Re: OpenSSL 1.1.1g Windows build slow rsa tests

2021-01-20 Thread Dr Paul Dale
I'd suggest giving a build without the no-asm option a try.  The 
performance difference is usually quite significant.


Static vs dynamic builds wouldn't normally be associated with such a 
large difference.  If the difference were routinely this large, nobody 
would use dynamic linking.



Pauli

On 21/1/21 10:37 am, Michael Wojcik wrote:

> > From: openssl-users  On Behalf Of Dr Paul
> > Dale
> > Sent: Wednesday, 20 January, 2021 16:19
> >
> > Try building without the no-asm configuration option.
>
> That was my first thought, but according to Dan's message, the firedaemon
> version is also built with no-asm.
>
> The only relevant differences I see between the two builds are static (Dan's)
> versus dynamic (firedaemon's) linkage:
>
> > On 21/1/21 6:18 am, Dan Heinz wrote:
>
> > > compiler: cl /Fdossl_static.pdb  /Gs0 /GF /Gy /MT /Zi /W3 /wd4090
> > > /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED
>
> /MT uses the static-linked MSVC runtime.
>
> > > Here is the downloaded binary from
> > > https://kb.firedaemon.com/support/solutions/articles/4000121705
> > > :
> > > compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo
> > > /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED
>
> /MD uses the dynamic-linked MSVC runtime.
>
> > > Here are my configure parameters:
> > > Configure VC-WIN64A no-shared  no-asm no-idea no-mdc2 no-rc5 no-ssl2
> > > no-ssl3 no-zlib no-comp no-pinshared no-ui-console
> > >    -DOPENSSL_NO_DEPRECATED --api=1.1.0
> > >
> > > And their configure parameters:
> > > Configure VC-WIN64Ano-asm no-ssl3 no-zlib no-comp no-ui-console
> > > --api=1.1.0 --prefix="%openssl-dst%" --openssldir=ssl
> > > -DOPENSSL_NO_DEPRECATED
>
> Assuming the lack of a space between "VC_WIN64A" and "no-asm" is a typo,
> they're also building with no-asm, and the only significant difference for this
> case that I can see is no-shared. (no-pinshared looks even less likely to
> affect this test, and does it even have any effect when building no-shared?)
>
> Linking with /MT will affect code size and layout, which could adversely affect
> code caching. It's not impossible that would have a factor-of-four penalty on
> compute-bound code. I'm reluctant to conclude that's the problem, though,
> without more evidence.
>
> Unfortunately tracking this down would likely require profiling.
>
> That's assuming Dan is correct about the firedaemon build being configured with
> no-asm.
>
> --
> Michael Wojcik



Re: Parsing and generating CBOR certificates?

2021-01-20 Thread Blumenthal, Uri - 0553 - MITLL
On 1/20/21, 19:42, "Benjamin Kaduk"  wrote:
>And again, where do you believe such a conversion is specified?

What do you mean "specified"? There's an ASN.1 "specification" of the 
certificate format, which theoretically can be encoded into whatever - DER, 
PER, OER, etc. One such tool (https://github.com/mouse07410/asn1c.git that I 
use) generates from ASN.1 file codecs for many encoding formats, and is able to 
convert between them.

Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why 
I'm asking here.

>   The IETF internet-draft I reference is a way to do so, but it is (to repeat)
>   very much a work in progress.

Understood. Do you know if there's any code behind it? Or just the "theory"?

Thanks!

On Thu, Jan 21, 2021 at 12:35:24AM +, Blumenthal, Uri - 0553 - MITLL 
wrote:
> I meant not "CBOR protocol" (which,  in all likelihood, doesn't and
> shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully,
> does exist).
> 
> At least, I'm looking for a tool that would convert between these two
> encodings (DER and CBOR) for specific objects (X.509-conformant certificates).
> 
> Thanks
> 
> Regards,
> Uri
> 
> > On Jan 20, 2021, at 19:26, Kaduk, Ben  wrote:
> > 
> > No.  OpenSSL does not include any CBOR protocol support.
> > I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
> > know of any such thing other than
> > https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
> > which is very much still a work in progress.
> > 
> > -Ben
> > 
> > 
> > From: Blumenthal, Uri - 0553 - MITLL 
> > Sent: Wednesday, January 20, 2021 4:22 PM
> > To: openssl-users
> > Subject: Parsing and generating CBOR certificates?
> > 
> > I need to work with CBOR-encoded certificates. Is there any way to use
> > OpenSSL to parse and/or generate certs in CBOR encoding?
> > 
> > Thanks
> > 
> > Regards,
> > Uri






Re: Parsing and generating CBOR certificates?

2021-01-20 Thread Benjamin Kaduk via openssl-users
And again, where do you believe such a conversion is specified?
The IETF internet-draft I reference is a way to do so, but it is (to repeat)
very much a work in progress.

-Ben

On Thu, Jan 21, 2021 at 12:35:24AM +, Blumenthal, Uri - 0553 - MITLL wrote:
> I meant not "CBOR protocol" (which,  in all likelihood, doesn't and shouldn't 
> exist) but CBOR encoding of X.509 certificates (which, hopefully, does 
> exist).
> 
> At least, I'm looking for a tool that would convert between these two 
> encodings (DER and CBOR) for specific objects (X.509-conformant certificates).
> 
> Thanks
> 
> Regards,
> Uri
> 
> > On Jan 20, 2021, at 19:26, Kaduk, Ben  wrote:
> > 
> > No.  OpenSSL does not include any CBOR protocol support.
> > I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
> > know of any such thing other than
> > https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
> > which is very much still a work in progress.
> > 
> > -Ben
> > 
> > 
> > From: Blumenthal, Uri - 0553 - MITLL 
> > Sent: Wednesday, January 20, 2021 4:22 PM
> > To: openssl-users
> > Subject: Parsing and generating CBOR certificates?
> > 
> > I need to work with CBOR-encoded certificates. Is there any way to use 
> > OpenSSL to parse and/or generate certs in CBOR encoding?
> > 
> > Thanks
> > 
> > Regards,
> > Uri




RE: OpenSSL 1.1.1g Windows build slow rsa tests

2021-01-20 Thread Michael Wojcik
> From: openssl-users  On Behalf Of Dr Paul
> Dale
> Sent: Wednesday, 20 January, 2021 16:19
>
> Try building without the no-asm configuration option.

That was my first thought, but according to Dan's message, the firedaemon 
version is also built with no-asm.

The only relevant differences I see between the two builds are static (Dan's) 
versus dynamic (firedaemon's) linkage:

> On 21/1/21 6:18 am, Dan Heinz wrote:

> > compiler: cl /Fdossl_static.pdb  /Gs0 /GF /Gy /MT /Zi /W3 /wd4090
> > /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED

/MT uses the static-linked MSVC runtime.

> > Here is the downloaded binary from
> > https://kb.firedaemon.com/support/solutions/articles/4000121705
> > :
> > compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo
> > /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED

/MD uses the dynamic-linked MSVC runtime.

> > Here are my configure parameters:
> > Configure VC-WIN64A no-shared  no-asm no-idea no-mdc2 no-rc5 no-ssl2
> > no-ssl3 no-zlib no-comp no-pinshared no-ui-console
> >   -DOPENSSL_NO_DEPRECATED --api=1.1.0
> >
> > And their configure parameters:
> > Configure VC-WIN64Ano-asm no-ssl3 no-zlib no-comp no-ui-console
> > --api=1.1.0 --prefix="%openssl-dst%" --openssldir=ssl
> > -DOPENSSL_NO_DEPRECATED

Assuming the lack of a space between "VC_WIN64A" and "no-asm" is a typo, 
they're also building with no-asm, and the only significant difference for this 
case that I can see is no-shared. (no-pinshared looks even less likely to 
affect this test, and does it even have any effect when building no-shared?)

Linking with /MT will affect code size and layout, which could adversely affect 
code caching. It's not impossible that would have a factor-of-four penalty on 
compute-bound code. I'm reluctant to conclude that's the problem, though, 
without more evidence.

Unfortunately tracking this down would likely require profiling.

That's assuming Dan is correct about the firedaemon build being configured with 
no-asm.

--
Michael Wojcik


Re: Parsing and generating CBOR certificates?

2021-01-20 Thread Blumenthal, Uri - 0553 - MITLL
I meant not "CBOR protocol" (which,  in all likelihood, doesn't and shouldn't 
exist) but CBOR encoding of X.509 certificates (which, hopefully, does exist).

At least, I'm looking for a tool that would convert between these two encodings 
(DER and CBOR) for specific objects (X.509-conformant certificates).

Thanks

Regards,
Uri

> On Jan 20, 2021, at 19:26, Kaduk, Ben  wrote:
> 
> No.  OpenSSL does not include any CBOR protocol support.
> I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
> know of any such thing other than
> https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
> which is very much still a work in progress.
> 
> -Ben
> 
> 
> From: Blumenthal, Uri - 0553 - MITLL 
> Sent: Wednesday, January 20, 2021 4:22 PM
> To: openssl-users
> Subject: Parsing and generating CBOR certificates?
> 
> I need to work with CBOR-encoded certificates. Is there any way to use 
> OpenSSL to parse and/or generate certs in CBOR encoding?
> 
> Thanks
> 
> Regards,
> Uri




Re: Parsing and generating CBOR certificates?

2021-01-20 Thread Kaduk, Ben via openssl-users
No.  OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
know of any such thing other than
https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
which is very much still a work in progress.

-Ben


From: Blumenthal, Uri - 0553 - MITLL 
Sent: Wednesday, January 20, 2021 4:22 PM
To: openssl-users
Subject: Parsing and generating CBOR certificates?

I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL 
to parse and/or generate certs in CBOR encoding?

Thanks

Regards,
Uri


Parsing and generating CBOR certificates?

2021-01-20 Thread Blumenthal, Uri - 0553 - MITLL
I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL 
to parse and/or generate certs in CBOR encoding?

Thanks

Regards,
Uri



Re: OpenSSL 1.1.1g Windows build slow rsa tests

2021-01-20 Thread Dr Paul Dale

Try building without the no-asm configuration option.

Pauli

On 21/1/21 6:18 am, Dan Heinz wrote:

> Hello,
>
> I’m building openssl 1.1.1g  on multiple platforms and I found that the
> rsa speed tests are significantly slower in my build than on the other
> OS platforms (Linux and macOS).
>
> I downloaded a Windows 64-bit binary distribution of openssl from
> https://kb.firedaemon.com/support/solutions/articles/4000121705 as
> they include the configure parameters used for their build.
>
> I ran the speed rsa tests on their openssl Windows 64-bit binary and
> they were much faster than the tests on my build.
>
> Here’s some output.
> My openssl binary executed with openssl speed rsa:
> Doing 2048 bits private rsa's for 10s: 409 2048 bits private RSA's in 10.00s
> Doing 2048 bits public rsa's for 10s: 15663 2048 bits public RSA's in 10.02s
> Doing 4096 bits private rsa's for 10s: 60 4096 bits private RSA's in 10.00s
> Doing 4096 bits public rsa's for 10s: 4316 4096 bits public RSA's in 10.02s
> OpenSSL 1.1.1g  21 Apr 2020
> built on: Wed Jan 20 18:38:14 2021 UTC
> options:bn(64,64) rc4(int) des(long) aes(partial) blowfish(ptr)
> compiler: cl /Fdossl_static.pdb  /Gs0 /GF /Gy /MT /Zi /W3 /wd4090
> /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED
>                   sign    verify    sign/s verify/s
> rsa 2048 bits 0.024450s 0.000639s     40.9   1563.9
> rsa 4096 bits 0.17s 0.002321s      6.0    430.9
>
> Here is the downloaded binary from
> https://kb.firedaemon.com/support/solutions/articles/4000121705
> :
> Doing 2048 bits private rsa's for 10s: 1622 2048 bits private RSA's in 10.02s
> Doing 2048 bits public rsa's for 10s: 72622 2048 bits public RSA's in 10.00s
> Doing 4096 bits private rsa's for 10s: 255 4096 bits private RSA's in 10.03s
> Doing 4096 bits public rsa's for 10s: 18976 4096 bits public RSA's in 10.00s
> OpenSSL 1.1.1j-dev  xx XXX 
> built on: Wed Jan  6 11:11:12 2021 UTC
> options:bn(64,64) rc4(int) des(long) aes(partial) idea(int) blowfish(ptr)
> compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo
> /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED
>                   sign    verify    sign/s verify/s
> rsa 2048 bits 0.006175s 0.000138s    161.9   7262.2
> rsa 4096 bits 0.039338s 0.000527s     25.4   1897.6
>
> That is a little over 4 times faster.
>
> Here are my configure parameters:
> Configure VC-WIN64A no-shared  no-asm no-idea no-mdc2 no-rc5 no-ssl2
> no-ssl3 no-zlib no-comp no-pinshared no-ui-console
>   -DOPENSSL_NO_DEPRECATED --api=1.1.0
>
> And their configure parameters:
> Configure VC-WIN64Ano-asm no-ssl3 no-zlib no-comp no-ui-console
> --api=1.1.0 --prefix="%openssl-dst%" --openssldir=ssl
> -DOPENSSL_NO_DEPRECATED
>
> Both my build and theirs are built with Visual Studio 2015.
>
> Any ideas why my build is so much slower?  Is there something in my
> configuration that might cause this?




OpenSSL 1.1.1g Windows build slow rsa tests

2021-01-20 Thread Dan Heinz
Hello,

I'm building openssl 1.1.1g  on multiple platforms and I found that the rsa 
speed tests are significantly slower in my build than on the other OS platforms 
(Linux and macOS).

I downloaded a Windows 64-bit binary distribution of openssl from 
https://kb.firedaemon.com/support/solutions/articles/4000121705 as they include 
the configure parameters used for their build.
I ran the speed rsa tests on their openssl Windows 64-bit binary and they were 
much faster than the tests on my build.

Here's some output.
My openssl binary executed with openssl speed rsa:
Doing 2048 bits private rsa's for 10s: 409 2048 bits private RSA's in 10.00s
Doing 2048 bits public rsa's for 10s: 15663 2048 bits public RSA's in 10.02s
Doing 4096 bits private rsa's for 10s: 60 4096 bits private RSA's in 10.00s
Doing 4096 bits public rsa's for 10s: 4316 4096 bits public RSA's in 10.02s
OpenSSL 1.1.1g  21 Apr 2020
built on: Wed Jan 20 18:38:14 2021 UTC
options:bn(64,64) rc4(int) des(long) aes(partial) blowfish(ptr)
compiler: cl /Fdossl_static.pdb  /Gs0 /GF /Gy /MT /Zi /W3 /wd4090 /nologo /O2 
-DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.024450s 0.000639s     40.9   1563.9
rsa 4096 bits 0.17s 0.002321s      6.0    430.9

Here is the downloaded binary from 
https://kb.firedaemon.com/support/solutions/articles/4000121705:
Doing 2048 bits private rsa's for 10s: 1622 2048 bits private RSA's in 10.02s
Doing 2048 bits public rsa's for 10s: 72622 2048 bits public RSA's in 10.00s
Doing 4096 bits private rsa's for 10s: 255 4096 bits private RSA's in 10.03s
Doing 4096 bits public rsa's for 10s: 18976 4096 bits public RSA's in 10.00s
OpenSSL 1.1.1j-dev  xx XXX 
built on: Wed Jan  6 11:11:12 2021 UTC
options:bn(64,64) rc4(int) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 
-DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.006175s 0.000138s    161.9   7262.2
rsa 4096 bits 0.039338s 0.000527s     25.4   1897.6

That is a little over 4 times faster.

Here are my configure parameters:
Configure VC-WIN64A no-shared  no-asm no-idea no-mdc2 no-rc5 no-ssl2 no-ssl3 
no-zlib no-comp no-pinshared no-ui-console  -DOPENSSL_NO_DEPRECATED --api=1.1.0

And their configure parameters:
Configure VC-WIN64A no-asm no-ssl3 no-zlib no-comp no-ui-console --api=1.1.0 
--prefix="%openssl-dst%" --openssldir=ssl -DOPENSSL_NO_DEPRECATED

Both my build and theirs are built with Visual Studio 2015.
Any ideas why my build is so much slower?  Is there something in my 
configuration that might cause this?
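
Added example, not part of any message in this thread: a small Python script that does the comparison the replies make by eye, computing the per-operation speedup from the raw "Doing ..." lines and diffing the compiler flags and Configure options of the two builds. The function and variable names are chosen for this illustration, and the inputs are copied from the output quoted in the thread.

```python
import re

# Constructed input: lines copied from the two `openssl speed rsa` runs quoted in the thread.
MINE = """\
Doing 2048 bits private rsa's for 10s: 409 2048 bits private RSA's in 10.00s
Doing 2048 bits public rsa's for 10s: 15663 2048 bits public RSA's in 10.02s
Doing 4096 bits private rsa's for 10s: 60 4096 bits private RSA's in 10.00s
Doing 4096 bits public rsa's for 10s: 4316 4096 bits public RSA's in 10.02s
compiler: cl /Fdossl_static.pdb  /Gs0 /GF /Gy /MT /Zi /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED
"""
THEIRS = """\
Doing 2048 bits private rsa's for 10s: 1622 2048 bits private RSA's in 10.02s
Doing 2048 bits public rsa's for 10s: 72622 2048 bits public RSA's in 10.00s
Doing 4096 bits private rsa's for 10s: 255 4096 bits private RSA's in 10.03s
Doing 4096 bits public rsa's for 10s: 18976 4096 bits public RSA's in 10.00s
compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_NO_DEPRECATED
"""
MINE_CFG = "VC-WIN64A no-shared  no-asm no-idea no-mdc2 no-rc5 no-ssl2 no-ssl3 no-zlib no-comp no-pinshared no-ui-console  -DOPENSSL_NO_DEPRECATED --api=1.1.0"
THEIRS_CFG = 'VC-WIN64A no-asm no-ssl3 no-zlib no-comp no-ui-console --api=1.1.0 --prefix="%openssl-dst%" --openssldir=ssl -DOPENSSL_NO_DEPRECATED'

RUN = re.compile(r": (\d+) (\d+) bits (private|public) RSA's in ([\d.]+)s")

def rates(text):
    """Map (key bits, operation) -> operations per second from the 'Doing ...' lines."""
    return {(int(b), op): int(n) / float(t) for n, b, op, t in RUN.findall(text)}

def speedup(slow, fast):
    """Ratio fast/slow for every (bits, operation) measured in the slow run."""
    s, f = rates(slow), rates(fast)
    return {k: round(f[k] / s[k], 2) for k in s}

def compiler_flags(text):
    """Flags from the 'compiler:' line, without the 'compiler:' label and 'cl'."""
    line = next(l for l in text.splitlines() if l.startswith("compiler:"))
    return set(line.split()[2:])

def only_in_each(a, b):
    """Items present on one side only, as (only_in_a, only_in_b)."""
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    for (bits, op), x in sorted(speedup(MINE, THEIRS).items()):
        print(f"rsa {bits} {op}: {x}x")
    print(only_in_each(compiler_flags(MINE), compiler_flags(THEIRS)))
    print(only_in_each(set(MINE_CFG.split()), set(THEIRS_CFG.split())))
```

The diff covers only the options each build reports; it does not show how the downloaded binary was actually produced, and the two binaries also report different OpenSSL versions (1.1.1g and 1.1.1j-dev).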