Re: HiFn 7955 makes OpenSSH fail
- To: Jochen Eisinger <jochen@penguin-breeder.org>
- Subject: Re: HiFn 7955 makes OpenSSH fail
- From: Damien Miller <djm@mindrot.org>
- Date: Wed, 04 Aug 2004 13:46:06 +1000
- Cc: misc@openbsd.org
- References: <4106C146.4070806@penguin-breeder.org>
- User-Agent: Mozilla Thunderbird 0.7.1 (Windows/20040626)
I haven't been able to reproduce this on either:
- a Soekris Net4501 w/ vpn1401 PCI card
- a Pentium3 with a full-size 7955 card
So these problems may be peculiar to the net4801, the mini-pci
vpn1411 or the combination of the two together. There has been some
talk on the soekris-tech mailing list (see attached) that may be
relevant.
-d
Jochen Eisinger wrote:
> Hi,
>
> I'm running OpenBSD 3.5 on a soekris net4801 with a vpn1411 mini-pci
> (hifn 7955) card (see dmesg)
>
> The vpn1411 appears to work (openssl speed with[1] and without[2] hifn)
> per se.
>
> Now watch this:
>
> $ cat /bsd | ssh -c aes256-cbc 127.0.0.1 "cat - >/dev/null"
> Disconnecting: Corrupted MAC on input.
> $ cat /bsd | ssh -c blowfish 127.0.0.1 "cat - >/dev/null"
> $ sudo sysctl -w kern.usercrypto=0
> kern.usercrypto: 1 -> 0
> $ cat /bsd | ssh -c aes256-cbc 127.0.0.1 "cat - >/dev/null"
> $
>
> Note however, that this behaviour is not totally reproducible, so I
> might get the error instantly, after some time, or not at all. I figured
> out it's more probable to get this error when transferring large amounts
> of data (i.e. a normal ssh session won't die). Also when multiple
> applications are using the hifn, the failure gets more probable.
>
> I found a bug report in the OpenBSD system which describes something
> similar (applications get stuck when multiple apps use the hifn:
> http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=3739)
> however, I don't think that's the same, because the ssh doesn't get
> stuck but fails to decrypt something.
>
> I say "fails to decrypt" because the openssl lib won't use the mac
> functions of the hardware, so if the mac is wrong, the data was
> decrypted incorrectly.
>
> Ok, my question now is: whose fault is this?
>
> o OpenSSH
> o OpenSSL libcrypto
> o OpenBSD hifn driver
> o vpn1411 chip
> o something else?
>
> Any other things I could test? I also tried various power supplies to
> ensure it's not due to limited power or something (how to watch the
> power consumption with the hw.sensors.* sysctls?)
Message-ID: <40D1FD21.8050602@soekris.com>
Date: Thu, 17 Jun 2004 13:20:49 -0700
From: Soren Kristensen <soren@soekris.com>
Organization: Soekris Engineering
To: Jukka Salmi <jukka-soekris@2004.salmi.ch>
Subject: Re: [Soekris] Re: vpn1411 problem
References: <20040615132830.GB9819@himo.salmi.ch> <20040616172545.GA7417@himo.salmi.ch>
In-Reply-To: <20040616172545.GA7417@himo.salmi.ch>
Cc: soekris-tech@lists.soekris.com
Hi Jukka & List,
Jukka Salmi wrote:
> Hello,
>
> I just noticed the following: my vpn1411 only doesn't work with _some_
> net4501. Two net4501 I ordered about half a year ago detect the vpn1411
> without any problems; all the net4501 I ordered some weeks ago don't. All
> of them run the same comBIOS release (1.24) and the same OS (m0n0wall
> 1.0, i.e. FreeBSD 4.9). Any hints?
I have been investigating this for a while and it seems that there
is an issue with noise on the reset line on the net4501, net4511 &
net4521 boards that affects some Mini-PCI boards with newer chips using
very fast technologies (like 0.18u or smaller).
I need to do a little more testing before deciding what to do, but it
will probably be possible to fix it by adding a small capacitor in the
right place.
Regards,
Soren Kristensen
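The reasoning in the quoted report above (cipher work offloaded to the card, MAC computed in software over the decrypted packet, so a bad MAC points at a bad decrypt) can be modelled as follows. This is an added example, not code from the thread or from OpenSSH: the keystream cipher is a constructed stand-in for aes256-cbc, and `flaky_decrypt`, the keys and the payloads are hypothetical.

```python
import hashlib
import hmac
import struct

def keystream_xor(key, seq, data):
    """Constructed stand-in cipher (SHA-256 in counter mode), NOT aes256-cbc."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack(">IQ", seq, off)).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def packet_mac(mac_key, seq, plaintext):
    # SSH-2 (RFC 4253, section 6.4): MAC over sequence_number || unencrypted packet
    return hmac.new(mac_key, struct.pack(">I", seq) + plaintext, hashlib.sha1).digest()

def send(enc_key, mac_key, seq, plaintext):
    """Sender side: encrypt the packet, MAC the plaintext."""
    return keystream_xor(enc_key, seq, plaintext), packet_mac(mac_key, seq, plaintext)

def flaky_decrypt(enc_key, seq, ciphertext, fault_at=None):
    """Hypothetical model of an accelerator that returns one wrong bit at fault_at."""
    plain = bytearray(keystream_xor(enc_key, seq, ciphertext))
    if fault_at is not None:
        plain[fault_at] ^= 0x01
    return bytes(plain)

def receive(enc_key, mac_key, seq, ciphertext, tag, fault_at=None):
    """Receiver side: decrypt on the 'card', verify the MAC in software."""
    plain = flaky_decrypt(enc_key, seq, ciphertext, fault_at)
    if not hmac.compare_digest(packet_mac(mac_key, seq, plain), tag):
        return "Corrupted MAC on input."
    return plain

def run_transfer(n_packets, fault_packet=None):
    """Send n_packets; return (failing sequence number or None, status)."""
    enc_key, mac_key = b"k" * 32, b"m" * 20          # constructed keys
    for seq in range(n_packets):
        payload = bytes([seq % 256]) * 64            # constructed payload
        ct, tag = send(enc_key, mac_key, seq, payload)
        fault = 10 if seq == fault_packet else None
        result = receive(enc_key, mac_key, seq, ct, tag, fault)
        if result != payload:
            return seq, result
    return None, "ok"
```

A single flipped bit anywhere in one decrypted packet ends the whole session, which matches the report that long transfers fail while short interactive sessions usually survive.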