kristoferssolo/tls-pq-bench
1
0
Fork 0
mirror of https://github.com/kristoferssolo/tls-pq-bench.git synced 2026-03-21 16:26:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kristoferssolo:99f2e0bb72276037beedb3a0854de9b7f27dea33
Branches Tags
kristoferssolo:main
...
compare: kristoferssolo:2cfe85ad824c7f029dbdbf32c2a8dd61d79b85ea
Branches Tags
kristoferssolo:main

5 Commits
99f2e0bb72 ... 2cfe85ad82

Author SHA1 Message Date
Kristofers Solo
2cfe85ad82 test(server): add http1 request and path parsing coverage 2026-02-27 13:44:24 +02:00
Kristofers Solo
4b2324d131 feat(server): implement http1 /bytes/{n} endpoint over TLS 2026-02-26 17:20:35 +02:00
Kristofers Solo
6198e3ab2e feat(common,server): add ProtocolMode and route server through protocol dispatch 2026-02-26 14:50:49 +02:00
Kristofers Solo
0ea39e7663 refactor(common): add prelude module 2026-02-26 14:20:47 +02:00
Kristofers Solo
8f0d2a6efc refactor(server): separate into smaller modules 2026-02-25 18:39:33 +02:00
23 changed files with 634 additions and 178 deletions
Expand all files Collapse all files

97
Cargo.lock generated
View File

@@ -115,6 +115,12 @@ dependencies = [
"syn",
]
[[package]]
name = "atomic-waker"
version = "1.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
[[package]]
name = "autocfg"
version = "1.5.0"
@@ -282,6 +288,7 @@ version = "0.1.0"
dependencies = [
"cargo-husky",
"claims",
"clap",
"miette",
"rcgen",
"rustls",
@@ -496,6 +503,86 @@ version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
[[package]]
name = "http"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
dependencies = [
"bytes",
"itoa",
]
[[package]]
name = "http-body"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
dependencies = [
"bytes",
"http",
]
[[package]]
name = "http-body-util"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
dependencies = [
"bytes",
"futures-core",
"http",
"http-body",
"pin-project-lite",
]
[[package]]
name = "httparse"
version = "1.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
[[package]]
name = "httpdate"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
[[package]]
name = "hyper"
version = "1.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
dependencies = [
"atomic-waker",
"bytes",
"futures-channel",
"futures-core",
"http",
"http-body",
"httparse",
"httpdate",
"itoa",
"pin-project-lite",
"pin-utils",
"smallvec",
"tokio",
]
[[package]]
name = "hyper-util"
version = "0.1.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0"
dependencies = [
"bytes",
"http",
"http-body",
"hyper",
"pin-project-lite",
"tokio",
]
[[package]]
name = "indexmap"
version = "2.13.0"
@@ -776,6 +863,12 @@ version = "0.2.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
[[package]]
name = "pin-utils"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
[[package]]
name = "powerfmt"
version = "0.2.0"
@@ -1012,9 +1105,13 @@ name = "server"
version = "0.1.0"
dependencies = [
"base64",
"bytes",
"claims",
"clap",
"common",
"http-body-util",
"hyper",
"hyper-util",
"miette",
"rustls",
"thiserror",

4
Cargo.toml
View File

@@ -13,8 +13,12 @@ common = { path = "common" }
aws-lc-rs = "1"
base64 = "0.22"
bytes = "1.11"
clap = { version = "4.5", features = ["derive"] }
futures = "0.3"
http-body-util = "0.1"
hyper = { version = "1.8", features = ["http1"] }
hyper-util = { version = "0.1", features = ["tokio"] }
miette = { version = "7", features = ["fancy"] }
rcgen = "0.14"
rustls = { version = "0.23", default-features = false, features = [

1
common/Cargo.toml
View File

@@ -5,6 +5,7 @@ authors.workspace = true
edition.workspace = true
[dependencies]
clap.workspace = true
miette.workspace = true
rcgen.workspace = true
rustls.workspace = true

5
common/src/cert.rs
View File

@@ -1,8 +1,3 @@
//! Self-signed certificate generation for local testing.
//!
//! Generates a CA certificate and server certificate for TLS benchmarking.
//! These certificates are NOT suitable for production use.
use rcgen::{BasicConstraints, CertificateParams, DnType, IsCa, Issuer, KeyPair, SanType};
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

2
common/src/error.rs
View File

@@ -1,7 +1,7 @@
use miette::Diagnostic;
use thiserror::Error;
/// Result type using the common's custom error type.
/// Result type using the `common`'s custom error type.
pub type Result<T> = std::result::Result<T, Error>;
#[derive(Debug, Error, Diagnostic)]

39
common/src/lib.rs
View File

@@ -1,25 +1,43 @@
//! Common types and utilities for the TLS benchmark harness
pub mod cert;
pub mod error;
pub mod prelude;
pub mod protocol;
use clap::ValueEnum;
pub use error::Error;
use serde::{Deserialize, Serialize};
use std::fmt;
use strum::{Display, EnumString};
use strum::Display;
/// TLS key exchange mode
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, EnumString, Display)]
/// TLS 1.3 key exchange mode used for benchmark runs
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Display, ValueEnum)]
#[strum(serialize_all = "lowercase")]
#[serde(rename_all = "lowercase")]
pub enum KeyExchangeMode {
/// Classical X25519 ECDH.
X25519,
#[value(name = "x25519mlkem768")]
/// Hybrid post-quantum: X25519 + ML-KEM-768.
X25519Mlkem768,
}
/// Application protocol carried over TLS in benchmark runs.
///
/// `Raw` is a minimal custom framing protocol (8-byte LE length request, then N payload bytes)
/// used for low-overhead microbenchmarks.
///
/// `Http1` is an HTTP/1.1 request/response mode (`GET /bytes/{n}`) used for realism-oriented
/// comparisons where HTTP parsing and headers are part of measured overhead.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Display, ValueEnum)]
#[strum(serialize_all = "lowercase")]
#[serde(rename_all = "lowercase")]
pub enum ProtocolMode {
/// Minimal custom framing protocol for primary microbenchmarks.
Raw,
/// HTTP/1.1 mode for realism-oriented comparisons.
Http1,
}
/// A single benchmark measurement record, output as NDJSON
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BenchRecord {
@@ -61,7 +79,6 @@ mod tests {
use super::*;
use claims::{assert_err, assert_ok};
use serde_json::Value;
use std::str::FromStr;
#[test]
fn bench_record_serializes_to_ndjson() {
@@ -101,18 +118,18 @@ mod tests {
#[test]
fn key_exchange_mode_from_str() {
let mode = assert_ok!(KeyExchangeMode::from_str("x25519"));
let mode = assert_ok!(KeyExchangeMode::from_str("x25519", true));
assert_eq!(mode, KeyExchangeMode::X25519);
let mode = assert_ok!(KeyExchangeMode::from_str("x25519mlkem768"));
let mode = assert_ok!(KeyExchangeMode::from_str("x25519mlkem768", true));
assert_eq!(mode, KeyExchangeMode::X25519Mlkem768);
}
#[test]
fn key_exchange_mode_parse_error() {
assert_err!(KeyExchangeMode::from_str("invalid"));
assert_err!(KeyExchangeMode::from_str("x25519invalid"));
assert_err!(KeyExchangeMode::from_str(""));
assert_err!(KeyExchangeMode::from_str("invalid", true));
assert_err!(KeyExchangeMode::from_str("x25519invalid", true));
assert_err!(KeyExchangeMode::from_str("", true));
}
#[test]

7
common/src/prelude.rs Normal file
View File

@@ -0,0 +1,7 @@
pub use crate::{
BenchRecord, KeyExchangeMode, ProtocolMode,
protocol::{
MAX_PAYLOAD_SIZE, generate_payload, read_payload, read_request, write_payload,
write_request,
},
};

9
common/src/protocol.rs
View File

@@ -1,11 +1,3 @@
//! Benchmark protocol implementation.
//!
//! Protocol specification:
//! 1. Client sends 8-byte little-endian u64: requested payload size N
//! 2. Server responds with exactly N bytes (deterministic pattern)
//!
//! The deterministic pattern is a repeating sequence of bytes 0x00..0xFF.
// Casts are intentional: MAX_PAYLOAD_SIZE (16 MiB) fits in usize on 64-bit,
// and byte patterns are explicitly masked to 0xFF before casting.
#![allow(clippy::cast_possible_truncation)]
@@ -50,6 +42,7 @@ pub async fn write_request<W: AsyncWriteExt + Unpin>(writer: &mut W, size: u64)
/// Generate deterministic payload of the given size.
///
/// The pattern is a repeating sequence: 0x00, 0x01, ..., 0xFF, 0x00, ...
#[inline]
#[must_use]
pub fn generate_payload(size: u64) -> Vec<u8> {
(0..size).map(|i| (i & 0xFF) as u8).collect()

4
justfile
View File

@@ -61,8 +61,8 @@ setup:
# Run server (default: x25519 on localhost:4433)
[group("run")]
server mode="x25519" listen="127.0.0.1:4433":
cargo run --release --bin server -- --mode {{mode}} --listen {{listen}}
server mode="x25519" proto="raw" listen="127.0.0.1:4433":
cargo run --release --bin server -- --mode {{mode}} --proto {{proto}} --listen {{listen}}
# Run benchmark runner
[group("run")]

18
runner/src/args.rs
View File

@@ -1,5 +1,5 @@
use clap::Parser;
use common::KeyExchangeMode;
use common::prelude::*;
use std::{net::SocketAddr, path::PathBuf};
/// TLS benchmark runner.
@@ -10,31 +10,31 @@ pub struct Args {
#[arg(long, default_value = "x25519")]
pub mode: KeyExchangeMode,
/// Server address to connect to.
/// Server address to connect to
#[arg(long, required_unless_present = "config")]
pub server: Option<SocketAddr>,
/// Payload size in bytes to request from server.
/// Payload size in bytes to request from server
#[arg(long, default_value = "1024")]
pub payload_bytes: u32,
/// Number of benchmark iterations (excluding warmup).
/// Number of benchmark iterations (excluding warmup)
#[arg(long, default_value = "100")]
pub iters: u32,
/// Number of warmup iterations (not recorded).
/// Number of warmup iterations (not recorded)
#[arg(long, default_value = "10")]
pub warmup: u32,
/// Number of concurrent connections.
/// Number of concurrent connections
#[arg(long, default_value = "1")]
pub concurrency: u32,
/// Output file for NDJSON records (stdout if not specified).
/// Output file for NDJSON records (stdout if not specified)
#[arg(long)]
pub out: Option<PathBuf>,
/// Config file for matrix benchmarks (TOML).
#[arg(long)]
/// Config file for matrix benchmarks (TOML)
#[arg(long, short)]
pub config: Option<PathBuf>,
}

5
runner/src/bench.rs
View File

@@ -1,7 +1,4 @@
use common::{
BenchRecord, KeyExchangeMode,
protocol::{read_payload, write_request},
};
use common::prelude::*;
use futures::{StreamExt, stream::FuturesUnordered};
use miette::{Context, IntoDiagnostic};
use rustls::pki_types::ServerName;

2
runner/src/config/mod.rs
View File

@@ -5,7 +5,7 @@ use crate::{
config::utils::validate_config,
error::{self, ConfigError},
};
use common::{self, KeyExchangeMode};
use common::prelude::*;
use miette::{NamedSource, SourceSpan};
use serde::Deserialize;
use std::{fs::read_to_string, net::SocketAddr, path::Path};

2
runner/src/error.rs
View File

@@ -5,7 +5,7 @@ use miette::{Diagnostic, NamedSource, SourceSpan};
use std::path::PathBuf;
use thiserror::Error;
/// Result type using the runner's custom error type.
/// Result type using the `runner`'s custom error type.
pub type Result<T> = std::result::Result<T, Error>;
/// Errors that can occur during benchmark execution.

13
runner/src/main.rs
View File

@@ -12,6 +12,12 @@ mod config;
mod error;
mod tls;
use crate::{
args::Args,
bench::run_benchmark,
config::{load_from_cli, load_from_file},
tls::build_tls_config,
};
use clap::Parser;
use miette::{Context, IntoDiagnostic};
use rustls::pki_types::ServerName;
@@ -21,13 +27,6 @@ use tracing::info;
use tracing_subscriber::EnvFilter;
use uuid::Uuid;
use crate::{
args::Args,
bench::run_benchmark,
config::{load_from_cli, load_from_file},
tls::build_tls_config,
};
#[tokio::main]
async fn main() -> miette::Result<()> {
let run_id = Uuid::new_v4();

2
runner/src/tls.rs
View File

@@ -1,4 +1,4 @@
use common::KeyExchangeMode;
use common::prelude::*;
use miette::{Context, IntoDiagnostic};
use rustls::{
ClientConfig, DigitallySignedStruct, SignatureScheme,

4
server/Cargo.toml
View File

@@ -6,8 +6,12 @@ edition.workspace = true
[dependencies]
base64.workspace = true
bytes.workspace = true
clap.workspace = true
common.workspace = true
http-body-util.workspace = true
hyper-util = { workspace = true, features = ["server"] }
hyper = { workspace = true, features = ["server"] }
miette.workspace = true
rustls.workspace = true
thiserror.workspace = true

2
server/src/error.rs
View File

@@ -1,7 +1,7 @@
use miette::Diagnostic;
use thiserror::Error;
/// Result type using the servers's custom error type.
/// Result type using the `servers`'s custom error type.
pub type Result<T> = std::result::Result<T, Error>;
#[derive(Debug, Error, Diagnostic)]

1
server/src/lib.rs
View File

@@ -1 +0,0 @@
pub mod error;

142
server/src/main.rs
View File

@@ -5,146 +5,34 @@
//! - Responds with exactly N bytes (deterministic pattern)
mod error;
mod server;
mod tls;
use crate::{server::run_server, tls::build_tls_config};
use base64::prelude::*;
use clap::Parser;
use common::{
KeyExchangeMode,
cert::{CaCertificate, ServerCertificate},
protocol::{read_request, write_payload},
};
use rustls::{
ServerConfig,
crypto::aws_lc_rs::{
self,
kx_group::{X25519, X25519MLKEM768},
},
pki_types::{CertificateDer, PrivateKeyDer},
server::Acceptor,
version::TLS13,
};
use std::{env, io::ErrorKind, net::SocketAddr, sync::Arc};
use tokio::{
io::AsyncWriteExt,
net::{TcpListener, TcpStream},
};
use tokio_rustls::LazyConfigAcceptor;
use tracing::{debug, error, info, warn};
use common::{cert::CaCertificate, prelude::*};
use std::{env, net::SocketAddr};
use tracing::{error, info};
use tracing_subscriber::EnvFilter;
/// TLS benchmark server.
#[derive(Debug, Parser)]
#[command(name = "server", version, about)]
struct Args {
/// Key exchange mode.
/// Key exchange mode
#[arg(long, default_value = "x25519")]
mode: KeyExchangeMode,
/// Address to listen on.
/// Protocol carrier
#[arg(long, default_value = "raw")]
proto: ProtocolMode,
/// Address to listen on
#[arg(long, default_value = "127.0.0.1:4433")]
listen: SocketAddr,
}
/// Build TLS server config for the given key exchange mode.
fn build_tls_config(
mode: KeyExchangeMode,
server_cert: &ServerCertificate,
) -> error::Result<Arc<ServerConfig>> {
let mut provider = aws_lc_rs::default_provider();
provider.kx_groups = match mode {
KeyExchangeMode::X25519 => vec![X25519],
KeyExchangeMode::X25519Mlkem768 => vec![X25519MLKEM768],
};
let certs = server_cert
.cert_chain_der
.iter()
.map(|der| CertificateDer::from(der.clone()))
.collect::<Vec<_>>();
let key = PrivateKeyDer::try_from(server_cert.private_key_der.clone())
.map_err(|e| error::Error::invalid_cert(format!("invalid private_key: {e}")))?;
let config = ServerConfig::builder_with_provider(Arc::new(provider))
.with_protocol_versions(&[&TLS13])
.map_err(common::Error::Tls)?
.with_no_client_auth()
.with_single_cert(certs, key)
.map_err(common::Error::Tls)?;
Ok(Arc::new(config))
}
async fn handle_connection(stream: TcpStream, peer: SocketAddr, tls_config: Arc<ServerConfig>) {
let acceptor = LazyConfigAcceptor::new(Acceptor::default(), stream);
let start_handshake = match acceptor.await {
Ok(sh) => sh,
Err(e) => {
return warn!(peer = %peer, error = %e, "TLS accept error");
}
};
let mut tls_stream = match start_handshake.into_stream(tls_config).await {
Ok(s) => s,
Err(e) => {
return warn!(peer = %peer, error = %e, "TLS handshake error");
}
};
let (_, conn) = tls_stream.get_ref();
info!(
cipher = ?conn.negotiated_cipher_suite(),
version = ?conn.protocol_version(),
"connection established"
);
loop {
let payload_size = match read_request(&mut tls_stream).await {
Ok(size) => size,
Err(e) if e.kind() == ErrorKind::UnexpectedEof => {
debug!(peer = %peer, "client disconnected");
break;
}
Err(e) => {
warn!(peer = %peer, error = %e, "connection error");
break;
}
};
if let Err(e) = write_payload(&mut tls_stream, payload_size).await {
warn!(peer = %peer, error = %e, "write error");
break;
}
// Flush to ensure data is sent
if let Err(e) = tls_stream.flush().await {
warn!(peer = %peer, error = %e, "flush error");
break;
}
}
}
async fn run_server(args: Args, tls_config: Arc<ServerConfig>) -> error::Result<()> {
let listener = TcpListener::bind(args.listen)
.await
.map_err(|e| error::Error::network(format!("failed to bind to {}: {e}", args.listen)))?;
info!(listen = %args.listen, mode = %args.mode, "listening");
loop {
let (stream, peer) = match listener.accept().await {
Ok(conn) => conn,
Err(e) => {
error!(error = %e, "accept error");
continue;
}
};
let config = tls_config.clone();
tokio::spawn(handle_connection(stream, peer, config));
}
}
#[tokio::main]
async fn main() -> miette::Result<()> {
tracing_subscriber::fmt()
@@ -161,6 +49,7 @@ async fn main() -> miette::Result<()> {
command = env::args().collect::<Vec<_>>().join(" "),
listen = %args.listen,
mode = %args.mode,
proto = %args.proto,
"server started"
);
@@ -181,19 +70,20 @@ async fn main() -> miette::Result<()> {
"CA cert (truncated)"
);
Ok(run_server(args, tls_config).await?)
Ok(run_server(&args, tls_config).await?)
}
#[cfg(test)]
mod tests {
use super::*;
use claims::assert_ok;
use common::cert::CaCertificate;
use std::sync::Arc;
#[test]
fn default_args() {
let args = Args::parse_from(["server"]);
assert_eq!(args.mode, KeyExchangeMode::X25519);
assert_eq!(args.proto, ProtocolMode::Raw);
assert_eq!(args.listen.to_string(), "127.0.0.1:4433");
}

307
server/src/server/http1.rs Normal file
View File

@@ -0,0 +1,307 @@
use bytes::Bytes;
use common::prelude::*;
use http_body_util::Full;
use hyper::{
Method, Request, Response, StatusCode,
header::{ALLOW, CONNECTION, CONTENT_LENGTH, CONTENT_TYPE, HeaderValue},
server::conn::http1::Builder,
service::service_fn,
};
use hyper_util::rt::TokioIo;
use rustls::{ServerConfig, server::Acceptor};
use std::{convert::Infallible, net::SocketAddr, sync::Arc};
use tokio::net::TcpStream;
use tokio_rustls::LazyConfigAcceptor;
use tracing::{info, warn};
type RespBody = Full<Bytes>;
pub async fn handle_http1_connection(
stream: TcpStream,
peer: SocketAddr,
tls_config: Arc<ServerConfig>,
) {
let acceptor = LazyConfigAcceptor::new(Acceptor::default(), stream);
let start_handshake = match acceptor.await {
Ok(sh) => sh,
Err(e) => {
return warn!(peer = %peer, error = %e, "TLS accept error");
}
};
let tls_stream = match start_handshake.into_stream(tls_config).await {
Ok(s) => s,
Err(e) => {
return warn!(peer = %peer, error = %e, "TLS handshake error");
}
};
let (_, conn) = tls_stream.get_ref();
info!(
cipher = ?conn.negotiated_cipher_suite(),
version = ?conn.protocol_version(),
"connection established"
);
let service = service_fn(move |req| async move { Ok::<_, Infallible>(handle_request(&req)) });
let io = TokioIo::new(tls_stream);
if let Err(e) = Builder::new()
.keep_alive(false)
.serve_connection(io, service)
.await
{
warn!(peer = %peer, error = %e, "http1 serve error");
}
}
fn handle_request<B>(req: &Request<B>) -> Response<RespBody> {
if req.method() != Method::GET {
let mut response = text_response(StatusCode::METHOD_NOT_ALLOWED, "method not allowed");
response
.headers_mut()
.insert(ALLOW, HeaderValue::from_static("GET"));
return response;
}
let n = match parse_bytes_path(req.uri().path()) {
Ok(n) => n,
Err(status) => {
let msg = match status {
StatusCode::NOT_FOUND => "not found",
StatusCode::PAYLOAD_TOO_LARGE => "payload too large",
_ => "bad request",
};
return text_response(status, msg);
}
};
let payload = generate_payload(n);
let mut response = Response::new(Full::new(Bytes::from(payload)));
*response.status_mut() = StatusCode::OK;
let headers = response.headers_mut();
headers.insert(
CONTENT_TYPE,
HeaderValue::from_static("application/octet-stream"),
);
headers.insert(CONNECTION, HeaderValue::from_static("close"));
#[allow(clippy::option_if_let_else)]
match HeaderValue::from_str(&n.to_string()) {
Ok(v) => {
headers.insert(CONTENT_LENGTH, v);
response
}
Err(_) => text_response(StatusCode::INTERNAL_SERVER_ERROR, "internal server error"),
}
}
fn parse_bytes_path(path: &str) -> Result<u64, StatusCode> {
let Some(rest) = path.strip_prefix("/bytes/") else {
return Err(StatusCode::NOT_FOUND);
};
if rest.is_empty() || rest.contains('/') {
return Err(StatusCode::BAD_REQUEST);
}
let n = rest.parse::<u64>().map_err(|_| StatusCode::BAD_REQUEST)?;
if n > MAX_PAYLOAD_SIZE {
return Err(StatusCode::PAYLOAD_TOO_LARGE);
}
Ok(n)
}
fn text_response(status: StatusCode, msg: &'static str) -> Response<RespBody> {
let mut response = Response::new(Full::new(Bytes::from_static(msg.as_bytes())));
*response.status_mut() = status;
response.headers_mut().insert(
CONTENT_TYPE,
HeaderValue::from_static("text/plain; charset=utf-8"),
);
response
.headers_mut()
.insert(CONNECTION, HeaderValue::from_static("close"));
response
}
#[cfg(test)]
mod tests {
use super::*;
use claims::{assert_err, assert_none, assert_ok, assert_some};
use http_body_util::BodyExt;
fn make_get_request(uri: &str) -> Request<()> {
assert_ok!(Request::builder().method(Method::GET).uri(uri).body(()))
}
#[test]
fn parse_bytes_path_accepts_valid_numeric_size() {
let min_n = assert_ok!(parse_bytes_path("/bytes/0"));
assert_eq!(min_n, 0);
let n = assert_ok!(parse_bytes_path("/bytes/1024"));
assert_eq!(n, 1024);
let max_n = assert_ok!(parse_bytes_path(&format!("/bytes/{MAX_PAYLOAD_SIZE}")));
assert_eq!(max_n, MAX_PAYLOAD_SIZE);
}
#[test]
fn parse_bytes_path_rejects_non_bytes_prefix() {
let status = assert_err!(parse_bytes_path("/foo/1024"));
assert_eq!(status, StatusCode::NOT_FOUND);
}
#[test]
fn parse_bytes_path_rejects_empty_size_segment() {
let status = assert_err!(parse_bytes_path("/bytes/"));
assert_eq!(status, StatusCode::BAD_REQUEST);
}
#[test]
fn parse_bytes_path_rejects_non_numeric_size() {
let status = assert_err!(parse_bytes_path("/bytes/foo"));
assert_eq!(status, StatusCode::BAD_REQUEST);
}
#[test]
fn parse_bytes_path_rejects_nested_segments() {
let status = assert_err!(parse_bytes_path("/bytes/16/extra"));
assert_eq!(status, StatusCode::BAD_REQUEST);
}
#[test]
fn parse_bytes_path_rejects_payload_above_max() {
let status = assert_err!(parse_bytes_path(&format!(
"/bytes/{}",
MAX_PAYLOAD_SIZE + 1
)));
assert_eq!(status, StatusCode::PAYLOAD_TOO_LARGE);
}
#[test]
fn handle_request_get_bytes_returns_200_with_expected_headers() {
let req = make_get_request("/bytes/16");
let resp = handle_request(&req);
assert_eq!(resp.status(), StatusCode::OK);
let content_type = assert_some!(resp.headers().get("content-type"));
assert_eq!(content_type, "application/octet-stream");
let content_length = assert_some!(resp.headers().get("content-length"));
assert_eq!(content_length, "16");
let connection = assert_some!(resp.headers().get("connection"));
assert_eq!(connection, "close");
assert_none!(resp.headers().get("allow"));
}
#[tokio::test]
async fn handle_request_get_bytes_returns_body_with_requested_length() {
let req = make_get_request("/bytes/32");
let resp = handle_request(&req);
assert_eq!(resp.status(), StatusCode::OK);
let content_length = assert_some!(resp.headers().get("content-length"));
assert_eq!(content_length, "32");
let body = assert_ok!(resp.into_body().collect().await).to_bytes();
assert_eq!(body.len(), 32);
assert_eq!(body[0], 0x00);
assert_eq!(body[1], 0x01);
assert_eq!(body[31], 0x1F);
}
#[test]
fn handle_request_get_unknown_path_returns_404() {
let req = make_get_request("/unknown");
let resp = handle_request(&req);
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
let content_type = assert_some!(resp.headers().get("content-type"));
assert_eq!(content_type, "text/plain; charset=utf-8");
let connection = assert_some!(resp.headers().get("connection"));
assert_eq!(connection, "close");
}
#[test]
fn handle_request_post_bytes_returns_405_and_allow_get() {
let req = Request::builder()
.method(Method::POST)
.uri("/bytes/32")
.body(())
.expect("post request");
let resp = handle_request(&req);
assert_eq!(resp.status(), StatusCode::METHOD_NOT_ALLOWED);
let allow = assert_some!(resp.headers().get("allow"));
assert_eq!(allow, "GET");
let connection = assert_some!(resp.headers().get("connection"));
assert_eq!(connection, "close");
}
#[test]
fn handle_request_get_bytes_without_size_segment_returns_404() {
let req = make_get_request("/bytes");
let resp = handle_request(&req);
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
assert_none!(resp.headers().get("content-length"));
let connection = assert_some!(resp.headers().get("connection"));
assert_eq!(connection, "close");
}
#[test]
fn handle_request_get_bytes_with_non_numeric_size_returns_400() {
let req = make_get_request("/bytes/foo");
let resp = handle_request(&req);
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
assert_none!(resp.headers().get("content-length"));
let connection = assert_some!(resp.headers().get("connection"));
assert_eq!(connection, "close");
}
#[test]
fn handle_request_get_bytes_with_nested_path_returns_400() {
let req = make_get_request("/bytes/16/extra");
let resp = handle_request(&req);
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
assert_none!(resp.headers().get("content-length"));
let connection = assert_some!(resp.headers().get("connection"));
assert_eq!(connection, "close");
}
#[test]
fn handle_request_get_bytes_exceeding_max_payload_returns_413() {
let req = make_get_request(&format!("/bytes/{}", MAX_PAYLOAD_SIZE + 1));
let resp = handle_request(&req);
assert_eq!(resp.status(), StatusCode::PAYLOAD_TOO_LARGE);
assert_none!(resp.headers().get("content-length"));
let connection = assert_some!(resp.headers().get("connection"));
assert_eq!(connection, "close");
}
}

45
server/src/server/mod.rs Normal file
View File

@@ -0,0 +1,45 @@
mod http1;
mod raw;
use crate::{
Args,
error::{Error as ServerError, Result as ServerResult},
server::{http1::handle_http1_connection, raw::handle_raw_connection},
};
use common::prelude::*;
use rustls::ServerConfig;
use std::sync::Arc;
use tokio::net::TcpListener;
use tracing::{error, info};
pub async fn run_server(args: &Args, tls_config: Arc<ServerConfig>) -> ServerResult<()> {
let listener = TcpListener::bind(args.listen)
.await
.map_err(|e| ServerError::network(format!("failed to bind to {}: {e}", args.listen)))?;
info!(
listen = %args.listen,
mode = %args.mode,
proto = %args.proto,
"listening"
);
loop {
let (stream, peer) = match listener.accept().await {
Ok(conn) => conn,
Err(e) => {
error!(error = %e, "accept error");
continue;
}
};
let config = tls_config.clone();
let proto = args.proto;
tokio::spawn(async move {
match proto {
ProtocolMode::Raw => handle_raw_connection(stream, peer, config).await,
ProtocolMode::Http1 => handle_http1_connection(stream, peer, config).await,
}
});
}
}

59
server/src/server/raw.rs Normal file
View File

@@ -0,0 +1,59 @@
use common::prelude::*;
use rustls::{ServerConfig, server::Acceptor};
use std::{io::ErrorKind, net::SocketAddr, sync::Arc};
use tokio::{io::AsyncWriteExt, net::TcpStream};
use tokio_rustls::LazyConfigAcceptor;
use tracing::{debug, info, warn};
pub async fn handle_raw_connection(
stream: TcpStream,
peer: SocketAddr,
tls_config: Arc<ServerConfig>,
) {
let acceptor = LazyConfigAcceptor::new(Acceptor::default(), stream);
let start_handshake = match acceptor.await {
Ok(sh) => sh,
Err(e) => {
return warn!(peer = %peer, error = %e, "TLS accept error");
}
};
let mut tls_stream = match start_handshake.into_stream(tls_config).await {
Ok(s) => s,
Err(e) => {
return warn!(peer = %peer, error = %e, "TLS handshake error");
}
};
let (_, conn) = tls_stream.get_ref();
info!(
cipher = ?conn.negotiated_cipher_suite(),
version = ?conn.protocol_version(),
"connection established"
);
loop {
let payload_size = match read_request(&mut tls_stream).await {
Ok(size) => size,
Err(e) if e.kind() == ErrorKind::UnexpectedEof => {
debug!(peer = %peer, "client disconnected");
break;
}
Err(e) => {
warn!(peer = %peer, error = %e, "connection error");
break;
}
};
if let Err(e) = write_payload(&mut tls_stream, payload_size).await {
warn!(peer = %peer, error = %e, "write error");
break;
}
// Flush to ensure data is sent
if let Err(e) = tls_stream.flush().await {
warn!(peer = %peer, error = %e, "flush error");
break;
}
}
}

42
server/src/tls.rs Normal file
View File

@@ -0,0 +1,42 @@
use crate::error;
use common::{cert::ServerCertificate, prelude::*};
use rustls::{
ServerConfig,
crypto::aws_lc_rs::{
self,
kx_group::{X25519, X25519MLKEM768},
},
pki_types::{CertificateDer, PrivateKeyDer},
version::TLS13,
};
use std::sync::Arc;
/// Build TLS server config for the given key exchange mode.
pub fn build_tls_config(
mode: KeyExchangeMode,
server_cert: &ServerCertificate,
) -> error::Result<Arc<ServerConfig>> {
let mut provider = aws_lc_rs::default_provider();
provider.kx_groups = match mode {
KeyExchangeMode::X25519 => vec![X25519],
KeyExchangeMode::X25519Mlkem768 => vec![X25519MLKEM768],
};
let certs = server_cert
.cert_chain_der
.iter()
.map(|der| CertificateDer::from(der.clone()))
.collect::<Vec<_>>();
let key = PrivateKeyDer::try_from(server_cert.private_key_der.clone())
.map_err(|e| error::Error::invalid_cert(format!("invalid private_key: {e}")))?;
let config = ServerConfig::builder_with_provider(Arc::new(provider))
.with_protocol_versions(&[&TLS13])
.map_err(common::Error::Tls)?
.with_no_client_auth()
.with_single_cert(certs, key)
.map_err(common::Error::Tls)?;
Ok(Arc::new(config))
}