From owner-freebsd-security@freebsd.org Mon Dec 14 20:53:19 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 29A324C2CDD for ; Mon, 14 Dec 2020 20:53:19 +0000 (UTC) (envelope-from stephen.wall@redcom.com) Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl2gcc02on2058.outbound.protection.outlook.com [40.107.89.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "GlobalSign Organization Validation CA - SHA256 - G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Cvtrt1J6Qz3pd8 for ; Mon, 14 Dec 2020 20:53:17 +0000 (UTC) (envelope-from stephen.wall@redcom.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cJsjtsL8LV9z55wIis+ZV8gkZm1wYhfiIJkEIyKvqQqbG6aGBmF3kOxNbFD6t2pZwfgCzuEYU7ssxKRc6RCRxIoCAX15kLBvx2yjxxrpLZABlgHVrU6yA06JFk5YpdzjcZjTnWzI0PlWlhB52tcZqembNfVCyFeZq6n1CZCiWTuCs3YJW6K3hW/7yHecPBkho3VNVuPKJic724As30/WU0xv3/9/MisjKzv1MY1HJzwCedR7KB9tnPwZKszyLXIBrjs+9JoDGGX+jAzab2hMMWf1TTzVrANzQK5xFjjKIZuvl2mlxHqAuUajYv+gNQoFdhH3oX/FcbvBSy+ATAyadw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q92IvUWe9HokuuJpFHE8nSbTFd/gBeGkQJKO/QQxusY=; b=B+Rzs1lmDt023bRtS2QnYKJOJMWvXkVzfodyTuh5Noj5NF34S9MLpzGSG7Od8ERUFLeL/E9eAqVp0JknR5WsgycYIw4aZ7Idy/AacorFVVxgK4IiLsTvmxilpZFufSry758TnrEATU5cMBe3IM1hPDb+sOuVAHResmfWy70+JeFiwDC0lzbHTrTl3f4H3sLrc8uoke9SA+/DDe/tdpDPA+5mQTzYZnVQS/q7ZDIY8UMLLYKHpbhzzIX8gTxVH46QOPxJFe981172lPvHIwwY0jp2kkfLmHAkPAwip7W+klUbZaib6V69JOt+3dPwQvnyHKO8J5DPooTJOmcY2pEHIA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=redcom.com; dmarc=pass action=none header.from=redcom.com; dkim=pass header.d=redcom.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redcomlaboratories.onmicrosoft.com; s=selector1-redcomlaboratories-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q92IvUWe9HokuuJpFHE8nSbTFd/gBeGkQJKO/QQxusY=; b=h8jcaAIZsKZ6bki0/s8t6fdKuI3wDisWqQtpM3p5vD22/8LSxKrlHON9ytBs56t2bt/q34roV0JWX//quViPS4yXSNJbZIuGROphyyf5nM5OVgD1qpwvbxEyLt2AeND9KPWnL1/HL+tjGCGsNigJrSEwdp6evo9hg4cliy31xk0VllGrd6hDwUuN/XImWjpSySaIOJxtO21wpK4tj6/gem78lKvH7pafhq2S+Y8zJO+AbdV7HMRtOOElUd6kBuuuEcIR+aoe+LHLZF8WAKm5CiyoM0BhYE9YRl+vlLr/OOCfqE/ihFLgzd35KzuJkbmKbGyj4S4Yj4h7dyFSzX/UhA== Received: from DM6PR09MB4807.namprd09.prod.outlook.com (2603:10b6:5:260::13) by DM8PR09MB6680.namprd09.prod.outlook.com (2603:10b6:5:2ed::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.13; Mon, 14 Dec 2020 20:53:16 +0000 Received: from DM6PR09MB4807.namprd09.prod.outlook.com ([fe80::7911:f495:f483:3a1b]) by DM6PR09MB4807.namprd09.prod.outlook.com ([fe80::7911:f495:f483:3a1b%6]) with mapi id 15.20.3654.025; Mon, 14 Dec 2020 20:53:16 +0000 From: "Wall, Stephen" To: "freebsd-security@freebsd.org" Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl Thread-Topic: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl Thread-Index: AQHWzn+FUV7Lu6uu7Um+ycG7B5eg06nxdbQAgAJqhICAAFiMAIACzUyAgAAFdjs= Date: Mon, 14 Dec 2020 20:53:16 +0000 Message-ID: References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <813a04a4-e07a-9608-40a5-cc8e339351eb@FreeBSD.org> <20201213005708.GU31099@funkthat.com>, <63bb8800-e756-9b9b-0ec3-8f91097b6738@FreeBSD.org> In-Reply-To: <63bb8800-e756-9b9b-0ec3-8f91097b6738@FreeBSD.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [50.48.157.2] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 5e989d64-8682-4552-9015-08d8a07247b6 x-ms-traffictypediagnostic: DM8PR09MB6680: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: Mcl7WKrAAcsFWzXhin2+r/VAdmOzjBtGAh3Y1mqFBb8n6Gg8wmTn2+JaIBwGmJA7sRW3oEQRbg9D2ePn/3jbJmuJ9R852BYcMYKRVoDoppKVQ8P/h8lF9TnjJ9JUbwt+OQA2ZUepL+1ht1kMyOjgdf93IPxsqivvLhmXhmC8XsWpDEIDleQ8+5f03pwV8K/MeLoweWKy0ZRg+DUaJXSK51AX/Veiy1zC2PBUBf+0PVS+Q3/gQKh/g5K97Lf9A2goB0Q0B/XO4IefKu6Za2Yh7t7H8JvaAzS5tOzUB49YigVjTeehYo0IFCiUFrUxc/SA x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR09MB4807.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(346002)(376002)(136003)(366004)(71200400001)(66556008)(508600001)(86362001)(91956017)(15650500001)(66446008)(9686003)(8936002)(6916009)(26005)(6506007)(8676002)(33656002)(55016002)(186003)(2906002)(5660300002)(76116006)(66946007)(7696005)(66476007)(52536014)(64756008)(83380400001); DIR:OUT; SFP:1101; x-ms-exchange-antispam-messagedata: =?iso-8859-1?Q?pJ1p23JbjDcLl1l8xOpikUGDVwiHzzSfwZxAaHsa/MOlD9gqCWzhqrw8a/?= =?iso-8859-1?Q?zRiVzrOEL/daDIfQztPzP+mvV+DOURA6b8qVhLNZWfhWqi4TXKuEFktc+d?= =?iso-8859-1?Q?GH66qgO4qLOtNWY1OWwjFuDFTa0PniQ12OLfPH1spaRdo7AQ3Uz9X6WzHB?= =?iso-8859-1?Q?5w3HcxWOc3iGVpJky8ajyqeMk81xPkGZs9Oj+E8tQ99A7pVblQqflJB9VG?= =?iso-8859-1?Q?AGmcK5NKNupvrsHITVTnlpDalcHCdoBeBLL980/nhvZu+41AoLr/UEfZPO?= =?iso-8859-1?Q?oBOHiPgnZjLUkzY+VdVGK++6twDEeP+tNh4SEBkRyE1crGk724GFWpICSN?= =?iso-8859-1?Q?s3Y8flF6GbpHOpWod4SQthCk9HbTNZJBMZBspjw2oYK9LABrrITvzrIEVE?= =?iso-8859-1?Q?0EBvIKX7PiCEjmPUpjmWOyG4l/ET3g2VKFdTqmA2l7PLC3TqNHnM1UPyn6?= =?iso-8859-1?Q?x/oVPBzlhsTT1acEiKJu+Fe1I3Sq5tCgyidEwAXz4hXGuT/tQJlEbeEMLu?= =?iso-8859-1?Q?043Z7R1yIPTohmeS1fhB2C4srrQAlvlLdleIuQHnFbe1nmbzTLEYU/C5NK?= =?iso-8859-1?Q?Y89OYkniPa/US6p+s7bTx9CGfYqbH0lI0WaRKgNjiOiF5B8te+bF9D8Idu?= =?iso-8859-1?Q?5QEuKbV+sdCPJztnMwpXZsp9xrPuQjoCOdvCUae7B7IvmPXFJQ1XdLcisa?= =?iso-8859-1?Q?6HsjDBFYUIUJ9SiwRkESFfRhehoaT4nEMBZgjNJ7R/qD58bYnUgVNnZWiN?= =?iso-8859-1?Q?Kx+ZvMLgzigEluaqDO9qsSDmQQpkQ38eN43+x36PGSx2SQvWEPwB50B44s?= =?iso-8859-1?Q?frVi8fgm55EDSHCHy4O8BdhGIiaAprh2bG6z0xLs5HsabrQJ3nQ2Q+S9Ku?= =?iso-8859-1?Q?2Vn8JPA4pD2NC20rhlFbmmzA39WM/UesvMQsPJ/Mu1rCCS/XR5WeVI4KRu?= =?iso-8859-1?Q?JuCTvebZXjy+yLevb8A5Yq7f5oD4QQmzLgVOyMd80ru8LqL0ZtUwVTxCQk?= =?iso-8859-1?Q?OVBuWH5cEXZeDt+P4=3D?= x-ms-exchange-transport-forked: True Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: redcom.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DM6PR09MB4807.namprd09.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 5e989d64-8682-4552-9015-08d8a07247b6 X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Dec 2020 20:53:16.1463 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 86200ba5-6348-4d6f-bdd7-96f43e8d9247 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: 3Ft+wG4amBcxf1MRpR0yJmGugHgBAtpOmdHFvtrAUqF0nqjfl7SSBq0w6zgiT1ss0usavDWQgmxyujgjsGbibA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR09MB6680 X-Rspamd-Queue-Id: 4Cvtrt1J6Qz3pd8 X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=redcomlaboratories.onmicrosoft.com header.s=selector1-redcomlaboratories-onmicrosoft-com header.b=h8jcaAIZ; arc=pass (microsoft.com:s=arcselector9901:i=1); dmarc=none; spf=pass (mx1.freebsd.org: domain of stephen.wall@redcom.com designates 40.107.89.58 as permitted sender) smtp.mailfrom=stephen.wall@redcom.com X-Spamd-Result: default: False [-4.60 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; RBL_DBL_DONT_QUERY_IPS(0.00)[40.107.89.58:from]; R_DKIM_ALLOW(-0.20)[redcomlaboratories.onmicrosoft.com:s=selector1-redcomlaboratories-onmicrosoft-com]; HAS_XOIP(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:40.107.0.0/16]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[redcom.com]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[40.107.89.58:from:127.0.2.255]; RCVD_COUNT_THREE(0.00)[3]; RWL_MAILSPIKE_POSSIBLE(0.00)[40.107.89.58:from]; DKIM_TRACE(0.00)[redcomlaboratories.onmicrosoft.com:+]; NEURAL_HAM_SHORT(-1.00)[-1.000]; TO_DN_EQ_ADDR_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:8075, ipnet:40.104.0.0/14, country:US]; ARC_ALLOW(-1.00)[microsoft.com:s=arcselector9901:i=1]; MAILMAN_DEST(0.00)[freebsd-security]; RCVD_IN_DNSWL_LOW(-0.10)[40.107.89.58:from] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Dec 2020 20:53:19 -0000 As a party with a vested interest in FIPS, you can guess were I stand on re= placing OpenSSL with some other crypto engine in FreeBSD.=A0 ;)=0A= We are currently building FreeBSD 11.4 against a copy of the latest OpenSSL= 1.0.2 release by diverting the build to a separate part of our source tree= in secure/lib/Makefile.=A0 This has been working quite well for us.=A0 We'= ll see what happens with our ongoing 12.2 upgrade.=0A= =0A= Not really the point of this email though. Regarding /dev/crypto:=0A= > Also, when I have tested it with actual offload hardware, it doesn't=0A= > really compete with native AES instructions on the CPU running in=0A= > userland.=0A= =0A= Here you're really comparing two hardware accelerators, one with extra kern= el overhead, so it's not really fair.=0A= Have you compared RSA or EC signing and verifying between libcrypto and /de= v/crypto?=A0 This would give you a better idea of /dev/crypto performance i= mprovement.=A0 (I'll say that /dev/crypto is not really of interest to me p= rofessionally, because FIPS)=0A= =0A= > KTLS does help because you can use sendfile, but=0A= > /dev/crypto is not a win in my testing.=A0 I had to make additional=0A= > changes to teach the engine in 1.0.2 to use AES-GCM with the=0A= > extensions needed for TLS as well as wire the user buffers to avoid=0A= > copies, and with that I got a hardware co-processor to break even=0A= > with AES-NI in userland in terms of both throughput and CPU usage=0A= > for HTTPS.=A0 sendfile-enabled KTLS, OTOH, is able to achieve=0A= > significantly higher throughput.=0A= =0A= I don't know anything about KTLS - is that using OpenSSL for it's crypto?= =A0 If so, can it load a FIPS canister/provider? If not, then FIPS may be = an issue for us (and other commercial users of FreeBSD), I hope it's someth= ing we can disable... Is there some documentation about this someone can p= oint me to?=0A= =0A= - Steve Wall=