diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-06-25 10:36:18 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-07-09 12:40:39 +0200 |
commit | 3518d288d4649a7e264c685e9a85aa84ddf361ad (patch) | |
tree | 27b56d36b6f73238ad9253e89fc8dcdeafe4b6a5 /lib/priority.c | |
parent | 7be78eba6dc33c3ed0787f806c71d75b7c9fe4de (diff) | |
download | gnutls-3518d288d4649a7e264c685e9a85aa84ddf361ad.tar.gz |
gnutls_priority_init2,gnutls_set_default_priority_append: introduced
This allows enhancing the default priority with additional
options, allowing an application to introduce stricter (or weaker)
settings without requiring it to override all settings.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'lib/priority.c')
-rw-r--r-- | lib/priority.c | 138 |
1 files changed, 135 insertions, 3 deletions
diff --git a/lib/priority.c b/lib/priority.c index cb162a12fe..4027042b33 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -1385,10 +1385,11 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) } /** - * gnutls_priority_init: + * gnutls_priority_init2: * @priority_cache: is a #gnutls_prioritity_t type. * @priorities: is a string describing priorities (may be %NULL) * @err_pos: In case of an error this will have the position in the string the error occurred + * @flags: zero or %GNUTLS_PRIORITY_INIT_DEF_APPEND * * Sets priorities for the ciphers, key exchange methods, and macs. * The @priority_cache should be deinitialized @@ -1399,6 +1400,9 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) * Some keywords are defined to provide quick access * to common preferences. * + * When @flags is set to %GNUTLS_PRIORITY_INIT_DEF_APPEND then the @priorities + * specified will be appended to the default options. + * * Unless there is a special need, use the "NORMAL" keyword to * apply a reasonable security level, or "NORMAL:%%COMPAT" for compatibility. * @@ -1478,6 +1482,80 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) * * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned, * %GNUTLS_E_SUCCESS on success, or an error code. + * + * Since: 3.6.3 + **/ +int +gnutls_priority_init2(gnutls_priority_t * priority_cache, + const char *priorities, const char **err_pos, + unsigned flags) +{ + gnutls_buffer_st buf; + const char *ep; + int ret; + + if (flags & GNUTLS_PRIORITY_INIT_DEF_APPEND) { + if (priorities == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + if (err_pos) + *err_pos = priorities; + + _gnutls_buffer_init(&buf); + + ret = _gnutls_buffer_append_str(&buf, DEFAULT_PRIORITY_STRING); + if (ret < 0) { + _gnutls_buffer_clear(&buf); + return gnutls_assert_val(ret); + } + + ret = _gnutls_buffer_append_str(&buf, ":"); + if (ret < 0) { + _gnutls_buffer_clear(&buf); + return gnutls_assert_val(ret); + } + + ret = _gnutls_buffer_append_str(&buf, priorities); + if (ret < 0) { + _gnutls_buffer_clear(&buf); + return gnutls_assert_val(ret); + } + + ret = gnutls_priority_init(priority_cache, (const char*)buf.data, &ep); + if (ret < 0 && ep != (const char*)buf.data && ep != NULL) { + ptrdiff_t diff = (ptrdiff_t)ep-(ptrdiff_t)buf.data; + unsigned hlen = strlen(DEFAULT_PRIORITY_STRING)+1; + + if (err_pos && diff > hlen) { + *err_pos = priorities + diff - hlen; + } + } + _gnutls_buffer_clear(&buf); + return ret; + } else { + return gnutls_priority_init(priority_cache, priorities, err_pos); + } +} + +/** + * gnutls_priority_init: + * @priority_cache: is a #gnutls_prioritity_t type. + * @priorities: is a string describing priorities (may be %NULL) + * @err_pos: In case of an error this will have the position in the string the error occurred + * + * For applications that do not modify their crypto settings per release, consider + * using gnutls_priority_init2() with %GNUTLS_PRIORITY_INIT_DEF_APPEND flag + * instead. We suggest to use centralized crypto settings handled by the GnuTLS + * library, and applications modifying the default settings to their needs. + * + * This function is identical to gnutls_priority_init2() with zero + * flags. + * + * A %NULL @priorities string indicates the default priorities to be + * used (this is available since GnuTLS 3.3.0). + * + * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned, + * %GNUTLS_E_SUCCESS on success, or an error code. **/ int gnutls_priority_init(gnutls_priority_t * priority_cache, @@ -1734,7 +1812,6 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, *priority_cache = NULL; return ret; - } /** @@ -1778,7 +1855,7 @@ void gnutls_priority_deinit(gnutls_priority_t priority_cache) * TLS session. For documentation check the gnutls_priority_init(). * * To use a reasonable default, consider using gnutls_set_default_priority(), - * instead of this function. + * or gnutls_set_default_priority_append() instead of this function. * * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned, * %GNUTLS_E_SUCCESS on success, or an error code. @@ -1849,6 +1926,9 @@ break_list(char *list, * maximum compatibility consider calling gnutls_session_enable_compatibility_mode() * after this function. * + * For an application to specify additional options to priority string + * consider using gnutls_set_default_priority_append(). + * * To allow a user to override the defaults (e.g., when a user interface * or configuration file is available), the functions * gnutls_priority_set_direct() or gnutls_priority_set() can @@ -1864,6 +1944,58 @@ int gnutls_set_default_priority(gnutls_session_t session) } /** + * gnutls_set_default_priority_append: + * @session: is a #gnutls_session_t type. + * @add_prio: is a string describing priorities to be appended to default + * @err_pos: In case of an error this will have the position in the string the error occurred + * @flags: must be zero + * + * Sets the default priority on the ciphers, key exchange methods, + * and macs with the additional options in @add_prio. This is the recommended method of + * setting the defaults when only few additional options are to be added. This promotes + * consistency between applications using GnuTLS, and allows GnuTLS using applications + * to update settings in par with the library. + * + * The @add_prio string should start as a normal priority string, e.g., + * '-VERS-TLS-ALL:+VERS-TLS1.3:%%COMPAT' or '%%FORCE_ETM'. That is, it must not start + * with ':'. + * + * To allow a user to override the defaults (e.g., when a user interface + * or configuration file is available), the functions + * gnutls_priority_set_direct() or gnutls_priority_set() can + * be used. + * + * Returns: %GNUTLS_E_SUCCESS on success, or an error code. + * + * Since: 3.6.3 + **/ +int gnutls_set_default_priority_append(gnutls_session_t session, + const char *add_prio, + const char **err_pos, + unsigned flags) +{ + gnutls_priority_t prio; + int ret; + + ret = gnutls_priority_init2(&prio, add_prio, err_pos, GNUTLS_PRIORITY_INIT_DEF_APPEND); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = gnutls_priority_set(session, prio); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* ensure that the session holds the only reference for the struct */ + gnutls_priority_deinit(prio); + + return 0; +} + +/** * gnutls_priority_ecc_curve_list: * @pcache: is a #gnutls_prioritity_t type. * @list: will point to an integer list |