[Help-gnutls] Re: gnutls_handshake() is slow and is a big lock

Eric Leblond regit at inl.fr
Sat Jul 29 14:14:30 CEST 2006

Le samedi 29 juillet 2006 à 13:50 +0200, Simon Josefsson a écrit :
> Eric Leblond <regit at inl.fr> writes:
> > Hi,
> >
> > After a long benchmark week, we found some slowness in our program
> > (NuFW : http://www;nufw.org).
> Hi!  Cool.  I don't think we have really spent much time on optimizing
> GnuTLS, so your efforts are great.
> > The main point is that gnutls_handshake() is "slow". Slow means :
> >       * ~200ms on an AMD 2GHz
> >       * ~500 ms on an IBM PowerPC with 4 CPU bicore !?
> > The weirdest thing is that it takes only about 30ms on a laptop (Intel
> > Celeron 1.6Ghz)
> Maybe some thread or locking issue.
> > For that test, we use the same clients and only switch the server
> > target, thus time comes from the server.
> >
> > We dig into gnutls code, and we found *the* function which takes so much
> > time. At the server site, the function is:
> >    _gnutls_pkcs1_rsa_decrypt() -- lib/auth_rsa.c
> Can you tell whether the majority of that time is spent in
> gcry_pk_decrypt or somewhere else?
> I have been working on an abstract crypto layer between GnuTLS and
> gcrypt, to simplify adding specialized routines for a particular
> algorithm, or even hardware accelerators.  Hashing and symmetric
> operations have already been finished, but unfortunately I ran out of
> spare time for the MPI/PK part.
> > Another *BAD* point is that the handshake doesn't look to be possible on
> > multiple threads whereas server code uses a lot of thread.
> I'm not sure I follow here.  Why doesn't this work?  You shouldn't use
> the same gnutls_session from several threads at the same time, but
> presumably, you have one thread for each gnutls_session don't you?  

Yes this is it, one thread per gnutls_handshake.

> I
> haven't tried it, but I think it should work.

No sadly, it seems there's a lot in gcrypt and all gets serialized.

> > So, any idea to explain why _gnutls_pkcs1_rsa_decrypt() is so slow on my
> > computer and really faster on another one?
> Hm.  Libgcrypt seem to need strong randomness for blinding purposes,
> maybe this is what stalls everything?
> Try disabling blinding in libgcrypt and try again.  I.e., insert
> 'flags |= PUBKEY_FLAG_NO_BLINDING;' into cipher/rsa.c at the top of
> _gcry_rsa_decrypt().

Ok, I'm giving a try to this.

> > And do you think that gnutls_handshake() can be used in two
> > different threads at the same time?
> If you use different gnutls_session objects in each thread, I think
> this should work.  But I haven't tested it.  Maybe you need extra
> copies of other structures too, used by the gnutls_session.
> Hope this helps,
> Simon

More information about the Gnutls-help mailing list