From c0b0c14a1544f1ad6bc5861a1370e6e265d348e0 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 27 Mar 2023 15:42:19 +0200 Subject: [PATCH] Allow user to choose between 112 and 128 bits of security --- configure.ac | 12 ++++++-- wolfssl/internal.h | 55 ++++++++++++++++++------------------ wolfssl/wolfcrypt/settings.h | 25 ++++++++++------ 3 files changed, 53 insertions(+), 39 deletions(-) diff --git a/configure.ac b/configure.ac index 4e2152e8e..03c16b05b 100644 --- a/configure.ac +++ b/configure.ac @@ -179,14 +179,22 @@ ENABLED_CERTS="no" # Implements requirements from RFC9325 AC_ARG_ENABLE([harden-tls], - [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325 (default: disabled)])], + [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325. Possible values are , <112>, or <128> (default: disabled)])], [ ENABLED_HARDEN_TLS=$enableval ], [ ENABLED_HARDEN_TLS=no ] ) if test "x$ENABLED_HARDEN_TLS" != "xno" then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS" + if test "x$ENABLED_HARDEN_TLS" == "xyes" || test "x$ENABLED_HARDEN_TLS" == "x112" + then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=112" + elif test "x$ENABLED_HARDEN_TLS" == "x128" + then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=128" + else + AC_MSG_ERROR([Invalid value for --enable-harden-tls]) + fi fi # Support for forcing 32-bit mode diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ede8a7c56..f693a0b89 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -304,6 +304,9 @@ #undef HAVE_AES_CBC #endif + /* When adding new ciphersuites, make sure that they have appropriate + * guards for WOLFSSL_HARDEN_TLS. */ + #ifndef WOLFSSL_AEAD_ONLY #if !defined(NO_RSA) && !defined(NO_RC4) && !defined(WOLFSSL_HARDEN_TLS) /* MUST NOT negotiate RC4 cipher suites 
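Review bot: The new value checks in the configure.ac hunk compare with `==`, which POSIX `test` does not define; under a strict `/bin/sh` such as dash both comparisons return an error status, so `--enable-harden-tls`, `=112` and `=128` would all fall through to `AC_MSG_ERROR`. Use the single `=` form: `if test "x$ENABLED_HARDEN_TLS" = "xyes" || test "x$ENABLED_HARDEN_TLS" = "x112"` and `elif test "x$ENABLED_HARDEN_TLS" = "x128"`. The help string should also state that a bare `--enable-harden-tls` selects the 112-bit level, since the `xyes` branch maps to the weaker of the two settings.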
@@ -318,12 +321,7 @@ #endif #endif - #if !defined(NO_RSA) && !defined(NO_DES3) && !defined(WOLFSSL_HARDEN_TLS) - /* SHOULD NOT negotiate cipher suites that use algorithms offering - * less than 128 bits of security. - * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 - * Using guidance from section 5.6.1 - * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ + #if !defined(NO_RSA) && !defined(NO_DES3) #if !defined(NO_SHA) #if defined(WOLFSSL_STATIC_RSA) #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA @@ -661,10 +659,9 @@ #endif #endif #endif - #if !defined(NO_DES3) && !defined(WOLFSSL_HARDEN_TLS) - /* SHOULD NOT negotiate cipher suites that use algorithms offering - * less than 128 bits of security. - * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 + #if !defined(NO_DES3) && !(defined(WOLFSSL_HARDEN_TLS) && \ + WOLFSSL_HARDEN_TLS > 112) + /* 3DES offers only 112 bits of security. * Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ #ifndef NO_SHA 
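Review bot: The hunk at `@@ -318,12 +321,7` drops the WOLFSSL_HARDEN_TLS condition from the static-RSA 3DES block entirely, whereas the hunk at `@@ -661,10 +659,9` keeps 3DES out of a 128-bit build with `WOLFSSL_HARDEN_TLS > 112`. As written, `BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA` can be defined with `WOLFSSL_HARDEN_TLS=128` whenever `WOLFSSL_STATIC_RSA` is set, unless a guard outside this hunk prevents it. Using the same condition in both places keeps them consistent: `#if !defined(NO_RSA) && !defined(NO_DES3) && !(defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_HARDEN_TLS > 112)`, with the comment `/* 3DES offers only 112 bits of security. */` repeated above it. The `#if` block continues past the end of the hunk.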
@@ -1181,25 +1178,26 @@ enum { /* set minimum DH key size allowed */ #ifndef WOLFSSL_MIN_DHKEY_BITS #ifdef WOLFSSL_HARDEN_TLS - /* SHOULD NOT negotiate cipher suites that use algorithms offering - * less than 128 bits of security. - * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 - * Using guidance from section 5.6.1 + /* Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ - #define WOLFSSL_MIN_DHKEY_BITS 3072 + #if WOLFSSL_HARDEN_TLS >= 128 + #define WOLFSSL_MIN_DHKEY_BITS 3072 + #elif WOLFSSL_HARDEN_TLS >= 112 + #define WOLFSSL_MIN_DHKEY_BITS 2048 + #endif #elif defined(WOLFSSL_MAX_STRENGTH) #define WOLFSSL_MIN_DHKEY_BITS 2048 #else #define WOLFSSL_MIN_DHKEY_BITS 1024 #endif #endif -#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 3072 - /* SHOULD NOT negotiate cipher suites that use algorithms offering - * less than 128 bits of security. +#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 2048 + /* Implementations MUST NOT negotiate cipher suites offering less than + * 112 bits of security. * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 * Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ - #error "For 128 bits of security DH needs at least 3072 bit keys" + #error "For 112 bits of security DH needs at least 2048 bit keys" #endif #if (WOLFSSL_MIN_DHKEY_BITS % 8) #error DH minimum bit size must be multiple of 8 
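Review bot: The override check that follows the default selection now uses a fixed floor, `WOLFSSL_MIN_DHKEY_BITS < 2048`, so a build with `WOLFSSL_HARDEN_TLS=128` and a user-supplied `WOLFSSL_MIN_DHKEY_BITS` of 2048 compiles without error even though the 128-bit level defaults to 3072. Before this change the check rejected anything below 3072. Make the floor depend on the level: add `#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_HARDEN_TLS >= 128 && WOLFSSL_MIN_DHKEY_BITS < 3072` with `#error "For 128 bits of security DH needs at least 3072 bit keys"`, and turn the existing 2048 check into its `#elif` branch. The RSA check at `@@ -1828,25 +1826,26` (`WOLFSSL_MIN_RSA_BITS < 2048`) and the ECC check at `@@ -2033,13 +2040,13` in settings.h (`ECC_MIN_KEY_SZ < 224`) have the same gap.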
@@ -1828,25 +1826,26 @@ enum Misc { /* set minimum RSA key size allowed */ #ifndef WOLFSSL_MIN_RSA_BITS #ifdef WOLFSSL_HARDEN_TLS - /* SHOULD NOT negotiate cipher suites that use algorithms offering - * less than 128 bits of security. - * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 - * Using guidance from section 5.6.1 + /* Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ - #define WOLFSSL_MIN_RSA_BITS 3072 + #if WOLFSSL_HARDEN_TLS >= 128 + #define WOLFSSL_MIN_RSA_BITS 3072 + #elif WOLFSSL_HARDEN_TLS >= 112 + #define WOLFSSL_MIN_RSA_BITS 2048 + #endif #elif defined(WOLFSSL_MAX_STRENGTH) #define WOLFSSL_MIN_RSA_BITS 2048 #else #define WOLFSSL_MIN_RSA_BITS 1024 #endif #endif /* WOLFSSL_MIN_RSA_BITS */ -#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 3072 - /* SHOULD NOT negotiate cipher suites that use algorithms offering - * less than 128 bits of security. +#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 2048 + /* Implementations MUST NOT negotiate cipher suites offering less than + * 112 bits of security. * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 * Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ - #error "For 128 bits of security RSA needs at least 3072 bit keys" + #error "For 112 bits of security RSA needs at least 2048 bit keys" #endif #if (WOLFSSL_MIN_RSA_BITS % 8) /* This is to account for the example case of a min size of 2050 bits but diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index bfec83597..cf9e01bbb 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h 
@@ -306,6 +306,12 @@ #endif +#ifdef WOLFSSL_HARDEN_TLS + #if WOLFSSL_HARDEN_TLS != 112 && WOLFSSL_HARDEN_TLS != 128 + #error "WOLFSSL_HARDEN_TLS must be defined either to 112 or 128 bits of security." + #endif +#endif + #if defined(_WIN32) && !defined(_M_X64) && \ defined(HAVE_AESGCM) && defined(WOLFSSL_AESNI) @@ -2018,12 +2024,13 @@ extern void uITRON4_free(void *p) ; #define ECC_MIN_KEY_SZ WOLFSSL_MIN_ECC_BITS #else #ifdef WOLFSSL_HARDEN_TLS - /* SHOULD NOT negotiate cipher suites that use algorithms offering - * less than 128 bits of security. - * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 - * Using guidance from section 5.6.1 + /* Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ - #define ECC_MIN_KEY_SZ 256 + #if WOLFSSL_HARDEN_TLS >= 128 + #define ECC_MIN_KEY_SZ 256 + #elif WOLFSSL_HARDEN_TLS >= 112 + #define ECC_MIN_KEY_SZ 224 + #endif #elif FIPS_VERSION_GE(2,0) /* FIPSv2 and ready (for now) includes 192-bit support */ #define ECC_MIN_KEY_SZ 192 @@ -2033,13 +2040,13 @@ extern void uITRON4_free(void *p) ; #endif #endif -#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 256 - /* SHOULD NOT negotiate cipher suites that use algorithms offering - * less than 128 bits of security. +#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 224 + /* Implementations MUST NOT negotiate cipher suites offering less than + * 112 bits of security. * https://www.rfc-editor.org/rfc/rfc9325#section-4.1 * Using guidance from section 5.6.1 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ - #error "For 128 bits of security ECC needs at least 256 bit keys" + #error "For 112 bits of security ECC needs at least 224 bit keys" #endif /* ECC Configs */
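Review bot: The value check added at `@@ -306,6 +306,12` does not reach its message for a bare `#define WOLFSSL_HARDEN_TLS`, which the `#ifdef`/`defined()` guards accepted before this change: the macro expands to nothing and `#if WOLFSSL_HARDEN_TLS != 112 ...` becomes a preprocessor syntax error instead of the intended `#error`. The build still stops, but the reason is obscured for anyone who defines the macro in a header rather than through configure. Writing the test as `#if (WOLFSSL_HARDEN_TLS + 0) != 112 && (WOLFSSL_HARDEN_TLS + 0) != 128` makes an empty definition evaluate to 0 and produce the explanatory error.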