|
10 | 10 |
|
11 | 11 | set -x |
12 | 12 |
|
| 13 | +. ./common_util.sh |
| 14 | + |
13 | 15 | INSTALL_ROOT=${BENCH_INSTALL_ROOT:-"/tmp/bench.binaries"} |
14 | 16 | RESULT_DIR=${BENCH_RESULTS:-"${INSTALL_ROOT}/results"} |
15 | 17 | WORKSPACE_ROOT=${BENCH_WORKSPACE_ROOT:-"/tmp/bench.workspace"} |
16 | 18 | MAKE_OPTS=${BENCH_MAKE_OPTS} |
17 | | -HAPROXY_NOSSL_PORT='42128' |
18 | | -HAPROXY_C2P_PORT='42132' |
19 | | -HAPROXY_P2S_PORT='42134' |
20 | | -HAPROXY_C2S_PORT='42136' |
| 19 | +HAPROXY_BUILD_TARG=${BENCH_HAPROXY_BUILD_TARG:-'linux-glibc'} |
21 | 20 | CERT_SUBJ=${BENCH_CERT_SUBJ:-'/CN=localhost'} |
22 | 21 | CERT_ALT_SUBJ=${BENCH_CERT_ALT_SUBJ:-'subjectAltName=DNS:localhost,IP:127.0.0.1'} |
23 | 22 | HOST=${BENCH_HOST:-'127.0.0.1'} |
| 23 | +PORT_RSA_REUSE=${BENCH_PORT_RSA_REUSE:-7000} |
| 24 | +PORT_RSA=${BENCH_PORT_RSA:-7100} |
| 25 | +PORT_EC_REUSE=${BENCH_PORT_EC_REUSE:-7200} |
| 26 | +PORT_EC=${BENCH_PORT_EC:-7300} |
24 | 27 | HAPROXY_VERSION='v3.2.0' |
| 28 | +CERT_SUBJ=${BENCH_CERT_SUBJ:-'/CN=localhost'} |
| 29 | +CERT_ALT_SUBJ=${BENCH_CERT_ALT_SUBJ:-'subjectAltName=DNS:localhost,IP:127.0.0.1'} |
| 30 | +PROXY_CHAIN=${BENCH_PROXY_CHAIN:-21} |
| 31 | +HOST=${BENCH_HOST:-'127.0.0.1'} |
| 32 | + |
| 33 | +function install_httpterm { |
| 34 | + typeset SSL_LIB=$1 |
| 35 | + # |
| 36 | + # FixMe: with https://github.com/wtarreau/httpterm, |
| 37 | + # once https://github.com/wtarreau/httpterm/pull/1 |
| 38 | + # will be merged |
| 39 | + # |
| 40 | + typeset HTTPTERM_REPO="https://github.com/sashan/httpterm" |
| 41 | + typeset BASENAME='httpterm' |
| 42 | + typeset DIRNAME="${BASENAME}" |
| 43 | + typeset SSL_CFLAGS='' |
| 44 | + typeset SSL_LFLAGS='' |
| 45 | + |
| 46 | + if [[ -z "${SSL_LIB}" ]] ; then |
| 47 | + SSL_LIB="openssl-master" |
| 48 | + fi |
| 49 | + |
| 50 | + cd "${WORKSPACE_ROOT}" || exit 1 |
| 51 | + git clone -b fix.null-deref "${HTTPTERM_REPO}" "${DIRNAME}" || exit 1 |
| 52 | + cd ${DIRNAME} || exit 1 |
| 53 | + make || exit 1 |
| 54 | + install httpterm "${INSTALL_ROOT}/${SSL_LIB}/bin/httpterm" || exit 1 |
| 55 | +} |
| 56 | + |
| 57 | +function install_h1load { |
| 58 | + typeset SSL_LIB=$1 |
| 59 | + typeset H1LOAD_REPO="https://github.com/sashan/h1load" |
| 60 | + typeset BASENAME='h1load' |
| 61 | + typeset DIRNAME="${BASENAME}" |
| 62 | + typeset SSL_CFLAGS='' |
| 63 | + typeset SSL_LFLAGS='' |
| 64 | + |
| 65 | + if [[ -z "${SSL_LIB}" ]] ; then |
| 66 | + SSL_LIB="openssl-master" |
| 67 | + fi |
| 68 | + |
| 69 | + echo $SSL_LIB | grep 'wolfssl' > /dev/null |
| 70 | + if [[ $? -eq 0 ]] ; then |
| 71 | + # |
| 72 | + # adjust flags for wolfssl |
| 73 | + # |
| 74 | + SSL_CFLAGS="-I${INSTALL_ROOT}/${SSL_LIB}/include/wolfssl" |
| 75 | + SSL_CFLAGS="${SSL_CFLAGS} -I${INSTALL_ROOT}/${SSL_LIB}/include" |
| 76 | + SSL_CFLAGS="${SSL_CFLAGS} -include ${INSTALL_ROOT}/${SSL_LIB}/include/wolfssl/options.h" |
| 77 | + SSL_LFLAGS="-L ${INSTALL_ROOT}/${SSL_LIB}/lib -lwolfssl -Wl,-rpath=${INSTALL_ROOT}/lib" |
| 78 | + else |
| 79 | + SSL_CFLAGS="-I${INSTALL_ROOT}/${SSL_LIB}/include" |
| 80 | + SSL_LFLAGS="-L ${INSTALL_ROOT}/${SSL_LIB}/lib -lssl -lcrypto" |
| 81 | + fi |
| 82 | + # |
| 83 | + # this fork adds -u option to keep time as uptime |
| 84 | + # |
| 85 | + cd "${WORKSPACE_ROOT}" || exit 1 |
| 86 | + git clone -b float "${H1LOAD_REPO}" "${DIRNAME}" || exit 1 |
| 87 | + cd ${DIRNAME} || exit 1 |
| 88 | + make SSL_CFLAGS="${SSL_CFLAGS}" SSL_LFLAGS="${SSL_LFLAGS}" || exit 1 |
| 89 | + install h1load "${INSTALL_ROOT}/${SSL_LIB}/bin/h1load" || exit 1 |
| 90 | + cd scripts |
| 91 | + for i in *.sh ; do |
| 92 | + install $i "${INSTALL_ROOT}/${SSL_LIB}/bin/$i" || exit 1 |
| 93 | + done |
| 94 | +} |
25 | 95 |
|
26 | 96 | function install_haproxy { |
27 | 97 | typeset SSL_LIB=$1 |
28 | 98 | typeset VERSION=${HAPROXY_VERSION:-v3.2.0} |
29 | 99 | typeset HAPROXY_REPO="https://github.com/haproxy/haproxy.git" |
30 | 100 | typeset BASENAME='haproxy' |
31 | 101 | typeset DIRNAME="${BASENAME}-${VERSION}" |
32 | | - typeset CERTDIR="${INSTALL_ROOT}/${SSL_LIB}/conf/certs" |
| 102 | + typeset USE_LIB='' |
33 | 103 |
|
34 | 104 | if [[ -z "${SSL_LIB}" ]] ; then |
35 | 105 | SSL_LIB="openssl-master" |
36 | 106 | fi |
37 | 107 |
|
| 108 | + case ${SSL_LIB} in |
| 109 | + wolf*) |
| 110 | + USE_LIB='USE_OPENSSL_WOLFSSL=1' |
| 111 | + ;; |
| 112 | + *) |
| 113 | + USE_LIB='USE_OPENSSL=1' |
| 114 | + ;; |
| 115 | + esac |
| 116 | + |
38 | 117 | if [[ -f "${INSTALL_ROOT}/${SSL_LIB}/sbin/haproxy" ]] ; then |
39 | 118 | echo "haproxy already installed; skipping.." |
40 | 119 | else |
41 | | - cd "${WORKSPACE_ROOT}" |
| 120 | + cd "${WORKSPACE_ROOT}" || exit 1 |
42 | 121 | mkdir -p "${DIRNAME}" || exit 1 |
43 | 122 | cd "${DIRNAME}" |
44 | 123 | git clone "${HAPROXY_REPO}" -b ${VERSION} --depth 1 . || exit 1 |
45 | 124 |
|
46 | 125 | # haproxy does not have a configure script; only a big makefile |
47 | 126 | make clean |
48 | 127 | make ${MAKE_OPTS} \ |
49 | | - TARGET=generic \ |
50 | | - USE_OPENSSL=1 \ |
| 128 | + TARGET=${HAPROXY_BUILD_TARG} \ |
| 129 | + ${USE_LIB} \ |
| 130 | + USE_OPENSSL=USE_QUIC \ |
51 | 131 | SSL_INC="${INSTALL_ROOT}/${SSL_LIB}/include" \ |
52 | 132 | SSL_LIB="${INSTALL_ROOT}/${SSL_LIB}/lib" || exit 1 |
53 | 133 |
|
54 | 134 | make install ${MAKE_OPTS} \ |
55 | 135 | PREFIX="${INSTALL_ROOT}/${SSL_LIB}" || exit 1 |
56 | 136 | fi |
57 | 137 |
|
58 | | - mkdir -p ${CERTDIR} |
59 | | - |
60 | | - # now generate the certificates |
61 | | - echo "generating new certificates for haproxy" |
62 | | - OPENSSL_BIN="env LD_LIBRARY_PATH=${INSTALL_ROOT}/${SSL_LIB}/lib ${INSTALL_ROOT}/${SSL_LIB}/bin/openssl" |
63 | | - |
64 | | - # generating the key, cert of ca |
65 | | - $OPENSSL_BIN genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out "${CERTDIR}/ca_key.pem" || exit 1 |
66 | | - $OPENSSL_BIN req -new -x509 -days 1 -key "${CERTDIR}/ca_key.pem" -out "${CERTDIR}/ca_cert.pem" -subj "/CN=Root CA" \ |
67 | | - -addext "basicConstraints=critical,CA:true" \ |
68 | | - -addext "keyUsage=critical,keyCertSign,cRLSign" || exit 1 |
69 | | - |
70 | | - # generating the client side |
71 | | - $OPENSSL_BIN genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out "${CERTDIR}/client_key.pem" || exit 1 |
72 | | - $OPENSSL_BIN pkey -in "${CERTDIR}/client_key.pem" -pubout -out "${CERTDIR}/client_key_pub.pem" || exit 1 |
73 | | - $OPENSSL_BIN req -new -out "${CERTDIR}/client_csr.pem" -subj "/CN=${HOST}" -key "${CERTDIR}/client_key.pem" \ |
74 | | - -addext "${CERT_ALT_SUBJ}" \ |
75 | | - -addext "keyUsage=critical,digitalSignature" || exit 1 |
76 | | - $OPENSSL_BIN x509 -req -out "${CERTDIR}/client_cert.pem" -CAkey "${CERTDIR}/ca_key.pem" -CA "${CERTDIR}/ca_cert.pem" \ |
77 | | - -days 1 -in "${CERTDIR}/client_csr.pem" -copy_extensions copy -ext "subjectAltName,keyUsage" \ |
78 | | - -extfile <(printf "basicConstraints=critical,CA:false\nsubjectKeyIdentifier=none\n") || exit 1 |
79 | | - |
80 | | - # generating the server side |
81 | | - $OPENSSL_BIN genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out "${CERTDIR}/server_key.pem" || exit 1 |
82 | | - $OPENSSL_BIN pkey -in "${CERTDIR}/server_key.pem" -pubout -out "${CERTDIR}/server_key_pub.pem" || exit 1 |
83 | | - $OPENSSL_BIN req -new -out "${CERTDIR}/server_csr.pem" -subj "/CN=${HOST}" -key "${CERTDIR}/server_key.pem" \ |
84 | | - -addext "${CERT_ALT_SUBJ}" \ |
85 | | - -addext "keyUsage=critical,digitalSignature" || exit 1 |
86 | | - $OPENSSL_BIN x509 -req -out "${CERTDIR}/server_cert.pem" -CAkey "${CERTDIR}/ca_key.pem" -CA "${CERTDIR}/ca_cert.pem" \ |
87 | | - -days 1 -in "${CERTDIR}/server_csr.pem" -copy_extensions copy -ext "subjectAltName,keyUsage" \ |
88 | | - -extfile <(printf "subjectKeyIdentifier=none\n" |
89 | | - printf "${CERT_ALT_SUBJ}\n" |
90 | | - printf "basicConstraints=critical,CA:false\n" |
91 | | - printf "keyUsage=critical,keyEncipherment\n") || exit 1 |
92 | | - |
93 | | - # HAProxy PEM must be: server cert + server key (+ chain) |
94 | | - cat "${CERTDIR}/server_cert.pem" "${CERTDIR}/server_key.pem" "${CERTDIR}/ca_cert.pem" > "${CERTDIR}/haproxy_server.pem" |
95 | | - |
96 | | - # setting up SSL Termination mode for now |
97 | | - # haproxy modes: encoding from client to haproxy, to server from haproxy, both |
98 | | - # the first needs a non TLS connection to the server - use the HTTP_PORT, otherwise use the HTTPS_PORT |
99 | | - cat <<EOF > "${INSTALL_ROOT}/${SSL_LIB}/conf/haproxy.cfg" |
100 | | -defaults |
101 | | - timeout server 10s |
102 | | - timeout client 10s |
103 | | - timeout connect 10s |
104 | | -
|
105 | | -frontend test_no_ssl |
106 | | - mode http |
107 | | - bind :${HAPROXY_NOSSL_PORT} |
108 | | - default_backend http_test |
109 | | -
|
110 | | -frontend test_client2proxy |
111 | | - mode http |
112 | | - bind :${HAPROXY_C2P_PORT} ssl crt ${CERTDIR}/haproxy_server.pem ca-file ${CERTDIR}/ca_cert.pem verify required |
113 | | - default_backend http_test |
114 | | -
|
115 | | -frontend test_proxy2server |
116 | | - mode http |
117 | | - bind :${HAPROXY_P2S_PORT} |
118 | | - default_backend https_test |
119 | | -
|
120 | | -frontend test_client2server |
121 | | - mode http |
122 | | - bind :${HAPROXY_C2S_PORT} ssl crt ${CERTDIR}/haproxy_server.pem ca-file ${CERTDIR}/ca_cert.pem verify required |
123 | | - default_backend https_test |
124 | | -
|
125 | | -backend http_test |
126 | | - mode http |
127 | | - balance random |
128 | | - server s1 ${HOST}:${HTTP_PORT} |
129 | | -
|
130 | | -backend https_test |
131 | | - mode http |
132 | | - balance random |
133 | | - server s2 ${HOST}:${HTTPS_PORT} ssl verify required ca-file ${INSTALL_ROOT}/${SSL_LIB}/conf/server.crt |
| 138 | + cd ${WORKSPACE_ROOT} |
| 139 | +} |
| 140 | + |
| 141 | +# |
| 142 | +# function creates haproxy.conf which ishould be |
| 143 | +# identical to configuration used here [1]. |
| 144 | +# |
| 145 | +# The configuration file defines 4 proxy variants: |
| 146 | +# ssl-reause with rsa+dh certificate, |
| 147 | +# https client connects to port 7020 |
| 148 | +# |
| 149 | +# no-ssl-reuse, with rsa+dh certificate, |
| 150 | +# https client connects to port 7120 |
| 151 | +# |
| 152 | +# ssl-reuse with ecdsa-256 certificate, |
| 153 | +# https client connects to port 7220 |
| 154 | +# |
| 155 | +# no-ssl-reuse with ecdsa-256 certificate, |
| 156 | +# https client connects to port 7320 |
| 157 | +# |
| 158 | +# [1] https://www.haproxy.com/blog/state-of-ssl-stacks |
| 159 | +# search for 'daisy-chain' |
| 160 | +# |
| 161 | +function config_haproxy { |
| 162 | + typeset SSL_LIB=$1 |
| 163 | + typeset RSACERTKEY='' |
| 164 | + typeset ECCERTKEY='' |
| 165 | + typeset HAPROXY_CONF='etc/haproxy.conf' |
| 166 | + typeset BASEPORT='' |
| 167 | + typeset TOPPORT='' |
| 168 | + typeset PORT='' |
| 169 | + typeset SSL_REUSE='' |
| 170 | + typeset REUSE_LABEL='' |
| 171 | + |
| 172 | + if [[ -z "${SSL_LIB}" ]] ; then |
| 173 | + SSL_LIB='openssl-=master' |
| 174 | + fi |
| 175 | + |
| 176 | + mkdir -p ${INSTALL_ROOT}/${SSL_LIB}/etc || exit 1 |
| 177 | + HAPROXY_CONF=${INSTALL_ROOT}/${SSL_LIB}/${HAPROXY_CONF} |
| 178 | + RSACERTKEY=${INSTALL_ROOT}/${SSL_LIB}/etc/dh-rsa-2048.pem |
| 179 | + ECCERTKEY=${INSTALL_ROOT}/${SSL_LIB}/etc/ec-dsa-256.pem |
| 180 | + |
| 181 | +cat <<EOF > ${HAPROXY_CONF} |
| 182 | +global |
| 183 | + default-path config |
| 184 | + tune.listener.default-shards by-thread |
| 185 | + tune.idle-pool.shared off |
| 186 | + ssl-default-bind-options ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 |
| 187 | + ssl-server-verify none |
| 188 | +
|
134 | 189 | EOF |
| 190 | + |
| 191 | + for BASEPORT in ${PORT_RSA_REUSE} ${PORT_RSA} ${PORT_EC_REUSE} ${PORT_EC} ; do |
| 192 | + if [[ ${BASEPORT} -eq ${PORT_RSA_REUSE} || ${BASEPORT} -eq ${PORT_RSA} ]] ; then |
| 193 | + PROXYCERT=${RSACERTKEY} |
| 194 | + else |
| 195 | + PROXYCERT=${ECCERTKEY} |
| 196 | + fi |
| 197 | + if [[ ${BASEPORT} -eq ${PORT_RSA_REUSE} || ${BASEPORT} -eq ${PORT_EC_REUSE} ]] ; then |
| 198 | + SSL_REUSE='' |
| 199 | + REUSE_LABEL='ssl-reuse' |
| 200 | + else |
| 201 | + SSL_REUSE='no-ssl-reuse' |
| 202 | + REUSE_LABEL='no-ssl-reuse' |
| 203 | + fi |
| 204 | +cat <<EOF >> ${HAPROXY_CONF} |
| 205 | +defaults ${REUSE_LABEL} |
| 206 | + mode http |
| 207 | + http-reuse never |
| 208 | + default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 ${SSL_REUSE} |
| 209 | + option httpclose |
| 210 | + timeout client 10s |
| 211 | + timeout server 10s |
| 212 | + timeout connect 10s |
| 213 | +
|
| 214 | +frontend port${BASEPORT} |
| 215 | + bind :${BASEPORT} ssl crt ${PROXYCERT} |
| 216 | + http-request return status 200 content-type "text/plain" string "it works" |
| 217 | +
|
| 218 | +EOF |
| 219 | + BASEPORT=$(( ${BASEPORT} + 1)) |
| 220 | + TOPPORT=$(( ${BASEPORT} + ${PROXY_CHAIN} - 1 )) |
| 221 | +cat <<EOF >> ${HAPROXY_CONF} |
| 222 | +listen port${BASEPORT} |
| 223 | + bind :${BASEPORT} ssl crt ${PROXYCERT} |
| 224 | + stats uri /stats |
| 225 | + server next ${HOST}:$(( ${BASEPORT} - 1)) |
| 226 | +
|
| 227 | +EOF |
| 228 | + |
| 229 | + BASEPORT=$(( ${BASEPORT} + 1)) |
| 230 | + for PORT in $(seq ${BASEPORT} ${TOPPORT}) ; do |
| 231 | +cat <<EOF >> ${HAPROXY_CONF} |
| 232 | +listen port${PORT} |
| 233 | + bind :${PORT} ssl crt ${PROXYCERT} |
| 234 | + server next ${HOST}:$(( ${PORT} - 1)) |
| 235 | +
|
| 236 | +EOF |
| 237 | + done |
| 238 | + done |
| 239 | + gen_certkey ${RSACERTKEY} ${RSACERTKEY}.key |
| 240 | + gen_certkey_ec ${ECCERTKEY} ${ECCERTKEY}.key |
| 241 | + cd ${WORKSPACE_ROOT} || exit 1 |
| 242 | +} |
| 243 | + |
| 244 | +function setup_tests { |
| 245 | + typeset i=0 |
| 246 | + cd "${WORKSPACE_ROOT}" |
| 247 | + install_openssl master |
| 248 | + install_haproxy openssl-master |
| 249 | + install_httpterm openssl-master |
| 250 | + install_h1load openssl-master |
| 251 | + config_haproxy openssl-master |
| 252 | + clean_build |
| 253 | + |
| 254 | + for i in 3.0 3.1 3.2 3.3 3.4 3.5 3.6 ; do |
| 255 | + cd "${WORKSPACE_ROOT}" |
| 256 | + install_openssl openssl-$i ; |
| 257 | + install_haproxy openssl-$i |
| 258 | + install_httpterm openssl-$i |
| 259 | + install_h1load openssl-$i |
| 260 | + config_haproxy openssl-$i |
| 261 | + clean_build |
| 262 | + done |
| 263 | + |
| 264 | + cd "${WORKSPACE_ROOT}" |
| 265 | + install_openssl OpenSSL_1_1_1-stable |
| 266 | + install_haproxy OpenSSL_1_1_1-stable |
| 267 | + install_httpterm OpenSSL_1_1_1-stable |
| 268 | + install_h1load OpenSSL_1_1_1-stable |
| 269 | + config_haproxy OpenSSL_1_1_1-stable |
| 270 | + clean_build |
| 271 | + |
| 272 | + cd "${WORKSPACE_ROOT}" |
| 273 | + install_wolfssl 5.8.2 '--enable-haproxy --enable-quic' |
| 274 | + install_haproxy wolfssl-5.8.2 |
| 275 | + install_httpterm wolfssl-5.8.2 |
| 276 | + install_h1load wolfssl-5.8.2 |
| 277 | + config_haproxy wolfssl-5.8.2 |
| 278 | + clean_build |
| 279 | + |
| 280 | + cd "${WORKSPACE_ROOT}" |
| 281 | + install_libressl 4.1.0 |
| 282 | + install_haproxy libressl-4.1.0 |
| 283 | + install_httpterm libressl-4.1.0 |
| 284 | + install_h1load libressl-4.1.0 |
| 285 | + config_haproxy libressl-4.1.0 |
| 286 | + clean_build |
| 287 | + |
| 288 | + # |
| 289 | + # does not build with boring |
| 290 | + # |
| 291 | + #install_boringssl |
| 292 | + #install_haproxy boringssl |
| 293 | + #install_httpterm boringssl |
| 294 | + #install_h1load boringssl |
| 295 | + #config_haproxy boringssl |
| 296 | + #cd "${WORKSPACE_ROOT}" |
| 297 | + #clean_build |
| 298 | + |
| 299 | + cd "${WORKSPACE_ROOT}" |
| 300 | + install_aws_lc |
| 301 | + install_haproxy aws-lc |
| 302 | + install_httpterm aws-lc |
| 303 | + install_h1load aws-lc |
| 304 | + config_haproxy aws-lc |
| 305 | + clean_build aws-lc |
135 | 306 | } |
| 307 | + |
| 308 | +check_env |
| 309 | +setup_tests |