Merge branch 'master' of git.amongbytes.com:kris/qrtesting

pq_t1: certs

See merge request kris/qrtesting!3

README.md

@@ -1,14 +1,24 @@
-# TLS testing
+# Servers
 
-## Servers
+## Quantum-resistant key exchange
 
-### Quantum-resistant key exchange
+### golang based
 
-* ``pq-t1.amongbytes.com``: SIDH tests
-* ``pq-t2.amongbytes.com``: SIDH tests - TLS 1.3 only is supported
+* ``pq.amongbytes.com``: SIDH/P503-x25519, SIDH/751-x448
+* ``pq-t1.amongbytes.com``: SIDH tests: Test phase 1. Allowed to be broken
 
-### TLS-TRIS 
-* ``gotls13-t1.amongbytes.com``: Testing branch of tls-tris. It supports only TLS 1.3 (0x0304)
-* ``gotls13-t2.amongbytes.com``: Testing branch of tls-tris. It supports only TLS 1.3 Draft 28
-* ``gotls13-p1.amongbytes.com``: Testing branch of tls-tris - master branch
-* ``gotls13-r1.amongbytes.com``: Testing branch of tls-tris - latest release
+### BoringSSL based (SIDH/P503-X25519 only - mainly for toure/interoperability testing)
+| domain | SNI | desc |
+|--------|-----|------|
+| pq.amongbytes.com | pq-clang.amongbytes.com | Clang on X64_64 with all optims |
+| pq.amongbytes.com | pq-clang-san.amongbytes.com | Clang with sanitizers on x86_64 with optims |
+| pq.amongbytes.com | pq-gcc.amongbytes.com | GCC with all optims on x86_64 |
+| pq.amongbytes.com | pq-gcc-nop.amongbytes.com | GCC without optims on x86_64 |
+| pq.amongbytes.com | pq-arm8.amongbytes.com | ARMv8 with optims and out of order execution |
+| pq.amongbytes.com | pq-arm8-nop.amongbytes.com | aarch64 without optims out of order execution  |
+| pq.amongbytes.com | pq-arm8-noo.amongbytes.com | aarch64 without optims without OoO|
+| pq.amongbytes.com | pq-arm7.amongbytes.com | armv7 without optims without OoO|
+
+
+## TLS-TRIS 
+* ``gotls13.amongbytes.com``: Currently alias to gotls13-p1 (referenced at https://github.com/tlswg/tls13-spec/wiki/Implementations)

images/gotls13-t2/Makefile

@@ -1,4 +1,4 @@
-NAME=gotls13-p2
+NAME=gotls13-t2
 PORT=50603
 build:
 	mkdir -p certs
@@ -13,4 +13,3 @@ restart:
 	docker rm ${NAME}
 	docker run --detach --restart always --name ${NAME} -p ${PORT}:443 ${NAME}
 
-

images/pq-connect-amd64-gcc/Dockerfile

@@ -0,0 +1,8 @@
+FROM buildpack-deps
+
+EXPOSE 443
+
+ADD bin/bssl /bin
+ADD bin/bssl_client /
+ADD req.txt /
+CMD [ "/bssl_client" ]

images/pq-connect-amd64-gcc/Makefile

@@ -0,0 +1,8 @@
+NAME=pq-gcc-amd64-client
+build:
+	docker build -t ${NAME} .
+run:
+	docker run --detach --restart always --name ${NAME} ${NAME}
+
+restart:
+	docker restart ${NAME}

images/pq-connect-amd64-gcc/bin/bssl_client

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+COUNT=0
+while [ 1 ]; do
+	bssl client -curves CECPQ2 -connect www.cloudflare.com -server-name www.cloudflare.com < /req.txt
+	bssl client -curves X25519-SIDHp503 -connect www.cloudflare.com -server-name www.cloudflare.com < /req.txt
+	bssl client -curves P-521 -connect www.cloudflare.com -server-name www.cloudflare.com < /req.txt
+	COUNT=$((COUNT + 1))
+	if [ $COUNT -eq 1000 ]; then
+		COUNT=0
+		echo "SLEEPING"
+		sleep 1
+	fi
+done
+

images/pq-connect-amd64-gcc/req.txt

@@ -0,0 +1,4 @@
+GET / HTTP/1.0
+Host: www.cloudflare.com
+
+

images/pq-gcc/Dockerfile

@@ -0,0 +1,9 @@
+FROM buildpack-deps
+
+EXPOSE 443
+
+ADD bin/bssl /
+CMD mkdir certs
+ADD certs/privkey.pem certs/
+ADD certs/fullchain.pem certs/
+CMD [ "./bssl", "server", "-curves", "CECPQ2:X25519-SIDHp503:X25519:P-256:P-384:P-224:P-521", "-accept", "443", "-loop", "-www", "-cert", "certs/fullchain.pem", "-key", "certs/privkey.pem" ]

images/pq-gcc/Makefile

@@ -0,0 +1,12 @@
+NAME=pq-gcc-amd64
+PORT=50601
+build:
+	mkdir -p certs
+	cp ../../cert/fullchain.pem certs/
+	cp ../../cert/privkey.pem certs/
+	docker build -t ${NAME} .
+run:
+	docker run --detach --restart always --name ${NAME} -p ${PORT}:443 ${NAME}
+
+restart:
+	docker restart ${NAME}

images/pq-t1/Makefile

@@ -1,9 +1,12 @@
 NAME=pq-t1
 PORT=50510
 build:
+	mkdir -p certs
+	cp ../../cert/fullchain.pem certs/
+	cp ../../cert/privkey.pem certs/
 	docker build -t ${NAME} .
 run:
-	docker run --detach --restart always --name ${NAME} -p 50510:443 ${NAME}
+	docker run --detach --restart always --name ${NAME} -p ${PORT}:443 ${NAME}
 
 restart:
 	docker restart ${NAME}

images/pq-t2/Makefile

@@ -1,6 +1,9 @@
 NAME=pq-t2
 PORT=50511
 build:
+	mkdir -p certs
+	cp ../../cert/fullchain.pem certs/
+	cp ../../cert/privkey.pem certs/
 	docker build -t ${NAME} .
 run:
 	docker run --detach --restart always --name ${NAME} -p ${PORT}:443 ${NAME}

images/pq/Caddyfile

@@ -0,0 +1,12 @@
+:443 {
+	tls fullchain.pem privkey.pem
+	tls {
+	        protocols tls1.0 tls1.3
+        	curves X25519 P256 "SIDH/503-X25519"
+	}
+	log stdout
+	markdown / {
+		ext .html
+		template index.html
+	}
+}

images/pq/Dockerfile

@@ -0,0 +1,10 @@
+FROM buildpack-deps
+
+EXPOSE 443
+
+ADD certs/privkey.pem /
+ADD certs/fullchain.pem /
+ADD bin/caddy /
+ADD Caddyfile /
+ADD index.html /
+CMD [ "/caddy", "-conf", "/Caddyfile" ]

images/pq/Makefile

@@ -0,0 +1,12 @@
+NAME=pq
+PORT=50511
+build:
+	mkdir -p certs
+	cp ../../cert/fullchain.pem certs/
+	cp ../../cert/privkey.pem certs/ 
+	docker build -t ${NAME} .
+run:
+	docker run --detach --restart always --name ${NAME} -p ${PORT}:443 ${NAME}
+
+restart:
+	docker restart ${NAME}

images/pq/index.html

@@ -0,0 +1,14 @@
+<html>
+	<head>
+		<title>TLSv1.3/Post-Quantum test server</title>
+	</head>
+	<body>
+		Connection sucessful <br />
+		You are using TLS Version: {{.TLSVersion}}
+		
+		<p>
+		This page uses <a href="https://github.com/cloudflare/tls-tris">this tls</a> package and <a href="https://caddyserver.com/">Caddy</a> HTTP server.</p>
+		<p>It was built <a href="http://hdc.amongbytes.com/post/201810-baby-steps-to-pq-https-server/">this</a> way and is used for experimenting with post-quantum cryptography.</p>
+
+	</body>
+</html>