wolfssl-sys 4.0.0

System bindings for WolfSSL
# Cavium Nitrox V Support

## Directory Structure:

* `/`
    * `/CNN55XX-SDK`
    * `/wolfssl`

## Building Cavium Driver

Tested using `CNN55XX-Driver-Linux-KVM-XEN-PF-SDK-1.4.14.tar`

### Installation

```sh
$ cd CNN55XX-SDK
$ make clean
$ make
$ cd bin
$ sudo perl ./init_nitrox.pl

NITROX-V devices found: 1
NITROX-V driver(nitrox_drv.ko) load: SUCCESS
NITROX-V Device-0 part:  CNN5560-900BG676-C45-G

Reading config file: ../microcode/ssl.conf
Device count: 1  Config file device count: 2

 NITROX Model: 0x1200 [ CNN55XX PASS 1.0 ]

 Microcode Details:
    Version : CNN5x-MC-AE-MAIN-0001
    Core Count : 80
    Code length : 9514
    Block number: 0

 Microcode Details:
    Version : CNN5x-MC-SE-SSL-0004
    Core Count : 64
    Code length : 23738
    Block number: 1

 Microcode Load Succeed on device: 0

 [ AE ] Microcode: CNN5x-MC-AE-MAIN-0001
    Group : 0
    Core Mask [Hi Low]: ffff ffffffffffffffff [ 80 ]

 [ SE ] Microcode: CNN5x-MC-SE-SSL-0004
    Group : 0
    Core Mask : ffffffffffffffff [ 64 ]

Microcode Load success
```

```sh
$ lspci | grep Cavium
09:00.0 Network and computing encryption device: Cavium, Inc. Nitrox XL NPX (rev 01)
81:00.0 Network and computing encryption device: Cavium, Inc. Device 0012
```

#### Issues

1. Fixes needed in the Nitrox driver headers so they can be included by wolfSSL

a. In `include/vf_defs.h:120`, change the start of the `vf_config_mode_str()` function to:

```c
static inline const char *vf_config_mode_str(vf_config_type_t vf_mode)
{
    const char *vf_mode_str;
```

b. Add `case PF:` to `include/vf_defs.h:82` above `default:` in `vf_config_mode_to_num_vfs()`.

c. In `include/linux/sysdep.h:46` rename `__BYTED_ORDER` to `__BYTE_ORDER`.


2. If the CNN55XX driver archive is not extracted on the Linux box, the symbolic links in the microcode folder can break, and the microcode load then fails with the error below. The fix is to re-create the symbolic links in `./microcode`.

```sh
NITROX Model: 0x1200 [ CNN55XX PASS 1.0 ]
Invalid microcode
ucode_dload: failed to initialize
```

Resolve Links:
```sh
cd microcode
rm main_asym.out
ln -s ./build/main_ae.out ./main_asym.out
rm main_ipsec.out
ln -s ./build/main_ipsec.out ./main_ipsec.out
rm main_ssl.out
ln -s ./build/main_ssl.out ./main_ssl.out
```
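
A preflight check for the microcode links described above, as an added example that is not part of the SDK or the wolfSSL documentation. The link names and targets come from the "Resolve Links" commands; the function names `check_microcode_links` and `repair_microcode_links` are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Link names and targets
# are the ones listed in the "Resolve Links" step of this README.
MICROCODE_LINKS="main_asym.out:build/main_ae.out
main_ipsec.out:build/main_ipsec.out
main_ssl.out:build/main_ssl.out"

# Print one status line per link; return the number that need repair.
check_microcode_links() {
    dir=$1; bad=0
    for pair in $MICROCODE_LINKS; do
        link=${pair%%:*}
        if [ ! -L "$dir/$link" ]; then
            # Extraction on a non-Linux host can leave a plain file or nothing.
            echo "BAD  $link: not a symbolic link"
            bad=$((bad + 1))
        elif [ ! -s "$dir/$link" ]; then
            # -s follows the link, so this catches dangling links too.
            echo "BAD  $link: target missing or empty ($(readlink "$dir/$link"))"
            bad=$((bad + 1))
        else
            echo "OK   $link -> $(readlink "$dir/$link")"
        fi
    done
    return "$bad"
}

# Re-create only the broken links, and only when the build output exists.
# Returns the number of links that could not be repaired.
repair_microcode_links() {
    dir=$1; failed=0
    for pair in $MICROCODE_LINKS; do
        link=${pair%%:*}; target=${pair#*:}
        if [ -L "$dir/$link" ] && [ -s "$dir/$link" ]; then continue; fi
        if [ ! -s "$dir/$target" ]; then
            echo "SKIP $link: $target is missing or empty" >&2
            failed=$((failed + 1))
            continue
        fi
        rm -f "$dir/$link"
        ln -s "./$target" "$dir/$link"
    done
    return "$failed"
}

# Usage: sh check_links.sh ./microcode   (run before init_nitrox.pl)
if [ $# -gt 0 ]; then check_microcode_links "$1"; fi
```

A non-zero status from `check_microcode_links` means at least one link would make the microcode load fail; `repair_microcode_links` leaves healthy links untouched.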


## Building wolfSSL

```sh
./configure --with-cavium-v=../CNN55XX-SDK --enable-asynccrypt --enable-aesni --enable-intelasm
make
sudo make install
```

### CFLAGS

```
CFLAGS+= -DHAVE_CAVIUM -DHAVE_CAVIUM_V -DWOLFSSL_ASYNC_CRYPT -DHAVE_WOLF_EVENT -DHAVE_WOLF_BIGINT
CFLAGS+= -I../CNN55XX-SDK/include -lrt -lcrypto
```

* `HAVE_CAVIUM`: Enable Cavium Nitrox support
* `HAVE_CAVIUM_V`: Target Nitrox V
* `WOLFSSL_ASYNC_CRYPT`: Enable asynchronous wolfCrypt.
* `HAVE_WOLF_EVENT`: Enable wolf event support (required for async)
* `HAVE_WOLF_BIGINT`: Enable wolf big integer support (required for async)


### LDFLAGS

Include the libnitrox static library:
`LDFLAGS+= ../CNN55XX-SDK/lib/libnitrox.a`


### wolfSSL Build Issues

a. If you build with debug (`-g`) and an older binutils LD, version 2.23 or less, you may see a linker crash. Example of the error: `BFD (GNU Binutils) 2.23.2 internal error, aborting at merge.c line 873 in _bfd_merged_section_offset`. The resolution is to use `-g -fno-merge-debug-strings -fdebug-types-section` in the CFLAGS.


## Usage

Note: Applications must be run with `sudo` to access the device.

```
sudo ./wolfcrypt/benchmark/benchmark
sudo ./wolfcrypt/test/testwolfcrypt
```


## TLS Code Template

```c
/* GLOBAL DEVICE IDENTIFIER */
#ifdef WOLFSSL_ASYNC_CRYPT
    static int devId = INVALID_DEVID;
#endif


/* DONE AT INIT */
#ifdef WOLFSSL_ASYNC_CRYPT
    if (wolfAsync_DevOpen(&devId) != 0) {
        fprintf(stderr, "Async device open failed\nRunning without async\n");
    }

    wolfSSL_CTX_UseAsync(ctx, devId);
#endif

/* DONE IN YOUR WORKER LOOP IN WC_PENDING_E CASES AGAINST YOUR WOLFSSL_CTX */
#ifdef WOLFSSL_ASYNC_CRYPT
    int ret;
    WOLF_EVENT* wolfEvents[MAX_WOLF_EVENTS];
    int eventCount, i;

    /* get list of events that are done (not pending) */
    ret = wolfSSL_CTX_AsyncPoll(ctx, wolfEvents, MAX_WOLF_EVENTS, WOLF_POLL_FLAG_CHECK_HW, &eventCount);
    if (ret != 0)
        goto error;

    for (i = 0; i < eventCount; i++) {
        WOLFSSL* ssl = (WOLFSSL*)wolfEvents[i]->context;
        if (ssl) {
            /* your SSL object is ready to be called again */
        }
    }
#endif

/* DONE AT CLEANUP */
#ifdef WOLFSSL_ASYNC_CRYPT
    wolfAsync_DevClose(&devId);
#endif
```

## Benchmarks

* Nitrox V: CNN5560-900-C45
* Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
* CentOS: Kernel 3.10.0-514.16.1.el7.x86_64
* Single Thread

```
./configure --with-cavium-v=../CNN55XX-SDK --enable-asynccrypt --enable-aesni --enable-intelasm --enable-sp --enable-sp-asm CFLAGS="-DWC_NO_ASYNC_THREADING" && make

sudo ./wolfcrypt/benchmark/benchmark

wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
RNG             SW   135 MB took 1.012 seconds,  133.356 MB/s Cycles per byte =  25.69
RNG             HW    85 MB took 1.049 seconds,   81.039 MB/s Cycles per byte =  42.27
AES-128-CBC-enc SW   845 MB took 1.001 seconds,  844.293 MB/s Cycles per byte =   4.06
AES-128-CBC-dec SW  6060 MB took 1.001 seconds, 6055.102 MB/s Cycles per byte =   0.57
AES-192-CBC-enc SW   710 MB took 1.004 seconds,  707.248 MB/s Cycles per byte =   4.84
AES-192-CBC-dec SW  5055 MB took 1.001 seconds, 5050.086 MB/s Cycles per byte =   0.68
AES-256-CBC-enc SW   610 MB took 1.003 seconds,  608.296 MB/s Cycles per byte =   5.63
AES-256-CBC-dec SW  4330 MB took 1.001 seconds, 4326.604 MB/s Cycles per byte =   0.79
AES-128-CBC-enc HW   240 MB took 1.018 seconds,  235.801 MB/s Cycles per byte =  14.53
AES-128-CBC-dec HW   240 MB took 1.011 seconds,  237.312 MB/s Cycles per byte =  14.43
AES-192-CBC-enc HW   220 MB took 1.021 seconds,  215.411 MB/s Cycles per byte =  15.90
AES-192-CBC-dec HW   215 MB took 1.002 seconds,  214.516 MB/s Cycles per byte =  15.97
AES-256-CBC-enc HW   200 MB took 1.016 seconds,  196.910 MB/s Cycles per byte =  17.40
AES-256-CBC-dec HW   200 MB took 1.016 seconds,  196.758 MB/s Cycles per byte =  17.41
AES-128-GCM-enc SW  3095 MB took 1.000 seconds, 3093.571 MB/s Cycles per byte =   1.11
AES-128-GCM-dec SW  3090 MB took 1.001 seconds, 3087.702 MB/s Cycles per byte =   1.11
AES-192-GCM-enc SW  2825 MB took 1.002 seconds, 2820.654 MB/s Cycles per byte =   1.21
AES-192-GCM-dec SW  2815 MB took 1.000 seconds, 2814.153 MB/s Cycles per byte =   1.22
AES-256-GCM-enc SW  2550 MB took 1.001 seconds, 2548.379 MB/s Cycles per byte =   1.34
AES-256-GCM-dec SW  2555 MB took 1.002 seconds, 2550.183 MB/s Cycles per byte =   1.34
AES-128-GCM-enc HW   135 MB took 1.018 seconds,  132.618 MB/s Cycles per byte =  25.83
AES-128-GCM-dec HW   130 MB took 1.022 seconds,  127.202 MB/s Cycles per byte =  26.93
AES-192-GCM-enc HW   135 MB took 1.019 seconds,  132.435 MB/s Cycles per byte =  25.86
AES-192-GCM-dec HW   130 MB took 1.025 seconds,  126.789 MB/s Cycles per byte =  27.02
AES-256-GCM-enc HW   135 MB took 1.019 seconds,  132.418 MB/s Cycles per byte =  25.87
AES-256-GCM-dec HW   130 MB took 1.023 seconds,  127.071 MB/s Cycles per byte =  26.96
CHACHA          SW  3245 MB took 1.001 seconds, 3241.680 MB/s Cycles per byte =   1.06
CHA-POLY        SW  1930 MB took 1.000 seconds, 1929.817 MB/s Cycles per byte =   1.77
MD5             SW   710 MB took 1.005 seconds,  706.678 MB/s Cycles per byte =   4.85
POLY1305        SW  4850 MB took 1.000 seconds, 4849.127 MB/s Cycles per byte =   0.71
SHA             SW   560 MB took 1.008 seconds,  555.558 MB/s Cycles per byte =   6.17
SHA-224         SW   460 MB took 1.002 seconds,  459.021 MB/s Cycles per byte =   7.46
SHA-256         SW   460 MB took 1.002 seconds,  459.013 MB/s Cycles per byte =   7.46
SHA-384         SW   690 MB took 1.002 seconds,  688.368 MB/s Cycles per byte =   4.98
SHA-512         SW   690 MB took 1.002 seconds,  688.414 MB/s Cycles per byte =   4.98
SHA3-224        SW   330 MB took 1.007 seconds,  327.713 MB/s Cycles per byte =  10.45
SHA3-256        SW   310 MB took 1.000 seconds,  309.909 MB/s Cycles per byte =  11.05
SHA3-384        SW   235 MB took 1.007 seconds,  233.355 MB/s Cycles per byte =  14.68
SHA3-512        SW   170 MB took 1.027 seconds,  165.547 MB/s Cycles per byte =  20.69
HMAC-MD5        SW   705 MB took 1.002 seconds,  703.344 MB/s Cycles per byte =   4.87
HMAC-MD5        HW 62670 MB took 1.000 seconds,62666.115 MB/s Cycles per byte =   0.05
HMAC-SHA        SW   555 MB took 1.000 seconds,  554.964 MB/s Cycles per byte =   6.17
HMAC-SHA        HW 62745 MB took 1.000 seconds,62744.312 MB/s Cycles per byte =   0.05
HMAC-SHA224     SW   475 MB took 1.005 seconds,  472.870 MB/s Cycles per byte =   7.24
HMAC-SHA224     HW 62415 MB took 1.000 seconds,62412.262 MB/s Cycles per byte =   0.05
HMAC-SHA256     SW   475 MB took 1.005 seconds,  472.710 MB/s Cycles per byte =   7.25
HMAC-SHA256     HW 63185 MB took 1.000 seconds,63180.255 MB/s Cycles per byte =   0.05
HMAC-SHA384     SW   690 MB took 1.005 seconds,  686.794 MB/s Cycles per byte =   4.99
HMAC-SHA384     HW 62575 MB took 1.000 seconds,62573.195 MB/s Cycles per byte =   0.05
HMAC-SHA512     SW   690 MB took 1.004 seconds,  687.563 MB/s Cycles per byte =   4.98
HMAC-SHA512     HW 62430 MB took 1.000 seconds,62428.497 MB/s Cycles per byte =   0.05
RSA     2048 public    SW   3900 ops took 1.026 sec, avg 0.263 ms, 3801.211 ops/sec
RSA     2048 private   SW    300 ops took 1.035 sec, avg 3.452 ms, 289.722 ops/sec
RSA     2048 public    HW 140900 ops took 1.001 sec, avg 0.007 ms, 140825.228 ops/sec
RSA     2048 private   HW   8300 ops took 1.004 sec, avg 0.121 ms, 8267.789 ops/sec
DH      2048 key gen   SW   1010 ops took 1.004 sec, avg 0.994 ms, 1005.939 ops/sec
DH      2048 agree     SW   1000 ops took 1.005 sec, avg 1.005 ms, 995.404 ops/sec
ECC      256 key gen   SW   1090 ops took 1.001 sec, avg 0.918 ms, 1089.153 ops/sec
ECDHE    256 agree     SW   1400 ops took 1.038 sec, avg 0.742 ms, 1348.211 ops/sec
ECDSA    256 sign      SW   1400 ops took 1.076 sec, avg 0.769 ms, 1300.595 ops/sec
ECDSA    256 verify    SW   1900 ops took 1.016 sec, avg 0.535 ms, 1870.353 ops/sec
ECDHE    256 agree     HW  10500 ops took 1.001 sec, avg 0.095 ms, 10485.383 ops/sec
ECDSA    256 sign      HW  22200 ops took 1.001 sec, avg 0.045 ms, 22169.233 ops/sec
ECDSA    256 verify    HW   7500 ops took 1.012 sec, avg 0.135 ms, 7408.213 ops/sec
```


## Support

For questions or issues email us at support@wolfssl.com.