crypto engine: practical use with openssl, curl, ...



Hi Folks,

In latest SDK, I enabled the OCF crypto driver. openssl is patched to use cryptodev.

Openssh is not working anymore, setting up a connection (both ssh and scp) ends with:

Corrupted MAC on input.
Disconnecting: Packet corrupt

Same error occurs in both directions: PC <-> AM335x

The debugging output of sshd and ssh is not helpful for analyzing the problem.

The openssl crypto test gives the expected result (openssl speed -evp aes-128-cbc -engine cryptodev).

Also reproduced on BeagleBone.

Has anyone a working ssh solution which uses the hardware crypto?

Also https calls with curl (with the underlying openssl library) fail:

... Unknown SSL protocol error in connection to ...

Is anyone having a working end-application on top of openssl?

Regards, Wim

  • Hello Wim,

    using the latest SDK 5.05 (released 15 November 2012) it now works for OpenSSH:

    Versions used:
    SDK 5.05 (toolchain, libc, kernel, basic rootfs)
    zlib-1.2.6 (cross compiling 1.2.7 fails, this is probably a zlib configure issue)
    OpenSSL-1.0.0j
    OpenSSH-6.1p1 (depends on zlib and OpenSSL)

     

    Building:
    # Put the SDK cross toolchain on the PATH; OUT is the install prefix for all three packages
    export PATH=$PATH:/home/lf/ti/ti-sdk-am335x-evm-5.05/linux-devkit/bin/
    export OUT=/home/lf/ti/crypto/out/

    # zlib
    export CHOST=arm-arago-linux-gnueabi
    tar zxf zlib-1.2.6.tar.gz
    cd zlib-1.2.6
    ./configure --shared --prefix=$OUT
    make
    make install
    cd ..

    export CC=arm-arago-linux-gnueabi-gcc
    export RANLIB=arm-arago-linux-gnueabi-ranlib
    export AR=arm-arago-linux-gnueabi-ar

    # OpenSSL with the cryptodev engine (ciphers and digests)
    tar zxf openssl-1.0.0j.tar.gz
    cd openssl-1.0.0j
    ./Configure linux-armv4 --prefix=$OUT --openssldir=$OUT -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
    make
    make install
    cd ..

    export LDFLAGS="-L $OUT/lib"
    export CFLAGS="-I $OUT/lib -I /home/lf/ti/ti-sdk-am335x-evm-5.05/arm-arago-linux-gnueabi/usr/include"

    # OpenSSH, linked against the zlib and OpenSSL built above
    tar zxf openssh-6.1p1.tar.gz
    cd openssh-6.1p1
    ./configure --host=arm-linux-gnueabi --prefix=$OUT --disable-strip --with-ssl-engine
    make
    make install

    Regards,

    Lo

  • Hi Lo,

    I suppose you mean SDK 5.05.01: is there any crypto-related difference with the previous SDK 5.05.00?

    I'm using the previous SDK, and it includes zlib 1.2.3 and openssl 1.0.0d (if I am not wrong). Are these packages ok, or is there any known issue about them?

    Looking at the SDK 5.05.01 Release Notes, it seems the latest SDK is just missing some components/packages (multimedia). Anything else?

    Thanks in advance for the clarifications.

    Regards,

    Max

  • Hello Max,

    Last time I tried to build OpenSSH, as an alternative to dropbear, I used SDK version 5.04.

    I was able to compile, but the binaries didn't work, getting the same messages as Wim posted here.

    Building OpenSSH using SDK 5.05 works. Just to make sure it does not depend on anything special, I built OpenSSL, zlib and OpenSSH from source.

    So as long as you use an SDK >= 5.05 you should be safe. I'm not aware of any crypto-related changes in 5.05.01.

    Link to release notes: http://processors.wiki.ti.com/index.php/Sitara_SDK_5.05.01_Release_Notes

    Regards,

    Lo

  • FYI,

    I am using SDK 5.04 with DM8148 and have just got openssl working with cryptodev. Initially I had the "Corrupt MAC" issue with ssh, but I backed out the patch (I applied and shouldn't have) found at:

    http://processors.wiki.ti.com/index.php/Build_OpenSSL_for_Sitara

    So now ssh, scp and https are all working.  Let me know if you need help and I can give you my email.
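
`openssl speed` measures throughput, not whether the engine's output is correct, so it can look fine while ssh reports a corrupted MAC. The script below is an added example, not part of any post in this thread: it runs the same digest, HMAC and AES-128-CBC operations with and without `-engine` and compares the results. The `OPENSSL` and `ENGINE` defaults, the key material and the input sizes are assumptions.

```shell
#!/bin/sh
# Added example: does the engine give the same answers as software OpenSSL?
# OPENSSL, ENGINE and all key material below are constructed/assumed values.
OPENSSL=${OPENSSL:-openssl}
ENGINE=${ENGINE:-cryptodev}
KEY="constructed-test-key"
KEYHEX=000102030405060708090a0b0c0d0e0f
IVHEX=00000000000000000000000000000000

# gen_input LEN: LEN bytes of 'A' as deterministic test data.
gen_input() { head -c "$1" /dev/zero | tr '\0' 'A'; }

# run_op KIND ALG LEN [ENGINE]: print a comparable result, or nothing on failure.
run_op() {
    eng=${4:+-engine $4}
    case $1 in
        dgst) gen_input "$3" | $OPENSSL dgst "-$2" $eng 2>/dev/null |
                  awk '{print $NF}' ;;
        hmac) gen_input "$3" | $OPENSSL dgst "-$2" -hmac "$KEY" $eng 2>/dev/null |
                  awk '{print $NF}' ;;
        enc)  gen_input "$3" |
                  $OPENSSL enc "-$2" -K "$KEYHEX" -iv "$IVHEX" $eng 2>/dev/null |
                  cksum | awk '$2 > 0' ;;   # empty ciphertext counts as failure
    esac
}

# check_one KIND ALG LEN: succeed only if both paths produced the same output.
check_one() {
    sw=$(run_op "$1" "$2" "$3")
    hw=$(run_op "$1" "$2" "$3" "$ENGINE")
    [ -n "$sw" ] && [ "$sw" = "$hw" ]
}

# check_all: input sizes straddle hash and cipher block boundaries.
check_all() {
    MISMATCHES=0
    for len in 1 16 64 1000 4096 65536; do
        for op in "dgst md5" "dgst sha1" "hmac md5" "hmac sha1" "enc aes-128-cbc"; do
            if ! check_one $op "$len"; then
                echo "MISMATCH: $op, $len bytes"
                MISMATCHES=$((MISMATCHES + 1))
            fi
        done
    done
    [ "$MISMATCHES" -eq 0 ]
}

if [ "${1:-}" = "run" ]; then check_all && echo "engine matches software"; fi
```

Run it on the target with the single argument `run`. A pass only means something if the engine actually loaded, so confirm that separately.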