Bug 559655

Summary: Allow OpenSSH to use hardware crypto engine if available.
Product: [Fedora] Fedora Reporter: Solomon Peachy <pizza>
Component: opensshAssignee: Jan F. Chadima <jchadima>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: jchadima, mgrepl, nsoranzo, tmraz
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-5.3p1-19.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 563574 (view as bug list) Environment:
Last Closed: 2010-03-10 06:40:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 563574    
Attachments:
Description Flags
patch to have openssh call OPENSSL_config() none

Description Solomon Peachy 2010-01-28 17:12:02 UTC 
Created attachment 387380 [details]
patch to have openssh call OPENSSL_config()

Description of problem:

I have several systems that have a VIA C7 CPU, which has a very fast onboard AES crypto engine.  The OpenSSL libs support this via the 'padlock' engine.  With a tweak to the openssl.cnf, the 'openssl' tool and suitably-enabled applications can take advantage of this engine for vast increases in throughput. 

OpenSSH supposedly is one of these applications, but as it's shipped, is lacking a crucial library call to actually load up the openssl.cnf file and switch over to the padlock engine.  

Version-Release number of selected component (if applicable):

All versions of openssh are affected, including upstream development head. I've already reported this upstream, but in the mean time it would be nice if this would be applied in Fedora.

    upstream ticket:  https://bugzilla.mindrot.org/show_bug.cgi?id=1707

Steps to Reproduce:
1.  Tweak /etc/pki/tls/openssl.cnf to enable padlock engine

  openssl_conf = openssl_init
  [openssl_init]
  engines = openssl_engines
  [openssl_engines]
  padlock = padlock_engine
  [padlock_engine]
  default_algorithms = ALL
  dynamic_path = /usr/lib/openssl/engines/libpadlock.so
  init = 1

2.  test 'openssl speed' to verify that engine works
  
  openssl speed -evp aes-128-ecb
  
3.  test openssh (via scp) to verify that it is using padlock engine
    
  dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null
Actual results:

'openssl speed' without the hardware engine shows roughly 11MB/s throughput.  With padlock turned on, it jumps to 98MB/s-1.9GB/s depending on block size.  (yes, really, 1.9GB/s!)

openssh however shows no change in throughput or CPU utilization, roughly 5MB/s on this CPU.

Expected results:

openssh should go faster.  With the attached patch applied, openssh's throughput jumps to over 12MB/s, clearly taking advantage of hardware crypto acceleration.  If the openssl.cnf file is tweaked to disable the hardware engine, throughput drops back down again.

Basically, without this patch openssh will not use the hardware engine unless the openssl libraries are tweaked to use it by default.  See the upstream ticket for further details.
Comment 1 Solomon Peachy 2010-01-28 17:16:04 UTC 
FYI -- I modified F12's openssh-5.2p1-31.src.rpm to include this patch, and am using the resultant binaries for my tests.
Comment 2 Solomon Peachy 2010-01-29 01:38:36 UTC 
This patch has been accepted upstream and the referenced bug ticket closed; it will go into openssh-5.4p1.
Comment 3 Fedora Update System 2010-02-10 17:15:10 UTC 
openssh-5.3p1-19.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssh-5.3p1-19.fc12
Comment 4 Jan F. Chadima 2010-02-11 09:25:47 UTC 
Can you test the package and report the status?
Comment 5 Fedora Update System 2010-02-11 14:50:58 UTC 
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update openssh'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1742
Comment 6 Solomon Peachy 2010-02-15 20:15:54 UTC 
openssh-5.3p1-19.fc12 from updates-testing works on i686, including hardware accel.
Comment 7 Fedora Update System 2010-03-10 06:40:37 UTC 
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.