From owner-freebsd-current@FreeBSD.ORG Tue May 16 19:56:47 2006 Return-Path: X-Original-To: freebsd-current@FreeBSD.org Delivered-To: freebsd-current@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EEEBE16A8DD; Tue, 16 May 2006 19:56:46 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: from mail.garage.freebsd.pl (arm132.internetdsl.tpnet.pl [83.17.198.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id D846443D78; Tue, 16 May 2006 19:56:37 +0000 (GMT) (envelope-from pjd@garage.freebsd.pl) Received: by mail.garage.freebsd.pl (Postfix, from userid 65534) id 9EEF652DDD; Tue, 16 May 2006 21:56:35 +0200 (CEST) Received: from localhost (dkp162.neoplus.adsl.tpnet.pl [83.24.19.162]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.garage.freebsd.pl (Postfix) with ESMTP id 686F650E96; Tue, 16 May 2006 21:56:29 +0200 (CEST) Date: Tue, 16 May 2006 21:54:39 +0200 From: Pawel Jakub Dawidek To: freebsd-current@FreeBSD.org Message-ID: <20060516195439.GA94621@garage.freebsd.pl> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZPt4rx8FFjLCG7dd" Content-Disposition: inline X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 7.0-CURRENT i386 User-Agent: mutt-ng/devel-r535 (FreeBSD) X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.garage.freebsd.pl X-Spam-Level: X-Spam-Status: No, score=-0.5 required=3.0 tests=BAYES_00,RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL autolearn=no version=3.0.4 Cc: gnn@FreeBSD.org, bz@FreeBSD.org Subject: Opencrypto changes. Review request. X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 May 2006 19:56:48 -0000 --ZPt4rx8FFjLCG7dd Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi. I'd like to ask for a review of the patches below: http://people.freebsd.org/~pjd/patches/netipsec.patch http://people.freebsd.org/~pjd/patches/opencrypto.patch http://people.freebsd.org/~pjd/patches/cryptodevs.patch There are comments inside the patches, so I don't want to repeat them, just some random comments what they gave us: - Proper HMAC/SHA384 and HMAC/SHA512 handling. Currently the block size used for those functions is wrong, which makes caculation of the HMAC wrong. The block size for those functions should be 128, not 64 bytes. The same bug exists in NetBSD, OpenBSD and some other independed implementations I looked at. - De-IPsecing of HMACs. Currently crypto(9) framework calculates only 96 bits long HMACs, which are only usable for IPsec. This will allow to use crypto(9) for other interesting things, like data authentication in geli(8), which is waiting in perforce. - Allows to use HMAC/{SHA256,SHA384,SHA512} with any key length. Currently the hash function is choosen based on the key length, which is not right, as any key can be used with any function. - Removes Giant-like lock the from most important code path in the crypto(9) framework and actually makes the path lockless. I haven't saw much improvement in running many IPsec tunnels in parallel. The lock contention is entirely removed for the lock, but there are other bottlenecks. On the other hang, on a 4 way amd64 machine I see more than 300% speed-up in geli(8) encryption/decryption. I did some extensive testing of fast_ipsec(4) and geli(8) with those changes and I see no problems [1]. I tested software crypto, hifn(4), ubsec(4). safe(4) was only compile-tested, as I don't have access to the hardware. padlock(4) is not affected by the changes, as it doesn't handle HMACs yet. [1] Actually there was one problem, but not related to the change. It was causing SAD entries disappearing. This patch fixes the problem: http://people.freebsd.org/~pjd/patches/key.c.2.patch Thank you in advance! PS. I'd like to thank Mike Tancsa and Sentex from giving me access to the test hardware (machines and crypto cards) and all the help. I'd also like to thank all netperf cluster sponsors. The netperf cluster is very, very useful. There is more interesting work comming from me, which was possible to do, because of its existence. Thank you!:) --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --ZPt4rx8FFjLCG7dd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFEai3/ForvXbEpPzQRAgiDAJ9M8WtnKsF5ONJlo+WJZAnEaMq9IACfd+Kt zUwsGtA20vq07GTRhEXxknY= =GhyI -----END PGP SIGNATURE----- --ZPt4rx8FFjLCG7dd--