On 9/11/2013 2:01 PM, Stephen Henson via RT wrote:
> On Wed Sep 11 17:52:03 2013, deeng...@anl.gov wrote:
>>
>> Attached is a patch to move the definition of ecdsa_method
>> from src/crypto/ecdsa/ecs_locl.h to ecdsa.h
>> and move the definition of ecdh_method
>> from src/crypto/ecdh/ech_locl.h to ecdh.h
>>
>
> It's been policy that we should avoid direct structure access in
> application code and use opaque structures where possible.
>
> I had to change ecdsa_method for the FIPS builds (add the flags field) and if
> it had been public would've meant that it would no longer be binary compatible
> across minor versions (1.0.0 incompatible with 1.0.1 and later) which would be
> a major headache.
>
> The preferred technique would be to create a function to allocate and
> initialise the structure without exposing it in a public header. See the
> EVP_PKEY_METHOD structure for example.

Would you accept a modification to do that?

If yes, I will get a modification for ECDSA.

The current code in libp11 needs to change the do_sign and do_sign_setup.

ECDSA_METHOD *PKCS11_get_ecdsa_method(void)
{
    static ECDSA_METHOD ops;

    /* lazy one-time init keyed on ecdsa_do_sign; there is no lock, so two
       threads racing on the first call both write ops */
    if (!ops.ecdsa_do_sign) {
        /* whole-struct copy: needs the full ECDSA_METHOD layout at compile
           time, which is exactly what an opaque struct would not provide */
        ops = *ECDSA_get_default_method();
        ops.ecdsa_do_sign = pkcs11_ecdsa_do_sign;
        ops.ecdsa_sign_setup = pkcs11_ecdsa_do_sign_setup;
    }
    return &ops;
}

Copies the existing structure and sets the ecdsa_do_sign and
ecdsa_sign_setup members.

The RSA_METHOD structure is exposed, and I suspect other engines take advantage
of that. libp11 does:

RSA_METHOD *PKCS11_get_rsa_method(void)
{
    static RSA_METHOD ops;

    /* same lazy, unlocked one-time init as the ECDSA case, keyed on rsa_priv_enc */
    if (!ops.rsa_priv_enc) {
        /* whole-struct copy of the default method; relies on RSA_METHOD
           being a complete type in the public header */
        ops = *RSA_get_default_method();
        ops.rsa_priv_enc = pkcs11_rsa_encrypt;
        ops.rsa_priv_dec = pkcs11_rsa_decrypt;
        ops.rsa_sign = pkcs11_rsa_sign;
        ops.rsa_verify = pkcs11_rsa_verify;
    }
    return &ops;
}

Are there any plans to hide the RSA_METHOD?


>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
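The allocate-and-initialise approach Henson points to, as an added example that is not libp11's or OpenSSL's code. It shows why the `ops = *ECDSA_get_default_method()` struct copy above stops being binary compatible once a field such as `flags` is appended, and how an opaque type with a constructor and setters avoids that: the copy happens inside the library, where the layout is known, and the engine only sets the hooks it implements. Every `MY_*` name, the simplified function-pointer signatures, the "software default" and the stand-in token function are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not libp11 or OpenSSL code: the "allocate and initialise
 * without exposing the struct" pattern. All MY_* names are hypothetical and
 * the hook signatures are simplified stand-ins for the real ones. */

/* What a public header would expose: an incomplete type plus functions.
 * Callers never see sizeof(MY_ECDSA_METHOD), so fields can be appended later
 * without recompiling them. */
typedef struct my_ecdsa_method_st MY_ECDSA_METHOD;
typedef int (*my_sign_setup_fn)(const void *key);
typedef int (*my_do_sign_fn)(const unsigned char *dgst, int dlen, const void *key);

/* Private to this translation unit (the library's ecs_locl.h equivalent). */
struct my_ecdsa_method_st {
    const char *name;
    my_sign_setup_fn sign_setup;
    my_do_sign_fn do_sign;
    int flags;   /* the kind of field that was appended for FIPS builds */
};

/* Constructed software default: "signs" anything with a non-empty digest. */
static int default_sign_setup(const void *key) { (void)key; return 1; }
static int default_do_sign(const unsigned char *dgst, int dlen, const void *key)
{
    (void)dgst; (void)key;
    return dlen > 0;
}
static const MY_ECDSA_METHOD default_method = {
    "software-ecdsa", default_sign_setup, default_do_sign, 0
};

const MY_ECDSA_METHOD *MY_ECDSA_get_default_method(void) { return &default_method; }

/* Allocate a method, pre-filled from `base` when given. The struct copy that
 * libp11 does in the engine happens here, inside the library. */
MY_ECDSA_METHOD *MY_ECDSA_METHOD_new(const MY_ECDSA_METHOD *base)
{
    MY_ECDSA_METHOD *m = malloc(sizeof(*m));
    if (m == NULL)
        return NULL;
    if (base != NULL) *m = *base; else memset(m, 0, sizeof(*m));
    return m;
}

void MY_ECDSA_METHOD_free(MY_ECDSA_METHOD *m) { free(m); }

/* Setters: an engine overrides only the hooks it implements (NULL = keep). */
int MY_ECDSA_METHOD_set_sign(MY_ECDSA_METHOD *m, my_sign_setup_fn setup,
                             my_do_sign_fn sign)
{
    if (m == NULL) return 0;
    if (setup != NULL) m->sign_setup = setup;
    if (sign != NULL) m->do_sign = sign;
    return 1;
}
int MY_ECDSA_METHOD_set_flags(MY_ECDSA_METHOD *m, int flags)
{
    if (m == NULL) return 0;
    m->flags = flags;
    return 1;
}
int MY_ECDSA_METHOD_get_flags(const MY_ECDSA_METHOD *m) { return m ? m->flags : 0; }
const char *MY_ECDSA_METHOD_get_name(const MY_ECDSA_METHOD *m) { return m ? m->name : NULL; }

/* Library-side dispatch; a NULL method means the default. */
int MY_ECDSA_do_sign(const MY_ECDSA_METHOD *m, const unsigned char *dgst,
                     int dlen, const void *key)
{
    if (m == NULL) m = &default_method;
    if (m->sign_setup != NULL && !m->sign_setup(key)) return 0;
    return m->do_sign != NULL ? m->do_sign(dgst, dlen, key)
                              : default_do_sign(dgst, dlen, key);
}

/* Engine side: what a PKCS11_get_ecdsa_method() could look like against this
 * API. fake_token_do_sign stands in for the PKCS#11 call and just counts. */
static int token_sign_calls;
static int fake_token_do_sign(const unsigned char *dgst, int dlen, const void *key)
{
    (void)dgst; (void)dlen; (void)key;
    token_sign_calls++;
    return 1;
}

MY_ECDSA_METHOD *example_get_engine_method(void)
{
    MY_ECDSA_METHOD *m = MY_ECDSA_METHOD_new(MY_ECDSA_get_default_method());
    if (m != NULL)
        MY_ECDSA_METHOD_set_sign(m, NULL, fake_token_do_sign); /* keep default setup */
    return m;
}

/* Runs the whole flow once; returns 1 if every step behaved, 0 otherwise. */
int example_demo(void)
{
    const unsigned char dgst[3] = { 1, 2, 3 };   /* constructed digest */
    int before = token_sign_calls, ok = 1;
    MY_ECDSA_METHOD *m = example_get_engine_method();
    if (m == NULL) return 0;
    ok &= strcmp(MY_ECDSA_METHOD_get_name(m), "software-ecdsa") == 0; /* copied */
    ok &= MY_ECDSA_METHOD_set_flags(m, 4) && MY_ECDSA_METHOD_get_flags(m) == 4;
    ok &= MY_ECDSA_do_sign(m, dgst, 3, NULL) == 1;      /* reaches the "token" */
    ok &= token_sign_calls == before + 1;
    ok &= MY_ECDSA_do_sign(NULL, dgst, 0, NULL) == 0;   /* default path, empty digest */
    ok &= token_sign_calls == before + 1;               /* token not involved */
    MY_ECDSA_METHOD_free(m);
    return ok;
}
```

With this split, adding `flags` (or any later field) changes only the library's translation unit; an engine compiled against an older header keeps working because it never embeds or copies the struct itself, which is the compatibility property the thread is about.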
