Bug 227946 - security/openssl padlock patch location
Summary: security/openssl padlock patch location
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Bernard Spil
Reported: 2018-05-03 09:19 UTC by dewayne
Modified: 2019-04-04 17:03 UTC
bugzilla: maintainer-feedback? (brnrd)


Description dewayne 2018-05-03 09:19:19 UTC
There was some difficulty in locating the padlock patch for openssl 1.0.2o.
Perhaps this should be placed at the top of the selection list.

The file is the same size and has the same sha256 value per /usr/ports/security/openssl/distinfo
Comment 1 mojolicious 2019-04-04 17:03:11 UTC
These padlock patches break openssl functionality (at the moment 1.0.2r). I've checked this: I just downloaded them, placed them into the corresponding port build directory, and checked "VIA padlock" while configuring the build.
So, as a result, while openssl built successfully, openvpn causes a 'segmentation fault' error at start, and strongswan doesn't work either.
OpenVPN and StrongSwan were built from ports and linked with the 1.0.x openssl port's version.
It looks like FreeBSD doesn't care about the openssl padlock engine, but rather cryptodev.
I got padlock acceleration working by adding a make option to the StrongSwan port's Makefile, something like --enable-padlock. At the moment the make option isn't present (maybe patch this?). Make sure you have enabled the option padlock_enable="YES" in /etc/rc.conf or WITH_PADLOCK="YES" in the kernel configuration file.
According to swanctl --log and a few benchmarks I performed, I can conclude that strongswan works nicely with the padlock kernel module. (ike=aes128-aes256-sha1-modp1204; esp=aes128-aes256-sha1)
Unfortunately, openvpn padlock acceleration goes away...