aesni doesn't play nice with krb5
Alan Somers
asomers at freebsd.org
Sun Jan 31 03:24:01 UTC 2016
Fast work! I should be able to test it by Tuesday. By inspection,
the code looks good.
-Alan
On Sat, Jan 30, 2016 at 4:01 PM, Conrad Meyer <cem at freebsd.org> wrote:
> I have an untested patch to fix this issue:
> https://reviews.freebsd.org/D5146 . If you have time, please review
> or test the patch.
>
> Thanks,
> Conrad
>
> On Wed, Jan 27, 2016 at 3:55 PM, Alan Somers <asomers at freebsd.org> wrote:
>> I'm experimenting with Kerberized NFS, but my performance sucks when I
>> use krb5p. I tracked the problem down to an interaction between aesni
>> and krb5: aes_set_key in kcrypto_aes.c registers for a crypto session
>> and requests support for two algorithms: CRYPTO_SHA1_HMAC and
>> CRYPTO_AES_CBC. aesni(4) supports the latter, but not the former. So
>> crypto_select_driver returns cryptosoft and krb5 uses software for
>> both algorithms.
>>
>> It's too bad that aesni doesn't support SHA1, but other software like
>> OpenSSL deals with it by using hardware for AES and software for SHA1.
>> It seems to me like krb5 could be made to do the same by registering
>> for two sessions, one for each algorithm. In fact, it seems like it
>> would be pretty easy to do. The changes would probably be confined
>> strictly to crypto_aes.c. Is there any reason why this wouldn't work?
>>
>> -Alan
More information about the freebsd-hackers
mailing list