--- embedaddon/strongswan/scripts/tls_test.c 2020/06/03 09:46:49 1.1.1.1
+++ embedaddon/strongswan/scripts/tls_test.c 2021/03/17 00:20:15 1.1.1.2
@@ -1,4 +1,8 @@
 /*
+ * Copyright (C) 2020 Pascal Knecht
+ * Copyright (C) 2020 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
 *
@@ -33,8 +37,28 @@ static void usage(FILE *out, char *cmd)
 {
 fprintf(out, "usage:\n");
- fprintf(out, " %s --connect
--port [--key ]+ [--times ]\n", cmd);
- fprintf(out, " %s --listen
--port --key [--cert ]+ [--times ]\n", cmd);
+ fprintf(out, " %s --connect
--port [--key ] [--cacert ]+ [--times ]\n", cmd);
+ fprintf(out, " %s --listen
--port --key --cert [--cacert ]+ [--auth-optional] [--times ]\n", cmd);
+ fprintf(out, "\n");
+ fprintf(out, "options:\n");
+ fprintf(out, " --help print help and exit\n");
+ fprintf(out, " --connect
connect to a server on dns name or ip address\n");
+ fprintf(out, " --listen
listen on dns name or ip address\n");
+ fprintf(out, " --port specify the port to use\n");
+ fprintf(out, " --cert certificate to authenticate itself\n");
+ fprintf(out, " --key private key to authenticate itself\n");
+ fprintf(out, " --cacert certificate to verify other peer\n");
+ fprintf(out, " --auth-optional don't enforce client authentication\n");
+ fprintf(out, " --times specify the amount of repeated connection establishments\n");
+ fprintf(out, " --ipv4 use IPv4\n");
+ fprintf(out, " --ipv6 use IPv6\n");
+ fprintf(out, " --min-version specify the minimum TLS version, supported versions:\n");
+ fprintf(out, " 1.0 (default), 1.1, 1.2 and 1.3\n");
+ fprintf(out, " --max-version specify the maximum TLS version, supported versions:\n");
+ fprintf(out, " 1.0, 1.1, 1.2 and 1.3 (default)\n");
+ fprintf(out, " --version set one specific TLS version to use, supported versions:\n");
+ fprintf(out, " 1.0, 1.1, 1.2 and 1.3\n");
+ fprintf(out, " --debug set debug level, default is 1\n");
 }
 /**
@@ -85,14 +109,17 @@ static identification_t *find_client_id()
 * Client routine
 */
 static int run_client(host_t *host, identification_t *server,
- identification_t *client, int times, tls_cache_t *cache)
+ identification_t *client, int times, tls_cache_t *cache,
+ tls_version_t min_version, tls_version_t max_version,
+ tls_flag_t flags)
 {
 tls_socket_t *tls;
 int fd, res;
 while (times == -1 || times-- > 0)
 {
- fd = socket(AF_INET, SOCK_STREAM, 0);
+ DBG2(DBG_TLS, "connecting to %#H", host);
+ fd = socket(host->get_family(host), SOCK_STREAM, 0);
 if (fd == -1)
 {
 DBG1(DBG_TLS, "opening socket failed: %s", strerror(errno));
@@ -105,7 +132,8 @@ static int run_client(host_t *host, identification_t *
 close(fd);
 return 1;
 }
- tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE);
+ tls = tls_socket_create(FALSE, server, client, fd, cache, min_version,
+ max_version, flags);
 if (!tls)
 {
 close(fd);
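Review bot: The new `--cacert` and `--auth-optional` help lines do not say what the combination controls on the listening side: judging by the later `case 'f'` hunk, giving `--cacert` to `--listen` also creates the ID_ANY client identity that is handed to serve(), which appears to be what makes the server request a client certificate at all, and `--auth-optional` only relaxes that. If that reading of serve() is right (its body is outside this hunk), the two lines could read `fprintf(out, "  --cacert         certificate to verify other peer (with --listen: also request a client certificate)\n");` and `fprintf(out, "  --auth-optional  don't enforce client authentication (only meaningful with --cacert)\n");`. The `PLUGINS` environment override added in init() further down is not listed here either.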
@@ -125,8 +153,9 @@ static int run_client(host_t *host, identification_t *
 /**
 * Server routine
 */
-static int serve(host_t *host, identification_t *server,
- int times, tls_cache_t *cache)
+static int serve(host_t *host, identification_t *server, identification_t *client,
+ int times, tls_cache_t *cache, tls_version_t min_version,
+ tls_version_t max_version, tls_flag_t flags)
 {
 tls_socket_t *tls;
 int fd, cfd;
@@ -162,7 +191,8 @@ static int serve(host_t *host, identification_t *serve
 }
 DBG1(DBG_TLS, "%#H connected", host);
- tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
+ tls = tls_socket_create(TRUE, server, client, cfd, cache, min_version,
+ max_version, flags);
 if (!tls)
 {
 close(fd);
@@ -207,8 +237,8 @@ static bool load_key(char *filename)
 {
 private_key_t *key;
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_FROM_FILE, filename, BUILD_END);
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+ BUILD_FROM_FILE, filename, BUILD_END);
 if (!key)
 {
 DBG1(DBG_TLS, "loading key from '%s' failed", filename);
@@ -251,11 +281,14 @@ static void cleanup()
 */
 static void init()
 {
+ char *plugins;
+
 library_init(NULL, "tls_test");
 dbg = dbg_tls;
- lib->plugins->load(lib->plugins, PLUGINS);
+ plugins = getenv("PLUGINS") ?: PLUGINS;
+ lib->plugins->load(lib->plugins, plugins);
 creds = mem_cred_create();
 lib->credmgr->add_set(lib->credmgr, &creds->set);
@@ -267,8 +300,10 @@ int main(int argc, char *argv[])
 {
 char *address = NULL;
 bool listen = FALSE;
- int port = 0, times = -1, res;
- identification_t *server, *client;
+ int port = 0, times = -1, res, family = AF_UNSPEC;
+ identification_t *server, *client = NULL;
+ tls_version_t min_version = TLS_SUPPORTED_MIN, max_version = TLS_SUPPORTED_MAX;
+ tls_flag_t flags = TLS_FLAG_ENCRYPTION_OPTIONAL;
 tls_cache_t *cache;
 host_t *host;
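Review bot: `plugins = getenv("PLUGINS") ?: PLUGINS;` in init() lets the environment silently replace the compiled-in plugin list, and the loaded plugins decide which TLS versions and cipher suites the tool can actually negotiate, so a run under an unexpected `PLUGINS` value tests something other than what the command line suggests. A comment above the assignment, `/* the PLUGINS environment variable overrides the built-in plugin list (testing only) */`, plus a line in usage() would make the override discoverable. `?:` is a GNU extension; fine if the rest of the tree already relies on it.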
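Review bot: `tls_flag_t flags = TLS_FLAG_ENCRYPTION_OPTIONAL;` in main() is the unconditional default and none of the option-parsing hunks ever clears it, so if the flag means what its name says — that suites without encryption may be offered or accepted — every run of the tool carries that relaxation and a NULL-cipher negotiation would pass unnoticed. Either document why a test client/server wants this by default, e.g. `/* allow suites without encryption, as used for EAP-TLS style tests */`, or expose it as an explicit option and default `flags` to `0`. What the flag does inside tls_socket_create() is outside the hunk.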
@@ -277,14 +312,21 @@ int main(int argc, char *argv[])
 while (TRUE)
 {
 struct option long_opts[] = {
- {"help", no_argument, NULL, 'h' },
- {"connect", required_argument, NULL, 'c' },
- {"listen", required_argument, NULL, 'l' },
- {"port", required_argument, NULL, 'p' },
- {"cert", required_argument, NULL, 'x' },
- {"key", required_argument, NULL, 'k' },
- {"times", required_argument, NULL, 't' },
- {"debug", required_argument, NULL, 'd' },
+ {"help", no_argument, NULL, 'h' },
+ {"connect", required_argument, NULL, 'c' },
+ {"listen", required_argument, NULL, 'l' },
+ {"port", required_argument, NULL, 'p' },
+ {"cert", required_argument, NULL, 'x' },
+ {"key", required_argument, NULL, 'k' },
+ {"cacert", required_argument, NULL, 'f' },
+ {"times", required_argument, NULL, 't' },
+ {"ipv4", no_argument, NULL, '4' },
+ {"ipv6", no_argument, NULL, '6' },
+ {"min-version", required_argument, NULL, 'm' },
+ {"max-version", required_argument, NULL, 'M' },
+ {"version", required_argument, NULL, 'v' },
+ {"auth-optional", no_argument, NULL, 'n' },
+ {"debug", required_argument, NULL, 'd' },
 {0,0,0,0 }
 };
 switch (getopt_long(argc, argv, "", long_opts, NULL))
@@ -306,6 +348,13 @@ int main(int argc, char *argv[])
 return 1;
 }
 continue;
+ case 'f':
+ if (!load_certificate(optarg))
+ {
+ return 1;
+ }
+ client = identification_create_from_encoding(ID_ANY, chunk_empty);
+ continue;
 case 'l':
 listen = TRUE;
 /* fall */
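Review bot: `client = identification_create_from_encoding(ID_ANY, chunk_empty);` in `case 'f'` overwrites the previous identity without releasing it, and usage() advertises `[--cacert ]+` as repeatable, so every additional `--cacert` leaks one identification_t. Creating it once is enough: `if (!client) { client = identification_create_from_encoding(ID_ANY, chunk_empty); }`, or put `DESTROY_IF(client);` directly before the assignment. A short comment saying why a CA certificate produces a client identity here (presumably to make serve() request client authentication) would also help the next reader, since the option name does not suggest it.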
@@ -326,6 +375,40 @@ int main(int argc, char *argv[])
 case 'd':
 tls_level = atoi(optarg);
 continue;
+ case '4':
+ family = AF_INET;
+ continue;
+ case '6':
+ family = AF_INET6;
+ continue;
+ case 'm':
+ if (!enum_from_name(tls_numeric_version_names, optarg,
+ &min_version))
+ {
+ fprintf(stderr, "unknown minimum TLS version: %s\n", optarg);
+ return 1;
+ }
+ continue;
+ case 'M':
+ if (!enum_from_name(tls_numeric_version_names, optarg,
+ &max_version))
+ {
+ fprintf(stderr, "unknown maximum TLS version: %s\n", optarg);
+ return 1;
+ }
+ continue;
+ case 'v':
+ if (!enum_from_name(tls_numeric_version_names, optarg,
+ &min_version))
+ {
+ fprintf(stderr, "unknown TLS version: %s\n", optarg);
+ return 1;
+ }
+ max_version = min_version;
+ continue;
+ case 'n':
+ flags |= TLS_FLAG_CLIENT_AUTH_OPTIONAL;
+ continue;
 default:
 usage(stderr, argv[0]);
 return 1;
@@ -337,7 +420,7 @@ int main(int argc, char *argv[])
 usage(stderr, argv[0]);
 return 1;
 }
- host = host_create_from_dns(address, 0, port);
+ host = host_create_from_dns(address, family, port);
 if (!host)
 {
 DBG1(DBG_TLS, "resolving hostname %s failed", address);
@@ -347,12 +430,15 @@ int main(int argc, char *argv[])
 cache = tls_cache_create(100, 30);
 if (listen)
 {
- res = serve(host, server, times, cache);
+ res = serve(host, server, client, times, cache, min_version,
+ max_version, flags);
 }
 else
 {
+ DESTROY_IF(client);
 client = find_client_id();
- res = run_client(host, server, client, times, cache);
+ res = run_client(host, server, client, times, cache, min_version,
+ max_version, flags);
 DESTROY_IF(client);
 }
 cache->destroy(cache);
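Review bot: The `case 'm'` and `case 'M'` branches accept `--min-version` and `--max-version` independently and nothing after the option loop checks that the minimum does not exceed the maximum, so `--min-version 1.3 --max-version 1.0` is handed to tls_socket_create() as-is; whether that call rejects the range is outside the hunk. A check once parsing is done, `if (min_version > max_version) { fprintf(stderr, "minimum TLS version exceeds maximum\n"); return 1; }`, gives the user a clear error instead of a handshake failure, assuming tls_version_t values are ordered by version. `--version` also silently replaces whichever of the other two options came before it, which the help text could say.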
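Review bot: In the `if (listen)` branch the `client` identity created by `--cacert` is passed to serve() but not destroyed afterwards; only the else branch has `DESTROY_IF(client);` after run_client(). Unless it is released further down in main(), past `cache->destroy(cache);` and outside the hunk, the server path leaks it. Moving that final `DESTROY_IF(client);` to just after the if/else closes the leak for both paths, since the client branch would still destroy its find_client_id() result there and the macro tolerates NULL.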