gnutls_store_commitment: introduced flag GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN

This flag allows operation of the function even with broken algorithms.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2 files changed, 6 insertions, 2 deletions

diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 2b240727d2..d56b028b42 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2429,6 +2429,7 @@ int gnutls_verify_stored_pubkey(const char *db_name,
 				const gnutls_datum_t * cert,
 				unsigned int flags);
 
+#define GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN 1
 int gnutls_store_commitment(const char *db_name,
 			    gnutls_tdb_t tdb,
 			    const char *host,
diff --git a/lib/verify-tofu.c b/lib/verify-tofu.c
index 3c953ba757..02b427c508 100644
--- a/lib/verify-tofu.c
+++ b/lib/verify-tofu.c
@@ -623,7 +623,7 @@ gnutls_store_pubkey(const char *db_name,
  * @hash_algo: The hash algorithm type
  * @hash: The raw hash
  * @expiration: The expiration time (use 0 to disable expiration)
- * @flags: should be 0.
+ * @flags: should be 0 or %GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN.
  *
  * This function will store the provided hash commitment to 
  * the list of stored public keys. The key with the given
@@ -653,9 +653,12 @@ gnutls_store_commitment(const char *db_name,
 	char local_file[MAX_FILENAME];
 	const mac_entry_st *me = hash_to_entry(hash_algo);
 
-	if (me == NULL || _gnutls_digest_is_secure(me) == 0)
+	if (me == NULL)
 		return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 
+	if (!(flags & GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN) && _gnutls_digest_is_secure(me) == 0)
+		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
+
 	if (_gnutls_hash_get_algo_len(me) != hash->size)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);