sscg/SOURCES/0002-Adjust-defaults-based-on-system-security-level.patch

From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 27 Nov 2018 13:24:37 -0500
Subject: [PATCH 2/4] Adjust defaults based on system security level

Also permit arbitrary keylengths.

Disallow keylengths smaller than the configured system minimum.

Resolves: rhbz#1653323

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
 config.h.in    |  1 -
 include/sscg.h |  1 +
 meson.build    | 10 ++++++--
 src/sscg.c     | 64 ++++++++++++++++++++++++++++++++++++++++++++++----
 4 files changed, 68 insertions(+), 8 deletions(-)
 delete mode 100644 config.h.in

diff --git a/config.h.in b/config.h.in
deleted file mode 100644
index 6044a4355f6c8bfac8d36e533f48f395c597e5ac..0000000000000000000000000000000000000000
--- a/config.h.in
+++ /dev/null
@@ -1 +0,0 @@
-#define PACKAGE_VERSION "@version@"
diff --git a/include/sscg.h b/include/sscg.h
index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -137,10 +137,11 @@ struct sscg_options
   const char *hostname;
   char **subject_alt_names;
 
   /* Encryption requirements */
   int key_strength;
+  int minimum_key_strength;
   const EVP_MD *hash_fn;
 
   /* Output Files */
   char *ca_file;
   char *ca_key_file;
diff --git a/meson.build b/meson.build
index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644
--- a/meson.build
+++ b/meson.build
@@ -32,10 +32,11 @@ foreach cflag: test_cflags
   endif
 endforeach
 
 pkg = import('pkgconfig')
 crypto = dependency('libcrypto')
+ssl = dependency('libssl')
 path_utils = dependency('path_utils')
 talloc = dependency('talloc')
 
 popt = dependency(
     'popt',
@@ -47,10 +48,14 @@ if popt.found()
 else
     popt = subproject('popt').get_variable('libpopt_a')
     popt_incdirs = include_directories('subprojects/popt')
 endif
 
+has_get_sec_level = cc.has_function(
+    'SSL_CTX_get_security_level',
+    dependencies: [ ssl])
+
 sscg_lib_srcs = [
     'src/authority.c',
     'src/bignum.c',
     'src/key.c',
     'src/service.c',
@@ -68,10 +73,11 @@ sscg_lib_hdrs = [
 sscg_lib = static_library(
     'sscg',
     sources : sscg_lib_srcs,
     dependencies : [
         crypto,
+        ssl,
         talloc,
     ],
     install : false,
     pic : true,
 )
@@ -133,13 +139,13 @@ init_bignum_test = executable(
     install : false,
 )
 test('init_bignum_test', init_bignum_test)
 
 cdata = configuration_data()
-cdata.set('version', meson.project_version())
+cdata.set_quoted('PACKAGE_VERSION', meson.project_version())
+cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level)
 configure_file(
-    input : 'config.h.in',
     output : 'config.h',
     configuration : cdata)
 
 # Generate a manpage from the POPT documentation
 help2man = find_program('help2man')
diff --git a/src/sscg.c b/src/sscg.c
index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -15,30 +15,80 @@
     along with sscg.  If not, see <http://www.gnu.org/licenses/>.
 
     Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>
 */
 
+#define _GNU_SOURCE
 #include <popt.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 #include <talloc.h>
 #include <path_utils.h>
 #include <unistd.h>
 #include <openssl/evp.h>
+#include <openssl/ssl.h>
 #include <sys/param.h>
 
 #include "config.h"
 #include "include/sscg.h"
 #include "include/authority.h"
 #include "include/service.h"
 
+static int
+get_security_level (void)
+{
+#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL
+  SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ());
+  int security_level = SSL_CTX_get_security_level (ssl_ctx);
+  SSL_CTX_free (ssl_ctx);
+  ssl_ctx = NULL;
+  return security_level;
+#else
+  return 0;
+#endif
+}
+
 static int
 set_default_options (struct sscg_options *opts)
 {
+  int security_level = get_security_level ();
+
   opts->lifetime = 3650;
-  opts->key_strength = 2048;
+
+  /* Select the default key strength based on the system security level
+   * See:
+   * https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
+   * for the specification of the minimums.
+   */
+  switch (security_level)
+    {
+    case 0:
+    case 1:
+    case 2:
+      /* Security level 2 and below permits lower key-strengths, but SSCG
+       * will set a minimum of 2048 bits
+       */
+      opts->key_strength = 2048;
+      break;
+
+    case 3: opts->key_strength = 3072; break;
+
+    case 4: opts->key_strength = 7680; break;
+
+    default:
+      /* Unknown security level. Default to the highest we know about */
+      fprintf (stderr,
+               "Unknown system security level %d. Defaulting to highest-known "
+               "level.\n",
+               security_level);
+      /* Fall through */
+
+    case 5: opts->key_strength = 15360; break;
+    }
+
+  opts->minimum_key_strength = opts->key_strength;
   return 0;
 }
 
 static void
 print_options (struct sscg_options *opts)
@@ -115,10 +165,11 @@ main (int argc, const char **argv)
 {
   int ret, sret, opt;
   size_t i;
   poptContext pc;
   struct sscg_options *options;
+  char *minimum_key_strength_help = NULL;
 
   char *country = NULL;
   char *state = NULL;
   char *locality = NULL;
   char *organization = NULL;
@@ -170,10 +221,13 @@ main (int argc, const char **argv)
 
   ret = set_default_options (options);
   if (ret != EOK)
     goto done;
 
+  minimum_key_strength_help =
+    talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength);
+
   options->verbosity = SSCG_DEFAULT;
   struct poptOption long_options[] = {
     POPT_AUTOHELP{ "quiet",
                    'q',
                    POPT_ARG_VAL,
@@ -291,11 +345,11 @@ main (int argc, const char **argv)
       '\0',
       POPT_ARG_INT | POPT_ARGFLAG_SHOW_DEFAULT,
       &options->key_strength,
       0,
       _ ("Strength of the certificate private keys in bits."),
-      _ ("{512,1024,2048,4096}") },
+      minimum_key_strength_help },
     {
       "hash-alg",
       '\0',
       POPT_ARG_STRING,
       &hash_alg,
@@ -527,15 +581,15 @@ main (int argc, const char **argv)
           options->subject_alt_names[i + 1] = NULL;
           i++;
         }
     }
 
-  if (options->key_strength != 512 && options->key_strength != 1024 &&
-      options->key_strength != 2048 && options->key_strength != 4096)
+  if (options->key_strength < options->minimum_key_strength)
     {
       fprintf (stderr,
-               "Key strength must be one of {512, 1024, 2048, 4096}.\n");
+               "Key strength must be at least %d bits.\n",
+               options->minimum_key_strength);
       ret = EINVAL;
       goto done;
     }
 
   if (!hash_alg)
-- 
2.19.1
import sscg-2.3.3-6.el8 2019-08-02 02:38:14 +00:00			`From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001`
			`From: Stephen Gallagher <sgallagh@redhat.com>`
			`Date: Tue, 27 Nov 2018 13:24:37 -0500`
			`Subject: [PATCH 2/4] Adjust defaults based on system security level`

			`Also permit arbitrary keylengths.`

			`Disallow keylengths smaller than the configured system minimum.`

			`Resolves: rhbz#1653323`

			`Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>`
			`---`
			`config.h.in \| 1 -`
			`include/sscg.h \| 1 +`
			`meson.build \| 10 ++++++--`
			`src/sscg.c \| 64 ++++++++++++++++++++++++++++++++++++++++++++++----`
			`4 files changed, 68 insertions(+), 8 deletions(-)`
			`delete mode 100644 config.h.in`

			`diff --git a/config.h.in b/config.h.in`
			`deleted file mode 100644`
			`index 6044a4355f6c8bfac8d36e533f48f395c597e5ac..0000000000000000000000000000000000000000`
			`--- a/config.h.in`
			`+++ /dev/null`
			`@@ -1 +0,0 @@`
			`-#define PACKAGE_VERSION "@version@"`
			`diff --git a/include/sscg.h b/include/sscg.h`
			`index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644`
			`--- a/include/sscg.h`
			`+++ b/include/sscg.h`
			`@@ -137,10 +137,11 @@ struct sscg_options`
			`const char *hostname;`
			`char **subject_alt_names;`

			`/* Encryption requirements */`
			`int key_strength;`
			`+ int minimum_key_strength;`
			`const EVP_MD *hash_fn;`

			`/* Output Files */`
			`char *ca_file;`
			`char *ca_key_file;`
			`diff --git a/meson.build b/meson.build`
			`index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644`
			`--- a/meson.build`
			`+++ b/meson.build`
			`@@ -32,10 +32,11 @@ foreach cflag: test_cflags`
			`endif`
			`endforeach`

			`pkg = import('pkgconfig')`
			`crypto = dependency('libcrypto')`
			`+ssl = dependency('libssl')`
			`path_utils = dependency('path_utils')`
			`talloc = dependency('talloc')`

			`popt = dependency(`
			`'popt',`
			`@@ -47,10 +48,14 @@ if popt.found()`
			`else`
			`popt = subproject('popt').get_variable('libpopt_a')`
			`popt_incdirs = include_directories('subprojects/popt')`
			`endif`

			`+has_get_sec_level = cc.has_function(`
			`+ 'SSL_CTX_get_security_level',`
			`+ dependencies: [ ssl])`
			`+`
			`sscg_lib_srcs = [`
			`'src/authority.c',`
			`'src/bignum.c',`
			`'src/key.c',`
			`'src/service.c',`
			`@@ -68,10 +73,11 @@ sscg_lib_hdrs = [`
			`sscg_lib = static_library(`
			`'sscg',`
			`sources : sscg_lib_srcs,`
			`dependencies : [`
			`crypto,`
			`+ ssl,`
			`talloc,`
			`],`
			`install : false,`
			`pic : true,`
			`)`
			`@@ -133,13 +139,13 @@ init_bignum_test = executable(`
			`install : false,`
			`)`
			`test('init_bignum_test', init_bignum_test)`

			`cdata = configuration_data()`
			`-cdata.set('version', meson.project_version())`
			`+cdata.set_quoted('PACKAGE_VERSION', meson.project_version())`
			`+cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level)`
			`configure_file(`
			`- input : 'config.h.in',`
			`output : 'config.h',`
			`configuration : cdata)`

			`# Generate a manpage from the POPT documentation`
			`help2man = find_program('help2man')`
			`diff --git a/src/sscg.c b/src/sscg.c`
			`index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644`
			`--- a/src/sscg.c`
			`+++ b/src/sscg.c`
			`@@ -15,30 +15,80 @@`
			`along with sscg. If not, see <http://www.gnu.org/licenses/>.`

			`Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>`
			`*/`

			`+#define _GNU_SOURCE`
			`#include <popt.h>`
			`#include <stdlib.h>`
			`#include <stdio.h>`
			`#include <string.h>`
			`#include <talloc.h>`
			`#include <path_utils.h>`
			`#include <unistd.h>`
			`#include <openssl/evp.h>`
			`+#include <openssl/ssl.h>`
			`#include <sys/param.h>`

			`#include "config.h"`
			`#include "include/sscg.h"`
			`#include "include/authority.h"`
			`#include "include/service.h"`

			`+static int`
			`+get_security_level (void)`
			`+{`
			`+#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL`
			`+ SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ());`
			`+ int security_level = SSL_CTX_get_security_level (ssl_ctx);`
			`+ SSL_CTX_free (ssl_ctx);`
			`+ ssl_ctx = NULL;`
			`+ return security_level;`
			`+#else`
			`+ return 0;`
			`+#endif`
			`+}`
			`+`
			`static int`
			`set_default_options (struct sscg_options *opts)`
			`{`
			`+ int security_level = get_security_level ();`
			`+`
			`opts->lifetime = 3650;`
			`- opts->key_strength = 2048;`
			`+`
			`+ /* Select the default key strength based on the system security level`
			`+ * See:`
			`+ * https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html`
			`+ * for the specification of the minimums.`
			`+ */`
			`+ switch (security_level)`
			`+ {`
			`+ case 0:`
			`+ case 1:`
			`+ case 2:`
			`+ /* Security level 2 and below permits lower key-strengths, but SSCG`
			`+ * will set a minimum of 2048 bits`
			`+ */`
			`+ opts->key_strength = 2048;`
			`+ break;`
			`+`
			`+ case 3: opts->key_strength = 3072; break;`
			`+`
			`+ case 4: opts->key_strength = 7680; break;`
			`+`
			`+ default:`
			`+ /* Unknown security level. Default to the highest we know about */`
			`+ fprintf (stderr,`
			`+ "Unknown system security level %d. Defaulting to highest-known "`
			`+ "level.\n",`
			`+ security_level);`
			`+ /* Fall through */`
			`+`
			`+ case 5: opts->key_strength = 15360; break;`
			`+ }`
			`+`
			`+ opts->minimum_key_strength = opts->key_strength;`
			`return 0;`
			`}`

			`static void`
			`print_options (struct sscg_options *opts)`
			`@@ -115,10 +165,11 @@ main (int argc, const char **argv)`
			`{`
			`int ret, sret, opt;`
			`size_t i;`
			`poptContext pc;`
			`struct sscg_options *options;`
			`+ char *minimum_key_strength_help = NULL;`

			`char *country = NULL;`
			`char *state = NULL;`
			`char *locality = NULL;`
			`char *organization = NULL;`
			`@@ -170,10 +221,13 @@ main (int argc, const char **argv)`

			`ret = set_default_options (options);`
			`if (ret != EOK)`
			`goto done;`

			`+ minimum_key_strength_help =`
			`+ talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength);`
			`+`
			`options->verbosity = SSCG_DEFAULT;`
			`struct poptOption long_options[] = {`
			`POPT_AUTOHELP{ "quiet",`
			`'q',`
			`POPT_ARG_VAL,`
			`@@ -291,11 +345,11 @@ main (int argc, const char **argv)`
			`'\0',`
			`POPT_ARG_INT \| POPT_ARGFLAG_SHOW_DEFAULT,`
			`&options->key_strength,`
			`0,`
			`_ ("Strength of the certificate private keys in bits."),`
			`- _ ("{512,1024,2048,4096}") },`
			`+ minimum_key_strength_help },`
			`{`
			`"hash-alg",`
			`'\0',`
			`POPT_ARG_STRING,`
			`&hash_alg,`
			`@@ -527,15 +581,15 @@ main (int argc, const char **argv)`
			`options->subject_alt_names[i + 1] = NULL;`
			`i++;`
			`}`
			`}`

			`- if (options->key_strength != 512 && options->key_strength != 1024 &&`
			`- options->key_strength != 2048 && options->key_strength != 4096)`
			`+ if (options->key_strength < options->minimum_key_strength)`
			`{`
			`fprintf (stderr,`
			`- "Key strength must be one of {512, 1024, 2048, 4096}.\n");`
			`+ "Key strength must be at least %d bits.\n",`
			`+ options->minimum_key_strength);`
			`ret = EINVAL;`
			`goto done;`
			`}`

			`if (!hash_alg)`
			`--`
			`2.19.1`