diff options
author | Jack Lloyd <[email protected]> | 2016-03-16 01:02:15 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-03-16 01:02:15 -0400 |
commit | 93966abb3c51a77edf867abe7d7388ec542411bb (patch) | |
tree | 1875c02ef8a141d581a4e303d89e35646d46267f | |
parent | 539170d9acbe73f9e3b6a17bec41dfeb817a9fb8 (diff) |
TLS client features
Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2
Update todo
-rw-r--r-- | doc/todo.rst | 11 | ||||
-rw-r--r-- | src/cli/tls_client.cpp | 61 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.h | 3 |
3 files changed, 63 insertions, 12 deletions
diff --git a/doc/todo.rst b/doc/todo.rst index a98ec9f76..32927e6d7 100644 --- a/doc/todo.rst +++ b/doc/todo.rst @@ -3,18 +3,21 @@ Projects Request a new feature by opening a pull request to update this file. -Commands +CLI ---------------------------------------- +* Rewrite `tls_client` and `tls_server` to use asio. See `tls_proxy` + for an example * `encrypt` / `decrypt` tools providing password and/or public key based file encryption TLS ---------------------------------------- -* Make DTLS and SRP6 support optional in build +* Make DTLS support optional at build time +* Make TLS v1.0 and v1.1 optional at build time * Curve25519 key exchange -* Support for server key stored in TPM +* IETF standard ChaCha20Poly1305 * TLS OCSP stapling (RFC 6066) * Encrypt-then-MAC extension (RFC 7366) * Authentication using TOFU (sqlite3 storage) @@ -23,6 +26,7 @@ TLS * OpenPGP authentication (RFC 5081) * DTLS-SCTP (RFC 6083) * Perspectives (http://perspectives-project.org/) +* Support for server key stored in TPM PKIX ---------------------------------------- @@ -57,6 +61,7 @@ FFI (Python, OCaml) * Expose certificates * Expose TLS +* Write a CLI in Python Symmetric Algorithms, Hashes, ... ---------------------------------------- diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp index 62c909d5d..6af2f56f8 100644 --- a/src/cli/tls_client.cpp +++ b/src/cli/tls_client.cpp @@ -38,31 +38,53 @@ namespace Botan_CLI { class TLS_Client final : public Command { public: - TLS_Client() : Command("tls_client host --port=443 --type=tcp " - "--session-db= --session-db-pass= --next-protocols=") {} + TLS_Client() : Command("tls_client host --port=443 --print-certs --policy= " + "--tls1.0 --tls1.1 --tls1.2 " + "--session-db= --session-db-pass= --next-protocols= --type=tcp") {} void go() override { - Botan::TLS::Policy policy; // TODO read from a file - // TODO client cert auth std::unique_ptr<Botan::TLS::Session_Manager> session_mgr; -#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER) - const std::string sessions_passphrase = get_arg("session-db-pass"); const std::string sessions_db = get_arg("session-db"); if(!sessions_db.empty()) { +#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER) + const std::string sessions_passphrase = get_arg("session-db-pass"); session_mgr.reset(new Botan::TLS::Session_Manager_SQLite(sessions_passphrase, rng(), sessions_db)); - } +#else + error_output() << "Ignoring session DB file, sqlite not enabled\n"; #endif + } + if(!session_mgr) { session_mgr.reset(new Botan::TLS::Session_Manager_In_Memory(rng())); } + std::string policy_file = get_arg("policy"); + + std::unique_ptr<Botan::TLS::Policy> policy; + + if(policy_file.size() > 0) + { + std::ifstream policy_stream(policy_file); + if(!policy_stream.good()) + { + error_output() << "Failed reading policy file\n"; + return; + } + policy.reset(new Botan::TLS::Text_Policy(policy_stream)); + } + + if(!policy) + { + policy.reset(new Botan::TLS::Policy); + } + Basic_Credentials_Manager creds; const std::string host = get_arg("host"); @@ -85,7 +107,16 @@ class TLS_Client final : public Command std::bind(stream_socket_write, sockfd, _1, _2) : std::bind(dgram_socket_write, sockfd, _1, _2); - auto version = policy.latest_supported_version(!use_tcp); + auto version = policy->latest_supported_version(!use_tcp); + + if(flag_set("tls1.0")) + { + version = Botan::TLS::Protocol_Version::TLS_V10; + } + else if(flag_set("tls1.1")) + { + version = Botan::TLS::Protocol_Version::TLS_V11; + } Botan::TLS::Client client(socket_write, std::bind(&TLS_Client::process_data, this, _1, _2), @@ -93,7 +124,7 @@ class TLS_Client final : public Command std::bind(&TLS_Client::handshake_complete, this, _1), *session_mgr, creds, - policy, + *policy, rng(), Botan::TLS::Server_Information(host, port), version, @@ -236,6 +267,18 @@ class TLS_Client final : public Command if(!session.session_ticket().empty()) output() << "Session ticket " << Botan::hex_encode(session.session_ticket()) << "\n"; + if(flag_set("print-certs")) + { + const std::vector<Botan::X509_Certificate>& certs = session.peer_certs(); + + for(size_t i = 0; i != certs.size(); ++i) + { + output() << "Certificate " << i+1 << "/" << certs.size() << "\n"; + output() << certs[i].to_string(); + output() << certs[i].PEM_encode(); + } + } + return true; } diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index 67388b115..769bb8eeb 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -290,6 +290,9 @@ class BOTAN_DLL Text_Policy : public Policy u32bit session_ticket_lifetime() const override { return get_len("session_ticket_lifetime", Policy::session_ticket_lifetime()); } + bool send_fallback_scsv(Protocol_Version version) const override + { return get_bool("send_fallback_scsv", false) ? Policy::send_fallback_scsv(version) : false; } + std::vector<u16bit> srtp_profiles() const override { std::vector<u16bit> r; |