feat: In-place crypto

[larseggert]

Fixes #2246 (eventually)

[codecov]

Codecov Report

Attention: Patch coverage is 99.59677% with 1 line in your changes missing coverage. Please review.

Project coverage is 95.33%. Comparing base (379722c) to head (5498522).

Files with missing lines	Patch %	Lines
neqo-crypto/src/aead.rs	97.77%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #2385    +/-   ##
========================================
  Coverage   95.32%   95.33%            
========================================
  Files         114      114            
  Lines       36868    36968   +100     
  Branches    36868    36968   +100     
========================================
+ Hits        35146    35243    +97     
- Misses       1718     1719     +1     
- Partials        4        6     +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Failed Interop Tests

QUIC Interop Runner, client vs. server, differences relative to 108fb8d.

neqo-latest as client

• neqo-latest vs. aioquic: ⚠️Z
• neqo-latest vs. go-x-net: BP BA
• neqo-latest vs. haproxy: 🚀L1 BP BA
• neqo-latest vs. kwik: BP BA
• neqo-latest vs. msquic: 🚀Z A 🚀C1
• neqo-latest vs. mvfst: A L1 C1 BP BA
• neqo-latest vs. nginx: BP BA
• neqo-latest vs. quic-go: BP BA
• neqo-latest vs. quiche: 🚀U L1 ⚠️C1 BP BA
• neqo-latest vs. s2n-quic: 🚀BP BA CM
• neqo-latest vs. xquic: run cancelled after min

neqo-latest as server

• aioquic vs. neqo-latest: CM
• go-x-net vs. neqo-latest: CM
• kwik vs. neqo-latest: BP BA CM
• lsquic vs. neqo-latest: run cancelled after min
• msquic vs. neqo-latest: Z 🚀U CM
• mvfst vs. neqo-latest: run cancelled after min
• ngtcp2 vs. neqo-latest: run cancelled after min
• quic-go vs. neqo-latest: CM
• quiche vs. neqo-latest: run cancelled after min
• quinn vs. neqo-latest: V2 CM
• s2n-quic vs. neqo-latest: CM
• xquic vs. neqo-latest: run cancelled after min

All results

Succeeded Interop Tests

QUIC Interop Runner, client vs. server

neqo-latest as client

• neqo-latest vs. aioquic: ⚠️H DC LR C20 M S R 3 B U A L1 L2 C1 C2 6 V2 BP BA
• neqo-latest vs. go-x-net: H DC LR M B U A L2 C2 6
• neqo-latest vs. haproxy: H DC LR C20 M S R Z 3 B U A ⚠️L1 L2 C1 C2 6 V2
• neqo-latest vs. kwik: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 V2
• neqo-latest vs. lsquic: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA
• neqo-latest vs. msquic: H DC LR C20 M S R ⚠️Z B U L1 L2 ⚠️C1 C2 6 V2 BP BA
• neqo-latest vs. mvfst: H DC LR M R Z 3 B U L2 C2 6
• neqo-latest vs. neqo: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA ⚠️CM
• neqo-latest vs. neqo-latest: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA ⚠️CM
• neqo-latest vs. nginx: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6
• neqo-latest vs. ngtcp2: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 ⚠️BP BA
• neqo-latest vs. picoquic: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA
• neqo-latest vs. quic-go: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6
• neqo-latest vs. quiche: H DC LR C20 M S R Z 3 B ⚠️U A ⚠️L1 L2 🚀C1 C2 6
• neqo-latest vs. quinn: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 BP BA
• neqo-latest vs. s2n-quic: H DC LR C20 M S R 3 B U E A L1 L2 C1 C2 6 ⚠️BP

neqo-latest as server

• aioquic vs. neqo-latest: H DC LR C20 M S R Z 3 B A L1 L2 C1 C2 6 V2 BP BA
• chrome vs. neqo-latest: 3
• go-x-net vs. neqo-latest: H DC LR M B U A L2 C2 6 BP BA
• kwik vs. neqo-latest: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 V2
• msquic vs. neqo-latest: H DC LR C20 M S R B ⚠️U A L1 L2 C1 C2 6 V2 BP BA
• neqo vs. neqo-latest: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA ⚠️CM
• picoquic vs. neqo-latest: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA ⚠️CM
• quic-go vs. neqo-latest: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 BP BA
• quinn vs. neqo-latest: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 BP BA
• s2n-quic vs. neqo-latest: H DC LR M S R 3 B E A L1 L2 C1 C2 6 BP BA

Unsupported Interop Tests

QUIC Interop Runner, client vs. server

neqo-latest as client

• neqo-latest vs. aioquic: ⚠️E CM
• neqo-latest vs. go-x-net: C20 S R Z 3 E L1 C1 V2 CM
• neqo-latest vs. haproxy: E CM
• neqo-latest vs. kwik: E CM
• neqo-latest vs. lsquic: CM
• neqo-latest vs. msquic: 3 E CM
• neqo-latest vs. mvfst: C20 S E V2 CM
• neqo-latest vs. nginx: E V2 CM
• neqo-latest vs. ngtcp2: CM
• neqo-latest vs. picoquic: CM
• neqo-latest vs. quic-go: E V2 CM
• neqo-latest vs. quiche: E V2 CM
• neqo-latest vs. quinn: V2 CM
• neqo-latest vs. s2n-quic: Z V2

neqo-latest as server

• aioquic vs. neqo-latest: U E
• chrome vs. neqo-latest: H DC LR C20 M S R Z B U E A L1 L2 C1 C2 6 V2 BP BA CM
• go-x-net vs. neqo-latest: C20 S R Z 3 E L1 C1 V2
• kwik vs. neqo-latest: E
• msquic vs. neqo-latest: 3 E
• quic-go vs. neqo-latest: E V2
• s2n-quic vs. neqo-latest: C20 Z U V2

[github-actions]

Benchmark results

Performance differences relative to 379722c.

decode 4096 bytes, mask ff: No change in performance detected.

       time:   [11.840 µs 11.876 µs 11.918 µs]
       change: [-0.9427% -0.2009% +0.5321%] (p = 0.64 > 0.05)
Found 16 outliers among 100 measurements (16.00%)

1 (1.00%) low severe

4 (4.00%) low mild

1 (1.00%) high mild

10 (10.00%) high severe

decode 1048576 bytes, mask ff: Change within noise threshold.

       time:   [2.8846 ms 2.8924 ms 2.9017 ms]
       change: [-1.8770% -1.4110% -0.9559%] (p = 0.00 < 0.05)
Found 7 outliers among 100 measurements (7.00%)

7 (7.00%) high severe

decode 4096 bytes, mask 7f: No change in performance detected.

       time:   [19.815 µs 19.884 µs 19.958 µs]
       change: [-0.4636% +3.8130% +12.051%] (p = 0.54 > 0.05)
Found 19 outliers among 100 measurements (19.00%)

1 (1.00%) low mild

1 (1.00%) high mild

17 (17.00%) high severe

decode 1048576 bytes, mask 7f: Change within noise threshold.

       time:   [5.0703 ms 5.0832 ms 5.0967 ms]
       change: [+0.0402% +0.4171% +0.7929%] (p = 0.03 < 0.05)
Found 16 outliers among 100 measurements (16.00%)

16 (16.00%) high severe

decode 4096 bytes, mask 3f: No change in performance detected.

       time:   [6.9116 µs 6.9545 µs 7.0079 µs]
       change: [-1.3035% +0.0195% +1.1017%] (p = 0.98 > 0.05)
Found 18 outliers among 100 measurements (18.00%)

4 (4.00%) low mild

3 (3.00%) high mild

11 (11.00%) high severe

decode 1048576 bytes, mask 3f: No change in performance detected.

       time:   [1.4152 ms 1.4208 ms 1.4277 ms]
       change: [-0.4010% +0.1870% +0.7749%] (p = 0.55 > 0.05)
Found 10 outliers among 100 measurements (10.00%)

3 (3.00%) high mild

7 (7.00%) high severe

coalesce_acked_from_zero 1+1 entries: Change within noise threshold.

       time:   [98.872 ns 99.075 ns 99.280 ns]
       change: [+0.1926% +0.5738% +0.9919%] (p = 0.00 < 0.05)
Found 8 outliers among 100 measurements (8.00%)

2 (2.00%) high mild

6 (6.00%) high severe

coalesce_acked_from_zero 3+1 entries: No change in performance detected.

       time:   [117.25 ns 117.61 ns 117.99 ns]
       change: [-1.1860% -0.1557% +0.5782%] (p = 0.79 > 0.05)
Found 14 outliers among 100 measurements (14.00%)

3 (3.00%) low mild

1 (1.00%) high mild

10 (10.00%) high severe

coalesce_acked_from_zero 10+1 entries: No change in performance detected.

       time:   [117.01 ns 117.56 ns 118.17 ns]
       change: [-0.3171% +0.2601% +0.7536%] (p = 0.36 > 0.05)
Found 12 outliers among 100 measurements (12.00%)

2 (2.00%) low severe

1 (1.00%) low mild

1 (1.00%) high mild

8 (8.00%) high severe

coalesce_acked_from_zero 1000+1 entries: No change in performance detected.

       time:   [97.589 ns 97.718 ns 97.868 ns]
       change: [-1.0319% +0.0511% +1.0381%] (p = 0.93 > 0.05)
Found 13 outliers among 100 measurements (13.00%)

7 (7.00%) high mild

6 (6.00%) high severe

RxStreamOrderer::inbound_frame(): No change in performance detected.

       time:   [111.21 ms 111.27 ms 111.33 ms]
       change: [-0.1102% -0.0334% +0.0452%] (p = 0.41 > 0.05)
Found 23 outliers among 100 measurements (23.00%)

11 (11.00%) low severe

1 (1.00%) high mild

11 (11.00%) high severe

SentPackets::take_ranges: No change in performance detected.

       time:   [5.4988 µs 5.6582 µs 5.8251 µs]
       change: [-14.582% -3.1118% +4.8905%] (p = 0.74 > 0.05)
Found 7 outliers among 100 measurements (7.00%)

5 (5.00%) high mild

2 (2.00%) high severe

transfer/pacing-false/varying-seeds: 💚 Performance has improved.

       time:   [39.778 ms 39.856 ms 39.939 ms]
       change: [-8.4091% -8.1545% -7.9079%] (p = 0.00 < 0.05)
Found 2 outliers among 100 measurements (2.00%)

1 (1.00%) low mild

1 (1.00%) high severe

transfer/pacing-true/varying-seeds: 💚 Performance has improved.

       time:   [40.172 ms 40.260 ms 40.356 ms]
       change: [-7.2430% -6.9256% -6.5994%] (p = 0.00 < 0.05)
Found 1 outliers among 100 measurements (1.00%)

1 (1.00%) high severe

transfer/pacing-false/same-seed: 💚 Performance has improved.

       time:   [40.091 ms 40.175 ms 40.265 ms]
       change: [-7.3297% -7.0459% -6.7661%] (p = 0.00 < 0.05)
Found 2 outliers among 100 measurements (2.00%)

1 (1.00%) low mild

1 (1.00%) high severe

transfer/pacing-true/same-seed: 💚 Performance has improved.

       time:   [40.165 ms 40.237 ms 40.319 ms]
       change: [-8.2108% -7.9660% -7.7219%] (p = 0.00 < 0.05)
Found 1 outliers among 100 measurements (1.00%)

1 (1.00%) high severe

1-conn/1-100mb-resp/mtu-1504 (aka. Download)/client: 💚 Performance has improved.

       time:   [877.81 ms 888.75 ms 899.85 ms]
       thrpt:  [111.13 MiB/s 112.52 MiB/s 113.92 MiB/s]
change:
       time:   [-5.2321% -3.7353% -2.2598%] (p = 0.00 < 0.05)
       thrpt:  [+2.3121% +3.8802% +5.5210%]

1-conn/10_000-parallel-1b-resp/mtu-1504 (aka. RPS)/client: Change within noise threshold.

       time:   [313.16 ms 315.40 ms 317.72 ms]
       thrpt:  [31.474 Kelem/s 31.706 Kelem/s 31.933 Kelem/s]
change:
       time:   [-2.6314% -1.7000% -0.7082%] (p = 0.00 < 0.05)
       thrpt:  [+0.7133% +1.7294% +2.7025%]
Found 2 outliers among 100 measurements (2.00%)

2 (2.00%) high mild

1-conn/1-1b-resp/mtu-1504 (aka. HPS)/client: No change in performance detected.

       time:   [34.044 ms 34.215 ms 34.401 ms]
       thrpt:  [29.069  elem/s 29.227  elem/s 29.374  elem/s]
change:
       time:   [-1.3788% -0.6632% +0.0845%] (p = 0.06 > 0.05)
       thrpt:  [-0.0844% +0.6676% +1.3981%]
Found 6 outliers among 100 measurements (6.00%)

2 (2.00%) low mild

2 (2.00%) high mild

2 (2.00%) high severe

1-conn/1-100mb-resp/mtu-1504 (aka. Upload)/client: 💚 Performance has improved.

       time:   [1.5393 s 1.5551 s 1.5713 s]
       thrpt:  [63.644 MiB/s 64.304 MiB/s 64.965 MiB/s]
change:
       time:   [-10.431% -9.0563% -7.6859%] (p = 0.00 < 0.05)
       thrpt:  [+8.3258% +9.9582% +11.646%]

Client/server transfer results

Transfer of 33554432 bytes over loopback.

Client	Server	CC	Pacing	MTU	Mean [ms]	Min [ms]	Max [ms]
gquiche	gquiche			1504	578.6 ± 91.2	507.9	799.7
neqo	gquiche	reno	on	1504	774.0 ± 36.3	737.8	861.9
neqo	gquiche	reno		1504	783.2 ± 87.9	737.9	1031.2
neqo	gquiche	cubic	on	1504	733.6 ± 10.7	715.4	753.9
neqo	gquiche	cubic		1504	762.5 ± 25.2	742.0	827.2
msquic	msquic			1504	166.3 ± 88.2	101.9	352.8
neqo	msquic	reno	on	1504	292.6 ± 147.0	207.2	710.2
neqo	msquic	reno		1504	220.5 ± 12.7	205.5	253.0
neqo	msquic	cubic	on	1504	252.1 ± 89.3	195.9	484.4
neqo	msquic	cubic		1504	287.4 ± 88.9	207.3	451.0
gquiche	neqo	reno	on	1504	677.4 ± 103.9	540.8	847.6
gquiche	neqo	reno		1504	686.3 ± 107.8	545.5	899.8
gquiche	neqo	cubic	on	1504	707.7 ± 94.2	589.3	881.5
gquiche	neqo	cubic		1504	667.2 ± 93.3	536.2	795.5
msquic	neqo	reno	on	1504	486.8 ± 45.2	464.5	613.7
msquic	neqo	reno		1504	469.9 ± 12.2	454.6	493.6
msquic	neqo	cubic	on	1504	475.9 ± 43.0	444.4	564.7
msquic	neqo	cubic		1504	490.5 ± 60.4	447.5	612.4
neqo	neqo	reno	on	1504	452.6 ± 62.0	414.9	619.6
neqo	neqo	reno		1504	450.2 ± 42.3	420.7	546.5
neqo	neqo	cubic	on	1504	459.2 ± 47.1	434.5	590.8
neqo	neqo	cubic		1504	489.2 ± 50.3	451.3	614.0

⬇️ Download logs

[larseggert]

@mxinden when you have a moment, would you take a look at the borrow-checker issue in PublicPacket::decode? It's the last one I couldn't figure out how to address.

[mxinden]

Took a quick look.

            let dcid = Self::opt(dcid_decoder.decode_cid(&mut decoder))?;
            if decoder.remaining() < SAMPLE_OFFSET + SAMPLE_SIZE {
                return Err(Error::InvalidPacket);
            }
            let header_len = decoder.offset();
            return Ok((
                Self {
                    packet_type: PacketType::Short,
                    dcid,
                    scid: None,
                    token: &[],
                    header_len,
                    version: None,
                    data,
                },
                &[],
                &mut [],
            ));

• decoder has an immutable reference to data.
• Through decoder dcid has an immutable reference to data.
• The function returns both dcid (immutable reference to data) AND data. In other words, it returns both an immutable and a mutable reference to data, which is disallowed.

I can take a deeper look and try to fix it.

[larseggert]

Thanks for the analysis! Wonder if we can make dcid a Range into data...

[mxinden]

Ah, never seen this before. That would be error prone as the bytes within the range in data could change at any point in time, right? I will give this more thought.

[mxinden]

The above described issue, namely that of dcid and data being a conflicting (im-) mutable borrow, can be fixed by "allocating" dcid on the stack via an owned ConnectionId backed by a SmallVec:

diff --git a/neqo-transport/src/packet/mod.rs b/neqo-transport/src/packet/mod.rs
index 73b47bcc..779ca72b 100644
--- a/neqo-transport/src/packet/mod.rs
+++ b/neqo-transport/src/packet/mod.rs
@@ -563,7 +563,7 @@ pub struct PublicPacket<'a> {
     /// The packet type.
     packet_type: PacketType,
     /// The recovered destination connection ID.
-    dcid: ConnectionIdRef<'a>,
+    dcid: ConnectionId,
     /// The source connection ID, if this is a long header packet.
     scid: Option<ConnectionIdRef<'a>>,
     /// Any token that is included in the packet (Retry always has a token; Initial sometimes

That leaves us with another issue, namely rustc not being able to infer that early returns of data don't interfere with the final return of remainder. I have an idea which I will explore tomorrow.

[mxinden]

Okay, I got it.

Let's take a look at PacketBuilder on main:

/// `PublicPacket` holds information from packets that is public only.  This allows for
/// processing of packets prior to decryption.
pub struct PublicPacket<'a> {
    /// The packet type.
    packet_type: PacketType,
    /// The recovered destination connection ID.
    dcid: ConnectionIdRef<'a>,
    /// The source connection ID, if this is a long header packet.
    scid: Option<ConnectionIdRef<'a>>,
    /// Any token that is included in the packet (Retry always has a token; Initial sometimes
    /// does). This is empty when there is no token.
    token: &'a [u8],
    /// The size of the header, not including the packet number.
    header_len: usize,
    /// Protocol version, if present in header.
    version: Option<WireVersion>,
    /// A reference to the entire packet, including the header.
    data: &'a [u8],
}

dcid, scid, token and data are all immutable references into the same underlying memory allocation, here our long lived receive buffer.

This pull request introduces the following change:

@@ -564,7 +574,7 @@ pub struct PublicPacket<'a> {
     /// Protocol version, if present in header.
     version: Option<WireVersion>,
     /// A reference to the entire packet, including the header.
-    data: &'a [u8],
+    data: &'a mut [u8],
 }

While dcid, scid and token are untouched, data is now a mutable reference. Having both immutable and mutable references to the same memory allocation is illegal, thus the compiler error.

An easy fix would be to make dcid, scid and token owned types. Given their small footprint, this is likely fine. There might be some additional optimizations, but I doubt they are worth it.

diff --git a/neqo-transport/src/packet/mod.rs b/neqo-transport/src/packet/mod.rs
index 73b47bcc..dc85bbd0 100644
--- a/neqo-transport/src/packet/mod.rs
+++ b/neqo-transport/src/packet/mod.rs
@@ -563,12 +563,12 @@ pub struct PublicPacket<'a> {
     /// The packet type.
     packet_type: PacketType,
     /// The recovered destination connection ID.
-    dcid: ConnectionIdRef<'a>,
+    dcid: ConnectionId,
     /// The source connection ID, if this is a long header packet.
-    scid: Option<ConnectionIdRef<'a>>,
+    scid: Option<ConnectionId>,
     /// Any token that is included in the packet (Retry always has a token; Initial sometimes
     /// does). This is empty when there is no token.
-    token: &'a [u8],
+    token: Vec<u8>,
     /// The size of the header, not including the packet number.
     header_len: usize,
     /// Protocol version, if present in header.

The above, plus a couple of smaller lifetime changes resolve the borrow checker issues.

I will propose a commit with my local changes.

[mxinden]

@larseggert let me know what you think of larseggert#34.

Note that it only addresses the borrow-checker issues in neqo-transport/src/packet/mod.rs.

Happy to look at the neqo-http3 failures as well.

[martinthomson]

I'm looking at the calling code and I think that we can change this to take self instead of &mut self. There is some use of the public packet after decryption, but it seems like the necessary pieces can be moved to the decrypted packet.

[larseggert]

I'd suggest a separate PR for this.

[martinthomson]

FWIW, I looked at the aead crate interface here. I don't think that is going to fit our needs very well.

[larseggert]

FWIW, I looked at the aead crate interface here. I don't think that is going to fit our needs very well.

I actually think they might? Our API after the last round of changes is very similar. (Or I'm missing something.)