Bug 164795 - Add Via Padlock support to security/openssl (patch included)
Summary: Add Via Padlock support to security/openssl (patch included)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Dirk Meyer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-05 12:40 UTC by stadtkind2
Modified: 2012-06-16 01:03 UTC (History)
0 users

See Also:


Attachments
file.diff (724 bytes, patch)
2012-02-05 12:40 UTC, stadtkind2
no flags Details | Diff
file.diff (1.59 KB, patch)
2012-02-05 12:40 UTC, stadtkind2
no flags Details | Diff
openssl.patch (2.30 KB, patch)
2012-06-08 22:58 UTC, stadtkind2
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description stadtkind2 2012-02-05 12:40:08 UTC
Via Padlock support in OpenSSL is suboptimal at the moment, the attached patch adds some 3rd party openssl patches to enable full support for Via Padlock CPUs:

$ dmesg | grep CPU
CPU: VIA Nano U3300@1200MHz (1197.03-MHz K8-class CPU)
$ /usr/local/bin/openssl engine -c -tt
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(padlock) VIA PadLock: RNG ACE2 PHE PMM NANO
 [AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB, SHA1, DSA, SHA224, SHA256]
     [ available ]
$ /usr/local/bin/openssl speed sha1 sha256 hmac-sha1 -engine padlock
engine "padlock" set.
..
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1             31285.09k    93837.78k   216682.72k   322326.58k   376196.59k
sha256           28490.06k    84352.09k   190977.55k   279109.44k   322914.87k
hmac(sha1)       11233.03k    40204.20k   122229.52k   249804.46k   361585.79k

Fix: +.if defined(WITH_PADLOCK)
+PATCH_DIST_STRIP= -p1
+PATCH_SITES+=  http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock
+PATCHFILES+=   0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \
+       0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch:padlock \
+       0003-engines-e_padlock-backport-cvs-head-changes.patch:padlock \
+       0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \
+       0005-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock
+.endif
+
 .if defined(WITH_GMP)
 EXTRACONFIGURE+=       enable-gmp
 IGNORE=                GMP is LGPLv3 an can not be linked.
How-To-Repeat: There's no support for Via CPUs's sha1/sha224/sha256/hmac-sha1 in OpenSSL. Running "/usr/local/bin/openssl speed sha1 sha256 hmac-sha1 -engine padlock" will not make use of hw accel.

The third patch (0003-engines-e_padlock-backport-cvs-head-changes.patch) also fixes 64bit issues with newer Via Nano 64bit CPUs.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2012-02-05 12:40:17 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dinoex

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Dirk Meyer freebsd_committer freebsd_triage 2012-02-15 06:55:43 UTC
State Changed
From-To: open->analyzed

patch in testing
Comment 3 Dirk Meyer freebsd_committer freebsd_triage 2012-02-22 05:10:54 UTC
State Changed
From-To: analyzed->feedback


sorry but this don't work well with all other patches. 

===>  Vulnerability check disabled, database not found 
===>  License check disabled, port has not defined LICENSE 
===>  Extracting for openssl-full-current-1.0.0_10 
===>  Vulnerability check disabled, database not found 
===>  License check disabled, port has not defined LICENSE 
=> SHA256 Checksum OK for openssl-1.0.0g/openssl-1.0.0g.tar.gz. 
=> SHA256 Checksum OK for openssl-1.0.0g/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch. 
=> SHA256 Checksum OK for openssl-1.0.0g/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch. 
=> SHA256 Checksum OK for openssl-1.0.0g/0003-engines-e_padlock-backport-cvs-head-changes.patch. 
=> SHA256 Checksum OK for openssl-1.0.0g/0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch. 
=> SHA256 Checksum OK for openssl-1.0.0g/0005-crypto-engine-autoload-padlock-dynamic-engine.patch. 
=> SHA256 Checksum OK for openssl-1.0.0g/dtls-sctp-24.patch. 
===>   openssl-full-current-1.0.0_10 depends on file: /usr/local/bin/perl5.12.4 - found 
===>  Patching for openssl-full-current-1.0.0_10 
===>   openssl-full-current-1.0.0_10 depends on file: /usr/local/bin/perl5.12.4 - found 
===>  Applying distribution patches for openssl-full-current-1.0.0_10 
No file to patch.  Skipping... 
6 out of 6 hunks ignored--saving rejects to bio/bio.h.rej 
Can't create bio/bio.h.rej, output is in /tmp//patchrTUNKFd: No such file or directory 
No file to patch.  Skipping... 
11 out of 11 hunks ignored--saving rejects to bio/bss_dgram.c.rej 
Can't create bio/bss_dgram.c.rej, output is in /tmp//patchrTUNKFd: No such file or directory 
No file to patch.  Skipping... 
1 out of 1 hunks ignored--saving rejects to d1_both.c.rej 
No file to patch.  Skipping... 
13 out of 13 hunks ignored--saving rejects to d1_clnt.c.rej 
No file to patch.  Skipping... 
1 out of 1 hunks ignored--saving rejects to d1_lib.c.rej 
No file to patch.  Skipping... 
8 out of 8 hunks ignored--saving rejects to d1_pkt.c.rej 
No file to patch.  Skipping... 
12 out of 12 hunks ignored--saving rejects to d1_srvr.c.rej 
No file to patch.  Skipping... 
3 out of 3 hunks ignored--saving rejects to dtls1.h.rej 
No file to patch.  Skipping... 
2 out of 2 hunks ignored--saving rejects to ssl3.h.rej 
No file to patch.  Skipping... 
2 out of 2 hunks ignored--saving rejects to ssl_locl.h.rej 
*** Error code 59 

Stop in /usr/ports/current/openssl-full. 
*** Error code 1 

Stop in /usr/ports/current/openssl-full.
Comment 4 stadtkind2 2012-03-04 22:31:43 UTC
On Wed, 22 Feb 2012, dinoex@FreeBSD.org wrote:

> Synopsis: Add Via Padlock support to security/openssl (patch included)
> 
> State-Changed-From-To: analyzed->feedback
> State-Changed-By: dinoex
> State-Changed-When: Wed Feb 22 06:10:54 CET 2012
> State-Changed-Why: 
> 
> sorry but this don't work well with all other patches.
> 
> ===>  Vulnerability check disabled, database not found
> ===>  License check disabled, port has not defined LICENSE
> ===>  Extracting for openssl-full-current-1.0.0_10
> ===>  Vulnerability check disabled, database not found
> ===>  License check disabled, port has not defined LICENSE
> => SHA256 Checksum OK for openssl-1.0.0g/openssl-1.0.0g.tar.gz.
> => SHA256 Checksum OK for openssl-1.0.0g/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch.
> => SHA256 Checksum OK for openssl-1.0.0g/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch.
> => SHA256 Checksum OK for openssl-1.0.0g/0003-engines-e_padlock-backport-cvs-head-changes.patch.
> => SHA256 Checksum OK for openssl-1.0.0g/0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch.
> => SHA256 Checksum OK for openssl-1.0.0g/0005-crypto-engine-autoload-padlock-dynamic-engine.patch.
> => SHA256 Checksum OK for openssl-1.0.0g/dtls-sctp-24.patch.
> ===>   openssl-full-current-1.0.0_10 depends on file: /usr/local/bin/perl5.12.4 - found
> ===>  Patching for openssl-full-current-1.0.0_10
> ===>   openssl-full-current-1.0.0_10 depends on file: /usr/local/bin/perl5.12.4 - found
> ===>  Applying distribution patches for openssl-full-current-1.0.0_10
> No file to patch.  Skipping...
> 6 out of 6 hunks ignored--saving rejects to bio/bio.h.rej
> Can't create bio/bio.h.rej, output is in /tmp//patchrTUNKFd: No such file or directory
> No file to patch.  Skipping...
> 11 out of 11 hunks ignored--saving rejects to bio/bss_dgram.c.rej
> Can't create bio/bss_dgram.c.rej, output is in /tmp//patchrTUNKFd: No such file or directory
> No file to patch.  Skipping...
> 1 out of 1 hunks ignored--saving rejects to d1_both.c.rej
> No file to patch.  Skipping...
> 13 out of 13 hunks ignored--saving rejects to d1_clnt.c.rej
> No file to patch.  Skipping...
> 1 out of 1 hunks ignored--saving rejects to d1_lib.c.rej
> No file to patch.  Skipping...
> 8 out of 8 hunks ignored--saving rejects to d1_pkt.c.rej
> No file to patch.  Skipping...
> 12 out of 12 hunks ignored--saving rejects to d1_srvr.c.rej
> No file to patch.  Skipping...
> 3 out of 3 hunks ignored--saving rejects to dtls1.h.rej
> No file to patch.  Skipping...
> 2 out of 2 hunks ignored--saving rejects to ssl3.h.rej
> No file to patch.  Skipping...
> 2 out of 2 hunks ignored--saving rejects to ssl_locl.h.rej
> *** Error code 59
> 
> Stop in /usr/ports/current/openssl-full.
> *** Error code 1
> 
> Stop in /usr/ports/current/openssl-full.
> 
> 
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=164795

Hm, that's strange, because the padlock patches don't touch any of the files
you mentioned at all:

me@host:/usr/ports/distfiles/openssl-1.0.0g $ grep diff 000*
0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:diff --git
a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch:diff --git
a/apps/speed.c b/apps/speed.c
0003-engines-e_padlock-backport-cvs-head-changes.patch:diff --git
a/engines/e_padlock.c b/engines/e_padlock.c
0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:diff --git
a/engines/e_padlock.c b/engines/e_padlock.c
0005-crypto-engine-autoload-padlock-dynamic-engine.patch:diff --git
a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c

Is the DTLS patch broken?
Comment 5 Farid 2012-03-15 12:00:03 UTC
The patches work with my VIA VB8001 board.
Thank you!

I had no errors while compiling and installing.
Comment 6 nukama 2012-03-15 14:56:36 UTC
Patch applies fine after extracting from wrangled PR.

Updated Patch against current version (including ports/166064):
https://redports.org/export/2622/Nukama/Attic/patches/openssl-164795.patch

Builds on all redports backends:
https://redports.org/buildarchive/20120314145625-42451/

Builds with current patched version from ports:
https://redports.org/buildarchive/20120314184501-48586/

And runs on my VIA board.
https://forums.freebsd.org/showpost.php?p=170214&postcount=3
Comment 7 Dirk Meyer freebsd_committer freebsd_triage 2012-03-19 17:29:30 UTC
State Changed
From-To: feedback->analyzed

patchset only works if no other patches are applied. 
sadly  we can support only one PATCH_DIST_STRIP= 
and for now it collids with the the sctp patches, that will return shortly.
Comment 8 Dirk Meyer freebsd_committer freebsd_triage 2012-06-02 10:15:39 UTC
State Changed
From-To: analyzed->feedback


please update your patch for openssl 1.0.1
Comment 9 stadtkind2 2012-06-08 22:58:34 UTC
On Sat, 02 Jun 2012, dinoex@FreeBSD.org wrote:

> Synopsis: Add Via Padlock support to security/openssl (patch included)
> 
> State-Changed-From-To: analyzed->feedback
> State-Changed-By: dinoex
> State-Changed-When: Sat Jun 2 11:15:39 CEST 2012
> State-Changed-Why: 
> 
> please update your patch for openssl 1.0.1
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=164795

See attached patch
Comment 10 dfilter service freebsd_committer freebsd_triage 2012-06-15 22:08:10 UTC
dinoex      2012-06-15 21:07:56 UTC

  FreeBSD ports repository

  Modified files:
    security/openssl     Makefile distinfo 
  Log:
  - use OPTIONS_DEFINE
  
  - add VIA padlock support
  PR:             164795
  Submitted by:   Stefan Krüger
  
  Revision  Changes    Path
  1.188     +42 -27    ports/security/openssl/Makefile
  1.74      +8 -0      ports/security/openssl/distinfo
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 11 Dirk Meyer freebsd_committer freebsd_triage 2012-06-15 22:08:34 UTC
State Changed
From-To: feedback->closed

committed, thanks.