diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index c936e71c828d..b7e4b99c3d94 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -200,16 +200,17 @@ Usage(const char *progName)
 {
 fprintf(stderr,
-"Usage: %s -n rsa_nickname -p port [-3DNRSTbmrvx] [-w password] [-t threads]\n"
+"Usage: %s -n rsa_nickname -p port [-3BDENRSTblmrsvx] [-w password] [-t threads]\n"
 #ifdef NSS_ENABLE_ECC
 " [-i pid_file] [-c ciphers] [-d dbdir] [-e ec_nickname] \n"
-" [-f fortezza_nickname] [-L [seconds]] [-M maxProcs] [-l] [-P dbprefix]\n"
+" [-f fortezza_nickname] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
 #else
 " [-i pid_file] [-c ciphers] [-d dbdir] [-f fortezza_nickname] \n"
-" [-L [seconds]] [-M maxProcs] [-l] [-P dbprefix]\n"
+" [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
 #endif /* NSS_ENABLE_ECC */
 "-S means disable SSL v2\n"
 "-3 means disable SSL v3\n"
+"-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
 "-D means disable Nagle delays in TCP\n"
 "-E means disable export ciphersuites and SSL step down key gen\n"
 "-T means disable TLS\n"
@@ -221,6 +222,7 @@ Usage(const char *progName)
 " 2 -r's mean request and require, cert on initial handshake.\n"
 " 3 -r's mean request, not require, cert on second handshake.\n"
 " 4 -r's mean request and require, cert on second handshake.\n"
+"-s means disable SSL socket locking for performance\n"
 "-v means verbose output\n"
 "-x means use export policy.\n"
 "-L seconds means log statistics every 'seconds' seconds (default=30).\n"
@@ -687,6 +689,8 @@ PRBool disableRollBack = PR_FALSE;
 PRBool NoReuse = PR_FALSE;
 PRBool hasSidCache = PR_FALSE;
 PRBool disableStepDown = PR_FALSE;
+PRBool bypassPKCS11 = PR_FALSE;
+PRBool disableLocking = PR_FALSE;
 static const char stopCmd[] = { "GET /stop " };
 static const char getCmd[] = { "GET " };
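Review bot: The new usage text for `-B` in the -200 hunk does not tell the operator what the bypass costs: by its own wording the SSL encryption and MAC work no longer goes through the PKCS11 layer, which presumably means the record-layer keys are handled by the application itself rather than by the token, and that is exactly what someone running selfserv against a FIPS-style module needs to know before enabling it. I would extend the string to `"-B bypasses the PKCS11 layer for SSL encryption and MACing (keys handled in-process; for testing only)\n"`. Likewise the `-s` line in the -221 hunk presents lock removal purely as a performance knob; since selfserv is started with `-t threads`, a clause such as `(only safe when no socket is used by more than one thread)` would record the invariant the option depends on. Usage() begins and ends outside these hunks.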
@@ -1405,6 +1409,18 @@ server_main(
 errExit("error disabling SSL StepDown ");
 }
 }
+ if (bypassPKCS11) {
+ rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
+ if (rv != SECSuccess) {
+ errExit("error enabling PKCS11 bypass ");
+ }
+ }
+ if (disableLocking) {
+ rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, PR_TRUE);
+ if (rv != SECSuccess) {
+ errExit("error disabling SSL socket locking ");
+ }
+ }
 for (kea = kt_rsa; kea < kt_kea_size; kea++) {
 if (cert[kea] != NULL) {
@@ -1647,7 +1663,7 @@ main(int argc, char **argv)
 ** numbers, then capital letters, then lower case, alphabetical.
 */
 optstate = PL_CreateOptState(argc, argv,
- "2:3DEL:M:NP:RSTbc:d:e:f:hi:lmn:op:rt:vw:xy");
+ "2:3BDEL:M:NP:RSTbc:d:e:f:hi:lmn:op:rst:vw:xy");
 while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 ++optionsFound;
 switch(optstate->option) {
@@ -1655,6 +1671,8 @@ main(int argc, char **argv)
 case '3': disableSSL3 = PR_TRUE; break;
+ case 'B': bypassPKCS11 = PR_TRUE; break;
+
 case 'D': noDelay = PR_TRUE; break;
 case 'E': disableStepDown = PR_TRUE; break;
@@ -1712,6 +1730,8 @@ main(int argc, char **argv)
 case 'r': ++requestCert; break;
+ case 's': disableLocking = PR_TRUE; break;
+
 case 't':
 maxThreads = PORT_Atoi(optstate->value);
 if ( maxThreads > MAX_THREADS )
 maxThreads = MAX_THREADS;
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index 6399f2438fbe..d0c91d551eb8 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -176,6 +176,8 @@ static SSL3Statistics * ssl3stats;
 static int failed_already = 0;
 static PRBool disableSSL3 = PR_FALSE;
 static PRBool disableTLS = PR_FALSE;
+static PRBool bypassPKCS11 = PR_FALSE;
+static PRBool disableLocking = PR_FALSE;
 char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
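Review bot: In the server_main hunk `SSL_NO_LOCKS` is set on `model_sock`, from which, presumably, every accepted connection inherits it, yet this server is run with `-t threads`; turning the per-socket locks off is only sound if no SSL socket is ever touched by two threads concurrently, and nothing in the hunk records that invariant. A one-line comment above the `disableLocking` block would keep the next maintainer from introducing a data race, e.g. `/* -s: safe only because each accepted socket is serviced by exactly one thread */` — confirm the thread model actually guarantees this before relying on it. The same pair of blocks appears in strsclnt with a different success test; the `rv != SECSuccess` form used here is the one both tools should share. server_main starts and ends outside this hunk.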
@@ -201,19 +203,21 @@ Usage(const char *progName)
 {
 fprintf(stderr,
 "Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
- " [-3DTovq] [-2 filename] [-P fullhandshakespercentage | -N]\n"
+ " [-3BDNTovqs] [-2 filename] [-P fullhandshakespercentage | -N]\n"
 " [-w dbpasswd] [-C cipher(s)] [-t threads] hostname\n"
 " where -v means verbose\n"
 " -o flag is interpreted as follows:\n"
 " 1 -o means override the result of server certificate validation.\n"
 " 2 -o's mean skip server certificate validation altogether.\n"
- " -3 means disable SSL3\n"
 " -D means no TCP delays\n"
 " -q means quit when server gone (timeout rather than retry forever)\n"
+ " -s means disable SSL socket locking\n"
 " -N means no session reuse\n"
- " -P means do a specified percentage of full handshakes (0-100)\n"
+ " -P means do a specified percentage of full handshakes (0-100)\n"
+ " -3 means disable SSL3\n"
 " -T means disable TLS\n"
- " -U means enable throttling up threads\n",
+ " -U means enable throttling up threads\n"
+ " -B bypasses the PKCS11 layer for SSL encryption and MACing\n",
 progName);
 exit(1);
 }
@@ -1199,6 +1203,20 @@ client_main(
 }
 }
+ if (bypassPKCS11) {
+ rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, 1);
+ if (rv < 0) {
+ errExit("SSL_OptionSet SSL_BYPASS_PKCS11");
+ }
+ }
+
+ if (disableLocking) {
+ rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, 1);
+ if (rv < 0) {
+ errExit("SSL_OptionSet SSL_NO_LOCKS");
+ }
+ }
+
 SSL_SetURL(model_sock, hostName);
 SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate,
@@ -1305,7 +1323,7 @@ main(int argc, char **argv)
 progName = progName ? progName + 1 : tmp;
- optstate = PL_CreateOptState(argc, argv, "2:3C:DNP:TUc:d:n:op:qt:vw:");
+ optstate = PL_CreateOptState(argc, argv, "2:3BC:DNP:TUc:d:n:op:qst:vw:");
 while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 switch(optstate->option) {
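Review bot: The two new checks in the client_main hunk test `rv < 0`, whereas the selfserv and tstclnt changes in this same commit compare against `SECSuccess`; with `SECFailure` being -1 the test happens to work, but a reader has to know the enum's values to see that it is correct, and the inconsistency invites a copy-paste slip later. I would write `if (rv != SECSuccess) {` in both places and pass `PR_TRUE` rather than a bare `1` to `SSL_OptionSet`, matching the server side. client_main starts and ends outside this hunk.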
@@ -1313,6 +1331,8 @@ main(int argc, char **argv)
 case '3': disableSSL3 = PR_TRUE; break;
+ case 'B': bypassPKCS11 = PR_TRUE; break;
+
 case 'C': cipherString = optstate->value; break;
 case 'D': NoDelay = PR_TRUE; break;
@@ -1337,6 +1357,8 @@ main(int argc, char **argv)
 case 'q': QuitOnTimeout = PR_TRUE; break;
+ case 's': disableLocking = PR_TRUE; break;
+
 case 't':
 tmpInt = PORT_Atoi(optstate->value);
 if (tmpInt > 0 && tmpInt < MAX_THREADS)
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index af03c42b6a82..f4e337a48140 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -214,7 +214,7 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
 static void Usage(const char *progName)
 {
 fprintf(stderr,
-"Usage: %s -h host [-p port] [-d certdir] [-n nickname] [-23Tfovx] \n"
+"Usage: %s -h host [-p port] [-d certdir] [-n nickname] [-23BTfosvx] \n"
 " [-c ciphers] [-w passwd] [-q]\n", progName);
 fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
 fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
@@ -223,11 +223,14 @@ static void Usage(const char *progName)
 "-d certdir");
 fprintf(stderr, "%-20s Nickname of key and cert for client auth\n",
 "-n nickname");
+ fprintf(stderr,
+ "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
 fprintf(stderr, "%-20s Disable SSL v2.\n", "-2");
 fprintf(stderr, "%-20s Disable SSL v3.\n", "-3");
 fprintf(stderr, "%-20s Disable TLS (SSL v3.1).\n", "-T");
 fprintf(stderr, "%-20s Client speaks first. \n", "-f");
 fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
+ fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
 fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
 fprintf(stderr, "%-20s Use export policy.\n", "-x");
 fprintf(stderr, "%-20s Ping the server and then exit.\n", "-q");
@@ -448,6 +451,8 @@ int main(int argc, char **argv)
 int disableSSL2 = 0;
 int disableSSL3 = 0;
 int disableTLS = 0;
+ int bypassPKCS11 = 0;
+ int disableLocking = 0;
 int useExportPolicy = 0;
 PRSocketOptionData opt;
 PRNetAddr addr;
@@ -466,7 +471,7 @@ int main(int argc, char **argv)
 progName = strrchr(argv[0], '\\');
 progName = progName ? progName+1 : argv[0];
- optstate = PL_CreateOptState(argc, argv, "23Tfc:h:p:d:m:n:oqvw:x");
+ optstate = PL_CreateOptState(argc, argv, "23BTfc:h:p:d:m:n:oqsvw:x");
 while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 switch (optstate->option) {
 case '?':
@@ -476,6 +481,8 @@ int main(int argc, char **argv)
 case '3': disableSSL3 = 1; break;
+ case 'B': bypassPKCS11 = 1; break;
+
 case 'T': disableTLS = 1; break;
 case 'c': cipherString = strdup(optstate->value); break;
@@ -503,6 +510,8 @@ int main(int argc, char **argv)
 case 'q': pingServerFirst = PR_TRUE; break;
+ case 's': disableLocking = 1; break;
+
 case 'v': verbose++; break;
 case 'w':
@@ -703,6 +712,21 @@ int main(int argc, char **argv)
 return 1;
 }
+ /* enable PKCS11 bypass */
+ rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling PKCS11 bypass");
+ return 1;
+ }
+
+ /* disable SSL socket locking */
+ rv = SSL_OptionSet(s, SSL_NO_LOCKS, disableLocking);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error disabling SSL socket locking");
+ return 1;
+ }
+
+
 if (useCommandLinePassword) {
 SSL_SetPKCS11PinArg(s, password);
 }
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
index 9ee3632f28b2..1ad1ca84322b 100755
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
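Review bot: In the -703 hunk both `SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11)` and the `SSL_NO_LOCKS` call run unconditionally, unlike selfserv and strsclnt in this same commit, which only touch the option when the flag was given; if the library rejects the option for any reason (a build without bypass support, for instance — I cannot confirm from here how `SSL_OptionSet` behaves in that case) tstclnt now exits with an error for a user who never asked for `-B` or `-s`. Guarding each call keeps the default path byte-for-byte what it was: `if (bypassPKCS11) { rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, PR_TRUE); ... }` and the same for `disableLocking`. The comments `/* enable PKCS11 bypass */` and `/* disable SSL socket locking */` would then also be accurate, since today they describe an action that is usually a no-op. main continues outside the hunk.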
@@ -136,15 +136,17 @@ is_selfserv_alive()
 ########################################################################
 wait_for_selfserv()
 {
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
 echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
 #echo "tstclnt -q started at `date`"
- tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+ tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
 if [ $? -ne 0 ]; then
 html_failed " Wait for Server "
- echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
+ echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
 echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
- tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+ tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
 elif [ sparam = "-c ABCDEFabcdefghijklmnvy" ] ; then # "$1" = "cov" ] ; then
 html_passed " Wait for Server"
 fi
@@ -187,15 +189,15 @@ start_selfserv()
 echo "$SCRIPTNAME: $testname ----"
 fi
 sparam=`echo $sparam | sed -e 's;_; ;g'`
- echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \\"
+ echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
 echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
 echo "selfserv started at `date`"
 if [ ${fileout} -eq 1 ]; then
- selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
+ selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
 -w nss ${sparam} -i ${R_SERVERPID} $verbose \
 > ${SERVEROUTFILE} 2>&1 &
 else
- selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
+ selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
 -w nss ${sparam} -i ${R_SERVERPID} $verbose &
 fi
 # The PID $! returned by the MKS or Cygwin shell is not the PID of
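Review bot: The `elif [ sparam = "-c ABCDEFabcdefghijklmnvy" ] ; then` branch that the wait_for_selfserv hunk keeps as context compares the literal word `sparam`, not `$sparam`, so `html_passed " Wait for Server"` can never be reached; since this hunk rewrites both tstclnt invocations around it, it is the natural moment to make it `elif [ "$sparam" = "-c ABCDEFabcdefghijklmnvy" ] ; then` — though note the value it matches also differs from the `sparam` ssl_cov sets (`...vyz`), so the intended condition needs confirming before the fix is applied. Separately, `${CLIENT_OPTIONS}` and `${SERVER_OPTIONS}` are deliberately left unquoted so that `-B -s` splits into two arguments; a short comment at their first use, e.g. `# CLIENT_OPTIONS is intentionally unquoted: it may hold several flags`, would keep a later quoting cleanup from silently breaking the bypass runs.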
@@ -219,7 +221,7 @@ start_selfserv()
 ########################################################################
 ssl_cov()
 {
- html_head "SSL Cipher Coverage $NORM_EXT"
+ html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING"
 testname=""
 sparam="-c ABCDEFabcdefghijklmnvyz"
@@ -231,7 +233,7 @@ ssl_cov()
 do
 p=`echo "$testname" | sed -e "s/ .*//"`
 #sonmi, only run extended test on SSL3 and TLS
- if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
+ if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
 elif [ "$tls" != "#" ] ; then
 echo "$SCRIPTNAME: running $testname ----------------------------"
@@ -241,11 +243,11 @@ ssl_cov()
 fi
 is_selfserv_alive
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} \\"
 echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \
+ tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} -f \
 -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
 >${TMP}/$HOST.tmp.$$ 2>&1
 ret=$?
@@ -264,7 +266,7 @@ ssl_cov()
 ########################################################################
 ssl_auth()
 {
- html_head "SSL Client Authentication $NORM_EXT"
+ html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING"
 while read value sparam cparam testname
 do
@@ -272,10 +274,10 @@ ssl_auth()
 cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 start_selfserv
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} \\"
 echo " ${cparam} < ${REQUEST_FILE}"
 rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
 -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
 >${TMP}/$HOST.tmp.$$ 2>&1
 ret=$?
@@ -297,12 +299,12 @@ ssl_auth()
 ########################################################################
 ssl_stress()
 {
- html_head "SSL Stress Test $NORM_EXT"
+ html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING"
 while read value sparam cparam testname
 do
 p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"`
 #sonmi, only run extended test on SSL3 and TLS
- if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
+ if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
 echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
 elif [ $value != "#" ]; then
 cparam=`echo $cparam | sed -e 's;_; ;g'`
@@ -312,10 +314,10 @@ ssl_stress()
 ps -ef | grep selfserv
 fi
- echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \\"
+ echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
 echo " $verbose ${HOSTADDR}"
 echo "strsclnt started at `date`"
- strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \
+ strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
 $verbose ${HOSTADDR}
 ret=$?
 echo "strsclnt completed at `date`"
@@ -610,16 +612,16 @@ ssl_cleanup()
 . common/cleanup.sh
 }
-################## main #################################################
-#this script may be sourced from the distributed stress test - in this case do nothing...
-
-if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
+############################## ssl_run ### #############################
+# local shell function to run both standard and extended ssl tests
+########################################################################
+ssl_run()
+{
 ssl_init
+
 ssl_cov
 ssl_auth
- ssl_crl_ssl
- ssl_crl_cache
 ssl_stress
 SERVERDIR=$EXT_SERVERDIR
@@ -629,10 +631,53 @@ if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
 P_R_SERVERDIR=$P_R_EXT_SERVERDIR
 P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
 USER_NICKNAME=ExtendedSSLUser
- NORM_EXT="Extended test"
+ NORM_EXT="Extended Test"
 cd ${CLIENTDIR}
 ssl_cov
 ssl_auth
 ssl_stress
+
+ # the next round off ssl tests will only run if these vars are reset
+ SERVERDIR=$ORIG_SERVERDIR
+ CLIENTDIR=$ORIG_CLIENTDIR
+ R_SERVERDIR=$ORIG_R_SERVERDIR
+ R_CLIENTDIR=$ORIG_R_CLIENTDIR
+ P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
+ P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
+ USER_NICKNAME=TestUser
+ NORM_EXT=
+
 cd ${QADIR}/ssl
 ssl_cleanup
+}
+
+################## main #################################################
+
+#this script may be sourced from the distributed stress test - in this case do nothing...
+
+if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
+
+ ssl_init
+
+ # save the directories as setup by init.sh
+ ORIG_SERVERDIR=$SERVERDIR
+ ORIG_CLIENTDIR=$CLIENTDIR
+ ORIG_R_SERVERDIR=$R_SERVERDIR
+ ORIG_R_CLIENTDIR=$R_CLIENTDIR
+ ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
+ ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
+
+ ssl_crl_ssl
+ ssl_crl_cache
+ ssl_cleanup
+
+ # Test all combinations of server bypass and client bypass
+ CLIENT_OPTIONS="-B -s"
+ SERVER_OPTIONS=""
+ BYPASS_STRING="Client Bypass"
+ ssl_run
+ SERVER_OPTIONS="-B -s"
+ CLIENT_OPTIONS=""
+ BYPASS_STRING="Server Bypass"
+ ssl_run
+
 fi
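Review bot: The new main in the -629 hunk invokes ssl_run only for the client-bypass and server-bypass combinations, so the plain PKCS11 path on both ends — the configuration ssl_cov, ssl_auth and ssl_stress exercised before this change, and the one a FIPS-mode deployment actually runs — is no longer covered by those suites, and bypass on both ends is not exercised either, even though the comment promises "all combinations". I would add the two missing runs, as below, with `BYPASS_STRING` values that keep the report headings distinct. In the same hunk the comment `# the next round off ssl tests will only run if these vars are reset` should read `round of`. The enclosing `if` is closed by the `fi` at the end of the hunk.

```shell
    # Test all combinations of server bypass and client bypass
    CLIENT_OPTIONS=""
    SERVER_OPTIONS=""
    BYPASS_STRING="No Bypass"
    ssl_run
    # … unchanged: Client Bypass and Server Bypass runs …
    CLIENT_OPTIONS="-B -s"
    SERVER_OPTIONS="-B -s"
    BYPASS_STRING="Client and Server Bypass"
    ssl_run
```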