From: Dewayne Geraghty
Date: Fri, 12 Sep 2014 09:15:09 +1000
To: freebsd-hackers@freebsd.org
Subject: Re: openssl with aes-in or padlock
Message-ID: <54122CFD.3070702@heuristicsystems.com.au>

On 12/09/2014 2:58 AM, Wojciech Puchar wrote:
> how to check if openssl is actually using these instructions?
>
> on machine with padlock:
>
> #openssl speed -evp aes-256-cbc
> Doing aes-256-cbc for 3s on 16 size blocks: 732600 aes-256-cbc's in 2.91s
> Doing aes-256-cbc for 3s on 64 size blocks: 199833 aes-256-cbc's in 2.92s
> Doing aes-256-cbc for 3s on 256 size blocks: 50469 aes-256-cbc's in 2.91s
> Doing aes-256-cbc for 3s on 1024 size blocks: 25060 aes-256-cbc's in 2.92s
> Doing aes-256-cbc for 3s on 8192 size blocks: 3145 aes-256-cbc's in 2.93s
> OpenSSL 1.0.1e-freebsd 11 Feb 2013
> built on: date not available
> options:bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
> compiler: cc
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256-cbc       4033.24k     4377.09k     4445.61k     8782.52k     8794.06k
>
>
> #openssl engine
> (dynamic) Dynamic engine loading support
>
>
>
> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s
>
> how to enable padlock or aes-in in openssl?
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>

Wojciech,
I have a very old single core VIA-15000 (1.5MHz) padlock server in use, so the numbers may be adversely affected:

# openssl speed -evp aes-256-cbc
To get the most accurate results, try to run this program when this computer is idle.
Doing aes-256-cbc for 3s on 16 size blocks: 14239761 aes-256-cbc's in 2.97s
Doing aes-256-cbc for 3s on 64 size blocks: 10999641 aes-256-cbc's in 2.96s
Doing aes-256-cbc for 3s on 256 size blocks: 5845504 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 1024 size blocks: 2023702 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 8192 size blocks: 283165 aes-256-cbc's in 2.96s
OpenSSL 0.9.7e-p1 25 Oct 2004
built on: Thu Sep 27 11:13:38 EST 2007
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      76594.07k   237795.53k   501951.53k   694914.86k   782587.93k

On a single core VIA C7 Processor 1000MHz (FreeBSD 8.2 firewall)

# openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 8270982 aes-256-cbc's in 2.91s
Doing aes-256-cbc for 3s on 64 size blocks: 6672866 aes-256-cbc's in 2.96s
Doing aes-256-cbc for 3s on 256 size blocks: 3652460 aes-256-cbc's in 2.95s
Doing aes-256-cbc for 3s on 1024 size blocks: 1313482 aes-256-cbc's in 2.97s
Doing aes-256-cbc for 3s on 8192 size blocks: 188472 aes-256-cbc's in 2.98s
OpenSSL 1.0.0d 8 Feb 2011
built on: Mon Mar 7 14:18:26 EST 2011
options:bn(64,32) md2(int) rc4(4x,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall -O2 -pipe -pipe -O2 -g0 -ggdb0 -DSTRIP_FBSDID -UDEBUGGING -UEBUGGING -march=prescott -mtune=prescott -march=prescott -O3 -fno-strict-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      45412.79k   144232.50k   317463.69k   453054.51k   518706.60k

These are the kind of figures that you should expect on a padlock device.

We turn on the padlock option during the build, and add these to our openssl.cnf (though it may no longer be necessary with the 8.x or later).

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
padlock = padlock_section

[padlock_section]
default_algorithms = ALL

Please note - the only reliable measure is to actually encrypt and decrypt files; we've found that the openssl speed test really isn't a good comparative measure.
I'd suggest something like:

dd if=/dev/zero bs=1m count=100 | openssl enc -e -aes-256-cbc -pass pass:obscure | openssl enc -d -aes-256-cbc -pass pass:obscure > /dev/null

So for reference: the VIA/padlock 1.5MHz server transfers in 1.4 seconds (around 74MB/s), the 1MHz firewall transfers in 1.98s.

Regards, Dewayne.
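
An added example, not part of the original message or of OpenSSL: a POSIX shell sketch that compares the summary rows of two `openssl speed -evp aes-256-cbc` runs, here the row from the run with no engine loaded and the row from the C7 firewall run, both copied from this thread, to show the per-block-size gap. The function names and the 2x threshold are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: compare the summary rows of two `openssl speed` runs.
# To capture real rows on a host (engine id "padlock" as in the message):
#   openssl speed -evp aes-256-cbc 2>/dev/null | summary_line aes-256-cbc
#   openssl speed -engine padlock -evp aes-256-cbc 2>/dev/null | summary_line aes-256-cbc

# Rows copied from the thread: the run with no engine loaded, and the C7 run.
BASE='aes-256-cbc 4033.24k 4377.09k 4445.61k 8782.52k 8794.06k'
ACCEL='aes-256-cbc 45412.79k 144232.50k 317463.69k 453054.51k 518706.60k'

# summary_line CIPHER: keep only the result row for CIPHER from stdin,
# skipping the "Doing ..." progress lines and the build information.
summary_line() {
    awk -v c="$1" '$1 == c && $2 ~ /^[0-9.]+k$/ { print; exit }'
}

# speedup BASE_ROW ACCEL_ROW: print "<block size> <ratio>" per column.
speedup() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        BEGIN { split("16 64 256 1024 8192", size, " ") }
        NR == 1 { n = NF
                  for (i = 2; i <= n; i++) { sub(/k$/, "", $i); base[i] = $i } }
        NR == 2 { for (i = 2; i <= n; i++) {
                      sub(/k$/, "", $i)
                      printf "%s %.1f\n", size[i - 1], $i / base[i] } }'
}

# accelerated BASE_ROW ACCEL_ROW MIN: succeed when the 8192-byte ratio is
# at least MIN (hypothetical threshold, tune it for the hardware in use).
accelerated() {
    speedup "$1" "$2" |
        awk -v min="$3" '$1 == 8192 { ok = ($2 >= min) } END { exit !ok }'
}

speedup "$BASE" "$ACCEL"
if accelerated "$BASE" "$ACCEL" 2; then
    echo "second run looks hardware accelerated"
else
    echo "no meaningful difference: engine probably not in use"
fi
```

As the message says, treat the ratio as a hint only and confirm with a real encrypt/decrypt transfer.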