diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-07-12 13:33:46 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-09-11 15:51:53 +0200 |
| commit | aaf0bf6587d48cba24e8b4aec1b3120efe85343b (patch) | |
| tree | 319886ff5a173f999534e06c198de1d09ad18944 /lib | |
| parent | f3add9cb5756a715ab01f0c6e329bc883731b719 (diff) | |
| download | gnutls-aaf0bf6587d48cba24e8b4aec1b3120efe85343b.tar.gz | |
priorities: when no signature algorithms eliminate (D)TLS 1.2 or later
If an application intentionally disables all signature algorithms, ensure
that we can operate by eliminating protocol options which require these
signature algorithms to be set.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/priority.c | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/lib/priority.c b/lib/priority.c index e297f3fd2b..a142994725 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -1260,16 +1260,29 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) priority_cache->cs.size, priority_cache->sigalg.size, priority_cache->groups.size); - if (priority_cache->cs.size == 0) { - return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); - } - if (priority_cache->sigalg.size == 0) { - if ((tlsmax && tlsmax->id >= GNUTLS_TLS1_2) || (dtlsmax && dtlsmax->id >= GNUTLS_DTLS1_2)) { - return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); + /* no signature algorithms; eliminate TLS 1.2 or DTLS 1.2 and later */ + priority_st newp; + newp.algorithms = 0; + + /* we need to eliminate TLS 1.2 or DTLS 1.2 and later protocols */ + for (i = 0; i < priority_cache->protocol.algorithms; i++) { + if (priority_cache->protocol.priority[i] < GNUTLS_TLS1_2) { + newp.priority[newp.algorithms++] = priority_cache->protocol.priority[i]; + } else if (priority_cache->protocol.priority[i] >= GNUTLS_DTLS_VERSION_MIN && + priority_cache->protocol.priority[i] < GNUTLS_DTLS1_2) { + newp.priority[newp.algorithms++] = priority_cache->protocol.priority[i]; + } } + memcpy(&priority_cache->protocol, &newp, sizeof(newp)); + + if (priority_cache->protocol.algorithms == 0) + return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); } + if (priority_cache->cs.size == 0) + return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); + /* when TLS 1.3 is available we must have groups set */ if (tlsmax && tlsmax->id >= GNUTLS_TLS1_3 && priority_cache->groups.size == 0) return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); |