Anthony Scarpino wrote:
> Brian Smith wrote:
> > I know that the Solaris Cryptographic Framework on Solaris 10
> > supports SHA-256 because I see it in "digest -l". I also know
> > that Solaris 10 has an adapter that implements part of the
> > OpenSSL API using the Cryptographic Framework. Is it possible
> > to add SHA-256 support using that adapter? Or, do I have to
> > add the SHA-256 support using the Cryptographic Framework's
> > PKCS#11 API?
>
> I believe you're referring to the pkcs11_engine. That is one way to
> do it if you prefer the OpenSSL API..

It didn't work. The engine works fine for SHA1 and MD5, but if I request digest 672 (hard-coded value of NID_sha256, since NID_sha256 isn't in the openssl headers), it fails. If I use the PKCS#11 interface, CKM_SHA256 works just fine. Maybe this is because of bug 6562155 (http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6562155).

> You will have to make sure you compile with the pkcs11_engine enabled.
> Alas the exact way one does that I haven't had to do yet..

I will include the test program at the end of this email.

> If you are using a machine with a hardware accelerator (an UltraSparc-T2
> machine or a crypto card), metaslot will pick the hardware accelerator
> first.. For short messages it can be quicker to use software because of
> the software overhead to use the crypto provider. But unless you're
> writing a performance critical application, I doubt you will notice the
> difference..

It is a DNS server, so the messages are very small and the latency is important.

Thank you for your help.

Regards,
Brian

Here is my test program. Compile it with:

Run it as:

./a.out ; echo $?

#include <stdio.h>
#include <stdlib.h>
#include <openssl/engine.h>
#include <openssl/objects.h>

/* The exit status identifies the first step that failed (0 = none). */
int main(void)
{
    ENGINE *e;
    const EVP_MD *hmac_sha1;
    const EVP_MD *hmac_sha256;
    ENGINE_DIGESTS_PTR get_digests;
    int n_digests;
    const int *nids;
    int i;

    /* Load the built-in engines and select the pkcs11 engine. */
    ENGINE_load_builtin_engines();
    e = ENGINE_by_id("pkcs11");
    if (e == NULL) return 1;
    if (!ENGINE_init(e)) return 2;
    if (!ENGINE_register_digests(e)) return 3;

    /* Request SHA-1 from the engine. */
    hmac_sha1 = ENGINE_get_digest(e, NID_sha1);
    if (hmac_sha1 == NULL) return 4;

    /* Print the NID of every digest the engine offers. */
    get_digests = ENGINE_get_digests(e);
    if (get_digests == NULL) return 5;
    n_digests = get_digests(e, NULL, &nids, 0);
    if (n_digests < 0) return 6;
    for (i = 0; i < n_digests; ++i) {
        printf("%d\n", nids[i]);
    }

    /* 672 is the hard-coded value of NID_sha256. */
    hmac_sha256 = ENGINE_get_digest(e, 672);
    if (hmac_sha256 == NULL) return 7;

    return 0;
}