Modified GnuTLS priority according to standard crypto-policy guideline

rsyslog · Aug 24, 2018 · 20587a7 · 20587a7
1 parent df97019
commit 20587a7
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/src/tcp.c b/src/tcp.c
@@ -1097,22 +1097,30 @@ relpTcpTLSSetPrio(relpTcp_t *const pThis)
 	char pristringBuf[4096];
 	char *pristring;
 	ENTER_RELPFUNC;
-	/* Compute priority string (in simple cases where the user does not care...) */
+	/* Set default priority string (in simple cases where the user does not care...) */
 	if(pThis->pristring == NULL) {
 #if defined(ENABLE_TLS)
+		strncpy(pristringBuf, "@SYSTEM", sizeof(pristringBuf));
+		size_t pos = strlen("@SYSTEM");
+		if (pThis->authmode == eRelpAuthMode_None) {
+			strncpy(pristringBuf+pos, ":+ANON-DH", sizeof(pristringBuf-pos));
+			pos += strlen(":+ANON-DH");
+		}
 		if(pThis->bEnableTLSZip) {
-			strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
+			strncpy(pristringBuf+pos, ":+COMP-ALL", sizeof(pristringBuf-pos));
+			pos += strlen(":+COMP-ALL");
 		} else {
-			strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
+			strncpy(pristringBuf+pos, ":+COMP-NULL", sizeof(pristringBuf-pos));
+			pos += strlen(":+COMP-NULL");
 		}
 #endif /* defined(ENABLE_TLS)*/
 #if defined(ENABLE_TLS_OPENSSL)
-	if (pThis->authmode == eRelpAuthMode_None)
-		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL" /* :+aNULL:+eNULL */,
-			sizeof(pristringBuf));
-	else
-		strncpy(pristringBuf, "DEFAULT", sizeof(pristringBuf));
-
+		if (pThis->authmode == eRelpAuthMode_None) {
+			strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL" /* :+aNULL:+eNULL */,
+				sizeof(pristringBuf));
+		} else {
+			strncpy(pristringBuf, "DEFAULT", sizeof(pristringBuf));
+		}
 #endif /* defined(ENABLE_TLS_OPENSSL)*/
 		pristringBuf[sizeof(pristringBuf)-1] = '\0';
 		pristring = pristringBuf;