WiP: make it possible to set DH group id for setting CECPQ2 / 2b

Cette révision appartient à :
Henry Case 2019-07-23 18:16:52 +01:00
Parent 50b4fa4334
révision 412c2d4294
3 fichiers modifiés avec 62 ajouts et 46 suppressions

Voir le fichier

@ -126,7 +126,7 @@ conn_init(Conn *conn)
{
SSL_set_tlsext_host_name(conn->ssl, param.tls_server_name);
}
if (param.ssl_cipher_list) {
/* set order of ciphers */
int ssl_err = SSL_set_cipher_list(conn->ssl, param.ssl_cipher_list);
@ -136,6 +136,15 @@ conn_init(Conn *conn)
"core_ssl_connect: set_cipher_list returned %d\n",
ssl_err);
}
if (param.ssl_groups) {
int ssl_err = SSL_set1_curves_list(conn->ssl, param.ssl_groups);
if (DBG > 2)
fprintf(stderr,
"core_ssl_connect: set_grtou returned %d\n",
ssl_err);
}
}
#endif
}

Voir le fichier

@ -1,56 +1,56 @@
/*
* Copyright (C) 2000-2007 Hewlett-Packard Company
* Copyright (C) 2007 Ted Bullock <tbullock@comlore.com>
*
*
* This file is part of httperf, a web server performance measurment tool.
*
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at your option)
* any later version.
*
*
* In addition, as a special exception, the copyright holders give permission
* to link the code of this work with the OpenSSL project's "OpenSSL" library
* (or with modified versions of it that use the same license as the "OpenSSL"
* (or with modified versions of it that use the same license as the "OpenSSL"
* library), and distribute linked combinations including the two. You must
* obey the GNU General Public License in all respects for all of the code
* used other than "OpenSSL". If you modify this file, you may extend this
* exception to your version of the file, but you are not obligated to do so.
* If you do not wish to do so, delete this exception statement from your
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
/*
* Fundamentals:
*
*
* There are three subsystems to httperf:
*
*
* 1) The load generator which determines what URI is fetched next.
*
*
* 2) The core engine that handles the mechanics of issuing a request.
*
*
* 3) The instrumentation infrastructure that measures various aspects of the
* transaction(s).
*
* Since there is considerable potential variation in all three, it seems like
*
* Since there is considerable potential variation in all three, it seems like
* an event-based approach might be ideal in tying the three together.
* Ideally, it should be possible to write a new load generator without
* modifications to the other subsystems. Similarly, it should be possible to
* add instrumentation without requiring changes to the load generator or http
* modifications to the other subsystems. Similarly, it should be possible to
* add instrumentation without requiring changes to the load generator or http
* engine.
*
*
* Axioms: - The only point at which the client will fall back is if the
* client itself is overloaded. There is no point trying to fix up this
* case---simply declare defeat and abort the test.
* case---simply declare defeat and abort the test.
*/
#include "config.h"
@ -144,6 +144,7 @@ static struct option longopts[] = {
#ifdef HAVE_SSL
{"ssl", no_argument, &param.use_ssl, 1},
{"ssl-ciphers", required_argument, (int *) &param.ssl_cipher_list, 0},
{"ssl-groups", required_argument, (int *) &param.ssl_groups, 0},
{"tls-server-name", required_argument, (int *) &param.tls_server_name, 0},
{"ssl-no-reuse", no_argument, &param.ssl_reuse, 0},
{"ssl-certificate", required_argument, (int *) &param.ssl_cert, 0},
@ -186,6 +187,7 @@ usage(void)
"\t[--ssl-certificate file] [--ssl-key file]\n"
"\t[--ssl-ca-file file] [--ssl-ca-path path]\n"
"\t[--ssl-verify [yes|no]] [--ssl-protocol S]\n"
"\t[--ssl-groups L]\n"
#endif
"\t[--think-timeout X] [--timeout X] [--verbose] [--version]\n"
"\t[--wlog y|n,file] [--wsess N,N,X] [--wsesslog N,X,file]\n"
@ -220,7 +222,7 @@ perf_sample(struct Timer *t, Any_Type regarg)
event_signal(EV_PERF_SAMPLE, 0, callarg);
/*
* prepare for next sample interval:
* prepare for next sample interval:
*/
perf_sample_start = timer_now();
if (timer_schedule(perf_sample, regarg, RATE_INTERVAL) == NULL)
@ -261,7 +263,7 @@ main(int argc, char **argv)
/*
* This works around a bug in earlier versions of FreeBSD that cause
* non-finite IEEE arithmetic to cause SIGFPE instead of the
* non-finite arithmetic as defined by IEEE.
* non-finite arithmetic as defined by IEEE.
*/
fpsetmask(0);
#endif
@ -279,7 +281,7 @@ main(int argc, char **argv)
param.num_conns = 1;
/*
* These should be set to the minimum of 2*bandwidth*delay and the
* maximum request/reply size for single-call connections.
* maximum request/reply size for single-call connections.
*/
param.send_buffer_size = 4096;
param.recv_buffer_size = 16384;
@ -291,7 +293,7 @@ main(int argc, char **argv)
#endif
/*
* get program name:
* get program name:
*/
prog_name = strrchr(argv[0], '/');
if (prog_name)
@ -300,7 +302,7 @@ main(int argc, char **argv)
prog_name = argv[0];
/*
* process command line options:
* process command line options:
*/
while ((ch =
getopt_long(argc, argv, "d:hvVn", longopts, &longindex)) >= 0) {
@ -428,7 +430,7 @@ main(int argc, char **argv)
param.rate.mean_iat =
1 / param.rate.rate_param;
param.rate.dist = DETERMINISTIC;
} else if (flag == &param.rate.mean_iat) { /* --period
} else if (flag == &param.rate.mean_iat) { /* --period
*/
param.rate.dist = DETERMINISTIC;
if (!isdigit(*optarg))
@ -457,7 +459,7 @@ main(int argc, char **argv)
/*
* remaining params depend on selected
* distribution:
* distribution:
*/
errno = 0;
switch (param.rate.dist) {
@ -647,6 +649,8 @@ main(int argc, char **argv)
#ifdef HAVE_SSL
else if (flag == &param.ssl_cipher_list)
param.ssl_cipher_list = optarg;
else if (flag == &param.ssl_groups)
param.ssl_groups = optarg;
else if (flag == &param.ssl_cert)
param.ssl_cert = optarg;
else if (flag == &param.ssl_key)
@ -877,18 +881,18 @@ main(int argc, char **argv)
optarg = end + 1;
/*
* simulate parsing of string
* simulate parsing of string
*/
param.wsesslog.file = optarg;
if ((end = strchr(optarg, ',')) == NULL)
/*
* must be last param, position end at
* final \0
* must be last param, position end at
* final \0
*/
end = optarg + strlen(optarg);
else
/*
* terminate end of string
* terminate end of string
*/
*end++ = '\0';
optarg = end;
@ -996,7 +1000,7 @@ main(int argc, char **argv)
* Invalid or ambiguous option name or extraneous
* parameter. getopt_long () already issued an
* explanation to the user, so all we do is call it
* quites.
* quites.
*/
exit(1);
@ -1034,7 +1038,7 @@ main(int argc, char **argv)
switch (param.ssl_protocol)
{
/* 0/auto for highest available */
case 0:
case 0:
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ssl_ctx = SSL_CTX_new (TLS_client_method ()); break;
#else
@ -1043,7 +1047,7 @@ main(int argc, char **argv)
#ifndef OPENSSL_NO_SSL2
/* 2/SSLv2 */
case 2:
case 2:
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ssl_ctx = SSL_CTX_new (TLS_client_method ());
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
@ -1058,7 +1062,7 @@ main(int argc, char **argv)
#ifndef OPENSSL_NO_SSL3
/* 3/SSLv3 */
case 3:
case 3:
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ssl_ctx = SSL_CTX_new (TLS_client_method ());
SSL_CTX_set_min_proto_version(ssl_ctx, SSL3_VERSION);
@ -1069,9 +1073,9 @@ main(int argc, char **argv)
#endif
#endif
/* 4/TLSv1.0 */
case 4:
case 4:
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ssl_ctx = SSL_CTX_new (TLS_client_method ());
ssl_ctx = SSL_CTX_new (TLS_client_method ());
SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION);
break;
@ -1114,7 +1118,7 @@ main(int argc, char **argv)
#endif
}
if (!ssl_ctx) {
ERR_print_errors_fp(stderr);
exit(-1);
@ -1122,7 +1126,7 @@ main(int argc, char **argv)
memset(buf, 0, sizeof(buf));
RAND_seed(buf, sizeof(buf));
/* set server certificate verification */
if (param.ssl_verify == 1)
SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, NULL);
@ -1175,7 +1179,7 @@ main(int argc, char **argv)
"SSL certificate and key failed consistency check\n");
exit (1);
}
}
}
}
#endif
if (param.port < 0)
@ -1199,7 +1203,7 @@ main(int argc, char **argv)
gen[num_gen++] = &misc;
/*
* echo command invocation for logging purposes:
* echo command invocation for logging purposes:
*/
printf("%s", prog_name);
if (verbose)
@ -1265,7 +1269,7 @@ main(int argc, char **argv)
case DETERMINISTIC:
/*
* for backwards compatibility, continue to use
* --rate:
* --rate:
*/
printf(" --rate=%g", param.rate.rate_param);
break;
@ -1310,6 +1314,8 @@ main(int argc, char **argv)
printf(" --ssl-ciphers=%s", param.ssl_cipher_list);
if (param.tls_server_name)
printf(" --tls-server-name=%s", param.tls_server_name);
if (param.ssl_groups)
printf(" --ssl-groups=%s", param.ssl_groups);
if (!param.ssl_reuse)
printf(" --ssl-no-reuse");
if (param.ssl_cert) printf (" --ssl-cert=%s", param.ssl_cert);
@ -1345,7 +1351,7 @@ main(int argc, char **argv)
if (param.wsesslog.num_sessions) {
/*
* This overrides any --wsess, --num-conns, --num-calls,
* --burst-length and any uri generator
* --burst-length and any uri generator
*/
printf(" --wsesslog=%u,%.3f,%s", param.wsesslog.num_sessions,
param.wsesslog.think_time, param.wsesslog.file);
@ -1390,12 +1396,12 @@ main(int argc, char **argv)
/*
* Update `now'. This is to keep things accurate even when some of
* the initialization routines take a long time to execute.
* the initialization routines take a long time to execute.
*/
timer_now_forced();
/*
* ensure that clients sample rates at different times:
* ensure that clients sample rates at different times:
*/
t = (param.client.id + 1.0) * RATE_INTERVAL / param.client.num_clients;
arg.l = 0;

Voir le fichier

@ -9,7 +9,7 @@
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.
In addition, as a special exception, the copyright holders give
permission to link the code of this work with the OpenSSL project's
"OpenSSL" library (or with modified versions of it that use the same
@ -27,7 +27,7 @@
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA
*/
@ -127,6 +127,7 @@ typedef struct Cmdline_Params
const char *ssl_key; /* client key file name */
const char *ssl_ca_file; /* certificate authority file */
const char *ssl_ca_path; /* certificate authority path */
const char *ssl_groups; /* client's list of SSL key exchange algorithms */
#endif
int use_timer_cache;
const char *additional_header; /* additional request header(s) */