kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5554 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 045ee41928
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '045ee41928'
${ noResults }
boringssl/tool/speed.cc

826 lines
27 KiB
Raw Blame History 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <algorithm>

  16. #include <string>

  17. #include <functional>

  18. #include <memory>

  19. #include <vector>

  20. 

  21. #include <assert.h>

  22. #include <stdint.h>

  23. #include <stdlib.h>

  24. #include <string.h>

  25. 

  26. #include <openssl/aead.h>

  27. #include <openssl/bn.h>

  28. #include <openssl/curve25519.h>

  29. #include <openssl/digest.h>

  30. #include <openssl/err.h>

  31. #include <openssl/ec.h>

  32. #include <openssl/ecdsa.h>

  33. #include <openssl/ec_key.h>

  34. #include <openssl/evp.h>

  35. #include <openssl/nid.h>

  36. #include <openssl/rand.h>

  37. #include <openssl/rsa.h>

  38. 

  39. #if defined(OPENSSL_WINDOWS)

  40. OPENSSL_MSVC_PRAGMA(warning(push, 3))

  41. #include <windows.h>

  42. OPENSSL_MSVC_PRAGMA(warning(pop))

  43. #elif defined(OPENSSL_APPLE)

  44. #include <sys/time.h>

  45. #else

  46. #include <time.h>

  47. #endif

  48. 

  49. #include "../crypto/internal.h"

  50. #include "internal.h"

  51. 

  52. 

  53. // TimeResults represents the results of benchmarking a function.

  54. struct TimeResults {

  55.   // num_calls is the number of function calls done in the time period.

  56.   unsigned num_calls;

  57.   // us is the number of microseconds that elapsed in the time period.

  58.   unsigned us;

  59. 

  60.   void Print(const std::string &description) {

  61.     printf("Did %u %s operations in %uus (%.1f ops/sec)\n", num_calls,

  62.            description.c_str(), us,

  63.            (static_cast<double>(num_calls) / us) * 1000000);

  64.   }

  65. 

  66.   void PrintWithBytes(const std::string &description, size_t bytes_per_call) {

  67.     printf("Did %u %s operations in %uus (%.1f ops/sec): %.1f MB/s\n",

  68.            num_calls, description.c_str(), us,

  69.            (static_cast<double>(num_calls) / us) * 1000000,

  70.            static_cast<double>(bytes_per_call * num_calls) / us);

  71.   }

  72. };

  73. 

  74. #if defined(OPENSSL_WINDOWS)

  75. static uint64_t time_now() { return GetTickCount64() * 1000; }

  76. #elif defined(OPENSSL_APPLE)

  77. static uint64_t time_now() {

  78.   struct timeval tv;

  79.   uint64_t ret;

  80. 

  81.   gettimeofday(&tv, NULL);

  82.   ret = tv.tv_sec;

  83.   ret *= 1000000;

  84.   ret += tv.tv_usec;

  85.   return ret;

  86. }

  87. #else

  88. static uint64_t time_now() {

  89.   struct timespec ts;

  90.   clock_gettime(CLOCK_MONOTONIC, &ts);

  91. 

  92.   uint64_t ret = ts.tv_sec;

  93.   ret *= 1000000;

  94.   ret += ts.tv_nsec / 1000;

  95.   return ret;

  96. }

  97. #endif

  98. 

  99. static uint64_t g_timeout_seconds = 1;

  100. 

  101. static bool TimeFunction(TimeResults *results, std::function<bool()> func) {

  102.   // total_us is the total amount of time that we'll aim to measure a function

  103.   // for.

  104.   const uint64_t total_us = g_timeout_seconds * 1000000;

  105.   uint64_t start = time_now(), now, delta;

  106.   unsigned done = 0, iterations_between_time_checks;

  107. 

  108.   if (!func()) {

  109.     return false;

  110.   }

  111.   now = time_now();

  112.   delta = now - start;

  113.   if (delta == 0) {

  114.     iterations_between_time_checks = 250;

  115.   } else {

  116.     // Aim for about 100ms between time checks.

  117.     iterations_between_time_checks =

  118.         static_cast<double>(100000) / static_cast<double>(delta);

  119.     if (iterations_between_time_checks > 1000) {

  120.       iterations_between_time_checks = 1000;

  121.     } else if (iterations_between_time_checks < 1) {

  122.       iterations_between_time_checks = 1;

  123.     }

  124.   }

  125. 

  126.   for (;;) {

  127.     for (unsigned i = 0; i < iterations_between_time_checks; i++) {

  128.       if (!func()) {

  129.         return false;

  130.       }

  131.       done++;

  132.     }

  133. 

  134.     now = time_now();

  135.     if (now - start > total_us) {

  136.       break;

  137.     }

  138.   }

  139. 

  140.   results->us = now - start;

  141.   results->num_calls = done;

  142.   return true;

  143. }

  144. 

  145. static bool SpeedRSA(const std::string &selected) {

  146.   if (!selected.empty() && selected.find("RSA") == std::string::npos) {

  147.     return true;

  148.   }

  149. 

  150.   static const struct {

  151.     const char *name;

  152.     const uint8_t *key;

  153.     const size_t key_len;

  154.   } kRSAKeys[] = {

  155.     {"RSA 2048", kDERRSAPrivate2048, kDERRSAPrivate2048Len},

  156.     {"RSA 4096", kDERRSAPrivate4096, kDERRSAPrivate4096Len},

  157.   };

  158. 

  159.   for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kRSAKeys); i++) {

  160.     const std::string name = kRSAKeys[i].name;

  161. 

  162.     bssl::UniquePtr<RSA> key(

  163.         RSA_private_key_from_bytes(kRSAKeys[i].key, kRSAKeys[i].key_len));

  164.     if (key == nullptr) {

  165.       fprintf(stderr, "Failed to parse %s key.\n", name.c_str());

  166.       ERR_print_errors_fp(stderr);

  167.       return false;

  168.     }

  169. 

  170.     std::unique_ptr<uint8_t[]> sig(new uint8_t[RSA_size(key.get())]);

  171.     const uint8_t fake_sha256_hash[32] = {0};

  172.     unsigned sig_len;

  173. 

  174.     TimeResults results;

  175.     if (!TimeFunction(&results,

  176.                       [&key, &sig, &fake_sha256_hash, &sig_len]() -> bool {

  177.           // Usually during RSA signing we're using a long-lived |RSA| that has

  178.           // already had all of its |BN_MONT_CTX|s constructed, so it makes

  179.           // sense to use |key| directly here.

  180.           return RSA_sign(NID_sha256, fake_sha256_hash, sizeof(fake_sha256_hash),

  181.                           sig.get(), &sig_len, key.get());

  182.         })) {

  183.       fprintf(stderr, "RSA_sign failed.\n");

  184.       ERR_print_errors_fp(stderr);

  185.       return false;

  186.     }

  187.     results.Print(name + " signing");

  188. 

  189.     if (!TimeFunction(&results,

  190.                       [&key, &fake_sha256_hash, &sig, sig_len]() -> bool {

  191.           return RSA_verify(

  192.               NID_sha256, fake_sha256_hash, sizeof(fake_sha256_hash),

  193.               sig.get(), sig_len, key.get());

  194.         })) {

  195.       fprintf(stderr, "RSA_verify failed.\n");

  196.       ERR_print_errors_fp(stderr);

  197.       return false;

  198.     }

  199.     results.Print(name + " verify (same key)");

  200. 

  201.     if (!TimeFunction(&results,

  202.                       [&key, &fake_sha256_hash, &sig, sig_len]() -> bool {

  203.           // Usually during RSA verification we have to parse an RSA key from a

  204.           // certificate or similar, in which case we'd need to construct a new

  205.           // RSA key, with a new |BN_MONT_CTX| for the public modulus. If we

  206.           // were to use |key| directly instead, then these costs wouldn't be

  207.           // accounted for.

  208.           bssl::UniquePtr<RSA> verify_key(RSA_new());

  209.           if (!verify_key) {

  210.             return false;

  211.           }

  212.           verify_key->n = BN_dup(key->n);

  213.           verify_key->e = BN_dup(key->e);

  214.           if (!verify_key->n ||

  215.               !verify_key->e) {

  216.             return false;

  217.           }

  218.           return RSA_verify(NID_sha256, fake_sha256_hash,

  219.                             sizeof(fake_sha256_hash), sig.get(), sig_len,

  220.                             verify_key.get());

  221.         })) {

  222.       fprintf(stderr, "RSA_verify failed.\n");

  223.       ERR_print_errors_fp(stderr);

  224.       return false;

  225.     }

  226.     results.Print(name + " verify (fresh key)");

  227.   }

  228. 

  229.   return true;

  230. }

  231. 

  232. static bool SpeedRSAKeyGen(const std::string &selected) {

  233.   // Don't run this by default because it's so slow.

  234.   if (selected != "RSAKeyGen") {

  235.     return true;

  236.   }

  237. 

  238.   bssl::UniquePtr<BIGNUM> e(BN_new());

  239.   if (!BN_set_word(e.get(), 65537)) {

  240.     return false;

  241.   }

  242. 

  243.   const std::vector<int> kSizes = {2048, 3072, 4096};

  244.   for (int size : kSizes) {

  245.     const uint64_t start = time_now();

  246.     unsigned num_calls = 0;

  247.     unsigned us;

  248.     std::vector<unsigned> durations;

  249. 

  250.     for (;;) {

  251.       bssl::UniquePtr<RSA> rsa(RSA_new());

  252. 

  253.       const uint64_t iteration_start = time_now();

  254.       if (!RSA_generate_key_ex(rsa.get(), size, e.get(), nullptr)) {

  255.         fprintf(stderr, "RSA_generate_key_ex failed.\n");

  256.         ERR_print_errors_fp(stderr);

  257.         return false;

  258.       }

  259.       const uint64_t iteration_end = time_now();

  260. 

  261.       num_calls++;

  262.       durations.push_back(iteration_end - iteration_start);

  263. 

  264.       us = iteration_end - start;

  265.       if (us > 30 * 1000000 /* 30 secs */) {

  266.         break;

  267.       }

  268.     }

  269. 

  270.     std::sort(durations.begin(), durations.end());

  271.     printf("Did %u RSA %d key-gen operations in %uus (%.1f ops/sec)\n",

  272.            num_calls, size, us,

  273.            (static_cast<double>(num_calls) / us) * 1000000);

  274.     const size_t n = durations.size();

  275.     assert(n > 0);

  276.     unsigned median = n & 1 ? durations[n / 2]

  277.                             : (durations[n / 2 - 1] + durations[n / 2]) / 2;

  278.     printf("  min: %uus, median: %uus, max: %uus\n", durations[0], median,

  279.            durations[n - 1]);

  280.   }

  281. 

  282.   return true;

  283. }

  284. 

  285. static uint8_t *align(uint8_t *in, unsigned alignment) {

  286.   return reinterpret_cast<uint8_t *>(

  287.       (reinterpret_cast<uintptr_t>(in) + alignment) &

  288.       ~static_cast<size_t>(alignment - 1));

  289. }

  290. 

  291. static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,

  292.                            size_t chunk_len, size_t ad_len,

  293.                            evp_aead_direction_t direction) {

  294.   static const unsigned kAlignment = 16;

  295. 

  296.   bssl::ScopedEVP_AEAD_CTX ctx;

  297.   const size_t key_len = EVP_AEAD_key_length(aead);

  298.   const size_t nonce_len = EVP_AEAD_nonce_length(aead);

  299.   const size_t overhead_len = EVP_AEAD_max_overhead(aead);

  300. 

  301.   std::unique_ptr<uint8_t[]> key(new uint8_t[key_len]);

  302.   OPENSSL_memset(key.get(), 0, key_len);

  303.   std::unique_ptr<uint8_t[]> nonce(new uint8_t[nonce_len]);

  304.   OPENSSL_memset(nonce.get(), 0, nonce_len);

  305.   std::unique_ptr<uint8_t[]> in_storage(new uint8_t[chunk_len + kAlignment]);

  306.   // N.B. for EVP_AEAD_CTX_seal_scatter the input and output buffers may be the

  307.   // same size. However, in the direction == evp_aead_open case we still use

  308.   // non-scattering seal, hence we add overhead_len to the size of this buffer.

  309.   std::unique_ptr<uint8_t[]> out_storage(

  310.       new uint8_t[chunk_len + overhead_len + kAlignment]);

  311.   std::unique_ptr<uint8_t[]> in2_storage(

  312.       new uint8_t[chunk_len + overhead_len + kAlignment]);

  313.   std::unique_ptr<uint8_t[]> ad(new uint8_t[ad_len]);

  314.   OPENSSL_memset(ad.get(), 0, ad_len);

  315.   std::unique_ptr<uint8_t[]> tag_storage(

  316.       new uint8_t[overhead_len + kAlignment]);

  317. 

  318. 

  319.   uint8_t *const in = align(in_storage.get(), kAlignment);

  320.   OPENSSL_memset(in, 0, chunk_len);

  321.   uint8_t *const out = align(out_storage.get(), kAlignment);

  322.   OPENSSL_memset(out, 0, chunk_len + overhead_len);

  323.   uint8_t *const tag = align(tag_storage.get(), kAlignment);

  324.   OPENSSL_memset(tag, 0, overhead_len);

  325.   uint8_t *const in2 = align(in2_storage.get(), kAlignment);

  326. 

  327.   if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.get(), key_len,

  328.                                         EVP_AEAD_DEFAULT_TAG_LENGTH,

  329.                                         evp_aead_seal)) {

  330.     fprintf(stderr, "Failed to create EVP_AEAD_CTX.\n");

  331.     ERR_print_errors_fp(stderr);

  332.     return false;

  333.   }

  334. 

  335.   TimeResults results;

  336.   if (direction == evp_aead_seal) {

  337.     if (!TimeFunction(&results,

  338.                       [chunk_len, nonce_len, ad_len, overhead_len, in, out, tag,

  339.                        &ctx, &nonce, &ad]() -> bool {

  340.                         size_t tag_len;

  341.                         return EVP_AEAD_CTX_seal_scatter(

  342.                             ctx.get(), out, tag, &tag_len, overhead_len,

  343.                             nonce.get(), nonce_len, in, chunk_len, nullptr, 0,

  344.                             ad.get(), ad_len);

  345.                       })) {

  346.       fprintf(stderr, "EVP_AEAD_CTX_seal failed.\n");

  347.       ERR_print_errors_fp(stderr);

  348.       return false;

  349.     }

  350.   } else {

  351.     size_t out_len;

  352.     EVP_AEAD_CTX_seal(ctx.get(), out, &out_len, chunk_len + overhead_len,

  353.                       nonce.get(), nonce_len, in, chunk_len, ad.get(), ad_len);

  354. 

  355.     ctx.Reset();

  356.     if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.get(), key_len,

  357.                                           EVP_AEAD_DEFAULT_TAG_LENGTH,

  358.                                           evp_aead_open)) {

  359.       fprintf(stderr, "Failed to create EVP_AEAD_CTX.\n");

  360.       ERR_print_errors_fp(stderr);

  361.       return false;

  362.     }

  363. 

  364.     if (!TimeFunction(&results,

  365.                       [chunk_len, overhead_len, nonce_len, ad_len, in2, out,

  366.                        out_len, &ctx, &nonce, &ad]() -> bool {

  367.                         size_t in2_len;

  368.                         // N.B. EVP_AEAD_CTX_open_gather is not implemented for

  369.                         // all AEADs.

  370.                         return EVP_AEAD_CTX_open(ctx.get(), in2, &in2_len,

  371.                                                  chunk_len + overhead_len,

  372.                                                  nonce.get(), nonce_len, out,

  373.                                                  out_len, ad.get(), ad_len);

  374.                       })) {

  375.       fprintf(stderr, "EVP_AEAD_CTX_open failed.\n");

  376.       ERR_print_errors_fp(stderr);

  377.       return false;

  378.     }

  379.   }

  380. 

  381.   results.PrintWithBytes(

  382.       name + (direction == evp_aead_seal ? " seal" : " open"), chunk_len);

  383.   return true;

  384. }

  385. 

  386. static bool SpeedAEAD(const EVP_AEAD *aead, const std::string &name,

  387.                       size_t ad_len, const std::string &selected) {

  388.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  389.     return true;

  390.   }

  391. 

  392.   return SpeedAEADChunk(aead, name + " (16 bytes)", 16, ad_len,

  393.                         evp_aead_seal) &&

  394.          SpeedAEADChunk(aead, name + " (1350 bytes)", 1350, ad_len,

  395.                         evp_aead_seal) &&

  396.          SpeedAEADChunk(aead, name + " (8192 bytes)", 8192, ad_len,

  397.                         evp_aead_seal);

  398. }

  399. 

  400. static bool SpeedAEADOpen(const EVP_AEAD *aead, const std::string &name,

  401.                           size_t ad_len, const std::string &selected) {

  402.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  403.     return true;

  404.   }

  405. 

  406.   return SpeedAEADChunk(aead, name + " (16 bytes)", 16, ad_len,

  407.                         evp_aead_open) &&

  408.          SpeedAEADChunk(aead, name + " (1350 bytes)", 1350, ad_len,

  409.                         evp_aead_open) &&

  410.          SpeedAEADChunk(aead, name + " (8192 bytes)", 8192, ad_len,

  411.                         evp_aead_open);

  412. }

  413. 

  414. static bool SpeedHashChunk(const EVP_MD *md, const std::string &name,

  415.                            size_t chunk_len) {

  416.   bssl::ScopedEVP_MD_CTX ctx;

  417.   uint8_t scratch[8192];

  418. 

  419.   if (chunk_len > sizeof(scratch)) {

  420.     return false;

  421.   }

  422. 

  423.   TimeResults results;

  424.   if (!TimeFunction(&results, [&ctx, md, chunk_len, &scratch]() -> bool {

  425.         uint8_t digest[EVP_MAX_MD_SIZE];

  426.         unsigned int md_len;

  427. 

  428.         return EVP_DigestInit_ex(ctx.get(), md, NULL /* ENGINE */) &&

  429.                EVP_DigestUpdate(ctx.get(), scratch, chunk_len) &&

  430.                EVP_DigestFinal_ex(ctx.get(), digest, &md_len);

  431.       })) {

  432.     fprintf(stderr, "EVP_DigestInit_ex failed.\n");

  433.     ERR_print_errors_fp(stderr);

  434.     return false;

  435.   }

  436. 

  437.   results.PrintWithBytes(name, chunk_len);

  438.   return true;

  439. }

  440. static bool SpeedHash(const EVP_MD *md, const std::string &name,

  441.                       const std::string &selected) {

  442.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  443.     return true;

  444.   }

  445. 

  446.   return SpeedHashChunk(md, name + " (16 bytes)", 16) &&

  447.          SpeedHashChunk(md, name + " (256 bytes)", 256) &&

  448.          SpeedHashChunk(md, name + " (8192 bytes)", 8192);

  449. }

  450. 

  451. static bool SpeedRandomChunk(const std::string &name, size_t chunk_len) {

  452.   uint8_t scratch[8192];

  453. 

  454.   if (chunk_len > sizeof(scratch)) {

  455.     return false;

  456.   }

  457. 

  458.   TimeResults results;

  459.   if (!TimeFunction(&results, [chunk_len, &scratch]() -> bool {

  460.         RAND_bytes(scratch, chunk_len);

  461.         return true;

  462.       })) {

  463.     return false;

  464.   }

  465. 

  466.   results.PrintWithBytes(name, chunk_len);

  467.   return true;

  468. }

  469. 

  470. static bool SpeedRandom(const std::string &selected) {

  471.   if (!selected.empty() && selected != "RNG") {

  472.     return true;

  473.   }

  474. 

  475.   return SpeedRandomChunk("RNG (16 bytes)", 16) &&

  476.          SpeedRandomChunk("RNG (256 bytes)", 256) &&

  477.          SpeedRandomChunk("RNG (8192 bytes)", 8192);

  478. }

  479. 

  480. static bool SpeedECDHCurve(const std::string &name, int nid,

  481.                            const std::string &selected) {

  482.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  483.     return true;

  484.   }

  485. 

  486.   bssl::UniquePtr<EC_KEY> peer_key(EC_KEY_new_by_curve_name(nid));

  487.   if (!peer_key ||

  488.       !EC_KEY_generate_key(peer_key.get())) {

  489.     return false;

  490.   }

  491. 

  492.   size_t peer_value_len = EC_POINT_point2oct(

  493.       EC_KEY_get0_group(peer_key.get()), EC_KEY_get0_public_key(peer_key.get()),

  494.       POINT_CONVERSION_UNCOMPRESSED, nullptr, 0, nullptr);

  495.   if (peer_value_len == 0) {

  496.     return false;

  497.   }

  498.   std::unique_ptr<uint8_t[]> peer_value(new uint8_t[peer_value_len]);

  499.   peer_value_len = EC_POINT_point2oct(

  500.       EC_KEY_get0_group(peer_key.get()), EC_KEY_get0_public_key(peer_key.get()),

  501.       POINT_CONVERSION_UNCOMPRESSED, peer_value.get(), peer_value_len, nullptr);

  502.   if (peer_value_len == 0) {

  503.     return false;

  504.   }

  505. 

  506.   TimeResults results;

  507.   if (!TimeFunction(&results, [nid, peer_value_len, &peer_value]() -> bool {

  508.         bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(nid));

  509.         if (!key ||

  510.             !EC_KEY_generate_key(key.get())) {

  511.           return false;

  512.         }

  513.         const EC_GROUP *const group = EC_KEY_get0_group(key.get());

  514.         bssl::UniquePtr<EC_POINT> point(EC_POINT_new(group));

  515.         bssl::UniquePtr<EC_POINT> peer_point(EC_POINT_new(group));

  516.         bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());

  517. 

  518.         bssl::UniquePtr<BIGNUM> x(BN_new());

  519.         bssl::UniquePtr<BIGNUM> y(BN_new());

  520. 

  521.         if (!point || !peer_point || !ctx || !x || !y ||

  522.             !EC_POINT_oct2point(group, peer_point.get(), peer_value.get(),

  523.                                 peer_value_len, ctx.get()) ||

  524.             !EC_POINT_mul(group, point.get(), NULL, peer_point.get(),

  525.                           EC_KEY_get0_private_key(key.get()), ctx.get()) ||

  526.             !EC_POINT_get_affine_coordinates_GFp(group, point.get(), x.get(),

  527.                                                  y.get(), ctx.get())) {

  528.           return false;

  529.         }

  530. 

  531.         return true;

  532.       })) {

  533.     return false;

  534.   }

  535. 

  536.   results.Print(name);

  537.   return true;

  538. }

  539. 

  540. static bool SpeedECDSACurve(const std::string &name, int nid,

  541.                             const std::string &selected) {

  542.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  543.     return true;

  544.   }

  545. 

  546.   bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(nid));

  547.   if (!key ||

  548.       !EC_KEY_generate_key(key.get())) {

  549.     return false;

  550.   }

  551. 

  552.   uint8_t signature[256];

  553.   if (ECDSA_size(key.get()) > sizeof(signature)) {

  554.     return false;

  555.   }

  556.   uint8_t digest[20];

  557.   OPENSSL_memset(digest, 42, sizeof(digest));

  558.   unsigned sig_len;

  559. 

  560.   TimeResults results;

  561.   if (!TimeFunction(&results, [&key, &signature, &digest, &sig_len]() -> bool {

  562.         return ECDSA_sign(0, digest, sizeof(digest), signature, &sig_len,

  563.                           key.get()) == 1;

  564.       })) {

  565.     return false;

  566.   }

  567. 

  568.   results.Print(name + " signing");

  569. 

  570.   if (!TimeFunction(&results, [&key, &signature, &digest, sig_len]() -> bool {

  571.         return ECDSA_verify(0, digest, sizeof(digest), signature, sig_len,

  572.                             key.get()) == 1;

  573.       })) {

  574.     return false;

  575.   }

  576. 

  577.   results.Print(name + " verify");

  578. 

  579.   return true;

  580. }

  581. 

  582. static bool SpeedECDH(const std::string &selected) {

  583.   return SpeedECDHCurve("ECDH P-224", NID_secp224r1, selected) &&

  584.          SpeedECDHCurve("ECDH P-256", NID_X9_62_prime256v1, selected) &&

  585.          SpeedECDHCurve("ECDH P-384", NID_secp384r1, selected) &&

  586.          SpeedECDHCurve("ECDH P-521", NID_secp521r1, selected);

  587. }

  588. 

  589. static bool SpeedECDSA(const std::string &selected) {

  590.   return SpeedECDSACurve("ECDSA P-224", NID_secp224r1, selected) &&

  591.          SpeedECDSACurve("ECDSA P-256", NID_X9_62_prime256v1, selected) &&

  592.          SpeedECDSACurve("ECDSA P-384", NID_secp384r1, selected) &&

  593.          SpeedECDSACurve("ECDSA P-521", NID_secp521r1, selected);

  594. }

  595. 

  596. static bool Speed25519(const std::string &selected) {

  597.   if (!selected.empty() && selected.find("25519") == std::string::npos) {

  598.     return true;

  599.   }

  600. 

  601.   TimeResults results;

  602. 

  603.   uint8_t public_key[32], private_key[64];

  604. 

  605.   if (!TimeFunction(&results, [&public_key, &private_key]() -> bool {

  606.         ED25519_keypair(public_key, private_key);

  607.         return true;

  608.       })) {

  609.     return false;

  610.   }

  611. 

  612.   results.Print("Ed25519 key generation");

  613. 

  614.   static const uint8_t kMessage[] = {0, 1, 2, 3, 4, 5};

  615.   uint8_t signature[64];

  616. 

  617.   if (!TimeFunction(&results, [&private_key, &signature]() -> bool {

  618.         return ED25519_sign(signature, kMessage, sizeof(kMessage),

  619.                             private_key) == 1;

  620.       })) {

  621.     return false;

  622.   }

  623. 

  624.   results.Print("Ed25519 signing");

  625. 

  626.   if (!TimeFunction(&results, [&public_key, &signature]() -> bool {

  627.         return ED25519_verify(kMessage, sizeof(kMessage), signature,

  628.                               public_key) == 1;

  629.       })) {

  630.     fprintf(stderr, "Ed25519 verify failed.\n");

  631.     return false;

  632.   }

  633. 

  634.   results.Print("Ed25519 verify");

  635. 

  636.   if (!TimeFunction(&results, []() -> bool {

  637.         uint8_t out[32], in[32];

  638.         OPENSSL_memset(in, 0, sizeof(in));

  639.         X25519_public_from_private(out, in);

  640.         return true;

  641.       })) {

  642.     fprintf(stderr, "Curve25519 base-point multiplication failed.\n");

  643.     return false;

  644.   }

  645. 

  646.   results.Print("Curve25519 base-point multiplication");

  647. 

  648.   if (!TimeFunction(&results, []() -> bool {

  649.         uint8_t out[32], in1[32], in2[32];

  650.         OPENSSL_memset(in1, 0, sizeof(in1));

  651.         OPENSSL_memset(in2, 0, sizeof(in2));

  652.         in1[0] = 1;

  653.         in2[0] = 9;

  654.         return X25519(out, in1, in2) == 1;

  655.       })) {

  656.     fprintf(stderr, "Curve25519 arbitrary point multiplication failed.\n");

  657.     return false;

  658.   }

  659. 

  660.   results.Print("Curve25519 arbitrary point multiplication");

  661. 

  662.   return true;

  663. }

  664. 

  665. static bool SpeedSPAKE2(const std::string &selected) {

  666.   if (!selected.empty() && selected.find("SPAKE2") == std::string::npos) {

  667.     return true;

  668.   }

  669. 

  670.   TimeResults results;

  671. 

  672.   static const uint8_t kAliceName[] = {'A'};

  673.   static const uint8_t kBobName[] = {'B'};

  674.   static const uint8_t kPassword[] = "password";

  675.   bssl::UniquePtr<SPAKE2_CTX> alice(SPAKE2_CTX_new(spake2_role_alice,

  676.                                     kAliceName, sizeof(kAliceName), kBobName,

  677.                                     sizeof(kBobName)));

  678.   uint8_t alice_msg[SPAKE2_MAX_MSG_SIZE];

  679.   size_t alice_msg_len;

  680. 

  681.   if (!SPAKE2_generate_msg(alice.get(), alice_msg, &alice_msg_len,

  682.                            sizeof(alice_msg),

  683.                            kPassword, sizeof(kPassword))) {

  684.     fprintf(stderr, "SPAKE2_generate_msg failed.\n");

  685.     return false;

  686.   }

  687. 

  688.   if (!TimeFunction(&results, [&alice_msg, alice_msg_len]() -> bool {

  689.         bssl::UniquePtr<SPAKE2_CTX> bob(SPAKE2_CTX_new(spake2_role_bob,

  690.                                         kBobName, sizeof(kBobName), kAliceName,

  691.                                         sizeof(kAliceName)));

  692.         uint8_t bob_msg[SPAKE2_MAX_MSG_SIZE], bob_key[64];

  693.         size_t bob_msg_len, bob_key_len;

  694.         if (!SPAKE2_generate_msg(bob.get(), bob_msg, &bob_msg_len,

  695.                                  sizeof(bob_msg), kPassword,

  696.                                  sizeof(kPassword)) ||

  697.             !SPAKE2_process_msg(bob.get(), bob_key, &bob_key_len,

  698.                                 sizeof(bob_key), alice_msg, alice_msg_len)) {

  699.           return false;

  700.         }

  701. 

  702.         return true;

  703.       })) {

  704.     fprintf(stderr, "SPAKE2 failed.\n");

  705.   }

  706. 

  707.   results.Print("SPAKE2 over Ed25519");

  708. 

  709.   return true;

  710. }

  711. 

  712. static bool SpeedScrypt(const std::string &selected) {

  713.   if (!selected.empty() && selected.find("scrypt") == std::string::npos) {

  714.     return true;

  715.   }

  716. 

  717.   TimeResults results;

  718. 

  719.   static const char kPassword[] = "password";

  720.   static const uint8_t kSalt[] = "NaCl";

  721. 

  722.   if (!TimeFunction(&results, [&]() -> bool {

  723.         uint8_t out[64];

  724.         return !!EVP_PBE_scrypt(kPassword, sizeof(kPassword) - 1, kSalt,

  725.                                 sizeof(kSalt) - 1, 1024, 8, 16, 0 /* max_mem */,

  726.                                 out, sizeof(out));

  727.       })) {

  728.     fprintf(stderr, "scrypt failed.\n");

  729.     return false;

  730.   }

  731.   results.Print("scrypt (N = 1024, r = 8, p = 16)");

  732. 

  733.   if (!TimeFunction(&results, [&]() -> bool {

  734.         uint8_t out[64];

  735.         return !!EVP_PBE_scrypt(kPassword, sizeof(kPassword) - 1, kSalt,

  736.                                 sizeof(kSalt) - 1, 16384, 8, 1, 0 /* max_mem */,

  737.                                 out, sizeof(out));

  738.       })) {

  739.     fprintf(stderr, "scrypt failed.\n");

  740.     return false;

  741.   }

  742.   results.Print("scrypt (N = 16384, r = 8, p = 1)");

  743. 

  744.   return true;

  745. }

  746. 

  747. static const struct argument kArguments[] = {

  748.     {

  749.      "-filter", kOptionalArgument,

  750.      "A filter on the speed tests to run",

  751.     },

  752.     {

  753.      "-timeout", kOptionalArgument,

  754.      "The number of seconds to run each test for (default is 1)",

  755.     },

  756.     {

  757.      "", kOptionalArgument, "",

  758.     },

  759. };

  760. 

  761. bool Speed(const std::vector<std::string> &args) {

  762.   std::map<std::string, std::string> args_map;

  763.   if (!ParseKeyValueArguments(&args_map, args, kArguments)) {

  764.     PrintUsage(kArguments);

  765.     return false;

  766.   }

  767. 

  768.   std::string selected;

  769.   if (args_map.count("-filter") != 0) {

  770.     selected = args_map["-filter"];

  771.   }

  772. 

  773.   if (args_map.count("-timeout") != 0) {

  774.     g_timeout_seconds = atoi(args_map["-timeout"].c_str());

  775.   }

  776. 

  777.   // kTLSADLen is the number of bytes of additional data that TLS passes to

  778.   // AEADs.

  779.   static const size_t kTLSADLen = 13;

  780.   // kLegacyADLen is the number of bytes that TLS passes to the "legacy" AEADs.

  781.   // These are AEADs that weren't originally defined as AEADs, but which we use

  782.   // via the AEAD interface. In order for that to work, they have some TLS

  783.   // knowledge in them and construct a couple of the AD bytes internally.

  784.   static const size_t kLegacyADLen = kTLSADLen - 2;

  785. 

  786.   if (!SpeedRSA(selected) ||

  787.       !SpeedAEAD(EVP_aead_aes_128_gcm(), "AES-128-GCM", kTLSADLen, selected) ||

  788.       !SpeedAEAD(EVP_aead_aes_256_gcm(), "AES-256-GCM", kTLSADLen, selected) ||

  789.       !SpeedAEAD(EVP_aead_chacha20_poly1305(), "ChaCha20-Poly1305", kTLSADLen,

  790.                  selected) ||

  791.       !SpeedAEAD(EVP_aead_des_ede3_cbc_sha1_tls(), "DES-EDE3-CBC-SHA1",

  792.                  kLegacyADLen, selected) ||

  793.       !SpeedAEAD(EVP_aead_aes_128_cbc_sha1_tls(), "AES-128-CBC-SHA1",

  794.                  kLegacyADLen, selected) ||

  795.       !SpeedAEAD(EVP_aead_aes_256_cbc_sha1_tls(), "AES-256-CBC-SHA1",

  796.                  kLegacyADLen, selected) ||

  797.       !SpeedAEADOpen(EVP_aead_aes_128_cbc_sha1_tls(), "AES-128-CBC-SHA1",

  798.                      kLegacyADLen, selected) ||

  799.       !SpeedAEADOpen(EVP_aead_aes_256_cbc_sha1_tls(), "AES-256-CBC-SHA1",

  800.                      kLegacyADLen, selected) ||

  801.       !SpeedAEAD(EVP_aead_aes_128_gcm_siv(), "AES-128-GCM-SIV", kTLSADLen,

  802.                  selected) ||

  803.       !SpeedAEAD(EVP_aead_aes_256_gcm_siv(), "AES-256-GCM-SIV", kTLSADLen,

  804.                  selected) ||

  805.       !SpeedAEADOpen(EVP_aead_aes_128_gcm_siv(), "AES-128-GCM-SIV", kTLSADLen,

  806.                      selected) ||

  807.       !SpeedAEADOpen(EVP_aead_aes_256_gcm_siv(), "AES-256-GCM-SIV", kTLSADLen,

  808.                      selected) ||

  809.       !SpeedAEAD(EVP_aead_aes_128_ccm_bluetooth(), "AES-128-CCM-Bluetooth",

  810.                  kTLSADLen, selected) ||

  811.       !SpeedHash(EVP_sha1(), "SHA-1", selected) ||

  812.       !SpeedHash(EVP_sha256(), "SHA-256", selected) ||

  813.       !SpeedHash(EVP_sha512(), "SHA-512", selected) ||

  814.       !SpeedRandom(selected) ||

  815.       !SpeedECDH(selected) ||

  816.       !SpeedECDSA(selected) ||

  817.       !Speed25519(selected) ||

  818.       !SpeedSPAKE2(selected) ||

  819.       !SpeedScrypt(selected) ||

  820.       !SpeedRSAKeyGen(selected)) {

  821.     return false;

  822.   }

  823. 

  824.   return true;

  825. }