Botan 3.5.0
Crypto and TLS for C&
tls_text_policy.cpp
Go to the documentation of this file.
1/*
2* Text-Based TLS Policy
3* (C) 2016,2017 Jack Lloyd
4* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/tls_policy.h>
10
11#include <botan/exceptn.h>
12#include <botan/internal/parsing.h>
13#include <optional>
14#include <sstream>
15
16namespace Botan::TLS {
17
19 return get_bool("allow_ssl_key_log_file", Policy::allow_ssl_key_log_file());
20}
21
22std::vector<std::string> Text_Policy::allowed_ciphers() const {
23 return get_list("ciphers", Policy::allowed_ciphers());
24}
25
26std::vector<std::string> Text_Policy::allowed_signature_hashes() const {
27 return get_list("signature_hashes", Policy::allowed_signature_hashes());
28}
29
30std::vector<std::string> Text_Policy::allowed_macs() const {
31 return get_list("macs", Policy::allowed_macs());
32}
33
34std::vector<std::string> Text_Policy::allowed_key_exchange_methods() const {
35 return get_list("key_exchange_methods", Policy::allowed_key_exchange_methods());
36}
37
38std::vector<std::string> Text_Policy::allowed_signature_methods() const {
39 return get_list("signature_methods", Policy::allowed_signature_methods());
40}
41
43 return get_bool("use_ecc_point_compression", Policy::use_ecc_point_compression());
44}
45
47 return get_bool("allow_tls12", Policy::allow_tls12());
48}
49
51 return get_bool("allow_tls13", Policy::allow_tls13());
52}
53
55 return get_bool("allow_dtls12", Policy::allow_dtls12());
56}
57
59 return get_bool("allow_insecure_renegotiation", Policy::allow_insecure_renegotiation());
60}
61
63 return get_bool("include_time_in_hello_random", Policy::include_time_in_hello_random());
64}
65
67 return get_bool("require_client_certificate_authentication", Policy::require_client_certificate_authentication());
68}
69
71 return get_bool("allow_client_initiated_renegotiation", Policy::allow_client_initiated_renegotiation());
72}
73
74std::vector<Certificate_Type> Text_Policy::accepted_client_certificate_types() const {
75 const auto cert_types = get_str("accepted_client_certificate_types");
76 return (cert_types.empty()) ? Policy::accepted_client_certificate_types() : read_cert_type_list(cert_types);
77}
78
79std::vector<Certificate_Type> Text_Policy::accepted_server_certificate_types() const {
80 const auto cert_types = get_str("accepted_server_certificate_types");
81 return (cert_types.empty()) ? Policy::accepted_server_certificate_types() : read_cert_type_list(cert_types);
82}
83
85 return get_bool("allow_server_initiated_renegotiation", Policy::allow_server_initiated_renegotiation());
86}
87
89 return get_bool("server_uses_own_ciphersuite_preferences", Policy::server_uses_own_ciphersuite_preferences());
90}
91
93 return get_bool("negotiate_encrypt_then_mac", Policy::negotiate_encrypt_then_mac());
94}
95
96std::optional<uint16_t> Text_Policy::record_size_limit() const {
97 const auto limit = get_len("record_size_limit", 0);
98 // RFC 8449 4.
99 // TLS 1.3 uses a limit of 2^14+1 octets.
100 BOTAN_ARG_CHECK(limit <= 16385, "record size limit too large");
101 return (limit > 0) ? std::make_optional(static_cast<uint16_t>(limit)) : std::nullopt;
102}
103
105 return get_bool("support_cert_status_message", Policy::support_cert_status_message());
106}
107
108std::vector<Group_Params> Text_Policy::key_exchange_groups() const {
109 std::string group_str = get_str("key_exchange_groups");
110
111 if(group_str.empty()) {
112 // fall back to previously used name
113 group_str = get_str("groups");
114 }
115
116 if(group_str.empty()) {
118 }
119
120 return read_group_list(group_str);
121}
122
123std::vector<Group_Params> Text_Policy::key_exchange_groups_to_offer() const {
124 std::string group_str = get_str("key_exchange_groups_to_offer", "notset");
125
126 if(group_str.empty() || group_str == "notset") {
127 // policy was not set, fall back to default behaviour
129 }
130
131 if(group_str == "none") {
132 return {};
133 }
134
135 return read_group_list(group_str);
136}
137
139 return get_len("minimum_ecdh_group_size", Policy::minimum_ecdh_group_size());
140}
141
143 return get_len("minimum_ecdsa_group_size", Policy::minimum_ecdsa_group_size());
144}
145
147 return get_len("minimum_dh_group_size", Policy::minimum_dh_group_size());
148}
149
151 return get_len("minimum_rsa_bits", Policy::minimum_rsa_bits());
152}
153
155 return get_len("minimum_signature_strength", Policy::minimum_signature_strength());
156}
157
159 return get_len("dtls_default_mtu", Policy::dtls_default_mtu());
160}
161
163 return get_len("dtls_initial_timeout", Policy::dtls_initial_timeout());
164}
165
167 return get_len("dtls_maximum_timeout", Policy::dtls_maximum_timeout());
168}
169
171 return get_bool("require_cert_revocation_info", Policy::require_cert_revocation_info());
172}
173
175 return get_bool("hide_unknown_users", Policy::hide_unknown_users());
176}
177
179 return get_len("maximum_session_tickets_per_client_hello", Policy::maximum_session_tickets_per_client_hello());
180}
181
182std::chrono::seconds Text_Policy::session_ticket_lifetime() const {
183 return get_duration("session_ticket_lifetime", Policy::session_ticket_lifetime());
184}
185
187 return get_bool("reuse_session_tickets", Policy::reuse_session_tickets());
188}
189
191 return get_len("new_session_tickets_upon_handshake_success", Policy::new_session_tickets_upon_handshake_success());
192}
193
194std::vector<uint16_t> Text_Policy::srtp_profiles() const {
195 std::vector<uint16_t> r;
196 for(const auto& p : get_list("srtp_profiles", std::vector<std::string>())) {
197 r.push_back(to_uint16(p));
198 }
199 return r;
200}
201
203 return get_bool("tls_13_middlebox_compatibility_mode", Policy::tls_13_middlebox_compatibility_mode());
204}
205
207 return get_bool("hash_hello_random", Policy::hash_hello_random());
208}
209
210void Text_Policy::set(const std::string& key, const std::string& value) {
211 m_kv[key] = value;
212}
213
214Text_Policy::Text_Policy(std::string_view s) {
215 std::istringstream iss{std::string(s)}; // FIXME C++23 avoid copy
216 m_kv = read_cfg(iss);
217}
218
219Text_Policy::Text_Policy(std::istream& in) : m_kv(read_cfg(in)) {}
220
221std::vector<std::string> Text_Policy::get_list(const std::string& key, const std::vector<std::string>& def) const {
222 const std::string v = get_str(key);
223
224 if(v.empty()) {
225 return def;
226 }
227
228 return split_on(v, ' ');
229}
230
231std::vector<Group_Params> Text_Policy::read_group_list(std::string_view group_str) const {
232 std::vector<Group_Params> groups;
233 for(const auto& group_name : split_on(group_str, ' ')) {
234 Group_Params group_id = Group_Params::from_string(group_name).value_or(Group_Params::NONE);
235
236#if !defined(BOTAN_HAS_X25519)
237 if(group_id == Group_Params::X25519)
238 continue;
239#endif
240#if !defined(BOTAN_HAS_X448)
241 if(group_id == Group_Params::X448)
242 continue;
243#endif
244
245 if(group_id == Group_Params::NONE) {
246 try {
247 size_t consumed = 0;
248 unsigned long ll_id = std::stoul(group_name, &consumed, 0);
249 if(consumed != group_name.size()) {
250 continue; // some other cruft
251 }
252
253 const uint16_t id = static_cast<uint16_t>(ll_id);
254
255 if(id != ll_id) {
256 continue; // integer too large
257 }
258
259 group_id = static_cast<Group_Params>(id);
260 } catch(...) {
261 continue;
262 }
263 }
264
265 if(group_id != Group_Params::NONE) {
266 groups.push_back(group_id);
267 }
268 }
269
270 return groups;
271}
272
273std::vector<Certificate_Type> Text_Policy::read_cert_type_list(const std::string& cert_type_names) const {
274 std::vector<Certificate_Type> cert_types;
275 for(const std::string& cert_type_name : split_on(cert_type_names, ' ')) {
276 cert_types.push_back(certificate_type_from_string(cert_type_name));
277 }
278
279 return cert_types;
280}
281
282size_t Text_Policy::get_len(const std::string& key, size_t def) const {
283 const std::string v = get_str(key);
284
285 if(v.empty()) {
286 return def;
287 }
288
289 return to_u32bit(v);
290}
291
292std::chrono::seconds Text_Policy::get_duration(const std::string& key, std::chrono::seconds def) const {
293 using rep_t = std::chrono::seconds::rep;
294 constexpr rep_t max_seconds = std::chrono::seconds::max().count();
295 constexpr auto max_sizet = std::numeric_limits<size_t>::max();
296 using ull = unsigned long long;
297
298 // The concrete type of `rep` is not specified exactly. Let's play it extra safe...
299 // e.g. on 32-bit platforms size_t is 32 bits but rep_t is "at least 35 bits"
300
301 // at least zero and certainly fitting into rep_t
302 const rep_t positive_default = std::max(def.count(), rep_t(0));
303 // at least zero but capped to whatever size_t can handle
304 const size_t positive_capped_default = static_cast<size_t>(std::min<ull>(positive_default, max_sizet));
305 // at least zero but capped to whatever rep_t can handle
306 const rep_t result = static_cast<rep_t>(std::min<ull>(get_len(key, positive_capped_default), max_seconds));
307
308 return std::chrono::seconds(result);
309}
310
311bool Text_Policy::get_bool(const std::string& key, bool def) const {
312 const std::string v = get_str(key);
313
314 if(v.empty()) {
315 return def;
316 }
317
318 if(v == "true" || v == "True") {
319 return true;
320 } else if(v == "false" || v == "False") {
321 return false;
322 } else {
323 throw Decoding_Error("Invalid boolean '" + v + "'");
324 }
325}
326
327std::string Text_Policy::get_str(const std::string& key, const std::string& def) const {
328 auto i = m_kv.find(key);
329 if(i == m_kv.end()) {
330 return def;
331 }
332
333 return i->second;
334}
335
336bool Text_Policy::set_value(const std::string& key, std::string_view val, bool overwrite) {
337 auto i = m_kv.find(key);
338
339 if(overwrite == false && i != m_kv.end()) {
340 return false;
341 }
342
343 m_kv.insert(i, std::make_pair(key, val));
344 return true;
345}
346
347} // namespace Botan::TLS
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
static std::optional< Group_Params > from_string(std::string_view group_name)
virtual bool include_time_in_hello_random() const
virtual size_t dtls_maximum_timeout() const
virtual size_t minimum_ecdh_group_size() const
virtual size_t dtls_default_mtu() const
virtual bool allow_tls12() const
virtual bool reuse_session_tickets() const
virtual std::vector< Certificate_Type > accepted_server_certificate_types() const
virtual std::vector< Certificate_Type > accepted_client_certificate_types() const
virtual bool require_client_certificate_authentication() const
virtual std::vector< Group_Params > key_exchange_groups() const
virtual size_t new_session_tickets_upon_handshake_success() const
virtual std::vector< Group_Params > key_exchange_groups_to_offer() const
virtual size_t minimum_rsa_bits() const
virtual bool tls_13_middlebox_compatibility_mode() const
virtual bool allow_client_initiated_renegotiation() const
virtual bool allow_ssl_key_log_file() const
virtual bool require_cert_revocation_info() const
virtual bool negotiate_encrypt_then_mac() const
virtual bool server_uses_own_ciphersuite_preferences() const
virtual bool support_cert_status_message() const
virtual std::vector< std::string > allowed_macs() const
virtual bool hide_unknown_users() const
virtual bool hash_hello_random() const
virtual bool allow_tls13() const
virtual std::vector< std::string > allowed_key_exchange_methods() const
virtual size_t dtls_initial_timeout() const
virtual size_t maximum_session_tickets_per_client_hello() const
virtual bool use_ecc_point_compression() const
virtual bool allow_dtls12() const
virtual size_t minimum_dh_group_size() const
virtual bool allow_insecure_renegotiation() const
virtual std::vector< std::string > allowed_ciphers() const
virtual std::chrono::seconds session_ticket_lifetime() const
virtual size_t minimum_signature_strength() const
virtual std::vector< std::string > allowed_signature_methods() const
virtual size_t minimum_ecdsa_group_size() const
virtual std::vector< std::string > allowed_signature_hashes() const
virtual bool allow_server_initiated_renegotiation() const
size_t dtls_initial_timeout() const override
bool allow_dtls12() const override
bool server_uses_own_ciphersuite_preferences() const override
bool hash_hello_random() const override
std::chrono::seconds session_ticket_lifetime() const override
std::optional< uint16_t > record_size_limit() const override
bool allow_ssl_key_log_file() const override
bool include_time_in_hello_random() const override
bool allow_client_initiated_renegotiation() const override
std::string get_str(const std::string &key, const std::string &def="") const
bool support_cert_status_message() const override
std::vector< std::string > allowed_signature_methods() const override
std::vector< Group_Params > key_exchange_groups() const override
bool require_cert_revocation_info() const override
std::vector< std::string > allowed_key_exchange_methods() const override
size_t minimum_ecdsa_group_size() const override
bool set_value(const std::string &key, std::string_view val, bool overwrite)
bool allow_tls13() const override
size_t maximum_session_tickets_per_client_hello() const override
std::vector< Certificate_Type > accepted_server_certificate_types() const override
std::vector< Group_Params > key_exchange_groups_to_offer() const override
std::chrono::seconds get_duration(const std::string &key, std::chrono::seconds def) const
size_t new_session_tickets_upon_handshake_success() const override
std::vector< std::string > allowed_signature_hashes() const override
std::vector< uint16_t > srtp_profiles() const override
bool hide_unknown_users() const override
std::vector< std::string > allowed_ciphers() const override
Text_Policy(std::string_view s)
size_t minimum_ecdh_group_size() const override
void set(const std::string &key, const std::string &value)
bool allow_server_initiated_renegotiation() const override
bool get_bool(const std::string &key, bool def) const
size_t minimum_signature_strength() const override
std::vector< Certificate_Type > accepted_client_certificate_types() const override
bool negotiate_encrypt_then_mac() const override
bool require_client_certificate_authentication() const override
bool tls_13_middlebox_compatibility_mode() const override
size_t dtls_maximum_timeout() const override
bool reuse_session_tickets() const override
size_t get_len(const std::string &key, size_t def) const
bool allow_insecure_renegotiation() const override
bool allow_tls12() const override
bool use_ecc_point_compression() const override
std::vector< Certificate_Type > read_cert_type_list(const std::string &cert_type_str) const
size_t dtls_default_mtu() const override
std::vector< Group_Params > read_group_list(std::string_view group_str) const
size_t minimum_rsa_bits() const override
std::vector< std::string > allowed_macs() const override
size_t minimum_dh_group_size() const override
std::vector< std::string > get_list(const std::string &key, const std::vector< std::string > &def) const
Certificate_Type certificate_type_from_string(const std::string &type_str)
uint32_t to_u32bit(std::string_view str_view)
Definition parsing.cpp:32
uint16_t to_uint16(std::string_view str)
Definition parsing.cpp:22
std::map< std::string, std::string > read_cfg(std::istream &is)
Definition read_cfg.cpp:34
std::vector< std::string > split_on(std::string_view str, char delim)
Definition parsing.cpp:111