Bug 1308198 - allow group config in selfserv and tstclnt, r=mt

--HG-- extra : rebase_source : 586f9e97163500ffee6583ba98c4aa1d21aa35d8 extra : amend_source : 9f4207cfc408a37510cd5a88827c73553ca980c8
sailfishos-mirror · Oct 10, 2016 · 7b642a1 · 7b642a1
1 parent 08ca13e
commit 7b642a1
Show file tree

Hide file tree

Showing 4 changed files with 158 additions and 13 deletions.
diff --git a/cmd/lib/basicutil.c b/cmd/lib/basicutil.c
@@ -25,6 +25,7 @@
 #endif
 
 #include "secoid.h"
+#include "sslt.h"
 
 extern long DER_GetInteger(const SECItem *src);
 
@@ -731,3 +732,94 @@ SECU_SECItemHexStringToBinary(SECItem *srcdest)
     srcdest->len /= 2;
     return SECSuccess;
 }
+
+SSLNamedGroup
+groupNameToNamedGroup(char *name)
+{
+    if (PL_strlen(name) == 4) {
+        if (!strncmp(name, "P256", 4)) {
+            return ssl_grp_ec_secp256r1;
+        }
+        if (!strncmp(name, "P384", 4)) {
+            return ssl_grp_ec_secp384r1;
+        }
+        if (!strncmp(name, "P521", 4)) {
+            return ssl_grp_ec_secp521r1;
+        }
+    }
+    if (PL_strlen(name) == 6) {
+        if (!strncmp(name, "x25519", 6)) {
+            return ssl_grp_ec_curve25519;
+        }
+        if (!strncmp(name, "FF2048", 6)) {
+            return ssl_grp_ffdhe_2048;
+        }
+        if (!strncmp(name, "FF3072", 6)) {
+            return ssl_grp_ffdhe_3072;
+        }
+        if (!strncmp(name, "FF4096", 6)) {
+            return ssl_grp_ffdhe_4096;
+        }
+        if (!strncmp(name, "FF6144", 6)) {
+            return ssl_grp_ffdhe_6144;
+        }
+        if (!strncmp(name, "FF8192", 6)) {
+            return ssl_grp_ffdhe_8192;
+        }
+    }
+
+    return ssl_grp_none;
+}
+
+SECStatus
+parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
+               unsigned int *enabledGroupsCount)
+{
+    SSLNamedGroup *groups;
+    char *str = PORT_Strdup(arg);
+    unsigned int numValues = 0;
+    unsigned int count = 0;
+
+    /* Count the number of groups. */
+    char *p = strtok(str, ",");
+    while (p) {
+        ++numValues;
+        p = strtok(NULL, ",");
+    }
+    groups = PORT_ZNewArray(SSLNamedGroup, numValues);
+    if (!groups) {
+        return SECFailure;
+    }
+    if (str) {
+        PORT_Free(str);
+    }
+
+    /* Get group names. */
+    str = PORT_Strdup(arg);
+    if (!str) {
+        goto done;
+    }
+    p = strtok(str, ",");
+    while (p) {
+        SSLNamedGroup group = groupNameToNamedGroup(p);
+        if (group == ssl_grp_none) {
+            count = 0;
+            goto done;
+        }
+        groups[count++] = group;
+        p = strtok(NULL, ",");
+    }
+
+done:
+    if (str) {
+        PORT_Free(str);
+    }
+    if (!count) {
+        PORT_Free(groups);
+        return SECFailure;
+    }
+
+    *enabledGroupsCount = count;
+    *enabledGroups = groups;
+    return SECSuccess;
+}
diff --git a/cmd/lib/basicutil.h b/cmd/lib/basicutil.h
@@ -13,6 +13,7 @@
 #include "base64.h"
 #include "secasn1.h"
 #include "secder.h"
+#include "sslt.h"
 #include <stdio.h>
 
 #ifdef SECUTIL_NEW
@@ -112,6 +113,10 @@ SECU_ParseCommandLine(int argc, char **argv, char *progName,
 char *
 SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
 
+SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
+                         unsigned int *enabledGroupsCount);
+SSLNamedGroup groupNameToNamedGroup(char *name);
+
 /*
  *
  *  Error messaging

diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
@@ -164,7 +164,7 @@ PrintUsageHeader(const char *progName)
             "         [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
             "         [-V [min-version]:[max-version]] [-a sni_name]\n"
             "         [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
-            "         [-C SSLCacheEntries] [-S dsa_nickname] -Q"
+            "         [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]"
 #ifndef NSS_DISABLE_ECC
             " [-e ec_nickname]"
 #endif /* NSS_DISABLE_ECC */
@@ -224,7 +224,10 @@ PrintParameterUsage()
         "-c Restrict ciphers\n"
         "-Y prints cipher values allowed for parameter -c and exits\n"
         "-G enables the extended master secret extension [RFC7627]\n"
-        "-Q enables ALPN for HTTP/1.1 [RFC7301]\n",
+        "-Q enables ALPN for HTTP/1.1 [RFC7301]\n"
+        "-I comma separated list of enabled groups for TLS key exchange.\n"
+        "   The following values are valid:\n"
+        "   P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
         stderr);
 }
 
@@ -801,6 +804,8 @@ PRBool failedToNegotiateName = PR_FALSE;
 PRBool enableExtendedMasterSecret = PR_FALSE;
 PRBool zeroRTT = PR_FALSE;
 PRBool enableALPN = PR_FALSE;
+SSLNamedGroup *enabledGroups = NULL;
+unsigned int enabledGroupsCount = 0;
 
 static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX];
 static int virtServerNameIndex = 1;
@@ -1968,6 +1973,13 @@ server_main(
         }
     }
 
+    if (enabledGroups) {
+        rv = SSL_NamedGroupConfig(model_sock, enabledGroups, enabledGroupsCount);
+        if (rv < 0) {
+            errExit("SSL_NamedGroupConfig failed");
+        }
+    }
+
     /* This cipher is not on by default. The Acceptance test
      * would like it to be. Turn this cipher on.
      */
@@ -2185,7 +2197,7 @@ main(int argc, char **argv)
     int optionsFound = 0;
     int maxProcs = 1;
     unsigned short port = 0;
-    SECStatus rv;
+    SECStatus rv = SECSuccess;
     PRStatus prStatus;
     PRBool bindOnly = PR_FALSE;
     PRBool useLocalThreads = PR_FALSE;
@@ -2214,7 +2226,7 @@ main(int argc, char **argv)
     ** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed
     **      in 3.28, please leave some time before resuing those. */
     optstate = PL_CreateOptState(argc, argv,
-                                 "2:A:C:DGH:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
+                                 "2:A:C:DGH:I:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         ++optionsFound;
         switch (optstate->option) {
@@ -2242,9 +2254,6 @@ main(int argc, char **argv)
                 enableExtendedMasterSecret = PR_TRUE;
                 break;
 
-            case 'I': /* reserved for OCSP multi-stapling */
-                break;
-
             case 'L':
                 logStats = PR_TRUE;
                 if (optstate->value == NULL) {
@@ -2442,6 +2451,16 @@ main(int argc, char **argv)
                 enableALPN = PR_TRUE;
                 break;
 
+            case 'I':
+                rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad group specified.\n");
+                    fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+                    exit(5);
+                }
+                break;
+
             default:
             case '?':
                 fprintf(stderr, "Unrecognized or bad option specified.\n");
@@ -2745,6 +2764,9 @@ main(int argc, char **argv)
     if (certStatusArena) {
         PORT_FreeArena(certStatusArena, PR_FALSE);
     }
+    if (enabledGroups) {
+        PORT_Free(enabledGroups);
+    }
     if (NSS_Shutdown() != SECSuccess) {
         SECU_PrintError(progName, "NSS_Shutdown");
         if (loggerThread) {

diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
@@ -100,6 +100,9 @@ static char *progName;
 
 secuPWData pwdata = { PW_NONE, 0 };
 
+SSLNamedGroup *enabledGroups = NULL;
+unsigned int enabledGroupsCount = 0;
+
 void
 printSecurityInfo(PRFileDesc *fd)
 {
@@ -188,7 +191,7 @@ PrintUsageHeader(const char *progName)
             "[-D | -d certdir] [-C] [-b | -R root-module] \n"
             "[-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
             "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
-            "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n",
+            "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n",
             progName);
 }
 
@@ -255,6 +258,10 @@ PrintParameterUsage(void)
     fprintf(stderr, "%-20s Require the use of FFDHE supported groups "
                     "[I-D.ietf-tls-negotiated-ff-dhe]\n",
             "-H");
+    fprintf(stderr, "%-20s Comma separated list of enabled groups for TLS key exchange.\n"
+                    "%-20s The following values are valid:\n"
+                    "%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
+            "-G", "", "");
 }
 
 static void
@@ -959,7 +966,7 @@ main(int argc, char **argv)
     /* XXX: 'B' was used in the past but removed in 3.28,
      *      please leave some time before resuing it. */
     optstate = PL_CreateOptState(argc, argv,
-                                 "46CDFGHKM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:z");
+                                 "46CDFGHI:KM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:z");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case '?':
@@ -1002,9 +1009,6 @@ main(int argc, char **argv)
                 requireDHNamedGroups = PR_TRUE;
                 break;
 
-            case 'I': /* reserved for OCSP multi-stapling */
-                break;
-
             case 'O':
                 serverCertAuth.shouldPause = PR_FALSE;
                 break;
@@ -1149,13 +1153,23 @@ main(int argc, char **argv)
             case 'z':
                 enableCompression = 1;
                 break;
+
+            case 'I':
+                rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad group specified.\n");
+                    Usage(progName);
+                }
+                break;
         }
     }
 
     PL_DestroyOptState(optstate);
 
-    if (optstatus == PL_OPT_BAD)
+    if (optstatus == PL_OPT_BAD) {
         Usage(progName);
+    }
 
     if (!host || !portno) {
         fprintf(stderr, "%s: parameters -h and -p are mandatory\n", progName);
@@ -1472,6 +1486,15 @@ main(int argc, char **argv)
         goto done;
     }
 
+    if (enabledGroups) {
+        rv = SSL_NamedGroupConfig(s, enabledGroups, enabledGroupsCount);
+        if (rv < 0) {
+            SECU_PrintError(progName, "SSL_NamedGroupConfig failed");
+            error = 1;
+            goto done;
+        }
+    }
+
     serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
 
     SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
@@ -1738,6 +1761,9 @@ main(int argc, char **argv)
     if (s) {
         PR_Close(s);
     }
+    if (enabledGroups) {
+        PORT_Free(enabledGroups);
+    }
 
     if (NSS_IsInitialized()) {
         SSL_ClearSessionCache();