recommended SSL-friendly crypto accelerator
Mike Tancsa
mike at sentex.net
Thu Apr 8 07:42:59 PDT 2004
At 10:28 AM 08/04/2004, Poul-Henning Kamp wrote:
>It is not clear to me exactly what is broken. I have seen problems
>reported but as far as I know they were all IPSEC related, and I
>have not seen a trace of trouble in my use with GBDE.
>I'm not saying that the driver is _not_ broken, but it is certainly
>not known to me to be broken for the use Michael asked about.

Actually, I have found it to wedge when using it in conjunction with
openssl. Here again are the steps to reproduce the bug. The same can be
done in OpenBSD BTW. I tried it with 3 different 1401 cards.

* Log in with a non-accelerated ssh session (e.g. blowfish as the cipher)
* Make a file called big:
    dd if=/dev/urandom of=big bs=1024k count=768
* In another session, log in using 3des (i.e. one that will get offloaded to the Hifn card)
* In the blowfish session, start an encryption process, pipe it through ssh to dump to another machine, e.g.
    /usr/bin/openssl enc -des3 -in big -k passphrase | ssh -c 3des mdtancsa@192.168.43.26 "cat - > /home/mdtancsa/targetfile.enc"
  At random periods, the process will get "stuck".
* In the 3des session, just hit the enter key. The ssl | ssh commands will become "unstuck." Basically, you just need to do something else that touches the crypto card, e.g. if you are on the console,
    head /dev/urandom | openssl 3des -out /dev/null -k pass
  will do the trick.

When I had the releng5/CURRENT box up it would hang the same way as RELENG4

releng5-test# ps -p 647 -auxjwwww
USER     PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND          PPID PGID JOBC
mdtancsa 647  0.0  0.4 2668 2008 p1 I+   2:27PM  0:05.17 /usr/bin/openssl  635  647    2
releng5-test#
releng5-test# ps -p 648 -auwwww
USER     PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND
mdtancsa 648  0.0  0.5 3328 2756 p1 D+   2:27PM  0:12.03 ssh -c 3des mdtancsa@192.168.43.26 cat - > /home/mdtancsa/targetfile.enc
releng5-test#

PID USERNAME PRI NICE  SIZE   RES STATE   TIME  WCPU   CPU COMMAND
648 mdtancsa   8    0 3328K 2756K crydev  0:12 0.00% 0.00% ssh
647 mdtancsa  -8    0 2668K 2008K pipdwt  0:05 0.00% 0.00% openssl
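
An added example, not part of the original post: a small stall detector for the symptom reported above, where a process sits in the `crydev` state and makes no progress until something else touches the card. It assumes two samples of `ps -axo pid,time,wchan,command` taken some seconds apart; the function names and both snapshots are constructed for illustration.

```python
# Added example (not from the post): flag processes that stay in the "crydev"
# wait channel across two ps samples without gaining CPU time.
# Input format is an assumption: `ps -axo pid,time,wchan,command`.
# Both snapshots are constructed, modelled on the ps/top output in the post.
SNAPSHOT_T0 = """\
  PID    TIME WCHAN  COMMAND
  647 0:05.17 pipdwt /usr/bin/openssl enc -des3 -in big -k passphrase
  648 0:12.03 crydev ssh -c 3des mdtancsa@192.168.43.26 cat -
  702 0:01.10 crydev openssl 3des -out /dev/null -k pass
"""
SNAPSHOT_T1 = """\
  PID    TIME WCHAN  COMMAND
  647 0:05.17 pipdwt /usr/bin/openssl enc -des3 -in big -k passphrase
  648 0:12.03 crydev ssh -c 3des mdtancsa@192.168.43.26 cat -
  702 0:03.85 crydev openssl 3des -out /dev/null -k pass
"""


def cpu_seconds(field):
    """Convert a ps TIME field ('0:12.03' or '1:02:03') to seconds."""
    total = 0.0
    for part in field.split(":"):
        total = total * 60 + float(part)
    return total


def parse_ps(text):
    """Return {pid: (cpu_seconds, wchan, command)} from ps output."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 3)    # command keeps its spaces
        if len(fields) == 4:            # ignore blank or truncated rows
            pid, cpu, wchan, command = fields
            procs[int(pid)] = (cpu_seconds(cpu), wchan, command)
    return procs


def wedged(before, after, wchan="crydev"):
    """PIDs waiting on `wchan` in both samples with no CPU time gained."""
    hits = []
    for pid, (cpu1, w1, cmd1) in after.items():
        cpu0, w0, cmd0 = before.get(pid, (None, None, None))
        if w0 == w1 == wchan and cmd0 == cmd1 and cpu0 == cpu1:
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    print(wedged(parse_ps(SNAPSHOT_T0), parse_ps(SNAPSHOT_T1)))
```

PID 702 is in `crydev` in both samples but gained CPU time between them, so it is treated as a busy crypto user and only PID 648 is reported.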