OpenVPN --test-crypto fails. How to troubleshoot?

In my attempts to get my hardware engine working with OpenVPN I can’t seem to figure out why it fails. The only reference on this I could find was someone doing the same with the Padlock engine almost 10 years ago. His solution was to add a dummy system call to flush the buffers before the engine returned the data.

OpenSSL encryption and decryption work fine on files. I tested both using the hardware engine, as well as encrypting with the engine and decrypting with software and vice versa, to make sure the hardware itself is generating the proper output. A file compare shows no difference using either software or hardware, so I am concluding the hardware and driver work fine.

BUT: as soon as I add -engine cryptodev to the OpenVPN configuration it fails. So I tried the local OpenVPN --test-crypto and that fails when using the cryptodev. Log output shows that OpenSSL is using the engine (as it does without OpenVPN). Without the cryptodev the OpenVPN test runs just fine.

How do I troubleshoot this problem, since I don’t get any log output about the reason why it fails?

1 Like

I'd also ask this on the OpenVPN forum as well.

1 Like

I will, and I realize it’s not LEDE-related, but a lot of smart people are gathered here with probably more experience in troubleshooting these kinds of problems, compared to the OpenVPN forum, where I have the feeling they will blame the OpenSSL library, which is known to have issues with cryptodev. And like I said, the Padlock hw engine solution was to add a dummy system call to flush the buffers before returning the data, which seems strange but apparently worked for that driver with minimal patching or delay.

Please post the error output/log, and post info related to your hardware and which version/release of LEDE you are using, and tell us if you are installing openvpn/openssl via opkg or from somewhere else.

I don't understand that perspective, as the OpenVPN forum has some extremely knowledgeable members about everything OpenVPN... either way, it only takes a few minutes to copy and paste your original post, as well as a link to this thread.

It’s not like I’m not posting that question on the OpenVPN forum. I wanted to include the same logs as requested above to give them more material to work with. Again, I’m not sure if it’s really an openvpn problem. I will post my full findings so far in a few hours.

If you do decide to post in the OpenVPN forum, please include the link here, and the link to this thread on that forum, so everyone knows what is going on.

Helps eliminate confusion and wasted time.

2 Likes

I didn't realize I wasn't even registered on the OpenVPN Forum. Now my post has to be approved by a moderator, so I don't have a link yet.

Modifying the crypto.c source quick and dirty to give me some extra output about the buffer length gives me this result when running the same test a few times in a row: on the first run the source buffer and decrypted buffer lengths are the same. On all other runs, the decrypted buffer returns "0".

root@OpenWrt:/tmp# openvpn --test-crypto --secret key --cipher AES-256-CBC --engine cryptodev
Sun Dec 17 11:56:01 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sun Dec 17 11:56:01 2017 OpenVPN 2.4.4 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Dec 17 11:56:02 2017 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sun Dec 17 11:56:02 2017 OpenVPN 2.4.4 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Dec 17 11:56:03 2017 Initializing OpenSSL support for engine 'cryptodev'
Sun Dec 17 11:56:03 2017 Entering OpenVPN crypto self-test mode.
Sun Dec 17 11:56:03 2017 TESTING ENCRYPT/DECRYPT of packet length=100
Sun Dec 17 11:56:03 2017 OpenVPNEnc. buf.len=148
Sun Dec 17 11:56:03 2017 OpenVPNDec buf.len=100
Sun Dec 17 11:56:03 2017 SELF TEST FAILED, pos=0 in=87 out=75
Sun Dec 17 11:56:03 2017 Exiting due to fatal error

root@OpenWrt:/tmp# openvpn --test-crypto --secret key --cipher AES-256-CBC --engine cryptodev
Sun Dec 17 11:56:44 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sun Dec 17 11:56:44 2017 OpenVPN 2.4.4 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Dec 17 11:56:44 2017 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sun Dec 17 11:56:44 2017 OpenVPN 2.4.4 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Dec 17 11:56:45 2017 Initializing OpenSSL support for engine 'cryptodev'
Sun Dec 17 11:56:45 2017 Entering OpenVPN crypto self-test mode.
Sun Dec 17 11:56:45 2017 TESTING ENCRYPT/DECRYPT of packet length=100
Sun Dec 17 11:56:45 2017 OpenVPNEnc. buf.len=148
Sun Dec 17 11:56:45 2017 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3800655692 / time = (2990300221) Tue Aug 28 16:28:45 1928 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Dec 17 11:56:45 2017 OpenVPNDec buf.len=0
Sun Dec 17 11:56:45 2017 SELF TEST FAILED, src.len=100 buf.len=0
Sun Dec 17 11:56:45 2017 Exiting due to fatal error

root@OpenWrt:/tmp# openvpn --test-crypto --secret key --cipher AES-256-CBC --engine cryptodev
Sun Dec 17 11:56:51 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sun Dec 17 11:56:51 2017 OpenVPN 2.4.4 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Dec 17 11:56:51 2017 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sun Dec 17 11:56:51 2017 OpenVPN 2.4.4 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Dec 17 11:56:52 2017 Initializing OpenSSL support for engine 'cryptodev'
Sun Dec 17 11:56:52 2017 Entering OpenVPN crypto self-test mode.
Sun Dec 17 11:56:52 2017 TESTING ENCRYPT/DECRYPT of packet length=100
Sun Dec 17 11:56:52 2017 OpenVPNEnc. buf.len=148
Sun Dec 17 11:56:52 2017 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2887217725 / time = (4121479353) Fri Jul  3 00:54:17 1964 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Dec 17 11:56:52 2017 OpenVPNDec buf.len=0
Sun Dec 17 11:56:52 2017 SELF TEST FAILED, src.len=100 buf.len=0
Sun Dec 17 11:56:52 2017 Exiting due to fatal error
root@OpenWrt:/tmp#

The link to the OpenVPN Forum thread: https://forums.openvpn.net/viewtopic.php?p=75336
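The comparison the post above makes by eye (source length versus decrypted length, first run versus later runs, with and without the engine) is easier to make reliably from a small log summariser. The following is an added example for this thread, not code from OpenVPN or from the poster; it parses `openvpn --test-crypto` output into one record per run and can drive repeated runs with and without `--engine`. The `OpenVPNEnc. buf.len=` / `OpenVPNDec buf.len=` lines it reads come from the poster's own debug patch to crypto.c; stock OpenVPN does not print them, so those fields stay `None` when absent. The sample log embedded at the bottom is constructed from the lines quoted above plus one made-up software-only run that passes.

```python
"""Summarise repeated `openvpn --test-crypto` runs from their log output.

Added example for the thread above, not OpenVPN's or the poster's code.
It turns the self-test log into one dict per run so that runs with and
without --engine can be compared field by field.
"""
import re
import subprocess
from typing import List, Optional

# OpenVPN prefixes each log line with a ctime()-style timestamp; strip it.
_TS = re.compile(r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} ")
_ENGINE = re.compile(r"Initializing OpenSSL support for engine '([^']+)'")
_PKT = re.compile(r"TESTING ENCRYPT/DECRYPT of packet length=(\d+)")
_ENC = re.compile(r"Enc\. buf\.len=(\d+)")   # poster's debug patch, not stock
_DEC = re.compile(r"Dec buf\.len=(\d+)")     # poster's debug patch, not stock


def summarize_runs(log_text: str) -> List[dict]:
    """Return one dict per self-test run found in the log text."""
    runs: List[dict] = []
    pending_engine: Optional[str] = None  # engine line precedes the run start
    run: Optional[dict] = None
    for raw in log_text.splitlines():
        line = _TS.sub("", raw.strip())
        m = _ENGINE.search(line)
        if m:
            pending_engine = m.group(1)
            continue
        if "Entering OpenVPN crypto self-test mode" in line:
            run = {"engine": pending_engine, "packet_len": None, "enc_len": None,
                   "dec_len": None, "replay_error": False, "failed": None}
            runs.append(run)
            pending_engine = None
            continue
        if run is None:
            continue  # banner lines before the first run
        for key, rx in (("packet_len", _PKT), ("enc_len", _ENC), ("dec_len", _DEC)):
            m = rx.search(line)
            if m:
                run[key] = int(m.group(1))
        if "bad packet ID" in line:
            # The packet-ID header read back after decryption is garbage, so
            # the plaintext returned by the cipher was already wrong.
            run["replay_error"] = True
        if "SELF TEST FAILED" in line:
            run["failed"] = True
        elif "self-test mode SUCCEEDED" in line:  # stock crypto.c success message
            run["failed"] = False
    return runs


def plaintext_mismatch(run: dict) -> bool:
    """True when the debug lengths show the decrypt did not return the input size."""
    return (run["packet_len"] is not None and run["dec_len"] is not None
            and run["dec_len"] != run["packet_len"])


def run_test_crypto(secret_path: str, cipher: str, engine: Optional[str] = None,
                    repeat: int = 3, openvpn: str = "openvpn") -> List[dict]:
    """Invoke `openvpn --test-crypto` `repeat` times and summarise the runs.

    Flags are the ones used in the thread; `--engine` is only added when an
    engine name is given, which yields the software-only baseline.
    """
    args = [openvpn, "--test-crypto", "--secret", secret_path, "--cipher", cipher]
    if engine:
        args += ["--engine", engine]
    chunks = []
    for _ in range(repeat):
        proc = subprocess.run(args, capture_output=True, text=True)
        chunks.append(proc.stdout + proc.stderr)
    return summarize_runs("\n".join(chunks))


# Constructed sample: the first two cryptodev runs quoted in the thread,
# followed by a made-up software-only run that passes.
SAMPLE_LOG = """\
Sun Dec 17 11:56:03 2017 Initializing OpenSSL support for engine 'cryptodev'
Sun Dec 17 11:56:03 2017 Entering OpenVPN crypto self-test mode.
Sun Dec 17 11:56:03 2017 TESTING ENCRYPT/DECRYPT of packet length=100
Sun Dec 17 11:56:03 2017 OpenVPNEnc. buf.len=148
Sun Dec 17 11:56:03 2017 OpenVPNDec buf.len=100
Sun Dec 17 11:56:03 2017 SELF TEST FAILED, pos=0 in=87 out=75
Sun Dec 17 11:56:03 2017 Exiting due to fatal error
Sun Dec 17 11:56:45 2017 Initializing OpenSSL support for engine 'cryptodev'
Sun Dec 17 11:56:45 2017 Entering OpenVPN crypto self-test mode.
Sun Dec 17 11:56:45 2017 TESTING ENCRYPT/DECRYPT of packet length=100
Sun Dec 17 11:56:45 2017 OpenVPNEnc. buf.len=148
Sun Dec 17 11:56:45 2017 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3800655692 / time = (2990300221) Tue Aug 28 16:28:45 1928 ] -- see the man page entry for --no-replay
Sun Dec 17 11:56:45 2017 OpenVPNDec buf.len=0
Sun Dec 17 11:56:45 2017 SELF TEST FAILED, src.len=100 buf.len=0
Sun Dec 17 12:00:00 2017 Entering OpenVPN crypto self-test mode.
Sun Dec 17 12:00:00 2017 TESTING ENCRYPT/DECRYPT of packet length=100
Sun Dec 17 12:00:00 2017 OpenVPN crypto self-test mode SUCCEEDED.
"""

if __name__ == "__main__":
    for i, r in enumerate(summarize_runs(SAMPLE_LOG)):
        print(i, r, "<- plaintext length mismatch" if plaintext_mismatch(r) else "")
```

On the sample the first cryptodev run fails with the decrypted length still equal to the source length (wrong bytes, right size), while the later runs fail with length 0 and a bad packet ID, which is the pattern the post describes. Running `run_test_crypto("key", "AES-256-CBC")` and `run_test_crypto("key", "AES-256-CBC", engine="cryptodev")` on the router gives the two lists to compare.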

The OpenVPN forum has had some major problems with spamming by bot spammers over the years to the point it was causing major issues for actual users, so they implemented that policy for new users under a certain number of posts some years back.

This may or may not help, as I have very little knowledge about crypto engine usage in OpenVPN, but I know for the WRT AC Series we had to patch our crypto makefile (<buildroot>/package/kernel/linux/modules/crypto.mk) with a new crypto option for Marvell-CESA, which then had to be manually selected in menuconfig.

The problem is not compiling or loading the hw driver or cryptodev module. It works if I use the OpenSSL utils directly to encrypt and decrypt a file. OpenVPN calls OpenSSL, which in turn calls my hw engine via the cryptodev. This can be seen in the log when I enable the debug options in the driver.

Going over parts of the OpenVPN code, I noticed that I could compile with a deprecated API. I will try that tonight to see if that would make the difference. OpenSSL was compiled with this option selected by default.

If I have to patch the OpenVPN code anyway to get this to work, it would be interesting to see if I could add some simple logic based on packet length to use the HW or just do it in software. Small packets (let’s say <200 bytes) don’t benefit and are even slower due to context switching.

This is true for most hw solutions, so I will discuss on the OpenVPN forum whether we could add this as a “feature”.

1 Like