Re: Re: Hardware acceleration using VIA Padlock (was Re: [Openvpn-users] a : msg#00464

network.openvpn.user

Subject: Re: Re: Hardware acceleration using VIA Padlock (was Re: [Openvpn-users] a couple of questions)

Miika Keskinen <miika.keskinen@xxxxxxxxxxx> said:

> Eric E. Bowles wrote:
> > Hi there,
> >
> > I found a page describing how to use the VIA Padlock ACE (AES encryption
> > in hardware) on recent Nehemiah processors.
> >
> > http://www.logix.cz/michal/devel/padlock/#openssl
> >
> > There's a patch to OpenSSL 0.9.7d that provides access to the Padlock ACE
> > through the ENGINE interface.
> >
> > It also gives instructions on how to enable ENGINE support in applications:
> >
> > | Applications using OpenSSL
> > |
> > | Applications that use OpenSSL library for their cryptographic needs
> > | (such as OpenSSH) must explicitly load the available hardware crypto
> > | engines.
> > | This can be done with these simple calls during startup of the program:
> > |
> > | #include <openssl/engine.h>
> > |
> > | int main ()
> > | {
> > | [...]
> > | /* Init available hardware crypto engines. */
> > | ENGINE_load_builtin_engines();
> > | ENGINE_register_all_complete();
> > | [...]
> > | }
> >
> > I didn't find any calls to the ENGINE_* functions in the OpenVPN source,
> > so I suspect that you'd need to add these two calls somewhere.
> >
>
> I think proper place might be (in crypto.c)
> 1443 void init_crypto_lib ()
> 1444 {
> 1445 }
>
> but then again, that openssl patch (at least for me) caused some
> breakage and when I asked one thing about padlock and aes-256-cbc I got
> following answer:
>
> OpenSSL patch doesn't (yet) support AES256 and AES512. Only AES128

Here is a way to test whether or not OpenVPN can get access to the hardware
acceleration, and if so, what level of speedup in OpenVPN can be achieved.

Add the ENGINE_x calls to crypto.c as described above. I agree that the
init_crypto_lib() function is a good place to put them.

Now on OpenVPN 1.6 or 2.0-beta6 (but not beta5) try a crypto loopback test:

openvpn --genkey --secret tmp-key
time openvpn --test-crypto --secret tmp-key --verb 0 --tun-mtu 10000 --cipher aes-128-cbc

This test will generate 10000 random packets starting at a size of 1 byte and
going up to 10000 bytes, and loop them back through the encryption and
decryption algorithms.

On my unaccelerated modern laptop, I am getting numbers like these:

real 0m7.277s
user 0m7.154s
sys 0m0.010s

Try this test with a stock version of OpenVPN, and then again with the ENGINE_
calls added to crypto.c and see if it makes a difference in the benchmark
numbers.

James
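
Added example (not part of the original message, and not OpenVPN project code): a small script that compares the saved `time` output of the loopback test from a stock build and an ENGINE-patched build and reports the speedup. The file arguments and the "patched" sample figures are assumptions constructed for illustration; only the stock figures come from the message above.

```shell
#!/bin/sh
# Compare saved `time` output from two runs of the crypto loopback test.
# Capture each run in bash, for example:
#   { time openvpn --test-crypto --secret tmp-key --verb 0 \
#       --tun-mtu 10000 --cipher aes-128-cbc ; } 2> stock.time
LC_ALL=C; export LC_ALL

# field_seconds FIELD FILE: print FIELD (real, user or sys) in seconds.
field_seconds() {
    awk -v f="$1" '
        $1 == f {
            split($2, p, "m")       # "0m7.277s" -> p[1]="0", p[2]="7.277s"
            sub(/s$/, "", p[2])
            printf "%.3f\n", p[1] * 60 + p[2]
            found = 1
            exit
        }
        END { if (!found) exit 1 }' "$2"
}

# speedup FIELD STOCK_FILE PATCHED_FILE: print stock/patched as a ratio.
speedup() {
    s=$(field_seconds "$1" "$2") || return 1
    p=$(field_seconds "$1" "$3") || return 1
    awk -v s="$s" -v p="$p" 'BEGIN {
        if (p <= 0) exit 1          # too fast to measure; rerun with more data
        printf "%.2f\n", s / p
    }'
}

if [ "$#" -eq 2 ]; then
    stock=$1; patched=$2
else
    # Constructed sample: the stock figures are the ones quoted in the message,
    # the "patched" figures are made up for illustration.
    stock=$(mktemp); patched=$(mktemp)
    printf 'real 0m7.277s\nuser 0m7.154s\nsys 0m0.010s\n' > "$stock"
    printf 'real 0m2.000s\nuser 0m1.990s\nsys 0m0.010s\n' > "$patched"
fi
for f in real user sys; do
    echo "$f: stock $(field_seconds "$f" "$stock")s," \
         "patched $(field_seconds "$f" "$patched")s"
done
echo "wall-clock speedup: $(speedup real "$stock" "$patched")x"
```

A ratio close to 1.00 for aes-128-cbc means the patched build is not reaching the hardware, which is the outcome the test in the message is meant to reveal.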


