What is the ENGINE in OpenSSL and what is it used for?

I cannot find a good explanation of what the ENGINE in OpenSSL is. It is used in functions like EVP_PKEY_CTX_new.

I am using EVP_PKEY_CTX_new just before I encrypt/decrypt something using EVP_PKEY_encrypt and EVP_PKEY_decrypt, but do I really need to specify the ENGINE parameter when calling EVP_PKEY_CTX_new? Everywhere I look inside OpenSSL the parameter is specified as NULL.

So my question is: what is the ENGINE in OpenSSL, what is it used for, and what difference does it make when it is not specified?

Blurry Sterk asked Feb 24 '15 08:02



1 Answer

The engine is the hardware or software implementation used for performing cryptographic operations. The default engine ID is openssl, and it uses the built-in functions of OpenSSL.

Assume we have a hardware device with a super fast implementation of AES. Now, when we use AES encryption, we can set the engine to that hardware device (instead of NULL), which means that the operations are now computed by the hardware device instead of the default OpenSSL software layer.


This is explained in Section 4.6 of the Network Security with OpenSSL book.

OpenSSL has built-in support for cryptographic acceleration. Using the ENGINE object type, an application can get a reference to a changeable, underlying representation, most often a hardware device. (...)

The general idea is simple: we retrieve an object representing the type of hardware we wish to utilize, then we tell OpenSSL to use the device we chose.

Example 4-17 shows a small code example of how we would perform this operation.

ENGINE *e;
/* look up the engine by its string id ("cswift" here) */
if (!(e = ENGINE_by_id("cswift")))
    fprintf(stderr, "Error finding specified ENGINE\n");
/* make it the default implementation for all cryptographic methods */
else if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
    fprintf(stderr, "Error using ENGINE\n");
else
    fprintf(stderr, "Engine successfully enabled\n");

The function call ENGINE_by_id will look up an implementation from the built-in methods available and return an ENGINE object. The single argument to this function should be the string identifier of the underlying implementation we wish to use. (...)

The ENGINE object that we receive from the lookup should be used in the call to ENGINE_set_default to allow cryptographic functions to utilize the capabilities of the specific ENGINE. The second parameter allows us to specify constraints on what we allow the engine to implement. (...)

NOTE: cswift is "used for CryptoSwift acceleration hardware."

Daniel answered Sep 22 '22 18:09
