diff --git a/.gitignore b/.gitignore
index 9e0f3f8506edc729dffa08bcae7f110f0b2bd58b..2dc9425f8e2c8459242bee44fef14c77063e73f6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,5 @@ tags
 emulation-exp/code/tmp/
 # emulation-exp/code/kex/data
 # emulation-exp/code/sig/data
+
+tmp/
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/Makefile b/pq-tls-benchmark-framework/emulation-exp/code/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..4d60f59dbeb1f4e287f61b038f2cbf0d84565491
--- /dev/null
+++ b/pq-tls-benchmark-framework/emulation-exp/code/Makefile
@@ -0,0 +1,41 @@
+PWD=$(shell pwd)
+
+
+
+install_curl: install_ngtcp2 install_quictls
+ cd tmp && \
+ wget https://curl.se/download/curl-8.8.0.tar.gz && \
+ tar -zxvf curl-8.8.0.tar.gz
+ cd tmp/curl-8.8.0 && \
+ ./configure --prefix=${PWD}/tmp/curl --with-openssl=${PWD}/tmp/openssl && \
+ exit 1
+ make && \
+ make install
+
+install_ngtcp2: ensure_tmp_dir_exists install_libev
+ cd tmp && \
+ sh ../install-ngtcp2.sh
+
+# install_quictls: ensure_tmp_dir_exists
+# cd tmp && \
+# git clone --depth 1 -b openssl-3.1.4+quic https://github.com/quictls/openssl && \
+# cd openssl && \
+# ./config enable-tls1_3 --prefix=<somewhere1> && \
+# make && \
+# make install
+
+install_libev:
+ sudo apt install libev-dev
+
+ensure_tmp_dir_exists:
+ mkdir -p tmp
+
+clean:
+ rm -rf tmp/curl-8.8.0
+ rm -rf tmp/curl-8.8.0.tar.gz
+ rm -rf tmp/ngtcp2
+ rm -rf tmp/wolfssl
+ rm -rf tmp/nghttp3
+
+echo_pwd:
+ echo $(PWD)
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/install-ngtcp2.sh b/pq-tls-benchmark-framework/emulation-exp/code/install-ngtcp2.sh
new file mode 100644
index 0000000000000000000000000000000000000000..f7f0e2a209c9ef3eedc493845ba3b43872c96412
--- /dev/null
+++ b/pq-tls-benchmark-framework/emulation-exp/code/install-ngtcp2.sh
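Review bot: `install_curl` names `install_quictls` as a prerequisite, but that target only exists in the commented-out block below, so `make install_curl` stops with a missing-rule error before any recipe runs; either restore the target or drop it from the prerequisite list. The configure recipe also ends in `&& \` followed by `exit 1`, which fails the build unconditionally right after configure and reads like a debugging stop that was not removed, and the `make` / `make install` lines that follow should be `$(MAKE)` so `-j` and `-n` propagate. The curl tarball is fetched with no integrity check; curl publishes SHA-256 sums and signatures for each release, so compare the download against a digest recorded in the repo before `tar -zxvf`. None of these targets are files, so a `.PHONY: install_curl install_ngtcp2 install_libev ensure_tmp_dir_exists clean echo_pwd` line is needed, and `PWD=$(shell pwd)` can be replaced by the built-in `$(CURDIR)`.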
@@ -0,0 +1,29 @@
+# This script is copied from the ngtcp2 repositories README.md, it got modified sligthly. It gets executed by a Makefile.
+set -eux
+git clone --depth 1 -b v5.7.0-stable https://github.com/wolfSSL/wolfssl
+cd wolfssl
+autoreconf -i
+# For wolfSSL < v5.6.6, append --enable-quic.
+./configure --prefix=$PWD/build \
+ --enable-all --enable-aesni --enable-harden --enable-keylog-export \
+ --disable-ech
+make -j$(nproc)
+make install
+cd ..
+
+git clone --recursive https://github.com/ngtcp2/nghttp3
+cd nghttp3
+autoreconf -i
+./configure --prefix=$PWD/build --enable-lib-only
+make -j$(nproc) check
+make install
+cd ..
+
+git clone --recursive https://github.com/ngtcp2/ngtcp2
+cd ngtcp2
+autoreconf -i
+# For Mac users who have installed libev with MacPorts, append
+# LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
+./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
+ --with-wolfssl
+make -j$(nproc) check
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/install-prereqs-ubuntu.sh b/pq-tls-benchmark-framework/emulation-exp/code/install-prereqs-ubuntu.sh
index b389a0361073c215f9cce89fa9f5b4574d509924..46d3cba3848270f03b6030a08038c2e241292ccf 100755
--- a/pq-tls-benchmark-framework/emulation-exp/code/install-prereqs-ubuntu.sh
+++ b/pq-tls-benchmark-framework/emulation-exp/code/install-prereqs-ubuntu.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
 set -ex
-apt update
-apt install -y git \
+# Make sure to have a recent version of openssl installed by default. For example by having an up to date os version.
+
+sudo apt update
+sudo apt install -y git \
 build-essential \
 autoconf \
 automake \
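Review bot: nghttp3 and ngtcp2 are cloned from their default branch with nothing pinned (`git clone --recursive https://github.com/ngtcp2/nghttp3` and the same for ngtcp2), so the build is not reproducible and an upstream change silently changes what the benchmark measures; pin both the way wolfSSL is pinned, and preferably to a commit hash as install-prereqs-ubuntu.sh does for liboqs, since the `v5.7.0-stable` tag itself can move. The final ngtcp2 step only runs `make -j$(nproc) check` with no `--prefix` and no `make install`, so this script leaves nothing in the `tmp/` layout that the Makefile's `install_curl` then expects; if that is intended, a comment saying where the built tree is consumed would help. `--enable-keylog-export` builds the TLS key-log hook into wolfSSL, which is reasonable for an emulation build but worth a comment so the resulting library is not reused elsewhere. The file has no shebang and relies on the Makefile's `sh ../install-ngtcp2.sh`; adding `#!/bin/sh` as the first line makes that explicit.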
@@ -12,45 +14,64 @@ apt install -y git \
 libpcre3-dev \
 wget
-NGINX_VERSION=1.20.1
-CMAKE_VERSION=3.18
-CMAKE_BUILD=3
+NGINX_VERSION=1.26.1
+CMAKE_VERSION=3.30
+CMAKE_BUILD=0
 mkdir -p tmp
 cd tmp
 ROOT=$(pwd)
 # Fetch all the files we need
-wget https://cmake.org/files/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-Linux-x86_64.sh
-git clone -n --single-branch --branch main https://github.com/open-quantum-safe/liboqs.git
-cd liboqs
-git checkout 2e2ddb4e0493014694820471396984b30d59cf97
-cd ..
-git clone -n --single-branch --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl.git
-cd openssl
-git checkout 63b48cdde3cdf8dab966e31ea277e03e2d233f57
-cd ..
+wget https://cmake.org/files/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh
+git clone --no-checkout --single-branch --branch main https://github.com/open-quantum-safe/liboqs.git
+(cd liboqs && git checkout d2089c5017fc45f4dce2f6516b3e9ad337946600)
+git clone --no-checkout --single-branch --branch main https://github.com/open-quantum-safe/oqs-provider.git
+(cd oqs-provider && git checkout 8f37521d5e27ab4d1e0d69a4b4a5bd17927b24b9)
+git clone --no-checkout --single-branch --branch master https://github.com/openssl/openssl.git
+(cd openssl && git checkout 2a45839778955ffcab01918f10544d46e42f9a5b)
 wget nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && tar -zxvf nginx-${NGINX_VERSION}.tar.gz
 # Install the latest CMake
 mkdir cmake
-sh cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-Linux-x86_64.sh --skip-license --prefix=${ROOT}/cmake
+sh cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh --skip-license --prefix=${ROOT}/cmake
+
+# Build OpenSSL so 'libcrypto.so' is avaiable for the build of liboqs. With Ubuntu 22.04 not longer needed.
+# (
+# cd openssl-source
+# ./Configure --prefix=${ROOT}/openssl/ --openssldir=${ROOT}/openssl/
+# make
+# make install
+# )
+
 # build liboqs
-cd liboqs
-mkdir build && cd build
-${ROOT}/cmake/bin/cmake -GNinja -DCMAKE_INSTALL_PREFIX=${ROOT}/openssl/oqs ..
-ninja && ninja install
+(
+ cd liboqs
+ mkdir build && cd build
+ # --install-prefix could do the same
+ # It needs the libcrypto library, either in .a or .so format, in 'openssl' it is .so and in 'openssl-source' it is .a
+ # -- Found OpenSSL: /absolute-path-to/tmp/openssl/lib64/libcrypto.so (found suitable version "3.0.2", minimum required is "1.1.1")
+ # OPENSSL_ROOT_DIR=${ROOT}/openssl/ ${ROOT}/cmake/bin/cmake -GNinja -DCMAKE_INSTALL_PREFIX=${ROOT}/openssl/oqs ..
+ ${ROOT}/cmake/bin/cmake -GNinja -DCMAKE_INSTALL_PREFIX=${ROOT}/openssl/oqs ..
+ ninja && ninja install
+)
 # build nginx (which builds OQS-OpenSSL)
-cd ${ROOT}
-cd nginx-${NGINX_VERSION}
-./configure --prefix=${ROOT}/nginx \
- --with-debug \
- --with-http_ssl_module --with-openssl=${ROOT}/openssl \
- --without-http_gzip_module \
- --with-cc-opt="-I ${ROOT}/openssl/oqs/include" \
- --with-ld-opt="-L ${ROOT}/openssl/oqs/lib";
-sed -i 's/libcrypto.a/libcrypto.a -loqs/g' objs/Makefile;
-sed -i 's/EVP_MD_CTX_create/EVP_MD_CTX_new/g; s/EVP_MD_CTX_destroy/EVP_MD_CTX_free/g' src/event/ngx_event_openssl.c;
-make && make install;
+# NOTE openssl gets built a second time here, maybe this can be avoided
+(
+ cd nginx-${NGINX_VERSION}
+ # NOTE why --without-http_gzip_module
+ ./configure --prefix=${ROOT}/nginx \
+ --with-debug \
+ --with-http_v2_module \
+ --with-http_v3_module \
+ --with-http_ssl_module --with-openssl=${ROOT}/openssl \
+ --without-http_gzip_module \
+ --with-cc-opt="-I ${ROOT}/openssl/include" \
+ --with-ld-opt="-L ${ROOT}/openssl/lib64";
+ # sed -i 's/libcrypto.a/libcrypto.a -loqs/g' objs/Makefile;
+ # NOTE why change this?
+ sed -i 's/EVP_MD_CTX_create/EVP_MD_CTX_new/g; s/EVP_MD_CTX_destroy/EVP_MD_CTX_free/g' src/event/ngx_event_openssl.c;
+ make && make install;
+)
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf b/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf
index 99e2a997adb29c032ccd9d87529b6baba68064a6..d1e2fabf1ce17ca25be5f9487043488d4925df56 100644
--- a/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf
+++ b/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf
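Review bot: The CMake installer is downloaded and immediately executed (`sh cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh --skip-license ...`) with no integrity check; cmake.org publishes a SHA-256 sums file and a signature next to each release, so fetch it and run `sha256sum -c` on the installer, or compare against a digest recorded in this repository, before running it. The unchanged `wget nginx.org/download/...` line above has the same gap and, having no URL scheme, is fetched over plain HTTP by default. In the nginx block, the `sed -i 's/EVP_MD_CTX_create/EVP_MD_CTX_new/g; ...'` edit is carried over from the OQS-OpenSSL 1.1.1 build and the adjacent `# NOTE why change this?` shows its purpose is no longer known; with nginx 1.26.1 built against the pinned OpenSSL master checkout it is probably a no-op, so either document why it is kept or drop it. `--with-openssl=${ROOT}/openssl` makes nginx rebuild OpenSSL from that tree, as the NOTE says; pointing `--with-cc-opt`/`--with-ld-opt` at an already-installed prefix instead avoids the second build.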
@@ -1,115 +1,63 @@ -# Our experiment used: worker_processes 21 -worker_processes 4; +# Running nginx with sudo results in a 403 Forbidden error. This can be solved by running ngins without sudo through using ports which do not require root access. For example, 8080 and 8443. -error_log logs/error.log; -#error_log logs/error.log debug; - -#pid logs/nginx.pid; +worker_processes 4; +error_log logs/debug.log debug; +error_log logs/error.log; events { - worker_connections 1024; + worker_connections 1024; } - http { - include mime.types; - default_type application/octet-stream; - - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; + include mime.types; + default_type application/octet-stream; - #access_log logs/access.log main; + log_format quic '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$http3"'; + access_log logs/access.log quic; - sendfile on; - #tcp_nopush on; - - #keepalive_timeout 0; - keepalive_timeout 65; - - #gzip on; + sendfile on; + keepalive_timeout 65; + # gzip on; server { - listen 80; - server_name localhost; - - #charset koi8-r; + listen 8080; + # server_name can matter if multiple virtual servers are running on the same port, otherwise the first one defined is used anyway. 
+ server_name localhost; - #access_log logs/host.access.log main; + # redirect to https + return 307 https://$host:8443$request_uri; - location / { - root html; - index index.html index.htm; - } - - #error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root html; - } - - # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # - #location ~ \.php$ { - # proxy_pass http://127.0.0.1; - #} - - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # root html; - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # include fastcgi_params; - #} - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} + # location / { + # root html; + # index index.html index.htm; + # } } - - # another virtual host using mix of IP-, name-, and port-based configuration - # - #server { - # listen 8000; - # listen somename:8080; - # server_name somename alias another.alias; - - # location / { - # root html; - # index index.html index.htm; - # } - #} - - - # HTTPS server - # server { - listen 10.0.0.1:4433 ssl; - server_name localhost; - - ssl_certificate server.crt; - ssl_certificate_key server.key; + listen 8443 quic reuseport default_server; + listen [::]:8443 quic reuseport default_server; # for ipv6 addresses + listen 8443 ssl; + listen [::]:8443 ssl; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 5m; + http3 on; + # ssl_protocols TLSv1.3; - ssl_protocols TLSv1.3; - client_header_timeout 67234s; + # quic_retry on; + # ssl_early_data on; + ssl_certificate server.crt; + ssl_certificate_key server.key; location / { - root html; - index index.html index.htm; + root html; + index index.html index.htm; + + add_header alt-svc 'h3=":$server_port", ma=1800'; # h3-23 is the draft 
version of the HTTP/3 protocol + add_header x-quic 'h3'; + add_header Cache-Control 'no-store'; } } -} +} \ No newline at end of file diff --git a/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf.old b/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf.old new file mode 100644 index 0000000000000000000000000000000000000000..f3339b2fdf62a0d5bc280572e3250ac62cac49fc --- /dev/null +++ b/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf.old 
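Review bot: The Alt-Svc value is malformed: `add_header alt-svc 'h3=":$server_port", ma=1800';` separates the parameter with a comma, but RFC 7838 separates an alternative from its parameters with `;` and uses `,` only between alternatives, so `ma=1800` is parsed as a second, bogus alternative; the replaced file's `'h3=":8443"; ma=86400'` had the right shape, and the trailing `# h3-23 is the draft version ...` comment is obsolete. `ssl_protocols TLSv1.3;` now survives only as a comment, so the TCP listener on 8443 falls back to nginx's default protocol set and a client may negotiate TLS 1.2, which cannot carry the post-quantum hybrid key exchange this benchmark measures; restore `ssl_protocols TLSv1.3;` in the 8443 server block. `error_log logs/debug.log debug;` enables debug-level logging for every connection, which adds I/O on the measured path and should be disabled for timing runs. The file also now ends without a trailing newline.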
@@ -0,0 +1,142 @@ +# Our experiment used: worker_processes 21 +worker_processes 4; + +error_log logs/debug.log debug; +error_log logs/error.log; +#error_log logs/error.log debug; + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + log_format quic '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$http3"'; + + access_log logs/access.log quic; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + + server { + listen 80; + server_name localhost; + + #charset koi8-r; + + #access_log logs/host.access.log main; + + location / { + root html; + index index.html index.htm; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} + } + + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS/TLS server + # + server { + 
# listen 10.0.0.1:4433 ssl; + listen 4433 ssl; + server_name localhost; + + ssl_certificate server.crt; + ssl_certificate_key server.key; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_protocols TLSv1.3; + client_header_timeout 67234s; + + location / { + root html; + index index.html index.htm; + } + } + + # HTTPS/QUIC server + server { + # listen 10.0.0.1:8443 quic; + listen 8443 quic reuseport; + listen 8443 ssl; + server_name localhost; + + ssl_certificate server.crt; + ssl_certificate_key server.key; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + location / { + # used to advertise the availability of HTTP/3 + add_header Alt-Svc 'h3=":8443"; ma=86400'; + root html; + index index.html index.htm; + } + } + +} diff --git a/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/setup.sh b/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/setup.sh index 45c406c25abb25273b3c13f7c3cc75e59333d52a..becff33d760dd93732c62480f693d1fd49e37ab8 100755 --- a/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/setup.sh +++ b/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/setup.sh 
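Review bot: This file is a lightly edited snapshot of the previous nginx.conf, and committing a `.old` copy duplicates what git history already keeps while leaving a second config that `setup.sh`'s `cp nginx.conf ${NGINX_CONF_DIR}/nginx.conf` never loads. If it has to stay as a reference, a first-line comment such as `# Superseded by nginx.conf; kept for comparison only, not loaded by setup.sh` would stop it from being edited by mistake. It also still carries `client_header_timeout 67234s;`, which a reader could copy back into the live config.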
@@ -17,19 +17,22 @@ make s_timer.o
 ##########################
 # Setup network namespaces
 ##########################
-${ROOT}/setup_ns.sh
+sudo ${ROOT}/setup_ns.sh
 ##########################
 # Generate ECDSA P-256 cert
 ##########################
+# Add custom build OpenSSL to the ld library path, so it can be used by the openssl binary
+# export LD_LIBRARY_PATH=${ROOT}/tmp/openssl/lib64:$LD_LIBRARY_PATH
+
 # generate curve parameters
 ${OPENSSL} ecparam -out prime256v1.pem -name prime256v1
 # generate CA key and cert
-${OPENSSL} req -x509 -new -newkey ec:prime256v1.pem -keyout ${NGINX_CONF_DIR}/CA.key -out ${NGINX_CONF_DIR}/CA.crt -nodes -subj "/CN=OQS test ecdsap256 CA" -days 365 -config ${OPENSSL_CNF}
+${OPENSSL} req -x509 -new -newkey ec:prime256v1.pem -keyout ${NGINX_CONF_DIR}/CA.key -out ${NGINX_CONF_DIR}/CA.crt -noenc -subj "/CN=oqstest CA ecdsap256" -days 365 -config ${OPENSSL_CNF}
 # generate server CSR
-${OPENSSL} req -new -newkey ec:prime256v1.pem -keyout ${NGINX_CONF_DIR}/server.key -out ${NGINX_CONF_DIR}/server.csr -nodes -subj "/CN=oqstest CA ecdsap256" -config ${OPENSSL_CNF}
+${OPENSSL} req -new -newkey ec:prime256v1.pem -keyout ${NGINX_CONF_DIR}/server.key -out ${NGINX_CONF_DIR}/server.csr -noenc -subj "/CN=oqstest server ecdsap256" -config ${OPENSSL_CNF}
 # generate server cert
 ${OPENSSL} x509 -req -in ${NGINX_CONF_DIR}/server.csr -out ${NGINX_CONF_DIR}/server.crt -CA ${NGINX_CONF_DIR}/CA.crt -CAkey ${NGINX_CONF_DIR}/CA.key -CAcreateserial -days 365
@@ -38,4 +41,6 @@ ${OPENSSL} x509 -req -in ${NGINX_CONF_DIR}/server.csr -out ${NGINX_CONF_DIR}/ser
 # Start nginx
 ##########################
 cp nginx.conf ${NGINX_CONF_DIR}/nginx.conf
-ip netns exec srv_ns ${NGINX_APP}
+echo "EXITING EARLY NOW"
+exit 0
+sudo ip netns exec srv_ns ${NGINX_APP}
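Review bot: The second hunk inserts `echo "EXITING EARLY NOW"` and `exit 0` directly before `sudo ip netns exec srv_ns ${NGINX_APP}`, so the script now creates the namespaces and certificates, copies the config, and then returns success without ever starting nginx; this reads as a debugging stop that should not be committed, so delete both lines (or gate them behind an explicitly documented environment variable). In the first hunk the commented-out `# export LD_LIBRARY_PATH=${ROOT}/tmp/openssl/lib64:$LD_LIBRARY_PATH` is a step that matters silently if the custom OpenSSL build is required for `-noenc` or for the provider; either enable it or replace it with a comment stating when it is needed. The new `-subj` values give the CA and the server distinct CNs, fixing the earlier copy-paste where the server CSR was issued as `/CN=oqstest CA ecdsap256`; that is worth a word in the commit message since it changes the certificate chain the clients see.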
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/teardown.sh b/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/teardown.sh
index efc4eaf092086813a143dd42398ec90ddd985669..b2a71b631934753fb039c143a99452894429c739 100755
--- a/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/teardown.sh
+++ b/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/teardown.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -x
 ROOT="$(dirname $(pwd))"
 NGINX_APP=${ROOT}/tmp/nginx/sbin/nginx
@@ -6,7 +7,7 @@ NGINX_APP=${ROOT}/tmp/nginx/sbin/nginx
 ##########################
 # Stop nginx
 ##########################
-ip netns exec srv_ns ${NGINX_APP} -s stop
+sudo ip netns exec srv_ns ${NGINX_APP} -s stop
 ##########################
 # Remove files
@@ -18,5 +19,5 @@ rm -r scripts/__pycache__
 ##########################
 # Remove network namespaces
 ##########################
-ip netns del cli_ns
-ip netns del srv_ns
+sudo ip netns del cli_ns
+sudo ip netns del srv_ns
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/setup_ns.sh b/pq-tls-benchmark-framework/emulation-exp/code/setup_ns.sh
index 6fc3e29721f23b77b7b0077a0b088f917fc5fb38..5e5e4d709580e5a2f5e55b8ab271cd39356c5271 100755
--- a/pq-tls-benchmark-framework/emulation-exp/code/setup_ns.sh
+++ b/pq-tls-benchmark-framework/emulation-exp/code/setup_ns.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -x
+set -ex
 ##########################
 # Setup network namespaces