Dynamic Engine II

Dynamic Engine II

Sara Fonseca
Hello everybody,

is there any documentation on how to create a dynamic engine, other
than README.ENGINE?  I checked the eng_dyn.c file on crypto/engine in
the 9.8a OpenSSL distribution. Is that a good start?

thanks

Sara
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: Dynamic Engine II

1.41421
OpenSSL's Achilles's heel is its incomplete documentation, and the fact that apparently nobody seems to know the answer to a large percentage of questions, if this forum is a measure of that. Anyway, having gone through the exercise of putting together a crypto engine for OpenSSL, just about the only thing that helped me was the code available for other crypto engines already in the OpenSSL distribution itself.




Re: Dynamic Engine II

Sara Fonseca
Ok... If I wanted to test those example engines, how could I do that?
Is there any way to test them without the hardware? I loaded it
successfully:

 ../apps/openssl engine dynamic -pre SO_PATH:./libatalla.so -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:./libatalla.so
[Success]: LOAD
Loaded: (atalla) Atalla hardware engine support

How could I use it now?

thanks again

Sara


Re: Dynamic Engine II

1.41421
I would have thought that without the appropriate hardware you won't be able to use the engine. But, assuming that you have it, you would do something like this:

        #include <openssl/ssl.h>
        #include <openssl/engine.h>

        #define CRYPTO_ENGINE_NAME       "EngineName"

        // Returns 1 if the engine was made the default, 0 otherwise.
        int use_crypto_engine(void)
        {
                ENGINE *engine;

                // Initialize the OpenSSL library.
                SSL_library_init();
                SSL_load_error_strings();

                // Load the specified crypto engine, and make it the default for
                // OpenSSL in the cases specified below.
                ENGINE_load_builtin_engines();
                engine = ENGINE_by_id(CRYPTO_ENGINE_NAME);
                if (!engine)
                        return 0;

                // ENGINE_finish() below releases a functional reference, so
                // one has to be taken with ENGINE_init() first.
                if (!ENGINE_init(engine)) {
                        ENGINE_free(engine);
                        return 0;
                }
                ENGINE_set_default_RAND(engine);
                ENGINE_set_default_RSA(engine);
                ENGINE_set_default_ciphers(engine);
                ENGINE_set_default_digests(engine);

                // Release the functional and structural references taken above.
                ENGINE_finish(engine);
                ENGINE_free(engine);
                return 1;
        }

From this point onwards, calls to the EVP interface will use the particular crypto engine that you have specified. Your engine might not implement all of this crypto though. Also, you have to make use of the EVP interface - otherwise you are screwed. The non-EVP interface for crypto in OpenSSL is just another item that will hopefully some day be removed from the OpenSSL API, in order to make it slightly less cumbersome and monstrous.



RE: Dynamic Engine II

Frédéric Donnat-2
In reply to this post by Sara Fonseca
Hi,

Maybe you could have a look at "ssl/man/man3/engine.3", there is some explanation on how engine works.

Some sample code could also be found in file apps/apps.c, in the following function:
  ENGINE *setup_engine(BIO *err, const char *engine, int debug)

You could also have a look at apps/engine.c file.

hope it could help.

Fred

Re: Dynamic Engine II

Dr. Stephen Henson
In reply to this post by Sara Fonseca
On Mon, Jan 23, 2006, Sara Fonseca wrote:

> Ok... If I wanted to test those example engines, how could I do that?
> Is there any way to test them without the hardware? I loaded it
> successfully:
>
>  ../apps/openssl engine dynamic -pre SO_PATH:./libatalla.so -pre LOAD
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:./libatalla.so
> [Success]: LOAD
> Loaded: (atalla) Atalla hardware engine support
>
> How could I use it now?
>

Almost all the ENGINEs need a specific piece of hardware. You often won't even
get that far because they also often need a proprietary library to work and
the ENGINE will fail because it can't load it.

There is a test engine which just uses OpenSSL itself for crypto and a GMP one
which uses the GMP library. Neither is compiled by default.

One of the easiest ways to load an ENGINE in an application is the auto config
method where the settings can be embedded in a config file. The "openssl"
utility supports that in openssl.cnf. Check the manual pages for the syntax
and details about how to add support to an application.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
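
The auto config method described in the reply above, as an added example (not from the thread or the OpenSSL distribution): an openssl.cnf fragment that performs the same SO_PATH and LOAD steps as the "openssl engine dynamic" command earlier in the thread. The section names and the library path are assumptions; since dynamic_path loads a shared object into the process, the example uses an absolute path instead of ./libatalla.so.

```ini
# Added example: openssl.cnf fragment for loading an ENGINE from a
# shared library through the configuration file.

# Must appear in the default (unnamed) section at the top of the file.
# "openssl_init" is an arbitrary section name chosen for this example.
openssl_conf = openssl_init

[openssl_init]
# Points at the section that lists the ENGINEs to set up.
engines = engine_section

[engine_section]
# One line per ENGINE: <label> = <section with its settings>.
atalla = atalla_section

[atalla_section]
# Id the shared library registers (reported as "(atalla)" in the thread).
engine_id = atalla

# Equivalent to sending SO_PATH, LIST_ADD and LOAD to the "dynamic" ENGINE.
# Assumed install location: use an absolute path in a directory that
# only trusted users can write to, because this file is loaded as code.
dynamic_path = /usr/local/lib/engines/libatalla.so

# Make this ENGINE the default for every algorithm it implements.
default_algorithms = ALL

# Try to initialise the ENGINE immediately. This fails when the hardware
# or the vendor library it depends on is not present.
init = 1
```

The openssl utility reads this from its default openssl.cnf or from the file named by the OPENSSL_CONF environment variable.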