"A sleep(1) is put into all SSL_read() and SSL_write() calls..." (opens in new tab)

(bugs.python.org)

105 pointsshmeedogg16y ago50 comments

50 comments

21 comments · 7 top-level

po16y ago· 6 in thread

I bet removing this causes something somewhere to break.

typedef_void16y ago

is sleep(1) noisy?

if so, it might be vs timing attacks

jakevoytko16y ago

Sleep(1) is very noisy on Windows machines. The time slice given by default is ~15-20ms [1], and calling Sleep(<15) relinquishes the rest of the time slice. Windows has a multimedia API that can be used to get intervals down to 1ms, but it requires system calls that increase your system load. So you usually just need to use proper synchronization anyways, which is what the Python guys should have done :)

This crummy Sleep() implementation has some nice effects on programmers. Those who like to solve problems with lots of copy/paste code are forced to think about using proper synchronization primitives when running high resolution loops that wait for events, or their code just won't run very fast.

[1] http://social.msdn.microsoft.com/forums/en-US/clr/thread/fac...

3 more replies

tptacek16y ago

This has nothing to do with timing attacks and would do nothing to defend against them. Read 'daeken's comment below, though.

igravious16y ago

Excuse my ignorance: what do you mean by noisy?

1 more reply

ComputerGuru16y ago

Sleep is noisy.

When you do sleep, depending on the hardware, the OS, the configuration, the kernel flags, etc. the minimum you actually get is around 38.

But that varies.

1 more reply

typedef_void16y ago

on second thought, my comment makes little sense,

if they wanted noisy sleep, it should be something like

sleep(func(rand()))

1 more reply

kqr216y ago· 3 in thread

It looks like someone forgot to remove the "speed-up loop".

http://thedailywtf.com/Articles/The-Speedup-Loop.aspx

fourneau16y ago

That's both hilarious and frightening all at once. Luckily static analysis tools catch that kind of stuff very easily now...

dschobel16y ago

Additionally I think you'd be hard pressed to find a modern compiler (for some loose definition of modern) which would not optimize that loop away.

1 more reply

sprout16y ago

Not in the cloud they don't.

timf16y ago· 3 in thread

A second long sleep on every read or write? If this was actually happening, it sounds like it could create unheard of performance issues for any significant transfer.

Or was this not noticed because all the major frameworks like cherrypy and twisted are still using the pyopenssl wrapper?

Is there any evidence that this bugfix actually changes the performance?

MrRage16y ago

Don't you mean a millisecond long sleep? I never saw a sleep function that interpreted its parameter as seconds. Edit: Well, now I know better.

dmm16y ago

Both the POSIX sleep() program and the sleep(unsigned int seconds) function in unistd.h interpret the argument as seconds.

kingkilr16y ago

It does on Linux, from `man 3 sleep`:

http://paste.pocoo.org/show/229678/

1 more reply

jamesseda16y ago· 2 in thread

I have been working on a replay tool in python. I had to add sleeps because it was sending packets faster than the NIC could send them in order.

ars16y ago

That's not a reliable way to do that. It should block.

jamesseda16y ago

it is actually more reliable to sleep than to block. by definition blocking is unreliable because you don't know exactly when it will unblock. You do know when a sleep will end though. I also want a variable delay between writes.

1 more reply

dredge16y ago

As the bug report mentions, the sleep(1) call appears to be wrapped in a #define that (I assume) won't be active in normal OpenSSL builds. At least in v0.9.8o (the only one I checked) the only references I see are:

ssl/s2_pkt.c:

    #ifdef PKT_DEBUG
        if (s->debug & 0x01) sleep(1);
    #endif

There are two references like that to PKT_DEBUG (read and write); the only other is:

ssl/ssl_locl.h:

    /*#define PKT_DEBUG 1   */

I suspect this is a non-issue. Interesting though.

hartror16y ago

Wow I wonder how many people gave up using the ssl lib as too slow due to this bug?

Aaronontheweb16y ago

I love Ben's response in the discussion prior to the SVN check-in.

j / k navigate · click thread line to collapse

50 comments

21 comments · 7 top-level

po16y ago· 6 in thread

I bet removing this causes something somewhere to break.

typedef_void16y ago

is sleep(1) noisy?

if so, it might be vs timing attacks

jakevoytko16y ago

[1] http://social.msdn.microsoft.com/forums/en-US/clr/thread/fac...

3 more replies

tptacek16y ago

This has nothing to do with timing attacks and would do nothing to defend against them. Read 'daeken's comment below, though.

igravious16y ago

Excuse my ignorance: what do you mean by noisy?

1 more reply

ComputerGuru16y ago

Sleep is noisy.

When you do sleep, depending on the hardware, the OS, the configuration, the kernel flags, etc. the minimum you actually get is around 38.

But that varies.

1 more reply

typedef_void16y ago

on second thought, my comment makes little sense,

if they wanted noisy sleep, it should be something like

sleep(func(rand()))

1 more reply

kqr216y ago· 3 in thread

It looks like someone forgot to remove the "speed-up loop".

http://thedailywtf.com/Articles/The-Speedup-Loop.aspx

fourneau16y ago

That's both hilarious and frightening all at once. Luckily static analysis tools catch that kind of stuff very easily now...

dschobel16y ago

Additionally I think you'd be hard pressed to find a modern compiler (for some loose definition of modern) which would not optimize that loop away.

1 more reply

sprout16y ago

Not in the cloud they don't.

timf16y ago· 3 in thread

A second long sleep on every read or write? If this was actually happening, it sounds like it could create unheard of performance issues for any significant transfer.

Or was this not noticed because all the major frameworks like cherrypy and twisted are still using the pyopenssl wrapper?

Is there any evidence that this bugfix actually changes the performance?

MrRage16y ago

Don't you mean a millisecond long sleep? I never saw a sleep function that interpreted its parameter as seconds. Edit: Well, now I know better.

dmm16y ago

Both the POSIX sleep() program and the sleep(unsigned int seconds) function in unistd.h interpret the argument as seconds.

kingkilr16y ago

It does on Linux, from `man 3 sleep`:

http://paste.pocoo.org/show/229678/

1 more reply

jamesseda16y ago· 2 in thread

I have been working on a replay tool in python. I had to add sleeps because it was sending packets faster than the NIC could send them in order.

ars16y ago

That's not a reliable way to do that. It should block.

jamesseda16y ago

1 more reply

dredge16y ago

ssl/s2_pkt.c:

    #ifdef PKT_DEBUG
        if (s->debug & 0x01) sleep(1);
    #endif

There are two references like that to PKT_DEBUG (read and write); the only other is:

ssl/ssl_locl.h:

    /*#define PKT_DEBUG 1   */

I suspect this is a non-issue. Interesting though.

hartror16y ago

Wow I wonder how many people gave up using the ssl lib as too slow due to this bug?

Aaronontheweb16y ago

I love Ben's response in the discussion prior to the SVN check-in.

j / k navigate · click thread line to collapse