From 3a1e5518ad8544822040da85d34106e73022e844 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 26 Jan 2017 17:11:32 -0800 Subject: [PATCH 1/2] =?UTF-8?q?Fixes=20for=20TLS=20perf=20examples.=20Fixe?= =?UTF-8?q?d=20issue=20with=20server-tls-epll-threaded=20not=20doing=20wol?= =?UTF-8?q?fAsync=5FDevClose.=20Enhanced=20server-tls-epll-threaded=20to?= =?UTF-8?q?=20use=20the=20wolfAsync=5FDevOpenThread=20feature=20to=20assig?= =?UTF-8?q?n=20thread=20and=20QuickAssist=20core=20affinity.=20Added=20?= =?UTF-8?q?=E2=80=9C-a=E2=80=9D=20option=20on=20servers=20to=20allow=20TLS?= =?UTF-8?q?=20version=20downgrade.=20Enhancements=20to=20the=20Makefile.?= =?UTF-8?q?=20Other=20various=20cleanups.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- tls/Makefile | 15 +++++-- tls/client-tls-perf.c | 26 ++++++----- tls/server-tls-epoll-perf.c | 38 +++++++++------- tls/server-tls-epoll-threaded.c | 78 +++++++++++++++++++++------------ 4 files changed, 98 insertions(+), 59 deletions(-) diff --git a/tls/Makefile b/tls/Makefile index 6e03e5aa..012cb319 100755 --- a/tls/Makefile +++ b/tls/Makefile @@ -1,8 +1,14 @@ # TLS Examples Makefile CC=gcc -CFLAGS=-Wall -LIBS=-lwolfssl -lm +LIB_PATH=/usr/local +CFLAGS=-Wall -I$(LIB_PATH)/include +LIBS=-L$(LIB_PATH)/lib -lm +DYN_LIB=-lwolfssl +STATIC_LIB=$(LIB_PATH)/lib/libwolfssl.a DEBUG_FLAGS=-g -DDEBUG +DEBUG_INC_PATHS=-MD +OPTIMIZE=-Os + # Intel QuickAssist QAT_PATH=../../QAT1.6 
@@ -13,12 +19,15 @@ QAT_FLAGS=-DDO_CRYPTO -DUSER_SPACE \ -I$(QAT_PATH)/quickassist/utilities/osal/src/linux/user_space/include \ -I$(QAT_PATH)/quickassist/lookaside/access_layer/include \ -I$(QAT_PATH)/quickassist/lookaside/access_layer/src/common/include -QAT_LIBS=-L$(QAT_PATH) -ladf_proxy -losal -licp_qa_al_s +QAT_LIBS=-L$(QAT_PATH) -ladf_proxy -losal -licp_qa_al_s -lpthread # Options #CFLAGS+=$(DEBUG_FLAGS) +CFLAGS+=$(OPTIMIZE) #CFLAGS+=$(QAT_FLAGS) #LIBS+=$(QAT_LIBS) +#LIBS+=$(STATIC_LIB) +LIBS+=$(DYN_LIB) # OS / CPU Detection diff --git a/tls/client-tls-perf.c b/tls/client-tls-perf.c index 60b8f644..9b9d2f3d 100755 --- a/tls/client-tls-perf.c +++ b/tls/client-tls-perf.c @@ -139,10 +139,10 @@ static int devId = INVALID_DEVID; #endif -/* Get the wolfSSL server method function for the specified version. +/* Get the wolfSSL client method function for the specified version. * * version Protocol version to use. - * returns The server method function or NULL when version not supported. + * returns The client method function or NULL when version not supported. */ static wolfSSL_method_func SSL_GetMethod(int version) { @@ -677,13 +677,6 @@ static int WolfSSLCtx_Init(int version, char* cert, char* key, char* verifyCert, WOLFSSL_CTX* ctx; wolfSSL_method_func method = NULL; -#ifdef DEBUG_WOLFSSL - wolfSSL_Debugging_ON(); -#endif - - /* Initialize wolfSSL */ - wolfSSL_Init(); - method = SSL_GetMethod(version); if (method == NULL) return(EXIT_FAILURE); @@ -734,11 +727,10 @@ static int WolfSSLCtx_Init(int version, char* cert, char* key, char* verifyCert, */ static void WolfSSLCtx_Final(WOLFSSL_CTX* ctx) { + wolfSSL_CTX_free(ctx); #ifdef WOLFSSL_ASYNC_CRYPT wolfAsync_DevClose(&devId); #endif - wolfSSL_CTX_free(ctx); - wolfSSL_Cleanup(); } /* Create a socket to talf to server on and connect. @@ -811,7 +803,7 @@ static void Usage(void) */ int main(int argc, char* argv[]) { - socklen_t socketfd; + socklen_t socketfd = -1; int ch; WOLFSSL_CTX* ctx = NULL; SSLConn_CTX* sslConnCtx; 
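Review bot: `socklen_t socketfd = -1;` in the client `main` hunk initialises a socket descriptor with a type that is unsigned on common platforms, so the -1 becomes a large positive value and any later `socketfd < 0` / `!= -1` guard in main (outside the hunk) would not behave as intended. A descriptor should be declared `int socketfd = -1;`, with `socklen_t` reserved for address lengths. The reordering in `WolfSSLCtx_Final` (free the CTX, then close the async device) is the right dependency order and needs no change.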
@@ -930,6 +922,14 @@ int main(int argc, char* argv[]) } } + +#ifdef DEBUG_WOLFSSL + wolfSSL_Debugging_ON(); +#endif + + /* Initialize wolfSSL */ + wolfSSL_Init(); + /* Initialize wolfSSL and create a context object. */ if (WolfSSLCtx_Init(version, ourCert, ourKey, verifyCert, cipherList, &ctx) == EXIT_FAILURE) @@ -1003,6 +1003,8 @@ int main(int argc, char* argv[]) WolfSSLCtx_Final(ctx); + wolfSSL_Cleanup(); + exit(EXIT_SUCCESS); } diff --git a/tls/server-tls-epoll-perf.c b/tls/server-tls-epoll-perf.c index 944c6fd3..aad0fc0b 100755 --- a/tls/server-tls-epoll-perf.c +++ b/tls/server-tls-epoll-perf.c @@ -51,7 +51,7 @@ #define MAX_WOLF_EVENTS 10 /* The command line options. */ -#define OPTIONS "?p:v:l:c:k:A:n:N:R:W:B:" +#define OPTIONS "?p:v:al:c:k:A:n:N:R:W:B:" /* The default server certificate. */ #define SVR_CERT "../certs/server-cert.pem" @@ -151,7 +151,7 @@ static char reply[NUM_WRITE_BYTES]; * version Protocol version to use. * returns The server method function or NULL when version not supported. */ -static wolfSSL_method_func SSL_GetMethod(int version) +static wolfSSL_method_func SSL_GetMethod(int version, int allowDowngrade) { wolfSSL_method_func method = NULL; @@ -176,7 +176,7 @@ static wolfSSL_method_func SSL_GetMethod(int version) #ifndef NO_TLS case 3: - method = wolfTLSv1_2_server_method_ex; + method = allowDowngrade ? wolfSSLv23_server_method_ex : wolfTLSv1_2_server_method_ex; break; #endif } 
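Review bot: The `wolfSSL_Init()` call moved into the client `main` ignores its return value, so a failed library initialisation (for example an async/hardware backend that does not come up) is only noticed later as an unrelated CTX or handshake error; use `if (wolfSSL_Init() != SSL_SUCCESS) exit(EXIT_FAILURE);`. The comment that follows, `/* Initialize wolfSSL and create a context object. */`, is now stale because initialisation no longer happens in `WolfSSLCtx_Init`; `/* Create a wolfSSL context object. */` describes the call. The same unchecked `wolfSSL_Init()` appears in the server-tls-epoll-perf.c `main` hunk at -947/+944.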
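Review bot: In the server-tls-epoll-perf.c `SSL_GetMethod` hunk, `allowDowngrade` only changes the `case 3` method, so `-a` combined with `-v 0`, `-v 1` or `-v 2` is silently ignored; either reject that combination in option parsing or document that `-a` is meaningful only with the default version. Switching to `wolfSSLv23_server_method_ex` lets the server negotiate down to the oldest protocol the library was built to enable, and neither the usage line `printf("-a Allow TLS version downgrade\n");` nor the code states a floor; if a floor is intended, set it explicitly in `WolfSSLCtx_Init` with `wolfSSL_CTX_SetMinVersion` when `allowDowngrade` is set. The header comment above the hunk (`* version Protocol version to use.`) also needs an `allowDowngrade` entry, e.g. `* allowDowngrade When non-zero, allow negotiation below the requested version.`. The identical change in server-tls-epoll-threaded.c (`SSL_GetMethod`, hunk -222/+224) has the same three issues.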
@@ -632,20 +632,13 @@ static void SSLConn_PrintStats(SSLConn_CTX* ctx) * returns EXIT_SUCCESS when a wolfSSL context object is created and * EXIT_FAILURE otherwise. */ -static int WolfSSLCtx_Init(int version, char* cert, char* key, char* verifyCert, - char* cipherList, WOLFSSL_CTX** wolfsslCtx) +static int WolfSSLCtx_Init(int version, int allowDowngrade, char* cert, + char* key, char* verifyCert, char* cipherList, WOLFSSL_CTX** wolfsslCtx) { WOLFSSL_CTX* ctx; wolfSSL_method_func method = NULL; -#ifdef DEBUG_WOLFSSL - wolfSSL_Debugging_ON(); -#endif - - /* Initialize wolfSSL */ - wolfSSL_Init(); - - method = SSL_GetMethod(version); + method = SSL_GetMethod(version, allowDowngrade); if (method == NULL) return(EXIT_FAILURE); @@ -710,11 +703,10 @@ static int WolfSSLCtx_Init(int version, char* cert, char* key, char* verifyCert, */ static void WolfSSLCtx_Final(WOLFSSL_CTX* ctx) { + wolfSSL_CTX_free(ctx); #ifdef WOLFSSL_ASYNC_CRYPT wolfAsync_DevClose(&devId); #endif - wolfSSL_CTX_free(ctx); - wolfSSL_Cleanup(); } /* Create a random reply. @@ -802,6 +794,7 @@ static void Usage(void) printf("-p Port to listen on, not 0, default %d\n", wolfSSLPort); printf("-v SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n", SERVER_DEFAULT_VERSION); + printf("-a Allow TLS version downgrade\n"); printf("-l Cipher suite list (: delimited)\n"); printf("-c Certificate file, default %s\n", SVR_CERT); printf("-k Key file, default %s\n", SVR_KEY); @@ -836,6 +829,7 @@ int main(int argc, char* argv[]) char* ourKey = SVR_KEY; char* verifyCert = CLI_CERT; int version = SERVER_DEFAULT_VERSION; + int allowDowngrade= 0; int numConns = SSL_NUM_CONN; int numBytesRead = NUM_READ_BYTES; int numBytesWrite = NUM_WRITE_BYTES; @@ -867,6 +861,9 @@ int main(int argc, char* argv[]) exit(MY_EX_USAGE); } break; + case 'a': + allowDowngrade = 1; + break; /* List of cipher suites to use. */ case 'l': 
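Review bot: The new `WolfSSLCtx_Init(int version, int allowDowngrade, ...)` signature adds a parameter that the function's header comment does not describe; the parameter block sits just above the hunk, and it needs a line such as `* allowDowngrade Non-zero to allow negotiating a lower TLS version.`. In the `main` hunk, `int allowDowngrade= 0;` is missing the space before `=` that every neighbouring declaration has; write `int allowDowngrade = 0;`. The `WolfSSLCtx_Final` reorder (free the CTX before `wolfAsync_DevClose`) matches the client and is correct.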
@@ -947,8 +944,15 @@ int main(int argc, char* argv[]) if (events == NULL) exit(EXIT_FAILURE); +#ifdef DEBUG_WOLFSSL + wolfSSL_Debugging_ON(); +#endif + + /* Initialize wolfSSL */ + wolfSSL_Init(); + /* Initialize wolfSSL and create a context object. */ - if (WolfSSLCtx_Init(version, ourCert, ourKey, verifyCert, cipherList, &ctx) + if (WolfSSLCtx_Init(version, allowDowngrade, ourCert, ourKey, verifyCert, cipherList, &ctx) == -1) exit(EXIT_FAILURE); @@ -1091,6 +1095,8 @@ int main(int argc, char* argv[]) WolfSSLCtx_Final(ctx); + wolfSSL_Cleanup(); + exit(EXIT_SUCCESS); } diff --git a/tls/server-tls-epoll-threaded.c b/tls/server-tls-epoll-threaded.c index 8beee095..e67ee436 100755 --- a/tls/server-tls-epoll-threaded.c +++ b/tls/server-tls-epoll-threaded.c @@ -53,7 +53,7 @@ #define MAX_WOLF_EVENTS 10 /* The command line options. */ -#define OPTIONS "?p:v:l:c:k:A:t:n:N:R:W:B:" +#define OPTIONS "?p:v:al:c:k:A:t:n:N:R:W:B:" /* The default server certificate. */ #define SVR_CERT "../certs/server-cert.pem" @@ -150,7 +150,7 @@ static void SSLConn_Free(SSLConn_CTX* ctx); static void SSLConn_Close(SSLConn_CTX* ctx, ThreadData* threadData, SSLConn* sslConn); static void SSLConn_FreeSSLConn(ThreadData* threadData); -static void WolfSSLCtx_Final(WOLFSSL_CTX* ctx); +static void WolfSSLCtx_Final(ThreadData* threadData); /* The index of the command line option. */ @@ -178,6 +178,8 @@ static char* ourKey = SVR_KEY; static char* verifyCert = CLI_CERT; /* The version of SSL/TLS to use. */ static int version = SERVER_DEFAULT_VERSION; +/* The flag to indicate downgrade is allowed */ +static int allowDowngrade = 0; /* The number of threads to start. */ static int numThreads = NUM_THREADS; /* The number of connections per threads to allow. */ 
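Review bot: The rewritten call `if (WolfSSLCtx_Init(version, allowDowngrade, ourCert, ourKey, verifyCert, cipherList, &ctx) == -1)` can never detect failure, because `WolfSSLCtx_Init` returns `EXIT_FAILURE` (visible in the -632/+632 hunk), not -1; on a bad certificate, key or cipher list the server continues with `ctx` left NULL. Compare against the documented value, `!= EXIT_SUCCESS`, as the client already does with `== EXIT_FAILURE`. The same `== -1` comparison is reintroduced in `ThreadHandler` in server-tls-epoll-threaded.c (hunk -879/+890), where the thread then proceeds with `threadData->ctx` NULL. The line is also over 80 columns while the rest of the file wraps; splitting it after `ourKey,` would match the surrounding style.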
@@ -197,7 +199,7 @@ static int maxConns = MAX_CONNECTIONS; * version Protocol version to use. * returns The server method function or NULL when version not supported. */ -static wolfSSL_method_func SSL_GetMethod(int version) +static wolfSSL_method_func SSL_GetMethod(int version, int allowDowngrade) { wolfSSL_method_func method = NULL; @@ -222,7 +224,7 @@ static wolfSSL_method_func SSL_GetMethod(int version) #ifndef NO_TLS case 3: - method = wolfTLSv1_2_server_method_ex; + method = allowDowngrade ? wolfSSLv23_server_method_ex : wolfTLSv1_2_server_method_ex; break; #endif } @@ -444,9 +446,10 @@ static void SSLConn_Free(SSLConn_CTX* ctx) while (threadData->sslConn != NULL) SSLConn_Close(ctx, threadData, threadData->sslConn); SSLConn_FreeSSLConn(threadData); - WolfSSLCtx_Final(threadData->ctx); + WolfSSLCtx_Final(threadData); } free(ctx->threadData); + ctx->threadData = NULL; free(ctx); } @@ -515,6 +518,7 @@ static void SSLConn_FreeSSLConn(ThreadData* threadData) ; #endif wolfSSL_free(sslConn->ssl); + sslConn->ssl = NULL; close(sslConn->sockfd); free(sslConn); 
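Review bot: The new parameter `int allowDowngrade` of `SSL_GetMethod` has the same name as the new file-scope `static int allowDowngrade = 0;` added in the -178/+178 hunk, so the parameter shadows the global (as `version` already shadows `static int version`); `-Wshadow` will flag both and a reader cannot tell at a glance which one a given use refers to. Either give the parameters distinct names (for example `int useDowngrade`) or drop them and read the file-scope flags, which is what the rest of this file does for its configuration. The `ctx->threadData = NULL;` and `sslConn->ssl = NULL;` stores are harmless but immediately followed by `free()` of the containing struct, so they do not provide the use-after-free protection they suggest.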
@@ -736,69 +740,71 @@ static void SSLConn_PrintStats(SSLConn_CTX* ctx) * returns EXIT_SUCCESS when a wolfSSL context object is created and * EXIT_FAILURE otherwise. */ -static int WolfSSLCtx_Init(int version, char* cert, char* key, char* verifyCert, - char* cipherList, int* devId, - WOLFSSL_CTX** wolfsslCtx) +static int WolfSSLCtx_Init(ThreadData* threadData, int version, int allowDowngrade, + char* cert, char* key, char* verifyCert, char* cipherList) { - WOLFSSL_CTX* ctx; wolfSSL_method_func method = NULL; - method = SSL_GetMethod(version); + method = SSL_GetMethod(version, allowDowngrade); if (method == NULL) return(EXIT_FAILURE); /* Create and initialize WOLFSSL_CTX structure */ - if ((ctx = wolfSSL_CTX_new(method(NULL))) == NULL) { + if ((threadData->ctx = wolfSSL_CTX_new(method(NULL))) == NULL) { fprintf(stderr, "wolfSSL_CTX_new error.\n"); return(EXIT_FAILURE); } #ifdef WOLFSSL_ASYNC_CRYPT - if (wolfAsync_DevOpen(devId) != 0) { +#ifndef WC_NO_ASYNC_THREADING + if (wolfAsync_DevOpenThread(&threadData->devId, &threadData->thread_id) < 0) +#else + if (wolfAsync_DevOpen(&threadData->devId) < 0) +#endif + { fprintf(stderr, "Async device open failed\nRunning without async\n"); } - wolfSSL_CTX_UseAsync(ctx, *devId); + wolfSSL_CTX_UseAsync(threadData->ctx, threadData->devId); #endif /* Load server certificate into WOLFSSL_CTX */ - if (wolfSSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM) + if (wolfSSL_CTX_use_certificate_file(threadData->ctx, cert, SSL_FILETYPE_PEM) != SSL_SUCCESS) { fprintf(stderr, "Error loading %s, please check the file.\n", cert); - wolfSSL_CTX_free(ctx); + WolfSSLCtx_Final(threadData); return(EXIT_FAILURE); } /* Load server key into WOLFSSL_CTX */ - if (wolfSSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) + if (wolfSSL_CTX_use_PrivateKey_file(threadData->ctx, key, SSL_FILETYPE_PEM) != SSL_SUCCESS) { fprintf(stderr, "Error loading %s, please check the file.\n", key); - wolfSSL_CTX_free(ctx); + WolfSSLCtx_Final(threadData); 
return(EXIT_FAILURE); } /* Setup client authentication. */ - wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); - if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) { + wolfSSL_CTX_set_verify(threadData->ctx, SSL_VERIFY_PEER, 0); + if (wolfSSL_CTX_load_verify_locations(threadData->ctx, verifyCert, 0) != SSL_SUCCESS) { fprintf(stderr, "Error loading %s, please check the file.\n", verifyCert); - wolfSSL_CTX_free(ctx); + WolfSSLCtx_Final(threadData); return(EXIT_FAILURE); } if (cipherList != NULL) { - if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS) { + if (wolfSSL_CTX_set_cipher_list(threadData->ctx, cipherList) != SSL_SUCCESS) { fprintf(stderr, "Server can't set cipher list.\n"); - wolfSSL_CTX_free(ctx); + WolfSSLCtx_Final(threadData); return(EXIT_FAILURE); } } #ifndef NO_DH - SetDHCtx(ctx); + SetDHCtx(threadData->ctx); #endif - *wolfsslCtx = ctx; return EXIT_SUCCESS; } @@ -806,9 +812,14 @@ static int WolfSSLCtx_Init(int version, char* cert, char* key, char* verifyCert, * * ctx The wolfSSL context object. */ -static void WolfSSLCtx_Final(WOLFSSL_CTX* ctx) +static void WolfSSLCtx_Final(ThreadData* threadData) { - wolfSSL_CTX_free(ctx); + wolfSSL_CTX_free(threadData->ctx); + threadData->ctx = NULL; + +#ifdef WOLFSSL_ASYNC_CRYPT + wolfAsync_DevClose(&threadData->devId); +#endif } /* Create a socket to listen on and wait for first client. @@ -879,8 +890,7 @@ static void *ThreadHandler(void *data) #endif /* Initialize wolfSSL and create a context object. */ - if (WolfSSLCtx_Init(version, ourCert, ourKey, verifyCert, cipherList, - &threadData->devId, &threadData->ctx) == -1) { + if (WolfSSLCtx_Init(threadData, version, allowDowngrade, ourCert, ourKey, verifyCert, cipherList) == -1) { exit(EXIT_FAILURE); } 
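Review bot: The `WolfSSLCtx_Final` header comment still documents `* ctx The wolfSSL context object.` although the parameter is now `ThreadData* threadData`; change it to `* threadData Per-thread state whose ctx and devId are released.`. In `WolfSSLCtx_Init` the header comment above the hunk presumably still lists `devId` and `wolfsslCtx`, both removed from the signature, and needs `threadData` and `allowDowngrade` entries instead. In the async block, when `wolfAsync_DevOpenThread`/`wolfAsync_DevOpen` fails the code prints "Running without async" but still calls `wolfSSL_CTX_UseAsync(threadData->ctx, threadData->devId);` with whatever `devId` the failed open left behind; this shape predates the commit, but since the lines are rewritten here it would be cleaner to put the `UseAsync` call in an `else` branch so the CTX is only bound to a device that actually opened.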
@@ -1061,6 +1071,7 @@ static void Usage(void) printf("-p Port to listen on, not 0, default %d\n", DEFAULT_PORT); printf("-v SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n", SERVER_DEFAULT_VERSION); + printf("-a Allow TLS version downgrade\n"); printf("-l Cipher suite list (: delimited)\n"); printf("-c Certificate file, default %s\n", SVR_CERT); printf("-k Key file, default %s\n", SVR_KEY); @@ -1105,6 +1116,9 @@ int main(int argc, char* argv[]) exit(MY_EX_USAGE); } break; + case 'a': + allowDowngrade = 1; + break; /* List of cipher suites to use. */ case 'l': @@ -1193,6 +1207,10 @@ int main(int argc, char* argv[]) wolfSSL_Debugging_ON(); #endif +#ifdef WOLFSSL_ASYNC_CRYPT + wolfAsync_HardwareStart(); +#endif + /* Initialize wolfSSL */ wolfSSL_Init(); @@ -1222,6 +1240,10 @@ int main(int argc, char* argv[]) wolfSSL_Cleanup(); +#ifdef WOLFSSL_ASYNC_CRYPT + wolfAsync_HardwareStop(); +#endif + exit(EXIT_SUCCESS); } From a8a68e5f44bb1e24d193afdbdd387173a053879d Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 30 Jan 2017 14:25:51 -0800 Subject: [PATCH 2/2] Fix async write handling in client-tls-perf. --- tls/client-tls-perf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tls/client-tls-perf.c b/tls/client-tls-perf.c index 9b9d2f3d..c9d58b03 100755 --- a/tls/client-tls-perf.c +++ b/tls/client-tls-perf.c @@ -212,6 +212,8 @@ static int SSL_Write(WOLFSSL* ssl, char* reply, int replyLen, int* totalBytes, return 2; if (error == SSL_ERROR_WANT_WRITE) return 3; + if (error == WC_PENDING_E) + return 4; if (error == 0) return 1; @@ -980,8 +982,7 @@ int main(int argc, char* argv[]) printf("ERROR: failed in async polling\n"); break; } - - if (ret == 1) + if (ret == 0) continue; } sslConn->err = 0;
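Review bot: The new `wolfAsync_HardwareStart();` in the threaded server's `main` discards its result, so if the hardware back end fails to start the process continues and every thread later reports an opaque "Async device open failed"; if the function reports failure (it appears to return a status in the async API), check it and exit with a message naming the hardware start. The matching `wolfAsync_HardwareStop()` after `wolfSSL_Cleanup()` is in the right place. `main` continues outside both hunks.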
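Review bot: `SSL_Write`'s new `return 4;` for `WC_PENDING_E` adds a fourth bare numeric return code to a contract that callers switch on, and the function's header comment (above the hunk) presumably enumerates the existing codes and now needs the new one documented. Naming the codes with an `enum` rather than literals 1–4 would make the `main` change from `if (ret == 1)` to `if (ret == 0)` reviewable; as written I cannot tell from the hunk which `ret` that test reads (the async-poll loop around it is outside the hunk), so please confirm it is the poll result and not `SSL_Write`'s code, where 0 is not a defined value.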