author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-11-02 13:41:46 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-11-02 13:41:46 +0000 |
commit | c7de377eb4a9fe820d785fb93288041b1ac8484b (patch) | |
tree | fe52840333cebbbe38e1e15a733d33f05468e927 | |
parent | a701817616bdf263d4dcb688bd0cb4705e7a37c8 (diff) | |
parent | e515d4439f84067a6c956a890214848f722c621c (diff) | |
download | gnutls-c7de377eb4a9fe820d785fb93288041b1ac8484b.tar.gz |
Merge branch 'tmp-ignore-ctypes' into 'master'
gnutls_priority_init: ignore CTYPE-OPENPGP options
Closes #593
See merge request gnutls/gnutls!789
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | lib/priority.c | 50 | ||||
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rwxr-xr-x | tests/cipher-listings.sh | 2 | ||||
-rw-r--r-- | tests/data/listings-legacy3 | 4 | ||||
-rw-r--r-- | tests/data/listings-legacy4 | 4 |
6 files changed, 42 insertions, 23 deletions
@@ -18,6 +18,9 @@ See the end for copying conditions. have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D S-BOXes). They are fixed now.
+** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
+ in the priority string. It is only accepted as legacy option and is ignored.
+
 ** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin option (#561)
diff --git a/lib/priority.c b/lib/priority.c
index 33d164f214..11ff9ddce5 100644
--- a/lib/priority.c
+++ b/lib/priority.c 
@@ -1775,38 +1775,44 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 else goto error;
 }
- } else if (strncasecmp
- (&broken_list[i][1], "CTYPE-", 6) == 0) { // Certificate types
- if (strncasecmp(&broken_list[i][1], "CTYPE-ALL", 9) == 0)
- { // Symmetric cert types, all types allowed
- bulk_fn(&(*priority_cache)->client_ctype, cert_type_priority_all);
- bulk_fn(&(*priority_cache)->server_ctype, cert_type_priority_all);
- } else if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-", 10) == 0)
- { // Client certificate types
- if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-ALL", 13) == 0)
- { // All client cert types allowed
- bulk_fn(&(*priority_cache)->client_ctype, cert_type_priority_all);
+ } else if (strncasecmp(&broken_list[i][1], "CTYPE-", 6) == 0) {
+ // Certificate types
+ if (strncasecmp(&broken_list[i][1], "CTYPE-ALL", 9) == 0) {
+ // Symmetric cert types, all types allowed
+ bulk_fn(&(*priority_cache)->client_ctype,
+ cert_type_priority_all);
+ bulk_fn(&(*priority_cache)->server_ctype,
+ cert_type_priority_all);
+ } else if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-", 10) == 0) {
+ // Client certificate types
+ if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-ALL", 13) == 0) {
+ // All client cert types allowed
+ bulk_fn(&(*priority_cache)->client_ctype,
+ cert_type_priority_all);
 } else if ((algo = gnutls_certificate_type_get_id
- (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN)
- { // Specific client cert type allowed
+ (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN) {
+ // Specific client cert type allowed
 fn(&(*priority_cache)->client_ctype, algo);
 } else goto error;
- } else if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-", 10) == 0)
- { // Server certificate types
- if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-ALL", 13) == 0)
- { // All server cert types allowed
- bulk_fn(&(*priority_cache)->server_ctype, cert_type_priority_all);
+ } else if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-", 10) == 0) {
+ // Server certificate types
+ if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-ALL", 13) == 0) {
+ // All server cert types allowed
+ bulk_fn(&(*priority_cache)->server_ctype,
+ cert_type_priority_all);
 } else if ((algo = gnutls_certificate_type_get_id
- (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN)
- { // Specific server cert type allowed
+ (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN) {
+ // Specific server cert type allowed
 fn(&(*priority_cache)->server_ctype, algo);
 } else goto error;
 } else { // Symmetric certificate type
 if ((algo = gnutls_certificate_type_get_id
- (&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN)
- {
+ (&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN) {
 fn(&(*priority_cache)->client_ctype, algo);
 fn(&(*priority_cache)->server_ctype, algo);
+ } else if (strncasecmp(&broken_list[i][1], "CTYPE-OPENPGP", 13) == 0) {
+ /* legacy openpgp option - ignore */
+ continue;
 } else goto error;
 }
 } else if (strncasecmp
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 4d40cc213a..021da722ae 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -61,7 +61,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
 ocsp-tests/certs/server_good.key ocsp-tests/certs/server_bad.key ocsp-tests/certs/server_good.template \
 ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der ocsp-tests/suppressions.valgrind \
 data/listings-DTLS1.0 data/listings-SSL3.0 data/listings-TLS1.0 data/listings-TLS1.1 \
- data/listings-legacy1 data/listings-legacy2 \
+ data/listings-legacy1 data/listings-legacy2 data/listings-legacy3 data/listings-legacy4 \
 data/listings-SSL3.0-TLS1.1 p11-kit-trust-data/Example_Root_CA.p11-kit server-kx-neg-common.c \
 p11-kit-trust-data/Example_Root_CA.pem data/test1.cat data/test2.cat \
 data/test1.cat.data data/test2.cat.data data/test1.cat.out data/test2.cat.out \
diff --git a/tests/cipher-listings.sh b/tests/cipher-listings.sh
index b8f3a602e3..ae20529ef2 100755
--- a/tests/cipher-listings.sh
+++ b/tests/cipher-listings.sh 
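Review bot: The new `CTYPE-OPENPGP` arm sits after the `gnutls_certificate_type_get_id(&broken_list[i][7])` lookup in the symmetric branch, so the keyword is ignored only while that lookup keeps returning GNUTLS_CRT_UNKNOWN for "OPENPGP"; the legacy3/legacy4 listings added in this merge pin that behaviour, but the intent reads more clearly if the arm is tested first, as `} else if (strcasecmp(&broken_list[i][1], "CTYPE-OPENPGP") == 0) { /* legacy openpgp option - ignore */ continue; }` placed ahead of `} else { // Symmetric certificate type`. The 13-character `strncasecmp` is a prefix match, like the existing CTYPE checks, so a mistyped `CTYPE-OPENPGPX` is also dropped silently instead of reaching `goto error`; since this keyword is discarded entirely, an exact compare is the safer choice. `CTYPE-CLI-OPENPGP` and `CTYPE-SRV-OPENPGP` presumably still fail in the CLI/SRV branches above, which the NEWS entry could state explicitly. The enclosing gnutls_priority_init() parsing loop starts and ends outside the hunk.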
@@ -85,6 +85,8 @@ check DTLS1.0 "NORMAL:-VERS-ALL:+VERS-DTLS1.0" # test whether these work as expected.
 check legacy1 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-GCM:+SIGN-ALL:+COMP-NULL"
 check legacy2 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL"
+check legacy3 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+CTYPE-OPENPGP"
+check legacy4 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:-CTYPE-OPENPGP"
 rm -f ${TMPFILE}
diff --git a/tests/data/listings-legacy3 b/tests/data/listings-legacy3
new file mode 100644
index 0000000000..cc932505b0
--- /dev/null
+++ b/tests/data/listings-legacy3
@@ -0,0 +1,4 @@
+Cipher suites for NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+CTYPE-OPENPGP
+TLS_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7b TLS1.2
+
+Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
diff --git a/tests/data/listings-legacy4 b/tests/data/listings-legacy4
new file mode 100644
index 0000000000..736692ef1e
--- /dev/null
+++ b/tests/data/listings-legacy4
@@ -0,0 +1,4 @@
+Cipher suites for NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:-CTYPE-OPENPGP
+TLS_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7b TLS1.2
+
+Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0 |