From 4fb917263ac30373cb3e5dfe3e207369eb238def Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Sun, 22 Nov 2020 15:46:34 +0000 Subject: Add SSL_PROTOCOL and SSL_CIPHER support, fix some bugs --- src/sbearssl/deps-lib/sbearssl | 8 +- src/sbearssl/sbearssl-internal.h | 51 ++++++++ src/sbearssl/sbearssl_send_environment.c | 31 +++++ src/sbearssl/sbearssl_suite_bits.c | 16 +++ src/sbearssl/sbearssl_suite_list.c | 201 +++++++++++++++++++++++++++++++ src/sbearssl/sbearssl_suite_name.c | 14 +++ 6 files changed, 319 insertions(+), 2 deletions(-) create mode 100644 src/sbearssl/sbearssl_send_environment.c create mode 100644 src/sbearssl/sbearssl_suite_bits.c create mode 100644 src/sbearssl/sbearssl_suite_list.c create mode 100644 src/sbearssl/sbearssl_suite_name.c (limited to 'src/sbearssl') diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index 13df389..dfa4f29 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl @@ -3,6 +3,7 @@ sbearssl_cert_from.o sbearssl_cert_readbigpem.o sbearssl_cert_readfile.o sbearssl_cert_to.o +sbearssl_client_init_and_run.o sbearssl_drop.o sbearssl_ec_issuer_keytype.o sbearssl_ec_pkey_from.o @@ -21,9 +22,14 @@ sbearssl_rsa_pkey_to.o sbearssl_rsa_skey_from.o sbearssl_rsa_skey_to.o sbearssl_run.o +sbearssl_send_environment.o +sbearssl_server_init_and_run.o sbearssl_skey_from.o sbearssl_skey_readfile.o sbearssl_skey_to.o +sbearssl_suite_bits.o +sbearssl_suite_list.o +sbearssl_suite_name.o sbearssl_ta_cert.o sbearssl_ta_certs.o sbearssl_ta_from.o @@ -33,7 +39,5 @@ sbearssl_ta_to.o sbearssl_x500_name_len.o sbearssl_x500_from_ta.o sbearssl_x509_minimal_set_tai.o -sbearssl_client_init_and_run.o -sbearssl_server_init_and_run.o -lbearssl -lskarnet diff --git a/src/sbearssl/sbearssl-internal.h b/src/sbearssl/sbearssl-internal.h index 2d98680..bfaad73 100644 --- a/src/sbearssl/sbearssl-internal.h +++ b/src/sbearssl/sbearssl-internal.h @@ -5,9 +5,12 @@ #include #include + #include + #include #include + #include typedef struct sbearssl_strallocerr_s sbearssl_strallocerr, *sbearssl_strallocerr_ref ; @@ -17,8 +20,56 @@ struct sbearssl_strallocerr_s int err ; } ; +typedef enum sbearssl_suite_prop_e sbearssl_suite_prop ; +enum sbearssl_suite_prop_e +{ + /* key exchange */ + kRSA = 1<<0, + ECDHE = 1<<1, + + /* authentication */ + aRSA = 1<<2, + ECDSA = 1<<3, + + /* encryption */ + TRIPLEDES = 1<<4, + AES128 = 1<<5, + AES256 = 1<<6, + AESGCM = 1<<7, + AESCCM = 1<<8, + AESCCM8 = 1<<9, + CHACHA20 = 1<<10, + + /* MAC */ + AEAD = 1<<11, + SHA1 = 1<<12, + SHA256 = 1<<13, + SHA384 = 1<<14, + + /* minimum TLS version */ + TLS10 = 1<<15, + TLS12 = 1<<16, + + /* strength */ + HIGH = 1<<17, + MEDIUM = 1<<18, + LOW = 1<<19, +} ; + +typedef struct sbearssl_suiteinfo_s sbearssl_suiteinfo, *sbearssl_suiteinfo_ref ; +struct sbearssl_suiteinfo_s +{ + char name[32] ; + uint16_t id ; + sbearssl_suite_prop prop ; + uint16_t bits ; +} ; + extern void sbearssl_drop (void) ; extern void sbearssl_append (void *, void const *, size_t) ; extern int sbearssl_pem_push (br_pem_decoder_context *, char const *, size_t, sbearssl_pemobject *, genalloc *, sbearssl_strallocerr *, int *) ; +extern sbearssl_suiteinfo const *const sbearssl_suite_list ; +extern size_t const sbearssl_suite_list_len ; + #endif diff --git a/src/sbearssl/sbearssl_send_environment.c b/src/sbearssl/sbearssl_send_environment.c new file mode 100644 index 0000000..3e1f1e1 --- /dev/null +++ b/src/sbearssl/sbearssl_send_environment.c @@ -0,0 +1,31 @@ +/* ISC license. */ + +#include +#include + +#include + +#include + +int sbearssl_send_environment (br_ssl_engine_context *ctx, int fd) +{ + char buf[4096] ; + buffer b = BUFFER_INIT(&buffer_write, fd, buf, 4096) ; + unsigned int v = br_ssl_engine_get_version(ctx) ; + char const *suite ; + br_ssl_session_parameters params ; + + br_ssl_engine_get_session_parameters(ctx, ¶ms) ; + suite = sbearssl_suite_name(¶ms) ; + byte_zzero((char *)params.master_secret, 48) ; + if (!suite) suite = "" ; + + if (buffer_puts(&b, "SSL_PROTOCOL=") < 0 + || buffer_puts(&b, v == BR_TLS12 ? "TLSv1.2" : v == BR_TLS11 ? "TLSv1.1" : v == BR_TLS10 ? "TLSv1" : "unknown") < 0 + || buffer_put(&b, "", 1) < 0 + || buffer_puts(&b, "SSL_CIPHER=") < 0 + || buffer_puts(&b, suite) < 0 + || buffer_putflush(&b, "\0", 2) < 0) + return 0 ; + return 1 ; +} diff --git a/src/sbearssl/sbearssl_suite_bits.c b/src/sbearssl/sbearssl_suite_bits.c new file mode 100644 index 0000000..8e2584e --- /dev/null +++ b/src/sbearssl/sbearssl_suite_bits.c @@ -0,0 +1,16 @@ +/* ISC license. */ + +#include + +#include + +#include +#include "sbearssl-internal.h" + +uint16_t sbearssl_suite_bits (br_ssl_session_parameters const *params) +{ + for (size_t i = 0 ; i < sbearssl_suite_list_len ; i++) + if (sbearssl_suite_list[i].id == params->cipher_suite) + return sbearssl_suite_list[i].bits ; + return 0 ; +} diff --git a/src/sbearssl/sbearssl_suite_list.c b/src/sbearssl/sbearssl_suite_list.c new file mode 100644 index 0000000..b51c480 --- /dev/null +++ b/src/sbearssl/sbearssl_suite_list.c @@ -0,0 +1,201 @@ +/* ISC license. */ + +/* Copied from Michael Forney's libtls-bearssl */ + +#include "sbearssl-internal.h" + +static sbearssl_suiteinfo const sbearssl_suite_list_[] = +{ + { + "ECDHE-ECDSA-CHACHA20-POLY1305", + BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + ECDHE|ECDSA|CHACHA20|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-RSA-CHACHA20-POLY1305", + BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + ECDHE|aRSA|CHACHA20|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-GCM-SHA256", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + ECDHE|ECDSA|AES128|AESGCM|AEAD|TLS12|HIGH, + 128, + }, + { + "ECDHE-RSA-AES128-GCM-SHA256", + BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + ECDHE|aRSA|AES128|AESGCM|AEAD|TLS12|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-GCM-SHA384", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + ECDHE|ECDSA|AES256|AESGCM|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-RSA-AES256-GCM-SHA384", + BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + ECDHE|aRSA|AES256|AESGCM|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-CCM", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, + ECDHE|ECDSA|AES128|AESCCM|AEAD|TLS12|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-CCM", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, + ECDHE|ECDSA|AES256|AESCCM|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-CCM8", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, + ECDHE|ECDSA|AES128|AESCCM8|AEAD|TLS12|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-CCM8", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, + ECDHE|ECDSA|AES256|AESCCM8|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-SHA256", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + ECDHE|ECDSA|AES128|SHA256|TLS12|HIGH, + 128, + }, + { + "ECDHE-RSA-AES128-SHA256", + BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + ECDHE|aRSA|AES128|SHA256|TLS12|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-SHA384", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + ECDHE|ECDSA|AES256|SHA384|TLS12|HIGH, + 256, + }, + { + "ECDHE-RSA-AES256-SHA384", + BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + ECDHE|aRSA|AES256|SHA384|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-SHA", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + ECDHE|ECDSA|AES128|SHA1|TLS10|HIGH, + 128, + }, + { + "ECDHE-RSA-AES128-SHA", + BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + ECDHE|aRSA|AES128|SHA1|TLS10|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-SHA", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + ECDHE|ECDSA|AES256|SHA1|TLS10|HIGH, + 256, + }, + { + "ECDHE-RSA-AES256-SHA", + BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + ECDHE|aRSA|AES256|SHA1|TLS10|HIGH, + 256, + }, + /* ECDH suites, used in BearSSL "full" profile do + * not have corresponding OpenSSL + */ + { + "AES128-GCM-SHA256", + BR_TLS_RSA_WITH_AES_128_GCM_SHA256, + kRSA|aRSA|AES128|AESGCM|SHA256|TLS12|HIGH, + 128, + }, + { + "AES256-GCM-SHA384", + BR_TLS_RSA_WITH_AES_256_GCM_SHA384, + kRSA|aRSA|AES256|AESGCM|SHA384|TLS12|HIGH, + 256, + }, + { + "AES128-CCM", + BR_TLS_RSA_WITH_AES_128_CCM, + kRSA|aRSA|AES128|AESCCM|TLS12|HIGH, + 128, + }, + { + "AES256-CCM", + BR_TLS_RSA_WITH_AES_256_CCM, + kRSA|aRSA|AES256|AESCCM|TLS12|HIGH, + 256, + }, + { + "AES128-CCM8", + BR_TLS_RSA_WITH_AES_128_CCM_8, + kRSA|aRSA|AES128|AESCCM8|TLS12|HIGH, + 128, + }, + { + "AES256-CCM8", + BR_TLS_RSA_WITH_AES_256_CCM_8, + kRSA|aRSA|AES256|AESCCM8|TLS12|HIGH, + 256, + }, + { + "AES128-SHA256", + BR_TLS_RSA_WITH_AES_128_CBC_SHA256, + kRSA|aRSA|AES128|SHA256|TLS12|HIGH, + 128, + }, + { + "AES256-SHA256", + BR_TLS_RSA_WITH_AES_256_CBC_SHA256, + kRSA|aRSA|AES256|SHA256|TLS12|HIGH, + 256, + }, + { + "AES128-SHA", + BR_TLS_RSA_WITH_AES_128_CBC_SHA, + kRSA|aRSA|AES128|SHA1|TLS10|HIGH, + 128, + }, + { + "AES256-SHA", + BR_TLS_RSA_WITH_AES_256_CBC_SHA, + kRSA|aRSA|AES256|SHA1|TLS10|HIGH, + 256, + }, + { + "ECDHE-ECDSA-DES-CBC3-SHA", + BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + ECDHE|ECDSA|TRIPLEDES|SHA1|TLS10|MEDIUM, + 112, + }, + { + "ECDHE-RSA-DES-CBC3-SHA", + BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + ECDHE|aRSA|TRIPLEDES|SHA1|TLS10|MEDIUM, + 112, + }, + { + "DES-CBC3-SHA", + BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA, + kRSA|aRSA|TRIPLEDES|SHA1|TLS10|MEDIUM, + 112, + }, +}; + +sbearssl_suiteinfo const *const sbearssl_suite_list = sbearssl_suite_list_ ; +size_t const sbearssl_suite_list_len = sizeof(sbearssl_suite_list_) / sizeof(sbearssl_suiteinfo) ; diff --git a/src/sbearssl/sbearssl_suite_name.c b/src/sbearssl/sbearssl_suite_name.c new file mode 100644 index 0000000..97cc593 --- /dev/null +++ b/src/sbearssl/sbearssl_suite_name.c @@ -0,0 +1,14 @@ +/* ISC license. */ + +#include + +#include +#include "sbearssl-internal.h" + +char const *sbearssl_suite_name (br_ssl_session_parameters const *params) +{ + for (size_t i = 0 ; i < sbearssl_suite_list_len ; i++) + if (sbearssl_suite_list[i].id == params->cipher_suite) + return sbearssl_suite_list[i].name ; + return 0 ; +} -- cgit v1.2.3