Hello everybody,
is there any documentation on how to create a dynamic engine, other than README.ENGINE? I checked the eng_dyn.c file in crypto/engine in the 9.8a OpenSSL distribution. Is that a good start?

thanks

Sara
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [hidden email]
Automated List Manager                          [hidden email]
OpenSSL's Achilles's heel is its incomplete documentation,
and the fact that apparently nobody seems to know the answer to a large
percentage of questions, if this forum is a measure of that.
Anyway, having gone through the exercise of putting together a
crypto engine for OpenSSL, just about the only thing that helped me was
the code available for other crypto engines already in the OpenSSL
distribution itself.
Ok... If I wanted to test those example engines, how could I do that?
Is there any way to test them without the hardware? I loaded it successfully:

    ../apps/openssl engine dynamic -pre SO_PATH:./libatalla.so -pre LOAD
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:./libatalla.so
    [Success]: LOAD
    Loaded: (atalla) Atalla hardware engine support

How could I use it now?

thanks again

Sara
I would have thought that
without the appropriate hardware you won't be able to use the engine.
But, assuming that you have it, you would do something like this:

    #include <openssl/ssl.h>
    #include <openssl/engine.h>

    #define CRYPTO_ENGINE_NAME "EngineName"

    void use_crypto_engine(void) {
        ENGINE *engine;

        // Initialize the OpenSSL library.
        SSL_library_init();
        SSL_load_error_strings();

        // Load the specified crypto engine, and make it the default for OpenSSL
        // in the cases specified below.
        ENGINE_load_builtin_engines();
        engine = ENGINE_by_id(CRYPTO_ENGINE_NAME);   // structural reference
        if (engine) {
            // ENGINE_init() takes the functional reference that
            // ENGINE_finish() releases below.
            if (ENGINE_init(engine)) {
                ENGINE_set_default_RAND(engine);
                ENGINE_set_default_RSA(engine);
                ENGINE_set_default_ciphers(engine);
                ENGINE_set_default_digests(engine);
                ENGINE_finish(engine);   // release the functional reference
            }
            ENGINE_free(engine);         // release the structural reference
        }
    }

From this point onwards, calls to the EVP interface will use the particular crypto engine that you have specified. Your engine might not implement all of this crypto though. Also, you have to make use of the EVP interface - otherwise you are screwed. The non EVP interface for crypto in OpenSSL is just another item that will hopefully some day be removed from the OpenSSL API, in order to make it slightly less cumbersome and monstrous.
In reply to this post by Sara Fonseca
Hi,
Maybe you could have a look at "ssl/man/man3/engine.3", there is some explanation on how engine works.
Some sample code could also be found in file apps/apps.c, in the following function:

    ENGINE *setup_engine(BIO *err, const char *engine, int debug)

You could also have a look at the apps/engine.c file.

hope it could help.

Fred

-----Original Message-----
From: JCA [mailto:[hidden email]]
Sent: Mon 1/23/2006 9:00 PM
To: [hidden email]
Subject: Re: Dynamic Engine II
In reply to this post by Sara Fonseca
On Mon, Jan 23, 2006, Sara Fonseca wrote:
> Ok... If I wanted to test those example engines, how could I do that?
> Is there any way to test them without the hardware? I loaded it
> successfully:
>
> ../apps/openssl engine dynamic -pre SO_PATH:./libatalla.so -pre LOAD
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:./libatalla.so
> [Success]: LOAD
> Loaded: (atalla) Atalla hardware engine support
>
> How could I use it now?
>

Almost all the ENGINEs need a specific piece of hardware. You often won't even get that far because they also often need a proprietary library to work and the ENGINE will fail because it can't load it.

There is a test engine which just uses OpenSSL itself for crypto and a GMP one which uses the GMP library. Neither is compiled by default.

One of the easiest ways to load an ENGINE in an application is the auto config method where the settings can be embedded in a config file. The "openssl" utility supports that in openssl.cnf. Check the manual pages for the syntax and details about how to add support to an application.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
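The auto config method mentioned in the last reply, shown as an added example that is not part of the original thread: an openssl.cnf fragment that loads the atalla engine from Sara's command line through the engine configuration module. The section names are arbitrary labels and the library path is a placeholder.

```ini
# openssl.cnf fragment (added example; the path below is a placeholder)

# Must appear in the default section, before any [section] header.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# Left side is a label; the right side names the section with the settings.
atalla = atalla_section

[atalla_section]
# Engine id as reported in the "Loaded: (atalla)" line. If present, this
# command has to be the first one in the section.
engine_id = atalla

# Sends SO_PATH and LOAD to the "dynamic" engine, like the -pre options on
# the command line. The shared object runs inside every process that reads
# this file, so use an absolute path in a directory only root can write to
# rather than "./libatalla.so", which depends on the current directory.
dynamic_path = /placeholder/path/to/libatalla.so

# Route only the algorithms you intend through the engine. ALL is also
# accepted, but a narrow list makes it obvious which operations leave
# OpenSSL's own implementation.
default_algorithms = RSA

# Initialise the engine while the config is parsed. An engine that cannot
# initialise (no device, missing vendor library) then makes config loading
# fail at start-up instead of on first use.
init = 1
```

An application reads this file when it calls OPENSSL_config(NULL) during start-up, after which the EVP calls use the engine for the listed algorithms.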