-
Notifications
You must be signed in to change notification settings - Fork 837
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fedora crypto-policies: initial support. #8205
Conversation
2b8ae8b
to
d3b28ff
Compare
Retest this please. CRL issues |
0b8d992
to
a29b79f
Compare
9535b80
to
8bc9faf
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me. Is there feedback on use with Fedora?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current code depends on OPENSSL_EXTRA
, and you should add an error in configure.ac
if someone attempts to use --with-sys-crypto-policy
without ENABLED_OPENSSLEXTRA
.
The other notable dependency is on stdio filesystem, so build fails if -DNO_FILESYSTEM
. But wolfSSL_crypto_policy_enable()
could be implemented to take a const char *
instead of a path, eliminating that dependency. That could prove useful in embedded and kernel apps.
The combo
|
02d70ba
to
b5c47d2
Compare
Description
Adds initial support for Fedora and Redhat system-wide crypto-policies.
The idea is at runtime, a system wide crypto-policy config file is loaded that sets minimum security limits on:
Fixes zd#18593.
Build with
--with-sys-crypto-policy
, or--with-sys-crypto-policy=<path>
. If no arg is given, then/etc/crypto-policies/back-ends/wolfssl.config
is used as default.Requires enable-distro.
crypto-policy API
Enable with wolfSSL_crypto_policy_enable or wolfSSL_crypto_policy_enable_buffer. Once enabled, new instantiated WOLFSSL_CTX will inherit the policy's parameters. Trying to change the minimum downgrade version, or set key sizes smaller than allowed minimum will return CRYPTO_POLICY_FORBIDDEN.
The crypto_policy API are not thread safe, and should only be used during program init.
Testing
Added new unit tests:
Added Jenkins test:
Config
Added three example crypto-policy configs here:
Examples
The examples client and server were updated to take crypto-policy as an arg.
E.g. if you run the example with the future policy it will fail, because the future policy requires min 3072 RSA and DH key sizes (or 256 bit ecc keys):
If you set the client to use larger keys, then it works again: