security/openssl speed issues

John-Mark Gurney jmg at funkthat.com
Tue Aug 27 16:15:02 UTC 2013


Ollivier Robert wrote this message on Tue, Aug 27, 2013 at 17:32 +0200:
> As I got a new machine with the AES-NI crypto extensions, I'm getting interested with it and as you may have seen, I've already merged into stable/9 two changesets for AES-NI support in GELI & cryptodev.
> 
> Now, I'm trying to measure the impact of said AES extentions, I tumbled on a very weird difference in behaviour between our base system openssl and the one in ports.
> 
> /usr/bin/openssl:
> OpenSSL 0.9.8y 5 Feb 2013
> 
> /usr/local/bin/openssl:
> OpenSSL 1.0.1e 11 Feb 2013
> 
> The one is base is not supposed to have cryptodev (and aesni) support at all as it was added apparently in 1.0.1.  Fine.
> 
> 1. Trying to run both on a machine without the AES-NI extensions, I should have similar results in running speed tests but:
> 
> 1181 [17:18] roberto at centre:/usr/ports> /usr/bin/openssl speed aes-256-cbc
> ...
> OpenSSL 0.9.8y 5 Feb 2013			(9.1-BETA1)
> built on: date not available
> options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> compiler: cc
> available timing options: USE_TOD HZ=128 [sysconf value]
> timing function used: getrusage
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256 cbc      58919.92k    62134.88k    62611.08k    62776.47k    62910.03k
> 
> and 
> 
> 1182 [17:19] roberto at centre:/usr/ports> /usr/local/bin/openssl speed aes-256-cbc
> ...
> OpenSSL 1.0.1e 11 Feb 2013			
> built on: Sun Jul 28 16:36:48 CEST 2013
> options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall -O -pipe -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256 cbc      38790.95k    41415.66k    42009.00k    42257.07k    42213.38k
> 
> Wow, how would you explain the 37% (in the worng direction!) difference?  Is there something I could add/change in the port's configuration to fix that?
> 
> 2. I have another machine with the AES-NI extensions, with a E3-1220 CPU.  If I load crypto, aesni and cryptodev, it is indentified as using them:
> 
> cryptosoft0: <software crypto> on motherboard
> aesni0: <AES-CBC,AES-XTS> on motherboard
> 
> Results of openssl speed with the base one are better as you would expect, CPU is faster:
> 
> % /usr/bin/openssl speed aes-256-cbc
> ...
> OpenSSL 0.9.8x 10 May 2012				(9.1-RELEASE)
> built on: date not available
> options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
> compiler: cc
> available timing options: USE_TOD HZ=128 [sysconf value]
> timing function used: getrusage
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256 cbc     125404.07k   129849.19k   130514.37k   131242.71k   131164.72k
>  
> but...
> 
> % /usr/local/bin/openssl speed -engine cryptodev aes-256-cbc
> engine "cryptodev" set.
> ...
> OpenSSL 1.0.1c 10 May 2012
> built on: Mon Apr  8 19:45:18 UTC 2013
> options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall -O2 -pipe -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256 cbc      71203.16k    74667.39k    75631.27k    75975.34k    76090.03k
> 
> Still 42% diff and no "aesni" usage at all!?
> 
> I'm guessing we have an issue there...

I discovered a similar issue on HEAD w/ 1.0.1e where openssl speed -engine
aes-256-cbc when ktraced would not issue any ioctl's during the speed
test... You can see that it opens the device, but then it gets a number
of failures:
 11466 openssl  CALL  ioctl(0x4,CIOCGSESSION,0x7fffffffd590)
 11466 openssl  RET   ioctl -1 errno 22 Invalid argument

and then you see no more ioctl's

As far as I can tell, 1.0.1e doesn't properly detect AES-NI and uses
these instructions when present, and cryptodev usage doesn't work, and
doesn't warn when it fails...

My own program that tests cryptodev out performs openssl because of
this..

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."


More information about the freebsd-security mailing list