Update OpenSSL version and change sig algs

While the PSK cipher suites do not use any ECDHE/RSA signatures, in the
future someone may change the code. In that case, as a robustness
measure, already set the acceptable signature algorithms now.
Additionally upgrade to OpenSSL v1.1.0e and add a comment as a reminder to
include X448 once it becomes available for TLS ECDHE (it's not yet,
unfortunately).
Johannes Bauer 2017-03-07 21:40:21 +01:00
parent 8f2dabc053
commit 8b892e3347
3 changed files with 11 additions and 7 deletions


@ -2,7 +2,7 @@
all: luksrku luksrku-config
INSTALL_PREFIX := /usr/local/
OPENSSL_DIR := `pwd`/openssl-1.1.0b/
OPENSSL_DIR := `pwd`/openssl-1.1.0e/
#OPENSSL_DIR := /home/joe/openssl/
#LIBDIR := /usr/lib/x86_64-linux-gnu/
LIBDIR := $(OPENSSL_DIR)


@ -2,7 +2,7 @@
#
#
VERSION="1.1.0b"
VERSION="1.1.0e"
URL="https://www.openssl.org/source/openssl-${VERSION}.tar.gz"
LOCAL_TARGZ="openssl-${VERSION}.tar.gz"
LOCAL_DIR="openssl-${VERSION}"


@ -79,16 +79,20 @@ bool create_generic_ssl_context(struct generic_ssl_ctx_t *gctx, bool server) {
return false;
}
if (!SSL_CTX_set_max_proto_version(gctx->ctx, TLS1_2_VERSION)) {
log_openssl(LLVL_FATAL, "Cannot set SSL generic context maximal version.");
return false;
}
if (!SSL_CTX_set_cipher_list(gctx->ctx, "ECDHE-PSK-CHACHA20-POLY1305")) {
log_openssl(LLVL_FATAL, "Cannot set SSL generic context cipher suites.");
return false;
}
/* In the cipher suite we're using, none of these should be used anyways
* (PSK); however for the future we want to have proper crypto here as
* well. */
if (!SSL_CTX_set1_sigalgs_list(gctx->ctx, "ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA512:RSA+SHA512")) {
log_openssl(LLVL_FATAL, "Cannot set SSL signature algorithms.");
return false;
}
/* TODO: When X448 becomes available, include it here. */
if (!SSL_CTX_set1_curves_list(gctx->ctx, "X25519")) {
log_openssl(LLVL_FATAL, "Cannot set SSL generic context ECDHE curves.");
return false;