Botan 2.19.0
Crypto and TLS for C&
tls_policy.cpp
Go to the documentation of this file.
1/*
2* Policies for TLS
3* (C) 2004-2010,2012,2015,2016 Jack Lloyd
4* 2016 Christian Mainka
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/tls_policy.h>
11#include <botan/tls_ciphersuite.h>
12#include <botan/tls_algos.h>
13#include <botan/tls_exceptn.h>
14#include <botan/internal/stl_util.h>
15#include <botan/pk_keys.h>
16#include <sstream>
17
18namespace Botan {
19
20namespace TLS {
21
22std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const
23 {
24 std::vector<Signature_Scheme> schemes;
25
27 {
28 if(signature_scheme_is_known(scheme) == false)
29 continue;
30 const bool sig_allowed = allowed_signature_method(signature_algorithm_of_scheme(scheme));
31 const bool hash_allowed = allowed_signature_hash(hash_function_of_scheme(scheme));
32
33 if(sig_allowed && hash_allowed)
34 {
35 schemes.push_back(scheme);
36 }
37 }
38
39 return schemes;
40 }
41
42std::vector<std::string> Policy::allowed_ciphers() const
43 {
44 return {
45 //"AES-256/OCB(12)",
46 //"AES-128/OCB(12)",
47 "ChaCha20Poly1305",
48 "AES-256/GCM",
49 "AES-128/GCM",
50 //"AES-256/CCM",
51 //"AES-128/CCM",
52 //"AES-256/CCM(8)",
53 //"AES-128/CCM(8)",
54 //"Camellia-256/GCM",
55 //"Camellia-128/GCM",
56 //"ARIA-256/GCM",
57 //"ARIA-128/GCM",
58 //"AES-256",
59 //"AES-128",
60 //"Camellia-256",
61 //"Camellia-128",
62 //"SEED",
63 //"3DES",
64 };
65 }
66
67std::vector<std::string> Policy::allowed_signature_hashes() const
68 {
69 return {
70 "SHA-512",
71 "SHA-384",
72 "SHA-256",
73 //"SHA-1",
74 };
75 }
76
77std::vector<std::string> Policy::allowed_macs() const
78 {
79 /*
80 SHA-256 is preferred because the Lucky13 countermeasure works
81 somewhat better for SHA-256 vs SHA-384:
82 https://github.com/randombit/botan/pull/675
83 */
84 return {
85 "AEAD",
86 "SHA-256",
87 "SHA-384",
88 "SHA-1",
89 };
90 }
91
92std::vector<std::string> Policy::allowed_key_exchange_methods() const
93 {
94 return {
95 //"SRP_SHA",
96 //"ECDHE_PSK",
97 //"DHE_PSK",
98 //"PSK",
99 "CECPQ1",
100 "ECDH",
101 "DH",
102 //"RSA",
103 };
104 }
105
106std::vector<std::string> Policy::allowed_signature_methods() const
107 {
108 return {
109 "ECDSA",
110 "RSA",
111 //"DSA",
112 //"IMPLICIT",
113 //"ANONYMOUS" (anon)
114 };
115 }
116
117bool Policy::allowed_signature_method(const std::string& sig_method) const
118 {
119 return value_exists(allowed_signature_methods(), sig_method);
120 }
121
122bool Policy::allowed_signature_hash(const std::string& sig_hash) const
123 {
124 return value_exists(allowed_signature_hashes(), sig_hash);
125 }
126
128 {
129 return false;
130 }
131
132Group_Params Policy::choose_key_exchange_group(const std::vector<Group_Params>& peer_groups) const
133 {
134 if(peer_groups.empty())
135 return Group_Params::NONE;
136
137 const std::vector<Group_Params> our_groups = key_exchange_groups();
138
139 for(auto g : our_groups)
140 {
141 if(value_exists(peer_groups, g))
142 return g;
143 }
144
145 return Group_Params::NONE;
146 }
147
149 {
150 /*
151 * Return the first listed or just default to 2048
152 */
153 for(auto g : key_exchange_groups())
154 {
155 if(group_param_is_dh(g))
156 return g;
157 }
158
160 }
161
162std::vector<Group_Params> Policy::key_exchange_groups() const
163 {
164 // Default list is ordered by performance
165 return {
166
167#if defined(BOTAN_HAS_CURVE_25519)
169#endif
170
177
183 };
184 }
185
187 {
188 return 2048;
189 }
190
192 {
193 // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
194 return 256;
195 }
196
198 {
199 // x25519 is smallest curve currently supported for TLS key exchange
200 return 255;
201 }
202
204 {
205 return 110;
206 }
207
209 {
210 return true;
211 }
212
214 {
215 /* Default assumption is all end-entity certificates should
216 be at least 2048 bits these days.
217
218 If you are connecting to arbitrary servers on the Internet
219 (ie as a web browser or SMTP client) you'll probably have to reduce this
220 to 1024 bits, or perhaps even lower.
221 */
222 return 2048;
223 }
224
226 {
227 // FIPS 186-3
228 return 2048;
229 }
230
232 {
233 const std::string algo_name = public_key.algo_name();
234
235 const size_t keylength = public_key.key_length();
236 size_t expected_keylength = 0;
237
238 if(algo_name == "RSA")
239 {
240 expected_keylength = minimum_rsa_bits();
241 }
242 else if(algo_name == "DH")
243 {
244 expected_keylength = minimum_dh_group_size();
245 }
246 else if(algo_name == "DSA")
247 {
248 expected_keylength = minimum_dsa_group_size();
249 }
250 else if(algo_name == "ECDH" || algo_name == "Curve25519")
251 {
252 expected_keylength = minimum_ecdh_group_size();
253 }
254 else if(algo_name == "ECDSA")
255 {
256 expected_keylength = minimum_ecdsa_group_size();
257 }
258 // else some other algo, so leave expected_keylength as zero and the check is a no-op
259
260 if(keylength < expected_keylength)
262 "Peer sent " +
263 std::to_string(keylength) + " bit " + algo_name + " key"
264 ", policy requires at least " +
265 std::to_string(expected_keylength));
266 }
267
269 {
270 return 86400; // ~1 day
271 }
272
274 {
275 return version != latest_supported_version(version.is_datagram_protocol());
276 }
277
279 {
280 if(version == Protocol_Version::TLS_V12 && allow_tls12())
281 return true;
282
283 if(version == Protocol_Version::DTLS_V12 && allow_dtls12())
284 return true;
285
286#if defined(BOTAN_HAS_TLS_V10)
287
288 if(version == Protocol_Version::TLS_V11 && allow_tls11())
289 return true;
290 if(version == Protocol_Version::TLS_V10 && allow_tls10())
291 return true;
292 if(version == Protocol_Version::DTLS_V10 && allow_dtls10())
293 return true;
294
295#endif
296
297 return false;
298 }
299
301 {
302 if(datagram)
303 {
306#if defined(BOTAN_HAS_TLS_V10)
309#endif
310 throw Invalid_State("Policy forbids all available DTLS version");
311 }
312 else
313 {
316#if defined(BOTAN_HAS_TLS_V10)
321#endif
322 throw Invalid_State("Policy forbids all available TLS version");
323 }
324 }
325
326bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const
327 {
328 return value_exists(allowed_ciphers(), ciphersuite.cipher_algo()) &&
329 value_exists(allowed_macs(), ciphersuite.mac_algo());
330 }
331
334bool Policy::allow_insecure_renegotiation() const { return false; }
335bool Policy::allow_tls10() const { return false; }
336bool Policy::allow_tls11() const { return false; }
337bool Policy::allow_tls12() const { return true; }
338bool Policy::allow_dtls10() const { return false; }
339bool Policy::allow_dtls12() const { return true; }
340bool Policy::include_time_in_hello_random() const { return true; }
341bool Policy::hide_unknown_users() const { return false; }
343bool Policy::negotiate_encrypt_then_mac() const { return true; }
344bool Policy::support_cert_status_message() const { return true; }
346bool Policy::only_resume_with_exact_version() const { return true; }
350bool Policy::allow_dtls_epoch0_restart() const { return false; }
351
352size_t Policy::maximum_certificate_chain_size() const { return 0; }
353
354// 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
355size_t Policy::dtls_initial_timeout() const { return 1*1000; }
356size_t Policy::dtls_maximum_timeout() const { return 60*1000; }
357
359 {
360 // default MTU is IPv6 min MTU minus UDP/IP headers
361 return 1280 - 40 - 8;
362 }
363
364std::vector<uint16_t> Policy::srtp_profiles() const
365 {
366 return std::vector<uint16_t>();
367 }
368
369namespace {
370
371class Ciphersuite_Preference_Ordering final
372 {
373 public:
374 Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
375 const std::vector<std::string>& macs,
376 const std::vector<std::string>& kex,
377 const std::vector<std::string>& sigs) :
378 m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
379
380 bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
381 {
382 if(a.kex_method() != b.kex_method())
383 {
384 for(size_t i = 0; i != m_kex.size(); ++i)
385 {
386 if(a.kex_algo() == m_kex[i])
387 return true;
388 if(b.kex_algo() == m_kex[i])
389 return false;
390 }
391 }
392
393 if(a.cipher_algo() != b.cipher_algo())
394 {
395 for(size_t i = 0; i != m_ciphers.size(); ++i)
396 {
397 if(a.cipher_algo() == m_ciphers[i])
398 return true;
399 if(b.cipher_algo() == m_ciphers[i])
400 return false;
401 }
402 }
403
404 if(a.cipher_keylen() != b.cipher_keylen())
405 {
406 if(a.cipher_keylen() < b.cipher_keylen())
407 return false;
408 if(a.cipher_keylen() > b.cipher_keylen())
409 return true;
410 }
411
412 if(a.auth_method() != b.auth_method())
413 {
414 for(size_t i = 0; i != m_sigs.size(); ++i)
415 {
416 if(a.sig_algo() == m_sigs[i])
417 return true;
418 if(b.sig_algo() == m_sigs[i])
419 return false;
420 }
421 }
422
423 if(a.mac_algo() != b.mac_algo())
424 {
425 for(size_t i = 0; i != m_macs.size(); ++i)
426 {
427 if(a.mac_algo() == m_macs[i])
428 return true;
429 if(b.mac_algo() == m_macs[i])
430 return false;
431 }
432 }
433
434 return false; // equal (?!?)
435 }
436 private:
437 std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
438 };
439
440}
441
442std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
443 bool have_srp) const
444 {
445 const std::vector<std::string> ciphers = allowed_ciphers();
446 const std::vector<std::string> macs = allowed_macs();
447 const std::vector<std::string> kex = allowed_key_exchange_methods();
448 const std::vector<std::string> sigs = allowed_signature_methods();
449
450 std::vector<Ciphersuite> ciphersuites;
451
452 for(auto&& suite : Ciphersuite::all_known_ciphersuites())
453 {
454 // Can we use it?
455 if(!suite.valid())
456 continue;
457
458 // Can we use it in this version?
459 if(!suite.usable_in_version(version))
460 continue;
461
462 // Is it acceptable to the policy?
463 if(!this->acceptable_ciphersuite(suite))
464 continue;
465
466 // Are we doing SRP?
467 if(!have_srp && suite.kex_method() == Kex_Algo::SRP_SHA)
468 continue;
469
470 if(!value_exists(kex, suite.kex_algo()))
471 continue; // unsupported key exchange
472
473 if(!value_exists(ciphers, suite.cipher_algo()))
474 continue; // unsupported cipher
475
476 if(!value_exists(macs, suite.mac_algo()))
477 continue; // unsupported MAC algo
478
479 if(!value_exists(sigs, suite.sig_algo()))
480 {
481 // allow if it's an empty sig algo and we want to use PSK
482 if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite())
483 continue;
484 }
485
486 /*
487 CECPQ1 always uses x25519 for ECDH, so treat the applications
488 removal of x25519 from the ECC curve list as equivalent to
489 saying they do not trust CECPQ1
490 */
491 if(suite.kex_method() == Kex_Algo::CECPQ1)
492 {
494 continue;
495 }
496
497 // OK, consider it
498 ciphersuites.push_back(suite);
499 }
500
501 if(ciphersuites.empty())
502 {
503 throw Invalid_State("Policy does not allow any available cipher suite");
504 }
505
506 Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
507 std::sort(ciphersuites.begin(), ciphersuites.end(), order);
508
509 std::vector<uint16_t> ciphersuite_codes;
510 for(auto i : ciphersuites)
511 ciphersuite_codes.push_back(i.ciphersuite_code());
512 return ciphersuite_codes;
513 }
514
515namespace {
516
517void print_vec(std::ostream& o,
518 const char* key,
519 const std::vector<std::string>& v)
520 {
521 o << key << " = ";
522 for(size_t i = 0; i != v.size(); ++i)
523 {
524 o << v[i];
525 if(i != v.size() - 1)
526 o << ' ';
527 }
528 o << '\n';
529 }
530
531void print_vec(std::ostream& o,
532 const char* key,
533 const std::vector<Group_Params>& v)
534 {
535 o << key << " = ";
536 for(size_t i = 0; i != v.size(); ++i)
537 {
538 o << group_param_to_string(v[i]);
539 if(i != v.size() - 1)
540 o << ' ';
541 }
542 o << '\n';
543 }
544
545void print_bool(std::ostream& o,
546 const char* key, bool b)
547 {
548 o << key << " = " << (b ? "true" : "false") << '\n';
549 }
550
551}
552
553void Policy::print(std::ostream& o) const
554 {
555 print_bool(o, "allow_tls10", allow_tls10());
556 print_bool(o, "allow_tls11", allow_tls11());
557 print_bool(o, "allow_tls12", allow_tls12());
558 print_bool(o, "allow_dtls10", allow_dtls10());
559 print_bool(o, "allow_dtls12", allow_dtls12());
560 print_vec(o, "ciphers", allowed_ciphers());
561 print_vec(o, "macs", allowed_macs());
562 print_vec(o, "signature_hashes", allowed_signature_hashes());
563 print_vec(o, "signature_methods", allowed_signature_methods());
564 print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
565 print_vec(o, "key_exchange_groups", key_exchange_groups());
566
567 print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
568 print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
569 print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
570 print_bool(o, "hide_unknown_users", hide_unknown_users());
571 print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
572 print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
573 print_bool(o, "support_cert_status_message", support_cert_status_message());
574 o << "session_ticket_lifetime = " << session_ticket_lifetime() << '\n';
575 o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
576 o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
577 o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
578 o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
579 }
580
581std::string Policy::to_string() const
582 {
583 std::ostringstream oss;
584 this->print(oss);
585 return oss.str();
586 }
587
588std::vector<std::string> Strict_Policy::allowed_ciphers() const
589 {
590 return { "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" };
591 }
592
593std::vector<std::string> Strict_Policy::allowed_signature_hashes() const
594 {
595 return { "SHA-512", "SHA-384"};
596 }
597
598std::vector<std::string> Strict_Policy::allowed_macs() const
599 {
600 return { "AEAD" };
601 }
602
603std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const
604 {
605 return { "CECPQ1", "ECDH" };
606 }
607
608bool Strict_Policy::allow_tls10() const { return false; }
609bool Strict_Policy::allow_tls11() const { return false; }
610bool Strict_Policy::allow_tls12() const { return true; }
611bool Strict_Policy::allow_dtls10() const { return false; }
612bool Strict_Policy::allow_dtls12() const { return true; }
613
614}
615
616}
virtual size_t key_length() const =0
virtual std::string algo_name() const =0
static const std::vector< Ciphersuite > & all_known_ciphersuites()
std::string mac_algo() const
std::string cipher_algo() const
virtual bool include_time_in_hello_random() const
Definition: tls_policy.cpp:340
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
Definition: tls_policy.cpp:231
virtual bool abort_connection_on_undesired_renegotiation() const
Definition: tls_policy.cpp:349
virtual size_t dtls_maximum_timeout() const
Definition: tls_policy.cpp:356
virtual size_t minimum_ecdh_group_size() const
Definition: tls_policy.cpp:197
virtual size_t dtls_default_mtu() const
Definition: tls_policy.cpp:358
virtual bool allow_tls12() const
Definition: tls_policy.cpp:337
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version, bool have_srp) const
Definition: tls_policy.cpp:442
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
Definition: tls_policy.cpp:22
std::string to_string() const
Definition: tls_policy.cpp:581
virtual bool require_client_certificate_authentication() const
Definition: tls_policy.cpp:347
virtual std::vector< Group_Params > key_exchange_groups() const
Definition: tls_policy.cpp:162
virtual bool allow_dtls10() const
Definition: tls_policy.cpp:338
virtual size_t minimum_rsa_bits() const
Definition: tls_policy.cpp:213
bool allowed_signature_method(const std::string &sig_method) const
Definition: tls_policy.cpp:117
virtual bool only_resume_with_exact_version() const
Definition: tls_policy.cpp:346
virtual bool allow_client_initiated_renegotiation() const
Definition: tls_policy.cpp:332
virtual size_t minimum_dsa_group_size() const
Definition: tls_policy.cpp:225
bool allowed_signature_hash(const std::string &hash) const
Definition: tls_policy.cpp:122
virtual bool allow_dtls_epoch0_restart() const
Definition: tls_policy.cpp:350
virtual bool request_client_certificate_authentication() const
Definition: tls_policy.cpp:348
virtual bool require_cert_revocation_info() const
Definition: tls_policy.cpp:208
virtual bool allow_tls10() const
Definition: tls_policy.cpp:335
virtual bool negotiate_encrypt_then_mac() const
Definition: tls_policy.cpp:343
virtual bool server_uses_own_ciphersuite_preferences() const
Definition: tls_policy.cpp:342
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition: tls_policy.cpp:300
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition: tls_policy.cpp:278
virtual std::vector< uint16_t > srtp_profiles() const
Definition: tls_policy.cpp:364
virtual uint32_t session_ticket_lifetime() const
Definition: tls_policy.cpp:268
virtual bool support_cert_status_message() const
Definition: tls_policy.cpp:344
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
Definition: tls_policy.cpp:326
virtual std::vector< std::string > allowed_macs() const
Definition: tls_policy.cpp:77
virtual bool hide_unknown_users() const
Definition: tls_policy.cpp:341
virtual bool allow_tls11() const
Definition: tls_policy.cpp:336
virtual std::vector< std::string > allowed_key_exchange_methods() const
Definition: tls_policy.cpp:92
virtual size_t dtls_initial_timeout() const
Definition: tls_policy.cpp:355
virtual bool use_ecc_point_compression() const
Definition: tls_policy.cpp:127
virtual bool allow_dtls12() const
Definition: tls_policy.cpp:339
virtual size_t minimum_dh_group_size() const
Definition: tls_policy.cpp:186
virtual bool allow_insecure_renegotiation() const
Definition: tls_policy.cpp:334
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &peer_groups) const
Definition: tls_policy.cpp:132
virtual std::vector< std::string > allowed_ciphers() const
Definition: tls_policy.cpp:42
virtual bool send_fallback_scsv(Protocol_Version version) const
Definition: tls_policy.cpp:273
virtual size_t minimum_signature_strength() const
Definition: tls_policy.cpp:203
virtual Group_Params default_dh_group() const
Definition: tls_policy.cpp:148
virtual size_t maximum_certificate_chain_size() const
Definition: tls_policy.cpp:352
virtual std::vector< std::string > allowed_signature_methods() const
Definition: tls_policy.cpp:106
virtual size_t minimum_ecdsa_group_size() const
Definition: tls_policy.cpp:191
virtual bool allow_resumption_for_renegotiation() const
Definition: tls_policy.cpp:345
virtual std::vector< std::string > allowed_signature_hashes() const
Definition: tls_policy.cpp:67
virtual bool allow_server_initiated_renegotiation() const
Definition: tls_policy.cpp:333
virtual void print(std::ostream &o) const
Definition: tls_policy.cpp:553
std::vector< std::string > allowed_macs() const override
Definition: tls_policy.cpp:598
bool allow_dtls12() const override
Definition: tls_policy.cpp:612
std::vector< std::string > allowed_ciphers() const override
Definition: tls_policy.cpp:588
bool allow_tls12() const override
Definition: tls_policy.cpp:610
bool allow_tls11() const override
Definition: tls_policy.cpp:609
std::vector< std::string > allowed_key_exchange_methods() const override
Definition: tls_policy.cpp:603
bool allow_tls10() const override
Definition: tls_policy.cpp:608
std::vector< std::string > allowed_signature_hashes() const override
Definition: tls_policy.cpp:593
bool allow_dtls10() const override
Definition: tls_policy.cpp:611
int(* final)(unsigned char *, CTX *)
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
const std::vector< Signature_Scheme > & all_signature_schemes()
Definition: tls_algos.cpp:229
bool signature_scheme_is_known(Signature_Scheme scheme)
Definition: tls_algos.cpp:262
bool group_param_is_dh(Group_Params group)
Definition: tls_algos.cpp:118
Signature_Scheme
Definition: tls_algos.h:86
std::string hash_function_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:191
std::string group_param_to_string(Group_Params group)
Definition: tls_algos.cpp:155
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:291
Definition: alg_id.cpp:13
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86