LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 01-29-2015, 11:13 PM   #1
psycroptic
Would Strongswan make use of the "AES NI" instruction set on Intel i-series CPUs?


Title says it. I am able to confirm the presence of "aesni_intel" as loaded, via "lsmod | grep aes"

Code:
aesni_intel           167997  16
aes_x86_64             16719  1 aesni_intel
lrw                    12757  1 aesni_intel
glue_helper            12649  1 aesni_intel
ablk_helper            12572  1 aesni_intel
cryptd                 18553  11 ghash_clmulni_intel,aesni_intel,ablk_helper
 
Old 01-31-2015, 08:09 AM   #2
neonsignal
The openssl plugin for strongswan is able to take advantage of AES NI, for example when using AES-GCM.

You can check if your openssl supports AES-NI by
Code:
openssl engine

Last edited by neonsignal; 01-31-2015 at 08:10 AM.
 
Old 02-01-2015, 10:04 PM   #3
psycroptic
Does strongswan use openssl all the time? or does it specifically need to be enabled?
 
Old 02-01-2015, 11:32 PM   #4
neonsignal
Quote:
Originally Posted by psycroptic
Does strongswan use openssl all the time? or does it specifically need to be enabled?
This depends on which plugins are enabled and their order. You can start the server, list the plugins, and list the algorithms used.

The plugins are mostly for the Internet Key Exchange (IKE) part, for setting up the security association. The Encapsulating Security Payload (ESP) part will typically be handled by the kernel (although I believe you can also bypass this with a plugin). The kernel too will be making use of AES-NI (though I gather there may have been an issue with 256 bit GCM mode at some point).

The strongSwan documentation lists the support for the different algorithms.
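
For the kernel-side ESP path described in the post above, an added example (not part of any post in this thread): a shell function that reads /proc/crypto and reports which driver the kernel crypto API would select for an algorithm name, so you can see whether it is the aesni_intel one and whether its self-test passed. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# /proc/crypto holds one record per implementation, separated by blank
# lines; for a given "name" the kernel crypto API uses the record with
# the highest "priority".

# best_driver ALG [FILE] -> prints "driver module priority selftest"
best_driver() {
    awk -v want="$1" '
        function flush() {
            if (f["name"] == want && f["priority"] + 0 > best) {
                best = f["priority"] + 0
                out = f["driver"] " " f["module"] " " f["priority"] " " f["selftest"]
            }
            split("", f)   # reset the record
        }
        BEGIN { best = -1 }
        /^[ \t]*$/ { flush(); next }
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            f[k] = v
        }
        END { flush(); if (out == "") exit 1; print out }
    ' "${2:-/proc/crypto}"
}

# Constructed sample in /proc/crypto layout (values are illustrative).
sample_proc_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
selftest     : passed

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
priority     : 400
selftest     : passed

name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400
selftest     : passed
EOF
}

# Demo on the sample; on a real host run: best_driver 'rfc4106(gcm(aes))'
sample_proc_crypto | best_driver 'cbc(aes)' -
```

On a live system, rfc4106(gcm(aes)) is the kernel name for AES-GCM as used by ESP; a non-zero exit status means no implementation of that name is currently registered.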
 
Old 02-01-2015, 11:39 PM   #5
psycroptic
Quote:
Originally Posted by neonsignal
The Encapsulating Security Payload (ESP) part will typically be handled by the kernel (although I believe you can also bypass this with a plugin). The kernel too will be making use of AES-NI
Yes, this is what I was primarily aiming for.

Quote:
Originally Posted by neonsignal
(though I gather there may have been an issue with 256 bit GCM mode at some point)
Why might you say that?
 
Old 02-01-2015, 11:58 PM   #6
neonsignal
Quote:
Originally Posted by psycroptic
Why might you say that?
There was a strongSwan bug report where the aesni module was causing failures for AES-GCM with a 256 bit key (but this will be an obvious failure, as there was no fallback to software mode).
 
  

