From: Mike Tancsa
Date: Mon, 24 Apr 2006 10:50:37 -0400
To: Pawel Jakub Dawidek, freebsd-security@freebsd.org
Subject: Re: Crypto hw acceleration for openssl

At 10:27 AM 24/04/2006, Pawel Jakub Dawidek wrote:
>On Sun, Apr 23, 2006 at 09:16:13PM +0200, Oliver Fromme wrote:
>+> Winston Tsai wrote:
>+>  > I got roughly the same performance results when I use the openssl speed
>+>  > test with and without a hifn 7956 crypto card
>+>  > [...]
>+>  > Then I ran:
>+>  > openssl speed des-cbc
>+>  > [...]
>+>  > My understanding is that openssl will detect the presence of an
>+>  > accelerator card and use it (via \dev\crypto) instead of the crypto
>+>  > library.
>+>  > Did I miss something here?
>+>
>+> I don't know if the openssl speed test picks up the crypto-
>+> dev hardware automatically.  But ssh/scp definitely does.
>+>
>+> I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
>+> which accelerates AES encryption.  When the padlock(4)
>+> module is loaded (it contains the Nehemiah ACE support),
>+> ssh/scp performance is roughly doubled.  It's quite
>+> noticeable when transferring large files.
>+>
>+> Best regards
>+>    Oliver
>+>
>+> PS:  I can provide some benchmark numbers if interested.
>
>The problem is that OpenSSL doesn't know how to accelerate AES192 and
>AES256 with cryptodev. The patch which fixes this is available here:
>
>         http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch
>
>PS. For AES128 cryptodev can be used without the patch.

If you use the padlock engine, you will also need the patch discussed in

http://cvs.openssl.org/chngview?cn=13061
http://sourceforge.net/mailarchive/message.php?msg_id=11419213

Without it, apps like openvpn will run into periodic crypto errors.

         ---Mike