On 09/07/2011 09:43 AM, Andy Polyakov wrote: >>> As for SHA. It was shown that there is a way to use SHA even on >>> pre-Nano, see >>> http://www.mail-archive.com/openssl-dev@openssl.org/msg21787.html. >>> Challenge is to make it multi-thread safe. It would take allocation of >>> dynamic lock and serializing access to "crash page" allocated at engine >>> load. >> >> No, there's more problem on using the "crash page" than benefit. >> I've had the "crash page" patch on production system, and couple >> of situation it broke things. > > If not much trouble could you elaborate? About the way it broke things > and under which circumstances? Even if we choose to discard the approach > it's valuable knowledge... A lot of thanks in advance.
Some apps (like VMs in e.g. Java) do also hook SIGSEGV for various reasons (or at leased used to). You need a lot of special attention to chain the signal handlers properly; and this was not done right in the patch. And you also need to check various other things to be correct in the signal; otherwise you might be trying to fix a real SIGSEGV in another thread. And this is pretty much unfixable if the application has multiple threads and one of the threads goes switch SIGSEGV handlers behind our backs. I believe the one major bug we had, ended up being a bug in kernel grsec patchset that caused some breakage in signal handlers. But it just seemed to be caused by the "crash page". >> There's also additional overhead in >> copying the data to the specifically crafted memory area, and it >> causes this kludge to be not as beneficial. > > But it's still several times faster than software and that's what counts. You will get additional penalty from: * hooking signal handler and restoring it (two syscalls) * handling of the page fault * copying data from user's buffer to the mmap():ed buffer While this will be still faster with large amounts of data, the hack is not general purpose. The speed-up is even greater if you teach your application to properly use the ONESHOT flag, and the finalizing form can used properly then. - Timo ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
