[Git][NTPsec/ntpsec][master] 3 commits: Minor crypto speedups
Hal Murray
gitlab at mg.gitlab.com
Thu Feb 15 10:06:46 UTC 2018
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
de72d173 by Hal Murray at 2018-02-14T01:57:08-08:00
Minor crypto speedups
use global EVP_MD_CTX
saves 2x calls to EVP_MD_CTX_create/destroy per encrypted packet
remove redundant calls to ssl_init()
it's called from ntpd.c
- - - - -
1f32af39 by Hal Murray at 2018-02-14T03:05:15-08:00
Cleanup auth cache
It is now local to authkeys - not in ntp_stdlib.h
- - - - -
581044e2 by Hal Murray at 2018-02-15T02:05:36-08:00
Fix crypto to work on (slightly) older versions of OpenSSL
- - - - -
7 changed files:
- include/ntp_stdlib.h
- libntp/authkeys.c
- libntp/macencrypt.c
- libntp/ssl_init.c
- tests/common/tests_main.c
- tests/libntp/authkeys.c
- tests/libntp/macencrypt.c
Changes:
=====================================
include/ntp_stdlib.h
=====================================
--- a/include/ntp_stdlib.h
+++ b/include/ntp_stdlib.h
@@ -10,6 +10,7 @@
#include <signal.h>
#include <errno.h>
#include <stdarg.h>
+#include <openssl/evp.h>
#include "declcond.h" /* ntpd uses ntpd/declcond.h, others include/ */
#include "ntp_net.h"
@@ -68,8 +69,8 @@ int ntp_getopt_long(int argc, char* const argv[], const char *optstring,
const struct option *longopts, int *longindex);
/* mac_md5encrypt.c */
-extern bool mac_authdecrypt (int, uint8_t *, uint32_t *, int, int);
-extern int mac_authencrypt (int, uint8_t *, uint32_t *, int);
+extern bool mac_authdecrypt (int, uint8_t *, int, uint32_t *, int, int);
+extern int mac_authencrypt (int, uint8_t *, int, uint32_t *, int);
extern void mac_setkey (keyid_t, int, const uint8_t *, size_t);
extern uint32_t addr2refid (sockaddr_u *);
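Review bot: The new prototypes `extern bool mac_authdecrypt (int, uint8_t *, int, uint32_t *, int, int);` and `extern int mac_authencrypt (int, uint8_t *, int, uint32_t *, int);` now carry three or four unnamed `int` parameters in a row, so nothing in the header tells a caller which one is the key size, which is the packet length and which is the MAC size; the commit itself had to slot the new argument between two pointers in every caller. Keep the parameter names from the definitions in the prototypes, e.g. `extern int mac_authencrypt(int type, uint8_t *key, int key_size, uint32_t *pkt, int length);` and likewise for mac_authdecrypt with `int size` last. The key is only read (it goes straight to EVP_DigestUpdate), so `const uint8_t *key` would document that as well, and `size_t` is the natural type for key_size since it is converted to size_t at the EVP call anyway. The section comment `/* mac_md5encrypt.c */` above them names a file that the diffstat lists as libntp/macencrypt.c.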
@@ -143,15 +144,6 @@ extern unsigned int authdecryptions; /* calls to decrypt */
extern int authnumfreekeys;
-/*
- * The key cache. We cache the last key we looked at here.
- */
-extern keyid_t cache_keyid; /* key identifier */
-extern int cache_type; /* key type */
-extern uint8_t * cache_secret; /* secret */
-extern unsigned short cache_secretsize; /* secret octets */
-extern unsigned short cache_flags; /* KEY_ bit flags */
-
/* getopt.c */
extern char * ntp_optarg; /* global argument pointer */
extern int ntp_optind; /* global argv index */
@@ -161,7 +153,11 @@ extern bool ipv4_works;
extern bool ipv6_works;
/* ssl_init.c */
-extern void ssl_init (void);
+extern void ssl_init (void);
+
+/* Avoid 2x create/destroy per packet.
+ * need per thread if we start using threads. */
+EVP_MD_CTX *digest_ctx;
/* strl-obsd.c */
#ifndef HAVE_STRLCPY /* + */
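Review bot: `EVP_MD_CTX *digest_ctx;` in the header is a tentative definition, not a declaration, so every translation unit that includes ntp_stdlib.h now defines the symbol on top of the definition in libntp/ssl_init.c; with toolchains that default to -fno-common (GCC 10+, Clang 11+) that is a duplicate-symbol link error, and even where common symbols are merged it is fragile. The line should read `extern EVP_MD_CTX *digest_ctx;`, leaving ssl_init.c as the single definition. The comment would also be more useful if it stated the contract the new code depends on, e.g. `/* Shared digest context, allocated by ssl_init(); callers must run ssl_init() first. One context, not thread-safe. */`.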
=====================================
libntp/authkeys.c
=====================================
--- a/libntp/authkeys.c
+++ b/libntp/authkeys.c
@@ -85,11 +85,11 @@ int authnumfreekeys;
/*
* The key cache. We cache the last key we looked at here.
*/
-keyid_t cache_keyid; /* key identifier */
-uint8_t *cache_secret; /* secret */
-unsigned short cache_secretsize; /* secret length */
-int cache_type; /* OpenSSL digest NID */
-unsigned short cache_flags; /* flags that wave */
+static keyid_t cache_keyid; /* key identifier */
+static uint8_t *cache_secret; /* secret */
+static unsigned short cache_secretsize; /* secret length */
+static int cache_type; /* OpenSSL digest NID */
+static unsigned short cache_flags; /* flags that wave */
/*
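Review bot: The comment on `static unsigned short cache_flags; /* flags that wave */` says nothing about what the flags are, while the extern declaration this commit deletes from ntp_stdlib.h documented the same variable as `/* KEY_ bit flags */`; carry that wording over so the information does not disappear with the header: `static unsigned short cache_flags; /* KEY_ bit flags */`. A one-line note above the group saying that the cache is now private to authkeys.c and can no longer be cleared from outside would also help, since the unit tests used to reset it in TEST_SETUP and no longer can.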
@@ -554,7 +554,9 @@ authencrypt(
return 0;
}
- return mac_authencrypt(cache_type, cache_secret, pkt, length);
+ return mac_authencrypt(cache_type,
+ cache_secret, cache_secretsize,
+ pkt, length);
}
@@ -581,5 +583,7 @@ authdecrypt(
return false;
}
- return mac_authdecrypt(cache_type, cache_secret, pkt, length, size);
+ return mac_authdecrypt(cache_type,
+ cache_secret, cache_secretsize,
+ pkt, length, size);
}
=====================================
libntp/macencrypt.c
=====================================
--- a/libntp/macencrypt.c
+++ b/libntp/macencrypt.c
@@ -14,6 +14,12 @@
#include "ntp_stdlib.h"
#include "ntp.h"
+#ifndef EVP_MD_CTX_reset
+/* Slightly older version of OpenSSL */
+/* Similar hack in ssl_init.c */
+#define EVP_MD_CTX_reset(ctx) EVP_MD_CTX_init(ctx)
+#endif
+
/* ctmemeq - test two blocks memory for equality without leaking
* timing information.
*
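Review bot: On OpenSSL 1.0.x the fallback `#define EVP_MD_CTX_reset(ctx) EVP_MD_CTX_init(ctx)` is not equivalent to a reset: EVP_MD_CTX_init() only zeroes the struct, so the md_data buffer that the previous EVP_DigestInit_ex() allocated inside the now long-lived digest_ctx is dropped and re-allocated on every packet, a per-packet leak that the old create/destroy pairing did not have. The 1.0.x function that frees and zeroes is EVP_MD_CTX_cleanup(), which 1.1.0 renamed to EVP_MD_CTX_reset(), so the shim should be `#define EVP_MD_CTX_reset(ctx) EVP_MD_CTX_cleanup(ctx)`. Note also that `#ifndef EVP_MD_CTX_reset` is true on 1.1.0 as well, where EVP_MD_CTX_reset is a function rather than a macro, and the build only works there because 1.1.0 keeps EVP_MD_CTX_init as a compatibility macro pointing back at reset; gating on `OPENSSL_VERSION_NUMBER < 0x10100000L`, as ssl_init.c already does, is the reliable test.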
@@ -45,30 +51,29 @@ int
mac_authencrypt(
int type, /* hash algorithm */
uint8_t *key, /* key pointer */
+ int key_size, /* key size */
uint32_t *pkt, /* packet pointer */
int length /* packet length */
)
{
uint8_t digest[EVP_MAX_MD_SIZE];
unsigned int len;
- EVP_MD_CTX *ctx;
+ EVP_MD_CTX *ctx = digest_ctx;
/*
* Compute digest of key concatenated with packet. Note: the
* key type and digest type have been verified when the key
* was created.
*/
- ssl_init();
- ctx = EVP_MD_CTX_create();
+ EVP_MD_CTX_reset(ctx);
if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(type), NULL)) {
msyslog(LOG_ERR,
"MAC: encrypt: digest init failed");
return (0);
}
- EVP_DigestUpdate(ctx, key, cache_secretsize);
+ EVP_DigestUpdate(ctx, key, key_size);
EVP_DigestUpdate(ctx, (uint8_t *)pkt, (unsigned int)length);
EVP_DigestFinal_ex(ctx, digest, &len);
- EVP_MD_CTX_destroy(ctx);
memmove((uint8_t *)pkt + length + 4, digest, len);
return (int)(len + 4);
}
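Review bot: With the `ssl_init();` call removed, `EVP_MD_CTX *ctx = digest_ctx;` is handed to EVP_MD_CTX_reset() with no check that ssl_init() has ever run, and the commit message relies on ntpd.c doing so; any other libntp consumer that authenticates a packet now dereferences a NULL context instead of working, which is exactly why the test harness in this same push had to gain an explicit `ssl_init();`. A cheap guard keeps the speedup and the old robustness: `if (NULL == ctx) { ssl_init(); ctx = digest_ctx; }` before the reset, or at the very least a comment on the declaration stating the precondition, e.g. `/* digest_ctx is allocated by ssl_init(); caller must have run it */`. The unchecked EVP_DigestUpdate()/EVP_DigestFinal_ex() returns predate this commit, but they mean `len` is used uninitialized in the memmove below if the final step fails.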
@@ -83,31 +88,30 @@ bool
mac_authdecrypt(
int type, /* hash algorithm */
uint8_t *key, /* key pointer */
- uint32_t *pkt, /* packet pointer */
+ int key_size, /* key size */
+ uint32_t *pkt, /* packet pointer */
int length, /* packet length */
int size /* MAC size */
)
{
uint8_t digest[EVP_MAX_MD_SIZE];
unsigned int len;
- EVP_MD_CTX *ctx;
+ EVP_MD_CTX *ctx = digest_ctx;
/*
* Compute digest of key concatenated with packet. Note: the
* key type and digest type have been verified when the key
* was created.
*/
- ssl_init();
- ctx = EVP_MD_CTX_create();
+ EVP_MD_CTX_reset(ctx);
if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(type), NULL)) {
msyslog(LOG_ERR,
"MAC: decrypt: digest init failed");
return false;
}
- EVP_DigestUpdate(ctx, key, cache_secretsize);
+ EVP_DigestUpdate(ctx, key, key_size);
EVP_DigestUpdate(ctx, (uint8_t *)pkt, (unsigned int)length);
EVP_DigestFinal_ex(ctx, digest, &len);
- EVP_MD_CTX_destroy(ctx);
if ((unsigned int)size != len + 4) {
msyslog(LOG_ERR,
"MAC: decrypt: MAC length error");
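Review bot: On the authentication path the results of `EVP_DigestUpdate(ctx, key, key_size);`, the second EVP_DigestUpdate() and `EVP_DigestFinal_ex(ctx, digest, &len);` are discarded, so if any of them fails `len` (declared uninitialized above) is compared against `size` and `digest` holds whatever was left in the stack frame before the comparison that follows outside this hunk; the old code had the same gap, but now that the context is shared across calls a failure no longer gets a fresh context on the next packet either. Treat a digest failure as an authentication failure, as the existing EVP_DigestInit_ex() check already does. `key_size` is an `int` that becomes a size_t at these calls, so a negative value would be read as a huge length; the visible callers pass an unsigned short, but the function itself does not check it. The body of mac_authdecrypt continues past the end of the hunk.
```c
	if (!EVP_DigestUpdate(ctx, key, (size_t)key_size) ||
	    !EVP_DigestUpdate(ctx, (uint8_t *)pkt, (size_t)length) ||
	    !EVP_DigestFinal_ex(ctx, digest, &len)) {
		msyslog(LOG_ERR, "MAC: decrypt: digest failed");
		return false;
	}
	/* … unchanged: MAC length check and constant-time compare … */
```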
@@ -134,8 +138,6 @@ addr2refid(sockaddr_u *addr)
if (IS_IPV4(addr))
return (NSRCADR(addr));
- ssl_init();
-
ctx = EVP_MD_CTX_create();
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* MD5 is not used as a crypto hash here. */
=====================================
libntp/ssl_init.c
=====================================
--- a/libntp/ssl_init.c
+++ b/libntp/ssl_init.c
@@ -11,11 +11,18 @@
#include <stdbool.h>
#include <openssl/evp.h>
+#ifndef EVP_MD_CTX_new
+/* Slightly older version of OpenSSL */
+/* Similar hack in macencrypt.c */
+#define EVP_MD_CTX_new() EVP_MD_CTX_create()
+#endif
+
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void atexit_ssl_cleanup(void);
#endif
static bool ssl_init_done;
+EVP_MD_CTX *digest_ctx;
void
ssl_init(void)
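Review bot: `#ifndef EVP_MD_CTX_new` does not test what the comment says: in OpenSSL 1.1.0 and later EVP_MD_CTX_new is a function, not a macro, so the fallback is compiled on new versions too and only works because 1.1.0 keeps `EVP_MD_CTX_create()` as a compatibility macro that expands back to EVP_MD_CTX_new(). Gate the shim on the version test this file already uses for atexit_ssl_cleanup, `#if OPENSSL_VERSION_NUMBER < 0x10100000L`, handling LibreSSL separately since its OPENSSL_VERSION_NUMBER does not track OpenSSL's API. The new global would also benefit from a line stating its contract, e.g. `/* Shared digest context for mac_authencrypt/mac_authdecrypt; allocated once in ssl_init(), never freed. */`.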
@@ -28,6 +35,7 @@ ssl_init(void)
atexit(&atexit_ssl_cleanup);
#endif
+ digest_ctx = EVP_MD_CTX_new();
ssl_init_done = true;
}
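Review bot: `digest_ctx = EVP_MD_CTX_new();` is not checked, and because `ssl_init_done = true;` is set immediately afterwards a failed allocation is never retried (assuming, as the flag suggests, that ssl_init() returns early once it is set) and leaves digest_ctx NULL for every later mac_authencrypt()/mac_authdecrypt() call to dereference. Treat it as fatal at init time, e.g. `if (NULL == digest_ctx) { msyslog(LOG_ERR, "ssl_init: EVP_MD_CTX_new failed"); exit(1); }`, provided msyslog and exit are available here (the includes are outside the hunk). The earlier part of ssl_init() is outside the hunk.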
=====================================
tests/common/tests_main.c
=====================================
--- a/tests/common/tests_main.c
+++ b/tests/common/tests_main.c
@@ -77,6 +77,7 @@ static void RunAllTests(void)
int main(int argc, const char * argv[]) {
+ ssl_init();
init_auth();
init_network();
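Review bot: The reason `ssl_init();` must now run before init_auth() is not stated at the call site: mac_authencrypt()/mac_authdecrypt() use the shared digest_ctx that ssl_init() allocates and no longer initialize OpenSSL themselves, so a test that authenticates a packet before this line would crash on a NULL context. Add `/* allocates digest_ctx; must precede any mac_authencrypt/mac_authdecrypt test */` so the ordering survives the next reshuffle of main(). main() continues outside the hunk.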
=====================================
tests/libntp/authkeys.c
=====================================
--- a/tests/libntp/authkeys.c
+++ b/tests/libntp/authkeys.c
@@ -18,14 +18,6 @@ TEST_SETUP(authkeys) {
*/
authnumkeys = 0;
- /*
- * Especially, empty the key cache!
- */
- cache_keyid = 0;
- cache_type = 0;
- cache_flags = 0;
- cache_secret = NULL;
- cache_secretsize = 0;
}
TEST_TEAR_DOWN(authkeys) {}
=====================================
tests/libntp/macencrypt.c
=====================================
--- a/tests/libntp/macencrypt.c
+++ b/tests/libntp/macencrypt.c
@@ -32,12 +32,13 @@ TEST(macencrypt, Encrypt) {
memset(packetPtr+packetLength, 0, (size_t)keyIdLength);
memcpy(packetPtr, packet, (size_t)packetLength);
- cache_secretsize = keyLength;
+ int length = mac_authencrypt(keytype,
+ (unsigned char*)key, keyLength,
+ (uint32_t*)packetPtr, packetLength);
- int length = mac_authencrypt(keytype, (unsigned char*)key,
- (uint32_t*)packetPtr, packetLength);
-
- TEST_ASSERT_TRUE(mac_authdecrypt(keytype, (unsigned char*)key, (uint32_t*)packetPtr, packetLength, length));
+ TEST_ASSERT_TRUE(mac_authdecrypt(keytype,
+ (unsigned char*)key, keyLength,
+ (uint32_t*)packetPtr, packetLength, length));
TEST_ASSERT_EQUAL(20, length);
//XXX TEST_ASSERT_TRUE(memcmp(expectedPacket, packetPtr, totalLength) == 0); Does not pass
@@ -45,19 +46,17 @@ TEST(macencrypt, Encrypt) {
}
TEST(macencrypt, DecryptValid) {
- cache_secretsize = keyLength;
-
- TEST_ASSERT_TRUE(mac_authdecrypt(keytype, (unsigned char*)key,
- (uint32_t*)expectedPacket, packetLength, 20));
+ TEST_ASSERT_TRUE(mac_authdecrypt(keytype,
+ (unsigned char*)key, keyLength,
+ (uint32_t*)expectedPacket, packetLength, 20));
}
TEST(macencrypt, DecryptInvalid) {
- cache_secretsize = keyLength;
-
char invalidPacket[] = "ijklmnopqrstuvwx\0\0\0\0\x0c\x0e\x84\xcf\x0b\xb7\xa8\x68\x8e\x52\x38\xdb\xbc\x1c\x39\x54";
- TEST_ASSERT_FALSE(mac_authdecrypt(keytype, (unsigned char*)key,
- (uint32_t*)invalidPacket, packetLength, 20));
+ TEST_ASSERT_FALSE(mac_authdecrypt(keytype,
+ (unsigned char*)key, keyLength,
+ (uint32_t*)invalidPacket, packetLength, 20));
}
TEST(macencrypt, IPv4AddressToRefId) {