[gnutls] Added support for 'very weak' profile and corrected path name.
Nikos Mavrogiannopoulos
nmav at fedoraproject.org
Mon May 5 11:44:47 UTC 2014
commit 0f0e860b1e20b48c9de76fc5676f8280a12e0479
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Mon May 5 13:42:00 2014 +0200
Added support for 'very weak' profile and corrected path name.
...ery-weak-certificate-verification-profile.patch | 80 ++++++++++++++++++++
gnutls.spec | 10 ++-
2 files changed, 88 insertions(+), 2 deletions(-)
---
diff --git a/0001-Added-the-very-weak-certificate-verification-profile.patch b/0001-Added-the-very-weak-certificate-verification-profile.patch
new file mode 100644
index 0000000..52c3248
--- /dev/null
+++ b/0001-Added-the-very-weak-certificate-verification-profile.patch
@@ -0,0 +1,80 @@
+From 9f498c4e077ceabafe44f186005ca52ead6930bd Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Mon, 5 May 2014 11:58:25 +0200
+Subject: [PATCH] Added the 'very weak' certificate verification profile.
+
+This profile corresponds to a 64-bit security level (e.g., RSA
+parameters of 768 bits).
+---
+ doc/cha-gtls-app.texi | 6 ++++++
+ lib/gnutls_priority.c | 6 ++++++
+ lib/includes/gnutls/x509.h | 3 +++
+ lib/priority_options.gperf | 1 +
+ lib/x509/verify.c | 1 +
+ 6 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index 877ee90..769eed1 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -790,6 +790,12 @@ static void disable_wildcards(gnutls_priority_t c)
+ {
+ c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS;
+ }
++static void enable_profile_very_weak(gnutls_priority_t c)
++{
++ c->additional_verify_flags &= 0x00ffffff;
++ c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK);
++ c->level = GNUTLS_SEC_PARAM_VERY_WEAK;
++}
+ static void enable_profile_low(gnutls_priority_t c)
+ {
+ c->additional_verify_flags &= 0x00ffffff;
+diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
+index b4b24b9..cad804e 100644
+--- a/lib/includes/gnutls/x509.h
++++ b/lib/includes/gnutls/x509.h
+@@ -816,6 +816,8 @@ typedef enum gnutls_certificate_verify_flags {
+
+ /**
+ * gnutls_certificate_verification_profiles_t:
++ * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
++ * corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
+ * @GNUTLS_PROFILE_LOW: A verification profile that
+ * corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
+ * @GNUTLS_PROFILE_LEGACY: A verification profile that
+@@ -834,6 +836,7 @@ typedef enum gnutls_certificate_verify_flags {
+ * Enumeration of different certificate verification profiles.
+ */
+ typedef enum gnutls_certificate_verification_profiles_t {
++ GNUTLS_PROFILE_VERY_WEAK = 1,
+ GNUTLS_PROFILE_LOW = 2,
+ GNUTLS_PROFILE_LEGACY = 4,
+ GNUTLS_PROFILE_MEDIUM = 5,
+diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
+index fd081c5..79f3f7d 100644
+--- a/lib/priority_options.gperf
++++ b/lib/priority_options.gperf
+@@ -21,6 +21,7 @@ PARTIAL_RENEGOTIATION, enable_partial_safe_renegotiation
+ DISABLE_SAFE_RENEGOTIATION, disable_safe_renegotiation
+ DISABLE_WILDCARDS, disable_wildcards
+ SERVER_PRECEDENCE, enable_server_precedence
++PROFILE_VERY_WEAK, enable_profile_very_weak
+ PROFILE_LOW, enable_profile_low
+ PROFILE_LEGACY, enable_profile_legacy
+ PROFILE_MEDIUM, enable_profile_medium
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index d9b7fb7..037cd8e 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -433,6 +433,7 @@ int hash;
+ return gnutls_assert_val(0);
+
+ switch (profile) {
++ CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK);
+ CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW);
+ CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY);
+ CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);
+--
+1.9.0
+
diff --git a/gnutls.spec b/gnutls.spec
index 241ae73..435936a 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -3,7 +3,7 @@
Summary: A TLS protocol implementation
Name: gnutls
Version: 3.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
# The libraries are LGPLv2.1+, utilities are GPLv3+
License: GPLv3+ and LGPLv2+
Group: System Environment/Libraries
@@ -33,6 +33,7 @@ Patch7: gnutls-2.12.21-fips-algorithms.patch
Patch8: gnutls-3.1.11-nosrp.patch
Patch9: gnutls-othername.patch
Patch10: gnutls-global-deinit.patch
+Patch11: 0001-Added-the-very-weak-certificate-verification-profile.patch
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424
@@ -139,6 +140,7 @@ This package contains Guile bindings for the library.
%patch8 -p1 -b .nosrp
%patch9 -p1 -b .othername
%patch10 -p1 -b .global-deinit
+%patch11 -p1 -b .very-weak
sed 's/gnutls_srp.c//g' -i lib/Makefile.in
sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
@@ -154,7 +156,7 @@ export LDFLAGS="-Wl,--no-add-needed"
--disable-openssl-compatibility \
--disable-srp-authentication \
--disable-non-suiteb-curves \
- --with-system-priority-file=/etc/crypto-profiles/apps/gnutls.config \
+ --with-system-priority-file=/etc/crypto-profiles/back-ends/gnutls.config \
--with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" \
%if %{with guile}
--enable-guile \
@@ -272,6 +274,10 @@ fi
%endif
%changelog
+* Mon May 05 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> 3.3.1-3
+- Replaced /etc/crypto-profiles/apps with /etc/crypto-profiles/back-ends.
+- Added support for "very weak" profile.
+
* Mon Apr 28 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> 3.3.1-2
- gnutls_global_deinit() will not do anything if the previous
initialization has failed (#1091053)
More information about the scm-commits
mailing list