Bug 559655 - Allow OpenSSH to use hardware crypto engine if available.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openssh
Version: 12
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Jan F. Chadima
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Blocks: 563574
Reported: 2010-01-28 12:12 EST by Solomon Peachy
Modified: 2010-03-10 04:23 EST
Fixed In Version: openssh-5.3p1-19.fc12
Doc Type: Bug Fix
Last Closed: 2010-03-10 01:40:42 EST
Attachments
patch to have openssh call OPENSSL_config() (331 bytes, patch)
2010-01-28 12:12 EST, Solomon Peachy

External Trackers
Tracker: OpenSSH Project, ID: 1707

Description Solomon Peachy 2010-01-28 12:12:02 EST
Created attachment 387380
patch to have openssh call OPENSSL_config()

Description of problem:

I have several systems that have a VIA C7 CPU, which has a very fast onboard AES crypto engine.  The OpenSSL libs support this via the 'padlock' engine.  With a tweak to the openssl.cnf, the 'openssl' tool and suitably-enabled applications can take advantage of this engine for vast increases in throughput. 

OpenSSH supposedly is one of these applications, but as it's shipped, is lacking a crucial library call to actually load up the openssl.cnf file and switch over to the padlock engine.  

Version-Release number of selected component (if applicable):

All versions of openssh are affected, including upstream development head. I've already reported this upstream, but in the meantime it would be nice if this would be applied in Fedora.

    upstream ticket:  https://bugzilla.mindrot.org/show_bug.cgi?id=1707

Steps to Reproduce:
1.  Tweak /etc/pki/tls/openssl.cnf to enable padlock engine

  openssl_conf = openssl_init
  [openssl_init]
  engines = openssl_engines
  [openssl_engines]
  padlock = padlock_engine
  [padlock_engine]
  default_algorithms = ALL
  dynamic_path = /usr/lib/openssl/engines/libpadlock.so
  init = 1

2.  test 'openssl speed' to verify that engine works
  
  openssl speed -evp aes-128-ecb
  
3.  test openssh (via scp) to verify that it is using padlock engine
    
  dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null"

Actual results:

'openssl speed' without the hardware engine shows roughly 11MB/s throughput.  With padlock turned on, it jumps to 98MB/s-1.9GB/s depending on block size.  (yes, really, 1.9GB/s!)

openssh however shows no change in throughput or CPU utilization, roughly 5MB/s on this CPU.

Expected results:

openssh should go faster.  With the attached patch applied, openssh's throughput jumps to over 12MB/s, clearly taking advantage of hardware crypto acceleration.  If the openssl.cnf file is tweaked to disable the hardware engine, throughput drops back down again.

Basically, without this patch openssh will not use the hardware engine unless the openssl libraries are tweaked to use it by default.  See the upstream ticket for further details.
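
The engine settings from step 1 only take effect in programs that load openssl.cnf, which is what the attached patch's OPENSSL_config() call makes OpenSSH do. The following is an added example, not part of the original report or of OpenSSH/OpenSSL code: a simplified Python parser that resolves which engines such a file declares. The names `parse_cnf` and `configured_engines` are hypothetical, and the parser assumes no quoting, includes or variable expansion.

```python
# Added example: follow openssl_conf -> init section -> engines section ->
# per-engine section, to see which engines an openssl.cnf asks to be loaded.
import re

# Constructed sample: the configuration shown in step 1 of the report.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
engines = openssl_engines
[openssl_engines]
padlock = padlock_engine
[padlock_engine]
default_algorithms = ALL
dynamic_path = /usr/lib/openssl/engines/libpadlock.so
init = 1
"""

def parse_cnf(text):
    """Parse 'name = value' lines into {section: {name: value}}.
    Keys that appear before the first [section] header go in 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (simplified)
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            sections[current][name] = value
    return sections

def configured_engines(text):
    """Return {engine_name: settings} reachable from openssl_conf, else {}.
    openssl_conf is only looked up in the default (unnamed) section, so a
    line appended after some [section] header is silently ignored."""
    s = parse_cnf(text)
    init = s.get(s["default"].get("openssl_conf", ""), {})
    engines = s.get(init.get("engines", ""), {})
    return {name: s.get(section, {}) for name, section in engines.items()}

if __name__ == "__main__":
    for name, cfg in configured_engines(SAMPLE_CNF).items():
        print(name, cfg.get("dynamic_path"), "init=" + cfg.get("init", "0"))
```

An empty result for a file that contains the engine sections usually means `openssl_conf` is missing or sits below a section header. Because the file names a shared object that gets loaded into every configured process, the `dynamic_path` it reports is worth checking for ownership and write permissions.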
Comment 1 Solomon Peachy 2010-01-28 12:16:04 EST
FYI -- I modified F12's openssh-5.2p1-31.src.rpm to include this patch, and am using the resultant binaries for my tests.
Comment 2 Solomon Peachy 2010-01-28 20:38:36 EST
This patch has been accepted upstream and the referenced bug ticket closed; it will go into openssh-5.4p1.
Comment 3 Fedora Update System 2010-02-10 12:15:10 EST
openssh-5.3p1-19.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssh-5.3p1-19.fc12
Comment 4 Jan F. Chadima 2010-02-11 04:25:47 EST
Can you test the package and report the status?
Comment 5 Fedora Update System 2010-02-11 09:50:58 EST
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update openssh'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1742
Comment 6 Solomon Peachy 2010-02-15 15:15:54 EST
openssh-5.3p1-19.fc12 from updates-testing works on i686, including hardware accel.
Comment 7 Fedora Update System 2010-03-10 01:40:37 EST
openssh-5.3p1-19.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
