[Soekris] OpenBSD 3.5 & vpn1411: MAC errors with OpenSSH (hardware defect?)
Jochen Eisinger
jochen at penguin-breeder.org
Tue Jul 27 12:34:34 UTC 2004
Hi,
I have a 4801, running plain OpenBSD 3.5 with a vpn1411 and a 2.5"
laptop hd (dmesg [3])
The vpn1411 appears to work (openssl speed with[1] and without[2] hifn)
per se.
Now watch this:
$ cat /bsd | ssh -c aes256-cbc 127.0.0.1 "cat - >/dev/null"
Disconnecting: Corrupted MAC on input.
$ cat /bsd | ssh -c blowfish 127.0.0.1 "cat - >/dev/null"
$ sudo sysctl -w kern.usercrypto=0
kern.usercrypto: 1 -> 0
$ cat /bsd | ssh -c aes256-cbc 127.0.0.1 "cat - >/dev/null"
$
Note however, that this behaviour is not totally reproducible, so I
might get the error instantly, after some time, or not at all. I figured
out it's more probable to get this error when transferring large amounts
of data (i.e. a normal ssh session won't die). Also when multiple
applications are using the hifn, the failure gets more probable.
I found a bug report in the OpenBSD system which describes something
similar (applications get stuck when multiple apps use the hifn:
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=3739)
however, I don't think that's the same, because the ssh doesn't get
stuck but fails to decrypt something.
I say "fails to decrypt" because the openssl lib won't use the mac
functions of the hardware, so if the mac is wrong, the data was
decrypted incorrectly.
Ok, my question now is: whose fault is this?
o OpenSSH
o OpenSSL libcrypto
o OpenBSD hifn driver
o vpn1411 chip
o something else?
Any other things I could test? I also tried various power supplies to
ensure it's not due to limited power or something (how to watch the
power consumption with the hw.sensors.* sysctls?)
kind regards
-- jochen
attachments:
[1] openssl-with-hifn.txt: benchmark for aes256-cbc with hifn enabled
[2] openssl-without-hifn.txt: benchmark with hifn disabled
[3] dmesg output
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dmesg.txt
Url: http://lists.soekris.com/pipermail/soekris-tech/attachments/20040727/0196c5de/dmesg.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssl-with-hifn.txt
Url: http://lists.soekris.com/pipermail/soekris-tech/attachments/20040727/0196c5de/openssl-with-hifn.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssl-without-hifn.txt
Url: http://lists.soekris.com/pipermail/soekris-tech/attachments/20040727/0196c5de/openssl-without-hifn.txt
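
Added example, not part of the original post: one way to take OpenSSH out of the picture is to run the same AES-256-CBC encryption repeatedly with a fixed key and IV and compare each output checksum against a software-only reference. The function names, the key and IV values, and the assumption that `openssl enc` goes through /dev/crypto when kern.usercrypto=1 are this example's, not the poster's.

```shell
#!/bin/sh
# Constructed fixed key and IV, so that every correct run is bit-identical.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=000102030405060708090a0b0c0d0e0f

# output_cksum FILE CMD [ARGS...]
# Feed FILE to CMD on stdin and print the cksum of what CMD writes.
output_cksum() {
    oc_file=$1; shift
    "$@" < "$oc_file" | cksum
}

# count_mismatches REF RUNS FILE CMD [ARGS...]
# Run CMD over FILE RUNS times; print how many outputs differ from REF.
count_mismatches() {
    cm_ref=$1; cm_runs=$2; cm_file=$3; shift 3
    cm_bad=0
    cm_i=1
    while [ "$cm_i" -le "$cm_runs" ]; do
        cm_cur=$(output_cksum "$cm_file" "$@")
        [ "$cm_cur" = "$cm_ref" ] || cm_bad=$((cm_bad + 1))
        cm_i=$((cm_i + 1))
    done
    echo "$cm_bad"
}

# hifn_check FILE RUNS
# Reference with kern.usercrypto=0 (software AES), then RUNS passes with
# kern.usercrypto=1 (assumed to route the cipher through the hifn).
hifn_check() {
    hc_file=$1; hc_runs=$2
    sudo sysctl -w kern.usercrypto=0 >/dev/null
    hc_ref=$(output_cksum "$hc_file" \
        openssl enc -aes-256-cbc -K "$KEY" -iv "$IV")
    sudo sysctl -w kern.usercrypto=1 >/dev/null
    hc_bad=$(count_mismatches "$hc_ref" "$hc_runs" "$hc_file" \
        openssl enc -aes-256-cbc -K "$KEY" -iv "$IV")
    echo "$hc_bad of $hc_runs hardware runs differ from the software reference"
}

# Runs only when called with arguments, e.g.: sh hifn-check.sh /bsd 50
if [ "$#" -ge 2 ]; then
    hifn_check "$1" "$2"
fi
```

A non-zero count here points below OpenSSH (libcrypto, the hifn driver or the chip); running several copies in parallel matches the multi-application load described in the post.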