OpenVPN Padlock

I'm trying to get routed OpenVPN to work with a couple of VIA C7 machines on FreeBSD 6.2 so I can utilize the Padlock engine to accelerate OpenVPN. So far it's not working for some reason and I'm not sure why. I have a server machine with a single nic behind a FreeBSD 6.2 IPF firewall and a single nic FreeBSD 6.2 client machine and I've set it up so the subnet behind the client can access the subnet behind the server. This all works fine except for the fact that the Padlock acceleration isn't working. I'm trying to use 'cipher AES-128-CBC' on both the server and client and I also put 'engine padlock' at the end of both config files.

When I run an openssl speed test using the padlock engine it's significantly faster than the cryptodev engine, so it seems like padlock is working, but it's not with OpenVPN because I notice no speed difference at all. When I run 'openssl engine padlock' it returns '(padlock) VIA PadLock (no-RNG, ACE)'. I have crypto.ko, cryptodev.ko, and padlock.ko loading at startup. When the system starts, it displays the following errors: Padlock: 'No ACE support.' and 'module_register_init: MOD_LOAD (padlock, 0xc34cd57c, 0) error 22'. Another odd thing is that when I run 'dmesg | grep CPU' it returns this:
Code:
CPU: VIA/IDT Unknown (1999.59-MHz 686-class CPU)
cpu0: <ACPI CPU> on acpi0
acpi_perf0: <ACPI CPU Frequency Control> on cpu0
acpi_throttle0: <ACPI CPU Throttling> on cpu0
CPU: VIA/IDT Unknown (1999.60-MHz 686-class CPU)
cpu0: <ACPI CPU> on acpi0
acpi_perf0: <ACPI CPU Frequency Control> on cpu0
acpi_throttle0: <ACPI CPU Throttling> on cpu0
It seems that the OS isn't properly recognizing the CPU, which might be part of the problem, but I'm not sure what to do about that. How do you guys think I should proceed? Try FreeBSD 7.2?
 
I'm using the version of OpenSSL that came with 6.2, which is 0.9.7e-p1. This version doesn't appear to be working properly with Padlock. I did testing using scp and got the following results:

Code:
# scp -c aes128-cbc myfile.dat root@localhost:/dev/null
myfile.dat                                    100%  100MB   5.6MB/s   00:18

# scp -c blowfish myfile.dat root@localhost:/dev/null
myfile.dat                                    100%  100MB   8.3MB/s   00:12

Clearly Padlock acceleration is not working and I suspect OpenSSL is the problem. I used portsnap to update the ports collection and tried updating OpenSSL. It wasn't recognizing the upgrade attempt; it kept saying I was using 0.9.7e-p1, so I did some digging and found this page:

http://lists.freebsd.org/pipermail/freebsd-questions/2008-November/186441.html

After editing /root/.cshrc like the above link suggests, the OS recognizes the new version of OpenSSL, version 0.9.8k, but now when I run 'openssl engine' it only lists cryptodev and dynamic. Are the padlock kernel modules I need compatible with this version of OpenSSL? How do I get it to recognize where they are? Am I on the right track?
 
I had a spare HD sitting around so I decided to install FreeBSD 7.2 on it to see how the machine I've been having difficulties with would behave. 7.2 seems more promising, but it still seems like it isn't working properly. Here are the results of dmesg that lead me to believe I'm getting closer:

Code:
# dmesg |grep CPU
CPU: VIA C7 Processor 2000MHz (1999.59-MHz 686-class CPU)
cpu0: <ACPI CPU> on acpi0
p4tcc0: <CPU Frequency Thermal Control> on cpu0

# dmesg |grep Padlock
  VIA Padlock Features=0xffcc<RNG,AES,AES-CTR,SHA1,SHA256,RSA>

# dmesg |grep padlock
padlock0: <AES-CBC,SHA1,SHA256> on motherboard

I have the following kernel modules loaded:

Code:
# kldstat
Id Refs Address    Size     Name
 1   12 0xc0400000 9fab28   kernel
 2    3 0xc0dfb000 25ff8    crypto.ko
 3    3 0xc0e21000 ab40     zlib.ko
 4    1 0xc0e2c000 442c     cryptodev.ko
 5    1 0xc0e31000 4b64     padlock.ko
 6    1 0xc0e36000 6a45c    acpi.ko
 7    1 0xc312a000 e000     ipfw.ko
 8    1 0xc3177000 22000    linux.ko

My scp results are about the same as before:

Code:
# scp -c aes128-cbc myfile.dat root@localhost:/dev/null
myfile.dat                                    100%  100MB   6.3MB/s   00:16

# scp -c blowfish myfile.dat root@localhost:/dev/null
myfile.dat                                    100%  100MB   9.1MB/s   00:11

What am I doing wrong here?
 
cdm710 said:
I'm running the i386 version of 7.2

And with 7.2, does padlock(4) recognize the ACE engine?

You have two ways to use the ACE engine: the first is with openssl and the padlock engine. In this case openssl uses the special instruction set for padlock. With the padlock(4) driver, you must use the cryptodev engine. The best option is to use the openssl padlock engine because there is no need to go into the kernel.

If you want to check both, use openssl to encrypt or decrypt a big file.

Something like:
Code:
openssl enc -e -aes-128-cbc -k toto -in abigfile -out /dev/null -nosalt [-engine padlock | -engine cryptodev | nothing]
If you see a large difference in speed, ACE is working.

Then check with OpenVPN. On FreeBSD > 7 there is a bug and openssl does not use the cryptodev driver by default. You must patch openssl; I use an old patch and I don't know if it still applies:

Code:
--- eng_cryptodev.c.orig	2008-02-05 18:10:31.000000000 +0000
+++ eng_cryptodev.c	2008-06-14 18:25:36.175353823 +0100
@@ -1127,6 +1127,7 @@
 	}
 
 	ENGINE_add(engine);
+	ENGINE_set_default_ciphers(engine);
 	ENGINE_free(engine);
 	ERR_clear_error();
 }
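Review bot: the return value of the added ENGINE_set_default_ciphers(engine) call, on the line after ENGINE_add(engine), is ignored, and the ERR_clear_error() two lines below discards anything it queued, so a failure to make cryptodev the default cipher engine would go unnoticed. Check the result and report it before the error queue is cleared. The new line also needs a short comment saying why the engine is made the default for ciphers only, since nothing in the surrounding context explains it.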
 
plamaiziere said:
And with 7.2, does padlock(4) recognize the ACE engine?

Yes, it recognizes it. When I type 'openssl engine' padlock with ACE support is in the list.

plamaiziere said:
If you want to check both, use openssl to encrypt or decrypt a big file

Something like:
Code:

openssl enc -e -aes-128-cbc -k toto -in abigfile -out /dev/null -nosalt [-engine padlock | -engine cryptodev | nothing]

If you see a large difference in speed, ACE is working.

It's significantly faster when I use the padlock engine. Cryptodev and nothing are about the same speed.

Forgive my ignorance, but what exactly do I apply the suggested patch to? Thanks for the help, I feel like I'm getting somewhere.
 
cdm710 said:
Yes, it recognizes it. When I type 'openssl engine' padlock with ACE support is in the list.

It's significantly faster when I use the padlock engine. Cryptodev and nothing are about the same speed.

Forgive my ignorance, but what exactly do I apply the suggested patch to? Thanks for the help, I feel like I'm getting somewhere.

Ok so you don't need to use the cryptodev engine. You just need to tell OpenVPN to use openssl with the padlock engine. I don't know how you can achieve this.

The patch I posted was for the cryptodev engine.
 
Ok so I put FreeBSD 7.2 on both machines I'm working on and I reran this test:
Code:
openssl enc -e -aes-128-cbc -k toto -in abigfile -out /dev/null -nosalt [-engine padlock | -engine cryptodev | nothing]
Now padlock and cryptodev are about the same speed on both machines, both significantly faster than 'nothing'. Not sure why cryptodev was slower before... I tested OpenVPN using both 'engine padlock' and 'engine cryptodev' and it's still not working. Both of those engines show up as options when I run 'openvpn --show-engines'.

So how do I apply that cryptodev patch that was posted?
 
Ok I figured out how to apply the patch (I think) and it's still not working. I ran '/usr/src/patch < cryptodev_patch' where cryptodev_patch contained the patch code you provided. Tried OpenVPN with both 'engine padlock' and 'engine cryptodev' and no speed boost still. Frustrating...
 
cdm710 said:
Ok I figured out how to apply the patch (I think) and it's still not working. I ran '/usr/src/patch < cryptodev_patch' where cryptodev_patch contained the patch code you provided. Tried OpenVPN with both 'engine padlock' and 'engine cryptodev' and no speed boost still. Frustrating...

I've not tested this patch with OpenVPN but it worked for sure with OpenSSH.

Which cyphers are you using with OpenVPN? padlock(4) will be used only if it is able to handle *all* the cyphers.

You can use the tools located in /usr/src/tools/tools/crypto to see what happens with the crypto framework (cryptostats tool and cryptotest tool)
 
plamaiziere said:
I've not tested this patch with OpenVPN but it worked for sure with OpenSSH.

Which cyphers are you using with OpenVPN? padlock(4) will be used only if it is able to handle *all* the cyphers.

You can use the tools located in /usr/src/tools/tools/crypto to see what happens with the crypto framework (cryptostats tool and cryptotest tool)

I'm trying to use aes-128-cbc with openvpn. I managed to install the tools you referred to, but I'm not sure what to do with them. Here's what happens when I run cryptostats:
Code:
# /usr/local/bin/cryptostats
0 symmetric crypto ops (0 errors, 0 times driver blocked)
0 key ops (0 errors, 0 times driver blocked)
0 crypto dispatch thread activations
0 crypto return thread activations
I tried running that while doing an openssl speed test using the padlock engine, cryptodev engine, and the default software engine and I got the same results. I guess that's not how you're supposed to use that command, but I can't seem to figure out what to do with it...
 
I played around on my 7.2-RELEASE-p4 VIA C7 box. After updating from OpenSSL 0.9.8e to OpenSSL 0.9.8k the transfer rate with scp increased from 3MBytes/sec to 10MBytes/sec :)

cheers,
honk
 
honk said:
I played around on my 7.2-RELEASE-p4 VIA C7 box. After updating from OpenSSL 0.9.8e to OpenSSL 0.9.8k the transfer rate with scp increased from 3MBytes/sec to 10MBytes/sec :)

cheers,
honk

I really hate to ask this, but how did you update to 0.9.8k? Updating from the ports tree isn't working and I can't seem to figure out how to do it. I'll keep looking, but I would really appreciate some help. Thanks.
 
Why isn't 'updating from ports' working? Just call /usr/local/bin/openssl, or put /usr/local earlier in your $PATH, or move /usr/bin/openssl out of the way, making it a symlink to /usr/local/bin/openssl. Or switch to 8.0 (which has 0.98k in the base).
 
DutchDaemon said:
Why isn't 'updating from ports' working? Just call /usr/local/bin/openssl, or put /usr/local earlier in your $PATH, or move /usr/bin/openssl out of the way, making it a symlink to /usr/local/bin/openssl. Or switch to 8.0 (which has 0.98k in the base).

I created a symlink as you suggested and now the padlock engine isn't listed anymore when I type 'openssl engine', so that doesn't quite work as intended. I also tried putting /usr/local earlier in $PATH in a couple of different places in front of /usr/bin which also didn't work because openssl still reported that it was version 0.9.8e. I'm assuming you were talking about modifying path in /root/.cshrc right?
 
Are /etc/ssl/openssl.cnf and /usr/local/openssl/openssl.cnf 'in agreement'?
'diff /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf' (or even 'diff /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf.sample' if you haven't created it yet ..)
 
DutchDaemon said:
Are /etc/ssl/openssl.cnf and /usr/local/openssl/openssl.cnf 'in agreement'?
'diff /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf' (or even 'diff /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf.sample' if you haven't created it yet ..)

When I copy /etc/ssl/openssl.cnf to /usr/local/openssl/openssl.cnf and run 'openssl engine' cryptodev and dynamic show up. When I run 'diff /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf.sample' I get the following:
Code:
1d0
< # $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.8.8.1 2009/04/15 03:14:26 kensmith Exp $
16,26d14
< #enable padlock engine by default:
< #openssl_conf = openssl_def
< #[openssl_def]
< #engines = openssl_engines
< #[openssl_engines]
< #padlock = padlock_engine
< #[padlock_engine]
< #default_algorithms = ALL
< #end of crazy configfile syntax
<
<
49c37
< dir           = /usr/local/etc/openvpn                # Where everything is kept
---
> dir           = ./demoCA              # Where everything is kept
57c45
< certificate   = $dir/certs/cacert.pem         # The CA certificate
---
> certificate   = $dir/cacert.pem       # The CA certificate
80c68
< default_days  = 3650                  # how long to certify for
---
> default_days  = 365                   # how long to certify for
137c125
< countryName_default           = US
---
> countryName_default           = AU
142c130
< stateOrProvinceName_default   = Ohio
---
> stateOrProvinceName_default   = Some-State
145d132
< localityName_default          = Columbus
148c135
< 0.organizationName_default    = xxxxx
---
> 0.organizationName_default    = Internet Widgits Pty Ltd
158d144
< commonName_default            = Enter User's Name
162d147
< emailAddress_default          = username@xxxxx
196c181
< nsCertType = client, email, objsign
---
> # nsCertType = client, email, objsign
206c191
< authorityKeyIdentifier=keyid,issuer:always
---
> authorityKeyIdentifier=keyid,issuer
If I just copy openssl.cnf.sample over openssl.cnf in /usr/local/openssl and run 'openssl engine' cryptodev and dynamic are still the only engines that are recognized.
 
What I'm trying to say is that if you want to use openssl from ports, you'll have to use /usr/local/openssl/openssl.cnf. So if you want Padlock with openssl from ports, you'll have to put the padlock stuff in the correct config file. Note that you had Padlock commented out in the diff you posted above, so I guess that's what prevents it from showing up now.
 
DutchDaemon said:
What I'm trying to say is that if you want to use openssl from ports, you'll have to use /usr/local/openssl/openssl.cnf. So if you want Padlock with openssl from ports, you'll have to put the padlock stuff in the correct config file. Note that you had Padlock commented out in the diff you posted above, so I guess that's what prevents it from showing up now.

The padlock code in the openssl.cnf file just tells openssl to use the padlock engine by default. Even if I uncomment it 'openssl engine' doesn't show padlock as being supported. It appears that for some reason it's not recognizing the kernel module and I'm not sure why. I tried unloading the padlock kernel module and reloading it, but that didn't do anything.
 
honk said:
I played around on my 7.2-RELEASE-p4 VIA C7 box. After updating from OpenSSL 0.9.8e to OpenSSL 0.9.8k the transfer rate with scp increased from 3MBytes/sec to 10MBytes/sec :)

cheers,
honk

Would you mind explaining the process you used to upgrade from 0.9.8e to 0.9.8k? Clearly I did something different than you.
 
Ok, so I uncommented the following in /usr/local/openssl/openssl.cnf and restarted the system:
Code:
#enable padlock engine by default:
openssl_conf = openssl_def
[openssl_def]
engines = openssl_engines
[openssl_engines]
padlock = padlock_engine
[padlock_engine]
default_algorithms = ALL
Now when I run 'openssl engine' I get the following error:
Code:
Error configuring OpenSSL
2345:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(/usr/local/lib/engines/libpadlock.so): Cannot open "/usr/local/lib/engines/libpadlock.so"
2345:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
2345:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
2345:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:415:id=padlock
2345:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=openssl_engines, retcode=-1
What's odd is that I don't appear to have libpadlock.so anywhere on my system. Is this an OpenSSL bug or something? Another thing that's different is when I run dmesg |grep padlock the following is returned:
Code:
padlock0: <AES-CBC,SHA1,SHA256> on motherboard
padlock0: detached
padlock0: <AES-CBC,SHA1,SHA256> on motherboard
padlock0: detached
padlock0: <AES-CBC,SHA1,SHA256> on motherboard
padlock0: detached
padlock0: <AES-CBC,SHA1,SHA256> on motherboard
padlock0: <AES-CBC,SHA1,SHA256> on motherboard
I'm assuming this is happening because OpenSSL can't load the padlock engine.
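
The checks made across this thread (the CPU feature line, the padlock(4) attach state in dmesg, and the 'openssl engine' listing) can be triaged from captured output in one pass. This is an added example, not code from any poster in the thread; the function names are hypothetical, and the 'no-ACE' string is assumed from the name format the OpenSSL padlock engine reports.

```shell
#!/bin/sh
# Added example: triage helpers for the PadLock checks discussed above.
# Each layer function reads captured command output on stdin, so it works
# on saved logs as well as live output, e.g.:
#   dmesg > d.txt; openssl engine > e.txt; padlock_path d.txt e.txt

# CPU layer: does the "VIA Padlock Features=0x...<...>" dmesg line list AES?
# Exact match on the flag so that AES-CTR alone does not count.
cpu_has_ace() {
    grep 'VIA Padlock Features=' | sed -n 's/.*<\(.*\)>.*/\1/p' |
        tr ',' '\n' | grep -qx 'AES'
}

# Kernel layer: last recorded state of padlock0 (attached/detached/absent).
# The driver can attach and detach repeatedly; only the final event matters.
padlock_driver_state() {
    awk '/^padlock0: detached/ { s = "detached" }
         /^padlock0: </        { s = "attached" }
         END { print (s == "" ? "absent" : s) }'
}

# Userland layer: is the padlock engine listed with ACE usable?
# "(padlock) VIA PadLock (no-RNG, no-ACE)" must not count as a match.
engine_has_ace() {
    grep '^(padlock)' | grep -v 'no-ACE' | grep -q 'ACE'
}

# Combine the layers: which OpenSSL engine, if any, can reach the hardware.
# $1 = file holding dmesg output, $2 = file holding `openssl engine` output.
# The CPU line is not used as a gate: an old kernel may not identify the CPU
# while the userland engine still reports ACE.
padlock_path() {
    if engine_has_ace < "$2"; then
        echo "engine-padlock"      # userland instructions, no kernel trip
    elif [ "$(padlock_driver_state < "$1")" = attached ] &&
         grep -q '^(cryptodev)' "$2"; then
        echo "engine-cryptodev"    # only reachable through padlock(4)
    else
        echo "software-only"       # nothing accelerated
    fi
}
```

A result of 'engine-cryptodev' or 'software-only' from the OpenSSL binary that OpenVPN is linked against means 'engine padlock' in the OpenVPN config has nothing to load.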
 