-rw-r--r-- | doc/cha-gtls-app.texi | 11 | ||||
-rw-r--r-- | doc/examples/ex-cert-select-pkcs11.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-cert-select.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-client-dtls.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-client-srp.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-client-x509.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-anon.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-pgp.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-psk.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-srp.c | 2 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 48 |
11 files changed, 48 insertions, 29 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 68a15ec246..85ae38b0f7 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -894,8 +894,10 @@ additional algorithm or special keywords. @item SYSTEM @tab Means that a compile-time specified configuration file will be used to read the priorities. That is used to impose system-specific policies.
-It may be followed by a priority string that will be used as backup, e.g.,
-"SYSTEM:NORMAL".
+It may be followed by additional options that will be appended to the
+system string (e.g., "SYSTEM:+SRP"). If there is no available system priority
+string then the default acceptable security level by GnuTLS will be
+set (i.e., NORMAL).
 @item PERFORMANCE @tab All the known to be secure ciphersuites are enabled,
@@ -1142,8 +1144,11 @@ or by using the priority functions as in @ref{Listing the ciphersuites in a prio Example priority strings are: @example
+The system imposed security level:
+ "SYSTEM"
+
 The default priority without the HMAC-MD5:
- "SYSTEM:NORMAL:-MD5"
+ "NORMAL:-MD5"
 Specifying RSA with AES-128-CBC: "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
diff --git a/doc/examples/ex-cert-select-pkcs11.c b/doc/examples/ex-cert-select-pkcs11.c
index aa76662ccf..bf66b4fbbf 100644
--- a/doc/examples/ex-cert-select-pkcs11.c
+++ b/doc/examples/ex-cert-select-pkcs11.c
@@ -89,7 +89,7 @@ int main(void) gnutls_certificate_allocate_credentials(&xcred); /* priorities */
- gnutls_priority_init(&priorities_cache, "NORMAL", NULL);
+ gnutls_priority_init(&priorities_cache, "SYSTEM", NULL);
 /* sets the trusted cas file */
diff --git a/doc/examples/ex-cert-select.c b/doc/examples/ex-cert-select.c
index 99cd126d91..25d0045e38 100644
--- a/doc/examples/ex-cert-select.c
+++ b/doc/examples/ex-cert-select.c
@@ -103,7 +103,7 @@ int main(void) gnutls_certificate_allocate_credentials(&xcred); /* priorities */
- gnutls_priority_init(&priorities_cache, "NORMAL", NULL);
+ gnutls_priority_init(&priorities_cache, "SYSTEM", NULL);
 /* sets the trusted cas file
diff --git a/doc/examples/ex-client-dtls.c b/doc/examples/ex-client-dtls.c
index cb9375d2ab..bd978c6b83 100644
--- a/doc/examples/ex-client-dtls.c
+++ b/doc/examples/ex-client-dtls.c
@@ -48,7 +48,7 @@ int main(void) gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM); /* Use default priorities */
- ret = gnutls_priority_set_direct(session, "NORMAL", &err);
+ ret = gnutls_priority_set_direct(session, "SYSTEM", &err);
 if (ret < 0) { if (ret == GNUTLS_E_INVALID_REQUEST) { fprintf(stderr, "Syntax error at: %s\n", err);
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c
index 722b79a0ae..8b2bb6b0be 100644
--- a/doc/examples/ex-client-srp.c
+++ b/doc/examples/ex-client-srp.c
@@ -51,7 +51,7 @@ int main(void) /* Set the priorities. */ gnutls_priority_set_direct(session,
- "NORMAL:+SRP:+SRP-RSA:+SRP-DSS", NULL);
+ "SYSTEM:+SRP:+SRP-RSA:+SRP-DSS", NULL);
 /* put the SRP credentials to the current session */
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index 4d1753ae7f..b26a473ae2 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -61,7 +61,7 @@ int main(void) strlen("my_host_name")); /* Use default priorities */
- ret = gnutls_priority_set_direct(session, "NORMAL", &err);
+ ret = gnutls_priority_set_direct(session, "SYSTEM", &err);
 if (ret < 0) { if (ret == GNUTLS_E_INVALID_REQUEST) { fprintf(stderr, "Syntax error at: %s\n", err);
diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c
index fd24cbfa1f..b0706079e1 100644
--- a/doc/examples/ex-serv-anon.c
+++ b/doc/examples/ex-serv-anon.c
@@ -89,7 +89,7 @@ int main(void) for (;;) { gnutls_init(&session, GNUTLS_SERVER); gnutls_priority_set_direct(session,
- "NORMAL:+ANON-ECDH:+ANON-DH",
+ "SYSTEM:+ANON-ECDH:+ANON-DH",
 NULL); gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c
index b68a6bfec2..8219a8a006 100644
--- a/doc/examples/ex-serv-pgp.c
+++ b/doc/examples/ex-serv-pgp.c
@@ -103,7 +103,7 @@ int main(void) for (;;) { gnutls_init(&session, GNUTLS_SERVER); gnutls_priority_set_direct(session,
- "NORMAL:+CTYPE-OPENPGP", NULL);
+ "SYSTEM:+CTYPE-OPENPGP", NULL);
 /* request client certificate if any. */
diff --git a/doc/examples/ex-serv-psk.c b/doc/examples/ex-serv-psk.c
index 7244787619..42bc6181e7 100644
--- a/doc/examples/ex-serv-psk.c
+++ b/doc/examples/ex-serv-psk.c
@@ -98,7 +98,7 @@ int main(void) generate_dh_params(); gnutls_priority_init(&priority_cache,
- "NORMAL:+PSK:+ECDHE-PSK:+DHE-PSK", NULL);
+ "SYSTEM:+PSK:+ECDHE-PSK:+DHE-PSK", NULL);
 gnutls_certificate_set_dh_params(x509_cred, dh_params);
diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c
index 44b0a711ad..152e6c273b 100644
--- a/doc/examples/ex-serv-srp.c
+++ b/doc/examples/ex-serv-srp.c
@@ -85,7 +85,7 @@ int main(void) for (;;) { gnutls_init(&session, GNUTLS_SERVER); gnutls_priority_set_direct(session,
- "NORMAL:-KX-ALL:+SRP:+SRP-DSS:+SRP-RSA",
+ "SYSTEM:-KX-ALL:+SRP:+SRP-DSS:+SRP-RSA",
 NULL); gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred); /* for the certificate authenticated ciphersuites.
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index a41ee6a031..8c96ec1eb6 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -872,24 +872,25 @@ static void enable_new_padding(gnutls_priority_t c) /* Returns the new priorities if SYSTEM is specified in * an allocated string, or just a copy of the provided
- * priorities.
+ * priorities, appended with any additional present in
+ * the priorities string.
+ *
+ * The returned string must be released using free().
 */ static char* resolve_priorities(const char* priorities) { char *p = (char*)priorities;
-char* backup;
+char* additional = NULL;
 char *ret = NULL; FILE* fp = NULL;
-size_t n;
+size_t n, n2;
 if (c_isspace(*p)) p++;
- backup = p;
-
 if (strncasecmp(p, "SYSTEM", 6) == 0) {
- backup = p + 6;
- if (*backup == ':') backup++;
+ additional = p + 6;
+ if (*additional == ':') additional++;
 fp = fopen(SYSTEM_PRIORITY_FILE, "r"); if (fp == NULL) {/* use backup */
@@ -904,7 +905,9 @@ size_t n; goto apply_backup; }
- p = gnutls_malloc(n+1);
+ n2 = strlen(additional);
+
+ p = malloc(n+n2+1+1);
 if (p == NULL) { ret = NULL; goto finish;
@@ -925,13 +928,22 @@ size_t n; n--; p[n] = 0; }
+ if (n2 > 0) {
+ p[n] = ':';
+ memcpy(&p[n+1], additional, n2);
+ p[n+n2+1] = 0;
+ }
 ret = p; goto finish; } apply_backup:
- ret = gnutls_strdup(backup);
+ if (additional != NULL) {
+ n = asprintf(&ret, "NORMAL:%s", additional);
+ } else {
+ ret = strdup("NORMAL");
+ }
 finish: if (ret != NULL) {
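Review bot: In the `apply_backup:` block of resolve_priorities, a priority string that does not start with SYSTEM now comes back as `strdup("NORMAL")`, because `additional` is only assigned inside the SYSTEM branch and the `}` before the label is that branch's closing brace, so a non-SYSTEM string falls through exactly as it did when `ret = gnutls_strdup(backup)` still copied the caller's whole string; unless code between the hunks diverts that case, a caller asking for "SECURE256" silently ends up with NORMAL, a policy downgrade with no error. The else branch should keep the caller's string, `ret = strdup(p);`, since `p` is only reassigned on the path that reads the system file and that path jumps to `finish:`. The `asprintf()` return is also stored in the `size_t n` and never examined: on failure it returns -1 and glibc documents the contents of `ret` as undefined, so the `if (ret != NULL)` test at `finish:` can then run on an uninitialised pointer; `if (asprintf(&ret, "NORMAL:%s", additional) < 0) ret = NULL;` closes that. One more edge worth confirming against the parser: if the trailing-whitespace trim reduces the system string to empty, the appended result begins with ':'. The body of resolve_priorities continues outside the hunk after `finish:`.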
@@ -957,12 +969,14 @@ finish: * Some keywords are defined to provide quick access * to common preferences. *
- * Unless there is a special need, using "SYSTEM:NORMAL" or "SYSTEM:NORMAL:%COMPAT"
- * for compatibility is recommended.
+ * Unless there is a special need, using "SYSTEM" would be the ideal choice
+ * for daemons or services that want to use the system-imposed level,
+ * "NORMAL" for a typical server that requires a reasonable security level,
+ * or even "NORMAL:%COMPAT" for compatibility.
 *
- * "SYSTEM" The system administrator imposed settings. If followed with
- * an additional level, it will be used as backup when there are no
- * settings available in the system.
+ * "SYSTEM" The system administrator imposed settings. Any options that follow
+ * will be appended to the system string. If there is no system string,
+ * then NORMAL will be used instead.
 * * "PERFORMANCE" means all the "secure" ciphersuites are enabled, * limited to 128 bit ciphers and sorted by terms of speed
@@ -1051,7 +1065,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, (*priority_cache)->max_empty_records = DEFAULT_MAX_EMPTY_RECORDS; if (priorities == NULL)
- priorities = "SYSTEM:"LEVEL_NORMAL;
+ priorities = "SYSTEM";
 darg = resolve_priorities(priorities); if (darg == NULL) {
@@ -1243,7 +1257,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, goto error; }
- gnutls_free(darg);
+ free(darg);
 return 0; error:
@@ -1253,7 +1267,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, (*err_pos) += strlen(broken_list[j]) + 1; } }
- gnutls_free(darg);
+ free(darg);
 gnutls_free(*priority_cache); return GNUTLS_E_INVALID_REQUEST; |