diff options
author | EKR <ekr@rtfm.com> | 2018-06-30 16:45:09 -0700 |
---|---|---|
committer | EKR <ekr@rtfm.com> | 2018-06-30 16:45:09 -0700 |
commit | 288c01f2e525389939c32524cd08b7281aa59a5c (patch) | |
tree | 8167ed433ab8e0401b36889eab068d0f03f1ec90 /cmd | |
parent | eac3f6ceb7152afcae1bd29662baaa27fc678138 (diff) | |
download | nss-hg-288c01f2e525389939c32524cd08b7281aa59a5c.tar.gz |
Bug 1494901 - Implement ESNI. r=mt
Phabricator: https://phabricator.services.mozilla.com/D6042
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/tstclnt/Makefile | 2 | ||||
-rw-r--r-- | cmd/tstclnt/tstclnt.c | 33 |
2 files changed, 32 insertions, 3 deletions
diff --git a/cmd/tstclnt/Makefile b/cmd/tstclnt/Makefile index a27a3ce97..aae7b445c 100644 --- a/cmd/tstclnt/Makefile +++ b/cmd/tstclnt/Makefile @@ -1,5 +1,5 @@ #! gmake -# +# # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c index b09b29222..520eeff64 100644 --- a/cmd/tstclnt/tstclnt.c +++ b/cmd/tstclnt/tstclnt.c @@ -28,6 +28,7 @@ #include "prio.h" #include "prnetdb.h" #include "nss.h" +#include "nssb64.h" #include "ocsp.h" #include "ssl.h" #include "sslproto.h" @@ -224,7 +225,8 @@ PrintUsageHeader() " [-V [min-version]:[max-version]] [-K] [-T] [-U]\n" " [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n" " [-I groups] [-J signatureschemes]\n" - " [-A requestfile] [-L totalconnections] [-P {client,server}] [-Q]\n" + " [-A requestfile] [-L totalconnections] [-P {client,server}]\n" + " [-N encryptedSniKeys] [-Q]\n" "\n", progName); } @@ -308,6 +310,7 @@ PrintParameterUsage() fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello"); fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}"); fprintf(stderr, "%-20s Exit after handshake\n", "-Q"); + fprintf(stderr, "%-20s Encrypted SNI Keys\n", "-N"); } static void @@ -985,6 +988,7 @@ PRBool stopAfterHandshake = PR_FALSE; PRBool requestToExit = PR_FALSE; char *versionString = NULL; PRBool handshakeComplete = PR_FALSE; +char *encryptedSNIKeys = NULL; static int writeBytesToServer(PRFileDesc *s, const PRUint8 *buf, int nb) @@ -1424,6 +1428,26 @@ run() } } + if (encryptedSNIKeys) { + SECItem esniKeysBin = { siBuffer, NULL, 0 }; + + if (!NSSBase64_DecodeBuffer(NULL, &esniKeysBin, encryptedSNIKeys, + strlen(encryptedSNIKeys))) { + SECU_PrintError(progName, "ESNIKeys record is invalid base64"); + error = 1; + goto done; + } + + rv = SSL_EnableESNI(s, esniKeysBin.data, esniKeysBin.len, + "dummy.invalid"); + SECITEM_FreeItem(&esniKeysBin, PR_FALSE); + if (rv < 0) { + SECU_PrintError(progName, "SSL_EnableESNI failed"); + error = 1; + goto done; + } + } + serverCertAuth.dbHandle = CERT_GetDefaultCertDB(); SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth); @@ -1683,7 +1707,7 @@ main(int argc, char **argv) * Please leave some time before reusing these. */ optstate = PL_CreateOptState(argc, argv, - "46A:CDFGHI:J:KL:M:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:"); + "46A:CDFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:"); while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case '?': @@ -1760,6 +1784,10 @@ main(int argc, char **argv) }; break; + case 'N': + encryptedSNIKeys = PORT_Strdup(optstate->value); + break; + case 'P': useDTLS = PR_TRUE; if (!strcmp(optstate->value, "server")) { @@ -2108,6 +2136,7 @@ done: PORT_Free(pwdata.data); PORT_Free(host); PORT_Free(zeroRttData); + PORT_Free(encryptedSNIKeys); if (enabledGroups) { PORT_Free(enabledGroups); |