从OpenSSL-1.0.1r删除OPENSSL_cleanse [英] Removing OPENSSL_cleanse from OpenSSL-1.0.1r
问题描述
我发现OPENSSL_cleanse
在我的项目中浪费了很多时间.例如,如果它运行25秒,则return;
放在此函数中任何操作开始之前.
I found out that OPENSSL_cleanse
wastes a lot of time in my project. For example, if it runs for 25 seconds, 3 seconds are wasted by OPENSSL_cleanse
. I checked the code of this function and decided that it isn't doing anything very useful for me. I know it fills memory with garbage data for security reasons but I don't really care about it. So I decided to place return;
just before the start of any operations in this function.
void OPENSSL_cleanse(void *ptr, size_t len)
{
return;
// original OpenSSL code goes here
}
我正在使用Mac OS和Xcode.我已经编译了该库,并通过Configure
脚本的--openssldir
选项将其安装在/Users/ForceBru/Desktop/openssl
中.我已将其添加到Build Settings->Link Binary With Libraries
中的项目中,并在Build Settings->Search Paths->Header Search Paths
和Build Settings->Search Paths->Library Search Paths
中添加了包含目录.
I'm using Mac OS and Xcode. I've compiled the lib and installed it in /Users/ForceBru/Desktop/openssl
via the --openssldir
option of the Configure
script. I've added it to my project in Build Settings->Link Binary With Libraries
and added include dirs in Build Settings->Search Paths->Header Search Paths
and Build Settings->Search Paths->Library Search Paths
.
项目编译正常,但是时间分析器仍然显示对OPENSSL_cleanse
的调用.
The project compiled fine, but the time profiler still shows pretty expensive calls to OPENSSL_cleanse
.
编辑:C
标记是因为OpenSSL是用C编写的,而C++
标记是因为我的代码是使用C ++的.也许这些信息会有所帮助.
the C
tag is because OpenSSL is written in C, and the C++
tag is because my code is in C++. Maybe this information will be helpful.
问题是,我在做什么错?如何删除对OPENSSL_cleanse
的呼叫?我认为这与链接有关,因为命令行包含-lcrypto
,这意味着该库实际上可以从任何地方获取(对吗?),而不必从/Users/ForceBru/Desktop/openssl
获取.
The question is, what am I doing wrong? How do I remove the calls to OPENSSL_cleanse
? I think this has to do with linking, because the command line includes -lcrypto
, which means this library can actually be taken from anywhere (right?), not necessarily from /Users/ForceBru/Desktop/openssl
.
编辑#2::我已经编辑了链接器选项,以使用/Users/ForceBru/Desktop/openssl
中的.a
文件并将其从Build Settings->Link Binary With Libraries
中删除.仍然没有效果.
Edit #2: I've edited the linker options to use the .a
file in /Users/ForceBru/Desktop/openssl
and removed it from Build Settings->Link Binary With Libraries
. Still no effect.
推荐答案
这并不是您一直在寻找的答案,但它可能会帮助您...
This isn't quite the answer that you were looking for, but it may help you along...
从OpenSSL-1.0.1r中删除OPENSSL_cleanse ...
我检查了该函数的代码,并确定它对我没有任何帮助...
Removing OPENSSL_cleanse from OpenSSL-1.0.1r...
I checked the code of this function and decided that it isn't doing anything very useful for me...
这可能不是一个好主意,但是我们需要更多地了解您的威胁模型.归零可让您确定性地从内存中删除敏感材料.
That's probably a bad idea, but we would need to know more about your threat model. Zeroization allows you to deterministically remove sensitive material from memory.
它也是认证与鉴定(C& A)"项目.例如,即使在级别1上, FIPS 140-2 也需要归零.
Its also a Certification and Accreditation (C&A) item. For example, FIPS 140-2 requires zeroization even at Level 1.
此外,您无法删除OPENSSL_cleanse
本身,因为OPENSSL_clear_realloc
,OPENSSL_clear_free
和朋友称之为.另请参见 OPENSSL_cleanse
手册页.
Also, you can't remove OPENSSL_cleanse
per se because OPENSSL_clear_realloc
, OPENSSL_clear_free
and friends call it. Also see the OPENSSL_cleanse
man page.
例如,如果运行25秒,则OPENSSL_cleanse浪费了3秒
For example, if it runs for 25 seconds, 3 seconds are wasted by OPENSSL_cleanse
好的,所以这是一个不同的问题. OPENSSL_cleanse 有点令人费解,并且确实浪费了一些周期,以使优化过程不受影响.
OK, so this is a different problem. OPENSSL_cleanse is kind of convoluted, and it does waste some cycles in an effort to survive the optimization pass.
如果您检查 140 /a>,那么您将看到它已在OpenSSL 1.1.0中更改为以下内容.也许您可以改用它?
If you check Commit 380f18ed5f140e0a, then you will see it has been changed in OpenSSL 1.1.0 to the following. Maybe you could use it instead?
diff --git a/crypto/mem_clr.c b/crypto/mem_clr.c
index e6450a1..3389919 100644 (file)
--- a/crypto/mem_clr.c
+++ b/crypto/mem_clr.c
@@ -59,23 +59,16 @@
#include <string.h>
#include <openssl/crypto.h>
-extern unsigned char cleanse_ctr;
-unsigned char cleanse_ctr = 0;
+/*
+ * Pointer to memset is volatile so that compiler must de-reference
+ * the pointer and can't assume that it points to any function in
+ * particular (such as memset, which it then might further "optimize")
+ */
+typedef void *(*memset_t)(void *,int,size_t);
+
+static volatile memset_t memset_func = memset;
void OPENSSL_cleanse(void *ptr, size_t len)
{
- unsigned char *p = ptr;
- size_t loop = len, ctr = cleanse_ctr;
-
- if (ptr == NULL)
- return;
-
- while (loop--) {
- *(p++) = (unsigned char)ctr;
- ctr += (17 + ((size_t)p & 0xF));
- }
- p = memchr(ptr, (unsigned char)ctr, len);
- if (p)
- ctr += (63 + (size_t)p);
- cleanse_ctr = (unsigned char)ctr;
+ memset_func(ptr, 0, len);
}
另请参见问题455:在OpenSSL的GitHub上重新实现非asm OPENSSL_cleanse()
如何删除对OPENSSL_cleanse的调用?
How do I remove the calls to OPENSSL_cleanse?
好的,所以这是一个不同的问题.您必须找到所有呼叫者,并对每个呼叫者进行操作.看来您需要修改大约185个位置:
OK, so this is a different problem. You have to locate all callers and do something with each. It looks like there's about 185 places you will need to modify things:
$ cd openssl
$ grep -IR _cleanse * | wc -l
185
代替此:
Instead of this:
void OPENSSL_cleanse(void *ptr, size_t len)
{
return;
// original OpenSSL code goes here
}
也许您可以删除该功能,然后:
Maybe you can delete the function, and then:
#define OPENSSL_cleanse(x, y)
然后,函数调用将成为一个宏,在优化过程中该宏将消失.从函数更改为宏后,请务必执行make clean
.
Then the function calls becomes a macro that simply disappears during optimization. Be sure to perform a make clean
after changing from a function to a macro.
但是我不建议这样做.
项目编译正常,但时间分析器仍显示对OPENSSL_cleanse的调用非常昂贵.
The project compiled fine, but the time profiler still shows pretty expensive calls to OPENSSL_cleanse.
我的猜测是(1)在更改OpenSSL库后没有执行make clean
,或者(2)编译并链接到错误版本的OpenSSL库.但是我可能都错了.
My guess here is either (1) you did not perform a make clean
after the changes to the OpenSSL library, or (2) you compiled and linked to the wrong version of the OpenSSL library. But I could be wrong on both.
您可以使用otool -L
查看可执行文件的运行时依赖项.确保它是预期的.另外请记住,OpenSSL不使用-install_name
.
You can see what your executable's runtime dependencies are with otool -L
. Make sure its the expected one. Also keep in mind OpenSSL does not use -install_name
.
在运行可执行文件之前,可以设置 dyld(1)手册页.
Before you run your executable, you can set DYLD_LIBRARY_PATH to ensure the dylib you are modifying is loaded. Also see the dyld(1) man pages.
这篇关于从OpenSSL-1.0.1r删除OPENSSL_cleanse的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!