author | Dimitri John Ledkov <xnox@ubuntu.com> | 2020-01-07 11:32:37 +0000 |
---|---|---|
committer | Dimitri John Ledkov <xnox@ubuntu.com> | 2020-01-13 18:55:25 +0000 |
commit | 454eb184f0c2255a9d33fbdd096906b8e18ef582 (patch) | |
tree | 06183862ec93e55aad6951ef2cf4eaf6dc71e57a | |
parent | 2e52d307be9f971c721a94a908f487df5e8e483b (diff) | |
download | gnutls-454eb184f0c2255a9d33fbdd096906b8e18ef582.tar.gz |
libgnutls: Add system-wide default-priority-string override.
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | doc/cha-config.texi | 16 | ||||
-rw-r--r-- | lib/priority.c | 33 | ||||
-rw-r--r-- | tests/Makefile.am | 5 | ||||
-rw-r--r-- | tests/system-override-default-priority-string.bad.config | 3 | ||||
-rw-r--r-- | tests/system-override-default-priority-string.none.config | 2 | ||||
-rw-r--r-- | tests/system-override-default-priority-string.only-tls13.config | 2 | ||||
-rwxr-xr-x | tests/system-override-default-priority-string.sh | 93 |
8 files changed, 153 insertions, 4 deletions
@@ -40,6 +40,9 @@ See the end for copying conditions. to accepting it. This addresses the problem of accepting CAs which would have been marked as insecure otherwise (#877). +** libgnutls: The default-priority-string added to system configuration + to allow overriding compiled-in default-priority-string. + ** certtool: Added the --verify-profile option to set a certificate verification profile. Use '--verify-profile low' for certificate verification to apply the 'NORMAL' verification profile. diff --git a/doc/cha-config.texi b/doc/cha-config.texi index 3cc568a607..f094407900 100644 --- a/doc/cha-config.texi +++ b/doc/cha-config.texi @@ -25,6 +25,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}. * Disabling algorithms and protocols:: * Querying for disabled algorithms and protocols:: * Overriding the parameter verification profile:: +* Overriding the default priority string:: @end menu @node Application-specific priority strings @@ -156,3 +157,18 @@ using the following. min-verification-profile = legacy @end example + +@node Overriding the default priority string +@section Overriding the default priority string + +GnuTLS uses default priority string which is defined at compiled +time. Usually it is set to @code{NORMAL}. This override allows to set +the default priority string to something more appropriate for a given +deployment. + +Below example sets a more specific default priority string. +@example +[overrides] +default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3 + +@end example diff --git a/lib/priority.c b/lib/priority.c index c4328d066a..65e3c044b7 100644 --- a/lib/priority.c +++ b/lib/priority.c 
@@ -963,6 +963,7 @@ static void dummy_func(gnutls_priority_t c)
 static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN;
 static name_val_array_t system_wide_priority_strings = NULL;
 static unsigned system_wide_priority_strings_init = 0;
+static unsigned system_wide_default_priority_string = 0;
 static unsigned fail_on_invalid_config = 0;
 static unsigned system_wide_disabled_ciphers[MAX_ALGOS+1] = {0};
 static unsigned system_wide_disabled_macs[MAX_ALGOS+1] = {0};
@@ -974,7 +975,17 @@ static time_t system_priority_last_mod = 0;
 
 #define CUSTOM_PRIORITY_SECTION "priorities"
 #define OVERRIDES_SECTION "overrides"
-#define MAX_ALGO_NAME 128
+#define MAX_ALGO_NAME 2048
+
+static void _clear_default_system_priority(void)
+{
+ if (system_wide_default_priority_string) {
+ gnutls_free(_gnutls_default_priority_string);
+ _gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
+ system_wide_default_priority_string = 0;
+ }
+
+}
 
 gnutls_certificate_verification_profiles_t _gnutls_get_system_wide_verification_profile(void)
 {
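Review bot: `system_wide_default_priority_string` is a 0/1 flag but is named like the string it guards, which reads confusingly next to `_gnutls_default_priority_string` in the later hunks of this file. A one-line comment at the declaration would remove the ambiguity, e.g. `/* nonzero when _gnutls_default_priority_string was allocated from the system config and must be freed */`; a name such as `system_wide_default_priority_string_set` would be clearer still, but the comment alone suffices.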
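Review bot: `_clear_default_system_priority` is the one place that decides whether `_gnutls_default_priority_string` is heap-owned, so it should carry a header comment stating that contract, e.g. `/* Release a config-supplied default priority string and restore the compiled-in DEFAULT_PRIORITY_STRING; no-op when the default was never overridden. */`, and the stray blank line before its closing brace should go. In the same hunk `MAX_ALGO_NAME` grows from 128 to 2048, presumably so that the buffer handed to `clear_spaces(value, str)` in the handler hunk can hold a whole priority string, yet the name still says "algorithm name"; a comment at the define, or a separate `MAX_PRIORITY_STRING` constant for that buffer, would keep the intent visible. Where `str` is declared (stack or static) is not visible here; if it is a local of `cfg_ini_handler`, the extra 2 KiB of stack is worth a note as well.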
@@ -1027,7 +1038,24 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
 if (ret < 0)
 return 0;
 } else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) {
- if (c_strcasecmp(name, "insecure-hash")==0) {
+ if (c_strcasecmp(name, "default-priority-string")==0) {
+ _clear_default_system_priority();
+ p = clear_spaces(value, str);
+ _gnutls_debug_log("cfg: setting default-priority-string to %s\n", p);
+ if (strlen(p) > 0) {
+ _gnutls_default_priority_string = gnutls_strdup(p);
+ if (!_gnutls_default_priority_string) {
+ _gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
+ _gnutls_debug_log("cfg: failed setting default-priority-string\n");
+ return 0;
+ }
+ system_wide_default_priority_string = 1;
+ } else {
+ _gnutls_debug_log("cfg: empty default-priority-string, using default\n");
+ if (fail_on_invalid_config)
+ return 0;
+ }
+ } else if (c_strcasecmp(name, "insecure-hash")==0) {
 p = clear_spaces(value, str);
 
 _gnutls_debug_log("cfg: marking hash %s as insecure\n",
@@ -1293,6 +1321,7 @@ void _gnutls_load_system_priorities(void)
 void _gnutls_unload_system_priorities(void)
 {
 _name_val_array_clear(&system_wide_priority_strings);
+ _clear_default_system_priority();
 system_priority_last_mod = 0;
 }
 
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 1fecf78c3a..f0188ecdc9 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
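Review bot: The value committed at `_gnutls_default_priority_string = gnutls_strdup(p);` is never parsed, so a mistyped system-wide default is accepted at config load and only fails later, inside every priority initialisation that relies on the compiled-in default, with nothing pointing at the system config as the cause; with `GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID` set, an operator would expect such a value to be rejected here instead. A trial parse of `p` before storing it, returning 0 on failure at least when `fail_on_invalid_config` is set, would give that early signal; if the priority parser itself triggers loading of the system config, the check must avoid re-entering this handler, which cannot be judged from the hunk. A smaller point: `_clear_default_system_priority()` runs before the empty-value branch, so a second, empty `default-priority-string` line silently discards an earlier valid one in non-strict mode, whereas clearing only on the success path would keep the last valid setting. `cfg_ini_handler` starts and ends outside the hunk.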
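Review bot: `_gnutls_unload_system_priorities` now drops the override, but the mtime-based reload tracked by `system_priority_last_mod` (the reload routine itself is outside this diff) is the other place the config is reparsed; if it reparses without going through this function, a `default-priority-string` line deleted from the config keeps the previous heap value until exit, and a reparse that sets it again frees a pointer another thread may still be handing to the priority parser. Calling `_clear_default_system_priority()` at the start of that reload path, under whatever lock already guards `system_wide_priority_strings`, would cover both cases; whether such a lock exists is not visible here.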
@@ -71,7 +71,8 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
 testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm testpkcs11-certs/ca.crt testpkcs11-certs/ca-tmpl \
 testpkcs11-certs/client.key testpkcs11-certs/server.crt testpkcs11-certs/server-tmpl \
 testpkcs11-certs/ca.key testpkcs11-certs/client.crt testpkcs11-certs/client-tmpl testpkcs11-certs/server.key \
- crt_type-neg-common.c
+ crt_type-neg-common.c \
+ system-override-default-priority-string.bad.config system-override-default-priority-string.none.config system-override-default-priority-string.only-tls13.config
 
 AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
 AM_CPPFLAGS = \
@@ -512,7 +513,7 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start
 if !DISABLE_SYSTEM_CONFIG
 dist_check_SCRIPTS += system-override-sig-hash.sh system-override-versions.sh system-override-invalid.sh \
 system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
- system-override-kx.sh
+ system-override-kx.sh system-override-default-priority-string.sh
 endif
 
 dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh
diff --git a/tests/system-override-default-priority-string.bad.config b/tests/system-override-default-priority-string.bad.config
new file mode 100644
index 0000000000..ca88d71115
--- /dev/null
+++ b/tests/system-override-default-priority-string.bad.config
@@ -0,0 +1,3 @@
+SYSTEM=NORMAL
+[overrides]
+default-priority-string =
diff --git a/tests/system-override-default-priority-string.none.config b/tests/system-override-default-priority-string.none.config
new file mode 100644
index 0000000000..0a42c3a743
--- /dev/null
+++ b/tests/system-override-default-priority-string.none.config
@@ -0,0 +1,2 @@
+[overrides]
+default-priority-string = NONE
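Review bot: `system-override-default-priority-string.bad.config` contains two irregularities, the section-less `SYSTEM=NORMAL` line and the empty `default-priority-string =`, while the test script's comment says the case exercises the empty value; if the parser also tolerates keys outside any section in non-strict mode, the test cannot tell which of the two the fallback came from. Keeping only the `[overrides]` block with the empty value, or stating in the script that both are intentionally present, would make the intent clear.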
diff --git a/tests/system-override-default-priority-string.only-tls13.config b/tests/system-override-default-priority-string.only-tls13.config
new file mode 100644
index 0000000000..c4614a19f6
--- /dev/null
+++ b/tests/system-override-default-priority-string.only-tls13.config
@@ -0,0 +1,2 @@
+[overrides]
+default-priority-string = NORMAL:-VERS-ALL:+VERS-TLS1.3
diff --git a/tests/system-override-default-priority-string.sh b/tests/system-override-default-priority-string.sh
new file mode 100755
index 0000000000..b0c963bb9c
--- /dev/null
+++ b/tests/system-override-default-priority-string.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# Copyright (C) 2019 Canonical, Ltd.
+#
+# Author: Dimitri John Ledkov
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+TMPFILE=config.$$.tmp
+TMPFILE2=log.$$.tmp
+STOCK_PRIORITY="${GNUTLS_SYSTEM_PRIORITY_FILE:-./system.prio}"
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+export GNUTLS_DEBUG_LEVEL=3
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+# Try whether a client connection with priority string None succeeds
+export GNUTLS_SYSTEM_PRIORITY_FILE="${srcdir}/system-override-default-priority-string.none.config"
+eval "${GETPORT}"
+launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${STOCK_PRIORITY}"
+"${CLI}" -p "${PORT}" 127.0.0.1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (1)"
+kill ${PID}
+wait
+
+# Try whether a client connection to an tls1.3 only server succeeds
+export GNUTLS_SYSTEM_PRIORITY_FILE="${srcdir}/system-override-default-priority-string.only-tls13.config"
+eval "${GETPORT}"
+launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${STOCK_PRIORITY}"
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${STOCK_PRIORITY}"
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
+ fail "expected connection to succeed (1)"
+
+kill ${PID}
+wait
+
+# Check that a bad (empty) default-priority-string results in an built-one being used, when non-strict
+export GNUTLS_SYSTEM_PRIORITY_FILE="${srcdir}/system-override-default-priority-string.bad.config"
+unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
+eval "${GETPORT}"
+launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
+ fail "expected connection to succeed (2)"
+
+kill ${PID}
+wait
+
+exit 0 |
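Review bot: `TMPFILE` is assigned but never used, and `TMPFILE2`, which receives the client log in every case, is never removed, so each run leaves a `log.<pid>.tmp` behind in the test directory; add `rm -f "${TMPFILE2}"` before `exit 0` (and drop `TMPFILE`), or install a trap so the file is also removed when `fail` aborts the script. In the third case `GNUTLS_SYSTEM_PRIORITY_FILE` is not reset to `${STOCK_PRIORITY}` before the client runs, unlike the first two cases, so the client is loading the bad config as well; if that is intentional a comment saying so would help. The comment above that case should read `a built-in one` rather than `an built-one`, and the second case's comment `a TLS 1.3-only server` rather than `an tls1.3 only server`.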