Thursday Nov 05, 2009

FIPS Capable OpenSSL for OpenSolaris

Earlier this morning I integrated into the SFW consolidation the changes for

PSARC/2009/507 FIPS Capable OpenSSL
6562055 FIPS-capable version of OpenSSL

A FIPS Capable OpenSSL is a regular OpenSSL built with the OpenSSL FIPS 140-2 Object Module which has been certified by NIST to be 140-2 compliant. It can be used in both a FIPS mode and as a regular OpenSSL. The certification for the OpenSSL FIPS 140-2 Object module was very unusual in that it was given for the source code instead of for a binary object. As long as the certified source has not been modified in any way and the security policy is strictly followed when building the source the certification remains valid. If you would like to see how OpenSSL is built for OpenSolaris, the full source for the SFW consolidation can be downloaded here.

The only application included in OpenSolaris which works properly in FIPS mode with the FIPS Capable OpenSSL is openssl(1).

$ LD_LIBRARY_PATH=/lib/openssl/fips-140 OPENSSL_FIPS=1 openssl version
OpenSSL 0.9.8k-fips 25 Mar 2009 (+ security fixes for: CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-2409)

Unfortunately it was not possible to simply replace the existing version of OpenSSL with the FIPS Capable OpenSSL. The main issue was one of performance - the OpenSSL FIPS Object Module is based on older code than the 0.9.8k release and performs poorly on some newer CPUs. We didn't feel that it was viable to introduce such a performance regression especially as most people aren't interested in a FIPS Capable OpenSSL. More information can be found in the PSARC mail logs.

We may deliver a version of SunSSH which can be run in a "FIPS mode" which will make use of the FIPS Capable OpenSSL.

The FIPS Capable OpenSSL will be available build 128.

Friday Aug 07, 2009

Big speed-ups for OpenSSL

I just integrated the fix for

6850713 32bit openssl x86 performance can be greatly improved by enabling hand-crafted asm

The result is 32bit applications on x86 using OpenSSL will see large performance increases for many ciphers. Most modern Linux distributions enable the same ASM so fixing this brings us up to par with Linux. Especially nice are the speed-ups for AES. On my test machines I see a 2-3x speedup for AES.

One of the consumers of OpenSSL in OpenSolaris is SunSSH. By default SunSSH will prefer to use AES ciphers when possible - see Ciphers in ssh_config(1)/sshd_config(4).I ran a couple of quick tests to see what sort of performance improvement would be seen when using SunSSH with the updated OpenSSL libraries. I ran the following on my x2100 test machine with the old libraries and then again with the new libraries.

time dd if=/dev/zero bs=1024k count=500 | ssh hst cat >/dev/null'
and got back:

First run (with original OpenSSL libraries).

real       17.7
user        0.0
sys         0.6

Second run (with updated OpenSSL libraries).

real        9.5
user        0.0
sys         0.6

Overall a very nice speed-up! Expect to see this in build 122.

Thursday Jun 11, 2009

OpenSSL 0.9.8k

I just upgraded OpenSSL to version 0.9.8k. 0.9.8k is the latest stable version of OpenSSL. OpenSSL in OpenSolaris before this was at version 0.9.8a with backported security fixes. I moved OpenSSL from ON to SFW a couple of weeks ago so as to make the work of upgrading simpler. There were a couple of motivators for upgrading but the one with the biggest impact is undoubtedly performance - particularly on amd64 platforms. OpenSSL 0.9.8k comes with most ciphers implemented in hand-coded assembly for maximal performance on amd64. Almost all of this can be enabled on OpenSolaris (to maintain ABI compatibility I couldn't enable this for rc4). Simple comparisons of openssl speed of before and after show larger performance gains in many ciphers.

Here are a couple of specific speed-ups I saw:

Sun Fire 2100 - AMD Opteron CPU

md5 (8192):1.55x
sha256 (8192):2.30x
aes128 (8192):1.73x
rsa2048 (sign):3.43x
rsa2048 (verify):2.83x

Sun Fire x4150 - Intel Xeon CPU

md5 (8192): 1.71x
sha256 (8192): 2.05x
aes128 (8192): 1.40x
rsa2048 (sign): 3.00x
rsa2048 (verify): 2.55x

There is also hand-coded assembly for 32bit x86. This wasn't enabled with the latest putback but expect to see it soon giving very nice speed-ups for 32bit applications on x86.

Of course there are other advantages to keeping OpenSSL up-to-date - bug fixes being the other primary advantage.




« February 2016