It was noted, not long ago, that the engine code doesn't look at
OPENSSL_NO_* macros, and therefore fails to compile if any of the
algorithms RSA, DSA or DH have been disabled.

So, checking for those macros and disabling a number of functions
isn't very hard, but I'm wondering about the thoughts behind that.

The way this currently works is that if RSA is disabled
(OPENSSL_NO_RSA is defined), you can't even include rsa.h, and the RSA
functions are completely missing.  This is absolutely fine as long as
we only live within OpenSSL itself.

Enter the ENGINE, which provides an interface to external devices
which might have RSA functionality.  The way things are done in
OpenSSL, if RSA is disabled, it will not only be disabled within
OpenSSL, but also in the interface to the external crypto device, thus
rendering it useless.

I perfectly understand that patent laws and other stuff like that
make disabling mandatory in certain countries, but to what extent?
Must it really remove all functions, and not only those that actually
implement the algorithm in question?  Unless this philosophy is
changed, OpenSSL with RSA, DSA or DH disabled won't be able to use
those algorithms in external crypto devices either.  Honestly, that
sucks badly.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
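
The alternative the message asks about, sketched as an added example (not code from the post or from OpenSSL): the build macro removes only the built-in implementation, while the method table an external provider registers against stays declared. All names (`DEMO_NO_RSA`, `demo_*`) are hypothetical, and the device operation is a placeholder copy.

```c
/* Added illustration; every name (DEMO_NO_RSA, demo_*) is hypothetical, not OpenSSL's. */
#include <stdio.h>
#include <string.h>
#define DEMO_NO_RSA 1  /* constructed: a build with the built-in algorithm disabled */

/* Interface: declared unconditionally, so a device driver can still bind to it. */
typedef struct demo_rsa_method {
    const char *name;
    int (*priv_op)(const unsigned char *in, size_t len, unsigned char *out);
} demo_rsa_method;

#ifndef DEMO_NO_RSA
/* Built-in software implementation: the only part the macro removes. */
static int sw_priv_op(const unsigned char *in, size_t len, unsigned char *out)
{ memcpy(out, in, len); return (int)len; }  /* placeholder for the computation */
static const demo_rsa_method sw_method = { "builtin", sw_priv_op };
#endif

/* Stand-in for an external device: the computation happens outside the library. */
static int hw_priv_op(const unsigned char *in, size_t len, unsigned char *out)
{ memcpy(out, in, len); return (int)len; }  /* placeholder for the device call */
const demo_rsa_method demo_hw_method = { "external-device", hw_priv_op };

static const demo_rsa_method *registered;  /* set by an engine-style provider */
void demo_register_method(const demo_rsa_method *m) { registered = m; }

const demo_rsa_method *demo_get_method(void)
{
    if (registered) return registered;
#ifndef DEMO_NO_RSA
    return &sw_method;
#else
    return NULL;  /* nothing built in, but the interface itself still exists */
#endif
}

int demo_priv_op(const unsigned char *in, size_t len, unsigned char *out)
{
    const demo_rsa_method *m = demo_get_method();
    return m ? m->priv_op(in, len, out) : -1;  /* -1: no provider available */
}

int main(void)
{
    unsigned char in[4] = {1, 2, 3, 4}, out[4];
    printf("before: %d\n", demo_priv_op(in, 4, out));
    demo_register_method(&demo_hw_method);
    printf("after:  %d via %s\n", demo_priv_op(in, 4, out), demo_get_method()->name);
    return 0;
}
```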
