From 7791b8ff4dee3b0dfae1bd9b715aaa498b59dca8 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Fri, 24 Mar 2023 16:42:56 +0100
Subject: [PATCH 01/13] Add config option
---
configure.ac | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/configure.ac b/configure.ac
index 884583ae8..4bd23105e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -177,6 +177,17 @@ AS_IF([test "$ax_enable_debug" = "yes"],
# enabled
ENABLED_CERTS="no"
+# Implements requirements from RFC9325
+AC_ARG_ENABLE([harden-tls],
+ [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325 (default: disabled)])],
+ [ ENABLED_HARDEN_TLS=$enableval ],
+ [ ENABLED_HARDEN_TLS=no ]
+ )
+
+if test "x$ENABLED_HARDEN_TLS" != "xno"
+then
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS"
+fi
# Support for forcing 32-bit mode
# To force 32-bit instructions use:
From 94cf845c0540ce0938bdebea268400858de7938a Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Fri, 24 Mar 2023 16:43:34 +0100
Subject: [PATCH 02/13] Truncated hmac check
---
wolfssl/wolfcrypt/settings.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 95ddcd513..6c8346e9a 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2965,6 +2965,12 @@ extern void uITRON4_free(void *p) ;
#error "Dynamic session cache currently does not support persistent session cache."
#endif
+#ifdef WOLFSSL_HARDEN_TLS
+ #ifdef HAVE_TRUNCATED_HMAC
+ #error "Truncated HMAC Extension not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.6"
+ #endif
+#endif
+
#ifdef __cplusplus
} /* extern "C" */
#endif
From e465089798bad6b62fb82ecabdc90985baa80cb8 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Fri, 24 Mar 2023 16:44:01 +0100
Subject: [PATCH 03/13] No old TLS check
---
configure.ac | 2 +-
wolfssl/wolfcrypt/settings.h | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 4bd23105e..4e2152e8e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3492,7 +3492,7 @@ AC_ARG_ENABLE([oldtls],
[ ENABLED_OLD_TLS=yes ]
)
-if test "$ENABLED_CRYPTONLY" = "yes"
+if test "$ENABLED_CRYPTONLY" = "yes" || test "x$ENABLED_HARDEN_TLS" != "xno"
then
ENABLED_OLD_TLS=no
fi
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 6c8346e9a..633ec9295 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2969,6 +2969,9 @@ extern void uITRON4_free(void *p) ;
#ifdef HAVE_TRUNCATED_HMAC
#error "Truncated HMAC Extension not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.6"
#endif
+ #ifndef NO_OLD_TLS
+ #error "TLS < 1.2 protocol versions not allowed https://www.rfc-editor.org/rfc/rfc9325#section-3.1.1"
+ #endif
#endif
#ifdef __cplusplus
From 40cbb32b2363e0732887d901d4502647ef6b66fe Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Fri, 24 Mar 2023 16:44:33 +0100
Subject: [PATCH 04/13] Ciphersuite check https://www.rfc-editor.org/rfc/rfc9325#section-4.1
---
wolfssl/internal.h | 73 ++++++++++++++++++++++++++++++------
wolfssl/wolfcrypt/settings.h | 1 +
2 files changed, 62 insertions(+), 12 deletions(-)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index b9e164fb1..707c3c890 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -305,7 +305,9 @@
#endif
#ifndef WOLFSSL_AEAD_ONLY
- #if !defined(NO_RSA) && !defined(NO_RC4)
+ #if !defined(NO_RSA) && !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS)
+ /* MUST NOT negotiate RC4 cipher suites
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if defined(WOLFSSL_STATIC_RSA)
#if !defined(NO_SHA)
#define BUILD_SSL_RSA_WITH_RC4_128_SHA
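Review bot: The new `|| test "x$ENABLED_HARDEN_TLS" != "xno"` clause in the configure.ac hunk silently forces `ENABLED_OLD_TLS=no` even when the user explicitly passed `--enable-oldtls`, so a conflicting request is downgraded without any message; the companion `#error` added to settings.h cannot catch this for configure users, because configure has already turned the option off before the preprocessor runs. Since hardening is exactly the case where the user should know what was disabled, a configure-time `AC_MSG_ERROR([--enable-oldtls cannot be combined with --enable-harden-tls])` when both were requested, or at least an `AC_MSG_WARN`, would make the override visible. The existing ENABLED_CRYPTONLY override is equally silent, so this follows precedent, but that precedent does not change a user-visible security posture.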
@@ -316,7 +318,12 @@
#endif
#endif
- #if !defined(NO_RSA) && !defined(NO_DES3)
+ #if !defined(NO_RSA) && !defined(NO_DES3) && !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites that use algorithms offering
+ * less than 128 bits of security.
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+ * Using guidance from section 5.6.1
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#if !defined(NO_SHA)
#if defined(WOLFSSL_STATIC_RSA)
#define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
@@ -376,7 +383,10 @@
#define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
#endif
#endif
- #if !defined(NO_DH)
+ #if !defined(NO_DH) && !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites based on ephemeral
+ * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
+ * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if !defined(NO_SHA)
#define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
#define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
@@ -458,7 +468,10 @@
#endif
#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
- !defined(NO_RSA)
+ !defined(NO_RSA) && !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites based on ephemeral
+ * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
+ * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if !defined(NO_SHA)
#if defined(WOLFSSL_AES_128) && defined(HAVE_AES_CBC)
@@ -492,7 +505,11 @@
#endif
#endif
- #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS)
+ #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \
+ !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites based on ephemeral
+ * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
+ * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#ifndef NO_SHA256
#if !defined(NO_AES) && defined(WOLFSSL_AES_128) && \
defined(HAVE_AES_CBC)
@@ -619,7 +636,9 @@
#endif
#endif
#endif /* NO_AES */
- #if !defined(NO_RC4)
+ #if !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS)
+ /* MUST NOT negotiate RC4 cipher suites
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if !defined(NO_SHA)
#if !defined(NO_RSA)
#ifndef WOLFSSL_AEAD_ONLY
@@ -692,7 +711,10 @@
#if !defined(NO_RSA) && defined(HAVE_ECC)
#define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
#endif
- #if !defined(NO_DH) && !defined(NO_RSA)
+ #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites based on ephemeral
+ * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
+ * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#define BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
#endif
#endif /* NO_OLD_POLY1305 */
@@ -702,7 +724,10 @@
defined(HAVE_ED448)
#define BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
#endif
- #ifndef NO_DH
+ #ifndef NO_DH && !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites based on ephemeral
+ * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
+ * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#define BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
#endif
#endif /* !NO_PSK */
@@ -711,7 +736,10 @@
#endif /* !WOLFSSL_MAX_STRENGTH */
#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
- !defined(NO_RSA) && defined(HAVE_AESGCM)
+ !defined(NO_RSA) && defined(HAVE_AESGCM) && !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites based on ephemeral
+ * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
+ * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if !defined(NO_SHA256) && defined(WOLFSSL_AES_128)
#define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
@@ -722,7 +750,11 @@
#endif
#endif
-#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS)
+#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \
+ !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites based on ephemeral
+ * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
+ * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#ifndef NO_SHA256
#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128)
#define BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
@@ -792,7 +824,10 @@
#define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#endif
#endif
- #if !defined(NO_DH) && !defined(NO_RSA)
+ #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites based on ephemeral
+ * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
+ * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#endif
#endif
@@ -912,7 +947,9 @@
#define BUILD_AES
#endif
-#ifndef NO_RC4
+#if !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS)
+ /* MUST NOT negotiate RC4 cipher suites
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#undef BUILD_ARC4
#define BUILD_ARC4
#endif
@@ -937,6 +974,18 @@
#define HAVE_PFS
#endif
+#ifdef WOLFSSL_HARDEN_TLS
+ #ifdef HAVE_NULL_CIPHER
+ #error "NULL ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1"
+ #endif
+ #ifdef WOLFSSL_STATIC_RSA
+ #error "Static RSA ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1"
+ #endif
+ #ifdef WOLFSSL_STATIC_DH
+ #error "Static DH ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1"
+ #endif
+#endif
+
/* actual cipher values, 2nd byte */
enum {
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16,
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 633ec9295..8c271a15c 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
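Review bot: The `#error` block added at the `HAVE_PFS` hunk rejects NULL, static RSA and static DH, but as far as the hunks in this series show, nothing guards the non-ephemeral `TLS_PSK_*` suites, which equally lack forward secrecy; if the static-RSA/static-DH errors are meant to enforce RFC 9325 §4.1's forward-secrecy requirement, the plain PSK `BUILD_*` defines (outside these hunks) need a matching `WOLFSSL_HARDEN_TLS` guard, and if they are deliberately kept, a comment next to these errors should say so. The `WOLFSSL_STATIC_RSA` error also makes the `defined(WOLFSSL_STATIC_RSA)` sub-guards inside the RC4 and 3DES blocks redundant under hardening, which is fine, but worth a one-line remark so the next reader does not look for a second reason those suites vanish. The TLS_DHE comments quote the "SHOULD NOT" text but the code turns it into a hard exclusion with no opt-out at this point in the series; a pointer to the opt-out macro added later (`WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES`) would belong in the same comment.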
@@ -2972,6 +2972,7 @@ extern void uITRON4_free(void *p) ;
#ifndef NO_OLD_TLS
#error "TLS < 1.2 protocol versions not allowed https://www.rfc-editor.org/rfc/rfc9325#section-3.1.1"
#endif
+ /* Ciphersuite check done in internal.h */
#endif
#ifdef __cplusplus
From 3b759580b26a21bbdd017eea1a145a0bc9f2200f Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Fri, 24 Mar 2023 18:23:59 +0100
Subject: [PATCH 05/13] Require 128 bits of security for public keys
---
wolfssl/internal.h | 50 +++++++++++++++++++++++++++++++++---
wolfssl/wolfcrypt/settings.h | 18 ++++++++++++-
2 files changed, 63 insertions(+), 5 deletions(-)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 707c3c890..ede8a7c56 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -661,7 +661,12 @@
#endif
#endif
#endif
- #if !defined(NO_DES3)
+ #if !defined(NO_DES3) && !defined(WOLFSSL_HARDEN_TLS)
+ /* SHOULD NOT negotiate cipher suites that use algorithms offering
+ * less than 128 bits of security.
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+ * Using guidance from section 5.6.1
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#ifndef NO_SHA
#if !defined(NO_RSA)
#define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
@@ -724,7 +729,7 @@
defined(HAVE_ED448)
#define BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
#endif
- #ifndef NO_DH && !defined(WOLFSSL_HARDEN_TLS)
+ #if !defined(NO_DH) && !defined(WOLFSSL_HARDEN_TLS)
/* SHOULD NOT negotiate cipher suites based on ephemeral
* finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
* suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
@@ -984,6 +989,9 @@
#ifdef WOLFSSL_STATIC_DH
#error "Static DH ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1"
#endif
+ #ifdef HAVE_ANON
+ #error "At least the server side has to be authenticated"
+ #endif
#endif
/* actual cipher values, 2nd byte */
@@ -1172,12 +1180,27 @@ enum {
/* set minimum DH key size allowed */
#ifndef WOLFSSL_MIN_DHKEY_BITS
- #ifdef WOLFSSL_MAX_STRENGTH
+ #ifdef WOLFSSL_HARDEN_TLS
+ /* SHOULD NOT negotiate cipher suites that use algorithms offering
+ * less than 128 bits of security.
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+ * Using guidance from section 5.6.1
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
+ #define WOLFSSL_MIN_DHKEY_BITS 3072
+ #elif defined(WOLFSSL_MAX_STRENGTH)
#define WOLFSSL_MIN_DHKEY_BITS 2048
#else
#define WOLFSSL_MIN_DHKEY_BITS 1024
#endif
#endif
+#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 3072
+ /* SHOULD NOT negotiate cipher suites that use algorithms offering
+ * less than 128 bits of security.
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+ * Using guidance from section 5.6.1
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
+ #error "For 128 bits of security DH needs at least 3072 bit keys"
+#endif
#if (WOLFSSL_MIN_DHKEY_BITS % 8)
#error DH minimum bit size must be multiple of 8
#endif
@@ -1205,6 +1228,10 @@ enum {
#endif
#define MAX_DHKEY_SZ (WOLFSSL_MAX_DHKEY_BITS / 8)
+#if WOLFSSL_MAX_DHKEY_BITS < WOLFSSL_MIN_DHKEY_BITS
+#error "WOLFSSL_MAX_DHKEY_BITS has to be greater than WOLFSSL_MIN_DHKEY_BITS"
+#endif
+
#ifndef MAX_PSK_ID_LEN
/* max psk identity/hint supported */
#if defined(WOLFSSL_TLS13)
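Review bot: The new `#if WOLFSSL_MAX_DHKEY_BITS < WOLFSSL_MIN_DHKEY_BITS` accepts equal values, but its message says the maximum "has to be greater than" the minimum, which will send a user who set both to 3072 looking for a bug that does not exist; `#error "WOLFSSL_MAX_DHKEY_BITS must not be smaller than WOLFSSL_MIN_DHKEY_BITS"` matches the condition. This check is a good addition because the hardened default of 3072 can now exceed a `WOLFSSL_MAX_DHKEY_BITS` a user chose earlier for a 2048-bit deployment. The same five-line RFC 9325 / SP 800-57 comment is pasted twice in this hunk and again in the RSA and ECC hunks that follow; patch 06 in this series already has to rewrite every copy when the numbers change, so one explanatory comment at the `WOLFSSL_HARDEN_TLS` definition site with short `/* see WOLFSSL_HARDEN_TLS */` pointers would be easier to keep consistent.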
@@ -1800,12 +1827,27 @@ enum Misc {
/* set minimum RSA key size allowed */
#ifndef WOLFSSL_MIN_RSA_BITS
- #ifdef WOLFSSL_MAX_STRENGTH
+ #ifdef WOLFSSL_HARDEN_TLS
+ /* SHOULD NOT negotiate cipher suites that use algorithms offering
+ * less than 128 bits of security.
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+ * Using guidance from section 5.6.1
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
+ #define WOLFSSL_MIN_RSA_BITS 3072
+ #elif defined(WOLFSSL_MAX_STRENGTH)
#define WOLFSSL_MIN_RSA_BITS 2048
#else
#define WOLFSSL_MIN_RSA_BITS 1024
#endif
#endif /* WOLFSSL_MIN_RSA_BITS */
+#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 3072
+ /* SHOULD NOT negotiate cipher suites that use algorithms offering
+ * less than 128 bits of security.
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+ * Using guidance from section 5.6.1
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
+ #error "For 128 bits of security RSA needs at least 3072 bit keys"
+#endif
#if (WOLFSSL_MIN_RSA_BITS % 8)
/* This is to account for the example case of a min size of 2050 bits but still allows 2049 bit key. So we need the measurement to be in bytes. */
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 8c271a15c..bfec83597 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2017,7 +2017,14 @@ extern void uITRON4_free(void *p) ;
#ifdef WOLFSSL_MIN_ECC_BITS
#define ECC_MIN_KEY_SZ WOLFSSL_MIN_ECC_BITS
#else
- #if FIPS_VERSION_GE(2,0)
+ #ifdef WOLFSSL_HARDEN_TLS
+ /* SHOULD NOT negotiate cipher suites that use algorithms offering
+ * less than 128 bits of security.
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+ * Using guidance from section 5.6.1
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
+ #define ECC_MIN_KEY_SZ 256
+ #elif FIPS_VERSION_GE(2,0)
/* FIPSv2 and ready (for now) includes 192-bit support */
#define ECC_MIN_KEY_SZ 192
#else
@@ -2026,6 +2033,15 @@ extern void uITRON4_free(void *p) ;
#endif
#endif
+#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 256
+ /* SHOULD NOT negotiate cipher suites that use algorithms offering
+ * less than 128 bits of security.
+ * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+ * Using guidance from section 5.6.1
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
+ #error "For 128 bits of security ECC needs at least 256 bit keys"
+#endif
+
/* ECC Configs */
#ifdef HAVE_ECC
/* By default enable Sign, Verify, DHE, Key Import and Key Export unless
From c0b0c14a1544f1ad6bc5861a1370e6e265d348e0 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Mon, 27 Mar 2023 15:42:19 +0200
Subject: [PATCH 06/13] Allow user to choose between 112 and 128 bits of security
---
configure.ac | 12 ++++++--
wolfssl/internal.h | 55 ++++++++++++++++++------------------
wolfssl/wolfcrypt/settings.h | 25 ++++++++++------
3 files changed, 53 insertions(+), 39 deletions(-)
diff --git a/configure.ac b/configure.ac
index 4e2152e8e..03c16b05b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -179,14 +179,22 @@ ENABLED_CERTS="no"
# Implements requirements from RFC9325
AC_ARG_ENABLE([harden-tls],
- [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325 (default: disabled)])],
+ [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325. Possible values are , <112>, or <128> (default: disabled)])],
[ ENABLED_HARDEN_TLS=$enableval ],
[ ENABLED_HARDEN_TLS=no ]
)
if test "x$ENABLED_HARDEN_TLS" != "xno"
then
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS"
+ if test "x$ENABLED_HARDEN_TLS" == "xyes" || test "x$ENABLED_HARDEN_TLS" == "x112"
+ then
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=112"
+ elif test "x$ENABLED_HARDEN_TLS" == "x128"
+ then
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=128"
+ else
+ AC_MSG_ERROR([Invalid value for --enable-harden-tls])
+ fi
fi
# Support for forcing 32-bit mode
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index ede8a7c56..f693a0b89 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -304,6 +304,9 @@
#undef HAVE_AES_CBC
#endif
+ /* When adding new ciphersuites, make sure that they have appropriate
+ * guards for WOLFSSL_HARDEN_TLS. */
+
#ifndef WOLFSSL_AEAD_ONLY
#if !defined(NO_RSA) && !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS)
/* MUST NOT negotiate RC4 cipher suites
@@ -318,12 +321,7 @@
#endif
#endif
- #if !defined(NO_RSA) && !defined(NO_DES3) && !defined(WOLFSSL_HARDEN_TLS)
- /* SHOULD NOT negotiate cipher suites that use algorithms offering
- * less than 128 bits of security.
- * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
- * Using guidance from section 5.6.1
- * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
+ #if !defined(NO_RSA) && !defined(NO_DES3)
#if !defined(NO_SHA)
#if defined(WOLFSSL_STATIC_RSA)
#define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
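Review bot: The three new comparisons in the configure.ac hunk use `test ... == ...`, a bash extension; POSIX `test` only defines `=`, so on systems where the generated configure runs under dash (Debian/Ubuntu `/bin/sh`) or a BSD sh, `test "x$ENABLED_HARDEN_TLS" == "xyes"` reports `unexpected operator`, both branches evaluate false and every value, including the documented `yes`, ends in `AC_MSG_ERROR([Invalid value for --enable-harden-tls])`. Use the portable operator in all three places, e.g. `if test "x$ENABLED_HARDEN_TLS" = "xyes" || test "x$ENABLED_HARDEN_TLS" = "x112"`, exactly as the enclosing `!= "xno"` test and the rest of configure.ac already do. The second hunk of this line drops the hardening guard from the RSA/3DES block at internal.h:321 entirely rather than relaxing it to the 112-bit level; see the note on the ECDHE/3DES hunk below for why the two blocks should carry the same condition.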
@@ -661,10 +659,9 @@
#endif
#endif
#endif
- #if !defined(NO_DES3) && !defined(WOLFSSL_HARDEN_TLS)
- /* SHOULD NOT negotiate cipher suites that use algorithms offering
- * less than 128 bits of security.
- * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+ #if !defined(NO_DES3) && !(defined(WOLFSSL_HARDEN_TLS) && \
+ WOLFSSL_HARDEN_TLS > 112)
+ /* 3DES offers only 112 bits of security.
* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#ifndef NO_SHA
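Review bot: This hunk keeps 3DES at the 112-bit level with `!(defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_HARDEN_TLS > 112)`, but the companion RSA/3DES block at internal.h:321 (hunk `@@ -318,12 +321,7 @@` in the same commit) had its hardening guard removed outright instead of receiving the same `> 112` condition, so the two 3DES blocks now disagree at the 128-bit level. The visible part of that other block sits under `WOLFSSL_STATIC_RSA`, which already `#error`s when hardening is on, so it may be unreachable in practice; the remainder of that block is outside the hunk, and any non-static 3DES suite defined there would escape the 128-bit check. Giving it the same `&& !(defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_HARDEN_TLS > 112)` keeps the policy in one shape, and the comment here should keep the RFC 9325 §4.1 reference the deleted lines carried, since "112 bits" only means something against that section's MUST NOT / SHOULD NOT thresholds.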
@@ -1181,25 +1178,26 @@ enum {
/* set minimum DH key size allowed */
#ifndef WOLFSSL_MIN_DHKEY_BITS
#ifdef WOLFSSL_HARDEN_TLS
- /* SHOULD NOT negotiate cipher suites that use algorithms offering
- * less than 128 bits of security.
- * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
- * Using guidance from section 5.6.1
+ /* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
- #define WOLFSSL_MIN_DHKEY_BITS 3072
+ #if WOLFSSL_HARDEN_TLS >= 128
+ #define WOLFSSL_MIN_DHKEY_BITS 3072
+ #elif WOLFSSL_HARDEN_TLS >= 112
+ #define WOLFSSL_MIN_DHKEY_BITS 2048
+ #endif
#elif defined(WOLFSSL_MAX_STRENGTH)
#define WOLFSSL_MIN_DHKEY_BITS 2048
#else
#define WOLFSSL_MIN_DHKEY_BITS 1024
#endif
#endif
-#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 3072
- /* SHOULD NOT negotiate cipher suites that use algorithms offering
- * less than 128 bits of security.
+#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 2048
+ /* Implementations MUST NOT negotiate cipher suites offering less than
+ * 112 bits of security.
* https://www.rfc-editor.org/rfc/rfc9325#section-4.1
* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
- #error "For 128 bits of security DH needs at least 3072 bit keys"
+ #error "For 112 bits of security DH needs at least 2048 bit keys"
#endif
#if (WOLFSSL_MIN_DHKEY_BITS % 8)
#error DH minimum bit size must be multiple of 8
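Review bot: The sanity check after the defaults was relaxed to `WOLFSSL_MIN_DHKEY_BITS < 2048` for both levels, so a user who builds with `WOLFSSL_HARDEN_TLS=128` and a pre-existing `-DWOLFSSL_MIN_DHKEY_BITS=2048` now passes silently although the 128-bit level's own default is 3072; the check should track the level, e.g. `#if defined(WOLFSSL_HARDEN_TLS) && ((WOLFSSL_HARDEN_TLS >= 128 && WOLFSSL_MIN_DHKEY_BITS < 3072) || WOLFSSL_MIN_DHKEY_BITS < 2048)`, and the same applies to the RSA and ECC checks in the next two hunks. The inner `#if WOLFSSL_HARDEN_TLS >= 128 / #elif >= 112 / #endif` has no `#else`, so if the 112/128 validation in settings.h is ever bypassed, `WOLFSSL_MIN_DHKEY_BITS` stays undefined and the `< 2048` test below quietly compares `0`; an `#else #error` arm, or `#elif WOLFSSL_HARDEN_TLS >= 112` rewritten as plain `#else`, closes that gap locally.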
@@ -1828,25 +1826,26 @@ enum Misc {
/* set minimum RSA key size allowed */
#ifndef WOLFSSL_MIN_RSA_BITS
#ifdef WOLFSSL_HARDEN_TLS
- /* SHOULD NOT negotiate cipher suites that use algorithms offering
- * less than 128 bits of security.
- * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
- * Using guidance from section 5.6.1
+ /* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
- #define WOLFSSL_MIN_RSA_BITS 3072
+ #if WOLFSSL_HARDEN_TLS >= 128
+ #define WOLFSSL_MIN_RSA_BITS 3072
+ #elif WOLFSSL_HARDEN_TLS >= 112
+ #define WOLFSSL_MIN_RSA_BITS 2048
+ #endif
#elif defined(WOLFSSL_MAX_STRENGTH)
#define WOLFSSL_MIN_RSA_BITS 2048
#else
#define WOLFSSL_MIN_RSA_BITS 1024
#endif
#endif /* WOLFSSL_MIN_RSA_BITS */
-#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 3072
- /* SHOULD NOT negotiate cipher suites that use algorithms offering
- * less than 128 bits of security.
+#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 2048
+ /* Implementations MUST NOT negotiate cipher suites offering less than
+ * 112 bits of security.
* https://www.rfc-editor.org/rfc/rfc9325#section-4.1
* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
- #error "For 128 bits of security RSA needs at least 3072 bit keys"
+ #error "For 112 bits of security RSA needs at least 2048 bit keys"
#endif
#if (WOLFSSL_MIN_RSA_BITS % 8)
/* This is to account for the example case of a min size of 2050 bits but
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index bfec83597..cf9e01bbb 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -306,6 +306,12 @@
#endif
+#ifdef WOLFSSL_HARDEN_TLS
+ #if WOLFSSL_HARDEN_TLS != 112 && WOLFSSL_HARDEN_TLS != 128
+ #error "WOLFSSL_HARDEN_TLS must be defined either to 112 or 128 bits of security."
+ #endif
+#endif
+
#if defined(_WIN32) && !defined(_M_X64) && \
defined(HAVE_AESGCM) && defined(WOLFSSL_AESNI)
@@ -2018,12 +2024,13 @@ extern void uITRON4_free(void *p) ;
#define ECC_MIN_KEY_SZ WOLFSSL_MIN_ECC_BITS
#else
#ifdef WOLFSSL_HARDEN_TLS
- /* SHOULD NOT negotiate cipher suites that use algorithms offering
- * less than 128 bits of security.
- * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
- * Using guidance from section 5.6.1
+ /* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
- #define ECC_MIN_KEY_SZ 256
+ #if WOLFSSL_HARDEN_TLS >= 128
+ #define ECC_MIN_KEY_SZ 256
+ #elif WOLFSSL_HARDEN_TLS >= 112
+ #define ECC_MIN_KEY_SZ 224
+ #endif
#elif FIPS_VERSION_GE(2,0)
/* FIPSv2 and ready (for now) includes 192-bit support */
#define ECC_MIN_KEY_SZ 192
@@ -2033,13 +2040,13 @@ extern void uITRON4_free(void *p) ;
#endif
#endif
-#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 256
- /* SHOULD NOT negotiate cipher suites that use algorithms offering
- * less than 128 bits of security.
+#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 224
+ /* Implementations MUST NOT negotiate cipher suites offering less than
+ * 112 bits of security.
* https://www.rfc-editor.org/rfc/rfc9325#section-4.1
* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
- #error "For 128 bits of security ECC needs at least 256 bit keys"
+ #error "For 112 bits of security ECC needs at least 224 bit keys"
#endif
/* ECC Configs */
From 28fd14621a746bafc04ad19db33725258c51b0c0 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Mon, 27 Mar 2023 17:20:16 +0200
Subject: [PATCH 07/13] Add harden config to testing
---
.github/workflows/os-check.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml
index 213cf9d70..218e439f3 100644
--- a/.github/workflows/os-check.yml
+++ b/.github/workflows/os-check.yml
@@ -14,6 +14,7 @@ jobs:
'',
'--enable-all --enable-asn=template',
'--enable-all --enable-asn=original',
+ '--enable-harden-tls',
]
name: make check
runs-on: ${{ matrix.os }}
From f0ad01f552f44efcef73b95cd14115a56fffce22 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Mon, 27 Mar 2023 17:53:59 +0200
Subject: [PATCH 08/13] Send secure renegotiation extension by default
- Add test for terminating the connection
- Add ProcessReplyEx(ssl, 1) to wolfSSL_accept
---
configure.ac | 1 +
src/internal.c | 18 ++++++++-
src/ssl.c | 27 ++++++++++++++
tests/api.c | 72 ++++++++++++++++++++++++++++++++++++
wolfssl/wolfcrypt/settings.h | 7 ++++
5 files changed, 123 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 03c16b05b..91868887d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -195,6 +195,7 @@ then
else
AC_MSG_ERROR([Invalid value for --enable-harden-tls])
fi
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_ALERTS -DWOLFSSL_CHECK_ALERT_ON_ERR"
fi
# Support for forcing 32-bit mode
diff --git a/src/internal.c b/src/internal.c
index 8bca1bbd3..5e30694b4 100644
--- a/src/internal.c
+++ b/src/internal.c
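Review bot: The os-check matrix only gains the bare `--enable-harden-tls`, which the previous commit maps to the 112-bit level, so the 128-bit code paths introduced in this series (3072-bit DH and RSA minimums, 256-bit ECC minimum, removal of the 3DES suites) are never compiled or exercised by `make check`. A second matrix entry, `'--enable-harden-tls=128',`, would cover the other side of every `WOLFSSL_HARDEN_TLS >= 128` / `>= 112` split at no extra maintenance cost. Because hardening also disables oldtls and DHE suites, a run that combines it with `--enable-all` would additionally show whether the new `#error`s fire on the project's own feature set, which a bare configure does not reveal.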
@@ -7127,11 +7127,13 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
}
#endif
-#ifdef HAVE_SECURE_RENEGOTIATION
+#if defined(HAVE_SECURE_RENEGOTIATION) || \
+ defined(HAVE_SERVER_RENEGOTIATION_INFO)
if (ssl->options.side == WOLFSSL_CLIENT_END) {
int useSecureReneg = ssl->ctx->useSecureReneg;
/* use secure renegotiation by default (not recommend) */
- #ifdef WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
+ #if defined(WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT) || \
+ (defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12))
useSecureReneg = 1;
#endif
if (useSecureReneg) {
@@ -26988,6 +26990,18 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
}
#endif
+#ifdef WOLFSSL_HARDEN_TLS
+ if (ssl->secure_renegotiation == NULL ||
+ !ssl->secure_renegotiation->enabled) {
+ /* If the server does not acknowledge the extension, the client
+ * MUST generate a fatal handshake_failure alert prior to
+ * terminating the connection.
+ * https://www.rfc-editor.org/rfc/rfc9325#name-renegotiation-in-tls-12 */
+ WOLFSSL_MSG("ServerHello did not contain SCR extension");
+ return SECURE_RENEGOTIATION_E;
+ }
+#endif
+
ssl->options.serverState = SERVER_HELLO_COMPLETE;
if (IsEncryptionOn(ssl, 0)) {
diff --git a/src/ssl.c b/src/ssl.c
index 57a3b48d2..73c391893 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -13959,6 +13959,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
case ACCEPT_FIRST_REPLY_DONE :
if ( (ssl->error = SendServerHello(ssl)) != 0) {
+ #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
+ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+ #endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@@ -13975,6 +13978,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#ifndef NO_CERTS
if (!ssl->options.resuming)
if ( (ssl->error = SendCertificate(ssl)) != 0) {
+ #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
+ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+ #endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
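Review bot: The new ServerHello check is guarded by `#ifdef WOLFSSL_HARDEN_TLS` alone, while the InitSSL hunk that makes the client request the extension is guarded by `WOLFSSL_HARDEN_TLS && !defined(WOLFSSL_NO_TLS12)`; if this handler is compiled in a build that defines WOLFSSL_NO_TLS12, the client would reject every ServerHello for an extension it never offered, so the two guards should be the same: `#if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12)`. The check returns `SECURE_RENEGOTIATION_E`, but RFC 9325 §3.5 requires a fatal handshake_failure alert on the wire; the tests/api.c hunk in this commit asserts the server actually receives that alert, so the error-to-alert mapping evidently lives elsewhere under `WOLFSSL_EXTRA_ALERTS`, and a one-line comment here, `/* mapped to a fatal handshake_failure alert by the caller (WOLFSSL_EXTRA_ALERTS) */`, would spare the next reader the search and document that the alert is part of the contract rather than a side effect. Note that the `@@` context names HashSkeData, but the lines that set `SERVER_HELLO_COMPLETE` belong to the ServerHello handler, whose start and end are both outside this hunk.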
@@ -13987,6 +13993,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#ifndef NO_CERTS
if (!ssl->options.resuming)
if ( (ssl->error = SendCertificateStatus(ssl)) != 0) {
+ #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
+ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+ #endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@@ -14003,6 +14012,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#endif
if (!ssl->options.resuming)
if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) {
+ #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
+ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+ #endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@@ -14015,6 +14027,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
if (!ssl->options.resuming) {
if (ssl->options.verifyPeer) {
if ( (ssl->error = SendCertificateRequest(ssl)) != 0) {
+ #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
+ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+ #endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@@ -14032,6 +14047,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
case CERT_REQ_SENT :
if (!ssl->options.resuming)
if ( (ssl->error = SendServerHelloDone(ssl)) != 0) {
+ #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
+ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+ #endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@@ -14070,6 +14088,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#ifdef HAVE_SESSION_TICKET
if (ssl->options.createTicket && !ssl->options.noTicketTls12) {
if ( (ssl->error = SendTicket(ssl)) != 0) {
+ #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
+ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+ #endif
WOLFSSL_MSG("Thought we need ticket but failed");
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
@@ -14088,6 +14109,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
}
if ( (ssl->error = SendChangeCipher(ssl)) != 0) {
+ #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
+ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+ #endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@@ -14097,6 +14121,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
case CHANGE_CIPHER_SENT :
if ( (ssl->error = SendFinished(ssl)) != 0) {
+ #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
+ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+ #endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
diff --git a/tests/api.c b/tests/api.c
index f29e35983..40f197a09 100644
--- a/tests/api.c
+++ b/tests/api.c
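Review bot: The identical three-line `#ifdef WOLFSSL_CHECK_ALERT_ON_ERR` / `ProcessReplyEx(ssl, 1);` / `#endif` block is pasted into nine send-failure paths of wolfSSL_accept across these hunks; a single helper, `#define CHECK_FOR_PEER_ALERT(ssl) ProcessReplyEx((ssl), 1)` with an empty `do {} while (0)` definition when the option is off, keeps the accept state machine readable and makes the next send path hard to forget. In every copy the return value of ProcessReplyEx is discarded and `ssl->error` is logged afterwards, so if ProcessReplyEx updates `ssl->error` on its read path (its body is not visible here) the code reported by `WOLFSSL_ERROR` would be the read result rather than the send failure that brought us here; if surfacing the peer's alert is the intent, say so in the comment, otherwise save the send error first. On a blocking socket a send failure caused locally rather than by the peer could also leave this extra read waiting for data that never arrives, which is worth a sentence in the `WOLFSSL_CHECK_ALERT_ON_ERR` documentation. wolfSSL_accept starts and ends outside these hunks, and the `@@` context naming wolfSSL_DTLS_SetCookieSecret is just the nearest preceding declaration.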
@@ -63519,6 +63519,77 @@ static int test_extra_alerts_bad_psk(void)
return TEST_SKIPPED;
}
#endif
+
+#if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12) && \
+ defined(HAVE_IO_TESTS_DEPENDENCIES)
+static int test_harden_no_secure_renegotiation_io_cb(WOLFSSL *ssl, char *buf,
+ int sz, void *ctx)
+{
+ static int sentServerHello = FALSE;
+
+ if (!sentServerHello) {
+ byte renegExt[] = { 0xFF, 0x01, 0x00, 0x01, 0x00 };
+ size_t i;
+
+ if (sz < (int)sizeof(renegExt))
+ return WOLFSSL_CBIO_ERR_GENERAL;
+
+ /* Remove SCR from ServerHello */
+ for (i = 0; i < sz - sizeof(renegExt); i++) {
+ if (XMEMCMP(buf + i, renegExt, sizeof(renegExt)) == 0) {
+ /* Found the extension. Change it to something unrecognized. */
+ buf[i+1] = 0x11;
+ break;
+ }
+ }
+ sentServerHello = TRUE;
+ }
+
+ return EmbedSend(ssl, buf, sz, ctx);
+}
+
+static void test_harden_no_secure_renegotiation_ssl_ready(WOLFSSL* ssl)
+{
+ wolfSSL_SSLSetIOSend(ssl, test_harden_no_secure_renegotiation_io_cb);
+}
+
+static void test_harden_no_secure_renegotiation_on_cleanup(WOLFSSL* ssl)
+{
+ WOLFSSL_ALERT_HISTORY h;
+ AssertIntEQ(wolfSSL_get_alert_history(ssl, &h), WOLFSSL_SUCCESS);
+ AssertIntEQ(h.last_rx.code, handshake_failure);
+ AssertIntEQ(h.last_rx.level, alert_fatal);
+}
+
+static int test_harden_no_secure_renegotiation(void)
+{
+ callback_functions client_cbs, server_cbs;
+
+ XMEMSET(&client_cbs, 0, sizeof(client_cbs));
+ XMEMSET(&server_cbs, 0, sizeof(server_cbs));
+
+ client_cbs.method = wolfTLSv1_2_client_method;
+ server_cbs.method = wolfTLSv1_2_server_method;
+
+ server_cbs.ssl_ready = test_harden_no_secure_renegotiation_ssl_ready;
+ server_cbs.on_cleanup = test_harden_no_secure_renegotiation_on_cleanup;
+ test_wolfSSL_client_server_nofail(&client_cbs, &server_cbs);
+
+ AssertIntEQ(client_cbs.return_code, TEST_FAIL);
+ AssertIntEQ(client_cbs.last_err, SECURE_RENEGOTIATION_E);
+ AssertIntEQ(server_cbs.return_code, TEST_FAIL);
+ AssertIntEQ(server_cbs.last_err, SOCKET_ERROR_E);
+
+ return
TEST_RES_CHECK(1);
+}
+#else
+static int test_harden_no_secure_renegotiation(void)
+{
+ return TEST_SKIPPED;
+}
+#endif
+
+
/*----------------------------------------------------------------------------*
| Main
*----------------------------------------------------------------------------*/
@@ -64539,6 +64610,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_extra_alerts_wrong_cs),
TEST_DECL(test_extra_alerts_skip_hs),
TEST_DECL(test_extra_alerts_bad_psk),
+ TEST_DECL(test_harden_no_secure_renegotiation),
/* If at some point a stub get implemented this test should fail indicating
* a need to implement a new test case */
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index cf9e01bbb..9156bad71 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2995,6 +2995,13 @@ extern void uITRON4_free(void *p) ;
#ifndef NO_OLD_TLS
#error "TLS < 1.2 protocol versions not allowed https://www.rfc-editor.org/rfc/rfc9325#section-3.1.1"
#endif
+ #if !defined(WOLFSSL_NO_TLS12) && !defined(HAVE_SECURE_RENEGOTIATION) && \
+ !defined(HAVE_SERVER_RENEGOTIATION_INFO)
+ #error "TLS 1.2 requires at least HAVE_SERVER_RENEGOTIATION_INFO to send the secure renegotiation extension https://www.rfc-editor.org/rfc/rfc9325#section-3.5"
+ #endif
+ #if !defined(WOLFSSL_EXTRA_ALERTS) || !defined(WOLFSSL_CHECK_ALERT_ON_ERR)
+ #error "RFC9325 requires some additional alerts to be sent"
+ #endif
/* Ciphersuite check done in internal.h */
#endif
From 7116f1e005eab01b8d1e47244a2bb859f0aa14ad Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Tue, 28 Mar 2023 14:14:40 +0200
Subject: [PATCH 09/13] Add comment.
---
configure.ac | 2 +-
src/internal.c | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 91868887d..f086fc2db 100644
--- a/configure.ac
+++ b/configure.ac
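Review bot: In test_harden_no_secure_renegotiation_io_cb the search loop `for (i = 0; i < sz - sizeof(renegExt); i++)` stops one window short: the last offset compared is `sz - 6`, so a renegotiation_info extension occupying the final five bytes of the buffer is never matched, and when nothing matches the callback forwards the intact ServerHello and the test fails later on the return-code assertions with no hint that the fixture, not the client, is at fault. `for (i = 0; i + sizeof(renegExt) <= (size_t)sz; i++)` covers the last window, and a `found` flag asserted after the loop (or returning `WOLFSSL_CBIO_ERR_GENERAL` when the pattern is absent) makes the fixture's failure mode explicit. The `static int sentServerHello` is never reset, so the callback only patches the first send of the first run and the test cannot be executed twice in one process, which is fine for the current single-pass runner but deserves a comment. The `#error` for `WOLFSSL_EXTRA_ALERTS` / `WOLFSSL_CHECK_ALERT_ON_ERR` in the settings.h hunk would read better with the RFC 9325 section it enforces, as the neighbouring errors have; "some additional alerts" does not tell a user_settings.h author which behaviour they are turning on.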
@@ -179,7 +179,7 @@ ENABLED_CERTS="no" # Implements requirements from RFC9325 AC_ARG_ENABLE([harden-tls], - [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325. Possible values are , <112>, or <128> (default: disabled)])], + [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325. Possible values are , <112>, or <128>. is equivalent to <112>. (default: disabled)])], [ ENABLED_HARDEN_TLS=$enableval ], [ ENABLED_HARDEN_TLS=no ] ) diff --git a/src/internal.c b/src/internal.c index 5e30694b4..6b63d0dc0 100644 --- a/src/internal.c +++ b/src/internal.c @@ -79,6 +79,10 @@ * by default. * https://www.rfc-editor.org/rfc/rfc8446#section-5.5 * https://www.rfc-editor.org/rfc/rfc9147.html#name-aead-limits + * WOLFSSL_HARDEN_TLS + * Implement the recommendations specified in RFC9325. This macro needs to + * be defined to the desired amount of bits of security. The currently + * implemented values are 112 and 128 bits. */ From 4a75d7868246d7866acc08068f6339d8a4861f5c Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 29 Mar 2023 14:22:31 +0200 Subject: [PATCH 10/13] Add flags to disable certain checks --- src/internal.c | 13 +++++++--- wolfssl/internal.h | 48 +++++++++++++++++++++--------------- wolfssl/wolfcrypt/settings.h | 12 +++++---- 3 files changed, 45 insertions(+), 28 deletions(-) diff --git a/src/internal.c b/src/internal.c index 6b63d0dc0..5c886117a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -82,7 +82,13 @@ * WOLFSSL_HARDEN_TLS * Implement the recommendations specified in RFC9325. This macro needs to * be defined to the desired amount of bits of security. The currently - * implemented values are 112 and 128 bits. + * implemented values are 112 and 128 bits. The following macros disable + * certain checks. + * - WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC + * - WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS + * - WOLFSSL_HARDEN_TLS_NO_SCR_CHECK + * - WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK + * - WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES */ 
@@ -7137,7 +7143,8 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) int useSecureReneg = ssl->ctx->useSecureReneg; /* use secure renegotiation by default (not recommend) */ #if defined(WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT) || \ - (defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12)) + (defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12) && \ + !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK)) useSecureReneg = 1; #endif if (useSecureReneg) { @@ -26994,7 +27001,7 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType, } #endif -#ifdef WOLFSSL_HARDEN_TLS +#if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK) if (ssl->secure_renegotiation == NULL || !ssl->secure_renegotiation->enabled) { /* If the server does not acknowledge the extension, the client diff --git a/wolfssl/internal.h b/wolfssl/internal.h index f693a0b89..e149e6e11 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -304,11 +304,15 @@ #undef HAVE_AES_CBC #endif - /* When adding new ciphersuites, make sure that they have appropriate - * guards for WOLFSSL_HARDEN_TLS. */ +/* When adding new ciphersuites, make sure that they have appropriate + * guards for WOLFSSL_HARDEN_TLS. */ +#ifndef WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES +/* Use a separate define (undef'ed later) to simplify macro logic. */ +#define WSSL_HARDEN_TLS WOLFSSL_HARDEN_TLS +#endif #ifndef WOLFSSL_AEAD_ONLY - #if !defined(NO_RSA) && !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS) + #if !defined(NO_RSA) && !defined(NO_RC4) && !defined(WSSL_HARDEN_TLS) /* MUST NOT negotiate RC4 cipher suites * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ #if defined(WOLFSSL_STATIC_RSA) 
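Review bot: The context comment `/* use secure renegotiation by default (not recommend) */` now sits directly above a condition that turns the default on whenever WOLFSSL_HARDEN_TLS is set without WOLFSSL_HARDEN_TLS_NO_SCR_CHECK, which reads as if the hardened build were doing something discouraged. Rewording it to say that the default is off unless WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT is set or a hardened TLS 1.2 build requires the extension (RFC 9325 section 3.5, cited elsewhere in this series) would remove the contradiction. The body of InitSSL continues outside the hunk.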
@@ -381,7 +385,7 @@ #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 #endif #endif - #if !defined(NO_DH) && !defined(WOLFSSL_HARDEN_TLS) + #if !defined(NO_DH) && !defined(WSSL_HARDEN_TLS) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -466,7 +470,7 @@ #endif #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) && !defined(WOLFSSL_HARDEN_TLS) + !defined(NO_RSA) && !defined(WSSL_HARDEN_TLS) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -504,7 +508,7 @@ #endif #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \ - !defined(WOLFSSL_HARDEN_TLS) + !defined(WSSL_HARDEN_TLS) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -634,7 +638,7 @@ #endif #endif #endif /* NO_AES */ - #if !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS) + #if !defined(NO_RC4) && !defined(WSSL_HARDEN_TLS) /* MUST NOT negotiate RC4 cipher suites * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ #if !defined(NO_SHA) @@ -659,8 +663,8 @@ #endif #endif #endif - #if !defined(NO_DES3) && !(defined(WOLFSSL_HARDEN_TLS) && \ - WOLFSSL_HARDEN_TLS > 112) + #if !defined(NO_DES3) && !(defined(WSSL_HARDEN_TLS) && \ + WSSL_HARDEN_TLS > 112) /* 3DES offers only 112 bits of security. * Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ 
@@ -713,7 +717,7 @@ #if !defined(NO_RSA) && defined(HAVE_ECC) #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 #endif - #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WOLFSSL_HARDEN_TLS) + #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WSSL_HARDEN_TLS) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -726,7 +730,7 @@ defined(HAVE_ED448) #define BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 #endif - #if !defined(NO_DH) && !defined(WOLFSSL_HARDEN_TLS) + #if !defined(NO_DH) && !defined(WSSL_HARDEN_TLS) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -738,7 +742,7 @@ #endif /* !WOLFSSL_MAX_STRENGTH */ #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) && defined(HAVE_AESGCM) && !defined(WOLFSSL_HARDEN_TLS) + !defined(NO_RSA) && defined(HAVE_AESGCM) && !defined(WSSL_HARDEN_TLS) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -753,7 +757,7 @@ #endif #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \ - !defined(WOLFSSL_HARDEN_TLS) + !defined(WSSL_HARDEN_TLS) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ 
@@ -826,7 +830,7 @@ #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 #endif #endif - #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WOLFSSL_HARDEN_TLS) + #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WSSL_HARDEN_TLS) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -949,7 +953,7 @@ #define BUILD_AES #endif -#if !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS) +#if !defined(NO_RC4) && !defined(WSSL_HARDEN_TLS) /* MUST NOT negotiate RC4 cipher suites * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ #undef BUILD_ARC4 @@ -976,7 +980,7 @@ #define HAVE_PFS #endif -#ifdef WOLFSSL_HARDEN_TLS +#ifdef WSSL_HARDEN_TLS #ifdef HAVE_NULL_CIPHER #error "NULL ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1" #endif @@ -991,6 +995,8 @@ #endif #endif +#undef WSSL_HARDEN_TLS + /* actual cipher values, 2nd byte */ enum { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16, @@ -1177,7 +1183,7 @@ enum { /* set minimum DH key size allowed */ #ifndef WOLFSSL_MIN_DHKEY_BITS - #ifdef WOLFSSL_HARDEN_TLS + #if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK) /* Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ #if WOLFSSL_HARDEN_TLS >= 128 @@ -1191,7 +1197,8 @@ enum { #define WOLFSSL_MIN_DHKEY_BITS 1024 #endif #endif -#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 2048 +#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 2048 && \ + !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK) /* Implementations MUST NOT negotiate cipher suites offering less than * 112 bits of security. * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 
@@ -1825,7 +1832,7 @@ enum Misc { /* set minimum RSA key size allowed */ #ifndef WOLFSSL_MIN_RSA_BITS - #ifdef WOLFSSL_HARDEN_TLS + #if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK) /* Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ #if WOLFSSL_HARDEN_TLS >= 128 @@ -1839,7 +1846,8 @@ enum Misc { #define WOLFSSL_MIN_RSA_BITS 1024 #endif #endif /* WOLFSSL_MIN_RSA_BITS */ -#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 2048 +#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 2048 && \ + !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK) /* Implementations MUST NOT negotiate cipher suites offering less than * 112 bits of security. * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 9156bad71..cb31afecf 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2023,7 +2023,8 @@ extern void uITRON4_free(void *p) ; #ifdef WOLFSSL_MIN_ECC_BITS #define ECC_MIN_KEY_SZ WOLFSSL_MIN_ECC_BITS #else - #ifdef WOLFSSL_HARDEN_TLS + #if defined(WOLFSSL_HARDEN_TLS) && \ + !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK) /* Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ #if WOLFSSL_HARDEN_TLS >= 128 @@ -2040,7 +2041,8 @@ extern void uITRON4_free(void *p) ; #endif #endif -#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 224 +#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 224 && \ + !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK) /* Implementations MUST NOT negotiate cipher suites offering less than * 112 bits of security. * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 
@@ -2989,14 +2991,14 @@ extern void uITRON4_free(void *p) ; #endif #ifdef WOLFSSL_HARDEN_TLS - #ifdef HAVE_TRUNCATED_HMAC + #if defined(HAVE_TRUNCATED_HMAC) && !defined(WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC) #error "Truncated HMAC Extension not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.6" #endif - #ifndef NO_OLD_TLS + #if !defined(NO_OLD_TLS) && !defined(WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS) #error "TLS < 1.2 protocol versions not allowed https://www.rfc-editor.org/rfc/rfc9325#section-3.1.1" #endif #if !defined(WOLFSSL_NO_TLS12) && !defined(HAVE_SECURE_RENEGOTIATION) && \ - !defined(HAVE_SERVER_RENEGOTIATION_INFO) + !defined(HAVE_SERVER_RENEGOTIATION_INFO) && !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK) #error "TLS 1.2 requires at least HAVE_SERVER_RENEGOTIATION_INFO to send the secure renegotiation extension https://www.rfc-editor.org/rfc/rfc9325#section-3.5" #endif #if !defined(WOLFSSL_EXTRA_ALERTS) || !defined(WOLFSSL_CHECK_ALERT_ON_ERR) From 4338ed9b7b64ed066ca257168af0787d0c9f4918 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 30 Mar 2023 14:56:31 +0200 Subject: [PATCH 11/13] Add missing define --- wolfssl/internal.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index e149e6e11..da761f2a9 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -306,7 +306,8 @@ /* When adding new ciphersuites, make sure that they have appropriate * guards for WOLFSSL_HARDEN_TLS. */ -#ifndef WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES +#if defined(WOLFSSL_HARDEN_TLS) && \ + !defined(WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES) /* Use a separate define (undef'ed later) to simplify macro logic. */ #define WSSL_HARDEN_TLS WOLFSSL_HARDEN_TLS #endif From 9120712438abf0010195aab389a9906bef37ce8b Mon Sep 17 00:00:00 2001 
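Review bot: Nothing in this block validates the value of WOLFSSL_HARDEN_TLS itself, yet internal.h and the ECC_MIN_KEY_SZ block above evaluate `WOLFSSL_HARDEN_TLS >= 128` and `WSSL_HARDEN_TLS > 112`; a build that defines the macro without a value (for example from a user_settings.h rather than configure.ac) fails with an opaque "#if with no expression" error rather than a message naming the option. A single check at the top of the WOLFSSL_HARDEN_TLS block, `#if (WOLFSSL_HARDEN_TLS + 0) != 112 && (WOLFSSL_HARDEN_TLS + 0) != 128` followed by `#error "WOLFSSL_HARDEN_TLS must be defined to 112 or 128"`, would give a clear diagnostic and matches the values documented in internal.c. As a point of style, the widened `#if defined(HAVE_TRUNCATED_HMAC) && !defined(WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC)` and `!defined(HAVE_SERVER_RENEGOTIATION_INFO) && !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK)` lines run past the line length the rest of this block keeps with backslash continuations.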
From: Juliusz Sosinowicz Date: Thu, 30 Mar 2023 15:35:52 +0200 Subject: [PATCH 12/13] Address code review --- src/internal.c | 2 +- wolfssl/internal.h | 17 +++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/src/internal.c b/src/internal.c index 5c886117a..0f9aaf969 100644 --- a/src/internal.c +++ b/src/internal.c @@ -81,7 +81,7 @@ * https://www.rfc-editor.org/rfc/rfc9147.html#name-aead-limits * WOLFSSL_HARDEN_TLS * Implement the recommendations specified in RFC9325. This macro needs to - * be defined to the desired amount of bits of security. The currently + * be defined to the desired number of bits of security. The currently * implemented values are 112 and 128 bits. The following macros disable * certain checks. * - WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC diff --git a/wolfssl/internal.h b/wolfssl/internal.h index da761f2a9..1da5e6b50 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -310,6 +310,7 @@ !defined(WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES) /* Use a separate define (undef'ed later) to simplify macro logic. */ #define WSSL_HARDEN_TLS WOLFSSL_HARDEN_TLS +#define NO_TLS_DH #endif #ifndef WOLFSSL_AEAD_ONLY @@ -386,7 +387,7 @@ #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 #endif #endif - #if !defined(NO_DH) && !defined(WSSL_HARDEN_TLS) + #if !defined(NO_DH) && !defined(NO_TLS_DH) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -471,7 +472,7 @@ #endif #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) && !defined(WSSL_HARDEN_TLS) + !defined(NO_RSA) && !defined(NO_TLS_DH) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ 
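Review bot: `#define NO_TLS_DH` is emitted without a guard, so a configuration that already defines NO_TLS_DH to a value would hit a macro redefinition diagnostic, and unlike WSSL_HARDEN_TLS it is not undefined after the ciphersuite block, which presumably is intended if NO_TLS_DH is a macro the rest of the tree already honors; wrapping it as `#ifndef NO_TLS_DH` / `#define NO_TLS_DH` / `#endif` avoids the collision either way. The comment list in src/internal.c introduced by patch 10 should also state that a hardened build implies NO_TLS_DH unless WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES is set, since this is the mechanism that now drops every TLS_DHE_* suite.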
@@ -509,7 +510,7 @@ #endif #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \ - !defined(WSSL_HARDEN_TLS) + !defined(NO_TLS_DH) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -718,7 +719,7 @@ #if !defined(NO_RSA) && defined(HAVE_ECC) #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 #endif - #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WSSL_HARDEN_TLS) + #if !defined(NO_DH) && !defined(NO_RSA) && !defined(NO_TLS_DH) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -731,7 +732,7 @@ defined(HAVE_ED448) #define BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 #endif - #if !defined(NO_DH) && !defined(WSSL_HARDEN_TLS) + #if !defined(NO_DH) && !defined(NO_TLS_DH) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -743,7 +744,7 @@ #endif /* !WOLFSSL_MAX_STRENGTH */ #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) && defined(HAVE_AESGCM) && !defined(WSSL_HARDEN_TLS) + !defined(NO_RSA) && defined(HAVE_AESGCM) && !defined(NO_TLS_DH) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -758,7 +759,7 @@ #endif #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \ - !defined(WSSL_HARDEN_TLS) + !defined(NO_TLS_DH) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ 
@@ -831,7 +832,7 @@ #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 #endif #endif - #if !defined(NO_DH) && !defined(NO_RSA) && !defined(WSSL_HARDEN_TLS) + #if !defined(NO_DH) && !defined(NO_RSA) && !defined(NO_TLS_DH) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ From 505ab746c619bed72450feda46dea74d0a15b8f0 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 3 Apr 2023 18:24:01 +0200 Subject: [PATCH 13/13] Tabs -> spaces --- configure.ac | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index f086fc2db..9aef79102 100644 --- a/configure.ac +++ b/configure.ac @@ -186,15 +186,15 @@ AC_ARG_ENABLE([harden-tls], if test "x$ENABLED_HARDEN_TLS" != "xno" then - if test "x$ENABLED_HARDEN_TLS" == "xyes" || test "x$ENABLED_HARDEN_TLS" == "x112" - then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=112" - elif test "x$ENABLED_HARDEN_TLS" == "x128" - then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=128" + if test "x$ENABLED_HARDEN_TLS" == "xyes" || test "x$ENABLED_HARDEN_TLS" == "x112" + then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=112" + elif test "x$ENABLED_HARDEN_TLS" == "x128" + then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=128" else - AC_MSG_ERROR([Invalid value for --enable-harden-tls]) - fi + AC_MSG_ERROR([Invalid value for --enable-harden-tls]) + fi AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_ALERTS -DWOLFSSL_CHECK_ALERT_ON_ERR" fi
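Review bot: The re-indented lines use `test "x$ENABLED_HARDEN_TLS" == "xyes"` and `test "x$ENABLED_HARDEN_TLS" == "x128"`; `==` is a bash extension, and POSIX `test` as found in dash or other /bin/sh implementations rejects it, so on those systems the script falls into the `AC_MSG_ERROR([Invalid value for --enable-harden-tls])` branch for every value. The rest of configure.ac, including the surrounding `test "x$ENABLED_HARDEN_TLS" != "xno"`, uses single `=` and `!=`, so the three comparisons should read `if test "x$ENABLED_HARDEN_TLS" = "xyes" || test "x$ENABLED_HARDEN_TLS" = "x112"` and `elif test "x$ENABLED_HARDEN_TLS" = "x128"`.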