tls-crypto: Rework cipher suite preference order
authorPascal Knecht <pascal.knecht@hsr.ch>
Fri, 4 Sep 2020 17:36:40 +0000 (19:36 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
The reworked list follows the preference order of modern browsers such as
Firefox. The new order prefers stronger cipher suites over weaker ones.

src/libtls/tls_crypto.c

index f24713d..a7ad738 100644 (file)
@@ -483,22 +483,34 @@ typedef struct {
 
 /**
  * Mapping suites to a set of algorithms
+ *
+ * The order represents the descending preference of cipher suites and follows
+ * this rule set:
+ *
+ *   1. TLS 1.3 > Legacy TLS
+ *   2. AES > CAMELLIA > NULL
+ *   3. AES256 > AES128
+ *   4. GCM > CBC
+ *   5. ECDHE > DHE > NULL
+ *   6. ECDSA > RSA
+ *   7. SHA384 > SHA256 > SHA1
+ *
  */
 static suite_algs_t suite_algs[] = {
        /* Cipher suites of TLS 1.3: key exchange and authentication
         * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
-       { TLS_AES_128_GCM_SHA256,
-               KEY_ANY, MODP_NONE,
-               HASH_SHA256, PRF_UNDEFINED,
-               AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
-               TLS_1_3, TLS_1_3,
-       },
        { TLS_AES_256_GCM_SHA384,
                KEY_ANY, MODP_NONE,
                HASH_SHA384, PRF_UNDEFINED,
                AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
                TLS_1_3, TLS_1_3,
        },
+       { TLS_AES_128_GCM_SHA256,
+               KEY_ANY, MODP_NONE,
+               HASH_SHA256, PRF_UNDEFINED,
+               AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
+               TLS_1_3, TLS_1_3,
+       },
        { TLS_CHACHA20_POLY1305_SHA256,
                KEY_ANY, MODP_NONE,
                HASH_SHA256, PRF_UNDEFINED,
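Review bot: The new rule list at L20-L26 ranks key length (rule 3, AES256 > AES128) ahead of the mode (rule 4, GCM > CBC), so a CBC suite with an HMAC-SHA1 MAC and a TLS 1.0 floor ends up preferred over an AEAD suite; this is visible later in the diff, where TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA sits above TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, which is hard to reconcile with "prefers more secure ciphers over weaker ones" and, as far as I recall, is not how Firefox orders its legacy suites either. CBC-with-MAC suites in TLS 1.2 and below are the ones that have needed padding-oracle and timing hardening, while 128-bit AES-GCM is not considered weak, so I would swap rules 3 and 4 and reorder the table to match. The rule set also does not place the TLS 1.3 ChaCha20-Poly1305 suite kept at L50; rule 2 should say where it goes, e.g. `*   2. AES > CHACHA20 > CAMELLIA > NULL`, `*   3. GCM/AEAD > CBC`, `*   4. AES256 > AES128`. If ranking the CBC suites higher is deliberate (say, for interop with old peers), a one-line comment here stating that would save the next reader the same question.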
@@ -518,16 +530,16 @@ static suite_algs_t suite_algs[] = {
                TLS_1_3, TLS_1_3,
        },
        /* Legacy TLS cipher suites */
-       { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-               KEY_ECDSA, ECP_256_BIT,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
-               TLS_1_0, TLS_1_2,
+       { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+               KEY_ECDSA, ECP_384_BIT,
+               HASH_SHA384, PRF_HMAC_SHA2_384,
+               AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+               TLS_1_2, TLS_1_2,
        },
-       { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-               KEY_ECDSA, ECP_256_BIT,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
+       { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+               KEY_ECDSA, ECP_384_BIT,
+               HASH_SHA384, PRF_HMAC_SHA2_384,
+               AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
                TLS_1_2, TLS_1_2,
        },
        { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
@@ -536,41 +548,29 @@ static suite_algs_t suite_algs[] = {
                AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
                TLS_1_0, TLS_1_2,
        },
-       { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-               KEY_ECDSA, ECP_384_BIT,
-               HASH_SHA384, PRF_HMAC_SHA2_384,
-               AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
-               TLS_1_2, TLS_1_2,
-       },
        { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                KEY_ECDSA, ECP_256_BIT,
                HASH_SHA256, PRF_HMAC_SHA2_256,
                AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-               KEY_ECDSA, ECP_384_BIT,
-               HASH_SHA384, PRF_HMAC_SHA2_384,
-               AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+       { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+               KEY_ECDSA, ECP_256_BIT,
+               HASH_SHA256, PRF_HMAC_SHA2_256,
+               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-               KEY_RSA, ECP_256_BIT,
+       { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+               KEY_ECDSA, ECP_256_BIT,
                HASH_SHA256, PRF_HMAC_SHA2_256,
                AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
                TLS_1_0, TLS_1_2,
        },
-       { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-               KEY_RSA, ECP_256_BIT,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
-               TLS_1_2, TLS_1_2,
-       },
-       { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+       { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                KEY_RSA, ECP_384_BIT,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
-               TLS_1_0, TLS_1_2,
+               HASH_SHA384, PRF_HMAC_SHA2_384,
+               AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+               TLS_1_2, TLS_1_2,
        },
        { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                KEY_RSA, ECP_384_BIT,
@@ -578,28 +578,40 @@ static suite_algs_t suite_algs[] = {
                AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
                TLS_1_2, TLS_1_2,
        },
+       { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+               KEY_RSA, ECP_384_BIT,
+               HASH_SHA256, PRF_HMAC_SHA2_256,
+               AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
+               TLS_1_0, TLS_1_2,
+       },
        { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                KEY_RSA, ECP_256_BIT,
                HASH_SHA256, PRF_HMAC_SHA2_256,
                AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-               KEY_RSA, ECP_384_BIT,
-               HASH_SHA384, PRF_HMAC_SHA2_384,
-               AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+       { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+               KEY_RSA, ECP_256_BIT,
+               HASH_SHA256, PRF_HMAC_SHA2_256,
+               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-               KEY_RSA, MODP_2048_BIT,
-               HASH_SHA256,PRF_HMAC_SHA2_256,
+       { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+               KEY_RSA, ECP_256_BIT,
+               HASH_SHA256, PRF_HMAC_SHA2_256,
                AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
-               SSL_3_0, TLS_1_2,
+               TLS_1_0, TLS_1_2,
        },
-       { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-               KEY_RSA, MODP_3072_BIT,
+       { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+               KEY_RSA, MODP_4096_BIT,
+               HASH_SHA384, PRF_HMAC_SHA2_384,
+               AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+               TLS_1_2, TLS_1_2,
+       },
+       { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+               KEY_RSA, MODP_4096_BIT,
                HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
+               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
                TLS_1_2, TLS_1_2,
        },
        { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
@@ -608,28 +620,34 @@ static suite_algs_t suite_algs[] = {
                AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
                SSL_3_0, TLS_1_2,
        },
-       { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+       { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
                KEY_RSA, MODP_4096_BIT,
                HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
+               AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
                TLS_1_2, TLS_1_2,
        },
+       { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+               KEY_RSA, MODP_3072_BIT,
+               HASH_SHA256, PRF_HMAC_SHA2_256,
+               AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
+               SSL_3_0, TLS_1_2,
+       },
        { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                KEY_RSA, MODP_3072_BIT,
                HASH_SHA256, PRF_HMAC_SHA2_256,
                AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
-               KEY_RSA, MODP_4096_BIT,
-               HASH_SHA384, PRF_HMAC_SHA2_384,
-               AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+       { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+               KEY_RSA, MODP_3072_BIT,
+               HASH_SHA256, PRF_HMAC_SHA2_256,
+               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+       { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                KEY_RSA, MODP_2048_BIT,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
+               HASH_SHA256,PRF_HMAC_SHA2_256,
+               AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
                SSL_3_0, TLS_1_2,
        },
        { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
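Review bot: In the DHE block the two Camellia-256 entries added at L188 and L195 are placed above TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 at L201, which applies rule 3 (AES256 > AES128) before rule 2 (AES > CAMELLIA), whereas the TLS_RSA block further down puts every AES suite ahead of any Camellia suite; the table contradicts its own header comment in one of the two sections. Assuming the header is authoritative, the two TLS_DHE_RSA_WITH_CAMELLIA_256_* entries should move below TLS_DHE_RSA_WITH_AES_128_CBC_SHA so that all DHE AES suites come first. The moved entry at L222 also preserves a missing space, `HASH_SHA256,PRF_HMAC_SHA2_256,`, which should read `HASH_SHA256, PRF_HMAC_SHA2_256,` like every other row.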
@@ -638,34 +656,22 @@ static suite_algs_t suite_algs[] = {
                AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-               KEY_RSA, MODP_3072_BIT,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
-               SSL_3_0, TLS_1_2,
-       },
-       { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
-               KEY_RSA, MODP_4096_BIT,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
-               TLS_1_2, TLS_1_2,
-       },
-       { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+       { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
                KEY_RSA, MODP_2048_BIT,
                HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
+               AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
                SSL_3_0, TLS_1_2,
        },
-       { TLS_RSA_WITH_AES_128_CBC_SHA,
+       { TLS_RSA_WITH_AES_256_GCM_SHA384,
                KEY_RSA, MODP_NONE,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
-               SSL_3_0, TLS_1_2,
+               HASH_SHA384, PRF_HMAC_SHA2_384,
+               AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+               TLS_1_2, TLS_1_2,
        },
-       { TLS_RSA_WITH_AES_128_CBC_SHA256,
+       { TLS_RSA_WITH_AES_256_CBC_SHA256,
                KEY_RSA, MODP_NONE,
                HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
+               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
                TLS_1_2, TLS_1_2,
        },
        { TLS_RSA_WITH_AES_256_CBC_SHA,
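Review bot: Dropping TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA here (L243), together with the ECDHE and RSA 3DES suites removed in the following hunk, is a functional change that the commit message does not mention; it only describes a reordering. Removing a 64-bit block cipher from the default table is the right call, but since the `3des` keyword is also deleted from the cipher config filter later in this diff, peers and configurations that relied on it will stop negotiating, and the message should say so. A sentence such as "3DES, NULL-MD5 and SSLv2-era suites are removed, along with the `3des` and `md5` config keywords" would make the behavioural change discoverable from the log.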
@@ -674,34 +680,28 @@ static suite_algs_t suite_algs[] = {
                AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
                SSL_3_0, TLS_1_2,
        },
-       { TLS_RSA_WITH_AES_256_CBC_SHA256,
-               KEY_RSA, MODP_NONE,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
-               TLS_1_2, TLS_1_2,
-       },
        { TLS_RSA_WITH_AES_128_GCM_SHA256,
                KEY_RSA, MODP_NONE,
                HASH_SHA256, PRF_HMAC_SHA2_256,
                AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_RSA_WITH_AES_256_GCM_SHA384,
+       { TLS_RSA_WITH_AES_128_CBC_SHA256,
                KEY_RSA, MODP_NONE,
-               HASH_SHA384, PRF_HMAC_SHA2_384,
-               AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+               HASH_SHA256, PRF_HMAC_SHA2_256,
+               AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+       { TLS_RSA_WITH_AES_128_CBC_SHA,
                KEY_RSA, MODP_NONE,
                HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
+               AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
                SSL_3_0, TLS_1_2,
        },
-       { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+       { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
                KEY_RSA, MODP_NONE,
                HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
+               AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
                TLS_1_2, TLS_1_2,
        },
        { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
@@ -710,28 +710,16 @@ static suite_algs_t suite_algs[] = {
                AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
                SSL_3_0, TLS_1_2,
        },
-       { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+       { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
                KEY_RSA, MODP_NONE,
                HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
+               AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
-               KEY_ECDSA, ECP_256_BIT,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
-               TLS_1_0, TLS_1_2,
-       },
-       { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-               KEY_RSA, ECP_256_BIT,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
-               TLS_1_0, TLS_1_2,
-       },
-       { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+       { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
                KEY_RSA, MODP_NONE,
                HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
+               AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
                SSL_3_0, TLS_1_2,
        },
        { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
@@ -746,23 +734,17 @@ static suite_algs_t suite_algs[] = {
                AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
                TLS_1_0, TLS_1_2,
        },
-       { TLS_RSA_WITH_NULL_SHA,
-               KEY_RSA, MODP_NONE,
-               HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
-               SSL_3_0, TLS_1_2,
-       },
        { TLS_RSA_WITH_NULL_SHA256,
                KEY_RSA, MODP_NONE,
                HASH_SHA256, PRF_HMAC_SHA2_256,
                AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
                TLS_1_2, TLS_1_2,
        },
-       { TLS_RSA_WITH_NULL_MD5,
+       { TLS_RSA_WITH_NULL_SHA,
                KEY_RSA, MODP_NONE,
                HASH_SHA256, PRF_HMAC_SHA2_256,
-               AUTH_HMAC_MD5_128, ENCR_NULL, 0,
-               SSL_2_0, TLS_1_2,
+               AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
+               SSL_3_0, TLS_1_2,
        },
 };
 
@@ -1013,12 +995,6 @@ static void filter_cipher_config_suites(private_tls_crypto_t *this,
                                        suites[remaining++] = suites[i];
                                        break;
                                }
-                               if (strcaseeq(token, "3des") &&
-                                       suites[i].encr == ENCR_3DES)
-                               {
-                                       suites[remaining++] = suites[i];
-                                       break;
-                               }
                                if (strcaseeq(token, "null") &&
                                        suites[i].encr == ENCR_NULL)
                                {
@@ -1051,12 +1027,6 @@ static void filter_mac_config_suites(private_tls_crypto_t *this,
                        enumerator = enumerator_create_token(config, ",", " ");
                        while (enumerator->enumerate(enumerator, &token))
                        {
-                               if (strcaseeq(token, "md5") &&
-                                       suites[i].mac == AUTH_HMAC_MD5_128)
-                               {
-                                       suites[remaining++] = suites[i];
-                                       break;
-                               }
                                if (strcaseeq(token, "sha1") &&
                                        suites[i].mac == AUTH_HMAC_SHA1_160)
                                {