fedora crypto-policies: initial support.
philljj committed Nov 21, 2024
1 parent be70bea commit a29b79f
Showing 15 changed files with 1,461 additions and 113 deletions.
19 changes: 19 additions & 0 deletions configure.ac
Expand Up @@ -8905,6 +8905,25 @@ AC_ARG_WITH([libsuffix],
)
AC_SUBST(LIBSUFFIX)
# Support system wide crypto-policy file:
# - Pass path to your wolfssl.config system crypto-policy file.
# - Pass no argument to use default.
AC_ARG_WITH([sys-crypto-policy],
[AS_HELP_STRING([--with-sys-crypto-policy=PATH],[Support for system-wide crypto-policy file. (default: disabled)])],
[ SYS_CRYPTO_POLICY=$withval],
[ SYS_CRYPTO_POLICY=no ]
)
if test "$SYS_CRYPTO_POLICY" != "no"; then
if test "$SYS_CRYPTO_POLICY" = "yes"; then
# Default to the wolfssl fedora crypto-policy file.
SYS_CRYPTO_POLICY="/etc/crypto-policies/back-ends/wolfssl.config"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SYS_CRYPTO_POLICY"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CRYPTO_POLICY_FILE=\"$SYS_CRYPTO_POLICY\""
fi
AC_ARG_ENABLE([context-extra-user-data],
[AS_HELP_STRING([--enable-context-extra-user-data],[Enables option for storing user-defined data in TLS API contexts, with optional argument the number of slots to allocate (default: disabled)])],
[ ENABLED_EX_DATA=$enableval ],
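Review bot: The value of `--with-sys-crypto-policy=PATH` is spliced into AM_CFLAGS unchecked in the `-DWOLFSSL_CRYPTO_POLICY_FILE=\"$SYS_CRYPTO_POLICY\"` line, so a relative path is resolved against whatever working directory the process has at run time, and a value containing spaces or quotes silently breaks the macro definition. Requiring an absolute path before the definition, `case "$SYS_CRYPTO_POLICY" in /*) ;; *) AC_MSG_ERROR([--with-sys-crypto-policy requires an absolute path]) ;; esac`, closes the first problem, and defining the file path through AC_DEFINE_UNQUOTED instead of a hand-quoted CFLAGS entry avoids the second. The help string could also state the path that a bare `--with-sys-crypto-policy` selects, since that default is visible only in the shell branch: `[Support for system-wide crypto-policy file; PATH defaults to /etc/crypto-policies/back-ends/wolfssl.config when omitted. (default: disabled)]`.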
33 changes: 29 additions & 4 deletions examples/client/client.c
Expand Up @@ -1167,7 +1167,7 @@ static int ClientWriteRead(WOLFSSL* ssl, const char* msg, int msgSz,
/* 4. add the same message into Japanese section */
/* (will be translated later) */
/* 5. add printf() into suitable position of Usage() */
static const char* client_usage_msg[][77] = {
static const char* client_usage_msg[][78] = {
/* English */
{
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */
Expand Down Expand Up @@ -1403,9 +1403,12 @@ static const char* client_usage_msg[][77] = {
"--rpk Use RPK for the defined certificates\n", /* 74 */
#endif
"--files-are-der Specified files are in DER, not PEM format\n", /* 75 */
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
"--crypto-policy <path to crypto policy file>\n", /* 76 */
#endif
"\n"
"For simpler wolfSSL TLS client examples, visit\n"
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 76 */
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 77 */
NULL,
},
#ifndef NO_MULTIBYTE_PRINT
Expand Down Expand Up @@ -1648,10 +1651,13 @@ static const char* client_usage_msg[][77] = {
"--rpk Use RPK for the defined certificates\n", /* 74 */
#endif
"--files-are-der Specified files are in DER, not PEM format\n", /* 75 */
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
"--crypto-policy <path to crypto policy file>\n", /* 76 */
#endif
"\n"
"より簡単なwolfSSL TLS クライアントの例については"
"下記にアクセスしてください\n"
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 76 */
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 77 */
NULL,
},
#endif
Expand Down Expand Up @@ -2068,6 +2074,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
{ "rpk", 0, 267 },
#endif /* HAVE_RPK */
{ "files-are-der", 0, 268 },
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
{ "crypto-policy", 1, 269 },
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
{ 0, 0, 0 }
};
#endif
Expand Down Expand Up @@ -2212,6 +2221,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
int useRPK = 0;
#endif /* HAVE_RPK */
int fileFormat = WOLFSSL_FILETYPE_PEM;
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
const char * policy = NULL;
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */


char buffer[WOLFSSL_MAX_ERROR_SZ];

Expand Down Expand Up @@ -2931,6 +2944,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
case 268:
fileFormat = WOLFSSL_FILETYPE_ASN1;
break;
case 269:
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
policy = myoptarg;
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
break;

default:
Usage();
XEXIT_T(MY_EX_USAGE);
Expand Down Expand Up @@ -3158,6 +3177,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (method == NULL)
err_sys("unable to get method");

#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
if (policy != NULL) {
if (wolfSSL_crypto_policy_enable(policy) != WOLFSSL_SUCCESS) {
err_sys("wolfSSL_crypto_policy_enable failed");
}
}
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */

#ifdef WOLFSSL_STATIC_MEMORY
#if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_STATIC_MEMORY_LEAN)
Expand Down Expand Up @@ -4819,7 +4845,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
{
func_args args;


StartTCP();

#if defined(WOLFSSL_SRTP) && defined(WOLFSSL_COND)
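Review bot: `case 269:` in the option switch sits outside the `#if defined(WOLFSSL_SYS_CRYPTO_POLICY)` guard while the table entry that produces it, `{ "crypto-policy", 1, 269 }`, is inside the guard, so a build without the macro compiles an empty, unreachable case; moving `case 269:` and its `break;` inside the guard keeps the switch and the option table in step. The same shape appears in examples/server/server.c with `case 268:`. The block after the method check calls `wolfSSL_crypto_policy_enable(policy)` but nothing in these hunks releases the policy on the exit path; if the policy is process-wide state (the implementation is not visible here), repeated client_test runs in one process would carry it over, which deserves either a comment recording the intended lifetime or a matching disable call where the API provides one. client_test's body starts and ends outside these hunks.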
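--- a/examples/crypto_policies/default/wolfssl.txt
+++ b/examples/crypto_policies/default/wolfssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!aDSS:!3DES:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!MD5:!CAMELLIA:!ARIA:!AESCCM8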
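--- a/examples/crypto_policies/future/wolfssl.txt
+++ b/examples/crypto_policies/future/wolfssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=3:EECDH:EDH:PSK:DHEPSK:ECDHEPSK:!RSAPSK:!kRSA:!aDSS:!AES128:!SHA256:!3DES:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!SHA1:!MD5:!CAMELLIA:!ARIA:!AESCCM8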
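--- a/examples/crypto_policies/legacy/wolfssl.txt
+++ b/examples/crypto_policies/legacy/wolfssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=1:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!MD5:!CAMELLIA:!ARIA:!AESCCM8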
31 changes: 28 additions & 3 deletions examples/server/server.c
Expand Up @@ -872,7 +872,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
/* 4. add the same message into Japanese section */
/* (will be translated later) */
/* 5. add printf() into suitable position of Usage() */
static const char* server_usage_msg[][65] = {
static const char* server_usage_msg[][66] = {
/* English */
{
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */
Expand Down Expand Up @@ -1055,11 +1055,14 @@ static const char* server_usage_msg[][65] = {
#ifdef WOLFSSL_DUAL_ALG_CERTS
"--altPrivKey <file> Generate alternative signature with this key.\n",
/* 65 */
#endif
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
"--crypto-policy <path to crypto policy file>\n", /* 66 */
#endif
"\n"
"For simpler wolfSSL TLS server examples, visit\n"
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n",
/* 66 */
/* 67 */
NULL,
},
#ifndef NO_MULTIBYTE_PRINT
Expand Down Expand Up @@ -1260,12 +1263,15 @@ static const char* server_usage_msg[][65] = {
#ifdef WOLFSSL_DUAL_ALG_CERTS
"--altPrivKey <file> Generate alternative signature with this key.\n",
/* 65 */
#endif
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
"--crypto-policy <path to crypto policy file>\n", /* 66 */
#endif
"\n"
"より簡単なwolfSSL TSL クライアントの例については"
"下記にアクセスしてください\n"
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n",
/* 66 */
/* 67 */
NULL,
},
#endif
Expand Down Expand Up @@ -1544,6 +1550,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#ifdef WOLFSSL_DUAL_ALG_CERTS
{ "altPrivKey", 1, 267},
#endif
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
{ "crypto-policy", 1, 268 },
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
{ 0, 0, 0 }
};
#endif
Expand Down Expand Up @@ -1668,6 +1677,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#if defined(HAVE_CRL) && !defined(NO_FILESYSTEM)
char* crlDir = NULL;
#endif
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
const char * policy = NULL;
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */

#ifdef WOLFSSL_STATIC_MEMORY
/* Note: Actual memory used is much less, this is the entire buffer buckets,
Expand Down Expand Up @@ -2437,6 +2449,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
altPrivKey = myoptarg;
break;
#endif
case 268:
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
policy = myoptarg;
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
break;

case -1:
default:
Expand Down Expand Up @@ -2591,6 +2608,14 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
if (method == NULL)
err_sys_ex(runWithErrors, "unable to get method");

#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
if (policy != NULL) {
if (wolfSSL_crypto_policy_enable(policy) != WOLFSSL_SUCCESS) {
err_sys("wolfSSL_crypto_policy_enable failed");
}
}
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */

#ifdef WOLFSSL_STATIC_MEMORY
#if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_STATIC_MEMORY_LEAN)
/* print off helper buffer sizes for use with static memory
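Review bot: The failure path in the new policy block reports through `err_sys("wolfSSL_crypto_policy_enable failed")` while the check immediately above it uses `err_sys_ex(runWithErrors, "unable to get method")`, so this error bypasses whatever behaviour runWithErrors selects for the rest of server_test. If that is deliberate, i.e. the server must never continue with a requested policy that could not be applied, a one-line comment such as `/* fail closed: never run with an unapplied crypto policy, regardless of runWithErrors */` records the intent; otherwise the call should read `err_sys_ex(runWithErrors, "wolfSSL_crypto_policy_enable failed");` to match its neighbour. server_test's body starts and ends outside the hunk.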