aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-09-12 14:33:03 -0400
committerJack Lloyd <[email protected]>2018-09-12 15:43:38 -0400
commit2b378c73f5b5a4576336dba5bdd8c2f642702b02 (patch)
tree4c0dd5d70c7ca3fc42278e0c61930a32a0676053
parent101513906ad8729603b8b78bb7488d1ffb029b0d (diff)
Fix TLS client CLI which was broken by disabling v1.0/v1.1 by default
-rw-r--r--src/cli/tls_client.cpp58
-rw-r--r--src/cli/tls_utils.cpp10
2 files changed, 56 insertions, 12 deletions
diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp
index c7bb134e2..aef8e2512 100644
--- a/src/cli/tls_client.cpp
+++ b/src/cli/tls_client.cpp
@@ -31,6 +31,31 @@
namespace Botan_CLI {
+class CLI_Policy : public Botan::TLS::Policy
+ {
+ public:
+
+ CLI_Policy(Botan::TLS::Protocol_Version req_version) : m_version(req_version) {}
+
+ std::vector<std::string> allowed_ciphers() const override
+ {
+ // Allow CBC mode only in versions which don't support AEADs
+ if(m_version.supports_aead_modes() == false)
+ {
+ return { "AES-256", "AES-128" };
+ }
+
+ return Botan::TLS::Policy::allowed_ciphers();
+ }
+
+ bool allow_tls10() const override { return m_version == Botan::TLS::Protocol_Version::TLS_V10; }
+ bool allow_tls11() const override { return m_version == Botan::TLS::Protocol_Version::TLS_V11; }
+ bool allow_tls12() const override { return m_version == Botan::TLS::Protocol_Version::TLS_V12; }
+
+ private:
+ Botan::TLS::Protocol_Version m_version;
+ };
+
class TLS_Client final : public Command, public Botan::TLS::Callbacks
{
public:
@@ -101,11 +126,6 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks
policy.reset(new Botan::TLS::Text_Policy(policy_stream));
}
- if(!policy)
- {
- policy.reset(new Botan::TLS::Policy);
- }
-
if(transport != "tcp" && transport != "udp")
{
throw CLI_Usage_Error("Invalid transport type '" + transport + "' for TLS");
@@ -115,19 +135,35 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks
const std::vector<std::string> protocols_to_offer = Botan::split_on(next_protos, ',');
- m_sockfd = connect_to_host(host, port, use_tcp);
-
- using namespace std::placeholders;
-
- auto version = policy->latest_supported_version(!use_tcp);
+ Botan::TLS::Protocol_Version version =
+ use_tcp ? Botan::TLS::Protocol_Version::TLS_V12 : Botan::TLS::Protocol_Version::DTLS_V12;
if(flag_set("tls1.0"))
{
version = Botan::TLS::Protocol_Version::TLS_V10;
+ if(!policy)
+ policy.reset(new CLI_Policy(version));
}
else if(flag_set("tls1.1"))
{
version = Botan::TLS::Protocol_Version::TLS_V11;
+ if(!policy)
+ policy.reset(new CLI_Policy(version));
+ }
+ else if(flag_set("tls1.2"))
+ {
+ version = Botan::TLS::Protocol_Version::TLS_V12;
+ if(!policy)
+ policy.reset(new CLI_Policy(version));
+ }
+ else if(!policy)
+ {
+ policy.reset(new Botan::TLS::Policy);
+ }
+
+ if(policy->acceptable_protocol_version(version) == false)
+ {
+ throw CLI_Usage_Error("The policy specified does not allow the requested TLS version");
}
struct sockaddr_storage addrbuf;
@@ -139,6 +175,8 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks
hostname = host;
}
+ m_sockfd = connect_to_host(host, port, use_tcp);
+
Basic_Credentials_Manager creds(use_system_cert_store, trusted_CAs);
Botan::TLS::Client client(*this, *session_mgr, creds, *policy, rng(),
diff --git a/src/cli/tls_utils.cpp b/src/cli/tls_utils.cpp
index 2429b5de6..16813c13a 100644
--- a/src/cli/tls_utils.cpp
+++ b/src/cli/tls_utils.cpp
@@ -55,8 +55,8 @@ class TLS_All_Policy final : public Botan::TLS::Policy
return { "ECDSA", "RSA", "DSA" };
}
- bool allow_tls10() const override { return false; }
- bool allow_tls11() const override { return false; }
+ bool allow_tls10() const override { return true; }
+ bool allow_tls11() const override { return true; }
bool allow_tls12() const override { return true; }
};
@@ -138,6 +138,12 @@ class TLS_Ciphersuites final : public Command
policy.reset(new Botan::TLS::Text_Policy(policy_txt));
}
+ if(policy->acceptable_protocol_version(version) == false)
+ {
+ error_output() << "Error: the policy specified does not allow the given TLS version\n";
+ return;
+ }
+
for(uint16_t suite_id : policy->ciphersuite_list(version, with_srp))
{
const Botan::TLS::Ciphersuite suite(Botan::TLS::Ciphersuite::by_id(suite_id));