From 6eec2a3854f90bfb30492d59db59c675bfb0f6f9 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Wed, 10 Apr 2024 12:51:33 +0200 Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration Signed-off-by: Zoltan Fridrich --- lib/priority.c | 12 ++++++---- ...system-override-allow-rsa-pkcs1-encrypt.sh | 22 +++++++++++++++++-- 2 files changed, 28 insertions(+), 6 deletions(-) diff --git a/lib/priority.c b/lib/priority.c index 8abe00d1ff..342f71471d 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -1423,9 +1423,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx) _gnutls_default_priority_string = cfg->default_priority_string; } - /* enable RSA-PKCS1-V1_5 by default */ - cfg->allow_rsa_pkcs1_encrypt = true; - if (cfg->allowlisting) { /* also updates `flags` of global `hash_algorithms[]` */ ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size); @@ -2231,6 +2228,9 @@ static int _gnutls_update_system_priorities(bool defer_system_wide) } if (stat(system_priority_file, &sb) < 0) { + /* if there is no config enable RSA-PKCS1-V1_5 by default */ + system_wide_config.allow_rsa_pkcs1_encrypt = true; + _gnutls_debug_log("cfg: unable to access: %s: %d\n", system_priority_file, errno); goto out; @@ -2272,12 +2272,16 @@ static int _gnutls_update_system_priorities(bool defer_system_wide) system_priority_file, errno); goto out; } + + memset(&ctx, 0, sizeof(ctx)); + /* enable RSA-PKCS1-V1_5 by default */ + ctx.cfg.allow_rsa_pkcs1_encrypt = true; + /* Parsing the configuration file needs to be done in 2 phases: * first parsing the [global] section * and then the other sections, * because the [global] section modifies the parsing behavior. */ - memset(&ctx, 0, sizeof(ctx)); err = ini_parse_file(fp, global_ini_handler, &ctx); if (!err) { if (fseek(fp, 0L, SEEK_SET) < 0) { diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh index b7d477c96e..014088bd2f 100755 --- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh +++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh @@ -38,15 +38,33 @@ cat <<_EOF_ > ${CONF} allow-rsa-pkcs1-encrypt = true _EOF_ -${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed" +${TEST} +if [ $? != 0 ]; then + echo "${TEST} expected to succeed" + exit 1 +fi +echo "RSAES-PKCS1-v1_5 successfully enabled" cat <<_EOF_ > ${CONF} [overrides] allow-rsa-pkcs1-encrypt = false _EOF_ -${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail" +${TEST} +if [ $? = 0 ]; then + echo "${TEST} expected to fail" + exit 1 +fi +echo "RSAES-PKCS1-v1_5 successfully disabled" unset GNUTLS_SYSTEM_PRIORITY_FILE unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID + +${TEST} +if [ $? != 0 ]; then + echo "${TEST} expected to succeed by default" + exit 1 +fi +echo "RSAES-PKCS1-v1_5 successfully enabled by default" + exit 0 -- GitLab