aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls/tls_policy.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Remove trailing whitespaceJack Lloyd2019-01-131-2/+2
|
* Make exceptions easier to translate to error codesJack Lloyd2018-11-231-1/+1
| | | | | | | | | | | Avoid throwing base Botan::Exception type, as it is difficult to determine what the error is in that case. Add Exception::error_code and Exception::error_type which allows (for error code) more information about the error and (for error type) allows knowing the error type without requiring a sequence of catches. See GH #1742
* Default disable support for TLS v1.0/v1.1 and all CBC and CCM suitesJack Lloyd2018-08-221-6/+6
|
* TLS would try to negotiate x25519 even if disabledJack Lloyd2018-06-151-2/+6
| | | | | | | | Also reorder ECC groups to actually match performance characteristics. I'm not sure when P-384 was slower than P-521 but it certainly isn't anymore. Fixes #1607
* Use enums for TLS key exchange group paramsJack Lloyd2018-02-131-75/+57
|
* Use enums to represent TLS signature and kex algorithms.Jack Lloyd2018-01-281-6/+28
| | | | Adds support for PSS signatures (currently verifying only).
* Avoid resuming a session if policy doesn't allow itJack Lloyd2018-01-281-2/+3
| | | | Previously if the policy changed we'd continue to resume. #1431
* Remove vestigial support for TLS compressionJack Lloyd2018-01-211-8/+0
| | | | | It was never supported and never will be. Removing negotiation entirely simplifies the code a bit.
* Add copyright statements to files modified in the preceding 2 commitsHarry Reimann2017-12-041-0/+1
|
* Make support for certificate status messages optional via policyHarry Reimann2017-12-041-0/+2
| | | | | | | | Don't postpone the verification of a server certificate if certificate status messages are not expected in client handshake. When using an external crypto device it may be necessary to verify the certificate before using the public key for verification of the signature in the server key exchange message.
* Add support for ARIA GCM ciphersuitesJack Lloyd2017-11-031-0/+2
| | | | Tested against OpenSSL master
* Add supported groups TLS extension (RFC 7919)René Korthaus2017-10-171-5/+46
|
* Apply final annotations to the library alsoJack Lloyd2017-09-221-1/+1
| | | | | Done by a perl script which converted all classes to final, followed by selective reversion where it caused compilation failures.
* De-inline TLS::Text_PolicyJack Lloyd2017-09-211-0/+2
| | | | | Getting a little large to be all defined in a header, and sticking it in a source file allows removing several includes from tls_policy.h
* More include header cleanupsJack Lloyd2017-09-211-1/+0
|
* Header file cleanupsJack Lloyd2017-09-211-0/+1
| | | | Some help from include-what-you-use
* Merge GH #872 Add ability for TLS servers to prohibit renegotiationJack Lloyd2017-09-191-0/+1
|\
| * Fix logic of renegotiation checkJack Lloyd2017-02-201-1/+1
| | | | | | | | | | | | Turning the policy off broke the server entirely. Expose the new flag to Text_Policy
| * Add TLS::Policy::allow_client_initiated_renegotiationJack Lloyd2017-02-191-0/+1
| | | | | | | | Parallel of the server policy flag.
* | Correct TLS::Policy::latest_supported_versionJack Lloyd2017-09-041-2/+16
| | | | | | | | | | This would do the wrong thing if TLS v1.2 was disabled but v1.0/v1.1 allowed.
* | Enforce signature hash policy properlyJack Lloyd2017-08-311-0/+5
|/ | | | | | | | Previously if the client did not send signature_algorithms, or if it only included algos not in the policy, we would just fallback to the hardcoded SHA-1 default of TLS v1.2 Instead check the policy before accepting anything.
* Avoid negotiating CECPQ1 if x25519 ECC is disabledJack Lloyd2017-01-051-0/+10
|
* Increase default TLS DH min to 2048 bits, and add BSI policy class.Jack Lloyd2016-12-301-2/+1
| | | | | Moves BSI policy file to test data dir where it can be compared with what the hardcoded class outputs.
* Prohibit SHA256/SHA384 ciphersuites in TLS 1.0/1.1 (GH #496)Jack Lloyd2016-12-281-3/+10
|
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-181-7/+7
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Add TLS::Policy::require_cert_revocation_infoJack Lloyd2016-11-281-0/+5
|
* Add TLS::Policy::to_stringJack Lloyd2016-11-261-0/+7
|
* Add minimum_signature_strenght to Text_PolicyJack Lloyd2016-11-251-1/+2
| | | | Also (unrelated) enable CECPQ1 in Strict_Policy
* Add TLS::Policy::minimum_signature_strengthJack Lloyd2016-11-251-0/+5
| | | | | | Changes TLS callback API for cert verify to accept Policy& Sets default signature strength to 110 to force RSA ~2048.
* Order default TLS ECC curve preferences by performanceJack Lloyd2016-11-191-4/+6
| | | | | | | | | | | | Moves x25519 to the front for best by-default side channel resistance, and orders remaining NIST/BP curves by performance rather than size. That means putting P-521 before P-384, since P-521 is much faster at least in Botan (due to much simpler modular reduction for P-521 prime), and Brainpools to the end due to being quite slow (no fast reductions). All of the supported curves seem strong enough, and if someone can break P-256 they can probably break P-384 as well so there doesn't seem much advantage in preferring slower curves by default.
* Add CECPQ1 TLS ciphersuitesJack Lloyd2016-11-171-1/+2
| | | | | | | | | | | | | Tested against BoringSSL (as client + server) and google.com (as client). Fix a stupid crashing bug in NewHope's BoringSSL mode. Remove unneeded error return from curve25519_donna - always returned 0. Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which means the default no-extra-configuration ciphersuite (for Botan client speaking to Botan server) is a ciphersuite which is both implemented in constant time on all platforms and (hopefully) provides post quantum security. Good Things.
* Pubkey cleanupsJack Lloyd2016-11-121-3/+1
| | | | | | | | | | Add Public_Key::key_length usable for policy checking (as in TLS::Policy::check_peer_key_acceptable) Remove Public_Key::max_input_bits because it didn't make much sense for most algorithms actually. Remove message_parts and message_part_size from PK_Ops
* Change TLS default policy to disable DSA, CCM-8, and static RSAJack Lloyd2016-11-021-8/+23
| | | | | | | | | | | | | | | Disables static RSA by default. The advantage here is twofold: enforcing forward security and protecting TLS servers from oracle attacks since by default they will never negotiate a suite which forces them to act as a decryption oracle. Some applications/users may be forced to enable RSA in order to speak with old or misconfigured peers, but these can be the exception not the default. Disable DSA and CCM-8 by default: if you need to enable these things, you know it. Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits. Remove an incorrect warning about DTLS in the manual; the sequence number window check prevents this scenario from occuring.
* X25519 key exchange for TLSJack Lloyd2016-10-211-0/+1
| | | | | Client interops with google.com, server not tested against an independent client yet.
* TLS: Split CBC+HMAC modes to standalone AEAD_ModeJack Lloyd2016-10-071-1/+8
| | | | | Now record layer only deals with an AEAD, and the weird complications of CBC modes mostly hidden in tls_cbc.cpp
* Support encoding of supported point formats extensionRené Korthaus2016-10-031-0/+5
|
* Address some issues with PR 492Jack Lloyd2016-08-131-9/+60
| | | | | | | | | | | | | | | | Adds copyright notices for Juraj Somorovsky and Christian Mainka of Hackmanit for the changes in 7c7fcecbe6a and 6d327f879c Add Policy::check_peer_key_acceptable which lets the app set an arbitrary callback for examining keys - both the end entity signature keys from certificates and the peer PFS public keys. Default impl checks that the algorithm size matches the min keylength. This centralizes this logic and lets the application do interesting things. Adds a policy for ECDSA group size checks. Increases default policy minimums to 2048 RSA and 256 ECC. (Maybe I'm an optimist after all.)
* Encrypt-then-MAC extension (RFC 7366)Juraj Somorovsky2016-05-111-0/+2
| | | | | | Introduced a countermeasure against the logjam attack Short TLS records (AES-CBC) now return BAD_RECORD_MAC Fixed a compatibility problem with OpenSSL and TLS 1.0 (BEAST countermeasure)
* TLS Policy supportChristian Mainka2016-05-031-11/+39
| | | | | | | * --policy works for TLS Server and TLS Client * Example policy BSI_TR-02102-2.txt * Fine granular configuration for TLS 1.0, 1.1, 1.2 and DTLS 1.0 and 1.2 * Minimum ecdh and rsa group size
* Remove support for TLS v1.2 MD5 and SHA-224 signatures.Jack Lloyd2016-03-171-11/+0
| | | | | | | | | Remove support for weak ECC curves (anything under P-256) from TLS. This includes secp256k1 since we don't take advantage of the special form for any performance advantage; might as well use P-256. The manual still mentioned that it was possible to use MD5 in Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
* Client must verify that the server sent an ECC curve which policy accepts.Jack Lloyd2016-03-171-0/+5
| | | | | Otherwise a MITM who can in real time break any supported ECC curve can downgrade us.
* Check that TLS signature type is accepted by the policy.Jack Lloyd2016-03-061-0/+5
| | | | | | Previously the signature hashes and algos info was used to set the v1.2 signature_algorithms extension, but if the counterparty ignored the extension and sent something else, we wouldn't notice.
* Make SRP6 support optional in TLSJack Lloyd2016-02-071-2/+2
| | | | | | | | Remove SRP_SHA from the default policy, since normal applications do not need it. Removes nullptr initializers of unique_ptrs in the Server_Key_Exchange constructor, that's the default unique_ptr already.
* Remove TLS heartbeat support.Jack Lloyd2016-02-071-2/+0
| | | | | The signature of the alert callback remains unchanged to avoid breaking applications, though now the buffer parameter is never set.
* Avoid set<Ciphersuite>Jack Lloyd2016-01-171-6/+7
| | | | Works around a libstdc++ bug when fuzzing with libFuzzer
* Remove all remaining uses of throwing a std:: exception directlyJack Lloyd2015-12-191-1/+1
| | | | See GH #340 and 6b9a3a5 for background
* Add TLS_PSK testsJack Lloyd2015-11-131-5/+2
| | | | | | | | | | | Fix a bug which rejected any short server key exchanges. These can occur with a plain PSK with short or empty identity hints. Disable SHA-224 by default. Remove some vestigal RC4 cruft. Push more on the TLS corruption tests.
* TLS improvementsJack Lloyd2015-10-251-2/+11
| | | | | | | | | | | | | | Use constant time operations when checking CBC padding in TLS decryption Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server. Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
* Add a runtime map of string->func() which when called returnlloyd2015-01-281-14/+42
| | | | | | | | | | | | | | | | | Transforms and BlockCiphers. Registration for all types is done at startup but is very cheap as just a std::function and a std::map entry are created, no actual objects are created until needed. This is a huge improvement over Algorithm_Factory which used T::clone() as the function and thus kept a prototype object of each type in memory. Replace existing lookup mechanisms for ciphers, AEADs, and compression to use the transform lookup. The existing Engine framework remains in place for BlockCipher, but the engines now just call to the registry instead of having hardcoded lookups. s/Transformation/Transform/ with typedefs for compatability. Remove lib/selftest code (for runtime selftesting): not the right approach.
* Add Strict_Policy. Disable server initiated renegotiation by default.lloyd2015-01-231-9/+6
|