From: Jung-uk Kim
To: John Nielsen, Xin LI
Cc: FreeBSD Stable
Subject: Re: /dev/crypto not being used in 12-STABLE
Date: Thu, 6 Dec 2018 19:18:19 -0500

On 18. 12. 6., Jung-uk Kim wrote:
> On 18. 12. 6., John Nielsen wrote:
>>> On Dec 6, 2018, at 4:04 PM, Xin LI wrote:
>>>
>>> On Thu, Dec 6, 2018 at 11:37 AM John Nielsen wrote:
>>>>
>>>> I have upgraded two physical machines from 11-STABLE to 12-STABLE recently (one is 12.0-PRERELEASE r341380 and the other is 12.0-PRERELEASE r341391). I noticed today that neither machine seems to be utilizing /dev/crypto. Typically I see at least ssh/sshd have the device open plus some programs from ports. But 'fuser' doesn't list any processes on either machine:
>>>>
>>>> # fuser /dev/crypto
>>>> /dev/crypto:
>>>>
>>>> Both machines are running custom kernels that include "device crypto" and "device cryptodev". One of them additionally has "device aesni".
>>>>
>>>> Is anyone else seeing this? Any idea what would cause it?
>>>
>>> Your average OpenSSL applications should not use /dev/crypto, if your
>>> goal is to utilize AES-NI (which does not require /dev/crypto). On
>>> capable systems, AES-NI would be used automatically (and it's faster
>>> this way).
>>
>> Thanks for the response. Is there a way to verify that AES-NI is being used for e.g. ssh?
>> I'm also curious why/when/how the change to not use (or support?) /dev/crypto from base
>> openssl was made.
>
> OpenSSL 1.1.1 removed the old cryptodev:
>
> https://svnweb.freebsd.org/base/vendor-crypto/openssl/dist/CHANGES?revision=340690&view=markup#l400
>
> Instead, OpenSSL added devcrypto engine for Linux:
>
> https://github.com/openssl/openssl/commit/619eb33
>
> and added BSD support:
>
> https://github.com/openssl/openssl/commit/4f79aff
>
> then, completely removed BSD-specific cryptodev:
>
> https://github.com/openssl/openssl/commit/f39a550
>
> However, it is disabled by default. Theoretically, it is functionally
> equivalent but it wasn't tested much.
>
> I can enable the new engine on head if many users request it.

FYI, the attached patch should enable the new engine.

Jung-uk Kim

Index: secure/lib/libcrypto/Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- secure/lib/libcrypto/Makefile (revision 341666) +++ secure/lib/libcrypto/Makefile (working copy) 
@@ -192,8 +192,8 @@ SRCS+=3D ecp_nistz256-x86.S ecp_nistz256.c .endif =20 # engine -SRCS+=3D eng_all.c eng_cnf.c eng_ctrl.c eng_dyn.c eng_err.c eng_fat.c -SRCS+=3D eng_init.c eng_lib.c eng_list.c eng_openssl.c eng_pkey.c +SRCS+=3D eng_all.c eng_cnf.c eng_ctrl.c eng_devcrypto.c eng_dyn.c eng_er= r.c +SRCS+=3D eng_fat.c eng_init.c eng_lib.c eng_list.c eng_openssl.c eng_pke= y.c SRCS+=3D eng_rdrand.c eng_table.c tb_asnmth.c tb_cipher.c tb_dh.c tb_dig= est.c SRCS+=3D tb_dsa.c tb_eckey.c tb_pkmeth.c tb_rand.c tb_rsa.c =20 Index: secure/lib/libcrypto/opensslconf.h.in =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- secure/lib/libcrypto/opensslconf.h.in (revision 341666) +++ secure/lib/libcrypto/opensslconf.h.in (working copy) @@ -46,9 +46,6 @@ extern "C" { #ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE # define OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE #endif -#ifndef OPENSSL_NO_DEVCRYPTOENG -# define OPENSSL_NO_DEVCRYPTOENG -#endif #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 # define OPENSSL_NO_EC_NISTP_64_GCC_128 #endif
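
Review bot: eng_devcrypto.c is added to the engine SRCS list in secure/lib/libcrypto/Makefile (hunk at line 192) unconditionally, so every libcrypto build compiles the engine in and the only way to leave it out is to revert. The message describes the engine as disabled by default and not tested much, so consider placing the new source under a build-time conditional, as the .endif just above the engine block shows this Makefile already does for other sources. Keep this hunk and the opensslconf.h.in hunk in one commit, since building the source while OPENSSL_NO_DEVCRYPTOENG is still defined, or dropping the define without building the source, would leave the tree inconsistent.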
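
Review bot: the removal of the OPENSSL_NO_DEVCRYPTOENG block in secure/lib/libcrypto/opensslconf.h.in (hunk at line 46) changes a configuration header that every consumer of libcrypto sees, yet the patch carries no comment or documentation saying the engine is now enabled. Add a note alongside the change stating that the devcrypto engine is built in from this revision on, whether applications are expected to pick it up automatically or must request it, and what testing was done, given that the message says the engine wasn't tested much.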