authorJackLivio <jack@livio.io>2021-04-14 12:03:05 -0400
committerGitHub <noreply@github.com>2021-04-14 12:03:05 -0400
commit0a18698549da1b9f1e78cdc65d8708fc0a3fb59a (patch)
treed1edf191cd433ad81244b4bcc1e2cb8b9c585d29 /src/components/security_manager/src
parenta0e93bb70e0e3bce3b727e2fb06f39847d3b23bd (diff)
parent9fb349ea44547a05f812817c2221f88ef99f5a56 (diff)
Merge pull request #3669 from smartdevicelink/release/7.1.0-RC17.1.0release/7.1.0
Release 7.1.0
Diffstat (limited to 'src/components/security_manager/src')
-rw-r--r--src/components/security_manager/src/crypto_manager_impl.cc44
-rw-r--r--src/components/security_manager/src/security_manager_impl.cc2
-rw-r--r--src/components/security_manager/src/ssl_context_impl.cc13
3 files changed, 48 insertions, 11 deletions
diff --git a/src/components/security_manager/src/crypto_manager_impl.cc b/src/components/security_manager/src/crypto_manager_impl.cc
index b4b4d01485..717991cf5c 100644
--- a/src/components/security_manager/src/crypto_manager_impl.cc
+++ b/src/components/security_manager/src/crypto_manager_impl.cc
@@ -36,20 +36,21 @@
#include <openssl/err.h>
#include <openssl/pkcs12.h>
#include <openssl/ssl.h>
-
#include <stdio.h>
+
#include <algorithm>
#include <ctime>
#include <fstream>
#include <iostream>
-#include "security_manager/security_manager.h"
+#include "security_manager/security_manager.h"
#include "utils/atomic.h"
#include "utils/date_time.h"
#include "utils/logger.h"
#include "utils/macro.h"
#include "utils/scope_guard.h"
+#define OPENSSL1_1_VERSION 0x1010000fL
#define TLS1_1_MINIMAL_VERSION 0x1000103fL
#define CONST_SSL_METHOD_MINIMAL_VERSION 0x00909000L
@@ -170,11 +171,17 @@ bool CryptoManagerImpl::Init() {
#else
SDL_LOG_DEBUG("SSLv3 is used");
method = is_server ? SSLv3_server_method() : SSLv3_client_method();
+ SSL_CTX_set_max_proto_version(context_, SSL3_VERSION);
break;
#endif
case TLSv1:
SDL_LOG_DEBUG("TLSv1 is used");
+#if OPENSSL_VERSION_NUMBER < OPENSSL1_1_VERSION
method = is_server ? TLSv1_server_method() : TLSv1_client_method();
+#else
+ method = is_server ? TLS_server_method() : TLS_client_method();
+ SSL_CTX_set_max_proto_version(context_, TLS1_VERSION);
+#endif
break;
case TLSv1_1:
SDL_LOG_DEBUG("TLSv1_1 is used");
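Review bot: `SSL_CTX_set_max_proto_version(context_, ...)` at L50 and L59 (and in the TLSv1_1, TLSv1_2 and DTLSv1 branches of the next two hunks) runs inside the switch that merely picks `method`, and the hunk does not show `context_` being created here; if the context is still built from `method` after the switch, as the `ScopeGuard` over `&context_` at the start of the later hunk suggests, these calls hit either a NULL pointer (`SSL_CTX_ctrl` dereferences it) or a stale context that is about to be replaced, and the cap never reaches the context actually used. On OpenSSL 1.1 and later the generic `TLS_server_method()`/`TLS_client_method()` then negotiates any version the library enables, including TLS 1.3, which contradicts the "TLS 1.2 is the max" comment added later in this file and lets the configured protocol setting silently mean something else. Keep the selection in the switch but defer the call: `int max_version = TLS1_VERSION;` per branch, then once after the context exists, `SSL_CTX_set_max_proto_version(context_, max_version);` under the same OpenSSL version guard, checking its return value. Init() continues outside the hunk.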
@@ -182,8 +189,11 @@ bool CryptoManagerImpl::Init() {
SDL_LOG_WARN(
"OpenSSL has no TLSv1.1 with version lower 1.0.1, set TLSv1.0");
method = is_server ? TLSv1_server_method() : TLSv1_client_method();
-#else
+#elif OPENSSL_VERSION_NUMBER < OPENSSL1_1_VERSION
method = is_server ? TLSv1_1_server_method() : TLSv1_1_client_method();
+#else
+ method = is_server ? TLS_server_method() : TLS_client_method();
+ SSL_CTX_set_max_proto_version(context_, TLS1_1_VERSION);
#endif
break;
case TLSv1_2:
@@ -192,13 +202,21 @@ bool CryptoManagerImpl::Init() {
SDL_LOG_WARN(
"OpenSSL has no TLSv1.2 with version lower 1.0.1, set TLSv1.0");
method = is_server ? TLSv1_server_method() : TLSv1_client_method();
-#else
+#elif OPENSSL_VERSION_NUMBER < OPENSSL1_1_VERSION
method = is_server ? TLSv1_2_server_method() : TLSv1_2_client_method();
+#else
+ method = is_server ? TLS_server_method() : TLS_client_method();
+ SSL_CTX_set_max_proto_version(context_, TLS1_2_VERSION);
#endif
break;
case DTLSv1:
SDL_LOG_DEBUG("DTLSv1 is used");
+#if OPENSSL_VERSION_NUMBER < OPENSSL1_1_VERSION
method = is_server ? DTLSv1_server_method() : DTLSv1_client_method();
+#else
+ method = is_server ? DTLS_server_method() : DTLS_client_method();
+ SSL_CTX_set_max_proto_version(context_, DTLS1_VERSION);
+#endif
break;
default:
SDL_LOG_ERROR("Unknown protocol: "
@@ -213,6 +231,7 @@ bool CryptoManagerImpl::Init() {
utils::ScopeGuard guard = utils::MakeGuard(free_ctx, &context_);
// Disable SSL2 as deprecated
+ // TLS 1.2 is the max supported TLS version for SDL
SSL_CTX_set_options(context_, SSL_OP_NO_SSLv2);
SaveCertificateData(get_settings().certificate_data());
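Review bot: The comment added at L103, `TLS 1.2 is the max supported TLS version for SDL`, is placed directly above `SSL_CTX_set_options(context_, SSL_OP_NO_SSLv2)`, which only disables SSLv2 and says nothing about an upper bound; nothing in this hunk enforces a TLS 1.2 ceiling, so the comment documents a constraint the code at that spot does not establish. Either move the sentence next to the code that actually sets the maximum protocol version, or make it true here, where `context_` is guaranteed to exist, by applying the per-protocol cap chosen in the switch above at this point. As written, a reader auditing the TLS configuration will conclude the ceiling is set when it may not be. Init() continues outside the hunk.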
@@ -221,14 +240,31 @@ bool CryptoManagerImpl::Init() {
SDL_LOG_WARN("Empty ciphers list");
} else {
SDL_LOG_DEBUG("Cipher list: " << get_settings().ciphers_list());
+ // If using openssl 1.1.1, this method may always return true
+ // https://github.com/openssl/openssl/issues/7196#issue-359287519
if (!SSL_CTX_set_cipher_list(context_,
get_settings().ciphers_list().c_str())) {
SDL_LOG_ERROR(
"Could not set cipher list: " << get_settings().ciphers_list());
return false;
}
+#if OPENSSL_VERSION_NUMBER > OPENSSL1_1_VERSION
+ auto sk = SSL_CTX_get_ciphers(context_);
+ const char* p;
+ for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
+ const SSL_CIPHER* c = sk_SSL_CIPHER_value(sk, i);
+ p = SSL_CIPHER_get_name(c);
+ if (p == NULL)
+ break;
+ SDL_LOG_DEBUG("Using Cipher: " << p);
+ }
+#endif
}
+#if OPENSSL_VERSION_NUMBER >= OPENSSL1_1_VERSION
+ SSL_CTX_set_security_level(context_, get_settings().security_level());
+#endif
+
if (get_settings().ca_cert_path().empty()) {
SDL_LOG_WARN("Setting up empty CA certificate location");
}
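Review bot: The guard at L118 uses `> OPENSSL1_1_VERSION` while the `SSL_CTX_set_security_level` guard at L130 uses `>=`; both `SSL_CTX_get_ciphers` and `SSL_CTX_set_security_level` are available from 1.1.0, so the two conditions should agree, `#if OPENSSL_VERSION_NUMBER >= OPENSSL1_1_VERSION`. The new comment at L110 says `SSL_CTX_set_cipher_list` may always return true on 1.1.1, but the enumeration that follows only logs the resulting stack, so on that version the existing `return false` path can no longer reject a configured list that matches no pre-TLS-1.3 suite, and the context is left usable with only the library's default TLS 1.3 suites rather than the operator's list. Add a check after the loop, `if (sk_SSL_CIPHER_num(sk) <= 0) { SDL_LOG_ERROR("No ciphers match the configured list"); return false; }` (`sk_SSL_CIPHER_num` returns -1 for a NULL stack, hence `<= 0`); note that a 1.1.1 stack may still contain the TLS 1.3 suites, so this check is only fully effective together with a working maximum-version cap. The `const char* p` at L120 can be declared inside the loop as `const char* const name`, and `NULL` can be `nullptr`. Init() continues outside the hunk.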
diff --git a/src/components/security_manager/src/security_manager_impl.cc b/src/components/security_manager/src/security_manager_impl.cc
index 1bf10c4f7c..914d30003a 100644
--- a/src/components/security_manager/src/security_manager_impl.cc
+++ b/src/components/security_manager/src/security_manager_impl.cc
@@ -425,7 +425,7 @@ void SecurityManagerImpl::ProcessFailedPTU() {
}
}
-#ifdef EXTERNAL_PROPRIETARY_MODE
+#if defined(EXTERNAL_PROPRIETARY_MODE) && defined(ENABLE_SECURITY)
void SecurityManagerImpl::ProcessFailedCertDecrypt() {
SDL_LOG_AUTO_TRACE();
{
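Review bot: `ProcessFailedCertDecrypt` is now only compiled when both `EXTERNAL_PROPRIETARY_MODE` and `ENABLE_SECURITY` are defined, but the hunk does not show the declaration in the header or the matching `#endif`; if the header or any caller still guards on `EXTERNAL_PROPRIETARY_MODE` alone, a build with that mode but without `ENABLE_SECURITY` will fail at link time with an undefined reference rather than at compile time. Confirm the declaration's guard was changed in step, and add a comment on the new `#if` line, `// keep in sync with the guard around the declaration in the header`. The function body starts here and continues outside the hunk.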
diff --git a/src/components/security_manager/src/ssl_context_impl.cc b/src/components/security_manager/src/ssl_context_impl.cc
index 5d151e854a..1c8b009097 100644
--- a/src/components/security_manager/src/ssl_context_impl.cc
+++ b/src/components/security_manager/src/ssl_context_impl.cc
@@ -131,6 +131,8 @@ CryptoManagerImpl::SSLContextImpl::create_max_block_sizes() {
rc.insert(std::make_pair("AES128-SHA", seed_sha_max_block_size));
rc.insert(
std::make_pair("AES256-GCM-SHA384", aes128_gcm_sha256_max_block_size));
+ rc.insert(std::make_pair("ECDHE-RSA-AES256-GCM-SHA384",
+ aes128_gcm_sha256_max_block_size));
rc.insert(std::make_pair("AES256-SHA256", aes128_sha256_max_block_size));
rc.insert(std::make_pair("AES256-SHA", seed_sha_max_block_size));
rc.insert(std::make_pair("CAMELLIA128-SHA", seed_sha_max_block_size));
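Review bot: The new entry maps `ECDHE-RSA-AES256-GCM-SHA384` to `aes128_gcm_sha256_max_block_size`, mirroring the `AES256-GCM-SHA384` line above it, but neither line says why a constant named for AES-128/SHA-256 applies to an AES-256/SHA-384 suite, so a reader will reasonably suspect a copy-paste error. The per-record overhead of an AES-GCM suite is the explicit nonce plus the authentication tag and does not depend on key size, and the SHA256/SHA384 suffix names the PRF rather than a MAC, so all AES-GCM suites share one overhead. Add that above the GCM entries, e.g. `// All AES-GCM suites share one overhead (explicit nonce + 16-byte tag); the SHA256/SHA384 suffix is only the PRF`. Whether the ECDSA and AES-128 ECDHE variants that a cipher list may negotiate also need entries depends on what a lookup miss does, which is outside this hunk. create_max_block_sizes() continues outside the hunk.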
@@ -522,16 +524,15 @@ bool CryptoManagerImpl::SSLContextImpl::Decrypt(const uint8_t* const in_data,
size_t CryptoManagerImpl::SSLContextImpl::get_max_block_size(size_t mtu) const {
SDL_LOG_AUTO_TRACE();
+ const auto max_allowed_block_size =
+ mtu > SSL3_RT_MAX_PLAIN_LENGTH ? SSL3_RT_MAX_PLAIN_LENGTH : mtu;
if (!max_block_size_) {
// FIXME(EZamakhov): add correct logics for TLS1/1.2/SSL3
// For SSL3.0 set temporary value 90, old TLS1.2 value is 29
- assert(mtu > 90);
- return mtu - 90;
+ assert(max_allowed_block_size > 90);
+ return max_allowed_block_size - 90;
}
- const auto max_allowed_block_size =
- mtu > SSL3_RT_MAX_PLAIN_LENGTH ? SSL3_RT_MAX_PLAIN_LENGTH : mtu;
-
return max_block_size_(max_allowed_block_size);
}
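Review bot: The guard at L172 is an `assert`, which is compiled out in NDEBUG builds; without it an `mtu` of 90 or less makes `max_allowed_block_size - 90` wrap, since both operands are `size_t`, and a value near `SIZE_MAX` is returned as a usable block size. Replace the assert with a runtime check, `if (max_allowed_block_size <= 90) { SDL_LOG_ERROR("MTU too small for a TLS record: " << mtu); return 0; }`, or whatever value the callers of get_max_block_size already treat as "cannot send", so the fallback path can never yield a wrapped size. Moving the clamp to `SSL3_RT_MAX_PLAIN_LENGTH` ahead of the fallback branch appears to be the change's intent and is fine; it just makes the unsigned underflow on tiny MTUs the remaining hole.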
@@ -588,7 +589,7 @@ void CryptoManagerImpl::SSLContextImpl::ResetConnection() {
SSL_shutdown(connection_);
}
SDL_LOG_DEBUG("SSL connection recreation");
- SSL_CTX* ssl_context = connection_->ctx;
+ SSL_CTX* ssl_context = SSL_get_SSL_CTX(connection_);
SSL_free(connection_);
connection_ = SSL_new(ssl_context);
if (mode_ == SERVER) {
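Review bot: `SSL_new(ssl_context)` at L187 can return NULL on allocation failure, and the next line goes straight on to use `connection_`; the replaced `connection_->ctx` access had the same gap, so the commit does not introduce it, but it is cheap to close while touching this line: `if (!connection_) { SDL_LOG_ERROR("SSL_new failed"); return; }` directly after the assignment. Note also that `SSL_get_SSL_CTX` returns a borrowed pointer and `SSL_free` drops the SSL object's own reference to the context, so the pointer remains valid across the free only because the owning CryptoManagerImpl presumably holds its own reference in `context_`; a one-line comment recording that assumption would help, e.g. `// borrowed: kept alive by CryptoManagerImpl::context_, not by this SSL object`. ResetConnection() starts and ends outside the hunk.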