ssl_seclevel.c revision 1.12
1/* $OpenBSD: ssl_seclevel.c,v 1.12 2022/06/30 11:17:49 tb Exp $ */ 2/* 3 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18#include <stddef.h> 19 20#include <openssl/asn1.h> 21#include <openssl/dh.h> 22#include <openssl/evp.h> 23#include <openssl/objects.h> 24#include <openssl/ossl_typ.h> 25#include <openssl/ssl.h> 26#include <openssl/tls1.h> 27#include <openssl/x509.h> 28#include <openssl/x509v3.h> 29 30#include "ssl_locl.h" 31 32static int 33ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level) 34{ 35 int security_level; 36 37 if (ctx != NULL) 38 security_level = SSL_CTX_get_security_level(ctx); 39 else 40 security_level = SSL_get_security_level(ssl); 41 42 if (security_level < 0) 43 security_level = 0; 44 if (security_level > 5) 45 security_level = 5; 46 47 *out_level = security_level; 48 49 return 1; 50} 51 52static int 53ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits) 54{ 55 if (security_level < 0) 56 return 0; 57 58 if (security_level == 0) 59 *out_minimum_bits = 0; 60 else if (security_level == 1) 61 *out_minimum_bits = 80; 62 else if (security_level == 2) 63 *out_minimum_bits = 112; 64 else if (security_level == 3) 65 *out_minimum_bits = 128; 66 else if (security_level == 4) 67 *out_minimum_bits = 192; 68 else if (security_level >= 5) 69 *out_minimum_bits = 256; 70 71 return 1; 72} 73 74static int 75ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl, 76 int *out_level, int *out_minimum_bits) 77{ 78 int security_level = 0, minimum_bits = 0; 79 80 if (!ssl_security_normalize_level(ctx, ssl, &security_level)) 81 return 0; 82 if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits)) 83 return 0; 84 85 if (out_level != NULL) 86 *out_level = security_level; 87 if (out_minimum_bits != NULL) 88 *out_minimum_bits = minimum_bits; 89 90 return 1; 91} 92 93static int 94ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits, 95 void *arg) 96{ 97 const SSL_CIPHER *cipher = arg; 98 int security_level, minimum_bits; 99 100 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, 101 &minimum_bits)) 102 return 0; 103 104 if (security_level <= 0) 105 return 1; 106 107 if (bits < minimum_bits) 108 return 0; 109 110 /* No unauthenticated ciphersuites. */ 111 if (cipher->algorithm_auth & SSL_aNULL) 112 return 0; 113 114 if (security_level <= 1) 115 return 1; 116 117 if (cipher->algorithm_enc == SSL_RC4) 118 return 0; 119 120 if (security_level <= 2) 121 return 1; 122 123 /* Security level >= 3 requires a cipher with forward secrecy. */ 124 if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 && 125 cipher->algorithm_ssl != SSL_TLSV1_3) 126 return 0; 127 128 return 1; 129} 130 131static int 132ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version) 133{ 134 int min_version = TLS1_2_VERSION; 135 int security_level; 136 137 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) 138 return 0; 139 140 if (security_level < 4) 141 min_version = TLS1_1_VERSION; 142 if (security_level < 3) 143 min_version = TLS1_VERSION; 144 145 return ssl_tls_version(version) >= min_version; 146} 147 148static int 149ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl) 150{ 151 return 0; 152} 153 154static int 155ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl) 156{ 157 int security_level; 158 159 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) 160 return 0; 161 162 return security_level < 3; 163} 164 165static int 166ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits) 167{ 168 int security_level, minimum_bits; 169 170 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, 171 &minimum_bits)) 172 return 0; 173 174 /* Disallow DHE keys weaker than 1024 bits even at security level 0. */ 175 if (security_level <= 0 && bits < 80) 176 return 0; 177 178 return bits >= minimum_bits; 179} 180 181static int 182ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits) 183{ 184 int minimum_bits; 185 186 if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits)) 187 return 0; 188 189 return bits >= minimum_bits; 190} 191 192int 193ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits, 194 int version, void *cipher, void *ex_data) 195{ 196 switch (op) { 197 case SSL_SECOP_CIPHER_SUPPORTED: 198 case SSL_SECOP_CIPHER_SHARED: 199 case SSL_SECOP_CIPHER_CHECK: 200 return ssl_security_secop_cipher(ctx, ssl, bits, cipher); 201 case SSL_SECOP_VERSION: 202 return ssl_security_secop_version(ctx, ssl, version); 203 case SSL_SECOP_COMPRESSION: 204 return ssl_security_secop_compression(ctx, ssl); 205 case SSL_SECOP_TICKET: 206 return ssl_security_secop_tickets(ctx, ssl); 207 case SSL_SECOP_TMP_DH: 208 return ssl_security_secop_tmp_dh(ctx, ssl, bits); 209 default: 210 return ssl_security_secop_default(ctx, ssl, bits); 211 } 212} 213 214int 215ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits, 216 int version, void *cipher, void *ex_data) 217{ 218 return 1; 219} 220 221int 222ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other) 223{ 224 return ctx->internal->cert->security_cb(NULL, ctx, op, bits, nid, other, 225 ctx->internal->cert->security_ex_data); 226} 227 228int 229ssl_security(const SSL *ssl, int op, int bits, int nid, void *other) 230{ 231 return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other, 232 ssl->cert->security_ex_data); 233} 234 235int 236ssl_security_version(const SSL *ssl, int tls_version) 237{ 238 return ssl_security(ssl, SSL_SECOP_VERSION, 0, tls_version, NULL); 239} 240 241int 242ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh) 243{ 244#if defined(LIBRESSL_HAS_SECURITY_LEVEL) 245 return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, 246 dh); 247#else 248 return 1; 249#endif 250} 251 252int 253ssl_security_dh(const SSL *ssl, DH *dh) 254{ 255#if defined(LIBRESSL_HAS_SECURITY_LEVEL) 256 return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh); 257#else 258 return 1; 259#endif 260} 261 262#if defined(LIBRESSL_HAS_SECURITY_LEVEL) 263static int 264ssl_cert_pubkey_security_bits(const X509 *x509) 265{ 266 EVP_PKEY *pkey; 267 268 if ((pkey = X509_get0_pubkey(x509)) == NULL) 269 return -1; 270 271 /* 272 * XXX: DSA_security_bits() returns -1 on keys without parameters and 273 * cause the default security callback to fail. 274 */ 275 276 return EVP_PKEY_security_bits(pkey); 277} 278 279static int 280ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int op) 281{ 282 int security_bits; 283 284 security_bits = ssl_cert_pubkey_security_bits(x509); 285 286 if (ssl != NULL) 287 return ssl_security(ssl, op, security_bits, 0, x509); 288 289 return ssl_ctx_security(ctx, op, security_bits, 0, x509); 290} 291 292static int 293ssl_cert_signature_md_nid(X509 *x509) 294{ 295 int md_nid, signature_nid; 296 297 if ((signature_nid = X509_get_signature_nid(x509)) == NID_undef) 298 return NID_undef; 299 300 if (!OBJ_find_sigid_algs(signature_nid, &md_nid, NULL)) 301 return NID_undef; 302 303 return md_nid; 304} 305 306static int 307ssl_cert_md_nid_security_bits(int md_nid) 308{ 309 const EVP_MD *md; 310 311 if (md_nid == NID_undef) 312 return -1; 313 314 if ((md = EVP_get_digestbynid(md_nid)) == NULL) 315 return -1; 316 317 /* Assume 4 bits of collision resistance for each hash octet. */ 318 return EVP_MD_size(md) * 4; 319} 320 321static int 322ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int op) 323{ 324 int md_nid, security_bits; 325 326 /* Don't check signature if self signed. */ 327 if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0) 328 return 1; 329 330 md_nid = ssl_cert_signature_md_nid(x509); 331 security_bits = ssl_cert_md_nid_security_bits(md_nid); 332 333 if (ssl != NULL) 334 return ssl_security(ssl, op, security_bits, md_nid, x509); 335 336 return ssl_ctx_security(ctx, op, security_bits, md_nid, x509); 337} 338#endif 339 340int 341ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, 342 int is_ee, int *out_error) 343{ 344#if defined(LIBRESSL_HAS_SECURITY_LEVEL) 345 int key_error, operation; 346 347 *out_error = 0; 348 349 if (is_ee) { 350 operation = SSL_SECOP_EE_KEY; 351 key_error = SSL_R_EE_KEY_TOO_SMALL; 352 } else { 353 operation = SSL_SECOP_CA_KEY; 354 key_error = SSL_R_CA_KEY_TOO_SMALL; 355 } 356 357 if (!ssl_security_cert_key(ctx, ssl, x509, operation)) { 358 *out_error = key_error; 359 return 0; 360 } 361 362 if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) { 363 *out_error = SSL_R_CA_MD_TOO_WEAK; 364 return 0; 365 } 366 367#endif 368 return 1; 369} 370 371/* 372 * Check security of a chain. If |sk| includes the end entity certificate 373 * then |x509| must be NULL. 374 */ 375int 376ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509, 377 int *out_error) 378{ 379 int start_idx = 0; 380 int is_ee; 381 int i; 382 383 if (x509 == NULL) { 384 x509 = sk_X509_value(sk, 0); 385 start_idx = 1; 386 } 387 388 if (!ssl_security_cert(NULL, ssl, x509, is_ee = 1, out_error)) 389 return 0; 390 391 for (i = start_idx; i < sk_X509_num(sk); i++) { 392 x509 = sk_X509_value(sk, i); 393 394 if (!ssl_security_cert(NULL, ssl, x509, is_ee = 0, 395 out_error)) 396 return 0; 397 } 398 399 return 1; 400} 401