TLS does not invoke hardware acceleration except on Intel/AMD platform

Matt Caswell matt at openssl.org
Thu Sep 26 08:35:25 UTC 2019



On 25/09/2019 18:02, Mark Hack wrote:
> This was on 1.0.2 and I just checked 1.1.1, and for libssl I still only
> see the call for libcrypto. I can recompile and confirm later in the
> day to be 100% certain.

The call to OPENSSL_cpuid_setup() in 1.1.1 is inside ossl_init_base in
libcrypto. That gets called as soon as OPENSSL_init_crypto() gets called the
first time. This should happen automatically as soon as you do almost anything
with the libraries (either libssl or libcrypto). If it doesn't get called then
nothing would work at all.

Looking at the code for 1.0.2 it seems to happen in various different ways:

1) In the "ini" section on various platforms - so it should get invoked
automatically when OpenSSL is loaded
2) When OpenSSL_add_all_algorithms() is called. This is part of the usual
OpenSSL initialisation that applications are required to do before they use
libcrypto. Strictly speaking its not required to use libssl, but I think many
applications do this anyway.
3) On Windows as part of the DllMain DLL_PROCESS_ATTACH message. This gets
called automatically as soon as OpenSSL is loaded if using dynamic linking
4) As part of a call to ENGINE_load_builtin_engines(). This is called
automatically if you call OPENSSL_config()

So it looks like, from code examination, you could end up not calling it on some
platforms. Since 1.0.2 is nearing EOL and is currently only receiving security
fixes this is unlikely to get fixed.

My suggested workaround would be to call OpenSSL_add_all_algorithms() in 1.0.2
based applications even if you're only planning to use libssl.


Matt

> 
> 
> 
> On Wed, 2019-09-25 at 16:26 +0100, Matt Caswell wrote:
>>
>> On 25/09/2019 15:26, Mark Hack wrote:
>>> ssl_algs.c is missing the required call to OPENSSL_cpuid_setup()
>>> which
>>> means that all the platforms which rely on the CPU ID to be set
>>> (everything except Intel/AMD) never use any of the EVP calls and do
>>> not
>>> hardware accelerate TLS. Yes, the performance tests work but these
>>> do
>>> not use libssl.
>>>
>>> Patching ssl_algs.c corrects this and the performance improvement
>>> is
>>> immediatly noticable. This is the patch applied and tested on PPC.
>>>
>>> int SSL_library_init(void)
>>> {
>>> 	OPENSSL_cpuid_init_setup();	/* Identify the HW platform */
>>>
>>> ...
>>
>> Which version of OpenSSL do you see this in? In 1.1.1 at least I see
>> the call to
>> OPENSSL_cpuid_setup() in the default initialisation code:
>>
>>
> https://github.com/openssl/openssl/blob/19bd1fa1ef17ff0ac071402cb6b002f1c29e37b9/crypto/init.c#L45-L70
>>
>> Matt
>>
> 


More information about the openssl-users mailing list