[From nobody Thu Jun 25 05:55:05 2020
Received: from sonic308-9.consmr.mail.ne1.yahoo.com ([66.163.187.32])
 by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux))
 id 1h3S2H-0003j1-VE
 for openwrt-devel@lists.openwrt.org; Mon, 11 Mar 2019 21:00:39 +0000
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic308.consmr.mail.ne1.yahoo.com with HTTP; Mon, 11 Mar 2019 21:00:36 +0000
Received: from 18.175.75.177.infopasa.com.br (EHLO gateway.troianet.com.br)
 ([177.75.175.18])
 by smtp401.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID
 80cf8c1360524f4f6abde70ae9f4ac62; 
 Mon, 11 Mar 2019 21:00:35 +0000 (UTC)
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
To: openwrt-devel@lists.openwrt.org
Cc: Eneas U de Queiroz <cote2004-github@yahoo.com>
Subject: [PATCH] openssl: disable digests by default, misc fixes
Date: Mon, 11 Mar 2019 18:00:17 -0300
Message-Id: <20190311210017.15831-3-cote2004-github@yahoo.com>
X-Mailer: git-send-email 2.19.2
In-Reply-To: <20190311210017.15831-1-cote2004-github@yahoo.com>
References: <20190311210017.15831-1-cote2004-github@yahoo.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

OpenSSH uses digest contexts across forks, which is not supported by the
/dev/crypto engine.  The speed of digests is usually not worth enabling
them anyway.  This changes the default of the DIGESTS option to NONE, so
the user still has the option to enable them.

Added another patch related to the use of encryption contexts across
forks, that ignores a failure to close a previous open session when
reinitializing a context, instead of failing the reinitialization.

Added a link to the Cryptographic Hardware Accelerators document to the
engine packages description, to provide more detailed instructions to
configure the engines.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index 235f38e787..72ff64634f 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -269,7 +269,7 @@ config OPENSSL_ENGINE_BUILTIN_AFALG
 	select PACKAGE_libopenssl-conf
 	help
 		This enables use of hardware acceleration through the
-		AF_ALG kenrel interface.
+		AF_ALG kernel interface.
 
 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
 	bool
@@ -279,6 +279,9 @@ config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
 	help
 		This enables use of hardware acceleration through OpenBSD
 		Cryptodev API (/dev/crypto) interface.
+		Even though configuraion is not strictly needed, it is worth seeing
+		https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+		for information on how to configure the engine.
 
 config OPENSSL_ENGINE_BUILTIN_PADLOCK
 	bool
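Review bot: The first added help line for OPENSSL_ENGINE_BUILTIN_DEVCRYPTO misspells "configuration" as "configuraion", in the same file where the previous hunk fixes "kenrel". Please correct it before merging. The link is also added only to the DEVCRYPTO entry here, while the Makefile hunks add it to the afalg, devcrypto and padlock package descriptions; the AF_ALG help text shown in the previous hunk would benefit from the same pointer for consistency.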
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index ef840e28ad..cb25c5557c 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=b
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -147,6 +147,7 @@ This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
 To use it, you need to configure the engine in /etc/ssl/openssl.cnf
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is &quot;afalg&quot;
 endef
 
@@ -163,6 +164,7 @@ This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
 To use it, you need to configure the engine in /etc/ssl/openssl.cnf
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is &quot;devcrypto&quot;
 endef
 
@@ -178,6 +180,7 @@ define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
 To use it, you need to configure it in /etc/ssl/openssl.cnf.
 See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is &quot;padlock&quot;
 endef
 
diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
new file mode 100644
index 0000000000..52bc8d2118
--- /dev/null
+++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
@@ -0,0 +1,41 @@
+From 5d3be6bc8ed7d73ab2c4d389fb0f0a03dacd04b1 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz &lt;cote2004-github@yahoo.com&gt;
+Date: Mon, 11 Mar 2019 09:29:13 -0300
+Subject: [PATCH] e_devcrypto: default to not use digests in engine
+
+Digests are almost always slower when using /dev/crypto because of the
+cost of the context switches.  Only for large blocks it is worth it.
+
+Also, when forking, the open context structures are duplicated, but the
+internal kernel sessions are still shared between forks, which means an
+update/close operation in one fork affects all processes using that
+session.
+
+This affects digests, especially for HMAC, where the session with the
+key hash is used as a source for subsequent operations.  At least one
+popular application does this across a fork.  Disabling digests by
+default will mitigate the problem, while still allowing the user to
+turn them on if it is safe and fast enough.
+
+Signed-off-by: Eneas U de Queiroz &lt;cote2004-github@yahoo.com&gt;
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -854,7 +854,7 @@ static void prepare_digest_methods(void)
+     for (i = 0, known_digest_nids_amount = 0; i &lt; OSSL_NELEM(digest_data);
+          i++) {
+ 
+-        selected_digests[i] = 1;
++        selected_digests[i] = 0;
+ 
+         /*
+          * Check that the digest is usable
+@@ -1068,7 +1068,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
+ #ifdef IMPLEMENT_DIGEST
+    {DEVCRYPTO_CMD_DIGESTS,
+     &quot;DIGESTS&quot;,
+-    &quot;either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]&quot;,
++    &quot;either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]&quot;,
+     ENGINE_CMD_FLAG_STRING},
+ #endif
+ 
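Review bot: In the inner hunk at prepare_digest_methods, switching "selected_digests[i] = 1" to "= 0" silently changes behaviour for anyone already using the devcrypto engine, and the only user-visible record is the "[default=NONE]" text in the DIGESTS command help. Please state in the libopenssl-devcrypto package description (or the Config.in help) that digests are now off unless DIGESTS is set explicitly in /etc/ssl/openssl.cnf, so the change is discoverable without reading the patch. The patch's own commit message says "At least one popular application" while the outer commit message names OpenSSH; naming it here too would help whoever revisits this default later.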
diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
new file mode 100644
index 0000000000..160c23df30
--- /dev/null
+++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
@@ -0,0 +1,24 @@
+From b6e6d157367bae91a8015434769572e430257d40 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz &lt;cote2004-github@yahoo.com&gt;
+Date: Mon, 11 Mar 2019 10:15:14 -0300
+Subject: [PATCH] e_devcrypto: ignore error when closing session
+
+In cipher_init, ignore an eventual error when closing the previous
+session.  It may have been closed by another process after a fork.
+
+Signed-off-by: Eneas U de Queiroz &lt;cote2004-github@yahoo.com&gt;
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -197,9 +197,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+         get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
+ 
+     /* cleanup a previous session */
+-    if (cipher_ctx-&gt;sess.ses != 0 &amp;&amp;
+-        clean_devcrypto_session(&amp;cipher_ctx-&gt;sess) == 0)
+-        return 0;
++    if (cipher_ctx-&gt;sess.ses != 0)
++        clean_devcrypto_session(&amp;cipher_ctx-&gt;sess);
+ 
+     cipher_ctx-&gt;sess.cipher = cipher_d-&gt;devcryptoid;
+     cipher_ctx-&gt;sess.keylen = cipher_d-&gt;keylen;
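Review bot: In cipher_init the return value of clean_devcrypto_session() is now dropped for every failure, not only the "session already closed by another process after a fork" case the commit message describes, so an unrelated close error would also go unnoticed. If the specific error cannot be distinguished, at least make the intent explicit in the code: extend the existing "/* cleanup a previous session */" comment to say why failure is ignored, and consider a "(void)" cast on the call so static checkers and future readers do not take the unchecked return for an oversight. The rationale currently lives only in the commit message.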

]