Summary: security/openssl padlock patch location
Product: Ports & Packages
Reporter: dewayne
Component: Individual Port(s)
Assignee: Bernard Spil <brnrd>
Severity: Affects Some People
CC: mojolicious, rene
Description dewayne 2018-05-03 09:19:19 UTC
There was some difficulty in locating the padlock patch for openssl 1.0.2o. Perhaps this should be placed at the top of the selection list.

https://git.alpinelinux.org/cgit/aports/plain/main/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch

The file is the same size and sha256 value per /usr/ports/security/openssl/distinfo
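The size and sha256 comparison against distinfo mentioned in the description, as an added example that is not part of the original report or the ports tree. It assumes the usual distinfo line format (`SHA256 (name) = hex`, `SIZE (name) = bytes`); the function names, `sample.patch` and its contents are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Matches "SHA256 (file) = <hex>" and "SIZE (file) = <bytes>"; TIMESTAMP lines are skipped.
_ENTRY = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            key, name, value = m.groups()
            entries.setdefault(name, {})[key] = int(value) if key == "SIZE" else value.lower()
    return entries

def verify(path, distinfo_text, name=None):
    """Check a fetched file against distinfo; name defaults to the file's basename."""
    want = parse_distinfo(distinfo_text).get(name or os.path.basename(path))
    if not want or "SHA256" not in want or "SIZE" not in want:
        return "no-entry"            # refuse files distinfo does not fully describe
    if os.path.getsize(path) != want["SIZE"]:
        return "size-mismatch"       # cheap check before hashing
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == want["SHA256"] else "sha256-mismatch"

def demo():
    """Constructed sample: a stand-in patch file and a distinfo that matches it."""
    body = b"--- a/crypto/engine/eng_all.c\n+++ b/crypto/engine/eng_all.c\n"
    distinfo = "TIMESTAMP = 0\nSHA256 (sample.patch) = %s\nSIZE (sample.patch) = %d\n" % (
        hashlib.sha256(body).hexdigest(), len(body))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.patch")
        with open(path, "wb") as f:
            f.write(body)
        good = verify(path, distinfo)
        with open(path, "ab") as f:          # simulate a modified download
            f.write(b"+tampered\n")
        bad = verify(path, distinfo)
        missing = verify(path, distinfo, name="other.patch")
    return good, bad, missing

if __name__ == "__main__":
    print(demo())
```

When the port sets a distribution subdirectory, the distinfo entry name carries that prefix, so pass it explicitly through `name`.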
Comment 1 Evgeny 2019-04-04 17:03:11 UTC
These padlock patches break openssl functionality (atm 1.0.2r). I've checked this: I just downloaded them, placed them into the corresponding port build directory and checked "VIA padlock" when configuring the build. As a result, while openssl built successfully, openvpn causes a 'segmentation fault' error at start, and strongswan doesn't work either. OpenVPN and StrongSwan were built from ports and linked with the 1.0.x openssl port's version.

Looks like FreeBSD doesn't care about the openssl padlock engine, but cryptodev. I've got padlock acceleration working thanks to adding a make option to the StrongSwan port's Makefile, smth like --enable-padlock. Atm the make option isn't present (maybe patch this?). Make sure you enabled the option padlock_enable="YES" in /etc/rc.conf or WITH_PADLOCK="YES" in the kernel configuration file. According to swanctl --log and a few benchmarks I performed, I can conclude that strongswan works nicely with the padlock kernel module. (ike=aes128-aes256-sha1-modp1204; esp=aes128-aes256-sha1)

Unfortunately, openvpn padlock acceleration goes away...
Comment 2 Rene Ladan 2019-12-31 16:21:42 UTC
FYI, security/openssl is being removed today.