[EMAIL PROTECTED] wrote: > Hello > > As part of a project I am compiling OpenSSL on multiple different Unix > flavours and have had many different problems when trying to > get OpenSSL > to compile. >
Hi Peter, Let be give you just a bit of advice. OpenSSL is extremely sensitive to half-assed gcc installations. There's way too many gcc RPMs, gcc binary packages, and such that are out there which people slap into these UNIX flavors then have lots of problems. If you really want to get accurate results you MUST at minimum recompile gcc -twice-. What I have learned to do with the Solaris variants is I get the canned gcc package, install it, then download the gcc source and compile that, delete the package, do a make install, then continue -repeating- this process until a compare of the newly compiled gcc binary is identical to the installed gcc binary. > So, I was wondering if anyone has done any work on minimum compiler > requirements on a per flavour basis: > > IE: > > Solaris 2.6, 2.7, 8, 9: > GNU - (GCC 3.2 + Binutuils 2.15 + GNU Make 3.80) or higher Now you see, this is just flat out not true. OpenSSL will compile up just fine on Solaris 2.xx even with gcc 2.7, as long as the gcc binary has been correctly compiled - and with using the Sun-supplied linker and make tools. It isn't necessary to pollute your system with the GNU binutils and GNU make if you don't wish to do so. > > The same applies to the random number generator (prngd or egd) on a > per-flavour basis. There doesn't seem to be a place where you are > told if the platform you are wanting to compile against has a random > number generator or not (or when support was added via a patch etc). > Yes you can check for /dev/random or /dev/urandom but if you don't > know you need > it then how can you look for it? > I don't have a lot of sympathy for this argument since the FAQ for openssl discusses this here: http://www.openssl.org/support/faq.html#USER1 If you haven't at least read the OpenSSL FAQ, why do you think your qualified to compile it in the first place? And even then the FAQ is no substitute for the documentation. One thing though that the FAQ is missing is a good general discussion of randomness. I'll try to write one here, perhaps Andy would see fit to include it? Q) What is the difference between PRNGD, EGD, and the system devices /dev/random and /dev/urandom and what do I need? A) It's extremely important to have a high quality source of randomness to generate really unbreakable keys and such. Getting this in a computer is pretty difficult to do in software. The best randomess is obtained by hardware cards such as the hifn ones, here's a press release on these: http://www.hifn.com/info/pr/pressreleases/print/pr_121603_2.html This card touts a "true random generator" and if you need really truly absolute randomness, for perhaps research applications, then you need to be looking into this. Or, you could figure out how to hook a lava lamp to your computer. (another highly random device) But, for the rest of us the randomness that the computer can generate is sufficient for most ordinary encryption. OpenSSL tries to obtain this from the /dev/urandom device, falling back to /dev/random if /dev/urandom isn't available. These devices try to obtain randomness from things such as different changing kernel statistics, (simple but not very random) and/or counting hardware interrupts (better, but extremely OS version specific) On most UNIXs, /dev/random is a blocking driver and /dev/urandom is non-blocking. If /dev/random runs out of randomness to supply then the application that depends on it pretty much freezes until more randomness is available, if /dev/urandom runs out of randomess to supply to an application then it just makes extra, using a not particularly random algorithim. EGD, available here: http://egd.sourceforge.net/ is basically a software implementation of /dev/random for systems that lack the /dev/random driver, and PRNGD, available jere: http://freshmeat.net/projects/prngd is a software implementation of /dev/urandom for systems that lack that as well. There are several other PRNGD projects available than the one on freshmeat. There are some applications out there besides OpenSSL that require /dev/random or /dev/urandom, so if given a choice between installing a random driver or using PRNGD, it is better to install a /dev/random and /dev/urandom driver. Most UNIX implementations did not start including these drivers until very recently. The 3 major commercial ones are: Solaris: version 9 included by default, version 8, 2.7, and 2.6 available from a patch from Sun located here: http://sunsolve.sun.com/search/document.do?assetkey=1-25-27606-1. Version 2.5.1, and 2.4 available from an open source driver here: http://www.cosy.sbg.ac.at/~andi/SUNrand HP-UX: Version 11i available from HP here: http://docs.hp.com/en/5990-7263/index.html also available as an open source for version 11 (non-i) from here: http://www.josvisser.nl/hpux11-random/ Previous versions must use PRNGD/EGD (or someone could possibly backport the josvisser driver?) AIX: Included by IBM first in version 5.2. Older versions must use PRNGD/EGD or possibly port the Andreas Maier driver? People should also be aware that many of the vendor /dev/random implementations out there produce low-quality randomness, or they produce it slowly, or they don't produce a lot of it. It is not easy in a computer to produce hig quality randomness without using a chip. There is a paper available here: http://www.schneier.com/paper-prngs.html which shows how unrandom many randomness generators are. That site also has their own PRNG program here: http://www.schneier.com/yarrow.html Linux/FreeBSD/OpenBSD/etc. : These open source UNIXes all include openSSL now in their current versions and all do have a random device. DEC/Compaq/HP OSF/1 4.x and 5.x, SGI IRIX 6.5, and IBM AIX 4.2: Use PRNGD/EGD If you do install a /dev/random driver you can test it's effectiveness with the following program: http://www.fourmilab.ch/random/ Ted ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
