OpenSSL BN_CTX usage
2016-03-14 20:24
Here I am answering my own question. I guess it happens all the time in SO. BIGNUM in OpenSSL is a complicated structure that holds an arbitrarily big number, and hence creating and freeing BIGNUM instances repeatedly will result in a considerable overhead. BIGNUM context, or BN_CTX, is created and used to save this overhead.

Structure

The BN_CTX structure contains two structures: BN_POOL and BN_STACK. The BN_POOL keeps a bundle of temporary bignums with a linked-list, while the BN_STACK manages the stack frame.

On Create

A BN_CTX instance ctx is created with BN_CTX_new(). A function must call BN_CTX_start() to get a new stack frame first. By calling BN_CTX_get(ctx), OpenSSL looks for an unused bignum in the BN_POOL of ctx. If there isn't any available temp bignum, OpenSSL will create one and link it to the linked-list. This must be done before passing ctx as an argument to other functions. Of course there's a mechanism for preventing the user from creating too many temporary bignums. The predefined number of bignums you can create within a BN_POOL is 16. Once the limit is exceeded, a segmentation fault will probably occur at a random location in the OpenSSL library.

On Exit

After the function is done with the BIGNUM instance it got from ctx and is ready to exit, BN_CTX_end() is called to release temporary bignums, meaning that these bignums become "unused" and can be requested by the next BN_CTX_get(). Finally, probably after several rounds of BN_CTX_start() and BN_CTX_end(), BN_CTX_end() is called to free the BN_STACK structure and clear-free the bignums in BN_POOL.
Example Code

```c
#include <openssl/bn.h>

void bar(BN_CTX *ctx);

void foo(void)
{
    BN_CTX *ctx;
    ctx = BN_CTX_new();
    /* Using BIGNUM context in a series of BIGNUM operations */
    bar(ctx);
    bar(ctx);
    bar(ctx);
    /* Using BIGNUM context in a function called in loops */
    while (/* condition */) {
        bar(ctx);
    }
    BN_CTX_free(ctx);
}
```

And here's the function bar():

```c
void bar(BN_CTX *ctx)
{
    BIGNUM *bn;
    BN_CTX_start(ctx);
    bn = BN_CTX_get(ctx);
    /* Do something with bn */
    BN_CTX_end(ctx);
}
```

The function foo() creates a new BIGNUM context and passes it as an argument to the function bar(). The first time bar() calls BN_CTX_get(), a temporary bignum is created, stored in the BN_POOL and returned. BN_CTX_get() in the subsequent bar() calls will not create a new bignum but instead returns the one it created in the first place. This temporary bignum will finally be clear-freed by BN_CTX_free() in foo().

Conclusion

When performance is a concern, use BN_CTX to save the overhead of BIGNUM creation by passing it to functions that require BIGNUM structures to hold temporary big numbers, and are called sequentially to perform certain bignum operations, or are repeatedly called in loops. Be aware that there is a limitation on the number of bignums stored in BN_CTX. If performance is not an issue, then using

```c
bn = BN_new();
if (bn) BN_free(bn);
```

is just fine.

Reposted from: http://stackoverflow.com/questions/16437475/openssl-bn-ctx-usage/16578756#16578756