Botan 3.11.0
Crypto and TLS for C&
tls_policy.cpp
Go to the documentation of this file.
1/*
2* Policies for TLS
3* (C) 2004-2010,2012,2015,2016 Jack Lloyd
4* 2016 Christian Mainka
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#include <botan/tls_policy.h>
12
13#include <botan/pk_keys.h>
14#include <botan/tls_algos.h>
15#include <botan/tls_ciphersuite.h>
16#include <botan/tls_exceptn.h>
17#include <botan/tls_signature_scheme.h>
18#include <botan/internal/stl_util.h>
19#include <algorithm>
20#include <optional>
21#include <sstream>
22
23namespace Botan::TLS {
24
25bool Policy::allow_ssl_key_log_file() const {
26 return false;
27}
28
29std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const {
30 std::vector<Signature_Scheme> schemes;
31
32 for(const Signature_Scheme scheme : Signature_Scheme::all_available_schemes()) {
33 const bool sig_allowed = allowed_signature_method(scheme.algorithm_name());
34 const bool hash_allowed = allowed_signature_hash(scheme.hash_function_name());
35
36 if(sig_allowed && hash_allowed) {
37 schemes.push_back(scheme);
38 }
39 }
40
41 return schemes;
42}
43
44std::vector<Signature_Scheme> Policy::acceptable_signature_schemes() const {
45 return this->allowed_signature_schemes();
46}
47
48std::optional<std::vector<Signature_Scheme>> Policy::acceptable_certificate_signature_schemes() const {
49 // the restrictions of ::acceptable_signature_schemes() shall apply
50 return std::nullopt;
51}
52
53std::vector<std::string> Policy::allowed_ciphers() const {
54 return {
55 //"AES-256/OCB(12)",
56 "AES-256/GCM",
57 "AES-128/GCM",
58 "ChaCha20Poly1305",
59 //"AES-256/CCM",
60 //"AES-128/CCM",
61 //"AES-256/CCM(8)",
62 //"AES-128/CCM(8)",
63 //"Camellia-256/GCM",
64 //"Camellia-128/GCM",
65 //"ARIA-256/GCM",
66 //"ARIA-128/GCM",
67 //"AES-256",
68 //"AES-128",
69 //"3DES",
70 };
71}
72
73std::vector<std::string> Policy::allowed_signature_hashes() const {
74 return {
75 "SHA-512",
76 "SHA-384",
77 "SHA-256",
78 };
79}
80
81std::vector<std::string> Policy::allowed_macs() const {
82 /*
83 SHA-256 is preferred because the Lucky13 countermeasure works
84 somewhat better for SHA-256 vs SHA-384:
85 https://github.com/randombit/botan/pull/675
86 */
87 return {
88 "AEAD",
89 "SHA-256",
90 "SHA-384",
91 "SHA-1",
92 };
93}
94
95std::vector<std::string> Policy::allowed_key_exchange_methods() const {
96 return {
97 //"ECDHE_PSK",
98 //"PSK",
99 "ECDH",
100 "DH",
101 //"RSA",
102 };
103}
104
105std::vector<std::string> Policy::allowed_signature_methods() const {
106 return {
107 "ECDSA", "RSA",
108 //"IMPLICIT",
109 };
110}
111
112bool Policy::allowed_signature_method(std::string_view sig_method) const {
113 return value_exists(allowed_signature_methods(), sig_method);
114}
115
116bool Policy::allowed_signature_hash(std::string_view sig_hash) const {
117 return value_exists(allowed_signature_hashes(), sig_hash);
118}
119
120bool Policy::use_ecc_point_compression() const {
121 return false;
122}
123
124Group_Params Policy::choose_key_exchange_group(const std::vector<Group_Params>& supported_by_peer,
125 const std::vector<Group_Params>& offered_by_peer) const {
126 if(supported_by_peer.empty()) {
127 return Group_Params::NONE;
128 }
129
130 const auto our_groups = key_exchange_groups();
131
132 // First check if the peer sent a PQ share of a group we also support
133 for(auto share : offered_by_peer) {
134 if(share.is_post_quantum() && value_exists(our_groups, share)) {
135 return share;
136 }
137 }
138
139 // Then check if the peer offered a PQ algo we also support
140 for(auto share : supported_by_peer) {
141 if(share.is_post_quantum() && value_exists(our_groups, share)) {
142 return share;
143 }
144 }
145
146 // Prefer groups that were offered by the peer for the sake of saving
147 // an additional round trip. For TLS 1.2, this won't be used.
148 for(auto g : offered_by_peer) {
149 if(value_exists(our_groups, g)) {
150 return g;
151 }
152 }
153
154 // If no pre-offered groups fit our supported set, we prioritize our
155 // own preference.
156 for(auto g : our_groups) {
157 if(value_exists(supported_by_peer, g)) {
158 return g;
159 }
160 }
161
162 return Group_Params::NONE;
163}
164
165Group_Params Policy::default_dh_group() const {
166 /*
167 * Return the first listed or just default to 2048
168 */
169 for(auto g : key_exchange_groups()) {
170 if(g.is_dh_named_group()) {
171 return g;
172 }
173 }
174
175 return Group_Params::FFDHE_2048;
176}
177
178std::vector<Group_Params> Policy::key_exchange_groups() const {
179 return {
180 // clang-format off
181#if defined(BOTAN_HAS_X25519)
182 Group_Params::X25519,
183#endif
184
185 Group_Params::SECP256R1,
186
187#if defined(BOTAN_HAS_ML_KEM) && defined(BOTAN_HAS_TLS_13_PQC)
188
189#if defined(BOTAN_HAS_X25519)
190 Group_Params_Code::HYBRID_X25519_ML_KEM_768,
191#endif
192
193 Group_Params_Code::HYBRID_SECP256R1_ML_KEM_768,
194 Group_Params_Code::HYBRID_SECP384R1_ML_KEM_1024,
195#endif
196
197#if defined(BOTAN_HAS_X448)
198 Group_Params::X448,
199#endif
200
201 Group_Params::SECP384R1,
202 Group_Params::SECP521R1,
203
204 Group_Params::BRAINPOOL256R1,
205 Group_Params::BRAINPOOL384R1,
206 Group_Params::BRAINPOOL512R1,
207
208 Group_Params::FFDHE_2048,
209 Group_Params::FFDHE_3072,
210
211 // clang-format on
212 };
213}
214
215std::vector<Group_Params> Policy::key_exchange_groups_to_offer() const {
216 std::vector<Group_Params> groups_to_offer;
217
218 const auto supported_groups = key_exchange_groups();
219 BOTAN_ASSERT(!supported_groups.empty(), "Policy allows at least one key exchange group");
220
221 /*
222 * Initially prefer sending a key share only of the first pure-ECC
223 * group, since these shares are small and PQ support is still not
224 * that widespread.
225 */
226 for(auto group : key_exchange_groups()) {
227 if(group.is_pure_ecc_group()) {
228 groups_to_offer.push_back(group);
229 break;
230 }
231 }
232
233 /*
234 * If for some reason no pure ECC groups are enabled then simply
235 * send a share of whatever the policy's top preference is.
236 */
237 if(groups_to_offer.empty()) {
238 groups_to_offer.push_back(supported_groups.front());
239 }
240
241 return groups_to_offer;
242}
243
244size_t Policy::minimum_dh_group_size() const {
245 return 2048;
246}
247
248size_t Policy::minimum_ecdsa_group_size() const {
249 // Here we are at the mercy of whatever the CA signed, but most certs should be 256 bit by now
250 return 256;
251}
252
253size_t Policy::minimum_ecdh_group_size() const {
254 // x25519 is smallest curve currently supported for TLS key exchange
255 return 255;
256}
257
258size_t Policy::minimum_signature_strength() const {
259 return 110;
260}
261
262bool Policy::require_cert_revocation_info() const {
263 return true;
264}
265
266size_t Policy::minimum_rsa_bits() const {
267 /* Default assumption is all end-entity certificates should
268 be at least 2048 bits these days.
269
270 If you are connecting to arbitrary servers on the Internet
271 (ie as a web browser or SMTP client) you'll probably have to reduce this
272 to 1024 bits, or perhaps even lower.
273 */
274 return 2048;
275}
276
277void Policy::check_peer_key_acceptable(const Public_Key& public_key) const {
278 const std::string algo_name = public_key.algo_name();
279
280 const size_t keylength = public_key.key_length();
281 size_t expected_keylength = 0;
282
283 if(algo_name == "RSA") {
284 expected_keylength = minimum_rsa_bits();
285 } else if(algo_name == "DH") {
286 expected_keylength = minimum_dh_group_size();
287 } else if(algo_name == "ECDH" || algo_name == "X25519" || algo_name == "X448") {
288 expected_keylength = minimum_ecdh_group_size();
289 } else if(algo_name == "ECDSA") {
290 expected_keylength = minimum_ecdsa_group_size();
291 }
292 // else some other algo, so leave expected_keylength as zero and the check is a no-op
293
294 if(keylength < expected_keylength) {
295 throw TLS_Exception(Alert::InsufficientSecurity,
296 "Peer sent " + std::to_string(keylength) + " bit " + algo_name +
297 " key"
298 ", policy requires at least " +
299 std::to_string(expected_keylength));
300 }
301}
302
303size_t Policy::maximum_session_tickets_per_client_hello() const {
304 return 1;
305}
306
307std::chrono::seconds Policy::session_ticket_lifetime() const {
308 return std::chrono::days(1);
309}
310
311bool Policy::reuse_session_tickets() const {
312 return false;
313}
314
315size_t Policy::new_session_tickets_upon_handshake_success() const {
316 return 1;
317}
318
319bool Policy::acceptable_protocol_version(Protocol_Version version) const {
320#if defined(BOTAN_HAS_TLS_13)
321 if(version == Protocol_Version::TLS_V13 && allow_tls13()) {
322 return true;
323 }
324#endif
325
326#if defined(BOTAN_HAS_TLS_12)
327 if(version == Protocol_Version::TLS_V12 && allow_tls12()) {
328 return true;
329 }
330
331 if(version == Protocol_Version::DTLS_V12 && allow_dtls12()) {
332 return true;
333 }
334#endif
335
336 BOTAN_UNUSED(version);
337 return false;
338}
339
340Protocol_Version Policy::latest_supported_version(bool datagram) const {
341 if(datagram) {
342 if(acceptable_protocol_version(Protocol_Version::DTLS_V12)) {
343 return Protocol_Version::DTLS_V12;
344 }
345 } else {
346 if(acceptable_protocol_version(Protocol_Version::TLS_V13)) {
347 return Protocol_Version::TLS_V13;
348 }
349 if(acceptable_protocol_version(Protocol_Version::TLS_V12)) {
350 return Protocol_Version::TLS_V12;
351 }
352 }
353
354 throw Invalid_State("Policy forbids all available TLS version");
355}
356
357bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const {
358 return value_exists(allowed_ciphers(), ciphersuite.cipher_algo()) &&
359 value_exists(allowed_macs(), ciphersuite.mac_algo());
360}
361
362bool Policy::allow_client_initiated_renegotiation() const {
363 return false;
364}
365
366bool Policy::allow_server_initiated_renegotiation() const {
367 return false;
368}
369
370bool Policy::allow_insecure_renegotiation() const {
371 return false;
372}
373
374bool Policy::allow_tls12() const {
375#if defined(BOTAN_HAS_TLS_12)
376 return true;
377#else
378 return false;
379#endif
380}
381
382bool Policy::allow_tls13() const {
383#if defined(BOTAN_HAS_TLS_13)
384 return true;
385#else
386 return false;
387#endif
388}
389
390bool Policy::allow_dtls12() const {
391#if defined(BOTAN_HAS_TLS_12)
392 return true;
393#else
394 return false;
395#endif
396}
397
398bool Policy::include_time_in_hello_random() const {
399 return true;
400}
401
402bool Policy::hide_unknown_users() const {
403 return false;
404}
405
406bool Policy::server_uses_own_ciphersuite_preferences() const {
407 return true;
408}
409
410bool Policy::negotiate_encrypt_then_mac() const {
411 return true;
412}
413
414std::optional<uint16_t> Policy::record_size_limit() const {
415 return std::nullopt;
416}
417
418bool Policy::support_cert_status_message() const {
419 return true;
420}
421
422bool Policy::allow_resumption_for_renegotiation() const {
423 return true;
424}
425
426bool Policy::tls_13_middlebox_compatibility_mode() const {
427 return true;
428}
429
430bool Policy::hash_hello_random() const {
431 return true;
432}
433
434bool Policy::only_resume_with_exact_version() const {
435 return true;
436}
437
438bool Policy::require_client_certificate_authentication() const {
439 return false;
440}
441
445
446bool Policy::abort_connection_on_undesired_renegotiation() const {
447 return false;
448}
449
450std::vector<Certificate_Type> Policy::accepted_client_certificate_types() const {
451 return {Certificate_Type::X509};
452}
453
454std::vector<Certificate_Type> Policy::accepted_server_certificate_types() const {
455 return {Certificate_Type::X509};
456}
457
458bool Policy::allow_dtls_epoch0_restart() const {
459 return false;
460}
461
462size_t Policy::maximum_certificate_chain_size() const {
463 return 0;
464}
465
466// 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1
467size_t Policy::dtls_initial_timeout() const {
468 return 1 * 1000;
469}
470
471size_t Policy::dtls_maximum_timeout() const {
472 return 60 * 1000;
473}
474
475size_t Policy::dtls_default_mtu() const {
476 // default MTU is IPv6 min MTU minus UDP/IP headers
477 return 1280 - 40 - 8;
478}
479
480std::vector<uint16_t> Policy::srtp_profiles() const {
481 return std::vector<uint16_t>();
482}
483
484namespace {
485
486class Ciphersuite_Preference_Ordering final {
487 public:
488 Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
489 const std::vector<std::string>& macs,
490 const std::vector<std::string>& kex,
491 const std::vector<std::string>& sigs) :
492 m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
493
494 bool operator()(const Ciphersuite& a, const Ciphersuite& b) const {
495 if(a.kex_method() != b.kex_method()) {
496 for(const auto& i : m_kex) {
497 if(a.kex_algo() == i) {
498 return true;
499 }
500 if(b.kex_algo() == i) {
501 return false;
502 }
503 }
504 }
505
506 if(a.cipher_algo() != b.cipher_algo()) {
507 for(const auto& m_cipher : m_ciphers) {
508 if(a.cipher_algo() == m_cipher) {
509 return true;
510 }
511 if(b.cipher_algo() == m_cipher) {
512 return false;
513 }
514 }
515 }
516
517 if(a.cipher_keylen() != b.cipher_keylen()) {
518 if(a.cipher_keylen() < b.cipher_keylen()) {
519 return false;
520 }
521 if(a.cipher_keylen() > b.cipher_keylen()) {
522 return true;
523 }
524 }
525
526 if(a.auth_method() != b.auth_method()) {
527 for(const auto& m_sig : m_sigs) {
528 if(a.sig_algo() == m_sig) {
529 return true;
530 }
531 if(b.sig_algo() == m_sig) {
532 return false;
533 }
534 }
535 }
536
537 if(a.mac_algo() != b.mac_algo()) {
538 for(const auto& m_mac : m_macs) {
539 if(a.mac_algo() == m_mac) {
540 return true;
541 }
542 if(b.mac_algo() == m_mac) {
543 return false;
544 }
545 }
546 }
547
548 return false; // equal (?!?)
549 }
550
551 private:
552 std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
553};
554
555} // namespace
556
557std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version) const {
558 const std::vector<std::string> ciphers = allowed_ciphers();
559 const std::vector<std::string> macs = allowed_macs();
560 const std::vector<std::string> kex = allowed_key_exchange_methods();
561 const std::vector<std::string> sigs = allowed_signature_methods();
562
563 std::vector<Ciphersuite> ciphersuites;
564
565 for(auto&& suite : Ciphersuite::all_known_ciphersuites()) {
566 // Can we use it?
567 if(!suite.valid()) {
568 continue;
569 }
570
571 // Can we use it in this version?
572 if(!suite.usable_in_version(version)) {
573 continue;
574 }
575
576 // Is it acceptable to the policy?
577 if(!this->acceptable_ciphersuite(suite)) {
578 continue;
579 }
580
581 if(!value_exists(ciphers, suite.cipher_algo())) {
582 continue; // unsupported cipher
583 }
584
585 // these checks are irrelevant for TLS 1.3
586 // TODO: consider making a method for this logic
587 if(version.is_pre_tls_13()) {
588 if(!value_exists(kex, suite.kex_algo())) {
589 continue; // unsupported key exchange
590 }
591
592 if(!value_exists(macs, suite.mac_algo())) {
593 continue; // unsupported MAC algo
594 }
595
596 if(!value_exists(sigs, suite.sig_algo())) {
597 // allow if it's an empty sig algo and we want to use PSK
598 if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite()) {
599 continue;
600 }
601 }
602 }
603
604 // OK, consider it
605 ciphersuites.push_back(suite);
606 }
607
608 if(ciphersuites.empty()) {
609 throw Invalid_State("Policy does not allow any available cipher suite");
610 }
611
612 const Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
613 std::sort(ciphersuites.begin(), ciphersuites.end(), order);
614
615 std::vector<uint16_t> ciphersuite_codes;
616 ciphersuite_codes.reserve(ciphersuites.size());
617 for(const auto& i : ciphersuites) {
618 ciphersuite_codes.push_back(i.ciphersuite_code());
619 }
620 return ciphersuite_codes;
621}
622
623namespace {
624
625void print_vec(std::ostream& o, const char* key, const std::vector<std::string>& v) {
626 o << key << " = ";
627 for(size_t i = 0; i != v.size(); ++i) {
628 o << v[i];
629 if(i != v.size() - 1) {
630 o << ' ';
631 }
632 }
633 o << '\n';
634}
635
636void print_vec(std::ostream& o, const char* key, const std::vector<Group_Params>& params) {
637 // first filter out any groups we don't have a name for:
638 std::vector<std::string> names;
639 for(auto p : params) {
640 if(auto name = p.to_string()) {
641 names.push_back(name.value());
642 }
643 }
644
645 o << key << " = ";
646
647 for(size_t i = 0; i != names.size(); ++i) {
648 o << names[i];
649 if(i != names.size() - 1) {
650 o << " ";
651 }
652 }
653 o << "\n";
654}
655
656void print_vec(std::ostream& o, const char* key, const std::vector<Certificate_Type>& types) {
657 o << key << " = ";
658 for(size_t i = 0; i != types.size(); ++i) {
659 o << certificate_type_to_string(types[i]);
660 if(i != types.size() - 1) {
661 o << ' ';
662 }
663 }
664 o << '\n';
665}
666
667void print_bool(std::ostream& o, const char* key, bool b) {
668 o << key << " = " << (b ? "true" : "false") << '\n';
669}
670
671} // namespace
672
673void Policy::print(std::ostream& o) const {
674 print_bool(o, "allow_tls12", allow_tls12());
675 print_bool(o, "allow_tls13", allow_tls13());
676 print_bool(o, "allow_dtls12", allow_dtls12());
677 print_bool(o, "allow_ssl_key_log_file", allow_ssl_key_log_file());
678 print_vec(o, "ciphers", allowed_ciphers());
679 print_vec(o, "macs", allowed_macs());
680 print_vec(o, "signature_hashes", allowed_signature_hashes());
681 print_vec(o, "signature_methods", allowed_signature_methods());
682 print_vec(o, "key_exchange_methods", allowed_key_exchange_methods());
683 print_vec(o, "key_exchange_groups", key_exchange_groups());
684 const auto groups_to_offer = key_exchange_groups_to_offer();
685 if(groups_to_offer.empty()) {
686 print_vec(o, "key_exchange_groups_to_offer", {std::string("none")});
687 } else {
688 print_vec(o, "key_exchange_groups_to_offer", groups_to_offer);
689 }
690 print_bool(o, "allow_insecure_renegotiation", allow_insecure_renegotiation());
691 print_bool(o, "include_time_in_hello_random", include_time_in_hello_random());
692 print_bool(o, "allow_server_initiated_renegotiation", allow_server_initiated_renegotiation());
693 print_bool(o, "hide_unknown_users", hide_unknown_users());
694 print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences());
695 print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac());
696 print_bool(o, "support_cert_status_message", support_cert_status_message());
697 print_bool(o, "tls_13_middlebox_compatibility_mode", tls_13_middlebox_compatibility_mode());
698 print_vec(o, "accepted_client_certificate_types", accepted_client_certificate_types());
699 print_vec(o, "accepted_server_certificate_types", accepted_server_certificate_types());
700 print_bool(o, "hash_hello_random", hash_hello_random());
701 if(record_size_limit().has_value()) {
702 o << "record_size_limit = " << record_size_limit().value() << '\n';
703 }
704 o << "maximum_session_tickets_per_client_hello = " << maximum_session_tickets_per_client_hello() << '\n';
705 o << "session_ticket_lifetime = " << session_ticket_lifetime().count() << '\n';
706 print_bool(o, "reuse_session_tickets", reuse_session_tickets());
707 o << "new_session_tickets_upon_handshake_success = " << new_session_tickets_upon_handshake_success() << '\n';
708 o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n';
709 o << "minimum_ecdh_group_size = " << minimum_ecdh_group_size() << '\n';
710 o << "minimum_rsa_bits = " << minimum_rsa_bits() << '\n';
711 o << "minimum_signature_strength = " << minimum_signature_strength() << '\n';
712}
713
714std::string Policy::to_string() const {
715 std::ostringstream oss;
716 this->print(oss);
717 return oss.str();
718}
719
720std::vector<std::string> Strict_Policy::allowed_ciphers() const {
721 return {"AES-256/GCM", "AES-128/GCM", "ChaCha20Poly1305"};
722}
723
724std::vector<std::string> Strict_Policy::allowed_signature_hashes() const {
725 return {"SHA-512", "SHA-384"};
726}
727
728std::vector<std::string> Strict_Policy::allowed_macs() const {
729 return {"AEAD"};
730}
731
732std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const {
733 return {"ECDH"};
734}
735
736} // namespace Botan::TLS
BOTAN_UNUSED
#define BOTAN_UNUSED
Definition assert.h:144
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
Botan::Asymmetric_Key::algo_name
virtual std::string algo_name() const =0
Botan::Invalid_State
Definition exceptn.h:207
Botan::Public_Key
Definition pk_keys.h:148
Botan::Public_Key::key_length
virtual size_t key_length() const =0
Botan::TLS::Ciphersuite::all_known_ciphersuites
static const std::vector< Ciphersuite > & all_known_ciphersuites()
Definition tls_suite_info.cpp:15
Botan::TLS::Ciphersuite::mac_algo
std::string mac_algo() const
Definition tls_ciphersuite.h:113
Botan::TLS::Ciphersuite::cipher_algo
std::string cipher_algo() const
Definition tls_ciphersuite.h:108
Botan::TLS::Group_Params
Definition tls_algos.h:137
Botan::TLS::Policy::include_time_in_hello_random
virtual bool include_time_in_hello_random() const
Definition tls_policy.cpp:398
Botan::TLS::Policy::check_peer_key_acceptable
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
Definition tls_policy.cpp:277
Botan::TLS::Policy::abort_connection_on_undesired_renegotiation
virtual bool abort_connection_on_undesired_renegotiation() const
Definition tls_policy.cpp:446
Botan::TLS::Policy::dtls_maximum_timeout
virtual size_t dtls_maximum_timeout() const
Definition tls_policy.cpp:471
Botan::TLS::Policy::minimum_ecdh_group_size
virtual size_t minimum_ecdh_group_size() const
Definition tls_policy.cpp:253
Botan::TLS::Policy::dtls_default_mtu
virtual size_t dtls_default_mtu() const
Definition tls_policy.cpp:475
Botan::TLS::Policy::allow_tls12
virtual bool allow_tls12() const
Definition tls_policy.cpp:374
Botan::TLS::Policy::allowed_signature_schemes
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
Definition tls_policy.cpp:29
Botan::TLS::Policy::to_string
std::string to_string() const
Definition tls_policy.cpp:714
Botan::TLS::Policy::reuse_session_tickets
virtual bool reuse_session_tickets() const
Definition tls_policy.cpp:311
Botan::TLS::Policy::ciphersuite_list
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version) const
Definition tls_policy.cpp:557
Botan::TLS::Policy::accepted_server_certificate_types
virtual std::vector< Certificate_Type > accepted_server_certificate_types() const
Definition tls_policy.cpp:454
Botan::TLS::Policy::accepted_client_certificate_types
virtual std::vector< Certificate_Type > accepted_client_certificate_types() const
Definition tls_policy.cpp:450
Botan::TLS::Policy::allowed_signature_method
bool allowed_signature_method(std::string_view sig_method) const
Definition tls_policy.cpp:112
Botan::TLS::Policy::require_client_certificate_authentication
virtual bool require_client_certificate_authentication() const
Definition tls_policy.cpp:438
Botan::TLS::Policy::key_exchange_groups
virtual std::vector< Group_Params > key_exchange_groups() const
Definition tls_policy.cpp:178
Botan::TLS::Policy::new_session_tickets_upon_handshake_success
virtual size_t new_session_tickets_upon_handshake_success() const
Definition tls_policy.cpp:315
Botan::TLS::Policy::key_exchange_groups_to_offer
virtual std::vector< Group_Params > key_exchange_groups_to_offer() const
Definition tls_policy.cpp:215
Botan::TLS::Policy::allowed_signature_hash
bool allowed_signature_hash(std::string_view hash) const
Definition tls_policy.cpp:116
Botan::TLS::Policy::minimum_rsa_bits
virtual size_t minimum_rsa_bits() const
Definition tls_policy.cpp:266
Botan::TLS::Policy::tls_13_middlebox_compatibility_mode
virtual bool tls_13_middlebox_compatibility_mode() const
Definition tls_policy.cpp:426
Botan::TLS::Policy::only_resume_with_exact_version
virtual bool only_resume_with_exact_version() const
Definition tls_policy.cpp:434
Botan::TLS::Policy::allow_client_initiated_renegotiation
virtual bool allow_client_initiated_renegotiation() const
Definition tls_policy.cpp:362
Botan::TLS::Policy::allow_ssl_key_log_file
virtual bool allow_ssl_key_log_file() const
Definition tls_policy.cpp:25
Botan::TLS::Policy::allow_dtls_epoch0_restart
virtual bool allow_dtls_epoch0_restart() const
Definition tls_policy.cpp:458
Botan::TLS::Policy::request_client_certificate_authentication
virtual bool request_client_certificate_authentication() const
Definition tls_policy.cpp:442
Botan::TLS::Policy::require_cert_revocation_info
virtual bool require_cert_revocation_info() const
Definition tls_policy.cpp:262
Botan::TLS::Policy::negotiate_encrypt_then_mac
virtual bool negotiate_encrypt_then_mac() const
Definition tls_policy.cpp:410
Botan::TLS::Policy::server_uses_own_ciphersuite_preferences
virtual bool server_uses_own_ciphersuite_preferences() const
Definition tls_policy.cpp:406
Botan::TLS::Policy::latest_supported_version
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition tls_policy.cpp:340
Botan::TLS::Policy::acceptable_protocol_version
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition tls_policy.cpp:319
Botan::TLS::Policy::srtp_profiles
virtual std::vector< uint16_t > srtp_profiles() const
Definition tls_policy.cpp:480
Botan::TLS::Policy::support_cert_status_message
virtual bool support_cert_status_message() const
Definition tls_policy.cpp:418
Botan::TLS::Policy::acceptable_ciphersuite
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
Definition tls_policy.cpp:357
Botan::TLS::Policy::allowed_macs
virtual std::vector< std::string > allowed_macs() const
Definition tls_policy.cpp:81
Botan::TLS::Policy::hide_unknown_users
virtual bool hide_unknown_users() const
Definition tls_policy.cpp:402
Botan::TLS::Policy::acceptable_certificate_signature_schemes
virtual std::optional< std::vector< Signature_Scheme > > acceptable_certificate_signature_schemes() const
Definition tls_policy.cpp:48
Botan::TLS::Policy::hash_hello_random
virtual bool hash_hello_random() const
Definition tls_policy.cpp:430
Botan::TLS::Policy::allow_tls13
virtual bool allow_tls13() const
Definition tls_policy.cpp:382
Botan::TLS::Policy::allowed_key_exchange_methods
virtual std::vector< std::string > allowed_key_exchange_methods() const
Definition tls_policy.cpp:95
Botan::TLS::Policy::dtls_initial_timeout
virtual size_t dtls_initial_timeout() const
Definition tls_policy.cpp:467
Botan::TLS::Policy::maximum_session_tickets_per_client_hello
virtual size_t maximum_session_tickets_per_client_hello() const
Definition tls_policy.cpp:303
Botan::TLS::Policy::acceptable_signature_schemes
virtual std::vector< Signature_Scheme > acceptable_signature_schemes() const
Definition tls_policy.cpp:44
Botan::TLS::Policy::use_ecc_point_compression
virtual bool use_ecc_point_compression() const
Definition tls_policy.cpp:120
Botan::TLS::Policy::allow_dtls12
virtual bool allow_dtls12() const
Definition tls_policy.cpp:390
Botan::TLS::Policy::minimum_dh_group_size
virtual size_t minimum_dh_group_size() const
Definition tls_policy.cpp:244
Botan::TLS::Policy::allow_insecure_renegotiation
virtual bool allow_insecure_renegotiation() const
Definition tls_policy.cpp:370
Botan::TLS::Policy::record_size_limit
virtual std::optional< uint16_t > record_size_limit() const
Definition tls_policy.cpp:414
Botan::TLS::Policy::allowed_ciphers
virtual std::vector< std::string > allowed_ciphers() const
Definition tls_policy.cpp:53
Botan::TLS::Policy::session_ticket_lifetime
virtual std::chrono::seconds session_ticket_lifetime() const
Definition tls_policy.cpp:307
Botan::TLS::Policy::minimum_signature_strength
virtual size_t minimum_signature_strength() const
Definition tls_policy.cpp:258
Botan::TLS::Policy::default_dh_group
virtual Group_Params default_dh_group() const
Definition tls_policy.cpp:165
Botan::TLS::Policy::maximum_certificate_chain_size
virtual size_t maximum_certificate_chain_size() const
Definition tls_policy.cpp:462
Botan::TLS::Policy::allowed_signature_methods
virtual std::vector< std::string > allowed_signature_methods() const
Definition tls_policy.cpp:105
Botan::TLS::Policy::minimum_ecdsa_group_size
virtual size_t minimum_ecdsa_group_size() const
Definition tls_policy.cpp:248
Botan::TLS::Policy::choose_key_exchange_group
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &supported_by_peer, const std::vector< Group_Params > &offered_by_peer) const
Definition tls_policy.cpp:124
Botan::TLS::Policy::allow_resumption_for_renegotiation
virtual bool allow_resumption_for_renegotiation() const
Definition tls_policy.cpp:422
Botan::TLS::Policy::allowed_signature_hashes
virtual std::vector< std::string > allowed_signature_hashes() const
Definition tls_policy.cpp:73
Botan::TLS::Policy::allow_server_initiated_renegotiation
virtual bool allow_server_initiated_renegotiation() const
Definition tls_policy.cpp:366
Botan::TLS::Policy::print
virtual void print(std::ostream &o) const
Definition tls_policy.cpp:673
Botan::TLS::Protocol_Version
Definition tls_version.h:34
Botan::TLS::Protocol_Version::is_pre_tls_13
bool is_pre_tls_13() const
Definition tls_version.cpp:58
Botan::TLS::Signature_Scheme
Definition tls_signature_scheme.h:29
Botan::TLS::Signature_Scheme::all_available_schemes
static const std::vector< Signature_Scheme > & all_available_schemes()
Definition tls_signature_scheme.cpp:17
Botan::TLS::Strict_Policy::allowed_macs
std::vector< std::string > allowed_macs() const override
Definition tls_policy.cpp:728
Botan::TLS::Strict_Policy::allowed_ciphers
std::vector< std::string > allowed_ciphers() const override
Definition tls_policy.cpp:720
Botan::TLS::Strict_Policy::allowed_key_exchange_methods
std::vector< std::string > allowed_key_exchange_methods() const override
Definition tls_policy.cpp:732
Botan::TLS::Strict_Policy::allowed_signature_hashes
std::vector< std::string > allowed_signature_hashes() const override
Definition tls_policy.cpp:724
Botan::TLS::TLS_Exception
Definition tls_exceptn.h:19
Botan::TLS::certificate_type_to_string
std::string certificate_type_to_string(Certificate_Type type)
Definition tls_algos.cpp:408
Botan::value_exists
bool value_exists(const std::vector< T > &vec, const V &val)
Definition stl_util.h:43
Generated by doxygen 1.15.0