Open sharkcz opened 1 year ago
The problem is that when you build both, engine and provider, and then do a `make install`, both are installed into the same directory (i.e. /usr/local/lib). So they can't be named the same, obviously.
Sure, if you enable only engine or only provider, then that's not a problem; you can then specify `--libdir` to point to the OpenSSL modules or engine directory right away, as described in README.md.
The other problem is that changing the name would have a hit in the OpenSSL configuration file:

```ini
[ibmca_sect]
identity = ibmca
module = ibmca-provider.so   # <---- see here
activate = 1
```

So I guess it's quite impossible to silently change this without the users requiring some action... We (you) could certainly create a symlink named ibmca.so to point to ibmca-provider.so in the OpenSSL modules directory during RPM installation... That way you would be able to use the short name if wanted.
Thanks for the reply, it aligns with my understanding. Although engine or provider is becoming an "exclusive or", right?
I think adding the short symlink would be a user-friendly addition ...
> Although engine or provider is becoming an "exclusive or", right?

At some point in time probably yes, but currently OpenSSL 3.0 still supports engines (with some limitations though, i.e. only for applications that use the old APIs, not for applications that use the OpenSSL 3.0 provider specific APIs).

> I think adding the short symlink would be a user-friendly addition ...

Certainly, but it would be the distribution partner who needs to do so.
Please be aware that the `-provider` option of the `openssl` command is probably not the recommended way to configure a provider. Users should add the providers they want to use to their OpenSSL config file, and set the `default_properties` in the `alg_section` as needed so that applications transparently fetch the algorithms from the providers.
```ini
[openssl_def]
providers = provider_sect
alg_section = evp_properties
...
[evp_properties]
default_properties = ?provider=ibmca
```
Fetching algorithms strongly depends on the property queries used by the applications (or the default property query). Just loading a provider may not have any effect at all. I would assume that `openssl speed -provider ibmca-provider` without specifying a property query like `-propquery ?provider=ibmca` will not use the IBMCA provider for anything, unless you have configured it in your OpenSSL configuration file as shown above (if configured in the OpenSSL config file, you should not need to specify the `-provider` option at all, though).
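The fetch behaviour described in the comment above, as an added example that is not code from openssl-ibmca or OpenSSL: a simplified Python model of how OpenSSL 3 picks an implementation for an algorithm by matching the loaded providers' property definitions against the merged property query (the configured `default_properties` plus any per-fetch `-propquery`). The entries in `STORE` are constructed sample data, and the ranking rule (every required term must hold, the highest number of satisfied terms wins, the earliest registered implementation wins ties) is an assumption that simplifies OpenSSL's real property matching.

```python
"""Added example (not openssl-ibmca or OpenSSL code): a simplified model of
OpenSSL 3 property-query matching. The provider/algorithm table and the
tie-breaking rule are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Term:
    name: str
    value: str
    optional: bool   # written with a leading '?'
    negated: bool    # written with '!=' instead of '='


def parse_query(query: str) -> List[Term]:
    """Parse a query such as 'provider=ibmca,?fips=yes,x!=y' into terms."""
    terms = []
    for raw in query.split(","):
        raw = raw.strip()
        if not raw:
            continue
        optional = raw.startswith("?")
        body = raw[1:] if optional else raw
        if "!=" in body:
            name, value = body.split("!=", 1)
            negated = True
        else:
            name, value = body.split("=", 1)
            negated = False
        terms.append(Term(name.strip(), value.strip(), optional, negated))
    return terms


def merge_queries(default_query: str, propq: str) -> List[Term]:
    """Combine the configured default query (alg_section default_properties)
    with a per-fetch query; a per-fetch term replaces a default term of the
    same name."""
    merged = {t.name: t for t in parse_query(default_query)}
    for t in parse_query(propq):
        merged[t.name] = t
    return list(merged.values())


def match_score(terms: List[Term], props: Dict[str, str]) -> Optional[int]:
    """Count the query terms an implementation satisfies; return None if a
    required term is violated. A property the implementation does not define
    satisfies only a 'name!=value' term."""
    score = 0
    for t in terms:
        actual = props.get(t.name)
        satisfied = t.negated if actual is None else ((actual == t.value) != t.negated)
        if satisfied:
            score += 1
        elif not t.optional:
            return None
    return score


# Constructed sample store: (algorithm, provider name, property definition),
# in registration order. 'default' registers first; the ibmca entries carry
# the 'provider=ibmca' property that the README config queries for (assumed
# set of algorithms, chosen so that SHA256 has no ibmca implementation).
STORE = [
    ("AES-256-GCM", "default", {"provider": "default"}),
    ("SHA256",      "default", {"provider": "default"}),
    ("RSA",         "default", {"provider": "default"}),
    ("AES-256-GCM", "ibmca",   {"provider": "ibmca"}),
    ("RSA",         "ibmca",   {"provider": "ibmca"}),
]


def fetch(algorithm: str, default_query: str = "", propq: str = "") -> Optional[str]:
    """Return the provider whose implementation best satisfies the merged
    query. Highest score wins; the earliest registered implementation wins
    ties, so with no query at all the first provider in STORE is chosen."""
    terms = merge_queries(default_query, propq)
    best_name, best_score = None, -1
    for alg, provider, props in STORE:
        if alg != algorithm:
            continue
        score = match_score(terms, props)
        if score is not None and score > best_score:
            best_name, best_score = provider, score
    return best_name


if __name__ == "__main__":
    print(fetch("AES-256-GCM"))                                  # default: nothing asked for ibmca
    print(fetch("AES-256-GCM", propq="?provider=ibmca"))        # ibmca
    print(fetch("SHA256", default_query="?provider=ibmca"))     # default: optional term falls back
    print(fetch("SHA256", propq="provider=ibmca"))              # None: required term cannot be met
```

Two points the model makes visible: with both providers loaded and an empty query, the first registered implementation wins, which is why merely adding `-provider` changes nothing; and the `?` prefix matters, since a required `provider=ibmca` fails outright for an algorithm the IBMCA provider does not implement while `?provider=ibmca` falls back to the default provider. Note also that the query names the provider by its `identity` (`ibmca`), not by the module filename (`ibmca-provider.so`).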
Currently the provider filename is `ibmca-provider.so`, but would it be possible to use `ibmca.so` instead, which is more obvious in my opinion?

`openssl speed -engine ibmca` vs `openssl speed -provider ibmca-provider`

The 'provider' string looks redundant ... Not sure if it was causing some filename conflicts previously when both engine and provider were built, but with switching to using provider exclusively in systems with openssl >=3, it shouldn't be an issue.