author | Jack Lloyd <[email protected]> | 2016-11-02 13:52:20 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-11-02 13:52:20 -0400 |
commit | 4c972845183f4b640a44d9746d634e163173e18e (patch) | |
tree | 1f13aa6d98fe851b47843ee7fc4e49f0bbe9e944 | |
parent | 4a0d88a564e6c7218aa0cec4457d86862a2a2ac9 (diff) |
Change TLS default policy to disable DSA, CCM-8, and static RSA
Disables static RSA by default. The advantage here is twofold: enforcing forward
security and protecting TLS servers from oracle attacks since by default they
will never negotiate a suite which forces them to act as a decryption
oracle. Some applications/users may be forced to enable RSA in order to speak
with old or misconfigured peers, but these can be the exception not the default.
Disable DSA and CCM-8 by default: if you need to enable these things, you know it.
Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits.
Remove an incorrect warning about DTLS in the manual; the sequence number window
check prevents this scenario from occurring.
-rw-r--r-- | doc/manual/tls.rst | 78 | ||||
-rw-r--r-- | news.rst | 15 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 31 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.h | 12 |
4 files changed, 107 insertions, 29 deletions
diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst index 20546eb0b..24dc5093a 100644 --- a/doc/manual/tls.rst +++ b/doc/manual/tls.rst @@ -63,9 +63,8 @@ information about the connection. For TLS the record number will always increase. - For DTLS, it is possible to receive records with the `rec_no` field - field out of order or repeated. It is even possible (from a malicious or - faulty peer) to receive multiple copies of a single record with differing plaintexts. + For DTLS, it is possible to receive records with the `rec_no` field out of + order, or with gaps, cooresponding to reordered or lost datagrams. .. cpp:function:: void tls_alert(Alert alert) @@ -98,10 +97,17 @@ information about the connection. This callback is optional, and can be used to inspect all handshake messages while the session establishment occurs. - .. cpp:function:: void tls_log_debug(const char*) + .. cpp:function:: void tls_log_error(const char* msg) - This callback is for exerimental purposes and currently unused. It may be - removed or modified in a future release. + Optional logging for an error message. (Not currently used) + + .. cpp:function:: void tls_log_debug(const char* msg) + + Optional logging for an debug message. (Not currently used) + + .. cpp:function:: void tls_log_debug_bin(const char* descr, const uint8_t val[], size_t len) + + Optional logging for an debug value. (Not currently used) Versions from 1.11.0 to 1.11.30 did not have ``TLS::Callbacks`` and instead used independent std::functions to pass the various callback functions. 
@@ -514,14 +520,13 @@ policy settings from a file. authentication, sending data in cleartext) are also not supported by the implementation and cannot be negotiated. - Values without an explicit mode use old-style CBC with HMAC encryption. + Cipher names without an explicit mode refers to CBC+HMAC ciphersuites. Default value: "AES-256/GCM", "AES-128/GCM", "ChaCha20Poly1305", - "AES-256/CCM", "AES-128/CCM", "AES-256/CCM(8)", "AES-128/CCM(8)", - "AES-256", "AES-128" + "AES-256/CCM", "AES-128/CCM", "AES-256", "AES-128" - Also allowed: "Camellia-256/GCM", "Camellia-128/GCM", - "Camellia-256", "Camellia-128" + Also allowed: "AES-256/CCM(8)", "AES-128/CCM(8)", + "Camellia-256/GCM", "Camellia-128/GCM", "Camellia-256", "Camellia-128" Also allowed (though currently experimental): "AES-128/OCB(12)", "AES-256/OCB(12)" 
@@ -547,18 +552,32 @@ policy settings from a file. Returns the list of algorithms we are willing to use for message authentication, in order of preference. - Default: "AEAD", "SHA-384", "SHA-256", "SHA-1" + Default: "AEAD", "SHA-256", "SHA-384", "SHA-1" A plain hash function indicates HMAC - .. cpp:function:: std::vector<std::string> allowed_key_exchange_methods() const + .. note:: + + SHA-256 is preferred over SHA-384 in CBC mode because the + protections against the Lucky13 attack are somewhat more + effective for SHA-256 than SHA-384. + +.. cpp:function:: std::vector<std::string> allowed_key_exchange_methods() const Returns the list of key exchange methods we are willing to use, in order of preference. - Default: "ECDH", "DH", "RSA" + Default: "ECDH", "DH" + + Also allowed: "RSA", "SRP_SHA", "ECDHE_PSK", "DHE_PSK", "PSK" + + .. note:: - Also allowed: "SRP_SHA", "ECDHE_PSK", "DHE_PSK", "PSK" + Static RSA ciphersuites are disabled by default since 1.11.34. + In addition to not providing forward security, any server which is + willing to negotiate these ciphersuites exposes themselves to a variety + of chosen ciphertext oracle attacks which are all easily avoided by + signing (as in PFS) instead of decrypting. .. cpp:function:: std::vector<std::string> allowed_signature_hashes() const @@ -577,9 +596,9 @@ policy settings from a file. .. cpp:function:: std::vector<std::string> allowed_signature_methods() const - Default: "ECDSA", "RSA", "DSA" + Default: "ECDSA", "RSA" - Also allowed (disabled by default): "" (meaning anonymous) + Also allowed (disabled by default): "DSA", "" (empty string meaning anonymous) .. note:: @@ -614,7 +633,7 @@ policy settings from a file. .. note:: - TLS compression is not currently supported. + TLS data compression is not currently supported. .. cpp:function:: bool acceptable_protocol_version(Protocol_Version version) 
@@ -677,6 +696,29 @@ policy settings from a file. Default: 1024 bits +.. cpp:function:: size_t minimum_rsa_bits() const + + Minimum accepted RSA key size. Default 2048 bits. + +.. cpp:function:: size_t minimum_dsa_group_size() const + + Minimum accepted DSA key size. Default 2048 bits. + +.. cpp:function:: size_t minimum_ecdsa_group_size() const + + Minimum size for ECDSA keys (256 bits). + +.. cpp:function:: size_t minimum_ecdh_group_size() const + + Minimum size for ECDH keys (255 bits). + +.. cpp:function:: void check_peer_key_acceptable(const Public_Key& public_key) const + + Allows the policy to examine peer public keys. Throw an exception + if the key should be rejected. Default implementation checks + against policy values `minimum_dh_group_size`, `minimum_rsa_bits`, + `minimum_ecdsa_group_size`, and `minimum_ecdh_group_size`. + .. cpp:function:: bool hide_unknown_users() const The SRP and PSK suites work using an identifier along with a @@ -17,6 +17,21 @@ Version 1.11.34, Not Yet Released * Salsa20 now accepts a null IV as equivalent to an all-zero one (GH #697) +* Optimize ECKCDSA verification (GH #700 #701 #702) + +* A plain sockets version of the HTTP client has been added, so OCSP + checks occur even in non-Boost builds. + +* The default TLS policy now disables static RSA ciphersuites, all DSA ciphersuites, + and the AES CCM-8 ciphersuites. + + Disabling static RSA by default protects servers from oracle attacks, + as well as enforcing a forward secure ciphersuite. Some applications + may be forced to re-enable RSA to interop with old or misconfigured peers. + + DSA and CCM-8 are rarely used, and likely should not be negotiated + outside of special circumstances. + * The deprecated RNGs HMAC_RNG and X9.31 RNG have been removed. Now the only userspace PRNG included in the library is HMAC_DRBG. (GH #692) diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 6ee1e0eac..3ed02f4c5 100644 --- a/src/lib/tls/tls_policy.cpp 
+++ b/src/lib/tls/tls_policy.cpp @@ -26,8 +26,8 @@ std::vector<std::string> Policy::allowed_ciphers() const "ChaCha20Poly1305", "AES-256/CCM", "AES-128/CCM", - "AES-256/CCM(8)", - "AES-128/CCM(8)", + //"AES-256/CCM(8)", + //"AES-128/CCM(8)", //"Camellia-256/GCM", //"Camellia-128/GCM", "AES-256", @@ -51,10 +51,15 @@ std::vector<std::string> Policy::allowed_signature_hashes() const std::vector<std::string> Policy::allowed_macs() const { + /* + SHA-256 is preferred because the Lucky13 countermeasure works + somewhat better for SHA-256 vs SHA-384: + https://github.com/randombit/botan/pull/675 + */ return { "AEAD", - "SHA-384", "SHA-256", + "SHA-384", "SHA-1", }; } @@ -68,7 +73,7 @@ std::vector<std::string> Policy::allowed_key_exchange_methods() const //"PSK", "ECDH", "DH", - "RSA", + //"RSA", }; } @@ -77,7 +82,7 @@ std::vector<std::string> Policy::allowed_signature_methods() const return { "ECDSA", "RSA", - "DSA", + //"DSA", //"" (anon) }; } @@ -144,8 +149,8 @@ size_t Policy::minimum_ecdsa_group_size() const size_t Policy::minimum_ecdh_group_size() const { - // P-256 is smallest curve currently supplrted for TLS key exchange (after 1.11.29) - return 256; + // x25519 is smallest curve currently supported for TLS key exchange + return 255; } size_t Policy::minimum_rsa_bits() const @@ -160,6 +165,12 @@ size_t Policy::minimum_rsa_bits() const return 2048; } +size_t Policy::minimum_dsa_group_size() const + { + // FIPS 186-3 + return 2048; + } + void Policy::check_peer_key_acceptable(const Public_Key& public_key) const { const std::string algo_name = public_key.algo_name(); @@ -177,7 +188,11 @@ void Policy::check_peer_key_acceptable(const Public_Key& public_key) const { expected_keylength = minimum_dh_group_size(); } - else if(algo_name == "ECDH") + else if(algo_name == "DSA") + { + expected_keylength = minimum_dsa_group_size(); + } + else if(algo_name == "ECDH" || algo_name == "Curve25519") { expected_keylength = minimum_ecdh_group_size(); } 
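Review bot: The `return 255;` in `minimum_ecdh_group_size` admits x25519 purely by bit count, and the comment does not say so; a Policy subclass that still returns 256 (the old default, whose comment read "P-256 is the smallest curve") will now silently refuse x25519 exchanges, which is worth stating where the number is chosen. I would extend the comment to `// x25519 (255 bits) is the smallest curve currently supported for TLS key exchange; overriding this to 256 or more excludes it`. Whether a Curve25519 public key actually reports 255 from key_length() is not visible in this diff, which matters now that check_peer_key_acceptable routes "Curve25519" keys through this threshold.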
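Review bot: `minimum_dsa_group_size` is documented only as `// FIPS 186-3`, which does not say which DSA parameter 2048 bounds; in `check_peer_key_acceptable` it is compared against whatever the DSA key reports as its length, presumably the modulus p, so the subgroup order q does not appear to be constrained by this check — confirm against the DSA key's `key_length()`. I would write `// FIPS 186-3: minimum modulus (p) size; q is not checked here` so a reader does not assume both parameters are enforced. The check is still useful even though DSA signatures are now disabled by default, since it protects policies that re-enable them. The remainder of check_peer_key_acceptable lies outside this hunk.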
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index f387361f6..efef7e1f7 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -151,11 +151,12 @@ class BOTAN_DLL Policy * Return the minimum ECDH group size we're willing to use * for key exchange * - * Default 256, allowing P-256 and larger - * P-256 is the smallest curve we will negotiate + * Default 255, allowing x25519 and larger + * x25519 is the smallest curve we will negotiate + * P-521 is the largest */ virtual size_t minimum_ecdh_group_size() const; - + /** * Return the minimum bit size we're willing to accept for RSA * key exchange or server signatures. @@ -170,6 +171,11 @@ class BOTAN_DLL Policy virtual size_t minimum_rsa_bits() const; /** + * Minimum DSA group size, default 2048 bits + */ + virtual size_t minimum_dsa_group_size() const; + + /** * Throw an exception if you don't like the peer's key. * Default impl checks the key size against minimum_rsa_bits, minimum_ecdsa_group_size, * or minimum_ecdh_group_size depending on the key's type. |
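Review bot: The doc comment on `check_peer_key_acceptable` at the end of the hunk is now stale: it lists only minimum_rsa_bits, minimum_ecdsa_group_size and minimum_ecdh_group_size, but the implementation in tls_policy.cpp also consults `minimum_dh_group_size` and, with this commit, the new `minimum_dsa_group_size`. I would change the two lines to ` * Default impl checks the key size against minimum_rsa_bits, minimum_dsa_group_size, minimum_dh_group_size,` / ` * minimum_ecdsa_group_size, or minimum_ecdh_group_size depending on the key's type.` The new declaration's own comment could also say what "group size" means, e.g. ` * Minimum DSA group (modulus p) size, default 2048 bits` — assuming key_length() reports p, which the diff does not show.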