From d0b3cde485d3be13b43f8aa913e789c0c0f17053 Mon Sep 17 00:00:00 2001 From: Takuho NAKANO Date: Tue, 5 May 2020 19:02:51 +0900 Subject: [PATCH 1/5] Refact: move SSL_CTX_set_ssl_version to NewSSLCtx --- src/Mayaqua/Network.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index bbe4b1ad..839f8e2a 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -5737,8 +5737,6 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee { if (server_mode) { - SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method()); - #ifdef SSL_OP_NO_SSLv3 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); #endif // SSL_OP_NO_SSLv3 @@ -5754,10 +5752,6 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee SSL_CTX_set_tmp_dh(ssl_ctx, dh->dh); } } - else - { - SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method()); - } if (verify_peer) { @@ -12120,8 +12114,6 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname) { if (sock->ServerMode) { - SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method()); - #ifdef SSL_OP_NO_SSLv3 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); #endif // SSL_OP_NO_SSLv3 @@ -12160,8 +12152,6 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname) } else { - SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method()); - #ifdef SSL_OP_NO_SSLv3 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); #endif // SSL_OP_NO_SSLv3 @@ -16836,6 +16826,15 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode) SSL_CTX_set_ecdh_auto(ctx, 1); #endif // SSL_CTX_set_ecdh_auto + if (server_mode) + { + SSL_CTX_set_ssl_version(ctx, SSLv23_server_method()); + } + else + { + SSL_CTX_set_ssl_version(ctx, SSLv23_client_method()); + } + return ctx; } 
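Review bot: The return value of `SSL_CTX_set_ssl_version` is discarded in the if/else block added to NewSSLCtx; OpenSSL returns 0 when the method cannot be applied (for example when the default cipher list cannot be built for it), and the context is then handed back with no usable ciphers. The removed call sites in NewSslPipeEx and StartSSLEx ignored it too, so consolidating the call is the right moment to start checking it: `if (SSL_CTX_set_ssl_version(ctx, server_mode ? SSLv23_server_method() : SSLv23_client_method()) == 0) { SSL_CTX_free(ctx); return NULL; }` — provided the callers of NewSSLCtx, which are outside this hunk, tolerate a NULL result. The start of NewSSLCtx, including the SSL_CTX_new that creates `ctx`, lies before this hunk.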
@@ -16966,8 +16965,6 @@ TOKEN_LIST *GetCipherList() return ciphers; } - SSL_CTX_set_ssl_version(ctx, SSLv23_server_method()); - #ifdef SSL_OP_NO_SSLv3 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); #endif From 5ca62bdd8aa31a4b11c9a7901c8af6ac7ae533b4 Mon Sep 17 00:00:00 2001 From: Takuho NAKANO Date: Tue, 5 May 2020 19:05:30 +0900 Subject: [PATCH 2/5] Refact: manage SSL_OP_NO_SSLv3 in NewSSLCtx --- src/Mayaqua/Network.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 839f8e2a..8bad3eb9 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -5737,10 +5737,6 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee { if (server_mode) { -#ifdef SSL_OP_NO_SSLv3 - SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); -#endif // SSL_OP_NO_SSLv3 - #ifdef SSL_OP_NO_TLSv1_3 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); // For some reason pppd under linux doesn't like it #endif @@ -12114,10 +12110,6 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname) { if (sock->ServerMode) { -#ifdef SSL_OP_NO_SSLv3 - SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); -#endif // SSL_OP_NO_SSLv3 - #ifdef SSL_OP_NO_TLSv1 if (sock->SslAcceptSettings.Tls_Disable1_0) { @@ -12150,12 +12142,6 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname) AddChainSslCertOnDirectory(ssl_ctx); Lock(openssl_lock); } - else - { -#ifdef SSL_OP_NO_SSLv3 - SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); -#endif // SSL_OP_NO_SSLv3 - } sock->ssl = SSL_new(ssl_ctx); SSL_set_fd(sock->ssl, (int)sock->socket); @@ -16835,6 +16821,10 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode) SSL_CTX_set_ssl_version(ctx, SSLv23_client_method()); } +#ifdef SSL_OP_NO_SSLv3 + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); +#endif // SSL_OP_NO_SSLv3 + return ctx; } 
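Review bot: The commit message calls this a refactor, but the block removed from NewSslPipeEx only set SSL_OP_NO_SSLv3 under `if (server_mode)`, while the block added to NewSSLCtx applies it to every context, so client-mode pipes now refuse SSLv3 as well. That is the right hardening, and it deserves a sentence in the message so nobody later reverts it as an accidental behaviour change. The hunks also assume that the `ssl_ctx` in NewSslPipeEx and StartSSLEx and the `ctx` in GetCipherList (next hunk) are all created through NewSSLCtx; that creation is outside the hunks, and any context still created with a bare SSL_CTX_new would silently lose the SSLv3 restriction. A comment at the new block, `// Applies to every context built here; do not create contexts with SSL_CTX_new directly`, would record that contract.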
@@ -16965,10 +16955,6 @@ TOKEN_LIST *GetCipherList() return ciphers; } -#ifdef SSL_OP_NO_SSLv3 - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); -#endif - ssl = SSL_new(ctx); if (ssl == NULL) { From 190672bd84bd5b422f5faa34c059afa7d63e957a Mon Sep 17 00:00:00 2001 From: Takuho NAKANO Date: Tue, 5 May 2020 21:03:17 +0900 Subject: [PATCH 3/5] Set RSA bits considering OpenSSL security Level --- src/Cedar/Command.c | 17 +++++++++++++++-- src/Mayaqua/Network.c | 22 ++++++++++++++++++++++ src/Mayaqua/Network.h | 1 + 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c index 372baa54..c11455cc 100644 --- a/src/Cedar/Command.c +++ b/src/Cedar/Command.c @@ -67,13 +67,26 @@ void CheckNetworkListenThread(THREAD *thread, void *param) { CHECK_NETWORK_1 *c = (CHECK_NETWORK_1 *)param; SOCK *s; - UINT i; + UINT i, rsa_bits = 1024; K *pub, *pri; X *x; LIST *o = NewList(NULL); NAME *name = NewName(L"Test", L"Test", L"Test", L"JP", L"Ibaraki", L"Tsukuba"); - RsaGen(&pri, &pub, 1024); + // Set RSA bits considering OpenSSL security Level + // Security level 4 needs 7680 bits + switch (GetOSSecurityLevel()) + { + case 2: + rsa_bits = 2048; + break; + case 3: + rsa_bits = 4096; + break; + default: + break; + } + RsaGen(&pri, &pub, rsa_bits); x = NewRootX(pub, pri, name, 1000, NULL); FreeName(name); diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 8bad3eb9..13be597d 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c 
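Review bot: The switch maps only security levels 2 and 3, so levels 4 and 5 fall into `default` and keep the 1024-bit key that the comment directly above says is insufficient for level 4 (7680 bits); the self-test certificate would then be rejected at exactly the levels that demand the most. Either add `case 4: rsa_bits = 7680; break;` and `case 5: rsa_bits = 15360; break;` (slow to generate, but only reached at those levels) or make the default branch choose the largest handled size rather than the smallest. Level 3 requires 3072 bits, so 4096 is correct but could be noted as deliberately rounded up. The rest of CheckNetworkListenThread continues past the hunk.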
@@ -16840,6 +16840,28 @@ void FreeSSLCtx(struct ssl_ctx_st *ctx) SSL_CTX_free(ctx); } +// Get OS (maximum) Security Level +UINT GetOSSecurityLevel() +{ + UINT security_level_new = 0, security_level_set_ssl_version = 0; + struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method()); + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + security_level_new = SSL_CTX_get_security_level(ctx); +#endif + + security_level_set_ssl_version = SSL_CTX_set_ssl_version(ctx, SSLv23_server_method()); + + FreeSSLCtx(ctx); + + if(security_level_new >= security_level_set_ssl_version) + { + return security_level_new; + } + + return security_level_set_ssl_version; +} + // The number of get ip threads void SetGetIpThreadMaxNum(UINT num) { diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index 8f1a44f2..362882e4 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h @@ -1448,6 +1448,7 @@ void RefreshLocalMacAddressList(); struct ssl_ctx_st *NewSSLCtx(bool server_mode); void FreeSSLCtx(struct ssl_ctx_st *ctx); +UINT GetOSSecurityLevel(); void SetCurrentDDnsFqdn(char *name); void GetCurrentDDnsFqdn(char *name, UINT size); From 7fdacec2a62cef9085d9c33fd7644e9c851114cf Mon Sep 17 00:00:00 2001 From: Takuho NAKANO Date: Sat, 31 Oct 2020 20:19:10 +0100 Subject: [PATCH 4/5] Manage OpenSSL security level Add SslAcceptSettings option Override_Security_Level and Override_Security_Level_Value to allow user to choose. --- src/Cedar/Server.c | 4 ++++ src/Mayaqua/Network.c | 17 +++++++++++++++++ src/Mayaqua/Network.h | 2 ++ 3 files changed, 23 insertions(+) diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c index fcd0c2bd..f606fd29 100644 --- a/src/Cedar/Server.c +++ b/src/Cedar/Server.c 
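Review bot: `security_level_set_ssl_version` stores the return value of `SSL_CTX_set_ssl_version`, which in OpenSSL is a success flag (1 or 0), not a security level, so the comparison at the end takes the larger of a level and a boolean and the function can never report less than 1 after a successful call. If the intent is to observe the level in effect once the server method has been applied, call `SSL_CTX_set_ssl_version` first and then read `SSL_CTX_get_security_level` once. `ctx` from `SSL_CTX_new` is also used without a NULL check, and the name suggests an OS property while the value is OpenSSL's default level, which the header comment should state. The whole function is within the hunk; a rewrite along these lines:
```c
// Get the default OpenSSL security level (0 when the library has no
// security levels or the probe context cannot be created)
UINT GetOSSecurityLevel()
{
	UINT security_level = 0;
	struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());

	if (ctx == NULL)
	{
		return 0;
	}

	// SSL_CTX_set_ssl_version returns a success flag, not a level;
	// apply the method first and then read the level it leaves behind.
	SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
	security_level = SSL_CTX_get_security_level(ctx);
#endif

	FreeSSLCtx(ctx);

	return security_level;
}
```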
@@ -5931,6 +5931,8 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f) c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1"); c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2"); c->SslAcceptSettings.Tls_Disable1_3 = CfgGetBool(f, "Tls_Disable1_3"); + c->SslAcceptSettings.Override_Security_Level = CfgGetBool(f, "Override_Security_Level"); + c->SslAcceptSettings.Override_Security_Level_Value = CfgGetInt(f, "Override_Security_Level_Value"); s->StrictSyslogDatetimeFormat = CfgGetBool(f, "StrictSyslogDatetimeFormat"); @@ -6256,6 +6258,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s) CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1); CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2); CfgAddBool(f, "Tls_Disable1_3", c->SslAcceptSettings.Tls_Disable1_3); + CfgAddBool(f, "Override_Security_Level", c->SslAcceptSettings.Override_Security_Level); + CfgAddInt(f, "Override_Security_Level_Value", c->SslAcceptSettings.Override_Security_Level_Value); CfgAddInt(f, "DhParamBits", c->DhParamBits); // Disable session reconnect diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 13be597d..9a0834d3 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -5747,6 +5747,16 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee { SSL_CTX_set_tmp_dh(ssl_ctx, dh->dh); } + +#if 0 + // Cannot get config +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (sock->SslAcceptSettings.Override_Security_Level) + { + SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value); + } +#endif +#endif } if (verify_peer) 
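Review bot: `Override_Security_Level_Value` is read with CfgGetInt and later handed to `SSL_CTX_set_security_level`, which takes an int and meaningfully accepts only 0 to 5, with no range check here or at the use site in StartSSLEx (Network.c hunk @12138 of this commit); a UINT above INT_MAX typically converts to a negative int, and OpenSSL treats a non-positive level like an explicit 0, that is no strength restrictions at all. Clamp at load time, `if (c->SslAcceptSettings.Override_Security_Level_Value > 5) { c->SslAcceptSettings.Override_Security_Level_Value = 5; }`, and document next to the new SSL_ACCEPT_SETTINGS fields (Network.h hunk @148) that 0 disables every OpenSSL strength check, so an operator can see what the override costs. SiLoadServerCfg continues on both sides of the hunk.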
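Review bot: The `#if 0` block added to NewSslPipeEx references `sock->SslAcceptSettings`, but NewSslPipeEx has no `sock` parameter (its signature is visible in the hunk header), so this is dead code that would not compile if re-enabled, and the `// Cannot get config` comment confirms it is a reminder rather than a feature. Either thread the settings through, for instance with an `SSL_ACCEPT_SETTINGS *` argument on the NewSslPipeEx path, or drop the block and state in the header comment for Override_Security_Level that the override only applies to contexts built in StartSSLEx, so nobody assumes SSL pipes honour it. NewSslPipeEx continues past the hunk in both directions.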
@@ -12138,6 +12148,13 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname) } #endif // SSL_OP_NO_TLSv1_3 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (sock->SslAcceptSettings.Override_Security_Level) + { + SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value); + } +#endif + Unlock(openssl_lock); AddChainSslCertOnDirectory(ssl_ctx); Lock(openssl_lock); diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index 362882e4..bd4b535d 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h @@ -148,6 +148,8 @@ struct SSL_ACCEPT_SETTINGS bool Tls_Disable1_1; bool Tls_Disable1_2; bool Tls_Disable1_3; + bool Override_Security_Level; + UINT Override_Security_Level_Value; }; // Socket From c029b34b806b4fa05319e86c599b36cf63c3d707 Mon Sep 17 00:00:00 2001 From: Takuho NAKANO Date: Wed, 20 May 2020 11:59:36 +0900 Subject: [PATCH 5/5] Run SSL_CTX_set_ssl_version earlier SSL_CTX_set_ssl_version may change security level. --- src/Mayaqua/Network.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 9a0834d3..ed1e1c9a 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -16812,6 +16812,20 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode) { struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method()); + // It resets some parameters. + if (server_mode) + { + SSL_CTX_set_ssl_version(ctx, SSLv23_server_method()); + } + else + { + SSL_CTX_set_ssl_version(ctx, SSLv23_client_method()); + } + +#ifdef SSL_OP_NO_SSLv3 + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); +#endif // SSL_OP_NO_SSLv3 + #ifdef SSL_OP_NO_TICKET SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); #endif // SSL_OP_NO_TICKET 
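Review bot: The relocated `SSL_CTX_set_ssl_version` call is now the first use of `ctx` directly after `SSL_CTX_new`, with no NULL check between them in this hunk, and the call dereferences the context. A guard ahead of the new block, `if (ctx == NULL) { return NULL; }`, would stop that, if the callers of NewSSLCtx tolerate NULL. The comment `// It resets some parameters.` should say what is reset and why that fixes the order: in OpenSSL, SSL_CTX_set_ssl_version replaces the context's method and rebuilds its cipher list from the library defaults, so it must run before any further configuration of the context, which is exactly why this commit moves it ahead of the option calls. NewSSLCtx's remaining body, including the deletion in the next hunk, lies outside this hunk.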
@@ -16829,19 +16843,6 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode) SSL_CTX_set_ecdh_auto(ctx, 1); #endif // SSL_CTX_set_ecdh_auto - if (server_mode) - { - SSL_CTX_set_ssl_version(ctx, SSLv23_server_method()); - } - else - { - SSL_CTX_set_ssl_version(ctx, SSLv23_client_method()); - } - -#ifdef SSL_OP_NO_SSLv3 - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); -#endif // SSL_OP_NO_SSLv3 - return ctx; }