1 /* $OpenBSD: ssl_seclevel.c,v 1.25 2022/08/17 18:41:17 tb Exp $ */ 2 /* 3 * Copyright (c) 2020-2022 Theo Buehler <tb@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <stddef.h> 19 20 #include <openssl/asn1.h> 21 #include <openssl/dh.h> 22 #include <openssl/evp.h> 23 #include <openssl/objects.h> 24 #include <openssl/ossl_typ.h> 25 #include <openssl/ssl.h> 26 #include <openssl/tls1.h> 27 #include <openssl/x509.h> 28 #include <openssl/x509v3.h> 29 30 #include "bytestring.h" 31 #include "ssl_locl.h" 32 33 static int 34 ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level) 35 { 36 int security_level; 37 38 if (ctx != NULL) 39 security_level = SSL_CTX_get_security_level(ctx); 40 else 41 security_level = SSL_get_security_level(ssl); 42 43 if (security_level < 0) 44 security_level = 0; 45 if (security_level > 5) 46 security_level = 5; 47 48 *out_level = security_level; 49 50 return 1; 51 } 52 53 static int 54 ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits) 55 { 56 if (security_level < 0) 57 return 0; 58 59 if (security_level == 0) 60 *out_minimum_bits = 0; 61 else if (security_level == 1) 62 *out_minimum_bits = 80; 63 else if (security_level == 2) 64 *out_minimum_bits = 112; 65 else if (security_level == 3) 66 *out_minimum_bits = 128; 67 else if (security_level == 4) 68 *out_minimum_bits = 192; 69 else if (security_level >= 5) 70 *out_minimum_bits = 256; 71 72 return 1; 73 } 74 75 static int 76 ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl, 77 int *out_level, int *out_minimum_bits) 78 { 79 int security_level = 0, minimum_bits = 0; 80 81 if (!ssl_security_normalize_level(ctx, ssl, &security_level)) 82 return 0; 83 if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits)) 84 return 0; 85 86 if (out_level != NULL) 87 *out_level = security_level; 88 if (out_minimum_bits != NULL) 89 *out_minimum_bits = minimum_bits; 90 91 return 1; 92 } 93 94 static int 95 ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits, 96 void *arg) 97 { 98 const SSL_CIPHER *cipher = arg; 99 int security_level, minimum_bits; 100 101 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, 102 &minimum_bits)) 103 return 0; 104 105 if (security_level <= 0) 106 return 1; 107 108 if (bits < minimum_bits) 109 return 0; 110 111 /* No unauthenticated ciphersuites. */ 112 if (cipher->algorithm_auth & SSL_aNULL) 113 return 0; 114 115 if (cipher->algorithm_mac & SSL_MD5) 116 return 0; 117 118 if (security_level <= 1) 119 return 1; 120 121 if (cipher->algorithm_enc & SSL_RC4) 122 return 0; 123 124 if (security_level <= 2) 125 return 1; 126 127 /* Security level >= 3 requires a cipher with forward secrecy. */ 128 if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 && 129 cipher->algorithm_ssl != SSL_TLSV1_3) 130 return 0; 131 132 if (security_level <= 3) 133 return 1; 134 135 if (cipher->algorithm_mac & SSL_SHA1) 136 return 0; 137 138 return 1; 139 } 140 141 static int 142 ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version) 143 { 144 int min_version = TLS1_2_VERSION; 145 int security_level; 146 147 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) 148 return 0; 149 150 if (security_level < 4) 151 min_version = TLS1_1_VERSION; 152 if (security_level < 3) 153 min_version = TLS1_VERSION; 154 155 return ssl_tls_version(version) >= min_version; 156 } 157 158 static int 159 ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl) 160 { 161 return 0; 162 } 163 164 static int 165 ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl) 166 { 167 int security_level; 168 169 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) 170 return 0; 171 172 return security_level < 3; 173 } 174 175 static int 176 ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits) 177 { 178 int security_level, minimum_bits; 179 180 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, 181 &minimum_bits)) 182 return 0; 183 184 /* Disallow DHE keys weaker than 1024 bits even at security level 0. */ 185 if (security_level <= 0 && bits < 80) 186 return 0; 187 188 return bits >= minimum_bits; 189 } 190 191 static int 192 ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits) 193 { 194 int minimum_bits; 195 196 if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits)) 197 return 0; 198 199 return bits >= minimum_bits; 200 } 201 202 int 203 ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits, 204 int version, void *cipher, void *ex_data) 205 { 206 switch (secop) { 207 case SSL_SECOP_CIPHER_SUPPORTED: 208 case SSL_SECOP_CIPHER_SHARED: 209 case SSL_SECOP_CIPHER_CHECK: 210 return ssl_security_secop_cipher(ctx, ssl, bits, cipher); 211 case SSL_SECOP_VERSION: 212 return ssl_security_secop_version(ctx, ssl, version); 213 case SSL_SECOP_COMPRESSION: 214 return ssl_security_secop_compression(ctx, ssl); 215 case SSL_SECOP_TICKET: 216 return ssl_security_secop_tickets(ctx, ssl); 217 case SSL_SECOP_TMP_DH: 218 return ssl_security_secop_tmp_dh(ctx, ssl, bits); 219 default: 220 return ssl_security_secop_default(ctx, ssl, bits); 221 } 222 } 223 224 static int 225 ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other) 226 { 227 return ctx->internal->cert->security_cb(NULL, ctx, secop, bits, nid, 228 other, ctx->internal->cert->security_ex_data); 229 } 230 231 static int 232 ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other) 233 { 234 return ssl->cert->security_cb(ssl, NULL, secop, bits, nid, other, 235 ssl->cert->security_ex_data); 236 } 237 238 int 239 ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey) 240 { 241 int bits; 242 243 bits = EVP_PKEY_security_bits(pkey); 244 245 return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK, bits, 0, NULL); 246 } 247 248 int 249 ssl_security_tickets(const SSL *ssl) 250 { 251 return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL); 252 } 253 254 int 255 ssl_security_version(const SSL *ssl, int version) 256 { 257 return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL); 258 } 259 260 static int 261 ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop) 262 { 263 return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher); 264 } 265 266 int 267 ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher) 268 { 269 return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK); 270 } 271 272 int 273 ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher) 274 { 275 return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED); 276 } 277 278 int 279 ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher) 280 { 281 return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED); 282 } 283 284 int 285 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh) 286 { 287 int bits; 288 289 bits = DH_security_bits(dh); 290 291 return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, bits, 0, dh); 292 } 293 294 int 295 ssl_security_dh(const SSL *ssl, DH *dh) 296 { 297 int bits; 298 299 bits = DH_security_bits(dh); 300 301 return ssl_security(ssl, SSL_SECOP_TMP_DH, bits, 0, dh); 302 } 303 304 static int 305 ssl_cert_pubkey_security_bits(const X509 *x509) 306 { 307 EVP_PKEY *pkey; 308 309 if ((pkey = X509_get0_pubkey(x509)) == NULL) 310 return -1; 311 312 /* 313 * XXX: DSA_security_bits() returns -1 on keys without parameters and 314 * makes the default security callback fail. 315 */ 316 317 return EVP_PKEY_security_bits(pkey); 318 } 319 320 static int 321 ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop) 322 { 323 int security_bits; 324 325 security_bits = ssl_cert_pubkey_security_bits(x509); 326 327 if (ssl != NULL) 328 return ssl_security(ssl, secop, security_bits, 0, x509); 329 330 return ssl_ctx_security(ctx, secop, security_bits, 0, x509); 331 } 332 333 static int 334 ssl_cert_signature_md_nid(X509 *x509) 335 { 336 int md_nid, signature_nid; 337 338 if ((signature_nid = X509_get_signature_nid(x509)) == NID_undef) 339 return NID_undef; 340 341 if (!OBJ_find_sigid_algs(signature_nid, &md_nid, NULL)) 342 return NID_undef; 343 344 return md_nid; 345 } 346 347 static int 348 ssl_cert_md_nid_security_bits(int md_nid) 349 { 350 const EVP_MD *md; 351 352 if (md_nid == NID_undef) 353 return -1; 354 355 if ((md = EVP_get_digestbynid(md_nid)) == NULL) 356 return -1; 357 358 /* Assume 4 bits of collision resistance for each hash octet. */ 359 return EVP_MD_size(md) * 4; 360 } 361 362 static int 363 ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop) 364 { 365 int md_nid, security_bits; 366 367 /* Don't check signature if self signed. */ 368 if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0) 369 return 1; 370 371 md_nid = ssl_cert_signature_md_nid(x509); 372 security_bits = ssl_cert_md_nid_security_bits(md_nid); 373 374 if (ssl != NULL) 375 return ssl_security(ssl, secop, security_bits, md_nid, x509); 376 377 return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509); 378 } 379 380 int 381 ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, 382 int is_ee, int *out_error) 383 { 384 int key_error, operation; 385 386 *out_error = 0; 387 388 if (is_ee) { 389 operation = SSL_SECOP_EE_KEY; 390 key_error = SSL_R_EE_KEY_TOO_SMALL; 391 } else { 392 operation = SSL_SECOP_CA_KEY; 393 key_error = SSL_R_CA_KEY_TOO_SMALL; 394 } 395 396 if (!ssl_security_cert_key(ctx, ssl, x509, operation)) { 397 *out_error = key_error; 398 return 0; 399 } 400 401 if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) { 402 *out_error = SSL_R_CA_MD_TOO_WEAK; 403 return 0; 404 } 405 406 return 1; 407 } 408 409 /* 410 * Check security of a chain. If |sk| includes the end entity certificate 411 * then |x509| must be NULL. 412 */ 413 int 414 ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509, 415 int *out_error) 416 { 417 int start_idx = 0; 418 int is_ee; 419 int i; 420 421 if (x509 == NULL) { 422 x509 = sk_X509_value(sk, 0); 423 start_idx = 1; 424 } 425 426 is_ee = 1; 427 if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error)) 428 return 0; 429 430 is_ee = 0; 431 for (i = start_idx; i < sk_X509_num(sk); i++) { 432 x509 = sk_X509_value(sk, i); 433 434 if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error)) 435 return 0; 436 } 437 438 return 1; 439 } 440 441 static int 442 ssl_security_group(const SSL *ssl, uint16_t group_id, int secop) 443 { 444 CBB cbb; 445 int bits, nid; 446 uint8_t group[2]; 447 448 if (!tls1_ec_group_id2bits(group_id, &bits)) 449 return 0; 450 if (!tls1_ec_group_id2nid(group_id, &nid)) 451 return 0; 452 453 if (!CBB_init_fixed(&cbb, group, sizeof(group))) 454 return 0; 455 if (!CBB_add_u16(&cbb, group_id)) 456 return 0; 457 if (!CBB_finish(&cbb, NULL, NULL)) 458 return 0; 459 460 return ssl_security(ssl, secop, bits, nid, group); 461 } 462 463 int 464 ssl_security_shared_group(const SSL *ssl, uint16_t group_id) 465 { 466 return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SHARED); 467 } 468 469 int 470 ssl_security_supported_group(const SSL *ssl, uint16_t group_id) 471 { 472 return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SUPPORTED); 473 } 474