diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-24 08:57:27 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-24 12:26:43 +0100 |
commit | 1f2f9dafe00f6d240cb8c67f49bfadfd020e0304 (patch) | |
tree | 42216929ab5d609489d9fa3c8040e6e558e564b9 | |
parent | e2de2924506edec3183648225d5c08b5e29bbf61 (diff) | |
download | gnutls-1f2f9dafe00f6d240cb8c67f49bfadfd020e0304.tar.gz |
gnutls_store_commitment: introduced flag GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN
This flag allows operation of the function even with broken algorithms.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 1 | ||||
-rw-r--r-- | lib/verify-tofu.c | 7 |
2 files changed, 6 insertions, 2 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 9db1baf14a..cf82cd13ab 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -2425,6 +2425,7 @@ int gnutls_verify_stored_pubkey(const char *db_name, const gnutls_datum_t * cert, unsigned int flags); +#define GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN 1 int gnutls_store_commitment(const char *db_name, gnutls_tdb_t tdb, const char *host, diff --git a/lib/verify-tofu.c b/lib/verify-tofu.c index 3c953ba757..02b427c508 100644 --- a/lib/verify-tofu.c +++ b/lib/verify-tofu.c @@ -623,7 +623,7 @@ gnutls_store_pubkey(const char *db_name, * @hash_algo: The hash algorithm type * @hash: The raw hash * @expiration: The expiration time (use 0 to disable expiration) - * @flags: should be 0. + * @flags: should be 0 or %GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. * * This function will store the provided hash commitment to * the list of stored public keys. The key with the given @@ -653,9 +653,12 @@ gnutls_store_commitment(const char *db_name, char local_file[MAX_FILENAME]; const mac_entry_st *me = hash_to_entry(hash_algo); - if (me == NULL || _gnutls_digest_is_secure(me) == 0) + if (me == NULL) return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + if (!(flags & GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN) && _gnutls_digest_is_secure(me) == 0) + return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); + if (_gnutls_hash_get_algo_len(me) != hash->size) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |