diff options
| author | Jack Lloyd <[email protected]> | 2016-12-30 21:46:04 -0500 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2016-12-30 21:46:04 -0500 |
| commit | 122754bf3dd27ffb81262affc16c78b5a513ed9e (patch) | |
| tree | b13f1efcb2a1b99e88e6b10c53b6e1d597b00337 /src/lib/tls | |
| parent | 0012c59f23ff0d99dc3fd91594040255cd2924bd (diff) | |
Increase default TLS DH min to 2048 bits, and add BSI policy class.
Moves BSI policy file to test data dir where it can be compared with
what the hardcoded class outputs.
Diffstat (limited to 'src/lib/tls')
| -rw-r--r-- | src/lib/tls/tls_policy.cpp | 3 | ||||
| -rw-r--r-- | src/lib/tls/tls_policy.h | 55 |
2 files changed, 56 insertions, 2 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index ae200ff47..1fff936fa 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -140,8 +140,7 @@ std::string Policy::dh_group() const size_t Policy::minimum_dh_group_size() const { - // Many servers still send 1024 bit - return 1024; + return 2048; } size_t Policy::minimum_ecdsa_group_size() const diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index 9fd3561a3..6f617c673 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -334,6 +334,61 @@ class BOTAN_DLL NSA_Suite_B_128 : public Policy }; /** +* BSI TR-02102-2 Policy +*/ +class BOTAN_DLL BSI_TR_02102_2 : public Policy + { + public: + std::vector<std::string> allowed_ciphers() const override + { + return std::vector<std::string>({"AES-256/GCM", "AES-128/GCM", "AES-256", "AES-128" }); + } + + std::vector<std::string> allowed_signature_hashes() const override + { + return std::vector<std::string>({"SHA-384", "SHA-256"}); + } + + std::vector<std::string> allowed_macs() const override + { + return std::vector<std::string>({"AEAD", "SHA-384", "SHA-256"}); + } + + std::vector<std::string> allowed_key_exchange_methods() const override + { + return std::vector<std::string>({"ECDH", "DH", "PSK", "ECDHE_PSK", "DHE_PSK"}); + } + + std::vector<std::string> allowed_signature_methods() const override + { + return std::vector<std::string>({"ECDSA", "RSA", "DSA"}); + } + + std::vector<std::string> allowed_ecc_curves() const override + { + return std::vector<std::string>({"brainpool512r1", "brainpool384r1", "brainpool256r1", "secp384r1", "secp256r1"}); + } + + bool allow_insecure_renegotiation() const override { return false; } + bool allow_server_initiated_renegotiation() const override { return true; } + bool server_uses_own_ciphersuite_preferences() const override { return true; } + bool negotiate_encrypt_then_mac() const override { return true; } + + size_t minimum_rsa_bits() const override { return 2000; } + size_t minimum_dh_group_size() const override { return 2000; } + size_t minimum_dsa_group_size() const override { return 2000; } + + size_t minimum_ecdh_group_size() const override { return 250; } + size_t minimum_ecdsa_group_size() const override { return 250; } + + bool allow_tls10() const override { return false; } + bool allow_tls11() const override { return false; } + bool allow_tls12() const override { return true; } + bool allow_dtls10() const override { return false; } + bool allow_dtls12() const override { return false; } + }; + +/** * Policy for DTLS. We require DTLS v1.2 and an AEAD mode. */ class BOTAN_DLL Datagram_Policy : public Policy |