Creating an MD context could be HEAVY when using crypto devices. And then you set a key on it, which could also be a heavy operation.
Thus, you'll get severe performance degradation in the general case. See [openssl.org #2937] for references.

For some reasons (other than performance) I moved away from cleaning up the context every loop - I had an impression there was a crash at some point.

On 19 June 2014 17:59, Joel Fernandes <jo...@ti.com> wrote:

> When using OpenSSL SSL/TLS with cryptodev or OCF engines, it appears
> that some sessions are not closed. Since cryptodev (and I think OCF too)
> maintain a list of open sessions in the kernel, such lists keep growing
> to a point where the CPU usage goes up in the kernel finally making things
> unresponsive.
>
> This patch fixes the issue, however I'm not sure if it's the right
> approach or may be introducing another issue. It appears to fix the high
> CPU usage and everything works fine, however a customer is now reporting
> an error from the SSL library when used from a Java application. Please
> take a look at the patch and let me know if there's anything I'm doing
> wrong or if there's a better fix. This applies for OpenSSL version 1.0.1g.
>
> Here's the trace back from the Java application:
>
> 2014-06-18 13:43:24,147 ERROR [synchr] WebConnection - error in post attempt #1, dt=2080
> javax.net.ssl.SSLProtocolException: Read error: ssl=0x429afa88: Failure in SSL library, usually a protocol error
> at com.apogee.openssl.jsse.NativeCrypto.SSL_read(Native Method)
> at com.apogee.openssl.jsse.OpenSSLSocketImpl$SSLInputStream.
> read(OpenSSLSocketImpl.java:923) > at java.io.InputStream.read(InputStream.java:101) > at > com.att.dlc.xail.WebConnection.readResponse(WebConnection.java:3167) > at > com.att.dlc.xail.WebConnection.sendPost(WebConnection.java:3030) > at > com.att.dlc.xail.WebConnection.sendCommandsSync(WebConnection.java:2750) > at > com.att.dlc.xail.WebConnection.sendCommandsSync(WebConnection.java:2699) > at > com.att.dlc.xail.WebConnection.access$2200(WebConnection.java:117) > at > com.att.dlc.xail.WebConnection$ManagedObjectSynchronizer.update > (WebConnection.java:4519) > at > com.att.dlc.xail.WebConnection$ManagedObjectSynchronizer.run > (WebConnection.java:4496) > at java.lang.Thread.run(Thread.java:857) > > Cc: Dr. Stephen Henson <st...@openssl.org> > Cc: Ralf S. Engelschall <r...@openssl.org> > Cc: Andy Polyakov <ap...@openssl.org> > Signed-off-by: Joel Fernandes <jo...@ti.com> > --- > ssl/t1_enc.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c > index 809ad2e..2135f1b 100644 > --- a/ssl/t1_enc.c > +++ b/ssl/t1_enc.c > @@ -195,6 +195,8 @@ static int tls1_P_hash(const EVP_MD *md, const > unsigned char *sec, > > for (;;) > { > + EVP_MD_CTX_cleanup(&ctx); > + EVP_MD_CTX_cleanup(&ctx_tmp); > /* Reinit mac contexts */ > if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) > goto err; > -- > 1.7.9.5 > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org >
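Review bot: in the for (;;) loop of tls1_P_hash, the two added EVP_MD_CTX_cleanup() calls run unconditionally at the top of every iteration, directly ahead of the existing "Reinit mac contexts" EVP_DigestSignInit(&ctx, ...) call, so each pass discards and rebuilds the digest state and nothing in the added lines says why. With an engine-backed digest that means a session close and a session open per iteration, which is the cost the reply above is concerned about. Please add a comment explaining that the cleanup is there to release the engine session before the context is initialised again, and consider whether the release belongs in the re-initialisation path itself rather than in this one caller, so other callers that re-init a context do not leak in the same way. Since the commit message reports an SSL_read failure that appeared with this change, it is also worth confirming that the cleanup does not discard state in ctx or ctx_tmp that the rest of the loop body still depends on.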