[Bug 1605511] Re: openssl engine error if trying to exploit hw crypto on z due to library issue
Frank Heimes
1605511 at bugs.launchpad.net
Fri Nov 18 20:50:00 UTC 2016
Yep, both work for me - in Xenial and Yakkety:
Xenial:
-------
ubuntu at s1lp14:~$ sudo apt-cache policy openssl-ibmca
openssl-ibmca:
Installed: (none)
Candidate: 1.3.0-0ubuntu2.16.04.1
Version table:
1.3.0-0ubuntu2.16.04.1 500
500 http://ports.ubuntu.com xenial-proposed/universe s390x Packages
1.3.0-0ubuntu2 500
500 http://ports.ubuntu.com xenial/universe s390x Packages
ubuntu at s1lp14:~$
ubuntu at s1lp14:~$ sudo apt --yes install openssl-ibmca libica-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libica2
The following NEW packages will be installed:
libica-utils libica2 openssl-ibmca
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 92.3 kB of archives.
After this operation, 333 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com xenial/universe s390x libica2 s390x 2.6.1-3 [60.0 kB]
Get:2 http://ports.ubuntu.com xenial/universe s390x libica-utils s390x 2.6.1-3 [15.2 kB]
Get:3 http://ports.ubuntu.com xenial-proposed/universe s390x openssl-ibmca s390x 1.3.0-0ubuntu2.16.10.1 [17.1 kB]
Fetched 92.3 kB in 0s (287 kB/s)
Selecting previously unselected package libica2:s390x.
(Reading database ... 44591 files and directories currently installed.)
Preparing to unpack .../0-libica2_2.6.1-3_s390x.deb ...
Unpacking libica2:s390x (2.6.1-3) ...
Selecting previously unselected package libica-utils.
Preparing to unpack .../1-libica-utils_2.6.1-3_s390x.deb ...
Unpacking libica-utils (2.6.1-3) ...
Selecting previously unselected package openssl-ibmca.
Preparing to unpack .../2-openssl-ibmca_1.3.0-0ubuntu2.16.10.1_s390x.deb ...
Unpacking openssl-ibmca (1.3.0-0ubuntu2.16.10.1) ...
Processing triggers for libc-bin (2.24-3ubuntu2) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libica2:s390x (2.6.1-3) ...
Setting up openssl-ibmca (1.3.0-0ubuntu2.16.10.1) ...
Setting up libica-utils (2.6.1-3) ...
Processing triggers for libc-bin (2.24-3ubuntu2) ...
ubuntu at s1lp14:~$
ubuntu at s1lp14:~$ sudo apt-cache policy openssl-ibmca
openssl-ibmca:
Installed: 1.3.0-0ubuntu2.16.04.1
Candidate: 1.3.0-0ubuntu2.16.04.1
Version table:
*** 1.3.0-0ubuntu2.16.04.1 500
500 http://ports.ubuntu.com xenial-proposed/universe s390x Packages
100 /var/lib/dpkg/status
1.3.0-0ubuntu2 500
500 http://ports.ubuntu.com xenial/universe s390x Packages
ubuntu at s1lp14:~$
ubuntu at s1lp14:~$ sudo cp -p /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf_`date +%Y%m%d`.backup
ubuntu at s1lp14:~$ ls -la /etc/ssl/openssl.cnf*
-rw-r--r-- 1 root root 10835 Nov 18 15:28 /etc/ssl/openssl.cnf
-rw-r--r-- 1 root root 10835 Sep 23 08:22 /etc/ssl/openssl.cnf_20161118.backup
ubuntu at s1lp14:~$
ubuntu at s1lp14:~$ sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
...
ubuntu at s1lp14:~$ ls -la /etc/ssl/openssl.cnf*
-rw-r--r-- 1 root root 12251 Nov 18 15:33 /etc/ssl/openssl.cnf
-rw-r--r-- 1 root root 10835 Sep 23 08:22 /etc/ssl/openssl.cnf_20161118.backup
ubuntu at s1lp14:~$
ubuntu at s1lp14:~$ sudo vi /etc/ssl/openssl.cnf
357: openssl_conf = openssl_def
=>
357: # openssl_conf = openssl_def
and insert:
10: openssl_conf = openssl_def
ubuntu at s1lp14:~$ sudo systemctl reload-or-restart sshd.service
ubuntu at s1lp14:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
ubuntu at s1lp14:~$
ubuntu at s1lp14:~$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
ubuntu at s1lp14:~$
ubuntu at s1lp14:~$ openssl engine -c -vvvv
(dynamic) Dynamic engine loading support
SO_PATH: Specifies the path to the new ENGINE shared library
(input flags): STRING
NO_VCHECK: Specifies to continue even if version checking fails (boolean)
(input flags): NUMERIC
ID: Specifies an ENGINE id name for loading
(input flags): STRING
LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
(input flags): NUMERIC
DIR_LOAD: Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)
(input flags): NUMERIC
DIR_ADD: Adds a directory from which ENGINEs can be loaded
(input flags): STRING
LOAD: Load up the ENGINE specified by other settings
(input flags): NO_INPUT
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
SO_PATH: Specifies the path to the 'atasi' shared library
(input flags): STRING
ubuntu at s1lp14:~$
ubuntu at s1lp14:~$ openssl speed -evp des-ede3-cbc
Doing des-ede3-cbc for 3s on 16 size blocks: 23898360 des-ede3-cbc's in 2.99s
Doing des-ede3-cbc for 3s on 64 size blocks: 16122460 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 256 size blocks: 6459690 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 1024 size blocks: 2160212 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 8192 size blocks: 287433 des-ede3-cbc's in 2.99s
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,char) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DAES_CTR_ASM -DAES_XTS_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des-ede3-cbc 127884.20k 343945.81k 551226.88k 737352.36k 787508.74k
ubuntu at s1lp14:~$
_________
Yakkety:
--------
ubuntu at s1lp15:~$ sudo apt-cache policy openssl-ibmca
openssl-ibmca:
Installed: (none)
Candidate: 1.3.0-0ubuntu2.16.10.1
Version table:
1.3.0-0ubuntu2.16.10.1 500
500 http://ports.ubuntu.com yakkety-proposed/universe s390x Packages
1.3.0-0ubuntu2 500
500 http://ports.ubuntu.com yakkety/universe s390x Packages
ubuntu at s1lp15:~$
ubuntu at s1lp15:~$ sudo apt --yes install openssl-ibmca libica-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libica2
The following NEW packages will be installed:
libica-utils libica2 openssl-ibmca
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 92.3 kB of archives.
After this operation, 333 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com yakkety/universe s390x libica2 s390x 2.6.1-3 [60.0 kB]
Get:2 http://ports.ubuntu.com yakkety/universe s390x libica-utils s390x 2.6.1-3 [15.2 kB]
Get:3 http://ports.ubuntu.com yakkety-proposed/universe s390x openssl-ibmca s390x 1.3.0-0ubuntu2.16.10.1 [17.1 kB]
Fetched 92.3 kB in 0s (287 kB/s)
Selecting previously unselected package libica2:s390x.
(Reading database ... 44591 files and directories currently installed.)
Preparing to unpack .../0-libica2_2.6.1-3_s390x.deb ...
Unpacking libica2:s390x (2.6.1-3) ...
Selecting previously unselected package libica-utils.
Preparing to unpack .../1-libica-utils_2.6.1-3_s390x.deb ...
Unpacking libica-utils (2.6.1-3) ...
Selecting previously unselected package openssl-ibmca.
Preparing to unpack .../2-openssl-ibmca_1.3.0-0ubuntu2.16.10.1_s390x.deb ...
Unpacking openssl-ibmca (1.3.0-0ubuntu2.16.10.1) ...
Processing triggers for libc-bin (2.24-3ubuntu2) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libica2:s390x (2.6.1-3) ...
Setting up openssl-ibmca (1.3.0-0ubuntu2.16.10.1) ...
Setting up libica-utils (2.6.1-3) ...
Processing triggers for libc-bin (2.24-3ubuntu2) ...
ubuntu at s1lp15:~$
ubuntu at s1lp15:~$ apt-cache policy openssl-ibmca
openssl-ibmca:
Installed: 1.3.0-0ubuntu2.16.10.1
Candidate: 1.3.0-0ubuntu2.16.10.1
Version table:
*** 1.3.0-0ubuntu2.16.10.1 500
500 http://ports.ubuntu.com yakkety-proposed/universe s390x Packages
100 /var/lib/dpkg/status
1.3.0-0ubuntu2 500
500 http://ports.ubuntu.com yakkety/universe s390x Packages
ubuntu at s1lp15:~$
ubuntu at s1lp15:~$ sudo cp -p /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf_`date +%Y%m%d`.backup
ubuntu at s1lp15:~$ ls -la /etc/ssl/openssl.cnf*
-rw-r--r-- 1 root root 10835 Sep 23 11:00 /etc/ssl/openssl.cnf
-rw-r--r-- 1 root root 10835 Sep 23 11:00 /etc/ssl/openssl.cnf_20161118.backup
ubuntu at s1lp15:~$
ubuntu at s1lp15:~$ sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
...
ubuntu at s1lp15:~$ ls -la /etc/ssl/openssl.cnf*
-rw-r--r-- 1 root root 12251 Nov 18 15:43 /etc/ssl/openssl.cnf
-rw-r--r-- 1 root root 10835 Sep 23 11:00 /etc/ssl/openssl.cnf_20161118.backup
ubuntu at s1lp15:~$
ubuntu at s1lp15:~$ sudo vi /etc/ssl/openssl.cnf
357: openssl_conf = openssl_def
=>
357: # openssl_conf = openssl_def
and insert:
10: openssl_conf = openssl_def
ubuntu at s1lp15:~$ sudo systemctl reload-or-restart sshd.service
ubuntu at s1lp15:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
ubuntu at s1lp15:~$
ubuntu at s1lp15:~$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
ubuntu at s1lp15:~$ openssl engine -c -vvvv
(dynamic) Dynamic engine loading support
SO_PATH: Specifies the path to the new ENGINE shared library
(input flags): STRING
NO_VCHECK: Specifies to continue even if version checking fails (boolean)
(input flags): NUMERIC
ID: Specifies an ENGINE id name for loading
(input flags): STRING
LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
(input flags): NUMERIC
DIR_LOAD: Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)
(input flags): NUMERIC
DIR_ADD: Adds a directory from which ENGINEs can be loaded
(input flags): STRING
LOAD: Load up the ENGINE specified by other settings
(input flags): NO_INPUT
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
SO_PATH: Specifies the path to the 'atasi' shared library
(input flags): STRING
ubuntu at s1lp15:~$
ubuntu at s1lp15:~$ openssl speed -evp des-ede3-cbc
Doing des-ede3-cbc for 3s on 16 size blocks: 24176781 des-ede3-cbc's in 2.99s
Doing des-ede3-cbc for 3s on 64 size blocks: 16233351 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 256 size blocks: 7023676 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 1024 size blocks: 2158831 des-ede3-cbc's in 3.00s
Doing des-ede3-cbc for 3s on 8192 size blocks: 287383 des-ede3-cbc's in 3.00s
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,char) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN -g -O2 -fdebug-prefix-map=/build/openssl-tmX0Mb/openssl-1.0.2g=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DAES_CTR_ASM -DAES_XTS_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des-ede3-cbc 129374.08k 346311.49k 599353.69k 736880.98k 784747.18k
ubuntu at s1lp15:~$
Thx !
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1605511
Title:
openssl engine error if trying to exploit hw crypto on z due to
library issue
Status in libica package in Ubuntu:
Invalid
Status in openssl package in Ubuntu:
Invalid
Status in openssl-ibmca package in Ubuntu:
Fix Released
Status in libica source package in Xenial:
Invalid
Status in openssl source package in Xenial:
Invalid
Status in openssl-ibmca source package in Xenial:
Fix Committed
Status in libica source package in Yakkety:
Invalid
Status in openssl source package in Yakkety:
Invalid
Status in openssl-ibmca source package in Yakkety:
Fix Committed
Bug description:
[Testcase]
* configure ibmca engine as per below instructions
* execute openssl engine -c -vvvv
* it should complete without any loading errors
[Impact]
* Out of the box stock configuration results in non-usable engine which errors out
* Thus currently, without workarounds, the acceleration engine does not work. Meaning regression potential is low
Please note this is the first time we are integrating openssl-ibmca,
and it is not enabled by default. Hopefully things will be better /
more stable going forward.
openssl-ibmca usually requires libica2 and libica-utils for proper
functioning and all required tooling (like icainfo, icastats, etc.)
But after the installation of these packages and the configuration, which is like this:
sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
sudo vi /etc/ssl/openssl.cnf
adding the following line as the first active one:
openssl_conf = openssl_def
and removing or commenting all other occurrences of that line in the config file
and saving and closing the openssl.cnf file
this output of the openssl engine command is expected:
$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
or, even more precisely, these ciphers should be listed in case of "-c":
$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
But instead openssl is giving this error, due to a missing "libica.so":
$ openssl engine
Error configuring OpenSSL
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=ibmca_section, name=init, value=1
4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1
$
There is no libica.so that is shipped with any of the above packages (verified with dpkg -l) or otherwise available in the filesystem:
$ sudo find / -name "libica.so" 2>/dev/null
ubuntu at HWE0001:~$
But there is a different version of that libica:
$ sudo find / -name "*libica.so*" 2>/dev/null
/usr/lib/s390x-linux-gnu/libica.so.2
/usr/lib/s390x-linux-gnu/libica.so.2.6.1
$
So there are right now two workarounds:
1)
creating a (symbolic) link from libica.so.2 to libica.so, like
$ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so
that allows openssl to find a library named 'libica.so':
18:15:00: frank.heimes at canonical.com: ubuntu at HWE0001:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
But this could lead to issues in case of any potential function or interface changes that were introduced with libica.so.2
2)
installation of the "libica-dev" package that provides a (development) version of libica.so:
$ dpkg -L libica-dev | grep libica.so
/usr/lib/s390x-linux-gnu/libica.so
$
But the hardware crypto exploitation should work out of the box w/o
the link or the libica-dev package.
Either libica.so should be shipped (in addition to libica.so.2) with
the proper dependency to openssl-ibmca - openssl-ibmca should make use
of libica2 instead of libica.so.2...
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libica/+bug/1605511/+subscriptions
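An added check for the configuration step in the report above (not part of the bug report or of the openssl-ibmca package): OpenSSL only honours `openssl_conf` in the default section, before the first `[section]` header, which is why the line that `tee -a` appended at 357 is commented out and re-inserted near the top. The function name `check_openssl_conf`, its status words and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify where openssl_conf sits in an OpenSSL config file.
# Prints one of: ok, missing, in-section, duplicate.
check_openssl_conf() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^\[.*\]$/ { in_section = 1; next }                # first [header] ends the default section
        /^openssl_conf[ \t]*=/ { count++; if (!in_section) global++ }
        END {
            if (count == 0)       print "missing"
            else if (count > 1)   print "duplicate"
            else if (global == 0) print "in-section"
            else                  print "ok"
        }
    ' "$1"
}

# Constructed sample files (not the real Ubuntu openssl.cnf).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# State right after `tee -a`: the directive sits behind earlier section headers.
cat > "$tmp/appended.cnf" <<'EOF'
HOME = .
[ ca ]
default_ca = CA_default
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
EOF

# State after the manual edit: old line commented out, new line first.
cat > "$tmp/fixed.cnf" <<'EOF'
openssl_conf = openssl_def
HOME = .
[ ca ]
default_ca = CA_default
# openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
EOF

# Edit half done: new line inserted but the old one is still active.
sed 's/^# openssl_conf/openssl_conf/' "$tmp/fixed.cnf" > "$tmp/both.cnf"

for f in appended fixed both; do
    printf '%s: %s\n' "$f" "$(check_openssl_conf "$tmp/$f.cnf")"
done
```

Run against `/etc/ssl/openssl.cnf` before restarting services, a result other than `ok` means the engine section will not be picked up as the report intends.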