Hi All,
Attached is a patch to the OpenSSL cryptodev engine (crypto/engine/eng_cryptodev.c). It was initially tested against OpenSSL0.9.8g, however before sending this email I validated the changes with the latest 1.0.0 and 0.9.8 stable snapshots. I include a description of each change below. The main point is that Cryptodev (linux OCF and FreeBSD Opencrypto) success code is a zero, whereas openssl success code is a 1. Best Regards, Brendan
diff -rup openssl-0.9.8g.orig/crypto/engine/eng_cryptodev.c openssl-0.9.8g.patched/crypto/engine/eng_cryptodev.c
--- openssl-0.9.8g.orig/crypto/engine/eng_cryptodev.c 2009-10-14 11:55:14.000000000 +0100
+++ openssl-0.9.8g.patched/crypto/engine/eng_cryptodev.c 2009-10-14 11:56:20.000000000 +0100
@@ -1029,10 +1029,18 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BI
 goto err;
 kop.crk_iparams = 3;
- if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
+ if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) {
+ printf("OCF asym process failed, Running in software\n");
+ const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
+
+ } else if (ECANCELED == kop.crk_status) {
+ printf("OCF hardware operation cancelled. Running in Software\n");
 const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
 ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
 }
+ /* else cryptodev operation worked ok ==> ret = 1*/
+
-----------------------------------------------------------------------------------------
[Brendan] Some hardware does not support some key sizes – in this case it is good to run the operation in software. Opencrypto (FreeBSD) and OCF-linux have a bug where they treat process and algorithm errors as the same error. I have/will soon be sending patches to those projects to get that bug fixed also.
-----------------------------------------------------------------------------------------
 err:
 zapparams(&kop);
 return (ret);
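Review bot: A non-zero `kop.crk_status` other than ECANCELED still falls through to the success path after the new `else if`, so, going by the added comment, `ret` stays 1 and the caller would use `r` even though the device reported a failure. Folding the status into the first test, `if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) || kop.crk_status != 0) {`, sends every device-side failure to the software path and removes the duplicated branch. The same gap is in the cryptodev_rsa_mod_exp hunk. The `printf` calls write to the application's stdout from library code and come before a declaration in the same block, which older C compilers reject; the diagnostic is better reported through OpenSSL's error reporting or dropped. The function starts and ends outside the hunk, so the initial value of `ret` is inferred from the comment only.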
@@ -1076,10 +1084,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const
 goto err;
 kop.crk_iparams = 6;
- if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
+ if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) {
+ printf("OCF asym process failed, running in Software\n");
+ const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
+
+ } else if (ECANCELED == kop.crk_status) {
+ printf("OCF hardware operation cancelled. Running in Software\n");
 const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
 ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
 }
+ /* else cryptodev operation worked ok ==> ret = 1*/
+
-----------------------------------------------------------------------------------------
[Brendan] Same as before
-----------------------------------------------------------------------------------------
 err:
 zapparams(&kop);
 return (ret);
@@ -1215,7 +1231,8 @@ cryptodev_dsa_verify(const unsigned char
 kop.crk_iparams = 7;
 if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
- dsaret = kop.crk_status;
+/*OCF success value is 0, if not zero, change dsaret to fail*/
+ if(0 != kop.crk_status) dsaret = 0;
 } else {
 const DSA_METHOD *meth = DSA_OpenSSL();
-----------------------------------------------------------------------------------------
[Brendan] OCF Success is 0, dsaret should only be set if OCF status is non zero
-----------------------------------------------------------------------------------------
--------------------------------------------------------------
Intel Shannon Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 Business address: Dromore House, East Park, Shannon, Co. Clare This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.
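Review bot: Every non-zero `kop.crk_status` in the cryptodev_dsa_verify hunk, including the ECANCELED case that the two mod_exp hunks hand to software, is now reported as a bad signature (`dsaret = 0`) instead of being retried in software or surfaced as an error. The accepting result is never assigned here, so it depends on whatever `dsaret` was initialised to outside the hunk (presumably 1), which is worth confirming for every path that reaches the return. Setting the verdict explicitly, `dsaret = (kop.crk_status == 0) ? 1 : 0;`, ties it to the device status, and an ECANCELED status would be better routed to the `DSA_OpenSSL()` path already used in the `else` branch. The function continues past the end of the hunk.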
Hi All, Attached is a patch to the OpenSSL cryptodev engine
(crypto/engine/eng_cryptodev.c). It was initially tested against OpenSSL0.9.8g,
however before sending this email I validated the changes with the latest 1.0.0
and 0.9.8 stable snapshots. I include a description of each change below. The main point
is that Cryptodev (linux OCF and FreeBSD Opencrypto) success code is a zero,
whereas openssl success code is a 1. Best Regards, diff -rup openssl-0.9.8g.orig/crypto/engine/eng_cryptodev.c
openssl-0.9.8g.patched/crypto/engine/eng_cryptodev.c ---
openssl-0.9.8g.orig/crypto/engine/eng_cryptodev.c
2009-10-14 11:55:14.000000000 +0100 +++
openssl-0.9.8g.patched/crypto/engine/eng_cryptodev.c 2009-10-14
11:56:20.000000000 +0100 @@ -1029,10 +1029,18 @@ cryptodev_bn_mod_exp(BIGNUM *r,
const BI
goto err;
kop.crk_iparams = 3; -
if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) { +
if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) { +
printf("OCF asym process failed, Running in software\n"); +
const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); +
ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont); + +
} else if (ECANCELED == kop.crk_status) { +
printf("OCF hardware operation cancelled. Running in Software\n");
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
} +
/* else cryptodev operation worked ok ==> ret = 1*/ + ----------------------------------------------------------------------------------------- [Brendan] Some hardware does not support some key sizes – in
this case it is good to run the operation in software. Opencrypto (FreeBSD) and OCF-linux have a bug where they
treat process and algorithm errors as the same error. I have/will soon be sending patches to those projects
to get that bug fixed also. ----------------------------------------------------------------------------------------- err:
zapparams(&kop);
return (ret); @@ -1076,10 +1084,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0,
const
goto err;
kop.crk_iparams = 6; -
if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) { +
if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) { +
printf("OCF asym process failed, running in Software\n"); +
const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); +
ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx); + +
} else if (ECANCELED == kop.crk_status) { +
printf("OCF hardware operation cancelled. Running in Software\n");
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
} +
/* else cryptodev operation worked ok ==> ret = 1*/ + ----------------------------------------------------------------------------------------- [Brendan] Same as before ----------------------------------------------------------------------------------------- err:
zapparams(&kop);
return (ret); @@ -1215,7 +1231,8 @@ cryptodev_dsa_verify(const unsigned
char
kop.crk_iparams = 7;
if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) { -
dsaret = kop.crk_status; +/*OCF success value is 0, if not zero, change dsaret to
fail*/ +
if(0 != kop.crk_status) dsaret = 0;
} else {
const DSA_METHOD *meth = DSA_OpenSSL(); ----------------------------------------------------------------------------------------- [Brendan] OCF Success is 0, dsaret should only be set if OCF
status is non zero ----------------------------------------------------------------------------------------- -------------------------------------------------------------- Intel Shannon Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 Business address: Dromore House, East Park, Shannon, Co. Clare This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. |
ocf-openssl-0 9 8_1_0_0_eng_cryptodev_PKE_fix.patch
Description: Binary data