Ridgerun's autotools version of af_alg OpenSSL engine
RidgeRun/af-alg-rr
af_alg-rr for OpenSSL

This is RidgeRun's autotools version of the original af_alg project.

REQUIREMENTS

linux kernel >= 2.6.38
libssl-dev

COMPILE

./configure
make

INSTALL

make install

TEST

openssl speed -evp aes-128-cbc -engine af_alg -elapsed

CONFIGURATION - OPENSSL CONFIG

The algorithms run by af_alg can be configured in openssl.cnf by setting the CIPHERS and DIGESTS values. If they are not set, nothing is accelerated.
The idea is to run only those algorithms via af_alg that can be accelerated by hardware. As I'm not aware of a way to query this, you have to set them manually.

-------------
--- /etc/ssl/openssl.cnf.orig
+++ /etc/ssl/openssl.cnf
@@ -12,6 +12,18 @@
 #oid_file = $ENV::HOME/.oid
 oid_section = new_oids
+
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = openssl_engines
+
+[openssl_engines]
+af_alg = af_alg_engine
+
+[af_alg_engine]
+default_algorithms = ALL
+CIPHERS=aes-128-cbc aes-192-cbc aes-256-cbc des-cbc des-ede3-cbc
+DIGESTS=md4 md5 sha1 sha224 sha256 sha512
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
-------------

This will enforce loading the af_alg OpenSSL dynamic engine by default, so it can be used by OpenSSH.
Starting with OpenSSH 5.4p1, OpenSSH honors the openssl config and will use the default engines you specified.

KERNEL MODULES REQUIRED

Make sure you have at least:

algif_hash             12943  0
algif_skcipher         17369  0
af_alg                 14686  2 algif_hash,algif_skcipher

in your lsmod and - if you can't load the modules:

CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_USER_API_SKCIPHER=m

in your kernel config.

PERFORMANCE

If you have hardware crypto support, AF_ALG is supposed to increase performance for large block sizes; for small block sizes, the overhead introduced by AF_ALG will slow things down.
If you are looking for performance, get cryptodev. It is faster.

DEBUGGING

OpenSSL ships evp_test, which can be used to verify that things work.
A patch to OpenSSL is required to make evp_test use the config.

-------
diff --git a/crypto/evp/evp_test.c b/crypto/evp/evp_test.c
index ad36b84..d40c461 100644
--- a/crypto/evp/evp_test.c
+++ b/crypto/evp/evp_test.c
@@ -532,8 +532,8 @@ int main(int argc,char **argv)
 /* Load all compiled-in ENGINEs */
 ENGINE_load_builtin_engines();
 #endif
-#if 0
- OPENSSL_config();
+#if 1
+ OPENSSL_config(NULL);
 #endif
 #ifndef OPENSSL_NO_ENGINE
 /* Register all available ENGINE implementations of ciphers and digests.
-----------

Create a config /tmp/af_alg.cnf with the modifications mentioned above to force use of the engine.

export OPENSSL_CONF=/tmp/af_alg.cnf
openssl/test$ ./evp_test evptests.txt

It will fail if the computed results do not match the expected results.
Compiling the engine with

make CFLAGS=-DDEBUG clean all

may help as well.

OTHERS

crconf can be used to modify the crypto priorities on kernels >= 3.2

REFERENCES

http://article.gmane.org/gmane.linux.kernel.cryptoapi/5292
http://article.gmane.org/gmane.linux.kernel.cryptoapi/5296
https://bugzilla.mindrot.org/show_bug.cgi?id=1707
http://thread.gmane.org/gmane.linux.kernel.cryptoapi/6045
http://sourceforge.net/projects/crconf/
http://carnivore.it/2011/04/23/openssl_-_af_alg

AUTHOR

Markus Koetter
Carsten Behling <carsten.behling@ridgerun.com>
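
Review bot: In the /etc/ssl/openssl.cnf hunk, the `CIPHERS=` and `DIGESTS=` lines under `[af_alg_engine]` are fixed lists, while the surrounding text says only hardware-accelerated algorithms should go through af_alg; add a comment on those two lines telling the reader to trim them to what their hardware accelerates. Because `openssl_conf = openssl_def` is set in the system-wide file, the untrimmed lists apply to every program that reads it, so it would also help to mention a per-application copy selected through OPENSSL_CONF (as the DEBUGGING section does with /tmp/af_alg.cnf) as an alternative.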
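
Review bot: In the crypto/evp/evp_test.c hunk, changing `#if 0` to `#if 1` leaves an always-true guard around `OPENSSL_config(NULL);`; either drop the `#if`/`#endif` pair or gate the call on a named macro, so the intent is visible and the stock test can still be built without loading a config.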
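
An added example (not part of the original README or the af_alg engine source): a small C program that hashes "abc" with SHA-256 directly through an AF_ALG socket, which shows whether the af_alg and algif_hash modules listed under KERNEL MODULES REQUIRED are usable before the OpenSSL engine is involved. The helper name afalg_hash is hypothetical.

```c
/* Added example: SHA-256 through the kernel's AF_ALG socket interface. */
#include <linux/if_alg.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* afalg_hash (hypothetical helper): returns the digest length, or -1 when
 * AF_ALG or the requested algorithm is unavailable (modules not loaded). */
int afalg_hash(const char *name, const void *msg, size_t len,
               unsigned char *out, size_t outlen)
{
    struct sockaddr_alg sa;
    ssize_t n = -1;
    int tfm, op;

    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    strncpy((char *)sa.salg_type, "hash", sizeof(sa.salg_type) - 1);
    strncpy((char *)sa.salg_name, name, sizeof(sa.salg_name) - 1);

    tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);   /* fails without af_alg */
    if (tfm < 0)
        return -1;
    /* bind selects the transform; fails without algif_hash or the algorithm */
    if (bind(tfm, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        (op = accept(tfm, NULL, NULL)) >= 0) {
        if (send(op, msg, len, 0) == (ssize_t)len)
            n = read(op, out, outlen);         /* read returns the digest */
        close(op);
    }
    close(tfm);
    return (int)n;
}

int main(void)
{
    unsigned char md[32];
    int i, n = afalg_hash("sha256", "abc", 3, md, sizeof(md));

    if (n < 0) {
        fprintf(stderr, "AF_ALG sha256 unavailable\n");
        return 1;
    }
    for (i = 0; i < n; i++)
        printf("%02x", md[i]);
    printf("\n");
    return 0;
}
```

If it reports that sha256 is unavailable, load algif_hash (or enable CONFIG_CRYPTO_USER_API_HASH) before debugging the engine itself.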