search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
inet6: only mark autoconf addresses tentative if detached
[dragonfly.git] / crypto / libressl / ssl / ssl_seclevel.c
blobb691b9bc4bc56f85b3e7e47860a7cf2755041158
1 /* $OpenBSD: ssl_seclevel.c,v 1.25 2022/08/17 18:41:17 tb Exp $ */
2 /*
3 * Copyright (c) 2020-2022 Theo Buehler <tb@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <stddef.h>
19
20 #include <openssl/asn1.h>
21 #include <openssl/dh.h>
22 #include <openssl/evp.h>
23 #include <openssl/objects.h>
24 #include <openssl/ossl_typ.h>
25 #include <openssl/ssl.h>
26 #include <openssl/tls1.h>
27 #include <openssl/x509.h>
28 #include <openssl/x509v3.h>
29
30 #include "bytestring.h"
31 #include "ssl_locl.h"
32
33 static int
34 ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level)
35 {
36 int security_level;
37
38 if (ctx != NULL)
39 security_level = SSL_CTX_get_security_level(ctx);
40 else
41 security_level = SSL_get_security_level(ssl);
42
43 if (security_level < 0)
44 security_level = 0;
45 if (security_level > 5)
46 security_level = 5;
47
48 *out_level = security_level;
49
50 return 1;
51 }
52
53 static int
54 ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits)
55 {
56 if (security_level < 0)
57 return 0;
58
59 if (security_level == 0)
60 *out_minimum_bits = 0;
61 else if (security_level == 1)
62 *out_minimum_bits = 80;
63 else if (security_level == 2)
64 *out_minimum_bits = 112;
65 else if (security_level == 3)
66 *out_minimum_bits = 128;
67 else if (security_level == 4)
68 *out_minimum_bits = 192;
69 else if (security_level >= 5)
70 *out_minimum_bits = 256;
71
72 return 1;
73 }
74
75 static int
76 ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl,
77 int *out_level, int *out_minimum_bits)
78 {
79 int security_level = 0, minimum_bits = 0;
80
81 if (!ssl_security_normalize_level(ctx, ssl, &security_level))
82 return 0;
83 if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits))
84 return 0;
85
86 if (out_level != NULL)
87 *out_level = security_level;
88 if (out_minimum_bits != NULL)
89 *out_minimum_bits = minimum_bits;
90
91 return 1;
92 }
93
94 static int
95 ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits,
96 void *arg)
97 {
98 const SSL_CIPHER *cipher = arg;
99 int security_level, minimum_bits;
100
101 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
102 &minimum_bits))
103 return 0;
104
105 if (security_level <= 0)
106 return 1;
107
108 if (bits < minimum_bits)
109 return 0;
110
111 /* No unauthenticated ciphersuites. */
112 if (cipher->algorithm_auth & SSL_aNULL)
113 return 0;
114
115 if (cipher->algorithm_mac & SSL_MD5)
116 return 0;
117
118 if (security_level <= 1)
119 return 1;
120
121 if (cipher->algorithm_enc & SSL_RC4)
122 return 0;
123
124 if (security_level <= 2)
125 return 1;
126
127 /* Security level >= 3 requires a cipher with forward secrecy. */
128 if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 &&
129 cipher->algorithm_ssl != SSL_TLSV1_3)
130 return 0;
131
132 if (security_level <= 3)
133 return 1;
134
135 if (cipher->algorithm_mac & SSL_SHA1)
136 return 0;
137
138 return 1;
139 }
140
141 static int
142 ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version)
143 {
144 int min_version = TLS1_2_VERSION;
145 int security_level;
146
147 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
148 return 0;
149
150 if (security_level < 4)
151 min_version = TLS1_1_VERSION;
152 if (security_level < 3)
153 min_version = TLS1_VERSION;
154
155 return ssl_tls_version(version) >= min_version;
156 }
157
158 static int
159 ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl)
160 {
161 return 0;
162 }
163
164 static int
165 ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl)
166 {
167 int security_level;
168
169 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
170 return 0;
171
172 return security_level < 3;
173 }
174
175 static int
176 ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits)
177 {
178 int security_level, minimum_bits;
179
180 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
181 &minimum_bits))
182 return 0;
183
184 /* Disallow DHE keys weaker than 1024 bits even at security level 0. */
185 if (security_level <= 0 && bits < 80)
186 return 0;
187
188 return bits >= minimum_bits;
189 }
190
191 static int
192 ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits)
193 {
194 int minimum_bits;
195
196 if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits))
197 return 0;
198
199 return bits >= minimum_bits;
200 }
201
202 int
203 ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
204 int version, void *cipher, void *ex_data)
205 {
206 switch (secop) {
207 case SSL_SECOP_CIPHER_SUPPORTED:
208 case SSL_SECOP_CIPHER_SHARED:
209 case SSL_SECOP_CIPHER_CHECK:
210 return ssl_security_secop_cipher(ctx, ssl, bits, cipher);
211 case SSL_SECOP_VERSION:
212 return ssl_security_secop_version(ctx, ssl, version);
213 case SSL_SECOP_COMPRESSION:
214 return ssl_security_secop_compression(ctx, ssl);
215 case SSL_SECOP_TICKET:
216 return ssl_security_secop_tickets(ctx, ssl);
217 case SSL_SECOP_TMP_DH:
218 return ssl_security_secop_tmp_dh(ctx, ssl, bits);
219 default:
220 return ssl_security_secop_default(ctx, ssl, bits);
221 }
222 }
223
224 static int
225 ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other)
226 {
227 return ctx->internal->cert->security_cb(NULL, ctx, secop, bits, nid,
228 other, ctx->internal->cert->security_ex_data);
229 }
230
231 static int
232 ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other)
233 {
234 return ssl->cert->security_cb(ssl, NULL, secop, bits, nid, other,
235 ssl->cert->security_ex_data);
236 }
237
238 int
239 ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
240 {
241 int bits;
242
243 bits = EVP_PKEY_security_bits(pkey);
244
245 return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK, bits, 0, NULL);
246 }
247
248 int
249 ssl_security_tickets(const SSL *ssl)
250 {
251 return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
252 }
253
254 int
255 ssl_security_version(const SSL *ssl, int version)
256 {
257 return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
258 }
259
260 static int
261 ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop)
262 {
263 return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
264 }
265
266 int
267 ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher)
268 {
269 return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
270 }
271
272 int
273 ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher)
274 {
275 return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
276 }
277
278 int
279 ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
280 {
281 return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
282 }
283
284 int
285 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
286 {
287 int bits;
288
289 bits = DH_security_bits(dh);
290
291 return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, bits, 0, dh);
292 }
293
294 int
295 ssl_security_dh(const SSL *ssl, DH *dh)
296 {
297 int bits;
298
299 bits = DH_security_bits(dh);
300
301 return ssl_security(ssl, SSL_SECOP_TMP_DH, bits, 0, dh);
302 }
303
304 static int
305 ssl_cert_pubkey_security_bits(const X509 *x509)
306 {
307 EVP_PKEY *pkey;
308
309 if ((pkey = X509_get0_pubkey(x509)) == NULL)
310 return -1;
311
312 /*
313 * XXX: DSA_security_bits() returns -1 on keys without parameters and
314 * makes the default security callback fail.
315 */
316
317 return EVP_PKEY_security_bits(pkey);
318 }
319
320 static int
321 ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
322 {
323 int security_bits;
324
325 security_bits = ssl_cert_pubkey_security_bits(x509);
326
327 if (ssl != NULL)
328 return ssl_security(ssl, secop, security_bits, 0, x509);
329
330 return ssl_ctx_security(ctx, secop, security_bits, 0, x509);
331 }
332
333 static int
334 ssl_cert_signature_md_nid(X509 *x509)
335 {
336 int md_nid, signature_nid;
337
338 if ((signature_nid = X509_get_signature_nid(x509)) == NID_undef)
339 return NID_undef;
340
341 if (!OBJ_find_sigid_algs(signature_nid, &md_nid, NULL))
342 return NID_undef;
343
344 return md_nid;
345 }
346
347 static int
348 ssl_cert_md_nid_security_bits(int md_nid)
349 {
350 const EVP_MD *md;
351
352 if (md_nid == NID_undef)
353 return -1;
354
355 if ((md = EVP_get_digestbynid(md_nid)) == NULL)
356 return -1;
357
358 /* Assume 4 bits of collision resistance for each hash octet. */
359 return EVP_MD_size(md) * 4;
360 }
361
362 static int
363 ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
364 {
365 int md_nid, security_bits;
366
367 /* Don't check signature if self signed. */
368 if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0)
369 return 1;
370
371 md_nid = ssl_cert_signature_md_nid(x509);
372 security_bits = ssl_cert_md_nid_security_bits(md_nid);
373
374 if (ssl != NULL)
375 return ssl_security(ssl, secop, security_bits, md_nid, x509);
376
377 return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509);
378 }
379
380 int
381 ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
382 int is_ee, int *out_error)
383 {
384 int key_error, operation;
385
386 *out_error = 0;
387
388 if (is_ee) {
389 operation = SSL_SECOP_EE_KEY;
390 key_error = SSL_R_EE_KEY_TOO_SMALL;
391 } else {
392 operation = SSL_SECOP_CA_KEY;
393 key_error = SSL_R_CA_KEY_TOO_SMALL;
394 }
395
396 if (!ssl_security_cert_key(ctx, ssl, x509, operation)) {
397 *out_error = key_error;
398 return 0;
399 }
400
401 if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) {
402 *out_error = SSL_R_CA_MD_TOO_WEAK;
403 return 0;
404 }
405
406 return 1;
407 }
408
409 /*
410 * Check security of a chain. If |sk| includes the end entity certificate
411 * then |x509| must be NULL.
412 */
413 int
414 ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509,
415 int *out_error)
416 {
417 int start_idx = 0;
418 int is_ee;
419 int i;
420
421 if (x509 == NULL) {
422 x509 = sk_X509_value(sk, 0);
423 start_idx = 1;
424 }
425
426 is_ee = 1;
427 if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
428 return 0;
429
430 is_ee = 0;
431 for (i = start_idx; i < sk_X509_num(sk); i++) {
432 x509 = sk_X509_value(sk, i);
433
434 if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
435 return 0;
436 }
437
438 return 1;
439 }
440
441 static int
442 ssl_security_group(const SSL *ssl, uint16_t group_id, int secop)
443 {
444 CBB cbb;
445 int bits, nid;
446 uint8_t group[2];
447
448 if (!tls1_ec_group_id2bits(group_id, &bits))
449 return 0;
450 if (!tls1_ec_group_id2nid(group_id, &nid))
451 return 0;
452
453 if (!CBB_init_fixed(&cbb, group, sizeof(group)))
454 return 0;
455 if (!CBB_add_u16(&cbb, group_id))
456 return 0;
457 if (!CBB_finish(&cbb, NULL, NULL))
458 return 0;
459
460 return ssl_security(ssl, secop, bits, nid, group);
461 }
462
463 int
464 ssl_security_shared_group(const SSL *ssl, uint16_t group_id)
465 {
466 return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SHARED);
467 }
468
469 int
470 ssl_security_supported_group(const SSL *ssl, uint16_t group_id)
471 {
472 return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SUPPORTED);
473 }
DragonFly BSD