From 8b892e33477cfd3840f4a068c5107d23417e812a Mon Sep 17 00:00:00 2001 From: Johannes Bauer Date: Tue, 7 Mar 2017 21:40:21 +0100 Subject: [PATCH] Update OpenSSL version and change sig algs While the PSK cipher suites do not use any ECDHE/RSA signatures, in the future someone may change the code. In that case, as a robustness measure, already set the acceptable signature algorithms now. Additionally upgrade to OpenSSL v1.1.0e and include the comment to include X448 once it becomes available for TLS ECDHE (it's not yet, unfortunately). --- Makefile | 2 +- build_openssl | 2 +- openssl.c | 14 +++++++++----- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index edb7312..6c673f5 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ all: luksrku luksrku-config INSTALL_PREFIX := /usr/local/ -OPENSSL_DIR := `pwd`/openssl-1.1.0b/ +OPENSSL_DIR := `pwd`/openssl-1.1.0e/ #OPENSSL_DIR := /home/joe/openssl/ #LIBDIR := /usr/lib/x86_64-linux-gnu/ LIBDIR := $(OPENSSL_DIR) diff --git a/build_openssl b/build_openssl index 8309c88..5d298d8 100755 --- a/build_openssl +++ b/build_openssl @@ -2,7 +2,7 @@ # # -VERSION="1.1.0b" +VERSION="1.1.0e" URL="https://www.openssl.org/source/openssl-${VERSION}.tar.gz" LOCAL_TARGZ="openssl-${VERSION}.tar.gz" LOCAL_DIR="openssl-${VERSION}" diff --git a/openssl.c b/openssl.c index 18fe774..06bd5d0 100644 --- a/openssl.c +++ b/openssl.c 
@@ -78,17 +78,21 @@ bool create_generic_ssl_context(struct generic_ssl_ctx_t *gctx, bool server) { log_openssl(LLVL_FATAL, "Cannot set SSL generic context minimal version."); return false; } - - if (!SSL_CTX_set_max_proto_version(gctx->ctx, TLS1_2_VERSION)) { - log_openssl(LLVL_FATAL, "Cannot set SSL generic context maximal version."); - return false; - } if (!SSL_CTX_set_cipher_list(gctx->ctx, "ECDHE-PSK-CHACHA20-POLY1305")) { log_openssl(LLVL_FATAL, "Cannot set SSL generic context cipher suites."); return false; } + /* In the cipher suite we're using, none of these should be used anyways + * (PSK); however for the future we want to have proper crypto here as + * well. */ + if (!SSL_CTX_set1_sigalgs_list(gctx->ctx, "ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA512:RSA+SHA512")) { + log_openssl(LLVL_FATAL, "Cannot set SSL signature algorithms."); + return false; + } + + /* TODO: When X448 becomes available, include it here. */ if (!SSL_CTX_set1_curves_list(gctx->ctx, "X25519")) { log_openssl(LLVL_FATAL, "Cannot set SSL generic context ECDHE curves."); return false;
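Review bot: The hunk drops the `SSL_CTX_set_max_proto_version(gctx->ctx, TLS1_2_VERSION)` pin without the commit message saying why, and nothing in the new code replaces it. With the bundled OpenSSL 1.1.0e this is harmless, since that release tops out at TLS 1.2, but the Makefile still carries commented-out `OPENSSL_DIR`/`LIBDIR` alternatives, and a TLS 1.3 capable library would then be free to negotiate it. `SSL_CTX_set_cipher_list` only governs suites for TLS 1.2 and earlier, so the single `ECDHE-PSK-CHACHA20-POLY1305` restriction would presumably no longer bound what the handshake selects. I would either keep the pin or leave a comment at that spot, such as `/* No max version: revisit cipher/PSK setup before linking a TLS 1.3 capable OpenSSL. */`. create_generic_ssl_context begins before and continues past this hunk, so whether a cap is set elsewhere in the function cannot be confirmed from here.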