author | Jack Lloyd <[email protected]> | 2016-11-02 13:52:20 -0400 |
committer | Jack Lloyd <[email protected]> | 2016-11-02 13:52:20 -0400 |
commit | 4c972845183f4b640a44d9746d634e163173e18e (patch) | |
tree | 1f13aa6d98fe851b47843ee7fc4e49f0bbe9e944 /src | |
parent | 4a0d88a564e6c7218aa0cec4457d86862a2a2ac9 (diff) |
Change TLS default policy to disable DSA, CCM-8, and static RSA
Disables static RSA by default. The advantage here is twofold: enforcing forward
security and protecting TLS servers from oracle attacks since by default they
will never negotiate a suite which forces them to act as a decryption
oracle. Some applications/users may be forced to enable RSA in order to speak
with old or misconfigured peers, but these can be the exception not the default.
Disable DSA and CCM-8 by default: if you need to enable these things, you know it.
Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits.
Remove an incorrect warning about DTLS in the manual; the sequence number window
check prevents this scenario from occurring.
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 31 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.h | 12 |
2 files changed, 32 insertions, 11 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 6ee1e0eac..3ed02f4c5 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -26,8 +26,8 @@ std::vector<std::string> Policy::allowed_ciphers() const
       "ChaCha20Poly1305",
       "AES-256/CCM",
       "AES-128/CCM",
-      "AES-256/CCM(8)",
-      "AES-128/CCM(8)",
+      //"AES-256/CCM(8)",
+      //"AES-128/CCM(8)",
       //"Camellia-256/GCM",
       //"Camellia-128/GCM",
       "AES-256",
@@ -51,10 +51,15 @@ std::vector<std::string> Policy::allowed_signature_hashes() const
 std::vector<std::string> Policy::allowed_macs() const
    {
+   /*
+   SHA-256 is preferred because the Lucky13 countermeasure works
+   somewhat better for SHA-256 vs SHA-384:
+   https://github.com/randombit/botan/pull/675
+   */
    return {
       "AEAD",
-      "SHA-384",
       "SHA-256",
+      "SHA-384",
       "SHA-1",
       };
    }
@@ -68,7 +73,7 @@ std::vector<std::string> Policy::allowed_key_exchange_methods() const
       //"PSK",
       "ECDH",
       "DH",
-      "RSA",
+      //"RSA",
       };
    }
@@ -77,7 +82,7 @@ std::vector<std::string> Policy::allowed_signature_methods() const
    return {
       "ECDSA",
       "RSA",
-      "DSA",
+      //"DSA",
       //"" (anon)
       };
    }
@@ -144,8 +149,8 @@ size_t Policy::minimum_ecdsa_group_size() const
 size_t Policy::minimum_ecdh_group_size() const
    {
-   // P-256 is smallest curve currently supplrted for TLS key exchange (after 1.11.29)
-   return 256;
+   // x25519 is smallest curve currently supported for TLS key exchange
+   return 255;
    }
 size_t Policy::minimum_rsa_bits() const
@@ -160,6 +165,12 @@ size_t Policy::minimum_rsa_bits() const
    return 2048;
    }
+size_t Policy::minimum_dsa_group_size() const
+   {
+   // FIPS 186-3
+   return 2048;
+   }
+
 void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
    {
    const std::string algo_name = public_key.algo_name();
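Review bot: In the hunk adding `Policy::minimum_dsa_group_size`, the comment `// FIPS 186-3` names a standard but says neither what the returned number measures nor where it is enforced, so a policy author overriding it has to go read check_peer_key_acceptable to find out. I would expand it to `// Smallest DSA group size (in bits) accepted from a peer; 2048 follows the FIPS 186-3 parameter sets. Enforced by check_peer_key_acceptable.`. The same commit comments "DSA" out of allowed_signature_methods, so presumably this limit only takes effect for a policy subclass that re-enables DSA; if that is the intent, the comment is the place to say so.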
@@ -177,7 +188,11 @@ void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
       {
       expected_keylength = minimum_dh_group_size();
       }
-   else if(algo_name == "ECDH")
+   else if(algo_name == "DSA")
+      {
+      expected_keylength = minimum_dsa_group_size();
+      }
+   else if(algo_name == "ECDH" || algo_name == "Curve25519")
       {
       expected_keylength = minimum_ecdh_group_size();
       }
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index f387361f6..efef7e1f7 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -151,11 +151,12 @@ class BOTAN_DLL Policy
        * Return the minimum ECDH group size we're willing to use
        * for key exchange
        *
-       * Default 256, allowing P-256 and larger
-       * P-256 is the smallest curve we will negotiate
+       * Default 255, allowing x25519 and larger
+       * x25519 is the smallest curve we will negotiate
+       * P-521 is the largest
        */
       virtual size_t minimum_ecdh_group_size() const;
-
+
       /**
        * Return the minimum bit size we're willing to accept for RSA
        * key exchange or server signatures.
@@ -170,6 +171,11 @@ class BOTAN_DLL Policy
       virtual size_t minimum_rsa_bits() const;
       /**
+       * Minimum DSA group size, default 2048 bits
+       */
+      virtual size_t minimum_dsa_group_size() const;
+
+      /**
        * Throw an exception if you don't like the peer's key.
        * Default impl checks the key size against minimum_rsa_bits, minimum_ecdsa_group_size,
        * or minimum_ecdh_group_size depending on the key's type.
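Review bot: The doc comment of `check_peer_key_acceptable` in the last tls_policy.h hunk still says the default implementation checks against minimum_rsa_bits, minimum_ecdsa_group_size, or minimum_ecdh_group_size, but the tls_policy.cpp hunk above now also routes "DSA" keys to minimum_dsa_group_size and "Curve25519" keys to minimum_ecdh_group_size, so the header is already out of date in the same commit. I would change that sentence to `* Default impl checks the key size against minimum_rsa_bits, minimum_ecdsa_group_size, minimum_dsa_group_size, or minimum_ecdh_group_size (also applied to Curve25519) depending on the key's type.`. The new `minimum_dsa_group_size` doc could likewise follow its neighbours and state what the value governs, e.g. `* Minimum DSA group size we're willing to accept for peer signing keys, default 2048 bits`. The part of check_peer_key_acceptable that compares expected_keylength against the peer key lies outside the hunk, so I cannot confirm from here which key measure it uses; that matters because the lowered 255 default is now meant to admit both Curve25519 and P-256 keys.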