Bug 1882

Summary: Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
Product: Portable OpenSSH
Reporter: opod
Component: scp
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: normal
CC: dtucker
Priority: P2
Version: 5.7p1
Hardware: ix86
OS: Linux
Bug Depends on: 1845
Bug Blocks:
Attachments:
  Description                                                                          Flags
  5.6p1 client                                                                         none
  5.8p1 client                                                                         none
  switch from SSLeay_add_all_algorithms to OpenSSL_add_all_algorithms for compat hook  djm: ok+

Description opod 2011-03-27 04:52:07 AEDT
I have a VIA C7 box which supports hardware acceleration for aes-cbc with OpenSSL 'padlock' engine.

I have defined the padlock engine as default in /etc/ssl/openssl.conf and it has worked for OpenSSH versions 5.4p1 through 5.6p1. With 5.7p1 and 5.8p1 the hardware acceleration is no longer used. 

Both OpenSSH versions are configured as such:

./configure --prefix=/usr --libexecdir=/usr/lib/ssh \
		--sysconfdir=/etc/ssh --with-tcp-wrappers --with-privsep-user=nobody \
		--with-md5-passwords --with-pam --with-mantype=man --mandir=/usr/share/man \
		--with-xauth=/usr/bin/xauth --with-kerberos5=/usr --with-ssl-engine \
		--with-libedit=/usr/lib

I am enclosing verbose client logs, but I don't know if they will be of any use. I'll be happy to provide any additional information that is required.

I am filing this against scp as this is how I can verify if the hardware acceleration is working or not, but this is probably a deeper problem.
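For reference, the kind of openssl.cnf stanza the report refers to when it says the padlock engine is "defined as default". This is an added example of OpenSSL's standard engine configuration layout, not the reporter's actual file; it assumes the OpenSSL 1.0-era setup in which padlock is compiled into libcrypto (a dynamically built engine would additionally need a dynamic_path line, not shown). The top-level openssl_conf key has to sit in the unnamed section at the top of the file, before any [section] header, or OpenSSL never reads the engine section at all.

```ini
# Added example of the engine-default configuration, not taken from the report.
# Top-level key: names the section OpenSSL processes at library initialisation.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# One entry per engine to configure; the value names that engine's own section.
padlock = padlock_section

[padlock_section]
# "ALL" registers every algorithm the engine offers as the default implementation.
# Narrow this to "CIPHERS" if only the AES offload is wanted and software
# digests/RNG should stay in use.
default_algorithms = ALL
```

The practical check that this is actually honoured is "openssl engine -c -t padlock", which lists the algorithms the engine claims and whether it is usable on the current CPU; a "[ unavailable ]" result means the cnf entry is correct but the hardware or kernel support is not, which is a different problem from the one in this bug.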
Comment 1 opod 2011-03-27 04:52:40 AEDT
Created attachment 2022
5.6p1 client
Comment 2 opod 2011-03-27 04:53:11 AEDT
Created attachment 2023
5.8p1 client
Comment 3 opod 2011-05-06 02:42:55 AEST
The bug still persists with 5.8p2. I'll happily provide more information, just tell me what you need.
Comment 4 Darren Tucker 2011-05-06 10:22:30 AEST
You can forcibly enable hardware support with
./configure --with-ssl-engine

although I'm not sure what would have changed to stop an override in openssl.cnf from working (without --with-ssl-engine it does the same thing it used to do).
Comment 5 Darren Tucker 2011-05-06 11:59:41 AEST
... which you have.  I'm going to attach a patch to add some debugging, please try again with that and attach the output of the client with ssh -vvv.
Comment 6 Darren Tucker 2011-05-06 12:12:49 AEST
Created attachment 2041
switch from SSLeay_add_all_algorithms to OpenSSL_add_all_algorithms for compat hook

Ah, I think I see what happened.  We changed from the old (undocumented) SSLeay_add_all_algorithms() function to the new (documented) OpenSSL_add_all_algorithms() function, and in doing so we no longer called the hook in the compat library we use to enable this.

Please try the attached patch.
Comment 7 opod 2011-05-07 03:25:55 AEST
This does indeed work, thank you for addressing this issue.
Comment 8 Darren Tucker 2011-05-10 11:13:55 AEST
Committed, thanks.
Comment 9 Damien Miller 2011-09-06 15:32:53 AEST
close resolved bugs now that openssh-5.9 has been released