From: Pawel Jakub Dawidek
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Date: Mon, 24 Apr 2006 17:35:23 +0200
Subject: Re: Crypto hw acceleration for openssl
Message-ID: <20060424153523.GD814@garage.freebsd.pl>

On Mon, Apr 24, 2006 at 10:50:37AM -0400, Mike Tancsa wrote:
+> At 10:27 AM 24/04/2006, Pawel Jakub Dawidek wrote:
+> >On Sun, Apr 23, 2006 at 09:16:13PM +0200, Oliver Fromme wrote:
+> >+> Winston Tsai wrote:
+> >+> > I got roughly the same performance results when I use the openssl speed
+> >+> > test with and without a hifn 7956 crypto card
+> >+> > [...]
+> >+> > Then I ran:
+> >+> > Openssl speed des-cbc
+> >+> > [...]
+> >+> > My understanding is that openssl will detect the presence of an
+> >+> > accelerator card and use it (via \dev\crypto) instead of the crypto
+> >+> > library.
+> >+> > Did I miss something here?
+> >+>
+> >+> I don't know if the openssl speed test picks up the crypto-
+> >+> dev hardware automatically. But ssh/scp definitely does.
+> >+>
+> >+> I have run several tests on my VIA C3 Nehemiah+RNG+ACE,
+> >+> which accelerates AES encryption. When the padlock(4)
+> >+> module is loaded (it contains the Nehemiah ACE support),
+> >+> ssh/scp performance is roughly doubled. It's quite
+> >+> noticeable when transferring large files.
+> >+>
+> >+> Best regards
+> >+> Oliver
+> >+>
+> >+> PS: I can provide some benchmark numbers if interested.
+> >
+> >The problem is that OpenSSL doesn't know how to accelerate AES192 and
+> >AES256 with cryptodev. The patch which fixes this is available here:
+> >
+> > http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch
+> >
+> >PS. For AES128 cryptodev can be used without the patch.
+>
+>
+> If you use the padlock engine, you will also need the patch discussed in
+>
+> http://cvs.openssl.org/chngview?cn=13061
+>
+> http://sourceforge.net/mailarchive/message.php?msg_id=11419213
+>
+>
+> Without it, apps like openvpn will run into periodic crypto errors.

It depends which engine one is using. One can use openssl's 'padlock' engine
or 'cryptodev' engine which will use padlock(4) driver. The first one is of
course faster for use with OpenSSL as it doesn't go to the kernel.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!