aesni doesn't play nice with krb5
Conrad Meyer
cem at FreeBSD.org
Sat Jan 30 23:09:32 UTC 2016
I have an untested patch to fix this issue:
https://reviews.freebsd.org/D5146 . If you have time, please review
or test the patch.
Thanks,
Conrad
On Wed, Jan 27, 2016 at 3:55 PM, Alan Somers <asomers at freebsd.org> wrote:
> I'm experimenting with Kerberized NFS, but my performance sucks when I
> use krb5p. I tracked the problem down to an interaction between aesni
> and krb5: aes_set_key in kcrypto_aes.c registers for a crypto session
> and requests support for two algorithms: CRYPTO_SHA1_HMAC and
> CRYPTO_AES_CBC. aesni(4) supports the latter, but not the former. So
> crypto_select_driver returns cryptosoft and krb5 uses software for
> both algorithms.
>
> It's too bad that aesni doesn't support SHA1, but other software like
> OpenSSL deals with it by using hardware for AES and software for SHA1.
> It seems to me like krb5 could be made to do the same by registering
> for two sessions, one for each algorithm. In fact, it seems like it
> would be pretty easy to do. The changes would probably be confined
> strictly to crypto_aes.c. Is there any reason why this wouldn't work?
>
> -Alan
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
More information about the freebsd-hackers
mailing list