Inicio Explorar Axuda
Iniciar sesión
yosoyhendrix
/
vlmcsd
1
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: svn1113
Ramas Etiquetas
vlmcsd
/
README.openssl

README.openssl 2.3 KB
Permalink Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 
  1. IMPORTANT
    2. 

  2. =========
    3. 

  3. 

  4. 1. Do not use any of the OpenSSL binaries
    5. 

  5. 2. Do not compile OpenSSL binaries yourself
    6. 

  6. 

  7. (except for doing some research into the deep internals of OpenSSL)
    8. 

  8. 

  9. REASONS
    10. 

  10. =======
    11. 

  11. 

  12. All OpenSSL binaries included are highly experimental and are likely to fail
    13. 

  13. in many cases. To get some real benefit from OpenSSL (or PolarSSL) it should
    14. 

  14. handle all crypting/hashing.
    15. 

  15. 

  16. However this is not possible because Microsoft has slightly altered AES
    17. 

  17. encryption in KMSv6 and uses a non-AES variant of the Rijndael CMAC in
    18. 

  18. KMSv4. OpenSSL is not able to handle this if you use it correctly.
    19. 

  19. 

  20. This means OpenSSL can be used safely only for SHA256 and HMAC SHA256
    21. 

  21. calculations used in KMSv5 and KMSv6 but the code size benefit is only
    22. 

  22. 100 to 300 bytes (depending on the architecture).
    23. 

  23. 

  24. To benefit more from OpenSSL (getting it performing the AES stuff) I do
    25. 

  25. the first phase of AES encryption/decryption (called key expansion) with my
    26. 

  26. own code. I then poke the expanded key into internal OpenSSL structs to make
    27. 

  27. it behave in a way not intended by the OpenSSL developers but in a way to
    28. 

  28. perform non-standard AES crypting as required by KMSv4 and KMSv6. KMSv5 is
    29. 

  29. the only protocol that could use OpenSSL without hacking the OpenSSL internals.
    30. 

  30. 

  31. That means vlmcsd still needs about 40% of the internal AES code plus some
    32. 

  32. OpenSSL hacking code to poke the expanded key into OpenSSL.
    33. 

  33. 

  34. The entire OpenSSL hacking does not work in every case because the internal
    35. 

  35. OpenSSL structs differ depending on the OpenSSL version, OpenSSL configuration
    36. 

  36. at compile time (whether it is configured to use compiled C code or assembler
    37. 

  37. code), CPU architecture and CPU features (whether it can perform AES in
    38. 

  38. hardware).
    39. 

  39. 

  40. SUMMARY
    41. 

  41. =======
    42. 

  42. 

  43. If you use OpenSSL in a safe way (compile with CRYPTO=openssl), there is not
    44. 

  44. much benefit from it. The binary may become bigger or smaller and you
    45. 

  45. definitely need more RAM when you run vlmcsd or vlmcs.
    46. 

  46. 

  47. If you use hacked OpenSSL (compile with CRYPTO=openssl_with_aes or
    48. 

  48. CRYPTO=openssl_with_aes_soft) you risk malfunction of vlmcs/vlmcsd even if it
    49. 

  49. performed correctly several times before.
    50. 

  50. 

  51. Both vlmcs and vlmcsd do not have more features when compiled with OpenSSL
    52. 

  52. support. It may be faster (especially on CPUs with hardware assisted AES) but
    53. 

  53. uses more memory and may fail or perform unreliably.
    54. 

  54. 

  55.