1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
From 6eec2a3854f90bfb30492d59db59c675bfb0f6f9 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 10 Apr 2024 12:51:33 +0200
Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
lib/priority.c | 12 ++++++----
...system-override-allow-rsa-pkcs1-encrypt.sh | 22 +++++++++++++++++--
2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/lib/priority.c b/lib/priority.c
index 8abe00d1ff..342f71471d 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1423,9 +1423,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
_gnutls_default_priority_string = cfg->default_priority_string;
}
- /* enable RSA-PKCS1-V1_5 by default */
- cfg->allow_rsa_pkcs1_encrypt = true;
-
if (cfg->allowlisting) {
/* also updates `flags` of global `hash_algorithms[]` */
ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
@@ -2231,6 +2228,9 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
}
if (stat(system_priority_file, &sb) < 0) {
+ /* if there is no config enable RSA-PKCS1-V1_5 by default */
+ system_wide_config.allow_rsa_pkcs1_encrypt = true;
+
_gnutls_debug_log("cfg: unable to access: %s: %d\n",
system_priority_file, errno);
goto out;
@@ -2272,12 +2272,16 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
system_priority_file, errno);
goto out;
}
+
+ memset(&ctx, 0, sizeof(ctx));
+ /* enable RSA-PKCS1-V1_5 by default */
+ ctx.cfg.allow_rsa_pkcs1_encrypt = true;
+
/* Parsing the configuration file needs to be done in 2 phases:
* first parsing the [global] section
* and then the other sections,
* because the [global] section modifies the parsing behavior.
*/
- memset(&ctx, 0, sizeof(ctx));
err = ini_parse_file(fp, global_ini_handler, &ctx);
if (!err) {
if (fseek(fp, 0L, SEEK_SET) < 0) {
diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
index b7d477c96e..014088bd2f 100755
--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
@@ -38,15 +38,33 @@ cat <<_EOF_ > ${CONF}
allow-rsa-pkcs1-encrypt = true
_EOF_
-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
+${TEST}
+if [ $? != 0 ]; then
+ echo "${TEST} expected to succeed"
+ exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully enabled"
cat <<_EOF_ > ${CONF}
[overrides]
allow-rsa-pkcs1-encrypt = false
_EOF_
-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
+${TEST}
+if [ $? = 0 ]; then
+ echo "${TEST} expected to fail"
+ exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully disabled"
unset GNUTLS_SYSTEM_PRIORITY_FILE
unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
+
+${TEST}
+if [ $? != 0 ]; then
+ echo "${TEST} expected to succeed by default"
+ exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully enabled by default"
+
exit 0
--
GitLab
|
