X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/SecurityTests/clxutils/sslHdshakeTime/sslHdshakeTime.cpp

diff --git a/SecurityTests/clxutils/sslHdshakeTime/sslHdshakeTime.cpp b/SecurityTests/clxutils/sslHdshakeTime/sslHdshakeTime.cpp
new file mode 100644
index 00000000..6a4d714e
--- /dev/null
+++ b/SecurityTests/clxutils/sslHdshakeTime/sslHdshakeTime.cpp
@@ -0,0 +1,479 @@
+/*
+ * Measure performance of SecureTransport handshake
+ *
+ * Written by Doug Mitchell. 
+ */
+#include <Security/SecureTransport.h>
+#include <clAppUtils/sslAppUtils.h>
+#include <clAppUtils/ioSock.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <utilLib/common.h>
+
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
+#include <sys/param.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+/* default - run both server and client on this machine, port 1200  */
+#define HOST_DEF		"localhost"
+#define PORT_DEF		1200
+
+/* default keychain */
+#define DEFAULT_KC		"localcert"
+
+#define DH_PARAM_FILE	"dhParams_1024.der"
+
+#define GET_MSG			"GET / HTTP/1.0\r\n\r\n"
+
+static void usage(char **argv)
+{
+    printf("Usage: %s s[erver]|c[lient] loops [option ...]\n", argv[0]);
+    printf("Options:\n");
+	printf("   -h hostname (default = %s)\n", HOST_DEF);
+	printf("   -p port (default = %d)\n", PORT_DEF);
+	printf("   -k keychain (default = %s)\n", DEFAULT_KC);
+	printf("   -c cipher (default = RSA/RC4; server side only)\n");
+	printf("      ciphers: r=RSA/RC4; d=RSA/DES; D=RSA/3DES; h=DHA/RC4; "
+					"H=DH/DSS/DES\n");
+	printf("   -v version (t|2|3 default = t(TLS1); server side only)\n");
+	printf("   -w password  (unlock server keychain with password)\n");
+	printf("   -a (enable client authentication)\n");
+	printf("   -r (resumable session enabled; default is disabled)\n");
+	printf("   -n (No client side anchor specification; root is in system KC)\n");
+	printf("   -d (disable cert verify)\n");
+	printf("   -o (Allow hostname spoofing)\n");
+	printf("   -g Send GET msg (needs for talking to real servers)\n");
+	printf("   -V (verbose)\n");
+    exit(1);
+}
+
+#include <signal.h>
+
+void sigpipe(int sig) 
+{ 
+	fflush(stdin);
+	printf("***SIGPIPE***\n");
+}
+
+int main(int argc, char **argv)
+{
+	/* user-spec'd variables */
+	unsigned		loops;
+	char 			*kcName = DEFAULT_KC;
+	int 			port = PORT_DEF;
+	char 			*hostName = HOST_DEF;
+	SSLCipherSuite 	cipherSuite = SSL_RSA_WITH_RC4_128_SHA;
+	SSLProtocol 	prot = kTLSProtocol1Only;
+	char 			password[200];
+	bool 			clientAuthEnable = false;
+	bool 			isServer = false;
+	bool			diffieHellman = false;
+	bool 			verbose = false;
+	bool			resumeEnable = false;
+	bool			setClientAnchor = true;
+	bool			certVerifyEnable = true;
+	bool			checkHostName = true;
+	bool			sendGet = false;
+	
+	otSocket 		listenSock = 0;			// for server only
+	CFArrayRef 		myCerts = NULL;
+	
+	signal(SIGPIPE, sigpipe);
+	if(argc < 3) {
+		usage(argv);
+	}
+	password[0] = 0;
+	switch(argv[1][0]) {
+		case 's':
+			isServer = true;
+			break;
+		case 'c':
+			isServer = false;
+			break;
+		default:
+			usage(argv);
+	}
+	loops = atoi(argv[2]);
+	if(loops == 0) {
+		usage(argv);
+	}
+	
+	extern int optind;
+	extern char *optarg;
+	int arg;
+	optind = 3;
+	while ((arg = getopt(argc, argv, "h:p:k:x:c:v:w:b:aVrndog")) != -1) {
+		switch (arg) {
+			case 'h':
+				hostName = optarg;
+				break;
+			case 'p':
+				port = atoi(optarg);
+				break;
+			case 'k':
+				kcName = optarg;
+				break;
+			case 'c':
+				if(!isServer) {
+					printf("***Specify cipherSuite on server side.\n");
+					exit(1);
+				}
+				switch(optarg[0]) {
+					case 'r':
+						cipherSuite = SSL_RSA_WITH_RC4_128_SHA;
+						break;
+					case 'd':
+						cipherSuite = SSL_RSA_WITH_DES_CBC_SHA;
+						break;
+					case 'D':
+						cipherSuite = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
+						break;
+					case 'h':
+						cipherSuite = SSL_DH_anon_WITH_RC4_128_MD5;
+						diffieHellman = true;
+						break;
+					case 'H':
+						cipherSuite = SSL_DHE_DSS_WITH_DES_CBC_SHA;
+						diffieHellman = true;
+						break;
+					default:
+						usage(argv);
+				}
+				break;
+			case 'v':
+				if(!isServer) {
+					printf("***Specify protocol on server side.\n");
+					exit(1);
+				}
+				switch(optarg[0]) {
+					case 't':
+						prot = kTLSProtocol1Only;
+						break;
+					case '2':
+						prot = kSSLProtocol2;
+						break;
+					case '3':
+						prot = kSSLProtocol3Only;
+						break;
+					default:
+						usage(argv);
+				}
+				break;
+			case 'w':
+				strcpy(password, optarg);
+				break;
+			case 'a':
+				clientAuthEnable = true;
+				break;
+			case 'V':
+				verbose = true;
+				break;
+			case 'r':
+				resumeEnable = true;
+				break;
+			case 'n':
+				setClientAnchor = false;
+				break;
+			case 'd':
+				certVerifyEnable = false;
+				break;
+			case 'o':
+				checkHostName = false;
+				break;
+			case 'g':
+				sendGet = true;
+				break;
+			default:
+				usage(argv);
+		}
+	}
+	
+	/* gather Diffie-Hellman params from cwd */
+	if(JAGUAR_BUILD && diffieHellman) {
+		printf("***SOrry, DIffie Hellman not available in this config.\n");
+		exit(1);
+	}
+	unsigned char *dhParams = NULL;
+	unsigned dhParamsLen = 0;
+	if(diffieHellman && isServer) {
+		if(readFile(DH_PARAM_FILE, &dhParams, &dhParamsLen)) {
+			printf("***Error reading Diffie-Hellman Params. Prepare to "
+				"wait for a minute during SSL handshake.\n");
+		}
+	}
+	
+	/*
+	 * Open keychain; both sides use the same one.
+	 */
+	OSStatus ortn;
+	SecKeychainRef certKc = NULL;
+	if(isServer || clientAuthEnable || setClientAnchor) {
+		ortn = SecKeychainOpen(kcName, &certKc);
+		if(ortn) {
+			printf("Error opening keychain %s (%d); aborting.\n",
+				kcName, (int)ortn);
+			exit(1);
+		}
+		if(password[0]) {
+			ortn = SecKeychainUnlock(certKc, strlen(password), password, true);
+			if(ortn) {
+				printf("SecKeychainUnlock returned %lu\n", ortn);
+				/* oh well */
+			}
+		}
+	}
+
+	/* just do this once */
+	if(clientAuthEnable || isServer || setClientAnchor) {
+		myCerts = sslKcRefToCertArray(certKc, CSSM_FALSE, CSSM_TRUE, NULL);
+		if(myCerts == NULL) {
+			exit(1);
+		}
+	}
+	
+	/* server sets up listen port just once */
+	if(isServer) {
+		printf("...listening for client connection on port %d\n", port);
+		ortn = ListenForClients(port, 0, &listenSock);
+		if(ortn) {
+			printf("...error establishing a listen socket. Aborting.\n");
+			exit(1);
+		}
+	}
+
+	CFAbsoluteTime setupTotal = 0;
+	CFAbsoluteTime handShakeTotal = 0;
+	
+	for(unsigned loop=0; loop<loops; loop++) {
+		otSocket peerSock = 0;
+		PeerSpec peerId;
+		
+		if(isServer) {
+			ortn = AcceptClientConnection(listenSock, &peerSock, &peerId);
+			if(ortn) {
+				printf("...error listening for connection. Aborting.\n");
+				exit(1);
+			}
+		}
+		else {
+			/* client side */
+			if(verbose) {
+				printf("...connecting to host %s at port %d\n", hostName, port);
+			}
+			ortn = MakeServerConnection(hostName, port, 0, &peerSock,
+				&peerId);
+			if(ortn) {
+				printf("...error connecting to server %s. Aborting.\n",
+					hostName);
+				exit(1);
+			}
+		}
+	
+		/* start timing SSL setup */
+		CFAbsoluteTime setupStart = CFAbsoluteTimeGetCurrent();
+	
+		SSLContextRef ctx;
+		ortn = SSLNewContext(isServer, &ctx);
+		if(ortn) {
+			printSslErrStr("SSLNewContext", ortn);
+			exit(1);
+		} 
+		ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
+		if(ortn) {
+			printSslErrStr("SSLSetIOFuncs", ortn);
+			exit(1);
+		} 
+		ortn = SSLSetConnection(ctx, peerSock);
+		if(ortn) {
+			printSslErrStr("SSLSetConnection", ortn);
+			exit(1);
+		}
+		if(checkHostName) {
+			ortn = SSLSetPeerDomainName(ctx, hostName, strlen(hostName) + 1);
+			if(ortn) {
+				printSslErrStr("SSLSetPeerDomainName", ortn);
+				exit(1);
+			}	
+		}
+		if(resumeEnable) {
+			ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
+			if(ortn) {
+				printSslErrStr("SSLSetPeerID", ortn);
+				exit(1);
+			}
+		}
+		if(!certVerifyEnable) {
+			/*
+			 * Do this before setting up certs to allow for optimization 
+			 * on server side (setting valid cert without verifying them)
+			 */
+			ortn = SSLSetEnableCertVerify(ctx, false);
+			if(ortn) {
+				printSslErrStr("SSLSetPeerID", ortn);
+				exit(1);
+			}
+		}
+		
+		/*
+		 * Server/client specific setup.
+		 *
+		 * Client uses the same keychain as server, but it uses it for 
+		 * sslAddTrustedRoots() instead of getSslCerts() and 
+		 * SSLSetCertificate().
+		 */
+		if(clientAuthEnable || isServer) {
+			if(!certVerifyEnable) {
+				/* don't bother...this is heavyweight */
+				ortn = addIdentityAsTrustedRoot(ctx, myCerts);
+				if(ortn) {
+					exit(1);
+				}
+			}
+			ortn = SSLSetCertificate(ctx, myCerts);
+			if(ortn) {
+				printSslErrStr("SSLSetCertificate", ortn);
+				exit(1);
+			}
+		}
+		if(isServer) {
+			SSLAuthenticate auth;
+			if(clientAuthEnable) {
+				auth = kAlwaysAuthenticate;
+			}
+			else {
+				auth = kNeverAuthenticate;
+			}
+			ortn = SSLSetClientSideAuthenticate(ctx, auth);
+			if(ortn) {
+				printSslErrStr("SSLSetClientSideAuthenticate", ortn);
+				exit(1);
+			}
+			ortn = SSLSetEnabledCiphers(ctx, &cipherSuite, 1);
+			if(ortn) {
+				printSslErrStr("SSLSetEnabledCiphers", ortn);
+				exit(1);
+			}
+			#if 0
+			/* FIXME why does this fail on Jaguar? */
+			ortn = SSLSetProtocolVersion(ctx, prot);
+			if(ortn) {
+				printSslErrStr("SSLSetProtocolVersion", ortn);
+				exit(1);
+			}
+			#endif
+			#if !JAGUAR_BUILD
+			if(dhParams != NULL) {
+				ortn = SSLSetDiffieHellmanParams(ctx, dhParams, dhParamsLen);
+				if(ortn) {
+					printSslErrStr("SSLSetDiffieHellmanParams", ortn);
+					exit(1);
+				}
+			}
+			#endif
+		}
+		else {
+			/* client setup */
+			if(!clientAuthEnable && setClientAnchor) {
+				/* We're not presenting a cert; trust the server certs */
+				bool foundOne;
+				if(certKc == NULL) {
+					printf("sslAddTrustedRoots screwup\n");
+					exit(1);
+				}
+				ortn = sslAddTrustedRoots(ctx, certKc, &foundOne);
+				if(ortn) {
+					printSslErrStr("sslAddTrustedRoots", ortn);
+					exit(1);
+				}
+			}
+		}
+		
+		/*
+		 * Context setup complete. Start timing handshake.
+		 */
+		CFAbsoluteTime hshakeStart = CFAbsoluteTimeGetCurrent();
+		do {   
+			ortn = SSLHandshake(ctx);
+		} while (ortn == errSSLWouldBlock);
+		if(ortn) {
+			printSslErrStr("SSLHandshake", ortn);
+			exit(1);
+		}
+		CFAbsoluteTime hshakeEnd = CFAbsoluteTimeGetCurrent();
+		
+		/* snag these before data xfer possibly shuts down connection */
+		SSLProtocol	negVersion;
+		SSLCipherSuite negCipher;
+		SSLClientCertificateState certState;		// RETURNED
+	
+		SSLGetNegotiatedCipher(ctx, &negCipher);
+		SSLGetNegotiatedProtocolVersion(ctx, &negVersion);
+		SSLGetClientCertificateState(ctx, &certState);
+			
+		/*
+		 * Shut down. Server does the SSLClose while client tries to read. Client gets
+		 * a errSSLClosedGraceful then does its SSLCLose.
+		 */
+		if(!isServer) {
+			char data[2];
+			size_t actRead;
+			bool done = false;
+			if(sendGet) {
+				ortn = SSLWrite(ctx, GET_MSG, strlen(GET_MSG), &actRead);
+				if(ortn) {
+					printSslErrStr("SSLWrite", ortn);
+				}
+			}
+			do {
+				ortn = SSLRead(ctx, data, 2, &actRead);
+				switch(ortn) {
+					case errSSLClosedGraceful:
+						done = true;
+						break;
+					case noErr:
+						/* try again */
+						break;
+					default:
+						printf("Unexpected rtn on client SSLRead(); bytesRead %u\n",
+							(unsigned)actRead);
+						printSslErrStr("SSLRead", ortn);
+						done = true;
+						/* ah, keep going */
+						break;
+				}
+			} while(!done);
+		}
+		/* shut down channel */
+		ortn = SSLClose(ctx);
+		if(ortn) {
+			printSslErrStr("SSLCLose", ortn);
+			exit(1);
+		}
+	
+		/* how'd we do? */
+		if(verbose) {
+			printf("SSL version          : %s\n", 
+				sslGetProtocolVersionString(negVersion));
+			printf("CipherSuite          : %s\n",
+				sslGetCipherSuiteString(negCipher));
+			printf("Client Cert State    : %s\n",
+					sslGetClientCertStateString(certState));
+			printf("SSLContext setup     : %f s\n", hshakeStart - setupStart);
+			printf("SSL Handshake        : %f s\n", hshakeEnd - hshakeStart);
+		}
+		setupTotal     += (hshakeStart - setupStart);
+		handShakeTotal += (hshakeEnd - hshakeStart);
+	}
+	
+	printf("\n");
+	printf("SSL setup     avg %f s\n", setupTotal / loops);
+	printf("SSL handshake avg %f s\n", handShakeTotal / loops);
+	return 0;
+}
+
+
+