-
Notifications
You must be signed in to change notification settings - Fork 552
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORE-6: Pre-fetching algorithms #17003
CORE-6: Pre-fetching algorithms #17003
Conversation
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46014#018e2f38-e660-42c0-bde7-7a95052328be ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46185#018e3d38-911d-42f8-9f3a-093f130295db ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46213#018e3e9d-0f32-47aa-8c85-3f4b539e842c ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46213#018e3e9d-0f28-4261-bc24-e036c0c5909f |
1205e21
to
213c15e
Compare
Force push
|
Results: non-FIPS:
FIPS:
|
[CORE-6] |
213c15e
to
f8af602
Compare
Force push
|
|
||
namespace internal { | ||
EVP_MD* get_md(digest_type type) { | ||
// Map of pre-fetched MD pointers. This replaces the older way of getting |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
older way
this being "implicit fetch"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct
src/v/crypto/crypto.cc
Outdated
if (!md_ptr) { | ||
throw ossl_error(fmt::format("Failed to fetch algorithm {}", alg)); | ||
} | ||
md_map.insert_or_assign(type, EVP_MD_ptr(md_ptr)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[[maybe_unused]] auto res = md_map.insert_or_assign(type, EVP_MD_ptr(md_ptr));
assert(res.second); // otherwise we'd leak the fetched algo ptr
or just a comment, tho assert
won't have any performance impact in release build.
src/v/crypto/hmac.cc
Outdated
case digest_type::SHA512: | ||
return sha512_params; | ||
default: | ||
vassert(false, "NOPE"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this isn't a covering set, the assertion is nice. But maybe print out what it is, like MD5 looks like it could be the problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ha, completely forgot to change that message... meant to go back and fix that
f8af602
to
e6bb97f
Compare
Force push
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
src/v/crypto/crypto.cc
Outdated
[[maybe_unused]] auto res = md_map.insert_or_assign( | ||
type, EVP_MD_ptr(md_ptr)); | ||
vassert( | ||
res.second, "Failed to insert/create the fetched algorithm {}", alg); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is fine. just fyi, you don't need [[maybe_unused]] if you use vassert because vassert is always compiled in so res is always used. but with vanilla assert it is compiled out in Release builds so res is not used and you need the annotation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
doh!
CORE-6: Fixes this issue Signed-off-by: Michael Boquard <michael@redpanda.com>
Similar to pre-fetching the MD, this will pre-fetch the HMAC provider. Signed-off-by: Michael Boquard <michael@redpanda.com>
Signed-off-by: Michael Boquard <michael@redpanda.com>
Signed-off-by: Michael Boquard <michael@redpanda.com>
Added perf tests to compare GnuTLS vs OpenSSL both in and out of FIPS mode. Signed-off-by: Michael Boquard <michael@redpanda.com>
e6bb97f
to
7425d18
Compare
Force push
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
static size_t test_body(size_t msg_len, F n) { | ||
auto buffer = random_generators::gen_alphanum_string(msg_len); | ||
for (auto i = inner_iters; i--;) { | ||
auto s = n(buffer); | ||
perf_tests::do_not_optimize(s); | ||
} | ||
perf_tests::stop_measuring_time(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
q: does the time measurement include the string generation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe it does
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
auto buffer = random_generators::gen_alphanum_string(msg_len); | ||
for (auto i = inner_iters; i--;) { | ||
auto s = n(buffer); | ||
perf_tests::do_not_optimize(s); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should the entire call of n(buffer)
be passed to do_not_optimize
? Here it seems just its return value is
This change improves the performance of the crypto library by pre-fetching the MD and HMAC operations.
See the performance section in OpenSSL's docs
Fixes: https://github.com/redpanda-data/core-internal/issues/1152
Fixes: https://github.com/redpanda-data/core-internal/issues/1154
CORE-8
Backports Required
Release Notes