#include <string.h>
#include <stdint.h>
#include <errno.h>
+#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
fprintf(stderr,
"options:\n");
fprintf(stderr,
-" -q suppress verbose messages\n");
+" -q suppress verbose messages\n");
fprintf(stderr,
-" -trace activate extra debug messages (dump of all packets)\n");
+" -trace activate extra debug messages (dump of all packets)\n");
fprintf(stderr,
-" -sni name use this specific name for SNI\n");
+" -sni name use this specific name for SNI\n");
fprintf(stderr,
-" -nosni do not send any SNI\n");
+" -nosni do not send any SNI\n");
fprintf(stderr,
-" -mono use monodirectional buffering\n");
+" -mono use monodirectional buffering\n");
fprintf(stderr,
-" -buf length set the I/O buffer length (in bytes)\n");
+" -buf length set the I/O buffer length (in bytes)\n");
fprintf(stderr,
-" -CA file add certificates in 'file' to trust anchors\n");
+" -CA file add certificates in 'file' to trust anchors\n");
fprintf(stderr,
-" -list list supported names (protocols, algorithms...)\n");
+" -list list supported names (protocols, algorithms...)\n");
fprintf(stderr,
-" -vmin name set minimum supported version (default: TLS-1.0)\n");
+" -vmin name set minimum supported version (default: TLS-1.0)\n");
fprintf(stderr,
-" -vmax name set maximum supported version (default: TLS-1.2)\n");
+" -vmax name set maximum supported version (default: TLS-1.2)\n");
fprintf(stderr,
-" -cs names set list of supported cipher suites (comma-separated)\n");
+" -cs names set list of supported cipher suites (comma-separated)\n");
fprintf(stderr,
-" -hf names add support for some hash functions (comma-separated)\n");
+" -hf names add support for some hash functions (comma-separated)\n");
+ fprintf(stderr,
+" -minhello len set minimum ClientHello length (in bytes)\n");
+ fprintf(stderr,
+" -fallback send the TLS_FALLBACK_SCSV (i.e. claim a downgrade)\n");
+ fprintf(stderr,
+" -noreneg prohibit renegotiations\n");
}
/* see brssl.h */
const br_hash_class *dnhash;
unsigned char *iobuf;
size_t iobuf_len;
+ size_t minhello_len;
+ int fallback;
+ uint32_t flags;
int fd;
retcode = 0;
suite_ids = NULL;
iobuf = NULL;
iobuf_len = 0;
+ minhello_len = (size_t)-1;
+ fallback = 0;
+ flags = 0;
fd = -1;
for (i = 0; i < argc; i ++) {
const char *arg;
goto client_exit_error;
}
hfuns |= x;
+ } else if (eqstr(arg, "-minhello")) {
+ if (++ i >= argc) {
+ fprintf(stderr,
+ "ERROR: no argument for '-minhello'\n");
+ usage_client();
+ goto client_exit_error;
+ }
+ arg = argv[i];
+ if (minhello_len != (size_t)-1) {
+ fprintf(stderr, "ERROR: duplicate minium"
+ " ClientHello length\n");
+ usage_client();
+ goto client_exit_error;
+ }
+ minhello_len = parse_size(arg);
+ /*
+ * Minimum ClientHello length must fit on 16 bits.
+ */
+ if (minhello_len == (size_t)-1
+ || (((minhello_len >> 12) >> 4) != 0))
+ {
+ usage_client();
+ goto client_exit_error;
+ }
+ } else if (eqstr(arg, "-fallback")) {
+ fallback = 1;
+ } else if (eqstr(arg, "-noreneg")) {
+ flags |= BR_OPT_NO_RENEGOTIATION;
} else {
fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
usage_client();
/*
* Compute implementation requirements and inject implementations.
*/
- suite_ids = xmalloc(num_suites * sizeof *suite_ids);
+ suite_ids = xmalloc((num_suites + 1) * sizeof *suite_ids);
br_ssl_client_zero(&cc);
br_ssl_engine_set_versions(&cc.eng, vmin, vmax);
dnhash = NULL;
br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31);
}
}
+ if (fallback) {
+ suite_ids[num_suites ++] = 0x5600;
+ }
br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
for (u = 0; hash_functions[u].name; u ++) {
br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
}
+ if (minhello_len != (size_t)-1) {
+ br_ssl_client_set_min_clienthello_len(&cc, minhello_len);
+ }
+ br_ssl_engine_set_all_flags(&cc.eng, flags);
+
br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
br_ssl_client_reset(&cc, sni, 0);
+ /*
+ * We need to avoid SIGPIPE.
+ */
+ signal(SIGPIPE, SIG_IGN);
+
/*
* Connect to the peer.
*/
projects / BearSSL / blobdiff