[gnutls] Added support for 'very weak' profile and corrected path name.

Nikos Mavrogiannopoulos nmav at fedoraproject.org
Mon May 5 11:44:47 UTC 2014


commit 0f0e860b1e20b48c9de76fc5676f8280a12e0479
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date:   Mon May 5 13:42:00 2014 +0200

    Added support for 'very weak' profile and corrected path name.

 ...ery-weak-certificate-verification-profile.patch |   80 ++++++++++++++++++++
 gnutls.spec                                        |   10 ++-
 2 files changed, 88 insertions(+), 2 deletions(-)
---
diff --git a/0001-Added-the-very-weak-certificate-verification-profile.patch b/0001-Added-the-very-weak-certificate-verification-profile.patch
new file mode 100644
index 0000000..52c3248
--- /dev/null
+++ b/0001-Added-the-very-weak-certificate-verification-profile.patch
@@ -0,0 +1,80 @@
+From 9f498c4e077ceabafe44f186005ca52ead6930bd Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Mon, 5 May 2014 11:58:25 +0200
+Subject: [PATCH] Added the 'very weak' certificate verification profile.
+
+This profile corresponds to a 64-bit security level (e.g., RSA
+parameters of 768 bits).
+---
+ doc/cha-gtls-app.texi      | 6 ++++++
+ lib/gnutls_priority.c      | 6 ++++++
+ lib/includes/gnutls/x509.h | 3 +++
+ lib/priority_options.gperf | 1 +
+ lib/x509/verify.c          | 1 +
+ 6 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index 877ee90..769eed1 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -790,6 +790,12 @@ static void disable_wildcards(gnutls_priority_t c)
+ {
+ 	c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS;
+ }
++static void enable_profile_very_weak(gnutls_priority_t c)
++{
++	c->additional_verify_flags &= 0x00ffffff;
++	c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK);
++	c->level = GNUTLS_SEC_PARAM_VERY_WEAK;
++}
+ static void enable_profile_low(gnutls_priority_t c)
+ {
+ 	c->additional_verify_flags &= 0x00ffffff;
+diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
+index b4b24b9..cad804e 100644
+--- a/lib/includes/gnutls/x509.h
++++ b/lib/includes/gnutls/x509.h
+@@ -816,6 +816,8 @@ typedef enum gnutls_certificate_verify_flags {
+ 
+ /**
+  * gnutls_certificate_verification_profiles_t:
++ * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
++ *  corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
+  * @GNUTLS_PROFILE_LOW: A verification profile that
+  *  corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
+  * @GNUTLS_PROFILE_LEGACY: A verification profile that
+@@ -834,6 +836,7 @@ typedef enum gnutls_certificate_verify_flags {
+  * Enumeration of different certificate verification profiles.
+  */
+ typedef enum gnutls_certificate_verification_profiles_t {
++	GNUTLS_PROFILE_VERY_WEAK = 1,
+ 	GNUTLS_PROFILE_LOW = 2,
+ 	GNUTLS_PROFILE_LEGACY = 4,
+ 	GNUTLS_PROFILE_MEDIUM = 5,
+diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
+index fd081c5..79f3f7d 100644
+--- a/lib/priority_options.gperf
++++ b/lib/priority_options.gperf
+@@ -21,6 +21,7 @@ PARTIAL_RENEGOTIATION, enable_partial_safe_renegotiation
+ DISABLE_SAFE_RENEGOTIATION, disable_safe_renegotiation
+ DISABLE_WILDCARDS, disable_wildcards
+ SERVER_PRECEDENCE, enable_server_precedence
++PROFILE_VERY_WEAK, enable_profile_very_weak
+ PROFILE_LOW, enable_profile_low
+ PROFILE_LEGACY, enable_profile_legacy
+ PROFILE_MEDIUM, enable_profile_medium
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index d9b7fb7..037cd8e 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -433,6 +433,7 @@ int hash;
+ 		return gnutls_assert_val(0);
+ 
+ 	switch (profile) {
++		CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK);
+ 		CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW);
+ 		CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY);
+ 		CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);
+-- 
+1.9.0
+
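Review bot: The embedded patch's diffstat (lines 31–36 of the hunk) does not match its body: it lists doc/cha-gtls-app.texi with six additions and reports six files changed, yet only four diffs follow and the texi change is absent, so the new PROFILE_VERY_WEAK priority keyword ships without its manual entry; either restore the documentation hunk or regenerate the file with `git format-patch` so the stat is accurate. Since this keyword is presumably reachable from the system-wide priority file the spec's `--with-system-priority-file` now points at, I would also extend the new x509.h doc comment with the consequence, e.g. ` *  Accepts keys below the 80-bit threshold of @GNUTLS_PROFILE_LOW; meant only for legacy interoperability`. As a point of style, enable_profile_very_weak lacks the blank line that separates the neighbouring helpers, and the `0x00ffffff` mask it copies from enable_profile_low deserves a named constant in a follow-up; enable_profile_low's body continues outside the hunk.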
diff --git a/gnutls.spec b/gnutls.spec
index 241ae73..435936a 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -3,7 +3,7 @@
 Summary: A TLS protocol implementation
 Name: gnutls
 Version: 3.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 # The libraries are LGPLv2.1+, utilities are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
@@ -33,6 +33,7 @@ Patch7: gnutls-2.12.21-fips-algorithms.patch
 Patch8: gnutls-3.1.11-nosrp.patch
 Patch9: gnutls-othername.patch
 Patch10: gnutls-global-deinit.patch
+Patch11: 0001-Added-the-very-weak-certificate-verification-profile.patch
 
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -139,6 +140,7 @@ This package contains Guile bindings for the library.
 %patch8 -p1 -b .nosrp
 %patch9 -p1 -b .othername
 %patch10 -p1 -b .global-deinit
+%patch11 -p1 -b .very-weak
 sed 's/gnutls_srp.c//g' -i lib/Makefile.in
 sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
 
@@ -154,7 +156,7 @@ export LDFLAGS="-Wl,--no-add-needed"
            --disable-openssl-compatibility \
            --disable-srp-authentication \
 	   --disable-non-suiteb-curves \
-	   --with-system-priority-file=/etc/crypto-profiles/apps/gnutls.config \
+	   --with-system-priority-file=/etc/crypto-profiles/back-ends/gnutls.config \
 	   --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" \
 %if %{with guile}
            --enable-guile \
@@ -272,6 +274,10 @@ fi
 %endif
 
 %changelog
+* Mon May 05 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> 3.3.1-3
+- Replaced /etc/crypto-profiles/apps with /etc/crypto-profiles/back-ends.
+- Added support for "very weak" profile.
+
 * Mon Apr 28 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> 3.3.1-2
 - gnutls_global_deinit() will not do anything if the previous 
   initialization has failed (#1091053)

