fedora crypto-policies: initial support.

wolfSSL · Nov 20, 2024 · 07cca1e · 07cca1e
1 parent 42825e8
commit 07cca1e
Show file tree

Hide file tree

Showing 15 changed files with 1,427 additions and 115 deletions.
diff --git a/configure.ac b/configure.ac
@@ -8905,6 +8905,25 @@ AC_ARG_WITH([libsuffix],
 )
 AC_SUBST(LIBSUFFIX)
 
+# Support system wide crypto-policy file:
+#   - Pass path to your wolfssl.config system crypto-policy file.
+#   - Pass no argument to use default.
+AC_ARG_WITH([sys-crypto-policy],
+    [AS_HELP_STRING([--with-sys-crypto-policy=PATH],[Support for system-wide crypto-policy file. (default: disabled)])],
+    [ SYS_CRYPTO_POLICY=$withval],
+    [ SYS_CRYPTO_POLICY=no ]
+    )
+
+if test "$SYS_CRYPTO_POLICY" != "no"; then
+    if test "$SYS_CRYPTO_POLICY" == "yes"; then
+        # Default to the wolfssl fedora crypto-policy file.
+        SYS_CRYPTO_POLICY="/etc/crypto-policies/back-ends/wolfssl.config"
+    fi
+
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SYS_CRYPTO_POLICY"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CRYPTO_POLICY_FILE=\"$SYS_CRYPTO_POLICY\""
+fi
+
 AC_ARG_ENABLE([context-extra-user-data],
     [AS_HELP_STRING([--enable-context-extra-user-data],[Enables option for storing user-defined data in TLS API contexts, with optional argument the number of slots to allocate (default: disabled)])],
     [ ENABLED_EX_DATA=$enableval ],

diff --git a/examples/client/client.c b/examples/client/client.c
@@ -4818,6 +4818,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     int main(int argc, char** argv)
     {
         func_args args;
+#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
+        const char * policy = "examples/crypto_policies/default/wolfssl.txt";
+#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 
 
         StartTCP();
@@ -4833,6 +4836,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         wolfSSL_Debugging_ON();
 #endif
         wolfSSL_Init();
+#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
+        if (wolfSSL_crypto_policy_enable(policy) != WOLFSSL_SUCCESS) {
+            fprintf(stderr, "crypto_policy_enable failed\n");
+            wolfSSL_Cleanup();
+            return EXIT_FAILURE;
+        }
+#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
         ChangeToWolfRoot();
 
 #ifndef NO_WOLFSSL_CLIENT

diff --git a/examples/crypto_policies/default/wolfssl.txt b/examples/crypto_policies/default/wolfssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!aDSS:!3DES:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!MD5:!SHA384:!CAMELLIA:!ARIA:!AESCCM8
diff --git a/examples/crypto_policies/future/wolfssl.txt b/examples/crypto_policies/future/wolfssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=3:EECDH:EDH:PSK:DHEPSK:ECDHEPSK:!RSAPSK:!RSA:!aDSS:!AES128:!SHA256:!3DES:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!SHA1:!MD5:!SHA384:!CAMELLIA:!ARIA:!AESCCM8
diff --git a/examples/crypto_policies/legacy/wolfssl.txt b/examples/crypto_policies/legacy/wolfssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=1:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!MD5:!SHA384:!CAMELLIA:!ARIA:!AESCCM8
diff --git a/examples/server/server.c b/examples/server/server.c
@@ -3995,6 +3995,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
     {
         func_args args;
         tcp_ready ready;
+#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
+        const char * policy = "examples/crypto_policies/default/wolfssl.txt";
+#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 
         StartTCP();
 
@@ -4014,6 +4017,13 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #ifdef WC_RNG_SEED_CB
         wc_SetSeed_Cb(wc_GenerateSeed);
 #endif
+#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
+        if (wolfSSL_crypto_policy_enable(policy) != WOLFSSL_SUCCESS) {
+            fprintf(stderr, "crypto_policy_enable failed\n");
+            wolfSSL_Cleanup();
+            return EXIT_FAILURE;
+        }
+#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
         ChangeToWolfRoot();
 
 #ifndef NO_WOLFSSL_SERVER