Botan  2.10.0
Crypto and TLS for C++11
tls_policy.cpp
Go to the documentation of this file.
1 /*
2 * Policies for TLS
3 * (C) 2004-2010,2012,2015,2016 Jack Lloyd
4 * 2016 Christian Mainka
5 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/tls_policy.h>
11 #include <botan/tls_ciphersuite.h>
12 #include <botan/tls_algos.h>
13 #include <botan/tls_exceptn.h>
14 #include <botan/internal/stl_util.h>
15 #include <botan/pk_keys.h>
16 #include <sstream>
17 
18 namespace Botan {
19 
20 namespace TLS {
21 
22 std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const
23  {
24  std::vector<Signature_Scheme> schemes;
25 
27  {
28  const bool sig_allowed = allowed_signature_method(signature_algorithm_of_scheme(scheme));
29  const bool hash_allowed = allowed_signature_hash(hash_function_of_scheme(scheme));
30 
31  if(sig_allowed && hash_allowed)
32  {
33  schemes.push_back(scheme);
34  }
35  }
36 
37  return schemes;
38  }
39 
40 std::vector<std::string> Policy::allowed_ciphers() const
41  {
42  return {
43  //"AES-256/OCB(12)",
44  //"AES-128/OCB(12)",
45  "ChaCha20Poly1305",
46  "AES-256/GCM",
47  "AES-128/GCM",
48  //"AES-256/CCM",
49  //"AES-128/CCM",
50  //"AES-256/CCM(8)",
51  //"AES-128/CCM(8)",
52  //"Camellia-256/GCM",
53  //"Camellia-128/GCM",
54  //"ARIA-256/GCM",
55  //"ARIA-128/GCM",
56  //"AES-256",
57  //"AES-128",
58  //"Camellia-256",
59  //"Camellia-128",
60  //"SEED"
61  //"3DES",
62  };
63  }
64 
65 std::vector<std::string> Policy::allowed_signature_hashes() const
66  {
67  return {
68  "SHA-512",
69  "SHA-384",
70  "SHA-256",
71  //"SHA-1",
72  };
73  }
74 
75 std::vector<std::string> Policy::allowed_macs() const
76  {
77  /*
78  SHA-256 is preferred because the Lucky13 countermeasure works
79  somewhat better for SHA-256 vs SHA-384:
80  https://github.com/randombit/botan/pull/675
81  */
82  return {
83  "AEAD",
84  "SHA-256",
85  "SHA-384",
86  "SHA-1",
87  };
88  }
89 
90 std::vector<std::string> Policy::allowed_key_exchange_methods() const
91  {
92  return {
93  //"SRP_SHA",
94  //"ECDHE_PSK",
95  //"DHE_PSK",
96  //"PSK",
97  "CECPQ1",
98  "ECDH",
99  "DH",
100  //"RSA",
101  };
102  }
103 
104 std::vector<std::string> Policy::allowed_signature_methods() const
105  {
106  return {
107  "ECDSA",
108  "RSA",
109  //"DSA",
110  //"IMPLICIT",
111  //"ANONYMOUS" (anon)
112  };
113  }
114 
115 bool Policy::allowed_signature_method(const std::string& sig_method) const
116  {
117  return value_exists(allowed_signature_methods(), sig_method);
118  }
119 
120 bool Policy::allowed_signature_hash(const std::string& sig_hash) const
121  {
122  return value_exists(allowed_signature_hashes(), sig_hash);
123  }
124 
125 bool Policy::use_ecc_point_compression() const
126  {
127  return false;
128  }
129 
130 Group_Params Policy::choose_key_exchange_group(const std::vector<Group_Params>& peer_groups) const
131  {
132  if(peer_groups.empty())
133  return Group_Params::NONE;
134 
135  const std::vector<Group_Params> our_groups = key_exchange_groups();
136 
137  for(auto g : our_groups)
138  {
139  if(value_exists(peer_groups, g))
140  return g;
141  }
142 
143  return Group_Params::NONE;
144  }
145 
146 Group_Params Policy::default_dh_group() const
147  {
148  /*
149  * Return the first listed or just default to 2048
150  */
151  for(auto g : key_exchange_groups())
152  {
153  if(group_param_is_dh(g))
154  return g;
155  }
156 
158  }
159 
160 std::vector<Group_Params> Policy::key_exchange_groups() const
161  {
162  // Default list is ordered by performance
163  return {
164 
165 #if defined(BOTAN_HAS_CURVE_25519)
167 #endif
168 
175 
181  };
182  }
183 
184 size_t Policy::minimum_dh_group_size() const
185  {
186  return 2048;
187  }
188 
189 size_t Policy::minimum_ecdsa_group_size() const
190  {
191  // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
192  return 256;
193  }
194 
195 size_t Policy::minimum_ecdh_group_size() const
196  {
197  // x25519 is smallest curve currently supported for TLS key exchange
198  return 255;
199  }
200 
201 size_t Policy::minimum_signature_strength() const
202  {
203  return 110;
204  }
205 
206 bool Policy::require_cert_revocation_info() const
207  {
208  return true;
209  }
210 
211 size_t Policy::minimum_rsa_bits() const
212  {
213  /* Default assumption is all end-entity certificates should
214  be at least 2048 bits these days.
215 
216  If you are connecting to arbitrary servers on the Internet
217  (ie as a web browser or SMTP client) you'll probably have to reduce this
218  to 1024 bits, or perhaps even lower.
219  */
220  return 2048;
221  }
222 
223 size_t Policy::minimum_dsa_group_size() const
224  {
225  // FIPS 186-3
226  return 2048;
227  }
228 
229 void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
230  {
231  const std::string algo_name = public_key.algo_name();
232 
233  const size_t keylength = public_key.key_length();
234  size_t expected_keylength = 0;
235 
236  if(algo_name == "RSA")
237  {
238  expected_keylength = minimum_rsa_bits();
239  }
240  else if(algo_name == "DH")
241  {
242  expected_keylength = minimum_dh_group_size();
243  }
244  else if(algo_name == "DSA")
245  {
246  expected_keylength = minimum_dsa_group_size();
247  }
248  else if(algo_name == "ECDH" || algo_name == "Curve25519")
249  {
250  expected_keylength = minimum_ecdh_group_size();
251  }
252  else if(algo_name == "ECDSA")
253  {
254  expected_keylength = minimum_ecdsa_group_size();
255  }
256  // else some other algo, so leave expected_keylength as zero and the check is a no-op
257 
258  if(keylength < expected_keylength)
259  throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
260  "Peer sent " +
261  std::to_string(keylength) + " bit " + algo_name + " key"
262  ", policy requires at least " +
263  std::to_string(expected_keylength));
264  }
265 
266 uint32_t Policy::session_ticket_lifetime() const
267  {
268  return 86400; // ~1 day
269  }
270 
271 bool Policy::send_fallback_scsv(Protocol_Version version) const
272  {
273  return version != latest_supported_version(version.is_datagram_protocol());
274  }
275 
276 bool Policy::acceptable_protocol_version(Protocol_Version version) const
277  {
278  // Uses boolean optimization:
279  // First check the current version (left part), then if it is allowed
280  // (right part)
281  // checks are ordered according to their probability
282  return (
283  ( ( version == Protocol_Version::TLS_V12) && allow_tls12() ) ||
284  ( ( version == Protocol_Version::TLS_V10) && allow_tls10() ) ||
285  ( ( version == Protocol_Version::TLS_V11) && allow_tls11() ) ||
286  ( ( version == Protocol_Version::DTLS_V12) && allow_dtls12() ) ||
287  ( ( version == Protocol_Version::DTLS_V10) && allow_dtls10() )
288  );
289  }
290 
291 Protocol_Version Policy::latest_supported_version(bool datagram) const
292  {
293  if(datagram)
294  {
295  if(allow_dtls12())
296  return Protocol_Version::DTLS_V12;
297  if(allow_dtls10())
298  return Protocol_Version::DTLS_V10;
299  throw Invalid_State("Policy forbids all available DTLS version");
300  }
301  else
302  {
303  if(allow_tls12())
304  return Protocol_Version::TLS_V12;
305  if(allow_tls11())
306  return Protocol_Version::TLS_V11;
307  if(allow_tls10())
308  return Protocol_Version::TLS_V10;
309  throw Invalid_State("Policy forbids all available TLS version");
310  }
311  }
312 
313 bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const
314  {
315  return value_exists(allowed_ciphers(), ciphersuite.cipher_algo()) &&
316  value_exists(allowed_macs(), ciphersuite.mac_algo());
317  }
318 
319 bool Policy::allow_client_initiated_renegotiation() const { return false; }
320 bool Policy::allow_server_initiated_renegotiation() const { return false; }
321 bool Policy::allow_insecure_renegotiation() const { return false; }
322 bool Policy::allow_tls10() const { return false; }
323 bool Policy::allow_tls11() const { return false; }
324 bool Policy::allow_tls12() const { return true; }
325 bool Policy::allow_dtls10() const { return false; }
326 bool Policy::allow_dtls12() const { return true; }
327 bool Policy::include_time_in_hello_random() const { return true; }
328 bool Policy::hide_unknown_users() const { return false; }
329 bool Policy::server_uses_own_ciphersuite_preferences() const { return true; }
330 bool Policy::negotiate_encrypt_then_mac() const { return true; }
331 bool Policy::support_cert_status_message() const { return true; }
332 
333 // 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
334 size_t Policy::dtls_initial_timeout() const { return 1*1000; }
335 size_t Policy::dtls_maximum_timeout() const { return 60*1000; }
336 
337 size_t Policy::dtls_default_mtu() const
338  {
339  // default MTU is IPv6 min MTU minus UDP/IP headers
340  return 1280 - 40 - 8;
341  }
342 
343 std::vector<uint16_t> Policy::srtp_profiles() const
344  {
345  return std::vector<uint16_t>();
346  }
347 
348 namespace {
349 
350 class Ciphersuite_Preference_Ordering final
351  {
352  public:
353  Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
354  const std::vector<std::string>& macs,
355  const std::vector<std::string>& kex,
356  const std::vector<std::string>& sigs) :
357  m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
358 
359  bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
360  {
361  if(a.kex_method() != b.kex_method())
362  {
363  for(size_t i = 0; i != m_kex.size(); ++i)
364  {
365  if(a.kex_algo() == m_kex[i])
366  return true;
367  if(b.kex_algo() == m_kex[i])
368  return false;
369  }
370  }
371 
372  if(a.cipher_algo() != b.cipher_algo())
373  {
374  for(size_t i = 0; i != m_ciphers.size(); ++i)
375  {
376  if(a.cipher_algo() == m_ciphers[i])
377  return true;
378  if(b.cipher_algo() == m_ciphers[i])
379  return false;
380  }
381  }
382 
383  if(a.cipher_keylen() != b.cipher_keylen())
384  {
385  if(a.cipher_keylen() < b.cipher_keylen())
386  return false;
387  if(a.cipher_keylen() > b.cipher_keylen())
388  return true;
389  }
390 
391  if(a.auth_method() != b.auth_method())
392  {
393  for(size_t i = 0; i != m_sigs.size(); ++i)
394  {
395  if(a.sig_algo() == m_sigs[i])
396  return true;
397  if(b.sig_algo() == m_sigs[i])
398  return false;
399  }
400  }
401 
402  if(a.mac_algo() != b.mac_algo())
403  {
404  for(size_t i = 0; i != m_macs.size(); ++i)
405  {
406  if(a.mac_algo() == m_macs[i])
407  return true;
408  if(b.mac_algo() == m_macs[i])
409  return false;
410  }
411  }
412 
413  return false; // equal (?!?)
414  }
415  private:
416  std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
417  };
418 
419 }
420 
421 std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
422  bool have_srp) const
423  {
424  const std::vector<std::string> ciphers = allowed_ciphers();
425  const std::vector<std::string> macs = allowed_macs();
426  const std::vector<std::string> kex = allowed_key_exchange_methods();
427  const std::vector<std::string> sigs = allowed_signature_methods();
428 
429  std::vector<Ciphersuite> ciphersuites;
430 
431  for(auto&& suite : Ciphersuite::all_known_ciphersuites())
432  {
433  // Can we use it?
434  if(suite.valid() == false)
435  continue;
436 
437  // Is it acceptable to the policy?
438  if(!this->acceptable_ciphersuite(suite))
439  continue;
440 
441  // Are we doing SRP?
442  if(!have_srp && suite.kex_method() == Kex_Algo::SRP_SHA)
443  continue;
444 
445  if(!version.supports_aead_modes())
446  {
447  // Are we doing AEAD in a non-AEAD version?
448  if(suite.mac_algo() == "AEAD")
449  continue;
450 
451  // Older (v1.0/v1.1) versions also do not support any hash but SHA-1
452  if(suite.mac_algo() != "SHA-1")
453  continue;
454  }
455 
456  if(!value_exists(kex, suite.kex_algo()))
457  continue; // unsupported key exchange
458 
459  if(!value_exists(ciphers, suite.cipher_algo()))
460  continue; // unsupported cipher
461 
462  if(!value_exists(macs, suite.mac_algo()))
463  continue; // unsupported MAC algo
464 
465  if(!value_exists(sigs, suite.sig_algo()))
466  {
467  // allow if it's an empty sig algo and we want to use PSK
468  if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite())
469  continue;
470  }
471 
472  /*
473  CECPQ1 always uses x25519 for ECDH, so treat the applications
474  removal of x25519 from the ECC curve list as equivalent to
475  saying they do not trust CECPQ1
476  */
477  if(suite.kex_method() == Kex_Algo::CECPQ1)
478  {
479  if(value_exists(key_exchange_groups(), Group_Params::X25519) == false)
480  continue;
481  }
482 
483  // OK, consider it
484  ciphersuites.push_back(suite);
485  }
486 
487  if(ciphersuites.empty())
488  {
489  throw Invalid_State("Policy does not allow any available cipher suite");
490  }
491 
492  Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
493  std::sort(ciphersuites.begin(), ciphersuites.end(), order);
494 
495  std::vector<uint16_t> ciphersuite_codes;
496  for(auto i : ciphersuites)
497  ciphersuite_codes.push_back(i.ciphersuite_code());
498  return ciphersuite_codes;
499  }
500 
501 namespace {
502 
503 void print_vec(std::ostream& o,
504  const char* key,
505  const std::vector<std::string>& v)
506  {
507  o << key << " = ";
508  for(size_t i = 0; i != v.size(); ++i)
509  {
510  o << v[i];
511  if(i != v.size() - 1)
512  o << ' ';
513  }
514  o << '\n';
515  }
516 
517 void print_vec(std::ostream& o,
518  const char* key,
519  const std::vector<Group_Params>& v)
520  {
521  o << key << " = ";
522  for(size_t i = 0; i != v.size(); ++i)
523  {
524  o << group_param_to_string(v[i]);
525  if(i != v.size() - 1)
526  o << ' ';
527  }
528  o << '\n';
529  }
530 
531 void print_bool(std::ostream& o,
532  const char* key, bool b)
533  {
534  o << key << " = " << (b ? "true" : "false") << '\n';
535  }
536 
537 }
538 
539 void Policy::print(std::ostream& o) const
540  {
541  print_bool(o, "allow_tls10", allow_tls10());
542  print_bool(o, "allow_tls11", allow_tls11());
543  print_bool(o, "allow_tls12", allow_tls12());
544  print_bool(o, "allow_dtls10", allow_dtls10());
545  print_bool(o, "allow_dtls12", allow_dtls12());
546  print_vec(o, "ciphers", allowed_ciphers());
547  print_vec(o, "macs", allowed_macs());
548  print_vec(o, "signature_hashes", allowed_signature_hashes());
549  print_vec(o, "signature_methods", allowed_signature_methods());
550  print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
551  print_vec(o, "key_exchange_groups", key_exchange_groups());
552 
553  print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
554  print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
555  print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
556  print_bool(o, "hide_unknown_users", hide_unknown_users());
557  print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
558  print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
559  print_bool(o, "support_cert_status_message", support_cert_status_message());
560  o << "session_ticket_lifetime = " << session_ticket_lifetime() << '\n';
561  o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
562  o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
563  o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
564  o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
565  }
566 
567 std::string Policy::to_string() const
568  {
569  std::ostringstream oss;
570  this->print(oss);
571  return oss.str();
572  }
573 
574 std::vector<std::string> Strict_Policy::allowed_ciphers() const
575  {
576  return { "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" };
577  }
578 
579 std::vector<std::string> Strict_Policy::allowed_signature_hashes() const
580  {
581  return { "SHA-512", "SHA-384"};
582  }
583 
584 std::vector<std::string> Strict_Policy::allowed_macs() const
585  {
586  return { "AEAD" };
587  }
588 
589 std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const
590  {
591  return { "CECPQ1", "ECDH" };
592  }
593 
594 bool Strict_Policy::allow_tls10() const { return false; }
595 bool Strict_Policy::allow_tls11() const { return false; }
596 bool Strict_Policy::allow_tls12() const { return true; }
597 bool Strict_Policy::allow_dtls10() const { return false; }
598 bool Strict_Policy::allow_dtls12() const { return true; }
599 
600 }
601 
602 }
std::string hash_function_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:191
bool group_param_is_dh(Group_Params group)
Definition: tls_algos.cpp:118
bool const OID & b
Definition: asn1_oid.h:109
int(* final)(unsigned char *, CTX *)
Signature_Scheme
Definition: tls_algos.h:84
std::string group_param_to_string(Group_Params group)
Definition: tls_algos.cpp:155
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
size_t const BigInt & a
Definition: numthry.h:111
const char * algo_name
Definition: ffi.h:932
Definition: alg_id.cpp:13
const std::vector< Signature_Scheme > & all_signature_schemes()
Definition: tls_algos.cpp:229
const uint8_t * key
Definition: ffi.h:359
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:291
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
std::pair< BigInt, SymmetricKey > BOTAN_PUBLIC_API(2, 0) srp6_client_agree(const std BigInt BOTAN_PUBLIC_API(2, 0) generate_srp6_verifier(const std std::string const BigInt & g
Definition: srp6.h:61
const Private_Key const Public_Key & public_key
Definition: keypair.h:28