Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Bug 1528262, add -J option to strsclnt to specify sigschemes, r=mt
Reviewers: mt

Reviewed By: mt

Bug #: 1528262

Differential Revision: https://phabricator.services.mozilla.com/D21516

--HG--
extra : amend_source : 20e7d735daa6fea12f4dd006e2ce34d033b4accb
  • Loading branch information
ueno committed Mar 4, 2019
1 parent 08f2912 commit 34e8f12
Show file tree
Hide file tree
Showing 2 changed files with 82 additions and 3 deletions.
39 changes: 36 additions & 3 deletions cmd/strsclnt/strsclnt.c
Expand Up @@ -121,6 +121,9 @@ static PRBool enableCertStatus = PR_FALSE;

PRIntervalTime maxInterval = PR_INTERVAL_NO_TIMEOUT;

static const SSLSignatureScheme *enabledSigSchemes = NULL;
static unsigned int enabledSigSchemeCount = 0;

char *progName;

secuPWData pwdata = { PW_NONE, 0 };
Expand All @@ -143,7 +146,8 @@ Usage(void)
"Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
" [-BDNovqs] [-f filename] [-N | -P percentage]\n"
" [-w dbpasswd] [-C cipher(s)] [-t threads] [-W pwfile]\n"
" [-V [min-version]:[max-version]] [-a sniHostName] hostname\n"
" [-V [min-version]:[max-version]] [-a sniHostName]\n"
" [-J signatureschemes] hostname\n"
" where -v means verbose\n"
" -o flag is interpreted as follows:\n"
" 1 -o means override the result of server certificate validation.\n"
Expand All @@ -161,7 +165,17 @@ Usage(void)
" -T enable the cert_status extension (OCSP stapling)\n"
" -u enable TLS Session Ticket extension\n"
" -z enable compression\n"
" -g enable false start\n",
" -g enable false start\n"
" -J enable signature schemes\n"
" This takes a comma separated list of signature schemes in preference\n"
" order.\n"
" Possible values are:\n"
" rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
" ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
" ecdsa_secp521r1_sha512,\n"
" rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
" rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
" dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512\n",
progName);
exit(1);
}
Expand Down Expand Up @@ -1158,6 +1172,14 @@ client_main(
errExit("error setting SSL/TLS version range ");
}

if (enabledSigSchemes) {
rv = SSL_SignatureSchemePrefSet(model_sock, enabledSigSchemes,
enabledSigSchemeCount);
if (rv < 0) {
errExit("SSL_SignatureSchemePrefSet");
}
}

if (bigBuf.data) { /* doing FDX */
rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
if (rv < 0) {
Expand Down Expand Up @@ -1316,7 +1338,7 @@ main(int argc, char **argv)
/* XXX: 'B' was used in the past but removed in 3.28,
* please leave some time before resuing it. */
optstate = PL_CreateOptState(argc, argv,
"C:DNP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
"C:DJ:NP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case 'C':
Expand All @@ -1330,6 +1352,15 @@ main(int argc, char **argv)
case 'I': /* reserved for OCSP multi-stapling */
break;

case 'J':
rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
if (rv != SECSuccess) {
PL_DestroyOptState(optstate);
fprintf(stderr, "Bad signature scheme specified.\n");
Usage();
}
break;

case 'N':
NoReuse = 1;
break;
Expand Down Expand Up @@ -1516,6 +1547,8 @@ main(int argc, char **argv)

PL_strfree(hostName);

PORT_Free((SSLSignatureScheme *)enabledSigSchemes);

/* some final stats. */
printf(
"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
Expand Down
46 changes: 46 additions & 0 deletions tests/ssl/ssl.sh
Expand Up @@ -1225,6 +1225,51 @@ ssl_scheme()
html "</TABLE><BR>"
}

############################ ssl_scheme_stress ##########################
# local shell function to test strsclnt and selfserv handling of signature schemes
#########################################################################
ssl_scheme_stress()
{
if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
return 0
fi

html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"

NO_ECC_CERTS=1
schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256")
for sscheme in "${schemes[@]}"; do
for cscheme in "${schemes[@]}"; do
testname="ssl_scheme server='$sscheme' client='$cscheme'"
echo "${testname}"

start_selfserv -V tls1.2:tls1.2 -J "$sscheme"

echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
echo " -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} < ${REQUEST_FILE}"
${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} ${CLIENT_OPTIONS} \
-d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} < ${REQUEST_FILE} 2>&1
ret=$?
# If both schemes include just one option and those options don't
# match, then the test should fail; otherwise, assume that it works.
if [ "${cscheme#*,}" = "$cscheme" -a \
"${sscheme#*,}" = "$sscheme" -a \
"$cscheme" != "$sscheme" ]; then
expected=1
else
expected=0
fi
html_msg $ret $expected "${testname}" \
"produced a returncode of $ret, expected is $expected"
kill_selfserv
done
done
NO_ECC_CERTS=0

html "</TABLE><BR>"
}

############################## ssl_cleanup #############################
# local shell function to finish this script (no exit since it might be
# sourced)
Expand Down Expand Up @@ -1267,6 +1312,7 @@ ssl_run()
;;
"scheme")
ssl_scheme
ssl_scheme_stress
;;
esac
done
Expand Down

0 comments on commit 34e8f12

Please sign in to comment.