tech-userlevel archive


Upgrading in-tree OpenSSL to 0.9.9-current



I am about to check in some rather large changes to the OpenSSL "cryptodev"
engine (which we maintain locally in our tree) and to opencrypto itself to
increase performance when there are many concurrent requests.

It will be quite wasteful to do this with the current in-tree OpenSSL as
engine performance is hamstrung by:

        1) The fact that we build OpenSSL without threading support, and
           the engine interface is blocking.

        2) The lack of HMAC support in the 0.9.8 engine interface, which
           results in every HMAC operation being decomposed into a series
           of MAC operations, roughly halving HMAC performance and causing
           MAC acceleration to be completely disabled in the engine.

Unfortunately I can't get any good sense of when OpenSSL 0.9.9 will
actually be released, but the head of the OpenSSL tree seems quite stable
right now and I'd like to check it in and do my best to keep it up to date
as it changes to become 0.9.9.  This will yield several other performance
wins including an approximate doubling of RSA performance on a number of
architectures (better than that with certain CPUs on i386, in fact) and
many bugfixes to lesser-used but useful features such as DTLS.

I figure, it's NetBSD-current, so including OpenSSL-current is not such a
big deal.  And I will try to keep up to date as there are major changes
in OpenSSL through 0.9.9 -- if in fact there are any.

Opinions?

-- 
  Thor Lancelot Simon                    tls%rek.tjls.com@localhost

  "The inconsistency is startling, though admittedly, if consistency is to
   be abandoned or transcended, there is no problem."         - Noam Chomsky
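
Point 2 of the message above, modelled as an added example (not code from the post, OpenSSL or NetBSD): behind a digest-only interface, each HMAC-SHA1 turns into two separate hash requests, or three when the key is longer than the hash block size. `DigestOnlyBackend` and its request counter are hypothetical stand-ins for an accelerator, and the assumption is that an interface with native HMAC support would issue a single request per MAC.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes


class DigestOnlyBackend:
    """Hypothetical offload backend that exposes plain hashing only."""

    def __init__(self):
        self.requests = 0

    def sha1(self, data: bytes) -> bytes:
        self.requests += 1  # one blocking round trip per digest
        return hashlib.sha1(data).digest()


def hmac_sha1_decomposed(backend, key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 (RFC 2104) built from separate digest requests."""
    if len(key) > BLOCK:
        key = backend.sha1(key)  # extra request for over-long keys
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = backend.sha1(ipad + msg)   # H(K xor ipad || msg)
    return backend.sha1(opad + inner)  # H(K xor opad || inner)


def requests_per_mac(key: bytes, msg: bytes) -> int:
    """Return how many digest requests one HMAC costs on this backend."""
    backend = DigestOnlyBackend()
    tag = hmac_sha1_decomposed(backend, key, msg)
    # Cross-check against the standard library's HMAC.
    reference = hmac.new(key, msg, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, reference):
        raise ValueError("decomposed HMAC does not match reference")
    return backend.requests


if __name__ == "__main__":
    record = b"A" * 1400  # constructed sample payload
    print("short key:", requests_per_mac(b"k" * 20, record))
    print("long key: ", requests_per_mac(b"k" * 100, record))
```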

