authorNikos Mavrogiannopoulos <nmav@redhat.com>2019-04-04 16:25:37 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2019-06-20 15:50:44 +0200
commite9366c86ee8434669014fc1544d52e384430072a (patch)
tree036ff1eb760c05691288a198bbbfb8e915f43e20 /tests/system-override-kx.sh
parent90142f2d70018d862cba02067159cad8c7db4239 (diff)
downloadgnutls-e9366c86ee8434669014fc1544d52e384430072a.tar.gz
config: added ability to override and mark algorithms as disabled
This allows the system administrator or the distributor to use the gnutls configuration file to mark hashes, signature algorithms, TLS versions, curves, groups, ciphers, KX, and MAC algorithms as insecure (the last four only in the context of a TLS session). It also allows setting a minimum profile which the applications cannot fall below. The options intentionally do not allow marking algorithms as secure so that the configuration file cannot be used as an attack vector. This change also makes sure that protocols that are unsupported or disabled at compile time (e.g., SSL3.0) do not get listed by gnutls-cli. The configuration file feature can be disabled at compile time with an empty --with-system-priority-file. This patch introduces the function gnutls_get_system_config_file() allowing applications to check whether a configuration file was used. Resolves: #587 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests/system-override-kx.sh')
-rwxr-xr-xtests/system-override-kx.sh104
1 files changed, 104 insertions, 0 deletions
diff --git a/tests/system-override-kx.sh b/tests/system-override-kx.sh
new file mode 100755
index 0000000000..cd318a1650
--- /dev/null
+++ b/tests/system-override-kx.sh
@@ -0,0 +1,104 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+TMPFILE=config.$$.tmp
+TMPFILE2=log.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+# We intentionally add stray spaces and tabs to check our parser
+cat <<_EOF_ > ${TMPFILE}
+[overrides]
+
+tls-disabled-kx = dhe-dss
+tls-disabled-kx = dhe-rsa
+tls-disabled-kx = unknown
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+export GNUTLS_DEBUG_LEVEL=3
+
+# Try whether a client connection with a disabled KX algorithm will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+eval "${GETPORT}"
+launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-KX-ALL:+DHE-RSA --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
+ fail "expected connection to succeed (1)"
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-KX-ALL:+DHE-RSA --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+# test whether the unknown KX will be caught
+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to succeed (3)"
+
+unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
+
+kill ${PID}
+wait
+
+# Try whether a server connection with a disabled KX will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+eval "${GETPORT}"
+launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-KX-ALL:+DHE-RSA" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+exit 0
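Review bot: `export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1` at the top of the script (before the first client run) means checks (1) and (2) already run with strict config validation, so the re-export before check (3) and the `unset` after it are no-ops; if that variable makes the library reject a file containing the `tls-disabled-kx = unknown` line, check (2) fails because of the invalid entry rather than because DHE-RSA is disabled, and the override is not actually exercised, so the early export should be dropped and only set around check (3). The failure message for check (3) is inverted: `cmd && fail "..."` only fires when the client succeeds, so it should read `fail "expected connection to fail (3)"`; the last check also reuses the "(2)" label and should be "(4)" so a failing run can be located. The script writes `${TMPFILE}` and `${TMPFILE2}` in the working directory but never removes them; add `rm -f "${TMPFILE}" "${TMPFILE2}"` before `exit 0` (or a `trap` on EXIT, if `common.sh` does not already provide one). The unquoted `${TMPFILE}`, `${KEY1}` and `${CERT1}` expansions in the heredoc redirection and `launch_server` lines would break on a `srcdir` containing spaces; quoting them is a one-token change per line.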