Re: sshd fails when using cryptodev-linux to compute hmac


 



Hi Peter,

On 9.10.24 at 20:31, Peter Rashleigh wrote:
> Hi Damien,
>
>> I don't know anything about cryptodev-linux, but I assume it's an openssl engine?
> Cryptodev-linux is a kernel module that provides access to kernel crypto drivers, especially hardware-accelerated crypto, through the /dev/crypto device. Openssl implements an engine which interfaces to it.

OpenBSD hates loadable modules. So you cannot expect support for such functionality.


>> If so it's possible sshd's multiprocess model and/or file descriptor handling is confusing it.
> This seems like a reasonable explanation based on what I've seen so far.


PKIX-SSH supports loadable modules (engines) and so tries to ensure proper management of the cryptographic library. This includes slightly different management of file descriptors, taking into account that some openssl configurations require open descriptors to devices. Also note that this could be a loadable module.


>> It's not a configuration we test, so you're mostly on your own to debug it. It's entirely possible there's a bug there; if so, I'd expect it to be something like a fd being closed while devcrypto is still depending on it.
>>
>> I'd suggest turning on LogVerbose=* so you can see which process (represented by its PID) is doing what, though that probably won't be represented in the devcrypto debug messages unless you hack something similar in.
> Too bad, I was hoping it was a tested/supported configuration. Since that doesn't seem to be the case, I suspect the easiest way forward for me is going to be disabling the openssl engine entirely so that openssh works properly. I doubt that hardware-accelerated crypto is going to have much benefit for SSH workloads anyway.


Unfortunately or not, I'm not able to confirm the issue on 64-bit AMD. Environment:
 - qemu virtual machine,
 - OpenSUSE leap 15.4,
 - current pkix-ssh (15.3+),
 - current openssl stable (3.3.2+),
 - current cryptodev kernel module (1.14+),
 - openssl configuration with the described devcrypto engine, activated (init = 1)

All regression tests pass. The putty interoperability regression tests pass as well.


About '... custom buildroot Linux 6.1.53 running on ARMv8...'

You could test a build without the so-called "hardening" options. Some options are not maintained and the code may fail on non-x86 processors.



> Thanks,
> Peter

Roumen

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
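
The failure mode suggested in the thread (a descriptor closed while the engine still depends on it) can be reproduced in isolation. The following is an added example, not code from the thread, OpenSSH, PKIX-SSH or OpenSSL: the `engine_*` names are hypothetical, `/dev/null` stands in for `/dev/crypto`, and the descriptor-closing loop is a simplified stand-in for what a multiprocess daemon does after fork.

```c
/* Added example: a stand-in "engine" caches a device fd; a child that
 * closes inherited descriptors is left holding a dead handle.
 * Assumption: /dev/null replaces /dev/crypto so no module is needed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static int engine_fd = -1;            /* hypothetical engine state */

static int engine_init(void) {
    engine_fd = open("/dev/null", O_RDWR);
    return engine_fd < 0 ? -1 : 0;
}

/* Diagnostic: 0 if the cached descriptor is still open, else errno. */
static int engine_fd_check(void) {
    return fcntl(engine_fd, F_GETFD) == -1 ? errno : 0;
}

/* Stand-in for an engine operation: any I/O on the cached fd. */
static int engine_op(void) {
    return write(engine_fd, "x", 1) == 1 ? 0 : errno;
}

/* Fork a child, optionally close every fd >= 3 first, then use the
 * engine. Returns the child's errno from engine_op (0 on success). */
static int run_child(int close_inherited) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (close_inherited)          /* simplified closefrom(3) */
            for (int fd = 3; fd < 1024; fd++) close(fd);
        _exit(engine_op());
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    if (engine_init() != 0) return 1;
    printf("child, fds kept:   errno=%d\n", run_child(0));
    printf("child, fds closed: errno=%d (EBADF=%d)\n", run_child(1), EBADF);
    printf("parent fd check:   errno=%d\n", engine_fd_check());
    return 0;
}
```

A check like `engine_fd_check()` logged together with the PID in each process is one way to confirm or rule out this hypothesis when debugging.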



