Hello Matt,
the improved patch is attached. It uses the EVP_DigestSign* API instead of
EVP_digest and does not modify any header files.
Thank you!
On Wed, Sep 17, 2014 at 2:22 AM, Matt Caswell via RT <[email protected]> wrote:
> On 16/09/14 19:31, Dmitry Belyavsky wrote:> Hello!
> >
> > I've made a quick fix to solve this problem (attached). The main problem
> > with this fix is to move locally-defined engine constants to the level
> > of evp.h, so if you suggest a better solution, I am ready to implement
> it.
> >
> > Thank you!
> >
> >
> > On Tue, Sep 16, 2014 at 9:29 PM, Dmitry Belyavsky via RT <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> > Hello Openssl Team!
> >
> > I use openssl 1.0.1i with some patches in the GOST engine.
> > The command line is
> >
> > openssl speed -engine gost -evp gost-mac
> >
> > I get an error:
> > 3074107544:error:80073074:lib(128):GOST_IMIT_UPDATE:mac key not
> > set:gost_crypt.c:654:
> > (the line number where the error occurs may differ from the current one
> > from 1.0.1i).
> >
> > So gost-mac is treated as digest and the tests are using the EVP_Digest
> > method. But the gost-mac differs from common digests because it usage
> > requires a mac key to be set.
> >
> > What is the best way to fix it? Should I hardcode the gost-mac
> > support in
> > apps/speed.c to process it correctly or there is a better way?
> >
> > Thank you!
>
> speed does not currently support EVP style MACs of any description (i.e. it
> can't do an EVP HMAC or an EVP CMAC).
>
> The EVP way of doing MACs is described here:
> http://wiki.openssl.org/index.php/EVP_Signing_and_Verifying
>
> i.e. you use EVP_DigestSign*, and NOT EVP_Digest as in your patch.
>
> I don't know anything about the GOST engine, so I don't know whether it
> supports this style of operation or not. However if I were going to add
> support
> for this into speed then I would start by implementing support for EVP
> style
> HMAC/CMAC - and then extend it to GOST.
>
> I'm closing this ticket for now. Please reply and cc [email protected] to
> reopen
> it if you come back with a different patch.
>
> Matt
>
>
--
SY, Dmitry Belyavsky
Index: apps/speed.c
===================================================================
--- apps/speed.c (revision 10555)
+++ apps/speed.c (working copy)
@@ -1985,17 +1985,44 @@
EVP_CIPHER_CTX_cleanup(&ctx);
}
if (evp_md)
- {
+ {
names[D_EVP]=OBJ_nid2ln(evp_md->type);
print_message(names[D_EVP],save_count,
- lengths[j]);
+ lengths[j]);
+ if (evp_md->type == NID_id_Gost28147_89_MAC)
+ {
+ Time_F(START);
+ for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
+ {
+ EVP_MD_CTX mac_ctx;
+ EVP_PKEY * mac_key;
+ size_t mac_key_size=32;
+ size_t siglen = sizeof(md);
- Time_F(START);
- for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
-
EVP_Digest(buf,lengths[j],&(md[0]),NULL,evp_md,NULL);
+ EVP_MD_CTX_init(&mac_ctx);
+
EVP_MD_CTX_set_flags(&mac_ctx,EVP_MD_CTX_FLAG_ONESHOT);
- d=Time_F(STOP);
+ mac_key =
EVP_PKEY_new_mac_key(evp_md->type, NULL, key32, mac_key_size);
+
+ EVP_DigestSignInit(&mac_ctx,
NULL, evp_md, NULL, mac_key);
+ EVP_PKEY_free(mac_key);
+
+ EVP_DigestSignUpdate(&mac_ctx,
buf, lengths[j]);
+ EVP_DigestSignFinal(&mac_ctx,
md, &siglen);
+ EVP_MD_CTX_cleanup(&mac_ctx);
+ }
+
+ d=Time_F(STOP);
}
+ else
+ {
+ Time_F(START);
+ for (count=0,run=1;
COND(save_count*4*lengths[0]/lengths[j]); count++)
+
EVP_Digest(buf,lengths[j],&(md[0]),NULL,evp_md,NULL);
+
+ d=Time_F(STOP);
+ }
+ }
print_result(D_EVP,j,count,d);
}
}
