Re: [openssl-users] af_alg engine: digests work but ciphers do not?
I've spent the last few days configuring the cryptodev engine on my platform and I am also seeing the same behavior with that engine as I did with af_alg. It seems like OpenSSL does not even attempt to use the engine for ciphers. My next step is to start plowing through the openssl code to figure out how control is supposed to get passed to an engine - I believe this happens in evp_enc.c. Something tells me I'm just missing something fundamental here... like a configuration option on build or maybe something I missed in openssl.conf.

Does anybody have any expertise in this?

Charles A. Barbe
Senior Software Engineer
Allworx, a Windstream company
245 East Main St | Rochester NY | 14604
charles.ba...@allworx.com | 585.421.5565

From: openssl-users [openssl-users-boun...@openssl.org] on behalf of Barbe, Charles [charles.ba...@allworx.com]
Sent: Wednesday, April 15, 2015 5:43 PM
To: openssl-users@openssl.org
Subject: [openssl-users] af_alg engine: digests work but ciphers do not?

I'm wondering if anybody has any experience with the af_alg engine located here: http://src.carnivore.it/users/common/af_alg/about/

I am able to compile the engine and can run commands such as:

    openssl speed md5 -engine af_alg

and I see that openssl has loaded the engine as indicated by this line in the output:

    engine af_alg set

and can enable dmesg logging on the linux driver for my particular hardware and see that the driver is being used as expected.

However, if I try to do a cipher instead of a digest, my driver is not used. For example, when I run:

    openssl speed aes-256-cbc -engine af_alg

I see the engine get loaded but my dmesg logging indicates that the kernel driver was not used. And I get the same results for any of my supported ciphers.

I have followed all the instructions in the URL located above including modifying my openssl.conf to include the proper configuration of the supported ciphers for my hardware but to no avail.

Here is what the top of my openssl.conf looks like:

    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    #

    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME= .
    RANDFILE= $ENV::HOME/.rnd

    # Extra OBJECT IDENTIFIER info:
    #oid_file = $ENV::HOME/.oid
    oid_section = new_oids

    openssl_conf = openssl_def

    [openssl_def]
    engines = openssl_engines

    [openssl_engines]
    af_alg = af_alg_engine

    [af_alg_engine]
    default_algorithms = ALL
    CIPHERS=aes-128-cbc aes-192-cbc aes-256-cbc des-cbc des-ede3-cbc
    DIGESTS=md4 md5 sha1 sha224 sha256 sha512

    # To use this configuration file with the -extfile option of the
    # openssl x509 utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions=
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)

    [ new_oids ]

    # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

For reference, I am running the following:

    linux kernel v 3.19
    openssl v 1.0.1m
    running on a TI am3352

Any help on why digests seem to be working with the af_alg engine but ciphers do not would be much appreciated.

Charles A. Barbe
Senior Software Engineer
Allworx, a Windstream company
245 East Main St | Rochester NY | 14604
charles.ba...@allworx.com | 585.421.5565

--
This email message and any attachments are for the sole use of the intended recipient(s). Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] af_alg engine: digests work but ciphers do not?
On Tue, Apr 21, 2015, Barbe, Charles wrote:

> I've spent the last few days configuring the cryptodev engine on my platform and I am also seeing the same behavior with that engine as I did with af_alg. It seems like OpenSSL does not even attempt to use the engine for ciphers. My next step is to start plowing through the openssl code to figure out how control is supposed to get passed to an engine - I believe this happens in evp_enc.c. Something tells me I'm just missing something fundamental here... like a configuration option on build or maybe something I missed in openssl.conf.
>
> [snip]
>
> However, if I try to do a cipher instead of a digest, my driver is not used. For example, when I run:
>
>     openssl speed aes-256-cbc -engine af_alg

The speed command uses EVP for all digest operations but uses low level APIs for cipher operations when you don't include the -evp option. ENGINEs only work at the EVP level so your above command will just use the built in ciphers.

If instead you do:

    openssl speed -evp aes-256-cbc

It should work if you've set up an ENGINE to provide the default implementation.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
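Added example, not part of the thread and not OpenSSL or af_alg project code: since only EVP-level calls reach an ENGINE, a useful check besides dmesg is whether the process ever bound an AF_ALG socket for the cipher in question. The function names, the sample traces (constructed, not captured) and the assumption that strace decodes AF_ALG binds in the form shown are specific to this example.

```shell
#!/bin/sh
# Added example. Capture a trace first, for instance:
#   strace -f -e trace=socket,bind -o trace.log \
#       openssl speed -evp aes-256-cbc -engine af_alg

# Map an OpenSSL name from the posted openssl.conf to "<salg_type> <kernel name>".
kernel_alg() {
    case "$1" in
        aes-128-cbc|aes-192-cbc|aes-256-cbc) echo "skcipher cbc(aes)" ;;
        des-cbc)      echo "skcipher cbc(des)" ;;
        des-ede3-cbc) echo "skcipher cbc(des3_ede)" ;;
        md4|md5|sha1|sha224|sha256|sha512) echo "hash $1" ;;
        *) return 1 ;;
    esac
}

# offload_status ALG < trace.log
# Prints "offloaded" if the trace holds a successful AF_ALG bind for ALG,
# "software" if not, "unknown" if ALG is not in the table above.
offload_status() {
    want=$(kernel_alg "$1") || { echo unknown; return 2; }
    atype=${want%% *}
    aname=${want#* }
    # A bind that returned an error means the kernel refused the algorithm,
    # so only lines ending in ") = 0" count.
    if grep -F 'sa_family=AF_ALG' |
       grep -F "salg_type=\"$atype\"" |
       grep -F "salg_name=\"$aname\"" |
       grep -q -E '\) = 0$'; then
        echo offloaded
    else
        echo software
    fi
}

# Constructed sample traces (assumed strace format, not real captures).
TRACE_DIGEST_ONLY='socket(AF_ALG, SOCK_SEQPACKET, 0) = 3
bind(3, {sa_family=AF_ALG, salg_type="hash", salg_feat=0, salg_mask=0, salg_name="md5"}, 88) = 0'
TRACE_EVP='socket(AF_ALG, SOCK_SEQPACKET, 0) = 3
bind(3, {sa_family=AF_ALG, salg_type="skcipher", salg_feat=0, salg_mask=0, salg_name="cbc(aes)"}, 88) = 0'
TRACE_FAILED='socket(AF_ALG, SOCK_SEQPACKET, 0) = 3
bind(3, {sa_family=AF_ALG, salg_type="skcipher", salg_feat=0, salg_mask=0, salg_name="cbc(des)"}, 88) = -1 ENOENT (No such file or directory)'

# Demo on the constructed EVP trace.
printf '%s\n' "$TRACE_EVP" | offload_status aes-256-cbc
```

A "software" verdict for a cipher alongside "offloaded" for a digest in the same setup is the pattern the thread describes for `openssl speed` without `-evp`.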
Re: [openssl-users] af_alg engine: digests work but ciphers do not?
That was it... thank you so much!!!

Charles A. Barbe
Senior Software Engineer
Allworx, a Windstream company
245 East Main St | Rochester NY | 14604
charles.ba...@allworx.com | 585.421.5565

From: openssl-users [openssl-users-boun...@openssl.org] on behalf of Dr. Stephen Henson [st...@openssl.org]
Sent: Tuesday, April 21, 2015 10:05 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] af_alg engine: digests work but ciphers do not?

On Tue, Apr 21, 2015, Barbe, Charles wrote:

> I've spent the last few days configuring the cryptodev engine on my platform and I am also seeing the same behavior with that engine as I did with af_alg. It seems like OpenSSL does not even attempt to use the engine for ciphers. My next step is to start plowing through the openssl code to figure out how control is supposed to get passed to an engine - I believe this happens in evp_enc.c. Something tells me I'm just missing something fundamental here... like a configuration option on build or maybe something I missed in openssl.conf.
>
> [snip]
>
> However, if I try to do a cipher instead of a digest, my driver is not used. For example, when I run:
>
>     openssl speed aes-256-cbc -engine af_alg

The speed command uses EVP for all digest operations but uses low level APIs for cipher operations when you don't include the -evp option. ENGINEs only work at the EVP level so your above command will just use the built in ciphers.

If instead you do:

    openssl speed -evp aes-256-cbc

It should work if you've set up an ENGINE to provide the default implementation.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
[openssl-users] af_alg engine: digests work but ciphers do not?
I'm wondering if anybody has any experience with the af_alg engine located here: http://src.carnivore.it/users/common/af_alg/about/

I am able to compile the engine and can run commands such as:

    openssl speed md5 -engine af_alg

and I see that openssl has loaded the engine as indicated by this line in the output:

    engine af_alg set

and can enable dmesg logging on the linux driver for my particular hardware and see that the driver is being used as expected.

However, if I try to do a cipher instead of a digest, my driver is not used. For example, when I run:

    openssl speed aes-256-cbc -engine af_alg

I see the engine get loaded but my dmesg logging indicates that the kernel driver was not used. And I get the same results for any of my supported ciphers.

I have followed all the instructions in the URL located above including modifying my openssl.conf to include the proper configuration of the supported ciphers for my hardware but to no avail.

Here is what the top of my openssl.conf looks like:

    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    #

    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME= .
    RANDFILE= $ENV::HOME/.rnd

    # Extra OBJECT IDENTIFIER info:
    #oid_file = $ENV::HOME/.oid
    oid_section = new_oids

    openssl_conf = openssl_def

    [openssl_def]
    engines = openssl_engines

    [openssl_engines]
    af_alg = af_alg_engine

    [af_alg_engine]
    default_algorithms = ALL
    CIPHERS=aes-128-cbc aes-192-cbc aes-256-cbc des-cbc des-ede3-cbc
    DIGESTS=md4 md5 sha1 sha224 sha256 sha512

    # To use this configuration file with the -extfile option of the
    # openssl x509 utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions=
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)

    [ new_oids ]

    # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

For reference, I am running the following:

    linux kernel v 3.19
    openssl v 1.0.1m
    running on a TI am3352

Any help on why digests seem to be working with the af_alg engine but ciphers do not would be much appreciated.

Charles A. Barbe
Senior Software Engineer
Allworx, a Windstream company
245 East Main St | Rochester NY | 14604
charles.ba...@allworx.com | 585.421.5565