Hi all.
While on the subject of the OpenSSL interface, this patch optionally
enables OpenSSL's ENGINE support at build time.
Apply to a snapshot, autoreconf and "./configure --with-ssl-engine".
Testing (esp. with a real hardware engine) would be appreciated.
Index: INSTALL
==================================================================RCS file:
/usr/local/src/security/openssh/cvs/openssh_cvs/INSTALL,v
retrieving revision 1.70
diff -u -p -r1.70 INSTALL
--- INSTALL 24 Apr 2005 07:52:23 -0000 1.70
+++ INSTALL 1 Oct 2005 08:36:24 -0000
@@ -165,6 +165,8 @@ created.
--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
are installed.
+--with-ssl-engine enables OpenSSL's (hardware) ENGINE support
+
--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
Index: configure.ac
==================================================================RCS file:
/usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v
retrieving revision 1.307
diff -u -p -r1.307 configure.ac
--- configure.ac 12 Nov 2005 07:42:37 -0000 1.307
+++ configure.ac 20 Nov 2005 03:06:37 -0000
@@ -1745,6 +1745,24 @@ Also see contrib/findssl.sh for help ide
]
)
+AC_ARG_WITH(ssl-engine,
+ [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
+ [ if test "x$withval" != "xno" ; then
+ AC_MSG_CHECKING(for OpenSSL ENGINE support)
+ AC_TRY_COMPILE(
+ [ #include <openssl/engine.h>],
+ [
+int main(void){ENGINE_load_builtin_engines();ENGINE_register_all_complete();}
+ ],
+ [ AC_MSG_RESULT(yes)
+ AC_DEFINE(USE_OPENSSL_ENGINE, 1,
+ [Enable OpenSSL engine support])
+ ],
+ [ AC_MSG_ERROR(OpenSSL ENGINE support not found)]
+ )
+ fi ]
+)
+
# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
# because the system crypt() is more featureful.
if test "x$check_for_libcrypt_before" = "x1"; then
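Review bot: The AC_TRY_COMPILE body argument at `+int main(void){ENGINE_load_builtin_engines();ENGINE_register_all_complete();}` is itself wrapped by autoconf in a generated `int main(void) { ... }`, so the test program contains a function definition nested inside main, which is not valid C and only gets past GCC because of its nested-function extension; the argument should be just the statements, `[ ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); ]`. AC_TRY_COMPILE also only compiles, so a system with engine.h installed but a libcrypto built without ENGINE (or an older libcrypto lacking ENGINE_register_all_complete) passes the check and fails at link time in the real build; AC_TRY_LINK with the same body gives the answer the message claims to report. A one-line comment above the check stating that a user-requested `--with-ssl-engine` is fatal if unsupported would make the AC_MSG_ERROR choice explicit.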
Index: openbsd-compat/openssl-compat.c
==================================================================RCS file:
/usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/openssl-compat.c,v
retrieving revision 1.2
diff -u -p -r1.2 openssl-compat.c
--- openbsd-compat/openssl-compat.c 17 Jun 2005 11:15:21 -0000 1.2
+++ openbsd-compat/openssl-compat.c 1 Oct 2005 08:58:50 -0000
@@ -18,7 +18,11 @@
#include "includes.h"
-#define SSH_DONT_REDEF_EVP
+#ifdef USE_OPENSSL_ENGINE
+# include <openssl/engine.h>
+#endif
+
+#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
#include "openssl-compat.h"
#ifdef SSH_OLD_EVP
@@ -44,3 +48,15 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
return 1;
}
#endif
+
+void
+ssh_SSLeay_add_all_algorithms(void)
+{
+ SSLeay_add_all_algorithms();
+
+#ifdef USE_OPENSSL_ENGINE
+ /* Enable use of crypto hardware */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+#endif
+}
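Review bot: The comment `/* Enable use of crypto hardware */` understates what the two calls do: ENGINE_load_builtin_engines() loads every engine compiled into libcrypto, not only hardware-backed ones, and ENGINE_register_all_complete() registers all of them as candidate default implementations for every algorithm they claim, so whichever engine initialises first for a given algorithm will perform that operation for the whole process in place of OpenSSL's software code. That is the security-relevant consequence of enabling this option and belongs in the comment, e.g. `/* Load every built-in engine and register all of them as default providers; any engine that initialises (hardware or not) then handles the algorithms it offers for this process */`. The return value of ENGINE_register_all_complete() (int) is discarded; if a failure here is acceptable because the software implementations remain, say so in the comment rather than leaving it implicit.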
Index: openbsd-compat/openssl-compat.h
==================================================================RCS file:
/usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/openssl-compat.h,v
retrieving revision 1.2
diff -u -p -r1.2 openssl-compat.h
--- openbsd-compat/openssl-compat.h 20 Nov 2005 03:10:00 -0000 1.2
+++ openbsd-compat/openssl-compat.h 20 Nov 2005 03:10:30 -0000
@@ -52,7 +52,7 @@ extern const EVP_CIPHER *evp_acss(void);
*/
#ifdef SSH_OLD_EVP
-# ifndef SSH_DONT_REDEF_EVP
+# ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
# ifdef EVP_Cipher
# undef EVP_Cipher
@@ -68,3 +68,8 @@ int ssh_EVP_CipherInit(EVP_CIPHER_CTX *,
int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
#endif
+
+#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
+# define SSLeay_add_all_algorithms() ssh_SSLeay_add_all_algorithms()
+#endif
+void ssh_SSLeay_add_all_algorithms(void);
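Review bot: The `# define SSLeay_add_all_algorithms() ssh_SSLeay_add_all_algorithms()` redefines a name that OpenSSL's evp.h already provides as a function-like macro on 0.9.7 and later (defined there in terms of OPENSSL_add_all_algorithms_*), and redefining a macro with a different replacement list draws a diagnostic from every conforming compiler; adding `# undef SSLeay_add_all_algorithms` inside the `#ifndef` before the `# define` avoids it. The define is also include-order sensitive: any translation unit that includes openssl-compat.h before the OpenSSL headers would have the macro applied to OpenSSL's own declaration of the name, so the header presumably relies on includes.h pulling in OpenSSL first — a short comment stating that requirement next to the define would save the next maintainer from a confusing preprocessor error.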
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.