For NSS 3.11, shlibsign will run up to 4 times in a single NSS build, and up to 7 times when building both 32-bit and 64-bit for the same platform. Each time it runs, it generates a large prime number, which often takes quite a while, slowing the builds. It was bad enough when we only did one or two shlibsigns per build, but 7 is taking too long.

Given that these are DSA signatures, the only prime that is needed is P, part of the PQG parameters. Surely we don't need to generate new PQG parameters for every shlibsign run. One would think that a single set of PQG params would suffice for all future NSS builds.

I can see at least the following two alternatives:

a) Use a file of PQG params in nss/cmd/shlibsign/$OBJDIR. If the file doesn't exist, then generate it. If it does exist, use it. This allows us to build at most one set of PQG params per build.

b) Like a, but either
   b1) put the file in nss/cmd/shlibsign and check it in, or
   b2) just compile the PQG params into shlibsign itself.
   Either way, this obviates prime number finding during builds.

Bob, would you be willing to do this?
This is not going to make 3.11.x, so I'm retargeting to 3.12. IMO, machines are fast enough that the build time isn't a problem, even with 4 libraries to sign, and this is a good candidate for a WONTFIX.
I propose to change shlibsign to use these precompiled PQG values. Any objections?
Created attachment 334823: replace PQGgen with constant PQG params

This seems to do the trick.
Julien, please review.
Comment on attachment 334823: replace PQGgen with constant PQG params

r+ can check in as is, though I would like it if shlibsign had an option to generate new PQG on the fly. But not enough to reject the patch as is to get the performance win of pregenerated. (I think a reading from a file is overkill -- especially for a tool that hopefully will start generating SHA-2 MACs soon instead :).
Checking in shlibsign.c; new revision: 1.17; previous revision: 1.16