-
Notifications
You must be signed in to change notification settings - Fork 10
Ridgerun's autotools version of af_alg OpenSSL engine
License
RidgeRun/af-alg-rr
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
af_alg-rr for OpenSSL
This is RidgeRun's autotools version of the original af_alg project.
REQUIREMENTS
linux kernel >= 2.6.38
libssl-dev
COMPILE
./configure
make
INSTALL
make install
TEST
openssl speed -evp aes-128-cbc -engine af_alg -elapsed
CONFIGURATION - OPENSSL CONFIG
The algorithms run by af_alg can be configured in the openssl.cnf
by setting the CIPHERS and DIGEST values. Not setting them will speedup nothing.
Idea is only to run algorithms via af_alg which can be accelerated via hardware.
As I'm not aware of a way to query this, you have to set them manually.
-------------
--- /etc/ssl/openssl.cnf.orig
+++ /etc/ssl/openssl.cnf
@@ -12,6 +12,18 @@
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
+
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = openssl_engines
+
+[openssl_engines]
+af_alg = af_alg_engine
+
+[af_alg_engine]
+default_algorithms = ALL
+CIPHERS=aes-128-cbc aes-192-cbc aes-256-cbc des-cbc des-ede3-cbc
+DIGESTS=md4 md5 sha1 sha224 sha256 sha512
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
-------------
This will enforce loading the af_alg OpenSSL dynamic engine by default,
so it can be used by OpenSSH.
Starting with OpenSSH 5.4p1 OpenSSH honors the openssl config and will
use your default engines specified.
KERNEL MODULES REQUIRED
Make sure you have at least:
algif_hash 12943 0
algif_skcipher 17369 0
af_alg 14686 2 algif_hash,algif_skcipher
in your lsmod
and - if you can't load the modules:
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_USER_API_SKCIPHER=m
in your kernel config.
PERFORMANCE
If you have hardware crypto support,
for large block sizes, AF_ALG is supposed to increase performance,
for small block sizes, the overhead introduced by AF_ALG will slow things down.
In case you are looking for performance, get cryptodev.
It is faster.
DEBUGGING
OpenSSL ships evp_test, which can be used to verify things work.
A patch on OpenSSL is required to force evp_test using the config.
-------
diff --git a/crypto/evp/evp_test.c b/crypto/evp/evp_test.c
index ad36b84..d40c461 100644
--- a/crypto/evp/evp_test.c
+++ b/crypto/evp/evp_test.c
@@ -532,8 +532,8 @@ int main(int argc,char **argv)
/* Load all compiled-in ENGINEs */
ENGINE_load_builtin_engines();
#endif
-#if 0
- OPENSSL_config();
+#if 1
+ OPENSSL_config(NULL);
#endif
#ifndef OPENSSL_NO_ENGINE
/* Register all available ENGINE implementations of ciphers and digests.
-----------
create a config /tmp/af_alg.cnf with mentioned modifications to force using the engine.
export OPENSSL_CONF=/tmp/af_alg.cnf
openssl/test$ ./evp_test evptests.txt
It will fail if the computed results do not match the expected results.
Compiling the engine with
make CFLAGS=-DDEBUG clean all
may help as well.
OTHERS
cconf can be used to modify the crypto priorities on kernels >= 3.2
REFERENCES
http://article.gmane.org/gmane.linux.kernel.cryptoapi/5292
http://article.gmane.org/gmane.linux.kernel.cryptoapi/5296
https://bugzilla.mindrot.org/show_bug.cgi?id=1707
http://thread.gmane.org/gmane.linux.kernel.cryptoapi/6045
http://sourceforge.net/projects/crconf/
http://carnivore.it/2011/04/23/openssl_-_af_alg
AUTHOR
Markus Koetter
Carsten Behling <carsten.behling@ridgerun.com>
About
Ridgerun's autotools version of af_alg OpenSSL engine
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published