fedora crypto-policies: initial support. #8205

Merged
merged 1 commit into from
Dec 19, 2024
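--- a/configure.ac
+++ b/configure.ac
@@ -8993,6 +8993,25 @@ AC_ARG_WITH([libsuffix],
 )
 AC_SUBST(LIBSUFFIX)
 
+# Support system wide crypto-policy file:
+# - Pass path to your wolfssl.config system crypto-policy file.
+# - Pass no argument to use default.
+AC_ARG_WITH([sys-crypto-policy],
+[AS_HELP_STRING([--with-sys-crypto-policy=PATH],[Support for system-wide crypto-policy file. (default: disabled)])],
+[ SYS_CRYPTO_POLICY=$withval],
+[ SYS_CRYPTO_POLICY=no ]
+)
+
+if test "$SYS_CRYPTO_POLICY" != "no"; then
+if test "$SYS_CRYPTO_POLICY" = "yes"; then
+# Default to the wolfssl fedora crypto-policy file.
+SYS_CRYPTO_POLICY="/etc/crypto-policies/back-ends/wolfssl.config"
+fi
+
+AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SYS_CRYPTO_POLICY"
+AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CRYPTO_POLICY_FILE=\"$SYS_CRYPTO_POLICY\""
+fi
+
 AC_ARG_ENABLE([context-extra-user-data],
 [AS_HELP_STRING([--enable-context-extra-user-data],[Enables option for storing user-defined data in TLS API contexts, with optional argument the number of slots to allocate (default: disabled)])],
 [ ENABLED_EX_DATA=$enableval ],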
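Review bot: The value of `--with-sys-crypto-policy=PATH` is spliced unescaped into `AM_CFLAGS` on the `-DWOLFSSL_CRYPTO_POLICY_FILE=\"$SYS_CRYPTO_POLICY\"` line, so a path containing whitespace, a double quote or a backslash produces a broken or mis-split compile line instead of a configure-time error; rejecting such characters with `AC_MSG_ERROR` before the assignment, or defining the macro via `AC_DEFINE_UNQUOTED([WOLFSSL_CRYPTO_POLICY_FILE], ["$SYS_CRYPTO_POLICY"], [...])` which takes care of the quoting, would fail early and visibly. The default path and the comment above the option name `wolfssl.config`, while the example policies added in this PR under examples/crypto_policies/ are named `wolfssl.txt`; either the names should be aligned or the comment should say which file is expected to be installed. Nothing in this diff consumes WOLFSSL_CRYPTO_POLICY_FILE (the examples take the path from `--crypto-policy`), so the library-side reader presumably lives outside this PR; a comment here naming where the macro is honoured would help the next reader.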
33 changes: 29 additions & 4 deletions examples/client/client.c
Expand Up @@ -1168,7 +1168,7 @@ static int ClientWriteRead(WOLFSSL* ssl, const char* msg, int msgSz,
/* 4. add the same message into Japanese section */
/* (will be translated later) */
/* 5. add printf() into suitable position of Usage() */
static const char* client_usage_msg[][77] = {
static const char* client_usage_msg[][78] = {
/* English */
{
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */
Expand Down Expand Up @@ -1404,9 +1404,12 @@ static const char* client_usage_msg[][77] = {
"--rpk Use RPK for the defined certificates\n", /* 74 */
#endif
"--files-are-der Specified files are in DER, not PEM format\n", /* 75 */
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
"--crypto-policy <path to crypto policy file>\n", /* 76 */
#endif
"\n"
"For simpler wolfSSL TLS client examples, visit\n"
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 76 */
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 77 */
NULL,
},
#ifndef NO_MULTIBYTE_PRINT
Expand Down Expand Up @@ -1649,10 +1652,13 @@ static const char* client_usage_msg[][77] = {
"--rpk Use RPK for the defined certificates\n", /* 74 */
#endif
"--files-are-der Specified files are in DER, not PEM format\n", /* 75 */
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
"--crypto-policy <path to crypto policy file>\n", /* 76 */
#endif
"\n"
"より簡単なwolfSSL TLS クライアントの例については"
"下記にアクセスしてください\n"
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 76 */
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 77 */
NULL,
},
#endif
Expand Down Expand Up @@ -2069,6 +2075,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
{ "rpk", 0, 267 },
#endif /* HAVE_RPK */
{ "files-are-der", 0, 268 },
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
{ "crypto-policy", 1, 269 },
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
{ 0, 0, 0 }
};
#endif
Expand Down Expand Up @@ -2213,6 +2222,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
int useRPK = 0;
#endif /* HAVE_RPK */
int fileFormat = WOLFSSL_FILETYPE_PEM;
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
const char * policy = NULL;
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */


char buffer[WOLFSSL_MAX_ERROR_SZ];

Expand Down Expand Up @@ -2932,6 +2945,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
case 268:
fileFormat = WOLFSSL_FILETYPE_ASN1;
break;
case 269:
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
policy = myoptarg;
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
break;

default:
Usage();
XEXIT_T(MY_EX_USAGE);
Expand Down Expand Up @@ -3159,6 +3178,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (method == NULL)
err_sys("unable to get method");

#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
if (policy != NULL) {
if (wolfSSL_crypto_policy_enable(policy) != WOLFSSL_SUCCESS) {
err_sys("wolfSSL_crypto_policy_enable failed");
}
}
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */

#ifdef WOLFSSL_STATIC_MEMORY
#if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_STATIC_MEMORY_LEAN)
Expand Down Expand Up @@ -4821,7 +4847,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
{
func_args args;


StartTCP();

#if defined(WOLFSSL_SRTP) && defined(WOLFSSL_COND)
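Review bot: `case 269:` in the option switch sits outside the `#if defined(WOLFSSL_SYS_CRYPTO_POLICY)` guard, while the matching `{ "crypto-policy", 1, 269 }` table entry and the `policy` variable are guarded, so a build without the feature keeps a dead case label with an empty body; moving the `#if` to enclose the whole case, from `case 269:` through its `break;`, matches the table and keeps the disabled path identical to any other unknown option. The same shape appears in server.c's `case 268:`. `const char * policy = NULL;` also departs from the file's `char* crlDir`-style pointer declarations; `const char* policy = NULL;` would match. Exiting through `err_sys` when `wolfSSL_crypto_policy_enable` fails is the right fail-closed behaviour for a policy switch; a one-line comment such as `/* Enable the policy before any ctx exists so it applies to everything created below. */` would record why the call is placed here, assuming that is the reason — the function's contract is not in this diff. `client_test` begins and ends outside the hunk.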
1 change: 1 addition & 0 deletions examples/crypto_policies/default/wolfssl.txt
@@ -0,0 +1 @@
@SECLEVEL=2:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!RC4:!eNULL:!aNULL
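Review bot: The three new policy files (default, future, legacy) carry no documentation of their format or provenance: nothing states that a `@SECLEVEL=N:` prefix followed by a cipher-list string is the expected syntax, or which Fedora crypto-policy level each file mirrors. A short README in examples/crypto_policies/ naming the source policy and the accepted syntax would let reviewers check future edits against something. `legacy/wolfssl.txt` omits `!RC4` while `default/wolfssl.txt` lists it, so on a build that includes RC4 the legacy policy would leave it enabled; that should be confirmed as intended rather than an oversight. The file names here (`wolfssl.txt`) also differ from the `wolfssl.config` default path in configure.ac.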
1 change: 1 addition & 0 deletions examples/crypto_policies/future/wolfssl.txt
@@ -0,0 +1 @@
@SECLEVEL=3:EECDH:EDH:PSK:DHEPSK:ECDHEPSK:!RSAPSK:!kRSA:!AES128:!RC4:!eNULL:!aNULL:!SHA1
1 change: 1 addition & 0 deletions examples/crypto_policies/legacy/wolfssl.txt
@@ -0,0 +1 @@
@SECLEVEL=1:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!eNULL:!aNULL
31 changes: 28 additions & 3 deletions examples/server/server.c
Expand Up @@ -873,7 +873,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
/* 4. add the same message into Japanese section */
/* (will be translated later) */
/* 5. add printf() into suitable position of Usage() */
static const char* server_usage_msg[][65] = {
static const char* server_usage_msg[][66] = {
/* English */
{
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */
Expand Down Expand Up @@ -1056,11 +1056,14 @@ static const char* server_usage_msg[][65] = {
#ifdef WOLFSSL_DUAL_ALG_CERTS
"--altPrivKey <file> Generate alternative signature with this key.\n",
/* 65 */
#endif
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
"--crypto-policy <path to crypto policy file>\n", /* 66 */
#endif
"\n"
"For simpler wolfSSL TLS server examples, visit\n"
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n",
/* 66 */
/* 67 */
NULL,
},
#ifndef NO_MULTIBYTE_PRINT
Expand Down Expand Up @@ -1261,12 +1264,15 @@ static const char* server_usage_msg[][65] = {
#ifdef WOLFSSL_DUAL_ALG_CERTS
"--altPrivKey <file> Generate alternative signature with this key.\n",
/* 65 */
#endif
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
"--crypto-policy <path to crypto policy file>\n", /* 66 */
#endif
"\n"
"より簡単なwolfSSL TSL クライアントの例については"
"下記にアクセスしてください\n"
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n",
/* 66 */
/* 67 */
NULL,
},
#endif
Expand Down Expand Up @@ -1545,6 +1551,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#ifdef WOLFSSL_DUAL_ALG_CERTS
{ "altPrivKey", 1, 267},
#endif
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
{ "crypto-policy", 1, 268 },
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
{ 0, 0, 0 }
};
#endif
Expand Down Expand Up @@ -1669,6 +1678,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#if defined(HAVE_CRL) && !defined(NO_FILESYSTEM)
char* crlDir = NULL;
#endif
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
const char * policy = NULL;
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */

#ifdef WOLFSSL_STATIC_MEMORY
/* Note: Actual memory used is much less, this is the entire buffer buckets,
Expand Down Expand Up @@ -2438,6 +2450,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
altPrivKey = myoptarg;
break;
#endif
case 268:
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
policy = myoptarg;
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
break;

case -1:
default:
Expand Down Expand Up @@ -2592,6 +2609,14 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
if (method == NULL)
err_sys_ex(runWithErrors, "unable to get method");

#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
if (policy != NULL) {
if (wolfSSL_crypto_policy_enable(policy) != WOLFSSL_SUCCESS) {
err_sys("wolfSSL_crypto_policy_enable failed");
}
}
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */

#ifdef WOLFSSL_STATIC_MEMORY
#if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_STATIC_MEMORY_LEAN)
/* print off helper buffer sizes for use with static memory
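Review bot: The failure branch after `wolfSSL_crypto_policy_enable` calls `err_sys("wolfSSL_crypto_policy_enable failed")` while the neighbouring `method == NULL` check uses `err_sys_ex(runWithErrors, ...)`. If that is deliberate — a server should never keep running without the policy the operator asked for, whatever `runWithErrors` says — it deserves a comment, e.g. `/* Fail hard even with runWithErrors: serving without the requested policy is worse than not serving. */`; if it is not deliberate, the call should follow the surrounding convention. Whether `err_sys_ex` can return when `runWithErrors` is set is not visible in this diff. `server_test` begins and ends outside the hunk.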