Botan 3.8.1
Crypto and TLS for C&
tls_text_policy.cpp
Go to the documentation of this file.
1/*
2* Text-Based TLS Policy
3* (C) 2016,2017 Jack Lloyd
4* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/tls_policy.h>
10
11#include <botan/assert.h>
12#include <botan/exceptn.h>
13#include <botan/internal/parsing.h>
14#include <optional>
15#include <sstream>
16
17namespace Botan::TLS {
18
20 return get_bool("allow_ssl_key_log_file", Policy::allow_ssl_key_log_file());
21}
22
23std::vector<std::string> Text_Policy::allowed_ciphers() const {
24 return get_list("ciphers", Policy::allowed_ciphers());
25}
26
27std::vector<std::string> Text_Policy::allowed_signature_hashes() const {
28 return get_list("signature_hashes", Policy::allowed_signature_hashes());
29}
30
31std::vector<std::string> Text_Policy::allowed_macs() const {
32 return get_list("macs", Policy::allowed_macs());
33}
34
35std::vector<std::string> Text_Policy::allowed_key_exchange_methods() const {
36 return get_list("key_exchange_methods", Policy::allowed_key_exchange_methods());
37}
38
39std::vector<std::string> Text_Policy::allowed_signature_methods() const {
40 return get_list("signature_methods", Policy::allowed_signature_methods());
41}
42
44 return get_bool("use_ecc_point_compression", Policy::use_ecc_point_compression());
45}
46
48 return get_bool("allow_tls12", Policy::allow_tls12());
49}
50
52 return get_bool("allow_tls13", Policy::allow_tls13());
53}
54
56 return get_bool("allow_dtls12", Policy::allow_dtls12());
57}
58
60 return get_bool("allow_insecure_renegotiation", Policy::allow_insecure_renegotiation());
61}
62
64 return get_bool("include_time_in_hello_random", Policy::include_time_in_hello_random());
65}
66
68 return get_bool("require_client_certificate_authentication", Policy::require_client_certificate_authentication());
69}
70
72 return get_bool("allow_client_initiated_renegotiation", Policy::allow_client_initiated_renegotiation());
73}
74
75std::vector<Certificate_Type> Text_Policy::accepted_client_certificate_types() const {
76 const auto cert_types = get_str("accepted_client_certificate_types");
77 return (cert_types.empty()) ? Policy::accepted_client_certificate_types() : read_cert_type_list(cert_types);
78}
79
80std::vector<Certificate_Type> Text_Policy::accepted_server_certificate_types() const {
81 const auto cert_types = get_str("accepted_server_certificate_types");
82 return (cert_types.empty()) ? Policy::accepted_server_certificate_types() : read_cert_type_list(cert_types);
83}
84
86 return get_bool("allow_server_initiated_renegotiation", Policy::allow_server_initiated_renegotiation());
87}
88
90 return get_bool("server_uses_own_ciphersuite_preferences", Policy::server_uses_own_ciphersuite_preferences());
91}
92
94 return get_bool("negotiate_encrypt_then_mac", Policy::negotiate_encrypt_then_mac());
95}
96
97std::optional<uint16_t> Text_Policy::record_size_limit() const {
98 const auto limit = get_len("record_size_limit", 0);
99 // RFC 8449 4.
100 // TLS 1.3 uses a limit of 2^14+1 octets.
101 BOTAN_ARG_CHECK(limit <= 16385, "record size limit too large");
102 return (limit > 0) ? std::make_optional(static_cast<uint16_t>(limit)) : std::nullopt;
103}
104
106 return get_bool("support_cert_status_message", Policy::support_cert_status_message());
107}
108
109std::vector<Group_Params> Text_Policy::key_exchange_groups() const {
110 std::string group_str = get_str("key_exchange_groups");
111
112 if(group_str.empty()) {
113 // fall back to previously used name
114 group_str = get_str("groups");
115 }
116
117 if(group_str.empty()) {
119 }
120
121 return read_group_list(group_str);
122}
123
124std::vector<Group_Params> Text_Policy::key_exchange_groups_to_offer() const {
125 std::string group_str = get_str("key_exchange_groups_to_offer", "notset");
126
127 if(group_str.empty() || group_str == "notset") {
128 // policy was not set, fall back to default behaviour
130 }
131
132 if(group_str == "none") {
133 return {};
134 }
135
136 return read_group_list(group_str);
137}
138
140 return get_len("minimum_ecdh_group_size", Policy::minimum_ecdh_group_size());
141}
142
144 return get_len("minimum_ecdsa_group_size", Policy::minimum_ecdsa_group_size());
145}
146
148 return get_len("minimum_dh_group_size", Policy::minimum_dh_group_size());
149}
150
152 return get_len("minimum_rsa_bits", Policy::minimum_rsa_bits());
153}
154
156 return get_len("minimum_signature_strength", Policy::minimum_signature_strength());
157}
158
160 return get_len("dtls_default_mtu", Policy::dtls_default_mtu());
161}
162
164 return get_len("dtls_initial_timeout", Policy::dtls_initial_timeout());
165}
166
168 return get_len("dtls_maximum_timeout", Policy::dtls_maximum_timeout());
169}
170
172 return get_bool("require_cert_revocation_info", Policy::require_cert_revocation_info());
173}
174
176 return get_bool("hide_unknown_users", Policy::hide_unknown_users());
177}
178
180 return get_len("maximum_session_tickets_per_client_hello", Policy::maximum_session_tickets_per_client_hello());
181}
182
183std::chrono::seconds Text_Policy::session_ticket_lifetime() const {
184 return get_duration("session_ticket_lifetime", Policy::session_ticket_lifetime());
185}
186
188 return get_bool("reuse_session_tickets", Policy::reuse_session_tickets());
189}
190
192 return get_len("new_session_tickets_upon_handshake_success", Policy::new_session_tickets_upon_handshake_success());
193}
194
195std::vector<uint16_t> Text_Policy::srtp_profiles() const {
196 std::vector<uint16_t> r;
197 for(const auto& p : get_list("srtp_profiles", std::vector<std::string>())) {
198 r.push_back(to_uint16(p));
199 }
200 return r;
201}
202
204 return get_bool("tls_13_middlebox_compatibility_mode", Policy::tls_13_middlebox_compatibility_mode());
205}
206
208 return get_bool("hash_hello_random", Policy::hash_hello_random());
209}
210
211void Text_Policy::set(const std::string& key, const std::string& value) {
212 m_kv[key] = value;
213}
214
215Text_Policy::Text_Policy(std::string_view s) {
216 std::istringstream iss{std::string(s)}; // FIXME C++23 avoid copy
217 m_kv = read_cfg(iss);
218}
219
220Text_Policy::Text_Policy(std::istream& in) : m_kv(read_cfg(in)) {}
221
222std::vector<std::string> Text_Policy::get_list(const std::string& key, const std::vector<std::string>& def) const {
223 const std::string v = get_str(key);
224
225 if(v.empty()) {
226 return def;
227 }
228
229 return split_on(v, ' ');
230}
231
232std::vector<Group_Params> Text_Policy::read_group_list(std::string_view group_str) const {
233 std::vector<Group_Params> groups;
234 for(const auto& group_name : split_on(group_str, ' ')) {
235 Group_Params group_id = Group_Params::from_string(group_name).value_or(Group_Params::NONE);
236
237 if(!group_id.is_available()) {
238 continue;
239 }
240
241 if(group_id == Group_Params::NONE) {
242 try {
243 size_t consumed = 0;
244 unsigned long ll_id = std::stoul(group_name, &consumed, 0);
245 if(consumed != group_name.size()) {
246 continue; // some other cruft
247 }
248
249 const uint16_t id = static_cast<uint16_t>(ll_id);
250
251 if(id != ll_id) {
252 continue; // integer too large
253 }
254
255 group_id = static_cast<Group_Params>(id);
256 } catch(...) {
257 continue;
258 }
259 }
260
261 if(group_id != Group_Params::NONE) {
262 groups.push_back(group_id);
263 }
264 }
265
266 return groups;
267}
268
269std::vector<Certificate_Type> Text_Policy::read_cert_type_list(const std::string& cert_type_names) const {
270 std::vector<Certificate_Type> cert_types;
271 for(const std::string& cert_type_name : split_on(cert_type_names, ' ')) {
272 cert_types.push_back(certificate_type_from_string(cert_type_name));
273 }
274
275 return cert_types;
276}
277
278size_t Text_Policy::get_len(const std::string& key, size_t def) const {
279 const std::string v = get_str(key);
280
281 if(v.empty()) {
282 return def;
283 }
284
285 return to_u32bit(v);
286}
287
288std::chrono::seconds Text_Policy::get_duration(const std::string& key, std::chrono::seconds def) const {
289 using rep_t = std::chrono::seconds::rep;
290 constexpr rep_t max_seconds = std::chrono::seconds::max().count();
291 constexpr auto max_sizet = std::numeric_limits<size_t>::max();
292 using ull = unsigned long long;
293
294 // The concrete type of `rep` is not specified exactly. Let's play it extra safe...
295 // e.g. on 32-bit platforms size_t is 32 bits but rep_t is "at least 35 bits"
296
297 // at least zero and certainly fitting into rep_t
298 const rep_t positive_default = std::max(def.count(), rep_t(0));
299 // at least zero but capped to whatever size_t can handle
300 const size_t positive_capped_default = static_cast<size_t>(std::min<ull>(positive_default, max_sizet));
301 // at least zero but capped to whatever rep_t can handle
302 const rep_t result = static_cast<rep_t>(std::min<ull>(get_len(key, positive_capped_default), max_seconds));
303
304 return std::chrono::seconds(result);
305}
306
307bool Text_Policy::get_bool(const std::string& key, bool def) const {
308 const std::string v = get_str(key);
309
310 if(v.empty()) {
311 return def;
312 }
313
314 if(v == "true" || v == "True") {
315 return true;
316 } else if(v == "false" || v == "False") {
317 return false;
318 } else {
319 throw Decoding_Error("Invalid boolean '" + v + "'");
320 }
321}
322
323std::string Text_Policy::get_str(const std::string& key, const std::string& def) const {
324 auto i = m_kv.find(key);
325 if(i == m_kv.end()) {
326 return def;
327 }
328
329 return i->second;
330}
331
332bool Text_Policy::set_value(const std::string& key, std::string_view val, bool overwrite) {
333 auto i = m_kv.find(key);
334
335 if(overwrite == false && i != m_kv.end()) {
336 return false;
337 }
338
339 m_kv.insert(i, std::make_pair(key, val));
340 return true;
341}
342
343} // namespace Botan::TLS
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:31
static std::optional< Group_Params > from_string(std::string_view group_name)
virtual bool include_time_in_hello_random() const
virtual size_t dtls_maximum_timeout() const
virtual size_t minimum_ecdh_group_size() const
virtual size_t dtls_default_mtu() const
virtual bool allow_tls12() const
virtual bool reuse_session_tickets() const
virtual std::vector< Certificate_Type > accepted_server_certificate_types() const
virtual std::vector< Certificate_Type > accepted_client_certificate_types() const
virtual bool require_client_certificate_authentication() const
virtual std::vector< Group_Params > key_exchange_groups() const
virtual size_t new_session_tickets_upon_handshake_success() const
virtual std::vector< Group_Params > key_exchange_groups_to_offer() const
virtual size_t minimum_rsa_bits() const
virtual bool tls_13_middlebox_compatibility_mode() const
virtual bool allow_client_initiated_renegotiation() const
virtual bool allow_ssl_key_log_file() const
virtual bool require_cert_revocation_info() const
virtual bool negotiate_encrypt_then_mac() const
virtual bool server_uses_own_ciphersuite_preferences() const
virtual bool support_cert_status_message() const
virtual std::vector< std::string > allowed_macs() const
virtual bool hide_unknown_users() const
virtual bool hash_hello_random() const
virtual bool allow_tls13() const
virtual std::vector< std::string > allowed_key_exchange_methods() const
virtual size_t dtls_initial_timeout() const
virtual size_t maximum_session_tickets_per_client_hello() const
virtual bool use_ecc_point_compression() const
virtual bool allow_dtls12() const
virtual size_t minimum_dh_group_size() const
virtual bool allow_insecure_renegotiation() const
virtual std::vector< std::string > allowed_ciphers() const
virtual std::chrono::seconds session_ticket_lifetime() const
virtual size_t minimum_signature_strength() const
virtual std::vector< std::string > allowed_signature_methods() const
virtual size_t minimum_ecdsa_group_size() const
virtual std::vector< std::string > allowed_signature_hashes() const
virtual bool allow_server_initiated_renegotiation() const
size_t dtls_initial_timeout() const override
bool allow_dtls12() const override
bool server_uses_own_ciphersuite_preferences() const override
bool hash_hello_random() const override
std::chrono::seconds session_ticket_lifetime() const override
std::optional< uint16_t > record_size_limit() const override
bool allow_ssl_key_log_file() const override
bool include_time_in_hello_random() const override
bool allow_client_initiated_renegotiation() const override
std::string get_str(const std::string &key, const std::string &def="") const
bool support_cert_status_message() const override
std::vector< std::string > allowed_signature_methods() const override
std::vector< Group_Params > key_exchange_groups() const override
bool require_cert_revocation_info() const override
std::vector< std::string > allowed_key_exchange_methods() const override
size_t minimum_ecdsa_group_size() const override
bool set_value(const std::string &key, std::string_view val, bool overwrite)
bool allow_tls13() const override
size_t maximum_session_tickets_per_client_hello() const override
std::vector< Certificate_Type > accepted_server_certificate_types() const override
std::vector< Group_Params > key_exchange_groups_to_offer() const override
std::chrono::seconds get_duration(const std::string &key, std::chrono::seconds def) const
size_t new_session_tickets_upon_handshake_success() const override
std::vector< std::string > allowed_signature_hashes() const override
std::vector< uint16_t > srtp_profiles() const override
bool hide_unknown_users() const override
std::vector< std::string > allowed_ciphers() const override
Text_Policy(std::string_view s)
size_t minimum_ecdh_group_size() const override
void set(const std::string &key, const std::string &value)
bool allow_server_initiated_renegotiation() const override
bool get_bool(const std::string &key, bool def) const
size_t minimum_signature_strength() const override
std::vector< Certificate_Type > accepted_client_certificate_types() const override
bool negotiate_encrypt_then_mac() const override
bool require_client_certificate_authentication() const override
bool tls_13_middlebox_compatibility_mode() const override
size_t dtls_maximum_timeout() const override
bool reuse_session_tickets() const override
size_t get_len(const std::string &key, size_t def) const
bool allow_insecure_renegotiation() const override
bool allow_tls12() const override
bool use_ecc_point_compression() const override
std::vector< Certificate_Type > read_cert_type_list(const std::string &cert_type_str) const
size_t dtls_default_mtu() const override
std::vector< Group_Params > read_group_list(std::string_view group_str) const
size_t minimum_rsa_bits() const override
std::vector< std::string > allowed_macs() const override
size_t minimum_dh_group_size() const override
std::vector< std::string > get_list(const std::string &key, const std::vector< std::string > &def) const
Certificate_Type certificate_type_from_string(const std::string &type_str)
uint32_t to_u32bit(std::string_view str_view)
Definition parsing.cpp:32
uint16_t to_uint16(std::string_view str)
Definition parsing.cpp:22
std::map< std::string, std::string > read_cfg(std::istream &is)
Definition read_cfg.cpp:34
std::vector< std::string > split_on(std::string_view str, char delim)
Definition parsing.cpp:111