author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-12-19 21:35:53 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-12-20 10:08:32 +0100 |
commit | 0f34a9c5886d0017a40ec6940d0de1d99f03f49f (patch) | |
tree | 7f469c8bf6ba1a8a30f2f5cf7937ed39730bc71c | |
parent | 8ab3dd8fc6daa78d508fb40c0c55ecc7ea8aa5b1 (diff) | |
download | gnutls-0f34a9c5886d0017a40ec6940d0de1d99f03f49f.tar.gz |
priorities: reset the profile flags when appending new flags
That is, to avoid causing issues to applications calling gnutls_*priority_set()
multiple times with different parameters. In that case if multiple profiles are
used the outcome could be undefined. Now, the last call will prevail.
-rw-r--r-- | lib/auto-verify.c | 5 | ||||
-rw-r--r-- | lib/gnutls_int.h | 10 | ||||
-rw-r--r-- | lib/priority.c | 2 |
3 files changed, 14 insertions, 3 deletions
diff --git a/lib/auto-verify.c b/lib/auto-verify.c index 1cf5f55dfa..179fb1066f 100644 --- a/lib/auto-verify.c +++ b/lib/auto-verify.c @@ -91,8 +91,9 @@ void gnutls_session_set_verify_cert(gnutls_session_t session, session->internals.vc_elements = 0; } - if (flags) - session->internals.additional_verify_flags |= flags; + if (flags) { + ADD_PROFILE_VFLAGS(session, flags); + } gnutls_session_set_verify_function(session, auto_verify_cb); } diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 5ed45cec4e..8da8dadf93 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -1029,6 +1029,16 @@ typedef struct { unsigned vc_status; unsigned int additional_verify_flags; /* may be set by priorities or the vc functions */ + /* we append the verify flags because these can be set, + * either by this function or by gnutls_session_set_verify_cert(). + * However, we ensure that a single profile is set. */ +#define ADD_PROFILE_VFLAGS(session, vflags) do { \ + if ((session->internals.additional_verify_flags & GNUTLS_VFLAGS_PROFILE_MASK) && \ + (vflags & GNUTLS_VFLAGS_PROFILE_MASK)) \ + session->internals.additional_verify_flags &= ~GNUTLS_VFLAGS_PROFILE_MASK; \ + session->internals.additional_verify_flags |= vflags; \ + } while(0) + /* the SHA256 hash of the peer's certificate */ uint8_t cert_hash[32]; bool cert_hash_set; diff --git a/lib/priority.c b/lib/priority.c index 8ebdee0158..cb2de23a9a 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -575,7 +575,7 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority) session->internals.priorities.compression.algorithms == 0) return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET); - session->internals.additional_verify_flags |= priority->additional_verify_flags; + ADD_PROFILE_VFLAGS(session, priority->additional_verify_flags); return 0; } |
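Review bot: The doc comment of gnutls_session_set_verify_cert() should say that a profile passed in `flags` now replaces a profile set earlier, and is itself replaced by a later gnutls_priority_set() that carries one. Without that, a caller cannot tell that the effective certificate-verification profile depends on call order. I would add ` * If @flags contains a verification profile, it replaces any profile set previously (e.g., by the priority string); a later call that sets a profile replaces it in turn.` The doc comment and the start of the function are outside this hunk. Separately, the `if (flags) { ... }` guard is now redundant, because the macro does nothing for a zero argument, so the call can be the bare `ADD_PROFILE_VFLAGS(session, flags);`.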
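Review bot: ADD_PROFILE_VFLAGS uses `session` and `vflags` unparenthesized and expands `vflags` twice. An argument such as `a | b` would expand to `(a | b & GNUTLS_VFLAGS_PROFILE_MASK)`, which mis-evaluates the profile test and can leave two profiles set, the case this commit is meant to prevent. Both visible callers pass a plain expression, so this is latent, but the macro should parenthesize its arguments and evaluate `vflags` once, or become a `static inline` function. The macro is also defined in the middle of the struct body. Its comment still says "by this function", which has no referent in the header and should name gnutls_priority_set() instead.

```c
/* … unchanged: comment above the macro (reword "this function") … */
#define ADD_PROFILE_VFLAGS(session, vflags) do { \
	unsigned int vf_ = (vflags); \
	if (((session)->internals.additional_verify_flags & GNUTLS_VFLAGS_PROFILE_MASK) && \
	    (vf_ & GNUTLS_VFLAGS_PROFILE_MASK)) \
		(session)->internals.additional_verify_flags &= ~GNUTLS_VFLAGS_PROFILE_MASK; \
	(session)->internals.additional_verify_flags |= vf_; \
	} while(0)
```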
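Review bot: Only the profile bits are reset at this call; every other bit of `priority->additional_verify_flags` is still OR-ed into the session. A non-profile verify flag from an earlier gnutls_priority_set() therefore appears to survive a later call with a stricter priority string. The commit message's "the last call will prevail" holds for profiles only, and the code should say so, for example `/* only the profile is replaced here; other verify flags set by earlier calls remain in effect */` above the macro call. If relaxing flags from a previous priority are meant to be dropped as well, that needs separate tracking of which bits came from priorities, which this hunk does not show. The function begins outside the hunk.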