[From nobody Thu Jun 25 05:55:05 2020 Received: from sonic314-13.consmr.mail.bf2.yahoo.com ([74.6.132.123]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1h3hG9-0006RJ-SF for openwrt-devel@lists.openwrt.org; Tue, 12 Mar 2019 13:15:59 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1552396555; bh=kfIs5zJMxPkQ6Gef2N+7MjG0lk9pp2EwP+E+3a+CUGk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=OZcU2nA0iaKRYO+MTYS8v4ZJ+1L5iBdWcLPBleRshfLVZFWgmyGoNljpUHsnuMoQib0jknO0SwuhroQWWdgnu66LWoyikJthKaSb8H+ubvqM+I+CBwH4UMBA1b1sioSrLAm8DT4CDU8Kv+U++4gEiKGCIOE1vhYEO6JylPgBVtU35hUN+9EnQZHnEb7eLrTVXZ/C1AKH3dEQLlj4xEHG9IsBfk4u2q9uuQUD7hbI3haflQurr8fExoomABvKsGlYJB97dYxYvQ8oQ7WTscnxWGtkjPrM4OWpKqwTJrKhU00Nk1U4J2o2OMqZ3L4efTO6XxJysjwypUGMTZo+gQbwcw== X-YMail-OSG: m13OymIVM1kBmPP3HVqwVaMIDvw6UBiglctoWdrrRSY2ZqhIE5LMj45_mQfieM. U_EuS3O5YWplpYMG.crjqpfX5_u8Huboi8qwNZdsocjX8yCnbP9W6OWDK5ApfdoFnt1eF1_1Zui2 sjX15EFtgXj0Ikhl_818HSdZ1RAgDuss6ChBt.4clZiOVu_2FZACk.P_4lQfl5sQtCYSxxmUgw5n P11b6W7QYIgYW00MPNGD2uVpKfkCnvN8anzU1sMiGTzbrJIJvbfmvaoGUjcz_LA4aKdhrKMzTZpw DlJS60E9ldXk_md7oUU98UEZIACLzx9T3XzkjdfkbUYhusbT4JAsLuQaqPf0LxZNPEoeuBqTq5Y1 NDySPJqyk35t47gY5Tak.ygFvcQRz0vXHrmrSPINKnhaol8_jGoKDCFwBYzRbtj_88IwIiquyO7m yWW22CApP4f7Ujhu3_Aab5hiDVXv4189cCj7RlY3FcNF6TArAF.HWr2m9kIyXqtHkL39MnHWW5ru BEr7w0N2H5vqO.vJHNWtfuaD3ewaM6tMm0hX4W0TNvOdLU.CWLBkIqYadEQCJwIeqkRfBIv_4dCu 7.JuilUlFj1HFnSj____3Fyo8F5Zu7jC1prCyAtH0PsSd_2D7G9eFazaUU3JMPaunYd7crQPn2Fo AKYtIKswrfHmp8Ps0P2Bi16hfXTQEd09GtVlXxqZPbImerQOA64RWvPbvGgNTWBvjXDSHPYCbi6T aETNp4_Lnf08whzpR.DrEtlun7rpgQ40iGLZRxvBnogrta1EjRsA1_snv8Z29Yome2Kzg01bfr2q KvnCjsXuM1wX4.wIieHJw9yvITPpBKl.8Qgn4ShVlp.eh33iIowdzxp1Zf929SfXimCH_PVMFUpH 6FRVbNmtVpOG7af4PE0MpO9NK7A_iOvv8jfEK1kxEq4GydV1iDlQpuuc50hBP6FYa9t_G2t32PoO 4cyI5ZuUCSS7YyQDrerTknVUw0JxHpDpzwMJL6f5VnWus7H4F7CDCG8pIf2Vy9AqD4fOOY5eBrFC B6rRble2flyxGUJT3LDiY5iVPZT2mc37RleNNL0ocnFwnNg-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic314.consmr.mail.bf2.yahoo.com with HTTP; Tue, 12 Mar 2019 13:15:55 +0000 Received: from 18.175.75.177.infopasa.com.br (EHLO gateway.troianet.com.br) ([177.75.175.18]) by smtp429.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID a6eede7b30c0cf40d13b5cdee0073904; Tue, 12 Mar 2019 13:15:51 +0000 (UTC) From: Eneas U de Queiroz <cote2004-github@yahoo.com> To: openwrt-devel@lists.openwrt.org Cc: Eneas U de Queiroz <cote2004-github@yahoo.com> Subject: [PATCH v2] openssl: disable digests by default, misc fixes Date: Tue, 12 Mar 2019 10:15:38 -0300 Message-Id: <20190312131538.899-1-cote2004-github@yahoo.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <mailman.26323.1552338040.2376.openwrt-devel@lists.openwrt.org> References: <mailman.26323.1552338040.2376.openwrt-devel@lists.openwrt.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190312_061557_985585_AA920330 X-CRM114-Status: GOOD ( 12.20 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [74.6.132.123 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (cote2004-github[at]yahoo.com) -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain Openssh uses digest contexts across forks, which is not supported by the /dev/crypto engine. The speed of digests is usually not worth enabling them anyway. This changes the default of the DIGESTS option to NONE, so the user still has the option to enable them. Added another patch related to the use of encryption contexts across forks, that ignores a failure to close a previous open session when reinitializing a context, instead of failing the reinitialization. Added a link to the Cryptographic Hardware Accelerators document to the engine pacakges description, to provide more detailed instructions to configure the engines. Revert the removal of the OPENSSL_ENGINE_CRYPTO symbol, currently used by openssh. There is an open PR to update openssh; when merged, this symbol can be safely removed. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> --- Notes: ChangeLog: v2: Reverted the removal of OPENSSL_ENGINE_CRYPTO SYMBOL Fixed a typo in Config.in --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -269,7 +269,13 @@ config OPENSSL_ENGINE_BUILTIN_AFALG select PACKAGE_libopenssl-conf help This enables use of hardware acceleration through the - AF_ALG kenrel interface. + AF_ALG kernel interface. + +config OPENSSL_ENGINE_CRYPTO + # This symbol is deprecated. Currently it is used by the openssh package. + # Once openwrt/packages#8272 is merged, this can be safely removed. + bool + default OPENSSL_ENGINE_BUILTIN_DEVCRYPTO || PACKAGE_libopenssl-devcrypto config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO bool @@ -279,6 +285,9 @@ config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO help This enables use of hardware acceleration through OpenBSD Cryptodev API (/dev/crypto) interface. + Even though configuration is not strictly needed, it is worth seeing + https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators + for information on how to configure the engine. config OPENSSL_ENGINE_BUILTIN_PADLOCK bool --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=b PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -147,6 +147,7 @@ This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. To use it, you need to configure the engine in /etc/ssl/openssl.cnf See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef @@ -163,6 +164,7 @@ This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. To use it, you need to configure the engine in /etc/ssl/openssl.cnf See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef @@ -178,6 +180,7 @@ define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. To use it, you need to configure it in /etc/ssl/openssl.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" endef --- /dev/null +++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch @@ -0,0 +1,41 @@ +From 5d3be6bc8ed7d73ab2c4d389fb0f0a03dacd04b1 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Mon, 11 Mar 2019 09:29:13 -0300 +Subject: [PATCH] e_devcrypto: default to not use digests in engine + +Digests are almost always slower when using /dev/crypto because of the +cost of the context switches. Only for large blocks it is worth it. + +Also, when forking, the open context structures are duplicated, but the +internal kernel sessions are still shared between forks, which means an +update/close operation in one fork affects all processes using that +session. + +This affects digests, especially for HMAC, where the session with the +key hash is used as a source for subsequent operations. At least one +popular application does this across a fork. Disabling digests by +default will mitigate the problem, while still allowing the user to +turn them on if it is safe and fast enough. + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +--- a/engines/e_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -854,7 +854,7 @@ static void prepare_digest_methods(void) + for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); + i++) { + +- selected_digests[i] = 1; ++ selected_digests[i] = 0; + + /* + * Check that the digest is usable +@@ -1068,7 +1068,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { + #ifdef IMPLEMENT_DIGEST + {DEVCRYPTO_CMD_DIGESTS, + "DIGESTS", +- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", ++ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]", + ENGINE_CMD_FLAG_STRING}, + #endif + --- /dev/null +++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -0,0 +1,24 @@ +From b6e6d157367bae91a8015434769572e430257d40 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Mon, 11 Mar 2019 10:15:14 -0300 +Subject: [PATCH] e_devcrypto: ignore error when closing session + +In cipher_init, ignore an eventual error when closing the previous +session. It may have been closed by another process after a fork. + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +--- a/engines/e_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -197,9 +197,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); + + /* cleanup a previous session */ +- if (cipher_ctx->sess.ses != 0 && +- clean_devcrypto_session(&cipher_ctx->sess) == 0) +- return 0; ++ if (cipher_ctx->sess.ses != 0) ++ clean_devcrypto_session(&cipher_ctx->sess); + + cipher_ctx->sess.cipher = cipher_d->devcryptoid; + cipher_ctx->sess.keylen = cipher_d->keylen; ]