Solved (sorta) /dev/crypto No Ciphers or Hashes

For Developers
11

I just thought that as openssl 1.1.1 changed quite a lot of config items for openssl itself and also changed some kmod dependencies, you may need to check that the same relevant kmods are still included in your builds as earlier. E.g. in https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=d971ae51a51cb1b145b6fbbf7d1327a99be257b1

I assume that you have already compared the usual suspects, diffconfig output and manifest.

Similarly, the jump from kernel 4.4 to 4.14 may have caused kmod / dependency / kernel config changes, which are maybe best documented upstream at Linux mailing lists and source repos.

12

thanks;

great minds think alike; fools seldom differ...
just reviewed kernel config diffs, some (new) selected modules are not created as packages. Theory is that failing due to missing (unpackaged) modules. Changed all kernel modules that are not packaged as openwrt modules to builtin.

Compiling, will advise...

13

Nope; same failures

14

root@SecureOffice:~# cat /proc/crypto

name         : ecb(aes)
driver       : ecb(aes-asm)
module       : ecb
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : blkcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 0
geniv        : <default>

name         : ctr(aes)
driver       : ctr(aes-asm)
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : blkcipher
blocksize    : 1
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : chainiv

name         : cbc(aes)
driver       : cbc(aes-asm)
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : no
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
chunksize    : 16
walksize     : 16

name         : cbc(des3_ede)
driver       : cbc(des3_ede-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : no
blocksize    : 8
min keysize  : 24
max keysize  : 24
ivsize       : 8
chunksize    : 8
walksize     : 8

name         : cbc(des)
driver       : cbc(des-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : no
blocksize    : 8
min keysize  : 8
max keysize  : 8
ivsize       : 8
chunksize    : 8
walksize     : 8

name         : md5
driver       : md5-generic
module       : md5
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 16

name         : md4
driver       : md4-generic
module       : md4
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 16

name         : des3_ede
driver       : des3_ede-generic
module       : des_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 8
min keysize  : 24
max keysize  : 24

name         : des
driver       : des-generic
module       : des_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 8
min keysize  : 8
max keysize  : 8

name         : jitterentropy_rng
driver       : jitterentropy_rng
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_nopr_hmac_sha256
module       : kernel
priority     : 207
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_nopr_hmac_sha512
module       : kernel
priority     : 206
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_nopr_hmac_sha384
module       : kernel
priority     : 205
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_nopr_hmac_sha1
module       : kernel
priority     : 204
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_pr_hmac_sha256
module       : kernel
priority     : 203
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_pr_hmac_sha512
module       : kernel
priority     : 202
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_pr_hmac_sha384
module       : kernel
priority     : 201
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_pr_hmac_sha1
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : crct10dif
driver       : crct10dif-generic
module       : kernel
priority     : 100
refcnt       : 2
selftest     : passed
internal     : no
type         : shash
blocksize    : 1
digestsize   : 2

name         : crc32c
driver       : crc32c-generic
module       : kernel
priority     : 100
refcnt       : 4
selftest     : passed
internal     : no
type         : shash
blocksize    : 1
digestsize   : 4

name         : ecb(arc4)
driver       : ecb(arc4)-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : blkcipher
blocksize    : 1
min keysize  : 1
max keysize  : 256
ivsize       : 0
geniv        : <default>

name         : arc4
driver       : arc4-generic
module       : kernel
priority     : 0
refcnt       : 3
selftest     : passed
internal     : no
type         : cipher
blocksize    : 1
min keysize  : 1
max keysize  : 256

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : sha224
driver       : sha224-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 28

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 32

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 20

name         : digest_null
driver       : digest_null-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 1
digestsize   : 0

name         : compress_null
driver       : compress_null-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : compression

name         : ecb(cipher_null)
driver       : ecb-cipher_null
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : blkcipher
blocksize    : 1
min keysize  : 0
max keysize  : 0
ivsize       : 0
geniv        : <default>

name         : cipher_null
driver       : cipher_null-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 1
min keysize  : 0
max keysize  : 0

name         : sha224
driver       : sha224-ssse3
module       : kernel
priority     : 150
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 28

name         : sha256
driver       : sha256-ssse3
module       : kernel
priority     : 150
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 32

name         : sha1
driver       : sha1-ssse3
module       : kernel
priority     : 150
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 20

name         : aes
driver       : aes-asm
module       : kernel
priority     : 200
refcnt       : 5
selftest     : passed
internal     : no
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
15

going to try to replicate with trunk. Be awhile

16

what your router's cpu ? i don't see your cpu support aes-ni instruction.

17

quad core; here's one (previous rev worked; this hardware / cpu)
cat /proc/cpuinfo

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 58
model name      : Intel(R) Celeron(R) CPU 1037U @ 1.80GHz
stepping        : 9
microcode       : 0x1c
cpu MHz         : 1148.336
cache size      : 2048 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
apicid          : 2
initial apicid  : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer xsave lahf_lm cpuid_fault epb pti tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm arat pln pts
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf
bogomips        : 3591.82
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:
18

Celeron 1037U does not support aes-ni instruction set.
see here: https://ark.intel.com/content/www/us/en/ark/products/71995/intel-celeron-processor-1037u-2m-cache-1-80-ghz.html

this is my Pentium G2020 not support aes-ni, same of your too:

root@OpenWrt:~# cat /proc/crypto |grep aes
name         : aes
driver       : aes-generic
name         : aes
driver       : aes-asm
root@OpenWrt:~# openssl engine -t -c
(dynamic) Dynamic engine loading support
     [ unavailable ]

this my cpu Celeron J3355 have aes-ni:

root@ASR:~# cat /proc/crypto |grep aes
name         : xts(aes)
driver       : xts-aes-aesni
name         : ctr(aes)
driver       : ctr-aes-aesni
name         : cbc(aes)
driver       : cbc-aes-aesni
name         : ecb(aes)
driver       : ecb-aes-aesni
name         : gcm(aes)
driver       : generic-gcm-aesni
name         : __generic-gcm-aes-aesni
driver       : __driver-generic-gcm-aes-aesni
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
name         : __gcm-aes-aesni
driver       : __driver-gcm-aes-aesni
name         : __xts(aes)
driver       : __xts-aes-aesni
name         : __ctr(aes)
driver       : __ctr-aes-aesni
name         : __cbc(aes)
driver       : __cbc-aes-aesni
name         : __ecb(aes)
driver       : __ecb-aes-aesni
name         : __aes
driver       : __aes-aesni
name         : aes
driver       : aes-aesni
name         : aes
driver       : aes-generic
name         : aes
driver       : aes-asm
root@ASR:~# openssl engine -t -c
(rdrand) Intel RDRAND engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
19

is not the issue, that is for openssl specific engines, which I have as builtin. Don't need it

what I need is
root@SecureOffice:~# openssl engine -t -c
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, hmacWithMD5, MD5]
[ available ]
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]

in other words; the algs in /dev/crypto ([RSA, DSA, ...), which you are apparently not using. My /proc/crypto (kernel crypto modules) is OK

20

That /proc/crypto output tells me that you apparently have no hw-crypto that needs it.
/dev/crypto presence does not mean that there is any hardware-accelerated crypto available. By hw-accelerated, I'm not talking AES-NI, and other CPU instructions; from openssl point of view, they're 100% software (just another assembly instruction), and the default openssl provider most likely already uses them.
In openssl 1.1.1, the devcrypto engine only enables hardware-accelerated drivers by default. You can force the software drivers, restoring the old behavior, by using USE_SOFTDRIVERS=1. I strongly recommend against it. Read this for some more info:
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators

If you want further help with this, especially if you're convinced that you do have hw-crypto, the output of openssl engine -t -c -pre DUMP_INFO is really helpful.
Here's the output from a WRT3200ACM (with hardware crypto):

# openssl engine -t -c -pre DUMP_INFO devcrypto
(devcrypto) /dev/crypto engine
Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, driver=mv-cbc-des (hw accelerated)
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, driver=mv-cbc-des3-ede (hw accelerated)
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, CIOCGSESSION (session open call) failed
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, driver=mv-cbc-aes (hw accelerated)
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, driver=mv-cbc-aes (hw accelerated)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=mv-cbc-aes (hw accelerated)
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, driver=ctr-aes-neonbs (software)
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, driver=ctr-aes-neonbs (software)
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, driver=ctr-aes-neonbs (software)
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, driver=mv-ecb-aes (hw accelerated)
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, driver=mv-ecb-aes (hw accelerated)
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, driver=mv-ecb-aes (hw accelerated)
Cipher CAMELLIA-128-CBC, NID=751, /dev/crypto info: id=101, CIOCGSESSION (session open call) failed
Cipher CAMELLIA-192-CBC, NID=752, /dev/crypto info: id=101, CIOCGSESSION (session open call) failed
Cipher CAMELLIA-256-CBC, NID=753, /dev/crypto info: id=101, CIOCGSESSION (session open call) failed

Information about digests supported by the /dev/crypto engine:
Digest MD5, NID=4, /dev/crypto info: id=13, driver=mv-md5 (hw accelerated), CIOCCPHASH capable
Digest SHA1, NID=64, /dev/crypto info: id=14, driver=mv-sha1 (hw accelerated), CIOCCPHASH capable
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA224, NID=675, /dev/crypto info: id=103, driver=sha224-neon (software), CIOCCPHASH capable
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=mv-sha256 (hw accelerated), CIOCCPHASH capable
Digest SHA384, NID=673, /dev/crypto info: id=105, driver=sha384-neon (software), CIOCCPHASH capable
Digest SHA512, NID=674, /dev/crypto info: id=106, driver=sha512-neon (software), CIOCCPHASH capable

[Success]: DUMP_INFO
 [DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, AES-256-ECB, MD5, SHA1, SHA256]
     [ available ]

Here's the output from my x86_64 machine (sotware only, but AES-NI), with the USE_SOFTDRIVERS=1:

openssl engine -t -c -pre DUMP_INFO devcrypto
(devcrypto) /dev/crypto engine
Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, driver=cbc(des-generic) (software)
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, driver=cbc(des3_ede-generic) (software)
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, driver=cbc-blowfish-asm (software)
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, driver=cbc-aes-aesni (software)
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, driver=cbc-aes-aesni (software)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=cbc-aes-aesni (software)
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, driver=ctr-aes-aesni (software)
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, driver=ctr-aes-aesni (software)
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, driver=ctr-aes-aesni (software)
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, driver=ecb-aes-aesni (software)
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, driver=ecb-aes-aesni (software)
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, driver=ecb-aes-aesni (software)
Cipher CAMELLIA-128-CBC, NID=751, /dev/crypto info: id=101, driver=cbc-camellia-aesni (software)
Cipher CAMELLIA-192-CBC, NID=752, /dev/crypto info: id=101, driver=cbc-camellia-aesni (software)
Cipher CAMELLIA-256-CBC, NID=753, /dev/crypto info: id=101, driver=cbc-camellia-aesni (software)

Information about digests supported by the /dev/crypto engine:
Digest MD5, NID=4, /dev/crypto info: id=13, driver=md5-generic (software), CIOCCPHASH capable
Digest SHA1, NID=64, /dev/crypto info: id=14, driver=sha1-avx (software), CIOCCPHASH capable
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=rmd160-generic (software), CIOCCPHASH capable
Digest SHA224, NID=675, /dev/crypto info: id=103, driver=sha224-avx (software), CIOCCPHASH capable
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=sha256-avx (software), CIOCCPHASH capable
Digest SHA384, NID=673, /dev/crypto info: id=105, driver=sha384-avx (software), CIOCCPHASH capable
Digest SHA512, NID=674, /dev/crypto info: id=106, driver=sha512-avx (software), CIOCCPHASH capable

[Success]: DUMP_INFO
 [DES-CBC, DES-EDE3-CBC, BF-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR, AES-128-ECB, AES-192-ECB, AES-256-ECB, CAMELLIA-128-CBC, CAMELLIA-192-CBC, CAMELLIA-256-CBC, MD5, SHA1, RIPEMD160, SHA224, SHA256, SHA384, SHA512]
     [ available ]

Here's the most important part of my /proc/crypto from openwrt:

# cat /proc/crypto | egrep -A 3 aes | egrep '^(--|name|driver|priority)'
name         : __ctr(aes)
driver       : cryptd(__ctr-aes-neonbs)
priority     : 300
--
name         : xts(aes)
driver       : xts-aes-neonbs
priority     : 250
--
name         : ctr(aes)
driver       : ctr-aes-neonbs
priority     : 250
--
name         : cbc(aes)
driver       : cbc-aes-neonbs
priority     : 250
--
name         : ecb(aes)
driver       : ecb-aes-neonbs
priority     : 250
--
name         : __xts(aes)
driver       : __xts-aes-neonbs
priority     : 250
--
name         : __ctr(aes)
driver       : __ctr-aes-neonbs
priority     : 250
--
name         : __cbc(aes)
driver       : __cbc-aes-neonbs
priority     : 250
--
name         : __ecb(aes)
driver       : __ecb-aes-neonbs
priority     : 250
--
name         : cbc(aes)
driver       : mv-cbc-aes
priority     : 300
--
name         : ecb(aes)
driver       : mv-ecb-aes
priority     : 300
--
name         : aes
driver       : aes-generic
priority     : 100
--
name         : aes
driver       : aes-arm
priority     : 200

I hope this helps.
Cheers

21

Thanks; given me some food for thought, especially USE_SOFTDRIVERS=1

...may be the smoking gun in upgrading openssl. My issues is not primarily openssl, I just use it as a simple testcase for /dev/crypto capabilities.

I have a custom app using /dev/crypto which is not easily changed (custom ld.so, which is static and cannot dynamically link to anything. /dev/crypto is the most lightweight crypt interface I could find). It exhibits the same symptoms and error behavior (no ciphers) as openssl, yet is independent of openssl.

So my issue is kernel and, I suspect version is borked, which is why I am attempting to replicate on trunk, so I can at least submit a bug if so.

I do not have hardware crypto, this platform. I have successfully used it before on some ARM platforms.

22

af_alg may be worth a try to test behaviour

23

Hi @cotequeiroz

I see you are author of openssl ?
Have a question, I'm compile 19.07-snapshot branch myself. Have enabled openssl devcrypto.
But can't see hw accelerated when running command as you suggested ?. My router's cpu is J3355 aesni supported.

root@ASR:~# openssl engine -t -c -pre DUMP_INFO devcrypto
(devcrypto) /dev/crypto engine
Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, driver=cbc(des-generic) (software)
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, driver=cbc(des3_ede-generic) (software)
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, driver=cbc-blowfish-asm (software)
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, driver=cbc-aes-aesni (software)
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, driver=cbc-aes-aesni (software)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=cbc-aes-aesni (software)
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, driver=ctr-aes-aesni (software)
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, driver=ctr-aes-aesni (software)
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, driver=ctr-aes-aesni (software)
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, driver=ecb-aes-aesni (software)
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, driver=ecb-aes-aesni (software)
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, driver=ecb-aes-aesni (software)
Cipher CAMELLIA-128-CBC, NID=751, /dev/crypto info: id=101, driver=cbc-camellia-asm (software)
Cipher CAMELLIA-192-CBC, NID=752, /dev/crypto info: id=101, driver=cbc-camellia-asm (software)
Cipher CAMELLIA-256-CBC, NID=753, /dev/crypto info: id=101, driver=cbc-camellia-asm (software)

Information about digests supported by the /dev/crypto engine:
Digest MD5, NID=4, /dev/crypto info: id=13, driver=md5-generic (software), CIOCCPHASH capable
Digest SHA1, NID=64, /dev/crypto info: id=14, driver=sha1-ni (software), CIOCCPHASH capable
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA224, NID=675, /dev/crypto info: id=103, driver=sha224-ni (software), CIOCCPHASH capable
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=sha256-ni (software), CIOCCPHASH capable
Digest SHA384, NID=673, /dev/crypto info: id=105, driver=sha384-ssse3 (software), CIOCCPHASH capable
Digest SHA512, NID=674, /dev/crypto info: id=106, driver=sha512-ssse3 (software), CIOCCPHASH capable

[Success]: DUMP_INFO
     [ available ]
24

If you are interested in AF_ALG, and want to use openssl to aid you, check out https://github.com/openwrt/openwrt/pull/1547, which should give you a "mirror" of the /dev/crypto engine using AF_ALG.

25

You do not have a hardware crypto accelerator that needs /dev/crypto. Plain openssl will use your AESNI acceleration just fine without the engine, just make sure you don't disable OPENSSL_WITH_ASM ("Compile with optimized assembly code"), which is enabled by default. You should disable /dev/crypto engine and drivers.

26

Well, that is clear. Tks you.

27

I had been until the nehab push broke things, but I see you have rebased the PR so I will add it back into my image, Thanks.

28

Seeing same (no crypt algs) behavior on trunk.

Could it be due to this kernel crypto change:
https://codeberg.org/mirror/git.kernel.org_pub_scm_linux_kernel_git_stable_linux/commit/e2861fa71641c6414831d628a1f4f793b6562580

which appears in both kernel 4.14.111 and 4.19.57 (trunk)

further, openssl.cnf additions:
[openssl_def]
engines=engine_section

[engine_section]
devcrypto=devcrypto_section

[devcrypto_section]
USE_SOFTDRIVERS=1
CIPHERS=ALL
DIGESTS=ALL

has no effect: still no /dev/crypto algs

29

After struggling with this for far too long...
Concluded: since there is absolutely zero reason or positive performance advantage to access software crypt algs via /dev/crypto, it is probable that this kernel capability was removed and, whole lotta work to determine how and undo.

Abandon /dev/crypto interface for my custom app and, use an alternative crypto solution embedded in my app.

Since I only need AES_CBC_256, used Tiny-AES: https://github.com/kokke/tiny-AES-c

1 Like
30

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.