diff --git a/src/internal.c b/src/internal.c
index 6b63d0dc0..5c886117a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -82,7 +82,13 @@
 * WOLFSSL_HARDEN_TLS
 * Implement the recommendations specified in RFC9325. This macro needs to
 * be defined to the desired amount of bits of security. The currently
- * implemented values are 112 and 128 bits.
+ * implemented values are 112 and 128 bits. The following macros disable
+ * certain checks.
+ * - WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
+ * - WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS
+ * - WOLFSSL_HARDEN_TLS_NO_SCR_CHECK
+ * - WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK
+ * - WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES
 */
@@ -7137,7 +7143,8 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 int useSecureReneg = ssl->ctx->useSecureReneg;
 /* use secure renegotiation by default (not recommend) */
 #if defined(WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT) || \
- (defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12))
+ (defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12) && \
+ !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK))
 useSecureReneg = 1;
 #endif
 if (useSecureReneg) {
@@ -26994,7 +27001,7 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
 }
 #endif
-#ifdef WOLFSSL_HARDEN_TLS
+#if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK)
 if (ssl->secure_renegotiation == NULL ||
 !ssl->secure_renegotiation->enabled) {
 /* If the server does not acknowledge the extension, the client
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index f693a0b89..e149e6e11 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
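Review bot: The list added to the WOLFSSL_HARDEN_TLS header comment names the five opt-out macros but not what each one turns off, so a reader cannot tell from here which RFC 9325 requirement a given define gives up. I would add a short gloss per entry, for example `WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK - skips the hardened minimum DH/RSA/ECC key size checks` and `WOLFSSL_HARDEN_TLS_NO_SCR_CHECK - client no longer requires the server to acknowledge secure renegotiation`. It is also worth one sentence saying that a build using any of them no longer follows the RFC 9325 recommendation in that respect. The comment block starts above the hunk.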
@@ -304,11 +304,15 @@
 #undef HAVE_AES_CBC
 #endif
- /* When adding new ciphersuites, make sure that they have appropriate
- * guards for WOLFSSL_HARDEN_TLS. */
+/* When adding new ciphersuites, make sure that they have appropriate
+ * guards for WOLFSSL_HARDEN_TLS. */
+#ifndef WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES
+/* Use a separate define (undef'ed later) to simplify macro logic. */
+#define WSSL_HARDEN_TLS WOLFSSL_HARDEN_TLS
+#endif
 #ifndef WOLFSSL_AEAD_ONLY
- #if !defined(NO_RSA) && !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS)
+ #if !defined(NO_RSA) && !defined(NO_RC4) && !defined(WSSL_HARDEN_TLS)
 /* MUST NOT negotiate RC4 cipher suites
 * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
 #if defined(WOLFSSL_STATIC_RSA)
@@ -381,7 +385,7 @@
 #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
 #endif
 #endif
- #if !defined(NO_DH) && !defined(WOLFSSL_HARDEN_TLS)
+ #if !defined(NO_DH) && !defined(WSSL_HARDEN_TLS)
 /* SHOULD NOT negotiate cipher suites based on ephemeral
 * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
 * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
@@ -466,7 +470,7 @@
 #endif
 #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
- !defined(NO_RSA) && !defined(WOLFSSL_HARDEN_TLS)
+ !defined(NO_RSA) && !defined(WSSL_HARDEN_TLS)
 /* SHOULD NOT negotiate cipher suites based on ephemeral
 * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
 * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
@@ -504,7 +508,7 @@
 #endif
 #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \
- !defined(WOLFSSL_HARDEN_TLS)
+ !defined(WSSL_HARDEN_TLS)
 /* SHOULD NOT negotiate cipher suites based on ephemeral
 * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
 * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
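Review bot: `WSSL_HARDEN_TLS` is defined whenever `WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES` is absent, with no test that `WOLFSSL_HARDEN_TLS` itself is set. In a build without hardening, every `!defined(WSSL_HARDEN_TLS)` guard in this file therefore turns false (the RC4 and TLS_DHE_* blocks in this and the later hunks), and the `#ifdef WSSL_HARDEN_TLS` block further down would raise the NULL-cipher `#error` if `HAVE_NULL_CIPHER` is set. Unless an enclosing guard outside the hunk already limits this to hardened builds, the condition should be `#if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES)`. The remaining hunks of this file up to the `#undef WSSL_HARDEN_TLS` only swap the macro name and inherit the same behaviour.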
@@ -634,7 +638,7 @@
 #endif
 #endif
 #endif /* NO_AES */
- #if !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS)
+ #if !defined(NO_RC4) && !defined(WSSL_HARDEN_TLS)
 /* MUST NOT negotiate RC4 cipher suites
 * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
 #if !defined(NO_SHA)
@@ -659,8 +663,8 @@
 #endif
 #endif
 #endif
- #if !defined(NO_DES3) && !(defined(WOLFSSL_HARDEN_TLS) && \
- WOLFSSL_HARDEN_TLS > 112)
+ #if !defined(NO_DES3) && !(defined(WSSL_HARDEN_TLS) && \
+ WSSL_HARDEN_TLS > 112)
 /* 3DES offers only 112 bits of security.
 * Using guidance from section 5.6.1
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
@@ -713,7 +717,7 @@
 #if !defined(NO_RSA) && defined(HAVE_ECC)
 #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
 #endif
- #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WOLFSSL_HARDEN_TLS)
+ #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WSSL_HARDEN_TLS)
 /* SHOULD NOT negotiate cipher suites based on ephemeral
 * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
 * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
@@ -726,7 +730,7 @@
 defined(HAVE_ED448)
 #define BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
 #endif
- #if !defined(NO_DH) && !defined(WOLFSSL_HARDEN_TLS)
+ #if !defined(NO_DH) && !defined(WSSL_HARDEN_TLS)
 /* SHOULD NOT negotiate cipher suites based on ephemeral
 * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
 * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
@@ -738,7 +742,7 @@
 #endif /* !WOLFSSL_MAX_STRENGTH */
 #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
- !defined(NO_RSA) && defined(HAVE_AESGCM) && !defined(WOLFSSL_HARDEN_TLS)
+ !defined(NO_RSA) && defined(HAVE_AESGCM) && !defined(WSSL_HARDEN_TLS)
 /* SHOULD NOT negotiate cipher suites based on ephemeral
 * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
 * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
@@ -753,7 +757,7 @@
 #endif
 #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \
- !defined(WOLFSSL_HARDEN_TLS)
+ !defined(WSSL_HARDEN_TLS)
 /* SHOULD NOT negotiate cipher suites based on ephemeral
 * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
 * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
@@ -826,7 +830,7 @@
 #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 #endif
 #endif
- #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WOLFSSL_HARDEN_TLS)
+ #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WSSL_HARDEN_TLS)
 /* SHOULD NOT negotiate cipher suites based on ephemeral
 * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
 * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
@@ -949,7 +953,7 @@
 #define BUILD_AES
 #endif
-#if !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS)
+#if !defined(NO_RC4) && !defined(WSSL_HARDEN_TLS)
 /* MUST NOT negotiate RC4 cipher suites
 * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
 #undef BUILD_ARC4
@@ -976,7 +980,7 @@
 #define HAVE_PFS
 #endif
-#ifdef WOLFSSL_HARDEN_TLS
+#ifdef WSSL_HARDEN_TLS
 #ifdef HAVE_NULL_CIPHER
 #error "NULL ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1"
 #endif
@@ -991,6 +995,8 @@
 #endif
 #endif
+#undef WSSL_HARDEN_TLS
+
 /* actual cipher values, 2nd byte */
 enum {
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16,
@@ -1177,7 +1183,7 @@ enum {
 /* set minimum DH key size allowed */
 #ifndef WOLFSSL_MIN_DHKEY_BITS
- #ifdef WOLFSSL_HARDEN_TLS
+ #if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
 /* Using guidance from section 5.6.1
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
 #if WOLFSSL_HARDEN_TLS >= 128
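Review bot: Adding `!defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)` to the default-selection `#if` for `WOLFSSL_MIN_DHKEY_BITS` does more than skip a check, and the same applies in the `WOLFSSL_MIN_RSA_BITS` and `ECC_MIN_KEY_SZ` hunks. A hardened build that sets the opt-out and gives no explicit minimum falls back to the non-hardened default, which the context of the following hunks suggests is 1024 bits for DH and RSA. The opt-out already added to the `#error` guards is enough to let an integrator choose a smaller value deliberately, so I would leave this line as `#ifdef WOLFSSL_HARDEN_TLS` and keep the hardened default. The `#ifndef WOLFSSL_MIN_DHKEY_BITS` block continues past the end of the hunk.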
@@ -1191,7 +1197,8 @@ enum {
 #define WOLFSSL_MIN_DHKEY_BITS 1024
 #endif
 #endif
-#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 2048
+#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 2048 && \
+ !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
 /* Implementations MUST NOT negotiate cipher suites offering less than
 * 112 bits of security.
 * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
@@ -1825,7 +1832,7 @@ enum Misc {
 /* set minimum RSA key size allowed */
 #ifndef WOLFSSL_MIN_RSA_BITS
- #ifdef WOLFSSL_HARDEN_TLS
+ #if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
 /* Using guidance from section 5.6.1
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
 #if WOLFSSL_HARDEN_TLS >= 128
@@ -1839,7 +1846,8 @@ enum Misc {
 #define WOLFSSL_MIN_RSA_BITS 1024
 #endif
 #endif /* WOLFSSL_MIN_RSA_BITS */
-#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 2048
+#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 2048 && \
+ !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
 /* Implementations MUST NOT negotiate cipher suites offering less than
 * 112 bits of security.
 * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 9156bad71..cb31afecf 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2023,7 +2023,8 @@ extern void uITRON4_free(void *p) ;
 #ifdef WOLFSSL_MIN_ECC_BITS
 #define ECC_MIN_KEY_SZ WOLFSSL_MIN_ECC_BITS
 #else
- #ifdef WOLFSSL_HARDEN_TLS
+ #if defined(WOLFSSL_HARDEN_TLS) && \
+ !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
 /* Using guidance from section 5.6.1
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
 #if WOLFSSL_HARDEN_TLS >= 128
@@ -2040,7 +2041,8 @@ extern void uITRON4_free(void *p) ;
 #endif
 #endif
-#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 224
+#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 224 && \
+ !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
 /* Implementations MUST NOT negotiate cipher suites offering less than
 * 112 bits of security.
 * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
@@ -2989,14 +2991,14 @@ extern void uITRON4_free(void *p) ;
 #endif
 #ifdef WOLFSSL_HARDEN_TLS
- #ifdef HAVE_TRUNCATED_HMAC
+ #if defined(HAVE_TRUNCATED_HMAC) && !defined(WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC)
 #error "Truncated HMAC Extension not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.6"
 #endif
- #ifndef NO_OLD_TLS
+ #if !defined(NO_OLD_TLS) && !defined(WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS)
 #error "TLS < 1.2 protocol versions not allowed https://www.rfc-editor.org/rfc/rfc9325#section-3.1.1"
 #endif
 #if !defined(WOLFSSL_NO_TLS12) && !defined(HAVE_SECURE_RENEGOTIATION) && \
- !defined(HAVE_SERVER_RENEGOTIATION_INFO)
+ !defined(HAVE_SERVER_RENEGOTIATION_INFO) && !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK)
 #error "TLS 1.2 requires at least HAVE_SERVER_RENEGOTIATION_INFO to send the secure renegotiation extension https://www.rfc-editor.org/rfc/rfc9325#section-3.5"
 #endif
 #if !defined(WOLFSSL_EXTRA_ALERTS) || !defined(WOLFSSL_CHECK_ALERT_ON_ERR)