From d107198fcba3880a6f576205a7f9b4fadc2e80b0 Mon Sep 17 00:00:00 2001 From: Pascal Knecht Date: Fri, 4 Sep 2020 19:36:40 +0200 Subject: [PATCH] tls-crypto: Rework cipher suite preference order The reworked list follows the order of modern browsers such as Firefox. The new order prefers more secure ciphers over weaker ones. --- src/libtls/tls_crypto.c | 224 +++++++++++++++++----------------------- 1 file changed, 97 insertions(+), 127 deletions(-) diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index f24713de13..a7ad738e6b 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -483,22 +483,34 @@ typedef struct { /** * Mapping suites to a set of algorithms + * + * The order represents the descending preference of cipher suites and follows + * this rule set: + * + * 1. TLS 1.3 > Legacy TLS + * 2. AES > CAMELLIA > NULL + * 3. AES256 > AES128 + * 4. GCM > CBC + * 5. ECDHE > DHE > NULL + * 6. ECDSA > RSA + * 7. SHA384 > SHA256 > SHA1 + * */ static suite_algs_t suite_algs[] = { /* Cipher suites of TLS 1.3: key exchange and authentication * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */ - { TLS_AES_128_GCM_SHA256, - KEY_ANY, MODP_NONE, - HASH_SHA256, PRF_UNDEFINED, - AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16, - TLS_1_3, TLS_1_3, - }, { TLS_AES_256_GCM_SHA384, KEY_ANY, MODP_NONE, HASH_SHA384, PRF_UNDEFINED, AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32, TLS_1_3, TLS_1_3, }, + { TLS_AES_128_GCM_SHA256, + KEY_ANY, MODP_NONE, + HASH_SHA256, PRF_UNDEFINED, + AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16, + TLS_1_3, TLS_1_3, + }, { TLS_CHACHA20_POLY1305_SHA256, KEY_ANY, MODP_NONE, HASH_SHA256, PRF_UNDEFINED, 
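Review bot: The numbered rule set added to the suite_algs comment does not describe the table that follows it: as numbered, rule 2 (AES > CAMELLIA) outranks rule 3 (AES256 > AES128), yet the DHE_RSA group later in this patch places TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_* ahead of TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, and the ChaCha20-Poly1305 suite kept in the TLS 1.3 block is covered by no rule at all. Ranking key length (rule 3) above mode (rule 4) also means CBC/SHA-1 suites such as TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA end up preferred over the AEAD AES-128-GCM suites, which is the opposite of the "more secure over weaker" intent in the commit message and, as far as I recall, of Firefox's order, where every AEAD suite precedes every CBC suite. I would put mode above key length and name ChaCha20 explicitly, e.g. `* 2. AEAD (GCM, ChaCha20-Poly1305) > CBC > NULL`, `* 3. AES > CAMELLIA`, `* 4. AES256 > AES128`, and then reorder the table to match the rules as written. Whether the server-side suite selection actually walks this table in order is not visible in this hunk.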
@@ -518,16 +530,16 @@ static suite_algs_t suite_algs[] = {
  TLS_1_3, TLS_1_3,
  },
  /* Legacy TLS cipher suites */
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- KEY_ECDSA, ECP_256_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- TLS_1_0, TLS_1_2,
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ KEY_ECDSA, ECP_384_BIT,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ TLS_1_2, TLS_1_2,
  },
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- KEY_ECDSA, ECP_256_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ KEY_ECDSA, ECP_384_BIT,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
  TLS_1_2, TLS_1_2,
  },
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
@@ -536,41 +548,29 @@ static suite_algs_t suite_algs[] = {
  AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
  TLS_1_0, TLS_1_2,
  },
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
- KEY_ECDSA, ECP_384_BIT,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
- TLS_1_2, TLS_1_2,
- },
  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  KEY_ECDSA, ECP_256_BIT,
  HASH_SHA256, PRF_HMAC_SHA2_256,
  AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
  TLS_1_2, TLS_1_2,
  },
- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- KEY_ECDSA, ECP_384_BIT,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ KEY_ECDSA, ECP_256_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
  TLS_1_2, TLS_1_2,
  },
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- KEY_RSA, ECP_256_BIT,
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ KEY_ECDSA, ECP_256_BIT,
  HASH_SHA256, PRF_HMAC_SHA2_256,
  AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
  TLS_1_0, TLS_1_2,
  },
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- KEY_RSA, ECP_256_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
- TLS_1_2, TLS_1_2,
- },
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  KEY_RSA, ECP_384_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
- TLS_1_0, TLS_1_2,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ TLS_1_2, TLS_1_2,
  },
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  KEY_RSA, ECP_384_BIT,
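Review bot: In the ECDHE_ECDSA group, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 now sits behind TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (the latter with an HMAC-SHA1 MAC and a `TLS_1_0` floor, visible at the top of the hunk), so a client offering both is steered to a MAC-then-encrypt CBC suite rather than an AEAD one, and the ECDHE_RSA group at the end of the hunk repeats the pattern. For TLS 1.2 and below it is the CBC suites that are exposed to padding-oracle style attacks (Lucky 13) while the GCM suites are not, which matters more than the 128- versus 256-bit key length. I would move the `{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,` entry (and its ECDHE_RSA counterpart) directly after the corresponding AES_256_GCM_SHA384 entry so that every AEAD suite precedes every CBC suite within a key-exchange group. The suite_algs[] initialiser starts and ends outside this hunk.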
@@ -578,28 +578,40 @@ static suite_algs_t suite_algs[] = {
  AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
  TLS_1_2, TLS_1_2,
  },
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ KEY_RSA, ECP_384_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
+ TLS_1_0, TLS_1_2,
+ },
  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  KEY_RSA, ECP_256_BIT,
  HASH_SHA256, PRF_HMAC_SHA2_256,
  AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
  TLS_1_2, TLS_1_2,
  },
- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- KEY_RSA, ECP_384_BIT,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ KEY_RSA, ECP_256_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
  TLS_1_2, TLS_1_2,
  },
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- KEY_RSA, MODP_2048_BIT,
- HASH_SHA256,PRF_HMAC_SHA2_256,
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ KEY_RSA, ECP_256_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
  AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- SSL_3_0, TLS_1_2,
+ TLS_1_0, TLS_1_2,
  },
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
- KEY_RSA, MODP_3072_BIT,
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ KEY_RSA, MODP_4096_BIT,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ TLS_1_2, TLS_1_2,
+ },
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ KEY_RSA, MODP_4096_BIT,
  HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
  TLS_1_2, TLS_1_2,
  },
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
@@ -608,28 +620,34 @@ static suite_algs_t suite_algs[] = {
  AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
  SSL_3_0, TLS_1_2,
  },
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
  KEY_RSA, MODP_4096_BIT,
  HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
+ AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
  TLS_1_2, TLS_1_2,
  },
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ KEY_RSA, MODP_3072_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
+ SSL_3_0, TLS_1_2,
+ },
  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
  KEY_RSA, MODP_3072_BIT,
  HASH_SHA256, PRF_HMAC_SHA2_256,
  AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
  TLS_1_2, TLS_1_2,
  },
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
- KEY_RSA, MODP_4096_BIT,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ KEY_RSA, MODP_3072_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
  TLS_1_2, TLS_1_2,
  },
- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
  KEY_RSA, MODP_2048_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
+ HASH_SHA256,PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
  SSL_3_0, TLS_1_2,
  },
  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
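Review bot: The DHE_RSA group in this hunk orders TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 and TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA ahead of TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, whereas the static-RSA group later in the patch lists every AES suite before any Camellia suite; the two groups follow different rules and the DHE one contradicts the "AES > CAMELLIA" rule the header comment declares. It also places a CBC/SHA-1 suite with an `SSL_3_0` floor ahead of an AEAD suite. I would move the two Camellia-256 entries to after TLS_DHE_RSA_WITH_AES_128_CBC_SHA so the group reads AES-256, AES-128, Camellia-256, Camellia-128 like the RSA group (or, better still, all GCM suites first). Minor: the re-added line `HASH_SHA256,PRF_HMAC_SHA2_256,` is missing the space after the comma that every other entry has.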
@@ -638,34 +656,22 @@ static suite_algs_t suite_algs[] = {
  AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
  TLS_1_2, TLS_1_2,
  },
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
- KEY_RSA, MODP_3072_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
- SSL_3_0, TLS_1_2,
- },
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
- KEY_RSA, MODP_4096_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
- TLS_1_2, TLS_1_2,
- },
- { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
  KEY_RSA, MODP_2048_BIT,
  HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
+ AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
  SSL_3_0, TLS_1_2,
  },
- { TLS_RSA_WITH_AES_128_CBC_SHA,
+ { TLS_RSA_WITH_AES_256_GCM_SHA384,
  KEY_RSA, MODP_NONE,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- SSL_3_0, TLS_1_2,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ TLS_1_2, TLS_1_2,
  },
- { TLS_RSA_WITH_AES_128_CBC_SHA256,
+ { TLS_RSA_WITH_AES_256_CBC_SHA256,
  KEY_RSA, MODP_NONE,
  HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
  TLS_1_2, TLS_1_2,
  },
  { TLS_RSA_WITH_AES_256_CBC_SHA,
@@ -674,34 +680,28 @@ static suite_algs_t suite_algs[] = {
  AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
  SSL_3_0, TLS_1_2,
  },
- { TLS_RSA_WITH_AES_256_CBC_SHA256,
- KEY_RSA, MODP_NONE,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
- TLS_1_2, TLS_1_2,
- },
  { TLS_RSA_WITH_AES_128_GCM_SHA256,
  KEY_RSA, MODP_NONE,
  HASH_SHA256, PRF_HMAC_SHA2_256,
  AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
  TLS_1_2, TLS_1_2,
  },
- { TLS_RSA_WITH_AES_256_GCM_SHA384,
+ { TLS_RSA_WITH_AES_128_CBC_SHA256,
  KEY_RSA, MODP_NONE,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
  TLS_1_2, TLS_1_2,
  },
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ { TLS_RSA_WITH_AES_128_CBC_SHA,
  KEY_RSA, MODP_NONE,
  HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
+ AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
  SSL_3_0, TLS_1_2,
  },
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
  KEY_RSA, MODP_NONE,
  HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
+ AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
  TLS_1_2, TLS_1_2,
  },
  { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
@@ -710,28 +710,16 @@ static suite_algs_t suite_algs[] = { AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32, SSL_3_0, TLS_1_2, }, - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, KEY_RSA, MODP_NONE, HASH_SHA256, PRF_HMAC_SHA2_256, - AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32, + AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16, TLS_1_2, TLS_1_2, }, - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, - KEY_ECDSA, ECP_256_BIT, - HASH_SHA256, PRF_HMAC_SHA2_256, - AUTH_HMAC_SHA1_160, ENCR_3DES, 0, - TLS_1_0, TLS_1_2, - }, - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - KEY_RSA, ECP_256_BIT, - HASH_SHA256, PRF_HMAC_SHA2_256, - AUTH_HMAC_SHA1_160, ENCR_3DES, 0, - TLS_1_0, TLS_1_2, - }, - { TLS_RSA_WITH_3DES_EDE_CBC_SHA, + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, KEY_RSA, MODP_NONE, HASH_SHA256, PRF_HMAC_SHA2_256, - AUTH_HMAC_SHA1_160, ENCR_3DES, 0, + AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16, SSL_3_0, TLS_1_2, }, { TLS_ECDHE_ECDSA_WITH_NULL_SHA, @@ -746,23 +734,17 @@ static suite_algs_t suite_algs[] = { AUTH_HMAC_SHA1_160, ENCR_NULL, 0, TLS_1_0, TLS_1_2, }, - { TLS_RSA_WITH_NULL_SHA, - KEY_RSA, MODP_NONE, - HASH_SHA256, PRF_HMAC_SHA2_256, - AUTH_HMAC_SHA1_160, ENCR_NULL, 0, - SSL_3_0, TLS_1_2, - }, { TLS_RSA_WITH_NULL_SHA256, KEY_RSA, MODP_NONE, HASH_SHA256, PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0, TLS_1_2, TLS_1_2, }, - { TLS_RSA_WITH_NULL_MD5, + { TLS_RSA_WITH_NULL_SHA, KEY_RSA, MODP_NONE, HASH_SHA256, PRF_HMAC_SHA2_256, - AUTH_HMAC_MD5_128, ENCR_NULL, 0, - SSL_2_0, TLS_1_2, + AUTH_HMAC_SHA1_160, ENCR_NULL, 0, + SSL_3_0, TLS_1_2, }, }; @@ -1013,12 +995,6 @@ static void filter_cipher_config_suites(private_tls_crypto_t *this, suites[remaining++] = suites[i]; break; } - if (strcaseeq(token, "3des") && - suites[i].encr == ENCR_3DES) - { - suites[remaining++] = suites[i]; - break; - } if (strcaseeq(token, "null") && suites[i].encr == ENCR_NULL) { 
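Review bot: Dropping the `3des` branch in filter_cipher_config_suites means a `cipher` setting that still lists `3des` now matches nothing silently; from the visible tail of the loop a suite appears to be kept only when some token matches, so an existing configuration naming only 3DES could end up with an empty suite list and no hint why (the function starts and ends outside this hunk, so I have not seen whether unknown tokens are reported elsewhere). With the 3DES entries gone from suite_algs[] the branch is correctly dead, but I would log unrecognised tokens once, e.g. `DBG1(DBG_TLS, "ignoring unknown cipher token '%s'", token);` if that logging macro is in scope here, and mention the removal in the configuration documentation. The same consideration applies to the `md5` branch removed from filter_mac_config_suites in the next hunk.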
@@ -1051,12 +1027,6 @@ static void filter_mac_config_suites(private_tls_crypto_t *this,
  enumerator = enumerator_create_token(config, ",", " ");
  while (enumerator->enumerate(enumerator, &token))
  {
- if (strcaseeq(token, "md5") &&
- suites[i].mac == AUTH_HMAC_MD5_128)
- {
- suites[remaining++] = suites[i];
- break;
- }
  if (strcaseeq(token, "sha1") &&
  suites[i].mac == AUTH_HMAC_SHA1_160)
  {
-- 
2.47.2