Open DeoMortis opened 4 years ago
I rebuilt it just now and tried it with the `openssl engine` command, using the system-installed OpenSSL:
```
: ; openssl version
OpenSSL 1.1.1c  28 May 2019
: ; OPENSSL_ENGINES=./.libs openssl engine -c -t -vvvv chil
(chil) CHIL hardware engine support
 [RSA, DH, RAND]
     [ unavailable ]
     SO_PATH: Specifies the path to the 'hwcrhk' shared library
          (input flags): STRING
     FORK_CHECK: Turns fork() checking on (non-zero) or off (zero)
          (input flags): NUMERIC
     THREAD_LOCKING: Turns thread-safe locking on (zero) or off (non-zero)
          (input flags): NUMERIC
     SET_USER_INTERFACE: Set the global user interface (internal)
          (input flags): [Internal]
     SET_CALLBACK_DATA: Set the global user interface extra data (internal)
          (input flags): [Internal]
```
What did you try that gave you a segfault?

(Note that you don't have to install the engine to try it; all you need is to set the environment variable `OPENSSL_ENGINES` to point at the directory where it resides.)
BTW hwcrhk's functions are now fully thread safe (since v12.40) so you may need to do less locking from chil.
You don't actually have to install the engine to get it to work:
```
$ OPENSSL_ENGINES=.libs LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk /usr/bin/openssl speed -seconds 10 -elapsed -engine chil rsa2048
engine "chil" set.
You have chosen to measure elapsed time instead of user CPU time.
Doing 2048 bits private rsa's for 10s: 231 2048 bits private RSA's in 10.04s
Doing 2048 bits public rsa's for 10s: 231 2048 bits public RSA's in 10.04s
OpenSSL 1.1.1c  28 May 2019
built on: Thu May 30 15:27:48 2019 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-of5rlU/openssl-1.1.1c=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.043463s 0.043463s     23.0     23.0
```
Which shows it working fine (ignore the speed; I'm not actually using a real HSM with accelerator chips).

Doing an actual signature using an embed key:
```
$ OPENSSL_ENGINES=.libs LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk /usr/bin/openssl dgst -engine chil -sign embedkey -sha256 -out README.md.sig README.md
engine "chil" set.
$ OPENSSL_ENGINES=.libs LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk /usr/bin/openssl rsa -in embedkey -out embedkey.pub -pubout -engine chil
$ openssl dgst -signature README.md.sig -verify embedkey.pub README.md
Verified OK
```
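An added helper script (not part of this thread or the engine project) that checks the two things the thread turns on: which of the `engines-1.1` / `engines` directories actually holds the built `chil.so`, and whether `openssl engine -t` reports it as available once `OPENSSL_ENGINES` points there. The library directory, engine name and the `engine_status` parsing of the `[ available ]` / `[ unavailable ]` marker are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Locates a built OpenSSL engine .so and
# interprets `openssl engine -t` output so a misplaced engine directory is
# reported before any signing is attempted.

# find_engine_dir LIBDIR NAME: print the directory containing NAME.so.
# The OpenSSL 1.1 layout (engines-1.1) is preferred over the legacy one
# (engines), which is where the thread's build dropped the library.
find_engine_dir() {
    libdir=$1; name=$2
    for sub in engines-1.1 engines; do
        if [ -f "$libdir/$sub/$name.so" ]; then
            printf '%s\n' "$libdir/$sub"
            return 0
        fi
    done
    return 1
}

# engine_status TEXT: reduce the multi-line `openssl engine -t` output to
# one word, based on the status marker OpenSSL prints under the engine name.
engine_status() {
    case $1 in
        *"[ available ]"*)   echo available ;;
        *"[ unavailable ]"*) echo unavailable ;;
        *)                   echo unknown ;;
    esac
}

# check_engine LIBDIR NAME: run the real probe with OPENSSL_ENGINES pointed
# at the directory found above (assumes an openssl binary on PATH).
check_engine() {
    dir=$(find_engine_dir "$1" "$2") || { echo "no $2.so under $1" >&2; return 1; }
    out=$(OPENSSL_ENGINES=$dir openssl engine -t "$2" 2>&1)
    engine_status "$out"
}
```

`check_engine /usr/local/lib chil` prints `unavailable` for the listing shown above, so a reported `available` is the signal that the `hwcrhk` library was found and initialised.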
Hi. I was wondering if this engine is compatible with OpenSSL 1.1.1? I compiled it successfully using the `--with-openssl` configuration option together with OpenSSL 1.1.1c. However, the library files produced are in the folder `../lib/engines` instead of what I'd expect, `../lib/engines-1.1/`. If I try to use them anyway, I get a segmentation fault.