支持指定握手协议算法和双向认证

Makefile

@@ -1,4 +1,4 @@
-CFLAGS  := -std=c99 -Wall -O2 -D_REENTRANT
+CFLAGS  := -std=c99 -Wall -O2 -D_REENTRANT -DKOAL_SSL_EXTENSION
 LIBS    := -lpthread -lm -lcrypto -lssl
 
 TARGET  := $(shell uname -s | tr '[A-Z]' '[a-z]' 2>/dev/null || echo unknown)
@@ -29,7 +29,7 @@ OBJ  := $(patsubst %.c,$(ODIR)/%.o,$(SRC)) $(ODIR)/bytecode.o
 LDIR     = deps/luajit/src
 LIBS    := -lluajit $(LIBS)
 CFLAGS  += -I$(LDIR)
-LDFLAGS += -L$(LDIR)
+LDFLAGS += -L$(LDIR) -L/usr/local/ssl/lib/
 
 all: $(BIN)
 

src/ssl.c

@@ -23,7 +23,13 @@ static unsigned long ssl_id() {
     return (unsigned long) pthread_self();
 }
 
-SSL_CTX *ssl_init() {
+#ifdef KOAL_SSL_EXTENSION
+SSL_CTX *ssl_init(char *ssl_protocol, char *clientcert, char *clientkey,
+      char *cafile, char *capath) {
+#else /* KOAL_SSL_EXTENSION */
+SSL_CTX *ssl_init(char *clientcert, char *clientkey,
+      char *cafile, char *capath) {
+#endif /* KOAL_SSL_EXTENSION */
     SSL_CTX *ctx = NULL;
 
     SSL_load_error_strings();
@@ -38,17 +44,60 @@ SSL_CTX *ssl_init() {
         CRYPTO_set_locking_callback(ssl_lock);
         CRYPTO_set_id_callback(ssl_id);
 
+#ifdef KOAL_SSL_EXTENSION
+        if (strcmp(ssl_protocol, "ssl3") == 0)
+            ctx = SSL_CTX_new(SSLv3_client_method());
+#ifndef OPENSSL_NO_SSL2
+        else if (strcmp(ssl_protocol, "ssl2") == 0)
+            ctx = SSL_CTX_new(SSLv2_client_method());
+#endif
+#ifndef OPENSSL_NO_TLS1
+        else if (strcmp(ssl_protocol, "tls1") == 0)
+            ctx = SSL_CTX_new(TLSv1_client_method());
+        else if (strcmp(ssl_protocol, "tls1.1") == 0)
+            ctx = SSL_CTX_new(TLSv1_1_client_method());
+        else if (strcmp(ssl_protocol, "tls1.2") == 0)
+            ctx = SSL_CTX_new(TLSv1_2_client_method());
+#endif
+        else
+            ctx = SSL_CTX_new(SSLv23_client_method());
+        if (NULL != ctx) {
+#else /* KOAL_SSL_EXTENSION */
         if ((ctx = SSL_CTX_new(SSLv23_client_method()))) {
-            SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
-            SSL_CTX_set_verify_depth(ctx, 0);
+#endif /* KOAL_SSL_EXTENSION */
+            if (!cafile && !capath) {
+                SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+                SSL_CTX_set_verify_depth(ctx, 0);
+            } else {
+                SSL_CTX_load_verify_locations(ctx, cafile, capath);
+            }
             SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
             SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
+
+            if (clientcert) {
+                if(1 != SSL_CTX_use_certificate_chain_file(ctx, clientcert)) {
+                    fprintf(stderr, "unable to load client certificate chain\n");
+                    return NULL;
+                }
+                if(1 != SSL_CTX_use_PrivateKey_file(
+                      ctx, clientkey, SSL_FILETYPE_PEM)) {
+                    fprintf(stderr, "unable to load client key\n");
+                    return NULL;
+                }
+            }
         }
     }
 
     return ctx;
 }
 
+status ssl_set_cipher_list(SSL_CTX *ctx, char *ciphers) {
+    if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) {
+        return ERROR;
+    }
+    return OK;
+}
+
 status ssl_connect(connection *c, char *host) {
     int r;
     SSL_set_fd(c->ssl, c->fd);

src/ssl.h

@@ -3,8 +3,13 @@
 
 #include "net.h"
 
-SSL_CTX *ssl_init();
+#ifdef KOAL_SSL_EXTENSION
+SSL_CTX *ssl_init(char *, char *, char *, char*, char*);
+#else /* KOAL_SSL_EXTENSION */
+SSL_CTX *ssl_init(char *, char *, char*, char*);
+#endif /* KOAL_SSL_EXTENSION */
 
+status ssl_set_cipher_list(SSL_CTX *, char *);
 status ssl_connect(connection *, char *);
 status ssl_close(connection *);
 status ssl_read(connection *, size_t *);

src/wrk.c

@@ -23,6 +23,14 @@ static struct config {
     bool     record_all_responses;
     char    *host;
     char    *script;
+    char    *clientcert;
+    char    *clientkey;
+    char    *cafile;
+    char    *capath;
+    char    *ciphers;
+#ifdef KOAL_SSL_EXTENSION
+    char    *protocol;
+#endif /* KOAL_SSL_EXTENSION */
     SSL_CTX *ctx;
 } cfg;
 
@@ -57,10 +65,18 @@ static void usage() {
            "    -t, --threads     <N>  Number of threads to use   \n"
            "                                                      \n"
            "    -s, --script      <S>  Load Lua script file       \n"
+           "    -z, --ciphers     <S>  Specify SSL/TLS ciphers    \n"
+#ifdef KOAL_SSL_EXTENSION
+           "    -p, --protocol    <S>  Specify SSL/TLS protocol   \n"
+#endif /* KOAL_SSL_EXTENSION */
            "    -H, --header      <H>  Add header to request      \n"
            "    -L  --latency          Print latency statistics   \n"
            "    -U  --u_latency        Print uncorrected latency statistics\n"
            "        --timeout     <T>  Socket/request timeout     \n"
+           "    -C  --clientcert  <C>  SSL client PEM cert chain  \n"
+           "    -K  --clientkey   <K>  SSL client PEM key file    \n"
+           "    -F  --cafile      <F>  SSL trusted CAs PEM file   \n"
+           "    -P  --capath      <P>  SSL trusted CAs directory  \n"
            "    -B, --batch_latency    Measure latency of whole   \n"
            "                           batches of pipelined ops   \n"
            "                           (as opposed to each op)    \n"
@@ -89,7 +105,17 @@ int main(int argc, char **argv) {
     char *service = port ? port : schema;
 
     if (!strncmp("https", schema, 5)) {
-        if ((cfg.ctx = ssl_init()) == NULL) {
+#ifdef KOAL_SSL_EXTENSION
+        if (NULL == cfg.protocol) {
+          cfg.protocol = "all";
+        }
+
+        if ((cfg.ctx = ssl_init(cfg.protocol, cfg.clientcert,
+                cfg.clientkey, cfg.cafile, cfg.capath)) == NULL) {
+#else /* KOAL_SSL_EXTENSION */
+        if ((cfg.ctx = ssl_init(cfg.clientcert, cfg.clientkey,
+                  cfg.cafile, cfg.capath)) == NULL) {
+#endif /* KOAL_SSL_EXTENSION */
             fprintf(stderr, "unable to initialize SSL\n");
             ERR_print_errors_fp(stderr);
             exit(1);
@@ -696,11 +722,19 @@ static struct option longopts[] = {
     { "duration",       required_argument, NULL, 'd' },
     { "threads",        required_argument, NULL, 't' },
     { "script",         required_argument, NULL, 's' },
+    { "ciphers",        required_argument, NULL, 'z' },
+#ifdef KOAL_SSL_EXTENSION
+    { "protocol",       required_argument, NULL, 'p' },
+#endif /* KOAL_SSL_EXTENSION */
     { "header",         required_argument, NULL, 'H' },
     { "latency",        no_argument,       NULL, 'L' },
     { "u_latency",      no_argument,       NULL, 'U' },
     { "batch_latency",  no_argument,       NULL, 'B' },
     { "timeout",        required_argument, NULL, 'T' },
+    { "clientcert",     required_argument, NULL, 'C' },
+    { "clientkey",      required_argument, NULL, 'K' },
+    { "cafile",         required_argument, NULL, 'F' },
+    { "capath",         required_argument, NULL, 'P' },
     { "help",           no_argument,       NULL, 'h' },
     { "version",        no_argument,       NULL, 'v' },
     { "rate",           required_argument, NULL, 'R' },
@@ -732,6 +766,26 @@ static int parse_args(struct config *cfg, char **url, struct http_parser_url *pa
             case 's':
                 cfg->script = optarg;
                 break;
+            case 'C':
+                cfg->clientcert = optarg;
+                break;
+            case 'K':
+                cfg->clientkey = optarg;
+                break;
+            case 'F':
+                cfg->cafile = optarg;
+                break;
+            case 'P':
+                cfg->capath = optarg;
+                break;
+            case 'z':
+                cfg->ciphers = optarg;
+                break;
+#ifdef KOAL_SSL_EXTENSION
+            case 'p':
+                cfg->protocol = optarg;
+                break;
+#endif /* KOAL_SSL_EXTENSION */
             case 'H':
                 *header++ = optarg;
                 break;