Date: Tue, 27 Aug 2013 20:07:37 +0200
From: Ollivier Robert
To: dinoex@freebsd.org, freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: security/openssl speed issues
Message-ID: <20130827180736.GC25401@lonrach.local>
In-Reply-To: <20130827161454.GL29777@funkthat.com>

According to John-Mark Gurney:
> I discovered a similar issue on HEAD w/ 1.0.1e where openssl speed -engine
> aes-256-cbc when ktraced would not issue any ioctl's during the speed
> test... You can see that it opens the device, but then it gets a number
> of failures:
> 11466 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd590)
> 11466 openssl RET ioctl -1 errno 22 Invalid argument

That is not the main problem, openssl is asking which ciphers are supported and not everything is through cryptodev. The issue is that it should issue other ioctl for the supported ciphers and my 1.0.1c does not do that.

I've obtained a "ktrace.out" of a working version:

------
23961 openssl CALL open(0x800c6874f,0x2,0)
23961 openssl NAMI "/dev/crypto"
23961 openssl RET open 3
23961 openssl CALL fcntl(0x3,F_SETFD,FD_CLOEXEC)
23961 openssl RET fcntl 0
23961 openssl CALL ioctl(0x3,CRIOGET,0x7fffffffd51c)
23961 openssl RET ioctl 0
23961 openssl CALL fcntl(0x4,F_SETFD,FD_CLOEXEC)
23961 openssl RET fcntl 0
23961 openssl CALL ioctl(0x4,CIOCASYMFEAT,0x800ec73e0)
23961 openssl RET ioctl 0
23961 openssl CALL close(0x4)
23961 openssl RET close 0
23961 openssl CALL ioctl(0x3,CRIOGET,0x7fffffffd47c)
23961 openssl RET ioctl 0
23961 openssl CALL fcntl(0x4,F_SETFD,FD_CLOEXEC)
23961 openssl RET fcntl 0
23961 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
23961 openssl RET ioctl -1 errno 22 Invalid argument
23961 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
23961 openssl RET ioctl -1 errno 22 Invalid argument
23961 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
23961 openssl RET ioctl -1 errno 22 Invalid argument
23961 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
23961 openssl RET ioctl 0
23961 openssl CALL ioctl(0x4,CDRIOCINITWRITER,0x7fffffffd4c8)
23961 openssl RET ioctl 0
23961 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
23961 openssl RET ioctl 0
23961 openssl CALL ioctl(0x4,CDRIOCINITWRITER,0x7fffffffd4c8)
23961 openssl RET ioctl 0
23961 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
23961 openssl RET ioctl 0
23961 openssl CALL ioctl(0x4,CDRIOCINITWRITER,0x7fffffffd4c8)
23961 openssl RET ioctl 0
23961 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
23961 openssl RET ioctl -1 errno 22 Invalid argument
23961 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
23961 openssl RET ioctl -1 errno 22 Invalid argument
23961 openssl CALL close(0x4)
23961 openssl RET close 0
------

Notice the CDRIOCINITWRITER? My run does not show these: so after these lines, there are no "sessions" available and cryptodev is in fact not used.

-----
2709 openssl CALL open(0x800c56cef,0x2,0)
2709 openssl NAMI "/dev/crypto"
2709 openssl RET open 3
2709 openssl CALL fcntl(0x3,F_SETFD,FD_CLOEXEC)
2709 openssl RET fcntl 0
2709 openssl CALL ioctl(0x3,CRIOGET,0x7fffffffd56c)
2709 openssl RET ioctl 0
2709 openssl CALL fcntl(0x4,F_SETFD,FD_CLOEXEC)
2709 openssl RET fcntl 0
2709 openssl CALL ioctl(0x4,CIOCASYMFEAT,0x800eb3fe0)
2709 openssl RET ioctl 0
2709 openssl CALL close(0x4)
2709 openssl RET close 0
2709 openssl CALL ioctl(0x3,CRIOGET,0x7fffffffd4cc)
2709 openssl RET ioctl 0
2709 openssl CALL fcntl(0x4,F_SETFD,FD_CLOEXEC)
2709 openssl RET fcntl 0
2709 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4f0)
2709 openssl RET ioctl -1 errno 22 Invalid argument
2709 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4f0)
2709 openssl RET ioctl -1 errno 22 Invalid argument
2709 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4f0)
2709 openssl RET ioctl -1 errno 22 Invalid argument
2709 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4f0)
2709 openssl RET ioctl 0
2709 openssl CALL ioctl(0x4,CIOCFSESSION,0x7fffffffd518)
2709 openssl RET ioctl 0
2709 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4f0)
2709 openssl RET ioctl 0
2709 openssl CALL ioctl(0x4,CIOCFSESSION,0x7fffffffd518)
2709 openssl RET ioctl 0
2709 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4f0)
2709 openssl RET ioctl 0
2709 openssl CALL ioctl(0x4,CIOCFSESSION,0x7fffffffd518)
2709 openssl RET ioctl 0
2709 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4f0)
2709 openssl RET ioctl -1 errno 22 Invalid argument
2709 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4f0)
2709 openssl RET ioctl -1 errno 22 Invalid argument
2709 openssl CALL close(0x4)
2709 openssl RET close 0
-----

Making progress...

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
In memoriam to Ondine : http://ondine.keltia.net/
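
The comparison made by eye in the message above can be scripted. The following is an added example, not part of the original message or of OpenSSL/FreeBSD: it tallies each ioctl request and its result from kdump-style text and lists the request names that appear in only one of two traces. The function names and the sample records (including the pids) are constructed for illustration.

```python
import re
from collections import Counter

# kdump record layout: "<pid> <command> <CALL|RET|NAMI> <detail>"
RECORD = re.compile(r"^\s*(\d+)\s+(\S+)\s+(CALL|RET|NAMI)\s+(.*)$")
IOCTL_CALL = re.compile(r"^ioctl\([^,]+,(\w+),")
IOCTL_RET = re.compile(r"^ioctl\s+(-?\d+)(?:\s+errno\s+(\d+))?")

def ioctl_outcomes(kdump_text):
    """Count (request, outcome) pairs; outcome is 'ok' or 'errno N'."""
    pending = {}   # pid -> ioctl request still waiting for its RET line
    counts = Counter()
    for line in kdump_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        pid, _cmd, kind, detail = m.groups()
        if kind == "CALL":
            call = IOCTL_CALL.match(detail)
            if call:
                pending[pid] = call.group(1)
            else:
                pending.pop(pid, None)   # some other syscall started
        elif kind == "RET" and pid in pending:
            ret = IOCTL_RET.match(detail)
            if ret:
                outcome = "ok" if ret.group(1) != "-1" else f"errno {ret.group(2)}"
                counts[(pending.pop(pid), outcome)] += 1
    return counts

def request_diff(trace_a, trace_b):
    """Request names seen only in trace_a, and only in trace_b."""
    a = {req for req, _ in ioctl_outcomes(trace_a)}
    b = {req for req, _ in ioctl_outcomes(trace_b)}
    return sorted(a - b), sorted(b - a)

# Constructed sample records in kdump's layout (pids are made up).
TRACE_A = """\
 1001 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
 1001 openssl RET ioctl -1 errno 22 Invalid argument
 1001 openssl CALL ioctl(0x4,CIOCGSESSION,0x7fffffffd4a0)
 1001 openssl RET ioctl 0
 1001 openssl CALL ioctl(0x4,CDRIOCINITWRITER,0x7fffffffd4c8)
 1001 openssl RET ioctl 0
"""
TRACE_B = TRACE_A.replace("CDRIOCINITWRITER", "CIOCFSESSION")

if __name__ == "__main__":
    print(dict(ioctl_outcomes(TRACE_A)), request_diff(TRACE_A, TRACE_B))
```

To use it on real data, pass in the text produced by `kdump -f ktrace.out` for each run.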