/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
#include "includes.h"
#include "log.h"
#include "engine.h"

/* ENGINE id passed to ENGINE_by_id() to obtain the PKCS#11 engine. */
#define PKCS11_ENGINE "pkcs11"
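/*
 * Loads the PKCS#11 engine if UseOpenSSLEngine is set to yes, which is the
 * default value.
 *
 * use_engine: non-zero when the engine should be loaded, 0 to skip it.
 *
 * Returns the initialized ENGINE, carrying one structural reference (from
 * ENGINE_by_id()) and one functional reference (from ENGINE_init()) that the
 * caller releases through pkcs11_engine_finish(), or NULL when the engine is
 * disabled or any step failed.  Every error path releases the references
 * acquired up to that point, so a failed load does not leak the ENGINE
 * structure (the original code returned NULL without freeing them).
 */
ENGINE *
pkcs11_engine_load(int use_engine)
{
	ENGINE *e = NULL;

	/* use_engine is a boolean; log it the same way the check below reads it */
	debug("use_engine is '%s'", use_engine ? "yes" : "no");
	if (use_engine == 0)
		return (NULL);

	ENGINE_load_pk11();
	/* get structural reference */
	if ((e = ENGINE_by_id(PKCS11_ENGINE)) == NULL) {
		error("%s engine does not exist", PKCS11_ENGINE);
		return (NULL);
	}

	/* get functional reference */
	if (ENGINE_init(e) == 0) {
		error("can't initialize %s engine", PKCS11_ENGINE);
		goto fail_free;
	}

	debug("%s engine initialized, now setting it as default for "
	    "RSA, DSA, and symmetric ciphers", PKCS11_ENGINE);

	/*
	 * Offloading RSA, DSA and symmetric ciphers to the engine is all we
	 * want. We don't offload Diffie-Hellman since we use longer DH keys
	 * than supported in ncp/n2cp (2048 bits). And, we don't offload digest
	 * operations since that would be beneficial if only big packets were
	 * processed (~8K). However, that's not the case. For example,
	 * SSH_MSG_CHANNEL_WINDOW_ADJUST messages are always small. Given the
	 * fact that digest operations are fast in software and the inherent
	 * overhead of offloading anything to HW is quite big, not offloading
	 * digests to HW actually makes SSH data transfer faster.
	 */
	if (!ENGINE_set_default_RSA(e)) {
		error("can't use %s engine for RSA", PKCS11_ENGINE);
		goto fail_finish;
	}
	if (!ENGINE_set_default_DSA(e)) {
		error("can't use %s engine for DSA", PKCS11_ENGINE);
		goto fail_finish;
	}
	if (!ENGINE_set_default_ciphers(e)) {
		error("can't use %s engine for symmetric ciphers",
		    PKCS11_ENGINE);
		goto fail_finish;
	}

	debug("%s engine initialization complete", PKCS11_ENGINE);
	return (e);

fail_finish:
	/*
	 * Undo any default registration that already succeeded (same
	 * sequence as pkcs11_engine_finish(); unregistering a method the
	 * engine was never registered for is expected to be a no-op), then
	 * drop the functional reference taken by ENGINE_init().
	 */
	ENGINE_unregister_RSA(e);
	ENGINE_unregister_DSA(e);
	ENGINE_unregister_ciphers(e);
	(void) ENGINE_finish(e);
fail_free:
	/* drop the structural reference taken by ENGINE_by_id() */
	(void) ENGINE_free(e);
	return (NULL);
}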
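/*
 * Finishes the PKCS#11 engine after all remaining structural and functional
 * references to the ENGINE structure (other than the two obtained by
 * pkcs11_engine_load()) are freed: the engine is unregistered as default
 * for RSA, DSA and symmetric ciphers, its functional reference is released
 * with ENGINE_finish(), it is removed from OpenSSL's internal engine list
 * and its structural reference is released with ENGINE_free().
 *
 * engine: the pointer returned by pkcs11_engine_load(); NULL is accepted and
 *         means UseOpenSSLEngine was 'no', in which case nothing is done.
 *
 * Failures of ENGINE_finish()/ENGINE_remove()/ENGINE_free() are logged
 * rather than silently ignored; the teardown still proceeds because there
 * is no way to recover a partially-finished engine.
 */
void
pkcs11_engine_finish(void *engine)
{
	ENGINE *e = (ENGINE *)engine;

	/* "%p" takes a void pointer, so log the untyped parameter */
	debug("in pkcs11_engine_finish(), engine pointer is %p", engine);
	/* UseOpenSSLEngine was 'no' */
	if (e == NULL)
		return;

	debug("unregistering RSA");
	ENGINE_unregister_RSA(e);
	debug("unregistering DSA");
	ENGINE_unregister_DSA(e);
	debug("unregistering ciphers");
	ENGINE_unregister_ciphers(e);

	debug("calling ENGINE_finish()");
	if (ENGINE_finish(e) == 0)
		error("ENGINE_finish() failed for %s engine", PKCS11_ENGINE);
	debug("calling ENGINE_remove()");
	if (ENGINE_remove(e) == 0)
		error("ENGINE_remove() failed for %s engine", PKCS11_ENGINE);
	debug("calling ENGINE_free()");
	if (ENGINE_free(e) == 0)
		error("ENGINE_free() failed for %s engine", PKCS11_ENGINE);
	debug("%s engine finished", PKCS11_ENGINE);
}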