On Saturday March 24th 2007 at 12:58 Harald Latzko wrote:

> I compiled the 0.9.9 snapshot, resulting in a binary that has the  
> same behaviour (growing in RAM very much). Do you know how to enable  
> this experimental code and if this feature is included in the openssl  
> command line tool?

No, sorry I do not know how to enable the streaming encryption support
and it very probably will not be in the command line tool.

I only know beginnings of streaming encryption support exist from posts
by Dr. Stephen Henson on this list.

In the "CHANGES" file in the snapshot the following entries are relevant
to this feature I think:

  *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
     it yet and it is largely untested.
     [Steve Henson]

  *) Support for single pass processing for S/MIME signing. This now
     means that S/MIME signing can be done from a pipe, in addition
     cleartext signing (multipart/signed type) is effectively streaming
     and the signed data does not need to be all held in memory.

     This is done with a new flag PKCS7_STREAM. When this flag is set
     PKCS7_sign() only initializes the PKCS7 structure and the actual signing
     is done after the data is output (and digests calculated) in
     SMIME_write_PKCS7().
     [Steve Henson]

  *) Extend ASN1 encoder to support indefinite length constructed
     encoding. This can output sequences tags and octet strings in
     this form. Modify pk7_asn1.c to support indefinite length
     encoding. This is experimental and needs additional code to
     be useful, such as an ASN1 bio and some enhanced streaming
     PKCS#7 code.

     Extend template encode functionality so that tagging is passed
     down to the template encoder.
     [Steve Henson]

So unless you can look at the code itself (start with the PKCS7_STREAM
flag probably, and the PKCS7_encrypt() function) and adapt from there it
is probably not useful yet.

Sorry to have given you false hopes. The issue that all the data has to
be in working memory to be encrypted is indeed starting to become a real
annoyance in some practical circumstances. So perhaps if Stephen Henson
should develop the feature further one day we can volunteer as testers?  ;-)
-- 
Marco Roeland
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
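
The "indefinite length constructed encoding" named in the CHANGES entry above is what lets an encoder emit data before it knows the total size. The following sketch is an added illustration, not part of the original mail and not OpenSSL code; the function names and the 4096-byte chunk size are assumptions, and the reader handles only primitive segments.

```python
import io

def der_len(n):
    """Definite-form length octets for n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def stream_octet_string(src, dst, chunk=4096):
    """Copy src to dst as a constructed, indefinite-length OCTET STRING.
    Only one chunk is in memory at a time; the total size is never needed."""
    dst.write(b"\x24\x80")  # 0x24: constructed OCTET STRING, 0x80: indefinite length
    while block := src.read(chunk):
        dst.write(b"\x04" + der_len(len(block)) + block)  # primitive segment
    dst.write(b"\x00\x00")  # end-of-contents octets close the value

def _need(src, n):
    """Read exactly n bytes or fail, so truncated input is detected."""
    data = src.read(n)
    if len(data) != n:
        raise ValueError("truncated BER input")
    return data

def read_octet_string(src):
    """Yield the payload of each segment, again one chunk at a time."""
    if _need(src, 2) != b"\x24\x80":
        raise ValueError("not an indefinite-length constructed OCTET STRING")
    while True:
        tag = _need(src, 1)
        if tag == b"\x00":
            if _need(src, 1) != b"\x00":
                raise ValueError("bad end-of-contents")
            return
        if tag != b"\x04":
            raise ValueError("unexpected tag in segment list")
        first = _need(src, 1)[0]
        if first == 0x80:
            raise ValueError("segment must use a definite length")
        n = first if first < 0x80 else int.from_bytes(_need(src, first & 0x7F), "big")
        yield _need(src, n)

def encode(data, chunk=4096):
    """Convenience wrapper over in-memory buffers (constructed sample input)."""
    out = io.BytesIO()
    stream_octet_string(io.BytesIO(data), out, chunk)
    return out.getvalue()

def decode(blob):
    return b"".join(read_octet_string(io.BytesIO(blob)))
```

With a definite-length encoding the length octets come before the content, so the whole payload must be known up front; here the writer can be fed from a pipe.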