[openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915)
OK, I looked at the no-engine patch again, and really saw no harm in it, so it's committed, and will be part of all release from 0.9.7a and on (as well as the current 0.9.7 and main snapshots). This ticket is now resolved. -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #287] [PATCH] no-engine(openssl-0.9.7-stable-SNAP-20020915)
* Richard Levitte via RT ([EMAIL PROTECTED]) wrote: OK, I looked at the no-engine patch again, and really saw no harm in it, so it's committed, and will be part of all release from 0.9.7a and on (as well as the current 0.9.7 and main snapshots). This ticket is now resolved. Erm, I think there's a fundemantal problem with this. I understand the desire to build a version of openssl such that it doesn't include the engine footprint, nor its execution overheads. I could possibly accept that binary incompatibilities could be accepted between applications and/or libraries on the basis that you'd only bother doing this stuff if you were *determined* to have ENGINE surgically removed. Ie. we already state that for binary compatibility, 0.9.x !~ 0.9.(x+1), however we could perhaps also tolerate the situation where for a fixed 'x', 0.9.x-engine !~ 0.9.x-noengine. What I can't accept is that the precompiler symbol used to *build* a non-engine version of openssl is used in the exported header files in a way that alters the definitions of API structures. Ie. if you build a non-engine version of openssl, your application code will silently compile and link whether you defined OPENSSL_NO_ENGINE or not (and/or whether you define OPENSSL_NO_ENGINE before or after including the relevant headers) - *but* the resulting object code will use conflicting descriptions of data structures unless the app's author got everything correct. As for how this could impact distributions using system-wide versions of openssl as shared-libraries is obvious and so in this state, the nonengine approach would be considered untouchable even by those who want it. I know, the practise of system-wide shared libraries is not considered wise for openssl - but if distributors are vigilant about only using version-specific linking then IMHO that's OK, this type of configuration option threatens to break that. IMHO the better way to have handled this would have been to opaquely define the ENGINE type in crypto.h (this could also reduce some header dependencies on engine.h BTW) so that all the existing structures can remain as-is. Ie. if RSA has an ENGINE* member, leave it there - but disable all use of the ENGINE API in the RSA implementation (and the trick of #error in engine.h is fine). This way, whether you get ENGINE functionality, footprint, and overheads at run-time depends *only* on whether openssl was built with it or without it. It won't be essential for applications to bother defining OPENSSL_NO_ENGINE - though if they do it will correctly stop them accidently including engine.h (and thus prevent linker failures if they accidently try to use ENGINE functionality). The point is, compatibility between application object code and openssl (be it static or dynamic) won't be volatile. FYI: the easiest example to see the problem is EVP_MD_CTX in crypto/evp/evp.h:280 - the structure definition is incompatible if OPENSSL_NO_ENGINE is defined (or undefined, as the case may be). IMHO OPENSSL_NO_ENGINE shouldn't change structure definitions, it should change only the building of openssl implementation code. Cheers, Geoff -- Geoff Thorpe [EMAIL PROTECTED] http://www.openssl.org/ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #287] [PATCH] no-engine(openssl-0.9.7-stable-SNAP-20020915)
In message [EMAIL PROTECTED] on Thu, 30 Jan 2003 13:33:59 -0500, Geoff Thorpe [EMAIL PROTECTED] said: geoff Erm, I think there's a fundemantal problem with this. I understand the geoff desire to build a version of openssl such that it doesn't include the geoff engine footprint, nor its execution overheads. I could possibly accept geoff that binary incompatibilities could be accepted between applications geoff and/or libraries on the basis that you'd only bother doing this stuff if geoff you were *determined* to have ENGINE surgically removed. Ie. we already geoff state that for binary compatibility, 0.9.x !~ 0.9.(x+1), however we geoff could perhaps also tolerate the situation where for a fixed 'x', geoff 0.9.x-engine !~ 0.9.x-noengine. From a functional point of view, this is not different from, for example, specifying no-rsa. geoff What I can't accept is that the precompiler symbol used to *build* a geoff non-engine version of openssl is used in the exported header files in a geoff way that alters the definitions of API structures. Ie. if you build a [...] Very good point. However: geoff IMHO the better way to have handled this would have been to opaquely geoff define the ENGINE type in crypto.h (this could also reduce some header geoff dependencies on engine.h BTW) so that all the existing structures can No need, there's a very practical line in ossl_typ.h :-). Working on the problem. Thanks for noticing it. -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915)
I have to ask: why do you feel the need to remove the ENGINE framework? I can understand that you might not want to have any built-in engines (the option 'no-hw' to Configure should help. If not, I'm happy to apply a corrective patch). I'd like a good explanation before I consider applying this patch, especially since the ENGINE platform may become a very integral part of OpenSSL. -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915)
Richard, I found that the no-hw option didn't work. After discussing it on the list I agreed to contribute a no-engine option. I understand that no-engine doesn't imply the same thing as no-hw, but it still seems like a good option to have. Until the software crypto gets moved into an engine this option allows building of an OpenSSL classic which is useful when footprint is important, such as when ported to PDA's (and maybe even the next generation of mobile phones). The Windows CE port that I've been working on would require a lot more #ifndef ...CE's to be inserted into the code if no-engine isn't supported. Perhaps these are due to no-hw not being implemented fully. With seemingly silly configuration options like no-evp, no-bio, no-stack being supported, I don't think no-engine is such a bad idea. Perhaps in the future it will not be useful, but for now I need it for my port. Steven -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte via RT Sent: Friday, 4 October 2002 10:48 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915) I have to ask: why do you feel the need to remove the ENGINE framework? I can understand that you might not want to have any built-in engines (the option 'no-hw' to Configure should help. If not, I'm happy to apply a corrective patch). I'd like a good explanation before I consider applying this patch, especially since the ENGINE platform may become a very integral part of OpenSSL. -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915)
Richard, I found that the no-hw option didn't work. After discussing it on the list I agreed to contribute a no-engine option. I understand that no-engine doesn't imply the same thing as no-hw, but it still seems like a good option to have. Until the software crypto gets moved into an engine this option allows building of an OpenSSL classic which is useful when footprint is important, such as when ported to PDA's (and maybe even the next generation of mobile phones). The Windows CE port that I've been working on would require a lot more #ifndef ...CE's to be inserted into the code if no-engine isn't supported. Perhaps these are due to no-hw not being implemented fully. With seemingly silly configuration options like no-evp, no-bio, no-stack being supported, I don't think no-engine is such a bad idea. Perhaps in the future it will not be useful, but for now I need it for my port. Steven -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte via RT Sent: Friday, 4 October 2002 10:48 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915) I have to ask: why do you feel the need to remove the ENGINE framework? I can understand that you might not want to have any built-in engines (the option 'no-hw' to Configure should help. If not, I'm happy to apply a corrective patch). I'd like a good explanation before I consider applying this patch, especially since the ENGINE platform may become a very integral part of OpenSSL. -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915)
[[EMAIL PROTECTED] - Fri Oct 4 15:32:21 2002]: I found that the no-hw option didn't work. Hmm, I probably need to reread that thread. Could you tell me approximately when it was discussed? After discussing it on the list I agreed to contribute a no-engine option. I understand that no-engine doesn't imply the same thing as no-hw, but it still seems like a good option to have. Until the software crypto gets moved into an engine this option allows building of an OpenSSL classic which is useful when footprint is important, such as when ported to PDA's (and maybe even the next generation of mobile phones). OK, I can accept footprint as an argument. With seemingly silly configuration options like no-evp, no-bio, no-stack being supported, I entirely agree that those are silly. I've some plans for the future to do a major review of those options. Besides, supported is a matter of definition. Just the fact that you can actually give them to the Configure script doesn't really mean they're supported. Just try giving 'no-stack' and you'll probably see the build of OpenSSL fall flat and never recover (until you've caught your senses and reconfigured :-)). -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915)
I think it was about a month ago and would have mentioned no-hw and no-engine in the messages, in fact there probably aren't too many messages with no-engine in them. I don't recall giving any details about what was wrong with no-hw and don't recall the details now. Though I do remember that if I didn't add the no-engine option that I'd have to add a lot more #ifndef ...WINDOWS_CE blocks and that the code would be messier than need be, and messier than I was happy about. Yes, I was using the word supported loosely. I'm not sure what use a no-evp/no-stack/no-bio OpenSSL would be. :-) Steven -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte via RT Sent: Saturday, 5 October 2002 12:12 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915) [[EMAIL PROTECTED] - Fri Oct 4 15:32:21 2002]: I found that the no-hw option didn't work. Hmm, I probably need to reread that thread. Could you tell me approximately when it was discussed? After discussing it on the list I agreed to contribute a no-engine option. I understand that no-engine doesn't imply the same thing as no-hw, but it still seems like a good option to have. Until the software crypto gets moved into an engine this option allows building of an OpenSSL classic which is useful when footprint is important, such as when ported to PDA's (and maybe even the next generation of mobile phones). OK, I can accept footprint as an argument. With seemingly silly configuration options like no-evp, no-bio, no-stack being supported, I entirely agree that those are silly. I've some plans for the future to do a major review of those options. Besides, supported is a matter of definition. Just the fact that you can actually give them to the Configure script doesn't really mean they're supported. Just try giving 'no-stack' and you'll probably see the build of OpenSSL fall flat and never recover (until you've caught your senses and reconfigured :-)). -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915)
I think it was about a month ago and would have mentioned no-hw and no-engine in the messages, in fact there probably aren't too many messages with no-engine in them. I don't recall giving any details about what was wrong with no-hw and don't recall the details now. Though I do remember that if I didn't add the no-engine option that I'd have to add a lot more #ifndef ...WINDOWS_CE blocks and that the code would be messier than need be, and messier than I was happy about. Yes, I was using the word supported loosely. I'm not sure what use a no-evp/no-stack/no-bio OpenSSL would be. :-) Steven -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte via RT Sent: Saturday, 5 October 2002 12:12 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915) [[EMAIL PROTECTED] - Fri Oct 4 15:32:21 2002]: I found that the no-hw option didn't work. Hmm, I probably need to reread that thread. Could you tell me approximately when it was discussed? After discussing it on the list I agreed to contribute a no-engine option. I understand that no-engine doesn't imply the same thing as no-hw, but it still seems like a good option to have. Until the software crypto gets moved into an engine this option allows building of an OpenSSL classic which is useful when footprint is important, such as when ported to PDA's (and maybe even the next generation of mobile phones). OK, I can accept footprint as an argument. With seemingly silly configuration options like no-evp, no-bio, no-stack being supported, I entirely agree that those are silly. I've some plans for the future to do a major review of those options. Besides, supported is a matter of definition. Just the fact that you can actually give them to the Configure script doesn't really mean they're supported. Just try giving 'no-stack' and you'll probably see the build of OpenSSL fall flat and never recover (until you've caught your senses and reconfigured :-)). -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915)
__ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915)
The patch that I submitted is incomplete. I thought that it was working because I forgot that the tests need to be invoked manually. Looks like a little more work to do. Steven - Original Message - From: Steven Reddie via RT [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, September 17, 2002 5:02 PM Subject: [openssl.org #287] [PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020915) __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]