Re: [openssl.org #3530] Problems measuring openssl speed
Hello Matt,
the improved patch is attached. It uses the EVP_DigestSign* API instead of
EVP_digest and does not modify any header files.
Thank you!
On Wed, Sep 17, 2014 at 2:22 AM, Matt Caswell via RT r...@openssl.org wrote:
On 16/09/14 19:31, Dmitry Belyavsky wrote: Hello!
I've made a quick fix to solve this problem (attached). The main problem
with this fix is to move locally-defined engine constants to the level
of evp.h, so if you suggest a better solution, I am ready to implement
it.
Thank you!
On Tue, Sep 16, 2014 at 9:29 PM, Dmitry Belyavsky via RT r...@openssl.org
mailto:r...@openssl.org wrote:
Hello Openssl Team!
I use openssl 1.0.1i with some patches in the GOST engine.
The command line is
openssl speed -engine gost -evp gost-mac
I get an error:
3074107544:error:80073074:lib(128):GOST_IMIT_UPDATE:mac key not
set:gost_crypt.c:654:
(the line number where the error occurs may differ from the current one
from 1.0.1i).
So gost-mac is treated as digest and the tests are using the EVP_Digest
method. But the gost-mac differs from common digests because it usage
requires a mac key to be set.
What is the best way to fix it? Should I hardcode the gost-mac
support in
apps/speed.c to process it correctly or there is a better way?
Thank you!
speed does not currently support EVP style MACs of any description (i.e. it
can't do an EVP HMAC or an EVP CMAC).
The EVP way of doing MACs is described here:
http://wiki.openssl.org/index.php/EVP_Signing_and_Verifying
i.e. you use EVP_DigestSign*, and NOT EVP_Digest as in your patch.
I don't know anything about the GOST engine, so I don't know whether it
supports this style of operation or not. However if I were going to add
support
for this into speed then I would start by implementing support for EVP
style
HMAC/CMAC - and then extend it to GOST.
I'm closing this ticket for now. Please reply and cc r...@openssl.org to
reopen
it if you come back with a different patch.
Matt
--
SY, Dmitry Belyavsky
Index: apps/speed.c
===
--- apps/speed.c(revision 10555)
+++ apps/speed.c(working copy)
@@ -1985,17 +1985,44 @@
EVP_CIPHER_CTX_cleanup(ctx);
}
if (evp_md)
- {
+ {
names[D_EVP]=OBJ_nid2ln(evp_md-type);
print_message(names[D_EVP],save_count,
- lengths[j]);
+ lengths[j]);
+ if (evp_md-type == NID_id_Gost28147_89_MAC)
+ {
+ Time_F(START);
+ for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
+ {
+ EVP_MD_CTX mac_ctx;
+ EVP_PKEY * mac_key;
+ size_t mac_key_size=32;
+ size_t siglen = sizeof(md);
- Time_F(START);
- for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
-
EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL);
+ EVP_MD_CTX_init(mac_ctx);
+
EVP_MD_CTX_set_flags(mac_ctx,EVP_MD_CTX_FLAG_ONESHOT);
- d=Time_F(STOP);
+ mac_key =
EVP_PKEY_new_mac_key(evp_md-type, NULL, key32, mac_key_size);
+
+ EVP_DigestSignInit(mac_ctx,
NULL, evp_md, NULL, mac_key);
+ EVP_PKEY_free(mac_key);
+
+ EVP_DigestSignUpdate(mac_ctx,
buf, lengths[j]);
+ EVP_DigestSignFinal(mac_ctx,
md, siglen);
+ EVP_MD_CTX_cleanup(mac_ctx);
+ }
+
+ d=Time_F(STOP);
}
+ else
+ {
+ Time_F(START);
+ for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
+
EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL);
+
+ d=Time_F(STOP);
+ }
+ }
print_result(D_EVP,j,count,d);
Re: [openssl.org #3530] Problems measuring openssl speed
Hello Matt,
the improved patch is attached. It uses the EVP_DigestSign* API instead of
EVP_digest and does not modify any header files.
Thank you!
On Wed, Sep 17, 2014 at 2:22 AM, Matt Caswell via RT r...@openssl.org wrote:
On 16/09/14 19:31, Dmitry Belyavsky wrote: Hello!
I've made a quick fix to solve this problem (attached). The main problem
with this fix is to move locally-defined engine constants to the level
of evp.h, so if you suggest a better solution, I am ready to implement
it.
Thank you!
On Tue, Sep 16, 2014 at 9:29 PM, Dmitry Belyavsky via RT r...@openssl.org
mailto:r...@openssl.org wrote:
Hello Openssl Team!
I use openssl 1.0.1i with some patches in the GOST engine.
The command line is
openssl speed -engine gost -evp gost-mac
I get an error:
3074107544:error:80073074:lib(128):GOST_IMIT_UPDATE:mac key not
set:gost_crypt.c:654:
(the line number where the error occurs may differ from the current one
from 1.0.1i).
So gost-mac is treated as digest and the tests are using the EVP_Digest
method. But the gost-mac differs from common digests because it usage
requires a mac key to be set.
What is the best way to fix it? Should I hardcode the gost-mac
support in
apps/speed.c to process it correctly or there is a better way?
Thank you!
speed does not currently support EVP style MACs of any description (i.e. it
can't do an EVP HMAC or an EVP CMAC).
The EVP way of doing MACs is described here:
http://wiki.openssl.org/index.php/EVP_Signing_and_Verifying
i.e. you use EVP_DigestSign*, and NOT EVP_Digest as in your patch.
I don't know anything about the GOST engine, so I don't know whether it
supports this style of operation or not. However if I were going to add
support
for this into speed then I would start by implementing support for EVP
style
HMAC/CMAC - and then extend it to GOST.
I'm closing this ticket for now. Please reply and cc r...@openssl.org to
reopen
it if you come back with a different patch.
Matt
--
SY, Dmitry Belyavsky
Index: apps/speed.c
===
--- apps/speed.c(revision 10555)
+++ apps/speed.c(working copy)
@@ -1985,17 +1985,44 @@
EVP_CIPHER_CTX_cleanup(ctx);
}
if (evp_md)
- {
+ {
names[D_EVP]=OBJ_nid2ln(evp_md-type);
print_message(names[D_EVP],save_count,
- lengths[j]);
+ lengths[j]);
+ if (evp_md-type == NID_id_Gost28147_89_MAC)
+ {
+ Time_F(START);
+ for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
+ {
+ EVP_MD_CTX mac_ctx;
+ EVP_PKEY * mac_key;
+ size_t mac_key_size=32;
+ size_t siglen = sizeof(md);
- Time_F(START);
- for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
-
EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL);
+ EVP_MD_CTX_init(mac_ctx);
+
EVP_MD_CTX_set_flags(mac_ctx,EVP_MD_CTX_FLAG_ONESHOT);
- d=Time_F(STOP);
+ mac_key =
EVP_PKEY_new_mac_key(evp_md-type, NULL, key32, mac_key_size);
+
+ EVP_DigestSignInit(mac_ctx,
NULL, evp_md, NULL, mac_key);
+ EVP_PKEY_free(mac_key);
+
+ EVP_DigestSignUpdate(mac_ctx,
buf, lengths[j]);
+ EVP_DigestSignFinal(mac_ctx,
md, siglen);
+ EVP_MD_CTX_cleanup(mac_ctx);
+ }
+
+ d=Time_F(STOP);
}
+ else
+ {
+ Time_F(START);
+ for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
+
EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL);
+
+ d=Time_F(STOP);
+ }
+ }
print_result(D_EVP,j,count,d);
Re: [openssl.org #3530] Problems measuring openssl speed
Hello!
I've made a quick fix to solve this problem (attached). The main problem
with this fix is to move locally-defined engine constants to the level of
evp.h, so if you suggest a better solution, I am ready to implement it.
Thank you!
On Tue, Sep 16, 2014 at 9:29 PM, Dmitry Belyavsky via RT r...@openssl.org
wrote:
Hello Openssl Team!
I use openssl 1.0.1i with some patches in the GOST engine.
The command line is
openssl speed -engine gost -evp gost-mac
I get an error:
3074107544:error:80073074:lib(128):GOST_IMIT_UPDATE:mac key not
set:gost_crypt.c:654:
(the line number where the error occurs may differ from the current one
from 1.0.1i).
So gost-mac is treated as digest and the tests are using the EVP_Digest
method. But the gost-mac differs from common digests because it usage
requires a mac key to be set.
What is the best way to fix it? Should I hardcode the gost-mac support in
apps/speed.c to process it correctly or there is a better way?
Thank you!
--
SY, Dmitry Belyavsky
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
--
SY, Dmitry Belyavsky
Index: crypto/evp/evp.h
===
--- crypto/evp/evp.h(revision 10555)
+++ crypto/evp/evp.h(working copy)
@@ -227,6 +227,8 @@
/* Minimum Algorithm specific ctrl value */
#defineEVP_MD_CTRL_ALG_CTRL0x1000
+#define EVP_MD_CTRL_KEY_LEN (EVP_MD_CTRL_ALG_CTRL+3)
+#define EVP_MD_CTRL_SET_KEY (EVP_MD_CTRL_ALG_CTRL+4)
#define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0}
Index: engines/ccgost/gost_lcl.h
===
--- engines/ccgost/gost_lcl.h (revision 10555)
+++ engines/ccgost/gost_lcl.h (working copy)
@@ -172,8 +172,8 @@
extern EVP_CIPHER cipher_gost;
extern EVP_CIPHER cipher_gost_cpacnt;
extern EVP_CIPHER cipher_gost_cpcnt_12;
-#define EVP_MD_CTRL_KEY_LEN (EVP_MD_CTRL_ALG_CTRL+3)
-#define EVP_MD_CTRL_SET_KEY (EVP_MD_CTRL_ALG_CTRL+4)
+/*#define EVP_MD_CTRL_KEY_LEN (EVP_MD_CTRL_ALG_CTRL+3)
+#define EVP_MD_CTRL_SET_KEY (EVP_MD_CTRL_ALG_CTRL+4)*/
/* EVP_PKEY_METHOD key encryption callbacks */
/* From gost94_keyx.c */
int pkey_GOST94cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t
*outlen, const unsigned char* key, size_t key_len );
Index: apps/speed.c
===
--- apps/speed.c(revision 10555)
+++ apps/speed.c(working copy)
@@ -1985,17 +1985,37 @@
EVP_CIPHER_CTX_cleanup(ctx);
}
if (evp_md)
- {
+ {
names[D_EVP]=OBJ_nid2ln(evp_md-type);
print_message(names[D_EVP],save_count,
- lengths[j]);
+ lengths[j]);
+ if (evp_md-type == NID_id_Gost28147_89_MAC)
+ {
+ Time_F(START);
+ for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
+ {
+ EVP_MD_CTX ctx;
- Time_F(START);
- for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
-
EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL);
+ EVP_MD_CTX_init(ctx);
+
EVP_MD_CTX_set_flags(ctx,EVP_MD_CTX_FLAG_ONESHOT);
+ EVP_DigestInit_ex(ctx, evp_md,
NULL);
+ evp_md-md_ctrl(ctx,
EVP_MD_CTRL_SET_KEY, 32, (void *)key32);
+ EVP_DigestUpdate(ctx, buf,
lengths[j]);
+ EVP_DigestFinal_ex(ctx, md,
NULL);
+ EVP_MD_CTX_cleanup(ctx);
+ }
- d=Time_F(STOP);
+ d=Time_F(STOP);
}
+ else
+ {
+ Time_F(START);
+ for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
+
EVP_Digest(buf,lengths[j],(md[0]),NULL,evp_md,NULL);
+
+
RE: [openssl.org #3530] Problems measuring openssl speed
Thanks for working on this. I haven’t looked at the patch yet. Can we just put the constants in engine.h? -- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.memailto:rs...@jabber.me Twitter: RichSalz
