Date: Sat, 30 Jan 2016 20:23:59 -0700 From: Alan Somers <asomers@freebsd.org> To: cem@freebsd.org Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org> Subject: Re: aesni doesn't play nice with krb5 Message-ID: <CAOtMX2gYqrM%2Bmu45CrDvZz3db11GvNNikUttGBtYfv0RHhZfPg@mail.gmail.com> In-Reply-To: <CAG6CVpWnBQ9re%2Bbzh2GYuo2y=TgfoyaTPD=WTDJKLbf4J1EShA@mail.gmail.com> References: <CAOtMX2hxYQQfx7T=unLbJUtjQ2hmHHt5Dgu7E5q9EWCegh9OQQ@mail.gmail.com> <CAG6CVpWnBQ9re%2Bbzh2GYuo2y=TgfoyaTPD=WTDJKLbf4J1EShA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Fast work! I should be able to test it by Tuesday. By inspection, the code looks good. -Alan On Sat, Jan 30, 2016 at 4:01 PM, Conrad Meyer <cem@freebsd.org> wrote: > I have an untested patch to fix this issue: > https://reviews.freebsd.org/D5146 . If you have time, please review > or test the patch. > > Thanks, > Conrad > > On Wed, Jan 27, 2016 at 3:55 PM, Alan Somers <asomers@freebsd.org> wrote: >> I'm experimenting with Kerberized NFS, but my performance sucks when I >> use krb5p. I tracked the problem down to an interaction between aesni >> and krb5: aes_set_key in kcrypto_aes.c registers for a crypto session >> and requests support for two algorithms: CRYPTO_SHA1_HMAC and >> CRYPTO_AES_CBC. aesni(4) supports the latter, but not the former. So >> crypto_select_driver returns cryptosoft and krb5 uses software for >> both algorithms. >> >> It's too bad that aesni doesn't support SHA1, but other software like >> OpenSSL deals with it by using hardware for AES and software for SHA1. >> It seems to me like krb5 could be made to do the same by registering >> for two sessions, one for each algorithm. In fact, it seems like it >> would be pretty easy to do. The changes would probably be confined >> strictly to crypto_aes.c. Is there any reason why this wouldn't work? >> >> -Alan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2gYqrM%2Bmu45CrDvZz3db11GvNNikUttGBtYfv0RHhZfPg>