path: root/lib/algorithms/groups.c
authorDaiki Ueno <ueno@gnu.org>2021-05-06 12:41:40 +0200
committerDaiki Ueno <ueno@gnu.org>2021-11-29 13:21:53 +0100
commit0ecce7191dfd78387f2994253d37ed1df50d563d (patch)
treefb1d66e9329cdad3ef617c02b96c77aca1c8dd3e /lib/algorithms/groups.c
parentee3af8d6e863bd958cbe7468f9cbe09d803f4e92 (diff)
downloadgnutls-0ecce7191dfd78387f2994253d37ed1df50d563d.tar.gz
priority: support allowlisting in configuration file
This adds a new mode of interpreting the [overrides] section. If "override-mode" is set to "allowlisting" in the [global] section, all the algorithms (hashes, signature algorithms, curves, and versions) are initially marked as insecure/disabled. Then the user can enable them by specifying allowlisting keywords such as "secure-hash" in the [overrides] section. Signed-off-by: Daiki Ueno <ueno@gnu.org> Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
Diffstat (limited to 'lib/algorithms/groups.c')
-rw-r--r--lib/algorithms/groups.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/algorithms/groups.c b/lib/algorithms/groups.c
index d4b77beb2a..d8bf95824f 100644
--- a/lib/algorithms/groups.c
+++ b/lib/algorithms/groups.c
@@ -276,6 +276,24 @@ gnutls_group_t gnutls_group_get_id(const char *name)
return ret;
}
+
+/* Similar to gnutls_group_get_id, except that it does not check if
+ * the curve is supported.
+ */
+gnutls_group_t _gnutls_group_get_id(const char *name)
+{
+ gnutls_group_t ret = GNUTLS_GROUP_INVALID;
+
+ GNUTLS_GROUP_LOOP(
+ if (c_strcasecmp(p->name, name) == 0) {
+ ret = p->id;
+ break;
+ }
+ );
+
+ return ret;
+}
+
/**
* gnutls_group_get_name:
* @group: is an element from %gnutls_group_t
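Review bot: The comment above `_gnutls_group_get_id` says the support check is skipped but not what that means for callers: the loop returns `p->id` for any table entry whose name matches, so a valid-looking id from this function is not evidence that the group can actually be used. Since the commit message ties this to allowlisting from the configuration file, I would spell that out, e.g. `/* Looks up a group by name without checking that it is supported; returns GNUTLS_GROUP_INVALID if no entry matches. Intended for configuration parsing; callers must not treat the result as usable for negotiation. */`. The comment also says "curve" while the function deals in groups, so "group" would be the more accurate word if the table holds non-curve entries as well. Separately, `name` goes straight into `c_strcasecmp`, so if the configuration parser can ever pass NULL, a guard such as `if (name == NULL) return GNUTLS_GROUP_INVALID;` at the top would be cheap; whether callers already guarantee non-NULL is not visible in this hunk.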