slackware-current/source/n/gnutls/1830.patch

From 6eec2a3854f90bfb30492d59db59c675bfb0f6f9 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 10 Apr 2024 12:51:33 +0200
Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
 lib/priority.c                                | 12 ++++++----
 ...system-override-allow-rsa-pkcs1-encrypt.sh | 22 +++++++++++++++++--
 2 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/lib/priority.c b/lib/priority.c
index 8abe00d1ff..342f71471d 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1423,9 +1423,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
 		_gnutls_default_priority_string = cfg->default_priority_string;
 	}
 
-	/* enable RSA-PKCS1-V1_5 by default */
-	cfg->allow_rsa_pkcs1_encrypt = true;
-
 	if (cfg->allowlisting) {
 		/* also updates `flags` of global `hash_algorithms[]` */
 		ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
@@ -2231,6 +2228,9 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
 	}
 
 	if (stat(system_priority_file, &sb) < 0) {
+		/* if there is no config enable RSA-PKCS1-V1_5 by default */
+		system_wide_config.allow_rsa_pkcs1_encrypt = true;
+
 		_gnutls_debug_log("cfg: unable to access: %s: %d\n",
 				  system_priority_file, errno);
 		goto out;
@@ -2272,12 +2272,16 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
 					  system_priority_file, errno);
 			goto out;
 		}
+
+		memset(&ctx, 0, sizeof(ctx));
+		/* enable RSA-PKCS1-V1_5 by default */
+		ctx.cfg.allow_rsa_pkcs1_encrypt = true;
+
 		/* Parsing the configuration file needs to be done in 2 phases:
 		 * first parsing the [global] section
 		 * and then the other sections,
 		 * because the [global] section modifies the parsing behavior.
 		 */
-		memset(&ctx, 0, sizeof(ctx));
 		err = ini_parse_file(fp, global_ini_handler, &ctx);
 		if (!err) {
 			if (fseek(fp, 0L, SEEK_SET) < 0) {
diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
index b7d477c96e..014088bd2f 100755
--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
@@ -38,15 +38,33 @@ cat <<_EOF_ > ${CONF}
 allow-rsa-pkcs1-encrypt = true
 _EOF_
 
-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
+${TEST}
+if [ $? != 0 ]; then
+	echo "${TEST} expected to succeed"
+	exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully enabled"
 
 cat <<_EOF_ > ${CONF}
 [overrides]
 allow-rsa-pkcs1-encrypt = false
 _EOF_
 
-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
+${TEST}
+if [ $? = 0 ]; then
+	echo "${TEST} expected to fail"
+	exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully disabled"
 
 unset GNUTLS_SYSTEM_PRIORITY_FILE
 unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
+
+${TEST}
+if [ $? != 0 ]; then
+	echo "${TEST} expected to succeed by default"
+	exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully enabled by default"
+
 exit 0
-- 
GitLab