When setting multiple initial keywords in a priority string, the security level set...
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 3 Feb 2014 13:02:08 +0000 (14:02 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 3 Feb 2014 13:04:05 +0000 (14:04 +0100)
Conflicts:
lib/gnutls_priority.c

lib/gnutls_priority.c

index 1ec6f280accc7141841886988cabdbb0f580f305..1fb440edd83e14ffc8b518e131bcc93d8da305d6 100644 (file)
@@ -633,6 +633,10 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority)
 #define LEVEL_SUITEB192 "SUITEB192"
 #define LEVEL_EXPORT "EXPORT"
 
+#define SET_LEVEL(to_set) \
+       if (priority_cache->level == 0 || priority_cache->level > to_set) \
+               priority_cache->level = to_set
+
 static
 int check_level(const char* level, gnutls_priority_t priority_cache, int add)
 {
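Review bot: `SET_LEVEL` expands to a bare `if` with an unparenthesized argument, so a use placed directly under an unbraced `if`/`else` would capture the following `else` and leave the wrong security level with no compiler diagnostic. Wrapping it as `#define SET_LEVEL(to_set) do { if (priority_cache->level == 0 || priority_cache->level > (to_set)) priority_cache->level = (to_set); } while (0)`, or turning it into a `static` helper that takes `priority_cache` as a parameter, removes that hazard and the hidden dependency on a local named `priority_cache`. The `>` comparison also assumes the `GNUTLS_SEC_PARAM_*` constants are numerically ordered by strength and that 0 is never a real level; the enum is not visible here, so a comment above the macro such as `/* keep the weakest level requested so far; 0 means not yet set */` would record that assumption. The macro is used in every later hunk of this file, and check_level's body continues outside the hunk.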
@@ -651,8 +655,7 @@ bulk_rmadd_func *func;
                      sign_priority_default);
       func (&priority_cache->supported_ecc, supported_ecc_normal);
 
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
+      SET_LEVEL(GNUTLS_SEC_PARAM_VERY_WEAK);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_NORMAL) == 0)
@@ -664,8 +667,7 @@ bulk_rmadd_func *func;
                      sign_priority_default);
       func (&priority_cache->supported_ecc, supported_ecc_normal);
 
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
+      SET_LEVEL(GNUTLS_SEC_PARAM_VERY_WEAK);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_PFS) == 0)
@@ -677,8 +679,7 @@ bulk_rmadd_func *func;
                      sign_priority_default);
       func (&priority_cache->supported_ecc, supported_ecc_normal);
 
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
+      SET_LEVEL(GNUTLS_SEC_PARAM_VERY_WEAK);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_SECURE256) == 0
@@ -693,8 +694,7 @@ bulk_rmadd_func *func;
       func (&priority_cache->supported_ecc, supported_ecc_secure192);
       
       /* be conservative for now. Set the bits to correspond to 96-bit level */
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_LEGACY;
+      SET_LEVEL(GNUTLS_SEC_PARAM_LEGACY);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_SECURE128) == 0
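Review bot: The comment kept above `SET_LEVEL(GNUTLS_SEC_PARAM_LEGACY)` still says the bits are set to the 96-bit level, but after this change the assignment is skipped whenever an earlier keyword has already left a lower non-zero level. I would reword it to `/* be conservative for now: cap the level at the 96-bit (LEGACY) one; a weaker earlier keyword keeps its lower level */`, and do the same for the 72-bit comment in the SECURE128 hunk that follows. Because the resulting level is a security parameter, a regression test that initialises a priority string with two level keywords in both orders and checks the resulting level would pin the intended minimum; no test is part of the commit as shown. The branch this line sits in starts and ends outside the hunk.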
@@ -709,8 +709,7 @@ bulk_rmadd_func *func;
       func (&priority_cache->supported_ecc, supported_ecc_secure128);
 
       /* be conservative for now. Set the bits to correspond to an 72-bit level */
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_WEAK;
+      SET_LEVEL(GNUTLS_SEC_PARAM_WEAK);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_SUITEB128) == 0)
@@ -724,8 +723,7 @@ bulk_rmadd_func *func;
                      sign_priority_suiteb128);
       func (&priority_cache->supported_ecc, supported_ecc_suiteb128);
 
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_HIGH;
+      SET_LEVEL(GNUTLS_SEC_PARAM_HIGH);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_SUITEB192) == 0)
@@ -739,8 +737,7 @@ bulk_rmadd_func *func;
                      sign_priority_suiteb192);
       func (&priority_cache->supported_ecc, supported_ecc_suiteb192);
 
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_ULTRA;
+      SET_LEVEL(GNUTLS_SEC_PARAM_ULTRA);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_EXPORT) == 0)
@@ -752,8 +749,7 @@ bulk_rmadd_func *func;
                      sign_priority_default);
       func (&priority_cache->supported_ecc, supported_ecc_normal);
 
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_EXPORT;
+      SET_LEVEL(GNUTLS_SEC_PARAM_EXPORT);
       return 1;
     }
   return 0;