README.ENGINE revision 68651

ENGINE
======

With OpenSSL 0.9.6, a new component has been added to support external
crypto devices, for example accelerator cards.  The component is called
ENGINE, and still has a pretty experimental status and almost no
documentation.  It's designed to be fairly easily extensible by the
calling programs.

There's currently built-in support for the following crypto devices:

    o CryptoSwift
    o Compaq Atalla
    o nCipher CHIL

A number of things are still needed and are being worked on:

    o An openssl utility command to handle or at least check available
      engines.
    o A better way of handling the methods that are handled by the
      engines.
    o Documentation!

What already exists is fairly stable as far as it has been tested, but
the test base has been a bit small most of the time.

Because of this experimental status and what's lacking, the ENGINE
component is not yet part of the default OpenSSL distribution.  However,
we have made a separate kit for those who want to try this out, to be
found in the same places as the default OpenSSL distribution, but with
"-engine-" being part of the kit file name.  For example, version 0.9.6
is distributed in the following two files:

    openssl-0.9.6.tar.gz
    openssl-engine-0.9.6.tar.gz

NOTES
=====

openssl-engine-0.9.6.tar.gz does not depend on openssl-0.9.6.tar, you do
not need to download both.

openssl-engine-0.9.6.tar.gz is usable even if you don't have an external
crypto device.  The internal OpenSSL functions are contained in the
engine "openssl", and will be used by default.

No external crypto device is chosen unless you say so.  You have to
actively tell the openssl utility commands to use it through a new
command line switch called "-engine".  And if you want to use the ENGINE
library to do something similar, you must also explicitly choose an
external crypto device, or the built-in crypto routines will be used,
just as in the default OpenSSL distribution.


PROBLEMS
========

It seems like the ENGINE part doesn't work too well with CryptoSwift on
Win32.  A quick test done right before the release showed that trying
"openssl speed -engine cswift" generated errors.  If the DSO gets enabled,
an attempt is made to write at memory address 0x00000002.