[glib-networking: 92/129] Allow setting of allowed signature algorithms and curves
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking: 92/129] Allow setting of allowed signature algorithms and curves
- Date: Sat, 2 Feb 2019 22:51:07 +0000 (UTC)
commit 57839cfe30bd82573c9a9d83cd0e232b188d1320
Author: Joakim Tosteberg <joakim tosteberg zenterio com>
Date: Fri Jan 12 14:44:06 2018 +0100
Allow setting of allowed signature algorithms and curves
Add environment variables for explicitly setting the allowed signature
algorithms and curves that are used for TLS connections.
https://bugzilla.gnome.org/show_bug.cgi?id=792605
tls/openssl/gtlsclientconnection-openssl.c | 32 ++++++++++++++++++++++++++++++
tls/openssl/gtlsserverconnection-openssl.c | 32 ++++++++++++++++++++++++++++++
2 files changed, 64 insertions(+)
---
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index 6592ead..9287bfd 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -431,6 +431,36 @@ set_cipher_list (GTlsClientConnectionOpenssl *client)
SSL_CTX_set_cipher_list (priv->ssl_ctx, cipher_list);
}
+static void
+set_signature_algorithm_list (GTlsClientConnectionOpenssl *client)
+{
+ GTlsClientConnectionOpensslPrivate *priv;
+ const gchar *signature_algorithm_list;
+
+ priv = g_tls_client_connection_openssl_get_instance_private (client);
+
+ signature_algorithm_list = g_getenv ("G_TLS_OPENSSL_SIGNATURE_ALGORITHM_LIST");
+ if (signature_algorithm_list == NULL)
+ return;
+
+ SSL_CTX_set1_sigalgs_list (priv->ssl_ctx, signature_algorithm_list);
+}
+
+static void
+set_curve_list (GTlsClientConnectionOpenssl *client)
+{
+ GTlsClientConnectionOpensslPrivate *priv;
+ const gchar *curve_list;
+
+ priv = g_tls_client_connection_openssl_get_instance_private (client);
+
+ curve_list = g_getenv ("G_TLS_OPENSSL_CURVE_LIST");
+ if (curve_list == NULL)
+ return;
+
+ SSL_CTX_set1_curves_list (priv->ssl_ctx, curve_list);
+}
+
static gboolean
g_tls_client_connection_openssl_initable_init (GInitable *initable,
GCancellable *cancellable,
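Review bot: The results of `SSL_CTX_set1_sigalgs_list` in set_signature_algorithm_list and `SSL_CTX_set1_curves_list` in set_curve_list are discarded, so a malformed or unsupported value in `G_TLS_OPENSSL_SIGNATURE_ALGORITHM_LIST` or `G_TLS_OPENSSL_CURVE_LIST` leaves the context on OpenSSL's defaults while the operator believes the restriction is in force. Both calls return 1 on success and 0 on failure, so the outcome should at least be surfaced: `if (!SSL_CTX_set1_sigalgs_list (priv->ssl_ctx, signature_algorithm_list)) g_warning ("Ignoring invalid G_TLS_OPENSSL_SIGNATURE_ALGORITHM_LIST: %s", signature_algorithm_list);` with the same pattern for the curve list. The `SSL_CTX_set_cipher_list` call in the leading context also ignores its result, so this follows existing practice, but for an override whose purpose is to narrow the handshake a silent fall-back is the wrong failure mode; if a bad override must never weaken a connection, failing the initable init with a GError would be the stronger choice. Both new functions are fully contained in this hunk.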
@@ -485,6 +515,8 @@ g_tls_client_connection_openssl_initable_init (GInitable *initable,
SSL_CTX_set_client_cert_cb (priv->ssl_ctx, retrieve_certificate);
set_cipher_list (client);
+ set_signature_algorithm_list (client);
+ set_curve_list (client);
priv->ssl = SSL_new (priv->ssl_ctx);
if (priv->ssl == NULL)
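Review bot: The two new calls consult the process environment for every client connection, and the OpenSSL list they install can widen the default policy as easily as narrow it (for example re-admitting SHA-1 signature schemes or a curve the defaults would not offer), so whoever controls the environment of this process controls part of its TLS policy; that is acceptable for an operator knob but worth stating next to the call sites, since nothing in the hunk marks it as trusted input. I would add above `set_signature_algorithm_list (client);` a comment such as `/* Operator overrides read from the environment; they may loosen as well as tighten the defaults, so the environment is treated as trusted here. */`. It also seems worth hedging in the commit message that these are debugging/deployment overrides rather than a supported configuration API, if that is the intent. g_tls_client_connection_openssl_initable_init starts and ends outside this hunk.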
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index d77f9b5..ef27fc2 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -236,6 +236,36 @@ set_cipher_list (GTlsServerConnectionOpenssl *server)
SSL_CTX_set_cipher_list (priv->ssl_ctx, cipher_list);
}
+static void
+set_signature_algorithm_list (GTlsServerConnectionOpenssl *server)
+{
+ GTlsServerConnectionOpensslPrivate *priv;
+ const gchar *signature_algorithm_list;
+
+ priv = g_tls_server_connection_openssl_get_instance_private (server);
+
+ signature_algorithm_list = g_getenv ("G_TLS_OPENSSL_SIGNATURE_ALGORITHM_LIST");
+ if (signature_algorithm_list == NULL)
+ return;
+
+ SSL_CTX_set1_sigalgs_list (priv->ssl_ctx, signature_algorithm_list);
+}
+
+static void
+set_curve_list (GTlsServerConnectionOpenssl *server)
+{
+ GTlsServerConnectionOpensslPrivate *priv;
+ const gchar *curve_list;
+
+ priv = g_tls_server_connection_openssl_get_instance_private (server);
+
+ curve_list = g_getenv ("G_TLS_OPENSSL_CURVE_LIST");
+ if (curve_list == NULL)
+ return;
+
+ SSL_CTX_set1_curves_list (priv->ssl_ctx, curve_list);
+}
+
static gboolean
g_tls_server_connection_openssl_initable_init (GInitable *initable,
GCancellable *cancellable,
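Review bot: The two functions added here are copies of the ones added to gtlsclientconnection-openssl.c, differing only in the private-struct type used to reach `priv->ssl_ctx`, and neither file documents what the two environment variables are expected to contain. Since both bodies only need an `SSL_CTX *`, a single shared static helper taking the context would remove the duplication and keep the client and server behaviour from drifting apart if, say, return-value checking is later added to one side only. At minimum each function should carry a comment giving the accepted syntax, e.g. above set_signature_algorithm_list: `/* Optional override in OpenSSL sigalgs syntax, e.g. "RSA+SHA256:ECDSA+SHA256"; unset means OpenSSL defaults. */` and above set_curve_list: `/* Optional override in OpenSSL curve-list syntax, e.g. "P-256:P-384"; unset means OpenSSL defaults. */`. Both new functions are fully contained in this hunk.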
@@ -325,6 +355,8 @@ g_tls_server_connection_openssl_initable_init (GInitable *initable,
SSL_CTX_add_session (priv->ssl_ctx, priv->session);
set_cipher_list (server);
+ set_signature_algorithm_list (server);
+ set_curve_list (server);
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
# ifdef SSL_CTX_set_ecdh_auto
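Review bot: `set_curve_list (server);` and `set_signature_algorithm_list (server);` are called unconditionally immediately before a block that is compiled only for OpenSSL below 1.1.0 or LibreSSL and that itself probes `SSL_CTX_set_ecdh_auto` with `#ifdef`, which suggests the file still targets such builds. As far as I know `SSL_CTX_set1_sigalgs_list` and `SSL_CTX_set1_curves_list` are OpenSSL 1.0.2 additions implemented as macros over `SSL_CTX_ctrl`, and the curves one is unavailable in `OPENSSL_NO_EC` builds (in 1.1.0+ it aliases `SSL_CTX_set1_groups_list`), so on those configurations the new helpers would fail to compile; if they are meant to remain supported, the body of set_curve_list should be wrapped in `#ifdef SSL_CTX_set1_curves_list` … `#endif`, matching the existing `# ifdef SSL_CTX_set_ecdh_auto` style, and likewise for the sigalgs helper. If the minimum supported OpenSSL is already 1.0.2 with EC, a one-line comment saying so at the call site would settle it. g_tls_server_connection_openssl_initable_init starts and ends outside this hunk.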