Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft

2009-05-20 Thread Brendan Kennedy
 openssl speed -evp des-ede3-cbc -engine cryptodev

works! thanks Brian.

looking for that patch now...

2009/5/19 Patrick Lamaizière patf...@davenulle.org:
 Le Tue, 19 May 2009 14:25:24 +0100,
 Brendan Kennedy brendan.kenn...@gmail.com:

 Agreed! The driver doesn't seem to be getting executed through
 OpenSSH/OpenSSL for ssh session setup either (it used to work that way
 on FreeBSD 6.2, I don't know if this feature has been left up to the
 user to enable in FreeBSD 7.x??).

 This is a known problem, you must patch openssl to make it work with
 cryptodev on FreeBSD 7.x (8.x).

 There are some patchs, but I don't find them right now... Check the PR
 database and the mailing lists.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft

2009-05-19 Thread Brendan Kennedy
Agreed! The driver doesn't seem to be getting executed through
OpenSSH/OpenSSL for ssh session setup either (it used to work that way
on FreeBSD 6.2, I don't know if this feature has been left up to the
user to enable in FreeBSD 7.x??).

thanks for the tools, I'll give them a go. The driver is being
accessed properly from 'cryptotest', so I guess that's something.

2009/5/19 Brian Seklecki sekle...@noc.cfi.pgh.pa.us:
 The openssl speed sub-command is a real PITA:

 Try:

  $ openssl speed -elapsed -evp aes-128-cbc (or des-ede3)

 Also goto /usr/src/tools/tools/crypto/  make

 Run those utils to extract useful statistics out of the driver's kernel
 data structures.

 ~BAS

 On Mon, 2009-05-18 at 11:21 +0100, Brendan Kennedy wrote:
 Hi Brian, Patrick,

 Thanks for your responses. I agree that it looks like a bug! I'm a bit
 of a newb to FreeBSD. Where should I go to log this?

 I ran (as root ;) )

  openssl engine
 (padlock) VIA PadLock (no-RNG, no-ACE)
 (dynamic) Dynamic engine loading support
 (cryptodev) BSD cryptodev engine
                              [RSA, DSA, DH]

 It can be seen only PKE functions are being shown as accelerated.
 'kldstat' only shows cryptodev.ko, but that's because I have 'crypto'
 compiled as part of the kernel.

 I have found another issue here also - although 'openssl engine -c'
 shows correct accelerated functionality of the hardware driver,
 running a speed test (e.g. openssl speed des-ede3 -engine cryptodev)
 does not result in any messages being sent to the driver apart from
 the initial check for available algorithms. It seems only accelerated
 PKE functions are run through the driver. It may be that the symmetric
 functions are being run through the software device driver
 (cryptosoft)...

 Could it be down to cryptodev engine being loaded twice in OpenSSL? Or
 would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not
 set?

 Regards,
 Brendan


 2009/5/15 Brian A. Seklecki sekle...@noc.cfi.pgh.pa.us:
  On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote:
  Hi All,
 
  I'm trying to test a hardware crypto driver, but want to run my tests
  through the software driver first (and possibly use the software
  driver to validate results).
  I have set the following in my GENERIC conf file:
 
 
  What does kldstat(8) / openssl(1) return?
 
  % sudo openssl engine
  (dynamic) Dynamic engine loading support
 
  $ openssl engine
  (cryptodev) BSD cryptodev engine
  (padlock) VIA PadLock (no-RNG, no-ACE)
  (dynamic) Dynamic engine loading support
 
  $ kldstat |egrep -i 'cry|ub'
   3    3 0xc0e06000 25b78    crypto.ko
   7    1 0xc64c9000 4000     cryptodev.ko
   8    1 0xc6546000 a000     ubsec.ko
 
 
  Return?
 
  ~BAS
 
 
  device          crypto
  device          enc
  options         IPSEC
 
  I have rebuilt the kernel, rebooted and set the
  kern.cryptodevallowsoft kernel variable to 1:
 
  FreeBSD_26# sysctl -a | grep crypto
  kern.cryptodevallowsoft: 1
 
  However, when I try a test, I get the following:
 
  FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
  cipher 3des keylen 24
  CIOCGSESSION: Invalid argument
  FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
  cipher des keylen 8
  CIOCGSESSION: Invalid argument
 
  It seems the software crypto device is not available. Do I need to do
  any other steps to enable it? Is there another config option that
  makes sure it is build as part of Opencrypto framework? Do I need to
  build some other software driver instead?
 
  Best Regards,
  Brendan
  ___
  freebsd-questions@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-questions
  To unsubscribe, send any mail to 
  freebsd-questions-unsubscr...@freebsd.org
 
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org




 This mail was sent via Mail-SeCure System.



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft

2009-05-19 Thread Patrick Lamaizière
Le Tue, 19 May 2009 14:25:24 +0100,
Brendan Kennedy brendan.kenn...@gmail.com:

 Agreed! The driver doesn't seem to be getting executed through
 OpenSSH/OpenSSL for ssh session setup either (it used to work that way
 on FreeBSD 6.2, I don't know if this feature has been left up to the
 user to enable in FreeBSD 7.x??).

This is a known problem, you must patch openssl to make it work with
cryptodev on FreeBSD 7.x (8.x).

There are some patchs, but I don't find them right now... Check the PR
database and the mailing lists.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft

2009-05-18 Thread Brendan Kennedy
Hi Brian, Patrick,

Thanks for your responses. I agree that it looks like a bug! I'm a bit
of a newb to FreeBSD. Where should I go to log this?

I ran (as root ;) )

 openssl engine
(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH]

It can be seen only PKE functions are being shown as accelerated.
'kldstat' only shows cryptodev.ko, but that's because I have 'crypto'
compiled as part of the kernel.

I have found another issue here also - although 'openssl engine -c'
shows correct accelerated functionality of the hardware driver,
running a speed test (e.g. openssl speed des-ede3 -engine cryptodev)
does not result in any messages being sent to the driver apart from
the initial check for available algorithms. It seems only accelerated
PKE functions are run through the driver. It may be that the symmetric
functions are being run through the software device driver
(cryptosoft)...

Could it be down to cryptodev engine being loaded twice in OpenSSL? Or
would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not
set?

Regards,
Brendan


2009/5/15 Brian A. Seklecki sekle...@noc.cfi.pgh.pa.us:
 On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote:
 Hi All,

 I'm trying to test a hardware crypto driver, but want to run my tests
 through the software driver first (and possibly use the software
 driver to validate results).
 I have set the following in my GENERIC conf file:


 What does kldstat(8) / openssl(1) return?

 % sudo openssl engine
 (dynamic) Dynamic engine loading support

 $ openssl engine
 (cryptodev) BSD cryptodev engine
 (padlock) VIA PadLock (no-RNG, no-ACE)
 (dynamic) Dynamic engine loading support

 $ kldstat |egrep -i 'cry|ub'
  3    3 0xc0e06000 25b78    crypto.ko
  7    1 0xc64c9000 4000     cryptodev.ko
  8    1 0xc6546000 a000     ubsec.ko


 Return?

 ~BAS


 device          crypto
 device          enc
 options         IPSEC

 I have rebuilt the kernel, rebooted and set the
 kern.cryptodevallowsoft kernel variable to 1:

 FreeBSD_26# sysctl -a | grep crypto
 kern.cryptodevallowsoft: 1

 However, when I try a test, I get the following:

 FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
 cipher 3des keylen 24
 CIOCGSESSION: Invalid argument
 FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
 cipher des keylen 8
 CIOCGSESSION: Invalid argument

 It seems the software crypto device is not available. Do I need to do
 any other steps to enable it? Is there another config option that
 makes sure it is build as part of Opencrypto framework? Do I need to
 build some other software driver instead?

 Best Regards,
 Brendan
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft

2009-05-18 Thread Brian Seklecki
The openssl speed sub-command is a real PITA:

Try: 

  $ openssl speed -elapsed -evp aes-128-cbc (or des-ede3)

Also goto /usr/src/tools/tools/crypto/  make

Run those utils to extract useful statistics out of the driver's kernel
data structures.

~BAS

On Mon, 2009-05-18 at 11:21 +0100, Brendan Kennedy wrote:
 Hi Brian, Patrick,
 
 Thanks for your responses. I agree that it looks like a bug! I'm a bit
 of a newb to FreeBSD. Where should I go to log this?
 
 I ran (as root ;) )
 
  openssl engine
 (padlock) VIA PadLock (no-RNG, no-ACE)
 (dynamic) Dynamic engine loading support
 (cryptodev) BSD cryptodev engine
  [RSA, DSA, DH]
 
 It can be seen only PKE functions are being shown as accelerated.
 'kldstat' only shows cryptodev.ko, but that's because I have 'crypto'
 compiled as part of the kernel.
 
 I have found another issue here also - although 'openssl engine -c'
 shows correct accelerated functionality of the hardware driver,
 running a speed test (e.g. openssl speed des-ede3 -engine cryptodev)
 does not result in any messages being sent to the driver apart from
 the initial check for available algorithms. It seems only accelerated
 PKE functions are run through the driver. It may be that the symmetric
 functions are being run through the software device driver
 (cryptosoft)...
 
 Could it be down to cryptodev engine being loaded twice in OpenSSL? Or
 would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not
 set?
 
 Regards,
 Brendan
 
 
 2009/5/15 Brian A. Seklecki sekle...@noc.cfi.pgh.pa.us:
  On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote:
  Hi All,
 
  I'm trying to test a hardware crypto driver, but want to run my tests
  through the software driver first (and possibly use the software
  driver to validate results).
  I have set the following in my GENERIC conf file:
 
 
  What does kldstat(8) / openssl(1) return?
 
  % sudo openssl engine
  (dynamic) Dynamic engine loading support
 
  $ openssl engine
  (cryptodev) BSD cryptodev engine
  (padlock) VIA PadLock (no-RNG, no-ACE)
  (dynamic) Dynamic engine loading support
 
  $ kldstat |egrep -i 'cry|ub'
   33 0xc0e06000 25b78crypto.ko
   71 0xc64c9000 4000 cryptodev.ko
   81 0xc6546000 a000 ubsec.ko
 
 
  Return?
 
  ~BAS
 
 
  device  crypto
  device  enc
  options IPSEC
 
  I have rebuilt the kernel, rebooted and set the
  kern.cryptodevallowsoft kernel variable to 1:
 
  FreeBSD_26# sysctl -a | grep crypto
  kern.cryptodevallowsoft: 1
 
  However, when I try a test, I get the following:
 
  FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
  cipher 3des keylen 24
  CIOCGSESSION: Invalid argument
  FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
  cipher des keylen 8
  CIOCGSESSION: Invalid argument
 
  It seems the software crypto device is not available. Do I need to do
  any other steps to enable it? Is there another config option that
  makes sure it is build as part of Opencrypto framework? Do I need to
  build some other software driver instead?
 
  Best Regards,
  Brendan
  ___
  freebsd-questions@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-questions
  To unsubscribe, send any mail to 
  freebsd-questions-unsubscr...@freebsd.org
 
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org




This mail was sent via Mail-SeCure System.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft

2009-05-15 Thread Brian A. Seklecki
On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote:
 Hi All,
 
 I'm trying to test a hardware crypto driver, but want to run my tests
 through the software driver first (and possibly use the software
 driver to validate results).
 I have set the following in my GENERIC conf file:
 

What does kldstat(8) / openssl(1) return?

% sudo openssl engine 
(dynamic) Dynamic engine loading support

$ openssl engine
(cryptodev) BSD cryptodev engine
(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support

$ kldstat |egrep -i 'cry|ub'
 33 0xc0e06000 25b78crypto.ko
 71 0xc64c9000 4000 cryptodev.ko
 81 0xc6546000 a000 ubsec.ko


Return?

~BAS


 device  crypto
 device  enc
 options IPSEC
 
 I have rebuilt the kernel, rebooted and set the
 kern.cryptodevallowsoft kernel variable to 1:
 
 FreeBSD_26# sysctl -a | grep crypto
 kern.cryptodevallowsoft: 1
 
 However, when I try a test, I get the following:
 
 FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
 cipher 3des keylen 24
 CIOCGSESSION: Invalid argument
 FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
 cipher des keylen 8
 CIOCGSESSION: Invalid argument
 
 It seems the software crypto device is not available. Do I need to do
 any other steps to enable it? Is there another config option that
 makes sure it is build as part of Opencrypto framework? Do I need to
 build some other software driver instead?
 
 Best Regards,
 Brendan
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft

2009-05-15 Thread Patrick Lamaizière
Le Tue, 12 May 2009 19:14:38 +0100,
Brendan Kennedy brendan.kenn...@gmail.com:

 Hi All,

Hello,

 FreeBSD_26# sysctl -a | grep crypto
 kern.cryptodevallowsoft: 1
 
 However, when I try a test, I get the following:
 
 FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
 cipher 3des keylen 24
 CIOCGSESSION: Invalid argument
 FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
 cipher des keylen 8
 CIOCGSESSION: Invalid argument
 
 It seems the software crypto device is not available. Do I need to do
 any other steps to enable it? Is there another config option that
 makes sure it is build as part of Opencrypto framework? Do I need to
 build some other software driver instead?

Cryptodev fails because it checks that the requested crypto driver
provides hardware crypto. function checkforsoftware in cryptodev.c
And it does not take care about the sysctl kern.cryptodevallowsoft. 

Looks like a bug and not a feature. OpenBSD's cryptodev seems to take
care about the sysctl and i think you can use the cryptosoft driver
with it. 

Regards.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


FreeBSD 7.1 opencrypto -- kern.cryptodevallowsoft

2009-05-12 Thread Brendan Kennedy
Hi All,

I'm trying to test a hardware crypto driver, but want to run my tests
through the software driver first (and possibly use the software
driver to validate results).
I have set the following in my GENERIC conf file:

device  crypto
device  enc
options IPSEC

I have rebuilt the kernel, rebooted and set the
kern.cryptodevallowsoft kernel variable to 1:

FreeBSD_26# sysctl -a | grep crypto
kern.cryptodevallowsoft: 1

However, when I try a test, I get the following:

FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
cipher 3des keylen 24
CIOCGSESSION: Invalid argument
FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
cipher des keylen 8
CIOCGSESSION: Invalid argument

It seems the software crypto device is not available. Do I need to do
any other steps to enable it? Is there another config option that
makes sure it is build as part of Opencrypto framework? Do I need to
build some other software driver instead?

Best Regards,
Brendan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org