diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-07-12 15:41:21 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-07-13 08:52:22 +0200 |
| commit | 9faa012bc07aeef2147f4b4224aaee4cfe02256a (patch) | |
| tree | c3150896b84ddefe70fc999cf2d1c6f93443f3e3 | |
| parent | 7f74ddbd0bfab5c45ef7d3bd59a806ed6fa6082a (diff) | |
| download | gnutls-9faa012bc07aeef2147f4b4224aaee4cfe02256a.tar.gz | |
priorities: ensure that SSL3.0 enablement fails early when disabled
That is, that a priority string with only SSL3.0 present is discarded as
invalid.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | lib/algorithms/protocols.c | 2 | ||||
| -rw-r--r-- | lib/priority.c | 21 |
2 files changed, 15 insertions, 8 deletions
diff --git a/lib/algorithms/protocols.c b/lib/algorithms/protocols.c index 86c7a6027f..e1093a9ced 100644 --- a/lib/algorithms/protocols.c +++ b/lib/algorithms/protocols.c @@ -33,7 +33,9 @@ static const version_entry_st sup_versions[] = { .major = 3, .minor = 0, .transport = GNUTLS_STREAM, +#ifdef ENABLE_SSL3 .supported = 1, +#endif .explicit_iv = 0, .extensions = 0, .selectable_sighash = 0, diff --git a/lib/priority.c b/lib/priority.c index 4027042b33..9236f7fe09 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -1350,9 +1350,10 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) } } - _gnutls_debug_log("added %d ciphersuites, %d sig algos and %d groups into priority list\n", - priority_cache->cs.size, priority_cache->sigalg.size, - priority_cache->groups.size); + _gnutls_debug_log("added %d protocols, %d ciphersuites, %d sig algos and %d groups into priority list\n", + priority_cache->protocol.algorithms, + priority_cache->cs.size, priority_cache->sigalg.size, + priority_cache->groups.size); if (priority_cache->sigalg.size == 0) { /* no signature algorithms; eliminate TLS 1.2 or DTLS 1.2 and later */ @@ -1369,16 +1370,20 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) } } memcpy(&priority_cache->protocol, &newp, sizeof(newp)); - - if (priority_cache->protocol.algorithms == 0) - return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); } - if (priority_cache->cs.size == 0) + if (unlikely(priority_cache->protocol.algorithms == 0)) + return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); +#ifndef ENABLE_SSL3 + else if (unlikely(priority_cache->protocol.algorithms == 1 && priority_cache->protocol.priority[0] == GNUTLS_SSL3)) + return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); +#endif + + if (unlikely(priority_cache->cs.size == 0)) return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); /* when TLS 1.3 is available we must have groups set */ - if (!have_psk && tlsmax && tlsmax->id >= GNUTLS_TLS1_3 && priority_cache->groups.size == 0) + if (unlikely(!have_psk && tlsmax && tlsmax->id >= GNUTLS_TLS1_3 && priority_cache->groups.size == 0)) return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); return 0; |