diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-04-04 16:25:37 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-06-20 15:50:44 +0200 |
| commit | e9366c86ee8434669014fc1544d52e384430072a (patch) | |
| tree | 036ff1eb760c05691288a198bbbfb8e915f43e20 /lib/algorithms/protocols.c | |
| parent | 90142f2d70018d862cba02067159cad8c7db4239 (diff) | |
| download | gnutls-e9366c86ee8434669014fc1544d52e384430072a.tar.gz | |
config: added ability to override and mark algorithms as disabled
This allows the system administrator or the distributor to use
the gnutls configuration file to mark hashes, signature algorithms,
TLS versions, curves, groups, ciphers KX, and MAC algorithms as
insecure (the last four only in the context of a TLS session).
It also allows to set a minimum profile which the applications
cannot fall below.
The options intentionally do not allow marking algorithms as
secure so that the configuration file cannot be used as an attack
vector. This change also makes sure that unsupported and disabled protocols
during compile time (e.g., SSL3.0), do not get listed by gnutls-cli.
The configuration file feature can be disabled at compile time
with an empty --with-system-priority-file.
This patch it introduces the function gnutls_get_system_config_file()
allowing applications to check whether a configuration file
was used.
Resolves: #587
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/algorithms/protocols.c')
| -rw-r--r-- | lib/algorithms/protocols.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/lib/algorithms/protocols.c b/lib/algorithms/protocols.c index 72b43fcf77..7242e1aa0c 100644 --- a/lib/algorithms/protocols.c +++ b/lib/algorithms/protocols.c @@ -27,7 +27,9 @@ #include "c-strcase.h" /* TLS Versions */ -static const version_entry_st sup_versions[] = { + +static SYSTEM_CONFIG_OR_CONST +version_entry_st sup_versions[] = { {.name = "SSL3.0", .id = GNUTLS_SSL3, .age = 0, @@ -195,6 +197,21 @@ version_is_valid_for_session(gnutls_session_t session, return 0; } +int _gnutls_version_mark_disabled(const char *name) +{ +#ifndef DISABLE_SYSTEM_CONFIG + version_entry_st *p; + + for (p = sup_versions; p->name != NULL; p++) + if (c_strcasecmp(p->name, name) == 0) { + p->supported = 0; + return 0; + } + +#endif + return GNUTLS_E_INVALID_REQUEST; +} + /* Return the priority of the provided version number */ int _gnutls_version_priority(gnutls_session_t session, @@ -440,8 +457,11 @@ const gnutls_protocol_t *gnutls_protocol_list(void) if (supported_protocols[0] == 0) { int i = 0; - for (p = sup_versions; p->name != NULL; p++) + for (p = sup_versions; p->name != NULL; p++) { + if (!p->supported) + continue; supported_protocols[i++] = p->id; + } supported_protocols[i++] = 0; } |