Subject: Re: Hifn crypto driver: does it work for anyone?
To: None <tech-kern@netbsd.org, tech-security@netbsd.org,>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 10/16/2005 17:49:28

On Sun, Oct 16, 2005 at 04:35:03PM -0400, Thor Lancelot Simon wrote:
>
> However, that same machine still displays the symptom where the whole
> crypto subsystem grinds to a halt after it's run for a minute or so (and
> a few tens of kilobytes of traffic via ipsec, plus a few megabytes via
> OpenSSH's use of /dev/crypto have flowed through). I'm rebuilding it
> with options KTRACE so at least I can see what error code, exactly,
> the /dev/crypto operations are returning. When this happens, IPsec
> traffic stops too.

So, more to report: a 7955 on Soekris VPN1401 card works fine in my
desktop machine, with the patch; but a 7955 on Soekris VPN1411 does
not work in my Soekris 4501 router, displaying the "grinds to a halt"
symptom described above and in earlier messages. I was hopeful that
this was just a result of the Soekris PCI BIOS misconfiguring the
card, but the most recent Soekris BIOS seems to get things right (sane
latency values, and bus mastering enabled -- unlike the very old BIOS I
had before) and the problem is, if anything, worse.

What's going on with /dev/crypto when things get jammed up is that
OpenSSL tries to call CIOCCRYPT and it fails with ENOMEM:

476 openssl CALL ioctl(7,CIOCCRYPT,0xbfbfe5d0)
476 openssl GIO fd 7 wrote 28 bytes
"\0\0\0\0\^A\0\0\0\0\^D\0\0\0@
\b\240\M^@
\b\0\0\0\0004\M^@
\b"
476 openssl RET ioctl -1 errno 12 Cannot allocate memory

Note that you can't use "openssl speed" to see this; there seems to be
a bug in openssl speed such that it never uses /dev/crypto. But you
can encrypt a small file with "openssl aes-128-cbc" or "openssl des-cbc"
and see the problem.

This seems to be the same problem described by an OpenBSD user at
http://archives.neohapsis.com/archives/openbsd/2004-08/2054.html and
I have, in fact, seen the "overrun" and "resetting" messages once (albeit
before upgrading the Soekris BIOS).

Sam, Jonathan? How can I best see where the ENOMEM is percolating up
from?

--
Thor Lancelot Simon tls@rek.tjls.com
"The inconsistency is startling, though admittedly, if consistency is to be
abandoned or transcended, there is no problem." - Noam Chomsky