# OpenSSL+engine



## mahdieh (Jul 23, 2012)

Hello
I'm pretty much a newcomer to FreeBSD. I have FreeBSD-9.0-RELEASE installed on my system. I wanted to use the OCF framework software engine (I mean /dev/crypto) through the OpenSSL engine. But when I execute the command:
`openssl speed -evp aes-128-cbc -engine cryptodev`

I get the following error:

```
cryptodev engine not found.
error: engine routines: Dynamic_Load: dso not found: /usr/src/secure/lib/libcrypto/../../../crypto/engine/eng-dyn 
...
```
My OpenSSL version is 1.0.0_7.

kldstat(8) shows that I don't have crypto.ko. How should I load the crypto.ko module?
Can anyone give a step-by-step way of activating the engine for OpenSSL on FreeBSD?


Thanks


----------



## zhoopin (Jul 29, 2012)

You can load the crypto.ko file into the kernel with
`# kldload /boot/kernel/crypto.ko`

BUT before that, please take a look at the following HOWTOs:
http://forums.freebsd.org/showthread.php?t=6490&highlight=openssl
http://forums.freebsd.org/showthread.php?t=4473&highlight=openssl

I had a successful result by following the instructions in the HOWTOs above, using just base system utilities.


----------



## mahdieh (Jul 30, 2012)

I want to know if using the cryptodev engine without any hardware could cause acceleration in cryptography. I tested
`openssl speed`
and
`openssl speed -engine cryptodev`

But the results were almost the same, although somewhere it has been claimed that it can cause acceleration.


----------
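Added example, not part of any post in this thread: an sh script for the comparison described in the post above. It parses the summary line of two `openssl speed` runs (software and `-engine cryptodev`) and reports the engine's throughput as a percentage of the software run for each block size. The sample lines are constructed, and `speed_ratio` and `verdict` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): compare two `openssl speed` summary
# lines, one from the software run and one from the cryptodev run.
# On the FreeBSD host the lines would come from, for example:
#   openssl speed -elapsed -evp aes-128-cbc
#   openssl speed -elapsed -evp aes-128-cbc -engine cryptodev
# -elapsed makes openssl time with the wall clock instead of user CPU time,
# so time spent inside the kernel is counted in the engine run as well.

# Constructed sample lines (thousands of bytes per second for 16, 64, 256,
# 1024 and 8192 byte blocks); they are not measurements from any system.
SW_LINE='aes-128-cbc      80000.00k    90000.00k   100000.00k   100000.00k   100000.00k'
ENG_LINE='aes-128-cbc      8000.00k    27000.00k    70000.00k    95000.00k   102000.00k'

# speed_ratio SW ENG: print "<block size> <engine throughput as % of software>"
speed_ratio() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        BEGIN { split("16 64 256 1024 8192", size, " ") }
        NR == 1 { for (i = 2; i <= NF; i++) sw[i] = $i + 0 }   # "+ 0" drops the k suffix
        NR == 2 { for (i = 2; i <= NF; i++)
                      if (sw[i] > 0) printf "%s %d\n", size[i - 1], ($i / sw[i]) * 100 + 0.5 }'
}

# verdict SW ENG [TOLERANCE%]: "faster", "slower" or "same" at the largest block
verdict() {
    pct=$(speed_ratio "$1" "$2" | awk 'END { print $2 }')
    tol=${3:-5}
    if   [ "$pct" -gt $((100 + tol)) ]; then echo faster
    elif [ "$pct" -lt $((100 - tol)) ]; then echo slower
    else echo same
    fi
}

speed_ratio "$SW_LINE" "$ENG_LINE"
verdict "$SW_LINE" "$ENG_LINE"
```

The optional third argument to `verdict` is the percentage band treated as measurement noise; run-to-run variation on the machine under test decides what a sensible value is.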



## zhoopin (Jul 30, 2012)

cryptodev uses /dev/crypto, and /dev/crypto operates in an ioctl(2)-based model (query device capabilities, submit transactions, and get results). In my experience ioctl(2) deals with hardware. There are some facts about cryptographic hardware, kernel and userland in ioctl(2), cryptodev(4) and crypto(9). So,

mahdieh said:

> I want to know if using cryptodev engine without any hardware could cause acceleration in cryptography?



In my opinion/experience: No, but I'm *not* 100% sure.


----------



## zhoopin (Jul 31, 2012)

*Hardware Crypto* is ported (with some important modifications) from the OpenBSD Cryptographic Framework (OCF) to the FreeBSD Project.

OCF is a service virtualization layer that provides a uniform interface to cryptographic resources and a device interface for user-level access to *hardware-accelerated* cryptographic operations, by hiding *card-specific* details behind an API.

OCF is comprised of three components:

- Core crypto support: manages a registry of crypto device drivers, dispatches crypto operations to drivers, and coordinates the return of results from drivers to the submitter.
- Crypto device drivers: submit crypto operations to hardware devices and return results to the crypto core. These drivers register the algorithms supported by the device and export the appropriate callback functions to the OCF.
- /dev/crypto pseudo-device driver: provides linkage between user-level software and the core crypto support. /dev/crypto abstracts all the OCF functionality and provides a command set that can be used by OpenSSL or other software that uses /dev/crypto. /dev/crypto is based on ioctl(2) calls.
 
Conclusion:
cryptodev(4) manages cryptographic *hardware* accelerator cards by FreeBSD.

Reference:
crypto(4), crypto(9), crypto(3), ioctl(2)
_Cryptographic Device Support for FreeBSD_ by Samuel J. Leffler
_The Design of the OpenBSD Cryptographic Framework_ by Angelos D. Keromytis, Jason L. Wright and Theo de Raadt


----------



## mahdieh (Jul 31, 2012)

I have already read the two references you mentioned. But what made me think that it should accelerate cryptography are the results in *Table 9* in the first article.
It compares doing cryptography in software on the host with doing it with the 5822 and doing it without any hardware accelerator.


----------



## zhoopin (Jul 31, 2012)

There are no comparable results (empty/dashed) available in the even columns (2, 4, ...), because the tests failed to complete for the OpenBSD system.
Only the FreeBSD system passed the test successfully.
Both test systems used the Broadcom BCM5822 crypto card.


----------



## mahdieh (Aug 1, 2012)

Yes, thank you. I was wrong.
But another reason is that the article says OCF reduces the context switches in FreeBSD, and this also applies when using just the cryptodev engine without any hardware.


----------

