engine-corner / engine-chil

The CHIL engine from OpenSSL

Compatibility with OpenSSL 1.1.1 #12

Open DeoMortis opened 4 years ago

DeoMortis commented 4 years ago

Hi. I was wondering if this engine is compatible with OpenSSL 1.1.1? I compiled it successfully using the --with-openssl configuration option together with OpenSSL 1.1.1c. However, the library files produced are in the folder ../lib/engines instead of what I'd expect, ../lib/engines-1.1/. If I try to use them anyway, I get a segmentation fault.

levitte commented 4 years ago

I rebuilt it just now and tried it with the openssl engine command, using the system installed OpenSSL:

: ; openssl version
OpenSSL 1.1.1c  28 May 2019
: ; OPENSSL_ENGINES=./.libs openssl engine -c -t -vvvv chil
(chil) CHIL hardware engine support
 [RSA, DH, RAND]
     [ unavailable ]
     SO_PATH: Specifies the path to the 'hwcrhk' shared library
          (input flags): STRING
     FORK_CHECK: Turns fork() checking on (non-zero) or off (zero)
          (input flags): NUMERIC
     THREAD_LOCKING: Turns thread-safe locking on (zero) or off (non-zero)
          (input flags): NUMERIC
     SET_USER_INTERFACE: Set the global user interface (internal)
          (input flags): [Internal] 
     SET_CALLBACK_DATA: Set the global user interface extra data (internal)
          (input flags): [Internal] 

What did you try that gave you a segfault?

levitte commented 4 years ago

(Note that you don't have to install the engine to try it; all you need is to set the environment variable OPENSSL_ENGINES to point at the directory where it resides.)

inorton commented 4 years ago

BTW hwcrhk's functions are now fully thread safe (since v12.40) so you may need to do less locking from chil.

inorton commented 4 years ago

You don't actually have to install the engine to get it to work:

$ OPENSSL_ENGINES=.libs LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk /usr/bin/openssl speed -seconds 10 -elapsed -engine chil rsa2048
engine "chil" set.
You have chosen to measure elapsed time instead of user CPU time.
Doing 2048 bits private rsa's for 10s: 231 2048 bits private RSA's in 10.04s
Doing 2048 bits public rsa's for 10s: 231 2048 bits public RSA's in 10.04s
OpenSSL 1.1.1c  28 May 2019
built on: Thu May 30 15:27:48 2019 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-of5rlU/openssl-1.1.1c=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.043463s 0.043463s     23.0     23.0

Which shows it working fine (ignore the speed; I'm not actually using a real HSM with accelerator chips).

Doing an actual signature using an embed key:

$ OPENSSL_ENGINES=.libs LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk /usr/bin/openssl dgst -engine chil -sign embedkey -sha256 -out README.md.sig README.md
engine "chil" set.
$ OPENSSL_ENGINES=.libs LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk /usr/bin/openssl rsa -in embedkey -out embedkey.pub -pubout -engine chil
$ openssl dgst -signature README.md.sig -verify embedkey.pub README.md
Verified OK
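
Added example, not part of the thread or the project's code: a shell preflight for the directory mismatch raised in the opening post and for the OPENSSL_ENGINES override described in the replies. It compares the ENGINESDIR line printed by `openssl version -e` with the directory that actually holds the engine module; the function names, the module file name `chil.so` and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example. Function names, paths and the module file name
# (chil.so) are assumptions for illustration.

# Read `openssl version -e` output on stdin and print the compiled-in
# engines directory. The line looks like: ENGINESDIR: "/some/path"
enginesdir_from_output() {
    sed -n 's/^ENGINESDIR: *"\(.*\)"$/\1/p'
}

# engine_preflight VERSION_E_OUTPUT OVERRIDE MODULE_DIR MODULE
#   VERSION_E_OUTPUT  text printed by `openssl version -e`
#   OVERRIDE          value of OPENSSL_ENGINES ("" when unset)
#   MODULE_DIR        directory the build or install put the module in
#   MODULE            module file name
# Prints one diagnosis word and returns 0 only when the directory
# openssl searches is the one that holds MODULE.
engine_preflight() {
    compiled=$(printf '%s\n' "$1" | enginesdir_from_output)
    # OPENSSL_ENGINES, when set, replaces the compiled-in directory.
    search=${2:-$compiled}
    if [ -z "$search" ]; then
        echo "unknown-enginesdir"
        return 2
    fi
    if [ -f "$search/$4" ]; then
        echo "ok"
        return 0
    fi
    if [ -f "$3/$4" ]; then
        # The module exists, but not where openssl will look for it:
        # set OPENSSL_ENGINES to MODULE_DIR or install into $search.
        echo "mismatch"
        return 1
    fi
    echo "missing"
    return 1
}

# Use against the live system (assumed module directory and name):
#   engine_preflight "$(openssl version -e)" "${OPENSSL_ENGINES:-}" ./.libs chil.so
```

A `mismatch` result corresponds to the situation in the opening post, where the module landed in a directory other than the one the OpenSSL build searches.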