Compiling OpenSSL 1.1.0e with AF_ALG engine

David Oberhollenzer
Hi,

I'm trying to compile OpenSSL 1.1.0e with the afalg engine on a
recent CentOS 7. I removed the kernel version check for the
afalg engine from the Configure script since AFAIK the CentOS
kernel should have all of that back ported. I ran the following
configure command:

$ ./Configure linux-x86_64 shared enable-engine enable-dso \
  enable-afalgeng --prefix=/opt/openssl --openssldir=/opt/openssl


After make, I get an afalg.so in the output, but after installing
it and running openssl speed I get complaints about bind_engine
not being exported:


$ /opt/openssl/bin/openssl speed -evp aes-128-cbc -engine afalg
invalid engine "afalg"
140034190133056:error:2506406A:DSO support
routines:dlfcn_bind_func:could not bind to the requested symbol
name:crypto/dso/dso_dlfcn.c:178:symname(bind_engine):
/opt/openssl/lib/engines-1.1/afalg.so: undefined symbol: bind_engine
140034190133056:error:2506C06A:DSO support routines:DSO_bind_func:could
not bind to the requested symbol name:crypto/dso/dso_lib.c:185:
140034190133056:error:260B6068:engine routines:dynamic_load:DSO
failure:crypto/engine/eng_dyn.c:427:
140034190133056:error:2606A074:engine routines:ENGINE_by_id:no such
engine:crypto/engine/eng_list.c:339:id=afalg
140034190133056:error:25066067:DSO support routines:dlfcn_load:could not
load the shared
library:crypto/dso/dso_dlfcn.c:113:filename(libafalg.so): libafalg.so:
cannot open shared object file: No such file or directory
140034190133056:error:25070067:DSO support routines:DSO_load:could not
load the shared library:crypto/dso/dso_lib.c:161:
140034190133056:error:260B6084:engine routines:dynamic_load:dso not
found:crypto/engine/eng_dyn.c:414:
...


Running readelf on afalg.so confirms that the symbol is indeed not
in the binary. Am I missing some magic configure options or is there
some other problem?


Thanks,

David
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Compiling OpenSSL 1.1.0e with AF_ALG engine

Matt Caswell-2


On 22/02/17 09:11, David Oberhollenzer wrote:
> Running readelf on afalg.so confirms that the symbol is indeed not
> in the binary. Am I missing some magic configure options or is there
> some other problem?

I just tried the exact same Configure line as you on 1.1.0e and it all
works fine:

$ readelf afalg.so -s | grep bind_engine
    66: 0000000000002840   319 FUNC    GLOBAL DEFAULT   12 bind_engine
    95: 0000000000002840   319 FUNC    GLOBAL DEFAULT   12 bind_engine


You said you:

> removed the kernel version check for the
> afalg engine from the Configure script since AFAIK the CentOS
> kernel should have all of that back ported.

There is a similar check in engines/afalg/e_afalg.c which checks the
version of the kernel headers. Did you also amend that:


#if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2) || \
    !defined(AF_ALG)
# ifndef PEDANTIC
#  warning "AFALG ENGINE requires Kernel Headers >= 4.1.0"
#  warning "Skipping Compilation of AFALG engine"
# endif
void engine_load_afalg_int(void);
void engine_load_afalg_int(void)
{
}
#else


Matt
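
The header check quoted above and the run-time check compare plain version numbers, so a distribution kernel with backported features still fails them. This added diagnostic is not part of the original thread and is not OpenSSL code; it reproduces the arithmetic to show which gate a given build host trips. The function names are hypothetical, the 4.1.0 minimum is taken from the `#warning` text, and the release strings used with it are constructed samples.

```shell
#!/bin/sh
# Added diagnostic sketch (not OpenSSL code). Function names are hypothetical;
# the 4.1.0 minimum is an assumption taken from the #warning text quoted above.

AFALG_MIN_RELEASE="4.1.0"

# Same arithmetic as KERNEL_VERSION(a,b,c) in <linux/version.h>.
# Accepts "3.10.0-514.el7.x86_64", "4.1.0", "4.9", ...
kernel_version_code() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        c = $3 + 0; if (c > 255) c = 255   # newer headers clamp the sublevel
        print $1 * 65536 + $2 * 256 + c
    }'
}

# Read LINUX_VERSION_CODE from a version.h (normally
# /usr/include/linux/version.h); fails if the define is missing.
headers_version_code() {
    awk '$1 == "#define" && $2 == "LINUX_VERSION_CODE" { print $3; ok = 1 }
         END { exit !ok }' "$1"
}

# Report which of the two version gates would stop the engine.
#   $1 = path to version.h   $2 = running release (default: uname -r)
afalg_gate() {
    min=$(kernel_version_code "$AFALG_MIN_RELEASE")
    hdr=$(headers_version_code "$1") || { echo "no-headers"; return 2; }
    run=$(kernel_version_code "${2:-$(uname -r)}")
    if [ "$hdr" -lt "$min" ]; then
        echo "compile-time-skip"     # only the empty stub is compiled
        return 1
    elif [ "$run" -lt "$min" ]; then
        echo "run-time-refuse"       # run-time version check fails
        return 1
    fi
    echo "ok"
}
```

On a build host, `afalg_gate /usr/include/linux/version.h` checks the installed headers against the running kernel.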
Re: Compiling OpenSSL 1.1.0e with AF_ALG engine

Richard Weinberger-2
In reply to this post by David Oberhollenzer
On 22.02.2017 at 12:24, David Oberhollenzer wrote:
> Sorry, never mind. After taking a closer look at the source code I saw
> that there are further compile time and run-time kernel version
> checks in e_afalg.c. I adjusted the version number and got that to
> work now.

Well, why does the afalg engine depend on Linux 4.1?
AF_ALG is part of Linux since 2.6.38.

Furthermore it is not clear to me why the Kernel version is being
checked during the build.
What if I build on an older kernel?
Does your build system offer a config option for that?

Thanks,
//richard

--
sigma star gmbh - Eduard-Bodem-Gasse 6 - 6020 Innsbruck - Austria
ATU66964118 - FN 374287y
Re: Compiling OpenSSL 1.1.0e with AF_ALG engine

Matt Caswell-2


On 22/02/17 20:20, Richard Weinberger wrote:
> On 22.02.2017 at 12:24, David Oberhollenzer wrote:
>> Sorry, never mind. After taking a closer look at the source code I saw
>> that there are further compile time and run-time kernel version
>> checks in e_afalg.c. I adjusted the version number and got that to
>> work now.
>
> Well, why does the afalg engine depend on Linux 4.1?
> AF_ALG is part of Linux since 2.6.38.

I think it's the dependence on the AIO stuff. The AFALG engine is an
async aware engine. If your application is also async aware (i.e. uses
the new async APIs in 1.1.0) then you can offload crypto work onto the
kernel while your application gets on with something else.

At the moment though the crypto support in that engine is quite limited.
It only supports offloading of AES128-CBC.

>
> Furthermore it is not clear to me why the Kernel version is being
> checked during the build.
> What if I build on an older kernel?
> Does your build system offer a config option for that?

No - I guess the assumption is that it is more normal to do it the other
way around (i.e. build on a newer kernel but target an older one).

Matt

Re: Compiling OpenSSL 1.1.0e with AF_ALG engine

Jeffrey Walton-3
In reply to this post by Richard Weinberger-2
>> Sorry, never mind. After taking a closer look at the source code I saw
>> that there are further compile time and run-time kernel version
>> checks in e_afalg.c. I adjusted the version number and got that to
>> work now.
>
> Well, why does the afalg engine depend on Linux 4.1?
> AF_ALG is part of Linux since 2.6.38.
>
> Furthermore it is not clear to me why the Kernel version is being
> checked during the build.
> What if I build on an older kernel?
> Does your build system offer a config option for that?

Also see https://mta.openssl.org/pipermail/openssl-dev/2016-March/006171.html

It's been my experience that most AFALG issues are due to the kernel
and problems with its implementation, and not OpenSSL.

Kernel test vectors are virtually non-existent, so things randomly
move in and out of a state of "it works as expected" to other various
states. For example, here are the AFALG test vectors:
https://github.com/tstruk/afalg_async_test. They are not in the kernel
proper, they are incomplete, and it's hit or miss whether they will
work as expected.

You can learn if an async driver is available with:

   cat /proc/crypto | egrep '^(name|driver|async|$)'

Jeff
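
The `/proc/crypto` check above lists every algorithm. This added example, which is not part of the original thread, narrows it to the async drivers registered for one algorithm, such as `cbc(aes)` for the AES128-CBC offload mentioned earlier, ordered by kernel priority. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical and
# the sample records below are constructed, not captured from a real host.

# Print "priority driver" for every async implementation of algorithm $1.
#   $2 = file in /proc/crypto format (default /proc/crypto, "-" for stdin)
async_drivers() {
    awk -v want="$1" -F' *: *' '
        function emit() {
            if (rec["name"] == want && rec["async"] == "yes")
                print rec["priority"], rec["driver"]
            split("", rec)           # reset for the next record
        }
        NF >= 2 { rec[$1] = $2 }     # "key : value" line
        NF == 0 { emit() }           # a blank line ends a record
        END     { emit() }           # last record may lack a blank line
    ' "${2:-/proc/crypto}" | sort -k1,1nr
}

# Constructed sample in /proc/crypto layout for offline use.
sample_proc_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : cbc-aes-example-hw
priority     : 300
type         : ablkcipher
async        : yes

name         : cbc(aes)
driver       : cbc-aes-aesni
priority     : 400
type         : ablkcipher
async        : yes

name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100
type         : blkcipher
async        : no

name         : sha256
driver       : sha256-generic
priority     : 0
type         : shash
EOF
}
```

`sample_proc_crypto | async_drivers 'cbc(aes)' -` runs it on the constructed sample; omit the second argument to read the live `/proc/crypto`.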