Re: [CVS] OpenSSL: OpenSSL_1_0_2-stable: openssl/ CHANGES openssl/apps/ s_...

2012-12-26 Thread Ben Laurie
Why go via SSL_CTX_ctrl and SSL_ctrl? In fact, why do those exist at all?

On Wed, Dec 26, 2012 at 2:25 PM, Dr. Stephen Henson st...@openssl.org wrote:
   OpenSSL CVS Repository
   http://cvs.openssl.org/
   

   Server: cvs.openssl.org  Name:   Dr. Stephen Henson
   Root:   /v/openssl/cvs   Email:  st...@openssl.org
   Module: openssl  Date:   26-Dec-2012 15:25:40
   Branch: OpenSSL_1_0_2-stable Handle: 2012122614252009

   Modified files:   (Branch: OpenSSL_1_0_2-stable)
 openssl CHANGES
 openssl/apps s_client.c s_server.c
 openssl/ssl s3_lib.c s3_srvr.c ssl.h ssl_cert.c ssl_locl.h
 t1_lib.c tls1.h

   Log:
 Add support for application defined signature algorithms for use with
 TLS v1.2. These are sent as an extension for clients and during a certificate
 request for servers.

 TODO: add support for shared signature algorithms, respect shared algorithms
 when deciding which ciphersuites and certificates to permit.
 (backport from HEAD)

   Summary:
 Revision                  Changes    Path
 1.1481.2.56.2.86.2.38     +5   -0    openssl/CHANGES
 1.123.2.6.2.15.2.8        +12  -0    openssl/apps/s_client.c
 1.136.2.15.2.18.2.11      +21  -0    openssl/apps/s_server.c
 1.126.2.4.2.17.2.12       +12  -0    openssl/ssl/s3_lib.c
 1.171.2.21.2.24.2.14      +1   -1    openssl/ssl/s3_srvr.c
 1.221.2.24.2.29.2.15      +11  -0    openssl/ssl/ssl.h
 1.68.2.3.2.1.2.11         +20  -5    openssl/ssl/ssl_cert.c
 1.100.2.10.2.17.2.16      +16  -4    openssl/ssl/ssl_locl.h
 1.64.2.14.2.32.2.17       +147 -18   openssl/ssl/t1_lib.c
 1.40.2.3.2.14.2.3         +8   -0    openssl/ssl/tls1.h
   

   patch -p0 '@@ .'
   Index: openssl/CHANGES
   
   $ cvs diff -u -r1.1481.2.56.2.86.2.37 -r1.1481.2.56.2.86.2.38 CHANGES
   --- openssl/CHANGES   26 Dec 2012 14:18:48 -  1.1481.2.56.2.86.2.37
   +++ openssl/CHANGES   26 Dec 2012 14:25:20 -  1.1481.2.56.2.86.2.38
   @@ -4,6 +4,11 @@

 Changes between 1.0.1 and 1.0.2 [xx XXX ]

   +  *) Add new functions to allow customised supported signature algorithms
   + for SSL and SSL_CTX structures. Add options to s_client and s_server
   + to support them.
   + [Steve Henson]
   +
  *) New function SSL_certs_clear() to delete all references to 
 certificates
 from an SSL structure. Before this once a certificate had been added
 it couldn't be removed.
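
Review bot: The new CHANGES entry refers to "new functions" and "options" without naming any of them, unlike the entry below it, which names SSL_certs_clear(). Name the functions (the s_client.c change calls SSL_CTX_set1_sigalgs_list) and the -sigalgs option so that someone reading CHANGES can find them.
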
   @@ .
   patch -p0 '@@ .'
   Index: openssl/apps/s_client.c
   
   $ cvs diff -u -r1.123.2.6.2.15.2.7 -r1.123.2.6.2.15.2.8 s_client.c
   --- openssl/apps/s_client.c   20 Nov 2012 00:28:22 -  
 1.123.2.6.2.15.2.7
   +++ openssl/apps/s_client.c   26 Dec 2012 14:25:21 -  
 1.123.2.6.2.15.2.8
   @@ -605,6 +605,7 @@
#ifndef OPENSSL_NO_TLSEXT
 char *servername = NULL;
 char *curves=NULL;
   + char *sigalgs=NULL;
tlsextctx tlsextcbp =
{NULL,0};
# ifndef OPENSSL_NO_NEXTPROTONEG
   @@ -948,6 +949,11 @@
 if (--argc  1) goto bad;
 curves= *(++argv);
 }
   + else if (strcmp(*argv,-sigalgs) == 0)
   + {
   + if (--argc  1) goto bad;
   + sigalgs= *(++argv);
   + }
#endif
#ifndef OPENSSL_NO_JPAKE
 else if (strcmp(*argv,-jpake) == 0)
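
Review bot: The -sigalgs option parsed in this hunk has no matching usage text. The summary lists +12 -0 for s_client.c and the three hunks shown account for all twelve added lines, so nothing tells the user that the option exists or what list format it expects. Add a usage line for -sigalgs alongside the parsing code.
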
   @@ -1192,6 +1198,12 @@
 ERR_print_errors(bio_err);
 goto end;
 }
   + if (sigalgs != NULL)
   + if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) {
   + BIO_printf(bio_err,error setting signature algorithms 
 list\n);
   + ERR_print_errors(bio_err);
   + goto end;
   + }
 if (servername != NULL)
 {
 tlsextcbp.biodebug = bio_err;
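
Review bot: The outer "if (sigalgs != NULL)" has no braces around the inner "if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) {" block, while the "if (servername != NULL)" that follows is braced; an else added here later would bind to the inner test. Either combine the two conditions with && in a single if, or brace the outer statement to match the surrounding code.
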
   @@ .
   patch -p0 '@@ .'
   Index: openssl/apps/s_server.c
   
   $ cvs diff -u -r1.136.2.15.2.18.2.10 -r1.136.2.15.2.18.2.11 s_server.c
   --- openssl/apps/s_server.c   20 Nov 2012 00:28:22 -  
 1.136.2.15.2.18.2.10
   +++ openssl/apps/s_server.c   26 Dec 2012 14:25:21 -  
 1.136.2.15.2.18.2.11
   @@ -271,6 +271,7 @@
#ifndef OPENSSL_NO_TLSEXT
static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
static char *curves=NULL;
   +static char *sigalgs=NULL;
#endif
static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
#ifdef FIONBIO
   @@ -1193,6 +1194,11 @@
   

[openssl.org #2948] thousands of getpid called inside libcrypto.sl.0.9.8

2012-12-26 Thread Ge, Meiling via RT
Hi Openssl team,
I have a performance issue with openssl_fips.
My application uses openssl_fips version 0.9.8.
Recently, I found that the fips lib makes my application slow.
When my application initializes the fips setting, it introduces 7000+ getpid() calls.
And this will cost 5 seconds.

Is this a real issue?
Looking forward to your reply.
Thanks.


The call trace is as follows:
Breakpoint 1, 0x7af3a278 in getpid+0 () from /usr/lib/libc.2
#0  0x7af3a278 in getpid+0 () from /usr/lib/libc.2
#1  0x7a41c454 in CRYPTO_thread_id+0x24 () from libcrypto.sl.0.9.8
#2  0x7a40bbd8 in FIPS_mode_set+0xf0 () from libcrypto.sl.0.9.8
#3  0x2695f8 in main+0x168 ()

Breakpoint 1, 0x7af3a278 in getpid+0 () from /usr/lib/libc.2
#0  0x7af3a278 in getpid+0 () from /usr/lib/libc.2
#1  0x7a41c454 in CRYPTO_thread_id+0x24 () from libcrypto.sl.0.9.8
#2  0x7a40b3b0 in FIPS_mode+0x70 () from libcrypto.sl.0.9.8
#3  0x7a4445a4 in HMAC_Init_ex+0x224 () from libcrypto.sl.0.9.8
#4  0x7a44471c in HMAC_Init+0x6c () from libcrypto.sl.0.9.8
#5  0x7a40b890 in FIPS_incore_fingerprint+0x98 () from libcrypto.sl.0.9.8
#6  0x7a40b9b8 in FIPS_check_incore_fingerprint+0x30 () from  libcrypto.sl.0.9.8
#7  0x7a40bd08 in FIPS_mode_set+0x220 () from libcrypto.sl.0.9.8
#8  0x2695f8 in main+0x168 ()

Breakpoint 1, 0x7af3a278 in getpid+0 () from /usr/lib/libc.2
#0  0x7af3a278 in getpid+0 () from /usr/lib/libc.2
#1  0x7a41c454 in CRYPTO_thread_id+0x24 () from libcrypto.sl.0.9.8
#2  0x7a40b5ec in FIPS_selftest_failed+0x6c () from libcrypto.sl.0.9.8
#3  0x7a420764 in EVP_DigestInit_ex+0x34 () from libcrypto.sl.0.9.8
#4  0x7aa4 in HMAC_Init_ex+0x124 () from /libcrypto.sl.0.9.8
#5  0x7a44471c in HMAC_Init+0x6c () from libcrypto.sl.0.9.8
#6  0x7a40b890 in FIPS_incore_fingerprint+0x98 () from  libcrypto.sl.0.9.8
#7  0x7a40b9b8 in FIPS_check_incore_fingerprint+0x30 () from libcrypto.sl.0.9.8
#8  0x7a40bd08 in FIPS_mode_set+0x220 () from libcrypto.sl.0.9.8
#9  0x2695f8 in main+0x168 ()



Best Regards,
-Meiling


Re: [openssl.org #2948] thousands of getpid called inside libcrypto.sl.0.9.8

2012-12-26 Thread Thor Lancelot Simon
On Wed, Dec 26, 2012 at 09:07:58PM +0100, Ge, Meiling via RT wrote:
 Hi Openssl team,
 I have a performance issue with openssl_fips.
 My application uses openssl_fips version 0.9.8.
 Recently, I found that the fips lib makes my application slow.
 When my application initializes the fips setting, it introduces 7000+ getpid() calls.
 And this will cost 5 seconds.
 
 Is this a real issue?

Yes, the cost of the getpid() calls made by OpenSSL is real, and users
often patch them away.  If these calls come from code within the FIPS
canister, you may not be able to easily do so except by linking to or
preloading another library that reimplements fork() and getpid(), so
that the PID is cached in a global variable.  There's just no reason
why getpid() should require a trap into the kernel...

Thor
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #2948] thousands of getpid called inside libcrypto.sl.0.9.8

2012-12-26 Thread Stephen Henson via RT
 [meiling...@emc.com - Wed Dec 26 21:07:57 2012]:
 
 Hi Openssl team,
 I have a performance issue with openssl_fips.
 My application uses openssl_fips version 0.9.8.
 Recently, I found that the fips lib makes my application slow.
 When my application initializes the fips setting, it introduces 7000+
 getpid() calls.
 And this will cost 5 seconds.
 
 Is this a real issue?
 Looking forward to your reply.
 Thanks.
 
 
 The call trace is as follows:
 Breakpoint 1, 0x7af3a278 in getpid+0 () from /usr/lib/libc.2
 #0  0x7af3a278 in getpid+0 () from /usr/lib/libc.2
 #1  0x7a41c454 in CRYPTO_thread_id+0x24 () from libcrypto.sl.0.9.8
 #2  0x7a40bbd8 in FIPS_mode_set+0xf0 () from libcrypto.sl.0.9.8
 #3  0x2695f8 in main+0x168 ()
 

These all go through a user settable callback which defaults to getpid()
on most platforms. You can supply a more efficient equivalent in an
application.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

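
The two replies above both come down to caching the PID, either behind preloaded fork()/getpid() replacements or through the user-settable id callback (registered in OpenSSL 0.9.8 with CRYPTO_set_id_callback()). The C code below is an added example, not code from the thread or from OpenSSL: it caches the PID for such a callback and refreshes it in forked children with pthread_atfork(), so a child never reports its parent's id. The names cached_pid, cached_id_cb, install_cached_id and child_sees_own_pid are hypothetical, and a single-threaded application is assumed (a threaded one needs a per-thread id instead).

```c
/* Added example: cached replacement for a getpid()-based id callback.
 * All function and variable names here are hypothetical. */
#include <pthread.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile unsigned long cached_pid;

/* Runs in the child after fork(): the cached value is still the
 * parent's, so replace it before anything asks for the id again. */
static void refresh_in_child(void)
{
    cached_pid = (unsigned long)getpid();
}

/* Same signature as the OpenSSL 0.9.8 id callback,
 * unsigned long (*)(void); no system call on the hot path. */
unsigned long cached_id_cb(void)
{
    return cached_pid;
}

/* Call once at start-up, before FIPS_mode_set(). Returns 0 on success. */
int install_cached_id(void)
{
    cached_pid = (unsigned long)getpid();
    if (pthread_atfork(NULL, NULL, refresh_in_child) != 0)
        return -1;
    /* With the OpenSSL 0.9.8 headers available, register it here:
     *     CRYPTO_set_id_callback(cached_id_cb);
     */
    return 0;
}

/* Self-check: returns 1 if a forked child sees its own PID through
 * the callback rather than the parent's cached value. */
int child_sees_own_pid(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(cached_id_cb() == (unsigned long)getpid() ? 0 : 1);
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```
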