libressl sha1 performance regression vs openssl. #3555

Open
mharvey-jt opened this issue Mar 26, 2024 · 3 comments · May be fixed by #3576
mharvey-jt commented Mar 26, 2024

Looks like the sha1 code in libressl uses SSSE3 instructions, but not the newer SHA1 instruction extensions, which are used by openssl. This is showing up as a performance regression with 2.11 vs 2.8.

@mharvey-jt mharvey-jt changed the title libressl ssl performance regression vs openssl. libressl ssl performance regression vs openssl. Mar 26, 2024
@mharvey-jt mharvey-jt changed the title libressl ssl performance regression vs openssl. libressl sha1 performance regression vs openssl. Mar 26, 2024
@jblomer jblomer self-assigned this Mar 28, 2024

jblomer commented Mar 28, 2024

Thank you! That went unnoticed. The micro benchmarks (on my machine) confirm a factor 2 slowdown of libressl vs. openssl. This is true also for the latest version of libressl. Unfortunately, the OpenSSL 3 interface changes make it unusable for cvmfs. Not sure what a good option is. Possibilities are

  • Patching libressl with the openssl code Edit: not trivial, most likely a bad idea
  • Using a sha-1 standalone library (to be found) Edit: possible libraries with SHA support include botan and GnuTLS

Let's see with the libressl project first. I'll open an issue.

This seems to be the relevant commit. Merged for OpenSSL 1.0.2, unfortunately briefly after LibreSSL was forked.


jblomer commented Apr 2, 2024

We should also not exclude moving back to OpenSSL. At least we should note down exactly where API functionality was really removed as compared to where we only need to use it differently.


jblomer commented Apr 7, 2024

Both GnuTLS and Botan make it difficult to control memory allocation/deallocation of the hash context. But nettle looks interesting. It has the same SHA-1 performance as OpenSSL. Nettle is a crypto backend of GnuTLS.

@jblomer jblomer linked a pull request Apr 11, 2024 that will close this issue