Fix bg in security setting exposed by earlier fix.

2025-04-23 09:04:13 +00:00 · 2019-09-25 12:54:11 +01:00 · 2019-09-25 12:54:11 +01:00 · 99c080a3ee
commit 99c080a3ee
parent ddcff45b89
3 changed files with 17 additions and 12 deletions
--- a/2
+++ b/2
@ -3,6 +3,8 @@
 	* Source/NSArray.m: [-removeObjectsInArray:] add checks to prevent
 	possible crashes, particulary if the method argument is the receiver;
 	crash seen by Wolfgang.
+	* Source/GSSocketStream.m: Fix incorrect key when setting old security
+	level.  Change internal API name to avoid confusion.

 2019-09-21  Richard Frith-Macdonald <rfm@gnu.org>

--- a/Source/GSSocketStream.m
+++ b/Source/GSSocketStream.m
@ -363,7 +363,7 @@ GSPrivateSockaddrSetup(NSString *machine, uint16_t port,
 * the output stream's one has precedence.
 */
 + (void) populateProperties: (NSMutableDictionary**)dict
-            withTLSPriority: (NSString*)pri
+          withSecurityLevel: (NSString*)l
            fromInputStream: (NSStream*)i
             orOutputStream: (NSStream*)o;

@ -465,7 +465,7 @@ static NSArray  *keys = nil;
 }

 + (void) populateProperties: (NSMutableDictionary**)dict
-	    withTLSPriority: (NSString*)pri
+	  withSecurityLevel: (NSString*)l
 	    fromInputStream: (NSStream*)i
 	     orOutputStream: (NSStream*)o
 {
@ -475,9 +475,9 @@ static NSArray  *keys = nil;
      NSMutableDictionary       *opts = *dict;
      NSUInteger                count;
      
-      if (nil != pri)
+      if (nil != l)
 	{
-	  [opts setObject: pri forKey: GSTLSPriority];
+	  [opts setObject: l forKey: NSStreamSocketSecurityLevelKey];
 	}
      count = [keys count];
      while (count-- > 0)
@ -645,7 +645,7 @@ static NSArray  *keys = nil;
   */
  opts = [NSMutableDictionary new];
  [[self class] populateProperties: &opts
-		   withTLSPriority: str
+		 withSecurityLevel: str
 		   fromInputStream: i
 		    orOutputStream: o];
  
@ -798,7 +798,7 @@ static NSArray  *keys = nil;
 }

 + (void) populateProperties: (NSMutableDictionary**)dict
-	    withTLSPriority: (NSString*)pri
+	  withSecurityLevel: (NSString*)l
 	    fromInputStream: (NSStream*)i
 	     orOutputStream: (NSStream*)o
 {
@ -808,9 +808,9 @@ static NSArray  *keys = nil;
  
  if (NULL != dict)
    {
-      if (nil != pri)
+      if (nil != l)
 	{
-	  [opts setObject: pri forKey: GSTLSPriority];
+	  [opts setObject: l forKey: NSStreamSocketSecurityLevelKey];
 	}
      count = [keys count];
      while (count-- > 0)
@ -2804,7 +2804,7 @@ setNonBlocking(SOCKET fd)
 	  [opts setObject: str forKey: NSStreamSocketSecurityLevelKey];
 	  // copy the properties in the 'opts'
 	  [GSTLSHandler populateProperties: &opts
-			   withTLSPriority: str
+			 withSecurityLevel: str
 			   fromInputStream: self
 			    orOutputStream: nil];
 	  // and set the input/output streams's properties from the 'opts'
--- a/Source/GSTLS.m
+++ b/Source/GSTLS.m
@ -1765,10 +1765,13 @@ retrieve_callback(gnutls_session_t session,
        }
      else
        {
-#if GNUTLS_VERSION_NUMBER >= 0x020C00
-          gnutls_priority_set_direct(session, [str UTF8String], NULL);
+#if GNUTLS_VERSION_NUMBER < 0x020C00
+	  gnutls_set_default_priority(session);
 #else
-          gnutls_set_default_priority(session);
+	  /* By default we disable SSL3.0 as the 'POODLE' attack (Oct 2014)
+	   * renders it insecure.
+	   */
+          gnutls_priority_set_direct(session, [str UTF8String], NULL);
 #endif
        }