Add SNI support to redbean and improve SSL perf

This change makes SSL virtual hosting possible. You can now load multiple certificates for multiple domains and redbean will just figure out which one to use, even if you only have 1 ip address. You can also use a jumbo certificate that lists all your domains in the the subject alternative names. This change also makes performance improvements to MbedTLS. Here are some benchmarks vs. cc1920749e BEFORE AFTER (microsecs) suite_ssl.com 2512881 191738 13.11x faster suite_pkparse.com 36291 3295 11.01x faster suite_x509parse.com 854669 120293 7.10x faster suite_pkwrite.com 6549 1265 5.18x faster suite_ecdsa.com 53347 18778 2.84x faster suite_pk.com 49051 18717 2.62x faster suite_ecdh.com 19535 9502 2.06x faster suite_shax.com 15848 7965 1.99x faster suite_rsa.com 353257 184828 1.91x faster suite_x509write.com 162646 85733 1.90x faster suite_ecp.com 20503 11050 1.86x faster suite_hmac_drbg.no_reseed.com 19528 11417 1.71x faster suite_hmac_drbg.nopr.com 12460 8010 1.56x faster suite_mpi.com 687124 442661 1.55x faster suite_hmac_drbg.pr.com 11890 7752 1.53x faster There aren't any special tricks to the performance imporvements. It's mostly due to code cleanup, assembly and intel instructions like mulx, adox, and adcx.
2025-05-28 00:02:28 +00:00 · 2021-07-19 14:55:20 -07:00 · 2021-07-19 14:55:20 -07:00 · 398f0c16fb
commit 398f0c16fb
parent f3e28aa192
190 changed files with 14367 additions and 8928 deletions
--- a/third_party/mbedtls/bignum.h
+++ b/third_party/mbedtls/bignum.h
@ -1,7 +1,9 @@
 #ifndef MBEDTLS_BIGNUM_H_
 #define MBEDTLS_BIGNUM_H_
 #include "libc/stdio/stdio.h"
+#include "third_party/mbedtls/bignum_internal.h"
 #include "third_party/mbedtls/config.h"
+#include "third_party/mbedtls/platform.h"
 COSMOPOLITAN_C_START_
 /* clang-format off */

@ -16,7 +18,7 @@ COSMOPOLITAN_C_START_
 #define MBEDTLS_MPI_CHK(f)       \
    do                           \
    {                            \
-        if( ( ret = (f) ) != 0 ) \
+        if( ( ret = (f) ) )      \
            goto cleanup;        \
    } while( 0 )

@ -81,11 +83,11 @@ typedef uint64_t mbedtls_mpi_uint;
 */
 typedef struct mbedtls_mpi
 {
-    int s;              /*!<  Sign: -1 if the mpi is negative, 1 otherwise */
-    size_t n;           /*!<  total # of limbs  */
+    int s;                        /*!<  Sign: -1 if the mpi is negative, 1 otherwise */
+    unsigned n;                   /*!<  total # of limbs  */
    mbedtls_mpi_uint *p;          /*!<  pointer to limbs  */
 }
-mbedtls_mpi;
+mbedtls_mpi forcealign(16);

 /**
 * \brief Flags for mbedtls_mpi_gen_prime()
@ -98,53 +100,92 @@ typedef enum {
    MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR = 0x0002, /**< lower error rate from 2<sup>-80</sup> to 2<sup>-128</sup> */
 } mbedtls_mpi_gen_prime_flag_t;

-void mbedtls_mpi_init( mbedtls_mpi * );
-void mbedtls_mpi_free( mbedtls_mpi * );
-int mbedtls_mpi_grow( mbedtls_mpi *, size_t );
-int mbedtls_mpi_shrink( mbedtls_mpi *, size_t );
-int mbedtls_mpi_copy( mbedtls_mpi *, const mbedtls_mpi * );
-void mbedtls_mpi_swap( mbedtls_mpi *, mbedtls_mpi * );
-int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *, const mbedtls_mpi *, unsigned char );
-int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *, mbedtls_mpi *, unsigned char );
-int mbedtls_mpi_lset( mbedtls_mpi *, mbedtls_mpi_sint );
-int mbedtls_mpi_get_bit( const mbedtls_mpi *, size_t );
-int mbedtls_mpi_set_bit( mbedtls_mpi *, size_t, unsigned char );
-size_t mbedtls_mpi_lsb( const mbedtls_mpi * );
-size_t mbedtls_mpi_bitlen( const mbedtls_mpi * );
-size_t mbedtls_mpi_size( const mbedtls_mpi * );
-int mbedtls_mpi_read_string( mbedtls_mpi *, int, const char * );
-int mbedtls_mpi_write_string( const mbedtls_mpi *, int, char *, size_t, size_t * );
-int mbedtls_mpi_read_file( mbedtls_mpi *, int, FILE * );
-int mbedtls_mpi_write_file( const char *, const mbedtls_mpi *, int, FILE * );
-int mbedtls_mpi_read_binary( mbedtls_mpi *, const unsigned char *, size_t );
-int mbedtls_mpi_read_binary_le( mbedtls_mpi *, const unsigned char *, size_t );
-int mbedtls_mpi_write_binary( const mbedtls_mpi *, unsigned char *, size_t );
-int mbedtls_mpi_write_binary_le( const mbedtls_mpi *, unsigned char *, size_t );
-int mbedtls_mpi_shift_l( mbedtls_mpi *, size_t );
-int mbedtls_mpi_shift_r( mbedtls_mpi *, size_t );
-int mbedtls_mpi_cmp_abs( const mbedtls_mpi *, const mbedtls_mpi * );
-int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *, const mbedtls_mpi * );
-int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *, const mbedtls_mpi *, unsigned * );
-int mbedtls_mpi_cmp_int( const mbedtls_mpi *, mbedtls_mpi_sint );
 int mbedtls_mpi_add_abs( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
-int mbedtls_mpi_sub_abs( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
-int mbedtls_mpi_add_mpi( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
-int mbedtls_mpi_sub_mpi( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
 int mbedtls_mpi_add_int( mbedtls_mpi *, const mbedtls_mpi *, mbedtls_mpi_sint );
-int mbedtls_mpi_sub_int( mbedtls_mpi *, const mbedtls_mpi *, mbedtls_mpi_sint );
-int mbedtls_mpi_mul_mpi( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
-int mbedtls_mpi_mul_int( mbedtls_mpi *, const mbedtls_mpi *, mbedtls_mpi_uint );
-int mbedtls_mpi_div_mpi( mbedtls_mpi *, mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
+int mbedtls_mpi_add_mpi( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
+int mbedtls_mpi_cmp_abs( const mbedtls_mpi *, const mbedtls_mpi * );
+int mbedtls_mpi_cmp_int( const mbedtls_mpi *, mbedtls_mpi_sint );
+int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *, const mbedtls_mpi * );
+int mbedtls_mpi_copy( mbedtls_mpi *, const mbedtls_mpi * );
 int mbedtls_mpi_div_int( mbedtls_mpi *, mbedtls_mpi *, const mbedtls_mpi *, mbedtls_mpi_sint );
-int mbedtls_mpi_mod_mpi( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
-int mbedtls_mpi_mod_int( mbedtls_mpi_uint *, const mbedtls_mpi *, mbedtls_mpi_sint );
+int mbedtls_mpi_div_mpi( mbedtls_mpi *, mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
 int mbedtls_mpi_exp_mod( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi *, mbedtls_mpi * );
 int mbedtls_mpi_fill_random( mbedtls_mpi *, size_t, int (*)(void *, unsigned char *, size_t), void * );
 int mbedtls_mpi_gcd( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
+int mbedtls_mpi_gen_prime( mbedtls_mpi *, size_t, int, int (*)(void *, unsigned char *, size_t), void * );
+int mbedtls_mpi_get_bit( const mbedtls_mpi *, size_t );
+int mbedtls_mpi_grow( mbedtls_mpi *, size_t );
 int mbedtls_mpi_inv_mod( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
 int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *, int, int (*)(void *, unsigned char *, size_t), void * );
-int mbedtls_mpi_gen_prime( mbedtls_mpi *, size_t, int, int (*)(void *, unsigned char *, size_t), void * );
+int mbedtls_mpi_lset( mbedtls_mpi *, mbedtls_mpi_sint );
+int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *, const mbedtls_mpi *, unsigned * );
+int mbedtls_mpi_mod_int( mbedtls_mpi_uint *, const mbedtls_mpi *, mbedtls_mpi_sint );
+int mbedtls_mpi_mod_mpi( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
+int mbedtls_mpi_mul_int( mbedtls_mpi *, const mbedtls_mpi *, mbedtls_mpi_uint );
+int mbedtls_mpi_mul_mpi( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
+int mbedtls_mpi_read_binary( mbedtls_mpi *, const unsigned char *, size_t );
+int mbedtls_mpi_read_binary_le( mbedtls_mpi *, const unsigned char *, size_t );
+int mbedtls_mpi_read_file( mbedtls_mpi *, int, FILE * );
+int mbedtls_mpi_read_string( mbedtls_mpi *, int, const char * );
+int mbedtls_mpi_resize( mbedtls_mpi *, size_t );
+int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *, const mbedtls_mpi *, unsigned char );
+int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *, mbedtls_mpi *, unsigned char );
 int mbedtls_mpi_self_test( int );
+int mbedtls_mpi_set_bit( mbedtls_mpi *, size_t, unsigned char );
+int mbedtls_mpi_shift_l( mbedtls_mpi *, size_t );
+int mbedtls_mpi_shift_r( mbedtls_mpi *, size_t );
+int mbedtls_mpi_shrink( mbedtls_mpi *, size_t );
+int mbedtls_mpi_sub_abs( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
+int mbedtls_mpi_sub_int( mbedtls_mpi *, const mbedtls_mpi *, mbedtls_mpi_sint );
+int mbedtls_mpi_sub_mpi( mbedtls_mpi *, const mbedtls_mpi *, const mbedtls_mpi * );
+int mbedtls_mpi_write_binary( const mbedtls_mpi *, unsigned char *, size_t );
+int mbedtls_mpi_write_binary_le( const mbedtls_mpi *, unsigned char *, size_t );
+int mbedtls_mpi_write_file( const char *, const mbedtls_mpi *, int, FILE * );
+int mbedtls_mpi_write_string( const mbedtls_mpi *, int, char *, size_t, size_t * );
+size_t mbedtls_mpi_bitlen( const mbedtls_mpi * );
+size_t mbedtls_mpi_lsb( const mbedtls_mpi * );
+size_t mbedtls_mpi_size( const mbedtls_mpi * );
+void mbedtls_mpi_free( mbedtls_mpi * );
+void mbedtls_mpi_swap( mbedtls_mpi *, mbedtls_mpi * );
+
+/**
+ * \brief           Initialize an MPI context.
+ *
+ *                  This makes the MPI ready to be set or freed,
+ *                  but does not define a value for the MPI.
+ *
+ * \param X         The MPI context to initialize. This must not be \c NULL.
+ */
+forceinline void mbedtls_mpi_init(mbedtls_mpi *X)
+{
+    MBEDTLS_INTERNAL_VALIDATE(X);
+    typedef int mbedtls_mpi_lol
+            __attribute__((__vector_size__(16), __aligned__(16)));
+    *(mbedtls_mpi_lol *)X = (mbedtls_mpi_lol){1};
+}
+
+forceinline size_t mbedtls_mpi_limbs(const mbedtls_mpi *X) {
+  size_t i;
+  for (i = X->n; i; i--) {
+    if (X->p[i - 1]) {
+      break;
+    }
+  }
+  return i;
+}
+
+static inline bool mbedtls_mpi_is_zero(const mbedtls_mpi *X)
+{
+    if (X->n && *X->p) return false;
+    if (!mbedtls_mpi_limbs(X)) return true;
+    return false;
+}
+
+static inline bool mbedtls_mpi_is_one(const mbedtls_mpi *X)
+{
+    if (!X->n || *X->p != 1 || X->s != 1) return false;
+    return mbedtls_mpi_limbs(X) == 1;
+}

 COSMOPOLITAN_C_END_
 #endif /* MBEDTLS_BIGNUM_H_ */