Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
Hi Jiri,

is there any progress? Please let me know when I can test new version of openssl package and I'll report back...

Cheers,
Valent.

On Thu, May 2, 2013 at 11:10 AM, Jiri Slachta slac...@cesnet.cz wrote:
> Hello Valent,
>
> strace shows system calls used by program. I think there is nothing wrong with openssl package, package Makefile is just not yet fully adapted to work with openssl engines (imho it is compile time issue). It needs to be rewritten a little.
>
> Jiri
>
> On 2.5.2013 8:10, valent.turko...@gmail.com wrote:
>> What do strace logs show? How long ago were engines removed from openssl? Did upstream change some things that introduce bugs in openwrt?

--
follow me - www.twitter.com/valentt http://kernelreloaded.blog385.com
linux, anime, spirituality, wireless, scuba, linuxmce smart home, zwave
ICQ: 2125241, Skype: valent.turkovic, MSN: valent.turko...@hotmail.com
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
On Wed, May 1, 2013 at 12:52 AM, valent.turko...@gmail.com valent.turko...@gmail.com wrote:
> On Tue, Apr 30, 2013 at 10:46 PM, Jiri Slachta slac...@cesnet.cz wrote:
>> On 30.4.2013 22:08, valent.turko...@gmail.com wrote:
>>> On Tue, Apr 30, 2013 at 9:36 PM, valent.turko...@gmail.com valent.turko...@gmail.com wrote:
>>>> I had missed package with engines ;) Now I got images built correctly and installed on CF card.
>>>>
>>>> Can you or somebody else check out what is the issue?
>>>>
>>>> Please connect to:
>>>> ssh r...@valentt.no-ip.org -p 22001
>>>> password is openwrt
>>>
>>> I see few connections, did anybody get debug logs?
>>
>> Hey,
>>
>> the first thing I see is:
>>
>> [8.341688] padlock_aes: Unknown symbol blkcipher_walk_done (err 0)
>> [8.360643] padlock_aes: Unknown symbol blkcipher_walk_virt (err 0)
>> [8.379562] padlock_aes: Unknown symbol crypto_blkcipher_type (err 0)
>>
>> Could you try to enable package kmod-crypto-manager that enables CONFIG_CRYPTO_BLKCIPHER in kernel config and loads specific kernel modules? I actually do not know where the problem is, but the unknown symbol error messages should disappear.
>>
>> Jiri
>
> New firmware is now on CF card with kmod-crypto-manager, I still see same issue, but please check it yourself.

What do strace logs show? How long ago were engines removed from openssl? Did upstream change some things that introduce bugs in openwrt?
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
Hello Valent,

strace shows system calls used by program. I think there is nothing wrong with openssl package, package Makefile is just not yet fully adapted to work with openssl engines (imho it is compile time issue). It needs to be rewritten a little.

Jiri

On 2.5.2013 8:10, valent.turko...@gmail.com wrote:
> What do strace logs show? How long ago were engines removed from openssl? Did upstream change some things that introduce bugs in openwrt?
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
I had missed package with engines ;) Now I got images built correctly and installed on CF card.

Can you or somebody else check out what is the issue?

Please connect to:
ssh r...@valentt.no-ip.org -p 22001
password is openwrt
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
On Tue, Apr 30, 2013 at 9:36 PM, valent.turko...@gmail.com valent.turko...@gmail.com wrote:
> I had missed package with engines ;) Now I got images built correctly and installed on CF card.
>
> Can you or somebody else check out what is the issue?
>
> Please connect to:
> ssh r...@valentt.no-ip.org -p 22001
> password is openwrt

I see few connections, did anybody get debug logs?
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
On 30.4.2013 22:08, valent.turko...@gmail.com wrote:
> On Tue, Apr 30, 2013 at 9:36 PM, valent.turko...@gmail.com valent.turko...@gmail.com wrote:
>> I had missed package with engines ;) Now I got images built correctly and installed on CF card.
>>
>> Can you or somebody else check out what is the issue?
>>
>> Please connect to:
>> ssh r...@valentt.no-ip.org -p 22001
>> password is openwrt
>
> I see few connections, did anybody get debug logs?

Hey,

the first thing I see is:

[8.341688] padlock_aes: Unknown symbol blkcipher_walk_done (err 0)
[8.360643] padlock_aes: Unknown symbol blkcipher_walk_virt (err 0)
[8.379562] padlock_aes: Unknown symbol crypto_blkcipher_type (err 0)

Could you try to enable package kmod-crypto-manager that enables CONFIG_CRYPTO_BLKCIPHER in kernel config and loads specific kernel modules? I actually do not know where the problem is, but the unknown symbol error messages should disappear.

Jiri
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
On Tue, Apr 30, 2013 at 10:46 PM, Jiri Slachta slac...@cesnet.cz wrote:
> On 30.4.2013 22:08, valent.turko...@gmail.com wrote:
>> On Tue, Apr 30, 2013 at 9:36 PM, valent.turko...@gmail.com valent.turko...@gmail.com wrote:
>>> I had missed package with engines ;) Now I got images built correctly and installed on CF card.
>>>
>>> Can you or somebody else check out what is the issue?
>>>
>>> Please connect to:
>>> ssh r...@valentt.no-ip.org -p 22001
>>> password is openwrt
>>
>> I see few connections, did anybody get debug logs?
>
> Hey,
>
> the first thing I see is:
>
> [8.341688] padlock_aes: Unknown symbol blkcipher_walk_done (err 0)
> [8.360643] padlock_aes: Unknown symbol blkcipher_walk_virt (err 0)
> [8.379562] padlock_aes: Unknown symbol crypto_blkcipher_type (err 0)
>
> Could you try to enable package kmod-crypto-manager that enables CONFIG_CRYPTO_BLKCIPHER in kernel config and loads specific kernel modules? I actually do not know where the problem is, but the unknown symbol error messages should disappear.
>
> Jiri

New firmware is now on CF card with kmod-crypto-manager, I still see same issue, but please check it yourself.
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
I had some issues with .config file and latest trunk images so I started fresh. Here are the steps I did:

svn checkout svn://svn.openwrt.org/openwrt/trunk/
cd trunk
cp ../openssl.diff .
patch -p0 < openssl.diff
./scripts/feeds update -a
./scripts/feeds install -a
make defconfig
make prereq
make menuconfig
- Target System (*) x86
- libraries SSL (*) libopenssl Configuration (*) Crypto acceleration, (*) Digests acceleration support
- Kernel modules Cryptographic API modules (*) kmod-crypto-hw-padlock
- Utilities (*) openssl-util
ionice -c 3 nice -n 20 make -j 2

Now I again get no engines! :( What am I doing wrong?

Fastest way to check is to open bin/x86/openwrt-x86-generic-rootfs.tar.gz and see if there are any files located in /usr/lib/engines/ directory.

Can somebody redo these steps and see if you also get no engine libraries.

Cheers,
Valent.

[1] https://dl.dropboxusercontent.com/u/184632/openssl.diff
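The check described in the message above, as an added example that is not part of the original post: it lists the engine libraries packed into the rootfs archive and confirms the three .config options named elsewhere in this thread. The function names are this example's own.

```shell
#!/bin/sh
# .config options this thread says must be set for engine support.
REQUIRED_OPTS="CONFIG_PACKAGE_libopenssl CONFIG_OPENSSL_ENGINE_CRYPTO CONFIG_OPENSSL_ENGINE_DIGEST"

# missing_opts CONFIG_FILE: print every required option that is not "=y".
missing_opts() {
    for opt in $REQUIRED_OPTS; do
        grep -qx "$opt=y" "$1" || echo "$opt"
    done
}

# list_engines ROOTFS_TARBALL: print the libraries packed directly under
# usr/lib/engines/ (archive members may or may not start with "./").
list_engines() {
    tar -tzf "$1" | sed -n 's|^\(\./\)\{0,1\}usr/lib/engines/\([^/]*\.so\)$|\2|p'
}

# check_image CONFIG_FILE ROOTFS_TARBALL: return 0 only when the config is
# complete and at least one engine library made it into the image.
check_image() {
    rc=0
    miss=$(missing_opts "$1")
    if [ -n "$miss" ]; then
        echo "not set in $1:" $miss
        rc=1
    fi
    engines=$(list_engines "$2")
    if [ -z "$engines" ]; then
        echo "no files under usr/lib/engines/ in $2"
        rc=1
    else
        echo "engines in image:" $engines
    fi
    return $rc
}

# Stand-alone use:
#   sh check.sh .config bin/x86/openwrt-x86-generic-rootfs.tar.gz
if [ "$#" -eq 2 ]; then
    check_image "$1" "$2"
fi
```

A complete config with an empty engine listing reproduces the symptom in this thread: the libraries are built but never installed into the image.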
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
Is there anything else that should be done to get padlock working?
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
I meant lack of hardware support for engine padlock. I should read my mail first before I send it.

On 6.4.2013 17:32, Jiri Slachta wrote:
> Hello Valent,
>
> I am sorry for late response. I am unable to locate the problem between engine and openssl engine due to lack of hardware I use.
>
> I'd suggest at first try stracing to use gdb to debug and locate, what openssl needs to run with engine libraries. I am not that experienced in debugging with gdb, so I can't give you a hand in this. :-( If you can paste your log to pastebin and provide links to it, I am sure that someone will take a look at it (at least I will).
>
> Jiri
>
> On 6.4.2013 10:13, valent.turko...@gmail.com wrote:
>> Is there anything else that should be done to get padlock working?
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
Hello Valent,

I think it is not the openssl lib fault. If you take a look at:

[ 423.683985] padlock_sha: Fallback driver 'sha1' could not be loaded!
[ 423.703224] BUG: unable to handle kernel NULL pointer dereference at 0052
[ 423.713155] IP: [f8883103] init_module+0x9b3/0xb20 [cryptosoft]

It says that it can't load sha1 kernel module. I would recommend you to enable kmod-crypto-sha1 and kmod-crypto-sha256 in menuconfig and try it again.

Good luck with that. Do not hesitate to ask if you need any info.

Jiri
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
Thanks for sticking with me, I appreciate it a lot.

I figured out that I was missing kernel module for sha1 and now with that module compiled I get this error:

invalid engine padlock
3078260360:error:2506406A:lib(37):func(100):reason(106):NA:0:symname(bind_engine): Unable to resolve symbol
3078260360:error:2506C06A:lib(37):func(108):reason(106):NA:0:
3078260360:error:260B6068:lib(38):func(182):reason(104):NA:0:
3078260360:error:2606A074:lib(38):func(106):reason(116):NA:0:id=padlock
3078260360:error:25066067:lib(37):func(102):reason(103):NA:0:filename(libpadlock.so): File not found
3078260360:error:25070067:lib(37):func(112):reason(103):NA:0:
3078260360:error:260B6084:lib(38):func(182):reason(132):NA:0:

Strange bit is that module is located in /usr/lib/engines and previous error mentioned that full path is missing, now error is a bit vague because file libpadlock is there where it should be... after deleting the libpadlock I get this error:

rm /usr/lib/engines/libpadlock.so
invalid engine padlock
3078284936:error:25066067:lib(37):func(102):reason(103):NA:0:filename(/usr/lib/engines/libpadlock.so): File not found
3078284936:error:25070067:lib(37):func(112):reason(103):NA:0:
3078284936:error:260B6084:lib(38):func(182):reason(132):NA:0:
3078284936:error:2606A074:lib(38):func(106):reason(116):NA:0:id=padlock
3078284936:error:25066067:lib(37):func(102):reason(103):NA:0:filename(libpadlock.so): File not found
3078284936:error:25070067:lib(37):func(112):reason(103):NA:0:
3078284936:error:260B6084:lib(38):func(182):reason(132):NA:0:

So my guess is that there is an issue with libpadlock engine file, right?
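The error queue in the message above shows only numeric lib/func/reason fields because OpenSSL's error strings are not loaded. The following added example (not part of the original post or of OpenSSL) unpacks the hex code and names the reasons that occur in this thread; the reason names are the constants from OpenSSL 1.0.x dso.h and engine.h, and the shell function names are this example's own.

```shell
#!/bin/sh
# Decode packed OpenSSL 1.0.x error codes: lib = bits 24-31,
# func = bits 12-23, reason = bits 0-11 of the 32-bit value.

lib_name() {
    case "$1" in
        37) echo DSO ;;
        38) echo ENGINE ;;
        *)  echo "lib$1" ;;
    esac
}

# reason_name LIB REASON: only the reasons seen in this thread are named.
reason_name() {
    case "$1:$2" in
        37:103) echo DSO_R_LOAD_FAILED ;;
        37:106) echo DSO_R_SYM_FAILURE ;;
        38:104) echo ENGINE_R_DSO_FAILURE ;;
        38:116) echo ENGINE_R_NO_SUCH_ENGINE ;;
        38:132) echo ENGINE_R_DSO_NOT_FOUND ;;
        *)      echo "reason$2" ;;
    esac
}

# decode_code HEX: print "LIB REASON func=N" for one 8-digit code.
decode_code() {
    code=$((0x$1))
    lib=$(( (code >> 24) & 0xff ))
    func=$(( (code >> 12) & 0xfff ))
    reason=$(( code & 0xfff ))
    echo "$(lib_name "$lib") $(reason_name "$lib" "$reason") func=$func"
}

# decode_queue: read error-queue lines on stdin, print one decoded line each;
# lines that are not "tid:error:..." records are skipped.
decode_queue() {
    while IFS=: read -r _tid tag hex _lib _func _reason _file _line data; do
        [ "$tag" = error ] || continue
        echo "$(decode_code "$hex")${data:+ [$data]}"
    done
}

# Sample input: three lines copied from the message above.
decode_queue <<'EOF'
3078260360:error:2506406A:lib(37):func(100):reason(106):NA:0:symname(bind_engine): Unable to resolve symbol
3078260360:error:2606A074:lib(38):func(106):reason(116):NA:0:id=padlock
3078260360:error:25066067:lib(37):func(102):reason(103):NA:0:filename(libpadlock.so): File not found
EOF
```

The first record decodes to DSO_R_SYM_FAILURE for bind_engine, meaning the shared object was opened but the symbol lookup failed, which is a different failure from the DSO_R_LOAD_FAILED reported for a file that cannot be loaded.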
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
You are awesome! I'll test is tomorrow. On 27 Mar 2013 01:58, Jiri Slachta slac...@cesnet.cz wrote: Hello Valent, those engine libraries are not installed because of /install macro of openssl package. I've prepared a small unofficial patch for you, it's a package libopenssl-engines. If it should be official, I suppose it should be rewritten a little into separate engine packages. You can grab my patch by URL below: http://suzelly.opf.slu.cz/~sla463/openssl.diff or here's the diff for openssl package to be applied from the root of openwrt src directory. I hope that patchwork skips this patch. ~ Jiri Slachta Index: package/libs/openssl/patches/140-makefile-dirs.patch === --- package/libs/openssl/patches/140-makefile-dirs.patch(revision 36132) +++ package/libs/openssl/patches/140-makefile-dirs.patch(working copy) @@ -5,7 +5,7 @@ BASEADDR= -DIRS= crypto ssl engines apps test tools -+DIRS= crypto ssl apps ++DIRS= crypto ssl engines apps ENGDIRS= ccgost SHLIBDIRS= crypto ssl Index: package/libs/openssl/patches/150-no_engines.patch === --- package/libs/openssl/patches/150-no_engines.patch (revision 36132) +++ package/libs/openssl/patches/150-no_engines.patch (working copy) 
@@ -1,81 +0,0 @@ a/Configure -+++ b/Configure -@@ -2003,6 +2003,11 @@ EOF - close(OUT); - } - -+# ugly hack to disable engines -+if($target eq mingwx) { -+ system(sed -e s/^LIB/XLIB/g -i engines/Makefile); -+} -+ - print EOF; - - Configured for $target. a/util/libeay.num -+++ b/util/libeay.num -@@ -2071,7 +2071,6 @@ PKCS7_ATTR_SIGN_it - UI_add_error_string 2633 EXIST::FUNCTION: - KRB5_CHECKSUM_free 2634 EXIST::FUNCTION: - OCSP_REQUEST_get_ext2635 EXIST::FUNCTION: --ENGINE_load_ubsec 2636 EXIST::FUNCTION:ENGINE,STATIC_ENGINE - ENGINE_register_all_digests 2637 EXIST::FUNCTION:ENGINE - PKEY_USAGE_PERIOD_it2638 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: - PKEY_USAGE_PERIOD_it2638 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -@@ -2545,7 +2544,6 @@ OCSP_RESPONSE_new - AES_set_encrypt_key 3024 EXIST::FUNCTION:AES - OCSP_resp_count 3025 EXIST::FUNCTION: - KRB5_CHECKSUM_new 3026 EXIST::FUNCTION: --ENGINE_load_cswift 3027 EXIST::FUNCTION:ENGINE,STATIC_ENGINE - OCSP_onereq_get0_id 3028 EXIST::FUNCTION: - ENGINE_set_default_ciphers 3029 EXIST::FUNCTION:ENGINE - NOTICEREF_it3030 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -@@ -2576,7 +2574,6 @@ ASN1_primitive_free - i2d_EXTENDED_KEY_USAGE 3052 EXIST::FUNCTION: - i2d_OCSP_SIGNATURE 3053 EXIST::FUNCTION: - asn1_enc_save 3054 EXIST::FUNCTION: --ENGINE_load_nuron 3055 EXIST::FUNCTION:ENGINE,STATIC_ENGINE - _ossl_old_des_pcbc_encrypt 3056 EXIST::FUNCTION:DES - PKCS12_MAC_DATA_it 3057 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: - PKCS12_MAC_DATA_it 3057 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -@@ -2600,7 +2597,6 @@ asn1_get_choice_selector - i2d_KRB5_CHECKSUM 3072 EXIST::FUNCTION: - ENGINE_set_table_flags 3073 EXIST::FUNCTION:ENGINE - AES_options 3074 EXIST::FUNCTION:AES --ENGINE_load_chil3075 EXIST::FUNCTION:ENGINE,STATIC_ENGINE - OCSP_id_cmp 3076 EXIST::FUNCTION: - OCSP_BASICRESP_new 3077 EXIST::FUNCTION: - OCSP_REQUEST_get_ext_by_NID 3078 EXIST::FUNCTION: -@@ -2667,7 +2663,6 @@ OCSP_CRLID_it - OCSP_CRLID_it 3127 
EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: - i2d_KRB5_AUTHENTBODY3128 EXIST::FUNCTION: - OCSP_REQUEST_get_ext_count 3129 EXIST::FUNCTION: --ENGINE_load_atalla 3130 EXIST::FUNCTION:ENGINE,STATIC_ENGINE - X509_NAME_it3131 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: - X509_NAME_it3131 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: - USERNOTICE_it 3132 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -@@ -2762,8 +2757,6 @@ DES_read_2passwords - DES_read_password 3207 EXIST::FUNCTION:DES - UI_UTIL_read_pw 3208 EXIST::FUNCTION: - UI_UTIL_read_pw_string 3209 EXIST::FUNCTION: --ENGINE_load_aep 3210 EXIST::FUNCTION:ENGINE,STATIC_ENGINE --ENGINE_load_sureware3211
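Review bot: in 140-makefile-dirs.patch the replacement line `++DIRS= crypto ssl engines apps` turns the engines build on for every target, and 150-no_engines.patch is deleted outright (`@@ -1,81 +0,0 @@`), which also leaves the ENGINE_load_ubsec, ENGINE_load_cswift, ENGINE_load_nuron, ENGINE_load_chil, ENGINE_load_atalla and ENGINE_load_aep entries in util/libeay.num for all builds. Consider making both changes conditional on the existing CONFIG_OPENSSL_ENGINE_CRYPTO option so images without crypto hardware stay as they were, and, as the cover text already proposes, shipping each engine as its own package rather than one libopenssl-engines bundle. The patch as shown is cut off after the ENGINE_load_sureware line, so the package Makefile part that installs the engine libraries cannot be reviewed from here.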
Re: [OpenWrt-Devel] how to enable openssl hardware encryption engine ?
Who is responsible openssl patches? I can't get openssl engines to be included in final openwrt image, libraries for engines get compiled but not copied into final image... I used menuconfig (libsSSLopenssl stuff) to include engines etc. your .config should have these parameters set: CONFIG_PACKAGE_libopenssl=y CONFIG_OPENSSL_ENGINE_CRYPTO=y CONFIG_OPENSSL_ENGINE_DIGEST=y And then there is a manual step needed : edit package/libs/openssl/patches/140-makefile-dirs.patch to include building the engines # cat package/libs/openssl/patches/140-makefile-dirs.patch --- a/Makefile.org +++ b/Makefile.org @@ -135,7 +135,7 @@ FIPSCANLIB= BASEADDR= -DIRS= crypto ssl engines apps test tools +DIRS= crypto ssl engines apps ENGDIRS= ccgost SHLIBDIRS= crypto ssl ### and remove package/libs/openssl/patches/150-no_engines.patch But still don't get engines to be included into final openwrt image... ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
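Review bot: the `+DIRS= crypto ssl engines apps` line in the 140-makefile-dirs.patch hunk only gets the engines directory compiled; nothing in it changes what the package installs, which matches the symptom reported around it (libraries compiled but not copied into the final image). The package's install step also needs to copy the built engine libraries into /usr/lib/engines, and removing 150-no_engines.patch belongs in the same change rather than as a separate manual step.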
[OpenWrt-Devel] how to enable openssl hardware encryption engine ?
Hi,

I have hardware capable of using VIA padlock encryption engine but it is far from trivial to get it working on openwrt.

I didn't find any documentation regarding openssl engine support in openwrt, only one mention on this mailing list, a patch being submitted over two years ago...

So any help is much appreciated. Also if it is not possible to use padlock openssl engine also tell me and put me out of my misery ;)

when I try to use openssl -engine padlock on stock openwrt I get error that libpadlock.so file is missing:

(/usr/lib/engines/libpadlock.so): File not found

Is there any package that has this library so that I can just install it?

I followed instructions on the wiki:
http://wiki.openwrt.org/inbox/benchmark.openssl#enable.hardware.acceleration

my custom openwrt image has now openssl with enabled hardware encryption but I still get the same missing engine library error...

So I'm running in circles and don't see a way out...

Some guys from Belgian hackerspace did manage to pull this out (or at least it seems so to me) but they are sparse with the information on how they did that:
http://hackerspace.be/AllHands

There is a discussion also on the forum:
https://forum.openwrt.org/viewtopic.php?id=42879

Any help is much appreciated!

Cheers,
Valent.