Botan  2.13.0
Crypto and TLS for C++11
tls_policy.cpp
Go to the documentation of this file.
1 /*
2 * Policies for TLS
3 * (C) 2004-2010,2012,2015,2016 Jack Lloyd
4 * 2016 Christian Mainka
5 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/tls_policy.h>
11 #include <botan/tls_ciphersuite.h>
12 #include <botan/tls_algos.h>
13 #include <botan/tls_exceptn.h>
14 #include <botan/internal/stl_util.h>
15 #include <botan/pk_keys.h>
16 #include <sstream>
17 
18 namespace Botan {
19 
20 namespace TLS {
21 
22 std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const
23  {
24  std::vector<Signature_Scheme> schemes;
25 
27  {
28  if(signature_scheme_is_known(scheme) == false)
29  continue;
30  const bool sig_allowed = allowed_signature_method(signature_algorithm_of_scheme(scheme));
31  const bool hash_allowed = allowed_signature_hash(hash_function_of_scheme(scheme));
32 
33  if(sig_allowed && hash_allowed)
34  {
35  schemes.push_back(scheme);
36  }
37  }
38 
39  return schemes;
40  }
41 
42 std::vector<std::string> Policy::allowed_ciphers() const
43  {
44  return {
45  //"AES-256/OCB(12)",
46  //"AES-128/OCB(12)",
47  "ChaCha20Poly1305",
48  "AES-256/GCM",
49  "AES-128/GCM",
50  //"AES-256/CCM",
51  //"AES-128/CCM",
52  //"AES-256/CCM(8)",
53  //"AES-128/CCM(8)",
54  //"Camellia-256/GCM",
55  //"Camellia-128/GCM",
56  //"ARIA-256/GCM",
57  //"ARIA-128/GCM",
58  //"AES-256",
59  //"AES-128",
60  //"Camellia-256",
61  //"Camellia-128",
62  //"SEED",
63  //"3DES",
64  };
65  }
66 
67 std::vector<std::string> Policy::allowed_signature_hashes() const
68  {
69  return {
70  "SHA-512",
71  "SHA-384",
72  "SHA-256",
73  //"SHA-1",
74  };
75  }
76 
77 std::vector<std::string> Policy::allowed_macs() const
78  {
79  /*
80  SHA-256 is preferred because the Lucky13 countermeasure works
81  somewhat better for SHA-256 vs SHA-384:
82  https://github.com/randombit/botan/pull/675
83  */
84  return {
85  "AEAD",
86  "SHA-256",
87  "SHA-384",
88  "SHA-1",
89  };
90  }
91 
92 std::vector<std::string> Policy::allowed_key_exchange_methods() const
93  {
94  return {
95  //"SRP_SHA",
96  //"ECDHE_PSK",
97  //"DHE_PSK",
98  //"PSK",
99  "CECPQ1",
100  "ECDH",
101  "DH",
102  //"RSA",
103  };
104  }
105 
106 std::vector<std::string> Policy::allowed_signature_methods() const
107  {
108  return {
109  "ECDSA",
110  "RSA",
111  //"DSA",
112  //"IMPLICIT",
113  //"ANONYMOUS" (anon)
114  };
115  }
116 
117 bool Policy::allowed_signature_method(const std::string& sig_method) const
118  {
119  return value_exists(allowed_signature_methods(), sig_method);
120  }
121 
122 bool Policy::allowed_signature_hash(const std::string& sig_hash) const
123  {
124  return value_exists(allowed_signature_hashes(), sig_hash);
125  }
126 
128  {
129  return false;
130  }
131 
132 Group_Params Policy::choose_key_exchange_group(const std::vector<Group_Params>& peer_groups) const
133  {
134  if(peer_groups.empty())
135  return Group_Params::NONE;
136 
137  const std::vector<Group_Params> our_groups = key_exchange_groups();
138 
139  for(auto g : our_groups)
140  {
141  if(value_exists(peer_groups, g))
142  return g;
143  }
144 
145  return Group_Params::NONE;
146  }
147 
149  {
150  /*
151  * Return the first listed or just default to 2048
152  */
153  for(auto g : key_exchange_groups())
154  {
155  if(group_param_is_dh(g))
156  return g;
157  }
158 
160  }
161 
162 std::vector<Group_Params> Policy::key_exchange_groups() const
163  {
164  // Default list is ordered by performance
165  return {
166 
167 #if defined(BOTAN_HAS_CURVE_25519)
169 #endif
170 
177 
183  };
184  }
185 
187  {
188  return 2048;
189  }
190 
192  {
193  // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
194  return 256;
195  }
196 
198  {
199  // x25519 is smallest curve currently supported for TLS key exchange
200  return 255;
201  }
202 
204  {
205  return 110;
206  }
207 
209  {
210  return true;
211  }
212 
214  {
215  /* Default assumption is all end-entity certificates should
216  be at least 2048 bits these days.
217 
218  If you are connecting to arbitrary servers on the Internet
219  (ie as a web browser or SMTP client) you'll probably have to reduce this
220  to 1024 bits, or perhaps even lower.
221  */
222  return 2048;
223  }
224 
226  {
227  // FIPS 186-3
228  return 2048;
229  }
230 
231 void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
232  {
233  const std::string algo_name = public_key.algo_name();
234 
235  const size_t keylength = public_key.key_length();
236  size_t expected_keylength = 0;
237 
238  if(algo_name == "RSA")
239  {
240  expected_keylength = minimum_rsa_bits();
241  }
242  else if(algo_name == "DH")
243  {
244  expected_keylength = minimum_dh_group_size();
245  }
246  else if(algo_name == "DSA")
247  {
248  expected_keylength = minimum_dsa_group_size();
249  }
250  else if(algo_name == "ECDH" || algo_name == "Curve25519")
251  {
252  expected_keylength = minimum_ecdh_group_size();
253  }
254  else if(algo_name == "ECDSA")
255  {
256  expected_keylength = minimum_ecdsa_group_size();
257  }
258  // else some other algo, so leave expected_keylength as zero and the check is a no-op
259 
260  if(keylength < expected_keylength)
262  "Peer sent " +
263  std::to_string(keylength) + " bit " + algo_name + " key"
264  ", policy requires at least " +
265  std::to_string(expected_keylength));
266  }
267 
269  {
270  return 86400; // ~1 day
271  }
272 
274  {
275  return version != latest_supported_version(version.is_datagram_protocol());
276  }
277 
279  {
280  if(version == Protocol_Version::TLS_V12 && allow_tls12())
281  return true;
282 
283  if(version == Protocol_Version::DTLS_V12 && allow_dtls12())
284  return true;
285 
286 #if defined(BOTAN_HAS_TLS_V10)
287 
288  if(version == Protocol_Version::TLS_V11 && allow_tls11())
289  return true;
290  if(version == Protocol_Version::TLS_V10 && allow_tls10())
291  return true;
292  if(version == Protocol_Version::DTLS_V10 && allow_dtls10())
293  return true;
294 
295 #endif
296 
297  return false;
298  }
299 
301  {
302  if(datagram)
303  {
306 #if defined(BOTAN_HAS_TLS_V10)
309 #endif
310  throw Invalid_State("Policy forbids all available DTLS version");
311  }
312  else
313  {
316 #if defined(BOTAN_HAS_TLS_V10)
321 #endif
322  throw Invalid_State("Policy forbids all available TLS version");
323  }
324  }
325 
326 bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const
327  {
328  return value_exists(allowed_ciphers(), ciphersuite.cipher_algo()) &&
329  value_exists(allowed_macs(), ciphersuite.mac_algo());
330  }
331 
332 bool Policy::allow_client_initiated_renegotiation() const { return false; }
333 bool Policy::allow_server_initiated_renegotiation() const { return false; }
334 bool Policy::allow_insecure_renegotiation() const { return false; }
335 bool Policy::allow_tls10() const { return false; }
336 bool Policy::allow_tls11() const { return false; }
337 bool Policy::allow_tls12() const { return true; }
338 bool Policy::allow_dtls10() const { return false; }
339 bool Policy::allow_dtls12() const { return true; }
340 bool Policy::include_time_in_hello_random() const { return true; }
341 bool Policy::hide_unknown_users() const { return false; }
343 bool Policy::negotiate_encrypt_then_mac() const { return true; }
344 bool Policy::support_cert_status_message() const { return true; }
345 bool Policy::allow_resumption_for_renegotiation() const { return true; }
346 bool Policy::only_resume_with_exact_version() const { return true; }
350 bool Policy::allow_dtls_epoch0_restart() const { return false; }
351 
352 size_t Policy::maximum_certificate_chain_size() const { return 0; }
353 
354 // 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
355 size_t Policy::dtls_initial_timeout() const { return 1*1000; }
356 size_t Policy::dtls_maximum_timeout() const { return 60*1000; }
357 
359  {
360  // default MTU is IPv6 min MTU minus UDP/IP headers
361  return 1280 - 40 - 8;
362  }
363 
364 std::vector<uint16_t> Policy::srtp_profiles() const
365  {
366  return std::vector<uint16_t>();
367  }
368 
369 namespace {
370 
371 class Ciphersuite_Preference_Ordering final
372  {
373  public:
374  Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
375  const std::vector<std::string>& macs,
376  const std::vector<std::string>& kex,
377  const std::vector<std::string>& sigs) :
378  m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
379 
380  bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
381  {
382  if(a.kex_method() != b.kex_method())
383  {
384  for(size_t i = 0; i != m_kex.size(); ++i)
385  {
386  if(a.kex_algo() == m_kex[i])
387  return true;
388  if(b.kex_algo() == m_kex[i])
389  return false;
390  }
391  }
392 
393  if(a.cipher_algo() != b.cipher_algo())
394  {
395  for(size_t i = 0; i != m_ciphers.size(); ++i)
396  {
397  if(a.cipher_algo() == m_ciphers[i])
398  return true;
399  if(b.cipher_algo() == m_ciphers[i])
400  return false;
401  }
402  }
403 
404  if(a.cipher_keylen() != b.cipher_keylen())
405  {
406  if(a.cipher_keylen() < b.cipher_keylen())
407  return false;
408  if(a.cipher_keylen() > b.cipher_keylen())
409  return true;
410  }
411 
412  if(a.auth_method() != b.auth_method())
413  {
414  for(size_t i = 0; i != m_sigs.size(); ++i)
415  {
416  if(a.sig_algo() == m_sigs[i])
417  return true;
418  if(b.sig_algo() == m_sigs[i])
419  return false;
420  }
421  }
422 
423  if(a.mac_algo() != b.mac_algo())
424  {
425  for(size_t i = 0; i != m_macs.size(); ++i)
426  {
427  if(a.mac_algo() == m_macs[i])
428  return true;
429  if(b.mac_algo() == m_macs[i])
430  return false;
431  }
432  }
433 
434  return false; // equal (?!?)
435  }
436  private:
437  std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
438  };
439 
440 }
441 
442 std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
443  bool have_srp) const
444  {
445  const std::vector<std::string> ciphers = allowed_ciphers();
446  const std::vector<std::string> macs = allowed_macs();
447  const std::vector<std::string> kex = allowed_key_exchange_methods();
448  const std::vector<std::string> sigs = allowed_signature_methods();
449 
450  std::vector<Ciphersuite> ciphersuites;
451 
452  for(auto&& suite : Ciphersuite::all_known_ciphersuites())
453  {
454  // Can we use it?
455  if(!suite.valid())
456  continue;
457 
458  // Can we use it in this version?
459  if(!suite.usable_in_version(version))
460  continue;
461 
462  // Is it acceptable to the policy?
463  if(!this->acceptable_ciphersuite(suite))
464  continue;
465 
466  // Are we doing SRP?
467  if(!have_srp && suite.kex_method() == Kex_Algo::SRP_SHA)
468  continue;
469 
470  if(!value_exists(kex, suite.kex_algo()))
471  continue; // unsupported key exchange
472 
473  if(!value_exists(ciphers, suite.cipher_algo()))
474  continue; // unsupported cipher
475 
476  if(!value_exists(macs, suite.mac_algo()))
477  continue; // unsupported MAC algo
478 
479  if(!value_exists(sigs, suite.sig_algo()))
480  {
481  // allow if it's an empty sig algo and we want to use PSK
482  if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite())
483  continue;
484  }
485 
486  /*
487  CECPQ1 always uses x25519 for ECDH, so treat the applications
488  removal of x25519 from the ECC curve list as equivalent to
489  saying they do not trust CECPQ1
490  */
491  if(suite.kex_method() == Kex_Algo::CECPQ1)
492  {
494  continue;
495  }
496 
497  // OK, consider it
498  ciphersuites.push_back(suite);
499  }
500 
501  if(ciphersuites.empty())
502  {
503  throw Invalid_State("Policy does not allow any available cipher suite");
504  }
505 
506  Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
507  std::sort(ciphersuites.begin(), ciphersuites.end(), order);
508 
509  std::vector<uint16_t> ciphersuite_codes;
510  for(auto i : ciphersuites)
511  ciphersuite_codes.push_back(i.ciphersuite_code());
512  return ciphersuite_codes;
513  }
514 
515 namespace {
516 
517 void print_vec(std::ostream& o,
518  const char* key,
519  const std::vector<std::string>& v)
520  {
521  o << key << " = ";
522  for(size_t i = 0; i != v.size(); ++i)
523  {
524  o << v[i];
525  if(i != v.size() - 1)
526  o << ' ';
527  }
528  o << '\n';
529  }
530 
531 void print_vec(std::ostream& o,
532  const char* key,
533  const std::vector<Group_Params>& v)
534  {
535  o << key << " = ";
536  for(size_t i = 0; i != v.size(); ++i)
537  {
538  o << group_param_to_string(v[i]);
539  if(i != v.size() - 1)
540  o << ' ';
541  }
542  o << '\n';
543  }
544 
545 void print_bool(std::ostream& o,
546  const char* key, bool b)
547  {
548  o << key << " = " << (b ? "true" : "false") << '\n';
549  }
550 
551 }
552 
553 void Policy::print(std::ostream& o) const
554  {
555  print_bool(o, "allow_tls10", allow_tls10());
556  print_bool(o, "allow_tls11", allow_tls11());
557  print_bool(o, "allow_tls12", allow_tls12());
558  print_bool(o, "allow_dtls10", allow_dtls10());
559  print_bool(o, "allow_dtls12", allow_dtls12());
560  print_vec(o, "ciphers", allowed_ciphers());
561  print_vec(o, "macs", allowed_macs());
562  print_vec(o, "signature_hashes", allowed_signature_hashes());
563  print_vec(o, "signature_methods", allowed_signature_methods());
564  print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
565  print_vec(o, "key_exchange_groups", key_exchange_groups());
566 
567  print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
568  print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
569  print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
570  print_bool(o, "hide_unknown_users", hide_unknown_users());
571  print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
572  print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
573  print_bool(o, "support_cert_status_message", support_cert_status_message());
574  o << "session_ticket_lifetime = " << session_ticket_lifetime() << '\n';
575  o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
576  o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
577  o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
578  o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
579  }
580 
581 std::string Policy::to_string() const
582  {
583  std::ostringstream oss;
584  this->print(oss);
585  return oss.str();
586  }
587 
588 std::vector<std::string> Strict_Policy::allowed_ciphers() const
589  {
590  return { "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" };
591  }
592 
593 std::vector<std::string> Strict_Policy::allowed_signature_hashes() const
594  {
595  return { "SHA-512", "SHA-384"};
596  }
597 
598 std::vector<std::string> Strict_Policy::allowed_macs() const
599  {
600  return { "AEAD" };
601  }
602 
603 std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const
604  {
605  return { "CECPQ1", "ECDH" };
606  }
607 
608 bool Strict_Policy::allow_tls10() const { return false; }
609 bool Strict_Policy::allow_tls11() const { return false; }
610 bool Strict_Policy::allow_tls12() const { return true; }
611 bool Strict_Policy::allow_dtls10() const { return false; }
612 bool Strict_Policy::allow_dtls12() const { return true; }
613 
614 }
615 
616 }
virtual bool allow_tls11() const
Definition: tls_policy.cpp:336
std::string mac_algo() const
virtual size_t dtls_default_mtu() const
Definition: tls_policy.cpp:358
virtual size_t minimum_ecdh_group_size() const
Definition: tls_policy.cpp:197
virtual bool allow_server_initiated_renegotiation() const
Definition: tls_policy.cpp:333
bool group_param_is_dh(Group_Params group)
Definition: tls_algos.cpp:118
std::string hash_function_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:191
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
Definition: tls_policy.cpp:231
virtual void print(std::ostream &o) const
Definition: tls_policy.cpp:553
bool allow_dtls10() const override
Definition: tls_policy.cpp:611
virtual size_t minimum_rsa_bits() const
Definition: tls_policy.cpp:213
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
Definition: tls_policy.cpp:326
virtual bool negotiate_encrypt_then_mac() const
Definition: tls_policy.cpp:343
bool allow_tls11() const override
Definition: tls_policy.cpp:609
int(* final)(unsigned char *, CTX *)
Signature_Scheme
Definition: tls_algos.h:86
virtual bool require_client_certificate_authentication() const
Definition: tls_policy.cpp:347
virtual bool include_time_in_hello_random() const
Definition: tls_policy.cpp:340
bool allow_dtls12() const override
Definition: tls_policy.cpp:612
std::string group_param_to_string(Group_Params group)
Definition: tls_algos.cpp:155
virtual std::vector< std::string > allowed_ciphers() const
Definition: tls_policy.cpp:42
virtual std::vector< uint16_t > srtp_profiles() const
Definition: tls_policy.cpp:364
virtual std::string algo_name() const =0
virtual std::vector< std::string > allowed_macs() const
Definition: tls_policy.cpp:77
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &peer_groups) const
Definition: tls_policy.cpp:132
virtual bool use_ecc_point_compression() const
Definition: tls_policy.cpp:127
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
virtual std::vector< std::string > allowed_signature_hashes() const
Definition: tls_policy.cpp:67
virtual Group_Params default_dh_group() const
Definition: tls_policy.cpp:148
bool allow_tls12() const override
Definition: tls_policy.cpp:610
virtual size_t minimum_dh_group_size() const
Definition: tls_policy.cpp:186
bool signature_scheme_is_known(Signature_Scheme scheme)
Definition: tls_algos.cpp:262
std::vector< std::string > allowed_signature_hashes() const override
Definition: tls_policy.cpp:593
virtual bool require_cert_revocation_info() const
Definition: tls_policy.cpp:208
virtual bool allow_insecure_renegotiation() const
Definition: tls_policy.cpp:334
virtual std::vector< Group_Params > key_exchange_groups() const
Definition: tls_policy.cpp:162
virtual size_t dtls_initial_timeout() const
Definition: tls_policy.cpp:355
virtual size_t minimum_ecdsa_group_size() const
Definition: tls_policy.cpp:191
bool allowed_signature_method(const std::string &sig_method) const
Definition: tls_policy.cpp:117
virtual size_t key_length() const =0
virtual bool send_fallback_scsv(Protocol_Version version) const
Definition: tls_policy.cpp:273
virtual std::vector< std::string > allowed_key_exchange_methods() const
Definition: tls_policy.cpp:92
virtual bool only_resume_with_exact_version() const
Definition: tls_policy.cpp:346
virtual bool allow_dtls10() const
Definition: tls_policy.cpp:338
std::vector< std::string > allowed_macs() const override
Definition: tls_policy.cpp:598
virtual size_t maximum_certificate_chain_size() const
Definition: tls_policy.cpp:352
bool allowed_signature_hash(const std::string &hash) const
Definition: tls_policy.cpp:122
Definition: alg_id.cpp:13
const std::vector< Signature_Scheme > & all_signature_schemes()
Definition: tls_algos.cpp:229
virtual bool support_cert_status_message() const
Definition: tls_policy.cpp:344
virtual bool request_client_certificate_authentication() const
Definition: tls_policy.cpp:348
virtual size_t minimum_signature_strength() const
Definition: tls_policy.cpp:203
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version, bool have_srp) const
Definition: tls_policy.cpp:442
std::vector< std::string > allowed_key_exchange_methods() const override
Definition: tls_policy.cpp:603
virtual size_t dtls_maximum_timeout() const
Definition: tls_policy.cpp:356
virtual bool allow_dtls_epoch0_restart() const
Definition: tls_policy.cpp:350
virtual bool allow_tls12() const
Definition: tls_policy.cpp:337
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:291
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
virtual bool allow_dtls12() const
Definition: tls_policy.cpp:339
virtual std::vector< std::string > allowed_signature_methods() const
Definition: tls_policy.cpp:106
virtual bool allow_resumption_for_renegotiation() const
Definition: tls_policy.cpp:345
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition: tls_policy.cpp:278
std::string cipher_algo() const
virtual bool server_uses_own_ciphersuite_preferences() const
Definition: tls_policy.cpp:342
virtual bool hide_unknown_users() const
Definition: tls_policy.cpp:341
virtual bool abort_connection_on_undesired_renegotiation() const
Definition: tls_policy.cpp:349
std::vector< std::string > allowed_ciphers() const override
Definition: tls_policy.cpp:588
virtual bool allow_client_initiated_renegotiation() const
Definition: tls_policy.cpp:332
std::string to_string() const
Definition: tls_policy.cpp:581
bool allow_tls10() const override
Definition: tls_policy.cpp:608
virtual uint32_t session_ticket_lifetime() const
Definition: tls_policy.cpp:268
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
Definition: tls_policy.cpp:22
static const std::vector< Ciphersuite > & all_known_ciphersuites()
virtual size_t minimum_dsa_group_size() const
Definition: tls_policy.cpp:225
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition: tls_policy.cpp:300
virtual bool allow_tls10() const
Definition: tls_policy.cpp:335