diff options
author | Jack Lloyd <[email protected]> | 2018-09-12 14:33:03 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-09-12 15:43:38 -0400 |
commit | 2b378c73f5b5a4576336dba5bdd8c2f642702b02 (patch) | |
tree | 4c0dd5d70c7ca3fc42278e0c61930a32a0676053 | |
parent | 101513906ad8729603b8b78bb7488d1ffb029b0d (diff) |
Fix TLS client CLI which was broken by disabling v1.0/v1.1 by default
-rw-r--r-- | src/cli/tls_client.cpp | 58 | ||||
-rw-r--r-- | src/cli/tls_utils.cpp | 10 |
2 files changed, 56 insertions, 12 deletions
diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp index c7bb134e2..aef8e2512 100644 --- a/src/cli/tls_client.cpp +++ b/src/cli/tls_client.cpp @@ -31,6 +31,31 @@ namespace Botan_CLI { +class CLI_Policy : public Botan::TLS::Policy + { + public: + + CLI_Policy(Botan::TLS::Protocol_Version req_version) : m_version(req_version) {} + + std::vector<std::string> allowed_ciphers() const override + { + // Allow CBC mode only in versions which don't support AEADs + if(m_version.supports_aead_modes() == false) + { + return { "AES-256", "AES-128" }; + } + + return Botan::TLS::Policy::allowed_ciphers(); + } + + bool allow_tls10() const override { return m_version == Botan::TLS::Protocol_Version::TLS_V10; } + bool allow_tls11() const override { return m_version == Botan::TLS::Protocol_Version::TLS_V11; } + bool allow_tls12() const override { return m_version == Botan::TLS::Protocol_Version::TLS_V12; } + + private: + Botan::TLS::Protocol_Version m_version; + }; + class TLS_Client final : public Command, public Botan::TLS::Callbacks { public: @@ -101,11 +126,6 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks policy.reset(new Botan::TLS::Text_Policy(policy_stream)); } - if(!policy) - { - policy.reset(new Botan::TLS::Policy); - } - if(transport != "tcp" && transport != "udp") { throw CLI_Usage_Error("Invalid transport type '" + transport + "' for TLS"); @@ -115,19 +135,35 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks const std::vector<std::string> protocols_to_offer = Botan::split_on(next_protos, ','); - m_sockfd = connect_to_host(host, port, use_tcp); - - using namespace std::placeholders; - - auto version = policy->latest_supported_version(!use_tcp); + Botan::TLS::Protocol_Version version = + use_tcp ? Botan::TLS::Protocol_Version::TLS_V12 : Botan::TLS::Protocol_Version::DTLS_V12; if(flag_set("tls1.0")) { version = Botan::TLS::Protocol_Version::TLS_V10; + if(!policy) + policy.reset(new CLI_Policy(version)); } else if(flag_set("tls1.1")) { version = Botan::TLS::Protocol_Version::TLS_V11; + if(!policy) + policy.reset(new CLI_Policy(version)); + } + else if(flag_set("tls1.2")) + { + version = Botan::TLS::Protocol_Version::TLS_V12; + if(!policy) + policy.reset(new CLI_Policy(version)); + } + else if(!policy) + { + policy.reset(new Botan::TLS::Policy); + } + + if(policy->acceptable_protocol_version(version) == false) + { + throw CLI_Usage_Error("The policy specified does not allow the requested TLS version"); } struct sockaddr_storage addrbuf; @@ -139,6 +175,8 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks hostname = host; } + m_sockfd = connect_to_host(host, port, use_tcp); + Basic_Credentials_Manager creds(use_system_cert_store, trusted_CAs); Botan::TLS::Client client(*this, *session_mgr, creds, *policy, rng(), diff --git a/src/cli/tls_utils.cpp b/src/cli/tls_utils.cpp index 2429b5de6..16813c13a 100644 --- a/src/cli/tls_utils.cpp +++ b/src/cli/tls_utils.cpp @@ -55,8 +55,8 @@ class TLS_All_Policy final : public Botan::TLS::Policy return { "ECDSA", "RSA", "DSA" }; } - bool allow_tls10() const override { return false; } - bool allow_tls11() const override { return false; } + bool allow_tls10() const override { return true; } + bool allow_tls11() const override { return true; } bool allow_tls12() const override { return true; } }; @@ -138,6 +138,12 @@ class TLS_Ciphersuites final : public Command policy.reset(new Botan::TLS::Text_Policy(policy_txt)); } + if(policy->acceptable_protocol_version(version) == false) + { + error_output() << "Error: the policy specified does not allow the given TLS version\n"; + return; + } + for(uint16_t suite_id : policy->ciphersuite_list(version, with_srp)) { const Botan::TLS::Ciphersuite suite(Botan::TLS::Ciphersuite::by_id(suite_id)); |