[From nobody Thu Jun 25 05:55:04 2020 Received: from sonic316-21.consmr.mail.ne1.yahoo.com ([66.163.187.147]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gz6v1-0000ZA-ET for openwrt-devel@lists.openwrt.org; Wed, 27 Feb 2019 21:39:17 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1551303548; bh=Cexi6Kg3T/RBDQcXsNbrYyqAXKL1CcjCit1L/OMz1Xc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=j8J+XmJfwHFLXkjcfl1pwjjC7u33whiJcMhQiWr4kRDGJUx8yEyluZ9JhQi9W2xkZM+RV03Mm0UuTabL7jZ9+USyGNQ5KkvudxA6z85Hpb5UrwQK/yYDwhVY+zdKKGys8TwKlQbe90726elJRuTQ3V9qLGWModgy8n1hGJXJxU0Jxd+VB3tnukmYpDGBYHBIx2Vofx0TrN8Q0o+vGIIaEZQgiKi8X9BUE4rZz/5HKidX5BGC+f1iFtT+moX0JuNHIRELni/UbNbEJcqEln+zlfLEippZav4V2UQ7FTN/9U2dTGnqG8SxczO1jTpWiVbLNtXsQ2nFCvWLXJHQv5uKJg== X-YMail-OSG: UuiYiHEVM1nG5Z4wfpx5O1dHhuioVzRr_v7fem8fpOL4neJnRwKlMJv7k1SFP2U XZGRq8WCoJvRHGUWXX1t2SOhKTZYREPsbzd2aEHCrCWACA1kph6SRb0p_PQ41E9x57GpMEc4AHuA krHBh7vwSSdUlAiehA.fq7_DiCQupjWzNNK5CL07O2QwxVpbOG5Uqd1UzPiCdvwsN0fwN.L0UBBF KJ1nFw2i5apR2oRxc5xtB.GGoq94e4IwSKYAlZzcZgPrsi.iL3XMU9z8iO5i9RV5GaqnmdahVLjR XSEeEDHsE4xILxr1BCKMiDWpqRjk5TvJrt3e1aejL0ynkW5ZQ4Y6FqAkbYj2zKwXCTJnf7f6gqQb 4juzQ4KZ7mFqigrlebf9Bdf3voNlC3ZoP5GDXC2GCximNETacthIXf.B0xWDTzbtG42vOGCtNErB Ccxz99.ybMNJ5K42WTB95he57DLXXSoMmfo8B3aBlXmreIdXDHhbyacS0fZOXJQr4qf8YcfAKm7e t82892ei.N6eVAtfErglnbrb20wph1RrgJnjvekDoQCKua2rga2JHpel0jPIj2sq9GkYPjg3pgpF IUBfnEnbtIAAERKajG440eb1KCQDUfSWOuz5YnHE3ZbagSDPyy07nHOdKqQ5eOObRAgkISGNEmbX Cp1lbiesEI_6sj0AizGXtdTi67G8eGgjjA2qr9b910zh8n9s88t.mg3h0o8nGUMEfN5DgEx5Ibk6 Q_O4KpjL_acTSEdsy9fVmMMhp2xf89xopALEhEehMIdIPFdrI7H9LFkyKUhsq2qMcyRQxAAJFrld Fmk.BKxQY5ArFIP0BVC_k1R.SI6f8XvRhhH8Jw4cwnYknpzyUCJ1X94oTn_dxLcZvgX658zsJHfC EEGKSLKQkT4O6HL5_zrVJzFkAGhh515JZoAwq_bg.MgjlRsicXCXox81bt6o9U8RrfXvZvFEEuAu tugAgbsv9Jq9OF5aGz.SdIoGhZX4eBV0OLsRQhoBo.hbfguoQBM7otZ.2U7sXuYGRe9c20QbpOXp 81YjMJq8u55rNrgVRAAt4wBR_Tr3HBpE- Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Wed, 27 Feb 2019 21:39:08 +0000 Received: from 18.175.75.177.infopasa.com.br (EHLO gateway.troianet.com.br) ([177.75.175.18]) by smtp410.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID bc430e88a776695cac0d2e0bfd2b88c1; Wed, 27 Feb 2019 21:39:05 +0000 (UTC) From: Eneas U de Queiroz <cote2004-github@yahoo.com> To: openwrt-devel@lists.openwrt.org Cc: Eneas U de Queiroz <cote2004-github@yahoo.com> Subject: [PATCH v4] openssl: backport devcrypto changes from master Date: Wed, 27 Feb 2019 18:38:42 -0300 Message-Id: <20190227213842.28783-1-cote2004-github@yahoo.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <mailman.23692.1551117680.2376.openwrt-devel@lists.openwrt.org> References: <mailman.23692.1551117680.2376.openwrt-devel@lists.openwrt.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190227_133911_697374_40A743F6 X-CRM114-Status: GOOD ( 15.72 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [66.163.187.147 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (cote2004-github[at]yahoo.com) -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid The patches to the /dev/crypto engine were commited to openssl master, and will be in the next major version (3.0). Changes: - Optimization in computing a digest in one operation, saving an ioctl - Runtime configuration options for the choice of algorithms to use - Command to dump useful information about the algorithms supported by the engine and the system. - Build the devcrypto engine as a dynamic module, like other engines. The devcrypto engine is built as a separate package by default, but options were added to allow building the engines into the main library. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> --- This should be applied on top of 'openssl: bump to release 1.1.1b'. Run-tested on Linksys WRT3200ACM, WRT610N (software-only), & ASUS RT-N56U (software-only). Changes: v4: rebased on top of openssl-1.1.1b v3: remove PKG_BUILD_DEPENDS:=cryptodev-linux, as it has been properly added to DEPENDS now. v2: accommodate changes from openssl: fix devcrypto engine md blocksize increased PKG_RELEASE diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index 3ad8a66b9e..235f38e787 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -253,18 +253,41 @@ config OPENSSL_ENGINE Note that you need to enable KERNEL_AIO to be able to build the afalg engine package. -config OPENSSL_ENGINE_CRYPTO +config OPENSSL_ENGINE_BUILTIN + bool "Build chosen engines into libcrypto" + depends on OPENSSL_ENGINE + help + This builds all chosen engines into libcrypto.so, instead of building + them as dynamic engines in separate packages. + The benefit of building the engines into libcrypto is that they won't + require any configuration to be used by default. + +config OPENSSL_ENGINE_BUILTIN_AFALG bool - select OPENSSL_ENGINE - select PACKAGE_kmod-cryptodev + prompt "Acceleration support through AF_ALG sockets engine" + depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO && !LINUX_3_18 select PACKAGE_libopenssl-conf + help + This enables use of hardware acceleration through the + AF_ALG kenrel interface. + +config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO + bool prompt "Acceleration support through /dev/crypto" + depends on OPENSSL_ENGINE_BUILTIN + select PACKAGE_libopenssl-conf help This enables use of hardware acceleration through OpenBSD Cryptodev API (/dev/crypto) interface. - You must install kmod-cryptodev (under Kernel modules, Cryptographic - API modules) for /dev/crypto to show up and use hardware - acceleration; otherwise it falls back to software. + +config OPENSSL_ENGINE_BUILTIN_PADLOCK + bool + prompt "VIA Padlock Acceleration support engine" + depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86 + select PACKAGE_libopenssl-conf + help + This enables use of hardware acceleration through the + VIA Padlock module. config OPENSSL_WITH_ASYNC bool diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index ab02f09f0e..a9dd16f3e7 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,12 +11,11 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=b PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=0 -PKG_BUILD_DEPENDS:=cryptodev-linux PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ @@ -32,7 +31,10 @@ PKG_LICENSE_FILES:=LICENSE PKG_CPE_ID:=cpe:/a:openssl:openssl PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_ENGINE \ - CONFIG_OPENSSL_ENGINE_CRYPTO \ + CONFIG_OPENSSL_ENGINE_BUILTIN \ + CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG \ + CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO \ + CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK \ CONFIG_OPENSSL_NO_DEPRECATED \ CONFIG_OPENSSL_OPTIMIZE_SPEED \ CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \ @@ -89,7 +91,10 @@ endef define Package/libopenssl $(call Package/openssl/Default) SUBMENU:=SSL - DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib + DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \ + +OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \ + +OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \ + +OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock TITLE+= (libraries) ABI_VERSION:=1.1 MENU:=1 @@ -134,7 +139,7 @@ define Package/libopenssl-afalg SUBMENU:=SSL TITLE:=AFALG hardware acceleration engine DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user \ - +libopenssl-conf + +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description @@ -145,12 +150,28 @@ See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration- The engine_id is "afalg" endef +define Package/libopenssl-devcrypto + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=/dev/crypto hardware acceleration engine + DEPENDS:=libopenssl @OPENSSL_ENGINE +kmod-cryptodev +libopenssl-conf \ + @!OPENSSL_ENGINE_BUILTIN +endef + +define Package/libopenssl-devcrypto/description +This package adds an engine that enables hardware acceleration +through the /dev/crypto kernel interface. +To use it, you need to configure the engine in /etc/ssl/openssl.cnf +See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +The engine_id is "devcrypto" +endef + define Package/libopenssl-padlock $(call Package/openssl/Default) SUBMENU:=SSL TITLE:=VIA Padlock hardware acceleration engine DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock \ - +libopenssl-conf + +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description @@ -241,14 +262,27 @@ else endif ifdef CONFIG_OPENSSL_ENGINE - ifdef CONFIG_OPENSSL_ENGINE_CRYPTO - OPENSSL_OPTIONS += enable-devcryptoeng - endif - ifndef CONFIG_PACKAGE_libopenssl-afalg - OPENSSL_OPTIONS += no-afalgeng - endif - ifndef CONFIG_PACKAGE_libopenssl-padlock - OPENSSL_OPTIONS += no-hw-padlock + ifdef CONFIG_OPENSSL_ENGINE_BUILTIN + OPENSSL_OPTIONS += disable-dynamic-engine + ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG + OPENSSL_OPTIONS += no-afalgeng + endif + ifdef CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO + OPENSSL_OPTIONS += enable-devcryptoeng + endif + ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK + OPENSSL_OPTIONS += no-hw-padlock + endif + else + ifdef CONFIG_PACKAGE_libopenssl-devcrypto + OPENSSL_OPTIONS += enable-devcryptoeng + endif + ifndef CONFIG_PACKAGE_libopenssl-afalg + OPENSSL_OPTIONS += no-afalgeng + endif + ifndef CONFIG_PACKAGE_libopenssl-padlock + OPENSSL_OPTIONS += no-hw-padlock + endif endif else OPENSSL_OPTIONS += no-engine @@ -361,6 +395,11 @@ define Package/libopenssl-afalg/install $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) endef +define Package/libopenssl-devcrypto/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) +endef + define Package/libopenssl-padlock/install $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) @@ -369,5 +408,6 @@ endef $(eval $(call BuildPackage,libopenssl)) $(eval $(call BuildPackage,libopenssl-conf)) $(eval $(call BuildPackage,libopenssl-afalg)) +$(eval $(call BuildPackage,libopenssl-devcrypto)) $(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,openssl-util)) diff --git a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch new file mode 100644 index 0000000000..1a89d52241 --- /dev/null +++ b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch @@ -0,0 +1,60 @@ +From 48e2c9202ea345347da91f4c583e5915eb010d50 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Mon, 5 Nov 2018 15:54:17 -0200 +Subject: [PATCH 1/4] eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT + +Since each ioctl causes a context switch, slowing things down, if +EVP_MD_CTX_FLAG_ONESHOT is set, then: + - call the ioctl in digest_update, saving the result; and + - just copy the result in digest_final, instead of using another ioctl. + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/7585) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 717d7c2779..f4c495e06e 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -461,6 +461,7 @@ struct digest_ctx { + struct session_op sess; + /* This signals that the init function was called, not that it succeeded. */ + int init_called; ++ unsigned char digest_res[HASH_MAX_LEN]; + }; + + static const struct digest_data_st { +@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) + if (digest_ctx == NULL) + return 0; + +- if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; ++ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { ++ if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0) ++ return 1; ++ } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) { ++ return 1; + } + +- return 1; ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; + } + + static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) +@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) + + if (md == NULL || digest_ctx == NULL) + return 0; +- if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { ++ ++ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { ++ memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx)); ++ } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; + } diff --git a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch new file mode 100644 index 0000000000..c0abd1cfec --- /dev/null +++ b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch @@ -0,0 +1,569 @@ +From 800272d22acf95070f22c870eca15bdba0539a6a Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Sat, 3 Nov 2018 15:41:10 -0300 +Subject: [PATCH 2/4] eng_devcrypto: add configuration options + +USE_SOFTDRIVERS: whether to use software (not accelerated) drivers +CIPHERS: list of ciphers to enable +DIGESTS: list of digests to enable + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/7585) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index f4c495e06e..8992d4efe3 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -16,6 +16,7 @@ + #include <unistd.h> + #include <assert.h> + ++#include <openssl/conf.h> + #include <openssl/evp.h> + #include <openssl/err.h> + #include <openssl/engine.h> +@@ -36,6 +37,30 @@ + * saner... why re-open /dev/crypto for every session? + */ + static int cfd; ++#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ ++#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ ++#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ ++ ++#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE ++static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; ++ ++/* ++ * cipher/digest status & acceleration definitions ++ * Make sure the defaults are set to 0 ++ */ ++struct driver_info_st { ++ enum devcrypto_status_t { ++ DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */ ++ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ ++ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ ++ } status; ++ ++ enum devcrypto_accelerated_t { ++ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ ++ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ ++ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ ++ } accelerated; ++}; + + static int clean_devcrypto_session(struct session_op *sess) { + if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { +@@ -119,13 +144,22 @@ static const struct cipher_data_st { + #endif + }; + +-static size_t get_cipher_data_index(int nid) ++static size_t find_cipher_data_index(int nid) + { + size_t i; + + for (i = 0; i < OSSL_NELEM(cipher_data); i++) + if (nid == cipher_data[i].nid) + return i; ++ return (size_t)-1; ++} ++ ++static size_t get_cipher_data_index(int nid) ++{ ++ size_t i = find_cipher_data_index(nid); ++ ++ if (i != (size_t)-1) ++ return i; + + /* + * Code further down must make sure that only NIDs in the table above +@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) + } + + /* +- * Keep a table of known nids and associated methods. ++ * Keep tables of known nids, associated methods, selected ciphers, and driver ++ * info. + * Note that known_cipher_nids[] isn't necessarily indexed the same way as +- * cipher_data[] above, which known_cipher_methods[] is. ++ * cipher_data[] above, which the other tables are. + */ + static int known_cipher_nids[OSSL_NELEM(cipher_data)]; + static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ + static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; ++static int selected_ciphers[OSSL_NELEM(cipher_data)]; ++static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)]; ++ ++ ++static int devcrypto_test_cipher(size_t cipher_data_index) ++{ ++ return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE ++ && selected_ciphers[cipher_data_index] == 1 ++ && (cipher_driver_info[cipher_data_index].accelerated ++ == DEVCRYPTO_ACCELERATED ++ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE ++ || (cipher_driver_info[cipher_data_index].accelerated ++ != DEVCRYPTO_NOT_ACCELERATED ++ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); ++} + + static void prepare_cipher_methods(void) + { + size_t i; + struct session_op sess; + unsigned long cipher_mode; ++#ifdef CIOCGSESSINFO ++ struct session_info_op siop; ++#endif ++ ++ memset(&cipher_driver_info, 0, sizeof(cipher_driver_info)); + + memset(&sess, 0, sizeof(sess)); + sess.key = (void *)"01234567890123456789012345678901234567890123456789"; +@@ -353,15 +408,16 @@ static void prepare_cipher_methods(void) + for (i = 0, known_cipher_nids_amount = 0; + i < OSSL_NELEM(cipher_data); i++) { + ++ selected_ciphers[i] = 1; + /* +- * Check that the algo is really availably by trying to open and close +- * a session. ++ * Check that the cipher is usable + */ + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; +- if (ioctl(cfd, CIOCGSESSION, &sess) < 0 +- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) ++ if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; + continue; ++ } + + cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; + +@@ -387,15 +443,41 @@ static void prepare_cipher_methods(void) + cipher_cleanup) + || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], + sizeof(struct cipher_ctx))) { ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; + EVP_CIPHER_meth_free(known_cipher_methods[i]); + known_cipher_methods[i] = NULL; + } else { ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; ++#ifdef CIOCGSESSINFO ++ siop.ses = sess.ses; ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) ++ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; ++ else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) ++ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ else ++ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++#endif /* CIOCGSESSINFO */ ++ } ++ ioctl(cfd, CIOCFSESSION, &sess.ses); ++ if (devcrypto_test_cipher(i)) { + known_cipher_nids[known_cipher_nids_amount++] = + cipher_data[i].nid; + } + } + } + ++static void rebuild_known_cipher_nids(ENGINE *e) ++{ ++ size_t i; ++ ++ for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) { ++ if (devcrypto_test_cipher(i)) ++ known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid; ++ } ++ ENGINE_unregister_ciphers(e); ++ ENGINE_register_ciphers(e); ++} ++ + static const EVP_CIPHER *get_cipher_method(int nid) + { + size_t i = get_cipher_data_index(nid); +@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + return *cipher != NULL; + } + ++static void devcrypto_select_all_ciphers(int *cipher_list) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) ++ cipher_list[i] = 1; ++} ++ ++static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) ++{ ++ int *cipher_list = (int *)usr; ++ char *name; ++ const EVP_CIPHER *EVP; ++ size_t i; ++ ++ if (len == 0) ++ return 1; ++ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) ++ return 0; ++ EVP = EVP_get_cipherbyname(name); ++ if (EVP == NULL) ++ fprintf(stderr, "devcrypto: unknown cipher %s\n", name); ++ else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1) ++ cipher_list[i] = 1; ++ else ++ fprintf(stderr, "devcrypto: cipher %s not available\n", name); ++ OPENSSL_free(name); ++ return 1; ++} ++ + /* + * We only support digests if the cryptodev implementation supports multiple + * data updates and session copying. Otherwise, we would be forced to maintain +@@ -493,13 +605,22 @@ static const struct digest_data_st { + #endif + }; + +-static size_t get_digest_data_index(int nid) ++static size_t find_digest_data_index(int nid) + { + size_t i; + + for (i = 0; i < OSSL_NELEM(digest_data); i++) + if (nid == digest_data[i].nid) + return i; ++ return (size_t)-1; ++} ++ ++static size_t get_digest_data_index(int nid) ++{ ++ size_t i = find_digest_data_index(nid); ++ ++ if (i != (size_t)-1) ++ return i; + + /* + * Code further down must make sure that only NIDs in the table above +@@ -516,8 +637,8 @@ static const struct digest_data_st *get_digest_data(int nid) + } + + /* +- * Following are the four necessary functions to map OpenSSL functionality +- * with cryptodev. ++ * Following are the five necessary functions to map OpenSSL functionality ++ * with cryptodev: init, update, final, cleanup, and copy. + */ + + static int digest_init(EVP_MD_CTX *ctx) +@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ctx) + return clean_devcrypto_session(&digest_ctx->sess); + } + +-static int devcrypto_test_digest(size_t digest_data_index) +-{ +- struct session_op sess1, sess2; +- struct cphash_op cphash; +- int ret=0; +- +- memset(&sess1, 0, sizeof(sess1)); +- memset(&sess2, 0, sizeof(sess2)); +- sess1.mac = digest_data[digest_data_index].devcryptoid; +- if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) +- return 0; +- /* Make sure the driver is capable of hash state copy */ +- sess2.mac = sess1.mac; +- if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) { +- cphash.src_ses = sess1.ses; +- cphash.dst_ses = sess2.ses; +- if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0) +- ret = 1; +- ioctl(cfd, CIOCFSESSION, &sess2.ses); +- } +- ioctl(cfd, CIOCFSESSION, &sess1.ses); +- return ret; +-} +- + /* +- * Keep a table of known nids and associated methods. ++ * Keep tables of known nids, associated methods, selected digests, and ++ * driver info. + * Note that known_digest_nids[] isn't necessarily indexed the same way as +- * digest_data[] above, which known_digest_methods[] is. ++ * digest_data[] above, which the other tables are. + */ + static int known_digest_nids[OSSL_NELEM(digest_data)]; + static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ + static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; ++static int selected_digests[OSSL_NELEM(digest_data)]; ++static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)]; ++ ++static int devcrypto_test_digest(size_t digest_data_index) ++{ ++ return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE ++ && selected_digests[digest_data_index] == 1 ++ && (digest_driver_info[digest_data_index].accelerated ++ == DEVCRYPTO_ACCELERATED ++ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE ++ || (digest_driver_info[digest_data_index].accelerated ++ != DEVCRYPTO_NOT_ACCELERATED ++ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); ++} ++ ++static void rebuild_known_digest_nids(ENGINE *e) ++{ ++ size_t i; ++ ++ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { ++ if (devcrypto_test_digest(i)) ++ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; ++ } ++ ENGINE_unregister_digests(e); ++ ENGINE_register_digests(e); ++} + + static void prepare_digest_methods(void) + { + size_t i; ++ struct session_op sess1, sess2; ++#ifdef CIOCGSESSINFO ++ struct session_info_op siop; ++#endif ++ struct cphash_op cphash; ++ ++ memset(&digest_driver_info, 0, sizeof(digest_driver_info)); ++ ++ memset(&sess1, 0, sizeof(sess1)); ++ memset(&sess2, 0, sizeof(sess2)); + + for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); + i++) { + ++ selected_digests[i] = 1; ++ + /* +- * Check that the algo is usable ++ * Check that the digest is usable + */ +- if (!devcrypto_test_digest(i)) +- continue; ++ sess1.mac = digest_data[i].devcryptoid; ++ sess2.ses = 0; ++ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ goto finish; ++ } + ++#ifdef CIOCGSESSINFO ++ /* gather hardware acceleration info from the driver */ ++ siop.ses = sess1.ses; ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) ++ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; ++ else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) ++ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ else ++ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++#endif ++ ++ /* digest must be capable of hash state copy */ ++ sess2.mac = sess1.mac; ++ if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ goto finish; ++ } ++ cphash.src_ses = sess1.ses; ++ cphash.dst_ses = sess2.ses; ++ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ goto finish; ++ } + if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, + NID_undef)) == NULL + || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i], +@@ -689,11 +852,18 @@ static void prepare_digest_methods(void) + || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) + || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], + sizeof(struct digest_ctx))) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; + EVP_MD_meth_free(known_digest_methods[i]); + known_digest_methods[i] = NULL; +- } else { +- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; ++ goto finish; + } ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; ++finish: ++ ioctl(cfd, CIOCFSESSION, &sess1.ses); ++ if (sess2.ses != 0) ++ ioctl(cfd, CIOCFSESSION, &sess2.ses); ++ if (devcrypto_test_digest(i)) ++ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; + } + } + +@@ -739,8 +909,154 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, + return *digest != NULL; + } + ++static void devcrypto_select_all_digests(int *digest_list) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) ++ digest_list[i] = 1; ++} ++ ++static int cryptodev_select_digest_cb(const char *str, int len, void *usr) ++{ ++ int *digest_list = (int *)usr; ++ char *name; ++ const EVP_MD *EVP; ++ size_t i; ++ ++ if (len == 0) ++ return 1; ++ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) ++ return 0; ++ EVP = EVP_get_digestbyname(name); ++ if (EVP == NULL) ++ fprintf(stderr, "devcrypto: unknown digest %s\n", name); ++ else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1) ++ digest_list[i] = 1; ++ else ++ fprintf(stderr, "devcrypto: digest %s not available\n", name); ++ OPENSSL_free(name); ++ return 1; ++} ++ ++#endif ++ ++/****************************************************************************** ++ * ++ * CONTROL COMMANDS ++ * ++ *****/ ++ ++#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE ++#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1) ++#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2) ++#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3) ++ ++/* Helper macros for CPP string composition */ ++#ifndef OPENSSL_MSTR ++# define OPENSSL_MSTR_HELPER(x) #x ++# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x) ++#endif ++ ++static const ENGINE_CMD_DEFN devcrypto_cmds[] = { ++#ifdef CIOCGSESSINFO ++ {DEVCRYPTO_CMD_USE_SOFTDRIVERS, ++ "USE_SOFTDRIVERS", ++ "specifies whether to use software (not accelerated) drivers (" ++ OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, " ++ OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " ++ OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) ++ "=use if acceleration can't be determined) [default=" ++ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]", ++ ENGINE_CMD_FLAG_NUMERIC}, ++#endif ++ ++ {DEVCRYPTO_CMD_CIPHERS, ++ "CIPHERS", ++ "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]", ++ ENGINE_CMD_FLAG_STRING}, ++ ++#ifdef IMPLEMENT_DIGEST ++ {DEVCRYPTO_CMD_DIGESTS, ++ "DIGESTS", ++ "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", ++ ENGINE_CMD_FLAG_STRING}, + #endif + ++ {0, NULL, NULL, 0} ++}; ++ ++static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) ++{ ++ int *new_list; ++ switch (cmd) { ++#ifdef CIOCGSESSINFO ++ case DEVCRYPTO_CMD_USE_SOFTDRIVERS: ++ switch (i) { ++ case DEVCRYPTO_REQUIRE_ACCELERATED: ++ case DEVCRYPTO_USE_SOFTWARE: ++ case DEVCRYPTO_REJECT_SOFTWARE: ++ break; ++ default: ++ fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i); ++ return 0; ++ } ++ if (use_softdrivers == i) ++ return 1; ++ use_softdrivers = i; ++#ifdef IMPLEMENT_DIGEST ++ rebuild_known_digest_nids(e); ++#endif ++ rebuild_known_cipher_nids(e); ++ return 1; ++#endif /* CIOCGSESSINFO */ ++ ++ case DEVCRYPTO_CMD_CIPHERS: ++ if (p == NULL) ++ return 1; ++ if (strcasecmp((const char *)p, "ALL") == 0) { ++ devcrypto_select_all_ciphers(selected_ciphers); ++ } else if (strcasecmp((const char*)p, "NONE") == 0) { ++ memset(selected_ciphers, 0, sizeof(selected_ciphers)); ++ } else { ++ new_list=OPENSSL_zalloc(sizeof(selected_ciphers)); ++ if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) { ++ OPENSSL_free(new_list); ++ return 0; ++ } ++ memcpy(selected_ciphers, new_list, sizeof(selected_ciphers)); ++ OPENSSL_free(new_list); ++ } ++ rebuild_known_cipher_nids(e); ++ return 1; ++ ++#ifdef IMPLEMENT_DIGEST ++ case DEVCRYPTO_CMD_DIGESTS: ++ if (p == NULL) ++ return 1; ++ if (strcasecmp((const char *)p, "ALL") == 0) { ++ devcrypto_select_all_digests(selected_digests); ++ } else if (strcasecmp((const char*)p, "NONE") == 0) { ++ memset(selected_digests, 0, sizeof(selected_digests)); ++ } else { ++ new_list=OPENSSL_zalloc(sizeof(selected_digests)); ++ if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) { ++ OPENSSL_free(new_list); ++ return 0; ++ } ++ memcpy(selected_digests, new_list, sizeof(selected_digests)); ++ OPENSSL_free(new_list); ++ } ++ rebuild_known_digest_nids(e); ++ return 1; ++#endif /* IMPLEMENT_DIGEST */ ++ ++ default: ++ break; ++ } ++ return 0; ++} ++ + /****************************************************************************** + * + * LOAD / UNLOAD +@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int() + + if (!ENGINE_set_id(e, "devcrypto") + || !ENGINE_set_name(e, "/dev/crypto engine") ++ || !ENGINE_set_cmd_defns(e, devcrypto_cmds) ++ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) + + /* + * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD diff --git a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch new file mode 100644 index 0000000000..95181b8a9d --- /dev/null +++ b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch @@ -0,0 +1,275 @@ +From ced41f7d44cb8cd3c4523f7271530d9d92e4f064 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Tue, 6 Nov 2018 22:54:07 -0200 +Subject: [PATCH 3/4] eng_devcrypto: add command to dump driver info + +This is useful to determine the kernel driver running each algorithm. + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/7585) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 8992d4efe3..bbe825455a 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; + */ + struct driver_info_st { + enum devcrypto_status_t { +- DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */ +- DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ +- DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ ++ DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */ ++ DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */ ++ DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */ ++ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ ++ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ + } status; + + enum devcrypto_accelerated_t { +- DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ +- DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ +- DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ ++ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ ++ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ ++ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ + } accelerated; ++ ++ char *driver_name; + }; + + static int clean_devcrypto_session(struct session_op *sess) { +@@ -415,7 +419,7 @@ static void prepare_cipher_methods(void) + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; + if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { +- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; + continue; + } + +@@ -443,19 +447,24 @@ static void prepare_cipher_methods(void) + cipher_cleanup) + || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], + sizeof(struct cipher_ctx))) { +- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; + EVP_CIPHER_meth_free(known_cipher_methods[i]); + known_cipher_methods[i] = NULL; + } else { + cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; + #ifdef CIOCGSESSINFO + siop.ses = sess.ses; +- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { + cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; +- else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) +- cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; +- else +- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ } else { ++ cipher_driver_info[i].driver_name = ++ OPENSSL_strndup(siop.cipher_info.cra_driver_name, ++ CRYPTODEV_MAX_ALG_NAME); ++ if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) ++ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ else ++ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ } + #endif /* CIOCGSESSINFO */ + } + ioctl(cfd, CIOCFSESSION, &sess.ses); +@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(void) + { + size_t i; + +- for (i = 0; i < OSSL_NELEM(cipher_data); i++) ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { + destroy_cipher_method(cipher_data[i].nid); ++ OPENSSL_free(cipher_driver_info[i].driver_name); ++ cipher_driver_info[i].driver_name = NULL; ++ } + } + + static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, +@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) + return 1; + } + ++static void dump_cipher_info(void) ++{ ++ size_t i; ++ const char *name; ++ ++ fprintf (stderr, "Information about ciphers supported by the /dev/crypto" ++ " engine:\n"); ++#ifndef CIOCGSESSINFO ++ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); ++#endif ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { ++ name = OBJ_nid2sn(cipher_data[i].nid); ++ fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ", ++ name ? name : "unknown", cipher_data[i].nid, ++ cipher_data[i].devcryptoid); ++ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) { ++ fprintf (stderr, "CIOCGSESSION (session open call) failed\n"); ++ continue; ++ } ++ fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ? ++ cipher_driver_info[i].driver_name : "unknown"); ++ if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) ++ fprintf(stderr, "(hw accelerated)"); ++ else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) ++ fprintf(stderr, "(software)"); ++ else ++ fprintf(stderr, "(acceleration status unknown)"); ++ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) ++ fprintf (stderr, ". Cipher setup failed"); ++ fprintf(stderr, "\n"); ++ } ++ fprintf(stderr, "\n"); ++} ++ + /* + * We only support digests if the cryptodev implementation supports multiple + * data updates and session copying. Otherwise, we would be forced to maintain +@@ -812,31 +858,36 @@ static void prepare_digest_methods(void) + sess1.mac = digest_data[i].devcryptoid; + sess2.ses = 0; + if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; + goto finish; + } + + #ifdef CIOCGSESSINFO + /* gather hardware acceleration info from the driver */ + siop.ses = sess1.ses; +- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { + digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; +- else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) +- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; +- else +- digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ } else { ++ digest_driver_info[i].driver_name = ++ OPENSSL_strndup(siop.hash_info.cra_driver_name, ++ CRYPTODEV_MAX_ALG_NAME); ++ if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) ++ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ else ++ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ } + #endif + + /* digest must be capable of hash state copy */ + sess2.mac = sess1.mac; + if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; + goto finish; + } + cphash.src_ses = sess1.ses; + cphash.dst_ses = sess2.ses; + if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH; + goto finish; + } + if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, +@@ -852,7 +903,7 @@ static void prepare_digest_methods(void) + || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) + || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], + sizeof(struct digest_ctx))) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; + EVP_MD_meth_free(known_digest_methods[i]); + known_digest_methods[i] = NULL; + goto finish; +@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(void) + { + size_t i; + +- for (i = 0; i < OSSL_NELEM(digest_data); i++) ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) { + destroy_digest_method(digest_data[i].nid); ++ OPENSSL_free(digest_driver_info[i].driver_name); ++ digest_driver_info[i].driver_name = NULL; ++ } + } + + static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, +@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(const char *str, int len, void *usr) + return 1; + } + ++static void dump_digest_info(void) ++{ ++ size_t i; ++ const char *name; ++ ++ fprintf (stderr, "Information about digests supported by the /dev/crypto" ++ " engine:\n"); ++#ifndef CIOCGSESSINFO ++ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); ++#endif ++ ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) { ++ name = OBJ_nid2sn(digest_data[i].nid); ++ fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s", ++ name ? name : "unknown", digest_data[i].nid, ++ digest_data[i].devcryptoid, ++ digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown"); ++ if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) { ++ fprintf (stderr, ". CIOCGSESSION (session open) failed\n"); ++ continue; ++ } ++ if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) ++ fprintf(stderr, " (hw accelerated)"); ++ else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) ++ fprintf(stderr, " (software)"); ++ else ++ fprintf(stderr, " (acceleration status unknown)"); ++ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) ++ fprintf (stderr, ". Cipher setup failed\n"); ++ else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH) ++ fprintf(stderr, ", CIOCCPHASH failed\n"); ++ else ++ fprintf(stderr, ", CIOCCPHASH capable\n"); ++ } ++ fprintf(stderr, "\n"); ++} ++ + #endif + + /****************************************************************************** +@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { + ENGINE_CMD_FLAG_STRING}, + #endif + ++ {DEVCRYPTO_CMD_DUMP_INFO, ++ "DUMP_INFO", ++ "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'", ++ ENGINE_CMD_FLAG_NO_INPUT}, ++ + {0, NULL, NULL, 0} + }; + +@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) + return 1; + #endif /* IMPLEMENT_DIGEST */ + ++ case DEVCRYPTO_CMD_DUMP_INFO: ++ dump_cipher_info(); ++#ifdef IMPLEMENT_DIGEST ++ dump_digest_info(); ++#endif ++ return 1; ++ + default: + break; + } diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch new file mode 100644 index 0000000000..773ed27522 --- /dev/null +++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch @@ -0,0 +1,368 @@ +From 37a5c14aad5051201e4bd18faf1a4b25a824cc30 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Tue, 6 Nov 2018 10:57:03 -0200 +Subject: [PATCH 4/4] e_devcrypto: make the /dev/crypto engine dynamic + +Engine has been moved from crypto/engine/eng_devcrypto.c to +engines/e_devcrypto.c. + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +diff --git a/crypto/engine/build.info b/crypto/engine/build.info +index e00802a3fd..47fe948966 100644 +--- a/crypto/engine/build.info ++++ b/crypto/engine/build.info +@@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ + tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c tb_eckey.c \ + eng_openssl.c eng_cnf.c eng_dyn.c \ + eng_rdrand.c +-IF[{- !$disabled{devcryptoeng} -}] +- SOURCE[../../libcrypto]=eng_devcrypto.c +-ENDIF +diff --git a/crypto/init.c b/crypto/init.c +index b9a7334a7e..b5988fc672 100644 +--- a/crypto/init.c ++++ b/crypto/init.c +@@ -330,18 +330,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) + engine_load_openssl_int(); + return 1; + } +-# ifndef OPENSSL_NO_DEVCRYPTOENG +-static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; +-DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) +-{ +-# ifdef OPENSSL_INIT_DEBUG +- fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " +- "engine_load_devcrypto_int()\n"); +-# endif +- engine_load_devcrypto_int(); +- return 1; +-} +-# endif + + # ifndef OPENSSL_NO_RDRAND + static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT; +@@ -366,6 +354,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic) + return 1; + } + # ifndef OPENSSL_NO_STATIC_ENGINE ++# ifndef OPENSSL_NO_DEVCRYPTOENG ++static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) ++{ ++# ifdef OPENSSL_INIT_DEBUG ++ fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " ++ "engine_load_devcrypto_int()\n"); ++# endif ++ engine_load_devcrypto_int(); ++ return 1; ++} ++# endif + # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) + static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT; + DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock) +@@ -714,11 +714,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) + if ((opts & OPENSSL_INIT_ENGINE_OPENSSL) + && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl)) + return 0; +-# if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_DEVCRYPTOENG) +- if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV) +- && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto)) +- return 0; +-# endif + # ifndef OPENSSL_NO_RDRAND + if ((opts & OPENSSL_INIT_ENGINE_RDRAND) + && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand)) +@@ -728,6 +723,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) + && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) + return 0; + # ifndef OPENSSL_NO_STATIC_ENGINE ++# ifndef OPENSSL_NO_DEVCRYPTOENG ++ if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV) ++ && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto)) ++ return 0; ++# endif + # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) + if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) + && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock)) +diff --git a/engines/build.info b/engines/build.info +index df173ea69d..dc0cbeb0a3 100644 +--- a/engines/build.info ++++ b/engines/build.info +@@ -10,6 +10,9 @@ IF[{- !$disabled{"engine"} -}] + IF[{- !$disabled{afalgeng} -}] + SOURCE[../libcrypto]=e_afalg.c + ENDIF ++ IF[{- !$disabled{"devcryptoeng"} -}] ++ SOURCE[../libcrypto]=e_devcrypto.c ++ ENDIF + ELSE + ENGINES=padlock + SOURCE[padlock]=e_padlock.c {- $target{padlock_asm_src} -} +@@ -27,6 +30,12 @@ IF[{- !$disabled{"engine"} -}] + DEPEND[afalg]=../libcrypto + INCLUDE[afalg]= ../include + ENDIF ++ IF[{- !$disabled{"devcryptoeng"} -}] ++ ENGINES=devcrypto ++ SOURCE[devcrypto]=e_devcrypto.c ++ DEPEND[devcrypto]=../libcrypto ++ INCLUDE[devcrypto]=../include ++ ENDIF + + ENGINES_NO_INST=ossltest dasync + SOURCE[dasync]=e_dasync.c +diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c +similarity index 95% +rename from crypto/engine/eng_devcrypto.c +rename to engines/e_devcrypto.c +index bbe825455a..da3702d217 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -7,7 +7,7 @@ + * https://www.openssl.org/source/license.html + */ + +-#include "e_os.h" ++#include "../e_os.h" + #include <string.h> + #include <sys/types.h> + #include <sys/stat.h> +@@ -23,26 +23,26 @@ + #include <openssl/objects.h> + #include <crypto/cryptodev.h> + +-#include "internal/engine.h" +- + /* #define ENGINE_DEVCRYPTO_DEBUG */ + + #ifdef CRYPTO_ALGORITHM_MIN + # define CHECK_BSD_STYLE_MACROS + #endif + ++#define engine_devcrypto_id "devcrypto" ++ + /* + * ONE global file descriptor for all sessions. This allows operations + * such as digest session data copying (see digest_copy()), but is also + * saner... why re-open /dev/crypto for every session? + */ +-static int cfd; ++static int cfd = -1; + #define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ + #define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ + #define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ + +-#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE +-static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; ++#define DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS DEVCRYPTO_REJECT_SOFTWARE ++static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS; + + /* + * cipher/digest status & acceleration definitions +@@ -66,6 +66,10 @@ struct driver_info_st { + char *driver_name; + }; + ++#ifdef OPENSSL_NO_DYNAMIC_ENGINE ++void engine_load_devcrypto_int(void); ++#endif ++ + static int clean_devcrypto_session(struct session_op *sess) { + if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { + SYSerr(SYS_F_IOCTL, errno); +@@ -341,6 +345,7 @@ static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) + struct cipher_ctx *to_cipher_ctx; + + switch (type) { ++ + case EVP_CTRL_COPY: + if (cipher_ctx == NULL) + return 1; +@@ -702,7 +707,6 @@ static int digest_init(EVP_MD_CTX *ctx) + SYSerr(SYS_F_IOCTL, errno); + return 0; + } +- + return 1; + } + +@@ -1058,7 +1062,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { + OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " + OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) + "=use if acceleration can't be determined) [default=" +- OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]", ++ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS) "]", + ENGINE_CMD_FLAG_NUMERIC}, + #endif + +@@ -1166,55 +1170,70 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) + * + *****/ + +-static int devcrypto_unload(ENGINE *e) +-{ +- destroy_all_cipher_methods(); +-#ifdef IMPLEMENT_DIGEST +- destroy_all_digest_methods(); +-#endif +- +- close(cfd); +- +- return 1; +-} + /* +- * This engine is always built into libcrypto, so it doesn't offer any +- * ability to be dynamically loadable. ++ * Opens /dev/crypto + */ +-void engine_load_devcrypto_int() ++static int open_devcrypto(void) + { +- ENGINE *e = NULL; ++ if (cfd >= 0) ++ return 1; + + if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { + #ifndef ENGINE_DEVCRYPTO_DEBUG + if (errno != ENOENT) + #endif + fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); +- return; ++ return 0; + } + +- if ((e = ENGINE_new()) == NULL +- || !ENGINE_set_destroy_function(e, devcrypto_unload)) { +- ENGINE_free(e); +- /* +- * We know that devcrypto_unload() won't be called when one of the +- * above two calls have failed, so we close cfd explicitly here to +- * avoid leaking resources. +- */ +- close(cfd); +- return; ++ return 1; ++} ++ ++static int close_devcrypto(void) ++{ ++ int ret; ++ ++ if (cfd < 0) ++ return 1; ++ ret = close(cfd); ++ cfd = -1; ++ if (ret != 0) { ++ fprintf(stderr, "Error closing /dev/crypto: %s\n", strerror(errno)); ++ return 0; + } ++ return 1; ++} + +- prepare_cipher_methods(); ++static int devcrypto_unload(ENGINE *e) ++{ ++ destroy_all_cipher_methods(); + #ifdef IMPLEMENT_DIGEST +- prepare_digest_methods(); ++ destroy_all_digest_methods(); + #endif + +- if (!ENGINE_set_id(e, "devcrypto") ++ close_devcrypto(); ++ ++ return 1; ++} ++ ++static int bind_devcrypto(ENGINE *e) { ++ ++ if (!ENGINE_set_id(e, engine_devcrypto_id) + || !ENGINE_set_name(e, "/dev/crypto engine") ++ || !ENGINE_set_destroy_function(e, devcrypto_unload) + || !ENGINE_set_cmd_defns(e, devcrypto_cmds) +- || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) ++ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)) ++ return 0; ++ ++ prepare_cipher_methods(); ++#ifdef IMPLEMENT_DIGEST ++ prepare_digest_methods(); ++#endif + ++ return (ENGINE_set_ciphers(e, devcrypto_ciphers) ++#ifdef IMPLEMENT_DIGEST ++ && ENGINE_set_digests(e, devcrypto_digests) ++#endif + /* + * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD + * implementations, it seems to only exist in FreeBSD, and regarding the +@@ -1237,23 +1256,36 @@ void engine_load_devcrypto_int() + */ + #if 0 + # ifndef OPENSSL_NO_RSA +- || !ENGINE_set_RSA(e, devcrypto_rsa) ++ && ENGINE_set_RSA(e, devcrypto_rsa) + # endif + # ifndef OPENSSL_NO_DSA +- || !ENGINE_set_DSA(e, devcrypto_dsa) ++ && ENGINE_set_DSA(e, devcrypto_dsa) + # endif + # ifndef OPENSSL_NO_DH +- || !ENGINE_set_DH(e, devcrypto_dh) ++ && ENGINE_set_DH(e, devcrypto_dh) + # endif + # ifndef OPENSSL_NO_EC +- || !ENGINE_set_EC(e, devcrypto_ec) ++ && ENGINE_set_EC(e, devcrypto_ec) + # endif + #endif +- || !ENGINE_set_ciphers(e, devcrypto_ciphers) +-#ifdef IMPLEMENT_DIGEST +- || !ENGINE_set_digests(e, devcrypto_digests) +-#endif +- ) { ++ ); ++} ++ ++#ifdef OPENSSL_NO_DYNAMIC_ENGINE ++/* ++ * In case this engine is built into libcrypto, then it doesn't offer any ++ * ability to be dynamically loadable. ++ */ ++void engine_load_devcrypto_int(void) ++{ ++ ENGINE *e = NULL; ++ ++ if (!open_devcrypto()) ++ return; ++ ++ if ((e = ENGINE_new()) == NULL ++ || !bind_devcrypto(e)) { ++ close_devcrypto(); + ENGINE_free(e); + return; + } +@@ -1262,3 +1294,22 @@ void engine_load_devcrypto_int() + ENGINE_free(e); /* Loose our local reference */ + ERR_clear_error(); + } ++ ++#else ++ ++static int bind_helper(ENGINE *e, const char *id) ++{ ++ if ((id && (strcmp(id, engine_devcrypto_id) != 0)) ++ || !open_devcrypto()) ++ return 0; ++ if (!bind_devcrypto(e)) { ++ close_devcrypto(); ++ return 0; ++ } ++ return 1; ++} ++ ++IMPLEMENT_DYNAMIC_CHECK_FN() ++IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) ++ ++#endif ]