diff options
Diffstat (limited to 'security/nss/cmd/tstclnt')
-rw-r--r-- | security/nss/cmd/tstclnt/Makefile | 2 | ||||
-rw-r--r-- | security/nss/cmd/tstclnt/tstclnt.c | 134 |
2 files changed, 111 insertions, 25 deletions
diff --git a/security/nss/cmd/tstclnt/Makefile b/security/nss/cmd/tstclnt/Makefile index a27a3ce97..aae7b445c 100644 --- a/security/nss/cmd/tstclnt/Makefile +++ b/security/nss/cmd/tstclnt/Makefile @@ -1,5 +1,5 @@ #! gmake -# +# # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index 6f5a43146..520eeff64 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -28,6 +28,7 @@ #include "prio.h" #include "prnetdb.h" #include "nss.h" +#include "nssb64.h" #include "ocsp.h" #include "ssl.h" #include "sslproto.h" @@ -106,6 +107,45 @@ secuPWData pwdata = { PW_NONE, 0 }; SSLNamedGroup *enabledGroups = NULL; unsigned int enabledGroupsCount = 0; +const SSLSignatureScheme *enabledSigSchemes = NULL; +unsigned int enabledSigSchemeCount = 0; + +const char * +signatureSchemeName(SSLSignatureScheme scheme) +{ + switch (scheme) { +#define strcase(x) \ + case ssl_sig_##x: \ + return #x + strcase(none); + strcase(rsa_pkcs1_sha1); + strcase(rsa_pkcs1_sha256); + strcase(rsa_pkcs1_sha384); + strcase(rsa_pkcs1_sha512); + strcase(ecdsa_sha1); + strcase(ecdsa_secp256r1_sha256); + strcase(ecdsa_secp384r1_sha384); + strcase(ecdsa_secp521r1_sha512); + strcase(rsa_pss_rsae_sha256); + strcase(rsa_pss_rsae_sha384); + strcase(rsa_pss_rsae_sha512); + strcase(ed25519); + strcase(ed448); + strcase(rsa_pss_pss_sha256); + strcase(rsa_pss_pss_sha384); + strcase(rsa_pss_pss_sha512); + strcase(dsa_sha1); + strcase(dsa_sha256); + strcase(dsa_sha384); + strcase(dsa_sha512); +#undef strcase + case ssl_sig_rsa_pkcs1_sha1md5: + return "RSA PKCS#1 SHA1+MD5"; + default: + break; + } + return "Unknown Scheme"; +} void printSecurityInfo(PRFileDesc *fd) @@ -132,11 +172,13 @@ printSecurityInfo(PRFileDesc *fd) suite.macBits, suite.macAlgorithmName); FPRINTF(stderr, "tstclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n" - " Compression: %s, Extended Master Secret: %s\n", + " Compression: %s, Extended Master Secret: %s\n" + " Signature Scheme: %s\n", channel.authKeyBits, suite.authAlgorithmName, channel.keaKeyBits, suite.keaTypeName, channel.compressionMethodName, - channel.extendedMasterSecretUsed ? "Yes" : "No"); + channel.extendedMasterSecretUsed ? "Yes" : "No", + signatureSchemeName(channel.signatureScheme)); } } cert = SSL_RevealCert(fd); @@ -178,11 +220,13 @@ PrintUsageHeader() { fprintf(stderr, "Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n" - "[-D | -d certdir] [-C] [-b | -R root-module] \n" - "[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n" - "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n" - "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n" - "[-A requestfile] [-L totalconnections] [-P {client,server}] [-Q]\n" + " [-D | -d certdir] [-C] [-b | -R root-module] \n" + " [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n" + " [-V [min-version]:[max-version]] [-K] [-T] [-U]\n" + " [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n" + " [-I groups] [-J signatureschemes]\n" + " [-A requestfile] [-L totalconnections] [-P {client,server}]\n" + " [-N encryptedSniKeys] [-Q]\n" "\n", progName); } @@ -225,7 +269,6 @@ PrintParameterUsage() fprintf(stderr, "%-20s Timeout for server ping (default: no timeout).\n", "-t seconds"); fprintf(stderr, "%-20s Renegotiate N times (resuming session if N>1).\n", "-r N"); fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u"); - fprintf(stderr, "%-20s Enable compression.\n", "-z"); fprintf(stderr, "%-20s Enable false start.\n", "-g"); fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T"); fprintf(stderr, "%-20s Enable the signed_certificate_timestamp extension.\n", "-U"); @@ -255,9 +298,19 @@ PrintParameterUsage() "%-20s The following values are valid:\n" "%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n", "-I", "", ""); + fprintf(stderr, "%-20s Comma separated list of signature schemes in preference order.\n" + "%-20s The following values are valid:\n" + "%-20s rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n" + "%-20s ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n" + "%-20s ecdsa_secp521r1_sha512,\n" + "%-20s rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n" + "%-20s rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n" + "%-20s dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512\n", + "-J", "", "", "", "", "", "", ""); fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello"); fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}"); fprintf(stderr, "%-20s Exit after handshake\n", "-Q"); + fprintf(stderr, "%-20s Encrypted SNI Keys\n", "-N"); } static void @@ -906,7 +959,6 @@ int multiplier = 0; SSLVersionRange enabledVersions; int disableLocking = 0; int enableSessionTickets = 0; -int enableCompression = 0; int enableFalseStart = 0; int enableCertStatus = 0; int enableSignedCertTimestamps = 0; @@ -936,6 +988,7 @@ PRBool stopAfterHandshake = PR_FALSE; PRBool requestToExit = PR_FALSE; char *versionString = NULL; PRBool handshakeComplete = PR_FALSE; +char *encryptedSNIKeys = NULL; static int writeBytesToServer(PRFileDesc *s, const PRUint8 *buf, int nb) @@ -1283,14 +1336,6 @@ run() goto done; } - /* enable compression. */ - rv = SSL_OptionSet(s, SSL_ENABLE_DEFLATE, enableCompression); - if (rv != SECSuccess) { - SECU_PrintError(progName, "error enabling compression"); - error = 1; - goto done; - } - /* enable false start. */ rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart); if (rv != SECSuccess) { @@ -1374,6 +1419,35 @@ run() } } + if (enabledSigSchemes) { + rv = SSL_SignatureSchemePrefSet(s, enabledSigSchemes, enabledSigSchemeCount); + if (rv < 0) { + SECU_PrintError(progName, "SSL_SignatureSchemePrefSet failed"); + error = 1; + goto done; + } + } + + if (encryptedSNIKeys) { + SECItem esniKeysBin = { siBuffer, NULL, 0 }; + + if (!NSSBase64_DecodeBuffer(NULL, &esniKeysBin, encryptedSNIKeys, + strlen(encryptedSNIKeys))) { + SECU_PrintError(progName, "ESNIKeys record is invalid base64"); + error = 1; + goto done; + } + + rv = SSL_EnableESNI(s, esniKeysBin.data, esniKeysBin.len, + "dummy.invalid"); + SECITEM_FreeItem(&esniKeysBin, PR_FALSE); + if (rv < 0) { + SECU_PrintError(progName, "SSL_EnableESNI failed"); + error = 1; + goto done; + } + } + serverCertAuth.dbHandle = CERT_GetDefaultCertDB(); SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth); @@ -1628,10 +1702,12 @@ main(int argc, char **argv) } } - /* XXX: 'B' was used in the past but removed in 3.28, - * please leave some time before resuing it. */ + /* Note: 'B' was used in the past but removed in 3.28 + * 'z' was removed in 3.39 + * Please leave some time before reusing these. + */ optstate = PL_CreateOptState(argc, argv, - "46A:CDFGHI:KL:M:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z"); + "46A:CDFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:"); while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case '?': @@ -1708,6 +1784,10 @@ main(int argc, char **argv) }; break; + case 'N': + encryptedSNIKeys = PORT_Strdup(optstate->value); + break; + case 'P': useDTLS = PR_TRUE; if (!strcmp(optstate->value, "server")) { @@ -1850,10 +1930,6 @@ main(int argc, char **argv) pwdata.data = PORT_Strdup(optstate->value); break; - case 'z': - enableCompression = 1; - break; - case 'I': rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount); if (rv != SECSuccess) { @@ -1862,6 +1938,15 @@ main(int argc, char **argv) Usage(); } break; + + case 'J': + rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount); + if (rv != SECSuccess) { + PL_DestroyOptState(optstate); + fprintf(stderr, "Bad signature scheme specified.\n"); + Usage(); + } + break; } } PL_DestroyOptState(optstate); @@ -2051,6 +2136,7 @@ done: PORT_Free(pwdata.data); PORT_Free(host); PORT_Free(zeroRttData); + PORT_Free(encryptedSNIKeys); if (enabledGroups) { PORT_Free(enabledGroups); |