--- embedaddon/strongswan/scripts/tls_test.c 2020/06/03 09:46:49 1.1
+++ embedaddon/strongswan/scripts/tls_test.c 2021/03/17 00:20:15 1.1.1.2
@@ -1,4 +1,8 @@
/*
+ * Copyright (C) 2020 Pascal Knecht
+ * Copyright (C) 2020 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
@@ -33,8 +37,28 @@
static void usage(FILE *out, char *cmd)
{
fprintf(out, "usage:\n");
- fprintf(out, " %s --connect
--port [--key ]+ [--times ]\n", cmd);
- fprintf(out, " %s --listen --port --key [--cert ]+ [--times ]\n", cmd);
+ fprintf(out, " %s --connect --port [--key ] [--cacert ]+ [--times ]\n", cmd);
+ fprintf(out, " %s --listen --port --key --cert [--cacert ]+ [--auth-optional] [--times ]\n", cmd);
+ fprintf(out, "\n");
+ fprintf(out, "options:\n");
+ fprintf(out, " --help print help and exit\n");
+ fprintf(out, " --connect connect to a server on dns name or ip address\n");
+ fprintf(out, " --listen listen on dns name or ip address\n");
+ fprintf(out, " --port specify the port to use\n");
+ fprintf(out, " --cert certificate to authenticate itself\n");
+ fprintf(out, " --key private key to authenticate itself\n");
+ fprintf(out, " --cacert certificate to verify other peer\n");
+ fprintf(out, " --auth-optional don't enforce client authentication\n");
+ fprintf(out, " --times specify the amount of repeated connection establishments\n");
+ fprintf(out, " --ipv4 use IPv4\n");
+ fprintf(out, " --ipv6 use IPv6\n");
+ fprintf(out, " --min-version specify the minimum TLS version, supported versions:\n");
+ fprintf(out, " 1.0 (default), 1.1, 1.2 and 1.3\n");
+ fprintf(out, " --max-version specify the maximum TLS version, supported versions:\n");
+ fprintf(out, " 1.0, 1.1, 1.2 and 1.3 (default)\n");
+ fprintf(out, " --version set one specific TLS version to use, supported versions:\n");
+ fprintf(out, " 1.0, 1.1, 1.2 and 1.3\n");
+ fprintf(out, " --debug set debug level, default is 1\n");
}
/**
@@ -85,14 +109,17 @@ static identification_t *find_client_id()
* Client routine
*/
static int run_client(host_t *host, identification_t *server,
- identification_t *client, int times, tls_cache_t *cache)
+ identification_t *client, int times, tls_cache_t *cache,
+ tls_version_t min_version, tls_version_t max_version,
+ tls_flag_t flags)
{
tls_socket_t *tls;
int fd, res;
while (times == -1 || times-- > 0)
{
- fd = socket(AF_INET, SOCK_STREAM, 0);
+ DBG2(DBG_TLS, "connecting to %#H", host);
+ fd = socket(host->get_family(host), SOCK_STREAM, 0);
if (fd == -1)
{
DBG1(DBG_TLS, "opening socket failed: %s", strerror(errno));
@@ -105,7 +132,8 @@ static int run_client(host_t *host, identification_t *
close(fd);
return 1;
}
- tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE);
+ tls = tls_socket_create(FALSE, server, client, fd, cache, min_version,
+ max_version, flags);
if (!tls)
{
close(fd);
@@ -125,8 +153,9 @@ static int run_client(host_t *host, identification_t *
/**
* Server routine
*/
-static int serve(host_t *host, identification_t *server,
- int times, tls_cache_t *cache)
+static int serve(host_t *host, identification_t *server, identification_t *client,
+ int times, tls_cache_t *cache, tls_version_t min_version,
+ tls_version_t max_version, tls_flag_t flags)
{
tls_socket_t *tls;
int fd, cfd;
@@ -162,7 +191,8 @@ static int serve(host_t *host, identification_t *serve
}
DBG1(DBG_TLS, "%#H connected", host);
- tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
+ tls = tls_socket_create(TRUE, server, client, cfd, cache, min_version,
+ max_version, flags);
if (!tls)
{
close(fd);
@@ -207,8 +237,8 @@ static bool load_key(char *filename)
{
private_key_t *key;
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_FROM_FILE, filename, BUILD_END);
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+ BUILD_FROM_FILE, filename, BUILD_END);
if (!key)
{
DBG1(DBG_TLS, "loading key from '%s' failed", filename);
@@ -251,11 +281,14 @@ static void cleanup()
*/
static void init()
{
+ char *plugins;
+
library_init(NULL, "tls_test");
dbg = dbg_tls;
- lib->plugins->load(lib->plugins, PLUGINS);
+ plugins = getenv("PLUGINS") ?: PLUGINS;
+ lib->plugins->load(lib->plugins, plugins);
creds = mem_cred_create();
lib->credmgr->add_set(lib->credmgr, &creds->set);
@@ -267,8 +300,10 @@ int main(int argc, char *argv[])
{
char *address = NULL;
bool listen = FALSE;
- int port = 0, times = -1, res;
- identification_t *server, *client;
+ int port = 0, times = -1, res, family = AF_UNSPEC;
+ identification_t *server, *client = NULL;
+ tls_version_t min_version = TLS_SUPPORTED_MIN, max_version = TLS_SUPPORTED_MAX;
+ tls_flag_t flags = TLS_FLAG_ENCRYPTION_OPTIONAL;
tls_cache_t *cache;
host_t *host;
@@ -277,14 +312,21 @@ int main(int argc, char *argv[])
while (TRUE)
{
struct option long_opts[] = {
- {"help", no_argument, NULL, 'h' },
- {"connect", required_argument, NULL, 'c' },
- {"listen", required_argument, NULL, 'l' },
- {"port", required_argument, NULL, 'p' },
- {"cert", required_argument, NULL, 'x' },
- {"key", required_argument, NULL, 'k' },
- {"times", required_argument, NULL, 't' },
- {"debug", required_argument, NULL, 'd' },
+ {"help", no_argument, NULL, 'h' },
+ {"connect", required_argument, NULL, 'c' },
+ {"listen", required_argument, NULL, 'l' },
+ {"port", required_argument, NULL, 'p' },
+ {"cert", required_argument, NULL, 'x' },
+ {"key", required_argument, NULL, 'k' },
+ {"cacert", required_argument, NULL, 'f' },
+ {"times", required_argument, NULL, 't' },
+ {"ipv4", no_argument, NULL, '4' },
+ {"ipv6", no_argument, NULL, '6' },
+ {"min-version", required_argument, NULL, 'm' },
+ {"max-version", required_argument, NULL, 'M' },
+ {"version", required_argument, NULL, 'v' },
+ {"auth-optional", no_argument, NULL, 'n' },
+ {"debug", required_argument, NULL, 'd' },
{0,0,0,0 }
};
switch (getopt_long(argc, argv, "", long_opts, NULL))
@@ -306,6 +348,13 @@ int main(int argc, char *argv[])
return 1;
}
continue;
+ case 'f':
+ if (!load_certificate(optarg))
+ {
+ return 1;
+ }
+ client = identification_create_from_encoding(ID_ANY, chunk_empty);
+ continue;
case 'l':
listen = TRUE;
/* fall */
@@ -326,6 +375,40 @@ int main(int argc, char *argv[])
case 'd':
tls_level = atoi(optarg);
continue;
+ case '4':
+ family = AF_INET;
+ continue;
+ case '6':
+ family = AF_INET6;
+ continue;
+ case 'm':
+ if (!enum_from_name(tls_numeric_version_names, optarg,
+ &min_version))
+ {
+ fprintf(stderr, "unknown minimum TLS version: %s\n", optarg);
+ return 1;
+ }
+ continue;
+ case 'M':
+ if (!enum_from_name(tls_numeric_version_names, optarg,
+ &max_version))
+ {
+ fprintf(stderr, "unknown maximum TLS version: %s\n", optarg);
+ return 1;
+ }
+ continue;
+ case 'v':
+ if (!enum_from_name(tls_numeric_version_names, optarg,
+ &min_version))
+ {
+ fprintf(stderr, "unknown TLS version: %s\n", optarg);
+ return 1;
+ }
+ max_version = min_version;
+ continue;
+ case 'n':
+ flags |= TLS_FLAG_CLIENT_AUTH_OPTIONAL;
+ continue;
default:
usage(stderr, argv[0]);
return 1;
@@ -337,7 +420,7 @@ int main(int argc, char *argv[])
usage(stderr, argv[0]);
return 1;
}
- host = host_create_from_dns(address, 0, port);
+ host = host_create_from_dns(address, family, port);
if (!host)
{
DBG1(DBG_TLS, "resolving hostname %s failed", address);
@@ -347,12 +430,15 @@ int main(int argc, char *argv[])
cache = tls_cache_create(100, 30);
if (listen)
{
- res = serve(host, server, times, cache);
+ res = serve(host, server, client, times, cache, min_version,
+ max_version, flags);
}
else
{
+ DESTROY_IF(client);
client = find_client_id();
- res = run_client(host, server, client, times, cache);
+ res = run_client(host, server, client, times, cache, min_version,
+ max_version, flags);
DESTROY_IF(client);
}
cache->destroy(cache);