8 #ifndef BOTAN_TLS_POLICY_H__
9 #define BOTAN_TLS_POLICY_H__
11 #include <botan/tls_version.h>
12 #include <botan/tls_ciphersuite.h>
13 #include <botan/x509cert.h>
14 #include <botan/dl_group.h>
34 virtual std::vector<std::string> allowed_ciphers()
const;
40 virtual std::vector<std::string> allowed_signature_hashes()
const;
45 virtual std::vector<std::string> allowed_macs()
const;
52 virtual std::vector<std::string> allowed_key_exchange_methods()
const;
58 virtual std::vector<std::string> allowed_signature_methods()
const;
67 virtual size_t minimum_signature_strength()
const;
74 virtual bool require_cert_revocation_info()
const;
76 bool allowed_signature_method(
const std::string& sig_method)
const;
81 virtual std::vector<std::string> allowed_ecc_curves()
const;
83 bool allowed_ecc_curve(
const std::string& curve)
const;
88 virtual bool use_ecc_point_compression()
const;
97 virtual std::vector<uint8_t> compression()
const;
102 virtual std::string choose_curve(
const std::vector<std::string>& curve_names)
const;
111 virtual bool allow_insecure_renegotiation()
const;
119 virtual bool include_time_in_hello_random()
const;
124 virtual bool allow_server_initiated_renegotiation()
const;
129 virtual bool allow_tls10()
const;
134 virtual bool allow_tls11()
const;
139 virtual bool allow_tls12()
const;
144 virtual bool allow_dtls10()
const;
149 virtual bool allow_dtls12()
const;
151 virtual std::string dh_group()
const;
157 virtual size_t minimum_dh_group_size()
const;
164 virtual size_t minimum_ecdsa_group_size()
const;
174 virtual size_t minimum_ecdh_group_size()
const;
187 virtual size_t minimum_rsa_bits()
const;
192 virtual size_t minimum_dsa_group_size()
const;
201 virtual void check_peer_key_acceptable(
const Public_Key& public_key)
const;
211 virtual bool hide_unknown_users()
const;
218 virtual uint32_t session_ticket_lifetime()
const;
225 virtual std::vector<uint16_t> srtp_profiles()
const;
252 virtual bool acceptable_ciphersuite(
const Ciphersuite& suite)
const;
259 virtual bool server_uses_own_ciphersuite_preferences()
const;
265 virtual bool negotiate_encrypt_then_mac()
const;
271 bool have_srp)
const;
276 virtual size_t dtls_default_mtu()
const;
281 virtual size_t dtls_initial_timeout()
const;
286 virtual size_t dtls_maximum_timeout()
const;
292 virtual void print(std::ostream& o)
const;
300 virtual ~
Policy() =
default;
310 {
return std::vector<std::string>({
"AES-128/GCM"}); }
313 {
return std::vector<std::string>({
"SHA-256"}); }
316 {
return std::vector<std::string>({
"AEAD"}); }
319 {
return std::vector<std::string>({
"ECDH"}); }
322 {
return std::vector<std::string>({
"ECDSA"}); }
325 {
return std::vector<std::string>({
"secp256r1"}); }
344 return std::vector<std::string>({
"AES-256/GCM",
"AES-128/GCM",
"AES-256",
"AES-128" });
349 return std::vector<std::string>({
"SHA-384",
"SHA-256"});
354 return std::vector<std::string>({
"AEAD",
"SHA-384",
"SHA-256"});
359 return std::vector<std::string>({
"ECDH",
"DH",
"PSK",
"ECDHE_PSK",
"DHE_PSK"});
364 return std::vector<std::string>({
"ECDSA",
"RSA",
"DSA"});
369 return std::vector<std::string>({
"brainpool512r1",
"brainpool384r1",
"brainpool256r1",
"secp384r1",
"secp256r1"});
398 {
return std::vector<std::string>({
"AEAD"}); }
417 std::vector<std::string> allowed_ciphers()
const override;
419 std::vector<std::string> allowed_signature_hashes()
const override;
421 std::vector<std::string> allowed_macs()
const override;
423 std::vector<std::string> allowed_key_exchange_methods()
const override;
425 bool allow_tls10()
const override;
426 bool allow_tls11()
const override;
427 bool allow_tls12()
const override;
428 bool allow_dtls10()
const override;
429 bool allow_dtls12()
const override;
516 std::vector<uint16_t> r;
517 for(
auto&& p : get_list(
"srtp_profiles", std::vector<std::string>()))
/**
* Store a policy setting, overwriting any existing value for @p k.
* @param k setting name (used verbatim as the lookup key)
* @param v setting value as text; parsed later by the get_* accessors
*/
void set(const std::string& k, const std::string& v)
   {
   auto pos = m_kv.find(k);
   if(pos == m_kv.end())
      m_kv.emplace(k, v);
   else
      pos->second = v;
   }
528 std::istringstream iss(s);
537 std::vector<std::string> get_list(
const std::string& key,
538 const std::vector<std::string>& def)
const
540 const std::string v = get_str(key);
548 size_t get_len(
const std::string& key,
size_t def)
const
550 const std::string v = get_str(key);
558 bool get_bool(
const std::string& key,
bool def)
const
560 const std::string v = get_str(key);
565 if(v ==
"true" || v ==
"True")
567 else if(v ==
"false" || v ==
"False")
570 throw Exception(
"Invalid boolean '" + v +
"'");
573 std::string get_str(
const std::string& key,
const std::string& def =
"")
const
575 auto i = m_kv.find(key);
582 std::map<std::string, std::string> m_kv;
uint32_t session_ticket_lifetime() const override
uint32_t to_u32bit(const std::string &str)
virtual std::vector< std::string > allowed_ciphers() const
virtual size_t minimum_dh_group_size() const
bool allow_tls10() const override
virtual bool allow_insecure_renegotiation() const
bool allow_tls12() const override
virtual std::vector< std::string > allowed_ecc_curves() const
bool allow_tls11() const override
bool use_ecc_point_compression() const override
bool negotiate_encrypt_then_mac() const override
bool allow_dtls10() const override
std::vector< std::string > allowed_signature_hashes() const override
std::string dh_group() const override
size_t minimum_rsa_bits() const override
virtual bool send_fallback_scsv(Protocol_Version version) const
virtual std::vector< std::string > allowed_signature_methods() const
virtual bool server_uses_own_ciphersuite_preferences() const
std::vector< std::string > allowed_signature_hashes() const override
size_t minimum_ecdsa_group_size() const override
std::vector< std::string > allowed_key_exchange_methods() const override
bool allow_tls11() const override
std::vector< std::string > split_on(const std::string &str, char delim)
bool server_uses_own_ciphersuite_preferences() const override
std::vector< std::string > allowed_macs() const override
bool allow_tls12() const override
bool allow_tls12() const override
size_t minimum_dsa_group_size() const override
virtual size_t minimum_ecdh_group_size() const
bool send_fallback_scsv(Protocol_Version version) const override
virtual bool hide_unknown_users() const
size_t minimum_signature_strength() const override
std::vector< std::string > allowed_ecc_curves() const override
bool allow_dtls10() const override
std::vector< std::string > allowed_macs() const override
std::map< std::string, std::string > BOTAN_DLL read_cfg(std::istream &is)
Text_Policy(std::istream &in)
std::vector< std::string > allowed_ciphers() const override
bool allow_tls11() const override
std::vector< std::string > allowed_signature_methods() const override
std::vector< std::string > allowed_ecc_curves() const override
virtual std::string dh_group() const
virtual bool allow_server_initiated_renegotiation() const
virtual size_t minimum_ecdsa_group_size() const
std::vector< std::string > allowed_macs() const override
bool allow_tls10() const override
bool allow_dtls12() const override
virtual std::vector< std::string > allowed_signature_hashes() const
std::vector< std::string > allowed_ecc_curves() const override
virtual size_t minimum_rsa_bits() const
bool allow_server_initiated_renegotiation() const override
bool allow_server_initiated_renegotiation() const override
bool hide_unknown_users() const override
size_t minimum_ecdh_group_size() const override
std::vector< uint16_t > srtp_profiles() const override
size_t minimum_dh_group_size() const override
bool include_time_in_hello_random() const override
bool allow_dtls10() const override
Text_Policy(const std::string &s)
bool allow_insecure_renegotiation() const override
bool allow_tls10() const override
virtual bool use_ecc_point_compression() const
bool allow_dtls10() const override
void set(const std::string &k, const std::string &v)
std::vector< std::string > allowed_macs() const override
std::vector< std::string > allowed_ciphers() const override
virtual uint32_t session_ticket_lifetime() const
std::vector< std::string > allowed_key_exchange_methods() const override
std::string to_string(const secure_vector< uint8_t > &bytes)
size_t minimum_rsa_bits() const override
bool allow_tls10() const override
bool allow_tls12() const override
virtual bool allow_tls10() const
size_t minimum_ecdh_group_size() const override
bool server_uses_own_ciphersuite_preferences() const override
std::vector< std::string > allowed_signature_hashes() const override
size_t minimum_dh_group_size() const override
bool allow_dtls12() const override
bool allow_insecure_renegotiation() const override
std::vector< std::string > allowed_signature_methods() const override
size_t minimum_signature_strength() const override
bool allow_dtls12() const override
virtual size_t minimum_signature_strength() const
virtual bool allow_dtls12() const
virtual bool allow_dtls10() const
virtual bool include_time_in_hello_random() const
std::vector< std::string > allowed_signature_methods() const override
bool allow_tls11() const override
bool negotiate_encrypt_then_mac() const override
virtual std::vector< std::string > allowed_key_exchange_methods() const
std::vector< std::string > allowed_ciphers() const override
size_t minimum_ecdsa_group_size() const override
std::vector< std::string > allowed_key_exchange_methods() const override
bool allow_dtls12() const override
virtual bool allow_tls11() const
virtual std::vector< std::string > allowed_macs() const
virtual bool negotiate_encrypt_then_mac() const
virtual bool allow_tls12() const