alternative to deprecated ENGINE_* API for external engines for openssl-3.0.0


alternative to deprecated ENGINE_* API for external engines for openssl-3.0.0

Emeric Brun
Trying to compile my soft using openssl-3.0.0alpha5, I notice a lot of warnings about deprecated ENGINE_* functions (since commit 8dab4de53887639abc1152288fac76506beb87b3).

Is there any documentation on a new API/functions to handle external crypto engines?

R,
Emeric



Re: alternative to deprecated ENGINE_* API for external engines for openssl-3.0.0

Matt Caswell-2


On 30/07/2020 16:06, Emeric Brun wrote:
> Trying to compile my soft using openssl-3.0.0alpha5, I notice a lot of warnings about deprecated ENGINE_* functions (since commit 8dab4de53887639abc1152288fac76506beb87b3).
>
> Is there any documentation on a new API/functions to handle external crypto engines?

As noted in the CHANGES file the preferred alternative is to use the new
"provider" APIs. Providers are fundamental to OpenSSL 3.0. You can read
about how they're used and configured in 3.0 on this wiki page:

https://wiki.openssl.org/index.php/OpenSSL_3.0

There's some more detailed documentation about providers here:

https://www.openssl.org/docs/manmaster/man7/provider.html

If you're interested in writing providers then there's an example one on
this man page:

https://www.openssl.org/docs/manmaster/man7/provider-base.html


OpenSSL 3.0 comes with a number of built-in or out-of-the-box providers
which are documented here:

https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-default.html
https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-FIPS.html
https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-legacy.html
https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-null.html

There's also a number of other pages for provider authors about the
various hooks available for different types of algorithm, e.g. see:

https://www.openssl.org/docs/manmaster/man7/provider-cipher.html

This gives details about the hooks for symmetric ciphers. There are
other similar pages for different algorithm types linked from here:

https://www.openssl.org/docs/manmaster/man7/


Hope that helps,

Matt

Re: alternative to deprecated ENGINE_* API for external engines for openssl-3.0.0

Emeric Brun
Hi Matt,

On 7/30/20 5:39 PM, Matt Caswell wrote:

>
>
> On 30/07/2020 16:06, Emeric Brun wrote:
>> Trying to compile my soft using openssl-3.0.0alpha5, I notice a lot of warnings about deprecated ENGINE_* functions (since commit 8dab4de53887639abc1152288fac76506beb87b3).
>>
>> Is there any documentation on a new API/functions to handle external crypto engines?
>
> As noted in the CHANGES file the preferred alternative is to use the new
> "provider" APIs. Providers are fundamental to OpenSSL 3.0. You can read
> about how they're used and configured in 3.0 on this wiki page:
>
> https://wiki.openssl.org/index.php/OpenSSL_3.0
>
> There's some more detailed documentation about providers here:
>
> https://www.openssl.org/docs/manmaster/man7/provider.html
>
> If you're interested in writing providers then there's an example one on
> this man page:
>
> https://www.openssl.org/docs/manmaster/man7/provider-base.html
>
>
> OpenSSL 3.0 comes with a number of built-in or out-of-the-box providers
> which are documented here:
>
> https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-default.html
> https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-FIPS.html
> https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-legacy.html
> https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-null.html
>
> There's also a number of other pages for provider authors about the
> various hooks available for different types of algorithm, e.g. see:
>
> https://www.openssl.org/docs/manmaster/man7/provider-cipher.html
>
> This gives details about the hooks for symmetric ciphers. There are
> other similar pages for different algorithm types linked from here:
>
> https://www.openssl.org/docs/manmaster/man7/
>
>
> Hope that helps,
>
> Matt
>

Thanks! A lot to read!

I have a few questions:

Do those changes have an impact on the external engine side API, especially for Async engines? The most used engine with my application is the Intel Quick Assist, in async mode.

Does Intel have something to do to be compliant with the new v3.0.0's "provider" model for the Intel Quick Assist engine?

https://github.com/intel/QAT_Engine

R,
Emeric


Re: alternative to deprecated ENGINE_* API for external engines for openssl-3.0.0

Matt Caswell-2


On 31/07/2020 16:57, Emeric Brun wrote:

>
> Thanks! A lot to read!
>
> I have a few questions:
>
> Do those changes have an impact on the external engine side API, especially for Async engines? The most used engine with my application is the Intel Quick Assist, in async mode.
>
> Does Intel have something to do to be compliant with the new v3.0.0's "provider" model for the Intel Quick Assist engine?
>
> https://github.com/intel/QAT_Engine

Yes and no!

The entire ENGINE API is deprecated. Existing ENGINE authors should look
to convert their engines to providers instead.

However, although they are deprecated they do still *work*, i.e. the
ENGINE support has not been removed (yet). So if you need to use an
ENGINE in 3.0, then it should be fine - but until such time as the
ENGINE authors update the ENGINE to be a provider you will have to live
with the various deprecation warnings (or suppress them).

Matt
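
The coexistence described in this thread, sketched as an openssl.cnf fragment. This is an added example, not part of the thread and not taken from the OpenSSL or QAT_Engine projects. The names vendorprov and vendorengine and both module paths are hypothetical placeholders. The section keys (providers, engines, module, activate, engine_id, dynamic_path, default_algorithms, init) are the ones documented in OpenSSL's config man page.

```ini
# Constructed example: OpenSSL 3.0 configuration that activates providers
# and keeps a legacy ENGINE loaded until its vendor ships a provider.
openssl_conf = openssl_init

[openssl_init]
# New in 3.0: provider activation.
providers = provider_sect
# Legacy: the ENGINE section is deprecated in 3.0 but still processed.
engines = engine_sect

[provider_sect]
# Once any provider is activated here, the default provider is no longer
# loaded implicitly, so list it explicitly or the built-in algorithms
# become unavailable.
default = default_sect
# Hypothetical third-party provider, the eventual replacement for the engine.
vendorprov = vendorprov_sect

[default_sect]
activate = 1

[vendorprov_sect]
# Placeholder path; review ownership and permissions of any module loaded
# here, since it runs inside every process that reads this file.
module = /placeholder/path/vendorprov.so
activate = 1

[engine_sect]
vendorengine = vendorengine_sect

[vendorengine_sect]
# Hypothetical legacy engine, kept only for the transition period.
engine_id = vendorengine
dynamic_path = /placeholder/path/vendorengine.so
default_algorithms = ALL
init = 1
```

On an OpenSSL 3.0 installation, `openssl list -providers` shows which providers this configuration actually activated.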