authorJack Lloyd <[email protected]>2016-11-02 13:52:20 -0400
committerJack Lloyd <[email protected]>2016-11-02 13:52:20 -0400
commit4c972845183f4b640a44d9746d634e163173e18e (patch)
tree1f13aa6d98fe851b47843ee7fc4e49f0bbe9e944 /src
parent4a0d88a564e6c7218aa0cec4457d86862a2a2ac9 (diff)
Change TLS default policy to disable DSA, CCM-8, and static RSA
Disables static RSA by default. The advantage here is twofold: enforcing forward security and protecting TLS servers from oracle attacks since by default they will never negotiate a suite which forces them to act as a decryption oracle. Some applications/users may be forced to enable RSA in order to speak with old or misconfigured peers, but these can be the exception not the default. Disable DSA and CCM-8 by default: if you need to enable these things, you know it. Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits. Remove an incorrect warning about DTLS in the manual; the sequence number window check prevents this scenario from occurring.
Diffstat (limited to 'src')
-rw-r--r--src/lib/tls/tls_policy.cpp31
-rw-r--r--src/lib/tls/tls_policy.h12
2 files changed, 32 insertions, 11 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 6ee1e0eac..3ed02f4c5 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -26,8 +26,8 @@ std::vector<std::string> Policy::allowed_ciphers() const
"ChaCha20Poly1305",
"AES-256/CCM",
"AES-128/CCM",
- "AES-256/CCM(8)",
- "AES-128/CCM(8)",
+ //"AES-256/CCM(8)",
+ //"AES-128/CCM(8)",
//"Camellia-256/GCM",
//"Camellia-128/GCM",
"AES-256",
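Review bot: The two CCM(8) entries are commented out with no note of why, so a later maintainer cannot tell whether the exclusion is deliberate or a leftover; the same applies to `//"RSA"` in allowed_key_exchange_methods and `//"DSA"` in allowed_signature_methods further down this file. The commit message carries the rationale (the 8-byte tag of CCM(8), the lack of forward secrecy and decryption-oracle exposure of static RSA key exchange, DSA off unless explicitly needed) but none of it reaches the code, where a policy subclass author will actually look. A one-line comment above each disabled entry, e.g. `// CCM(8) uses an 8-byte (64-bit) authentication tag; disabled by default, enable in a subclass only if a peer requires it`, keeps the intent next to the list. allowed_ciphers continues outside the hunk on both sides.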
@@ -51,10 +51,15 @@ std::vector<std::string> Policy::allowed_signature_hashes() const
std::vector<std::string> Policy::allowed_macs() const
{
+ /*
+ SHA-256 is preferred because the Lucky13 countermeasure works
+ somewhat better for SHA-256 vs SHA-384:
+ https://github.com/randombit/botan/pull/675
+ */
return {
"AEAD",
- "SHA-384",
"SHA-256",
+ "SHA-384",
"SHA-1",
};
}
@@ -68,7 +73,7 @@ std::vector<std::string> Policy::allowed_key_exchange_methods() const
//"PSK",
"ECDH",
"DH",
- "RSA",
+ //"RSA",
};
}
@@ -77,7 +82,7 @@ std::vector<std::string> Policy::allowed_signature_methods() const
return {
"ECDSA",
"RSA",
- "DSA",
+ //"DSA",
//"" (anon)
};
}
@@ -144,8 +149,8 @@ size_t Policy::minimum_ecdsa_group_size() const
size_t Policy::minimum_ecdh_group_size() const
{
- // P-256 is smallest curve currently supplrted for TLS key exchange (after 1.11.29)
- return 256;
+ // x25519 is smallest curve currently supported for TLS key exchange
+ return 255;
}
size_t Policy::minimum_rsa_bits() const
@@ -160,6 +165,12 @@ size_t Policy::minimum_rsa_bits() const
return 2048;
}
+size_t Policy::minimum_dsa_group_size() const
+ {
+ // FIPS 186-3
+ return 2048;
+ }
+
void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
{
const std::string algo_name = public_key.algo_name();
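Review bot: The `// FIPS 186-3` comment on minimum_dsa_group_size names the standard but not what the 2048 refers to, and the header in this commit only says "Minimum DSA group size", so a reader has to guess whether this bounds the modulus p (L) or the subgroup q (N). FIPS 186-3 defines (L, N) pairs of 2048/224, 2048/256 and 3072/256; judging by the name and its use in check_peer_key_acceptable this hook appears to constrain only L, leaving the q size unchecked by policy — worth confirming against the actual comparison in check_peer_key_acceptable, which lies outside this hunk. I'd expand the comment to `// FIPS 186-3: 2048 is the smallest approved modulus size (L) for new DSA keys; the subgroup size (N) is not bounded by this hook`.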
@@ -177,7 +188,11 @@ void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
{
expected_keylength = minimum_dh_group_size();
}
- else if(algo_name == "ECDH")
+ else if(algo_name == "DSA")
+ {
+ expected_keylength = minimum_dsa_group_size();
+ }
+ else if(algo_name == "ECDH" || algo_name == "Curve25519")
{
expected_keylength = minimum_ecdh_group_size();
}
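Review bot: The new `algo_name == "Curve25519"` branch reuses minimum_ecdh_group_size, whose default drops to 255 in the same commit, but the comparison that consumes expected_keylength is outside the hunk; it is worth confirming that the size a Curve25519 public key reports is tested with the same inclusive comparison as the NIST curves, since a 255-bit key against a 255 minimum only passes if the test is `>=`. A policy subclass that still returns the old 256 default will now reject x25519 outright, which is presumably intended but is not obvious from this branch. I'd add `// Curve25519 is checked against the ECDH minimum (255 by default); a policy returning 256 or more excludes it` above the else-if. check_peer_key_acceptable continues outside the hunk on both sides.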
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index f387361f6..efef7e1f7 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -151,11 +151,12 @@ class BOTAN_DLL Policy
* Return the minimum ECDH group size we're willing to use
* for key exchange
*
- * Default 256, allowing P-256 and larger
- * P-256 is the smallest curve we will negotiate
+ * Default 255, allowing x25519 and larger
+ * x25519 is the smallest curve we will negotiate
+ * P-521 is the largest
*/
virtual size_t minimum_ecdh_group_size() const;
-
+
/**
* Return the minimum bit size we're willing to accept for RSA
* key exchange or server signatures.
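Review bot: The updated doc for minimum_ecdh_group_size does not mention that Curve25519 keys are now checked against this value as well, which the new `algo_name == "Curve25519"` branch in tls_policy.cpp in this commit makes true; a subclass author reading only the header would not realise that returning 256 (the previous default) now excludes x25519 entirely. I'd add `* Curve25519 keys are checked against this value too; returning 256 or more excludes x25519` to the comment. The line `* P-521 is the largest` describes which curves the library supports rather than what this hook controls and could be reworded to say so.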
@@ -170,6 +171,11 @@ class BOTAN_DLL Policy
virtual size_t minimum_rsa_bits() const;
/**
+ * Minimum DSA group size, default 2048 bits
+ */
+ virtual size_t minimum_dsa_group_size() const;
+
+ /**
* Throw an exception if you don't like the peer's key.
* Default impl checks the key size against minimum_rsa_bits, minimum_ecdsa_group_size,
* or minimum_ecdh_group_size depending on the key's type.
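Review bot: The doc comment for check_peer_key_acceptable at the end of the hunk still lists only minimum_rsa_bits, minimum_ecdsa_group_size and minimum_ecdh_group_size, while the implementation in this commit also dispatches to the new minimum_dsa_group_size (and, as the context lines in tls_policy.cpp show, to minimum_dh_group_size). I'd update it to `* Default impl checks the key size against minimum_rsa_bits, minimum_ecdsa_group_size, minimum_ecdh_group_size, minimum_dh_group_size or minimum_dsa_group_size depending on the key's type.` The comment block and the declaration it documents continue past the end of the hunk.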