author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-01-14 10:45:21 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-01-14 11:05:02 +0100 |
commit | a20027bc058bbc38d6c7dea76a26dda5d5aa54df (patch) | |
tree | 31c5061c55b988d8dbfbcc8a38a3463dfc473f05 /lib | |
parent | 2667ae8b20fa68f785927bd5ccd6e1a948bf48ae (diff) | |
download | gnutls-a20027bc058bbc38d6c7dea76a26dda5d5aa54df.tar.gz |
GNUTLS_SEC_PARAM_NORMAL was renamed to GNUTLS_SEC_PARAM_MEDIUM
That was done to avoid confusion with the NORMAL priority string.
Also when setting a PROFILE explicitly as priority string the
session security level is adjusted accordingly.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/algorithms/secparams.c | 4 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 11 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 7 | ||||
-rw-r--r-- | lib/includes/gnutls/x509.h | 6 | ||||
-rw-r--r-- | lib/priority_options.gperf | 2 | ||||
-rw-r--r-- | lib/x509/verify.c | 2 |
6 files changed, 21 insertions, 11 deletions
diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c
index 239cc44265..852557c5b2 100644
--- a/lib/algorithms/secparams.c
+++ b/lib/algorithms/secparams.c
@@ -45,13 +45,13 @@ static const gnutls_sec_params_entry sec_params[] = {
 #ifdef ENABLE_FIPS140
 {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1024, 1024, 160, 160},
 {"Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1024, 1024, 192, 192},
- {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2048, 2048, 224, 224},
+ {"Medium", GNUTLS_SEC_PARAM_MEDIUM, 112, 2048, 2048, 224, 224},
 {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3072, 3072, 256, 256},
 {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15360, 15360, 512, 512},
 #else
 {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 1024, 160, 160},
 {"Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1776, 2048, 192, 192},
- {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 2048, 256, 224},
+ {"Medium", GNUTLS_SEC_PARAM_MEDIUM, 112, 2432, 2048, 256, 224},
 {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256},
 {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15424, 3072, 512, 512},
 #endif
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 33fef17c08..db04aa4477 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -780,36 +780,43 @@ static void enable_profile_low(gnutls_priority_t c)
 {
 c->additional_verify_flags &= 0x00ffffff;
 c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW);
+ c->level = GNUTLS_SEC_PARAM_LOW;
 }
 static void enable_profile_legacy(gnutls_priority_t c)
 {
 c->additional_verify_flags &= 0x00ffffff;
 c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY);
+ c->level = GNUTLS_SEC_PARAM_LEGACY;
 }
 static void enable_profile_high(gnutls_priority_t c)
 {
 c->additional_verify_flags &= 0x00ffffff;
 c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH);
+ c->level = GNUTLS_SEC_PARAM_HIGH;
 }
 static void enable_profile_ultra(gnutls_priority_t c)
 {
 c->additional_verify_flags &= 0x00ffffff;
 c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA);
+ c->level = GNUTLS_SEC_PARAM_ULTRA;
 }
-static void enable_profile_normal(gnutls_priority_t c)
+static void enable_profile_medium(gnutls_priority_t c)
 {
 c->additional_verify_flags &= 0x00ffffff;
- c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_NORMAL);
+ c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM);
+ c->level = GNUTLS_SEC_PARAM_MEDIUM;
 }
 static void enable_profile_suiteb128(gnutls_priority_t c)
 {
 c->additional_verify_flags &= 0x00ffffff;
 c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB128);
+ c->level = GNUTLS_SEC_PARAM_HIGH;
 }
 static void enable_profile_suiteb192(gnutls_priority_t c)
 {
 c->additional_verify_flags &= 0x00ffffff;
 c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192);
+ c->level = GNUTLS_SEC_PARAM_ULTRA;
 }
 static void enable_safe_renegotiation(gnutls_priority_t c)
 {
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 2dbd9b4d07..176c9533de 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
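Review bot: The added `c->level = ...` assignments in the seven enable_profile_* functions are unconditional, so a PROFILE_* keyword overwrites whatever level the priority string had already selected, and `enable_profile_low` can lower it as well as raise it. Whether the result depends on keyword order cannot be seen from this hunk, because the code that sets c->level for other keywords is outside it. A comment above the group would make the side effect explicit, for example `/* Each PROFILE_* option also replaces c->level, in either direction. */`, and the SUITEB128 to HIGH and SUITEB192 to ULTRA mappings deserve a line saying why those levels were chosen. The mask `0x00ffffff` is repeated in every function; a named constant or a small static helper taking the profile and the level would keep the seven bodies from drifting apart. The signature of enable_profile_low and the body of enable_safe_renegotiation lie outside the hunk.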
@@ -701,7 +701,7 @@ typedef enum {
 * @GNUTLS_SEC_PARAM_WEAK: 72 bits of security
 * @GNUTLS_SEC_PARAM_LOW: 80 bits of security
 * @GNUTLS_SEC_PARAM_LEGACY: 96 bits of security
- * @GNUTLS_SEC_PARAM_NORMAL: 112 bits of security
+ * @GNUTLS_SEC_PARAM_MEDIUM: 112 bits of security (used to be %GNUTLS_SEC_PARAM_NORMAL)
 * @GNUTLS_SEC_PARAM_HIGH: 128 bits of security
 * @GNUTLS_SEC_PARAM_ULTRA: 192 bits of security
 *
@@ -715,11 +715,14 @@ typedef enum {
 GNUTLS_SEC_PARAM_UNKNOWN = 0,
 GNUTLS_SEC_PARAM_LOW = 1,
 GNUTLS_SEC_PARAM_LEGACY = 2,
- GNUTLS_SEC_PARAM_NORMAL = 3,
+ GNUTLS_SEC_PARAM_MEDIUM = 3,
 GNUTLS_SEC_PARAM_HIGH = 4,
 GNUTLS_SEC_PARAM_ULTRA = 5,
 } gnutls_sec_param_t;
+/* old name */
+#define GNUTLS_SEC_PARAM_NORMAL GNUTLS_SEC_PARAM_MEDIUM
+
 /**
 * gnutls_channel_binding_t:
 * @GNUTLS_CB_TLS_UNIQUE: "tls-unique" (RFC 5929) channel binding
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 6ca62eaccd..293e9a2f13 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -758,8 +758,8 @@ typedef enum gnutls_certificate_verify_flags {
 * corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
 * @GNUTLS_PROFILE_LEGACY: A verification profile that
 * corresponds to @GNUTLS_SEC_PARAM_LEGACY (96 bits)
- * @GNUTLS_PROFILE_NORMAL: A verification profile that
- * corresponds to @GNUTLS_SEC_PARAM_NORMAL (112 bits)
+ * @GNUTLS_PROFILE_MEDIUM: A verification profile that
+ * corresponds to @GNUTLS_SEC_PARAM_MEDIUM (112 bits)
 * @GNUTLS_PROFILE_HIGH: A verification profile that
 * corresponds to @GNUTLS_SEC_PARAM_HIGH (128 bits)
 * @GNUTLS_PROFILE_ULTRA: A verification profile that
@@ -774,7 +774,7 @@ typedef enum gnutls_certificate_verify_flags {
 typedef enum gnutls_certificate_verification_profiles_t {
 GNUTLS_PROFILE_LOW = 2,
 GNUTLS_PROFILE_LEGACY = 4,
- GNUTLS_PROFILE_NORMAL = 5,
+ GNUTLS_PROFILE_MEDIUM = 5,
 GNUTLS_PROFILE_HIGH = 6,
 GNUTLS_PROFILE_ULTRA = 7,
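Review bot: `GNUTLS_PROFILE_NORMAL` is dropped from gnutls_certificate_verification_profiles_t in the second x509.h hunk with no alias, while gnutls.h.in keeps the old security-parameter name through `#define GNUTLS_SEC_PARAM_NORMAL GNUTLS_SEC_PARAM_MEDIUM`. If the old profile name ever appeared in a released header, callers using it stop compiling; the matching line would be `#define GNUTLS_PROFILE_NORMAL GNUTLS_PROFILE_MEDIUM` after the enum. The same gap shows in lib/priority_options.gperf, where the `PROFILE_NORMAL` keyword is replaced rather than kept alongside the new one, so a priority string that still uses it would presumably no longer be recognised; a second entry `PROFILE_NORMAL, enable_profile_medium` would preserve existing configurations. The enum's closing brace is outside the hunk.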
diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
index 56e710dbf7..6a4e00c407 100644
--- a/lib/priority_options.gperf
+++ b/lib/priority_options.gperf
@@ -22,7 +22,7 @@ DISABLE_SAFE_RENEGOTIATION, disable_safe_renegotiation
 SERVER_PRECEDENCE, enable_server_precedence
 PROFILE_LOW, enable_profile_low
 PROFILE_LEGACY, enable_profile_legacy
-PROFILE_NORMAL, enable_profile_normal
+PROFILE_MEDIUM, enable_profile_medium
 PROFILE_HIGH, enable_profile_high
 PROFILE_ULTRA, enable_profile_ultra
 PROFILE_SUITEB128, enable_profile_suiteb128
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 16f79e754a..0599840376 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -408,7 +408,7 @@ gnutls_sec_param_t sp;
 switch (profile) {
 CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW);
 CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY);
- CASE_SEC_PARAM(GNUTLS_PROFILE_NORMAL, GNUTLS_SEC_PARAM_NORMAL);
+ CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);
 CASE_SEC_PARAM(GNUTLS_PROFILE_HIGH, GNUTLS_SEC_PARAM_HIGH);
 CASE_SEC_PARAM(GNUTLS_PROFILE_ULTRA, GNUTLS_SEC_PARAM_ULTRA);
 case GNUTLS_PROFILE_SUITEB128: |