-
-
Notifications
You must be signed in to change notification settings - Fork 9.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Don't use CRYPTO_AES_CTR if it isn't defined.
- Loading branch information
Showing
1 changed file
with
6 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6ecbc2b
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wondering if somebody is looking at this bug: http://rt.openssl.org/Ticket/Display.html?id=2770&user=guest&pass=guest
Bug report has been there for a while. Patches were updated yesterday and I can confirm they work on Kirkwood Armv5 SoC. Without these patches any https connectivity breaks: easily tested with wget.
6ecbc2b
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This patch works under the assumption that CRYPTO_AES_CTR ice declared with a define (like in https://github.com/openbsd/src/blob/master/sys/crypto/cryptodev.h).
It doesn't work correctly if it is instead declared with an enum (like in https://github.com/cryptodev-linux/cryptodev-linux/blob/master/crypto/cryptodev.h).
6ecbc2b
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very true. We've worked with the assumption that you will have to run with a modern enough cryptodev-linux. If there is some other safe way to detect what's available, PR welcome!
6ecbc2b
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, I was not able to find a good alternative here... I patched my working copy of OpenSSL with replacing CRYPTO_AES_CTR with a USE_CRYPTO_AES_CTR, defining it later at config time. But I didn't like too much the idea to patch OpenSSL at every new release.
So i raised the issue in cryptodev-linux/cryptodev-linux#44, and I proposed and alternative cryptodev-linux in https://github.com/Retropotenza/cryptodev-linux/blob/master/crypto/cryptodev.h that retain both the defines and enums. Is not elegant, but is compatible with anything out on the field (the cryptodev-linux header enums are there since 2011 at least).
6ecbc2b
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the latest OpenSSL releases, there is a CHECK_BSD_STYLE_MACROS that at the end control the usage of CRYPTO_AES_CTR.
Looking at https://github.com/openssl/openssl/blob/master/engines/e_devcrypto.c, if a CRYPTO_ALGORITHM_MIN define is declared CRYPTO_AES_CTR is handled as a define.
I was not able to find where this CRYPTO_ALGORITHM_MIN is defined... without it, the check on CRYPTO_AES_CTR is basically skipped (which make cryptodev-linux working fine... this approach maybe could be back ported in older OpesSSL branches).
6ecbc2b
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CRYPTO_ALGORITHM_MIN is defined on FreeBSD:
https://github.com/freebsd/freebsd/blob/master/sys/opencrypto/cryptodev.h#L167
But you seem to be right that it isn't on OpenBSD:
https://github.com/openbsd/src/blob/master/sys/crypto/cryptodev.h
Maybe we should look at CRYPTO_ALGORITHM_MAX instead...
BTW, discussing in a single commit is pretty fruitless. Please raise an issue.
6ecbc2b
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you are right. I created #8911.