Diffstat (limited to 'source/n/gnutls')
-rw-r--r-- | source/n/gnutls/1830.patch | 96 | ||||
-rwxr-xr-x | source/n/gnutls/gnutls.SlackBuild | 7 |
2 files changed, 101 insertions, 2 deletions
diff --git a/source/n/gnutls/1830.patch b/source/n/gnutls/1830.patch
new file mode 100644
index 000000000..d3271fb1d
--- /dev/null
+++ b/source/n/gnutls/1830.patch
@@ -0,0 +1,96 @@
+From 6eec2a3854f90bfb30492d59db59c675bfb0f6f9 Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 10 Apr 2024 12:51:33 +0200
+Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ lib/priority.c | 12 ++++++----
+ ...system-override-allow-rsa-pkcs1-encrypt.sh | 22 +++++++++++++++++--
+ 2 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/lib/priority.c b/lib/priority.c
+index 8abe00d1ff..342f71471d 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -1423,9 +1423,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
+ _gnutls_default_priority_string = cfg->default_priority_string;
+ }
+ 
+- /* enable RSA-PKCS1-V1_5 by default */
+- cfg->allow_rsa_pkcs1_encrypt = true;
+-
+ if (cfg->allowlisting) {
+ /* also updates `flags` of global `hash_algorithms[]` */
+ ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
+@@ -2231,6 +2228,9 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ }
+ 
+ if (stat(system_priority_file, &sb) < 0) {
++ /* if there is no config enable RSA-PKCS1-V1_5 by default */
++ system_wide_config.allow_rsa_pkcs1_encrypt = true;
++
+ _gnutls_debug_log("cfg: unable to access: %s: %d\n",
+ system_priority_file, errno);
+ goto out;
+@@ -2272,12 +2272,16 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ system_priority_file, errno);
+ goto out;
+ }
++
++ memset(&ctx, 0, sizeof(ctx));
++ /* enable RSA-PKCS1-V1_5 by default */
++ ctx.cfg.allow_rsa_pkcs1_encrypt = true;
++
+ /* Parsing the configuration file needs to be done in 2 phases:
+ * first parsing the [global] section
+ * and then the other sections,
+ * because the [global] section modifies the parsing behavior.
+ */
+- memset(&ctx, 0, sizeof(ctx));
+ err = ini_parse_file(fp, global_ini_handler, &ctx);
+ if (!err) {
+ if (fseek(fp, 0L, SEEK_SET) < 0) {
+diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+index b7d477c96e..014088bd2f 100755
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
++++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -38,15 +38,33 @@ cat <<_EOF_ > ${CONF}
+ allow-rsa-pkcs1-encrypt = true
+ _EOF_
+ 
+-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
++${TEST}
++if [ $? != 0 ]; then
++ echo "${TEST} expected to succeed"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled"
+ 
+ cat <<_EOF_ > ${CONF}
+ [overrides]
+ allow-rsa-pkcs1-encrypt = false
+ _EOF_
+ 
+-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
++${TEST}
++if [ $? = 0 ]; then
++ echo "${TEST} expected to fail"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully disabled"
+ 
+ unset GNUTLS_SYSTEM_PRIORITY_FILE
+ unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
++
++${TEST}
++if [ $? != 0 ]; then
++ echo "${TEST} expected to succeed by default"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled by default"
++
+ exit 0
+-- 
+GitLab
+
diff --git a/source/n/gnutls/gnutls.SlackBuild b/source/n/gnutls/gnutls.SlackBuild
index 157f01aae..154b283fa 100755
--- a/source/n/gnutls/gnutls.SlackBuild
+++ b/source/n/gnutls/gnutls.SlackBuild
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2007, 2008, 2009, 2010, 2016, 2017, 2018, 2020 Patrick Volkerding, Sebeka, MN, USA
+# Copyright 2007, 2008, 2009, 2010, 2016, 2017, 2018, 2020, 2024 Patrick Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
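Review bot: In the `if (stat(system_priority_file, &sb) < 0)` branch the added `system_wide_config.allow_rsa_pkcs1_encrypt = true;` runs for every stat failure, so a config file that exists but cannot be accessed (EACCES, ELOOP, a bad path component) is handled exactly like an absent one and RSAES-PKCS1-v1_5 ends up enabled even if that file disables it. The comment says "if there is no config", so the intent looks like ENOENT only; `if (errno == ENOENT) system_wide_config.allow_rsa_pkcs1_encrypt = true;` keeps the errno that the following `_gnutls_debug_log` call already reports, or, if fail-open for any error is deliberate, the comment should say so, e.g. `/* config absent or unreadable: fall back to the upstream default of allowing RSA-PKCS1-V1_5 */`. Whether later code (the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID handling the test refers to) already aborts on a non-ENOENT error is not visible in this hunk. The third test case, added after `unset GNUTLS_SYSTEM_PRIORITY_FILE`, appears to run against whatever real system-wide config the host has, so it may fail on a build host whose config disables the option; worth checking if the package build runs the test suite. Both enclosing functions, cfg_apply and _gnutls_update_system_priorities, start and end outside the hunk.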
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=gnutls
 VERSION=${VERSION:-$(echo gnutls-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
@@ -81,6 +81,9 @@ find . \
 \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
 -exec chmod 644 {} \+
 
+# [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration:
+cat $CWD/1830.patch | patch -p1 --verbose || exit 1
+
 # Need to reconf to find guile-3.0.x:
 autoreconf -vif
 
|
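Review bot: The new comment `# [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration:` only repeats the patch's subject line and does not record where 1830.patch comes from or when it can be dropped, which is what the next person bumping VERSION needs to know. The patch header carries the upstream commit id, so something like `# Backport of upstream commit 6eec2a3854f90bfb30492d59db59c675bfb0f6f9 (fix RSAES-PKCS1-v1_5 system-wide configuration); drop once a release containing it is packaged:` would do. The `cat $CWD/1830.patch | patch -p1 --verbose || exit 1` form is the usual SlackBuild idiom and the `|| exit 1` guard works as intended because the pipeline's status is that of patch; `patch -p1 --verbose < $CWD/1830.patch` would be equivalent without the extra process, but that is a style preference.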