From 1b0c816cc15d5c8fb865145bbdfcb9440cec2b65 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Fri, 10 Nov 2023 03:31:01 +0000 Subject: [PATCH 1/5] bench: length cert chain Most commonly aws service retain a 3 certificate chain, with a leaf cert, intermediate CA, and root CA. This commit updates our benchmarking configuration to reflect that. --- bindings/rust/bench/Cargo.toml | 8 ----- bindings/rust/bench/benches/resumption.rs | 8 +++-- bindings/rust/bench/certs/config/client.cnf | 3 ++ bindings/rust/bench/certs/config/server.cnf | 3 ++ bindings/rust/bench/scripts/generate-certs.sh | 36 +++++++++++++++---- bindings/rust/bench/src/harness.rs | 4 ++- 6 files changed, 44 insertions(+), 18 deletions(-) diff --git a/bindings/rust/bench/Cargo.toml b/bindings/rust/bench/Cargo.toml index ea0f0a03976..73c56f9349c 100644 --- a/bindings/rust/bench/Cargo.toml +++ b/bindings/rust/bench/Cargo.toml @@ -49,14 +49,6 @@ required-features = ["memory"] name = "graph_perf" required-features = ["historical-perf"] -[[bench]] -name = "handshake" -harness = false - -[[bench]] -name = "throughput" -harness = false - [[bench]] name = "resumption" harness = false diff --git a/bindings/rust/bench/benches/resumption.rs b/bindings/rust/bench/benches/resumption.rs index 7b0872660ff..5ea1d8a40d7 100644 --- a/bindings/rust/bench/benches/resumption.rs +++ b/bindings/rust/bench/benches/resumption.rs @@ -1,6 +1,6 @@ use bench::{ harness::TlsBenchConfig, CipherSuite, CryptoConfig, HandshakeType, KXGroup, S2NConnection, - SigType, TlsConnPair, TlsConnection, + SigType, TlsConnPair, TlsConnection, RustlsConnection, }; use criterion::{ criterion_group, criterion_main, measurement::WallTime, BatchSize, BenchmarkGroup, Criterion, 
@@ -67,16 +67,20 @@ where /// s2n-tls?". pub fn bench_resumption(c: &mut Criterion) { // compare resumption savings across both client and server - for sig_type in [SigType::Rsa2048, SigType::Ecdsa384] { + for sig_type in [SigType::Rsa2048, SigType::Ecdsa256] { let mut bench_group = c.benchmark_group(format!("resumption-pair-{:?}", sig_type)); + bench_group.sample_size(10); bench_handshake_pair::(&mut bench_group, sig_type); + bench_handshake_pair::(&mut bench_group, sig_type); } // only look at resumption savings for the server, specifically the work // done in the first rtt. for sig_type in [SigType::Rsa2048, SigType::Ecdsa384] { let mut bench_group = c.benchmark_group(format!("resumption-server-1rtt-{:?}", sig_type)); + bench_group.sample_size(10); bench_handshake_server_1rtt::(&mut bench_group, sig_type); + bench_handshake_server_1rtt::(&mut bench_group, sig_type); } } diff --git a/bindings/rust/bench/certs/config/client.cnf b/bindings/rust/bench/certs/config/client.cnf index 2018077e6c3..a0e87cf3f21 100644 --- a/bindings/rust/bench/certs/config/client.cnf +++ b/bindings/rust/bench/certs/config/client.cnf @@ -22,3 +22,6 @@ subjectAltName = @alt_names [alt_names] DNS = localhost + +[ usr_cert ] +basicConstraints=CA:TRUE # prev value was FALSE \ No newline at end of file diff --git a/bindings/rust/bench/certs/config/server.cnf b/bindings/rust/bench/certs/config/server.cnf index 403932d8fcf..ee4980b70e2 100644 --- a/bindings/rust/bench/certs/config/server.cnf +++ b/bindings/rust/bench/certs/config/server.cnf @@ -22,3 +22,6 @@ subjectAltName = @alt_names [alt_names] DNS = localhost + +[ usr_cert ] +basicConstraints=CA:TRUE # prev value was FALSE \ No newline at end of file diff --git a/bindings/rust/bench/scripts/generate-certs.sh b/bindings/rust/bench/scripts/generate-certs.sh index 8fab212fc60..ac74a0fdd87 100755 --- a/bindings/rust/bench/scripts/generate-certs.sh +++ b/bindings/rust/bench/scripts/generate-certs.sh 
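Review bot: The two loops in `bench_resumption` no longer cover the same signature types: the pair group now iterates `[SigType::Rsa2048, SigType::Ecdsa256]`, while the server-1rtt group below it still uses `SigType::Ecdsa384`. The ECDSA results of the two groups therefore describe different curves and cannot be compared with each other. Either change the second loop to `for sig_type in [SigType::Rsa2048, SigType::Ecdsa256] {` or add a comment explaining why the curves differ. The added `bench_group.sample_size(10);` lines look like a local speed-up; if they are meant to stay, they need a comment on the reduced statistical confidence.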
@@ -36,22 +36,43 @@ cert-gen () { cd $dir_name echo "generating CA private key and certificate" - openssl req -new -nodes -x509 -newkey $key_family -pkeyopt $argname$key_size -keyout ca-key.pem -out ca-cert.pem -days 65536 -config ../config/ca.cnf + openssl req -new -noenc -x509 \ + -newkey $key_family \ + -pkeyopt $argname$key_size \ + -keyout ca-key.pem \ + -out ca-cert.pem \ + -days 65536 \ + -config ../config/ca.cnf \ + -subj "/C=US/CN=root" + + echo "generating intermediate private key and CSR" + openssl req -new -nodes -newkey $key_family -pkeyopt $argname$key_size -keyout intermediate-key.pem -out intermediate.csr -subj "/C=US/CN=branch" -addext "basicConstraints = critical,CA:true" -addext "keyUsage = critical,keyCertSign" echo "generating server private key and CSR" - openssl req -new -nodes -newkey $key_family -pkeyopt $argname$key_size -keyout server-key.pem -out server.csr -config ../config/server.cnf + openssl req -new -nodes -newkey $key_family -pkeyopt $argname$key_size -keyout server-key.pem -out server.csr -config ../config/server.cnf -subj "/C=US/CN=leaf" echo "generating client private key and CSR" openssl req -new -nodes -newkey $key_family -pkeyopt $argname$key_size -keyout client-key.pem -out client.csr -config ../config/client.cnf + echo "generating intermediate certificate and signing it" + openssl x509 -days 65536 -req -in intermediate.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out intermediate-cert.pem -copy_extensions=copyall + echo "generating server certificate and signing it" - openssl x509 -days 65536 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extensions req_ext -extfile ../config/server.cnf + openssl x509 -days 65536 -req -in server.csr -CA intermediate-cert.pem -CAkey intermediate-key.pem -CAcreateserial -out server-cert.pem -extensions req_ext -extfile ../config/server.cnf echo "generating client certificate and signing it" openssl x509 -days 65536 -req -in client.csr -CA 
ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extensions req_ext -extfile ../config/client.cnf - echo "verifying generated certificates" - openssl verify -CAfile ca-cert.pem server-cert.pem + touch server-chain.pem + cat server-cert.pem >> server-chain.pem + cat intermediate-cert.pem >> server-chain.pem + cat ca-cert.pem >> server-chain.pem + + echo "verifying server certificates" + openssl verify -CAfile ca-cert.pem intermediate-cert.pem + openssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem server-cert.pem + + echo "verifying client certificates" openssl verify -CAfile ca-cert.pem client-cert.pem echo "cleaning up temporary files" @@ -62,13 +83,14 @@ cert-gen () { cd .. } -if [[ $1 != "clean" ]] +if [[ $1 != "clean" ]] then + cert-gen ec 256 ecdsa256 cert-gen ec 384 ecdsa384 cert-gen rsa 2048 rsa2048 cert-gen rsa 3072 rsa3072 cert-gen rsa 4096 rsa4096 -else +else echo "cleaning certs" rm -rf ecdsa*/ rsa*/ fi diff --git a/bindings/rust/bench/src/harness.rs b/bindings/rust/bench/src/harness.rs index 5e7697cad80..237fbee534d 100644 --- a/bindings/rust/bench/src/harness.rs +++ b/bindings/rust/bench/src/harness.rs @@ -25,7 +25,7 @@ impl PemType { fn get_filename(&self) -> &str { match self { PemType::ServerKey => "server-key.pem", - PemType::ServerCertChain => "server-cert.pem", + PemType::ServerCertChain => "server-chain.pem", PemType::ClientKey => "client-key.pem", PemType::ClientCertChain => "client-cert.pem", PemType::CACert => "ca-cert.pem", @@ -40,6 +40,7 @@ pub enum SigType { Rsa4096, #[default] Ecdsa384, + Ecdsa256, } impl SigType { @@ -49,6 +50,7 @@ impl SigType { SigType::Rsa3072 => "rsa3072", SigType::Rsa4096 => "rsa4096", SigType::Ecdsa384 => "ecdsa384", + SigType::Ecdsa256 => "ecdsa256", } } } From 4199aa562e1d982c04c20b56cf03d1e0e3965e49 Mon Sep 17 00:00:00 2001 
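Review bot: `server-chain.pem` is assembled with `touch` followed by three `cat … >> server-chain.pem` appends, so a second run over a directory that already holds a chain file appends the three certificates again instead of replacing them. The harness now loads this file as `PemType::ServerCertChain`, so a duplicated or stale chain would be what the handshake benchmarks actually send. Writing the file in one truncating step avoids this: `cat server-cert.pem intermediate-cert.pem ca-cert.pem > server-chain.pem`. The body of `cert-gen` starts and ends outside this hunk, so whether an earlier step clears the directory is not visible here.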
From: James Mayclin Date: Tue, 14 Nov 2023 00:19:45 +0000 Subject: [PATCH 2/5] save my failures --- bindings/rust/bench/scripts/generate-certs.sh | 48 ++++++++++++++++--- bindings/rust/bench/src/harness.rs | 44 +++++++++++++++++ 2 files changed, 86 insertions(+), 6 deletions(-) diff --git a/bindings/rust/bench/scripts/generate-certs.sh b/bindings/rust/bench/scripts/generate-certs.sh index ac74a0fdd87..4d1c8524c87 100755 --- a/bindings/rust/bench/scripts/generate-certs.sh +++ b/bindings/rust/bench/scripts/generate-certs.sh 
@@ -46,22 +46,58 @@ cert-gen () { -subj "/C=US/CN=root" echo "generating intermediate private key and CSR" - openssl req -new -nodes -newkey $key_family -pkeyopt $argname$key_size -keyout intermediate-key.pem -out intermediate.csr -subj "/C=US/CN=branch" -addext "basicConstraints = critical,CA:true" -addext "keyUsage = critical,keyCertSign" + openssl req -new -noenc \ + -newkey $key_family \ + -pkeyopt $argname$key_size \ + -keyout intermediate-key.pem \ + -out intermediate.csr \ + -subj "/C=US/CN=branch" \ + -addext "basicConstraints = critical,CA:true" \ + -addext "keyUsage = critical,keyCertSign" echo "generating server private key and CSR" - openssl req -new -nodes -newkey $key_family -pkeyopt $argname$key_size -keyout server-key.pem -out server.csr -config ../config/server.cnf -subj "/C=US/CN=leaf" + openssl req -new -noenc \ + -newkey $key_family \ + -pkeyopt $argname$key_size \ + -keyout server-key.pem \ + -out server.csr \ + -config ../config/server.cnf \ + -subj "/C=US/CN=leaf" echo "generating client private key and CSR" - openssl req -new -nodes -newkey $key_family -pkeyopt $argname$key_size -keyout client-key.pem -out client.csr -config ../config/client.cnf + openssl req -new -noenc \ + -newkey $key_family \ + -pkeyopt $argname$key_size \ + -keyout client-key.pem \ + -out client.csr \ + -config ../config/client.cnf echo "generating intermediate certificate and signing it" - openssl x509 -days 65536 -req -in intermediate.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out intermediate-cert.pem -copy_extensions=copyall + openssl x509 -days 65536 \ + -req -in intermediate.csr \ + -CA ca-cert.pem \ + -CAkey ca-key.pem \ + -CAcreateserial \ + -out intermediate-cert.pem \ + -copy_extensions=copyall echo "generating server certificate and signing it" - openssl x509 -days 65536 -req -in server.csr -CA intermediate-cert.pem -CAkey intermediate-key.pem -CAcreateserial -out server-cert.pem -extensions req_ext -extfile ../config/server.cnf + openssl x509 
-days 65536 \ + -req -in server.csr \ + -CA intermediate-cert.pem \ + -CAkey intermediate-key.pem \ + -CAcreateserial -out server-cert.pem \ + -extensions req_ext \ + -extfile ../config/server.cnf echo "generating client certificate and signing it" - openssl x509 -days 65536 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extensions req_ext -extfile ../config/client.cnf + openssl x509 -days 65536 \ + -req -in client.csr \ + -CA ca-cert.pem \ + -CAkey ca-key.pem \ + -CAcreateserial -out client-cert.pem \ + -extensions req_ext \ + -extfile ../config/client.cnf touch server-chain.pem cat server-cert.pem >> server-chain.pem diff --git a/bindings/rust/bench/src/harness.rs b/bindings/rust/bench/src/harness.rs index 237fbee534d..97a4c70b0c9 100644 --- a/bindings/rust/bench/src/harness.rs +++ b/bindings/rust/bench/src/harness.rs 
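Review bot: Replacing `-nodes` with `-noenc` on every `openssl req` call, together with `-copy_extensions=copyall` on the signing step, ties this script to OpenSSL 3.0 or newer as far as I know; older releases do not accept either option. The README setup text only asks for OpenSSL to be installed, so the failure would surface as an option error partway through certificate generation. I would state the requirement where the options are first used, for example `# requires OpenSSL >= 3.0 (req -noenc, x509 -copy_extensions)`, and mention the minimum version in the README setup section. `cert-gen` starts and ends outside this hunk.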
@@ -485,6 +485,50 @@ mod tests { } } + #[test] + fn rsa_2048() + { + let mut crypto_config = CryptoConfig::default(); + crypto_config.sig_type = SigType::Rsa2048; + let mut conn_pair = + TlsConnPair::::new_bench_pair(crypto_config, HandshakeType::ServerAuth).unwrap(); + conn_pair.handshake().unwrap(); + assert!(conn_pair.handshake_completed()); + } + + #[test] + fn rsa_4096() + { + let mut crypto_config = CryptoConfig::default(); + crypto_config.sig_type = SigType::Rsa4096; + let mut conn_pair = + TlsConnPair::::new_bench_pair(crypto_config, HandshakeType::ServerAuth).unwrap(); + conn_pair.handshake().unwrap(); + assert!(conn_pair.handshake_completed()); + } + + #[test] + fn ecdsa_256() + { + let mut crypto_config = CryptoConfig::default(); + crypto_config.sig_type = SigType::Ecdsa256; + let mut conn_pair = + TlsConnPair::::new_bench_pair(crypto_config, HandshakeType::ServerAuth).unwrap(); + conn_pair.handshake().unwrap(); + assert!(conn_pair.handshake_completed()); + } + + #[test] + fn ecdsa_384() + { + let mut crypto_config = CryptoConfig::default(); + crypto_config.sig_type = SigType::Ecdsa384; + let mut conn_pair = + TlsConnPair::::new_bench_pair(crypto_config, HandshakeType::ServerAuth).unwrap(); + conn_pair.handshake().unwrap(); + assert!(conn_pair.handshake_completed()); + } + fn session_resumption() where S: TlsConnection, From 042e133925742efeda84db805a169f95fc9f65c6 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Tue, 14 Nov 2023 00:25:05 +0000 Subject: [PATCH 3/5] removed config for ca --- bindings/rust/bench/certs/config/ca.cnf | 13 ------------- bindings/rust/bench/scripts/generate-certs.sh | 5 +++-- 2 files changed, 3 insertions(+), 15 deletions(-) delete mode 100644 bindings/rust/bench/certs/config/ca.cnf diff --git a/bindings/rust/bench/certs/config/ca.cnf b/bindings/rust/bench/certs/config/ca.cnf deleted file mode 100644 index 66447a71611..00000000000 --- a/bindings/rust/bench/certs/config/ca.cnf +++ /dev/null 
@@ -1,13 +0,0 @@ -[ req ] -prompt = no -distinguished_name = ca_distinguished_name - -[ ca_distinguished_name ] -# country name -C = JP -# state or province -ST = Chiba -L = Chiba City -O = Tessier-Ashpool -CN = develop.localca -emailAddress = ca@develop.localca diff --git a/bindings/rust/bench/scripts/generate-certs.sh b/bindings/rust/bench/scripts/generate-certs.sh index 4d1c8524c87..d0a3f23e06b 100755 --- a/bindings/rust/bench/scripts/generate-certs.sh +++ b/bindings/rust/bench/scripts/generate-certs.sh @@ -42,8 +42,9 @@ cert-gen () { -keyout ca-key.pem \ -out ca-cert.pem \ -days 65536 \ - -config ../config/ca.cnf \ - -subj "/C=US/CN=root" + -subj "/C=US/CN=root" \ + -addext "basicConstraints = critical,CA:true" \ + -addext "keyUsage = critical,keyCertSign" echo "generating intermediate private key and CSR" openssl req -new -noenc \ From 45ce1127cb628bded23f03b07e87e842b46543a0 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Tue, 14 Nov 2023 00:30:22 +0000 Subject: [PATCH 4/5] remove server config --- bindings/rust/bench/certs/config/server.cnf | 27 ------------------- bindings/rust/bench/scripts/generate-certs.sh | 7 +++-- 2 files changed, 3 insertions(+), 31 deletions(-) delete mode 100644 bindings/rust/bench/certs/config/server.cnf diff --git a/bindings/rust/bench/certs/config/server.cnf b/bindings/rust/bench/certs/config/server.cnf deleted file mode 100644 index ee4980b70e2..00000000000 --- a/bindings/rust/bench/certs/config/server.cnf +++ /dev/null 
@@ -1,27 +0,0 @@ -[req] -distinguished_name = server_distinguished_name -prompt = no - -# these fields are used to force x509 to v3 certificates -# rustls will complain otherwise -x509_extensions = v3_req -req_extensions = req_ext - -[server_distinguished_name] -countryName = US -stateOrProvinceName = Washington -localityName = Seattle -organizationName = server -commonName = server.localhost - -[v3_req] -subjectAltName = @alt_names - -[req_ext] -subjectAltName = @alt_names - -[alt_names] -DNS = localhost - -[ usr_cert ] -basicConstraints=CA:TRUE # prev value was FALSE \ No newline at end of file diff --git a/bindings/rust/bench/scripts/generate-certs.sh b/bindings/rust/bench/scripts/generate-certs.sh index d0a3f23e06b..032e24ea3e0 100755 --- a/bindings/rust/bench/scripts/generate-certs.sh +++ b/bindings/rust/bench/scripts/generate-certs.sh @@ -62,8 +62,8 @@ cert-gen () { -pkeyopt $argname$key_size \ -keyout server-key.pem \ -out server.csr \ - -config ../config/server.cnf \ - -subj "/C=US/CN=leaf" + -subj "/C=US/CN=leaf" \ + -addext "subjectAltName = DNS:localhost" echo "generating client private key and CSR" openssl req -new -noenc \ @@ -88,8 +88,7 @@ cert-gen () { -CA intermediate-cert.pem \ -CAkey intermediate-key.pem \ -CAcreateserial -out server-cert.pem \ - -extensions req_ext \ - -extfile ../config/server.cnf + -copy_extensions=copyall echo "generating client certificate and signing it" openssl x509 -days 65536 \ From 417a42e9434f4841d3257d8a4f2c5d1bf23763ca Mon Sep 17 00:00:00 2001 
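Review bot: With `server.cnf` removed, the server leaf is issued with only `subjectAltName = DNS:localhost`, which `-copy_extensions=copyall` copies from the CSR; it carries no `basicConstraints`, `keyUsage` or `extendedKeyUsage`. The stated goal of the series is a chain that resembles what public services present, and such leaf certificates are normally constrained explicitly, so the benchmark certificate is both less restricted and slightly smaller than the thing it models. Consider adding `-addext "basicConstraints = critical,CA:false"` and `-addext "extendedKeyUsage = serverAuth"` to the server `openssl req` call. The same applies to the client CSR, which still uses `client.cnf` at this point in the series.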
From: James Mayclin Date: Tue, 14 Nov 2023 00:41:40 +0000 Subject: [PATCH 5/5] document cert generation --- bindings/rust/bench/Cargo.toml | 8 ++++ bindings/rust/bench/README.md | 33 ++++++++++---- bindings/rust/bench/benches/resumption.rs | 6 +-- bindings/rust/bench/certs/config/client.cnf | 27 ------------ bindings/rust/bench/scripts/generate-certs.sh | 16 +++++-- bindings/rust/bench/src/harness.rs | 44 ------------------- 6 files changed, 46 insertions(+), 88 deletions(-) delete mode 100644 bindings/rust/bench/certs/config/client.cnf diff --git a/bindings/rust/bench/Cargo.toml b/bindings/rust/bench/Cargo.toml index 73c56f9349c..ea0f0a03976 100644 --- a/bindings/rust/bench/Cargo.toml +++ b/bindings/rust/bench/Cargo.toml @@ -49,6 +49,14 @@ required-features = ["memory"] name = "graph_perf" required-features = ["historical-perf"] +[[bench]] +name = "handshake" +harness = false + +[[bench]] +name = "throughput" +harness = false + [[bench]] name = "resumption" harness = false diff --git a/bindings/rust/bench/README.md b/bindings/rust/bench/README.md index 98926ebbbca..b541d5c0146 100644 --- a/bindings/rust/bench/README.md +++ b/bindings/rust/bench/README.md 
@@ -23,13 +23,13 @@ cargo bench --bench handshake --bench throughput -- --profile-time 5 rm -rf .cargo ``` -## Setup +## Setup -Setup is easy! Just have OpenSSL installed, generate Rust bindings for s2n-tls using `../generate.sh`, and generate certs using `scripts/generate-certs.sh`. +Setup is easy! Just have OpenSSL installed, generate Rust bindings for s2n-tls using `../generate.sh`, and generate certs using `scripts/generate-certs.sh`. -Dependencies are the same as with s2n-tls. Currently, this crate has only been tested on Ubuntu (both x86 and ARM), but we expect everything to work with other Unix environments. +Dependencies are the same as with s2n-tls. Currently, this crate has only been tested on Ubuntu (both x86 and ARM), but we expect everything to work with other Unix environments. -To bench with AWS-LC, Amazon's custom libcrypto implementation, first run `scripts/install-aws-lc.sh` to install AWS-LC for the bench crate. To then run the benchmarks with AWS-LC, use Cargo with either the flag `--config aws-lc-config/s2n.toml` or `--config aws-lc-config/rustls.toml` (or both). You can also append these configs to `.cargo/config.toml` to let Cargo automatically detect the settings without specifying the flags each time. +To bench with AWS-LC, Amazon's custom libcrypto implementation, first run `scripts/install-aws-lc.sh` to install AWS-LC for the bench crate. To then run the benchmarks with AWS-LC, use Cargo with either the flag `--config aws-lc-config/s2n.toml` or `--config aws-lc-config/rustls.toml` (or both). You can also append these configs to `.cargo/config.toml` to let Cargo automatically detect the settings without specifying the flags each time. ### Features 
@@ -37,7 +37,7 @@ Default features (`rustls` and `openssl`) can be disabled by running the benches ## Performance benchmarks -The handshake and throughput benchmarks can be run with the `cargo bench` command. Criterion will auto-generate an HTML report in `target/criterion/`. +The handshake and throughput benchmarks can be run with the `cargo bench` command. Criterion will auto-generate an HTML report in `target/criterion/`. Throughput benchmarks measure round-trip throughput with the client and server connections in the same thread for symmetry. In practice, a machine would either host only the client or only the server and use multiple threads, so throughput for a single connection could theoretically be up to ~4x higher than the values from the benchmarks (when run on the same machine). 
@@ -74,9 +74,24 @@ heaptrack target/release/memory (pair|client|server) (s2n-tls|rustls|openssl) To do historical benchmarks, run `scripts/bench-past.sh`. This will checkout old versions of s2n-tls back to v1.3.16 in `target/` and run benchmarks on those with the `historical-perf` feature, disabling Rustls and OpenSSL benches. +## PKI Structure +``` + ┌────root──────┐ + │ │ + │ │ + ▼ │ + branch │ + │ │ + │ │ + │ │ + ▼ ▼ + leaf client +``` +`generate-certs.sh` will generate 4 certificates for each key type, with the signing relationships that are indicated in the diagram above. This cert chain length was chosen because it matches the cert chain length used by public AWS services. + ### Caveats -The last version benched is v1.3.16, since before that, the s2n-tls Rust bindings have a different API and would thus require a different bench harness to test. +The last version benched is v1.3.16, since before that, the s2n-tls Rust bindings have a different API and would thus require a different bench harness to test. v1.3.30-1.3.37 are not benched because of depedency issues when generating the Rust bindings. However, versions before and after are benched, so the overall trend in performance can still be seen without the data from these versions. 
@@ -87,7 +102,7 @@ Because these benches take a longer time to generate (>30 min), we include the r Notes: - Two sets of parameters for the handshake couldn't be benched before 1.3.40, since security policies that negotiated those policies as their top choice did not exist before then. - There is no data from 1.3.30 to 1.3.37 because those versions have a dependency issue that cause the Rust bindings not to build. However, there is data before and after that period, so the performance for those versions can be inferred via interpolation. -- The improvement in throughput in 1.3.28 was most likely caused by the addition of LTO to the default Rust bindings build. +- The improvement in throughput in 1.3.28 was most likely caused by the addition of LTO to the default Rust bindings build. - Since the benches are run over a long time, noise on the machine can cause variability, and background processes can cause spikes. - The variability can be seen with throughput especially because it is calculated as the inverse of time taken. @@ -97,11 +112,11 @@ Notes: ## Implementation details -We use Rust bindings for s2n-tls and OpenSSL. All of our benchmarks are run in Rust on a single thread for consistency. +We use Rust bindings for s2n-tls and OpenSSL. All of our benchmarks are run in Rust on a single thread for consistency. ### IO -To remove external factors, we use custom IO with our benchmarks, bypassing the networking layer and having the client and server connections transfer data to each other via a local buffer. +To remove external factors, we use custom IO with our benchmarks, bypassing the networking layer and having the client and server connections transfer data to each other via a local buffer. ### Certificate generation diff --git a/bindings/rust/bench/benches/resumption.rs b/bindings/rust/bench/benches/resumption.rs index 5ea1d8a40d7..e98887521e0 100644 --- a/bindings/rust/bench/benches/resumption.rs +++ b/bindings/rust/bench/benches/resumption.rs 
@@ -1,6 +1,6 @@ use bench::{ harness::TlsBenchConfig, CipherSuite, CryptoConfig, HandshakeType, KXGroup, S2NConnection, - SigType, TlsConnPair, TlsConnection, RustlsConnection, + SigType, TlsConnPair, TlsConnection, }; use criterion::{ criterion_group, criterion_main, measurement::WallTime, BatchSize, BenchmarkGroup, Criterion, @@ -69,18 +69,14 @@ pub fn bench_resumption(c: &mut Criterion) { // compare resumption savings across both client and server for sig_type in [SigType::Rsa2048, SigType::Ecdsa256] { let mut bench_group = c.benchmark_group(format!("resumption-pair-{:?}", sig_type)); - bench_group.sample_size(10); bench_handshake_pair::(&mut bench_group, sig_type); - bench_handshake_pair::(&mut bench_group, sig_type); } // only look at resumption savings for the server, specifically the work // done in the first rtt. for sig_type in [SigType::Rsa2048, SigType::Ecdsa384] { let mut bench_group = c.benchmark_group(format!("resumption-server-1rtt-{:?}", sig_type)); - bench_group.sample_size(10); bench_handshake_server_1rtt::(&mut bench_group, sig_type); - bench_handshake_server_1rtt::(&mut bench_group, sig_type); } } diff --git a/bindings/rust/bench/certs/config/client.cnf b/bindings/rust/bench/certs/config/client.cnf deleted file mode 100644 index a0e87cf3f21..00000000000 --- a/bindings/rust/bench/certs/config/client.cnf +++ /dev/null @@ -1,27 +0,0 @@ -[req] -distinguished_name = client_distinguished_name -prompt = no - -# these fields are used to force x509 to v3 certificates -# rustls will complain otherwise -x509_extensions = v3_req -req_extensions = req_ext - -[client_distinguished_name] -countryName = US -stateOrProvinceName = Washington -localityName = Seattle -organizationName = client -commonName = client.localhost - -[v3_req] -subjectAltName = @alt_names - -[req_ext] -subjectAltName = @alt_names - -[alt_names] -DNS = localhost - -[ usr_cert ] -basicConstraints=CA:TRUE # prev value was FALSE \ No newline at end of file 
diff --git a/bindings/rust/bench/scripts/generate-certs.sh b/bindings/rust/bench/scripts/generate-certs.sh index 032e24ea3e0..b2ac029a4f7 100755 --- a/bindings/rust/bench/scripts/generate-certs.sh +++ b/bindings/rust/bench/scripts/generate-certs.sh @@ -35,6 +35,15 @@ cert-gen () { mkdir -p $dir_name cd $dir_name + # The "basicConstraints" and "keyUsage" extensions are necessary for CA + # certificates that sign other certificates. Normally the openssl x509 tool + # will ignore the extensions requests in the .csr, but by using the + # copy_extensions=copyall flag we can pass the extensions from the .csr on + # to the final public certificate. + + # The advantage of manually specifying the extensions is that there is no + # dependency on any openssl config files + echo "generating CA private key and certificate" openssl req -new -noenc -x509 \ -newkey $key_family \ @@ -71,7 +80,8 @@ cert-gen () { -pkeyopt $argname$key_size \ -keyout client-key.pem \ -out client.csr \ - -config ../config/client.cnf + -subj "/C=US/CN=client" \ + -addext "subjectAltName = DNS:localhost" echo "generating intermediate certificate and signing it" openssl x509 -days 65536 \ @@ -96,8 +106,7 @@ cert-gen () { -CA ca-cert.pem \ -CAkey ca-key.pem \ -CAcreateserial -out client-cert.pem \ - -extensions req_ext \ - -extfile ../config/client.cnf + -copy_extensions=copyall touch server-chain.pem cat server-cert.pem >> server-chain.pem @@ -113,6 +122,7 @@ cert-gen () { echo "cleaning up temporary files" rm server.csr + rm intermediate.csr rm client.csr rm ca-key.pem diff --git a/bindings/rust/bench/src/harness.rs b/bindings/rust/bench/src/harness.rs index 97a4c70b0c9..237fbee534d 100644 --- a/bindings/rust/bench/src/harness.rs +++ b/bindings/rust/bench/src/harness.rs 
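Review bot: The new comment block says why `-copy_extensions=copyall` is used but not why it is acceptable here. `copyall` makes the signing step accept whatever extensions the CSR asks for, including `CA:true`, which is only safe because every CSR is produced by this same script. I would add a line such as `# copyall is safe only because the CSRs are generated locally; do not reuse it to sign a CSR from another party.` and correct "extensions requests" to "extension requests".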
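Review bot: The cleanup removes `ca-key.pem` and now `intermediate.csr`, but the visible lines leave `intermediate-key.pem` on disk. That key belongs to a certificate issued with `CA:true` and `keyCertSign`, is written unencrypted (`-noenc`), and is valid for 65536 days, so anyone holding the generated directory can issue further leaves that chain to this root. The harness's `PemType` list does not load an intermediate key, so it can get the same treatment as the root key: `rm intermediate-key.pem`. The hunk shows only part of the cleanup section, so this assumes the key is not removed further down.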
@@ -485,50 +485,6 @@ mod tests { } } - #[test] - fn rsa_2048() - { - let mut crypto_config = CryptoConfig::default(); - crypto_config.sig_type = SigType::Rsa2048; - let mut conn_pair = - TlsConnPair::::new_bench_pair(crypto_config, HandshakeType::ServerAuth).unwrap(); - conn_pair.handshake().unwrap(); - assert!(conn_pair.handshake_completed()); - } - - #[test] - fn rsa_4096() - { - let mut crypto_config = CryptoConfig::default(); - crypto_config.sig_type = SigType::Rsa4096; - let mut conn_pair = - TlsConnPair::::new_bench_pair(crypto_config, HandshakeType::ServerAuth).unwrap(); - conn_pair.handshake().unwrap(); - assert!(conn_pair.handshake_completed()); - } - - #[test] - fn ecdsa_256() - { - let mut crypto_config = CryptoConfig::default(); - crypto_config.sig_type = SigType::Ecdsa256; - let mut conn_pair = - TlsConnPair::::new_bench_pair(crypto_config, HandshakeType::ServerAuth).unwrap(); - conn_pair.handshake().unwrap(); - assert!(conn_pair.handshake_completed()); - } - - #[test] - fn ecdsa_384() - { - let mut crypto_config = CryptoConfig::default(); - crypto_config.sig_type = SigType::Ecdsa384; - let mut conn_pair = - TlsConnPair::::new_bench_pair(crypto_config, HandshakeType::ServerAuth).unwrap(); - conn_pair.handshake().unwrap(); - assert!(conn_pair.handshake_completed()); - } - fn session_resumption() where S: TlsConnection,