Jan Pechanec wrote:
> On Sun, 24 Jun 2007, Nanno Langstraat wrote:
>>> where some memory is allocated in dgst init and freed in ctx cleanup
>>> (not dgst final) in OpenSSL, but allocated in dgst init and freed in dgst
>>> final in PKCS#11 tokens. So, if you don't call xyzFinal() it's fine wrt
>>> memory usage in OpenSSL but it's a problem in PKCS#11 app.
>>> it's usually not a problem because when there is digest init there is
>>> also digest final some time after that. However, not for HMAC computation.

>> This sounds almost exactly why I added the SHA1_Drop() function to the
>> "save/load SHA1 state" patch, discussed on this list a week ago.
>> (or SHA1_Abandon(), SHA1_Cancel(), whatever name you prefer for the function)
>> Even though it's a no-op for the current SHA1 C implementation, it creates a
>> clean hook to deallocate any memory without having to do an unnecessary Final()
>> calculation.

> hi Nanno, I don't think it's very similar. The problem is that one
> can't change PKCS#11 API.

But as far as I can see we _have_ been bitten by the exact same API
non-orthogonality, i.e. 'Final()' being designed as a fused-operation of
"do significant work + clean up object", plus the absence of an "only
clean up" function that is mandatory to call.

The main difference is that you are stuck with a different "copy" of
that same API, one that is frozen in stone and has to be worked around,
whereas I could change the one I encountered.


Uninformed suggestion 1:

* Optimizes for "minimal changes to OpenSSL"
* In the EVP engine for PKCS #11, use a boolean flag to track
whether DigestInit() has been called. During DigestInit() and
CTX.clean(), check this flag and do a bogus PKCS #11 final if

Suggestion 2:

* Add a function EVP_DigestAbandon(), and require all users of EVP
to call either EVP_DigestFinal() or EVP_DigestAbandon().

* Add a function HMAC_Abandon(), and require all users of HMAC to
call either HMAC_Final() or HMAC_Abandon().

* This gives the PKCS #11 engine the chance to clean up (by doing a
bogus PKCS #11 final). Because the tls1_P_hash() function will
call HMAC_Abandon(&ctx_tmp), which will call
EVP_DigestAbandon(i_ctx / o_ctx).
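
Added example, not part of the original message and not OpenSSL or PKCS #11 engine code: a C model of the flag from suggestion 1 and the "only clean up" hook from suggestion 2, run against a constructed mock token that allocates in init and frees only in final. All `tok_*` and `eng_*` names are hypothetical, and performing the bogus final only when the flag is set is an assumption of this sketch.

```c
#include <stdlib.h>
#include <string.h>

/* Mock token (constructed): state is allocated in init, freed only in final. */
static int tok_live_states = 0;
typedef struct { unsigned char *state; } tok_session;
static void tok_digest_init(tok_session *s) {
    s->state = malloc(64);
    tok_live_states++;
}
static void tok_digest_final(tok_session *s, unsigned char *out, size_t len) {
    memset(out, 0, len);              /* stand-in for the real digest output */
    free(s->state);
    s->state = NULL;
    tok_live_states--;
}
/* Hypothetical engine-side context carrying the boolean flag of suggestion 1. */
typedef struct { tok_session sess; int op_active; } eng_md_ctx;
/* The "only clean up" step: a bogus final whose output is thrown away. */
static void eng_digest_abandon(eng_md_ctx *c) {
    unsigned char scratch[64];
    if (c->op_active) {
        tok_digest_final(&c->sess, scratch, sizeof scratch);
        c->op_active = 0;
    }
}
static void eng_digest_init(eng_md_ctx *c) {
    eng_digest_abandon(c);            /* re-init without final: drop old state */
    tok_digest_init(&c->sess);
    c->op_active = 1;
}
static void eng_digest_final(eng_md_ctx *c, unsigned char *out, size_t len) {
    if (!c->op_active) return;        /* nothing to finish */
    tok_digest_final(&c->sess, out, len);
    c->op_active = 0;
}
static void eng_ctx_cleanup(eng_md_ctx *c) { eng_digest_abandon(c); }

/* Mixes a normal init/final pair with the HMAC-like "init, never final" case. */
int demo_leaked_states(void) {
    unsigned char md[20];
    eng_md_ctx c = {{NULL}, 0};
    eng_digest_init(&c); eng_digest_final(&c, md, sizeof md);
    eng_digest_init(&c);
    eng_digest_init(&c);              /* second init, no final in between */
    eng_ctx_cleanup(&c);              /* cleanup, still no final */
    return tok_live_states;           /* token states left allocated */
}
int main(void) { return demo_leaked_states(); }
```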


