Re: [openssl-dev] Work on a new RNG for OpenSSL

2017-08-16 Thread Paul Kehrer
Great news and congratulations to everyone on landing this work.

I see that the RNG is now capable of automatically reseeding itself on
fork, which will be a huge win for applications that aren't rigorous
about doing so themselves (read: most of them). However, it appears
that OPENSSL_INIT_ATFORK is not set as an option when OpenSSL calls
OPENSSL_init_crypto. Would it be possible to make this default? This
would be a large improvement in terms of protecting applications
linking against OpenSSL.

-Paul Kehrer (reaperhulk)

On Mon, Aug 14, 2017 at 10:45 AM, Salz, Rich via openssl-dev wrote:
> Thanks everyone for the discussion (mainly in June) about this.  There’s a
> blog post describing what we’ve done for the 1.1.1 release:
> https://www.openssl.org/blog/blog/2017/08/12/random/
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
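
The hazard that fork-time reseeding addresses, as an added example that is not part of the original post and is not OpenSSL code: a generator whose state is copied by fork() emits the same value in parent and child until a child-side `pthread_atfork` handler mixes in fresh entropy. The toy generator, the seed and all function names are assumptions made for illustration.

```c
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static uint64_t state;  /* toy PRNG state (not OpenSSL code); fork() copies it */
static uint64_t toy_next(void)              /* 64-bit LCG, NOT cryptographic */
{
    return state = state * 6364136223846793005ULL + 1442695040888963407ULL;
}

/* Child-side fork handler: mix fresh kernel entropy into the copied state. */
static void reseed_in_child(void)
{
    uint64_t fresh = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0 || read(fd, &fresh, sizeof fresh) != (ssize_t)sizeof fresh)
        _exit(2);                           /* fail closed, never reuse state */
    close(fd);
    state ^= fresh;
}

static int outputs_collide_after_fork(void) /* 1 = same next value in both */
{
    int fd[2];
    uint64_t child_val = 0, v;
    pid_t pid;
    state = 0x9E3779B97F4A7C15ULL;          /* constructed seed, set pre-fork */
    if (pipe(fd) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                         /* child reports its next output */
        v = toy_next();
        _exit(write(fd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &child_val, sizeof child_val);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof child_val ? toy_next() == child_val : -1;
}

int main(void)
{
    int before = outputs_collide_after_fork();
    pthread_atfork(NULL, NULL, reseed_in_child);
    printf("collide: %d then %d\n", before, outputs_collide_after_fork());
    return 0;
}
```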


Re: [openssl-dev] afalg with OpenSSL 1.1.0f 25 May 2017

2017-08-16 Thread Matt Caswell


On 16/08/17 09:00, Jitendra Lulla wrote:
> Hi Matt,
> 
> Thanks, I could find that the /usr/include/linux/version.h has #define 
> LINUX_VERSION_CODE 199168 for my booted kernel 4.9.37. Which is why I see the 
> following warnings also:
> 
> gcc  -Iinclude -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS 
> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 
> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
> -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM 
> -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM 
> -DOPENSSLDIR="\"/usr/local/ssl\"" 
> -DENGINESDIR="\"/usr/local/lib64/engines-1.1\"" -Wall -O3 -pthread -m64 
> -DL_ENDIAN  -Wa,--noexecstack -fPIC -DOPENSSL_USE_NODELETE -MMD -MF 
> engines/afalg/e_afalg.d.tmp -MT engines/afalg/e_afalg.o -c -o 
> engines/afalg/e_afalg.o engines/afalg/e_afalg.c
> engines/afalg/e_afalg.c:30:4: warning: #warning "AFALG ENGINE requires Kernel 
> Headers >= 4.1.0" [-Wcpp]
>  #  warning "AFALG ENGINE requires Kernel Headers >= 4.1.0"
> ^
> engines/afalg/e_afalg.c:31:4: warning: #warning "Skipping Compilation of 
> AFALG engine" [-Wcpp]
>  #  warning "Skipping Compilation of AFALG engine"
> 
> 
> I will fix this problem now by having proper setup. Will update if I face any 
> more issues.


Yes - your kernel headers must be at least at 4.1.0 or better for afalg
to work.

Matt
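
The version codes quoted in this thread, decoded (an added example, not part of the original mails and not OpenSSL code): 199168 corresponds to 3.10.0 headers, which fail the 4.1.0 check even though the running kernel is 4.9.37. The helper names are hypothetical; the constants and the `<=` comparison are the ones quoted in the thread.

```c
/* Added example, not OpenSSL code: decode the version codes from the thread. */
#include <stdio.h>
#include <sys/utsname.h>

#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
#define AFALG_MIN KERNEL_VERSION(4, 1, 0)   /* K_MAJ, K_MIN1, K_MIN2 */
struct kver { int major, minor, patch; };

static struct kver decode_code(int code)    /* inverse of KERNEL_VERSION() */
{
    struct kver v = { code >> 16, (code >> 8) & 0xff, code & 0xff };
    return v;
}

/* "4.9.37" -> version code, or -1 if the string does not parse. */
static int release_to_code(const char *release)
{
    int a, b, c;
    if (sscanf(release, "%d.%d.%d", &a, &b, &c) != 3)
        return -1;
    if (c > 255) c = 255;   /* a larger sublevel would spill into the minor */
    return KERNEL_VERSION(a, b, c);
}

/* Mirrors the quoted "# if LINUX_VERSION_CODE <= KERNEL_VERSION(...)" test;
 * with "<=", headers of exactly 4.1.0 are skipped as well. */
static int afalg_skipped(int header_code)
{
    return header_code <= AFALG_MIN;
}

/* 1 if the build headers are older than the kernel named by `release`. */
static int headers_older_than(int header_code, const char *release)
{
    int running = release_to_code(release);
    return running >= 0 && header_code < running;
}

int main(void)
{
    struct utsname u;
    struct kver h = decode_code(199168);    /* LINUX_VERSION_CODE in the post */
    printf("headers %d.%d.%d, afalg skipped: %d\n",
           h.major, h.minor, h.patch, afalg_skipped(199168));
    if (uname(&u) == 0)
        printf("running %s, headers older: %d\n",
               u.release, headers_older_than(199168, u.release));
    return 0;
}
```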



Re: [openssl-dev] afalg with OpenSSL 1.1.0f 25 May 2017

2017-08-16 Thread Jitendra Lulla via openssl-dev
Hi Matt,

Thanks, I could find that the /usr/include/linux/version.h has #define 
LINUX_VERSION_CODE 199168 for my booted kernel 4.9.37. Which is why I see the 
following warnings also:

gcc  -Iinclude -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS 
-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
-DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM 
-DOPENSSLDIR="\"/usr/local/ssl\"" 
-DENGINESDIR="\"/usr/local/lib64/engines-1.1\"" -Wall -O3 -pthread -m64 
-DL_ENDIAN  -Wa,--noexecstack -fPIC -DOPENSSL_USE_NODELETE -MMD -MF 
engines/afalg/e_afalg.d.tmp -MT engines/afalg/e_afalg.o -c -o 
engines/afalg/e_afalg.o engines/afalg/e_afalg.c
engines/afalg/e_afalg.c:30:4: warning: #warning "AFALG ENGINE requires Kernel 
Headers >= 4.1.0" [-Wcpp]
 #  warning "AFALG ENGINE requires Kernel Headers >= 4.1.0"
^
engines/afalg/e_afalg.c:31:4: warning: #warning "Skipping Compilation of AFALG 
engine" [-Wcpp]
 #  warning "Skipping Compilation of AFALG engine"


I will fix this problem now by having proper setup. Will update if I face any 
more issues.

Thanks
Jitendra






Re: [openssl-dev] afalg with OpenSSL 1.1.0f 25 May 2017

2017-08-16 Thread Jitendra Lulla via openssl-dev
Hi Matt,


I have linux 4.9.37 on RHEL7.3.
[root@localhost jlulla]# uname -a
Linux localhost.localdomain 4.9.37 #1 SMP Fri Jul 21 04:52:46 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux


[root@localhost test]# OPENSSL_ENGINES=../engines/afalg ../util/shlib_wrap.sh ./afalgtest
AFALG not supported - skipping AFALG tests
PASS
[root@localhost test]#


I am getting here:
# if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)
/*
 * If we get here then it looks like there is a mismatch between the linux
 * headers and the actual kernel version, so we have tried to compile with
 * afalg support, but then skipped it in e_afalg.c. As far as this test is
 * concerned we behave as if we had been configured without support
 */
#  define OPENSSL_NO_AFALGENG 
# endif


Following is the value for KERNEL_VERSION for me:

[root@localhost jlulla]# ./kernelversion (program at the bottom of this mail)
KERNEL_VERSION: 262400
LINUX_VERSION_CODE 199168
condition:1


Where should I look to fix it?

Thanks
Jitendra


[root@localhost jlulla]# cat kernelversion.c
#define LINUX_VERSION_CODE 199168
#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
#define RHEL_MAJOR 7
#define RHEL_MINOR 3
#define RHEL_RELEASE_VERSION(a,b) (((a) << 8) + (b))
#define RHEL_RELEASE_CODE 1795
#define RHEL_RELEASE "514"

# define K_MAJ   4
# define K_MIN1  1
# define K_MIN2  0
#include <stdio.h>

int main()
{
    printf("KERNEL_VERSION: %d\n", KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2));
    printf("LINUX_VERSION_CODE %d\n", LINUX_VERSION_CODE);
    printf("condition:%d\n",
           (LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)));
    return 0;
}




On Mon, 8/14/17, Matt Caswell  wrote:

 Subject: Re: afalg with OpenSSL 1.1.0f 25 May 2017
 To: "openssl-dev@openssl.org" 
 Cc: "Jitendra Lulla" 
 Date: Monday, August 14, 2017, 3:44 PM
 
 Comments inserted.
 
 On 14/08/17 08:20, Jitendra Lulla wrote:
 > Hi,
 >
 > I am trying to use afalg on Linux 4.9.37 with OpenSSL 1.1.0f.
 >
 > I am facing 2 issues:
 >
 > ONE: when I issue the speed command, I see the following:
 >
 > [root@localhost apps]# ./openssl speed -evp aes-128-cbc -engine afalg
 > invalid engine "afalg"
 > 139853452924736:error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name:crypto/dso/dso_dlfcn.c:178:symname(bind_engine): /usr/local/lib64/engines-1.1/afalg.so: undefined symbol: bind_engine
 > 139853452924736:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:crypto/dso/dso_lib.c:185:
 > 139853452924736:error:260B6068:engine routines:dynamic_load:DSO failure:crypto/engine/eng_dyn.c:427:
 > 139853452924736:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:339:id=afalg
 > 139853452924736:error:25066067:DS
 >
 >
 > nm afalg.so doesn't show bind_engine
 >
 Assuming you have already successfully built OpenSSL using "make", from
 the "test" subdir of the directory where you downloaded the source, what
 happens if you execute:

 OPENSSL_ENGINES=../engines/afalg ../util/shlib_wrap.sh ./afalgtest

 Another thing to try is (from the top level source dir)

 touch engines/afalg/e_afalg.c
 make

 Check to see if there are any warnings generated during the compilation of
 the engine.

 >
 > When I modify the openssl.cnf file with the engine name and the CIPHERS, still I don't get it working. The command output and the change in the openssl.cnf pasted at the end of the mail.
 >
 >
 > TWO: I had to create a softlink to libcrypto.so.1.1 and libssl.so.1.1 like the following to make openssl command work:
 > ln -s /usr/local/lib64/libssl.so.1.1 /lib64/libssl.so.1.1
 > ln -s /usr/local/lib64/libcrypto.so.1.1 /lib64/libcrypto.so.1.1
 >
 > Is creating the softlinks a known issue and will be fixed?
 No, this will not be fixed and may not be the most appropriate thing to
 do on all systems.


 Matt


 >
 > I have pasted the complete information about the OS/distro environment and installation commands I ran at the bottom.
 > Could you please suggest what wrong I am doing to make afalg work.
 >
 > Thanks
 > Jitendra Lulla
 >
 >
 > BEFORE INSTALLATION:
 >
 > [root@localhost jlulla]# rpm -qa  |grep openssl
 > openssl-1.0.1e-60.el7.x86_64
 > openssl-devel-1.0.1e-60.el7.x86_64
 > openssl-libs-1.0.1e-60.el7.x86_64
 >
 > [root@localhost jlulla]# openssl version
 > OpenSSL 1.0.1e-fips 11 Feb 2013
 >
 >
 > PLEASE SEE FROM HERE PLEASE SEE FROM HERE PLEASE SEE FROM HERE
 >
 > STEP 1 : SOURCE TAKEN FROM https://www.openssl.org/source/openssl-1.1.0f.tar.gz 2017-May-25 13:09:51
 >
 > [root@localhost jlulla]# uname -a
 > Linux localhost.localdomain 4.9.37 #1 SMP Fri Jul 21 04:52:46 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux
 >
 > [root@localhost jlulla]#