PKCS#11 engine support for OpenSSL 0.9.7m
=========================================

[May 25, 2007]

This patch, containing code available in OpenSolaris, adds support for a PKCS#11 engine to OpenSSL and implements PKCS#11 v2.20. It is to be applied against OpenSSL 0.9.7m. Your system must provide a PKCS#11 backend, otherwise the patch is useless.

The patch can be applied like this:

    tar xfzv openssl-0.9.7m.tar.gz
    cd openssl-0.9.7m
    patch -p1 < ../pkcs11_engine-0.9.7m.patch.2007-05-19

It is designed to support pure acceleration for RSA, DSA, DH and all the symmetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share, except for missing support for the patented algorithms MDC2, RC3, RC5 and IDEA.

You must provide the location of the PKCS#11 library on your system to the configure script, e.g. if you use libraries from the openCryptoki project on a Linux AMD64 box, run configure like this:

    ./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so

To check whether the newly built openssl really supports PKCS#11, it is enough to run "apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the output.

This patch was tested on Solaris against the PKCS#11 engine available from the Solaris Cryptographic Framework (Solaris 10 and OpenSolaris) and also on Linux using PKCS#11 libraries from the openCryptoki project (see the openCryptoki website http://sourceforge.net/projects/opencryptoki for more information). Some Linux distributions even ship those libraries with the system. The patch should work on any system that is supported by OpenSSL itself and has a functional PKCS#11 library.

The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h - which are copyrighted by RSA Security Inc.; see pkcs11.h for more information. Other added/modified code in this patch is copyrighted by Sun Microsystems, Inc. and is released under the OpenSSL license (see the LICENSE file for more information).
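The following shell script is an added example and is not part of the patch or its README. It wraps the build steps above in functions and, instead of trusting a clean build, verifies the result the way the README suggests: by reading the "apps/openssl engine" listing and looking for the "(pkcs11) PKCS #11 engine support" line. It also refuses to run ./config when the library given to --pk11-libname is not readable, since the engine is useless without a PKCS#11 backend. The script file name, the tarball and patch file names passed in, and the sample engine listings are assumptions; the listings are constructed, not captured from a real build.

```shell
#!/bin/sh
# Added example, not code from the patch or its README: build OpenSSL
# 0.9.7m with the PKCS#11 engine patch and check the engine listing.
# File names and paths passed as arguments are assumptions.

# Sanity check before running ./config: the PKCS#11 backend library named
# by --pk11-libname must exist and be readable.
pk11_lib_usable() {
    [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ]
}

# Apply the patch and build exactly as the README describes.
# Arguments: tarball, patch file, PKCS#11 library path.
# Runs in a subshell so the caller's working directory is untouched;
# "exit" therefore only leaves the subshell, not the calling script.
build_with_pkcs11() (
    if ! pk11_lib_usable "$3"; then
        echo "PKCS#11 library not readable: $3" >&2
        exit 1
    fi
    tar xfzv "$1" &&
    cd openssl-0.9.7m &&
    patch -p1 < "$2" &&
    ./config --pk11-libname="$3" &&
    make
)

# Reads an "openssl engine" listing on stdin and succeeds only if the
# pkcs11 engine line the README tells you to look for is present.
# Fixed-string match, so the parentheses and '#' are taken literally.
has_pkcs11_engine() {
    grep -F -q -- '(pkcs11) PKCS #11 engine support'
}

# Convenience wrapper: query a built binary directly,
# e.g. binary_has_pkcs11_engine ./apps/openssl
binary_has_pkcs11_engine() {
    "$1" engine | has_pkcs11_engine
}

# Constructed sample listings (not captured from a real build) used for a
# quick self-check when this file is run directly.
SAMPLE_WITH_PKCS11='(dynamic) Dynamic engine loading support
(pkcs11) PKCS #11 engine support'
SAMPLE_WITHOUT_PKCS11='(dynamic) Dynamic engine loading support'

# Self-check only when executed as a script (assumed file name), so the
# functions can also be sourced from another script.
if [ "${0##*/}" = "check_pkcs11_engine.sh" ]; then
    printf '%s\n' "$SAMPLE_WITH_PKCS11" | has_pkcs11_engine &&
        echo "sample 1: pkcs11 engine found"
    printf '%s\n' "$SAMPLE_WITHOUT_PKCS11" | has_pkcs11_engine ||
        echo "sample 2: pkcs11 engine missing"
fi
```

After a real build, `binary_has_pkcs11_engine ./apps/openssl` gives a zero exit status only when the engine line is present, which makes the README's manual "look for" step usable from a build or deployment script.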
Revisions of patch for 0.9.7 branch
===================================

2007-05-25
  - contains fix for:
      6558630 race in OpenSSL pkcs11 engine when using symmetric block ciphers

2007-05-19
  - adapted for 0.9.7m
  - fixed typo in README; the patch implements PKCS#11 v2.20, not v2.11
  - fixed Configure that advertised '--pk11_libname' while '--pk11-libname' was the correct option name
  - contains fixes for:
      6540060 race in pkcs#11 engine in multithreaded environment
      6554248 OpenSSL pkcs#11 engine doesn't strip leading zeros from a computed Diffie-Hellman shared secret

Feedback
========

Please send feedback to security-discuss@opensolaris.org.

The patch was created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.