From nobody Thu Jun 25 05:55:05 2020
Received: from sonic313-9.consmr.mail.ne1.yahoo.com ([66.163.185.32])
 by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux))
 id 1h3S2H-0003iw-Mx
 for openwrt-devel@lists.openwrt.org; Mon, 11 Mar 2019 21:00:39 +0000
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic313.consmr.mail.ne1.yahoo.com with HTTP; Mon, 11 Mar 2019 21:00:34 +0000
Received: from 18.175.75.177.infopasa.com.br (EHLO gateway.troianet.com.br)
 ([177.75.175.18])
 by smtp401.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID
 80cf8c1360524f4f6abde70ae9f4ac62; 
 Mon, 11 Mar 2019 21:00:33 +0000 (UTC)
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
To: openwrt-devel@lists.openwrt.org
Cc: Eneas U de Queiroz <cote2004-github@yahoo.com>
Subject: openssl devcrypto changes
Date: Mon, 11 Mar 2019 18:00:15 -0300
Message-Id: <20190311210017.15831-1-cote2004-github@yahoo.com>
X-Mailer: git-send-email 2.19.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

I'm sending two patches, which I haven't made part of a series, since
they can be applied (and reverted, if needed) independently.

One of them is to re-enable parallel building.  I couldn't find out
exactly what was failing when it was disabled, back in 1.0.2, but the
openssl build system has changed so much since then, that enabling it
may be possible.  I've tested it with about 10 different targets, and
compared the resulting packages, all checked.

The other patch is about a limitation of using engines that affects
openssh, and can lock one out of ssh access.  When using a hw-crypto
engine, you can't copy an open crypto context across a fork.  If using
the main library, that operation works because all of the necessary
state information is kept in userspace, and each process gets its own
copy.  When using an engine, there's a session open within the kernel,
which does not get duplicated, so both processes end up sharing that
session.  When the first process closes (or updates it, which is not the
actual case), the other process gets locked out.  This is done in sshd
as a HMAC optimization, where the first part of the digest computation,
which does not change, is copied from one operation to the next, even
across forks.

I reported the issue at https://github.com/openssl/openssl/issues/8430,
and proposed the patches' idea (not yet the patches themselves) to
mitigate the problem.  I haven't got feedback on them yet, but decided
to send the patches here anyway to avoid user pain.  Another option is
to patch openssh, but there's nothing that documents this restriction,
and other applications may use the same logic.

I've edited the document about Cryptographic Hardware Accelerators, to
provide detailed instructions on how to configure the engines,
with /dev/crypto examples.  I'm adding a link to it in the engine
packages' description.

It is not trivial to just add the configuration to openssl.cnf, as
openssl will complain if you configure nonexistent engines.

Please review my additions to the document as well.  I will probably
get in trouble for writing instructions on how to measure performance,
but I feel it is useful anyway.


Eneas U de Queiroz (2):
  openssl: revert disallowing parallel build
  openssl: disable digests by default, misc fixes

 package/libs/openssl/Config.in                |  5 ++-
 package/libs/openssl/Makefile                 |  7 +++-
 ...default-to-not-use-digests-in-engine.patch | 41 +++++++++++++++++++
 ...to-ignore-error-when-closing-session.patch | 24 +++++++++++
 4 files changed, 74 insertions(+), 3 deletions(-)
 create mode 100644 package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
 create mode 100644 package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
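
Added example (the editor's, not part of the message, of the OpenWrt package or of the wiki page the author mentions): an openssl.cnf fragment that loads the built-in devcrypto engine and keeps digests in software, which is the behaviour the first patch ("disable digests by default") makes the default and which sidesteps the fork problem described above for sshd's copied HMAC contexts.  It assumes an OpenSSL 1.1.1 build that includes the devcrypto engine; the DIGESTS control name is assumed to be the engine's own ctrl command for that version and is not quoted anywhere on this page.  Because the engine is referenced only from a section that actually exists, openssl does not raise the "nonexistent engine" complaint the message warns about.

```ini
# Added example: minimal openssl.cnf engine setup for /dev/crypto.
# Per config(5), keys other than engine_id, init and default_algorithms in
# the engine section are handed to the engine as ctrl commands; DIGESTS is
# assumed here to be the OpenSSL 1.1.1 e_devcrypto control for enabling
# digests (ALL, NONE, or a comma-separated list).
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
devcrypto = devcrypto_section

[devcrypto_section]
# Ciphers are offloaded to the kernel; digests stay in userspace so that a
# partially computed HMAC context copied across fork() keeps working.
DIGESTS = NONE
default_algorithms = ALL
```

After installing the file, `openssl engine -t -c devcrypto` should list the engine as available with cipher entries only; if the engine name is wrong or the build lacks it, the same command reports the failure instead of silently falling back to software.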

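The mechanism behind the second patch, as an added illustration that is not code from the author, from OpenWrt or from OpenSSL: the message explains that a software-only OpenSSL context lives in user space and is therefore duplicated by fork(), whereas a /dev/crypto session lives in the kernel and is merely referenced, so parent and child end up sharing one object.  The program below demonstrates exactly that distinction with plain POSIX calls, using a file offset (one kernel object shared through fork) as a stand-in for the kernel-side crypto session; the analogy and the function names are the editor's assumptions, and the sample file contents are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Added illustration (not from the OpenWrt or OpenSSL patches under
 * discussion).  Two kinds of state after fork():
 *   - state held in user space is copied, so each process owns a private
 *     copy (the software-only OpenSSL case in the message);
 *   - state held in the kernel is shared, so both processes act on the
 *     same object (the /dev/crypto session case).
 * A file offset stands in for the kernel-side session; the analogy is the
 * editor's, not the author's.
 */

/* User-space state: a stack buffer.  The child overwrites its own copy and
 * the parent's copy is untouched.  Returns 1 when the parent still sees
 * "aaaaaaa", -1 on a fork/wait error. */
int userspace_state_is_copied_on_fork(void)
{
    char buf[8] = "aaaaaaa";
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        memset(buf, 'b', 7);  /* changes only the child's private copy */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return strcmp(buf, "aaaaaaa") == 0;
}

/* Kernel state: the open file description (including its offset) is one
 * kernel object referenced by both processes after fork().  The child reads
 * 8 bytes and exits; the parent, which read nothing, finds its offset moved
 * as well.  Stores the parent's offset in *offset_out and returns 1 when it
 * is 8, -1 on error. */
int kernel_state_is_shared_on_fork(long *offset_out)
{
    const char sample[] = "0123456789ABCDEF";  /* constructed sample data */
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    int fd = fileno(f);
    if (write(fd, sample, 16) != 16)
        return -1;
    if (lseek(fd, 0, SEEK_SET) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char tmp[8];
        ssize_t n = read(fd, tmp, sizeof tmp);  /* consumes from the shared stream */
        _exit(n == 8 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    long off = (long)lseek(fd, 0, SEEK_CUR);  /* parent never read, yet offset is 8 */
    fclose(f);
    if (offset_out != NULL)
        *offset_out = off;
    return off == 8;
}

int main(void)
{
    long off = -1;
    printf("user-space buffer stays private to the parent: %d\n",
           userspace_state_is_copied_on_fork());
    printf("kernel-side offset is shared with the child: %d (parent offset = %ld)\n",
           kernel_state_is_shared_on_fork(&off), off);
    return 0;
}
```

The same shape is what bites sshd with a hardware engine: the copied EVP context still carries a handle to one kernel session, so whichever process tears that session down takes it away from the other one too, which is why the second patch tolerates the error when closing a session and the first keeps digests out of the engine unless explicitly enabled.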
