VIA C3 Padlock crypto engine missing?!



  • I am running pfSense 2.2.5 – OpenVPN does not list Padlock as a Hardware Crypto?

    Motherboard: VIA EPIA-MII EPIA-MII12000.

    pfSense Dashboard shows: Hardware crypto  VIA Padlock

    dmesg

    CPU: VIA Nehemiah (1199.81-MHz 686-class CPU)
      VIA Padlock Features=0xdd <rng,aes>

    /usr/bin/openssl engine -t -c

    (cryptodev) BSD cryptodev engine
    [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
        [ available ]
    (dynamic) Dynamic engine loading support
        [ unavailable ]

    openssl speed -evp aes-128-cbc -engine padlock
    invalid engine "padlock"
    675592508:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:185:filename(/usr/lib/engines/libpadlock.so): Cannot open "/usr/lib/engines/libpadlock.so"
    675592508:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
    675592508:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:447:
    675592508:error:2606A074:engine routines:ENGINE_by_id:no such engine:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_list.c:418:id=padlock
    675592508:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:185:filename(libpadlock.so): Shared object "libpadlock.so" not found, required by "openssl"
    675592508:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
    675592508:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:447:

    Has Padlock support been removed? Is there a way to get it back by installing another version of OpenSSL?
    Or would I need to install an older version of pfSense? If that's the case, what was the last version that supported the padlock engine?

    Hope you can help.  :)



  • It wasn't intentionally removed but apparently the openssl in base FreeBSD doesn't have padlock support, so when we got away from dual openssl versions, that no longer worked (and maybe prior to that). There isn't a way to get a different openssl on the system without potentially breaking a lot of things. Might be able to pkg install it, but you're on your own there.



  • Oh pity I can't pkg install a version of OpenSSL that supports it without breaking stuff.  >:(

    Do you know the last / previous version of pfSense that supports the Padlock engine by any chance?

    Actually by looking here: https://doc.pfsense.org/index.php/Versions_of_pfSense_and_FreeBSD

    Maybe pfSense 2.1.5, which uses FreeBSD 8.3-RELEASE-p16?



  • Speeding up your crypto by using unmaintained versions that now have a slew of security holes (granted, none all that serious in most usage) is counterproductive.

    You can try pkg installing openssl. Just be prepared to possibly break things and be ready to wipe and reinstall the box if it really goes south.



  • How can I install an older version of OpenSSL on pfSense 2.2.5?

    I have found the package:

    ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.2-release/security/openssl-1.0.0_4.tbz

    But not sure on what command to use to install it?



  • Have you run openssl speed tests on an older supported version and on the new 2.2 version of pfSense? I am curious if the padlock stuff was added into openssl similar to how AES-NI was. It may be wishful thinking but I am running into the same problem with a 64-bit VIA Nano board. I am trying to benchmark vs. Linux installs. The pfSense numbers I'm getting (for a 1.6 GHz Nano) are:

    openssl speed -evp aes-128-cbc:
    type              16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
    aes-128-cbc      39334.77k    185436.84k   1302134.78k   3322120.07k  17558786.42k

    openssl speed -evp aes-128-cbc -engine cryptodev:
    type              16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
    aes-128-cbc      34315.05k    140591.87k    728903.31k   2726613.71k  18504954.68k

    I don't have an install of the 2.1 branch with hardware crypto acceleration though.
    The difference between those two benches is small. I wonder if either you cannot turn the padlock engine off, or if you cannot turn it on.

    If you install 2.1, would you post the speeds you are getting please. Let me know if you can think of any other tests to run.

    Edit: From the pfsense mailing list, I also found this if you want to test your hwrng speed
    $ dd if=/dev/random of=/dev/null bs=1M count=100
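
Added example, not part of the thread: a small shell check that reads `openssl engine -t -c` output and reports whether a given engine is built in, usable, and offering a given cipher, run here against the output quoted in the first post. The names `engine_status`, `engine_offers`, `bench` and `SAMPLE` are made up for this example.

```shell
#!/bin/sh
# Added example: interpret `openssl engine -t -c` output.
# SAMPLE is the engine listing quoted in the first post of this thread.
SAMPLE='(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

# engine_status ID: read the listing on stdin and print one of
#   available | unavailable | listed (no -t status line) | missing
engine_status() {
    awk -v id="$1" '
        /^\(/ { cur = $1; gsub(/[()]/, "", cur); if (cur == id) seen = 1 }
        cur == id && /\[ *available *\]/   { st = "available" }
        cur == id && /\[ *unavailable *\]/ { st = "unavailable" }
        END { if (!seen) print "missing"; else print (st == "" ? "listed" : st) }
    '
}

# engine_offers ID CIPHER: exit 0 if the engine capability line names CIPHER exactly.
engine_offers() {
    awk -v id="$1" -v want="$2" '
        /^\(/ { cur = $1; gsub(/[()]/, "", cur) }
        cur == id && /\[/ && !/available/ {
            line = $0; gsub(/[][ \t]/, "", line)   # drop brackets and blanks
            n = split(line, caps, ",")
            for (i = 1; i <= n; i++) if (caps[i] == want) found = 1
        }
        END { exit !found }
    '
}

# bench [ENGINE]: same benchmark as in the thread, with -elapsed so the rate is
# computed from wall-clock time (time spent waiting on a device is counted).
# Defined for interactive use; not called by this script.
bench() {
    openssl speed -elapsed -evp aes-128-cbc ${1:+-engine "$1"}
}

# On a live system, replace the printf with: openssl engine -t -c
for e in cryptodev dynamic padlock; do
    printf '%-10s %s\n' "$e" "$(printf '%s\n' "$SAMPLE" | engine_status "$e")"
done
```

A result of `missing` means the engine is not compiled into that OpenSSL build at all, which is a different condition from `unavailable` (compiled in, but its self-test failed).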

