From owner-freebsd-stable@FreeBSD.ORG  Tue Dec 14 07:08:12 2010
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D8F1C106566B
	for <freebsd-stable@freebsd.org>; Tue, 14 Dec 2010 07:08:12 +0000 (UTC)
	(envelope-from kostikbel@gmail.com)
Received: from mail.zoral.com.ua (mx0.zoral.com.ua [91.193.166.200])
	by mx1.freebsd.org (Postfix) with ESMTP id 6E1EB8FC17
	for <freebsd-stable@freebsd.org>; Tue, 14 Dec 2010 07:08:12 +0000 (UTC)
Received: from deviant.kiev.zoral.com.ua (root@deviant.kiev.zoral.com.ua
	[10.1.1.148])
	by mail.zoral.com.ua (8.14.2/8.14.2) with ESMTP id oBE788g9029050
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 14 Dec 2010 09:08:08 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
Received: from deviant.kiev.zoral.com.ua (kostik@localhost [127.0.0.1])
	by deviant.kiev.zoral.com.ua (8.14.4/8.14.4) with ESMTP id
	oBE788wv044021; Tue, 14 Dec 2010 09:08:08 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
Received: (from kostik@localhost)
	by deviant.kiev.zoral.com.ua (8.14.4/8.14.4/Submit) id oBE7871Z044020; 
	Tue, 14 Dec 2010 09:08:07 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
X-Authentication-Warning: deviant.kiev.zoral.com.ua: kostik set sender to
	kostikbel@gmail.com using -f
Date: Tue, 14 Dec 2010 09:08:07 +0200
From: Kostik Belousov <kostikbel@gmail.com>
To: Mike Tancsa <mike@sentex.net>
Message-ID: <20101214070807.GJ33073@deviant.kiev.zoral.com.ua>
References: <4D063B44.4050303@sentex.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="332CIdRmeZdukXAd"
Content-Disposition: inline
In-Reply-To: <4D063B44.4050303@sentex.net>
User-Agent: Mutt/1.4.2.3i
X-Virus-Scanned: clamav-milter 0.95.2 at skuns.kiev.zoral.com.ua
X-Virus-Status: Clean
X-Spam-Status: No, score=-3.4 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,
	DNS_FROM_OPENWHOIS autolearn=no version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	skuns.kiev.zoral.com.ua
Cc: stable-list freebsd <freebsd-stable@freebsd.org>
Subject: Re: cryptodev cipher registration (aesni and padlock)
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2010 07:08:12 -0000


--332CIdRmeZdukXAd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Dec 13, 2010 at 10:27:00AM -0500, Mike Tancsa wrote:
> While doing some testing with the aesni driver, it seems some ciphers are=
 registered with openssl and some are not.
>=20
> e.g. if I start an ssh session using aes128, I see the following
>=20
> [pyroxene]% ssh -c aes128-cbc smarthost1 "cryptostats" | grep sym
> 654198 symmetric crypto ops (0 errors, 0 times driver blocked)
> [pyroxene]% ssh -c aes128-cbc smarthost1 "cryptostats" | grep sym
> 654225 symmetric crypto ops (0 errors, 0 times driver blocked)
> [pyroxene]%=20
>=20
> ie it shows the hardware transformation count increasing.  But if I do ae=
s 192 or 256, it does not
>=20
> [pyroxene]% ssh -c aes256-cbc smarthost1 "cryptostats" | grep sym
> 654231 symmetric crypto ops (0 errors, 0 times driver blocked)
> [pyroxene]% ssh -c aes192-cbc smarthost1 "cryptostats" | grep sym
> 654231 symmetric crypto ops (0 errors, 0 times driver blocked)
> [pyroxene]% ssh -c aes192-cbc smarthost1 "cryptostats" | grep sym
> 654231 symmetric crypto ops (0 errors, 0 times driver blocked)
> [pyroxene]% ssh -c aes192-cbc smarthost1 "cryptostats" | grep sym
> 654231 symmetric crypto ops (0 errors, 0 times driver blocked)
> [pyroxene]%=20
> Yet the are supposed to be supported, no ?  Where in openssl is this conf=
igured ? The padlock driver does the same thing
>=20
> % ssh -c aes256-cbc smarthost1 "cryptotest -z"
>    0.000 sec,       2    aes crypts,      16 bytes,  4000000 byte/sec,   =
 30.5 Mb/sec
>    0.000 sec,       2    aes crypts,      32 bytes, 16000000 byte/sec,   =
122.1 Mb/sec
>    0.000 sec,       2    aes crypts,      64 bytes, 32000000 byte/sec,   =
244.1 Mb/sec
>    0.000 sec,       2    aes crypts,     128 bytes, 64000000 byte/sec,   =
488.3 Mb/sec
>    0.000 sec,       2    aes crypts,     256 bytes, 128000000 byte/sec,  =
 976.6 Mb/sec
>    0.000 sec,       2    aes crypts,     512 bytes, 170666667 byte/sec,  =
1302.1 Mb/sec
>    0.000 sec,       2    aes crypts,    1024 bytes, 292571429 byte/sec,  =
2232.1 Mb/sec
>    0.000 sec,       2    aes crypts,    2048 bytes, 455111111 byte/sec,  =
3472.2 Mb/sec
>    0.000 sec,       2    aes crypts,    4096 bytes, 512000000 byte/sec,  =
3906.2 Mb/sec
>    0.000 sec,       2    aes crypts,    8192 bytes, 420102564 byte/sec,  =
3205.1 Mb/sec
>    0.000 sec,       2 aes192 crypts,      16 bytes,  8000000 byte/sec,   =
 61.0 Mb/sec
>    0.000 sec,       2 aes192 crypts,      32 bytes, 16000000 byte/sec,   =
122.1 Mb/sec
>    0.000 sec,       2 aes192 crypts,      64 bytes, 32000000 byte/sec,   =
244.1 Mb/sec
>    0.000 sec,       2 aes192 crypts,     128 bytes, 64000000 byte/sec,   =
488.3 Mb/sec
>    0.000 sec,       2 aes192 crypts,     256 bytes, 128000000 byte/sec,  =
 976.6 Mb/sec
>    0.000 sec,       2 aes192 crypts,     512 bytes, 204800000 byte/sec,  =
1562.5 Mb/sec
>    0.000 sec,       2 aes192 crypts,    1024 bytes, 341333333 byte/sec,  =
2604.2 Mb/sec
>    0.000 sec,       2 aes192 crypts,    2048 bytes, 409600000 byte/sec,  =
3125.0 Mb/sec
>    0.000 sec,       2 aes192 crypts,    4096 bytes, 546133333 byte/sec,  =
4166.7 Mb/sec
>    0.000 sec,       2 aes192 crypts,    8192 bytes, 496484848 byte/sec,  =
3787.9 Mb/sec
>    0.000 sec,       2 aes256 crypts,      16 bytes, 10666667 byte/sec,   =
 81.4 Mb/sec
>    0.000 sec,       2 aes256 crypts,      32 bytes, 21333333 byte/sec,   =
162.8 Mb/sec
>    0.000 sec,       2 aes256 crypts,      64 bytes, 32000000 byte/sec,   =
244.1 Mb/sec
>    0.000 sec,       2 aes256 crypts,     128 bytes, 51200000 byte/sec,   =
390.6 Mb/sec
>    0.000 sec,       2 aes256 crypts,     256 bytes, 102400000 byte/sec,  =
 781.2 Mb/sec
>    0.000 sec,       2 aes256 crypts,     512 bytes, 204800000 byte/sec,  =
1562.5 Mb/sec
>    0.000 sec,       2 aes256 crypts,    1024 bytes, 292571429 byte/sec,  =
2232.1 Mb/sec
>    0.000 sec,       2 aes256 crypts,    2048 bytes, 409600000 byte/sec,  =
3125.0 Mb/sec
>    0.000 sec,       2 aes256 crypts,    4096 bytes, 512000000 byte/sec,  =
3906.2 Mb/sec
>    0.000 sec,       2 aes256 crypts,    8192 bytes, 442810811 byte/sec,  =
3378.4 Mb/secW

=46rom my reading of src/crypto/openssl/crypto/engine/eng_cryptodev.c,
and browsing
http://cvs.openssl.org/rlog?f=3Dopenssl/crypto/engine/eng_cryptodev.c
it seems that only OpenSSL HEAD and 1.0 branch have support for
AES-192 and AES-256 when working with /dev/crypto.

--332CIdRmeZdukXAd
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (FreeBSD)

iEYEARECAAYFAk0HF9cACgkQC3+MBN1Mb4j8dwCcCRyZzbaZRPcf9TNggJ3gRUW0
k3oAoIZRLVFtFRBmye8kX1gBLWI4tD/s
=oncn
-----END PGP SIGNATURE-----

--332CIdRmeZdukXAd--