Because AI bots are shredding through the AF_ALG code in the kernel,
upstream has decided to deprecate AF_ALG:
https://lore.kernel.org/all/20260430011544.31823-1-ebiggers@kernel.org/
Follow their lead and do the same here.
AFAIK afalg_engine was a faster version of what OpenSSL provides, at least
the last time I used it, although I don't think it was useful for long.
OpenSSH's sandbox conflicts with AF_ALG.
Signed-off-by: Rosen Penev <redacted>
+++ /dev/null
-if PACKAGE_libopenssl-afalg_sync
- comment "Build Options"
-
- config AFALG_DIGESTS
- bool "Build support for digest acceleration"
- help
- Digests are fast in software, and accessing AF_ALG adds latency, so
- you'll need a large request (16KB) just to match software speed.
- This increases memory usage, and has problems when process fork
- with open digest contexts (openssh will not work because of it).
-
- config AFALG_UPDATE_CTR_IV
- bool "Don't rely on kernel to update CTR IV"
- default y
- help
- Don't count on the kernel driver to update the CTR-mode counter
- (IV). At least one driver does not update the IV as a workaround
- for DMA issues. With this option turned on, the engine will keep
- track of the counter, and the IV will be sent with every update.
- If fallback is enabled, then the counter needs to be updated by
- the engine anyway, and sent with the request everytime there's a
- switch from software to hardware, so this won't bring much gain in
- that case.
-
- config AFALG_ZERO_COPY
- bool "Use Zero-Copy Mode"
- help
- Uses a Zero-Copy interface. Even though it is supposed to improve
- performance, actual measurements indicate otherwise.
-endif
+++ /dev/null
-# Copyright (C) 2019 Eneas Ulir de Queiroz <cotequeiroz@gmail.com>
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=afalg_engine
-PKG_VERSION:=1.2.2
-PKG_RELEASE:=1
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/cotequeiroz/afalg_engine/archive/v$(PKG_VERSION)
-PKG_HASH:=6fe451cf37b0c9911445e46bfe96926aad5dc486c9cb81ecf7b87bb3ffff1c1a
-
-PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
-PKG_LICENSE:=Apache-2.0
-PKG_LICENSE_FILES:=LICENSE
-PKG_CONFIG_DEPENDS:= \
- CONFIG_AFALG_DIGESTS \
- CONFIG_AFALG_FALLBACK \
- CONFIG_AFALG_UPDATE_CTR_IV \
- CONFIG_AFALG_ZERO_COPY
-
-include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/cmake.mk
-include $(INCLUDE_DIR)/openssl-module.mk
-
-TARGET_CFLAGS += -Wno-deprecated-declarations
-
-$(eval $(call Package/openssl/add-engine,afalg,libopenssl-afalg_sync))
-define Package/libopenssl-afalg_sync
- $(call Package/openssl/engine/Default)
- TITLE:=AF_ALG engine using sync crypto API
- URL:=https://github.com/cotequeiroz/afalg_engine
- DEPENDS += @!OPENSSL_ENGINE_BUILTIN_AFALG +kmod-crypto-user
- CONFLICTS:=libopenssl-afalg
- MENU:=1
-endef
-
-define Package/libopenssl-afalg_sync/description
- This is an alternate AF_ALG engine for openssl, based on the devcrypto
- engine, but using the AF_ALG interface instead of /dev/crypto
-
- It is different than the AF_ALG engine that ships with OpenSSL:
- - it is faster
- - it uses sync calls, instead of async
- - it supports more algorithms
-endef
-
-define Package/libopenssl-afalg_sync/config
- source "$(SOURCE)/Config.in"
-endef
-
-CMAKE_OPTIONS += \
- -DOPENSSL_ENGINES_DIR=/usr/lib/$(ENGINES_DIR) \
- -DDIGESTS=$(if $(CONFIG_AFALG_DIGESTS),ON,OFF) \
- -DUPDATE_CTR_IV=$(if $(CONFIG_AFALG_UPDATE_CTR_IV),ON,OFF) \
- -DUSE_ZERO_COPY=$(if $(CONFIG_AFALG_ZERO_COPY),ON,OFF)
-
-$(eval $(call BuildPackage,libopenssl-afalg_sync))
+++ /dev/null
-[afalg_sect]
-# Leave this alone and configure algorithms with CIPERS/DIGESTS below
-default_algorithms = ALL
-
-# The following commands are only available if using the alternative
-# (sync) AFALG engine
-# Configuration commands:
-# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
-# list of supported algorithms, along with their driver, whether they
-# are hw accelerated or not, and the engine's configuration commands.
-
-# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
-# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
-# if acceleration can't be determined) [default=2]
-#USE_SOFTDRIVERS = 2
-
-# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a
-# comma-separated list of ciphers to enable [default=NO_ECB]
-# Starting in 1.2.0, if you use a cipher list, each cipher may be
-# followed by a colon (:) and the minimum request length to use
-# AF_ALG drivers for that cipher; smaller requests are processed by
-# softare; a negative value will use the default for that cipher
-#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0
-
-# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
-# enable [default=NONE]
-# It is strongly recommended not to enable digests; their performance
-# is poor, and there are many cases in which they will not work,
-# especially when calling fork with open crypto contexts. Openssh,
-# for example, does this, and you may not be able to login.
-#DIGESTS = NONE
-
+++ /dev/null
-#!/bin/sh
-
-test_afalg_engine() {
- apk add openssl-util
- openssl engine -t -c -v -pre DUMP_INFO afalg
-}
-
-case "$1" in
- libopenssl-afalg_sync)
- test_afalg_engine
- ;;
- *)
- echo "Unexpected package '$1'" >&2
- exit 1
- ;;
-esac