src/tls/tls_policy.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

/*
* Policies
* (C) 2004-2006 Jack Lloyd
*
* Released under the terms of the Botan license
*/

#ifndef BOTAN_TLS_POLICY_H__
#define BOTAN_TLS_POLICY_H__

#include <botan/tls_magic.h>
#include <botan/x509cert.h>
#include <botan/dl_group.h>
#include <vector>

namespace Botan {

/**
* TLS Policy Base Class
* Inherit and overload as desired to suite local policy concerns
*/
class BOTAN_DLL TLS_Policy
   {
   public:
      /*
      * Return allowed ciphersuites, in order of preference
      */
      std::vector<u16bit> ciphersuite_list(bool have_srp) const;

      u16bit choose_suite(const std::vector<u16bit>& client_suites,
                          bool have_rsa,
                          bool have_dsa,
                          bool have_srp) const;

      byte choose_compression(const std::vector<byte>& client_algos) const;

      std::vector<std::string> allowed_ciphers() const;

      std::vector<std::string> allowed_hashes() const;

      std::vector<std::string> allowed_key_exchange_methods() const;

      std::vector<std::string> allowed_signature_methods() const;

      virtual std::vector<byte> compression() const;

      virtual bool check_cert(const std::vector<X509_Certificate>& cert_chain) const = 0;

      /**
      * If client authentication is desired, returns a list of allowable
      * CAs for same. If not desired, returns empty list.
      */
      virtual std::vector<X509_Certificate> client_auth_CAs() const
         { return std::vector<X509_Certificate>(); }

      /**
      * Require support for RFC 5746 extensions to enable
      * renegotiation.
      *
      * @warning Changing this to false exposes you to injected
      * plaintext attacks.
      */
      virtual bool require_secure_renegotiation() const { return true; }

      /**
      * Return the group to use for ephemeral Diffie-Hellman key agreement
      */
      virtual DL_Group dh_group() const { return DL_Group("modp/ietf/1536"); }

      /*
      * @return the minimum version that we will negotiate
      */
      virtual Version_Code min_version() const { return SSL_V3; }

      /*
      * @return the version we would prefer to negotiate
      */
      virtual Version_Code pref_version() const { return TLS_V12; }

      virtual ~TLS_Policy() {}
   };

}

#endif