tls.py: add support for requiring cert in PHA

tomato42 · tomato42 · commit 114cdd518746 · 2019-11-26T20:22:22.000+01:00
diff --git a/scripts/tls.py b/scripts/tls.py
@@ -79,7 +79,7 @@ def printUsage(s=None):
     [-c CERT] [-k KEY] [-t TACK] [-v VERIFIERDB] [-d DIR] [-l LABEL] [-L LENGTH]
     [--reqcert] [--param DHFILE] [--psk PSK] [--psk-ident IDENTITY]
     [--psk-sha384] [--ssl3] [--max-ver VER] [--tickets COUNT] [--cipherlist]
-    [--request-pha]
+    [--request-pha] [--require-pha]
     HOST:PORT
 
   client
@@ -103,6 +103,9 @@ def printUsage(s=None):
                     finished
   --cipherlist - comma separated ciphers to enable. For ex. aes128ccm,3des
                  You can specify this option multiple times.
+  --request-pha - ask client for post-handshake authentication
+  --require-pha - abort connection if client didn't provide certificate in
+                  post-handshake authentication
   CERT, KEY - the file with key and certificates that will be used by client or
         server. The server can accept multiple pairs of `-c` and `-k` options
         to configure different certificates (like RSA and ECDSA)
@@ -161,6 +164,7 @@ def handleArgs(argv, argString, flagsList=[]):
     tickets = None
     ciphers = []
     request_pha = False
+    require_pha = False
 
     for opt, arg in opts:
         if opt == "-k":
@@ -236,6 +240,8 @@ def handleArgs(argv, argString, flagsList=[]):
             ciphers.append(arg)
         elif opt == "--request-pha":
             request_pha = True
+        elif opt == "--require-pha":
+            require_pha = True
         else:
             assert(False)
 
@@ -300,6 +306,8 @@ def handleArgs(argv, argString, flagsList=[]):
         retList.append(ciphers)
     if "request-pha" in flagsList:
         retList.append(request_pha)
+    if "require-pha" in flagsList:
+        retList.append(require_pha)
     return retList
 
 
@@ -500,11 +508,11 @@ def serverCmd(argv):
     (address, privateKey, cert_chain, virtual_hosts, tacks, verifierDB,
             directory, reqCert,
             expLabel, expLength, dhparam, psk, psk_ident, psk_hash, ssl3,
-            max_ver, tickets, cipherlist, request_pha) = \
+            max_ver, tickets, cipherlist, request_pha, require_pha) = \
         handleArgs(argv, "kctbvdlL",
                    ["reqcert", "param=", "psk=",
                     "psk-ident=", "psk-sha384", "ssl3", "max-ver=",
-                    "tickets=", "cipherlist=", "request-pha"])
+                    "tickets=", "cipherlist=", "request-pha", "require-pha"])
 
 
     if (cert_chain and not privateKey) or (not cert_chain and privateKey):
@@ -604,6 +612,7 @@ def handshake(self, connection):
                                       1)
                 connection.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                       struct.pack('ii', 1, 5))
+                connection.client_cert_required = require_pha
                 connection.handshakeServer(certChain=cert_chain,
                                               privateKey=privateKey,
                                               verifierDB=verifierDB,
