On Tue, Mar 19, 2024 at 11:45 AM Randy MacLeod <randy.macl...@windriver.com> wrote: > > Hi Haitao, et al, > > > Summary: > > I think we could bring these two commits back to kirkstone even though > upstream openssl mtc > does not plan to do so, at least not without "very good reasons". > > but I have some comments and questions below that I'd like you to respond to > before sending a v2. > > ../Randy > > > > Typo in the subject: > [OE-core][kirkstone][PATCH] openssl: Improve FIPS RSA keygen performac > should be: > [OE-core][kirkstone][PATCH] openssl: Improve FIPS RSA keygen performance > > On 2024-03-18 2:55 a.m., jason.lau via lists.openembedded.org wrote: > > The ssh-keygen would take a long time to generate the entropy of a key > > It's best to be more specific. > > You mentioned in: > > https://github.com/openssl/openssl/issues/23766 > > that "ssh-keygen (built with openssl3.0) is taking 1-2s to execute whereas in > openssl3.1 it was hardly half a second" > > so you should mention that in the commit log. > > You should also include a link to the upstream issue you opened to explain > that: > > "Performance fixes are in general not eligible for backports to stable > release branches. > In specific cases an exception could be given by OTC but there would have > to be very good reasons for such an exception." > > I saw that comment last week and wondered if we should push harder for > upstream to backport these commits but > I understand your reluctance to do that when it might make sense to just > backport here in oe-core. > > Note that the commits are only part of 3.2.0+: > > ❯ git tag --contains dd1d7bcb69994d81662e709b0ad838880b943870 > openssl-3.2.0 > openssl-3.2.0-alpha1 > openssl-3.2.0-alpha2 > openssl-3.2.0-beta1 > openssl-3.2.1 > > ❯ git tag --contains d2f6e66d2837bff1f5f7636bb2118e3a45c9df61 > openssl-3.2.0 > openssl-3.2.0-alpha1 > openssl-3.2.0-alpha2 > openssl-3.2.0-beta1 > openssl-3.2.1 > > so they'd also have to be back-ported to nanbield technically: > > https://git.openembedded.org/openembedded-core/tree/meta/recipes-connectivity/openssl/openssl_3.1.4.bb?h=nanbield > > Steve, > Given that nanbield is a week or so away from EOL, is it worth doing that?
I'm going to close down changes to nanbield in the next day or so, so there probably isn't time to get such a change in. And I suspect that the kirkstone v2 patch won't make it through testing until after the nanbield final release is done, so I don't have an issue with taking it. Steve > > Note that the original commits were from Nov 2, 2022 so they've had some time > to ummm, bake but > the 3.2.0 release was 'only' on Nov 23, 2023: > https://www.openssl.org/source/old/3.2/index.html > so it's got 3 or 4 months of the public being able to test it. > > I've taken a look at the commits and haven't seen a problem with the backport. > > Haitao, > Did you have to adjust the patches at all? If so please explain what you did. > > Your tests show that openssl is faster, have you tested for correctness at > all? > Does it make sense to run: test/bntest.c ? Steve will likely run the ptests > of course. > > Do we need the oneline change: "Fix incorrect error branch in > ossl_bn_rsa_fips186_4_derive_prime()" > from: > openssl.git on master > ❯ git log --oneline crypto/bn/bn_rsa_fips186_4.c > da1c088f59 Copyright year updates > 835b90a19c Fix incorrect error branch in ossl_bn_rsa_fips186_4_derive_prime() > d2f6e66d28 Improve FIPS RSA keygen performance. > dd1d7bcb69 Improve FIPS RSA keygen performance. > > > Are there any other changes to the files touched by these commits that would > affect > the correctness or performance of the code introduced? > > ../Randy > > > > The following commits have fixed the issue. > https://github.com/openssl/openssl/commit/dd1d7bcb69994d81662e709b0ad838880b943870 > https://github.com/openssl/openssl/commit/d2f6e66d2837bff1f5f7636bb2118e3a45c9df61 > > Signed-off-by: Haitao Liu <haitao....@windriver.com> > --- > ...-Improve-FIPS-RSA-keygen-performance.patch | 271 ++++++++++++++++++ > ...-Improve-FIPS-RSA-keygen-performance.patch | 185 ++++++++++++ > .../openssl/openssl_3.0.13.bb | 2 + > 3 files changed, 458 insertions(+) > create mode 100644 > meta/recipes-connectivity/openssl/openssl/0001-Improve-FIPS-RSA-keygen-performance.patch > create mode 100644 > meta/recipes-connectivity/openssl/openssl/0002-Improve-FIPS-RSA-keygen-performance.patch > > diff --git > a/meta/recipes-connectivity/openssl/openssl/0001-Improve-FIPS-RSA-keygen-performance.patch > > b/meta/recipes-connectivity/openssl/openssl/0001-Improve-FIPS-RSA-keygen-performance.patch > new file mode 100644 > index 0000000000..aed0e1a5c1 > --- /dev/null > +++ > b/meta/recipes-connectivity/openssl/openssl/0001-Improve-FIPS-RSA-keygen-performance.patch > @@ -0,0 +1,271 @@ > +From a940dfa152707ba82f3efc2c147f6313c28f7662 Mon Sep 17 00:00:00 2001 > +From: slontis <shane.lon...@oracle.com> > +Date: Wed, 2 Nov 2022 12:01:34 +1000 > +Subject: [PATCH 1/2] Improve FIPS RSA keygen performance. > + > +FIPS 186-4 has 5 different algorithms for key generation, > +and all of them rely on testing GCD(a,n) == 1 many times. > + > +Cachegrind was showing that during a RSA keygen operation, > +the function BN_gcd() was taking a considerable percentage > +of the total cycles. > + > +The default provider uses multiprime keygen, which seemed to > +be much faster. This is because it uses BN_mod_inverse() > +instead. > + > +For a 4096 bit key, the entropy of a key that was taking a > +long time to generate was recorded and fed back into subsequent > +runs. Roughly 40% of the cycle time was BN_gcd() with most of the > +remainder in the prime testing. Changing to use the inverse > +resulted in the cycle count being 96% in the prime testing. > + > +Reviewed-by: Paul Dale <pa...@openssl.org> > +Reviewed-by: Tomas Mraz <to...@openssl.org> > +(Merged from https://github.com/openssl/openssl/pull/19578) > + > +(cherry picked from commit dd1d7bcb69994d81662e709b0ad838880b943870) > + > +Upstream-Status: Backport > [https://github.com/openssl/openssl/commit/dd1d7bcb69994d81662e709b0ad838880b943870] > + > +Signed-off-by: Haitao Liu <haitao....@windriver.com> > +--- > + crypto/bn/bn_gcd.c | 31 +++++++++++++++++++++++++++++++ > + crypto/bn/bn_rsa_fips186_4.c | 24 +++++++++++++++--------- > + doc/man3/BN_cmp.pod | 14 +++++++++++++- > + include/openssl/bn.h | 1 + > + test/bntest.c | 26 ++++++++++++++++++++++++-- > + util/libcrypto.num | 1 + > + 6 files changed, 85 insertions(+), 12 deletions(-) > + > +diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c > +index cd0b015..879a84b 100644 > +--- a/crypto/bn/bn_gcd.c > ++++ b/crypto/bn/bn_gcd.c > +@@ -534,6 +534,37 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, > + return rv; > + } > + > ++/* > ++ * The numbers a and b are coprime if the only positive integer that is a > ++ * divisor of both of them is 1. > ++ * i.e. gcd(a,b) = 1. > ++ * > ++ * Coprimes have the property: b has a multiplicative inverse modulo a > ++ * i.e there is some value x such that bx = 1 (mod a). > ++ * > ++ * Testing the modulo inverse is currently much faster than the constant > ++ * time version of BN_gcd(). > ++ */ > ++int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) > ++{ > ++ int ret = 0; > ++ BIGNUM *tmp; > ++ > ++ BN_CTX_start(ctx); > ++ tmp = BN_CTX_get(ctx); > ++ if (tmp == NULL) > ++ goto end; > ++ > ++ ERR_set_mark(); > ++ BN_set_flags(a, BN_FLG_CONSTTIME); > ++ ret = (BN_mod_inverse(tmp, a, b, ctx) != NULL); > ++ /* Clear any errors (an error is returned if there is no inverse) */ > ++ ERR_pop_to_mark(); > ++end: > ++ BN_CTX_end(ctx); > ++ return ret; > ++} > ++ > + /*- > + * This function is based on the constant-time GCD work by Bernstein and > Yang: > + * https://eprint.iacr.org/2019/266 > +diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c > +index 62d8685..55efaf2 100644 > +--- a/crypto/bn/bn_rsa_fips186_4.c > ++++ b/crypto/bn/bn_rsa_fips186_4.c > +@@ -286,14 +286,20 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, > BIGNUM *X, const BIGNUM *Xin, > + goto err; > + } > + > ++ /* > ++ * (Step 1) GCD(2r1, r2) = 1. > ++ * Note: This algorithm was doing a gcd(2r1, r2)=1 test before doing > an > ++ * mod_inverse(2r1, r2) which are effectively the same operation. > ++ * (The algorithm assumed that the gcd test would be faster). Since > the > ++ * mod_inverse is currently faster than calling the constant time > ++ * BN_gcd(), the call to BN_gcd() has been omitted. The inverse > result > ++ * is used further down. > ++ */ > + if (!(BN_lshift1(r1x2, r1) > +- /* (Step 1) GCD(2r1, r2) = 1 */ > +- && BN_gcd(tmp, r1x2, r2, ctx) > +- && BN_is_one(tmp) > ++ && (BN_mod_inverse(tmp, r1x2, r2, ctx) != NULL) > + /* (Step 2) R = ((r2^-1 mod 2r1) * r2) - ((2r1^-1 mod r2)*2r1) > */ > +- && BN_mod_inverse(R, r2, r1x2, ctx) > ++ && (BN_mod_inverse(R, r2, r1x2, ctx) != NULL) > + && BN_mul(R, R, r2, ctx) /* R = (r2^-1 mod 2r1) * r2 */ > +- && BN_mod_inverse(tmp, r1x2, r2, ctx) > + && BN_mul(tmp, tmp, r1x2, ctx) /* tmp = (2r1^-1 mod r2)*2r1 */ > + && BN_sub(R, R, tmp) > + /* Calculate 2r1r2 */ > +@@ -305,7 +311,8 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM > *X, const BIGNUM *Xin, > + > + /* > + * In FIPS 186-4 imax was set to 5 * nlen/2. > +- * Analysis by Allen Roginsky (See > https://csrc.nist.gov/CSRC/media/Publications/fips/186/4/final/documents/comments-received-fips186-4-december-2015.pdf > ++ * Analysis by Allen Roginsky > ++ * (See > https://csrc.nist.gov/CSRC/media/Publications/fips/186/4/final/documents/comments-received-fips186-4-december-2015.pdf > + * page 68) indicates this has a 1 in 2 million chance of failure. > + * The number has been updated to 20 * nlen/2 as used in > + * FIPS186-5 Appendix B.9 Step 9. > +@@ -337,10 +344,9 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, > BIGNUM *X, const BIGNUM *Xin, > + > + /* (Step 7) If GCD(Y-1) == 1 & Y is probably prime then return > Y */ > + if (BN_copy(y1, Y) == NULL > +- || !BN_sub_word(y1, 1) > +- || !BN_gcd(tmp, y1, e, ctx)) > ++ || !BN_sub_word(y1, 1)) > + goto err; > +- if (BN_is_one(tmp)) { > ++ if (BN_are_coprime(y1, e, ctx)) { > + int rv = BN_check_prime(Y, ctx, cb); > + > + if (rv > 0) > +diff --git a/doc/man3/BN_cmp.pod b/doc/man3/BN_cmp.pod > +index f302818..e9ddf8f 100644 > +--- a/doc/man3/BN_cmp.pod > ++++ b/doc/man3/BN_cmp.pod > +@@ -2,7 +2,8 @@ > + > + =head1 NAME > + > +-BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, > BN_is_odd - BIGNUM comparison and test functions > ++BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, > BN_is_odd, BN_are_coprime > ++- BIGNUM comparison and test functions > + > + =head1 SYNOPSIS > + > +@@ -17,6 +18,8 @@ BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, > BN_abs_is_word, BN_is_odd - > + int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w); > + int BN_is_odd(const BIGNUM *a); > + > ++ int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); > ++ > + =head1 DESCRIPTION > + > + BN_cmp() compares the numbers I<a> and I<b>. BN_ucmp() compares their > +@@ -26,6 +29,10 @@ BN_is_zero(), BN_is_one(), BN_is_word() and > BN_abs_is_word() test if > + I<a> equals 0, 1, I<w>, or E<verbar>I<w>E<verbar> respectively. > + BN_is_odd() tests if I<a> is odd. > + > ++BN_are_coprime() determines if B<a> and B<b> are coprime. > ++B<ctx> is used internally for storing temporary variables. > ++The values of B<a> and B<b> and B<ctx> must not be NULL. > ++ > + =head1 RETURN VALUES > + > + BN_cmp() returns -1 if I<a> E<lt> I<b>, 0 if I<a> == I<b> and 1 if > +@@ -35,11 +42,16 @@ of I<a> and I<b>. > + BN_is_zero(), BN_is_one() BN_is_word(), BN_abs_is_word() and > + BN_is_odd() return 1 if the condition is true, 0 otherwise. > + > ++BN_are_coprime() returns 1 if the B<BIGNUM>'s are coprime, otherwise it > ++returns 0. > ++ > + =head1 HISTORY > + > + Prior to OpenSSL 1.1.0, BN_is_zero(), BN_is_one(), BN_is_word(), > + BN_abs_is_word() and BN_is_odd() were macros. > + > ++The function BN_are_coprime() was added in OpenSSL 3.1. > ++ > + =head1 COPYRIGHT > + > + Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. > +diff --git a/include/openssl/bn.h b/include/openssl/bn.h > +index ecd7f01..73895a5 100644 > +--- a/include/openssl/bn.h > ++++ b/include/openssl/bn.h > +@@ -344,6 +344,7 @@ int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, > BN_CTX *ctx); > + int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); /* returns > + * -2 for > + * error */ > ++int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); > + BIGNUM *BN_mod_inverse(BIGNUM *ret, > + const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); > + BIGNUM *BN_mod_sqrt(BIGNUM *ret, > +diff --git a/test/bntest.c b/test/bntest.c > +index c5894c1..eec6222 100644 > +--- a/test/bntest.c > ++++ b/test/bntest.c > +@@ -38,6 +38,7 @@ typedef struct mpitest_st { > + > + static const int NUM0 = 100; /* number of tests */ > + static const int NUM1 = 50; /* additional tests for some > functions */ > ++static const int NUM_PRIME_TESTS = 20; > + static BN_CTX *ctx; > + > + /* > +@@ -2573,6 +2574,25 @@ static int test_ctx_consttime_flag(void) > + return st; > + } > + > ++static int test_coprime(void) > ++{ > ++ BIGNUM *a = NULL, *b = NULL; > ++ int ret = 0; > ++ > ++ ret = TEST_ptr(a = BN_new()) > ++ && TEST_ptr(b = BN_new()) > ++ && TEST_true(BN_set_word(a, 66)) > ++ && TEST_true(BN_set_word(b, 99)) > ++ && TEST_int_eq(BN_are_coprime(a, b, ctx), 0) > ++ && TEST_int_eq(BN_are_coprime(b, a, ctx), 0) > ++ && TEST_true(BN_set_word(a, 67)) > ++ && TEST_int_eq(BN_are_coprime(a, b, ctx), 1) > ++ && TEST_int_eq(BN_are_coprime(b, a, ctx), 1); > ++ BN_free(a); > ++ BN_free(b); > ++ return ret; > ++} > ++ > + static int test_gcd_prime(void) > + { > + BIGNUM *a = NULL, *b = NULL, *gcd = NULL; > +@@ -2585,11 +2605,12 @@ static int test_gcd_prime(void) > + > + if (!TEST_true(BN_generate_prime_ex(a, 1024, 0, NULL, NULL, NULL))) > + goto err; > +- for (i = 0; i < NUM0; i++) { > ++ for (i = 0; i < NUM_PRIME_TESTS; i++) { > + if (!TEST_true(BN_generate_prime_ex(b, 1024, 0, > + NULL, NULL, NULL)) > + || !TEST_true(BN_gcd(gcd, a, b, ctx)) > +- || !TEST_true(BN_is_one(gcd))) > ++ || !TEST_true(BN_is_one(gcd)) > ++ || !TEST_true(BN_are_coprime(a, b, ctx))) > + goto err; > + } > + > +@@ -3066,6 +3087,7 @@ int setup_tests(void) > + ADD_ALL_TESTS(test_is_prime, (int)OSSL_NELEM(primes)); > + ADD_ALL_TESTS(test_not_prime, (int)OSSL_NELEM(not_primes)); > + ADD_TEST(test_gcd_prime); > ++ ADD_TEST(test_coprime); > + ADD_ALL_TESTS(test_mod_exp, (int)OSSL_NELEM(ModExpTests)); > + ADD_ALL_TESTS(test_mod_exp_consttime, (int)OSSL_NELEM(ModExpTests)); > + ADD_TEST(test_mod_exp2_mont); > +diff --git a/util/libcrypto.num b/util/libcrypto.num > +index 0f6f30b..a1d1ed9 100644 > +--- a/util/libcrypto.num > ++++ b/util/libcrypto.num > +@@ -5429,3 +5429,4 @@ OPENSSL_strcasecmp 5556 3_0_3 > EXIST::FUNCTION: > + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: > + OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP > + OSSL_CMP_MSG_update_recipNonce 5559 3_0_9 EXIST::FUNCTION:CMP > ++BN_are_coprime 5560 3_0_0 EXIST::FUNCTION: > +-- > +2.25.1 > + > diff --git > a/meta/recipes-connectivity/openssl/openssl/0002-Improve-FIPS-RSA-keygen-performance.patch > > b/meta/recipes-connectivity/openssl/openssl/0002-Improve-FIPS-RSA-keygen-performance.patch > new file mode 100644 > index 0000000000..1a6b601f65 > --- /dev/null > +++ > b/meta/recipes-connectivity/openssl/openssl/0002-Improve-FIPS-RSA-keygen-performance.patch > @@ -0,0 +1,185 @@ > +From dfb8e0e716a1fd060eb13402d85cc46c8f64f929 Mon Sep 17 00:00:00 2001 > +From: slontis <shane.lon...@oracle.com> > +Date: Wed, 2 Nov 2022 13:20:55 +1000 > +Subject: [PATCH 2/2] Improve FIPS RSA keygen performance. > + > +Reduce the Miller Rabin counts to the values specified by FIPS 186-5. > +The old code was using a fixed value of 64. > + > +Reviewed-by: Paul Dale <pa...@openssl.org> > +Reviewed-by: Tomas Mraz <to...@openssl.org> > +(Merged from https://github.com/openssl/openssl/pull/19579) > + > +(cherry picked from commit d2f6e66d2837bff1f5f7636bb2118e3a45c9df61) > + > +Upstream-Status: Backport > [https://github.com/openssl/openssl/commit/d2f6e66d2837bff1f5f7636bb2118e3a45c9df61] > + > +Signed-off-by: Haitao Liu <haitao....@windriver.com> > +--- > + crypto/bn/bn_prime.c | 11 ++++++++ > + crypto/bn/bn_rsa_fips186_4.c | 49 ++++++++++++++++++++++++++++++------ > + include/crypto/bn.h | 2 ++ > + 3 files changed, 54 insertions(+), 8 deletions(-) > + > +diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c > +index ddd31a0..79776f1 100644 > +--- a/crypto/bn/bn_prime.c > ++++ b/crypto/bn/bn_prime.c > +@@ -252,6 +252,17 @@ int ossl_bn_check_prime(const BIGNUM *w, int checks, > BN_CTX *ctx, > + return bn_is_prime_int(w, checks, ctx, do_trial_division, cb); > + } > + > ++/* > ++ * Use this only for key generation. > ++ * It always uses trial division. The number of checks > ++ * (MR rounds) passed in is used without being clamped to a minimum value. > ++ */ > ++int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, > ++ BN_GENCB *cb) > ++{ > ++ return bn_is_prime_int(w, checks, ctx, 1, cb); > ++} > ++ > + int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb) > + { > + return ossl_bn_check_prime(p, 0, ctx, 1, cb); > +diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c > +index 55efaf2..c3466df 100644 > +--- a/crypto/bn/bn_rsa_fips186_4.c > ++++ b/crypto/bn/bn_rsa_fips186_4.c > +@@ -48,6 +48,34 @@ const BIGNUM ossl_bn_inv_sqrt_2 = { > + BN_FLG_STATIC_DATA > + }; > + > ++/* > ++ * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin > ++ * required for generation of RSA aux primes (p1, p2, q1 and q2). > ++ */ > ++static int bn_rsa_fips186_5_aux_prime_MR_rounds(int nbits) > ++{ > ++ if (nbits >= 4096) > ++ return 44; > ++ if (nbits >= 3072) > ++ return 41; > ++ if (nbits >= 2048) > ++ return 38; > ++ return 0; /* Error */ > ++} > ++ > ++/* > ++ * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin > ++ * required for generation of RSA primes (p and q) > ++ */ > ++static int bn_rsa_fips186_5_prime_MR_rounds(int nbits) > ++{ > ++ if (nbits >= 3072) > ++ return 4; > ++ if (nbits >= 2048) > ++ return 5; > ++ return 0; /* Error */ > ++} > ++ > + /* > + * FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2". > + * (FIPS 186-5 has an entry for >= 4096 bits). > +@@ -97,11 +125,13 @@ static int > bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits) > + * Xp1 The passed in starting point to find a probably prime. > + * p1 The returned probable prime (first odd integer >= Xp1) > + * ctx A BN_CTX object. > ++ * rounds The number of Miller Rabin rounds > + * cb An optional BIGNUM callback. > + * Returns: 1 on success otherwise it returns 0. > + */ > + static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, > + BIGNUM *p1, BN_CTX *ctx, > ++ int rounds, > + BN_GENCB *cb) > + { > + int ret = 0; > +@@ -117,7 +147,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const > BIGNUM *Xp1, > + i++; > + BN_GENCB_call(cb, 0, i); > + /* MR test with trial division */ > +- tmp = BN_check_prime(p1, ctx, cb); > ++ tmp = ossl_bn_check_generated_prime(p1, rounds, ctx, cb); > + if (tmp > 0) > + break; > + if (tmp < 0) > +@@ -160,7 +190,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, > BIGNUM *Xpout, > + { > + int ret = 0; > + BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL; > +- int bitlen; > ++ int bitlen, rounds; > + > + if (p == NULL || Xpout == NULL) > + return 0; > +@@ -177,6 +207,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, > BIGNUM *Xpout, > + bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen); > + if (bitlen == 0) > + goto err; > ++ rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen); > + > + /* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */ > + if (Xp1 == NULL) { > +@@ -194,8 +225,8 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, > BIGNUM *Xpout, > + } > + > + /* (Steps 4.2/5.2) - find first auxiliary probable primes */ > +- if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb) > +- || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb)) > ++ if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb) > ++ || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, > rounds, cb)) > + goto err; > + /* (Table B.1) auxiliary prime Max length check */ > + if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >= > +@@ -243,11 +274,11 @@ err: > + */ > + int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM > *Xin, > + const BIGNUM *r1, const BIGNUM *r2, > +- int nlen, const BIGNUM *e, BN_CTX > *ctx, > +- BN_GENCB *cb) > ++ int nlen, const BIGNUM *e, > ++ BN_CTX *ctx, BN_GENCB *cb) > + { > + int ret = 0; > +- int i, imax; > ++ int i, imax, rounds; > + int bits = nlen >> 1; > + BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2; > + BIGNUM *base, *range; > +@@ -317,6 +348,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM > *X, const BIGNUM *Xin, > + * The number has been updated to 20 * nlen/2 as used in > + * FIPS186-5 Appendix B.9 Step 9. > + */ > ++ rounds = bn_rsa_fips186_5_prime_MR_rounds(nlen); > + imax = 20 * bits; /* max = 20/2 * nbits */ > + for (;;) { > + if (Xin == NULL) { > +@@ -346,8 +378,9 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM > *X, const BIGNUM *Xin, > + if (BN_copy(y1, Y) == NULL > + || !BN_sub_word(y1, 1)) > + goto err; > ++ > + if (BN_are_coprime(y1, e, ctx)) { > +- int rv = BN_check_prime(Y, ctx, cb); > ++ int rv = ossl_bn_check_generated_prime(Y, rounds, ctx, cb); > + > + if (rv > 0) > + goto end; > +diff --git a/include/crypto/bn.h b/include/crypto/bn.h > +index fd1c09d..00544d9 100644 > +--- a/include/crypto/bn.h > ++++ b/include/crypto/bn.h > +@@ -95,6 +95,8 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM > *m, > + > + int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX > *ctx, > + BN_GENCB *cb, int enhanced, int *status); > ++int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, > ++ BN_GENCB *cb); > + > + const BIGNUM *ossl_bn_get0_small_factors(void); > + > +-- > +2.25.1 > + > diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb > b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb > index 5e43fdc2de..5b09493ccd 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb > @@ -12,6 +12,8 @@ SRC_URI = > "http://www.openssl.org/source/openssl-${PV}.tar.gz \ > > file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ > file://afalg.patch \ > file://0001-Configure-do-not-tweak-mips-cflags.patch \ > + file://0001-Improve-FIPS-RSA-keygen-performance.patch \ > + file://0002-Improve-FIPS-RSA-keygen-performance.patch \ > " > > SRC_URI:append:class-nativesdk = " \ > > > > > > -- > # Randy MacLeod > # Wind River Linux
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#197345): https://lists.openembedded.org/g/openembedded-core/message/197345 Mute This Topic: https://lists.openembedded.org/mt/104998278/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
