-rw-r--r--src/cli/tls_client.cpp5
-rw-r--r--src/lib/tls/tls_callbacks.cpp6
-rw-r--r--src/lib/tls/tls_callbacks.h4
-rw-r--r--src/lib/tls/tls_client.cpp3
-rw-r--r--src/lib/tls/tls_policy.cpp5
-rw-r--r--src/lib/tls/tls_policy.h9
-rw-r--r--src/lib/tls/tls_server.cpp3
7 files changed, 28 insertions, 7 deletions
diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp
index 6fbb59e6f..8e21e21e5 100644
--- a/src/cli/tls_client.cpp
+++ b/src/cli/tls_client.cpp
@@ -255,12 +255,13 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks
const std::vector<Botan::X509_Certificate>& cert_chain,
const std::vector<Botan::Certificate_Store*>& trusted_roots,
Botan::Usage_Type usage,
- const std::string& hostname) override
+ const std::string& hostname,
+ const Botan::TLS::Policy& policy) override
{
if(cert_chain.empty())
throw std::invalid_argument("Certificate chain was empty");
- Botan::Path_Validation_Restrictions restrictions(true, 80);
+ Botan::Path_Validation_Restrictions restrictions(true, policy.minimum_signature_strength());
auto ocsp_timeout = std::chrono::milliseconds(300);
diff --git a/src/lib/tls/tls_callbacks.cpp b/src/lib/tls/tls_callbacks.cpp
index f43890e20..e95b1c0f7 100644
--- a/src/lib/tls/tls_callbacks.cpp
+++ b/src/lib/tls/tls_callbacks.cpp
@@ -6,6 +6,7 @@
*/
#include <botan/tls_callbacks.h>
+#include <botan/tls_policy.h>
#include <botan/x509path.h>
#include <botan/ocsp.h>
#include <botan/certstor.h>
@@ -28,12 +29,13 @@ void TLS::Callbacks::tls_verify_cert_chain(
const std::vector<X509_Certificate>& cert_chain,
const std::vector<Certificate_Store*>& trusted_roots,
Usage_Type usage,
- const std::string& hostname)
+ const std::string& hostname,
+ const TLS::Policy& policy)
{
if(cert_chain.empty())
throw Invalid_Argument("Certificate chain was empty");
- Path_Validation_Restrictions restrictions;
+ Path_Validation_Restrictions restrictions(true, policy.minimum_signature_strength());
Path_Validation_Result result =
x509_path_validate(cert_chain,
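Review bot: The first constructor argument on the new `restrictions` line is hard-coded to `true`, whereas the removed line default-constructed `Path_Validation_Restrictions`, so this hunk may change more than the signature-strength floor. The CLI override in this commit already passed `true` in that position, but the library default did not; if that argument is the require-revocation-information flag and its default is `false` (the constructor declaration is not visible here), applications using the default callback would start rejecting chains that carry no CRL or OCSP data. If that is not intended, `Path_Validation_Restrictions restrictions(false, policy.minimum_signature_strength());` keeps the old revocation behaviour; if it is intended, it belongs in the commit message and ideally behind its own policy setting. The function body continues past the end of the hunk.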
diff --git a/src/lib/tls/tls_callbacks.h b/src/lib/tls/tls_callbacks.h
index 8714058c1..200885173 100644
--- a/src/lib/tls/tls_callbacks.h
+++ b/src/lib/tls/tls_callbacks.h
@@ -26,6 +26,7 @@ class Response;
namespace TLS {
class Handshake_Message;
+class Policy;
/**
* Encapsulates the callbacks that a TLS channel will make which are due to
@@ -122,7 +123,8 @@ class BOTAN_DLL Callbacks
const std::vector<X509_Certificate>& cert_chain,
const std::vector<Certificate_Store*>& trusted_roots,
Usage_Type usage,
- const std::string& hostname);
+ const std::string& hostname,
+ const TLS::Policy& policy);
/**
* Called by default `tls_verify_cert_chain` to get the timeout to use for OCSP
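Review bot: Adding a parameter to the virtual `tls_verify_cert_chain` means an application override that still uses the four-argument signature no longer overrides anything. If it was written without `override`, it compiles cleanly and the library's default validation runs in place of the application's own checks (pinning, custom trust decisions). Because `Callbacks` is exported with `BOTAN_DLL`, this needs a release-note entry. The doc comment above the declaration (outside this hunk) should also gain a line such as `@param policy the TLS policy in effect; overrides must take this parameter and should honour policy.minimum_signature_strength()`.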
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 99b4ac731..185084734 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -396,7 +396,8 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
callbacks().tls_verify_cert_chain(server_certs,
trusted_CAs,
Usage_Type::TLS_SERVER_AUTH,
- m_info.hostname());
+ m_info.hostname(),
+ policy());
}
catch(std::exception& e)
{
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 49a8ad1fc..4dc1206e7 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -156,6 +156,11 @@ size_t Policy::minimum_ecdh_group_size() const
return 255;
}
+size_t Policy::minimum_signature_strength() const
+ {
+ return 110;
+ }
+
size_t Policy::minimum_rsa_bits() const
{
/* Default assumption is all end-entity certificates should
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index efef7e1f7..92814277f 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -57,6 +57,15 @@ class BOTAN_DLL Policy
*/
virtual std::vector<std::string> allowed_signature_methods() const;
+ /**
+ * The minimum signature strength we will accept
+ * Returning 80 allows RSA 1024 and SHA-1. Values larger than 80 disable SHA-1 support.
+ * Returning 110 allows RSA 2048.
+ * Return 128 to force ECC (P-256) or large (~3000 bit) RSA keys.
+ * Default is 110
+ */
+ virtual size_t minimum_signature_strength() const;
+
bool allowed_signature_method(const std::string& sig_method) const;
/**
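Review bot: The new doc comment on `minimum_signature_strength()` lists example values but states neither the unit nor where the value is enforced. Judging by the other hunks in this commit, it is passed as the second argument of `Path_Validation_Restrictions` inside `tls_verify_cert_chain`, so it constrains the peer's certificate chain during path validation rather than the handshake signature algorithms governed by `allowed_signature_methods()`. A first line such as `Minimum estimated strength (in bits) of the keys and signature hashes in the peer's certificate chain, enforced by the default tls_verify_cert_chain` would make that explicit; the unit appears to be bits of security, going by the examples. It is also worth stating that an application overriding `tls_verify_cert_chain` has to apply this value itself.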
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index abe22df3c..4e07b5f7c 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -529,7 +529,8 @@ void Server::process_certificate_verify_msg(Server_Handshake_State& pending_stat
callbacks().tls_verify_cert_chain(client_certs,
trusted_CAs,
Usage_Type::TLS_CLIENT_AUTH,
- sni_hostname);
+ sni_hostname,
+ policy());
}
catch ( std::exception& e )
{