diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2022-06-28 20:40:25 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2022-06-28 20:40:25 +0000 |
commit | dfd8064e30433d4371b5737d0fde9a7c15e741f7 (patch) | |
tree | 37fa599eae96995b2d367038031c6be0cd4888a3 | |
parent | 88a25fc9704cabb8da7b08456df30f2c386d1e7d (diff) |
Implement the default security level callback
And here is where the fun starts. The tentacles will grow everywhere.
ok beck jsing sthen
-rw-r--r-- | lib/libssl/Makefile | 3 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 7 | ||||
-rw-r--r-- | lib/libssl/ssl_seclevel.c | 194 |
3 files changed, 202 insertions, 2 deletions
diff --git a/lib/libssl/Makefile b/lib/libssl/Makefile index 5a0a7bbc020..e6930b0b9f6 100644 --- a/lib/libssl/Makefile +++ b/lib/libssl/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.74 2022/01/14 09:09:30 tb Exp $ +# $OpenBSD: Makefile,v 1.75 2022/06/28 20:40:24 tb Exp $ .include <bsd.own.mk> .ifndef NOMAN @@ -58,6 +58,7 @@ SRCS= \ ssl_packet.c \ ssl_pkt.c \ ssl_rsa.c \ + ssl_seclevel.c \ ssl_sess.c \ ssl_sigalgs.c \ ssl_srvr.c \ diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 5b976bddc78..ab547ea5bc0 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.395 2022/06/28 20:31:43 tb Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.396 2022/06/28 20:40:24 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1282,6 +1282,11 @@ int ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain); int ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert); int ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert); +int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op, + int bits, int nid, void *other, void *ex_data); +int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op, + int bits, int nid, void *other, void *ex_data); + int ssl_get_new_session(SSL *s, int session); int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert); diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c new file mode 100644 index 00000000000..3da78c65b79 --- /dev/null +++ b/lib/libssl/ssl_seclevel.c @@ -0,0 +1,194 @@ +/* $OpenBSD: ssl_seclevel.c,v 1.1 2022/06/28 20:40:24 tb Exp $ */ +/* + * Copyright (c) 2020 Theo Buehler <tb@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include <stddef.h> + +#include <openssl/ossl_typ.h> +#include <openssl/ssl.h> +#include <openssl/tls1.h> + +#include "ssl_locl.h" + +static int +ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level) +{ + int security_level; + + if (ctx != NULL) + security_level = SSL_CTX_get_security_level(ctx); + else + security_level = SSL_get_security_level(ssl); + + if (security_level < 0) + security_level = 0; + if (security_level > 5) + security_level = 5; + + *out_level = security_level; + + return 1; +} + +static int +ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits) +{ + if (security_level < 0) + return 0; + + if (security_level == 0) + *out_minimum_bits = 0; + else if (security_level == 1) + *out_minimum_bits = 80; + else if (security_level == 2) + *out_minimum_bits = 112; + else if (security_level == 3) + *out_minimum_bits = 128; + else if (security_level == 4) + *out_minimum_bits = 192; + else if (security_level >= 5) + *out_minimum_bits = 256; + + return 1; +} + +static int +ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl, + int *out_level, int *out_minimum_bits) +{ + int security_level = 0, minimum_bits = 0; + + if (!ssl_security_normalize_level(ctx, ssl, &security_level)) + return 0; + if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits)) + return 0; + + if (out_level != NULL) + *out_level = security_level; + if (out_minimum_bits != NULL) + *out_minimum_bits = minimum_bits; + + return 1; +} + +static int +ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits, + void *arg) +{ + const SSL_CIPHER *cipher = arg; + int security_level, minimum_bits; + + if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, + &minimum_bits)) + return 0; + + if (security_level <= 0) + return 1; + + if (bits < minimum_bits) + return 0; + + /* No unauthenticated ciphersuites */ + if (cipher->algorithm_auth & SSL_aNULL) + return 0; + + if (security_level <= 1) + return 1; + + if (cipher->algorithm_enc == SSL_RC4) + return 0; + + if (security_level <= 2) + return 1; + + /* XXX TLSv1.3 */ + if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0) + return 0; + + return 1; +} + +static int +ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version) +{ + int min_version = TLS1_2_VERSION; + int security_level; + + if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) + return 0; + + if (security_level < 4) + min_version = TLS1_1_VERSION; + if (security_level < 3) + min_version = TLS1_VERSION; + + return ssl_tls_version(version) >= min_version; +} + +static int +ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl) +{ + return 0; +} + +static int +ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl) +{ + int security_level; + + if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) + return 0; + + return security_level < 3; +} + +static int +ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits) +{ + int minimum_bits; + + if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits)) + return 0; + + return bits >= minimum_bits; +} + +int +ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits, + int version, void *cipher, void *ex_data) +{ + switch (op) { + case SSL_SECOP_CIPHER_SUPPORTED: + case SSL_SECOP_CIPHER_SHARED: + case SSL_SECOP_CIPHER_CHECK: + return ssl_security_secop_cipher(ctx, ssl, bits, cipher); + case SSL_SECOP_VERSION: + return ssl_security_secop_version(ctx, ssl, version); + case SSL_SECOP_COMPRESSION: + return ssl_security_secop_compression(ctx, ssl); + case SSL_SECOP_TICKET: + return ssl_security_secop_tickets(ctx, ssl); + default: + return ssl_security_secop_default(ctx, ssl, bits); + } +} + +int +ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits, + int version, void *cipher, void *ex_data) +{ + return 1; +} |