[PATCH] Optionally enable OpenSSL hardware support

Darren Tucker dtucker at zip.com.au
Sun Nov 20 14:15:16 EST 2005


Hi all.

While on the subject of the OpenSSL interface, this patch optionally
enables OpenSSL's ENGINE support at build time.

Apply to a snapshot, run autoreconf, then "./configure --with-ssl-engine".

Testing (esp. with a real hardware engine) would be appreciated.

Index: INSTALL
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/INSTALL,v
retrieving revision 1.70
diff -u -p -r1.70 INSTALL
--- INSTALL	24 Apr 2005 07:52:23 -0000	1.70
+++ INSTALL	1 Oct 2005 08:36:24 -0000
@@ -165,6 +165,8 @@ created.
 --with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
 are installed.
 
+--with-ssl-engine enables OpenSSL's (hardware) ENGINE support
+
 --with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
 real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
 
Index: configure.ac
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v
retrieving revision 1.307
diff -u -p -r1.307 configure.ac
--- configure.ac	12 Nov 2005 07:42:37 -0000	1.307
+++ configure.ac	20 Nov 2005 03:06:37 -0000
@@ -1745,6 +1745,24 @@ Also see contrib/findssl.sh for help ide
 	]
 )
 
+AC_ARG_WITH(ssl-engine,
+	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
+	[ if test "x$withval" != "xno" ; then
+		AC_MSG_CHECKING(for OpenSSL ENGINE support)
+		AC_TRY_COMPILE(
+			[ #include <openssl/engine.h>],
+			[
+int main(void){ENGINE_load_builtin_engines();ENGINE_register_all_complete();}
+			],
+			[ AC_MSG_RESULT(yes)
+			  AC_DEFINE(USE_OPENSSL_ENGINE, 1,
+			     [Enable OpenSSL engine support])
+			],
+			[ AC_MSG_ERROR(OpenSSL ENGINE support not found)]
+		)
+	  fi ]
+)
+
 # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
 # because the system crypt() is more featureful.
 if test "x$check_for_libcrypt_before" = "x1"; then
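Review bot: The AC_TRY_COMPILE body in the new ssl-engine check is itself wrapped in a main() by autoconf, so the `int main(void){...}` on the body line ends up as a nested function definition, which GCC accepts as an extension but other compilers may reject; the body should be the bare statements `ENGINE_load_builtin_engines(); ENGINE_register_all_complete();`. A compile-only test also proves only that <openssl/engine.h> is present, not that the libcrypto being linked exports the ENGINE symbols, so `AC_TRY_LINK` with the same includes and body would be a stronger guard for a feature the user explicitly requested. The failure branch should emit `AC_MSG_RESULT(no)` before `AC_MSG_ERROR(...)` so the "checking" line is terminated like the other checks in this file.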
Index: openbsd-compat/openssl-compat.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/openssl-compat.c,v
retrieving revision 1.2
diff -u -p -r1.2 openssl-compat.c
--- openbsd-compat/openssl-compat.c	17 Jun 2005 11:15:21 -0000	1.2
+++ openbsd-compat/openssl-compat.c	1 Oct 2005 08:58:50 -0000
@@ -18,7 +18,11 @@
 
 #include "includes.h"
 
-#define SSH_DONT_REDEF_EVP
+#ifdef USE_OPENSSL_ENGINE
+# include <openssl/engine.h>
+#endif
+
+#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 #include "openssl-compat.h"
 
 #ifdef SSH_OLD_EVP
@@ -44,3 +48,15 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
 	return 1;
 }
 #endif
+
+void
+ssh_SSLeay_add_all_algorithms(void)
+{
+	SSLeay_add_all_algorithms();
+
+#ifdef	USE_OPENSSL_ENGINE
+	/* Enable use of crypto hardware */
+	ENGINE_load_builtin_engines();
+	ENGINE_register_all_complete();
+#endif
+}
Index: openbsd-compat/openssl-compat.h
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/openssl-compat.h,v
retrieving revision 1.2
diff -u -p -r1.2 openssl-compat.h
--- openbsd-compat/openssl-compat.h	20 Nov 2005 03:10:00 -0000	1.2
+++ openbsd-compat/openssl-compat.h	20 Nov 2005 03:10:30 -0000
@@ -52,7 +52,7 @@ extern const EVP_CIPHER *evp_acss(void);
  */
 #ifdef SSH_OLD_EVP
 
-# ifndef SSH_DONT_REDEF_EVP
+# ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 
 #  ifdef EVP_Cipher
 #   undef EVP_Cipher
@@ -68,3 +68,8 @@ int ssh_EVP_CipherInit(EVP_CIPHER_CTX *,
 int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
 int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
 #endif
+
+#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
+# define SSLeay_add_all_algorithms()	ssh_SSLeay_add_all_algorithms()
+#endif
+void ssh_SSLeay_add_all_algorithms(void);
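Review bot: The new `#define SSLeay_add_all_algorithms() ssh_SSLeay_add_all_algorithms()` does not follow the `#ifdef X` / `#undef X` pattern this same header uses for EVP_Cipher a few lines up; if the OpenSSL in use already defines SSLeay_add_all_algorithms as a macro in evp.h (the 0.9.7/0.9.8 headers do, as far as I recall), this is a redefinition with a different body and will at least draw a diagnostic. Add `# ifdef SSLeay_add_all_algorithms` / `#  undef SSLeay_add_all_algorithms` / `# endif` inside the new `#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS` block before the define. Note that openssl-compat.c defines SSH_DONT_OVERLOAD_OPENSSL_FUNCS so its own call resolves to OpenSSL's version, which is the intended behaviour and should be stated in a comment on the `#ifndef` so the next reader does not "fix" it.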

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



