msquic icon indicating copy to clipboard operation
msquic copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Avoid fetching OpenSSL digests and ciphers

Open paulidale opened this issue 2 years ago • 36 comments

The old cipher returning calls like EVP_aes_128_gcm() perform late binding which means they fetch on initialisation. Fetching in OpenSSL 3.0 is a relatively expensive operation. Instead of fetching every time a cipher is required, it is faster to pre-fetch and reuse the same EVP_CIPHER object.

Likewise, HMAC is better prefetched but it has the additional complexity of fetching a digest internally. Instead of just prefetching the EVP_MAC object, it is better to create an EVP_MAC_CTX object and call EVP_MAC_CTX_dup() as required.

According to the profiling I've done, this represents a circa 4% boost in HPS.

paulidale avatar Mar 28 '22 02:03 paulidale

CLA assistant check
Thank you for your submission, we really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

:x: paulidale sign now
You have signed the CLA already but the status is still pending? Let us recheck it.

ghost avatar Mar 28 '22 02:03 ghost

/azp run

nibanks avatar Mar 28 '22 11:03 nibanks

Azure Pipelines successfully started running 2 pipeline(s).

azure-pipelines[bot] avatar Mar 28 '22 11:03 azure-pipelines[bot]

You also need to run ./scripts/update-sidecar.ps1 but only after all event code changes are made.

nibanks avatar Mar 29 '22 12:03 nibanks

You also need to run ./scripts/update-sidecar.ps1 but only after all event code changes are made.

That exploded nicely :(

dotnet: /home/pauli/work/msquic/msquic/scripts/update-sidecar.ps1:45
Line |
  45 |  dotnet publish ../submodules/clog/src/clog -o ${ClogDir} -f net6.0
     |  ~~~~~~
     | The term 'dotnet' is not recognized as a name of a cmdlet,
     | function, script file, or executable program. Check the
     | spelling of the name, or if a path was included, verify that
     | the path is correct and try again.

/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
/home/pauli/work/msquic/msquic/build/clog/clog: The term '/home/pauli/work/msquic/msquic/build/clog/clog' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

paulidale avatar Mar 30 '22 00:03 paulidale

Also, please verify you've signed the Microsoft CLA.

The CLA is underway, I'll need an OMC vote before I can confirm that my employer is agreeable. I've added this to the next meeting's agenda.

paulidale avatar Mar 30 '22 00:03 paulidale

You need .net 6 installed to run update-sidecar.ps1. https://docs.microsoft.com/en-us/dotnet/core/install/linux

thhous-msft avatar Mar 30 '22 00:03 thhous-msft

/azp run ci

nibanks avatar Mar 30 '22 12:03 nibanks

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Mar 30 '22 12:03 azure-pipelines[bot]

I've run the update script and pushed. Still trying to figure out the ChaCha20-Poly1305 issue.

paulidale avatar Mar 31 '22 08:03 paulidale

/azp run ci

nibanks avatar Apr 01 '22 21:04 nibanks

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Apr 01 '22 21:04 azure-pipelines[bot]

/azp run ci

nibanks avatar Apr 03 '22 23:04 nibanks

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Apr 03 '22 23:04 azure-pipelines[bot]

/azp run ci

nibanks avatar Apr 05 '22 11:04 nibanks

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Apr 05 '22 11:04 azure-pipelines[bot]

The TLS changes give me better than 2x improvement to handshakes/second. There is another one coming that will (hopefully) be better.

paulidale avatar Apr 05 '22 23:04 paulidale

/azp run

nibanks avatar Apr 05 '22 23:04 nibanks

Azure Pipelines successfully started running 2 pipeline(s).

azure-pipelines[bot] avatar Apr 05 '22 23:04 azure-pipelines[bot]

/azp run

nibanks avatar Apr 06 '22 12:04 nibanks

Azure Pipelines successfully started running 2 pipeline(s).

azure-pipelines[bot] avatar Apr 06 '22 12:04 azure-pipelines[bot]

Also, please verify you've signed the Microsoft CLA.

The CLA is underway, I'll need an OMC vote before I can confirm that my employer is agreeable. I've added this to the next meeting's agenda.

@paulidale when is the next meeting? This PR seems to be pretty close to done so I'm just trying to get an idea of how much longer until it might be merged.

nibanks avatar Apr 06 '22 12:04 nibanks

The perf results are in (below), and I don't see a significant difference in HPS. Is this PR primarily for 3.0 perf?

Windows OpenSSL (1.1.1)

Run 1: 6073 HPS
Run 2: 6025 HPS
Run 3: 6183 HPS
Run 4: 6041 HPS
Run 5: 6192 HPS
Median: 6073 HPS (+.11%)
Remote: 6066.6 HPS

Linux OpenSSL (1.1.1)

Run 1: 12672 HPS
Run 2: 12834 HPS
Run 3: 12497 HPS
Run 4: 13086 HPS
Run 5: 12887 HPS
Median: 12834 HPS (+1.23%)
Remote: 12678.4 HPS

nibanks avatar Apr 06 '22 14:04 nibanks

I missed the OMC meeting yesterday and the item slipped a week.

Yes, this is for 3.x performance. I doubt it will make a noticeable change to 1.1.1.

The other change is avoid calls to SSL_CTX_new() which is a pretty heavy operation (more so in 3.x than in 1.1.1). A new SSL_CTX object is currently being created for every connection whereas the usual approach is to just create one, configure it and create the SSL objects from that. It's not quite that straightforward with SNI and ALPN where you might need several pre-created SSL_CTX objects swapping in the correct one using SSL_set_SSL_CTX().

I'm not sure how to fit this into the library/performance test framework. It might be better done as a separate PR: it will be a set of quite distinct changes to what is here and likely involve more widespread modifications in the OpenSSL platform code.

paulidale avatar Apr 07 '22 04:04 paulidale

I missed the OMC meeting yesterday and the item slipped a week.

Ok. So when is the next one? Is this something you might be able to ask and get approval via email earlier?

Yes, this is for 3.x performance. I doubt it will make a noticeable change to 1.1.1.

Ok. That's fine.

The other change is avoid calls to SSL_CTX_new() which is a pretty heavy operation (more so in 3.x than in 1.1.1). A new SSL_CTX object is currently being created for every connection whereas the usual approach is to just create one, configure it and create the SSL objects from that. It's not quite that straightforward with SNI and ALPN where you might need several pre-created SSL_CTX objects swapping in the correct one using SSL_set_SSL_CTX().

I'm not sure how to fit this into the library/performance test framework. It might be better done as a separate PR: it will be a set of quite distinct changes to what is here and likely involve more widespread modifications in the OpenSSL platform code.

Yeah, that seems fairly complicated. Definitely put it into a separate PR. Thanks.

nibanks avatar Apr 07 '22 13:04 nibanks

An email discussion is unlikely to be faster. That's why we have regular calls. This Wednesday hopefully.

paulidale avatar Apr 11 '22 02:04 paulidale

An email discussion is unlikely to be faster. That's why we have regular calls. This Wednesday hopefully.

Any updates on getting approval @paulidale?

nibanks avatar Apr 15 '22 19:04 nibanks

Not yet :(

paulidale avatar Apr 28 '22 03:04 paulidale

@paulidale any updates? Is there some particular hold up on getting approval to sign?

nibanks avatar May 07 '22 19:05 nibanks

The committee wants some input from our lawyers and this is but no means the highest priority. It will happen, the question at the moment is when.

paulidale avatar May 08 '22 06:05 paulidale