version 1.1, 2020/06/03 09:46:49
|
version 1.1.1.2, 2021/03/17 00:20:15
|
Line 1
|
Line 1
|
/* |
/* |
|
* Copyright (C) 2020 Pascal Knecht |
|
* Copyright (C) 2020 Tobias Brunner |
|
* HSR Hochschule fuer Technik Rapperswil |
|
* |
* Copyright (C) 2010 Martin Willi |
* Copyright (C) 2010 Martin Willi |
* Copyright (C) 2010 revosec AG |
* Copyright (C) 2010 revosec AG |
* |
* |
Line 33
|
Line 37
|
static void usage(FILE *out, char *cmd) |
static void usage(FILE *out, char *cmd) |
{ |
{ |
fprintf(out, "usage:\n"); |
fprintf(out, "usage:\n"); |
fprintf(out, " %s --connect <address> --port <port> [--key <key] [--cert <file>]+ [--times <n>]\n", cmd); | fprintf(out, " %s --connect <address> --port <port> [--key <key] [--cert <file>] [--cacert <file>]+ [--times <n>]\n", cmd); |
fprintf(out, " %s --listen <address> --port <port> --key <key> [--cert <file>]+ [--times <n>]\n", cmd); | fprintf(out, " %s --listen <address> --port <port> --key <key> --cert <file> [--cacert <file>]+ [--auth-optional] [--times <n>]\n", cmd); |
| fprintf(out, "\n"); |
| fprintf(out, "options:\n"); |
| fprintf(out, " --help print help and exit\n"); |
| fprintf(out, " --connect <address> connect to a server on dns name or ip address\n"); |
| fprintf(out, " --listen <address> listen on dns name or ip address\n"); |
| fprintf(out, " --port <port> specify the port to use\n"); |
| fprintf(out, " --cert <file> certificate to authenticate itself\n"); |
| fprintf(out, " --key <file> private key to authenticate itself\n"); |
| fprintf(out, " --cacert <file> certificate to verify other peer\n"); |
| fprintf(out, " --auth-optional don't enforce client authentication\n"); |
| fprintf(out, " --times <n> specify the amount of repeated connection establishments\n"); |
| fprintf(out, " --ipv4 use IPv4\n"); |
| fprintf(out, " --ipv6 use IPv6\n"); |
| fprintf(out, " --min-version <version> specify the minimum TLS version, supported versions:\n"); |
| fprintf(out, " 1.0 (default), 1.1, 1.2 and 1.3\n"); |
| fprintf(out, " --max-version <version> specify the maximum TLS version, supported versions:\n"); |
| fprintf(out, " 1.0, 1.1, 1.2 and 1.3 (default)\n"); |
| fprintf(out, " --version <version> set one specific TLS version to use, supported versions:\n"); |
| fprintf(out, " 1.0, 1.1, 1.2 and 1.3\n"); |
| fprintf(out, " --debug <debug level> set debug level, default is 1\n"); |
} |
} |
|
|
/** |
/** |
Line 85 static identification_t *find_client_id()
|
Line 109 static identification_t *find_client_id()
|
* Client routine |
* Client routine |
*/ |
*/ |
static int run_client(host_t *host, identification_t *server, |
static int run_client(host_t *host, identification_t *server, |
identification_t *client, int times, tls_cache_t *cache) | identification_t *client, int times, tls_cache_t *cache, |
| tls_version_t min_version, tls_version_t max_version, |
| tls_flag_t flags) |
{ |
{ |
tls_socket_t *tls; |
tls_socket_t *tls; |
int fd, res; |
int fd, res; |
|
|
while (times == -1 || times-- > 0) |
while (times == -1 || times-- > 0) |
{ |
{ |
fd = socket(AF_INET, SOCK_STREAM, 0); | DBG2(DBG_TLS, "connecting to %#H", host); |
| fd = socket(host->get_family(host), SOCK_STREAM, 0); |
if (fd == -1) |
if (fd == -1) |
{ |
{ |
DBG1(DBG_TLS, "opening socket failed: %s", strerror(errno)); |
DBG1(DBG_TLS, "opening socket failed: %s", strerror(errno)); |
Line 105 static int run_client(host_t *host, identification_t *
|
Line 132 static int run_client(host_t *host, identification_t *
|
close(fd); |
close(fd); |
return 1; |
return 1; |
} |
} |
tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE); | tls = tls_socket_create(FALSE, server, client, fd, cache, min_version, |
| max_version, flags); |
if (!tls) |
if (!tls) |
{ |
{ |
close(fd); |
close(fd); |
Line 125 static int run_client(host_t *host, identification_t *
|
Line 153 static int run_client(host_t *host, identification_t *
|
/** |
/** |
* Server routine |
* Server routine |
*/ |
*/ |
static int serve(host_t *host, identification_t *server, | static int serve(host_t *host, identification_t *server, identification_t *client, |
int times, tls_cache_t *cache) | int times, tls_cache_t *cache, tls_version_t min_version, |
| tls_version_t max_version, tls_flag_t flags) |
{ |
{ |
tls_socket_t *tls; |
tls_socket_t *tls; |
int fd, cfd; |
int fd, cfd; |
Line 162 static int serve(host_t *host, identification_t *serve
|
Line 191 static int serve(host_t *host, identification_t *serve
|
} |
} |
DBG1(DBG_TLS, "%#H connected", host); |
DBG1(DBG_TLS, "%#H connected", host); |
|
|
tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE); | tls = tls_socket_create(TRUE, server, client, cfd, cache, min_version, |
| max_version, flags); |
if (!tls) |
if (!tls) |
{ |
{ |
close(fd); |
close(fd); |
Line 207 static bool load_key(char *filename)
|
Line 237 static bool load_key(char *filename)
|
{ |
{ |
private_key_t *key; |
private_key_t *key; |
|
|
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, | key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, |
BUILD_FROM_FILE, filename, BUILD_END); | BUILD_FROM_FILE, filename, BUILD_END); |
if (!key) |
if (!key) |
{ |
{ |
DBG1(DBG_TLS, "loading key from '%s' failed", filename); |
DBG1(DBG_TLS, "loading key from '%s' failed", filename); |
Line 251 static void cleanup()
|
Line 281 static void cleanup()
|
*/ |
*/ |
static void init() |
static void init() |
{ |
{ |
|
char *plugins; |
|
|
library_init(NULL, "tls_test"); |
library_init(NULL, "tls_test"); |
|
|
dbg = dbg_tls; |
dbg = dbg_tls; |
|
|
lib->plugins->load(lib->plugins, PLUGINS); | plugins = getenv("PLUGINS") ?: PLUGINS; |
| lib->plugins->load(lib->plugins, plugins); |
|
|
creds = mem_cred_create(); |
creds = mem_cred_create(); |
lib->credmgr->add_set(lib->credmgr, &creds->set); |
lib->credmgr->add_set(lib->credmgr, &creds->set); |
Line 267 int main(int argc, char *argv[])
|
Line 300 int main(int argc, char *argv[])
|
{ |
{ |
char *address = NULL; |
char *address = NULL; |
bool listen = FALSE; |
bool listen = FALSE; |
int port = 0, times = -1, res; | int port = 0, times = -1, res, family = AF_UNSPEC; |
identification_t *server, *client; | identification_t *server, *client = NULL; |
| tls_version_t min_version = TLS_SUPPORTED_MIN, max_version = TLS_SUPPORTED_MAX; |
| tls_flag_t flags = TLS_FLAG_ENCRYPTION_OPTIONAL; |
tls_cache_t *cache; |
tls_cache_t *cache; |
host_t *host; |
host_t *host; |
|
|
Line 277 int main(int argc, char *argv[])
|
Line 312 int main(int argc, char *argv[])
|
while (TRUE) |
while (TRUE) |
{ |
{ |
struct option long_opts[] = { |
struct option long_opts[] = { |
{"help", no_argument, NULL, 'h' }, | {"help", no_argument, NULL, 'h' }, |
{"connect", required_argument, NULL, 'c' }, | {"connect", required_argument, NULL, 'c' }, |
{"listen", required_argument, NULL, 'l' }, | {"listen", required_argument, NULL, 'l' }, |
{"port", required_argument, NULL, 'p' }, | {"port", required_argument, NULL, 'p' }, |
{"cert", required_argument, NULL, 'x' }, | {"cert", required_argument, NULL, 'x' }, |
{"key", required_argument, NULL, 'k' }, | {"key", required_argument, NULL, 'k' }, |
{"times", required_argument, NULL, 't' }, | {"cacert", required_argument, NULL, 'f' }, |
{"debug", required_argument, NULL, 'd' }, | {"times", required_argument, NULL, 't' }, |
| {"ipv4", no_argument, NULL, '4' }, |
| {"ipv6", no_argument, NULL, '6' }, |
| {"min-version", required_argument, NULL, 'm' }, |
| {"max-version", required_argument, NULL, 'M' }, |
| {"version", required_argument, NULL, 'v' }, |
| {"auth-optional", no_argument, NULL, 'n' }, |
| {"debug", required_argument, NULL, 'd' }, |
{0,0,0,0 } |
{0,0,0,0 } |
}; |
}; |
switch (getopt_long(argc, argv, "", long_opts, NULL)) |
switch (getopt_long(argc, argv, "", long_opts, NULL)) |
Line 306 int main(int argc, char *argv[])
|
Line 348 int main(int argc, char *argv[])
|
return 1; |
return 1; |
} |
} |
continue; |
continue; |
|
case 'f': |
|
if (!load_certificate(optarg)) |
|
{ |
|
return 1; |
|
} |
|
client = identification_create_from_encoding(ID_ANY, chunk_empty); |
|
continue; |
case 'l': |
case 'l': |
listen = TRUE; |
listen = TRUE; |
/* fall */ |
/* fall */ |
Line 326 int main(int argc, char *argv[])
|
Line 375 int main(int argc, char *argv[])
|
case 'd': |
case 'd': |
tls_level = atoi(optarg); |
tls_level = atoi(optarg); |
continue; |
continue; |
|
case '4': |
|
family = AF_INET; |
|
continue; |
|
case '6': |
|
family = AF_INET6; |
|
continue; |
|
case 'm': |
|
if (!enum_from_name(tls_numeric_version_names, optarg, |
|
&min_version)) |
|
{ |
|
fprintf(stderr, "unknown minimum TLS version: %s\n", optarg); |
|
return 1; |
|
} |
|
continue; |
|
case 'M': |
|
if (!enum_from_name(tls_numeric_version_names, optarg, |
|
&max_version)) |
|
{ |
|
fprintf(stderr, "unknown maximum TLS version: %s\n", optarg); |
|
return 1; |
|
} |
|
continue; |
|
case 'v': |
|
if (!enum_from_name(tls_numeric_version_names, optarg, |
|
&min_version)) |
|
{ |
|
fprintf(stderr, "unknown TLS version: %s\n", optarg); |
|
return 1; |
|
} |
|
max_version = min_version; |
|
continue; |
|
case 'n': |
|
flags |= TLS_FLAG_CLIENT_AUTH_OPTIONAL; |
|
continue; |
default: |
default: |
usage(stderr, argv[0]); |
usage(stderr, argv[0]); |
return 1; |
return 1; |
Line 337 int main(int argc, char *argv[])
|
Line 420 int main(int argc, char *argv[])
|
usage(stderr, argv[0]); |
usage(stderr, argv[0]); |
return 1; |
return 1; |
} |
} |
host = host_create_from_dns(address, 0, port); | host = host_create_from_dns(address, family, port); |
if (!host) |
if (!host) |
{ |
{ |
DBG1(DBG_TLS, "resolving hostname %s failed", address); |
DBG1(DBG_TLS, "resolving hostname %s failed", address); |
Line 347 int main(int argc, char *argv[])
|
Line 430 int main(int argc, char *argv[])
|
cache = tls_cache_create(100, 30); |
cache = tls_cache_create(100, 30); |
if (listen) |
if (listen) |
{ |
{ |
res = serve(host, server, times, cache); | res = serve(host, server, client, times, cache, min_version, |
| max_version, flags); |
} |
} |
else |
else |
{ |
{ |
|
DESTROY_IF(client); |
client = find_client_id(); |
client = find_client_id(); |
res = run_client(host, server, client, times, cache); | res = run_client(host, server, client, times, cache, min_version, |
| max_version, flags); |
DESTROY_IF(client); |
DESTROY_IF(client); |
} |
} |
cache->destroy(cache); |
cache->destroy(cache); |