Skip to content
Permalink
Browse files

openssl: backport devcrypto changes from master

The patches to the /dev/crypto engine were commited to openssl master,
and will be in the next major version (3.0).

Changes:
- Optimization in computing a digest in one operation, saving an ioctl
- Runtime configuration options for the choice of algorithms to use
- Command to dump useful information about the algorithms supported by
  the engine and the system.
- Build the devcrypto engine as a dynamic module, like other engines.

The devcrypto engine is built as a separate package by default, but
options were added to allow building the engines into the main library.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
[refresh patches]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
  • Loading branch information
cotequeiroz authored and hauke committed Feb 27, 2019
1 parent c3425be commit d971ae51a51cb1b145b6fbbf7d1327a99be257b1
@@ -253,18 +253,41 @@ config OPENSSL_ENGINE
Note that you need to enable KERNEL_AIO to be able to build the
afalg engine package.

config OPENSSL_ENGINE_CRYPTO
config OPENSSL_ENGINE_BUILTIN
bool "Build chosen engines into libcrypto"
depends on OPENSSL_ENGINE
help
This builds all chosen engines into libcrypto.so, instead of building
them as dynamic engines in separate packages.
The benefit of building the engines into libcrypto is that they won't
require any configuration to be used by default.

config OPENSSL_ENGINE_BUILTIN_AFALG
bool
select OPENSSL_ENGINE
select PACKAGE_kmod-cryptodev
prompt "Acceleration support through AF_ALG sockets engine"
depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO && !LINUX_3_18
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through the
AF_ALG kenrel interface.

config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
bool
prompt "Acceleration support through /dev/crypto"
depends on OPENSSL_ENGINE_BUILTIN
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through OpenBSD
Cryptodev API (/dev/crypto) interface.
You must install kmod-cryptodev (under Kernel modules, Cryptographic
API modules) for /dev/crypto to show up and use hardware
acceleration; otherwise it falls back to software.

config OPENSSL_ENGINE_BUILTIN_PADLOCK
bool
prompt "VIA Padlock Acceleration support engine"
depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through the
VIA Padlock module.

config OPENSSL_WITH_ASYNC
bool
@@ -11,12 +11,11 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=b
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1

PKG_BUILD_PARALLEL:=0
PKG_BUILD_DEPENDS:=cryptodev-linux

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
@@ -32,7 +31,10 @@ PKG_LICENSE_FILES:=LICENSE
PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_CRYPTO \
CONFIG_OPENSSL_ENGINE_BUILTIN \
CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG \
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO \
CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_OPTIMIZE_SPEED \
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
@@ -89,7 +91,10 @@ endef
define Package/libopenssl
$(call Package/openssl/Default)
SUBMENU:=SSL
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \
+OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \
+OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \
+OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock
TITLE+= (libraries)
ABI_VERSION:=1.1
MENU:=1
@@ -134,7 +139,7 @@ define Package/libopenssl-afalg
SUBMENU:=SSL
TITLE:=AFALG hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user \
+libopenssl-conf
+libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
endef

define Package/libopenssl-afalg/description
@@ -145,12 +150,28 @@ See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-
The engine_id is "afalg"
endef

define Package/libopenssl-devcrypto
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=/dev/crypto hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE +kmod-cryptodev +libopenssl-conf \
@!OPENSSL_ENGINE_BUILTIN
endef

define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
To use it, you need to configure the engine in /etc/ssl/openssl.cnf
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
The engine_id is "devcrypto"
endef

define Package/libopenssl-padlock
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=VIA Padlock hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock \
+libopenssl-conf
+libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
endef

define Package/libopenssl-padlock/description
@@ -241,14 +262,27 @@ else
endif

ifdef CONFIG_OPENSSL_ENGINE
ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_PACKAGE_libopenssl-afalg
OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-hw-padlock
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN
OPENSSL_OPTIONS += disable-dynamic-engine
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG
OPENSSL_OPTIONS += no-afalgeng
endif
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK
OPENSSL_OPTIONS += no-hw-padlock
endif
else
ifdef CONFIG_PACKAGE_libopenssl-devcrypto
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_PACKAGE_libopenssl-afalg
OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-hw-padlock
endif
endif
else
OPENSSL_OPTIONS += no-engine
@@ -361,6 +395,11 @@ define Package/libopenssl-afalg/install
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
endef

define Package/libopenssl-devcrypto/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
endef

define Package/libopenssl-padlock/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
@@ -369,5 +408,6 @@ endef
$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-devcrypto))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))
@@ -10,7 +10,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

--- a/Configure
+++ b/Configure
@@ -1554,7 +1554,9 @@ unless ($disabled{"crypto-mdebug-backtra
@@ -1559,7 +1559,9 @@ unless ($disabled{"crypto-mdebug-backtra

unless ($disabled{afalgeng}) {
$config{afalgeng}="";
@@ -9,7 +9,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

--- a/Configure
+++ b/Configure
@@ -299,7 +299,7 @@ my $auto_threads=1; # enable threads
@@ -302,7 +302,7 @@ my $auto_threads=1; # enable threads
my $default_ranlib;

# Top level directories to build
@@ -18,7 +18,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
# crypto/ subdirectories to build
$config{sdirs} = [
"objects",
@@ -311,7 +311,7 @@ $config{sdirs} = [
@@ -314,7 +314,7 @@ $config{sdirs} = [
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
];
# test/ subdirectories to build
@@ -37,7 +37,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
"TLS_AES_128_GCM_SHA256"
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1464,11 +1464,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1466,11 +1466,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
&tail);

@@ -67,7 +67,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

/*
* ...and generally, our preferred cipher is AES.
@@ -1524,7 +1542,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1526,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* Within each group, ciphers remain sorted by strength and previous
* preference, i.e.,
* 1) ECDHE > DHE
@@ -0,0 +1,58 @@
From 48e2c9202ea345347da91f4c583e5915eb010d50 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 5 Nov 2018 15:54:17 -0200
Subject: [PATCH 1/4] eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT

Since each ioctl causes a context switch, slowing things down, if
EVP_MD_CTX_FLAG_ONESHOT is set, then:
- call the ioctl in digest_update, saving the result; and
- just copy the result in digest_final, instead of using another ioctl.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)

--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -461,6 +461,7 @@ struct digest_ctx {
struct session_op sess;
/* This signals that the init function was called, not that it succeeded. */
int init_called;
+ unsigned char digest_res[HASH_MAX_LEN];
};

static const struct digest_data_st {
@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx
if (digest_ctx == NULL)
return 0;

- if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) {
+ if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0)
+ return 1;
+ } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) {
+ return 1;
}

- return 1;
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
}

static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx,

if (md == NULL || digest_ctx == NULL)
return 0;
- if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
+
+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) {
+ memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx));
+ } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
}

0 comments on commit d971ae5

Please sign in to comment.
You can’t perform that action at this time.