Optimizing use of SSL?

Md Sohail Ahmad sohail_alig at yahoo.com
Thu Feb 3 02:23:12 EST 2011


Ben,

4096 is fixed in the standard to map "Passphrase" to PSK using PBKDF2 method. Modifying this would break the interoperability. 

Regards
Sohail

--- On Thu, 3/2/11, Ben Greear <greearb at candelatech.com> wrote:

From: Ben Greear <greearb at candelatech.com>
Subject: Re: Optimizing use of SSL?
To: hostap at lists.shmoo.com
Date: Thursday, 3 February, 2011, 5:35 AM

On 02/02/2011 03:38 PM, Ben Greear wrote:
> I've been looking at ways to optimize wpa_supplicant for when we are using
> lots and lots of vifs (say, 128).  These are configured to use WPA,
> and the NIC (ath9k) is set to software-encryption in order to work with multiple
> vifs.
>
> I ran it under callgrind (valgrind --tool=callgrind) with only
> 16 vifs, and libcrypto seems to be using most of the CPU.
>
> I'm wondering if anyone has any ideas for ways to optimize
> supplicant to work better in this case.  I was thinking it
> should only be passing relatively few pkts around, so I'm
> not too sure why it's such a CPU hog.

Hrm, seems that a lot of the cost is calculating
the digest:

   Frame: Backtrace for Thread 1
    [ 0]  EVP_DigestInit_ex (209361 x)
    [ 1]  openssl_digest_vector (209361 x)
    [ 2]  sha1_vector (104681 x)
    [ 3]  hmac_sha1_vector (104655 x)
    [ 4]  hmac_sha1 (104629 x)
    [ 5]  pbkdf2_sha1 (13 x)
    [ 6]  wpa_config_update_psk (13 x)
    [ 7]  wpa_config_read (13 x)
    [ 8]  wpa_supplicant_add_iface (13 x)
    [ 9]  main (1 x)
    [10]  (below main) (1 x)
    [11]  0x0804c220 (1 x)
    [12]  0x4d80d870

Specifically, this method has a pretty mean loop:

pbkdf2_sha1_f()

It loops for all iterations, which is passed in as 4096
by this method below:

/**
  * wpa_config_update_psk - Update WPA PSK based on passphrase and SSID
  * @ssid: Pointer to network configuration data
  *
  * This function must be called to update WPA PSK when either SSID or the
  * passphrase has changed for the network configuration.
  */
void wpa_config_update_psk(struct wpa_ssid *ssid)
{
#ifndef CONFIG_NO_PBKDF2
    pbkdf2_sha1(ssid->passphrase,
            (char *) ssid->ssid, ssid->ssid_len, 4096,
            ssid->psk, PMK_LEN);
    wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)",
            ssid->psk, PMK_LEN);
    ssid->psk_set = 1;
#endif /* CONFIG_NO_PBKDF2 */
}


Is it required to do that 4096 times, or is it just higher
grade encryption that way?  If something lesser would be
adequate, maybe I can make it a configurable value?



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20110203/fdc05281/attachment.htm 


More information about the HostAP mailing list