openssl: [RFC] alternative AF_ALG engine

[cotequeiroz]

I've written an AF_ALG engine for openssl based on the /dev/crypto engine. It does not require kernel AIO support. Please test this especially if you have hardware crypto acceleration.

Signed-off-by: Eneas U de Queiroz cote2004-github@yahoo.com

PS: This was originally a /dev/crypto PR, but the patches were submitted to the openwrt mailing list.

[cotequeiroz]

@neheb, @anomeome
I have posted this PR for the /dev/crypto engine. Please test it, upgrading to the current cryptodev-linux package if possible.

[anomeome]

Current master, patched with this PR, 1.1.1 data. Everything tested to this point appears OK.

[cotequeiroz]

Little tutorial

These are some basic instructions to help me test this.
Run openssl engine -vv -t -c -pre DUMP_INFO devcrypto to see what's available, using software and hardware acceleration.
Here's my output with software drivers only:

apcote:~# openssl engine -vv -t -c -pre DUMP_INFO devcrypto
(devcrypto) /dev/crypto engine
Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, driver=cbc(des-generic) (software)
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, driver=cbc(des3_ede-generic) (software)
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, CIOCGSESSION (session open call) failed
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, driver=cbc(aes-generic) (software)
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, driver=cbc(aes-generic) (software)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=cbc(aes-generic) (software)
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, driver=ctr(aes-generic) (software)
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, driver=ctr(aes-generic) (software)
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, driver=ctr(aes-generic) (software)
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, CIOCGSESSION (session open call) failed
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, CIOCGSESSION (session open call) failed
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, CIOCGSESSION (session open call) failed
Cipher CAMELLIA-128-CBC, NID=751, /dev/crypto info: id=101, CIOCGSESSION (session open call) failed
Cipher CAMELLIA-192-CBC, NID=752, /dev/crypto info: id=101, CIOCGSESSION (session open call) failed
Cipher CAMELLIA-256-CBC, NID=753, /dev/crypto info: id=101, CIOCGSESSION (session open call) failed

Information about digests supported by the /dev/crypto engine:
Digest MD5, NID=4, /dev/crypto info: id=13, driver=md5-generic (software), CIOCCPHASH capable
Digest SHA1, NID=64, /dev/crypto info: id=14, driver=sha1-generic (software), CIOCCPHASH capable
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA224, NID=675, /dev/crypto info: id=103, driver=sha224-generic (software), CIOCCPHASH capable
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=sha256-generic (software), CIOCCPHASH capable
Digest SHA384, NID=673, /dev/crypto info: id=105, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA512, NID=674, /dev/crypto info: id=106, driver=unknown. CIOCGSESSION (session open) failed

[Success]: DUMP_INFO
 [DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224, SHA256]
     [ available ]
     USE_SOFTDRIVERS: specifies whether to use software (not accelerated) drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use if acceleration can't be determined [default=2])
     CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]
     DIGESTS: either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]
     DUMP_INFO: dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'

By default, only hardware-accelerated drivers are enabled. If you wish to test it with software drivers, or to change the cipher or digest lists, you can edit /etc/ssl/openssl.cnf, adding a line before any section:

openssl_conf=openssl_def

Then, add the following sections anywhere past the last of the unsectioned commands (I add this to the very end of the file)--notice that you don't need the CIPHERS or DIGESTS lines to enable all algos, I've added them here for reference:

[openssl_def]
engines=engine_section

[engine_section]
devcrypto=devcrypto_section

[devcrypto_section]
USE_SOFTDRIVERS=1
CIPHERS=ALL
DIGESTS=ALL

The following line from my example above shows the algorithms currently enabled:

[DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224, SHA256]

I'd measure the speed of the algorithms to determine if it's worth to leave them enabled. Use

openssl speed -elapsed -evp ALGO_FROM_THE_LIST

You need to use -elapsed to count the time spend by the kernel driver, otherwise, you'd get unreal results. You may add -engine devcrypto to ensure you are using devcrypto, in case you have other engines providing algorithms. My box is sw-only, and here are the results (I added time to show the difference in user/system times; use time -v for verbose time output):

1. with /dev/crypto:

apcote:~# time openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 286587 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 164919 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 64020 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 18427 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 2404 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 1204 aes-128-cbc's in 3.01s
OpenSSL 1.1.1  11 Sep 2018
built on: Thu Jan  1 00:00:01 1970 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: mipsel-openwrt-linux-musl-gcc -fPIC -pthread -mabi=32 -Wa,--noexecstack -Wall -O3 -pipe -mno-branch-likely -mips32r2 -mtune=74kc -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -msoft-float -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -O3 -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DBN_DIV3W -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DAES_ASM -DZLIB -DZLIB_SHARED -DNDEBUG -DOPENSSL_PREFER_CHACHA_OVER_GCM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc       1528.46k     3518.27k     5463.04k     6289.75k     6564.52k     6553.60k
real    0m 20.92s
user    0m 0.69s
sys     0m 16.97s

2. without /dev/crypto:

apcote:~# time openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 1274469 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 423751 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 116007 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 29707 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 3736 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 1866 aes-128-cbc's in 3.00s
OpenSSL 1.1.1  11 Sep 2018
built on: Thu Jan  1 00:00:01 1970 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: mipsel-openwrt-linux-musl-gcc -fPIC -pthread -mabi=32 -Wa,--noexecstack -Wall -O3 -pipe -mno-branch-likely -mips32r2 -mtune=74kc -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -msoft-float -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -O3 -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DBN_DIV3W -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DAES_ASM -DZLIB -DZLIB_SHARED -DNDEBUG -DOPENSSL_PREFER_CHACHA_OVER_GCM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc       6797.17k     9040.02k     9899.26k    10139.99k    10201.77k    10190.85k
real    0m 20.90s
user    0m 17.88s
sys     0m 0.07s

So, in my case, with software-only, /dev/crypto is considerably slower across the board. Please share some results here so I can get a feeling for what the speed is like.
Cheers

[dengqf6]

Cannot build wget with OpenSSL 1.1.1

ld: openssl.o: in function `ssl_init':
openssl.c:(.text+0x5f8): undefined reference to `OPENSSL_config'

[nasbdh9]

Cannot build wget with OpenSSL 1.1.1

ld: openssl.o: in function `ssl_init':
openssl.c:(.text+0x5f8): undefined reference to `OPENSSL_config'

Ye, I have encountered the same problem

[cotequeiroz]

At first sight, it looks like wget depends on openssl engine support. I get a slightly different error message, but it works with engines turned on.

[neheb]

@cotequeiroz I submitted a patch upstream patching it out but have not backported.

[neheb]

openwrt/packages#7463

[frymezim]

Does IPQ806x (EA8500) and Kirkwood (NSA325) supports hardware crypto?

[neheb]

Kirkwood does.

[anomeome]

Is the wget-ssl ld build issue not an openssl build deprecated APIs issue, like stubby (actually getdns) and possibly unbound. Regardless, it builds and WFM.

[borkra]

OpenSSL 1.1.x has built-in support for AF_ALG kernel interfaces for crypto acceleration, so why not to just enable AF_ALG in kernel config and forget about cryptodev and /dev/crypto?

[neheb]

It's slower.

[anomeome]

I had posted some numbers somewhere (previous thread ?) where, at least with the device I am testing on, /dev/crypto appeared significantly faster.

[borkra]

Yes, and /dev/crypto is not very stable.
Later kernels has zero copy interfaces to AF_ALG not sure if OpenSSL support them. They should be faster.

[cotequeiroz]

I'm working on /dev/crypto right now. I'm trying to add GCM support. After I'm finished, I'll tackle AF_ALG. No promises at either end, though.

[cotequeiroz]

Later kernels has zero copy interfaces to AF_ALG not sure if OpenSSL support them.

If you look at the cryptodev-linux code, the main crypto function uses zero-copy interface.

[borkra]

Yes, that is my understanding for the reason of /dev/crypto better performance.
As well as suggestion that similar performance gains could be achieved with AF_ALG on the later kernel.

[borkra]

With OpenSSL 1.1 zero copy is supported but it is on the #ifdef for some reason, probably because not all versions of kernel support it.

Here is the commit:
openssl/openssl@7f458a4

Bottom line it seems if right configurations are enabled AF_ALG performance should be similar to /dev/crypto

[cotequeiroz]

I wasn't able to do AES-GCM with /dev/crypto, as it doesn't work with partial message (multiple update + one final call) as openssl requires. /dev/crypto only works with a single call containing the whole message.

So, I'll see what I can do with the afalg engine next. It will take a while.

[cotequeiroz]

@borkra
My first results with AF_ALG with zero copy are not very promising. First run, AF_ALG, no zero-copy:

LD_LIBRARY_PATH=apps/openssl speed -evp AES-128-CBC -elapsed 2>/dev/null ; LD_LIBRARY_PATH=.  apps/openssl speed -elapsed -evp AES-256-CBC 2> /dev/null | egrep cbc
OpenSSL 1.1.2-dev  xx XXX xxxx
built on: Wed Nov 21 18:31:08 2018 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wall -O0 -g -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc       5609.31k    21794.43k    77086.63k   224118.78k   486995.29k   526472.53k
aes-256-cbc       5583.14k    21105.69k    74966.36k   196793.00k   373877.42k   391075.16k

Second run, with -DALG_ZERO_COPY:

OpenSSL 1.1.2-dev  xx XXX xxxx
built on: Wed Nov 21 18:32:48 2018 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wall -O0 -g -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DALG_ZERO_COPY
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc       4031.34k    15706.01k    58082.05k   180393.98k   451674.11k   505091.41k
aes-256-cbc       4287.06k    16600.47k    59339.78k   168263.68k   352193.19k   383003.31k

The third set is with /dev/crypto:

OpenSSL 1.1.2-dev  xx XXX xxxx
built on: Wed Nov 21 18:25:16 2018 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wall -O0 -g -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      21220.16k    77039.06k   223667.71k   429657.43k   575960.41k   591604.39k
aes-256-cbc      20943.45k    73092.86k   195304.28k   336356.35k   421030.57k   418392.75k

It might have to do with page alignment:

The zero-copy operation requires data to be aligned at the page boundary. Non-aligned data can be used as well, but may require more operations of the kernel which would defeat the speed gains obtained from the zero-copy interface.

[neheb]

IIRC this was one of the reasons for WireGuard avoiding AF_ALG and using its own thing. @zx2c4

[borkra]

My first results with AF_ALG with zero copy are not very promising. First run, AF_ALG, no zero-copy

Well, you still get huge gain over software only implementation.
And I doubt that speed of 16 byte AES has real world application.

[cotequeiroz]

@borkra
I've finished a hackish AF_ALG engine on top of the devcrypto one. In fact, I've just wrote it in place of crypto/engine/eng_devcrypto.c, and the engine is still called devcrypto--that way I can run make test and the engine will run the tests (tests will not use the engines/e_afalg.c). It has the exact same functionality as my updated /dev/crypto engine. It uses the basic sync sendmsg/read interface, so there's no zero-copy or async io.
gcm mode is a no go with current kernel crypto, as it does not work with init - update - update - final mode of operation that openssl requires. Kernel implementation requires it to be done in one shot, so it won't behave as a stream cipher like openssl does. You could buffer the whole input, and send it to the kernel at once, but with openssl gcm behaves like a stream cipher, spitting out ciphertext every time update is called.

Here's my branch that has it. All you need is to replace crypto/engine/eng_devcrypto.c to give it a try:
https://github.com/cotequeiroz/openssl/tree/eng_afalg_test

One of the problems I found with AF_ALG is the high number of open file descriptors kept open, especially after enabling ecb mode. It is used for RNG, apparently, and generating a RSA key keeps a large number of ecb cipher contexts open. Most implementations use two fds, keeping the original one open. I found that it works with that fd closed, but such behaviour is undocumented (most of the AF_ALG stuff is poorly documented). Zero-copy support needs at least 3 fds (one for the main operation, two for the zero-copy pipes) per context. I might implement zero-copy if I can find some time; openssl's async io is useless in opewrt, as it will not compile with musl. The current AF_ALG engine uses AIO.

Tell me if you're able to test it.

[borkra]

@cotequeiroz

• AF_ALG used for RNG because of FIPS, kernel DRBG is the only fully FIPS compliant RNG in Linux.
• You could patch in streamable AES-GCM into kernel...
• I am not sure how big is the issue with multiple fds for practical use

[zx2c4]

AF_ALG used for RNG because of FIPS, kernel DRBG is the only fully FIPS compliant RNG in Linux.

FWIW, that RNG seeds itself using get_random_bytes, which is the equivalent of /dev/urandom. Not sure if that invalidates what you're after, if you don't think /dev/urandom is sufficient for that.

[borkra]

@zx2c4 /dev/urandom, or /dev/random are not FIPS compliant entropy sources, and as such cannot be used for seeds or any other use in FIPS compliant design.

There is jitter entropy generator is FIPS compliant in kernel on some CPUs, and some of the CPU.

[zx2c4]

Right, that's what I assumed. So, look at crypto/drbg.c below. It might not actually satisfy whatever you're after.

[anomeome]

The last time I compared afalg and devcrypto I only looked at the mamba device, but the above made me take another look. The following would appear to indicate an inverse correlation between device capabilities and performance differential of the two. From the above numbers and new data from a run on a rango and mamba.

	AES-128-cbc	AES-128-cbc
device	afalg(16k)	devcrypto(16k)
omnia	107042.13	108937.22	1.77%
rango	106539.69	110673.92	3.88%
mamba	65170.09	76507.82	17.40%

edit: cut and paste wrong heading

[Ansuel]

@cotequeiroz i would like to report that nginx is broken if the engine support is disabled in openssl (needs it even with no engine at all))

[cotequeiroz]

@Ansuel
Thanks for reporting it. I will take a look at it as soon as I am able.

[cotequeiroz]

@Ansuel, can you give me some details of the failure? Is it a build failure, or run-time failure? Tell me the steps to reproduce the issue.

[Ansuel]

@cotequeiroz just build openssl with no engine support
build nginx
flash image
run nginx
nginx complain about missing simbols

also other package suffer from this (can't remember them but i notice them reading the forum)

[neheb]

Any chance the crypto.mk change can be upstreamed? I have a similar yet different change in my tree that I would like to get in: https://github.com/neheb/source/commit/aaa4215aa8c39ca5abf42fd05da9e2608c8fcf9c

[cotequeiroz]

I imagine you mean to submit a standalone patch for crypto.mk, since it is local to openwrt.
I thing the best way is for you to submit your changes, adding crypto_user there if you need it. I will not have a use case outside of this afalg engine. The engine will not have any broader support than cryptodev, while being consistently slower, so I will not push for its inclusion anytime soon. The official openssl afalg engine does not use the module. It adds 3K to the final package on mvebu (12,742-->15,783), a small bloat without a use case. Even if I were to put it in its own package, what name can I even use? kmod_real_crypto_user_not_algif 🤣?

[neheb]

I don't remember if my patch was for openssl or cryptsetup. In any case, I rebased and submitted.

[anomeome]

The latest openssl push has broken this.

[adschm]

Just added the "needs reviewer" tag when I realized this has "RFC" in its title. So, is this in RFC state?

[cotequeiroz]

TLDR: yes, it is still RFC, but it does need feedback.

I've created this an alternative to the upstream engine; this one uses a simpler API, with synchronous calls, but supports more algorithms. Upstream has a different approach, using the async API, which requires AIO kernel support (so it does not get built by the bots), and, at least in the most used scenario, is much slower.

I've been maintaining it since it does have its users, but I'm not sure it is worth to add it to the main repository. My doubt, is not really maintenance--I'm currently maintaining the openssl package, and it can always be dropped if I fail to maintain it--but that that we already have the devcrypto engine, which is an upstream-supported, faster alternative.

I haven't received feedback from the core developers, but we can remove the RFC label, and add "needs reviewer" if it helps, or is the right thing to do.

[adschm]

@cotequeiroz

I've been maintaining it since it does have its users, but I'm not sure it is worth to add it to the main repository. My doubt, is not really maintenance--I'm currently maintaining the openssl package, and it can always be dropped if I fail to maintain it--but that that we already have the devcrypto engine, which is an upstream-supported, faster alternative.

Well, that sounds to me like you should make sure whether there is demand. Normally, having a PR open that long without any core-developer comments tends to mean that demand is not big. Maybe it would be a good idea to discuss this matter of general interest on the mailing list, and then decide about whether the PR is kept open or closed?

[cotequeiroz]

Let me try to compile this out of the openssl tree; then I can package it separately and add it to the packages feed. That would make more sense to me. I'll close this if able; if not, I'll post to the mailing list. If you feel it should be closed now, go ahead--I'm counting on being able to take this out of the openssl tree.

[adschm]

I'm not in a hurry, just picking up loose ends....

[cotequeiroz]

It has served its purpose--I would not have come up with that idea right, had you not poked me. Thanks. I'll close this as soon as I'm done.

[cotequeiroz]

I've moved this to a separate package in the packages feed openwrt/packages#10423.

[adschm]

Perfect, thanks for taking care!