From 7c0cf3a3fd65d9e5fefb7c7c045da647b61a31b5 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 27 Nov 2018 13:24:37 -0500 Subject: [PATCH] Adjust defaults based on system security level Also permit arbitrary keylengths. Disallow keylengths smaller than the configured system minimum. Resolves: rhbz#1653323 Signed-off-by: Stephen Gallagher --- config.h.in | 1 - include/sscg.h | 1 + meson.build | 10 ++++++-- src/sscg.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++---- 4 files changed, 68 insertions(+), 8 deletions(-) delete mode 100644 config.h.in diff --git a/config.h.in b/config.h.in deleted file mode 100644 index 6044a43..0000000 --- a/config.h.in +++ /dev/null @@ -1 +0,0 @@ -#define PACKAGE_VERSION "@version@" diff --git a/include/sscg.h b/include/sscg.h index 2bd42bb..3e97cfe 100644 --- a/include/sscg.h +++ b/include/sscg.h @@ -139,6 +139,7 @@ struct sscg_options /* Encryption requirements */ int key_strength; + int minimum_key_strength; const EVP_MD *hash_fn; /* Output Files */ diff --git a/meson.build b/meson.build index 8a2daa6..c30fc69 100644 --- a/meson.build +++ b/meson.build @@ -34,6 +34,7 @@ endforeach pkg = import('pkgconfig') crypto = dependency('libcrypto') +ssl = dependency('libssl') path_utils = dependency('path_utils') talloc = dependency('talloc') @@ -49,6 +50,10 @@ else popt_incdirs = include_directories('subprojects/popt') endif +has_get_sec_level = cc.has_function( + 'SSL_CTX_get_security_level', + dependencies: [ ssl]) + sscg_bin_srcs = [ 'src/sscg.c', ] @@ -74,6 +79,7 @@ sscg_lib = static_library( sources : sscg_lib_srcs, dependencies : [ crypto, + ssl, talloc, ], install : false, @@ -145,9 +151,9 @@ init_bignum_test = executable( test('init_bignum_test', init_bignum_test) cdata = configuration_data() -cdata.set('version', meson.project_version()) +cdata.set_quoted('PACKAGE_VERSION', meson.project_version()) +cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level) configure_file( - input : 'config.h.in', output : 'config.h', configuration : cdata) diff --git a/src/sscg.c b/src/sscg.c index 115617e..beec8ec 100644 --- a/src/sscg.c +++ b/src/sscg.c @@ -17,6 +17,7 @@ Copyright 2017 by Stephen Gallagher */ +#define _GNU_SOURCE #include #include #include @@ -25,6 +26,7 @@ #include #include #include +#include #include #include "config.h" @@ -32,11 +34,59 @@ #include "include/authority.h" #include "include/service.h" +static int +get_security_level (void) +{ +#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL + SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ()); + int security_level = SSL_CTX_get_security_level (ssl_ctx); + SSL_CTX_free (ssl_ctx); + ssl_ctx = NULL; + return security_level; +#else + return 0; +#endif +} + static int set_default_options (struct sscg_options *opts) { + int security_level = get_security_level (); + opts->lifetime = 3650; - opts->key_strength = 2048; + + /* Select the default key strength based on the system security level + * See: + * https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html + * for the specification of the minimums. + */ + switch (security_level) + { + case 0: + case 1: + case 2: + /* Security level 2 and below permits lower key-strengths, but SSCG + * will set a minimum of 2048 bits + */ + opts->key_strength = 2048; + break; + + case 3: opts->key_strength = 3072; break; + + case 4: opts->key_strength = 7680; break; + + default: + /* Unknown security level. Default to the highest we know about */ + fprintf (stderr, + "Unknown system security level %d. Defaulting to highest-known " + "level.\n", + security_level); + /* Fall through */ + + case 5: opts->key_strength = 15360; break; + } + + opts->minimum_key_strength = opts->key_strength; return 0; } @@ -117,6 +167,7 @@ main (int argc, const char **argv) size_t i; poptContext pc; struct sscg_options *options; + char *minimum_key_strength_help = NULL; char *country = NULL; char *state = NULL; @@ -172,6 +223,9 @@ main (int argc, const char **argv) if (ret != EOK) goto done; + minimum_key_strength_help = + talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength); + options->verbosity = SSCG_DEFAULT; struct poptOption long_options[] = { POPT_AUTOHELP { "quiet", @@ -293,7 +347,7 @@ main (int argc, const char **argv) &options->key_strength, 0, _ ("Strength of the certificate private keys in bits."), - _ ("{512,1024,2048,4096}") }, + minimum_key_strength_help }, { "hash-alg", '\0', @@ -529,11 +583,11 @@ main (int argc, const char **argv) } } - if (options->key_strength != 512 && options->key_strength != 1024 && - options->key_strength != 2048 && options->key_strength != 4096) + if (options->key_strength < options->minimum_key_strength) { fprintf (stderr, - "Key strength must be one of {512, 1024, 2048, 4096}.\n"); + "Key strength must be at least %d bits.\n", + options->minimum_key_strength); ret = EINVAL; goto done; }