projects
/
BearSSL
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Fixed buffer overflow, and also NULL pointer dereference, in ECDSA signature handling.
[BearSSL]
/
tools
/
client.c
diff --git
a/tools/client.c
b/tools/client.c
index
90ba7e5
..
72bdbd1
100644
(file)
--- a/
tools/client.c
+++ b/
tools/client.c
@@
-27,6
+27,7
@@
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
+#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/socket.h>
@@
-149,6
+150,10
@@
usage_client(void)
" -hf names add support for some hash functions (comma-separated)\n");
fprintf(stderr,
" -minhello len set minimum ClientHello length (in bytes)\n");
" -hf names add support for some hash functions (comma-separated)\n");
fprintf(stderr,
" -minhello len set minimum ClientHello length (in bytes)\n");
+ fprintf(stderr,
+" -fallback send the TLS_FALLBACK_SCSV (i.e. claim a downgrade)\n");
+ fprintf(stderr,
+" -noreneg prohibit renegotiations\n");
}
/* see brssl.h */
}
/* see brssl.h */
@@
-177,6
+182,8
@@
do_client(int argc, char *argv[])
unsigned char *iobuf;
size_t iobuf_len;
size_t minhello_len;
unsigned char *iobuf;
size_t iobuf_len;
size_t minhello_len;
+ int fallback;
+ uint32_t flags;
int fd;
retcode = 0;
int fd;
retcode = 0;
@@
-196,6
+203,8
@@
do_client(int argc, char *argv[])
iobuf = NULL;
iobuf_len = 0;
minhello_len = (size_t)-1;
iobuf = NULL;
iobuf_len = 0;
minhello_len = (size_t)-1;
+ fallback = 0;
+ flags = 0;
fd = -1;
for (i = 0; i < argc; i ++) {
const char *arg;
fd = -1;
for (i = 0; i < argc; i ++) {
const char *arg;
@@
-376,6
+385,10
@@
do_client(int argc, char *argv[])
usage_client();
goto client_exit_error;
}
usage_client();
goto client_exit_error;
}
+ } else if (eqstr(arg, "-fallback")) {
+ fallback = 1;
+ } else if (eqstr(arg, "-noreneg")) {
+ flags |= BR_OPT_NO_RENEGOTIATION;
} else {
fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
usage_client();
} else {
fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
usage_client();
@@
-457,7
+470,7
@@
do_client(int argc, char *argv[])
/*
* Compute implementation requirements and inject implementations.
*/
/*
* Compute implementation requirements and inject implementations.
*/
- suite_ids = xmalloc(
num_suites
* sizeof *suite_ids);
+ suite_ids = xmalloc(
(num_suites + 1)
* sizeof *suite_ids);
br_ssl_client_zero(&cc);
br_ssl_engine_set_versions(&cc.eng, vmin, vmax);
dnhash = NULL;
br_ssl_client_zero(&cc);
br_ssl_engine_set_versions(&cc.eng, vmin, vmax);
dnhash = NULL;
@@
-557,6
+570,9
@@
do_client(int argc, char *argv[])
br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31);
}
}
br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31);
}
}
+ if (fallback) {
+ suite_ids[num_suites ++] = 0x5600;
+ }
br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
for (u = 0; hash_functions[u].name; u ++) {
br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
for (u = 0; hash_functions[u].name; u ++) {
@@
-606,10
+622,16
@@
do_client(int argc, char *argv[])
if (minhello_len != (size_t)-1) {
br_ssl_client_set_min_clienthello_len(&cc, minhello_len);
}
if (minhello_len != (size_t)-1) {
br_ssl_client_set_min_clienthello_len(&cc, minhello_len);
}
+ br_ssl_engine_set_all_flags(&cc.eng, flags);
br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
br_ssl_client_reset(&cc, sni, 0);
br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
br_ssl_client_reset(&cc, sni, 0);
+ /*
+ * We need to avoid SIGPIPE.
+ */
+ signal(SIGPIPE, SIG_IGN);
+
/*
* Connect to the peer.
*/
/*
* Connect to the peer.
*/