Avoid fetching OpenSSL digests and ciphers

[paulidale]

The old cipher returning calls like EVP_aes_128_gcm() perform late binding which means they fetch on initialisation. Fetching in OpenSSL 3.0 is a relatively expensive operation. Instead of fetching every time a cipher is required, it is faster to pre-fetch and reuse the same EVP_CIPHER object.

Likewise, HMAC is better prefetched but it has the additional complexity of fetching a digest internally. Instead of just prefetching the EVP_MAC object, it is better to create an EVP_MAC_CTX object and call EVP_MAC_CTX_dup() as required.

According to the profiling I've done, this represents a circa 4% boost in HPS.

[ghost]

Thank you for your submission, we really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

❌ paulidale sign now
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[nibanks]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[nibanks]

Thanks a lot for making these changes. I few things need a bit of clean up before we can merge this. Also, please verify you've signed the Microsoft CLA. Thanks!

[nibanks]

You also need to run ./scripts/update-sidecar.ps1 but only after all event code changes are made.

[paulidale]

You also need to run ./scripts/update-sidecar.ps1 but only after all event code changes are made.

That exploded nicely :(

dotnet: /home/pauli/work/msquic/msquic/scripts/update-sidecar.ps1:45
Line |
  45 |  dotnet publish ../submodules/clog/src/clog -o ${ClogDir} -f net6.0
     |  ~~~~~~
     | The term 'dotnet' is not recognized as a name of a cmdlet,
     | function, script file, or executable program. Check the
     | spelling of the name, or if a path was included, verify that
     | the path is correct and try again.

/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

[paulidale]

Also, please verify you've signed the Microsoft CLA.

The CLA is underway, I'll need an OMC vote before I can confirm that my employer is agreeable. I've added this to the next meeting's agenda.

[thhous-msft]

You need .net 6 installed to run update-sidecar.ps1. https://docs.microsoft.com/en-us/dotnet/core/install/linux

[nibanks]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[paulidale]

I've run the update script and pushed.
Still trying to figure out the ChaCha20-Poly1305 issue.

[nibanks]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[nibanks]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[nibanks]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[paulidale]

The TLS changes give me better than 2x improvement to handshakes/second. There is another one coming that will (hopefully) be better.

[nibanks]

@paulidale any updates? Is there some particular hold up on getting approval to sign?

[paulidale]

The committee wants some input from our lawyers and this is but no means the highest priority. It will happen, the question at the moment is when.

[nibanks]

The committee wants some input from our lawyers and this is but no means the highest priority. It will happen, the question at the moment is when.

Just checking in. It's been another two weeks. Any updates or ETA?

[paulidale]

Sadly, nope 😢

[nibanks]

It's been another month @paulidale. We'd really appreciate if you could poke the folks you're blocked on to get resolution here. Thanks.

[paulidale]

Poking won't help. The person who deals with the legals has more important concerns which aren't going away anytime soon. We are working on getting an alternate.

I do apologise for the delay.

[nibanks]

It's been another month @paulidale. Do you have any idea how long until you can get approval? Would you please poke the necessary people? Thanks!

[paulidale]

Sorry, I've been on vacation. I'll prod this week.

[nibanks]

@paulidale another ping. Without this change, we'll never be able to move to openssl 3.0

[paulidale]

Our admin person is looking into this now. The CLA link up top is broken.

Edit: found it.

[nibanks]

Thanks for the update @paulidale. I think if you push a new commit, the link would probably refresh. BTW, you have a merge conflict with the latest main which needs to be fixed anyways.

[nibanks]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[paulidale]

I've finally got permission to sign the CLA on behalf of the project.
The links above are still broken and it's not clear how to sign from the CLA page.

[nibanks]

Weird. Perhaps try to close and reopen the PR? Otherwise might have to recreate the PR. Or just create a different temp PR to get a new link.

[paulidale]

@microsoft-github-policy-service agree company="OpenSSL Software Services"

[paulidale]

Got it. The entire process has changed and the CLA page hasn't.

[nibanks]

Got it. The entire process has changed and the CLA page hasn't.

Great. Would you mind merging or rebasing on main to fix some CI issues, please? Then hopefully we can get this merged ASAP today. Thanks again!

[nibanks]

Know what, never mind. All the issues are fixed issues. I'm going to merge this. Thanks!

[paulidale]

Thanks. I'm on holiday for a few days and wouldn't have got to it until next week.

BTW: there are other performance fixes in OpenSSL's master branch that would be very worthwhile here.