* [PR PATCH] gnutls: Fix RSAES-PKCS1-v1_5 system-wide config
@ 2024-04-11 19:40 cinerea0
0 siblings, 0 replies; only message in thread
From: cinerea0 @ 2024-04-11 19:40 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 425 bytes --]
There is a new pull request by cinerea0 against master on the void-packages repository
https://github.com/cinerea0/void-packages gnutls
https://github.com/void-linux/void-packages/pull/49809
gnutls: Fix RSAES-PKCS1-v1_5 system-wide config
#### Testing the changes
- I tested the changes in this PR: **briefly**
---
Closes #49804
A patch file from https://github.com/void-linux/void-packages/pull/49809.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-gnutls-49809.patch --]
[-- Type: text/x-diff, Size: 8887 bytes --]
From 0aa3b3dc537fcc652c1a9fe133f56ae7c594492d Mon Sep 17 00:00:00 2001
From: cinerea0 <cinerea0@disroot.org>
Date: Thu, 11 Apr 2024 15:38:51 -0400
Subject: [PATCH] gnutls: Fix RSAES-PKCS1-v1_5 system-wide config
---
.../gnutls/patches/fix-RSAES-PKCS1-v1_5.patch | 263 ++++++++++++++++++
srcpkgs/gnutls/template | 2 +-
2 files changed, 264 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/gnutls/patches/fix-RSAES-PKCS1-v1_5.patch
diff --git a/srcpkgs/gnutls/patches/fix-RSAES-PKCS1-v1_5.patch b/srcpkgs/gnutls/patches/fix-RSAES-PKCS1-v1_5.patch
new file mode 100644
index 00000000000000..01fc5d01cc22e9
--- /dev/null
+++ b/srcpkgs/gnutls/patches/fix-RSAES-PKCS1-v1_5.patch
@@ -0,0 +1,263 @@
+From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 10 Apr 2024 12:51:33 +0200
+Subject: [PATCH 1/2] Fix RSAES-PKCS1-v1_5 system-wide configuration
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ lib/priority.c | 125 +++++++++++-------
+ ...system-override-allow-rsa-pkcs1-encrypt.sh | 27 +++-
+ 2 files changed, 96 insertions(+), 56 deletions(-)
+
+diff --git a/lib/priority.c b/lib/priority.c
+index 8abe00d1ff..3434619aad 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -1018,6 +1018,12 @@ struct cfg {
+ bool force_ext_master_secret_set;
+ };
+
++static inline void cfg_init(struct cfg *cfg)
++{
++ memset(cfg, 0, sizeof(*cfg));
++ cfg->allow_rsa_pkcs1_encrypt = true;
++}
++
+ static inline void cfg_deinit(struct cfg *cfg)
+ {
+ if (cfg->priority_strings) {
+@@ -1095,6 +1101,12 @@ struct ini_ctx {
+ size_t curves_size;
+ };
+
++static inline void ini_ctx_init(struct ini_ctx *ctx)
++{
++ memset(ctx, 0, sizeof(*ctx));
++ cfg_init(&ctx->cfg);
++}
++
+ static inline void ini_ctx_deinit(struct ini_ctx *ctx)
+ {
+ cfg_deinit(&ctx->cfg);
+@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
+ _gnutls_default_priority_string = cfg->default_priority_string;
+ }
+
+- /* enable RSA-PKCS1-V1_5 by default */
+- cfg->allow_rsa_pkcs1_encrypt = true;
+-
+ if (cfg->allowlisting) {
+ /* also updates `flags` of global `hash_algorithms[]` */
+ ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
+@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
+ return 0;
+ }
+
++/* Returns false on parse error, otherwise true.
++ * The system_wide_config must be locked for writing.
++ */
++static inline bool load_system_priority_file(void)
++{
++ int err;
++ FILE *fp;
++ struct ini_ctx ctx;
++
++ cfg_init(&system_wide_config);
++
++ fp = fopen(system_priority_file, "re");
++ if (fp == NULL) {
++ _gnutls_debug_log("cfg: unable to open: %s: %d\n",
++ system_priority_file, errno);
++ return true;
++ }
++
++ /* Parsing the configuration file needs to be done in 2 phases:
++ * first parsing the [global] section
++ * and then the other sections,
++ * because the [global] section modifies the parsing behavior.
++ */
++ ini_ctx_init(&ctx);
++ err = ini_parse_file(fp, global_ini_handler, &ctx);
++ if (!err) {
++ if (fseek(fp, 0L, SEEK_SET) < 0) {
++ _gnutls_debug_log("cfg: unable to rewind: %s\n",
++ system_priority_file);
++ if (fail_on_invalid_config)
++ exit(1);
++ }
++ err = ini_parse_file(fp, cfg_ini_handler, &ctx);
++ }
++ fclose(fp);
++ if (err) {
++ ini_ctx_deinit(&ctx);
++ _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
++ system_priority_file, err);
++ return false;
++ }
++ cfg_apply(&system_wide_config, &ctx);
++ ini_ctx_deinit(&ctx);
++ return true;
++}
++
+ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ {
+- int ret, err = 0;
++ int ret;
++ bool config_parse_error = false;
+ struct stat sb;
+- FILE *fp;
+ gnutls_buffer_st buf;
+- struct ini_ctx ctx;
+
+ ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
+- if (ret < 0) {
++ if (ret < 0)
+ return gnutls_assert_val(ret);
+- }
+
+ if (stat(system_priority_file, &sb) < 0) {
+ _gnutls_debug_log("cfg: unable to access: %s: %d\n",
+ system_priority_file, errno);
++
++ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
++ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
++ if (ret < 0)
++ goto out;
++ /* If system-wide config is unavailable, apply the defaults */
++ cfg_init(&system_wide_config);
+ goto out;
+ }
+
+@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ system_priority_last_mod == sb.st_mtime) {
+ _gnutls_debug_log("cfg: system priority %s has not changed\n",
+ system_priority_file);
+- if (system_wide_config.priority_string) {
++ if (system_wide_config.priority_string)
+ goto out; /* nothing to do */
+- }
+ }
+
+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+
+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
+- if (ret < 0) {
++ if (ret < 0)
+ return gnutls_assert_val(ret);
+- }
+
+ /* Another thread could have successfully re-read system-wide config,
+ * skip re-reading if the mtime it has used is exactly the same.
+ */
+- if (system_priority_file_loaded) {
++ if (system_priority_file_loaded)
+ system_priority_file_loaded =
+ (system_priority_last_mod == sb.st_mtime);
+- }
+
+ if (!system_priority_file_loaded) {
+- _name_val_array_clear(&system_wide_config.priority_strings);
+-
+- gnutls_free(system_wide_config.priority_string);
+- system_wide_config.priority_string = NULL;
+-
+- fp = fopen(system_priority_file, "re");
+- if (fp == NULL) {
+- _gnutls_debug_log("cfg: unable to open: %s: %d\n",
+- system_priority_file, errno);
++ config_parse_error = !load_system_priority_file();
++ if (config_parse_error)
+ goto out;
+- }
+- /* Parsing the configuration file needs to be done in 2 phases:
+- * first parsing the [global] section
+- * and then the other sections,
+- * because the [global] section modifies the parsing behavior.
+- */
+- memset(&ctx, 0, sizeof(ctx));
+- err = ini_parse_file(fp, global_ini_handler, &ctx);
+- if (!err) {
+- if (fseek(fp, 0L, SEEK_SET) < 0) {
+- _gnutls_debug_log("cfg: unable to rewind: %s\n",
+- system_priority_file);
+- if (fail_on_invalid_config)
+- exit(1);
+- }
+- err = ini_parse_file(fp, cfg_ini_handler, &ctx);
+- }
+- fclose(fp);
+- if (err) {
+- ini_ctx_deinit(&ctx);
+- _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+- system_priority_file, err);
+- goto out;
+- }
+- cfg_apply(&system_wide_config, &ctx);
+- ini_ctx_deinit(&ctx);
+ _gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
+ system_priority_file,
+ (unsigned long long)sb.st_mtime);
+@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ out:
+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+
+- if (err && fail_on_invalid_config) {
++ if (config_parse_error && fail_on_invalid_config)
+ exit(1);
+- }
+
+ return ret;
+ }
+diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+index b7d477c96e..714d0af946 100755
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
++++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -19,9 +19,8 @@
+ # You should have received a copy of the GNU Lesser General Public License
+ # along with this program. If not, see <https://www.gnu.org/licenses/>
+
+-: ${srcdir=.}
+-TEST=${srcdir}/rsaes-pkcs1-v1_5
+-CONF=${srcdir}/config.$$.tmp
++TEST=${builddir}/rsaes-pkcs1-v1_5
++CONF=config.$$.tmp
+ export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
+ export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
+ allow-rsa-pkcs1-encrypt = true
+ _EOF_
+
+-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
++${TEST}
++if [ $? != 0 ]; then
++ echo "${TEST} expected to succeed"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled"
+
+ cat <<_EOF_ > ${CONF}
+ [overrides]
+ allow-rsa-pkcs1-encrypt = false
+ _EOF_
+
+-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
++${TEST}
++if [ $? = 0 ]; then
++ echo "${TEST} expected to fail"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully disabled"
+
+ unset GNUTLS_SYSTEM_PRIORITY_FILE
+ unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
++
++${TEST}
++if [ $? != 0 ]; then
++ echo "${TEST} expected to succeed by default"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled by default"
++
+ exit 0
+
diff --git a/srcpkgs/gnutls/template b/srcpkgs/gnutls/template
index e87f46fc06e39a..273534bc29472e 100644
--- a/srcpkgs/gnutls/template
+++ b/srcpkgs/gnutls/template
@@ -1,7 +1,7 @@
# Template file for 'gnutls'
pkgname=gnutls
version=3.8.5
-revision=1
+revision=2
build_style=gnu-configure
configure_args="--disable-static --disable-valgrind-tests
--disable-rpath
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2024-04-11 19:40 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-11 19:40 [PR PATCH] gnutls: Fix RSAES-PKCS1-v1_5 system-wide config cinerea0
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).