diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c
index 372baa54..c11455cc 100644
--- a/src/Cedar/Command.c
+++ b/src/Cedar/Command.c
@@ -67,13 +67,26 @@ void CheckNetworkListenThread(THREAD *thread, void *param)
 {
 CHECK_NETWORK_1 *c = (CHECK_NETWORK_1 *)param;
 SOCK *s;
- UINT i;
+ UINT i, rsa_bits = 1024;
 K *pub, *pri;
 X *x;
 LIST *o = NewList(NULL);
 NAME *name = NewName(L"Test", L"Test", L"Test", L"JP", L"Ibaraki", L"Tsukuba");
- RsaGen(&pri, &pub, 1024);
+ // Set RSA bits considering OpenSSL security Level
+ // Security level 4 needs 7680 bits
+ switch (GetOSSecurityLevel())
+ {
+ case 2:
+ rsa_bits = 2048;
+ break;
+ case 3:
+ rsa_bits = 4096;
+ break;
+ default:
+ break;
+ }
+ RsaGen(&pri, &pub, rsa_bits);
 x = NewRootX(pub, pri, name, 1000, NULL);
 FreeName(name);
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 8bad3eb9..13be597d 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -16840,6 +16840,28 @@ void FreeSSLCtx(struct ssl_ctx_st *ctx)
 SSL_CTX_free(ctx);
 }
+// Get OS (maximum) Security Level
+UINT GetOSSecurityLevel()
+{
+ UINT security_level_new = 0, security_level_set_ssl_version = 0;
+ struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ security_level_new = SSL_CTX_get_security_level(ctx);
+#endif
+
+ security_level_set_ssl_version = SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
+
+ FreeSSLCtx(ctx);
+
+ if(security_level_new >= security_level_set_ssl_version)
+ {
+ return security_level_new;
+ }
+
+ return security_level_set_ssl_version;
+}
+
 // The number of get ip threads
 void SetGetIpThreadMaxNum(UINT num)
 {
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index 8f1a44f2..362882e4 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
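Review bot: Security levels 4 and 5 land in the `default:` branch of the new switch and keep `rsa_bits = 1024`, even though the comment two lines above records that level 4 needs 7680 bits, so at the strictest levels the generated test certificate is weaker than at level 3 and may be rejected by any context that enforces that level. Add `case 4: rsa_bits = 7680; break;` and `case 5: rsa_bits = 15360; break;` ahead of `default:` (OpenSSL level 5 requires 256-bit security), or at minimum make levels above 3 fall to the largest mapped size rather than back to 1024; the key-generation time at those sizes is worth a comment if this check is meant to stay quick. Level 0/1 correctly keep the 1024-bit default, and the same default is reached when GetOSSecurityLevel() returns 0 on builds without the security-level API (see the Network.c hunk). CheckNetworkListenThread's body continues outside the hunk.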
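Review bot: `SSL_CTX_set_ssl_version()` returns a success flag (1 on success, 0 on failure), not a security level, so `security_level_set_ssl_version` is a boolean being compared with a level in the final `if`; on OpenSSL >= 1.1 this only clamps the result to at least 1, while on LibreSSL and older OpenSSL the function reports level 1 regardless of configuration and never exercises the `#if` branch. Drop that call and return the value of `SSL_CTX_get_security_level()` alone, which stays 0 where the API is unavailable and keeps the callers' default branch. `SSL_CTX_new()` can return NULL and the context is then handed to `SSL_CTX_get_security_level()` unchecked, so bail out early in that case; the rewritten body is below. `SSLv23_method()` is the deprecated spelling of `TLS_method()` on OpenSSL >= 1.1, so keep whichever the rest of Network.c already uses.
```c
// Get OS (maximum) Security Level
UINT GetOSSecurityLevel()
{
	UINT security_level = 0;
	struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());

	if (ctx == NULL)
	{
		// No context available: report the lowest level so callers keep their default
		return 0;
	}

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
	// Level configured for a fresh context (compile-time default or system openssl.cnf)
	security_level = SSL_CTX_get_security_level(ctx);
#endif

	FreeSSLCtx(ctx);

	return security_level;
}
```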
@@ -1448,6 +1448,7 @@ void RefreshLocalMacAddressList();
 struct ssl_ctx_st *NewSSLCtx(bool server_mode);
 void FreeSSLCtx(struct ssl_ctx_st *ctx);
+UINT GetOSSecurityLevel();
 void SetCurrentDDnsFqdn(char *name);
 void GetCurrentDDnsFqdn(char *name, UINT size);