OpenVPN cryptodev

Hello,

Actually I use the kernel 4.14 from @frank-w on bananapiR2.

I discovered that openvpn didn’t detect the cryptodev engine. But openssl has cryptodev enabled.

root # openssl engine -tt -v -c
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, hmacWithMD5, hmacWithSHA1, MD5, SHA1]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
root # openvpn --show-engines
OpenSSL Crypto Engines

Dynamic engine loading support [dynamic]

Do you have any idea why openssl detects cryptodev but not openssl?

IMHO openssl has to be compiled with cryptodev support; maybe it’s the same for openvpn.

I have tried to find all build options in openvpn and I didn’t find anything about that.

Hi Frank,

Is OpenVPN + cryptodev working on kernel 4.19? From your github page I see that currently only 4.14 has support for it.

You can try 4.19; I have not tested it, but compilation works.

The Open VPN will help you secure your internet connectivity by hiding your actual IP address. After activating the VPN suddenly router was showing an error like this connection failed with error 651 and the connection could not be established.

I’m using latest 4.19 kernel (4.19.26) from your github repo. I have checked now and it seems this version does not have cryptodev included so I cannot load the module.

# modprobe cryptodev
modprobe: FATAL: Module cryptodev not found in directory /lib/modules/4.19.26-bpi-r2-main

It works fine on 4.14 latest version 4.14.104.

IMHO it’s not included in the default build, but compiling itself worked. I check that…

I have included cryptodev in default build of 4.19-main…travis creating release at the moment

Please give me feedback if it is working

Hello,

I have installed the latest kernel version 4.19.26 from github but it still doesn’t work. It seems the module is not included. I have checked the modules.dep on 4.14.104 and 4.19.26, and for 4.19 it is not listed.

For 4.14.104:

cat /lib/modules/4.14.104-bpi-r2-main/modules.dep | grep cryptodev
kernel/extras/cryptodev.ko:

For 4.19.26:

cat /lib/modules/4.19.26-bpi-r2-main/modules.dep | grep cryptodev

empty

# modprobe cryptodev
modprobe: FATAL: Module cryptodev not found in directory /lib/modules/4.19.26-bpi-r2-main

Sorry, I forgot that travis uses “./build.sh build” instead of only “build.sh”, which I have used for testing.

build-option had not compiled cryptodev, only “build.sh” alone, have pushed fix…travis will now build it

Mhm…fixed another bug with travis…

https://travis-ci.com/frank-w/BPI-R2-4.14/builds/103415677

Thanks, I have installed the latest build and now the cryptodev module is loaded properly. Also I can see OpenVPN has cryptodev engine support.

# openvpn --show-engines
OpenSSL Crypto Engines

/dev/crypto engine [devcrypto]
Dynamic engine loading support [dynamic]

Do you have the default debian/ubuntu openvpn, or have you compiled it yourself?

I’m using the OpenVPN package provided by Debian.

Hello,

I’ve tried to use cryptodev and strangely I didn’t see any hardware driver. I built openssl from the debian repository and I added some patches from openwrt (available here: https://github.com/openwrt/openwrt/tree/master/package/libs/openssl/patches).

After installing the openssl and libssl package I can see a lot of information about each driver in cryptodev:

[root@r2] kernel # openssl engine -t -c -vv -pre DUMP_INFO devcrypto
(devcrypto) /dev/crypto engine
Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, driver=cbc(des-generic) (software)
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, driver=cbc(des3_ede-generic) (software)
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, CIOCGSESSION (session open call) failed
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, driver=cbc-aes-mtk (software)
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, driver=cbc-aes-mtk (software)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=cbc-aes-mtk (software)
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, driver=ctr-aes-mtk (software)
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, driver=ctr-aes-mtk (software)
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, driver=ctr-aes-mtk (software)
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, driver=ecb-aes-mtk (software)
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, driver=ecb-aes-mtk (software)
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, driver=ecb-aes-mtk (software)
Cipher CAMELLIA-128-CBC, NID=751, /dev/crypto info: id=101, CIOCGSESSION (session open call) failed
Cipher CAMELLIA-192-CBC, NID=752, /dev/crypto info: id=101, CIOCGSESSION (session open call) failed
Cipher CAMELLIA-256-CBC, NID=753, /dev/crypto info: id=101, CIOCGSESSION (session open call) failed

[Success]: DUMP_INFO
     [ available ]
     USE_SOFTDRIVERS: specifies whether to use software (not accelerated) drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use if acceleration can't be determined) [default=2]
     CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]
     DUMP_INFO: dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'  

Generally we get something like this (as mentioned here https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators):

Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, driver=mv-cbc-aes (hw accelerated)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=mv-cbc-aes (hw accelerated)

So as I understand it, there is no hardware acceleration. Note that I’m using the kernel 5.4 from the @frank-w repository and I built cryptodev v1.11 from the official repository.
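
Added example, not part of any post in this thread: a small shell filter that reads the DUMP_INFO output of the devcrypto engine and labels each cipher as hardware accelerated, software only, or failed to open a session, which is the distinction the last post is checking by eye. The function names and the sample are assumptions of this example; the sample lines are copied from the outputs quoted above.

```shell
#!/bin/sh
# Classify /dev/crypto engine ciphers from "DUMP_INFO" output read on stdin.
# Prints one line per cipher: "<status> <cipher> <driver>"
#   hw   = driver reported as "(hw accelerated)"
#   sw   = driver reported as "(software)"
#   fail = CIOCGSESSION (session open call) failed, cipher unusable via the engine
classify_devcrypto() {
    awk '
    /^Cipher / && /\/dev\/crypto info:/ {
        name = $2
        sub(/,$/, "", name)                 # "AES-128-CBC," -> "AES-128-CBC"
        driver = "-"
        if (match($0, /driver=[^ ]+/))      # e.g. driver=cbc-aes-mtk
            driver = substr($0, RSTART + 7, RLENGTH - 7)
        if ($0 ~ /\(hw accelerated\)/)
            status = "hw"
        else if ($0 ~ /\(software\)/)
            status = "sw"
        else if ($0 ~ /CIOCGSESSION .* failed/)
            status = "fail"
        else
            status = "unknown"
        print status, name, driver
    }'
}

# Number of ciphers that are actually offloaded to hardware.
count_hw() {
    classify_devcrypto | awk '$1 == "hw" { n++ } END { print n + 0 }'
}

# Sample input: lines taken from the engine dumps quoted in this thread.
sample_dump() {
cat <<'EOF'
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, driver=cbc(des-generic) (software)
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, driver=cbc-aes-mtk (software)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=mv-cbc-aes (hw accelerated)
EOF
}

sample_dump | classify_devcrypto
```

On a live system the engine writes this dump to stderr, so feed the filter with `openssl engine -pre DUMP_INFO devcrypto 2>&1 | classify_devcrypto`.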