While testing the features of libressl 2.1.7 on FreeBSD 10.1Stable it appeared that libressl is not using hardware acceleration.

openssl aes256 encrypt/decrypt 160MB file: 0.686157 secs (244509876 bytes/sec)
libressl aes256 encrypt/decrypt 160MB file: 1.768195 secs (94883282 bytes/sec)

openssl speed -evp aes-256-cbc: 74691.70k 288535.11k 876427.49k 5323319.66k 29095886.85k
libressl, speed -evp aes-256-cbc: 95036.12k 103030.42k 104839.86k 105190.19k 105840.81k

These results were on a Xeon 1230Lv3 cpu (using aesni features). The encrypt/decrypt test used

```
dd if=/dev/zero bs=1m count=160 | openssl enc -e -aes-256-cbc -pass pass:p1 | openssl enc -aes-256-cbc -d -pass pass:p1 > /dev/null
```

The performance of using des3-cbc was similar (as it was not affected by hardware acceleration).
Hi Dewayne, Can you throw this patch in security/ports/patch-configure and rebuild? --- configure.orig 2015-08-29 04:28:57 UTC +++ configure @@ -13209,7 +13209,7 @@ fi # Conditionally enable assembly by default - if test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"; then + if test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "amd64" -a "x$enable_asm" != "xno"; then HOST_ASM_ELF_X86_64_TRUE= HOST_ASM_ELF_X86_64_FALSE='#' else This fixes it for me. FreeBSD uses amd64 as CPU not x86_64 like other platforms. Upstream will include a fix for this in next releases.
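Review bot: the changed `if test` line swaps the `"x86_64"` comparison for `"amd64"` instead of accepting both, so with this patch applied a host whose `$host_cpu` is `x86_64` takes the `else` branch and never sets `HOST_ASM_ELF_X86_64_TRUE`. That is harmless while the patch lives only in the FreeBSD port, but a version meant to go upstream should match either value, for example with `case "$host_cpu" in x86_64|amd64)` around the assignment. The hunk also edits `configure` at line 13209, which looks like generated output, so the same condition has to change in the input the script is generated from or the fix is lost when it is regenerated.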
After using the patch

```
build# /usr/local/bin/openssl version
LibreSSL 2.2.3
build# /usr/local/bin/openssl speed -evp AES128
Doing aes-128-cbc for 3s on 16 size blocks: 121606329 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 34361962 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 256 size blocks: 8715281 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2200406 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 271890 aes-128-cbc's in 3.00s
LibreSSL 2.2.3
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     648567.09k   729256.98k   743703.98k   751071.91k   742440.96k
build# /usr/local/bin/openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 15068733 aes-128 cbc's in 3.03s
Doing aes-128 cbc for 3s on 64 size blocks: 4228095 aes-128 cbc's in 3.01s
Doing aes-128 cbc for 3s on 256 size blocks: 1077888 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 269797 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 33828 aes-128 cbc's in 3.00s
LibreSSL 2.2.3
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      79538.05k    89965.08k    91979.78k    92090.71k    92372.99k
```
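A way to turn the two runs in the comment above into a repeatable check, as an added example that is not part of the original thread or of the port: it compares the 8192-byte column of the `-evp` summary row with that of the plain run. The function names, the 2x threshold and the reading of a large gap as "EVP path is accelerated" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `openssl speed` summary
# rows whether the EVP cipher path is faster than the low-level one.

# Read `openssl speed` output on stdin and print the 8192-byte throughput
# (in 1000s of bytes/sec) from the summary row, which starts with "aes-".
speed_8192() {
    awk '/^aes-/ && $NF ~ /^[0-9.]+k$/ { v = $NF; sub(/k$/, "", v); last = v }
         END { if (last == "") exit 1; print last }'
}

# Classify from the two figures. The 2x threshold is an assumption made
# for this example, not a value taken from the thread.
aesni_verdict() {
    awk -v e="$1" -v l="$2" 'BEGIN {
        if (l <= 0) { print "error"; exit 1 }
        if (e / l >= 2) print "accelerated"; else print "software-only"
    }'
}

# $1: output of the -evp run, $2: output of the plain run.
check_build() {
    e=$(printf '%s\n' "$1" | speed_8192) || return 2
    l=$(printf '%s\n' "$2" | speed_8192) || return 2
    aesni_verdict "$e" "$l"
}

# Summary rows copied from the post-patch output in the comment above.
EVP_AFTER='aes-128-cbc     648567.09k   729256.98k   743703.98k   751071.91k   742440.96k'
LOW_AFTER='aes-128 cbc      79538.05k    89965.08k    91979.78k    92090.71k    92372.99k'
# Constructed row: an -evp run that is no faster than the plain run.
EVP_CONSTRUCTED='aes-128-cbc      80112.40k    90210.33k    92004.12k    92133.57k    92401.06k'

# Against a live build, the same check would be run as:
#   check_build "$(openssl speed -evp aes-128-cbc 2>/dev/null)" \
#               "$(openssl speed aes-128-cbc 2>/dev/null)"
check_build "$EVP_AFTER" "$LOW_AFTER"
check_build "$EVP_CONSTRUCTED" "$LOW_AFTER"
```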
Simpler patch... Add this just above regression-test in the Makefile, no need for other patches.

```
.if ${ARCH} == "amd64"
CONFIGURE_TARGET=	x86_64-portbld-${OPSYS:tl}${OSREL}
.endif
```

Expect this to work after the next update of the port.
Bernard, I would suggest that you add your patch before the next release (by just bumping PORTREVISION). This is a pretty critical performance fix and I would be happy to see it in the port a.s.a.p. (this means that you have my approval for this patch).
A commit references this bug:

Author: brnrd
Date: Tue Sep 15 19:22:47 UTC 2015
New revision: 397017
URL: https://svnweb.freebsd.org/changeset/ports/397017

Log:
  security/libressl: Fix AESNI support

  PR: 200894
  Approved by: vsevolod (maintainer, mentor)

Changes:
  head/security/libressl/Makefile
Closed, upstream fixed by now.
(In reply to Bernard Spil from comment #6) Confirmed (a while back), thank you for following-up. As FYI, libressl is a little quicker on large encryption runs, which is how we store offsite backups, than openssl. :) Alas our 32-bit customers that use padlock devices (yes as servers) remain on openssl.