OpenSSL to have to opt out hardware support instead of having to opt
it in. And since the hardware support modules are self-contained and
actually check that the vendor stuff is loadable, it still works as
expected, or at least, so I think...
the 'INSTALL' file, which means that 9 times of 10, the BlowFish
headers won't get installed. Avoid this in the same way it's done in
crypto/des/Makefile.ssl, where someone apparently has thought of this...
into lexical order. Previously it depended on
the order of files in the directory.
This should now mean that all systems will
agree on the order of safestack.h and will
not change it needlessly and avoid massive
needless commits to safestack.h in future.
It wont however avoid this one :-(
it cope with OpenBSD which doesn't understand "RTLD_NOW".
* Added the dso_scheme config string entry for OpenBSD-x86 to give it
DSO support.
* 'make update' that has also absorbed some of Steve's mkstack changes
for the ASN-related macros.
This is mostly a work around for the old VC++ problem
that it treats func() as func(void).
Various prototypes had been added to 'compare' function
pointers that triggered this. This could be fixed by removing
the prototype, adding function pointer casts to every call or
changing the passed function to use the expected arguments.
I mostly did the latter.
The mkdef.pl script was modified to remove the typesafe
functions which no longer exist.
Oh and some functions called OPENSSL_freeLibrary() were
changed back to FreeLibrary(), wonder how that happened :-)
Also, make sure empty slots of the dynamic lock stack are used.
Actually, I'm not really sure this is the right thing to do, and may
remove it, with an endlessly growing stack as result...
insecure, so a static lock is added to isolate the sensitive parts.
Also, to avoid one thread freeing a lock that is used by another, a
reference counter is added.
be needed in some ENGINE code, and might serve elsewhere as well.
Note that it's implemented in such a way that the locking itself is
done through the same CRYPTO_lock function as the static locks.
WARNING: This is currently experimental and untested code (it will get
tested soon, though :-)).
sk_whatever_insert and sk_whatever_set immediately reveals the subtle
difference in parameter order.
Change mkstack.pl so that safestack.h is not rewritten when
nothing has changed.
After some messing around this seems to work but needs
a few more tests. Working out the syntax for sk_set_cmp_func()
(cast it to a function that itself returns a function pointer)
was painful :-(
Needs some testing to see what other compilers think of this
syntax.
Also needs similar stuff for ASN1_SET_OF etc etc.
"symbols" including functions (of all prototypes( and variables. Whilst
casting any function type to another violates ANSI C (I believe), it is
a necessary evil in shared-library APIs. However, it is quite
conceivable that functions in general and data symbols could very well
be represented differently to each other on some systems, as Bodo said;
> Since the function/object distinction is a lot more likely to be
> important on real-life platforms supporting DSO *and* it can be quite
> easily done *and* it will silence compilers that don't like
> assignments from void pointers to function pointer variables, why
> not do it?
I agree. So this change splits the "dso_bind" handler in DSO_METHOD
into "dso_bind_var" and "dso_bind_func". Similarly the exported
function DSO_bind() has been split in two. I've also put together
changes for the various DSO_METHOD implementations, but so far only
DSO_dlfcn() has been tested. BTW: The prototype for dso_bind had been
a bit strange so I've taken the opportunity to change its shape (in
both variations).
Also, the README has been updated - particularly with a note about
using customised native name-translation for shared libraries (and that
you can't do it yet).
It's cute to observe that Atalla having no RSA-specific form of mod_exp
causes a DSA server to achieve about 6 times as many signatures per
second than an RSA server. :-)
Atalla card, you should be able to compile with the "hw-atalla" switch
with "./config" or "perl Configure", and then you can use the command-
line switch "-engine atalla" inside speed, s_cient and s_server (after
checking out note (1)).
Notes:
(1) I've turned on native name translation when loading the shared-
library, but this means that the Unix shared library needs to be
libatasi.so rather than atasi.so. I got around this in my testing
by creating a symbollic link from /usr/lib/libatasi.so to the real
library, but something better will be needed. It also assumes in
win32 that the DLL will be called atasi.dll - but as I don't have
a win32/atalla environment to try I have no idea yet if this is
the case.
(2) Currently DSA verifies are not accelerated because I haven't yet
got a mod_exp-based variant of BN_mod_exp2_mont() that yields
correct results.
(3) Currently the "init()" doesn't fail if the shared library can
load successfully but the card is not operational. In this case,
the ENGINE_init() call will succeed, but all RSA, DSA, DH, and
the two BN_*** operations will fail until the ENGINE is switched
back to something that does work. I expect to correct this next.
(4) Although the API for the Atalla card just has the one crypto
function suggesting an RSA private key operation - this is in
fact just a straight mod_exp function that ignores all the RSA
key parameters except the (private) exponent and modulus. This is
why the only accelerator work is taking place inside the mod_exp
function and there's no optimisation of RSA private key operations
based on CRT etc.
