Merge branch 'wip/asosedki/hash-filters-prf' into 'master'

make insecure-hash filter out ciphersuites on ->prf as well See merge request gnutls/gnutls!1479
author: Daiki Ueno <ueno@gnu.org> 2021-10-21 10:56:06 +0000
committer: Daiki Ueno <ueno@gnu.org> 2021-10-21 10:56:06 +0000
commit: 05580592785a73208fb33526d72d5bfd6aa292c5 (patch)
tree: d468a7760c760cae6e73b7e324631dc8bdd91d19
parent: fea473a90351004fe2b84b4d722994bbc899d4ab (diff)
parent: d1ae9fb43e8bc74230d25f7b95065b4967aa09d7 (diff)
download: gnutls-05580592785a73208fb33526d72d5bfd6aa292c5.tar.gz
4 files changed, 122 insertions, 14 deletions
diff --git a/NEWS b/NEWS
index 0ae6410098..de57ed5dc1 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,9 @@ See the end for copying conditions.
 
 ** certtool: Certtool can now generate, manipulate, and evaluate x25519 and
    x448 public keys, private keys, and certificates.
+** libgnutls: disabling a hashing algorithm through "insecure-hash"
+   configuration directive now also disables TLS ciphersuites that use it
+   as a PRF algorithm.
 
 ** API and ABI modifications:
 GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
diff --git a/lib/priority.c b/lib/priority.c
index f043e9dd6f..55d68d734c 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1539,6 +1539,7 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
 	unsigned have_tls13 = 0, have_srp = 0;
 	unsigned have_pre_tls12 = 0, have_tls12 = 0;
 	unsigned have_psk = 0, have_null = 0, have_rsa_psk = 0;
+	gnutls_digest_algorithm_t prf_digest;
 
 	/* have_psk indicates that a PSK key exchange compatible
 	 * with TLS1.3 is enabled. */
@@ -1682,10 +1683,17 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
 			ce = cipher_suite_get(
 				0, priority_cache->_cipher.priorities[j],
 				priority_cache->_mac.priorities[z]);
+			if (ce == NULL)
+				continue;
+
+			prf_digest = MAC_TO_DIG(ce->prf);
+			if (prf_digest == GNUTLS_DIG_UNKNOWN)
+				continue;
+			if (_gnutls_digest_is_insecure(prf_digest))
+				continue;
 
-			if (ce != NULL && priority_cache->cs.size < MAX_CIPHERSUITE_SIZE) {
+			if (priority_cache->cs.size < MAX_CIPHERSUITE_SIZE)
 				priority_cache->cs.entry[priority_cache->cs.size++] = ce;
-			}
 		}
 	}
 
@@ -1696,18 +1704,26 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
 					priority_cache->_kx.priorities[i],
 					priority_cache->_cipher.priorities[j],
 					priority_cache->_mac.priorities[z]);
+				if (ce == NULL)
+					continue;
 
-				if (ce != NULL && priority_cache->cs.size < MAX_CIPHERSUITE_SIZE) {
-					priority_cache->cs.entry[priority_cache->cs.size++] = ce;
-					if (!have_ec && (_gnutls_kx_is_ecc(ce->kx_algorithm) ||
-							 _gnutls_kx_is_vko_gost(ce->kx_algorithm))) {
-						have_ec = 1;
-						add_ec(priority_cache);
-					}
-					if (!have_dh && _gnutls_kx_is_dhe(ce->kx_algorithm)) {
-						have_dh = 1;
-						add_dh(priority_cache);
-					}
+				prf_digest = MAC_TO_DIG(ce->prf);
+				if (prf_digest == GNUTLS_DIG_UNKNOWN)
+					continue;
+				if (_gnutls_digest_is_insecure(prf_digest))
+					continue;
+
+				if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE)
+					continue;
+				priority_cache->cs.entry[priority_cache->cs.size++] = ce;
+				if (!have_ec && (_gnutls_kx_is_ecc(ce->kx_algorithm) ||
+						 _gnutls_kx_is_vko_gost(ce->kx_algorithm))) {
+					have_ec = 1;
+					add_ec(priority_cache);
+				}
+				if (!have_dh && _gnutls_kx_is_dhe(ce->kx_algorithm)) {
+					have_dh = 1;
+					add_dh(priority_cache);
 				}
 			}
 		}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 95a447b997..e830291aa5 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -518,7 +518,7 @@ dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
 	system-override-versions.sh system-override-invalid.sh \
 	system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
 	system-override-kx.sh system-override-default-priority-string.sh \
-	system-override-sig-tls.sh
+	system-override-sig-tls.sh system-override-hash-filters-prf.sh
 endif
 
 dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh
diff --git a/tests/system-override-hash-filters-prf.sh b/tests/system-override-hash-filters-prf.sh
new file mode 100755
index 0000000000..89774f42a7
--- /dev/null
+++ b/tests/system-override-hash-filters-prf.sh
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# Copyright (C) 2021 Red Hat, Inc.
+#
+# Author: Alexander Sosedkin
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${srcdir=.}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+: ${GREP=grep}
+
+if ! test -x "${CLI}"; then
+	exit 77
+fi
+
+TMPCFGFILE=cfg.$$.tmp
+TMPOUTFILE=out.$$.tmp
+
+# Sanity
+
+${CLI} --list -d 4 --priority NORMAL &>"${TMPOUTFILE}"
+if test $? != 0; then
+	cat "${TMPOUTFILE}"
+	echo 'fails just listing ciphersuites for NORMAL'
+	exit 1
+fi
+if ! ${GREP} -Fq TLS_AES_256_GCM_SHA384 "${TMPOUTFILE}"; then
+	cat "${TMPOUTFILE}"
+	echo 'no TLS_AES_256_GCM_SHA384 (TLS 1.3) with NORMAL'
+	exit 1
+fi
+if ! ${GREP} -Fq TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 "${TMPOUTFILE}"; then
+	cat "${TMPOUTFILE}"
+	echo 'no TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (TLS 1.2) with NORMAL'
+	exit 1
+fi
+if ! ${GREP} -q TLS_RSA_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then
+	cat "${TMPOUTFILE}"
+	echo 'no TLS_RSA_AES_128_GCM_SHA256 (non-SHA384 example) with NORMAL'
+	exit 1
+fi
+
+# insecure-hash = SHA384 disables TLS_AES_256_GCM_SHA384 and friends
+
+cat <<_EOF_ > ${TMPCFGFILE}
+[overrides]
+insecure-hash = SHA384
+_EOF_
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPCFGFILE}"
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+${CLI} --list -d 4 --priority NORMAL &>"${TMPOUTFILE}"
+if ${GREP} -Fq TLS_AES_256_GCM_SHA384 "${TMPOUTFILE}"; then
+	cat "${TMPOUTFILE}"
+	echo 'TLS_AES_256_GCM_SHA384 (TLS 1.3) has not disappeared'
+	exit 1
+fi
+if ${GREP} -Fq TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 "${TMPOUTFILE}"; then
+	cat "${TMPOUTFILE}"
+	echo 'TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (TLS 1.2) has not disappeared'
+	exit 1
+fi
+if ! ${GREP} -q TLS_RSA_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then
+	cat "${TMPOUTFILE}"
+	echo 'TLS_RSA_AES_128_GCM_SHA256 (non-SHA384 example) has disappeared'
+	exit 1
+fi
+if ${GREP} -Fq SHA.*384 "${TMPOUTFILE}"; then
+	cat "${TMPOUTFILE}"
+	echo 'SHA384 is still mentioned'
+	exit 1
+fi
+
+rm "${TMPCFGFILE}" "${TMPOUTFILE}"
author	Daiki Ueno <ueno@gnu.org>	2021-10-21 10:56:06 +0000
committer	Daiki Ueno <ueno@gnu.org>	2021-10-21 10:56:06 +0000
commit	05580592785a73208fb33526d72d5bfd6aa292c5 (patch)
tree	d468a7760c760cae6e73b7e324631dc8bdd91d19
parent	fea473a90351004fe2b84b4d722994bbc899d4ab (diff)
parent	d1ae9fb43e8bc74230d25f7b95065b4967aa09d7 (diff)
download	gnutls-05580592785a73208fb33526d72d5bfd6aa292c5.tar.gz