Hi,

Having engine to be a loadable module seems to be a very flexible way of supporting hardware accelerators.

The engine support so far is limited to rsa public/private operations, encryption and decryption, modexp etc., which gives flexibility to the companies developing hardware accelerators to develop their own engine. But now let's think about expanding its functionality to support higher level functions that would do more than just encryption/decryption, like:

* generating client and server finished messages from client key exchange, random values and rest of the handshake messages.
* generating certificate verify message in client authentication mode.
* record processing functions

I have modified openssl0.9.6 for the ssl processor developed by Cavium Networks, which is a programmable ssl engine with all of these (and more) functionalities supported in hardware. We have developed an API layer and device drivers for openssl to talk to the chip, and I have modified openssl to make our API calls at appropriate places.

I foresee that this next generation of security processors that do ssl protocol processing in hardware would be very much welcomed, as they take virtually everything off the host processor, which would now do only book keeping of ssl states and tcp/ip processing. So now it would be a good time to start thinking about providing some sort of support in openssl for these types of processors.

Thanks,
Imran.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte - VMS Whacker
Sent: Wednesday, January 09, 2002 4:25 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Adding a new hardware accelerator

From: [EMAIL PROTECTED]

Christian.Gohmann> My questions are:
Christian.Gohmann> - How can I distribute my code to have CryptOn2
Christian.Gohmann>   integrated into openssl-engine-0.9.6x?

You send the changes to [EMAIL PROTECTED] I can't guarantee that it'll get, since that depends on both time and policy.

Christian.Gohmann> - I looked into the current snapshot and found a
Christian.Gohmann>   lot of changes within the engine part. It seems to
Christian.Gohmann>   me that hardware accelerated symmetric crypto and
Christian.Gohmann>   hashing will also be supported by the future 0.9.7
Christian.Gohmann>   release of openssl. How can I support you with the
Christian.Gohmann>   0.9.7 integration? Do I concentrate on the engine
Christian.Gohmann>   adaption or on OpenBSD's /dev/crypto or on a
Christian.Gohmann>   PKCS#11 module?

If you look closer, you will see that there is already an implementation for OpenBSD's /dev/crypto. You may want to take a look at it and try it out.

Also, you may have discovered that engines in 0.9.7 can be implemented as separate dynamically loadable libraries. For an example, look in demos/engines/rsaref/. This means that you can support the engine part of your board and distribute it yourselves. We don't mind having it as part of the source, but we can't absolutely guarantee that we'll maintain it ourselves.

Christian.Gohmann> - Do you need some CryptOn2 boards to verify the
Christian.Gohmann>   functionality?

If nothing else, I'd find it pleasing to play with that. On a more serious note, having some boards and libraries from vendors to play with can help us enhance the ENGINE framework to reach a higher level of flexibility. After all, what we have implemented so far has partly been to meet the needs of the hardware interfaces we've used until now.

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

______________________________________________________________________
OpenSSL Project                 http://www.openssl.org
Development Mailing List        [EMAIL PROTECTED]
Automated List Manager          [EMAIL PROTECTED]
