From: Mike Tancsa
To: "Poul-Henning Kamp"
Cc: security@freebsd.org
Date: Thu, 08 Apr 2004 10:43:39 -0400
Subject: Re: recommended SSL-friendly crypto accelerator
Message-Id: <6.0.3.0.0.20040408103201.0949ba98@209.112.4.2>
In-Reply-To: <26215.1081434517@critter.freebsd.dk>
References: <26215.1081434517@critter.freebsd.dk>

At 10:28 AM 08/04/2004, Poul-Henning Kamp wrote:
>It is not clear to me exactly what is broken.
>I have seen problems
>reported but as far as I know they were all IPSEC related, and I
>have not seen a trace of trouble in my use with GBDE.
>I'm not saying that the driver is _not_ broken, but it is certainly
>not known to me to be broken for the use Michael asked about.

Actually, I have found it to wedge when using it in conjunction with
openssl. Here again are the steps to reproduce the bug. The same can be
done in OpenBSD BTW. I tried it with 3 different 1401 cards.

* Log in with a non-accelerated ssh session (e.g. blowfish as the cipher)

* Make a file called big.

    dd if=/dev/urandom of=big bs=1024k count=768

* In another session, log in using 3des (i.e. one that will get
  offloaded to the Hifn card)

* In the blowfish session, start an encryption process, pipe it through
  ssh to dump to another machine, e.g.

    /usr/bin/openssl enc -des3 -in big -k passphrase | ssh -c 3des mdtancsa@192.168.43.26 "cat - > /home/mdtancsa/targetfile.enc"

  At random periods, the process will get "stuck"

* In the 3des session, just hit the enter key. The ssl | ssh commands
  will become "unstuck."

Basically, you just need to do something else that touches the crypto
card. E.g. if you are on the console,

    head /dev/urandom | openssl 3des -out /dev/null -k pass

will do the trick.

When I had the releng5/CURRENT box up it would hang the same way as RELENG4

releng5-test# ps -p 647 -auxjwwww
USER     PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND          PPID PGID JOBC
mdtancsa 647  0.0  0.4 2668 2008 p1 I+   2:27PM  0:05.17 /usr/bin/openssl  635  647    2
releng5-test#
releng5-test# ps -p 648 -auwwww
USER     PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND
mdtancsa 648  0.0  0.5 3328 2756 p1 D+   2:27PM  0:12.03 ssh -c 3des mdtancsa@192.168.43.26 cat - > /home/mdtancsa/targetfile.enc
releng5-test#

  PID USERNAME PRI NICE  SIZE   RES STATE   TIME  WCPU   CPU COMMAND
  648 mdtancsa   8    0 3328K 2756K crydev  0:12 0.00% 0.00% ssh
  647 mdtancsa  -8    0 2668K 2008K pipdwt  0:05 0.00% 0.00% openssl
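
Added example (not part of the original message, and not FreeBSD project code): a small watchdog check for the symptom shown in the top output above, a process parked in the "crydev" wait channel with no CPU time accumulating. The function names, the two-snapshot heuristic and the sample snapshots are assumptions made for illustration; the samples are constructed from the PIDs and states in the message.

```shell
#!/bin/sh
# Added example: flag processes that sit in a given wait channel
# ("crydev" in the top output above) without accumulating CPU time.

# snapshot: live process table as "PID TIME WCHAN COMMAND" lines, no header.
# Each keyword gets its own -o so the empty "=" header applies to it alone.
snapshot() {
    ps -ax -o pid= -o time= -o wchan= -o comm=
}

# stuck_in_wchan WCHAN OLD NEW
# OLD and NEW are two snapshots taken some seconds apart.
# Prints the PIDs that are in WCHAN in both snapshots with identical TIME,
# i.e. candidates for being wedged rather than just briefly waiting.
stuck_in_wchan() {
    printf '%s\n---\n%s\n' "$2" "$3" | awk -v w="$1" '
        $1 == "---" { second = 1; next }      # separator between snapshots
        NF < 3      { next }                  # skip blank or short lines
        !second     { if ($3 == w) seen[$1] = $2; next }
        ($1 in seen) && $3 == w && seen[$1] == $2 { print $1 }
    '
}

# Constructed sample snapshots modelled on the ps/top output in the message.
# PID 701 is a made-up healthy process: in crydev both times, but its CPU
# time advances, so it is using the card normally.
OLD_SAMPLE='647 0:05.17 pipdwt openssl
648 0:12.03 crydev ssh
701 0:00.40 crydev openssl'
NEW_SAMPLE='647 0:05.17 pipdwt openssl
648 0:12.03 crydev ssh
701 0:00.95 crydev openssl'

# Live use:
#   a=$(snapshot); sleep 30; b=$(snapshot); stuck_in_wchan crydev "$a" "$b"
```

A PID reported by two or more consecutive checks matches the "stuck" state described in the message; a single hit can also be a process that was simply idle between the two snapshots.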