Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

neqo-crypto: use SSL_PeerCertificateChainDER #2009

Merged
merged 10 commits into from
Aug 1, 2024
Merged

neqo-crypto: use SSL_PeerCertificateChainDER #2009

merged 10 commits into from
Aug 1, 2024

Conversation

jschanck
Copy link
Contributor

@jschanck jschanck commented Jul 26, 2024
edited
Loading

The SSL_PeerCertificateChainDER function was added in NSS 3.103 to allow an application to retrieve the peer's presented certificate chain without constructing CERTCertificates. This is expected to improve performance, as constructing a CERTCertificate will typically involve querying the NSS certificate database.

We switched PSM over to SSL_PeerCertificateChainDER in Bug 1899431.

Assuming you land this, you'll need to apply the following patch to neqo-glue when you uplift to M-C:

diff --git netwerk/socket/neqo_glue/src/lib.rs netwerk/socket/neqo_glue/src/lib.rs
--- netwerk/socket/neqo_glue/src/lib.rs
+++ netwerk/socket/neqo_glue/src/lib.rs
@@ -1218,14 +1218,11 @@ pub extern "C" fn neqo_http3conn_peer_ce
     conn: &mut NeqoHttp3Conn,
     neqo_certs_info: &mut NeqoCertificateInfo,
 ) -> nsresult {
-    let mut certs_info = match conn.conn.peer_certificate() {
-        Some(certs) => certs,
-        None => return NS_ERROR_NOT_AVAILABLE,
+    let Some(certs_info) = conn.conn.peer_certificate() else {
+        return NS_ERROR_NOT_AVAILABLE;
     };

-    neqo_certs_info.certs = certs_info
-        .map(|cert| cert.iter().cloned().collect())
-        .collect();
+    neqo_certs_info.certs = certs_info.iter().map(ThinVec::from).collect();

     match &mut certs_info.stapled_ocsp_responses() {
         Some(ocsp_val) => {

@jschanck
neqo-crypto: use SSL_PeerCertificateChainDER
58d55af 
The SSL_PeerCertificateChainDER function was added in NSS 3.103 to allow
an application to retrieve the peer's presented certificate chain without
constructing CERTCertificates. This is expected to improve performance,
as constructing a CERTCertificate will typically involve querying the
NSS certificate database.
@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 26, 2024
edited
Loading

Failed Interop Tests

QUIC Interop Runner, client vs. server

neqo-latest as client

neqo-latest as server

All results

Succeeded Interop Tests

QUIC Interop Runner, client vs. server

neqo-latest as client

neqo-latest as server

Unsupported Interop Tests

QUIC Interop Runner, client vs. server

neqo-latest as client

neqo-latest as server

@github-actions GitHub Actions
Copy link

Firefox builds for this PR

The following builds are available for testing. Crossed-out builds did not succeed.

@larseggert
Copy link
Collaborator

@jschanck I'll need to fix CI Monday, then will rebase.

martinthomson
martinthomson reviewed Jul 27, 2024
View reviewed changes
Copy link
Member

@martinthomson martinthomson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding the patch to the glue, consider using let Some(info) = ... else { return NS_ERROR_FAILURE; }; instead.

neqo-crypto/src/p11.rs Outdated Show resolved Hide resolved
neqo-crypto/src/cert.rs Show resolved Hide resolved
@larseggert larseggert mentioned this pull request Jul 29, 2024
Merged
@larseggert
Copy link
Collaborator

@jschanck I rebased, now the NSS build is breaking due to https://bugzilla.mozilla.org/show_bug.cgi?id=1902078#c13

@larseggert larseggert added the needs-review Needs a review by a CODEOWNER. label Jul 30, 2024
martinthomson
martinthomson approved these changes Jul 30, 2024
View reviewed changes
Copy link
Member

@martinthomson martinthomson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems legit.

neqo-crypto/src/p11.rs Outdated Show resolved Hide resolved
@codecov Codecov
Copy link

codecov bot commented Jul 31, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.00%. Comparing base (c80630b) to head (c28dc64).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2009      +/-   ##
==========================================
- Coverage   95.00%   95.00%   -0.01%     
==========================================
  Files         112      112              
  Lines       36394    36400       +6     
==========================================
+ Hits        34577    34581       +4     
- Misses       1817     1819       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 31, 2024
edited
Loading

Benchmark results

Performance differences relative to c80630b.

coalesce_acked_from_zero 1+1 entries: 💔 Performance has regressed.
       time:   [198.20 ns 198.67 ns 199.19 ns]
       change: [+3.3734% +3.7985% +4.2063%] (p = 0.00 < 0.05)

Found 15 outliers among 100 measurements (15.00%)

5 (5.00%) high mild

10 (10.00%) high severe

coalesce_acked_from_zero 3+1 entries: 💔 Performance has regressed.
       time:   [243.05 ns 244.22 ns 246.12 ns]
       change: [+3.7287% +4.3037% +4.9116%] (p = 0.00 < 0.05)

Found 13 outliers among 100 measurements (13.00%)

1 (1.00%) low mild

12 (12.00%) high severe

coalesce_acked_from_zero 10+1 entries: 💔 Performance has regressed.
       time:   [242.83 ns 243.54 ns 244.40 ns]
       change: [+3.2778% +4.1230% +4.8243%] (p = 0.00 < 0.05)

Found 7 outliers among 100 measurements (7.00%)

7 (7.00%) high severe

coalesce_acked_from_zero 1000+1 entries: 💔 Performance has regressed.
       time:   [224.31 ns 224.47 ns 224.68 ns]
       change: [+3.2674% +3.9504% +4.6547%] (p = 0.00 < 0.05)

Found 14 outliers among 100 measurements (14.00%)

6 (6.00%) high mild

8 (8.00%) high severe

RxStreamOrderer::inbound_frame(): Change within noise threshold.
       time:   [120.78 ms 120.83 ms 120.89 ms]
       change: [+0.1832% +0.3814% +0.5134%] (p = 0.00 < 0.05)

Found 8 outliers among 100 measurements (8.00%)

6 (6.00%) high mild

2 (2.00%) high severe

transfer/pacing-false/varying-seeds: No change in performance detected.
       time:   [41.373 ms 43.153 ms 44.971 ms]
       change: [-3.7790% +2.1895% +8.8402%] (p = 0.50 > 0.05)

Found 1 outliers among 100 measurements (1.00%)

1 (1.00%) high mild

transfer/pacing-true/varying-seeds: No change in performance detected.
       time:   [53.740 ms 56.730 ms 59.728 ms]
       change: [-6.8131% +0.3312% +8.0992%] (p = 0.93 > 0.05)
transfer/pacing-false/same-seed: No change in performance detected.
       time:   [47.147 ms 48.743 ms 50.296 ms]
       change: [-7.3968% -3.3797% +0.9063%] (p = 0.11 > 0.05)

Found 1 outliers among 100 measurements (1.00%)

1 (1.00%) low mild

transfer/pacing-true/same-seed: No change in performance detected.
       time:   [69.367 ms 75.934 ms 82.415 ms]
       change: [-9.2663% +2.8539% +15.277%] (p = 0.64 > 0.05)
1-conn/1-100mb-resp (aka. Download)/client: 💚 Performance has improved.
       time:   [168.09 ms 176.20 ms 185.51 ms]
       thrpt:  [539.05 MiB/s 567.54 MiB/s 594.92 MiB/s]
change:
       time:   [-39.266% -35.647% -31.297%] (p = 0.00 < 0.05)
       thrpt:  [+45.553% +55.392% +64.653%]

Found 8 outliers among 100 measurements (8.00%)

8 (8.00%) high severe

1-conn/10_000-parallel-1b-resp (aka. RPS)/client: Change within noise threshold.
       time:   [403.16 ms 406.34 ms 409.52 ms]
       thrpt:  [24.419 Kelem/s 24.610 Kelem/s 24.804 Kelem/s]
change:
       time:   [-3.2701% -2.1244% -0.9752%] (p = 0.00 < 0.05)
       thrpt:  [+0.9848% +2.1705% +3.3807%]

Found 1 outliers among 100 measurements (1.00%)

1 (1.00%) low mild

1-conn/1-1b-resp (aka. HPS)/client: 💚 Performance has improved.
       time:   [46.055 ms 46.778 ms 47.496 ms]
       thrpt:  [21.054  elem/s 21.378  elem/s 21.713  elem/s]
change:
       time:   [-31.603% -30.349% -29.139%] (p = 0.00 < 0.05)
       thrpt:  [+41.122% +43.572% +46.206%]

Client/server transfer results

Transfer of 33554432 bytes over loopback.

Client Server CC Pacing Mean [ms] Min [ms] Max [ms] Relative
msquic msquic 203.7 ± 104.4 104.0 441.0 1.00
neqo msquic reno on 302.3 ± 78.0 251.7 468.5 1.00
neqo msquic reno 261.9 ± 5.8 252.5 271.9 1.00
neqo msquic cubic on 264.3 ± 11.0 249.5 282.9 1.00
neqo msquic cubic 293.1 ± 45.1 253.2 387.6 1.00
msquic neqo reno on 205.8 ± 84.3 147.5 428.0 1.00
msquic neqo reno 202.1 ± 83.3 141.2 359.1 1.00
msquic neqo cubic on 192.3 ± 77.1 139.9 363.7 1.00
msquic neqo cubic 210.2 ± 70.1 110.5 364.0 1.00
neqo neqo reno on 174.1 ± 19.1 149.9 215.3 1.00
neqo neqo reno 205.9 ± 59.9 164.9 377.9 1.00
neqo neqo cubic on 193.8 ± 72.4 144.6 466.2 1.00
neqo neqo cubic 250.8 ± 96.2 167.3 429.1 1.00

⬇️ Download logs

larseggert
larseggert approved these changes Jul 31, 2024
View reviewed changes
Copy link
Collaborator

@larseggert larseggert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jschanck any chance we could add some test to improve coverage? See https://app.codecov.io/gh/mozilla/neqo/pull/2009/blob/neqo-crypto/src/cert.rs

@larseggert larseggert removed the needs-review Needs a review by a CODEOWNER. label Jul 31, 2024
@jschanck jschanck requested a review from mxinden as a code owner August 1, 2024 22:28
martinthomson
martinthomson approved these changes Aug 1, 2024
View reviewed changes
Copy link
Member

@martinthomson martinthomson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to merge this now. Thanks for the exemplary change, John.

@martinthomson martinthomson enabled auto-merge August 1, 2024 22:40
@martinthomson martinthomson added this pull request to the merge queue Aug 1, 2024
Merged via the queue into mozilla:main with commit d5c656a Aug 1, 2024
56 of 57 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinthomson martinthomson martinthomson approved these changes

@larseggert larseggert larseggert approved these changes

@KershawChang KershawChang Awaiting requested review from KershawChang KershawChang is a code owner

@mxinden mxinden Awaiting requested review from mxinden mxinden is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jschanck @larseggert @martinthomson