EVP_MAC_init() in 3.0 alpha 13
tomas at openssl.org
Mon Apr 12 13:05:37 UTC 2021
On Mon, 2021-04-12 at 05:48 -0700, Hal Murray wrote:
> > Did you attempt to pass NULL for the key and zero for it's length
> > to the
> > EVP_MAC_init() call?
> We can do better. If we have to use dup/free, we can move the
> to before the dup, out of the timing path.
> My model is that initialization is 2 parts. The first is turning the
> key into
> a big table. The second is initializing a small amount of state that
> whatever is needed/updated by EVP_MAC_update().
> I was hoping that EVP_MAC_init() with NULL key would bypass the first
> step and
> do the second.
We would have to introduce the special semantics similar to
EVP_CipherInit() with EVP_MAC_init(). I.e., that the EVP_CipherInit()
with NULL key keeps the key schedule from the previous initialization.
> If the second step involves a lot of computation we get into the
> tradeoff of computing it during step one and saving it in case
> EVP_MAC_init is
> called with NULL key.
> If there was a copy operation we could use it instead of dup/free.
I do not think we want to introduce the copy operation. We are trying
to get out of the copy() pattern as it is much harder to handle
correctly than the dup().
> Where is the code that does the key setup? I expect it will be
> obvious after
> I see it, but I don't know my way around that linkage yet. I'm using
> default AES-128-CBC.
> I don't think I've said it explicitly, but thanks for the change to
> the API
> for EVP_MAC_init()
> Should PKEY be a potentially interesting approach for something like
> this? I
> think it was suggested months ago. One advantage is that the code
> works with
> It's horribly slow in 3.0
> 0.777 CMAC
> 7.533 PKEY
> 3.323 PKEY preload
> 0.392 EVP_MAC
> 0.308 EVP_MAC Preload with dup+free
> 0.102 EVP_MAC Preload (no dup, wrong answer)
> 0.285 CMAC
> 0.550 PKEY
> 0.196 PKEY preload
No matter how far down the wrong road you've gone, turn back.
[You'll know whether the road is wrong if you carefully listen to your
More information about the openssl-users