mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 305147: add -B (bypass SSL) and -s (disable SSL locking) to server and client commands; add bypass testing to SSL test suite.

This commit is contained in:
saul.edwards%sun.com 2005-09-09 04:50:07 +00:00
Родитель 4b56704437
Коммит d016e006b8
4 изменённых файлов: 147 добавлений и 36 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

28
security/nss/cmd/selfserv/selfserv.c
Просмотреть файл

@ -200,16 +200,17 @@ Usage(const char *progName)
{
fprintf(stderr,
"Usage: %s -n rsa_nickname -p port [-3DNRSTbmrvx] [-w password] [-t threads]\n"
"Usage: %s -n rsa_nickname -p port [-3BDENRSTblmrsvx] [-w password] [-t threads]\n"
#ifdef NSS_ENABLE_ECC
" [-i pid_file] [-c ciphers] [-d dbdir] [-e ec_nickname] \n"
" [-f fortezza_nickname] [-L [seconds]] [-M maxProcs] [-l] [-P dbprefix]\n"
" [-f fortezza_nickname] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
#else
" [-i pid_file] [-c ciphers] [-d dbdir] [-f fortezza_nickname] \n"
" [-L [seconds]] [-M maxProcs] [-l] [-P dbprefix]\n"
" [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
#endif /* NSS_ENABLE_ECC */
"-S means disable SSL v2\n"
"-3 means disable SSL v3\n"
"-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
"-D means disable Nagle delays in TCP\n"
"-E means disable export ciphersuites and SSL step down key gen\n"
"-T means disable TLS\n"
@ -221,6 +222,7 @@ Usage(const char *progName)
" 2 -r's mean request and require, cert on initial handshake.\n"
" 3 -r's mean request, not require, cert on second handshake.\n"
" 4 -r's mean request and require, cert on second handshake.\n"
"-s means disable SSL socket locking for performance\n"
"-v means verbose output\n"
"-x means use export policy.\n"
"-L seconds means log statistics every 'seconds' seconds (default=30).\n"
@ -687,6 +689,8 @@ PRBool disableRollBack = PR_FALSE;
PRBool NoReuse = PR_FALSE;
PRBool hasSidCache = PR_FALSE;
PRBool disableStepDown = PR_FALSE;
PRBool bypassPKCS11 = PR_FALSE;
PRBool disableLocking = PR_FALSE;
static const char stopCmd[] = { "GET /stop " };
static const char getCmd[] = { "GET " };
@ -1405,6 +1409,18 @@ server_main(
errExit("error disabling SSL StepDown ");
}
}
if (bypassPKCS11) {
rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
if (rv != SECSuccess) {
errExit("error enabling PKCS11 bypass ");
}
}
if (disableLocking) {
rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, PR_TRUE);
if (rv != SECSuccess) {
errExit("error disabling SSL socket locking ");
}
}
for (kea = kt_rsa; kea < kt_kea_size; kea++) {
if (cert[kea] != NULL) {
@ -1647,7 +1663,7 @@ main(int argc, char **argv)
** numbers, then capital letters, then lower case, alphabetical.
*/
optstate = PL_CreateOptState(argc, argv,
"2:3DEL:M:NP:RSTbc:d:e:f:hi:lmn:op:rt:vw:xy");
"2:3BDEL:M:NP:RSTbc:d:e:f:hi:lmn:op:rst:vw:xy");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch(optstate->option) {
@ -1655,6 +1671,8 @@ main(int argc, char **argv)
case '3': disableSSL3 = PR_TRUE; break;
case 'B': bypassPKCS11 = PR_TRUE; break;
case 'D': noDelay = PR_TRUE; break;
case 'E': disableStepDown = PR_TRUE; break;
@ -1712,6 +1730,8 @@ main(int argc, char **argv)
case 'r': ++requestCert; break;
case 's': disableLocking = PR_TRUE; break;
case 't':
maxThreads = PORT_Atoi(optstate->value);
if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;

32
security/nss/cmd/strsclnt/strsclnt.c
Просмотреть файл

@ -176,6 +176,8 @@ static SSL3Statistics * ssl3stats;
static int failed_already = 0;
static PRBool disableSSL3 = PR_FALSE;
static PRBool disableTLS = PR_FALSE;
static PRBool bypassPKCS11 = PR_FALSE;
static PRBool disableLocking = PR_FALSE;
char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
@ -201,19 +203,21 @@ Usage(const char *progName)
{
fprintf(stderr,
"Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
" [-3DTovq] [-2 filename] [-P fullhandshakespercentage | -N]\n"
" [-3BDNTovqs] [-2 filename] [-P fullhandshakespercentage | -N]\n"
" [-w dbpasswd] [-C cipher(s)] [-t threads] hostname\n"
" where -v means verbose\n"
" -o flag is interpreted as follows:\n"
" 1 -o means override the result of server certificate validation.\n"
" 2 -o's mean skip server certificate validation altogether.\n"
" -3 means disable SSL3\n"
" -D means no TCP delays\n"
" -q means quit when server gone (timeout rather than retry forever)\n"
" -s means disable SSL socket locking\n"
" -N means no session reuse\n"
" -P means do a specified percentage of full handshakes (0-100)\n"
" -P means do a specified percentage of full handshakes (0-100)\n"
" -3 means disable SSL3\n"
" -T means disable TLS\n"
" -U means enable throttling up threads\n",
" -U means enable throttling up threads\n"
" -B bypasses the PKCS11 layer for SSL encryption and MACing\n",
progName);
exit(1);
}
@ -1199,6 +1203,20 @@ client_main(
}
}
if (bypassPKCS11) {
rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, 1);
if (rv < 0) {
errExit("SSL_OptionSet SSL_BYPASS_PKCS11");
}
}
if (disableLocking) {
rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, 1);
if (rv < 0) {
errExit("SSL_OptionSet SSL_NO_LOCKS");
}
}
SSL_SetURL(model_sock, hostName);
SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate,
@ -1305,7 +1323,7 @@ main(int argc, char **argv)
progName = progName ? progName + 1 : tmp;
optstate = PL_CreateOptState(argc, argv, "2:3C:DNP:TUc:d:n:op:qt:vw:");
optstate = PL_CreateOptState(argc, argv, "2:3BC:DNP:TUc:d:n:op:qst:vw:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch(optstate->option) {
@ -1313,6 +1331,8 @@ main(int argc, char **argv)
case '3': disableSSL3 = PR_TRUE; break;
case 'B': bypassPKCS11 = PR_TRUE; break;
case 'C': cipherString = optstate->value; break;
case 'D': NoDelay = PR_TRUE; break;
@ -1337,6 +1357,8 @@ main(int argc, char **argv)
case 'q': QuitOnTimeout = PR_TRUE; break;
case 's': disableLocking = PR_TRUE; break;
case 't':
tmpInt = PORT_Atoi(optstate->value);
if (tmpInt > 0 && tmpInt < MAX_THREADS)

28
security/nss/cmd/tstclnt/tstclnt.c
Просмотреть файл

@ -214,7 +214,7 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
static void Usage(const char *progName)
{
fprintf(stderr,
"Usage: %s -h host [-p port] [-d certdir] [-n nickname] [-23Tfovx] \n"
"Usage: %s -h host [-p port] [-d certdir] [-n nickname] [-23BTfosvx] \n"
" [-c ciphers] [-w passwd] [-q]\n", progName);
fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
@ -223,11 +223,14 @@ static void Usage(const char *progName)
"-d certdir");
fprintf(stderr, "%-20s Nickname of key and cert for client auth\n",
"-n nickname");
fprintf(stderr,
"%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
fprintf(stderr, "%-20s Disable SSL v2.\n", "-2");
fprintf(stderr, "%-20s Disable SSL v3.\n", "-3");
fprintf(stderr, "%-20s Disable TLS (SSL v3.1).\n", "-T");
fprintf(stderr, "%-20s Client speaks first. \n", "-f");
fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
fprintf(stderr, "%-20s Use export policy.\n", "-x");
fprintf(stderr, "%-20s Ping the server and then exit.\n", "-q");
@ -448,6 +451,8 @@ int main(int argc, char **argv)
int disableSSL2 = 0;
int disableSSL3 = 0;
int disableTLS = 0;
int bypassPKCS11 = 0;
int disableLocking = 0;
int useExportPolicy = 0;
PRSocketOptionData opt;
PRNetAddr addr;
@ -466,7 +471,7 @@ int main(int argc, char **argv)
progName = strrchr(argv[0], '\\');
progName = progName ? progName+1 : argv[0];
optstate = PL_CreateOptState(argc, argv, "23Tfc:h:p:d:m:n:oqvw:x");
optstate = PL_CreateOptState(argc, argv, "23BTfc:h:p:d:m:n:oqsvw:x");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@ -476,6 +481,8 @@ int main(int argc, char **argv)
case '3': disableSSL3 = 1; break;
case 'B': bypassPKCS11 = 1; break;
case 'T': disableTLS = 1; break;
case 'c': cipherString = strdup(optstate->value); break;
@ -503,6 +510,8 @@ int main(int argc, char **argv)
case 'q': pingServerFirst = PR_TRUE; break;
case 's': disableLocking = 1; break;
case 'v': verbose++; break;
case 'w':
@ -703,6 +712,21 @@ int main(int argc, char **argv)
return 1;
}
/* enable PKCS11 bypass */
rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error enabling PKCS11 bypass");
return 1;
}
/* disable SSL socket locking */
rv = SSL_OptionSet(s, SSL_NO_LOCKS, disableLocking);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error disabling SSL socket locking");
return 1;
}
if (useCommandLinePassword) {
SSL_SetPKCS11PinArg(s, password);
}

95
security/nss/tests/ssl/ssl.sh
Просмотреть файл

@ -136,15 +136,17 @@ is_selfserv_alive()
########################################################################
wait_for_selfserv()
{
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
#echo "tstclnt -q started at `date`"
tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
if [ $? -ne 0 ]; then
html_failed "<TR><TD> Wait for Server "
echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
elif [ sparam = "-c ABCDEFabcdefghijklmnvy" ] ; then # "$1" = "cov" ] ; then
html_passed "<TR><TD> Wait for Server"
fi
@ -187,15 +189,15 @@ start_selfserv()
echo "$SCRIPTNAME: $testname ----"
fi
sparam=`echo $sparam | sed -e 's;_; ;g'`
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \\"
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
echo "selfserv started at `date`"
if [ ${fileout} -eq 1 ]; then
selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-w nss ${sparam} -i ${R_SERVERPID} $verbose \
> ${SERVEROUTFILE} 2>&1 &
else
selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-w nss ${sparam} -i ${R_SERVERPID} $verbose &
fi
# The PID $! returned by the MKS or Cygwin shell is not the PID of
@ -219,7 +221,7 @@ start_selfserv()
########################################################################
ssl_cov()
{
html_head "SSL Cipher Coverage $NORM_EXT"
html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING"
testname=""
sparam="-c ABCDEFabcdefghijklmnvyz"
@ -231,7 +233,7 @@ ssl_cov()
do
p=`echo "$testname" | sed -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS
if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
elif [ "$tls" != "#" ] ; then
echo "$SCRIPTNAME: running $testname ----------------------------"
@ -241,11 +243,11 @@ ssl_cov()
fi
is_selfserv_alive
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\"
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} \\"
echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \
tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} -f \
-d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
@ -264,7 +266,7 @@ ssl_cov()
########################################################################
ssl_auth()
{
html_head "SSL Client Authentication $NORM_EXT"
html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING"
while read value sparam cparam testname
do
@ -272,10 +274,10 @@ ssl_auth()
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
start_selfserv
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\"
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} \\"
echo " ${cparam} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
-d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
@ -297,12 +299,12 @@ ssl_auth()
########################################################################
ssl_stress()
{
html_head "SSL Stress Test $NORM_EXT"
html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING"
while read value sparam cparam testname
do
p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS
if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
elif [ $value != "#" ]; then
cparam=`echo $cparam | sed -e 's;_; ;g'`
@ -312,10 +314,10 @@ ssl_stress()
ps -ef | grep selfserv
fi
echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \\"
echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
echo " $verbose ${HOSTADDR}"
echo "strsclnt started at `date`"
strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \
strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
$verbose ${HOSTADDR}
ret=$?
echo "strsclnt completed at `date`"
@ -610,16 +612,16 @@ ssl_cleanup()
. common/cleanup.sh
}
################## main #################################################
#this script may be sourced from the distributed stress test - in this case do nothing...
if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
############################## ssl_run ### #############################
# local shell function to run both standard and extended ssl tests
########################################################################
ssl_run()
{
ssl_init
ssl_cov
ssl_auth
ssl_crl_ssl
ssl_crl_cache
ssl_stress
SERVERDIR=$EXT_SERVERDIR
@ -629,10 +631,53 @@ if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
P_R_SERVERDIR=$P_R_EXT_SERVERDIR
P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
USER_NICKNAME=ExtendedSSLUser
NORM_EXT="Extended test"
NORM_EXT="Extended Test"
cd ${CLIENTDIR}
ssl_cov
ssl_auth
ssl_stress
# the next round off ssl tests will only run if these vars are reset
SERVERDIR=$ORIG_SERVERDIR
CLIENTDIR=$ORIG_CLIENTDIR
R_SERVERDIR=$ORIG_R_SERVERDIR
R_CLIENTDIR=$ORIG_R_CLIENTDIR
P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
USER_NICKNAME=TestUser
NORM_EXT=
cd ${QADIR}/ssl
ssl_cleanup
}
################## main #################################################
#this script may be sourced from the distributed stress test - in this case do nothing...
if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
ssl_init
# save the directories as setup by init.sh
ORIG_SERVERDIR=$SERVERDIR
ORIG_CLIENTDIR=$CLIENTDIR
ORIG_R_SERVERDIR=$R_SERVERDIR
ORIG_R_CLIENTDIR=$R_CLIENTDIR
ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
ssl_crl_ssl
ssl_crl_cache
ssl_cleanup
# Test all combinations of server bypass and client bypass
CLIENT_OPTIONS="-B -s"
SERVER_OPTIONS=""
BYPASS_STRING="Client Bypass"
ssl_run
SERVER_OPTIONS="-B -s"
CLIENT_OPTIONS=""
BYPASS_STRING="Server Bypass"
ssl_run
fi