Hardware accelerated SHA1 failure


dmi
Posts: 6
Joined: Fri Nov 21, 2014 8:56 pm


Wed Aug 19, 2015 8:19 pm

Hi,

We decided to enable HW cryptography/digest acceleration on our SAMA5D3 Xplained.
For this, we built and loaded the cryptodev module in our Yocto image and, after that, started to get unusual disconnects in our client-server application that is using SSL.

To troubleshoot the issue, we slightly modified Boost's sample SSL client and server (client sends 1000000 bytes to echo server), ran them on core-image-minimal and got the same result: no issues when cryptodev is not loaded and 100% disconnects when it is.

We checked the acceleration is working by running "openssl speed sha1" (the difference in case of HW and SW is visible) and made sure our ssl server can do only one cipher suite - AES128-SHA (hard-coded only available suite).

Minimal set of actions required to reproduce the issue:

1) Build the core-image-minimal yocto image with local.conf including openssl, cryptodev-module, needed boost and ssh modules:

Things we added to local.conf (for full config see local.conf.zip):

    IMAGE_FEATURES="ssh-server-dropbear"

    CORE_IMAGE_EXTRA_INSTALL = " \
    openssl \
    cryptodev-module \
    openssh-sftp-server \
    libstdc++ \
    boost-system \
    boost-filesystem \
    boost-thread \
    "

    . oe-init-build-env build-atmel
    bitbake core-image-minimal

2) Build and launch the sample ssl server (server.cpp from sources.zip)

    server 5000

3) Build and launch the sample ssl client (client.cpp from sources.zip)

    client localhost 5000

4) Client should send and receive 1000000 bytes of data with no problem

5) Stop the server

6) Load cryptodev

    modprobe cryptodev

7) Run server and client - client gets a disconnect while receiving the data

Attachments:
cert.zip (2.48 KiB): self-signed cert to use in the test
sources.zip (3.01 KiB): sample server.cpp and client.cpp
local.conf.zip (4.19 KiB): local.conf

dmi
Posts: 6
Joined: Fri Nov 21, 2014 8:56 pm

Re: Hardware accelerated SHA1 failure

Fri Sep 25, 2015 11:16 pm

We came up with an easier way of spotting the issue - using solely the standard utilities.
After enabling cryptodev:

1) Start openssl s_server:

    openssl s_server -port 4000 -cert root.crt -key root.key

2) Create 10 MB testfile:

    dd bs=10M count=1 </dev/zero > testfile

3) Connect to the s_server with s_client and send our testfile:

    cat testfile | openssl s_client -connect localhost:4000 -cipher AES128-SHA

4) s_server immediately drops the connection

    ERROR
    3069371600:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:518:
    shutting down SSL
    CONNECTION CLOSED

Is there something we are doing wrong? Has anyone tried to use OpenSSL encryption and digests with hardware acceleration enabled?

Thanks!
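
A diagnostic added here, not part of the original posts: it narrows the "bad record mac" failure above by hashing identical data with OpenSSL and with a software-only tool, and reports the first input size at which the two SHA-1 digests disagree. The function names and size list are illustrative; it assumes `openssl dgst` uses the cryptodev path once the module is loaded and that `sha1sum` (e.g. BusyBox) never touches /dev/crypto.

```sh
#!/bin/sh
# Added diagnostic, not from the thread. Assumptions: `openssl dgst` takes the
# cryptodev path once the module is loaded, and `sha1sum` is a pure-software
# implementation (e.g. BusyBox) that never touches /dev/crypto.

# Emit N bytes of a fixed, deterministic pattern on stdout.
gen_data() {
    head -c "$1" /dev/zero | tr '\000' 'Z'
}

# Pull the 40-hex-digit SHA-1 out of either tool's output format.
hex40() {
    grep -oE '[0-9a-fA-F]{40}' | head -n 1 | tr 'A-F' 'a-f'
}

digest_openssl()   { openssl dgst -sha1 | hex40; }   # path under test
digest_reference() { sha1sum | hex40; }              # software reference

# first_mismatch REF TEST SIZE...
# Prints the first SIZE whose digests differ (or where either tool gave no
# digest) and returns 1; prints nothing and returns 0 when all sizes agree.
first_mismatch() {
    ref=$1; tst=$2; shift 2
    for n in "$@"; do
        a=$(gen_data "$n" | "$ref")
        b=$(gen_data "$n" | "$tst")
        if [ -z "$a" ] || [ "$a" != "$b" ]; then
            echo "$n"
            return 1
        fi
    done
    return 0
}

# Sizes straddle SHA-1 block/padding boundaries (55, 56, 64), a page (4096),
# the maximum TLS record payload (16384) and the thread's 1000000-byte transfer.
if [ "${1:-}" = "--run" ]; then
    if bad=$(first_mismatch digest_reference digest_openssl \
             1 55 56 64 65 4096 16384 16385 1000000); then
        echo "all digests match"
    else
        echo "first mismatch at $bad bytes"
    fi
fi
```

Run it with `--run` once with cryptodev unloaded and once after `modprobe cryptodev`; a mismatch that appears only in the second run points at the digest offload rather than at the TLS code in the client or server.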
