Re: [Openvpn-users] Re: OpenSSL / OpenVPN / Padlock anomaly with small blocks of data.


  • Subject: Re: [Openvpn-users] Re: OpenSSL / OpenVPN / Padlock anomaly with small blocks of data.
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Wed, 6 Apr 2005 18:40:56 -0600 (MDT)

On Thu, 7 Apr 2005, Michal Ludvig wrote:

> Rolf Fokkens wrote:
> 
> > Using the VIA Advanced Encryption Engine (ACE, Padlock) with OpenSSL
> > seems to work fine, except for small blocks of data, as may be
> > illustrated by the following OpenVPN execution.
> > [...]
> > This is just a test run, but without the padlock engine no error shows
> > up. Actually using OpenVPN with padlock works very well, except for
> > small packets caused by the "ping" option.
> > [...]
> > Slowing down the above test process by introducing printf's or usleep's
> > in the test loop solves the problem. Given this fact I changed the
> > OpenSSL padlock code instead of the OpenVPN code to reproduce this
> > solution, and guess what: IT WORKS! Look at the following diff:
> 
> Rolf,
> 
> I have never seen this kind of problem either in userspace (OpenSSL)
> or in the kernel (CryptoAPI) where the execution can't be interrupted.
> 
> Actually I wasn't able to reproduce it with your test case either (just
> tried in SuSE Linux 9.2 with OpenVPN 2.0-rc20 and OpenSSL openssl-0.9.7d
> with PadLock patch).
> 
> I guess there might be a problem with your CPU - what model/stepping
> have you got? Or perhaps a miscompilation of either OpenSSL or OpenVPN?

I have personally seen this behavior as well with the Padlock, though it
was last year (June or July) and I don't have model/stepping info.  In my
case it was fixed by inserting sleep(0) calls immediately after OpenSSL
EVP crypto calls.  So it appeared to be timing-related.

Test with:

openvpn --genkey --secret key

openvpn --test-crypto --secret key --cipher AES-128-CBC --verb 0 --engine padlock --tun-mtu 10000

This will cause a crypto loopback test of packet sizes from 1 to 10000 
bytes.  Use --verb 3 to see per-iteration detail.

In my testing, the problem was very intermittent, and also seemed to be 
triggered more frequently with small packet sizes.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
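
Added example, not part of the original message or of OpenVPN's own code: since the failure is described as intermittent, one passing run of the test proves little, so this sh wrapper repeats the same --test-crypto command with and without --engine padlock and counts the failing runs. The function names and the run count are hypothetical, and it assumes openvpn exits non-zero when the self-test fails.

```sh
#!/bin/sh
# Added example: repeat the crypto self-test to catch an intermittent failure.
# Assumption: openvpn exits non-zero when a --test-crypto loopback check fails.

# count_failures RUNS CMD [ARGS...]: run CMD RUNS times, print the number
# of runs that exited non-zero.
count_failures() {
    runs=$1; shift
    failed=0; i=0
    while [ "$i" -lt "$runs" ]; do
        if ! "$@" >/dev/null 2>&1; then
            failed=$((failed + 1))
        fi
        i=$((i + 1))
    done
    echo "$failed"
}

# crypto_test KEYFILE MTU [ENGINE]: the command from the message, with the
# engine optional so the same test can run in software as a baseline.
crypto_test() {
    keyfile=$1; mtu=$2; engine=${3:-}
    set -- openvpn --test-crypto --secret "$keyfile" \
        --cipher AES-128-CBC --verb 0 --tun-mtu "$mtu"
    if [ -n "$engine" ]; then
        set -- "$@" --engine "$engine"
    fi
    "$@"
}

# compare_engine RUNS KEYFILE MTU ENGINE: print failure counts for both modes.
compare_engine() {
    sw=$(count_failures "$1" crypto_test "$2" "$3")
    hw=$(count_failures "$1" crypto_test "$2" "$3" "$4")
    echo "software: $sw/$1 failed; engine $4: $hw/$1 failed"
}

# Run only when asked to: sh script.sh run
if [ "${1:-}" = "run" ]; then
    [ -f key ] || openvpn --genkey --secret key
    compare_engine 20 key 10000 padlock
fi
```

A non-zero count only for the engine line points at the hardware path rather than at the key or cipher settings.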

