author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-03 14:02:08 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-03 14:04:05 +0100 |
commit | b4ede98dc88d4672c4ab803dcba80da2cc46e59e (patch) | |
tree | 027c402cd711eb702e755b9b2ebd634465ba4dde | |
parent | 0736e5a8f8474df22b19e155b015fcf2a777bf5f (diff) | |
download | gnutls-b4ede98dc88d4672c4ab803dcba80da2cc46e59e.tar.gz |
When multiple initial keywords are set in a priority string, the security level used is that of the lowest-security keyword.
Conflicts:
lib/gnutls_priority.c
-rw-r--r-- | lib/gnutls_priority.c | 28 |
1 files changed, 12 insertions, 16 deletions
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 1ec6f280ac..1fb440edd8 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -633,6 +633,10 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority)
 #define LEVEL_SUITEB192 "SUITEB192"
 #define LEVEL_EXPORT "EXPORT"
+#define SET_LEVEL(to_set) \
+  if (priority_cache->level == 0 || priority_cache->level > to_set) \
+    priority_cache->level = to_set
+
 static int
 check_level(const char* level, gnutls_priority_t priority_cache, int add)
 {
@@ -651,8 +655,7 @@ bulk_rmadd_func *func;
           sign_priority_default);
       func (&priority_cache->supported_ecc, supported_ecc_normal);
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
+      SET_LEVEL(GNUTLS_SEC_PARAM_VERY_WEAK);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_NORMAL) == 0)
@@ -664,8 +667,7 @@ bulk_rmadd_func *func;
           sign_priority_default);
       func (&priority_cache->supported_ecc, supported_ecc_normal);
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
+      SET_LEVEL(GNUTLS_SEC_PARAM_VERY_WEAK);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_PFS) == 0)
@@ -677,8 +679,7 @@ bulk_rmadd_func *func;
           sign_priority_default);
       func (&priority_cache->supported_ecc, supported_ecc_normal);
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK;
+      SET_LEVEL(GNUTLS_SEC_PARAM_VERY_WEAK);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_SECURE256) == 0
@@ -693,8 +694,7 @@ bulk_rmadd_func *func;
       func (&priority_cache->supported_ecc, supported_ecc_secure192);
       /* be conservative for now. Set the bits to correspond to 96-bit level */
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_LEGACY;
+      SET_LEVEL(GNUTLS_SEC_PARAM_LEGACY);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_SECURE128) == 0
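Review bot: The `SET_LEVEL` macro added in the first hunk (and used in the seven hunks that follow, through `@@ -752`) expands to a bare `if` statement with an unparenthesized `to_set`, so a future call such as `if (cond) SET_LEVEL(x); else …` would bind the `else` to the macro's own `if`; the call sites in this commit are safe because each is a standalone statement before `return 1;`, but the macro should take the `do { … } while (0)` form with `(to_set)`. The `>` comparison also assumes the `gnutls_sec_param_t` values grow with strength and that 0 means "not yet set"; that is what makes the combined level the weakest keyword named, which is the commit's stated intent, and it deserves a comment on the macro, e.g. `/* keep the weakest level named so far; 0 means unset */`. Since the macro silently depends on the enclosing function's `priority_cache` parameter, an `#undef SET_LEVEL` after `check_level` would keep it from being picked up elsewhere in the file. `check_level`'s body continues outside the hunk.
```c
/* Keep the weakest level named so far; 0 means unset.
   Relies on gnutls_sec_param_t values increasing with strength
   and on the enclosing function's priority_cache parameter. */
#define SET_LEVEL(to_set) \
  do { \
    if (priority_cache->level == 0 || priority_cache->level > (to_set)) \
      priority_cache->level = (to_set); \
  } while (0)
```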
@@ -709,8 +709,7 @@ bulk_rmadd_func *func;
       func (&priority_cache->supported_ecc, supported_ecc_secure128);
       /* be conservative for now. Set the bits to correspond to an 72-bit level */
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_WEAK;
+      SET_LEVEL(GNUTLS_SEC_PARAM_WEAK);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_SUITEB128) == 0)
@@ -724,8 +723,7 @@ bulk_rmadd_func *func;
           sign_priority_suiteb128);
       func (&priority_cache->supported_ecc, supported_ecc_suiteb128);
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_HIGH;
+      SET_LEVEL(GNUTLS_SEC_PARAM_HIGH);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_SUITEB192) == 0)
@@ -739,8 +737,7 @@ bulk_rmadd_func *func;
           sign_priority_suiteb192);
       func (&priority_cache->supported_ecc, supported_ecc_suiteb192);
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_ULTRA;
+      SET_LEVEL(GNUTLS_SEC_PARAM_ULTRA);
       return 1;
     }
   else if (strcasecmp (level, LEVEL_EXPORT) == 0)
@@ -752,8 +749,7 @@ bulk_rmadd_func *func;
           sign_priority_default);
       func (&priority_cache->supported_ecc, supported_ecc_normal);
-      if (priority_cache->level == 0)
-        priority_cache->level = GNUTLS_SEC_PARAM_EXPORT;
+      SET_LEVEL(GNUTLS_SEC_PARAM_EXPORT);
       return 1;
     }
   return 0;
|