Building 32-bit openssl libraries with the Sun C compiler

This week I needed to install OpenSSL 0.9.8g on one of my servers. When I went to configure and build the libraries with the Sun C compiler, I noticed that 64-bit libraries were produced by default. It turns out that this is the default behavior if you try to build OpenSSL on a 64-bit platform. To build 32-bit shared libraries, I ran Configure with the “shared” and “solaris-x86-cc” options:

$ cd openssl-0.9.8g

$ ./Configure shared --prefix=/usr/local solaris-x86-cc

$ make

$ make install

There may be other ways to do this, but this method appears to work ok.

Removing messages from POP3S servers

While checking my e-mail recently, I noticed that my inbox contained several new messages that were roughly 3MB in size. The quantity of messages was choking my poor text-based e-mail client, so I needed to figure out what was happening. After spending a few minutes reviewing my maillog, I noticed that my mail retrieval program was erroring out while popping the 3MB message (it transferred the message, but wasn’t issuing a dele when it finished). Since my mail retrieval program was having issues retrieving the 3MB file, I decided to fire up openssl and delete the message myself:

$ openssl s_client -quiet -connect mail.prefetch.net:995

depth=0 /C=US/O=mail.prefetch.net/OU=https://services.choicepoint.net/get.jsp?1605445126/OU=See www.rapidssl.com/cps (c)04/OU=Domain Control Validated - StarterSSL(TM)/CN=mail.prefetch.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=mail.prefetch.net/OU=https://services.choicepoint.net/get.jsp?1605445126/OU=See www.rapidssl.com/cps (c)04/OU=Domain Control Validated - StarterSSL(TM)/CN=mail.prefetch.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=mail.prefetch.net/OU=https://services.choicepoint.net/get.jsp?1605445126/OU=See www.rapidssl.com/cps (c)04/OU=Domain Control Validated - StarterSSL(TM)/CN=mail.prefetch.net
verify error:num=21:unable to verify the first certificate
verify return:1

+OK mail.prefetch.net Cyrus POP3 v2.2.12 server ready <1499164100.1140385444@mail.prefetch.net>

user myaccount
+OK Name is a valid mailbox

pass MYSPECIALPASSWORD
+OK Mailbox locked and ready

list
+OK scan listing follows
1 1893014
2 599397
3 4219
.

dele 1
+OK message deleted

quit
+OK
read:errno=0

I really dig openssl, and find myself using it daily. Giddie up!
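The three "verify error" lines in the session above mean s_client could not validate the server's certificate chain, yet the session continued and the password was sent. The following is an added example, not part of the original post, that scans captured s_client output for such lines so a script can stop before sending credentials. The function name verify_errors is hypothetical and the sample text is constructed from the transcript with a shortened subject.

```shell
# verify_errors: read s_client diagnostic output on stdin, print each distinct
# "num=NN:reason" once, and return 1 if any verification error was seen.
verify_errors() {
    awk -F'verify error:' '
        NF > 1 && !seen[$2]++ { print $2; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample modelled on the session above (subject shortened).
SAMPLE='depth=0 /C=US/O=mail.example.net/CN=mail.example.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=mail.example.net/CN=mail.example.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=mail.example.net/CN=mail.example.net
verify error:num=21:unable to verify the first certificate
verify return:1'

# Fail closed: only continue to "user"/"pass" when the chain verified cleanly.
printf '%s\n' "$SAMPLE" | verify_errors ||
    echo "chain not verified: do not send credentials"
```

Current OpenSSL releases can enforce this directly: passing -CAfile with the issuing CA bundle together with -verify_return_error makes s_client abort the handshake instead of continuing.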

Measuring approximate CPU speeds with openssl

I use a variety of hardware in my day-to-day activities, and was curious to see how they compared to each other. While I could run a micro benchmarking tool to get detailed information on memory, cpu, network and disk throughput, I thought it would be easier to use openssl’s ‘speed’ option to get a rough approximation of each machine’s capabilities. The results are listed below:

Ultra 10 with (1) 440 MHZ UltraSPARC IIi CPU:

$ openssl speed blowfish

Doing blowfish cbc for 3s on 16 size blocks: 3028371 blowfish cbc's in 2.98s
Doing blowfish cbc for 3s on 64 size blocks: 835818 blowfish cbc's in 2.98s
Doing blowfish cbc for 3s on 256 size blocks: 214738 blowfish cbc's in 2.99s
Doing blowfish cbc for 3s on 1024 size blocks: 54125 blowfish cbc's in 2.99s
Doing blowfish cbc for 3s on 8192 size blocks: 6279 blowfish cbc's in 2.98s
OpenSSL 0.9.7d 17 Mar 2004
built on: date not available
options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) aes(partial) blowfish(ptr) 
compiler: information not available
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     16259.71k    17950.45k    18385.59k    18536.45k    17260.93k

Fujitsu 250 with (1) 900 MHZ UltraSPARC64V CPU:

$ openssl speed blowfish

Doing blowfish cbc for 3s on 16 size blocks: 4086473 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 64 size blocks: 1095008 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 256 size blocks: 278583 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 1024 size blocks: 69931 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 8192 size blocks: 8754 blowfish cbc's in 2.99s
OpenSSL 0.9.7d 17 Mar 2004
built on: Wed Mar 17 14:57:19 EST 2004
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     21794.52k    23360.17k    23772.42k    23869.78k    23984.20k

Powerbook G4 with (1) 1.5 GHZ G4:

$ openssl speed blowfish

To get the most accurate results, try to run this
program when this computer is idle.
Doing blowfish cbc for 3s on 16 size blocks: 6564697 blowfish cbc's in 2.28s
Doing blowfish cbc for 3s on 64 size blocks: 1781080 blowfish cbc's in 2.23s
Doing blowfish cbc for 3s on 256 size blocks: 482751 blowfish cbc's in 2.35s
Doing blowfish cbc for 3s on 1024 size blocks: 118350 blowfish cbc's in 2.29s
Doing blowfish cbc for 3s on 8192 size blocks: 15444 blowfish cbc's in 2.38s
OpenSSL 0.9.7g 11 Apr 2005
built on: Mon Aug 22 04:38:18 PDT 2005
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr) 
compiler: cc -arch i386 -arch ppc -g -Os -pipe -arch i386 -arch ppc -pipe -DOPENSSL_NO_IDEA -DFAR=
available timing options: TIMEB USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     45997.30k    51100.78k    52532.67k    52895.72k    53053.47k

IBM HS20 Blade with (1) 3.0 GHZ Intel Xeon CPU w/ Hyperthreading:

$ /usr/sfw/bin/openssl speed blowfish

Doing blowfish cbc for 3s on 16 size blocks: 14394701 blowfish cbc's in 2.99s
Doing blowfish cbc for 3s on 64 size blocks: 3827438 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 256 size blocks: 979301 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 1024 size blocks: 250691 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 8192 size blocks: 31586 blowfish cbc's in 3.00s
OpenSSL 0.9.7d 17 Mar 2004
built on: date not available
options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,cisc,16,long) aes(partial) blowfish(ptr)
compiler: information not available
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     77028.50k    81652.01k    83567.02k    85569.19k    86250.84k

Generating random numbers

Randomness is a key element in cryptography (seeds and shared secrets), TCP (ISNs), and can be useful when simulating client access patterns in test scripts. If an OS supports the /dev/random pseudo-device, the dd, od, and awk utilities can be used to generate random values:

$ dd if=/dev/random count=1 2>/dev/null | od -t u1 | awk 'NR==1 {print $2}'
007

$ dd if=/dev/random count=1 2>/dev/null | od -t u1 | awk 'NR==1 {print $2$3}'
035170

$ dd if=/dev/random count=1 2>/dev/null | od -t u1 | awk 'NR==1 {print $2$3$4}'
018183199

This pipes a block of random data to od, whose -t u1 type option prints each byte as an unsigned decimal integer, and awk then prints the second field of the first line (the first field is od’s offset column). You can also use openssl to generate random data on a system. With -base64, as used here, od sees the base64 text rather than the raw byte, so the value printed is the ASCII code of a base64 character:

$ openssl rand -base64 1 | od -t u1 | awk 'NR==1 {print $2}'
51

$ openssl rand -base64 1 | od -t u1 | awk 'NR==1 {print $2}'
120

I am sure there are more efficient ways to do this, and would love to get feedback. :)
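One way to get a uniformly distributed integer in a range, as an added example that is not from the original post: it reads exactly four raw bytes and uses rejection sampling so that the final modulo does not favour small values. The function names rand_u32 and rand_below are hypothetical, and /dev/urandom is assumed as the byte source.

```shell
# rand_u32: print one unsigned 32-bit integer built from 4 raw random bytes.
# -An drops od's offset column, -N4 reads exactly 4 bytes, -t u4 prints them
# as a single unsigned 32-bit decimal value.
rand_u32() {
    od -An -N4 -t u4 /dev/urandom | tr -d ' \n'
}

# rand_below N: print a uniform integer in the range 0 .. N-1 (1 <= N <= 2^32).
rand_below() {
    n=$1
    case $n in
        ''|*[!0-9]*) echo "usage: rand_below N" >&2; return 2 ;;
    esac
    if [ "$n" -lt 1 ] || [ "$n" -gt 4294967296 ]; then
        echo "rand_below: N out of range" >&2
        return 2
    fi
    # Largest multiple of N that fits in 2^32. Draws at or above it are
    # discarded; keeping them would make the low residues slightly more likely.
    limit=$(( 4294967296 / n * n ))
    while :; do
        r=$(rand_u32)
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# Constructed usage: one roll of a six-sided die (prints 1..6).
echo $(( $(rand_below 6) + 1 ))
```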

No md5sum? Use OpenSSL!

I constantly find myself generating checksums, and for some reason each operating system likes to implement its own message digest command (if it provides one at all). If your system is missing a digest command, you can use the openssl utility to generate one-time hashes. OpenSSL supports the SHA1, MD5 and RIPEMD160 algorithms, and accepts one or more files as arguments:

$ openssl md5 passwd
MD5(passwd)= eb1e5c787c3d85b9cf214c70c1095934

$ openssl sha1 passwd
SHA1(passwd)= 1163c343091756010a77f95068aca4c4e360b932

$ openssl rmd160 passwd
RIPEMD160(passwd)= c5c52bd8506740387691c4b0eb606ad0ffe778d6

$ openssl rmd160 passwd passwd /etc/services
RIPEMD160(passwd)= c5c52bd8506740387691c4b0eb606ad0ffe778d6
RIPEMD160(passwd)= c5c52bd8506740387691c4b0eb606ad0ffe778d6
RIPEMD160(/etc/services)= c5c52bd8506740387691c4b0eb606ad0ffe778d6

$ cat passwd | openssl md5
eb1e5c787c3d85b9cf214c70c1095934

The OpenSSL source code can be downloaded from the main OpenSSL website:

http://www.openssl.org/source/
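Checking a file against a published digest, as an added example that is not from the original post: it strips the "ALG(name)= " prefix seen in the output above (absent when old builds read stdin, present on newer ones) and compares case-insensitively. It goes beyond the algorithms listed in the post by defaulting to SHA-256, which openssl dgst also provides; the function names digest_of and verify_digest are hypothetical.

```shell
# digest_of FILE [ALG]: print the lowercase hex digest of FILE.
# ALG is an "openssl dgst" algorithm name; sha256 is the default here.
digest_of() {
    file=$1
    alg=${2:-sha256}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Reading from stdin keeps the file name out of the output. The sed
    # removes any "(stdin)= " style prefix and passes a bare hash unchanged.
    openssl dgst "-$alg" < "$file" | sed 's/^.*= *//' | tr 'A-F' 'a-f'
}

# verify_digest FILE EXPECTED_HEX [ALG]: return 0 only on an exact match.
verify_digest() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \n')
    actual=$(digest_of "$1" "${3:-sha256}") || return 2
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $1: got $actual" >&2
    return 1
}

# Constructed demo: hash a temporary file holding the three bytes "abc".
demo=$(mktemp) && printf 'abc' > "$demo" && digest_of "$demo"
rm -f "$demo"
```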