Adjust defaults based on system security level

Also permit arbitrary keylengths. Disallow keylengths smaller than the configured system minimum. Resolves: rhbz#1653323 Signed-off-by: Stephen Gallagher <[email protected]>
sgallagher · Nov 27, 2018 · 7c0cf3a · 7c0cf3a
1 parent 216e64f
commit 7c0cf3a
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 8 deletions.
diff --git a/config.h.in b/config.h.in
diff --git a/include/sscg.h b/include/sscg.h
@@ -139,6 +139,7 @@ struct sscg_options
 
   /* Encryption requirements */
   int key_strength;
+  int minimum_key_strength;
   const EVP_MD *hash_fn;
 
   /* Output Files */

diff --git a/meson.build b/meson.build
@@ -34,6 +34,7 @@ endforeach
 
 pkg = import('pkgconfig')
 crypto = dependency('libcrypto')
+ssl = dependency('libssl')
 path_utils = dependency('path_utils')
 talloc = dependency('talloc')
 
@@ -49,6 +50,10 @@ else
     popt_incdirs = include_directories('subprojects/popt')
 endif
 
+has_get_sec_level = cc.has_function(
+    'SSL_CTX_get_security_level',
+    dependencies: [ ssl])
+
 sscg_bin_srcs = [
     'src/sscg.c',
 ]
@@ -74,6 +79,7 @@ sscg_lib = static_library(
     sources : sscg_lib_srcs,
     dependencies : [
         crypto,
+        ssl,
         talloc,
     ],
     install : false,
@@ -145,9 +151,9 @@ init_bignum_test = executable(
 test('init_bignum_test', init_bignum_test)
 
 cdata = configuration_data()
-cdata.set('version', meson.project_version())
+cdata.set_quoted('PACKAGE_VERSION', meson.project_version())
+cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level)
 configure_file(
-    input : 'config.h.in',
     output : 'config.h',
     configuration : cdata)
 

diff --git a/src/sscg.c b/src/sscg.c
@@ -17,6 +17,7 @@
     Copyright 2017 by Stephen Gallagher <[email protected]>
 */
 
+#define _GNU_SOURCE
 #include <popt.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -25,18 +26,67 @@
 #include <path_utils.h>
 #include <unistd.h>
 #include <openssl/evp.h>
+#include <openssl/ssl.h>
 #include <sys/param.h>
 
 #include "config.h"
 #include "include/sscg.h"
 #include "include/authority.h"
 #include "include/service.h"
 
+static int
+get_security_level (void)
+{
+#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL
+  SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ());
+  int security_level = SSL_CTX_get_security_level (ssl_ctx);
+  SSL_CTX_free (ssl_ctx);
+  ssl_ctx = NULL;
+  return security_level;
+#else
+  return 0;
+#endif
+}
+
 static int
 set_default_options (struct sscg_options *opts)
 {
+  int security_level = get_security_level ();
+
   opts->lifetime = 3650;
-  opts->key_strength = 2048;
+
+  /* Select the default key strength based on the system security level
+   * See:
+   * https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
+   * for the specification of the minimums.
+   */
+  switch (security_level)
+    {
+    case 0:
+    case 1:
+    case 2:
+      /* Security level 2 and below permits lower key-strengths, but SSCG
+       * will set a minimum of 2048 bits
+       */
+      opts->key_strength = 2048;
+      break;
+
+    case 3: opts->key_strength = 3072; break;
+
+    case 4: opts->key_strength = 7680; break;
+
+    default:
+      /* Unknown security level. Default to the highest we know about */
+      fprintf (stderr,
+               "Unknown system security level %d. Defaulting to highest-known "
+               "level.\n",
+               security_level);
+      /* Fall through */
+
+    case 5: opts->key_strength = 15360; break;
+    }
+
+  opts->minimum_key_strength = opts->key_strength;
   return 0;
 }
 
@@ -117,6 +167,7 @@ main (int argc, const char **argv)
   size_t i;
   poptContext pc;
   struct sscg_options *options;
+  char *minimum_key_strength_help = NULL;
 
   char *country = NULL;
   char *state = NULL;
@@ -172,6 +223,9 @@ main (int argc, const char **argv)
   if (ret != EOK)
     goto done;
 
+  minimum_key_strength_help =
+    talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength);
+
   options->verbosity = SSCG_DEFAULT;
   struct poptOption long_options[] = {
     POPT_AUTOHELP { "quiet",
@@ -293,7 +347,7 @@ main (int argc, const char **argv)
       &options->key_strength,
       0,
       _ ("Strength of the certificate private keys in bits."),
-      _ ("{512,1024,2048,4096}") },
+      minimum_key_strength_help },
     {
       "hash-alg",
       '\0',
@@ -529,11 +583,11 @@ main (int argc, const char **argv)
         }
     }
 
-  if (options->key_strength != 512 && options->key_strength != 1024 &&
-      options->key_strength != 2048 && options->key_strength != 4096)
+  if (options->key_strength < options->minimum_key_strength)
     {
       fprintf (stderr,
-               "Key strength must be one of {512, 1024, 2048, 4096}.\n");
+               "Key strength must be at least %d bits.\n",
+               options->minimum_key_strength);
       ret = EINVAL;
       goto done;
     }