Date: Thu, 29 Nov 2007 15:30:15 -0800 From: Sam Leffler <sam@errno.com> To: Norikatsu Shigemura <nork@freebsd.org> Cc: Harald Schmalzbauer <h.schmalzbauer@omnisec.de>, freebsd-stable@freebsd.org, simon@freebsd.org Subject: Re: cryptodev and ssh on RELENG_7 Message-ID: <474F4B87.2020603@errno.com> In-Reply-To: <20071129015144.24c67521.nork@FreeBSD.org> References: <20071127092729.189bcbae@titan.flintsbach.schmalzbauer.de> <200711271237.lARCbdMB077950@lava.sentex.ca> <20071129015144.24c67521.nork@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
--------------060805020707070709030508
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Norikatsu Shigemura wrote:
> On Tue, 27 Nov 2007 07:37:49 -0500
> Mike Tancsa <mike@sentex.net> wrote:
>
>>> I have a HiFN crypto card and can remember that it was used for ssh
>>> connections with 3des encryption (on 6.1 afair).
>>> But with RELENG_7 it isn't used at all (no interrupts) if I
>>> 'ssh -v -c 3des-cbc user@host'
>>> Any ideas what is wrong?
>>> dmesg:
>>> hifn0 mem
>>> 0x80000000-0x80000fff,0x80040000-0x80041fff,0x80080000-0x80087fff irq
>>> 12 at device 13.0 on pci0 hifn0: [ITHREAD] hifn0: Hifn 7955, rev 0,
>>> 32KB dram, pll=0x801<ext clk, 4x mult>
>>> crw-rw-rw- 1 root wheel - 0, 41 Nov 27 08:13:41 2007 /dev/crypto
>>>
>> Hi,
>> Are you sure you have device crypto and device cryptodev in
>> the kernel? Also, there is a program in
>> /usr/src/tools/tools/crypto called hifnstats. It will show some
>> usuage stats. e.g.
>>
>
> This issue is one of a gcc42 issue. But gcc42 is not wrong.
> OpenSSL has a using __FreeBSD_version issue. So to fix this
> issue, you should apply following patch.
>
> --- crypto/openssl/crypto/engine/eng_cryptodev.c.orig 2006-07-30 04:10:18.000000000 +0900
> +++ crypto/openssl/crypto/engine/eng_cryptodev.c 2007-11-08 01:55:35.000000000 +0900
> @@ -32,7 +32,7 @@
> #include <openssl/bn.h>
>
> #if (defined(__unix__) || defined(unix)) && !defined(USG) && \
> - (defined(OpenBSD) || defined(__FreeBSD_version))
> + (defined(OpenBSD) || defined(__FreeBSD__))
> #include <sys/param.h>
> # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
> # define HAVE_CRYPTODEV
>
It appears openssl has been busted in it's handling of /dev/crypto since
the engine code was roto-tilled. Attached is an updated version of your
patch that forces /dev/crypto to be installed as the default engine for
all ciphers it supports. I'm not sure this is the right change but it
definitely makes ssh start using it (I note however that openssl speed
does not use cryptodev unless explicity forced w/ cmd args).
It would be a good idea to get someone familiar with openssl to review
this before committing.
Sam
--------------060805020707070709030508
Content-Type: text/plain;
name="cryptodev.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="cryptodev.patch"
Index: eng_cryptodev.c
===================================================================
RCS file: /usr/ncvs/src/crypto/openssl/crypto/engine/eng_cryptodev.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 eng_cryptodev.c
--- eng_cryptodev.c 29 Jul 2006 19:10:18 -0000 1.1.1.1
+++ eng_cryptodev.c 29 Nov 2007 23:22:03 -0000
@@ -32,7 +32,7 @@
#include <openssl/bn.h>
#if (defined(__unix__) || defined(unix)) && !defined(USG) && \
- (defined(OpenBSD) || defined(__FreeBSD_version))
+ (defined(OpenBSD) || defined(__FreeBSD__))
#include <sys/param.h>
# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
# define HAVE_CRYPTODEV
@@ -1126,6 +1126,7 @@
}
ENGINE_add(engine);
+ ENGINE_set_default_ciphers(engine);
ENGINE_free(engine);
ERR_clear_error();
}
--------------060805020707070709030508--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?474F4B87.2020603>