2000-11-13 02:03:58 +01:00
|
|
|
|
|
|
|
ENGINE
|
|
|
|
======
|
|
|
|
|
|
|
|
With OpenSSL 0.9.6, a new component has been added to support external
|
|
|
|
crypto devices, for example accelerator cards. The component is called
|
|
|
|
ENGINE, and has still a pretty experimental status and almost no
|
2002-01-27 04:13:07 +01:00
|
|
|
documentation. It's designed to be fairly easily extensible by the
|
2000-11-13 02:03:58 +01:00
|
|
|
calling programs.
|
|
|
|
|
|
|
|
There's currently built-in support for the following crypto devices:
|
|
|
|
|
|
|
|
o CryptoSwift
|
|
|
|
o Compaq Atalla
|
|
|
|
o nCipher CHIL
|
|
|
|
|
|
|
|
A number of things are still needed and are being worked on:
|
|
|
|
|
|
|
|
o An openssl utility command to handle or at least check available
|
|
|
|
engines.
|
|
|
|
o A better way of handling the methods that are handled by the
|
|
|
|
engines.
|
|
|
|
o Documentation!
|
|
|
|
|
|
|
|
What already exists is fairly stable as far as it has been tested, but
|
|
|
|
the test base has been a bit small most of the time.
|
|
|
|
|
|
|
|
Because of this experimental status and what's lacking, the ENGINE
|
|
|
|
component is not yet part of the default OpenSSL distribution. However,
|
|
|
|
we have made a separate kit for those who want to try this out, to be
|
|
|
|
found in the same places as the default OpenSSL distribution, but with
|
|
|
|
"-engine-" being part of the kit file name. For example, version 0.9.6
|
|
|
|
is distributed in the following two files:
|
|
|
|
|
|
|
|
openssl-0.9.6.tar.gz
|
|
|
|
openssl-engine-0.9.6.tar.gz
|
|
|
|
|
|
|
|
NOTES
|
|
|
|
=====
|
|
|
|
|
|
|
|
openssl-engine-0.9.6.tar.gz does not depend on openssl-0.9.6.tar, you do
|
|
|
|
not need to download both.
|
|
|
|
|
|
|
|
openssl-engine-0.9.6.tar.gz is usable even if you don't have an external
|
|
|
|
crypto device. The internal OpenSSL functions are contained in the
|
|
|
|
engine "openssl", and will be used by default.
|
|
|
|
|
|
|
|
No external crypto device is chosen unless you say so. You have actively
|
|
|
|
tell the openssl utility commands to use it through a new command line
|
|
|
|
switch called "-engine". And if you want to use the ENGINE library to
|
2002-01-27 04:13:07 +01:00
|
|
|
do something similar, you must also explicitly choose an external crypto
|
2000-11-13 02:03:58 +01:00
|
|
|
device, or the built-in crypto routines will be used, just as in the
|
|
|
|
default OpenSSL distribution.
|
|
|
|
|
|
|
|
|
|
|
|
PROBLEMS
|
|
|
|
========
|
|
|
|
|
2002-01-27 04:13:07 +01:00
|
|
|
It seems like the ENGINE part doesn't work too well with CryptoSwift on
|
2000-11-13 02:03:58 +01:00
|
|
|
Win32. A quick test done right before the release showed that trying
|
|
|
|
"openssl speed -engine cswift" generated errors. If the DSO gets enabled,
|
|
|
|
an attempt is made to write at memory address 0x00000002.
|
|
|
|
|