Add renegotiation_info and SCSV support

This commit is contained in:
Zhi Guan
2026-06-11 23:46:16 +08:00
parent 6ff18acae3
commit 0c974eaa25
4 changed files with 204 additions and 1 deletions


@@ -40,6 +40,9 @@ static const char *help =
" -pass str Password to decrypt private key\n"
" -client_cert_optional Allow client send empty Certificate\n"
" -server_name str Send server_name (SNI) request\n"
" -renegotiation_info Send renegotiation_info extension\n"
" -renegotiation_info_scsv\n"
" Send TLS_EMPTY_RENEGOTIATION_INFO_SCSV\n"
" -status_request Send status_request (OCSP Stapling) request\n"
"\n"
#include "tls12_help.h"
@@ -64,6 +67,8 @@ int tls12_client_main(int argc, char *argv[])
char *pass = NULL;
int client_cert_optional = 0;
char *server_name = NULL;
int renegotiation_info = 0;
int empty_renegotiation_info_scsv = 0;
TLS_CTX ctx;
TLS_CONNECT conn;
struct hostent *hp;
@@ -155,6 +160,10 @@ int tls12_client_main(int argc, char *argv[])
} else if (!strcmp(*argv, "-server_name")) {
if (--argc < 1) goto bad;
server_name = *(++argv);
} else if (!strcmp(*argv, "-renegotiation_info")) {
renegotiation_info = 1;
} else if (!strcmp(*argv, "-renegotiation_info_scsv")) {
empty_renegotiation_info_scsv = 1;
} else if (!strcmp(*argv, "-client_cert_optional")) {
client_cert_optional = 1;
} else {
@@ -214,6 +223,19 @@ bad:
}
}
if (renegotiation_info) {
if (tls12_ctx_set_renegotiation_info(&ctx, 1) != 1) {
error_print();
goto end;
}
}
if (empty_renegotiation_info_scsv) {
if (tls12_ctx_set_empty_renegotiation_info_scsv(&ctx, 1) != 1) {
error_print();
goto end;
}
}
if (certfile) {
if (!keyfile) {
fprintf(stderr, "%s: option '-key' missing\n", prog);
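Review bot: Both new client flags default to off (`int renegotiation_info = 0;` and `int empty_renegotiation_info_scsv = 0;` in the declarations hunk), so unless the context enables it elsewhere the default ClientHello carries neither the renegotiation_info extension nor TLS_EMPTY_RENEGOTIATION_INFO_SCSV; RFC 5746 §3.3 expects a conforming client to send one of the two in its initial handshake, and a server that enforces secure renegotiation will treat a default run of this client as a legacy peer. Consider making the extension the default, or at least stating the default in the help text, e.g. adding `"                     (neither is sent unless requested; RFC 5746 expects one)\n"` after the two new option lines. The two flags are parsed independently, which is consistent with RFC 5746 (a client may send both), so the combination need not be rejected. tls12_client_main's body, including where ctx is initialized before the two tls12_ctx_set_* calls, lies outside these hunks, so whether `goto end` always sees an initialized ctx cannot be confirmed here.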


@@ -34,6 +34,7 @@ static const char *help =
" -cacert file CA certificate for client certificate verification\n"
" -verify_depth num Certificate verification depth\n"
" -client_cert_optional Allow client send empty Certificate\n"
" -renegotiation_info Send renegotiation_info response when client supports RFC 5746\n"
"\n"
#include "tls12_help.h"
"\n";
@@ -60,6 +61,7 @@ int tls12_server_main(int argc , char **argv)
char *cacertfile = NULL;
int verify_depth = TLS_DEFAULT_VERIFY_DEPTH;
int client_cert_optional = 0;
int renegotiation_info = 0;
TLS_CTX ctx;
TLS_CONNECT conn;
char buf[1600] = {0};
@@ -165,6 +167,8 @@ int tls12_server_main(int argc , char **argv)
}
} else if (!strcmp(*argv, "-client_cert_optional")) {
client_cert_optional = 1;
} else if (!strcmp(*argv, "-renegotiation_info")) {
renegotiation_info = 1;
} else {
fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
return 1;
@@ -224,6 +228,13 @@ bad:
}
}
if (renegotiation_info) {
if (tls12_ctx_set_renegotiation_info(&ctx, 1) != 1) {
error_print();
goto end;
}
}
// Certificate
for (i = 0; i < certfiles_cnt; i++) {
if (tls_ctx_add_certificate_chain_and_key(&ctx, certfiles[i], keyfiles[i], passes[i]) != 1) {