Add version_suites option to ssl_server2

This commit is contained in:
Manuel Pégourié-Gonnard 2014-06-11 13:50:34 +02:00
parent 10c3c9fda8
commit 6dc0781aba

View File

@ -79,6 +79,7 @@
#define DFL_PSK_IDENTITY "Client_identity" #define DFL_PSK_IDENTITY "Client_identity"
#define DFL_PSK_LIST NULL #define DFL_PSK_LIST NULL
#define DFL_FORCE_CIPHER 0 #define DFL_FORCE_CIPHER 0
#define DFL_VERSION_SUITES NULL
#define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED #define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED
#define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION #define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION
#define DFL_RENEGOTIATE 0 #define DFL_RENEGOTIATE 0
@ -130,6 +131,7 @@ struct options
const char *psk_identity; /* the pre-shared key identity */ const char *psk_identity; /* the pre-shared key identity */
char *psk_list; /* list of PSK id/key pairs for callback */ char *psk_list; /* list of PSK id/key pairs for callback */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
const char *version_suites; /* per-version ciphersuites */
int renegotiation; /* enable / disable renegotiation */ int renegotiation; /* enable / disable renegotiation */
int allow_legacy; /* allow legacy renegotiation */ int allow_legacy; /* allow legacy renegotiation */
int renegotiate; /* attempt renegotiation? */ int renegotiate; /* attempt renegotiation? */
@ -296,6 +298,9 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
" force_version=%%s default: \"\" (none)\n" \ " force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2\n" \ " options: ssl3, tls1, tls1_1, tls1_2\n" \
"\n" \ "\n" \
" version_suites=a,b,c,d per-version ciphersuites\n" \
" in order from ssl3 to tls1_2\n" \
" default: all enabled\n" \
" force_ciphersuite=<name> default: all enabled\n" \ " force_ciphersuite=<name> default: all enabled\n" \
" acceptable ciphersuite names:\n" " acceptable ciphersuite names:\n"
@ -556,6 +561,7 @@ int main( int argc, char *argv[] )
int ret = 0, len, written, frags; int ret = 0, len, written, frags;
int listen_fd; int listen_fd;
int client_fd = -1; int client_fd = -1;
int version_suites[4][2];
unsigned char buf[SSL_MAX_CONTENT_LEN + 1]; unsigned char buf[SSL_MAX_CONTENT_LEN + 1];
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[MAX_PSK_LEN]; unsigned char psk[MAX_PSK_LEN];
@ -657,6 +663,7 @@ int main( int argc, char *argv[] )
opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_identity = DFL_PSK_IDENTITY;
opt.psk_list = DFL_PSK_LIST; opt.psk_list = DFL_PSK_LIST;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.version_suites = DFL_VERSION_SUITES;
opt.renegotiation = DFL_RENEGOTIATION; opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY; opt.allow_legacy = DFL_ALLOW_LEGACY;
opt.renegotiate = DFL_RENEGOTIATE; opt.renegotiate = DFL_RENEGOTIATE;
@ -732,6 +739,8 @@ int main( int argc, char *argv[] )
} }
opt.force_ciphersuite[1] = 0; opt.force_ciphersuite[1] = 0;
} }
else if( strcmp( p, "version_suites" ) == 0 )
opt.version_suites = q;
else if( strcmp( p, "renegotiation" ) == 0 ) else if( strcmp( p, "renegotiation" ) == 0 )
{ {
opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED : opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED :
@ -889,6 +898,47 @@ int main( int argc, char *argv[] )
opt.min_version = ciphersuite_info->min_minor_ver; opt.min_version = ciphersuite_info->min_minor_ver;
} }
if( opt.version_suites != NULL )
{
const char *name[4] = { 0 };
/* Parse 4-element coma-separated list */
for( i = 0, p = (char *) opt.version_suites;
i < 4 && *p != '\0';
i++ )
{
name[i] = p;
/* Terminate the current string and move on to next one */
while( *p != ',' && *p != '\0' )
p++;
if( *p == ',' )
*p++ = '\0';
}
if( i != 4 )
{
printf( "too few values for version_suites\n" );
ret = 1;
goto exit;
}
memset( version_suites, 0, sizeof( version_suites ) );
/* Get the suites identifiers from their name */
for( i = 0; i < 4; i++ )
{
version_suites[i][0] = ssl_get_ciphersuite_id( name[i] );
if( version_suites[i][0] == 0 )
{
printf( "unknown ciphersuite: '%s'\n", name[i] );
ret = 2;
goto usage;
}
}
}
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
/* /*
* Unhexify the pre-shared key and parse the list if any given * Unhexify the pre-shared key and parse the list if any given
@ -1189,6 +1239,22 @@ int main( int argc, char *argv[] )
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
if( opt.version_suites != NULL )
{
ssl_set_ciphersuites_for_version( &ssl, version_suites[0],
SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_0 );
ssl_set_ciphersuites_for_version( &ssl, version_suites[1],
SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1 );
ssl_set_ciphersuites_for_version( &ssl, version_suites[2],
SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_2 );
ssl_set_ciphersuites_for_version( &ssl, version_suites[3],
SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_3 );
}
ssl_set_renegotiation( &ssl, opt.renegotiation ); ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); ssl_legacy_renegotiation( &ssl, opt.allow_legacy );