# OpenSSL with Padlock RNG engine broken?



## Jimmy (Sep 24, 2014)

The base installation of OpenSSL used to be able to load the padlock engine in FreeBSD 9.x, although it was doubtful that it actually worked. However, in 10.1 it apparently isn't able to load padlock?


```
[root@diesel /home/diesel/jim]# openssl speed aes-256-cbc -engine padlock
invalid engine "padlock"
675480924:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:187:filename(/usr/lib/engines/libpadlock.so): Cannot open "/usr/lib/engines/libpadlock.so"
675480924:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
675480924:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:
675480924:error:2606A074:engine routines:ENGINE_by_id:no such engine:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_list.c:417:id=padlock
675480924:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:187:filename(libpadlock.so): Shared object "libpadlock.so" not found, required by "openssl"
675480924:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
675480924:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:
Doing aes-256 cbc for 3s on 16 size blocks: ^[[A^[[D^[[A1488155 aes-256 cbc's in 2.98s
Doing aes-256 cbc for 3s on 64 size blocks: ^C
[root@diesel /home/diesel/jim]# openssl speed aes-256C^Cbc -engine padlock
[root@diesel /home/diesel/jim]# /usr/bin/openssl speed -engine padlock
invalid engine "padlock"
675480924:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:187:filename(/usr/lib/engines/libpadlock.so): Cannot open "/usr/lib/engines/libpadlock.so"
675480924:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
675480924:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:
675480924:error:2606A074:engine routines:ENGINE_by_id:no such engine:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_list.c:417:id=padlock
675480924:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:187:filename(libpadlock.so): Shared object "libpadlock.so" not found, required by "openssl"
675480924:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
675480924:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:
```


```
[root@diesel /home/diesel/jim]# kldstat -v
Id Refs Address    Size     Name
 2    1 0xc1677000 5154     padlock.ko (/boot/kernel/padlock.ko)
        Contains modules:
                Id Name
                 2 nexus/padlock
 3    2 0xc167d000 24818    crypto.ko (/boot/kernel/crypto.ko)
        Contains modules:
                Id Name
                 1 nexus/cryptosoft
```


```
[root@diesel /home/diesel/jim]# /usr/bin/openssl engine -c -tt
(dynamic) Dynamic engine loading support
     [ unavailable ]
```


```
[root@diesel /home/diesel/jim]# uname -a
FreeBSD diesel.steppingstones 10.0-RELEASE-p7 FreeBSD 10.0-RELEASE-p7 #0: Tue Jul  8 06:34:23 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
```


```
[root@diesel /home/diesel/jim]# sysctl -a |grep random
kern.random.adaptors: dummy,yarrow
kern.random.active_adaptor: yarrow
kern.random.live_entropy_sources: Hardware, VIA Nehemiah Padlock RNG
kern.random.yarrow.gengateinterval: 10
kern.random.yarrow.bins: 10
kern.random.yarrow.fastthresh: 96
kern.random.yarrow.slowthresh: 128
kern.random.yarrow.slowoverthresh: 2
kern.random.sys.seeded: 1
kern.random.sys.harvest.ethernet: 1
kern.random.sys.harvest.point_to_point: 1
kern.random.sys.harvest.interrupt: 1
kern.random.sys.harvest.swi: 1
kern.randompid: 0
device  random
```

=====

Port also appears to be broken:


```
/usr/local/bin/openssl engine -c -tt
(dynamic) Dynamic engine loading support
     [ unavailable ]
```


```
[root@diesel /home/diesel/jim]# /usr/local/bin/openssl speed -engine padlock
invalid engine "padlock"
675550556:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
675550556:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=padlock
675550556:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libpadlock.so): Shared object "libpadlock.so" not found, required by "openssl"
675550556:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
675550556:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
```

With the following additional entries added to /usr/local/openssl/openssl.cnf to enable padlock:


```
## New entries after this line
openssl_conf = openssl_def

[ openssl_def ]
engines = openssl_engines

[ openssl_engines ]
padlock = padlock_engine

[ padlock_engine ]
default_algorithms = ALL
init = 1
```


----------
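An added example, not part of any post in this thread: a small parser for the OpenSSL error-queue lines shown above, which extracts the engine id that was rejected and the shared-object names the dynamic loader tried. The function and class names are made up for this sketch, the sample lines are copied from the post with terminal wraps removed, and the 8/12/12-bit split of the hex code assumes the OpenSSL 1.0.x error-code layout.

```python
import re
from typing import NamedTuple, Optional

# Constructed input: error lines copied from the post (terminal wraps removed).
SAMPLE = """\
invalid engine "padlock"
675480924:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:187:filename(/usr/lib/engines/libpadlock.so): Cannot open "/usr/lib/engines/libpadlock.so"
675550556:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
675550556:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=padlock
675550556:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libpadlock.so): Shared object "libpadlock.so" not found, required by "openssl"
"""

class ErrEntry(NamedTuple):
    lib_num: int      # top 8 bits of the hex code (assumed 1.0.x layout)
    func_num: int     # next 12 bits
    reason_num: int   # low 12 bits
    lib: str
    func: str
    reason: str
    data: str         # optional trailing text, may itself contain ':'

def parse_line(line: str) -> Optional[ErrEntry]:
    # Layout: pid:error:code:library:function:reason:file:line:data
    parts = line.strip().split(":", 8)
    if len(parts) != 9 or parts[1] != "error":
        return None   # not an error-queue line (e.g. 'invalid engine ...')
    try:
        code = int(parts[2], 16)
    except ValueError:
        return None
    return ErrEntry(code >> 24, (code >> 12) & 0xFFF, code & 0xFFF,
                    parts[3], parts[4], parts[5], parts[8])

def diagnose(text: str) -> dict:
    """Collect the engine ids that failed and the DSO names the loader tried."""
    engine_ids, dso_tried = [], []
    for entry in filter(None, map(parse_line, text.splitlines())):
        dso = re.match(r"filename\(([^)]*)\)", entry.data)
        if dso and dso.group(1) not in dso_tried:
            dso_tried.append(dso.group(1))
        if entry.data.startswith("id=") and entry.data[3:] not in engine_ids:
            engine_ids.append(entry.data[3:])
    return {"engine_ids": engine_ids, "dso_tried": dso_tried}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On the lines from the post this reports that `padlock` was looked up as a dynamic engine and that both `/usr/lib/engines/libpadlock.so` and the bare name `libpadlock.so` failed to open.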



## SirDice (Sep 24, 2014)

This might have something to do with it: http://arstechnica.com/security/2013/12 ... opers-say/


----------



## Jimmy (Sep 24, 2014)

Ah thanks for that but the article states:



> It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more.



Also, not sure if the article is sensationalised? I remember reading it last year; I think it got some publicity on Slashdot, but didn't Intel and VIA deny the claims?

Plus, reading this, https://wiki.freebsd.org/WhatsNew/FreeBSD10 states that rdrand adds support for the Intel RNG in FreeBSD 10, which contradicts what is stated in the article.


----------

