OpenSSH & T2 (contd)

Following from the recent post discussing modifying OpenSSL to enable OpenSSH to take advantage of the UltraSPARC T2 crypto accelerators, I should also mention that it is possible to just use the PKCS11 engine modified OpenSSL that Sun provides. You should use the --with-ssl-engine option when you configure OpenSSH. Further, it may just be my mistake, but I am having problems getting OpenSSH to use the PKCS11 engine unless I modify openssl-compat.c. In the unmodified code, ssh_SSLeay_add_all_algorithms() does:

```c
/* Enable use of crypto hardware */
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
```

I changed this to:

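```c
ENGINE *pkcengine;

/* Enable use of crypto hardware */
ENGINE_load_builtin_engines();
/* Look up the PKCS#11 engine; ENGINE_by_id() returns NULL if it is not available */
pkcengine = ENGINE_by_id("pkcs11");
/* Only make it the default for symmetric ciphers if it initialized successfully */
if (pkcengine != NULL && ENGINE_init(pkcengine))
    ENGINE_set_default_ciphers(pkcengine);
```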

and things started working fine. I need to find some cycles to go back and see if I had things misconfigured.

Comments:

The above relies on current behavior of PKCS#11 engine which detects fork() and does cleanup of all PKCS#11 state. This "feature" might go away in the future. The correct thing (in terms of PKCS#11 spec) is to finish the engine before fork() and reinitialize it after it (as SunSSH does). Also, the above only enables offloading for symmetric ciphers, whereas SunSSH also offloads RSA/DSA.

Posted by Vladimir Kotal on October 06, 2008 at 08:46 PM PDT #

About

Dr. Spracklen is a senior staff engineer in the Architecture Technology Group (Sun Microelectronics), that is focused on architecting and modeling next-generation SPARC processors. His current focus is hardware accelerators.
