authorNikos Mavrogiannopoulos <nmav@gnutls.org>2018-11-02 13:41:46 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-11-02 13:41:46 +0000
commitc7de377eb4a9fe820d785fb93288041b1ac8484b (patch)
treefe52840333cebbbe38e1e15a733d33f05468e927
parenta701817616bdf263d4dcb688bd0cb4705e7a37c8 (diff)
parente515d4439f84067a6c956a890214848f722c621c (diff)
downloadgnutls-c7de377eb4a9fe820d785fb93288041b1ac8484b.tar.gz
Merge branch 'tmp-ignore-ctypes' into 'master'
gnutls_priority_init: ignore CTYPE-OPENPGP options Closes #593 See merge request gnutls/gnutls!789
-rw-r--r--NEWS3
-rw-r--r--lib/priority.c50
-rw-r--r--tests/Makefile.am2
-rwxr-xr-xtests/cipher-listings.sh2
-rw-r--r--tests/data/listings-legacy34
-rw-r--r--tests/data/listings-legacy44
6 files changed, 42 insertions, 23 deletions
diff --git a/NEWS b/NEWS
index 55a793c935..ea9fb34697 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,9 @@ See the end for copying conditions.
have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
S-BOXes). They are fixed now.
+** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
+ in the priority string. It is only accepted as legacy option and is ignored.
+
** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
option (#561)
diff --git a/lib/priority.c b/lib/priority.c
index 33d164f214..11ff9ddce5 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1775,38 +1775,44 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
else
goto error;
}
- } else if (strncasecmp
- (&broken_list[i][1], "CTYPE-", 6) == 0) { // Certificate types
- if (strncasecmp(&broken_list[i][1], "CTYPE-ALL", 9) == 0)
- { // Symmetric cert types, all types allowed
- bulk_fn(&(*priority_cache)->client_ctype, cert_type_priority_all);
- bulk_fn(&(*priority_cache)->server_ctype, cert_type_priority_all);
- } else if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-", 10) == 0)
- { // Client certificate types
- if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-ALL", 13) == 0)
- { // All client cert types allowed
- bulk_fn(&(*priority_cache)->client_ctype, cert_type_priority_all);
+ } else if (strncasecmp(&broken_list[i][1], "CTYPE-", 6) == 0) {
+ // Certificate types
+ if (strncasecmp(&broken_list[i][1], "CTYPE-ALL", 9) == 0) {
+ // Symmetric cert types, all types allowed
+ bulk_fn(&(*priority_cache)->client_ctype,
+ cert_type_priority_all);
+ bulk_fn(&(*priority_cache)->server_ctype,
+ cert_type_priority_all);
+ } else if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-", 10) == 0) {
+ // Client certificate types
+ if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-ALL", 13) == 0) {
+ // All client cert types allowed
+ bulk_fn(&(*priority_cache)->client_ctype,
+ cert_type_priority_all);
} else if ((algo = gnutls_certificate_type_get_id
- (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN)
- { // Specific client cert type allowed
+ (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN) {
+ // Specific client cert type allowed
fn(&(*priority_cache)->client_ctype, algo);
} else goto error;
- } else if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-", 10) == 0)
- { // Server certificate types
- if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-ALL", 13) == 0)
- { // All server cert types allowed
- bulk_fn(&(*priority_cache)->server_ctype, cert_type_priority_all);
+ } else if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-", 10) == 0) {
+ // Server certificate types
+ if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-ALL", 13) == 0) {
+ // All server cert types allowed
+ bulk_fn(&(*priority_cache)->server_ctype,
+ cert_type_priority_all);
} else if ((algo = gnutls_certificate_type_get_id
- (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN)
- { // Specific server cert type allowed
+ (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN) {
+ // Specific server cert type allowed
fn(&(*priority_cache)->server_ctype, algo);
} else goto error;
} else { // Symmetric certificate type
if ((algo = gnutls_certificate_type_get_id
- (&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN)
- {
+ (&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN) {
fn(&(*priority_cache)->client_ctype, algo);
fn(&(*priority_cache)->server_ctype, algo);
+ } else if (strncasecmp(&broken_list[i][1], "CTYPE-OPENPGP", 13) == 0) {
+ /* legacy openpgp option - ignore */
+ continue;
} else goto error;
}
} else if (strncasecmp
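Review bot: The new CTYPE-OPENPGP branch is only reached after `gnutls_certificate_type_get_id(&broken_list[i][7])` has returned GNUTLS_CRT_UNKNOWN, so whether the keyword is ignored or applied as a certificate type depends on that lookup table not recognising "OPENPGP"; testing the keyword before the lookup would state the intent directly, i.e. make `strncasecmp(&broken_list[i][1], "CTYPE-OPENPGP", 13) == 0` its own `else if` ahead of the final `else { // Symmetric certificate type` and leave the lookup branch as it was. The comparison is a 13-character prefix match, consistent with the neighbouring CTYPE- checks, but for a keyword that is silently accepted it also accepts any longer suffix, which is worth a word in the comment if intended. Only the bare form is ignored, since `CTYPE-CLI-OPENPGP` and `CTYPE-SRV-OPENPGP` still fall through to `goto error` in their own branches, and the `[1]` offset appears to skip the sign so both `+` and `-` forms are accepted, as the new legacy3/legacy4 listings exercise; I would say so in the comment, e.g. `/* legacy OpenPGP option: bare CTYPE-OPENPGP (either sign) is accepted and ignored; CLI-/SRV- forms still error */`. The `continue` skips whatever follows this if/else chain in the loop body, and gnutls_priority_init starts and ends outside the hunk, so I could not confirm that nothing there still needs to run for an ignored keyword.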
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 4d40cc213a..021da722ae 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -61,7 +61,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
ocsp-tests/certs/server_good.key ocsp-tests/certs/server_bad.key ocsp-tests/certs/server_good.template \
ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der ocsp-tests/suppressions.valgrind \
data/listings-DTLS1.0 data/listings-SSL3.0 data/listings-TLS1.0 data/listings-TLS1.1 \
- data/listings-legacy1 data/listings-legacy2 \
+ data/listings-legacy1 data/listings-legacy2 data/listings-legacy3 data/listings-legacy4 \
data/listings-SSL3.0-TLS1.1 p11-kit-trust-data/Example_Root_CA.p11-kit server-kx-neg-common.c \
p11-kit-trust-data/Example_Root_CA.pem data/test1.cat data/test2.cat \
data/test1.cat.data data/test2.cat.data data/test1.cat.out data/test2.cat.out \
diff --git a/tests/cipher-listings.sh b/tests/cipher-listings.sh
index b8f3a602e3..ae20529ef2 100755
--- a/tests/cipher-listings.sh
+++ b/tests/cipher-listings.sh
@@ -85,6 +85,8 @@ check DTLS1.0 "NORMAL:-VERS-ALL:+VERS-DTLS1.0"
# test whether these work as expected.
check legacy1 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-GCM:+SIGN-ALL:+COMP-NULL"
check legacy2 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL"
+check legacy3 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+CTYPE-OPENPGP"
+check legacy4 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:-CTYPE-OPENPGP"
rm -f ${TMPFILE}
diff --git a/tests/data/listings-legacy3 b/tests/data/listings-legacy3
new file mode 100644
index 0000000000..cc932505b0
--- /dev/null
+++ b/tests/data/listings-legacy3
@@ -0,0 +1,4 @@
+Cipher suites for NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+CTYPE-OPENPGP
+TLS_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7b TLS1.2
+
+Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
diff --git a/tests/data/listings-legacy4 b/tests/data/listings-legacy4
new file mode 100644
index 0000000000..736692ef1e
--- /dev/null
+++ b/tests/data/listings-legacy4
@@ -0,0 +1,4 @@
+Cipher suites for NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:-CTYPE-OPENPGP
+TLS_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7b TLS1.2
+
+Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0