diff options
author | Nick Mathewson <nickm@torproject.org> | 2012-12-25 17:39:09 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2012-12-25 20:14:07 -0500 |
commit | c8b3bdb78215d4d7821d9bfa15bb8f7786403ce9 (patch) | |
tree | 016d0f9deecb80b3ed63cdfb4ad97a17e60bb9ff /src/common | |
parent | 2f8fd53750737e4402adc0b896f00f789fb38181 (diff) | |
download | tor-c8b3bdb78215d4d7821d9bfa15bb8f7786403ce9.tar.gz tor-c8b3bdb78215d4d7821d9bfa15bb8f7786403ce9.zip |
Inform the user if they're passing up a 10x ECDH speedup.
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/tortls.c | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index bba89268e1..47b8f2815a 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -526,6 +526,38 @@ tor_tls_init(void) SSLeay_version(SSLEAY_VERSION), version); } +#if (SIZEOF_VOID_P >= 8 && \ + !defined(OPENSSL_NO_EC) && \ + OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1)) + if (version >= OPENSSL_V_SERIES(1,0,1)) { + /* Warn if we could *almost* be running with much faster ECDH. + If we're built for a 64-bit target, using OpenSSL 1.0.1, but we + don't have one of the built-in __uint128-based speedups, we are + just one build operation away from an accelerated handshake. + + (We could be looking at OPENSSL_NO_EC_NISTP_64_GCC_128 instead of + doing this test, but that gives compile-time options, not runtime + behavior.) + */ + EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + const EC_GROUP *g = key ? EC_KEY_get0_group(key) : NULL; + const EC_METHOD *m = g ? EC_GROUP_method_of(g) : NULL; + const int warn = (m == EC_GFp_simple_method() || + m == EC_GFp_mont_method() || + m == EC_GFp_nist_method()); + EC_KEY_free(key); + + if (warn) + log_notice(LD_GENERAL, "We were built to run on a 64-bit CPU, with " + "OpenSSL 1.0.1 or later, but with a version of OpenSSL " + "that apparently lacks accelerated support for the NIST " + "P-224 and P-256 groups. Building openssl with such " + "support (using the enable-ec_nistp_64_gcc_128 option " + "when configuring it) would make ECDH about 5-10x " + "faster."); + } +#endif + tor_tls_allocate_tor_tls_object_ex_data_index(); tls_library_is_initialized = 1; |