authorDaiki Ueno <ueno@gnu.org>2021-11-29 14:20:48 +0000
committerDaiki Ueno <ueno@gnu.org>2021-11-29 14:20:48 +0000
commitd8be349fb196d569309f90f5070d7f3958128bce (patch)
tree01e4cc019a6b7520d59499b31226beabeb54f57c /tests
parent155926489c0950e40355523043773a782a8d986a (diff)
parent0ecce7191dfd78387f2994253d37ed1df50d563d (diff)
Merge branch 'wip/dueno/config-allowlisting' into 'master'
priority: support allowlisting in configuration file Closes #1172 See merge request gnutls/gnutls!1427
Diffstat (limited to 'tests')
-rw-r--r--tests/Makefile.am6
-rwxr-xr-xtests/system-override-curves-allowlist.sh113
-rwxr-xr-xtests/system-override-hash-allowlist.sh41
-rwxr-xr-xtests/system-override-sig-allowlist.sh43
-rwxr-xr-xtests/system-override-special-allowlist.sh177
-rwxr-xr-xtests/system-override-versions-allowlist.sh109
6 files changed, 489 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d15595a657..b7fee50488 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -523,6 +523,12 @@ dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
system-override-kx.sh system-override-default-priority-string.sh \
system-override-sig-tls.sh system-override-hash-filters-prf.sh
+
+dist_check_SCRIPTS += system-override-sig-allowlist.sh \
+ system-override-hash-allowlist.sh \
+ system-override-versions-allowlist.sh \
+ system-override-curves-allowlist.sh \
+ system-override-special-allowlist.sh
endif
dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh
diff --git a/tests/system-override-curves-allowlist.sh b/tests/system-override-curves-allowlist.sh
new file mode 100755
index 0000000000..08f3e2ca94
--- /dev/null
+++ b/tests/system-override-curves-allowlist.sh
@@ -0,0 +1,113 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+: ${srcdir=.}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+TMPFILE=config.$$.tmp
+TMPFILE2=log.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+# This test doesn't work in FIPS mode
+if test -n "${GNUTLS_FORCE_FIPS_MODE}" && test "${GNUTLS_FORCE_FIPS_MODE}" != 0; then
+ exit 77
+fi
+
+# We intentionally add stray spaces and tabs to check our parser
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+enabled-curve = secp384r1
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+export GNUTLS_DEBUG_LEVEL=3
+
+"${CLI}" --list|grep ^Groups >${TMPFILE2}
+cat ${TMPFILE2}
+if grep -i "SECP256R1" ${TMPFILE2} || grep -i "SECP521R1" ${TMPFILE2};then
+ echo "Found disabled curve with --list"
+ exit 1
+fi
+
+if ! grep -i "SECP384R1" ${TMPFILE2};then
+ echo "Could not found secp384r1"
+ exit 1
+fi
+
+# Try whether a client connection with a disabled curve will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
+ fail "expected connection to succeed (1)"
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+# Try whether a server connection with a disabled curve will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+exit 0
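Review bot: The comment "We intentionally add stray spaces and tabs to check our parser" above the heredoc is not true of the config that follows — every line is written with single spaces and no tabs — so either the sentence should go or the lines should actually carry the irregular whitespace it promises (e.g. `override-mode =   allowlist` and a tab before `secp384r1`), otherwise a reader assumes the parser is being exercised here when it is not. The script also never removes `config.$$.tmp` and `log.$$.tmp`, unlike the hash and sig scripts in this merge; `rm -f "${TMPFILE}" "${TMPFILE2}"` before the final `exit 0`, ideally via a `trap … EXIT` so failure paths clean up too, would fix that. The second server's negative check reuses the message `(2)`; numbering it `(3)` makes a failure locatable, and "Could not found secp384r1" should read "Could not find secp384r1". Note that both "expected connection to fail" checks pass on any client failure, not specifically a curve rejection; grepping `${TMPFILE2}` for the handshake error would make the negative case meaningful.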
diff --git a/tests/system-override-hash-allowlist.sh b/tests/system-override-hash-allowlist.sh
new file mode 100755
index 0000000000..651a596461
--- /dev/null
+++ b/tests/system-override-hash-allowlist.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${builddir=.}
+TMPFILE=c.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha384
+secure-sig = rsa-pss-sha384
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${builddir}/system-override-hash"
+rc=$?
+rm ${TMPFILE}
+exit $rc
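Review bot: The script has no comment explaining what the allowlist config is meant to leave enabled (only sha384 and rsa-pss-sha384) or that the actual assertions live in the compiled `system-override-hash` program, so a reader of the shell file alone cannot tell what is being tested; a two-line header comment stating that would help, and the same applies to system-override-sig-allowlist.sh, where it would additionally be worth noting that the repeated `secure-hash`/`secure-sig` keys are intended to accumulate rather than override each other. Unlike the curves and versions scripts, neither file guards the binary with `test -x "${builddir}/system-override-hash" || exit 77`; if the binary can be absent in some build configurations this turns a skip into a hard failure with rc 127. The 2019 copyright year on a file new in this 2021 merge looks copied from the non-allowlist variant.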
diff --git a/tests/system-override-sig-allowlist.sh b/tests/system-override-sig-allowlist.sh
new file mode 100755
index 0000000000..70b02f14cb
--- /dev/null
+++ b/tests/system-override-sig-allowlist.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${builddir=.}
+TMPFILE=c.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha256
+secure-sig = rsa-sha256
+secure-hash = sha384
+secure-sig = rsa-pss-sha384
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${builddir}/system-override-sig"
+rc=$?
+rm ${TMPFILE}
+exit $rc
diff --git a/tests/system-override-special-allowlist.sh b/tests/system-override-special-allowlist.sh
new file mode 100755
index 0000000000..47e838e580
--- /dev/null
+++ b/tests/system-override-special-allowlist.sh
@@ -0,0 +1,177 @@
+#!/bin/sh
+
+# Copyright (C) 2021 Red Hat, Inc.
+#
+# Author: Alexander Sosedkin
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${srcdir=.}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+: ${GREP=grep}
+: ${DIFF=diff}
+: ${SED=sed}
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+TMPCFGFILE=cfg.$$.tmp
+TMPREFFILE=ref.$$.tmp
+TMPCMPFILE=cmp.$$.tmp
+TMPOUTFILE=out.$$.tmp
+TMPSPECIAL=spc.$$.tmp
+
+# extract the list of %SPECIALs from the sources
+
+< ${srcdir}/../lib/priority_options.gperf \
+ ${SED} -ne '/\([A-Z_0-9]\{1,\}\), .*/p' | \
+ ${SED} -e 's/\([A-Z_0-9]\{1,\}\), .*/\1/' > "${TMPSPECIAL}"
+
+if ! ${GREP} -Fqx STATELESS_COMPRESSION "${TMPSPECIAL}"; then
+ cat "${TMPSPECIAL}"
+ echo 'source-extracted list of %SPECIALs has no %STATELESS_COMPRESSION'
+ exit 1
+fi
+
+# Set up a configuration file using allowlisting
+# allowing for both TLS 1.2 and TLS 1.3
+# (so that %NO_EXTENSIONS later caps that just TLS 1.2)
+
+cat <<_EOF_ > ${TMPCFGFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = SHA256
+tls-enabled-mac = AEAD
+tls-enabled-group = GROUP-FFDHE3072
+secure-sig = RSA-SHA256
+tls-enabled-cipher = AES-128-GCM
+tls-enabled-kx = RSA
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+_EOF_
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPCFGFILE}"
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+# Smoke --list, @SYSTEM
+
+${CLI} --list -d 4 --priority @SYSTEM &>"${TMPOUTFILE}"
+if test $? != 0; then
+ cat "${TMPOUTFILE}"
+ echo 'fails with just @SYSTEM'
+ exit 1
+fi
+if ! ${GREP} -Fqx 'Protocols: VERS-TLS1.3, VERS-TLS1.2' \
+ "${TMPOUTFILE}"; then
+ cat "${TMPOUTFILE}"
+ echo 'unexpected protocol list with @SYSTEM'
+ exit 1
+fi
+if ! ${GREP} -Fq TLS_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then
+ cat "${TMPOUTFILE}"
+ echo 'no TLS_AES_128_GCM_SHA256 with just @SYSTEM'
+ exit 1
+fi
+if ! ${GREP} -q TLS_RSA_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then
+ cat "${TMPOUTFILE}"
+ echo 'no TLS_RSA_AES_128_GCM_SHA256 with just @SYSTEM'
+ exit 1
+fi
+${SED} 's/for @SYSTEM/for ---PRIORITY---/' "${TMPOUTFILE}" > "${TMPREFFILE}"
+
+# Smoke-test a no-op %STATELESS_COMPRESSION, expect --list to stay the same
+
+${CLI} --list -d 4 --priority @SYSTEM:%STATELESS_COMPRESSION &>"${TMPOUTFILE}"
+if test $? != 0; then
+ cat "${TMPOUTFILE}"
+ echo 'fails with %STATELESS_COMPRESSION'
+ exit 1
+fi
+${SED} 's/for @SYSTEM:%STATELESS_COMPRESSION/for ---PRIORITY---/' \
+ "${TMPOUTFILE}" > "${TMPCMPFILE}"
+if ! ${DIFF} "${TMPCMPFILE}" "${TMPREFFILE}"; then
+ echo '%STATELESS_COMPRESSION has changed the output'
+ exit 1
+fi
+
+# Smoke-test %NONEXISTING_OPTION, expect a syntax error
+
+${CLI} --list -d 4 --priority @SYSTEM:%NONEXISTING_OPTION &>"${TMPOUTFILE}"
+if test $? = 0; then
+ cat "${TMPOUTFILE}"
+ echo 'unknown option was not caught'
+ exit 1
+fi
+if ! ${GREP} -Fq 'Syntax error at: @SYSTEM:%NONEXISTING_OPTION' "${TMPOUTFILE}"
+then
+ cat "${TMPOUTFILE}"
+ echo 'unknown option was not errored upon'
+ exit 1
+fi
+
+# Test impact-less %SPECIALs, expect --list to stay the same
+
+while read special; do
+ if test "$special" = NO_EXTENSIONS; then
+ continue # see below
+ fi
+ prio="@SYSTEM:%$special"
+ ${CLI} --list -d 4 --priority "$prio" &>"${TMPOUTFILE}"
+ if test $? != 0; then
+ cat "${TMPOUTFILE}"
+ echo "fails with $prio"
+ exit 1
+ fi
+ ${SED} "s/for $prio/for ---PRIORITY---/" "${TMPOUTFILE}" \
+ > "${TMPCMPFILE}"
+ if ! ${DIFF} "${TMPCMPFILE}" "${TMPREFFILE}"; then
+ echo "$special has changed the output"
+ exit 1
+ fi
+done < "${TMPSPECIAL}"
+
+# Check that %NO_EXTENSIONS changes the output, capping it to TLS 1.2
+
+${CLI} --list -d 4 --priority @SYSTEM:%NO_EXTENSIONS &>"${TMPOUTFILE}"
+if test $? != 0; then
+ cat "${TMPOUTFILE}"
+ echo 'fails with just @SYSTEM'
+ exit 1
+fi
+if ! ${GREP} -Fqx 'Protocols: VERS-TLS1.2' \
+ "${TMPOUTFILE}"; then
+ cat "${TMPOUTFILE}"
+ echo 'unexpected protocol list with @SYSTEM:%NO_EXTENSIONS'
+ exit 1
+fi
+if ${GREP} -Fq TLS_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then
+ cat "${TMPOUTFILE}"
+ echo 'TLS_AES_128_GCM_SHA256 present with @SYSTEM:%NO_EXTENSIONS'
+ exit 1
+fi
+if ! ${GREP} -q TLS_RSA_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then
+ cat "${TMPOUTFILE}"
+ echo 'no TLS_RSA_AES_128_GCM_SHA256 with @SYSTEM:%NO_EXTENSIONS'
+ exit 1
+fi
+
+rm "${TMPCFGFILE}" "${TMPREFFILE}" "${TMPCMPFILE}" "${TMPOUTFILE}"
+rm "${TMPSPECIAL}"
+
+exit 0
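Review bot: The `&>"${TMPOUTFILE}"` redirections under `#!/bin/sh` (the `${CLI} --list` invocations in the @SYSTEM smoke test, the %STATELESS_COMPRESSION check, the %NONEXISTING_OPTION check, the `while read` loop and the %NO_EXTENSIONS check) are a bashism: a POSIX sh such as dash parses `cmd &>file` as `cmd &` followed by a bare `>file`, so the client runs in the background with its output unredirected, `$?` reflects the empty redirection and the file is truncated, and the subsequent `grep`/`diff` checks operate on an empty file. Each of those lines should use the portable form `>"${TMPOUTFILE}" 2>&1`. The loop's `read special` should be `read -r special` per POSIX, even though the sed extraction limits it to `[A-Z_0-9]`. Temporary files are only removed on the success path at the end; a `trap 'rm -f "${TMPCFGFILE}" "${TMPREFFILE}" "${TMPCMPFILE}" "${TMPOUTFILE}" "${TMPSPECIAL}"' EXIT` after the names are assigned would cover the many `exit 1` branches as well.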
diff --git a/tests/system-override-versions-allowlist.sh b/tests/system-override-versions-allowlist.sh
new file mode 100755
index 0000000000..b708c8c7e4
--- /dev/null
+++ b/tests/system-override-versions-allowlist.sh
@@ -0,0 +1,109 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${srcdir=.}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+TMPFILE=config.$$.tmp
+TMPFILE2=log.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+enabled-version = tls1.1
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+export GNUTLS_DEBUG_LEVEL=3
+
+"${CLI}" --list --priority=@SYSTEM | grep Protocols >${TMPFILE2}
+cat ${TMPFILE2}
+if grep 'VERS-TLS1\.[23]' ${TMPFILE2}; then
+ echo "Found disabled protocol with --list"
+ exit 1
+fi
+
+PRIO=@SYSTEM:+CIPHER-ALL:+MAC-ALL:+GROUP-ALL
+
+"${CLI}" --priority "$PRIO" --list | grep Protocols >${TMPFILE2}
+cat ${TMPFILE2}
+if grep 'VERS-TLS1\.[23]' ${TMPFILE2}; then
+ echo "Found disabled protocol with --list --priority $PRIO"
+ exit 1
+fi
+
+# Try whether a client connection with these protocols will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "$PRIO" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (1)"
+
+kill ${PID}
+wait
+
+# Try whether a server connection with these protocols will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+eval "${GETPORT}"
+launch_server --echo --priority "$PRIO" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+exit 0
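Review bot: Both connection checks are negative assertions (`&& fail "expected connection to fail …"`) with no positive control, so if the server never accepted connections, the credentials failed to load, or the client broke for an unrelated reason, the test still passes; the curves script in this merge avoids that by first confirming a connection succeeds with the config unset. Adding, right after `wait_server ${PID}` and before `GNUTLS_SYSTEM_PRIORITY_FILE` is re-exported, a control such as `"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --insecure --logfile ${TMPFILE2} </dev/null >/dev/null || fail "expected connection to succeed"` would anchor the expectation, and grepping `${TMPFILE2}` for the version-mismatch error would make the failing cases specific. The script also never removes `config.$$.tmp` and `log.$$.tmp`; `rm -f "${TMPFILE}" "${TMPFILE2}"` before `exit 0` (or a `trap … EXIT`) is needed. The second `KEY1=`/`CERT1=` assignments duplicate the earlier ones verbatim and can be dropped.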