Subject: Re: Hifn crypto driver: does it work for anyone?
To: None <tech-kern@netbsd.org, tech-security@netbsd.org,>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 10/16/2005 17:49:28
On Sun, Oct 16, 2005 at 04:35:03PM -0400, Thor Lancelot Simon wrote:
> 
> However, that same machine still displays the symptom where the whole
> crypto subsystem grinds to a halt after it's run for a minute or so (and
> a few tens of kilobytes of traffic via ipsec, plus a few megabytes via
> OpenSSH's use of /dev/crypto have flowed through).  I'm rebuilding it
> with options KTRACE so at least I can see what error code, exactly,
> the /dev/crypto operations are returning.  When this happens, IPsec
> traffic stops too.

So, more to report: a 7955 on Soekris VPN1401 card works fine in my
desktop machine, with the patch; but a 7955 on Soekris VPN1411 does
not work in my Soekris 4501 router, displaying the "grinds to a halt"
symptom described above and in earlier messages.  I was hopeful that
this was just a result of the Soekris PCI BIOS misconfiguring the
card, but the most recent Soekris BIOS seems to get things right (sane
latency values, and bus mastering enabled -- unlike the very old BIOS I
had before) and the problem is, if anything, worse.

What's going on with /dev/crypto when things get jammed up is that
OpenSSL tries to call CIOCCRYPT and it fails with ENOMEM:

   476 openssl  CALL  ioctl(7,CIOCCRYPT,0xbfbfe5d0)
   476 openssl  GIO   fd 7 wrote 28 bytes
       "\0\0\0\0\^A\0\0\0\0\^D\0\0\0@
        \b\240\M^@
        \b\0\0\0\0004\M^@
        \b"
   476 openssl  RET   ioctl -1 errno 12 Cannot allocate memory

Note that you can't use "openssl speed" to see this; there seems to be
a bug in openssl speed such that it never uses /dev/crypto.  But you
can encrypt a small file with "openssl aes-128-cbc" or "openssl des-cbc"
and see the problem.

This seems to be the same problem described by an OpenBSD user at
http://archives.neohapsis.com/archives/openbsd/2004-08/2054.html and
I have, in fact, seen the "overrun" and "resetting" messages once (albeit
before upgrading the Soekris BIOS).

Sam, Jonathan?  How can I best see where the ENOMEM is percolating up
from?

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."		- Noam Chomsky
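
A small triage helper for kdump output of the kind shown in the message above, added here as an example and not part of the original post: it pairs each ioctl CALL with its RET per pid and tallies failed requests by errno, so the jam shows up as a growing count of CIOCCRYPT failures with errno 12. The sample trace is constructed, and the name `failed_ioctls` is hypothetical.

```python
import re
from collections import Counter

# kdump record header: "<pid> <command> <CALL|RET> <rest>"; other record
# types (GIO, NAMI, ...) and GIO dump lines are deliberately not matched.
RECORD = re.compile(r"^\s*(\d+)\s+(\S+)\s+(CALL|RET)\s+(.*)$")
IOCTL_CALL = re.compile(r"^ioctl\((\d+),([^,)]+)")
FAILED_RET = re.compile(r"^(\w+) -1 errno (\d+)\s*(.*)$")

# Constructed sample in the format of the trace in the message (not real output).
SAMPLE = r"""
   476 openssl  CALL  ioctl(7,CIOCGSESSION,0xbfbfe590)
   476 openssl  RET   ioctl 0
   476 openssl  CALL  ioctl(7,CIOCCRYPT,0xbfbfe5d0)
   476 openssl  GIO   fd 7 wrote 28 bytes
       "\0\0\0\0"
   476 openssl  RET   ioctl -1 errno 12 Cannot allocate memory
   476 openssl  CALL  write(2,0xbfbfe000,0x20)
   476 openssl  RET   write 32/0x20
   476 openssl  CALL  ioctl(7,CIOCCRYPT,0xbfbfe5d0)
   476 openssl  RET   ioctl -1 errno 12 Cannot allocate memory
"""

def failed_ioctls(text):
    """Count failed ioctls keyed by (command, request, errno, message)."""
    pending = {}        # pid -> request name of the ioctl awaiting its RET
    failures = Counter()
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        pid, cmd, kind, rest = m.groups()
        if kind == "CALL":
            call = IOCTL_CALL.match(rest)
            if call:
                pending[pid] = call.group(2)
            else:
                pending.pop(pid, None)   # some other syscall; forget state
            continue
        request = pending.pop(pid, None)
        ret = FAILED_RET.match(rest)
        if ret and ret.group(1) == "ioctl" and request:
            failures[(cmd, request, int(ret.group(2)), ret.group(3))] += 1
    return failures

if __name__ == "__main__":
    for (cmd, req, err, msg), n in failed_ioctls(SAMPLE).most_common():
        print(f"{n:5d}  {cmd}  {req}  errno {err} ({msg})")
```

To use it on a real trace, pass the text of a saved kdump listing to `failed_ioctls` instead of `SAMPLE`.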