xref: /openbsd-src/usr.bin/openssl/s_time.c (revision 23cc9d400791825fb9615b5c61d55ff2adb3056b) 
1 /* $OpenBSD: s_time.c,v 1.39 2025/01/02 13:10:03 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 
59 /*-----------------------------------------
60    s_time - SSL client connection timer program
61    Written and donated by Larry Streepy <streepy@healthcare.com>
62   -----------------------------------------*/
63 
64 #include <sys/types.h>
65 #include <sys/socket.h>
66 
67 #include <stdio.h>
68 #include <stdlib.h>
69 #include <limits.h>
70 #include <string.h>
71 #include <unistd.h>
72 #include <poll.h>
73 
74 #include "apps.h"
75 
76 #include <openssl/err.h>
77 #include <openssl/pem.h>
78 #include <openssl/ssl.h>
79 #include <openssl/x509.h>
80 
81 #define SSL_CONNECT_NAME	"localhost:4433"
82 
83 #define BUFSIZZ 1024*10
84 
85 #define MYBUFSIZ 1024*8
86 
87 #define SECONDS	30
88 extern int verify_depth;
89 
90 static void s_time_usage(void);
91 static int run_test(SSL *);
92 static int benchmark(int);
93 static void print_tally_mark(SSL *);
94 
95 static SSL_CTX *tm_ctx = NULL;
96 static const SSL_METHOD *s_time_meth = NULL;
97 static long bytes_read = 0;
98 
99 static struct {
100 	int bugs;
101 	char *CAfile;
102 	char *CApath;
103 	char *certfile;
104 	char *cipher;
105 	char *host;
106 	char *keyfile;
107 	time_t maxtime;
108 	int nbio;
109 	int no_shutdown;
110 	int perform;
111 	int verify;
112 	int verify_depth;
113 	char *www_path;
114 } cfg;
115 
116 static const struct option s_time_options[] = {
117 	{
118 		.name = "bugs",
119 		.desc = "Enable workarounds for known SSL/TLS bugs",
120 		.type = OPTION_FLAG,
121 		.opt.flag = &cfg.bugs,
122 	},
123 	{
124 		.name = "CAfile",
125 		.argname = "file",
126 		.desc = "File containing trusted certificates in PEM format",
127 		.type = OPTION_ARG,
128 		.opt.arg = &cfg.CAfile,
129 	},
130 	{
131 		.name = "CApath",
132 		.argname = "path",
133 		.desc = "Directory containing trusted certificates",
134 		.type = OPTION_ARG,
135 		.opt.arg = &cfg.CApath,
136 	},
137 	{
138 		.name = "cert",
139 		.argname = "file",
140 		.desc = "Client certificate to use, if one is requested",
141 		.type = OPTION_ARG,
142 		.opt.arg = &cfg.certfile,
143 	},
144 	{
145 		.name = "cipher",
146 		.argname = "list",
147 		.desc = "List of cipher suites to send to the server",
148 		.type = OPTION_ARG,
149 		.opt.arg = &cfg.cipher,
150 	},
151 	{
152 		.name = "connect",
153 		.argname = "host:port",
154 		.desc = "Host and port to connect to (default "
155 		    SSL_CONNECT_NAME ")",
156 		.type = OPTION_ARG,
157 		.opt.arg = &cfg.host,
158 	},
159 	{
160 		.name = "key",
161 		.argname = "file",
162 		.desc = "Client private key to use, if one is required",
163 		.type = OPTION_ARG,
164 		.opt.arg = &cfg.keyfile,
165 	},
166 	{
167 		.name = "nbio",
168 		.desc = "Use non-blocking I/O",
169 		.type = OPTION_FLAG,
170 		.opt.flag = &cfg.nbio,
171 	},
172 	{
173 		.name = "new",
174 		.desc = "Use a new session ID for each connection",
175 		.type = OPTION_VALUE,
176 		.opt.value = &cfg.perform,
177 		.value = 1,
178 	},
179 	{
180 		.name = "no_shutdown",
181 		.desc = "Shut down the connection without notifying the server",
182 		.type = OPTION_FLAG,
183 		.opt.flag = &cfg.no_shutdown,
184 	},
185 	{
186 		.name = "reuse",
187 		.desc = "Reuse the same session ID for each connection",
188 		.type = OPTION_VALUE,
189 		.opt.value = &cfg.perform,
190 		.value = 2,
191 	},
192 	{
193 		.name = "time",
194 		.argname = "seconds",
195 		.desc = "Duration to perform timing tests for (default 30)",
196 		.type = OPTION_ARG_TIME,
197 		.opt.tvalue = &cfg.maxtime,
198 	},
199 	{
200 		.name = "verify",
201 		.argname = "depth",
202 		.desc = "Enable peer certificate verification with given depth",
203 		.type = OPTION_ARG_INT,
204 		.opt.value = &cfg.verify_depth,
205 	},
206 	{
207 		.name = "www",
208 		.argname = "page",
209 		.desc = "Page to GET from the server (default none)",
210 		.type = OPTION_ARG,
211 		.opt.arg = &cfg.www_path,
212 	},
213 	{ NULL },
214 };
215 
216 static void
217 s_time_usage(void)
218 {
219 	fprintf(stderr,
220 	    "usage: s_time "
221 	    "[-bugs] [-CAfile file] [-CApath directory] [-cert file]\n"
222 	    "    [-cipher cipherlist] [-connect host:port] [-key keyfile]\n"
223 	    "    [-nbio] [-new] [-no_shutdown] [-reuse] [-time seconds]\n"
224 	    "    [-verify depth] [-www page]\n\n");
225 	options_usage(s_time_options);
226 }
227 
228 /***********************************************************************
229  * MAIN - main processing area for client
230  *			real name depends on MONOLITH
231  */
232 int
233 s_time_main(int argc, char **argv)
234 {
235 	int ret = 1;
236 
237 	if (pledge("stdio rpath inet dns", NULL) == -1) {
238 		perror("pledge");
239 		exit(1);
240 	}
241 
242 	s_time_meth = TLS_client_method();
243 
244 	verify_depth = 0;
245 
246 	memset(&cfg, 0, sizeof(cfg));
247 
248 	cfg.host = SSL_CONNECT_NAME;
249 	cfg.maxtime = SECONDS;
250 	cfg.perform = 3;
251 	cfg.verify = SSL_VERIFY_NONE;
252 	cfg.verify_depth = -1;
253 
254 	if (options_parse(argc, argv, s_time_options, NULL, NULL) != 0) {
255 		s_time_usage();
256 		goto end;
257 	}
258 
259 	if (cfg.verify_depth >= 0) {
260 		cfg.verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
261 		verify_depth = cfg.verify_depth;
262 		BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
263 	}
264 
265 	if (cfg.www_path != NULL &&
266 	    strlen(cfg.www_path) > MYBUFSIZ - 100) {
267 		BIO_printf(bio_err, "-www option too long\n");
268 		goto end;
269 	}
270 
271 	if ((tm_ctx = SSL_CTX_new(s_time_meth)) == NULL)
272 		return (1);
273 
274 	SSL_CTX_set_quiet_shutdown(tm_ctx, 1);
275 
276 	if (cfg.bugs)
277 		SSL_CTX_set_options(tm_ctx, SSL_OP_ALL);
278 
279 	if (cfg.cipher != NULL) {
280 		if (!SSL_CTX_set_cipher_list(tm_ctx, cfg.cipher)) {
281 			BIO_printf(bio_err, "error setting cipher list\n");
282 			ERR_print_errors(bio_err);
283 			goto end;
284 		}
285 	}
286 
287 	SSL_CTX_set_verify(tm_ctx, cfg.verify, NULL);
288 
289 	if (!set_cert_stuff(tm_ctx, cfg.certfile,
290 	    cfg.keyfile))
291 		goto end;
292 
293 	if ((!SSL_CTX_load_verify_locations(tm_ctx, cfg.CAfile,
294 	    cfg.CApath)) ||
295 	    (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
296 		/*
297 		 * BIO_printf(bio_err,"error setting default verify
298 		 * locations\n");
299 		 */
300 		ERR_print_errors(bio_err);
301 		/* goto end; */
302 	}
303 
304 	/* Loop and time how long it takes to make connections */
305 	if (cfg.perform & 1) {
306 		printf("Collecting connection statistics for %lld seconds\n",
307 		    (long long)cfg.maxtime);
308 		if (benchmark(0))
309 			goto end;
310 	}
311 	/*
312 	 * Now loop and time connections using the same session id over and
313 	 * over
314 	 */
315 	if (cfg.perform & 2) {
316 		printf("\n\nNow timing with session id reuse.\n");
317 		if (benchmark(1))
318 			goto end;
319 	}
320 	ret = 0;
321  end:
322 	if (tm_ctx != NULL) {
323 		SSL_CTX_free(tm_ctx);
324 		tm_ctx = NULL;
325 	}
326 
327 	return (ret);
328 }
329 
330 /***********************************************************************
331  * run_test - make a connection, get a file, and shut down the connection
332  *
333  * Args:
334  *		scon	= SSL connection
335  * Returns:
336  *		1 on success, 0 on error
337  */
338 static int
339 run_test(SSL *scon)
340 {
341 	char buf[1024 * 8];
342 	struct pollfd pfd[1];
343 	BIO *conn;
344 	long verify_error;
345 	int i, retval;
346 
347 	if ((conn = BIO_new(BIO_s_connect())) == NULL)
348 		return 0;
349 	BIO_set_conn_hostname(conn, cfg.host);
350 	SSL_set_connect_state(scon);
351 	SSL_set_bio(scon, conn, conn);
352 	for (;;) {
353 		i = SSL_connect(scon);
354 		if (BIO_sock_should_retry(i)) {
355 			BIO_printf(bio_err, "DELAY\n");
356 			pfd[0].fd = SSL_get_fd(scon);
357 			pfd[0].events = POLLIN;
358 			poll(pfd, 1, -1);
359 			continue;
360 		}
361 		break;
362 	}
363 	if (i <= 0) {
364 		BIO_printf(bio_err, "ERROR\n");
365 		verify_error = SSL_get_verify_result(scon);
366 		if (verify_error != X509_V_OK)
367 			BIO_printf(bio_err, "verify error:%s\n",
368 			    X509_verify_cert_error_string(verify_error));
369 		else
370 			ERR_print_errors(bio_err);
371 		return 0;
372 	}
373 	if (cfg.www_path != NULL) {
374 		retval = snprintf(buf, sizeof buf,
375 		    "GET %s HTTP/1.0\r\n\r\n", cfg.www_path);
376 		if (retval < 0 || retval >= sizeof buf) {
377 			fprintf(stderr, "URL too long\n");
378 			return 0;
379 		}
380 		if (SSL_write(scon, buf, retval) != retval)
381 			return 0;
382 		while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
383 			bytes_read += i;
384 	}
385 	if (cfg.no_shutdown)
386 		SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN |
387 		    SSL_RECEIVED_SHUTDOWN);
388 	else
389 		SSL_shutdown(scon);
390 	return 1;
391 }
392 
393 static void
394 print_tally_mark(SSL *scon)
395 {
396 	int ver;
397 
398 	if (SSL_session_reused(scon))
399 		ver = 'r';
400 	else {
401 		ver = SSL_version(scon);
402 		if (ver == TLS1_VERSION)
403 			ver = 't';
404 		else
405 			ver = '*';
406 	}
407 	fputc(ver, stdout);
408 	fflush(stdout);
409 }
410 
411 static int
412 benchmark(int reuse_session)
413 {
414 	double elapsed, totalTime;
415 	int nConn = 0;
416 	SSL *scon = NULL;
417 	int ret = 1;
418 
419 	if (reuse_session) {
420 		/* Get an SSL object so we can reuse the session id */
421 		if ((scon = SSL_new(tm_ctx)) == NULL)
422 			goto end;
423 		if (!run_test(scon)) {
424 			fprintf(stderr, "Unable to get connection\n");
425 			goto end;
426 		}
427 		printf("starting\n");
428 	}
429 
430 	nConn = 0;
431 	bytes_read = 0;
432 
433 	app_timer_real(TM_RESET);
434 	app_timer_user(TM_RESET);
435 	for (;;) {
436 		elapsed = app_timer_real(TM_GET);
437 		if (elapsed > cfg.maxtime)
438 			break;
439 		if (scon == NULL) {
440 			if ((scon = SSL_new(tm_ctx)) == NULL)
441 				goto end;
442 		}
443 		if (!run_test(scon))
444 			goto end;
445 		nConn += 1;
446 		print_tally_mark(scon);
447 		if (!reuse_session) {
448 			SSL_free(scon);
449 			scon = NULL;
450 		}
451 	}
452 	totalTime = app_timer_user(TM_GET);
453 
454 	printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
455 	    nConn, totalTime, ((double) nConn / totalTime), bytes_read);
456 	printf("%d connections in %.0f real seconds, %ld bytes read per connection\n",
457 	    nConn, elapsed, nConn > 0 ? bytes_read / nConn : 0);
458 
459 	ret = 0;
460  end:
461 	SSL_free(scon);
462 	return ret;
463 }
464