enforce certificate verification profiles when setting priority strings
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 13 Jan 2014 09:39:46 +0000 (10:39 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 13 Jan 2014 09:39:46 +0000 (10:39 +0100)
lib/gnutls_int.h
lib/gnutls_priority.c

index 3a55f32b667d4a1d4875b3867de9373bbf726293..3689f275b8ad33188a2e7e172abe4155f1214171 100644 (file)
@@ -670,7 +670,10 @@ struct gnutls_priority_st {
 #define ENABLE_COMPAT(x) \
               (x)->allow_large_records = 1; \
               (x)->allow_wrong_pms = 1; \
-              (x)->allow_weak_keys = 1
+              (x)->allow_weak_keys = 1; \
+              (x)->additional_verify_flags &= 0x00ffffff; \
+              (x)->additional_verify_flags |= GNUTLS_VFLAGS_TO_PROFILE(GNUTLS_PROFILE_LOW); \
+              (x)->level = GNUTLS_SEC_PARAM_VERY_WEAK
 
 /* DH and RSA parameters types.
  */
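Review bot: The new line `(x)->additional_verify_flags |= GNUTLS_VFLAGS_TO_PROFILE(GNUTLS_PROFILE_LOW);` converts in the opposite direction from every other site in this commit, which all build flag bits with `GNUTLS_PROFILE_TO_VFLAGS(profile)` and use `GNUTLS_VFLAGS_TO_PROFILE(flags)` only to read a profile back out of the flags word. Applied to a small profile constant the extracting macro presumably yields 0, so after `&= 0x00ffffff` has cleared the profile byte nothing is written back and %COMPAT would end up with no verification profile at all instead of the LOW one intended; it should read `(x)->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW); \`. The mask `0x00ffffff` is a bare magic number that silently duplicates whatever shift the two macros encode; a named mask defined next to them would keep the three in step. ENABLE_COMPAT is still a bare statement list, so it remains unsafe after an unbraced `if`; wrapping it in `do { ... } while (0)` would be cheap while the macro is being touched.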
index 14566b1570bbd11076b7268ce1fa99c3daaa923d..04efde0f742e88fd802a63e806dbea69ae73d041 100644 (file)
@@ -27,6 +27,7 @@
 #include "algorithms.h"
 #include "gnutls_errors.h"
 #include <gnutls_num.h>
+#include <gnutls/x509.h>
 
 static void
 break_comma_list(char *etag,
@@ -659,6 +660,8 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
                func(&priority_cache->sign_algo, sign_priority_default);
                func(&priority_cache->supported_ecc, supported_ecc_normal);
 
+               if (GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags) == 0)
+                       priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY);
                if (priority_cache->level == 0)
                        priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
                return 1;
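Review bot: The two-line default `if (GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags) == 0) priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(...);` is pasted into check_level seven times (this hunk and the six that follow), differing only in the profile constant. A small static helper holding the "only when the priority string has not already chosen a profile" test and the OR would put that rule in one place, so a later change to the test (for instance if profile value 0 ever becomes meaningful) does not need seven coordinated edits. The unbraced `if` whose body runs well past 100 columns is also easy to misread next to the braced-style `if (priority_cache->level == 0)` that follows; a helper call keeps each branch to one short line. check_level begins and ends outside these hunks.
```c
/* Apply PROFILE only if the priority string did not already select one. */
static inline void
set_default_verify_profile(gnutls_priority_t priority_cache, unsigned profile)
{
	if (GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags) == 0)
		priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(profile);
}

/* … unchanged: check_level up to each level branch … */
		set_default_verify_profile(priority_cache, GNUTLS_PROFILE_LEGACY);
		if (priority_cache->level == 0)
			priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
```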
@@ -669,6 +672,8 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
                func(&priority_cache->sign_algo, sign_priority_default);
                func(&priority_cache->supported_ecc, supported_ecc_normal);
 
+               if (GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags) == 0)
+                       priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY);
                if (priority_cache->level == 0)
                        priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
                return 1;
@@ -679,6 +684,8 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
                func(&priority_cache->sign_algo, sign_priority_default);
                func(&priority_cache->supported_ecc, supported_ecc_normal);
 
+               if (GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags) == 0)
+                       priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY);
                if (priority_cache->level == 0)
                        priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
                return 1;
@@ -692,6 +699,8 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
                     supported_ecc_secure192);
 
                /* be conservative for now. Set the bits to correspond to 96-bit level */
+               if (GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags) == 0)
+                       priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA);
                if (priority_cache->level == 0)
                        priority_cache->level = GNUTLS_SEC_PARAM_LEGACY;
                return 1;
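Review bot: The comment `/* be conservative for now. Set the bits to correspond to 96-bit level */` now sits directly above the new verification-profile lines rather than the `level` assignment it describes, so it reads as if the ULTRA profile were the conservative 96-bit choice while the statement it actually explains is `priority_cache->level = GNUTLS_SEC_PARAM_LEGACY`. Placing the two added lines after the comment block, or moving the comment down to just before `if (priority_cache->level == 0)`, keeps it attached to the right statement. The next hunk instead deletes the parallel 72-bit comment in the branch that uses supported_ecc_secure128, so the two sibling branches now document the profile/level mismatch inconsistently; either keep both comments or drop both. check_level continues outside this hunk.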
@@ -704,7 +713,8 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
                func(&priority_cache->supported_ecc,
                     supported_ecc_secure128);
 
-               /* be conservative for now. Set the bits to correspond to an 72-bit level */
+               if (GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags) == 0)
+                       priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH);
                if (priority_cache->level == 0)
                        priority_cache->level = GNUTLS_SEC_PARAM_WEAK;
                return 1;
@@ -717,6 +727,8 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
                func(&priority_cache->supported_ecc,
                     supported_ecc_suiteb128);
 
+               if (GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags) == 0)
+                       priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB128);
                if (priority_cache->level == 0)
                        priority_cache->level = GNUTLS_SEC_PARAM_HIGH;
                return 1;
@@ -729,6 +741,8 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
                func(&priority_cache->supported_ecc,
                     supported_ecc_suiteb192);
 
+               if (GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags) == 0)
+                       priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192);
                if (priority_cache->level == 0)
                        priority_cache->level = GNUTLS_SEC_PARAM_ULTRA;
                return 1;