[openssl.org #2840] [PATCH] Restore alg_section to 1.0.1c
)) + { + int m; + if (!X509V3_get_value_bool(oval, m)) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_INVALID_FIPS_MODE); + return 0; + } + if (m 0) + { +#ifdef OPENSSL_FIPS + if (!FIPS_mode() !FIPS_mode_set(1)) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_SETTING_FIPS_MODE); + return 0; + } +#else + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED); + return 0; +#endif + } + } + else + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION); + ERR_add_error_data(4, name=, oval-name, + , value=, oval-value); + } + + } + return 1; + } + +void EVP_add_alg_module(void) + { + CONF_module_add(alg_section, alg_module_init, 0); + } --- openssl-1.0.1c/crypto/evp/evp.h.orig2012-06-27 09:35:14.178665838 -0400 +++ openssl-1.0.1c/crypto/evp/evp.h 2012-06-27 09:35:35.398671000 -0400 @@ -1257,6 +1257,7 @@ #define EVP_F_AES_INIT_KEY 133 #define EVP_F_AES_XTS 172 #define EVP_F_AES_XTS_CIPHER175 +#define EVP_F_ALG_MODULE_INIT 177 #define EVP_F_CAMELLIA_INIT_KEY 159 #define EVP_F_CMAC_INIT 173 #define EVP_F_D2I_PKEY 100 @@ -1350,15 +1351,19 @@ #define EVP_R_DIFFERENT_PARAMETERS 153 #define EVP_R_DISABLED_FOR_FIPS 163 #define EVP_R_ENCODE_ERROR 115 +#define EVP_R_ERROR_LOADING_SECTION 165 +#define EVP_R_ERROR_SETTING_FIPS_MODE 166 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 #define EVP_R_EXPECTING_A_DH_KEY128 #define EVP_R_EXPECTING_A_DSA_KEY 129 #define EVP_R_EXPECTING_A_ECDSA_KEY 141 #define EVP_R_EXPECTING_A_EC_KEY142 +#define EVP_R_FIPS_MODE_NOT_SUPPORTED 167 #define EVP_R_INITIALIZATION_ERROR 134 #define EVP_R_INPUT_NOT_INITIALIZED 111 #define EVP_R_INVALID_DIGEST152 +#define EVP_R_INVALID_FIPS_MODE 168 #define EVP_R_INVALID_KEY_LENGTH130 #define EVP_R_INVALID_OPERATION 148 #define EVP_R_IV_TOO_LARGE 102 @@ -1383,6 +1388,7 @@ #define EVP_R_TOO_LARGE 164 #define EVP_R_UNKNOWN_CIPHER160 #define EVP_R_UNKNOWN_DIGEST161 +#define EVP_R_UNKNOWN_OPTION169 #define EVP_R_UNKNOWN_PBE_ALGORITHM 121 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135 #define EVP_R_UNSUPPORTED_ALGORITHM 156 --- openssl-1.0.1c/crypto/evp/evp.h.orig2012-06-27 09:41:01.898667961 -0400 +++ openssl-1.0.1c/crypto/evp/evp.h 2012-06-27 09:41:04.678672767 -0400 @@ -1243,6 +1243,8 @@ int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value)); +void EVP_add_alg_module(void); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. --- openssl-1.0.1c/crypto/conf/conf_mall.c.orig 2012-06-27 09:39:14.598644891 -0400 +++ openssl-1.0.1c/crypto/conf/conf_mall.c 2012-06-27 09:39:33.408683861 -0400 @@ -76,5 +76,6 @@ #ifndef OPENSSL_NO_ENGINE ENGINE_add_conf_module(); #endif + EVP_add_alg_module(); } -- David McCullough, david_mccullo...@mcafee.com, Ph:+61 734352815 McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH] Restore alg_section to 1.0.1c
)) + { + int m; + if (!X509V3_get_value_bool(oval, m)) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_INVALID_FIPS_MODE); + return 0; + } + if (m 0) + { +#ifdef OPENSSL_FIPS + if (!FIPS_mode() !FIPS_mode_set(1)) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_SETTING_FIPS_MODE); + return 0; + } +#else + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED); + return 0; +#endif + } + } + else + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION); + ERR_add_error_data(4, name=, oval-name, + , value=, oval-value); + } + + } + return 1; + } + +void EVP_add_alg_module(void) + { + CONF_module_add(alg_section, alg_module_init, 0); + } --- openssl-1.0.1c/crypto/evp/evp.h.orig2012-06-27 09:35:14.178665838 -0400 +++ openssl-1.0.1c/crypto/evp/evp.h 2012-06-27 09:35:35.398671000 -0400 @@ -1257,6 +1257,7 @@ #define EVP_F_AES_INIT_KEY 133 #define EVP_F_AES_XTS 172 #define EVP_F_AES_XTS_CIPHER175 +#define EVP_F_ALG_MODULE_INIT 177 #define EVP_F_CAMELLIA_INIT_KEY 159 #define EVP_F_CMAC_INIT 173 #define EVP_F_D2I_PKEY 100 @@ -1350,15 +1351,19 @@ #define EVP_R_DIFFERENT_PARAMETERS 153 #define EVP_R_DISABLED_FOR_FIPS 163 #define EVP_R_ENCODE_ERROR 115 +#define EVP_R_ERROR_LOADING_SECTION 165 +#define EVP_R_ERROR_SETTING_FIPS_MODE 166 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 #define EVP_R_EXPECTING_A_DH_KEY128 #define EVP_R_EXPECTING_A_DSA_KEY 129 #define EVP_R_EXPECTING_A_ECDSA_KEY 141 #define EVP_R_EXPECTING_A_EC_KEY142 +#define EVP_R_FIPS_MODE_NOT_SUPPORTED 167 #define EVP_R_INITIALIZATION_ERROR 134 #define EVP_R_INPUT_NOT_INITIALIZED 111 #define EVP_R_INVALID_DIGEST152 +#define EVP_R_INVALID_FIPS_MODE 168 #define EVP_R_INVALID_KEY_LENGTH130 #define EVP_R_INVALID_OPERATION 148 #define EVP_R_IV_TOO_LARGE 102 @@ -1383,6 +1388,7 @@ #define EVP_R_TOO_LARGE 164 #define EVP_R_UNKNOWN_CIPHER160 #define EVP_R_UNKNOWN_DIGEST161 +#define EVP_R_UNKNOWN_OPTION169 #define EVP_R_UNKNOWN_PBE_ALGORITHM 121 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135 #define EVP_R_UNSUPPORTED_ALGORITHM 156 --- openssl-1.0.1c/crypto/evp/evp.h.orig2012-06-27 09:41:01.898667961 -0400 +++ openssl-1.0.1c/crypto/evp/evp.h 2012-06-27 09:41:04.678672767 -0400 @@ -1243,6 +1243,8 @@ int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value)); +void EVP_add_alg_module(void); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. --- openssl-1.0.1c/crypto/conf/conf_mall.c.orig 2012-06-27 09:39:14.598644891 -0400 +++ openssl-1.0.1c/crypto/conf/conf_mall.c 2012-06-27 09:39:33.408683861 -0400 @@ -76,5 +76,6 @@ #ifndef OPENSSL_NO_ENGINE ENGINE_add_conf_module(); #endif + EVP_add_alg_module(); } -- David McCullough, david_mccullo...@mcafee.com, Ph:+61 734352815 McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [CVS] OpenSSL: openssl/crypto/engine/ eng_cryptodev.c
Jivin Dr. Stephen Henson lays it down ... On Sun, Jul 26, 2009, Ben Laurie wrote: +#if 0 /* not (yet?) used */ static struct { int id; int nid; @@ -163,6 +164,7 @@ { CRYPTO_SHA1, NID_sha1, 20}, { 0,NID_undef, 0}, }; +#endif /* 0 */ I think that stuff is used if you set USE_CRYPTODEV_DIGESTS so it should have that round it. That looks like the version of eng_cryptodev.c before any of the OCF changes, at least thats my memory of it. It was permanently disabled. I am trying to get some more time to revisit that patch for you guys, hopefulyl soon :-) Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: Any known issues with cryptodev digests in 0.9.8k?
sha1 for 3s on 256 size blocks: 26720 sha1's in 0.06s Doing sha1 for 3s on 1024 size blocks: 14137 sha1's in 0.05s Doing sha1 for 3s on 2048 size blocks: 8712 sha1's in 0.02s OpenSSL 0.9.8k 25 Mar 2009 built on: Fri Jul 3 11:48:06 PDT 2009 options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr) compiler: /home/philipp/vpn/build_i586/staging_dir/bin/i586-linux-uclibc-gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -I/home/philipp/vpn/build_i586/staging_dir/include -DTERMIO -O3 -fomit-frame-pointer -Wall -Os -pipe -fomit-frame-pointer -march=k6-2 -fno-align-functions -fno-align-loops -fno-align-jumps -fno-align-labels available timing options: TIMES TIMEB HZ=100 [sysconf value] timing function used: times The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes256 bytes 1024 bytes 2048 bytes sha1 5572.51k22030.08k 114005.33k 289525.76k 892108.80k # If I compute a digest on a large file, it fails: # ls -l /oldroot/cdrom/os/astlinux-trunk-2849.run -rwxr-xr-x1 root root 39694336 Jul 3 12:11 /oldroot/cdrom/os/astlinux-trunk-2849.run # openssl sha1 /oldroot/cdrom/os/astlinux-trunk-2849.run cryptodev_digest_final: digest failed SHA1(/oldroot/cdrom/os/astlinux-trunk-2849.run)= 57bf5d5c81395f12bfdb3cf3c497abffbef8dbe4 # What am I missing? Try enabling debug in the cryptodev module, might give you a hint as to why it's failing. Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1974] [PATCH 12/14] Config option for cryptodev on other OS's (+ hash)
Jivin Stephen Henson via RT lays it down ... [david_mccullo...@securecomputing.com - Wed Jul 01 05:41:07 2009]: Jivin Stephen Henson via RT lays it down ... The equivalent to the two configure options can be done by including -Dfoo to Configure, for example Configure [options] -DHAVE_CRYPTODEV . Ok, thats works for me if it's the preferred solution. OK, that has been added. It's unfortunate that there is a need to enable digests separately because it is possible at the ENGINE level to selectively enable algorithm implementations. Presumably this is to cover cases where applications just blindly use all algorithms and have no option to avoid using digests. Maybe there is a better way, I am not and openssl expert thats for sure :-) The reason the option exists is that in all but the most unusual cases, using cryptodev hashing via some HW device is not worth it by any measure. There are some people using it, but they have specific applications/needs. I wasn't aware of a way to allow an engine to selectively support different combinations of hashes and ciphers, but if there is by all means point me at it and I will see what I can do to remove that ifdef. This patch also does considerably more than the above description, adding new symmetric algorithms, changing the behaviour of existing code etc. This should preferably be split into smaller patches which can be more easily analysed with full descriptions of the reasoning for changes. Sorry about that, I'll sync up with whatever changes have gone in and generate new patches for the cryptodev engine related bits. Should they appear in new rt tickets of their own or keep it within this one ? I'll apply some of the bits where I know what they do. The main bit I wasn't sure about was the reason for a change to a static fd in get_dev_crypto(): there was no comment in the ticket of the patch as to why this was done. No problems, I have the log here, it's just with version changes over the years the code/reasons get moved around. The log for that change: Clean up the cryptodev handling to not burn file descriptors or open the main channel more than needed. But looking at the code I can't see how it achieves that. I know that ocf-linux had a lot of kernel issues in this area in the early days and I can only guess this is somehow a remanent of working around that, sorry for the noise :-( Short answer, drop the fd changes in the patch. Thanks, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1973] [PATCH 11/14] Ensure 'make links' gets all headers correctly.
Jivin Stephen Henson via RT lays it down ... This would add e_os.h to the openssl header files which includes details which are not part of the public interface and we don't really want to do this because we can't then change anything in there that would break compatibility in future. Why do you want to make this header file public? I don't, I wasn't aware of that side affect. At some point openssl was failing to build in a cross compile environment because it was not finding this internal header. This change fixed it. It's probably safe to assume it's fixed, and if it's not, I'll find a better way, Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1973] [PATCH 11/14] Ensure 'make links' gets all headers correctly.
Jivin Stephen Henson via RT lays it down ... This would add e_os.h to the openssl header files which includes details which are not part of the public interface and we don't really want to do this because we can't then change anything in there that would break compatibility in future. Why do you want to make this header file public? I don't, I wasn't aware of that side affect. At some point openssl was failing to build in a cross compile environment because it was not finding this internal header. This change fixed it. It's probably safe to assume it's fixed, and if it's not, I'll find a better way, Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1968] [PATCH 06/14] Allow overriding of settings for cross compilation.
Jivin Stephen Henson via RT lays it down ... This isn't really the way the config script was intended to be used. It is supposed to auto detect the machine type and call Configure with the appropriate target. If you want to cross compile you should call Configure directly and use any additional arguments you need such as --cross-compile-prefix . Ok, just for context, I moved all the ocf-linux changes from 0.9.8k over the last week and tested. The --cross-compile-prefix option was not available in the 0.9.8 series and I haven't looked at how/if I can take advantage of that yet. If this change is not suitable that ok. I still feel that in a cross compiled embedded system, the output of uname on the build host is next to useless information for most decision making. It's possible for same target to be built on a Windows/Linux/BSD/whatever system. Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1968] [PATCH 06/14] Allow overriding of settings for cross compilation.
Jivin Stephen Henson via RT lays it down ... This isn't really the way the config script was intended to be used. It is supposed to auto detect the machine type and call Configure with the appropriate target. If you want to cross compile you should call Configure directly and use any additional arguments you need such as --cross-compile-prefix . Ok, just for context, I moved all the ocf-linux changes from 0.9.8k over the last week and tested. The --cross-compile-prefix option was not available in the 0.9.8 series and I haven't looked at how/if I can take advantage of that yet. If this change is not suitable that ok. I still feel that in a cross compiled embedded system, the output of uname on the build host is next to useless information for most decision making. It's possible for same target to be built on a Windows/Linux/BSD/whatever system. Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1974] [PATCH 12/14] Config option for cryptodev on other OS's (+ hash)
Jivin Thor Lancelot Simon lays it down ... On Thu, Jul 02, 2009 at 12:28:36AM +0200, David McCullough via RT wrote: The reason the option exists is that in all but the most unusual cases, using cryptodev hashing via some HW device is not worth it by any measure. There are some people using it, but they have specific applications/needs. This is an API limitation -- or was -- within OpenSSL. The way hashes are fed to the ENGINE effectively cuts performance in half because almost all accellerators can do HMAC in one pass for the hshes they support. But there were not, at least a year or so ago, separate EVPs for HMAC. I have noticed that those EVPs exist now. That would make hashing in the ENGINE a lot more efficient. More generally, the approach taken by the original authors of the cryptodev engine to enabling/disabling functionality according to its performance was the wrong one. The engine *already* has a protracted startup process in which it tries every algorithm to see which work; it could very easily do a quick-and-dirty calibration of the crossover point, in terms of request size, for where hardware vs. software handling of a request will be quicker. Yes, but the cross over is not that easy really. If your requirement is straight speed alone, yes, easy, but if CPU utilisation and/or parallelisation come into play, then it gets trickier. Having some HW doing crypto, albiet slower than the CPU can still be beneficial if there is significant other processing you can get done while waiting for the crypto HW to return. But yes, for the simple cases it can be automatically determined. Do you know if NetBSD has done anything to fix the 8K request failures I see on some OCF HW drivers (from memory hifn and safenet, but it's been a while so I may be wrong on one of them). Add to that cryptodevs 64K request limit which is also not handled by openssl. The other things to remember with regard to cryptodev, particularly on embedded platforms, sare: 1) If you have a single, single-core CPU, it can do _one_ operation at a time at the speed you'll measure with openssl speed -elapsed. But the bottleneck going out to an accellerator via /dev/crypto is really a *syscall latency* bottleneck, which can be overcome with parallelism; for hashes, and even for small encryption requests, a test with, say, -multi 64 (which is a lot more realistic for most applications), will reveal that doing most things in hardware is a win. Agreed, but if the overheads of the copyin/copyout to kernel space exceed the cost of just doing the hash, you are better off avoiding /dev/crypto. The usual trend we see is small packets don't cost in that well and larger ones do. Mostly due to the context switching/copying overheads becoming insignificant as the size increases. 2) The original cryptodev engine suffered from a serious misunderstanding of the /dev/crypto API, probably because the documentation was unclear. It basically does twice as many ioctls per session as it has to. We fixed this in NetBSD but I don't think the change made it back to upstream OpenSSL. Anything that halves the ioctls is a good thing from my point of view :-) 3) There are backwards-compatible changes to the /dev/crypto API itself available (checked into NetBSD quite some time ago, shipped in NetBSD 5) which were designed to make it much more efficient for realistic use cases including OpenSSL. Specifically, they streamline the session creation process, allow asynchronous operation via select/poll/kqueue, and allow multiple results to be retrieved with a single operation. We intended to write a new OpenSSL engine to service multiple threads within an application using a single engine worker thread but that part isn't done yet. Anyway, the basic support for this is there for the taking. Supposedly, FreeBSD will pick it up when someone gets the time. How is/was the helper thread being used ? I sort of figured the kernel/user seperations of /dev/crypto avoided and real need for threads to help out in user space, but that may be my wishfull thinking on my part. Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 02/14] Only use gcc if CC has not been provided.
When cross compiling for embedded targets gcc is unlikely to be the best choice of compiler for making decisions. Only use gcc if CC is not provided. --- config |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/config b/config index 31986f5..ac244b8 100755 --- a/config +++ b/config @@ -407,7 +407,7 @@ exit 0 # this is where the translation occurs into SSLeay terms # --- -GCCVER=`(gcc -dumpversion) 2/dev/null` +GCCVER=`(${CC:-gcc} -dumpversion) 2/dev/null` if [ $GCCVER != ]; then # then strip off whatever prefix egcs prepends the number with... # Hopefully, this will work for any future prefixes as well. -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 06/14] Allow overriding of settings for cross compilation.
Allow the build environment to override settings such as MACHINE etc so that cross compilation for embedded systems is much easier. --- Makefile.shared |8 config |8 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Makefile.shared b/Makefile.shared index adf7d4e..3a522b8 100644 --- a/Makefile.shared +++ b/Makefile.shared @@ -6,13 +6,13 @@ # properly # CC contains the current compiler. This one MUST be defined -CC=cc -CFLAGS=$(CFLAG) +CC?=cc +CFLAGS?=$(CFLAG) # LDFLAGS contains flags to be used when temporary object files (when building # shared libraries) are created, or when an application is linked. # SHARED_LDFLAGS contains flags to be used when the shared library is created. -LDFLAGS= -SHARED_LDFLAGS= +LDFLAGS?= +SHARED_LDFLAGS?= NM=nm diff --git a/config b/config index ac244b8..159fa18 100755 --- a/config +++ b/config @@ -48,10 +48,10 @@ done # First get uname entries that we use below -MACHINE=`(uname -m) 2/dev/null` || MACHINE=unknown -RELEASE=`(uname -r) 2/dev/null` || RELEASE=unknown -SYSTEM=`(uname -s) 2/dev/null` || SYSTEM=unknown -VERSION=`(uname -v) 2/dev/null` || VERSION=unknown +[ $MACHINE ] || MACHINE=`(uname -m) 2/dev/null` || MACHINE=unknown +[ $RELEASE ] || RELEASE=`(uname -r) 2/dev/null` || RELEASE=unknown +[ $SYSTEM ] || SYSTEM=`(uname -s) 2/dev/null` || SYSTEM=unknown +[ $VERSION ] || VERSION=`(uname -v) 2/dev/null` || VERSION=unknown # Now test for ISC and SCO, since it is has a braindamaged uname. -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 10/14] Add support for building with the uClinux-dist.
Add support for building within the uClinux-dist cross-compile framework for embedded systems (with and without MMU). --- Configure |4 config|6 ++ 2 files changed, 10 insertions(+), 0 deletions(-) diff --git a/Configure b/Configure index 11c507a..5376ed3 100755 --- a/Configure +++ b/Configure @@ -571,6 +571,10 @@ my %table=( # Compaq Non-Stop Kernel (Tandem) tandem-c89,c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::, +# uClinux +uClinux-dist,$ENV{'CC'}:\$(CFLAGS)::-D_REENTRANT::\$(LDFLAGS) \$(LDLIBS):BN_LLONG:::$ENV{'LIBSSL_dlfcn'}:linux-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):$ENV{'RANLIB'}::, +uClinux-dist64,$ENV{'CC'}:\$(CFLAGS)::-D_REENTRANT::\$(LDFLAGS) \$(LDLIBS):SIXTY_FOUR_BIT_LONG:::$ENV{'LIBSSL_dlfcn'}:linux-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):$ENV{'RANLIB'}::, + ); my @MK1MF_Builds=qw(VC-WIN64I VC-WIN64A diff --git a/config b/config index 159fa18..a41d025 100755 --- a/config +++ b/config @@ -496,6 +496,12 @@ echo Operating system: $GUESSOS # script above so we end up with values in vars but that would take # more time that I want to waste at the moment case $GUESSOS in + uClinux*64*) +OUT=uClinux-dist64 + ;; + uClinux*) +OUT=uClinux-dist + ;; mips2-sgi-irix) CPU=`(hinv -t cpu) 2/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 02/14] Only use gcc if CC has not been provided. (RESEND)
When cross compiling for embedded targets gcc is unlikely to be the best choice of compiler for making decisions. Only use gcc if CC is not provided. --- config |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/config b/config index 31986f5..ac244b8 100755 --- a/config +++ b/config @@ -407,7 +407,7 @@ exit 0 # this is where the translation occurs into SSLeay terms # --- -GCCVER=`(gcc -dumpversion) 2/dev/null` +GCCVER=`(${CC:-gcc} -dumpversion) 2/dev/null` if [ $GCCVER != ]; then # then strip off whatever prefix egcs prepends the number with... # Hopefully, this will work for any future prefixes as well. -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #1963] [PATCH 01/14] Build should fail if makedepend is not present.
If makedepend fails (for example, if it isn't in the path), then domd should fail so the build can stop on the error. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/util/domd b/util/domd index 27c0211..bab48cb 100755 --- a/util/domd +++ b/util/domd @@ -22,13 +22,17 @@ if expr $MAKEDEPEND : '.*gcc$' /dev/null; then done sed -e '/^# DO NOT DELETE.*/,$d' Makefile Makefile.tmp echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' Makefile.tmp -${MAKEDEPEND} -Werror -D OPENSSL_DOING_MAKEDEPEND -M $args Makefile.tmp || exit +${MAKEDEPEND} -Werror -D OPENSSL_DOING_MAKEDEPEND -M $args Makefile.tmp || exit 1 ${PERL} $TOP/util/clean-depend.pl Makefile.tmp Makefile.new +RC=$? rm -f Makefile.tmp else -${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND $@ +${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND $@ \ ${PERL} $TOP/util/clean-depend.pl Makefile Makefile.new +RC=$? fi mv Makefile.new Makefile # unfake the presence of Kerberos rm $TOP/krb5.h + +exit $RC
[openssl.org #1964] [PATCH 02/14] Only use gcc if CC has not been provided.
When cross compiling for embedded targets gcc is unlikely to be the best choice of compiler for making decisions. Only use gcc if CC is not provided. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/config b/config index 31986f5..ac244b8 100755 --- a/config +++ b/config @@ -407,7 +407,7 @@ exit 0 # this is where the translation occurs into SSLeay terms # --- -GCCVER=`(gcc -dumpversion) 2/dev/null` +GCCVER=`(${CC:-gcc} -dumpversion) 2/dev/null` if [ $GCCVER != ]; then # then strip off whatever prefix egcs prepends the number with... # Hopefully, this will work for any future prefixes as well. -- 1.6.0.4
[openssl.org #1965] [PATCH 03/14] Make sure defines to remove SHA are correct.
Some combinations of algorithm removal cause compilation errors. Fix this case for SHA/SHA1. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/crypto/evp/c_alld.c b/crypto/evp/c_alld.c index 5032e7c..aa565a6 100644 --- a/crypto/evp/c_alld.c +++ b/crypto/evp/c_alld.c @@ -81,7 +81,7 @@ void OpenSSL_add_all_digests(void) EVP_add_digest(EVP_dss()); #endif #endif -#ifndef OPENSSL_NO_SHA +#if !defined(OPENSSL_NO_SHA) !defined(OPENSSL_NO_SHA1) EVP_add_digest(EVP_sha1()); EVP_add_digest_alias(SN_sha1,ssl3-sha1); EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); -- 1.6.0.4
[openssl.org #1966] [PATCH 04/14] Ensure OCSP can be disabled.
Some support for OCSP was not ifdef'd and prevents its exclusion from openssl via the config options. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/apps/progs.h b/apps/progs.h index d323a1c..79e479a 100644 --- a/apps/progs.h +++ b/apps/progs.h @@ -142,7 +142,9 @@ FUNCTION functions[] = { #ifndef OPENSSL_NO_ENGINE {FUNC_TYPE_GENERAL,engine,engine_main}, #endif +#ifndef OPENSSL_NO_OCSP {FUNC_TYPE_GENERAL,ocsp,ocsp_main}, +#endif {FUNC_TYPE_GENERAL,prime,prime_main}, {FUNC_TYPE_GENERAL,ts,ts_main}, #ifndef OPENSSL_NO_MD2 -- 1.6.0.4
[openssl.org #1967] [PATCH 05/14] Do not run off the end of the params array.
Do not run off the end of the RSA params arrays freeing values or we will crash (or worse, corrupt the heap). Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index ab38cd5..4f2470b 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -681,7 +681,7 @@ zapparams(struct crypt_kop *kop) { int i; - for (i = 0; i = kop-crk_iparams + kop-crk_oparams; i++) { + for (i = 0; i kop-crk_iparams + kop-crk_oparams; i++) { if (kop-crk_param[i].crp_p) free(kop-crk_param[i].crp_p); kop-crk_param[i].crp_p = NULL; -- 1.6.0.4
[openssl.org #1968] [PATCH 06/14] Allow overriding of settings for cross compilation.
Allow the build environment to override settings such as MACHINE etc so that cross compilation for embedded systems is much easier. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/Makefile.shared b/Makefile.shared index adf7d4e..3a522b8 100644 --- a/Makefile.shared +++ b/Makefile.shared @@ -6,13 +6,13 @@ # properly # CC contains the current compiler. This one MUST be defined -CC=cc -CFLAGS=$(CFLAG) +CC?=cc +CFLAGS?=$(CFLAG) # LDFLAGS contains flags to be used when temporary object files (when building # shared libraries) are created, or when an application is linked. # SHARED_LDFLAGS contains flags to be used when the shared library is created. -LDFLAGS= -SHARED_LDFLAGS= +LDFLAGS?= +SHARED_LDFLAGS?= NM=nm diff --git a/config b/config index ac244b8..159fa18 100755 --- a/config +++ b/config @@ -48,10 +48,10 @@ done # First get uname entries that we use below -MACHINE=`(uname -m) 2/dev/null` || MACHINE=unknown -RELEASE=`(uname -r) 2/dev/null` || RELEASE=unknown -SYSTEM=`(uname -s) 2/dev/null` || SYSTEM=unknown -VERSION=`(uname -v) 2/dev/null` || VERSION=unknown +[ $MACHINE ] || MACHINE=`(uname -m) 2/dev/null` || MACHINE=unknown +[ $RELEASE ] || RELEASE=`(uname -r) 2/dev/null` || RELEASE=unknown +[ $SYSTEM ] || SYSTEM=`(uname -s) 2/dev/null` || SYSTEM=unknown +[ $VERSION ] || VERSION=`(uname -v) 2/dev/null` || VERSION=unknown # Now test for ISC and SCO, since it is has a braindamaged uname. -- 1.6.0.4
[openssl.org #1970] [PATCH 08/14] Fix unused variable words and uninited data b.
words was unused (compiler warning) remove it. b was uninited memory causing us to generate bogus numbers to pass into cryptodev. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 2259916..16afaf7 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -625,7 +625,7 @@ static int bn2crparam(const BIGNUM *a, struct crparam *crp) { int i, j, k; - ssize_t words, bytes, bits; + ssize_t bytes, bits; u_char *b; crp-crp_p = NULL; @@ -637,6 +637,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp) b = malloc(bytes); if (b == NULL) return (1); + memset(b, 0, bytes); crp-crp_p = b; crp-crp_nbits = bits; -- 1.6.0.4
[openssl.org #1971] [PATCH 09/14] Only test speeds up to 4K packets.
Change the speed test to only test sizes up to 4096. Most cryptodev HW drivers fail with 8192 sized requests. 4K seems like a reasonable limit to test up to. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/apps/speed.c b/apps/speed.c index cd41252..52bc481 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -205,7 +205,7 @@ static int do_multi(int multi); #endif #define ALGOR_NUM 29 -#define SIZE_NUM 5 +#define SIZE_NUM 6 #define RSA_NUM 4 #define DSA_NUM 3 @@ -221,7 +221,7 @@ static const char *names[ALGOR_NUM]={ evp,sha256,sha512,whirlpool, aes-128 ige,aes-192 ige,aes-256 ige}; static double results[ALGOR_NUM][SIZE_NUM]; -static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; +static int lengths[SIZE_NUM]={16,64,256,1024,2*1024,4*1024}; static double rsa_results[RSA_NUM][2]; static double dsa_results[DSA_NUM][2]; #ifndef OPENSSL_NO_ECDSA -- 1.6.0.4
[openssl.org #1972] [PATCH 10/14] Add support for building with the uClinux-dist.
Add support for building within the uClinux-dist cross-compile framework for embedded systems (with and without MMU). Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/Configure b/Configure index 11c507a..5376ed3 100755 --- a/Configure +++ b/Configure @@ -571,6 +571,10 @@ my %table=( # Compaq Non-Stop Kernel (Tandem) tandem-c89,c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::, +# uClinux +uClinux-dist,$ENV{'CC'}:\$(CFLAGS)::-D_REENTRANT::\$(LDFLAGS) \$(LDLIBS):BN_LLONG:::$ENV{'LIBSSL_dlfcn'}:linux-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):$ENV{'RANLIB'}::, +uClinux-dist64,$ENV{'CC'}:\$(CFLAGS)::-D_REENTRANT::\$(LDFLAGS) \$(LDLIBS):SIXTY_FOUR_BIT_LONG:::$ENV{'LIBSSL_dlfcn'}:linux-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):$ENV{'RANLIB'}::, + ); my @MK1MF_Builds=qw(VC-WIN64I VC-WIN64A diff --git a/config b/config index 159fa18..a41d025 100755 --- a/config +++ b/config @@ -496,6 +496,12 @@ echo Operating system: $GUESSOS # script above so we end up with values in vars but that would take # more time that I want to waste at the moment case $GUESSOS in + uClinux*64*) +OUT=uClinux-dist64 + ;; + uClinux*) +OUT=uClinux-dist + ;; mips2-sgi-irix) CPU=`(hinv -t cpu) 2/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} -- 1.6.0.4
[openssl.org #1973] [PATCH 11/14] Ensure 'make links' gets all headers correctly.
Needed to include all the headers in the links target to get openssl cross compiling nicely within the uClinux-dist. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/Makefile.org b/Makefile.org index ba29744..57265c6 100644 --- a/Makefile.org +++ b/Makefile.org @@ -379,7 +379,7 @@ files: links: @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl - @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) + @$(PERL) $(TOP)/util/mklink.pl include/openssl $(HEADER) $(EXHEADER) @set -e; target=links; $(RECURSIVE_BUILD_CMD) gentests: -- 1.6.0.4
[openssl.org #1974] [PATCH 12/14] Config option for cryptodev on other OS's (+ hash)
Add --with-cryptodev option to config so that an OS like linux may enable cryptodev support if it has been ported (ie., ocf-linux). Add --with-cryptodev-digests to optionally include hash support via cryptodev (disabled by default as it is usually too slow to be useful). Add a working cryptodev hash implementation. Fix up RSA API compliance for rsa_nocrt_mod_exp method while here. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/Configure b/Configure index 5376ed3..a2681c3 100755 --- a/Configure +++ b/Configure @@ -34,6 +34,8 @@ my $usage=Usage: Configure [no-cipher ...] [enable-cipher ...] [experimenta # (Default: KRB5_DIR/include) # --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently # supported values are MIT and Heimdal. A value is required. +# --with-cryptodev Force support for cryptodev (ie., ocf-linux) +# --with-cryptodev-digests Force support for cryptodev digests (generally slow) # # --test-sanity Make a number of sanity checks on the data in this file. # This is a debugging tool for OpenSSL developers. @@ -628,6 +630,8 @@ my $no_rfc3779=1; # but no-rfc3779 is default my $no_asm=0; my $no_dso=0; my $no_gmp=0; +my $have_cryptodev=0; +my $use_cryptodev_digests=0; my @skip=(); my $Makefile=Makefile; my $des_locl=crypto/des/des_locl.h; @@ -771,6 +775,14 @@ PROCESS_ARGS: { exit(test_sanity()); } + elsif (/^--with-cryptodev$/) + { +$have_cryptodev = 1; + } + elsif (/^--with-cryptodev-digests$/) + { +$use_cryptodev_digests = 1; + } elsif (/^reconfigure/ || /^reconf/) { if (open(IN,$Makefile)) @@ -1145,6 +1157,16 @@ if (!$no_krb5) $withargs{krb5-dir} ne ; } +# enable the linux cryptodev (ocf-linux) support +if ($have_cryptodev) + { + if ($use_cryptodev_digests) + { + $cflags = -DUSE_CRYPTODEV_DIGESTS $cflags; + } + $cflags = -DHAVE_CRYPTODEV $cflags; + } + # The DSO code currently always implements all functions so that no # applications will have to worry about that from a compilation point # of view. However, the methods may return zero unless that platform diff --git a/INSTALL b/INSTALL index 85e2660..4d98ac0 100644 --- a/INSTALL +++ b/INSTALL @@ -103,6 +103,12 @@ define preprocessor symbols, specify additional libraries, library directories or other compiler options. + --with-cryptodev Enabled the BSD cryptodev engine even if we are not using + BSD. Useful if you are running ocf-linux or something + similar. Once enabled you can also enable the use of + cryptodev digests, with is usually slower unless you have + large amounts data. Use --with-cryptodev-digests to force + it. Installation in Detail -- diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c index 623485d..3165b98 100644 --- a/crypto/engine/eng_all.c +++ b/crypto/engine/eng_all.c @@ -68,7 +68,7 @@ void ENGINE_load_builtin_engines(void) * *no* builtin implementations). */ ENGINE_load_openssl(); #endif -#if defined(__OpenBSD__) || defined(__FreeBSD__) +#if !defined(OPENSSL_NO_HW) (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)) ENGINE_load_cryptodev(); #endif #if !defined(OPENSSL_NO_HW) !defined(OPENSSL_NO_HW_AESNI) @@ -117,7 +117,7 @@ void ENGINE_load_builtin_engines(void) #endif } -#if defined(__OpenBSD__) || defined(__FreeBSD__) +#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV) void ENGINE_setup_bsd_cryptodev(void) { static int bsd_cryptodev_default_loaded = 0; if (!bsd_cryptodev_default_loaded) { diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 16afaf7..186eb36 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -68,6 +68,16 @@ ENGINE_load_cryptodev(void) struct dev_crypto_state { struct session_op d_sess; int d_fd; + +#ifdef USE_CRYPTODEV_DIGESTS + char dummy_mac_key[20]; + + unsigned char digest_res[20]; + char *mac_data; + int mac_len; + + int copy; +#endif }; static u_int32_t cryptodev_asymfeat = 0; @@ -75,9 +85,6 @@ static u_int32_t cryptodev_asymfeat = 0; static int get_asym_dev_crypto(void); static int open_dev_crypto(void); static int get_dev_crypto(void); -static int cryptodev_max_iv(int cipher); -static int cryptodev_key_length_valid(int cipher, int len); -static int cipher_nid_to_cryptodev(int nid); static int get_cryptodev_ciphers(const int **cnids); static int get_cryptodev_digests(const int **cnids); static int cryptodev_usable_ciphers(const int **nids); @@ -100,7 +107,7 @@ static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); static int
[openssl.org #1975] [PATCH 13/14] Add support for CPU usage reporting.
Add support for calculating the CPU usage while doing crypto. This is useful for showing the gains through HW acceleration other than just speed. It is best used with the '-elapsed' option to get real-world values. Currently only linux supports cpu calculations, but it should be easy to add get_cpu/calc_cpu functions for other OS's. Also includes a few compile time warning fixes. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/apps/speed.c b/apps/speed.c index 52bc481..a4bef32 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -257,6 +257,80 @@ static SIGRETTYPE sig_done(int sig) #define START 0 #define STOP 1 +#ifdef __linux__ + +#define HAVE_CPU_USAGE 1 + +/* + * record CPU usage as well + */ + +struct cpu_stat { + unsigned int user; + unsigned int nice; + unsigned int system; + unsigned int idle; + unsigned int total; +}; + +static unsigned int cpu_usage[ALGOR_NUM][SIZE_NUM]; +static unsigned int rsa_cpu_usage[RSA_NUM][2]; +static unsigned int dsa_cpu_usage[DSA_NUM][2]; +static struct cpu_stat cpu_start, cpu_finish; + +static void +get_cpu(int s) +{ + FILE *fp = NULL; + unsigned char buf[80]; + struct cpu_stat *st = s == START ? cpu_start : cpu_finish; + + memset(st, 0, sizeof(*st)); + + if (fp == NULL) + fp = fopen(/proc/stat, r); + if (!fp) + return; + if (fseek(fp, 0, SEEK_SET) == -1) { + fclose(fp); + return; + } + if (fscanf(fp, %s %d %d %d %d, buf[0], st-user, st-nice, + st-system, st-idle) == 5) + st-total = st-user + st-nice + st-system + st-idle; + fclose(fp); +} + +static unsigned int +calc_cpu() +{ + unsigned int total, res; + + total = cpu_finish.total - cpu_start.total; + if (total = 0) + return 0; +#if 1 // busy + res = ((cpu_finish.system + cpu_finish.user + cpu_finish.nice) - + (cpu_start.system + cpu_start.user + cpu_start.nice)) * + 100 / total; +#endif +#if 0 // system + res = (cpu_finish.system - cpu_start.system) * 100 / total; +#endif +#if 0 // user + res = (cpu_finish.user - cpu_start.user) * 100 / total; +#endif +#if 0 // nice + res = (cpu_finish.nice - cpu_start.nice) * 100 / total; +#endif +#if 0 // idle + res = (cpu_finish.idle - cpu_start.idle) * 100 / total; +#endif + return(res); +} + +#endif + #if defined(_WIN32) #define SIGALRM @@ -273,6 +347,9 @@ static DWORD WINAPI sleepy(VOID *arg) static double Time_F(int s) { + if (do_cpu) + get_cpu(s); + if (s == START) { HANDLE thr; @@ -294,6 +371,8 @@ static double Time_F(int s) static double Time_F(int s) { + if (do_cpu) + get_cpu(s); return app_tminterval(s,usertime); } #endif @@ -316,6 +395,14 @@ static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen) #endif /* OPENSSL_NO_ECDH */ +static int do_cpu = 0; +#ifndef HAVE_CPU_USAGE +/* stub out the cpu functions if we do not support it */ +static void get_cpu(int s) {} +static unsigned int calc_cpu() { return 0; } +#endif + + int MAIN(int, char **); int MAIN(int argc, char **argv) @@ -670,6 +757,14 @@ int MAIN(int argc, char **argv) j--; /* Otherwise, -elapsed gets confused with an algorithm. */ } +#ifdef HAVE_CPU_USAGE + else if ((argc 0) (strcmp(*argv,-cpu) == 0)) + { + do_cpu = 1; + j--; /* Otherwise, -cpu gets confused with + an algorithm. */ + } +#endif else if ((argc 0) (strcmp(*argv,-evp) == 0)) { argc--; @@ -1106,6 +1201,9 @@ int MAIN(int argc, char **argv) #ifdef HAVE_FORK BIO_printf(bio_err,-multi nrun n benchmarks in parallel.\n); #endif +#ifdef HAVE_CPU_USAGE + BIO_printf(bio_err,-cpucalculate cpu utilisation.\n); +#endif goto end; } argc--; @@ -1113,11 +1211,6 @@ int MAIN(int argc, char **argv) j++; } -#ifdef HAVE_FORK - if(multi do_multi(multi)) - goto show_res; -#endif - if (j == 0) { for (i=0; iALGOR_NUM; i++) @@ -1457,6 +1550,11 @@ int MAIN(int argc, char **argv) #endif #endif /* SIGALRM */ +#ifdef HAVE_FORK /* Do this as late as possible to give better CPU readings */ + if(multi do_multi(multi)) + goto show_res; +#endif + #ifndef OPENSSL_NO_MD2 if (doit[D_MD2]) { @@ -1903,8 +2001,6 @@ int MAIN(int argc, char **argv) /* -O3 -fschedule-insns messes up an * optimization here! names[D_EVP] * somehow becomes NULL */ -print_message(names[D_EVP],save_count, - lengths[j]); EVP_CIPHER_CTX_init(ctx); if(decrypt) @@ -1913,6 +2009,9 @@ int MAIN(int argc, char **argv) EVP_EncryptInit_ex(ctx,evp_cipher,NULL,key16,iv); EVP_CIPHER_CTX_set_padding(ctx, 0); +print_message(names[D_EVP],save_count, + lengths[j]); + Time_F(START); if(decrypt) for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) @@ -1977,6 +2076,8 @@ int MAIN(int argc, char **argv) } } d=Time_F
[openssl.org #1976] [PATCH 14/14] Cleanup some compile time warnings/magic numbers.
Cleanup some compile time warnings/magic numbers. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 186eb36..1e5d3a3 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -70,9 +70,9 @@ struct dev_crypto_state { int d_fd; #ifdef USE_CRYPTODEV_DIGESTS - char dummy_mac_key[20]; + char dummy_mac_key[HASH_MAX_LEN]; - unsigned char digest_res[20]; + unsigned char digest_res[HASH_MAX_LEN]; char *mac_data; int mac_len; @@ -90,7 +90,7 @@ static int get_cryptodev_digests(const int **cnids); static int cryptodev_usable_ciphers(const int **nids); static int cryptodev_usable_digests(const int **nids); static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -const unsigned char *in, unsigned int inl); +const unsigned char *in, size_t inl); static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx); @@ -350,7 +350,7 @@ cryptodev_usable_digests(const int **nids) static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -const unsigned char *in, unsigned int inl) +const unsigned char *in, size_t inl) { struct crypt_op cryp; struct dev_crypto_state *state = ctx-cipher_data; @@ -428,7 +428,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, if ((state-d_fd = get_dev_crypto()) 0) return (0); - sess-key = (unsigned char *)key; + sess-key = (caddr_t)key; sess-keylen = ctx-key_len; sess-cipher = cipher; @@ -730,7 +730,7 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data, cryp.len = count; cryp.src = (caddr_t) data; cryp.dst = NULL; - cryp.mac = state-digest_res; + cryp.mac = (caddr_t) state-digest_res; if (ioctl(state-d_fd, CIOCCRYPT, cryp) 0) { printf(cryptodev_digest_update: digest failed\n); return (0); @@ -761,7 +761,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md) cryp.len = state-mac_len; cryp.src = state-mac_data; cryp.dst = NULL; - cryp.mac = md; + cryp.mac = (caddr_t)md; if (ioctl(state-d_fd, CIOCCRYPT, cryp) 0) { printf(cryptodev_digest_final: digest failed\n); @@ -906,7 +906,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp) return (1); memset(b, 0, bytes); - crp-crp_p = b; + crp-crp_p = (caddr_t) b; crp-crp_nbits = bits; for (i = 0, j = 0; i a-top; i++) { @@ -1260,7 +1260,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) goto err; kop.crk_iparams = 3; - kop.crk_param[3].crp_p = key; + kop.crk_param[3].crp_p = (caddr_t) key; kop.crk_param[3].crp_nbits = keylen * 8; kop.crk_oparams = 1; -- 1.6.0.4
Re: [PATCH 09/14] Only test speeds up to 4K packets.
Jivin Thor Lancelot Simon lays it down ... On Tue, Jun 30, 2009 at 12:56:38PM +1000, David McCullough wrote: Change the speed test to only test sizes up to 4096. Most cryptodev HW drivers fail with 8192 sized requests. 4K seems like a reasonable limit to test up to. No. This is a bug in whatever cryptodev HW drivers you are referring to. If a driver can't handle a request which can be generated by the SSL layer (or which is legal to be directly invoked by the OpenSSL API) it needs to split that request accordingly, not blindly fail it. This is true of OpenSSL engines in general. Since you say cryptodev perhaps you think this is a generic limitation of /dev/crypto. But it's not. I _might_ not be averse to changing the single engine for /dev/crypto to split requests to 4K, but it would take some persuasion since that is not a documented limitation of the API and many backend drivers DTRT. If you change the speed test this way, it won't even give any indication that some hardware drivers don't work right. Fair call, I agree FWIW. Currently the crptodev hifn and safenet drivers (IIRC) fail, and like you said, that should be fixed. Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [PATCH 14/14] Cleanup some compile time warnings/magic numbers.
Jivin Tim Rice lays it down ... On Tue, 30 Jun 2009, David McCullough wrote: Cleanup some compile time warnings/magic numbers. --- diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 186eb36..1e5d3a3 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -70,9 +70,9 @@ struct dev_crypto_state { int d_fd; #ifdef USE_CRYPTODEV_DIGESTS - char dummy_mac_key[20]; + char dummy_mac_key[HASH_MAX_LEN]; [snip] Where is HASH_MAX_LEN defined? It comes from the cryptodev.h provided by *BSD and ocf-linux, Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1966] [PATCH 04/14] Ensure OCSP can be disabled.
Jivin Stephen Henson via RT lays it down ... [david_mccullo...@securecomputing.com - Tue Jun 30 13:54:34 2009]: Some support for OCSP was not ifdef'd and prevents its exclusion from openssl via the config options. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html Note progs.h is auto generated by progs.pl so you need to edit both otherwise progs.h will get overwritten. Thanks for fixing it up, I missed that. Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1966] [PATCH 04/14] Ensure OCSP can be disabled.
Jivin Stephen Henson via RT lays it down ... [david_mccullo...@securecomputing.com - Tue Jun 30 13:54:34 2009]: Some support for OCSP was not ifdef'd and prevents its exclusion from openssl via the config options. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html Note progs.h is auto generated by progs.pl so you need to edit both otherwise progs.h will get overwritten. Thanks for fixing it up, I missed that. Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1976] [PATCH 14/14] Cleanup some compile time warnings/magic numbers.
Jivin Green, Paul lays it down ... David McCullough proposed the following patch to crypto/engine/eng_cryptodev.c: (extracted from a larger change set): @@ -428,7 +428,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, if ((state-d_fd = get_dev_crypto()) 0) return (0); - sess-key = (unsigned char *)key; + sess-key = (caddr_t)key; sess-keylen = ctx-key_len; sess-cipher = cipher; Please be aware that the caddr_t (core(!) addr) data type is not included in the POSIX-2001 standard(1). My copy of SuSE Linux make it visible in sys/types.h under the control of the _BSD_SOURCE macro. If you are going to use this data type in OpenSSL, you should ensure that it is defined by OpenSSL if the standard headers do not already define it. IMHO, a better solution would be to use only POSIX data types. (1) http://www.opengroup.org/onlinepubs/009695399/toc.htm Agreed, I would normally use it, however eng_cryptodev was already using caddr_t in a few places, and the cryptodev.h file defines the kernel API, and it uses caddr_t. Other than changing the kernel API I don't see a nice way to avoid using caddr_t, but I am open to suggestions :-) Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1974] [PATCH 12/14] Config option for cryptodev on other OS's (+ hash)
Jivin Stephen Henson via RT lays it down ... [david_mccullo...@securecomputing.com - Tue Jun 30 13:55:14 2009]: Add --with-cryptodev option to config so that an OS like linux may enable cryptodev support if it has been ported (ie., ocf-linux). Add --with-cryptodev-digests to optionally include hash support via cryptodev (disabled by default as it is usually too slow to be useful). Add a working cryptodev hash implementation. Fix up RSA API compliance for rsa_nocrt_mod_exp method while here. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html The equivalent to the two configure options can be done by including -Dfoo to Configure, for example Configure [options] -DHAVE_CRYPTODEV . Ok, thats works for me if it's the preferred solution. This patch also does considerably more than the above description, adding new symmetric algorithms, changing the behaviour of existing code etc. This should preferably be split into smaller patches which can be more easily analysed with full descriptions of the reasoning for changes. Sorry about that, I'll sync up with whatever changes have gone in and generate new patches for the cryptodev engine related bits. Should they appear in new rt tickets of their own or keep it within this one ? Thanks, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1974] [PATCH 12/14] Config option for cryptodev on other OS's (+ hash)
Jivin Stephen Henson via RT lays it down ... [david_mccullo...@securecomputing.com - Tue Jun 30 13:55:14 2009]: Add --with-cryptodev option to config so that an OS like linux may enable cryptodev support if it has been ported (ie., ocf-linux). Add --with-cryptodev-digests to optionally include hash support via cryptodev (disabled by default as it is usually too slow to be useful). Add a working cryptodev hash implementation. Fix up RSA API compliance for rsa_nocrt_mod_exp method while here. Overview : http://www.mail-archive.com/openssl-dev@openssl.org/msg26096.html The equivalent to the two configure options can be done by including -Dfoo to Configure, for example Configure [options] -DHAVE_CRYPTODEV . Ok, thats works for me if it's the preferred solution. This patch also does considerably more than the above description, adding new symmetric algorithms, changing the behaviour of existing code etc. This should preferably be split into smaller patches which can be more easily analysed with full descriptions of the reasoning for changes. Sorry about that, I'll sync up with whatever changes have gone in and generate new patches for the cryptodev engine related bits. Should they appear in new rt tickets of their own or keep it within this one ? Thanks, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 00/14] Patches from the ocf-linux and uClinux-dist projects
Hi openssl-dev, Here is a series of patches against the openssl-SNAP-20090628 release. The patches fix a number of bugs and also add functionality from the ocf-linux and uClinux-dist projects. ocf-linux is a linux port of the OCF framework from BSD. The project has been running since 2004. uClinux-dist is a full source distribution thats allows for easy cross compilation for many different CPU/platform/vendor combinations, including both systems with and without MMUs. It has been running since before 2002. I have split the patches up into small unit changes so that they are easier to review and apply. Most if not all of the patches can be used in isolation against a current openssl source tree. Please let me know if there are any issues or if some other format is preferred, Thanks, Davidm ocf-linux:http://ocf-linux.sourceforge.net/ uClinux-dist: http://www.uclinux.org/pub/uClinux/dist/ -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 01/14] Build should fail if makedepend is not present.
If makedepend fails (for example, if it isn't in the path), then domd should fail so the build can stop on the error. --- util/domd |8 ++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/util/domd b/util/domd index 27c0211..bab48cb 100755 --- a/util/domd +++ b/util/domd @@ -22,13 +22,17 @@ if expr $MAKEDEPEND : '.*gcc$' /dev/null; then done sed -e '/^# DO NOT DELETE.*/,$d' Makefile Makefile.tmp echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' Makefile.tmp -${MAKEDEPEND} -Werror -D OPENSSL_DOING_MAKEDEPEND -M $args Makefile.tmp || exit +${MAKEDEPEND} -Werror -D OPENSSL_DOING_MAKEDEPEND -M $args Makefile.tmp || exit 1 ${PERL} $TOP/util/clean-depend.pl Makefile.tmp Makefile.new +RC=$? rm -f Makefile.tmp else -${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND $@ +${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND $@ \ ${PERL} $TOP/util/clean-depend.pl Makefile Makefile.new +RC=$? fi mv Makefile.new Makefile # unfake the presence of Kerberos rm $TOP/krb5.h + +exit $RC -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 03/14] Make sure defines to remove SHA are correct.
Some combinations of algorithm removal cause compilation errors. Fix this case for SHA/SHA1. --- crypto/evp/c_alld.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/crypto/evp/c_alld.c b/crypto/evp/c_alld.c index 5032e7c..aa565a6 100644 --- a/crypto/evp/c_alld.c +++ b/crypto/evp/c_alld.c @@ -81,7 +81,7 @@ void OpenSSL_add_all_digests(void) EVP_add_digest(EVP_dss()); #endif #endif -#ifndef OPENSSL_NO_SHA +#if !defined(OPENSSL_NO_SHA) !defined(OPENSSL_NO_SHA1) EVP_add_digest(EVP_sha1()); EVP_add_digest_alias(SN_sha1,ssl3-sha1); EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 04/14] Ensure OCSP can be disabled.
Some support for OCSP was not ifdef'd and prevents its exclusion from openssl via the config options. --- apps/progs.h |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/apps/progs.h b/apps/progs.h index d323a1c..79e479a 100644 --- a/apps/progs.h +++ b/apps/progs.h @@ -142,7 +142,9 @@ FUNCTION functions[] = { #ifndef OPENSSL_NO_ENGINE {FUNC_TYPE_GENERAL,engine,engine_main}, #endif +#ifndef OPENSSL_NO_OCSP {FUNC_TYPE_GENERAL,ocsp,ocsp_main}, +#endif {FUNC_TYPE_GENERAL,prime,prime_main}, {FUNC_TYPE_GENERAL,ts,ts_main}, #ifndef OPENSSL_NO_MD2 -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 05/14] Do not run off the end of the params array.
Do not run off the end of the RSA params arrays freeing values or we will crash (or worse, corrupt the heap). --- crypto/engine/eng_cryptodev.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index ab38cd5..4f2470b 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -681,7 +681,7 @@ zapparams(struct crypt_kop *kop) { int i; - for (i = 0; i = kop-crk_iparams + kop-crk_oparams; i++) { + for (i = 0; i kop-crk_iparams + kop-crk_oparams; i++) { if (kop-crk_param[i].crp_p) free(kop-crk_param[i].crp_p); kop-crk_param[i].crp_p = NULL; -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 07/14] Use a stronger key when testing algs.
Some implementations of DES (ie., linux kernel) will not tolerate extremely weak keys, fix this by making it non-repetitive. --- crypto/engine/eng_cryptodev.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 4f2470b..2259916 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -264,7 +264,7 @@ get_cryptodev_ciphers(const int **cnids) return (0); } memset(sess, 0, sizeof(sess)); - sess.key = (caddr_t)123456781234567812345678; + sess.key = (caddr_t)123456789abcdefghijklmno; for (i = 0; ciphers[i].id count CRYPTO_ALGORITHM_MAX; i++) { if (ciphers[i].nid == NID_undef) -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 08/14] Fix unused variable words and uninited data b.
words was unsed (compiler warning) remove it. b was uninited memory causing us to generate bogus numbers to pass into cryptodev. --- crypto/engine/eng_cryptodev.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 2259916..16afaf7 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -625,7 +625,7 @@ static int bn2crparam(const BIGNUM *a, struct crparam *crp) { int i, j, k; - ssize_t words, bytes, bits; + ssize_t bytes, bits; u_char *b; crp-crp_p = NULL; @@ -637,6 +637,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp) b = malloc(bytes); if (b == NULL) return (1); + memset(b, 0, bytes); crp-crp_p = b; crp-crp_nbits = bits; -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 09/14] Only test speeds up to 4K packets.
Change the speed test to only test sizes up to 4096. Most cryptodev HW drivers fail with 8192 sized requests. 4K seems like a reasonable limit to test up to. --- apps/speed.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index cd41252..52bc481 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -205,7 +205,7 @@ static int do_multi(int multi); #endif #define ALGOR_NUM 29 -#define SIZE_NUM 5 +#define SIZE_NUM 6 #define RSA_NUM4 #define DSA_NUM3 @@ -221,7 +221,7 @@ static const char *names[ALGOR_NUM]={ evp,sha256,sha512,whirlpool, aes-128 ige,aes-192 ige,aes-256 ige}; static double results[ALGOR_NUM][SIZE_NUM]; -static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; +static int lengths[SIZE_NUM]={16,64,256,1024,2*1024,4*1024}; static double rsa_results[RSA_NUM][2]; static double dsa_results[DSA_NUM][2]; #ifndef OPENSSL_NO_ECDSA -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 11/14] Ensure 'make links' gets all headers correctly.
Needed to include all the headers in the links target to get openssl cross compiling nicely within the uClinux-dist. --- Makefile.org |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/Makefile.org b/Makefile.org index ba29744..57265c6 100644 --- a/Makefile.org +++ b/Makefile.org @@ -379,7 +379,7 @@ files: links: @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl - @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) + @$(PERL) $(TOP)/util/mklink.pl include/openssl $(HEADER) $(EXHEADER) @set -e; target=links; $(RECURSIVE_BUILD_CMD) gentests: -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 12/14] Config option for cryptodev on other OS's (+ hash)
, + cryptodev_digest_update, + cryptodev_digest_final, + cryptodev_digest_copy, + cryptodev_digest_cleanup, + EVP_PKEY_NULL_method, + 64 /* MD5_CBLOCK */, + sizeof(struct dev_crypto_state), +}; + +#endif /* USE_CRYPTODEV_DIGESTS */ + + static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, const int **nids, int nid) @@ -606,10 +868,15 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, return (cryptodev_usable_digests(nids)); switch (nid) { +#ifdef USE_CRYPTODEV_DIGESTS case NID_md5: - *digest = NULL; /* need to make a clean md5 critter */ + *digest = cryptodev_md5; break; + case NID_sha1: + *digest = cryptodev_sha1; + break; default: +#endif /* USE_CRYPTODEV_DIGESTS */ *digest = NULL; break; } @@ -757,11 +1024,9 @@ err: } static int -cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { int r; - BN_CTX *ctx; - ctx = BN_CTX_new(); r = cryptodev_bn_mod_exp(r0, I, rsa-d, rsa-n, ctx, NULL); BN_CTX_free(ctx); diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h index 9bc8a31..1f5d9d8 100644 --- a/crypto/engine/engine.h +++ b/crypto/engine/engine.h @@ -733,7 +733,7 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, * values. */ void *ENGINE_get_static_state(void); -#if defined(__OpenBSD__) || defined(__FreeBSD__) +#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV) void ENGINE_setup_bsd_cryptodev(void); #endif diff --git a/crypto/evp/c_all.c b/crypto/evp/c_all.c index a5da52e..766c4ce 100644 --- a/crypto/evp/c_all.c +++ b/crypto/evp/c_all.c @@ -83,7 +83,7 @@ void OPENSSL_add_all_algorithms_noconf(void) OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); #ifndef OPENSSL_NO_ENGINE -# if defined(__OpenBSD__) || defined(__FreeBSD__) +# if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV) ENGINE_setup_bsd_cryptodev(); # endif #endif -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 13/14] Add support for CPU usage reporting.
=atoi(sstrsep(p,sep)); sstrsep(p,sep); + /* before we move the token along */ + if (do_cpu strchr(p, '/')) + rsa_cpu_usage[k][0] = atoi(strchr(p, '/') + 1); d=atof(sstrsep(p,sep)); if(n) rsa_results[k][0]=1/(1/rsa_results[k][0]+1/d); else rsa_results[k][0]=d; + /* before we move the token along */ + if (do_cpu strchr(p, '/')) + rsa_cpu_usage[k][1] = atoi(strchr(p, '/') + 1); d=atof(sstrsep(p,sep)); if(n) rsa_results[k][1]=1/(1/rsa_results[k][1]+1/d); @@ -2704,12 +2827,18 @@ static int do_multi(int multi) k=atoi(sstrsep(p,sep)); sstrsep(p,sep); + /* before we move the token along */ + if (do_cpu strchr(p, '/')) + dsa_cpu_usage[k][0] = atoi(strchr(p, '/') + 1); d=atof(sstrsep(p,sep)); if(n) dsa_results[k][0]=1/(1/dsa_results[k][0]+1/d); else dsa_results[k][0]=d; + /* before we move the token along */ + if (do_cpu strchr(p, '/')) + dsa_cpu_usage[k][1] = atoi(strchr(p, '/') + 1); d=atof(sstrsep(p,sep)); if(n) dsa_results[k][1]=1/(1/dsa_results[k][1]+1/d); diff --git a/apps/speed.c b/apps/speed.c index a4bef32..c6f5b0e 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -277,6 +277,7 @@ static unsigned int cpu_usage[ALGOR_NUM][SIZE_NUM]; static unsigned int rsa_cpu_usage[RSA_NUM][2]; static unsigned int dsa_cpu_usage[DSA_NUM][2]; static struct cpu_stat cpu_start, cpu_finish; +static int do_cpu = 0; static void get_cpu(int s) @@ -395,7 +396,6 @@ static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen) #endif /* OPENSSL_NO_ECDH */ -static int do_cpu = 0; #ifndef HAVE_CPU_USAGE /* stub out the cpu functions if we do not support it */ static void get_cpu(int s) {} -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[PATCH 14/14] Cleanup some compile time warnings/magic numbers.
Cleanup some compile time warnings/magic numbers. --- crypto/engine/eng_cryptodev.c | 18 +- 1 files changed, 9 insertions(+), 9 deletions(-) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 186eb36..1e5d3a3 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -70,9 +70,9 @@ struct dev_crypto_state { int d_fd; #ifdef USE_CRYPTODEV_DIGESTS - char dummy_mac_key[20]; + char dummy_mac_key[HASH_MAX_LEN]; - unsigned char digest_res[20]; + unsigned char digest_res[HASH_MAX_LEN]; char *mac_data; int mac_len; @@ -90,7 +90,7 @@ static int get_cryptodev_digests(const int **cnids); static int cryptodev_usable_ciphers(const int **nids); static int cryptodev_usable_digests(const int **nids); static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -const unsigned char *in, unsigned int inl); +const unsigned char *in, size_t inl); static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx); @@ -350,7 +350,7 @@ cryptodev_usable_digests(const int **nids) static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -const unsigned char *in, unsigned int inl) +const unsigned char *in, size_t inl) { struct crypt_op cryp; struct dev_crypto_state *state = ctx-cipher_data; @@ -428,7 +428,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, if ((state-d_fd = get_dev_crypto()) 0) return (0); - sess-key = (unsigned char *)key; + sess-key = (caddr_t)key; sess-keylen = ctx-key_len; sess-cipher = cipher; @@ -730,7 +730,7 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data, cryp.len = count; cryp.src = (caddr_t) data; cryp.dst = NULL; - cryp.mac = state-digest_res; + cryp.mac = (caddr_t) state-digest_res; if (ioctl(state-d_fd, CIOCCRYPT, cryp) 0) { printf(cryptodev_digest_update: digest failed\n); return (0); @@ -761,7 +761,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md) cryp.len = state-mac_len; cryp.src = state-mac_data; cryp.dst = NULL; - cryp.mac = md; + cryp.mac = (caddr_t)md; if (ioctl(state-d_fd, CIOCCRYPT, cryp) 0) { printf(cryptodev_digest_final: digest failed\n); @@ -906,7 +906,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp) return (1); memset(b, 0, bytes); - crp-crp_p = b; + crp-crp_p = (caddr_t) b; crp-crp_nbits = bits; for (i = 0, j = 0; i a-top; i++) { @@ -1260,7 +1260,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) goto err; kop.crk_iparams = 3; - kop.crk_param[3].crp_p = key; + kop.crk_param[3].crp_p = (caddr_t) key; kop.crk_param[3].crp_nbits = keylen * 8; kop.crk_oparams = 1; -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [PATCH 00/14] Patches from the ocf-linux and uClinux-dist projects
Jivin Kyle Hamilton lays it down ... Please mail these each as attachments to r...@openssl.org. This will ensure that each gets entered into a trackable state, and also ensures that the formatting for the patch files stays consistent. No problems, I wasn't sure if I should do that or not, so I opted to not spam two lists ;-) It seems the mailing list ate 3 of the patches (#2 #6 and #10), hopefully RT will deal with them, Thanks, Davidm On Mon, Jun 29, 2009 at 7:54 PM, David McCulloughdavid_mccullo...@securecomputing.com wrote: Hi openssl-dev, Here is a series of patches against the openssl-SNAP-20090628 release. The patches fix a number of bugs and also add functionality from the ocf-linux and uClinux-dist projects. ocf-linux is a linux port of the OCF framework from BSD. The project has been running since 2004. uClinux-dist is a full source distribution thats allows for easy cross compilation for many different CPU/platform/vendor combinations, including both systems with and without MMUs. It has been running since before 2002. I have split the patches up into small unit changes so that they are easier to review and apply. Most if not all of the patches can be used in isolation against a current openssl source tree. Please let me know if there are any issues or if some other format is preferred, Thanks, Davidm ocf-linux: http://ocf-linux.sourceforge.net/ uClinux-dist: http://www.uclinux.org/pub/uClinux/dist/ -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1957] OpenSSL 0.9.8k Solaris build failure in apps; Makefile variables not quoted
Jivin Mark Ashley via RT lays it down ... FIPSLD_CC and CC need to be quoted, probably in more than one Makefile than this to be safe, but certainly this one to allow the build to complete. This is required because CC is cc -m64 -xcode=pic32 -w make(1) will try to grok the CC arguments '-m64 -xcode=pic32 -w' after assigning the initial 'cc' part. openssl-0.9.8k/apps root# diff Makefile Makefile.orig 156c156 FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ --- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ 161c161 CC=$${CC} APPNAME=$(EXE) OBJECTS=$(PROGRAM).o $(E_OBJ) \ --- CC=$${CC} APPNAME=$(EXE) OBJECTS=$(PROGRAM).o $(E_OBJ) \ I was just preparing a patch for the same thing :-) Here's a patch against 0.9.8k that gets all the instances I could find, Cheers, Davidm diff --git a/apps/Makefile b/apps/Makefile index 402981a..06d5351 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -153,12 +153,12 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) shlib_target=; if [ -n $(SHARED_LIBS) ]; then \ shlib_target=$(SHLIB_TARGET); \ elif [ -n $(FIPSCANLIB) ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ fi; \ LIBRARIES=$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) ; \ [ x$(FIPSCANLIB) = xlibfips ] LIBRARIES=$$LIBRARIES -lfips; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$(EXE) OBJECTS=$(PROGRAM).o $(E_OBJ) \ + CC=$${CC} APPNAME=$(EXE) OBJECTS=$(PROGRAM).o $(E_OBJ) \ LIBDEPS=$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) \ link_app.$${shlib_target} -(cd ..; \ diff --git a/test/Makefile b/test/Makefile index 228ee36..66a30b7 100644 --- a/test/Makefile +++ b/test/Makefile @@ -402,13 +402,13 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n $(SHARED_LIBS) ]; then \ if [ $(FIPSCANLIB) = libfips ]; then \ LIBRARIES=-L$(TOP) -lfips; \ elif [ -n $(FIPSCANLIB) ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ LIBRARIES=$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o; \ else \ LIBRARIES=$(LIBCRYPTO); \ fi; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS=$$target.o \ + CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS=$$target.o \ LIBDEPS=$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) \ link_app.$${shlib_target} @@ -417,11 +417,11 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if [ -n $(SHARED_LIBS) ]; then \ fi; \ LIBRARIES=$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5); \ if [ -z $(SHARED_LIBS) -a -n $(FIPSCANLIB) ] ; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ fi; \ [ $(FIPSCANLIB) = libfips ] LIBRARIES=$$LIBRARIES -lfips; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS=$$target.o \ + CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS=$$target.o \ LIBDEPS=$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) \ link_app.$${shlib_target} -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1957] OpenSSL 0.9.8k Solaris build failure in apps; Makefile variables not quoted
Jivin Mark Ashley via RT lays it down ... FIPSLD_CC and CC need to be quoted, probably in more than one Makefile than this to be safe, but certainly this one to allow the build to complete. This is required because CC is cc -m64 -xcode=pic32 -w make(1) will try to grok the CC arguments '-m64 -xcode=pic32 -w' after assigning the initial 'cc' part. openssl-0.9.8k/apps root# diff Makefile Makefile.orig 156c156 FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ --- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ 161c161 CC=$${CC} APPNAME=$(EXE) OBJECTS=$(PROGRAM).o $(E_OBJ) \ --- CC=$${CC} APPNAME=$(EXE) OBJECTS=$(PROGRAM).o $(E_OBJ) \ I was just preparing a patch for the same thing :-) Here's a patch against 0.9.8k that gets all the instances I could find, Cheers, Davidm diff --git a/apps/Makefile b/apps/Makefile index 402981a..06d5351 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -153,12 +153,12 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) shlib_target=; if [ -n $(SHARED_LIBS) ]; then \ shlib_target=$(SHLIB_TARGET); \ elif [ -n $(FIPSCANLIB) ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ fi; \ LIBRARIES=$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) ; \ [ x$(FIPSCANLIB) = xlibfips ] LIBRARIES=$$LIBRARIES -lfips; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$(EXE) OBJECTS=$(PROGRAM).o $(E_OBJ) \ + CC=$${CC} APPNAME=$(EXE) OBJECTS=$(PROGRAM).o $(E_OBJ) \ LIBDEPS=$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) \ link_app.$${shlib_target} -(cd ..; \ diff --git a/test/Makefile b/test/Makefile index 228ee36..66a30b7 100644 --- a/test/Makefile +++ b/test/Makefile @@ -402,13 +402,13 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n $(SHARED_LIBS) ]; then \ if [ $(FIPSCANLIB) = libfips ]; then \ LIBRARIES=-L$(TOP) -lfips; \ elif [ -n $(FIPSCANLIB) ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ LIBRARIES=$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o; \ else \ LIBRARIES=$(LIBCRYPTO); \ fi; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS=$$target.o \ + CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS=$$target.o \ LIBDEPS=$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) \ link_app.$${shlib_target} @@ -417,11 +417,11 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if [ -n $(SHARED_LIBS) ]; then \ fi; \ LIBRARIES=$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5); \ if [ -z $(SHARED_LIBS) -a -n $(FIPSCANLIB) ] ; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ fi; \ [ $(FIPSCANLIB) = libfips ] LIBRARIES=$$LIBRARIES -lfips; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS=$$target.o \ + CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS=$$target.o \ LIBDEPS=$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) \ link_app.$${shlib_target} -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Best version for submitting patches ?
Hi openssl-devs, Just wanted to query the best openssl version for basing patches on. I have a number of patches relating to the ocf-linux project and other embedded linux work that I'd like to post for review and/or inclusion. I am currently based on 0.9.8k, but 1.0.0 beta or a snapshot is no problem, Thanks, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 McAfee - SnapGear http://www.snapgear.comhttp://www.uCdot.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: AES hardware accelerator in OpenSSL with/without OCF
Jivin Palacios, Hector lays it down ... Greetings, I have a Netsilicon CPU (NS9215) which contains an AES accelerator which I want to use with OpenSSL. I have a Linux driver for this hardware AES module which uses the kernel 2.6.26 CryptoAPI. This driver basically registers the cbc(aes) and ecb(aes) ciphers. / # cat /proc/crypto name : cbc(aes) driver : ns921x-aes module : kernel priority : 0 refcnt : 1 type : ablkcipher async: yes blocksize: 16 min keysize : 16 max keysize : 32 ivsize : 0 geniv: default name : ecb(aes) driver : ns921x-aes module : kernel priority : 400 refcnt : 1 type : ablkcipher async: yes blocksize: 16 min keysize : 16 max keysize : 32 ivsize : 0 geniv: default I would like to have OpenSSL use this driver to accelerate encryption when using these ciphers. Looking in the Internet I found the OCF project (http://ocf-linux.sourceforge.net/) which is supposed to do the link between the kernel CryptoAPI and OpenSSL by means of an engine called 'cryptodev' which makes use of device node /dev/crypto. I'm using openssl-0.9.8g and have integrated the OCF patches for the 2.6.26 version and for OpenSSL 0.9.8g (similarly as done in http://www.docunext.com/wiki/My_Notes_on_Patching_2.6.22_with_OCF). It builds ok and I obtain several modules: ocf.ko, cryptodev.ko cryptosoft.ko. By executing the OpenSSL commands with option '-engine cryptodev', OpenSSL seems to be using this engine. However, just with that my specific driver functions are not being called. For example I have tried with: # openssl speed -engine cryptodev -evp aes128 and with # time openssl enc aes128 -engine cryptodev -in testfile -out /dev/null -k test I would appreciate any hint of how to tell OpenSSL or OCF to use my driver functions. Have you loaded the cryptosoft driver ? It is needed to talk to the cryptoAPI in the kernel. modprobe ocf modprobe cryptosoft modprobe cryptodev You can check that cryptosoft is being used by loading it with the debug parameter, or enabling debug later with: echo 1 /sys/module/cryptosoft/parameters/swcr_debug Check your syslog (or console output) for driver messages from cryptosoft which will confirm it is being used when you run openssl. Probably best to move this discussion to the ocf-linux mailing list, not sure it belongs on the openssl list ;-) http://lists.sourceforge.net/mailman/listinfo/ocf-linux-users Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1823] Linux configuration options for OCF/HAVE_CRYPTODEV needed
Jivin Philip Prindeville via RT lays it down ... The OCF code has been ported to Linux: http://sourceforge.net/project/showfiles.php?group_id=133575 it would be very nice if this were supported in openssl without patching. For instance, crypto/engine/eng_all.c tests for: #if defined(__OpenBSD__) || defined(__FreeBSD__) but why not test for HAVE_CRYPTODEV instead, and allow this to be set by the configuration environment? I am more than happy to cleanup/post the openssl patch from the ocf-linux releases if any one is interested. It's something I've been meaning to do but haven't got around to. Cheers, Davidm -- David McCullough, david_mccullo...@securecomputing.com, Ph:+61 734352815 Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: Crypto engine asynchronously
Jivin Prashant Kumar lays it down ... Hello Group, I am using Broadcom (ubsec) based hardware accelerator on a Vxworks 5.x platform. I see that my CPU usage is just 40 % when I hit the max number of TLS connection. I have a queue between the TCP stack and the application where I am running the TLS. I am running TLS using the memory bios. What I see is that the queue between the TCP stack and my TLS application is getting full because the TLS application is not picking the packets from the queue fast enough eventhough it is running at a higher priority. My preliminary thinking was that because I am using a blocking call to the Hardware accelerator, my TLS application is wasting a lot of time waiting for the operation to complete and not keeping up with the TCP since my TLS application is just using 40% of the CPU. My question is even if I get my Broadcom to run asynchronously, how can i make openssl engine to behave asynchronous as I understand from the code that the operation is very synchronous. If you make the engine async, then it will benefit multiple openssl instances. So something like: openssl speed -evp des -elapsed -multi 10 where you run 10 processes at the same time should get more throughput. An async engine will not improve a single thread of execution though, since the API in user space is still sync. Cheers, Davidm Girish Venkatachalam [EMAIL PROTECTED] wrote: --- Prashant Kumar wrote: Hello Group, Is there anyway I could use the crypto hardware engine asynchronously with OpenSsl. Looking at the code it doesn't look like. The reason I am asking this is, in our deployment, I see that the CPU on which I am running OpenSsl is loaded just 40% and I still hit the maximum number of TLS sessions i could process. My assumption is that it could be because we are using synchronous call with the hardware accelerator and are blocked waiting for the hardware engine to do its works (that is decryption/encryption of each packet). Did you try opessl speed -engine rsa ? Do your results correspond to the documentation given with your hardware device? Try to isolate the problem first. How do you say you are hitting the maximum number of TLS sessions? It could mean various things like network, your card, CPU anything. More details on what crypto you are accelerating could help. regards, Girish Any help is appreciated. Thanks, Prashant. - Do you Yahoo!? Everyone is raving about the all-new Yahoo! Mail Beta. __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED] - Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1?/min. -- David McCullough, [EMAIL PROTECTED], Ph:+61 734352815 Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Crypto engine asynchronously
Jivin Prashant Kumar lays it down ... Hello Group, Is there anyway I could use the crypto hardware engine asynchronously with OpenSsl. Looking at the code it doesn't look like. Which HW engine are you using and on what OS ? The reason I am asking this is, in our deployment, I see that the CPU on which I am running OpenSsl is loaded just 40% and I still hit the maximum number of TLS sessions i could process. My assumption is that it could be because we are using synchronous call with the hardware accelerator and are blocked waiting for the hardware engine to do its works (that is decryption/encryption of each packet). The cryptodev engine (OpenBSD/FreeBSD/linux) can provide async support so that multiple SSL users are being processed at once. How are you testing the performance ? On box or using networking ? Cheers, Davidm -- David McCullough, [EMAIL PROTECTED], Ph:+61 734352815 Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]