How to integrate PKCS11 engine patch into OpenSSL you built

Normally, you don't have to do this: Jan Pechanec's two excellent blogs explain why, and cover both OpenSSL in Solaris and the PKCS#11 engine patch that Sun contributed to the OpenSSL community. Please read those blogs first; you will probably stop there :-).

If, for some reason, you have to build your own OpenSSL from source, and would still like to take advantage of the MAU (Modular Arithmetic Unit) in the UltraSPARC T1 on a Sun Fire T2000/T1000 to speed up RSA/DSA operations, here is what I did.

First, download the PKCS#11 engine patch from OpenSSL's Contributions area. There are three PKCS#11 engine patch entries at the bottom of the list: two for openssl-0.9.7d and one for openssl-0.9.7l. The patch must be applied to exactly OpenSSL 0.9.7d or 0.9.7l; no other version will do. For OpenSSL 0.9.7d, use pkcs11_engine-0.9.7d.patch.2006-09-12.gz, as the other one suffers from Bug 6411001.

Before starting, there is one subtle thing to note: the patch command. This PKCS#11 engine patch requires GNU patch and does not work with Solaris patch, so use /usr/bin/gpatch.

Assume you want to patch OpenSSL 0.9.7l. In the directory that contains the openssl-0.9.7l directory, unzip the patch:

#gunzip pkcs11_engine-0.9.7l.patch.2006-10-13.gz

Then cd into the top-level OpenSSL directory and apply the patch:

#cd openssl-0.9.7l
#gpatch -p 1 < ../pkcs11_engine-0.9.7l.patch.2006-10-13
patching file Configure
patching file Makefile.org
patching file README.pkcs11
patching file crypto/engine/Makefile
patching file crypto/engine/cryptoki.h
patching file crypto/engine/eng_all.c
patching file crypto/engine/engine.h
patching file crypto/engine/hw.ec
patching file crypto/engine/hw_pk11.c
patching file crypto/engine/hw_pk11_err.c
patching file crypto/engine/hw_pk11_err.h
patching file crypto/engine/hw_pk11_pub.c
patching file crypto/engine/pkcs11.h
patching file crypto/engine/pkcs11f.h
patching file crypto/engine/pkcs11t.h

(At this point, you can take a look at README.pkcs11. Most of the details are there.)

To build OpenSSL with the engine, you need to tell Configure which PKCS#11 library on the system to use. On Solaris 10 or Solaris Express, it's libpkcs11.so under /usr/lib (32-bit) or /usr/lib/sparcv9 (64-bit). This is how I built 64-bit OpenSSL on a T2000 using Sun Studio cc:

#./Configure solaris64-sparcv9-cc shared --pk11-libname=/usr/lib/sparcv9/libpkcs11.so
#make

Note that libcrypto.so and libssl.so will reside in the current directory after the make. To verify whether this self-built OpenSSL really takes advantage of the MAU on the T2000, run:

#apps/openssl speed rsa1024 -engine pkcs11 -elapsed -multi 32

[ .. snip .. ]

available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used:
                  sign    verify    sign/s verify/s
rsa 1024 bits 0.000078s 0.000022s  12846.6  45807.1
If the sign rate is close to 13000 signs/s, the MAU is engaged. You can also use

#kstat -n ncp0 | grep rsa

to compare the RSA counters before and after the speed test: if the engine is really offloading to the hardware, the RSA counters advance during the run.
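As an added example (not code from this post, from OpenSSL, or from Solaris), here is a small POSIX shell script that automates the two checks above: it parses the sign/s column out of the speed output and diffs the ncp0 RSA kstat counters taken before and after the run. The function names, the constructed sample output, the counter names used in the sample data and the 10000 signs/s cut-off are assumptions of this example; the openssl and kstat command lines in live mode are the ones from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers around the two MAU
# checks the post describes, the "openssl speed rsa1024" sign rate and the
# ncp0 kstat RSA counters. Function names, the sample output and the
# 10000 signs/s cut-off are this example's own assumptions; the command
# lines in live mode are the ones from the post.

# Sign rate in signs/s from the "rsa 1024 bits" line of `openssl speed`
# output read on stdin (the 6th whitespace-separated field).
rsa1024_sign_rate() {
    awk '$1 == "rsa" && $2 == "1024" && $3 == "bits" { print $6 }'
}

# Assumed cut-off: the post reports ~13000 signs/s with the MAU engaged,
# so a rate well below that means the engine fell back to software RSA.
MIN_SIGNS_PER_SEC=10000

# Exit 0 when the rate argument meets the cut-off, 1 otherwise.
mau_engaged() {
    awk -v rate="$1" -v min="$MIN_SIGNS_PER_SEC" \
        'BEGIN { exit ((rate + 0 >= min + 0) ? 0 : 1) }'
}

# Per-counter delta between two `kstat -n ncp0 | grep rsa` snapshots given
# as strings of "name value" lines; prints "name delta" for every counter
# present in the "after" snapshot.
kstat_rsa_delta() {
    printf '%s\n' "$1" | awk -v after="$2" '
        { before[$1] = $2 }
        END {
            n = split(after, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (split(lines[i], f, " ") < 2) continue
                printf "%s %d\n", f[1], f[2] - before[f[1]]
            }
        }'
}

# Exit 0 when at least one RSA counter advanced, i.e. the speed test went
# through the ncp driver rather than the software RSA code.
mau_counters_moved() {
    kstat_rsa_delta "$1" "$2" | awk '$2 > 0 { moved = 1 } END { exit (moved ? 0 : 1) }'
}

# Constructed sample data, shaped like the post's output, for offline use.
SAMPLE_SPEED='available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used:
                  sign    verify    sign/s verify/s
rsa 1024 bits 0.000078s 0.000022s  12846.6  45807.1'
SAMPLE_KSTAT_BEFORE='rsaprivate 1000
rsapublic 2000'
SAMPLE_KSTAT_AFTER='rsaprivate 51000
rsapublic 2000'

# Live mode: invoke as "sh mau_check.sh run" from the top of the patched
# OpenSSL tree on the T2000, after "make".
if [ "${1-}" = "run" ]; then
    before=$(kstat -n ncp0 | grep rsa)
    rate=$(apps/openssl speed rsa1024 -engine pkcs11 -elapsed -multi 32 2>&1 | rsa1024_sign_rate)
    after=$(kstat -n ncp0 | grep rsa)
    echo "rsa1024 sign/s: ${rate:-unknown}"
    kstat_rsa_delta "$before" "$after"
    if mau_engaged "${rate:-0}" && mau_counters_moved "$before" "$after"; then
        echo "MAU engaged"
    else
        echo "MAU NOT engaged: check --pk11-libname and that the pkcs11 engine loaded" >&2
        exit 1
    fi
fi
```

Without the "run" argument the script only defines the functions and the sample data, so it can be sourced and exercised on any machine; both checks have to pass in live mode, because a high sign rate alone could come from a fast software build while unchanged counters prove nothing reached the ncp driver.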

About

chichang_lin