]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
projects / thirdparty / gnutls.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f20525b)
gnutls_store_commitment: introduced flag GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 24 Feb 2017 07:57:27 +0000 (08:57 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 24 Feb 2017 09:30:42 +0000 (10:30 +0100)
This flag allows operation of the function even with broken algorithms.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/includes/gnutls/gnutls.h.in patch | blob | blame | history
lib/verify-tofu.c patch | blob | blame | history

diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 2b240727d23e8bd6f6a3ce39e0439a85e0fb21d3..d56b028b42d238a4c99fe0b25b27f2b83632334c 100644 (file)
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2429,6 +2429,7 @@ int gnutls_verify_stored_pubkey(const char *db_name,
                                const gnutls_datum_t * cert,
                                unsigned int flags);
 
+#define GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN 1
 int gnutls_store_commitment(const char *db_name,
                            gnutls_tdb_t tdb,
                            const char *host,
diff --git a/lib/verify-tofu.c b/lib/verify-tofu.c
index 3c953ba757988ec1d570c6649a6542d69f31fdec..02b427c50854b35554084ff4e97ed20e98a8815f 100644 (file)
--- a/lib/verify-tofu.c
+++ b/lib/verify-tofu.c
@@ -623,7 +623,7 @@ gnutls_store_pubkey(const char *db_name,
  * @hash_algo: The hash algorithm type
  * @hash: The raw hash
  * @expiration: The expiration time (use 0 to disable expiration)
- * @flags: should be 0.
+ * @flags: should be 0 or %GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN.
  *
  * This function will store the provided hash commitment to 
  * the list of stored public keys. The key with the given
@@ -653,9 +653,12 @@ gnutls_store_commitment(const char *db_name,
        char local_file[MAX_FILENAME];
        const mac_entry_st *me = hash_to_entry(hash_algo);
 
-       if (me == NULL || _gnutls_digest_is_secure(me) == 0)
+       if (me == NULL)
                return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 
+       if (!(flags & GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN) && _gnutls_digest_is_secure(me) == 0)
+               return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
+
        if (_gnutls_hash_get_algo_len(me) != hash->size)
                return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
Mirror of https://gitlab.com/gnutls/gnutls.git