CertVerify

Pascal Engélibert 2025-12-01 17:02:32 +01:00
commit 0e2ca537a0
4 changed files with 34 additions and 7 deletions


@ -230,6 +230,8 @@ sudo apt install acct
sudo chmod +s /sbin/sa
```
Run:
```bash
python exp.py make pi -c
python exp.py send pi
@ -271,12 +273,20 @@ Install OpenSSL with debug symbols:
Backup your system's `libcrypto.so` and `libssl.so` and replace them with the new ones.
It would be simpler with `LD_PRELOAD` but Rust loads dynamic libraries in a particuliar way so it doesn't work.
Authorize non-root users to use perf:
```bash
sudo sysctl kernel.perf_event_paranoid=-1
```
Run:
```bash
python exp.py make local -c
python exp.py send local
python exp.py update-certs
python exp.py run local
python plots.py prof <path/to/log>
```
## Problems
@ -285,3 +295,11 @@ python exp.py run local
Youtube utilise des trucs aléatoires en `RANDOM.googlevideo.com` pour la vidéo. Cependant il y a quelques domaines utilisés qui ne changent pas, du moins sur un même navigateur avec la même vidéo et sur une courte période.
Avant d'enregistrer le trafic, il faut observer les domaines utilisés puis générer les certificats et les redirections en fonction.
## Notes
### CertVerify
CertVerify est l'extension dans le ServerHello qui signe la discussion passée avec la clé secrète du certificat.
Il a fallu désactiver la réutilisation de session, qui en TLS1.3 passe par le PSK, pour pouvoir mesurer le CertVerify.

10
exp.py

@ -26,9 +26,9 @@ CONFIGS = {
},
"local": {
"experiments": [
#"impl-cipher-ver",
"impl-cipher-ver",
"impl-cert-ver",
#"impl-kex-ver",
"impl-kex-ver",
],
"setups": [
"none-local",
@ -76,7 +76,7 @@ DOMAINS_ = [
]
RECORDS = [
{ "filename": "youtube", "repeat": 1 },
{ "filename": "youtube", "repeat": 10 },
#{ "filename": "peertube", "repeat": 10 },
#{ "filename": "wikipedia", "repeat": 1 },
#{ "filename": "apple", "repeat": 1000 },
@ -91,8 +91,8 @@ CERT_SIGN_ALGS = [
IMPLS = [
"aws_lc_rs", # Amazon's Rust crypto widely used in Rust stuff
#"boring", # Google's fork of OpenSSL used in Chrome and Android
#"openssl", # widely used
#"ring", # used in most Rust stuff
"openssl", # widely used
"ring", # used in most Rust stuff
#"symcrypt", # Microsoft's crypto
#"wolfcrypt" # used in embedded (won't build with rpxy for now)
]
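Review bot: `"openssl"` and `"ring"` appear to be switched on in `IMPLS` here, while the profiling label map in the last file section shows its `encrypt`/`decrypt` symbols only under `rustls::crypto::aws_lc_rs::…`. Unless entries for the other providers exist above that hunk, a `prof` run for those implementations would attribute nothing to those labels, and the comparison between implementations would be skewed without any warning. A comment next to the list would make the coupling explicit, e.g. `# every impl enabled here needs its symbols listed in FUNCTIONS (plots script)`. `IMPLS` is fully visible in this hunk, but `CONFIGS` and `RECORDS` start or continue outside it.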


@ -100,7 +100,7 @@ set style histogram rowstacked
set style data histograms
set title font "CMU Sans Serif,12" "{object_title} by {criterion_title} ({record}, {side} side) ({unit})"
set xtics border in scale 0,0 nomirror noenhanced rotate by -15 autojustify
set key fixed right top vertical Right noenhanced autotitle nobox invert
set key fixed left top vertical Left noenhanced autotitle nobox invert reverse opaque
set colorbox vertical origin screen 0.9, 0.2 size screen 0.05, 0.6 front noinvert bdefault
set xrange [ * : * ] noreverse writeback
set yrange [ 0 : * ]


@ -34,6 +34,15 @@ FUNCTIONS = {
"rustls::crypto::aws_lc_rs::tls13::AeadAlgorithm::encrypter": "encrypt",
"rustls::crypto::aws_lc_rs::tls13::AeadAlgorithm::decrypter": "decrypt",
# Emit TLS CertVerify (sign headers using certificate's secret key)
"rustls::server::tls13::client_hello::emit_certificate_verify_tls13": "certVerify",
# Verify TLS CertVerify
"rustls::webpki::verify::verify_tls13_signature": "certVerify",
# Verify certificate
"<rustls_platform_verifier::verification::others::Verifier as rustls::verify::ServerCertVerifier>::verify_server_cert": "cert"
}
def extract_function(data, name):
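Review bot: The server-side signing symbol (`emit_certificate_verify_tls13`) and the client-side verification symbol (`verify_tls13_signature`) are both mapped to the label `certVerify`, so a profile containing both would report one merged figure for a private-key signature and a public-key verification. If the per-side split of the plots is what keeps them apart, state that in a comment above the two entries; otherwise give them distinct labels such as `"certVerifySign"` and `"certVerifyCheck"`. The `cert` entry is keyed on `rustls_platform_verifier::verification::others::Verifier`, which looks platform-specific, so a comment like `# verifier path on this platform; other targets expose a different module` would save a later reader from a silently empty series. `FUNCTIONS` begins above the hunk and `extract_function` continues below it.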