Jason Burrell wrote:
> NSS supports PKCS#11 which most hardware crypto accelerators (including
> things like smartcards and offloading coprocessors) use. As far as I
> know, the only OpenSSL PKCS#11 library is external to it, from the
> OpenSC people.
Hmm... Are the relevant kernel drivers and interfaces in place for
PKCS#11 for any of the crypto offload engines discussed (Kirkwood,
Tegra, Freescale)? Can somebody point me at the relevant interface docs?
Generally, the CPU-based "crypto" hardware is actually just a few
acceleration functions, so you don't usually access it through PKCS#11.
I know NSS supports the Intel AES instructions directly (not via
PKCS#11), so it should be possible to add others as well.
Accelerating instructions are something for the compilers and assemblers
to deal with. I was specifically talking about asynchronous offload
engines that ARM SoCs often have.
So are you saying that the number of organizations that _don't_ use
OpenSSH, OpenLDAP, mod_ssl, etc. is greater than those that do (limiting
the field here to those that use some unix-like OS)? That would surprise
me if it really is the case.
I don't have figures as to the number of deployments of any of those
tools, but only OpenSSH is listed as not yet supporting NSS anyway.
I do think there are many deployments of OpenSSL that aren't following
its license's advertising requirements. As you stated, OpenSSH is used
pretty much everywhere, but I don't even remember the last time I saw a
statement saying a product included software from OpenSSL, except in
hidden about boxes, which isn't what a clear reading of the four-clause
BSD license states.
Just out of interest, have OpenSSL maintainers complained at having just
about every distribution on the planet break their licencing terms?
Gordan