
Author Topic: OpenSSL version  (Read 769 times)

Tz

  • New Member
  • *
  • Posts: 40
  • Tz with FPC Pen Cil
OpenSSL version
« on: August 12, 2019, 06:18:26 pm »
It looks like our openssl.pas version hasn't been updated yet

https://www.openssl.org/news/changelog.html

  { ADD NEW ONES WHEN THEY APPEAR!
    Always make .so/dylib first, then versions, in descending order!
    Add "." .before the version, first is always just "" }
  DLLVersions: array[1..16] of string = ('', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3',
                                        '.1.0.2', '.1.0.1','.1.0.0','.0.9.8',
                                        '.0.9.7', '.0.9.6', '.0.9.5', '.0.9.4',
                                        '.0.9.3', '.0.9.2', '.0.9.1');

while some OSes have their own naming:

FreeBSD
FreeBSD bsd 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC  amd64

/usr/lib
-r--r--r--  1 root  wheel  4395354 Dec  7  2018 libssl.a
lrwxr-xr-x  1 root  wheel       13 Dec  7  2018 libssl.so -> libssl.so.111
-r--r--r--  1 root  wheel   604936 Dec  7  2018 libssl.so.111
-r--r--r--  1 root  wheel  4502998 Dec  7  2018 libssl_p.a
-r--r--r--  1 root  wheel  15543118 Dec  7  2018 libcrypto.a
lrwxr-xr-x  1 root  wheel        26 Dec  7  2018 libcrypto.so -> ../../lib/libcrypto.so.111
-r--r--r--  1 root  wheel  16188388 Dec  7  2018 libcrypto_p.a


Red Hat 8.0
Linux localhost.localdomain 4.18.0-32.el8.x86_64 #1 SMP Sat Oct 27 19:26:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

/usr/lib64
lrwxrwxrwx. 1 root root     15 Oct 15  2018 libssl.so.1.1 -> libssl.so.1.1.1
-rwxr-xr-x. 1 root root 629160 Oct 15  2018 libssl.so.1.1.1
lrwxrwxrwx. 1 root root      18 Oct 15  2018 libcrypto.so.1.1 -> libcrypto.so.1.1.1
-rwxr-xr-x. 1 root root 3290624 Oct 15  2018 libcrypto.so.1.1.1


Red Hat 7.7
Linux localhost.localdomain 3.10.0-1062.el7.x86_64 #1 SMP Thu Jul 18 20:25:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
/usr/lib64
-rwxr-xr-x. 1 root root 370584 Jun  6 22:53 libssl3.so
lrwxrwxrwx. 1 root root     16 Aug 12 22:28 libssl.so.10 -> libssl.so.1.0.2k
-rwxr-xr-x. 1 root root 470360 Apr  9 18:47 libssl.so.1.0.2k
lrwxrwxrwx. 1 root root      19 Aug 12 22:28 libcrypto.so.10 -> libcrypto.so.1.0.2k
-rwxr-xr-x. 1 root root 2521008 Apr  9 18:47 libcrypto.so.1.0.2k

CentOS 8.0 is, as of today, still not available; it must be the same as Red Hat 8.0.

CentOS 7.6
Linux localhost.localdomain 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
/usr/lib64
-rwxr-xr-x. 1 root root 340976 Sep 27 2018 libssl3.so
lrwxrwxrwx. 1 root root     16 Agu 12 21:25 libssl.so.10 -> libssl.so.1.0.2k
-rwxr-xr-x. 1 root root 470360 Okt 31 2018 libssl.so.1.0.2k
lrwxrwxrwx. 1 root root      19 Agu 12 21:25 libcrypto.so.10 -> libcrypto.so.1.0.2k
-rwxr-xr-x. 1 root root 2513000 Okt 31 2018 libcrypto.so.1.0.2k

Creating symbolic links can solve it:
ln -s libssl.so.1.0.2k libssl.so.1.0.2
ln -s libcrypto.so.1.0.2k libcrypto.so.1.0.2


Ubuntu 18.04.3 LTS
Linux me 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

/usr/lib/x86_64-linux-gnu
-rw-r--r-- 1 root root 328128 Jul 12 19:16 libssl3.so
-rw-r--r-- 1 root root 426232 Feb 27 02:46 libssl.so.1.0.0
-rw-r--r-- 1 root root 577312 Jun 21 00:36 libssl.so.1.1
-rw-r--r-- 1 root root 2357760 Feb 27 02:46 libcrypto.so.1.0.0
-rw-r--r-- 1 root root 2917216 Jun 21 00:36 libcrypto.so.1.1

On Ubuntu, .so.1.0.0 is actually version 1.0.2.


Raspberry Pi
2019-07-10-raspbian-buster-lite.img
Linux raspberrypi 4.19.57+ #1244 Thu Jul 4 18:42:50 BST 2019 armv6l GNU/Linux

/usr/lib/arm-linux-gnueabihf
-rw-r--r-- 1 root root 454924 May 30 22:27 libssl.so.1.1
-rw-r--r-- 1 root root 2081180 May 30 22:27 libcrypto.so.1.1


It's better to update it like this:

  DLLVersions: array[1..16] of string = ('', '.1.1', '.10', '.1.1.1', '.1.1.0',
                                        '.1.0.2', '.1.0.1','.1.0.0','.0.9.8',
                                        '.0.9.7', '.0.9.6', '.0.9.5', '.0.9.4',
                                        '.0.9.3', '.0.9.2', '.0.9.1');

version := OpenSSLGetVersion(0);  // from 1.1.0
if version = '' then
   version := SSLeay_version(0);  // 1.0.2 and below

if version < '1.1.0' then         // version string reported by the library itself
begin
   // still need load
end;


Is there someone who can make our lives younger?
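As an added example (not from the post and not FPC's openssl.pas), the same descending probe order in Python via ctypes, with a fake loader constructed from the RHEL 7 and Ubuntu 18.04 listings above to show what the old and the updated suffix lists each pick, and the OpenSSL_version / SSLeay_version fallback the post proposes. The '.3' suffix for OpenSSL 3.x is an addition beyond the 2019 list, and since both version calls live in libcrypto the real probe at the end asks that library.

```python
import ctypes
import re
# Suffixes in the descending order the FPC loader probes. OLD is the head of the
# list quoted above; NEW adds '.1.1', '.10' and '.111' from the listings above,
# plus '.3' for OpenSSL 3.x, which post-dates the thread.
OLD_SUFFIXES = ["", ".1.0.6", ".1.0.5", ".1.0.4", ".1.0.3", ".1.0.2", ".1.0.1", ".1.0.0"]
NEW_SUFFIXES = ["", ".3", ".1.1", ".111", ".10", ".1.1.1", ".1.1.0", ".1.0.2", ".1.0.0"]

def candidate_names(base, suffixes, ext=".so"):
    """Expand 'libssl' into ['libssl.so', 'libssl.so.3', ...] in probe order."""
    return [base + ext + s for s in suffixes]

def probe(base, suffixes, loader=ctypes.CDLL):
    """(name, handle) of the first candidate that loads, else (None, None).
    'loader' defaults to ctypes.CDLL (dlopen by name, as openssl.pas does)."""
    for name in candidate_names(base, suffixes):
        try:
            return name, loader(name)
        except OSError:
            pass
    return None, None

def fake_loader(present):
    """Constructed stand-in for dlopen: succeeds only for names in 'present'."""
    def load(name):
        if name in present:
            return name
        raise OSError(name)
    return load

def library_version(lib):
    """Version string the library reports about itself: OpenSSL_version (1.1.0+)
    first, then SSLeay_version (1.0.2 and older); both are exported by libcrypto."""
    for sym in ("OpenSSL_version", "SSLeay_version"):
        fn = getattr(lib, sym, None)
        if fn is not None:
            fn.restype, fn.argtypes = ctypes.c_char_p, [ctypes.c_int]
            return fn(0).decode()
    return ""

def parse_version(text):
    """'OpenSSL 1.0.2k  26 Jan 2017' -> (1, 0, 2); anything else -> None."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

if __name__ == "__main__":
    layouts = {"RHEL 7": {"libssl.so.10", "libssl.so.1.0.2k"},
               "Ubuntu 18.04": {"libssl.so.1.0.0", "libssl.so.1.1"}}
    for label, files in layouts.items():
        print(label, "old list:", probe("libssl", OLD_SUFFIXES, fake_loader(files))[0],
              "new list:", probe("libssl", NEW_SUFFIXES, fake_loader(files))[0])
    name, lib = probe("libcrypto", NEW_SUFFIXES)  # real dlopen on this machine
    if lib is not None:
        print("local:", name, "->", parse_version(library_version(lib)))
```

With the old list RHEL 7 loads nothing at all, while Ubuntu 18.04 silently gets libssl.so.1.0.0 even though libssl.so.1.1 is installed; the updated order fixes both.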


han

  • Jr. Member
  • **
  • Posts: 58
Re: OpenSSL version
« Reply #1 on: August 20, 2019, 04:00:19 pm »
I think this could be my problem under Debian Buster for the Pi3/4. It has OpenSSL 1.1.1c

I get the following runtime error for LNet v0.66:

"Unable to initialize OpenSSL library, please check your openSSL installation"

Same for xubuntu with OpenSSL 1.1.1b

Does anyone have instructions on how to fix this?

Han


« Last Edit: August 20, 2019, 04:20:05 pm by han »

trev

  • Full Member
  • ***
  • Posts: 185
Re: OpenSSL version
« Reply #2 on: August 20, 2019, 04:33:55 pm »
I had the same issue under FreeBSD. A Linux user suggested I should upgrade to FPC 3.3.1, which I did, and then I only needed to add the OpenSSLSockets unit to the project and SSL worked :)
o Lazarus v2.1.0 r61775, FPC v3.3.1 r42640, macOS 10.14.6 (with sup update), Xcode 10.3
o Lazarus v2.1.0 r61574, FPC v3.3.1 r42318, FreeBSD 12.0 (Parallels VM)
o Lazarus v2.1.0 r61574, FPC v3.0.4, Ubuntu 18.04 (Parallels VM)

k1ng

  • New Member
  • *
  • Posts: 36
Re: OpenSSL version
« Reply #3 on: August 20, 2019, 04:44:46 pm »
The issue might be that FPC 3.0.x only supports OpenSSL 1.0.2 due to outdated SSL headers. (In 1.1.x they changed a lot of library names, which causes failures on loading OpenSSL.)
But all distros moved to OpenSSL 1.1.x with their newest version. So you should try FPC 3.2+ :)
A very easy way is with fpcupdeluxe ;D

bonmario

  • Sr. Member
  • ****
  • Posts: 294
Re: OpenSSL version
« Reply #4 on: August 20, 2019, 06:07:56 pm »

han

  • Jr. Member
  • **
  • Posts: 58
Re: OpenSSL version
« Reply #5 on: August 23, 2019, 09:04:20 pm »
As suggested in the other post, I have downloaded FPC 3.3 from

ftp://ftp.freepascal.org/pub/fpc/snapshot/v33/

Installed it somewhere in my /home. Set the FPC path in Lazarus to the new compiler 3.3, but somehow the compiler is not used. If I switch between FPC 3.04 and 3.3, the compiled file has the same size??? The compiled program is also reporting FPC 3.0.4. Why is FPC 3.3 not used? I also couldn't find the source files.

Nevertheless, after installing Lazarus 2.0.4 the OpenSSL problem was fixed with compiler 3.0.4. :)


han

  • Jr. Member
  • **
  • Posts: 58
Re: OpenSSL version
« Reply #6 on: August 24, 2019, 12:00:25 pm »
Well, it worked for Xubuntu but not for Raspbian Buster. There I get a new error:

Error creating SSL CTX: SSLCTXNew

I got a suggestion: The issue is the new entry point in the ssl library is TLS_method instead of SSLv23_method.

I'm using LNET v0.66 for the TCP/IP communication. Does anybody have an idea how to fix this next problem :(


Later:  I have some success with LNET forcing the method SSLmethodTLSv1, but I think I have to upgrade FPC including OpenSSL.pas......
« Last Edit: August 24, 2019, 02:37:32 pm by han »

han

  • Jr. Member
  • **
  • Posts: 58
Re: OpenSSL version
« Reply #7 on: August 25, 2019, 06:55:25 pm »
FPC 3.3.1 (thanks FPCUPdeluxe) doesn't solve the problem.

It looks like LNET v0.66 is outdated. I can force TLS 1.0 as indicated below in lnetssl.pas. This works, but not for all webpages. I assume I need TLS 1.2 or 1.3. But those protocols are not supported by LNET v0.66. But updating LNET is out of reach for me.

See: https://en.wikipedia.org/wiki/Transport_Layer_Security


I posted a new message about LNET at
https://forum.lazarus.freepascal.org/index.php/topic,46527.0.html

Code:
//  FSSLContext := SSLCTXNew(aMethod);
//  if not Assigned(FSSLContext) then
//    raise Exception.Create('Error creating SSL CTX: SSLCTXNew');

  {new}
  FSSLContext := SSLCTXNew(SslMethodTLSV1);{try TLS 1}
  if not Assigned(FSSLContext) then
  begin
    FSSLContext := SSLCTXNew(SslMethodV23); {try SSL 2 or 3}
    if not Assigned(FSSLContext) then
      raise Exception.Create('Error creating SSL CTX: SSLCTXNew');
  end;
  {new}

« Last Edit: August 25, 2019, 07:10:43 pm by han »
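As an added example (not han's code and not LNet's), what a binding can do instead of pinning TLS 1.0: resolve TLS_method on 1.1.0+ and fall back to SSLv23_method on 1.0.2 (both negotiate the highest common version; the symbol was only renamed), then set a TLS 1.2 floor through SSL_CTX_ctrl, since the set_min_proto_version wrapper is a C macro that a dynamic loader cannot dlsym. Python ctypes stands in for openssl.pas's dynamic loading here, and the control code and version constant are copied from ssl.h.

```python
import ctypes
import ctypes.util

# Control code and version number copied from OpenSSL's ssl.h; the
# SSL_CTX_set_min_proto_version() wrapper is a macro over SSL_CTX_ctrl,
# so a dynamic binding has to issue the ctrl itself.
SSL_CTRL_SET_MIN_PROTO_VERSION = 123
TLS1_2_VERSION = 0x0303

def choose_method(lib):
    """Negotiating method the library exports: TLS_method on 1.1.0+,
    SSLv23_method on 1.0.2 (same behaviour, older name), else None."""
    for sym in ("TLS_method", "SSLv23_method"):
        if getattr(lib, sym, None) is not None:
            return sym
    return None

def new_context(lib, min_version=TLS1_2_VERSION):
    """Create an SSL_CTX that negotiates the highest common version but
    refuses anything below min_version. Returns (ctx, method_name, floor_set).
    No explicit library init is needed on 1.1.0+; SSL_CTX_new does it."""
    sym = choose_method(lib)
    if sym is None:
        raise RuntimeError("neither TLS_method nor SSLv23_method is exported")
    method = getattr(lib, sym)
    method.restype = ctypes.c_void_p
    lib.SSL_CTX_new.restype, lib.SSL_CTX_new.argtypes = ctypes.c_void_p, [ctypes.c_void_p]
    ctx = lib.SSL_CTX_new(method())
    if not ctx:
        raise RuntimeError("SSL_CTX_new failed")
    lib.SSL_CTX_ctrl.restype = ctypes.c_long
    lib.SSL_CTX_ctrl.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_long, ctypes.c_void_p]
    # 1.0.2 does not know this ctrl and returns 0; report that rather than
    # silently running with no floor (1.0.2 would need SSL_OP_NO_* options instead).
    floor_set = bool(lib.SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, min_version, None))
    return ctx, sym, floor_set

if __name__ == "__main__":
    path = ctypes.util.find_library("ssl")  # e.g. libssl.so.3 or libssl.so.1.1
    if path is None:
        raise SystemExit("no libssl found by the dynamic linker")
    lib = ctypes.CDLL(path)
    ctx, sym, floor_set = new_context(lib)
    print("method:", sym, "| TLS 1.2 floor set:", floor_set)
    lib.SSL_CTX_free.argtypes = [ctypes.c_void_p]
    lib.SSL_CTX_free(ctx)
```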

Tz

  • New Member
  • *
  • Posts: 40
  • Tz with FPC Pen Cil
Re: OpenSSL version
« Reply #8 on: August 25, 2019, 09:11:00 pm »
The new OpenSSL version comes with good news and bad news.

Good news: we don't need to init again, and it adds some security features such as TLS 1.3.
Bad news: some API changes for create and destroy, like:
init -> new
cleanup -> free

Example here: I updated from trunk, and added

function EVP_CIPHER_CTX_new: PEVP_CIPHER_CTX;
procedure EVP_CIPHER_CTX_free(ctx :PEVP_CIPHER_CTX);

and some functions:

function RSA_get0_n(const d :PRSA) :PBIGNUM;
function RSA_get0_e(const d :PRSA) :PBIGNUM;
function RSA_get_version(r :PRSA) :cint;
function EVP_PKEY_new_mac_key(type_: cint; e: PENGINE; key: PByte; keylen :cint): PEVP_PKEY;
function BN_bn2hex(const a:PBIGNUM):PChar;

Attached: openssl.txt, zcrypto.txt

Test code:

Code: Pascal
{$MODE OBJFPC}
{$H+}
program TestCrypto;

uses SysUtils, zCrypto;

var
   sha1, sha2, sha3  :TDigest;
   des, aes          :TCipher;
   rsa               :TRsa;
   plaindata,
   encrypted,
   decrypted,
   key, iv, hmac,
   a, b, c           :TCryptoBytes;
   tls               :TTls;

begin

   // https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program

   WriteLn(TEngine.Version);
   WriteLn;

   a := TRandom.Generate(16);
   b := TRandom.Generate(16);

   WriteLn('a           : ', a.ToHexString);
   WriteLn('b           : ', b.ToHexString);

   c := a.XorWith(b);
   WriteLn('a xor b     : ', c.ToHexString);
   c := a.OrWith(b);
   WriteLn('a  or b     : ', c.ToHexString);
   c := a.AndWith(b);
   WriteLn('a and b     : ', c.ToHexString);

   WriteLn;

   // test short message len 0
   sha1 := TDigest.Create('sha1');        // MD = da39a3ee5e6b4b0d3255bfef95601890afd80709
   sha2 := TDigest.Create('sha256');      // MD = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
   sha3 := TDigest.Create('sha3-512');    // MD = a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26

   WriteLn('digest');

   WriteLn('sha1        : ', sha1.Digest(BytesOf('')).ToHexString);
   WriteLn('sha2        : ', sha2.Digest(BytesOf('')).ToHexString);
   WriteLn('sha3        : ', sha3.Digest(BytesOf('')).ToHexString);

{
   // https://tools.ietf.org/html/rfc2202 sha1
   test_case =     1
   key =           0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
   key_len =       20
   data =          "Hi There"
   data_len =      8
   digest =        0xb617318655057264e28bc0b6fb378c8ef146be00
}
   plaindata   := BytesOf('Hi There');
   key         := BytesOf(#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b#$0b);

   hmac := sha1.Sign(plaindata, key);
   WriteLn;
   WriteLn('sha1 sign   : ', hmac.ToHexString);
   WriteLn('sha1 verify : ', sha1.Verify(plaindata, key, hmac));

{
   https://tools.ietf.org/html/rfc4231
   Key =          0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
                  0b0b0b0b                          (20 bytes)
   Data =         4869205468657265                  ("Hi There")
   HMAC-SHA-256 = b0344c61d8db38535ca8afceaf0bf12b
                  881dc200c9833da726e9376c2e32cff7
}
   hmac := sha2.Sign(plaindata, key);
   WriteLn;
   WriteLn('sha2 sign   : ', hmac.ToHexString);
   WriteLn('sha2 verify : ', sha2.Verify(plaindata, key, hmac));

// test vector ????
   hmac := sha3.Sign(plaindata, key);
   WriteLn;
   WriteLn('sha3 sign   : ', hmac.ToHexString);
   WriteLn('sha3 verify : ', sha3.Verify(plaindata, key, hmac));


   des := TCipher.Create('des-ede3-cbc');
{
   COUNT = 0
   KEY1 = 46133dcbf232b519
   KEY2 = 64e0d95e83208f15
   KEY3 = 6732bf75b673abf1
   IV = 34814c87f47fd59d
   PLAINTEXT = de655a0ea771436c
   CIPHERTEXT = 092368405296744a
}
   key         := BytesOf(#$46#$13#$3d#$cb#$f2#$32#$b5#$19#$64#$e0#$d9#$5e#$83#$20#$8f#$15#$67#$32#$bf#$75#$b6#$73#$ab#$f1);
   iv          := BytesOf(#$34#$81#$4c#$87#$f4#$7f#$d5#$9d);
   plaindata   := BytesOf(#$de#$65#$5a#$0e#$a7#$71#$43#$6c);
   encrypted   := des.Encrypt(plaindata, key, iv);
   decrypted   := des.Decrypt(encrypted, key, iv);

   WriteLn;
   WriteLn('des');
   WriteLn('key         : ', key.ToHexString);
   WriteLn('iv          : ', iv.ToHexString);
   WriteLn('kcv         : ', des.GetCheckValue(key).ToHexString);
   WriteLn('plaindata   : ', plaindata.ToHexString);
   WriteLn('encrypted   : ', encrypted.ToHexString);
   WriteLn('decrypted   : ', decrypted.ToHexString);

   aes := TCipher.Create('aes-256-cbc');
{
   COUNT = 0
   KEY = 6ed76d2d97c69fd1339589523931f2a6cff554b15f738f21ec72dd97a7330907
   IV = 851e8764776e6796aab722dbb644ace8
   PLAINTEXT = 6282b8c05c5c1530b97d4816ca434762
   CIPHERTEXT = 6acc04142e100a65f51b97adf5172c41
}
   key         := BytesOf(#$6e#$d7#$6d#$2d#$97#$c6#$9f#$d1#$33#$95#$89#$52#$39#$31#$f2#$a6#$cf#$f5#$54#$b1#$5f#$73#$8f#$21#$ec#$72#$dd#$97#$a7#$33#$09#$07);
   iv          := BytesOf(#$85#$1e#$87#$64#$77#$6e#$67#$96#$aa#$b7#$22#$db#$b6#$44#$ac#$e8);
   plaindata   := BytesOf(#$62#$82#$b8#$c0#$5c#$5c#$15#$30#$b9#$7d#$48#$16#$ca#$43#$47#$62);
   encrypted   := aes.Encrypt(plaindata, key, iv);
   decrypted   := aes.Decrypt(encrypted, key, iv);

   WriteLn;
   WriteLn('aes');
   WriteLn('key         : ', key.ToHexString);
   WriteLn('iv          : ', iv.ToHexString);
   WriteLn('kcv         : ', aes.GetCheckValue(key).ToHexString);
   WriteLn('plaindata   : ', plaindata.ToHexString);
   WriteLn('encrypted   : ', encrypted.ToHexString);
   WriteLn('decrypted   : ', decrypted.ToHexString);


   rsa := TRsa.Create(2048, $010001);

   if rsa.GenerateKeyPair then
   begin

      WriteLn;
      WriteLn('version     : ', rsa.GetVersion);
      WriteLn('modulus     : ', rsa.GetModulus);
      WriteLn('exponent    : ', rsa.GetExponent);
      WriteLn('public key  : ', rsa.GetPublicKey.ToHexString);

      plaindata := BytesOf('Hello');
      encrypted := rsa.PublicEncrypt   (plaindata);
      decrypted := rsa.PrivateDecrypt  (encrypted);

      WriteLn;
      WriteLn('public encrypt private decrypt');
      WriteLn('plaindata   : ', plaindata.ToHexString);
      WriteLn('encrypted   : ', encrypted.ToHexString);
      WriteLn('decrypted   : ', decrypted.ToHexString);

      plaindata := BytesOf('Hello');
      encrypted := rsa.PrivateEncrypt  (plaindata);
      decrypted := rsa.PublicDecrypt   (encrypted);

      WriteLn;
      WriteLn('private encrypt public decrypt');
      WriteLn('plaindata   : ', plaindata.ToHexString);
      WriteLn('encrypted   : ', encrypted.ToHexString);
      WriteLn('decrypted   : ', decrypted.ToHexString);

   end;

   // TLS
   tls := TTls.Create;

   WriteLn;
   WriteLn('tls');
   WriteLn('tls version : ', tls.Version);
   WriteLn('tls cipher  : ', tls.GetCipherName);

   tls.Free;

   sha3.Free;
   sha2.Free;
   sha1.Free;

   des.Free;
   aes.Free;
   rsa.Free;
end.

Under Ubuntu:

OpenSSL 1.1.1  11 Sep 2018

... too long

tls
tls version : TLSv1.3
tls cipher  : (NONE)

@han, try it first; if it works, then try changing openssl.txt to lopenssl.pas for LNet.

Hope it works.


han

  • Jr. Member
  • **
  • Posts: 58
Re: OpenSSL version
« Reply #9 on: August 26, 2019, 11:22:47 pm »
Tz,

I got your program running and it is reporting TLS 1.3.  I also installed the latest LNET v0.66 with 2019 patches from Github.

I replaced the lopenssl.pas with your unit but no success.

Error message in Lubuntu 19.4:

Unable to initialize OpenSSL library, please check your OpenSSL installation.

I'm using FPC 3.2 downloaded via SVN.

Highly frustrating.  :(
« Last Edit: August 26, 2019, 11:28:06 pm by han »

dbannon

  • Hero Member
  • *****
  • Posts: 644
    • tomboy-ng, a rewrite of the classic Tomboy
Re: OpenSSL version
« Reply #10 on: August 27, 2019, 02:28:02 am »
Han, did you see this thread?

https://forum.lazarus.freepascal.org/index.php/topic,39206.msg318360.html

There are, I suspect, several issues going on here. The change in openSSL is one, an issue with GET not following all the redirects it should may be another.

I am using 3.0.4 and was planning to try trunk, but it seems your experience says that's not going to help.

Sigh ...

Davo
Lazarus 2, Linux (and reluctantly Win10, OSX)
My Project - https://github.com/tomboy-notes/tomboy-ng

Tz

  • New Member
  • *
  • Posts: 40
  • Tz with FPC Pen Cil
Re: OpenSSL version
« Reply #11 on: August 27, 2019, 05:15:27 am »

@han, it seems your error is in lnetssl.pp.

Make sure which one it uses, lopenssl or openssl:

  {$ifndef VER3}
  lOpenSSL,
  {$else}
  OpenSSL,
  {$endif}


procedure TLSSLSession.CreateSSLContext;
var
  aMethod: PSSL_METHOD;
begin
  if not IsSSLloaded then  // You should initialize openssl first
    raise Exception.Create('Unable to initialize OpenSSL library, please check your OpenSSL installation');


Call InitSSLInterface once.

han

  • Jr. Member
  • **
  • Posts: 58
Re: OpenSSL version
« Reply #12 on: August 27, 2019, 08:24:21 pm »