Red Hat Bugzilla – Bug 559655
Allow OpenSSH to use hardware crypto engine if available.
Last modified: 2010-03-10 04:23:45 EST
Created attachment 387380 [details]
patch to have openssh call OPENSSL_config()
Description of problem:
I have several systems that have a VIA C7 CPU, which has a very fast onboard AES crypto engine. The OpenSSL libs support this via the 'padlock' engine. With a tweak to the openssl.cnf, the 'openssl' tool and suitably-enabled applications can take advantage of this engine for vast increases in throughput.
OpenSSH supposedly is one of these applications, but as it's shipped, is lacking a crucial library call to actually load up the openssl.cnf file and switch over to the padlock engine.
Version-Release number of selected component (if applicable):
All versions of openssh are affected, including upstream development head. I've already reported this upstream, but in the mean time it would be nice if this would be applied in Fedora.
upstream ticket: https://bugzilla.mindrot.org/show_bug.cgi?id=1707
Steps to Reproduce:
1. Tweak /etc/pki/tls/openssl.cnf to enable padlock engine
openssl_conf = openssl_init
engines = openssl_engines
padlock = padlock_engine
default_algorithms = ALL
dynamic_path = /usr/lib/openssl/engines/libpadlock.so
init = 1
2. test 'openssl speed' to verify that engine works
openssl speed -evp aes-128-ecb
3. test openssh (via scp) to verify that it is using padlock engine
dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null
'openssl speed' without the hardware engine shows roughly 11MB/s throughput. With padlock turned on, it jumps to 98MB/s-1.9GB/s depending on block size. (yes, really, 1.9GB/s!)
openssh however shows no change in throughput or CPU utilization, roughly 5MB/s on this CPU.
openssh should go faster. With the attached patch applied, openssh's throughput jumps to over 12MB/s, clearly taking advantage of hardware crypto acceleration. If the openssl.cnf file is tweaked to disable the hardware engine, throughput drops back down again.
Basically, without this patch openssh will not use the hardware engine unless the openssl libraries are tweaked to use it by default. See the upstream ticket for further details.
FYI -- I modified F12's openssh-5.2p1-31.src.rpm to include this patch, and am using the resultant binaries for my tests.
This patch has been accepted upstream and the referenced bug ticket closed; it will go into openssh-5.4p1.
openssh-5.3p1-19.fc12 has been submitted as an update for Fedora 12.
Can you test the package and report the status?
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1742
openssh-5.3p1-19.fc12 from updates-testing works on i686, including hardware accel.
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.