New IT forum

Author Topic: Cryptodev with OpenSSH  (Read 12055 times)

rift

  • Newbie
  • *
  • Posts: 7
Cryptodev with OpenSSH
« on: 01 November 2011, 05:26:09 pm »

Hi,

I compiled OpenSSL with cryptodev support which seems to work:
Code:
dream:/home/rift# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 21840 aes-128-cbc's in 0.06s
Doing aes-128-cbc for 3s on 64 size blocks: 23827 aes-128-cbc's in 0.03s
Doing aes-128-cbc for 3s on 256 size blocks: 20711 aes-128-cbc's in 0.02s
Doing aes-128-cbc for 3s on 1024 size blocks: 14042 aes-128-cbc's in 0.08s
Doing aes-128-cbc for 3s on 2048 size blocks: 8394 aes-128-cbc's in 0.02s
OpenSSL 0.9.8n 24 Mar 2010
built on: Fri Oct 28 23:56:19 UTC 2011
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
aes-128-cbc       5824.00k    50830.93k   265100.80k   179737.60k   859545.60k
dream:/home/rift#

But now I want to enable cryptodev support in OpenSSH. I configured all my ssh servers to use the aes-128-cbc cipher, but I guess I have to do other things because I don't see any improvement in performance (ssh still uses high CPU load, like 60% for 4mb/s).

Another thing: openssl seems to use cryptodev only when I use it as root...

If anybody has experienced the same issues..
Thanks for the answers,

dp

  • Newbie
  • *
  • Posts: 32
Re: Cryptodev with OpenSSH
« Reply #1 on: 02 November 2011, 09:00:48 am »

Hi,

Did you look at this thread (http://www.newit.co.uk/forum/index.php/topic,2030.0.html)?

Hope it helps.

rift

  • Newbie
  • *
  • Posts: 7
Re: Cryptodev with OpenSSH
« Reply #2 on: 02 November 2011, 09:08:25 pm »

Sure, I have read that, but there is no fix in this thread.

Confusticated

  • New IT customer
  • Hero Member
  • *
  • Posts: 663
Re: Cryptodev with OpenSSH
« Reply #3 on: 02 November 2011, 11:06:15 pm »

Which direction did you test in?
Stating the obvious, ssh'ing out of the plug will require you to configure the ssh client for aes-128-cbc...
Advocatus Diaboli - My agenda is not to give you the answer, but to guide your thoughts so you derive it for yourself!

rift

  • Newbie
  • *
  • Posts: 7
Re: Cryptodev with OpenSSH
« Reply #4 on: 06 November 2011, 07:09:27 pm »

I'm trying on both sides, and I forced the ssh daemon to use aes-128-cbc.

Confusticated

  • New IT customer
  • Hero Member
  • *
  • Posts: 663
Re: Cryptodev with OpenSSH
« Reply #5 on: 06 November 2011, 07:56:39 pm »

Without hardware crypt on the dreamplug I can easily hit 98% load.
If it's only using 60%, what is slowing it down?

This is the test I use
Code:
dd if=/dev/zero bs=4096 count=40000 | ssh [email protected] 'dd of=/dev/null'

and this is the result I get (using the af_alg interface, cryptodev should be better)
Code:
40000+0 records in
40000+0 records out
163840000 bytes (164 MB) copied, 21.1747 s, 7.7 MB/s
320000+0 records in
320000+0 records out
163840000 bytes (164 MB) copied, 15.1005 s, 10.8 MB/s

using software crypt, I get
Code:
40000+0 records in
40000+0 records out
163840000 bytes (164 MB) copied, 30.6538 s, 5.3 MB/s
320000+0 records in
320000+0 records out
163840000 bytes (164 MB) copied, 24.2266 s, 6.8 MB/s

The workstation is reasonably powerful, and should have little impact on the figures.

EDIT: After some basic testing it seems that a blocksize of 65536 has the least impact when reading /dev/zero
« Last Edit: 16 November 2011, 03:09:08 pm by Confusticated »
Advocatus Diaboli - My agenda is not to give you the answer, but to guide your thoughts so you derive it for yourself!

rift

  • Newbie
  • *
  • Posts: 7
Re: Cryptodev with OpenSSH
« Reply #6 on: 15 November 2011, 09:50:31 pm »

I'm still trying to understand why the ssh daemon didn't use cryptodev, but I have another remark: only root can use the cryptodev device.

Confusticated

  • New IT customer
  • Hero Member
  • *
  • Posts: 663
Re: Cryptodev with OpenSSH
« Reply #7 on: 15 November 2011, 10:14:49 pm »

Quote
only root can use cryptodev
What are the permissions ('ls -l /dev/crypto')?
Advocatus Diaboli - My agenda is not to give you the answer, but to guide your thoughts so you derive it for yourself!

rift

  • Newbie
  • *
  • Posts: 7
Re: Cryptodev with OpenSSH
« Reply #8 on: 16 November 2011, 06:44:50 pm »

I changed the permissions on /dev/crypto but still no change...

Code:
[email protected]:/data/sd/root# openssl speed -evp aes128
Doing aes-128-cbc for 3s on 16 size blocks: 79906 aes-128-cbc's in 0.09s
Doing aes-128-cbc for 3s on 64 size blocks: 77536 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 256 size blocks: 63942 aes-128-cbc's in 0.10s
Doing aes-128-cbc for 3s on 1024 size blocks: 38673 aes-128-cbc's in 0.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 7967 aes-128-cbc's in 0.00s
OpenSSL 1.0.0e 6 Sep 2011
built on: Wed Nov 16 17:50:12 UTC 2011
options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DHASH_MAX_LEN=64 -Wa,--noexecstack -DTERMIO -O3 -Wall -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      14205.51k    45111.85k   163691.52k  3960115.20k         infk
[email protected]:/data/sd/root# man ssh
man: can't set the locale; make sure $LC_* and $LANG are correct
man: can't resolve /usr/share/man/man1/ssh.1.gz: No such file or directory
No manual entry for ssh
See 'man 7 undocumented' for help when manual pages are not available.
[email protected]:/data/sd/root# dd if=/dev/zero bs=4096 count=40000 | ssh [email protected] -c aes128-cbc 'dd of=/dev/null'
[email protected]'s password:
40000+0 records in
40000+0 records out
163840000 bytes (164 MB) copied, 26.9406 s, 6.1 MB/s
320000+0 records in
320000+0 records out
163840000 bytes (164 MB) copied, 24.0498 s, 6.8 MB/s
[email protected]:/data/sd/root#

Confusticated

  • New IT customer
  • Hero Member
  • *
  • Posts: 663
Re: Cryptodev with OpenSSH
« Reply #9 on: 16 November 2011, 07:43:05 pm »

Quote
[email protected]:/data/sd/root# openssl speed -evp aes128
Doing aes-128-cbc for 3s on 16 size blocks: 79906 aes-128-cbc's in 0.09s
Doing aes-128-cbc for 3s on 64 size blocks: 77536 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 256 size blocks: 63942 aes-128-cbc's in 0.10s
Doing aes-128-cbc for 3s on 1024 size blocks: 38673 aes-128-cbc's in 0.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 7967 aes-128-cbc's in 0.00s
These are good figures

Quote
40000+0 records in
40000+0 records out
163840000 bytes (164 MB) copied, 26.9406 s, 6.1 MB/s
320000+0 records in
320000+0 records out
163840000 bytes (164 MB) copied, 24.0498 s, 6.8 MB/s
I suspect that ssh is not defaulting to a supported crypt type

Excerpt from /etc/ssh/ssh_config
Quote
.....
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
.....
I have reordered the default to negotiate to use 'aes128-cbc' first.
Changes will need to be made to /etc/ssh/sshd_config for incoming connections.

EDIT: or does the patch to OpenSSL override the use of the SSH config files?

« Last Edit: 16 November 2011, 08:20:20 pm by Confusticated »
Advocatus Diaboli - My agenda is not to give you the answer, but to guide your thoughts so you derive it for yourself!
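
Added example (not part of any post in this thread): the cipher-ordering point in Reply #9 follows from the SSH negotiation rule in RFC 4253, section 7.1, where the chosen cipher is the first entry on the client's list that the server also offers. The function name `negotiate_cipher` and the single-cipher list `CBC_ONLY` are assumptions made for illustration; the other two lists are copied from the ssh_config excerpt above.

```shell
#!/bin/sh
# Added example: which cipher an SSH connection ends up using, given the
# "Ciphers" lists of both ends (RFC 4253 section 7.1: the first cipher on
# the CLIENT's list that the server also supports wins).

# negotiate_cipher CLIENT_LIST SERVER_LIST
# Prints the chosen cipher; returns 1 when the lists share no cipher.
negotiate_cipher() {
    client_list=$1
    server_list=$2
    old_ifs=$IFS
    IFS=,                       # both lists are comma-separated
    for c in $client_list; do
        for s in $server_list; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

# Commented-out list from the ssh_config excerpt in the thread.
DEFAULT_ORDER='aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc'
# Reordered list from the same excerpt (aes128-cbc first).
REORDERED='aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour'
# Constructed for this example: a peer restricted to a single cipher.
CBC_ONLY='aes128-cbc'

# Client keeps the first ordering: a CTR cipher is selected even though the
# server lists aes128-cbc first, because only the client's order counts.
echo "client default, server reordered: $(negotiate_cipher "$DEFAULT_ORDER" "$REORDERED")"

# Client reordered: aes128-cbc is selected.
echo "client reordered, server default: $(negotiate_cipher "$REORDERED" "$DEFAULT_ORDER")"

# Server restricted to aes128-cbc: any client that offers it must use it.
echo "client default, server cbc-only:  $(negotiate_cipher "$DEFAULT_ORDER" "$CBC_ONLY")"

# No overlap: the connection would fail at key exchange.
negotiate_cipher 'arcfour' "$CBC_ONLY" >/dev/null || echo "arcfour vs cbc-only: no common cipher"
```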

rift

  • Newbie
  • *
  • Posts: 7
Re: Cryptodev with OpenSSH
« Reply #10 on: 16 November 2011, 09:06:29 pm »


I'm using openssl 1.0.0e, which supports cryptodev natively (without patching).
I configured ALL my ssh daemons to ONLY use aes128-cbc, but no luck... :(

When I ssh to a server, the number in /proc/interrupt for crypto doesn't increment, but it does with the openssl test.