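/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#include "includes.h"
#include "log.h"
#include "engine.h"

/* OpenSSL engine id looked up with ENGINE_by_id(). */
#define	PKCS11_ENGINE	"pkcs11"

/*
 * Loads the PKCS#11 engine if UseOpenSSLEngine is set to yes, which is the
 * default value.
 *
 * use_engine:	0 means the engine is not wanted; any other value loads it
 *		(the caller passes the UseOpenSSLEngine setting).
 *
 * Returns NULL when use_engine is 0.  Otherwise returns an ENGINE on which
 * both a structural reference (ENGINE_by_id) and a functional reference
 * (ENGINE_init) are held, registered as the default for RSA, DSA and
 * symmetric ciphers.  The caller releases both references with
 * pkcs11_engine_finish().  Every failure after the use_engine check is
 * fatal(): there is no partially initialized engine to hand back.
 */
ENGINE *
pkcs11_engine_load(int use_engine)
{
	ENGINE *e = NULL;

	/*
	 * Report exactly the condition tested below: anything non-zero
	 * loads the engine, so the log must not say "no" for e.g. 2.
	 */
	debug("use_engine is '%s'", use_engine ? "yes" : "no");
	if (use_engine == 0)
		return (NULL);

	ENGINE_load_pk11();
	/* get structural reference */
	if ((e = ENGINE_by_id(PKCS11_ENGINE)) == NULL) {
		fatal("%s engine does not exist", PKCS11_ENGINE);
	}

	/* get functional reference */
	if (ENGINE_init(e) == 0) {
		fatal("can't initialize %s engine", PKCS11_ENGINE);
	}

	debug("%s engine initialized, now setting it as default for "
	    "RSA, DSA, and symmetric ciphers", PKCS11_ENGINE);

	/*
	 * Offloading RSA, DSA and symmetric ciphers to the engine is all we
	 * want. We don't offload Diffie-Hellman since we use longer DH keys
	 * than supported in ncp/n2cp (2048 bits). And, we don't offload digest
	 * operations since that would be beneficial only if big packets were
	 * processed (~8K). However, that's not the case. For example,
	 * SSH_MSG_CHANNEL_WINDOW_ADJUST messages are always small. Given the
	 * fact that digest operations are fast in software and the inherent
	 * overhead of offloading anything to HW is quite big, not offloading
	 * digests to HW actually makes SSH data transfer faster.
	 */
	if (!ENGINE_set_default_RSA(e)) {
		fatal("can't use %s engine for RSA", PKCS11_ENGINE);
	}
	if (!ENGINE_set_default_DSA(e)) {
		fatal("can't use %s engine for DSA", PKCS11_ENGINE);
	}
	if (!ENGINE_set_default_ciphers(e)) {
		fatal("can't use %s engine for ciphers", PKCS11_ENGINE);
	}

	debug("%s engine initialization complete", PKCS11_ENGINE);
	return (e);
}

/*
 * Finishes the PKCS#11 engine after all remaining structural and functional
 * references to the ENGINE structure are freed.
 *
 * engine:	the pointer returned by pkcs11_engine_load(), passed as void *
 *		so callers need not see the ENGINE type.  NULL (UseOpenSSLEngine
 *		was 'no') is a no-op.
 *
 * The default-method registrations made in pkcs11_engine_load() are undone
 * first, then the functional reference (ENGINE_finish) and the structural
 * reference (ENGINE_free) taken there are released, with ENGINE_remove()
 * in between so the engine is no longer found by ENGINE_by_id().
 */
void
pkcs11_engine_finish(void *engine)
{
	ENGINE *e = (ENGINE *)engine;

	debug("in pkcs11_engine_finish(), engine pointer is %p", e);
	/* UseOpenSSLEngine was 'no' */
	if (e == NULL)
		return;

	debug("unregistering RSA");
	ENGINE_unregister_RSA(e);
	debug("unregistering DSA");
	ENGINE_unregister_DSA(e);
	debug("unregistering ciphers");
	ENGINE_unregister_ciphers(e);

	/* release in the reverse order of acquisition in pkcs11_engine_load() */
	debug("calling ENGINE_finish()");
	ENGINE_finish(e);
	debug("calling ENGINE_remove()");
	ENGINE_remove(e);
	debug("calling ENGINE_free()");
	ENGINE_free(e);
	debug("%s engine finished", PKCS11_ENGINE);
}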