From c4219fa2d46b05224eb0e0a8c519f7ef1317d7ec Mon Sep 17 00:00:00 2001
From: hehongjie
Date: Fri, 22 Jun 2018 21:36:26 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E6=94=AF=E6=8C=81=E6=8C=87=E5=AE=9A?= =?UTF-8?q?=E6=8F=A1=E6=89=8B=E5=8D=8F=E8=AE=AE=E7=AE=97=E6=B3=95=E5=92=8C?= =?UTF-8?q?=E5=8F=8C=E5=90=91=E8=AE=A4=E8=AF=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/ssl.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 src/ssl.h | 7 ++++++-
 src/wrk.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 113 insertions(+), 5 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index a4a88c4..555947d 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -23,7 +23,13 @@ static unsigned long ssl_id() {
 return (unsigned long) pthread_self();
 }

-SSL_CTX *ssl_init() {
+#ifdef KOAL_SSL_EXTENSION
+SSL_CTX *ssl_init(char *ssl_protocol, char *clientcert, char *clientkey,
+ char *cafile, char *capath) {
+#else /* KOAL_SSL_EXTENSION */
+SSL_CTX *ssl_init(char *clientcert, char *clientkey,
+ char *cafile, char *capath) {
+#endif /* KOAL_SSL_EXTENSION */
 SSL_CTX *ctx = NULL;

 SSL_load_error_strings();
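Review bot: None of the five new `ssl_init` parameters is written through, so they should be `const char *` (with the header prototype matching), and the definition carries no comment describing the contract the body relies on: `cafile` and `capath` both NULL means peer verification is disabled, `clientcert` NULL means no client authentication, and `ssl_protocol` must not be NULL because it goes straight to `strcmp`. A header comment above the `#ifdef`, e.g. `/* ssl_init: cafile/capath NULL -> no peer verification; clientcert NULL -> no client auth; ssl_protocol (KOAL_SSL_EXTENSION only) must be non-NULL. */`, would make both variants usable without reading the body. The body of `ssl_init` continues in the next hunk.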
@@ -38,17 +44,60 @@ SSL_CTX *ssl_init() {
 CRYPTO_set_locking_callback(ssl_lock);
 CRYPTO_set_id_callback(ssl_id);

+#ifdef KOAL_SSL_EXTENSION
+ if (strcmp(ssl_protocol, "ssl3") == 0)
+ ctx = SSL_CTX_new(SSLv3_client_method());
+#ifndef OPENSSL_NO_SSL2
+ else if (strcmp(ssl_protocol, "ssl2") == 0)
+ ctx = SSL_CTX_new(SSLv2_client_method());
+#endif
+#ifndef OPENSSL_NO_TLS1
+ else if (strcmp(ssl_protocol, "tls1") == 0)
+ ctx = SSL_CTX_new(TLSv1_client_method());
+ else if (strcmp(ssl_protocol, "tls1.1") == 0)
+ ctx = SSL_CTX_new(TLSv1_1_client_method());
+ else if (strcmp(ssl_protocol, "tls1.2") == 0)
+ ctx = SSL_CTX_new(TLSv1_2_client_method());
+#endif
+ else
+ ctx = SSL_CTX_new(SSLv23_client_method());
+ if (NULL != ctx) {
+#else /* KOAL_SSL_EXTENSION */
 if ((ctx = SSL_CTX_new(SSLv23_client_method()))) {
- SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
- SSL_CTX_set_verify_depth(ctx, 0);
+#endif /* KOAL_SSL_EXTENSION */
+ if (!cafile && !capath) {
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+ SSL_CTX_set_verify_depth(ctx, 0);
+ } else {
+ SSL_CTX_load_verify_locations(ctx, cafile, capath);
+ }
 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
+
+ if (clientcert) {
+ if(1 != SSL_CTX_use_certificate_chain_file(ctx, clientcert)) {
+ fprintf(stderr, "unable to load client certificate chain\n");
+ return NULL;
+ }
+ if(1 != SSL_CTX_use_PrivateKey_file(
+ ctx, clientkey, SSL_FILETYPE_PEM)) {
+ fprintf(stderr, "unable to load client key\n");
+ return NULL;
+ }
+ }
 }
 }

 return ctx;
 }

+status ssl_set_cipher_list(SSL_CTX *ctx, char *ciphers) {
+ if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) {
+ return ERROR;
+ }
+ return OK;
+}
+
 status ssl_connect(connection *c, char *host) {
 int r;
 SSL_set_fd(c->ssl, c->fd);
diff --git a/src/ssl.h b/src/ssl.h
index 181d5b3..c01fae6 100644
--- a/src/ssl.h
+++ b/src/ssl.h
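Review bot: Passing `-F`/`-P` does not turn on certificate verification: the new `else` branch only calls `SSL_CTX_load_verify_locations` (return value unchecked) and never sets `SSL_VERIFY_PEER`, and a freshly created `SSL_CTX` verifies nothing by default, so the trusted CAs are loaded but never enforced; hostname matching of `host` is not enabled anywhere either, so even with peer verification the chain would be checked but not the name (on OpenSSL 1.1.0+ that would be `SSL_set1_host` in `ssl_connect`, outside this hunk). In the client-auth block both failure paths `return NULL` without `SSL_CTX_free(ctx)`, `clientkey` is handed to `SSL_CTX_use_PrivateKey_file` as a NULL filename when only `-C` is given, and `SSL_CTX_check_private_key` is never called, so a mismatched cert/key pair is only discovered at handshake time. `SSLv3_client_method()` is used without an `OPENSSL_NO_SSL3` guard while the SSL2 and TLS1 branches are guarded, so a build with SSLv3 compiled out fails, and an unrecognised `-p` value silently falls through to `SSLv23_client_method()` instead of being rejected. The rewritten verification and client-auth section follows; the protocol selection above it and the remainder of the function are unchanged.
```c
        if (!cafile && !capath) {
            SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
            SSL_CTX_set_verify_depth(ctx, 0);
        } else {
            /* Loading CAs alone enforces nothing; a new ctx defaults to SSL_VERIFY_NONE. */
            if (SSL_CTX_load_verify_locations(ctx, cafile, capath) != 1) {
                fprintf(stderr, "unable to load trusted CA certificates\n");
                SSL_CTX_free(ctx);
                return NULL;
            }
            SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
        }
        /* … unchanged: SSL_CTX_set_mode / SSL_CTX_set_session_cache_mode … */

        if (clientcert) {
            /* A bare -C means the key is in the same PEM file as the chain. */
            const char *keyfile = clientkey ? clientkey : clientcert;
            if (SSL_CTX_use_certificate_chain_file(ctx, clientcert) != 1) {
                fprintf(stderr, "unable to load client certificate chain\n");
                SSL_CTX_free(ctx);
                return NULL;
            }
            if (SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) != 1 ||
                SSL_CTX_check_private_key(ctx) != 1) {
                fprintf(stderr, "unable to load client key\n");
                SSL_CTX_free(ctx);
                return NULL;
            }
        }
```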
@@ -3,8 +3,13 @@

 #include "net.h"

-SSL_CTX *ssl_init();
+#ifdef KOAL_SSL_EXTENSION
+SSL_CTX *ssl_init(char *, char *, char *, char*, char*);
+#else /* KOAL_SSL_EXTENSION */
+SSL_CTX *ssl_init(char *, char *, char*, char*);
+#endif /* KOAL_SSL_EXTENSION */
+status ssl_set_cipher_list(SSL_CTX *, char *);

 status ssl_connect(connection *, char *);
 status ssl_close(connection *);
 status ssl_read(connection *, size_t *);
diff --git a/src/wrk.c b/src/wrk.c
index 1049f0b..c3aa86c 100644
--- a/src/wrk.c
+++ b/src/wrk.c
@@ -23,6 +23,14 @@ static struct config {
 bool record_all_responses;
 char *host;
 char *script;
+ char *clientcert;
+ char *clientkey;
+ char *cafile;
+ char *capath;
+ char *ciphers;
+#ifdef KOAL_SSL_EXTENSION
+ char *protocol;
+#endif /* KOAL_SSL_EXTENSION */
 SSL_CTX *ctx;
 } cfg;

@@ -57,10 +65,18 @@ static void usage() {
 " -t, --threads Number of threads to use \n"
 " \n"
 " -s, --script Load Lua script file \n"
+ " -z, --ciphers Specify SSL/TLS ciphers \n"
+#ifdef KOAL_SSL_EXTENSION
+ " -p, --protocol Specify SSL/TLS protocol \n"
+#endif /* KOAL_SSL_EXTENSION */
 " -H, --header Add header to request \n"
 " -L --latency Print latency statistics \n"
 " -U --u_latency Print uncorrected latency statistics\n"
 " --timeout Socket/request timeout \n"
+ " -C --clientcert SSL client PEM cert chain \n"
+ " -K --clientkey SSL client PEM key file \n"
+ " -F --cafile SSL trusted CAs PEM file \n"
+ " -P --capath
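Review bot: With two arities selected by `KOAL_SSL_EXTENSION` and up to five anonymous `char *` parameters, the header gives a caller no way to tell which string goes where or which may be NULL; a comment above the `#ifdef` such as `/* ssl_init(protocol, clientcert, clientkey, cafile, capath); protocol exists only with KOAL_SSL_EXTENSION and must be non-NULL; cafile, capath and clientcert may be NULL */` is needed, and `/* ERROR if no cipher in the list is usable */` on `ssl_set_cipher_list` would match its body in ssl.c. The spacing also alternates between `char *` and `char*` inside a single prototype; make it consistent with the rest of the header.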

SSL trusted CAs directory \n"
 " -B, --batch_latency Measure latency of whole \n"
 " batches of pipelined ops \n"
 " (as opposed to each op) \n"
@@ -89,7 +105,17 @@ int main(int argc, char **argv) {
 char *service = port ? port : schema;

 if (!strncmp("https", schema, 5)) {
- if ((cfg.ctx = ssl_init()) == NULL) {
+#ifdef KOAL_SSL_EXTENSION
+ if (NULL == cfg.protocol) {
+ cfg.protocol = "all";
+ }
+
+ if ((cfg.ctx = ssl_init(cfg.protocol, cfg.clientcert,
+ cfg.clientkey, cfg.cafile, cfg.capath)) == NULL) {
+#else /* KOAL_SSL_EXTENSION */
+ if ((cfg.ctx = ssl_init(cfg.clientcert, cfg.clientkey,
+ cfg.cafile, cfg.capath)) == NULL) {
+#endif /* KOAL_SSL_EXTENSION */
 fprintf(stderr, "unable to initialize SSL\n");
 ERR_print_errors_fp(stderr);
 exit(1);
@@ -696,11 +722,19 @@ static struct option longopts[] = {
 { "duration", required_argument, NULL, 'd' },
 { "threads", required_argument, NULL, 't' },
 { "script", required_argument, NULL, 's' },
+ { "ciphers", required_argument, NULL, 'z' },
+#ifdef KOAL_SSL_EXTENSION
+ { "protocol", required_argument, NULL, 'p' },
+#endif /* KOAL_SSL_EXTENSION */
 { "header", required_argument, NULL, 'H' },
 { "latency", no_argument, NULL, 'L' },
 { "u_latency", no_argument, NULL, 'U' },
 { "batch_latency", no_argument, NULL, 'B' },
 { "timeout", required_argument, NULL, 'T' },
+ { "clientcert", required_argument, NULL, 'C' },
+ { "clientkey", required_argument, NULL, 'K' },
+ { "cafile", required_argument, NULL, 'F' },
+ { "capath", required_argument, NULL, 'P' },
 { "help", no_argument, NULL, 'h' },
 { "version", no_argument, NULL, 'v' },
 { "rate", required_argument, NULL, 'R' },
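Review bot: The `-K` line does not say the key is only used together with `-C` (the new `ssl_init` body ignores `clientkey` unless `clientcert` is set), so a user passing `-K` alone gets neither an error nor client authentication; `" -K --clientkey SSL client PEM key file (requires -C) \n"` would make that visible. The added lines also alternate between the `-z, --ciphers` and `-C --clientcert` separator styles; use one form for the options introduced in this change. `usage` continues outside the hunk.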
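Review bot: `cfg.ciphers` is parsed from `-z` and `ssl_set_cipher_list` is added to ssl.c, but nothing in the visible wrk.c hunks ever calls it, so as far as this patch shows the `-z` option has no effect; after `ssl_init` succeeds it should be applied and checked, `if (cfg.ciphers && ssl_set_cipher_list(cfg.ctx, cfg.ciphers) != OK) {` / `fprintf(stderr, "unable to set cipher list\n"); exit(1);` / `}`. The `cfg.protocol = "all"` default is never validated against the names `ssl_init` understands, so a typo such as `-p tls12` is silently treated as "all" instead of being rejected. `main` continues outside the hunk.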
@@ -732,6 +766,26 @@ static int parse_args(struct config *cfg, char **url, struct http_parser_url *pa
 case 's':
 cfg->script = optarg;
 break;
+ case 'C':
+ cfg->clientcert = optarg;
+ break;
+ case 'K':
+ cfg->clientkey = optarg;
+ break;
+ case 'F':
+ cfg->cafile = optarg;
+ break;
+ case 'P':
+ cfg->capath = optarg;
+ break;
+ case 'z':
+ cfg->ciphers = optarg;
+ break;
+#ifdef KOAL_SSL_EXTENSION
+ case 'p':
+ cfg->protocol = optarg;
+ break;
+#endif /* KOAL_SSL_EXTENSION */
 case 'H':
 *header++ = optarg;
 break;

From 20dcbaecc5a25d7f7ec2f41855388cb55ba6088d Mon Sep 17 00:00:00 2001
From: hehongjie
Date: Tue, 24 Jul 2018 21:27:40 +0800
Subject: [PATCH 2/2] add CFLAGS and LDFLAGS

---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index eea2bad..a8c51e2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-CFLAGS := -std=c99 -Wall -O2 -D_REENTRANT
+CFLAGS := -std=c99 -Wall -O2 -D_REENTRANT -DKOAL_SSL_EXTENSION
 LIBS := -lpthread -lm -lcrypto -lssl

 TARGET := $(shell uname -s | tr '[A-Z]' '[a-z]' 2>/dev/null || echo unknown)
@@ -29,7 +29,7 @@ OBJ := $(patsubst %.c,$(ODIR)/%.o,$(SRC)) $(ODIR)/bytecode.o

 LDIR = deps/luajit/src
 LIBS := -lluajit $(LIBS)
 CFLAGS += -I$(LDIR)
-LDFLAGS += -L$(LDIR)
+LDFLAGS += -L$(LDIR) -L/usr/local/ssl/lib/

 all: $(BIN)
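Review bot: The new `case 'C'`/`'K'`/`'F'`/`'P'`/`'z'`/`'p'` labels are only reachable if the short-option string handed to `getopt_long` was extended with `C:K:F:P:z:` (and `p:` under `KOAL_SSL_EXTENSION`); that string is not in any hunk of this patch, so confirm it was updated or the new options will be reported as unknown. The `-p` letter should also be checked against whatever short options that string already defines, since `parse_args` and the option string both start outside this hunk.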
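Review bot: Adding `-DKOAL_SSL_EXTENSION` unconditionally to `CFLAGS` means the `#else` branches that patch 1/2 added to ssl.c, ssl.h and wrk.c are never compiled, so they cannot be tested and will rot silently; either remove those branches or make the define controllable from the command line, e.g. `KOAL_SSL_EXTENSION ?= 1` and `CFLAGS += $(if $(filter 1,$(KOAL_SSL_EXTENSION)),-DKOAL_SSL_EXTENSION)`.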
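Review bot: `-L/usr/local/ssl/lib/` hard-codes one machine's OpenSSL location into the shared Makefile with no matching include path, so where that directory exists the build compiles against the system headers but links the other library, and elsewhere the flag is dead; expose it as an overridable variable, `OPENSSL_DIR ?= /usr/local/ssl`, `CFLAGS += -I$(OPENSSL_DIR)/include`, `LDFLAGS += -L$(OPENSSL_DIR)/lib`. A library outside the default search path will presumably also need an rpath or `LD_LIBRARY_PATH` at run time, which this change does not arrange; the commit message should say so.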