On Mon, Jan 27, 2020 at 06:20:27PM +0000, Dan Heinz wrote: > I upgraded a library that used OpenSSL 1.0.2 to the OpenSSL 1.1.1d. > On Windows, I have found that the time to decrypt had doubled. After > a bit of timestamp logging, I found the RSA_private_decrypt function > is taking twice as long with 1.1.1d as it did with 1.0.2t. This is > being called from a Windows 64-bit DLL. RSA is not intended for bulk data decryption, its intended uses are key transport and signing. Bulk data decryption is done via AES or similar. > For example, decrypting 8680 bytes of data averages about .3 seconds > with the OpenSSL 1.0.2t library (statically linked). Decrypting the > same data with the OpenSSL 1.1.1d library averages about .6 seconds. Are you sure that's seconds and not milliseconds? These are absurdly long times, almost certainly dominated by factors other than the encryption algorithms. On my 2015 laptop (MacOS) I get: OpenSSL 1.0.2h: options:bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: cc -I. -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM sign verify sign/s verify/s rsa 2048 bits 0.000883s 0.000027s 1132.3 37397.7 OpenSSL 1.1.1a: options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: cc -fPIC -arch x86_64 -O3 -Wall -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG -DOPENSSL_API_COMPAT=0x10100000L sign verify sign/s verify/s rsa 2048 bits 0.000883s 0.000026s 1132.8 38377.8 Which shows an RSA 2048-bit signature (private key decrypt operation) taking less than 1ms, and not materially different between 1.0.2 and 1.1.1. > I'm wondering if perhaps my build configuration is incorrect or > missing something for the 1.1.1d build. Here are the configuration > parameters for the 64-bit build: There's probably a deeper issue with what you're doing, you need to be much more specific about what you're measuring. Is this SMIME? CMS? What is the RSA key size? What is the bulk encryption cipher? > Configure VC-WIN64A --prefix=%RootPath_ThirdParty%\%OPENSSL_VERSION% > -DPURIFY -DOPENSSL_NO_COMP -D_USING_V110_SDK71_ no-shared no-asm > no-idea no-mdc2 no-rc5 no-ssl2 no-ssl3 no-zlib no-comp no-pinshared PURIFY must not be enabled in production builds, it is only for memory allocation/safety debugging. You've also disabled assembly optimizations, which reduces side-channel resistance and hurts performance. > I logged things granular enough to see the speed difference was in > RSA_private_decrypt, but I'm not sure why it is so much slower with > 1.1.1d. Any help or ideas would be appreciated! At 600ms for 8KB, it is not plausible that the time is spend doing cryptography. That's barely fast enough to feed a 1980's modem. -- Viktor.