kris
/
boringssl
1
0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 0 위키 활동
25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5667 커밋
12 브랜치
38 MiB
 
 
 
 
 
 
트리: 9978f0a865
브랜치 태그
${ item.name }
${ searchTerm } 브랜치 생성
from '9978f0a865'
${ noResults }
boringssl/tool/speed.cc

883 lines
28 KiB
Raw Blame 히스토리 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <algorithm>

  16. #include <string>

  17. #include <functional>

  18. #include <memory>

  19. #include <vector>

  20. 

  21. #include <assert.h>

  22. #include <stdint.h>

  23. #include <stdlib.h>

  24. #include <string.h>

  25. 

  26. #include <openssl/aead.h>

  27. #include <openssl/bn.h>

  28. #include <openssl/curve25519.h>

  29. #include <openssl/digest.h>

  30. #include <openssl/err.h>

  31. #include <openssl/ec.h>

  32. #include <openssl/ecdsa.h>

  33. #include <openssl/ec_key.h>

  34. #include <openssl/evp.h>

  35. #include <openssl/hrss.h>

  36. #include <openssl/nid.h>

  37. #include <openssl/rand.h>

  38. #include <openssl/rsa.h>

  39. 

  40. #if defined(OPENSSL_WINDOWS)

  41. OPENSSL_MSVC_PRAGMA(warning(push, 3))

  42. #include <windows.h>

  43. OPENSSL_MSVC_PRAGMA(warning(pop))

  44. #elif defined(OPENSSL_APPLE)

  45. #include <sys/time.h>

  46. #else

  47. #include <time.h>

  48. #endif

  49. 

  50. #include "../crypto/internal.h"

  51. #include "internal.h"

  52. 

  53. 

  54. // TimeResults represents the results of benchmarking a function.

  55. struct TimeResults {

  56.   // num_calls is the number of function calls done in the time period.

  57.   unsigned num_calls;

  58.   // us is the number of microseconds that elapsed in the time period.

  59.   unsigned us;

  60. 

  61.   void Print(const std::string &description) {

  62.     printf("Did %u %s operations in %uus (%.1f ops/sec)\n", num_calls,

  63.            description.c_str(), us,

  64.            (static_cast<double>(num_calls) / us) * 1000000);

  65.   }

  66. 

  67.   void PrintWithBytes(const std::string &description, size_t bytes_per_call) {

  68.     printf("Did %u %s operations in %uus (%.1f ops/sec): %.1f MB/s\n",

  69.            num_calls, description.c_str(), us,

  70.            (static_cast<double>(num_calls) / us) * 1000000,

  71.            static_cast<double>(bytes_per_call * num_calls) / us);

  72.   }

  73. };

  74. 

  75. #if defined(OPENSSL_WINDOWS)

  76. static uint64_t time_now() { return GetTickCount64() * 1000; }

  77. #elif defined(OPENSSL_APPLE)

  78. static uint64_t time_now() {

  79.   struct timeval tv;

  80.   uint64_t ret;

  81. 

  82.   gettimeofday(&tv, NULL);

  83.   ret = tv.tv_sec;

  84.   ret *= 1000000;

  85.   ret += tv.tv_usec;

  86.   return ret;

  87. }

  88. #else

  89. static uint64_t time_now() {

  90.   struct timespec ts;

  91.   clock_gettime(CLOCK_MONOTONIC, &ts);

  92. 

  93.   uint64_t ret = ts.tv_sec;

  94.   ret *= 1000000;

  95.   ret += ts.tv_nsec / 1000;

  96.   return ret;

  97. }

  98. #endif

  99. 

  100. static uint64_t g_timeout_seconds = 1;

  101. 

  102. static bool TimeFunction(TimeResults *results, std::function<bool()> func) {

  103.   // total_us is the total amount of time that we'll aim to measure a function

  104.   // for.

  105.   const uint64_t total_us = g_timeout_seconds * 1000000;

  106.   uint64_t start = time_now(), now, delta;

  107.   unsigned done = 0, iterations_between_time_checks;

  108. 

  109.   if (!func()) {

  110.     return false;

  111.   }

  112.   now = time_now();

  113.   delta = now - start;

  114.   if (delta == 0) {

  115.     iterations_between_time_checks = 250;

  116.   } else {

  117.     // Aim for about 100ms between time checks.

  118.     iterations_between_time_checks =

  119.         static_cast<double>(100000) / static_cast<double>(delta);

  120.     if (iterations_between_time_checks > 1000) {

  121.       iterations_between_time_checks = 1000;

  122.     } else if (iterations_between_time_checks < 1) {

  123.       iterations_between_time_checks = 1;

  124.     }

  125.   }

  126. 

  127.   for (;;) {

  128.     for (unsigned i = 0; i < iterations_between_time_checks; i++) {

  129.       if (!func()) {

  130.         return false;

  131.       }

  132.       done++;

  133.     }

  134. 

  135.     now = time_now();

  136.     if (now - start > total_us) {

  137.       break;

  138.     }

  139.   }

  140. 

  141.   results->us = now - start;

  142.   results->num_calls = done;

  143.   return true;

  144. }

  145. 

  146. static bool SpeedRSA(const std::string &selected) {

  147.   if (!selected.empty() && selected.find("RSA") == std::string::npos) {

  148.     return true;

  149.   }

  150. 

  151.   static const struct {

  152.     const char *name;

  153.     const uint8_t *key;

  154.     const size_t key_len;

  155.   } kRSAKeys[] = {

  156.     {"RSA 2048", kDERRSAPrivate2048, kDERRSAPrivate2048Len},

  157.     {"RSA 4096", kDERRSAPrivate4096, kDERRSAPrivate4096Len},

  158.   };

  159. 

  160.   for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kRSAKeys); i++) {

  161.     const std::string name = kRSAKeys[i].name;

  162. 

  163.     bssl::UniquePtr<RSA> key(

  164.         RSA_private_key_from_bytes(kRSAKeys[i].key, kRSAKeys[i].key_len));

  165.     if (key == nullptr) {

  166.       fprintf(stderr, "Failed to parse %s key.\n", name.c_str());

  167.       ERR_print_errors_fp(stderr);

  168.       return false;

  169.     }

  170. 

  171.     std::unique_ptr<uint8_t[]> sig(new uint8_t[RSA_size(key.get())]);

  172.     const uint8_t fake_sha256_hash[32] = {0};

  173.     unsigned sig_len;

  174. 

  175.     TimeResults results;

  176.     if (!TimeFunction(&results,

  177.                       [&key, &sig, &fake_sha256_hash, &sig_len]() -> bool {

  178.           // Usually during RSA signing we're using a long-lived |RSA| that has

  179.           // already had all of its |BN_MONT_CTX|s constructed, so it makes

  180.           // sense to use |key| directly here.

  181.           return RSA_sign(NID_sha256, fake_sha256_hash, sizeof(fake_sha256_hash),

  182.                           sig.get(), &sig_len, key.get());

  183.         })) {

  184.       fprintf(stderr, "RSA_sign failed.\n");

  185.       ERR_print_errors_fp(stderr);

  186.       return false;

  187.     }

  188.     results.Print(name + " signing");

  189. 

  190.     if (!TimeFunction(&results,

  191.                       [&key, &fake_sha256_hash, &sig, sig_len]() -> bool {

  192.           return RSA_verify(

  193.               NID_sha256, fake_sha256_hash, sizeof(fake_sha256_hash),

  194.               sig.get(), sig_len, key.get());

  195.         })) {

  196.       fprintf(stderr, "RSA_verify failed.\n");

  197.       ERR_print_errors_fp(stderr);

  198.       return false;

  199.     }

  200.     results.Print(name + " verify (same key)");

  201. 

  202.     if (!TimeFunction(&results,

  203.                       [&key, &fake_sha256_hash, &sig, sig_len]() -> bool {

  204.           // Usually during RSA verification we have to parse an RSA key from a

  205.           // certificate or similar, in which case we'd need to construct a new

  206.           // RSA key, with a new |BN_MONT_CTX| for the public modulus. If we

  207.           // were to use |key| directly instead, then these costs wouldn't be

  208.           // accounted for.

  209.           bssl::UniquePtr<RSA> verify_key(RSA_new());

  210.           if (!verify_key) {

  211.             return false;

  212.           }

  213.           verify_key->n = BN_dup(key->n);

  214.           verify_key->e = BN_dup(key->e);

  215.           if (!verify_key->n ||

  216.               !verify_key->e) {

  217.             return false;

  218.           }

  219.           return RSA_verify(NID_sha256, fake_sha256_hash,

  220.                             sizeof(fake_sha256_hash), sig.get(), sig_len,

  221.                             verify_key.get());

  222.         })) {

  223.       fprintf(stderr, "RSA_verify failed.\n");

  224.       ERR_print_errors_fp(stderr);

  225.       return false;

  226.     }

  227.     results.Print(name + " verify (fresh key)");

  228.   }

  229. 

  230.   return true;

  231. }

  232. 

  233. static bool SpeedRSAKeyGen(const std::string &selected) {

  234.   // Don't run this by default because it's so slow.

  235.   if (selected != "RSAKeyGen") {

  236.     return true;

  237.   }

  238. 

  239.   bssl::UniquePtr<BIGNUM> e(BN_new());

  240.   if (!BN_set_word(e.get(), 65537)) {

  241.     return false;

  242.   }

  243. 

  244.   const std::vector<int> kSizes = {2048, 3072, 4096};

  245.   for (int size : kSizes) {

  246.     const uint64_t start = time_now();

  247.     unsigned num_calls = 0;

  248.     unsigned us;

  249.     std::vector<unsigned> durations;

  250. 

  251.     for (;;) {

  252.       bssl::UniquePtr<RSA> rsa(RSA_new());

  253. 

  254.       const uint64_t iteration_start = time_now();

  255.       if (!RSA_generate_key_ex(rsa.get(), size, e.get(), nullptr)) {

  256.         fprintf(stderr, "RSA_generate_key_ex failed.\n");

  257.         ERR_print_errors_fp(stderr);

  258.         return false;

  259.       }

  260.       const uint64_t iteration_end = time_now();

  261. 

  262.       num_calls++;

  263.       durations.push_back(iteration_end - iteration_start);

  264. 

  265.       us = iteration_end - start;

  266.       if (us > 30 * 1000000 /* 30 secs */) {

  267.         break;

  268.       }

  269.     }

  270. 

  271.     std::sort(durations.begin(), durations.end());

  272.     printf("Did %u RSA %d key-gen operations in %uus (%.1f ops/sec)\n",

  273.            num_calls, size, us,

  274.            (static_cast<double>(num_calls) / us) * 1000000);

  275.     const size_t n = durations.size();

  276.     assert(n > 0);

  277.     unsigned median = n & 1 ? durations[n / 2]

  278.                             : (durations[n / 2 - 1] + durations[n / 2]) / 2;

  279.     printf("  min: %uus, median: %uus, max: %uus\n", durations[0], median,

  280.            durations[n - 1]);

  281.   }

  282. 

  283.   return true;

  284. }

  285. 

  286. static uint8_t *align(uint8_t *in, unsigned alignment) {

  287.   return reinterpret_cast<uint8_t *>(

  288.       (reinterpret_cast<uintptr_t>(in) + alignment) &

  289.       ~static_cast<size_t>(alignment - 1));

  290. }

  291. 

  292. static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,

  293.                            size_t chunk_len, size_t ad_len,

  294.                            evp_aead_direction_t direction) {

  295.   static const unsigned kAlignment = 16;

  296. 

  297.   bssl::ScopedEVP_AEAD_CTX ctx;

  298.   const size_t key_len = EVP_AEAD_key_length(aead);

  299.   const size_t nonce_len = EVP_AEAD_nonce_length(aead);

  300.   const size_t overhead_len = EVP_AEAD_max_overhead(aead);

  301. 

  302.   std::unique_ptr<uint8_t[]> key(new uint8_t[key_len]);

  303.   OPENSSL_memset(key.get(), 0, key_len);

  304.   std::unique_ptr<uint8_t[]> nonce(new uint8_t[nonce_len]);

  305.   OPENSSL_memset(nonce.get(), 0, nonce_len);

  306.   std::unique_ptr<uint8_t[]> in_storage(new uint8_t[chunk_len + kAlignment]);

  307.   // N.B. for EVP_AEAD_CTX_seal_scatter the input and output buffers may be the

  308.   // same size. However, in the direction == evp_aead_open case we still use

  309.   // non-scattering seal, hence we add overhead_len to the size of this buffer.

  310.   std::unique_ptr<uint8_t[]> out_storage(

  311.       new uint8_t[chunk_len + overhead_len + kAlignment]);

  312.   std::unique_ptr<uint8_t[]> in2_storage(

  313.       new uint8_t[chunk_len + overhead_len + kAlignment]);

  314.   std::unique_ptr<uint8_t[]> ad(new uint8_t[ad_len]);

  315.   OPENSSL_memset(ad.get(), 0, ad_len);

  316.   std::unique_ptr<uint8_t[]> tag_storage(

  317.       new uint8_t[overhead_len + kAlignment]);

  318. 

  319. 

  320.   uint8_t *const in = align(in_storage.get(), kAlignment);

  321.   OPENSSL_memset(in, 0, chunk_len);

  322.   uint8_t *const out = align(out_storage.get(), kAlignment);

  323.   OPENSSL_memset(out, 0, chunk_len + overhead_len);

  324.   uint8_t *const tag = align(tag_storage.get(), kAlignment);

  325.   OPENSSL_memset(tag, 0, overhead_len);

  326.   uint8_t *const in2 = align(in2_storage.get(), kAlignment);

  327. 

  328.   if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.get(), key_len,

  329.                                         EVP_AEAD_DEFAULT_TAG_LENGTH,

  330.                                         evp_aead_seal)) {

  331.     fprintf(stderr, "Failed to create EVP_AEAD_CTX.\n");

  332.     ERR_print_errors_fp(stderr);

  333.     return false;

  334.   }

  335. 

  336.   TimeResults results;

  337.   if (direction == evp_aead_seal) {

  338.     if (!TimeFunction(&results,

  339.                       [chunk_len, nonce_len, ad_len, overhead_len, in, out, tag,

  340.                        &ctx, &nonce, &ad]() -> bool {

  341.                         size_t tag_len;

  342.                         return EVP_AEAD_CTX_seal_scatter(

  343.                             ctx.get(), out, tag, &tag_len, overhead_len,

  344.                             nonce.get(), nonce_len, in, chunk_len, nullptr, 0,

  345.                             ad.get(), ad_len);

  346.                       })) {

  347.       fprintf(stderr, "EVP_AEAD_CTX_seal failed.\n");

  348.       ERR_print_errors_fp(stderr);

  349.       return false;

  350.     }

  351.   } else {

  352.     size_t out_len;

  353.     EVP_AEAD_CTX_seal(ctx.get(), out, &out_len, chunk_len + overhead_len,

  354.                       nonce.get(), nonce_len, in, chunk_len, ad.get(), ad_len);

  355. 

  356.     ctx.Reset();

  357.     if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.get(), key_len,

  358.                                           EVP_AEAD_DEFAULT_TAG_LENGTH,

  359.                                           evp_aead_open)) {

  360.       fprintf(stderr, "Failed to create EVP_AEAD_CTX.\n");

  361.       ERR_print_errors_fp(stderr);

  362.       return false;

  363.     }

  364. 

  365.     if (!TimeFunction(&results,

  366.                       [chunk_len, overhead_len, nonce_len, ad_len, in2, out,

  367.                        out_len, &ctx, &nonce, &ad]() -> bool {

  368.                         size_t in2_len;

  369.                         // N.B. EVP_AEAD_CTX_open_gather is not implemented for

  370.                         // all AEADs.

  371.                         return EVP_AEAD_CTX_open(ctx.get(), in2, &in2_len,

  372.                                                  chunk_len + overhead_len,

  373.                                                  nonce.get(), nonce_len, out,

  374.                                                  out_len, ad.get(), ad_len);

  375.                       })) {

  376.       fprintf(stderr, "EVP_AEAD_CTX_open failed.\n");

  377.       ERR_print_errors_fp(stderr);

  378.       return false;

  379.     }

  380.   }

  381. 

  382.   results.PrintWithBytes(

  383.       name + (direction == evp_aead_seal ? " seal" : " open"), chunk_len);

  384.   return true;

  385. }

  386. 

  387. static bool SpeedAEAD(const EVP_AEAD *aead, const std::string &name,

  388.                       size_t ad_len, const std::string &selected) {

  389.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  390.     return true;

  391.   }

  392. 

  393.   return SpeedAEADChunk(aead, name + " (16 bytes)", 16, ad_len,

  394.                         evp_aead_seal) &&

  395.          SpeedAEADChunk(aead, name + " (1350 bytes)", 1350, ad_len,

  396.                         evp_aead_seal) &&

  397.          SpeedAEADChunk(aead, name + " (8192 bytes)", 8192, ad_len,

  398.                         evp_aead_seal);

  399. }

  400. 

  401. static bool SpeedAEADOpen(const EVP_AEAD *aead, const std::string &name,

  402.                           size_t ad_len, const std::string &selected) {

  403.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  404.     return true;

  405.   }

  406. 

  407.   return SpeedAEADChunk(aead, name + " (16 bytes)", 16, ad_len,

  408.                         evp_aead_open) &&

  409.          SpeedAEADChunk(aead, name + " (1350 bytes)", 1350, ad_len,

  410.                         evp_aead_open) &&

  411.          SpeedAEADChunk(aead, name + " (8192 bytes)", 8192, ad_len,

  412.                         evp_aead_open);

  413. }

  414. 

  415. static bool SpeedHashChunk(const EVP_MD *md, const std::string &name,

  416.                            size_t chunk_len) {

  417.   bssl::ScopedEVP_MD_CTX ctx;

  418.   uint8_t scratch[8192];

  419. 

  420.   if (chunk_len > sizeof(scratch)) {

  421.     return false;

  422.   }

  423. 

  424.   TimeResults results;

  425.   if (!TimeFunction(&results, [&ctx, md, chunk_len, &scratch]() -> bool {

  426.         uint8_t digest[EVP_MAX_MD_SIZE];

  427.         unsigned int md_len;

  428. 

  429.         return EVP_DigestInit_ex(ctx.get(), md, NULL /* ENGINE */) &&

  430.                EVP_DigestUpdate(ctx.get(), scratch, chunk_len) &&

  431.                EVP_DigestFinal_ex(ctx.get(), digest, &md_len);

  432.       })) {

  433.     fprintf(stderr, "EVP_DigestInit_ex failed.\n");

  434.     ERR_print_errors_fp(stderr);

  435.     return false;

  436.   }

  437. 

  438.   results.PrintWithBytes(name, chunk_len);

  439.   return true;

  440. }

  441. static bool SpeedHash(const EVP_MD *md, const std::string &name,

  442.                       const std::string &selected) {

  443.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  444.     return true;

  445.   }

  446. 

  447.   return SpeedHashChunk(md, name + " (16 bytes)", 16) &&

  448.          SpeedHashChunk(md, name + " (256 bytes)", 256) &&

  449.          SpeedHashChunk(md, name + " (8192 bytes)", 8192);

  450. }

  451. 

  452. static bool SpeedRandomChunk(const std::string &name, size_t chunk_len) {

  453.   uint8_t scratch[8192];

  454. 

  455.   if (chunk_len > sizeof(scratch)) {

  456.     return false;

  457.   }

  458. 

  459.   TimeResults results;

  460.   if (!TimeFunction(&results, [chunk_len, &scratch]() -> bool {

  461.         RAND_bytes(scratch, chunk_len);

  462.         return true;

  463.       })) {

  464.     return false;

  465.   }

  466. 

  467.   results.PrintWithBytes(name, chunk_len);

  468.   return true;

  469. }

  470. 

  471. static bool SpeedRandom(const std::string &selected) {

  472.   if (!selected.empty() && selected != "RNG") {

  473.     return true;

  474.   }

  475. 

  476.   return SpeedRandomChunk("RNG (16 bytes)", 16) &&

  477.          SpeedRandomChunk("RNG (256 bytes)", 256) &&

  478.          SpeedRandomChunk("RNG (8192 bytes)", 8192);

  479. }

  480. 

  481. static bool SpeedECDHCurve(const std::string &name, int nid,

  482.                            const std::string &selected) {

  483.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  484.     return true;

  485.   }

  486. 

  487.   bssl::UniquePtr<EC_KEY> peer_key(EC_KEY_new_by_curve_name(nid));

  488.   if (!peer_key ||

  489.       !EC_KEY_generate_key(peer_key.get())) {

  490.     return false;

  491.   }

  492. 

  493.   size_t peer_value_len = EC_POINT_point2oct(

  494.       EC_KEY_get0_group(peer_key.get()), EC_KEY_get0_public_key(peer_key.get()),

  495.       POINT_CONVERSION_UNCOMPRESSED, nullptr, 0, nullptr);

  496.   if (peer_value_len == 0) {

  497.     return false;

  498.   }

  499.   std::unique_ptr<uint8_t[]> peer_value(new uint8_t[peer_value_len]);

  500.   peer_value_len = EC_POINT_point2oct(

  501.       EC_KEY_get0_group(peer_key.get()), EC_KEY_get0_public_key(peer_key.get()),

  502.       POINT_CONVERSION_UNCOMPRESSED, peer_value.get(), peer_value_len, nullptr);

  503.   if (peer_value_len == 0) {

  504.     return false;

  505.   }

  506. 

  507.   TimeResults results;

  508.   if (!TimeFunction(&results, [nid, peer_value_len, &peer_value]() -> bool {

  509.         bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(nid));

  510.         if (!key ||

  511.             !EC_KEY_generate_key(key.get())) {

  512.           return false;

  513.         }

  514.         const EC_GROUP *const group = EC_KEY_get0_group(key.get());

  515.         bssl::UniquePtr<EC_POINT> point(EC_POINT_new(group));

  516.         bssl::UniquePtr<EC_POINT> peer_point(EC_POINT_new(group));

  517.         bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());

  518. 

  519.         bssl::UniquePtr<BIGNUM> x(BN_new());

  520.         bssl::UniquePtr<BIGNUM> y(BN_new());

  521. 

  522.         if (!point || !peer_point || !ctx || !x || !y ||

  523.             !EC_POINT_oct2point(group, peer_point.get(), peer_value.get(),

  524.                                 peer_value_len, ctx.get()) ||

  525.             !EC_POINT_mul(group, point.get(), NULL, peer_point.get(),

  526.                           EC_KEY_get0_private_key(key.get()), ctx.get()) ||

  527.             !EC_POINT_get_affine_coordinates_GFp(group, point.get(), x.get(),

  528.                                                  y.get(), ctx.get())) {

  529.           return false;

  530.         }

  531. 

  532.         return true;

  533.       })) {

  534.     return false;

  535.   }

  536. 

  537.   results.Print(name);

  538.   return true;

  539. }

  540. 

  541. static bool SpeedECDSACurve(const std::string &name, int nid,

  542.                             const std::string &selected) {

  543.   if (!selected.empty() && name.find(selected) == std::string::npos) {

  544.     return true;

  545.   }

  546. 

  547.   bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(nid));

  548.   if (!key ||

  549.       !EC_KEY_generate_key(key.get())) {

  550.     return false;

  551.   }

  552. 

  553.   uint8_t signature[256];

  554.   if (ECDSA_size(key.get()) > sizeof(signature)) {

  555.     return false;

  556.   }

  557.   uint8_t digest[20];

  558.   OPENSSL_memset(digest, 42, sizeof(digest));

  559.   unsigned sig_len;

  560. 

  561.   TimeResults results;

  562.   if (!TimeFunction(&results, [&key, &signature, &digest, &sig_len]() -> bool {

  563.         return ECDSA_sign(0, digest, sizeof(digest), signature, &sig_len,

  564.                           key.get()) == 1;

  565.       })) {

  566.     return false;

  567.   }

  568. 

  569.   results.Print(name + " signing");

  570. 

  571.   if (!TimeFunction(&results, [&key, &signature, &digest, sig_len]() -> bool {

  572.         return ECDSA_verify(0, digest, sizeof(digest), signature, sig_len,

  573.                             key.get()) == 1;

  574.       })) {

  575.     return false;

  576.   }

  577. 

  578.   results.Print(name + " verify");

  579. 

  580.   return true;

  581. }

  582. 

  583. static bool SpeedECDH(const std::string &selected) {

  584.   return SpeedECDHCurve("ECDH P-224", NID_secp224r1, selected) &&

  585.          SpeedECDHCurve("ECDH P-256", NID_X9_62_prime256v1, selected) &&

  586.          SpeedECDHCurve("ECDH P-384", NID_secp384r1, selected) &&

  587.          SpeedECDHCurve("ECDH P-521", NID_secp521r1, selected);

  588. }

  589. 

  590. static bool SpeedECDSA(const std::string &selected) {

  591.   return SpeedECDSACurve("ECDSA P-224", NID_secp224r1, selected) &&

  592.          SpeedECDSACurve("ECDSA P-256", NID_X9_62_prime256v1, selected) &&

  593.          SpeedECDSACurve("ECDSA P-384", NID_secp384r1, selected) &&

  594.          SpeedECDSACurve("ECDSA P-521", NID_secp521r1, selected);

  595. }

  596. 

  597. static bool Speed25519(const std::string &selected) {

  598.   if (!selected.empty() && selected.find("25519") == std::string::npos) {

  599.     return true;

  600.   }

  601. 

  602.   TimeResults results;

  603. 

  604.   uint8_t public_key[32], private_key[64];

  605. 

  606.   if (!TimeFunction(&results, [&public_key, &private_key]() -> bool {

  607.         ED25519_keypair(public_key, private_key);

  608.         return true;

  609.       })) {

  610.     return false;

  611.   }

  612. 

  613.   results.Print("Ed25519 key generation");

  614. 

  615.   static const uint8_t kMessage[] = {0, 1, 2, 3, 4, 5};

  616.   uint8_t signature[64];

  617. 

  618.   if (!TimeFunction(&results, [&private_key, &signature]() -> bool {

  619.         return ED25519_sign(signature, kMessage, sizeof(kMessage),

  620.                             private_key) == 1;

  621.       })) {

  622.     return false;

  623.   }

  624. 

  625.   results.Print("Ed25519 signing");

  626. 

  627.   if (!TimeFunction(&results, [&public_key, &signature]() -> bool {

  628.         return ED25519_verify(kMessage, sizeof(kMessage), signature,

  629.                               public_key) == 1;

  630.       })) {

  631.     fprintf(stderr, "Ed25519 verify failed.\n");

  632.     return false;

  633.   }

  634. 

  635.   results.Print("Ed25519 verify");

  636. 

  637.   if (!TimeFunction(&results, []() -> bool {

  638.         uint8_t out[32], in[32];

  639.         OPENSSL_memset(in, 0, sizeof(in));

  640.         X25519_public_from_private(out, in);

  641.         return true;

  642.       })) {

  643.     fprintf(stderr, "Curve25519 base-point multiplication failed.\n");

  644.     return false;

  645.   }

  646. 

  647.   results.Print("Curve25519 base-point multiplication");

  648. 

  649.   if (!TimeFunction(&results, []() -> bool {

  650.         uint8_t out[32], in1[32], in2[32];

  651.         OPENSSL_memset(in1, 0, sizeof(in1));

  652.         OPENSSL_memset(in2, 0, sizeof(in2));

  653.         in1[0] = 1;

  654.         in2[0] = 9;

  655.         return X25519(out, in1, in2) == 1;

  656.       })) {

  657.     fprintf(stderr, "Curve25519 arbitrary point multiplication failed.\n");

  658.     return false;

  659.   }

  660. 

  661.   results.Print("Curve25519 arbitrary point multiplication");

  662. 

  663.   return true;

  664. }

  665. 

  666. static bool SpeedSPAKE2(const std::string &selected) {

  667.   if (!selected.empty() && selected.find("SPAKE2") == std::string::npos) {

  668.     return true;

  669.   }

  670. 

  671.   TimeResults results;

  672. 

  673.   static const uint8_t kAliceName[] = {'A'};

  674.   static const uint8_t kBobName[] = {'B'};

  675.   static const uint8_t kPassword[] = "password";

  676.   bssl::UniquePtr<SPAKE2_CTX> alice(SPAKE2_CTX_new(spake2_role_alice,

  677.                                     kAliceName, sizeof(kAliceName), kBobName,

  678.                                     sizeof(kBobName)));

  679.   uint8_t alice_msg[SPAKE2_MAX_MSG_SIZE];

  680.   size_t alice_msg_len;

  681. 

  682.   if (!SPAKE2_generate_msg(alice.get(), alice_msg, &alice_msg_len,

  683.                            sizeof(alice_msg),

  684.                            kPassword, sizeof(kPassword))) {

  685.     fprintf(stderr, "SPAKE2_generate_msg failed.\n");

  686.     return false;

  687.   }

  688. 

  689.   if (!TimeFunction(&results, [&alice_msg, alice_msg_len]() -> bool {

  690.         bssl::UniquePtr<SPAKE2_CTX> bob(SPAKE2_CTX_new(spake2_role_bob,

  691.                                         kBobName, sizeof(kBobName), kAliceName,

  692.                                         sizeof(kAliceName)));

  693.         uint8_t bob_msg[SPAKE2_MAX_MSG_SIZE], bob_key[64];

  694.         size_t bob_msg_len, bob_key_len;

  695.         if (!SPAKE2_generate_msg(bob.get(), bob_msg, &bob_msg_len,

  696.                                  sizeof(bob_msg), kPassword,

  697.                                  sizeof(kPassword)) ||

  698.             !SPAKE2_process_msg(bob.get(), bob_key, &bob_key_len,

  699.                                 sizeof(bob_key), alice_msg, alice_msg_len)) {

  700.           return false;

  701.         }

  702. 

  703.         return true;

  704.       })) {

  705.     fprintf(stderr, "SPAKE2 failed.\n");

  706.   }

  707. 

  708.   results.Print("SPAKE2 over Ed25519");

  709. 

  710.   return true;

  711. }

  712. 

  713. static bool SpeedScrypt(const std::string &selected) {

  714.   if (!selected.empty() && selected.find("scrypt") == std::string::npos) {

  715.     return true;

  716.   }

  717. 

  718.   TimeResults results;

  719. 

  720.   static const char kPassword[] = "password";

  721.   static const uint8_t kSalt[] = "NaCl";

  722. 

  723.   if (!TimeFunction(&results, [&]() -> bool {

  724.         uint8_t out[64];

  725.         return !!EVP_PBE_scrypt(kPassword, sizeof(kPassword) - 1, kSalt,

  726.                                 sizeof(kSalt) - 1, 1024, 8, 16, 0 /* max_mem */,

  727.                                 out, sizeof(out));

  728.       })) {

  729.     fprintf(stderr, "scrypt failed.\n");

  730.     return false;

  731.   }

  732.   results.Print("scrypt (N = 1024, r = 8, p = 16)");

  733. 

  734.   if (!TimeFunction(&results, [&]() -> bool {

  735.         uint8_t out[64];

  736.         return !!EVP_PBE_scrypt(kPassword, sizeof(kPassword) - 1, kSalt,

  737.                                 sizeof(kSalt) - 1, 16384, 8, 1, 0 /* max_mem */,

  738.                                 out, sizeof(out));

  739.       })) {

  740.     fprintf(stderr, "scrypt failed.\n");

  741.     return false;

  742.   }

  743.   results.Print("scrypt (N = 16384, r = 8, p = 1)");

  744. 

  745.   return true;

  746. }

  747. 

  748. static bool SpeedHRSS(const std::string &selected) {

  749.   if (!selected.empty() && selected != "HRSS") {

  750.     return true;

  751.   }

  752. 

  753.   TimeResults results;

  754. 

  755.   if (!TimeFunction(&results, []() -> bool {

  756.     struct HRSS_public_key pub;

  757.     struct HRSS_private_key priv;

  758.     uint8_t entropy[HRSS_GENERATE_KEY_BYTES];

  759.     RAND_bytes(entropy, sizeof(entropy));

  760.     HRSS_generate_key(&pub, &priv, entropy);

  761.     return true;

  762.   })) {

  763.     fprintf(stderr, "Failed to time HRSS_generate_key.\n");

  764.     return false;

  765.   }

  766. 

  767.   results.Print("HRSS generate");

  768. 

  769.   struct HRSS_public_key pub;

  770.   struct HRSS_private_key priv;

  771.   uint8_t key_entropy[HRSS_GENERATE_KEY_BYTES];

  772.   RAND_bytes(key_entropy, sizeof(key_entropy));

  773.   HRSS_generate_key(&pub, &priv, key_entropy);

  774. 

  775.   uint8_t ciphertext[HRSS_CIPHERTEXT_BYTES];

  776.   if (!TimeFunction(&results, [&pub, &ciphertext]() -> bool {

  777.     uint8_t entropy[HRSS_ENCAP_BYTES];

  778.     uint8_t shared_key[HRSS_KEY_BYTES];

  779.     RAND_bytes(entropy, sizeof(entropy));

  780.     HRSS_encap(ciphertext, shared_key, &pub, entropy);

  781.     return true;

  782.   })) {

  783.     fprintf(stderr, "Failed to time HRSS_encap.\n");

  784.     return false;

  785.   }

  786. 

  787.   results.Print("HRSS encap");

  788. 

  789.   if (!TimeFunction(&results, [&priv, &ciphertext]() -> bool {

  790.     uint8_t shared_key[HRSS_KEY_BYTES];

  791.     HRSS_decap(shared_key, &priv, ciphertext, sizeof(ciphertext));

  792.     return true;

  793.   })) {

  794.     fprintf(stderr, "Failed to time HRSS_encap.\n");

  795.     return false;

  796.   }

  797. 

  798.   results.Print("HRSS decap");

  799. 

  800.   return true;

  801. }

  802. 

  803. static const struct argument kArguments[] = {

  804.     {

  805.      "-filter", kOptionalArgument,

  806.      "A filter on the speed tests to run",

  807.     },

  808.     {

  809.      "-timeout", kOptionalArgument,

  810.      "The number of seconds to run each test for (default is 1)",

  811.     },

  812.     {

  813.      "", kOptionalArgument, "",

  814.     },

  815. };

  816. 

  817. bool Speed(const std::vector<std::string> &args) {

  818.   std::map<std::string, std::string> args_map;

  819.   if (!ParseKeyValueArguments(&args_map, args, kArguments)) {

  820.     PrintUsage(kArguments);

  821.     return false;

  822.   }

  823. 

  824.   std::string selected;

  825.   if (args_map.count("-filter") != 0) {

  826.     selected = args_map["-filter"];

  827.   }

  828. 

  829.   if (args_map.count("-timeout") != 0) {

  830.     g_timeout_seconds = atoi(args_map["-timeout"].c_str());

  831.   }

  832. 

  833.   // kTLSADLen is the number of bytes of additional data that TLS passes to

  834.   // AEADs.

  835.   static const size_t kTLSADLen = 13;

  836.   // kLegacyADLen is the number of bytes that TLS passes to the "legacy" AEADs.

  837.   // These are AEADs that weren't originally defined as AEADs, but which we use

  838.   // via the AEAD interface. In order for that to work, they have some TLS

  839.   // knowledge in them and construct a couple of the AD bytes internally.

  840.   static const size_t kLegacyADLen = kTLSADLen - 2;

  841. 

  842.   if (!SpeedRSA(selected) ||

  843.       !SpeedAEAD(EVP_aead_aes_128_gcm(), "AES-128-GCM", kTLSADLen, selected) ||

  844.       !SpeedAEAD(EVP_aead_aes_256_gcm(), "AES-256-GCM", kTLSADLen, selected) ||

  845.       !SpeedAEAD(EVP_aead_chacha20_poly1305(), "ChaCha20-Poly1305", kTLSADLen,

  846.                  selected) ||

  847.       !SpeedAEAD(EVP_aead_des_ede3_cbc_sha1_tls(), "DES-EDE3-CBC-SHA1",

  848.                  kLegacyADLen, selected) ||

  849.       !SpeedAEAD(EVP_aead_aes_128_cbc_sha1_tls(), "AES-128-CBC-SHA1",

  850.                  kLegacyADLen, selected) ||

  851.       !SpeedAEAD(EVP_aead_aes_256_cbc_sha1_tls(), "AES-256-CBC-SHA1",

  852.                  kLegacyADLen, selected) ||

  853.       !SpeedAEADOpen(EVP_aead_aes_128_cbc_sha1_tls(), "AES-128-CBC-SHA1",

  854.                      kLegacyADLen, selected) ||

  855.       !SpeedAEADOpen(EVP_aead_aes_256_cbc_sha1_tls(), "AES-256-CBC-SHA1",

  856.                      kLegacyADLen, selected) ||

  857.       !SpeedAEAD(EVP_aead_aes_128_gcm_siv(), "AES-128-GCM-SIV", kTLSADLen,

  858.                  selected) ||

  859.       !SpeedAEAD(EVP_aead_aes_256_gcm_siv(), "AES-256-GCM-SIV", kTLSADLen,

  860.                  selected) ||

  861.       !SpeedAEADOpen(EVP_aead_aes_128_gcm_siv(), "AES-128-GCM-SIV", kTLSADLen,

  862.                      selected) ||

  863.       !SpeedAEADOpen(EVP_aead_aes_256_gcm_siv(), "AES-256-GCM-SIV", kTLSADLen,

  864.                      selected) ||

  865.       !SpeedAEAD(EVP_aead_aes_128_ccm_bluetooth(), "AES-128-CCM-Bluetooth",

  866.                  kTLSADLen, selected) ||

  867.       !SpeedHash(EVP_sha1(), "SHA-1", selected) ||

  868.       !SpeedHash(EVP_sha256(), "SHA-256", selected) ||

  869.       !SpeedHash(EVP_sha512(), "SHA-512", selected) ||

  870.       !SpeedRandom(selected) ||

  871.       !SpeedECDH(selected) ||

  872.       !SpeedECDSA(selected) ||

  873.       !Speed25519(selected) ||

  874.       !SpeedSPAKE2(selected) ||

  875.       !SpeedScrypt(selected) ||

  876.       !SpeedRSAKeyGen(selected) ||

  877.       !SpeedHRSS(selected)) {

  878.     return false;

  879.   }

  880. 

  881.   return true;

  882. }