2.5.0 OpenVPN no AES-NI
-
I see on the dashboard that Hardware Crypto is enabled and active, but I can't choose it in the OpenVPN configuration.
Version: built on Sat Aug 08 01:03:06 EDT 2020
I thought this bug was solved, or not?
Bug 9646. If this is not fixed, is there any timeframe for when it will be fixed?
Yes, I know I'm running a dev version, but I think this bug is grave.
openssl engine -t -c -pre DUMP_INFO
(dynamic) Dynamic engine loading support
[Failure]: DUMP_INFO
34370871296:error:260AC089:engine routines:int_ctrl_helper:invalid cmd name:/build/ce-crossbuild-master/sources/FreeBSD-src/crypto/openssl/crypto/engine/eng_ctrl.c:87:
34370871296:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:/build/ce-crossbuild-master/sources/FreeBSD-src/crypto/openssl/crypto/engine/eng_ctrl.c:255:
[ unavailable ]
OK, looks like this is not working.
The CPU has AES-NI features and it was working in the past on these servers (Dell R210 II).
sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'
hw.machine: amd64
hw.model: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz
hw.ncpu: 4
hw.machine_arch: amd64
dmesg -a | grep Features
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Features2=0x1fbae3ff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX>
openssl engine -c -t
(dynamic) Dynamic engine loading support
[ unavailable ]
-
Did you set AES-NI under System > Advanced, Misc. in the crypto module options?
-
Yes, I tried both: AES-NI and BSD Cryptodev.
-
Any messages in the system log about aesni? Check /var/log/dmesg.boot specifically. You should see a line like this:
Aug 10 10:37:45 pfSense kernel: aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard
Is it enabled in your BIOS?
-
Yes, it is enabled in the BIOS; as you see above, the CPU does report the correct features.
I only see the CPU features in dmesg.boot.
-
Is aesni loaded in kldstat output?
-
kldstat
Id Refs Address            Size     Name
 1   19 0xffffffff80200000 38d7128  kernel
 2    2 0xffffffff83ad9000 a448     opensolaris.ko
 3    1 0xffffffff83ae4000 3ba750   zfs.ko
 4    1 0xffffffff8423d000 1000     cpuctl.ko
 5    1 0xffffffff8423e000 8c90     aesni.ko
 6    1 0xffffffff84247000 37e8     cryptodev.ko
-
I have reported this issue before.
-
OK, so there is a patch for SSL, but this patch is causing problems, as I read.
OpenSSL was patched in 2018, but this bug exists in pfSense in 2020? Or is there another bug which is causing this?
-
In 2.4.* it is also not showing and, as far as I remember, never was (Hyper-V), so I hope it is working automagically.
-
AES-NI will never show on the OpenVPN page. OpenVPN/OpenSSL will detect and use AES-NI automatically.
The only place you can pick AES-NI from a list is under System > Advanced on the Misc tab to tell the system whether or not to load the kernel module. Primarily that will affect IPsec, not OpenVPN.
-
Thank you for the clarification.
But why is there the option if it will be NEVER shown in the OpenVPN configuration?
-
Those are two completely different sets of crypto controls. One for the operating system in general, and one specifically for OpenVPN. There are many more uses for crypto on pfSense than OpenVPN.
AES-NI never shows in OpenVPN because it isn't a relevant option. It is not considered a crypto "engine" to OpenVPN or OpenSSL, because it uses it automatically. Some devices have to be selected manually.
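The diagnostics walked through above (CPU feature flags, the aesni0 line in dmesg.boot, aesni.ko in kldstat) and the point in the last reply that OpenSSL uses AES-NI automatically rather than as a selectable engine, pulled together as an added example. This script is not from the thread or from pfSense: the function names and the sample text are constructed (modelled on the output quoted above), and the second check relies on the real OpenSSL OPENSSL_ia32cap environment variable to mask the AES-NI capability bit so that a software-only run can be compared against the default.

```shell
#!/bin/sh
# Added example, not from the thread: two checks to tell whether AES-NI is really
# available to OpenSSL on a FreeBSD/pfSense box, runnable against saved output.
# Function names and sample text are constructed.

# Check 1: classify the three artifacts the thread inspects.
#   $1 = CPU feature flags (the dmesg "Features2=" line)
#   $2 = /var/log/dmesg.boot contents
#   $3 = kldstat output
aesni_status() {
    cpu_flags=$1; boot_log=$2; modules=$3
    if ! printf '%s\n' "$cpu_flags" | grep -q 'AESNI'; then
        echo "no-cpu-support"        # flag absent: no AES-NI, or disabled in BIOS
    elif ! printf '%s\n' "$modules" | grep -q 'aesni\.ko'; then
        echo "module-not-loaded"     # aesni.ko missing: crypto module not selected
    elif ! printf '%s\n' "$boot_log" | grep -q 'aesni0:'; then
        echo "module-not-attached"   # loaded, but no aesni0 attach line in dmesg.boot
    else
        echo "active"
    fi
}

# Check 2: OpenSSL picks AES-NI up on its own (it is not an "engine"), so the only
# visible evidence is throughput. OPENSSL_ia32cap masks CPU capability bits from
# OpenSSL; "~0x200000000000000" clears bit 57 (AES-NI) for a software-only run.
# A large gap between the two result lines means AES-NI is in use by default.
aes_speed_compare() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    echo "default (AES-NI allowed):"
    openssl speed -evp aes-128-gcm -bytes 16384 -seconds 1 2>/dev/null | tail -n 1
    echo "AES-NI masked with OPENSSL_ia32cap:"
    OPENSSL_ia32cap='~0x200000000000000' \
        openssl speed -evp aes-128-gcm -bytes 16384 -seconds 1 2>/dev/null | tail -n 1
}

# Constructed sample artifacts, modelled on the output quoted in the thread.
SAMPLE_FLAGS='Features2=0x1fbae3ff<SSE3,PCLMULQDQ,SSSE3,SSE4.1,SSE4.2,AESNI,XSAVE,AVX>'
SAMPLE_BOOT='Aug 10 10:37:45 pfSense kernel: aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard'
SAMPLE_KLD='Id Refs Address            Size     Name
 1   19 0xffffffff80200000 38d7128  kernel
 5    1 0xffffffff8423e000 8c90     aesni.ko'

# On the box itself, the live call would be:
#   aesni_status "$(dmesg -a | grep Features2)" "$(cat /var/log/dmesg.boot)" "$(kldstat)"
echo "sample status: $(aesni_status "$SAMPLE_FLAGS" "$SAMPLE_BOOT" "$SAMPLE_KLD")"
if [ "${1:-}" = "--speed" ]; then
    aes_speed_compare
fi
```

Run it with no arguments to classify the embedded sample (prints "active"); pass --speed on a host with openssl installed to see the throughput comparison. The "module-not-attached" case is the one in this thread: aesni.ko is listed by kldstat while dmesg.boot only carries the CPU flags, which is why the reply points at the crypto module setting under System > Advanced rather than at OpenVPN.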