summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2007-06-05 18:30:18 +1000
committerDarren Tucker <dtucker@zip.com.au>2007-06-05 18:30:18 +1000
commit5f3d5be52f02d2d149cc11ec4a511d022444d2b1 (patch)
treede550fe7966f77cc548a1d4029ceaef4774cce4c
parent7b21cb5bdc6d0e587f646397b6c6f6ef87505e0b (diff)
- djm@cvs.openbsd.org 2007/06/05 06:52:37
[kex.c monitor_wrap.c packet.c mac.h kex.h mac.c] Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5 patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
Diffstat
-rw-r--r--ChangeLog8
-rw-r--r--kex.c4
-rw-r--r--kex.h4
-rw-r--r--mac.c36
-rw-r--r--mac.h6
-rw-r--r--monitor_wrap.c4
-rw-r--r--packet.c12
7 files changed, 49 insertions, 25 deletions
diff --git a/ChangeLog b/ChangeLog
index f0668460a..c5c0c9dde 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,12 @@
18 - djm@cvs.openbsd.org 2007/06/02 09:04:58 18 - djm@cvs.openbsd.org 2007/06/02 09:04:58
19 [bufbn.c] 19 [bufbn.c]
20 memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca 20 memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca
21 - djm@cvs.openbsd.org 2007/06/05 06:52:37
22 [kex.c monitor_wrap.c packet.c mac.h kex.h mac.c]
23 Preserve MAC ctx between packets, saving 2xhash calls per-packet.
24 Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
25 patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
26 committing at his request)
21 27
2220070520 2820070520
23 - (dtucker) OpenBSD CVS Sync 29 - (dtucker) OpenBSD CVS Sync
@@ -2961,4 +2967,4 @@
2961 OpenServer 6 and add osr5bigcrypt support so when someone migrates 2967 OpenServer 6 and add osr5bigcrypt support so when someone migrates
2962 passwords between UnixWare and OpenServer they will still work. OK dtucker@ 2968 passwords between UnixWare and OpenServer they will still work. OK dtucker@
2963 2969
2964$Id: ChangeLog,v 1.4675 2007/06/05 08:29:35 dtucker Exp $ 2970$Id: ChangeLog,v 1.4676 2007/06/05 08:30:18 dtucker Exp $
diff --git a/kex.c b/kex.c
index ad2e93cc1..332fadf6e 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.c,v 1.78 2007/05/30 05:58:13 djm Exp $ */ 1/* $OpenBSD: kex.c,v 1.79 2007/06/05 06:52:37 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -279,7 +279,7 @@ choose_mac(Mac *mac, char *client, char *server)
279 if (name == NULL) 279 if (name == NULL)
280 fatal("no matching mac found: client %s server %s", 280 fatal("no matching mac found: client %s server %s",
281 client, server); 281 client, server);
282 if (mac_init(mac, name) < 0) 282 if (mac_setup(mac, name) < 0)
283 fatal("unsupported mac %s", name); 283 fatal("unsupported mac %s", name);
284 /* truncate the key */ 284 /* truncate the key */
285 if (datafellows & SSH_BUG_HMAC) 285 if (datafellows & SSH_BUG_HMAC)
diff --git a/kex.h b/kex.h
index b1b20f500..ecf43130f 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */ 1/* $OpenBSD: kex.h,v 1.45 2007/06/05 06:52:37 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -28,6 +28,7 @@
28 28
29#include <signal.h> 29#include <signal.h>
30#include <openssl/evp.h> 30#include <openssl/evp.h>
31#include <openssl/hmac.h>
31 32
32#define KEX_DH1 "diffie-hellman-group1-sha1" 33#define KEX_DH1 "diffie-hellman-group1-sha1"
33#define KEX_DH14 "diffie-hellman-group14-sha1" 34#define KEX_DH14 "diffie-hellman-group14-sha1"
@@ -90,6 +91,7 @@ struct Mac {
90 u_int mac_len; 91 u_int mac_len;
91 u_char *key; 92 u_char *key;
92 u_int key_len; 93 u_int key_len;
94 HMAC_CTX ctx;
93}; 95};
94struct Comp { 96struct Comp {
95 int type; 97 int type;
diff --git a/mac.c b/mac.c
index e5d5bfa88..6a5fd4766 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mac.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */ 1/* $OpenBSD: mac.c,v 1.13 2007/06/05 06:52:37 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -57,7 +57,7 @@ struct {
57}; 57};
58 58
59int 59int
60mac_init(Mac *mac, char *name) 60mac_setup(Mac *mac, char *name)
61{ 61{
62 int i, evp_len; 62 int i, evp_len;
63 63
@@ -71,34 +71,44 @@ mac_init(Mac *mac, char *name)
71 if (macs[i].truncatebits != 0) 71 if (macs[i].truncatebits != 0)
72 mac->mac_len = macs[i].truncatebits/8; 72 mac->mac_len = macs[i].truncatebits/8;
73 } 73 }
74 debug2("mac_init: found %s", name); 74 debug2("mac_setup: found %s", name);
75 return (0); 75 return (0);
76 } 76 }
77 } 77 }
78 debug2("mac_init: unknown %s", name); 78 debug2("mac_setup: unknown %s", name);
79 return (-1); 79 return (-1);
80} 80}
81 81
82void
83mac_init(Mac *mac)
84{
85 if (mac->key == NULL)
86 fatal("mac_init: no key");
87 HMAC_Init(&mac->ctx, mac->key, mac->key_len, mac->md);
88}
89
82u_char * 90u_char *
83mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) 91mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
84{ 92{
85 HMAC_CTX c;
86 static u_char m[EVP_MAX_MD_SIZE]; 93 static u_char m[EVP_MAX_MD_SIZE];
87 u_char b[4]; 94 u_char b[4];
88 95
89 if (mac->key == NULL)
90 fatal("mac_compute: no key");
91 if (mac->mac_len > sizeof(m)) 96 if (mac->mac_len > sizeof(m))
92 fatal("mac_compute: mac too long"); 97 fatal("mac_compute: mac too long");
93 HMAC_Init(&c, mac->key, mac->key_len, mac->md);
94 put_u32(b, seqno); 98 put_u32(b, seqno);
95 HMAC_Update(&c, b, sizeof(b)); 99 HMAC_Init(&mac->ctx, NULL, 0, NULL); /* reset HMAC context */
96 HMAC_Update(&c, data, datalen); 100 HMAC_Update(&mac->ctx, b, sizeof(b));
97 HMAC_Final(&c, m, NULL); 101 HMAC_Update(&mac->ctx, data, datalen);
98 HMAC_cleanup(&c); 102 HMAC_Final(&mac->ctx, m, NULL);
99 return (m); 103 return (m);
100} 104}
101 105
106void
107mac_clear(Mac *mac)
108{
109 HMAC_cleanup(&mac->ctx);
110}
111
102/* XXX copied from ciphers_valid */ 112/* XXX copied from ciphers_valid */
103#define MAC_SEP "," 113#define MAC_SEP ","
104int 114int
@@ -111,7 +121,7 @@ mac_valid(const char *names)
111 maclist = cp = xstrdup(names); 121 maclist = cp = xstrdup(names);
112 for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0'; 122 for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0';
113 (p = strsep(&cp, MAC_SEP))) { 123 (p = strsep(&cp, MAC_SEP))) {
114 if (mac_init(NULL, p) < 0) { 124 if (mac_setup(NULL, p) < 0) {
115 debug("bad mac %s [%s]", p, names); 125 debug("bad mac %s [%s]", p, names);
116 xfree(maclist); 126 xfree(maclist);
117 return (0); 127 return (0);
diff --git a/mac.h b/mac.h
index 960cc5c50..2010c9d36 100644
--- a/mac.h
+++ b/mac.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: mac.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */ 1/* $OpenBSD: mac.h,v 1.5 2007/06/05 06:52:37 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -24,5 +24,7 @@
24 */ 24 */
25 25
26int mac_valid(const char *); 26int mac_valid(const char *);
27int mac_init(Mac *, char *); 27int mac_setup(Mac *, char *);
28void mac_init(Mac *);
28u_char *mac_compute(Mac *, u_int32_t, u_char *, int); 29u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
30void mac_clear(Mac *);
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 27cc1c5f1..61f7c6889 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */ 1/* $OpenBSD: monitor_wrap.c,v 1.56 2007/06/05 06:52:37 djm Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -476,7 +476,7 @@ mm_newkeys_from_blob(u_char *blob, int blen)
476 476
477 /* Mac structure */ 477 /* Mac structure */
478 mac->name = buffer_get_string(&b, NULL); 478 mac->name = buffer_get_string(&b, NULL);
479 if (mac->name == NULL || mac_init(mac, mac->name) == -1) 479 if (mac->name == NULL || mac_setup(mac, mac->name) == -1)
480 fatal("%s: can not init mac %s", __func__, mac->name); 480 fatal("%s: can not init mac %s", __func__, mac->name);
481 mac->enabled = buffer_get_int(&b); 481 mac->enabled = buffer_get_int(&b);
482 mac->key = buffer_get_string(&b, &len); 482 mac->key = buffer_get_string(&b, &len);
diff --git a/packet.c b/packet.c
index a2e9f5987..274898018 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: packet.c,v 1.146 2007/05/31 23:34:29 djm Exp $ */ 1/* $OpenBSD: packet.c,v 1.147 2007/06/05 06:52:37 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -629,7 +629,8 @@ set_newkeys(int mode)
629 enc = &newkeys[mode]->enc; 629 enc = &newkeys[mode]->enc;
630 mac = &newkeys[mode]->mac; 630 mac = &newkeys[mode]->mac;
631 comp = &newkeys[mode]->comp; 631 comp = &newkeys[mode]->comp;
632 memset(mac->key, 0, mac->key_len); 632 if (mac->md != NULL)
633 mac_clear(mac);
633 xfree(enc->name); 634 xfree(enc->name);
634 xfree(enc->iv); 635 xfree(enc->iv);
635 xfree(enc->key); 636 xfree(enc->key);
@@ -644,14 +645,17 @@ set_newkeys(int mode)
644 enc = &newkeys[mode]->enc; 645 enc = &newkeys[mode]->enc;
645 mac = &newkeys[mode]->mac; 646 mac = &newkeys[mode]->mac;
646 comp = &newkeys[mode]->comp; 647 comp = &newkeys[mode]->comp;
647 if (mac->md != NULL) 648 if (mac->md != NULL) {
649 mac_init(mac);
648 mac->enabled = 1; 650 mac->enabled = 1;
651 }
649 DBG(debug("cipher_init_context: %d", mode)); 652 DBG(debug("cipher_init_context: %d", mode));
650 cipher_init(cc, enc->cipher, enc->key, enc->key_len, 653 cipher_init(cc, enc->cipher, enc->key, enc->key_len,
651 enc->iv, enc->block_size, crypt_type); 654 enc->iv, enc->block_size, crypt_type);
652 /* Deleting the keys does not gain extra security */ 655 /* Deleting the keys does not gain extra security */
653 /* memset(enc->iv, 0, enc->block_size); 656 /* memset(enc->iv, 0, enc->block_size);
654 memset(enc->key, 0, enc->key_len); */ 657 memset(enc->key, 0, enc->key_len);
658 memset(mac->key, 0, mac->key_len); */
655 if ((comp->type == COMP_ZLIB || 659 if ((comp->type == COMP_ZLIB ||
656 (comp->type == COMP_DELAYED && after_authentication)) && 660 (comp->type == COMP_DELAYED && after_authentication)) &&
657 comp->enabled == 0) { 661 comp->enabled == 0) {
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-28 19:58:00 +0000