diff --git a/.gitignore b/.gitignore
index 9e0f3f8506edc729dffa08bcae7f110f0b2bd58b..2dc9425f8e2c8459242bee44fef14c77063e73f6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,5 @@ tags
emulation-exp/code/tmp/
# emulation-exp/code/kex/data
# emulation-exp/code/sig/data
+
+tmp/
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/Makefile b/pq-tls-benchmark-framework/emulation-exp/code/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..4d60f59dbeb1f4e287f61b038f2cbf0d84565491
--- /dev/null
+++ b/pq-tls-benchmark-framework/emulation-exp/code/Makefile
@@ -0,0 +1,41 @@
+PWD=$(shell pwd)
+
+
+
+install_curl: install_ngtcp2 install_quictls
+ cd tmp && \
+ wget https://curl.se/download/curl-8.8.0.tar.gz && \
+ tar -zxvf curl-8.8.0.tar.gz
+ cd tmp/curl-8.8.0 && \
+ ./configure --prefix=${PWD}/tmp/curl --with-openssl=${PWD}/tmp/openssl && \
+ exit 1
+ make && \
+ make install
+
+install_ngtcp2: ensure_tmp_dir_exists install_libev
+ cd tmp && \
+ sh ../install-ngtcp2.sh
+
+# install_quictls: ensure_tmp_dir_exists
+# cd tmp && \
+# git clone --depth 1 -b openssl-3.1.4+quic https://github.com/quictls/openssl && \
+# cd openssl && \
+# ./config enable-tls1_3 --prefix=<somewhere1> && \
+# make && \
+# make install
+
+install_libev:
+ sudo apt install libev-dev
+
+ensure_tmp_dir_exists:
+ mkdir -p tmp
+
+clean:
+ rm -rf tmp/curl-8.8.0
+ rm -rf tmp/curl-8.8.0.tar.gz
+ rm -rf tmp/ngtcp2
+ rm -rf tmp/wolfssl
+ rm -rf tmp/nghttp3
+
+echo_pwd:
+ echo $(PWD)
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/install-ngtcp2.sh b/pq-tls-benchmark-framework/emulation-exp/code/install-ngtcp2.sh
new file mode 100644
index 0000000000000000000000000000000000000000..f7f0e2a209c9ef3eedc493845ba3b43872c96412
--- /dev/null
+++ b/pq-tls-benchmark-framework/emulation-exp/code/install-ngtcp2.sh
@@ -0,0 +1,29 @@
+# This script is copied from the ngtcp2 repositories README.md, it got modified sligthly. It gets executed by a Makefile.
+set -eux
+git clone --depth 1 -b v5.7.0-stable https://github.com/wolfSSL/wolfssl
+cd wolfssl
+autoreconf -i
+# For wolfSSL < v5.6.6, append --enable-quic.
+./configure --prefix=$PWD/build \
+ --enable-all --enable-aesni --enable-harden --enable-keylog-export \
+ --disable-ech
+make -j$(nproc)
+make install
+cd ..
+
+git clone --recursive https://github.com/ngtcp2/nghttp3
+cd nghttp3
+autoreconf -i
+./configure --prefix=$PWD/build --enable-lib-only
+make -j$(nproc) check
+make install
+cd ..
+
+git clone --recursive https://github.com/ngtcp2/ngtcp2
+cd ngtcp2
+autoreconf -i
+# For Mac users who have installed libev with MacPorts, append
+# LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
+./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
+ --with-wolfssl
+make -j$(nproc) check
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/install-prereqs-ubuntu.sh b/pq-tls-benchmark-framework/emulation-exp/code/install-prereqs-ubuntu.sh
index b389a0361073c215f9cce89fa9f5b4574d509924..46d3cba3848270f03b6030a08038c2e241292ccf 100755
--- a/pq-tls-benchmark-framework/emulation-exp/code/install-prereqs-ubuntu.sh
+++ b/pq-tls-benchmark-framework/emulation-exp/code/install-prereqs-ubuntu.sh
@@ -1,8 +1,10 @@
#!/bin/bash
set -ex
-apt update
-apt install -y git \
+# Make sure to have a recent version of openssl installed by default. For example by having an up to date os version.
+
+sudo apt update
+sudo apt install -y git \
build-essential \
autoconf \
automake \
@@ -12,45 +14,64 @@ apt install -y git \
libpcre3-dev \
wget
-NGINX_VERSION=1.20.1
-CMAKE_VERSION=3.18
-CMAKE_BUILD=3
+NGINX_VERSION=1.26.1
+CMAKE_VERSION=3.30
+CMAKE_BUILD=0
mkdir -p tmp
cd tmp
ROOT=$(pwd)
# Fetch all the files we need
-wget https://cmake.org/files/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-Linux-x86_64.sh
-git clone -n --single-branch --branch main https://github.com/open-quantum-safe/liboqs.git
-cd liboqs
-git checkout 2e2ddb4e0493014694820471396984b30d59cf97
-cd ..
-git clone -n --single-branch --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl.git
-cd openssl
-git checkout 63b48cdde3cdf8dab966e31ea277e03e2d233f57
-cd ..
+wget https://cmake.org/files/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh
+git clone --no-checkout --single-branch --branch main https://github.com/open-quantum-safe/liboqs.git
+(cd liboqs && git checkout d2089c5017fc45f4dce2f6516b3e9ad337946600)
+git clone --no-checkout --single-branch --branch main https://github.com/open-quantum-safe/oqs-provider.git
+(cd oqs-provider && git checkout 8f37521d5e27ab4d1e0d69a4b4a5bd17927b24b9)
+git clone --no-checkout --single-branch --branch master https://github.com/openssl/openssl.git
+(cd openssl && git checkout 2a45839778955ffcab01918f10544d46e42f9a5b)
wget nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && tar -zxvf nginx-${NGINX_VERSION}.tar.gz
# Install the latest CMake
mkdir cmake
-sh cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-Linux-x86_64.sh --skip-license --prefix=${ROOT}/cmake
+sh cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh --skip-license --prefix=${ROOT}/cmake
+
+# Build OpenSSL so 'libcrypto.so' is avaiable for the build of liboqs. With Ubuntu 22.04 not longer needed.
+# (
+# cd openssl-source
+# ./Configure --prefix=${ROOT}/openssl/ --openssldir=${ROOT}/openssl/
+# make
+# make install
+# )
+
# build liboqs
-cd liboqs
-mkdir build && cd build
-${ROOT}/cmake/bin/cmake -GNinja -DCMAKE_INSTALL_PREFIX=${ROOT}/openssl/oqs ..
-ninja && ninja install
+(
+ cd liboqs
+ mkdir build && cd build
+ # --install-prefix could do the same
+ # It needs the libcrypto library, either in .a or .so format, in 'openssl' it is .so and in 'openssl-source' it is .a
+ # -- Found OpenSSL: /absolute-path-to/tmp/openssl/lib64/libcrypto.so (found suitable version "3.0.2", minimum required is "1.1.1")
+ # OPENSSL_ROOT_DIR=${ROOT}/openssl/ ${ROOT}/cmake/bin/cmake -GNinja -DCMAKE_INSTALL_PREFIX=${ROOT}/openssl/oqs ..
+ ${ROOT}/cmake/bin/cmake -GNinja -DCMAKE_INSTALL_PREFIX=${ROOT}/openssl/oqs ..
+ ninja && ninja install
+)
# build nginx (which builds OQS-OpenSSL)
-cd ${ROOT}
-cd nginx-${NGINX_VERSION}
-./configure --prefix=${ROOT}/nginx \
- --with-debug \
- --with-http_ssl_module --with-openssl=${ROOT}/openssl \
- --without-http_gzip_module \
- --with-cc-opt="-I ${ROOT}/openssl/oqs/include" \
- --with-ld-opt="-L ${ROOT}/openssl/oqs/lib";
-sed -i 's/libcrypto.a/libcrypto.a -loqs/g' objs/Makefile;
-sed -i 's/EVP_MD_CTX_create/EVP_MD_CTX_new/g; s/EVP_MD_CTX_destroy/EVP_MD_CTX_free/g' src/event/ngx_event_openssl.c;
-make && make install;
+# NOTE openssl gets built a second time here, maybe this can be avoided
+(
+ cd nginx-${NGINX_VERSION}
+ # NOTE why --without-http_gzip_module
+ ./configure --prefix=${ROOT}/nginx \
+ --with-debug \
+ --with-http_v2_module \
+ --with-http_v3_module \
+ --with-http_ssl_module --with-openssl=${ROOT}/openssl \
+ --without-http_gzip_module \
+ --with-cc-opt="-I ${ROOT}/openssl/include" \
+ --with-ld-opt="-L ${ROOT}/openssl/lib64";
+ # sed -i 's/libcrypto.a/libcrypto.a -loqs/g' objs/Makefile;
+ # NOTE why change this?
+ sed -i 's/EVP_MD_CTX_create/EVP_MD_CTX_new/g; s/EVP_MD_CTX_destroy/EVP_MD_CTX_free/g' src/event/ngx_event_openssl.c;
+ make && make install;
+)
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf b/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf
index 99e2a997adb29c032ccd9d87529b6baba68064a6..d1e2fabf1ce17ca25be5f9487043488d4925df56 100644
--- a/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf
+++ b/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf
@@ -1,115 +1,63 @@
-# Our experiment used: worker_processes 21
-worker_processes 4;
+# Running nginx with sudo results in a 403 Forbidden error. This can be solved by running ngins without sudo through using ports which do not require root access. For example, 8080 and 8443.
-error_log logs/error.log;
-#error_log logs/error.log debug;
-
-#pid logs/nginx.pid;
+worker_processes 4;
+error_log logs/debug.log debug;
+error_log logs/error.log;
events {
- worker_connections 1024;
+ worker_connections 1024;
}
-
http {
- include mime.types;
- default_type application/octet-stream;
-
- #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- # '$status $body_bytes_sent "$http_referer" '
- # '"$http_user_agent" "$http_x_forwarded_for"';
+ include mime.types;
+ default_type application/octet-stream;
- #access_log logs/access.log main;
+ log_format quic '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" "$http3"';
+ access_log logs/access.log quic;
- sendfile on;
- #tcp_nopush on;
-
- #keepalive_timeout 0;
- keepalive_timeout 65;
-
- #gzip on;
+ sendfile on;
+ keepalive_timeout 65;
+ # gzip on;
server {
- listen 80;
- server_name localhost;
-
- #charset koi8-r;
+ listen 8080;
+ # server_name can matter if multiple virtual servers are running on the same port, otherwise the first one defined is used anyway.
+ server_name localhost;
- #access_log logs/host.access.log main;
+ # redirect to https
+ return 307 https://$host:8443$request_uri;
- location / {
- root html;
- index index.html index.htm;
- }
-
- #error_page 404 /404.html;
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root html;
- }
-
- # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- #
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
-
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
+ # location / {
+ # root html;
+ # index index.html index.htm;
+ # }
}
-
- # another virtual host using mix of IP-, name-, and port-based configuration
- #
- #server {
- # listen 8000;
- # listen somename:8080;
- # server_name somename alias another.alias;
-
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #}
-
-
- # HTTPS server
- #
server {
- listen 10.0.0.1:4433 ssl;
- server_name localhost;
-
- ssl_certificate server.crt;
- ssl_certificate_key server.key;
+ listen 8443 quic reuseport default_server;
+ listen [::]:8443 quic reuseport default_server; # for ipv6 addresses
+ listen 8443 ssl;
+ listen [::]:8443 ssl;
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 5m;
+ http3 on;
+ # ssl_protocols TLSv1.3;
- ssl_protocols TLSv1.3;
- client_header_timeout 67234s;
+ # quic_retry on;
+ # ssl_early_data on;
+ ssl_certificate server.crt;
+ ssl_certificate_key server.key;
location / {
- root html;
- index index.html index.htm;
+ root html;
+ index index.html index.htm;
+
+ add_header alt-svc 'h3=":$server_port", ma=1800'; # h3-23 is the draft version of the HTTP/3 protocol
+ add_header x-quic 'h3';
+ add_header Cache-Control 'no-store';
}
}
-}
+}
\ No newline at end of file
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf.old b/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf.old
new file mode 100644
index 0000000000000000000000000000000000000000..f3339b2fdf62a0d5bc280572e3250ac62cac49fc
--- /dev/null
+++ b/pq-tls-benchmark-framework/emulation-exp/code/kex/nginx.conf.old
@@ -0,0 +1,142 @@
+# Our experiment used: worker_processes 21
+worker_processes 4;
+
+error_log logs/debug.log debug;
+error_log logs/error.log;
+#error_log logs/error.log debug;
+
+#pid logs/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ # '$status $body_bytes_sent "$http_referer" '
+ # '"$http_user_agent" "$http_x_forwarded_for"';
+
+ log_format quic '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" "$http3"';
+
+ access_log logs/access.log quic;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ server {
+ listen 80;
+ server_name localhost;
+
+ #charset koi8-r;
+
+ #access_log logs/host.access.log main;
+
+ location / {
+ root html;
+ index index.html index.htm;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root html;
+ }
+
+ # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+ #
+ #location ~ \.php$ {
+ # proxy_pass http://127.0.0.1;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # root html;
+ # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+ }
+
+
+ # another virtual host using mix of IP-, name-, and port-based configuration
+ #
+ #server {
+ # listen 8000;
+ # listen somename:8080;
+ # server_name somename alias another.alias;
+
+ # location / {
+ # root html;
+ # index index.html index.htm;
+ # }
+ #}
+
+
+ # HTTPS/TLS server
+ #
+ server {
+ # listen 10.0.0.1:4433 ssl;
+ listen 4433 ssl;
+ server_name localhost;
+
+ ssl_certificate server.crt;
+ ssl_certificate_key server.key;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_protocols TLSv1.3;
+ client_header_timeout 67234s;
+
+ location / {
+ root html;
+ index index.html index.htm;
+ }
+ }
+
+ # HTTPS/QUIC server
+ server {
+ # listen 10.0.0.1:8443 quic;
+ listen 8443 quic reuseport;
+ listen 8443 ssl;
+ server_name localhost;
+
+ ssl_certificate server.crt;
+ ssl_certificate_key server.key;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ location / {
+ # used to advertise the availability of HTTP/3
+ add_header Alt-Svc 'h3=":8443"; ma=86400';
+ root html;
+ index index.html index.htm;
+ }
+ }
+
+}
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/setup.sh b/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/setup.sh
index 45c406c25abb25273b3c13f7c3cc75e59333d52a..becff33d760dd93732c62480f693d1fd49e37ab8 100755
--- a/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/setup.sh
+++ b/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/setup.sh
@@ -17,19 +17,22 @@ make s_timer.o
##########################
# Setup network namespaces
##########################
-${ROOT}/setup_ns.sh
+sudo ${ROOT}/setup_ns.sh
##########################
# Generate ECDSA P-256 cert
##########################
+# Add custom build OpenSSL to the ld library path, so it can be used by the openssl binary
+# export LD_LIBRARY_PATH=${ROOT}/tmp/openssl/lib64:$LD_LIBRARY_PATH
+
# generate curve parameters
${OPENSSL} ecparam -out prime256v1.pem -name prime256v1
# generate CA key and cert
-${OPENSSL} req -x509 -new -newkey ec:prime256v1.pem -keyout ${NGINX_CONF_DIR}/CA.key -out ${NGINX_CONF_DIR}/CA.crt -nodes -subj "/CN=OQS test ecdsap256 CA" -days 365 -config ${OPENSSL_CNF}
+${OPENSSL} req -x509 -new -newkey ec:prime256v1.pem -keyout ${NGINX_CONF_DIR}/CA.key -out ${NGINX_CONF_DIR}/CA.crt -noenc -subj "/CN=oqstest CA ecdsap256" -days 365 -config ${OPENSSL_CNF}
# generate server CSR
-${OPENSSL} req -new -newkey ec:prime256v1.pem -keyout ${NGINX_CONF_DIR}/server.key -out ${NGINX_CONF_DIR}/server.csr -nodes -subj "/CN=oqstest CA ecdsap256" -config ${OPENSSL_CNF}
+${OPENSSL} req -new -newkey ec:prime256v1.pem -keyout ${NGINX_CONF_DIR}/server.key -out ${NGINX_CONF_DIR}/server.csr -noenc -subj "/CN=oqstest server ecdsap256" -config ${OPENSSL_CNF}
# generate server cert
${OPENSSL} x509 -req -in ${NGINX_CONF_DIR}/server.csr -out ${NGINX_CONF_DIR}/server.crt -CA ${NGINX_CONF_DIR}/CA.crt -CAkey ${NGINX_CONF_DIR}/CA.key -CAcreateserial -days 365
@@ -38,4 +41,6 @@ ${OPENSSL} x509 -req -in ${NGINX_CONF_DIR}/server.csr -out ${NGINX_CONF_DIR}/ser
# Start nginx
##########################
cp nginx.conf ${NGINX_CONF_DIR}/nginx.conf
-ip netns exec srv_ns ${NGINX_APP}
+echo "EXITING EARLY NOW"
+exit 0
+sudo ip netns exec srv_ns ${NGINX_APP}
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/teardown.sh b/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/teardown.sh
index efc4eaf092086813a143dd42398ec90ddd985669..b2a71b631934753fb039c143a99452894429c739 100755
--- a/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/teardown.sh
+++ b/pq-tls-benchmark-framework/emulation-exp/code/kex/scripts/teardown.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+set -x
ROOT="$(dirname $(pwd))"
NGINX_APP=${ROOT}/tmp/nginx/sbin/nginx
@@ -6,7 +7,7 @@ NGINX_APP=${ROOT}/tmp/nginx/sbin/nginx
##########################
# Stop nginx
##########################
-ip netns exec srv_ns ${NGINX_APP} -s stop
+sudo ip netns exec srv_ns ${NGINX_APP} -s stop
##########################
# Remove files
@@ -18,5 +19,5 @@ rm -r scripts/__pycache__
##########################
# Remove network namespaces
##########################
-ip netns del cli_ns
-ip netns del srv_ns
+sudo ip netns del cli_ns
+sudo ip netns del srv_ns
diff --git a/pq-tls-benchmark-framework/emulation-exp/code/setup_ns.sh b/pq-tls-benchmark-framework/emulation-exp/code/setup_ns.sh
index 6fc3e29721f23b77b7b0077a0b088f917fc5fb38..5e5e4d709580e5a2f5e55b8ab271cd39356c5271 100755
--- a/pq-tls-benchmark-framework/emulation-exp/code/setup_ns.sh
+++ b/pq-tls-benchmark-framework/emulation-exp/code/setup_ns.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-set -x
+set -ex
##########################
# Setup network namespaces