WiP: make it possible to set DH group id for setting CECPQ2 / 2b

This commit is contained in:
Henry Case 2019-07-23 18:16:52 +01:00
parent 50b4fa4334
commit 412c2d4294
3 changed files with 62 additions and 46 deletions


@ -126,7 +126,7 @@ conn_init(Conn *conn)
{ {
SSL_set_tlsext_host_name(conn->ssl, param.tls_server_name); SSL_set_tlsext_host_name(conn->ssl, param.tls_server_name);
} }
if (param.ssl_cipher_list) { if (param.ssl_cipher_list) {
/* set order of ciphers */ /* set order of ciphers */
int ssl_err = SSL_set_cipher_list(conn->ssl, param.ssl_cipher_list); int ssl_err = SSL_set_cipher_list(conn->ssl, param.ssl_cipher_list);
@ -136,6 +136,15 @@ conn_init(Conn *conn)
"core_ssl_connect: set_cipher_list returned %d\n", "core_ssl_connect: set_cipher_list returned %d\n",
ssl_err); ssl_err);
} }
if (param.ssl_groups) {
int ssl_err = SSL_set1_curves_list(conn->ssl, param.ssl_groups);
if (DBG > 2)
fprintf(stderr,
"core_ssl_connect: set_grtou returned %d\n",
ssl_err);
}
} }
#endif #endif
} }
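Review bot: The new SSL_set1_curves_list() call at the top of the added block only reports its result when DBG > 2, so a group list the library rejects (a typo, or a name like CECPQ2 that the linked OpenSSL/BoringSSL build does not know) silently leaves the connection on the default groups and the benchmark measures the wrong key exchange. Since the whole point of `--ssl-groups` is to pin a specific group, a failed call should be fatal rather than logged: `if (SSL_set1_curves_list(conn->ssl, param.ssl_groups) != 1) { fprintf(stderr, "core_ssl_connect: SSL_set1_curves_list(\"%s\") failed\n", param.ssl_groups); exit(1); }` (or conn_init's own error return — the function starts before this hunk, so its convention is not visible here). The debug message on the fprintf line also has a typo, `set_grtou`, which should name the call, `set1_curves_list`. As far as I recall SSL_set1_curves_list only exists from OpenSSL 1.0.2 onward; this file already guards other calls with OPENSSL_VERSION_NUMBER, and this one is unguarded, so it is worth confirming the minimum version the build supports.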


@ -1,56 +1,56 @@
/* /*
* Copyright (C) 2000-2007 Hewlett-Packard Company * Copyright (C) 2000-2007 Hewlett-Packard Company
* Copyright (C) 2007 Ted Bullock <tbullock@comlore.com> * Copyright (C) 2007 Ted Bullock <tbullock@comlore.com>
* *
* This file is part of httperf, a web server performance measurment tool. * This file is part of httperf, a web server performance measurment tool.
* *
* This program is free software; you can redistribute it and/or modify it * This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free * under the terms of the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at your option) * Software Foundation; either version 2 of the License, or (at your option)
* any later version. * any later version.
* *
* In addition, as a special exception, the copyright holders give permission * In addition, as a special exception, the copyright holders give permission
* to link the code of this work with the OpenSSL project's "OpenSSL" library * to link the code of this work with the OpenSSL project's "OpenSSL" library
* (or with modified versions of it that use the same license as the "OpenSSL" * (or with modified versions of it that use the same license as the "OpenSSL"
* library), and distribute linked combinations including the two. You must * library), and distribute linked combinations including the two. You must
* obey the GNU General Public License in all respects for all of the code * obey the GNU General Public License in all respects for all of the code
* used other than "OpenSSL". If you modify this file, you may extend this * used other than "OpenSSL". If you modify this file, you may extend this
* exception to your version of the file, but you are not obligated to do so. * exception to your version of the file, but you are not obligated to do so.
* If you do not wish to do so, delete this exception statement from your * If you do not wish to do so, delete this exception statement from your
* version. * version.
* *
* This program is distributed in the hope that it will be useful, but WITHOUT * This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details. * more details.
* *
* You should have received a copy of the GNU General Public License along * You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc., 51 * with this program; if not, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/ */
/* /*
* Fundamentals: * Fundamentals:
* *
* There are three subsystems to httperf: * There are three subsystems to httperf:
* *
* 1) The load generator which determines what URI is fetched next. * 1) The load generator which determines what URI is fetched next.
* *
* 2) The core engine that handles the mechanics of issuing a request. * 2) The core engine that handles the mechanics of issuing a request.
* *
* 3) The instrumentation infrastructure that measures various aspects of the * 3) The instrumentation infrastructure that measures various aspects of the
* transaction(s). * transaction(s).
* *
* Since there is considerable potential variation in all three, it seems like * Since there is considerable potential variation in all three, it seems like
* an event-based approach might be ideal in tying the three together. * an event-based approach might be ideal in tying the three together.
* Ideally, it should be possible to write a new load generator without * Ideally, it should be possible to write a new load generator without
* modifications to the other subsystems. Similarly, it should be possible to * modifications to the other subsystems. Similarly, it should be possible to
* add instrumentation without requiring changes to the load generator or http * add instrumentation without requiring changes to the load generator or http
* engine. * engine.
* *
* Axioms: - The only point at which the client will fall back is if the * Axioms: - The only point at which the client will fall back is if the
* client itself is overloaded. There is no point trying to fix up this * client itself is overloaded. There is no point trying to fix up this
* case---simply declare defeat and abort the test. * case---simply declare defeat and abort the test.
*/ */
#include "config.h" #include "config.h"
@ -144,6 +144,7 @@ static struct option longopts[] = {
#ifdef HAVE_SSL #ifdef HAVE_SSL
{"ssl", no_argument, &param.use_ssl, 1}, {"ssl", no_argument, &param.use_ssl, 1},
{"ssl-ciphers", required_argument, (int *) &param.ssl_cipher_list, 0}, {"ssl-ciphers", required_argument, (int *) &param.ssl_cipher_list, 0},
{"ssl-groups", required_argument, (int *) &param.ssl_groups, 0},
{"tls-server-name", required_argument, (int *) &param.tls_server_name, 0}, {"tls-server-name", required_argument, (int *) &param.tls_server_name, 0},
{"ssl-no-reuse", no_argument, &param.ssl_reuse, 0}, {"ssl-no-reuse", no_argument, &param.ssl_reuse, 0},
{"ssl-certificate", required_argument, (int *) &param.ssl_cert, 0}, {"ssl-certificate", required_argument, (int *) &param.ssl_cert, 0},
@ -186,6 +187,7 @@ usage(void)
"\t[--ssl-certificate file] [--ssl-key file]\n" "\t[--ssl-certificate file] [--ssl-key file]\n"
"\t[--ssl-ca-file file] [--ssl-ca-path path]\n" "\t[--ssl-ca-file file] [--ssl-ca-path path]\n"
"\t[--ssl-verify [yes|no]] [--ssl-protocol S]\n" "\t[--ssl-verify [yes|no]] [--ssl-protocol S]\n"
"\t[--ssl-groups L]\n"
#endif #endif
"\t[--think-timeout X] [--timeout X] [--verbose] [--version]\n" "\t[--think-timeout X] [--timeout X] [--verbose] [--version]\n"
"\t[--wlog y|n,file] [--wsess N,N,X] [--wsesslog N,X,file]\n" "\t[--wlog y|n,file] [--wsess N,N,X] [--wsesslog N,X,file]\n"
@ -220,7 +222,7 @@ perf_sample(struct Timer *t, Any_Type regarg)
event_signal(EV_PERF_SAMPLE, 0, callarg); event_signal(EV_PERF_SAMPLE, 0, callarg);
/* /*
* prepare for next sample interval: * prepare for next sample interval:
*/ */
perf_sample_start = timer_now(); perf_sample_start = timer_now();
if (timer_schedule(perf_sample, regarg, RATE_INTERVAL) == NULL) if (timer_schedule(perf_sample, regarg, RATE_INTERVAL) == NULL)
@ -261,7 +263,7 @@ main(int argc, char **argv)
/* /*
* This works around a bug in earlier versions of FreeBSD that cause * This works around a bug in earlier versions of FreeBSD that cause
* non-finite IEEE arithmetic to cause SIGFPE instead of the * non-finite IEEE arithmetic to cause SIGFPE instead of the
* non-finite arithmetic as defined by IEEE. * non-finite arithmetic as defined by IEEE.
*/ */
fpsetmask(0); fpsetmask(0);
#endif #endif
@ -279,7 +281,7 @@ main(int argc, char **argv)
param.num_conns = 1; param.num_conns = 1;
/* /*
* These should be set to the minimum of 2*bandwidth*delay and the * These should be set to the minimum of 2*bandwidth*delay and the
* maximum request/reply size for single-call connections. * maximum request/reply size for single-call connections.
*/ */
param.send_buffer_size = 4096; param.send_buffer_size = 4096;
param.recv_buffer_size = 16384; param.recv_buffer_size = 16384;
@ -291,7 +293,7 @@ main(int argc, char **argv)
#endif #endif
/* /*
* get program name: * get program name:
*/ */
prog_name = strrchr(argv[0], '/'); prog_name = strrchr(argv[0], '/');
if (prog_name) if (prog_name)
@ -300,7 +302,7 @@ main(int argc, char **argv)
prog_name = argv[0]; prog_name = argv[0];
/* /*
* process command line options: * process command line options:
*/ */
while ((ch = while ((ch =
getopt_long(argc, argv, "d:hvVn", longopts, &longindex)) >= 0) { getopt_long(argc, argv, "d:hvVn", longopts, &longindex)) >= 0) {
@ -428,7 +430,7 @@ main(int argc, char **argv)
param.rate.mean_iat = param.rate.mean_iat =
1 / param.rate.rate_param; 1 / param.rate.rate_param;
param.rate.dist = DETERMINISTIC; param.rate.dist = DETERMINISTIC;
} else if (flag == &param.rate.mean_iat) { /* --period } else if (flag == &param.rate.mean_iat) { /* --period
*/ */
param.rate.dist = DETERMINISTIC; param.rate.dist = DETERMINISTIC;
if (!isdigit(*optarg)) if (!isdigit(*optarg))
@ -457,7 +459,7 @@ main(int argc, char **argv)
/* /*
* remaining params depend on selected * remaining params depend on selected
* distribution: * distribution:
*/ */
errno = 0; errno = 0;
switch (param.rate.dist) { switch (param.rate.dist) {
@ -647,6 +649,8 @@ main(int argc, char **argv)
#ifdef HAVE_SSL #ifdef HAVE_SSL
else if (flag == &param.ssl_cipher_list) else if (flag == &param.ssl_cipher_list)
param.ssl_cipher_list = optarg; param.ssl_cipher_list = optarg;
else if (flag == &param.ssl_groups)
param.ssl_groups = optarg;
else if (flag == &param.ssl_cert) else if (flag == &param.ssl_cert)
param.ssl_cert = optarg; param.ssl_cert = optarg;
else if (flag == &param.ssl_key) else if (flag == &param.ssl_key)
@ -877,18 +881,18 @@ main(int argc, char **argv)
optarg = end + 1; optarg = end + 1;
/* /*
* simulate parsing of string * simulate parsing of string
*/ */
param.wsesslog.file = optarg; param.wsesslog.file = optarg;
if ((end = strchr(optarg, ',')) == NULL) if ((end = strchr(optarg, ',')) == NULL)
/* /*
* must be last param, position end at * must be last param, position end at
* final \0 * final \0
*/ */
end = optarg + strlen(optarg); end = optarg + strlen(optarg);
else else
/* /*
* terminate end of string * terminate end of string
*/ */
*end++ = '\0'; *end++ = '\0';
optarg = end; optarg = end;
@ -996,7 +1000,7 @@ main(int argc, char **argv)
* Invalid or ambiguous option name or extraneous * Invalid or ambiguous option name or extraneous
* parameter. getopt_long () already issued an * parameter. getopt_long () already issued an
* explanation to the user, so all we do is call it * explanation to the user, so all we do is call it
* quites. * quites.
*/ */
exit(1); exit(1);
@ -1034,7 +1038,7 @@ main(int argc, char **argv)
switch (param.ssl_protocol) switch (param.ssl_protocol)
{ {
/* 0/auto for highest available */ /* 0/auto for highest available */
case 0: case 0:
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ssl_ctx = SSL_CTX_new (TLS_client_method ()); break; ssl_ctx = SSL_CTX_new (TLS_client_method ()); break;
#else #else
@ -1043,7 +1047,7 @@ main(int argc, char **argv)
#ifndef OPENSSL_NO_SSL2 #ifndef OPENSSL_NO_SSL2
/* 2/SSLv2 */ /* 2/SSLv2 */
case 2: case 2:
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ssl_ctx = SSL_CTX_new (TLS_client_method ()); ssl_ctx = SSL_CTX_new (TLS_client_method ());
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) #if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
@ -1058,7 +1062,7 @@ main(int argc, char **argv)
#ifndef OPENSSL_NO_SSL3 #ifndef OPENSSL_NO_SSL3
/* 3/SSLv3 */ /* 3/SSLv3 */
case 3: case 3:
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ssl_ctx = SSL_CTX_new (TLS_client_method ()); ssl_ctx = SSL_CTX_new (TLS_client_method ());
SSL_CTX_set_min_proto_version(ssl_ctx, SSL3_VERSION); SSL_CTX_set_min_proto_version(ssl_ctx, SSL3_VERSION);
@ -1069,9 +1073,9 @@ main(int argc, char **argv)
#endif #endif
#endif #endif
/* 4/TLSv1.0 */ /* 4/TLSv1.0 */
case 4: case 4:
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ssl_ctx = SSL_CTX_new (TLS_client_method ()); ssl_ctx = SSL_CTX_new (TLS_client_method ());
SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION); SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION); SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION);
break; break;
@ -1114,7 +1118,7 @@ main(int argc, char **argv)
#endif #endif
} }
if (!ssl_ctx) { if (!ssl_ctx) {
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
exit(-1); exit(-1);
@ -1122,7 +1126,7 @@ main(int argc, char **argv)
memset(buf, 0, sizeof(buf)); memset(buf, 0, sizeof(buf));
RAND_seed(buf, sizeof(buf)); RAND_seed(buf, sizeof(buf));
/* set server certificate verification */ /* set server certificate verification */
if (param.ssl_verify == 1) if (param.ssl_verify == 1)
SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, NULL); SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, NULL);
@ -1175,7 +1179,7 @@ main(int argc, char **argv)
"SSL certificate and key failed consistency check\n"); "SSL certificate and key failed consistency check\n");
exit (1); exit (1);
} }
} }
} }
#endif #endif
if (param.port < 0) if (param.port < 0)
@ -1199,7 +1203,7 @@ main(int argc, char **argv)
gen[num_gen++] = &misc; gen[num_gen++] = &misc;
/* /*
* echo command invocation for logging purposes: * echo command invocation for logging purposes:
*/ */
printf("%s", prog_name); printf("%s", prog_name);
if (verbose) if (verbose)
@ -1265,7 +1269,7 @@ main(int argc, char **argv)
case DETERMINISTIC: case DETERMINISTIC:
/* /*
* for backwards compatibility, continue to use * for backwards compatibility, continue to use
* --rate: * --rate:
*/ */
printf(" --rate=%g", param.rate.rate_param); printf(" --rate=%g", param.rate.rate_param);
break; break;
@ -1310,6 +1314,8 @@ main(int argc, char **argv)
printf(" --ssl-ciphers=%s", param.ssl_cipher_list); printf(" --ssl-ciphers=%s", param.ssl_cipher_list);
if (param.tls_server_name) if (param.tls_server_name)
printf(" --tls-server-name=%s", param.tls_server_name); printf(" --tls-server-name=%s", param.tls_server_name);
if (param.ssl_groups)
printf(" --ssl-groups=%s", param.ssl_groups);
if (!param.ssl_reuse) if (!param.ssl_reuse)
printf(" --ssl-no-reuse"); printf(" --ssl-no-reuse");
if (param.ssl_cert) printf (" --ssl-cert=%s", param.ssl_cert); if (param.ssl_cert) printf (" --ssl-cert=%s", param.ssl_cert);
@ -1345,7 +1351,7 @@ main(int argc, char **argv)
if (param.wsesslog.num_sessions) { if (param.wsesslog.num_sessions) {
/* /*
* This overrides any --wsess, --num-conns, --num-calls, * This overrides any --wsess, --num-conns, --num-calls,
* --burst-length and any uri generator * --burst-length and any uri generator
*/ */
printf(" --wsesslog=%u,%.3f,%s", param.wsesslog.num_sessions, printf(" --wsesslog=%u,%.3f,%s", param.wsesslog.num_sessions,
param.wsesslog.think_time, param.wsesslog.file); param.wsesslog.think_time, param.wsesslog.file);
@ -1390,12 +1396,12 @@ main(int argc, char **argv)
/* /*
* Update `now'. This is to keep things accurate even when some of * Update `now'. This is to keep things accurate even when some of
* the initialization routines take a long time to execute. * the initialization routines take a long time to execute.
*/ */
timer_now_forced(); timer_now_forced();
/* /*
* ensure that clients sample rates at different times: * ensure that clients sample rates at different times:
*/ */
t = (param.client.id + 1.0) * RATE_INTERVAL / param.client.num_clients; t = (param.client.id + 1.0) * RATE_INTERVAL / param.client.num_clients;
arg.l = 0; arg.l = 0;
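Review bot: The `--ssl-groups` value is stored verbatim in the option-parsing hunk (`param.ssl_groups = optarg;`) and never validated at startup, so a bad list is only discovered per connection in core.c, after the run has begun and only when DBG > 2 — unlike `--ssl-certificate`/`--ssl-key`, which this file checks once after ssl_ctx is created and aborts on with "failed consistency check". Suggest validating once against the context right after the SSL_CTX_set_verify() hunk: `if (param.ssl_groups && SSL_CTX_set1_curves_list(ssl_ctx, param.ssl_groups) != 1) {` `fprintf(stderr, "%s: invalid --ssl-groups list %s\n", prog_name, param.ssl_groups); exit(1); }`; I believe SSL objects created from the context inherit the group list, in which case the per-connection call in core.c could then be dropped. The usage line `"\t[--ssl-groups L]\n"` also gives no hint of the format; a short remark that L is OpenSSL's colon-separated group-list syntax (e.g. X25519:P-256) would help, wherever this file documents the other --ssl-* options. The cast `(int *) &param.ssl_groups` in the longopts entry follows the existing pattern of the neighbouring entries, so it is not new to this commit.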


@ -9,7 +9,7 @@
modify it under the terms of the GNU General Public License as modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version. License, or (at your option) any later version.
In addition, as a special exception, the copyright holders give In addition, as a special exception, the copyright holders give
permission to link the code of this work with the OpenSSL project's permission to link the code of this work with the OpenSSL project's
"OpenSSL" library (or with modified versions of it that use the same "OpenSSL" library (or with modified versions of it that use the same
@ -27,7 +27,7 @@
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA 02110-1301, USA
*/ */
@ -127,6 +127,7 @@ typedef struct Cmdline_Params
const char *ssl_key; /* client key file name */ const char *ssl_key; /* client key file name */
const char *ssl_ca_file; /* certificate authority file */ const char *ssl_ca_file; /* certificate authority file */
const char *ssl_ca_path; /* certificate authority path */ const char *ssl_ca_path; /* certificate authority path */
const char *ssl_groups; /* client's list of SSL key exchange algorithms */
#endif #endif
int use_timer_cache; int use_timer_cache;
const char *additional_header; /* additional request header(s) */ const char *additional_header; /* additional request header(s) */
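Review bot: The comment on the new `ssl_groups` field calls it a "list of SSL key exchange algorithms", but the value is handed to SSL_set1_curves_list() in this commit's core.c hunk, which takes the TLS supported-groups list (named curves / finite-field DH groups) in OpenSSL's colon-separated syntax — the key-exchange algorithm itself is still selected by the cipher list. Suggest `const char *ssl_groups; /* --ssl-groups: colon-separated TLS supported-groups list, e.g. "X25519:P-256", passed to SSL_set1_curves_list() */` so a reader does not try to put "ECDHE" in it. The struct Cmdline_Params definition starts before this hunk.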