Add TLS/TCP and DTLS/UDP support for both server and client#70
ordinary-hacker wants to merge 3 commits into robiot:master from
Conversation
Rn I mostly just need to actually test this and do some code refinements
Now this is ready to merge! In case needed for vetting here's a little guide to test: first TLS works with DER format, meanwhile DTLS with PKCS#12 format, you can generate some quick test files with:

```shell
openssl genrsa -out server-key.pem 2048 && \
openssl req -new -x509 -key server-key.pem -out server-cert.pem -days 365 -subj "/CN=localhost" && \
openssl x509 -in server-cert.pem -outform DER -out server-cert-new.der && \
openssl rsa -in server-key.pem -outform DER -out server-key-new.der && \
openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -out server-new.p12 -name "rustcat-server" -passout pass:
```

then for example if using rcat listener and client for TLS:

```shell
# Terminal 1 (TLS Listener)
./target/debug/rcat listen -i --protocol tls --cert server-cert-new.der --key server-key-new.der 8443
# Terminal 2 (rcat TLS Client)
./target/debug/rcat connect -s bash --protocol tls localhost 8443
```

rcat TLS listener but with openssl client:

```shell
# Terminal 1 (TLS Listener)
./target/debug/rcat listen -i --protocol tls --cert server-cert-new.der --key server-key-new.der 8443
# Terminal 2 (OpenSSL Client)
openssl s_client -connect localhost:8443 -verify_return_error
```

rcat for DTLS listener and client:

```shell
# Terminal 1 (DTLS Listener)
./target/debug/rcat listen -i --protocol dtls --cert server-new.p12 8444
# Terminal 2 (rcat DTLS Client)
./target/debug/rcat connect -s bash --protocol dtls --cert server-new.p12 localhost 8444
```

if just doing some echo tests for TLS:

```shell
# Terminal 1
./target/debug/rcat listen -i --protocol tls --cert server-cert-new.der --key server-key-new.der 8443
# Terminal 2
echo "Hello TLS" | openssl s_client -connect localhost:8443 -quiet
```

for dtls:

```shell
# Terminal 1
./target/debug/rcat listen -i --protocol dtls --cert server-new.p12 8444
# Terminal 2
./target/debug/rcat connect -s cat --protocol dtls --cert server-new.p12 localhost 8444
```
looks cool

@robiot thanks :D could you do the merge???
```rust
let cert_path = opts.cert.as_ref().expect("TLS listener requires --cert");
let key_path = opts.key.as_ref().expect("TLS listener requires --key");
let cert_data = fs::read(cert_path).expect("Failed to read cert file");
let key_data = fs::read(key_path).expect("Failed to read key file");
```
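Review bot: the four `.expect(...)` calls on these lines turn a missing `--cert`/`--key` flag or an unreadable file into a panic with a backtrace, and the read failures ("Failed to read cert file") do not say which path was tried. For a CLI it would be cleaner to map these to an error that includes the path and the underlying `io::Error`, e.g. `fs::read(cert_path).map_err(|e| format!("cannot read cert {:?}: {}", cert_path, e))`, and exit non-zero from the caller, so the user sees which file failed instead of a panic message.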
Suggestion:
Establish a standard location for these files (analogous to $HOME/.ssh/), preferably in a path like $XDG_CONFIG_DIR/rustcat [1]. The files .../server-cert.der [2] and .../server-key.der, stored in that directory, could be loaded automatically if --protocol tls is used but no --cert and/or no --key argument (respectively) is given. To save the user having to type them every time.
(Another command line flag could disable automatic file loading even in the absence of --cert or --key, for the paranoid or in scripts. Something like --no-user-defaults, --ignore-user-keys, etc.)
Notes
1. Where the XDG spec defines $XDG_CONFIG_DIR as either the contents of that envvar, or $HOME/.config/ if no such environment variable is set.
2. (Or default-cert.der/default-key.der, you get the idea.)
```rust
let cert_data = fs::read(cert_path).expect("Failed to read cert file");
let key_data = fs::read(key_path).expect("Failed to read key file");
```
Second suggestion: Take a page from SSH et al, and check the permissions on any files being read, whether from a default location or one passed in via --cert / --key. Refuse to load encryption files if they're world-readable or (worse!) world-writable.
(SSH recommends, but doesn't enforce, that $HOME/.ssh/ have 0700 permissions, and will refuse to use any private key that's accessible by others, i.e. their private keyfile permissions mask is 0077.)
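As an added example (not part of the PR or of this thread), here is how the two suggestions above could fit together in Rust: default file locations under $XDG_CONFIG_HOME/rustcat (the variable the XDG spec defines for the config directory; the directory and file names are assumed), and an SSH-style check that refuses a private key with any of the 0077 bits set before `fs::read` is ever called.

```rust
// Added example (not rustcat's own code): resolve the default key path the first
// suggestion describes, then apply the SSH-style permission check from the
// second before reading a private key. Unix-only (uses mode bits).
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// Bits that must be clear on a private key: group/other rwx (SSH's 0077 mask).
const FORBIDDEN_MODE_BITS: u32 = 0o077;

/// $XDG_CONFIG_HOME/rustcat, falling back to $HOME/.config/rustcat
/// (assumed layout, following the suggestion in the review).
fn default_config_dir() -> Option<PathBuf> {
    let base = std::env::var_os("XDG_CONFIG_HOME")
        .map(PathBuf::from)
        .or_else(|| std::env::var_os("HOME").map(|h| PathBuf::from(h).join(".config")))?;
    Some(base.join("rustcat"))
}

/// Use the explicit --key/--cert path if given, else the default file name.
fn resolve_path(explicit: Option<&Path>, default_name: &str) -> Option<PathBuf> {
    match explicit {
        Some(p) => Some(p.to_path_buf()),
        None => default_config_dir().map(|d| d.join(default_name)),
    }
}

/// Refuse a key file that is not a regular file or that group/others can access.
fn check_key_permissions(path: &Path) -> io::Result<()> {
    let meta = fs::metadata(path)?;
    if !meta.is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    let mode = meta.permissions().mode() & 0o777;
    if mode & FORBIDDEN_MODE_BITS != 0 {
        let msg = format!("{} has mode {:04o}; a private key must be owner-only", path.display(), mode);
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, msg));
    }
    Ok(())
}

/// Read the private key only after the permission check passes.
fn load_private_key(explicit: Option<&Path>) -> io::Result<Vec<u8>> {
    let path = resolve_path(explicit, "server-key.der")
        .ok_or_else(|| io::Error::new(io::ErrorKind::NotFound, "no --key given and no config dir"))?;
    check_key_permissions(&path)?;
    fs::read(path)
}
```

The same check applies unchanged to the cert file, though a certificate is public and the stricter concern there is world-writability rather than readability.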
Still just a draft; right now the code compiles and it already has some stuff tied up for it to support these two encryption methods. This draft PR is mostly to keep a little bit on progress and also if anyone has any suggestions and stuff like that.
I'll keep adding more commits to this as I test stuff, change stuff, and so on.
Fixes #59