bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-28 16:52 UTC
[Bug 1707] New: Tweak OpenSSL ENGINE support to use openssl config system
https://bugzilla.mindrot.org/show_bug.cgi?id=1707
Summary: Tweak OpenSSL ENGINE support to use openssl config system
Product: Portable OpenSSH
Version: 5.3p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Miscellaneous
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: pizza at shaftnet.org
from the OPENSSL_config manpage:
"OPENSSL_config() configures OpenSSL using the standard openssl.cnf
configuration file name using config_name. If config_name is NULL then
the default name openssl_conf will be used."
...
"It is strongly recommended that all new applications call
OPENSSL_config() or the more sophisticated functions such as
CONF_modules_load() during initialization (that is before starting any
threads). By doing this an application does not need to keep track of
all configuration options and some new functionality can be supported
automatically."
The attached patch adds a call to OPENSSL_config() at the end of the
calls to the ENGINE initialization. If the sysadmin has enabled
hardware accelerated crypto support in the openssl.cnf file, openssh
will use those settings.
Without this patch, unless the sysadmin has hardwired the openssl
libraries to default to a hardware crypto engine, openssh cannot take
advantage of said engine.
With this patch and the appropriate openssl.cnf tweaks, I easily double
the throughput of scp on a system with a VIA Padlock crypto engine.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
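Added example, not part of the bug report or of OpenSSH: once ssh and sshd call OPENSSL_config(), the engines named in openssl.cnf are loaded into their processes, so it helps to know what that file enables. This sketch follows the openssl_conf name to the engines section, lists each engine, and flags any that is loaded from an explicit dynamic_path. SAMPLE_CNF, the examplehsm engine and its path are constructed, and the parser assumes no variable expansion or .include directives.

```python
# Constructed sample openssl.cnf: a Padlock engine plus a hypothetical
# dynamically loaded engine. Not taken from the bug report.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
padlock = padlock_section
hsm = hsm_section

[padlock_section]
default_algorithms = ALL

[hsm_section]
engine_id = examplehsm
dynamic_path = /opt/example/lib/libexamplehsm.so
"""

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def configured_engines(text, config_name="openssl_conf"):
    """Return [(engine_id, settings)] reachable from the default section."""
    cnf = parse_cnf(text)
    init = cnf.get(cnf["default"].get(config_name, ""), {})
    engines = cnf.get(init.get("engines", ""), {})
    # engine_id overrides the short name used in the engines section
    return [(cnf.get(sec, {}).get("engine_id", name), cnf.get(sec, {}))
            for name, sec in engines.items()]

def dynamic_engines(text):
    """Engines loaded from an explicit shared-object path; review these."""
    return [(eid, s["dynamic_path"]) for eid, s in configured_engines(text)
            if "dynamic_path" in s]
```

Run it over the real openssl.cnf contents and check that every dynamic_path it reports points at a root-owned, non-writable library.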
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-28 17:17 UTC
[Bug 1707] Tweak OpenSSL ENGINE support to use openssl config system
https://bugzilla.mindrot.org/show_bug.cgi?id=1707
--- Comment #1 from Solomon Peachy <pizza at shaftnet.org> 2010-01-29
04:17:48 EST ---
Created an attachment (id=1786)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1786)
adds call to OPENSSL_config()
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-28 21:53 UTC
[Bug 1707] Tweak OpenSSL ENGINE support to use openssl config system
https://bugzilla.mindrot.org/show_bug.cgi?id=1707
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Blocks| |1626
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2010-01-29
08:53:05 EST ---
I suggested this over in bug #1440 but I don't have any crypto hardware
so I could not test it. Nice to hear it works :-)
It looks like OPENSSL_config is not present in all versions of OpenSSL
that OpenSSH supports (seems to have been introduced around 0.9.8) so
there will need to be a configure test for it.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-28 22:28 UTC
[Bug 1707] Tweak OpenSSL ENGINE support to use openssl config system
https://bugzilla.mindrot.org/show_bug.cgi?id=1707
--- Comment #3 from Solomon Peachy <pizza at shaftnet.org> 2010-01-29
09:28:54 EST ---
According to the man page OPENSSL_config() was introduced in v0.9.7,
which is also when engine support was merged into the mainline openssl
release with its current API.
v0.9.6 had an optional engine package, but its API was different and
openssh's engine support won't work with it anyway -- the autoconf test
will fail.
So if the existing autoconf test for --with-ssl-engine succeeds, it
means we have openssl 0.9.7 and subsequently support OPENSSL_config().
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-28 23:45 UTC
[Bug 1707] Tweak OpenSSL ENGINE support to use openssl config system
https://bugzilla.mindrot.org/show_bug.cgi?id=1707
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1786| |ok+
Flag| |
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-28 23:57 UTC
[Bug 1707] Tweak OpenSSL ENGINE support to use openssl config system
https://bugzilla.mindrot.org/show_bug.cgi?id=1707
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2010-01-29
10:56:59 EST ---
Well argued :-)
This has been applied and will be in the 5.4p1 release. Thanks.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-25 23:51 UTC
[Bug 1707] Tweak OpenSSL ENGINE support to use openssl config system
https://bugzilla.mindrot.org/show_bug.cgi?id=1707
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2010-03-26
10:51:02 EST ---
With the release of 5.4p1, this bug is now considered closed.