I am still using
openssl_tpm_engine-0.4.1.tar.gz<http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.1/openssl_tpm_engine-0.4.1.tar.gz/download>,
and I have been experiencing poor performance with ssl session caching in
an application that makes many frequent connections. Profiling the code, I
could see that it was repeatedly loading the key but not using it. I made these
changes to improve the performance and now it is really fast as expected.
Basically I just added 4 key slots that cache a copy of loaded keys. If
there is interest I can work on merging this to the latest code base and
repost.
$ diff ./e_tpm.c ~/Downloads/openssl_tpm_engine-0.4.1/e_tpm.c
204,289d203
< #define KEYENTRY_COUNT 4
< #define KEYBLOB_LEN 4096
< typedef struct _KeyEntry
< {
< int set;
< int blobLen;
< BYTE blob[KEYBLOB_LEN];
< TSS_HKEY hKey;
< }
< KeyEntry;
< static KeyEntry keyList[KEYENTRY_COUNT];
<
< static TSS_RESULT LoadKey(BYTE *blob, int blobLen, TSS_HKEY *hKey);
< static TSS_RESULT UnloadKey(TSS_HKEY hKey);
<
< TSS_RESULT UnloadKey(TSS_HKEY hKey)
< {
< int idx;
<
< /* dont release registered keys */
< for(idx = 0; idx < KEYENTRY_COUNT; idx++)
< {
< if(keyList[idx].set == TRUE)
< {
< if(keyList[idx].hKey == hKey)
< {
< return TSS_SUCCESS;
< }
< }
< }
<
< return p_tspi_Context_CloseObject(hContext, hKey);
< }
<
< TSS_RESULT LoadKey(BYTE *blob, int blobLen, TSS_HKEY *hKey)
< {
< int idx;
<
< /* validate input */
< if(blobLen > KEYBLOB_LEN || hKey == NULL)
< {
< printf("invalid key size\n");
< return TSS_E_BAD_PARAMETER;
< }
<
< /* see if key has already been cached */
< for(idx = 0; idx < KEYENTRY_COUNT; idx++)
< {
< if(keyList[idx].set == TRUE)
< {
< if(keyList[idx].blobLen == blobLen &&
memcmp(keyList[idx].blob, blob, keyList[idx].blobLen) == 0)
< {
< *hKey = keyList[idx].hKey;
< return TSS_SUCCESS;
< }
< }
< else
< {
< break;
< }
< }
<
< /* see if there is an open slot */
< if(idx >= KEYENTRY_COUNT)
< {
< printf("no more slots\n");
< return TSS_E_OUTOFMEMORY;
< }
<
< /* load key from TPM */
< if(p_tspi_Context_LoadKeyByBlob(hContext, hSRK, blobLen, blob, hKey)
!= TSS_SUCCESS)
< {
< printf("load key by blob failed\n");
< return TSS_E_INTERNAL_ERROR;
< }
<
< /* store keylist data */
< keyList[idx].set = TRUE;
< keyList[idx].hKey = *hKey;
< keyList[idx].blobLen = blobLen;
< memcpy(keyList[idx].blob, blob, blobLen);
<
< return TSS_SUCCESS;
< }
<
<
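Review bot: Once all four slots are filled, LoadKey() fails outright with TSS_E_OUTOFMEMORY at the `no more slots` branch, so the engine can no longer load a fifth distinct key at all, where the original code had no such limit; loading it uncached instead keeps the old behaviour, and UnloadKey() already closes any handle it does not find in keyList: `if (idx >= KEYENTRY_COUNT) { return p_tspi_Context_LoadKeyByBlob(hContext, hSRK, blobLen, blob, hKey); }`. The input check also lets a negative blobLen through (it is an int), which memcmp()/memcpy() would then receive as a huge size_t; `if (blob == NULL || hKey == NULL || blobLen < 0 || blobLen > KEYBLOB_LEN)` covers both. The failure branch after p_tspi_Context_LoadKeyByBlob() discards the TSS result in favour of TSS_E_INTERNAL_ERROR, so callers lose the TPM's real error code; keep the result in a local and return it. keyList is file-scope state updated without any lock, so if the engine is shared between threads (likely for an application making many connections) the slot selection can race, which deserves at least a comment such as `/* NOTE: keyList is not thread-safe; callers must serialise LoadKey/UnloadKey */`. The prototypes are declared static but the definitions are not; adding static to the definitions keeps the two consistent.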
608,609d521
< int idx;
<
617,622d528
< for(idx = 0; idx < KEYENTRY_COUNT; idx++)
< {
< keyList[idx].set = FALSE;
< p_tspi_Context_CloseObject(hContext, keyList[idx].hKey);
< }
<
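Review bot: The cleanup loop passes keyList[idx].hKey to p_tspi_Context_CloseObject for every slot regardless of `set`, so slots that were never filled hand over a zero (static-initialised) handle; guard the close with `if (keyList[idx].set == TRUE)` and clear the flag either way. The result of p_tspi_Context_CloseObject is also dropped, which hides failures during teardown. The enclosing function (presumably the engine finish routine) starts and ends outside the hunk, and its `int idx;` declaration is in the preceding hunk at 608,609.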
751c657,658
< if ((result = LoadKey(blob_buf, rc, &hKey))) {
---
> if ((result = p_tspi_Context_LoadKeyByBlob(hContext, hSRK, rc,
> blob_buf, &hKey))) {
946,957d852
< if(app_data != NULL && app_data->hHash != NULL_HHASH)
< {
< p_tspi_Context_CloseObject(hContext, app_data->hHash);
< app_data->hHash = NULL_HHASH;
< }
<
< if(app_data != NULL && app_data->hKey != NULL_HKEY)
< {
< UnloadKey(app_data->hKey);
< app_data->hKey = NULL_HKEY;
< }
<
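Review bot: If the engine's finish loop (which closes every cached hKey and clears `set`) can run before this free path, UnloadKey() will no longer find the handle in keyList and will call p_tspi_Context_CloseObject a second time on a handle that has already been closed; the ordering is not visible here, so it is worth confirming, and a cheap guard is a static flag set by init, cleared by finish, that UnloadKey() checks before closing anything. The return value of UnloadKey() is ignored here, so a failed close goes unreported; at minimum log it the way the rest of the file reports TSS failures. The enclosing function starts and ends outside the hunk.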
1421,1428d1315
< int idx;
<
< /* init key list cache */
< for(idx = 0; idx < KEYENTRY_COUNT; idx++)
< {
< keyList[idx].set = FALSE;
< }
<
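Review bot: The init loop resets only `set`, leaving a stale hKey and blobLen in each slot; that is harmless today because every lookup gates on `set` first, but `memset(keyList, 0, sizeof keyList);` resets all fields in one line and documents the intent better. A comment such as `/* reset the key cache; slots are filled lazily by LoadKey() */` would also help, since static storage is already zero-initialised and a reader may otherwise wonder why the loop exists (it matters if init can run again after finish). The enclosing function starts and ends outside the hunk.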