sscg 3.0

.github/workflows/ci.yaml

@@ -1,17 +1,23 @@
 name: Continuous Integration
 
 on:
-  - push
-  - pull_request
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
 
 jobs:
   ubuntu:
     name: Ubuntu
     runs-on: ${{ matrix.os }}
+    continue-on-error: true
     strategy:
       matrix:
         os:
-          - ubuntu-18.04
+#         https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1936975
+#         - ubuntu-18.04
           - ubuntu-20.04
         compiler:
           - gcc
@@ -33,7 +39,7 @@ jobs:
 
     - name: Configure build directory
       run: |
-        CC=${{ matrix.compiler}} meson -Drun_slow_tests=true ${{ matrix.os }}
+        CC=${{ matrix.compiler}} meson ${{ matrix.os }}
 
     - name: Build SSCG
       run: |
@@ -75,9 +81,9 @@ jobs:
     strategy:
       matrix:
         release:
-          - 32
           - 33
           - 34
+          - 35
         compiler:
           - gcc
           - clang
@@ -99,7 +105,7 @@ jobs:
 
     - name: Configure build directory
       run: |
-        CC=${{ matrix.compiler}} meson -Drun_slow_tests=true fedora-${{ matrix.release }}
+        CC=${{ matrix.compiler}} meson fedora-${{ matrix.release }}
 
     - name: Build SSCG
       run: |
@@ -126,7 +132,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v2
 
-      - uses: uraimo/run-on-arch-action@v2.0.8
+      - uses: uraimo/run-on-arch-action@v2.1.0
         name: Perform upstream tests
 
         with:
@@ -143,7 +149,7 @@ jobs:
 
           run: |
             CC=${{ matrix.compiler}} meson fedora-${{ matrix.arch }}
-            meson test -t 5 --print-errorlogs -C fedora-${{ matrix.arch }}
+            meson test -t 10 --print-errorlogs -C fedora-${{ matrix.arch }}
 
 
   centos:
@@ -190,13 +196,18 @@ jobs:
         yum -y install dnf-plugins-core
         yum config-manager --set-enabled powertools
 
+    - name: Install OpenSSL 1.1 Development Libraries
+      if: matrix.release == '7'
+      run: |
+        yum -y install openssl11-devel
+
     - name: Install build dependencies
       run: |
-        yum install -y git-core glibc-devel meson pkgconf openssl-devel libpath_utils-devel libtalloc-devel help2man popt-devel ${{ matrix.compiler }}
+        yum install -y git-core glibc-devel openssl-devel meson pkgconf libpath_utils-devel libtalloc-devel help2man popt-devel ${{ matrix.compiler }}
 
     - name: Configure build directory
       run: |
-        CC=${{ matrix.compiler}} meson --errorlogs -Drun_slow_tests=true centos-${{ matrix.release }} || cat centos-7/meson-logs/meson-log.txt
+        CC=${{ matrix.compiler}} meson --errorlogs centos-${{ matrix.release }} || cat centos-7/meson-logs/meson-log.txt
 
     - name: Build SSCG
       run: |
@@ -205,3 +216,54 @@ jobs:
     - name: Run in-tree tests
       run: |
         meson test -t 5 --print-errorlogs -C centos-${{ matrix.release }}
+
+
+  centos-stream:
+    name: CentOS Stream
+    runs-on: ubuntu-latest
+    continue-on-error: false
+
+    strategy:
+      matrix:
+        release:
+          - 9
+        compiler:
+          - gcc
+          - clang
+
+    container:
+      image: quay.io/centos/centos:stream9-development
+
+    steps:
+    - name: Identify the system
+      run: |
+        cat /etc/os-release
+
+    - name: Checkout SSCG code
+      uses: actions/checkout@v2
+
+    - name: Enable CRB
+      run: |
+        yum -y install dnf-plugins-core
+        yum config-manager --set-enabled crb
+
+    - name: Add OpenSSL 3.0 Beta Repo
+      working-directory: /etc/yum.repos.d
+      run: |
+        curl -O https://sgallagh.fedorapeople.org/repo/openssl3b/openssl3b.repo
+
+    - name: Install build dependencies
+      run: |
+        yum install -y meson pkgconf-pkg-config openssl-devel libpath_utils-devel libtalloc-devel help2man popt-devel ${{ matrix.compiler }}
+
+    - name: Configure build directory
+      run: |
+        CC=${{ matrix.compiler}} meson --errorlogs centos-stream-${{ matrix.release }} || ( cat centos-stream-${{ matrix.release }}/meson-logs/meson-log.txt && exit 1 )
+
+    - name: Build SSCG
+      run: |
+        ninja -C centos-stream-${{ matrix.release }}
+
+    - name: Run in-tree tests
+      run: |
+        meson test -t 5 --print-errorlogs -C centos-stream-${{ matrix.release }}

Changelog.md

@@ -0,0 +1,11 @@
+# Changes for sscg 3.0
+
+## New features
+* Support for OpenSSL 3.0
+* Support for outputting named Diffie-Hellman parameter groups
+* Support for CentOS Stream 9
+
+## Major version notes
+* SSCG now requires OpenSSL 1.1.0 or later.
+* sscg will now always output DH parameters to a PEM file. It will default to using the `ffdhe4096` group.
+* Generated certificate lifetime now defaults to 398 days, rather than ten years to conform to [modern browser expectations](https://chromium-review.googlesource.com/c/chromium/src/+/2258372).

README.md

@@ -27,32 +27,65 @@ Usage: sscg [OPTION...]
                                                         private key information to the screen!
   -V, --version                                         Display the version number and exit.
   -f, --force                                           Overwrite any pre-existing files in the requested locations
-      --lifetime=1-3650                                 Certificate lifetime (days). (default: 3650)
+      --lifetime=1-3650                                 Certificate lifetime (days). (default: 398)
       --country=US, CZ, etc.                            Certificate DN: Country (C). (default: "US")
       --state=Massachusetts, British Columbia, etc.     Certificate DN: State or Province (ST).
       --locality=Westford, Paris, etc.                  Certificate DN: Locality (L).
       --organization=My Company                         Certificate DN: Organization (O). (default: "Unspecified")
       --organizational-unit=Engineering, etc.           Certificate DN: Organizational Unit (OU).
       --email=myname@example.com                        Certificate DN: Email Address (Email).
-      --hostname=server.example.com                     The valid hostname of the certificate. Must be an FQDN. (default: current
-                                                        system FQDN)
-      --subject-alt-name alt.example.com                Optional additional valid hostnames for the certificate. In addition to
-                                                        hostnames, this option also accepts explicit values supported by RFC 5280 such
-                                                        as IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy May be specified multiple times.
+      --hostname=server.example.com                     The valid hostname of the certificate. Must be an FQDN. (default: current system
+                                                        FQDN)
+      --subject-alt-name alt.example.com                Optional additional valid hostnames for the certificate. In addition to hostnames,
+                                                        this option also accepts explicit values supported by RFC 5280 such as
+                                                        IP:xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy May be specified multiple times.
       --package=STRING                                  Unused. Retained for compatibility with earlier versions of sscg.
       --key-strength=2048 or larger                     Strength of the certificate private keys in bits. (default: 2048)
       --hash-alg={sha256,sha384,sha512}                 Hashing algorithm to use for signing. (default: "sha256")
+      --cipher-alg={des-ede3-cbc,aes-256-cbc}           Cipher to use for encrypting key files. (default: "aes-256-cbc")
       --ca-file=STRING                                  Path where the public CA certificate will be stored. (default: "./ca.crt")
-      --ca-mode=0644                                    File mode of the created CA certificate. (default: 0644)
-      --ca-key-file=STRING                              Path where the CA's private key will be stored. If unspecified, the key will
-                                                        be destroyed rather than written to the disk.
-      --ca-key-mode=0600                                File mode of the created CA key. (default: 0600)
-      --cert-file=STRING                                Path where the public service certificate will be stored. (default
-                                                        "./service.pem")
-      --cert-mode=0644                                  File mode of the created certificate. (default: 0644)
-      --cert-key-file=STRING                            Path where the service's private key will be stored. (default
-                                                        "service-key.pem")
-      --cert-key-mode=0600                              File mode of the created certificate key. (default: 0600)
+      --ca-mode=0644                                    File mode of the created CA certificate.
+      --ca-key-file=STRING                              Path where the CA's private key will be stored. If unspecified, the key will be
+                                                        destroyed rather than written to the disk.
+      --ca-key-mode=0600                                File mode of the created CA key.
+      --ca-key-password=STRING                          Provide a password for the CA key file. Note that this will be visible in the
+                                                        process table for all users, so it should be used for testing purposes only. Use
+                                                        --ca-keypassfile or --ca-key-password-prompt for secure password entry.
+      --ca-key-passfile=STRING                          A file containing the password to encrypt the CA key file.
+  -C, --ca-key-password-prompt                          Prompt to enter a password for the CA key file.
+      --crl-file=STRING                                 Path where an (empty) Certificate Revocation List file will be created, for
+                                                        applications that expect such a file to exist. If unspecified, no such file will
+                                                        be created.
+      --crl-mode=0644                                   File mode of the created Certificate Revocation List.
+      --cert-file=STRING                                Path where the public service certificate will be stored. (default "./service.pem")
+      --cert-mode=0644                                  File mode of the created certificate.
+      --cert-key-file=STRING                            Path where the service's private key will be stored. (default "service-key.pem")
+      --cert-key-mode=0600                              File mode of the created certificate key.
+  -p, --cert-key-password=STRING                        Provide a password for the service key file. Note that this will be visible in the
+                                                        process table for all users, so this flag should be used for testing purposes
+                                                        only. Use --cert-keypassfile or --cert-key-password-prompt for secure password
+                                                        entry.
+      --cert-key-passfile=STRING                        A file containing the password to encrypt the service key file.
+  -P, --cert-key-password-prompt                        Prompt to enter a password for the service key file.
+      --client-file=STRING                              Path where a client authentication certificate will be stored.
+      --client-mode=0644                                File mode of the created certificate.
+      --client-key-file=STRING                          Path where the client's private key will be stored. (default is the client-file)
+      --client-key-mode=0600                            File mode of the created certificate key.
+      --client-key-password=STRING                      Provide a password for the client key file. Note that this will be visible in the
+                                                        process table for all users, so this flag should be used for testing purposes
+                                                        only. Use --client-keypassfile or --client-key-password-prompt for secure password
+                                                        entry.
+      --client-key-passfile=STRING                      A file containing the password to encrypt the client key file.
+      --client-key-password-prompt                      Prompt to enter a password for the client key file.
+      --dhparams-file=STRING                            A file to contain a set of Diffie-Hellman parameters. (Default: "./dhparams.pem")
+      --dhparams-named-group=STRING                     Output well-known DH parameters. The available named groups are: ffdhe2048,
+                                                        ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp_2048, modp_3072, modp_4096,
+                                                        modp_6144, modp_8192, modp_1536, dh_1024_160, dh_2048_224, dh_2048_256. (Default:
+                                                        "ffdhe4096")
+      --dhparams-prime-len=INT                          The length of the prime number to generate for dhparams, in bits. If set to
+                                                        non-zero, the parameters will be generated rather than using a well-known group.
+                                                        (default: 0)
+      --dhparams-generator={2,3,5}                      The generator value for dhparams. (default: 2)
 
 Help options:
   -?, --help                                            Show this help message

include/dhparams.h

@@ -21,22 +21,29 @@
 #define _SSCG_DHPARAMS_H
 
 #include <talloc.h>
+#include <openssl/evp.h>
 
 #include "include/sscg.h"
 
-struct sscg_dhparams
-{
-  int prime_len;
-  int generator;
-  DH *dh;
-  BN_GENCB *cb;
-};
+
+extern const char *dh_fips_groups[];
+extern const char *dh_nonfips_groups[];
+
 
 int
-create_dhparams (TALLOC_CTX *mem_ctx,
-                 enum sscg_verbosity options,
+create_dhparams (enum sscg_verbosity verbosity,
                  int prime_len,
                  int generator,
-                 struct sscg_dhparams **_dhparams);
+                 EVP_PKEY **dhparams);
+
+bool
+is_valid_named_group (const char *group_name);
+
+char *
+valid_dh_group_names (TALLOC_CTX *mem_ctx);
+
+
+int
+get_params_by_named_group (const char *group_name, EVP_PKEY **dhparams);
 
 #endif /* _SSCG_DHPARAMS_H */

include/key.h

@@ -21,6 +21,7 @@
 #define _SSCG_KEY_H
 
 #include <openssl/rsa.h>
+#include <openssl/dh.h>
 #include <openssl/evp.h>
 
 #include "include/sscg.h"
@@ -34,7 +35,6 @@ struct sscg_evp_pkey
 int
 sscg_generate_rsa_key (TALLOC_CTX *mem_ctx,
                        int bits,
-                       struct sscg_bignum *e,
                        struct sscg_evp_pkey **_key);
 
 

include/sscg.h

@@ -25,6 +25,7 @@
 #define _SSCG_H
 
 #include <errno.h>
+#include <openssl/bn.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/ui.h>
@@ -250,7 +251,35 @@ struct sscg_options
   /* Output Files */
   struct sscg_stream **streams;
 
+  char *ca_file;
+  char *ca_key_file;
+  int ca_mode;
+  int ca_key_mode;
+  char *ca_key_password;
+  char *ca_key_passfile;
+
+  char *cert_file;
+  char *cert_key_file;
+  int cert_mode;
+  int cert_key_mode;
+  char *cert_key_password;
+  char *cert_key_passfile;
+
+  char *client_file;
+  char *client_key_file;
+  int client_mode;
+  int client_key_mode;
+  char *client_key_password;
+  char *client_key_passfile;
+
+  char *crl_file;
+  int crl_mode;
+
+  char *dhparams_file;
+  int dhparams_mode;
+
   /* Diffie-Hellman Parameters */
+  char *dhparams_group;
   int dhparams_prime_len;
   int dhparams_generator;
 
@@ -271,4 +300,11 @@ enum sscg_cert_type
 #define SSCG_MIN_KEY_PASS_LEN 4
 #define SSCG_MAX_KEY_PASS_LEN 1023
 
+
+int
+sscg_handle_arguments (TALLOC_CTX *mem_ctx,
+                       int argc,
+                       const char **argv,
+                       struct sscg_options **config);
+
 #endif /* _SSCG_H */