Botan  2.7.0
Crypto and TLS for C++11
tls_policy.cpp
Go to the documentation of this file.
1 /*
2 * Policies for TLS
3 * (C) 2004-2010,2012,2015,2016 Jack Lloyd
4 * 2016 Christian Mainka
5 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/tls_policy.h>
11 #include <botan/tls_ciphersuite.h>
12 #include <botan/tls_algos.h>
13 #include <botan/tls_exceptn.h>
14 #include <botan/internal/stl_util.h>
15 #include <botan/pk_keys.h>
16 #include <sstream>
17 
18 namespace Botan {
19 
20 namespace TLS {
21 
22 std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const
23  {
24  std::vector<Signature_Scheme> schemes;
25 
27  {
28  const bool sig_allowed = allowed_signature_method(signature_algorithm_of_scheme(scheme));
29  const bool hash_allowed = allowed_signature_hash(hash_function_of_scheme(scheme));
30 
31  if(sig_allowed && hash_allowed)
32  {
33  schemes.push_back(scheme);
34  }
35  }
36 
37  return schemes;
38  }
39 
40 std::vector<std::string> Policy::allowed_ciphers() const
41  {
42  return {
43  //"AES-256/OCB(12)",
44  //"AES-128/OCB(12)",
45  "ChaCha20Poly1305",
46  "AES-256/GCM",
47  "AES-128/GCM",
48  "AES-256/CCM",
49  "AES-128/CCM",
50  //"AES-256/CCM(8)",
51  //"AES-128/CCM(8)",
52  //"Camellia-256/GCM",
53  //"Camellia-128/GCM",
54  //"ARIA-256/GCM",
55  //"ARIA-128/GCM",
56  "AES-256",
57  "AES-128",
58  //"Camellia-256",
59  //"Camellia-128",
60  //"SEED"
61  //"3DES",
62  };
63  }
64 
65 std::vector<std::string> Policy::allowed_signature_hashes() const
66  {
67  return {
68  "SHA-512",
69  "SHA-384",
70  "SHA-256",
71  //"SHA-1",
72  };
73  }
74 
75 std::vector<std::string> Policy::allowed_macs() const
76  {
77  /*
78  SHA-256 is preferred because the Lucky13 countermeasure works
79  somewhat better for SHA-256 vs SHA-384:
80  https://github.com/randombit/botan/pull/675
81  */
82  return {
83  "AEAD",
84  "SHA-256",
85  "SHA-384",
86  "SHA-1",
87  };
88  }
89 
90 std::vector<std::string> Policy::allowed_key_exchange_methods() const
91  {
92  return {
93  //"SRP_SHA",
94  //"ECDHE_PSK",
95  //"DHE_PSK",
96  //"PSK",
97  "CECPQ1",
98  "ECDH",
99  "DH",
100  //"RSA",
101  };
102  }
103 
104 std::vector<std::string> Policy::allowed_signature_methods() const
105  {
106  return {
107  "ECDSA",
108  "RSA",
109  //"DSA",
110  //"IMPLICIT",
111  //"ANONYMOUS" (anon)
112  };
113  }
114 
115 bool Policy::allowed_signature_method(const std::string& sig_method) const
116  {
117  return value_exists(allowed_signature_methods(), sig_method);
118  }
119 
120 bool Policy::allowed_signature_hash(const std::string& sig_hash) const
121  {
122  return value_exists(allowed_signature_hashes(), sig_hash);
123  }
124 
126  {
127  return false;
128  }
129 
130 Group_Params Policy::choose_key_exchange_group(const std::vector<Group_Params>& peer_groups) const
131  {
132  if(peer_groups.empty())
133  return Group_Params::NONE;
134 
135  const std::vector<Group_Params> our_groups = key_exchange_groups();
136 
137  for(auto g : our_groups)
138  {
139  if(value_exists(peer_groups, g))
140  return g;
141  }
142 
143  return Group_Params::NONE;
144  }
145 
147  {
148  /*
149  * Return the first listed or just default to 2048
150  */
151  for(auto g : key_exchange_groups())
152  {
153  if(group_param_is_dh(g))
154  return g;
155  }
156 
158  }
159 
160 std::vector<Group_Params> Policy::key_exchange_groups() const
161  {
162  // Default list is ordered by performance
163  return {
164 
165 #if defined(BOTAN_HAS_CURVE_25519)
167 #endif
168 
175 
181  };
182  }
183 
185  {
186  return 2048;
187  }
188 
190  {
191  // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
192  return 256;
193  }
194 
196  {
197  // x25519 is smallest curve currently supported for TLS key exchange
198  return 255;
199  }
200 
202  {
203  return 110;
204  }
205 
207  {
208  return true;
209  }
210 
212  {
213  /* Default assumption is all end-entity certificates should
214  be at least 2048 bits these days.
215 
216  If you are connecting to arbitrary servers on the Internet
217  (ie as a web browser or SMTP client) you'll probably have to reduce this
218  to 1024 bits, or perhaps even lower.
219  */
220  return 2048;
221  }
222 
224  {
225  // FIPS 186-3
226  return 2048;
227  }
228 
229 void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
230  {
231  const std::string algo_name = public_key.algo_name();
232 
233  const size_t keylength = public_key.key_length();
234  size_t expected_keylength = 0;
235 
236  if(algo_name == "RSA")
237  {
238  expected_keylength = minimum_rsa_bits();
239  }
240  else if(algo_name == "DH")
241  {
242  expected_keylength = minimum_dh_group_size();
243  }
244  else if(algo_name == "DSA")
245  {
246  expected_keylength = minimum_dsa_group_size();
247  }
248  else if(algo_name == "ECDH" || algo_name == "Curve25519")
249  {
250  expected_keylength = minimum_ecdh_group_size();
251  }
252  else if(algo_name == "ECDSA")
253  {
254  expected_keylength = minimum_ecdsa_group_size();
255  }
256  // else some other algo, so leave expected_keylength as zero and the check is a no-op
257 
258  if(keylength < expected_keylength)
260  "Peer sent " +
261  std::to_string(keylength) + " bit " + algo_name + " key"
262  ", policy requires at least " +
263  std::to_string(expected_keylength));
264  }
265 
267  {
268  return 86400; // ~1 day
269  }
270 
272  {
273  return version != latest_supported_version(version.is_datagram_protocol());
274  }
275 
277  {
278  // Uses boolean optimization:
279  // First check the current version (left part), then if it is allowed
280  // (right part)
281  // checks are ordered according to their probability
282  return (
283  ( ( version == Protocol_Version::TLS_V12) && allow_tls12() ) ||
284  ( ( version == Protocol_Version::TLS_V10) && allow_tls10() ) ||
285  ( ( version == Protocol_Version::TLS_V11) && allow_tls11() ) ||
286  ( ( version == Protocol_Version::DTLS_V12) && allow_dtls12() ) ||
287  ( ( version == Protocol_Version::DTLS_V10) && allow_dtls10() )
288  );
289  }
290 
292  {
293  if(datagram)
294  {
295  if(allow_dtls12())
297  if(allow_dtls10())
299  throw Invalid_State("Policy forbids all available DTLS version");
300  }
301  else
302  {
303  if(allow_tls12())
305  if(allow_tls11())
307  if(allow_tls10())
309  throw Invalid_State("Policy forbids all available TLS version");
310  }
311  }
312 
313 bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const
314  {
315  return value_exists(allowed_ciphers(), ciphersuite.cipher_algo()) &&
316  value_exists(allowed_macs(), ciphersuite.mac_algo());
317  }
318 
319 bool Policy::allow_client_initiated_renegotiation() const { return false; }
320 bool Policy::allow_server_initiated_renegotiation() const { return false; }
321 bool Policy::allow_insecure_renegotiation() const { return false; }
322 bool Policy::allow_tls10() const { return true; }
323 bool Policy::allow_tls11() const { return true; }
324 bool Policy::allow_tls12() const { return true; }
325 bool Policy::allow_dtls10() const { return false; }
326 bool Policy::allow_dtls12() const { return true; }
327 bool Policy::include_time_in_hello_random() const { return true; }
328 bool Policy::hide_unknown_users() const { return false; }
330 bool Policy::negotiate_encrypt_then_mac() const { return true; }
331 bool Policy::support_cert_status_message() const { return true; }
332 
333 // 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
334 size_t Policy::dtls_initial_timeout() const { return 1*1000; }
335 size_t Policy::dtls_maximum_timeout() const { return 60*1000; }
336 
338  {
339  // default MTU is IPv6 min MTU minus UDP/IP headers
340  return 1280 - 40 - 8;
341  }
342 
343 std::vector<uint16_t> Policy::srtp_profiles() const
344  {
345  return std::vector<uint16_t>();
346  }
347 
348 namespace {
349 
350 class Ciphersuite_Preference_Ordering final
351  {
352  public:
353  Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
354  const std::vector<std::string>& macs,
355  const std::vector<std::string>& kex,
356  const std::vector<std::string>& sigs) :
357  m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
358 
359  bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
360  {
361  if(a.kex_method() != b.kex_method())
362  {
363  for(size_t i = 0; i != m_kex.size(); ++i)
364  {
365  if(a.kex_algo() == m_kex[i])
366  return true;
367  if(b.kex_algo() == m_kex[i])
368  return false;
369  }
370  }
371 
372  if(a.cipher_algo() != b.cipher_algo())
373  {
374  for(size_t i = 0; i != m_ciphers.size(); ++i)
375  {
376  if(a.cipher_algo() == m_ciphers[i])
377  return true;
378  if(b.cipher_algo() == m_ciphers[i])
379  return false;
380  }
381  }
382 
383  if(a.cipher_keylen() != b.cipher_keylen())
384  {
385  if(a.cipher_keylen() < b.cipher_keylen())
386  return false;
387  if(a.cipher_keylen() > b.cipher_keylen())
388  return true;
389  }
390 
391  if(a.auth_method() != b.auth_method())
392  {
393  for(size_t i = 0; i != m_sigs.size(); ++i)
394  {
395  if(a.sig_algo() == m_sigs[i])
396  return true;
397  if(b.sig_algo() == m_sigs[i])
398  return false;
399  }
400  }
401 
402  if(a.mac_algo() != b.mac_algo())
403  {
404  for(size_t i = 0; i != m_macs.size(); ++i)
405  {
406  if(a.mac_algo() == m_macs[i])
407  return true;
408  if(b.mac_algo() == m_macs[i])
409  return false;
410  }
411  }
412 
413  return false; // equal (?!?)
414  }
415  private:
416  std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
417  };
418 
419 }
420 
421 std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
422  bool have_srp) const
423  {
424  const std::vector<std::string> ciphers = allowed_ciphers();
425  const std::vector<std::string> macs = allowed_macs();
426  const std::vector<std::string> kex = allowed_key_exchange_methods();
427  const std::vector<std::string> sigs = allowed_signature_methods();
428 
429  std::vector<Ciphersuite> ciphersuites;
430 
431  for(auto&& suite : Ciphersuite::all_known_ciphersuites())
432  {
433  // Can we use it?
434  if(suite.valid() == false)
435  continue;
436 
437  // Is it acceptable to the policy?
438  if(!this->acceptable_ciphersuite(suite))
439  continue;
440 
441  // Are we doing SRP?
442  if(!have_srp && suite.kex_method() == Kex_Algo::SRP_SHA)
443  continue;
444 
445  if(!version.supports_aead_modes())
446  {
447  // Are we doing AEAD in a non-AEAD version?
448  if(suite.mac_algo() == "AEAD")
449  continue;
450 
451  // Older (v1.0/v1.1) versions also do not support any hash but SHA-1
452  if(suite.mac_algo() != "SHA-1")
453  continue;
454  }
455 
456  if(!value_exists(kex, suite.kex_algo()))
457  continue; // unsupported key exchange
458 
459  if(!value_exists(ciphers, suite.cipher_algo()))
460  continue; // unsupported cipher
461 
462  if(!value_exists(macs, suite.mac_algo()))
463  continue; // unsupported MAC algo
464 
465  if(!value_exists(sigs, suite.sig_algo()))
466  {
467  // allow if it's an empty sig algo and we want to use PSK
468  if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite())
469  continue;
470  }
471 
472  /*
473  CECPQ1 always uses x25519 for ECDH, so treat the applications
474  removal of x25519 from the ECC curve list as equivalent to
475  saying they do not trust CECPQ1
476  */
477  if(suite.kex_method() == Kex_Algo::CECPQ1)
478  {
480  continue;
481  }
482 
483  // OK, consider it
484  ciphersuites.push_back(suite);
485  }
486 
487  if(ciphersuites.empty())
488  {
489  throw Exception("Policy does not allow any available cipher suite");
490  }
491 
492  Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
493  std::sort(ciphersuites.begin(), ciphersuites.end(), order);
494 
495  std::vector<uint16_t> ciphersuite_codes;
496  for(auto i : ciphersuites)
497  ciphersuite_codes.push_back(i.ciphersuite_code());
498  return ciphersuite_codes;
499  }
500 
501 namespace {
502 
503 void print_vec(std::ostream& o,
504  const char* key,
505  const std::vector<std::string>& v)
506  {
507  o << key << " = ";
508  for(size_t i = 0; i != v.size(); ++i)
509  {
510  o << v[i];
511  if(i != v.size() - 1)
512  o << ' ';
513  }
514  o << '\n';
515  }
516 
517 void print_vec(std::ostream& o,
518  const char* key,
519  const std::vector<Group_Params>& v)
520  {
521  o << key << " = ";
522  for(size_t i = 0; i != v.size(); ++i)
523  {
524  o << group_param_to_string(v[i]);
525  if(i != v.size() - 1)
526  o << ' ';
527  }
528  o << '\n';
529  }
530 
531 void print_bool(std::ostream& o,
532  const char* key, bool b)
533  {
534  o << key << " = " << (b ? "true" : "false") << '\n';
535  }
536 
537 }
538 
539 void Policy::print(std::ostream& o) const
540  {
541  print_bool(o, "allow_tls10", allow_tls10());
542  print_bool(o, "allow_tls11", allow_tls11());
543  print_bool(o, "allow_tls12", allow_tls12());
544  print_bool(o, "allow_dtls10", allow_dtls10());
545  print_bool(o, "allow_dtls12", allow_dtls12());
546  print_vec(o, "ciphers", allowed_ciphers());
547  print_vec(o, "macs", allowed_macs());
548  print_vec(o, "signature_hashes", allowed_signature_hashes());
549  print_vec(o, "signature_methods", allowed_signature_methods());
550  print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
551  print_vec(o, "key_exchange_groups", key_exchange_groups());
552 
553  print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
554  print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
555  print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
556  print_bool(o, "hide_unknown_users", hide_unknown_users());
557  print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
558  print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
559  print_bool(o, "support_cert_status_message", support_cert_status_message());
560  o << "session_ticket_lifetime = " << session_ticket_lifetime() << '\n';
561  o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
562  o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
563  o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
564  o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
565  }
566 
567 std::string Policy::to_string() const
568  {
569  std::ostringstream oss;
570  this->print(oss);
571  return oss.str();
572  }
573 
574 std::vector<std::string> Strict_Policy::allowed_ciphers() const
575  {
576  return { "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" };
577  }
578 
579 std::vector<std::string> Strict_Policy::allowed_signature_hashes() const
580  {
581  return { "SHA-512", "SHA-384"};
582  }
583 
584 std::vector<std::string> Strict_Policy::allowed_macs() const
585  {
586  return { "AEAD" };
587  }
588 
589 std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const
590  {
591  return { "CECPQ1", "ECDH" };
592  }
593 
594 bool Strict_Policy::allow_tls10() const { return false; }
595 bool Strict_Policy::allow_tls11() const { return false; }
596 bool Strict_Policy::allow_tls12() const { return true; }
597 bool Strict_Policy::allow_dtls10() const { return false; }
598 bool Strict_Policy::allow_dtls12() const { return true; }
599 
600 }
601 
602 }
virtual bool allow_tls11() const
Definition: tls_policy.cpp:323
std::string mac_algo() const
virtual size_t dtls_default_mtu() const
Definition: tls_policy.cpp:337
virtual size_t minimum_ecdh_group_size() const
Definition: tls_policy.cpp:195
virtual bool allow_server_initiated_renegotiation() const
Definition: tls_policy.cpp:320
std::string hash_function_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:191
bool group_param_is_dh(Group_Params group)
Definition: tls_algos.cpp:118
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
Definition: tls_policy.cpp:229
virtual void print(std::ostream &o) const
Definition: tls_policy.cpp:539
bool allow_dtls10() const override
Definition: tls_policy.cpp:597
virtual size_t minimum_rsa_bits() const
Definition: tls_policy.cpp:211
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
Definition: tls_policy.cpp:313
virtual bool negotiate_encrypt_then_mac() const
Definition: tls_policy.cpp:330
bool allow_tls11() const override
Definition: tls_policy.cpp:595
Signature_Scheme
Definition: tls_algos.h:84
virtual bool include_time_in_hello_random() const
Definition: tls_policy.cpp:327
bool allow_dtls12() const override
Definition: tls_policy.cpp:598
std::string group_param_to_string(Group_Params group)
Definition: tls_algos.cpp:155
virtual std::vector< std::string > allowed_ciphers() const
Definition: tls_policy.cpp:40
virtual std::vector< uint16_t > srtp_profiles() const
Definition: tls_policy.cpp:343
virtual std::string algo_name() const =0
virtual std::vector< std::string > allowed_macs() const
Definition: tls_policy.cpp:75
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &peer_groups) const
Definition: tls_policy.cpp:130
virtual bool use_ecc_point_compression() const
Definition: tls_policy.cpp:125
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
virtual std::vector< std::string > allowed_signature_hashes() const
Definition: tls_policy.cpp:65
virtual Group_Params default_dh_group() const
Definition: tls_policy.cpp:146
bool allow_tls12() const override
Definition: tls_policy.cpp:596
virtual size_t minimum_dh_group_size() const
Definition: tls_policy.cpp:184
std::vector< std::string > allowed_signature_hashes() const override
Definition: tls_policy.cpp:579
virtual bool require_cert_revocation_info() const
Definition: tls_policy.cpp:206
virtual bool allow_insecure_renegotiation() const
Definition: tls_policy.cpp:321
virtual std::vector< Group_Params > key_exchange_groups() const
Definition: tls_policy.cpp:160
virtual size_t dtls_initial_timeout() const
Definition: tls_policy.cpp:334
virtual size_t minimum_ecdsa_group_size() const
Definition: tls_policy.cpp:189
bool allowed_signature_method(const std::string &sig_method) const
Definition: tls_policy.cpp:115
virtual size_t key_length() const =0
virtual bool send_fallback_scsv(Protocol_Version version) const
Definition: tls_policy.cpp:271
virtual std::vector< std::string > allowed_key_exchange_methods() const
Definition: tls_policy.cpp:90
virtual bool allow_dtls10() const
Definition: tls_policy.cpp:325
std::vector< std::string > allowed_macs() const override
Definition: tls_policy.cpp:584
bool allowed_signature_hash(const std::string &hash) const
Definition: tls_policy.cpp:120
Definition: alg_id.cpp:13
const std::vector< Signature_Scheme > & all_signature_schemes()
Definition: tls_algos.cpp:229
virtual bool support_cert_status_message() const
Definition: tls_policy.cpp:331
virtual size_t minimum_signature_strength() const
Definition: tls_policy.cpp:201
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version, bool have_srp) const
Definition: tls_policy.cpp:421
std::vector< std::string > allowed_key_exchange_methods() const override
Definition: tls_policy.cpp:589
virtual size_t dtls_maximum_timeout() const
Definition: tls_policy.cpp:335
virtual bool allow_tls12() const
Definition: tls_policy.cpp:324
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:291
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
virtual bool allow_dtls12() const
Definition: tls_policy.cpp:326
virtual std::vector< std::string > allowed_signature_methods() const
Definition: tls_policy.cpp:104
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition: tls_policy.cpp:276
std::string cipher_algo() const
virtual bool server_uses_own_ciphersuite_preferences() const
Definition: tls_policy.cpp:329
virtual bool hide_unknown_users() const
Definition: tls_policy.cpp:328
std::vector< std::string > allowed_ciphers() const override
Definition: tls_policy.cpp:574
virtual bool allow_client_initiated_renegotiation() const
Definition: tls_policy.cpp:319
std::string to_string() const
Definition: tls_policy.cpp:567
bool allow_tls10() const override
Definition: tls_policy.cpp:594
virtual uint32_t session_ticket_lifetime() const
Definition: tls_policy.cpp:266
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
Definition: tls_policy.cpp:22
static const std::vector< Ciphersuite > & all_known_ciphersuites()
virtual size_t minimum_dsa_group_size() const
Definition: tls_policy.cpp:223
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition: tls_policy.cpp:291
virtual bool allow_tls10() const
Definition: tls_policy.cpp:322