search

MicrochipTech / cryptoauth-openssl-engine

DEPRECATED: Use https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-Linux-Setup
Other
76 stars 49 forks source link

ECDHE / need to use ecc508 to generate EC key pair at "client key exchange" #4

Open realbright opened 7 years ago

realbright commented 7 years ago

ssl3_send_client_key_exchange seem to not use ecc508 when generating new ECDH key pair.

Currently, it uses EC_KEY_generate_key (openssl default) but I think, it have to be replaced by ECDH_generate_key() same as "server key exchange"

right?

agostrer commented 7 years ago

I will need to review the code (didn't do it for over a year). TLS handles differently the client and the server so ecc508 is called from different places. I remember that we tested all combinations and both client and server were calling ecc508. However it depends on the command line. Try all examples.

Regards, Alex

Sent from my iPad

On Apr 16, 2017, at 7:40 PM, realbright notifications@github.com wrote:

ssl3_send_client_key_exchange seem to not use ecc508 when generating new ECDH key pair.

Currently, it uses EC_KEY_generate_key (openssl default) but I think, it have to be replaced by ECDH_generate_key() same as "server key exchange"

right?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

realbright commented 7 years ago

Actually it depends on the behavior of server not command line. If server want to verify client it request certificate of client. Upon client receive this message it will send ClientVerifiy matched with ssl3_send_client_key_exchange. and in case of ECDH(E) openssl generate key pair using EC_KEY_generate_key (not engine's genkey)

As you can see the patch: 'ecdhe_patch.diff' you add ECDH_generate_key function in server key exchange to accelerate computation. but you seem to forgot in client side :)

agostrer commented 7 years ago

I remember that ecc508 ECDH was called from different place on the client. But like I said, time passed, probably I forgot something. Maybe it is a bug. You can enable logging in the Makefile and see if ecc508 ECDH is called.

Sent from my iPad

On Apr 16, 2017, at 9:51 PM, realbright notifications@github.com wrote:

Actually it depends on the behavior of server not command line. If server want to verify client it request certificate of client. Upon client receive this message it will send ClientVerifiy matched with ssl3_send_client_key_exchange. and in case of ECDH(E) openssl generate key pair using EC_KEY_generate_key (not engine's genkey)

As you can see the patch: 'ecdhe_patch.diff' you add ECDH_generate_key function in server key exchange to accelerate computation. but you seem to forgot in client side :)

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.