Following on from the recent post discussing modifying OpenSSL to enable OpenSSH to take advantage of the UltraSPARC T2 crypto accelerators, I should also mention that it is possible to just use the PKCS#11-engine-modified OpenSSL that Sun provides. You should use --with-ssl-engine when you configure OpenSSH. Further, it may just be my mistake, but I am having problems getting OpenSSH to use the PKCS#11 engine unless I modify openssl-compat.c. In the unmodified code, ssh_SSLeay_add_all_algorithms() does:

/* Enable use of crypto hardware */
ENGINE_load_builtin_engines();		/* instantiate the engines compiled into libcrypto (pkcs11 included on the Sun build) */
ENGINE_register_all_complete();		/* register every loaded engine's implementations; none is forced as the default */

I changed this to:

ENGINE *pkcengine;
/* Enable use of crypto hardware: make the pkcs11 engine the default for symmetric ciphers */
ENGINE_load_builtin_engines();
pkcengine = ENGINE_by_id("pkcs11");	/* structural reference; NULL if this OpenSSL has no pkcs11 engine */
if (pkcengine != NULL) {
	if (ENGINE_init(pkcengine))	/* functional reference: the engine now talks to the PKCS#11 provider */
		ENGINE_set_default_ciphers(pkcengine);	/* ciphers only; RSA/DSA stay in software */
	ENGINE_free(pkcengine);	/* drop the structural reference; the functional one keeps the engine alive */
}

and things started working fine. I need to find some cycles to go back and see if I had things misconfigured.
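A check worth running before editing openssl-compat.c, as an added example that is not part of the original post: ask the Sun OpenSSL itself whether the pkcs11 engine initialises and which algorithms it advertises, and map the OpenSSH cipher you intend to force with ssh -c onto the capability name the engine lists. The script parses the output of openssl engine -t -c; the sample output embedded in it is constructed, and the name table and helper functions (engine_report and friends) are this example's own, not anything from OpenSSH or the Sun engine.

```shell
#!/bin/sh
# Added sanity check (not code from the original post): before touching
# openssl-compat.c, confirm that the OpenSSL OpenSSH is linked against can
# initialise the pkcs11 engine at all, and that the engine advertises the
# cipher OpenSSH will negotiate. Feed it the output of:
#     openssl engine -t -c pkcs11
# Parsing assumes the classic `openssl engine -t -c` layout:
#     (id) description
#      [CAP, CAP, ...]          capability list (from -c)
#          [ available ]        or [ unavailable ] (from -t)

# Constructed sample of that output for a Sun OpenSSL with a working token.
SAMPLE_ENGINE_OUTPUT='(pkcs11) PKCS #11 engine support
 [RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, RC4, MD5, SHA1]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

# Constructed sample where the engine is built in but cannot initialise
# (for example no usable PKCS#11 provider behind it).
SAMPLE_ENGINE_DOWN='(pkcs11) PKCS #11 engine support
 [RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, RC4, MD5, SHA1]
     [ unavailable ]'

# Map an OpenSSH cipher name (as given to ssh -c) to the OpenSSL capability
# name the engine lists. Anything not in this table is treated as not offloaded.
ssh_to_engine_cipher() {
    case "$1" in
        aes128-cbc) echo AES-128-CBC ;;
        aes192-cbc) echo AES-192-CBC ;;
        aes256-cbc) echo AES-256-CBC ;;
        3des-cbc)   echo DES-EDE3-CBC ;;
        arcfour|arcfour128|arcfour256) echo RC4 ;;
        *) return 1 ;;
    esac
}

# engine_available ID   (stdin: openssl engine output) -> 0 if ID reports "[ available ]"
engine_available() {
    awk -v id="($1)" '
        $1 == id                        { inblock = 1; next }
        /^\(/                           { inblock = 0 }
        inblock && /\[ available \]/    { found = 1 }
        END                             { exit found ? 0 : 1 }'
}

# engine_offloads ID CAP   (stdin: openssl engine output) -> 0 if CAP is in ID's capability line
engine_offloads() {
    awk -v id="($1)" -v cap="$2" '
        $1 == id                        { inblock = 1; next }
        /^\(/                           { inblock = 0 }
        inblock && /^ *\[/ && !/available \]/ {
            line = $0
            gsub(/[][ ]/, "", line)               # strip brackets and spaces
            n = split(line, caps, ",")
            for (i = 1; i <= n; i++) if (caps[i] == cap) found = 1
        }
        END                             { exit found ? 0 : 1 }'
}

# engine_report ID SSH_CIPHER   (stdin: openssl engine output)
# Prints exactly one of: offloaded | engine-unavailable | cipher-not-offloaded
engine_report() {
    out=$(cat)
    cap=$(ssh_to_engine_cipher "$2") || { echo cipher-not-offloaded; return 1; }
    printf '%s\n' "$out" | engine_available "$1" || { echo engine-unavailable; return 1; }
    printf '%s\n' "$out" | engine_offloads "$1" "$cap" || { echo cipher-not-offloaded; return 1; }
    echo offloaded
}

# Real use:   openssl engine -t -c pkcs11 | engine_report pkcs11 aes128-cbc
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_ENGINE_OUTPUT" | engine_report pkcs11 aes128-cbc
```

If the report says engine-unavailable, the PKCS#11 provider behind the engine is the problem and no change to OpenSSH will help; if it says cipher-not-offloaded, the engine initialises but the session you are testing never touches it, so force a listed cipher (for example ssh -c aes128-cbc) before judging whether the openssl-compat.c change made any difference.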

Comments:

The above relies on current behavior of PKCS#11 engine which detects fork() and does cleanup of all PKCS#11 state. This "feature" might go away in the future. The correct thing (in terms of PKCS#11 spec) is to finish the engine before fork() and reinitialize it after it (as SunSSH does). Also, the above only enables offloading for symmetric ciphers, whereas SunSSH also offloads RSA/DSA.

Posted by Vladimir Kotal on October 07, 2008 at 03:46 AM PDT #


This blog copyright 2009 by sprack