Yet another update to PKCS#11 engine patch

When working on 6540060 I found another race regarding engine use in multithreaded environment, for example Apache in a worker mode. I fixed it today in Nevada:

  • 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers

Updated engine patches against latest source code releases of OpenSSL: pkcs11_engine-0.9.7m.patch.2007-05-25 (README), pkcs11_engine-0.9.8e.patch.2007-05-25 (README).

Escalations have been filed and I hope we might get that to upcoming S10u4, and also both CR's included in previous versions of the patch - 6540060, 6554248.

Posted on: May 25, 2007

Posted by: janp

Category: Sun

Permanent link to this entry

Comments:

The 2007-05-19 release seems to have fixed the "bad record mac" issue with DHE-* ciphers for me (Solaris10/sparc) FYI: openssl-0.9.7m with GCC on Solaris has a compile issue (with -march=ultrasparc) See: http://rt.openssl.org/Ticket/Display.html?id=1493

Posted by conormc on May 29, 2007 at 02:19 PM CEST #

It seems that when the pkcs11 engine is enabled, you experience a huge improvement in RSA speed but see a decrease in performance for other algorithms. In our case, not only did the SHA and MD5 algorithms perform much slower, they seemed to occasionally produce incorrect data. A mod_ssl compiled with this code using the pkcs11 engine on a T1000 will start to fail SSL connections periodically when the system was stressed using benchmarking software. Reverting back to the "builtin" engine resolved the problems but RSA signing performance was very poor. Our solution was to modify mod_ssl to only use the pkcs11 engine for RSA. This produces excellent benchmarking performance and no errors.

Posted by Tony on June 17, 2007 at 11:04 PM CEST #

In addition to the previous comment. This is the error in the ssl_error log - [error] OpenSSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac We are using openssl-0.9.7m with your patch : pkcs11_engine-0.9.7m.patch.2007-05-25 applied. mod_ssl-2.8.20-1.3.31 is used with the Oracle Apache webserver on a T1000.

Posted by Tony on June 17, 2007 at 11:11 PM CEST #

Tony, could you please contact me directly at jan.pechanec-at-sun-com? Thanks.

Posted by Jan on June 17, 2007 at 11:15 PM CEST #

I've seent this speed issue as well, it seems the pkcs11 engine does not use the card for md5/sha1 operations - the docs tell me the card supports it, and kstat shows me the counters (all 0 of course). It seems there's an extra copying overhead which is very noticable on small block sizes - pkcs11 is a factor 4 slower than using the openssl software engine for small blocks. (I'm not sure if the libpkcs11 API provides access to the md5/sha1 capability??)

Posted by conormc on June 22, 2007 at 02:30 PM CEST #

Thanks for these patches. I am keen to use them with SCA6000 cards. Do they include the ability to log in to the keystore by passing a PIN through to pkcs11? Last time I played with the engine provided with Solaris you could not do this and I have been using the opensc engine instead.

Posted by John Dickinson on June 26, 2007 at 05:41 PM CEST #

to John: sorry, no. I wonder how opensc does that because it seems from what I read about it that it uses external command to log into the card. According to PKCS#11 standard, only the process that called C_Login() should be allowed to access the token.

Posted by Jan on June 28, 2007 at 07:14 PM CEST #

I dont understand. If I write a application that links to libcrypto and tells it to use the pkcs11 engine then it is all one process isn't it? If you are interested, my notes on using these cards with openssl and the opensc engine can be found at http://blog.nominet.org.uk/tech/category/crypto/

Posted by John Dickinson on June 29, 2007 at 10:21 AM CEST #

sure, that's correct. I thought that OpenSC could only provide the PIN via an external command which I can see now was not true.

just to confirm - so far, we support SO_PATH control command only, not PIN or other commands as OpenSC does. The main reason for the engine was to access hardware crypto accelerators connected to the Solaris Crypto Framework.

Posted by Jan on July 03, 2007 at 04:13 PM CEST #

Hi Jan, Thanks for your PKCS11 engine for OpenSSL.

I am seeing its source code and have a question.

At hw_pk11.c:1992 [in pk11_choose_slot function], following if loop is there.
if (!found_candidate_slot && (slot_has_rsa || slot_has_dsa || slot_has_dh)). Documentation in the beginning of that function says that rsa, dsa and dh are required mechanisms for choosing slot. But in the code, you have put (slot_has_rsa || slot_has_dsa || slot_has_dh) which will be evaluated to true if one of either 3 algos is present. Once the control goes into if loop, values of pk11_have_rsa, pk11_have_dsa and pk11_have_dh are set and can't be changed as this if loop is entered only once. My question is whether this is a mistake in documentation or a bug in logic?

Please let me know if I am missing anything, if it is not a valid problem.

Thanks
DP

Posted by DP on August 22, 2007 at 01:25 PM CEST #

hi DP, I haven't written the code, but what I can see is that the slot with partial set of mechanisms is chosen only if it's the first slot that have at least "something"; see "!" in the condition predicate.

You can see in the code that follows that if there are slots that have more mechanisms, they are chosen after that.

It's logical - better to pick a slot that have, say, RSA/DH only (and not DSA) than no slot.

Yes, the comment is a little bit misleading.

Posted by Jan on September 04, 2007 at 06:55 PM CEST #

Post a Comment:
  • HTML Syntax: NOT allowed

This blog copyright 2009 by janp