Bug 200894 - security/libressl not using hardware aesni acceleration
Summary: security/libressl not using hardware aesni acceleration
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: amd64 Any
: --- Affects Many People
Assignee: Vsevolod Stakhov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-16 02:48 UTC by dewayne
Modified: 2016-04-14 07:27 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (vsevolod)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description dewayne 2015-06-16 02:48:03 UTC
While testing the features of libressl 2.1.7 on FreeBSD 10.1Stable it appeared  that libressl is not using hardware acceleration.

openssl aes256 encrypt/decrypt 160MB file: 0.686157 secs (244509876
bytes/sec)
libressl aes256 encrypt/decrypt 160MB file:  1.768195 secs (94883282
bytes/sec)

openssl speed -evp aes-256-cbc: 74691.70k   288535.11k   876427.49k 
5323319.66k 29095886.85k
libressl, speed -evp aes-256-cbc:  95036.12k   103030.42k   104839.86k  
105190.19k   105840.81k

These results were on a Xeon 1230Lv3 cpu (using aesni features).

The encrypt/decrypt test used 
dd if=/dev/zero bs=1m count=160 | openssl enc -e -aes-256-cbc -pass
pass:p1 | openssl enc -aes-256-cbc -d -pass pass:p1 > /dev/null

The performance of using des3-cbc was similar (as it was not affected by hardware acceleration).
Comment 1 Bernard Spil freebsd_committer 2015-09-14 08:20:07 UTC
Hi Dewayne,

Kan you throw this patch in security/ports/patch-configure and rebuild?

--- configure.orig      2015-08-29 04:28:57 UTC
+++ configure
@@ -13209,7 +13209,7 @@ fi


 # Conditionally enable assembly by default
- if test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"; then
+ if test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "amd64" -a "x$enable_asm" != "xno"; then
   HOST_ASM_ELF_X86_64_TRUE=
   HOST_ASM_ELF_X86_64_FALSE='#'
 else


This fixes it for me. FreeBSD uses amd64 as CPU not x86_64 like other platforms. Upstream will include a fix for this in next releases.
Comment 2 Bernard Spil freebsd_committer 2015-09-14 08:27:11 UTC
After using the patch

build# /usr/local/bin/openssl version
LibreSSL 2.2.3
build# /usr/local/bin/openssl speed -evp AES128
Doing aes-128-cbc for 3s on 16 size blocks: 121606329 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 34361962 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 256 size blocks: 8715281 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2200406 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 271890 aes-128-cbc's in 3.00s
LibreSSL 2.2.3
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     648567.09k   729256.98k   743703.98k   751071.91k   742440.96k
build# /usr/local/bin/openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 15068733 aes-128 cbc's in 3.03s
Doing aes-128 cbc for 3s on 64 size blocks: 4228095 aes-128 cbc's in 3.01s
Doing aes-128 cbc for 3s on 256 size blocks: 1077888 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 269797 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 33828 aes-128 cbc's in 3.00s
LibreSSL 2.2.3
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      79538.05k    89965.08k    91979.78k    92090.71k    92372.99k
Comment 3 Bernard Spil freebsd_committer 2015-09-14 10:55:38 UTC
Simpler patch...

Add this just above regression-test in the Makefile, no need for other patches.
```
.if ${ARCH} == "amd64"
CONFIGURE_TARGET=       x86_64-portbld-${OPSYS:tl}${OSREL}
.endif
```
Expect this to work after the next update of the port.
Comment 4 Vsevolod Stakhov freebsd_committer 2015-09-14 12:18:45 UTC
Bernard, I would suggest you to add your patch before the next release (by just bumping PORTREVISION). This is pretty critical performance fix and I would be happy to see it in the port a.s.a.p. (this means that you have my approval for this patch).
Comment 5 commit-hook freebsd_committer 2015-09-15 19:23:00 UTC
A commit references this bug:

Author: brnrd
Date: Tue Sep 15 19:22:47 UTC 2015
New revision: 397017
URL: https://svnweb.freebsd.org/changeset/ports/397017

Log:
  security/libressl: Fix AESNI support

  PR:		200894
  Approved by:	vsevolod (maintainer, mentor)

Changes:
  head/security/libressl/Makefile
Comment 6 Bernard Spil freebsd_committer 2016-04-13 14:57:54 UTC
Closed, upstream fixed by now.
Comment 7 dewayne 2016-04-14 07:27:47 UTC
(In reply to Bernard Spil from comment #6)
Confirmed (a while back), thankyou for following-up.  As FYI, libressl is a little quicker on large encryption runs, which is how we store offsite backups, than openssl.  :)

Alas our 32bit customers that use padlock devices (yes as servers) remain on openssl.