X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=tools%2Fclient.c;h=72bdbd1377e7832489ebe12d3502f68e5dad1bef;hp=8fc3cd8ae4f7cb21c6e0f3886e5a03db4ad74e68;hb=2e2b17186bf66b19831c0003cacc7afe2dd3dcdf;hpb=f3ac21cb00646600475b02ecd2c592ee36e417da

diff --git a/tools/client.c b/tools/client.c
index 8fc3cd8..72bdbd1 100644
--- a/tools/client.c
+++ b/tools/client.c
@@ -27,6 +27,7 @@
 #include <string.h>
 #include <stdint.h>
 #include <errno.h>
+#include <signal.h>
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -124,29 +125,35 @@ usage_client(void)
 	fprintf(stderr,
 "options:\n");
 	fprintf(stderr,
-"   -q            suppress verbose messages\n");
+"   -q              suppress verbose messages\n");
 	fprintf(stderr,
-"   -trace        activate extra debug messages (dump of all packets)\n");
+"   -trace          activate extra debug messages (dump of all packets)\n");
 	fprintf(stderr,
-"   -sni name     use this specific name for SNI\n");
+"   -sni name       use this specific name for SNI\n");
 	fprintf(stderr,
-"   -nosni        do not send any SNI\n");
+"   -nosni          do not send any SNI\n");
 	fprintf(stderr,
-"   -mono         use monodirectional buffering\n");
+"   -mono           use monodirectional buffering\n");
 	fprintf(stderr,
-"   -buf length   set the I/O buffer length (in bytes)\n");
+"   -buf length     set the I/O buffer length (in bytes)\n");
 	fprintf(stderr,
-"   -CA file      add certificates in 'file' to trust anchors\n");
+"   -CA file        add certificates in 'file' to trust anchors\n");
 	fprintf(stderr,
-"   -list         list supported names (protocols, algorithms...)\n");
+"   -list           list supported names (protocols, algorithms...)\n");
 	fprintf(stderr,
-"   -vmin name    set minimum supported version (default: TLS-1.0)\n");
+"   -vmin name      set minimum supported version (default: TLS-1.0)\n");
 	fprintf(stderr,
-"   -vmax name    set maximum supported version (default: TLS-1.2)\n");
+"   -vmax name      set maximum supported version (default: TLS-1.2)\n");
 	fprintf(stderr,
-"   -cs names     set list of supported cipher suites (comma-separated)\n");
+"   -cs names       set list of supported cipher suites (comma-separated)\n");
 	fprintf(stderr,
-"   -hf names     add support for some hash functions (comma-separated)\n");
+"   -hf names       add support for some hash functions (comma-separated)\n");
+	fprintf(stderr,
+"   -minhello len   set minimum ClientHello length (in bytes)\n");
+	fprintf(stderr,
+"   -fallback       send the TLS_FALLBACK_SCSV (i.e. claim a downgrade)\n");
+	fprintf(stderr,
+"   -noreneg        prohibit renegotiations\n");
 }
 
 /* see brssl.h */
@@ -174,6 +181,9 @@ do_client(int argc, char *argv[])
 	const br_hash_class *dnhash;
 	unsigned char *iobuf;
 	size_t iobuf_len;
+	size_t minhello_len;
+	int fallback;
+	uint32_t flags;
 	int fd;
 
 	retcode = 0;
@@ -192,6 +202,9 @@ do_client(int argc, char *argv[])
 	suite_ids = NULL;
 	iobuf = NULL;
 	iobuf_len = 0;
+	minhello_len = (size_t)-1;
+	fallback = 0;
+	flags = 0;
 	fd = -1;
 	for (i = 0; i < argc; i ++) {
 		const char *arg;
@@ -348,6 +361,34 @@ do_client(int argc, char *argv[])
 				goto client_exit_error;
 			}
 			hfuns |= x;
+		} else if (eqstr(arg, "-minhello")) {
+			if (++ i >= argc) {
+				fprintf(stderr,
+					"ERROR: no argument for '-minhello'\n");
+				usage_client();
+				goto client_exit_error;
+			}
+			arg = argv[i];
+			if (minhello_len != (size_t)-1) {
+				fprintf(stderr, "ERROR: duplicate minium"
+					" ClientHello length\n");
+				usage_client();
+				goto client_exit_error;
+			}
+			minhello_len = parse_size(arg);
+			/*
+			 * Minimum ClientHello length must fit on 16 bits.
+			 */
+			if (minhello_len == (size_t)-1
+				|| (((minhello_len >> 12) >> 4) != 0))
+			{
+				usage_client();
+				goto client_exit_error;
+			}
+		} else if (eqstr(arg, "-fallback")) {
+			fallback = 1;
+		} else if (eqstr(arg, "-noreneg")) {
+			flags |= BR_OPT_NO_RENEGOTIATION;
 		} else {
 			fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
 			usage_client();
@@ -429,7 +470,7 @@ do_client(int argc, char *argv[])
 	/*
 	 * Compute implementation requirements and inject implementations.
 	 */
-	suite_ids = xmalloc(num_suites * sizeof *suite_ids);
+	suite_ids = xmalloc((num_suites + 1) * sizeof *suite_ids);
 	br_ssl_client_zero(&cc);
 	br_ssl_engine_set_versions(&cc.eng, vmin, vmax);
 	dnhash = NULL;
@@ -529,6 +570,9 @@ do_client(int argc, char *argv[])
 			br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31);
 		}
 	}
+	if (fallback) {
+		suite_ids[num_suites ++] = 0x5600;
+	}
 	br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
 
 	for (u = 0; hash_functions[u].name; u ++) {
@@ -575,9 +619,19 @@ do_client(int argc, char *argv[])
 		br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
 	}
 
+	if (minhello_len != (size_t)-1) {
+		br_ssl_client_set_min_clienthello_len(&cc, minhello_len);
+	}
+	br_ssl_engine_set_all_flags(&cc.eng, flags);
+
 	br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
 	br_ssl_client_reset(&cc, sni, 0);
 
+	/*
+	 * We need to avoid SIGPIPE.
+	 */
+	signal(SIGPIPE, SIG_IGN);
+
 	/*
 	 * Connect to the peer.
 	 */