authorJack Lloyd <[email protected]>2016-11-02 13:52:20 -0400
committerJack Lloyd <[email protected]>2016-11-02 13:52:20 -0400
commit4c972845183f4b640a44d9746d634e163173e18e (patch)
tree1f13aa6d98fe851b47843ee7fc4e49f0bbe9e944
parent4a0d88a564e6c7218aa0cec4457d86862a2a2ac9 (diff)
Change TLS default policy to disable DSA, CCM-8, and static RSA
Disables static RSA by default. The advantage here is twofold: enforcing forward security and protecting TLS servers from oracle attacks since by default they will never negotiate a suite which forces them to act as a decryption oracle. Some applications/users may be forced to enable RSA in order to speak with old or misconfigured peers, but these can be the exception not the default. Disable DSA and CCM-8 by default: if you need to enable these things, you know it. Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits. Remove an incorrect warning about DTLS in the manual; the sequence number window check prevents this scenario from occurring.
-rw-r--r--doc/manual/tls.rst78
-rw-r--r--news.rst15
-rw-r--r--src/lib/tls/tls_policy.cpp31
-rw-r--r--src/lib/tls/tls_policy.h12
4 files changed, 107 insertions, 29 deletions
diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst
index 20546eb0b..24dc5093a 100644
--- a/doc/manual/tls.rst
+++ b/doc/manual/tls.rst
@@ -63,9 +63,8 @@ information about the connection.
For TLS the record number will always increase.
- For DTLS, it is possible to receive records with the `rec_no` field
- field out of order or repeated. It is even possible (from a malicious or
- faulty peer) to receive multiple copies of a single record with differing plaintexts.
+ For DTLS, it is possible to receive records with the `rec_no` field out of
+ order, or with gaps, cooresponding to reordered or lost datagrams.
.. cpp:function:: void tls_alert(Alert alert)
@@ -98,10 +97,17 @@ information about the connection.
This callback is optional, and can be used to inspect all handshake messages
while the session establishment occurs.
- .. cpp:function:: void tls_log_debug(const char*)
+ .. cpp:function:: void tls_log_error(const char* msg)
- This callback is for exerimental purposes and currently unused. It may be
- removed or modified in a future release.
+ Optional logging for an error message. (Not currently used)
+
+ .. cpp:function:: void tls_log_debug(const char* msg)
+
+ Optional logging for an debug message. (Not currently used)
+
+ .. cpp:function:: void tls_log_debug_bin(const char* descr, const uint8_t val[], size_t len)
+
+ Optional logging for an debug value. (Not currently used)
Versions from 1.11.0 to 1.11.30 did not have ``TLS::Callbacks`` and instead
used independent std::functions to pass the various callback functions.
@@ -514,14 +520,13 @@ policy settings from a file.
authentication, sending data in cleartext) are also not supported
by the implementation and cannot be negotiated.
- Values without an explicit mode use old-style CBC with HMAC encryption.
+ Cipher names without an explicit mode refers to CBC+HMAC ciphersuites.
Default value: "AES-256/GCM", "AES-128/GCM", "ChaCha20Poly1305",
- "AES-256/CCM", "AES-128/CCM", "AES-256/CCM(8)", "AES-128/CCM(8)",
- "AES-256", "AES-128"
+ "AES-256/CCM", "AES-128/CCM", "AES-256", "AES-128"
- Also allowed: "Camellia-256/GCM", "Camellia-128/GCM",
- "Camellia-256", "Camellia-128"
+ Also allowed: "AES-256/CCM(8)", "AES-128/CCM(8)",
+ "Camellia-256/GCM", "Camellia-128/GCM", "Camellia-256", "Camellia-128"
Also allowed (though currently experimental): "AES-128/OCB(12)",
"AES-256/OCB(12)"
@@ -547,18 +552,32 @@ policy settings from a file.
Returns the list of algorithms we are willing to use for
message authentication, in order of preference.
- Default: "AEAD", "SHA-384", "SHA-256", "SHA-1"
+ Default: "AEAD", "SHA-256", "SHA-384", "SHA-1"
A plain hash function indicates HMAC
- .. cpp:function:: std::vector<std::string> allowed_key_exchange_methods() const
+ .. note::
+
+ SHA-256 is preferred over SHA-384 in CBC mode because the
+ protections against the Lucky13 attack are somewhat more
+ effective for SHA-256 than SHA-384.
+
+.. cpp:function:: std::vector<std::string> allowed_key_exchange_methods() const
Returns the list of key exchange methods we are willing to use,
in order of preference.
- Default: "ECDH", "DH", "RSA"
+ Default: "ECDH", "DH"
+
+ Also allowed: "RSA", "SRP_SHA", "ECDHE_PSK", "DHE_PSK", "PSK"
+
+ .. note::
- Also allowed: "SRP_SHA", "ECDHE_PSK", "DHE_PSK", "PSK"
+ Static RSA ciphersuites are disabled by default since 1.11.34.
+ In addition to not providing forward security, any server which is
+ willing to negotiate these ciphersuites exposes themselves to a variety
+ of chosen ciphertext oracle attacks which are all easily avoided by
+ signing (as in PFS) instead of decrypting.
.. cpp:function:: std::vector<std::string> allowed_signature_hashes() const
@@ -577,9 +596,9 @@ policy settings from a file.
.. cpp:function:: std::vector<std::string> allowed_signature_methods() const
- Default: "ECDSA", "RSA", "DSA"
+ Default: "ECDSA", "RSA"
- Also allowed (disabled by default): "" (meaning anonymous)
+ Also allowed (disabled by default): "DSA", "" (empty string meaning anonymous)
.. note::
@@ -614,7 +633,7 @@ policy settings from a file.
.. note::
- TLS compression is not currently supported.
+ TLS data compression is not currently supported.
.. cpp:function:: bool acceptable_protocol_version(Protocol_Version version)
@@ -677,6 +696,29 @@ policy settings from a file.
Default: 1024 bits
+.. cpp:function:: size_t minimum_rsa_bits() const
+
+ Minimum accepted RSA key size. Default 2048 bits.
+
+.. cpp:function:: size_t minimum_dsa_group_size() const
+
+ Minimum accepted DSA key size. Default 2048 bits.
+
+.. cpp:function:: size_t minimum_ecdsa_group_size() const
+
+ Minimum size for ECDSA keys (256 bits).
+
+.. cpp:function:: size_t minimum_ecdh_group_size() const
+
+ Minimum size for ECDH keys (255 bits).
+
+.. cpp:function:: void check_peer_key_acceptable(const Public_Key& public_key) const
+
+ Allows the policy to examine peer public keys. Throw an exception
+ if the key should be rejected. Default implementation checks
+ against policy values `minimum_dh_group_size`, `minimum_rsa_bits`,
+ `minimum_ecdsa_group_size`, and `minimum_ecdh_group_size`.
+
.. cpp:function:: bool hide_unknown_users() const
The SRP and PSK suites work using an identifier along with a
diff --git a/news.rst b/news.rst
index 2055485ef..4d37c84ed 100644
--- a/news.rst
+++ b/news.rst
@@ -17,6 +17,21 @@ Version 1.11.34, Not Yet Released
* Salsa20 now accepts a null IV as equivalent to an all-zero one (GH #697)
+* Optimize ECKCDSA verification (GH #700 #701 #702)
+
+* A plain sockets version of the HTTP client has been added, so OCSP
+ checks occur even in non-Boost builds.
+
+* The default TLS policy now disables static RSA ciphersuites, all DSA ciphersuites,
+ and the AES CCM-8 ciphersuites.
+
+ Disabling static RSA by default protects servers from oracle attacks,
+ as well as enforcing a forward secure ciphersuite. Some applications
+ may be forced to re-enable RSA to interop with old or misconfigured peers.
+
+ DSA and CCM-8 are rarely used, and likely should not be negotiated
+ outside of special circumstances.
+
* The deprecated RNGs HMAC_RNG and X9.31 RNG have been removed. Now the only
userspace PRNG included in the library is HMAC_DRBG. (GH #692)
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 6ee1e0eac..3ed02f4c5 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -26,8 +26,8 @@ std::vector<std::string> Policy::allowed_ciphers() const
"ChaCha20Poly1305",
"AES-256/CCM",
"AES-128/CCM",
- "AES-256/CCM(8)",
- "AES-128/CCM(8)",
+ //"AES-256/CCM(8)",
+ //"AES-128/CCM(8)",
//"Camellia-256/GCM",
//"Camellia-128/GCM",
"AES-256",
@@ -51,10 +51,15 @@ std::vector<std::string> Policy::allowed_signature_hashes() const
std::vector<std::string> Policy::allowed_macs() const
{
+ /*
+ SHA-256 is preferred because the Lucky13 countermeasure works
+ somewhat better for SHA-256 vs SHA-384:
+ https://github.com/randombit/botan/pull/675
+ */
return {
"AEAD",
- "SHA-384",
"SHA-256",
+ "SHA-384",
"SHA-1",
};
}
@@ -68,7 +73,7 @@ std::vector<std::string> Policy::allowed_key_exchange_methods() const
//"PSK",
"ECDH",
"DH",
- "RSA",
+ //"RSA",
};
}
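Review bot: The commented-out `"RSA"` entry on line 190 carries no hint of why it is now disabled, and this list is exactly where someone chasing an interop failure with an old peer will go to re-enable it. A why-comment would keep the rationale from the commit message next to the switch: `//"RSA", // static RSA: no forward secrecy, and a server that decrypts with its key exposes a chosen-ciphertext oracle`. The manual note added in this commit states the same rationale, but the code should carry it too. allowed_key_exchange_methods starts before this hunk.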
@@ -77,7 +82,7 @@ std::vector<std::string> Policy::allowed_signature_methods() const
return {
"ECDSA",
"RSA",
- "DSA",
+ //"DSA",
//"" (anon)
};
}
@@ -144,8 +149,8 @@ size_t Policy::minimum_ecdsa_group_size() const
size_t Policy::minimum_ecdh_group_size() const
{
- // P-256 is smallest curve currently supplrted for TLS key exchange (after 1.11.29)
- return 256;
+ // x25519 is smallest curve currently supported for TLS key exchange
+ return 255;
}
size_t Policy::minimum_rsa_bits() const
@@ -160,6 +165,12 @@ size_t Policy::minimum_rsa_bits() const
return 2048;
}
+size_t Policy::minimum_dsa_group_size() const
+ {
+ // FIPS 186-3
+ return 2048;
+ }
+
void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
{
const std::string algo_name = public_key.algo_name();
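Review bot: `minimum_dsa_group_size()` returns 2048 with only `// FIPS 186-3` as justification, but FIPS 186-3 constrains DSA by the (L, N) pair — 2048-bit p together with a 224- or 256-bit q — and a hook named "group size" presumably bounds only L. If the comparison later in check_peer_key_acceptable (outside this hunk) uses the key's reported modulus size, a 2048-bit p with an undersized q would pass; I cannot confirm from this hunk how key_length() is defined for DSA. At minimum the comment should say what is and is not covered: `// FIPS 186-3: L >= 2048 for new DSA keys (the subgroup order size N is not checked here)`. check_peer_key_acceptable's body continues past this hunk.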
@@ -177,7 +188,11 @@ void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
{
expected_keylength = minimum_dh_group_size();
}
- else if(algo_name == "ECDH")
+ else if(algo_name == "DSA")
+ {
+ expected_keylength = minimum_dsa_group_size();
+ }
+ else if(algo_name == "ECDH" || algo_name == "Curve25519")
{
expected_keylength = minimum_ecdh_group_size();
}
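Review bot: The new `Curve25519` branch reuses `minimum_ecdh_group_size()`, which this commit lowers to 255, so the acceptance check hinges on what `key_length()` reports for a Curve25519 public key — the curve's 255 bits, the 256-bit (32-byte) encoding, or something else — and this hunk does not show it. If it reports anything below 255 every x25519 peer key is rejected; if it reports a fixed value the check is vacuous for that key type. A unit test that a valid x25519 peer key is accepted, and that a policy overriding `minimum_ecdh_group_size()` to 256 rejects it, would pin the intended behaviour. The comparison against `expected_keylength` lies outside this hunk.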
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index f387361f6..efef7e1f7 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -151,11 +151,12 @@ class BOTAN_DLL Policy
* Return the minimum ECDH group size we're willing to use
* for key exchange
*
- * Default 256, allowing P-256 and larger
- * P-256 is the smallest curve we will negotiate
+ * Default 255, allowing x25519 and larger
+ * x25519 is the smallest curve we will negotiate
+ * P-521 is the largest
*/
virtual size_t minimum_ecdh_group_size() const;
-
+
/**
* Return the minimum bit size we're willing to accept for RSA
* key exchange or server signatures.
@@ -170,6 +171,11 @@ class BOTAN_DLL Policy
virtual size_t minimum_rsa_bits() const;
/**
+ * Minimum DSA group size, default 2048 bits
+ */
+ virtual size_t minimum_dsa_group_size() const;
+
+ /**
* Throw an exception if you don't like the peer's key.
* Default impl checks the key size against minimum_rsa_bits, minimum_ecdsa_group_size,
* or minimum_ecdh_group_size depending on the key's type.
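Review bot: The Doxygen comment on check_peer_key_acceptable (lines 264-266) is now incomplete: the default implementation also checks DSA keys against the new `minimum_dsa_group_size` (and DH keys against `minimum_dh_group_size`, per the branch visible in the .cpp hunk), but the comment still lists only `minimum_rsa_bits`, `minimum_ecdsa_group_size` and `minimum_ecdh_group_size`. Suggested wording: `* Default impl checks the key size against minimum_rsa_bits, minimum_dsa_group_size,` / `* minimum_dh_group_size, minimum_ecdsa_group_size, or minimum_ecdh_group_size` / `* depending on the key's type.` The comment block continues beyond this hunk.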