disable use of opencrypto for ssh login
Hi All,

I am using FreeBSD 6.2. What are the steps I would need to perform in order for opencrypto not to be used during SSH session setup (even if there is a working crypto module available underneath it)?

Regards,
Brendan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Openssl port upgrade (FreeBSD 6.2)
Hi All,

I ran the openssl upgrade (to OpenSSL 0.9.8d), but it seems the original openssl libs are still being used for SSH session creation and other system crypto functionality. What are the final steps needed to allow all user space programs to use the upgraded OpenSSL? Is there a good guide for this kind of upgrade somewhere?

Best Regards,
Brendan

Opencrypto patch/driver code upload
Hi All,

I've a patch to opencrypto and I have a crypto driver that I would like to present for inclusion with the freebsd 7 release. Could you give me some pointers on getting that done? The opencrypto patch is relevant for FreeBSD 8 and 9 also...

Some questions for the driver release:

Does it necessarily have to compile if the hardware API is not present? Our API is released with the dev board...

Is it still possible to have new code added to FreeBSD 7, or is that now only accepting bug fixes?

Any help/URLs etc is greatly appreciated.

Best Regards,
Brendan

[FreeBSD 6.2] _IOWR macro
Hi All,

I am using the _IOWR macro in a piece of code. Although my structure gets copied to the kernel ok (the states etc are preserved), if I write back to that structure, the changes are not seen in user space. Is there a known bug with this macro for 6.2 and is it fixed in a later release?

Best Regards,
Brendan

FreeBSD 7.1 opencrypto --> kern.cryptodevallowsoft
Hi All,

I'm trying to test a hardware crypto driver, but want to run my tests through the software driver first (and possibly use the software driver to validate results).
I have set the following in my GENERIC conf file:

device crypto
device enc
options IPSEC

I have rebuilt the kernel, rebooted and set the kern.cryptodevallowsoft kernel variable to 1:

FreeBSD_26# sysctl -a | grep crypto
kern.cryptodevallowsoft: 1

However, when I try a test, I get the following:

FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
cipher 3des keylen 24
CIOCGSESSION: Invalid argument
FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
cipher des keylen 8
CIOCGSESSION: Invalid argument

It seems the software crypto device is not available. Do I need to do any other steps to enable it? Is there another config option that makes sure it is built as part of Opencrypto framework? Do I need to build some other software driver instead?

Best Regards,
Brendan

Re: FreeBSD 7.1 opencrypto --> kern.cryptodevallowsoft
Hi Brian, Patrick,

Thanks for your responses. I agree that it looks like a bug! I'm a bit of a newb to FreeBSD. Where should I go to log this?

I ran (as root ;) )

> openssl engine
(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH]

It can be seen only PKE functions are being shown as accelerated. 'kldstat' only shows cryptodev.ko, but that's because I have 'crypto' compiled as part of the kernel.

I have found another issue here also - although 'openssl engine -c' shows correct accelerated functionality of the hardware driver, running a speed test (e.g. openssl speed des-ede3 -engine cryptodev) does not result in any messages being sent to the driver apart from the initial check for available algorithms. It seems only accelerated PKE functions are run through the driver. It may be that the symmetric functions are being run through the software device driver (cryptosoft)...

Could it be down to cryptodev engine being loaded twice in OpenSSL? Or would cryptodev favour the software driver if CRYPTO_F_HARDWARE is not set?

Regards,
Brendan

2009/5/15 Brian A. Seklecki :
> On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote:
>> Hi All,
>>
>> I'm trying to test a hardware crypto driver, but want to run my tests
>> through the software driver first (and possibly use the software
>> driver to validate results).
>> I have set the following in my GENERIC conf file:
>>
>
> What does kldstat(8) / openssl(1) return?
>
> % sudo openssl engine
> (dynamic) Dynamic engine loading support
>
> $ openssl engine
> (cryptodev) BSD cryptodev engine
> (padlock) VIA PadLock (no-RNG, no-ACE)
> (dynamic) Dynamic engine loading support
>
> $ kldstat |egrep -i 'cry|ub'
> 3 3 0xc0e06000 25b78 crypto.ko
> 7 1 0xc64c9000 4000 cryptodev.ko
> 8 1 0xc6546000 a000 ubsec.ko
>
>
> Return?
>
> ~BAS

Re: FreeBSD 7.1 opencrypto --> kern.cryptodevallowsoft
Agreed! The driver doesn't seem to be getting executed through OpenSSH/OpenSSL for ssh session setup either (it used to work that way on FreeBSD 6.2, I don't know if this feature has been left up to the user to enable in FreeBSD 7.x??).

Thanks for the tools, I'll give them a go. The driver is being accessed properly from 'cryptotest', so I guess that's something.

2009/5/19 Brian Seklecki :
> The openssl speed sub-command is a real PITA:
>
> Try:
>
> $ openssl speed -elapsed -evp aes-128-cbc (or des-ede3)
>
> Also goto /usr/src/tools/tools/crypto/ && make
>
> Run those utils to extract useful statistics out of the driver's kernel
> data structures.
>
> ~BAS

Re: FreeBSD 7.1 opencrypto --> kern.cryptodevallowsoft
> openssl speed -evp des-ede3-cbc -engine cryptodev
works! Thanks Brian. Looking for that patch now...

2009/5/19 Patrick Lamaizière :
> On Tue, 19 May 2009 14:25:24 +0100,
> Brendan Kennedy :
>
>> Agreed! The driver doesn't seem to be getting executed through
>> OpenSSH/OpenSSL for ssh session setup either (it used to work that way
>> on FreeBSD 6.2, I don't know if this feature has been left up to the
>> user to enable in FreeBSD 7.x??).
>
> This is a known problem, you must patch openssl to make it work with
> cryptodev on FreeBSD 7.x (8.x).
>
> There are some patches, but I don't find them right now... Check the PR
> database and the mailing lists.
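
An added example, not part of any message in the thread: a shell check over `openssl engine -c` output that reports whether an engine advertises only public-key operations, as in the output posted above, or symmetric ciphers as well. The function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify what an engine advertises in `openssl engine -c` output.

# engine_caps ID: read `openssl engine -c` output on stdin and print the
# capabilities listed under the "(ID) ..." header, one per line.
engine_caps() {
    awk -v id="($1)" '
        $1 == id     { want = 1; next }   # header of the engine we were asked about
        /^\(/        { want = 0 }         # header of any other engine
        want && /\[/ {                    # capability line, e.g. " [RSA, DSA, DH]"
            gsub(/[^A-Za-z0-9,_-]/, "")   # drop brackets and spaces
            n = split($0, caps, ",")
            for (i = 1; i <= n; i++) if (caps[i] != "") print caps[i]
        }'
}

# engine_offload ID: print one of
#   none      engine not listed, or it lists no capabilities
#   pke-only  only RSA/DSA/DH are listed (the situation reported in the thread)
#   symmetric at least one cipher or digest is listed as well
engine_offload() {
    caps=$(engine_caps "$1")
    [ -n "$caps" ] || { echo none; return 0; }
    if printf '%s\n' "$caps" | grep -Eqv '^(RSA|DSA|DH)$'; then
        echo symmetric
    else
        echo pke-only
    fi
}

# Output as posted in the thread.
SAMPLE_THREAD='(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH]'

# Constructed sample: the same engine also listing symmetric ciphers.
SAMPLE_CIPHERS='(dynamic) Dynamic engine loading support
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, DES-CBC, DES-EDE3-CBC, AES-128-CBC]'

printf '%s\n' "$SAMPLE_THREAD"  | engine_offload cryptodev   # pke-only
printf '%s\n' "$SAMPLE_CIPHERS" | engine_offload cryptodev   # symmetric
# On a live system: openssl engine -c | engine_offload cryptodev
```

A capability list only shows what the engine offers; as the thread found, `openssl speed` reached the driver only when run with `-evp`.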