1 /* $OpenBSD: ssl_seclevel.c,v 1.25 2022/08/17 18:41:17 tb Exp $ */
3 * Copyright (c) 2020-2022 Theo Buehler <tb@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 #include <openssl/asn1.h>
21 #include <openssl/dh.h>
22 #include <openssl/evp.h>
23 #include <openssl/objects.h>
24 #include <openssl/ossl_typ.h>
25 #include <openssl/ssl.h>
26 #include <openssl/tls1.h>
27 #include <openssl/x509.h>
28 #include <openssl/x509v3.h>
30 #include "bytestring.h"
34 ssl_security_normalize_level(const SSL_CTX
*ctx
, const SSL
*ssl
, int *out_level
)
39 security_level
= SSL_CTX_get_security_level(ctx
);
41 security_level
= SSL_get_security_level(ssl
);
43 if (security_level
< 0)
45 if (security_level
> 5)
48 *out_level
= security_level
;
54 ssl_security_level_to_minimum_bits(int security_level
, int *out_minimum_bits
)
56 if (security_level
< 0)
59 if (security_level
== 0)
60 *out_minimum_bits
= 0;
61 else if (security_level
== 1)
62 *out_minimum_bits
= 80;
63 else if (security_level
== 2)
64 *out_minimum_bits
= 112;
65 else if (security_level
== 3)
66 *out_minimum_bits
= 128;
67 else if (security_level
== 4)
68 *out_minimum_bits
= 192;
69 else if (security_level
>= 5)
70 *out_minimum_bits
= 256;
76 ssl_security_level_and_minimum_bits(const SSL_CTX
*ctx
, const SSL
*ssl
,
77 int *out_level
, int *out_minimum_bits
)
79 int security_level
= 0, minimum_bits
= 0;
81 if (!ssl_security_normalize_level(ctx
, ssl
, &security_level
))
83 if (!ssl_security_level_to_minimum_bits(security_level
, &minimum_bits
))
86 if (out_level
!= NULL
)
87 *out_level
= security_level
;
88 if (out_minimum_bits
!= NULL
)
89 *out_minimum_bits
= minimum_bits
;
95 ssl_security_secop_cipher(const SSL_CTX
*ctx
, const SSL
*ssl
, int bits
,
98 const SSL_CIPHER
*cipher
= arg
;
99 int security_level
, minimum_bits
;
101 if (!ssl_security_level_and_minimum_bits(ctx
, ssl
, &security_level
,
105 if (security_level
<= 0)
108 if (bits
< minimum_bits
)
111 /* No unauthenticated ciphersuites. */
112 if (cipher
->algorithm_auth
& SSL_aNULL
)
115 if (cipher
->algorithm_mac
& SSL_MD5
)
118 if (security_level
<= 1)
121 if (cipher
->algorithm_enc
& SSL_RC4
)
124 if (security_level
<= 2)
127 /* Security level >= 3 requires a cipher with forward secrecy. */
128 if ((cipher
->algorithm_mkey
& (SSL_kDHE
| SSL_kECDHE
)) == 0 &&
129 cipher
->algorithm_ssl
!= SSL_TLSV1_3
)
132 if (security_level
<= 3)
135 if (cipher
->algorithm_mac
& SSL_SHA1
)
142 ssl_security_secop_version(const SSL_CTX
*ctx
, const SSL
*ssl
, int version
)
144 int min_version
= TLS1_2_VERSION
;
147 if (!ssl_security_level_and_minimum_bits(ctx
, ssl
, &security_level
, NULL
))
150 if (security_level
< 4)
151 min_version
= TLS1_1_VERSION
;
152 if (security_level
< 3)
153 min_version
= TLS1_VERSION
;
155 return ssl_tls_version(version
) >= min_version
;
159 ssl_security_secop_compression(const SSL_CTX
*ctx
, const SSL
*ssl
)
165 ssl_security_secop_tickets(const SSL_CTX
*ctx
, const SSL
*ssl
)
169 if (!ssl_security_level_and_minimum_bits(ctx
, ssl
, &security_level
, NULL
))
172 return security_level
< 3;
176 ssl_security_secop_tmp_dh(const SSL_CTX
*ctx
, const SSL
*ssl
, int bits
)
178 int security_level
, minimum_bits
;
180 if (!ssl_security_level_and_minimum_bits(ctx
, ssl
, &security_level
,
184 /* Disallow DHE keys weaker than 1024 bits even at security level 0. */
185 if (security_level
<= 0 && bits
< 80)
188 return bits
>= minimum_bits
;
192 ssl_security_secop_default(const SSL_CTX
*ctx
, const SSL
*ssl
, int bits
)
196 if (!ssl_security_level_and_minimum_bits(ctx
, ssl
, NULL
, &minimum_bits
))
199 return bits
>= minimum_bits
;
203 ssl_security_default_cb(const SSL
*ssl
, const SSL_CTX
*ctx
, int secop
, int bits
,
204 int version
, void *cipher
, void *ex_data
)
207 case SSL_SECOP_CIPHER_SUPPORTED
:
208 case SSL_SECOP_CIPHER_SHARED
:
209 case SSL_SECOP_CIPHER_CHECK
:
210 return ssl_security_secop_cipher(ctx
, ssl
, bits
, cipher
);
211 case SSL_SECOP_VERSION
:
212 return ssl_security_secop_version(ctx
, ssl
, version
);
213 case SSL_SECOP_COMPRESSION
:
214 return ssl_security_secop_compression(ctx
, ssl
);
215 case SSL_SECOP_TICKET
:
216 return ssl_security_secop_tickets(ctx
, ssl
);
217 case SSL_SECOP_TMP_DH
:
218 return ssl_security_secop_tmp_dh(ctx
, ssl
, bits
);
220 return ssl_security_secop_default(ctx
, ssl
, bits
);
225 ssl_ctx_security(const SSL_CTX
*ctx
, int secop
, int bits
, int nid
, void *other
)
227 return ctx
->internal
->cert
->security_cb(NULL
, ctx
, secop
, bits
, nid
,
228 other
, ctx
->internal
->cert
->security_ex_data
);
232 ssl_security(const SSL
*ssl
, int secop
, int bits
, int nid
, void *other
)
234 return ssl
->cert
->security_cb(ssl
, NULL
, secop
, bits
, nid
, other
,
235 ssl
->cert
->security_ex_data
);
239 ssl_security_sigalg_check(const SSL
*ssl
, const EVP_PKEY
*pkey
)
243 bits
= EVP_PKEY_security_bits(pkey
);
245 return ssl_security(ssl
, SSL_SECOP_SIGALG_CHECK
, bits
, 0, NULL
);
249 ssl_security_tickets(const SSL
*ssl
)
251 return ssl_security(ssl
, SSL_SECOP_TICKET
, 0, 0, NULL
);
255 ssl_security_version(const SSL
*ssl
, int version
)
257 return ssl_security(ssl
, SSL_SECOP_VERSION
, 0, version
, NULL
);
261 ssl_security_cipher(const SSL
*ssl
, SSL_CIPHER
*cipher
, int secop
)
263 return ssl_security(ssl
, secop
, cipher
->strength_bits
, 0, cipher
);
267 ssl_security_cipher_check(const SSL
*ssl
, SSL_CIPHER
*cipher
)
269 return ssl_security_cipher(ssl
, cipher
, SSL_SECOP_CIPHER_CHECK
);
273 ssl_security_shared_cipher(const SSL
*ssl
, SSL_CIPHER
*cipher
)
275 return ssl_security_cipher(ssl
, cipher
, SSL_SECOP_CIPHER_SHARED
);
279 ssl_security_supported_cipher(const SSL
*ssl
, SSL_CIPHER
*cipher
)
281 return ssl_security_cipher(ssl
, cipher
, SSL_SECOP_CIPHER_SUPPORTED
);
285 ssl_ctx_security_dh(const SSL_CTX
*ctx
, DH
*dh
)
289 bits
= DH_security_bits(dh
);
291 return ssl_ctx_security(ctx
, SSL_SECOP_TMP_DH
, bits
, 0, dh
);
295 ssl_security_dh(const SSL
*ssl
, DH
*dh
)
299 bits
= DH_security_bits(dh
);
301 return ssl_security(ssl
, SSL_SECOP_TMP_DH
, bits
, 0, dh
);
305 ssl_cert_pubkey_security_bits(const X509
*x509
)
309 if ((pkey
= X509_get0_pubkey(x509
)) == NULL
)
313 * XXX: DSA_security_bits() returns -1 on keys without parameters and
314 * makes the default security callback fail.
317 return EVP_PKEY_security_bits(pkey
);
321 ssl_security_cert_key(const SSL_CTX
*ctx
, const SSL
*ssl
, X509
*x509
, int secop
)
325 security_bits
= ssl_cert_pubkey_security_bits(x509
);
328 return ssl_security(ssl
, secop
, security_bits
, 0, x509
);
330 return ssl_ctx_security(ctx
, secop
, security_bits
, 0, x509
);
334 ssl_cert_signature_md_nid(X509
*x509
)
336 int md_nid
, signature_nid
;
338 if ((signature_nid
= X509_get_signature_nid(x509
)) == NID_undef
)
341 if (!OBJ_find_sigid_algs(signature_nid
, &md_nid
, NULL
))
348 ssl_cert_md_nid_security_bits(int md_nid
)
352 if (md_nid
== NID_undef
)
355 if ((md
= EVP_get_digestbynid(md_nid
)) == NULL
)
358 /* Assume 4 bits of collision resistance for each hash octet. */
359 return EVP_MD_size(md
) * 4;
363 ssl_security_cert_sig(const SSL_CTX
*ctx
, const SSL
*ssl
, X509
*x509
, int secop
)
365 int md_nid
, security_bits
;
367 /* Don't check signature if self signed. */
368 if ((X509_get_extension_flags(x509
) & EXFLAG_SS
) != 0)
371 md_nid
= ssl_cert_signature_md_nid(x509
);
372 security_bits
= ssl_cert_md_nid_security_bits(md_nid
);
375 return ssl_security(ssl
, secop
, security_bits
, md_nid
, x509
);
377 return ssl_ctx_security(ctx
, secop
, security_bits
, md_nid
, x509
);
381 ssl_security_cert(const SSL_CTX
*ctx
, const SSL
*ssl
, X509
*x509
,
382 int is_ee
, int *out_error
)
384 int key_error
, operation
;
389 operation
= SSL_SECOP_EE_KEY
;
390 key_error
= SSL_R_EE_KEY_TOO_SMALL
;
392 operation
= SSL_SECOP_CA_KEY
;
393 key_error
= SSL_R_CA_KEY_TOO_SMALL
;
396 if (!ssl_security_cert_key(ctx
, ssl
, x509
, operation
)) {
397 *out_error
= key_error
;
401 if (!ssl_security_cert_sig(ctx
, ssl
, x509
, SSL_SECOP_CA_MD
)) {
402 *out_error
= SSL_R_CA_MD_TOO_WEAK
;
410 * Check security of a chain. If |sk| includes the end entity certificate
411 * then |x509| must be NULL.
414 ssl_security_cert_chain(const SSL
*ssl
, STACK_OF(X509
) *sk
, X509
*x509
,
422 x509
= sk_X509_value(sk
, 0);
427 if (!ssl_security_cert(NULL
, ssl
, x509
, is_ee
, out_error
))
431 for (i
= start_idx
; i
< sk_X509_num(sk
); i
++) {
432 x509
= sk_X509_value(sk
, i
);
434 if (!ssl_security_cert(NULL
, ssl
, x509
, is_ee
, out_error
))
442 ssl_security_group(const SSL
*ssl
, uint16_t group_id
, int secop
)
448 if (!tls1_ec_group_id2bits(group_id
, &bits
))
450 if (!tls1_ec_group_id2nid(group_id
, &nid
))
453 if (!CBB_init_fixed(&cbb
, group
, sizeof(group
)))
455 if (!CBB_add_u16(&cbb
, group_id
))
457 if (!CBB_finish(&cbb
, NULL
, NULL
))
460 return ssl_security(ssl
, secop
, bits
, nid
, group
);
464 ssl_security_shared_group(const SSL
*ssl
, uint16_t group_id
)
466 return ssl_security_group(ssl
, group_id
, SSL_SECOP_CURVE_SHARED
);
470 ssl_security_supported_group(const SSL
*ssl
, uint16_t group_id
)
472 return ssl_security_group(ssl
, group_id
, SSL_SECOP_CURVE_SUPPORTED
);