ocf-linux-users

[Ocf-linux-users] openssl-0.9.8g.patch codechange

[Kennedy, B. <bre...@in...>]

Hi Dave,All,

It was seen that RSA cert gen fails when using cryptodev through openssl-0.9.8g patched with the OCF 20080917 openssl patch:

/usr/local/ssl_0.9.8g/bin/openssl req -new -sha1 -x509 -days 365 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/CN=Test-Only-Certificate'
Generating a 1024 bit RSA private key
..........++++++
...........++++++
writing new private key to 'server.key'
-----
25900:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key type:p_sign.c:103:
25900:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:



However with the attached patch, it works fine. I was wondering if, to your knowledge this impacts any non RSA functionality, or breaks anything (it doesn't seem to, but I haven't been able to test everything and it looks like it has the potential to break some other PKE function since it selects RSA PKE method specifically).

Regards,
Brendan


--- eng_cryptodev.c.orig        2009-05-20 17:12:03.000000000 +0100
+++ eng_cryptodev.c     2009-05-20 17:12:27.000000000 +0100
@@ -852,7 +852,7 @@ const EVP_MD cryptodev_sha1 = {
        cryptodev_digest_final,
        cryptodev_digest_copy,
        cryptodev_digest_cleanup,
-       EVP_PKEY_NULL_method,
+       EVP_PKEY_RSA_method,
        SHA_CBLOCK,
        sizeof(struct dev_crypto_state),
 };

------------------------------------------------
Brendan Kennedy
Intel Shannon Ltd.

Ireland.

Email: bre...@in...<mailto:bre...@in...>
------------------------------------------------

---------------------------------------------------------------------
Intel Shannon Limited
Registered in Ireland
Registered Office: One Spencer Dock, North Wall Quay, Dublin 1
Registered Number: 308263
Business address: Dromore House, East Park, Shannon, Co. Clare

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.

Re: [Ocf-linux-users] openssl-0.9.8g.patch codechange

[David M. <Dav...@se...>]

Jivin Kennedy, Brendan lays it down ...
> Hi Dave,All,
> 
> It was seen that RSA cert gen fails when using cryptodev through openssl-0.9.8g patched with the OCF 20080917 openssl patch:
> 
> /usr/local/ssl_0.9.8g/bin/openssl req -new -sha1 -x509 -days 365 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/CN=Test-Only-Certificate'
> Generating a 1024 bit RSA private key
> ..........++++++
> ...........++++++
> writing new private key to 'server.key'
> -----
> 25900:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key type:p_sign.c:103:
> 25900:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:


Hmm,  I just ran this on the safenet driver and it appeared to work.  I say
appeared as I needed to dummy up an openssl.cnf and perhaps some settings
are different.

openssl most certainly used the safenet driver for some of the work, but
perhaps not as much as the ep80579 you are using.

I noticed it does no OCF calls during the printing of '.'s and does fail
a few session creations,  so it's highly likely the same code paths are not
being used.

> However with the attached patch, it works fine. I was wondering if, to
> your knowledge this impacts any non RSA functionality, or breaks anything
> (it doesn't seem to, but I haven't been able to test everything and it
> looks like it has the potential to break some other PKE function since
> it selects RSA PKE method specifically).

I have no idea.  Do you know why this fixes the problem ?
I don't understand how EVP_PKEY_NULL_method could be right, nor how
EVP_PKEY_RSA_method could be wrong or vice-versa :-)

All in all the PK support in OCF has very little use so it doesn't surprise
me if changes are needed, just need to be fairly sure its a step in the
right direction ;-)

This code only seems to be active when configured with
--with-cryptodev-digests.  Almost no one uses this setting as it is almost
certainly slower than doing the digest in SW.

This no doubt explains why I don't see the error as I don't run with
--with-cryptodev-digests :-)

Perhaps you can work out what is different between running with
--with-cryptodev-digests and without it,  might show up the real problem
with the MD5/SHA bits ?

Cheers,
Davidm

> --- eng_cryptodev.c.orig        2009-05-20 17:12:03.000000000 +0100
> +++ eng_cryptodev.c     2009-05-20 17:12:27.000000000 +0100
> @@ -852,7 +852,7 @@ const EVP_MD cryptodev_sha1 = {
>         cryptodev_digest_final,
>         cryptodev_digest_copy,
>         cryptodev_digest_cleanup,
> -       EVP_PKEY_NULL_method,
> +       EVP_PKEY_RSA_method,
>         SHA_CBLOCK,
>         sizeof(struct dev_crypto_state),
>  };


-- 
David McCullough,  dav...@se...,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org

Re: [Ocf-linux-users] openssl-0.9.8g.patch codechange

[Kennedy, B. <bre...@in...>]

Hi Dave,

Thanks for the quick response! I'll post back here if I ever figure the problem out ;)

Regards,
Brendan

-----Original Message-----
From: David McCullough [mailto:Dav...@se...] 
Sent: 21 May 2009 04:32
To: Kennedy, Brendan
Cc: ocf...@li...; Vrabete, Brad
Subject: Re: [Ocf-linux-users] openssl-0.9.8g.patch codechange


Jivin Kennedy, Brendan lays it down ...
> Hi Dave,All,
> 
> It was seen that RSA cert gen fails when using cryptodev through openssl-0.9.8g patched with the OCF 20080917 openssl patch:
> 
> /usr/local/ssl_0.9.8g/bin/openssl req -new -sha1 -x509 -days 365 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/CN=Test-Only-Certificate'
> Generating a 1024 bit RSA private key
> ..........++++++
> ...........++++++
> writing new private key to 'server.key'
> -----
> 25900:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key type:p_sign.c:103:
> 25900:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:


Hmm,  I just ran this on the safenet driver and it appeared to work.  I say
appeared as I needed to dummy up an openssl.cnf and perhaps some settings
are different.

openssl most certainly used the safenet driver for some of the work, but
perhaps not as much as the ep80579 you are using.

I noticed it does no OCF calls during the printing of '.'s and does fail
a few session creations,  so it's highly likely the same code paths are not
being used.

> However with the attached patch, it works fine. I was wondering if, to
> your knowledge this impacts any non RSA functionality, or breaks anything
> (it doesn't seem to, but I haven't been able to test everything and it
> looks like it has the potential to break some other PKE function since
> it selects RSA PKE method specifically).

I have no idea.  Do you know why this fixes the problem ?
I don't understand how EVP_PKEY_NULL_method could be right, nor how
EVP_PKEY_RSA_method could be wrong or vice-versa :-)

All in all the PK support in OCF has very little use so it doesn't surprise
me if changes are needed, just need to be fairly sure its a step in the
right direction ;-)

This code only seems to be active when configured with
--with-cryptodev-digests.  Almost no one uses this setting as it is almost
certainly slower than doing the digest in SW.

This no doubt explains why I don't see the error as I don't run with
--with-cryptodev-digests :-)

Perhaps you can work out what is different between running with
--with-cryptodev-digests and without it,  might show up the real problem
with the MD5/SHA bits ?

Cheers,
Davidm

> --- eng_cryptodev.c.orig        2009-05-20 17:12:03.000000000 +0100
> +++ eng_cryptodev.c     2009-05-20 17:12:27.000000000 +0100
> @@ -852,7 +852,7 @@ const EVP_MD cryptodev_sha1 = {
>         cryptodev_digest_final,
>         cryptodev_digest_copy,
>         cryptodev_digest_cleanup,
> -       EVP_PKEY_NULL_method,
> +       EVP_PKEY_RSA_method,
>         SHA_CBLOCK,
>         sizeof(struct dev_crypto_state),
>  };


-- 
David McCullough,  dav...@se...,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
---------------------------------------------------------------------
Intel Shannon Limited
Registered in Ireland
Registered Office: One Spencer Dock, North Wall Quay, Dublin 1
Registered Number: 308263
Business address: Dromore House, East Park, Shannon, Co. Clare

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.