[Bug 119295] Re: OpenSSH should support VIA PadLock
Craig Ringer
craig at postnewspapers.com.au
Wed Jun 4 16:42:02 BST 2008
** These bugs are fixed upstream in OpenSSH 4.9 and OpenSSL 0.9.8h **

You can apply the fix to OpenSSH 4.7 from Ubuntu just fine:
https://bugzilla.mindrot.org/attachment.cgi?id=1458 . It applies cleanly
except for two rejects at points where the changes have already been
applied, so the rejects can be safely ignored. With the patch I get
100Mbit wire speed with the aes128-cbc cipher. You will also need to
apply Ian Lister's OpenSSL patch above.

PLEASE merge both these patches (the openssl cache logic fix and the
openssh engine init fix) for the next hardy update.

I can confirm that with both patches OpenSSH performs vastly better and
with much lower CPU use.

As for why the tests I was doing weren't working:

It's necessary to specify "-evp aes-128-cbc" instead of just
"aes-128-cbc" to get an engine to work; just passing "-engine padlock"
is insufficient. The "engine" argument requests loading of a given
engine, but doesn't tell "openssl speed" to use the engine system; it
still calls the AES code directly. -evp tells openssl speed to use the
engine system, but doesn't say anything about which engine.

/usr/bin/openssl speed -evp aes-128-cbc -engine padlock:
    aes-128-cbc 30934.33k 102451.76k 251594.56k 391449.69k 468731.35k

/usr/bin/openssl speed aes-128-cbc -engine padlock:
    aes-128 cbc 6827.95k 9055.61k 9926.85k 10172.77k 10244.14k

--
OpenSSH should support VIA PadLock
https://bugs.launchpad.net/bugs/119295
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
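
The comparison in the message above, as an added example (not part of the original message and not OpenSSL's own tooling): a shell helper that parses two `openssl speed` result lines and reports the per-column speedup, so a benchmark that silently bypassed the engine shows up as a ratio near 1. The function names and the 2x threshold are assumptions; the sample lines are the two quoted in the message.

```shell
#!/bin/sh
# Constructed sample input: the two result lines quoted in the message.
EVP_LINE='aes-128-cbc 30934.33k 102451.76k 251594.56k 391449.69k 468731.35k'
DIRECT_LINE='aes-128 cbc 6827.95k 9055.61k 9926.85k 10172.77k 10244.14k'

# Print the throughput columns (fields of the form "<number>k") of one
# result line without the suffix. The label may be one word or two.
throughputs() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+(\.[0-9]+)?k$/) {
                v = $i; sub(/k$/, "", v)
                out = out (out == "" ? "" : " ") v
            }
        print out
    }'
}

# Print the speedup of run $1 over run $2, one ratio per column.
# Exits with status 2 if the lines do not have matching, non-zero columns.
speedups() {
    a=$(throughputs "$1"); b=$(throughputs "$2")
    printf '%s\n%s\n' "$a" "$b" | awk '
        NR == 1 { n = split($0, evp, " "); next }
        {
            m = split($0, direct, " ")
            if (n == 0 || n != m) exit 2
            for (i = 1; i <= n; i++) {
                if (direct[i] + 0 == 0) exit 2
                printf "%s%.1f", (i > 1 ? " " : ""), evp[i] / direct[i]
            }
            printf "\n"
        }'
}

# Succeed when the last (largest-block) column of run $1 is at least
# $3 times faster than run $2. The default of 2 is an assumed threshold.
engine_path_used() {
    min=${3:-2}
    r=$(speedups "$1" "$2") || return 2
    printf '%s\n' "$r" | awk -v min="$min" '{ exit !($NF + 0 >= min + 0) }'
}

speedups "$EVP_LINE" "$DIRECT_LINE"
```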