Jonte_77 n00b
Joined: 30 Aug 2006 Posts: 5
Posted: Thu Apr 19, 2007 6:27 pm Post subject: [HOWTO] Enable Padlock hardware encryption in OpenSSL |
I know this is not the most gentoo-ish way to do this, but this worked for me.
If anyone feels like explaining the proper way, please do!
First you have to enable Padlock encryption in your kernel.
Check that it works with:
Code: |
#dmesg | grep padlock
padlock: Using VIA PadLock ACE for AES algorithm.
|
Although the padlock engine always compiles statically, OpenSSL doesn't realize that and errors if you test it by typing:
Code: |
#openssl engine padlock
21867:error:25066067:DSO support routines:DLFCN_LOAD:could not load the
shared library:dso_dlfcn.c:162:filename(/usr/lib/engines/libpadlock.so):
/usr/lib/engines/libpadlock.so: cannot open shared object file: No such
file or directory
|
To make OpenSSL find the padlock engine, the sources need to be patched:
Code: |
#ebuild /usr/portage/dev-libs/openssl/openssl-0.9.8d.ebuild fetch
#ebuild /usr/portage/dev-libs/openssl/openssl-0.9.8d.ebuild unpack
#cd /var/tmp/portage/dev-libs/openssl-0.9.8d/work
|
Patch with this:
Code: |
# PadLock engine is never compiled as a shared object although
# OpenSSL sometimes thinks so. This patch fixes the
# initialization sequence so that it works with static PadLock
# again.
# Taken from Fedora Core 5
Index: openssl/crypto/engine/eng_all.c
===================================================================
--- openssl.orig/crypto/engine/eng_all.c
+++ openssl/crypto/engine/eng_all.c
@@ -68,6 +68,9 @@ void ENGINE_load_builtin_engines(void)
#if 0
ENGINE_load_openssl();
#endif
+#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
+ ENGINE_load_padlock();
+#endif
ENGINE_load_dynamic();
#ifndef OPENSSL_NO_STATIC_ENGINE
#ifndef OPENSSL_NO_HW
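Review bot: The added `ENGINE_load_padlock()` call sits outside the `#ifndef OPENSSL_NO_STATIC_ENGINE` block that opens two lines below it, and the code itself carries no explanation of why. Add a one-line comment above the new `#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)` guard saying that PadLock is always built statically, so a later cleanup does not move the call back under the static-engine guard.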
@@ -95,9 +98,6 @@ void ENGINE_load_builtin_engines(void)
#ifndef OPENSSL_NO_HW_UBSEC
ENGINE_load_ubsec();
#endif
-#ifndef OPENSSL_NO_HW_PADLOCK
- ENGINE_load_padlock();
-#endif
#endif
#if defined(__OpenBSD__) || defined(__FreeBSD__)
ENGINE_load_cryptodev();
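Review bot: Dropping the call here, after `ENGINE_load_ubsec()`, together with the earlier hunk changes the registration order: PadLock is now loaded ahead of `ENGINE_load_dynamic()` and the engines inside the `OPENSSL_NO_HW` block instead of after them. State in the patch description whether that reordering is intended or only a side effect of moving the call out of the static-engine guard.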
|
Code: |
#ebuild /usr/portage/dev-libs/openssl/openssl-0.9.8d.ebuild compile
#ebuild /usr/portage/dev-libs/openssl/openssl-0.9.8d.ebuild install
#ebuild /usr/portage/dev-libs/openssl/openssl-0.9.8d.ebuild qmerge
|
Done! Check again with:
Code: |
#openssl engine padlock
(padlock) VIA PadLock (no-RNG, ACE)
|
Now compare the results:
Code: |
#openssl speed -evp aes-256-ecb
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-ecb 9557.79k 10264.00k 10466.74k 10563.24k 10581.33k
#openssl speed -evp aes-256-ecb -engine padlock
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-ecb 60301.58k 221950.94k 562066.03k 907653.19k 1109879.47k
|
As you can see, the throughput goes through the roof!
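The two checks from the post above (the `openssl engine padlock` status line and the `openssl speed` comparison) can be interpreted by script. This is an added example, not part of the original post; the function names are hypothetical, and the `no-ACE` status string is assumed by analogy with the `no-RNG` shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: interpret the HOWTO's two checks.

# Classify `openssl engine padlock` output read from stdin:
#   ace      engine loaded and the AES unit (ACE) is usable
#   no-ace   engine loaded but AES is not accelerated (assumed string form)
#   missing  OpenSSL tried to load libpadlock.so, i.e. the unpatched build
#   unknown  none of the above
padlock_status() {
    awk '
        /^\(padlock\) .*, ACE\)/    { s = "ace" }
        /^\(padlock\) .*, no-ACE\)/ { s = "no-ace" }
        /DSO support routines/      { if (s == "") s = "missing" }
        END { print (s == "" ? "unknown" : s) }
    '
}

# Per-block-size speedup between two `openssl speed` result rows:
# $1 = software row, $2 = engine row. The trailing "k" is dropped by
# awk's numeric conversion.
speedup() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { for (i = 2; i <= NF; i++) soft[i] = $i + 0 }
        NR == 2 {
            for (i = 2; i <= NF; i++)
                printf "%s%.1f", (i > 2 ? " " : ""), ($i + 0) / soft[i]
            print ""
        }
    '
}

# Fixtures copied from the post above.
SOFT='aes-256-ecb 9557.79k 10264.00k 10466.74k 10563.24k 10581.33k'
HW='aes-256-ecb 60301.58k 221950.94k 562066.03k 907653.19k 1109879.47k'

echo "engine: $(echo '(padlock) VIA PadLock (no-RNG, ACE)' | padlock_status)"
echo "speedup (16 64 256 1024 8192 bytes): $(speedup "$SOFT" "$HW")"
```

On a live system, pipe `openssl engine padlock 2>&1` into `padlock_status` so the DSO error on stderr is classified as well.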