OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: minime on July 23, 2016, 04:50:17 pm

Title: [SOLVED] AES-NI not working? => nope all ok
Post by: minime on July 23, 2016, 04:50:17 pm
Hi,

I tried now with Chrome and IE, but the board seems to have an issue with the toolbar...I can't make use of it and can't format or insert a picture...sorry about that.

It seems that AES-NI is not working, what am I doing wrong?

I have the following system:

Versions   OPNsense 16.1.20-amd64
FreeBSD 10.2-RELEASE-p19
OpenSSL 1.0.2h 3 May 2016

CPU Type   Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz (4 cores)

I set the "Cryptographic Hardware Acceleration" option to "AES-NI CPU-based Acceleration (aesni)" under >System>Settings>Miscellaneous

root@OPNsense:~ # /usr/bin/openssl engine -t
(rsax) RSAX engine support
     [ available ]
(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]

root@OPNsense:~ # openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 89939962 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 25695979 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 6574131 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 1024 size blocks: 1656024 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 8192 size blocks: 206741 aes-128-cbc's in 3.02s
OpenSSL 1.0.1p-freebsd 9 Jul 2015
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     480932.23k   546757.04k   558085.82k   560874.36k   561615.68k
Title: Re: AES-NI not working?
Post by: franco on July 23, 2016, 05:05:42 pm
Hi minime,

What would lead you to think AES-NI is not working?

Some general hints here:

1) AES-NI kernel module is not used by OpenSSL, it's built into the assembler commands into the envelope mode (-evp). There is no engine support. Same for LibreSSL.

2) The binary that OPNsense uses is /usr/local/bin/openssl, as FreeBSD comes with a base OpenSSL under /usr/local/bin which cannot easily be removed / switched to LibreSSL. Therefore we use the crypto library from the FreeBSD ports instead.

Here's my dump:

# /usr/local/bin/openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 46675878 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 64 size blocks: 15835897 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 256 size blocks: 4955092 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 1024 size blocks: 1326968 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 8192 size blocks: 167984 aes-128-cbc's in 3.02s
OpenSSL 1.0.2h  3 May 2016
built on: reproducible build, date unspecified
options:bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -O3 -Wall -O2 -pipe  -fstack-protector -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     248291.42k   336082.04k   420643.66k   449427.26k   456331.58k

Yours is definitely faster. ;)


Cheers,
Franco
Title: Re: AES-NI not working?
Post by: minime on July 23, 2016, 06:12:29 pm
Hmmm...interesting. Thanks for the explanation! I just thought it should be much faster  ;D
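
Added example, not part of the original thread: one way to check whether the `-evp` code path really uses AES-NI is to repeat the benchmark with the CPU's AES-NI capability bit masked through OpenSSL's `OPENSSL_ia32cap` environment variable and compare the 8192-byte column. The function names, the 1.5x threshold and the masked-run sample figures are assumptions made up for this example; the first sample line is copied from the first post.

```shell
#!/bin/sh
# Added example (not from the thread): does the EVP path actually use AES-NI?
# Compare `openssl speed -evp` with the CPU's AES-NI capability bit visible
# and with it masked through OPENSSL_ia32cap.
OPENSSL=${OPENSSL:-/usr/local/bin/openssl}   # binary named in the thread

# Read `openssl speed` output on stdin; print the 8192-byte column of the
# summary line for cipher $1, without the trailing "k". Fails if absent.
speed_8k() {
    awk -v c="$1" 'tolower($1) == c && $NF ~ /k$/ { sub(/k$/, "", $NF); v = $NF }
                   END { if (v == "") exit 1; print v }'
}

# $1 = throughput with AES-NI visible, $2 = with it masked.
# The 1.5x threshold is an assumption of this example, not an OpenSSL value.
aesni_verdict() {
    awk -v a="$1" -v m="$2" 'BEGIN { r = a / m
        printf "%.1fx %s\n", r, (r >= 1.5 ? "aesni-in-use" : "no-difference") }'
}

# Summary line copied from the first post (AES-NI visible).
sample_on() { cat <<'EOF'
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     480932.23k   546757.04k   558085.82k   560874.36k   561615.68k
EOF
}

# Constructed sample of a masked run; these figures are not measurements.
sample_off() { cat <<'EOF'
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     120233.06k   136689.26k   139521.46k   140218.59k   140403.92k
EOF
}

if [ "${1:-}" = "--live" ]; then
    # ~0x200000200000000 clears the AES-NI and PCLMULQDQ capability bits.
    on=$("$OPENSSL" speed -evp aes-128-cbc 2>/dev/null | speed_8k aes-128-cbc)
    off=$(OPENSSL_ia32cap="~0x200000200000000" "$OPENSSL" speed -evp aes-128-cbc \
          2>/dev/null | speed_8k aes-128-cbc)
else
    on=$(sample_on | speed_8k aes-128-cbc)
    off=$(sample_off | speed_8k aes-128-cbc)
fi
aesni_verdict "$on" "$off"
```

Without arguments the script evaluates the embedded samples; with `--live` it benchmarks the real binary twice, which takes about 30 seconds.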