Feature #23552
opencache PK11Context in Connection and probably other consumers of CryptoKeyHandler
0%
Description
please see attached flamegraph, the 0.67% CPU cycle is used by PK11_CreateContextBySymKey(), if we cache the PK11Context returned by this function, we can save the cost. but please note, the PK11Context is not thread safe: we cannot share the same PK11Context instance across multiple threads. So, if we decide to cache it, we will need to move it to the upper level, for example, the messenger's Connection class, that would cover both simple and async messengers. so there will be only a single thread at a give time accessing it.
Files
Updated by Kefu Chai about 6 years ago
per Radoslaw Zarzynski
the overhead between `CreateContextBySym` and `DigestBegin` is small
and probably we can find a light-weighted replacement for NSS, because it's way too expensive to create a PK11Ctx every time when we decrypt or encrypt a buffer.
Updated by Radoslaw Zarzynski about 6 years ago
Summary of the discussion:
`check_message_signature` in `AsyncConnection::process` is being already protected by `AsyncConnection::lock` > `first instance of CephxSessionHandler>check_message_signature_thread_safe()`.
In turn `CephxSessionHandler::sign_message` is called from `AsyncConnection::write_message` where we do `assert(center->in_thread())` > ` second instance of CephxSessionHandler>sign_message_thread_safe()` .
However, PK11 of NSS still can be too costly even after that.
Updated by Josh Durgin about 6 years ago
How costly is just the authentication piece, i.e. keep cephx but turn off message signing?
Updated by Greg Farnum about 6 years ago
You don't really have authentication without the message signing. Since we don't do full encryption, signing is the only way to prevent man-in-the-middle, and without that detection the value of any kind of cryptography is basically nil.