1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
/*
* (C) 2016 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include "cli.h"
#if defined(BOTAN_HAS_TLS)
#include <botan/tls_policy.h>
#include <botan/tls_version.h>
namespace Botan_CLI {
class TLS_All_Policy : public Botan::TLS::Policy
{
public:
std::vector<std::string> allowed_ciphers() const override
{
return std::vector<std::string>{
"ChaCha20Poly1305",
"AES-256/OCB(12)",
"AES-128/OCB(12)",
"AES-256/GCM",
"AES-128/GCM",
"AES-256/CCM",
"AES-128/CCM",
"AES-256/CCM(8)",
"AES-128/CCM(8)",
"Camellia-256/GCM",
"Camellia-128/GCM",
"AES-256",
"AES-128",
"Camellia-256",
"Camellia-128",
"SEED"
"3DES"
};
}
std::vector<std::string> allowed_key_exchange_methods() const override
{
return { "SRP_SHA", "ECDHE_PSK", "DHE_PSK", "PSK",
"CECPQ1", "ECDH", "DH", "RSA" };
}
std::vector<std::string> allowed_signature_methods() const override
{
return { "ECDSA", "RSA", "DSA" };
};
};
class TLS_Ciphersuites final : public Command
{
public:
TLS_Ciphersuites() : Command("tls_ciphers --policy=default --version=tls1.2") {}
static Botan::TLS::Protocol_Version::Version_Code tls_version_from_str(const std::string& str)
{
if(str == "tls1.2" || str == "TLS1.2" || str == "TLS-1.2")
return Botan::TLS::Protocol_Version::TLS_V12;
else if(str == "tls1.1" || str == "TLS1.1" || str == "TLS-1.1")
return Botan::TLS::Protocol_Version::TLS_V11;
else if(str == "tls1.0" || str == "TLS1.1" || str == "TLS-1.1")
return Botan::TLS::Protocol_Version::TLS_V10;
if(str == "dtls1.2" || str == "DTLS1.2" || str == "DTLS-1.2")
return Botan::TLS::Protocol_Version::DTLS_V12;
else if(str == "dtls1.0" || str == "DTLS1.0" || str == "DTLS-1.0")
return Botan::TLS::Protocol_Version::DTLS_V10;
else
throw CLI_Error("Unknown TLS version '" + str + "'");
}
void go() override
{
const std::string policy_type = get_arg("policy");
const Botan::TLS::Protocol_Version version(tls_version_from_str(get_arg("version")));
const bool with_srp = false; // fixme
std::unique_ptr<Botan::TLS::Policy> policy;
if(policy_type == "default")
{
policy.reset(new Botan::TLS::Policy);
}
else if(policy_type == "suiteb")
{
policy.reset(new Botan::TLS::NSA_Suite_B_128);
}
else if(policy_type == "strict")
{
policy.reset(new Botan::TLS::Strict_Policy);
}
else if(policy_type == "all")
{
policy.reset(new TLS_All_Policy);
}
else
{
std::ifstream policy_file(policy_type);
if(!policy_file.good())
{
throw CLI_Error("Error TLS policy '" + policy_type +
"' is neither a file nor a known policy type");
}
policy.reset(new Botan::TLS::Text_Policy(policy_file));
}
for(uint16_t suite_id : policy->ciphersuite_list(version, with_srp))
{
const Botan::TLS::Ciphersuite suite(Botan::TLS::Ciphersuite::by_id(suite_id));
output() << suite.to_string() << "\n";
}
}
};
BOTAN_REGISTER_COMMAND("tls_ciphers", TLS_Ciphersuites);
}
#endif
|