Botan  2.6.0
Crypto and TLS for C++11
tls_policy.cpp
Go to the documentation of this file.
1 /*
2 * Policies for TLS
3 * (C) 2004-2010,2012,2015,2016 Jack Lloyd
4 * 2016 Christian Mainka
5 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/tls_policy.h>
11 #include <botan/tls_ciphersuite.h>
12 #include <botan/tls_algos.h>
13 #include <botan/tls_exceptn.h>
14 #include <botan/internal/stl_util.h>
15 #include <botan/pk_keys.h>
16 #include <sstream>
17 
18 namespace Botan {
19 
20 namespace TLS {
21 
22 std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const
23  {
24  std::vector<Signature_Scheme> schemes;
25 
27  {
28  const bool sig_allowed = allowed_signature_method(signature_algorithm_of_scheme(scheme));
29  const bool hash_allowed = allowed_signature_hash(hash_function_of_scheme(scheme));
30 
31  if(sig_allowed && hash_allowed)
32  {
33  schemes.push_back(scheme);
34  }
35  }
36 
37  return schemes;
38  }
39 
40 std::vector<std::string> Policy::allowed_ciphers() const
41  {
42  return {
43  //"AES-256/OCB(12)",
44  //"AES-128/OCB(12)",
45  "ChaCha20Poly1305",
46  "AES-256/GCM",
47  "AES-128/GCM",
48  "AES-256/CCM",
49  "AES-128/CCM",
50  //"AES-256/CCM(8)",
51  //"AES-128/CCM(8)",
52  //"Camellia-256/GCM",
53  //"Camellia-128/GCM",
54  //"ARIA-256/GCM",
55  //"ARIA-128/GCM",
56  "AES-256",
57  "AES-128",
58  //"Camellia-256",
59  //"Camellia-128",
60  //"SEED"
61  //"3DES",
62  };
63  }
64 
65 std::vector<std::string> Policy::allowed_signature_hashes() const
66  {
67  return {
68  "SHA-512",
69  "SHA-384",
70  "SHA-256",
71  //"SHA-1",
72  };
73  }
74 
75 std::vector<std::string> Policy::allowed_macs() const
76  {
77  /*
78  SHA-256 is preferred because the Lucky13 countermeasure works
79  somewhat better for SHA-256 vs SHA-384:
80  https://github.com/randombit/botan/pull/675
81  */
82  return {
83  "AEAD",
84  "SHA-256",
85  "SHA-384",
86  "SHA-1",
87  };
88  }
89 
90 std::vector<std::string> Policy::allowed_key_exchange_methods() const
91  {
92  return {
93  //"SRP_SHA",
94  //"ECDHE_PSK",
95  //"DHE_PSK",
96  //"PSK",
97  "CECPQ1",
98  "ECDH",
99  "DH",
100  //"RSA",
101  };
102  }
103 
104 std::vector<std::string> Policy::allowed_signature_methods() const
105  {
106  return {
107  "ECDSA",
108  "RSA",
109  //"DSA",
110  //"IMPLICIT",
111  //"ANONYMOUS" (anon)
112  };
113  }
114 
115 bool Policy::allowed_signature_method(const std::string& sig_method) const
116  {
117  return value_exists(allowed_signature_methods(), sig_method);
118  }
119 
120 bool Policy::allowed_signature_hash(const std::string& sig_hash) const
121  {
122  return value_exists(allowed_signature_hashes(), sig_hash);
123  }
124 
126  {
127  return false;
128  }
129 
130 Group_Params Policy::choose_key_exchange_group(const std::vector<Group_Params>& peer_groups) const
131  {
132  if(peer_groups.empty())
133  return Group_Params::NONE;
134 
135  const std::vector<Group_Params> our_groups = key_exchange_groups();
136 
137  for(auto g : our_groups)
138  {
139  if(value_exists(peer_groups, g))
140  return g;
141  }
142 
143  return Group_Params::NONE;
144  }
145 
147  {
148  /*
149  * Return the first listed or just default to 2048
150  */
151  for(auto g : key_exchange_groups())
152  {
153  if(group_param_is_dh(g))
154  return g;
155  }
156 
158  }
159 
160 std::vector<Group_Params> Policy::key_exchange_groups() const
161  {
162  // Default list is ordered by performance
163  return {
171 
177  };
178  }
179 
181  {
182  return 2048;
183  }
184 
186  {
187  // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
188  return 256;
189  }
190 
192  {
193  // x25519 is smallest curve currently supported for TLS key exchange
194  return 255;
195  }
196 
198  {
199  return 110;
200  }
201 
203  {
204  return true;
205  }
206 
208  {
209  /* Default assumption is all end-entity certificates should
210  be at least 2048 bits these days.
211 
212  If you are connecting to arbitrary servers on the Internet
213  (ie as a web browser or SMTP client) you'll probably have to reduce this
214  to 1024 bits, or perhaps even lower.
215  */
216  return 2048;
217  }
218 
220  {
221  // FIPS 186-3
222  return 2048;
223  }
224 
225 void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
226  {
227  const std::string algo_name = public_key.algo_name();
228 
229  const size_t keylength = public_key.key_length();
230  size_t expected_keylength = 0;
231 
232  if(algo_name == "RSA")
233  {
234  expected_keylength = minimum_rsa_bits();
235  }
236  else if(algo_name == "DH")
237  {
238  expected_keylength = minimum_dh_group_size();
239  }
240  else if(algo_name == "DSA")
241  {
242  expected_keylength = minimum_dsa_group_size();
243  }
244  else if(algo_name == "ECDH" || algo_name == "Curve25519")
245  {
246  expected_keylength = minimum_ecdh_group_size();
247  }
248  else if(algo_name == "ECDSA")
249  {
250  expected_keylength = minimum_ecdsa_group_size();
251  }
252  // else some other algo, so leave expected_keylength as zero and the check is a no-op
253 
254  if(keylength < expected_keylength)
256  "Peer sent " +
257  std::to_string(keylength) + " bit " + algo_name + " key"
258  ", policy requires at least " +
259  std::to_string(expected_keylength));
260  }
261 
263  {
264  return 86400; // ~1 day
265  }
266 
268  {
269  return version != latest_supported_version(version.is_datagram_protocol());
270  }
271 
273  {
274  // Uses boolean optimization:
275  // First check the current version (left part), then if it is allowed
276  // (right part)
277  // checks are ordered according to their probability
278  return (
279  ( ( version == Protocol_Version::TLS_V12) && allow_tls12() ) ||
280  ( ( version == Protocol_Version::TLS_V10) && allow_tls10() ) ||
281  ( ( version == Protocol_Version::TLS_V11) && allow_tls11() ) ||
282  ( ( version == Protocol_Version::DTLS_V12) && allow_dtls12() ) ||
283  ( ( version == Protocol_Version::DTLS_V10) && allow_dtls10() )
284  );
285  }
286 
288  {
289  if(datagram)
290  {
291  if(allow_dtls12())
293  if(allow_dtls10())
295  throw Invalid_State("Policy forbids all available DTLS version");
296  }
297  else
298  {
299  if(allow_tls12())
301  if(allow_tls11())
303  if(allow_tls10())
305  throw Invalid_State("Policy forbids all available TLS version");
306  }
307  }
308 
309 bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const
310  {
311  return value_exists(allowed_ciphers(), ciphersuite.cipher_algo()) &&
312  value_exists(allowed_macs(), ciphersuite.mac_algo());
313  }
314 
315 bool Policy::allow_client_initiated_renegotiation() const { return false; }
316 bool Policy::allow_server_initiated_renegotiation() const { return false; }
317 bool Policy::allow_insecure_renegotiation() const { return false; }
318 bool Policy::allow_tls10() const { return true; }
319 bool Policy::allow_tls11() const { return true; }
320 bool Policy::allow_tls12() const { return true; }
321 bool Policy::allow_dtls10() const { return false; }
322 bool Policy::allow_dtls12() const { return true; }
323 bool Policy::include_time_in_hello_random() const { return true; }
324 bool Policy::hide_unknown_users() const { return false; }
326 bool Policy::negotiate_encrypt_then_mac() const { return true; }
327 bool Policy::support_cert_status_message() const { return true; }
328 
329 // 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
330 size_t Policy::dtls_initial_timeout() const { return 1*1000; }
331 size_t Policy::dtls_maximum_timeout() const { return 60*1000; }
332 
334  {
335  // default MTU is IPv6 min MTU minus UDP/IP headers
336  return 1280 - 40 - 8;
337  }
338 
339 std::vector<uint16_t> Policy::srtp_profiles() const
340  {
341  return std::vector<uint16_t>();
342  }
343 
344 namespace {
345 
346 class Ciphersuite_Preference_Ordering final
347  {
348  public:
349  Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
350  const std::vector<std::string>& macs,
351  const std::vector<std::string>& kex,
352  const std::vector<std::string>& sigs) :
353  m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
354 
355  bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
356  {
357  if(a.kex_method() != b.kex_method())
358  {
359  for(size_t i = 0; i != m_kex.size(); ++i)
360  {
361  if(a.kex_algo() == m_kex[i])
362  return true;
363  if(b.kex_algo() == m_kex[i])
364  return false;
365  }
366  }
367 
368  if(a.cipher_algo() != b.cipher_algo())
369  {
370  for(size_t i = 0; i != m_ciphers.size(); ++i)
371  {
372  if(a.cipher_algo() == m_ciphers[i])
373  return true;
374  if(b.cipher_algo() == m_ciphers[i])
375  return false;
376  }
377  }
378 
379  if(a.cipher_keylen() != b.cipher_keylen())
380  {
381  if(a.cipher_keylen() < b.cipher_keylen())
382  return false;
383  if(a.cipher_keylen() > b.cipher_keylen())
384  return true;
385  }
386 
387  if(a.auth_method() != b.auth_method())
388  {
389  for(size_t i = 0; i != m_sigs.size(); ++i)
390  {
391  if(a.sig_algo() == m_sigs[i])
392  return true;
393  if(b.sig_algo() == m_sigs[i])
394  return false;
395  }
396  }
397 
398  if(a.mac_algo() != b.mac_algo())
399  {
400  for(size_t i = 0; i != m_macs.size(); ++i)
401  {
402  if(a.mac_algo() == m_macs[i])
403  return true;
404  if(b.mac_algo() == m_macs[i])
405  return false;
406  }
407  }
408 
409  return false; // equal (?!?)
410  }
411  private:
412  std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
413  };
414 
415 }
416 
417 std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
418  bool have_srp) const
419  {
420  const std::vector<std::string> ciphers = allowed_ciphers();
421  const std::vector<std::string> macs = allowed_macs();
422  const std::vector<std::string> kex = allowed_key_exchange_methods();
423  const std::vector<std::string> sigs = allowed_signature_methods();
424 
425  std::vector<Ciphersuite> ciphersuites;
426 
427  for(auto&& suite : Ciphersuite::all_known_ciphersuites())
428  {
429  // Can we use it?
430  if(suite.valid() == false)
431  continue;
432 
433  // Is it acceptable to the policy?
434  if(!this->acceptable_ciphersuite(suite))
435  continue;
436 
437  // Are we doing SRP?
438  if(!have_srp && suite.kex_method() == Kex_Algo::SRP_SHA)
439  continue;
440 
441  if(!version.supports_aead_modes())
442  {
443  // Are we doing AEAD in a non-AEAD version?
444  if(suite.mac_algo() == "AEAD")
445  continue;
446 
447  // Older (v1.0/v1.1) versions also do not support any hash but SHA-1
448  if(suite.mac_algo() != "SHA-1")
449  continue;
450  }
451 
452  if(!value_exists(kex, suite.kex_algo()))
453  continue; // unsupported key exchange
454 
455  if(!value_exists(ciphers, suite.cipher_algo()))
456  continue; // unsupported cipher
457 
458  if(!value_exists(macs, suite.mac_algo()))
459  continue; // unsupported MAC algo
460 
461  if(!value_exists(sigs, suite.sig_algo()))
462  {
463  // allow if it's an empty sig algo and we want to use PSK
464  if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite())
465  continue;
466  }
467 
468  /*
469  CECPQ1 always uses x25519 for ECDH, so treat the applications
470  removal of x25519 from the ECC curve list as equivalent to
471  saying they do not trust CECPQ1
472  */
473  if(suite.kex_method() == Kex_Algo::CECPQ1)
474  {
476  continue;
477  }
478 
479  // OK, consider it
480  ciphersuites.push_back(suite);
481  }
482 
483  if(ciphersuites.empty())
484  {
485  throw Exception("Policy does not allow any available cipher suite");
486  }
487 
488  Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
489  std::sort(ciphersuites.begin(), ciphersuites.end(), order);
490 
491  std::vector<uint16_t> ciphersuite_codes;
492  for(auto i : ciphersuites)
493  ciphersuite_codes.push_back(i.ciphersuite_code());
494  return ciphersuite_codes;
495  }
496 
497 namespace {
498 
499 void print_vec(std::ostream& o,
500  const char* key,
501  const std::vector<std::string>& v)
502  {
503  o << key << " = ";
504  for(size_t i = 0; i != v.size(); ++i)
505  {
506  o << v[i];
507  if(i != v.size() - 1)
508  o << ' ';
509  }
510  o << '\n';
511  }
512 
513 void print_vec(std::ostream& o,
514  const char* key,
515  const std::vector<Group_Params>& v)
516  {
517  o << key << " = ";
518  for(size_t i = 0; i != v.size(); ++i)
519  {
520  o << group_param_to_string(v[i]);
521  if(i != v.size() - 1)
522  o << ' ';
523  }
524  o << '\n';
525  }
526 
527 void print_bool(std::ostream& o,
528  const char* key, bool b)
529  {
530  o << key << " = " << (b ? "true" : "false") << '\n';
531  }
532 
533 }
534 
535 void Policy::print(std::ostream& o) const
536  {
537  print_bool(o, "allow_tls10", allow_tls10());
538  print_bool(o, "allow_tls11", allow_tls11());
539  print_bool(o, "allow_tls12", allow_tls12());
540  print_bool(o, "allow_dtls10", allow_dtls10());
541  print_bool(o, "allow_dtls12", allow_dtls12());
542  print_vec(o, "ciphers", allowed_ciphers());
543  print_vec(o, "macs", allowed_macs());
544  print_vec(o, "signature_hashes", allowed_signature_hashes());
545  print_vec(o, "signature_methods", allowed_signature_methods());
546  print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
547  print_vec(o, "key_exchange_groups", key_exchange_groups());
548 
549  print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
550  print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
551  print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
552  print_bool(o, "hide_unknown_users", hide_unknown_users());
553  print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
554  print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
555  print_bool(o, "support_cert_status_message", support_cert_status_message());
556  o << "session_ticket_lifetime = " << session_ticket_lifetime() << '\n';
557  o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
558  o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
559  o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
560  o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
561  }
562 
563 std::string Policy::to_string() const
564  {
565  std::ostringstream oss;
566  this->print(oss);
567  return oss.str();
568  }
569 
570 std::vector<std::string> Strict_Policy::allowed_ciphers() const
571  {
572  return { "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" };
573  }
574 
575 std::vector<std::string> Strict_Policy::allowed_signature_hashes() const
576  {
577  return { "SHA-512", "SHA-384"};
578  }
579 
580 std::vector<std::string> Strict_Policy::allowed_macs() const
581  {
582  return { "AEAD" };
583  }
584 
585 std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const
586  {
587  return { "CECPQ1", "ECDH" };
588  }
589 
590 bool Strict_Policy::allow_tls10() const { return false; }
591 bool Strict_Policy::allow_tls11() const { return false; }
592 bool Strict_Policy::allow_tls12() const { return true; }
593 bool Strict_Policy::allow_dtls10() const { return false; }
594 bool Strict_Policy::allow_dtls12() const { return true; }
595 
596 }
597 
598 }
virtual bool allow_tls11() const
Definition: tls_policy.cpp:319
std::string mac_algo() const
virtual size_t dtls_default_mtu() const
Definition: tls_policy.cpp:333
virtual size_t minimum_ecdh_group_size() const
Definition: tls_policy.cpp:191
virtual bool allow_server_initiated_renegotiation() const
Definition: tls_policy.cpp:316
std::string hash_function_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:191
bool group_param_is_dh(Group_Params group)
Definition: tls_algos.cpp:118
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
Definition: tls_policy.cpp:225
virtual void print(std::ostream &o) const
Definition: tls_policy.cpp:535
bool allow_dtls10() const override
Definition: tls_policy.cpp:593
virtual size_t minimum_rsa_bits() const
Definition: tls_policy.cpp:207
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
Definition: tls_policy.cpp:309
virtual bool negotiate_encrypt_then_mac() const
Definition: tls_policy.cpp:326
bool allow_tls11() const override
Definition: tls_policy.cpp:591
Signature_Scheme
Definition: tls_algos.h:84
virtual bool include_time_in_hello_random() const
Definition: tls_policy.cpp:323
bool allow_dtls12() const override
Definition: tls_policy.cpp:594
std::string group_param_to_string(Group_Params group)
Definition: tls_algos.cpp:155
virtual std::vector< std::string > allowed_ciphers() const
Definition: tls_policy.cpp:40
virtual std::vector< uint16_t > srtp_profiles() const
Definition: tls_policy.cpp:339
virtual std::string algo_name() const =0
virtual std::vector< std::string > allowed_macs() const
Definition: tls_policy.cpp:75
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &peer_groups) const
Definition: tls_policy.cpp:130
virtual bool use_ecc_point_compression() const
Definition: tls_policy.cpp:125
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:145
virtual std::vector< std::string > allowed_signature_hashes() const
Definition: tls_policy.cpp:65
virtual Group_Params default_dh_group() const
Definition: tls_policy.cpp:146
bool allow_tls12() const override
Definition: tls_policy.cpp:592
virtual size_t minimum_dh_group_size() const
Definition: tls_policy.cpp:180
std::vector< std::string > allowed_signature_hashes() const override
Definition: tls_policy.cpp:575
virtual bool require_cert_revocation_info() const
Definition: tls_policy.cpp:202
virtual bool allow_insecure_renegotiation() const
Definition: tls_policy.cpp:317
virtual std::vector< Group_Params > key_exchange_groups() const
Definition: tls_policy.cpp:160
virtual size_t dtls_initial_timeout() const
Definition: tls_policy.cpp:330
virtual size_t minimum_ecdsa_group_size() const
Definition: tls_policy.cpp:185
bool allowed_signature_method(const std::string &sig_method) const
Definition: tls_policy.cpp:115
virtual size_t key_length() const =0
virtual bool send_fallback_scsv(Protocol_Version version) const
Definition: tls_policy.cpp:267
virtual std::vector< std::string > allowed_key_exchange_methods() const
Definition: tls_policy.cpp:90
virtual bool allow_dtls10() const
Definition: tls_policy.cpp:321
std::vector< std::string > allowed_macs() const override
Definition: tls_policy.cpp:580
bool allowed_signature_hash(const std::string &hash) const
Definition: tls_policy.cpp:120
Definition: alg_id.cpp:13
const std::vector< Signature_Scheme > & all_signature_schemes()
Definition: tls_algos.cpp:229
virtual bool support_cert_status_message() const
Definition: tls_policy.cpp:327
virtual size_t minimum_signature_strength() const
Definition: tls_policy.cpp:197
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version, bool have_srp) const
Definition: tls_policy.cpp:417
std::vector< std::string > allowed_key_exchange_methods() const override
Definition: tls_policy.cpp:585
virtual size_t dtls_maximum_timeout() const
Definition: tls_policy.cpp:331
virtual bool allow_tls12() const
Definition: tls_policy.cpp:320
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:291
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
virtual bool allow_dtls12() const
Definition: tls_policy.cpp:322
virtual std::vector< std::string > allowed_signature_methods() const
Definition: tls_policy.cpp:104
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition: tls_policy.cpp:272
std::string cipher_algo() const
virtual bool server_uses_own_ciphersuite_preferences() const
Definition: tls_policy.cpp:325
virtual bool hide_unknown_users() const
Definition: tls_policy.cpp:324
std::vector< std::string > allowed_ciphers() const override
Definition: tls_policy.cpp:570
virtual bool allow_client_initiated_renegotiation() const
Definition: tls_policy.cpp:315
std::string to_string() const
Definition: tls_policy.cpp:563
bool allow_tls10() const override
Definition: tls_policy.cpp:590
virtual uint32_t session_ticket_lifetime() const
Definition: tls_policy.cpp:262
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
Definition: tls_policy.cpp:22
static const std::vector< Ciphersuite > & all_known_ciphersuites()
virtual size_t minimum_dsa_group_size() const
Definition: tls_policy.cpp:219
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition: tls_policy.cpp:287
virtual bool allow_tls10() const
Definition: tls_policy.cpp:318