From fd8a2af39b74e30e6c80d464809d0afb0a623776 Mon Sep 17 00:00:00 2001 From: Petr Písař Date: Nov 04 2020 11:06:01 +0000 Subject: Respect a system crypto policy --- diff --git a/icecast-2.4.4-Respect-a-default-cipher-list-defined-by-the-SSL-lib.patch b/icecast-2.4.4-Respect-a-default-cipher-list-defined-by-the-SSL-lib.patch new file mode 100644 index 0000000..9079eed --- /dev/null +++ b/icecast-2.4.4-Respect-a-default-cipher-list-defined-by-the-SSL-lib.patch @@ -0,0 +1,96 @@ +From 25ba9dd91d33471d0485105ee6e5dd6d343fc8b0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Wed, 4 Nov 2020 11:20:19 +0100 +Subject: [PATCH] Respect a default cipher list defined by the SSL library +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Software distributions, like Fedora, set and enforce a global +cryptographic policy +(https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/). +That enables users to control a security level from one place. + +Overriding the default cipher list in Icecast sources undermines the +goal. + +This patch removes the hard-coded cipher list from the sources. + + + +Signed-off-by: Petr Písař +--- + doc/config-file.html | 4 ++-- + src/cfgfile.c | 3 +-- + src/connection.c | 12 +++++++----- + 3 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/doc/config-file.html b/doc/config-file.html +index 4650146..4cf0fd0 100644 +--- a/doc/config-file.html ++++ b/doc/config-file.html +@@ -648,7 +648,7 @@ For example: <alias source="/foo" dest="/bar"> + This is required for HTTPS support to be enabled. Please note that the user Icecast is running as must be able to read the file. Failing to ensure this will cause a “Invalid cert file” WARN message, just as if the file wasn’t there. +
ssl-allowed-ciphers
+
This optional tag specifies the list of allowed ciphers passed on to the SSL library. +-Icecast contains a set of defaults conforming to current best practices and you should only override those, using this tag, if you know exactly what you are doing.
++Icecast respects a set of defaults coming from the SSL library and you should only override those, using this tag, if you know exactly what you are doing. + + + +@@ -738,4 +738,4 @@ These need to be valid users on the system. Icecast must be started as root for + + + +- +\ No newline at end of file ++ +diff --git a/src/cfgfile.c b/src/cfgfile.c +index a9df53c..b758fab 100644 +--- a/src/cfgfile.c ++++ b/src/cfgfile.c +@@ -59,7 +59,6 @@ + #define CONFIG_DEFAULT_GROUP NULL + #define CONFIG_MASTER_UPDATE_INTERVAL 120 + #define CONFIG_YP_URL_TIMEOUT 10 +-#define CONFIG_DEFAULT_CIPHER_LIST "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" + + #ifndef _WIN32 + #define CONFIG_DEFAULT_BASE_DIR "/usr/local/icecast" +@@ -432,7 +431,7 @@ static void _set_defaults(ice_config_t *configuration) + configuration->master_password = NULL; + configuration->base_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_BASE_DIR); + configuration->log_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_LOG_DIR); +- configuration->cipher_list = (char *)xmlCharStrdup (CONFIG_DEFAULT_CIPHER_LIST); ++ configuration->cipher_list = NULL; + configuration->webroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_WEBROOT_DIR); + configuration->adminroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_ADMINROOT_DIR); + 
configuration->playlist_log = (char *)xmlCharStrdup (CONFIG_DEFAULT_PLAYLIST_LOG); +diff --git a/src/connection.c b/src/connection.c +index df85b07..8261c6f 100644 +--- a/src/connection.c ++++ b/src/connection.c +@@ -233,13 +233,15 @@ static void get_ssl_certificate (ice_config_t *config) + ICECAST_LOG_ERROR("Invalid %s - Private key does not match cert public key", config->cert_file); + break; + } +- if (SSL_CTX_set_cipher_list(ssl_ctx, config->cipher_list) <= 0) +- { +- ICECAST_LOG_WARN("Invalid cipher list: %s", config->cipher_list); +- } ++ if (config->cipher_list) ++ { ++ if (SSL_CTX_set_cipher_list(ssl_ctx, config->cipher_list) <= 0) ++ ICECAST_LOG_WARN("Invalid cipher list: %s", config->cipher_list); ++ else ++ ICECAST_LOG_INFO("SSL using ciphers %s", config->cipher_list); ++ } + ssl_ok = 1; + ICECAST_LOG_INFO("SSL certificate found at %s", config->cert_file); +- ICECAST_LOG_INFO("SSL using ciphers %s", config->cipher_list); + return; + } while (0); + ICECAST_LOG_INFO("No SSL capability on any configured ports"); +-- +2.25.4 + diff --git a/icecast.spec b/icecast.spec index ffc95ac..9a7813e 100644 --- a/icecast.spec +++ b/icecast.spec @@ -12,7 +12,7 @@ Name: icecast Version: 2.4.4 -Release: 5%{?dist} +Release: 6%{?dist} Summary: ShoutCast compatible streaming media server # admin/xspf.xsl: GPLv2+ @@ -41,6 +41,8 @@ Source2: %{name}.logrotate Source3: %{name}.service Source4: %{name}.xml Source5: status3.xsl +# Respect a system crypto policy, bug #1645612 +Patch0: icecast-2.4.4-Respect-a-default-cipher-list-defined-by-the-SSL-lib.patch BuildRequires: autoconf BuildRequires: automake @@ -203,6 +205,9 @@ fi %changelog +* Wed Nov 04 2020 Petr Pisar - 2.4.4-6 +- Respect a system crypto policy (bug #1645612) + * Tue Jul 28 2020 Fedora Release Engineering - 2.4.4-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
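Review bot: In the connection.c hunk an unparseable `ssl-allowed-ciphers` value is still only logged at WARN and execution falls through to `ssl_ok = 1`, so a typo in an operator's explicit restriction now silently yields the SSL library's default cipher set instead of the intended narrower one. The sibling check just above (private key does not match cert) uses `break` to abandon SSL setup inside the `do { } while (0)`, and the cipher-list failure should fail closed the same way: `ICECAST_LOG_ERROR("Invalid cipher list: %s", config->cipher_list); break;`. Separately, `SSL_CTX_set_cipher_list` only governs TLS 1.2-and-earlier suites, so a comment above the call such as `/* TLS <= 1.2 cipher list only; TLS 1.3 suites come from the library/policy default */` would stop readers assuming the tag controls every negotiated suite. The fall-through behaviour is pre-existing rather than introduced here, and `get_ssl_certificate` begins outside the hunk.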