X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=tools%2Fclient.c;h=ce3c6d6020322e8ff90154550f54d2b56fecb4c5;hp=dcf888a6c3fe122eefcbf118667ee25eaf03e084;hb=3655193439d4e093bb80a2f0d9e02179d424de08;hpb=b42bd5972f935ffc32019acac6f8a07ae08ae9c2 diff --git a/tools/client.c b/tools/client.c index dcf888a..ce3c6d6 100644 --- a/tools/client.c +++ b/tools/client.c @@ -319,13 +319,19 @@ cc_choose(const br_ssl_client_certificate_class **pctx, static uint32_t cc_do_keyx(const br_ssl_client_certificate_class **pctx, - unsigned char *data, size_t len) + unsigned char *data, size_t *len) { ccert_context *zc; + size_t xoff, xlen; + uint32_t r; zc = (ccert_context *)pctx; - return br_ec_prime_i31.mul(data, len, zc->sk->key.ec.x, + r = br_ec_all_m15.mul(data, *len, zc->sk->key.ec.x, zc->sk->key.ec.xlen, zc->sk->key.ec.curve); + xoff = br_ec_all_m15.xoff(zc->sk->key.ec.curve, &xlen); + memmove(data, data + xoff, xlen); + *len = xlen; + return r; } static size_t @@ -392,7 +398,7 @@ cc_do_sign(const br_ssl_client_certificate_class **pctx, } return 0; } - sig_len = br_ecdsa_i31_sign_asn1(&br_ec_prime_i31, + sig_len = br_ecdsa_i31_sign_asn1(&br_ec_all_m15, hc, hv, &zc->sk->key.ec, data); if (sig_len == 0) { if (zc->verbose) { @@ -419,6 +425,12 @@ static const br_ssl_client_certificate_class ccert_vtable = { cc_do_sign }; +static void +free_alpn(void *alpn) +{ + xfree(*(char **)alpn); +} + static void usage_client(void) { @@ -462,6 +474,10 @@ usage_client(void) " -fallback send the TLS_FALLBACK_SCSV (i.e. claim a downgrade)\n"); fprintf(stderr, " -noreneg prohibit renegotiations\n"); + fprintf(stderr, +" -alpn name add protocol name to list of protocols (ALPN extension)\n"); + fprintf(stderr, +" -strictalpn fail on ALPN mismatch\n"); } /* see brssl.h */ @@ -478,6 +494,7 @@ do_client(int argc, char *argv[]) const char *sni; anchor_list anchors = VEC_INIT; unsigned vmin, vmax; + VECTOR(const char *) alpn_names = VEC_INIT; cipher_suite *suites; size_t num_suites; uint16_t *suite_ids; @@ -744,6 +761,16 @@ do_client(int argc, char *argv[]) fallback = 1; } else if (eqstr(arg, "-noreneg")) { flags |= BR_OPT_NO_RENEGOTIATION; + } else if (eqstr(arg, "-alpn")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-alpn'\n"); + usage_client(); + goto client_exit_error; + } + VEC_ADD(alpn_names, xstrdup(argv[i])); + } else if (eqstr(arg, "-strictalpn")) { + flags |= BR_OPT_FAIL_ON_ALPN_MISMATCH; } else { fprintf(stderr, "ERROR: unknown option: '%s'\n", arg); usage_client(); @@ -936,17 +963,17 @@ do_client(int argc, char *argv[]) br_ssl_client_set_rsapub(&cc, &br_rsa_i31_public); } if ((req & REQ_ECDHE_RSA) != 0) { - br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31); + br_ssl_engine_set_ec(&cc.eng, &br_ec_all_m15); br_ssl_engine_set_rsavrfy(&cc.eng, &br_rsa_i31_pkcs1_vrfy); } if ((req & REQ_ECDHE_ECDSA) != 0) { - br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31); + br_ssl_engine_set_ec(&cc.eng, &br_ec_all_m15); br_ssl_engine_set_ecdsa(&cc.eng, &br_ecdsa_i31_vrfy_asn1); } if ((req & REQ_ECDH) != 0) { - br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31); + br_ssl_engine_set_ec(&cc.eng, &br_ec_all_m15); } } if (fallback) { @@ -980,7 +1007,7 @@ do_client(int argc, char *argv[]) } br_x509_minimal_set_rsa(&xc, &br_rsa_i31_pkcs1_vrfy); br_x509_minimal_set_ecdsa(&xc, - &br_ec_prime_i31, &br_ecdsa_i31_vrfy_asn1); + &br_ec_all_m15, &br_ecdsa_i31_vrfy_asn1); /* * If there is no provided trust anchor, then certificate validation @@ -1002,6 +1029,10 @@ do_client(int argc, char *argv[]) br_ssl_client_set_min_clienthello_len(&cc, minhello_len); } br_ssl_engine_set_all_flags(&cc.eng, flags); + if (VEC_LEN(alpn_names) != 0) { + br_ssl_engine_set_protocol_names(&cc.eng, + &VEC_ELT(alpn_names, 0), VEC_LEN(alpn_names)); + } if (chain != NULL) { zc.vtable = &ccert_vtable; @@ -1057,6 +1088,7 @@ client_exit: xfree(suites); xfree(suite_ids); VEC_CLEAREXT(anchors, &free_ta_contents); + VEC_CLEAREXT(alpn_names, &free_alpn); free_certificates(chain, chain_len); free_private_key(sk); xfree(iobuf);