Comment 7 for bug 119295

Ian Lister (ubuntu-bugs-lister) wrote :

From the OpenSSL engine documentation at http://www.openssl.org/docs/crypto/engine.html :

> Automatically using builtin ENGINE implementations
>
> Here we'll assume we want to load and register all ENGINE implementations
> bundled with OpenSSL, such that for any cryptographic algorithm required by
> OpenSSL - if there is an ENGINE that implements it and can be initialised, it
> should be used. The following code illustrates how this can work;
>
> /* Load all bundled ENGINEs into memory and make them visible */
> ENGINE_load_builtin_engines();
> /* Register all of them for every algorithm they collectively implement */
> ENGINE_register_all_complete();
>
> That's all that's required. Eg. the next time OpenSSL tries to set up an RSA
> key, any bundled ENGINEs that implement RSA_METHOD will be passed to
> ENGINE_init() and if any of those succeed, that ENGINE will be set as the
> default for RSA use from then on.

From the above, as long as the Padlock engine loads successfully it should be used where possible. The output of "openssl engine" should indicate whether the engine is able to load successfully, and calling ENGINE_set_default_ciphers() shouldn't affect what's loaded or not loaded.

At the time I posted my previous comment I was testing with OpenSSH 4.7p1 on FreeBSD 6.2 and its system OpenSSL 0.9.7e-p1. Since then I've updated the machine to FreeBSD 7.0 (with its system OpenSSL 0.9.8e). Like you, I do *not* now see any acceleration unless I add a call to ENGINE_set_default_ciphers(). Further, a call to ENGINE_get_cipher_engine(NID_aes_128_ecb) immediately prior to calling ENGINE_set_default_ciphers() returns NULL, but a call immediately afterwards returns non-NULL.

I thought I previously didn't need to call ENGINE_set_default_ciphers() at all (and that I was seeing acceleration without any configuration or other code changes), but it's possible I confused myself and only ever tested a version with an explicit ENGINE_set_default_ciphers() call. It's also possible that the behaviour changed between versions. Either way the current behaviour we're both seeing doesn't match the documentation above, which would be a bug in OpenSSL. I'll have a further dig when I get a chance (unless you or somebody else beats me to it).