
Merge PR #1235: Manage security level

This commit is contained in:
Davide Beatrici 2020-10-31 22:12:08 +01:00 committed by GitHub
commit fffed52f3b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 75 additions and 32 deletions


@ -67,13 +67,26 @@ void CheckNetworkListenThread(THREAD *thread, void *param)
{
CHECK_NETWORK_1 *c = (CHECK_NETWORK_1 *)param;
SOCK *s;
UINT i;
UINT i, rsa_bits = 1024;
K *pub, *pri;
X *x;
LIST *o = NewList(NULL);
NAME *name = NewName(L"Test", L"Test", L"Test", L"JP", L"Ibaraki", L"Tsukuba");
RsaGen(&pri, &pub, 1024);
// Set RSA bits considering OpenSSL security Level
// Security level 4 needs 7680 bits
switch (GetOSSecurityLevel())
{
case 2:
rsa_bits = 2048;
break;
case 3:
rsa_bits = 4096;
break;
default:
break;
}
RsaGen(&pri, &pub, rsa_bits);
x = NewRootX(pub, pri, name, 1000, NULL);
FreeName(name);
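Review bot: The switch in CheckNetworkListenThread maps security levels 4 and 5 to the 1024-bit default even though the comment directly above it says level 4 needs 7680 bits, so on a system whose default level is 4 or 5 the generated test key is too small for the library's own policy and the test will fail for the wrong reason. Add `case 4: rsa_bits = 7680; break;` and `case 5: rsa_bits = 15360; break;` (OpenSSL's documented minimum RSA sizes for 192- and 256-bit security), or make the `default:` branch pick the largest size rather than the smallest. Generating keys of that size is slow, so if this thread runs more than once per process the cost is worth measuring. The function body continues past the hunk.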


@ -5931,6 +5931,8 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
c->SslAcceptSettings.Tls_Disable1_3 = CfgGetBool(f, "Tls_Disable1_3");
c->SslAcceptSettings.Override_Security_Level = CfgGetBool(f, "Override_Security_Level");
c->SslAcceptSettings.Override_Security_Level_Value = CfgGetInt(f, "Override_Security_Level_Value");
s->StrictSyslogDatetimeFormat = CfgGetBool(f, "StrictSyslogDatetimeFormat");
@ -6256,6 +6258,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
CfgAddBool(f, "Tls_Disable1_3", c->SslAcceptSettings.Tls_Disable1_3);
CfgAddBool(f, "Override_Security_Level", c->SslAcceptSettings.Override_Security_Level);
CfgAddInt(f, "Override_Security_Level_Value", c->SslAcceptSettings.Override_Security_Level_Value);
CfgAddInt(f, "DhParamBits", c->DhParamBits);
// Disable session reconnect
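Review bot: `Override_Security_Level_Value` is read with `CfgGetInt` in SiLoadServerCfg with no range check, and `CfgGetInt` presumably yields 0 when the key is absent, so a configuration that sets `Override_Security_Level` to true but omits the value silently puts the listener at level 0, where OpenSSL permits every cipher and key size. OpenSSL only defines levels 0–5; consider clamping after the read, e.g. `if (c->SslAcceptSettings.Override_Security_Level_Value > 5) { c->SslAcceptSettings.Override_Security_Level_Value = 5; }`, and emitting a log line when the override is active so a weakened policy is visible to the operator. The matching write in SiWriteServerCfg in the second hunk needs no change. Both functions extend beyond the hunks.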


@ -5737,12 +5737,6 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
{
if (server_mode)
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
#ifdef SSL_OP_NO_TLSv1_3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); // For some reason pppd under linux doesn't like it
#endif
@ -5753,10 +5747,16 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
{
SSL_CTX_set_tmp_dh(ssl_ctx, dh->dh);
}
}
else
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
#if 0
// Cannot get config
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (sock->SslAcceptSettings.Override_Security_Level)
{
SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
}
#endif
#endif
}
if (verify_peer)
@ -12120,12 +12120,6 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
{
if (sock->ServerMode)
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
#ifdef SSL_OP_NO_TLSv1
if (sock->SslAcceptSettings.Tls_Disable1_0)
{
@ -12154,18 +12148,17 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
}
#endif // SSL_OP_NO_TLSv1_3
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (sock->SslAcceptSettings.Override_Security_Level)
{
SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
}
#endif
Unlock(openssl_lock);
AddChainSslCertOnDirectory(ssl_ctx);
Lock(openssl_lock);
}
else
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
}
sock->ssl = SSL_new(ssl_ctx);
SSL_set_fd(sock->ssl, (int)sock->socket);
@ -16819,6 +16812,20 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)
{
struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
// It resets some parameters.
if (server_mode)
{
SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
}
else
{
SSL_CTX_set_ssl_version(ctx, SSLv23_client_method());
}
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
#endif // SSL_OP_NO_TICKET
@ -16851,6 +16858,28 @@ void FreeSSLCtx(struct ssl_ctx_st *ctx)
SSL_CTX_free(ctx);
}
// Get OS (maximum) Security Level
UINT GetOSSecurityLevel()
{
UINT security_level_new = 0, security_level_set_ssl_version = 0;
struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
security_level_new = SSL_CTX_get_security_level(ctx);
#endif
security_level_set_ssl_version = SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
FreeSSLCtx(ctx);
if(security_level_new >= security_level_set_ssl_version)
{
return security_level_new;
}
return security_level_set_ssl_version;
}
// The number of get ip threads
void SetGetIpThreadMaxNum(UINT num)
{
@ -16966,12 +16995,6 @@ TOKEN_LIST *GetCipherList()
return ciphers;
}
SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
#endif
ssl = SSL_new(ctx);
if (ssl == NULL)
{
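Review bot: In GetOSSecurityLevel the return value of `SSL_CTX_set_ssl_version` is a success flag (1 on success, 0 on failure), not a security level, so `security_level_set_ssl_version` is only ever 0 or 1 and the `>=` comparison merely forces the result up to 1; the variable name and the comparison suggest a second source of the level that does not exist. The `SSL_CTX_new` result is also passed to `SSL_CTX_get_security_level` without a NULL check. Rewritten below to read the library default level once, check the allocation, and return 0 on builds without security levels (OpenSSL before 1.1, or LibreSSL); the one caller visible here, CheckNetworkListenThread, treats 0 and 1 identically, but other callers should be checked before relying on that. Separately, the `#if 0` block added to the client branch of NewSslPipeEx references `sock`, which is not a parameter of that function, and would be clearer as a one-line TODO comment than as disabled code.
```c
// Get the security level a freshly created context starts with
// (the library default, possibly adjusted by the system openssl.cnf).
// Returns 0 on builds that have no security levels or when no context
// can be created.
UINT GetOSSecurityLevel()
{
	UINT security_level = 0;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
	struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
	if (ctx == NULL)
	{
		return 0;
	}
	security_level = (UINT)SSL_CTX_get_security_level(ctx);
	FreeSSLCtx(ctx);
#endif
	return security_level;
}
```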


@ -148,6 +148,8 @@ struct SSL_ACCEPT_SETTINGS
bool Tls_Disable1_1;
bool Tls_Disable1_2;
bool Tls_Disable1_3;
bool Override_Security_Level;
UINT Override_Security_Level_Value;
};
// Socket
@ -1448,6 +1450,7 @@ void RefreshLocalMacAddressList();
struct ssl_ctx_st *NewSSLCtx(bool server_mode);
void FreeSSLCtx(struct ssl_ctx_st *ctx);
UINT GetOSSecurityLevel();
void SetCurrentDDnsFqdn(char *name);
void GetCurrentDDnsFqdn(char *name, UINT size);
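Review bot: The new `Override_Security_Level_Value` field in SSL_ACCEPT_SETTINGS carries no comment on its range or on the fact that it is only consulted when `Override_Security_Level` is set, yet the value is passed straight to `SSL_CTX_set_security_level`; add `// OpenSSL security level (0-5) applied when Override_Security_Level is true` above it. The prototype `UINT GetOSSecurityLevel();` is an old-style declaration with no parameter list; the neighbouring declarations use the same form so it follows local convention, but `UINT GetOSSecurityLevel(void);` is the prototyped form and lets the compiler reject stray arguments.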