Commit c7de377e authored by Nikos Mavrogiannopoulos's avatar Nikos Mavrogiannopoulos

Merge branch 'tmp-ignore-ctypes' into 'master'

gnutls_priority_init: ignore CTYPE-OPENPGP options

Closes #593

See merge request !789
parents a7018176 e515d443
......@@ -18,6 +18,9 @@ See the end for copying conditions.
have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
S-BOXes). They are fixed now.
** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
in the priority string. It is only accepted as legacy option and is ignored.
** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
option (#561)
......
......@@ -1775,38 +1775,44 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
else
goto error;
}
} else if (strncasecmp
(&broken_list[i][1], "CTYPE-", 6) == 0) { // Certificate types
if (strncasecmp(&broken_list[i][1], "CTYPE-ALL", 9) == 0)
{ // Symmetric cert types, all types allowed
bulk_fn(&(*priority_cache)->client_ctype, cert_type_priority_all);
bulk_fn(&(*priority_cache)->server_ctype, cert_type_priority_all);
} else if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-", 10) == 0)
{ // Client certificate types
if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-ALL", 13) == 0)
{ // All client cert types allowed
bulk_fn(&(*priority_cache)->client_ctype, cert_type_priority_all);
} else if (strncasecmp(&broken_list[i][1], "CTYPE-", 6) == 0) {
// Certificate types
if (strncasecmp(&broken_list[i][1], "CTYPE-ALL", 9) == 0) {
// Symmetric cert types, all types allowed
bulk_fn(&(*priority_cache)->client_ctype,
cert_type_priority_all);
bulk_fn(&(*priority_cache)->server_ctype,
cert_type_priority_all);
} else if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-", 10) == 0) {
// Client certificate types
if (strncasecmp(&broken_list[i][1], "CTYPE-CLI-ALL", 13) == 0) {
// All client cert types allowed
bulk_fn(&(*priority_cache)->client_ctype,
cert_type_priority_all);
} else if ((algo = gnutls_certificate_type_get_id
(&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN)
{ // Specific client cert type allowed
(&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN) {
// Specific client cert type allowed
fn(&(*priority_cache)->client_ctype, algo);
} else goto error;
} else if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-", 10) == 0)
{ // Server certificate types
if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-ALL", 13) == 0)
{ // All server cert types allowed
bulk_fn(&(*priority_cache)->server_ctype, cert_type_priority_all);
} else if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-", 10) == 0) {
// Server certificate types
if (strncasecmp(&broken_list[i][1], "CTYPE-SRV-ALL", 13) == 0) {
// All server cert types allowed
bulk_fn(&(*priority_cache)->server_ctype,
cert_type_priority_all);
} else if ((algo = gnutls_certificate_type_get_id
(&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN)
{ // Specific server cert type allowed
(&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN) {
// Specific server cert type allowed
fn(&(*priority_cache)->server_ctype, algo);
} else goto error;
} else { // Symmetric certificate type
if ((algo = gnutls_certificate_type_get_id
(&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN)
{
(&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN) {
fn(&(*priority_cache)->client_ctype, algo);
fn(&(*priority_cache)->server_ctype, algo);
} else if (strncasecmp(&broken_list[i][1], "CTYPE-OPENPGP", 13) == 0) {
/* legacy openpgp option - ignore */
continue;
} else goto error;
}
} else if (strncasecmp
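Review bot: The new `CTYPE-OPENPGP` test in the symmetric-ctype branch is a prefix match (`strncasecmp(&broken_list[i][1], "CTYPE-OPENPGP", 13)`), so any keyword that merely begins with those 13 characters is silently ignored instead of reaching `goto error`; if only the exact legacy keyword should be tolerated, `strcasecmp(&broken_list[i][1], "CTYPE-OPENPGP") == 0` is the stricter check (the neighbouring `CTYPE-*` keywords use the same prefix style, so this may be a deliberate convention). The comment `/* legacy openpgp option - ignore */` would be more useful if it said why the keyword is accepted rather than rejected, e.g. `/* OpenPGP certificate support was removed; accept the keyword so priority strings from older releases still parse, but apply nothing */`. Only the symmetric form is tolerated: `CTYPE-CLI-OPENPGP` and `CTYPE-SRV-OPENPGP` still fall through to `goto error` in the branches above, which is worth confirming as intended. The `continue` skips whatever follows this if/else chain in the loop body, which lies outside the hunk, as does the start of gnutls_priority_init.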
......
......@@ -61,7 +61,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
ocsp-tests/certs/server_good.key ocsp-tests/certs/server_bad.key ocsp-tests/certs/server_good.template \
ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der ocsp-tests/suppressions.valgrind \
data/listings-DTLS1.0 data/listings-SSL3.0 data/listings-TLS1.0 data/listings-TLS1.1 \
data/listings-legacy1 data/listings-legacy2 \
data/listings-legacy1 data/listings-legacy2 data/listings-legacy3 data/listings-legacy4 \
data/listings-SSL3.0-TLS1.1 p11-kit-trust-data/Example_Root_CA.p11-kit server-kx-neg-common.c \
p11-kit-trust-data/Example_Root_CA.pem data/test1.cat data/test2.cat \
data/test1.cat.data data/test2.cat.data data/test1.cat.out data/test2.cat.out \
......
......@@ -85,6 +85,8 @@ check DTLS1.0 "NORMAL:-VERS-ALL:+VERS-DTLS1.0"
# test whether these work as expected.
check legacy1 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-GCM:+SIGN-ALL:+COMP-NULL"
check legacy2 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL"
check legacy3 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+CTYPE-OPENPGP"
check legacy4 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:-CTYPE-OPENPGP"
rm -f ${TMPFILE}
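Review bot: The two new `check` lines exercise `+CTYPE-OPENPGP` and `-CTYPE-OPENPGP` only as the last keyword of the priority string, so they do not show that parsing resumes correctly after the ignored keyword; a constructed variant such as `check legacy5 "NONE:+VERS-TLS-ALL:+CTYPE-OPENPGP:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL"` with a matching listing file would pin that. If the parser also accepts the `!` removal prefix, that form is untested as well. The `check` helper is defined outside the hunk.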
......
Cipher suites for NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+CTYPE-OPENPGP
TLS_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7b TLS1.2
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Cipher suites for NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:-CTYPE-OPENPGP
TLS_RSA_CAMELLIA_256_GCM_SHA384 0xc0, 0x7b TLS1.2
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0