Subject: bin/32414: openssl can no longer leverage opencrypto since recent import
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <ijk@speakeasy.net>
List: netbsd-bugs
Date: 12/29/2005 21:25:00
>Number: 32414
>Category: bin
>Synopsis: openssl can no longer leverage opencrypto since recent import
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Dec 29 21:25:00 +0000 2005
>Originator: Jeff Ito
>Release: NetBSD 3.99.14
>Organization:
>Environment:
NetBSD 3.99.14 (LAB) #0: Wed Dec 21 11:01:54 EST 2005
>Description:
It appears that since the recent openssl import, hardware crypto via
openssl is broken.
In the past
$ openssl engine
would yield
(cryptodev) BSD cryptodev engine
(dynamic) Dynamic engine loading support
(cswift) CryptoSwift hardware engine support
(chil) nCipher hardware engine support
(atalla) Atalla hardware engine support
(nuron) Nuron hardware engine support
(ubsec) UBSEC hardware engine support
(aep) Aep hardware engine support
(sureware) SureWare hardware engine support
(4758cca) IBM 4758 CCA hardware engine support
Now I see
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(padlock) VIA PadLock (no-RNG, no-ACE)
I do see this in openssl CHANGES
----
*) Change the ENGINE framework to automatically load engines
dynamically from specific directories unless they could be
found to already be built in or loaded. Move all the
current engines except for the cryptodev one to a new
directory engines/.
The engines in engines/ are built as shared libraries if
the "shared" options was given to ./Configure or ./config.
Otherwise, they are inserted in libcrypto.a.
/usr/local/ssl/engines is the default directory for dynamic
engines, but that can be overriden at configure time through
the usual use of --prefix and/or --openssldir, and at run
time with the environment variable OPENSSL_ENGINES.
[Geoff Thorpe and Richard Levitte]
----
and
{681} strings libcrypto.so | grep -i cryptodev
ENGINE_setup_bsd_cryptodev
ENGINE_load_cryptodev
That said,
* it doesn't seem to be "just working" transparently, as the
speed tests show ~identical results on the machine w/ and w/o the hifn
card.
* rndctl shows the card is functioning as RNG
>How-To-Repeat:
$ openssl engine
or
$ openssl speed -engine cryptodev
>Fix:
unknown.
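
The regression in this report can be checked mechanically by comparing the engine ids in the two `openssl engine` listings. The script below is an added example, not part of the original report or of NetBSD/OpenSSL; the function names are hypothetical and the two listings are copied from the report.

```shell
#!/bin/sh
# Added example. Listings copied from the report: before and after the import.
BEFORE='(cryptodev) BSD cryptodev engine
(dynamic) Dynamic engine loading support
(cswift) CryptoSwift hardware engine support
(chil) nCipher hardware engine support
(atalla) Atalla hardware engine support
(nuron) Nuron hardware engine support
(ubsec) UBSEC hardware engine support
(aep) Aep hardware engine support
(sureware) SureWare hardware engine support
(4758cca) IBM 4758 CCA hardware engine support'
AFTER='(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(padlock) VIA PadLock (no-RNG, no-ACE)'

# Read "openssl engine" output on stdin, print the sorted engine ids.
# Only the leading "(id)" is taken, so "(no-RNG, no-ACE)" is ignored.
engine_ids() {
    sed -n 's/^[[:space:]]*(\([^)]*\)).*/\1/p' | LC_ALL=C sort -u
}

# engines_lost OLD NEW: ids present in listing OLD but absent from NEW.
engines_lost() {
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' "$1" | engine_ids > "$old"
    printf '%s\n' "$2" | engine_ids > "$new"
    LC_ALL=C comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# has_engine ID: succeed if the listing on stdin contains engine ID.
has_engine() {
    engine_ids | grep -Fqx -- "$1"
}

echo "lost:   $(engines_lost "$BEFORE" "$AFTER")"
echo "gained: $(engines_lost "$AFTER" "$BEFORE")"
```

On a live system, `openssl engine | has_engine cryptodev` gives the same check as an exit status, which is useful because a missing engine otherwise shows up only as unchanged `openssl speed` numbers.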