Coverage Report

Created: 2021-05-04 09:02

/src/botan/src/lib/tls/tls_policy.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* Policies for TLS
3
* (C) 2004-2010,2012,2015,2016 Jack Lloyd
4
*     2016 Christian Mainka
5
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/tls_policy.h>
11
#include <botan/tls_ciphersuite.h>
12
#include <botan/tls_algos.h>
13
#include <botan/tls_exceptn.h>
14
#include <botan/internal/stl_util.h>
15
#include <botan/pk_keys.h>
16
#include <sstream>
17
18
namespace Botan {
19
20
namespace TLS {
21
22
std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const
23
2.17k
   {
24
2.17k
   std::vector<Signature_Scheme> schemes;
25
26
2.17k
   for(Signature_Scheme scheme : all_signature_schemes())
27
19.5k
      {
28
19.5k
      if(signature_scheme_is_known(scheme) == false)
29
0
         continue;
30
19.5k
      const bool sig_allowed = allowed_signature_method(signature_algorithm_of_scheme(scheme));
31
19.5k
      const bool hash_allowed = allowed_signature_hash(hash_function_of_scheme(scheme));
32
33
19.5k
      if(sig_allowed && hash_allowed)
34
19.5k
         {
35
19.5k
         schemes.push_back(scheme);
36
19.5k
         }
37
19.5k
      }
38
39
2.17k
   return schemes;
40
2.17k
   }
41
42
std::vector<Signature_Scheme> Policy::acceptable_signature_schemes() const
43
2.05k
   {
44
2.05k
   return this->allowed_signature_schemes();
45
2.05k
   }
46
47
std::vector<std::string> Policy::allowed_ciphers() const
48
0
   {
49
0
   return {
50
      //"AES-256/OCB(12)",
51
0
      "ChaCha20Poly1305",
52
0
      "AES-256/GCM",
53
0
      "AES-128/GCM",
54
      //"AES-256/CCM",
55
      //"AES-128/CCM",
56
      //"AES-256/CCM(8)",
57
      //"AES-128/CCM(8)",
58
      //"Camellia-256/GCM",
59
      //"Camellia-128/GCM",
60
      //"ARIA-256/GCM",
61
      //"ARIA-128/GCM",
62
      //"AES-256",
63
      //"AES-128",
64
      //"3DES",
65
0
      };
66
0
   }
67
68
std::vector<std::string> Policy::allowed_signature_hashes() const
69
19.8k
   {
70
19.8k
   return {
71
19.8k
      "SHA-512",
72
19.8k
      "SHA-384",
73
19.8k
      "SHA-256",
74
19.8k
      };
75
19.8k
   }
76
77
std::vector<std::string> Policy::allowed_macs() const
78
0
   {
79
   /*
80
   SHA-256 is preferred because the Lucky13 countermeasure works
81
   somewhat better for SHA-256 vs SHA-384:
82
   https://github.com/randombit/botan/pull/675
83
   */
84
0
   return {
85
0
      "AEAD",
86
0
      "SHA-256",
87
0
      "SHA-384",
88
0
      "SHA-1",
89
0
      };
90
0
   }
91
92
std::vector<std::string> Policy::allowed_key_exchange_methods() const
93
0
   {
94
0
   return {
95
      //"ECDHE_PSK",
96
      //"PSK",
97
0
      "CECPQ1",
98
0
      "ECDH",
99
0
      "DH",
100
      //"RSA",
101
0
      };
102
0
   }
103
104
std::vector<std::string> Policy::allowed_signature_methods() const
105
19.5k
   {
106
19.5k
   return {
107
19.5k
      "ECDSA",
108
19.5k
      "RSA",
109
      //"DSA",
110
      //"IMPLICIT",
111
19.5k
      };
112
19.5k
   }
113
114
bool Policy::allowed_signature_method(const std::string& sig_method) const
115
19.5k
   {
116
19.5k
   return value_exists(allowed_signature_methods(), sig_method);
117
19.5k
   }
118
119
bool Policy::allowed_signature_hash(const std::string& sig_hash) const
120
19.8k
   {
121
19.8k
   return value_exists(allowed_signature_hashes(), sig_hash);
122
19.8k
   }
123
124
bool Policy::use_ecc_point_compression() const
125
12.7k
   {
126
12.7k
   return false;
127
12.7k
   }
128
129
Group_Params Policy::choose_key_exchange_group(const std::vector<Group_Params>& peer_groups) const
130
65.3k
   {
131
65.3k
   if(peer_groups.empty())
132
629
      return Group_Params::NONE;
133
134
64.7k
   const std::vector<Group_Params> our_groups = key_exchange_groups();
135
136
64.7k
   for(auto g : our_groups)
137
355k
      {
138
355k
      if(value_exists(peer_groups, g))
139
64.6k
         return g;
140
355k
      }
141
142
91
   return Group_Params::NONE;
143
64.7k
   }
144
145
Group_Params Policy::default_dh_group() const
146
0
   {
147
   /*
148
   * Return the first listed or just default to 2048
149
   */
150
0
   for(auto g : key_exchange_groups())
151
0
      {
152
0
      if(group_param_is_dh(g))
153
0
         return g;
154
0
      }
155
156
0
   return Group_Params::FFDHE_2048;
157
0
   }
158
159
std::vector<Group_Params> Policy::key_exchange_groups() const
160
66.7k
   {
161
   // Default list is ordered by performance
162
66.7k
   return {
163
164
66.7k
#if defined(BOTAN_HAS_CURVE_25519)
165
66.7k
      Group_Params::X25519,
166
66.7k
#endif
167
168
66.7k
      Group_Params::SECP256R1,
169
66.7k
      Group_Params::BRAINPOOL256R1,
170
66.7k
      Group_Params::SECP384R1,
171
66.7k
      Group_Params::BRAINPOOL384R1,
172
66.7k
      Group_Params::SECP521R1,
173
66.7k
      Group_Params::BRAINPOOL512R1,
174
175
66.7k
      Group_Params::FFDHE_2048,
176
66.7k
      Group_Params::FFDHE_3072,
177
66.7k
      Group_Params::FFDHE_4096,
178
66.7k
      Group_Params::FFDHE_6144,
179
66.7k
      Group_Params::FFDHE_8192,
180
66.7k
      };
181
66.7k
   }
182
183
size_t Policy::minimum_dh_group_size() const
184
0
   {
185
0
   return 2048;
186
0
   }
187
188
size_t Policy::minimum_ecdsa_group_size() const
189
0
   {
190
   // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
191
0
   return 256;
192
0
   }
193
194
size_t Policy::minimum_ecdh_group_size() const
195
0
   {
196
   // x25519 is smallest curve currently supported for TLS key exchange
197
0
   return 255;
198
0
   }
199
200
size_t Policy::minimum_signature_strength() const
201
0
   {
202
0
   return 110;
203
0
   }
204
205
bool Policy::require_cert_revocation_info() const
206
0
   {
207
0
   return true;
208
0
   }
209
210
size_t Policy::minimum_rsa_bits() const
211
0
   {
212
   /* Default assumption is all end-entity certificates should
213
      be at least 2048 bits these days.
214
215
      If you are connecting to arbitrary servers on the Internet
216
      (ie as a web browser or SMTP client) you'll probably have to reduce this
217
      to 1024 bits, or perhaps even lower.
218
   */
219
0
   return 2048;
220
0
   }
221
222
void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
223
0
   {
224
0
   const std::string algo_name = public_key.algo_name();
225
226
0
   const size_t keylength = public_key.key_length();
227
0
   size_t expected_keylength = 0;
228
229
0
   if(algo_name == "RSA")
230
0
      {
231
0
      expected_keylength = minimum_rsa_bits();
232
0
      }
233
0
   else if(algo_name == "DH")
234
0
      {
235
0
      expected_keylength = minimum_dh_group_size();
236
0
      }
237
0
   else if(algo_name == "ECDH" || algo_name == "Curve25519")
238
0
      {
239
0
      expected_keylength = minimum_ecdh_group_size();
240
0
      }
241
0
   else if(algo_name == "ECDSA")
242
0
      {
243
0
      expected_keylength = minimum_ecdsa_group_size();
244
0
      }
245
   // else some other algo, so leave expected_keylength as zero and the check is a no-op
246
247
0
   if(keylength < expected_keylength)
248
0
      throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
249
0
                          "Peer sent " +
250
0
                           std::to_string(keylength) + " bit " + algo_name + " key"
251
0
                           ", policy requires at least " +
252
0
                           std::to_string(expected_keylength));
253
0
   }
254
255
uint32_t Policy::session_ticket_lifetime() const
256
23.0k
   {
257
23.0k
   return 86400; // ~1 day
258
23.0k
   }
259
260
bool Policy::acceptable_protocol_version(Protocol_Version version) const
261
44.0k
   {
262
44.0k
   if(version == Protocol_Version::TLS_V12 && allow_tls12())
263
24.8k
      return true;
264
265
19.1k
   if(version == Protocol_Version::DTLS_V12 && allow_dtls12())
266
19.1k
      return true;
267
268
0
   return false;
269
0
   }
270
271
Protocol_Version Policy::latest_supported_version(bool datagram) const
272
33.4k
   {
273
33.4k
   if(datagram)
274
10.7k
      {
275
10.7k
      if(acceptable_protocol_version(Protocol_Version::DTLS_V12))
276
10.7k
         return Protocol_Version::DTLS_V12;
277
0
      throw Invalid_State("Policy forbids all available DTLS version");
278
0
      }
279
22.6k
   else
280
22.6k
      {
281
22.6k
      if(acceptable_protocol_version(Protocol_Version::TLS_V12))
282
22.6k
         return Protocol_Version::TLS_V12;
283
0
      throw Invalid_State("Policy forbids all available TLS version");
284
0
      }
285
33.4k
   }
286
287
bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const
288
0
   {
289
0
   return value_exists(allowed_ciphers(), ciphersuite.cipher_algo()) &&
290
0
          value_exists(allowed_macs(), ciphersuite.mac_algo());
291
0
   }
292
293
0
bool Policy::allow_client_initiated_renegotiation() const { return false; }
294
0
bool Policy::allow_server_initiated_renegotiation() const { return false; }
295
34.1k
bool Policy::allow_insecure_renegotiation() const { return false; }
296
26.9k
bool Policy::allow_tls12()  const { return true; }
297
20.2k
bool Policy::allow_dtls12() const { return true; }
298
46.7k
bool Policy::include_time_in_hello_random() const { return true; }
299
0
bool Policy::hide_unknown_users() const { return false; }
300
22.6k
bool Policy::server_uses_own_ciphersuite_preferences() const { return true; }
301
2.34k
bool Policy::negotiate_encrypt_then_mac() const { return true; }
302
2.78k
bool Policy::support_cert_status_message() const { return true; }
303
0
bool Policy::allow_resumption_for_renegotiation() const { return true; }
304
0
bool Policy::only_resume_with_exact_version() const { return true; }
305
22.1k
bool Policy::require_client_certificate_authentication() const { return false; }
306
22.1k
bool Policy::request_client_certificate_authentication() const { return require_client_certificate_authentication(); }
307
0
bool Policy::abort_connection_on_undesired_renegotiation() const { return false; }
308
744
bool Policy::allow_dtls_epoch0_restart() const { return false; }
309
310
0
size_t Policy::maximum_certificate_chain_size() const { return 0; }
311
312
// 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
313
659
size_t Policy::dtls_initial_timeout() const { return 1*1000; }
314
659
size_t Policy::dtls_maximum_timeout() const { return 60*1000; }
315
316
size_t Policy::dtls_default_mtu() const
317
659
   {
318
   // default MTU is IPv6 min MTU minus UDP/IP headers
319
659
   return 1280 - 40 - 8;
320
659
   }
321
322
std::vector<uint16_t> Policy::srtp_profiles() const
323
0
   {
324
0
   return std::vector<uint16_t>();
325
0
   }
326
327
namespace {
328
329
class Ciphersuite_Preference_Ordering final
330
   {
331
   public:
332
      Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
333
                                      const std::vector<std::string>& macs,
334
                                      const std::vector<std::string>& kex,
335
                                      const std::vector<std::string>& sigs) :
336
0
         m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
337
338
      bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
339
0
         {
340
0
         if(a.kex_method() != b.kex_method())
341
0
            {
342
0
            for(size_t i = 0; i != m_kex.size(); ++i)
343
0
               {
344
0
               if(a.kex_algo() == m_kex[i])
345
0
                  return true;
346
0
               if(b.kex_algo() == m_kex[i])
347
0
                  return false;
348
0
               }
349
0
            }
350
351
0
         if(a.cipher_algo() != b.cipher_algo())
352
0
            {
353
0
            for(size_t i = 0; i != m_ciphers.size(); ++i)
354
0
               {
355
0
               if(a.cipher_algo() == m_ciphers[i])
356
0
                  return true;
357
0
               if(b.cipher_algo() == m_ciphers[i])
358
0
                  return false;
359
0
               }
360
0
            }
361
362
0
         if(a.cipher_keylen() != b.cipher_keylen())
363
0
            {
364
0
            if(a.cipher_keylen() < b.cipher_keylen())
365
0
               return false;
366
0
            if(a.cipher_keylen() > b.cipher_keylen())
367
0
               return true;
368
0
            }
369
370
0
         if(a.auth_method() != b.auth_method())
371
0
            {
372
0
            for(size_t i = 0; i != m_sigs.size(); ++i)
373
0
               {
374
0
               if(a.sig_algo() == m_sigs[i])
375
0
                  return true;
376
0
               if(b.sig_algo() == m_sigs[i])
377
0
                  return false;
378
0
               }
379
0
            }
380
381
0
         if(a.mac_algo() != b.mac_algo())
382
0
            {
383
0
            for(size_t i = 0; i != m_macs.size(); ++i)
384
0
               {
385
0
               if(a.mac_algo() == m_macs[i])
386
0
                  return true;
387
0
               if(b.mac_algo() == m_macs[i])
388
0
                  return false;
389
0
               }
390
0
            }
391
392
0
         return false; // equal (?!?)
393
0
         }
394
   private:
395
      std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
396
   };
397
398
}
399
400
std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version) const
401
0
   {
402
0
   const std::vector<std::string> ciphers = allowed_ciphers();
403
0
   const std::vector<std::string> macs = allowed_macs();
404
0
   const std::vector<std::string> kex = allowed_key_exchange_methods();
405
0
   const std::vector<std::string> sigs = allowed_signature_methods();
406
407
0
   std::vector<Ciphersuite> ciphersuites;
408
409
0
   for(auto&& suite : Ciphersuite::all_known_ciphersuites())
410
0
      {
411
      // Can we use it?
412
0
      if(!suite.valid())
413
0
         continue;
414
415
      // Can we use it in this version?
416
0
      if(!suite.usable_in_version(version))
417
0
         continue;
418
419
      // Is it acceptable to the policy?
420
0
      if(!this->acceptable_ciphersuite(suite))
421
0
         continue;
422
423
0
      if(!value_exists(kex, suite.kex_algo()))
424
0
         continue; // unsupported key exchange
425
426
0
      if(!value_exists(ciphers, suite.cipher_algo()))
427
0
         continue; // unsupported cipher
428
429
0
      if(!value_exists(macs, suite.mac_algo()))
430
0
         continue; // unsupported MAC algo
431
432
0
      if(!value_exists(sigs, suite.sig_algo()))
433
0
         {
434
         // allow if it's an empty sig algo and we want to use PSK
435
0
         if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite())
436
0
            continue;
437
0
         }
438
439
      /*
440
      CECPQ1 always uses x25519 for ECDH, so treat the applications
441
      removal of x25519 from the ECC curve list as equivalent to
442
      saying they do not trust CECPQ1
443
      */
444
0
      if(suite.kex_method() == Kex_Algo::CECPQ1)
445
0
         {
446
0
         if(value_exists(key_exchange_groups(), Group_Params::X25519) == false)
447
0
            continue;
448
0
         }
449
450
      // OK, consider it
451
0
      ciphersuites.push_back(suite);
452
0
      }
453
454
0
   if(ciphersuites.empty())
455
0
      {
456
0
      throw Invalid_State("Policy does not allow any available cipher suite");
457
0
      }
458
459
0
   Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
460
0
   std::sort(ciphersuites.begin(), ciphersuites.end(), order);
461
462
0
   std::vector<uint16_t> ciphersuite_codes;
463
0
   for(auto i : ciphersuites)
464
0
      ciphersuite_codes.push_back(i.ciphersuite_code());
465
0
   return ciphersuite_codes;
466
0
   }
467
468
namespace {
469
470
void print_vec(std::ostream& o,
471
               const char* key,
472
               const std::vector<std::string>& v)
473
0
   {
474
0
   o << key << " = ";
475
0
   for(size_t i = 0; i != v.size(); ++i)
476
0
      {
477
0
      o << v[i];
478
0
      if(i != v.size() - 1)
479
0
         o << ' ';
480
0
      }
481
0
   o << '\n';
482
0
   }
483
484
void print_vec(std::ostream& o,
485
               const char* key,
486
               const std::vector<Group_Params>& v)
487
0
   {
488
0
   o << key << " = ";
489
0
   for(size_t i = 0; i != v.size(); ++i)
490
0
      {
491
0
      o << group_param_to_string(v[i]);
492
0
      if(i != v.size() - 1)
493
0
         o << ' ';
494
0
      }
495
0
   o << '\n';
496
0
   }
497
498
void print_bool(std::ostream& o,
499
                const char* key, bool b)
500
0
   {
501
0
   o << key << " = " << (b ? "true" : "false") << '\n';
502
0
   }
503
504
}
505
506
void Policy::print(std::ostream& o) const
507
0
   {
508
0
   print_bool(o, "allow_tls12", allow_tls12());
509
0
   print_bool(o, "allow_dtls12", allow_dtls12());
510
0
   print_vec(o, "ciphers", allowed_ciphers());
511
0
   print_vec(o, "macs", allowed_macs());
512
0
   print_vec(o, "signature_hashes", allowed_signature_hashes());
513
0
   print_vec(o, "signature_methods", allowed_signature_methods());
514
0
   print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
515
0
   print_vec(o, "key_exchange_groups", key_exchange_groups());
516
517
0
   print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
518
0
   print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
519
0
   print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
520
0
   print_bool(o, "hide_unknown_users", hide_unknown_users());
521
0
   print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
522
0
   print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
523
0
   print_bool(o, "support_cert_status_message", support_cert_status_message());
524
0
   o << "session_ticket_lifetime = " << session_ticket_lifetime() << '\n';
525
0
   o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
526
0
   o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
527
0
   o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
528
0
   o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
529
0
   }
530
531
std::string Policy::to_string() const
532
0
   {
533
0
   std::ostringstream oss;
534
0
   this->print(oss);
535
0
   return oss.str();
536
0
   }
537
538
std::vector<std::string> Strict_Policy::allowed_ciphers() const
539
0
   {
540
0
   return { "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" };
541
0
   }
542
543
std::vector<std::string> Strict_Policy::allowed_signature_hashes() const
544
0
   {
545
0
   return { "SHA-512", "SHA-384"};
546
0
   }
547
548
std::vector<std::string> Strict_Policy::allowed_macs() const
549
0
   {
550
0
   return { "AEAD" };
551
0
   }
552
553
std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const
554
0
   {
555
0
   return { "CECPQ1", "ECDH" };
556
0
   }
557
558
0
bool Strict_Policy::allow_tls12()  const { return true;  }
559
0
bool Strict_Policy::allow_dtls12() const { return true;  }
560
561
}
562
563
}