+/*
+ * Measure performance of SecureTransport handshake
+ *
+ * Written by Doug Mitchell.
+ */
+#include <Security/SecureTransport.h>
+#include <clAppUtils/sslAppUtils.h>
+#include <clAppUtils/ioSock.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <utilLib/common.h>
+
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
+#include <sys/param.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+/* default - run both server and client on this machine, port 1200 */
+#define HOST_DEF "localhost"
+#define PORT_DEF 1200
+
+/* default keychain */
+#define DEFAULT_KC "localcert"
+
+#define DH_PARAM_FILE "dhParams_1024.der"
+
+#define GET_MSG "GET / HTTP/1.0\r\n\r\n"
+
+static void usage(char **argv)
+{
+ printf("Usage: %s s[erver]|c[lient] loops [option ...]\n", argv[0]);
+ printf("Options:\n");
+ printf(" -h hostname (default = %s)\n", HOST_DEF);
+ printf(" -p port (default = %d)\n", PORT_DEF);
+ printf(" -k keychain (default = %s)\n", DEFAULT_KC);
+ printf(" -c cipher (default = RSA/RC4; server side only)\n");
+ printf(" ciphers: r=RSA/RC4; d=RSA/DES; D=RSA/3DES; h=DHA/RC4; "
+ "H=DH/DSS/DES\n");
+ printf(" -v version (t|2|3 default = t(TLS1); server side only)\n");
+ printf(" -w password (unlock server keychain with password)\n");
+ printf(" -a (enable client authentication)\n");
+ printf(" -r (resumable session enabled; default is disabled)\n");
+ printf(" -n (No client side anchor specification; root is in system KC)\n");
+ printf(" -d (disable cert verify)\n");
+ printf(" -o (Allow hostname spoofing)\n");
+ printf(" -g Send GET msg (needs for talking to real servers)\n");
+ printf(" -V (verbose)\n");
+ exit(1);
+}
+
+#include <signal.h>
+
+void sigpipe(int sig)
+{
+ fflush(stdin);
+ printf("***SIGPIPE***\n");
+}
+
+int main(int argc, char **argv)
+{
+ /* user-spec'd variables */
+ unsigned loops;
+ char *kcName = DEFAULT_KC;
+ int port = PORT_DEF;
+ char *hostName = HOST_DEF;
+ SSLCipherSuite cipherSuite = SSL_RSA_WITH_RC4_128_SHA;
+ SSLProtocol prot = kTLSProtocol1Only;
+ char password[200];
+ bool clientAuthEnable = false;
+ bool isServer = false;
+ bool diffieHellman = false;
+ bool verbose = false;
+ bool resumeEnable = false;
+ bool setClientAnchor = true;
+ bool certVerifyEnable = true;
+ bool checkHostName = true;
+ bool sendGet = false;
+
+ otSocket listenSock = 0; // for server only
+ CFArrayRef myCerts = NULL;
+
+ signal(SIGPIPE, sigpipe);
+ if(argc < 3) {
+ usage(argv);
+ }
+ password[0] = 0;
+ switch(argv[1][0]) {
+ case 's':
+ isServer = true;
+ break;
+ case 'c':
+ isServer = false;
+ break;
+ default:
+ usage(argv);
+ }
+ loops = atoi(argv[2]);
+ if(loops == 0) {
+ usage(argv);
+ }
+
+ extern int optind;
+ extern char *optarg;
+ int arg;
+ optind = 3;
+ while ((arg = getopt(argc, argv, "h:p:k:x:c:v:w:b:aVrndog")) != -1) {
+ switch (arg) {
+ case 'h':
+ hostName = optarg;
+ break;
+ case 'p':
+ port = atoi(optarg);
+ break;
+ case 'k':
+ kcName = optarg;
+ break;
+ case 'c':
+ if(!isServer) {
+ printf("***Specify cipherSuite on server side.\n");
+ exit(1);
+ }
+ switch(optarg[0]) {
+ case 'r':
+ cipherSuite = SSL_RSA_WITH_RC4_128_SHA;
+ break;
+ case 'd':
+ cipherSuite = SSL_RSA_WITH_DES_CBC_SHA;
+ break;
+ case 'D':
+ cipherSuite = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
+ break;
+ case 'h':
+ cipherSuite = SSL_DH_anon_WITH_RC4_128_MD5;
+ diffieHellman = true;
+ break;
+ case 'H':
+ cipherSuite = SSL_DHE_DSS_WITH_DES_CBC_SHA;
+ diffieHellman = true;
+ break;
+ default:
+ usage(argv);
+ }
+ break;
+ case 'v':
+ if(!isServer) {
+ printf("***Specify protocol on server side.\n");
+ exit(1);
+ }
+ switch(optarg[0]) {
+ case 't':
+ prot = kTLSProtocol1Only;
+ break;
+ case '2':
+ prot = kSSLProtocol2;
+ break;
+ case '3':
+ prot = kSSLProtocol3Only;
+ break;
+ default:
+ usage(argv);
+ }
+ break;
+ case 'w':
+ strcpy(password, optarg);
+ break;
+ case 'a':
+ clientAuthEnable = true;
+ break;
+ case 'V':
+ verbose = true;
+ break;
+ case 'r':
+ resumeEnable = true;
+ break;
+ case 'n':
+ setClientAnchor = false;
+ break;
+ case 'd':
+ certVerifyEnable = false;
+ break;
+ case 'o':
+ checkHostName = false;
+ break;
+ case 'g':
+ sendGet = true;
+ break;
+ default:
+ usage(argv);
+ }
+ }
+
+ /* gather Diffie-Hellman params from cwd */
+ if(JAGUAR_BUILD && diffieHellman) {
+ printf("***SOrry, DIffie Hellman not available in this config.\n");
+ exit(1);
+ }
+ unsigned char *dhParams = NULL;
+ unsigned dhParamsLen = 0;
+ if(diffieHellman && isServer) {
+ if(readFile(DH_PARAM_FILE, &dhParams, &dhParamsLen)) {
+ printf("***Error reading Diffie-Hellman Params. Prepare to "
+ "wait for a minute during SSL handshake.\n");
+ }
+ }
+
+ /*
+ * Open keychain; both sides use the same one.
+ */
+ OSStatus ortn;
+ SecKeychainRef certKc = NULL;
+ if(isServer || clientAuthEnable || setClientAnchor) {
+ ortn = SecKeychainOpen(kcName, &certKc);
+ if(ortn) {
+ printf("Error opening keychain %s (%d); aborting.\n",
+ kcName, (int)ortn);
+ exit(1);
+ }
+ if(password[0]) {
+ ortn = SecKeychainUnlock(certKc, strlen(password), password, true);
+ if(ortn) {
+ printf("SecKeychainUnlock returned %lu\n", ortn);
+ /* oh well */
+ }
+ }
+ }
+
+ /* just do this once */
+ if(clientAuthEnable || isServer || setClientAnchor) {
+ myCerts = sslKcRefToCertArray(certKc, CSSM_FALSE, CSSM_TRUE, NULL);
+ if(myCerts == NULL) {
+ exit(1);
+ }
+ }
+
+ /* server sets up listen port just once */
+ if(isServer) {
+ printf("...listening for client connection on port %d\n", port);
+ ortn = ListenForClients(port, 0, &listenSock);
+ if(ortn) {
+ printf("...error establishing a listen socket. Aborting.\n");
+ exit(1);
+ }
+ }
+
+ CFAbsoluteTime setupTotal = 0;
+ CFAbsoluteTime handShakeTotal = 0;
+
+ for(unsigned loop=0; loop<loops; loop++) {
+ otSocket peerSock = 0;
+ PeerSpec peerId;
+
+ if(isServer) {
+ ortn = AcceptClientConnection(listenSock, &peerSock, &peerId);
+ if(ortn) {
+ printf("...error listening for connection. Aborting.\n");
+ exit(1);
+ }
+ }
+ else {
+ /* client side */
+ if(verbose) {
+ printf("...connecting to host %s at port %d\n", hostName, port);
+ }
+ ortn = MakeServerConnection(hostName, port, 0, &peerSock,
+ &peerId);
+ if(ortn) {
+ printf("...error connecting to server %s. Aborting.\n",
+ hostName);
+ exit(1);
+ }
+ }
+
+ /* start timing SSL setup */
+ CFAbsoluteTime setupStart = CFAbsoluteTimeGetCurrent();
+
+ SSLContextRef ctx;
+ ortn = SSLNewContext(isServer, &ctx);
+ if(ortn) {
+ printSslErrStr("SSLNewContext", ortn);
+ exit(1);
+ }
+ ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
+ if(ortn) {
+ printSslErrStr("SSLSetIOFuncs", ortn);
+ exit(1);
+ }
+ ortn = SSLSetConnection(ctx, peerSock);
+ if(ortn) {
+ printSslErrStr("SSLSetConnection", ortn);
+ exit(1);
+ }
+ if(checkHostName) {
+ ortn = SSLSetPeerDomainName(ctx, hostName, strlen(hostName) + 1);
+ if(ortn) {
+ printSslErrStr("SSLSetPeerDomainName", ortn);
+ exit(1);
+ }
+ }
+ if(resumeEnable) {
+ ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
+ if(ortn) {
+ printSslErrStr("SSLSetPeerID", ortn);
+ exit(1);
+ }
+ }
+ if(!certVerifyEnable) {
+ /*
+ * Do this before setting up certs to allow for optimization
+ * on server side (setting valid cert without verifying them)
+ */
+ ortn = SSLSetEnableCertVerify(ctx, false);
+ if(ortn) {
+ printSslErrStr("SSLSetPeerID", ortn);
+ exit(1);
+ }
+ }
+
+ /*
+ * Server/client specific setup.
+ *
+ * Client uses the same keychain as server, but it uses it for
+ * sslAddTrustedRoots() instead of getSslCerts() and
+ * SSLSetCertificate().
+ */
+ if(clientAuthEnable || isServer) {
+ if(!certVerifyEnable) {
+ /* don't bother...this is heavyweight */
+ ortn = addIdentityAsTrustedRoot(ctx, myCerts);
+ if(ortn) {
+ exit(1);
+ }
+ }
+ ortn = SSLSetCertificate(ctx, myCerts);
+ if(ortn) {
+ printSslErrStr("SSLSetCertificate", ortn);
+ exit(1);
+ }
+ }
+ if(isServer) {
+ SSLAuthenticate auth;
+ if(clientAuthEnable) {
+ auth = kAlwaysAuthenticate;
+ }
+ else {
+ auth = kNeverAuthenticate;
+ }
+ ortn = SSLSetClientSideAuthenticate(ctx, auth);
+ if(ortn) {
+ printSslErrStr("SSLSetClientSideAuthenticate", ortn);
+ exit(1);
+ }
+ ortn = SSLSetEnabledCiphers(ctx, &cipherSuite, 1);
+ if(ortn) {
+ printSslErrStr("SSLSetEnabledCiphers", ortn);
+ exit(1);
+ }
+ #if 0
+ /* FIXME why does this fail on Jaguar? */
+ ortn = SSLSetProtocolVersion(ctx, prot);
+ if(ortn) {
+ printSslErrStr("SSLSetProtocolVersion", ortn);
+ exit(1);
+ }
+ #endif
+ #if !JAGUAR_BUILD
+ if(dhParams != NULL) {
+ ortn = SSLSetDiffieHellmanParams(ctx, dhParams, dhParamsLen);
+ if(ortn) {
+ printSslErrStr("SSLSetDiffieHellmanParams", ortn);
+ exit(1);
+ }
+ }
+ #endif
+ }
+ else {
+ /* client setup */
+ if(!clientAuthEnable && setClientAnchor) {
+ /* We're not presenting a cert; trust the server certs */
+ bool foundOne;
+ if(certKc == NULL) {
+ printf("sslAddTrustedRoots screwup\n");
+ exit(1);
+ }
+ ortn = sslAddTrustedRoots(ctx, certKc, &foundOne);
+ if(ortn) {
+ printSslErrStr("sslAddTrustedRoots", ortn);
+ exit(1);
+ }
+ }
+ }
+
+ /*
+ * Context setup complete. Start timing handshake.
+ */
+ CFAbsoluteTime hshakeStart = CFAbsoluteTimeGetCurrent();
+ do {
+ ortn = SSLHandshake(ctx);
+ } while (ortn == errSSLWouldBlock);
+ if(ortn) {
+ printSslErrStr("SSLHandshake", ortn);
+ exit(1);
+ }
+ CFAbsoluteTime hshakeEnd = CFAbsoluteTimeGetCurrent();
+
+ /* snag these before data xfer possibly shuts down connection */
+ SSLProtocol negVersion;
+ SSLCipherSuite negCipher;
+ SSLClientCertificateState certState; // RETURNED
+
+ SSLGetNegotiatedCipher(ctx, &negCipher);
+ SSLGetNegotiatedProtocolVersion(ctx, &negVersion);
+ SSLGetClientCertificateState(ctx, &certState);
+
+ /*
+ * Shut down. Server does the SSLClose while client tries to read. Client gets
+ * a errSSLClosedGraceful then does its SSLCLose.
+ */
+ if(!isServer) {
+ char data[2];
+ size_t actRead;
+ bool done = false;
+ if(sendGet) {
+ ortn = SSLWrite(ctx, GET_MSG, strlen(GET_MSG), &actRead);
+ if(ortn) {
+ printSslErrStr("SSLWrite", ortn);
+ }
+ }
+ do {
+ ortn = SSLRead(ctx, data, 2, &actRead);
+ switch(ortn) {
+ case errSSLClosedGraceful:
+ done = true;
+ break;
+ case noErr:
+ /* try again */
+ break;
+ default:
+ printf("Unexpected rtn on client SSLRead(); bytesRead %u\n",
+ (unsigned)actRead);
+ printSslErrStr("SSLRead", ortn);
+ done = true;
+ /* ah, keep going */
+ break;
+ }
+ } while(!done);
+ }
+ /* shut down channel */
+ ortn = SSLClose(ctx);
+ if(ortn) {
+ printSslErrStr("SSLCLose", ortn);
+ exit(1);
+ }
+
+ /* how'd we do? */
+ if(verbose) {
+ printf("SSL version : %s\n",
+ sslGetProtocolVersionString(negVersion));
+ printf("CipherSuite : %s\n",
+ sslGetCipherSuiteString(negCipher));
+ printf("Client Cert State : %s\n",
+ sslGetClientCertStateString(certState));
+ printf("SSLContext setup : %f s\n", hshakeStart - setupStart);
+ printf("SSL Handshake : %f s\n", hshakeEnd - hshakeStart);
+ }
+ setupTotal += (hshakeStart - setupStart);
+ handShakeTotal += (hshakeEnd - hshakeStart);
+ }
+
+ printf("\n");
+ printf("SSL setup avg %f s\n", setupTotal / loops);
+ printf("SSL handshake avg %f s\n", handShakeTotal / loops);
+ return 0;
+}
+
+
+
projects / apple / security.git / blobdiff