Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Allow OpenSSH to use hardware crypto engine if available.|
|Product:||[Fedora] Fedora||Reporter:||Solomon Peachy <pizza>|
|Component:||openssh||Assignee:||Jan F. Chadima <jchadima>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||12||CC:||jchadima, mgrepl, nsoranzo, tmraz|
|Fixed In Version:||openssh-5.3p1-19.fc12||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|:||563574 (view as bug list)||Environment:|
|Last Closed:||2010-03-10 01:40:42 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
Description Solomon Peachy 2010-01-28 12:12:02 EST
Created attachment 387380 [details] patch to have openssh call OPENSSL_config() Description of problem: I have several systems that have a VIA C7 CPU, which has a very fast onboard AES crypto engine. The OpenSSL libs support this via the 'padlock' engine. With a tweak to the openssl.cnf, the 'openssl' tool and suitably-enabled applications can take advantage of this engine for vast increases in throughput. OpenSSH supposedly is one of these applications, but as it's shipped, is lacking a crucial library call to actually load up the openssl.cnf file and switch over to the padlock engine. Version-Release number of selected component (if applicable): All versions of openssh are affected, including upstream development head. I've already reported this upstream, but in the mean time it would be nice if this would be applied in Fedora. upstream ticket: https://bugzilla.mindrot.org/show_bug.cgi?id=1707 Steps to Reproduce: 1. Tweak /etc/pki/tls/openssl.cnf to enable padlock engine openssl_conf = openssl_init [openssl_init] engines = openssl_engines [openssl_engines] padlock = padlock_engine [padlock_engine] default_algorithms = ALL dynamic_path = /usr/lib/openssl/engines/libpadlock.so init = 1 2. test 'openssl speed' to verify that engine works openssl speed -evp aes-128-ecb 3. test openssh (via scp) to verify that it is using padlock engine dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null Actual results: 'openssl speed' without the hardware engine shows roughly 11MB/s throughput. With padlock turned on, it jumps to 98MB/s-1.9GB/s depending on block size. (yes, really, 1.9GB/s!) openssh however shows no change in throughput or CPU utilization, roughly 5MB/s on this CPU. Expected results: openssh should go faster. With the attached patch applied, openssh's throughput jumps to over 12MB/s, clearly taking advantage of hardware crypto acceleration. If the openssl.cnf file is tweaked to disable the hardware engine, throughput drops back down again. Basically, without this patch openssh will not use the hardware engine unless the openssl libraries are tweaked to use it by default. See the upstream ticket for further details.
Comment 1 Solomon Peachy 2010-01-28 12:16:04 EST
FYI -- I modified F12's openssh-5.2p1-31.src.rpm to include this patch, and am using the resultant binaries for my tests.
Comment 2 Solomon Peachy 2010-01-28 20:38:36 EST
This patch has been accepted upstream and the referenced bug ticket closed; it will go into openssh-5.4p1.
Comment 3 Fedora Update System 2010-02-10 12:15:10 EST
openssh-5.3p1-19.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/openssh-5.3p1-19.fc12
Comment 4 Jan F. Chadima 2010-02-11 04:25:47 EST
Can you test the package and report the status?
Comment 5 Fedora Update System 2010-02-11 09:50:58 EST
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1742
Comment 6 Solomon Peachy 2010-02-15 15:15:54 EST
openssh-5.3p1-19.fc12 from updates-testing works on i686, including hardware accel.
Comment 7 Fedora Update System 2010-03-10 01:40:37 EST
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.