From 3b759580b26a21bbdd017eea1a145a0bc9f2200f Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 24 Mar 2023 18:23:59 +0100 Subject: [PATCH] Require 128 bits of security for public keys --- wolfssl/internal.h | 50 +++++++++++++++++++++++++++++++++--- wolfssl/wolfcrypt/settings.h | 18 ++++++++++++- 2 files changed, 63 insertions(+), 5 deletions(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 707c3c890..ede8a7c56 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -661,7 +661,12 @@ #endif #endif #endif - #if !defined(NO_DES3) + #if !defined(NO_DES3) && !defined(WOLFSSL_HARDEN_TLS) + /* SHOULD NOT negotiate cipher suites that use algorithms offering + * less than 128 bits of security. + * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 + * Using guidance from section 5.6.1 + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ #ifndef NO_SHA #if !defined(NO_RSA) #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA @@ -724,7 +729,7 @@ defined(HAVE_ED448) #define BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 #endif - #ifndef NO_DH && !defined(WOLFSSL_HARDEN_TLS) + #if !defined(NO_DH) && !defined(WOLFSSL_HARDEN_TLS) /* SHOULD NOT negotiate cipher suites based on ephemeral * finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" * suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */ @@ -984,6 +989,9 @@ #ifdef WOLFSSL_STATIC_DH #error "Static DH ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1" #endif + #ifdef HAVE_ANON + #error "At least the server side has to be authenticated" + #endif #endif /* actual cipher values, 2nd byte */ @@ -1172,12 +1180,27 @@ enum { /* set minimum DH key size allowed */ #ifndef WOLFSSL_MIN_DHKEY_BITS - #ifdef WOLFSSL_MAX_STRENGTH + #ifdef WOLFSSL_HARDEN_TLS + /* SHOULD NOT negotiate cipher suites that use algorithms offering + * less than 128 bits of security. + * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 + * Using guidance from section 5.6.1 + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ + #define WOLFSSL_MIN_DHKEY_BITS 3072 + #elif defined(WOLFSSL_MAX_STRENGTH) #define WOLFSSL_MIN_DHKEY_BITS 2048 #else #define WOLFSSL_MIN_DHKEY_BITS 1024 #endif #endif +#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 3072 + /* SHOULD NOT negotiate cipher suites that use algorithms offering + * less than 128 bits of security. + * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 + * Using guidance from section 5.6.1 + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ + #error "For 128 bits of security DH needs at least 3072 bit keys" +#endif #if (WOLFSSL_MIN_DHKEY_BITS % 8) #error DH minimum bit size must be multiple of 8 #endif @@ -1205,6 +1228,10 @@ enum { #endif #define MAX_DHKEY_SZ (WOLFSSL_MAX_DHKEY_BITS / 8) +#if WOLFSSL_MAX_DHKEY_BITS < WOLFSSL_MIN_DHKEY_BITS +#error "WOLFSSL_MAX_DHKEY_BITS has to be greater than WOLFSSL_MIN_DHKEY_BITS" +#endif + #ifndef MAX_PSK_ID_LEN /* max psk identity/hint supported */ #if defined(WOLFSSL_TLS13) @@ -1800,12 +1827,27 @@ enum Misc { /* set minimum RSA key size allowed */ #ifndef WOLFSSL_MIN_RSA_BITS - #ifdef WOLFSSL_MAX_STRENGTH + #ifdef WOLFSSL_HARDEN_TLS + /* SHOULD NOT negotiate cipher suites that use algorithms offering + * less than 128 bits of security. + * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 + * Using guidance from section 5.6.1 + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ + #define WOLFSSL_MIN_RSA_BITS 3072 + #elif defined(WOLFSSL_MAX_STRENGTH) #define WOLFSSL_MIN_RSA_BITS 2048 #else #define WOLFSSL_MIN_RSA_BITS 1024 #endif #endif /* WOLFSSL_MIN_RSA_BITS */ +#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 3072 + /* SHOULD NOT negotiate cipher suites that use algorithms offering + * less than 128 bits of security. + * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 + * Using guidance from section 5.6.1 + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ + #error "For 128 bits of security RSA needs at least 3072 bit keys" +#endif #if (WOLFSSL_MIN_RSA_BITS % 8) /* This is to account for the example case of a min size of 2050 bits but still allows 2049 bit key. So we need the measurement to be in bytes. */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 8c271a15c..bfec83597 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2017,7 +2017,14 @@ extern void uITRON4_free(void *p) ; #ifdef WOLFSSL_MIN_ECC_BITS #define ECC_MIN_KEY_SZ WOLFSSL_MIN_ECC_BITS #else - #if FIPS_VERSION_GE(2,0) + #ifdef WOLFSSL_HARDEN_TLS + /* SHOULD NOT negotiate cipher suites that use algorithms offering + * less than 128 bits of security. + * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 + * Using guidance from section 5.6.1 + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ + #define ECC_MIN_KEY_SZ 256 + #elif FIPS_VERSION_GE(2,0) /* FIPSv2 and ready (for now) includes 192-bit support */ #define ECC_MIN_KEY_SZ 192 #else @@ -2026,6 +2033,15 @@ extern void uITRON4_free(void *p) ; #endif #endif +#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 256 + /* SHOULD NOT negotiate cipher suites that use algorithms offering + * less than 128 bits of security. + * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 + * Using guidance from section 5.6.1 + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ + #error "For 128 bits of security ECC needs at least 256 bit keys" +#endif + /* ECC Configs */ #ifdef HAVE_ECC /* By default enable Sign, Verify, DHE, Key Import and Key Export unless