diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-04-04 16:25:37 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-06-20 15:50:44 +0200 |
commit | e9366c86ee8434669014fc1544d52e384430072a (patch) | |
tree | 036ff1eb760c05691288a198bbbfb8e915f43e20 /configure.ac | |
parent | 90142f2d70018d862cba02067159cad8c7db4239 (diff) | |
download | gnutls-e9366c86ee8434669014fc1544d52e384430072a.tar.gz |
config: added ability to override and mark algorithms as disabled
This allows the system administrator or the distributor to use
the gnutls configuration file to mark hashes, signature algorithms,
TLS versions, curves, groups, ciphers KX, and MAC algorithms as
insecure (the last four only in the context of a TLS session).
It also allows to set a minimum profile which the applications
cannot fall below.
The options intentionally do not allow marking algorithms as
secure so that the configuration file cannot be used as an attack
vector. This change also makes sure that unsupported and disabled protocols
during compile time (e.g., SSL3.0), do not get listed by gnutls-cli.
The configuration file feature can be disabled at compile time
with an empty --with-system-priority-file.
This patch it introduces the function gnutls_get_system_config_file()
allowing applications to check whether a configuration file
was used.
Resolves: #587
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/configure.ac b/configure.ac index c2fe1794ef..e246fdcb73 100644 --- a/configure.ac +++ b/configure.ac @@ -628,17 +628,23 @@ fi AC_DEFINE_UNQUOTED([UNBOUND_ROOT_KEY_FILE], ["$unbound_root_key_file"], [The DNSSEC root key file]) +system_config_file="/etc/gnutls/config" AC_ARG_WITH(system-priority-file, AS_HELP_STRING([--with-system-priority-file], - [specify the system priority file]), - system_priority_file="$withval", -system_priority_file="/etc/gnutls/default-priorities" + [specify the system-wide config file (set empty to disable; default is $config)]), + system_config_file="$withval" ) +AM_CONDITIONAL(DISABLE_SYSTEM_CONFIG, test -z "${system_config_file}") + +if test -z "${system_config_file}";then + AC_DEFINE([DISABLE_SYSTEM_CONFIG], 1, [Whether to disable system configuration]) +fi + AC_DEFINE_UNQUOTED([SYSTEM_PRIORITY_FILE], - ["$system_priority_file"], [The system priority file]) + ["$system_config_file"], [The system-wide gnutls configuration file]) AC_ARG_WITH(default-priority-string, AS_HELP_STRING([--with-default-priority-string], - [specify the default priority string (e.g. @SYSTEM)]), + [specify the default priority string used by gnutls_set_default_priority (default is NORMAL)]), prio_string="$withval", prio_string="NORMAL") @@ -1079,7 +1085,7 @@ AC_MSG_NOTICE([System files: Trust store file: $with_default_trust_store_file Blacklist file: $with_default_blacklist_file CRL file: $with_default_crl_file - Priority file: $system_priority_file + Configuration file: $system_config_file DNSSEC root key file: $unbound_root_key_file ]) |