ports/164795: Add Via Padlock support to security/openssl (patch included)

Stefan Krüger stadtkind2 at gmx.de
Sun Feb 5 12:40:08 UTC 2012


>Number:         164795
>Category:       ports
>Synopsis:       Add Via Padlock support to security/openssl (patch included)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 05 12:40:08 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Stefan Krüger
>Release:        FreeBSD 9.0-REL amd64
>Organization:
>Environment:
...
>Description:
Via Padlock support in OpenSSL is suboptimal at the moment. The attached patch adds some 3rd party openssl patches to enable full support for Via Padlock CPUs:

$ dmesg | grep CPU
CPU: VIA Nano U3300 at 1200MHz (1197.03-MHz K8-class CPU)
$ /usr/local/bin/openssl engine -c -tt
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(padlock) VIA PadLock: RNG ACE2 PHE PMM NANO
 [AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB, SHA1, DSA, SHA224, SHA256]
     [ available ]
$ /usr/local/bin/openssl speed sha1 sha256 hmac-sha1 -engine padlock
engine "padlock" set.
..
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1             31285.09k    93837.78k   216682.72k   322326.58k   376196.59k
sha256           28490.06k    84352.09k   190977.55k   279109.44k   322914.87k
hmac(sha1)       11233.03k    40204.20k   122229.52k   249804.46k   361585.79k

>How-To-Repeat:
There's no support for Via CPUs' sha1/sha224/sha256/hmac-sha1 in OpenSSL. Running "/usr/local/bin/openssl speed sha1 sha256 hmac-sha1 -engine padlock" will not make use of hw accel.

The third patch (0003-engines-e_padlock-backport-cvs-head-changes.patch) also fixes 64bit issues with newer Via Nano 64bit CPUs.
>Fix:
diff -uNr openssl.orig/Makefile openssl/Makefile
--- openssl.orig/Makefile       2012-02-05 12:05:00.000000000 +0100
+++ openssl/Makefile    2012-02-05 13:04:36.000000000 +0100
@@ -33,6 +33,7 @@
                ZLIB    "Build with zlib compression" on \
                MD2     "Build with MD2 hash (obsolete)" on \
                RC5     "Build with RC5 chipher (patented)" off \
+               PADLOCK "Build with Via Padlock support" off \
                RFC3779 "Build with RFC3779 support" off \
        DTLS_RENEGOTIATION      "Build with DTLS Abbr. renegotiations" off \
        DTLS_HEARTBEAT          "Build with DTLS Heartbeat Extension" off \
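Review bot: the new PADLOCK option line is offered on every architecture, although PadLock is an extension found only on VIA x86 CPUs, so on other platforms the knob pulls in third-party patches for an engine that cannot be used there. Consider offering the option only when ARCH is i386 or amd64, and spell the description "VIA PadLock" to match the name the engine itself reports.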
@@ -1092,6 +1093,16 @@
 PLIST_SUB+=    WITH_RC5="@comment "
 .endif

+.if defined(WITH_PADLOCK)
+PATCH_DIST_STRIP= -p1
+PATCH_SITES+=  http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock
+PATCHFILES+=   0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \
+       0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch:padlock \
+       0003-engines-e_padlock-backport-cvs-head-changes.patch:padlock \
+       0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \
+       0005-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock
+.endif
+
 .if defined(WITH_GMP)
 EXTRACONFIGURE+=       enable-gmp
 IGNORE=                GMP is LGPLv3 an can not be linked.
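Review bot: "PATCH_DIST_STRIP= -p1" inside the WITH_PADLOCK block is a plain assignment, so it sets the strip level for every file in PATCHFILES, not only the five tagged :padlock. If another option adds distribution patches that expect a different strip level (distinfo already carries dtls-heartbeats.patch and dtls-sctp-24.patch), enabling both options together would make the patch phase fail. Please test those combinations, or confirm that all existing PATCHFILES also apply with -p1.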
diff -uNr openssl.orig/distinfo openssl/distinfo
--- openssl.orig/distinfo       2012-02-05 12:05:00.000000000 +0100
+++ openssl/distinfo    2012-02-05 12:14:48.000000000 +0100
@@ -6,3 +6,13 @@
 SIZE (openssl-1.0.0g/dtls-heartbeats.patch) = 14132
 SHA256 (openssl-1.0.0g/dtls-sctp-24.patch) = 8335423c6f4767b899d923091244ec90cab4aabbd6e557358d04d0daf023001a
 SIZE (openssl-1.0.0g/dtls-sctp-24.patch) = 57229
+SHA256 (openssl-1.0.0g/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 7f40edec04115e97ae2c64e77d3324f6083963200add148f9a4dec090c60550b
+SIZE (openssl-1.0.0g/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3089
+SHA256 (openssl-1.0.0g/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch) = 7e00b1e36ea7e00a87c33c095c4d1379f21c6ef8f83a65ab457fd03166f6e0e9
+SIZE (openssl-1.0.0g/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch) = 10561
+SHA256 (openssl-1.0.0g/0003-engines-e_padlock-backport-cvs-head-changes.patch) = cc5e464d7bf8e181bb454de65772366ed90ee91716ecbadaaf2dfda2e080fdc2
+SIZE (openssl-1.0.0g/0003-engines-e_padlock-backport-cvs-head-changes.patch) = 5897
+SHA256 (openssl-1.0.0g/0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = bff8308f6652c8ddade1dd3261e5519fa3aa1660bea3474fc9996a53382a26b5
+SIZE (openssl-1.0.0g/0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20552
+SHA256 (openssl-1.0.0g/0005-crypto-engine-autoload-padlock-dynamic-engine.patch) = 5a2d80da0f24ae7675f38bdb3227ebe081eaefdfe3ba390acdb5d8dbefa80e93
+SIZE (openssl-1.0.0g/0005-crypto-engine-autoload-padlock-dynamic-engine.patch) = 838
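Review bot: the five added SHA256/SIZE pairs are the only thing tying the build to specific patch contents, because the Makefile fetches these files over plain http from a cgit "plain" path that carries no commit id. If the files at that path are updated or removed, the sums stop matching and the fetch fails, and nothing in the PR says which upstream revision the sums were taken from. Please name the aports commit they correspond to, or host the patches at a stable location such as MASTER_SITE_LOCAL, so the checksums can be verified independently before they are committed.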

>Release-Note:
>Audit-Trail:
>Unformatted:


