Added support for 'very weak' profile and corrected path name.
This commit is contained in:
Nikos Mavrogiannopoulos
parent
2fe59e7dcb
commit
0f0e860b1e
|
|
@ -0,0 +1,80 @@
|
|||
From 9f498c4e077ceabafe44f186005ca52ead6930bd Mon Sep 17 00:00:00 2001
|
||||
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
||||
Date: Mon, 5 May 2014 11:58:25 +0200
|
||||
Subject: [PATCH] Added the 'very weak' certificate verification profile.
|
||||
|
||||
This profile corresponds to a 64-bit security level (e.g., RSA
|
||||
parameters of 768 bits).
|
||||
---
|
||||
doc/cha-gtls-app.texi | 6 ++++++
|
||||
lib/gnutls_priority.c | 6 ++++++
|
||||
lib/includes/gnutls/x509.h | 3 +++
|
||||
lib/priority_options.gperf | 1 +
|
||||
lib/x509/verify.c | 1 +
|
||||
6 files changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
|
||||
index 877ee90..769eed1 100644
|
||||
--- a/lib/gnutls_priority.c
|
||||
+++ b/lib/gnutls_priority.c
|
||||
@@ -790,6 +790,12 @@ static void disable_wildcards(gnutls_priority_t c)
|
||||
{
|
||||
c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS;
|
||||
}
|
||||
+static void enable_profile_very_weak(gnutls_priority_t c)
|
||||
+{
|
||||
+ c->additional_verify_flags &= 0x00ffffff;
|
||||
+ c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK);
|
||||
+ c->level = GNUTLS_SEC_PARAM_VERY_WEAK;
|
||||
+}
|
||||
static void enable_profile_low(gnutls_priority_t c)
|
||||
{
|
||||
c->additional_verify_flags &= 0x00ffffff;
|
||||
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
|
||||
index b4b24b9..cad804e 100644
|
||||
--- a/lib/includes/gnutls/x509.h
|
||||
+++ b/lib/includes/gnutls/x509.h
|
||||
@@ -816,6 +816,8 @@ typedef enum gnutls_certificate_verify_flags {
|
||||
|
||||
/**
|
||||
* gnutls_certificate_verification_profiles_t:
|
||||
+ * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
|
||||
+ * corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
|
||||
* @GNUTLS_PROFILE_LOW: A verification profile that
|
||||
* corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
|
||||
* @GNUTLS_PROFILE_LEGACY: A verification profile that
|
||||
@@ -834,6 +836,7 @@ typedef enum gnutls_certificate_verify_flags {
|
||||
* Enumeration of different certificate verification profiles.
|
||||
*/
|
||||
typedef enum gnutls_certificate_verification_profiles_t {
|
||||
+ GNUTLS_PROFILE_VERY_WEAK = 1,
|
||||
GNUTLS_PROFILE_LOW = 2,
|
||||
GNUTLS_PROFILE_LEGACY = 4,
|
||||
GNUTLS_PROFILE_MEDIUM = 5,
|
||||
diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
|
||||
index fd081c5..79f3f7d 100644
|
||||
--- a/lib/priority_options.gperf
|
||||
+++ b/lib/priority_options.gperf
|
||||
@@ -21,6 +21,7 @@ PARTIAL_RENEGOTIATION, enable_partial_safe_renegotiation
|
||||
DISABLE_SAFE_RENEGOTIATION, disable_safe_renegotiation
|
||||
DISABLE_WILDCARDS, disable_wildcards
|
||||
SERVER_PRECEDENCE, enable_server_precedence
|
||||
+PROFILE_VERY_WEAK, enable_profile_very_weak
|
||||
PROFILE_LOW, enable_profile_low
|
||||
PROFILE_LEGACY, enable_profile_legacy
|
||||
PROFILE_MEDIUM, enable_profile_medium
|
||||
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
|
||||
index d9b7fb7..037cd8e 100644
|
||||
--- a/lib/x509/verify.c
|
||||
+++ b/lib/x509/verify.c
|
||||
@@ -433,6 +433,7 @@ int hash;
|
||||
return gnutls_assert_val(0);
|
||||
|
||||
switch (profile) {
|
||||
+ CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK);
|
||||
CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW);
|
||||
CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY);
|
||||
CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);
|
||||
--
|
||||
1.9.0
|
||||
|
||||
10
gnutls.spec
10
gnutls.spec
|
|
@ -3,7 +3,7 @@
|
|||
Summary: A TLS protocol implementation
|
||||
Name: gnutls
|
||||
Version: 3.3.1
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
# The libraries are LGPLv2.1+, utilities are GPLv3+
|
||||
License: GPLv3+ and LGPLv2+
|
||||
Group: System Environment/Libraries
|
||||
|
|
@ -33,6 +33,7 @@ Patch7: gnutls-2.12.21-fips-algorithms.patch
|
|||
Patch8: gnutls-3.1.11-nosrp.patch
|
||||
Patch9: gnutls-othername.patch
|
||||
Patch10: gnutls-global-deinit.patch
|
||||
Patch11: 0001-Added-the-very-weak-certificate-verification-profile.patch
|
||||
|
||||
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
|
||||
Provides: bundled(gnulib) = 20130424
|
||||
|
|
@ -139,6 +140,7 @@ This package contains Guile bindings for the library.
|
|||
%patch8 -p1 -b .nosrp
|
||||
%patch9 -p1 -b .othername
|
||||
%patch10 -p1 -b .global-deinit
|
||||
%patch11 -p1 -b .very-weak
|
||||
sed 's/gnutls_srp.c//g' -i lib/Makefile.in
|
||||
sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
|
||||
|
||||
|
|
@ -154,7 +156,7 @@ export LDFLAGS="-Wl,--no-add-needed"
|
|||
--disable-openssl-compatibility \
|
||||
--disable-srp-authentication \
|
||||
--disable-non-suiteb-curves \
|
||||
--with-system-priority-file=/etc/crypto-profiles/apps/gnutls.config \
|
||||
--with-system-priority-file=/etc/crypto-profiles/back-ends/gnutls.config \
|
||||
--with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" \
|
||||
%if %{with guile}
|
||||
--enable-guile \
|
||||
|
|
@ -272,6 +274,10 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon May 05 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.1-3
|
||||
- Replaced /etc/crypto-profiles/apps with /etc/crypto-profiles/back-ends.
|
||||
- Added support for "very weak" profile.
|
||||
|
||||
* Mon Apr 28 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.1-2
|
||||
- gnutls_global_deinit() will not do anything if the previous
|
||||
initialization has failed (#1091053)
|
||||
|
|
|
|||
Loading…
Reference in New Issue