2.1 hifn driver doesn't work with AES 256 CBC

vodolej

Hi,

unfortunately the old bug is not fixed yet and still exists in the 2.1
https://redmine.pfsense.org/issues/754

Is there any chance to get it fixed?

Thanks for your answer

Honeybadger

2nd the motion!

jimp

It's a FreeBSD issue, which has a PR listed in the redmine ticket… http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/120270

If it gets fixed in FreeBSD, the fix will eventually make its way into pfSense.

If you can reproduce the issue on a stock FreeBSD install on FreeBSD 9.x or 10.x, update that PR and nudge someone on the FreeBSD side to have a look.

Honeybadger

Is this now just an Alix board issue and fixed on Soekris boards?

Weird, I thought Alix were Soekris clones…

Can anyone confirm this?

vodolej

@jimp:

It's a FreeBSD issue, which has a PR listed in the redmine ticket… http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/120270

If it gets fixed in FreeBSD, the fix will eventually make its way into pfSense.

If you can reproduce the issue on a stock FreeBSD install on FreeBSD 9.x or 10.x, update that PR and nudge someone on the FreeBSD side to have a look.

There is a patch available under Fix-Section on the freebsd-site:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern%2F120270&getpatch=1

Is it possible to compile pfSense with this patch?

jimp

@vodolej:

There is a patch available under Fix-Section on the freebsd-site:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern%2F120270&getpatch=1

Is it possible to compile pfSense with this patch?

If someone can reproduce the problem on a stock FreeBSD install with that card and then try with that fix and confirm it works, we can look into getting it into our builds.

vodolej

Jimp,

are there instructions available, how to test it on Alix board with / without patch?
I'm ready to do that, but don't know, how.

Alternatively I can lend you my Soekris card with the hifn 7955-chip for tests, now it is unused because of this issue.

vodolej

Will be any answer to the the question?
How the fix can be tested?

doktornotor

@vodolej:

How the fix can be tested?

https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

vodolej

@doktornotor:

@vodolej:

How the fix can be tested?

https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

It is not the answer to my question. I have already an accelerator, but it doesn't work with AES256.

The question is:
How to test the FreeBSD/pfSense with the fix available on above mentioned link on Alix board?

I'm trying to push the process since months, but there is unfortunately no motion from pfSense-team.

doktornotor

Dunno, but both the PR link and the one I posted tell you HOW to test it using openssl… Not really sure what you are pushing where.  ::) Also, the entire PR appears irrelevant after rotting there for 6 years.

vodolej

@doktornotor:

Dunno, but both the PR link and the one I posted tell you HOW to test it using openssl… Not really sure what you are pushing where.  ::) Also, the entire PR appears irrelevant after rotting there for 6 years.

The link you posted shows only how to test openssl ciphers with / without hardware accelerators. When executing these tests I discovered the same problem like other users: the performance of some ciphers like i.e. AES256 is the same with and without accelerator. The accelerator is not used because of the bug in FreeBSD.

It is correct, that the issue is open already for 6 years. And it is still relevant. I'm wondering, why nobody takes care of it. I know users, who are still waiting for the fix and are now using another platforms because of this issue.

I'm asking not for general information, but for a tutorial:
How to integrate the compile FreeBSD with the fix and how to test pfSense on this platform.

doktornotor

With openssl 1.0.1(ef) used in 2.1/2.1.1 - which is what is actually used for OpenVPN, IPsec etc., the patch is irrelevant, as noted on the PR. Seriously cannot see how is that patch still relevant, but perhaps you have better ideas about openssl than its FreeBSD maintainer.

If things still do not work for you, afraid you need to start looking elsewhere for fixes, rather than trying to use 6+ years old patch for totally obsolete openssl version. An easy-enough test is to use stock FreeBSD 10 install instead of pfSense.

vodolej

ok, now I got you.

With my config (Alix-Board, soekres-accelerator) it seems not easy to install the stock FreeBSD. I found no installation images, only one tutorial.
It says: "On most Alix boards (all except the one that has Video card) the only way to configure FreeBSD (at least until you can access it via SSH) is through serial port. "

But I don't have any PC's with serial port.

Any ideas how to install FreeBSD on Alix?

doktornotor

There are USB->COM dongles available, if you search the forum, you'll definitely find out some tested working ones. Of course, installing FBSD on another machine and sticking the CF card into an Alix board after that could be another option. Can do anything else via SSH afterwards.

Guest

http://www.freebsdonline.com/content/view/589/506/

Seems like the kind of thing we should try internally, however.