AW: AW: Performance Issue With OpenSSL 1.1.1c
Yay, there are some controversial discussions taking place on https://github.com/openssl/openssl/issues/9078 It would be great if you could join us and provide more details about the circumstances of your issue. In particular, information like kernel/os version and whether the significant startup delay is encountered only at early boot time or also when you start the daemon manually when the system is up and running. Matthias
debugging a make/dependency issue
I am importing some code into openssl and getting a strange build error: make[1]: *** No rule to make target 'crypto/bn/crypto/include.o', needed by 'libcrypto.a'. Stop. Any common ideas on what to look for (e.g., missing header file, wrong INCLUDE settings in build.info, etc) ?
Re: AW: Performance Issue With OpenSSL 1.1.1c
Hi, I opened an issue on GitHub to discuss this problem in more detail. https://github.com/openssl/openssl/issues/9078 It would be nice if you could join the discussion there. Matthias @Jay: in particular I'm interested to learn, which linux version and distribution you were using. On newer systems, `getentropy()` should be the method of choice, because it does not share the deficiencies of the `/dev/urandom` device. On 30.05.19 02:11, Dr. Matthias St. Pierre wrote: To workaround the /dev/random blocking issue, you can just add: -DDEVRANDOM="\"/dev/urandom\"" as a parameter to ./Configure This will remove the special handling of /dev/urandom and /dev/random in 1.1.1c. Tomáš, Jay, I'm afraid this suggestion won't help, because `DEVRANDOM_WAIT` is defined unconditionally in e_os.h: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1c/e_os.h#L30-L34 This means that the select() call will happen on linux independently of what `DEVRANDOM` is defined to be: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1c/crypto/rand/rand_unix.c#L509-L535 I think that pull request #8251 needs to be reconsidered. Give me one day or two, I'll create a GitHub issue for that and post the link here when it's ready. Matthias
Re: Signing using EVP_PKEY_encrypt when using pkcs11 engine
On Mon, Jun 3, 2019 at 4:35 PM Martin Townsend wrote:
>
> Hi,
>
> I'm trying to modify the evm/ima utility so that it can use a HSM to
> perform signing. I've setup SoftHSM and used this to create a
> certificate with an RSA public key pair. The evmctl code creates the
> hash and then calls a function to perform the sign operation which
> ends up calling
> len = RSA_private_encrypt(size + asn1->size, buf, hdr->sig,
> key, RSA_PKCS1_PADDING);
>
> My idea was to keep the hash calculation as is, and replace the
> RSA_private_encrypt with code that uses the private key in the HSM to
> encrypt the hash buffer that has been calculated.
>
> My initialisation looks like this
> /* Load the configuration using OPENSSL_CONF environment variable */
> OPENSSL_config(NULL);
> /* Try and load PKCS11 engine */
> const char* s = getenv("OPENSSL_CONF");
> printf("Trying to load pkcs#11 engine\n");
> printf("OPENSSL_CONF=%s\n", s);
> pkcs_engine = ENGINE_by_id("pkcs11");
> if (!pkcs_engine) {
> printf("PKCS#11 engine not found, not using HSM\n");
> } else {
> int rv = ENGINE_init(pkcs_engine);
>
> if (!rv) {
> fprintf(stderr, "PKCS#11 could not be initialised\n");
> ENGINE_free(pkcs_engine);
> pkcs_engine = NULL;
> }
>
> ENGINE_set_default(pkcs_engine, ENGINE_METHOD_ALL);
> }
>
> OpenSSL_add_all_algorithms();
> OpenSSL_add_all_digests();
> ERR_load_crypto_strings();
>
> and then I load the private key with
>
> key = ENGINE_load_private_key(pkcs_engine, keyid, UI_OpenSSL(), NULL);
> if (!key) {
> log_err("%s: Failed to load private key with id: %s\n", keyid,
> __func__);
> ERR_print_errors_fp(stderr);
> }
>
>
> and then use the following to perform the encryption
>
> /* Create context */
> hsm_key_ctx = EVP_PKEY_CTX_new(hsm_key, NULL);
> if (hsm_key_ctx == NULL) {
> log_err("sign_hash_v2: failed to create context\n");
> ERR_print_errors_fp(stderr);
> return -1;
> }
> rv = EVP_PKEY_encrypt_init(hsm_key_ctx);
> if (rv <= 0) {
> log_err("sign_hash_v2: failed to init encrypt (rv=%d\n", rv);
> ERR_print_errors_fp(stderr);
> EVP_PKEY_CTX_free(hsm_key_ctx);
> return -1;
> }
> /* TODO: What padding??? RSA_PKCS1_PSS_PADDING?? */
> rv = EVP_PKEY_CTX_set_rsa_padding(hsm_key_ctx, RSA_PKCS1_PADDING);
> if (rv <= 0) {
> log_err("sign_hash_v2: failed to set RSA_PKCS1_PADDING
> (rv=%d\n", rv);
> ERR_print_errors_fp(stderr);
> EVP_PKEY_CTX_free(hsm_key_ctx);
> return -1;
> }
> if (rv <= 0) {
> log_err("sign_hash_v2: failed to set RSA_PKCS1_PADDING
> (rv=%d\n", rv);
> ERR_print_errors_fp(stderr);
> EVP_PKEY_CTX_free(hsm_key_ctx);
> return -1;
> }
>
> /* Create signature */
> outlen = 0;
> rv = EVP_PKEY_encrypt(hsm_key_ctx, NULL, , buf, size +
> asn1->size);
> if ((rv <= 0) || (outlen == 0)) {
> log_err("sign_hash_v2: failed to learn needed output buf
> len (rv=%d)\n", rv);
> ERR_print_errors_fp(stderr);
> EVP_PKEY_CTX_free(hsm_key_ctx);
> return -1;
> }
> /*outlen = 256;*/
> log_info("EVP_PKEY_encrypt: outlen: %lu\n", outlen);
> rv = EVP_PKEY_encrypt(hsm_key_ctx, hdr->sig, , buf,
> size + asn1->size);
> if (rv <= 0) {
> log_err("sign_hash_v2: EVP_PKEY_encrypt() failed (rv=%d)\n", rv);
> ERR_print_errors_fp(stderr);
> EVP_PKEY_CTX_free(hsm_key_ctx);
> return -1;
> }
>
> But I find that when I create a signature for a particular file it's
> always different with each invocation of the utility. If I try and
> verify it using the associated public key I get:
>
> RSA_public_decrypt() failed: -1
> errno: No data available (61)
> error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not
> 01
> error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
>
> Is there something I am missing in my code above? I tried setting the
> Engine in EVP_PKEY_CTX_new but get:
> sign_hash_v2: failed to create context
> 140174165591744:error:260C0065:engine
> routines:ENGINE_get_pkey_meth:unimplemented public key
> method:tb_pkmeth.c:128:
> 140174165591744:error:0609D09C:digital envelope
> routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:166:
> errno: Invalid argument (22)
>
> Any help appreciated,
> Martin.
I switched over to using the Cryptoki API of SoftHSMv2 and encryption
using the private key isn't allowed (I get
CKR_KEY_FUNCTION_NOT_PERMITTED error as I'm guessing the CKA_ENCRYPT
flag isn't set) which makes sense as you don't usually encrypt with a
private key but this means that I can't do what I wanted with
Fw: Building openssl outside of the source tree" doesn't work well
Dear, Please help check this. I attached the config dump in previous email. Thanks, Wenbin - Forwarded Message - From: dengwenbin_0301 Date: 05/27/2019 14:24 To: Richard Levitte Subject: Re:Re: Fw:Re:Re: Building openssl outside of the source tree" doesn't work well Sorry, the previously attached dump might too large to send out successfully. I copied it directly here. Command line (with current working directory = .): /usr/bin/perl ../Configure linux-x86_64 Perl information: /usr/bin/perl 5.22.1 for x86_64-linux-gnu-thread-multi Enabled features: afalgeng aria asm async autoalginit autoerrinit autoload-config bf blake2 camellia capieng cast chacha cmac cms comp crmf ct deprecated des dgram dh dsa dtls dynamic-engine ec ec2m ecdh ecdsa engine err filenames fips gost idea legacy makedepend md4 mdc2 module multiblock nextprotoneg pinshared ocb ocsp padlockeng pic poly1305 posix-io psk rc2 rc4 rdrand rfc3779 rmd160 scrypt seed shared siphash siv sm2 sm3 sm4 sock srp srtp sse2 ssl static-engine stdio tests threads tls ts ui-console whirlpool tls1 tls1-method tls1_1 tls1_1-method tls1_2 tls1_2-method tls1_3 dtls1 dtls1-method dtls1_2 dtls1_2-method Disabled features: ktls[default] OPENSSL_NO_KTLS asan[default] OPENSSL_NO_ASAN buildtest-c++ [default] crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG crypto-mdebug-backtrace [default] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE devcryptoeng[default] OPENSSL_NO_DEVCRYPTOENG ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 egd [default] OPENSSL_NO_EGD external-tests [default] OPENSSL_NO_EXTERNAL_TESTS fuzz-libfuzzer [default] OPENSSL_NO_FUZZ_LIBFUZZER fuzz-afl[default] OPENSSL_NO_FUZZ_AFL md2 [default] OPENSSL_NO_MD2 (skip crypto/md2) msan[default] OPENSSL_NO_MSAN rc5 [default] OPENSSL_NO_RC5 (skip crypto/rc5) sctp[default] OPENSSL_NO_SCTP ssl-trace [default] OPENSSL_NO_SSL_TRACE trace [default] OPENSSL_NO_TRACE ubsan [default] OPENSSL_NO_UBSAN unit-test [default] OPENSSL_NO_UNIT_TEST weak-ssl-ciphers[default] OPENSSL_NO_WEAK_SSL_CIPHERS zlib[default] zlib-dynamic[default] ssl3[default] OPENSSL_NO_SSL3 ssl3-method [default] OPENSSL_NO_SSL3_METHOD Config target attributes: AR => "ar", ARFLAGS => "r", CC => "gcc", CFLAGS => "-Wall -O3", CXX => "g++", CXXFLAGS => "-Wall -O3", HASHBANGPERL => "/usr/bin/env perl", RANLIB => "ranlib", RC => "windres", aes_asm_src => "aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s", aes_obj => "aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o", apps_aux_src => "", apps_init_src => "", apps_obj => "", bf_asm_src => "bf_enc.c", bf_obj => "bf_enc.o", bn_asm_src => "asm/x86_64-gcc.c x86_64-mont.s x86_64-mont5.s x86_64-gf2m.s rsaz_exp.c rsaz-x86_64.s rsaz-avx2.s", bn_obj => "asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o", bn_ops => "SIXTY_FOUR_BIT_LONG", build_file => "Makefile", build_scheme => [ "unified", "unix" ], cast_asm_src => "c_enc.c", cast_obj => "c_enc.o", cflags => "-pthread -m64", chacha_asm_src => "chacha-x86_64.s", chacha_obj => "chacha-x86_64.o", cmll_asm_src => "cmll-x86_64.s cmll_misc.c", cmll_obj => "cmll-x86_64.o cmll_misc.o", cppflags => "", cpuid_asm_src => "x86_64cpuid.s", cpuid_obj => "x86_64cpuid.o", cxxflags => "-std=c++11 -pthread -m64", defines => [ ], des_asm_src => "des_enc.c fcrypt_b.c", des_obj => "des_enc.o fcrypt_b.o", disable => [ ], dso_ldflags => "-z defs", dso_scheme => "dlfcn", ec_asm_src => "ecp_nistz256.c ecp_nistz256-x86_64.s x25519-x86_64.s", ec_obj => "ecp_nistz256.o ecp_nistz256-x86_64.o x25519-x86_64.o", enable => [ "afalgeng" ], ex_libs => "-ldl -pthread", includes => [ ], keccak1600_asm_src => "keccak1600-x86_64.s", keccak1600_obj => "keccak1600-x86_64.o", lflags => "", lib_cflags => "", lib_cppflags => "-DOPENSSL_USE_NODELETE -DL_ENDIAN", lib_defines => [ ], md5_asm_src =>
Re: Dyanmic engine for OpenSSL 1.1.1b
You built with the no-shared option. None of these are errors, they just aren’t supported without shared library support. As for the linking, the difference is a single (larger) executable or a smaller executable plus a shared library. If lots of applications use the same shared library, there is a space saving. Pauli -- Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia > On 4 Jun 2019, at 6:30 pm, shiva kumar wrote: > > Hi, > when I am performing make test while building OpenSSL 1.1.1b I got error as : > > ../test/recipes/70-test_sslcbcpadding.t skipped: > test_sslcbcpadding needs the dynamic engine feature enabled > ../test/recipes/70-test_sslcertstatus.t skipped: > test_sslcertstatus needs the dynamic engine feature enabled > ../test/recipes/70-test_sslextension.t . skipped: > test_sslextension needs the dynamic engine feature enabled > ../test/recipes/70-test_sslmessages.t .. skipped: > test_sslmessages needs the dynamic engine feature enabled > ../test/recipes/70-test_sslrecords.t ... skipped: test_sslrecords > needs the dynamic engine feature enabled > ../test/recipes/70-test_sslsessiontick.t ... skipped: > test_sslsessiontick needs the dynamic engine feature enabled > > what is meant by enabling dynamic engine feature ? > can anyone please explain me ? > > I also got as > ../test/recipes/90-test_shlibload.t skipped: Test only > supported in a shared build > > is they any problem if I create a no-shared build ? > how is the linking works in no-shared build comapred to shared build ? > please explain me. > > Thanks and Regards > Shivakumar
Dyanmic engine for OpenSSL 1.1.1b
Hi, when I am performing make test while building OpenSSL 1.1.1b I got error as : ../test/recipes/70-test_sslcbcpadding.t skipped: test_sslcbcpadding needs the dynamic engine feature enabled ../test/recipes/70-test_sslcertstatus.t skipped: test_sslcertstatus needs the dynamic engine feature enabled ../test/recipes/70-test_sslextension.t . skipped: test_sslextension needs the dynamic engine feature enabled ../test/recipes/70-test_sslmessages.t .. skipped: test_sslmessages needs the dynamic engine feature enabled ../test/recipes/70-test_sslrecords.t ... skipped: test_sslrecords needs the dynamic engine feature enabled ../test/recipes/70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs the dynamic engine feature enabled what is meant by enabling dynamic engine feature ? can anyone please explain me ? I also got as ../test/recipes/90-test_shlibload.t skipped: Test only supported in a shared build is they any problem if I create a n*o-shared* build ? how is the linking works in *no-shared* build comapred to shared build ? please explain me. Thanks and Regards Shivakumar
