OpenSSL performance comparison: FIPS build vs. non-FIPS build
The OpenSSL shipped with RedHat/CentOS carries the FIPS patches and appears to be slow. I compared the builds in a CentOS environment.
Pronunciation
- OpenSSL
- open ess-ess-ell
Overview
I needed an OpenSSL without FIPS, so I built it myself. The versions being compared are not the same, but I compared the following:
- Self-built 1.0.1p
- Self-built 1.0.1p fips
- OpenSSL 1.0.1e-fips 11 Feb 2013
Conclusion
The self-built 1.0.1p was slightly faster than 1.0.1e-fips.
sha256 throughput reported by openssl speed, in 1000s of bytes per second processed:
Block size | 1.0.1p | 1.0.1p fips | 1.0.1e-fips |
---|---|---|---|
16 bytes | 23636.25k | 20092.77k | 19477.13k |
64 bytes | 51426.23k | 46316.72k | 58752.54k |
256 bytes | 99728.59k | 86949.59k | 86939.11k |
1024 bytes | 118058.43k | 79991.68k | 102855.30k |
8192 bytes | 120578.76k | 159210.33k | 100640.73k |
Test environment
- VMware Player
- CentOS 7
Build procedure
FIPS disabled
tar zxfp openssl-1.0.1p.tar.gz
cd openssl-1.0.1p
sudo yum install zlib-devel
sh config zlib
make
FIPS enabled
Build the FIPS library first.
wget https://www.openssl.org/source/openssl-fips-2.0.10.tar.gz
tar zxfp openssl-fips-2.0.10.tar.gz
cd openssl-fips-2.0.10
sh config zlib
make
sudo make install
Then build OpenSSL itself with the fips option.
tar zxfp openssl-1.0.1p.tar.gz
cd openssl-1.0.1p
sudo yum install zlib-devel
sh config zlib fips
make
Benchmark
Self-built OpenSSL 1.0.1p
$ env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl version
OpenSSL 1.0.1p 9 Jul 2015
$ env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 3648846 sha256's in 2.47s
Doing sha256 for 3s on 64 size blocks: 1960625 sha256's in 2.44s
Doing sha256 for 3s on 256 size blocks: 973912 sha256's in 2.50s
Doing sha256 for 3s on 1024 size blocks: 296299 sha256's in 2.57s
Doing sha256 for 3s on 8192 size blocks: 35473 sha256's in 2.41s
OpenSSL 1.0.1p 9 Jul 2015
built on: Sat Nov 14 16:13:48 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256          23636.25k    51426.23k    99728.59k   118058.43k   120578.76k
Self-built OpenSSL 1.0.1p fips
$ env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl version
OpenSSL 1.0.1p-fips 9 Jul 2015
$ perf stat env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 2850662 sha256's in 2.27s
Doing sha256 for 3s on 64 size blocks: 1686218 sha256's in 2.33s
Doing sha256 for 3s on 256 size blocks: 804963 sha256's in 2.37s
Doing sha256 for 3s on 1024 size blocks: 189824 sha256's in 2.43s
Doing sha256 for 3s on 8192 size blocks: 46838 sha256's in 2.41s
OpenSSL 1.0.1p-fips 9 Jul 2015
built on: Sat Nov 14 20:03:28 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256          20092.77k    46316.72k    86949.59k    79991.68k   159210.33k
CentOS OpenSSL 1.0.1e-fips
$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
$ openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 2872877 sha256's in 2.36s
Doing sha256 for 3s on 64 size blocks: 2267481 sha256's in 2.47s
Doing sha256 for 3s on 256 size blocks: 862599 sha256's in 2.54s
Doing sha256 for 3s on 1024 size blocks: 243076 sha256's in 2.42s
Doing sha256 for 3s on 8192 size blocks: 29976 sha256's in 2.44s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Mar 23 21:01:31 UTC 2015
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256          19477.13k    58752.54k    86939.11k   102855.30k   100640.73k
perf
1.0.1p
$ perf stat env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 3772148 sha256's in 2.38s
Doing sha256 for 3s on 64 size blocks: 1972414 sha256's in 2.33s
Doing sha256 for 3s on 256 size blocks: 866078 sha256's in 2.37s
Doing sha256 for 3s on 1024 size blocks: 283361 sha256's in 2.57s
Doing sha256 for 3s on 8192 size blocks: 33218 sha256's in 2.42s
OpenSSL 1.0.1p 9 Jul 2015
built on: Sat Nov 14 16:13:48 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256          25358.98k    54177.90k    93551.04k   112903.37k   112447.05k
Performance counter stats for 'env OPENSSL_CONF=/home/kaworu/tmp/openssl/openssl-1.0.1p/apps/openssl.cnf ./apps/openssl speed sha256':
      12098.084736 task-clock (msec)         #    0.803 CPUs utilized
               527 context-switches          #    0.044 K/sec
                 0 cpu-migrations            #    0.000 K/sec
               737 page-faults               #    0.061 K/sec
   <not supported> cycles
                 0 stalled-cycles-frontend   #    0.00% frontend cycles idle
                 0 stalled-cycles-backend    #    0.00% backend cycles idle
   <not supported> instructions
   <not supported> branches
   <not supported> branch-misses
      15.067666256 seconds time elapsed
Self-built OpenSSL 1.0.1p fips
薫 $ perf stat env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 2850662 sha256's in 2.27s
Doing sha256 for 3s on 64 size blocks: 1686218 sha256's in 2.33s
Doing sha256 for 3s on 256 size blocks: 804963 sha256's in 2.37s
Doing sha256 for 3s on 1024 size blocks: 189824 sha256's in 2.43s
Doing sha256 for 3s on 8192 size blocks: 46838 sha256's in 2.41s
OpenSSL 1.0.1p-fips 9 Jul 2015
built on: Sat Nov 14 20:03:28 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256          20092.77k    46316.72k    86949.59k    79991.68k   159210.33k
Performance counter stats for 'env OPENSSL_CONF=/home/kaworu/tmp/openssl/fips/openssl-1.0.1p/apps/openssl.cnf ./apps/openssl speed sha256':
      11829.388424 task-clock (msec)         #    0.787 CPUs utilized
               697 context-switches          #    0.059 K/sec
                 0 cpu-migrations            #    0.000 K/sec
               805 page-faults               #    0.068 K/sec
   <not supported> cycles
                 0 stalled-cycles-frontend   #    0.00% frontend cycles idle
                 0 stalled-cycles-backend    #    0.00% backend cycles idle
   <not supported> instructions
   <not supported> branches
   <not supported> branch-misses
      15.022019046 seconds time elapsed
FIPS
$ perf stat openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 3492088 sha256's in 2.29s
Doing sha256 for 3s on 64 size blocks: 2013046 sha256's in 2.38s
Doing sha256 for 3s on 256 size blocks: 927551 sha256's in 2.44s
Doing sha256 for 3s on 1024 size blocks: 259522 sha256's in 2.47s
Doing sha256 for 3s on 8192 size blocks: 33543 sha256's in 2.42s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Mar 23 21:01:31 UTC 2015
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256          24398.87k    54132.33k    97316.83k   107591.31k   113547.21k
Performance counter stats for 'openssl speed sha256':
      12032.697699 task-clock (msec)         #    0.794 CPUs utilized
               691 context-switches          #    0.057 K/sec
                 0 cpu-migrations            #    0.000 K/sec
               763 page-faults               #    0.063 K/sec
   <not supported> cycles
                 0 stalled-cycles-frontend   #    0.00% frontend cycles idle
                 0 stalled-cycles-backend    #    0.00% backend cycles idle
   <not supported> instructions
   <not supported> branches
   <not supported> branch-misses
      15.148459993 seconds time elapsed
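The following is an added example, not part of the original page. It recomputes the summary row of openssl speed from the "Doing ..." lines and measures how far the page's two runs of the same self-built 1.0.1p binary differ from each other. The names throughput, spread, RUN_A and RUN_B are this example's own.

```python
import re

# "Doing ..." lines copied from the page's two runs of the self-built 1.0.1p:
# RUN_A is the benchmark section, RUN_B the perf stat section.
RUN_A = """\
Doing sha256 for 3s on 16 size blocks: 3648846 sha256's in 2.47s
Doing sha256 for 3s on 64 size blocks: 1960625 sha256's in 2.44s
Doing sha256 for 3s on 256 size blocks: 973912 sha256's in 2.50s
Doing sha256 for 3s on 1024 size blocks: 296299 sha256's in 2.57s
Doing sha256 for 3s on 8192 size blocks: 35473 sha256's in 2.41s
"""
RUN_B = """\
Doing sha256 for 3s on 16 size blocks: 3772148 sha256's in 2.38s
Doing sha256 for 3s on 64 size blocks: 1972414 sha256's in 2.33s
Doing sha256 for 3s on 256 size blocks: 866078 sha256's in 2.37s
Doing sha256 for 3s on 1024 size blocks: 283361 sha256's in 2.57s
Doing sha256 for 3s on 8192 size blocks: 33218 sha256's in 2.42s
"""

# Groups: algorithm, block size, operation count, reported seconds.
LINE = re.compile(
    r"^Doing (\S+) for \d+s on (\d+) size blocks: (\d+) \S+ in ([\d.]+)s$", re.M)

def throughput(speed_output):
    """Map block size -> thousands of bytes per second, as in the summary row."""
    rates = {}
    for m in LINE.finditer(speed_output):
        size, count, secs = int(m.group(2)), int(m.group(3)), float(m.group(4))
        if secs > 0:  # skip a degenerate measurement instead of dividing by zero
            rates[size] = count * size / secs / 1000.0
    return rates

def spread(first, second):
    """Per block size, how much `second` differs from `first`, in percent."""
    a, b = throughput(first), throughput(second)
    return {s: (b[s] - a[s]) / a[s] * 100.0 for s in a if s in b}

if __name__ == "__main__":
    a, b = throughput(RUN_A), throughput(RUN_B)
    for size, pct in spread(RUN_A, RUN_B).items():
        print(f"{size:>5} bytes: {a[size]:10.2f}k -> {b[size]:10.2f}k ({pct:+.1f}%)")
```

The same functions can be fed the output of the other two builds to check whether a difference between builds exceeds the difference between repeated runs of one build.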