[Bug 1605511] Re: openssl engine error if trying to exploit hw crypto on z due to library issue
Frank Heimes
1605511 at bugs.launchpad.net
Mon Nov 14 18:49:22 UTC 2016
Being curious I tried "openssl-ibmca_1.3.0-0ubuntu3_s390x.deb" on yakkety and xenial, too.
It looks good - the error message is gone.
(Even if I do not yet know how to interpret 'built on: reproducible build, date unspecified'...)
Yakkety:
========
>>> openssl-ibmca prior to (1.3.0-0ubuntu3):
ubuntu at s1lp14:~$ openssl speed -evp des-ede3-cbc
Doing des-ede3-cbc for 3s on 16 size blocks: 23686887 des-ede3-cbc's in 2.99s
Doing des-ede3-cbc for 3s on 64 size blocks: 16020848 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 256 size blocks: 6971169 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 1024 size blocks: 2154635 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 8192 size blocks: 287230 des-ede3-cbc's in 3.00s
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,char) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN -g -O2 -fdebug-prefix-map=/build/openssl-tmX0Mb/openssl-1.0.2g=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DAES_CTR_ASM -DAES_XTS_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des-ede3-cbc 126752.57k 341778.09k 594873.09k 735448.75k 784329.39k
4396106589840:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4396106589840:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4396106589840:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4396106589840:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
>>> openssl-ibmca (1.3.0-0ubuntu3):
ubuntu at s1lp14:~$ sudo dpkg -i ./openssl-ibmca_1.3.0-0ubuntu3_s390x.deb
(Reading database ... 91267 files and directories currently installed.)
Preparing to unpack .../openssl-ibmca_1.3.0-0ubuntu3_s390x.deb ...
Unpacking openssl-ibmca (1.3.0-0ubuntu3) over (1.3.0-0ubuntu3) ...
Setting up openssl-ibmca (1.3.0-0ubuntu3) ...
Processing triggers for man-db (2.7.5-1) ...
ubuntu at s1lp14:~$ openssl speed -evp des-ede3-cbc
Doing des-ede3-cbc for 3s on 16 size blocks: 24062744 des-ede3-cbc's in 2.99s
Doing des-ede3-cbc for 3s on 64 size blocks: 16179261 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 256 size blocks: 7044115 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 1024 size blocks: 2157283 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 8192 size blocks: 287455 des-ede3-cbc's in 3.00s
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,char) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN -g -O2 -fdebug-prefix-map=/build/openssl-tmX0Mb/openssl-1.0.2g=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DAES_CTR_ASM -DAES_XTS_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des-ede3-cbc 128763.85k 345157.57k 601097.81k 736352.60k 784943.79k
ubuntu at s1lp14:~$ openssl engine -c ibmca
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH, RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
[just checking that 'libica-dev' is really not installed]
ubuntu at s1lp14:~$ dpkg -l | grep libica
ii libica-utils 2.6.1-3 s390x hardware cryptography support for Linux on z Systems (utils)
ii libica2:s390x 2.6.1-3 s390x hardware cryptography support for IBM System z hardware
ii openssl-ibmca 1.3.0-0ubuntu3 s390x libica based hardware acceleration engine for OpenSSL
ubuntu at s1lp14:~$ dpkg -l libica-dev
dpkg-query: no packages found matching libica-dev
ubuntu at s1lp14:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
ubuntu at s1lp14:~$ openssl engine -c ibmca
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH, RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
ubuntu at s1lp14:~$
Xenial:
=======
>>> openssl-ibmca prior to (1.3.0-0ubuntu3):
ubuntu at s1lp15:~$ dpkg -l | grep -i libica
ii libica-utils 2.6.1-1ubuntu2 s390x hardware cryptography support for Linux on z Systems (utils)
ii libica2:s390x 2.6.1-1ubuntu2 s390x hardware cryptography support for IBM System z hardware
ii openssl-ibmca 1.3.0-0ubuntu2 s390x libica based hardware acceleration engine for OpenSSL
ubuntu at s1lp15:~$ dpkg -l libica-dev
dpkg-query: no packages found matching libica-dev
ubuntu at s1lp15:~$ openssl engine
(dynamic) Dynamic engine loading support
ubuntu at s1lp15:~$ openssl engine -c ibmca
(ibmca) Ibmca hardware engine support
4396323653264:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4396323653264:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4396323653264:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
ubuntu at s1lp15:~$ openssl speed -evp des-ede3-cbc
Doing des-ede3-cbc for 3s on 16 size blocks: 5485748 des-ede3-cbc's in 2.99s
Doing des-ede3-cbc for 3s on 64 size blocks: 1407600 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 256 size blocks: 353674 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 1024 size blocks: 88576 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 8192 size blocks: 11080 des-ede3-cbc's in 3.00s
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,char) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DAES_CTR_ASM -DAES_XTS_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des-ede3-cbc 29355.17k 30028.80k 30180.18k 30233.94k 30255.79k
>>> openssl-ibmca (1.3.0-0ubuntu3):
ubuntu at s1lp15:~$ sudo dpkg -i ./openssl-ibmca_1.3.0-0ubuntu3_s390x.deb
[sudo] password for ubuntu:
(Reading database ... 99020 files and directories currently installed.)
Preparing to unpack .../openssl-ibmca_1.3.0-0ubuntu3_s390x.deb ...
Unpacking openssl-ibmca (1.3.0-0ubuntu3) over (1.3.0-0ubuntu2) ...
Setting up openssl-ibmca (1.3.0-0ubuntu3) ...
Processing triggers for man-db (2.7.5-1) ...
ubuntu at s1lp15:~$ openssl engine
(dynamic) Dynamic engine loading support
ubuntu at s1lp15:~$ openssl engine -c ibmca
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH, RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
ubuntu at s1lp15:~$ openssl speed -evp des-ede3-cbc
Doing des-ede3-cbc for 3s on 16 size blocks: 5487833 des-ede3-cbc's in 2.99s
Doing des-ede3-cbc for 3s on 64 size blocks: 1407538 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 256 size blocks: 353808 des-ede3-cbc's in 2.99s
Doing des-ede3-cbc for 3s on 1024 size blocks: 88594 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 8192 size blocks: 11082 des-ede3-cbc's in 3.00s
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,char) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DAES_CTR_ASM -DAES_XTS_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des-ede3-cbc 29366.33k 30027.48k 30292.59k 30240.09k 30261.25k
ubuntu at s1lp15:~$
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1605511
Title:
openssl engine error if trying to exploit hw crypto on z due to
library issue
Status in libica package in Ubuntu:
Invalid
Status in openssl package in Ubuntu:
Invalid
Status in openssl-ibmca package in Ubuntu:
Fix Released
Status in libica source package in Xenial:
Invalid
Status in openssl source package in Xenial:
Invalid
Status in openssl-ibmca source package in Xenial:
In Progress
Status in libica source package in Yakkety:
Invalid
Status in openssl source package in Yakkety:
Invalid
Status in openssl-ibmca source package in Yakkety:
In Progress
Bug description:
[Testcase]
* configure ibmca engine as per below instructions
* execute openssl engine -c -vvvv
* it should complete without any loading errors
openssl-ibmca usually requires libica2 and libica-utils for proper functioning and all required tooling (like icainfo, icastats, etc.)
But after the installation of these packages and the configuration, with is like this:
sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
sudo vi /etc/ssl/openssl.cnf
adding the following line as the first active one:
openssl_conf = openssl_def
and removing or commenting all other occurrences of that line in the config file
and saving and closing the openssl.cnf file
this output of the openssl engine command is expected:
$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
or even more precise these chiphers should be listed in case of "-c":
$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
But instead openssl is giving this error, due to a missing "libica.so":
$ openssl engine
Error configuring OpenSSL
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=ibmca_section, name=init, value=1
4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1
$
There is no libica.so that is shipped with any of the above packages (verified with dpkg -l) or otherwise available in the filesystem:
$ sudo find / -name "libica.so" 2>/dev/null
ubuntu at HWE0001:~$
But there is a different verison of that libica:
$ sudo find / -name "*libica.so*" 2>/dev/null
/usr/lib/s390x-linux-gnu/libica.so.2
/usr/lib/s390x-linux-gnu/libica.so.2.6.1
$
So there are right now two workarounds:
1)
creating a (symbolic) link from libica.so.2 to libica.so, like
$ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so
that allows openssl to find a library named 'libica.so':
18:15:00: frank.heimes at canonical.com: ubuntu at HWE0001:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
But this could lead to issues in case of any potential functions or interface changes there we introduced with libica.so.2
2)
installation of the "libica-dev" package that provides a (development) version of libica.so:
$ dpkg -L libica-dev | grep libica.so
/usr/lib/s390x-linux-gnu/libica.so
$
But the hardware crypto exploitation should work out of the box w/o
the link or the libica-dev package.
Either libica.so should be shipped (in addition to libica.so.2) with
the proper dependency to openssl-ibmca - openssh-ibmca should make use
of libica2 instead of libica.so.2...
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libica/+bug/1605511/+subscriptions
More information about the foundations-bugs
mailing list