| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The issuer cache holds a pair of SHA-512 of parent and child cert plus
the result of the signature verification. Since CRLs also have a cached
hash of their DER, we can easily add them to the same cache. This way we
also avoid the cost of repeated signature verification for CRLs.
For ordinary workloads the cache is larger than necessary and it won't
currently take up more space than ~8M anyway, so the cost of doing this
is negligible.
For applications like rpki-client where the same (CA, CRL) pair is used
to verify multiple EE certs, the gain is significant. In fact, the current
worst case is a single pair being used for > 50k EE certs, responsible for
about 20-25% of the total runtime of an ordinary rpki-client run if a
hw-accelerated version of SHA-2 is available and even more if it isn't.
In both cases the cost of processing of this pair is reduced by more than
an order of magnitude.
The implementation is a translation of x509_verify_parent_signature() to
the case of CRLs and is entirely trivial thanks to the cache's design.
Found while investigating a performance bottleneck found by job
tested by job
ok beck
|
| |
|
|
| |
Fix includes while there
|
| |
|
|
|
|
|
| |
The parent certificate outlives the signature check, so we don't have
to take a refcount of its pubkey and then release it again.
ok beck
|
| |
|
|
|
|
|
|
| |
If a signature mismatch is cached, the same error should be passed to the
verify callback as if the mismatch was detected by doing the calculation,
rather than falling back to the "unable to find the issuer cert locally".
ok beck
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
This is simpler, doesn't need an auxiliary function of dubious value,
avouds an auxiliary variable and gets rid of a bunch of comments that
are hard to make sense of.
This doesn't bother to invalidate recp->shift since on error you should
not be reusing the RECP_CTX without reinitializing it.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
The fast path where no division is performed can be dealt with without
BN_CTX, so do that up front so there's no need to clean up before return.
Error check BN_CTX_get() on each use asd simplify the logic for optional
input parameters. KNF for an ugly comment.
ok jsing
|
| |
|
|
|
|
| |
CID 532326
ok djm jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The RC4_INDEX define switches between base pointer indexing and per-byte
pointer increment. This supposedly made a huge difference to performance
on x86 at some point, however compilers have improved somewhat since then.
There is no change (or effectively no change) in generated assembly on
a the majority of LLVM platforms and even when there is some change
(e.g. aarch64), there is no noticable performance difference.
Simplify the (still messy) macros/code and mop up RC4_INDEX.
ok tb@
|
| |
|
|
|
| |
This was needed to avoid truncation on BIO_write(). With the switch to
BIO_printf() in the previous commit this is no longer needed.
|
| |
|
|
|
|
| |
This handles the empty string, which ruby-openssl checks.
Pointed out by anton
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is legacy API that we can unexport since nothing uses it directly.
Unfortunately we need to keep the functions because there are plenty of
things that use it indirectly by passing XN_FLAG_COMPAT to X509_print_ex().
The old implementation parsed the X509_NAME_oneline() output in order to
remove the / preceding the (one or two-uppercase letters) name and to
insert ", " afterward. This is just stupid in so many ways, not least
because there's basically no limit to the garbage that you can stuff into
an X.500 name.
So rework this and only include the name entries whose short names are
one or two letters long. This way, this becomes slightly saner and less
fragile.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This splits the horrid spaghetti into a few relatively straightforward
helpers which do one thing at a time. There are still some spectacular
dances around ASN1_GENERALSTRING, but let's blame that one on X.500.
In brief, X509_NAME_ENTRY_oneline() iterates over the name entries, and
writes out a line /name1=value1,/name2=value2,... which you may have seen
variations of in issuer or subject output.
The name is the short name or the long name or the textual representation
of the OID (truncated to 79 characters) and the value is a string where
printable ASCII characters are represented as themselves and otherwise as
hexadecimal digits preceded by \x. Except for GENERALSTRING, where the four
octet representation is shortened to single-octet representation if none of
the top three octets in the entire string is populated.
It's the mother of all pretty things. But, hey, you could do worse and try
to parse this garbage...
ok jsing
|
| | |
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
EC_GROUP_method_of() and EC_METHOD_get_field_type() only ever used chained
together as a convoluted means to retrieve the field type of a group. This
is no longer useful since the answer will always be NID_X9_62_prime_field.
EC_POINT_method_of(), EC_GROUP{,_have}_precompute_mult(): exposed by one of
those expose-everything perl XS modules.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
This hasn't done anything in a long time. Only dovecot uses an unchecked
call to this. With this we can remove EC_GROUP_precompute_mult().
ok jsing
|
| |
|
|
|
|
|
|
| |
At this point the NID is always NID_X9_62_prime_field, so we can use
SN_X9_62_prime_field directly rather than getting the field type from
the method and then converting the nid to an sn with OBJ_nid2sn().
ok jsing
|
| |
|
|
|
|
|
| |
The field_type is always NID_X9_62_prime_field, no need to encode and
retrieve this from the group method.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This appears to be about 5% faster than the current perlasm version on a
modern Intel CPU.
While here rename md5_block_asm_data_order to md5_block_data_order, for
consistency with other hashes.
ok tb@
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Instead of doing a weird dance, set the sign on N in BN_RECP_CTX_create().
Since we're not exposing a general purpose calculator API, we can simplify.
ok jsing
|
| | |
|
| |
|
|
| |
Requested by jsing
|
| |
|
|
|
|
|
|
| |
There's no need for BN_mod_mul_reciprocal() to have this complication.
The caller knows when x == y, so place the burden on the caller. This
simplifies both the caller side and the implementation in bn_recp.c.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
There's no need for a separate mul_generator_ct() function pointer - we
really only need mul_single_ct() and mul_double_nonct(). And rather than
calling ec_mul_ct() and having it figure out which point to use, explicitly
pass the generator point when calling mul_single_ct().
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
This macro references variable names that are in the consuming function and
are not actually passed to the macro. Expanding it makes the logic clearer.
If we wanted to reduce code the middle six group of rounds could be
implemented using a for loop (which the compiler can then choose to
unroll).
ok tb@
|
| |
|
|
|
|
|
|
| |
load_u32_be() and store_u32_be() are not symmetrical, with load_u32_be()
having a rather unexpected indexing interface. Fix up the callers to
perform their own indexing and use crypto_{load,store}_be32toh() instead.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
No caller ever passes y == NULL, so remove the corresponding contortions
and unindent the relevant bits.
ok jsing
|
| |
|
|
| |
ok tb@
|
