tuxmain/tlsbench
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Reproduce certs, fixes

Browse source
This commit is contained in:
Pascal Engélibert 2026-02-13 15:58:21 +01:00
commit aa3bb124fc
5 changed files with 266 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

10
README.md
View file

@ -400,7 +400,7 @@ CertVerify est l'extension dans le ServerHello qui signe la discussion passée a
Il a fallu désactiver la réutilisation de session, qui en TLS1.3 passe par le PSK, pour pouvoir mesurer le CertVerify.
## Size overhead and usage survey
### Size overhead and usage survey
```bash
openssl s_server -port 8000 -cert /dev/shm/exp/certs/prime256v1/wikipedia.org.crt -key /dev/shm/exp/certs/prime256v1/wikipedia.org.key
@ -414,7 +414,7 @@ python crawler.py crawl /dev/shm/top1K.csv
python crawler.py stat /dev/shm/crawl.json
```
## 0-RTT
### 0-RTT
```bash
echo "hello world" > /dev/shm/ed
@ -424,3 +424,9 @@ echo | openssl s_client -no-interactive -keylogfile /dev/shm/client.txt -sess_ou
# Second req, using 0-RTT for early data
echo | openssl s_client -no-interactive -early_data /dev/shm/ed -keylogfile /dev/shm/client.txt -sess_in sessions 127.0.0.1:8000
```
### Re-issuing certificates
```bash
openssl x509 -in oldcert -CA cacertfile -CAkey capkeyfile -out newcert -days 365
```

96
exp.py
View file

@ -1,5 +1,5 @@
#!/usr/bin/python3
import os, sys, subprocess, socket
import os, sys, subprocess, socket, signal
CONFIGS = {
"debug": {
@ -47,11 +47,11 @@ CONFIGS = {
"server",
],
"tls": [
False,
#False,
True,
],
"records": [
{ "filename": "wikipedia", "repeat": 1 },
{ "filename": "wikipedia", "repeat": 10 },
],
"repo_dir": "/home/tuxmain/reps/tlsbench",
"exp_dir": "/dev/shm/exp",
@ -60,7 +60,7 @@ CONFIGS = {
"remote_addr": "127.0.0.1",
"remote_repo_dir": "/home/tuxmain/reps/tlsbench",
"wattmeter": False,
"perf": False,
"perf": True,
"rapl": False,
"perf_dir": "/home/tuxmain/.cache/exp",
"listen_port": 8080,
@ -70,21 +70,21 @@ CONFIGS = {
# i7-4790 -> pi3
"pi3": {
"experiments": [
#"impl-cipher-ver",
"impl-cipher-ver",
"impl-cert-ver",
#"impl-kex-ver",
#"zrtt"
"impl-kex-ver",
"zrtt"
],
"sides": [
"client",
#"server",
"server",
],
"tls": [
#False,
False,
True,
],
"records": [
{ "filename": "wikipedia", "repeat": 400 },
{ "filename": "wikipedia", "repeat": 1000 },
],
"repo_dir": "/home/tuxmain/reps/tlsbench",
"exp_dir": "/dev/shm/exp",
@ -98,7 +98,7 @@ CONFIGS = {
"perf": False,
"rapl": False,
"listen_port": 8080,
"idle": "idle - - - - - - - - 600.000081539154 0.0 896 4792 0.5399999999999991 0 -",
"idle": "idle - - - - - - - - - 600.000081539154 0.0 896 4792 0.5399999999999991 0 -",
"notify_listen": ("0.0.0.0", 8090),
"notify_addr": "192.168.3.1:8090",
},
@ -164,7 +164,7 @@ CONFIGS = {
"perf": False,
"rapl": False,
"listen_port": 8080,
"idle": "idle - - - - - - - - 600.0001013278961 0.0 735 4942 1.7759999999999962 0 -",
"idle": "idle - - - - - - - - - 600.0001013278961 0.0 735 4942 1.7759999999999962 0 -",
"notify_listen": ("0.0.0.0", 8090),
"notify_addr": "192.168.3.1:8090",
},
@ -228,7 +228,7 @@ CONFIGS = {
"perf": False,
"rapl": True,
"listen_port": 8080,
"idle": "idle - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",
"idle": "idle - - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",
"notify_listen": ("0.0.0.0", 8090),
"notify_addr": "192.168.3.1:8090",
},
@ -291,7 +291,7 @@ CONFIGS = {
"perf": False,
"rapl": False,
"listen_port": 8080,
"idle": "idle - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",#TODO
"idle": "idle - - - - - - - - - 600.000194311142 0.0 1822 6541 1.3880000000000052 304283035 -",#TODO
"notify_listen": ("0.0.0.0", 8090),
"notify_addr": "TODO:8090",
},
@ -348,11 +348,11 @@ CERT_SIGN_ALGS = [
"rsa2048", "rsa3072", "rsa4096", # widely used
]
IMPLS = [
"aws-lc", # Amazon's Rust crypto widely used in Rust stuff
#"boring", # Google's fork of OpenSSL used in Chrome and Android
"aws-lc", # Amazon's crypto widely used in Rust stuff
"boring", # Google's fork of OpenSSL used in Chrome and Android
#"graviola", # New crypto in Rust
#"openssl", # widely used
#"ring", # used in most Rust stuff
"openssl", # widely used
"ring", # used in most Rust stuff
#"symcrypt", # Microsoft's crypto
#"wolfcrypt" # used in embedded (won't build with rpxy for now)
]
@ -388,9 +388,9 @@ EXPERIMENTS = {
"AES_128_GCM_SHA256",
"AES_256_GCM_SHA384",
"CHACHA20_POLY1305_SHA256",
"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
#"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384",
#"ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
],
"kexes": ["X25519"],
"cert": ["prime256v1"],
@ -401,7 +401,7 @@ EXPERIMENTS = {
"impls": IMPLS,
"ciphers": [
"AES_128_GCM_SHA256",
"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
],
"kexes": ["X25519"],
"cert": [
@ -418,7 +418,7 @@ EXPERIMENTS = {
"impls": IMPLS,
"ciphers": [
"AES_128_GCM_SHA256",
"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
],
"kexes": [
"X25519",
@ -436,8 +436,8 @@ EXPERIMENTS = {
"impls": IMPLS,
"ciphers": [
"AES_128_GCM_SHA256",
#"AES_256_GCM_SHA384",
#"CHACHA20_POLY1305_SHA256",
"AES_256_GCM_SHA384",
"CHACHA20_POLY1305_SHA256",
],
"kexes": ["X25519"],
"cert": ["prime256v1"],
@ -659,12 +659,14 @@ def ssh_run_bg(ssh, cmd, env={}, **kwargs):
strvars += "export "+var+"="+env[var].replace(" ", "\\ ")+" && "
return ssh.run(f"{strvars}dtach -n `mktemp -u /tmp/dtach.XXXX` {cmd}", **kwargs)
def get_cpu_stat(ssh):
def get_cpu_stat(ssh, process_names):
res = ssh_run(ssh, "/sbin/sa --list-all-names", hide=True)
s = 0.0
for line in res.split("\n"):
if "rpxy" in line:
return float(re.finditer("\\s(\\d+\\.\\d+)cp\\s", line).__next__().group(1))
return 0.0
for process_name in process_names:
if process_name[:15] in line:
s += float(re.finditer("\\s(\\d+\\.\\d+)cp\\s", line).__next__().group(1))
return s
def get_net_stat(ssh):
res = ssh_run(ssh, "cat /proc/net/netstat", hide=True)
@ -682,6 +684,14 @@ def get_rapl_energy(ssh, repo_dir):
energy += int(item)
return energy
class Timeout(Exception):
pass
def timeout_handler(signum, frame):
raise Timeout
signal.signal(signal.SIGALRM, timeout_handler)
def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
ssh = None
if "remote_ssh" in config:
@ -715,7 +725,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
logfile_name = "log-"+timestr
logfile_path = exp_dir+"/"+logfile_name
logfile = open(logfile_path, "w")
logfile.write("exp impl alg kex cipher ed side tls record time cpu bytes_in bytes_out Wh Wh_rapl prof\n")
logfile.write("exp impl alg kex cipher ed side tls record n time cpu bytes_in bytes_out Wh Wh_rapl prof\n")
logfile.close()
perf_dir = ""
@ -725,7 +735,6 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
if idle:
print("Measuring idle...")
rpxy_cpu = get_cpu_stat(ssh)
remote_bytes_in, remote_bytes_out = get_net_stat(ssh)
energy = 0
energy_rapl = 0
@ -735,7 +744,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
energy_rapl = get_rapl_energy(ssh, remote_path)
start = time.time()
time.sleep(600)
time.sleep(1200)
end = time.time()
new_energy = 0
@ -745,8 +754,6 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
if config["rapl"]:
new_energy_rapl = get_rapl_energy(ssh, remote_path)
new_remote_bytes_in, new_remote_bytes_out = get_net_stat(ssh)
new_rpxy_cpu = get_cpu_stat(ssh)
rpxy_cpu_diff = new_rpxy_cpu - rpxy_cpu
remote_bytes_in_diff = new_remote_bytes_in - remote_bytes_in
remote_bytes_out_diff = new_remote_bytes_out - remote_bytes_out
energy_diff = new_energy - energy
@ -755,7 +762,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
while True:
try:
with open(logfile_path, "a") as logfile:
logfile.write(f"idle - - - - - - - - {time_diff} {rpxy_cpu_diff} {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} -\n")
logfile.write(f"idle - - - - - - - - - {time_diff} 0 {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} -\n")
logfile.close()
break
except Exception as e:
@ -871,11 +878,11 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
prof_filename = "-"
if config["perf"]:
prof_filename = f"{perf_dir}/perf-{timestr}-{run_id}.data"
process_pid = ssh_run(ssh, "pidof netreplay"+("" if side == "server" else ("-"+impl))).removesuffix("\n")
ssh_run_bg(ssh, f"perf record -F 997 --call-graph dwarf,64000 -g -o {prof_filename} -p {rpxy_pid}")
process_pid = ssh_run(ssh, "pidof netreplay-"+impl).removesuffix("\n")
ssh_run_bg(ssh, f"perf record -F 997 --call-graph dwarf,64000 -g -o {prof_filename} -p {process_pid}")
# Measure
cpu = get_cpu_stat(ssh)
cpu = get_cpu_stat(ssh, ["netreplay-"+impl, "tokio-runtime-w"])
remote_bytes_in, remote_bytes_out = get_net_stat(ssh)
energy = 0
energy_rapl = 0
@ -886,7 +893,11 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
start = time.time()
# Wait for the client to terminate
notify_socket.recv(4)
signal.alarm(600)
try:
notify_socket.recv(4)
except Timeout:
print("TIMEOUT: stop")
# Measure
end = time.time()
@ -897,7 +908,6 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
if config["rapl"]:
new_energy_rapl = get_rapl_energy(ssh, remote_path)
new_remote_bytes_in, new_remote_bytes_out = get_net_stat(ssh)
new_cpu = get_cpu_stat(ssh)
# Kill server
if side == "client":
@ -910,6 +920,9 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
ssh_run(ssh, "killall netreplay-"+impl)
except invoke.exceptions.UnexpectedExit as e:
pass
# Measure CPU after (as it may update only after the process is killed)
new_cpu = get_cpu_stat(ssh, ["netreplay-"+impl, "tokio-runtime-w"])
record_filename = record["filename"]
cpu_diff = new_cpu - cpu
@ -918,10 +931,11 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
energy_diff = new_energy - energy
energy_rapl_diff = new_energy_rapl - energy_rapl
time_diff = end - start
repeats = record["repeat"]
while True:
try:
with open(logfile_path, "a") as logfile:
logfile.write(f"{expname} {impl} {alg} {kex} {cipher} {earlydata} {side} {tls_int} {record_filename} {time_diff} {cpu_diff} {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} {prof_filename}\n")
logfile.write(f"{expname} {impl} {alg} {kex} {cipher} {earlydata} {side} {tls_int} {record_filename} {repeats} {time_diff} {cpu_diff} {remote_bytes_in_diff} {remote_bytes_out_diff} {energy_diff} {energy_rapl_diff} {prof_filename}\n")
logfile.close()
break
except Exception as e:

179
makecerts.py
View file

@ -1,13 +1,190 @@
# Get certificates from domains and make a similar chain.
import os
import OpenSSL
import ssl
#import asn1
CERTS_DIR = "/dev/shm/exp/certs/"
ALGS = ["prime256v1", "secp384r1", "rsa2048", "rsa3072", "rsa4096"]
DOMAINS = [
#"txmn.tk",
"wikipedia.org",
#"youtube.com"
]
def sh(cmds):
if type(cmds) == list:
for cmd in cmds:
print(cmd)
os.system(cmd)
elif type(cmds) == str:
print(cmds)
os.system(cmds)
else:
raise TypeError
def make_sk(outpath, alg):
sh({
"ed25519": [
f"openssl genpkey -out {outpath}.sec1 -algorithm ed25519",
f"openssl pkcs8 -topk8 -nocrypt -in {outpath}.sec1 -out {outpath} -outform PEM"
],
"prime256v1": [
f"openssl ecparam -genkey -name prime256v1 -noout -out {outpath}.sec1",
f"openssl pkcs8 -topk8 -nocrypt -in {outpath}.sec1 -out {outpath} -outform PEM"
],
"rsa2048": [
f"openssl genrsa -out {outpath} 2048"
],
"rsa3072": [
f"openssl genrsa -out {outpath} 3072"
],
"rsa4096": [
f"openssl genrsa -out {outpath} 4096"
],
"secp384r1": [
f"openssl ecparam -genkey -name secp384r1 -noout -out {outpath}.sec1",
f"openssl pkcs8 -topk8 -nocrypt -in {outpath}.sec1 -out {outpath} -outform PEM"
],
}[alg])
# Connect to a server and return its certificate
def get_server_cert(domain, port=443):
cert_pem = ssl.get_server_certificate((domain, port))
cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_pem)
for i in range(cert.get_extension_count()):
ext = cert.get_extension(i)
ext_name = ext.get_short_name()
if ext_name == "":
#if ext_name == "":
return cert
# Replace CA and key of a certificate while keeping everything else the same
def replace_keys(cert, key, cas):
# Choose CA with the same signature algorithm
ca_cert, ca_key = cas[(key.type(), key.bits())]
# Get Key id
ca_key_id = None
for i in range(ca_cert.get_extension_count()):
ext = cert.get_extension(i)
ext_name = ext.get_short_name()
if ext_name == b"subjectKeyIdentifier":
ca_key_id = ext.__str__()
# Create new certificate
cert2 = OpenSSL.crypto.X509()
# Set fields
cert2.set_version(cert.get_version())
cert2.set_issuer(ca_cert.get_subject())
cert2.set_serial_number(cert.get_serial_number())
cert2.set_notAfter(cert.get_notAfter())
cert2.set_notBefore(cert.get_notBefore())
cert2.set_subject(cert.get_subject())
cert2.set_pubkey(key)
# Set extensions
exts = []
for i in range(cert.get_extension_count()):
# They had the good idea to have different input and output formats.
# Output is ASN.1 but input is text.
# Text output from __str__ is NOT the same encoding as the expected text input.
# Because why not.
# Input format doc is here: https://docs.openssl.org/3.0/man5/x509v3_config
ext = cert.get_extension(i)
ext_name = ext.get_short_name()
ext_data = ext.get_data()
ext_str = ext.__str__()
#dec = asn1.Decoder()
#dec.start(ext_data)
#tag, val = dec.read()
#print(ext_name, ":", ext_data, "::", ext_str)
if ext_name == b"authorityKeyIdentifier":
ext_data = b"keyid:always"
#elif ext_name == b"keyUsage":
# ext_data = b"digitalSignature"
#elif ext_name == b"extendedKeyUsage":
# ext_data = b""
# for j in ext_str.split(", "):
# if len(ext_data) > 0:
# ext_data += b","
# ext_data += {
# "TLS Web Server Authentication": b"serverAuth",
# "TLS Web Client Authentication": b"clientAuth",
# }[j]
#elif ext_name == b"basicConstraints":
# ext_data = ext_str.encode()
#elif ext_name == b"subjectKeyIdentifier":
# ext_data = ext_str.encode()
#elif ext_name == b"authorityInfoAccess":
# ext_data = ext_str.replace(" - ", ";").replace("CA Issuers", "caIssuers").encode()
#elif ext_name == b"subjectAltName":
# ext_data = ext_str.encode()
#elif ext_name == b"certificatePolicies":
# #ext_data = ext_str.replace("Policy: ", "").encode()
# continue # weird error
#elif ext_name == b"crlDistributionPoints":
# print(ext_str.encode())
# ext_data = ext_str.replace("Full Name:\n ", "").replace("\n", "").encode()
else:
ext_data = b"DER:"+ext_data.hex().encode()
exts.append(OpenSSL.crypto.X509Extension(ext_name, ext.get_critical()==1, ext_data, issuer=ca_cert))
cert2.add_extensions(exts)
# Sign
digest = None
sig_alg = cert.get_signature_algorithm()
if b"SHA384" in sig_alg:
digest = "sha384"
elif b"SHA256" in sig_alg:
digest = "sha256"
elif b"SHA512" in sig_alg:
digest = "sha512"
if digest == None:
print("Unknown signature algorithm:", sig_alg)
raise Exception
cert2.sign(ca_key, digest)
return cert2
# Save certificate to a PEM file
def save_cert(cert, out_path):
f = open(out_path, "wb")
f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))
f.close()
# Fetch CA certs and keys and map them by algorithm
def fetch_cas():
cas = {}
for alg in ALGS:
f = open(f"{CERTS_DIR}{alg}/ca.crt", "rb")
ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read())
f.close()
f = open(f"{CERTS_DIR}{alg}/ca.key", "rb")
ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read())
f.close()
cas[(ca_key.type(), ca_key.bits())] = (ca_cert, ca_key)
return cas
if __name__ == "__main__":
os.makedirs(f"{CERTS_DIR}realistic", exist_ok=True)
cas = fetch_cas()
for domain in DOMAINS:
cert = get_server_cert(domain)
pk = cert.get_pubkey()
pk_alg = (pk.type(), pk.bits())
alg = {
(OpenSSL.crypto.TYPE_EC, 256): "prime256v1",
(OpenSSL.crypto.TYPE_EC, 384): "secp384r1",
(OpenSSL.crypto.TYPE_RSA, 2048): "rsa2048",
(OpenSSL.crypto.TYPE_RSA, 3072): "rsa3072",
(OpenSSL.crypto.TYPE_RSA, 4096): "rsa4096",
}[pk_alg]
key2_path = f"{CERTS_DIR}realistic/{domain}.key"
make_sk(key2_path, alg)
f = open(key2_path, "rb")
key2 = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read())
f.close()
cert2 = replace_keys(cert, key2, cas)
save_cert(cert2, f"{CERTS_DIR}realistic/{domain}.crt")

29
plots.py
View file

@ -54,7 +54,7 @@ COL = {
# Physical units by object
UNIT = {
"cpu": "s",
"energy": "W",
"energy": "J",
"profile": "samples",
}
# Titles for criteria
@ -115,6 +115,7 @@ def gnuplot_stacked_histogram(**kwargs):
kwargs["machine"] = ", " + kwargs["machine"]
else:
kwargs["machine"] = ""
titleline = ""
if kwargs["maketitle"]:
titleline = 'set title font "CMU Sans Serif,12" "{object_title} by {criterion_title} ({record}, {side}{machine}) ({unit})"'.format(**kwargs)
cluster = ""
@ -155,14 +156,19 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version
impls = []
plain_line = None
idle_val = None
conv_factor = 1.0
if obj == "energy":
# Convert Wh to Ws
conv_factor = 3600.0
for log in logs:
if log["exp"] == "idle":
idle_val = float(log[COL[obj]]) / float(log["time"])
idle_val = float(log[COL[obj]]) / float(log["time"]) * conv_factor
if log["exp"] != exp or log["record"] != record:
continue
if log["side"] == side and log["tls"] == "0":
plain_line = "plain {}".format(float(log[COL[obj]]) - idle_val * float(log["time"]))
n = float(log.get("n", "1000"))
plain_line = "plain {}".format((float(log[COL[obj]]) * conv_factor - idle_val * float(log["time"])) / n)
if plain_line == None:
return
@ -177,7 +183,8 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version
continue
if log[COL[criterion]] not in ciphers:
ciphers[log[COL[criterion]]] = {}
ciphers[log[COL[criterion]]][log["impl"]] = float(log[COL[obj]]) - idle_val * float(log["time"])
n = float(log.get("n", "1000"))
ciphers[log[COL[criterion]]][log["impl"]] = (float(log[COL[obj]]) * conv_factor - idle_val * float(log["time"])) / n
if log["impl"] not in impls:
impls.append(log["impl"])
impls.sort()
@ -217,13 +224,15 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version
maketitle=maketitle
)
def make_profile_plot(logs, exp, criterion, side, record, no_flamegraph=False, machine=None, maketitle=False):
def make_profile_plot(logs, exp, criterion, side, record, no_flamegraph=False, machine=None, version=None, maketitle=False):
f = open(f"/dev/shm/plots/profile_by_{criterion}_{side}_{record}.dat", "w")
runs = []
functions = []
for log in logs:
if log["exp"] == exp and log["record"] == record and log["setup"] == side:
if version != None and VER_LABEL[log["cipher"]] != version:
continue
if log["exp"] == exp and log["record"] == record and log["side"] == side and log["tls"] == "1":
svg_filename = log["prof"] + ".svg"
if not no_flamegraph:
os.system("flamegraph --perfdata {} -o {}".format(log["prof"], svg_filename))
@ -407,11 +416,11 @@ if __name__ == "__main__":
make_log_plot(logs, "zrtt", "ed", side, "energy", record, machine=machine, maketitle=maketitle, version="1.3")
#cmp_versions(logs, ["impl-cipher-ver", "impl-cert-ver", "impl-kex-ver"], ["side", "cipher", "cert", "kex", "record"], ["cpu", "energy"])
elif cmd == "prof":
for side in ["client-local", "server-local"]:
for side in ["client", "server"]:
for record in records:
make_profile_plot(logs, "impl-cipher-ver", "cipher", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle)
make_profile_plot(logs, "impl-cert-ver", "cert", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle)
make_profile_plot(logs, "impl-kex-ver", "kex", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle)
make_profile_plot(logs, "impl-cipher-ver", "cipher", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle, version="1.3")
make_profile_plot(logs, "impl-cert-ver", "cert", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle, version="1.3")
make_profile_plot(logs, "impl-kex-ver", "kex", side, record, no_flamegraph=no_flamegraph, machine=machine, maketitle=maketitle, version="1.3")
elif cmd == "correl":
from scipy import stats
import matplotlib.pyplot as plt

8
profile.py
View file

@ -24,7 +24,7 @@ FUNCTIONS = {
"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::HkdfExpander>::hash_len": "hkdf",
"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::HkdfExpander>::expand_slice": "hkdf",
"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::Hkdf>::extract_from_secret": "hkdf",
"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::Hkdf>::hmac_sign": "hkdf",
#"<[a-zA-Z0-9_:<>]+ as rustls::crypto::tls13::Hkdf>::hmac_sign": "hkdf",
"ring::hkdf::fill_okm": "hkdf",
#"ring::hkdf::Salt::extract": "hkdf",
@ -37,9 +37,13 @@ FUNCTIONS = {
# Emit TLS CertVerify (sign headers using certificate's secret key)
"rustls::server::tls13::client_hello::emit_certificate_verify_tls13": "certVerify",
#"<[a-zA-Z0-9_:<>]+ as rustls::crypto::signer::Signer>::sign": "cert",
# Verify TLS CertVerify
"rustls::webpki::verify::verify_tls13_signature": "certVerify",
#"rustls::webpki::verify::verify_tls13_signature": "certVerify",
"rustls::tls13::key_schedule::KeyScheduleSuite::sign_verify_data": "certVerify",
"<rustls_platform_verifier::verification::others::Verifier as rustls::verify::ServerCertVerifier>::verify_tls13_signature": "certVerify",
"<rustls_platform_verifier::verification::others::Verifier as rustls::verify::ServerCertVerifier>::verify_tls12_signature": "certVerify",
# Verify certificate
"<rustls_platform_verifier::verification::others::Verifier as rustls::verify::ServerCertVerifier>::verify_server_cert": "cert"