From owner-freebsd-hackers@freebsd.org  Thu Jan 28 02:21:25 2016
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 423EFA6FD16
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Thu, 28 Jan 2016 02:21:25 +0000 (UTC)
 (envelope-from stas@FreeBSD.org)
Received: from mx0.deglitch.com (mx0.deglitch.com
 [IPv6:2a00:13c0:63:7194:1::3])
 by mx1.freebsd.org (Postfix) with ESMTP id 0BD341CCF;
 Thu, 28 Jan 2016 02:21:25 +0000 (UTC)
 (envelope-from stas@FreeBSD.org)
Received: from [IPv6:2620:10d:c082:1803:1501:3fff:d17f:e85] (unknown
 [IPv6:2620:10d:c090:200::f:636d])
 by mx0.deglitch.com (Postfix) with ESMTPSA id 5626F8FC0A;
 Wed, 27 Jan 2016 18:21:14 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Subject: Re: aesni doesn't play nice with krb5
From: Stanislav Sedov <stas@FreeBSD.org>
In-Reply-To: <CAOtMX2hxYQQfx7T=unLbJUtjQ2hmHHt5Dgu7E5q9EWCegh9OQQ@mail.gmail.com>
Date: Wed, 27 Jan 2016 18:21:11 -0800
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Content-Transfer-Encoding: 7bit
Message-Id: <F9B17F79-93B0-4648-8BBF-827BD26FA420@FreeBSD.org>
References: <CAOtMX2hxYQQfx7T=unLbJUtjQ2hmHHt5Dgu7E5q9EWCegh9OQQ@mail.gmail.com>
To: Alan Somers <asomers@FreeBSD.org>
X-Mailer: Apple Mail (2.3112)
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2016 02:21:25 -0000


> On Jan 27, 2016, at 3:55 PM, Alan Somers <asomers@FreeBSD.org> wrote:
> 
> I'm experimenting with Kerberized NFS, but my performance sucks when I
> use krb5p.  I tracked the problem down to an interaction between aesni
> and krb5: aes_set_key in kcrypto_aes.c registers for a crypto session
> and requests support for two algorithms: CRYPTO_SHA1_HMAC and
> CRYPTO_AES_CBC.  aesni(4) supports the latter, but not the former.  So
> crypto_select_driver returns cryptosoft and krb5 uses software for
> both algorithms.
> 
> It's too bad that aesni doesn't support SHA1, but other software like
> OpenSSL deals with it by using hardware for AES and software for SHA1.
> It seems to me like krb5 could be made to do the same by registering
> for two sessions, one for each algorithm.  In fact, it seems like it
> would be pretty easy to do.  The changes would probably be confined
> strictly to crypto_aes.c.  Is there any reason why this wouldn't work?
> 

This sounds great to me.  Might be worth checking with the upstream
Heimdal project to see if they might have some suggestions.  But we
can definitely apply this change locally in FreeBSD as we're probably
affected by this more than other Heimdal consumers (who do not rely on
encryption that much).

--
Stanislav Sedov
ST4096-RIPE