aesni doesn't play nice with krb5
Alan Somers
asomers at freebsd.org
Wed Jan 27 23:55:19 UTC 2016
I'm experimenting with Kerberized NFS, but my performance sucks when I
use krb5p. I tracked the problem down to an interaction between aesni
and krb5: aes_set_key in kcrypto_aes.c registers for a crypto session
and requests support for two algorithms: CRYPTO_SHA1_HMAC and
CRYPTO_AES_CBC. aesni(4) supports the latter, but not the former. So
crypto_select_driver returns cryptosoft and krb5 uses software for
both algorithms.
It's too bad that aesni doesn't support SHA1, but other software like
OpenSSL deals with it by using hardware for AES and software for SHA1.
It seems to me like krb5 could be made to do the same by registering
for two sessions, one for each algorithm. In fact, it seems like it
would be pretty easy to do. The changes would probably be confined
strictly to crypto_aes.c. Is there any reason why this wouldn't work?
-Alan
More information about the freebsd-hackers
mailing list