+++ /dev/null
-/*
- * Measure performance of SecureTransport handshake
- *
- * Written by Doug Mitchell.
- */
-#include <Security/SecureTransport.h>
-#include <clAppUtils/sslAppUtils.h>
-#include <clAppUtils/ioSock.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <utilLib/common.h>
-
-#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <ctype.h>
-#include <sys/param.h>
-#include <CoreFoundation/CoreFoundation.h>
-
-/* default - run both server and client on this machine, port 1200 */
-#define HOST_DEF "localhost"
-#define PORT_DEF 1200
-
-/* default keychain */
-#define DEFAULT_KC "localcert"
-
-#define DH_PARAM_FILE "dhParams_1024.der"
-
-#define GET_MSG "GET / HTTP/1.0\r\n\r\n"
-
-static void usage(char **argv)
-{
- printf("Usage: %s s[erver]|c[lient] loops [option ...]\n", argv[0]);
- printf("Options:\n");
- printf(" -h hostname (default = %s)\n", HOST_DEF);
- printf(" -p port (default = %d)\n", PORT_DEF);
- printf(" -k keychain (default = %s)\n", DEFAULT_KC);
- printf(" -c cipher (default = RSA/RC4; server side only)\n");
- printf(" ciphers: r=RSA/RC4; d=RSA/DES; D=RSA/3DES; h=DHA/RC4; "
- "H=DH/DSS/DES\n");
- printf(" -v version (t|2|3 default = t(TLS1); server side only)\n");
- printf(" -w password (unlock server keychain with password)\n");
- printf(" -a (enable client authentication)\n");
- printf(" -r (resumable session enabled; default is disabled)\n");
- printf(" -n (No client side anchor specification; root is in system KC)\n");
- printf(" -d (disable cert verify)\n");
- printf(" -o (Allow hostname spoofing)\n");
- printf(" -g Send GET msg (needs for talking to real servers)\n");
- printf(" -V (verbose)\n");
- exit(1);
-}
-
-#include <signal.h>
-
-void sigpipe(int sig)
-{
- fflush(stdin);
- printf("***SIGPIPE***\n");
-}
-
-int main(int argc, char **argv)
-{
- /* user-spec'd variables */
- unsigned loops;
- char *kcName = DEFAULT_KC;
- int port = PORT_DEF;
- char *hostName = HOST_DEF;
- SSLCipherSuite cipherSuite = SSL_RSA_WITH_RC4_128_SHA;
- SSLProtocol prot = kTLSProtocol1Only;
- char password[200];
- bool clientAuthEnable = false;
- bool isServer = false;
- bool diffieHellman = false;
- bool verbose = false;
- bool resumeEnable = false;
- bool setClientAnchor = true;
- bool certVerifyEnable = true;
- bool checkHostName = true;
- bool sendGet = false;
-
- otSocket listenSock = 0; // for server only
- CFArrayRef myCerts = NULL;
-
- signal(SIGPIPE, sigpipe);
- if(argc < 3) {
- usage(argv);
- }
- password[0] = 0;
- switch(argv[1][0]) {
- case 's':
- isServer = true;
- break;
- case 'c':
- isServer = false;
- break;
- default:
- usage(argv);
- }
- loops = atoi(argv[2]);
- if(loops == 0) {
- usage(argv);
- }
-
- extern int optind;
- extern char *optarg;
- int arg;
- optind = 3;
- while ((arg = getopt(argc, argv, "h:p:k:x:c:v:w:b:aVrndog")) != -1) {
- switch (arg) {
- case 'h':
- hostName = optarg;
- break;
- case 'p':
- port = atoi(optarg);
- break;
- case 'k':
- kcName = optarg;
- break;
- case 'c':
- if(!isServer) {
- printf("***Specify cipherSuite on server side.\n");
- exit(1);
- }
- switch(optarg[0]) {
- case 'r':
- cipherSuite = SSL_RSA_WITH_RC4_128_SHA;
- break;
- case 'd':
- cipherSuite = SSL_RSA_WITH_DES_CBC_SHA;
- break;
- case 'D':
- cipherSuite = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
- break;
- case 'h':
- cipherSuite = SSL_DH_anon_WITH_RC4_128_MD5;
- diffieHellman = true;
- break;
- case 'H':
- cipherSuite = SSL_DHE_DSS_WITH_DES_CBC_SHA;
- diffieHellman = true;
- break;
- default:
- usage(argv);
- }
- break;
- case 'v':
- if(!isServer) {
- printf("***Specify protocol on server side.\n");
- exit(1);
- }
- switch(optarg[0]) {
- case 't':
- prot = kTLSProtocol1Only;
- break;
- case '2':
- prot = kSSLProtocol2;
- break;
- case '3':
- prot = kSSLProtocol3Only;
- break;
- default:
- usage(argv);
- }
- break;
- case 'w':
- strcpy(password, optarg);
- break;
- case 'a':
- clientAuthEnable = true;
- break;
- case 'V':
- verbose = true;
- break;
- case 'r':
- resumeEnable = true;
- break;
- case 'n':
- setClientAnchor = false;
- break;
- case 'd':
- certVerifyEnable = false;
- break;
- case 'o':
- checkHostName = false;
- break;
- case 'g':
- sendGet = true;
- break;
- default:
- usage(argv);
- }
- }
-
- /* gather Diffie-Hellman params from cwd */
- if(JAGUAR_BUILD && diffieHellman) {
- printf("***SOrry, DIffie Hellman not available in this config.\n");
- exit(1);
- }
- unsigned char *dhParams = NULL;
- unsigned dhParamsLen = 0;
- if(diffieHellman && isServer) {
- if(readFile(DH_PARAM_FILE, &dhParams, &dhParamsLen)) {
- printf("***Error reading Diffie-Hellman Params. Prepare to "
- "wait for a minute during SSL handshake.\n");
- }
- }
-
- /*
- * Open keychain; both sides use the same one.
- */
- OSStatus ortn;
- SecKeychainRef certKc = NULL;
- if(isServer || clientAuthEnable || setClientAnchor) {
- ortn = SecKeychainOpen(kcName, &certKc);
- if(ortn) {
- printf("Error opening keychain %s (%d); aborting.\n",
- kcName, (int)ortn);
- exit(1);
- }
- if(password[0]) {
- ortn = SecKeychainUnlock(certKc, strlen(password), password, true);
- if(ortn) {
- printf("SecKeychainUnlock returned %lu\n", ortn);
- /* oh well */
- }
- }
- }
-
- /* just do this once */
- if(clientAuthEnable || isServer || setClientAnchor) {
- myCerts = sslKcRefToCertArray(certKc, CSSM_FALSE, CSSM_TRUE, NULL);
- if(myCerts == NULL) {
- exit(1);
- }
- }
-
- /* server sets up listen port just once */
- if(isServer) {
- printf("...listening for client connection on port %d\n", port);
- ortn = ListenForClients(port, 0, &listenSock);
- if(ortn) {
- printf("...error establishing a listen socket. Aborting.\n");
- exit(1);
- }
- }
-
- CFAbsoluteTime setupTotal = 0;
- CFAbsoluteTime handShakeTotal = 0;
-
- for(unsigned loop=0; loop<loops; loop++) {
- otSocket peerSock = 0;
- PeerSpec peerId;
-
- if(isServer) {
- ortn = AcceptClientConnection(listenSock, &peerSock, &peerId);
- if(ortn) {
- printf("...error listening for connection. Aborting.\n");
- exit(1);
- }
- }
- else {
- /* client side */
- if(verbose) {
- printf("...connecting to host %s at port %d\n", hostName, port);
- }
- ortn = MakeServerConnection(hostName, port, 0, &peerSock,
- &peerId);
- if(ortn) {
- printf("...error connecting to server %s. Aborting.\n",
- hostName);
- exit(1);
- }
- }
-
- /* start timing SSL setup */
- CFAbsoluteTime setupStart = CFAbsoluteTimeGetCurrent();
-
- SSLContextRef ctx;
- ortn = SSLNewContext(isServer, &ctx);
- if(ortn) {
- printSslErrStr("SSLNewContext", ortn);
- exit(1);
- }
- ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
- if(ortn) {
- printSslErrStr("SSLSetIOFuncs", ortn);
- exit(1);
- }
- ortn = SSLSetConnection(ctx, peerSock);
- if(ortn) {
- printSslErrStr("SSLSetConnection", ortn);
- exit(1);
- }
- if(checkHostName) {
- ortn = SSLSetPeerDomainName(ctx, hostName, strlen(hostName) + 1);
- if(ortn) {
- printSslErrStr("SSLSetPeerDomainName", ortn);
- exit(1);
- }
- }
- if(resumeEnable) {
- ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
- if(ortn) {
- printSslErrStr("SSLSetPeerID", ortn);
- exit(1);
- }
- }
- if(!certVerifyEnable) {
- /*
- * Do this before setting up certs to allow for optimization
- * on server side (setting valid cert without verifying them)
- */
- ortn = SSLSetEnableCertVerify(ctx, false);
- if(ortn) {
- printSslErrStr("SSLSetPeerID", ortn);
- exit(1);
- }
- }
-
- /*
- * Server/client specific setup.
- *
- * Client uses the same keychain as server, but it uses it for
- * sslAddTrustedRoots() instead of getSslCerts() and
- * SSLSetCertificate().
- */
- if(clientAuthEnable || isServer) {
- if(!certVerifyEnable) {
- /* don't bother...this is heavyweight */
- ortn = addIdentityAsTrustedRoot(ctx, myCerts);
- if(ortn) {
- exit(1);
- }
- }
- ortn = SSLSetCertificate(ctx, myCerts);
- if(ortn) {
- printSslErrStr("SSLSetCertificate", ortn);
- exit(1);
- }
- }
- if(isServer) {
- SSLAuthenticate auth;
- if(clientAuthEnable) {
- auth = kAlwaysAuthenticate;
- }
- else {
- auth = kNeverAuthenticate;
- }
- ortn = SSLSetClientSideAuthenticate(ctx, auth);
- if(ortn) {
- printSslErrStr("SSLSetClientSideAuthenticate", ortn);
- exit(1);
- }
- ortn = SSLSetEnabledCiphers(ctx, &cipherSuite, 1);
- if(ortn) {
- printSslErrStr("SSLSetEnabledCiphers", ortn);
- exit(1);
- }
- #if 0
- /* FIXME why does this fail on Jaguar? */
- ortn = SSLSetProtocolVersion(ctx, prot);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersion", ortn);
- exit(1);
- }
- #endif
- #if !JAGUAR_BUILD
- if(dhParams != NULL) {
- ortn = SSLSetDiffieHellmanParams(ctx, dhParams, dhParamsLen);
- if(ortn) {
- printSslErrStr("SSLSetDiffieHellmanParams", ortn);
- exit(1);
- }
- }
- #endif
- }
- else {
- /* client setup */
- if(!clientAuthEnable && setClientAnchor) {
- /* We're not presenting a cert; trust the server certs */
- bool foundOne;
- if(certKc == NULL) {
- printf("sslAddTrustedRoots screwup\n");
- exit(1);
- }
- ortn = sslAddTrustedRoots(ctx, certKc, &foundOne);
- if(ortn) {
- printSslErrStr("sslAddTrustedRoots", ortn);
- exit(1);
- }
- }
- }
-
- /*
- * Context setup complete. Start timing handshake.
- */
- CFAbsoluteTime hshakeStart = CFAbsoluteTimeGetCurrent();
- do {
- ortn = SSLHandshake(ctx);
- } while (ortn == errSSLWouldBlock);
- if(ortn) {
- printSslErrStr("SSLHandshake", ortn);
- exit(1);
- }
- CFAbsoluteTime hshakeEnd = CFAbsoluteTimeGetCurrent();
-
- /* snag these before data xfer possibly shuts down connection */
- SSLProtocol negVersion;
- SSLCipherSuite negCipher;
- SSLClientCertificateState certState; // RETURNED
-
- SSLGetNegotiatedCipher(ctx, &negCipher);
- SSLGetNegotiatedProtocolVersion(ctx, &negVersion);
- SSLGetClientCertificateState(ctx, &certState);
-
- /*
- * Shut down. Server does the SSLClose while client tries to read. Client gets
- * a errSSLClosedGraceful then does its SSLCLose.
- */
- if(!isServer) {
- char data[2];
- size_t actRead;
- bool done = false;
- if(sendGet) {
- ortn = SSLWrite(ctx, GET_MSG, strlen(GET_MSG), &actRead);
- if(ortn) {
- printSslErrStr("SSLWrite", ortn);
- }
- }
- do {
- ortn = SSLRead(ctx, data, 2, &actRead);
- switch(ortn) {
- case errSSLClosedGraceful:
- done = true;
- break;
- case noErr:
- /* try again */
- break;
- default:
- printf("Unexpected rtn on client SSLRead(); bytesRead %u\n",
- (unsigned)actRead);
- printSslErrStr("SSLRead", ortn);
- done = true;
- /* ah, keep going */
- break;
- }
- } while(!done);
- }
- /* shut down channel */
- ortn = SSLClose(ctx);
- if(ortn) {
- printSslErrStr("SSLCLose", ortn);
- exit(1);
- }
-
- /* how'd we do? */
- if(verbose) {
- printf("SSL version : %s\n",
- sslGetProtocolVersionString(negVersion));
- printf("CipherSuite : %s\n",
- sslGetCipherSuiteString(negCipher));
- printf("Client Cert State : %s\n",
- sslGetClientCertStateString(certState));
- printf("SSLContext setup : %f s\n", hshakeStart - setupStart);
- printf("SSL Handshake : %f s\n", hshakeEnd - hshakeStart);
- }
- setupTotal += (hshakeStart - setupStart);
- handShakeTotal += (hshakeEnd - hshakeStart);
- }
-
- printf("\n");
- printf("SSL setup avg %f s\n", setupTotal / loops);
- printf("SSL handshake avg %f s\n", handShakeTotal / loops);
- return 0;
-}
-
-
-
projects / apple / security.git / blobdiff