@@ -0,0 +1,6 @@ | |||
[submodule "bssl/src"] | |||
path = bssl/src | |||
url = https://github.com/google/boringssl.git | |||
[submodule "mbedtls/src"] | |||
path = mbedtls/src | |||
url = https://github.com/ARMmbed/mbedtls.git |
@@ -0,0 +1,278 @@ | |||
# Additional information | |||
A lot of, mostly useless, details | |||
## Appendix A | |||
Default NDK flags | |||
* CC: | |||
``` | |||
--target=aarch64-none-linux-android | |||
-DBORINGSSL_IMPLEMENTATION | |||
-g | |||
-DANDROID | |||
-ffunction-sections | |||
-funwind-tables | |||
-fstack-protector-strong | |||
-no-canonical-prefixes | |||
-Wa,--noexecstack | |||
-Wformat | |||
-Werror=format-security | |||
-Werror | |||
-Wformat=2 | |||
-Wsign-compare | |||
-Wmissing-field-initializers | |||
-Wwrite-strings | |||
-Wall | |||
-ggdb | |||
-fvisibility=hidden | |||
-fno-common | |||
-Wnewline-eof | |||
-fcolor-diagnostics | |||
-Wimplicit-fallthrough | |||
-Wmissing-prototypes | |||
-Wold-style-definition | |||
-Wstrict-prototypes | |||
-Wshadow | |||
-D_XOPEN_SOURCE=700 | |||
-O2 | |||
-DNDEBUG | |||
-fPIC | |||
``` | |||
* CPP: | |||
``` | |||
-cc1 | |||
-triple aarch64-none-linux-android | |||
-emit-obj | |||
-mnoexecstack | |||
-disable-free | |||
-disable-llvm-verifier | |||
-discard-value-names | |||
-mrelocation-model pic | |||
-pic-level 2 | |||
-pic-is-pie | |||
-mthread-model posix | |||
-mdisable-fp-elim | |||
-fmath-errno | |||
-masm-verbose | |||
-mconstructor-aliases | |||
-munwind-tables | |||
-fuse-init-array | |||
-target-cpu generic | |||
-target-feature +neon | |||
-target-abi aapcs | |||
-dwarf-column-info | |||
-debug-info-kind=limited | |||
-dwarf-version=4 | |||
-debugger-tuning=gdb | |||
-ffunction-sections | |||
-D BORINGSSL_IMPLEMENTATION | |||
-D ANDROID | |||
-D NDEBUG | |||
-O2 | |||
-Wformat | |||
-Werror=format-security | |||
-Werror | |||
-Wformat=2 | |||
-Wsign-compare | |||
-Wmissing-field-initializers | |||
-Wwrite-strings | |||
-Wall | |||
-Wnewline-eof | |||
-Wimplicit-fallthrough | |||
-Wmissing-declarations | |||
-Wmissing-prototypes | |||
-Wshadow | |||
-std=c++11 | |||
-fdeprecated-macro | |||
-fdebug-compilation-dir /home/hdc/repos/mbedtls_vs_boringssl/bssl/src/build/crypto | |||
-ferror-limit 19 | |||
-fmessage-length 238 | |||
-fvisibility hidden | |||
-femulated-tls | |||
-stack-protector 2 | |||
-fallow-half-arguments-and-returns | |||
-fno-rtti | |||
-fno-signed-char | |||
-fobjc-runtime=gcc | |||
-fno-common | |||
-fdiagnostics-show-option | |||
-fcolor-diagnostics | |||
-vectorize-loops | |||
-vectorize-slp | |||
``` | |||
## Appendix B | |||
Test platform settings | |||
``` | |||
[ro.build.id]: [OPR6.170623.013] | |||
[ro.bootimage.build.date]: [Wed Oct 11 15:46:15 BST 2017] | |||
[ro.bootimage.build.fingerprint]: [Android/hikey/hikey:8.0.0/OPR6.170623.013/110:userdebug/test-keys] | |||
[ro.product.cpu.abi]: [arm64-v8a] | |||
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi] | |||
[ro.product.cpu.abilist32]: [armeabi-v7a,armeabi] | |||
[ro.product.cpu.abilist64]: [arm64-v8a] | |||
[ro.build.version.sdk]: [26] | |||
[ro.build.version.security_patch]: [2017-08-05] | |||
``` | |||
## Appendix C | |||
Performance measures provied by ``bssl speed``: | |||
| Operation | Small | Default | | |||
|-----------|------|---------| | |||
|RSA 2048 signing | (59.5 ops/sec) | (108.1 ops/sec) | | |||
|RSA 2048 verify | (2377.5 ops/sec) | (4078.3 ops/sec) | | |||
|RSA 4096 signing | (8.3 ops/sec) | (14.9 ops/sec) | | |||
|RSA 4096 verify | (668.0 ops/sec) | (1088.4 ops/sec) | | |||
|AES-128-GCM (16 bytes) | (497832.2 ops/sec): 8.0 MB/s | (1690241.1 ops/sec): 27.0 MB/s | | |||
|AES-128-GCM (1350 bytes) | (17675.4 ops/sec): 23.9 MB/s | (291430.3 ops/sec): 393.4 MB/s | | |||
|AES-128-GCM (8192 bytes) | (2991.6 ops/sec): 24.5 MB/s | (57088.8 ops/sec): 467.7 MB/s | | |||
|AES-256-GCM (16 bytes) | (444847.4 ops/sec): 7.1 MB/s | (1615148.8 ops/sec): 25.8 MB/s | | |||
|AES-256-GCM (1350 bytes) | (14792.6 ops/sec): 20.0 MB/s | (254718.5 ops/sec): 343.9 MB/s | | |||
|AES-256-GCM (8192 bytes) | (2525.7 ops/sec): 20.7 MB/s | (49056.6 ops/sec): 401.9 MB/s | | |||
|ChaCha20-Poly1305 (16 bytes) | (385043.6 ops/sec): 6.2 MB/s | (460788.5 ops/sec): 7.4 MB/s | | |||
|ChaCha20-Poly1305 (1350 bytes) | (33108.8 ops/sec): 44.7 MB/s | (67622.8 ops/sec): 91.3 MB/s | | |||
|ChaCha20-Poly1305 (8192 bytes) | (5905.1 ops/sec): 48.4 MB/s | (13219.5 ops/sec): 108.3 MB/s | | |||
|DES-EDE3-CBC-SHA1 (16 bytes) | (100311.5 ops/sec): 1.6 MB/s | (110073.3 ops/sec): 1.8 MB/s | | |||
|DES-EDE3-CBC-SHA1 (1350 bytes) | (3787.2 ops/sec): 5.1 MB/s | (3926.7 ops/sec): 5.3 MB/s | | |||
|DES-EDE3-CBC-SHA1 (8192 bytes) | (638.4 ops/sec): 5.2 MB/s | (661.2 ops/sec): 5.4 MB/s | | |||
|AES-128-CBC-SHA1 (16 bytes) | (268159.9 ops/sec): 4.3 MB/s | (540844.8 ops/sec): 8.7 MB/s | | |||
|AES-128-CBC-SHA1 (1350 bytes) | (22535.6 ops/sec): 30.4 MB/s | (162597.6 ops/sec): 219.5 MB/s | | |||
|AES-128-CBC-SHA1 (8192 bytes) | (3959.9 ops/sec): 32.4 MB/s | (37787.3 ops/sec): 309.6 MB/s | | |||
|AES-256-CBC-SHA1 (16 bytes) | (244904.2 ops/sec): 3.9 MB/s | (524976.9 ops/sec): 8.4 MB/s | | |||
|AES-256-CBC-SHA1 (1350 bytes) | (18272.3 ops/sec): 24.7 MB/s | (141626.7 ops/sec): 191.2 MB/s | | |||
|AES-256-CBC-SHA1 (8192 bytes) | (3181.3 ops/sec): 26.1 MB/s | (31195.9 ops/sec): 255.6 MB/s | | |||
|AES-128-GCM-SIV (16 bytes) | (244929.5 ops/sec): 3.9 MB/s | (776750.7 ops/sec): 12.4 MB/s | | |||
|AES-128-GCM-SIV (1350 bytes) | (14640.5 ops/sec): 19.8 MB/s | (66627.7 ops/sec): 89.9 MB/s | | |||
|AES-128-GCM-SIV (8192 bytes) | (2531.6 ops/sec): 20.7 MB/s | (11850.0 ops/sec): 97.1 MB/s | | |||
|AES-256-GCM-SIV (16 bytes) | (171899.3 ops/sec): 2.8 MB/s | (660748.9 ops/sec): 10.6 MB/s | | |||
|AES-256-GCM-SIV (1350 bytes) | (12489.6 ops/sec): 16.9 MB/s | (61124.5 ops/sec): 82.5 MB/s | | |||
|AES-256-GCM-SIV (8192 bytes) | (2182.7 ops/sec): 17.9 MB/s | (10936.1 ops/sec): 89.6 MB/s | | |||
|AES-128-GCM-SIV (16 bytes) | (239698.0 ops/sec): 3.8 MB/s | (733661.0 ops/sec): 11.7 MB/s | | |||
|AES-128-GCM-SIV (1350 bytes) | (14616.0 ops/sec): 19.7 MB/s | (65984.0 ops/sec): 89.1 MB/s | | |||
|AES-128-GCM-SIV (8192 bytes) | (2529.8 ops/sec): 20.7 MB/s | (11745.7 ops/sec): 96.2 MB/s | | |||
|AES-256-GCM-SIV (16 bytes) | (170826.1 ops/sec): 2.7 MB/s | (626465.6 ops/sec): 10.0 MB/s | | |||
|AES-256-GCM-SIV (1350 bytes) | (12474.8 ops/sec): 16.8 MB/s | (60595.5 ops/sec): 81.8 MB/s | | |||
|AES-256-GCM-SIV (8192 bytes) | (2182.1 ops/sec): 17.9 MB/s | (10841.9 ops/sec): 88.8 MB/s | | |||
|AES-128-CCM-Bluetooth (16 bytes) | (438558.8 ops/sec): 7.0 MB/s | (1405567.1 ops/sec): 22.5 MB/s | | |||
|AES-128-CCM-Bluetooth (1350 bytes) | (14776.5 ops/sec): 19.9 MB/s | (140168.4 ops/sec): 189.2 MB/s | | |||
|AES-128-CCM-Bluetooth (8192 bytes) | (2498.7 ops/sec): 20.5 MB/s | (25890.2 ops/sec): 212.1 MB/s | | |||
|SHA-1 (16 bytes) | (1244563.2 ops/sec): 19.9 MB/s | (2567122.0 ops/sec): 41.1 MB/s | | |||
|SHA-1 (256 bytes) | (341934.0 ops/sec): 87.5 MB/s | (1162590.8 ops/sec): 297.6 MB/s | | |||
|SHA-1 (8192 bytes) | (14574.3 ops/sec): 119.4 MB/s | (66844.3 ops/sec): 547.6 MB/s | | |||
|SHA-256 (16 bytes) | (691326.6 ops/sec): 11.1 MB/s | (2431927.0 ops/sec): 38.9 MB/s | | |||
|SHA-256 (256 bytes) | (166138.9 ops/sec): 42.5 MB/s | (1120621.2 ops/sec): 286.9 MB/s | | |||
|SHA-256 (8192 bytes) | (6824.7 ops/sec): 55.9 MB/s | (63214.7 ops/sec): 517.9 MB/s | | |||
|SHA-512 (16 bytes) | (688007.9 ops/sec): 11.0 MB/s | (729988.3 ops/sec): 11.7 MB/s | | |||
|SHA-512 (256 bytes) | (272146.5 ops/sec): 69.7 MB/s | (289178.7 ops/sec): 74.0 MB/s | | |||
|SHA-512 (8192 bytes) | (14014.7 ops/sec): 114.8 MB/s | (14759.6 ops/sec): 120.9 MB/s | | |||
|RNG (16 bytes) | (137217.4 ops/sec): 2.2 MB/s | (249239.3 ops/sec): 4.0 MB/s | | |||
|RNG (256 bytes) | (69898.9 ops/sec): 17.9 MB/s | (224698.5 ops/sec): 57.5 MB/s | | |||
|RNG (8192 bytes) | (4058.7 ops/sec): 33.2 MB/s | (55705.4 ops/sec): 456.3 MB/s | | |||
|ECDH P-224 operations | (151.0 ops/sec) | (1602.4 ops/sec) | | |||
|ECDH P-256 operations | (594.7 ops/sec) | (642.8 ops/sec) | | |||
|ECDH P-384 operations | (59.0 ops/sec) | (97.4 ops/sec) | | |||
|ECDH P-521 operations | (27.1 ops/sec) | (43.4 ops/sec) | | |||
|ECDSA P-224 signing | (277.8 ops/sec) | (3312.7 ops/sec) | | |||
|ECDSA P-224 verify | (241.2 ops/sec) | (1451.7 ops/sec) | | |||
|ECDSA P-256 signing | (1396.6 ops/sec) | (1738.5 ops/sec) | | |||
|ECDSA P-256 verify | (672.1 ops/sec) | (704.2 ops/sec) | | |||
|ECDSA P-384 signing | (107.0 ops/sec) | (177.6 ops/sec) | | |||
|ECDSA P-384 verify | (94.4 ops/sec) | (156.9 ops/sec) | | |||
|ECDSA P-521 signing | (49.0 ops/sec) | (78.2 ops/sec) | | |||
|ECDSA P-521 verify | (43.8 ops/sec) | (70.8 ops/sec) | | |||
Performance measures provided by ``benchmark``: | |||
| Algo | Small | Normal | | |||
|-------------------------------|----------------------|----------------------| | |||
|MD5 | 131223 KiB/s | 131761 KiB/s | | |||
|RIPEMD160 | 81451 KiB/s | 89899 KiB/s | | |||
|SHA-1 | 104117 KiB/s | 104375 KiB/s | | |||
|SHA-256 | 46809 KiB/s | 52044 KiB/s | | |||
|SHA-512 | 56760 KiB/s | 57648 KiB/s | | |||
|ARC4 | 65014 KiB/s | 65023 KiB/s | | |||
|3DES | 7785 KiB/s | 7885 KiB/s | | |||
|DES | 19071 KiB/s | 19512 KiB/s | | |||
|AES-CBC-128 | 32460 KiB/s | 35995 KiB/s | | |||
|AES-CBC-192 | 28392 KiB/s | 31044 KiB/s | | |||
|AES-CBC-256 | 25213 KiB/s | 27296 KiB/s | | |||
|AES-GCM-128 | 16399 KiB/s | 16398 KiB/s | | |||
|AES-GCM-192 | 15272 KiB/s | 15271 KiB/s | | |||
|AES-GCM-256 | 14287 KiB/s | 14286 KiB/s | | |||
|AES-CCM-128 | 15824 KiB/s | 15887 KiB/s | | |||
|AES-CCM-192 | 13853 KiB/s | 13899 KiB/s | | |||
|AES-CCM-256 | 12315 KiB/s | 12356 KiB/s | | |||
|CAMELLIA-CBC-128 | 19735 KiB/s | 26762 KiB/s | | |||
|CAMELLIA-CBC-192 | 15458 KiB/s | 20839 KiB/s | | |||
|CAMELLIA-CBC-256 | 15459 KiB/s | 20839 KiB/s | | |||
|BLOWFISH-CBC-128 | 25188 KiB/s | 28955 KiB/s | | |||
|BLOWFISH-CBC-192 | 25189 KiB/s | 28954 KiB/s | | |||
|BLOWFISH-CBC-256 | 25183 KiB/s | 28955 KiB/s | | |||
|CTR_DRBG (NOPR) | 27122 KiB/s | 27050 KiB/s | | |||
|CTR_DRBG (PR) | 18397 KiB/s | 19111 KiB/s | | |||
|HMAC_DRBG SHA-1 (NOPR) | 6746 KiB/s | 6968 KiB/s | | |||
|HMAC_DRBG SHA-1 (PR) | 6208 KiB/s | 6426 KiB/s | | |||
|HMAC_DRBG SHA-256 (NOPR) | 5321 KiB/s | 5795 KiB/s | | |||
|HMAC_DRBG SHA-256 (PR) | 4657 KiB/s | 5083 KiB/s | | |||
|RSA-2048 | 652 public/s | 653 public/s | | |||
|RSA-2048 | 17 private/s | 17 private/s | | |||
|RSA-4096 | 168 public/s | 168 public/s | | |||
|RSA-4096 | 3 private/s | 3 private/s | | |||
|DHE-2048 | 3 handshake/s | 3 handshake/s | | |||
|DH-2048 | 5 handshake/s | 6 handshake/s | | |||
|DHE-3072 | 1 handshake/s | 1 handshake/s | | |||
|DH-3072 | 2 handshake/s | 2 handshake/s | | |||
|ECDSA-secp521r1 | 70 sign/s | 74 sign/s | | |||
|ECDSA-brainpoolP512r1 | 8 sign/s | 9 sign/s | | |||
|ECDSA-secp384r1 | 126 sign/s | 133 sign/s | | |||
|ECDSA-brainpoolP384r1 | 16 sign/s | 18 sign/s | | |||
|ECDSA-secp256r1 | 189 sign/s | 195 sign/s | | |||
|ECDSA-secp256k1 | 176 sign/s | 189 sign/s | | |||
|ECDSA-brainpoolP256r1 | 27 sign/s | 31 sign/s | | |||
|ECDSA-secp224r1 | 277 sign/s | 291 sign/s | | |||
|ECDSA-secp224k1 | 216 sign/s | 230 sign/s | | |||
|ECDSA-secp192r1 | 329 sign/s | 352 sign/s | | |||
|ECDSA-secp192k1 | 264 sign/s | 277 sign/s | | |||
|ECDSA-secp521r1 | 19 verify/s | 21 verify/s | | |||
|ECDSA-brainpoolP512r1 | 2 verify/s | 2 verify/s | | |||
|ECDSA-secp384r1 | 35 verify/s | 36 verify/s | | |||
|ECDSA-brainpoolP384r1 | 4 verify/s | 4 verify/s | | |||
|ECDSA-secp256r1 | 54 verify/s | 57 verify/s | | |||
|ECDSA-secp256k1 | 53 verify/s | 57 verify/s | | |||
|ECDSA-brainpoolP256r1 | 7 verify/s | 8 verify/s | | |||
|ECDSA-secp224r1 | 82 verify/s | 86 verify/s | | |||
|ECDSA-secp224k1 | 63 verify/s | 67 verify/s | | |||
|ECDSA-secp192r1 | 102 verify/s | 110 verify/s | | |||
|ECDSA-secp192k1 | 77 verify/s | 82 verify/s | | |||
|ECDHE-secp521r1 | 20 handshake/s | 21 handshake/s | | |||
|ECDHE-brainpoolP512r1 | 2 handshake/s | 2 handshake/s | | |||
|ECDHE-secp384r1 | 37 handshake/s | 39 handshake/s | | |||
|ECDHE-brainpoolP384r1 | 4 handshake/s | 4 handshake/s | | |||
|ECDHE-secp256r1 | 57 handshake/s | 60 handshake/s | | |||
|ECDHE-secp256k1 | 56 handshake/s | 60 handshake/s | | |||
|ECDHE-brainpoolP256r1 | 7 handshake/s | 8 handshake/s | | |||
|ECDHE-secp224r1 | 89 handshake/s | 92 handshake/s | | |||
|ECDHE-secp224k1 | 67 handshake/s | 71 handshake/s | | |||
|ECDHE-secp192r1 | 111 handshake/s | 118 handshake/s | | |||
|ECDHE-secp192k1 | 83 handshake/s | 87 handshake/s | | |||
|ECDHE-Curve25519 | 41 handshake/s | 41 handshake/s | | |||
|ECDH-secp521r1 | 27 handshake/s | 28 handshake/s | | |||
|ECDH-brainpoolP512r1 | 3 handshake/s | 3 handshake/s | | |||
|ECDH-secp384r1 | 49 handshake/s | 51 handshake/s | | |||
|ECDH-brainpoolP384r1 | 5 handshake/s | 5 handshake/s | | |||
|ECDH-secp256r1 | 77 handshake/s | 81 handshake/s | | |||
|ECDH-secp256k1 | 78 handshake/s | 82 handshake/s | | |||
|ECDH-brainpoolP256r1 | 9 handshake/s | 11 handshake/s | | |||
|ECDH-secp224r1 | 121 handshake/s | 126 handshake/s | | |||
|ECDH-secp224k1 | 91 handshake/s | 97 handshake/s | | |||
|ECDH-secp192r1 | 150 handshake/s | 159 handshake/s | | |||
|ECDH-secp192k1 | 113 handshake/s | 120 handshake/s | | |||
|ECDH-Curve25519 | 80 handshake/s | 82 handshake/s | | |||
@@ -0,0 +1,60 @@ | |||
# Test app | |||
It's a implementation of simple C-based test application, which compiles and links against library under test and run on ARMv8 platform running Android operating system. The app is composed of client and server. As we are only interested in client side of the TLS end, we fix the server to always use same library (it's based on ``BoringSSL``). Server is configured to support only TLSv1.2 (as 1.3 is not supported by ``mbedTLS``, yet [OZAPTF]). It's always run with an argument which specifies cetificate type to be used (RSA, ECDSA or EdDSA based). Once run it always enforces same cipher suite to be used - for example in case of RSA it will be ECDHE key agreement with RSA signature and AES/256 in GCM AEAD mode. | |||
Client application is the one which we want to benchmark. We have implemented one which uses ``mbedTLS`` API and links with this library and similar one for ``BoringSSL``. Client always establishes TCP connection in blocking mode (simplicity). It implements 3 different tests: | |||
* **Handshake** : during this test client opens TCP connection and performs many handshake without closing the connection. Performance of this test highly depends on key type used for certificate signing and symmetric key agreement algorithm (as well as elliptic curve used), hence this test is performed multiple times, once for each certificate type | |||
* **Write**: clients opens TCP connection and sends few hundred megabytes of data. This test is done mostly to assess performance of symmetric encryption | |||
* **Read**: clients opens TCP connection and sends a request to the server which sends back few hundred megabytes of data. This test is done mostly to assess performance of symmetric decryption | |||
## Compilation | |||
In order to compile an app one needs to have Android NDK already installed. After cloning, location of the NDK needs be specified in [``common.mk``](https://git.amongbytes.com/playground/tls_comparision/blob/master/common.mk). Then, execute following commands in the app directory. | |||
``` | |||
git submodule init | |||
git submodule update | |||
cd bssl; make -f Makefile.aarch64 | |||
cd mbedtls; make -f Makefile.aarch64 | |||
cd testapp; make -f Makefile.aarch64 | |||
``` | |||
Output of an execution is set of binaries for ARMv8 that run on Android: | |||
* BoringSSL | |||
* MbedTLS | |||
* Testing application | |||
- ``server``: BoringSSL based test server | |||
- ``b_client``: BoringSSL based client | |||
- ``m_client``: mbedTLS based client | |||
## Pushing tests to target | |||
Execute following target to push needed binaries and all needed files (certificates): | |||
``` | |||
cd testapp; make -f Makefile.aarch64 push | |||
``` | |||
### Server | |||
Tests always use ``BoringSSL``-based server. Following command will start server which will accept only ECDSA certificate. Server always supports only 1 cipher suite (for example - in case of RSA it supports only ``TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`` ). It's done deliberatelly in order to make sure that when client connects to serwer it always uses same cipher, so that comparision between different clients is accurate. | |||
``` | |||
./server ECDSA_256 | |||
``` | |||
### Client | |||
There are two clients called ``m_client`` and ``b_client``, respectively, mbedTLS-based and BoringSSL-based. Client application connects to the server app and initiates a test. Once test is over, both client and server will exit. Client application can be started in following way: | |||
Example of ``mbedTLS`` test execution: | |||
``` | |||
./m_client test_Handshake | |||
``` | |||
Example of ``BoringSSL`` test execution: | |||
``` | |||
./b_client test_Handshake | |||
``` | |||
The structure of both clients is being kept as similar as possible. |
@@ -0,0 +1,29 @@ | |||
include ../common.mk | |||
BUILD_DIR = src/build | |||
MAKE = cmake --build . | |||
all: prepare build | |||
clean: | |||
rm -rf $(BUILD_DIR) | |||
prepare: clean | |||
rm -rf $(BUILD_DIR) | |||
mkdir -p $(BUILD_DIR) | |||
cd $(BUILD_DIR); \ | |||
cmake \ | |||
-DANDROID_TOOLCHAIN_NAME=aarch64-linux-android-clang5.0 \ | |||
-DCMAKE_TOOLCHAIN_FILE=${ANDROID_NDK}/build/cmake/android.toolchain.cmake \ | |||
-DANDROID_NATIVE_API_LEVEL=$(NDK_TARGETVER) \ | |||
-DCMAKE_BUILD_TYPE=Release \ | |||
-DANDROID_ABI=arm64-v8a \ | |||
-DOPENSSL_SMALL=1 \ | |||
-DCMAKE_C_FLAGS_RELEASE="-Os -fdata-sections" \ | |||
-DCMAKE_CXX_FLAGS_RELEASE="-Os -fdata-sections" \ | |||
-DCMAKE_EXE_LINKER_FLAGS="-Wl,--gc-sections" \ | |||
.. | |||
build: | |||
cd $(BUILD_DIR); \ | |||
$(MAKE) | |||
python ../print_bssl_size.py " -fdata-sections (+)" |
@@ -0,0 +1,20 @@ | |||
include ../common.mk | |||
BUILD_DIR = src/build | |||
MAKE = cmake --build . | |||
all: prepare build | |||
prepare: | |||
rm -rf $(BUILD_DIR) | |||
mkdir -p $(BUILD_DIR) | |||
cd $(BUILD_DIR); \ | |||
cmake -DCMAKE_BUILD_TYPE=Release \ | |||
-DOPENSSL_SMALL=1 \ | |||
-DCMAKE_C_FLAGS_RELEASE="-Os -fdata-sections" \ | |||
-DCMAKE_CXX_FLAGS_RELEASE="-Os -fdata-sections" \ | |||
.. | |||
build: | |||
cd $(BUILD_DIR); \ | |||
$(MAKE) | |||
python ~/print_bssl_size.py " -fdata-sections (+)" |
@@ -0,0 +1 @@ | |||
Subproject commit eb7c3008cc85c9cfedca7690f147f5773483f941 |
@@ -0,0 +1,5 @@ | |||
# Constants and makefile shit used in build | |||
mkfile_path = $(abspath $(lastword $(MAKEFILE_LIST))) | |||
current_dir = $(notdir $(patsubst %/,%,$(dir $(mkfile_path)))) | |||
ANDROID_NDK = /home/hdc/android-ndk-r16b | |||
NDK_TARGETVER = 27 |
@@ -0,0 +1,48 @@ | |||
include ../common.mk | |||
## NDK configuration. | |||
NDK = $(ANDROID_NDK) | |||
NDK_TARGETARCH = aarch64-linux-android | |||
NDK_TARGETSHORTARCH = arm64 | |||
NDK_TOOLVER = 4.9 | |||
NDK_HOSTARCH = linux-x86_64 | |||
NDK_TOOLS = $(NDK)/toolchains/llvm/prebuilt/$(NDK_HOSTARCH)/bin | |||
NDK_SYSROOT = $(NDK)/sysroot | |||
NDK_TOOL = $(NDK_TOOLS)/clang | |||
NDK_LIBS = $(NDK)/toolchains/$(NDK_TARGETARCH)-$(NDK_TOOLVER)/prebuilt/linux-x86_64/lib/gcc/$(NDK_TARGETARCH)/4.9.x | |||
NDK_INCLUDES = -I$(NDK)/sysroot/usr/include -I$(NDK)/sysroot/usr/include/$(NDK_TARGETARCH) | |||
NDK_SYSROOT = $(NDK)/platforms/android-$(NDK_TARGETVER)/arch-$(NDK_TARGETSHORTARCH) | |||
OPT = -std=c99 -Os \ | |||
-fdata-sections \ | |||
-ffunction-sections \ | |||
-fPIE \ | |||
-Wall \ | |||
-target $(NDK_TARGETARCH) | |||
CFLAGS = $(OPT) \ | |||
$(NDK_INCLUDES) \ | |||
-D__ANDROID_API__=$(NDK_TARGETVER) \ | |||
-D_SOCKLEN_T_DECLARED | |||
LDFLAGS = $(OPT) \ | |||
-pie \ | |||
-Wl,--gc-sections \ | |||
--sysroot=$(NDK_SYSROOT) \ | |||
-B $(ANDROID_NDK)/toolchains/$(NDK_TARGETARCH)-$(NDK_TOOLVER)/prebuilt/linux-x86_64/$(NDK_TARGETARCH)/bin \ | |||
-L$(NDK_LIBS) | |||
all: | |||
CC=$(NDK_TOOL) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" make -C src | |||
clean: | |||
make -C src clean | |||
push: | |||
adb root | |||
adb remount | |||
adb shell "rm -rf /data/app/mbedtls/*" | |||
adb shell "mkdir -p /data/app/mbedtls" | |||
adb push src/programs/ssl/ssl_client1 /data/app/mbedtls/ | |||
adb push src/programs/ssl/ssl_server /data/app/mbedtls/ | |||
adb push src/programs/test/benchmark /data/app/mbedtls/ |
@@ -0,0 +1,13 @@ | |||
include ../common.mk | |||
OPT = -D_SOCKLEN_T_DECLARED -Os -fdata-sections | |||
CFLAGS = $(OPT) | |||
LDFLAGS = | |||
all: | |||
CC=gcc CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" make -C src | |||
clean: | |||
make -C src clean | |||
@@ -0,0 +1 @@ | |||
Subproject commit 4ca9a457561fc774ca54898a72754bf53d60dba2 |
@@ -0,0 +1,107 @@ | |||
include ../common.mk | |||
DBG ?= 0 | |||
SRCDIR = src | |||
OBJDIR = obj | |||
BORINGSSL_DIR = ../bssl/src | |||
MBEDTLS_DIR = ../mbedtls/src | |||
## Debug/Release configuration | |||
ifeq ($(DBG),1) | |||
DEBUG = -DDEBUG -g -O0 | |||
RELEASE = | |||
STRIP = true | |||
else | |||
DEBUG = | |||
RELEASE = -Os -fdata-sections -ffunction-sections | |||
STRIP = $(NDK)/toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/aarch64-linux-android/bin/strip | |||
endif | |||
## NDK configuration. | |||
NDK = $(ANDROID_NDK) | |||
NDK_TARGETARCH = aarch64-linux-android | |||
NDK_TARGETSHORTARCH = arm64 | |||
NDK_TOOLVER = 4.9 | |||
NDK_HOSTARCH = linux-x86_64 | |||
NDK_TOOLS = $(NDK)/toolchains/llvm/prebuilt/$(NDK_HOSTARCH)/bin | |||
NDK_SYSROOT = $(NDK)/sysroot | |||
NDK_TOOL = $(NDK_TOOLS)/clang | |||
NDK_LIBS = $(NDK)/toolchains/$(NDK_TARGETARCH)-$(NDK_TOOLVER)/prebuilt/linux-x86_64/lib/gcc/$(NDK_TARGETARCH)/4.9.x | |||
NDK_INCLUDES = -I$(NDK)/sysroot/usr/include \ | |||
-I$(NDK)/sysroot/usr/include/$(NDK_TARGETARCH) | |||
NDK_SYSROOT = $(NDK)/platforms/android-$(NDK_TARGETVER)/arch-$(NDK_TARGETSHORTARCH) | |||
OPT = $(DEBUG) \ | |||
$(RELEASE) \ | |||
-std=c99 \ | |||
-fPIE \ | |||
-Wall \ | |||
-target $(NDK_TARGETARCH) | |||
CFLAGS = $(OPT) \ | |||
$(NDK_INCLUDES) | |||
CFLAGS_BORINGSSL = $(CFLAGS) \ | |||
-I$(BORINGSSL_DIR) -I$(BORINGSSL_DIR)/include | |||
CFLAGS_MBEDTLS = $(CFLAGS) \ | |||
-I$(MBEDTLS_DIR)/include | |||
LDFLAGS = $(OPT) \ | |||
$(DEBUG) $(RELEASE) \ | |||
-pie \ | |||
--sysroot=$(NDK_SYSROOT) \ | |||
-B $(ANDROID_NDK)/toolchains/$(NDK_TARGETARCH)-$(NDK_TOOLVER)/prebuilt/linux-x86_64/$(NDK_TARGETARCH)/bin \ | |||
-L$(NDK_LIBS) \ | |||
-Wl,--gc-sections | |||
LDFLAGS_BORINGSSL = $(LDFLAGS) \ | |||
-L$(BORINGSSL_DIR)/build/crypto -L$(BORINGSSL_DIR)/build/ssl \ | |||
-lssl -lcrypto | |||
LDFLAGS_MBEDTLS = $(LDFLAGS) \ | |||
-L$(MBEDTLS_DIR)/library -lmbedx509 -lmbedtls -lmbedcrypto | |||
.PHONY: print_boring_ld print_mbed_ld | |||
all: init b_client m_client server | |||
init: | |||
mkdir -p $(OBJDIR) | |||
# Create 1MB file with random data | |||
dd if=/dev/urandom of=etc/random_data bs=1024 count=1024 | |||
clean: | |||
rm -rf $(OBJDIR) | |||
rm -rf b_client | |||
rm -rf m_client | |||
rm -rf server | |||
b_client: common | |||
$(NDK_TOOL) -c $(SRCDIR)/b_client.c -o $(OBJDIR)/b_client.o $(CFLAGS_BORINGSSL) | |||
$(NDK_TOOL) -o b_client $(OBJDIR)/b_client.o $(OBJDIR)/common.o $(OBJDIR)/common_boring.o $(LDFLAGS_BORINGSSL) | |||
$(STRIP) -s b_client | |||
m_client: common | |||
$(NDK_TOOL) -c $(SRCDIR)/m_client.c -o $(OBJDIR)/m_client.o $(CFLAGS_MBEDTLS) | |||
$(NDK_TOOL) -o m_client $(OBJDIR)/m_client.o $(OBJDIR)/common.o $(LDFLAGS_MBEDTLS) | |||
$(STRIP) -s m_client | |||
server: common | |||
$(NDK_TOOL) -c $(SRCDIR)/server.c -o $(OBJDIR)/server.o $(CFLAGS_BORINGSSL) | |||
$(NDK_TOOL) -o server $(OBJDIR)/server.o $(OBJDIR)/common.o $(OBJDIR)/common_boring.o $(LDFLAGS_BORINGSSL) | |||
$(STRIP) -s server | |||
common: | |||
$(NDK_TOOL) -c $(SRCDIR)/common.c -o $(OBJDIR)/common.o $(CFLAGS) | |||
$(NDK_TOOL) -c $(SRCDIR)/common_boring.c -o $(OBJDIR)/common_boring.o $(CFLAGS_BORINGSSL) | |||
adb-prepare: | |||
adb root | |||
adb remount | |||
adb shell rm -rf /data/app/test_space/* | |||
adb shell mkdir -p /data/app/test_space/etc | |||
# Need to reset date to 10th of April this year, otherwise, cert verification fails | |||
adb shell "toybox date 041910002018" | |||
push: adb-prepare | |||
adb push b_client /data/app/test_space/ | |||
adb push m_client /data/app/test_space/ | |||
adb push server /data/app/test_space/ | |||
adb push etc/* /data/app/test_space/etc/ |
@@ -0,0 +1,64 @@ | |||
BORINGSSL_DIR=/home/hdc/repos/mbedtls_vs_boringssl/bssl/src | |||
BORINGSSL_LIB=$(BORINGSSL_DIR)/build | |||
MBEDTLS_DIR=/home/hdc/repos/mbedtls_vs_boringssl/mbedtls/src | |||
MBEDTLS_LIB=$(MBEDTLS_DIR)/build | |||
DBG?=0 | |||
ifeq ($(DBG),1) | |||
DEBUG=-DDEBUG -g -O0 | |||
STRIP=true | |||
else | |||
DEBUG=-Os -fdata-sections -ffunction-sections | |||
STRIP=strip | |||
endif | |||
CC=clang | |||
CFLAGS_COMMON=-std=c99 $(DEBUG) | |||
BORINGSSL_CFLAGS=$(CFLAGS_COMMON) -I$(BORINGSSL_DIR)/ -I$(BORINGSSL_DIR)/include | |||
BORINGSSL_LDFLAGS=-L$(BORINGSSL_LIB)/crypto -L$(BORINGSSL_LIB)/ssl -lssl -lcrypto -lpthread | |||
MBEDTLS_CFLAGS=$(CFLAGS_COMMON) -I$(MBEDTLS_DIR)/include | |||
MBEDTLS_LDFLAGS=-L$(MBEDTLS_DIR)/library -lmbedx509 -lmbedtls -lmbedcrypto | |||
SRCDIR=src | |||
OBJDIR=obj | |||
.PHONY: print_boring_ld print_mbed_ld | |||
all: init server b_client m_client | |||
init: | |||
mkdir -p obj | |||
# Create 1MB file with random data | |||
dd if=/dev/urandom of=etc/random_data bs=1024 count=1024 | |||
clean: | |||
rm -rf $(OBJDIR) | |||
rm b_client | |||
rm m_client | |||
rm server | |||
b_client: common | |||
$(CC) -c $(SRCDIR)/b_client.c -o $(OBJDIR)/b_client.o $(BORINGSSL_CFLAGS) | |||
$(CC) -o b_client $(OBJDIR)/b_client.o $(OBJDIR)/common.o $(OBJDIR)/common_boring.o $(BORINGSSL_LDFLAGS) | |||
$(STRIP) b_client | |||
m_client: common | |||
$(CC) -c $(SRCDIR)/m_client.c -o $(OBJDIR)/m_client.o $(MBEDTLS_CFLAGS) | |||
$(CC) -o m_client $(OBJDIR)/m_client.o $(OBJDIR)/common.o $(MBEDTLS_LDFLAGS) | |||
$(STRIP) m_client | |||
server: common | |||
$(CC) -c $(SRCDIR)/server.c -o $(OBJDIR)/server.o $(BORINGSSL_CFLAGS) | |||
$(CC) -o server $(OBJDIR)/server.o $(OBJDIR)/common.o $(OBJDIR)/common_boring.o $(BORINGSSL_LDFLAGS) | |||
$(STRIP) server | |||
common: | |||
$(CC) -c $(SRCDIR)/common.c -o $(OBJDIR)/common.o | |||
$(CC) -c $(SRCDIR)/common_boring.c -o $(OBJDIR)/common_boring.o $(BORINGSSL_CFLAGS) | |||
print_boring_ld: | |||
@echo $(BORINGSSL_LIB)/crypto:$(BORINGSSL_LIB)/ssl | |||
print_mbed_ld: | |||
@echo $(MBEDTLS_LIB)/crypto:$(MBEDTLS_LIB)/ssl | |||
@@ -0,0 +1,24 @@ | |||
-----BEGIN CERTIFICATE----- | |||
MIID8jCCAtqgAwIBAgIJALuIdyUDX1d+MA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD | |||
VQQGEwJGUjENMAsGA1UECAwEUEFDQTEXMBUGA1UEBwwOQ2FnbmVzIHN1ciBNZXIx | |||
JjAkBgNVBAsMHURvbWFpbiBDb250cm9sIFZhbGlkYXRlZCBTQVJMMSYwJAYDVQQD | |||
DB1Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgU0FSTDAeFw0xODA0MDkxNjMxMDVa | |||
Fw00NTA4MjUxNjMxMDVaMIGFMQswCQYDVQQGEwJGUjENMAsGA1UECAwEUEFDQTEX | |||
MBUGA1UEBwwOQ2FnbmVzIHN1ciBNZXIxJjAkBgNVBAsMHURvbWFpbiBDb250cm9s | |||
IFZhbGlkYXRlZCBTQVJMMSYwJAYDVQQDDB1Eb21haW4gQ29udHJvbCBWYWxpZGF0 | |||
ZWQgU0FSTDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALBjh23Spt4I | |||
AvaFLNL9LXDngLy6OyJbqPYNOEfn9vdvzcCJZbBDhD1HNoIuJux340wcio5TZajX | |||
sJCIUl/n+e+8BGwxzZvp3qM2e/Rs94roZjlUWHMaX/a8Q7MvrR9XWM1SaEp2fHa9 | |||
nBgdfSo+BvvILq8lZU7vO+xw7Yjtx0YNk1v3IAMoQyrfaeZcb9uE1tuAj0oPwmEp | |||
CWqGVkQEIJ6MJBbA+6SW6yi/5h3s0mbc7hdcmLr+vSv5Bkg8qOaPwh0ffuTCMuGq | |||
8q9en4WSW/mnbDZpPdGZwp4Ub7po4Zp9dVQoD7Skf9chz26+pivmIfUB1Xwr48b2 | |||
gFfbZcwDsFsCAwEAAaNjMGEwHQYDVR0OBBYEFPSjEiJgM3NjauAc0lzUrgExAgvg | |||
MB8GA1UdIwQYMBaAFPSjEiJgM3NjauAc0lzUrgExAgvgMA8GA1UdEwEB/wQFMAMB | |||
Af8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAQALRSOq1IwOMG | |||
qZeXvNmd+jGomDH4IDV+s+agGWWneVzRJzP1qSxvrG5BgyP+STzvxEJBgGfCZKHw | |||
qW2HH2bt3vU0KhF90zthmLlZSphuF3XTBUyWfhmUgxuSWxgScBLHrk2vwQv55Mxn | |||
N88DPwYfRLjJUfEIDhzgNRsrVP1mbP0tmXjfmuQzE9Ht8L3fqJ+Tfk/eHdJIOkeM | |||
YRYSOT6oa7g49Vi6ONE7m+BqCDS7D+2p6t6Zb/1lEI82TvmbUq7gd9xHCROFmhis | |||
gBKsJxp0aVI5pB9mLqnluB21c4sVqt6si8sWcJjtTCmojp192aSxB3A6hVI0P8qY | |||
7iJBFwa1 | |||
-----END CERTIFICATE----- |
@@ -0,0 +1,8 @@ | |||
-----BEGIN EC PARAMETERS----- | |||
BggqhkjOPQMBBw== | |||
-----END EC PARAMETERS----- | |||
-----BEGIN EC PRIVATE KEY----- | |||
MHcCAQEEIF8KXjVrcF0u+J3dDxrOPHr3/xQlxwpZowwdDxiM72iUoAoGCCqGSM49 | |||
AwEHoUQDQgAE7HJPLOV22gIiLMIR1btCTDQMbtwwWqhuErrk2r4+p3Oino2fSDBm | |||
9T76CNfnLjmUue1qoLj144aK86GB0rGy4A== | |||
-----END EC PRIVATE KEY----- |
@@ -0,0 +1,15 @@ | |||
-----BEGIN CERTIFICATE----- | |||
MIICTTCCATUCCQD7FNAespFtBDANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC | |||
RlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSYwJAYD | |||
VQQLDB1Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgU0FSTDEmMCQGA1UEAwwdRG9t | |||
YWluIENvbnRyb2wgVmFsaWRhdGVkIFNBUkwwHhcNMTgwNDA5MjAxMTEwWhcNNDUw | |||
ODI0MjAxMTEwWjAWMRQwEgYDVQQDDAt3d3cuZG12LmNvbTBZMBMGByqGSM49AgEG | |||
CCqGSM49AwEHA0IABOxyTyzldtoCIizCEdW7Qkw0DG7cMFqobhK65Nq+Pqdzop6N | |||
n0gwZvU++gjX5y45lLntaqC49eOGivOhgdKxsuAwDQYJKoZIhvcNAQELBQADggEB | |||
ADEx+x0XXiTyBjEi5wVFEx/36tD4TMck5GLzyWFBPMgY5rVk0/scyYslqikF7j/M | |||
OY/Z+3WG/Wx0OqH+inA+aYb2xg6qLd4JR9eIRU7luSKyFDRCK3BYcpPYa9DQKVim | |||
Q4jA17rLRKqLLSDWUr0VO+YaXk9EqpkjjEeo3Dn1xIKtwwqvEocFUWlc1MPUrfgX | |||
OpPP4fSyqPcE0I75vWsznGyrYax9k7fAFV/UdC2p/jQPs+lVVesml2DJA9IjEdpJ | |||
1HOKpzjPXrPkCixoXqjM0HZRLuCNUb1sl8bWvpCQ6xTtDH0mkt8yHO6HeqKLpgpZ | |||
2O99VHKVMmEzsFOyE+4khVM= | |||
-----END CERTIFICATE----- |
@@ -0,0 +1,30 @@ | |||
-----BEGIN RSA PRIVATE KEY----- | |||
Proc-Type: 4,ENCRYPTED | |||
DEK-Info: AES-256-CBC,298AA9B5B7606E863BB9183F689D9346 | |||
VvURRUrBBi/AlUA4AlFUKm+aVzvnG4TQrhHKTV3nFGOHeqB+Sua+3R+e6svyiY+p | |||
d0VaZtlpS2mE7lxPqy0+VOarCYYkJOF2juGVMwFzEG8lkoEUyC8qyOobaRj4OCcb | |||
PgIk9b3i5Lv2PBLTpC4lxo6FrUykKXqLKeg0Lp4EEfFRGOKQB5CQBDeGOA1oBeqt | |||
cwRxXP8k3KPiIs+P+Lswk5qLD4gTtlf8ycQmJuCDFUQ3ARgRvngqFvu/44fm5Ztv | |||
6fBvAQvoHXJ9I+HuJAJcT1wGn9itZYFRMXyA2pf1Q2WHpxm1ZS7AiZrn5nyqPpnV | |||
aoBlwR7D0OxyoRumSHA3Y4YheN+uId27Gg12AWUalDcFes3DD2DZOkSQrzsIT0X3 | |||
EifJSSnuOTLe8w+SSvUVIMxkW5CRE0uOi/wuZHTpRN0ZxsvmeL+EHQmqtAOcjS5g | |||
RPMidMdSGfCnqC0N2EAalUU2BsIGRgG5yvmG5ZIqu0Bm6WIIX1T34HS8HUhDqgRX | |||
jOi8Ch7J/6xMZcxSeqRvdss96s6SzehqpG3kW7EsualJqWwmAGF0oJOxX6LupIRd | |||
0GacwZv+NcWPYKL9oDNINPrU8hvobhaSeLvK8Gum8DK4TTd0evng6LYvkgejIcRF | |||
pzfC+ONTiHZO4ayxleJVFAdph2LY3itO/TKD6KBLq0vnd+HvOKPWq0s0zDtQ/mSF | |||
PMEwZ0DvYq5mtko5MOIqlIJKXS+p+jmzAhIZzqPt57HoyZjuRKTKkvlTeOoY7cax | |||
UDGJffDrnagbP3R12i+bm7Bmz7aQQktuwhV7/SrEnJDM2PLDOYuWnGV5v/Cb+L/7 | |||
gGMFs9PTro8p4OkCLcpyGS/FoA7J5B1JixhUJ4tSEzEkTBSYz5WCi7NqrRZ9nnDf | |||
drYBNpMHlK4DNRe9qhusdRPrbd9srDH8g74QQgzWorYx0TqBUS45NLyyUZPydFxJ | |||
vAT1lmdWo7DhhnqSkPAcrwKdakDIravzvw0Ex+iEzAPSaflDvVybu6Gf8r6FrFIR | |||
SrR2pT4EztvPViaS9KZHZ0PQYKporwsWM1ZLyGX2qi3d5+YFijE3IT67rSLuEBMO | |||
/RFY0OCHbmKNrOiCaXk51+04hXg8ptjAxD8YCFpOzaDlSW2LX9D2QAfghoArZVTb | |||
OHThemZ4zIvamGkZLQB44nuvduIRGBA2LiQ0YiH4FhuJCP7zTCtCqQu4Wnn6J4tb | |||
YCEtm9ntFSGGCipErqqENPTBhxz6exO8emd2/y0INY4d9xJYjfhqCrKShpeF+/Lf | |||
6pJ3Pj9qA3D8wWcizER5N4R1fzmhTOSCxinC6OVJOzdk76M6gi+bD5RV8HD60TyG | |||
VEmTusA8lrLlKSYiE+4VFYBJjBSCopybJAaNsKXaYM3hwaPTPJwsgPWxwQ5m/vPT | |||
7dvkPOnhqwQ7DEvr2y3AgEUJxXxtsNwQEiKgMuRxNIQNE5mp68dJ5hMFnbJUPvvo | |||
80IsUH11LLDQJV60aLLF8M37BFvNPUayaS+oP78UwRMbnpC92nuHNgvGfdXFKhV3 | |||
/8z6lNYPlMGgBwdCD6NBXpXHkp7rxOAGvHx5eUocjgXfF2b8zSXyN/9egK9sfMZZ | |||
-----END RSA PRIVATE KEY----- |
@@ -0,0 +1,19 @@ | |||
-----BEGIN CERTIFICATE----- | |||
MIIDGDCCAgACCQD7FNAespFtAjANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC | |||
RlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSYwJAYD | |||
VQQLDB1Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgU0FSTDEmMCQGA1UEAwwdRG9t | |||
YWluIENvbnRyb2wgVmFsaWRhdGVkIFNBUkwwHhcNMTgwNDA5MTYzMjEwWhcNNDUw | |||
ODI0MTYzMjEwWjAWMRQwEgYDVQQDDAt3d3cuZG12LmNvbTCCASIwDQYJKoZIhvcN | |||
AQEBBQADggEPADCCAQoCggEBANDw1tIr4IHqfivyIBMn4MPRaPQFxOZPIRaIOo85 | |||
4gaeHD11tLbxIh++lzfxk//ubC5a5K/PUDsVhLupTQVNKklcg4eRymZROkXoqgRg | |||
+ibEH5IYRu64aVlhQe4lGiK/Z8njUtq31zeyn2RaYWW/4uq/wmOKB/qVinARISKf | |||
lvTjtSN5cBg55tyDV5Cb7GgpSBXVGc8J4WKU6BAn43FTqgj8XkVvGYR3C/X5ZR/+ | |||
3xXVqe/VwLHyYNe61ySYRmymdoXJnJE7l0+MJhcpvepzEZ1pCULomNbHcxGfSZnc | |||
XsajvNKp/Y+cjC/IYmzkpTHgHhUEVs1rAdotNr0j5vRS/iECAwEAATANBgkqhkiG | |||
9w0BAQsFAAOCAQEAXjyhGLvT1waoYofYhkN3xmrkDxtM8HmG/xGad1vhkx6Qi2M/ | |||
kdX/UlEMwlkh1Of20iJVcMmTPleiOcIO2cE8F0BQ4wIGN3PGw8guxa11ToyyMarg | |||
cWNUWdA4gwYvMQv6tceUtsJUjNp0O6JW563jejVaiqBHhG50riJ2wfzqgMItjZY0 | |||
/TLVRQbEJ+NGeYZJ9/jL5xmHxoL8ROQ3RXtZjxU6Jr0pe3Y7XKT27QE3007EkCYb | |||
XG7K1U/rbixqfphXys677gjJ8xXChunjNqCijNk2xjHmu2MakspSqIB86oB50oLj | |||
Pu+AVI/SGD1qlJBC9qlgDoUkm9VI9mTIKJzALg== | |||
-----END CERTIFICATE----- |
@@ -0,0 +1,40 @@ | |||
-----BEGIN PRIVATE KEY----- | |||
MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDChoUsywwSGecu | |||
aHGGNMY8PrvM7nPjXpFXD0MK1OG0Yf3eV/QqRC3ahS7SICUvhRTiDzClez45NOKx | |||
YpH1C0u/M/DvojFgrGJlKVvO0vdckxlWCyK6DVKiwBP7ySkXjy+TuRuIZ4kxHzWC | |||
AEldbgPHlIGPxvhU4dAHXHcdHGdAgHL+7AhZh32acIDq3pkla3PQAawKcl/72l7v | |||
PXju594jWZkzrqPjXKpJ2GRX8q5XFoMNUe3hDR1Fk4aij7Y2k5aWmkD3WVGHti9K | |||
Zdjua2CYIp1+BUZ205wxOiWHlshpXzs73Exj2uv9OM/fcVliy5T+uR87a6KoIq+7 | |||
vrU642yWCWOx3pzhvfgBANCnJRWXCq4CPAyImNUaapgnrM9TIWRyBmtD7/qsfQ0b | |||
DKJItf+p4Zzx1QatLKFG8qaaoP+6liQQaYFRP/v+cXM7c9LaU7elKI3yyClLSUoV | |||
rg6vp/xUsIcaYjUP2j+3VMv54Dy18eWt2FkmRB1ompSp+g6XoI8CAQMCggGBAIGv | |||
A3MyCAwRRMma9ll4hCgp0oie9+zptjoKLLHjQSLr/pQ6osbYHpGuHzbAGMpYuJa0 | |||
yxj81CYjQcuXC/iyMn939fUWy5XIQZjGPTSMpOhiEOQHbHwI4cHVYqfbcLpfdQ0m | |||
ElrvsMtqI6wAMOj0AoUNq7UvUDiWiq+S+hNoRNWq91SdWuZaU7xLAJyUZhjyTTVW | |||
crGhlVKRlJ9+UJ9FPsI7u3fJwpeTHDE67Y/3HuS5rLOL8+teE4O3rxcKeXm3uI/h | |||
4O6rL2hwJDWSZ0LDnCCRpPQQwjlh6/xg57+R7Fgn8UW9u6dtyuNTHHpR+iiouE+Y | |||
7unzF5SC/ipQDFUYHmNiygGZL6KMy1H5NlosQiQZ/BY7A6UsNnySa6XwZu1/HTMt | |||
6pEtFbiXs3XaR6aA9Ervjt6OEHTldQ5/mBc2A6cvtvLB/wa74fkX5vhA2ruapTWr | |||
T501rYPTKhUKxmyaSe0U7qZ4rLcgOpxKbr/Rh6fkoXfgBOov5supefCRPeCsuwKB | |||
wQDpmuped2B80mnSchyL3KG/x5GFxSfALgnWGYovzHLHPxJQGLrSa841N4j+Qggb | |||
4n/r4e93+L1Ps++9Zl4A9HFQ+F0oKE+j18mB6LEkvFCqhIRC29mJcQyfNbchFqhl | |||
Ph+6XE/Ul8p5UdF2gZfNyQoJ5TGnWPEusxwD8T3IY5helGd6i8SY6FztIzlsNv/p | |||
hZ/9YjHjP9ngmGruXjgQBb1NFKuELbGE2gMw60faiKbPmJVHtotVwauS8OA+67jH | |||
w30CgcEA1SyFMuEp7juPJ5ghfmlUp4CUiib7YJKwYI8/uG9zHeQ/Ayb4FkptcwSc | |||
KbRaCewAm3HJZIZB+apCvuBEukrNr/zXh1CFyhL9hCJN+yZhtl8vngeth2V2wFk/ | |||
ja2MiaSY6uU7lZSPnkeuc8OfASuHL5UU/Kb8zyFVrUIEr2xh4ToqKbq+Lj3MG6pf | |||
WtuK12Yf10Vko7fLJPQgB7+s/LrQI/x1nH+AeE/km/nd/51KaoJeMlHGcTqXpCt9 | |||
gjR4/tn7AoHBAJu8nD76QFM28Tb2vbKTFn/aYQPYxSrJW+QRBsqITITUtuAQfIxH | |||
3s4lBf7WsBKW//KWn6VQfjUin9OZlACi9jX66MVwNRflMQFFy23S4HGtrYHn5lug | |||
sxTOehYPGu4panw9io26hvuL4PmruokwsVvuIRo7S3R3aAKg09rtED8NmlGygxCa | |||
6J4Xe515//EDv/5Bdpd/5pW68fQ+0AqufjNjHQLJIQM8AiCc2pGwbzUQY4UkXOPW | |||
cmH16tSdJdqCUwKBwQCOHa4h63FJfQoaZWupm43FAGMGxKeVtyBAX3/QSky+mCoC | |||
Gfq5hvOiAxLGeDwGnVW89oZDBCv7xtcp6th8Md51UzpaNa6Gt1OtbDP8xEEkP3UU | |||
BR5aQ6SAO3+zyQhbwxCcmNJjuF++2nRNLRSrclofuLiob1M0wOPI1q3KSEFA0XFx | |||
Jyl0KTK9HD+R57Hk7r/k2O3Ceodt+BVaf8iofIrCqE5oVQBQNUMSppP/vjGcVul2 | |||
4S72Jw/Cx6kBeFCp5qcCgcBF+fb8F59HYjZJAjV4Qv2obehNvcb7swHMOYTLBkBq | |||
j9cnVysTQ9lc6vwB5Vh4rzwOSmJRKPvv6+1oinImwtzZFLuggunkXxmrPLiRcF82 | |||
Gj7RL62D6msMbNo0vMXmXa20D/M3lATSuWuOsBz1BAfFrkO/kwAz02s9dleOidX3 | |||
YkuSiPhm3bQD3qezO3OQmZ2s1OfzZMQpXE8+4ymTWW5H9KtKxrDs7/05goy1/OPk | |||
u5evFUiLOWw7CJ9Sy1/Jaws= | |||
-----END PRIVATE KEY----- |
@@ -0,0 +1,18 @@ | |||
-----BEGIN CERTIFICATE----- | |||
MIIC1DCCAnsCCQCY04gkucQIkzAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJGUjEN | |||
MAsGA1UECAwEUEFDQTEXMBUGA1UEBwwOQ2FnbmVzIHN1ciBNZXIxIjAgBgNVBAsM | |||
GUNlcnQgVGVzdGluZyBPcmdhbml6YXRpb24xIjAgBgNVBAMMGUNlcnQgVGVzdGlu | |||
ZyBPcmdhbml6YXRpb24wHhcNMTgwNDE3MTMyNzA4WhcNMTgwNTE3MTMyNzA4WjAf | |||
MR0wGwYDVQQDDBR3d3cuY2VydF90ZXN0aW5nLmNvbTCCAaAwDQYJKoZIhvcNAQEB | |||
BQADggGNADCCAYgCggGBAMKGhSzLDBIZ5y5ocYY0xjw+u8zuc+NekVcPQwrU4bRh | |||
/d5X9CpELdqFLtIgJS+FFOIPMKV7Pjk04rFikfULS78z8O+iMWCsYmUpW87S91yT | |||
GVYLIroNUqLAE/vJKRePL5O5G4hniTEfNYIASV1uA8eUgY/G+FTh0Adcdx0cZ0CA | |||
cv7sCFmHfZpwgOremSVrc9ABrApyX/vaXu89eO7n3iNZmTOuo+NcqknYZFfyrlcW | |||
gw1R7eENHUWThqKPtjaTlpaaQPdZUYe2L0pl2O5rYJginX4FRnbTnDE6JYeWyGlf | |||
OzvcTGPa6/04z99xWWLLlP65Hztroqgir7u+tTrjbJYJY7HenOG9+AEA0KclFZcK | |||
rgI8DIiY1RpqmCesz1MhZHIGa0Pv+qx9DRsMoki1/6nhnPHVBq0soUbyppqg/7qW | |||
JBBpgVE/+/5xcztz0tpTt6UojfLIKUtJShWuDq+n/FSwhxpiNQ/aP7dUy/ngPLXx | |||
5a3YWSZEHWialKn6DpegjwIBAzAKBggqhkjOPQQDAgNHADBEAiBiXGvdsqXGxDtR | |||
09lV6d2w2rYVteso/RVCQVxUWo5BuQIgRXF5XrvhRbpTOaRgLgnOpyLZv7nEwWNG | |||
cRb2Q37V4VM= | |||
-----END CERTIFICATE----- |
@@ -0,0 +1,205 @@ | |||
#include <unistd.h> | |||
#include "common.h" | |||
// include/ path is here for a reason - to make sure we compile against boringssl (temporary solution) | |||
#include <include/openssl/ssl.h> | |||
#include <pthread.h> | |||
// Buffer used for read/write tests | |||
unsigned char rw_buf[BUFFER_SIZE]; | |||
SSL_CTX *setup_client_ctx(void) | |||
{ | |||
SSL_CTX* ctx; | |||
ctx = SSL_CTX_new(TLS_with_buffers_method()); | |||
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); | |||
if( SSL_CTX_load_verify_locations(ctx, CACERT, NULL) != 1) { | |||
ERR("Error loading CA DIR"); | |||
} | |||
return ctx; | |||
} | |||
int do_client_loop(SSL* ssl) | |||
{ | |||
int err, nwritten; | |||
char buf[80]; | |||
for(;;) | |||
{ | |||
if( !fgets(buf, sizeof(buf), stdin) ) | |||
break; | |||
for(nwritten = 0; nwritten < strlen(buf); nwritten += err) | |||
{ | |||
err = SSL_write(ssl, buf + nwritten, strlen(buf) - nwritten); | |||
if(err<=0) | |||
return 0; | |||
} | |||
} | |||
return 1; | |||
} | |||
void test_Handshake(size_t handshake_nb) { | |||
SSL* ssl; | |||
SSL_CTX* ctx; | |||
int err; | |||
init(); | |||
ctx = setup_client_ctx(); | |||
DBG("Trying to connect"); | |||
int fd = connect_once(); | |||
for (size_t i=0; i<handshake_nb; i++) { | |||
DBG("SSL ctx setup"); | |||
if (!(ssl = SSL_new(ctx))) { | |||
ERR("Error creating an SSL context"); | |||
} | |||
SSL_set_fd(ssl, fd); | |||
DBG("SSL handshake"); | |||
// OZAPTF: do handshake thing | |||
err = SSL_connect(ssl); | |||
if (err<=0) { | |||
ERR("Error connecting SSL err=%d", err); | |||
} | |||
// assert(!SSL_session_reused(ssl)); | |||
SSL_set_read_ahead(ssl, 0); | |||
assert(SSL_shutdown(ssl) == 0); | |||
assert(SSL_shutdown(ssl) == 1); | |||
SSL_free(ssl); | |||
} | |||
SSL_CTX_free(ctx); | |||
close(fd); | |||
} | |||
void test_Read() { | |||
int err, nread=0; | |||
SSL* ssl; | |||
SSL_CTX* ctx; | |||
init(); | |||
ctx = setup_client_ctx(); | |||
DBG("Trying to connect"); | |||
int fd = connect_once(); | |||
DBG("SSL ctx setup"); | |||
if (!(ssl = SSL_new(ctx))) { | |||
ERR("Error creating an SSL context"); | |||
} | |||
SSL_set_fd(ssl, fd); | |||
DBG("SSL handshake"); | |||
err = SSL_connect(ssl); | |||
if (err<=0) { | |||
ERR("Error connecting SSL err=%d", err); | |||
} | |||
DBG("SSL writing"); | |||
if (SSL_write(ssl, (unsigned char*)READ_REQUEST, sizeof(READ_REQUEST) ) <= 0) { | |||
ERR("SSL_write"); | |||
} | |||
DBG("Continue reading"); | |||
do { | |||
#ifdef DEBUG | |||
fwrite(rw_buf,1, nread, stdout); | |||
#endif | |||
for(nread=0; nread<sizeof(rw_buf); nread+=err) { | |||
err = SSL_read(ssl, rw_buf+nread, sizeof(rw_buf) - nread); | |||
if(err <= 0) { | |||
break; | |||
} | |||
} | |||
} while(err>0); | |||
if (0==(SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN)) { | |||
ERR("SSL_Read"); | |||
} | |||
DBG("Shutdown"); | |||
SSL_set_read_ahead(ssl, 0); | |||
assert(SSL_shutdown(ssl) == 1); | |||
SSL_free(ssl); | |||
SSL_CTX_free(ctx); | |||
close(fd); | |||
} | |||
void test_Write() { | |||
SSL* ssl; | |||
SSL_CTX* ctx; | |||
int err,nread=0; | |||
init(); | |||
ctx = setup_client_ctx(); | |||
DBG("Trying to connect"); | |||
int fd = connect_once(); | |||
DBG("SSL ctx setup"); | |||
if (!(ssl = SSL_new(ctx))) { | |||
ERR("Error creating an SSL context"); | |||
} | |||
SSL_set_fd(ssl, fd); | |||
DBG("SSL handshake"); | |||
err = SSL_connect(ssl); | |||
if (err<=0) { | |||
ERR("Error connecting SSL err=%d", err); | |||
} | |||
DBG("Writing"); | |||
fill_buffer_from_file(rw_buf, sizeof(rw_buf)); | |||
for (size_t i=0; i<RW_ITERATIONS; i++) { | |||
for(nread=0; nread<sizeof(rw_buf); nread+=err) { | |||
err = SSL_write(ssl, rw_buf+nread, sizeof(rw_buf) - nread); | |||
if(err <= 0) { | |||
ERR("SSL_write"); | |||
} | |||
} | |||
} | |||
DBG("Shutdown"); | |||
SSL_set_read_ahead(ssl, 0); | |||
assert(SSL_shutdown(ssl) == 0); | |||
assert(SSL_shutdown(ssl) == 1); | |||
SSL_free(ssl); | |||
SSL_CTX_free(ctx); | |||
close(fd); | |||
} | |||
int main(int argc, char* argv[]) { | |||
if (argc < 2) { | |||
goto usage; | |||
} | |||
if (!strncmp("test_Handshake", argv[1], strlen("test_Handshake"))) { | |||
test_Handshake(HANDHAKE_REPS); | |||
} else if (!strncmp("test_Read", argv[1], strlen("test_Read"))) { | |||
test_Read(); | |||
} else if (!strncmp("test_Write", argv[1], strlen("test_Write"))) { | |||
test_Write(); | |||
} else { | |||
printf("Unknown test"); | |||
goto usage; | |||
} | |||
exit: | |||
cleanup(); | |||
return 0; | |||
usage: | |||
ERR("\n\nUsage: %s test_name \nOptions for 'test_name':\n\t" | |||
"test_Handshake\n\ttest_Write\n\ttest_Read\n", argv[0]); | |||
goto exit; | |||
} |
@@ -0,0 +1,53 @@ | |||
#include "common.h" | |||
#include <stdio.h> | |||
#include <stdlib.h> | |||
#include <fcntl.h> | |||
#include <netinet/tcp.h> | |||
#include <sys/socket.h> | |||
#include <arpa/inet.h> | |||
#include <unistd.h> | |||
/* ----------------------------------------------------------------------------- | |||
* @brief Performs TCP 3-way handshake with IP:PORT | |||
* -------------------------------------------------------------------------------- */ | |||
int connect_once(void) { | |||
struct sockaddr_in a; | |||
int fd = socket(AF_INET, SOCK_STREAM, 0); | |||
memset(&a, 0, sizeof(a)); | |||
a.sin_family = AF_INET; | |||
a.sin_addr.s_addr = inet_addr(IP); | |||
a.sin_port = htons(PORT); | |||
// Set socket to blocking, in order to make things simplere | |||
if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK )<0) { | |||
ERR("fcntl"); | |||
} | |||
if (connect(fd, (struct sockaddr *) &a, sizeof(a))<0) { | |||
ERR("Econnect"); | |||
} | |||
DBG("Connected"); | |||
return fd; | |||
} | |||
/* ----------------------------------------------------------------------------- | |||
* @brief Fills the buffer with random data. | |||
*------------------------------------------------------------------------------ */ | |||
void fill_buffer_from_file(unsigned char *b, size_t sz) { | |||
FILE * fd = fopen(RANDOM_DATA_FILE, "r"); | |||
if (!fd) { | |||
ERR("fopen"); | |||
} | |||
if (fread(b, 1, sz, fd) < sz) { | |||
// Random data file smaller than a buffer | |||
ERR("fread"); | |||
} | |||
if (fclose(fd)) { | |||
ERR("fclose"); | |||
} | |||
} |
@@ -0,0 +1,64 @@ | |||
#ifndef __COMMON_H__ | |||
#define __COMMON_H__ | |||
#include <string.h> | |||
#include <stdlib.h> | |||
#include <assert.h> | |||
#ifdef DEBUG | |||
#include <stdio.h> | |||
#endif | |||
#define PORT 1443 | |||
#define IP "127.0.0.1" | |||
#define SERVER "localhost" | |||
#define CLIENT "localhost" | |||
#define CACERT "etc/ca/ca.cert.pem" | |||
//#define CERT_HOSTNAME "www.cert_testing.com" | |||
#define CERT_HOSTNAME "www.dmv.com" | |||
#define KEYFILE_PASS "test123" | |||
#define READ_REQUEST "ReadRequest" | |||
#define HANDHAKE_REPS 200 | |||
// Keep random data file must at least same size as a buffer size | |||
#define RANDOM_DATA_FILE "etc/random_data" | |||
#define BUFFER_SIZE 1024 | |||
// Amount bytes of plaintext data exchanged in read-write stets is BUFFER_SIZE*RW_ITERATOIONS | |||
#ifdef DEBUG | |||
#define RW_ITERATIONS (1024*10) // 10 MB | |||
#else | |||
#define RW_ITERATIONS (1024*200) // 1GB | |||
#endif | |||
// Utils | |||
#define LOG_I(...) \ | |||
do { \ | |||
(void) fprintf(stdout, "[%s() %s:%d] ", __func__, __FILE__, __LINE__); \ | |||
(void) fprintf(stdout, __VA_ARGS__); \ | |||
(void) fprintf(stdout, "\n"); \ | |||
} while (0) | |||
#define ERR(...) \ | |||
do { \ | |||
LOG_I(__VA_ARGS__); \ | |||
exit(-1); \ | |||
} while (0) | |||
#define LOG(...) LOG_I(__VA_ARGS__) | |||
#ifdef DEBUG | |||
#define DBG(...) LOG_I(__VA_ARGS__) | |||
#else | |||
#define DBG(...) | |||
#endif | |||
#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0])) | |||
int connect_once(void); | |||
void init(void); | |||
void cleanup(void); | |||
void fill_buffer_from_file(unsigned char *b, size_t sz); | |||
// Available tests | |||
void test_Write(void); | |||
void test_Read(void); | |||
void test_Handshake(size_t); | |||
#endif // __COMMON_H__ |
@@ -0,0 +1,30 @@ | |||
#include "common.h" | |||
// include/ path is here for a reason - to make sure we compile against boringssl (temporary solution) | |||
#include <include/openssl/rand.h> | |||
#include <include/openssl/ssl.h> | |||
#include <include/openssl/x509v3.h> | |||
#include <pthread.h> | |||
void init(void) { | |||
OpenSSL_add_all_algorithms(); | |||
SSL_load_error_strings(); | |||
SSL_library_init(); | |||
CRYPTO_library_init(); | |||
if(!SSL_library_init()) | |||
{ | |||
fprintf(stderr, "** OpenSSL initialization failed!\n"); | |||
exit(-1); | |||
} | |||
} | |||
void cleanup(void) { | |||
ERR_free_strings(); | |||
ERR_clear_error(); | |||
CRYPTO_set_locking_callback(NULL); | |||
CRYPTO_set_id_callback(NULL); | |||
EVP_cleanup(); | |||
CRYPTO_cleanup_all_ex_data(); | |||
} |
@@ -0,0 +1,244 @@ | |||
#include <unistd.h> | |||
#include "mbedtls/net.h" | |||
#include "mbedtls/ssl.h" | |||
#include "mbedtls/entropy.h" | |||
#include "mbedtls/ctr_drbg.h" | |||
#ifdef DEBUG | |||
#include "mbedtls/debug.h" | |||
#endif | |||
#include "common.h" | |||
mbedtls_net_context server_fd; | |||
mbedtls_entropy_context entropy; | |||
mbedtls_ctr_drbg_context ctr_drbg; | |||
mbedtls_ssl_context ctx; | |||
mbedtls_ssl_config conf; | |||
mbedtls_x509_crt cacert; | |||
// Buffer used for read/write tests | |||
unsigned char rw_buf[BUFFER_SIZE]; | |||
// Function calls 'mbedtls_ssl_handshake' and 'mbedtls_ssl_close_notify' | |||
#define HANDLE_OP_RW_NEEDS(op, ctx) \ | |||
do { \ | |||
while ((ret = (op)((ctx)))) { \ | |||
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { \ | |||
ERR("Critical error when performing " #op); \ | |||
} \ | |||
} \ | |||
} while (0); | |||
#ifdef DEBUG | |||
static void my_debug( void *ctx, int level, | |||
const char *file, int line, const char *str ) { | |||
((void) level); | |||
fprintf( (FILE *) ctx, "%s:%04d: %s", file, line, str ); | |||
fflush( (FILE *) ctx ); | |||
} | |||
#endif | |||
void init() { | |||
int ret; | |||
mbedtls_net_init( &server_fd ); | |||
mbedtls_ssl_init( &ctx ); | |||
mbedtls_ssl_config_init( &conf ); | |||
mbedtls_x509_crt_init( &cacert ); | |||
mbedtls_ctr_drbg_init( &ctr_drbg ); | |||
mbedtls_entropy_init( &entropy ); | |||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); | |||
ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, | |||
(const unsigned char *) CLIENT, | |||
strlen( CLIENT ) ); | |||
if (ret) { | |||
ERR( "mbedtls_ctr_drbg_seed"); | |||
} | |||
ret = mbedtls_ssl_config_defaults(&conf, | |||
MBEDTLS_SSL_IS_CLIENT, | |||
MBEDTLS_SSL_TRANSPORT_STREAM, // TLS not DTLS | |||
MBEDTLS_SSL_PRESET_DEFAULT ); | |||
if (ret) { | |||
ERR("mbedtls_ssl_config_defaults"); | |||
} | |||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); | |||
if (ret) { | |||
ERR( "mbedtls_ssl_conf_authmode"); | |||
} | |||
ret = mbedtls_x509_crt_parse_file(&cacert, CACERT); | |||
if (ret) { | |||
ERR("mbedtls_x509_crt_parse"); | |||
} | |||
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); | |||
//mbedtls_ssl_conf_ciphersuites( &conf, AllowedCiphers); | |||
#ifdef DEBUG | |||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); | |||
mbedtls_debug_set_threshold(4); | |||
#endif | |||
// end of 'conf' object setup | |||
ret = mbedtls_ssl_setup(&ctx, &conf); | |||
if (ret) { | |||
ERR("mbedtls_ssl_setup"); | |||
} | |||
} | |||
void cleanup(void) { | |||
mbedtls_x509_crt_free(&cacert); | |||
mbedtls_net_free( &server_fd ); | |||
mbedtls_ssl_free( &ctx ); | |||
mbedtls_ssl_config_free( &conf ); | |||
mbedtls_ctr_drbg_free( &ctr_drbg ); | |||
mbedtls_entropy_free( &entropy ); | |||
} | |||
static void setup_client_ctx(void) | |||
{ | |||
if (mbedtls_ssl_set_hostname(&ctx, CERT_HOSTNAME) ) { | |||
ERR("mbedtls_ssl_set_hostname"); | |||
} | |||
mbedtls_ssl_set_bio(&ctx, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); | |||
} | |||
void test_Handshake(size_t handshake_nb) { | |||
int ret; | |||
init(); | |||
DBG("Trying to connect"); | |||
server_fd.fd = connect_once(); | |||
setup_client_ctx(); | |||
for (int i=0; i<handshake_nb; i++) { | |||
DBG("SSL handshake"); | |||
HANDLE_OP_RW_NEEDS(mbedtls_ssl_handshake, &ctx); | |||
DBG("Send 'close notify'"); | |||
HANDLE_OP_RW_NEEDS(mbedtls_ssl_close_notify, &ctx); | |||
DBG("SSL reset"); | |||
mbedtls_ssl_session_reset(&ctx); | |||
} | |||
close(server_fd.fd); | |||
cleanup(); | |||
} | |||
void test_Write() { | |||
int ret, err, nread =0; | |||
init(); | |||
DBG("Trying to connect"); | |||
server_fd.fd = connect_once(); | |||
setup_client_ctx(); | |||
DBG("SSL handshake"); | |||
HANDLE_OP_RW_NEEDS(mbedtls_ssl_handshake, &ctx); | |||
fprintf(stderr, "%s\n", mbedtls_ssl_get_version(&ctx)); | |||
fprintf(stderr, "%s\n", mbedtls_ssl_get_ciphersuite(&ctx)); | |||
fill_buffer_from_file(rw_buf, sizeof(rw_buf)); | |||
for (size_t i=0; i<RW_ITERATIONS; i++) { | |||
for(nread=0; nread<sizeof(rw_buf); nread+=err) { | |||
err = mbedtls_ssl_write(&ctx, rw_buf+nread, sizeof(rw_buf) - nread); | |||
if (err == MBEDTLS_ERR_SSL_WANT_READ && err == MBEDTLS_ERR_SSL_WANT_WRITE) { | |||
// From spec: when this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ, | |||
// it must be called later with the same arguments, until | |||
// it returns a positive value. | |||
err = 0; | |||
continue; | |||
} | |||
if(err <= 0) { | |||
ERR("mbedtls_ssl_write"); | |||
} | |||
} | |||
} | |||
DBG("Send 'close notify'"); | |||
HANDLE_OP_RW_NEEDS(mbedtls_ssl_close_notify, &ctx); | |||
close(server_fd.fd); | |||
cleanup(); | |||
} | |||
void test_Read() { | |||
int ret, err, nread = 0; | |||
init(); | |||
DBG("Trying to connect"); | |||
server_fd.fd = connect_once(); | |||
setup_client_ctx(); | |||
DBG("SSL handshake"); | |||
HANDLE_OP_RW_NEEDS(mbedtls_ssl_handshake, &ctx); | |||
if (mbedtls_ssl_write( &ctx, (unsigned char*)READ_REQUEST, sizeof(READ_REQUEST) ) <= 0) { | |||
ERR("mbedtls_ssl_write"); | |||
} | |||
do { | |||
#ifdef DEBUG | |||
fwrite(rw_buf,1, nread, stdout); | |||
#endif | |||
for(nread=0; nread<sizeof(rw_buf); nread+=err) { | |||
err = mbedtls_ssl_read(&ctx, rw_buf+nread, sizeof(rw_buf) - nread); | |||
if (err == MBEDTLS_ERR_SSL_WANT_READ && err == MBEDTLS_ERR_SSL_WANT_WRITE) { | |||
// I assume as for mbedtls_ssl_write, the read function will handle | |||
// MBEDTLS_ERR_SSL_WANT_WRITE/READ return codes | |||
err = 0; | |||
continue; | |||
} | |||
if(!err) break; | |||
} | |||
} while(err>0); | |||
if (err != MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { | |||
ERR("mbedtls_ssl_read"); | |||
} | |||
DBG("Send 'close notify'"); | |||
HANDLE_OP_RW_NEEDS(mbedtls_ssl_close_notify, &ctx); | |||
close(server_fd.fd); | |||
cleanup(); | |||
} | |||
int main(int argc, char* argv[]) { | |||
if (argc < 2) { | |||
goto usage; | |||
} | |||
if (!strncmp("test_Handshake", argv[1], strlen("test_Handshake"))) { | |||
test_Handshake(HANDHAKE_REPS); | |||
} else if (!strncmp("test_Read", argv[1], strlen("test_Read"))) { | |||
test_Read(); | |||
} else if (!strncmp("test_Write", argv[1], strlen("test_Write"))) { | |||
test_Write(); | |||
} else { | |||
printf("Unknown test"); | |||
goto usage; | |||
} | |||
exit: | |||
return 0; | |||
usage: | |||
ERR("\n\nUsage: %s test_name \nOptions for 'test_name':\n\t" | |||
"test_Handshake\n\ttest_Write\n\ttest_Read\n", argv[0]); | |||
goto exit; | |||
} |
@@ -0,0 +1,264 @@ | |||
#include <netinet/tcp.h> | |||
#include <sys/socket.h> | |||
#include <arpa/inet.h> | |||
// include/ path is here for a reason - to make sure we compile against boringssl (temporary solution) | |||
#include <include/openssl/rand.h> | |||
#include <include/openssl/ssl.h> | |||
#include <include/openssl/x509v3.h> | |||
#include <pthread.h> | |||
#include "common.h" | |||
// Enforce this protocol version | |||
#define TLS_PROT_VERSION TLS1_2_VERSION | |||
#define ENFORCED_CURVE NID_X9_62_prime256v1 | |||
// Not supported by mbedTLS | |||
//#define ENFORCED_CURVE NID_X25519 | |||
static const int Curves[1] = {ENFORCED_CURVE}; | |||
static const struct CertDesc_t { | |||
const char* arg; | |||
const char* cert; | |||
const char* key; | |||
const char* cipher; | |||
const int* curves; | |||
} Certs[] = { | |||
{ | |||
.arg = "RSA_2048", | |||
.key = "etc/rsa_2048.key", | |||
.cert = "etc/rsa_2048.pem", | |||
.cipher = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", | |||
.curves = Curves, | |||
}, | |||
{ | |||
.arg = "RSA_3072", | |||
.key = "etc/rsa_3072.key", | |||
.cert = "etc/rsa_3072.pem", | |||
.cipher = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", | |||
.curves = Curves, | |||
}, | |||
{ | |||
.arg = "ECDSA_256", | |||
.key = "etc/ecdsa_256.key", | |||
.cert = "etc/ecdsa_256.pem", | |||
.cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", | |||
.curves = Curves, | |||
} | |||
}; | |||
const struct CertDesc_t* get_cert_desc(const char* c) { | |||
for(size_t i=0; i<ARRAY_SIZE(Certs); i++) { | |||
if (!memcmp(Certs[i].arg, c, strlen(Certs[i].arg))) { | |||
return &Certs[i]; | |||
} | |||
} | |||
ERR("Critical error"); | |||
} | |||
// Buffer used for read/write tests | |||
unsigned char rw_buf[BUFFER_SIZE]; | |||
int pass_cb(char *buf, int size, int rwflag, void *u) { | |||
DBG("Using password " KEYFILE_PASS); | |||
// password for all keys is "test123" | |||
memcpy(buf, KEYFILE_PASS, strlen(KEYFILE_PASS)); | |||
return strlen(KEYFILE_PASS); | |||
} | |||
static int accept_once(void) { | |||
int fd, client; | |||
int reuseval = 1; | |||
struct sockaddr_in a; | |||
size_t a_len = sizeof(a); | |||
// configure | |||
memset(&a, 0, a_len); | |||
a.sin_family = AF_INET; | |||
a.sin_port = htons(PORT); | |||
a.sin_addr.s_addr = INADDR_ANY; | |||
fd = socket(PF_INET, SOCK_STREAM, 0); | |||
if (setsockopt(fd,SOL_SOCKET, SO_REUSEADDR, &reuseval, sizeof(reuseval))) { | |||
ERR("setsockopt"); | |||
} | |||
if (bind(fd, (struct sockaddr *)&a, sizeof(a))) { | |||
ERR("bind"); | |||
} | |||
if (listen(fd, 1)) { | |||
ERR("listen"); | |||
} | |||
client = accept(fd, (struct sockaddr *)&a, (socklen_t *)&a_len); | |||
if (client<0) { | |||
ERR("accept"); | |||
} | |||
return client; | |||
} | |||
static SSL_CTX* setup_server_ctx(const char* cert_name) { | |||
SSL_CTX* ctx = SSL_CTX_new(TLS_method()); | |||
assert(ctx); | |||
const struct CertDesc_t *c = get_cert_desc(cert_name); | |||
SSL_CTX_set_default_passwd_cb(ctx, &pass_cb); | |||
if(SSL_CTX_use_certificate_file(ctx, c->cert, SSL_FILETYPE_PEM) != 1) | |||
ERR("Error loading certificate from file"); | |||
if(SSL_CTX_use_PrivateKey_file(ctx, c->key, SSL_FILETYPE_PEM) != 1) | |||
ERR("Error loading private key from file"); | |||
if (SSL_CTX_set_strict_cipher_list(ctx, c->cipher) != 1) { | |||
ERR("Error setting cipher list"); | |||
} | |||
if (!SSL_CTX_set1_curves(ctx, c->curves, 1)) { | |||
ERR("Enforcing curve"); | |||
} | |||
if (SSL_CTX_set_min_proto_version(ctx, TLS_PROT_VERSION) != 1 || | |||
SSL_CTX_set_max_proto_version(ctx, TLS_PROT_VERSION) != 1) { | |||
ERR("Enforcing protocol to TLSv1.2"); | |||
} | |||
return ctx; | |||
} | |||
static void start_writing(SSL *ssl) { | |||
int nread,err; | |||
DBG("Start writing"); | |||
fill_buffer_from_file(rw_buf, sizeof(rw_buf)); | |||
for (size_t i=0; i<RW_ITERATIONS; i++) { | |||
for(nread=0; nread<sizeof(rw_buf); nread+=err) { | |||
err = SSL_write(ssl, rw_buf+nread, sizeof(rw_buf) - nread); | |||
if(err <= 0) { | |||
ERR("SSL_write"); | |||
} | |||
} | |||
} | |||
} | |||
static int do_server_loop(SSL* ssl) { | |||
int nread,err; | |||
DBG("Check if first packet is ReadRequest"); | |||
for(nread=0; nread<strlen(READ_REQUEST); nread+=err) { | |||
err = SSL_read(ssl, rw_buf+nread, sizeof(rw_buf) - nread); | |||
if (err <=0) { | |||
break; | |||
} | |||
} | |||
DBG("Check if server loop should be finished"); | |||
// Stop here if shutdown requested | |||
if (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) { | |||
return 1; | |||
} | |||
// Check if client wants to read | |||
if (nread && !memcmp(READ_REQUEST, rw_buf, nread)) { | |||
start_writing(ssl); | |||
return 2; // server initiated closure | |||
} | |||
// Keep reading till connection closed | |||
DBG("Continue reading"); | |||
do { | |||
for(nread=0; nread<sizeof(rw_buf); nread+=err) { | |||
err = SSL_read(ssl, rw_buf+nread, sizeof(rw_buf) - nread); | |||
if(err <= 0) { | |||
break; | |||
} | |||
} | |||
} while(err>0); | |||
return (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) ? 1 : 0; | |||
} | |||
#ifdef DEBUG | |||
static const char* DBG_get_curve(SSL* ssl) { | |||
const int id = SSL_get_curve_id(ssl); | |||
if (!id) return "N/A"; | |||
return SSL_get_curve_name(id); | |||
} | |||
#endif | |||
// Interface for accepting | |||
int main(int argc, char *argv[]) | |||
{ | |||
SSL *ssl; | |||
SSL_CTX *ctx; | |||
int fd, ret; | |||
if (argc < 2) { | |||
goto usage; | |||
} | |||
// Start server | |||
init(); | |||
ctx = setup_server_ctx(argv[1]); | |||
fd = accept_once(); | |||
for(;;) { | |||
DBG("SSL Accepting"); | |||
if(!(ssl = SSL_new(ctx))) { | |||
DBG("Error creating SSL context"); | |||
} | |||
SSL_set_fd(ssl, fd); | |||
ret = SSL_accept(ssl); | |||
//printf("%s\n", SSL_get_curve_name(SSL_get_curve_id(ssl))); | |||
if (ret<=0) { | |||
ret = SSL_get_error(ssl, ret); | |||
if (ret == SSL_ERROR_SYSCALL) { | |||
DBG("Connection closed"); | |||
goto end; | |||
} else { | |||
ERR("Critical error occured %d", ret); | |||
} | |||
} | |||
DBG("Protocol: %s Cipher %s Curve %s", SSL_get_version(ssl), SSL_get_cipher_name(ssl), DBG_get_curve(ssl)); | |||
DBG("server loop"); | |||
ret = do_server_loop(ssl); | |||
if(ret) { | |||
DBG("Shutdown"); | |||
SSL_set_read_ahead(ssl, 0); | |||
if (ret==2) { | |||
// Server is closing | |||
SSL_shutdown(ssl); | |||
} | |||
assert(SSL_shutdown(ssl)==1); | |||
} | |||
else { | |||
DBG("Shutdown - error case"); | |||
goto end; | |||
} | |||
SSL_clear(ssl); | |||
} | |||
SSL_CTX_free(ctx); | |||
end: | |||
cleanup(); | |||
return 0; | |||
usage: | |||
ERR("\n\nUsage: %s server certificate \nOptions for 'server certificate':\n\t" | |||
"RSA_2048\n\t" | |||
"RSA_3072\n\t" | |||
"ECDSA_256\n\t", | |||
argv[0]); | |||
goto end; | |||
} |