AMajor/SoftEtherVPN
1
0
Fork 0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-22 17:39:53 +03:00
Code Releases Activity

Merge PR #1235: Manage security level

Browse Source
This commit is contained in:
Davide Beatrici 2020-10-31 22:12:08 +01:00 committed by GitHub
commit fffed52f3b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 75 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/Cedar/Command.c
View File

@ -67,13 +67,26 @@ void CheckNetworkListenThread(THREAD *thread, void *param)
{ {
CHECK_NETWORK_1 *c = (CHECK_NETWORK_1 *)param; CHECK_NETWORK_1 *c = (CHECK_NETWORK_1 *)param;
SOCK *s; SOCK *s;
UINT i; UINT i, rsa_bits = 1024;
K *pub, *pri; K *pub, *pri;
X *x; X *x;
LIST *o = NewList(NULL); LIST *o = NewList(NULL);
NAME *name = NewName(L"Test", L"Test", L"Test", L"JP", L"Ibaraki", L"Tsukuba"); NAME *name = NewName(L"Test", L"Test", L"Test", L"JP", L"Ibaraki", L"Tsukuba");
RsaGen(&pri, &pub, 1024); // Set RSA bits considering OpenSSL security Level
// Security level 4 needs 7680 bits
switch (GetOSSecurityLevel())
{
case 2:
rsa_bits = 2048;
break;
case 3:
rsa_bits = 4096;
break;
default:
break;
}
RsaGen(&pri, &pub, rsa_bits);
x = NewRootX(pub, pri, name, 1000, NULL); x = NewRootX(pub, pri, name, 1000, NULL);
FreeName(name); FreeName(name);

4
src/Cedar/Server.c
View File

@ -5931,6 +5931,8 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1"); c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2"); c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
c->SslAcceptSettings.Tls_Disable1_3 = CfgGetBool(f, "Tls_Disable1_3"); c->SslAcceptSettings.Tls_Disable1_3 = CfgGetBool(f, "Tls_Disable1_3");
c->SslAcceptSettings.Override_Security_Level = CfgGetBool(f, "Override_Security_Level");
c->SslAcceptSettings.Override_Security_Level_Value = CfgGetInt(f, "Override_Security_Level_Value");
s->StrictSyslogDatetimeFormat = CfgGetBool(f, "StrictSyslogDatetimeFormat"); s->StrictSyslogDatetimeFormat = CfgGetBool(f, "StrictSyslogDatetimeFormat");
@ -6256,6 +6258,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1); CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2); CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
CfgAddBool(f, "Tls_Disable1_3", c->SslAcceptSettings.Tls_Disable1_3); CfgAddBool(f, "Tls_Disable1_3", c->SslAcceptSettings.Tls_Disable1_3);
CfgAddBool(f, "Override_Security_Level", c->SslAcceptSettings.Override_Security_Level);
CfgAddInt(f, "Override_Security_Level_Value", c->SslAcceptSettings.Override_Security_Level_Value);
CfgAddInt(f, "DhParamBits", c->DhParamBits); CfgAddInt(f, "DhParamBits", c->DhParamBits);
// Disable session reconnect // Disable session reconnect

81
src/Mayaqua/Network.c
View File

@ -5737,12 +5737,6 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
{ {
if (server_mode) if (server_mode)
{ {
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); // For some reason pppd under linux doesn't like it SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); // For some reason pppd under linux doesn't like it
#endif #endif
@ -5753,10 +5747,16 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
{ {
SSL_CTX_set_tmp_dh(ssl_ctx, dh->dh); SSL_CTX_set_tmp_dh(ssl_ctx, dh->dh);
} }
}
else #if 0
// Cannot get config
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (sock->SslAcceptSettings.Override_Security_Level)
{ {
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method()); SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
}
#endif
#endif
} }
if (verify_peer) if (verify_peer)
@ -12120,12 +12120,6 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
{ {
if (sock->ServerMode) if (sock->ServerMode)
{ {
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
#ifdef SSL_OP_NO_TLSv1 #ifdef SSL_OP_NO_TLSv1
if (sock->SslAcceptSettings.Tls_Disable1_0) if (sock->SslAcceptSettings.Tls_Disable1_0)
{ {
@ -12154,18 +12148,17 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
} }
#endif // SSL_OP_NO_TLSv1_3 #endif // SSL_OP_NO_TLSv1_3
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (sock->SslAcceptSettings.Override_Security_Level)
{
SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
}
#endif
Unlock(openssl_lock); Unlock(openssl_lock);
AddChainSslCertOnDirectory(ssl_ctx); AddChainSslCertOnDirectory(ssl_ctx);
Lock(openssl_lock); Lock(openssl_lock);
} }
else
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
}
sock->ssl = SSL_new(ssl_ctx); sock->ssl = SSL_new(ssl_ctx);
SSL_set_fd(sock->ssl, (int)sock->socket); SSL_set_fd(sock->ssl, (int)sock->socket);
@ -16819,6 +16812,20 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)
{ {
struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method()); struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
// It resets some parameters.
if (server_mode)
{
SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
}
else
{
SSL_CTX_set_ssl_version(ctx, SSLv23_client_method());
}
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
#ifdef SSL_OP_NO_TICKET #ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
#endif // SSL_OP_NO_TICKET #endif // SSL_OP_NO_TICKET
@ -16851,6 +16858,28 @@ void FreeSSLCtx(struct ssl_ctx_st *ctx)
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
} }
// Get OS (maximum) Security Level
UINT GetOSSecurityLevel()
{
UINT security_level_new = 0, security_level_set_ssl_version = 0;
struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
security_level_new = SSL_CTX_get_security_level(ctx);
#endif
security_level_set_ssl_version = SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
FreeSSLCtx(ctx);
if(security_level_new >= security_level_set_ssl_version)
{
return security_level_new;
}
return security_level_set_ssl_version;
}
// The number of get ip threads // The number of get ip threads
void SetGetIpThreadMaxNum(UINT num) void SetGetIpThreadMaxNum(UINT num)
{ {
@ -16966,12 +16995,6 @@ TOKEN_LIST *GetCipherList()
return ciphers; return ciphers;
} }
SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
#endif
ssl = SSL_new(ctx); ssl = SSL_new(ctx);
if (ssl == NULL) if (ssl == NULL)
{ {

3
src/Mayaqua/Network.h
View File

@ -148,6 +148,8 @@ struct SSL_ACCEPT_SETTINGS
bool Tls_Disable1_1; bool Tls_Disable1_1;
bool Tls_Disable1_2; bool Tls_Disable1_2;
bool Tls_Disable1_3; bool Tls_Disable1_3;
bool Override_Security_Level;
UINT Override_Security_Level_Value;
}; };
// Socket // Socket
@ -1448,6 +1450,7 @@ void RefreshLocalMacAddressList();
struct ssl_ctx_st *NewSSLCtx(bool server_mode); struct ssl_ctx_st *NewSSLCtx(bool server_mode);
void FreeSSLCtx(struct ssl_ctx_st *ctx); void FreeSSLCtx(struct ssl_ctx_st *ctx);
UINT GetOSSecurityLevel();
void SetCurrentDDnsFqdn(char *name); void SetCurrentDDnsFqdn(char *name);
void GetCurrentDDnsFqdn(char *name, UINT size); void GetCurrentDDnsFqdn(char *name, UINT size);