SHA256 openssl-1.1.1i Checksum Error

SHA256 openssl-1.1.1i Checksum Error

Chris Outwin
This is my first post. OpenSSL is not my forte.

The code below returns an unexpected checksum value for openssl-1.1.1i. Strangely, when the same code is run for a previous version, the correct checksum value is returned. Here is what I've tried:

1.  Downloaded the current SHA256 value for openssl-1.1.1i.tar.gz from https://www.openssl.org/source/
2.  Included that checksum value in the code below
3.  Run the code in macOS Version 10.15.7's Terminal app (using bash)
4.  Observed that the checksum value does not match the downloaded value in Step 1 above

Here is the part of the script associated with the problem. Notice an incorrect checksum of c413e17d876098e89478c85e1d2b96db79bcdc943ad54550f0351da4f141ec5e is returned at the end. What am I doing wrong?

#!/bin/zsh
# This script builds OpenSSL libssl and libcrypto for 64-bit devices.
# Binary distribution for ios64-cross-arm64 and ios64-cross-arm64e

VERSION=“1.1.1i”
VERSION_SHA256_CHECKSUM="e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242"

##############################################################

# Checksum to verify OpenSSL files are not corrupted.
FILE_CHECKSUM=$(shasum -a 256 openssl-$VERSION.tar.gz | awk '{print $1; exit}')
if [ "$FILE_CHECKSUM" != "$VERSION_SHA256_CHECKSUM" ]; then
    echo "OpenSSL version $VERSION failed checksum."
    echo "Checksum should be:" $VERSION_SHA256_CHECKSUM
    echo "Actual downloaded file checksum:" $FILE_CHECKSUM
    exit 1
fi

Here is the verbose listing returned by the script:

chrisoutwin@Chriss-iMac OpenSSL % bash build.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 23.2.168.18...
* TCP_NODELAY set
* Connected to www.openssl.org (23.2.168.18) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [229 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2556 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.openssl.org
*  start date: Oct 30 19:31:03 2020 GMT
*  expire date: Jan 28 19:31:03 2021 GMT
*  subjectAltName: host "www.openssl.org" matched cert's "www.openssl.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /source/openssl-“1.1.1i”.tar.gz HTTP/1.1
> User-Agent: curl/7.64.1
> Accept: */*
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 404 Not Found
< Server: Apache/2.4.29 (Ubuntu)
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Accept-Ranges: bytes
< Content-Type: text/html; charset=UTF-8
< Content-Length: 4182
< Cache-Control: max-age=172800
< Expires: Wed, 30 Dec 2020 15:20:43 GMT
< Date: Mon, 28 Dec 2020 15:20:43 GMT
< Connection: keep-alive
{ [1536 bytes data]
100  4182  100  4182    0     0   5873      0 --:--:-- --:--:-- --:--:--  5873
* Connection #0 to host www.openssl.org left intact
* Closing connection 0
OpenSSL version “1.1.1i” failed checksum.
Checksum should be: e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242
Actual downloaded file checksum: c413e17d876098e89478c85e1d2b96db79bcdc943ad54550f0351da4f141ec5e



RE: SHA256 openssl-1.1.1i Checksum Error

Dr. Matthias St. Pierre

I have no experience with zsh, but it seems that quoting is handled differently by zsh?

At least it looks like the double quotes ended up in the GET line and you simply received an HTTP 404 Not Found (which is the reason why your digest isn't correct.)

HTH,
Matthias

> GET /source/openssl-“1.1.1i”.tar.gz HTTP/1.1
> Host: www.openssl.org
> User-Agent: curl/7.64.1
> Accept: */*
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 404 Not Found
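The log quoted above shows two separate weaknesses in the original script: the version string was spliced into the URL unchecked, and curl saved the 404 error page under the tarball's name so that the checksum step hashed HTML. The following is an added example (my own helper functions, not the script from the thread) that closes both gaps: the version string is validated before use, so typographic quotes or any other non-ASCII byte abort the run with a clear message, and curl is run with -f so an HTTP error status becomes a non-zero exit instead of a file on disk. The function names are my own; the URL and the published digest are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not the script from the thread: download-and-verify helpers
# that reject a malformed version string and refuse to hash an error page.
set -eu

# Accept only the characters an OpenSSL version string can contain.
# A curly quote (U+201C/U+201D) is one stray character in a UTF-8 locale or
# three stray bytes in the C locale; either way it fails this pattern.
validate_version() {
    case "$1" in
        "" | *[!0-9A-Za-z.]*)
            echo "Invalid version string: '$1' (empty or non-ASCII?)" >&2
            return 1 ;;
    esac
    return 0
}

# Bare hex SHA-256 of a file, using whichever tool the platform provides
# (sha256sum on Linux, shasum -a 256 on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1; exit}'
    else
        shasum -a 256 "$1" | awk '{print $1; exit}'
    fi
}

# Compare the file's digest with the published one; print both on mismatch.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "$file failed checksum." >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Fetch the tarball. -f makes curl exit non-zero on an HTTP error (a 404 included),
# so a failed download never leaves an HTML page on disk under the tarball's name.
fetch_tarball() {
    curl -fsSL -o "openssl-$1.tar.gz" \
        "https://www.openssl.org/source/openssl-$1.tar.gz"
}

# The whole flow as a build script would call it: validate, download, verify.
prepare_openssl() {
    version="$1"; checksum="$2"
    validate_version "$version" || return 1
    fetch_tarball "$version" || { echo "Download of openssl-$version failed." >&2; return 1; }
    verify_sha256 "openssl-$version.tar.gz" "$checksum"
}

# Usage (needs network; the digest is the one published for 1.1.1i, in ASCII quotes):
#   prepare_openssl "1.1.1i" "e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242"
```

With these checks in place the original failure would have stopped at validate_version, before any request was made; and even with a correct version string, a server-side 404 would now fail the download step rather than surfacing as a misleading checksum mismatch.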



RE: SHA256 openssl-1.1.1i Checksum Error

Michael Wojcik
> From: openssl-users <[hidden email]> On Behalf Of Dr. Matthias St. Pierre
> Sent: Monday, 28 December, 2020 11:50

> I have no experience with zsh, but it seems that quoting is handled
> differently by zsh?

Is the problem that quoting is handled differently, or that he actually had Unicode left-double-quote and right-double-quote characters there rather than proper ASCII double-quote characters? That's how it appears in the message as I received it.

> At least it looks like the double quotes ended up in the GET line

Agreed.

> and you simply received an HTTP 404 Not Found (which is the reason why your
> digest isn’t correct.)

Agreed.

I'll add: Don't check the checksum. Check the signature:

1. Install an OpenPGP implementation such as gpg, if you don't already have one. (One may come with macOS; I have no idea.)

2. Download the .asc file corresponding to the tarball you downloaded.

3. Check the signature. With gpg2, for example:

   $ gpg2 --verify openssl-1.1.1i.tar.gz.asc openssl-1.1.1i.tar.gz
   gpg: Signature made 12/08/20 06:21:06 MST using RSA key ID 0E604491

Now, you presumably won't have the signing public key (for 1.1.1i that's a key owned by Matt Caswell) in your keyring. You can download it from a public keyserver and mark it as trusted, so you'll also get verification that the signature was generated with the correct key:

   gpg: Good signature from "Matt Caswell <[hidden email]>" [full]
   gpg:                 aka "Matt Caswell <[hidden email]>" [full]

While checking the signature runs into all the well-documented issues with the PGP Web of Trust, it's still stronger (in the sense that it prunes more of the attack tree, under sensible threat models) than just checking the hash. And once you're set up to do it, it's a simpler operation for future downloads.

--
Michael Wojcik
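Steps 2 and 3 above as a script, as an added example that is not part of Michael's post. It adds the one check a practitioner wants on top of reading "Good signature": gpg's machine-readable status output is captured and the full fingerprint on its VALIDSIG line is compared with the fingerprint you expect. The thread quotes only the short key ID 0E604491, which is not enough to identify a key, so the expected fingerprint below is a placeholder to be replaced with the one published by the OpenSSL project. Step 1 (an installed gpg) is assumed, the key import command is shown as a comment, and all function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: verify the detached OpenPGP signature of
# an OpenSSL tarball and pin the signing key by full fingerprint.
set -eu

# Placeholder: replace with the 40-hex fingerprint of the release signing key.
EXPECTED_FPR="<40-hex-fingerprint-of-the-release-signing-key>"

# Print the fingerprint from gpg's VALIDSIG status line, if there is one.
# Status lines look like: [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...
# VALIDSIG (unlike GOODSIG) is only emitted for a signature that verified.
validsig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }' "$1"
}

# Return 0 only if the status file records a valid signature by the expected key.
signature_matches() {
    status_file="$1"; expected="$2"
    got=$(validsig_fingerprint "$status_file")
    if [ -z "$got" ]; then
        echo "No valid signature found." >&2
        return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "Signature made by unexpected key $got (expected $expected)." >&2
        return 1
    fi
    return 0
}

# Fetch the .asc for an already-downloaded tarball and verify it.
# The public key is assumed to be in the keyring already; one way to get it:
#   gpg --keyserver keys.openpgp.org --recv-keys "$EXPECTED_FPR"
verify_tarball() {
    version="$1"
    tarball="openssl-$version.tar.gz"
    curl -fsSL -o "$tarball.asc" "https://www.openssl.org/source/$tarball.asc"
    status=$(mktemp)
    # --status-fd 1 sends the machine-readable lines to stdout (captured here);
    # the human-readable report stays on stderr. gpg's exit code is ignored on
    # purpose: the decision is made from the VALIDSIG line alone.
    gpg --status-fd 1 --verify "$tarball.asc" "$tarball" > "$status" || true
    if signature_matches "$status" "$EXPECTED_FPR"; then rc=0; else rc=1; fi
    rm -f "$status"
    return $rc
}

# Usage (needs gpg, the key in the keyring and network):
#   verify_tarball 1.1.1i
```

Pinning the fingerprint sidesteps most of the Web of Trust questions Michael mentions: the decision no longer depends on how the key was marked in your keyring, only on whether the signature was made by the key whose fingerprint you recorded from a trusted source.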

RE: SHA256 openssl-1.1.1i Checksum Error

Dr. Matthias St. Pierre

You're welcome. As Michael Wojcik pointed out in his reply to the list, the problem had nothing to do with zsh specifics. It was caused by the fact that those weren't normal double quotes, but unicode left and right double quotes, which weren't understood by the shell.

Regards,
Matthias

From: Chris Outwin <[hidden email]>
Sent: Monday, December 28, 2020 9:43 PM
To: Dr. Matthias St. Pierre <[hidden email]>
Subject: Re: SHA256 openssl-1.1.1i Checksum Error

 

Thank you for your prompt reply. Removing the quotes from VERSION=“1.1.1i” allowed the script to run.

Dr. Matthias St. Pierre 

Senior Software Engineer 
[hidden email] 
Phone: +49 911 9968-0
www.ncp-e.com