Date: Sat, 30 Jan 2016 15:01:25 -0800 From: Conrad Meyer <cem@FreeBSD.org> To: Alan Somers <asomers@freebsd.org> Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org> Subject: Re: aesni doesn't play nice with krb5 Message-ID: <CAG6CVpWnBQ9re%2Bbzh2GYuo2y=TgfoyaTPD=WTDJKLbf4J1EShA@mail.gmail.com> In-Reply-To: <CAOtMX2hxYQQfx7T=unLbJUtjQ2hmHHt5Dgu7E5q9EWCegh9OQQ@mail.gmail.com> References: <CAOtMX2hxYQQfx7T=unLbJUtjQ2hmHHt5Dgu7E5q9EWCegh9OQQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I have an untested patch to fix this issue: https://reviews.freebsd.org/D5146 . If you have time, please review or test the patch. Thanks, Conrad On Wed, Jan 27, 2016 at 3:55 PM, Alan Somers <asomers@freebsd.org> wrote: > I'm experimenting with Kerberized NFS, but my performance sucks when I > use krb5p. I tracked the problem down to an interaction between aesni > and krb5: aes_set_key in kcrypto_aes.c registers for a crypto session > and requests support for two algorithms: CRYPTO_SHA1_HMAC and > CRYPTO_AES_CBC. aesni(4) supports the latter, but not the former. So > crypto_select_driver returns cryptosoft and krb5 uses software for > both algorithms. > > It's too bad that aesni doesn't support SHA1, but other software like > OpenSSL deals with it by using hardware for AES and software for SHA1. > It seems to me like krb5 could be made to do the same by registering > for two sessions, one for each algorithm. In fact, it seems like it > would be pretty easy to do. The changes would probably be confined > strictly to crypto_aes.c. Is there any reason why this wouldn't work? > > -Alan > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAG6CVpWnBQ9re%2Bbzh2GYuo2y=TgfoyaTPD=WTDJKLbf4J1EShA>