[gnutls-devel] GnuTLS | Tests are not ready for allow-rsa-pkcs1-encrypt=false (#1622)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Dec 3 13:00:58 CET 2024 


Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1622



> A new option `allow-rsa-pkcs1-encrypt`
> has been added into the system-wide library configuration which
> allows to enable/disable the RSAES-PKCS1-v1_5. Currently, the
> RSAES-PKCS1-v1_5 is enabled by default.

According to this NEWS entry, there are future plans to flip the option to false by default.
I've tried doing just that with 3.8.8 by flipping the value in lib/priority.c,
and the existing testsuite is not ready for this.

One easy way to work around this is to run the tests with configs that flip the option back on.
For many such tests, this can be attained by a 

``` diff
--- a/tests/system.prio
+++ b/tests/system.prio
@@ -1,3 +1,6 @@
 HELLO1=NORMAL
 HELLO2=NORMAL:+AES-128-CBC
 HELLO3=NONE:+VERS-TLS-ALL:-VERS-SSL3.0:+AEAD:+SHA1:+SHA256:+SHA384:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-GCM:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-GCM:+CAMELLIA-128-CBC:+3DES-CBC:+SIGN-ALL:-SIGN-RSA-MD5:+CURVE-ALL:+COMP-NULL:%PROFILE_LOW
+
+[overrides]
+allow-rsa-pkcs1-encrypt = true
```

but then several other tests that override the config and try to use, say, RSA kex, need to have an `allow-rsa-pkcs1-encrypt = true` slotted into the `[overrides]` of their overriding configs (`gnutls-cli-debug.sh`, `protocol-set-allowlist.sh`, `system-override-allow-rsa-pkcs1-encrypt.sh`).
The list would be even longer when building with full testsuite.

I'm afraid the tests should gradually migrate off using RSA kex, made able to override the option back on, or, at least, expect failures when the library is built with the option defaulting to false. The latter currently doesn't look possible, as there's no API to query neither the compile default nor the current effective value.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1622
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20241203/2e5a7f1a/attachment-0001.html>

More information about the Gnutls-devel mailing list