Vladimir.Kotal at Sun.COM wrote:
> Brian Smith wrote:
> > (http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6562155).
> 
> Indeed. You can look at the OpenSSL PKCS#11 engine (or, _generically_
> speaking, any other OpenSSL engine) as a way to provide an alternative
> implementation of the EVP class (or RSA/DSA/DH, but nothing else) functions.
> This means that for the engine to support SHA-2 OpenSSL itself must
> implement SHA-2 via EVP API.

This is tricky if you want your binary to run on both S10 and Indiana. The
EVP interface is different between 0.9.7 and 0.9.8; IIRC, some parameters in
the EVP interface are "long" in one version and "size_t" in the other. Also,
I think some members of the EVP MD structs are different between the two
versions. That means that you *must* build the workaround EVP_sha256
implementation against 0.9.7 and you *must never* use that substitute
implementation when linked to 0.9.8 (in Indiana). The safest way to do this
is to check for the absence of sha256 and 0x000907000 <= SSLeay_version() <
0x000908000.

> (Solaris Crypto Framework, libpkcs11.so) directly via PKCS#11 API seems
> to be the only option here.

The good news is that you don't need to use SCF just to get SHA-256. S10u4
and later include libmd which includes a SHA-256 interface that is much
simpler than PKCS#11; it is almost the same as the OpenSSL interface. If an
application just needs digests then it would probably be better to just
switch wholesale to libmd on Solaris. My application needs HMAC-SHA256 so I
will have to use OpenSSL's HMAC operations in combination with libmd's
SHA-256.

- Brian