
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_8-36-gd373c54


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_8-36-gd373c54
Date: Thu, 08 Dec 2011 17:26:52 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=d373c54e0a3b56e629fd2601a0e031e022e88c71

The branch, master has been updated
       via  d373c54e0a3b56e629fd2601a0e031e022e88c71 (commit)
       via  49b17e461a1c3c9c17555c97b60217569a1906a6 (commit)
       via  5f4cd8317cad1146043ec2f64ec0974732bf3882 (commit)
       via  5cc97db938c2c9a8862c27799ef8411f4892e025 (commit)
      from  b81cee49452ad2ad546719a2093eb62cc8b0ffd4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d373c54e0a3b56e629fd2601a0e031e022e88c71
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Dec 8 18:29:27 2011 +0100

    renamed hardware tokens to security modules.

commit 49b17e461a1c3c9c17555c97b60217569a1906a6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Dec 8 18:19:57 2011 +0100

    Added section 'Managing encrypted keys' to include PKCS 12 structures.

commit 5f4cd8317cad1146043ec2f64ec0974732bf3882
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Dec 8 18:17:32 2011 +0100

    Added RSA key exchange to comparison.

commit 5cc97db938c2c9a8862c27799ef8411f4892e025
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Dec 8 18:15:44 2011 +0100

    Exported gnutls_cpuid() and gnutls_have_cpuid().

-----------------------------------------------------------------------

Summary of changes:
 devel/perlasm/cpuid-x86.pl                       |    8 +-
 devel/perlasm/cpuid-x86_64.pl                    |    8 +-
 doc/Makefile.am                                  |    2 +-
 doc/cha-cert-auth2.texi                          |   76 +++++++++----
 lib/accelerated/accelerated.c                    |    2 +-
 lib/accelerated/x86/aes-padlock.c                |    2 +-
 lib/accelerated/x86/aes-x86.c                    |    6 +-
 lib/accelerated/x86/asm-coff/cpuid-x86-64-coff.s |    6 +-
 lib/accelerated/x86/asm-coff/cpuid-x86-coff.s    |   12 ++-
 lib/accelerated/x86/asm/cpuid-x86-64.s           |    8 +-
 lib/accelerated/x86/asm/cpuid-x86.s              |   16 ++-
 lib/accelerated/x86/x86.h                        |    4 +-
 src/benchmark-tls.c                              |  133 +++++++++++++++++++++-
 13 files changed, 227 insertions(+), 56 deletions(-)

diff --git a/devel/perlasm/cpuid-x86.pl b/devel/perlasm/cpuid-x86.pl
index 50def40..8eb12ef 100644
--- a/devel/perlasm/cpuid-x86.pl
+++ b/devel/perlasm/cpuid-x86.pl
@@ -12,7 +12,7 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],$0);
 
-&function_begin_B("_gnutls_cpuid");
+&function_begin_B("gnutls_cpuid");
        &push   ("ebp");
        &mov    ("ebp", "esp");
        &sub    ("esp", 12);
@@ -39,9 +39,9 @@ require "x86asm.pl";
        &mov    ("esp","ebp");
        &pop    ("ebp");
        &ret    ();
-&function_end_B("_gnutls_cpuid");
+&function_end_B("gnutls_cpuid");
 
-&function_begin_B("_gnutls_have_cpuid");
+&function_begin_B("gnutls_have_cpuid");
        &pushf  ();
        &pop    ("eax");
        &or     ("eax",0x200000);
@@ -51,7 +51,7 @@ require "x86asm.pl";
        &pop    ("eax");
        &and     ("eax",0x200000);
        &ret    ();
-&function_end_B("_gnutls_have_cpuid");
+&function_end_B("gnutls_have_cpuid");
 
 &asciz("CPUID for x86");
 &asm_finish();
diff --git a/devel/perlasm/cpuid-x86_64.pl b/devel/perlasm/cpuid-x86_64.pl
index b821a49..ef1c95c 100644
--- a/devel/perlasm/cpuid-x86_64.pl
+++ b/devel/perlasm/cpuid-x86_64.pl
@@ -26,10 +26,10 @@ $code=".text\n";
 
 
 $code.=<<___;
-.globl _gnutls_cpuid
-.type _gnutls_cpuid,address@hidden
+.globl gnutls_cpuid
+.type gnutls_cpuid,address@hidden
 .align 16
-_gnutls_cpuid:
+gnutls_cpuid:
        pushq   %rbp
        movq    %rsp, %rbp
        pushq   %rbx
@@ -58,7 +58,7 @@ _gnutls_cpuid:
        popq    %rbx
        leave
        ret
-.size _gnutls_cpuid,.-_gnutls_cpuid
+.size gnutls_cpuid,.-gnutls_cpuid
 ___
 
 $code =~ s/\`([^\`]*)\`/eval($1)/gem;
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 950815d..8b64841 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -31,7 +31,7 @@ endif
 
 info_TEXINFOS = gnutls.texi gnutls-guile.texi
 gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi lgpl-2.1.texi gpl-3.0.texi  \
-       cha-bib.texi cha-cert-auth.texi         \
+       cha-bib.texi cha-cert-auth.texi cha-cert-auth2.texi     \
        cha-ciphersuites.texi cha-copying.texi cha-functions.texi       \
        cha-gtls-app.texi cha-internals.texi cha-intro-tls.texi         \
        cha-library.texi cha-preface.texi cha-programs.texi             \
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 6a59fd3..61fe854 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -5,7 +5,7 @@
 @menu
 * PKCS 10 certificate requests::
 * PKIX certificate revocation lists::
-* PKCS 12 structures::
+* Managing encrypted keys::
 * The certtool application::
 * Hardware tokens::
 * Abstract key types::
@@ -111,8 +111,40 @@ CRL number extension and the authority key identifier.
 
 @showfuncB{gnutls_x509_crl_set_number,gnutls_x509_crl_set_authority_key_id}
 
address@hidden PKCS 12 structures
address@hidden @acronym{PKCS} #12 structures
address@hidden Managing encrypted keys
address@hidden Managing encrypted keys
address@hidden Encrypted keys
+
+Transferring or storing private keys in plain might not be a
+good idea. Any access on the keys becomes a fatal compromise.
+Storing the keys in hardware tokens (see @ref{Hardware tokens})
+could solve the storage problem but it is not always practical
+or efficient enough. This section describes alternative ways
+that involve encryption of the private keys to store and
+transfer.
+
+There are two alternatives to use for key encryption, 
+PKCS #8 and #12 methods of private key encryption. The PKCS #8
+method only allows encryption of the private key, whilst the
+PKCS #12 method allows in addition the bundling of other
+data into the structure. That could be bundling together the
+certificate as well as the trusted CA certificate.
+
address@hidden @acronym{PKCS} #8 structures
address@hidden PKCS #8
+
+PKCS #8 keys can be imported and exported as normal private keys using
+the functions below. An addition to the normal import functions, are
+a password and a flags argument. The flags can be any element of the 
@code{gnutls_pkcs_encrypt_flags_t}
+enumeration. Note however, that GnuTLS only supports the PKCS #5 PBES2
+encryption scheme. Keys encrypted with the obsolete PBES1 scheme cannot 
+be decrypted.
+
address@hidden,gnutls_x509_privkey_export_pkcs8}
+
address@hidden,Encryption flags}
+
address@hidden @acronym{PKCS} #12 structures
 @cindex PKCS #12
 
 A @acronym{PKCS} #12 structure @xcite{PKCS12} usually contains a user's
@@ -483,13 +515,14 @@ signing_key
 
 
 @node Hardware tokens
address@hidden Hardware tokens
address@hidden Security modules
 @cindex PKCS #11 tokens
 @cindex hardware tokens
address@hidden hardware security modules
 @cindex smart cards
 
 @menu
-* Introduction on hardware tokens::
+* Introduction on security modules::
 * PKCS11 Initialization::
 * Reading objects::
 * Writing objects::
@@ -497,25 +530,28 @@ signing_key
 * The p11tool application::
 @end menu
 
address@hidden Introduction on hardware tokens
address@hidden Introduction on security modules
 @subsection Introduction
-This section copes with hardware token support in @acronym{GnuTLS} using 
address@hidden #11 @xcite{PKCS11}.
+In this section we present the smart-card and hardware security module support 
+in @acronym{GnuTLS} using @acronym{PKCS} #11 @xcite{PKCS11}. Hardware security
+modules and smart cards provide a way to store private keys and perform
+operations on them without exposing them. This allows decoupling cryptographic
+keys from the applications that use them providing an additional security 
layer.
+Since this can also be achieved in software components such as in Gnome 
keyring,
+we will use the term security module to describe such an isolation interface.
+
 @acronym{PKCS} #11 is plugin API allowing applications to access cryptographic
-operations on a token, as well as to objects residing on the token. A token 
can 
-be a real hardware token such as a smart card and a trusted platform module 
(TPM), 
-or it can be a software component such as @acronym{Gnome Keyring}. The objects 
residing
-on such token can be
-certificates, public keys, private keys or even plain data or  secret keys. Of 
those
-certificates and public/private key pairs can be used with @acronym{GnuTLS}. 
Its
-main advantage is that it allows operations on private key objects such as 
decryption
+operations on a security module, as well as to objects residing on it. PKCS
+#11 modules exist for hardware tokens such as smart 
address@hidden@url{http://www.opensc-project.org}},
+the trusted 
+platform module (TPM)@address@hidden://trousers.sourceforge.net/}}
+as well as for software modules like @acronym{Gnome Keyring}. 
+The objects residing on a security module may be certificates, public keys, 
+private keys or secret keys. Of those certificates and public/private key 
+pairs can be used with @acronym{GnuTLS}. PKCS #11's main advantage is that 
+it allows operations on private key objects such as decryption
 and signing without exposing the key.
 
-A @acronym{PKCS} #11 module to access smart cards is provided by the 
address@hidden@url{http://www.opensc-project.org}} project, and a 
-module to access the TPM chip on a PC is available from the 
address@hidden@url{http://trousers.sourceforge.net/}}
-project.
-
 Moreover @acronym{PKCS} #11 can be (ab)used to allow all applications in the 
same operating system to access
 shared cryptographic keys and certificates in a uniform way, as in 
@ref{fig:pkcs11-vision}.
 That way applications could load their trusted certificate list, as well as 
user
diff --git a/lib/accelerated/accelerated.c b/lib/accelerated/accelerated.c
index 8d138f0..6047dd1 100644
--- a/lib/accelerated/accelerated.c
+++ b/lib/accelerated/accelerated.c
@@ -30,7 +30,7 @@
 void _gnutls_register_accel_crypto(void)
 {
 #if defined(ASM_X86)
-  if (_gnutls_have_cpuid() != 0)
+  if (gnutls_have_cpuid() != 0)
     {
       register_x86_crypto ();
       register_padlock_crypto ();
diff --git a/lib/accelerated/x86/aes-padlock.c 
b/lib/accelerated/x86/aes-padlock.c
index 881eb75..962c1bb 100644
--- a/lib/accelerated/x86/aes-padlock.c
+++ b/lib/accelerated/x86/aes-padlock.c
@@ -214,7 +214,7 @@ static unsigned
 check_via (void)
 {
   unsigned int a, b, c, d;
-  _gnutls_cpuid (0, &a, &b, &c, &d);
+  gnutls_cpuid (0, &a, &b, &c, &d);
 
   if ((memcmp (&b, "Cent", 4) == 0 &&
        memcmp (&d, "aurH", 4) == 0 && memcmp (&c, "auls", 4) == 0))
diff --git a/lib/accelerated/x86/aes-x86.c b/lib/accelerated/x86/aes-x86.c
index 5f465a5..7987781 100644
--- a/lib/accelerated/x86/aes-x86.c
+++ b/lib/accelerated/x86/aes-x86.c
@@ -126,7 +126,7 @@ static unsigned
 check_optimized_aes (void)
 {
   unsigned int a, b, c, d;
-  _gnutls_cpuid (1, &a, &b, &c, &d);
+  gnutls_cpuid (1, &a, &b, &c, &d);
 
   return (c & 0x2000000);
 }
@@ -136,7 +136,7 @@ static unsigned
 check_pclmul (void)
 {
   unsigned int a, b, c, d;
-  _gnutls_cpuid (1, &a, &b, &c, &d);
+  gnutls_cpuid (1, &a, &b, &c, &d);
 
   return (c & 0x2);
 }
@@ -146,7 +146,7 @@ static unsigned
 check_intel_or_amd (void)
 {
   unsigned int a, b, c, d;
-  _gnutls_cpuid (0, &a, &b, &c, &d);
+  gnutls_cpuid (0, &a, &b, &c, &d);
 
   if ((memcmp (&b, "Genu", 4) == 0 &&
        memcmp (&d, "ineI", 4) == 0 &&
diff --git a/lib/accelerated/x86/asm-coff/cpuid-x86-64-coff.s 
b/lib/accelerated/x86/asm-coff/cpuid-x86-64-coff.s
index 3ca96a9..432bce7 100644
--- a/lib/accelerated/x86/asm-coff/cpuid-x86-64-coff.s
+++ b/lib/accelerated/x86/asm-coff/cpuid-x86-64-coff.s
@@ -19,10 +19,10 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 .text  
-.globl _gnutls_cpuid
-.def   _gnutls_cpuid;  .scl 2; .type 32;       .endef
+.globl gnutls_cpuid
+.def   gnutls_cpuid;   .scl 2; .type 32;       .endef
 .p2align       4
-_gnutls_cpuid:
+gnutls_cpuid:
        pushq   %rbp
        movq    %rsp,%rbp
        pushq   %rbx
diff --git a/lib/accelerated/x86/asm-coff/cpuid-x86-coff.s 
b/lib/accelerated/x86/asm-coff/cpuid-x86-coff.s
index 076b193..9c6142a 100644
--- a/lib/accelerated/x86/asm-coff/cpuid-x86-coff.s
+++ b/lib/accelerated/x86/asm-coff/cpuid-x86-coff.s
@@ -20,9 +20,11 @@
 #
 .file  "devel/perlasm/cpuid-x86.s"
 .text
-.def   __gnutls_cpuid; .scl    3;      .type   32;     .endef
+.globl _gnutls_cpuid
+.def   _gnutls_cpuid;  .scl    2;      .type   32;     .endef
 .align 16
-__gnutls_cpuid:
+_gnutls_cpuid:
+.L_gnutls_cpuid_begin:
        pushl   %ebp
        movl    %esp,%ebp
        subl    $12,%esp
@@ -49,9 +51,11 @@ __gnutls_cpuid:
        movl    %ebp,%esp
        popl    %ebp
        ret
-.def   __gnutls_have_cpuid;    .scl    3;      .type   32;     .endef
+.globl _gnutls_have_cpuid
+.def   _gnutls_have_cpuid;     .scl    2;      .type   32;     .endef
 .align 16
-__gnutls_have_cpuid:
+_gnutls_have_cpuid:
+.L_gnutls_have_cpuid_begin:
        pushfl
        popl    %eax
        orl     $2097152,%eax
diff --git a/lib/accelerated/x86/asm/cpuid-x86-64.s 
b/lib/accelerated/x86/asm/cpuid-x86-64.s
index db6a580..0a8e8b3 100644
--- a/lib/accelerated/x86/asm/cpuid-x86-64.s
+++ b/lib/accelerated/x86/asm/cpuid-x86-64.s
@@ -19,10 +19,10 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 .text  
-.globl _gnutls_cpuid
-.type  _gnutls_cpuid,@function
+.globl gnutls_cpuid
+.type  gnutls_cpuid,@function
 .align 16
-_gnutls_cpuid:
+gnutls_cpuid:
        pushq   %rbp
        movq    %rsp,%rbp
        pushq   %rbx
@@ -51,6 +51,6 @@ _gnutls_cpuid:
        popq    %rbx
        leave
        .byte   0xf3,0xc3
-.size  _gnutls_cpuid,.-_gnutls_cpuid
+.size  gnutls_cpuid,.-gnutls_cpuid
 
 .section .note.GNU-stack,"",%progbits
diff --git a/lib/accelerated/x86/asm/cpuid-x86.s 
b/lib/accelerated/x86/asm/cpuid-x86.s
index 2d28bdc..d32009b 100644
--- a/lib/accelerated/x86/asm/cpuid-x86.s
+++ b/lib/accelerated/x86/asm/cpuid-x86.s
@@ -20,9 +20,11 @@
 #
 .file  "devel/perlasm/cpuid-x86.s"
 .text
-.type  _gnutls_cpuid,@function
+.globl gnutls_cpuid
+.type  gnutls_cpuid,@function
 .align 16
-_gnutls_cpuid:
+gnutls_cpuid:
+.L_gnutls_cpuid_begin:
        pushl   %ebp
        movl    %esp,%ebp
        subl    $12,%esp
@@ -49,10 +51,12 @@ _gnutls_cpuid:
        movl    %ebp,%esp
        popl    %ebp
        ret
-.size  _gnutls_cpuid,.-_gnutls_cpuid
-.type  _gnutls_have_cpuid,@function
+.size  gnutls_cpuid,.-.L_gnutls_cpuid_begin
+.globl gnutls_have_cpuid
+.type  gnutls_have_cpuid,@function
 .align 16
-_gnutls_have_cpuid:
+gnutls_have_cpuid:
+.L_gnutls_have_cpuid_begin:
        pushfl
        popl    %eax
        orl     $2097152,%eax
@@ -62,7 +66,7 @@ _gnutls_have_cpuid:
        popl    %eax
        andl    $2097152,%eax
        ret
-.size  _gnutls_have_cpuid,.-_gnutls_have_cpuid
+.size  gnutls_have_cpuid,.-.L_gnutls_have_cpuid_begin
 .byte  67,80,85,73,68,32,102,111,114,32,120,56,54,0
 
 .section .note.GNU-stack,"",%progbits
diff --git a/lib/accelerated/x86/x86.h b/lib/accelerated/x86/x86.h
index 6730fa8..a5f7967 100644
--- a/lib/accelerated/x86/x86.h
+++ b/lib/accelerated/x86/x86.h
@@ -24,10 +24,10 @@
 
 #if defined(ASM_X86)
 
-void _gnutls_cpuid(unsigned int func, unsigned int *ax, unsigned int *bx, 
unsigned int *cx, unsigned int* dx);
+void gnutls_cpuid(unsigned int func, unsigned int *ax, unsigned int *bx, 
unsigned int *cx, unsigned int* dx);
 
 # ifdef ASM_X86_32
-unsigned int _gnutls_have_cpuid(void);
+unsigned int gnutls_have_cpuid(void);
 # else
 #  define _gnutls_have_cpuid() 1
 # endif /* ASM_X86_32 */
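Review bot: The `# else` branch at the end of this hunk still defines the old name, `#  define _gnutls_have_cpuid() 1`, while the prototype above it and the caller in lib/accelerated/accelerated.c were renamed to `gnutls_have_cpuid`. On a build where ASM_X86 is set but ASM_X86_32 is not, the call in _gnutls_register_accel_crypto() then has neither a prototype nor a macro behind it. The 64-bit assembly files in this commit define only gnutls_cpuid, so that configuration would likely fail at link time. The macro should be renamed with the rest: `#  define gnutls_have_cpuid() 1`. The enclosing `#if defined(ASM_X86)` block continues outside the hunk.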
diff --git a/src/benchmark-tls.c b/src/benchmark-tls.c
index 81b236b..dcfdbe6 100644
--- a/src/benchmark-tls.c
+++ b/src/benchmark-tls.c
@@ -40,14 +40,57 @@
 #include "../tests/eagain-common.h"
 #include "benchmark.h"
 
-#define PRIO_DH 
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-DH"
-#define PRIO_ECDH 
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-SECP224R1"
+#define PRIO_DH 
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+DHE-RSA"
+#define PRIO_ECDH 
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ECDHE-RSA:+CURVE-SECP224R1"
+#define PRIO_RSA 
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA"
 
 #define PRIO_AES_CBC_SHA1 
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-DH"
 #define PRIO_ARCFOUR_128_MD5 
"NONE:+VERS-TLS1.0:+ARCFOUR-128:+MD5:+SIGN-ALL:+COMP-NULL:+ANON-DH"
 #define PRIO_AES_GCM 
"NONE:+VERS-TLS1.2:+AES-128-GCM:+AEAD:+SIGN-ALL:+COMP-NULL:+ANON-DH"
 #define PRIO_CAMELLIA_CBC_SHA1 
"NONE:+VERS-TLS1.0:+CAMELLIA-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-DH"
 
+#ifdef PARAMS_1024
+const char *pkcs3 = 
+  "-----BEGIN DH PARAMETERS-----\n"
+  "MIGHAoGBAO6vCrmts43WnDP4CvqPxehgcmGHdf88C56iMUycJWV21nTfdJbqgdM4\n"
+  "O0gT1pLG4ODV2OJQuYvkjklcHWCJ2tFdx9e0YVTWts6O9K1psV1JglWbKXvPGIXF\n"
+  "KfVmZg5X7GjtvDwFcmzAL9TL9Jduqpr9UTj+g3ZDW5/GHS/A6wbjAgEC\n"
+  "-----END DH PARAMETERS-----\n";
+
+/* RSA key of 1024 bits */
+static unsigned char server_cert_pem[] =
+  "-----BEGIN CERTIFICATE-----\n"
+  "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
+  "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
+  "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
+  "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
+  "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
+  "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
+  "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
+  "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
+  "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
+  "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
+  "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
+  "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
+  "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
+static unsigned char server_key_pem[] =
+  "-----BEGIN RSA PRIVATE KEY-----\n"
+  "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
+  "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
+  "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
+  "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
+  "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
+  "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
+  "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
+  "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
+  "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
+  "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
+  "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
+  "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
+  "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
+  "-----END RSA PRIVATE KEY-----\n";
+
+#else
 /* DH of 2432 bits that is pretty equivalent to 224 bits of ECDH.
  */
 const char *pkcs3 =
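Review bot: The PEM private keys added here (under PARAMS_1024, and again for the default branch in the next hunk) carry no comment saying they are throw-away benchmark material, so a later reader or a secret scanner cannot tell them from leaked credentials. I would put a comment above each `server_key_pem`, for example `/* Test-only key for the handshake benchmark; never use it to authenticate a real service. */`. The existing `/* RSA key of 1024 bits */` sits above the certificate rather than the key, and nothing documents what defining PARAMS_1024 selects; one line at the `#ifdef` saying it switches the benchmark to 1024-bit DH parameters and a 1024-bit RSA key would cover both. The `#else` branch continues outside this hunk.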
@@ -67,6 +110,74 @@ const char *pkcs3 =
     "mPny0He9Qafb1DaNMcXBBG9tZVMJD7HwobjciAQJx+bz9Ckb0EvkyD5N2t5ovw==\n"
     "-----END DH PARAMETERS-----\n" "\n";
 
+static unsigned char server_cert_pem[] =
+  "-----BEGIN CERTIFICATE-----\n"
+  "MIIDfDCCAjSgAwIBAgIETuDcSzANBgkqhkiG9w0BAQsFADAcMQswCQYDVQQGEwJU\n"
+  "RTENMAsGA1UEChMEVGVzdDAeFw0xMTEyMDgxNTQ4MjhaFw0xNzA3MTcxNTQ4MzNa\n"
+  "MBwxCzAJBgNVBAYTAlRFMQ0wCwYDVQQKEwRUZXN0MIIBUjANBgkqhkiG9w0BAQEF\n"
+  "AAOCAT8AMIIBOgKCATEA0TxV0Cmz6FWfCsp/A9EDTvg73O4c76pGmDub2JLlVAHW\n"
+  "ayC+3ovSgr6wKx1czC6smO2Q2LHsGMIYGBXekpdqOTMv5W40MwI7pQapHgjMZVoT\n"
+  "fkUAP8ADiM/1qX1ehWjJ+Qj7U+wYN/O9UE6N0mRT/PIyIzit6sJ5DcGukKHwELho\n"
+  "kYGsbWmozckbsIBcDyTZRQnN9d0puAACvGb7vtufiI/BCAKqCP+oczgXQUzeipEB\n"
+  "wZlLWt+pDrfpqVec+A4NoJoMM/yOtmpwmdRJiczAhFyYKJFb9qwWQaqLhWCT4VAn\n"
+  "MGD4wIBKmHzHettNgSwbtYJaaIY75eJjgCio+Q4CxGl0+JHQdymejgnA0hy1geG5\n"
+  "fKxStGE/6ZU3pltmQ+D1iBPf53LbSYHwtyMJhrfsYwIDAQABo2YwZDAMBgNVHRMB\n"
+  "Af8EAjAAMA8GA1UdEQQIMAaCBHRlc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYD\n"
+  "VR0PAQH/BAUDAwegADAdBgNVHQ4EFgQUbgzSzUa25oFNSFNk47uKeEBMkWUwDQYJ\n"
+  "KoZIhvcNAQELBQADggExAKCDFHsfu/plC+Xiz+9dGk7PIxHuS8jPZRLSIsoI1c7H\n"
+  "1zge+HzRm9ZaUY8ph8+7soKiqFVmAK/WajNQ4JdhQQUFo/0oreobJmUwZSSE+Ldn\n"
+  "bRRTVo0yrgQ4r/7aemsG70yQnFjC+Ir1lPuYfaeC170rK0zbMIr1trRSU19UICYg\n"
+  "JPK8Uud24sf0h1YCIMza9OpVQIijeRg7RV/Wmux5NR7os/VGjIVC17Li/I5mR1QF\n"
+  "+HUSbyul/nMluBRdmUFJKF/OA47JS6Z6ck3AsTKXiYvSauprWfhjIvMt6BIU0Ktj\n"
+  "g9aaTXRYhanfR/epxAnvcM51BeAfofPr69yR5ZHCUqCR0AYLuQ2oy6Hw0VP56SrS\n"
+  "dcFFMceU7oOpOD0C72fDKCABg15liSCb2sUS58M5ts8=\n"
+  "-----END CERTIFICATE-----\n";
+
+static unsigned char server_key_pem[] =
+  "-----BEGIN RSA PRIVATE KEY-----\n"
+  "MIIFfAIBAAKCATEA0TxV0Cmz6FWfCsp/A9EDTvg73O4c76pGmDub2JLlVAHWayC+\n"
+  "3ovSgr6wKx1czC6smO2Q2LHsGMIYGBXekpdqOTMv5W40MwI7pQapHgjMZVoTfkUA\n"
+  "P8ADiM/1qX1ehWjJ+Qj7U+wYN/O9UE6N0mRT/PIyIzit6sJ5DcGukKHwELhokYGs\n"
+  "bWmozckbsIBcDyTZRQnN9d0puAACvGb7vtufiI/BCAKqCP+oczgXQUzeipEBwZlL\n"
+  "Wt+pDrfpqVec+A4NoJoMM/yOtmpwmdRJiczAhFyYKJFb9qwWQaqLhWCT4VAnMGD4\n"
+  "wIBKmHzHettNgSwbtYJaaIY75eJjgCio+Q4CxGl0+JHQdymejgnA0hy1geG5fKxS\n"
+  "tGE/6ZU3pltmQ+D1iBPf53LbSYHwtyMJhrfsYwIDAQABAoIBMHrVWuNruAxrR4UE\n"
+  "P/CzoaeYnzwiJaalZfA0/lb0VeEtev1FKghoOVs8KxwEjtfnhrf4r5InUZ1vRMnO\n"
+  "/O0+KsQNws6EFezkILPO5zWUoLnXWZ5FT9IdHXYR7/xidz0GuZuTpEguUEF4u+kL\n"
+  "VMLw10Wlwb1fpuos5Pgofhy2lMKcH/dcEyfgYZL9v12s3V6emVaoXNs7zSQQ/aMs\n"
+  "ll39Lv1XlE64E0EX1hgW3YZLPRSd73lIRokbI6fIrM9NfwFerUKEWWj3ZNcgHksF\n"
+  "JEIFYalyUiwOul9pSdN1rGOPmj4QWoVyilnD8HzhpEpXhB1VJquxadJYGLKnMt72\n"
+  "jgLALpkrqMLaa6khSuFhQK8EZEGm+QZYCut3+SHjd3vRslTqK/aWmbHxI84cr0/c\n"
+  "ULHIj9ECgZkA743ONjCm4wQMci3ffu9CRg9RZfKGHaF+HUIBW2LDZYDWng1k/A1e\n"
+  "4jYG90llsIGRCLDkTPX7gQqTpOn8OR/v13X47SBeBcsuNOqG8cQcpPz9btDxc3au\n"
+  "eSGwyaX+q+Pg8O9ehMR6+/rtisk+9P+XpiL07ShcDrAuKlVuYMxcLJjvjymW/RZT\n"
+  "+UgVnCwVfJYmlQmZ7DW3t38CgZkA35mupxBReXhRvTzFe39xdMFeMr5vpUV2WoeN\n"
+  "nKCTGLKDkLq9XoFvlM4lL/Lmuo07hwCdlxk6tqdj+VY81jLrgYdct3iqXcS5ut/Q\n"
+  "huW5bTQ3MpPFUa9MTa6bPyij1Z2IhhLWDwLGkk8lDlM7tjjKnwNEZsBNSshq8qw3\n"
+  "9h1kGgXk0hQiY4SiBNrgrgDkT8LUmFE/z+RBXR0CgZkAon9m6ouGKWiNqMZFXS2f\n"
+  "nza02JrzLxZlHiOwF/We5jPHYd9kKTZIrtpHT2eSe3DomSSlOS+DM72g+bVfSsDH\n"
+  "STjVasUSAowZA/wzHb0SUTjsEUfbAZ/4KmMYMTFQ1/j0lXtKenVtl5BXolVxR3A5\n"
+  "xpDf5CAEklIgfscE4NS/keEMX+iua2/B9s9XGWEuEh0ofuDMcNbfkLECgZhFnj7v\n"
+  "yzfi3yBsECDYm8yCcrZWjE6Mob0A4NWpn6FM/j/SbyII67oHFcwkSrel+9U96mYm\n"
+  "pndOaX3KIxycAIys7q1ifpJk0ZyWX5s4dQwvwSMyfynfjfnu8d9qYcfo+byJKhI1\n"
+  "6EJVSYkbFbUwvivwKH9Ckrs9/nq2BgMCgRIqvA0Lj7NJUwFzC4cLBkIPx3ST3DBH\n"
+  "FSV4zQKBmQCiO2PI+qvCtn04rl1cKsdbUncLQO/y8FQkaEz6Q1q9+973zn4s4ich\n"
+  "IfLgwyw0udrXbo6j0oMICbcyDjtTsS6D2wCvLozopkeUbXDNX+ajZV9B/GfjEMm0\n"
+  "IOVSBxPEaJDrP69i6skise6gYRD+LFi4IWEV/tH+glFlAIEWnwGrLj0igPM4ZCYq\n"
+  "8bZaNY7zXZVgrVoVGCvq6Q==\n"
+  "-----END RSA PRIVATE KEY-----\n";
+#endif
+
+
+const gnutls_datum_t server_cert = { server_cert_pem,
+  sizeof (server_cert_pem)
+};
+
+
+const gnutls_datum_t server_key = { server_key_pem,
+  sizeof (server_key_pem)
+};
+
 char buffer[64 * 1024];
 
 static void tls_log_func(int level, const char *str)
@@ -186,16 +297,25 @@ static void test_ciphersuite_kx(const char *cipher_prio)
     const char *suite = NULL;
     /* Client stuff. */
     gnutls_anon_client_credentials_t c_anoncred;
+    gnutls_certificate_credentials_t c_certcred, s_certcred;
     gnutls_session_t client;
     /* Need to enable anonymous KX specifically. */
     int ret;
     struct benchmark_st st;
 
     /* Init server */
+    gnutls_certificate_allocate_credentials(&s_certcred);
     gnutls_anon_allocate_server_credentials(&s_anoncred);
     gnutls_dh_params_init(&dh_params);
-    gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
+    if ((ret=gnutls_dh_params_import_pkcs3(dh_params, &p3, 
GNUTLS_X509_FMT_PEM)) < 0) {
+      fprintf(stderr, "Error importing the PKCS #3 params: %s\n", 
gnutls_strerror(ret));
+      exit(1);
+    }
     gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
+    gnutls_certificate_set_dh_params(s_certcred, dh_params);
+
+    gnutls_certificate_set_x509_key_mem (s_certcred, &server_cert, &server_key,
+                                         GNUTLS_X509_FMT_PEM);
 
     start_benchmark(&st);
 
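Review bot: The return value of `gnutls_certificate_set_x509_key_mem` is discarded, although the PKCS #3 import a few lines above it is now checked. If the embedded certificate or key fails to parse, the benchmark would carry on with empty certificate credentials, and the DHE-RSA, ECDHE-RSA and RSA runs would presumably fail later in the handshake with a far less useful error. I would check it the same way as the DH import, as in the excerpt below; the two `gnutls_certificate_allocate_credentials` calls are unchecked as well. The context comment `/* Need to enable anonymous KX specifically. */` no longer describes what the function sets up, and test_ciphersuite_kx's body continues outside the hunk.

```c
    gnutls_certificate_set_dh_params(s_certcred, dh_params);

    ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_cert,
                                              &server_key,
                                              GNUTLS_X509_FMT_PEM);
    if (ret < 0) {
      fprintf(stderr, "Error loading the benchmark certificate and key: %s\n",
              gnutls_strerror(ret));
      exit(1);
    }
```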
@@ -207,6 +327,7 @@ static void test_ciphersuite_kx(const char *cipher_prio)
             exit(1);
         }
         gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
+        gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, s_certcred);
         gnutls_transport_set_push_function(server, server_push);
         gnutls_transport_set_pull_function(server, server_pull);
         gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server);
@@ -214,6 +335,8 @@ static void test_ciphersuite_kx(const char *cipher_prio)
 
         /* Init client */
         gnutls_anon_allocate_client_credentials(&c_anoncred);
+        gnutls_certificate_allocate_credentials(&c_certcred);
+
         gnutls_init(&client, GNUTLS_CLIENT);
 
         ret = gnutls_priority_set_direct(client, cipher_prio, &str);
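Review bot: `c_certcred` is allocated here and `s_certcred` in the earlier hunk, but none of the hunks for this file adds a matching `gnutls_certificate_free_credentials` call. The deeper indentation suggests this allocation sits inside the benchmark loop; if that reading is right, one credentials structure is leaked per handshake, and the extra allocations add noise to the timings. Next to the existing cleanup of the anonymous credentials (outside the hunks shown) I would add `gnutls_certificate_free_credentials(c_certcred);` and, after the loop, `gnutls_certificate_free_credentials(s_certcred);`.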
@@ -222,6 +345,8 @@ static void test_ciphersuite_kx(const char *cipher_prio)
             exit(1);
         }
         gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
+        gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, c_certcred);
+
         gnutls_transport_set_push_function(client, client_push);
         gnutls_transport_set_pull_function(client, client_pull);
         gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client);
@@ -257,6 +382,7 @@ void benchmark_tls(int debug_level)
     gnutls_global_init();
 
     printf("Testing throughput in cipher/MAC combinations:\n");
+
     test_ciphersuite(PRIO_ARCFOUR_128_MD5, 1024);
     test_ciphersuite(PRIO_ARCFOUR_128_MD5, 4096);
     test_ciphersuite(PRIO_ARCFOUR_128_MD5, 8 * 1024);
@@ -281,6 +407,7 @@ void benchmark_tls(int debug_level)
     printf("Testing key exchanges:\n");
     test_ciphersuite_kx(PRIO_DH);
     test_ciphersuite_kx(PRIO_ECDH);
+    test_ciphersuite_kx(PRIO_RSA);
 
 
     gnutls_global_deinit();


hooks/post-receive
-- 
GNU gnutls


