[Bug 119295] Re: OpenSSH should support VIA PadLock

Craig Ringer craig at postnewspapers.com.au
Wed Jun 4 16:42:02 BST 2008


** These bugs are fixed upstream in OpenSSH 4.9 and OpenSSL 0.9.8h **

You can apply the fix to OpenSSH 4.7 from Ubuntu just fine:
https://bugzilla.mindrot.org/attachment.cgi?id=1458 . It applies cleanly
except for two rejects at points where the changes have already been
applied, so the rejects can be safely ignored. With the patch I get
100Mbit wire speed with the aes128-cbc cipher. You will also need to
apply Ian Lister's OpenSSL patch above.

PLEASE merge both these patches (the openssl cache logic fix and the
openssh engine init fix) for the next hardy update.

I can confirm that with both patches OpenSSH performs vastly better and
with much lower CPU use.


As for why the tests I was doing weren't working:

It's necessary to specify "-evp aes-128-cbc" instead of just
"aes-128-cbc" to get an engine to work; just passing "-engine padlock"
is insufficient. The "engine" argument requests loading of a given
engine, but doesn't tell "openssl speed" to use the engine system; it
still calls the AES code directly. -evp tells openssl speed to use the
engine system, but doesn't say anything about which engine.

/usr/bin/openssl speed -evp aes-128-cbc -engine padlock:
aes-128-cbc      30934.33k   102451.76k   251594.56k   391449.69k   468731.35k

/usr/bin/openssl speed aes-128-cbc -engine padlock:
aes-128 cbc       6827.95k     9055.61k     9926.85k    10172.77k    10244.14k

-- 
OpenSSH should support VIA PadLock
https://bugs.launchpad.net/bugs/119295
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
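
Added example (not part of the original message, and not OpenSSL or OpenSSH code): a shell check that compares the two "openssl speed" result rows quoted above and reports the per-block-size speedup, so a run where the engine was loaded but never exercised shows up as a ratio near 1. The function names speed_ratios and engine_effective and the default threshold of 2 are assumptions made for this illustration.

```shell
#!/bin/sh
# Result rows copied from the message above (direct AES call vs. -evp path).
DIRECT_ROW='aes-128 cbc       6827.95k     9055.61k     9926.85k    10172.77k    10244.14k'
EVP_ROW='aes-128-cbc      30934.33k   102451.76k   251594.56k   391449.69k   468731.35k'

# speed_ratios BASELINE_ROW CANDIDATE_ROW   (hypothetical helper)
# Prints candidate/baseline throughput for each block-size column, one per line.
# Prints nothing if the rows have no throughput columns or differ in column count.
speed_ratios() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        {
            n = 0
            # Keep only throughput fields such as "6827.95k". The cipher label
            # can itself contain a space ("aes-128 cbc"), so fixed field
            # positions would misalign the columns.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+(\.[0-9]+)?k$/) {
                    n++
                    v[NR, n] = substr($i, 1, length($i) - 1) + 0
                }
            cols[NR] = n
        }
        END {
            if (cols[1] == 0 || cols[1] != cols[2]) exit 1
            for (j = 1; j <= cols[1]; j++) {
                if (v[1, j] <= 0) exit 1
                printf "%.1f\n", v[2, j] / v[1, j]
            }
        }'
}

# engine_effective BASELINE_ROW CANDIDATE_ROW [MIN_RATIO]   (hypothetical helper)
# Returns 0 when the largest-block ratio reaches MIN_RATIO (assumed default 2),
# 1 when it does not, and 2 when the rows could not be parsed.
engine_effective() {
    last=$(speed_ratios "$1" "$2" | tail -n 1)
    [ -n "$last" ] || return 2
    awk -v r="$last" -v m="${3:-2}" 'BEGIN { exit !(r + 0 >= m + 0) }'
}

speed_ratios "$DIRECT_ROW" "$EVP_ROW"
engine_effective "$DIRECT_ROW" "$EVP_ROW" && echo "EVP/engine path is faster"
```
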
