[Dovecot] Solaris hardware crypto engines
Hello, I tried to find out how to use the hardware crypto engines under Solaris (Sun Fire T2000). It seems that it's not just a compilation issue:
For operations that are to be offloaded, it is necessary to restrict use to a subset of OpenSSL functions (the EVP_ functions) and explicitly indicate the use of the PKCS11 engine; something like the following works for bulk ciphers (the process for RSA is similar):
    ENGINE *e;
    ENGINE_load_builtin_engines();
    e = ENGINE_by_id("pkcs11");
    ENGINE_set_default_ciphers(e);
    EVP_CIPHER_CTX_init (&ctx);
    EVP_EncryptInit (&ctx, EVP_des_cbc (), key, iv);
    EVP_EncryptUpdate (.....);
Since I'm not familiar with SSL programming, I wonder if it's possible to modify the dovecot 1.2.x source code. Maybe someone has already tried this or can give me a hint.
Regards. Martin
Martin Preen put forth on 4/18/2011 5:30 AM:
> Hello, I tried to find out how to use the hardware crypto engines under Solaris (Sun Fire T2000). It seems that it's not just a compilation issue:
> For operations that are to be offloaded, it is necessary to restrict use to a subset of OpenSSL functions (the EVP_ functions) and explicitly indicate the use of the PKCS11 engine; something like the following works for bulk ciphers (the process for RSA is similar):
>     ENGINE *e;
>     ENGINE_load_builtin_engines();
>     e = ENGINE_by_id("pkcs11");
>     ENGINE_set_default_ciphers(e);
>     EVP_CIPHER_CTX_init (&ctx);
>     EVP_EncryptInit (&ctx, EVP_des_cbc (), key, iv);
>     EVP_EncryptUpdate (.....);
> Since I'm not familiar with SSL programming, I wonder if it's possible to modify the dovecot 1.2.x source code. Maybe someone has already tried this or can give me a hint.
I would think that this would be handled transparently at the system library level. Doesn't SUN ship a set of replacement Solaris crypto libraries which make use of the hardware engine in the CPU instead of the normal software routines?
-- Stan
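Before touching application code, it helps to confirm that the engine named in the snippet above actually loads and lists the cipher in question. The following is an added example, not part of the thread or of Dovecot: the function name `engine_offers` is hypothetical, and the sample listing is constructed in the format printed by `openssl engine -t -c`.

```shell
#!/bin/sh
# Added example: decide from `openssl engine -t -c` output whether an engine
# is usable and advertises a given algorithm, so a silent fallback to
# software crypto is noticed before any application change is made.

# Constructed sample listing (not captured from a real Sun Fire T2000).
SAMPLE_ENGINE_OUTPUT='(pkcs11) PKCS #11 engine support
 [RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, AES-128-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

# engine_offers ENGINE_ID ALGORITHM   (engine listing is read from stdin)
#   exit 0: engine is available and lists the algorithm
#   exit 1: engine is available but does not list the algorithm
#   exit 2: engine is not listed, or is listed as unavailable
engine_offers() {
    awk -v id="$1" -v alg="$2" '
        # A line such as "(pkcs11) ..." starts a new engine entry.
        /^\(/ { cur = substr($1, 2, length($1) - 2) }
        cur != id { next }
        /^\(/ { seen = 1; next }
        /\[ available \]/ { avail = 1; next }
        /\[ unavailable \]/ { next }
        # Capability line: " [RSA, DSA, ..., DES-CBC]"
        /^[ \t]*\[.*\]/ {
            line = $0
            gsub(/\[|\]|[ \t]/, "", line)
            n = split(line, caps, ",")
            for (i = 1; i <= n; i++) if (caps[i] == alg) found = 1
        }
        END {
            if (!seen || !avail) exit 2
            exit(found ? 0 : 1)
        }
    '
}

# On a live host the listing would come from OpenSSL itself:
#   openssl engine -t -c pkcs11 2>&1 | engine_offers pkcs11 DES-CBC
```

An exit status of 2 on the live host means the engine could not be loaded, in which case `ENGINE_by_id("pkcs11")` in the snippet would return NULL and must be checked before use.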
participants (2): Martin Preen, Stan Hoeppner