
Add support for tls-ciphersuites for TLS 1.3

OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
interfaces are meant to be user facing or not exposed at all and we
expose the tls-cipher interface, we should also expose tls-cipherlist.

Combining both settings into tls-cipher would add a lot of glue logic
that needs to be maintained and is error-prone. On top of that, users
should not set either setting unless absolutely required.

OpenSSL's own s_client/s_server also expose both settings and I believe
most other software will too:

-cipher val Specify TLSv1.2 and below cipher list to be used
-ciphersuites val Specify TLSv1.3 ciphersuites to be used

For mbed TLS only the future can tell if we will see a combined or also
two separate lists.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181007215539.32761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Arne Schwabe authored on 2018/10/08 06:55:39
Showing 7 changed files
... ...
@@ -4937,11 +4937,13 @@ determines the derivation of the tunnel session keys.
4937 4937
 .\"*********************************************************
4938 4938
 .TP
4939 4939
 .B \-\-tls\-cipher l
4940
+.TQ
4941
+.B \-\-tls\-ciphersuites l
4940 4942
 A list
4941 4943
 .B l
4942 4944
 of allowable TLS ciphers delimited by a colon (":").
4943 4945
 
4944
-This setting can be used to ensure that certain cipher suites are used (or
4946
+These setting can be used to ensure that certain cipher suites are used (or
4945 4947
 not used) for the TLS connection.  OpenVPN uses TLS to secure the control
4946 4948
 channel, over which the keys that are used to protect the actual VPN traffic
4947 4949
 are exchanged.
... ...
@@ -4950,20 +4952,32 @@ The supplied list of ciphers is (after potential OpenSSL/IANA name translation)
4950 4950
 simply supplied to the crypto library.  Please see the OpenSSL and/or mbed TLS
4951 4951
 documentation for details on the cipher list interpretation.
4952 4952
 
4953
+For OpenSSL, the
4954
+.B \-\-tls-cipher
4955
+is used for TLS 1.2 and below. For TLS 1.3 and up, the
4956
+.B \-\-tls\-ciphersuites
4957
+setting is used. mbed TLS has no TLS 1.3 support yet and only the
4958
+.B \-\-tls-cipher
4959
+setting is used.
4960
+
4953 4961
 Use
4954 4962
 .B \-\-show\-tls
4955 4963
 to see a list of TLS ciphers supported by your crypto library.
4956 4964
 
4957 4965
 Warning!
4958 4966
 .B \-\-tls\-cipher
4959
-is an expert feature, which \- if used correcly \- can improve the security of
4960
-your VPN connection.  But it is also easy to unwittingly use it to carefully
4967
+and
4968
+.B \-\-tls\-ciphersuites
4969
+are expert features, which \- if used correcly \- can improve the security of
4970
+your VPN connection.  But it is also easy to unwittingly use them to carefully
4961 4971
 align a gun with your foot, or just break your connection.  Use with care!
4962 4972
 
4963 4973
 The default for \-\-tls\-cipher is to use mbed TLS's default cipher list
4964 4974
 when using mbed TLS or
4965 4975
 "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using
4966 4976
 OpenSSL.
4977
+
4978
+The default for \-\-tls\-ciphersuites is to use the crypto library's default.
4967 4979
 .\"*********************************************************
4968 4980
 .TP
4969 4981
 .B \-\-tls\-cert\-profile profile
... ...
@@ -1760,6 +1760,7 @@ show_settings(const struct options *o)
1760 1760
     SHOW_STR(cryptoapi_cert);
1761 1761
 #endif
1762 1762
     SHOW_STR(cipher_list);
1763
+    SHOW_STR(cipher_list_tls13);
1763 1764
     SHOW_STR(tls_cert_profile);
1764 1765
     SHOW_STR(tls_verify);
1765 1766
     SHOW_STR(tls_export_cert);
... ...
@@ -2750,6 +2751,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
2750 2750
         MUST_BE_UNDEF(pkcs12_file);
2751 2751
 #endif
2752 2752
         MUST_BE_UNDEF(cipher_list);
2753
+        MUST_BE_UNDEF(cipher_list_tls13);
2753 2754
         MUST_BE_UNDEF(tls_cert_profile);
2754 2755
         MUST_BE_UNDEF(tls_verify);
2755 2756
         MUST_BE_UNDEF(tls_export_cert);
... ...
@@ -7872,6 +7874,11 @@ add_option(struct options *options,
7872 7872
         VERIFY_PERMISSION(OPT_P_GENERAL);
7873 7873
         options->tls_cert_profile = p[1];
7874 7874
     }
7875
+    else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
7876
+    {
7877
+        VERIFY_PERMISSION(OPT_P_GENERAL);
7878
+        options->cipher_list_tls13 = p[1];
7879
+    }
7875 7880
     else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
7876 7881
                                                    || (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3])
7877 7882
     {
... ...
@@ -507,6 +507,7 @@ struct options
507 507
     const char *priv_key_file;
508 508
     const char *pkcs12_file;
509 509
     const char *cipher_list;
510
+    const char *cipher_list_tls13;
510 511
     const char *tls_cert_profile;
511 512
     const char *ecdh_curve;
512 513
     const char *tls_verify;
... ...
@@ -618,9 +618,10 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
618 618
     tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
619 619
 
620 620
     /* Allowable ciphers */
621
-    /* Since @SECLEVEL also influces loading of certificates, set the
621
+    /* Since @SECLEVEL also influences loading of certificates, set the
622 622
      * cipher restrictions before loading certificates */
623 623
     tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
624
+    tls_ctx_restrict_ciphers_tls13(new_ctx, options->cipher_list_tls13);
624 625
 
625 626
     if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
626 627
     {
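Review bot: The comment above the two restrict calls explains only the @SECLEVEL ordering and does not say that the two cipher lists are independent. As far as the backends in this commit show, a NULL `cipher_list_tls13` leaves the library's own TLS 1.3 list in place, so a restrictive `--tls-cipher` does not limit what a TLS 1.3 handshake may negotiate. A short comment before the new call, such as `/* TLS 1.3 suites are configured separately; cipher_list does not restrict them */`, would make that visible to the next reader. init_ssl starts and ends outside the hunk.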
... ...
@@ -169,7 +169,8 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx);
169 169
 bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
170 170
 
171 171
 /**
172
- * Restrict the list of ciphers that can be used within the TLS context.
172
+ * Restrict the list of ciphers that can be used within the TLS context for TLS 1.2
173
+ * and below
173 174
  *
174 175
  * @param ctx           TLS context to restrict, must be valid.
175 176
  * @param ciphers       String containing : delimited cipher names, or NULL to use
... ...
@@ -178,6 +179,16 @@ bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
178 178
 void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
179 179
 
180 180
 /**
181
+ * Restrict the list of ciphers that can be used within the TLS context for TLS 1.3
182
+ * and higher
183
+ *
184
+ * @param ctx           TLS context to restrict, must be valid.
185
+ * @param ciphers       String containing : delimited cipher names, or NULL to use
186
+ *                                      sane defaults.
187
+ */
188
+void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers);
189
+
190
+/**
181 191
  * Set the TLS certificate profile.  The profile defines which crypto
182 192
  * algorithms may be used in the supplied certificate.
183 193
  *
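Review bot: The doc comment added for `tls_ctx_restrict_ciphers_tls13` says NULL selects "sane defaults", which does not match either implementation in this commit. The OpenSSL backend returns early and keeps the library's own list, and the mbed TLS backend ignores a non-NULL list after logging a warning. I would word the parameter line as `@param ciphers  String containing : delimited TLS 1.3 ciphersuite names, or NULL to keep the crypto library's default` and add one sentence saying that a backend without TLS 1.3 support warns and ignores the list. Callers reading only the header would otherwise assume the restriction is always applied.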
... ...
@@ -223,6 +223,19 @@ tls_translate_cipher_name(const char *cipher_name)
223 223
 }
224 224
 
225 225
 void
226
+tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
227
+{
228
+    if (ciphers == NULL)
229
+    {
230
+        /* Nothing to do, return without warning message */
231
+        return;
232
+    }
233
+
234
+    msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. "
235
+                "Ignoring TLS 1.3 cipher list: %s", ciphers);
236
+}
237
+
238
+void
226 239
 tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
227 240
 {
228 241
     char *tmp_ciphers, *tmp_ciphers_orig, *token;
... ...
@@ -391,6 +391,7 @@ convert_tls_list_to_openssl(char* openssl_ciphers, size_t len,const char *cipher
391 391
         openssl_ciphers[openssl_ciphers_len-1] = '\0';
392 392
     }
393 393
 }
394
+
394 395
 void
395 396
 tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
396 397
 {
... ...
@@ -427,6 +428,61 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
427 427
 }
428 428
 
429 429
 void
430
+convert_tls13_list_to_openssl(char* openssl_ciphers, size_t len, const char *ciphers)
431
+{
432
+    /*
433
+     * OpenSSL (and official IANA) cipher names have _ in them. We
434
+     * historically used names with - in them. Silently convert names
435
+     * with - to names with _ to support both
436
+     */
437
+    if (strlen(ciphers) >= (len - 1))
438
+    {
439
+        msg(M_FATAL,
440
+            "Failed to set restricted TLS 1.3 cipher list, too long (>%d).",
441
+            (int) (len - 1));
442
+    }
443
+
444
+    strncpy(openssl_ciphers, ciphers, len);
445
+
446
+    for (size_t i = 0; i < strlen(openssl_ciphers); i++)
447
+    {
448
+        if (openssl_ciphers[i] == '-')
449
+        {
450
+            openssl_ciphers[i] = '_';
451
+        }
452
+    }
453
+}
454
+
455
+void
456
+tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
457
+{
458
+    if (ciphers == NULL)
459
+    {
460
+        /* default cipher list of OpenSSL 1.1.1 is sane, do not set own
461
+         * default as we do with tls-cipher */
462
+        return;
463
+    }
464
+
465
+#if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
466
+        crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
467
+                       "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
468
+                        ciphers);
469
+#else
470
+    ASSERT(NULL != ctx);
471
+
472
+    char openssl_ciphers[4096];
473
+    convert_tls13_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers),
474
+                                  ciphers);
475
+
476
+    if (!SSL_CTX_set_ciphersuites(ctx->ctx, openssl_ciphers))
477
+    {
478
+        crypto_msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list: %s",
479
+                   openssl_ciphers);
480
+    }
481
+#endif
482
+}
483
+
484
+void
430 485
 tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
431 486
 {
432 487
 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
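Review bot: `convert_tls13_list_to_openssl` is defined without `static` although it is only called from this file, and its bounds handling depends on `msg(M_FATAL, ...)` never returning, which presumably holds but is not visible here. If that call did return, `strncpy` would leave `openssl_ciphers` unterminated and the `strlen(openssl_ciphers)` in the loop condition would read past the 4096-byte buffer; `len - 1` also wraps when `len` is 0. I would take the length once, return explicitly after the fatal message, copy exactly `ciphers_len + 1` bytes, and loop over the cached length, as sketched below. The `crypto_msg` call in the `#if` branch of `tls_ctx_restrict_ciphers_tls13` is also indented one level deeper than the rest of the function body.

```c
static void
convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
{
    /* … unchanged: comment on '-' to '_' name conversion … */
    const size_t ciphers_len = strlen(ciphers);

    if (len == 0 || ciphers_len >= (len - 1))
    {
        /* … unchanged: msg(M_FATAL, …) call … */
        return;
    }

    memcpy(openssl_ciphers, ciphers, ciphers_len + 1);

    for (size_t i = 0; i < ciphers_len; i++)
    {
        /* … unchanged: replace '-' with '_' … */
    }
}
```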