Merge pull request #8 from sgallagher/crypto-policies
Adjust defaults based on system security level
sgallagher authored Nov 27, 2018
2 parents 216e64f + 7c0cf3a commit 77d3afa
Showing 4 changed files with 68 additions and 8 deletions.
1 change: 0 additions & 1 deletion config.h.in

This file was deleted.

1 change: 1 addition & 0 deletions include/sscg.h
@@ -139,6 +139,7 @@ struct sscg_options

/* Encryption requirements */
int key_strength;
int minimum_key_strength;
const EVP_MD *hash_fn;

/* Output Files */
10 changes: 8 additions & 2 deletions meson.build
@@ -34,6 +34,7 @@ endforeach

pkg = import('pkgconfig')
crypto = dependency('libcrypto')
ssl = dependency('libssl')
path_utils = dependency('path_utils')
talloc = dependency('talloc')

@@ -49,6 +50,10 @@ else
popt_incdirs = include_directories('subprojects/popt')
endif

has_get_sec_level = cc.has_function(
'SSL_CTX_get_security_level',
dependencies: [ ssl])

sscg_bin_srcs = [
'src/sscg.c',
]
@@ -74,6 +79,7 @@ sscg_lib = static_library(
sources : sscg_lib_srcs,
dependencies : [
crypto,
ssl,
talloc,
],
install : false,
@@ -145,9 +151,9 @@ init_bignum_test = executable(
test('init_bignum_test', init_bignum_test)

cdata = configuration_data()
cdata.set('version', meson.project_version())
cdata.set_quoted('PACKAGE_VERSION', meson.project_version())
cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level)
configure_file(
input : 'config.h.in',
output : 'config.h',
configuration : cdata)

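Review bot: A failed `cc.has_function('SSL_CTX_get_security_level', ...)` probe is easy to miss, because its only trace is meson's routine check line, and the `#else` branch in src/sscg.c then reports level 0. A binary built against a libssl without that function would therefore not follow the system security level, yet would look the same as one that does. Consider surfacing this at configure time, for example `if not has_get_sec_level` / `warning('SSL_CTX_get_security_level not found; system security level will be ignored')` / `endif`. A one-line comment above the probe noting that libssl is linked only to read the default security level would also help the next maintainer.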
64 changes: 59 additions & 5 deletions src/sscg.c
@@ -17,6 +17,7 @@
Copyright 2017 by Stephen Gallagher <[email protected]>
*/

#define _GNU_SOURCE
#include <popt.h>
#include <stdlib.h>
#include <stdio.h>
@@ -25,18 +26,67 @@
#include <path_utils.h>
#include <unistd.h>
#include <openssl/evp.h>
#include <openssl/ssl.h>
#include <sys/param.h>

#include "config.h"
#include "include/sscg.h"
#include "include/authority.h"
#include "include/service.h"

static int
get_security_level (void)
{
#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL
SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ());
int security_level = SSL_CTX_get_security_level (ssl_ctx);
SSL_CTX_free (ssl_ctx);
ssl_ctx = NULL;
return security_level;
#else
return 0;
#endif
}

static int
set_default_options (struct sscg_options *opts)
{
int security_level = get_security_level ();

opts->lifetime = 3650;
opts->key_strength = 2048;

/* Select the default key strength based on the system security level
* See:
* https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
* for the specification of the minimums.
*/
switch (security_level)
{
case 0:
case 1:
case 2:
/* Security level 2 and below permits lower key-strengths, but SSCG
* will set a minimum of 2048 bits
*/
opts->key_strength = 2048;
break;

case 3: opts->key_strength = 3072; break;

case 4: opts->key_strength = 7680; break;

default:
/* Unknown security level. Default to the highest we know about */
fprintf (stderr,
"Unknown system security level %d. Defaulting to highest-known "
"level.\n",
security_level);
/* Fall through */

case 5: opts->key_strength = 15360; break;
}

opts->minimum_key_strength = opts->key_strength;
return 0;
}

@@ -117,6 +167,7 @@ main (int argc, const char **argv)
size_t i;
poptContext pc;
struct sscg_options *options;
char *minimum_key_strength_help = NULL;

char *country = NULL;
char *state = NULL;
@@ -172,6 +223,9 @@ main (int argc, const char **argv)
if (ret != EOK)
goto done;

minimum_key_strength_help =
talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength);

options->verbosity = SSCG_DEFAULT;
struct poptOption long_options[] = {
POPT_AUTOHELP { "quiet",
@@ -293,7 +347,7 @@ main (int argc, const char **argv)
&options->key_strength,
0,
_ ("Strength of the certificate private keys in bits."),
_ ("{512,1024,2048,4096}") },
minimum_key_strength_help },
{
"hash-alg",
'\0',
@@ -529,11 +583,11 @@ main (int argc, const char **argv)
}
}

if (options->key_strength != 512 && options->key_strength != 1024 &&
options->key_strength != 2048 && options->key_strength != 4096)
if (options->key_strength < options->minimum_key_strength)
{
fprintf (stderr,
"Key strength must be one of {512, 1024, 2048, 4096}.\n");
"Key strength must be at least %d bits.\n",
options->minimum_key_strength);
ret = EINVAL;
goto done;
}
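Review bot: In `get_security_level`, the pointer returned by `SSL_CTX_new (TLS_method ())` goes straight into `SSL_CTX_get_security_level` with no NULL check, so an allocation or library-initialisation failure would most likely become a NULL dereference before any option is parsed. Adding `if (ssl_ctx == NULL) return -1;` right after the allocation fails closed: a negative value lands in the `default:` branch of the switch in `set_default_options`, which prints the warning and picks the strictest key size rather than the level-0 minimum. A short comment on that early return saying that -1 means "level could not be queried" would keep the "Unknown system security level" message understandable. Separately, the rewritten range check in `main` (only partly visible here) has a lower bound only, whereas the old fixed list capped the value at 4096; it is worth deciding deliberately whether an upper bound is still wanted.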
