--- /dev/null
+/*
+ * Measure performance of SecureTransport - setup and sustained data
+ * throughput.
+ *
+ * Written by Doug Mitchell.
+ */
+#include <Security/SecureTransport.h>
+#include <clAppUtils/sslAppUtils.h>
+#include <clAppUtils/ioSock.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <utilLib/common.h>
+
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
+#include <sys/param.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <security_utilities/devrandom.h>
+
+/* default - run both server and client on this machine, port 1200 */
+#define HOST_DEF "localhost"
+#define PORT_DEF 1200
+
+/* default keychain */
+#define DEFAULT_KC "localcert"
+
+#define XFERSIZE_DEF (1024 * 1024)
+#define BUFSIZE 1024
+
+#define DH_PARAM_FILE "dhParams_1024.der"
+
+static void usage(char **argv)
+{
+ printf("Usage: %s s[erver]|c[lient] [option ...]\n", argv[0]);
+ printf("Options:\n");
+ printf(" -h hostname (default = %s)\n", HOST_DEF);
+ printf(" -p port (default = %d)\n", PORT_DEF);
+ printf(" -k keychain (default = %s)\n", DEFAULT_KC);
+ printf(" -x transferSize (default = %d)\n", XFERSIZE_DEF);
+ printf(" -c cipher (default = RSA/AES128; server side only)\n");
+ printf(" ciphers: r=RSA/RC4; d=RSA/DES; D=RSA/3DES; h=DHA/RC4; "
+ "H=DH/DSS/DES; A=AES256\n");
+ printf(" -v version (t|2|3 default = t(TLS1); server side only)\n");
+ printf(" -b bufsize (default = %d)\n", BUFSIZE);
+ printf(" -w password (unlock server keychain with password)\n");
+ printf(" -a (enable client authentication)\n");
+ printf(" -B non-blocking I/O\n");
+ exit(1);
+}
+
+
+int main(int argc, char **argv)
+{
+ /* user-spec'd variables */
+ const char *kcName = DEFAULT_KC;
+ unsigned xferSize = XFERSIZE_DEF;
+ int port = PORT_DEF;
+ const char *hostName = HOST_DEF;
+ SSLCipherSuite cipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA;
+ SSLProtocol prot = kTLSProtocol1Only;
+ char password[200];
+ bool clientAuthEnable = false;
+ bool isServer = false;
+ unsigned bufSize = BUFSIZE;
+ bool diffieHellman = false;
+ int nonBlocking = 0;
+
+ if(argc < 2) {
+ usage(argv);
+ }
+ password[0] = 0;
+ switch(argv[1][0]) {
+ case 's':
+ isServer = true;
+ break;
+ case 'c':
+ isServer = false;
+ break;
+ default:
+ usage(argv);
+ }
+
+ extern int optind;
+ extern char *optarg;
+ int arg;
+ optind = 2;
+ while ((arg = getopt(argc, argv, "h:p:k:x:c:v:w:b:aB")) != -1) {
+ switch (arg) {
+ case 'h':
+ hostName = optarg;
+ break;
+ case 'p':
+ port = atoi(optarg);
+ break;
+ case 'k':
+ kcName = optarg;
+ break;
+ case 'x':
+ xferSize = atoi(optarg);
+ break;
+ case 'c':
+ if(!isServer) {
+ printf("***Specify cipherSuite on server side.\n");
+ exit(1);
+ }
+ switch(optarg[0]) {
+ case 'r':
+ cipherSuite = SSL_RSA_WITH_RC4_128_SHA;
+ break;
+ case 'd':
+ cipherSuite = SSL_RSA_WITH_DES_CBC_SHA;
+ break;
+ case 'D':
+ cipherSuite = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
+ break;
+ case 'h':
+ cipherSuite = SSL_DH_anon_WITH_RC4_128_MD5;
+ diffieHellman = true;
+ break;
+ case 'H':
+ cipherSuite = SSL_DHE_DSS_WITH_DES_CBC_SHA;
+ diffieHellman = true;
+ break;
+ case 'A':
+ cipherSuite = TLS_RSA_WITH_AES_256_CBC_SHA;
+ break;
+ default:
+ usage(argv);
+ }
+ break;
+ case 'v':
+ if(!isServer) {
+ printf("***Specify protocol on server side.\n");
+ exit(1);
+ }
+ switch(optarg[0]) {
+ case 't':
+ prot = kTLSProtocol1Only;
+ break;
+ case '2':
+ prot = kSSLProtocol2;
+ break;
+ case '3':
+ prot = kSSLProtocol3Only;
+ break;
+ default:
+ usage(argv);
+ }
+ break;
+ case 'w':
+ strcpy(password, optarg);
+ break;
+ case 'b':
+ bufSize = atoi(optarg);
+ break;
+ case 'a':
+ clientAuthEnable = true;
+ break;
+ case 'B':
+ nonBlocking = 1;
+ break;
+ default:
+ usage(argv);
+ }
+ }
+
+ /* per-transfer buffer - make it random for server */
+ char *buf = (char *)malloc(bufSize);
+ if(isServer) {
+ Security::DevRandomGenerator rng;
+ rng.random(buf, bufSize);
+ }
+
+ /* gather Diffie-Hellman params from cwd */
+ unsigned char *dhParams = NULL;
+ unsigned dhParamsLen = 0;
+ if(diffieHellman && isServer) {
+ if(readFile(DH_PARAM_FILE, &dhParams, &dhParamsLen)) {
+ printf("***Error reading Diffie-Hellman Params. Prepare to "
+ "wait for a minute during SSL handshake.\n");
+ }
+ }
+
+ /*
+ * Open keychain; both sides use the same one.
+ */
+ OSStatus ortn;
+ SecKeychainRef certKc = NULL;
+ CFAbsoluteTime kcOpenStart = CFAbsoluteTimeGetCurrent();
+ ortn = SecKeychainOpen(kcName, &certKc);
+ if(ortn) {
+ printf("Error opening keychain %s (%d); aborting.\n",
+ kcName, (int)ortn);
+ exit(1);
+ }
+ if(password[0]) {
+ ortn = SecKeychainUnlock(certKc, strlen(password), password, true);
+ if(ortn) {
+ printf("SecKeychainUnlock returned %d\n", (int)ortn);
+ /* oh well */
+ }
+ }
+ CFAbsoluteTime kcOpenEnd = CFAbsoluteTimeGetCurrent();
+
+ otSocket peerSock = 0;
+ otSocket listenSock = 0; // for server only
+ PeerSpec peerId;
+
+ if(isServer) {
+ printf("...listening for client connection on port %d\n", port);
+ ortn = ListenForClients(port, nonBlocking, &listenSock);
+ if(ortn) {
+ printf("...error establishing a listen socket. Aborting.\n");
+ exit(1);
+ }
+ ortn = AcceptClientConnection(listenSock, &peerSock, &peerId);
+ if(ortn) {
+ printf("...error listening for connection. Aborting.\n");
+ exit(1);
+ }
+ }
+ else {
+ printf("...connecting to host %s at port %d\n", hostName, port);
+ ortn = MakeServerConnection(hostName, port, nonBlocking, &peerSock,
+ &peerId);
+ if(ortn) {
+ printf("...error connecting to server %s. Aborting.\n",
+ hostName);
+ exit(1);
+ }
+ }
+
+ /* start timing SSL setup */
+ CFAbsoluteTime setupStart = CFAbsoluteTimeGetCurrent();
+
+ SSLContextRef ctx;
+ ortn = SSLNewContext(isServer, &ctx);
+ if(ortn) {
+ printSslErrStr("SSLNewContext", ortn);
+ exit(1);
+ }
+ ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
+ if(ortn) {
+ printSslErrStr("SSLSetIOFuncs", ortn);
+ exit(1);
+ }
+ ortn = SSLSetConnection(ctx, (SSLConnectionRef)peerSock);
+ if(ortn) {
+ printSslErrStr("SSLSetConnection", ortn);
+ exit(1);
+ }
+ ortn = SSLSetPeerDomainName(ctx, hostName, strlen(hostName) + 1);
+ if(ortn) {
+ printSslErrStr("SSLSetPeerDomainName", ortn);
+ exit(1);
+ }
+
+ /*
+ * Server/client specific setup.
+ *
+ * Client uses the same keychain as server, but it uses it for
+ * sslAddTrustedRoots() instead of getSslCerts() and
+ * SSLSetCertificate().
+ */
+ CFArrayRef myCerts = NULL;
+ if(clientAuthEnable || isServer) {
+ myCerts = sslKcRefToCertArray(certKc, CSSM_FALSE, CSSM_FALSE, NULL, NULL);
+ if(myCerts == NULL) {
+ exit(1);
+ }
+ ortn = addIdentityAsTrustedRoot(ctx, myCerts);
+ if(ortn) {
+ exit(1);
+ }
+ ortn = SSLSetCertificate(ctx, myCerts);
+ if(ortn) {
+ printSslErrStr("SSLSetCertificate", ortn);
+ exit(1);
+ }
+ }
+ if(isServer) {
+ SSLAuthenticate auth;
+ if(clientAuthEnable) {
+ auth = kAlwaysAuthenticate;
+ }
+ else {
+ auth = kNeverAuthenticate;
+ }
+ ortn = SSLSetClientSideAuthenticate(ctx, auth);
+ if(ortn) {
+ printSslErrStr("SSLSetClientSideAuthenticate", ortn);
+ exit(1);
+ }
+ ortn = SSLSetEnabledCiphers(ctx, &cipherSuite, 1);
+ if(ortn) {
+ printSslErrStr("SSLSetEnabledCiphers", ortn);
+ exit(1);
+ }
+ ortn = SSLSetProtocolVersion(ctx, prot);
+ if(ortn) {
+ printSslErrStr("SSLSetProtocolVersion", ortn);
+ exit(1);
+ }
+ if(dhParams != NULL) {
+ ortn = SSLSetDiffieHellmanParams(ctx, dhParams, dhParamsLen);
+ if(ortn) {
+ printSslErrStr("SSLSetDiffieHellmanParams", ortn);
+ exit(1);
+ }
+ }
+ }
+ else {
+ /* client setup */
+ if(!clientAuthEnable) {
+ /* We're not presenting a cert; trust the server certs */
+ bool foundOne;
+ ortn = sslAddTrustedRoots(ctx, certKc, &foundOne);
+ if(ortn) {
+ printSslErrStr("sslAddTrustedRoots", ortn);
+ exit(1);
+ }
+ }
+ }
+
+ /*
+ * Context setup complete. Start timing handshake.
+ */
+ CFAbsoluteTime hshakeStart = CFAbsoluteTimeGetCurrent();
+ do {
+ ortn = SSLHandshake(ctx);
+ } while (ortn == errSSLWouldBlock);
+ if(ortn) {
+ printSslErrStr("SSLHandshake", ortn);
+ exit(1);
+ }
+ CFAbsoluteTime hshakeEnd = CFAbsoluteTimeGetCurrent();
+
+ /* snag these before data xfer possibly shuts down connection */
+ SSLProtocol negVersion;
+ SSLCipherSuite negCipher;
+ SSLClientCertificateState certState; // RETURNED
+
+ SSLGetNegotiatedCipher(ctx, &negCipher);
+ SSLGetNegotiatedProtocolVersion(ctx, &negVersion);
+ SSLGetClientCertificateState(ctx, &certState);
+
+ /* server sends xferSize bytes to client and shuts down */
+ size_t bytesMoved;
+
+ CFAbsoluteTime dataStart = CFAbsoluteTimeGetCurrent();
+ size_t totalMoved = 0;
+ if(isServer) {
+ size_t bytesToGo = xferSize;
+ bool done = false;
+ do {
+ size_t thisMove = bufSize;
+ if(thisMove > bytesToGo) {
+ thisMove = bytesToGo;
+ }
+ ortn = SSLWrite(ctx, buf, thisMove, &bytesMoved);
+ switch(ortn) {
+ case noErr:
+ case errSSLWouldBlock:
+ break;
+ default:
+ done = true;
+ break;
+ }
+ bytesToGo -= bytesMoved;
+ totalMoved += bytesMoved;
+ if(bytesToGo == 0) {
+ done = true;
+ }
+ } while(!done);
+ if(ortn != noErr) {
+ printSslErrStr("SSLWrite", ortn);
+ exit(1);
+ }
+ }
+ else {
+ /* client reads until error or errSSLClosedGraceful */
+ bool done = false;
+ do {
+ ortn = SSLRead(ctx, buf, bufSize, &bytesMoved);
+ switch(ortn) {
+ case errSSLClosedGraceful:
+ done = true;
+ break;
+ case noErr:
+ case errSSLWouldBlock:
+ break;
+ default:
+ done = true;
+ break;
+ }
+ totalMoved += bytesMoved;
+ } while(!done);
+ if(ortn != errSSLClosedGraceful) {
+ printSslErrStr("SSLRead", ortn);
+ exit(1);
+ }
+ }
+
+ /* shut down channel */
+ ortn = SSLClose(ctx);
+ if(ortn) {
+ printSslErrStr("SSLCLose", ortn);
+ exit(1);
+ }
+ CFAbsoluteTime dataEnd = CFAbsoluteTimeGetCurrent();
+
+ /* how'd we do? */
+ printf("SSL version : %s\n",
+ sslGetProtocolVersionString(negVersion));
+ printf("CipherSuite : %s\n",
+ sslGetCipherSuiteString(negCipher));
+ printf("Client Cert State : %s\n",
+ sslGetClientCertStateString(certState));
+
+ if(password[0]) {
+ printf("keychain open/unlock : ");
+ }
+ else {
+ printf("keychain open : ");
+ }
+ printf("%f s\n", kcOpenEnd - kcOpenStart);
+ printf("SSLContext setup : %f s\n", hshakeStart - setupStart);
+ printf("SSL Handshake : %f s\n", hshakeEnd - hshakeStart);
+ printf("Data Transfer : %u bytes in %f s\n", (unsigned)totalMoved,
+ dataEnd - dataStart);
+ printf(" : %.1f Kbytes/s\n",
+ totalMoved / (dataEnd - dataStart) / 1024.0);
+ return 0;
+}
+
+
+
projects / apple / security.git / blobdiff