mirror of
git://slackware.nl/current.git
synced 2024-12-30 10:24:23 +01:00
2136209b06
a/cryptsetup-2.7.2-x86_64-1.txz: Upgraded. a/kernel-firmware-20240410_53438f8-noarch-1.txz: Upgraded. a/kernel-generic-6.6.26-x86_64-1.txz: Upgraded. a/kernel-huge-6.6.26-x86_64-1.txz: Upgraded. a/kernel-modules-6.6.26-x86_64-1.txz: Upgraded. a/openssl-solibs-3.3.0-x86_64-1.txz: Upgraded. a/pam-1.6.1-x86_64-1.txz: Upgraded. d/kernel-headers-6.6.26-x86-1.txz: Upgraded. d/rust-1.77.2-x86_64-1.txz: Upgraded. [PATCH] compiler: Use wasm-ld for wasm targets. Thanks to Heinz Wiesinger. k/kernel-source-6.6.26-noarch-1.txz: Upgraded. +SPECTRE_BHI_AUTO n +SPECTRE_BHI_OFF n +SPECTRE_BHI_ON y l/gst-plugins-bad-free-1.24.2-x86_64-1.txz: Upgraded. l/gst-plugins-base-1.24.2-x86_64-1.txz: Upgraded. l/gst-plugins-good-1.24.2-x86_64-1.txz: Upgraded. l/gst-plugins-libav-1.24.2-x86_64-1.txz: Upgraded. l/gstreamer-1.24.2-x86_64-1.txz: Upgraded. l/libcap-ng-0.8.5-x86_64-1.txz: Upgraded. l/nodejs-20.12.2-x86_64-1.txz: Upgraded. l/python-trove-classifiers-2024.4.10-x86_64-1.txz: Upgraded. n/gnutls-3.8.5-x86_64-2.txz: Rebuilt. [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration. Thanks to bortolotto. n/openssl-3.3.0-x86_64-1.txz: Upgraded. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt.
96 lines
2.9 KiB
Diff
96 lines
2.9 KiB
Diff
From 6eec2a3854f90bfb30492d59db59c675bfb0f6f9 Mon Sep 17 00:00:00 2001
|
|
From: Zoltan Fridrich <zfridric@redhat.com>
|
|
Date: Wed, 10 Apr 2024 12:51:33 +0200
|
|
Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
|
|
|
|
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
|
---
|
|
lib/priority.c | 12 ++++++----
|
|
...system-override-allow-rsa-pkcs1-encrypt.sh | 22 +++++++++++++++++--
|
|
2 files changed, 28 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/lib/priority.c b/lib/priority.c
|
|
index 8abe00d1ff..342f71471d 100644
|
|
--- a/lib/priority.c
|
|
+++ b/lib/priority.c
|
|
@@ -1423,9 +1423,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
|
|
_gnutls_default_priority_string = cfg->default_priority_string;
|
|
}
|
|
|
|
- /* enable RSA-PKCS1-V1_5 by default */
|
|
- cfg->allow_rsa_pkcs1_encrypt = true;
|
|
-
|
|
if (cfg->allowlisting) {
|
|
/* also updates `flags` of global `hash_algorithms[]` */
|
|
ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
|
|
@@ -2231,6 +2228,9 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
|
|
}
|
|
|
|
if (stat(system_priority_file, &sb) < 0) {
|
|
+ /* if there is no config enable RSA-PKCS1-V1_5 by default */
|
|
+ system_wide_config.allow_rsa_pkcs1_encrypt = true;
|
|
+
|
|
_gnutls_debug_log("cfg: unable to access: %s: %d\n",
|
|
system_priority_file, errno);
|
|
goto out;
|
|
@@ -2272,12 +2272,16 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
|
|
system_priority_file, errno);
|
|
goto out;
|
|
}
|
|
+
|
|
+ memset(&ctx, 0, sizeof(ctx));
|
|
+ /* enable RSA-PKCS1-V1_5 by default */
|
|
+ ctx.cfg.allow_rsa_pkcs1_encrypt = true;
|
|
+
|
|
/* Parsing the configuration file needs to be done in 2 phases:
|
|
* first parsing the [global] section
|
|
* and then the other sections,
|
|
* because the [global] section modifies the parsing behavior.
|
|
*/
|
|
- memset(&ctx, 0, sizeof(ctx));
|
|
err = ini_parse_file(fp, global_ini_handler, &ctx);
|
|
if (!err) {
|
|
if (fseek(fp, 0L, SEEK_SET) < 0) {
|
|
diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
|
|
index b7d477c96e..014088bd2f 100755
|
|
--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
|
|
+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
|
|
@@ -38,15 +38,33 @@ cat <<_EOF_ > ${CONF}
|
|
allow-rsa-pkcs1-encrypt = true
|
|
_EOF_
|
|
|
|
-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
|
|
+${TEST}
|
|
+if [ $? != 0 ]; then
|
|
+ echo "${TEST} expected to succeed"
|
|
+ exit 1
|
|
+fi
|
|
+echo "RSAES-PKCS1-v1_5 successfully enabled"
|
|
|
|
cat <<_EOF_ > ${CONF}
|
|
[overrides]
|
|
allow-rsa-pkcs1-encrypt = false
|
|
_EOF_
|
|
|
|
-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
|
|
+${TEST}
|
|
+if [ $? = 0 ]; then
|
|
+ echo "${TEST} expected to fail"
|
|
+ exit 1
|
|
+fi
|
|
+echo "RSAES-PKCS1-v1_5 successfully disabled"
|
|
|
|
unset GNUTLS_SYSTEM_PRIORITY_FILE
|
|
unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
|
|
+
|
|
+${TEST}
|
|
+if [ $? != 0 ]; then
|
|
+ echo "${TEST} expected to succeed by default"
|
|
+ exit 1
|
|
+fi
|
|
+echo "RSAES-PKCS1-v1_5 successfully enabled by default"
|
|
+
|
|
exit 0
|
|
--
|
|
GitLab
|
|
|