config: added ability to override and mark algorithms as disabled

This allows the system administrator or the distributor to use
the gnutls configuration file to mark hashes, signature algorithms,
TLS versions, curves, groups, ciphers KX, and MAC algorithms as
insecure (the last four only in the context of a TLS session).
It also allows to set a minimum profile which the applications
cannot fall below.

The options intentionally do not allow marking algorithms as
secure so that the configuration file cannot be used as an attack
vector. This change also makes sure that unsupported and disabled protocols
during compile time (e.g., SSL3.0), do not get listed by gnutls-cli.

The configuration file feature can be disabled at compile time
with an empty --with-system-priority-file.

This patch it introduces the function gnutls_get_system_config_file()
allowing applications to check whether a configuration file
was used.

Resolves: #587

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 836e75eb87..338cae2b1b 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1286,6 +1286,12 @@ GNUTLS_3_6_8
 	gnutls_ffdhe_8192_group_q;
 } GNUTLS_3_6_6;
 
+GNUTLS_3_6_9
+{
+ global:
+	gnutls_get_system_config_file;
+} GNUTLS_3_6_8;
+
 GNUTLS_FIPS140_3_4 {
   global:
 	gnutls_cipher_self_test;
@@ -1374,4 +1380,6 @@ GNUTLS_PRIVATE_3_4 {
 	_gnutls_global_set_gettime_function;
 	# Internal symbols needed by tests/tls13/anti_replay.c
 	_gnutls_anti_replay_check;
+	# needed by gnutls-strcodes.c
+	_gnutls_ecc_curve_is_supported;
 } GNUTLS_3_4;