ssl_seclevel.c revision 1.15
1/* $OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */ 2/* 3 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18#include <stddef.h> 19 20#include <openssl/asn1.h> 21#include <openssl/dh.h> 22#include <openssl/evp.h> 23#include <openssl/objects.h> 24#include <openssl/ossl_typ.h> 25#include <openssl/ssl.h> 26#include <openssl/tls1.h> 27#include <openssl/x509.h> 28#include <openssl/x509v3.h> 29 30#include "bytestring.h" 31#include "ssl_locl.h" 32 33static int 34ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level) 35{ 36 int security_level; 37 38 if (ctx != NULL) 39 security_level = SSL_CTX_get_security_level(ctx); 40 else 41 security_level = SSL_get_security_level(ssl); 42 43 if (security_level < 0) 44 security_level = 0; 45 if (security_level > 5) 46 security_level = 5; 47 48 *out_level = security_level; 49 50 return 1; 51} 52 53static int 54ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits) 55{ 56 if (security_level < 0) 57 return 0; 58 59 if (security_level == 0) 60 *out_minimum_bits = 0; 61 else if (security_level == 1) 62 *out_minimum_bits = 80; 63 else if (security_level == 2) 64 *out_minimum_bits = 112; 65 else if (security_level == 3) 66 *out_minimum_bits = 128; 67 else if (security_level == 4) 68 *out_minimum_bits = 192; 69 else if (security_level >= 5) 70 *out_minimum_bits = 256; 71 72 return 1; 73} 74 75static int 76ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl, 77 int *out_level, int *out_minimum_bits) 78{ 79 int security_level = 0, minimum_bits = 0; 80 81 if (!ssl_security_normalize_level(ctx, ssl, &security_level)) 82 return 0; 83 if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits)) 84 return 0; 85 86 if (out_level != NULL) 87 *out_level = security_level; 88 if (out_minimum_bits != NULL) 89 *out_minimum_bits = minimum_bits; 90 91 return 1; 92} 93 94static int 95ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits, 96 void *arg) 97{ 98 const SSL_CIPHER *cipher = arg; 99 int security_level, minimum_bits; 100 101 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, 102 &minimum_bits)) 103 return 0; 104 105 if (security_level <= 0) 106 return 1; 107 108 if (bits < minimum_bits) 109 return 0; 110 111 /* No unauthenticated ciphersuites. */ 112 if (cipher->algorithm_auth & SSL_aNULL) 113 return 0; 114 115 if (security_level <= 1) 116 return 1; 117 118 if (cipher->algorithm_enc == SSL_RC4) 119 return 0; 120 121 if (security_level <= 2) 122 return 1; 123 124 /* Security level >= 3 requires a cipher with forward secrecy. */ 125 if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 && 126 cipher->algorithm_ssl != SSL_TLSV1_3) 127 return 0; 128 129 return 1; 130} 131 132static int 133ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version) 134{ 135 int min_version = TLS1_2_VERSION; 136 int security_level; 137 138 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) 139 return 0; 140 141 if (security_level < 4) 142 min_version = TLS1_1_VERSION; 143 if (security_level < 3) 144 min_version = TLS1_VERSION; 145 146 return ssl_tls_version(version) >= min_version; 147} 148 149static int 150ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl) 151{ 152 return 0; 153} 154 155static int 156ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl) 157{ 158 int security_level; 159 160 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) 161 return 0; 162 163 return security_level < 3; 164} 165 166static int 167ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits) 168{ 169 int security_level, minimum_bits; 170 171 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, 172 &minimum_bits)) 173 return 0; 174 175 /* Disallow DHE keys weaker than 1024 bits even at security level 0. */ 176 if (security_level <= 0 && bits < 80) 177 return 0; 178 179 return bits >= minimum_bits; 180} 181 182static int 183ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits) 184{ 185 int minimum_bits; 186 187 if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits)) 188 return 0; 189 190 return bits >= minimum_bits; 191} 192 193int 194ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits, 195 int version, void *cipher, void *ex_data) 196{ 197 switch (op) { 198 case SSL_SECOP_CIPHER_SUPPORTED: 199 case SSL_SECOP_CIPHER_SHARED: 200 case SSL_SECOP_CIPHER_CHECK: 201 return ssl_security_secop_cipher(ctx, ssl, bits, cipher); 202 case SSL_SECOP_VERSION: 203 return ssl_security_secop_version(ctx, ssl, version); 204 case SSL_SECOP_COMPRESSION: 205 return ssl_security_secop_compression(ctx, ssl); 206 case SSL_SECOP_TICKET: 207 return ssl_security_secop_tickets(ctx, ssl); 208 case SSL_SECOP_TMP_DH: 209 return ssl_security_secop_tmp_dh(ctx, ssl, bits); 210 default: 211 return ssl_security_secop_default(ctx, ssl, bits); 212 } 213} 214 215int 216ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits, 217 int version, void *cipher, void *ex_data) 218{ 219 return 1; 220} 221 222int 223ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other) 224{ 225 return ctx->internal->cert->security_cb(NULL, ctx, op, bits, nid, other, 226 ctx->internal->cert->security_ex_data); 227} 228 229int 230ssl_security(const SSL *ssl, int op, int bits, int nid, void *other) 231{ 232 return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other, 233 ssl->cert->security_ex_data); 234} 235 236int 237ssl_security_version(const SSL *ssl, int version) 238{ 239 return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL); 240} 241 242int 243ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh) 244{ 245#if defined(LIBRESSL_HAS_SECURITY_LEVEL) 246 return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, 247 dh); 248#else 249 return 1; 250#endif 251} 252 253int 254ssl_security_dh(const SSL *ssl, DH *dh) 255{ 256#if defined(LIBRESSL_HAS_SECURITY_LEVEL) 257 return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh); 258#else 259 return 1; 260#endif 261} 262 263#if defined(LIBRESSL_HAS_SECURITY_LEVEL) 264static int 265ssl_cert_pubkey_security_bits(const X509 *x509) 266{ 267 EVP_PKEY *pkey; 268 269 if ((pkey = X509_get0_pubkey(x509)) == NULL) 270 return -1; 271 272 /* 273 * XXX: DSA_security_bits() returns -1 on keys without parameters and 274 * cause the default security callback to fail. 275 */ 276 277 return EVP_PKEY_security_bits(pkey); 278} 279 280static int 281ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int op) 282{ 283 int security_bits; 284 285 security_bits = ssl_cert_pubkey_security_bits(x509); 286 287 if (ssl != NULL) 288 return ssl_security(ssl, op, security_bits, 0, x509); 289 290 return ssl_ctx_security(ctx, op, security_bits, 0, x509); 291} 292 293static int 294ssl_cert_signature_md_nid(X509 *x509) 295{ 296 int md_nid, signature_nid; 297 298 if ((signature_nid = X509_get_signature_nid(x509)) == NID_undef) 299 return NID_undef; 300 301 if (!OBJ_find_sigid_algs(signature_nid, &md_nid, NULL)) 302 return NID_undef; 303 304 return md_nid; 305} 306 307static int 308ssl_cert_md_nid_security_bits(int md_nid) 309{ 310 const EVP_MD *md; 311 312 if (md_nid == NID_undef) 313 return -1; 314 315 if ((md = EVP_get_digestbynid(md_nid)) == NULL) 316 return -1; 317 318 /* Assume 4 bits of collision resistance for each hash octet. */ 319 return EVP_MD_size(md) * 4; 320} 321 322static int 323ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int op) 324{ 325 int md_nid, security_bits; 326 327 /* Don't check signature if self signed. */ 328 if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0) 329 return 1; 330 331 md_nid = ssl_cert_signature_md_nid(x509); 332 security_bits = ssl_cert_md_nid_security_bits(md_nid); 333 334 if (ssl != NULL) 335 return ssl_security(ssl, op, security_bits, md_nid, x509); 336 337 return ssl_ctx_security(ctx, op, security_bits, md_nid, x509); 338} 339#endif 340 341int 342ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, 343 int is_ee, int *out_error) 344{ 345#if defined(LIBRESSL_HAS_SECURITY_LEVEL) 346 int key_error, operation; 347 348 *out_error = 0; 349 350 if (is_ee) { 351 operation = SSL_SECOP_EE_KEY; 352 key_error = SSL_R_EE_KEY_TOO_SMALL; 353 } else { 354 operation = SSL_SECOP_CA_KEY; 355 key_error = SSL_R_CA_KEY_TOO_SMALL; 356 } 357 358 if (!ssl_security_cert_key(ctx, ssl, x509, operation)) { 359 *out_error = key_error; 360 return 0; 361 } 362 363 if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) { 364 *out_error = SSL_R_CA_MD_TOO_WEAK; 365 return 0; 366 } 367 368#endif 369 return 1; 370} 371 372/* 373 * Check security of a chain. If |sk| includes the end entity certificate 374 * then |x509| must be NULL. 375 */ 376int 377ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509, 378 int *out_error) 379{ 380 int start_idx = 0; 381 int is_ee; 382 int i; 383 384 if (x509 == NULL) { 385 x509 = sk_X509_value(sk, 0); 386 start_idx = 1; 387 } 388 389 if (!ssl_security_cert(NULL, ssl, x509, is_ee = 1, out_error)) 390 return 0; 391 392 for (i = start_idx; i < sk_X509_num(sk); i++) { 393 x509 = sk_X509_value(sk, i); 394 395 if (!ssl_security_cert(NULL, ssl, x509, is_ee = 0, 396 out_error)) 397 return 0; 398 } 399 400 return 1; 401} 402 403int 404ssl_security_supported_group(const SSL *ssl, uint16_t group_id) 405{ 406 CBB cbb; 407 int bits, nid; 408 uint8_t group[2]; 409 410 if (!tls1_ec_group_id2bits(group_id, &bits)) 411 return 0; 412 if (!tls1_ec_group_id2nid(group_id, &nid)) 413 return 0; 414 415 if (!CBB_init_fixed(&cbb, group, sizeof(group))) 416 return 0; 417 if (!CBB_add_u16(&cbb, group_id)) 418 return 0; 419 if (!CBB_finish(&cbb, NULL, NULL)) 420 return 0; 421 422 return ssl_security(ssl, SSL_SECOP_CURVE_SUPPORTED, bits, nid, group); 423} 424