Botan 3.3.0
Crypto and TLS for C&
tls_policy.cpp
Go to the documentation of this file.
1/*
2* Policies for TLS
3* (C) 2004-2010,2012,2015,2016 Jack Lloyd
4* 2016 Christian Mainka
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#include <botan/tls_policy.h>
12
13#include <botan/pk_keys.h>
14#include <botan/tls_algos.h>
15#include <botan/tls_ciphersuite.h>
16#include <botan/tls_exceptn.h>
17#include <botan/internal/stl_util.h>
18#include <optional>
19#include <sstream>
20
21namespace Botan::TLS {
22
23std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const {
24 std::vector<Signature_Scheme> schemes;
25
27 const bool sig_allowed = allowed_signature_method(scheme.algorithm_name());
28 const bool hash_allowed = allowed_signature_hash(scheme.hash_function_name());
29
30 if(sig_allowed && hash_allowed) {
31 schemes.push_back(scheme);
32 }
33 }
34
35 return schemes;
36}
37
38std::vector<Signature_Scheme> Policy::acceptable_signature_schemes() const {
39 return this->allowed_signature_schemes();
40}
41
42std::optional<std::vector<Signature_Scheme>> Policy::acceptable_certificate_signature_schemes() const {
43 // the restrictions of ::acceptable_signature_schemes() shall apply
44 return std::nullopt;
45}
46
47std::vector<std::string> Policy::allowed_ciphers() const {
48 return {
49 //"AES-256/OCB(12)",
50 "ChaCha20Poly1305",
51 "AES-256/GCM",
52 "AES-128/GCM",
53 //"AES-256/CCM",
54 //"AES-128/CCM",
55 //"AES-256/CCM(8)",
56 //"AES-128/CCM(8)",
57 //"Camellia-256/GCM",
58 //"Camellia-128/GCM",
59 //"ARIA-256/GCM",
60 //"ARIA-128/GCM",
61 //"AES-256",
62 //"AES-128",
63 //"3DES",
64 };
65}
66
67std::vector<std::string> Policy::allowed_signature_hashes() const {
68 return {
69 "SHA-512",
70 "SHA-384",
71 "SHA-256",
72 };
73}
74
75std::vector<std::string> Policy::allowed_macs() const {
76 /*
77 SHA-256 is preferred because the Lucky13 countermeasure works
78 somewhat better for SHA-256 vs SHA-384:
79 https://github.com/randombit/botan/pull/675
80 */
81 return {
82 "AEAD",
83 "SHA-256",
84 "SHA-384",
85 "SHA-1",
86 };
87}
88
89std::vector<std::string> Policy::allowed_key_exchange_methods() const {
90 return {
91 //"ECDHE_PSK",
92 //"PSK",
93 "ECDH",
94 "DH",
95 //"RSA",
96 };
97}
98
99std::vector<std::string> Policy::allowed_signature_methods() const {
100 return {
101 "ECDSA", "RSA",
102 //"IMPLICIT",
103 };
104}
105
106bool Policy::allowed_signature_method(std::string_view sig_method) const {
107 return value_exists(allowed_signature_methods(), sig_method);
108}
109
110bool Policy::allowed_signature_hash(std::string_view sig_hash) const {
111 return value_exists(allowed_signature_hashes(), sig_hash);
112}
113
115 return false;
116}
117
118Group_Params Policy::choose_key_exchange_group(const std::vector<Group_Params>& supported_by_peer,
119 const std::vector<Group_Params>& offered_by_peer) const {
120 if(supported_by_peer.empty()) {
121 return Group_Params::NONE;
122 }
123
124 const std::vector<Group_Params> our_groups = key_exchange_groups();
125
126 // Prefer groups that were offered by the peer for the sake of saving
127 // an additional round trip. For TLS 1.2, this won't be used.
128 for(auto g : offered_by_peer) {
129 if(value_exists(our_groups, g)) {
130 return g;
131 }
132 }
133
134 // If no pre-offered groups fit our supported set, we prioritize our
135 // own preference.
136 for(auto g : our_groups) {
137 if(value_exists(supported_by_peer, g)) {
138 return g;
139 }
140 }
141
142 return Group_Params::NONE;
143}
144
146 /*
147 * Return the first listed or just default to 2048
148 */
149 for(auto g : key_exchange_groups()) {
150 if(g.is_dh_named_group()) {
151 return g;
152 }
153 }
154
155 return Group_Params::FFDHE_2048;
156}
157
158std::vector<Group_Params> Policy::key_exchange_groups() const {
159 // Default list is ordered by performance
160 return {
161#if defined(BOTAN_HAS_CURVE_25519)
162 Group_Params::X25519,
163#endif
164
165 Group_Params::SECP256R1, Group_Params::BRAINPOOL256R1, Group_Params::SECP384R1, Group_Params::BRAINPOOL384R1,
166 Group_Params::SECP521R1, Group_Params::BRAINPOOL512R1,
167
168 Group_Params::FFDHE_2048, Group_Params::FFDHE_3072, Group_Params::FFDHE_4096, Group_Params::FFDHE_6144,
169 Group_Params::FFDHE_8192,
170 };
171}
172
173std::vector<Group_Params> Policy::key_exchange_groups_to_offer() const {
174 // by default, we offer a key share for the most-preferred group, only
175 std::vector<Group_Params> groups_to_offer;
176 const auto supported_groups = key_exchange_groups();
177 if(!supported_groups.empty()) {
178 groups_to_offer.push_back(supported_groups.front());
179 }
180 return groups_to_offer;
181}
182
184 return 2048;
185}
186
188 // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
189 return 256;
190}
191
193 // x25519 is smallest curve currently supported for TLS key exchange
194 return 255;
195}
196
198 return 110;
199}
200
202 return true;
203}
204
206 /* Default assumption is all end-entity certificates should
207 be at least 2048 bits these days.
208
209 If you are connecting to arbitrary servers on the Internet
210 (ie as a web browser or SMTP client) you'll probably have to reduce this
211 to 1024 bits, or perhaps even lower.
212 */
213 return 2048;
214}
215
216void Policy::check_peer_key_acceptable(const Public_Key& public_key) const {
217 const std::string algo_name = public_key.algo_name();
218
219 const size_t keylength = public_key.key_length();
220 size_t expected_keylength = 0;
221
222 if(algo_name == "RSA") {
223 expected_keylength = minimum_rsa_bits();
224 } else if(algo_name == "DH") {
225 expected_keylength = minimum_dh_group_size();
226 } else if(algo_name == "ECDH" || algo_name == "Curve25519") {
227 expected_keylength = minimum_ecdh_group_size();
228 } else if(algo_name == "ECDSA") {
229 expected_keylength = minimum_ecdsa_group_size();
230 }
231 // else some other algo, so leave expected_keylength as zero and the check is a no-op
232
233 if(keylength < expected_keylength) {
234 throw TLS_Exception(Alert::InsufficientSecurity,
235 "Peer sent " + std::to_string(keylength) + " bit " + algo_name +
236 " key"
237 ", policy requires at least " +
238 std::to_string(expected_keylength));
239 }
240}
241
243 return 1;
244}
245
246std::chrono::seconds Policy::session_ticket_lifetime() const {
247 return std::chrono::days(1);
248}
249
251 return false;
252}
253
255 return 1;
256}
257
259#if defined(BOTAN_HAS_TLS_13)
260 if(version == Protocol_Version::TLS_V13 && allow_tls13()) {
261 return true;
262 }
263#endif
264
265#if defined(BOTAN_HAS_TLS_12)
266 if(version == Protocol_Version::TLS_V12 && allow_tls12()) {
267 return true;
268 }
269
270 if(version == Protocol_Version::DTLS_V12 && allow_dtls12()) {
271 return true;
272 }
273#endif
274
275 return false;
276}
277
279 if(datagram) {
280 if(acceptable_protocol_version(Protocol_Version::DTLS_V12)) {
281 return Protocol_Version::DTLS_V12;
282 }
283 throw Invalid_State("Policy forbids all available DTLS version");
284 } else {
285#if defined(BOTAN_HAS_TLS_13)
286 if(acceptable_protocol_version(Protocol_Version::TLS_V13)) {
287 return Protocol_Version::TLS_V13;
288 }
289#endif
290 if(acceptable_protocol_version(Protocol_Version::TLS_V12)) {
291 return Protocol_Version::TLS_V12;
292 }
293 throw Invalid_State("Policy forbids all available TLS version");
294 }
295}
296
297bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const {
298 return value_exists(allowed_ciphers(), ciphersuite.cipher_algo()) &&
299 value_exists(allowed_macs(), ciphersuite.mac_algo());
300}
301
303 return false;
304}
305
307 return false;
308}
309
311 return false;
312}
313
315#if defined(BOTAN_HAS_TLS_12)
316 return true;
317#else
318 return false;
319#endif
320}
321
323#if defined(BOTAN_HAS_TLS_13)
324 return true;
325#else
326 return false;
327#endif
328}
329
331#if defined(BOTAN_HAS_TLS_12)
332 return true;
333#else
334 return false;
335#endif
336}
337
339 return true;
340}
341
343 return false;
344}
345
347 return true;
348}
349
351 return true;
352}
353
354std::optional<uint16_t> Policy::record_size_limit() const {
355 return std::nullopt;
356}
357
359 return true;
360}
361
363 return true;
364}
365
367 return true;
368}
369
371 return true;
372}
373
375 return true;
376}
377
379 return false;
380}
381
385
387 return false;
388}
389
390std::vector<Certificate_Type> Policy::accepted_client_certificate_types() const {
391 return {Certificate_Type::X509};
392}
393
394std::vector<Certificate_Type> Policy::accepted_server_certificate_types() const {
395 return {Certificate_Type::X509};
396}
397
399 return false;
400}
401
403 return 0;
404}
405
406// 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
408 return 1 * 1000;
409}
410
412 return 60 * 1000;
413}
414
416 // default MTU is IPv6 min MTU minus UDP/IP headers
417 return 1280 - 40 - 8;
418}
419
420std::vector<uint16_t> Policy::srtp_profiles() const {
421 return std::vector<uint16_t>();
422}
423
424namespace {
425
426class Ciphersuite_Preference_Ordering final {
427 public:
428 Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
429 const std::vector<std::string>& macs,
430 const std::vector<std::string>& kex,
431 const std::vector<std::string>& sigs) :
432 m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
433
434 bool operator()(const Ciphersuite& a, const Ciphersuite& b) const {
435 if(a.kex_method() != b.kex_method()) {
436 for(const auto& i : m_kex) {
437 if(a.kex_algo() == i) {
438 return true;
439 }
440 if(b.kex_algo() == i) {
441 return false;
442 }
443 }
444 }
445
446 if(a.cipher_algo() != b.cipher_algo()) {
447 for(const auto& m_cipher : m_ciphers) {
448 if(a.cipher_algo() == m_cipher) {
449 return true;
450 }
451 if(b.cipher_algo() == m_cipher) {
452 return false;
453 }
454 }
455 }
456
457 if(a.cipher_keylen() != b.cipher_keylen()) {
458 if(a.cipher_keylen() < b.cipher_keylen()) {
459 return false;
460 }
461 if(a.cipher_keylen() > b.cipher_keylen()) {
462 return true;
463 }
464 }
465
466 if(a.auth_method() != b.auth_method()) {
467 for(const auto& m_sig : m_sigs) {
468 if(a.sig_algo() == m_sig) {
469 return true;
470 }
471 if(b.sig_algo() == m_sig) {
472 return false;
473 }
474 }
475 }
476
477 if(a.mac_algo() != b.mac_algo()) {
478 for(const auto& m_mac : m_macs) {
479 if(a.mac_algo() == m_mac) {
480 return true;
481 }
482 if(b.mac_algo() == m_mac) {
483 return false;
484 }
485 }
486 }
487
488 return false; // equal (?!?)
489 }
490
491 private:
492 std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
493};
494
495} // namespace
496
497std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version) const {
498 const std::vector<std::string> ciphers = allowed_ciphers();
499 const std::vector<std::string> macs = allowed_macs();
500 const std::vector<std::string> kex = allowed_key_exchange_methods();
501 const std::vector<std::string> sigs = allowed_signature_methods();
502
503 std::vector<Ciphersuite> ciphersuites;
504
505 for(auto&& suite : Ciphersuite::all_known_ciphersuites()) {
506 // Can we use it?
507 if(!suite.valid()) {
508 continue;
509 }
510
511 // Can we use it in this version?
512 if(!suite.usable_in_version(version)) {
513 continue;
514 }
515
516 // Is it acceptable to the policy?
517 if(!this->acceptable_ciphersuite(suite)) {
518 continue;
519 }
520
521 if(!value_exists(ciphers, suite.cipher_algo())) {
522 continue; // unsupported cipher
523 }
524
525 // these checks are irrelevant for TLS 1.3
526 // TODO: consider making a method for this logic
527 if(version.is_pre_tls_13()) {
528 if(!value_exists(kex, suite.kex_algo())) {
529 continue; // unsupported key exchange
530 }
531
532 if(!value_exists(macs, suite.mac_algo())) {
533 continue; // unsupported MAC algo
534 }
535
536 if(!value_exists(sigs, suite.sig_algo())) {
537 // allow if it's an empty sig algo and we want to use PSK
538 if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite()) {
539 continue;
540 }
541 }
542 }
543
544 // OK, consider it
545 ciphersuites.push_back(suite);
546 }
547
548 if(ciphersuites.empty()) {
549 throw Invalid_State("Policy does not allow any available cipher suite");
550 }
551
552 Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
553 std::sort(ciphersuites.begin(), ciphersuites.end(), order);
554
555 std::vector<uint16_t> ciphersuite_codes;
556 ciphersuite_codes.reserve(ciphersuites.size());
557 for(auto i : ciphersuites) {
558 ciphersuite_codes.push_back(i.ciphersuite_code());
559 }
560 return ciphersuite_codes;
561}
562
563namespace {
564
565void print_vec(std::ostream& o, const char* key, const std::vector<std::string>& v) {
566 o << key << " = ";
567 for(size_t i = 0; i != v.size(); ++i) {
568 o << v[i];
569 if(i != v.size() - 1) {
570 o << ' ';
571 }
572 }
573 o << '\n';
574}
575
576void print_vec(std::ostream& o, const char* key, const std::vector<Group_Params>& params) {
577 // first filter out any groups we don't have a name for:
578 std::vector<std::string> names;
579 for(auto p : params) {
580 if(auto name = p.to_string()) {
581 names.push_back(name.value());
582 }
583 }
584
585 o << key << " = ";
586
587 for(size_t i = 0; i != names.size(); ++i) {
588 o << names[i];
589 if(i != names.size() - 1) {
590 o << " ";
591 }
592 }
593 o << "\n";
594}
595
596void print_vec(std::ostream& o, const char* key, const std::vector<Certificate_Type>& types) {
597 o << key << " = ";
598 for(size_t i = 0; i != types.size(); ++i) {
599 o << certificate_type_to_string(types[i]);
600 if(i != types.size() - 1) {
601 o << ' ';
602 }
603 }
604 o << '\n';
605}
606
607void print_bool(std::ostream& o, const char* key, bool b) {
608 o << key << " = " << (b ? "true" : "false") << '\n';
609}
610
611} // namespace
612
613void Policy::print(std::ostream& o) const {
614 print_bool(o, "allow_tls12", allow_tls12());
615 print_bool(o, "allow_tls13", allow_tls13());
616 print_bool(o, "allow_dtls12", allow_dtls12());
617 print_vec(o, "ciphers", allowed_ciphers());
618 print_vec(o, "macs", allowed_macs());
619 print_vec(o, "signature_hashes", allowed_signature_hashes());
620 print_vec(o, "signature_methods", allowed_signature_methods());
621 print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
622 print_vec(o, "key_exchange_groups", key_exchange_groups());
623 const auto groups_to_offer = key_exchange_groups_to_offer();
624 if(groups_to_offer.empty()) {
625 print_vec(o, "key_exchange_groups_to_offer", {std::string("none")});
626 } else {
627 print_vec(o, "key_exchange_groups_to_offer", groups_to_offer);
628 }
629 print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
630 print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
631 print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
632 print_bool(o, "hide_unknown_users", hide_unknown_users());
633 print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
634 print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
635 print_bool(o, "support_cert_status_message", support_cert_status_message());
636 print_bool(o, "tls_13_middlebox_compatibility_mode", tls_13_middlebox_compatibility_mode());
637 print_vec(o, "accepted_client_certificate_types", accepted_client_certificate_types());
638 print_vec(o, "accepted_server_certificate_types", accepted_server_certificate_types());
639 print_bool(o, "hash_hello_random", hash_hello_random());
640 if(record_size_limit().has_value()) {
641 o << "record_size_limit = " << record_size_limit().value() << '\n';
642 }
643 o << "maximum_session_tickets_per_client_hello = " << maximum_session_tickets_per_client_hello() << '\n';
644 o << "session_ticket_lifetime = " << session_ticket_lifetime().count() << '\n';
645 o << "reuse_session_tickets = " << reuse_session_tickets() << '\n';
646 o << "new_session_tickets_upon_handshake_success = " << new_session_tickets_upon_handshake_success() << '\n';
647 o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
648 o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
649 o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
650 o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
651}
652
653std::string Policy::to_string() const {
654 std::ostringstream oss;
655 this->print(oss);
656 return oss.str();
657}
658
659std::vector<std::string> Strict_Policy::allowed_ciphers() const {
660 return {"ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM"};
661}
662
663std::vector<std::string> Strict_Policy::allowed_signature_hashes() const {
664 return {"SHA-512", "SHA-384"};
665}
666
667std::vector<std::string> Strict_Policy::allowed_macs() const {
668 return {"AEAD"};
669}
670
671std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const {
672 return {"ECDH"};
673}
674
675} // namespace Botan::TLS
virtual std::string algo_name() const =0
virtual size_t key_length() const =0
static const std::vector< Ciphersuite > & all_known_ciphersuites()
std::string mac_algo() const
std::string cipher_algo() const
virtual bool include_time_in_hello_random() const
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
virtual bool abort_connection_on_undesired_renegotiation() const
virtual size_t dtls_maximum_timeout() const
virtual size_t minimum_ecdh_group_size() const
virtual size_t dtls_default_mtu() const
virtual bool allow_tls12() const
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
std::string to_string() const
virtual bool reuse_session_tickets() const
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version) const
virtual std::vector< Certificate_Type > accepted_server_certificate_types() const
virtual std::vector< Certificate_Type > accepted_client_certificate_types() const
bool allowed_signature_method(std::string_view sig_method) const
virtual bool require_client_certificate_authentication() const
virtual std::vector< Group_Params > key_exchange_groups() const
virtual size_t new_session_tickets_upon_handshake_success() const
virtual std::vector< Group_Params > key_exchange_groups_to_offer() const
bool allowed_signature_hash(std::string_view hash) const
virtual size_t minimum_rsa_bits() const
virtual bool tls_13_middlebox_compatibility_mode() const
virtual bool only_resume_with_exact_version() const
virtual bool allow_client_initiated_renegotiation() const
virtual bool allow_dtls_epoch0_restart() const
virtual bool request_client_certificate_authentication() const
virtual bool require_cert_revocation_info() const
virtual bool negotiate_encrypt_then_mac() const
virtual bool server_uses_own_ciphersuite_preferences() const
virtual Protocol_Version latest_supported_version(bool datagram) const
virtual bool acceptable_protocol_version(Protocol_Version version) const
virtual std::vector< uint16_t > srtp_profiles() const
virtual bool support_cert_status_message() const
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
virtual std::vector< std::string > allowed_macs() const
virtual bool hide_unknown_users() const
virtual std::optional< std::vector< Signature_Scheme > > acceptable_certificate_signature_schemes() const
virtual bool hash_hello_random() const
virtual bool allow_tls13() const
virtual std::vector< std::string > allowed_key_exchange_methods() const
virtual size_t dtls_initial_timeout() const
virtual size_t maximum_session_tickets_per_client_hello() const
virtual std::vector< Signature_Scheme > acceptable_signature_schemes() const
virtual bool use_ecc_point_compression() const
virtual bool allow_dtls12() const
virtual size_t minimum_dh_group_size() const
virtual bool allow_insecure_renegotiation() const
virtual std::optional< uint16_t > record_size_limit() const
virtual std::vector< std::string > allowed_ciphers() const
virtual std::chrono::seconds session_ticket_lifetime() const
virtual size_t minimum_signature_strength() const
virtual Group_Params default_dh_group() const
virtual size_t maximum_certificate_chain_size() const
virtual std::vector< std::string > allowed_signature_methods() const
virtual size_t minimum_ecdsa_group_size() const
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &supported_by_peer, const std::vector< Group_Params > &offered_by_peer) const
virtual bool allow_resumption_for_renegotiation() const
virtual std::vector< std::string > allowed_signature_hashes() const
virtual bool allow_server_initiated_renegotiation() const
virtual void print(std::ostream &o) const
static const std::vector< Signature_Scheme > & all_available_schemes()
std::vector< std::string > allowed_macs() const override
std::vector< std::string > allowed_ciphers() const override
std::vector< std::string > allowed_key_exchange_methods() const override
std::vector< std::string > allowed_signature_hashes() const override
std::string name
int(* final)(unsigned char *, CTX *)
std::string certificate_type_to_string(Certificate_Type type)
bool value_exists(const std::vector< T > &vec, const OT &val)
Definition stl_util.h:117