Set RSA bits considering OpenSSL security Level

src/Cedar/Command.c

@@ -67,13 +67,26 @@ void CheckNetworkListenThread(THREAD *thread, void *param)
 {
 	CHECK_NETWORK_1 *c = (CHECK_NETWORK_1 *)param;
 	SOCK *s;
-	UINT i;
+	UINT i, rsa_bits = 1024;
 	K *pub, *pri;
 	X *x;
 	LIST *o = NewList(NULL);
 	NAME *name = NewName(L"Test", L"Test", L"Test", L"JP", L"Ibaraki", L"Tsukuba");
 
-	RsaGen(&pri, &pub, 1024);
+	// Set RSA bits considering OpenSSL security Level
+	// Security level 4 needs 7680 bits
+	switch (GetOSSecurityLevel())
+	{
+	case 2:
+		rsa_bits = 2048;
+		break;
+	case 3:
+		rsa_bits = 4096;
+		break;
+	default:
+		break;
+	}
+	RsaGen(&pri, &pub, rsa_bits);
 	x = NewRootX(pub, pri, name, 1000, NULL);
 
 	FreeName(name);

src/Mayaqua/Network.c

@@ -16840,6 +16840,28 @@ void FreeSSLCtx(struct ssl_ctx_st *ctx)
 	SSL_CTX_free(ctx);
 }
 
+// Get OS (maximum) Security Level
+UINT GetOSSecurityLevel()
+{
+	UINT security_level_new = 0, security_level_set_ssl_version = 0;
+	struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+	security_level_new = SSL_CTX_get_security_level(ctx);
+#endif
+
+	security_level_set_ssl_version = SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
+
+	FreeSSLCtx(ctx);
+
+	if(security_level_new >= security_level_set_ssl_version)
+	{
+		return security_level_new;
+	}
+
+	return security_level_set_ssl_version;
+}
+
 // The number of get ip threads
 void SetGetIpThreadMaxNum(UINT num)
 {

src/Mayaqua/Network.h

@@ -1448,6 +1448,7 @@ void RefreshLocalMacAddressList();
 
 struct ssl_ctx_st *NewSSLCtx(bool server_mode);
 void FreeSSLCtx(struct ssl_ctx_st *ctx);
+UINT GetOSSecurityLevel();
 
 void SetCurrentDDnsFqdn(char *name);
 void GetCurrentDDnsFqdn(char *name, UINT size);