Bug 1882 - Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: scp
Version: 5.7p1
Hardware: ix86 Linux
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on: V_5_9
Blocks:
Reported: 2011-03-27 04:52 AEDT by opod
Modified: 2011-09-06 15:32 AEST

Attachments
5.6p1 client (6.68 KB, text/plain)
2011-03-27 04:52 AEDT, opod
5.8p1 client (7.44 KB, text/plain)
2011-03-27 04:53 AEDT, opod
switch from SSLeay_add_all_algorithms to OpenSSL_add_all_algorithms for compat hook (1.81 KB, patch)
2011-05-06 12:12 AEST, Darren Tucker
djm: ok+

Description opod 2011-03-27 04:52:07 AEDT
I have a VIA C7 box which supports hardware acceleration for aes-cbc with OpenSSL 'padlock' engine.

I have defined the padlock engine as default in /etc/ssl/openssl.conf and it has worked for OpenSSH versions 5.4p1 through 5.6p1. With 5.7p1 and 5.8p1 the hardware acceleration is no longer used. 

Both OpenSSH versions are configured as such:

./configure --prefix=/usr --libexecdir=/usr/lib/ssh \
		--sysconfdir=/etc/ssh --with-tcp-wrappers --with-privsep-user=nobody \
		--with-md5-passwords --with-pam --with-mantype=man --mandir=/usr/share/man \
		--with-xauth=/usr/bin/xauth --with-kerberos5=/usr --with-ssl-engine \
		--with-libedit=/usr/lib

I am enclosing verbose client logs, but I don't know if they will be of any use. I'll be happy to provide any additional information that is required.

I am filing this against scp as this is how I can verify if the hardware acceleration is working or not, but this is probably a deeper problem.
Comment 1 opod 2011-03-27 04:52:40 AEDT
Created attachment 2022
5.6p1 client
Comment 2 opod 2011-03-27 04:53:11 AEDT
Created attachment 2023
5.8p1 client
Comment 3 opod 2011-05-06 02:42:55 AEST
The bug still persists with 5.8p2. I'll happily provide more information, just tell me what you need.
Comment 4 Darren Tucker 2011-05-06 10:22:30 AEST
You can forcibly enable hardware support with
./configure --with-ssl-engine

although I'm not sure what would have changed to stop an override in openssl.cnf from working (without --with-ssl-engine it does the same thing it used to do).
Comment 5 Darren Tucker 2011-05-06 11:59:41 AEST
... which you have.  I'm going to attach a patch to add some debugging, please try again with that and attach the output of the client with ssh -vvv.
Comment 6 Darren Tucker 2011-05-06 12:12:49 AEST
Created attachment 2041
switch from SSLeay_add_all_algorithms to OpenSSL_add_all_algorithms for compat hook

Ah, I think I see what happened. We changed from the old (undocumented) SSLeay_add_all_algorithms() function to the new (documented) OpenSSL_add_all_algorithms() function, and in doing so we no longer called the hook in the compat library we use to enable this.

Please try the attached patch.
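
A minimal model of the failure mode described in comment 6, added here as an illustration and not taken from the OpenSSH source or the attached patch. It assumes the compat hook is a preprocessor redirect keyed on the function's name; every `lib_*` and `compat_*` name is a hypothetical stand-in, not a real OpenSSL call.

```c
/* Model of a compat hook keyed on a function name. The lib_* functions are
 * hypothetical stand-ins for library entry points, not real OpenSSL calls. */
#include <stdio.h>

static int algorithms_loaded, engines_registered;	/* observable state */

/* Stand-ins: both spellings of the init call only load algorithms. */
static void lib_old_add_all_algorithms(void) { algorithms_loaded = 1; }
static void lib_new_add_all_algorithms(void) { algorithms_loaded = 1; }
/* Stand-in for the engine setup that makes hardware ciphers usable. */
static void lib_register_engines(void) { engines_registered = 1; }

/* Compat wrapper: does the normal init, then enables engines. */
static void compat_old_add_all_algorithms(void)
{
	lib_old_add_all_algorithms();
	lib_register_engines();
}
/* The hook: call sites using the OLD name are redirected to the wrapper. */
#define lib_old_add_all_algorithms() compat_old_add_all_algorithms()

static void reset(void) { algorithms_loaded = engines_registered = 0; }

/* Before the rename: the call site matches the macro, engines get enabled. */
int init_old_name(void) { reset(); lib_old_add_all_algorithms(); return engines_registered; }

/* After the rename: nothing redirects the new name, so init still succeeds
 * but engine setup is silently skipped. */
int init_new_name(void) { reset(); lib_new_add_all_algorithms(); return engines_registered; }

/* The fix in this model: give the new name its own wrapper and redirect. */
static void compat_new_add_all_algorithms(void)
{
	lib_new_add_all_algorithms();
	lib_register_engines();
}
#define lib_new_add_all_algorithms() compat_new_add_all_algorithms()

int init_new_name_hooked(void) { reset(); lib_new_add_all_algorithms(); return engines_registered; }

int main(void)
{
	printf("old name, hooked:   engines=%d\n", init_old_name());
	printf("new name, no hook:  engines=%d\n", init_new_name());
	printf("new name, hooked:   engines=%d\n", init_new_name_hooked());
	return 0;
}
```

The unhooked case still loads algorithms and reports no error, which matches the symptom in this report: the software ciphers keep working and only the acceleration disappears.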
Comment 7 opod 2011-05-07 03:25:55 AEST
This does indeed work, thank you for addressing this issue.
Comment 8 Darren Tucker 2011-05-10 11:13:55 AEST
Committed, thanks.
Comment 9 Damien Miller 2011-09-06 15:32:53 AEST
close resolved bugs now that openssh-5.9 has been released