<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Ben,<br><br>4096 is fixed in the standard to map "Passphrase" to PSK using PBKDF2 method. Modifying this would break the interoperability. <br><br>Regards<br>Sohail<br><br>--- On <b>Thu, 3/2/11, Ben Greear <i><greearb@candelatech.com></i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Ben Greear <greearb@candelatech.com><br>Subject: Re: Optimizing use of SSL?<br>To: hostap@lists.shmoo.com<br>Date: Thursday, 3 February, 2011, 5:35 AM<br><br><div class="plainMail">On 02/02/2011 03:38 PM, Ben Greear wrote:<br>> I've been looking at ways to optimize wpa_supplicant for when we are using<br>> lots and lots of vifs (say, 128). These are configured to use WPA,<br>> and the NIC (ath9k) is set to software-encryption in order to work with multiple<br>>
vifs.<br>><br>> I ran it under callgrind (valgrind --tool=callgrind) with only<br>> 16 vifs, and libcrypto seems to be using most of the CPU.<br>><br>> I'm wondering if anyone has any ideas for ways to optimize<br>> supplicant to work better in this case. I was thinking it<br>> should only be passing relatively few pkts around, so I'm<br>> not too sure why it's such a CPU hog.<br><br>Hrm, seems that a lot of the cost is calculating<br>the digest:<br><br> Frame: Backtrace for Thread 1<br> [ 0] EVP_DigestInit_ex (209361 x)<br> [ 1] openssl_digest_vector (209361 x)<br> [ 2] sha1_vector (104681 x)<br> [ 3] hmac_sha1_vector (104655 x)<br> [ 4] hmac_sha1 (104629 x)<br> [ 5] pbkdf2_sha1 (13 x)<br> [ 6] wpa_config_update_psk (13 x)<br> [ 7] wpa_config_read (13
x)<br> [ 8] wpa_supplicant_add_iface (13 x)<br> [ 9] main (1 x)<br> [10] (below main) (1 x)<br> [11] 0x0804c220 (1 x)<br> [12] 0x4d80d870<br><br>Specifically, this method has a pretty mean loop:<br><br>pbkdf2_sha1_f()<br><br>It loops for all iterations, which is passed in as 4096<br>by this method below:<br><br>/**<br> * wpa_config_update_psk - Update WPA PSK based on passphrase and SSID<br> * @ssid: Pointer to network configuration data<br> *<br> * This function must be called to update WPA PSK when either SSID or the<br> * passphrase has changed for the network configuration.<br> */<br>void wpa_config_update_psk(struct wpa_ssid *ssid)<br>{<br>#ifndef CONFIG_NO_PBKDF2<br> pbkdf2_sha1(ssid->passphrase,<br> (char *) ssid->ssid, ssid->ssid_len,
4096,<br> ssid->psk, PMK_LEN);<br> wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)",<br> ssid->psk, PMK_LEN);<br> ssid->psk_set = 1;<br>#endif /* CONFIG_NO_PBKDF2 */<br>}<br><br><br>Is it required to do that 4096 times, or is it just higher<br>grade encryption that way? If something lesser would be<br>adequate, maybe I can make it a configurable value?<br><br></div></blockquote></td></tr></table><br>