libgnutls: Add system-wide default-priority-string override.

Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>

8 files changed, 153 insertions, 4 deletions

diff --git a/NEWS b/NEWS
index 2b4fd94210..1e931e5613 100644
--- a/NEWS
+++ b/NEWS
@@ -40,6 +40,9 @@ See the end for copying conditions.
    to accepting it. This addresses the problem of accepting CAs which would
    have been marked as insecure otherwise (#877).
 
+** libgnutls: The default-priority-string added to system configuration
+   to allow overriding compiled-in default-priority-string.
+
 ** certtool: Added the --verify-profile option to set a certificate
    verification profile. Use '--verify-profile low' for certificate verification
    to apply the 'NORMAL' verification profile.
diff --git a/doc/cha-config.texi b/doc/cha-config.texi
index 3cc568a607..f094407900 100644
--- a/doc/cha-config.texi
+++ b/doc/cha-config.texi
@@ -25,6 +25,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}.
 * Disabling algorithms and protocols::
 * Querying for disabled algorithms and protocols::
 * Overriding the parameter verification profile::
+* Overriding the default priority string::
 @end menu
 
 @node Application-specific priority strings
@@ -156,3 +157,18 @@ using the following.
 min-verification-profile = legacy
 
 @end example
+
+@node Overriding the default priority string
+@section Overriding the default priority string
+
+GnuTLS uses default priority string which is defined at compiled
+time. Usually it is set to @code{NORMAL}. This override allows to set
+the default priority string to something more appropriate for a given
+deployment.
+
+Below example sets a more specific default priority string.
+@example
+[overrides]
+default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3
+
+@end example
diff --git a/lib/priority.c b/lib/priority.c
index c4328d066a..65e3c044b7 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -963,6 +963,7 @@ static void dummy_func(gnutls_priority_t c)
 static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN;
 static name_val_array_t system_wide_priority_strings = NULL;
 static unsigned system_wide_priority_strings_init = 0;
+static unsigned system_wide_default_priority_string = 0;
 static unsigned fail_on_invalid_config = 0;
 static unsigned system_wide_disabled_ciphers[MAX_ALGOS+1] = {0};
 static unsigned system_wide_disabled_macs[MAX_ALGOS+1] = {0};
@@ -974,7 +975,17 @@ static time_t system_priority_last_mod = 0;
 
 #define CUSTOM_PRIORITY_SECTION "priorities"
 #define OVERRIDES_SECTION "overrides"
-#define MAX_ALGO_NAME 128
+#define MAX_ALGO_NAME 2048
+
+static void _clear_default_system_priority(void)
+{
+        if (system_wide_default_priority_string) {
+                gnutls_free(_gnutls_default_priority_string);
+                _gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
+                system_wide_default_priority_string = 0;
+        }
+
+}
 
 gnutls_certificate_verification_profiles_t _gnutls_get_system_wide_verification_profile(void)
 {
@@ -1027,7 +1038,24 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
 		if (ret < 0)
 			return 0;
 	} else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) {
-		if (c_strcasecmp(name, "insecure-hash")==0) {
+		if (c_strcasecmp(name, "default-priority-string")==0) {
+			_clear_default_system_priority();
+			p = clear_spaces(value, str);
+			_gnutls_debug_log("cfg: setting default-priority-string to %s\n", p);
+			if (strlen(p) > 0) {
+				_gnutls_default_priority_string = gnutls_strdup(p);
+				if (!_gnutls_default_priority_string) {
+					_gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
+					_gnutls_debug_log("cfg: failed setting default-priority-string\n");
+					return 0;
+				}
+				system_wide_default_priority_string = 1;
+			} else {
+				_gnutls_debug_log("cfg: empty default-priority-string, using default\n");
+				if (fail_on_invalid_config)
+					return 0;
+			}
+		} else if (c_strcasecmp(name, "insecure-hash")==0) {
 			p = clear_spaces(value, str);
 
 			_gnutls_debug_log("cfg: marking hash %s as insecure\n",
@@ -1293,6 +1321,7 @@ void _gnutls_load_system_priorities(void)
 void _gnutls_unload_system_priorities(void)
 {
 	_name_val_array_clear(&system_wide_priority_strings);
+	_clear_default_system_priority();
 	system_priority_last_mod = 0;
 }
 
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 1fecf78c3a..f0188ecdc9 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -71,7 +71,8 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
 	testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm testpkcs11-certs/ca.crt testpkcs11-certs/ca-tmpl \
 	testpkcs11-certs/client.key testpkcs11-certs/server.crt testpkcs11-certs/server-tmpl \
 	testpkcs11-certs/ca.key testpkcs11-certs/client.crt testpkcs11-certs/client-tmpl testpkcs11-certs/server.key \
-	crt_type-neg-common.c
+	crt_type-neg-common.c \
+	system-override-default-priority-string.bad.config system-override-default-priority-string.none.config system-override-default-priority-string.only-tls13.config
 
 AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
 AM_CPPFLAGS = \
@@ -512,7 +513,7 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start
 if !DISABLE_SYSTEM_CONFIG
 dist_check_SCRIPTS += system-override-sig-hash.sh system-override-versions.sh system-override-invalid.sh \
 	system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
-	system-override-kx.sh
+	system-override-kx.sh system-override-default-priority-string.sh
 endif
 
 dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh
diff --git a/tests/system-override-default-priority-string.bad.config b/tests/system-override-default-priority-string.bad.config
new file mode 100644
index 0000000000..ca88d71115
--- /dev/null
+++ b/tests/system-override-default-priority-string.bad.config
@@ -0,0 +1,3 @@
+SYSTEM=NORMAL
+[overrides]
+default-priority-string = 
diff --git a/tests/system-override-default-priority-string.none.config b/tests/system-override-default-priority-string.none.config
new file mode 100644
index 0000000000..0a42c3a743
--- /dev/null
+++ b/tests/system-override-default-priority-string.none.config
@@ -0,0 +1,2 @@
+[overrides]
+default-priority-string = NONE
diff --git a/tests/system-override-default-priority-string.only-tls13.config b/tests/system-override-default-priority-string.only-tls13.config
new file mode 100644
index 0000000000..c4614a19f6
--- /dev/null
+++ b/tests/system-override-default-priority-string.only-tls13.config
@@ -0,0 +1,2 @@
+[overrides]
+default-priority-string = NORMAL:-VERS-ALL:+VERS-TLS1.3
diff --git a/tests/system-override-default-priority-string.sh b/tests/system-override-default-priority-string.sh
new file mode 100755
index 0000000000..b0c963bb9c
--- /dev/null
+++ b/tests/system-override-default-priority-string.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# Copyright (C) 2019 Canonical, Ltd.
+#
+# Author: Dimitri John Ledkov
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+TMPFILE=config.$$.tmp
+TMPFILE2=log.$$.tmp
+STOCK_PRIORITY="${GNUTLS_SYSTEM_PRIORITY_FILE:-./system.prio}"
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+	exit 77
+fi
+
+if ! test -x "${CLI}"; then
+	exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+	exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+export GNUTLS_DEBUG_LEVEL=3
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+# Try whether a client connection with priority string None succeeds
+export GNUTLS_SYSTEM_PRIORITY_FILE="${srcdir}/system-override-default-priority-string.none.config"
+eval "${GETPORT}"
+launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${STOCK_PRIORITY}"
+"${CLI}" -p "${PORT}" 127.0.0.1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+	fail "expected connection to fail (1)"
+kill ${PID}
+wait
+
+# Try whether a client connection to an tls1.3 only server succeeds
+export GNUTLS_SYSTEM_PRIORITY_FILE="${srcdir}/system-override-default-priority-string.only-tls13.config"
+eval "${GETPORT}"
+launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${STOCK_PRIORITY}"
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+	fail "expected connection to fail (2)"
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${STOCK_PRIORITY}"
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
+	fail "expected connection to succeed (1)"
+
+kill ${PID}
+wait
+
+# Check that a bad (empty) default-priority-string results in an built-one being used, when non-strict
+export GNUTLS_SYSTEM_PRIORITY_FILE="${srcdir}/system-override-default-priority-string.bad.config"
+unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
+eval "${GETPORT}"
+launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
+	fail "expected connection to succeed (2)"
+
+kill ${PID}
+wait
+
+exit 0