Darwin + ARM7l binaries #362

Closed
drwetter opened this Issue May 26, 2016 · 26 comments

drwetter commented May 26, 2016

Hi,

can anybody (e.g. @jpluimers, @f-s) provide those?

I already did a set of Linux+FreeBSD binaries, see https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.Linux+FreeBSD.tar.gz . I used Peter's (@PeterMosmans) fork and snapshot it @
https://github.com/drwetter/openssl so that all binaries have the same code base.

Compile instructions: https://github.com/drwetter/testssl.sh/blob/master/bin/Readme.md. The fork I created from Peter's has IPv6 for all Unices already. Please also use `-DOPENSSL_USE_IPV6` while compiling. It (only) indicates that the binary should have IPv6 enabled.

The set of binaries which I prepared for a PR but not committed yet are stripped. The ones @ testssl.sh are not. Don't know how we can exchange binaries but it would be great if you could provide me with both stripped and not stripped binaries too.

For the sake of lightweightness/dealing with github I may not include @ github:

  • kerberos binaries
  • Linux.i386 (feedback requested)
  • Darwin.i386 (feedback for relevance requested)
  • Arm7l (feedback for relevance needed)

In any case I would provide them externally @ testssl.sh

Cheers, Dirk

References: #127, #164, #180 , #143

drwetter added this to the 2.7dev (2.8) milestone May 26, 2016

jpluimers commented May 27, 2016

Let me give it a go.

jpluimers commented May 29, 2016

See also https://gitter.im/drwetter/testssl.sh
Can you check the report and test outputs at https://gist.github.com/jpluimers/cf064f2893fd489f0f936097c11f794b

If they are OK:

  • where do you want me to put the binaries?
  • can you help me integrating my build-script into yours?

drwetter commented May 30, 2016

Hi Jeroen,

thx!

On 05/29/2016 at 08:53 PM, Jeroen Wiert Pluimers wrote:

> See also https://gitter.im/drwetter/testssl.sh
> Can you check the report and test outputs at
> https://gist.github.com/jpluimers/cf064f2893fd489f0f936097c11f794b

Hm... there's an error in "make report" which looks familiar to me.

Was that because of the GOST configure option?

It should go through w/o problems.

> If they are OK:
>
>   • where do you want me to put the binaries?

Pls just do a PR for each binary and I'll pick later.

As stated in this thread, we should take care that this repo doesn't
get more bloated because of the binaries.

My initial idea/suggestion was to exclude the ones mentioned earlier in this
thread and to provide them externally. (Feedback?)

BTW: Here I also think that stripped binaries should do it. It
saves ~10%. On https://testssl.sh I do not care and there I have
already for Linux+FreeBSD full blown binaries.

>   • can you help me integrating my build-script into yours?

Once we have a working binary on your side, sure.

Cheers, Dirk

Set from my mobile. Excuse my brevity&typos

jpluimers commented May 30, 2016

Found the make report thing back: it's at #164 (comment) (you have good memory!)

I'm not sure how I can do pull request for individual things. I recall that GitHub merges pull requests.

jpluimers commented May 30, 2016

And now I remember more from back then; here are the test results you did want to see: https://gist.github.com/jpluimers/ca0ed0f53c279aa87fc2ffd505d3fc8a

Everything is in my /tmp right now and I need to reboot soon.
Where can I dump them in the mean time?

drwetter commented May 30, 2016

On 05/30/2016 at 10:21 PM, Jeroen Wiert Pluimers wrote:

> And now I remember more from back then; here are the test results you did want to see:
> https://gist.github.com/jpluimers/ca0ed0f53c279aa87fc2ffd505d3fc8a
>
> Everything is in my /tmp right now and I need to reboot soon.
> Where can I dump them in the mean time?

df -k ;-)

Set from my mobile. Excuse my brevity&typos

jpluimers commented May 30, 2016

Yeah yeah (:

But I've no idea how to strip binaries and how to send separate pull requests, so I could use some help here.
Just ping me on skype (jpluimers) or G+ hangouts (https://plus.google.com/+JeroenPluimers) if you have time....

f-s commented May 31, 2016

@drwetter also did some work, please compare!

drwetter commented May 31, 2016

On 31 May 2016 08:52:10 CEST, f-s notifications@github.com wrote:

> @drwetter also did some work, please compare!

Yes, I noticed that with a big smile. Thanks! I need to work on it.

Sanity check:

Q: did make report go through w/o problems?

Q: how many ciphers does your binary list?

Q: do you have the output of `openssl version -a` handy?

Cheers, Dirk

Set from my mobile. Excuse my brevity&typos

jpluimers commented May 31, 2016

I salvaged the files, rebooted and restored them (long story short: too many Chrome Windows open which I need later, but since Chrome on any OS leaks memory like crazy the swap space was thrashing the SSD...). Now I am ready to "binary strip" if you explain me how.

jpluimers commented May 31, 2016

Found out how to use git in order to push binaries to a gist: these are the un-stripped versions: https://gist.github.com/jpluimers/9257ba6e27afea1b98376d9d4411c88c

and the stripped ones as well:

```
mv openssl.darwin-i386-cc openssl.Darwin.i386
mv openssl.darwin64-x86_64-cc openssl.Darwin.x86_64
strip openssl.Darwin.i386
strip openssl.Darwin.x86_64
git add openssl.Darwin.*
git commit -m "Darwin i386 and x86_64 renamed and stripped binaries #362 - https://github.com/drwetter/testssl.sh/issues/362"
git push
```

Wonderful!

f-s commented May 31, 2016

@drwetter regarding #370

> Q: did make report go through w/o problems?

no errors

> Q: how many ciphers does your binary list?

179 w/o Kerberos

> Q: do you have the output of `openssl version -a` handy?

```
OpenSSL 1.0.2-chacha (1.0.2i-dev)
built on: Tue May 31 06:25:34 2016
platform: linux-armv4
options:  bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: gcc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -static -DOPENSSL_USE_BUILD_DATE -DOPENSSL_USE_IPV6 -march=armv7-a -Wa,--noexecstack -O3 -Wall -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/ssl"
```

drwetter commented Jun 1, 2016

@jpluimers : thx.

There's a thing though which needs to be discussed.

Q: make report go through w/o problems?

Q: did you still configure with -DGOST_...* ?

@f-s and myself don't have those two ciphers:

--- dw  2016-06-01 14:32:24.456437996 +0200
+++ jp  2016-06-01 14:35:52.558249038 +0200
@@ -49,8 +49,10 @@
           0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
           0x00,0x3D - AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
           0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
+          0xFF,0x01 - GOST-GOST94             SSLv3 Kx=RSA      Au=RSA  Enc=GOST89(256) Mac=GOST94
           0x00,0xC0 - CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
           0x00,0x84 - CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
+          0xFF,0x00 - GOST-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=GOST89(256) Mac=MD5
           0x00,0x95 - RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
           0x00,0x8D - PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
           0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD

Unless it changed ( @PeterMosmans ?) those two will cause problems and probably also are the reason why make report failed.

Cheers, Dirk

jpluimers commented Jun 3, 2016

Hi @drwetter ,

The reports are unchanged at https://gist.github.com/jpluimers/cf064f2893fd489f0f936097c11f794b
I'm not sure what you regard as failed or not, as I don't have report files of other platforms.

GHOST is not enabled in my build script: https://gist.github.com/jpluimers/f4de3937630b87753133

I've no idea what is causing the different ciphers and since I'm pretty much a n00b here, I need some help figuring that out.

As I'm really busy during the week, I'm limited to little time in the weekends.

I can setup a TeamViewer setting somewhere Sunday morning. PM me on Skype, Twitter or Hangouts for that.

--jeroen

drwetter commented Jun 3, 2016

Hi Jeroen,

they failed because of `-DTEMP_GOST_TLS` -- for sure you have GOST enabled. :-)

At least on my platforms I have then a failure during make report. And IIRC that was the last time an issue as you helped compiling OSX binaries. The issue was with testing SSLv3 cipher list order: ....failed 300ff03 vs. 300cc13. FF03 is one of the GOST ciphers, see https://testssl.sh/openssl-rfc.mappping.html . CC13 is one of the old CHACHA/POLY ciphers. (what the conflict is -- can't recall).

I am pretty sure if you remove `-DTEMP_GOST_TLS` all is fine.

Sunday I am on the road, best is to DM me.

Cheers! Dirk
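
The sanity checks asked for in this thread (cipher count, no GOST ciphers in the list, IPv6 flag in the `compiler:` line) can be scripted. The following is an added example, not code from the thread's participants or from testssl.sh; the function names are hypothetical and the sample data is constructed from lines quoted above.

```shell
#!/bin/sh
# Added example: sanity checks for a contributed openssl binary.
# Function names are hypothetical; sample data is constructed from lines in this thread.
SAMPLE_CIPHERS='  0x00,0x3D - AES256-SHA256    TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
  0xFF,0x01 - GOST-GOST94      SSLv3 Kx=RSA Au=RSA Enc=GOST89(256) Mac=GOST94
  0x00,0x84 - CAMELLIA256-SHA  SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
  0xFF,0x00 - GOST-MD5         SSLv3 Kx=RSA Au=RSA Enc=GOST89(256) Mac=MD5'
SAMPLE_VERSION='OpenSSL 1.0.2-chacha (1.0.2i-dev)
platform: linux-armv4
compiler: gcc -I. -DZLIB -static -DOPENSSL_USE_IPV6 -march=armv7-a -O3 -Wall'

# Count cipher lines ("0xNN,0xNN - NAME ...", 3-byte SSLv2 codes included) on stdin.
count_ciphers() {
    grep -c -E '^[[:space:]]*0x[0-9A-Fa-f]{2}(,0x[0-9A-Fa-f]{2}){1,2} - ' || true
}

# Print the names of GOST ciphers found on stdin, one per line.
gost_ciphers() {
    awk '$2 == "-" && /Enc=GOST89/ { print $3 }'
}

# Succeed if the "compiler:" line of `openssl version -a` (stdin) contains flag $1.
has_flag() {
    grep '^compiler:' | tr ' ' '\n' | grep -q -x -F -e "$1"
}

# Verdict for one build: $1 = cipher list text, $2 = version text.
check_build() {
    gost=$(printf '%s\n' "$1" | gost_ciphers | tr '\n' ' ')
    if [ -n "$gost" ]; then
        echo "FAIL: GOST ciphers present: $gost"
        return 1
    fi
    if ! printf '%s\n' "$2" | has_flag -DOPENSSL_USE_IPV6; then
        echo "FAIL: -DOPENSSL_USE_IPV6 missing"
        return 1
    fi
    echo "OK: $(printf '%s\n' "$1" | count_ciphers) ciphers, no GOST, IPv6 flag set"
}

# Demo on the constructed sample; with a real binary, pass
#   "$(./openssl ciphers -V 'ALL:COMPLEMENTOFALL')" and "$(./openssl version -a)"
check_build "$SAMPLE_CIPHERS" "$SAMPLE_VERSION" || true
```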

jpluimers commented Jun 4, 2016

Oh dang, I searched for GHOST. Will change that and rebuild.

BTW: should we make GOST an issue? As I totally forgot it was on my mental todo list: #127 (comment)
(did I mention I'm professionally chaotic?)

Note you've -DTEMP_GOST_TLS enabled as well: https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh

Does it fail on your systems as well?

When not: do you really want to have it turned off for Mac OS X builds?

drwetter commented Jun 4, 2016

On 4 June 2016 08:21:29 CEST, Jeroen Wiert Pluimers notifications@github.com wrote:

> Oh dang, I searched for GHOST. Will change that and rebuild.
>
> BTW: should we make GOST an issue?

@PeterMosmans did a while back, see https://rt.openssl.org/m/ticket/history?id=3430 (guest, guest)

> As I totally forgot it was on my
> mental todo list:
> #127 (comment)
> (did I mention I'm professionally chaotic?)

Never mind. That's one of the things which works for me... ;-)

Cheers, Dirk

Set from my mobile. Excuse my brevity&typos

jpluimers commented Jun 4, 2016

@drwetter new build:

Not sure why the make report/make test are still looking odd even though GOST isn't used (see the cipher counts).

https://gist.github.com/jpluimers/ca0ed0f53c279aa87fc2ffd505d3fc8a/revisions

Let me know what you think.

--jeroen

drwetter commented Jun 6, 2016

Special thx to @jpluimers, @f-s and @lainegholson !

I put all binaries first to https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.contributed/ and decide on a few which one will be included to github.

Please raise your arm if you think "this should be definitely included" or "this can be provided externally". ;-)

Thx! Dirk

f-s commented Jun 7, 2016

> Please raise your arm if you think "this should be definitely included" or "this can be provided externally". ;-)

drop darwin-i386 include smallest, functional armv7 only

jpluimers commented Jun 10, 2016

Cool!
@drwetter can we get together on-line some day to improve my build script and see if it can be integrated in your build-script?
That way I can try to put future builds in the same gist repo make the process to your site easier.

--jeroen

drwetter commented Jun 23, 2016

@jpluimers, sorry I haven't found the time yet.

Best would be if you would just change it and do a PR. I just committed a version which has an empty 'Darwin' case statement: 6efc3e9 . If you could add your changes to it and throw it back at me, that would be appreciated.

drwetter closed this Jun 23, 2016

jpluimers commented Jun 24, 2016

@drwetter I will give it a shot, but it will take a while.

Before I even start on it:

  • what kind of outputs do you want (I'm guessing both stripped and unstripped)?
  • what file names do you want to use for the unstripped and stripped binaries (right now I'm taking the easy way, but I seem to recall you renamed a few things)?

--jeroen

jpluimers commented Jul 7, 2016

My script is kind of large: https://gist.github.com/jpluimers/f4de3937630b87753133

So it could be integrated, but probably better as an external script.

The good thing is that the uname output can be used to set OSX apart:

```
$ uname
Darwin
$ uname -m
x86_64
```

drwetter commented Sep 14, 2018

FYI: I tried to fix the GOST vs. CHACHA issue during make report but I didn't succeed.

see drwetter/openssl-1.0.2.bad@07c3c3b

jpluimers commented Sep 15, 2018

At least it is one step of progress (:
