Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace OpenSSL usage with BoringSSL #1233

Closed
wants to merge 13 commits into from
Closed

Replace OpenSSL usage with BoringSSL #1233

wants to merge 13 commits into from

Conversation

vladtr
Copy link
Contributor

@vladtr vladtr commented Jun 5, 2023
edited
Loading

This PR replaces OpenSSL usage with BoringSSL in leap. This is based on the previous effort EOSIO/eos#9026 and described in detail here - #644 including all technical challenges of replacement.

Integration of BoringSSL in this PR following same approach as Chromium https://source.chromium.org/chromium/chromium/src/+/main:third_party/boringssl/ and based on a python script that generates all the build structure (generate_build_files.py).

We had to patch build environment generation script to include missing dependencies for leap and detailed description of what needs to be done to upgrade BoringSSL in future is described in readme: https://github.com/AntelopeIO/leap/blob/5d1ce58cdd79eb96a2e83c98b8c27c1155273c80/libraries/libfc/third_party/boringssl/README.md

All tests seems to pass, but this is still in draft for now pending additional testing

Following, benchmarks of BoringSSL vs OpenSSL (2970WX CPU):

-BORINGSSL---------------------------------------------------------------------------

function                    runs        average       minimum       maximum

alt_bn_128:
alt_bn128_add               1,000      25,773 ns      25,257 ns      36,098 ns
alt_bn128_mul               1,000     123,121 ns     112,201 ns     241,455 ns
alt_bn128_pair (1 pair)     1,000   2,963,966 ns   2,941,270 ns   3,686,675 ns
alt_bn128_pair (10 pairs)   1,000  11,161,420 ns  11,028,624 ns  15,951,337 ns

blake2:
blake2                      1,000         368 ns         340 ns       6,513 ns

hash:
sha1 (64 bytes)             1,000         100 ns          90 ns       8,627 ns
sha1 (4096 bytes)           1,000       1,947 ns       1,913 ns       2,415 ns
sha256 (64 bytes)           1,000          98 ns          90 ns         701 ns
sha256 (4096 bytes)         1,000       2,077 ns       2,033 ns       6,693 ns
sha512 (64 bytes)           1,000         251 ns         240 ns       5,440 ns
sha512 (4096 bytes)         1,000       6,977 ns       6,923 ns      10,219 ns
ripemd160 (64 bytes)        1,000         298 ns         290 ns       4,809 ns
ripemd160 (4096 bytes)      1,000       8,299 ns       8,215 ns      11,873 ns
sha3-256 (64 bytes)         1,000         777 ns         741 ns       1,904 ns
sha3-256 (4096 bytes)       1,000      22,996 ns      22,702 ns      32,281 ns
keccak256 (64 bytes)        1,000         780 ns         741 ns         982 ns
keccak256 (4096 bytes)      1,000      23,014 ns      22,782 ns      27,772 ns

key:
k1_sign_non_canonical       1,000      34,026 ns      33,623 ns      96,572 ns
k1_recover                  1,000      46,708 ns      46,347 ns     130,296 ns
r1_sign                     1,000     244,953 ns     170,571 ns     349,448 ns
r1_recover                  1,000      93,744 ns      91,843 ns     237,738 ns
webauthn_sign               1,000     235,457 ns     162,085 ns     315,244 ns
webauthn_recover            1,000      95,646 ns      93,226 ns     239,611 ns

modexp:
1024 bit width              1,000     336,372 ns     333,749 ns     374,225 ns
2048 bit width              1,000   2,417,955 ns   2,399,289 ns   3,630,097 ns


-OPENSSL---------------------------------------------------------------------------

function                    runs        average       minimum       maximum

alt_bn_128:
alt_bn128_add               1,000      26,168 ns      25,217 ns      35,747 ns
alt_bn128_mul               1,000     126,114 ns     112,421 ns     286,800 ns
alt_bn128_pair (1 pair)     1,000   2,959,887 ns   2,938,313 ns   5,028,780 ns
alt_bn128_pair (10 pairs)   1,000  11,136,242 ns  10,997,047 ns  14,019,633 ns

blake2:
blake2                      1,000         363 ns         340 ns       8,386 ns

hash:
sha1 (64 bytes)             1,000         108 ns         100 ns       6,983 ns
sha1 (4096 bytes)           1,000       1,957 ns       1,923 ns       2,475 ns
sha256 (64 bytes)           1,000         117 ns         110 ns       4,990 ns
sha256 (4096 bytes)         1,000       2,121 ns       2,053 ns       2,696 ns
sha512 (64 bytes)           1,000         278 ns         260 ns       5,300 ns
sha512 (4096 bytes)         1,000       5,876 ns       5,660 ns       9,148 ns
ripemd160 (64 bytes)        1,000         453 ns         440 ns       6,452 ns
ripemd160 (4096 bytes)      1,000      12,697 ns      12,404 ns      16,943 ns
sha3-256 (64 bytes)         1,000         784 ns         751 ns       1,192 ns
sha3-256 (4096 bytes)       1,000      23,106 ns      22,753 ns      35,007 ns
keccak256 (64 bytes)        1,000         767 ns         742 ns         962 ns
keccak256 (4096 bytes)      1,000      23,373 ns      22,814 ns      28,264 ns

key:
k1_sign_non_canonical       1,000      34,327 ns      33,434 ns      87,489 ns
k1_recover                  1,000      46,875 ns      46,309 ns     115,954 ns
r1_sign                     1,000     310,009 ns     229,171 ns     853,674 ns
r1_recover                  1,000     116,314 ns     114,661 ns     249,651 ns
webauthn_sign               1,000     296,020 ns     205,166 ns     788,148 ns
webauthn_recover            1,000     118,712 ns     116,164 ns     324,676 ns

modexp:
1024 bit width              1,000     336,217 ns     332,671 ns     730,477 ns
2048 bit width              1,000   2,408,765 ns   2,391,695 ns   3,676,871 ns

@vladtr vladtr linked an issue Jun 5, 2023 that may be closed by this pull request
Replace OpenSSL usage with BoringSSL #644
Closed
1 task
@vladtr vladtr marked this pull request as ready for review June 8, 2023 13:32
@spoonincode
Copy link
Member

the libtester changes need more work. As a quick sniff test of one use case, can run reference-contracts CI with this branch's leap-dev.deb,
Screenshot 2023-06-08 at 13-28-28 AntelopeIO_reference-contracts
Here is a run that fails,
https://github.com/AntelopeIO/reference-contracts/actions/runs/5214060361

@vladtr
Copy link
Contributor Author

vladtr commented Jun 9, 2023

Now it's working :) https://github.com/AntelopeIO/reference-contracts/actions/runs/5217601903

@spoonincode
Copy link
Member

Update docs such as,

leap/README.md

Line 51 in 142792e

- openssl 1.1+

and

leap/README.md

Line 138 in 142792e

libssl-dev \

Remove from base images such as

leap/.cicd/platforms/ubuntu20.Dockerfile

Line 12 in 142792e

libssl-dev \

and

leap/.cicd/platforms/ubuntu22.Dockerfile

Line 12 in 142792e

libssl-dev \

(although installing libcurl is probably going to bring it along for the ride anyways)

Remove from pinned dep script

leap/scripts/install_deps.sh

Line 17 in 142792e

libssl-dev \

Remove from dev package

leap/package.cmake

Line 64 in 142792e

set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "libboost-all-dev, libssl-dev, libgmp-dev, python3-numpy")

I think we need to add license

leap/CMakeLists.txt

Line 232 in 142792e

configure_file(programs/cleos/LICENSE.CLI11 licenses/leap/LICENSE.CLI11 COPYONLY)

@spoonincode spoonincode marked this pull request as draft June 23, 2023 16:42
@spoonincode spoonincode mentioned this pull request Sep 6, 2023
Merged
@spoonincode
Copy link
Member

#1599 replaces

@spoonincode spoonincode closed this Sep 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Replace OpenSSL usage with BoringSSL
2 participants
@vladtr @spoonincode