Reproduce certs, fixes

2026-02-13 15:58:21 +01:00 · 2026-02-13 15:58:21 +01:00 · aa3bb124fc
commit aa3bb124fc
parent 5d4d3e8672
5 changed files with 266 additions and 56 deletions
--- a/README.md
+++ b/README.md
@ -400,7 +400,7 @@ CertVerify est l'extension dans le ServerHello qui signe la discussion passée a

 Il a fallu désactiver la réutilisation de session, qui en TLS1.3 passe par le PSK, pour pouvoir mesurer le CertVerify.

-## Size overhead and usage survey
+### Size overhead and usage survey

 ```bash
 openssl s_server -port 8000 -cert /dev/shm/exp/certs/prime256v1/wikipedia.org.crt -key /dev/shm/exp/certs/prime256v1/wikipedia.org.key
@ -414,7 +414,7 @@ python crawler.py crawl /dev/shm/top1K.csv
 python crawler.py stat /dev/shm/crawl.json
 ```

-## 0-RTT
+### 0-RTT

 ```bash
 echo "hello world" > /dev/shm/ed
@ -424,3 +424,9 @@ echo | openssl s_client -no-interactive -keylogfile /dev/shm/client.txt -sess_ou
 # Second req, using 0-RTT for early data
 echo | openssl s_client -no-interactive -early_data /dev/shm/ed -keylogfile /dev/shm/client.txt -sess_in sessions 127.0.0.1:8000
 ```
+
+### Re-issuing certificates
+
+```bash
+openssl x509 -in oldcert -CA cacertfile -CAkey capkeyfile -out newcert -days 365
+```
--- a/exp.py
+++ b/exp.py
@ -1,5 +1,5 @@
 #!/usr/bin/python3
-import os, sys, subprocess, socket
+import os, sys, subprocess, socket, signal

 CONFIGS = {
 	"debug": {
@ -47,11 +47,11 @@ CONFIGS = {
 			"server",
 		],
 		"tls": [
-			False,
+			#False,
 			True,
 		],
 		"records": [
-			{ "filename": "wikipedia", "repeat": 1 },
+			{ "filename": "wikipedia", "repeat": 10 },
 		],
 		"repo_dir": "/home/tuxmain/reps/tlsbench",
 		"exp_dir": "/dev/shm/exp",
@ -60,7 +60,7 @@ CONFIGS = {
 		"remote_addr": "127.0.0.1",
 		"remote_repo_dir": "/home/tuxmain/reps/tlsbench",
 		"wattmeter": False,
-		"perf": False,
+		"perf": True,
 		"rapl": False,
 		"perf_dir": "/home/tuxmain/.cache/exp",
 		"listen_port": 8080,
@ -70,21 +70,21 @@ CONFIGS = {
 	# i7-4790 -> pi3
 	"pi3": {
 		"experiments": [
-			#"impl-cipher-ver",
+			"impl-cipher-ver",
 			"impl-cert-ver",
-			#"impl-kex-ver",
-			#"zrtt"
+			"impl-kex-ver",
+			"zrtt"
 		],
 		"sides": [
 			"client",
-			#"server",
+			"server",
 		],
 		"tls": [
-			#False,
+			False,
 			True,
 		],
 		"records": [
-			{ "filename": "wikipedia", "repeat": 400 },
+			{ "filename": "wikipedia", "repeat": 1000 },
 		],
 		"repo_dir": "/home/tuxmain/reps/tlsbench",
 		"exp_dir": "/dev/shm/exp",
@ -98,7 +98,7 @@ CONFIGS = {
 		"perf": False,
 		"rapl": False,
 		"listen_port": 8080,
-		"idle": "idle - - - - - - - - 600.000081539154 0.0 896 4792 0.5399999999999991 0 -",
+		"idle": "idle - - - - - - - - - 600.000081539154 0.0 896 4792 0.5399999999999991 0 -",
 		"notify_listen": ("0.0.0.0", 8090),
 		"notify_addr": "192.168.3.1:8090",
 	},
@ -164,7 +164,7 @@ CONFIGS = {
 		"perf": False,
 		"rapl": False,
 		"listen_port": 8080,
-		"idle": "idle - - - - - - - - 600.0001013278961 0.0 735 4942 1.7759999999999962 0 -",
+		"idle": "idle - - - - - - - - - 600.0001013278961 0.0 735 4942 1.7759999999999962 0 -",
 		"notify_listen": ("0.0.0.0", 8090),
 		"notify_addr": "192.168.3.1:8090",
 	},
@ -228,7 +228,7 @@ CONFIGS = {
 		"perf": False,
 		"rapl": True,
 		"listen_port": 8080,
-		"idle": "idle - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",
+		"idle": "idle - - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",
 		"notify_listen": ("0.0.0.0", 8090),
 		"notify_addr": "192.168.3.1:8090",
 	},
@ -291,7 +291,7 @@ CONFIGS = {
 		"perf": False,
 		"rapl": False,
 		"listen_port": 8080,
-		"idle": "idle - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",#TODO
+		"idle": "idle - - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",#TODO
 		"notify_listen": ("0.0.0.0", 8090),
 		"notify_addr": "TODO:8090",
 	},
@ -348,11 +348,11 @@ CERT_SIGN_ALGS = [
 	"rsa2048", "rsa3072", "rsa4096", # widely used
 ]
 IMPLS = [
-	"aws-lc", # Amazon's Rust crypto widely used in Rust stuff
-	#"boring", # Google's fork of OpenSSL used in Chrome and Android
+	"aws-lc", # Amazon's crypto widely used in Rust stuff
+	"boring", # Google's fork of OpenSSL used in Chrome and Android
 	#"graviola", # New crypto in Rust
-	#"openssl", # widely used
-	#"ring", # used in most Rust stuff
+	"openssl", # widely used
+	"ring", # used in most Rust stuff
 	#"symcrypt", # Microsoft's crypto
 	#"wolfcrypt" # used in embedded (won't build with rpxy for now)
 ]
@ -388,9 +388,9 @@ EXPERIMENTS = {
 			"AES_128_GCM_SHA256",
 			"AES_256_GCM_SHA384",
 			"CHACHA20_POLY1305_SHA256",
-			"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-			"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-			"ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+			#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+			#"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+			#"ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 		],
 		"kexes": ["X25519"],
 		"cert": ["prime256v1"],
@ -401,7 +401,7 @@ EXPERIMENTS = {
 		"impls": IMPLS,
 		"ciphers": [
 			"AES_128_GCM_SHA256",
-			"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+			#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 		],
 		"kexes": ["X25519"],
 		"cert": [
@ -418,7 +418,7 @@ EXPERIMENTS = {
 		"impls": IMPLS,
 		"ciphers": [
 			"AES_128_GCM_SHA256",
-			"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+			#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 		],
 		"kexes": [
 			"X25519",
@ -436,8 +436,8 @@ EXPERIMENTS = {
 		"impls": IMPLS,
 		"ciphers": [
 			"AES_128_GCM_SHA256",
-			#"AES_256_GCM_SHA384",
-			#"CHACHA20_POLY1305_SHA256",
+			"AES_256_GCM_SHA384",
+			"CHACHA20_POLY1305_SHA256",
 		],
 		"kexes": ["X25519"],
 		"cert": ["prime256v1"],
@ -659,12 +659,14 @@ def ssh_run_bg(ssh, cmd, env={}, **kwargs):
 			strvars += "export "+var+"="+env[var].replace(" ", "\\ ")+" && "
 		return ssh.run(f"{strvars}dtach -n `mktemp -u /tmp/dtach.XXXX` {cmd}", **kwargs)

-def get_cpu_stat(ssh):
+def get_cpu_stat(ssh, process_names):
 	res = ssh_run(ssh, "/sbin/sa --list-all-names", hide=True)
+	s = 0.0
 	for line in res.split("\n"):
-		if "rpxy" in line:
-			return float(re.finditer("\\s(\\d+\\.\\d+)cp\\s", line).__next__().group(1))
-	return 0.0
+		for process_name in process_names:
+			if process_name[:15] in line:
+				s += float(re.finditer("\\s(\\d+\\.\\d+)cp\\s", line).__next__().group(1))
+	return s

 def get_net_stat(ssh):
 	res = ssh_run(ssh, "cat /proc/net/netstat", hide=True)
@ -682,6 +684,14 @@ def get_rapl_energy(ssh, repo_dir):
 			energy += int(item)
 	return energy

+class Timeout(Exception):
+	pass
+
+def timeout_handler(signum, frame):
+	raise Timeout
+
+signal.signal(signal.SIGALRM, timeout_handler)
+
 def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 	ssh = None
 	if "remote_ssh" in config:
@ -715,7 +725,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 	logfile_name = "log-"+timestr
 	logfile_path = exp_dir+"/"+logfile_name
 	logfile = open(logfile_path, "w")
-	logfile.write("exp impl alg kex cipher ed side tls record time cpu bytes_in bytes_out Wh Wh_rapl prof\n")
+	logfile.write("exp impl alg kex cipher ed side tls record n time cpu bytes_in bytes_out Wh Wh_rapl prof\n")
 	logfile.close()

 	perf_dir = ""
@ -725,7 +735,6 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):

 	if idle:
 		print("Measuring idle...")
-		rpxy_cpu = get_cpu_stat(ssh)
 		remote_bytes_in, remote_bytes_out = get_net_stat(ssh)
 		energy = 0
 		energy_rapl = 0
@ -735,7 +744,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 			energy_rapl = get_rapl_energy(ssh, remote_path)
 		start = time.time()

-		time.sleep(600)
+		time.sleep(1200)

 		end = time.time()
 		new_energy = 0
@ -745,8 +754,6 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 		if config["rapl"]:
 			new_energy_rapl = get_rapl_energy(ssh, remote_path)
 		new_remote_bytes_in, new_remote_bytes_out = get_net_stat(ssh)
-		new_rpxy_cpu = get_cpu_stat(ssh)
-		rpxy_cpu_diff = new_rpxy_cpu - rpxy_cpu
 		remote_bytes_in_diff = new_remote_bytes_in - remote_bytes_in
 		remote_bytes_out_diff = new_remote_bytes_out - remote_bytes_out
 		energy_diff = new_energy - energy
@ -755,7 +762,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 		while True:
 			try:
 				with open(logfile_path, "a") as logfile:
-					logfile.write(f"idle - - - - - - - - {time_diff} {rpxy_cpu_diff} {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} -\n")
+					logfile.write(f"idle - - - - - - - - - {time_diff} 0 {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} -\n")
 					logfile.close()
 					break
 			except Exception as e:
@ -871,11 +878,11 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 										prof_filename = "-"
 										if config["perf"]:
 											prof_filename = f"{perf_dir}/perf-{timestr}-{run_id}.data"
-											process_pid = ssh_run(ssh, "pidof netreplay"+("" if side == "server" else ("-"+impl))).removesuffix("\n")
-											ssh_run_bg(ssh, f"perf record -F 997 --call-graph dwarf,64000 -g -o {prof_filename} -p {rpxy_pid}")
+											process_pid = ssh_run(ssh, "pidof netreplay-"+impl).removesuffix("\n")
+											ssh_run_bg(ssh, f"perf record -F 997 --call-graph dwarf,64000 -g -o {prof_filename} -p {process_pid}")
 										
 										# Measure
-										cpu = get_cpu_stat(ssh)
+										cpu = get_cpu_stat(ssh, ["netreplay-"+impl, "tokio-runtime-w"])
 										remote_bytes_in, remote_bytes_out = get_net_stat(ssh)
 										energy = 0
 										energy_rapl = 0
@ -886,7 +893,11 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 										start = time.time()
 										
 										# Wait for the client to terminate
-										notify_socket.recv(4)
+										signal.alarm(600)
+										try:
+											notify_socket.recv(4)
+										except Timeout:
+											print("TIMEOUT: stop")

 										# Measure
 										end = time.time()
@ -897,7 +908,6 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 										if config["rapl"]:
 											new_energy_rapl = get_rapl_energy(ssh, remote_path)
 										new_remote_bytes_in, new_remote_bytes_out = get_net_stat(ssh)
-										new_cpu = get_cpu_stat(ssh)

 										# Kill server
 										if side == "client":
@ -911,6 +921,9 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 											except invoke.exceptions.UnexpectedExit as e:
 												pass
 										
+										# Measure CPU after (as it may update only after the process is killed)
+										new_cpu = get_cpu_stat(ssh, ["netreplay-"+impl, "tokio-runtime-w"])
+
 										record_filename = record["filename"]
 										cpu_diff = new_cpu - cpu
 										remote_bytes_in_diff = new_remote_bytes_in - remote_bytes_in
@ -918,10 +931,11 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
 										energy_diff = new_energy - energy
 										energy_rapl_diff = new_energy_rapl - energy_rapl
 										time_diff = end - start
+										repeats = record["repeat"]
 										while True:
 											try:
 												with open(logfile_path, "a") as logfile:
-													logfile.write(f"{expname} {impl} {alg} {kex} {cipher} {earlydata} {side} {tls_int} {record_filename} {time_diff} {cpu_diff} {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} {prof_filename}\n")
+													logfile.write(f"{expname} {impl} {alg} {kex} {cipher} {earlydata} {side} {tls_int} {record_filename} {repeats} {time_diff} {cpu_diff} {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} {prof_filename}\n")
 													logfile.close()
 													break
 											except Exception as e:
--- a/makecerts.py
+++ b/makecerts.py
@ -1,13 +1,190 @@
 # Get certificates from domains and make a similar chain.

+import os
 import OpenSSL
 import ssl
+#import asn1

+CERTS_DIR = "/dev/shm/exp/certs/"
+ALGS = ["prime256v1", "secp384r1", "rsa2048", "rsa3072", "rsa4096"]
+DOMAINS = [
+	#"txmn.tk",
+	"wikipedia.org",
+	#"youtube.com"
+]
+
+def sh(cmds):
+	if type(cmds) == list:
+		for cmd in cmds:
+			print(cmd)
+			os.system(cmd)
+	elif type(cmds) == str:
+		print(cmds)
+		os.system(cmds)
+	else:
+		raise TypeError
+
+def make_sk(outpath, alg):
+	sh({
+		"ed25519": [
+			f"openssl genpkey -out {outpath}.sec1 -algorithm ed25519",
+			f"openssl pkcs8 -topk8 -nocrypt -in {outpath}.sec1 -out {outpath} -outform PEM"
+		],
+		"prime256v1": [
+			f"openssl ecparam -genkey -name prime256v1 -noout -out {outpath}.sec1",
+			f"openssl pkcs8 -topk8 -nocrypt -in {outpath}.sec1 -out {outpath} -outform PEM"
+		],
+		"rsa2048": [
+			f"openssl genrsa -out {outpath} 2048"
+		],
+		"rsa3072": [
+			f"openssl genrsa -out {outpath} 3072"
+		],
+		"rsa4096": [
+			f"openssl genrsa -out {outpath} 4096"
+		],
+		"secp384r1": [
+			f"openssl ecparam -genkey -name secp384r1 -noout -out {outpath}.sec1",
+			f"openssl pkcs8 -topk8 -nocrypt -in {outpath}.sec1 -out {outpath} -outform PEM"
+		],
+	}[alg])
+
+# Connect to a server and return its certificate
 def get_server_cert(domain, port=443):
 	cert_pem = ssl.get_server_certificate((domain, port))
 	cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_pem)
 	for i in range(cert.get_extension_count()):
 		ext = cert.get_extension(i)
 		ext_name = ext.get_short_name()
-		if ext_name == "":
+		#if ext_name == "":
 	return cert
+
+# Replace CA and key of a certificate while keeping everything else the same
+def replace_keys(cert, key, cas):
+	# Choose CA with the same signature algorithm
+	ca_cert, ca_key = cas[(key.type(), key.bits())]
+
+	# Get Key id
+	ca_key_id = None
+	for i in range(ca_cert.get_extension_count()):
+		ext = cert.get_extension(i)
+		ext_name = ext.get_short_name()
+		if ext_name == b"subjectKeyIdentifier":
+			ca_key_id = ext.__str__()
+
+	# Create new certificate
+	cert2 = OpenSSL.crypto.X509()
+
+	# Set fields
+	cert2.set_version(cert.get_version())
+	cert2.set_issuer(ca_cert.get_subject())
+	cert2.set_serial_number(cert.get_serial_number())
+	cert2.set_notAfter(cert.get_notAfter())
+	cert2.set_notBefore(cert.get_notBefore())
+	cert2.set_subject(cert.get_subject())
+	cert2.set_pubkey(key)
+
+	# Set extensions
+	exts = []
+	for i in range(cert.get_extension_count()):
+		# They had the good idea to have different input and output formats.
+		# Output is ASN.1 but input is text.
+		# Text output from __str__ is NOT the same encoding as the expected text input.
+		# Because why not.
+		# Input format doc is here: https://docs.openssl.org/3.0/man5/x509v3_config
+		ext = cert.get_extension(i)
+		ext_name = ext.get_short_name()
+		ext_data = ext.get_data()
+		ext_str = ext.__str__()
+		#dec = asn1.Decoder()
+		#dec.start(ext_data)
+		#tag, val = dec.read()
+		#print(ext_name, ":", ext_data, "::", ext_str)
+		if ext_name == b"authorityKeyIdentifier":
+			ext_data = b"keyid:always"
+		#elif ext_name == b"keyUsage":
+		#	ext_data = b"digitalSignature"
+		#elif ext_name == b"extendedKeyUsage":
+		#	ext_data = b""
+		#	for j in ext_str.split(", "):
+		#		if len(ext_data) > 0:
+		#			ext_data += b","
+		#		ext_data += {
+		#			"TLS Web Server Authentication": b"serverAuth",
+		#			"TLS Web Client Authentication": b"clientAuth",
+		#		}[j]
+		#elif ext_name == b"basicConstraints":
+		#	ext_data = ext_str.encode()
+		#elif ext_name == b"subjectKeyIdentifier":
+		#	ext_data = ext_str.encode()
+		#elif ext_name == b"authorityInfoAccess":
+		#	ext_data = ext_str.replace(" - ", ";").replace("CA Issuers", "caIssuers").encode()
+		#elif ext_name == b"subjectAltName":
+		#	ext_data = ext_str.encode()
+		#elif ext_name == b"certificatePolicies":
+		#	#ext_data = ext_str.replace("Policy: ", "").encode()
+		#	continue # weird error
+		#elif ext_name == b"crlDistributionPoints":
+		#	print(ext_str.encode())
+		#	ext_data = ext_str.replace("Full Name:\n  ", "").replace("\n", "").encode()
+		else:
+			ext_data = b"DER:"+ext_data.hex().encode()
+		exts.append(OpenSSL.crypto.X509Extension(ext_name, ext.get_critical()==1, ext_data, issuer=ca_cert))
+	cert2.add_extensions(exts)
+
+	# Sign
+	digest = None
+	sig_alg = cert.get_signature_algorithm()
+	if b"SHA384" in sig_alg:
+		digest = "sha384"
+	elif b"SHA256" in sig_alg:
+		digest = "sha256"
+	elif b"SHA512" in sig_alg:
+		digest = "sha512"
+	if digest == None:
+		print("Unknown signature algorithm:", sig_alg)
+		raise Exception
+	cert2.sign(ca_key, digest)
+
+	return cert2
+
+# Save certificate to a PEM file
+def save_cert(cert, out_path):
+	f = open(out_path, "wb")
+	f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))
+	f.close()
+
+# Fetch CA certs and keys and map them by algorithm
+def fetch_cas():
+	cas = {}
+	for alg in ALGS:
+		f = open(f"{CERTS_DIR}{alg}/ca.crt", "rb")
+		ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read())
+		f.close()
+		f = open(f"{CERTS_DIR}{alg}/ca.key", "rb")
+		ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read())
+		f.close()
+		cas[(ca_key.type(), ca_key.bits())] = (ca_cert, ca_key)
+	return cas
+
+if __name__ == "__main__":
+	os.makedirs(f"{CERTS_DIR}realistic", exist_ok=True)
+	cas = fetch_cas()
+	for domain in DOMAINS:
+		cert = get_server_cert(domain)
+		pk = cert.get_pubkey()
+		pk_alg = (pk.type(), pk.bits())
+		alg = {
+			(OpenSSL.crypto.TYPE_EC, 256): "prime256v1",
+			(OpenSSL.crypto.TYPE_EC, 384): "secp384r1",
+			(OpenSSL.crypto.TYPE_RSA, 2048): "rsa2048",
+			(OpenSSL.crypto.TYPE_RSA, 3072): "rsa3072",
+			(OpenSSL.crypto.TYPE_RSA, 4096): "rsa4096",
+		}[pk_alg]
+		key2_path = f"{CERTS_DIR}realistic/{domain}.key"
+		make_sk(key2_path, alg)
+		f = open(key2_path, "rb")
+		key2 = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read())
+		f.close()
+		cert2 = replace_keys(cert, key2, cas)
+		save_cert(cert2, f"{CERTS_DIR}realistic/{domain}.crt")
--- a/plots.py
+++ b/plots.py
@ -54,7 +54,7 @@ COL = {
 # Physical units by object
 UNIT = {
 	"cpu": "s",
-	"energy": "W",
+	"energy": "J",
 	"profile": "samples",
 }
 # Titles for criteria
@ -115,6 +115,7 @@ def gnuplot_stacked_histogram(**kwargs):
 		kwargs["machine"] = ", " + kwargs["machine"]
 	else:
 		kwargs["machine"] = ""
+	titleline = ""
 	if kwargs["maketitle"]:
 		titleline = 'set title font "CMU Sans Serif,12" "{object_title} by {criterion_title} ({record}, {side}{machine}) ({unit})"'.format(**kwargs)
 	cluster = ""
@ -155,14 +156,19 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version
 	impls = []
 	plain_line = None
 	idle_val = None
+	conv_factor = 1.0
+	if obj == "energy":
+		# Convert Wh to Ws
+		conv_factor = 3600.0
 	
 	for log in logs:
 		if log["exp"] == "idle":
-			idle_val = float(log[COL[obj]]) / float(log["time"])
+			idle_val = float(log[COL[obj]]) / float(log["time"]) * conv_factor
 		if log["exp"] != exp or log["record"] != record:
 			continue
 		if log["side"] == side and log["tls"] == "0":
-			plain_line = "plain {}".format(float(log[COL[obj]]) - idle_val * float(log["time"]))
+			n = float(log.get("n", "1000"))
+			plain_line = "plain {}".format((float(log[COL[obj]]) * conv_factor - idle_val * float(log["time"])) / n)
 	
 	if plain_line == None:
 		return
@ -177,7 +183,8 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version
 				continue
 			if log[COL[criterion]] not in ciphers:
 				ciphers[log[COL[criterion]]] = {}
-			ciphers[log[COL[criterion]]][log["impl"]] = float(log[COL[obj]]) - idle_val * float(log["time"])
+			n = float(log.get("n", "1000"))
+			ciphers[log[COL[criterion]]][log["impl"]] = (float(log[COL[obj]]) * conv_factor - idle_val * float(log["time"])) / n
 			if log["impl"] not in impls:
 				impls.append(log["impl"])
 	impls.sort()
@ -217,13 +224,15 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version
 		maketitle=maketitle
 	)

-def make_profile_plot(logs, exp, criterion, side, record, no_flamegraph=False, machine=None, maketitle=False):
+def make_profile_plot(logs, exp, criterion, side, record, no_flamegraph=False, machine=None, version=None, maketitle=False):
 	f = open(f"/dev/shm/plots/profile_by_{criterion}_{side}_{record}.dat", "w")
 	runs = []
 	functions = []
 	
 	for log in logs:
-		if log["exp"] == exp and log["record"] == record and log["setup"] == side:
+		if version != None and VER_LABEL[log["cipher"]] != version:
+			continue
+		if log["exp"] == exp and log["record"] == record and log["side"] == side and log["tls"] == "1":
 			svg_filename = log["prof"] + ".svg"
 			if not no_flamegraph:
 				os.system("flamegraph --perfdata {} -o {}".format(log["prof"], svg_filename))
@ -407,11 +416,11 @@ if __name__ == "__main__":
 				make_log_plot(logs, "zrtt", "ed", side, "energy", record, machine=machine, maketitle=maketitle, version="1.3")
 		#cmp_versions(logs, ["impl-cipher-ver", "impl-cert-ver", "impl-kex-ver"], ["side", "cipher", "cert", "kex", "record"], ["cpu", "energy"])
 	elif cmd == "prof":
-		for side in ["client-local", "server-local"]:
+		for side in ["client", "server"]:
 			for record in records:
-				make_profile_plot(logs, "impl-cipher-ver", "cipher", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle)
-				make_profile_plot(logs, "impl-cert-ver", "cert", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle)
-				make_profile_plot(logs, "impl-kex-ver", "kex", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle)
+				make_profile_plot(logs, "impl-cipher-ver", "cipher", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle, version="1.3")
+				make_profile_plot(logs, "impl-cert-ver", "cert", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle, version="1.3")
+				make_profile_plot(logs, "impl-kex-ver", "kex", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle, version="1.3")
 	elif cmd == "correl":
 		from scipy import stats
 		import matplotlib.pyplot as plt
--- a/profile.py
+++ b/profile.py
@ -24,7 +24,7 @@ FUNCTIONS = {
 	"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::HkdfExpander>::hash_len": "hkdf",
 	"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::HkdfExpander>::expand_slice": "hkdf",
 	"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::Hkdf>::extract_from_secret": "hkdf",
-	"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::Hkdf>::hmac_sign": "hkdf",
+	#"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::Hkdf>::hmac_sign": "hkdf",

 	"ring::hkdf::fill_okm": "hkdf",
 	#"ring::hkdf::Salt::extract": "hkdf",
@ -37,9 +37,13 @@ FUNCTIONS = {

 	# Emit TLS CertVerify (sign headers using certificate's secret key)
 	"rustls::server::tls13::client_hello::emit_certificate_verify_tls13": "certVerify",
+	#"<[a-zA-Z0-9_:<>]+ as rustls::crypto::signer::Signer>::sign": "cert",

 	# Verify TLS CertVerify
-	"rustls::webpki::verify::verify_tls13_signature": "certVerify",
+	#"rustls::webpki::verify::verify_tls13_signature": "certVerify",
+	"rustls::tls13::key_schedule::KeyScheduleSuite::sign_verify_data": "certVerify",
+	"<rustls_platform_verifier::verification::others::Verifier as rustls::verify::ServerCertVerifier>::verify_tls13_signature": "certVerify",
+	"<rustls_platform_verifier::verification::others::Verifier as rustls::verify::ServerCertVerifier>::verify_tls12_signature": "certVerify",

 	# Verify certificate
 	"<rustls_platform_verifier::verification::others::Verifier as rustls::verify::ServerCertVerifier>::verify_server_cert": "cert"