summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2022-06-28 20:40:25 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-06-28 20:40:25 +0000
commitdfd8064e30433d4371b5737d0fde9a7c15e741f7 (patch)
tree37fa599eae96995b2d367038031c6be0cd4888a3
parent88a25fc9704cabb8da7b08456df30f2c386d1e7d (diff)
Implement the default security level callback
And here is where the fun starts. The tentacles will grow everywhere. ok beck jsing sthen
-rw-r--r--lib/libssl/Makefile3
-rw-r--r--lib/libssl/ssl_locl.h7
-rw-r--r--lib/libssl/ssl_seclevel.c194
3 files changed, 202 insertions, 2 deletions
diff --git a/lib/libssl/Makefile b/lib/libssl/Makefile
index 5a0a7bbc020..e6930b0b9f6 100644
--- a/lib/libssl/Makefile
+++ b/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.74 2022/01/14 09:09:30 tb Exp $
+# $OpenBSD: Makefile,v 1.75 2022/06/28 20:40:24 tb Exp $
.include <bsd.own.mk>
.ifndef NOMAN
@@ -58,6 +58,7 @@ SRCS= \
ssl_packet.c \
ssl_pkt.c \
ssl_rsa.c \
+ ssl_seclevel.c \
ssl_sess.c \
ssl_sigalgs.c \
ssl_srvr.c \
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 5b976bddc78..ab547ea5bc0 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.395 2022/06/28 20:31:43 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.396 2022/06/28 20:40:24 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1282,6 +1282,11 @@ int ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain);
int ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert);
int ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert);
+int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
+ int bits, int nid, void *other, void *ex_data);
+int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
+ int bits, int nid, void *other, void *ex_data);
+
int ssl_get_new_session(SSL *s, int session);
int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
int *alert);
diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c
new file mode 100644
index 00000000000..3da78c65b79
--- /dev/null
+++ b/lib/libssl/ssl_seclevel.c
@@ -0,0 +1,194 @@
+/* $OpenBSD: ssl_seclevel.c,v 1.1 2022/06/28 20:40:24 tb Exp $ */
+/*
+ * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stddef.h>
+
+#include <openssl/ossl_typ.h>
+#include <openssl/ssl.h>
+#include <openssl/tls1.h>
+
+#include "ssl_locl.h"
+
+static int
+ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level)
+{
+ int security_level;
+
+ if (ctx != NULL)
+ security_level = SSL_CTX_get_security_level(ctx);
+ else
+ security_level = SSL_get_security_level(ssl);
+
+ if (security_level < 0)
+ security_level = 0;
+ if (security_level > 5)
+ security_level = 5;
+
+ *out_level = security_level;
+
+ return 1;
+}
+
+static int
+ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits)
+{
+ if (security_level < 0)
+ return 0;
+
+ if (security_level == 0)
+ *out_minimum_bits = 0;
+ else if (security_level == 1)
+ *out_minimum_bits = 80;
+ else if (security_level == 2)
+ *out_minimum_bits = 112;
+ else if (security_level == 3)
+ *out_minimum_bits = 128;
+ else if (security_level == 4)
+ *out_minimum_bits = 192;
+ else if (security_level >= 5)
+ *out_minimum_bits = 256;
+
+ return 1;
+}
+
+static int
+ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl,
+ int *out_level, int *out_minimum_bits)
+{
+ int security_level = 0, minimum_bits = 0;
+
+ if (!ssl_security_normalize_level(ctx, ssl, &security_level))
+ return 0;
+ if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits))
+ return 0;
+
+ if (out_level != NULL)
+ *out_level = security_level;
+ if (out_minimum_bits != NULL)
+ *out_minimum_bits = minimum_bits;
+
+ return 1;
+}
+
+static int
+ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits,
+ void *arg)
+{
+ const SSL_CIPHER *cipher = arg;
+ int security_level, minimum_bits;
+
+ if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
+ &minimum_bits))
+ return 0;
+
+ if (security_level <= 0)
+ return 1;
+
+ if (bits < minimum_bits)
+ return 0;
+
+ /* No unauthenticated ciphersuites */
+ if (cipher->algorithm_auth & SSL_aNULL)
+ return 0;
+
+ if (security_level <= 1)
+ return 1;
+
+ if (cipher->algorithm_enc == SSL_RC4)
+ return 0;
+
+ if (security_level <= 2)
+ return 1;
+
+ /* XXX TLSv1.3 */
+ if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0)
+ return 0;
+
+ return 1;
+}
+
+static int
+ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version)
+{
+ int min_version = TLS1_2_VERSION;
+ int security_level;
+
+ if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
+ return 0;
+
+ if (security_level < 4)
+ min_version = TLS1_1_VERSION;
+ if (security_level < 3)
+ min_version = TLS1_VERSION;
+
+ return ssl_tls_version(version) >= min_version;
+}
+
+static int
+ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl)
+{
+ return 0;
+}
+
+static int
+ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl)
+{
+ int security_level;
+
+ if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
+ return 0;
+
+ return security_level < 3;
+}
+
+static int
+ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits)
+{
+ int minimum_bits;
+
+ if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits))
+ return 0;
+
+ return bits >= minimum_bits;
+}
+
+int
+ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits,
+ int version, void *cipher, void *ex_data)
+{
+ switch (op) {
+ case SSL_SECOP_CIPHER_SUPPORTED:
+ case SSL_SECOP_CIPHER_SHARED:
+ case SSL_SECOP_CIPHER_CHECK:
+ return ssl_security_secop_cipher(ctx, ssl, bits, cipher);
+ case SSL_SECOP_VERSION:
+ return ssl_security_secop_version(ctx, ssl, version);
+ case SSL_SECOP_COMPRESSION:
+ return ssl_security_secop_compression(ctx, ssl);
+ case SSL_SECOP_TICKET:
+ return ssl_security_secop_tickets(ctx, ssl);
+ default:
+ return ssl_security_secop_default(ctx, ssl, bits);
+ }
+}
+
+int
+ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits,
+ int version, void *cipher, void *ex_data)
+{
+ return 1;
+}