TLS does not invoke hardware acceleration except on Intel/AMD platform

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

TLS does not invoke hardware acceleration except on Intel/AMD platform

Mark Hack
ssl_algs.c is missing the required call to OPENSSL_cpuid_setup() which
means that all the platforms which rely on the CPU ID to be set
(everything except Intel/AMD) never use any of the EVP calls and do not
hardware accelerate TLS. Yes, the performance tests work but these do
not use libssl.

Patching ssl_algs.c corrects this and the performance improvement is
immediatly noticable. This is the patch applied and tested on PPC.

int SSL_library_init(void)
{
        OPENSSL_cpuid_init_setup(); /* Identify the HW platform */

...

Regards

Mark Hack

Reply | Threaded
Open this post in threaded view
|

Re: TLS does not invoke hardware acceleration except on Intel/AMD platform

Matt Caswell-2


On 25/09/2019 15:26, Mark Hack wrote:

> ssl_algs.c is missing the required call to OPENSSL_cpuid_setup() which
> means that all the platforms which rely on the CPU ID to be set
> (everything except Intel/AMD) never use any of the EVP calls and do not
> hardware accelerate TLS. Yes, the performance tests work but these do
> not use libssl.
>
> Patching ssl_algs.c corrects this and the performance improvement is
> immediatly noticable. This is the patch applied and tested on PPC.
>
> int SSL_library_init(void)
> {
> OPENSSL_cpuid_init_setup(); /* Identify the HW platform */
>
> ...

Which version of OpenSSL do you see this in? In 1.1.1 at least I see the call to
OPENSSL_cpuid_setup() in the default initialisation code:

https://github.com/openssl/openssl/blob/19bd1fa1ef17ff0ac071402cb6b002f1c29e37b9/crypto/init.c#L45-L70

Matt

Reply | Threaded
Open this post in threaded view
|

Re: TLS does not invoke hardware acceleration except on Intel/AMD platform

Mark Hack
This was on 1.0.2 and I just checked 1.1.1, and for libssl I still only
see the call for libcrypto. I can recompile and confirm later in the
day to be 100% certain.



On Wed, 2019-09-25 at 16:26 +0100, Matt Caswell wrote:

>
> On 25/09/2019 15:26, Mark Hack wrote:
> > ssl_algs.c is missing the required call to OPENSSL_cpuid_setup()
> > which
> > means that all the platforms which rely on the CPU ID to be set
> > (everything except Intel/AMD) never use any of the EVP calls and do
> > not
> > hardware accelerate TLS. Yes, the performance tests work but these
> > do
> > not use libssl.
> >
> > Patching ssl_algs.c corrects this and the performance improvement
> > is
> > immediatly noticable. This is the patch applied and tested on PPC.
> >
> > int SSL_library_init(void)
> > {
> > OPENSSL_cpuid_init_setup(); /* Identify the HW platform */
> >
> > ...
>
> Which version of OpenSSL do you see this in? In 1.1.1 at least I see
> the call to
> OPENSSL_cpuid_setup() in the default initialisation code:
>
>
https://github.com/openssl/openssl/blob/19bd1fa1ef17ff0ac071402cb6b002f1c29e37b9/crypto/init.c#L45-L70
>
> Matt
>

Reply | Threaded
Open this post in threaded view
|

Re: TLS does not invoke hardware acceleration except on Intel/AMD platform

Matt Caswell-2


On 25/09/2019 18:02, Mark Hack wrote:
> This was on 1.0.2 and I just checked 1.1.1, and for libssl I still only
> see the call for libcrypto. I can recompile and confirm later in the
> day to be 100% certain.

The call to OPENSSL_cpuid_setup() in 1.1.1 is inside ossl_init_base in
libcrypto. That gets called as soon as OPENSSL_init_crypto() gets called the
first time. This should happen automatically as soon as you do almost anything
with the libraries (either libssl or libcrypto). If it doesn't get called then
nothing would work at all.

Looking at the code for 1.0.2 it seems to happen in various different ways:

1) In the "ini" section on various platforms - so it should get invoked
automatically when OpenSSL is loaded
2) When OpenSSL_add_all_algorithms() is called. This is part of the usual
OpenSSL initialisation that applications are required to do before they use
libcrypto. Strictly speaking its not required to use libssl, but I think many
applications do this anyway.
3) On Windows as part of the DllMain DLL_PROCESS_ATTACH message. This gets
called automatically as soon as OpenSSL is loaded if using dynamic linking
4) As part of a call to ENGINE_load_builtin_engines(). This is called
automatically if you call OPENSSL_config()

So it looks like, from code examination, you could end up not calling it on some
platforms. Since 1.0.2 is nearing EOL and is currently only receiving security
fixes this is unlikely to get fixed.

My suggested workaround would be to call OpenSSL_add_all_algorithms() in 1.0.2
based applications even if you're only planning to use libssl.


Matt

>
>
>
> On Wed, 2019-09-25 at 16:26 +0100, Matt Caswell wrote:
>>
>> On 25/09/2019 15:26, Mark Hack wrote:
>>> ssl_algs.c is missing the required call to OPENSSL_cpuid_setup()
>>> which
>>> means that all the platforms which rely on the CPU ID to be set
>>> (everything except Intel/AMD) never use any of the EVP calls and do
>>> not
>>> hardware accelerate TLS. Yes, the performance tests work but these
>>> do
>>> not use libssl.
>>>
>>> Patching ssl_algs.c corrects this and the performance improvement
>>> is
>>> immediatly noticable. This is the patch applied and tested on PPC.
>>>
>>> int SSL_library_init(void)
>>> {
>>> OPENSSL_cpuid_init_setup(); /* Identify the HW platform */
>>>
>>> ...
>>
>> Which version of OpenSSL do you see this in? In 1.1.1 at least I see
>> the call to
>> OPENSSL_cpuid_setup() in the default initialisation code:
>>
>>
> https://github.com/openssl/openssl/blob/19bd1fa1ef17ff0ac071402cb6b002f1c29e37b9/crypto/init.c#L45-L70
>>
>> Matt
>>
>