From 2b378c73f5b5a4576336dba5bdd8c2f642702b02 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Wed, 12 Sep 2018 14:33:03 -0400 Subject: Fix TLS client CLI which was broken by disabling v1.0/v1.1 by default --- src/cli/tls_client.cpp | 58 +++++++++++++++++++++++++++++++++++++++++--------- src/cli/tls_utils.cpp | 10 +++++++-- 2 files changed, 56 insertions(+), 12 deletions(-) diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp index c7bb134e2..aef8e2512 100644 --- a/src/cli/tls_client.cpp +++ b/src/cli/tls_client.cpp @@ -31,6 +31,31 @@ namespace Botan_CLI { +class CLI_Policy : public Botan::TLS::Policy + { + public: + + CLI_Policy(Botan::TLS::Protocol_Version req_version) : m_version(req_version) {} + + std::vector allowed_ciphers() const override + { + // Allow CBC mode only in versions which don't support AEADs + if(m_version.supports_aead_modes() == false) + { + return { "AES-256", "AES-128" }; + } + + return Botan::TLS::Policy::allowed_ciphers(); + } + + bool allow_tls10() const override { return m_version == Botan::TLS::Protocol_Version::TLS_V10; } + bool allow_tls11() const override { return m_version == Botan::TLS::Protocol_Version::TLS_V11; } + bool allow_tls12() const override { return m_version == Botan::TLS::Protocol_Version::TLS_V12; } + + private: + Botan::TLS::Protocol_Version m_version; + }; + class TLS_Client final : public Command, public Botan::TLS::Callbacks { public: @@ -101,11 +126,6 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks policy.reset(new Botan::TLS::Text_Policy(policy_stream)); } - if(!policy) - { - policy.reset(new Botan::TLS::Policy); - } - if(transport != "tcp" && transport != "udp") { throw CLI_Usage_Error("Invalid transport type '" + transport + "' for TLS"); @@ -115,19 +135,35 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks const std::vector protocols_to_offer = Botan::split_on(next_protos, ','); - m_sockfd = connect_to_host(host, port, use_tcp); - - using namespace std::placeholders; - - auto version = policy->latest_supported_version(!use_tcp); + Botan::TLS::Protocol_Version version = + use_tcp ? Botan::TLS::Protocol_Version::TLS_V12 : Botan::TLS::Protocol_Version::DTLS_V12; if(flag_set("tls1.0")) { version = Botan::TLS::Protocol_Version::TLS_V10; + if(!policy) + policy.reset(new CLI_Policy(version)); } else if(flag_set("tls1.1")) { version = Botan::TLS::Protocol_Version::TLS_V11; + if(!policy) + policy.reset(new CLI_Policy(version)); + } + else if(flag_set("tls1.2")) + { + version = Botan::TLS::Protocol_Version::TLS_V12; + if(!policy) + policy.reset(new CLI_Policy(version)); + } + else if(!policy) + { + policy.reset(new Botan::TLS::Policy); + } + + if(policy->acceptable_protocol_version(version) == false) + { + throw CLI_Usage_Error("The policy specified does not allow the requested TLS version"); } struct sockaddr_storage addrbuf; @@ -139,6 +175,8 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks hostname = host; } + m_sockfd = connect_to_host(host, port, use_tcp); + Basic_Credentials_Manager creds(use_system_cert_store, trusted_CAs); Botan::TLS::Client client(*this, *session_mgr, creds, *policy, rng(), diff --git a/src/cli/tls_utils.cpp b/src/cli/tls_utils.cpp index 2429b5de6..16813c13a 100644 --- a/src/cli/tls_utils.cpp +++ b/src/cli/tls_utils.cpp @@ -55,8 +55,8 @@ class TLS_All_Policy final : public Botan::TLS::Policy return { "ECDSA", "RSA", "DSA" }; } - bool allow_tls10() const override { return false; } - bool allow_tls11() const override { return false; } + bool allow_tls10() const override { return true; } + bool allow_tls11() const override { return true; } bool allow_tls12() const override { return true; } }; @@ -138,6 +138,12 @@ class TLS_Ciphersuites final : public Command policy.reset(new Botan::TLS::Text_Policy(policy_txt)); } + if(policy->acceptable_protocol_version(version) == false) + { + error_output() << "Error: the policy specified does not allow the given TLS version\n"; + return; + } + for(uint16_t suite_id : policy->ciphersuite_list(version, with_srp)) { const Botan::TLS::Ciphersuite suite(Botan::TLS::Ciphersuite::by_id(suite_id)); -- cgit v1.2.3