authorlloyd <[email protected]>2015-01-23 23:29:05 +0000
committerlloyd <[email protected]>2015-01-23 23:29:05 +0000
commitdf8460e286db4cea69671ea7bac4b10660ed7b12 (patch)
tree3952d54d882e05b76adce603490218e0acefda52
parent72883a57553a1e6845eec71d1b53254ee041c6ec (diff)
Add Strict_Policy. Disable server initiated renegotiation by default.
-rw-r--r--doc/manual/tls.rst13
-rw-r--r--src/lib/tls/tls_policy.cpp15
-rw-r--r--src/lib/tls/tls_policy.h41
3 files changed, 51 insertions, 18 deletions
diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst
index 4ac7b5cb3..b581c978c 100644
--- a/doc/manual/tls.rst
+++ b/doc/manual/tls.rst
@@ -491,7 +491,10 @@ TLS Policies
----------------------------------------
``TLS::Policy`` is how an application can control details of what will
-be negotiated during a handshake.
+be negotiated during a handshake. The base class acts as the default
+policy. There is also a ``Strict_Policy`` (which forces only secure
+options, reducing compatability) and ``Text_Policy`` which reads
+policy settings from a file.
.. cpp:class:: TLS::Policy
@@ -617,7 +620,7 @@ be negotiated during a handshake.
server-initiated renegotiation attempt. Otherwise it will send
the server a non-fatal ``no_renegotiation`` alert.
- Default: true
+ Default: false
.. cpp:function:: bool allow_insecure_renegotiation() const
@@ -628,11 +631,11 @@ be negotiated during a handshake.
Default: false
- .. cpp:function:: DL_Group dh_group() const
+ .. cpp:function:: std::string dh_group() const
For ephemeral Diffie-Hellman key exchange, the server sends a
- group parameter. Return the group parameter a server should
- use.
+ group parameter. Return a string specifying the group parameter a
+ server should use.
Default: 2048 bit IETF IPsec group ("modp/ietf/2048")
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index e9f5bb209..7bbf7cd7e 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -168,15 +168,12 @@ bool Policy::acceptable_ciphersuite(const Ciphersuite&) const
return true;
}
-bool Policy::negotiate_heartbeat_support() const
- {
- return false;
- }
-
-bool Policy::allow_server_initiated_renegotiation() const
- {
- return true;
- }
+bool Policy::negotiate_heartbeat_support() const { return false; }
+bool Policy::allow_server_initiated_renegotiation() const { return false; }
+bool Policy::allow_insecure_renegotiation() const { return false; }
+bool Policy::include_time_in_hello_random() const { return true; }
+bool Policy::hide_unknown_users() const { return false; }
+bool Policy::server_uses_own_ciphersuite_preferences() const { return true; }
std::vector<u16bit> Policy::srtp_profiles() const
{
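Review bot: The six one-line definitions added here (`bool Policy::negotiate_heartbeat_support() const { return false; }` and the five that follow) break the brace layout the rest of this file uses, where the body braces sit on their own indented lines as in the context above and in `Policy::srtp_profiles` below; if the compact form is deliberate, a blank line separating the group from `srtp_profiles` would at least keep the file readable. More importantly, `allow_server_initiated_renegotiation` now returns `false` but only the manual (tls.rst) is updated in this commit; the Doxygen comment for that method in tls_policy.h is not part of any hunk, so if it still states the old default it is now stale and should be brought in line with `Default: false`. The `srtp_profiles` body continues outside the hunk.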
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index fdfbb6478..247510326 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -87,7 +87,7 @@ class BOTAN_DLL Policy
* @warning Changing this to true exposes you to injected
* plaintext attacks. Read RFC 5746 for background.
*/
- virtual bool allow_insecure_renegotiation() const { return false; }
+ virtual bool allow_insecure_renegotiation() const;
/**
* The protocol dictates that the first 32 bits of the random
@@ -95,7 +95,7 @@ class BOTAN_DLL Policy
* client fingerprinting attacks. Set to false to disable, in
* which case random bytes will be used instead.
*/
- virtual bool include_time_in_hello_random() const { return true; }
+ virtual bool include_time_in_hello_random() const;
/**
* Allow servers to initiate a new handshake
@@ -117,7 +117,7 @@ class BOTAN_DLL Policy
* proceed, causing the handshake to eventually fail without
* revealing that the username does not exist on this system.
*/
- virtual bool hide_unknown_users() const { return false; }
+ virtual bool hide_unknown_users() const;
/**
* Return the allowed lifetime of a session ticket. If 0, session
@@ -165,7 +165,7 @@ class BOTAN_DLL Policy
* their highest preference, rather than the clients.
* Has no effect on client side.
*/
- virtual bool server_uses_own_ciphersuite_preferences() const { return true; }
+ virtual bool server_uses_own_ciphersuite_preferences() const;
/**
* Return allowed ciphersuites, in order of preference
@@ -219,6 +219,39 @@ class BOTAN_DLL Datagram_Policy : public Policy
{ return version == Protocol_Version::DTLS_V12; }
};
+/*
+* This policy requires a secure version of TLS and disables all insecure
+* algorithms. It is compatible with other botan TLSes (including those using the
+* default policy) and with many other recent implementations. It is a great idea
+* to use if you control both sides of the protocol and don't have to worry
+* about ancient and/or bizarre TLS implementations.
+*/
+class BOTAN_DLL Strict_Policy : public Policy
+ {
+ public:
+ std::vector<std::string> allowed_ciphers() const override
+ {
+ return { "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" };
+ }
+
+ std::vector<std::string> allowed_signature_hashes() const override
+ { return { "SHA-512", "SHA-384"}; }
+
+ std::vector<std::string> allowed_macs() const override
+ { return { "AEAD" }; }
+
+ std::vector<std::string> allowed_key_exchange_methods() const override
+ { return { "ECDH" }; }
+
+ bool acceptable_protocol_version(Protocol_Version version) const override
+ {
+ if(version.is_datagram_protocol())
+ return (version >= Protocol_Version::DTLS_V12);
+ else
+ return (version >= Protocol_Version::TLS_V12);
+ }
+ };
+
class BOTAN_DLL Text_Policy : public Policy
{
public:
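Review bot: The class comment introducing `Strict_Policy` opens with `/*` while every other documented member in this header uses the Doxygen form `/**` (see the comment blocks at the earlier hunks), so this description will not appear in generated API docs; change the opener to `/**`. The comment also claims the policy "disables all insecure algorithms", yet the class only narrows ciphers, signature hashes, MACs and key exchange; if the base `Policy` lists for `allowed_ecc_curves()` and `allowed_signature_methods()` admit weaker choices, those are still inherited here, so either override them or soften the wording to describe exactly what is restricted. A short note on why `acceptable_protocol_version` treats TLS and DTLS separately (`// (D)TLS 1.2 is the minimum version this policy accepts`) would help readers. `Text_Policy` starts at the end of this hunk and continues outside it.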