Hi all,

For the simple smoke test, on AArch64 for AmazonLinux2 (OpenSSL 1.0.2k) and
Ubuntu 20.04 (OpenSSL 1.1.1f) everything loads ok with the current Jar that
Gary posted.

-Geoff

AL2 output:
java -cp commons-crypto-1.1.0-20200824.190246-21.jar
org.apache.commons.crypto.Crypto
Apache Commons Crypto 1.1.0-SNAPSHOT
Native code loaded OK: 1.1.0-SNAPSHOT
Native name: Apache Commons Crypto
Native built: Aug 18 2020
OpenSSL library loaded OK, version: 0x100020bf
OpenSSL library info: OpenSSL 1.0.2k-fips  26 Jan 2017
Random instance created OK:
org.apache.commons.crypto.random.OpenSslCryptoRandom@54bedef2
Cipher AES/CTR/NoPadding instance created OK:
org.apache.commons.crypto.cipher.OpenSslCipher@13221655
Additional OpenSSL_version(n) details:
1: not available
2: compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT
-DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-Wa,--noexecstack -DPURIFY -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
3: built on: reproducible build, date unspecified
4: platform: linux-aarch64
5: OPENSSLDIR: "/etc/pki/tls"

Ubuntu output:
java -cp commons-crypto-1.1.0-20200824.190246-21.jar
org.apache.commons.crypto.Crypto
Apache Commons Crypto 1.1.0-SNAPSHOT
Native code loaded OK: 1.1.0-SNAPSHOT
Native name: Apache Commons Crypto
Native built: Aug 18 2020
OpenSSL library loaded OK, version: 0x1010106f
OpenSSL library info: OpenSSL 1.1.1f  31 Mar 2020
Random instance created OK:
org.apache.commons.crypto.random.OpenSslCryptoRandom@65b54208
Cipher AES/CTR/NoPadding instance created OK:
org.apache.commons.crypto.cipher.OpenSslCipher@119d7047
Additional OpenSSL_version(n) details:
1: compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack
-g -O2 -fdebug-prefix-map=/build/openssl-9j6sUa/openssl-1.1.1f=.
-fstack-protector-strong -Wformat -Werror=format-security
-DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC
-DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM
-DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
2: built on: Mon Apr 20 11:53:50 2020 UTC
3: platform: debian-arm64
4: OPENSSLDIR: "/usr/lib/ssl"
5: ENGINESDIR: "/usr/lib/aarch64-linux-gnu/engines-1.1"

On Thu, Aug 27, 2020 at 10:05 PM Matt Sicker <boa...@gmail.com> wrote:

> For a library with as many vulnerabilities as OpenSSL, I’m surprised macOS
> keeps such an ancient version! It’s not like they ship a trimmed down and
> audited version of LibreSSL, either.
>
> On Thu, Aug 27, 2020 at 20:19 Gary Gregory <garydgreg...@gmail.com> wrote:
>
> > The issue for me is that it was a PITA to override macos' baked in
> >
> > (ancient) LibreSSL.
> >
> >
> >
> > Gary
> >
> >
> >
> > On Thu, Aug 27, 2020, 20:03 Alex Remily <alex.rem...@gmail.com> wrote:
> >
> >
> >
> > > Interesting.  If I understand correctly, you did get it to run
> >
> > > successfully to completion, but only after placing a compatible
> >
> > > libcrypto in the directory of execution, probably the first place
> >
> > > dlopen looks for it.  Would you agree then that the error was caused
> >
> > > by loading an incompatible libcrypto?  I'm inclined to think this is a
> >
> > > configuration issue that should be well documented, as opposed to one
> >
> > > that should be addressed through code.  Like you, I also tried setting
> >
> > > the LD_LIBRARY_PATH environment variable with no success.  I was able
> >
> > > to symlink the libcrypto in the usr/local/lib directory, though, which
> >
> > > fixed the issue, but I agree this is a limitation.  A user should be
> >
> > > able to run more than one instance of libcrypto on the same host.  I'm
> >
> > > unsure as to the best way to proceed.
> >
> > >
> >
> > >
> >
> > > On Thu, Aug 27, 2020 at 6:41 PM Gary Gregory <garydgreg...@gmail.com>
> >
> > > wrote:
> >
> > > >
> >
> > > > On Mon, Aug 24, 2020 at 7:28 PM Alex Remily <alex.rem...@gmail.com>
> >
> > > wrote:
> >
> > > >
> >
> > > > > Gary,
> >
> > > > >
> >
> > > > > Can you check that your libcrypto.dylib is symlinked to the
> libcrypto
> >
> > > > > for OpenSSL 1.1.1.g?  Mine wasn't, and I was getting different
> output
> >
> > > > > from the main function than from the unit test output.  I'm not
> >
> > > > > confident that this is the root of the problem, but it may at least
> >
> > > > > eliminate a possibility.
> >
> > > > >
> >
> > > > > On my machine I had to set /usr/local/lib/libcrypto.dylib -->
> >
> > > > > /usr/local/Cellar/openssl@1.1/1.1.1g/lib/libcrypto.1.1.dylib.  The
> > JNI
> >
> > > > > libraries use dlopen to find and load libcrypto, and dlopen looks
> for
> >
> > > > >
> >
> > > >
> >
> > > > That did not work for me. The only thing that works is copying the
> > dylib
> >
> > > > file to the current dir. Hack!
> >
> > > >
> >
> > > > Gary
> >
> > > >
> >
> > > >
> >
> > > > > it in /usr/local/lib/, among other places.
> >
> > > > >
> >
> > > > >
> >
> > > > >
> >
> > >
> >
> https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/dlopen.3.html
> >
> > > > >
> >
> > > > > If that doesn't work I'm going to need to step through the code.
> My
> >
> > > > > output:
> >
> > > > >
> >
> > > > > WARNING in native method: JNI call made without checking exceptions
> >
> > > > > when required to from CallStaticObjectMethod
> >
> > > > > WARNING in native method: JNI call made without checking exceptions
> >
> > > > > when required to from CallObjectMethod
> >
> > > > > Apache Commons Crypto 1.1.0-SNAPSHOT
> >
> > > > > Native code loaded OK 1.1.0-SNAPSHOT
> >
> > > > > Native Name Apache Commons Crypto
> >
> > > > > Native Built Aug 24 2020
> >
> > > > > OpenSSL library loaded OK, version: 0x1010107f
> >
> > > > > OpenSSL library info OpenSSL 1.1.1g  21 Apr 2020
> >
> > > > > Random instance created OK
> >
> > > > > Cipher instance created OK
> >
> > > > > Additional OpenSSL_version(n) details:
> >
> > > > > 1: compiler: clang -fPIC -arch x86_64 -O3 -Wall -DL_ENDIAN
> >
> > > > > -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2
> >
> > > > > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
> >
> > > > > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM
> >
> > > > > -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
> >
> > > > > -DX25519_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG
> >
> > > > > 2: built on: Tue Apr 21 13:29:43 2020 UTC
> >
> > > > > 3: platform: darwin64-x86_64-cc
> >
> > > > > 4: OPENSSLDIR: "/usr/local/etc/openssl@1.1"
> >
> > > > > 5: ENGINESDIR: "/usr/local/Cellar/openssl@1.1
> > /1.1.1g/lib/engines-1.1"
> >
> > > > >
> >
> > > > > Alex
> >
> > > > >
> >
> > > > > On Sun, Aug 23, 2020 at 9:50 PM Gary Gregory <
> garydgreg...@gmail.com
> > >
> >
> > > > > wrote:
> >
> > > > > >
> >
> > > > > > I do have LibreSSL but I used homebrew to install OpenSSL 1.1.1g
> >
> > > which I
> >
> > > > > > put first on the PATH. Maybe something is off in my setup...
> >
> > > > > >
> >
> > > > > > Gary
> >
> > > > > >
> >
> > > > > > On Sun, Aug 23, 2020, 21:46 Alex Remily <alex.rem...@gmail.com>
> >
> > > wrote:
> >
> > > > > >
> >
> > > > > > > Gary,
> >
> > > > > > >
> >
> > > > > > > I'll have a look.  I did the 1.1 support stuff and I'm familiar
> >
> > > with
> >
> > > > > > > that class and that error, although I don't recall seeing that
> >
> > > > > > > specific error in that class.  The JNI libraries check the
> > OpenSSL
> >
> > > > > > > version at runtime, but maybe a compile time dependency got
> >
> > > through.
> >
> > > > > > >
> >
> > > > > > > Out of curiosity, I assume you also have LibreSSL installed?  I
> >
> > > have
> >
> > > > > > > > run into issues on my Mac with which libcrypto gets loaded by
> the
> >
> > > JNI
> >
> > > > > > > libraries during the dlsym.  I wonder if the runtime is
> referring
> >
> > > to
> >
> > > > > > > one version and the JNI library is loading another.
> >
> > > > > > >
> >
> > > > > > > Anyway, I'll poke around and see what I can figure out.  I'll
> try
> >
> > > to
> >
> > > > > > > get to it with the rest of the testing this week.
> >
> > > > > > >
> >
> > > > > > > Alex
> >
> > > > > > >
> >
> > > > > > > On Sun, Aug 23, 2020 at 11:18 AM Gary Gregory <
> >
> > > garydgreg...@gmail.com>
> >
> > > > > > > wrote:
> >
> > > > > > > >
> >
> > > > > > > > > I'm wondering if anyone can confirm the following issue and/or
> > help
> >
> > > > > explain
> >
> > > > > > > > it, on MacOS 10.15.6 with OpenSSL 1.1.1g, running:
> >
> > > > > > > >
> >
> > > > > > > > mvn package
> >
> > > > > > > >
> >
> > > > > > > > then:
> >
> > > > > > > >
> >
> > > > > > > > java -Xdiag -Xcheck:jni -cp target/classes
> >
> > > > > > > > -Dcommons.crypto.lib.tempdir=target/
> >
> > > org.apache.commons.crypto.Crypto
> >
> > > > > > > > WARNING in native method: JNI call made without checking
> >
> > > exceptions
> >
> > > > > when
> >
> > > > > > > > required to from CallStaticObjectMethod
> >
> > > > > > > > WARNING in native method: JNI call made without checking
> >
> > > exceptions
> >
> > > > > when
> >
> > > > > > > > required to from CallObjectMethod
> >
> > > > > > > > Apache Commons Crypto 1.1.0-SNAPSHOT
> >
> > > > > > > > Native code loaded OK: 1.1.0-SNAPSHOT
> >
> > > > > > > > Native name: Apache Commons Crypto
> >
> > > > > > > > Native built: Aug 22 2020
> >
> > > > > > > > Exception in thread "main" java.lang.UnsatisfiedLinkError:
> >
> > > > > > > OpenSSL_version
> >
> > > > > > > >   at
> org.apache.commons.crypto.OpenSslInfoNative.OpenSSL(Native
> >
> > > > > Method)
> >
> > > > > > > >   at org.apache.commons.crypto.Crypto.main(Crypto.java:144)
> >
> > > > > > > >
> >
> > > > > > > > I wonder if we have issues on 1.1.x vs 1.0.x.
> >
> > > > > > > >
> >
> > > > > > > > My versions:
> >
> > > > > > > >
> >
> > > > > > > > openssl version
> >
> > > > > > > > OpenSSL 1.1.1g  21 Apr 2020
> >
> > > > > > > >
> >
> > > > > > > > mvn -version
> >
> > > > > > > > Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
> >
> > > > > > > > Maven home: /opt/apache-maven-3.6.3
> >
> > > > > > > > Java version: 1.8.0_265, vendor: AdoptOpenJDK, runtime:
> >
> > > > > > > >
> >
> > > > >
> > /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre
> >
> > > > > > > > Default locale: en_US, platform encoding: UTF-8
> >
> > > > > > > > OS name: "mac os x", version: "10.15.6", arch: "x86_64",
> > family:
> >
> > > > > "mac"
> >
> > > > > > > >
> >
> > > > > > > > Thank you,
> >
> > > > > > > > Gary
> >
> > > > > > > >
> >
> > > > > > > >
> >
> > > > > > > > On Sat, Aug 22, 2020 at 7:48 PM Gary Gregory <
> >
> > > garydgreg...@gmail.com
> >
> > > > > >
> >
> > > > > > > wrote:
> >
> > > > > > > >
> >
> > > > > > > > > Hi all,
> >
> > > > > > > > >
> >
> > > > > > > > > > I intend to create a release candidate for Commons Crypto
> >
> > > soon.
> >
> > > > > > > > >
> >
> > > > > > > > > I pushed a snapshot today which contains native binaries
> for
> >
> > > > > Windows 32
> >
> > > > > > > > > and 64, Linux 32 and 64, Mac 64, and ARM and ARM HF.
> >
> > > > > > > > >
> >
> > > > > > > > > > Please help test these on whatever platforms you may
> have
> >
> > > > > access to.
> >
> > > > > > > > >
> >
> > > > > > > > > Gary
> >
> > > > > > > > >
> >
> > > > > > > > >
> >
> > > > > > > > >
> >
> > > > > > >
> >
> > > > > > >
> >
> > > ---------------------------------------------------------------------
> >
> > > > > > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >
> > > > > > > For additional commands, e-mail: dev-h...@commons.apache.org
> >
> > > > > > >
> >
> > > > > > >
> >
> > > > >
> >
> > > > >
> > > > >
> >
> > > > >
> >
> > >
> >
> > >
> >
> > >
> >
> > --
> Matt Sicker <boa...@gmail.com>
>
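
Added example, not part of the original thread and not Commons Crypto code: a small diagnostic for the problem discussed above, where dlopen picks up a libcrypto other than the intended one and `OpenSSL_version` cannot be resolved. It decodes the version numbers printed in the thread and probes a libcrypto given by explicit path; the names `decode_version`, `version_symbols` and `probe` and the host labels are assumptions made for this sketch.

```python
import ctypes
import sys

# Version numbers copied from the "OpenSSL library loaded OK" lines in the thread.
THREAD_VERSIONS = {"AL2": 0x100020BF, "Ubuntu": 0x1010106F, "macOS": 0x1010107F}

def decode_version(num):
    """Render an OPENSSL_VERSION_NUMBER as text, e.g. 0x100020bf -> '1.0.2k'."""
    major, minor = (num >> 28) & 0xF, (num >> 20) & 0xFF
    fix, patch = (num >> 12) & 0xFF, (num >> 4) & 0xFF
    if major >= 3:  # OpenSSL 3.x layout is 0xMNN00PP0
        return f"{major}.{minor}.{patch}"
    # 1.0.x and 1.1.x layout is 0xMNNFFPPS; patch 1..26 is the letter a..z
    letter = chr(ord("a") + patch - 1) if 1 <= patch <= 26 else ""
    return f"{major}.{minor}.{fix}{letter}"

def version_symbols(num):
    """Version functions an OpenSSL release with this number exports."""
    # Applies to OpenSSL only; LibreSSL uses its own numbering.
    if num >= 0x10100000:
        return ("OpenSSL_version_num", "OpenSSL_version")
    return ("SSLeay", "SSLeay_version")

def probe(path):
    """Load one libcrypto by explicit path; None if it cannot be loaded."""
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    report = {"path": path, "api": None, "version": None,
              "has_OpenSSL_version": hasattr(lib, "OpenSSL_version")}
    for name in ("OpenSSL_version_num", "SSLeay"):
        if hasattr(lib, name):
            fn = getattr(lib, name)
            fn.restype = ctypes.c_ulong
            report["api"], report["version"] = name, decode_version(fn())
            break
    return report

if __name__ == "__main__":
    for host, num in THREAD_VERSIONS.items():
        print(host, decode_version(num), version_symbols(num))
    for candidate in sys.argv[1:]:  # e.g. each libcrypto found on the host
        print(probe(candidate))
```

Passing each candidate libcrypto path on the command line shows which ones lack `OpenSSL_version`, which is the symbol named in the `UnsatisfiedLinkError` above.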
