EVP_MAC_init() in 3.0 alpha 13

Tomas Mraz tomas at openssl.org
Mon Apr 12 13:05:37 UTC 2021 

On Mon, 2021-04-12 at 05:48 -0700, Hal Murray wrote:
> > Did you attempt to pass NULL for the key and zero for it's length
> > to the
> > EVP_MAC_init() call? 
> 
> Yes.
> 
> We can do better.  If we have to use dup/free, we can move the
> EVP_MAC_init() 
> to before the dup, out of the timing path.
> 
> My model is that initialization is 2 parts.  The first is turning the
> key into 
> a big table.  The second is initializing a small amount of state that
> is 
> whatever is needed/updated by EVP_MAC_update().
> 
> I was hoping that EVP_MAC_init() with NULL key would bypass the first
> step and 
> do the second.

We would have to introduce the special semantics similar to
EVP_CipherInit() with EVP_MAC_init(). I.e., that the EVP_CipherInit()
with NULL key keeps the key schedule from the previous initialization.

> If the second step involves a lot of computation we get into the
> space/time 
> tradeoff of computing it during step one and saving it in case
> EVP_MAC_init is 
> called with NULL key.
> 
> If there was a copy operation we could use it instead of dup/free.

I do not think we want to introduce the copy operation. We are trying
to get out of the copy() pattern as it is much harder to handle
correctly than the dup().

> Where is the code that does the key setup?  I expect it will be
> obvious after 
> I see it, but I don't know my way around that linkage yet.  I'm using
> the 
> default AES-128-CBC.
> 
> ---------
> 
> I don't think I've said it explicitly, but thanks for the change to
> the API 
> for EVP_MAC_init()
> 
> ----------
> 
> Should PKEY be a potentially interesting approach for something like
> this?  I 
> think it was suggested months ago.  One advantage is that the code
> works with 
> 1.1.1.
> 
> It's horribly slow in 3.0
> 
> alpha14:
> 0.777 CMAC
> 7.533 PKEY
> 3.323 PKEY preload
> 0.392 EVP_MAC
> 0.308 EVP_MAC Preload with dup+free
> 0.102 EVP_MAC Preload (no dup, wrong answer)
> 
> 1.1.1k:
> 0.285 CMAC
> 0.550 PKEY
> 0.196 PKEY preload
> 
> 
> 
-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]

More information about the openssl-users mailing list