
crypto-policies: add MinProtocol, Ciphersuites, and key=value config format#10535

Open
dom-omg wants to merge 1 commit into wolfSSL:master from dom-omg:fedora-crypto-policy-v2

Conversation


@dom-omg dom-omg commented May 27, 2026

Summary

Extends the Fedora system crypto-policy support (added in #8205) to parse config files in the same key=value format as OpenSSL's opensslcnf.config backend, and to actually call wolfSSL API to enforce every policy parameter read from the file.

What was missing (fedora-crypto-policies work item #60)

The original implementation only parsed a single-line @SECLEVEL=N:cipher_string format and applied the cipher list. It did not:

  • Parse an explicit MinProtocol = TLSv1.2 key
  • Parse a Ciphersuites = ... key for TLS 1.3 suites
  • Use the same config format as opensslcnf.config so that fedora-crypto-policies can generate a wolfssl.config with the same tooling

Changes

wolfssl/internal.h

  • Add explicitMinDowngrade and explicitMinDtlsDowngrade fields to SystemCryptoPolicy to store values from MinProtocol / DTLS.MinProtocol keys.
  • Add cipherSuites[] field for TLS 1.3 Ciphersuites key.
  • Add MAX_WOLFSSL_CRYPTO_POLICY_FILE_SIZE = 4096 for multi-line configs.

src/ssl.c

  • crypto_policy_parse(): detects legacy @SECLEVEL= format (fully backward-compatible) or new key=value format.
  • New key=value parser handles: MinProtocol, DTLS.MinProtocol, CipherString, Ciphersuites. Unknown keys silently ignored.
  • wolfSSL_crypto_policy_enable(): allocates a temporary buffer with XMALLOC so multi-line files up to 4 KiB are accepted.
  • wolfSSL_CTX_new_ex(): also applies Ciphersuites (TLS 1.3) when set.
  • New internal accessors: wolfSSL_crypto_policy_get_min_downgrade(), wolfSSL_crypto_policy_get_min_dtls_downgrade(), wolfSSL_crypto_policy_get_ciphersuites().

src/internal.c

  • wolfSSL_crypto_policy_init_ctx(): after deriving minDowngrade from @SECLEVEL, overrides it with the explicit MinProtocol value if one was provided.

Example files — updated to new format:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = @SECLEVEL=2:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!RC4:!eNULL:!aNULL
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

Backward compatibility

The old single-line @SECLEVEL=N:cipher_string format still works — wolfSSL_crypto_policy_enable_buffer() with the legacy format passes all existing tests unchanged.

Test plan

  • Existing test_wolfSSL_crypto_policy (buffer path with @SECLEVEL= strings) continues to pass
  • wolfSSL_crypto_policy_enable() with new-format files sets correct secLevel, minDowngrade, cipher list
  • DTLS.MinProtocol sets minDowngrade for DTLS contexts
  • Unknown keys in config are silently ignored

🤖 Generated with Claude Code

…format

Extend the system crypto-policy support to parse a config file in the
same key=value format as OpenSSL's opensslcnf.config backend, so that
fedora-crypto-policies can generate a wolfssl.config with explicit
MinProtocol, CipherString, and Ciphersuites keys.

Changes:
- crypto_policy_parse(): detect legacy @SECLEVEL= format (backward
  compat) OR new key=value format; new format supports MinProtocol,
  DTLS.MinProtocol, CipherString, Ciphersuites.
- wolfSSL_crypto_policy_init_ctx(): honour explicit MinProtocol /
  DTLS.MinProtocol from the config, overriding the SECLEVEL-derived
  minimum TLS version.
- wolfSSL_CTX_new_ex(): also apply Ciphersuites (TLS 1.3) from config.
- wolfSSL_crypto_policy_enable(): use XMALLOC for the read buffer so
  multi-line files up to MAX_WOLFSSL_CRYPTO_POLICY_FILE_SIZE (4096 B)
  are accepted.
- Add wolfSSL_crypto_policy_get_min_downgrade(),
  wolfSSL_crypto_policy_get_min_dtls_downgrade(),
  wolfSSL_crypto_policy_get_ciphersuites() internal accessors.
- Update example policy files to new format.
- SystemCryptoPolicy struct: add explicitMinDowngrade,
  explicitMinDtlsDowngrade, cipherSuites fields.

Satisfies fedora-crypto-policies work item wolfSSL#60: wolfSSL now reads a
config file in the same style as opensslcnf.config and calls the
wolfSSL API to actually enforce MinProtocol and cipher constraints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
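The config format and precedence rule described in this PR, worked through as an added stand-alone illustration. This is not code from the PR or from wolfSSL: the names (`policy_t`, `policy_parse`, `policy_effective_min_proto`, `parse_proto`), the sample `SomeFutureKey` line, and the SECLEVEL-to-minimum-version fallback table are this example's own assumptions. It shows the legacy `@SECLEVEL=` detection, the key=value parse with `[section]` headers and unknown keys skipped, the 4 KiB size bound enforced before any copy, and an explicit `MinProtocol` taking precedence over the SECLEVEL-derived minimum.

```c
/* Added example, not wolfSSL's code: a stand-alone parser for the key=value
 * crypto-policy format this PR describes, with legacy "@SECLEVEL=N:..." detection
 * and the explicit-MinProtocol override. All names below are the example's own. */
#include <ctype.h>
#include <string.h>
#define POLICY_MAX_FILE_SIZE 4096   /* the same 4 KiB bound the PR applies to files */

typedef enum { PROTO_UNSET = 0, PROTO_TLS1_0, PROTO_TLS1_1, PROTO_TLS1_2,
               PROTO_TLS1_3, PROTO_DTLS1_0, PROTO_DTLS1_2 } proto_t;
typedef struct {
    int     secLevel;                 /* N from @SECLEVEL=N, -1 if absent */
    proto_t minProto, minDtlsProto;   /* MinProtocol, DTLS.MinProtocol; UNSET if absent */
    char    cipherString[POLICY_MAX_FILE_SIZE + 1];  /* sized to the file limit, so any */
    char    cipherSuites[POLICY_MAX_FILE_SIZE + 1];  /* single value is guaranteed to fit */
    int     unknownKeys;              /* counted, not rejected, as the PR says */
} policy_t;

static char *trim(char *s) {          /* strip surrounding whitespace in place */
    char *end = s + strlen(s);
    while (isspace((unsigned char)*s)) s++;
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

static proto_t parse_proto(const char *v) {   /* version name -> enum; unknown -> UNSET */
    static const struct { const char *name; proto_t p; } tab[] = {
        {"TLSv1", PROTO_TLS1_0}, {"TLSv1.1", PROTO_TLS1_1}, {"TLSv1.2", PROTO_TLS1_2},
        {"TLSv1.3", PROTO_TLS1_3}, {"DTLSv1", PROTO_DTLS1_0}, {"DTLSv1.2", PROTO_DTLS1_2} };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcmp(v, tab[i].name) == 0) return tab[i].p;
    return PROTO_UNSET;
}

static int parse_seclevel(const char *cs) {   /* N from "@SECLEVEL=N..."; -1 if absent */
    if (strncmp(cs, "@SECLEVEL=", 10) != 0 || !isdigit((unsigned char)cs[10])) return -1;
    return cs[10] - '0';
}

/* Parse a policy buffer into *pol; 0 on success, -1 on error. Accepts the legacy
 * single-line "@SECLEVEL=N:ciphers" form or the multi-line key=value form. Section
 * headers ([...]) and '#' comments are skipped; a line with no '=' is rejected (the
 * PR does not say how it treats such lines, so this example fails closed). */
int policy_parse(const char *buf, size_t len, policy_t *pol) {
    char work[POLICY_MAX_FILE_SIZE + 1], *line, *t;
    memset(pol, 0, sizeof *pol); pol->secLevel = -1;
    if (len > POLICY_MAX_FILE_SIZE) return -1;        /* enforce the size limit before copying */
    memcpy(work, buf, len); work[len] = '\0';
    t = trim(work);
    if (strncmp(t, "@SECLEVEL=", 10) == 0) {          /* legacy: whole buffer is the cipher list */
        pol->secLevel = parse_seclevel(t);
        strcpy(pol->cipherString, t); return 0;
    }
    for (line = t; line != NULL && *line != '\0'; ) {
        char *nl = strchr(line, '\n'), *eq, *key, *val;
        if (nl) *nl = '\0';
        key = trim(line); line = nl ? nl + 1 : NULL;  /* advance before any 'continue' */
        if (*key == '\0' || *key == '#' || *key == '[') continue;
        if ((eq = strchr(key, '=')) == NULL) return -1;
        *eq = '\0'; key = trim(key); val = trim(eq + 1);   /* split at '=' and trim both sides */
        if (strcmp(key, "MinProtocol") == 0)           pol->minProto = parse_proto(val);
        else if (strcmp(key, "DTLS.MinProtocol") == 0) pol->minDtlsProto = parse_proto(val);
        else if (strcmp(key, "Ciphersuites") == 0)     strcpy(pol->cipherSuites, val);
        else if (strcmp(key, "CipherString") == 0) {
            pol->secLevel = parse_seclevel(val);       /* @SECLEVEL=N may lead the list */
            strcpy(pol->cipherString, val);
        } else pol->unknownKeys++;                     /* unknown key: silently ignored */
    }
    return 0;
}

/* Effective minimum version: an explicit MinProtocol wins over the SECLEVEL-derived
 * default. The default mapping below is an illustrative assumption, not wolfSSL's. */
proto_t policy_effective_min_proto(const policy_t *pol) {
    if (pol->minProto != PROTO_UNSET) return pol->minProto;
    return pol->secLevel >= 4 ? PROTO_TLS1_2 : pol->secLevel == 3 ? PROTO_TLS1_1 : PROTO_TLS1_0;
}

/* Constructed inputs: the PR's example file (plus one unknown key) and a legacy line. */
static const char kSample[] = "[system_default_sect]\nMinProtocol = TLSv1.2\n"
    "CipherString = @SECLEVEL=2:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!RC4:!eNULL:!aNULL\n"
    "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256\n"
    "SomeFutureKey = whatever\n";
static const char kLegacy[] = "@SECLEVEL=3:EECDH:EDH:!aNULL\n";

int sample_parses_as_expected(void) {   /* 1 if the new format yields the expected policy */
    policy_t p;
    if (policy_parse(kSample, strlen(kSample), &p) != 0) return 0;
    return p.secLevel == 2 && p.minProto == PROTO_TLS1_2 && p.minDtlsProto == PROTO_UNSET
        && p.unknownKeys == 1 && strncmp(p.cipherString, "@SECLEVEL=2:EECDH:", 18) == 0
        && strncmp(p.cipherSuites, "TLS_AES_256_GCM_SHA384:", 23) == 0
        && policy_effective_min_proto(&p) == PROTO_TLS1_2;   /* explicit key wins */
}

int legacy_parses_as_expected(void) {   /* 1 if the old single-line format still works */
    policy_t p;
    if (policy_parse(kLegacy, strlen(kLegacy), &p) != 0) return 0;
    return p.secLevel == 3 && p.minProto == PROTO_UNSET
        && strcmp(p.cipherString, "@SECLEVEL=3:EECDH:EDH:!aNULL") == 0
        && policy_effective_min_proto(&p) == PROTO_TLS1_1;   /* SECLEVEL-derived fallback */
}
```

Two design points worth noting for anyone reviewing a parser like this: the size check runs before any byte is copied, so an over-long policy file is refused rather than truncated into a weaker-than-intended policy; and a line that is neither a section header, a comment, nor a key=value pair is treated as an error, since a policy file that fails to parse should not silently load as a partial policy.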
@wolfSSL-Bot

Can one of the admins verify this patch?

@philljj
Contributor

philljj commented May 27, 2026

Hi @dom-omg, thank you for the PR! I'm reviewing this in addition to #10541.

Could you email support@wolfssl.com for a contributor agreement?

Best,
Jordan
