DeterministicESPAsyncWebServer v6.28.0
Zero-allocation, bounded-execution async HTTP server for ESP32
Loading...
Searching...
No Matches
tls_policy.cpp
Go to the documentation of this file.
1// Copyright (C) 2026 Douglas Quigg (dstroy0) <dquigg123@gmail.com>
2// SPDX-License-Identifier: AGPL-3.0-or-later
3
4/**
5 * @file tls_policy.cpp
6 * @brief TLS version negotiation + pinned cipher-suite policy (see tls_policy.h).
7 */
8
10
11#if DETWS_ENABLE_TLS_POLICY
12
13uint16_t detws_tls_negotiate_version(uint16_t client_max, uint16_t server_min, uint16_t server_max)
14{
15 if (server_min > server_max)
16 return 0;
17 if (client_max < server_min)
18 return 0; // the client cannot go as high as we require
19 uint16_t chosen = client_max < server_max ? client_max : server_max;
20 return chosen;
21}
22
23const char *detws_tls_version_name(uint16_t version)
24{
25 switch (version)
26 {
27 case TLS_VERSION_1_2:
28 return "TLS 1.2";
29 case TLS_VERSION_1_3:
30 return "TLS 1.3";
31 default:
32 return "unknown";
33 }
34}
35
36uint16_t detws_tls_select_cipher(const uint16_t *client_offered, size_t n_client, const uint16_t *server_pinned,
37 size_t n_server)
38{
39 if (!client_offered || !server_pinned)
40 return 0;
41 // Server preference: walk the pinned list in order, take the first the client also offered.
42 for (size_t i = 0; i < n_server; i++)
43 for (size_t j = 0; j < n_client; j++)
44 if (server_pinned[i] == client_offered[j])
45 return server_pinned[i];
46 return 0;
47}
48
49bool detws_tls_is_aead(uint16_t suite)
50{
51 switch (suite)
52 {
53 // TLS 1.3 AEAD suites.
54 case 0x1301: // TLS_AES_128_GCM_SHA256
55 case 0x1302: // TLS_AES_256_GCM_SHA384
56 case 0x1303: // TLS_CHACHA20_POLY1305_SHA256
57 // TLS 1.2 ECDHE AEAD suites.
58 case 0xC02B: // ECDHE_ECDSA_AES_128_GCM_SHA256
59 case 0xC02C: // ECDHE_ECDSA_AES_256_GCM_SHA384
60 case 0xC02F: // ECDHE_RSA_AES_128_GCM_SHA256
61 case 0xC030: // ECDHE_RSA_AES_256_GCM_SHA384
62 case 0xCCA8: // ECDHE_RSA_CHACHA20_POLY1305
63 case 0xCCA9: // ECDHE_ECDSA_CHACHA20_POLY1305
64 return true;
65 default:
66 return false;
67 }
68}
69
70#endif // DETWS_ENABLE_TLS_POLICY
TLS version negotiation + pinned cipher-suite policy (DETWS_ENABLE_TLS_POLICY).