Hello.
Matt Caswell wrote in
<[email protected]>:
|On 09/01/2021 23:24, Steffen Nurpmeso wrote:
|> Hello.
|>
|> I do use the SSL_CONF_cmd() (and modules) possibility if it exists,
|> since it allows users to simply use the features of the newest
|> OpenSSL library without any code changes on my side.
|> This is great, and I think I applauded in the past.
|>
|> I discovered security_level(), needless to say I thought
|> @SECLEVEL= of ciphers(1) was broken until I discovered -s is
|> required to make it functional (..and do not get me started on
|> -ciphersuites..).
|>
|> Wouldn't it make sense to offer SecurityLevel as a keyword for
|> SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since
|> it seems (from the manual) to extend to more than what i would
|> assume to be covered by a @SECLEVEL member of CipherString aka
|> ..Ciphersuites...?
|
|This is probably a good idea. I'd support it if someone wanted to add that.
Please find a simple add-on attached; it could be it ("having no
idea of the codebase"..). It compiles, but when linking against
678cae0295e3f (master from today) plus the patch I get errors:
In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected declaration
specifiers or '...' before 'ossl_check_const_GENERAL_NAME_sk_type'
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before
'*' token
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before
'OPENSSL_sk_value'
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
In file included from
/home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/crypto.h:35,
from /home/steffen/src/nail.git/src/mx/xtls.c:53:
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected identifier or
'(' before 'struct'
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before
'OPENSSL_sk_new'
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
/home/steffen/src/nail.git/src/mx/xtls.c:402:1: error: macro
"sk_GENERAL_NAME_new_null" passed 1 arguments, but takes just 0
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^ ~~~~~~~~~~~~~~~~~~~~~
In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
/home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/x509v3.h:225:
note: macro "sk_GENERAL_NAME_new_null" defined here
225 | #define sk_GENERAL_NAME_new_null() ((STACK_OF(GENERAL_NAME)
*)OPENSSL_sk_new_null())
|
I have not tested OpenSSL 3.0 for a while, but it was clean when
I tried it last; my last commit was "Be truly
OPENSSL_NO_DEPRECATED_3_0 clean" on 2020-07-19. I used
./config --prefix=/home/steffen/usr-kent-linux-x86_64/opt/.ossl3 \
zlib-dynamic shared no-deprecated no-async threads no-tests \
-Wl,-rpath,'$(LIBRPATH)'
on a current glibc Linux (CRUX-Linux 3.6).
Ciao from Germany,
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
From ab46866fa6b5c13ff26795871b41e3980b963f77 Mon Sep 17 00:00:00 2001
Message-Id: <ab46866fa6b5c13ff26795871b41e3980b963f77.1610403428.git.stef...@sdaoden.eu>
From: Steffen Nurpmeso <[email protected]>
Date: Mon, 11 Jan 2021 22:47:36 +0100
Subject: [PATCH] SSL_CONF_cmd: add SecurityLevel/security_level for
SSL_CTX_set_security_level(3)
---
doc/man3/SSL_CONF_cmd.pod | 28 ++++++++++++++++++++++++++++
ssl/ssl_conf.c | 20 ++++++++++++++++++++
2 files changed, 48 insertions(+)
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 97ebff047f..161feedc3a 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -190,6 +190,20 @@ for DTLS.
To restrict the supported protocol versions use these commands rather than the
deprecated alternative commands below.
+=item B<-security_level> I<level>
+
+Set the enforced security level.
+Currently supported values are in between B<0> (lowest) and B<5> (highest).
+The security framework disables or reject parameters inconsistent with the
+set security level.
+The bits of security limits affect all relevant parameters including cipher
+suite encryption algorithms, supported ECC curves, supported signature
+algorithms, DH parameter sizes, certificate key sizes and signature
+algorithms. This limit applies no matter what other custom settings an
+application has set: so if the cipher suite is set to ALL then only cipher
+suites consistent with the security level are permissible.
+See L<SSL_CTX_set_security_level(3)> for more information.
+
=item B<-record_padding> I<padding>
Attempts to pad TLSv1.3 records so that they are a multiple of B<padding>
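Review bot: the documented range in this hunk ("Currently supported values are in between B<0> (lowest) and B<5> (highest)") does not match what cmd_SecurityLevel() in the ssl/ssl_conf.c hunk enforces, which is only level >= 0; either enforce the upper bound in the code or document that values above 5 are passed to the setter unchanged. Two wording fixes in the same paragraph: "in between B<0> ... and B<5>" should read "between B<0> ... and B<5>", and "The security framework disables or reject parameters" should read "disables or rejects". It would also help a reader to state what the level is before this command is used, since the text only says what the limit affects, not what changes when it is set.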
@@ -524,6 +538,20 @@ B<CANames>: use CA names extension, enabled by
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
+=item B<SecurityLevel>
+
+Set the enforced security level.
+Currently supported values are in between B<0> (lowest) and B<5> (highest).
+The security framework disables or reject parameters inconsistent with the
+set security level.
+The bits of security limits affect all relevant parameters including cipher
+suite encryption algorithms, supported ECC curves, supported signature
+algorithms, DH parameter sizes, certificate key sizes and signature
+algorithms. This limit applies no matter what other custom settings an
+application has set: so if the cipher suite is set to ALL then only cipher
+suites consistent with the security level are permissible.
+See L<SSL_CTX_set_security_level(3)> for more information.
+
=item B<VerifyMode>
The B<value> argument is a comma separated list of flags to set.
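Review bot: this hunk repeats the -security_level paragraph verbatim, including the same "in between" and "disables or reject" slips, so both copies will need to be kept in sync; a one-line description of B<SecurityLevel> plus a pointer to the B<-security_level> entry above (or to L<SSL_CTX_set_security_level(3)> alone) would be easier to maintain. The neighbouring entries in this section, for example B<VerifyMode> immediately below, describe the B<value> argument; add a sentence such as "The B<value> argument is a non-negative integer." so the accepted syntax is stated, not just its effect.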
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 2e8240c73b..014124fc53 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -368,6 +368,25 @@ static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value)
return min_max_proto(cctx, value, cctx->max_version);
}
+static int cmd_SecurityLevel(SSL_CONF_CTX *cctx, const char *value)
+{
+ int level = atoi(value);
+
+ /*
+ * All we care about is a non-negative value,
+ * range is cramped by the checks as necessary
+ */
+ if (level >= 0) {
+ if (cctx->ctx)
+ SSL_CTX_set_security_level(cctx->ctx, level);
+ if (cctx->ssl)
+ SSL_set_security_level(cctx->ssl, level);
+ level = 1;
+ } else
+ level = 0;
+ return level;
+}
+
static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
{
static const ssl_flag_tbl ssl_option_list[] = {
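Review bot: atoi(value) in cmd_SecurityLevel() returns 0 for non-numeric input such as "abc" or an empty string, and 0 passes the level >= 0 test, so a typo in a config file silently selects the lowest security level instead of being reported; for this option that is the wrong failure direction. Parse with strtol() and an end-pointer check, returning 0 when *end != '\0' or the string is empty, and reject values above the 5 the documentation promises: the comment "range is cramped by the checks as necessary" is misleading because no check other than level >= 0 appears in this function, so any larger value reaches SSL_CTX_set_security_level()/SSL_set_security_level() as-is. Minor: reusing "level" as the return value ("level = 1; ... else level = 0; return level;") reads oddly; a separate rv variable, as in the surrounding cmd_* functions, would be clearer.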
@@ -709,6 +728,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD_STRING(Protocol, NULL, 0),
SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0),
SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0),
+ SSL_CONF_CMD_STRING(SecurityLevel, "security_level", 0),
SSL_CONF_CMD_STRING(Options, NULL, 0),
SSL_CONF_CMD_STRING(VerifyMode, NULL, 0),
SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE,
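Review bot: the table entry itself is fine (placed after MaxProtocol, with the same 0 flag as MinProtocol/MaxProtocol so it applies to both client and server contexts), but the diffstat shows only doc/man3/SSL_CONF_cmd.pod and ssl/ssl_conf.c changing; a new SSL_CONF keyword should come with a test that feeds "SecurityLevel" through SSL_CONF_cmd() for both an SSL_CTX and an SSL and checks the resulting level, and with a CHANGES entry, since this becomes part of the documented configuration surface.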
--
2.30.0
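The value parsing in the cmd_SecurityLevel() hunk is the point most worth a second look, so here is an added example (not code from the patch, from OpenSSL, or from the poster) that puts a strict parser next to the atoi() behaviour the hunk relies on. The names parse_security_level(), strict_level(), lenient_level() and SECLEVEL_MAX, and the sample inputs, are assumptions made for this illustration; the 0..5 bound is taken from the patch's own documentation text.

```c
/*
 * Added example, not part of the patch or of OpenSSL: a strict parser for a
 * SecurityLevel value, next to the atoi() behaviour the patch relies on.
 * parse_security_level(), strict_level(), lenient_level() and SECLEVEL_MAX
 * are names assumed for this illustration only.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound taken from the patch's documentation ("between 0 and 5"). */
#define SECLEVEL_MAX 5

/*
 * Parse a decimal security level into *out.
 * Returns 1 on success, 0 on NULL/empty input, leading whitespace, an
 * explicit sign, trailing garbage, overflow, or a value outside
 * 0..SECLEVEL_MAX.
 */
int parse_security_level(const char *value, int *out)
{
    char *end;
    long v;

    if (value == NULL || *value == '\0')
        return 0;
    /* strtol() would silently skip whitespace and accept a sign; refuse both. */
    if (isspace((unsigned char)*value) || *value == '+' || *value == '-')
        return 0;
    errno = 0;
    v = strtol(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return 0;
    if (v < 0 || v > SECLEVEL_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Convenience wrapper: the level on success, -1 when the value is rejected. */
int strict_level(const char *value)
{
    int level;
    return parse_security_level(value, &level) ? level : -1;
}

/*
 * What the patch's cmd_SecurityLevel() effectively does: atoi() yields 0 for
 * non-numeric text and the only check is level >= 0, so "abc" or "" become
 * level 0 and anything above SECLEVEL_MAX is let through.  Returns -1 only
 * for negative input.
 */
int lenient_level(const char *value)
{
    int level = atoi(value);
    return level >= 0 ? level : -1;
}

int main(void)
{
    /* Constructed sample values a config file might carry, typos included. */
    static const char *const inputs[] = {
        "0", "3", "5", "6", "-1", "", "abc", "2x", " 2", "+2"
    };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-5s strict=%2d lenient=%2d\n", inputs[i],
               strict_level(inputs[i]), lenient_level(inputs[i]));
    return 0;
}
```

Running it shows the asymmetry the review note is about: "abc", "" and " 2" are rejected by the strict parser but come back as level 0 or 2 from the atoi() path, and "6" is rejected by the strict parser but accepted by the lenient one. In the real ssl_conf.c the strict variant would return 0 from the command handler so that SSL_CONF_cmd() reports the bad value instead of lowering the security level.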