diff options
-rw-r--r-- | src/cli/tls_client.cpp | 5 | ||||
-rw-r--r-- | src/lib/tls/tls_callbacks.cpp | 6 | ||||
-rw-r--r-- | src/lib/tls/tls_callbacks.h | 4 | ||||
-rw-r--r-- | src/lib/tls/tls_client.cpp | 3 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 5 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.h | 9 | ||||
-rw-r--r-- | src/lib/tls/tls_server.cpp | 3 |
7 files changed, 28 insertions, 7 deletions
diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp index 6fbb59e6f..8e21e21e5 100644 --- a/src/cli/tls_client.cpp +++ b/src/cli/tls_client.cpp @@ -255,12 +255,13 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks const std::vector<Botan::X509_Certificate>& cert_chain, const std::vector<Botan::Certificate_Store*>& trusted_roots, Botan::Usage_Type usage, - const std::string& hostname) override + const std::string& hostname, + const Botan::TLS::Policy& policy) override { if(cert_chain.empty()) throw std::invalid_argument("Certificate chain was empty"); - Botan::Path_Validation_Restrictions restrictions(true, 80); + Botan::Path_Validation_Restrictions restrictions(true, policy.minimum_signature_strength()); auto ocsp_timeout = std::chrono::milliseconds(300); diff --git a/src/lib/tls/tls_callbacks.cpp b/src/lib/tls/tls_callbacks.cpp index f43890e20..e95b1c0f7 100644 --- a/src/lib/tls/tls_callbacks.cpp +++ b/src/lib/tls/tls_callbacks.cpp @@ -6,6 +6,7 @@ */ #include <botan/tls_callbacks.h> +#include <botan/tls_policy.h> #include <botan/x509path.h> #include <botan/ocsp.h> #include <botan/certstor.h> @@ -28,12 +29,13 @@ void TLS::Callbacks::tls_verify_cert_chain( const std::vector<X509_Certificate>& cert_chain, const std::vector<Certificate_Store*>& trusted_roots, Usage_Type usage, - const std::string& hostname) + const std::string& hostname, + const TLS::Policy& policy) { if(cert_chain.empty()) throw Invalid_Argument("Certificate chain was empty"); - Path_Validation_Restrictions restrictions; + Path_Validation_Restrictions restrictions(true, policy.minimum_signature_strength()); Path_Validation_Result result = x509_path_validate(cert_chain, diff --git a/src/lib/tls/tls_callbacks.h b/src/lib/tls/tls_callbacks.h index 8714058c1..200885173 100644 --- a/src/lib/tls/tls_callbacks.h +++ b/src/lib/tls/tls_callbacks.h @@ -26,6 +26,7 @@ class Response; namespace TLS { class Handshake_Message; +class Policy; /** * Encapsulates the callbacks that a TLS channel will make which are due to @@ -122,7 +123,8 @@ class BOTAN_DLL Callbacks const std::vector<X509_Certificate>& cert_chain, const std::vector<Certificate_Store*>& trusted_roots, Usage_Type usage, - const std::string& hostname); + const std::string& hostname, + const TLS::Policy& policy); /** * Called by default `tls_verify_cert_chain` to get the timeout to use for OCSP diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp index 99b4ac731..185084734 100644 --- a/src/lib/tls/tls_client.cpp +++ b/src/lib/tls/tls_client.cpp @@ -396,7 +396,8 @@ void Client::process_handshake_msg(const Handshake_State* active_state, callbacks().tls_verify_cert_chain(server_certs, trusted_CAs, Usage_Type::TLS_SERVER_AUTH, - m_info.hostname()); + m_info.hostname(), + policy()); } catch(std::exception& e) { diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 49a8ad1fc..4dc1206e7 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -156,6 +156,11 @@ size_t Policy::minimum_ecdh_group_size() const return 255; } +size_t Policy::minimum_signature_strength() const + { + return 110; + } + size_t Policy::minimum_rsa_bits() const { /* Default assumption is all end-entity certificates should diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index efef7e1f7..92814277f 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -57,6 +57,15 @@ class BOTAN_DLL Policy */ virtual std::vector<std::string> allowed_signature_methods() const; + /** + * The minimum signature strength we will accept + * Returning 80 allows RSA 1024 and SHA-1. Values larger than 80 disable SHA-1 support. + * Returning 110 allows RSA 2048. + * Return 128 to force ECC (P-256) or large (~3000 bit) RSA keys. + * Default is 110 + */ + virtual size_t minimum_signature_strength() const; + bool allowed_signature_method(const std::string& sig_method) const; /** diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp index abe22df3c..4e07b5f7c 100644 --- a/src/lib/tls/tls_server.cpp +++ b/src/lib/tls/tls_server.cpp @@ -529,7 +529,8 @@ void Server::process_certificate_verify_msg(Server_Handshake_State& pending_stat callbacks().tls_verify_cert_chain(client_certs, trusted_CAs, Usage_Type::TLS_CLIENT_AUTH, - sni_hostname); + sni_hostname, + policy()); } catch ( std::exception& e ) { |