authorsaul.edwards%sun.com <devnull@localhost>2005-09-09 04:50:07 +0000
committersaul.edwards%sun.com <devnull@localhost>2005-09-09 04:50:07 +0000
commit347916a80a619885e562f155bf85e38f1d9435f3 (patch)
treea76a678de3e23e9332259bcba6499cfc065ef6f1 /security/nss/cmd
parentf59e7526a5d51e013b67fc941834f13ba287c20b (diff)
downloadnss-hg-347916a80a619885e562f155bf85e38f1d9435f3.tar.gz
Bug 305147: add -B (bypass SSL) and -s (disable SSL locking) to server and client commands; add bypass testing to SSL test suite.
Diffstat (limited to 'security/nss/cmd')
-rw-r--r--security/nss/cmd/selfserv/selfserv.c28
-rw-r--r--security/nss/cmd/strsclnt/strsclnt.c32
-rw-r--r--security/nss/cmd/tstclnt/tstclnt.c28
3 files changed, 77 insertions, 11 deletions
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index c936e71c8..b7e4b99c3 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -200,16 +200,17 @@ Usage(const char *progName)
{
fprintf(stderr,
-"Usage: %s -n rsa_nickname -p port [-3DNRSTbmrvx] [-w password] [-t threads]\n"
+"Usage: %s -n rsa_nickname -p port [-3BDENRSTblmrsvx] [-w password] [-t threads]\n"
#ifdef NSS_ENABLE_ECC
" [-i pid_file] [-c ciphers] [-d dbdir] [-e ec_nickname] \n"
-" [-f fortezza_nickname] [-L [seconds]] [-M maxProcs] [-l] [-P dbprefix]\n"
+" [-f fortezza_nickname] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
#else
" [-i pid_file] [-c ciphers] [-d dbdir] [-f fortezza_nickname] \n"
-" [-L [seconds]] [-M maxProcs] [-l] [-P dbprefix]\n"
+" [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
#endif /* NSS_ENABLE_ECC */
"-S means disable SSL v2\n"
"-3 means disable SSL v3\n"
+"-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
"-D means disable Nagle delays in TCP\n"
"-E means disable export ciphersuites and SSL step down key gen\n"
"-T means disable TLS\n"
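Review bot: The new `-B` help line describes what the option does but not that it is a test/benchmark switch whose effect, as its own wording implies, is to take SSL bulk encryption and MAC computation out of the PKCS#11 layer, so a tester who expects a token or FIPS-mode module to cover those operations gets no warning. I would make the intent explicit in the string: `"-B bypasses the PKCS11 layer for SSL encryption and MACing (testing only)\n"`. Usage() continues past the end of this hunk.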
@@ -221,6 +222,7 @@ Usage(const char *progName)
" 2 -r's mean request and require, cert on initial handshake.\n"
" 3 -r's mean request, not require, cert on second handshake.\n"
" 4 -r's mean request and require, cert on second handshake.\n"
+"-s means disable SSL socket locking for performance\n"
"-v means verbose output\n"
"-x means use export policy.\n"
"-L seconds means log statistics every 'seconds' seconds (default=30).\n"
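Review bot: The `-s means disable SSL socket locking for performance` line states the benefit but not the precondition; selfserv runs up to `-t threads` worker threads, and removing the per-socket locks is only safe when no SSL socket is ever touched by more than one thread at a time. Suggest `"-s means disable SSL socket locking (only safe if each socket is used by one thread)\n"` so the trade-off is visible to whoever scripts the test suite. Usage() continues past the end of this hunk.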
@@ -687,6 +689,8 @@ PRBool disableRollBack = PR_FALSE;
PRBool NoReuse = PR_FALSE;
PRBool hasSidCache = PR_FALSE;
PRBool disableStepDown = PR_FALSE;
+PRBool bypassPKCS11 = PR_FALSE;
+PRBool disableLocking = PR_FALSE;
static const char stopCmd[] = { "GET /stop " };
static const char getCmd[] = { "GET " };
@@ -1405,6 +1409,18 @@ server_main(
errExit("error disabling SSL StepDown ");
}
}
+ if (bypassPKCS11) {
+ rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
+ if (rv != SECSuccess) {
+ errExit("error enabling PKCS11 bypass ");
+ }
+ }
+ if (disableLocking) {
+ rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, PR_TRUE);
+ if (rv != SECSuccess) {
+ errExit("error disabling SSL socket locking ");
+ }
+ }
for (kea = kt_rsa; kea < kt_kea_size; kea++) {
if (cert[kea] != NULL) {
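Review bot: Both new options are set on `model_sock`, so presumably every accepted socket inherits `SSL_NO_LOCKS`, and this hunk does not show that each accepted socket is confined to a single thread, which is the only condition under which dropping the locks is sound. A comment at the `if (disableLocking)` branch would record that assumption for the next person who touches the threading model: `/* SSL_NO_LOCKS is inherited by every accepted socket; each socket must then be used by exactly one thread */`. The `errExit` messages follow the existing trailing-space convention, which is fine. server_main() starts and ends outside this hunk.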
@@ -1647,7 +1663,7 @@ main(int argc, char **argv)
** numbers, then capital letters, then lower case, alphabetical.
*/
optstate = PL_CreateOptState(argc, argv,
- "2:3DEL:M:NP:RSTbc:d:e:f:hi:lmn:op:rt:vw:xy");
+ "2:3BDEL:M:NP:RSTbc:d:e:f:hi:lmn:op:rst:vw:xy");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch(optstate->option) {
@@ -1655,6 +1671,8 @@ main(int argc, char **argv)
case '3': disableSSL3 = PR_TRUE; break;
+ case 'B': bypassPKCS11 = PR_TRUE; break;
+
case 'D': noDelay = PR_TRUE; break;
case 'E': disableStepDown = PR_TRUE; break;
@@ -1712,6 +1730,8 @@ main(int argc, char **argv)
case 'r': ++requestCert; break;
+ case 's': disableLocking = PR_TRUE; break;
+
case 't':
maxThreads = PORT_Atoi(optstate->value);
if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index 6399f2438..d0c91d551 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -176,6 +176,8 @@ static SSL3Statistics * ssl3stats;
static int failed_already = 0;
static PRBool disableSSL3 = PR_FALSE;
static PRBool disableTLS = PR_FALSE;
+static PRBool bypassPKCS11 = PR_FALSE;
+static PRBool disableLocking = PR_FALSE;
char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
@@ -201,19 +203,21 @@ Usage(const char *progName)
{
fprintf(stderr,
"Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
- " [-3DTovq] [-2 filename] [-P fullhandshakespercentage | -N]\n"
+ " [-3BDNTovqs] [-2 filename] [-P fullhandshakespercentage | -N]\n"
" [-w dbpasswd] [-C cipher(s)] [-t threads] hostname\n"
" where -v means verbose\n"
" -o flag is interpreted as follows:\n"
" 1 -o means override the result of server certificate validation.\n"
" 2 -o's mean skip server certificate validation altogether.\n"
- " -3 means disable SSL3\n"
" -D means no TCP delays\n"
" -q means quit when server gone (timeout rather than retry forever)\n"
+ " -s means disable SSL socket locking\n"
" -N means no session reuse\n"
- " -P means do a specified percentage of full handshakes (0-100)\n"
+ " -P means do a specified percentage of full handshakes (0-100)\n"
+ " -3 means disable SSL3\n"
" -T means disable TLS\n"
- " -U means enable throttling up threads\n",
+ " -U means enable throttling up threads\n"
+ " -B bypasses the PKCS11 layer for SSL encryption and MACing\n",
progName);
exit(1);
}
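Review bot: The `-s means disable SSL socket locking` line gives no caveat even though strsclnt is multithreaded (`-t threads` in the same usage text), so the help should say when the switch is safe: `" -s means disable SSL socket locking (only safe if each socket is used by one thread)\n"`. As a point of style, the new `-B` line is appended after `-U` while every other option in this block is grouped with its neighbours; placing it next to `-3` and `-T` would keep the list readable.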
@@ -1199,6 +1203,20 @@ client_main(
}
}
+ if (bypassPKCS11) {
+ rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, 1);
+ if (rv < 0) {
+ errExit("SSL_OptionSet SSL_BYPASS_PKCS11");
+ }
+ }
+
+ if (disableLocking) {
+ rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, 1);
+ if (rv < 0) {
+ errExit("SSL_OptionSet SSL_NO_LOCKS");
+ }
+ }
+
SSL_SetURL(model_sock, hostName);
SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate,
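Review bot: The two new `SSL_OptionSet` calls test `rv < 0` and pass a literal `1`, whereas the same change in selfserv.c and tstclnt.c uses `PR_TRUE` and `rv != SECSuccess`; the three commands should check the result the same way, e.g. `rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);` followed by `if (rv != SECSuccess) {`, and likewise for `SSL_NO_LOCKS`. Relying on the numeric value of a failure status is fragile if the status enum ever changes. client_main() starts and ends outside this hunk.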
@@ -1305,7 +1323,7 @@ main(int argc, char **argv)
progName = progName ? progName + 1 : tmp;
- optstate = PL_CreateOptState(argc, argv, "2:3C:DNP:TUc:d:n:op:qt:vw:");
+ optstate = PL_CreateOptState(argc, argv, "2:3BC:DNP:TUc:d:n:op:qst:vw:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch(optstate->option) {
@@ -1313,6 +1331,8 @@ main(int argc, char **argv)
case '3': disableSSL3 = PR_TRUE; break;
+ case 'B': bypassPKCS11 = PR_TRUE; break;
+
case 'C': cipherString = optstate->value; break;
case 'D': NoDelay = PR_TRUE; break;
@@ -1337,6 +1357,8 @@ main(int argc, char **argv)
case 'q': QuitOnTimeout = PR_TRUE; break;
+ case 's': disableLocking = PR_TRUE; break;
+
case 't':
tmpInt = PORT_Atoi(optstate->value);
if (tmpInt > 0 && tmpInt < MAX_THREADS)
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index af03c42b6..f4e337a48 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -214,7 +214,7 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
static void Usage(const char *progName)
{
fprintf(stderr,
-"Usage: %s -h host [-p port] [-d certdir] [-n nickname] [-23Tfovx] \n"
+"Usage: %s -h host [-p port] [-d certdir] [-n nickname] [-23BTfosvx] \n"
" [-c ciphers] [-w passwd] [-q]\n", progName);
fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
@@ -223,11 +223,14 @@ static void Usage(const char *progName)
"-d certdir");
fprintf(stderr, "%-20s Nickname of key and cert for client auth\n",
"-n nickname");
+ fprintf(stderr,
+ "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
fprintf(stderr, "%-20s Disable SSL v2.\n", "-2");
fprintf(stderr, "%-20s Disable SSL v3.\n", "-3");
fprintf(stderr, "%-20s Disable TLS (SSL v3.1).\n", "-T");
fprintf(stderr, "%-20s Client speaks first. \n", "-f");
fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
+ fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
fprintf(stderr, "%-20s Use export policy.\n", "-x");
fprintf(stderr, "%-20s Ping the server and then exit.\n", "-q");
@@ -448,6 +451,8 @@ int main(int argc, char **argv)
int disableSSL2 = 0;
int disableSSL3 = 0;
int disableTLS = 0;
+ int bypassPKCS11 = 0;
+ int disableLocking = 0;
int useExportPolicy = 0;
PRSocketOptionData opt;
PRNetAddr addr;
@@ -466,7 +471,7 @@ int main(int argc, char **argv)
progName = strrchr(argv[0], '\\');
progName = progName ? progName+1 : argv[0];
- optstate = PL_CreateOptState(argc, argv, "23Tfc:h:p:d:m:n:oqvw:x");
+ optstate = PL_CreateOptState(argc, argv, "23BTfc:h:p:d:m:n:oqsvw:x");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@@ -476,6 +481,8 @@ int main(int argc, char **argv)
case '3': disableSSL3 = 1; break;
+ case 'B': bypassPKCS11 = 1; break;
+
case 'T': disableTLS = 1; break;
case 'c': cipherString = strdup(optstate->value); break;
@@ -503,6 +510,8 @@ int main(int argc, char **argv)
case 'q': pingServerFirst = PR_TRUE; break;
+ case 's': disableLocking = 1; break;
+
case 'v': verbose++; break;
case 'w':
@@ -703,6 +712,21 @@ int main(int argc, char **argv)
return 1;
}
+ /* enable PKCS11 bypass */
+ rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling PKCS11 bypass");
+ return 1;
+ }
+
+ /* disable SSL socket locking */
+ rv = SSL_OptionSet(s, SSL_NO_LOCKS, disableLocking);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error disabling SSL socket locking");
+ return 1;
+ }
+
+
if (useCommandLinePassword) {
SSL_SetPKCS11PinArg(s, password);
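Review bot: Unlike selfserv.c and strsclnt.c, these two `SSL_OptionSet` calls run unconditionally with the flag value, so when `-B` or `-s` was not given the call sets the option to 0 and a failure would be reported as `error enabling PKCS11 bypass` or `error disabling SSL socket locking`, which is the opposite of what was attempted. Either guard them with `if (bypassPKCS11)` / `if (disableLocking)` like the other two commands, or make the messages neutral: `SECU_PrintError(progName, "error setting SSL_BYPASS_PKCS11 option");` and `SECU_PrintError(progName, "error setting SSL_NO_LOCKS option");`. The hunk also leaves a doubled blank line before `if (useCommandLinePassword)`. main() starts and ends outside this hunk.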
}