Re: OpenSSL engine support in OpenSSL FIPS Object Module

[Kyle Hamilton]

On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
 Thanks a lot for the explanation. We have range of products that
 provides network connectivity.

 1.  On these  we would be using TPM to provide additional security.

 2.  On the products that are bit slow in software cryptographic
 operation, we also would be using hardware acceleration chips, that
 would do crypto operations.

I'm going to guess that you are grouping these into class 1 (related
to the TPM) and class 2 (related to offloading).  Since you already
have a thread for class 1, I'll only respond to your class 2
questions here.

For background, FIPS is basically a specific mode of operation for US
Federal agencies, and is targeted specifically to Federal procurement
mandates.  In government systems which are actually required to use FIPS
mode, you are not allowed to use any crypto services (whether from
OpenSSL or from any other device) that don't use an approved FIPS mode
of operation.  No other people actually *need* FIPS mode.  (I tend to
use it whenever I can because it tends to reduce crypto container
information leakage, and also makes it more likely that the cryptography
is correct and interoperable.)

 In this post I wanted to know to support an hardware accelerator that
 supports FIPS enabled algorithms implemented apart from supporting the
 hardware from OpenSSL side, do we need to make changes in FIPS module
 as well.

If I understand you correctly, you wish to alter the FIPS canister to
offload time-consuming operations to hardware acceleration.  If this
understanding is correct, I must regretfully inform you that it cannot
legitimately be done.  Oh, sure, you can technically do it -- but it
would be a modification of the black box, and require a new
validation.  (I don't believe that such an implementation could in fact
be validated, though I could be wrong.  I am not an expert.  But even if
it can be, it cannot be validated with a private-label validation and
would cost upwards of $200,000 to validate.)

Remember, the FIPS canister *as written* is the only way to legitimately
have FIPS mode from OpenSSL.  Once FIPS mode is set, only cryptographic
operations which are provided by the FIPS canister can be performed, and
only by the unmodified code within the FIPS canister.  It cannot be
offloaded, because the FIPS canister cannot be modified to perform the
offloading.  Also, by offloading, you change the boundaries of the
cryptographic provider to include additional, unverified, and quite
possibly incorrect functionality.

To see the requirements of FIPS 140-2, I recommend you download the five
pieces of the specification itself from
http://csrc.nist.gov/publications/PubsFIPS.html .  It is written in
bureaucratese, and you'll likely need several servings of alcohol to get
through it.  You should also read FIPS 200, which describes the minimum
security requirements for federal information and the systems used to
process federal information.  You'll probably want to budget several
servings of alcohol for this one, too.  Once you read these, you'll have
a much stronger understanding of how incredibly foreign the US federal
government's policy on cryptography is to the rest of society.

And remember: for US federal procurement, these are law, and the law
cannot be ignored or violated just because it would make things faster
or easier.  US government doesn't really care about how long it takes,
US government cares that it is done correctly.

-Kyle H

 Both posts looks similar. I apologize  I should have clearly mentioned
 these 2 posts are in different contexts.

 Thanks a lot.

 Regards
 Jayalakshmi




smime.p7s
Description: S/MIME Cryptographic Signature

Re: OpenSSL engine support in OpenSSL FIPS Object Module

[Jakob Bohm]

On 7/6/2014 10:44 AM, Kyle Hamilton wrote:


On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:

Thanks a lot for the explanation. We have range of products that
provides network connectivity.

1.  On these  we would be using TPM to provide additional security.

2.  On the products that are bit slow in software cryptographic
operation, we also would be using hardware acceleration chips, that
would do crypto operations.


I'm going to guess that you are grouping these into class 1 (related
to the TPM) and class 2 (related to offloading).  Since you already
have a thread for class 1, I'll only respond to your class 2
questions here.

For background, FIPS is basically a specific mode of operation for US
Federal agencies, and is targeted specifically to Federal procurement
mandates.  In government systems which are actually required to use FIPS
mode, you are not allowed to use any crypto services (whether from
OpenSSL or from any other device) that don't use an approved FIPS mode
of operation.  No other people actually *need* FIPS mode.  (I tend to
use it whenever I can because it tends to reduce crypto container
information leakage, and also makes it more likely that the cryptography
is correct and interoperable.)


(In the case of OpenSSL, this actually wins you very little).

Let me try to approach this from a different angle.

LEGALLY:

If you have the luxury of having more than one FIPS validated device
available to you, you probably (ask a lawyer to be absolutely sure),
can use all of them together.  However to claim FIPS compliance of the
resulting application, you must not do any cryptography outside those
devices, and it must be impossible for the FIPS-mode variant of your
application to fall back to any non-validated implementations in case
of errors etc.  Additionally you may or may not (really ask a lawyer)
be legally (not technically) required to treat any keys, passwords
etc. handed from one device to another AS IF those keys were traveling
over an insecure connection even though they never leave your process
address space on an EAL-whatever-level certified operating system on an
EAL-whatever-level certified computer.

TECHNICALLY:

If you want to combine the use of multiple FIPS validated devices,
one of which happens to be the OpenSSL FIPS cannister, and another
one a piece of hardware accessed using an OpenSSL Engine, it is an
open technical question if the FIPS-enabled OpenSSL (which is legally
outside both devices and /can/ be changed) will correctly combine use
of the OpenSSL FIPS canister with the ENGINE for accessing the hardware
device, or if it will somehow fail to do so.

For instance I am unsure what happens if the ENGINE plugin for the
FIPS validated hardware device calls back to OpenSSL for cryptographic
operations outside the scope of that device (it might do that because
that piece of hardware is also used outside USGov and the ENGINE code
was written for that case).  Will OpenSSL pass the calls to the FIPS
canister (if in FIPS mode) or use the non-validated software
implementations?

I am also unsure if the FIPS-enabled OpenSSL library allows use of
Engines when (runtime) configured in FIPS mode?

Finally /if/ it is legally required to go through additional
gymnastics when transporting parameters from one FIPS device to
another, I am unsure if the FIPS-enabled OpenSSL library will do so
when the transport is internal to OpenSSL and its ENGINE plugins.




To see the requirements of FIPS 140-2, I recommend you download the five
pieces of the specification itself from
http://csrc.nist.gov/publications/PubsFIPS.html .  It is written in
bureaucratese, and you'll likely need several servings of alcohol to get
through it.  You should also read FIPS 200, which describes the minimum
security requirements for federal information and the systems used to
process federal information.  You'll probably want to budget several
servings of alcohol for this one, too.  Once you read these, you'll have
a much stronger understanding of how incredibly foreign the US federal
government's policy on cryptography is to the rest of society.

And remember: for US federal procurement, these are law, and the law
cannot be ignored or violated just because it would make things faster
or easier.  US government doesn't really care about how long it takes,
US government cares that it is done correctly.

-Kyle H


Both posts looks similar. I apologize  I should have clearly mentioned
these 2 posts are in different contexts.

Thanks a lot.

Regards
Jayalakshmi






Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   

Re: OpenSSL engine support in OpenSSL FIPS Object Module

[Jayalakshmi bhat]

Hi Kyle,

Thanks a lot for detailed explaination, it helped me lots.

Regards
Jayalakshmi

On Sun, Jul 6, 2014 at 2:44 AM, Kyle Hamilton aerow...@gmail.com wrote:


 On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
  Thanks a lot for the explanation. We have range of products that
  provides network connectivity.
 
  1.  On these  we would be using TPM to provide additional security.
 
  2.  On the products that are bit slow in software cryptographic
  operation, we also would be using hardware acceleration chips, that
  would do crypto operations.

 I'm going to guess that you are grouping these into class 1 (related
 to the TPM) and class 2 (related to offloading).  Since you already
 have a thread for class 1, I'll only respond to your class 2
 questions here.

 For background, FIPS is basically a specific mode of operation for US
 Federal agencies, and is targeted specifically to Federal procurement
 mandates.  In government systems which are actually required to use FIPS
 mode, you are not allowed to use any crypto services (whether from
 OpenSSL or from any other device) that don't use an approved FIPS mode
 of operation.  No other people actually *need* FIPS mode.  (I tend to
 use it whenever I can because it tends to reduce crypto container
 information leakage, and also makes it more likely that the cryptography
 is correct and interoperable.)

  In this post I wanted to know to support an hardware accelerator that
  supports FIPS enabled algorithms implemented apart from supporting the
  hardware from OpenSSL side, do we need to make changes in FIPS module
  as well.

 If I understand you correctly, you wish to alter the FIPS canister to
 offload time-consuming operations to hardware acceleration.  If this
 understanding is correct, I must regretfully inform you that it cannot
 legitimately be done.  Oh, sure, you can technically do it -- but it
 would be a modification of the black box, and require a new
 validation.  (I don't believe that such an implementation could in fact
 be validated, though I could be wrong.  I am not an expert.  But even if
 it can be, it cannot be validated with a private-label validation and
 would cost upwards of $200,000 to validate.)

 Remember, the FIPS canister *as written* is the only way to legitimately
 have FIPS mode from OpenSSL.  Once FIPS mode is set, only cryptographic
 operations which are provided by the FIPS canister can be performed, and
 only by the unmodified code within the FIPS canister.  It cannot be
 offloaded, because the FIPS canister cannot be modified to perform the
 offloading.  Also, by offloading, you change the boundaries of the
 cryptographic provider to include additional, unverified, and quite
 possibly incorrect functionality.

 To see the requirements of FIPS 140-2, I recommend you download the five
 pieces of the specification itself from
 http://csrc.nist.gov/publications/PubsFIPS.html .  It is written in
 bureaucratese, and you'll likely need several servings of alcohol to get
 through it.  You should also read FIPS 200, which describes the minimum
 security requirements for federal information and the systems used to
 process federal information.  You'll probably want to budget several
 servings of alcohol for this one, too.  Once you read these, you'll have
 a much stronger understanding of how incredibly foreign the US federal
 government's policy on cryptography is to the rest of society.

 And remember: for US federal procurement, these are law, and the law
 cannot be ignored or violated just because it would make things faster
 or easier.  US government doesn't really care about how long it takes,
 US government cares that it is done correctly.

 -Kyle H

  Both posts looks similar. I apologize  I should have clearly mentioned
  these 2 posts are in different contexts.
 
  Thanks a lot.
 
  Regards
  Jayalakshmi

Re: OpenSSL engine support in OpenSSL FIPS Object Module

[Jayalakshmi bhat]

Hi Jakob,

Thank you very much for detailed and helpful explanation.

Regards
Jayalakshmi

On Sun, Jul 6, 2014 at 9:32 PM, Jakob Bohm jb-open...@wisemo.com wrote:

 On 7/6/2014 10:44 AM, Kyle Hamilton wrote:


 On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:

 Thanks a lot for the explanation. We have range of products that
 provides network connectivity.

 1.  On these  we would be using TPM to provide additional security.

 2.  On the products that are bit slow in software cryptographic
 operation, we also would be using hardware acceleration chips, that
 would do crypto operations.


 I'm going to guess that you are grouping these into class 1 (related
 to the TPM) and class 2 (related to offloading).  Since you already
 have a thread for class 1, I'll only respond to your class 2
 questions here.

 For background, FIPS is basically a specific mode of operation for US
 Federal agencies, and is targeted specifically to Federal procurement
 mandates.  In government systems which are actually required to use FIPS
 mode, you are not allowed to use any crypto services (whether from
 OpenSSL or from any other device) that don't use an approved FIPS mode
 of operation.  No other people actually *need* FIPS mode.  (I tend to
 use it whenever I can because it tends to reduce crypto container
 information leakage, and also makes it more likely that the cryptography
 is correct and interoperable.)

 (In the case of OpenSSL, this actually wins you very little).

 Let me try to approach this from a different angle.

 LEGALLY:

 If you have the luxury of having more than one FIPS validated device
 available to you, you probably (ask a lawyer to be absolutely sure),
 can use all of them together.  However to claim FIPS compliance of the
 resulting application, you must not do any cryptography outside those
 devices, and it must be impossible for the FIPS-mode variant of your
 application to fall back to any non-validated implementations in case
 of errors etc.  Additionally you may or may not (really ask a lawyer)
 be legally (not technically) required to treat any keys, passwords
 etc. handed from one device to another AS IF those keys were traveling
 over an insecure connection even though they never leave your process
 address space on an EAL-whatever-level certified operating system on an
 EAL-whatever-level certified computer.

 TECHNICALLY:

 If you want to combine the use of multiple FIPS validated devices,
 one of which happens to be the OpenSSL FIPS cannister, and another
 one a piece of hardware accessed using an OpenSSL Engine, it is an
 open technical question if the FIPS-enabled OpenSSL (which is legally
 outside both devices and /can/ be changed) will correctly combine use
 of the OpenSSL FIPS canister with the ENGINE for accessing the hardware
 device, or if it will somehow fail to do so.

 For instance I am unsure what happens if the ENGINE plugin for the
 FIPS validated hardware device calls back to OpenSSL for cryptographic
 operations outside the scope of that device (it might do that because
 that piece of hardware is also used outside USGov and the ENGINE code
 was written for that case).  Will OpenSSL pass the calls to the FIPS
 canister (if in FIPS mode) or use the non-validated software
 implementations?

 I am also unsure if the FIPS-enabled OpenSSL library allows use of
 Engines when (runtime) configured in FIPS mode?

 Finally /if/ it is legally required to go through additional
 gymnastics when transporting parameters from one FIPS device to
 another, I am unsure if the FIPS-enabled OpenSSL library will do so
 when the transport is internal to OpenSSL and its ENGINE plugins.




 To see the requirements of FIPS 140-2, I recommend you download the five
 pieces of the specification itself from
 http://csrc.nist.gov/publications/PubsFIPS.html .  It is written in
 bureaucratese, and you'll likely need several servings of alcohol to get
 through it.  You should also read FIPS 200, which describes the minimum
 security requirements for federal information and the systems used to
 process federal information.  You'll probably want to budget several
 servings of alcohol for this one, too.  Once you read these, you'll have
 a much stronger understanding of how incredibly foreign the US federal
 government's policy on cryptography is to the rest of society.

 And remember: for US federal procurement, these are law, and the law
 cannot be ignored or violated just because it would make things faster
 or easier.  US government doesn't really care about how long it takes,
 US government cares that it is done correctly.

 -Kyle H

 Both posts looks similar. I apologize  I should have clearly mentioned
 these 2 posts are in different contexts.

 Thanks a lot.

 Regards
 Jayalakshmi





 Enjoy

 Jakob
 --
 Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
 Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
 This public discussion message is non-binding and may contain errors.
 

Re: OpenSSL engine support in OpenSSL FIPS Object Module

[Steve Marquess]

On 07/05/2014 02:09 AM, Jayalakshmi bhat wrote:
 Hi All,
 
 We want to support a hardware accelerator on our device. We are using
 OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add
 engine support in OpenSSL FIPS Object module.
 
 I welcome all valuable inputs.

First, please don't cross post to both lists. The openssl-users list
would suffice.

You've more or less asked this question already.

The OpenSSL FIPS Object Module source code is available under an open
source license, so subject to the very liberal terms of that license you
can hack that code to your hearts content.

However...

The FIPS 140-2 Level 1 validation of that module (certificate #1747) is
a different thing entirely. The instant you touch the code that
validation no longer applies.  The code without the validation is
worthless (it does nothing regular OpenSSL doesn't do better, faster,
more securely). A new validation will be necessary. You will find such a
validation a significant challenge even without the source code mods you
contemplate.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL engine support in OpenSSL FIPS Object Module

[Dr. Stephen Henson]

On Sat, Jul 05, 2014, Jayalakshmi bhat wrote:

 Hi All,
 
 We want to support a hardware accelerator on our device. We are using
 OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add
 engine support in OpenSSL FIPS Object module.
 

If you literally mean adding ENGINE support to the OpenSSL FIPS Object module
then you can but it would IMHO be a pointless exercise. The ENGINE code was
stripped out to keep the number of dependencies down in the module.

If you mean add ENGINE support to the FIPS capable OpenSSL then you don't need
to as ENGINE support is already there.

I suggest you explain exactly what you want to do.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL engine support in OpenSSL FIPS Object Module

[Jayalakshmi bhat]

Hi Steve,

Thanks a lot for the explanation. We have range of products that provides
network connectivity.

1.  On these  we would be using TPM to provide additional security.

2.  On the products that are bit slow in software cryptographic operation,
we also would be using hardware acceleration chips, that would do crypto
operations.


In my previous post related to TPM like how to deal with Non-FIPS compliant
TPM chips, does it need any change in FIPS module size etc?

In this post I wanted to know to support an hardware accelerator that
supports FIPS enabled algorithms implemented apart from supporting the
hardware from OpenSSL side, do we need to make changes in FIPS module as
well.

Both posts looks similar. I apologize  I should have clearly mentioned
these 2 posts are in different contexts.

Thanks a lot.

Regards
Jayalakshmi


On Sat, Jul 5, 2014 at 10:46 PM, Dr. Stephen Henson st...@openssl.org
wrote:

 On Sat, Jul 05, 2014, Jayalakshmi bhat wrote:

  Hi All,
 
  We want to support a hardware accelerator on our device. We are using
  OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add
  engine support in OpenSSL FIPS Object module.
 

 If you literally mean adding ENGINE support to the OpenSSL FIPS Object
 module
 then you can but it would IMHO be a pointless exercise. The ENGINE code was
 stripped out to keep the number of dependencies down in the module.

 If you mean add ENGINE support to the FIPS capable OpenSSL then you don't
 need
 to as ENGINE support is already there.

 I suggest you explain exactly what you want to do.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org

Re: Openssl Engine for Utimaco CryptoServer

[Ralf Hornik Mailings]

Ralf Hornik Mailings r...@best.homeunix.org wrote:


[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Failure]: MODULE_PATH:/opt/cserver/lib/libcs2_pkcs11.so
7104:error:260AC089:engine routines:INT_CTRL_HELPER:invalid cmd  
name:eng_ctrl.c:134:

7104:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid


What does INT_CTRL_HELPER:invalid cmd name mean? As mentioned in  
documentation the cmd_name has to be set to SO_PATH. So cmd_name set  
to MODULE_NAME will always fail. Is that a bug?

Regards

Ralf


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Openssl Engine Performance Benchmarks

[David Schwartz]

 Is it 
 openssl speed -evp aes-128-cbc -engine xx -elapsed 
 or
 openssl speed -evp aes-128-cbc -engine xx

It depends what you want to measure.

 I have seen examples with both of them on the internet and I get
 different results with each of them. What exactly does elapsed
 option add here?

-elapsedmeasure time in real time instead of CPU user time.

So, do you want to know which one is faster or which one uses less CPU?

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Openssl Engine Performance Benchmarks

[Geoff Thorpe]

On Tuesday 31 March 2009 23:16:10 Shasi Thati wrote:
 Hi,

 I have a question regarding the openssl speed command. When I use this
 command to test the crypto offload engine performance  what is the
 right command to use?

 Is it

 openssl speed -evp aes-128-cbc -engine xx -elapsed

 or

 openssl speed -evp aes-128-cbc -engine xx

 I have seen examples with both of them on the internet and I get
 different results with each of them. What exactly does elapsed
 option  add here?

It means elapsed. :-) Ie. how much time elapsed during the benchmark. 
The normal measurement is cpu usage, which is something less than or 
equal to the elapsed time - if the benchmark used half the available cpu 
cycles during the elapsed period (according to scheduler stats, accurate 
or otherwise), the time given would be half the elapsed time.

The usefulness of using cpu-time (instead of -elapsed) is to eliminate;
(a) skewed statistics due to the system running other tasks while the 
benchmark was in progress (ie. you're only billed for what you use), and
(b) to eliminate time the s/w (and driver) spent waiting for the crypto 
accelerator to respond to crypto operations.
The value of (b) is to interpolate certain theoretical limits. Ie. if 80% 
of the time is spent waiting on the accelerator, the cpu-time for the 
benchmark run would be 1/5 of the elapsed time and so the calculated 
number of crypto ops per second would be 5 times what actually happened 
in real/elapsed time. If the latency of the accelerator is roughly 
constant but it can process multiple things at once due to having 
multiple execution units, then this inflated number is a 
useful estimate of how much you could theoretically process if you had 
multiple threads/processes keeping the cpu busy rather than waiting. In 
this example you'd need at least 5 threads to achieve such a performance 
level. (Which also assumes the accelerator performance would continue to 
scale up that far.)

Cheers,
Geoff

-- 
Un terrien, c'est un singe avec des clefs de char...
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Openssl Engine calling code (soft pkcs11) also written in openssl conflict

[Nils Larsch]

Christopher Nebergall wrote:

I've been working with some patches to curl I found on the curl mailing
list to support openssl and opensc's engine_pkcs11.  

Basically it consists of 


Curl 7.14 + patch which adds dynamic engine support - opensc-20050826
[engine_pkcs11.so] - soft-pkcs11 1.2 


on

Ubuntu Linux (5.04) Kernel 2.6.10-5-386 


actually the openssl version would be more interesting



The problem is that engine_pkcs11 from opensc registers custom rsa
functions for its purposes.  They dlopen a pkcs11 library in my case
soft-pkcs11 which is also implemented using openssl.  The problem is
that the soft token seems to be calling the rsa functions registered by
opensc and not the original versions.  I need some advice or background
on overriding crypto implementations to figure out how to make
soft-pkcs11 not inherit the opensc's overridden functions. 


you could use RSA_set_method with RSA_PKCS1_SSLeay for example


I would have
thought since soft-pkcs11 was dlopened that this wouldn't have inherited
the modified functions.  


the default engine is a global parameter

Nils
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Openssl Engine

[Richard Levitte - VMS Whacker]

In message [EMAIL PROTECTED] on Tue, 24 Sep 2002 14:55:53 +0200, 
Michiels Olivier [EMAIL PROTECTED] said:

olivier.michiels Hi,
olivier.michiels Currently I've an application that creates keys, certificate 
requests 
olivier.michiels and certificates using NFast and openssl-0.9.5.
olivier.michiels I've updated my code to use the openssl-engine.
olivier.michiels Everything works perferctly with some modifications.
olivier.michiels Now, I would like to use the ENGINE concept with my NFast.
olivier.michiels I've already understood that the identifier of my ENGINE is chil and 
olivier.michiels I've wrote some code to test if I can have a new pointer to a ENGINE 
olivier.michiels structure.
olivier.michiels What I would like to know is how to use this ENGINE pointer with my 
olivier.michiels existing code, for example, what are the commands available for the 
olivier.michiels NFAST. I've tried this little code but it doesn't work.
olivier.michiels 
olivier.michiels #include openssl/engine.h
olivier.michiels #include openssl/bio.h
olivier.michiels 
olivier.michiels int main(int argc,char* argv[])
olivier.michiels {
olivier.michiels ENGINE *e;
olivier.michiels BIO *err;
olivier.michiels

It would be a good thing to insert a call to ERR_load_crypto_strings()
here, so the errors get displayed with humanly readable reasons
instead of all those numbers.

olivier.michiels ENGINE_load_builtin_engines();
olivier.michiels if ((e = ENGINE_by_id(argv[1])) == NULL)
olivier.michiels {
olivier.michiels fprintf(stderr,Error for: %s\n,argv[1]);
olivier.michiels return -1;
olivier.michiels }
olivier.michiels
olivier.michiels err = BIO_new_fp(stderr,BIO_NOCLOSE);
olivier.michiels if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
olivier.michiels {
olivier.michiels BIO_printf(err,can't use that engine\n);
olivier.michiels ERR_print_errors(err);
olivier.michiels ENGINE_free(e);
olivier.michiels return -1;
olivier.michiels }
olivier.michiels BIO_printf(err,engine \%s\ set.\n, ENGINE_get_id(e));
olivier.michiels 
olivier.michiels 
olivier.michiels if (ENGINE_ctrl_cmd_string(e,get_passphrase,Password:,0) == 
0)
olivier.michiels {
olivier.michiels ERR_print_errors(err);
olivier.michiels ENGINE_free(e);
olivier.michiels return -1;
olivier.michiels }

And exactly what was that supposed to accomplish?

olivier.michiels 
olivier.michiels /* Free our structural reference. */
olivier.michiels ENGINE_free(e);
olivier.michiels
olivier.michiels return 0;
olivier.michiels }
olivier.michiels 
olivier.michiels The output is has follows:
olivier.michiels engine chil set.
olivier.michiels 25983:error:260AC089:engine 
routines:func(172):reason(137):eng_ctrl.c:136:
olivier.michiels 25983:error:260AB089:engine 
routines:func(171):reason(137):eng_ctrl.c:314:
olivier.michiels 
olivier.michiels I need to ask passwords in order to have my NFast working.
olivier.michiels How can I do that ?

No, you don't need to ask for passwords at the OpenSSL level.  They
will be prompted for automatically when needed.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: RE : openssl engine use

[Geoff Thorpe]

Hey there,

On Thu, 25 Jul 2002, Frederic DONNAT wrote:

 A sample of programming with engine is mod-ssl (initialize ENGINE before
 everything else). You can also see apps directory of OpenSSL s_client,
 s_server ... files

 Be also carefull between openssl-engine-0.9.6x and openssl-0.9.7 there
 is some diff for engine use.
[snip]
 -Message d'origine-
 De : Rob McMonigal [mailto:[EMAIL PROTECTED]]
[snip]
 I like to know how difficult it would be to have an existing application that
 uses openssl to be converted over to use the engine version openssl and the
 hardware accelerator functions.  I cannot find any information on programming
 openssl with hardware accelerators.  Any help would be appreciated.
[snip]

I'm also in the process of rejigging mistakes in the 0.9.7-dev
documentation (it wasn't adjusted to constification and ENGINEification
changes for RSA/DSA/DH/etc...) and at the same time have a monster
engine.pod in progress that I intend to include before the next 0.9.7
beta. That man page may sound terrifying (and no, I haven't split it out
to provide API documentation per-function), but at least it'll be better
than zero documentation. Hopefully.

Failing that - take a read of engine.h (it's relatively well
self-documented) and check out the source that Frederic suggested.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: openssl engine?

[Richard Koenning]

At 20:33 12.10.2001 +0200, Helmut Heilig wrote:
can anybody tell me the difference between openssl and openssl-engine.
Couldn't find anything about that in the FAQ.

See: http://www.openssl.org/support/faq.html

[MISC] 6. What is an 'engine' version?

Ciao,
Richard
-- 
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH, EP LP COM 5
Phone/Fax: +49-89-636-47852 / 47655
E-Mail: [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: openssl engine version beta2 compilation problems

[David Maurus]

I've had the same problem and discovered the following patch:

http://marc.theaimsgroup.com/?l=openssl-devm=96923042325868w=2

The functions are loaded dynamically, so it is necessary to check whether they
loaded or not (or your executable will crash on all machines which don't provide
the NetStatisticsGet-Function). The patch above includes theses tests which are
missing in the plain beta2-tree.

Additionally, I couldn't compile with VC60 because LMSTR was an unknown type. I
had to replace these definitions by LPWSTR:

typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET)
(LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*);
typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE);

Regards,
David Maurus

Lin Geng wrote:

 However, the file rand_win.c compiles if you make the following changes:

 1. comment out the two typedefs

 typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET)
 (LMSTR, LMSTR, DWORD, DWORD, LPBYTE*);
 typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE);

 2. add two defines

 #define NETSTATGET FARPROC
 #define NETFREE FARPROC

 The build should go through.


David Maurus

__
equinux Aktiengesellschaft
Informationstechnologien
Gabelsbergerstr. 30
80333 München - Germany
Tel. 089/520465-0
Fax. 089/520465-299
mailto:[EMAIL PROTECTED]
http://www.equinux.de

MyJack - Das innovative Messagingsystem der equinux AG
http://www.myjack.de


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]