Botan  2.1.0
Crypto and TLS for C++11
tls_policy.cpp
Go to the documentation of this file.
1 /*
2 * Policies for TLS
3 * (C) 2004-2010,2012,2015,2016 Jack Lloyd
4 * 2016 Christian Mainka
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/tls_policy.h>
10 #include <botan/tls_ciphersuite.h>
11 #include <botan/tls_magic.h>
12 #include <botan/tls_exceptn.h>
13 #include <botan/internal/stl_util.h>
14 
15 namespace Botan {
16 
17 namespace TLS {
18 
19 std::vector<std::string> Policy::allowed_ciphers() const
20  {
21  return {
22  //"AES-256/OCB(12)",
23  //"AES-128/OCB(12)",
24  "ChaCha20Poly1305",
25  "AES-256/GCM",
26  "AES-128/GCM",
27  "AES-256/CCM",
28  "AES-128/CCM",
29  //"AES-256/CCM(8)",
30  //"AES-128/CCM(8)",
31  //"Camellia-256/GCM",
32  //"Camellia-128/GCM",
33  "AES-256",
34  "AES-128",
35  //"Camellia-256",
36  //"Camellia-128",
37  //"SEED"
38  //"3DES",
39  };
40  }
41 
42 std::vector<std::string> Policy::allowed_signature_hashes() const
43  {
44  return {
45  "SHA-512",
46  "SHA-384",
47  "SHA-256",
48  //"SHA-1",
49  };
50  }
51 
52 std::vector<std::string> Policy::allowed_macs() const
53  {
54  /*
55  SHA-256 is preferred because the Lucky13 countermeasure works
56  somewhat better for SHA-256 vs SHA-384:
57  https://github.com/randombit/botan/pull/675
58  */
59  return {
60  "AEAD",
61  "SHA-256",
62  "SHA-384",
63  "SHA-1",
64  };
65  }
66 
67 std::vector<std::string> Policy::allowed_key_exchange_methods() const
68  {
69  return {
70  //"SRP_SHA",
71  //"ECDHE_PSK",
72  //"DHE_PSK",
73  //"PSK",
74  "CECPQ1",
75  "ECDH",
76  "DH",
77  //"RSA",
78  };
79  }
80 
81 std::vector<std::string> Policy::allowed_signature_methods() const
82  {
83  return {
84  "ECDSA",
85  "RSA",
86  //"DSA",
87  //"" (anon)
88  };
89  }
90 
91 bool Policy::allowed_signature_method(const std::string& sig_method) const
92  {
93  return value_exists(allowed_signature_methods(), sig_method);
94  }
95 
96 std::vector<std::string> Policy::allowed_ecc_curves() const
97  {
98  // Default list is ordered by performance
99 
100  return {
101  "x25519",
102  "secp256r1",
103  "secp521r1",
104  "secp384r1",
105  "brainpool256r1",
106  "brainpool384r1",
107  "brainpool512r1",
108  };
109  }
110 
111 bool Policy::allowed_ecc_curve(const std::string& curve) const
112  {
113  return value_exists(allowed_ecc_curves(), curve);
114  }
115 
117  {
118  return false;
119  }
120 
121 /*
122 * Choose an ECC curve to use
123 */
124 std::string Policy::choose_curve(const std::vector<std::string>& curve_names) const
125  {
126  const std::vector<std::string> our_curves = allowed_ecc_curves();
127 
128  for(size_t i = 0; i != our_curves.size(); ++i)
129  if(value_exists(curve_names, our_curves[i]))
130  return our_curves[i];
131 
132  return ""; // no shared curve
133  }
134 
135 std::string Policy::dh_group() const
136  {
137  // We offer 2048 bit DH because we can
138  return "modp/ietf/2048";
139  }
140 
142  {
143  return 2048;
144  }
145 
147  {
148  // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
149  return 256;
150  }
151 
153  {
154  // x25519 is smallest curve currently supported for TLS key exchange
155  return 255;
156  }
157 
159  {
160  return 110;
161  }
162 
164  {
165  return true;
166  }
167 
169  {
170  /* Default assumption is all end-entity certificates should
171  be at least 2048 bits these days.
172 
173  If you are connecting to arbitrary servers on the Internet
174  (ie as a web browser or SMTP client) you'll probably have to reduce this
175  to 1024 bits, or perhaps even lower.
176  */
177  return 2048;
178  }
179 
181  {
182  // FIPS 186-3
183  return 2048;
184  }
185 
186 void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
187  {
188  const std::string algo_name = public_key.algo_name();
189 
190  const size_t keylength = public_key.key_length();
191  size_t expected_keylength = 0;
192 
193  if(algo_name == "RSA")
194  {
195  expected_keylength = minimum_rsa_bits();
196  }
197  else if(algo_name == "DH")
198  {
199  expected_keylength = minimum_dh_group_size();
200  }
201  else if(algo_name == "DSA")
202  {
203  expected_keylength = minimum_dsa_group_size();
204  }
205  else if(algo_name == "ECDH" || algo_name == "Curve25519")
206  {
207  expected_keylength = minimum_ecdh_group_size();
208  }
209  else if(algo_name == "ECDSA")
210  {
211  expected_keylength = minimum_ecdsa_group_size();
212  }
213  // else some other algo, so leave expected_keylength as zero and the check is a no-op
214 
215  if(keylength < expected_keylength)
217  "Peer sent " +
218  std::to_string(keylength) + " bit " + algo_name + " key"
219  ", policy requires at least " +
220  std::to_string(expected_keylength));
221  }
222 
223 /*
224 * Return allowed compression algorithms
225 */
226 std::vector<uint8_t> Policy::compression() const
227  {
228  return std::vector<uint8_t>{ NO_COMPRESSION };
229  }
230 
232  {
233  return 86400; // ~1 day
234  }
235 
237  {
238  return version != latest_supported_version(version.is_datagram_protocol());
239  }
240 
242  {
243  // Uses boolean optimization:
244  // First check the current version (left part), then if it is allowed
245  // (right part)
246  // checks are ordered according to their probability
247  return (
248  ( ( version == Protocol_Version::TLS_V12) && allow_tls12() ) ||
249  ( ( version == Protocol_Version::TLS_V10) && allow_tls10() ) ||
250  ( ( version == Protocol_Version::TLS_V11) && allow_tls11() ) ||
251  ( ( version == Protocol_Version::DTLS_V12) && allow_dtls12() ) ||
252  ( ( version == Protocol_Version::DTLS_V10) && allow_dtls10() )
253  );
254  }
255 
257  {
258  if(datagram)
260  else
262  }
263 
265  {
266  return true;
267  }
268 
269 bool Policy::allow_server_initiated_renegotiation() const { return false; }
270 bool Policy::allow_insecure_renegotiation() const { return false; }
271 bool Policy::allow_tls10() const { return true; }
272 bool Policy::allow_tls11() const { return true; }
273 bool Policy::allow_tls12() const { return true; }
274 bool Policy::allow_dtls10() const { return false; }
275 bool Policy::allow_dtls12() const { return true; }
276 bool Policy::include_time_in_hello_random() const { return true; }
277 bool Policy::hide_unknown_users() const { return false; }
279 bool Policy::negotiate_encrypt_then_mac() const { return true; }
280 
281 // 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
282 size_t Policy::dtls_initial_timeout() const { return 1*1000; }
283 size_t Policy::dtls_maximum_timeout() const { return 60*1000; }
284 
286  {
287  // default MTU is IPv6 min MTU minus UDP/IP headers
288  return 1280 - 40 - 8;
289  }
290 
291 std::vector<uint16_t> Policy::srtp_profiles() const
292  {
293  return std::vector<uint16_t>();
294  }
295 
296 namespace {
297 
298 class Ciphersuite_Preference_Ordering
299  {
300  public:
301  Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
302  const std::vector<std::string>& macs,
303  const std::vector<std::string>& kex,
304  const std::vector<std::string>& sigs) :
305  m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
306 
307  bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
308  {
309  if(a.kex_algo() != b.kex_algo())
310  {
311  for(size_t i = 0; i != m_kex.size(); ++i)
312  {
313  if(a.kex_algo() == m_kex[i])
314  return true;
315  if(b.kex_algo() == m_kex[i])
316  return false;
317  }
318  }
319 
320  if(a.cipher_algo() != b.cipher_algo())
321  {
322  for(size_t i = 0; i != m_ciphers.size(); ++i)
323  {
324  if(a.cipher_algo() == m_ciphers[i])
325  return true;
326  if(b.cipher_algo() == m_ciphers[i])
327  return false;
328  }
329  }
330 
331  if(a.cipher_keylen() != b.cipher_keylen())
332  {
333  if(a.cipher_keylen() < b.cipher_keylen())
334  return false;
335  if(a.cipher_keylen() > b.cipher_keylen())
336  return true;
337  }
338 
339  if(a.sig_algo() != b.sig_algo())
340  {
341  for(size_t i = 0; i != m_sigs.size(); ++i)
342  {
343  if(a.sig_algo() == m_sigs[i])
344  return true;
345  if(b.sig_algo() == m_sigs[i])
346  return false;
347  }
348  }
349 
350  if(a.mac_algo() != b.mac_algo())
351  {
352  for(size_t i = 0; i != m_macs.size(); ++i)
353  {
354  if(a.mac_algo() == m_macs[i])
355  return true;
356  if(b.mac_algo() == m_macs[i])
357  return false;
358  }
359  }
360 
361  return false; // equal (?!?)
362  }
363  private:
364  std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
365  };
366 
367 }
368 
369 std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
370  bool have_srp) const
371  {
372  const std::vector<std::string> ciphers = allowed_ciphers();
373  const std::vector<std::string> macs = allowed_macs();
374  const std::vector<std::string> kex = allowed_key_exchange_methods();
375  const std::vector<std::string> sigs = allowed_signature_methods();
376 
377  std::vector<Ciphersuite> ciphersuites;
378 
379  for(auto&& suite : Ciphersuite::all_known_ciphersuites())
380  {
381  // Can we use it?
382  if(suite.valid() == false)
383  continue;
384 
385  // Is it acceptable to the policy?
386  if(!this->acceptable_ciphersuite(suite))
387  continue;
388 
389  // Are we doing SRP?
390  if(!have_srp && suite.kex_algo() == "SRP_SHA")
391  continue;
392 
393  if(!version.supports_aead_modes())
394  {
395  // Are we doing AEAD in a non-AEAD version?
396  if(suite.mac_algo() == "AEAD")
397  continue;
398 
399  // Older (v1.0/v1.1) versions also do not support any hash but SHA-1
400  if(suite.mac_algo() != "SHA-1")
401  continue;
402  }
403 
404  if(!value_exists(kex, suite.kex_algo()))
405  continue; // unsupported key exchange
406 
407  if(!value_exists(ciphers, suite.cipher_algo()))
408  continue; // unsupported cipher
409 
410  if(!value_exists(macs, suite.mac_algo()))
411  continue; // unsupported MAC algo
412 
413  if(!value_exists(sigs, suite.sig_algo()))
414  {
415  // allow if it's an empty sig algo and we want to use PSK
416  if(suite.sig_algo() != "" || !suite.psk_ciphersuite())
417  continue;
418  }
419 
420  /*
421  CECPQ1 always uses x25519 for ECDH, so treat the applications
422  removal of x25519 from the ECC curve list as equivalent to
423  saying they do not trust CECPQ1
424  */
425  if(suite.kex_algo() == "CECPQ1" && allowed_ecc_curve("x25519") == false)
426  continue;
427 
428  // OK, consider it
429  ciphersuites.push_back(suite);
430  }
431 
432  if(ciphersuites.empty())
433  {
434  throw Exception("Policy does not allow any available cipher suite");
435  }
436 
437  Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
438  std::sort(ciphersuites.begin(), ciphersuites.end(), order);
439 
440  std::vector<uint16_t> ciphersuite_codes;
441  for(auto i : ciphersuites)
442  ciphersuite_codes.push_back(i.ciphersuite_code());
443  return ciphersuite_codes;
444  }
445 
446 namespace {
447 
448 void print_vec(std::ostream& o,
449  const char* key,
450  const std::vector<std::string>& v)
451  {
452  o << key << " = ";
453  for(size_t i = 0; i != v.size(); ++i)
454  {
455  o << v[i];
456  if(i != v.size() - 1)
457  o << ' ';
458  }
459  o << '\n';
460  }
461 
462 void print_bool(std::ostream& o,
463  const char* key, bool b)
464  {
465  o << key << " = " << (b ? "true" : "false") << '\n';
466  }
467 
468 }
469 
470 void Policy::print(std::ostream& o) const
471  {
472  print_bool(o, "allow_tls10", allow_tls10());
473  print_bool(o, "allow_tls11", allow_tls11());
474  print_bool(o, "allow_tls12", allow_tls12());
475  print_bool(o, "allow_dtls10", allow_dtls10());
476  print_bool(o, "allow_dtls12", allow_dtls12());
477  print_vec(o, "ciphers", allowed_ciphers());
478  print_vec(o, "macs", allowed_macs());
479  print_vec(o, "signature_hashes", allowed_signature_hashes());
480  print_vec(o, "signature_methods", allowed_signature_methods());
481  print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
482  print_vec(o, "ecc_curves", allowed_ecc_curves());
483 
484  print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
485  print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
486  print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
487  print_bool(o, "hide_unknown_users", hide_unknown_users());
488  print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
489  print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
490  o << "session_ticket_lifetime = " << session_ticket_lifetime() << '\n';
491  o << "dh_group = " << dh_group() << '\n';
492  o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
493  o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
494  o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
495  o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
496  }
497 
498 std::string Policy::to_string() const
499  {
500  std::ostringstream oss;
501  this->print(oss);
502  return oss.str();
503  }
504 
505 std::vector<std::string> Strict_Policy::allowed_ciphers() const
506  {
507  return { "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" };
508  }
509 
510 std::vector<std::string> Strict_Policy::allowed_signature_hashes() const
511  {
512  return { "SHA-512", "SHA-384"};
513  }
514 
515 std::vector<std::string> Strict_Policy::allowed_macs() const
516  {
517  return { "AEAD" };
518  }
519 
520 std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const
521  {
522  return { "CECPQ1", "ECDH" };
523  }
524 
525 bool Strict_Policy::allow_tls10() const { return false; }
526 bool Strict_Policy::allow_tls11() const { return false; }
527 bool Strict_Policy::allow_tls12() const { return true; }
528 bool Strict_Policy::allow_dtls10() const { return false; }
529 bool Strict_Policy::allow_dtls12() const { return true; }
530 
531 }
532 
533 }
virtual std::vector< std::string > allowed_ciphers() const
Definition: tls_policy.cpp:19
virtual size_t minimum_dh_group_size() const
Definition: tls_policy.cpp:141
virtual void print(std::ostream &o) const
Definition: tls_policy.cpp:470
virtual bool allow_insecure_renegotiation() const
Definition: tls_policy.cpp:270
static Protocol_Version latest_dtls_version()
Definition: tls_version.h:44
virtual std::vector< std::string > allowed_ecc_curves() const
Definition: tls_policy.cpp:96
std::vector< std::string > m_sigs
Definition: tls_policy.cpp:364
virtual bool require_cert_revocation_info() const
Definition: tls_policy.cpp:163
std::string to_string() const
Definition: tls_policy.cpp:498
virtual bool send_fallback_scsv(Protocol_Version version) const
Definition: tls_policy.cpp:236
virtual std::vector< uint16_t > srtp_profiles() const
Definition: tls_policy.cpp:291
virtual std::vector< std::string > allowed_signature_methods() const
Definition: tls_policy.cpp:81
bool allow_dtls10() const override
Definition: tls_policy.cpp:528
std::vector< std::string > m_macs
Definition: tls_policy.cpp:364
bool allow_tls11() const override
Definition: tls_policy.cpp:526
virtual bool server_uses_own_ciphersuite_preferences() const
Definition: tls_policy.cpp:278
bool allowed_signature_method(const std::string &sig_method) const
Definition: tls_policy.cpp:91
bool allow_dtls12() const override
Definition: tls_policy.cpp:529
virtual std::vector< uint8_t > compression() const
Definition: tls_policy.cpp:226
virtual std::string algo_name() const =0
static Protocol_Version latest_tls_version()
Definition: tls_version.h:36
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:47
virtual size_t minimum_ecdh_group_size() const
Definition: tls_policy.cpp:152
virtual size_t minimum_dsa_group_size() const
Definition: tls_policy.cpp:180
std::vector< std::string > m_ciphers
Definition: tls_policy.cpp:364
virtual bool hide_unknown_users() const
Definition: tls_policy.cpp:277
virtual std::string choose_curve(const std::vector< std::string > &curve_names) const
Definition: tls_policy.cpp:124
bool allow_tls12() const override
Definition: tls_policy.cpp:527
std::vector< std::string > allowed_signature_hashes() const override
Definition: tls_policy.cpp:510
bool allowed_ecc_curve(const std::string &curve) const
Definition: tls_policy.cpp:111
virtual std::string dh_group() const
Definition: tls_policy.cpp:135
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version, bool have_srp) const
Definition: tls_policy.cpp:369
virtual bool allow_server_initiated_renegotiation() const
Definition: tls_policy.cpp:269
virtual size_t minimum_ecdsa_group_size() const
Definition: tls_policy.cpp:146
virtual size_t key_length() const =0
virtual std::vector< std::string > allowed_signature_hashes() const
Definition: tls_policy.cpp:42
virtual size_t minimum_rsa_bits() const
Definition: tls_policy.cpp:168
virtual size_t dtls_initial_timeout() const
Definition: tls_policy.cpp:282
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition: tls_policy.cpp:241
std::vector< std::string > allowed_macs() const override
Definition: tls_policy.cpp:515
Definition: alg_id.cpp:13
virtual size_t dtls_maximum_timeout() const
Definition: tls_policy.cpp:283
virtual bool use_ecc_point_compression() const
Definition: tls_policy.cpp:116
std::vector< std::string > allowed_key_exchange_methods() const override
Definition: tls_policy.cpp:520
virtual size_t dtls_default_mtu() const
Definition: tls_policy.cpp:285
virtual uint32_t session_ticket_lifetime() const
Definition: tls_policy.cpp:231
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
virtual bool allow_tls10() const
Definition: tls_policy.cpp:271
std::vector< std::string > m_kex
Definition: tls_policy.cpp:364
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
Definition: tls_policy.cpp:186
virtual size_t minimum_signature_strength() const
Definition: tls_policy.cpp:158
bool supports_aead_modes() const
Definition: tls_version.cpp:81
virtual bool allow_dtls12() const
Definition: tls_policy.cpp:275
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
Definition: tls_policy.cpp:264
virtual bool allow_dtls10() const
Definition: tls_policy.cpp:274
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition: tls_policy.cpp:256
virtual bool include_time_in_hello_random() const
Definition: tls_policy.cpp:276
std::vector< std::string > allowed_ciphers() const override
Definition: tls_policy.cpp:505
virtual std::vector< std::string > allowed_key_exchange_methods() const
Definition: tls_policy.cpp:67
bool allow_tls10() const override
Definition: tls_policy.cpp:525
bool is_datagram_protocol() const
Definition: tls_version.cpp:34
static const std::vector< Ciphersuite > & all_known_ciphersuites()
virtual bool allow_tls11() const
Definition: tls_policy.cpp:272
virtual std::vector< std::string > allowed_macs() const
Definition: tls_policy.cpp:52
virtual bool negotiate_encrypt_then_mac() const
Definition: tls_policy.cpp:279
virtual bool allow_tls12() const
Definition: tls_policy.cpp:273