diff --git a/0001-Added-the-very-weak-certificate-verification-profile.patch b/0001-Added-the-very-weak-certificate-verification-profile.patch
new file mode 100644
index 0000000..52c3248
--- /dev/null
+++ b/0001-Added-the-very-weak-certificate-verification-profile.patch
@@ -0,0 +1,80 @@
+From 9f498c4e077ceabafe44f186005ca52ead6930bd Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Mon, 5 May 2014 11:58:25 +0200
+Subject: [PATCH] Added the 'very weak' certificate verification profile.
+
+This profile corresponds to a 64-bit security level (e.g., RSA
+parameters of 768 bits).
+---
+ doc/cha-gtls-app.texi | 6 ++++++
+ lib/gnutls_priority.c | 6 ++++++
+ lib/includes/gnutls/x509.h | 3 +++
+ lib/priority_options.gperf | 1 +
+ lib/x509/verify.c | 1 +
+ 6 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index 877ee90..769eed1 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -790,6 +790,12 @@ static void disable_wildcards(gnutls_priority_t c)
+ {
+ c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS;
+ }
++static void enable_profile_very_weak(gnutls_priority_t c)
++{
++ c->additional_verify_flags &= 0x00ffffff;
++ c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK);
++ c->level = GNUTLS_SEC_PARAM_VERY_WEAK;
++}
+ static void enable_profile_low(gnutls_priority_t c)
+ {
+ c->additional_verify_flags &= 0x00ffffff;
+diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
+index b4b24b9..cad804e 100644
+--- a/lib/includes/gnutls/x509.h
++++ b/lib/includes/gnutls/x509.h
+@@ -816,6 +816,8 @@ typedef enum gnutls_certificate_verify_flags {
+ 
+ /**
+ * gnutls_certificate_verification_profiles_t:
++ * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
++ * corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
+ * @GNUTLS_PROFILE_LOW: A verification profile that
+ * corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
+ * @GNUTLS_PROFILE_LEGACY: A verification profile that
+@@ -834,6 +836,7 @@ typedef enum gnutls_certificate_verify_flags {
+ * Enumeration of different certificate verification profiles.
+ */
+ typedef enum gnutls_certificate_verification_profiles_t {
++ GNUTLS_PROFILE_VERY_WEAK = 1,
+ GNUTLS_PROFILE_LOW = 2,
+ GNUTLS_PROFILE_LEGACY = 4,
+ GNUTLS_PROFILE_MEDIUM = 5,
+diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
+index fd081c5..79f3f7d 100644
+--- a/lib/priority_options.gperf
++++ b/lib/priority_options.gperf
+@@ -21,6 +21,7 @@ PARTIAL_RENEGOTIATION, enable_partial_safe_renegotiation
+ DISABLE_SAFE_RENEGOTIATION, disable_safe_renegotiation
+ DISABLE_WILDCARDS, disable_wildcards
+ SERVER_PRECEDENCE, enable_server_precedence
++PROFILE_VERY_WEAK, enable_profile_very_weak
+ PROFILE_LOW, enable_profile_low
+ PROFILE_LEGACY, enable_profile_legacy
+ PROFILE_MEDIUM, enable_profile_medium
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index d9b7fb7..037cd8e 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -433,6 +433,7 @@ int hash;
+ return gnutls_assert_val(0);
+ 
+ switch (profile) {
++ CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK);
+ CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW);
+ CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY);
+ CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);
+--
+1.9.0
+
diff --git a/gnutls.spec b/gnutls.spec
index 241ae73..435936a 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -3,7 +3,7 @@ Summary: A TLS protocol implementation
 Name: gnutls
 Version: 3.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 # The libraries are LGPLv2.1+, utilities are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
@@ -33,6 +33,7 @@ Patch7: gnutls-2.12.21-fips-algorithms.patch
 Patch8: gnutls-3.1.11-nosrp.patch
 Patch9: gnutls-othername.patch
 Patch10: gnutls-global-deinit.patch
+Patch11: 0001-Added-the-very-weak-certificate-verification-profile.patch
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
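Review bot: The diffstat inside the new patch file lists doc/cha-gtls-app.texi with 6 insertions and reports "6 files changed, 21 insertions(+), 1 deletion(-)", but the patch body carries hunks for only four files and no deletion, so the stat no longer describes what %patch11 applies and the priority-string documentation for the new PROFILE_VERY_WEAK keyword is not shipped with the backport; either regenerate the patch with the doc hunk or trim the stat lines to the hunks actually present. In the gnutls_priority.c hunk, enable_profile_very_weak repeats the bare mask `c->additional_verify_flags &= 0x00ffffff;` already used by enable_profile_low; it presumably clears the byte that GNUTLS_PROFILE_TO_VFLAGS writes, and a comment such as `/* drop any previously selected profile before setting this one */` would make that explicit, though as a backport the comment belongs upstream rather than in the distro patch. Note also that the new function lowers `c->level` to GNUTLS_SEC_PARAM_VERY_WEAK, so selecting this profile in the system priority file presumably relaxes the accepted key sizes for the session as a whole and not only for certificate verification — worth a line in the packaging changelog so administrators are not surprised.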
@@ -139,6 +140,7 @@ This package contains Guile bindings for the library.
 %patch8 -p1 -b .nosrp
 %patch9 -p1 -b .othername
 %patch10 -p1 -b .global-deinit
+%patch11 -p1 -b .very-weak
 sed 's/gnutls_srp.c//g' -i lib/Makefile.in
 sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
@@ -154,7 +156,7 @@ export LDFLAGS="-Wl,--no-add-needed"
 --disable-openssl-compatibility \
 --disable-srp-authentication \
 --disable-non-suiteb-curves \
- --with-system-priority-file=/etc/crypto-profiles/apps/gnutls.config \
+ --with-system-priority-file=/etc/crypto-profiles/back-ends/gnutls.config \
 --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" \
 %if %{with guile}
 --enable-guile \
@@ -272,6 +274,10 @@ fi
 %endif
 %changelog
+* Mon May 05 2014 Nikos Mavrogiannopoulos 3.3.1-3
+- Replaced /etc/crypto-profiles/apps with /etc/crypto-profiles/back-ends.
+- Added support for "very weak" profile.
+
 * Mon Apr 28 2014 Nikos Mavrogiannopoulos 3.3.1-2
 - gnutls_global_deinit() will not do anything if the previous initialization
 has failed (#1091053)
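Review bot: %patch11 modifies lib/priority_options.gperf, and the PROFILE_VERY_WEAK keyword only becomes recognizable at runtime if the gperf-generated lookup table is regenerated during the build; neither this hunk nor the Patch11 hunk above adds `BuildRequires: gperf` or a regeneration step, so confirm the build already does that, otherwise the library gains the enum value and the verify.c mapping while the priority string `%PROFILE_VERY_WEAK` stays unknown. If the tarball ships a pre-generated table, the sed lines that follow suggest the build is already patching lib/Makefile.in, and a `touch lib/priority_options.gperf` after the %patch line may be needed to force the rule to fire — check lib/Makefile.in for it (the %prep section continues outside this hunk).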
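Review bot: The system priority file moves to /etc/crypto-profiles/back-ends/gnutls.config in the configure hunk, but no Requires on the package that owns that directory appears here, so on a system where that package has not yet shipped the new path the library would presumably fall back to its built-in default priorities instead of the site policy, silently (the rest of the spec is outside this hunk, so this may already be covered elsewhere). A comment above the configure line, such as `# must match the path installed by the crypto-profiles package`, would make the coupling visible to whoever next bumps either package.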