[Bug 1605511] Re: openssl engine error if trying to exploit hw crypto on z due to library issue

Dimitri John Ledkov launchpad at surgut.co.uk
Tue Oct 4 15:34:08 UTC 2016 

Please try packages from:

sudo add-apt-repository ppa:ci-train-ppa-service/2043
sudo apt update
sudo apt full-upgrade

With packages there, libica.so is still attempted to be loaded first. If
that fails, libica.so.2 is attempted to be loaded, and that should
succeed.

Before:
$ openssl engine ibmca
(ibmca) Ibmca hardware engine support
4396855273104:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4396855273104:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4396855273104:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:

After:
$ openssl engine ibmca
(ibmca) Ibmca hardware engine support
4396661810832:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4396661810832:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:

Which is still a bit ugly messaging, but should work out of the box.

** Changed in: openssl-ibmca (Ubuntu Xenial)
       Status: Confirmed => In Progress

** Changed in: openssl-ibmca (Ubuntu Yakkety)
       Status: Confirmed => Fix Committed

** Changed in: openssl-ibmca (Ubuntu Yakkety)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1605511

Title:
  openssl engine error if trying to exploit hw crypto on z due to
  library issue

Status in libica package in Ubuntu:
  Invalid
Status in openssl package in Ubuntu:
  Invalid
Status in openssl-ibmca package in Ubuntu:
  Fix Committed
Status in libica source package in Xenial:
  Invalid
Status in openssl source package in Xenial:
  Invalid
Status in openssl-ibmca source package in Xenial:
  In Progress
Status in libica source package in Yakkety:
  Invalid
Status in openssl source package in Yakkety:
  Invalid
Status in openssl-ibmca source package in Yakkety:
  Fix Committed

Bug description:
  openssl-ibmca usually requires libica2 and libica-utils for proper
  functioning and all required tooling (like icainfo, icastats, etc.)

  But after the installation of these packages and the configuration, with is like this:
  sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
  sudo vi /etc/ssl/openssl.cnf
  adding the following line as the first active one:
  openssl_conf = openssl_def
  and removing or commenting all other occurrences of that line in the config file
  and saving and closing the openssl.cnf file
  this output of the openssl engine command is expected:

  $ openssl engine
  (dynamic) Dynamic engine loading support
  (ibmca) Ibmca hardware engine support

  or even more precise these chiphers should be listed in case of "-c":

  $ openssl engine -c
  (dynamic) Dynamic engine loading support
  (ibmca) Ibmca hardware engine support
   [RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]

  But instead openssl is giving this error, due to a missing "libica.so":
  $ openssl engine
  Error configuring OpenSSL
  4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
  4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
  4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
  4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
  4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
  4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
  4395950360208:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=ibmca_section, name=init, value=1
  4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1      
  $

  There is no libica.so that is shipped with any of the above packages (verified with dpkg -l) or otherwise available in the filesystem:
  $ sudo find / -name "libica.so" 2>/dev/null
  ubuntu at HWE0001:~$ 

  But there is a different verison of that libica:
  $ sudo find / -name "*libica.so*" 2>/dev/null
  /usr/lib/s390x-linux-gnu/libica.so.2
  /usr/lib/s390x-linux-gnu/libica.so.2.6.1
  $ 

  So there are right now two workarounds:
  1)
  creating a (symbolic) link from libica.so.2 to libica.so, like
  $ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so 
  that allows openssl to find a library named 'libica.so':
  18:15:00: frank.heimes at canonical.com: ubuntu at HWE0001:~$ openssl engine
  (dynamic) Dynamic engine loading support
  (ibmca) Ibmca hardware engine support
  But this could lead to issues in case of any potential functions or interface changes there we introduced with libica.so.2
  2)
  installation of the "libica-dev" package that provides a (development) version of libica.so:
  $ dpkg -L libica-dev | grep libica.so
  /usr/lib/s390x-linux-gnu/libica.so
  $

  But the hardware crypto exploitation should work out of the box w/o
  the link or the libica-dev package.

  Either libica.so should be shipped (in addition to libica.so.2) with
  the proper dependency to openssl-ibmca - openssh-ibmca should make use
  of libica2 instead of libica.so.2...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libica/+bug/1605511/+subscriptions

More information about the foundations-bugs mailing list