1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
/*
* Policies
* (C) 2004-2006 Jack Lloyd
*
* Released under the terms of the Botan license
*/
#ifndef BOTAN_TLS_POLICY_H__
#define BOTAN_TLS_POLICY_H__
#include <botan/tls_version.h>
#include <botan/x509cert.h>
#include <botan/dl_group.h>
#include <vector>
namespace Botan {
namespace TLS {
/**
* TLS Policy Base Class
* Inherit and overload as desired to suit local policy concerns
*/
class BOTAN_DLL Policy
{
public:
/**
* Returns a list of ciphers we are willing to negotiate, in
* order of preference. Allowed values: any block cipher name, or
* ARC4.
*/
virtual std::vector<std::string> allowed_ciphers() const;
/**
* Returns a list of hash algorithms we are willing to use, in
* order of preference. This is used for both MACs and signatures.
* Allowed values: any hash name, though currently only MD5,
* SHA-1, and the SHA-2 variants are used.
*/
virtual std::vector<std::string> allowed_hashes() const;
/**
* Returns a list of key exchange algorithms we are willing to
* use, in order of preference. Allowed values: DH, empty string
* (representing RSA using server certificate key)
*/
virtual std::vector<std::string> allowed_key_exchange_methods() const;
/**
* Returns a list of signature algorithms we are willing to
* use, in order of preference. Allowed values RSA and DSA.
*/
virtual std::vector<std::string> allowed_signature_methods() const;
/**
* Return list of ECC curves we are willing to use in order of preference
*/
virtual std::vector<std::string> allowed_ecc_curves() const;
/**
* Returns a list of signature algorithms we are willing to use,
* in order of preference. Allowed values any value of
* Compression_Method.
*/
virtual std::vector<byte> compression() const;
/**
* Choose an elliptic curve to use
*/
virtual std::string choose_curve(const std::vector<std::string>& curve_names) const;
/**
* Require support for RFC 5746 extensions to enable
* renegotiation.
*
* @warning Changing this to false exposes you to injected
* plaintext attacks. Read the RFC for background.
*/
virtual bool require_secure_renegotiation() const { return true; }
/**
* Return the group to use for ephemeral Diffie-Hellman key agreement
*/
virtual DL_Group dh_group() const;
/**
* If this function returns false, unknown SRP/PSK identifiers
* will be rejected with an unknown_psk_identifier alert as soon
* as the non-existence is identified. Otherwise, a false
* identifier value will be used and the protocol allowed to
* proceed, causing the handshake to eventually fail without
* revealing that the username does not exist on this system.
*/
virtual bool hide_unknown_users() const { return false; }
/**
* Return the allowed lifetime of a session ticket. If 0, session
* tickets do not expire until the session ticket key rolls over.
* Expired session tickets cannot be used to resume a session.
*/
virtual u32bit session_ticket_lifetime() const;
/**
* @return the minimum version that we are willing to negotiate
*/
virtual Protocol_Version min_version() const;
/**
* @return the version we would prefer to negotiate
*/
virtual Protocol_Version pref_version() const;
virtual ~Policy() {}
};
/**
* Return allowed ciphersuites, in order of preference
*/
std::vector<u16bit> ciphersuite_list(const Policy& policy,
bool have_srp);
}
}
#endif
|