Avoid fetching OpenSSL digests and ciphers #2588
e8bde23 to 93d0706
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
Thanks a lot for making these changes. A few things need a bit of clean up before we can merge this. Also, please verify you've signed the Microsoft CLA. Thanks!
You also need to run
a452b12 to fce2c31
That exploded nicely :(
The CLA is underway, I'll need an OMC vote before I can confirm that my employer is agreeable. I've added this to the next meeting's agenda.
You need .net 6 installed to run update-sidecar.ps1. https://docs.microsoft.com/en-us/dotnet/core/install/linux
/azp run ci
Azure Pipelines successfully started running 1 pipeline(s).
I've run the update script and pushed.
/azp run ci
Azure Pipelines successfully started running 1 pipeline(s).
/azp run ci
Azure Pipelines successfully started running 1 pipeline(s).
/azp run ci
Azure Pipelines successfully started running 1 pipeline(s).
The TLS changes give me better than 2x improvement to handshakes/second. There is another one coming that will (hopefully) be better.
@paulidale any updates? Is there some particular hold up on getting approval to sign?
The committee wants some input from our lawyers and this is by no means the highest priority. It will happen, the question at the moment is when.
Just checking in. It's been another two weeks. Any updates or ETA?
Sadly, nope 😢
It's been another month @paulidale. We'd really appreciate if you could poke the folks you're blocked on to get resolution here. Thanks.
Poking won't help. The person who deals with the legals has more important concerns which aren't going away anytime soon. We are working on getting an alternate. I do apologise for the delay.
It's been another month @paulidale. Do you have any idea how long until you can get approval? Would you please poke the necessary people? Thanks!
Sorry, I've been on vacation. I'll prod this week.
@paulidale another ping. Without this change, we'll never be able to move to openssl 3.0
Our admin person is looking into this now. The CLA link up top is broken. Edit: found it.
Thanks for the update @paulidale. I think if you push a new commit, the link would probably refresh. BTW, you have a merge conflict with the latest main which needs to be fixed anyways.
974a3e3 to 84ed874
The old cipher returning calls like EVP_aes_128_gcm() perform late binding which means they fetch on init. Fetch in OpenSSL 3.0 is a relatively expensive operation. Instead of fetching every time a cipher is required, it is faster to pre-fetch and reuse the same EVP_CIPHER object. Likewise, HMAC is better prefetched but it has the additional complexity of fetching a digest internally. Instead of just prefetching the EVP_MAC object, it is better to create an EVP_MAC_CTX object and call EVP_MAC_CTX_dup() as required. According to the profiling I've done, this represents a circa 4% boost in HPS.
84ed874 to 59f2a7a
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
I've finally got permission to sign the CLA on behalf of the project.
Weird. Perhaps try to close and reopen the PR? Otherwise might have to recreate the PR. Or just create a different temp PR to get a new link.
@microsoft-github-policy-service agree company="OpenSSL Software Services"
Got it. The entire process has changed and the CLA page hasn't.
Great. Would you mind merging or rebasing on
Know what, never mind. All the issues are fixed issues. I'm going to merge this. Thanks!
Thanks. I'm on holiday for a few days and wouldn't have got to it until next week. BTW: there are other performance fixes in OpenSSL's master branch that would be very worthwhile here.
The old cipher returning calls like EVP_aes_128_gcm() perform late binding which means they fetch on initialisation. Fetching in OpenSSL 3.0 is a relatively expensive operation. Instead of fetching every time a cipher is required, it is faster to pre-fetch and reuse the same EVP_CIPHER object.
Likewise, HMAC is better prefetched but it has the additional complexity of fetching a digest internally. Instead of just prefetching the EVP_MAC object, it is better to create an EVP_MAC_CTX object and call EVP_MAC_CTX_dup() as required.
According to the profiling I've done, this represents a circa 4% boost in HPS.