Bug 559655 - Allow OpenSSH to use hardware crypto engine if available.
Summary: Allow OpenSSH to use hardware crypto engine if available.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan F. Chadima
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 563574
TreeView+ depends on / blocked
 
Reported: 2010-01-28 17:12 UTC by Solomon Peachy
Modified: 2010-03-10 09:23 UTC (History)
4 users (show)

Fixed In Version: openssh-5.3p1-19.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 563574 (view as bug list)
Environment:
Last Closed: 2010-03-10 06:40:42 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
patch to have openssh call OPENSSL_config() (331 bytes, patch)
2010-01-28 17:12 UTC, Solomon Peachy
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 1707 0 None None None Never

Description Solomon Peachy 2010-01-28 17:12:02 UTC
Created attachment 387380 [details]
patch to have openssh call OPENSSL_config()

Description of problem:

I have several systems that have a VIA C7 CPU, which has a very fast onboard AES crypto engine.  The OpenSSL libs support this via the 'padlock' engine.  With a tweak to the openssl.cnf, the 'openssl' tool and suitably-enabled applications can take advantage of this engine for vast increases in throughput. 

OpenSSH supposedly is one of these applications, but as it's shipped, is lacking a crucial library call to actually load up the openssl.cnf file and switch over to the padlock engine.  

Version-Release number of selected component (if applicable):

All versions of openssh are affected, including upstream development head. I've already reported this upstream, but in the mean time it would be nice if this would be applied in Fedora.

    upstream ticket:  https://bugzilla.mindrot.org/show_bug.cgi?id=1707

Steps to Reproduce:
1.  Tweak /etc/pki/tls/openssl.cnf to enable padlock engine

  openssl_conf = openssl_init
  [openssl_init]
  engines = openssl_engines
  [openssl_engines]
  padlock = padlock_engine
  [padlock_engine]
  default_algorithms = ALL
  dynamic_path = /usr/lib/openssl/engines/libpadlock.so
  init = 1

2.  test 'openssl speed' to verify that engine works
  
  openssl speed -evp aes-128-ecb
  
3.  test openssh (via scp) to verify that it is using padlock engine
    
  dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null
Actual results:

'openssl speed' without the hardware engine shows roughly 11MB/s throughput.  With padlock turned on, it jumps to 98MB/s-1.9GB/s depending on block size.  (yes, really, 1.9GB/s!)

openssh however shows no change in throughput or CPU utilization, roughly 5MB/s on this CPU.

Expected results:

openssh should go faster.  With the attached patch applied, openssh's throughput jumps to over 12MB/s, clearly taking advantage of hardware crypto acceleration.  If the openssl.cnf file is tweaked to disable the hardware engine, throughput drops back down again.

Basically, without this patch openssh will not use the hardware engine unless the openssl libraries are tweaked to use it by default.  See the upstream ticket for further details.

Comment 1 Solomon Peachy 2010-01-28 17:16:04 UTC
FYI -- I modified F12's openssh-5.2p1-31.src.rpm to include this patch, and am using the resultant binaries for my tests.

Comment 2 Solomon Peachy 2010-01-29 01:38:36 UTC
This patch has been accepted upstream and the referenced bug ticket closed; it will go into openssh-5.4p1.

Comment 3 Fedora Update System 2010-02-10 17:15:10 UTC
openssh-5.3p1-19.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssh-5.3p1-19.fc12

Comment 4 Jan F. Chadima 2010-02-11 09:25:47 UTC
Can you test the package and report the status?

Comment 5 Fedora Update System 2010-02-11 14:50:58 UTC
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update openssh'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1742

Comment 6 Solomon Peachy 2010-02-15 20:15:54 UTC
openssh-5.3p1-19.fc12 from updates-testing works on i686, including hardware accel.

Comment 7 Fedora Update System 2010-03-10 06:40:37 UTC
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.