search for: use_openssl_engine

I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may

...enbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index b87ce59e..3ebdcca1 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -113,6 +113,10 @@ void ssh_OpenSSL_add_all_algorithms(void); #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ +#if !defined(USE_OPENSSL_ENGINE) && !defined(HAVE_OPENSSL_ADD_ALL_ALGORITHMS) +# define OpenSSL_add_all_algorithms +#endif + /* LibreSSL/OpenSSL 1.1x API compat */ #ifndef HAVE_DSA_GET0_PQG void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, -- 2.19.1

...[ if test "x$withval" != "xno" ; then + AC_MSG_CHECKING(for OpenSSL ENGINE support) + AC_TRY_COMPILE( + [ #include <openssl/engine.h>], + [ +int main(void){ENGINE_load_builtin_engines();ENGINE_register_all_complete();} + ], + [ AC_MSG_RESULT(yes) + AC_DEFINE(USE_OPENSSL_ENGINE, 1, + [Enable OpenSSL engine support]) + ], + [ AC_MSG_ERROR(OpenSSL ENGINE support not found)] + ) + fi ] +) + # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, # because the system crypt() is more featureful. if test "x$check_for_libcrypt_before"...

Engine keys are private key files which are only understood by openssl external engines. ?The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). ?Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private

...gine Identity added: %s\n", file); + } + if (pin) + free (pin); + return ret; +} + static int delete_file(int agent_fd, const char *filename, int key_only, int qflag) { @@ -609,6 +632,9 @@ usage(void) #ifdef WITH_XMSS " [-M maxsign] [-m minleft]\n" #endif +#ifdef USE_OPENSSL_ENGINE +" [-o engine]\n" +#endif " [file ...]\n" " ssh-add -s pkcs11\n" " ssh-add -e pkcs11\n" @@ -622,7 +648,7 @@ main(int argc, char **argv) extern char *optarg; extern int optind; int agent_fd; - char *pkcs11provid...

Hi all, attached is a patch that enables using hardware crypto accelerators available through OpenSSL library for SSH operations. Especially in ssh/sshd it can bring a significant speed improvement. OTOH if no crypto engine is available, nothing bad happens and default software crypto routines are used. This patch is used in SUSE Linux OpenSSH package and proved to work (at least it didn't

...u_char *, size_t); */ #ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS +/* OpenSSL >= 1.1.0 without deprecated APIs needs this.*/ +#ifndef SSLEAY_VERSION +# define SSLEAY_VERSION OPENSSL_VERSION +# define SSLeay_version OpenSSL_version +# define SSLeay OpenSSL_version_num +#endif + # ifdef USE_OPENSSL_ENGINE # ifdef OpenSSL_add_all_algorithms # undef OpenSSL_add_all_algorithms -- 2.19.1

...AC_TRY_COMPILE( [ #include <openssl/engine.h>], [ int main(void){ENGINE_load_builtin_engines();ENGINE_register_all_complete();} ], [ AC_MSG_RESULT(yes) AC_DEFINE(USE_OPENSSL_ENGINE, 1, [Enable OpenSSL engine support]) ], [ AC_MSG_ERROR(OpenSSL ENGINE support not found)] ) This generates code in configure lines 17887 onward: int main () { int main(void){ENGINE_load_builtin_...