[Git][NTPsec/ntpsec][master] 3 commits: Minor crypto speedups

Hal Murray gitlab at mg.gitlab.com
Thu Feb 15 10:06:46 UTC 2018


Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
de72d173 by Hal Murray at 2018-02-14T01:57:08-08:00
Minor crypto speedups

use global EVP_MD_CTX
  saves 2x calls to EVP_MD_CTX_create/destroy per encrypted packet
remove redundant calls to ssl_init()
  it's called from ntpd.c

- - - - -
1f32af39 by Hal Murray at 2018-02-14T03:05:15-08:00
Cleanup auth cache
	It is now local to authkeys - not in ntp_stdlib.h

- - - - -
581044e2 by Hal Murray at 2018-02-15T02:05:36-08:00
Fix crypto to work on (slightly) older versions of OpenSSL

- - - - -


7 changed files:

- include/ntp_stdlib.h
- libntp/authkeys.c
- libntp/macencrypt.c
- libntp/ssl_init.c
- tests/common/tests_main.c
- tests/libntp/authkeys.c
- tests/libntp/macencrypt.c


Changes:

=====================================
include/ntp_stdlib.h
=====================================
--- a/include/ntp_stdlib.h
+++ b/include/ntp_stdlib.h
@@ -10,6 +10,7 @@
 #include <signal.h>
 #include <errno.h>
 #include <stdarg.h>
+#include <openssl/evp.h>
 
 #include "declcond.h"	/* ntpd uses ntpd/declcond.h, others include/ */
 #include "ntp_net.h"
@@ -68,8 +69,8 @@ int ntp_getopt_long(int argc, char* const argv[], const char *optstring,
 		    const struct option *longopts, int *longindex);
 
 /* mac_md5encrypt.c */
-extern	bool	mac_authdecrypt	(int, uint8_t *, uint32_t *, int, int);
-extern	int	mac_authencrypt	(int, uint8_t *, uint32_t *, int);
+extern	bool	mac_authdecrypt	(int, uint8_t *, int, uint32_t *, int, int);
+extern	int	mac_authencrypt	(int, uint8_t *, int, uint32_t *, int);
 extern	void	mac_setkey	(keyid_t, int, const uint8_t *, size_t);
 extern	uint32_t	addr2refid	(sockaddr_u *);
 
@@ -143,15 +144,6 @@ extern unsigned int	authdecryptions;	/* calls to decrypt */
 
 extern int	authnumfreekeys;
 
-/*
- * The key cache. We cache the last key we looked at here.
- */
-extern keyid_t		cache_keyid;		/* key identifier */
-extern int		cache_type;		/* key type */
-extern uint8_t *	cache_secret;		/* secret */
-extern unsigned short	cache_secretsize;	/* secret octets */
-extern unsigned short	cache_flags;		/* KEY_ bit flags */
-
 /* getopt.c */
 extern char *	ntp_optarg;		/* global argument pointer */
 extern int	ntp_optind;		/* global argv index */
@@ -161,7 +153,11 @@ extern bool	ipv4_works;
 extern bool	ipv6_works;
 
 /* ssl_init.c */
-extern	void	ssl_init		(void);
+extern	void	ssl_init	(void);
+
+/* Avoid 2x create/destroy per packet.
+ * need per thread if we start using threads. */
+EVP_MD_CTX *digest_ctx;
 
 /* strl-obsd.c */
 #ifndef HAVE_STRLCPY		/* + */


=====================================
libntp/authkeys.c
=====================================
--- a/libntp/authkeys.c
+++ b/libntp/authkeys.c
@@ -85,11 +85,11 @@ int authnumfreekeys;
 /*
  * The key cache. We cache the last key we looked at here.
  */
-keyid_t	cache_keyid;			/* key identifier */
-uint8_t *cache_secret;			/* secret */
-unsigned short cache_secretsize;	/* secret length */
-int cache_type;				/* OpenSSL digest NID */
-unsigned short cache_flags;		/* flags that wave */
+static keyid_t	cache_keyid;		/* key identifier */
+static uint8_t *cache_secret;		/* secret */
+static unsigned short cache_secretsize;	/* secret length */
+static int cache_type;			/* OpenSSL digest NID */
+static unsigned short cache_flags;	/* flags that wave */
 
 
 /*
@@ -554,7 +554,9 @@ authencrypt(
 		return 0;
 	}
 
-	return mac_authencrypt(cache_type, cache_secret, pkt, length);
+	return mac_authencrypt(cache_type,
+		cache_secret, cache_secretsize,
+		pkt, length);
 }
 
 
@@ -581,5 +583,7 @@ authdecrypt(
 		return false;
 	}
 
-	return mac_authdecrypt(cache_type, cache_secret, pkt, length, size);
+	return mac_authdecrypt(cache_type,
+		cache_secret, cache_secretsize,
+		pkt, length, size);
 }


=====================================
libntp/macencrypt.c
=====================================
--- a/libntp/macencrypt.c
+++ b/libntp/macencrypt.c
@@ -14,6 +14,12 @@
 #include "ntp_stdlib.h"
 #include "ntp.h"
 
+#ifndef EVP_MD_CTX_reset
+/* Slightly older version of OpenSSL */
+/* Similar hack in ssl_init.c */
+#define EVP_MD_CTX_reset(ctx) EVP_MD_CTX_init(ctx)
+#endif
+
 /* ctmemeq - test two blocks memory for equality without leaking
  * timing information.
  *
@@ -45,30 +51,29 @@ int
 mac_authencrypt(
 	int	type,		/* hash algorithm */
 	uint8_t	*key,		/* key pointer */
+	int	key_size,	/* key size */
 	uint32_t *pkt,		/* packet pointer */
 	int	length		/* packet length */
 	)
 {
 	uint8_t	digest[EVP_MAX_MD_SIZE];
 	unsigned int	len;
-	EVP_MD_CTX *ctx;
+	EVP_MD_CTX *ctx = digest_ctx;
 
 	/*
 	 * Compute digest of key concatenated with packet. Note: the
 	 * key type and digest type have been verified when the key
 	 * was created.
 	 */
-	ssl_init();
-	ctx = EVP_MD_CTX_create();
+	EVP_MD_CTX_reset(ctx);
 	if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(type), NULL)) {
 		msyslog(LOG_ERR,
 		    "MAC: encrypt: digest init failed");
 		return (0);
 	}
-	EVP_DigestUpdate(ctx, key, cache_secretsize);
+	EVP_DigestUpdate(ctx, key, key_size);
 	EVP_DigestUpdate(ctx, (uint8_t *)pkt, (unsigned int)length);
 	EVP_DigestFinal_ex(ctx, digest, &len);
-	EVP_MD_CTX_destroy(ctx);
 	memmove((uint8_t *)pkt + length + 4, digest, len);
 	return (int)(len + 4);
 }
@@ -83,31 +88,30 @@ bool
 mac_authdecrypt(
 	int	type,		/* hash algorithm */
 	uint8_t	*key,		/* key pointer */
-	uint32_t	*pkt,		/* packet pointer */
+	int	key_size,	/* key size */
+	uint32_t	*pkt,	/* packet pointer */
 	int	length,	 	/* packet length */
 	int	size		/* MAC size */
 	)
 {
 	uint8_t	digest[EVP_MAX_MD_SIZE];
 	unsigned int	len;
-	EVP_MD_CTX *ctx;
+	EVP_MD_CTX *ctx = digest_ctx;
 
 	/*
 	 * Compute digest of key concatenated with packet. Note: the
 	 * key type and digest type have been verified when the key
 	 * was created.
 	 */
-	ssl_init();
-	ctx = EVP_MD_CTX_create();
+	EVP_MD_CTX_reset(ctx);
 	if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(type), NULL)) {
 		msyslog(LOG_ERR,
 		    "MAC: decrypt: digest init failed");
 		return false;
 	}
-	EVP_DigestUpdate(ctx, key, cache_secretsize);
+	EVP_DigestUpdate(ctx, key, key_size);
 	EVP_DigestUpdate(ctx, (uint8_t *)pkt, (unsigned int)length);
 	EVP_DigestFinal_ex(ctx, digest, &len);
-	EVP_MD_CTX_destroy(ctx);
 	if ((unsigned int)size != len + 4) {
 		msyslog(LOG_ERR,
 		    "MAC: decrypt: MAC length error");
@@ -134,8 +138,6 @@ addr2refid(sockaddr_u *addr)
 	if (IS_IPV4(addr))
 		return (NSRCADR(addr));
 
-	ssl_init();
-
 	ctx = EVP_MD_CTX_create();
 #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
 	/* MD5 is not used as a crypto hash here. */


=====================================
libntp/ssl_init.c
=====================================
--- a/libntp/ssl_init.c
+++ b/libntp/ssl_init.c
@@ -11,11 +11,18 @@
 #include <stdbool.h>
 #include <openssl/evp.h>
 
+#ifndef EVP_MD_CTX_new
+/* Slightly older version of OpenSSL */
+/* Similar hack in macencrypt.c */
+#define EVP_MD_CTX_new() EVP_MD_CTX_create()
+#endif
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static void	atexit_ssl_cleanup(void);
 #endif
 
 static bool ssl_init_done;
+EVP_MD_CTX *digest_ctx;
 
 void
 ssl_init(void)
@@ -28,6 +35,7 @@ ssl_init(void)
 	atexit(&atexit_ssl_cleanup);
 #endif
 
+	digest_ctx = EVP_MD_CTX_new();
 	ssl_init_done = true;
 }
 


=====================================
tests/common/tests_main.c
=====================================
--- a/tests/common/tests_main.c
+++ b/tests/common/tests_main.c
@@ -77,6 +77,7 @@ static void RunAllTests(void)
 
 int main(int argc, const char * argv[]) {
 
+	ssl_init();
 	init_auth();
 	init_network();
 


=====================================
tests/libntp/authkeys.c
=====================================
--- a/tests/libntp/authkeys.c
+++ b/tests/libntp/authkeys.c
@@ -18,14 +18,6 @@ TEST_SETUP(authkeys) {
 	 */
 	authnumkeys = 0;
 
-	/*
-	 * Especially, empty the key cache!
-	 */
-	cache_keyid = 0;
-	cache_type = 0;
-	cache_flags = 0;
-	cache_secret = NULL;
-	cache_secretsize = 0;
 }
 
 TEST_TEAR_DOWN(authkeys) {}


=====================================
tests/libntp/macencrypt.c
=====================================
--- a/tests/libntp/macencrypt.c
+++ b/tests/libntp/macencrypt.c
@@ -32,12 +32,13 @@ TEST(macencrypt, Encrypt) {
 	memset(packetPtr+packetLength, 0, (size_t)keyIdLength);
 	memcpy(packetPtr, packet, (size_t)packetLength);
 
-	cache_secretsize = keyLength;
+	int length = mac_authencrypt(keytype,
+		(unsigned char*)key, keyLength,
+		(uint32_t*)packetPtr, packetLength);
 
-	int length = mac_authencrypt(keytype, (unsigned char*)key,
-                                     (uint32_t*)packetPtr, packetLength);
-
-	TEST_ASSERT_TRUE(mac_authdecrypt(keytype, (unsigned char*)key, (uint32_t*)packetPtr, packetLength, length));
+	TEST_ASSERT_TRUE(mac_authdecrypt(keytype,
+		(unsigned char*)key, keyLength,
+		(uint32_t*)packetPtr, packetLength, length));
 
 	TEST_ASSERT_EQUAL(20, length);
 //XXX	TEST_ASSERT_TRUE(memcmp(expectedPacket, packetPtr, totalLength) == 0);  Does not pass
@@ -45,19 +46,17 @@ TEST(macencrypt, Encrypt) {
 }
 
 TEST(macencrypt, DecryptValid) {
-	cache_secretsize = keyLength;
-
-	TEST_ASSERT_TRUE(mac_authdecrypt(keytype, (unsigned char*)key,
-                         (uint32_t*)expectedPacket, packetLength, 20));
+	TEST_ASSERT_TRUE(mac_authdecrypt(keytype,
+		(unsigned char*)key, keyLength,
+		(uint32_t*)expectedPacket, packetLength, 20));
 }
 
 TEST(macencrypt, DecryptInvalid) {
-	cache_secretsize = keyLength;
-
 	char invalidPacket[] = "ijklmnopqrstuvwx\0\0\0\0\x0c\x0e\x84\xcf\x0b\xb7\xa8\x68\x8e\x52\x38\xdb\xbc\x1c\x39\x54";
 
-	TEST_ASSERT_FALSE(mac_authdecrypt(keytype, (unsigned char*)key,
-                          (uint32_t*)invalidPacket, packetLength, 20));
+	TEST_ASSERT_FALSE(mac_authdecrypt(keytype,
+		(unsigned char*)key, keyLength,
+		(uint32_t*)invalidPacket, packetLength, 20));
 }
 
 TEST(macencrypt, IPv4AddressToRefId) {



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/42dbd0ed883451aa6a03cc41f85eec40f7a555eb...581044e22179960609200aa8bf8d0e940d73904a

---
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/42dbd0ed883451aa6a03cc41f85eec40f7a555eb...581044e22179960609200aa8bf8d0e940d73904a
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20180215/5b43799c/attachment.html>


More information about the vc mailing list