OpenSSL ENIGNE support for OpenSSH
Dan Kaminsky
dan at doxpara.com
Thu Jul 1 06:51:26 EST 2004
Michal--
For what possible reason does OpenSSL not do engine initialization
by default?
--Dan
Michal Ludvig wrote:
>Hi all,
>
>attached is a patch that enables using hardware crypto accelerators
>available through the OpenSSL library for SSH operations. Especially in
>ssh/sshd it can bring a significant speed improvement. OTOH if no crypto
>engine is available, nothing bad happens and the default software crypto
>routines are used.
>
>This patch is used in SUSE Linux OpenSSH package and proved to work (at
>least it didn't break anything) both with and without crypto engines.
>Tested also with VIA PadLock crypto engine (patches for OpenSSL are at
>http://www.logix.cz/michal/devel/padlock/ )
>
>Would you consider including it in the official OpenSSH release?
>
>Thanks!
>
>Michal Ludvig
>
>
>------------------------------------------------------------------------
>
># Load drivers for available hardware crypto accelerators.
># -- mludvig at suse.cz
>Index: openssh-3.8p1/ssh-add.c
>===================================================================
>--- openssh-3.8p1.orig/ssh-add.c
>+++ openssh-3.8p1/ssh-add.c
>@@ -38,6 +38,7 @@
> RCSID("$OpenBSD: ssh-add.c,v 1.69 2003/11/21 11:57:03 djm Exp $");
>
> #include <openssl/evp.h>
>+#include <openssl/engine.h>
>
> #include "ssh.h"
> #include "rsa.h"
>@@ -325,6 +326,10 @@ main(int argc, char **argv)
>
> SSLeay_add_all_algorithms();
>
>+ /* Init available hardware crypto engines. */
>+ ENGINE_load_builtin_engines();
>+ ENGINE_register_all_complete();
>+
> /* At first, get a connection to the authentication agent. */
> ac = ssh_get_authentication_connection();
> if (ac == NULL) {
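Review bot: The engine initialisation added after `SSLeay_add_all_algorithms()` is pasted verbatim into six programs (this hunk, then ssh-agent.c, ssh-keygen.c, ssh-keysign.c, ssh.c and sshd.c) with no log line, no matching `ENGINE_cleanup()` at exit, and no way for an operator to confirm that an accelerator was actually selected rather than the software fallback. A single helper in a shared file, say `void ssh_init_engines(void)` holding the two calls plus a `debug("OpenSSL engine support initialised")` line, would keep the six call sites from drifting and give one place to add cleanup or per-engine selection later. The comment could also record the policy the cover letter describes, e.g. `/* Register all builtin engines as defaults; software fallback if none initialises. */`. The enclosing main() continues outside the hunk.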
>Index: openssh-3.8p1/ssh-agent.c
>===================================================================
>--- openssh-3.8p1.orig/ssh-agent.c
>+++ openssh-3.8p1/ssh-agent.c
>@@ -39,6 +39,7 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.117 200
>
> #include <openssl/evp.h>
> #include <openssl/md5.h>
>+#include <openssl/engine.h>
>
> #include "ssh.h"
> #include "rsa.h"
>@@ -1025,6 +1026,10 @@ main(int ac, char **av)
>
> SSLeay_add_all_algorithms();
>
>+ /* Init available hardware crypto engines. */
>+ ENGINE_load_builtin_engines();
>+ ENGINE_register_all_complete();
>+
> __progname = ssh_get_progname(av[0]);
> init_rng();
> seed_rng();
>Index: openssh-3.8p1/ssh-keygen.c
>===================================================================
>--- openssh-3.8p1.orig/ssh-keygen.c
>+++ openssh-3.8p1/ssh-keygen.c
>@@ -16,6 +16,7 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.113 20
>
> #include <openssl/evp.h>
> #include <openssl/pem.h>
>+#include <openssl/engine.h>
>
> #include "xmalloc.h"
> #include "key.h"
>@@ -807,6 +808,11 @@ main(int ac, char **av)
> __progname = ssh_get_progname(av[0]);
>
> SSLeay_add_all_algorithms();
>+
>+ /* Init available hardware crypto engines. */
>+ ENGINE_load_builtin_engines();
>+ ENGINE_register_all_complete();
>+
> log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
>
> init_rng();
>Index: openssh-3.8p1/ssh-keysign.c
>===================================================================
>--- openssh-3.8p1.orig/ssh-keysign.c
>+++ openssh-3.8p1/ssh-keysign.c
>@@ -27,6 +27,7 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.15 20
> #include <openssl/evp.h>
> #include <openssl/rand.h>
> #include <openssl/rsa.h>
>+#include <openssl/engine.h>
>
> #include "log.h"
> #include "key.h"
>@@ -182,6 +183,11 @@ main(int argc, char **argv)
> pw = pwcopy(pw);
>
> SSLeay_add_all_algorithms();
>+
>+ /* Init available hardware crypto engines. */
>+ ENGINE_load_builtin_engines();
>+ ENGINE_register_all_complete();
>+
> for (i = 0; i < 256; i++)
> rnd[i] = arc4random();
> RAND_seed(rnd, sizeof(rnd));
>Index: openssh-3.8p1/ssh.c
>===================================================================
>--- openssh-3.8p1.orig/ssh.c
>+++ openssh-3.8p1/ssh.c
>@@ -44,6 +44,7 @@ RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/1
>
> #include <openssl/evp.h>
> #include <openssl/err.h>
>+#include <openssl/engine.h>
>
> #include "ssh.h"
> #include "ssh1.h"
>@@ -512,6 +513,10 @@ again:
> SSLeay_add_all_algorithms();
> ERR_load_crypto_strings();
>
>+ /* Init available hardware crypto engines. */
>+ ENGINE_load_builtin_engines();
>+ ENGINE_register_all_complete();
>+
> /* Initialize the command to execute on remote host. */
> buffer_init(&command);
>
>Index: openssh-3.8p1/sshd.c
>===================================================================
>--- openssh-3.8p1.orig/sshd.c
>+++ openssh-3.8p1/sshd.c
>@@ -48,6 +48,7 @@ RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/
> #include <openssl/bn.h>
> #include <openssl/md5.h>
> #include <openssl/rand.h>
>+#include <openssl/engine.h>
> #ifdef HAVE_SECUREWARE
> #include <sys/security.h>
> #include <prot.h>
>@@ -991,6 +992,10 @@ main(int ac, char **av)
> SSLeay_add_all_algorithms();
> channel_set_af(IPv4or6);
>
>+ /* Init available hardware crypto engines. */
>+ ENGINE_load_builtin_engines();
>+ ENGINE_register_all_complete();
>+
> /*
> * Force logging to stderr until we have loaded the private host
> * key (unless started from inetd)
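Review bot: In sshd the engines are registered once in the listening parent, before the per-connection fork and before privilege separation, so whatever state an engine acquires at initialisation (device handles, for instance) is inherited by every child, including the unprivileged one; whether that matters for a CPU-instruction engine such as PadLock is not visible here, but it would for a device-backed engine. The same question applies to ssh-keysign.c, which runs setuid root; that hunk does not show where the calls fall relative to the host-key read and the privilege drop, so this should be checked. A comment at the call site recording that initialisation deliberately happens before fork()/privsep, and which engines that was verified with, would help, e.g. `/* Engines registered before fork()/privsep; verified with PadLock only. */`. main() continues outside the hunk.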
>
>
>------------------------------------------------------------------------
>