Re: [openssl.org #3530] Problems measuring openssl speed
Hello Matt, the improved patch is attached. It uses the EVP_DigestSign* API instead of EVP_digest and does not modify any header files. Thank you! On Wed, Sep 17, 2014 at 2:22 AM, Matt Caswell via RT r...@openssl.org wrote: On 16/09/14 19:31, Dmitry Belyavsky wrote: Hello! I've made a quick fix to solve this problem (attached). The main problem with this fix is to move locally-defined engine constants to the level of evp.h, so if you suggest a better solution, I am ready to implement it. Thank you! On Tue, Sep 16, 2014 at 9:29 PM, Dmitry Belyavsky via RT r...@openssl.org mailto:r...@openssl.org wrote: Hello Openssl Team! I use openssl 1.0.1i with some patches in the GOST engine. The command line is openssl speed -engine gost -evp gost-mac I get an error: 3074107544:error:80073074:lib(128):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:654: (the line number where the error occurs may differ from the current one from 1.0.1i). So gost-mac is treated as digest and the tests are using the EVP_Digest method. But the gost-mac differs from common digests because it usage requires a mac key to be set. What is the best way to fix it? Should I hardcode the gost-mac support in apps/speed.c to process it correctly or there is a better way? Thank you! speed does not currently support EVP style MACs of any description (i.e. it can't do an EVP HMAC or an EVP CMAC). The EVP way of doing MACs is described here: http://wiki.openssl.org/index.php/EVP_Signing_and_Verifying i.e. you use EVP_DigestSign*, and NOT EVP_Digest as in your patch. I don't know anything about the GOST engine, so I don't know whether it supports this style of operation or not. However if I were going to add support for this into speed then I would start by implementing support for EVP style HMAC/CMAC - and then extend it to GOST. I'm closing this ticket for now. Please reply and cc r...@openssl.org to reopen it if you come back with a different patch. Matt -- SY, Dmitry Belyavsky Index: apps/speed.c === --- apps/speed.c(revision 10555) +++ apps/speed.c(working copy) @@ -1985,17 +1985,44 @@ EVP_CIPHER_CTX_cleanup(ctx); } if (evp_md) - { + { names[D_EVP]=OBJ_nid2ln(evp_md-type); print_message(names[D_EVP],save_count, - lengths[j]); + lengths[j]); + if (evp_md-type == NID_id_Gost28147_89_MAC) + { + Time_F(START); + for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) + { + EVP_MD_CTX mac_ctx; + EVP_PKEY * mac_key; + size_t mac_key_size=32; + size_t siglen = sizeof(md); - Time_F(START); - for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) - EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL); + EVP_MD_CTX_init(mac_ctx); + EVP_MD_CTX_set_flags(mac_ctx,EVP_MD_CTX_FLAG_ONESHOT); - d=Time_F(STOP); + mac_key = EVP_PKEY_new_mac_key(evp_md-type, NULL, key32, mac_key_size); + + EVP_DigestSignInit(mac_ctx, NULL, evp_md, NULL, mac_key); + EVP_PKEY_free(mac_key); + + EVP_DigestSignUpdate(mac_ctx, buf, lengths[j]); + EVP_DigestSignFinal(mac_ctx, md, siglen); + EVP_MD_CTX_cleanup(mac_ctx); + } + + d=Time_F(STOP); } + else + { + Time_F(START); + for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) + EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL); + + d=Time_F(STOP); + } + } print_result(D_EVP,j,count,d);
Re: [openssl.org #3530] Problems measuring openssl speed
Hello Matt, the improved patch is attached. It uses the EVP_DigestSign* API instead of EVP_digest and does not modify any header files. Thank you! On Wed, Sep 17, 2014 at 2:22 AM, Matt Caswell via RT r...@openssl.org wrote: On 16/09/14 19:31, Dmitry Belyavsky wrote: Hello! I've made a quick fix to solve this problem (attached). The main problem with this fix is to move locally-defined engine constants to the level of evp.h, so if you suggest a better solution, I am ready to implement it. Thank you! On Tue, Sep 16, 2014 at 9:29 PM, Dmitry Belyavsky via RT r...@openssl.org mailto:r...@openssl.org wrote: Hello Openssl Team! I use openssl 1.0.1i with some patches in the GOST engine. The command line is openssl speed -engine gost -evp gost-mac I get an error: 3074107544:error:80073074:lib(128):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:654: (the line number where the error occurs may differ from the current one from 1.0.1i). So gost-mac is treated as digest and the tests are using the EVP_Digest method. But the gost-mac differs from common digests because it usage requires a mac key to be set. What is the best way to fix it? Should I hardcode the gost-mac support in apps/speed.c to process it correctly or there is a better way? Thank you! speed does not currently support EVP style MACs of any description (i.e. it can't do an EVP HMAC or an EVP CMAC). The EVP way of doing MACs is described here: http://wiki.openssl.org/index.php/EVP_Signing_and_Verifying i.e. you use EVP_DigestSign*, and NOT EVP_Digest as in your patch. I don't know anything about the GOST engine, so I don't know whether it supports this style of operation or not. However if I were going to add support for this into speed then I would start by implementing support for EVP style HMAC/CMAC - and then extend it to GOST. I'm closing this ticket for now. Please reply and cc r...@openssl.org to reopen it if you come back with a different patch. Matt -- SY, Dmitry Belyavsky Index: apps/speed.c === --- apps/speed.c(revision 10555) +++ apps/speed.c(working copy) @@ -1985,17 +1985,44 @@ EVP_CIPHER_CTX_cleanup(ctx); } if (evp_md) - { + { names[D_EVP]=OBJ_nid2ln(evp_md-type); print_message(names[D_EVP],save_count, - lengths[j]); + lengths[j]); + if (evp_md-type == NID_id_Gost28147_89_MAC) + { + Time_F(START); + for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) + { + EVP_MD_CTX mac_ctx; + EVP_PKEY * mac_key; + size_t mac_key_size=32; + size_t siglen = sizeof(md); - Time_F(START); - for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) - EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL); + EVP_MD_CTX_init(mac_ctx); + EVP_MD_CTX_set_flags(mac_ctx,EVP_MD_CTX_FLAG_ONESHOT); - d=Time_F(STOP); + mac_key = EVP_PKEY_new_mac_key(evp_md-type, NULL, key32, mac_key_size); + + EVP_DigestSignInit(mac_ctx, NULL, evp_md, NULL, mac_key); + EVP_PKEY_free(mac_key); + + EVP_DigestSignUpdate(mac_ctx, buf, lengths[j]); + EVP_DigestSignFinal(mac_ctx, md, siglen); + EVP_MD_CTX_cleanup(mac_ctx); + } + + d=Time_F(STOP); } + else + { + Time_F(START); + for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) + EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL); + + d=Time_F(STOP); + } + } print_result(D_EVP,j,count,d);
Re: [openssl.org #3530] Problems measuring openssl speed
Hello! I've made a quick fix to solve this problem (attached). The main problem with this fix is to move locally-defined engine constants to the level of evp.h, so if you suggest a better solution, I am ready to implement it. Thank you! On Tue, Sep 16, 2014 at 9:29 PM, Dmitry Belyavsky via RT r...@openssl.org wrote: Hello Openssl Team! I use openssl 1.0.1i with some patches in the GOST engine. The command line is openssl speed -engine gost -evp gost-mac I get an error: 3074107544:error:80073074:lib(128):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:654: (the line number where the error occurs may differ from the current one from 1.0.1i). So gost-mac is treated as digest and the tests are using the EVP_Digest method. But the gost-mac differs from common digests because it usage requires a mac key to be set. What is the best way to fix it? Should I hardcode the gost-mac support in apps/speed.c to process it correctly or there is a better way? Thank you! -- SY, Dmitry Belyavsky __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org -- SY, Dmitry Belyavsky Index: crypto/evp/evp.h === --- crypto/evp/evp.h(revision 10555) +++ crypto/evp/evp.h(working copy) @@ -227,6 +227,8 @@ /* Minimum Algorithm specific ctrl value */ #defineEVP_MD_CTRL_ALG_CTRL0x1000 +#define EVP_MD_CTRL_KEY_LEN (EVP_MD_CTRL_ALG_CTRL+3) +#define EVP_MD_CTRL_SET_KEY (EVP_MD_CTRL_ALG_CTRL+4) #define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0} Index: engines/ccgost/gost_lcl.h === --- engines/ccgost/gost_lcl.h (revision 10555) +++ engines/ccgost/gost_lcl.h (working copy) @@ -172,8 +172,8 @@ extern EVP_CIPHER cipher_gost; extern EVP_CIPHER cipher_gost_cpacnt; extern EVP_CIPHER cipher_gost_cpcnt_12; -#define EVP_MD_CTRL_KEY_LEN (EVP_MD_CTRL_ALG_CTRL+3) -#define EVP_MD_CTRL_SET_KEY (EVP_MD_CTRL_ALG_CTRL+4) +/*#define EVP_MD_CTRL_KEY_LEN (EVP_MD_CTRL_ALG_CTRL+3) +#define EVP_MD_CTRL_SET_KEY (EVP_MD_CTRL_ALG_CTRL+4)*/ /* EVP_PKEY_METHOD key encryption callbacks */ /* From gost94_keyx.c */ int pkey_GOST94cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, const unsigned char* key, size_t key_len ); Index: apps/speed.c === --- apps/speed.c(revision 10555) +++ apps/speed.c(working copy) @@ -1985,17 +1985,37 @@ EVP_CIPHER_CTX_cleanup(ctx); } if (evp_md) - { + { names[D_EVP]=OBJ_nid2ln(evp_md-type); print_message(names[D_EVP],save_count, - lengths[j]); + lengths[j]); + if (evp_md-type == NID_id_Gost28147_89_MAC) + { + Time_F(START); + for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) + { + EVP_MD_CTX ctx; - Time_F(START); - for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) - EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL); + EVP_MD_CTX_init(ctx); + EVP_MD_CTX_set_flags(ctx,EVP_MD_CTX_FLAG_ONESHOT); + EVP_DigestInit_ex(ctx, evp_md, NULL); + evp_md-md_ctrl(ctx, EVP_MD_CTRL_SET_KEY, 32, (void *)key32); + EVP_DigestUpdate(ctx, buf, lengths[j]); + EVP_DigestFinal_ex(ctx, md, NULL); + EVP_MD_CTX_cleanup(ctx); + } - d=Time_F(STOP); + d=Time_F(STOP); } + else + { + Time_F(START); + for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) + EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL); + +
RE: [openssl.org #3530] Problems measuring openssl speed
Thanks for working on this. I haven’t looked at the patch yet. Can we just put the constants in engine.h? -- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.memailto:rs...@jabber.me Twitter: RichSalz