ssl_seclevel.c revision 1.15 
1/*	$OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */
2/*
3 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <stddef.h>
19
20#include <openssl/asn1.h>
21#include <openssl/dh.h>
22#include <openssl/evp.h>
23#include <openssl/objects.h>
24#include <openssl/ossl_typ.h>
25#include <openssl/ssl.h>
26#include <openssl/tls1.h>
27#include <openssl/x509.h>
28#include <openssl/x509v3.h>
29
30#include "bytestring.h"
31#include "ssl_locl.h"
32
33static int
34ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level)
35{
36	int security_level;
37
38	if (ctx != NULL)
39		security_level = SSL_CTX_get_security_level(ctx);
40	else
41		security_level = SSL_get_security_level(ssl);
42
43	if (security_level < 0)
44		security_level = 0;
45	if (security_level > 5)
46		security_level = 5;
47
48	*out_level = security_level;
49
50	return 1;
51}
52
53static int
54ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits)
55{
56	if (security_level < 0)
57		return 0;
58
59	if (security_level == 0)
60		*out_minimum_bits = 0;
61	else if (security_level == 1)
62		*out_minimum_bits = 80;
63	else if (security_level == 2)
64		*out_minimum_bits = 112;
65	else if (security_level == 3)
66		*out_minimum_bits = 128;
67	else if (security_level == 4)
68		*out_minimum_bits = 192;
69	else if (security_level >= 5)
70		*out_minimum_bits = 256;
71
72	return 1;
73}
74
75static int
76ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl,
77    int *out_level, int *out_minimum_bits)
78{
79	int security_level = 0, minimum_bits = 0;
80
81	if (!ssl_security_normalize_level(ctx, ssl, &security_level))
82		return 0;
83	if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits))
84		return 0;
85
86	if (out_level != NULL)
87		*out_level = security_level;
88	if (out_minimum_bits != NULL)
89		*out_minimum_bits = minimum_bits;
90
91	return 1;
92}
93
94static int
95ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits,
96    void *arg)
97{
98	const SSL_CIPHER *cipher = arg;
99	int security_level, minimum_bits;
100
101	if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
102	    &minimum_bits))
103		return 0;
104
105	if (security_level <= 0)
106		return 1;
107
108	if (bits < minimum_bits)
109		return 0;
110
111	/* No unauthenticated ciphersuites. */
112	if (cipher->algorithm_auth & SSL_aNULL)
113		return 0;
114
115	if (security_level <= 1)
116		return 1;
117
118	if (cipher->algorithm_enc == SSL_RC4)
119		return 0;
120
121	if (security_level <= 2)
122		return 1;
123
124	/* Security level >= 3 requires a cipher with forward secrecy. */
125	if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 &&
126	    cipher->algorithm_ssl != SSL_TLSV1_3)
127		return 0;
128
129	return 1;
130}
131
132static int
133ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version)
134{
135	int min_version = TLS1_2_VERSION;
136	int security_level;
137
138	if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
139		return 0;
140
141	if (security_level < 4)
142		min_version = TLS1_1_VERSION;
143	if (security_level < 3)
144		min_version = TLS1_VERSION;
145
146	return ssl_tls_version(version) >= min_version;
147}
148
149static int
150ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl)
151{
152	return 0;
153}
154
155static int
156ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl)
157{
158	int security_level;
159
160	if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
161		return 0;
162
163	return security_level < 3;
164}
165
166static int
167ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits)
168{
169	int security_level, minimum_bits;
170
171	if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
172	    &minimum_bits))
173		return 0;
174
175	/* Disallow DHE keys weaker than 1024 bits even at security level 0. */
176	if (security_level <= 0 && bits < 80)
177		return 0;
178
179	return bits >= minimum_bits;
180}
181
182static int
183ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits)
184{
185	int minimum_bits;
186
187	if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits))
188		return 0;
189
190	return bits >= minimum_bits;
191}
192
193int
194ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits,
195    int version, void *cipher, void *ex_data)
196{
197	switch (op) {
198	case SSL_SECOP_CIPHER_SUPPORTED:
199	case SSL_SECOP_CIPHER_SHARED:
200	case SSL_SECOP_CIPHER_CHECK:
201		return ssl_security_secop_cipher(ctx, ssl, bits, cipher);
202	case SSL_SECOP_VERSION:
203		return ssl_security_secop_version(ctx, ssl, version);
204	case SSL_SECOP_COMPRESSION:
205		return ssl_security_secop_compression(ctx, ssl);
206	case SSL_SECOP_TICKET:
207		return ssl_security_secop_tickets(ctx, ssl);
208	case SSL_SECOP_TMP_DH:
209		return ssl_security_secop_tmp_dh(ctx, ssl, bits);
210	default:
211		return ssl_security_secop_default(ctx, ssl, bits);
212	}
213}
214
215int
216ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits,
217    int version, void *cipher, void *ex_data)
218{
219	return 1;
220}
221
222int
223ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)
224{
225	return ctx->internal->cert->security_cb(NULL, ctx, op, bits, nid, other,
226	    ctx->internal->cert->security_ex_data);
227}
228
229int
230ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
231{
232	return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
233	    ssl->cert->security_ex_data);
234}
235
236int
237ssl_security_version(const SSL *ssl, int version)
238{
239	return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
240}
241
242int
243ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
244{
245#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
246	return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0,
247	    dh);
248#else
249	return 1;
250#endif
251}
252
253int
254ssl_security_dh(const SSL *ssl, DH *dh)
255{
256#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
257	return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh);
258#else
259	return 1;
260#endif
261}
262
263#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
264static int
265ssl_cert_pubkey_security_bits(const X509 *x509)
266{
267	EVP_PKEY *pkey;
268
269	if ((pkey = X509_get0_pubkey(x509)) == NULL)
270		return -1;
271
272	/*
273	 * XXX: DSA_security_bits() returns -1 on keys without parameters and
274	 * cause the default security callback to fail.
275	 */
276
277	return EVP_PKEY_security_bits(pkey);
278}
279
280static int
281ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int op)
282{
283	int security_bits;
284
285	security_bits = ssl_cert_pubkey_security_bits(x509);
286
287	if (ssl != NULL)
288		return ssl_security(ssl, op, security_bits, 0, x509);
289
290	return ssl_ctx_security(ctx, op, security_bits, 0, x509);
291}
292
293static int
294ssl_cert_signature_md_nid(X509 *x509)
295{
296	int md_nid, signature_nid;
297
298	if ((signature_nid = X509_get_signature_nid(x509)) == NID_undef)
299		return NID_undef;
300
301	if (!OBJ_find_sigid_algs(signature_nid, &md_nid, NULL))
302		return NID_undef;
303
304	return md_nid;
305}
306
307static int
308ssl_cert_md_nid_security_bits(int md_nid)
309{
310	const EVP_MD *md;
311
312	if (md_nid == NID_undef)
313		return -1;
314
315	if ((md = EVP_get_digestbynid(md_nid)) == NULL)
316		return -1;
317
318	/* Assume 4 bits of collision resistance for each hash octet. */
319	return EVP_MD_size(md) * 4;
320}
321
322static int
323ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int op)
324{
325	int md_nid, security_bits;
326
327	/* Don't check signature if self signed. */
328	if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0)
329		return 1;
330
331	md_nid = ssl_cert_signature_md_nid(x509);
332	security_bits = ssl_cert_md_nid_security_bits(md_nid);
333
334	if (ssl != NULL)
335		return ssl_security(ssl, op, security_bits, md_nid, x509);
336
337	return ssl_ctx_security(ctx, op, security_bits, md_nid, x509);
338}
339#endif
340
341int
342ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
343    int is_ee, int *out_error)
344{
345#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
346	int key_error, operation;
347
348	*out_error = 0;
349
350	if (is_ee) {
351		operation = SSL_SECOP_EE_KEY;
352		key_error = SSL_R_EE_KEY_TOO_SMALL;
353	} else {
354		operation = SSL_SECOP_CA_KEY;
355		key_error = SSL_R_CA_KEY_TOO_SMALL;
356	}
357
358	if (!ssl_security_cert_key(ctx, ssl, x509, operation)) {
359		*out_error = key_error;
360		return 0;
361	}
362
363	if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) {
364		*out_error = SSL_R_CA_MD_TOO_WEAK;
365		return 0;
366	}
367
368#endif
369	return 1;
370}
371
372/*
373 * Check security of a chain. If |sk| includes the end entity certificate
374 * then |x509| must be NULL.
375 */
376int
377ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509,
378    int *out_error)
379{
380	int start_idx = 0;
381	int is_ee;
382	int i;
383
384	if (x509 == NULL) {
385		x509 = sk_X509_value(sk, 0);
386		start_idx = 1;
387	}
388
389	if (!ssl_security_cert(NULL, ssl, x509, is_ee = 1, out_error))
390		return 0;
391
392	for (i = start_idx; i < sk_X509_num(sk); i++) {
393		x509 = sk_X509_value(sk, i);
394
395		if (!ssl_security_cert(NULL, ssl, x509, is_ee = 0,
396		    out_error))
397			return 0;
398	}
399
400	return 1;
401}
402
403int
404ssl_security_supported_group(const SSL *ssl, uint16_t group_id)
405{
406	CBB cbb;
407	int bits, nid;
408	uint8_t group[2];
409
410	if (!tls1_ec_group_id2bits(group_id, &bits))
411		return 0;
412	if (!tls1_ec_group_id2nid(group_id, &nid))
413		return 0;
414
415	if (!CBB_init_fixed(&cbb, group, sizeof(group)))
416		return 0;
417	if (!CBB_add_u16(&cbb, group_id))
418		return 0;
419	if (!CBB_finish(&cbb, NULL, NULL))
420		return 0;
421
422	return ssl_security(ssl, SSL_SECOP_CURVE_SUPPORTED, bits, nid, group);
423}
424