by Sergeanter » Sun Apr 30, 2017 9:23 pm
@kriztioan
Thank you so much for the hint regarding the sandbox.
Changing 'UsePrivilegeSeparation' from 'sandbox' to 'yes' in /etc/ssh/sshd_config did fix sshd connection with accelerated ciphers.
Also, I confirm that acceleration is working properly.
Baseline benchmark with openssl 1.0.2.k-1
$this->bbcode_second_pass_code('', 'openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 1605427 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 485871 aes-256-cbc's in 2.99s
Doing aes-256-cbc for 3s on 256 size blocks: 128527 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 32593 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 8192 size blocks: 4089 aes-256-cbc's in 3.00s
OpenSSL 1.0.2k 26 Jan 2017
built on: reproducible build, date unspecified
options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -D_FORTIFY_SOURCE=2 -march=armv5te -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -Wl,-O1,--sort-common,--as-needed,-z,relro -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 8562.28k 10399.91k 10967.64k 11199.74k 11165.70k
')
Benchmark with openssl-cryptodev-1.0.2.h-1
$this->bbcode_second_pass_code('', '
openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 48691 aes-256-cbc's in 0.10s
Doing aes-256-cbc for 3s on 64 size blocks: 48619 aes-256-cbc's in 0.13s
Doing aes-256-cbc for 3s on 256 size blocks: 43764 aes-256-cbc's in 0.16s
Doing aes-256-cbc for 3s on 1024 size blocks: 30701 aes-256-cbc's in 0.07s
Doing aes-256-cbc for 3s on 8192 size blocks: 7577 aes-256-cbc's in 0.06s
OpenSSL 1.0.2h 3 May 2016
built on: reproducible build, date unspecified
options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DHASH_MAX_LEN=64 -Wa,--noexecstack -D_FORTIFY_SOURCE=2 -march=armv5te -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -Wl,-O1,--sort-common,--as-needed,-z,relro -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 7790.56k 23935.51k 70022.40k 449111.77k 1034513.07k
')