From: Nikos Mavrogiannopoulos Date: Fri, 24 Feb 2017 07:57:27 +0000 (+0100) Subject: gnutls_store_commitment: introduced flag GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN X-Git-Tag: gnutls_3_6_0~943 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d766bb305afd9ba3006d87aa7aa9d2af91715364;p=thirdparty%2Fgnutls.git gnutls_store_commitment: introduced flag GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN This flag allows operation of the function even with broken algorithms. Signed-off-by: Nikos Mavrogiannopoulos --- diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 2b240727d2..d56b028b42 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -2429,6 +2429,7 @@ int gnutls_verify_stored_pubkey(const char *db_name, const gnutls_datum_t * cert, unsigned int flags); +#define GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN 1 int gnutls_store_commitment(const char *db_name, gnutls_tdb_t tdb, const char *host, diff --git a/lib/verify-tofu.c b/lib/verify-tofu.c index 3c953ba757..02b427c508 100644 --- a/lib/verify-tofu.c +++ b/lib/verify-tofu.c @@ -623,7 +623,7 @@ gnutls_store_pubkey(const char *db_name, * @hash_algo: The hash algorithm type * @hash: The raw hash * @expiration: The expiration time (use 0 to disable expiration) - * @flags: should be 0. + * @flags: should be 0 or %GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. * * This function will store the provided hash commitment to * the list of stored public keys. The key with the given @@ -653,9 +653,12 @@ gnutls_store_commitment(const char *db_name, char local_file[MAX_FILENAME]; const mac_entry_st *me = hash_to_entry(hash_algo); - if (me == NULL || _gnutls_digest_is_secure(me) == 0) + if (me == NULL) return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + if (!(flags & GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN) && _gnutls_digest_is_secure(me) == 0) + return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); + if (_gnutls_hash_get_algo_len(me) != hash->size) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);