10#include <botan/tls_policy.h>
11#include <botan/tls_ciphersuite.h>
12#include <botan/tls_algos.h>
13#include <botan/tls_exceptn.h>
14#include <botan/internal/stl_util.h>
15#include <botan/pk_keys.h>
24 std::vector<Signature_Scheme> schemes;
33 if(sig_allowed && hash_allowed)
35 schemes.push_back(scheme);
134 if(peer_groups.empty())
139 for(
auto g : our_groups)
167#if defined(BOTAN_HAS_CURVE_25519)
233 const std::string algo_name = public_key.
algo_name();
235 const size_t keylength = public_key.
key_length();
236 size_t expected_keylength = 0;
238 if(algo_name ==
"RSA")
242 else if(algo_name ==
"DH")
246 else if(algo_name ==
"DSA")
250 else if(algo_name ==
"ECDH" || algo_name ==
"Curve25519")
254 else if(algo_name ==
"ECDSA")
260 if(keylength < expected_keylength)
263 std::to_string(keylength) +
" bit " + algo_name +
" key"
264 ", policy requires at least " +
265 std::to_string(expected_keylength));
286#if defined(BOTAN_HAS_TLS_V10)
306#if defined(BOTAN_HAS_TLS_V10)
310 throw Invalid_State(
"Policy forbids all available DTLS version");
316#if defined(BOTAN_HAS_TLS_V10)
322 throw Invalid_State(
"Policy forbids all available TLS version");
361 return 1280 - 40 - 8;
366 return std::vector<uint16_t>();
371class Ciphersuite_Preference_Ordering
final
374 Ciphersuite_Preference_Ordering(
const std::vector<std::string>& ciphers,
375 const std::vector<std::string>& macs,
376 const std::vector<std::string>& kex,
377 const std::vector<std::string>& sigs) :
378 m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
380 bool operator()(
const Ciphersuite& a,
const Ciphersuite& b)
const
382 if(a.kex_method() != b.kex_method())
384 for(
size_t i = 0; i != m_kex.size(); ++i)
386 if(a.kex_algo() == m_kex[i])
388 if(b.kex_algo() == m_kex[i])
393 if(a.cipher_algo() != b.cipher_algo())
395 for(
size_t i = 0; i != m_ciphers.size(); ++i)
397 if(a.cipher_algo() == m_ciphers[i])
399 if(b.cipher_algo() == m_ciphers[i])
404 if(a.cipher_keylen() != b.cipher_keylen())
406 if(a.cipher_keylen() < b.cipher_keylen())
408 if(a.cipher_keylen() > b.cipher_keylen())
412 if(a.auth_method() != b.auth_method())
414 for(
size_t i = 0; i != m_sigs.size(); ++i)
416 if(a.sig_algo() == m_sigs[i])
418 if(b.sig_algo() == m_sigs[i])
423 if(a.mac_algo() != b.mac_algo())
425 for(
size_t i = 0; i != m_macs.size(); ++i)
427 if(a.mac_algo() == m_macs[i])
429 if(b.mac_algo() == m_macs[i])
437 std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
450 std::vector<Ciphersuite> ciphersuites;
459 if(!suite.usable_in_version(version))
498 ciphersuites.push_back(suite);
501 if(ciphersuites.empty())
503 throw Invalid_State(
"Policy does not allow any available cipher suite");
506 Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
507 std::sort(ciphersuites.begin(), ciphersuites.end(), order);
509 std::vector<uint16_t> ciphersuite_codes;
510 for(
auto i : ciphersuites)
511 ciphersuite_codes.push_back(i.ciphersuite_code());
512 return ciphersuite_codes;
517void print_vec(std::ostream& o,
519 const std::vector<std::string>& v)
522 for(
size_t i = 0; i != v.size(); ++i)
525 if(i != v.size() - 1)
531void print_vec(std::ostream& o,
533 const std::vector<Group_Params>& v)
536 for(
size_t i = 0; i != v.size(); ++i)
539 if(i != v.size() - 1)
545void print_bool(std::ostream& o,
546 const char* key,
bool b)
548 o << key <<
" = " << (b ?
"true" :
"false") <<
'\n';
583 std::ostringstream oss;
590 return {
"ChaCha20Poly1305",
"AES-256/GCM",
"AES-128/GCM" };
595 return {
"SHA-512",
"SHA-384"};
605 return {
"CECPQ1",
"ECDH" };
virtual size_t key_length() const =0
virtual std::string algo_name() const =0
static const std::vector< Ciphersuite > & all_known_ciphersuites()
std::string mac_algo() const
std::string cipher_algo() const
virtual bool include_time_in_hello_random() const
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
virtual bool abort_connection_on_undesired_renegotiation() const
virtual size_t dtls_maximum_timeout() const
virtual size_t minimum_ecdh_group_size() const
virtual size_t dtls_default_mtu() const
virtual bool allow_tls12() const
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version, bool have_srp) const
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
std::string to_string() const
virtual bool require_client_certificate_authentication() const
virtual std::vector< Group_Params > key_exchange_groups() const
virtual bool allow_dtls10() const
virtual size_t minimum_rsa_bits() const
bool allowed_signature_method(const std::string &sig_method) const
virtual bool only_resume_with_exact_version() const
virtual bool allow_client_initiated_renegotiation() const
virtual size_t minimum_dsa_group_size() const
bool allowed_signature_hash(const std::string &hash) const
virtual bool allow_dtls_epoch0_restart() const
virtual bool request_client_certificate_authentication() const
virtual bool require_cert_revocation_info() const
virtual bool allow_tls10() const
virtual bool negotiate_encrypt_then_mac() const
virtual bool server_uses_own_ciphersuite_preferences() const
virtual Protocol_Version latest_supported_version(bool datagram) const
virtual bool acceptable_protocol_version(Protocol_Version version) const
virtual std::vector< uint16_t > srtp_profiles() const
virtual uint32_t session_ticket_lifetime() const
virtual bool support_cert_status_message() const
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
virtual std::vector< std::string > allowed_macs() const
virtual bool hide_unknown_users() const
virtual bool allow_tls11() const
virtual std::vector< std::string > allowed_key_exchange_methods() const
virtual size_t dtls_initial_timeout() const
virtual bool use_ecc_point_compression() const
virtual bool allow_dtls12() const
virtual size_t minimum_dh_group_size() const
virtual bool allow_insecure_renegotiation() const
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &peer_groups) const
virtual std::vector< std::string > allowed_ciphers() const
virtual bool send_fallback_scsv(Protocol_Version version) const
virtual size_t minimum_signature_strength() const
virtual Group_Params default_dh_group() const
virtual size_t maximum_certificate_chain_size() const
virtual std::vector< std::string > allowed_signature_methods() const
virtual size_t minimum_ecdsa_group_size() const
virtual bool allow_resumption_for_renegotiation() const
virtual std::vector< std::string > allowed_signature_hashes() const
virtual bool allow_server_initiated_renegotiation() const
virtual void print(std::ostream &o) const
bool is_datagram_protocol() const
std::vector< std::string > allowed_macs() const override
bool allow_dtls12() const override
std::vector< std::string > allowed_ciphers() const override
bool allow_tls12() const override
bool allow_tls11() const override
std::vector< std::string > allowed_key_exchange_methods() const override
bool allow_tls10() const override
std::vector< std::string > allowed_signature_hashes() const override
bool allow_dtls10() const override
int(* final)(unsigned char *, CTX *)
const std::vector< Signature_Scheme > & all_signature_schemes()
bool signature_scheme_is_known(Signature_Scheme scheme)
bool group_param_is_dh(Group_Params group)
std::string hash_function_of_scheme(Signature_Scheme scheme)
std::string group_param_to_string(Group_Params group)
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
bool value_exists(const std::vector< T > &vec, const T &val)