From: Sam Leffler
Date: Thu, 29 Nov 2007 15:30:15 -0800
To: Norikatsu Shigemura
Cc: Harald Schmalzbauer, freebsd-stable@freebsd.org, simon@freebsd.org
Subject: Re: cryptodev and ssh on RELENG_7

Norikatsu Shigemura wrote:
> On Tue, 27 Nov 2007 07:37:49 -0500
> Mike Tancsa wrote:
>
>>> I have a HiFN crypto card and can remember that it was used for ssh
>>> connections with 3des encryption (on 6.1 afair).
>>> But with RELENG_7 it isn't used at all (no interrupts) if I
>>> 'ssh -v -c 3des-cbc user@host'
>>> Any ideas what is wrong?
>>> dmesg:
>>> hifn0 mem
>>> 0x80000000-0x80000fff,0x80040000-0x80041fff,0x80080000-0x80087fff irq
>>> 12 at device 13.0 on pci0 hifn0: [ITHREAD] hifn0: Hifn 7955, rev 0,
>>> 32KB dram, pll=0x801
>>> crw-rw-rw- 1 root wheel - 0, 41 Nov 27 08:13:41 2007 /dev/crypto
>>>
>> Hi,
>> Are you sure you have device crypto and device cryptodev in
>> the kernel? Also, there is a program in
>> /usr/src/tools/tools/crypto called hifnstats. It will show some
>> usage stats. e.g.
>>
>
> This issue is one of a gcc42 issue. But gcc42 is not wrong.
> OpenSSL has a using __FreeBSD_version issue. So to fix this
> issue, you should apply following patch.
> > --- crypto/openssl/crypto/engine/eng_cryptodev.c.orig 2006-07-30 04:10:18.000000000 +0900 > +++ crypto/openssl/crypto/engine/eng_cryptodev.c 2007-11-08 01:55:35.000000000 +0900 > @@ -32,7 +32,7 @@ > #include > > #if (defined(__unix__) || defined(unix)) && !defined(USG) && \ > - (defined(OpenBSD) || defined(__FreeBSD_version)) > + (defined(OpenBSD) || defined(__FreeBSD__)) > #include > # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) > # define HAVE_CRYPTODEV >

It appears openssl has been busted in its handling of /dev/crypto since the engine code was roto-tilled. Attached is an updated version of your patch that forces /dev/crypto to be installed as the default engine for all ciphers it supports. I'm not sure this is the right change but it definitely makes ssh start using it (I note however that openssl speed does not use cryptodev unless explicitly forced w/ cmd args).

It would be a good idea to get someone familiar with openssl to review this before committing.

Sam

Content-Disposition: inline; filename="cryptodev.patch"

Index: eng_cryptodev.c =================================================================== RCS file: /usr/ncvs/src/crypto/openssl/crypto/engine/eng_cryptodev.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 eng_cryptodev.c --- eng_cryptodev.c 29 Jul 2006 19:10:18 -0000 1.1.1.1 +++ eng_cryptodev.c 29 Nov 2007 23:22:03 -0000 @@ -32,7 +32,7 @@ #include #if (defined(__unix__) || defined(unix)) && !defined(USG) && \ - (defined(OpenBSD) || defined(__FreeBSD_version)) + (defined(OpenBSD) || defined(__FreeBSD__)) #include # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) # define HAVE_CRYPTODEV 
@@ -1126,6 +1126,7 @@ } ENGINE_add(engine); + ENGINE_set_default_ciphers(engine); ENGINE_free(engine); ERR_clear_error(); }
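
Review bot: in the @@ -32,7 +32,7 @@ hunk, the guard now tests defined(__FreeBSD__) while the `# if` two lines below still compares __FreeBSD_version, and nothing in the file explains why the two macros differ. Add a short comment above the guard saying that __FreeBSD__ is predefined by the compiler whereas __FreeBSD_version only has a value once the #include between the two tests has been processed, so a later cleanup does not revert the guard to defined(__FreeBSD_version). The header name after #include is not visible in this copy of the patch; confirm it is the header that defines __FreeBSD_version.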
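
Review bot: in the @@ -1126,6 +1126,7 @@ hunk, the result of ENGINE_set_default_ciphers(engine) is discarded and ERR_clear_error() runs immediately afterwards, so a failure to register the defaults is silent. Check the return value here (ENGINE_add(engine) on the line above is unchecked as well) and report or handle the failure before the error queue is cleared. The call also makes /dev/crypto the default for every cipher the engine supports, for every consumer of the library; the accompanying message notes that openssl speed still needs the engine forced on the command line, so the commit log should say which programs are expected to change behaviour and how that was verified.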