I will proceed with an RC today! :-)

Gary

On Fri, Aug 28, 2020 at 10:42 AM Gary Gregory <garydgreg...@gmail.com> wrote:

> Thanks Geoffrey, updating our tally:
>
> Here is what community testing we have so far for the Crypto.main() smoke
> test:
>
> - darwin64-x86_64-cc; OpenSSL 1.1.1g; Gary Gregory, Alex Remily
> - debian-amd64; OpenSSL 1.0.1f; Gary Gregory
> - debian-amd64; OpenSSL 1.1.1g; Bruno P. Kinoshita
> - Linux x86_64; OpenSSL 1.1.1; Alex Remily
> - Windows 64 (mingw64); OpenSSL 1.1.1d; Alex Remily
> - linux-aarch64; OpenSSL 1.0.2k-fips; Geoffrey Blake
> - debian-arm64; OpenSSL 1.1.1f; Geoffrey Blake
>
> Gary
>
> On Fri, Aug 28, 2020 at 10:25 AM Geoffrey Blake <geoffrey.w.bl...@gmail.com> wrote:
>
>> Hi all,
>>
>> For the simple smoke test, on AArch64 for AmazonLinux2 (OpenSSL 1.0.2k) and
>> Ubuntu 20.04 (OpenSSL 1.1.1f) everything loads ok with the current Jar that
>> Gary posted.
>>
>> -Geoff
>>
>> AL2 output:
>> java -cp commons-crypto-1.1.0-20200824.190246-21.jar org.apache.commons.crypto.Crypto
>> Apache Commons Crypto 1.1.0-SNAPSHOT
>> Native code loaded OK: 1.1.0-SNAPSHOT
>> Native name: Apache Commons Crypto
>> Native built: Aug 18 2020
>> OpenSSL library loaded OK, version: 0x100020bf
>> OpenSSL library info: OpenSSL 1.0.2k-fips 26 Jan 2017
>> Random instance created OK: org.apache.commons.crypto.random.OpenSslCryptoRandom@54bedef2
>> Cipher AES/CTR/NoPadding instance created OK: org.apache.commons.crypto.cipher.OpenSslCipher@13221655
>> Additional OpenSSL_version(n) details:
>> 1: not available
>> 2: compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -Wa,--noexecstack -DPURIFY -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
>> 3: built on: reproducible build, date unspecified
>> 4: platform: linux-aarch64
>> 5: OPENSSLDIR: "/etc/pki/tls"
>>
>> Ubuntu output:
>> java -cp commons-crypto-1.1.0-20200824.190246-21.jar org.apache.commons.crypto.Crypto
>> Apache Commons Crypto 1.1.0-SNAPSHOT
>> Native code loaded OK: 1.1.0-SNAPSHOT
>> Native name: Apache Commons Crypto
>> Native built: Aug 18 2020
>> OpenSSL library loaded OK, version: 0x1010106f
>> OpenSSL library info: OpenSSL 1.1.1f 31 Mar 2020
>> Random instance created OK: org.apache.commons.crypto.random.OpenSslCryptoRandom@65b54208
>> Cipher AES/CTR/NoPadding instance created OK: org.apache.commons.crypto.cipher.OpenSslCipher@119d7047
>> Additional OpenSSL_version(n) details:
>> 1: compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-9j6sUa/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
>> 2: built on: Mon Apr 20 11:53:50 2020 UTC
>> 3: platform: debian-arm64
>> 4: OPENSSLDIR: "/usr/lib/ssl"
>> 5: ENGINESDIR: "/usr/lib/aarch64-linux-gnu/engines-1.1"
>>
>> On Thu, Aug 27, 2020 at 10:05 PM Matt Sicker <boa...@gmail.com> wrote:
>>
>> > For a library with as many vulnerabilities as OpenSSL, I’m surprised macOS
>> > keeps such an ancient version! It’s not like they ship a trimmed down and
>> > audited version of LibreSSL, either.
>> >
>> > On Thu, Aug 27, 2020 at 20:19 Gary Gregory <garydgreg...@gmail.com> wrote:
>> >
>> > > The issue for me is that it was a PITA to override macos' baked in
>> > > (ancient) LibreSSL.
>> > >
>> > > Gary
>> > >
>> > > On Thu, Aug 27, 2020, 20:03 Alex Remily <alex.rem...@gmail.com> wrote:
>> > >
>> > > > Interesting. If I understand correctly, you did get it to run
>> > > > successfully to completion, but only after placing a compatible
>> > > > libcrypto in the directory of execution, probably the first place
>> > > > dlopen looks for it. Would you agree then that the error was caused
>> > > > by loading an incompatible libcrypto? I'm inclined to think this is a
>> > > > configuration issue that should be well documented, as opposed to one
>> > > > that should be addressed through code. Like you, I also tried setting
>> > > > the LD_LIBRARY_PATH environment variable with no success. I was able
>> > > > to symlink the libcrypto in the usr/local/lib directory, though, which
>> > > > fixed the issue, but I agree this is a limitation. A user should be
>> > > > able to run more than one instance of libcrypto on the same host. I'm
>> > > > unsure as to the best way to proceed.
>> > > >
>> > > > On Thu, Aug 27, 2020 at 6:41 PM Gary Gregory <garydgreg...@gmail.com> wrote:
>> > > > >
>> > > > > On Mon, Aug 24, 2020 at 7:28 PM Alex Remily <alex.rem...@gmail.com> wrote:
>> > > > >
>> > > > > > Gary,
>> > > > > >
>> > > > > > Can you check that your libcrypto.dylib is symlinked to the libcrypto
>> > > > > > for OpenSSL 1.1.1.g? Mine wasn't, and I was getting different output
>> > > > > > from the main function than from the unit test output. I'm not
>> > > > > > confident that this is the root of the problem, but it may at least
>> > > > > > eliminate a possibility.
>> > > > > >
>> > > > > > On my machine I had to set /usr/local/lib/libcrypto.dylib -->
>> > > > > > /usr/local/Cellar/openssl@1.1/1.1.1g/lib/libcrypto.1.1.dylib. The JNI
>> > > > > > libraries use dlopen to find and load libcrypto, and dlopen looks for
>> > > > > >
>> > > > >
>> > > > > That did not work for me. The only thing that works is copying the dylib
>> > > > > file to the current dir. Hack!
>> > > > >
>> > > > > Gary
>> > > > >
>> > > > > > it in /usr/local/lib/, among other places.
>> > > > > >
>> > > > > > https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/dlopen.3.html
>> > > > > >
>> > > > > > If that doesn't work I'm going to need to step through the code.
>> > > > > > My output:
>> > > > > >
>> > > > > > WARNING in native method: JNI call made without checking exceptions when required to from CallStaticObjectMethod
>> > > > > > WARNING in native method: JNI call made without checking exceptions when required to from CallObjectMethod
>> > > > > > Apache Commons Crypto 1.1.0-SNAPSHOT
>> > > > > > Native code loaded OK 1.1.0-SNAPSHOT
>> > > > > > Native Name Apache Commons Crypto
>> > > > > > Native Built Aug 24 2020
>> > > > > > OpenSSL library loaded OK, version: 0x1010107f
>> > > > > > OpenSSL library info OpenSSL 1.1.1g 21 Apr 2020
>> > > > > > Random instance created OK
>> > > > > > Cipher instance created OK
>> > > > > > Additional OpenSSL_version(n) details:
>> > > > > > 1: compiler: clang -fPIC -arch x86_64 -O3 -Wall -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG
>> > > > > > 2: built on: Tue Apr 21 13:29:43 2020 UTC
>> > > > > > 3: platform: darwin64-x86_64-cc
>> > > > > > 4: OPENSSLDIR: "/usr/local/etc/openssl@1.1"
>> > > > > > 5: ENGINESDIR: "/usr/local/Cellar/openssl@1.1/1.1.1g/lib/engines-1.1"
>> > > > > >
>> > > > > > Alex
>> > > > > >
>> > > > > > On Sun, Aug 23, 2020 at 9:50 PM Gary Gregory <garydgreg...@gmail.com> wrote:
>> > > > > > >
>> > > > > > > I do have LibreSSL but I used homebrew to install OpenSSL 1.1.1g which I
>> > > > > > > put first on the PATH.
>> > > > > > > Maybe something is off in my setup...
>> > > > > > >
>> > > > > > > Gary
>> > > > > > >
>> > > > > > > On Sun, Aug 23, 2020, 21:46 Alex Remily <alex.rem...@gmail.com> wrote:
>> > > > > > >
>> > > > > > > > Gary,
>> > > > > > > >
>> > > > > > > > I'll have a look. I did the 1.1 support stuff and I'm familiar with
>> > > > > > > > that class and that error, although I don't recall seeing that
>> > > > > > > > specific error in that class. The JNI libraries check the OpenSSL
>> > > > > > > > version at runtime, but maybe a compile time dependency got through.
>> > > > > > > >
>> > > > > > > > Out of curiosity, I assume you also have LibreSSL installed? I have
>> > > > > > > > run into issues on my Mac with which libcrypto gets loaded by the JNI
>> > > > > > > > libraries during the dlsym. I wonder if the runtime is referring to
>> > > > > > > > one version and the JNI library is loading another.
>> > > > > > > >
>> > > > > > > > Anyway, I'll poke around and see what I can figure out. I'll try to
>> > > > > > > > get to it with the rest of the testing this week.
>> > > > > > > >
>> > > > > > > > Alex
>> > > > > > > >
>> > > > > > > > On Sun, Aug 23, 2020 at 11:18 AM Gary Gregory <garydgreg...@gmail.com> wrote:
>> > > > > > > > >
>> > > > > > > > > I am wondering if anyone can confirm the following issue and/or help explain
>> > > > > > > > > it, on MacOS 10.15.6 with OpenSSL 1.1.1g, running:
>> > > > > > > > >
>> > > > > > > > > mvn package
>> > > > > > > > >
>> > > > > > > > > then:
>> > > > > > > > >
>> > > > > > > > > java -Xdiag -Xcheck:jni -cp target/classes -Dcommons.crypto.lib.tempdir=target/ org.apache.commons.crypto.Crypto
>> > > > > > > > > WARNING in native method: JNI call made without checking exceptions when required to from CallStaticObjectMethod
>> > > > > > > > > WARNING in native method: JNI call made without checking exceptions when required to from CallObjectMethod
>> > > > > > > > > Apache Commons Crypto 1.1.0-SNAPSHOT
>> > > > > > > > > Native code loaded OK: 1.1.0-SNAPSHOT
>> > > > > > > > > Native name: Apache Commons Crypto
>> > > > > > > > > Native built: Aug 22 2020
>> > > > > > > > > Exception in thread "main" java.lang.UnsatisfiedLinkError: OpenSSL_version
>> > > > > > > > > at org.apache.commons.crypto.OpenSslInfoNative.OpenSSL(Native Method)
>> > > > > > > > > at org.apache.commons.crypto.Crypto.main(Crypto.java:144)
>> > > > > > > > >
>> > > > > > > > > I wonder if we have issues on 1.1.x vs 1.0.x.
>> > > > > > > > >
>> > > > > > > > > My versions:
>> > > > > > > > >
>> > > > > > > > > openssl version
>> > > > > > > > > OpenSSL 1.1.1g 21 Apr 2020
>> > > > > > > > >
>> > > > > > > > > mvn -version
>> > > > > > > > > Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
>> > > > > > > > > Maven home: /opt/apache-maven-3.6.3
>> > > > > > > > > Java version: 1.8.0_265, vendor: AdoptOpenJDK, runtime: /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre
>> > > > > > > > > Default locale: en_US, platform encoding: UTF-8
>> > > > > > > > > OS name: "mac os x", version: "10.15.6", arch: "x86_64", family: "mac"
>> > > > > > > > >
>> > > > > > > > > Thank you,
>> > > > > > > > > Gary
>> > > > > > > > >
>> > > > > > > > > On Sat, Aug 22, 2020 at 7:48 PM Gary Gregory <garydgreg...@gmail.com> wrote:
>> > > > > > > > >
>> > > > > > > > > > Hi all,
>> > > > > > > > > >
>> > > > > > > > > > I intend on creating a release candidate for Commons Crypto soon.
>> > > > > > > > > >
>> > > > > > > > > > I pushed a snapshot today which contains native binaries for Windows 32
>> > > > > > > > > > and 64, Linux 32 and 64, Mac 64, and ARM and ARM HF.
>> > > > > > > > > >
>> > > > > > > > > > Please help testing these on whatever platforms you may have access to.
>> > > > > > > > > >
>> > > > > > > > > > Gary
>> > > > > > > >
>> > > > > > > > ---------------------------------------------------------------------
>> > > > > > > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> > > > > > > > For additional commands, e-mail: dev-h...@commons.apache.org
>> >
>> > --
>> > Matt Sicker <boa...@gmail.com>
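
Added example, not part of the thread or of Commons Crypto: a check over the Crypto.main() smoke-test output quoted above that decodes the reported version number and compares it with the info string and with an expected version, to confirm which libcrypto was actually loaded. It assumes the OpenSSL 1.x number layout 0xMNNFFPPS; the function names are illustrative and the sample text is constructed from the AL2 lines above.

```python
import re

# Constructed sample: lines taken from the AL2 smoke-test output quoted above.
SAMPLE_AL2 = """\
Native code loaded OK: 1.1.0-SNAPSHOT
OpenSSL library loaded OK, version: 0x100020bf
OpenSSL library info: OpenSSL 1.0.2k-fips 26 Jan 2017
"""

VERSION_RE = re.compile(r"OpenSSL library loaded OK, version:\s*(0x[0-9a-fA-F]+)")
# The colon is optional because one output in the thread prints none.
INFO_RE = re.compile(r"OpenSSL library info:?\s*(\S+)\s+(\S+)")


def decode_version(num):
    """Decode an OpenSSL 1.x version number (assumed layout 0xMNNFFPPS)."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    # Patch 1..26 maps to the letters a..z; 0 means no letter.
    letter = chr(ord("a") + patch - 1) if 1 <= patch <= 26 else ""
    return f"{major}.{minor}.{fix}{letter}", (num & 0xF) == 0xF


def check_smoke_output(text, expected=None):
    """Return a list of findings; an empty list means the output is consistent."""
    m = VERSION_RE.search(text)
    if not m:
        return ["no OpenSSL version line: libcrypto did not load or link"]
    decoded, is_release = decode_version(int(m.group(1), 16))
    findings = []
    if not is_release:
        findings.append(f"{decoded} is a dev/beta build, not a release")
    info = INFO_RE.search(text)
    if not info:
        findings.append("no OpenSSL library info line")
    else:
        name, ver = info.group(1), info.group(2).split("-")[0]
        if (name, ver) != ("OpenSSL", decoded):
            findings.append(f"info says {name} {ver}, number decodes to {decoded}")
    if expected and decoded != expected:
        findings.append(f"loaded {decoded}, expected {expected}")
    return findings


if __name__ == "__main__":
    print(check_smoke_output(SAMPLE_AL2, expected="1.1.1g"))
```

Passing the version that `openssl version` reports on the PATH as `expected` surfaces the case discussed in the thread, where the JNI layer loads a different libcrypto than the one the shell finds.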