path: root/src/lib/tls/tls_policy.h
Diffstat (limited to 'src/lib/tls/tls_policy.h')
-rw-r--r--src/lib/tls/tls_policy.h30
1 files changed, 29 insertions, 1 deletions
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index 333cf0ee1..499ae91ba 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -77,13 +77,25 @@ class BOTAN_PUBLIC_API(2,0) Policy
bool allowed_signature_hash(const std::string& hash) const;
/**
- * Return list of ECC curves we are willing to use in order of preference
+ * Return list of ECC curves we are willing to use in order of preference.
+ * Allowed values: x25519, secp256r1, secp384r1, secp521r1,
+ * brainpool256r1, brainpool384r1, brainpool512r1
*/
virtual std::vector<std::string> allowed_ecc_curves() const;
bool allowed_ecc_curve(const std::string& curve) const;
/**
+ * Return list of ECC curves and FFDHE groups
+ * we are willing to use in order of preference.
+ * Allowed values: x25519, secp256r1, secp384r1, secp521r1,
+ * brainpool256r1, brainpool384r1, brainpool512r1,
+ * ffdhe/ietf/2048, ffdhe/ietf/3072, ffdhe/ietf/4096,
+ * ffdhe/ietf/6144, ffdhe/ietf/8192
+ */
+ virtual std::vector<std::string> allowed_groups() const;
+
+ /**
* Request that ECC curve points are sent compressed
*/
virtual bool use_ecc_point_compression() const;
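Review bot: The new doc comment on `allowed_groups()` lists the accepted names but says nothing about how this list relates to `allowed_ecc_curves()` declared just above it, so a policy author who overrides only the curve list cannot tell from the header whether the default group list will still offer the other curves and the FFDHE groups. Both concrete policies touched later in this commit (NSA_Suite_B_128 and BSI_TR_02102_2) override the two together, which suggests they are expected to stay in step. I would add to the comment: `* Policies that restrict allowed_ecc_curves() should override this as well, so that the curves advertised here match the ones they actually accept.` The default implementation of `allowed_groups()` is not part of this diff, so whether it is derived from `allowed_ecc_curves()` cannot be confirmed here.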
@@ -103,6 +115,11 @@ class BOTAN_PUBLIC_API(2,0) Policy
virtual std::string choose_curve(const std::vector<std::string>& curve_names) const;
/**
+ * Choose an FFHDE group to use
+ */
+ virtual std::string choose_dh_group(const std::vector<std::string>& dh_group_names) const;
+
+ /**
* Allow renegotiation even if the counterparty doesn't
* support the secure renegotiation extension.
*
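Review bot: The doc comment on the new `choose_dh_group()` declaration misspells the group family: `* Choose an FFHDE group to use` should read `* Choose an FFDHE group to use`. The comment also does not state whose preference order decides the choice or what is returned when none of `dh_group_names` is acceptable to the policy, which is exactly what a caller implementing the negotiation needs; the neighbouring `choose_curve()` has the same gap, so this may be an existing convention, but the new function is a good place to spell it out. The enclosing class body continues outside the hunk.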
@@ -330,6 +347,9 @@ class BOTAN_PUBLIC_API(2,0) NSA_Suite_B_128 final : public Policy
std::vector<std::string> allowed_ecc_curves() const override
{ return std::vector<std::string>({"secp256r1"}); }
+ std::vector<std::string> allowed_groups() const override
+ { return allowed_ecc_curves(); }
+
size_t minimum_signature_strength() const override { return 128; }
bool allow_tls10() const override { return false; }
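Review bot: The new `allowed_groups()` override in NSA_Suite_B_128 returns `allowed_ecc_curves()` without a comment, so the intent (no FFDHE groups at all under this profile, and the group list is deliberately kept identical to the curve list) has to be inferred. A one-line comment above the override would make that explicit and stop a later edit from "completing" the list with DH groups: `// Suite B permits no FFDHE groups; the group list is exactly the curve list.` The class is `final`, so the virtual call to `allowed_ecc_curves()` carries no dispatch cost worth worrying about.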
@@ -375,6 +395,12 @@ class BOTAN_PUBLIC_API(2,0) BSI_TR_02102_2 final : public Policy
return std::vector<std::string>({"brainpool512r1", "brainpool384r1", "brainpool256r1", "secp384r1", "secp256r1"});
}
+ std::vector<std::string> allowed_groups() const override
+ {
+ return std::vector<std::string>({"brainpool512r1", "brainpool384r1", "brainpool256r1", "secp384r1",
+ "secp256r1", "ffdhe/ietf/8192", "ffdhe/ietf/6144", "ffdhe/ietf/4096", "ffdhe/ietf/3072", "ffdhe/ietf/2048"});
+ }
+
bool allow_insecure_renegotiation() const override { return false; }
bool allow_server_initiated_renegotiation() const override { return true; }
bool server_uses_own_ciphersuite_preferences() const override { return true; }
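Review bot: The new `allowed_groups()` override in BSI_TR_02102_2 repeats the five curve names that `allowed_ecc_curves()` already returns two lines above, so a later change to one list will silently leave the other advertising a different set of curves. Building the group list from `allowed_ecc_curves()` and appending the FFDHE groups keeps the two in agreement by construction and leaves the preference order (strongest first, as in the curve list) unchanged. Whether `ffdhe/ietf/2048` satisfies the minimum DH modulus length the TR prescribes is worth confirming against the current edition of the document; it cannot be checked from this page.
```cpp
std::vector<std::string> allowed_groups() const override
   {
   std::vector<std::string> groups = allowed_ecc_curves();
   for(const char* dh : {"ffdhe/ietf/8192", "ffdhe/ietf/6144", "ffdhe/ietf/4096", "ffdhe/ietf/3072", "ffdhe/ietf/2048"})
      groups.push_back(dh);
   return groups;
   }
```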
@@ -451,6 +477,8 @@ class BOTAN_PUBLIC_API(2,0) Text_Policy : public Policy
std::vector<std::string> allowed_ecc_curves() const override;
+ std::vector<std::string> allowed_groups() const override;
+
bool use_ecc_point_compression() const override;
bool allow_tls10() const override;