aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-03-16 01:02:15 -0400
committerJack Lloyd <[email protected]>2016-03-16 01:02:15 -0400
commit93966abb3c51a77edf867abe7d7388ec542411bb (patch)
tree1875c02ef8a141d581a4e303d89e35646d46267f
parent539170d9acbe73f9e3b6a17bec41dfeb817a9fb8 (diff)
TLS client features
Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2 Update todo
-rw-r--r--doc/todo.rst11
-rw-r--r--src/cli/tls_client.cpp61
-rw-r--r--src/lib/tls/tls_policy.h3
3 files changed, 63 insertions, 12 deletions
diff --git a/doc/todo.rst b/doc/todo.rst
index a98ec9f76..32927e6d7 100644
--- a/doc/todo.rst
+++ b/doc/todo.rst
@@ -3,18 +3,21 @@ Projects
Request a new feature by opening a pull request to update this file.
-Commands
+CLI
----------------------------------------
+* Rewrite `tls_client` and `tls_server` to use asio. See `tls_proxy`
+ for an example
* `encrypt` / `decrypt` tools providing password and/or public key
based file encryption
TLS
----------------------------------------
-* Make DTLS and SRP6 support optional in build
+* Make DTLS support optional at build time
+* Make TLS v1.0 and v1.1 optional at build time
* Curve25519 key exchange
-* Support for server key stored in TPM
+* IETF standard ChaCha20Poly1305
* TLS OCSP stapling (RFC 6066)
* Encrypt-then-MAC extension (RFC 7366)
* Authentication using TOFU (sqlite3 storage)
@@ -23,6 +26,7 @@ TLS
* OpenPGP authentication (RFC 5081)
* DTLS-SCTP (RFC 6083)
* Perspectives (http://perspectives-project.org/)
+* Support for server key stored in TPM
PKIX
----------------------------------------
@@ -57,6 +61,7 @@ FFI (Python, OCaml)
* Expose certificates
* Expose TLS
+* Write a CLI in Python
Symmetric Algorithms, Hashes, ...
----------------------------------------
diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp
index 62c909d5d..6af2f56f8 100644
--- a/src/cli/tls_client.cpp
+++ b/src/cli/tls_client.cpp
@@ -38,31 +38,53 @@ namespace Botan_CLI {
class TLS_Client final : public Command
{
public:
- TLS_Client() : Command("tls_client host --port=443 --type=tcp "
- "--session-db= --session-db-pass= --next-protocols=") {}
+ TLS_Client() : Command("tls_client host --port=443 --print-certs --policy= "
+ "--tls1.0 --tls1.1 --tls1.2 "
+ "--session-db= --session-db-pass= --next-protocols= --type=tcp") {}
void go() override
{
- Botan::TLS::Policy policy; // TODO read from a file
-
// TODO client cert auth
std::unique_ptr<Botan::TLS::Session_Manager> session_mgr;
-#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
- const std::string sessions_passphrase = get_arg("session-db-pass");
const std::string sessions_db = get_arg("session-db");
if(!sessions_db.empty())
{
+#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
+ const std::string sessions_passphrase = get_arg("session-db-pass");
session_mgr.reset(new Botan::TLS::Session_Manager_SQLite(sessions_passphrase, rng(), sessions_db));
- }
+#else
+ error_output() << "Ignoring session DB file, sqlite not enabled\n";
#endif
+ }
+
if(!session_mgr)
{
session_mgr.reset(new Botan::TLS::Session_Manager_In_Memory(rng()));
}
+ std::string policy_file = get_arg("policy");
+
+ std::unique_ptr<Botan::TLS::Policy> policy;
+
+ if(policy_file.size() > 0)
+ {
+ std::ifstream policy_stream(policy_file);
+ if(!policy_stream.good())
+ {
+ error_output() << "Failed reading policy file\n";
+ return;
+ }
+ policy.reset(new Botan::TLS::Text_Policy(policy_stream));
+ }
+
+ if(!policy)
+ {
+ policy.reset(new Botan::TLS::Policy);
+ }
+
Basic_Credentials_Manager creds;
const std::string host = get_arg("host");
@@ -85,7 +107,16 @@ class TLS_Client final : public Command
std::bind(stream_socket_write, sockfd, _1, _2) :
std::bind(dgram_socket_write, sockfd, _1, _2);
- auto version = policy.latest_supported_version(!use_tcp);
+ auto version = policy->latest_supported_version(!use_tcp);
+
+ if(flag_set("tls1.0"))
+ {
+ version = Botan::TLS::Protocol_Version::TLS_V10;
+ }
+ else if(flag_set("tls1.1"))
+ {
+ version = Botan::TLS::Protocol_Version::TLS_V11;
+ }
Botan::TLS::Client client(socket_write,
std::bind(&TLS_Client::process_data, this, _1, _2),
@@ -93,7 +124,7 @@ class TLS_Client final : public Command
std::bind(&TLS_Client::handshake_complete, this, _1),
*session_mgr,
creds,
- policy,
+ *policy,
rng(),
Botan::TLS::Server_Information(host, port),
version,
@@ -236,6 +267,18 @@ class TLS_Client final : public Command
if(!session.session_ticket().empty())
output() << "Session ticket " << Botan::hex_encode(session.session_ticket()) << "\n";
+ if(flag_set("print-certs"))
+ {
+ const std::vector<Botan::X509_Certificate>& certs = session.peer_certs();
+
+ for(size_t i = 0; i != certs.size(); ++i)
+ {
+ output() << "Certificate " << i+1 << "/" << certs.size() << "\n";
+ output() << certs[i].to_string();
+ output() << certs[i].PEM_encode();
+ }
+ }
+
return true;
}
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index 67388b115..769bb8eeb 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -290,6 +290,9 @@ class BOTAN_DLL Text_Policy : public Policy
u32bit session_ticket_lifetime() const override
{ return get_len("session_ticket_lifetime", Policy::session_ticket_lifetime()); }
+ bool send_fallback_scsv(Protocol_Version version) const override
+ { return get_bool("send_fallback_scsv", false) ? Policy::send_fallback_scsv(version) : false; }
+
std::vector<u16bit> srtp_profiles() const override
{
std::vector<u16bit> r;