Date: Wed, 27 Jan 2016 18:21:11 -0800 From: Stanislav Sedov <stas@FreeBSD.org> To: Alan Somers <asomers@FreeBSD.org> Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org> Subject: Re: aesni doesn't play nice with krb5 Message-ID: <F9B17F79-93B0-4648-8BBF-827BD26FA420@FreeBSD.org> In-Reply-To: <CAOtMX2hxYQQfx7T=unLbJUtjQ2hmHHt5Dgu7E5q9EWCegh9OQQ@mail.gmail.com> References: <CAOtMX2hxYQQfx7T=unLbJUtjQ2hmHHt5Dgu7E5q9EWCegh9OQQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Jan 27, 2016, at 3:55 PM, Alan Somers <asomers@FreeBSD.org> wrote: > > I'm experimenting with Kerberized NFS, but my performance sucks when I > use krb5p. I tracked the problem down to an interaction between aesni > and krb5: aes_set_key in kcrypto_aes.c registers for a crypto session > and requests support for two algorithms: CRYPTO_SHA1_HMAC and > CRYPTO_AES_CBC. aesni(4) supports the latter, but not the former. So > crypto_select_driver returns cryptosoft and krb5 uses software for > both algorithms. > > It's too bad that aesni doesn't support SHA1, but other software like > OpenSSL deals with it by using hardware for AES and software for SHA1. > It seems to me like krb5 could be made to do the same by registering > for two sessions, one for each algorithm. In fact, it seems like it > would be pretty easy to do. The changes would probably be confined > strictly to crypto_aes.c. Is there any reason why this wouldn't work? > This sounds great to me. Might be worth checking with the upstream Heimdal project to see if they might have some suggestions. But we can definitely apply this change locally in FreeBSD as we're probably affected by this more than other Heimdal consumers (who do not rely on encryption that much). -- Stanislav Sedov ST4096-RIPE
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F9B17F79-93B0-4648-8BBF-827BD26FA420>