Date: Wed, 27 Jan 2016 16:55:18 -0700 From: Alan Somers <asomers@freebsd.org> To: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org> Subject: aesni doesn't play nice with krb5 Message-ID: <CAOtMX2hxYQQfx7T=unLbJUtjQ2hmHHt5Dgu7E5q9EWCegh9OQQ@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
I'm experimenting with Kerberized NFS, but my performance sucks when I use krb5p. I tracked the problem down to an interaction between aesni and krb5: aes_set_key in kcrypto_aes.c registers for a crypto session and requests support for two algorithms: CRYPTO_SHA1_HMAC and CRYPTO_AES_CBC. aesni(4) supports the latter, but not the former. So crypto_select_driver returns cryptosoft and krb5 uses software for both algorithms. It's too bad that aesni doesn't support SHA1, but other software like OpenSSL deals with it by using hardware for AES and software for SHA1. It seems to me like krb5 could be made to do the same by registering for two sessions, one for each algorithm. In fact, it seems like it would be pretty easy to do. The changes would probably be confined strictly to crypto_aes.c. Is there any reason why this wouldn't work? -Alan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2hxYQQfx7T=unLbJUtjQ2hmHHt5Dgu7E5q9EWCegh9OQQ>