compiling openssl shared library

OpenSSL version 1.0.0i that came with Sitara SDK v05.06.00 is broken. I need to compile the latest version of OpenSSL in shared mode. Can someone point me to how the shared library was created in the SDK, so that I could replicate it with the newest version of OpenSSL?

Thanks in advance,

PSD

  • PSD,

    Can you describe what is broken? If you can let us know what is broken, we can try to address this by upgrading or patching it.

    SDK comes with a cross compiler toolchain, see the below link on cross compiling libraries.

    http://processors.wiki.ti.com/index.php/Sitara_Linux_SDK_GCC_Toolchain#Cross-Compiled_Libraries

    You will need to download the required sources from OpenSSL and cross compile.

    Regards, Joel

  • Hi Joel,

    Thanks for looking into this issue. Here's the problem. I have compiled two different applications with the OpenSSL shared object given in the SDK. One is OpenVPN and another is Python. When I initiate an SSL connection with either of the two apps with a remote machine, the remote side always complains that the HMAC authentication failed. It looks like the HMAC signature does not match the actual HMAC of the payload. The following are the messages that I see in OpenVPN and Python on the remote side.

    OpenVPN: Sat Feb 16 11:03:35 2013 Authenticate/Decrypt packet error: packet HMAC authentication failed

    Python: ssl.SSLError: [Errno 1] _ssl.c:504: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

    I have already cross compiled latest version of OpenSSL and recompiled OpenVPN and Python with it, and I don't see these errors. My only problem is that I was only able to compile static libraries. OpenSSL has a "./config shared" option, as shown in its INSTALL file, to compile shared libraries, but one needs to run the command on the actual machine where it needs to be compiled. This script looks for various machine-related options available to generate relevant compile flags. Since we are compiling in a cross environment, it's not possible to use this option. I need a Makefile or some information on the flags to use to compile a shared object.

    Another evidence for broken version of OpenSSL in a previous SDK is shown here: http://e2e.ti.com/support/arm/sitara_arm/f/791/p/216077/815556.aspx

    Thanks,

    PSD

  • "I have already cross compiled latest version of OpenSSL and recompiled OpenVPN and Python"

    Can you explain how you cross compiled these pieces of software? We have a toolchain and an environment-setup file in our SDK that is for cross compiling software. Is that what you are using? This is talked about briefly in this training: http://processors.wiki.ti.com/index.php/Sitara_Linux_Training:_Hands_on_with_the_SDK#Using_the_Built-in_GCC_Toolchain. Are you following similar steps or are you cross compiling it in a different way?

  • The steps I used are similar to the guide you mentioned except for some OpenSSL tool chain related specific changes. This only compiles static libraries. 

    tar -xvzf openssl-1.0.1c.tar.gz
    cd openssl-1.0.1c
    mv Makefile Makefile_old
    python ../CrossCompileOpenSSL.py Makefile_old `pwd`/arago_target # this script modifies the target location for CC, RANLIB, etc. to point to arm-arago-linux-gnueabi-
    source ~/ti-sdk-am335x-evm-05.06.00.00/linux-devkit/environment-setup 
    make
    make install

    I need to compile a shared library object, since in my project multiple processes will use OpenSSL.

    To compile shared libraries, the OpenSSL build process has the following option, as mentioned in its INSTALL file:

    tar -xvzf openssl-1.0.1c.tar.gz
    cd openssl-1.0.1c
    ./config shared #this script checks for various system related  options available to add appropriate flags apart from -fPIC to compile proper shared library
    make
    make install

    In a cross-compile environment, I don't have the option to run "./config shared", as it checks the host machine's options and not those of the target for which we are trying to compile. Basically, OpenSSL does not support cross compilation out-of-box is my understanding. But since a shared object was available in the SDK, I thought maybe someone from TI would be able to help me out with compiling a shared object for the newer version of OpenSSL.

    Thanks,
    PSD 

  • Hi psd,

    I want you to try something and let me know if it works for you. Ignore everything openssl tells you and just follow the below steps.

    1. Start from scratch. Please delete your current openssl-1.0.1c directory and untar it again to get a completely clean directory.

    2. Second, download the file 2438.Configure.txt

    3. Rename that file from 2438.Configure.txt to Configure and use it to overwrite the Configure file located in the openssl-1.0.1c directory

    4. run "source ~/ti-sdk-am335x-evm-05.06.00.00/linux-devkit/environment-setup"

    5. run "./Configure  shared --prefix=/usr --openssldir=/usr/lib/ssl  linux-elf-arm"

    6. Let me know if it works.

  • Hello Franklin,

    First of all I would like to thank you for getting back to me so quickly. I was able to compile the OpenSSL shared library and also able to compile OpenVPN with that shared library with the configure script modifications that you gave me. But there is something wrong, since I get this message when I try to run the newly compiled OpenVPN on the target where the new shared libraries have been installed. 

    openvpn: symbol lookup error: /usr/lib/libssl.so.1.0.0: undefined symbol: EVP_aes_128_gcm

    Thanks,

    PSD

  • Hi;

    I was seeing a similar problem with both 5.05 and 5.07 of the sdk. With these instructions, the undefined symbol went away after I created a /etc/ld.so.conf file and ran ldconfig. This page http://processors.wiki.ti.com/index.php/Build_OpenSSL_for_Sitara has instructions that also worked for me, but those instructions did not create a shared file, just the openssl program.

    Note that I was using "apt-get source openssl" to fetch the openssl code instead of grabbing the tarball from the openssl page.

    As for "broken", neither 5.05 nor 5.07 could create a cert using something like "openssl req -new -x509 -nodes -out test.pem -days 1095" without deleting /dev/crypto first. And of course, while that entry is gone, you lose the hardware acceleration in the chip. In 5.05, you could see the delete in the generate certificate demo script, and that script would do a "mknod" to put it back before exiting.

    Jimmy
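
One way to check for the library mismatch that an `undefined symbol: EVP_aes_128_gcm` error points to, added here as an example and not written by any poster in this thread: compare what libssl imports against what a given libcrypto exports, using `nm -D` listings saved from the files installed on the target. It assumes the cause is an older libcrypto.so.1.0.0 being resolved ahead of the newly built one; the function name, the name filter and the sample listings are all constructed for illustration.

```shell
#!/bin/sh
# Added example: report symbols that libssl imports but a given libcrypto
# does not export, working from saved `nm -D` listings of the two files.

# Assumption: limit the check to OpenSSL-style names so that libc imports
# such as memcpy are not reported as missing from libcrypto.
OPENSSL_SYM_RE='^(EVP|HMAC|CRYPTO|BIO|X509|RSA)_'

# unresolved_syms <libssl listing> <libcrypto listing> [name regex]
# (hypothetical helper name)
unresolved_syms() {
    awk -v pat="${3:-$OPENSSL_SYM_RE}" '
        { sym = $NF; sub(/@.*/, "", sym) }      # drop any @VERSION suffix
        # libcrypto listing: "address TYPE name" is a definition
        FILENAME == ARGV[1] { if (NF == 3 && $2 != "U") have[sym] = 1; next }
        # libssl listing: "U name" is an import that must be satisfied
        NF == 2 && $1 == "U" && sym ~ pat && !(sym in have) { print sym }
    ' "$2" "$1" | sort -u
}

# Constructed listings (not taken from real binaries): a libssl that uses
# GCM, an older libcrypto without it, and a newer libcrypto with it.
write_samples() {
    cat > "$1/libssl.nm" <<'EOF'
                 U EVP_aes_128_cbc
                 U EVP_aes_128_gcm
                 U HMAC_Init_ex
                 U memcpy
0001a2b0 T SSL_connect
EOF
    cat > "$1/libcrypto_old.nm" <<'EOF'
0004c1d0 T EVP_aes_128_cbc
00051e40 T HMAC_Init_ex
EOF
    cat > "$1/libcrypto_new.nm" <<'EOF'
0004d2a0 T EVP_aes_128_cbc
0004d9f4 T EVP_aes_128_gcm
00052f10 T HMAC_Init_ex
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "old libcrypto lacks: $(unresolved_syms "$tmp/libssl.nm" "$tmp/libcrypto_old.nm")"
echo "new libcrypto lacks: $(unresolved_syms "$tmp/libssl.nm" "$tmp/libcrypto_new.nm")"
rm -rf "$tmp"
```

A non-empty result for the libcrypto that the loader actually picks up means an older copy is still on the search path, which also means the older library's code is what runs on the device.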

  • I am developing a system using am335x based on TISDK 7.0.

    I just found that the openssl in the SDK 7.0 is 1.0.1e, which contains the famous Heartbleed bug.

    Without upgrading to a newer SDK, I tried to cross-compile the latest openssl-1.0.2g.

    I copied the 2438.Configure.txt to replace the default Configure, and added the following line

    "linux-gnueabihf-arm","$ENV{'CC'}:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

    under the Linux on ARM section.

    However, when I tried to cross-compile the openssl, with the following command:

    ./Configure shared --prefix=${COMMON_ROOT}/openssl-1.0.2g/build --openssldir=openssl linux-gnueabihf-arm |  tee -a ${OPENSSL_LOG}
    
    make depend | tee -a ${OPENSSL_LOG} || (exit 1)
    make | tee -a ${OPENSSL_LOG} || (exit 1)
    
    

    I got the following error in the end:

    if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \
    		(cd ..; make libcrypto.so.1.0.0); \
    	fi
    make[2]: Entering directory `/home/jshao/Development/source/common/openssl-1.0.2g'
    [ -z "" ] || /home/jshao/Development/cross_compiler/linux-devkit/sysroots/i686-arago-linux/usr/bin/arm-linux-gnueabihf-gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Iinclude \
    		-DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso  \
    		fips_premain.c fipscanister.o \
    		libcrypto.a -ldl
    make[3]: Entering directory `/home/jshao/Development/source/common/openssl-1.0.2g'
    make[4]: Entering directory `/home/jshao/Development/source/common/openssl-1.0.2g'
    /home/jshao/Development/cross_compiler/linux-devkit/sysroots/i686-arago-linux/usr/bin/../lib/gcc/arm-linux-gnueabihf/4.7.3/../../../../arm-linux-gnueabihf/bin/ld: libcrypto.a(e_gost_err.o): relocation R_ARM_THM_MOVW_ABS_NC against `a local symbol' can not be used when making a shared object; recompile with -fPIC
    libcrypto.a(e_gost_err.o): could not read symbols: Bad value
    collect2: error: ld returned 1 exit status
    make[4]: *** [link_a.gnu] Error 1

    I am not sure how to resolve the issue. Any help will be greatly appreciated.

    Jing