From f4f6726262d1096974d191de3f3220b6e1a41c06 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Fri, 25 Nov 2016 12:01:10 -0500 Subject: Add TLS::Policy::minimum_signature_strength Changes TLS callback API for cert verify to accept Policy& Sets default signature strength to 110 to force RSA ~2048. --- src/lib/tls/tls_policy.cpp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src/lib/tls/tls_policy.cpp') diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 49a8ad1fc..4dc1206e7 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -156,6 +156,11 @@ size_t Policy::minimum_ecdh_group_size() const return 255; } +size_t Policy::minimum_signature_strength() const + { + return 110; + } + size_t Policy::minimum_rsa_bits() const { /* Default assumption is all end-entity certificates should -- cgit v1.2.3 From c821af9ecb9df8b8e2e5ce0f9616a03193b23f55 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Fri, 25 Nov 2016 12:09:57 -0500 Subject: Add minimum_signature_strenght to Text_Policy Also (unrelated) enable CECPQ1 in Strict_Policy --- src/lib/tls/tls_policy.cpp | 3 ++- src/lib/tls/tls_policy.h | 9 +++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'src/lib/tls/tls_policy.cpp') diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 4dc1206e7..4bd071d0b 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -471,6 +471,7 @@ void Policy::print(std::ostream& o) const o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n'; o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n'; o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n'; + o << "minimum_signature_strength = " << minimum_signature_strength() << '\n'; } std::vector Strict_Policy::allowed_ciphers() const @@ -490,7 +491,7 @@ std::vector Strict_Policy::allowed_macs() const std::vector Strict_Policy::allowed_key_exchange_methods() const { - return { "ECDH" }; + return { "CECPQ1", "ECDH" }; } bool Strict_Policy::allow_tls10() const { return false; } diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index 92814277f..519139fff 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -310,7 +310,9 @@ class BOTAN_DLL NSA_Suite_B_128 : public Policy std::vector allowed_ecc_curves() const override { return std::vector({"secp256r1"}); } - + + size_t minimum_signature_strength() const override { return 128; } + bool allow_tls10() const override { return false; } bool allow_tls11() const override { return false; } bool allow_tls12() const override { return true; } @@ -428,7 +430,10 @@ class BOTAN_DLL Text_Policy : public Policy size_t minimum_rsa_bits() const override { return get_len("minimum_rsa_bits", Policy::minimum_rsa_bits()); } - + + size_t minimum_signature_strength() const override + { return get_len("minimum_signature_strength", Policy::minimum_signature_strength()); } + bool hide_unknown_users() const override { return get_bool("hide_unknown_users", Policy::hide_unknown_users()); } -- cgit v1.2.3