@@ -321,6 +321,18 @@ Maintainer-visible changes

   i386/i686 builds on RHEL5.

+Version 2.4.5

+=============

+

+New features

+------------

+- The new option ``--tls-cert-profile`` can be used to restrict the set of

+  allowed crypto algorithms in TLS certificates in mbed TLS builds.  The

+  default profile is 'legacy' for now, which allows SHA1+, RSA-1024+ and any

+  elliptic curve certificates.  The default will be changed to the 'preferred'

+  profile in the future, which requires SHA2+, RSA-2048+ and any curve.

+

+

 Version 2.4.3

 =============

@@ -4917,6 +4917,37 @@ when using mbed TLS or

 OpenSSL.

 .\"*********************************************************

 .TP

+.B \-\-tls\-cert\-profile profile

+Set the allowed cryptographic algorithms for certificates according to

+.B profile\fN.

+

+The following profiles are supported:

+

+.B legacy

+(default): SHA1 and newer, RSA 2048-bit+, any elliptic curve.

+

+.B preferred

+: SHA2 and newer, RSA 2048-bit+, any elliptic curve.

+

+.B suiteb

+: SHA256/SHA384, ECDSA with P-256 or P-384.

+

+This option is only fully supported for mbed TLS builds.  OpenSSL builds use

+the following approximation:

+

+.B legacy

+(default): sets "security level 1"

+

+.B preferred

+: sets "security level 2"

+

+.B suiteb

+: sets "security level 3" and \-\-tls\-cipher "SUITEB128".

+

+OpenVPN will migrate to 'preferred' as default in the future.  Please ensure

+that your keys already comply.

+.\"*********************************************************

+.TP

 .B \-\-tls\-timeout n

 Packet retransmit timeout on TLS control channel

 if no acknowledgment from remote within

@@ -1016,7 +1016,8 @@ print_openssl_info(const struct options *options)

         }

         if (options->show_tls_ciphers)

         {

-            show_available_tls_ciphers(options->cipher_list);

+            show_available_tls_ciphers(options->cipher_list,

+                                       options->tls_cert_profile);

         }

         if (options->show_curves)

         {

@@ -599,6 +599,8 @@ static const char usage_message[] =

 #endif

     "--tls-cipher l  : A list l of allowable TLS ciphers separated by : (optional).\n"

     "                : Use --show-tls to see a list of supported TLS ciphers.\n"

+    "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"

+    "                  (default=legacy).\n"

     "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"

     "                  if no ACK from remote within n seconds (default=%d).\n"

     "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"

@@ -875,6 +877,7 @@ init_options(struct options *o, const bool init_gc)

     o->renegotiate_seconds_min = -1;

     o->handshake_window = 60;

     o->transition_window = 3600;

+    o->tls_cert_profile = NULL;

     o->ecdh_curve = NULL;

 #ifdef ENABLE_X509ALTUSERNAME

     o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;

@@ -1753,6 +1756,7 @@ show_settings(const struct options *o)

     SHOW_STR(cryptoapi_cert);

 #endif

     SHOW_STR(cipher_list);

+    SHOW_STR(tls_cert_profile);

     SHOW_STR(tls_verify);

     SHOW_STR(tls_export_cert);

     SHOW_INT(verify_x509_type);

@@ -2732,6 +2736,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec

         MUST_BE_UNDEF(pkcs12_file);

 #endif

         MUST_BE_UNDEF(cipher_list);

+        MUST_BE_UNDEF(tls_cert_profile);

         MUST_BE_UNDEF(tls_verify);

         MUST_BE_UNDEF(tls_export_cert);

         MUST_BE_UNDEF(verify_x509_name);

@@ -7834,6 +7839,11 @@ add_option(struct options *options,

         VERIFY_PERMISSION(OPT_P_GENERAL);

         options->cipher_list = p[1];

     }

+    else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])

+    {

+        VERIFY_PERMISSION(OPT_P_GENERAL);

+        options->tls_cert_profile = p[1];

+    }

     else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))

                                                    || (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3])

     {

@@ -502,6 +502,7 @@ struct options

     const char *priv_key_file;

     const char *pkcs12_file;

     const char *cipher_list;

+    const char *tls_cert_profile;

     const char *ecdh_curve;

     const char *tls_verify;

     int verify_x509_type;

@@ -616,6 +616,9 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)

         tls_ctx_client_new(new_ctx);

     }

+    /* Restrict allowed certificate crypto algorithms */

+    tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);

+

     /* Allowable ciphers */

     /* Since @SECLEVEL also influces loading of certificates, set the

      * cipher restrictions before loading certificates */

@@ -177,6 +177,16 @@ void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);

 void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);

 /**

+ * Set the TLS certificate profile.  The profile defines which crypto

+ * algorithms may be used in the supplied certificate.

+ *

+ * @param ctx           TLS context to restrict, must be valid.

+ * @param profile       The profile name ('preferred', 'legacy' or 'suiteb').

+ *                      Defaults to 'preferred' if NULL.

+ */

+void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile);

+

+/**

  * Check our certificate notBefore and notAfter fields, and warn if the cert is

  * either not yet valid or has expired.  Note that this is a non-fatal error,

  * since we compare against the system time, which might be incorrect.

@@ -505,9 +515,12 @@ void print_details(struct key_state_ssl *ks_ssl, const char *prefix);

  * Show the TLS ciphers that are available for us to use in the OpenSSL

  * library.

  *

- * @param               - list of allowed TLS cipher, or NULL.

+ * @param cipher_list       list of allowed TLS cipher, or NULL.

+ * @param tls_cert_profile  TLS certificate crypto profile name.

  */

-void show_available_tls_ciphers(const char *tls_ciphers);

+void

+show_available_tls_ciphers(const char *cipher_list,

+                           const char *tls_cert_profile);

 /*

  * Show the available elliptic curves in the crypto library

@@ -62,6 +62,34 @@

 #include <mbedtls/pem.h>

 #include <mbedtls/sha256.h>

+static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy =

+{

+    /* Hashes from SHA-1 and above */

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),

+    0xFFFFFFF, /* Any PK alg    */

+    0xFFFFFFF, /* Any curve     */

+    1024,      /* RSA-1024 and larger */

+};

+

+static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred =

+{

+    /* SHA-2 and above */

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |

+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),

+    0xFFFFFFF, /* Any PK alg    */

+    0xFFFFFFF, /* Any curve     */

+    2048,      /* RSA-2048 and larger */

+};

+

+#define openvpn_x509_crt_profile_suiteb mbedtls_x509_crt_profile_suiteb;

+

 void

 tls_init_lib(void)

 {

@@ -251,6 +279,27 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)

 }

 void

+tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)

+{

+    if (!profile || 0 == strcmp(profile, "legacy"))

+    {

+        ctx->cert_profile = openvpn_x509_crt_profile_legacy;

+    }

+    else if (0 == strcmp(profile, "preferred"))

+    {

+        ctx->cert_profile = openvpn_x509_crt_profile_preferred;

+    }

+    else if (0 == strcmp(profile, "suiteb"))

+    {

+        ctx->cert_profile = openvpn_x509_crt_profile_suiteb;

+    }

+    else

+    {

+        msg (M_FATAL, "ERROR: Invalid cert profile: %s", profile);

+    }

+}

+

+void

 tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)

 {

     ASSERT(ctx);

@@ -917,6 +966,8 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,

     mbedtls_ssl_conf_rng(&ks_ssl->ssl_config, mbedtls_ctr_drbg_random,

                          rand_ctx_get());

+    mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &ssl_ctx->cert_profile);

+

     if (ssl_ctx->allowed_ciphers)

     {

         mbedtls_ssl_conf_ciphersuites(&ks_ssl->ssl_config, ssl_ctx->allowed_ciphers);

@@ -1271,12 +1322,14 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)

 }

 void

-show_available_tls_ciphers(const char *cipher_list)

+show_available_tls_ciphers(const char *cipher_list,

+                           const char *tls_cert_profile)

 {

     struct tls_root_ctx tls_ctx;

     const int *ciphers = mbedtls_ssl_list_ciphersuites();

     tls_ctx_server_new(&tls_ctx);

+    tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile);

     tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);

     if (tls_ctx.allowed_ciphers)

@@ -82,6 +82,7 @@ struct tls_root_ctx {

     struct external_context *external_key; /**< Management external key */

 #endif

     int *allowed_ciphers;       /**< List of allowed ciphers for this connection */

+    mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */

 };

 struct key_state_ssl {

@@ -384,6 +384,40 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)

 }

 void

+tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)

+{

+#if (OPENSSL_VERSION_NUMBER >= 0x10100000)

+    /* OpenSSL does not have certificate profiles, but a complex set of

+     * callbacks that we could try to implement to achieve something similar.

+     * For now, use OpenSSL's security levels to achieve similar (but not equal)

+     * behaviour. */

+    if (!profile || 0 == strcmp(profile, "legacy"))

+    {

+        SSL_CTX_set_security_level(ctx->ctx, 1);

+    }

+    else if (0 == strcmp(profile, "preferred"))

+    {

+        SSL_CTX_set_security_level(ctx->ctx, 2);

+    }

+    else if (0 == strcmp(profile, "suiteb"))

+    {

+        SSL_CTX_set_security_level(ctx->ctx, 3);

+        SSL_CTX_set_cipher_list(ctx->ctx, "SUITEB128");

+    }

+    else

+    {

+        msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);

+    }

+#else

+    if (profile)

+    {

+        msg(M_WARN, "WARNING: OpenSSL 1.0.1 does not support --tls-cert-profile"

+            ", ignoring user-set profile: '%s'", profile);

+    }

+#endif

+}

+

+void

 tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)

 {

     int ret;

@@ -1722,7 +1756,8 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)

 }

 void

-show_available_tls_ciphers(const char *cipher_list)

+show_available_tls_ciphers(const char *cipher_list,

+                           const char *tls_cert_profile)

 {

     struct tls_root_ctx tls_ctx;

     SSL *ssl;

@@ -1742,6 +1777,7 @@ show_available_tls_ciphers(const char *cipher_list)

         crypto_msg(M_FATAL, "Cannot create SSL object");

     }

+    tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile);

     tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);

     printf("Available TLS Ciphers,\n");