Re: [openssl.org #2459] ecdsa_method declaration prevents use in implementing a dynamic engine

Wed, 11 Sep 2013 14:41:17 -0700 


On 9/11/2013 2:01 PM, Stephen Henson via RT wrote:

On Wed Sep 11 17:52:03 2013, deeng...@anl.gov wrote:


Attached is a patch to move the definition of ecdsa_method
from src/crypto/ecdsa/ecs_locl.h to ecdsa.h
and move the definition if ecdh_method
from src/crypto/ecdh/ech_locl.h to ecdh.h



It's been policy that we should avoiding direct structure access in
applications code and use opaque structures where possible.

I had to change ecdsa_method for the FIPS builds (add the flags field) and if
it had been public would've meant that it would no longer be binary compatible
across minor versions (1.0.0 incompatible with 1.0.1 and later) which would be
a major headache.

The preferred technique would be to create a function to allocate and
initialise the structure without exposing it in a public header. See the
EVP_PKEY_METHOD structure for example.


Would you accept a modification to do that?

If yes, I will get a modification for ECDSA.

The current code in libp11 needs to change the do_sign and do_sign_setup.

ECDSA_METHOD *PKCS11_get_ecdsa_method(void)
{
        static ECDSA_METHOD ops;

        if (!ops.ecdsa_do_sign) {
                ops = *ECDSA_get_default_method();
                ops.ecdsa_do_sign = pkcs11_ecdsa_do_sign;
                ops.ecdsa_sign_setup = pkcs11_ecdsa_do_sign_setup;
        }
        return &ops;
}

Copies the existing structure and sets the ecdsa_do_sign and
ecdsa_do_sign_setup.

The RSA_METHOD structure is exposed, and I suspect other engines take advantage
of that. The libp11 does:

RSA_METHOD *PKCS11_get_rsa_method(void)
{
        static RSA_METHOD ops;
        if (!ops.rsa_priv_enc) {
                ops = *RSA_get_default_method();
                ops.rsa_priv_enc = pkcs11_rsa_encrypt;
                ops.rsa_priv_dec = pkcs11_rsa_decrypt;
                ops.rsa_sign = pkcs11_rsa_sign;
                ops.rsa_verify = pkcs11_rsa_verify;
        }
        return &ops;
}

Are there any plans to hide the RSA_METHOD?




Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org



--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org






















					Reply via email to