VIA C3 Padlock crypto engine missing?!
-
I am running pfSense 2.2.5 – OpenVPN does not list Padlock as a Hardware Crypto?
Motherboard: VIA EPIA-MII EPIA-MII12000.
pfSense Dashboard shows: Hardware crypto VIA Padlock
dmesg
CPU: VIA Nehemiah (1199.81-MHz 686-class CPU)
VIA Padlock Features=0xdd <rng,aes>
/usr/bin/openssl engine -t -c
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
openssl speed -evp aes-128-cbc -engine padlock
invalid engine "padlock"
675592508:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:185:filename(/usr/lib/engines/libpadlock.so): Cannot open "/usr/lib/engines/libpadlock.so"
675592508:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
675592508:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:447:
675592508:error:2606A074:engine routines:ENGINE_by_id:no such engine:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_list.c:418:id=padlock
675592508:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:185:filename(libpadlock.so): Shared object "libpadlock.so" not found, required by "openssl"
675592508:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
675592508:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:447:
Has Padlock support been removed? Is there a way to get it back by installing another version of OpenSSL?
...Or would I need to install an older version of pfSense? If that's the case, what was the last version that supported the padlock engine?
Hope you can help. :)
-
It wasn't intentionally removed but apparently the openssl in base FreeBSD doesn't have padlock support, so when we got away from dual openssl versions, that no longer worked (and maybe prior to that). There isn't a way to get a different openssl on the system without potentially breaking a lot of things. Might be able to pkg install it, but you're on your own there.
-
Oh pity I can't pkg install a version of OpenSSL that supports it without breaking stuff. >:(
Do you know the last / previous version of pfSense that supports the Padlock engine by any chance?
Actually by looking here: https://doc.pfsense.org/index.php/Versions_of_pfSense_and_FreeBSD
Maybe pfSense 2.1.5, which uses FreeBSD 8.3-RELEASE-p16?
-
Speeding up your crypto by using unmaintained versions that now have a slew of security holes (granted, none all that serious in most usage) is counterproductive.
You can try pkg installing openssl. Just be prepared to possibly break things and be ready to wipe and reinstall the box if it really goes south.
-
How can I install an older version of OpenSSL on pfSense 2.2.5?
I have found the package:
ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.2-release/security/openssl-1.0.0_4.tbz
But not sure on what command to use to install it?
-
Have you run openssl speed tests on an older supported version and on the new 2.2 version of pfSense? I am curious if the padlock stuff was added into openssl similar to how aes-ni was. It may be wishful thinking but I am running into the same problem with a 64 bit VIA Nano board. I am trying to benchmark vs. Linux installs. The pfSense numbers I'm getting (for a 1.6 GHz Nano) are:
openssl speed -evp aes-128-cbc:
type             16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
aes-128-cbc     39334.77k    185436.84k   1302134.78k   3322120.07k  17558786.42k
openssl speed -evp aes-128-cbc -engine cryptodev:
type             16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
aes-128-cbc     34315.05k    140591.87k    728903.31k   2726613.71k  18504954.68k
I don't have an install of the 2.1 branch with hardware crypto acceleration though.
The difference between those two benches is small. I wonder if either you cannot turn the padlock engine off, or if you cannot turn it on.
If you install 2.1, would you post the speeds you are getting please. Let me know if you can think of any other tests to run.
Edit: From the pfsense mailing list, I also found this if you want to test your hwrng speed
$ dd if=/dev/random of=/dev/null bs=1M count=100
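
An added example, not part of the thread: a POSIX sh helper that parses the `openssl engine -t -c` listing quoted in the first post and reports whether a named engine is both listed and passes its self-test, which is worth checking before selecting an engine for OpenVPN. The function names and the sample input (modelled on the output quoted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `openssl engine -t -c` output read from stdin.
# Prints one line per engine: <id> <available|unavailable|unknown> <caps|->

engine_report() {
    awk '
    function emit() {
        if (id != "") print id, (st == "" ? "unknown" : st), (caps == "" ? "-" : caps)
    }
    /^\(/ {                       # "(id) description" starts a new engine record
        emit()
        id = $1; gsub(/\(|\)/, "", id); st = ""; caps = ""
        next
    }
    /\[ *unavailable *\]/ { st = "unavailable"; next }   # -t self-test failed
    /\[ *available *\]/   { st = "available";   next }   # -t self-test passed
    /^[ \t]*\[/ {                 # capability list printed by -c
        caps = $0; gsub(/\[|\]| |\t/, "", caps)
        next
    }
    END { emit() }
    '
}

# Exit status 0 only if engine $1 is listed AND reported "available".
engine_usable() {
    engine_report | awk -v want="$1" \
        '$1 == want && $2 == "available" { ok = 1 } END { exit !ok }'
}

# Constructed sample, modelled on the listing in the first post (no padlock entry).
SAMPLE='(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

printf '%s\n' "$SAMPLE" | engine_report
for e in cryptodev padlock; do
    if printf '%s\n' "$SAMPLE" | engine_usable "$e"; then
        echo "$e: usable"
    else
        echo "$e: not listed or failed self-test"
    fi
done
```

On a live system, pipe the real listing in instead of the sample: `openssl engine -t -c | engine_usable padlock`.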