+++ /dev/null
-From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
-From: Zoltan Fridrich <zfridric@redhat.com>
-Date: Wed, 10 Apr 2024 12:51:33 +0200
-Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
-
-Upstream-Status: Backport [expected for 3.8.6 https://gitlab.com/gnutls/gnutls/-/merge_requests/1830?commit_id=2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d]
-
-Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
-Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
----
- lib/priority.c | 125 +++++++++++-------
- ...system-override-allow-rsa-pkcs1-encrypt.sh | 27 +++-
- 2 files changed, 96 insertions(+), 56 deletions(-)
-
-diff --git a/lib/priority.c b/lib/priority.c
-index 8abe00d1ff..3434619aad 100644
---- a/lib/priority.c
-+++ b/lib/priority.c
-@@ -1018,6 +1018,12 @@ struct cfg {
- bool force_ext_master_secret_set;
- };
-
-+static inline void cfg_init(struct cfg *cfg)
-+{
-+ memset(cfg, 0, sizeof(*cfg));
-+ cfg->allow_rsa_pkcs1_encrypt = true;
-+}
-+
- static inline void cfg_deinit(struct cfg *cfg)
- {
- if (cfg->priority_strings) {
-@@ -1095,6 +1101,12 @@ struct ini_ctx {
- size_t curves_size;
- };
-
-+static inline void ini_ctx_init(struct ini_ctx *ctx)
-+{
-+ memset(ctx, 0, sizeof(*ctx));
-+ cfg_init(&ctx->cfg);
-+}
-+
- static inline void ini_ctx_deinit(struct ini_ctx *ctx)
- {
- cfg_deinit(&ctx->cfg);
-@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
- _gnutls_default_priority_string = cfg->default_priority_string;
- }
-
-- /* enable RSA-PKCS1-V1_5 by default */
-- cfg->allow_rsa_pkcs1_encrypt = true;
--
- if (cfg->allowlisting) {
- /* also updates `flags` of global `hash_algorithms[]` */
- ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
-@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
- return 0;
- }
-
-+/* Returns false on parse error, otherwise true.
-+ * The system_wide_config must be locked for writing.
-+ */
-+static inline bool load_system_priority_file(void)
-+{
-+ int err;
-+ FILE *fp;
-+ struct ini_ctx ctx;
-+
-+ cfg_init(&system_wide_config);
-+
-+ fp = fopen(system_priority_file, "re");
-+ if (fp == NULL) {
-+ _gnutls_debug_log("cfg: unable to open: %s: %d\n",
-+ system_priority_file, errno);
-+ return true;
-+ }
-+
-+ /* Parsing the configuration file needs to be done in 2 phases:
-+ * first parsing the [global] section
-+ * and then the other sections,
-+ * because the [global] section modifies the parsing behavior.
-+ */
-+ ini_ctx_init(&ctx);
-+ err = ini_parse_file(fp, global_ini_handler, &ctx);
-+ if (!err) {
-+ if (fseek(fp, 0L, SEEK_SET) < 0) {
-+ _gnutls_debug_log("cfg: unable to rewind: %s\n",
-+ system_priority_file);
-+ if (fail_on_invalid_config)
-+ exit(1);
-+ }
-+ err = ini_parse_file(fp, cfg_ini_handler, &ctx);
-+ }
-+ fclose(fp);
-+ if (err) {
-+ ini_ctx_deinit(&ctx);
-+ _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
-+ system_priority_file, err);
-+ return false;
-+ }
-+ cfg_apply(&system_wide_config, &ctx);
-+ ini_ctx_deinit(&ctx);
-+ return true;
-+}
-+
- static int _gnutls_update_system_priorities(bool defer_system_wide)
- {
-- int ret, err = 0;
-+ int ret;
-+ bool config_parse_error = false;
- struct stat sb;
-- FILE *fp;
- gnutls_buffer_st buf;
-- struct ini_ctx ctx;
-
- ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
-- if (ret < 0) {
-+ if (ret < 0)
- return gnutls_assert_val(ret);
-- }
-
- if (stat(system_priority_file, &sb) < 0) {
- _gnutls_debug_log("cfg: unable to access: %s: %d\n",
- system_priority_file, errno);
-+
-+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
-+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
-+ if (ret < 0)
-+ goto out;
-+ /* If system-wide config is unavailable, apply the defaults */
-+ cfg_init(&system_wide_config);
- goto out;
- }
-
-@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
- system_priority_last_mod == sb.st_mtime) {
- _gnutls_debug_log("cfg: system priority %s has not changed\n",
- system_priority_file);
-- if (system_wide_config.priority_string) {
-+ if (system_wide_config.priority_string)
- goto out; /* nothing to do */
-- }
- }
-
- (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
-
- ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
-- if (ret < 0) {
-+ if (ret < 0)
- return gnutls_assert_val(ret);
-- }
-
- /* Another thread could have successfully re-read system-wide config,
- * skip re-reading if the mtime it has used is exactly the same.
- */
-- if (system_priority_file_loaded) {
-+ if (system_priority_file_loaded)
- system_priority_file_loaded =
- (system_priority_last_mod == sb.st_mtime);
-- }
-
- if (!system_priority_file_loaded) {
-- _name_val_array_clear(&system_wide_config.priority_strings);
--
-- gnutls_free(system_wide_config.priority_string);
-- system_wide_config.priority_string = NULL;
--
-- fp = fopen(system_priority_file, "re");
-- if (fp == NULL) {
-- _gnutls_debug_log("cfg: unable to open: %s: %d\n",
-- system_priority_file, errno);
-+ config_parse_error = !load_system_priority_file();
-+ if (config_parse_error)
- goto out;
-- }
-- /* Parsing the configuration file needs to be done in 2 phases:
-- * first parsing the [global] section
-- * and then the other sections,
-- * because the [global] section modifies the parsing behavior.
-- */
-- memset(&ctx, 0, sizeof(ctx));
-- err = ini_parse_file(fp, global_ini_handler, &ctx);
-- if (!err) {
-- if (fseek(fp, 0L, SEEK_SET) < 0) {
-- _gnutls_debug_log("cfg: unable to rewind: %s\n",
-- system_priority_file);
-- if (fail_on_invalid_config)
-- exit(1);
-- }
-- err = ini_parse_file(fp, cfg_ini_handler, &ctx);
-- }
-- fclose(fp);
-- if (err) {
-- ini_ctx_deinit(&ctx);
-- _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
-- system_priority_file, err);
-- goto out;
-- }
-- cfg_apply(&system_wide_config, &ctx);
-- ini_ctx_deinit(&ctx);
- _gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
- system_priority_file,
- (unsigned long long)sb.st_mtime);
-@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
- out:
- (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
-
-- if (err && fail_on_invalid_config) {
-+ if (config_parse_error && fail_on_invalid_config)
- exit(1);
-- }
-
- return ret;
- }
-diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
-index b7d477c96e..714d0af946 100755
---- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
-+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
-@@ -19,9 +19,8 @@
- # You should have received a copy of the GNU Lesser General Public License
- # along with this program. If not, see <https://www.gnu.org/licenses/>
-
--: ${srcdir=.}
--TEST=${srcdir}/rsaes-pkcs1-v1_5
--CONF=${srcdir}/config.$$.tmp
-+TEST=${builddir}/rsaes-pkcs1-v1_5
-+CONF=config.$$.tmp
- export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
- export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
-
-@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
- allow-rsa-pkcs1-encrypt = true
- _EOF_
-
--${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
-+${TEST}
-+if [ $? != 0 ]; then
-+ echo "${TEST} expected to succeed"
-+ exit 1
-+fi
-+echo "RSAES-PKCS1-v1_5 successfully enabled"
-
- cat <<_EOF_ > ${CONF}
- [overrides]
- allow-rsa-pkcs1-encrypt = false
- _EOF_
-
--${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
-+${TEST}
-+if [ $? = 0 ]; then
-+ echo "${TEST} expected to fail"
-+ exit 1
-+fi
-+echo "RSAES-PKCS1-v1_5 successfully disabled"
-
- unset GNUTLS_SYSTEM_PRIORITY_FILE
- unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
-+
-+${TEST}
-+if [ $? != 0 ]; then
-+ echo "${TEST} expected to succeed by default"
-+ exit 1
-+fi
-+echo "RSAES-PKCS1-v1_5 successfully enabled by default"
-+
- exit 0
---
-GitLab
-
-
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
