** Changed in: openssl-ibmca (Ubuntu Yakkety) Status: Fix Committed => In Progress
** Changed in: openssl-ibmca (Ubuntu Xenial) Assignee: (unassigned) => Dimitri John Ledkov (xnox) ** Description changed: - openssl-ibmca usually requires libica2 and libica-utils for proper - functioning and all required tooling (like icainfo, icastats, etc.) + [Testcase] + * configure ibmca engine as per below instructions + * execute openssl engine -c -vvvv + * it should complete without any loading errors + + + openssl-ibmca usually requires libica2 and libica-utils for proper functioning and all required tooling (like icainfo, icastats, etc.) But after the installation of these packages and the configuration, with is like this: sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample sudo vi /etc/ssl/openssl.cnf adding the following line as the first active one: openssl_conf = openssl_def and removing or commenting all other occurrences of that line in the config file and saving and closing the openssl.cnf file this output of the openssl engine command is expected: $ openssl engine (dynamic) Dynamic engine loading support (ibmca) Ibmca hardware engine support or even more precise these chiphers should be listed in case of "-c": $ openssl engine -c (dynamic) Dynamic engine loading support (ibmca) Ibmca hardware engine support - [RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512] + [RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512] But instead openssl is giving this error, due to a missing "libica.so": $ openssl engine Error configuring OpenSSL 4395950360208:error:25066067:DSO support 
routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory 4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233: 4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286: 4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory 4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233: 4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286: 4395950360208:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=ibmca_section, name=init, value=1 - 4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1 + 4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1 $ There is no libica.so that is shipped with any of the above packages (verified with dpkg -l) or otherwise available in the filesystem: $ sudo find / -name "libica.so" 2>/dev/null - ubuntu@HWE0001:~$ + ubuntu@HWE0001:~$ But there is a different verison of that libica: $ sudo find / -name "*libica.so*" 2>/dev/null /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so.2.6.1 - $ + $ So there are right now two workarounds: 1) creating a (symbolic) link from libica.so.2 to libica.so, like - $ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so + $ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so that allows openssl to find a library named 'libica.so': 18:15:00: frank.hei...@canonical.com: ubuntu@HWE0001:~$ 
openssl engine (dynamic) Dynamic engine loading support (ibmca) Ibmca hardware engine support But this could lead to issues in case of any potential functions or interface changes there we introduced with libica.so.2 2) installation of the "libica-dev" package that provides a (development) version of libica.so: $ dpkg -L libica-dev | grep libica.so /usr/lib/s390x-linux-gnu/libica.so $ But the hardware crypto exploitation should work out of the box w/o the link or the libica-dev package. Either libica.so should be shipped (in addition to libica.so.2) with the proper dependency to openssl-ibmca - openssh-ibmca should make use of libica2 instead of libica.so.2...

https://bugs.launchpad.net/bugs/1605511

Title:
  openssl engine error if trying to exploit hw crypto on z due to library issue

Status in libica package in Ubuntu:
  Invalid
Status in openssl package in Ubuntu:
  Invalid
Status in openssl-ibmca package in Ubuntu:
  Fix Committed
Status in libica source package in Xenial:
  Invalid
Status in openssl source package in Xenial:
  Invalid
Status in openssl-ibmca source package in Xenial:
  In Progress
Status in libica source package in Yakkety:
  Invalid
Status in openssl source package in Yakkety:
  Invalid
Status in openssl-ibmca source package in Yakkety:
  In Progress

Bug description:
  [Testcase]
  * configure ibmca engine as per below instructions
  * execute openssl engine -c -vvvv
  * it should complete without any loading errors

  openssl-ibmca usually requires libica2 and libica-utils for proper
  functioning and all required tooling (like icainfo, icastats, etc.)

  But after the installation of these packages and the configuration,
  which is like this:

  sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
  sudo vi /etc/ssl/openssl.cnf

  adding the following line as the first active one:

  openssl_conf = openssl_def

  and removing or commenting all other occurrences of that line in the
  config file and saving and closing the openssl.cnf file

  this output of the openssl engine command is expected:

  $ openssl engine
  (dynamic) Dynamic engine loading support
  (ibmca) Ibmca hardware engine support

  or even more precise these ciphers should be listed in case of "-c":

  $ openssl engine -c
  (dynamic) Dynamic engine loading support
  (ibmca) Ibmca hardware engine support
   [RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]

  But instead openssl is giving this error, due to a missing
  "libica.so":

  $ openssl engine
  Error configuring OpenSSL
  4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
  4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
  4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
  4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
  4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
  4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
  4395950360208:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=ibmca_section, name=init, value=1
  4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1
  $

  There is no libica.so that is shipped with any of the above packages
  (verified with dpkg -l) or otherwise available in the filesystem:

  $ sudo find / -name "libica.so" 2>/dev/null
  ubuntu@HWE0001:~$

  But there is a different version of that libica:

  $ sudo find / -name "*libica.so*" 2>/dev/null
  /usr/lib/s390x-linux-gnu/libica.so.2
  /usr/lib/s390x-linux-gnu/libica.so.2.6.1
  $

  So there are right now two workarounds:

  1) creating a (symbolic) link from libica.so.2 to libica.so, like

  $ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so

  that allows openssl to find a library named 'libica.so':

  18:15:00: frank.hei...@canonical.com: ubuntu@HWE0001:~$ openssl engine
  (dynamic) Dynamic engine loading support
  (ibmca) Ibmca hardware engine support

  But this could lead to issues in case of any potential functions or
  interface changes that were introduced with libica.so.2

  2) installation of the "libica-dev" package that provides a
  (development) version of libica.so:

  $ dpkg -L libica-dev | grep libica.so
  /usr/lib/s390x-linux-gnu/libica.so
  $

  But the hardware crypto exploitation should work out of the box w/o
  the link or the libica-dev package.

  Either libica.so should be shipped (in addition to libica.so.2) with
  the proper dependency to openssl-ibmca - openssh-ibmca should make use
  of libica2 instead of libica.so.2...
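
The diagnosis in the report above (read the library name out of the DLFCN_LOAD error, then compare it with what is on disk) can be scripted. This is an added example, not part of the bug report or of any package it mentions; the function names and the SAMPLE_* variables are hypothetical, and the sample input is constructed from lines quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Function and variable names are
# hypothetical. It works on captured text only and loads no library.

# Constructed sample: two error lines copied from the report, and the paths
# printed by the report's second find command.
SAMPLE_ERRORS='4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:'
SAMPLE_FILES='/usr/lib/s390x-linux-gnu/libica.so.2
/usr/lib/s390x-linux-gnu/libica.so.2.6.1'

# Print each distinct library name that DLFCN_LOAD failed to open.
missing_dsos() {
    printf '%s\n' "$1" |
        sed -n 's/.*DLFCN_LOAD:.*filename(\([^)]*\)).*/\1/p' | sort -u
}

# Classify one requested name against a whitespace-separated list of paths:
#   present         a file with exactly that name exists
#   versioned-only  the name is unversioned (*.so) and only versioned files
#                   (name.N...) exist, so a runtime-only install cannot load it
#   absent          nothing with that name or prefix exists
classify_dso() {
    name=$1
    result=absent
    for path in $2; do
        case ${path##*/} in
            "$name") result=present; break ;;
            "$name".*) case $name in *.so) result=versioned-only ;; esac ;;
        esac
    done
    echo "$result"
}

# One "name: class" line per library the engine failed to load.
triage() {
    for lib in $(missing_dsos "$1"); do
        echo "$lib: $(classify_dso "$lib" "$2")"
    done
}

triage "$SAMPLE_ERRORS" "$SAMPLE_FILES"
```

A "versioned-only" result is the situation the report describes: the engine asks for the unversioned name that only libica-dev provides, while the runtime package ships libica.so.2.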