X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=tools%2Fclient.c;h=37b8877c8570c47504e420295aea1e994491f8f1;hp=102d43b77cbcd74a4076365c4eb0e12a5b2e535a;hb=3f00688b9d9f483a6ca97e659eea104995ea15b7;hpb=e61ad42191511226309bad2cbde8cd9e8cc743cb

diff --git a/tools/client.c b/tools/client.c
index 102d43b..37b8877 100644
--- a/tools/client.c
+++ b/tools/client.c
@@ -29,6 +29,10 @@
 #include <errno.h>
 #include <signal.h>
 
+#ifdef _WIN32
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#else
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
@@ -37,14 +41,17 @@
 #include <unistd.h>
 #include <fcntl.h>
 
+#define SOCKET             int
+#define INVALID_SOCKET     (-1)
+#endif
+
 #include "brssl.h"
-#include "bearssl.h"
 
 static int
 host_connect(const char *host, const char *port, int verbose)
 {
 	struct addrinfo hints, *si, *p;
-	int fd;
+	SOCKET fd;
 	int err;
 
 	memset(&hints, 0, sizeof hints);
@@ -54,9 +61,9 @@ host_connect(const char *host, const char *port, int verbose)
 	if (err != 0) {
 		fprintf(stderr, "ERROR: getaddrinfo(): %s\n",
 			gai_strerror(err));
-		return -1;
+		return INVALID_SOCKET;
 	}
-	fd = -1;
+	fd = INVALID_SOCKET;
 	for (p = si; p != NULL; p = p->ai_next) {
 		if (verbose) {
 			struct sockaddr *sa;
@@ -84,17 +91,21 @@ host_connect(const char *host, const char *port, int verbose)
 			fprintf(stderr, "connecting to: %s\n", tmp);
 		}
 		fd = socket(p->ai_family, p->ai_socktype, p->ai_protocol);
-		if (fd < 0) {
+		if (fd == INVALID_SOCKET) {
 			if (verbose) {
 				perror("socket()");
 			}
 			continue;
 		}
-		if (connect(fd, p->ai_addr, p->ai_addrlen) < 0) {
+		if (connect(fd, p->ai_addr, p->ai_addrlen) == INVALID_SOCKET) {
 			if (verbose) {
 				perror("connect()");
 			}
+#ifdef _WIN32
+			closesocket(fd);
+#else
 			close(fd);
+#endif
 			continue;
 		}
 		break;
@@ -102,7 +113,7 @@ host_connect(const char *host, const char *port, int verbose)
 	if (p == NULL) {
 		freeaddrinfo(si);
 		fprintf(stderr, "ERROR: failed to connect\n");
-		return -1;
+		return INVALID_SOCKET;
 	}
 	freeaddrinfo(si);
 	if (verbose) {
@@ -111,9 +122,18 @@ host_connect(const char *host, const char *port, int verbose)
 
 	/*
 	 * We make the socket non-blocking, since we are going to use
-	 * poll() to organise I/O.
+	 * poll() or select() to organise I/O.
 	 */
+#ifdef _WIN32
+	{
+		u_long arg;
+
+		arg = 1;
+		ioctlsocket(fd, FIONBIO, &arg);
+	}
+#else
 	fcntl(fd, F_SETFL, O_NONBLOCK);
+#endif
 	return fd;
 }
 
@@ -319,13 +339,19 @@ cc_choose(const br_ssl_client_certificate_class **pctx,
 
 static uint32_t
 cc_do_keyx(const br_ssl_client_certificate_class **pctx,
-	unsigned char *data, size_t len)
+	unsigned char *data, size_t *len)
 {
 	ccert_context *zc;
+	size_t xoff, xlen;
+	uint32_t r;
 
 	zc = (ccert_context *)pctx;
-	return br_ec_prime_i31.mul(data, len, zc->sk->key.ec.x,
+	r = br_ec_all_m15.mul(data, *len, zc->sk->key.ec.x,
 		zc->sk->key.ec.xlen, zc->sk->key.ec.curve);
+	xoff = br_ec_all_m15.xoff(zc->sk->key.ec.curve, &xlen);
+	memmove(data, data + xoff, xlen);
+	*len = xlen;
+	return r;
 }
 
 static size_t
@@ -392,7 +418,7 @@ cc_do_sign(const br_ssl_client_certificate_class **pctx,
 			}
 			return 0;
 		}
-		sig_len = br_ecdsa_i31_sign_asn1(&br_ec_prime_i31,
+		sig_len = br_ecdsa_i31_sign_asn1(&br_ec_all_m15,
 			hc, hv, &zc->sk->key.ec, data);
 		if (sig_len == 0) {
 			if (zc->verbose) {
@@ -419,6 +445,12 @@ static const br_ssl_client_certificate_class ccert_vtable = {
 	cc_do_sign
 };
 
+static void
+free_alpn(void *alpn)
+{
+	xfree(*(char **)alpn);
+}
+
 static void
 usage_client(void)
 {
@@ -462,6 +494,10 @@ usage_client(void)
 "   -fallback       send the TLS_FALLBACK_SCSV (i.e. claim a downgrade)\n");
 	fprintf(stderr,
 "   -noreneg        prohibit renegotiations\n");
+	fprintf(stderr,
+"   -alpn name      add protocol name to list of protocols (ALPN extension)\n");
+	fprintf(stderr,
+"   -strictalpn     fail on ALPN mismatch\n");
 }
 
 /* see brssl.h */
@@ -478,6 +514,7 @@ do_client(int argc, char *argv[])
 	const char *sni;
 	anchor_list anchors = VEC_INIT;
 	unsigned vmin, vmax;
+	VECTOR(char *) alpn_names = VEC_INIT;
 	cipher_suite *suites;
 	size_t num_suites;
 	uint16_t *suite_ids;
@@ -497,7 +534,7 @@ do_client(int argc, char *argv[])
 	size_t minhello_len;
 	int fallback;
 	uint32_t flags;
-	int fd;
+	SOCKET fd;
 
 	retcode = 0;
 	verbose = 1;
@@ -522,7 +559,7 @@ do_client(int argc, char *argv[])
 	minhello_len = (size_t)-1;
 	fallback = 0;
 	flags = 0;
-	fd = -1;
+	fd = INVALID_SOCKET;
 	for (i = 0; i < argc; i ++) {
 		const char *arg;
 
@@ -744,6 +781,16 @@ do_client(int argc, char *argv[])
 			fallback = 1;
 		} else if (eqstr(arg, "-noreneg")) {
 			flags |= BR_OPT_NO_RENEGOTIATION;
+		} else if (eqstr(arg, "-alpn")) {
+			if (++ i >= argc) {
+				fprintf(stderr,
+					"ERROR: no argument for '-alpn'\n");
+				usage_client();
+				goto client_exit_error;
+			}
+			VEC_ADD(alpn_names, xstrdup(argv[i]));
+		} else if (eqstr(arg, "-strictalpn")) {
+			flags |= BR_OPT_FAIL_ON_ALPN_MISMATCH;
 		} else {
 			fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
 			usage_client();
@@ -915,6 +962,15 @@ do_client(int argc, char *argv[])
 				&br_sslrec_in_gcm_vtable,
 				&br_sslrec_out_gcm_vtable);
 		}
+		if ((req & REQ_CHAPOL) != 0) {
+			br_ssl_engine_set_chacha20(&cc.eng,
+				&br_chacha20_ct_run);
+			br_ssl_engine_set_poly1305(&cc.eng,
+				&br_poly1305_ctmul_run);
+			br_ssl_engine_set_chapol(&cc.eng,
+				&br_sslrec_in_chapol_vtable,
+				&br_sslrec_out_chapol_vtable);
+		}
 		if ((req & REQ_3DESCBC) != 0) {
 			br_ssl_engine_set_des_cbc(&cc.eng,
 				&br_des_ct_cbcenc_vtable,
@@ -927,17 +983,17 @@ do_client(int argc, char *argv[])
 			br_ssl_client_set_rsapub(&cc, &br_rsa_i31_public);
 		}
 		if ((req & REQ_ECDHE_RSA) != 0) {
-			br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31);
+			br_ssl_engine_set_ec(&cc.eng, &br_ec_all_m15);
 			br_ssl_engine_set_rsavrfy(&cc.eng,
 				&br_rsa_i31_pkcs1_vrfy);
 		}
 		if ((req & REQ_ECDHE_ECDSA) != 0) {
-			br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31);
+			br_ssl_engine_set_ec(&cc.eng, &br_ec_all_m15);
 			br_ssl_engine_set_ecdsa(&cc.eng,
 				&br_ecdsa_i31_vrfy_asn1);
 		}
 		if ((req & REQ_ECDH) != 0) {
-			br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31);
+			br_ssl_engine_set_ec(&cc.eng, &br_ec_all_m15);
 		}
 	}
 	if (fallback) {
@@ -971,7 +1027,7 @@ do_client(int argc, char *argv[])
 	}
 	br_x509_minimal_set_rsa(&xc, &br_rsa_i31_pkcs1_vrfy);
 	br_x509_minimal_set_ecdsa(&xc,
-		&br_ec_prime_i31, &br_ecdsa_i31_vrfy_asn1);
+		&br_ec_all_m15, &br_ecdsa_i31_vrfy_asn1);
 
 	/*
 	 * If there is no provided trust anchor, then certificate validation
@@ -993,6 +1049,11 @@ do_client(int argc, char *argv[])
 		br_ssl_client_set_min_clienthello_len(&cc, minhello_len);
 	}
 	br_ssl_engine_set_all_flags(&cc.eng, flags);
+	if (VEC_LEN(alpn_names) != 0) {
+		br_ssl_engine_set_protocol_names(&cc.eng,
+			(const char **)&VEC_ELT(alpn_names, 0),
+			VEC_LEN(alpn_names));
+	}
 
 	if (chain != NULL) {
 		zc.vtable = &ccert_vtable;
@@ -1015,15 +1076,17 @@ do_client(int argc, char *argv[])
 	br_ssl_client_reset(&cc, sni, 0);
 
 	/*
-	 * We need to avoid SIGPIPE.
+	 * On Unix systems, we need to avoid SIGPIPE.
 	 */
+#ifndef _WIN32
 	signal(SIGPIPE, SIG_IGN);
+#endif
 
 	/*
 	 * Connect to the peer.
 	 */
 	fd = host_connect(host, port, verbose);
-	if (fd < 0) {
+	if (fd == INVALID_SOCKET) {
 		goto client_exit_error;
 	}
 
@@ -1048,11 +1111,16 @@ client_exit:
 	xfree(suites);
 	xfree(suite_ids);
 	VEC_CLEAREXT(anchors, &free_ta_contents);
+	VEC_CLEAREXT(alpn_names, &free_alpn);
 	free_certificates(chain, chain_len);
 	free_private_key(sk);
 	xfree(iobuf);
-	if (fd >= 0) {
+	if (fd != INVALID_SOCKET) {
+#ifdef _WIN32
+		closesocket(fd);
+#else
 		close(fd);
+#endif
 	}
 	return retcode;