kris
/
mbedtls_vs_boringssl
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Procházet zdrojové kódy

Initial commit

master
Henry D. Case před 6 roky
revize
0f494ae8f1
26 změnil soubory, kde provedl 4525 přidání a 0 odebrání
Rozdělené zobrazení
Diff Options
Zobrazit statistiky Stáhněte soubor opravy Stáhněte rozdílový soubor
  1. +6
    -0
      .gitmodules
  2. +278
    -0
      APPENDIX.md
  3. +60
    -0
      README.md
  4. +29
    -0
      bssl/Makefile.aarch64
  5. +20
    -0
      bssl/Makefile.native
  6. +1
    -0
      bssl/src
  7. +5
    -0
      common.mk
  8. +48
    -0
      mbedtls/Makefile.aarch64
  9. +13
    -0
      mbedtls/Makefile.native
  10. +2879
    -0
      mbedtls/config_mbedTLS_minimal.h
  11. +1
    -0
      mbedtls/src
  12. +107
    -0
      testapp/Makefile.aarch64
  13. +64
    -0
      testapp/Makefile.native
  14. +24
    -0
      testapp/etc/ca/ca.cert.pem
  15. +8
    -0
      testapp/etc/ecdsa_256.key
  16. +15
    -0
      testapp/etc/ecdsa_256.pem
  17. +30
    -0
      testapp/etc/rsa_2048.key
  18. +19
    -0
      testapp/etc/rsa_2048.pem
  19. +40
    -0
      testapp/etc/rsa_3072.key
  20. +18
    -0
      testapp/etc/rsa_3072.pem
  21. +205
    -0
      testapp/src/b_client.c
  22. +53
    -0
      testapp/src/common.c
  23. +64
    -0
      testapp/src/common.h
  24. +30
    -0
      testapp/src/common_boring.c
  25. +244
    -0
      testapp/src/m_client.c
  26. +264
    -0
      testapp/src/server.c

+ 6
- 0
.gitmodules Zobrazit soubor

@@ -0,0 +1,6 @@
[submodule "bssl/src"]
path = bssl/src
url = https://github.com/google/boringssl.git
[submodule "mbedtls/src"]
path = mbedtls/src
url = https://github.com/ARMmbed/mbedtls.git

+ 278
- 0
APPENDIX.md Zobrazit soubor

@@ -0,0 +1,278 @@
# Additional information

A lot of, mostly useless, details

## Appendix A

Default NDK flags

* CC:
```
--target=aarch64-none-linux-android
-DBORINGSSL_IMPLEMENTATION
-g
-DANDROID
-ffunction-sections
-funwind-tables
-fstack-protector-strong
-no-canonical-prefixes
-Wa,--noexecstack
-Wformat
-Werror=format-security
-Werror
-Wformat=2
-Wsign-compare
-Wmissing-field-initializers
-Wwrite-strings
-Wall
-ggdb
-fvisibility=hidden
-fno-common
-Wnewline-eof
-fcolor-diagnostics
-Wimplicit-fallthrough
-Wmissing-prototypes
-Wold-style-definition
-Wstrict-prototypes
-Wshadow
-D_XOPEN_SOURCE=700
-O2
-DNDEBUG
-fPIC
```

* CPP:
```
-cc1
-triple aarch64-none-linux-android
-emit-obj
-mnoexecstack
-disable-free
-disable-llvm-verifier
-discard-value-names
-mrelocation-model pic
-pic-level 2
-pic-is-pie
-mthread-model posix
-mdisable-fp-elim
-fmath-errno
-masm-verbose
-mconstructor-aliases
-munwind-tables
-fuse-init-array
-target-cpu generic
-target-feature +neon
-target-abi aapcs
-dwarf-column-info
-debug-info-kind=limited
-dwarf-version=4
-debugger-tuning=gdb
-ffunction-sections
-D BORINGSSL_IMPLEMENTATION
-D ANDROID
-D NDEBUG
-O2
-Wformat
-Werror=format-security
-Werror
-Wformat=2
-Wsign-compare
-Wmissing-field-initializers
-Wwrite-strings
-Wall
-Wnewline-eof
-Wimplicit-fallthrough
-Wmissing-declarations
-Wmissing-prototypes
-Wshadow
-std=c++11
-fdeprecated-macro
-fdebug-compilation-dir /home/hdc/repos/mbedtls_vs_boringssl/bssl/src/build/crypto
-ferror-limit 19
-fmessage-length 238
-fvisibility hidden
-femulated-tls
-stack-protector 2
-fallow-half-arguments-and-returns
-fno-rtti
-fno-signed-char
-fobjc-runtime=gcc
-fno-common
-fdiagnostics-show-option
-fcolor-diagnostics
-vectorize-loops
-vectorize-slp
```

## Appendix B

Test platform settings

```
[ro.build.id]: [OPR6.170623.013]
[ro.bootimage.build.date]: [Wed Oct 11 15:46:15 BST 2017]
[ro.bootimage.build.fingerprint]: [Android/hikey/hikey:8.0.0/OPR6.170623.013/110:userdebug/test-keys]
[ro.product.cpu.abi]: [arm64-v8a]
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.product.cpu.abilist64]: [arm64-v8a]
[ro.build.version.sdk]: [26]
[ro.build.version.security_patch]: [2017-08-05]
```

## Appendix C

Performance measures provied by ``bssl speed``:

| Operation | Small | Default |
|-----------|------|---------|
|RSA 2048 signing | (59.5 ops/sec) | (108.1 ops/sec) |
|RSA 2048 verify | (2377.5 ops/sec) | (4078.3 ops/sec) |
|RSA 4096 signing | (8.3 ops/sec) | (14.9 ops/sec) |
|RSA 4096 verify | (668.0 ops/sec) | (1088.4 ops/sec) |
|AES-128-GCM (16 bytes) | (497832.2 ops/sec): 8.0 MB/s | (1690241.1 ops/sec): 27.0 MB/s |
|AES-128-GCM (1350 bytes) | (17675.4 ops/sec): 23.9 MB/s | (291430.3 ops/sec): 393.4 MB/s |
|AES-128-GCM (8192 bytes) | (2991.6 ops/sec): 24.5 MB/s | (57088.8 ops/sec): 467.7 MB/s |
|AES-256-GCM (16 bytes) | (444847.4 ops/sec): 7.1 MB/s | (1615148.8 ops/sec): 25.8 MB/s |
|AES-256-GCM (1350 bytes) | (14792.6 ops/sec): 20.0 MB/s | (254718.5 ops/sec): 343.9 MB/s |
|AES-256-GCM (8192 bytes) | (2525.7 ops/sec): 20.7 MB/s | (49056.6 ops/sec): 401.9 MB/s |
|ChaCha20-Poly1305 (16 bytes) | (385043.6 ops/sec): 6.2 MB/s | (460788.5 ops/sec): 7.4 MB/s |
|ChaCha20-Poly1305 (1350 bytes) | (33108.8 ops/sec): 44.7 MB/s | (67622.8 ops/sec): 91.3 MB/s |
|ChaCha20-Poly1305 (8192 bytes) | (5905.1 ops/sec): 48.4 MB/s | (13219.5 ops/sec): 108.3 MB/s |
|DES-EDE3-CBC-SHA1 (16 bytes) | (100311.5 ops/sec): 1.6 MB/s | (110073.3 ops/sec): 1.8 MB/s |
|DES-EDE3-CBC-SHA1 (1350 bytes) | (3787.2 ops/sec): 5.1 MB/s | (3926.7 ops/sec): 5.3 MB/s |
|DES-EDE3-CBC-SHA1 (8192 bytes) | (638.4 ops/sec): 5.2 MB/s | (661.2 ops/sec): 5.4 MB/s |
|AES-128-CBC-SHA1 (16 bytes) | (268159.9 ops/sec): 4.3 MB/s | (540844.8 ops/sec): 8.7 MB/s |
|AES-128-CBC-SHA1 (1350 bytes) | (22535.6 ops/sec): 30.4 MB/s | (162597.6 ops/sec): 219.5 MB/s |
|AES-128-CBC-SHA1 (8192 bytes) | (3959.9 ops/sec): 32.4 MB/s | (37787.3 ops/sec): 309.6 MB/s |
|AES-256-CBC-SHA1 (16 bytes) | (244904.2 ops/sec): 3.9 MB/s | (524976.9 ops/sec): 8.4 MB/s |
|AES-256-CBC-SHA1 (1350 bytes) | (18272.3 ops/sec): 24.7 MB/s | (141626.7 ops/sec): 191.2 MB/s |
|AES-256-CBC-SHA1 (8192 bytes) | (3181.3 ops/sec): 26.1 MB/s | (31195.9 ops/sec): 255.6 MB/s |
|AES-128-GCM-SIV (16 bytes) | (244929.5 ops/sec): 3.9 MB/s | (776750.7 ops/sec): 12.4 MB/s |
|AES-128-GCM-SIV (1350 bytes) | (14640.5 ops/sec): 19.8 MB/s | (66627.7 ops/sec): 89.9 MB/s |
|AES-128-GCM-SIV (8192 bytes) | (2531.6 ops/sec): 20.7 MB/s | (11850.0 ops/sec): 97.1 MB/s |
|AES-256-GCM-SIV (16 bytes) | (171899.3 ops/sec): 2.8 MB/s | (660748.9 ops/sec): 10.6 MB/s |
|AES-256-GCM-SIV (1350 bytes) | (12489.6 ops/sec): 16.9 MB/s | (61124.5 ops/sec): 82.5 MB/s |
|AES-256-GCM-SIV (8192 bytes) | (2182.7 ops/sec): 17.9 MB/s | (10936.1 ops/sec): 89.6 MB/s |
|AES-128-GCM-SIV (16 bytes) | (239698.0 ops/sec): 3.8 MB/s | (733661.0 ops/sec): 11.7 MB/s |
|AES-128-GCM-SIV (1350 bytes) | (14616.0 ops/sec): 19.7 MB/s | (65984.0 ops/sec): 89.1 MB/s |
|AES-128-GCM-SIV (8192 bytes) | (2529.8 ops/sec): 20.7 MB/s | (11745.7 ops/sec): 96.2 MB/s |
|AES-256-GCM-SIV (16 bytes) | (170826.1 ops/sec): 2.7 MB/s | (626465.6 ops/sec): 10.0 MB/s |
|AES-256-GCM-SIV (1350 bytes) | (12474.8 ops/sec): 16.8 MB/s | (60595.5 ops/sec): 81.8 MB/s |
|AES-256-GCM-SIV (8192 bytes) | (2182.1 ops/sec): 17.9 MB/s | (10841.9 ops/sec): 88.8 MB/s |
|AES-128-CCM-Bluetooth (16 bytes) | (438558.8 ops/sec): 7.0 MB/s | (1405567.1 ops/sec): 22.5 MB/s |
|AES-128-CCM-Bluetooth (1350 bytes) | (14776.5 ops/sec): 19.9 MB/s | (140168.4 ops/sec): 189.2 MB/s |
|AES-128-CCM-Bluetooth (8192 bytes) | (2498.7 ops/sec): 20.5 MB/s | (25890.2 ops/sec): 212.1 MB/s |
|SHA-1 (16 bytes) | (1244563.2 ops/sec): 19.9 MB/s | (2567122.0 ops/sec): 41.1 MB/s |
|SHA-1 (256 bytes) | (341934.0 ops/sec): 87.5 MB/s | (1162590.8 ops/sec): 297.6 MB/s |
|SHA-1 (8192 bytes) | (14574.3 ops/sec): 119.4 MB/s | (66844.3 ops/sec): 547.6 MB/s |
|SHA-256 (16 bytes) | (691326.6 ops/sec): 11.1 MB/s | (2431927.0 ops/sec): 38.9 MB/s |
|SHA-256 (256 bytes) | (166138.9 ops/sec): 42.5 MB/s | (1120621.2 ops/sec): 286.9 MB/s |
|SHA-256 (8192 bytes) | (6824.7 ops/sec): 55.9 MB/s | (63214.7 ops/sec): 517.9 MB/s |
|SHA-512 (16 bytes) | (688007.9 ops/sec): 11.0 MB/s | (729988.3 ops/sec): 11.7 MB/s |
|SHA-512 (256 bytes) | (272146.5 ops/sec): 69.7 MB/s | (289178.7 ops/sec): 74.0 MB/s |
|SHA-512 (8192 bytes) | (14014.7 ops/sec): 114.8 MB/s | (14759.6 ops/sec): 120.9 MB/s |
|RNG (16 bytes) | (137217.4 ops/sec): 2.2 MB/s | (249239.3 ops/sec): 4.0 MB/s |
|RNG (256 bytes) | (69898.9 ops/sec): 17.9 MB/s | (224698.5 ops/sec): 57.5 MB/s |
|RNG (8192 bytes) | (4058.7 ops/sec): 33.2 MB/s | (55705.4 ops/sec): 456.3 MB/s |
|ECDH P-224 operations | (151.0 ops/sec) | (1602.4 ops/sec) |
|ECDH P-256 operations | (594.7 ops/sec) | (642.8 ops/sec) |
|ECDH P-384 operations | (59.0 ops/sec) | (97.4 ops/sec) |
|ECDH P-521 operations | (27.1 ops/sec) | (43.4 ops/sec) |
|ECDSA P-224 signing | (277.8 ops/sec) | (3312.7 ops/sec) |
|ECDSA P-224 verify | (241.2 ops/sec) | (1451.7 ops/sec) |
|ECDSA P-256 signing | (1396.6 ops/sec) | (1738.5 ops/sec) |
|ECDSA P-256 verify | (672.1 ops/sec) | (704.2 ops/sec) |
|ECDSA P-384 signing | (107.0 ops/sec) | (177.6 ops/sec) |
|ECDSA P-384 verify | (94.4 ops/sec) | (156.9 ops/sec) |
|ECDSA P-521 signing | (49.0 ops/sec) | (78.2 ops/sec) |
|ECDSA P-521 verify | (43.8 ops/sec) | (70.8 ops/sec) |

Performance measures provided by ``benchmark``:

| Algo | Small | Normal |
|-------------------------------|----------------------|----------------------|
|MD5 | 131223 KiB/s | 131761 KiB/s |
|RIPEMD160 | 81451 KiB/s | 89899 KiB/s |
|SHA-1 | 104117 KiB/s | 104375 KiB/s |
|SHA-256 | 46809 KiB/s | 52044 KiB/s |
|SHA-512 | 56760 KiB/s | 57648 KiB/s |
|ARC4 | 65014 KiB/s | 65023 KiB/s |
|3DES | 7785 KiB/s | 7885 KiB/s |
|DES | 19071 KiB/s | 19512 KiB/s |
|AES-CBC-128 | 32460 KiB/s | 35995 KiB/s |
|AES-CBC-192 | 28392 KiB/s | 31044 KiB/s |
|AES-CBC-256 | 25213 KiB/s | 27296 KiB/s |
|AES-GCM-128 | 16399 KiB/s | 16398 KiB/s |
|AES-GCM-192 | 15272 KiB/s | 15271 KiB/s |
|AES-GCM-256 | 14287 KiB/s | 14286 KiB/s |
|AES-CCM-128 | 15824 KiB/s | 15887 KiB/s |
|AES-CCM-192 | 13853 KiB/s | 13899 KiB/s |
|AES-CCM-256 | 12315 KiB/s | 12356 KiB/s |
|CAMELLIA-CBC-128 | 19735 KiB/s | 26762 KiB/s |
|CAMELLIA-CBC-192 | 15458 KiB/s | 20839 KiB/s |
|CAMELLIA-CBC-256 | 15459 KiB/s | 20839 KiB/s |
|BLOWFISH-CBC-128 | 25188 KiB/s | 28955 KiB/s |
|BLOWFISH-CBC-192 | 25189 KiB/s | 28954 KiB/s |
|BLOWFISH-CBC-256 | 25183 KiB/s | 28955 KiB/s |
|CTR_DRBG (NOPR) | 27122 KiB/s | 27050 KiB/s |
|CTR_DRBG (PR) | 18397 KiB/s | 19111 KiB/s |
|HMAC_DRBG SHA-1 (NOPR) | 6746 KiB/s | 6968 KiB/s |
|HMAC_DRBG SHA-1 (PR) | 6208 KiB/s | 6426 KiB/s |
|HMAC_DRBG SHA-256 (NOPR) | 5321 KiB/s | 5795 KiB/s |
|HMAC_DRBG SHA-256 (PR) | 4657 KiB/s | 5083 KiB/s |
|RSA-2048 | 652 public/s | 653 public/s |
|RSA-2048 | 17 private/s | 17 private/s |
|RSA-4096 | 168 public/s | 168 public/s |
|RSA-4096 | 3 private/s | 3 private/s |
|DHE-2048 | 3 handshake/s | 3 handshake/s |
|DH-2048 | 5 handshake/s | 6 handshake/s |
|DHE-3072 | 1 handshake/s | 1 handshake/s |
|DH-3072 | 2 handshake/s | 2 handshake/s |
|ECDSA-secp521r1 | 70 sign/s | 74 sign/s |
|ECDSA-brainpoolP512r1 | 8 sign/s | 9 sign/s |
|ECDSA-secp384r1 | 126 sign/s | 133 sign/s |
|ECDSA-brainpoolP384r1 | 16 sign/s | 18 sign/s |
|ECDSA-secp256r1 | 189 sign/s | 195 sign/s |
|ECDSA-secp256k1 | 176 sign/s | 189 sign/s |
|ECDSA-brainpoolP256r1 | 27 sign/s | 31 sign/s |
|ECDSA-secp224r1 | 277 sign/s | 291 sign/s |
|ECDSA-secp224k1 | 216 sign/s | 230 sign/s |
|ECDSA-secp192r1 | 329 sign/s | 352 sign/s |
|ECDSA-secp192k1 | 264 sign/s | 277 sign/s |
|ECDSA-secp521r1 | 19 verify/s | 21 verify/s |
|ECDSA-brainpoolP512r1 | 2 verify/s | 2 verify/s |
|ECDSA-secp384r1 | 35 verify/s | 36 verify/s |
|ECDSA-brainpoolP384r1 | 4 verify/s | 4 verify/s |
|ECDSA-secp256r1 | 54 verify/s | 57 verify/s |
|ECDSA-secp256k1 | 53 verify/s | 57 verify/s |
|ECDSA-brainpoolP256r1 | 7 verify/s | 8 verify/s |
|ECDSA-secp224r1 | 82 verify/s | 86 verify/s |
|ECDSA-secp224k1 | 63 verify/s | 67 verify/s |
|ECDSA-secp192r1 | 102 verify/s | 110 verify/s |
|ECDSA-secp192k1 | 77 verify/s | 82 verify/s |
|ECDHE-secp521r1 | 20 handshake/s | 21 handshake/s |
|ECDHE-brainpoolP512r1 | 2 handshake/s | 2 handshake/s |
|ECDHE-secp384r1 | 37 handshake/s | 39 handshake/s |
|ECDHE-brainpoolP384r1 | 4 handshake/s | 4 handshake/s |
|ECDHE-secp256r1 | 57 handshake/s | 60 handshake/s |
|ECDHE-secp256k1 | 56 handshake/s | 60 handshake/s |
|ECDHE-brainpoolP256r1 | 7 handshake/s | 8 handshake/s |
|ECDHE-secp224r1 | 89 handshake/s | 92 handshake/s |
|ECDHE-secp224k1 | 67 handshake/s | 71 handshake/s |
|ECDHE-secp192r1 | 111 handshake/s | 118 handshake/s |
|ECDHE-secp192k1 | 83 handshake/s | 87 handshake/s |
|ECDHE-Curve25519 | 41 handshake/s | 41 handshake/s |
|ECDH-secp521r1 | 27 handshake/s | 28 handshake/s |
|ECDH-brainpoolP512r1 | 3 handshake/s | 3 handshake/s |
|ECDH-secp384r1 | 49 handshake/s | 51 handshake/s |
|ECDH-brainpoolP384r1 | 5 handshake/s | 5 handshake/s |
|ECDH-secp256r1 | 77 handshake/s | 81 handshake/s |
|ECDH-secp256k1 | 78 handshake/s | 82 handshake/s |
|ECDH-brainpoolP256r1 | 9 handshake/s | 11 handshake/s |
|ECDH-secp224r1 | 121 handshake/s | 126 handshake/s |
|ECDH-secp224k1 | 91 handshake/s | 97 handshake/s |
|ECDH-secp192r1 | 150 handshake/s | 159 handshake/s |
|ECDH-secp192k1 | 113 handshake/s | 120 handshake/s |
|ECDH-Curve25519 | 80 handshake/s | 82 handshake/s |


+ 60
- 0
README.md Zobrazit soubor

@@ -0,0 +1,60 @@
# Test app

It's a implementation of simple C-based test application, which compiles and links against library under test and run on ARMv8 platform running Android operating system. The app is composed of client and server. As we are only interested in client side of the TLS end, we fix the server to always use same library (it's based on ``BoringSSL``). Server is configured to support only TLSv1.2 (as 1.3 is not supported by ``mbedTLS``, yet [OZAPTF]). It's always run with an argument which specifies cetificate type to be used (RSA, ECDSA or EdDSA based). Once run it always enforces same cipher suite to be used - for example in case of RSA it will be ECDHE key agreement with RSA signature and AES/256 in GCM AEAD mode.

Client application is the one which we want to benchmark. We have implemented one which uses ``mbedTLS`` API and links with this library and similar one for ``BoringSSL``. Client always establishes TCP connection in blocking mode (simplicity). It implements 3 different tests:

* **Handshake** : during this test client opens TCP connection and performs many handshake without closing the connection. Performance of this test highly depends on key type used for certificate signing and symmetric key agreement algorithm (as well as elliptic curve used), hence this test is performed multiple times, once for each certificate type
* **Write**: clients opens TCP connection and sends few hundred megabytes of data. This test is done mostly to assess performance of symmetric encryption
* **Read**: clients opens TCP connection and sends a request to the server which sends back few hundred megabytes of data. This test is done mostly to assess performance of symmetric decryption

## Compilation
In order to compile an app one needs to have Android NDK already installed. After cloning, location of the NDK needs be specified in [``common.mk``](https://git.amongbytes.com/playground/tls_comparision/blob/master/common.mk). Then, execute following commands in the app directory.

```
git submodule init
git submodule update

cd bssl; make -f Makefile.aarch64
cd mbedtls; make -f Makefile.aarch64
cd testapp; make -f Makefile.aarch64
```

Output of an execution is set of binaries for ARMv8 that run on Android:
* BoringSSL
* MbedTLS
* Testing application
- ``server``: BoringSSL based test server
- ``b_client``: BoringSSL based client
- ``m_client``: mbedTLS based client

## Pushing tests to target

Execute following target to push needed binaries and all needed files (certificates):
```
cd testapp; make -f Makefile.aarch64 push
```

### Server
Tests always use ``BoringSSL``-based server. Following command will start server which will accept only ECDSA certificate. Server always supports only 1 cipher suite (for example - in case of RSA it supports only ``TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`` ). It's done deliberatelly in order to make sure that when client connects to serwer it always uses same cipher, so that comparision between different clients is accurate.

```
./server ECDSA_256
```

### Client
There are two clients called ``m_client`` and ``b_client``, respectively, mbedTLS-based and BoringSSL-based. Client application connects to the server app and initiates a test. Once test is over, both client and server will exit. Client application can be started in following way:

Example of ``mbedTLS`` test execution:

```
./m_client test_Handshake
```

Example of ``BoringSSL`` test execution:

```
./b_client test_Handshake
```

The structure of both clients is being kept as similar as possible.

+ 29
- 0
bssl/Makefile.aarch64 Zobrazit soubor

@@ -0,0 +1,29 @@
include ../common.mk

BUILD_DIR = src/build
MAKE = cmake --build .

all: prepare build

clean:
rm -rf $(BUILD_DIR)

prepare: clean
rm -rf $(BUILD_DIR)
mkdir -p $(BUILD_DIR)
cd $(BUILD_DIR); \
cmake \
-DANDROID_TOOLCHAIN_NAME=aarch64-linux-android-clang5.0 \
-DCMAKE_TOOLCHAIN_FILE=${ANDROID_NDK}/build/cmake/android.toolchain.cmake \
-DANDROID_NATIVE_API_LEVEL=$(NDK_TARGETVER) \
-DCMAKE_BUILD_TYPE=Release \
-DANDROID_ABI=arm64-v8a \
-DOPENSSL_SMALL=1 \
-DCMAKE_C_FLAGS_RELEASE="-Os -fdata-sections" \
-DCMAKE_CXX_FLAGS_RELEASE="-Os -fdata-sections" \
-DCMAKE_EXE_LINKER_FLAGS="-Wl,--gc-sections" \
..
build:
cd $(BUILD_DIR); \
$(MAKE)
python ../print_bssl_size.py " -fdata-sections (+)"

+ 20
- 0
bssl/Makefile.native Zobrazit soubor

@@ -0,0 +1,20 @@
include ../common.mk

BUILD_DIR = src/build
MAKE = cmake --build .

all: prepare build

prepare:
rm -rf $(BUILD_DIR)
mkdir -p $(BUILD_DIR)
cd $(BUILD_DIR); \
cmake -DCMAKE_BUILD_TYPE=Release \
-DOPENSSL_SMALL=1 \
-DCMAKE_C_FLAGS_RELEASE="-Os -fdata-sections" \
-DCMAKE_CXX_FLAGS_RELEASE="-Os -fdata-sections" \
..
build:
cd $(BUILD_DIR); \
$(MAKE)
python ~/print_bssl_size.py " -fdata-sections (+)"

+ 1
- 0
bssl/src

@@ -0,0 +1 @@
Subproject commit eb7c3008cc85c9cfedca7690f147f5773483f941

+ 5
- 0
common.mk Zobrazit soubor

@@ -0,0 +1,5 @@
# Constants and makefile shit used in build
mkfile_path = $(abspath $(lastword $(MAKEFILE_LIST)))
current_dir = $(notdir $(patsubst %/,%,$(dir $(mkfile_path))))
ANDROID_NDK = /home/hdc/android-ndk-r16b
NDK_TARGETVER = 27

+ 48
- 0
mbedtls/Makefile.aarch64 Zobrazit soubor

@@ -0,0 +1,48 @@
include ../common.mk

## NDK configuration.
NDK = $(ANDROID_NDK)
NDK_TARGETARCH = aarch64-linux-android
NDK_TARGETSHORTARCH = arm64
NDK_TOOLVER = 4.9
NDK_HOSTARCH = linux-x86_64
NDK_TOOLS = $(NDK)/toolchains/llvm/prebuilt/$(NDK_HOSTARCH)/bin
NDK_SYSROOT = $(NDK)/sysroot
NDK_TOOL = $(NDK_TOOLS)/clang
NDK_LIBS = $(NDK)/toolchains/$(NDK_TARGETARCH)-$(NDK_TOOLVER)/prebuilt/linux-x86_64/lib/gcc/$(NDK_TARGETARCH)/4.9.x
NDK_INCLUDES = -I$(NDK)/sysroot/usr/include -I$(NDK)/sysroot/usr/include/$(NDK_TARGETARCH)
NDK_SYSROOT = $(NDK)/platforms/android-$(NDK_TARGETVER)/arch-$(NDK_TARGETSHORTARCH)

OPT = -std=c99 -Os \
-fdata-sections \
-ffunction-sections \
-fPIE \
-Wall \
-target $(NDK_TARGETARCH)

CFLAGS = $(OPT) \
$(NDK_INCLUDES) \
-D__ANDROID_API__=$(NDK_TARGETVER) \
-D_SOCKLEN_T_DECLARED

LDFLAGS = $(OPT) \
-pie \
-Wl,--gc-sections \
--sysroot=$(NDK_SYSROOT) \
-B $(ANDROID_NDK)/toolchains/$(NDK_TARGETARCH)-$(NDK_TOOLVER)/prebuilt/linux-x86_64/$(NDK_TARGETARCH)/bin \
-L$(NDK_LIBS)

all:
CC=$(NDK_TOOL) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" make -C src

clean:
make -C src clean

push:
adb root
adb remount
adb shell "rm -rf /data/app/mbedtls/*"
adb shell "mkdir -p /data/app/mbedtls"
adb push src/programs/ssl/ssl_client1 /data/app/mbedtls/
adb push src/programs/ssl/ssl_server /data/app/mbedtls/
adb push src/programs/test/benchmark /data/app/mbedtls/

+ 13
- 0
mbedtls/Makefile.native Zobrazit soubor

@@ -0,0 +1,13 @@
include ../common.mk

OPT = -D_SOCKLEN_T_DECLARED -Os -fdata-sections

CFLAGS = $(OPT)
LDFLAGS =

all:
CC=gcc CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" make -C src

clean:
make -C src clean


+ 2879
- 0
mbedtls/config_mbedTLS_minimal.h
Diff nebyl zobrazen, protože je příliš veliký
Zobrazit soubor


+ 1
- 0
mbedtls/src

@@ -0,0 +1 @@
Subproject commit 4ca9a457561fc774ca54898a72754bf53d60dba2

+ 107
- 0
testapp/Makefile.aarch64 Zobrazit soubor

@@ -0,0 +1,107 @@
include ../common.mk

DBG ?= 0
SRCDIR = src
OBJDIR = obj
BORINGSSL_DIR = ../bssl/src
MBEDTLS_DIR = ../mbedtls/src

## Debug/Release configuration
ifeq ($(DBG),1)
DEBUG = -DDEBUG -g -O0
RELEASE =
STRIP = true
else
DEBUG =
RELEASE = -Os -fdata-sections -ffunction-sections
STRIP = $(NDK)/toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/aarch64-linux-android/bin/strip
endif

## NDK configuration.
NDK = $(ANDROID_NDK)
NDK_TARGETARCH = aarch64-linux-android
NDK_TARGETSHORTARCH = arm64
NDK_TOOLVER = 4.9
NDK_HOSTARCH = linux-x86_64
NDK_TOOLS = $(NDK)/toolchains/llvm/prebuilt/$(NDK_HOSTARCH)/bin
NDK_SYSROOT = $(NDK)/sysroot
NDK_TOOL = $(NDK_TOOLS)/clang
NDK_LIBS = $(NDK)/toolchains/$(NDK_TARGETARCH)-$(NDK_TOOLVER)/prebuilt/linux-x86_64/lib/gcc/$(NDK_TARGETARCH)/4.9.x
NDK_INCLUDES = -I$(NDK)/sysroot/usr/include \
-I$(NDK)/sysroot/usr/include/$(NDK_TARGETARCH)
NDK_SYSROOT = $(NDK)/platforms/android-$(NDK_TARGETVER)/arch-$(NDK_TARGETSHORTARCH)

OPT = $(DEBUG) \
$(RELEASE) \
-std=c99 \
-fPIE \
-Wall \
-target $(NDK_TARGETARCH)
CFLAGS = $(OPT) \
$(NDK_INCLUDES)
CFLAGS_BORINGSSL = $(CFLAGS) \
-I$(BORINGSSL_DIR) -I$(BORINGSSL_DIR)/include
CFLAGS_MBEDTLS = $(CFLAGS) \
-I$(MBEDTLS_DIR)/include
LDFLAGS = $(OPT) \
$(DEBUG) $(RELEASE) \
-pie \
--sysroot=$(NDK_SYSROOT) \
-B $(ANDROID_NDK)/toolchains/$(NDK_TARGETARCH)-$(NDK_TOOLVER)/prebuilt/linux-x86_64/$(NDK_TARGETARCH)/bin \
-L$(NDK_LIBS) \
-Wl,--gc-sections

LDFLAGS_BORINGSSL = $(LDFLAGS) \
-L$(BORINGSSL_DIR)/build/crypto -L$(BORINGSSL_DIR)/build/ssl \
-lssl -lcrypto

LDFLAGS_MBEDTLS = $(LDFLAGS) \
-L$(MBEDTLS_DIR)/library -lmbedx509 -lmbedtls -lmbedcrypto

.PHONY: print_boring_ld print_mbed_ld

all: init b_client m_client server

init:
mkdir -p $(OBJDIR)
# Create 1MB file with random data
dd if=/dev/urandom of=etc/random_data bs=1024 count=1024

clean:
rm -rf $(OBJDIR)
rm -rf b_client
rm -rf m_client
rm -rf server

b_client: common
$(NDK_TOOL) -c $(SRCDIR)/b_client.c -o $(OBJDIR)/b_client.o $(CFLAGS_BORINGSSL)
$(NDK_TOOL) -o b_client $(OBJDIR)/b_client.o $(OBJDIR)/common.o $(OBJDIR)/common_boring.o $(LDFLAGS_BORINGSSL)
$(STRIP) -s b_client

m_client: common
$(NDK_TOOL) -c $(SRCDIR)/m_client.c -o $(OBJDIR)/m_client.o $(CFLAGS_MBEDTLS)
$(NDK_TOOL) -o m_client $(OBJDIR)/m_client.o $(OBJDIR)/common.o $(LDFLAGS_MBEDTLS)
$(STRIP) -s m_client

server: common
$(NDK_TOOL) -c $(SRCDIR)/server.c -o $(OBJDIR)/server.o $(CFLAGS_BORINGSSL)
$(NDK_TOOL) -o server $(OBJDIR)/server.o $(OBJDIR)/common.o $(OBJDIR)/common_boring.o $(LDFLAGS_BORINGSSL)
$(STRIP) -s server

common:
$(NDK_TOOL) -c $(SRCDIR)/common.c -o $(OBJDIR)/common.o $(CFLAGS)
$(NDK_TOOL) -c $(SRCDIR)/common_boring.c -o $(OBJDIR)/common_boring.o $(CFLAGS_BORINGSSL)

adb-prepare:
adb root
adb remount
adb shell rm -rf /data/app/test_space/*
adb shell mkdir -p /data/app/test_space/etc
# Need to reset date to 10th of April this year, otherwise, cert verification fails
adb shell "toybox date 041910002018"

push: adb-prepare
adb push b_client /data/app/test_space/
adb push m_client /data/app/test_space/
adb push server /data/app/test_space/
adb push etc/* /data/app/test_space/etc/

+ 64
- 0
testapp/Makefile.native Zobrazit soubor

@@ -0,0 +1,64 @@
BORINGSSL_DIR=/home/hdc/repos/mbedtls_vs_boringssl/bssl/src
BORINGSSL_LIB=$(BORINGSSL_DIR)/build
MBEDTLS_DIR=/home/hdc/repos/mbedtls_vs_boringssl/mbedtls/src
MBEDTLS_LIB=$(MBEDTLS_DIR)/build

DBG?=0

ifeq ($(DBG),1)
DEBUG=-DDEBUG -g -O0
STRIP=true
else
DEBUG=-Os -fdata-sections -ffunction-sections
STRIP=strip
endif

CC=clang

CFLAGS_COMMON=-std=c99 $(DEBUG)
BORINGSSL_CFLAGS=$(CFLAGS_COMMON) -I$(BORINGSSL_DIR)/ -I$(BORINGSSL_DIR)/include
BORINGSSL_LDFLAGS=-L$(BORINGSSL_LIB)/crypto -L$(BORINGSSL_LIB)/ssl -lssl -lcrypto -lpthread
MBEDTLS_CFLAGS=$(CFLAGS_COMMON) -I$(MBEDTLS_DIR)/include
MBEDTLS_LDFLAGS=-L$(MBEDTLS_DIR)/library -lmbedx509 -lmbedtls -lmbedcrypto
SRCDIR=src
OBJDIR=obj

.PHONY: print_boring_ld print_mbed_ld

all: init server b_client m_client

init:
mkdir -p obj
# Create 1MB file with random data
dd if=/dev/urandom of=etc/random_data bs=1024 count=1024

clean:
rm -rf $(OBJDIR)
rm b_client
rm m_client
rm server

b_client: common
$(CC) -c $(SRCDIR)/b_client.c -o $(OBJDIR)/b_client.o $(BORINGSSL_CFLAGS)
$(CC) -o b_client $(OBJDIR)/b_client.o $(OBJDIR)/common.o $(OBJDIR)/common_boring.o $(BORINGSSL_LDFLAGS)
$(STRIP) b_client

m_client: common
$(CC) -c $(SRCDIR)/m_client.c -o $(OBJDIR)/m_client.o $(MBEDTLS_CFLAGS)
$(CC) -o m_client $(OBJDIR)/m_client.o $(OBJDIR)/common.o $(MBEDTLS_LDFLAGS)
$(STRIP) m_client

server: common
$(CC) -c $(SRCDIR)/server.c -o $(OBJDIR)/server.o $(BORINGSSL_CFLAGS)
$(CC) -o server $(OBJDIR)/server.o $(OBJDIR)/common.o $(OBJDIR)/common_boring.o $(BORINGSSL_LDFLAGS)
$(STRIP) server

common:
$(CC) -c $(SRCDIR)/common.c -o $(OBJDIR)/common.o
$(CC) -c $(SRCDIR)/common_boring.c -o $(OBJDIR)/common_boring.o $(BORINGSSL_CFLAGS)

print_boring_ld:
@echo $(BORINGSSL_LIB)/crypto:$(BORINGSSL_LIB)/ssl
print_mbed_ld:
@echo $(MBEDTLS_LIB)/crypto:$(MBEDTLS_LIB)/ssl


+ 24
- 0
testapp/etc/ca/ca.cert.pem Zobrazit soubor

@@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----
MIID8jCCAtqgAwIBAgIJALuIdyUDX1d+MA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJGUjENMAsGA1UECAwEUEFDQTEXMBUGA1UEBwwOQ2FnbmVzIHN1ciBNZXIx
JjAkBgNVBAsMHURvbWFpbiBDb250cm9sIFZhbGlkYXRlZCBTQVJMMSYwJAYDVQQD
DB1Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgU0FSTDAeFw0xODA0MDkxNjMxMDVa
Fw00NTA4MjUxNjMxMDVaMIGFMQswCQYDVQQGEwJGUjENMAsGA1UECAwEUEFDQTEX
MBUGA1UEBwwOQ2FnbmVzIHN1ciBNZXIxJjAkBgNVBAsMHURvbWFpbiBDb250cm9s
IFZhbGlkYXRlZCBTQVJMMSYwJAYDVQQDDB1Eb21haW4gQ29udHJvbCBWYWxpZGF0
ZWQgU0FSTDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALBjh23Spt4I
AvaFLNL9LXDngLy6OyJbqPYNOEfn9vdvzcCJZbBDhD1HNoIuJux340wcio5TZajX
sJCIUl/n+e+8BGwxzZvp3qM2e/Rs94roZjlUWHMaX/a8Q7MvrR9XWM1SaEp2fHa9
nBgdfSo+BvvILq8lZU7vO+xw7Yjtx0YNk1v3IAMoQyrfaeZcb9uE1tuAj0oPwmEp
CWqGVkQEIJ6MJBbA+6SW6yi/5h3s0mbc7hdcmLr+vSv5Bkg8qOaPwh0ffuTCMuGq
8q9en4WSW/mnbDZpPdGZwp4Ub7po4Zp9dVQoD7Skf9chz26+pivmIfUB1Xwr48b2
gFfbZcwDsFsCAwEAAaNjMGEwHQYDVR0OBBYEFPSjEiJgM3NjauAc0lzUrgExAgvg
MB8GA1UdIwQYMBaAFPSjEiJgM3NjauAc0lzUrgExAgvgMA8GA1UdEwEB/wQFMAMB
Af8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAQALRSOq1IwOMG
qZeXvNmd+jGomDH4IDV+s+agGWWneVzRJzP1qSxvrG5BgyP+STzvxEJBgGfCZKHw
qW2HH2bt3vU0KhF90zthmLlZSphuF3XTBUyWfhmUgxuSWxgScBLHrk2vwQv55Mxn
N88DPwYfRLjJUfEIDhzgNRsrVP1mbP0tmXjfmuQzE9Ht8L3fqJ+Tfk/eHdJIOkeM
YRYSOT6oa7g49Vi6ONE7m+BqCDS7D+2p6t6Zb/1lEI82TvmbUq7gd9xHCROFmhis
gBKsJxp0aVI5pB9mLqnluB21c4sVqt6si8sWcJjtTCmojp192aSxB3A6hVI0P8qY
7iJBFwa1
-----END CERTIFICATE-----

+ 8
- 0
testapp/etc/ecdsa_256.key Zobrazit soubor

@@ -0,0 +1,8 @@
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIF8KXjVrcF0u+J3dDxrOPHr3/xQlxwpZowwdDxiM72iUoAoGCCqGSM49
AwEHoUQDQgAE7HJPLOV22gIiLMIR1btCTDQMbtwwWqhuErrk2r4+p3Oino2fSDBm
9T76CNfnLjmUue1qoLj144aK86GB0rGy4A==
-----END EC PRIVATE KEY-----

+ 15
- 0
testapp/etc/ecdsa_256.pem Zobrazit soubor

@@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICTTCCATUCCQD7FNAespFtBDANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
RlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSYwJAYD
VQQLDB1Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgU0FSTDEmMCQGA1UEAwwdRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkIFNBUkwwHhcNMTgwNDA5MjAxMTEwWhcNNDUw
ODI0MjAxMTEwWjAWMRQwEgYDVQQDDAt3d3cuZG12LmNvbTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABOxyTyzldtoCIizCEdW7Qkw0DG7cMFqobhK65Nq+Pqdzop6N
n0gwZvU++gjX5y45lLntaqC49eOGivOhgdKxsuAwDQYJKoZIhvcNAQELBQADggEB
ADEx+x0XXiTyBjEi5wVFEx/36tD4TMck5GLzyWFBPMgY5rVk0/scyYslqikF7j/M
OY/Z+3WG/Wx0OqH+inA+aYb2xg6qLd4JR9eIRU7luSKyFDRCK3BYcpPYa9DQKVim
Q4jA17rLRKqLLSDWUr0VO+YaXk9EqpkjjEeo3Dn1xIKtwwqvEocFUWlc1MPUrfgX
OpPP4fSyqPcE0I75vWsznGyrYax9k7fAFV/UdC2p/jQPs+lVVesml2DJA9IjEdpJ
1HOKpzjPXrPkCixoXqjM0HZRLuCNUb1sl8bWvpCQ6xTtDH0mkt8yHO6HeqKLpgpZ
2O99VHKVMmEzsFOyE+4khVM=
-----END CERTIFICATE-----

+ 30
- 0
testapp/etc/rsa_2048.key Zobrazit soubor

@@ -0,0 +1,30 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,298AA9B5B7606E863BB9183F689D9346

VvURRUrBBi/AlUA4AlFUKm+aVzvnG4TQrhHKTV3nFGOHeqB+Sua+3R+e6svyiY+p
d0VaZtlpS2mE7lxPqy0+VOarCYYkJOF2juGVMwFzEG8lkoEUyC8qyOobaRj4OCcb
PgIk9b3i5Lv2PBLTpC4lxo6FrUykKXqLKeg0Lp4EEfFRGOKQB5CQBDeGOA1oBeqt
cwRxXP8k3KPiIs+P+Lswk5qLD4gTtlf8ycQmJuCDFUQ3ARgRvngqFvu/44fm5Ztv
6fBvAQvoHXJ9I+HuJAJcT1wGn9itZYFRMXyA2pf1Q2WHpxm1ZS7AiZrn5nyqPpnV
aoBlwR7D0OxyoRumSHA3Y4YheN+uId27Gg12AWUalDcFes3DD2DZOkSQrzsIT0X3
EifJSSnuOTLe8w+SSvUVIMxkW5CRE0uOi/wuZHTpRN0ZxsvmeL+EHQmqtAOcjS5g
RPMidMdSGfCnqC0N2EAalUU2BsIGRgG5yvmG5ZIqu0Bm6WIIX1T34HS8HUhDqgRX
jOi8Ch7J/6xMZcxSeqRvdss96s6SzehqpG3kW7EsualJqWwmAGF0oJOxX6LupIRd
0GacwZv+NcWPYKL9oDNINPrU8hvobhaSeLvK8Gum8DK4TTd0evng6LYvkgejIcRF
pzfC+ONTiHZO4ayxleJVFAdph2LY3itO/TKD6KBLq0vnd+HvOKPWq0s0zDtQ/mSF
PMEwZ0DvYq5mtko5MOIqlIJKXS+p+jmzAhIZzqPt57HoyZjuRKTKkvlTeOoY7cax
UDGJffDrnagbP3R12i+bm7Bmz7aQQktuwhV7/SrEnJDM2PLDOYuWnGV5v/Cb+L/7
gGMFs9PTro8p4OkCLcpyGS/FoA7J5B1JixhUJ4tSEzEkTBSYz5WCi7NqrRZ9nnDf
drYBNpMHlK4DNRe9qhusdRPrbd9srDH8g74QQgzWorYx0TqBUS45NLyyUZPydFxJ
vAT1lmdWo7DhhnqSkPAcrwKdakDIravzvw0Ex+iEzAPSaflDvVybu6Gf8r6FrFIR
SrR2pT4EztvPViaS9KZHZ0PQYKporwsWM1ZLyGX2qi3d5+YFijE3IT67rSLuEBMO
/RFY0OCHbmKNrOiCaXk51+04hXg8ptjAxD8YCFpOzaDlSW2LX9D2QAfghoArZVTb
OHThemZ4zIvamGkZLQB44nuvduIRGBA2LiQ0YiH4FhuJCP7zTCtCqQu4Wnn6J4tb
YCEtm9ntFSGGCipErqqENPTBhxz6exO8emd2/y0INY4d9xJYjfhqCrKShpeF+/Lf
6pJ3Pj9qA3D8wWcizER5N4R1fzmhTOSCxinC6OVJOzdk76M6gi+bD5RV8HD60TyG
VEmTusA8lrLlKSYiE+4VFYBJjBSCopybJAaNsKXaYM3hwaPTPJwsgPWxwQ5m/vPT
7dvkPOnhqwQ7DEvr2y3AgEUJxXxtsNwQEiKgMuRxNIQNE5mp68dJ5hMFnbJUPvvo
80IsUH11LLDQJV60aLLF8M37BFvNPUayaS+oP78UwRMbnpC92nuHNgvGfdXFKhV3
/8z6lNYPlMGgBwdCD6NBXpXHkp7rxOAGvHx5eUocjgXfF2b8zSXyN/9egK9sfMZZ
-----END RSA PRIVATE KEY-----

+ 19
- 0
testapp/etc/rsa_2048.pem Zobrazit soubor

@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDGDCCAgACCQD7FNAespFtAjANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
RlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSYwJAYD
VQQLDB1Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgU0FSTDEmMCQGA1UEAwwdRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkIFNBUkwwHhcNMTgwNDA5MTYzMjEwWhcNNDUw
ODI0MTYzMjEwWjAWMRQwEgYDVQQDDAt3d3cuZG12LmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANDw1tIr4IHqfivyIBMn4MPRaPQFxOZPIRaIOo85
4gaeHD11tLbxIh++lzfxk//ubC5a5K/PUDsVhLupTQVNKklcg4eRymZROkXoqgRg
+ibEH5IYRu64aVlhQe4lGiK/Z8njUtq31zeyn2RaYWW/4uq/wmOKB/qVinARISKf
lvTjtSN5cBg55tyDV5Cb7GgpSBXVGc8J4WKU6BAn43FTqgj8XkVvGYR3C/X5ZR/+
3xXVqe/VwLHyYNe61ySYRmymdoXJnJE7l0+MJhcpvepzEZ1pCULomNbHcxGfSZnc
XsajvNKp/Y+cjC/IYmzkpTHgHhUEVs1rAdotNr0j5vRS/iECAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAXjyhGLvT1waoYofYhkN3xmrkDxtM8HmG/xGad1vhkx6Qi2M/
kdX/UlEMwlkh1Of20iJVcMmTPleiOcIO2cE8F0BQ4wIGN3PGw8guxa11ToyyMarg
cWNUWdA4gwYvMQv6tceUtsJUjNp0O6JW563jejVaiqBHhG50riJ2wfzqgMItjZY0
/TLVRQbEJ+NGeYZJ9/jL5xmHxoL8ROQ3RXtZjxU6Jr0pe3Y7XKT27QE3007EkCYb
XG7K1U/rbixqfphXys677gjJ8xXChunjNqCijNk2xjHmu2MakspSqIB86oB50oLj
Pu+AVI/SGD1qlJBC9qlgDoUkm9VI9mTIKJzALg==
-----END CERTIFICATE-----

+ 40
- 0
testapp/etc/rsa_3072.key Zobrazit soubor

@@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----
MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDChoUsywwSGecu
aHGGNMY8PrvM7nPjXpFXD0MK1OG0Yf3eV/QqRC3ahS7SICUvhRTiDzClez45NOKx
YpH1C0u/M/DvojFgrGJlKVvO0vdckxlWCyK6DVKiwBP7ySkXjy+TuRuIZ4kxHzWC
AEldbgPHlIGPxvhU4dAHXHcdHGdAgHL+7AhZh32acIDq3pkla3PQAawKcl/72l7v
PXju594jWZkzrqPjXKpJ2GRX8q5XFoMNUe3hDR1Fk4aij7Y2k5aWmkD3WVGHti9K
Zdjua2CYIp1+BUZ205wxOiWHlshpXzs73Exj2uv9OM/fcVliy5T+uR87a6KoIq+7
vrU642yWCWOx3pzhvfgBANCnJRWXCq4CPAyImNUaapgnrM9TIWRyBmtD7/qsfQ0b
DKJItf+p4Zzx1QatLKFG8qaaoP+6liQQaYFRP/v+cXM7c9LaU7elKI3yyClLSUoV
rg6vp/xUsIcaYjUP2j+3VMv54Dy18eWt2FkmRB1ompSp+g6XoI8CAQMCggGBAIGv
A3MyCAwRRMma9ll4hCgp0oie9+zptjoKLLHjQSLr/pQ6osbYHpGuHzbAGMpYuJa0
yxj81CYjQcuXC/iyMn939fUWy5XIQZjGPTSMpOhiEOQHbHwI4cHVYqfbcLpfdQ0m
ElrvsMtqI6wAMOj0AoUNq7UvUDiWiq+S+hNoRNWq91SdWuZaU7xLAJyUZhjyTTVW
crGhlVKRlJ9+UJ9FPsI7u3fJwpeTHDE67Y/3HuS5rLOL8+teE4O3rxcKeXm3uI/h
4O6rL2hwJDWSZ0LDnCCRpPQQwjlh6/xg57+R7Fgn8UW9u6dtyuNTHHpR+iiouE+Y
7unzF5SC/ipQDFUYHmNiygGZL6KMy1H5NlosQiQZ/BY7A6UsNnySa6XwZu1/HTMt
6pEtFbiXs3XaR6aA9Ervjt6OEHTldQ5/mBc2A6cvtvLB/wa74fkX5vhA2ruapTWr
T501rYPTKhUKxmyaSe0U7qZ4rLcgOpxKbr/Rh6fkoXfgBOov5supefCRPeCsuwKB
wQDpmuped2B80mnSchyL3KG/x5GFxSfALgnWGYovzHLHPxJQGLrSa841N4j+Qggb
4n/r4e93+L1Ps++9Zl4A9HFQ+F0oKE+j18mB6LEkvFCqhIRC29mJcQyfNbchFqhl
Ph+6XE/Ul8p5UdF2gZfNyQoJ5TGnWPEusxwD8T3IY5helGd6i8SY6FztIzlsNv/p
hZ/9YjHjP9ngmGruXjgQBb1NFKuELbGE2gMw60faiKbPmJVHtotVwauS8OA+67jH
w30CgcEA1SyFMuEp7juPJ5ghfmlUp4CUiib7YJKwYI8/uG9zHeQ/Ayb4FkptcwSc
KbRaCewAm3HJZIZB+apCvuBEukrNr/zXh1CFyhL9hCJN+yZhtl8vngeth2V2wFk/
ja2MiaSY6uU7lZSPnkeuc8OfASuHL5UU/Kb8zyFVrUIEr2xh4ToqKbq+Lj3MG6pf
WtuK12Yf10Vko7fLJPQgB7+s/LrQI/x1nH+AeE/km/nd/51KaoJeMlHGcTqXpCt9
gjR4/tn7AoHBAJu8nD76QFM28Tb2vbKTFn/aYQPYxSrJW+QRBsqITITUtuAQfIxH
3s4lBf7WsBKW//KWn6VQfjUin9OZlACi9jX66MVwNRflMQFFy23S4HGtrYHn5lug
sxTOehYPGu4panw9io26hvuL4PmruokwsVvuIRo7S3R3aAKg09rtED8NmlGygxCa
6J4Xe515//EDv/5Bdpd/5pW68fQ+0AqufjNjHQLJIQM8AiCc2pGwbzUQY4UkXOPW
cmH16tSdJdqCUwKBwQCOHa4h63FJfQoaZWupm43FAGMGxKeVtyBAX3/QSky+mCoC
Gfq5hvOiAxLGeDwGnVW89oZDBCv7xtcp6th8Md51UzpaNa6Gt1OtbDP8xEEkP3UU
BR5aQ6SAO3+zyQhbwxCcmNJjuF++2nRNLRSrclofuLiob1M0wOPI1q3KSEFA0XFx
Jyl0KTK9HD+R57Hk7r/k2O3Ceodt+BVaf8iofIrCqE5oVQBQNUMSppP/vjGcVul2
4S72Jw/Cx6kBeFCp5qcCgcBF+fb8F59HYjZJAjV4Qv2obehNvcb7swHMOYTLBkBq
j9cnVysTQ9lc6vwB5Vh4rzwOSmJRKPvv6+1oinImwtzZFLuggunkXxmrPLiRcF82
Gj7RL62D6msMbNo0vMXmXa20D/M3lATSuWuOsBz1BAfFrkO/kwAz02s9dleOidX3
YkuSiPhm3bQD3qezO3OQmZ2s1OfzZMQpXE8+4ymTWW5H9KtKxrDs7/05goy1/OPk
u5evFUiLOWw7CJ9Sy1/Jaws=
-----END PRIVATE KEY-----

+ 18
- 0
testapp/etc/rsa_3072.pem Zobrazit soubor

@@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC1DCCAnsCCQCY04gkucQIkzAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJGUjEN
MAsGA1UECAwEUEFDQTEXMBUGA1UEBwwOQ2FnbmVzIHN1ciBNZXIxIjAgBgNVBAsM
GUNlcnQgVGVzdGluZyBPcmdhbml6YXRpb24xIjAgBgNVBAMMGUNlcnQgVGVzdGlu
ZyBPcmdhbml6YXRpb24wHhcNMTgwNDE3MTMyNzA4WhcNMTgwNTE3MTMyNzA4WjAf
MR0wGwYDVQQDDBR3d3cuY2VydF90ZXN0aW5nLmNvbTCCAaAwDQYJKoZIhvcNAQEB
BQADggGNADCCAYgCggGBAMKGhSzLDBIZ5y5ocYY0xjw+u8zuc+NekVcPQwrU4bRh
/d5X9CpELdqFLtIgJS+FFOIPMKV7Pjk04rFikfULS78z8O+iMWCsYmUpW87S91yT
GVYLIroNUqLAE/vJKRePL5O5G4hniTEfNYIASV1uA8eUgY/G+FTh0Adcdx0cZ0CA
cv7sCFmHfZpwgOremSVrc9ABrApyX/vaXu89eO7n3iNZmTOuo+NcqknYZFfyrlcW
gw1R7eENHUWThqKPtjaTlpaaQPdZUYe2L0pl2O5rYJginX4FRnbTnDE6JYeWyGlf
OzvcTGPa6/04z99xWWLLlP65Hztroqgir7u+tTrjbJYJY7HenOG9+AEA0KclFZcK
rgI8DIiY1RpqmCesz1MhZHIGa0Pv+qx9DRsMoki1/6nhnPHVBq0soUbyppqg/7qW
JBBpgVE/+/5xcztz0tpTt6UojfLIKUtJShWuDq+n/FSwhxpiNQ/aP7dUy/ngPLXx
5a3YWSZEHWialKn6DpegjwIBAzAKBggqhkjOPQQDAgNHADBEAiBiXGvdsqXGxDtR
09lV6d2w2rYVteso/RVCQVxUWo5BuQIgRXF5XrvhRbpTOaRgLgnOpyLZv7nEwWNG
cRb2Q37V4VM=
-----END CERTIFICATE-----

+ 205
- 0
testapp/src/b_client.c Zobrazit soubor

@@ -0,0 +1,205 @@
#include <unistd.h>
#include "common.h"

// include/ path is here for a reason - to make sure we compile against boringssl (temporary solution)
#include <include/openssl/ssl.h>
#include <pthread.h>

// Buffer used for read/write tests
unsigned char rw_buf[BUFFER_SIZE];

SSL_CTX *setup_client_ctx(void)
{
SSL_CTX* ctx;

ctx = SSL_CTX_new(TLS_with_buffers_method());
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
if( SSL_CTX_load_verify_locations(ctx, CACERT, NULL) != 1) {
ERR("Error loading CA DIR");
}
return ctx;
}

int do_client_loop(SSL* ssl)
{
int err, nwritten;
char buf[80];

for(;;)
{
if( !fgets(buf, sizeof(buf), stdin) )
break;
for(nwritten = 0; nwritten < strlen(buf); nwritten += err)
{
err = SSL_write(ssl, buf + nwritten, strlen(buf) - nwritten);
if(err<=0)
return 0;
}
}
return 1;
}

void test_Handshake(size_t handshake_nb) {

SSL* ssl;
SSL_CTX* ctx;
int err;

init();
ctx = setup_client_ctx();

DBG("Trying to connect");
int fd = connect_once();

for (size_t i=0; i<handshake_nb; i++) {

DBG("SSL ctx setup");
if (!(ssl = SSL_new(ctx))) {
ERR("Error creating an SSL context");
}
SSL_set_fd(ssl, fd);

DBG("SSL handshake");
// OZAPTF: do handshake thing
err = SSL_connect(ssl);
if (err<=0) {
ERR("Error connecting SSL err=%d", err);
}
// assert(!SSL_session_reused(ssl));

SSL_set_read_ahead(ssl, 0);
assert(SSL_shutdown(ssl) == 0);
assert(SSL_shutdown(ssl) == 1);

SSL_free(ssl);
}

SSL_CTX_free(ctx);
close(fd);
}

void test_Read() {
int err, nread=0;
SSL* ssl;
SSL_CTX* ctx;

init();
ctx = setup_client_ctx();

DBG("Trying to connect");
int fd = connect_once();

DBG("SSL ctx setup");
if (!(ssl = SSL_new(ctx))) {
ERR("Error creating an SSL context");
}
SSL_set_fd(ssl, fd);

DBG("SSL handshake");
err = SSL_connect(ssl);
if (err<=0) {
ERR("Error connecting SSL err=%d", err);
}

DBG("SSL writing");
if (SSL_write(ssl, (unsigned char*)READ_REQUEST, sizeof(READ_REQUEST) ) <= 0) {
ERR("SSL_write");
}

DBG("Continue reading");
do {
#ifdef DEBUG
fwrite(rw_buf,1, nread, stdout);
#endif
for(nread=0; nread<sizeof(rw_buf); nread+=err) {
err = SSL_read(ssl, rw_buf+nread, sizeof(rw_buf) - nread);
if(err <= 0) {
break;
}
}
} while(err>0);

if (0==(SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN)) {
ERR("SSL_Read");
}

DBG("Shutdown");
SSL_set_read_ahead(ssl, 0);
assert(SSL_shutdown(ssl) == 1);

SSL_free(ssl);
SSL_CTX_free(ctx);
close(fd);
}

void test_Write() {
SSL* ssl;
SSL_CTX* ctx;
int err,nread=0;

init();
ctx = setup_client_ctx();

DBG("Trying to connect");
int fd = connect_once();

DBG("SSL ctx setup");
if (!(ssl = SSL_new(ctx))) {
ERR("Error creating an SSL context");
}
SSL_set_fd(ssl, fd);

DBG("SSL handshake");
err = SSL_connect(ssl);
if (err<=0) {
ERR("Error connecting SSL err=%d", err);
}

DBG("Writing");

fill_buffer_from_file(rw_buf, sizeof(rw_buf));
for (size_t i=0; i<RW_ITERATIONS; i++) {
for(nread=0; nread<sizeof(rw_buf); nread+=err) {
err = SSL_write(ssl, rw_buf+nread, sizeof(rw_buf) - nread);
if(err <= 0) {
ERR("SSL_write");
}
}
}

DBG("Shutdown");
SSL_set_read_ahead(ssl, 0);
assert(SSL_shutdown(ssl) == 0);
assert(SSL_shutdown(ssl) == 1);

SSL_free(ssl);
SSL_CTX_free(ctx);
close(fd);
}

int main(int argc, char* argv[]) {

if (argc < 2) {
goto usage;
}

if (!strncmp("test_Handshake", argv[1], strlen("test_Handshake"))) {
test_Handshake(HANDHAKE_REPS);
} else if (!strncmp("test_Read", argv[1], strlen("test_Read"))) {
test_Read();
} else if (!strncmp("test_Write", argv[1], strlen("test_Write"))) {
test_Write();
} else {
printf("Unknown test");
goto usage;
}

exit:
cleanup();
return 0;

usage:
ERR("\n\nUsage: %s test_name \nOptions for 'test_name':\n\t"
"test_Handshake\n\ttest_Write\n\ttest_Read\n", argv[0]);
goto exit;
}

+ 53
- 0
testapp/src/common.c Zobrazit soubor

@@ -0,0 +1,53 @@
#include "common.h"
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

#include <netinet/tcp.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

/* -----------------------------------------------------------------------------
* @brief Performs TCP 3-way handshake with IP:PORT
* -------------------------------------------------------------------------------- */
int connect_once(void) {

struct sockaddr_in a;

int fd = socket(AF_INET, SOCK_STREAM, 0);
memset(&a, 0, sizeof(a));
a.sin_family = AF_INET;
a.sin_addr.s_addr = inet_addr(IP);
a.sin_port = htons(PORT);

// Set socket to blocking, in order to make things simplere
if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK )<0) {
ERR("fcntl");
}

if (connect(fd, (struct sockaddr *) &a, sizeof(a))<0) {
ERR("Econnect");
}
DBG("Connected");
return fd;
}

/* -----------------------------------------------------------------------------
* @brief Fills the buffer with random data.
*------------------------------------------------------------------------------ */
void fill_buffer_from_file(unsigned char *b, size_t sz) {
FILE * fd = fopen(RANDOM_DATA_FILE, "r");
if (!fd) {
ERR("fopen");
}

if (fread(b, 1, sz, fd) < sz) {
// Random data file smaller than a buffer
ERR("fread");
}

if (fclose(fd)) {
ERR("fclose");
}
}

+ 64
- 0
testapp/src/common.h Zobrazit soubor

@@ -0,0 +1,64 @@
#ifndef __COMMON_H__
#define __COMMON_H__

#include <string.h>
#include <stdlib.h>
#include <assert.h>

#ifdef DEBUG
#include <stdio.h>
#endif

#define PORT 1443
#define IP "127.0.0.1"
#define SERVER "localhost"
#define CLIENT "localhost"
#define CACERT "etc/ca/ca.cert.pem"
//#define CERT_HOSTNAME "www.cert_testing.com"
#define CERT_HOSTNAME "www.dmv.com"
#define KEYFILE_PASS "test123"
#define READ_REQUEST "ReadRequest"
#define HANDHAKE_REPS 200
// Keep random data file must at least same size as a buffer size
#define RANDOM_DATA_FILE "etc/random_data"
#define BUFFER_SIZE 1024
// Amount bytes of plaintext data exchanged in read-write stets is BUFFER_SIZE*RW_ITERATOIONS
#ifdef DEBUG
#define RW_ITERATIONS (1024*10) // 10 MB
#else
#define RW_ITERATIONS (1024*200) // 1GB
#endif
// Utils
#define LOG_I(...) \
do { \
(void) fprintf(stdout, "[%s() %s:%d] ", __func__, __FILE__, __LINE__); \
(void) fprintf(stdout, __VA_ARGS__); \
(void) fprintf(stdout, "\n"); \
} while (0)
#define ERR(...) \
do { \
LOG_I(__VA_ARGS__); \
exit(-1); \
} while (0)

#define LOG(...) LOG_I(__VA_ARGS__)

#ifdef DEBUG
#define DBG(...) LOG_I(__VA_ARGS__)
#else
#define DBG(...)
#endif

#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0]))

int connect_once(void);
void init(void);
void cleanup(void);
void fill_buffer_from_file(unsigned char *b, size_t sz);

// Available tests
void test_Write(void);
void test_Read(void);
void test_Handshake(size_t);

#endif // __COMMON_H__

+ 30
- 0
testapp/src/common_boring.c Zobrazit soubor

@@ -0,0 +1,30 @@
#include "common.h"

// include/ path is here for a reason - to make sure we compile against boringssl (temporary solution)
#include <include/openssl/rand.h>
#include <include/openssl/ssl.h>
#include <include/openssl/x509v3.h>
#include <pthread.h>

void init(void) {
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
SSL_library_init();
CRYPTO_library_init();

if(!SSL_library_init())
{
fprintf(stderr, "** OpenSSL initialization failed!\n");
exit(-1);
}
}

void cleanup(void) {

ERR_free_strings();
ERR_clear_error();
CRYPTO_set_locking_callback(NULL);
CRYPTO_set_id_callback(NULL);
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
}

+ 244
- 0
testapp/src/m_client.c Zobrazit soubor

@@ -0,0 +1,244 @@
#include <unistd.h>

#include "mbedtls/net.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#ifdef DEBUG
#include "mbedtls/debug.h"
#endif

#include "common.h"

mbedtls_net_context server_fd;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ctx;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;

// Buffer used for read/write tests
unsigned char rw_buf[BUFFER_SIZE];

// Function calls 'mbedtls_ssl_handshake' and 'mbedtls_ssl_close_notify'
#define HANDLE_OP_RW_NEEDS(op, ctx) \
do { \
while ((ret = (op)((ctx)))) { \
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { \
ERR("Critical error when performing " #op); \
} \
} \
} while (0);


#ifdef DEBUG
static void my_debug( void *ctx, int level,
const char *file, int line, const char *str ) {
((void) level);
fprintf( (FILE *) ctx, "%s:%04d: %s", file, line, str );
fflush( (FILE *) ctx );
}
#endif

void init() {
int ret;

mbedtls_net_init( &server_fd );
mbedtls_ssl_init( &ctx );
mbedtls_ssl_config_init( &conf );
mbedtls_x509_crt_init( &cacert );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );

mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) CLIENT,
strlen( CLIENT ) );
if (ret) {
ERR( "mbedtls_ctr_drbg_seed");
}

ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM, // TLS not DTLS
MBEDTLS_SSL_PRESET_DEFAULT );
if (ret) {
ERR("mbedtls_ssl_config_defaults");
}

mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
if (ret) {
ERR( "mbedtls_ssl_conf_authmode");
}

ret = mbedtls_x509_crt_parse_file(&cacert, CACERT);
if (ret) {
ERR("mbedtls_x509_crt_parse");
}

mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
//mbedtls_ssl_conf_ciphersuites( &conf, AllowedCiphers);
#ifdef DEBUG
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
mbedtls_debug_set_threshold(4);
#endif
// end of 'conf' object setup

ret = mbedtls_ssl_setup(&ctx, &conf);
if (ret) {
ERR("mbedtls_ssl_setup");
}
}

void cleanup(void) {
mbedtls_x509_crt_free(&cacert);
mbedtls_net_free( &server_fd );
mbedtls_ssl_free( &ctx );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
}

static void setup_client_ctx(void)
{

if (mbedtls_ssl_set_hostname(&ctx, CERT_HOSTNAME) ) {
ERR("mbedtls_ssl_set_hostname");
}
mbedtls_ssl_set_bio(&ctx, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
}

void test_Handshake(size_t handshake_nb) {
int ret;
init();

DBG("Trying to connect");
server_fd.fd = connect_once();
setup_client_ctx();

for (int i=0; i<handshake_nb; i++) {

DBG("SSL handshake");
HANDLE_OP_RW_NEEDS(mbedtls_ssl_handshake, &ctx);

DBG("Send 'close notify'");
HANDLE_OP_RW_NEEDS(mbedtls_ssl_close_notify, &ctx);

DBG("SSL reset");
mbedtls_ssl_session_reset(&ctx);
}

close(server_fd.fd);
cleanup();
}

void test_Write() {
int ret, err, nread =0;
init();

DBG("Trying to connect");
server_fd.fd = connect_once();
setup_client_ctx();

DBG("SSL handshake");
HANDLE_OP_RW_NEEDS(mbedtls_ssl_handshake, &ctx);

fprintf(stderr, "%s\n", mbedtls_ssl_get_version(&ctx));
fprintf(stderr, "%s\n", mbedtls_ssl_get_ciphersuite(&ctx));

fill_buffer_from_file(rw_buf, sizeof(rw_buf));
for (size_t i=0; i<RW_ITERATIONS; i++) {
for(nread=0; nread<sizeof(rw_buf); nread+=err) {
err = mbedtls_ssl_write(&ctx, rw_buf+nread, sizeof(rw_buf) - nread);
if (err == MBEDTLS_ERR_SSL_WANT_READ && err == MBEDTLS_ERR_SSL_WANT_WRITE) {
// From spec: when this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ,
// it must be called later with the same arguments, until
// it returns a positive value.
err = 0;
continue;
}

if(err <= 0) {
ERR("mbedtls_ssl_write");
}
}
}

DBG("Send 'close notify'");
HANDLE_OP_RW_NEEDS(mbedtls_ssl_close_notify, &ctx);

close(server_fd.fd);
cleanup();

}

void test_Read() {

int ret, err, nread = 0;

init();

DBG("Trying to connect");
server_fd.fd = connect_once();
setup_client_ctx();

DBG("SSL handshake");
HANDLE_OP_RW_NEEDS(mbedtls_ssl_handshake, &ctx);

if (mbedtls_ssl_write( &ctx, (unsigned char*)READ_REQUEST, sizeof(READ_REQUEST) ) <= 0) {
ERR("mbedtls_ssl_write");
}

do {
#ifdef DEBUG
fwrite(rw_buf,1, nread, stdout);
#endif
for(nread=0; nread<sizeof(rw_buf); nread+=err) {
err = mbedtls_ssl_read(&ctx, rw_buf+nread, sizeof(rw_buf) - nread);
if (err == MBEDTLS_ERR_SSL_WANT_READ && err == MBEDTLS_ERR_SSL_WANT_WRITE) {
// I assume as for mbedtls_ssl_write, the read function will handle
// MBEDTLS_ERR_SSL_WANT_WRITE/READ return codes
err = 0;
continue;
}

if(!err) break;
}
} while(err>0);

if (err != MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
ERR("mbedtls_ssl_read");
}

DBG("Send 'close notify'");
HANDLE_OP_RW_NEEDS(mbedtls_ssl_close_notify, &ctx);

close(server_fd.fd);
cleanup();
}

int main(int argc, char* argv[]) {

if (argc < 2) {
goto usage;
}

if (!strncmp("test_Handshake", argv[1], strlen("test_Handshake"))) {
test_Handshake(HANDHAKE_REPS);
} else if (!strncmp("test_Read", argv[1], strlen("test_Read"))) {
test_Read();
} else if (!strncmp("test_Write", argv[1], strlen("test_Write"))) {
test_Write();
} else {
printf("Unknown test");
goto usage;
}

exit:
return 0;

usage:
ERR("\n\nUsage: %s test_name \nOptions for 'test_name':\n\t"
"test_Handshake\n\ttest_Write\n\ttest_Read\n", argv[0]);
goto exit;
}

+ 264
- 0
testapp/src/server.c Zobrazit soubor

@@ -0,0 +1,264 @@
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <arpa/inet.h>

// include/ path is here for a reason - to make sure we compile against boringssl (temporary solution)
#include <include/openssl/rand.h>
#include <include/openssl/ssl.h>
#include <include/openssl/x509v3.h>
#include <pthread.h>

#include "common.h"

// Enforce this protocol version
#define TLS_PROT_VERSION TLS1_2_VERSION
#define ENFORCED_CURVE NID_X9_62_prime256v1
// Not supported by mbedTLS
//#define ENFORCED_CURVE NID_X25519

static const int Curves[1] = {ENFORCED_CURVE};

static const struct CertDesc_t {
const char* arg;
const char* cert;
const char* key;
const char* cipher;
const int* curves;
} Certs[] = {
{
.arg = "RSA_2048",
.key = "etc/rsa_2048.key",
.cert = "etc/rsa_2048.pem",
.cipher = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
.curves = Curves,
},
{
.arg = "RSA_3072",
.key = "etc/rsa_3072.key",
.cert = "etc/rsa_3072.pem",
.cipher = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
.curves = Curves,
},
{
.arg = "ECDSA_256",
.key = "etc/ecdsa_256.key",
.cert = "etc/ecdsa_256.pem",
.cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
.curves = Curves,
}
};

const struct CertDesc_t* get_cert_desc(const char* c) {
for(size_t i=0; i<ARRAY_SIZE(Certs); i++) {
if (!memcmp(Certs[i].arg, c, strlen(Certs[i].arg))) {
return &Certs[i];
}
}
ERR("Critical error");
}

// Buffer used for read/write tests
unsigned char rw_buf[BUFFER_SIZE];

int pass_cb(char *buf, int size, int rwflag, void *u) {
DBG("Using password " KEYFILE_PASS);
// password for all keys is "test123"
memcpy(buf, KEYFILE_PASS, strlen(KEYFILE_PASS));
return strlen(KEYFILE_PASS);
}

static int accept_once(void) {

int fd, client;
int reuseval = 1;
struct sockaddr_in a;
size_t a_len = sizeof(a);

// configure
memset(&a, 0, a_len);
a.sin_family = AF_INET;
a.sin_port = htons(PORT);
a.sin_addr.s_addr = INADDR_ANY;

fd = socket(PF_INET, SOCK_STREAM, 0);

if (setsockopt(fd,SOL_SOCKET, SO_REUSEADDR, &reuseval, sizeof(reuseval))) {
ERR("setsockopt");
}

if (bind(fd, (struct sockaddr *)&a, sizeof(a))) {
ERR("bind");
}

if (listen(fd, 1)) {
ERR("listen");
}


client = accept(fd, (struct sockaddr *)&a, (socklen_t *)&a_len);
if (client<0) {
ERR("accept");
}
return client;
}

static SSL_CTX* setup_server_ctx(const char* cert_name) {
SSL_CTX* ctx = SSL_CTX_new(TLS_method());
assert(ctx);

const struct CertDesc_t *c = get_cert_desc(cert_name);
SSL_CTX_set_default_passwd_cb(ctx, &pass_cb);

if(SSL_CTX_use_certificate_file(ctx, c->cert, SSL_FILETYPE_PEM) != 1)
ERR("Error loading certificate from file");
if(SSL_CTX_use_PrivateKey_file(ctx, c->key, SSL_FILETYPE_PEM) != 1)
ERR("Error loading private key from file");

if (SSL_CTX_set_strict_cipher_list(ctx, c->cipher) != 1) {
ERR("Error setting cipher list");
}

if (!SSL_CTX_set1_curves(ctx, c->curves, 1)) {
ERR("Enforcing curve");
}

if (SSL_CTX_set_min_proto_version(ctx, TLS_PROT_VERSION) != 1 ||
SSL_CTX_set_max_proto_version(ctx, TLS_PROT_VERSION) != 1) {
ERR("Enforcing protocol to TLSv1.2");

}
return ctx;
}

static void start_writing(SSL *ssl) {
int nread,err;

DBG("Start writing");

fill_buffer_from_file(rw_buf, sizeof(rw_buf));
for (size_t i=0; i<RW_ITERATIONS; i++) {
for(nread=0; nread<sizeof(rw_buf); nread+=err) {
err = SSL_write(ssl, rw_buf+nread, sizeof(rw_buf) - nread);
if(err <= 0) {
ERR("SSL_write");
}
}
}
}

static int do_server_loop(SSL* ssl) {
int nread,err;

DBG("Check if first packet is ReadRequest");
for(nread=0; nread<strlen(READ_REQUEST); nread+=err) {
err = SSL_read(ssl, rw_buf+nread, sizeof(rw_buf) - nread);
if (err <=0) {
break;
}
}

DBG("Check if server loop should be finished");
// Stop here if shutdown requested
if (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) {
return 1;
}

// Check if client wants to read
if (nread && !memcmp(READ_REQUEST, rw_buf, nread)) {
start_writing(ssl);
return 2; // server initiated closure
}

// Keep reading till connection closed
DBG("Continue reading");
do {
for(nread=0; nread<sizeof(rw_buf); nread+=err) {
err = SSL_read(ssl, rw_buf+nread, sizeof(rw_buf) - nread);
if(err <= 0) {
break;
}
}
} while(err>0);
return (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) ? 1 : 0;
}

#ifdef DEBUG
static const char* DBG_get_curve(SSL* ssl) {
const int id = SSL_get_curve_id(ssl);
if (!id) return "N/A";
return SSL_get_curve_name(id);
}
#endif

// Interface for accepting
int main(int argc, char *argv[])
{
SSL *ssl;
SSL_CTX *ctx;
int fd, ret;

if (argc < 2) {
goto usage;
}

// Start server
init();

ctx = setup_server_ctx(argv[1]);
fd = accept_once();

for(;;) {

DBG("SSL Accepting");
if(!(ssl = SSL_new(ctx))) {
DBG("Error creating SSL context");
}


SSL_set_fd(ssl, fd);
ret = SSL_accept(ssl);
//printf("%s\n", SSL_get_curve_name(SSL_get_curve_id(ssl)));
if (ret<=0) {
ret = SSL_get_error(ssl, ret);

if (ret == SSL_ERROR_SYSCALL) {
DBG("Connection closed");
goto end;
} else {
ERR("Critical error occured %d", ret);
}
}

DBG("Protocol: %s Cipher %s Curve %s", SSL_get_version(ssl), SSL_get_cipher_name(ssl), DBG_get_curve(ssl));

DBG("server loop");
ret = do_server_loop(ssl);
if(ret) {

DBG("Shutdown");
SSL_set_read_ahead(ssl, 0);
if (ret==2) {
// Server is closing
SSL_shutdown(ssl);
}
assert(SSL_shutdown(ssl)==1);
}
else {
DBG("Shutdown - error case");
goto end;
}
SSL_clear(ssl);
}
SSL_CTX_free(ctx);

end:
cleanup();
return 0;
usage:
ERR("\n\nUsage: %s server certificate \nOptions for 'server certificate':\n\t"
"RSA_2048\n\t"
"RSA_3072\n\t"
"ECDSA_256\n\t",
argv[0]);
goto end;
}

Zapsat Náhled
Načítá se…
Zrušit
Uložit