Re: recommended SSL-friendly crypto accelerator

From: Mike Tancsa (mikesentex.net)
Date: Thu Apr 08 2004 - 09:43:39 CDT


At 10:28 AM 08/04/2004, Poul-Henning Kamp wrote:

>It is not clear to me exactly what is broken. I have seen problems
>reported but as far as I know they were all IPSEC related, and I
>have not seen a trace of trouble in my use with GBDE.

>I'm not saying that the driver is _not_ broken, but it is certainly
>not known to me to be broken for the use Michael asked about.

Actually, I have found it to wedge when using it in conjunction with
openssl. Here again are the steps to reproduce the bug. The same can be
done in OpenBSD BTW. I tried it with 3 different 1401 cards.

         * Log in with a non-accelerated ssh session (e.g. blowfish as the cipher)
         * Make a file called big: dd if=/dev/urandom of=big bs=1024k count=768
         * In another session, log in using 3des (i.e. one that will get offloaded to the Hifn card)
         * In the blowfish session, start an encryption process, pipe it through ssh to dump to another machine, e.g.

            /usr/bin/openssl enc -des3 -in big -k passphrase | ssh -c 3des mdtancsa@192.168.43.26 "cat - > /home/mdtancsa/targetfile.enc"

           At random periods, the process will get "stuck"
         * In the 3des session, just hit the enter key. The ssl | ssh commands will become "unstuck." Basically, you just need to do something else that touches the crypto card, e.g. if you are on the console,
                head /dev/urandom | openssl 3des -out /dev/null -k pass
           will do the trick.

When I had the releng5/CURRENT box up it would hang the same way as RELENG4:

releng5-test# ps -p 647 -auxjwwww
USER     PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND          PPID PGID JOBC
mdtancsa 647  0.0  0.4 2668 2008 p1 I+    2:27PM 0:05.17 /usr/bin/openssl  635  647    2
releng5-test#
releng5-test# ps -p 648 -auwwww
USER     PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND
mdtancsa 648  0.0  0.5 3328 2756 p1 D+    2:27PM 0:12.03 ssh -c 3des mdtancsa@192.168.43.26 cat - > /home/mdtancsa/targetfile.enc
releng5-test#
   PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
   648 mdtancsa 8 0 3328K 2756K crydev 0:12 0.00% 0.00% ssh
   647 mdtancsa -8 0 2668K 2008K pipdwt 0:05 0.00% 0.00% openssl

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
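
A small watchdog for the hang signature in the ps/top output above (ssh asleep in "crydev" with its CPU time frozen), added here as an example and not part of the original post or of FreeBSD. It assumes FreeBSD ps(1) with the pid, time, wchan and comm keywords; the function names and the sample rows for PIDs 700 and 701 are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reports processes that sleep on
# the crypto device wait channel in two ps snapshots without using any CPU in
# between. A brief sleep on crydev is normal, so one snapshot is not enough.
# Assumes FreeBSD ps(1) keywords pid,time,wchan,comm.

WCHAN="${WCHAN:-crydev}"    # wait channel top showed for the stuck ssh

stuck_in_crydev() {         # $1 = earlier snapshot, $2 = later snapshot
    awk -v wchan="$WCHAN" '
        FNR == 1  { next }                           # skip the ps header line
        NR == FNR { if ($3 == wchan) seen[$1] = $2   # first file: pid -> TIME
                    next }
        ($1 in seen) && $3 == wchan && seen[$1] == $2 { print $1, $4 }
    ' "$1" "$2"
}

check_live() {              # $1 = seconds between snapshots (default 10)
    d=$(mktemp -d) || return 1
    ps -axo pid,time,wchan,comm > "$d/t0"
    sleep "${1:-10}"
    ps -axo pid,time,wchan,comm > "$d/t1"
    stuck_in_crydev "$d/t0" "$d/t1"
    rm -rf "$d"
}

demo() {                    # constructed snapshots; 647/648 mirror the post
    d=$(mktemp -d) || return 1
    cat > "$d/t0" <<'EOF'
  PID      TIME WCHAN  COMMAND
  647   0:05.17 pipdwt openssl
  648   0:12.03 crydev ssh
  700   0:01.10 crydev openssl
  701   0:00.40 select sshd
EOF
    cat > "$d/t1" <<'EOF'
  PID      TIME WCHAN  COMMAND
  647   0:05.17 pipdwt openssl
  648   0:12.03 crydev ssh
  700   0:01.95 crydev openssl
  701   0:00.41 select sshd
EOF
    stuck_in_crydev "$d/t0" "$d/t1"
    rm -rf "$d"
}
```

Running check_live from cron or a loop gives a list of "pid command" pairs to alert on; PID 700 in the demo is not reported because its CPU time advanced between snapshots.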