The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
Adds initial support for Fedora and Redhat system-wide crypto-policies.
The idea is that at runtime a system-wide crypto-policy config file is loaded that sets minimum security limits on:
key sizes
tls methods
allowed ciphers
Fixes zd#18593.
Build with --with-sys-crypto-policy, or --with-sys-crypto-policy=<path>. If no arg is given, then /etc/crypto-policies/back-ends/wolfssl.config is used as default.
Requires enable-distro.
crypto-policy API
wolfSSL_crypto_policy_enable
wolfSSL_crypto_policy_enable_buffer
wolfSSL_crypto_policy_disable
wolfSSL_crypto_policy_is_enabled
wolfSSL_crypto_policy_get_ciphers
wolfSSL_crypto_policy_get_level
Enable with wolfSSL_crypto_policy_enable or wolfSSL_crypto_policy_enable_buffer. Once enabled, newly instantiated WOLFSSL_CTX objects inherit the policy's parameters. Attempts to call APIs such as wolfSSL_CTX_set_cipher_list will return CRYPTO_POLICY_FORBIDDEN.
The crypto-policy API is not thread safe, and should only be used during program init.
Testing
Added new unit tests:
test_wolfSSL_crypto_policy
test_wolfSSL_crypto_policy_certs_and_keys
test_wolfSSL_crypto_policy_tls_methods
test_wolfSSL_crypto_policy_ciphers
Config
Added three example crypto-policy configs here:
examples/crypto_policies/future/wolfssl.txt
examples/crypto_policies/default/wolfssl.txt
examples/crypto_policies/legacy/wolfssl.txt
Examples
The example client and server were updated to take a crypto-policy file as an argument.
E.g. if you run the example client with the future policy it will fail, because the future policy requires a minimum RSA key size of 3072 bits and the example's default certificate uses 2048:
./examples/client/client --crypto-policy examples/crypto_policies/future/wolfssl.txt
...
Cert signature not supported
...
wolfSSL Leaving ProcessBuffer, return -409
wolfSSL Entering wolfSSL_CTX_free
CTX ref count down to 0, doing full free
...
wolfSSL Leaving wolfSSL_CTX_free, return 0
wolfSSL error: can't load client cert file, check file and run from wolfSSL home dir
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfSSL_crypto_policy_disable
wolfSSL Entering wolfCrypt_Cleanup