priorities: ensure that SSL3.0 enablement fails early when disabled
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 12 Jul 2018 13:41:21 +0000 (15:41 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 13 Jul 2018 06:52:22 +0000 (08:52 +0200)
That is, a priority string with only SSL3.0 present is discarded as
invalid.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/algorithms/protocols.c
lib/priority.c

index 86c7a6027fc0d3e2650933a57d560f98e9aac123..e1093a9cedb5cbee5fff7bd62f9dc8419c7c68e8 100644 (file)
@@ -33,7 +33,9 @@ static const version_entry_st sup_versions[] = {
         .major = 3,
         .minor = 0,
         .transport = GNUTLS_STREAM,
+#ifdef ENABLE_SSL3
         .supported = 1,
+#endif
         .explicit_iv = 0,
         .extensions = 0,
         .selectable_sighash = 0,
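Review bot: With ENABLE_SSL3 undefined, the SSL 3.0 entry has no `.supported` initializer at all and relies on the implicit zero of a designated-initializer list, which is correct but easy to misread as an omission. An explicit `#else` arm with `.supported = 0,` would make the intent visible, as would a comment above the `#ifdef` such as `/* SSL 3.0 is marked supported only when compiled in */`. The entry's initializer starts and ends outside the hunk.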
index 4027042b332b7359ae4a0c5b6e5012b48652a0e5..9236f7fe0940626deba87082448978a5de49aa50 100644 (file)
@@ -1350,9 +1350,10 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
                }
        }
 
-       _gnutls_debug_log("added %d ciphersuites, %d sig algos and %d groups into priority list\n",
-               priority_cache->cs.size, priority_cache->sigalg.size,
-               priority_cache->groups.size);
+       _gnutls_debug_log("added %d protocols, %d ciphersuites, %d sig algos and %d groups into priority list\n",
+                         priority_cache->protocol.algorithms,
+                         priority_cache->cs.size, priority_cache->sigalg.size,
+                         priority_cache->groups.size);
 
        if (priority_cache->sigalg.size == 0) {
                /* no signature algorithms; eliminate TLS 1.2 or DTLS 1.2 and later */
@@ -1369,16 +1370,20 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
                        }
                }
                memcpy(&priority_cache->protocol, &newp, sizeof(newp));
-
-               if (priority_cache->protocol.algorithms == 0)
-                       return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
        }
 
-       if (priority_cache->cs.size == 0)
+       if (unlikely(priority_cache->protocol.algorithms == 0))
+               return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
+#ifndef ENABLE_SSL3
+       else if (unlikely(priority_cache->protocol.algorithms == 1 && priority_cache->protocol.priority[0] == GNUTLS_SSL3))
+               return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
+#endif
+
+       if (unlikely(priority_cache->cs.size == 0))
                return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
 
        /* when TLS 1.3 is available we must have groups set */
-       if (!have_psk && tlsmax && tlsmax->id >= GNUTLS_TLS1_3 && priority_cache->groups.size == 0)
+       if (unlikely(!have_psk && tlsmax && tlsmax->id >= GNUTLS_TLS1_3 && priority_cache->groups.size == 0))
                return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
 
        return 0;
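Review bot: The `#ifndef ENABLE_SSL3` guard matches only a list whose single entry is GNUTLS_SSL3, so it is tied to that one version id rather than to the `.supported` flag this commit clears in protocols.c. Whether a list made up only of unsupported versions can reach this point in another shape depends on code outside the hunk, but a check driven by the table's `.supported` field would not need a per-version special case. Because the preceding branch returns, the `else` is unnecessary, and a standalone braced `if` inside the `#ifndef` is safer than an `else if` spliced onto an unbraced `if` by the preprocessor: `if (unlikely(priority_cache->protocol.algorithms == 1 && priority_cache->protocol.priority[0] == GNUTLS_SSL3)) {`. A comment such as `/* SSL 3.0 is compiled out: a list naming only SSL3.0 leaves no usable protocol */` would record why the error is returned. set_ciphersuite_list begins outside the hunk.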