xref: /dragonfly/crypto/libressl/ssl/ssl_seclevel.c (revision 961e30ea7dc61d1112b778ea4981eac68129fb86)
1 /*        $OpenBSD: ssl_seclevel.c,v 1.25 2022/08/17 18:41:17 tb Exp $ */
2 /*
3  * Copyright (c) 2020-2022 Theo Buehler <tb@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <stddef.h>
19 
20 #include <openssl/asn1.h>
21 #include <openssl/dh.h>
22 #include <openssl/evp.h>
23 #include <openssl/objects.h>
24 #include <openssl/ossl_typ.h>
25 #include <openssl/ssl.h>
26 #include <openssl/tls1.h>
27 #include <openssl/x509.h>
28 #include <openssl/x509v3.h>
29 
30 #include "bytestring.h"
31 #include "ssl_locl.h"
32 
33 static int
ssl_security_normalize_level(const SSL_CTX * ctx,const SSL * ssl,int * out_level)34 ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level)
35 {
36           int security_level;
37 
38           if (ctx != NULL)
39                     security_level = SSL_CTX_get_security_level(ctx);
40           else
41                     security_level = SSL_get_security_level(ssl);
42 
43           if (security_level < 0)
44                     security_level = 0;
45           if (security_level > 5)
46                     security_level = 5;
47 
48           *out_level = security_level;
49 
50           return 1;
51 }
52 
53 static int
ssl_security_level_to_minimum_bits(int security_level,int * out_minimum_bits)54 ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits)
55 {
56           if (security_level < 0)
57                     return 0;
58 
59           if (security_level == 0)
60                     *out_minimum_bits = 0;
61           else if (security_level == 1)
62                     *out_minimum_bits = 80;
63           else if (security_level == 2)
64                     *out_minimum_bits = 112;
65           else if (security_level == 3)
66                     *out_minimum_bits = 128;
67           else if (security_level == 4)
68                     *out_minimum_bits = 192;
69           else if (security_level >= 5)
70                     *out_minimum_bits = 256;
71 
72           return 1;
73 }
74 
75 static int
ssl_security_level_and_minimum_bits(const SSL_CTX * ctx,const SSL * ssl,int * out_level,int * out_minimum_bits)76 ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl,
77     int *out_level, int *out_minimum_bits)
78 {
79           int security_level = 0, minimum_bits = 0;
80 
81           if (!ssl_security_normalize_level(ctx, ssl, &security_level))
82                     return 0;
83           if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits))
84                     return 0;
85 
86           if (out_level != NULL)
87                     *out_level = security_level;
88           if (out_minimum_bits != NULL)
89                     *out_minimum_bits = minimum_bits;
90 
91           return 1;
92 }
93 
94 static int
ssl_security_secop_cipher(const SSL_CTX * ctx,const SSL * ssl,int bits,void * arg)95 ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits,
96     void *arg)
97 {
98           const SSL_CIPHER *cipher = arg;
99           int security_level, minimum_bits;
100 
101           if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
102               &minimum_bits))
103                     return 0;
104 
105           if (security_level <= 0)
106                     return 1;
107 
108           if (bits < minimum_bits)
109                     return 0;
110 
111           /* No unauthenticated ciphersuites. */
112           if (cipher->algorithm_auth & SSL_aNULL)
113                     return 0;
114 
115           if (cipher->algorithm_mac & SSL_MD5)
116                     return 0;
117 
118           if (security_level <= 1)
119                     return 1;
120 
121           if (cipher->algorithm_enc & SSL_RC4)
122                     return 0;
123 
124           if (security_level <= 2)
125                     return 1;
126 
127           /* Security level >= 3 requires a cipher with forward secrecy. */
128           if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 &&
129               cipher->algorithm_ssl != SSL_TLSV1_3)
130                     return 0;
131 
132           if (security_level <= 3)
133                     return 1;
134 
135           if (cipher->algorithm_mac & SSL_SHA1)
136                     return 0;
137 
138           return 1;
139 }
140 
141 static int
ssl_security_secop_version(const SSL_CTX * ctx,const SSL * ssl,int version)142 ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version)
143 {
144           int min_version = TLS1_2_VERSION;
145           int security_level;
146 
147           if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
148                     return 0;
149 
150           if (security_level < 4)
151                     min_version = TLS1_1_VERSION;
152           if (security_level < 3)
153                     min_version = TLS1_VERSION;
154 
155           return ssl_tls_version(version) >= min_version;
156 }
157 
158 static int
ssl_security_secop_compression(const SSL_CTX * ctx,const SSL * ssl)159 ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl)
160 {
161           return 0;
162 }
163 
164 static int
ssl_security_secop_tickets(const SSL_CTX * ctx,const SSL * ssl)165 ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl)
166 {
167           int security_level;
168 
169           if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
170                     return 0;
171 
172           return security_level < 3;
173 }
174 
175 static int
ssl_security_secop_tmp_dh(const SSL_CTX * ctx,const SSL * ssl,int bits)176 ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits)
177 {
178           int security_level, minimum_bits;
179 
180           if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
181               &minimum_bits))
182                     return 0;
183 
184           /* Disallow DHE keys weaker than 1024 bits even at security level 0. */
185           if (security_level <= 0 && bits < 80)
186                     return 0;
187 
188           return bits >= minimum_bits;
189 }
190 
191 static int
ssl_security_secop_default(const SSL_CTX * ctx,const SSL * ssl,int bits)192 ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits)
193 {
194           int minimum_bits;
195 
196           if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits))
197                     return 0;
198 
199           return bits >= minimum_bits;
200 }
201 
202 int
ssl_security_default_cb(const SSL * ssl,const SSL_CTX * ctx,int secop,int bits,int version,void * cipher,void * ex_data)203 ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
204     int version, void *cipher, void *ex_data)
205 {
206           switch (secop) {
207           case SSL_SECOP_CIPHER_SUPPORTED:
208           case SSL_SECOP_CIPHER_SHARED:
209           case SSL_SECOP_CIPHER_CHECK:
210                     return ssl_security_secop_cipher(ctx, ssl, bits, cipher);
211           case SSL_SECOP_VERSION:
212                     return ssl_security_secop_version(ctx, ssl, version);
213           case SSL_SECOP_COMPRESSION:
214                     return ssl_security_secop_compression(ctx, ssl);
215           case SSL_SECOP_TICKET:
216                     return ssl_security_secop_tickets(ctx, ssl);
217           case SSL_SECOP_TMP_DH:
218                     return ssl_security_secop_tmp_dh(ctx, ssl, bits);
219           default:
220                     return ssl_security_secop_default(ctx, ssl, bits);
221           }
222 }
223 
224 static int
ssl_ctx_security(const SSL_CTX * ctx,int secop,int bits,int nid,void * other)225 ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other)
226 {
227           return ctx->internal->cert->security_cb(NULL, ctx, secop, bits, nid,
228               other, ctx->internal->cert->security_ex_data);
229 }
230 
231 static int
ssl_security(const SSL * ssl,int secop,int bits,int nid,void * other)232 ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other)
233 {
234           return ssl->cert->security_cb(ssl, NULL, secop, bits, nid, other,
235               ssl->cert->security_ex_data);
236 }
237 
238 int
ssl_security_sigalg_check(const SSL * ssl,const EVP_PKEY * pkey)239 ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
240 {
241           int bits;
242 
243           bits = EVP_PKEY_security_bits(pkey);
244 
245           return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK, bits, 0, NULL);
246 }
247 
248 int
ssl_security_tickets(const SSL * ssl)249 ssl_security_tickets(const SSL *ssl)
250 {
251           return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
252 }
253 
254 int
ssl_security_version(const SSL * ssl,int version)255 ssl_security_version(const SSL *ssl, int version)
256 {
257           return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
258 }
259 
260 static int
ssl_security_cipher(const SSL * ssl,SSL_CIPHER * cipher,int secop)261 ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop)
262 {
263           return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
264 }
265 
266 int
ssl_security_cipher_check(const SSL * ssl,SSL_CIPHER * cipher)267 ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher)
268 {
269           return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
270 }
271 
272 int
ssl_security_shared_cipher(const SSL * ssl,SSL_CIPHER * cipher)273 ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher)
274 {
275           return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
276 }
277 
278 int
ssl_security_supported_cipher(const SSL * ssl,SSL_CIPHER * cipher)279 ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
280 {
281           return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
282 }
283 
284 int
ssl_ctx_security_dh(const SSL_CTX * ctx,DH * dh)285 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
286 {
287           int bits;
288 
289           bits = DH_security_bits(dh);
290 
291           return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, bits, 0, dh);
292 }
293 
294 int
ssl_security_dh(const SSL * ssl,DH * dh)295 ssl_security_dh(const SSL *ssl, DH *dh)
296 {
297           int bits;
298 
299           bits = DH_security_bits(dh);
300 
301           return ssl_security(ssl, SSL_SECOP_TMP_DH, bits, 0, dh);
302 }
303 
304 static int
ssl_cert_pubkey_security_bits(const X509 * x509)305 ssl_cert_pubkey_security_bits(const X509 *x509)
306 {
307           EVP_PKEY *pkey;
308 
309           if ((pkey = X509_get0_pubkey(x509)) == NULL)
310                     return -1;
311 
312           /*
313            * XXX: DSA_security_bits() returns -1 on keys without parameters and
314            * makes the default security callback fail.
315            */
316 
317           return EVP_PKEY_security_bits(pkey);
318 }
319 
320 static int
ssl_security_cert_key(const SSL_CTX * ctx,const SSL * ssl,X509 * x509,int secop)321 ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
322 {
323           int security_bits;
324 
325           security_bits = ssl_cert_pubkey_security_bits(x509);
326 
327           if (ssl != NULL)
328                     return ssl_security(ssl, secop, security_bits, 0, x509);
329 
330           return ssl_ctx_security(ctx, secop, security_bits, 0, x509);
331 }
332 
333 static int
ssl_cert_signature_md_nid(X509 * x509)334 ssl_cert_signature_md_nid(X509 *x509)
335 {
336           int md_nid, signature_nid;
337 
338           if ((signature_nid = X509_get_signature_nid(x509)) == NID_undef)
339                     return NID_undef;
340 
341           if (!OBJ_find_sigid_algs(signature_nid, &md_nid, NULL))
342                     return NID_undef;
343 
344           return md_nid;
345 }
346 
347 static int
ssl_cert_md_nid_security_bits(int md_nid)348 ssl_cert_md_nid_security_bits(int md_nid)
349 {
350           const EVP_MD *md;
351 
352           if (md_nid == NID_undef)
353                     return -1;
354 
355           if ((md = EVP_get_digestbynid(md_nid)) == NULL)
356                     return -1;
357 
358           /* Assume 4 bits of collision resistance for each hash octet. */
359           return EVP_MD_size(md) * 4;
360 }
361 
362 static int
ssl_security_cert_sig(const SSL_CTX * ctx,const SSL * ssl,X509 * x509,int secop)363 ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
364 {
365           int md_nid, security_bits;
366 
367           /* Don't check signature if self signed. */
368           if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0)
369                     return 1;
370 
371           md_nid = ssl_cert_signature_md_nid(x509);
372           security_bits = ssl_cert_md_nid_security_bits(md_nid);
373 
374           if (ssl != NULL)
375                     return ssl_security(ssl, secop, security_bits, md_nid, x509);
376 
377           return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509);
378 }
379 
380 int
ssl_security_cert(const SSL_CTX * ctx,const SSL * ssl,X509 * x509,int is_ee,int * out_error)381 ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
382     int is_ee, int *out_error)
383 {
384           int key_error, operation;
385 
386           *out_error = 0;
387 
388           if (is_ee) {
389                     operation = SSL_SECOP_EE_KEY;
390                     key_error = SSL_R_EE_KEY_TOO_SMALL;
391           } else {
392                     operation = SSL_SECOP_CA_KEY;
393                     key_error = SSL_R_CA_KEY_TOO_SMALL;
394           }
395 
396           if (!ssl_security_cert_key(ctx, ssl, x509, operation)) {
397                     *out_error = key_error;
398                     return 0;
399           }
400 
401           if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) {
402                     *out_error = SSL_R_CA_MD_TOO_WEAK;
403                     return 0;
404           }
405 
406           return 1;
407 }
408 
409 /*
410  * Check security of a chain. If |sk| includes the end entity certificate
411  * then |x509| must be NULL.
412  */
413 int
ssl_security_cert_chain(const SSL * ssl,STACK_OF (X509)* sk,X509 * x509,int * out_error)414 ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509,
415     int *out_error)
416 {
417           int start_idx = 0;
418           int is_ee;
419           int i;
420 
421           if (x509 == NULL) {
422                     x509 = sk_X509_value(sk, 0);
423                     start_idx = 1;
424           }
425 
426           is_ee = 1;
427           if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
428                     return 0;
429 
430           is_ee = 0;
431           for (i = start_idx; i < sk_X509_num(sk); i++) {
432                     x509 = sk_X509_value(sk, i);
433 
434                     if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
435                               return 0;
436           }
437 
438           return 1;
439 }
440 
441 static int
ssl_security_group(const SSL * ssl,uint16_t group_id,int secop)442 ssl_security_group(const SSL *ssl, uint16_t group_id, int secop)
443 {
444           CBB cbb;
445           int bits, nid;
446           uint8_t group[2];
447 
448           if (!tls1_ec_group_id2bits(group_id, &bits))
449                     return 0;
450           if (!tls1_ec_group_id2nid(group_id, &nid))
451                     return 0;
452 
453           if (!CBB_init_fixed(&cbb, group, sizeof(group)))
454                     return 0;
455           if (!CBB_add_u16(&cbb, group_id))
456                     return 0;
457           if (!CBB_finish(&cbb, NULL, NULL))
458                     return 0;
459 
460           return ssl_security(ssl, secop, bits, nid, group);
461 }
462 
463 int
ssl_security_shared_group(const SSL * ssl,uint16_t group_id)464 ssl_security_shared_group(const SSL *ssl, uint16_t group_id)
465 {
466           return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SHARED);
467 }
468 
469 int
ssl_security_supported_group(const SSL * ssl,uint16_t group_id)470 ssl_security_supported_group(const SSL *ssl, uint16_t group_id)
471 {
472           return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SUPPORTED);
473 }
474