diff --git a/README.md b/README.md index b19bbf6..5efbf40 100644 --- a/README.md +++ b/README.md @@ -400,7 +400,7 @@ CertVerify est l'extension dans le ServerHello qui signe la discussion passée a Il a fallu désactiver la réutilisation de session, qui en TLS1.3 passe par le PSK, pour pouvoir mesurer le CertVerify. -## Size overhead and usage survey +### Size overhead and usage survey ```bash openssl s_server -port 8000 -cert /dev/shm/exp/certs/prime256v1/wikipedia.org.crt -key /dev/shm/exp/certs/prime256v1/wikipedia.org.key @@ -414,7 +414,7 @@ python crawler.py crawl /dev/shm/top1K.csv python crawler.py stat /dev/shm/crawl.json ``` -## 0-RTT +### 0-RTT ```bash echo "hello world" > /dev/shm/ed @@ -424,3 +424,9 @@ echo | openssl s_client -no-interactive -keylogfile /dev/shm/client.txt -sess_ou # Second req, using 0-RTT for early data echo | openssl s_client -no-interactive -early_data /dev/shm/ed -keylogfile /dev/shm/client.txt -sess_in sessions 127.0.0.1:8000 ``` + +### Re-issuing certificates + +```bash +openssl x509 -in oldcert -CA cacertfile -CAkey capkeyfile -out newcert -days 365 +``` diff --git a/exp.py b/exp.py index 5b3d66a..d11f287 100644 --- a/exp.py +++ b/exp.py @@ -1,5 +1,5 @@ #!/usr/bin/python3 -import os, sys, subprocess, socket +import os, sys, subprocess, socket, signal CONFIGS = { "debug": { @@ -47,11 +47,11 @@ CONFIGS = { "server", ], "tls": [ - False, + #False, True, ], "records": [ - { "filename": "wikipedia", "repeat": 1 }, + { "filename": "wikipedia", "repeat": 10 }, ], "repo_dir": "/home/tuxmain/reps/tlsbench", "exp_dir": "/dev/shm/exp", @@ -60,7 +60,7 @@ CONFIGS = { "remote_addr": "127.0.0.1", "remote_repo_dir": "/home/tuxmain/reps/tlsbench", "wattmeter": False, - "perf": False, + "perf": True, "rapl": False, "perf_dir": "/home/tuxmain/.cache/exp", "listen_port": 8080, @@ -70,21 +70,21 @@ CONFIGS = { # i7-4790 -> pi3 "pi3": { "experiments": [ - #"impl-cipher-ver", + "impl-cipher-ver", "impl-cert-ver", - #"impl-kex-ver", - #"zrtt" + "impl-kex-ver", + "zrtt" ], "sides": [ "client", - #"server", + "server", ], "tls": [ - #False, + False, True, ], "records": [ - { "filename": "wikipedia", "repeat": 400 }, + { "filename": "wikipedia", "repeat": 1000 }, ], "repo_dir": "/home/tuxmain/reps/tlsbench", "exp_dir": "/dev/shm/exp", @@ -98,7 +98,7 @@ CONFIGS = { "perf": False, "rapl": False, "listen_port": 8080, - "idle": "idle - - - - - - - - 600.000081539154 0.0 896 4792 0.5399999999999991 0 -", + "idle": "idle - - - - - - - - - 600.000081539154 0.0 896 4792 0.5399999999999991 0 -", "notify_listen": ("0.0.0.0", 8090), "notify_addr": "192.168.3.1:8090", }, @@ -164,7 +164,7 @@ CONFIGS = { "perf": False, "rapl": False, "listen_port": 8080, - "idle": "idle - - - - - - - - 600.0001013278961 0.0 735 4942 1.7759999999999962 0 -", + "idle": "idle - - - - - - - - - 600.0001013278961 0.0 735 4942 1.7759999999999962 0 -", "notify_listen": ("0.0.0.0", 8090), "notify_addr": "192.168.3.1:8090", }, @@ -228,7 +228,7 @@ CONFIGS = { "perf": False, "rapl": True, "listen_port": 8080, - "idle": "idle - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -", + "idle": "idle - - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -", "notify_listen": ("0.0.0.0", 8090), "notify_addr": "192.168.3.1:8090", }, @@ -291,7 +291,7 @@ CONFIGS = { "perf": False, "rapl": False, "listen_port": 8080, - "idle": "idle - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",#TODO + "idle": "idle - - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",#TODO "notify_listen": ("0.0.0.0", 8090), "notify_addr": "TODO:8090", }, @@ -348,11 +348,11 @@ CERT_SIGN_ALGS = [ "rsa2048", "rsa3072", "rsa4096", # widely used ] IMPLS = [ - "aws-lc", # Amazon's Rust crypto widely used in Rust stuff - #"boring", # Google's fork of OpenSSL used in Chrome and Android + "aws-lc", # Amazon's crypto widely used in Rust stuff + "boring", # Google's fork of OpenSSL used in Chrome and Android #"graviola", # New crypto in Rust - #"openssl", # widely used - #"ring", # used in most Rust stuff + "openssl", # widely used + "ring", # used in most Rust stuff #"symcrypt", # Microsoft's crypto #"wolfcrypt" # used in embedded (won't build with rpxy for now) ] @@ -388,9 +388,9 @@ EXPERIMENTS = { "AES_128_GCM_SHA256", "AES_256_GCM_SHA384", "CHACHA20_POLY1305_SHA256", - "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + #"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", + #"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384", + #"ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", ], "kexes": ["X25519"], "cert": ["prime256v1"], @@ -401,7 +401,7 @@ EXPERIMENTS = { "impls": IMPLS, "ciphers": [ "AES_128_GCM_SHA256", - "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", + #"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", ], "kexes": ["X25519"], "cert": [ @@ -418,7 +418,7 @@ EXPERIMENTS = { "impls": IMPLS, "ciphers": [ "AES_128_GCM_SHA256", - "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", + #"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", ], "kexes": [ "X25519", @@ -436,8 +436,8 @@ EXPERIMENTS = { "impls": IMPLS, "ciphers": [ "AES_128_GCM_SHA256", - #"AES_256_GCM_SHA384", - #"CHACHA20_POLY1305_SHA256", + "AES_256_GCM_SHA384", + "CHACHA20_POLY1305_SHA256", ], "kexes": ["X25519"], "cert": ["prime256v1"], @@ -659,12 +659,14 @@ def ssh_run_bg(ssh, cmd, env={}, **kwargs): strvars += "export "+var+"="+env[var].replace(" ", "\\ ")+" && " return ssh.run(f"{strvars}dtach -n `mktemp -u /tmp/dtach.XXXX` {cmd}", **kwargs) -def get_cpu_stat(ssh): +def get_cpu_stat(ssh, process_names): res = ssh_run(ssh, "/sbin/sa --list-all-names", hide=True) + s = 0.0 for line in res.split("\n"): - if "rpxy" in line: - return float(re.finditer("\\s(\\d+\\.\\d+)cp\\s", line).__next__().group(1)) - return 0.0 + for process_name in process_names: + if process_name[:15] in line: + s += float(re.finditer("\\s(\\d+\\.\\d+)cp\\s", line).__next__().group(1)) + return s def get_net_stat(ssh): res = ssh_run(ssh, "cat /proc/net/netstat", hide=True) @@ -682,6 +684,14 @@ def get_rapl_energy(ssh, repo_dir): energy += int(item) return energy +class Timeout(Exception): + pass + +def timeout_handler(signum, frame): + raise Timeout + +signal.signal(signal.SIGALRM, timeout_handler) + def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): ssh = None if "remote_ssh" in config: @@ -715,7 +725,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): logfile_name = "log-"+timestr logfile_path = exp_dir+"/"+logfile_name logfile = open(logfile_path, "w") - logfile.write("exp impl alg kex cipher ed side tls record time cpu bytes_in bytes_out Wh Wh_rapl prof\n") + logfile.write("exp impl alg kex cipher ed side tls record n time cpu bytes_in bytes_out Wh Wh_rapl prof\n") logfile.close() perf_dir = "" @@ -725,7 +735,6 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): if idle: print("Measuring idle...") - rpxy_cpu = get_cpu_stat(ssh) remote_bytes_in, remote_bytes_out = get_net_stat(ssh) energy = 0 energy_rapl = 0 @@ -735,7 +744,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): energy_rapl = get_rapl_energy(ssh, remote_path) start = time.time() - time.sleep(600) + time.sleep(1200) end = time.time() new_energy = 0 @@ -745,8 +754,6 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): if config["rapl"]: new_energy_rapl = get_rapl_energy(ssh, remote_path) new_remote_bytes_in, new_remote_bytes_out = get_net_stat(ssh) - new_rpxy_cpu = get_cpu_stat(ssh) - rpxy_cpu_diff = new_rpxy_cpu - rpxy_cpu remote_bytes_in_diff = new_remote_bytes_in - remote_bytes_in remote_bytes_out_diff = new_remote_bytes_out - remote_bytes_out energy_diff = new_energy - energy @@ -755,7 +762,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): while True: try: with open(logfile_path, "a") as logfile: - logfile.write(f"idle - - - - - - - - {time_diff} {rpxy_cpu_diff} {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} -\n") + logfile.write(f"idle - - - - - - - - - {time_diff} 0 {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} -\n") logfile.close() break except Exception as e: @@ -871,11 +878,11 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): prof_filename = "-" if config["perf"]: prof_filename = f"{perf_dir}/perf-{timestr}-{run_id}.data" - process_pid = ssh_run(ssh, "pidof netreplay"+("" if side == "server" else ("-"+impl))).removesuffix("\n") - ssh_run_bg(ssh, f"perf record -F 997 --call-graph dwarf,64000 -g -o {prof_filename} -p {rpxy_pid}") + process_pid = ssh_run(ssh, "pidof netreplay-"+impl).removesuffix("\n") + ssh_run_bg(ssh, f"perf record -F 997 --call-graph dwarf,64000 -g -o {prof_filename} -p {process_pid}") # Measure - cpu = get_cpu_stat(ssh) + cpu = get_cpu_stat(ssh, ["netreplay-"+impl, "tokio-runtime-w"]) remote_bytes_in, remote_bytes_out = get_net_stat(ssh) energy = 0 energy_rapl = 0 @@ -886,7 +893,11 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): start = time.time() # Wait for the client to terminate - notify_socket.recv(4) + signal.alarm(600) + try: + notify_socket.recv(4) + except Timeout: + print("TIMEOUT: stop") # Measure end = time.time() @@ -897,7 +908,6 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): if config["rapl"]: new_energy_rapl = get_rapl_energy(ssh, remote_path) new_remote_bytes_in, new_remote_bytes_out = get_net_stat(ssh) - new_cpu = get_cpu_stat(ssh) # Kill server if side == "client": @@ -910,6 +920,9 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): ssh_run(ssh, "killall netreplay-"+impl) except invoke.exceptions.UnexpectedExit as e: pass + + # Measure CPU after (as it may update only after the process is killed) + new_cpu = get_cpu_stat(ssh, ["netreplay-"+impl, "tokio-runtime-w"]) record_filename = record["filename"] cpu_diff = new_cpu - cpu @@ -918,10 +931,11 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): energy_diff = new_energy - energy energy_rapl_diff = new_energy_rapl - energy_rapl time_diff = end - start + repeats = record["repeat"] while True: try: with open(logfile_path, "a") as logfile: - logfile.write(f"{expname} {impl} {alg} {kex} {cipher} {earlydata} {side} {tls_int} {record_filename} {time_diff} {cpu_diff} {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} {prof_filename}\n") + logfile.write(f"{expname} {impl} {alg} {kex} {cipher} {earlydata} {side} {tls_int} {record_filename} {repeats} {time_diff} {cpu_diff} {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} {prof_filename}\n") logfile.close() break except Exception as e: diff --git a/makecerts.py b/makecerts.py index 4c48743..3df04da 100644 --- a/makecerts.py +++ b/makecerts.py @@ -1,13 +1,190 @@ # Get certificates from domains and make a similar chain. +import os import OpenSSL import ssl +#import asn1 +CERTS_DIR = "/dev/shm/exp/certs/" +ALGS = ["prime256v1", "secp384r1", "rsa2048", "rsa3072", "rsa4096"] +DOMAINS = [ + #"txmn.tk", + "wikipedia.org", + #"youtube.com" +] + +def sh(cmds): + if type(cmds) == list: + for cmd in cmds: + print(cmd) + os.system(cmd) + elif type(cmds) == str: + print(cmds) + os.system(cmds) + else: + raise TypeError + +def make_sk(outpath, alg): + sh({ + "ed25519": [ + f"openssl genpkey -out {outpath}.sec1 -algorithm ed25519", + f"openssl pkcs8 -topk8 -nocrypt -in {outpath}.sec1 -out {outpath} -outform PEM" + ], + "prime256v1": [ + f"openssl ecparam -genkey -name prime256v1 -noout -out {outpath}.sec1", + f"openssl pkcs8 -topk8 -nocrypt -in {outpath}.sec1 -out {outpath} -outform PEM" + ], + "rsa2048": [ + f"openssl genrsa -out {outpath} 2048" + ], + "rsa3072": [ + f"openssl genrsa -out {outpath} 3072" + ], + "rsa4096": [ + f"openssl genrsa -out {outpath} 4096" + ], + "secp384r1": [ + f"openssl ecparam -genkey -name secp384r1 -noout -out {outpath}.sec1", + f"openssl pkcs8 -topk8 -nocrypt -in {outpath}.sec1 -out {outpath} -outform PEM" + ], + }[alg]) + +# Connect to a server and return its certificate def get_server_cert(domain, port=443): cert_pem = ssl.get_server_certificate((domain, port)) cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_pem) for i in range(cert.get_extension_count()): ext = cert.get_extension(i) ext_name = ext.get_short_name() - if ext_name == "": + #if ext_name == "": return cert + +# Replace CA and key of a certificate while keeping everything else the same +def replace_keys(cert, key, cas): + # Choose CA with the same signature algorithm + ca_cert, ca_key = cas[(key.type(), key.bits())] + + # Get Key id + ca_key_id = None + for i in range(ca_cert.get_extension_count()): + ext = cert.get_extension(i) + ext_name = ext.get_short_name() + if ext_name == b"subjectKeyIdentifier": + ca_key_id = ext.__str__() + + # Create new certificate + cert2 = OpenSSL.crypto.X509() + + # Set fields + cert2.set_version(cert.get_version()) + cert2.set_issuer(ca_cert.get_subject()) + cert2.set_serial_number(cert.get_serial_number()) + cert2.set_notAfter(cert.get_notAfter()) + cert2.set_notBefore(cert.get_notBefore()) + cert2.set_subject(cert.get_subject()) + cert2.set_pubkey(key) + + # Set extensions + exts = [] + for i in range(cert.get_extension_count()): + # They had the good idea to have different input and output formats. + # Output is ASN.1 but input is text. + # Text output from __str__ is NOT the same encoding as the expected text input. + # Because why not. + # Input format doc is here: https://docs.openssl.org/3.0/man5/x509v3_config + ext = cert.get_extension(i) + ext_name = ext.get_short_name() + ext_data = ext.get_data() + ext_str = ext.__str__() + #dec = asn1.Decoder() + #dec.start(ext_data) + #tag, val = dec.read() + #print(ext_name, ":", ext_data, "::", ext_str) + if ext_name == b"authorityKeyIdentifier": + ext_data = b"keyid:always" + #elif ext_name == b"keyUsage": + # ext_data = b"digitalSignature" + #elif ext_name == b"extendedKeyUsage": + # ext_data = b"" + # for j in ext_str.split(", "): + # if len(ext_data) > 0: + # ext_data += b"," + # ext_data += { + # "TLS Web Server Authentication": b"serverAuth", + # "TLS Web Client Authentication": b"clientAuth", + # }[j] + #elif ext_name == b"basicConstraints": + # ext_data = ext_str.encode() + #elif ext_name == b"subjectKeyIdentifier": + # ext_data = ext_str.encode() + #elif ext_name == b"authorityInfoAccess": + # ext_data = ext_str.replace(" - ", ";").replace("CA Issuers", "caIssuers").encode() + #elif ext_name == b"subjectAltName": + # ext_data = ext_str.encode() + #elif ext_name == b"certificatePolicies": + # #ext_data = ext_str.replace("Policy: ", "").encode() + # continue # weird error + #elif ext_name == b"crlDistributionPoints": + # print(ext_str.encode()) + # ext_data = ext_str.replace("Full Name:\n ", "").replace("\n", "").encode() + else: + ext_data = b"DER:"+ext_data.hex().encode() + exts.append(OpenSSL.crypto.X509Extension(ext_name, ext.get_critical()==1, ext_data, issuer=ca_cert)) + cert2.add_extensions(exts) + + # Sign + digest = None + sig_alg = cert.get_signature_algorithm() + if b"SHA384" in sig_alg: + digest = "sha384" + elif b"SHA256" in sig_alg: + digest = "sha256" + elif b"SHA512" in sig_alg: + digest = "sha512" + if digest == None: + print("Unknown signature algorithm:", sig_alg) + raise Exception + cert2.sign(ca_key, digest) + + return cert2 + +# Save certificate to a PEM file +def save_cert(cert, out_path): + f = open(out_path, "wb") + f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)) + f.close() + +# Fetch CA certs and keys and map them by algorithm +def fetch_cas(): + cas = {} + for alg in ALGS: + f = open(f"{CERTS_DIR}{alg}/ca.crt", "rb") + ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read()) + f.close() + f = open(f"{CERTS_DIR}{alg}/ca.key", "rb") + ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read()) + f.close() + cas[(ca_key.type(), ca_key.bits())] = (ca_cert, ca_key) + return cas + +if __name__ == "__main__": + os.makedirs(f"{CERTS_DIR}realistic", exist_ok=True) + cas = fetch_cas() + for domain in DOMAINS: + cert = get_server_cert(domain) + pk = cert.get_pubkey() + pk_alg = (pk.type(), pk.bits()) + alg = { + (OpenSSL.crypto.TYPE_EC, 256): "prime256v1", + (OpenSSL.crypto.TYPE_EC, 384): "secp384r1", + (OpenSSL.crypto.TYPE_RSA, 2048): "rsa2048", + (OpenSSL.crypto.TYPE_RSA, 3072): "rsa3072", + (OpenSSL.crypto.TYPE_RSA, 4096): "rsa4096", + }[pk_alg] + key2_path = f"{CERTS_DIR}realistic/{domain}.key" + make_sk(key2_path, alg) + f = open(key2_path, "rb") + key2 = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read()) + f.close() + cert2 = replace_keys(cert, key2, cas) + save_cert(cert2, f"{CERTS_DIR}realistic/{domain}.crt") diff --git a/plots.py b/plots.py index 4c6de16..3a29f91 100644 --- a/plots.py +++ b/plots.py @@ -54,7 +54,7 @@ COL = { # Physical units by object UNIT = { "cpu": "s", - "energy": "W", + "energy": "J", "profile": "samples", } # Titles for criteria @@ -115,6 +115,7 @@ def gnuplot_stacked_histogram(**kwargs): kwargs["machine"] = ", " + kwargs["machine"] else: kwargs["machine"] = "" + titleline = "" if kwargs["maketitle"]: titleline = 'set title font "CMU Sans Serif,12" "{object_title} by {criterion_title} ({record}, {side}{machine}) ({unit})"'.format(**kwargs) cluster = "" @@ -155,14 +156,19 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version impls = [] plain_line = None idle_val = None + conv_factor = 1.0 + if obj == "energy": + # Convert Wh to Ws + conv_factor = 3600.0 for log in logs: if log["exp"] == "idle": - idle_val = float(log[COL[obj]]) / float(log["time"]) + idle_val = float(log[COL[obj]]) / float(log["time"]) * conv_factor if log["exp"] != exp or log["record"] != record: continue if log["side"] == side and log["tls"] == "0": - plain_line = "plain {}".format(float(log[COL[obj]]) - idle_val * float(log["time"])) + n = float(log.get("n", "1000")) + plain_line = "plain {}".format((float(log[COL[obj]]) * conv_factor - idle_val * float(log["time"])) / n) if plain_line == None: return @@ -177,7 +183,8 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version continue if log[COL[criterion]] not in ciphers: ciphers[log[COL[criterion]]] = {} - ciphers[log[COL[criterion]]][log["impl"]] = float(log[COL[obj]]) - idle_val * float(log["time"]) + n = float(log.get("n", "1000")) + ciphers[log[COL[criterion]]][log["impl"]] = (float(log[COL[obj]]) * conv_factor - idle_val * float(log["time"])) / n if log["impl"] not in impls: impls.append(log["impl"]) impls.sort() @@ -217,13 +224,15 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version maketitle=maketitle ) -def make_profile_plot(logs, exp, criterion, side, record, no_flamegraph=False, machine=None, maketitle=False): +def make_profile_plot(logs, exp, criterion, side, record, no_flamegraph=False, machine=None, version=None, maketitle=False): f = open(f"/dev/shm/plots/profile_by_{criterion}_{side}_{record}.dat", "w") runs = [] functions = [] for log in logs: - if log["exp"] == exp and log["record"] == record and log["setup"] == side: + if version != None and VER_LABEL[log["cipher"]] != version: + continue + if log["exp"] == exp and log["record"] == record and log["side"] == side and log["tls"] == "1": svg_filename = log["prof"] + ".svg" if not no_flamegraph: os.system("flamegraph --perfdata {} -o {}".format(log["prof"], svg_filename)) @@ -407,11 +416,11 @@ if __name__ == "__main__": make_log_plot(logs, "zrtt", "ed", side, "energy", record, machine=machine, maketitle=maketitle, version="1.3") #cmp_versions(logs, ["impl-cipher-ver", "impl-cert-ver", "impl-kex-ver"], ["side", "cipher", "cert", "kex", "record"], ["cpu", "energy"]) elif cmd == "prof": - for side in ["client-local", "server-local"]: + for side in ["client", "server"]: for record in records: - make_profile_plot(logs, "impl-cipher-ver", "cipher", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle) - make_profile_plot(logs, "impl-cert-ver", "cert", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle) - make_profile_plot(logs, "impl-kex-ver", "kex", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle) + make_profile_plot(logs, "impl-cipher-ver", "cipher", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle, version="1.3") + make_profile_plot(logs, "impl-cert-ver", "cert", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle, version="1.3") + make_profile_plot(logs, "impl-kex-ver", "kex", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle, version="1.3") elif cmd == "correl": from scipy import stats import matplotlib.pyplot as plt diff --git a/profile.py b/profile.py index 1b591fd..e5cf911 100644 --- a/profile.py +++ b/profile.py @@ -24,7 +24,7 @@ FUNCTIONS = { "<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::HkdfExpander>::hash_len": "hkdf", "<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::HkdfExpander>::expand_slice": "hkdf", "<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::Hkdf>::extract_from_secret": "hkdf", - "<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::Hkdf>::hmac_sign": "hkdf", + #"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::Hkdf>::hmac_sign": "hkdf", "ring::hkdf::fill_okm": "hkdf", #"ring::hkdf::Salt::extract": "hkdf", @@ -37,9 +37,13 @@ FUNCTIONS = { # Emit TLS CertVerify (sign headers using certificate's secret key) "rustls::server::tls13::client_hello::emit_certificate_verify_tls13": "certVerify", + #"<[a-zA-Z0-9_:<>]+ as rustls::crypto::signer::Signer>::sign": "cert", # Verify TLS CertVerify - "rustls::webpki::verify::verify_tls13_signature": "certVerify", + #"rustls::webpki::verify::verify_tls13_signature": "certVerify", + "rustls::tls13::key_schedule::KeyScheduleSuite::sign_verify_data": "certVerify", + "::verify_tls13_signature": "certVerify", + "::verify_tls12_signature": "certVerify", # Verify certificate "::verify_server_cert": "cert"