authorDaiki Ueno <ueno@gnu.org>2021-05-06 12:41:40 +0200
committerDaiki Ueno <ueno@gnu.org>2021-11-29 13:21:53 +0100
commit0ecce7191dfd78387f2994253d37ed1df50d563d (patch)
treefb1d66e9329cdad3ef617c02b96c77aca1c8dd3e /lib/includes/gnutls/gnutls.h.in
parentee3af8d6e863bd958cbe7468f9cbe09d803f4e92 (diff)
priority: support allowlisting in configuration file
This adds a new mode of interpreting the [overrides] section. If "override-mode" is set to "allowlisting" in the [global] section, all the algorithms (hashes, signature algorithms, curves, and versions) are initially marked as insecure/disabled. Then the user can enable them by specifying allowlisting keywords such as "secure-hash" in the [overrides] section. Signed-off-by: Daiki Ueno <ueno@gnu.org> Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
Diffstat (limited to 'lib/includes/gnutls/gnutls.h.in')
-rw-r--r--lib/includes/gnutls/gnutls.h.in11
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index d69b29b443..1e883aa8eb 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1438,6 +1438,17 @@ const char *
gnutls_mac_algorithm_t * mac,
gnutls_protocol_t * min_version);
+ /* functions for run-time enablement of algorithms */
+int gnutls_ecc_curve_set_enabled(gnutls_ecc_curve_t curve,
+ unsigned int enabled);
+int gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, unsigned int secure);
+int gnutls_sign_set_secure_for_certs(gnutls_sign_algorithm_t sign,
+ unsigned int secure);
+int gnutls_digest_set_secure(gnutls_digest_algorithm_t dig,
+ unsigned int secure);
+int gnutls_protocol_set_enabled(gnutls_protocol_t version,
+ unsigned int enabled);
+
/* error functions */
int gnutls_error_is_fatal(int error) __GNUTLS_CONST__;
int gnutls_error_to_alert(int err, int *level);
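Review bot: The comment on the new setters, `/* functions for run-time enablement of algorithms */`, omits two things a caller needs from a public header: that these calls change which hashes, signature algorithms, curves and protocol versions the library treats as secure or enabled, and that the commit description ties them to the "allowlisting" override-mode. Because a call such as `gnutls_sign_set_secure(sign, 1)` can re-admit an algorithm the configuration left disabled, I would expand the comment to something like `/* run-time enablement of algorithms; intended for override-mode = allowlisting; alters the (presumably library-wide) algorithm policy, so check the return value */`. These declarations do not show whether the functions refuse to act outside allowlisting mode, or whether they are safe to call after a priority has been set or from several threads. The implementation is outside this hunk, so that contract should be stated wherever the functions are documented. The `unsigned int secure` and `enabled` flags presumably act as booleans, which the comment could also say.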