HP-UX slow login problem found?
Kevin Steves
kevin at atomicgears.com
Sat Jul 13 05:35:41 EST 2002
./Configure hpux-parisc2-cc
will pull in asm/pa-risc2.o
I'll copy Chris (author of that code) in case he has
any thoughts.
On Fri, Jul 12, 2002 at 03:54:29AM -0400, Deron Meranda wrote:
> I think I finally figured out the problem that many people have been
> having with extremely long login times under HP-UX 11.x. The problem
> is really in OpenSSL, and in particular the Diffie-Hellman parameter
> generation routines under the PA-RISC processor. I suspect this may
> not be a problem with the IA64 (Itanium) processors. This especially
> shows up if you use the gcc compiler. Fortunately I have access to
> Rational Quantify, a very powerful profiler which led me down to just
> a few lines of assembly code causing almost the whole delay.
>
> I finally have an ssh/sshd executable under HP which logs in almost
> instantaneously. I wouldn't consider this a complete solution yet,
> especially if you don't have access to HP's ANSI C compiler, and I
> haven't thoroughly tested this whole configuration. But this
> information may still prove quite useful.
>
> I'm using the latest of everything...
>
> OpenSSH 3.4p1
> OpenSSL 0.9.7 Beta 2
> libz 1.1.4
> gcc 3.1 (using gas from binutils 2.12.1)
> HP ANSI C compiler (version B.11.01.06)
>
> Although this is a 64-bit OS, I'm compiling everything in 32-bit mode.
>
> I'm running on an 9000/L2000-44 under HP-UX 11.0. This is a
> two-processor 440MHz PA-RISC 2.0 system. If you only have a PA-RISC
> 1.x processor I think you may still be out of luck?? You can check
> your processor version by running the command "getconf CPU_VERSION".
> If it returns 532 or higher you have a 2.0 processor.
>
> There are basically two extremely slow routines in OpenSSL which show
> up if you compile it "out of the box": RSA operations and DH parameter
> generation. You can test how fast these are with the following...
>
> $ openssl speed rsa # tests all RSA operations
> $ openssl dhparam -text 128 # generates DH parameters (128-bit)
>
> The RSA test is pretty accurate--you can compare this with other
> systems like Linux on a PC. The DH test is unfortunately very
> random..some runs will be quick and others slow. You'll have to run
> it many times and with different bit sizes to guage how slow it is.
> Again, comparing to a Linux box may be useful. You will almost
> defintely see the HP version being much slower than Linux/Intel (on
> Pentium3/Athlon). This is because in practice the Intel chips seem to
> have much faster integer performance; whereas the PA-RISC is much
> faster with floating point. Unfortunately for you, most crypto is
> integer based. Just to give you a comparison point, here's my numbers
> (after optimizing it as described below)...
>
> sign verify sign/s verify/s
> rsa 512 bits 0.0023s 0.0002s 432.2 5402.4
> rsa 1024 bits 0.0094s 0.0005s 106.8 2132.8
> rsa 2048 bits 0.0519s 0.0014s 19.3 690.2
> rsa 4096 bits 0.3258s 0.0049s 3.1 203.4
>
> Without my changes, even with gcc -O3, my speeds were about 100 times
> slower! The DH speed is much harder to measure, but it was definitely
> real slow with the gcc compiled version.
>
> Okay, what's going on inside the OpenSSL code.... there are two small
> functions which are responsible for about 95% of the CPU clock cycles.
> These are bn_mul_add_words() in the file crypto/bn/bn_asm.c and the
> function BN_mod_word() in the file crypto/bn/bn_word.c. The first is
> responsible for the miserable RSA speeds, and the later for the
> horrible DH speeds. I'll discuss how to speed each of these up
> separately.
>
> The bn_mul_add_words() function is by default implemented in the file
> bn_asm.c. However, neither the gcc or HP C compiler seem to be able
> to optimize that implementation very well. As that function can be
> called thousands if not millions of times, every last clock cycle is
> extremely important. Fortunately there is some hand-crafted assembly
> code in an alternate implementation. It can be found in the OpenSSL
> distribution in the file crypto/bn/asm/pa-risc2.s. You need to use
> that file instead of the generic bn_asm.c file. However, there are
> some restrictions...that file only works with HP's assembler (not
> gas), only on PA-RISC 2.0 systems, and it is not relocatable/PIC
> (can't be used in a shared library).
>
> I haven't completely figured out OpenSSL's non-standard configure
> scripts. But it is easy enough to just assemble it yourself and then
> replace that object in the libcrypto.a library.
>
> ar d libcrypto.a bn_asm.o
> ar r libcrypto.a pa-risc2.o
> ranlib libcrypt.a
>
> Then relink the openssl executable. Rerun your RSA speed
> test..hopefully the results should be very pleasant.
>
>
> Now, for the Diffie-Hellman part (the primary reason for SSH
> slowness). There is no assembly version of the bn_word.c file. And
> unfortunately gcc's optimizer, even with gcc 3.1 and with -O3 and
> -march=2.0, is pretty poor. This basically is because gcc invokes
> some millicode routines to do the 64-bit modulus "%" operation. I've
> found though that HP's ANSI C compiler with the correct optimization
> arguments is able to produce some PA-RISC 2.0 specific instructions
> which make it very fast in comparison (say by 100 clock cycles).
>
> cc +O3 +ESlit +DA2.0 +DS2.0 -Ae \
> -DOPENSSL_THREADS -D_REENTRANT -DDSO_DL -DOPENSSL_NO_KRB5 \
> -I/opt/gnu/include \
> -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -D_REENTRANT \
> -DB_ENDIAN -DMD32_XARRAY -c bn_word.c -o bn_word.o
>
> Also throw in +Z if you're trying to make a shared library (but see
> note about pa-risc2.s file above).
>
> Except for those two files (pa-risc2.s and bn_word.c), you can use gcc
> for everything else. I've been using gcc 3.1, with -O3 -march=2.0
>
> Now, if all goes well, you'll have a new libcrypto.a. Compile and
> link OpenSSH against that one and you should see fast logins, finally!
> Note, both the server (sshd) and the client (ssh) need to be
> recompiled/relinked, as both generate their half of the DH parameters.
>
> Deron Meranda
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list