openssh bugs - Mar 2011 - [Bug 1882] New: Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

           Summary: Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL
                    hardware engine
           Product: Portable OpenSSH
           Version: 5.7p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: scp
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: opod at nic-nac-project.org


I have a VIA C7 box which supports hardware acceleration for aes-cbc
with OpenSSL 'padlock' engine.

I have defined the padlock engine as default in /etc/ssl/openssl.conf
and it has worked for OpenSSH versions 5.4p1 through 5.6p1. With 5.7p1
and 5.8p1 the hardware acceleration is no longer used. 

Both OpenSSH versions are configured as such:

./configure --prefix=/usr --libexecdir=/usr/lib/ssh \
        --sysconfdir=/etc/ssh --with-tcp-wrappers
--with-privsep-user=nobody \
        --with-md5-passwords --with-pam --with-mantype=man
--mandir=/usr/share/man \
        --with-xauth=/usr/bin/xauth --with-kerberos5=/usr
--with-ssl-engine \
        --with-libedit=/usr/lib

I am enclosing verbose client logs, but I don't know if they will be of
any use. I'll be happy to provide any additional information that is
required.

I am filing this against scp as this is how I can verify if the
hardware acceleration is working or not, but this is probably a deeper
problem.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

--- Comment #1 from opod at nic-nac-project.org 2011-03-27 04:52:40 EST ---
Created attachment 2022
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2022
5.6p1 client

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

--- Comment #2 from opod at nic-nac-project.org 2011-03-27 04:53:11 EST ---
Created attachment 2023
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2023
5.8p1 client

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

--- Comment #3 from opod at nic-nac-project.org 2011-05-06 02:42:55 EST ---
The bug still persists with 5.8p2. I'll happily provide more
information, just tell me what you need.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
         Depends on|                            |1845

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2011-05-06
10:22:30 EST ---
You can forcibly enable hardware support with
./configure --with-ssl-engine

although I'm not sure what would have changed to stop an override in
openssl.cnf from working (without --with-ssl-engine it does the same
thing it used to do).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2011-05-06
11:59:41 EST ---
... which you have.  I'm going to attach a patch to add some debugging,
please try again with that and attach the output of the client with ssh
-vvv.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2041|                            |ok?(djm at mindrot.org)
              Flags|                            |

--- Comment #6 from Darren Tucker <dtucker at zip.com.au> 2011-05-06
12:12:49 EST ---
Created attachment 2041
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2041
switch from SSLeay_add_all_algorithms to OpenSSL_add_all_algoritms for
compat hook

ah, I think I see what happened.  We changed from the old
(undocumented) SSLeay_add_all_algorithms() function the new
(documented) OpenSSL_add_all_algorithms() function, and in doing so we
no longer called the hook in the compat library we use to enable this.

Please try the attached patch.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2041|ok?(djm at mindrot.org)        |ok+
              Flags|                            |

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

opod at nic-nac-project.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from opod at nic-nac-project.org 2011-05-07 03:25:55 EST ---
This does indeed work, thank you for addressing this issue.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

--- Comment #8 from Darren Tucker <dtucker at zip.com.au> 2011-05-10
11:13:55 EST ---
Committed, thanks.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #9 from Damien Miller <djm at mindrot.org> 2011-09-06 15:32:53
EST ---
close resolved bugs now that openssh-5.9 has been released

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

Bug 1882 depends on bug 1845, which changed state.

Bug 1845 Summary: Bugs intended to be fixed in 5.9
https://bugzilla.mindrot.org/show_bug.cgi?id=1845

           What    |Old Value                   |New Value
----------------------------------------------------------------------------
         Resolution|                            |FIXED
             Status|NEW                         |RESOLVED

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.