2
0

cipher_driver.c 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603
  1. /*
  2. * cipher_driver.c
  3. *
  4. * A driver for the generic cipher type
  5. *
  6. * David A. McGrew
  7. * Cisco Systems, Inc.
  8. */
  9. /*
  10. *
  11. * Copyright (c) 2001-2017 Cisco Systems, Inc.
  12. * All rights reserved.
  13. *
  14. * Redistribution and use in source and binary forms, with or without
  15. * modification, are permitted provided that the following conditions
  16. * are met:
  17. *
  18. * Redistributions of source code must retain the above copyright
  19. * notice, this list of conditions and the following disclaimer.
  20. *
  21. * Redistributions in binary form must reproduce the above
  22. * copyright notice, this list of conditions and the following
  23. * disclaimer in the documentation and/or other materials provided
  24. * with the distribution.
  25. *
  26. * Neither the name of the Cisco Systems, Inc. nor the names of its
  27. * contributors may be used to endorse or promote products derived
  28. * from this software without specific prior written permission.
  29. *
  30. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  31. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  32. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  33. * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  34. * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
  35. * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  36. * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  37. * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  38. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  39. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  40. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  41. * OF THE POSSIBILITY OF SUCH DAMAGE.
  42. *
  43. */
  44. #ifdef HAVE_CONFIG_H
  45. #include <config.h>
  46. #endif
  47. #include <stdio.h> /* for printf() */
  48. #include "getopt_s.h"
  49. #include "cipher.h"
  50. #include "cipher_priv.h"
  51. #ifdef GCM
  52. #include "aes_icm_ext.h"
  53. #include "aes_gcm.h"
  54. #else
  55. #include "aes_icm.h"
  56. #endif
  57. #define PRINT_DEBUG 0
  58. void cipher_driver_test_throughput(srtp_cipher_t *c);
  59. srtp_err_status_t cipher_driver_self_test(srtp_cipher_type_t *ct);
  60. /*
  61. * cipher_driver_test_buffering(ct) tests the cipher's output
  62. * buffering for correctness by checking the consistency of succesive
  63. * calls
  64. */
  65. srtp_err_status_t cipher_driver_test_buffering(srtp_cipher_t *c);
  66. /*
  67. * functions for testing cipher cache thrash
  68. */
  69. srtp_err_status_t cipher_driver_test_array_throughput(srtp_cipher_type_t *ct,
  70. int klen,
  71. int num_cipher);
  72. void cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher);
  73. uint64_t cipher_array_bits_per_second(srtp_cipher_t *cipher_array[],
  74. int num_cipher,
  75. unsigned octets_in_buffer,
  76. int num_trials);
  77. srtp_err_status_t cipher_array_delete(srtp_cipher_t *cipher_array[],
  78. int num_cipher);
  79. srtp_err_status_t cipher_array_alloc_init(srtp_cipher_t ***cipher_array,
  80. int num_ciphers,
  81. srtp_cipher_type_t *ctype,
  82. int klen);
  83. void usage(char *prog_name)
  84. {
  85. printf("usage: %s [ -t | -v | -a ]\n", prog_name);
  86. exit(255);
  87. }
  88. void check_status(srtp_err_status_t s)
  89. {
  90. if (s) {
  91. printf("error (code %d)\n", s);
  92. exit(s);
  93. }
  94. return;
  95. }
  96. /*
  97. * null_cipher and srtp_aes_icm are the cipher meta-objects
  98. * defined in the files in crypto/cipher subdirectory. these are
  99. * declared external so that we can use these cipher types here
  100. */
  101. extern srtp_cipher_type_t srtp_null_cipher;
  102. extern srtp_cipher_type_t srtp_aes_icm_128;
  103. extern srtp_cipher_type_t srtp_aes_icm_256;
  104. #ifdef GCM
  105. extern srtp_cipher_type_t srtp_aes_icm_192;
  106. extern srtp_cipher_type_t srtp_aes_gcm_128;
  107. extern srtp_cipher_type_t srtp_aes_gcm_256;
  108. #endif
  109. int main(int argc, char *argv[])
  110. {
  111. srtp_cipher_t *c = NULL;
  112. srtp_err_status_t status;
  113. /* clang-format off */
  114. unsigned char test_key[48] = {
  115. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  116. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  117. 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
  118. 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
  119. 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
  120. 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
  121. };
  122. /* clang-format on */
  123. int q;
  124. unsigned do_timing_test = 0;
  125. unsigned do_validation = 0;
  126. unsigned do_array_timing_test = 0;
  127. /* process input arguments */
  128. while (1) {
  129. q = getopt_s(argc, argv, "tva");
  130. if (q == -1)
  131. break;
  132. switch (q) {
  133. case 't':
  134. do_timing_test = 1;
  135. break;
  136. case 'v':
  137. do_validation = 1;
  138. break;
  139. case 'a':
  140. do_array_timing_test = 1;
  141. break;
  142. default:
  143. usage(argv[0]);
  144. }
  145. }
  146. printf("cipher test driver\n"
  147. "David A. McGrew\n"
  148. "Cisco Systems, Inc.\n");
  149. if (!do_validation && !do_timing_test && !do_array_timing_test)
  150. usage(argv[0]);
  151. /* arry timing (cache thrash) test */
  152. if (do_array_timing_test) {
  153. int max_num_cipher = 1 << 16; /* number of ciphers in cipher_array */
  154. int num_cipher;
  155. for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8)
  156. cipher_driver_test_array_throughput(&srtp_null_cipher, 0,
  157. num_cipher);
  158. for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8)
  159. cipher_driver_test_array_throughput(
  160. &srtp_aes_icm_128, SRTP_AES_ICM_128_KEY_LEN_WSALT, num_cipher);
  161. for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8)
  162. cipher_driver_test_array_throughput(
  163. &srtp_aes_icm_256, SRTP_AES_ICM_256_KEY_LEN_WSALT, num_cipher);
  164. #ifdef GCM
  165. for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8)
  166. cipher_driver_test_array_throughput(
  167. &srtp_aes_icm_192, SRTP_AES_ICM_192_KEY_LEN_WSALT, num_cipher);
  168. for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) {
  169. cipher_driver_test_array_throughput(
  170. &srtp_aes_gcm_128, SRTP_AES_GCM_128_KEY_LEN_WSALT, num_cipher);
  171. }
  172. for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) {
  173. cipher_driver_test_array_throughput(
  174. &srtp_aes_gcm_256, SRTP_AES_GCM_256_KEY_LEN_WSALT, num_cipher);
  175. }
  176. #endif
  177. }
  178. if (do_validation) {
  179. cipher_driver_self_test(&srtp_null_cipher);
  180. cipher_driver_self_test(&srtp_aes_icm_128);
  181. cipher_driver_self_test(&srtp_aes_icm_256);
  182. #ifdef GCM
  183. cipher_driver_self_test(&srtp_aes_icm_192);
  184. cipher_driver_self_test(&srtp_aes_gcm_128);
  185. cipher_driver_self_test(&srtp_aes_gcm_256);
  186. #endif
  187. }
  188. /* do timing and/or buffer_test on srtp_null_cipher */
  189. status = srtp_cipher_type_alloc(&srtp_null_cipher, &c, 0, 0);
  190. check_status(status);
  191. status = srtp_cipher_init(c, NULL);
  192. check_status(status);
  193. if (do_timing_test)
  194. cipher_driver_test_throughput(c);
  195. if (do_validation) {
  196. status = cipher_driver_test_buffering(c);
  197. check_status(status);
  198. }
  199. status = srtp_cipher_dealloc(c);
  200. check_status(status);
  201. /* run the throughput test on the aes_icm cipher (128-bit key) */
  202. status = srtp_cipher_type_alloc(&srtp_aes_icm_128, &c,
  203. SRTP_AES_ICM_128_KEY_LEN_WSALT, 0);
  204. if (status) {
  205. fprintf(stderr, "error: can't allocate cipher\n");
  206. exit(status);
  207. }
  208. status = srtp_cipher_init(c, test_key);
  209. check_status(status);
  210. if (do_timing_test)
  211. cipher_driver_test_throughput(c);
  212. if (do_validation) {
  213. status = cipher_driver_test_buffering(c);
  214. check_status(status);
  215. }
  216. status = srtp_cipher_dealloc(c);
  217. check_status(status);
  218. /* repeat the tests with 256-bit keys */
  219. status = srtp_cipher_type_alloc(&srtp_aes_icm_256, &c,
  220. SRTP_AES_ICM_256_KEY_LEN_WSALT, 0);
  221. if (status) {
  222. fprintf(stderr, "error: can't allocate cipher\n");
  223. exit(status);
  224. }
  225. status = srtp_cipher_init(c, test_key);
  226. check_status(status);
  227. if (do_timing_test)
  228. cipher_driver_test_throughput(c);
  229. if (do_validation) {
  230. status = cipher_driver_test_buffering(c);
  231. check_status(status);
  232. }
  233. status = srtp_cipher_dealloc(c);
  234. check_status(status);
  235. #ifdef GCM
  236. /* run the throughput test on the aes_gcm_128 cipher */
  237. status = srtp_cipher_type_alloc(&srtp_aes_gcm_128, &c,
  238. SRTP_AES_GCM_128_KEY_LEN_WSALT, 8);
  239. if (status) {
  240. fprintf(stderr, "error: can't allocate GCM 128 cipher\n");
  241. exit(status);
  242. }
  243. status = srtp_cipher_init(c, test_key);
  244. check_status(status);
  245. if (do_timing_test) {
  246. cipher_driver_test_throughput(c);
  247. }
  248. // GCM ciphers don't do buffering; they're "one shot"
  249. status = srtp_cipher_dealloc(c);
  250. check_status(status);
  251. /* run the throughput test on the aes_gcm_256 cipher */
  252. status = srtp_cipher_type_alloc(&srtp_aes_gcm_256, &c,
  253. SRTP_AES_GCM_256_KEY_LEN_WSALT, 16);
  254. if (status) {
  255. fprintf(stderr, "error: can't allocate GCM 256 cipher\n");
  256. exit(status);
  257. }
  258. status = srtp_cipher_init(c, test_key);
  259. check_status(status);
  260. if (do_timing_test) {
  261. cipher_driver_test_throughput(c);
  262. }
  263. // GCM ciphers don't do buffering; they're "one shot"
  264. status = srtp_cipher_dealloc(c);
  265. check_status(status);
  266. #endif
  267. return 0;
  268. }
  269. void cipher_driver_test_throughput(srtp_cipher_t *c)
  270. {
  271. int i;
  272. int min_enc_len = 32;
  273. int max_enc_len = 2048; /* should be a power of two */
  274. int num_trials = 1000000;
  275. printf("timing %s throughput, key length %d:\n", c->type->description,
  276. c->key_len);
  277. fflush(stdout);
  278. for (i = min_enc_len; i <= max_enc_len; i = i * 2)
  279. printf("msg len: %d\tgigabits per second: %f\n", i,
  280. srtp_cipher_bits_per_second(c, i, num_trials) / 1e9);
  281. }
  282. srtp_err_status_t cipher_driver_self_test(srtp_cipher_type_t *ct)
  283. {
  284. srtp_err_status_t status;
  285. printf("running cipher self-test for %s...", ct->description);
  286. status = srtp_cipher_type_self_test(ct);
  287. if (status) {
  288. printf("failed with error code %d\n", status);
  289. exit(status);
  290. }
  291. printf("passed\n");
  292. return srtp_err_status_ok;
  293. }
  294. /*
  295. * cipher_driver_test_buffering(ct) tests the cipher's output
  296. * buffering for correctness by checking the consistency of succesive
  297. * calls
  298. */
  299. #define INITIAL_BUFLEN 1024
  300. srtp_err_status_t cipher_driver_test_buffering(srtp_cipher_t *c)
  301. {
  302. int i, j, num_trials = 1000;
  303. unsigned len, buflen = INITIAL_BUFLEN;
  304. uint8_t buffer0[INITIAL_BUFLEN], buffer1[INITIAL_BUFLEN], *current, *end;
  305. uint8_t idx[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  306. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x34 };
  307. srtp_err_status_t status;
  308. printf("testing output buffering for cipher %s...", c->type->description);
  309. for (i = 0; i < num_trials; i++) {
  310. /* set buffers to zero */
  311. for (j = 0; j < (int)buflen; j++) {
  312. buffer0[j] = buffer1[j] = 0;
  313. }
  314. /* initialize cipher */
  315. status = srtp_cipher_set_iv(c, (uint8_t *)idx, srtp_direction_encrypt);
  316. if (status)
  317. return status;
  318. /* generate 'reference' value by encrypting all at once */
  319. status = srtp_cipher_encrypt(c, buffer0, &buflen);
  320. if (status)
  321. return status;
  322. /* re-initialize cipher */
  323. status = srtp_cipher_set_iv(c, (uint8_t *)idx, srtp_direction_encrypt);
  324. if (status)
  325. return status;
  326. /* now loop over short lengths until buffer1 is encrypted */
  327. current = buffer1;
  328. end = buffer1 + buflen;
  329. while (current < end) {
  330. /* choose a short length */
  331. len = srtp_cipher_rand_u32_for_tests() & 0x01f;
  332. /* make sure that len doesn't cause us to overreach the buffer */
  333. if (current + len > end)
  334. len = end - current;
  335. status = srtp_cipher_encrypt(c, current, &len);
  336. if (status)
  337. return status;
  338. /* advance pointer into buffer1 to reflect encryption */
  339. current += len;
  340. /* if buffer1 is all encrypted, break out of loop */
  341. if (current == end)
  342. break;
  343. }
  344. /* compare buffers */
  345. for (j = 0; j < (int)buflen; j++) {
  346. if (buffer0[j] != buffer1[j]) {
  347. #if PRINT_DEBUG
  348. printf("test case %d failed at byte %d\n", i, j);
  349. printf("computed: %s\n",
  350. octet_string_hex_string(buffer1, buflen));
  351. printf("expected: %s\n",
  352. octet_string_hex_string(buffer0, buflen));
  353. #endif
  354. return srtp_err_status_algo_fail;
  355. }
  356. }
  357. }
  358. printf("passed\n");
  359. return srtp_err_status_ok;
  360. }
  361. /*
  362. * The function cipher_test_throughput_array() tests the effect of CPU
  363. * cache thrash on cipher throughput.
  364. *
  365. * cipher_array_alloc_init(ctype, array, num_ciphers) creates an array
  366. * of srtp_cipher_t of type ctype
  367. */
  368. srtp_err_status_t cipher_array_alloc_init(srtp_cipher_t ***ca,
  369. int num_ciphers,
  370. srtp_cipher_type_t *ctype,
  371. int klen)
  372. {
  373. int i, j;
  374. srtp_err_status_t status;
  375. uint8_t *key;
  376. srtp_cipher_t **cipher_array;
  377. /* pad klen allocation, to handle aes_icm reading 16 bytes for the
  378. 14-byte salt */
  379. int klen_pad = ((klen + 15) >> 4) << 4;
  380. /* allocate array of pointers to ciphers */
  381. cipher_array = (srtp_cipher_t **)srtp_crypto_alloc(sizeof(srtp_cipher_t *) *
  382. num_ciphers);
  383. if (cipher_array == NULL)
  384. return srtp_err_status_alloc_fail;
  385. /* set ca to location of cipher_array */
  386. *ca = cipher_array;
  387. /* allocate key */
  388. key = srtp_crypto_alloc(klen_pad);
  389. if (key == NULL) {
  390. srtp_crypto_free(cipher_array);
  391. return srtp_err_status_alloc_fail;
  392. }
  393. /* allocate and initialize an array of ciphers */
  394. for (i = 0; i < num_ciphers; i++) {
  395. /* allocate cipher */
  396. status = srtp_cipher_type_alloc(ctype, cipher_array, klen, 16);
  397. if (status)
  398. return status;
  399. /* generate random key and initialize cipher */
  400. srtp_cipher_rand_for_tests(key, klen);
  401. for (j = klen; j < klen_pad; j++)
  402. key[j] = 0;
  403. status = srtp_cipher_init(*cipher_array, key);
  404. if (status)
  405. return status;
  406. /* printf("%dth cipher is at %p\n", i, *cipher_array); */
  407. /* printf("%dth cipher description: %s\n", i, */
  408. /* (*cipher_array)->type->description); */
  409. /* advance cipher array pointer */
  410. cipher_array++;
  411. }
  412. srtp_crypto_free(key);
  413. return srtp_err_status_ok;
  414. }
  415. srtp_err_status_t cipher_array_delete(srtp_cipher_t *cipher_array[],
  416. int num_cipher)
  417. {
  418. int i;
  419. for (i = 0; i < num_cipher; i++) {
  420. srtp_cipher_dealloc(cipher_array[i]);
  421. }
  422. srtp_crypto_free(cipher_array);
  423. return srtp_err_status_ok;
  424. }
  425. /*
  426. * cipher_array_bits_per_second(c, l, t) computes (an estimate of) the
  427. * number of bits that a cipher implementation can encrypt in a second
  428. * when distinct keys are used to encrypt distinct messages
  429. *
  430. * c is a cipher (which MUST be allocated an initialized already), l
  431. * is the length in octets of the test data to be encrypted, and t is
  432. * the number of trials
  433. *
  434. * if an error is encountered, the value 0 is returned
  435. */
  436. uint64_t cipher_array_bits_per_second(srtp_cipher_t *cipher_array[],
  437. int num_cipher,
  438. unsigned octets_in_buffer,
  439. int num_trials)
  440. {
  441. int i;
  442. v128_t nonce;
  443. clock_t timer;
  444. unsigned char *enc_buf;
  445. int cipher_index = srtp_cipher_rand_u32_for_tests() % num_cipher;
  446. /* Over-alloc, for NIST CBC padding */
  447. enc_buf = srtp_crypto_alloc(octets_in_buffer + 17);
  448. if (enc_buf == NULL)
  449. return 0; /* indicate bad parameters by returning null */
  450. /* time repeated trials */
  451. v128_set_to_zero(&nonce);
  452. timer = clock();
  453. for (i = 0; i < num_trials; i++, nonce.v32[3] = i) {
  454. /* length parameter to srtp_cipher_encrypt is in/out -- out is total,
  455. * padded
  456. * length -- so reset it each time. */
  457. unsigned octets_to_encrypt = octets_in_buffer;
  458. /* encrypt buffer with cipher */
  459. srtp_cipher_set_iv(cipher_array[cipher_index], (uint8_t *)&nonce,
  460. srtp_direction_encrypt);
  461. srtp_cipher_encrypt(cipher_array[cipher_index], enc_buf,
  462. &octets_to_encrypt);
  463. /* choose a cipher at random from the array*/
  464. cipher_index = (*((uint32_t *)enc_buf)) % num_cipher;
  465. }
  466. timer = clock() - timer;
  467. srtp_crypto_free(enc_buf);
  468. if (timer == 0) {
  469. /* Too fast! */
  470. return 0;
  471. }
  472. return (uint64_t)CLOCKS_PER_SEC * num_trials * 8 * octets_in_buffer / timer;
  473. }
  474. void cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher)
  475. {
  476. int i;
  477. int min_enc_len = 16;
  478. int max_enc_len = 2048; /* should be a power of two */
  479. int num_trials = 1000000;
  480. printf("timing %s throughput with key length %d, array size %d:\n",
  481. (ca[0])->type->description, (ca[0])->key_len, num_cipher);
  482. fflush(stdout);
  483. for (i = min_enc_len; i <= max_enc_len; i = i * 4)
  484. printf("msg len: %d\tgigabits per second: %f\n", i,
  485. cipher_array_bits_per_second(ca, num_cipher, i, num_trials) /
  486. 1e9);
  487. }
  488. srtp_err_status_t cipher_driver_test_array_throughput(srtp_cipher_type_t *ct,
  489. int klen,
  490. int num_cipher)
  491. {
  492. srtp_cipher_t **ca = NULL;
  493. srtp_err_status_t status;
  494. status = cipher_array_alloc_init(&ca, num_cipher, ct, klen);
  495. if (status) {
  496. printf("error: cipher_array_alloc_init() failed with error code %d\n",
  497. status);
  498. return status;
  499. }
  500. cipher_array_test_throughput(ca, num_cipher);
  501. cipher_array_delete(ca, num_cipher);
  502. return srtp_err_status_ok;
  503. }