Re: [openssl-dev] Work on a new RNG for OpenSSL
Great news and congratulations to everyone on landing this work. I see that the RNG is now capable of automatically reseeding itself on fork, which will be a huge win for applications that aren't rigorous about doing so themselves (read: most of them). However, it appears that OPENSSL_INIT_ATFORK is not set as an option when OpenSSL calls OPENSSL_init_crypto. Would it be possible to make this default? This would be a large improvement in terms of protecting applications linking against OpenSSL.

-Paul Kehrer (reaperhulk)

On Mon, Aug 14, 2017 at 10:45 AM, Salz, Rich via openssl-dev wrote:
> Thanks everyone for the discussion (mainly in June) about this. There’s a
> blog post describing what we’ve done for the 1.1.1 release:
> https://www.openssl.org/blog/blog/2017/08/12/random/
>
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
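Why reseeding on fork matters, as an added example that is not part of the original message and is not OpenSSL code: a toy xorshift64 generator stands in for a userspace RNG, and a `pthread_atfork` child handler reseeds it. The names `child_repeats_parent`, `reseed_enabled` and `seed_from_os` are hypothetical, chosen for illustration.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static uint64_t state;      /* toy xorshift64 state, a stand-in for a userspace RNG */
static int reseed_enabled;  /* hypothetical switch so both behaviours can be compared */

static void seed_from_os(void) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&state, sizeof state, 1, f) != 1 || state == 0)
        state = 0x9E3779B97F4A7C15ULL ^ (uint64_t)getpid(); /* demo-only fallback */
    if (f != NULL) fclose(f);
}

static uint64_t next_u64(void) {
    state ^= state << 13; state ^= state >> 7; state ^= state << 17;
    return state;
}

/* Child-side fork handler: runs in the new process before fork() returns there. */
static void atfork_child(void) { if (reseed_enabled) seed_from_os(); }

/* Returns 1 if the child repeated the parent's next output, 0 if not, -1 on error. */
int child_repeats_parent(int reseed) {
    static int registered;
    uint64_t mine, theirs = 0;
    int fds[2];
    pid_t pid;
    if (!registered && pthread_atfork(NULL, NULL, atfork_child) == 0) registered = 1;
    reseed_enabled = reseed;
    seed_from_os();
    if (pipe(fds) != 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                    /* child: draw one value and report it */
        uint64_t v = next_u64();
        _exit(write(fds[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fds[1]);
    mine = next_u64();                 /* parent draws from its own copy of the state */
    ssize_t n = read(fds[0], &theirs, sizeof theirs);
    close(fds[0]); waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof theirs ? (mine == theirs) : -1;
}

int main(void) {
    printf("no reseed: %d, reseed at fork: %d\n", child_repeats_parent(0), child_repeats_parent(1));
    return 0;
}
```

Without the handler the child inherits a byte-for-byte copy of the generator state, so both processes emit the same "random" value; with it, the child starts from fresh OS entropy.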
Re: [openssl-dev] afalg with OpenSSL 1.1.0f 25 May 2017
On 16/08/17 09:00, Jitendra Lulla wrote:
> Hi Matt,
>
> Thanks, I could find that the /usr/include/linux/version.h has #define
> LINUX_VERSION_CODE 199168 for my booted kernel 4.9.37. Which is why I see the
> following warnings also:
>
> gcc -Iinclude -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS
> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2
> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM
> -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM
> -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM
> -DOPENSSLDIR="\"/usr/local/ssl\""
> -DENGINESDIR="\"/usr/local/lib64/engines-1.1\"" -Wall -O3 -pthread -m64
> -DL_ENDIAN -Wa,--noexecstack -fPIC -DOPENSSL_USE_NODELETE -MMD -MF
> engines/afalg/e_afalg.d.tmp -MT engines/afalg/e_afalg.o -c -o
> engines/afalg/e_afalg.o engines/afalg/e_afalg.c
> engines/afalg/e_afalg.c:30:4: warning: #warning "AFALG ENGINE requires Kernel
> Headers >= 4.1.0" [-Wcpp]
> # warning "AFALG ENGINE requires Kernel Headers >= 4.1.0"
> ^
> engines/afalg/e_afalg.c:31:4: warning: #warning "Skipping Compilation of
> AFALG engine" [-Wcpp]
> # warning "Skipping Compilation of AFALG engine"
>
> I will fix this problem now by having proper setup. Will update if I face any
> more issues.

Yes - your kernel headers must be at least at 4.1.0 or better for afalg to work.

Matt

>
> Thanks
> Jitendra
>
> On Wed, 8/16/17, Jitendra Lulla wrote:
>
> Subject: Re: afalg with OpenSSL 1.1.0f 25 May 2017
> To: "openssl-dev@openssl.org", "Matt Caswell"
> Cc: "Jitendra Lulla"
> Date: Wednesday, August 16, 2017, 6:30 AM
>
> Hi Matt,
>
> I have linux 4.9.37 on RHEL7.3.
>
> [root@localhost jlulla]# uname -a
> Linux localhost.localdomain 4.9.37 #1 SMP Fri Jul 21 04:52:46 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@localhost test]# OPENSSL_ENGINES=../engines/afalg ../util/shlib_wrap.sh ./afalgtest
> AFALG not supported - skipping AFALG tests
> PASS
> [root@localhost test]#
>
> I am getting here:
> # if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)
> /*
>  * If we get here then it looks like there is a mismatch between the linux
>  * headers and the actual kernel version, so we have tried to compile with
>  * afalg support, but then skipped it in e_afalg.c. As far as this test is
>  * concerned we behave as if we had been configured without support
>  */
> # define OPENSSL_NO_AFALGENG
> # endif
>
> Following is the value for KERNEL_VERSION for me:
>
> [root@localhost jlulla]# ./kernelversion (program at the bottom of this mail)
> KERNEL_VERSION: 262400
> LINUX_VERSION_CODE 199168
> condition:1
>
> Where should I look to fix it?
>
> Thanks
> Jitendra
>
> [root@localhost jlulla]# cat kernelversion.c
> #define LINUX_VERSION_CODE 199168
> #define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
> #define RHEL_MAJOR 7
> #define RHEL_MINOR 3
> #define RHEL_RELEASE_VERSION(a,b) (((a) << 8) + (b))
> #define RHEL_RELEASE_CODE 1795
> #define RHEL_RELEASE "514"
>
> # define K_MAJ 4
> # define K_MIN1 1
> # define K_MIN2 0
> #include <stdio.h>
>
> int main()
> {
>     printf("KERNEL_VERSION: %d\n", KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2));
>     printf("LINUX_VERSION_CODE %d\n", LINUX_VERSION_CODE);
>     printf("condition:%d\n",
>            (LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)));
> }
>
> On Mon, 8/14/17, Matt Caswell wrote:
>
> Subject: Re: afalg with OpenSSL 1.1.0f 25 May 2017
> To: "openssl-dev@openssl.org"
> Cc: "Jitendra Lulla"
> Date: Monday, August 14, 2017, 3:44 PM
>
> Comments inserted.
>
> On 14/08/17 08:20, Jitendra Lulla wrote:
> > Hi,
> >
> > I am trying to use afalg on Linux 4.9.37 with OpenSSL 1.1.0f.
> >
> > I am facing 2 issues:
> >
> > ONE: when I issue the speed command, I see the following:
> >
> > [root@localhost apps]# ./openssl speed -evp aes-128-cbc -engine afalg
> > invalid engine "afalg"
> > 139853452924736:error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name:crypto/dso/dso_dlfcn.c:178:symname(bind_engine): /usr/local/lib64/engines-1.1/afalg.so: undefined symbol: bind_engine
> > 139853452924736:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:crypto/dso/dso_lib.c:185:
> > 139853452924736:error:260B6068:engine routines:dynamic_load:DSO
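Decoding the two numbers from this thread, as an added example that is not part of the original messages or of OpenSSL: `LINUX_VERSION_CODE` 199168 unpacks to 3.10.0, which is below the 4.1.0 threshold (262400) even though the running kernel reports 4.9.37. The helper names are hypothetical; the comparison is the one quoted from the afalg test above.

```c
#include <stdio.h>

/* Encoding used by <linux/version.h>, as quoted in the thread. */
#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
#define K_MAJ 4
#define K_MIN1 1
#define K_MIN2 0

struct kver { int major, minor, patch; };

/* Unpack a version code: low 8 bits patch, next 8 bits minor, the rest major. */
struct kver decode_version_code(long code) {
    struct kver v = { (int)(code >> 16), (int)((code >> 8) & 0xff), (int)(code & 0xff) };
    return v;
}

/* Encode the leading "a.b.c" of a `uname -r` string; -1 if it does not parse. */
long release_to_code(const char *release) {
    int a, b, c;
    if (sscanf(release, "%d.%d.%d", &a, &b, &c) != 3 || a < 0 || b < 0 || b > 255 || c < 0)
        return -1;
    if (c > 255)
        c = 255;   /* newer kernels clamp the sublevel so it fits in 8 bits */
    return KERNEL_VERSION(a, b, c);
}

/* The condition quoted from the afalg test: nonzero means AFALG is compiled out. */
int afalg_skipped(long headers_code) {
    return headers_code <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2);
}

/* Nonzero when the installed headers do not describe the running kernel. */
int headers_mismatch(long headers_code, const char *running_release) {
    return release_to_code(running_release) != headers_code;
}

int main(void) {
    long headers = 199168;   /* LINUX_VERSION_CODE reported in the thread */
    struct kver v = decode_version_code(headers);
    printf("headers: %d.%d.%d  threshold code: %d\n", v.major, v.minor, v.patch,
           KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2));
    printf("AFALG skipped: %d  header/kernel mismatch: %d\n",
           afalg_skipped(headers), headers_mismatch(headers, "4.9.37"));
    return 0;
}
```

A mismatch result means the build is reading headers from a different kernel than the one booted, which is the situation the `#warning` lines in the build log point at.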
Re: [openssl-dev] afalg with OpenSSL 1.1.0f 25 May 2017
Hi Matt,

Thanks, I could find that the /usr/include/linux/version.h has #define LINUX_VERSION_CODE 199168 for my booted kernel 4.9.37. Which is why I see the following warnings also:

gcc -Iinclude -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib64/engines-1.1\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -fPIC -DOPENSSL_USE_NODELETE -MMD -MF engines/afalg/e_afalg.d.tmp -MT engines/afalg/e_afalg.o -c -o engines/afalg/e_afalg.o engines/afalg/e_afalg.c
engines/afalg/e_afalg.c:30:4: warning: #warning "AFALG ENGINE requires Kernel Headers >= 4.1.0" [-Wcpp]
 # warning "AFALG ENGINE requires Kernel Headers >= 4.1.0"
 ^
engines/afalg/e_afalg.c:31:4: warning: #warning "Skipping Compilation of AFALG engine" [-Wcpp]
 # warning "Skipping Compilation of AFALG engine"

I will fix this problem now by having proper setup. Will update if I face any more issues.

Thanks
Jitendra

On Wed, 8/16/17, Jitendra Lulla wrote:

Subject: Re: afalg with OpenSSL 1.1.0f 25 May 2017
To: "openssl-dev@openssl.org", "Matt Caswell"
Cc: "Jitendra Lulla"
Date: Wednesday, August 16, 2017, 6:30 AM

Hi Matt,

I have linux 4.9.37 on RHEL7.3.

[root@localhost jlulla]# uname -a
Linux localhost.localdomain 4.9.37 #1 SMP Fri Jul 21 04:52:46 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@localhost test]# OPENSSL_ENGINES=../engines/afalg ../util/shlib_wrap.sh ./afalgtest
AFALG not supported - skipping AFALG tests
PASS
[root@localhost test]#

I am getting here:
# if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)
/*
 * If we get here then it looks like there is a mismatch between the linux
 * headers and the actual kernel version, so we have tried to compile with
 * afalg support, but then skipped it in e_afalg.c. As far as this test is
 * concerned we behave as if we had been configured without support
 */
# define OPENSSL_NO_AFALGENG
# endif

Following is the value for KERNEL_VERSION for me:

[root@localhost jlulla]# ./kernelversion (program at the bottom of this mail)
KERNEL_VERSION: 262400
LINUX_VERSION_CODE 199168
condition:1

Where should I look to fix it?

Thanks
Jitendra

[root@localhost jlulla]# cat kernelversion.c
#define LINUX_VERSION_CODE 199168
#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
#define RHEL_MAJOR 7
#define RHEL_MINOR 3
#define RHEL_RELEASE_VERSION(a,b) (((a) << 8) + (b))
#define RHEL_RELEASE_CODE 1795
#define RHEL_RELEASE "514"

# define K_MAJ 4
# define K_MIN1 1
# define K_MIN2 0
#include <stdio.h>

int main()
{
    printf("KERNEL_VERSION: %d\n", KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2));
    printf("LINUX_VERSION_CODE %d\n", LINUX_VERSION_CODE);
    printf("condition:%d\n",
           (LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)));
}

On Mon, 8/14/17, Matt Caswell wrote:

Subject: Re: afalg with OpenSSL 1.1.0f 25 May 2017
To: "openssl-dev@openssl.org"
Cc: "Jitendra Lulla"
Date: Monday, August 14, 2017, 3:44 PM

Comments inserted.

On 14/08/17 08:20, Jitendra Lulla wrote:
> Hi,
>
> I am trying to use afalg on Linux 4.9.37 with OpenSSL 1.1.0f.
>
> I am facing 2 issues:
>
> ONE: when I issue the speed command, I see the following:
>
> [root@localhost apps]# ./openssl speed -evp aes-128-cbc -engine afalg
> invalid engine "afalg"
> 139853452924736:error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name:crypto/dso/dso_dlfcn.c:178:symname(bind_engine): /usr/local/lib64/engines-1.1/afalg.so: undefined symbol: bind_engine
> 139853452924736:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:crypto/dso/dso_lib.c:185:
> 139853452924736:error:260B6068:engine routines:dynamic_load:DSO failure:crypto/engine/eng_dyn.c:427:
> 139853452924736:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:339:id=afalg
> 139853452924736:error:25066067:DS
>
> nm afalg.so doesn't show bind_engine
>

Assuming you have already successfully built OpenSSL using "make", from the "test" subdir of the directory where you downloaded the source, what happens if you execute:

OPENSSL_ENGINES=../engines/afalg ../util/shlib_wrap.sh
Re: [openssl-dev] afalg with OpenSSL 1.1.0f 25 May 2017
Hi Matt,

I have linux 4.9.37 on RHEL7.3.

[root@localhost jlulla]# uname -a
Linux localhost.localdomain 4.9.37 #1 SMP Fri Jul 21 04:52:46 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@localhost test]# OPENSSL_ENGINES=../engines/afalg ../util/shlib_wrap.sh ./afalgtest
AFALG not supported - skipping AFALG tests
PASS
[root@localhost test]#

I am getting here:
# if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)
/*
 * If we get here then it looks like there is a mismatch between the linux
 * headers and the actual kernel version, so we have tried to compile with
 * afalg support, but then skipped it in e_afalg.c. As far as this test is
 * concerned we behave as if we had been configured without support
 */
# define OPENSSL_NO_AFALGENG
# endif

Following is the value for KERNEL_VERSION for me:

[root@localhost jlulla]# ./kernelversion (program at the bottom of this mail)
KERNEL_VERSION: 262400
LINUX_VERSION_CODE 199168
condition:1

Where should I look to fix it?

Thanks
Jitendra

[root@localhost jlulla]# cat kernelversion.c
#define LINUX_VERSION_CODE 199168
#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
#define RHEL_MAJOR 7
#define RHEL_MINOR 3
#define RHEL_RELEASE_VERSION(a,b) (((a) << 8) + (b))
#define RHEL_RELEASE_CODE 1795
#define RHEL_RELEASE "514"

# define K_MAJ 4
# define K_MIN1 1
# define K_MIN2 0
#include <stdio.h>

int main()
{
    printf("KERNEL_VERSION: %d\n", KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2));
    printf("LINUX_VERSION_CODE %d\n", LINUX_VERSION_CODE);
    printf("condition:%d\n",
           (LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)));
}

On Mon, 8/14/17, Matt Caswell wrote:

Subject: Re: afalg with OpenSSL 1.1.0f 25 May 2017
To: "openssl-dev@openssl.org"
Cc: "Jitendra Lulla"
Date: Monday, August 14, 2017, 3:44 PM

Comments inserted.

On 14/08/17 08:20, Jitendra Lulla wrote:
> Hi,
>
> I am trying to use afalg on Linux 4.9.37 with OpenSSL 1.1.0f.
>
> I am facing 2 issues:
>
> ONE: when I issue the speed command, I see the following:
>
> [root@localhost apps]# ./openssl speed -evp aes-128-cbc -engine afalg
> invalid engine "afalg"
> 139853452924736:error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name:crypto/dso/dso_dlfcn.c:178:symname(bind_engine): /usr/local/lib64/engines-1.1/afalg.so: undefined symbol: bind_engine
> 139853452924736:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:crypto/dso/dso_lib.c:185:
> 139853452924736:error:260B6068:engine routines:dynamic_load:DSO failure:crypto/engine/eng_dyn.c:427:
> 139853452924736:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:339:id=afalg
> 139853452924736:error:25066067:DS
>
> nm afalg.so doesn't show bind_engine
>

Assuming you have already successfully built OpenSSL using "make", from the "test" subdir of the directory where you downloaded the source, what happens if you execute:

OPENSSL_ENGINES=../engines/afalg ../util/shlib_wrap.sh ./afalgtest

Another thing to try is (from the top level source dir)

touch engines/afalg/e_afalg.c
make

Check to see if there are any warnings generated during the compilation of the engine.

>
> When I modify the openssl.cnf file with the engine name and the CIPHERS, still I don't get it working. The command output and the change in the openssl.cnf pasted at the end of the mail.
>
> TWO: I had to create a softlink to libcrypto.so.1.1 and libssl.so.1.1 like the following to make openssl command work:
> ln -s /usr/local/lib64/libssl.so.1.1 /lib64/libssl.so.1.1
> ln -s /usr/local/lib64/libcrypto.so.1.1 /lib64/libcrypto.so.1.1
>
> Is creating the softlinks a known issue and will be fixed?

No, this will not be fixed and may not be the most appropriate thing to do on all systems.

Matt

>
> I have pasted the complete information about the OS/distro environment and installation commands I ran at the bottom.
> Could you please suggest what wrong I am doing to make afalg work.
>
> Thanks
> Jitendra Lulla
>
> BEFORE INSTALLATION:
>
> [root@localhost jlulla]# rpm -qa |grep openssl
> openssl-1.0.1e-60.el7.x86_64
> openssl-devel-1.0.1e-60.el7.x86_64
> openssl-libs-1.0.1e-60.el7.x86_64
>
> [root@localhost jlulla]# openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
>
> PLEASE SEE FROM HERE PLEASE SEE FROM HERE PLEASE SEE FROM HERE
>
> STEP 1 : SOURCE TAKEN FROM https://www.openssl.org/source/openssl-1.1.0f.tar.gz 2017-May-25 13:09:51
>
> [root@localhost jlulla]# uname -a
> Linux localhost.localdomain 4.9.37 #1 SMP Fri Jul 21 04:52:46 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@localhost jlulla]#