Re: [Dovecot] Solaris hardware crypto engines
Hello, after several tests (and reading a lot of howtos) I'm now fairly convinced that the Solaris HW-crypto engine is not automatically used. Even when dovecot is compiled with the OpenSSL version provided by Solaris.
Currently I have only a T1-CPU available for testing (Sun Fire T2000) and after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
    ENGINE *e;
    ENGINE_load_builtin_engines();
    ENGINE_init((e = ENGINE_by_id("pkcs11")));
    ENGINE_set_default_RSA(e);
    ENGINE_set_default_DSA(e);
    ENGINE_set_default_ciphers(e);
in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit() the crypto device gets used. I'm sure that this is not the whole story since this only seems to affect the IMAP login.
One has to use the specific SSL engine and the ENGINE/EVP calls (as stated in the various articles). Is there any chance that Dovecot gets updated/patched for this? E.g., like the SSLCryptoDevice setting in Apache's mod_ssl.
Regards. Martin
Chris Hoogendyk wrote:
On 4/18/11 6:30 AM, Martin Preen wrote:
Hello, I tried to find out how to use the hardware crypto engines under Solaris (Sun Fire T2000). It seems that it's not just a compilation issue:
For operations that are to be offloaded, it is necessary to restrict use to a subset of OpenSSL functions (the EVP_ functions) and explicitly indicate the use of the PKCS11 engine; something like the following works for bulk ciphers (the process for RSA is similar):
    ENGINE *e;
    ENGINE_load_builtin_engines();
    e = ENGINE_by_id("pkcs11");
    ENGINE_set_default_ciphers(e);
    EVP_CIPHER_CTX_init(&ctx);
    EVP_EncryptInit(&ctx, EVP_des_cbc(), key, iv);
    EVP_EncryptUpdate(.....);
Since I'm not familiar with SSL programming, I wonder if it's possible to modify the dovecot 1.2.x source code. Maybe someone has already tried this or can give me a hint.
You don't want to do that.
The objective is for the ssl engine to be low level and basically invisible to layers of application above that use it. So, build openssl properly and it just works for everything else.
I'm not at work today, so I don't have reference to my notes. Ah, just found an email I sent to my colleagues -- copied it below.
Martin Preen, Universität Freiburg, Institut für Informatik Georges-Koehler-Allee 52, Raum EG-006, 79110 Freiburg, Germany
phone: ++49 761 203-8250 preen@informatik.uni-freiburg.de fax: ++49 761 203-8242 swt.informatik.uni-freiburg.de/~preen
On Mon, 2011-11-21 at 10:18 +0100, Martin Preen wrote:
Hello, after several tests (and reading a lot of howtos) I'm now fairly convinced that the Solaris HW-crypto engine is not automatically used. Even when dovecot is compiled with the OpenSSL version provided by Solaris.
Currently I have only a T1-CPU available for testing (Sun Fire T2000) and after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
ENGINE *e; ENGINE_load_builtin_engines(); ENGINE_init((e=ENGINE_by_id("pkcs11")));
Does "openssl engine" return this "pkcs11" string?
ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e); ENGINE_set_default_ciphers(e);
in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit() the crypto device gets used. I'm sure that this is not the whole story since this only seems to affect the IMAP login.
It should work for POP3 as well, all of the SSL code is shared.
One has to use the specific SSL engine and the ENGINE/EVP calls (as stated in the various articles). Is there any chance that Dovecot gets updated/patched for this? E.g., like the SSLCryptoDevice setting in Apache's mod_ssl.
I guess I could add an ssl_crypto_device setting for this. But I'll need to figure out proper ifdefs to avoid compile failures with older OpenSSL versions.
On 11/21/11 4:52 PM, Timo Sirainen wrote:
On Mon, 2011-11-21 at 10:18 +0100, Martin Preen wrote:
Hello, after several tests (and reading a lot of howtos) I'm now fairly convinced that the Solaris HW-crypto engine is not automatically used. Even when dovecot is compiled with the OpenSSL version provided by Solaris.
Currently I have only a T1-CPU available for testing (Sun Fire T2000) and after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
ENGINE *e; ENGINE_load_builtin_engines(); ENGINE_init((e=ENGINE_by_id("pkcs11")));
Does "openssl engine" return this "pkcs11" string?
ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e); ENGINE_set_default_ciphers(e);
in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit() the crypto device gets used. I'm sure that this is not the whole story since this only seems to affect the IMAP login.
It should work for POP3 as well, all of the SSL code is shared.
One has to use the specific SSL engine and the ENGINE/EVP calls (as stated in the various articles). Is there any chance that Dovecot gets updated/patched for this? E.g., like the SSLCryptoDevice setting in Apache's mod_ssl.
I guess I could add an ssl_crypto_device setting for this. But I'll need to figure out proper ifdefs to avoid compile failures with older OpenSSL versions.
Just a quick comment -- the Sun instructions for setting up Apache specifically noted the importance of specifying "SSLCryptoDevice pkcs11" in httpd.conf.
So, the OpenSSL provided by Solaris will do what it should, IFF pkcs11 is specified by the program that is calling it.
I had an email exchange with a Solaris developer at some point, who said that GnuPG simply could not use the crypto device, because it was built with libcrypt, did not use the pkcs11 engine, and it would take a significant rewrite to make it do so.
--
Chris Hoogendyk
Systems Administrator
Biology & Geology Departments
140 Morrill Science Center
<hoogendyk@bio.umass.edu>
Erdös 4
Timo Sirainen wrote:
On Mon, 2011-11-21 at 10:18 +0100, Martin Preen wrote:
Hello, after several tests (and reading a lot of howtos) I'm now fairly convinced that the Solaris HW-crypto engine is not automatically used. Even when dovecot is compiled with the OpenSSL version provided by Solaris.
Currently I have only a T1-CPU available for testing (Sun Fire T2000) and after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
ENGINE *e; ENGINE_load_builtin_engines(); ENGINE_init((e=ENGINE_by_id("pkcs11")));
Does "openssl engine" return this "pkcs11" string?
This requires the Solaris OpenSSL version (or another version using the pkcs11 patch).
# /usr/sfw/bin/openssl engine
(pkcs11) PKCS #11 engine support
ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e); ENGINE_set_default_ciphers(e);
in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit() the crypto device gets used. I'm sure that this is not the whole story since this only seems to affect the IMAP login.
It should work for POP3 as well, all of the SSL code is shared.
I couldn't find the EncryptUpdate call which has to be changed too (according to the howto documents). Maybe some other call needs a patch. But I don't know which.
Martin
One has to use the specific SSL engine and the ENGINE/EVP calls (as stated in the various articles). Is there any chance that Dovecot gets updated/patched for this? E.g., like the SSLCryptoDevice setting in Apache's mod_ssl.
I guess I could add an ssl_crypto_device setting for this. But I'll need to figure out proper ifdefs to avoid compile failures with older OpenSSL versions.
On Mon, 2011-11-21 at 23:49 +0100, Martin Preen wrote:
# /usr/sfw/bin/openssl engine
(pkcs11) PKCS #11 engine support
ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e); ENGINE_set_default_ciphers(e);
in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit() the crypto device gets used. I'm sure that this is not the whole story since this only seems to affect the IMAP login.
It should work for POP3 as well, all of the SSL code is shared.
I couldn't find the EncryptUpdate call which has to be changed too (according to the howto documents). Maybe some other call needs a patch. But I don't know which.
What EncryptUpdate?.. I've anyway added the engine init/deinit calls in your email to v2.1 hg. Let's hope it works :) At least it didn't break when I tried it with "dynamic" value (which is the only engine my OpenSSL supports).
On Thu, 2011-11-24 at 01:55 +0200, Timo Sirainen wrote:
What EncryptUpdate?.. I've anyway added the engine init/deinit calls in your email to v2.1 hg. Let's hope it works :) At least it didn't break when I tried it with "dynamic" value (which is the only engine my OpenSSL supports).
Oh, and in Solaris "pkcs11" value also works. But I don't know if it's actually using hardware crypto.
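A practical way to settle the question Timo raises above (the engine loads, but is the hardware actually doing the work?). This is an added example, not code from the thread or from Dovecot: it assumes the Solaris ncp kstat module exports an rsaprivate counter (the T1's crypto unit handles modular arithmetic only, so the RSA handshake is where offload shows up) and that /usr/sfw/bin/openssl is the pkcs11-enabled build mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Dovecot): was the Solaris crypto hardware
# actually used for a TLS handshake? Assumed: the ncp driver (UltraSPARC T1 MAU)
# exports an "rsaprivate" counter via kstat(1M), and /usr/sfw/bin/openssl is the
# pkcs11-enabled build mentioned in the thread.
OPENSSL=/usr/sfw/bin/openssl

# Does the output of "openssl engine -t <id>" report the engine as usable?
# Argument: that output (captured by the caller, or a constructed sample).
engine_usable() {
    printf '%s\n' "$1" | grep -q '\[ available \]'
}

# Sum one counter from "kstat -p" output (module:inst:name:stat<TAB>value).
# Arguments: kstat text, statistic name.
kstat_counter() {
    printf '%s\n' "$1" | tr ':\t' '  ' |
        awk -v name="$2" '$4 == name { sum += $5 } END { print sum + 0 }'
}

# RSA private-key operations the hardware performed between two snapshots.
# 0 means the handshake was signed in software, whatever the engine setup says.
hw_rsa_delta() {
    before=$(kstat_counter "$1" rsaprivate)
    after=$(kstat_counter "$2" rsaprivate)
    echo $((after - before))
}

# Live check: snapshot, force one IMAPS handshake against the server, snapshot again.
live_check() {
    host=${1:-localhost}; port=${2:-993}
    if ! engine_usable "$($OPENSSL engine -t pkcs11 2>&1)"; then
        echo "pkcs11 engine not available to $OPENSSL" >&2; return 1
    fi
    s0=$(kstat -p -m ncp)
    $OPENSSL s_client -connect "$host:$port" </dev/null >/dev/null 2>&1
    s1=$(kstat -p -m ncp)
    echo "hardware RSA private-key ops during handshake: $(hw_rsa_delta "$s0" "$s1")"
}

# Constructed kstat snapshots for an offline self-test (not real counters).
SAMPLE_BEFORE=$(printf 'ncp:0:ncp0:rsaprivate\t100\nncp:0:ncp0:rsapublic\t40\n')
SAMPLE_AFTER=$(printf 'ncp:0:ncp0:rsaprivate\t103\nncp:0:ncp0:rsapublic\t40\n')

# Run the live check only when a host (and optional port) is given on the command line.
if [ "$#" -gt 0 ]; then live_check "$@"; fi
```

Run it as `sh hwcheck.sh mailhost 993` on the Solaris box; a delta of 0 after a successful handshake means the private-key operation never reached the hardware, regardless of what "openssl engine" reports.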
Timo Sirainen wrote:
On Mon, 2011-11-21 at 23:49 +0100, Martin Preen wrote:
# /usr/sfw/bin/openssl engine
(pkcs11) PKCS #11 engine support
ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e); ENGINE_set_default_ciphers(e);
in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit() the crypto device gets used. I'm sure that this is not the whole story since this only seems to affect the IMAP login.
It should work for POP3 as well, all of the SSL code is shared.
I couldn't find the EncryptUpdate call which has to be changed too (according to the howto documents). Maybe some other call needs a patch. But I don't know which.
What EncryptUpdate?.. I've anyway added the engine init/deinit calls in your email to v2.1 hg. Let's hope it works :) At least it didn't break when I tried it with "dynamic" value (which is the only engine my OpenSSL supports).
Probably I'm wrong (I have no experience with SSL programming). I thought the EncryptUpdate was necessary for the encoding of the SSL data stream. But maybe there has to be a link between engine initialization and the SSL contexts?
Martin