Allow user to choose between 112 and 128 bits of security

configure.ac

@@ -179,14 +179,22 @@ ENABLED_CERTS="no"
 
 # Implements requirements from RFC9325
 AC_ARG_ENABLE([harden-tls],
-    [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325 (default: disabled)])],
+    [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325. Possible values are <yes>, <112>, or <128> (default: disabled)])],
     [ ENABLED_HARDEN_TLS=$enableval ],
     [ ENABLED_HARDEN_TLS=no ]
     )
 
 if test "x$ENABLED_HARDEN_TLS" != "xno"
 then
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS"
+	if test "x$ENABLED_HARDEN_TLS" == "xyes" || test "x$ENABLED_HARDEN_TLS" == "x112"
+	then
+	    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=112"
+	elif test "x$ENABLED_HARDEN_TLS" == "x128"
+	then
+	    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=128"
+    else
+    	AC_MSG_ERROR([Invalid value for --enable-harden-tls])
+	fi
 fi
 
 # Support for forcing 32-bit mode

wolfssl/internal.h

@@ -304,6 +304,9 @@
     #undef HAVE_AES_CBC
 #endif
 
+    /* When adding new ciphersuites, make sure that they have appropriate
+     * guards for WOLFSSL_HARDEN_TLS. */
+
 #ifndef WOLFSSL_AEAD_ONLY
     #if !defined(NO_RSA) && !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS)
         /* MUST NOT negotiate RC4 cipher suites
@@ -318,12 +321,7 @@
         #endif
     #endif
 
-    #if !defined(NO_RSA) && !defined(NO_DES3) && !defined(WOLFSSL_HARDEN_TLS)
-        /* SHOULD NOT negotiate cipher suites that use algorithms offering
-         * less than 128 bits of security.
-         * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
-         * Using guidance from section 5.6.1
-         * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
+    #if !defined(NO_RSA) && !defined(NO_DES3)
         #if !defined(NO_SHA)
             #if defined(WOLFSSL_STATIC_RSA)
                 #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
@@ -661,10 +659,9 @@
                 #endif
             #endif
         #endif
-        #if !defined(NO_DES3) && !defined(WOLFSSL_HARDEN_TLS)
-            /* SHOULD NOT negotiate cipher suites that use algorithms offering
-             * less than 128 bits of security.
-             * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
+        #if !defined(NO_DES3) && !(defined(WOLFSSL_HARDEN_TLS) && \
+                                           WOLFSSL_HARDEN_TLS > 112)
+            /* 3DES offers only 112 bits of security.
              * Using guidance from section 5.6.1
              * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
             #ifndef NO_SHA
@@ -1181,25 +1178,26 @@ enum {
 /* set minimum DH key size allowed */
 #ifndef WOLFSSL_MIN_DHKEY_BITS
     #ifdef WOLFSSL_HARDEN_TLS
-        /* SHOULD NOT negotiate cipher suites that use algorithms offering
-         * less than 128 bits of security.
-         * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
-         * Using guidance from section 5.6.1
+        /* Using guidance from section 5.6.1
          * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
-        #define WOLFSSL_MIN_DHKEY_BITS 3072
+        #if WOLFSSL_HARDEN_TLS >= 128
+            #define WOLFSSL_MIN_DHKEY_BITS 3072
+        #elif WOLFSSL_HARDEN_TLS >= 112
+            #define WOLFSSL_MIN_DHKEY_BITS 2048
+        #endif
     #elif defined(WOLFSSL_MAX_STRENGTH)
         #define WOLFSSL_MIN_DHKEY_BITS 2048
     #else
         #define WOLFSSL_MIN_DHKEY_BITS 1024
     #endif
 #endif
-#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 3072
-    /* SHOULD NOT negotiate cipher suites that use algorithms offering
-     * less than 128 bits of security.
+#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 2048
+    /* Implementations MUST NOT negotiate cipher suites offering less than
+     * 112 bits of security.
      * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
      * Using guidance from section 5.6.1
      * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
-    #error "For 128 bits of security DH needs at least 3072 bit keys"
+    #error "For 112 bits of security DH needs at least 2048 bit keys"
 #endif
 #if (WOLFSSL_MIN_DHKEY_BITS % 8)
     #error DH minimum bit size must be multiple of 8
@@ -1828,25 +1826,26 @@ enum Misc {
 /* set minimum RSA key size allowed */
 #ifndef WOLFSSL_MIN_RSA_BITS
     #ifdef WOLFSSL_HARDEN_TLS
-        /* SHOULD NOT negotiate cipher suites that use algorithms offering
-         * less than 128 bits of security.
-         * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
-         * Using guidance from section 5.6.1
+        /* Using guidance from section 5.6.1
          * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
-        #define WOLFSSL_MIN_RSA_BITS 3072
+        #if WOLFSSL_HARDEN_TLS >= 128
+            #define WOLFSSL_MIN_RSA_BITS 3072
+        #elif WOLFSSL_HARDEN_TLS >= 112
+            #define WOLFSSL_MIN_RSA_BITS 2048
+        #endif
     #elif defined(WOLFSSL_MAX_STRENGTH)
         #define WOLFSSL_MIN_RSA_BITS 2048
     #else
         #define WOLFSSL_MIN_RSA_BITS 1024
     #endif
 #endif /* WOLFSSL_MIN_RSA_BITS */
-#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 3072
-    /* SHOULD NOT negotiate cipher suites that use algorithms offering
-     * less than 128 bits of security.
+#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 2048
+    /* Implementations MUST NOT negotiate cipher suites offering less than
+     * 112 bits of security.
      * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
      * Using guidance from section 5.6.1
      * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
-    #error "For 128 bits of security RSA needs at least 3072 bit keys"
+    #error "For 112 bits of security RSA needs at least 2048 bit keys"
 #endif
 #if (WOLFSSL_MIN_RSA_BITS % 8)
     /* This is to account for the example case of a min size of 2050 bits but

wolfssl/wolfcrypt/settings.h

@@ -306,6 +306,12 @@
 #endif
 
 
+#ifdef WOLFSSL_HARDEN_TLS
+    #if WOLFSSL_HARDEN_TLS != 112 && WOLFSSL_HARDEN_TLS != 128
+        #error "WOLFSSL_HARDEN_TLS must be defined either to 112 or 128 bits of security."
+    #endif
+#endif
+
 #if defined(_WIN32) && !defined(_M_X64) && \
     defined(HAVE_AESGCM) && defined(WOLFSSL_AESNI)
 
@@ -2018,12 +2024,13 @@ extern void uITRON4_free(void *p) ;
         #define ECC_MIN_KEY_SZ WOLFSSL_MIN_ECC_BITS
     #else
         #ifdef WOLFSSL_HARDEN_TLS
-            /* SHOULD NOT negotiate cipher suites that use algorithms offering
-             * less than 128 bits of security.
-             * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
-             * Using guidance from section 5.6.1
+            /* Using guidance from section 5.6.1
              * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
-            #define ECC_MIN_KEY_SZ 256
+            #if WOLFSSL_HARDEN_TLS >= 128
+                #define ECC_MIN_KEY_SZ 256
+            #elif WOLFSSL_HARDEN_TLS >= 112
+                #define ECC_MIN_KEY_SZ 224
+            #endif
         #elif FIPS_VERSION_GE(2,0)
             /* FIPSv2 and ready (for now) includes 192-bit support */
             #define ECC_MIN_KEY_SZ 192
@@ -2033,13 +2040,13 @@ extern void uITRON4_free(void *p) ;
     #endif
 #endif
 
-#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 256
-    /* SHOULD NOT negotiate cipher suites that use algorithms offering
-     * less than 128 bits of security.
+#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 224
+    /* Implementations MUST NOT negotiate cipher suites offering less than
+     * 112 bits of security.
      * https://www.rfc-editor.org/rfc/rfc9325#section-4.1
      * Using guidance from section 5.6.1
      * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
-    #error "For 128 bits of security ECC needs at least 256 bit keys"
+    #error "For 112 bits of security ECC needs at least 224 bit keys"
 #endif
 
 /* ECC Configs */