Hi,

I am trying to use the cryptodev hardware accelerator in OpenVPN. I know this
question belongs on the user list, but I got confused by the issue, so I
think maybe I need a developer to help :)

I have two boards: one is a Freescale LS1021a ARM CPU, the other is an Intel
E3815 CPU. On both of them I can enable the cryptodev hardware accelerator, and
I tested them in OpenSSL. It works well when cryptodev is enabled; I get about a
72 times performance improvement with the command
"openssl speed -evp aes-128-cbc". Here is a test result from the Intel CPU:

----------
with cryptodev support:
----------
root@ubuntu:/etc/openvpn# /usr/local/ssl/bin/openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 1324358 aes-128-cbc's in 0.47s
Doing aes-128-cbc for 3s on 64 size blocks: 986320 aes-128-cbc's in 0.33s
Doing aes-128-cbc for 3s on 256 size blocks: 487522 aes-128-cbc's in 0.19s
Doing aes-128-cbc for 3s on 1024 size blocks: 157636 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 8192 size blocks: 22318 aes-128-cbc's in 0.01s
OpenSSL 1.0.2 22 Jan 2015
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      45084.53k   191286.30k   656871.75k  3228385.28k 18282905.60k
root@ubuntu:/etc/openvpn#

----------
without cryptodev support:
----------
root@ubuntu:/etc/openvpn# /usr/local/ssl/bin/openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 29624370 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 10070739 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 2846673 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 735685 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 92783 aes-128-cbc's in 3.00s
OpenSSL 1.0.2 22 Jan 2015
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     158525.06k   214128.67k   242916.10k   250279.55k   253359.45k
----------

As you can see from the above, there was a big improvement with the cryptodev
hardware accelerator.

But then I configured and compiled OpenVPN with HAVE_OPENSSL_ENGINE support,
and I made sure OpenVPN can work with cryptodev:

------
root@ubuntu:/etc/openvpn# /opt/openvpn/sbin/openvpn --show-engines
OpenSSL Crypto Engines

BSD cryptodev engine [cryptodev]
Intel RDRAND engine [rdrand]
Dynamic engine loading support [dynamic]
IBM 4758 CCA hardware engine support [4758cca]
Aep hardware engine support [aep]
Atalla hardware engine support [atalla]
CryptoSwift hardware engine support [cswift]
CHIL hardware engine support [chil]
Nuron hardware engine support [nuron]
SureWare hardware engine support [sureware]
UBSEC hardware engine support [ubsec]
Reference implementation of GOST engine [gost]
-------

without cryptodev
------
root@ubuntu:/etc/openvpn# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 192.168.1.13 port 5001 connected with 192.168.1.110 port 52444
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.1 sec  82.1 MBytes  68.4 Mbits/sec
-------
with cryptodev
-------
[  5] local 192.168.1.13 port 5001 connected with 192.168.1.110 port 52446
[  5]  0.0-10.1 sec  43.1 MBytes  35.7 Mbits/sec
-------

iperf shows the throughput was even cut down, from 68 Mbits/sec to 35.7 Mbits/sec!!!

I made sure the cryptodev engine has been loaded in OpenVPN, and the cipher
used in the OpenVPN configuration file is aes-128-cbc:

------
Fri Jul 24 16:35:21 2015 Initializing OpenSSL support for engine 'cryptodev'
Fri Jul 24 16:35:21 2015 Diffie-Hellman initialized with 2048 bit key
Fri Jul 24 16:35:21 2015 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Jul 24 16:35:21 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 24 16:35:21 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 24 16:35:21 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Fri Jul 24 16:35:21 2015 TUN/TAP device tap0 opened
Fri Jul 24 16:35:21 2015 TUN/TAP TX queue length set to 100
Fri Jul 24 16:35:21 2015 /etc/openvpn/up.sh br0 tap0 1500 1589 init
Fri Jul 24 16:35:21 2015 GID set to nogroup
Fri Jul 24 16:35:21 2015 UID set to nobody
Fri Jul 24 16:35:21 2015 UDPv4 link local (bound): [undef]
Fri Jul 24 16:35:21 2015 UDPv4 link remote: [undef]
Fri Jul 24 16:35:21 2015 MULTI: multi_init called, r=256 v=256
Fri Jul 24 16:35:21 2015 IFCONFIG POOL: base=192.168.1.110 size=9, ipv6=0
Fri Jul 24 16:35:21 2015 ifconfig_pool_read(), in='client,192.168.1.110', TODO: IPv6
Fri Jul 24 16:35:21 2015 succeeded -> ifconfig_pool_set()
Fri Jul 24 16:35:21 2015 IFCONFIG POOL LIST
Fri Jul 24 16:35:21 2015 client,192.168.1.110
Fri Jul 24 16:35:21 2015 Initialization Sequence Completed
----
Fri Jul 24 16:35:32 2015 192.168.2.187:48539 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Jul 24 16:35:32 2015 192.168.2.187:48539 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 24 16:35:32 2015 192.168.2.187:48539 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Jul 24 16:35:32 2015 192.168.2.187:48539 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 24 16:35:32 2015 192.168.2.187:48539 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Jul 24 16:35:32 2015 192.168.2.187:48539 [client] Peer Connection Initiated with [AF_INET]192.168.2.187:48539
Fri Jul 24 16:35:32 2015 client/192.168.2.187:48539 MULTI_sva: pool returned IPv4=192.168.1.110, IPv6=(Not enabled)
Fri Jul 24 16:35:34 2015 client/192.168.2.187:48539 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jul 24 16:35:34 2015 client/192.168.2.187:48539 send_push_reply(): safe_cap=940
Fri Jul 24 16:35:34 2015 client/192.168.2.187:48539 SENT CONTROL [client]: 'PUSH_REPLY,route-gateway 192.168.1.13,ping 10,ping-restart 120,ifconfig 192.168.1.110 255.255.255.0' (status=1)
Fri Jul 24 16:35:34 2015 client/192.168.2.187:48539 MULTI: Learn: da:78:09:89:40:24 -> client/192.168.2.187:48539
----

Any ideas? And does OpenVPN really support the cryptodev hardware accelerator?

Thank you!
Yuqian
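
An added example, not part of the original post: it re-derives the "openssl speed" figures quoted above and compares the two runs per second of wall-clock time instead of per second of reported time. It assumes the runs were made without the -elapsed option, so each "in 0.47s" figure is user CPU time, and that every loop ran for its nominal 3 seconds; parse_speed and wall_clock_ratio are names made up for this sketch.

```python
import re

# "Doing ..." lines copied from the two Intel E3815 runs quoted in the post.
WITH_CRYPTODEV = """\
Doing aes-128-cbc for 3s on 16 size blocks: 1324358 aes-128-cbc's in 0.47s
Doing aes-128-cbc for 3s on 64 size blocks: 986320 aes-128-cbc's in 0.33s
Doing aes-128-cbc for 3s on 256 size blocks: 487522 aes-128-cbc's in 0.19s
Doing aes-128-cbc for 3s on 1024 size blocks: 157636 aes-128-cbc's in 0.05s
Doing aes-128-cbc for 3s on 8192 size blocks: 22318 aes-128-cbc's in 0.01s
"""
WITHOUT_CRYPTODEV = """\
Doing aes-128-cbc for 3s on 16 size blocks: 29624370 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 10070739 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 2846673 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 735685 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 8192 size blocks: 92783 aes-128-cbc's in 3.00s
"""

DOING = re.compile(
    r"Doing (\S+) for (\d+)s on (\d+) size blocks: (\d+) \S+ in ([\d.]+)s")


def parse_speed(text):
    """Map block size -> throughput in 1000s of bytes/s, computed two ways."""
    rows = {}
    for m in DOING.finditer(text):
        nominal_s, size, count = int(m[2]), int(m[3]), int(m[4])
        reported_s = float(m[5])
        total_bytes = size * count
        rows[size] = {
            # The figure openssl prints: bytes divided by the reported time.
            "reported_k": total_bytes / reported_s / 1000,
            # Assumption: the loop really ran for the nominal wall-clock time.
            "wall_k": total_bytes / nominal_s / 1000,
            # Share of the run the process itself spent on the CPU.
            "cpu_share": reported_s / nominal_s,
        }
    return rows


def wall_clock_ratio(hw_text, sw_text):
    """Per block size: wall-clock throughput with the engine / without it."""
    hw, sw = parse_speed(hw_text), parse_speed(sw_text)
    return {size: hw[size]["wall_k"] / sw[size]["wall_k"] for size in sorted(hw)}


if __name__ == "__main__":
    for size, ratio in wall_clock_ratio(WITH_CRYPTODEV, WITHOUT_CRYPTODEV).items():
        print(f"{size:5d} bytes: engine/software wall-clock ratio = {ratio:.3f}")
```

Under those assumptions the engine run moves fewer bytes per wall-clock second at every block size, which points the same way as the iperf numbers; rerunning both benchmarks with -elapsed would confirm it.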