Botan 2.19.1
Crypto and TLS for C&
|
#include <tls_policy.h>
Public Member Functions | |
virtual bool | abort_connection_on_undesired_renegotiation () const |
virtual bool | acceptable_ciphersuite (const Ciphersuite &suite) const |
virtual bool | acceptable_protocol_version (Protocol_Version version) const |
bool | allow_client_initiated_renegotiation () const override |
bool | allow_dtls10 () const override |
bool | allow_dtls12 () const override |
virtual bool | allow_dtls_epoch0_restart () const |
bool | allow_insecure_renegotiation () const override |
virtual bool | allow_resumption_for_renegotiation () const |
bool | allow_server_initiated_renegotiation () const override |
bool | allow_tls10 () const override |
bool | allow_tls11 () const override |
bool | allow_tls12 () const override |
std::vector< std::string > | allowed_ciphers () const override |
std::vector< std::string > | allowed_key_exchange_methods () const override |
std::vector< std::string > | allowed_macs () const override |
bool | allowed_signature_hash (const std::string &hash) const |
std::vector< std::string > | allowed_signature_hashes () const override |
bool | allowed_signature_method (const std::string &sig_method) const |
std::vector< std::string > | allowed_signature_methods () const override |
virtual std::vector< Signature_Scheme > | allowed_signature_schemes () const |
virtual void | check_peer_key_acceptable (const Public_Key &public_key) const |
virtual Group_Params | choose_key_exchange_group (const std::vector< Group_Params > &peer_groups) const |
virtual std::vector< uint16_t > | ciphersuite_list (Protocol_Version version, bool have_srp) const |
virtual Group_Params | default_dh_group () const |
size_t | dtls_default_mtu () const override |
size_t | dtls_initial_timeout () const override |
size_t | dtls_maximum_timeout () const override |
bool | hide_unknown_users () const override |
bool | include_time_in_hello_random () const override |
std::vector< Group_Params > | key_exchange_groups () const override |
virtual Protocol_Version | latest_supported_version (bool datagram) const |
virtual size_t | maximum_certificate_chain_size () const |
size_t | minimum_dh_group_size () const override |
virtual size_t | minimum_dsa_group_size () const |
size_t | minimum_ecdh_group_size () const override |
size_t | minimum_ecdsa_group_size () const override |
size_t | minimum_rsa_bits () const override |
size_t | minimum_signature_strength () const override |
bool | negotiate_encrypt_then_mac () const override |
virtual bool | only_resume_with_exact_version () const |
virtual void | print (std::ostream &o) const |
virtual bool | request_client_certificate_authentication () const |
bool | require_cert_revocation_info () const override |
bool | require_client_certificate_authentication () const override |
bool | send_fallback_scsv (Protocol_Version version) const override |
bool | server_uses_own_ciphersuite_preferences () const override |
uint32_t | session_ticket_lifetime () const override |
void | set (const std::string &k, const std::string &v) |
std::vector< uint16_t > | srtp_profiles () const override |
bool | support_cert_status_message () const override |
Text_Policy (const std::string &s) | |
Text_Policy (std::istream &in) | |
std::string | to_string () const |
bool | use_ecc_point_compression () const override |
Protected Member Functions | |
bool | get_bool (const std::string &key, bool def) const |
size_t | get_len (const std::string &key, size_t def) const |
std::vector< std::string > | get_list (const std::string &key, const std::vector< std::string > &def) const |
std::string | get_str (const std::string &key, const std::string &def="") const |
bool | set_value (const std::string &key, const std::string &val, bool overwrite) |
Definition at line 520 of file tls_policy.h.
|
explicit |
Definition at line 237 of file tls_text_policy.cpp.
References Botan::read_cfg().
|
explicit |
Definition at line 243 of file tls_text_policy.cpp.
|
virtualinherited |
If true, a request to renegotiate will close the connection with a fatal alert. Otherwise, a warning alert is sent.
Definition at line 349 of file tls_policy.cpp.
|
virtualinherited |
Allows policy to reject any ciphersuites which are undesirable for whatever reason without having to reimplement ciphersuite_list
Definition at line 326 of file tls_policy.cpp.
References Botan::TLS::Policy::allowed_ciphers(), Botan::TLS::Policy::allowed_macs(), Botan::TLS::Ciphersuite::cipher_algo(), Botan::TLS::Ciphersuite::mac_algo(), and Botan::value_exists().
Referenced by Botan::TLS::Policy::ciphersuite_list().
|
virtualinherited |
Definition at line 278 of file tls_policy.cpp.
References Botan::TLS::Policy::allow_dtls10(), Botan::TLS::Policy::allow_dtls12(), Botan::TLS::Policy::allow_tls10(), Botan::TLS::Policy::allow_tls11(), Botan::TLS::Policy::allow_tls12(), Botan::TLS::Protocol_Version::DTLS_V10, Botan::TLS::Protocol_Version::DTLS_V12, Botan::TLS::Protocol_Version::TLS_V10, Botan::TLS::Protocol_Version::TLS_V11, and Botan::TLS::Protocol_Version::TLS_V12.
Referenced by Botan::TLS::Client_Hello::Client_Hello(), and Botan::TLS::Policy::latest_supported_version().
|
overridevirtual |
Consulted by server side. If true, allows clients to initiate a new handshake
Reimplemented from Botan::TLS::Policy.
Definition at line 88 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allow_client_initiated_renegotiation(), and get_bool().
|
overridevirtual |
Allow DTLS v1.0
Reimplemented from Botan::TLS::Policy.
Definition at line 63 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allow_dtls10(), and get_bool().
|
overridevirtual |
Allow DTLS v1.2
Reimplemented from Botan::TLS::Policy.
Definition at line 68 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allow_dtls12(), and get_bool().
|
virtualinherited |
If true, then allow a DTLS client to restart a connection to the same server association as described in section 4.2.8 of the DTLS RFC
Definition at line 350 of file tls_policy.cpp.
Referenced by Botan::TLS::Channel::received_data().
|
overridevirtual |
Allow renegotiation even if the counterparty doesn't support the secure renegotiation extension.
Reimplemented from Botan::TLS::Policy.
Definition at line 73 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allow_insecure_renegotiation(), and get_bool().
|
virtualinherited |
Definition at line 345 of file tls_policy.cpp.
Referenced by Botan::TLS::Channel::renegotiate().
|
overridevirtual |
Consulted by client side. If true, allows servers to initiate a new handshake
Reimplemented from Botan::TLS::Policy.
Definition at line 93 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allow_server_initiated_renegotiation(), and get_bool().
|
overridevirtual |
Allow TLS v1.0
Reimplemented from Botan::TLS::Policy.
Definition at line 48 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allow_tls10(), and get_bool().
|
overridevirtual |
Allow TLS v1.1
Reimplemented from Botan::TLS::Policy.
Definition at line 53 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allow_tls11(), and get_bool().
|
overridevirtual |
Allow TLS v1.2
Reimplemented from Botan::TLS::Policy.
Definition at line 58 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allow_tls12(), and get_bool().
|
overridevirtual |
Returns a list of ciphers we are willing to negotiate, in order of preference.
Reimplemented from Botan::TLS::Policy.
Definition at line 18 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allowed_ciphers(), and get_list().
|
overridevirtual |
Returns a list of key exchange algorithms we are willing to use, in order of preference. Allowed values: DH, empty string (representing RSA using server certificate key)
Reimplemented from Botan::TLS::Policy.
Definition at line 33 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allowed_key_exchange_methods(), and get_list().
|
overridevirtual |
Returns a list of MAC algorithms we are willing to use.
Reimplemented from Botan::TLS::Policy.
Definition at line 28 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allowed_macs(), and get_list().
|
inherited |
Definition at line 122 of file tls_policy.cpp.
References Botan::TLS::Policy::allowed_signature_hashes(), and Botan::value_exists().
Referenced by Botan::TLS::Policy::allowed_signature_schemes(), and Botan::TLS::Handshake_State::choose_sig_format().
|
overridevirtual |
Returns a list of hash algorithms we are willing to use for signatures, in order of preference.
Reimplemented from Botan::TLS::Policy.
Definition at line 23 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allowed_signature_hashes(), and get_list().
|
inherited |
Definition at line 117 of file tls_policy.cpp.
References Botan::TLS::Policy::allowed_signature_methods(), and Botan::value_exists().
Referenced by Botan::TLS::Policy::allowed_signature_schemes(), and Botan::TLS::Handshake_State::parse_sig_format().
|
overridevirtual |
Returns a list of signature algorithms we are willing to use, in order of preference. Allowed values RSA and DSA.
Reimplemented from Botan::TLS::Policy.
Definition at line 38 of file tls_text_policy.cpp.
References Botan::TLS::Policy::allowed_signature_methods(), and get_list().
|
virtualinherited |
Definition at line 22 of file tls_policy.cpp.
References Botan::TLS::all_signature_schemes(), Botan::TLS::Policy::allowed_signature_hash(), Botan::TLS::Policy::allowed_signature_method(), Botan::TLS::hash_function_of_scheme(), Botan::TLS::signature_algorithm_of_scheme(), and Botan::TLS::signature_scheme_is_known().
Referenced by Botan::TLS::Handshake_State::choose_sig_format(), and Botan::TLS::Client_Hello::Client_Hello().
|
virtualinherited |
Throw an exception if you don't like the peer's key. Default impl checks the key size against minimum_rsa_bits, minimum_ecdsa_group_size, or minimum_ecdh_group_size depending on the key's type. Override if you'd like to perform some other kind of test on (or logging of) the peer's keys.
Definition at line 231 of file tls_policy.cpp.
References Botan::Public_Key::algo_name(), Botan::TLS::Alert::INSUFFICIENT_SECURITY, Botan::Public_Key::key_length(), Botan::TLS::Policy::minimum_dh_group_size(), Botan::TLS::Policy::minimum_dsa_group_size(), Botan::TLS::Policy::minimum_ecdh_group_size(), Botan::TLS::Policy::minimum_ecdsa_group_size(), Botan::TLS::Policy::minimum_rsa_bits(), and Botan::ASN1::to_string().
Referenced by Botan::TLS::Callbacks::tls_dh_agree(), Botan::TLS::Callbacks::tls_ecdh_agree(), Botan::TLS::Server_Key_Exchange::verify(), and Botan::TLS::Certificate_Verify::verify().
|
virtualinherited |
Select a key exchange group to use, from the list of groups sent by the peer. If none are acceptable, return Group_Params::NONE
Definition at line 132 of file tls_policy.cpp.
References Botan::TLS::Policy::key_exchange_groups(), Botan::TLS::NONE, and Botan::value_exists().
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().
|
virtualinherited |
Return allowed ciphersuites, in order of preference
Definition at line 442 of file tls_policy.cpp.
References Botan::TLS::Policy::acceptable_ciphersuite(), Botan::TLS::Ciphersuite::all_known_ciphersuites(), Botan::TLS::Policy::allowed_ciphers(), Botan::TLS::Policy::allowed_key_exchange_methods(), Botan::TLS::Policy::allowed_macs(), Botan::TLS::Policy::allowed_signature_methods(), Botan::TLS::CECPQ1, Botan::TLS::IMPLICIT, Botan::TLS::Policy::key_exchange_groups(), Botan::TLS::SRP_SHA, Botan::value_exists(), and Botan::TLS::X25519.
|
virtualinherited |
Definition at line 148 of file tls_policy.cpp.
References Botan::TLS::FFDHE_2048, Botan::TLS::group_param_is_dh(), and Botan::TLS::Policy::key_exchange_groups().
Referenced by Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().
|
overridevirtual |
Reimplemented from Botan::TLS::Policy.
Definition at line 187 of file tls_text_policy.cpp.
References Botan::TLS::Policy::dtls_default_mtu(), and get_len().
|
overridevirtual |
Reimplemented from Botan::TLS::Policy.
Definition at line 192 of file tls_text_policy.cpp.
References Botan::TLS::Policy::dtls_initial_timeout(), and get_len().
|
overridevirtual |
Reimplemented from Botan::TLS::Policy.
Definition at line 197 of file tls_text_policy.cpp.
References Botan::TLS::Policy::dtls_maximum_timeout(), and get_len().
|
protected |
Definition at line 272 of file tls_text_policy.cpp.
References get_str().
Referenced by allow_client_initiated_renegotiation(), allow_dtls10(), allow_dtls12(), allow_insecure_renegotiation(), allow_server_initiated_renegotiation(), allow_tls10(), allow_tls11(), allow_tls12(), hide_unknown_users(), include_time_in_hello_random(), negotiate_encrypt_then_mac(), require_cert_revocation_info(), require_client_certificate_authentication(), send_fallback_scsv(), server_uses_own_ciphersuite_preferences(), support_cert_status_message(), and use_ecc_point_compression().
|
protected |
Definition at line 260 of file tls_text_policy.cpp.
References get_str(), and Botan::to_u32bit().
Referenced by dtls_default_mtu(), dtls_initial_timeout(), dtls_maximum_timeout(), minimum_dh_group_size(), minimum_ecdh_group_size(), minimum_ecdsa_group_size(), minimum_rsa_bits(), minimum_signature_strength(), and session_ticket_lifetime().
|
protected |
Definition at line 247 of file tls_text_policy.cpp.
References get_str(), and Botan::split_on().
Referenced by allowed_ciphers(), allowed_key_exchange_methods(), allowed_macs(), allowed_signature_hashes(), allowed_signature_methods(), and srtp_profiles().
|
protected |
Definition at line 295 of file tls_text_policy.cpp.
Referenced by get_bool(), get_len(), get_list(), and key_exchange_groups().
|
overridevirtual |
If this function returns false, unknown SRP/PSK identifiers will be rejected with an unknown_psk_identifier alert as soon as the non-existence is identified. Otherwise, a false identifier value will be used and the protocol allowed to proceed, causing the handshake to eventually fail without revealing that the username does not exist on this system.
Reimplemented from Botan::TLS::Policy.
Definition at line 207 of file tls_text_policy.cpp.
References get_bool(), and Botan::TLS::Policy::hide_unknown_users().
|
overridevirtual |
The protocol dictates that the first 32 bits of the random field are the current time in seconds. However this allows client fingerprinting attacks. Set to false to disable, in which case random bytes will be used instead.
Reimplemented from Botan::TLS::Policy.
Definition at line 78 of file tls_text_policy.cpp.
References get_bool(), and Botan::TLS::Policy::include_time_in_hello_random().
|
overridevirtual |
Return list of ECC curves and FFDHE groups we are willing to use in order of preference.
Reimplemented from Botan::TLS::Policy.
Definition at line 113 of file tls_text_policy.cpp.
References get_str(), Botan::TLS::group_param_from_string(), Botan::TLS::Policy::key_exchange_groups(), Botan::TLS::NONE, and Botan::split_on().
|
virtualinherited |
Returns the more recent protocol version we are willing to use, for either TLS or DTLS depending on datagram param. Shouldn't ever need to override this unless you want to allow a user to disable use of TLS v1.2 (which is not recommended)
Definition at line 300 of file tls_policy.cpp.
References Botan::TLS::Policy::acceptable_protocol_version(), Botan::TLS::Protocol_Version::DTLS_V10, Botan::TLS::Protocol_Version::DTLS_V12, Botan::TLS::Protocol_Version::TLS_V10, Botan::TLS::Protocol_Version::TLS_V11, and Botan::TLS::Protocol_Version::TLS_V12.
Referenced by Botan::TLS::Policy::send_fallback_scsv().
|
virtualinherited |
Definition at line 352 of file tls_policy.cpp.
Referenced by Botan::TLS::Certificate::Certificate().
|
overridevirtual |
Return the minimum DH group size we're willing to use Default is currently 1024 (insecure), should be 2048
Reimplemented from Botan::TLS::Policy.
Definition at line 172 of file tls_text_policy.cpp.
References get_len(), and Botan::TLS::Policy::minimum_dh_group_size().
|
virtualinherited |
Minimum DSA group size, default 2048 bits
Reimplemented in Botan::TLS::BSI_TR_02102_2.
Definition at line 225 of file tls_policy.cpp.
Referenced by Botan::TLS::Policy::check_peer_key_acceptable().
|
overridevirtual |
Return the minimum ECDH group size we're willing to use for key exchange
Default 255, allowing x25519 and larger x25519 is the smallest curve we will negotiate P-521 is the largest
Reimplemented from Botan::TLS::Policy.
Definition at line 162 of file tls_text_policy.cpp.
References get_len(), and Botan::TLS::Policy::minimum_ecdh_group_size().
|
overridevirtual |
For ECDSA authenticated ciphersuites, the smallest key size the client will accept. This policy is currently only enforced on the server by the client.
Reimplemented from Botan::TLS::Policy.
Definition at line 167 of file tls_text_policy.cpp.
References get_len(), and Botan::TLS::Policy::minimum_ecdsa_group_size().
|
overridevirtual |
Return the minimum bit size we're willing to accept for RSA key exchange or server signatures.
It does not place any requirements on the size of any RSA signature(s) which were used to check the server certificate. This is only concerned with the server's public key.
Default is 2048 which is smallest RSA key size still secure for medium term security.
Reimplemented from Botan::TLS::Policy.
Definition at line 177 of file tls_text_policy.cpp.
References get_len(), and Botan::TLS::Policy::minimum_rsa_bits().
|
overridevirtual |
The minimum signature strength we will accept Returning 80 allows RSA 1024 and SHA-1. Values larger than 80 disable SHA-1 support. Returning 110 allows RSA 2048. Return 128 to force ECC (P-256) or large (~3000 bit) RSA keys. Default is 110
Reimplemented from Botan::TLS::Policy.
Definition at line 182 of file tls_text_policy.cpp.
References get_len(), and Botan::TLS::Policy::minimum_signature_strength().
|
overridevirtual |
Indicates whether the encrypt-then-MAC extension should be negotiated (RFC 7366)
Reimplemented from Botan::TLS::Policy.
Definition at line 103 of file tls_text_policy.cpp.
References get_bool(), and Botan::TLS::Policy::negotiate_encrypt_then_mac().
|
virtualinherited |
Definition at line 346 of file tls_policy.cpp.
|
virtualinherited |
Convert this policy to a printable format.
o | stream to be printed to |
Definition at line 553 of file tls_policy.cpp.
References Botan::TLS::Policy::allow_dtls10(), Botan::TLS::Policy::allow_dtls12(), Botan::TLS::Policy::allow_insecure_renegotiation(), Botan::TLS::Policy::allow_server_initiated_renegotiation(), Botan::TLS::Policy::allow_tls10(), Botan::TLS::Policy::allow_tls11(), Botan::TLS::Policy::allow_tls12(), Botan::TLS::Policy::allowed_ciphers(), Botan::TLS::Policy::allowed_key_exchange_methods(), Botan::TLS::Policy::allowed_macs(), Botan::TLS::Policy::allowed_signature_hashes(), Botan::TLS::Policy::allowed_signature_methods(), Botan::TLS::Policy::hide_unknown_users(), Botan::TLS::Policy::include_time_in_hello_random(), Botan::TLS::Policy::key_exchange_groups(), Botan::TLS::Policy::minimum_dh_group_size(), Botan::TLS::Policy::minimum_ecdh_group_size(), Botan::TLS::Policy::minimum_rsa_bits(), Botan::TLS::Policy::minimum_signature_strength(), Botan::TLS::Policy::negotiate_encrypt_then_mac(), Botan::TLS::Policy::server_uses_own_ciphersuite_preferences(), Botan::TLS::Policy::session_ticket_lifetime(), and Botan::TLS::Policy::support_cert_status_message().
Referenced by Botan::TLS::Policy::to_string().
|
virtualinherited |
Indicate if client certificate authentication is requested. If true, then a cert will be requested.
Definition at line 348 of file tls_policy.cpp.
References Botan::TLS::Policy::require_client_certificate_authentication().
|
overridevirtual |
Return if cert revocation info (CRL/OCSP) is required If true, validation will fail unless a valid CRL or OCSP response was examined.
Reimplemented from Botan::TLS::Policy.
Definition at line 202 of file tls_text_policy.cpp.
References get_bool(), and Botan::TLS::Policy::require_cert_revocation_info().
|
overridevirtual |
Indicate if client certificate authentication is required. If true, then a cert will be requested and if the client does not send a certificate the connection will be closed.
Reimplemented from Botan::TLS::Policy.
Definition at line 83 of file tls_text_policy.cpp.
References get_bool(), and Botan::TLS::Policy::require_client_certificate_authentication().
|
overridevirtual |
When offering this version, should we send a fallback SCSV? Default returns true iff version is not the latest version the policy allows, exists to allow override in case of interop problems.
Reimplemented from Botan::TLS::Policy.
Definition at line 217 of file tls_text_policy.cpp.
References get_bool(), and Botan::TLS::Policy::send_fallback_scsv().
|
overridevirtual |
Reimplemented from Botan::TLS::Policy.
Definition at line 98 of file tls_text_policy.cpp.
References get_bool(), and Botan::TLS::Policy::server_uses_own_ciphersuite_preferences().
|
overridevirtual |
Return the allowed lifetime of a session ticket. If 0, session tickets do not expire until the session ticket key rolls over. Expired session tickets cannot be used to resume a session.
Reimplemented from Botan::TLS::Policy.
Definition at line 212 of file tls_text_policy.cpp.
References get_len(), and Botan::TLS::Policy::session_ticket_lifetime().
void Botan::TLS::Text_Policy::set | ( | const std::string & | k, |
const std::string & | v | ||
) |
Definition at line 232 of file tls_text_policy.cpp.
|
protected |
Definition at line 306 of file tls_text_policy.cpp.
|
overridevirtual |
If this returns a non-empty vector, and DTLS is negotiated, then we will also attempt to negotiate the SRTP extension from RFC 5764 using the returned values as the profile ids.
Reimplemented from Botan::TLS::Policy.
Definition at line 222 of file tls_text_policy.cpp.
References get_list(), and Botan::to_uint16().
|
overridevirtual |
Indicates whether certificate status messages should be supported
Reimplemented from Botan::TLS::Policy.
Definition at line 108 of file tls_text_policy.cpp.
References get_bool(), and Botan::TLS::Policy::support_cert_status_message().
|
inherited |
Convert this policy to a printable format. Same as calling print
on a ostringstream and reading o.str()
Definition at line 581 of file tls_policy.cpp.
References Botan::TLS::Policy::print().
|
overridevirtual |
Request that ECC curve points are sent compressed
Reimplemented from Botan::TLS::Policy.
Definition at line 43 of file tls_text_policy.cpp.
References get_bool(), and Botan::TLS::Policy::use_ecc_point_compression().