Re: [openssl-users] sha256 digest support in v102l build missing; present in v110f. missing build flag?

2017-05-30 Thread Wouter Verhelst

On 30-05-17 17:25, Salz, Rich via openssl-users wrote:
>> The results are both functional, but the v102l build is missing
>> sha{224|256|384|512} digests
> 
> Right; those digests are not in 1.0.2

They are, they're just not advertised:

$ openssl version
OpenSSL 1.0.2k  26 Jan 2017
$ openssl help
[...]
Message Digest commands (see the `dgst' command for more details)
md4   md5   mdc2  rmd160
sha   sha1
[...]
$ openssl dgst -sha256 .bash_history
SHA256(.bash_history)= b8f9308c4b9141993b4af1cee6cdffe36339bc2e05c0bf16206f9944f85aa102
$ openssl sha224 .bash_history
SHA224(.bash_history)= a13d7f83a0dc0dcfb6032cb3cd7c4669958a2fb0e01dbb72c95e1d02

etc.

-- 
Wouter Verhelst
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
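
The check this message performs by hand (run the digest instead of trusting the `help` listing), as an added example that is not part of the original thread. The function name `probe_digests` and the list of digests probed are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. probe_digests is a hypothetical name.
# Usage: probe_digests /usr/local/openssl10/bin/openssl

# For each digest, report whether the binary lists it in `help` and whether
# `dgst -<name>` actually works, by hashing empty input from /dev/null.
probe_digests() {
    bin=$1
    # The command list goes to stderr on some releases, so capture both
    # streams and split the columns into one name per line.
    listed=$("$bin" help 2>&1 | tr -s ' \t' '\n\n' || true)
    for alg in md5 sha1 sha224 sha256 sha384 sha512; do
        if "$bin" dgst "-$alg" /dev/null >/dev/null 2>&1; then
            works=yes
        else
            works=no
        fi
        if printf '%s\n' "$listed" | grep -qx "$alg"; then
            shown=yes
        else
            shown=no
        fi
        printf '%s listed=%s works=%s\n' "$alg" "$shown" "$works"
    done
}

probe_digests "${1:-openssl}"
```

A line such as `sha256 listed=no works=yes` is the 1.0.2 situation described in this thread: the digest is compiled in but absent from the help text.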


Re: [openssl-users] Cannot find SSL_CTX_get0_param in libssl library

2017-05-30 Thread Jakob Bohm

On 28/05/2017 23:31, Salz, Rich via openssl-users wrote:

The openssl program will use the wrong libssl.so and libcrypto.so.

Yes, got it.

But that's small potatoes compared to everyone else finding the wrong shared library, and 
just saying "use rpath" doesn't help all those others.

Change the /usr/lib/libssl.so symlink to point to libssl.so.1.1,
not libssl.so.1.0 while compiling with OpenSSL 1.1.x headers.

Ditto for libcrypto.so.

Alternatively, place such symlinks in the lib directory that is
next to the include directory with OpenSSL 1.1.x headers.

This should cause the resulting programs to refer to the right
so-name (libssl.so.1.1 etc.) and thus either load the right
library generation (1.1.x) or report that it isn't installed on
the local library path (typically, /lib/, /usr/lib/ and
/usr/local/lib/ in some system dependent order).

After all, this is the whole point of the versioned .so file names.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] sha256 digest support in v102l build missing; present in v110f. missing build flag?

2017-05-30 Thread PGNet Dev

On 5/30/17 9:01 AM, Jakob Bohm wrote:

Actually, in my testing of earlier 1.0.x releases, sha256 etc. are
only missing from the help message, they are actually there, also as
commands.


On 5/30/17 9:14 AM, Salz, Rich wrote:
>> Then I've misunderstood the presence of the "-DSHA256_ASM" flag.
>>
>> What's it specifically used for?
>
> To remind me to double-check my answers? :(
>
> Sorry, they are present.  The difference is that the help message in
> 1.0.2 isn't complete.  Did you try the commands directly?


Well,

touch /tmp/test.txt
/usr/local/openssl10/bin/openssl dgst -sha256 /tmp/test.txt
SHA256(/tmp/test.txt)= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

/usr/local/openssl11/bin/openssl dgst -sha256 /tmp/test.txt
SHA256(/tmp/test.txt)= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855


NOW I have!

See? THAT'S what you get when you waste time RTFM-ing! ;-)

Thanks.


Re: [openssl-users] sha256 digest support in v102l build missing; present in v110f. missing build flag?

2017-05-30 Thread Salz, Rich via openssl-users
> Then I've misunderstood the presence of the "-DSHA256_ASM" flag.
> 
> What's it specifically used for?

To remind me to double-check my answers? :(

Sorry, they are present.  The difference is that the help message in 1.0.2 
isn't complete.  Did you try the commands directly?


Re: [openssl-users] OpenSSL and RPATH's

2017-05-30 Thread PGNet Dev

The only reason why you would ever want to use RPATH with OpenSSL is
because you need to install a particular old version of libssl (or
libcrypto) that has the same SONAME as the system-default, but where you
don't want to use that system-default one -- but why would you want to
do that? Security updates are a good thing, usually.


On 5/30/17 8:58 AM, Jakob Bohm wrote:
> On 29/05/2017 16:39, Wouter Verhelst wrote:
>> ...
>> The only reason why you would ever want to use RPATH with OpenSSL is
...

Well, 'different strokes' to be sure ...

but, here, especially with lots of apps still not at all v110 
compatible, or at best broken in their attempts, having local builds of 
both v110x and v102x is extremely useful -- and RPATH'ing makes that 
trivially manageable.


My $.02.


Re: [openssl-users] sha256 digest support in v102l build missing; present in v110f. missing build flag?

2017-05-30 Thread Jakob Bohm

On 30/05/2017 17:20, PGNet Dev wrote:

I'm building separate local instances of latest OpenSSL v1.1.0 & v1.0.2 on
linux64, to keep not-yet-v110-compliant apps happy.

The results are both functional, but the v102l build is missing 
sha{224|256|384|512} digests

v 1.0.2l
/usr/local/openssl10/bin/openssl version
OpenSSL 1.0.2l  26 Jan 2017
/usr/local/openssl10/bin/openssl version -f
compiler: /usr/bin/gcc-7 -I. -I.. -I../include  -fPIC 
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
-D_GNU_SOURCE -DOPENSSL_NO_BUF_FREELISTS -DOPENSSL_NO_HEARTBEAT -DPURIFY 
-DSSL_FORBID_ENULL -DTERMIO -Wa,--noexecstack -Wall -fno-common 
-Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM 
-DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
/usr/local/openssl10/bin/openssl help
...
Message Digest commands (see the `dgst' command for more details)
md4   md5   rmd160   sha
sha1
...
ldd /usr/local/openssl10/bin/openssl | egrep 'lib(ssl|crypto)'
libssl.so.1.0.0 => /usr/local/openssl10/lib64/libssl.so.1.0.0 (0x7f1619534000)
libcrypto.so.1.0.0 => /usr/local/openssl10/lib64/libcrypto.so.1.0.0 (0x7f16190aa000)

Actually, in my testing of earlier 1.0.x releases, sha256 etc. are
only missing from the help message, they are actually there, also as
commands.


v 1.1.0f
/usr/local/openssl11/bin/openssl version
OpenSSL 1.1.0f  25 May 2017
/usr/local/openssl11/bin/openssl version -f
/usr/local/openssl11/bin/openssl version -f
compiler: /usr/bin/gcc-7 -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS 
-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
-DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSL_API_COMPAT=0x1010L -D_GNU_SOURCE 
-DOPENSSL_NO_BUF_FREELISTS -DOPENSSL_NO_HEARTBEAT -DPURIFY -DSSL_FORBID_ENULL -DTERMIO 
-DOPENSSLDIR="\"/usr/local/openssl11\"" 
-DENGINESDIR="\"/usr/local/openssl11/lib64/engines-1.1\""  -Wa,--noexecstack -Wall -fno-common 
-Wa,--noexecstack
/usr/local/openssl11/bin/openssl help
...
Message Digest commands (see the `dgst' command for more details)
blake2b512   blake2s256   gost   md4
md5   rmd160   sha1   sha224
sha256   sha384   sha512
...
ldd /usr/local/openssl11/bin/openssl | egrep 'lib(ssl|crypto)'
libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x7fc9c70f4000)
libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x7fc9c6c48000)


The "-DSHA256_ASM" flag is present for the 102l build.  Is there an additional,
specific flag required to enable the higher bit-depth digests for v102l that I've missed?



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] OpenSSL and RPATH's (was: Cannot find SSL_CTX_get0_param in libssl library)

2017-05-30 Thread Jakob Bohm

On 29/05/2017 16:39, Wouter Verhelst wrote:

...
The only reason why you would ever want to use RPATH with OpenSSL is
because you need to install a particular old version of libssl (or
libcrypto) that has the same SONAME as the system-default, but where you
don't want to use that system-default one -- but why would you want to
do that? Security updates are a good thing, usually.

There is another, converse case: If the system comes with a (patched)
old version of the OpenSSL libraries (for example, Debian 7 comes with
a patched OpenSSL 1.0.1 that ensures 100% compatibility with programs
compiled against version 1.0.1t headers), then you may also need a
special SO name or RPATH to link locally compiled software against the
latest 1.0.x release, rather than 1.0.1 .


RPATH support is nice for corner cases, but it should not be the
default, ever.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
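
An added example, not part of the original thread, for the so-name and RPATH points made in these messages: it reads `readelf -d` output and shows which libssl/libcrypto generation a binary asks for and which directories its RPATH or RUNPATH pins it to. The function names, the labels `default`/`private`/`relative` and the sample input are assumptions of this example; `default` means one of the usual library directories named earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and labels are hypothetical.
# Real use: readelf -d /path/to/binary | audit_dynamic

# Reads `readelf -d` output on stdin; prints the libssl/libcrypto so-names the
# binary asks for and classifies every RPATH/RUNPATH directory.
audit_dynamic() {
    awk '
    # Text between the first [ and ] of a readelf -d line
    function bracket(s,  a, b) {
        a = index(s, "["); b = index(s, "]")
        return substr(s, a + 1, b - a - 1)
    }
    /\(NEEDED\)/ {
        lib = bracket($0)
        if (lib ~ /^lib(ssl|crypto)\.so/) print "NEEDED " lib
    }
    /\((RPATH|RUNPATH)\)/ {
        tag = ($0 ~ /\(RPATH\)/) ? "RPATH" : "RUNPATH"
        n = split(bracket($0), dirs, ":")
        for (i = 1; i <= n; i++) {
            d = dirs[i]
            if (d ~ /^\/(usr\/(local\/)?)?lib(64)?\/?$/)
                kind = "default"   # one of the usual library directories
            else if (d ~ /^(\/|[$]ORIGIN|[$][{]ORIGIN[}])/)
                kind = "private"   # pinned copy that must be patched by hand
            else
                kind = "relative"  # resolved against the current directory
            print tag " " (d == "" ? "(empty)" : d) " " kind
        }
    }'
}

# Constructed sample of `readelf -d` output for a binary built against the
# 1.1.0 tree from the thread, with a stray relative entry in its RUNPATH.
sample_readelf() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/local/openssl11/lib64:lib]
EOF
}

sample_readelf | audit_dynamic
```

A `private` entry is the trade-off discussed above: the binary keeps loading that copy of the library even after the system package is updated. A `relative` entry should be treated as a build error.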



Re: [openssl-users] sha256 digest support in v102l build missing; present in v110f. missing build flag?

2017-05-30 Thread PGNet Dev

On 5/30/17 8:25 AM, Salz, Rich wrote:

The results are both functional, but the v102l build is missing
sha{224|256|384|512} digests


Right; those digests are not in 1.0.2



Then I've misunderstood the presence of the "-DSHA256_ASM" flag.

What's it specifically used for?


Re: [openssl-users] sha256 digest support in v102l build missing; present in v110f. missing build flag?

2017-05-30 Thread Salz, Rich via openssl-users
> The results are both functional, but the v102l build is missing
> sha{224|256|384|512} digests

Right; those digests are not in 1.0.2



[openssl-users] sha256 digest support in v102l build missing; present in v110f. missing build flag?

2017-05-30 Thread PGNet Dev
I'm building separate local instances of latest OpenSSL v1.1.0 & v1.0.2 on
linux64, to keep not-yet-v110-compliant apps happy.

The results are both functional, but the v102l build is missing 
sha{224|256|384|512} digests

v 1.0.2l
/usr/local/openssl10/bin/openssl version
OpenSSL 1.0.2l  26 Jan 2017
/usr/local/openssl10/bin/openssl version -f
compiler: /usr/bin/gcc-7 -I. -I.. -I../include  -fPIC 
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
-D_GNU_SOURCE -DOPENSSL_NO_BUF_FREELISTS -DOPENSSL_NO_HEARTBEAT -DPURIFY 
-DSSL_FORBID_ENULL -DTERMIO -Wa,--noexecstack -Wall -fno-common 
-Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM 
-DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
/usr/local/openssl10/bin/openssl help
...
Message Digest commands (see the `dgst' command for more details)
md4   md5   rmd160   sha
sha1
...
ldd /usr/local/openssl10/bin/openssl | egrep 'lib(ssl|crypto)'
libssl.so.1.0.0 => /usr/local/openssl10/lib64/libssl.so.1.0.0 (0x7f1619534000)
libcrypto.so.1.0.0 => /usr/local/openssl10/lib64/libcrypto.so.1.0.0 (0x7f16190aa000)

v 1.1.0f
/usr/local/openssl11/bin/openssl version
OpenSSL 1.1.0f  25 May 2017
/usr/local/openssl11/bin/openssl version -f
/usr/local/openssl11/bin/openssl version -f
compiler: /usr/bin/gcc-7 -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG 
-DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
-DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM 
-DOPENSSL_API_COMPAT=0x1010L -D_GNU_SOURCE -DOPENSSL_NO_BUF_FREELISTS 
-DOPENSSL_NO_HEARTBEAT -DPURIFY -DSSL_FORBID_ENULL -DTERMIO 
-DOPENSSLDIR="\"/usr/local/openssl11\"" 
-DENGINESDIR="\"/usr/local/openssl11/lib64/engines-1.1\""  -Wa,--noexecstack 
-Wall -fno-common -Wa,--noexecstack
/usr/local/openssl11/bin/openssl help
...
Message Digest commands (see the `dgst' command for more details)
blake2b512   blake2s256   gost   md4
md5   rmd160   sha1   sha224
sha256   sha384   sha512
...
ldd /usr/local/openssl11/bin/openssl | egrep 'lib(ssl|crypto)'
libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x7fc9c70f4000)
libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x7fc9c6c48000)


The "-DSHA256_ASM" flag is present for the 102l build.  Is there an additional,
specific flag required to enable the higher bit-depth digests for v102l that
I've missed?
