From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 27 Nov 2018 13:24:37 -0500
Subject: [PATCH 2/4] Adjust defaults based on system security level
Also permit arbitrary keylengths.
Disallow keylengths smaller than the configured system minimum.
Resolves: rhbz#1653323
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
config.h.in | 1 -
include/sscg.h | 1 +
meson.build | 10 ++++++--
src/sscg.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++----
4 files changed, 68 insertions(+), 8 deletions(-)
delete mode 100644 config.h.in
diff --git a/config.h.in b/config.h.in
deleted file mode 100644
index 6044a4355f6c8bfac8d36e533f48f395c597e5ac..0000000000000000000000000000000000000000
--- a/config.h.in
+++ /dev/null
@@ -1 +0,0 @@
-#define PACKAGE_VERSION "@version@"
diff --git a/include/sscg.h b/include/sscg.h
index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -137,10 +137,11 @@ struct sscg_options
const char *hostname;
char **subject_alt_names;
/* Encryption requirements */
int key_strength;
+ int minimum_key_strength;
const EVP_MD *hash_fn;
/* Output Files */
char *ca_file;
char *ca_key_file;
diff --git a/meson.build b/meson.build
index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644
--- a/meson.build
+++ b/meson.build
@@ -32,10 +32,11 @@ foreach cflag: test_cflags
endif
endforeach
pkg = import('pkgconfig')
crypto = dependency('libcrypto')
+ssl = dependency('libssl')
path_utils = dependency('path_utils')
talloc = dependency('talloc')
popt = dependency(
'popt',
@@ -47,10 +48,14 @@ if popt.found()
else
popt = subproject('popt').get_variable('libpopt_a')
popt_incdirs = include_directories('subprojects/popt')
endif
+has_get_sec_level = cc.has_function(
+ 'SSL_CTX_get_security_level',
+ dependencies: [ ssl])
+
sscg_lib_srcs = [
'src/authority.c',
'src/bignum.c',
'src/key.c',
'src/service.c',
@@ -68,10 +73,11 @@ sscg_lib_hdrs = [
sscg_lib = static_library(
'sscg',
sources : sscg_lib_srcs,
dependencies : [
crypto,
+ ssl,
talloc,
],
install : false,
pic : true,
)
@@ -133,13 +139,13 @@ init_bignum_test = executable(
install : false,
)
test('init_bignum_test', init_bignum_test)
cdata = configuration_data()
-cdata.set('version', meson.project_version())
+cdata.set_quoted('PACKAGE_VERSION', meson.project_version())
+cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level)
configure_file(
- input : 'config.h.in',
output : 'config.h',
configuration : cdata)
# Generate a manpage from the POPT documentation
help2man = find_program('help2man')
diff --git a/src/sscg.c b/src/sscg.c
index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -15,30 +15,80 @@
along with sscg. If not, see <http://www.gnu.org/licenses/>.
Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>
*/
+#define _GNU_SOURCE
#include <popt.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <talloc.h>
#include <path_utils.h>
#include <unistd.h>
#include <openssl/evp.h>
+#include <openssl/ssl.h>
#include <sys/param.h>
#include "config.h"
#include "include/sscg.h"
#include "include/authority.h"
#include "include/service.h"
+static int
+get_security_level (void)
+{
+#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL
+ SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ());
+ int security_level = SSL_CTX_get_security_level (ssl_ctx);
+ SSL_CTX_free (ssl_ctx);
+ ssl_ctx = NULL;
+ return security_level;
+#else
+ return 0;
+#endif
+}
+
static int
set_default_options (struct sscg_options *opts)
{
+ int security_level = get_security_level ();
+
opts->lifetime = 3650;
- opts->key_strength = 2048;
+
+ /* Select the default key strength based on the system security level
+ * See:
+ * https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
+ * for the specification of the minimums.
+ */
+ switch (security_level)
+ {
+ case 0:
+ case 1:
+ case 2:
+ /* Security level 2 and below permits lower key-strengths, but SSCG
+ * will set a minimum of 2048 bits
+ */
+ opts->key_strength = 2048;
+ break;
+
+ case 3: opts->key_strength = 3072; break;
+
+ case 4: opts->key_strength = 7680; break;
+
+ default:
+ /* Unknown security level. Default to the highest we know about */
+ fprintf (stderr,
+ "Unknown system security level %d. Defaulting to highest-known "
+ "level.\n",
+ security_level);
+ /* Fall through */
+
+ case 5: opts->key_strength = 15360; break;
+ }
+
+ opts->minimum_key_strength = opts->key_strength;
return 0;
}
static void
print_options (struct sscg_options *opts)
@@ -115,10 +165,11 @@ main (int argc, const char **argv)
{
int ret, sret, opt;
size_t i;
poptContext pc;
struct sscg_options *options;
+ char *minimum_key_strength_help = NULL;
char *country = NULL;
char *state = NULL;
char *locality = NULL;
char *organization = NULL;
@@ -170,10 +221,13 @@ main (int argc, const char **argv)
ret = set_default_options (options);
if (ret != EOK)
goto done;
+ minimum_key_strength_help =
+ talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength);
+
options->verbosity = SSCG_DEFAULT;
struct poptOption long_options[] = {
POPT_AUTOHELP{ "quiet",
'q',
POPT_ARG_VAL,
@@ -291,11 +345,11 @@ main (int argc, const char **argv)
'\0',
POPT_ARG_INT | POPT_ARGFLAG_SHOW_DEFAULT,
&options->key_strength,
0,
_ ("Strength of the certificate private keys in bits."),
- _ ("{512,1024,2048,4096}") },
+ minimum_key_strength_help },
{
"hash-alg",
'\0',
POPT_ARG_STRING,
&hash_alg,
@@ -527,15 +581,15 @@ main (int argc, const char **argv)
options->subject_alt_names[i + 1] = NULL;
i++;
}
}
- if (options->key_strength != 512 && options->key_strength != 1024 &&
- options->key_strength != 2048 && options->key_strength != 4096)
+ if (options->key_strength < options->minimum_key_strength)
{
fprintf (stderr,
- "Key strength must be one of {512, 1024, 2048, 4096}.\n");
+ "Key strength must be at least %d bits.\n",
+ options->minimum_key_strength);
ret = EINVAL;
goto done;
}
if (!hash_alg)
--
2.19.1