[gnutls-devel] GnuTLS | gnutls_priority_init: ignore CTYPE-OPENPGP options (!789)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Wed Oct 31 15:12:45 CET 2018
Tom started a new discussion on lib/priority.c:
> + cert_type_priority_all);
> } else if ((algo = gnutls_certificate_type_get_id
> - (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN)
> - { // Specific server cert type allowed
> + (&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN) {
> + // Specific server cert type allowed
> fn(&(*priority_cache)->server_ctype, algo);
> } else goto error;
> } else { // Symmetric certificate type
> if ((algo = gnutls_certificate_type_get_id
> - (&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN)
> - {
> + (&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN) {
> fn(&(*priority_cache)->client_ctype, algo);
> fn(&(*priority_cache)->server_ctype, algo);
> + } else if (strncasecmp(&broken_list[i][1], "CTYPE-OPENPGP", 13) == 0) {
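Review bot: The new `else if` in the symmetric branch uses `strncasecmp(&broken_list[i][1], "CTYPE-OPENPGP", 13)`, which is a prefix comparison, so any option that merely begins with CTYPE-OPENPGP and carries trailing characters would match this branch as well. Consider comparing the whole token with `strcasecmp`, or also checking that the character after the 13-byte prefix is the string terminator. The branch is also only reached when `gnutls_certificate_type_get_id(&broken_list[i][7])` has returned `GNUTLS_CRT_UNKNOWN`, so a short comment stating that dependency would make the ordering assumption explicit.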
I think this check should be done first, i.e. before the `&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN` check. Otherwise we do not reach this second condition. `GNUTLS_CRT_OPENPGP` is not equal to `GNUTLS_CRT_UNKNOWN` and therefore we always end up in the first branch.
I think this will do the trick:
```
if ((algo = gnutls_certificate_type_get_id(&broken_list[i][7])) == GNUTLS_CRT_OPENPGP) {
	continue;
} else if (algo != GNUTLS_CRT_UNKNOWN) {
	// original code
}
```
or nested differently:
```
if ((algo = gnutls_certificate_type_get_id(&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN) {
	if (algo == GNUTLS_CRT_OPENPGP) {
		continue;
	} else {
		fn(&(*priority_cache)->client_ctype, algo);
		fn(&(*priority_cache)->server_ctype, algo);
	}
}
```
BTW, untested code so please check syntax errors and stuff. It's just to give you an idea.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/789#note_113516677