priority: support allowlisting in configuration file

This adds a new mode of interpreting the [overrides] section.  If
"override-mode" is set to "allowlisting" in the [global] section, all
the algorithms (hashes, signature algorithms, curves, and versions)
are initially marked as insecure/disabled.  Then the user can enable
them by specifying allowlisting keywords such as "secure-hash" in the
[overrides] section.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>

1 files changed, 10 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 42c2be0124..638b3b51c2 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,11 @@ See the end for copying conditions.
 
 * Version 3.7.3 (unreleased)
 
+** libgnutls: The allowlisting configuration mode has been added to the system-wide
+   settings. In this mode, all the algorithms are initially marked as insecure
+   or disabled, while the applications can re-enable them either through the
+   [overrides] section of the configuration file or the new API (#1172).
+
 ** certtool: Certtool can now generate, manipulate, and evaluate x25519 and
    x448 public keys, private keys, and certificates.
 ** libgnutls: disabling a hashing algorithm through "insecure-hash"
@@ -22,6 +27,11 @@ See the end for copying conditions.
 ** API and ABI modifications:
 GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
 GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
+gnutls_ecc_curve_set_enabled: Added.
+gnutls_sign_set_secure: Added.
+gnutls_sign_set_secure_for_certs: Added.
+gnutls_digest_set_secure: Added.
+gnutls_protocol_set_enabled: Added.
 
 * Version 3.7.2 (released 2021-05-29)