9#ifndef BOTAN_TLS_POLICY_H_
10#define BOTAN_TLS_POLICY_H_
12#include <botan/tls_version.h>
13#include <botan/tls_algos.h>
14#include <botan/tls_ciphersuite.h>
36 virtual std::vector<std::string> allowed_ciphers()
const;
42 virtual std::vector<std::string> allowed_signature_hashes()
const;
47 virtual std::vector<std::string> allowed_macs()
const;
54 virtual std::vector<std::string> allowed_key_exchange_methods()
const;
60 virtual std::vector<std::string> allowed_signature_methods()
const;
62 virtual std::vector<Signature_Scheme> allowed_signature_schemes()
const;
71 virtual size_t minimum_signature_strength()
const;
78 virtual bool require_cert_revocation_info()
const;
80 bool allowed_signature_method(
const std::string& sig_method)
const;
81 bool allowed_signature_hash(
const std::string&
hash)
const;
87 virtual std::vector<Group_Params> key_exchange_groups()
const;
92 virtual bool use_ecc_point_compression()
const;
98 virtual Group_Params choose_key_exchange_group(
const std::vector<Group_Params>& peer_groups)
const;
107 virtual bool allow_insecure_renegotiation()
const;
115 virtual bool include_time_in_hello_random()
const;
120 virtual bool allow_client_initiated_renegotiation()
const;
125 virtual bool allow_server_initiated_renegotiation()
const;
131 virtual bool abort_connection_on_undesired_renegotiation()
const;
133 virtual bool only_resume_with_exact_version()
const;
138 virtual bool allow_tls10()
const;
143 virtual bool allow_tls11()
const;
148 virtual bool allow_tls12()
const;
153 virtual bool allow_dtls10()
const;
158 virtual bool allow_dtls12()
const;
166 virtual size_t minimum_dh_group_size()
const;
173 virtual size_t minimum_ecdsa_group_size()
const;
183 virtual size_t minimum_ecdh_group_size()
const;
196 virtual size_t minimum_rsa_bits()
const;
201 virtual size_t minimum_dsa_group_size()
const;
210 virtual void check_peer_key_acceptable(
const Public_Key& public_key)
const;
220 virtual bool hide_unknown_users()
const;
227 virtual uint32_t session_ticket_lifetime()
const;
234 virtual std::vector<uint16_t> srtp_profiles()
const;
261 virtual bool acceptable_ciphersuite(
const Ciphersuite& suite)
const;
268 virtual bool server_uses_own_ciphersuite_preferences()
const;
274 virtual bool negotiate_encrypt_then_mac()
const;
279 virtual bool support_cert_status_message()
const;
286 virtual bool require_client_certificate_authentication()
const;
292 virtual bool request_client_certificate_authentication()
const;
298 virtual bool allow_dtls_epoch0_restart()
const;
304 bool have_srp)
const;
309 virtual size_t dtls_default_mtu()
const;
314 virtual size_t dtls_initial_timeout()
const;
319 virtual size_t dtls_maximum_timeout()
const;
325 virtual size_t maximum_certificate_chain_size()
const;
327 virtual bool allow_resumption_for_renegotiation()
const;
333 virtual void print(std::ostream& o)
const;
339 std::string to_string()
const;
356 {
return std::vector<std::string>({
"AES-128/GCM"}); }
359 {
return std::vector<std::string>({
"SHA-256"}); }
362 {
return std::vector<std::string>({
"AEAD"}); }
365 {
return std::vector<std::string>({
"ECDH"}); }
368 {
return std::vector<std::string>({
"ECDSA"}); }
371 {
return {Group_Params::SECP256R1}; }
389 {
return std::vector<std::string>({
"AES-256/GCM"}); }
392 {
return std::vector<std::string>({
"SHA-384"}); }
395 {
return std::vector<std::string>({
"AEAD"}); }
398 {
return std::vector<std::string>({
"ECDH"}); }
401 {
return std::vector<std::string>({
"ECDSA"}); }
404 {
return {Group_Params::SECP384R1}; }
423 return std::vector<std::string>({
"AES-256/GCM",
"AES-128/GCM",
"AES-256/CCM",
"AES-128/CCM",
"AES-256",
"AES-128"});
428 return std::vector<std::string>({
"SHA-512",
"SHA-384",
"SHA-256"});
433 return std::vector<std::string>({
"AEAD",
"SHA-384",
"SHA-256"});
438 return std::vector<std::string>({
"ECDH",
"DH",
"ECDHE_PSK",
"DHE_PSK"});
443 return std::vector<std::string>({
"ECDSA",
"RSA",
"DSA"});
448 return std::vector<Group_Params>({
449 Group_Params::BRAINPOOL512R1,
450 Group_Params::BRAINPOOL384R1,
451 Group_Params::BRAINPOOL256R1,
452 Group_Params::SECP384R1,
453 Group_Params::SECP256R1,
454 Group_Params::FFDHE_4096,
455 Group_Params::FFDHE_3072,
456 Group_Params::FFDHE_2048
486 {
return std::vector<std::string>({
"AEAD"}); }
505 std::vector<std::string> allowed_ciphers()
const override;
507 std::vector<std::string> allowed_signature_hashes()
const override;
509 std::vector<std::string> allowed_macs()
const override;
511 std::vector<std::string> allowed_key_exchange_methods()
const override;
513 bool allow_tls10()
const override;
514 bool allow_tls11()
const override;
515 bool allow_tls12()
const override;
516 bool allow_dtls10()
const override;
517 bool allow_dtls12()
const override;
524 std::vector<std::string> allowed_ciphers()
const override;
526 std::vector<std::string> allowed_signature_hashes()
const override;
528 std::vector<std::string> allowed_macs()
const override;
530 std::vector<std::string> allowed_key_exchange_methods()
const override;
532 std::vector<std::string> allowed_signature_methods()
const override;
534 std::vector<Group_Params> key_exchange_groups()
const override;
536 bool use_ecc_point_compression()
const override;
538 bool allow_tls10()
const override;
540 bool allow_tls11()
const override;
542 bool allow_tls12()
const override;
544 bool allow_dtls10()
const override;
546 bool allow_dtls12()
const override;
548 bool allow_insecure_renegotiation()
const override;
550 bool include_time_in_hello_random()
const override;
552 bool allow_client_initiated_renegotiation()
const override;
553 bool allow_server_initiated_renegotiation()
const override;
555 bool server_uses_own_ciphersuite_preferences()
const override;
557 bool negotiate_encrypt_then_mac()
const override;
559 bool support_cert_status_message()
const override;
561 bool require_client_certificate_authentication()
const override;
563 size_t minimum_ecdh_group_size()
const override;
565 size_t minimum_ecdsa_group_size()
const override;
567 size_t minimum_dh_group_size()
const override;
569 size_t minimum_rsa_bits()
const override;
571 size_t minimum_signature_strength()
const override;
573 size_t dtls_default_mtu()
const override;
575 size_t dtls_initial_timeout()
const override;
577 size_t dtls_maximum_timeout()
const override;
579 bool require_cert_revocation_info()
const override;
581 bool hide_unknown_users()
const override;
583 uint32_t session_ticket_lifetime()
const override;
587 std::vector<uint16_t> srtp_profiles()
const override;
589 void set(
const std::string& k,
const std::string& v);
597 std::vector<std::string> get_list(
const std::string& key,
598 const std::vector<std::string>& def)
const;
600 size_t get_len(
const std::string& key,
size_t def)
const;
602 bool get_bool(
const std::string& key,
bool def)
const;
604 std::string get_str(
const std::string& key,
const std::string& def =
"")
const;
606 bool set_value(
const std::string& key,
const std::string& val,
bool overwrite);
609 std::map<std::string, std::string> m_kv;
bool allow_dtls12() const override
bool allow_tls11() const override
size_t minimum_ecdh_group_size() const override
size_t minimum_dsa_group_size() const override
std::vector< std::string > allowed_signature_hashes() const override
bool negotiate_encrypt_then_mac() const override
std::vector< std::string > allowed_ciphers() const override
std::vector< std::string > allowed_signature_methods() const override
bool allow_server_initiated_renegotiation() const override
bool server_uses_own_ciphersuite_preferences() const override
bool allow_tls10() const override
bool allow_tls12() const override
std::vector< std::string > allowed_macs() const override
size_t minimum_rsa_bits() const override
bool allow_dtls10() const override
std::vector< Group_Params > key_exchange_groups() const override
size_t minimum_dh_group_size() const override
bool allow_insecure_renegotiation() const override
size_t minimum_ecdsa_group_size() const override
std::vector< std::string > allowed_key_exchange_methods() const override
bool allow_dtls12() const override
bool allow_dtls10() const override
bool allow_tls11() const override
bool allow_tls10() const override
bool allow_tls12() const override
std::vector< std::string > allowed_macs() const override
std::vector< std::string > allowed_macs() const override
bool allow_dtls12() const override
bool allow_tls11() const override
std::vector< Group_Params > key_exchange_groups() const override
bool allow_tls10() const override
size_t minimum_signature_strength() const override
bool allow_dtls10() const override
std::vector< std::string > allowed_signature_methods() const override
std::vector< std::string > allowed_key_exchange_methods() const override
std::vector< std::string > allowed_signature_hashes() const override
std::vector< std::string > allowed_ciphers() const override
bool allow_tls12() const override
bool allow_dtls10() const override
std::vector< Group_Params > key_exchange_groups() const override
bool allow_tls10() const override
bool allow_tls12() const override
std::vector< std::string > allowed_macs() const override
bool allow_tls11() const override
bool allow_dtls12() const override
std::vector< std::string > allowed_ciphers() const override
std::vector< std::string > allowed_key_exchange_methods() const override
size_t minimum_signature_strength() const override
std::vector< std::string > allowed_signature_methods() const override
std::vector< std::string > allowed_signature_hashes() const override
virtual ~Policy()=default
#define BOTAN_PUBLIC_API(maj, min)