Botan  2.4.0
Crypto and TLS for C++11
tls_policy.cpp
Go to the documentation of this file.
1 /*
2 * Policies for TLS
3 * (C) 2004-2010,2012,2015,2016 Jack Lloyd
4 * 2016 Christian Mainka
5 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/tls_policy.h>
11 #include <botan/tls_ciphersuite.h>
12 #include <botan/tls_magic.h>
13 #include <botan/tls_exceptn.h>
14 #include <botan/tls_extensions.h>
15 #include <botan/internal/stl_util.h>
16 #include <botan/pk_keys.h>
17 #include <sstream>
18 
19 namespace Botan {
20 
21 namespace TLS {
22 
23 std::vector<std::string> Policy::allowed_ciphers() const
24  {
25  return {
26  //"AES-256/OCB(12)",
27  //"AES-128/OCB(12)",
28  "ChaCha20Poly1305",
29  "AES-256/GCM",
30  "AES-128/GCM",
31  "AES-256/CCM",
32  "AES-128/CCM",
33  //"AES-256/CCM(8)",
34  //"AES-128/CCM(8)",
35  //"Camellia-256/GCM",
36  //"Camellia-128/GCM",
37  //"ARIA-256/GCM",
38  //"ARIA-128/GCM",
39  "AES-256",
40  "AES-128",
41  //"Camellia-256",
42  //"Camellia-128",
43  //"SEED"
44  //"3DES",
45  };
46  }
47 
48 std::vector<std::string> Policy::allowed_signature_hashes() const
49  {
50  return {
51  "SHA-512",
52  "SHA-384",
53  "SHA-256",
54  //"SHA-1",
55  };
56  }
57 
58 std::vector<std::string> Policy::allowed_macs() const
59  {
60  /*
61  SHA-256 is preferred because the Lucky13 countermeasure works
62  somewhat better for SHA-256 vs SHA-384:
63  https://github.com/randombit/botan/pull/675
64  */
65  return {
66  "AEAD",
67  "SHA-256",
68  "SHA-384",
69  "SHA-1",
70  };
71  }
72 
73 std::vector<std::string> Policy::allowed_key_exchange_methods() const
74  {
75  return {
76  //"SRP_SHA",
77  //"ECDHE_PSK",
78  //"DHE_PSK",
79  //"PSK",
80  "CECPQ1",
81  "ECDH",
82  "DH",
83  //"RSA",
84  };
85  }
86 
87 std::vector<std::string> Policy::allowed_signature_methods() const
88  {
89  return {
90  "ECDSA",
91  "RSA",
92  //"DSA",
93  //"" (anon)
94  };
95  }
96 
97 bool Policy::allowed_signature_method(const std::string& sig_method) const
98  {
99  return value_exists(allowed_signature_methods(), sig_method);
100  }
101 
102 bool Policy::allowed_signature_hash(const std::string& sig_hash) const
103  {
104  return value_exists(allowed_signature_hashes(), sig_hash);
105  }
106 
107 std::vector<std::string> Policy::allowed_ecc_curves() const
108  {
109  // Default list is ordered by performance
110 
111  return {
112  "x25519",
113  "secp256r1",
114  "secp521r1",
115  "secp384r1",
116  "brainpool256r1",
117  "brainpool384r1",
118  "brainpool512r1",
119  };
120  }
121 
122 bool Policy::allowed_ecc_curve(const std::string& curve) const
123  {
124  if(!allowed_ecc_curves().empty())
125  {
126  return value_exists(allowed_ecc_curves(), curve);
127  }
128  return value_exists(allowed_groups(), curve);
129  }
130 
132  {
133  return false;
134  }
135 
136 /*
137 * Choose an ECC curve to use
138 */
139 std::string Policy::choose_curve(const std::vector<std::string>& curve_names) const
140  {
141  const std::vector<std::string> our_groups = allowed_groups();
142 
143  for(size_t i = 0; i != our_groups.size(); ++i)
144  if(!Supported_Groups::is_dh_group(our_groups[i])
145  && value_exists(curve_names, our_groups[i]))
146  return our_groups[i];
147 
148  return ""; // no shared curve
149  }
150 
151 /*
152 * Choose an FFDHE group to use
153 */
154 std::string Policy::choose_dh_group(const std::vector<std::string>& dh_groups) const
155  {
156  const std::vector<std::string> our_groups = allowed_groups();
157 
158  for(size_t i = 0; i != our_groups.size(); ++i)
159  if(Supported_Groups::is_dh_group(our_groups[i])
160  && value_exists(dh_groups, our_groups[i]))
161  return our_groups[i];
162 
163  return ""; // no shared ffdhe group
164  }
165 
166 std::string Policy::dh_group() const
167  {
168  // We offer 2048 bit DH because we can
169  return "modp/ietf/2048";
170  }
171 
172 std::vector<std::string> Policy::allowed_groups() const
173  {
174  // Default list is ordered by performance
175  return {
176  "x25519",
177  "secp256r1",
178  "secp521r1",
179  "secp384r1",
180  "brainpool256r1",
181  "brainpool384r1",
182  "brainpool512r1",
183  "ffdhe/ietf/2048",
184  "ffdhe/ietf/3072",
185  "ffdhe/ietf/4096",
186  "ffdhe/ietf/6144",
187  "ffdhe/ietf/8192"
188  };
189  }
190 
192  {
193  return 2048;
194  }
195 
197  {
198  // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
199  return 256;
200  }
201 
203  {
204  // x25519 is smallest curve currently supported for TLS key exchange
205  return 255;
206  }
207 
209  {
210  return 110;
211  }
212 
214  {
215  return true;
216  }
217 
219  {
220  /* Default assumption is all end-entity certificates should
221  be at least 2048 bits these days.
222 
223  If you are connecting to arbitrary servers on the Internet
224  (ie as a web browser or SMTP client) you'll probably have to reduce this
225  to 1024 bits, or perhaps even lower.
226  */
227  return 2048;
228  }
229 
231  {
232  // FIPS 186-3
233  return 2048;
234  }
235 
236 void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
237  {
238  const std::string algo_name = public_key.algo_name();
239 
240  const size_t keylength = public_key.key_length();
241  size_t expected_keylength = 0;
242 
243  if(algo_name == "RSA")
244  {
245  expected_keylength = minimum_rsa_bits();
246  }
247  else if(algo_name == "DH")
248  {
249  expected_keylength = minimum_dh_group_size();
250  }
251  else if(algo_name == "DSA")
252  {
253  expected_keylength = minimum_dsa_group_size();
254  }
255  else if(algo_name == "ECDH" || algo_name == "Curve25519")
256  {
257  expected_keylength = minimum_ecdh_group_size();
258  }
259  else if(algo_name == "ECDSA")
260  {
261  expected_keylength = minimum_ecdsa_group_size();
262  }
263  // else some other algo, so leave expected_keylength as zero and the check is a no-op
264 
265  if(keylength < expected_keylength)
267  "Peer sent " +
268  std::to_string(keylength) + " bit " + algo_name + " key"
269  ", policy requires at least " +
270  std::to_string(expected_keylength));
271  }
272 
273 /*
274 * Return allowed compression algorithms
275 */
276 std::vector<uint8_t> Policy::compression() const
277  {
278  return std::vector<uint8_t>{ NO_COMPRESSION };
279  }
280 
282  {
283  return 86400; // ~1 day
284  }
285 
287  {
288  return version != latest_supported_version(version.is_datagram_protocol());
289  }
290 
292  {
293  // Uses boolean optimization:
294  // First check the current version (left part), then if it is allowed
295  // (right part)
296  // checks are ordered according to their probability
297  return (
298  ( ( version == Protocol_Version::TLS_V12) && allow_tls12() ) ||
299  ( ( version == Protocol_Version::TLS_V10) && allow_tls10() ) ||
300  ( ( version == Protocol_Version::TLS_V11) && allow_tls11() ) ||
301  ( ( version == Protocol_Version::DTLS_V12) && allow_dtls12() ) ||
302  ( ( version == Protocol_Version::DTLS_V10) && allow_dtls10() )
303  );
304  }
305 
307  {
308  if(datagram)
309  {
310  if(allow_dtls12())
312  if(allow_dtls10())
314  throw Invalid_State("Policy forbids all available DTLS version");
315  }
316  else
317  {
318  if(allow_tls12())
320  if(allow_tls11())
322  if(allow_tls10())
324  throw Invalid_State("Policy forbids all available TLS version");
325  }
326  }
327 
329  {
330  return true;
331  }
332 
333 bool Policy::allow_client_initiated_renegotiation() const { return false; }
334 bool Policy::allow_server_initiated_renegotiation() const { return false; }
335 bool Policy::allow_insecure_renegotiation() const { return false; }
336 bool Policy::allow_tls10() const { return true; }
337 bool Policy::allow_tls11() const { return true; }
338 bool Policy::allow_tls12() const { return true; }
339 bool Policy::allow_dtls10() const { return false; }
340 bool Policy::allow_dtls12() const { return true; }
341 bool Policy::include_time_in_hello_random() const { return true; }
342 bool Policy::hide_unknown_users() const { return false; }
344 bool Policy::negotiate_encrypt_then_mac() const { return true; }
345 bool Policy::support_cert_status_message() const { return true; }
346 
347 // 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
348 size_t Policy::dtls_initial_timeout() const { return 1*1000; }
349 size_t Policy::dtls_maximum_timeout() const { return 60*1000; }
350 
352  {
353  // default MTU is IPv6 min MTU minus UDP/IP headers
354  return 1280 - 40 - 8;
355  }
356 
357 std::vector<uint16_t> Policy::srtp_profiles() const
358  {
359  return std::vector<uint16_t>();
360  }
361 
362 namespace {
363 
364 class Ciphersuite_Preference_Ordering final
365  {
366  public:
367  Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
368  const std::vector<std::string>& macs,
369  const std::vector<std::string>& kex,
370  const std::vector<std::string>& sigs) :
371  m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
372 
373  bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
374  {
375  if(a.kex_algo() != b.kex_algo())
376  {
377  for(size_t i = 0; i != m_kex.size(); ++i)
378  {
379  if(a.kex_algo() == m_kex[i])
380  return true;
381  if(b.kex_algo() == m_kex[i])
382  return false;
383  }
384  }
385 
386  if(a.cipher_algo() != b.cipher_algo())
387  {
388  for(size_t i = 0; i != m_ciphers.size(); ++i)
389  {
390  if(a.cipher_algo() == m_ciphers[i])
391  return true;
392  if(b.cipher_algo() == m_ciphers[i])
393  return false;
394  }
395  }
396 
397  if(a.cipher_keylen() != b.cipher_keylen())
398  {
399  if(a.cipher_keylen() < b.cipher_keylen())
400  return false;
401  if(a.cipher_keylen() > b.cipher_keylen())
402  return true;
403  }
404 
405  if(a.sig_algo() != b.sig_algo())
406  {
407  for(size_t i = 0; i != m_sigs.size(); ++i)
408  {
409  if(a.sig_algo() == m_sigs[i])
410  return true;
411  if(b.sig_algo() == m_sigs[i])
412  return false;
413  }
414  }
415 
416  if(a.mac_algo() != b.mac_algo())
417  {
418  for(size_t i = 0; i != m_macs.size(); ++i)
419  {
420  if(a.mac_algo() == m_macs[i])
421  return true;
422  if(b.mac_algo() == m_macs[i])
423  return false;
424  }
425  }
426 
427  return false; // equal (?!?)
428  }
429  private:
430  std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
431  };
432 
433 }
434 
435 std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
436  bool have_srp) const
437  {
438  const std::vector<std::string> ciphers = allowed_ciphers();
439  const std::vector<std::string> macs = allowed_macs();
440  const std::vector<std::string> kex = allowed_key_exchange_methods();
441  const std::vector<std::string> sigs = allowed_signature_methods();
442 
443  std::vector<Ciphersuite> ciphersuites;
444 
445  for(auto&& suite : Ciphersuite::all_known_ciphersuites())
446  {
447  // Can we use it?
448  if(suite.valid() == false)
449  continue;
450 
451  // Is it acceptable to the policy?
452  if(!this->acceptable_ciphersuite(suite))
453  continue;
454 
455  // Are we doing SRP?
456  if(!have_srp && suite.kex_algo() == "SRP_SHA")
457  continue;
458 
459  if(!version.supports_aead_modes())
460  {
461  // Are we doing AEAD in a non-AEAD version?
462  if(suite.mac_algo() == "AEAD")
463  continue;
464 
465  // Older (v1.0/v1.1) versions also do not support any hash but SHA-1
466  if(suite.mac_algo() != "SHA-1")
467  continue;
468  }
469 
470  if(!value_exists(kex, suite.kex_algo()))
471  continue; // unsupported key exchange
472 
473  if(!value_exists(ciphers, suite.cipher_algo()))
474  continue; // unsupported cipher
475 
476  if(!value_exists(macs, suite.mac_algo()))
477  continue; // unsupported MAC algo
478 
479  if(!value_exists(sigs, suite.sig_algo()))
480  {
481  // allow if it's an empty sig algo and we want to use PSK
482  if(suite.sig_algo() != "" || !suite.psk_ciphersuite())
483  continue;
484  }
485 
486  /*
487  CECPQ1 always uses x25519 for ECDH, so treat the applications
488  removal of x25519 from the ECC curve list as equivalent to
489  saying they do not trust CECPQ1
490  */
491  if(suite.kex_algo() == "CECPQ1" && allowed_ecc_curve("x25519") == false)
492  continue;
493 
494  // OK, consider it
495  ciphersuites.push_back(suite);
496  }
497 
498  if(ciphersuites.empty())
499  {
500  throw Exception("Policy does not allow any available cipher suite");
501  }
502 
503  Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
504  std::sort(ciphersuites.begin(), ciphersuites.end(), order);
505 
506  std::vector<uint16_t> ciphersuite_codes;
507  for(auto i : ciphersuites)
508  ciphersuite_codes.push_back(i.ciphersuite_code());
509  return ciphersuite_codes;
510  }
511 
512 namespace {
513 
514 void print_vec(std::ostream& o,
515  const char* key,
516  const std::vector<std::string>& v)
517  {
518  o << key << " = ";
519  for(size_t i = 0; i != v.size(); ++i)
520  {
521  o << v[i];
522  if(i != v.size() - 1)
523  o << ' ';
524  }
525  o << '\n';
526  }
527 
528 void print_bool(std::ostream& o,
529  const char* key, bool b)
530  {
531  o << key << " = " << (b ? "true" : "false") << '\n';
532  }
533 
534 }
535 
536 void Policy::print(std::ostream& o) const
537  {
538  print_bool(o, "allow_tls10", allow_tls10());
539  print_bool(o, "allow_tls11", allow_tls11());
540  print_bool(o, "allow_tls12", allow_tls12());
541  print_bool(o, "allow_dtls10", allow_dtls10());
542  print_bool(o, "allow_dtls12", allow_dtls12());
543  print_vec(o, "ciphers", allowed_ciphers());
544  print_vec(o, "macs", allowed_macs());
545  print_vec(o, "signature_hashes", allowed_signature_hashes());
546  print_vec(o, "signature_methods", allowed_signature_methods());
547  print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
548  print_vec(o, "ecc_curves", allowed_ecc_curves());
549  print_vec(o, "groups", allowed_groups());
550 
551  print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
552  print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
553  print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
554  print_bool(o, "hide_unknown_users", hide_unknown_users());
555  print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
556  print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
557  print_bool(o, "support_cert_status_message", support_cert_status_message());
558  o << "session_ticket_lifetime = " << session_ticket_lifetime() << '\n';
559  o << "dh_group = " << dh_group() << '\n';
560  o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
561  o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
562  o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
563  o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
564  }
565 
566 std::string Policy::to_string() const
567  {
568  std::ostringstream oss;
569  this->print(oss);
570  return oss.str();
571  }
572 
573 std::vector<std::string> Strict_Policy::allowed_ciphers() const
574  {
575  return { "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" };
576  }
577 
578 std::vector<std::string> Strict_Policy::allowed_signature_hashes() const
579  {
580  return { "SHA-512", "SHA-384"};
581  }
582 
583 std::vector<std::string> Strict_Policy::allowed_macs() const
584  {
585  return { "AEAD" };
586  }
587 
588 std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const
589  {
590  return { "CECPQ1", "ECDH" };
591  }
592 
593 bool Strict_Policy::allow_tls10() const { return false; }
594 bool Strict_Policy::allow_tls11() const { return false; }
595 bool Strict_Policy::allow_tls12() const { return true; }
596 bool Strict_Policy::allow_dtls10() const { return false; }
597 bool Strict_Policy::allow_dtls12() const { return true; }
598 
599 }
600 
601 }
virtual bool allow_tls11() const
Definition: tls_policy.cpp:337
std::string mac_algo() const
virtual size_t dtls_default_mtu() const
Definition: tls_policy.cpp:351
virtual size_t minimum_ecdh_group_size() const
Definition: tls_policy.cpp:202
virtual bool allow_server_initiated_renegotiation() const
Definition: tls_policy.cpp:334
std::string kex_algo() const
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
Definition: tls_policy.cpp:236
virtual void print(std::ostream &o) const
Definition: tls_policy.cpp:536
bool allow_dtls10() const override
Definition: tls_policy.cpp:596
virtual size_t minimum_rsa_bits() const
Definition: tls_policy.cpp:218
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
Definition: tls_policy.cpp:328
virtual bool negotiate_encrypt_then_mac() const
Definition: tls_policy.cpp:344
bool allow_tls11() const override
Definition: tls_policy.cpp:594
virtual bool include_time_in_hello_random() const
Definition: tls_policy.cpp:341
bool allow_dtls12() const override
Definition: tls_policy.cpp:597
virtual std::vector< std::string > allowed_ciphers() const
Definition: tls_policy.cpp:23
virtual std::vector< uint16_t > srtp_profiles() const
Definition: tls_policy.cpp:357
virtual std::string algo_name() const =0
virtual std::vector< std::string > allowed_macs() const
Definition: tls_policy.cpp:58
virtual std::string dh_group() const
Definition: tls_policy.cpp:166
virtual bool use_ecc_point_compression() const
Definition: tls_policy.cpp:131
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:108
virtual std::vector< std::string > allowed_signature_hashes() const
Definition: tls_policy.cpp:48
bool allowed_ecc_curve(const std::string &curve) const
Definition: tls_policy.cpp:122
bool allow_tls12() const override
Definition: tls_policy.cpp:595
virtual size_t minimum_dh_group_size() const
Definition: tls_policy.cpp:191
std::vector< std::string > allowed_signature_hashes() const override
Definition: tls_policy.cpp:578
virtual bool require_cert_revocation_info() const
Definition: tls_policy.cpp:213
virtual std::string choose_dh_group(const std::vector< std::string > &dh_group_names) const
Definition: tls_policy.cpp:154
virtual bool allow_insecure_renegotiation() const
Definition: tls_policy.cpp:335
size_t cipher_keylen() const
virtual size_t dtls_initial_timeout() const
Definition: tls_policy.cpp:348
virtual size_t minimum_ecdsa_group_size() const
Definition: tls_policy.cpp:196
bool allowed_signature_method(const std::string &sig_method) const
Definition: tls_policy.cpp:97
virtual size_t key_length() const =0
virtual bool send_fallback_scsv(Protocol_Version version) const
Definition: tls_policy.cpp:286
virtual std::vector< std::string > allowed_key_exchange_methods() const
Definition: tls_policy.cpp:73
virtual std::vector< std::string > allowed_groups() const
Definition: tls_policy.cpp:172
virtual bool allow_dtls10() const
Definition: tls_policy.cpp:339
std::vector< std::string > allowed_macs() const override
Definition: tls_policy.cpp:583
bool allowed_signature_hash(const std::string &hash) const
Definition: tls_policy.cpp:102
Definition: alg_id.cpp:13
virtual std::vector< uint8_t > compression() const
Definition: tls_policy.cpp:276
virtual bool support_cert_status_message() const
Definition: tls_policy.cpp:345
virtual std::vector< std::string > allowed_ecc_curves() const
Definition: tls_policy.cpp:107
virtual size_t minimum_signature_strength() const
Definition: tls_policy.cpp:208
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version, bool have_srp) const
Definition: tls_policy.cpp:435
std::vector< std::string > allowed_key_exchange_methods() const override
Definition: tls_policy.cpp:588
virtual size_t dtls_maximum_timeout() const
Definition: tls_policy.cpp:349
virtual bool allow_tls12() const
Definition: tls_policy.cpp:338
std::string sig_algo() const
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
virtual bool allow_dtls12() const
Definition: tls_policy.cpp:340
virtual std::vector< std::string > allowed_signature_methods() const
Definition: tls_policy.cpp:87
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition: tls_policy.cpp:291
std::string cipher_algo() const
virtual bool server_uses_own_ciphersuite_preferences() const
Definition: tls_policy.cpp:343
virtual bool hide_unknown_users() const
Definition: tls_policy.cpp:342
virtual std::string choose_curve(const std::vector< std::string > &curve_names) const
Definition: tls_policy.cpp:139
std::vector< std::string > allowed_ciphers() const override
Definition: tls_policy.cpp:573
virtual bool allow_client_initiated_renegotiation() const
Definition: tls_policy.cpp:333
std::string to_string() const
Definition: tls_policy.cpp:566
bool allow_tls10() const override
Definition: tls_policy.cpp:593
virtual uint32_t session_ticket_lifetime() const
Definition: tls_policy.cpp:281
static const std::vector< Ciphersuite > & all_known_ciphersuites()
virtual size_t minimum_dsa_group_size() const
Definition: tls_policy.cpp:230
static bool is_dh_group(const std::string &group_name)
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition: tls_policy.cpp:306
virtual bool allow_tls10() const
Definition: tls_policy.cpp:336