Performance comparison of FIPS and non-FIPS OpenSSL builds

From: Security
Revision as of 20:16, 14 November 2015 (Sat) by Daemon


The OpenSSL shipped with RedHat/CentOS carries FIPS patches and appears to be slow. I compared the builds in a CentOS environment.

Pronunciation

OpenSSL
Open S-S-L

Overview

I needed an OpenSSL without FIPS, so I built it myself. The versions being compared are not the same, but I compared the following:

  • Self-built 1.0.1p
  • Self-built 1.0.1p fips
  • OpenSSL 1.0.1e-fips 11 Feb 2013

Conclusion

The self-built 1.0.1p was slightly faster than 1.0.1e-fips.

sha256 throughput, in 1000s of bytes per second:

block size    1.0.1p        1.0.1p fips   1.0.1e-fips
16 bytes      23636.25k     20092.77k     19477.13k
64 bytes      51426.23k     46316.72k     58752.54k
256 bytes     99728.59k     86949.59k     86939.11k
1024 bytes    118058.43k    79991.68k     102855.30k
8192 bytes    120578.76k    159210.33k    100640.73k

Test environment

  • VMware Player
  • CentOS 7

Build procedure

FIPS disabled

tar zxfp openssl-1.0.1p.tar.gz
cd openssl-1.0.1p
sudo yum install zlib-devel
sh config zlib
make

FIPS enabled

First, build the library for FIPS.

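wget https://www.openssl.org/source/openssl-fips-2.0.10.tar.gz
tar zxfp openssl-fips-2.0.10.tar.gz
cd openssl-fips-2.0.10
sh config zlib
make
# Installs the FIPS library under /usr/local/ssl/fips-2.0
sudo make install
# Go back to the directory holding openssl-1.0.1p.tar.gz (assumed to be the parent directory)
cd ..
tar zxfp openssl-1.0.1p.tar.gz
cd openssl-1.0.1p
sudo yum install zlib-devel
# The "fips" option builds OpenSSL against the FIPS library installed above
sh config zlib fips
make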

Benchmark

Self-built OpenSSL 1.0.1p

$ env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl version
OpenSSL 1.0.1p 9 Jul 2015
$ env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 3648846 sha256's in 2.47s
Doing sha256 for 3s on 64 size blocks: 1960625 sha256's in 2.44s
Doing sha256 for 3s on 256 size blocks: 973912 sha256's in 2.50s
Doing sha256 for 3s on 1024 size blocks: 296299 sha256's in 2.57s
Doing sha256 for 3s on 8192 size blocks: 35473 sha256's in 2.41s
OpenSSL 1.0.1p 9 Jul 2015
built on: Sat Nov 14 16:13:48 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
-DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           23636.25k    51426.23k    99728.59k   118058.43k   120578.76k

Self-built OpenSSL 1.0.1p fips

$ env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl version
OpenSSL 1.0.1p-fips 9 Jul 2015
$ perf stat env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 2850662 sha256's in 2.27s
Doing sha256 for 3s on 64 size blocks: 1686218 sha256's in 2.33s
Doing sha256 for 3s on 256 size blocks: 804963 sha256's in 2.37s
Doing sha256 for 3s on 1024 size blocks: 189824 sha256's in 2.43s
Doing sha256 for 3s on 8192 size blocks: 46838 sha256's in 2.41s
OpenSSL 1.0.1p-fips 9 Jul 2015
built on: Sat Nov 14 20:03:28 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM
-DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           20092.77k    46316.72k    86949.59k    79991.68k   159210.33k

CentOS OpenSSL 1.0.1e-fips

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
$ openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 2872877 sha256's in 2.36s
Doing sha256 for 3s on 64 size blocks: 2267481 sha256's in 2.47s
Doing sha256 for 3s on 256 size blocks: 862599 sha256's in 2.54s
Doing sha256 for 3s on 1024 size blocks: 243076 sha256's in 2.42s
Doing sha256 for 3s on 8192 size blocks: 29976 sha256's in 2.44s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Mar 23 21:01:31 UTC 2015
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
-Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
-DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           19477.13k    58752.54k    86939.11k   102855.30k   100640.73k

perf

1.0.1p

$ perf stat env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 3772148 sha256's in 2.38s
Doing sha256 for 3s on 64 size blocks: 1972414 sha256's in 2.33s
Doing sha256 for 3s on 256 size blocks: 866078 sha256's in 2.37s
Doing sha256 for 3s on 1024 size blocks: 283361 sha256's in 2.57s
Doing sha256 for 3s on 8192 size blocks: 33218 sha256's in 2.42s
OpenSSL 1.0.1p 9 Jul 2015
built on: Sat Nov 14 16:13:48 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
-DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           25358.98k    54177.90k    93551.04k   112903.37k   112447.05k
 
 Performance counter stats for 'env
 OPENSSL_CONF=/home/kaworu/tmp/openssl/openssl-1.0.1p/apps/openssl.cnf
 ./apps/openssl speed sha256':
 
      12098.084736      task-clock (msec)         #    0.803 CPUs utilized          
               527      context-switches          #    0.044 K/sec                  
                 0      cpu-migrations            #    0.000 K/sec                  
               737      page-faults               #    0.061 K/sec                  
   <not supported>      cycles                   
                 0      stalled-cycles-frontend   #    0.00% frontend cycles idle   
                 0      stalled-cycles-backend    #    0.00% backend  cycles idle   
   <not supported>      instructions             
   <not supported>      branches                 
   <not supported>      branch-misses            
 
      15.067666256 seconds time elapsed

Self-built OpenSSL 1.0.1p fips

薫 $ perf stat env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 2850662 sha256's in 2.27s
Doing sha256 for 3s on 64 size blocks: 1686218 sha256's in 2.33s
Doing sha256 for 3s on 256 size blocks: 804963 sha256's in 2.37s
Doing sha256 for 3s on 1024 size blocks: 189824 sha256's in 2.43s
Doing sha256 for 3s on 8192 size blocks: 46838 sha256's in 2.41s
OpenSSL 1.0.1p-fips 9 Jul 2015
built on: Sat Nov 14 20:03:28 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM
-DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           20092.77k    46316.72k    86949.59k    79991.68k   159210.33k
 
 Performance counter stats for 'env
 OPENSSL_CONF=/home/kaworu/tmp/openssl/fips/openssl-1.0.1p/apps/openssl.cnf
 ./apps/openssl speed sha256':
 
      11829.388424      task-clock (msec)         #    0.787 CPUs utilized          
               697      context-switches          #    0.059 K/sec                  
                 0      cpu-migrations            #    0.000 K/sec                  
               805      page-faults               #    0.068 K/sec                  
   <not supported>      cycles                   
                 0      stalled-cycles-frontend   #    0.00% frontend cycles idle   
                 0      stalled-cycles-backend    #    0.00% backend  cycles idle   
   <not supported>      instructions             
   <not supported>      branches                 
   <not supported>      branch-misses            
 
      15.022019046 seconds time elapsed

FIPS

$ perf stat  openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 3492088 sha256's in 2.29s
Doing sha256 for 3s on 64 size blocks: 2013046 sha256's in 2.38s
Doing sha256 for 3s on 256 size blocks: 927551 sha256's in 2.44s
Doing sha256 for 3s on 1024 size blocks: 259522 sha256's in 2.47s
Doing sha256 for 3s on 8192 size blocks: 33543 sha256's in 2.42s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Mar 23 21:01:31 UTC 2015
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
-Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
-DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           24398.87k    54132.33k    97316.83k   107591.31k   113547.21k
 
 Performance counter stats for 'openssl speed sha256':
 
      12032.697699      task-clock (msec)         #    0.794 CPUs utilized          
               691      context-switches          #    0.057 K/sec                  
                 0      cpu-migrations            #    0.000 K/sec                  
               763      page-faults               #    0.063 K/sec                  
   <not supported>      cycles                   
                 0      stalled-cycles-frontend   #    0.00% frontend cycles idle   
                 0      stalled-cycles-backend    #    0.00% backend  cycles idle   
   <not supported>      instructions             
   <not supported>      branches                 
   <not supported>      branch-misses            
 
      15.148459993 seconds time elapsed
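
Added example, not part of the original page: a Python script that parses the sha256 summary lines from the runs above and reports, per block size, whether one build's slowest run still beats the other build's fastest run. The grouping in RUNS, the function names and the two-run minimum are assumptions of this example.

```python
import re

BLOCK_SIZES = (16, 64, 256, 1024, 8192)
FIELD = re.compile(r"\d+(?:\.\d+)?k")

# "sha256" summary lines copied from the `openssl speed sha256` runs on this page.
# The 1.0.1p fips output appears twice but is the same run, so it is listed once.
RUNS = {
    "1.0.1p": [
        "sha256           23636.25k    51426.23k    99728.59k   118058.43k   120578.76k",
        "sha256           25358.98k    54177.90k    93551.04k   112903.37k   112447.05k",
    ],
    "1.0.1p fips": [
        "sha256           20092.77k    46316.72k    86949.59k    79991.68k   159210.33k",
    ],
    "1.0.1e-fips": [
        "sha256           19477.13k    58752.54k    86939.11k   102855.30k   100640.73k",
        "sha256           24398.87k    54132.33k    97316.83k   107591.31k   113547.21k",
    ],
}

def parse_summary(line):
    """Turn one summary line into {block_size: throughput in 1000s of bytes/s}."""
    _name, *cols = line.split()
    if len(cols) != len(BLOCK_SIZES) or not all(FIELD.fullmatch(c) for c in cols):
        raise ValueError(f"unexpected summary line: {line!r}")
    return {size: float(c[:-1]) for size, c in zip(BLOCK_SIZES, cols)}

def compare(build_a, build_b, runs=RUNS):
    """Per block size: the build whose slowest run beats the other's fastest
    run, "overlap" if the ranges overlap, or "insufficient" when either
    build has fewer than two runs (assumed minimum to form a range)."""
    a = [parse_summary(line) for line in runs[build_a]]
    b = [parse_summary(line) for line in runs[build_b]]
    if len(a) < 2 or len(b) < 2:
        return {size: "insufficient" for size in BLOCK_SIZES}
    verdict = {}
    for size in BLOCK_SIZES:
        a_lo, a_hi = min(r[size] for r in a), max(r[size] for r in a)
        b_lo, b_hi = min(r[size] for r in b), max(r[size] for r in b)
        verdict[size] = build_a if a_lo > b_hi else build_b if b_lo > a_hi else "overlap"
    return verdict

if __name__ == "__main__":
    for size, result in compare("1.0.1p", "1.0.1e-fips").items():
        print(f"{size:>5} bytes: {result}")
```

With the numbers on this page, the ranges for 1.0.1p and 1.0.1e-fips separate only in the 1024-byte column; the other block sizes overlap between runs.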
