Bug 1437

Summary: OpenSSL engine support not enabled
Product: Portable OpenSSH
Reporter: Ian Lister <openssh-bugs>
Component: Miscellaneous
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: normal
CC: dtucker, tim
Priority: P2
Version: 4.7p1
Hardware: Other
OS: Mac OS X
Bug Depends on:
Bug Blocks: 1353
Attachments:
Patch to include the compatibility definition in all files (flags: none)
refix openssl engine support (flags: none)

Description Ian Lister 2008-02-04 22:36:57 AEDT
The support for OpenSSL's hardware crypto engines introduced in configure.ac r1.331, openbsd-compat/openssl-compat.c r1.3, etc doesn't actually do anything; the redefinition of SSLeay_add_all_algorithms in openbsd-compat/openssl-compat.h doesn't get included in ssh.c, scp.c, etc where SSLeay_add_all_algorithms is invoked.

Ian
Comment 1 Ian Lister 2008-02-04 22:51:25 AEDT
Created attachment 1451
Patch to include the compatibility definition in all files

This patch includes openbsd-compat/openssl-compat.h in ssh.c, scp.c, and the other files that refer to SSLeay_add_all_algorithms. I have verified that it dramatically improves throughput on a VIA C7 chip (with its Padlock engine) with FreeBSD 6.2's stock OpenSSL 0.9.7e-p1. However, it looks like it might be a regression of openbsd-compat/openbsd-compat.h r1.29; the OpenSSH developers might prefer a slightly different approach.

Ian
Comment 2 Darren Tucker 2008-02-05 12:06:12 AEDT
Thanks, we will look at this for 4.8.

Ah, the joys of working with things you can't actually test yourself :-)
Comment 3 Darren Tucker 2008-02-25 21:14:15 AEDT
Patch applied and will be in 4.8.  Thanks.
Comment 4 Tim Rice 2008-02-26 06:18:21 AEDT
(In reply to comment #3)
> Patch applied and will be in 4.8.  Thanks.

The patch broke UnixWare. Here is a snip from the build log
(cd openbsd-compat && gmake)
gmake[1]: Entering directory `/usr/local/src/networking/openssh/openbsd-compat'
cc -g  -I. -I.. -I/opt/src/networking/openssh/openssh/openbsd-compat -I/opt/src/networking/openssh/openssh/openbsd-compat/..  -I/usr/local/include -DHAVE_CONFIG_H -c /opt/src/networking/openssh/openssh/openbsd-compat/xcrypt.c
UX:acomp: ERROR: "/usr/include/crypt.h", line 38: Syntax error before or at: (
UX:acomp: ERROR: "/usr/include/crypt.h", line 38: Syntax error before or at: const
UX:acomp: ERROR: "/usr/include/crypt.h", line 38: Syntax error before or at: )
UX:acomp: WARNING: "/usr/include/crypt.h", line 38: syntax error:  empty declaration
UX:acomp: WARNING: "/opt/src/networking/openssh/openssh/openbsd-compat/xcrypt.c", line 116: statement not reached
gmake[1]: *** [xcrypt.o] Error 1

And a snip from /usr/include/crypt.h with line numbers
37:extern int   crypt_close(int *);
38:extern char  *des_crypt(const char *, const char *);
39:extern void  des_encrypt(char *, int);

I haven't tracked down a fix yet and probably will not have time until the weekend.
Comment 5 Darren Tucker 2008-02-28 14:07:03 AEDT
BTW I see a very similar error from Solaris 8.
Comment 6 Darren Tucker 2008-02-28 18:20:09 AEDT
Created attachment 1458
refix openssl engine support

It looks like some versions of OpenSSL have SSLeay_add_all_algorithms as a macro, so attempting to define them before the openssl headers is doomed to failure.  I think this is the way to go...
Comment 7 Darren Tucker 2008-02-28 22:01:37 AEDT
Patch #1458 tests OK on Solaris and has been committed, so I believe this is now resolved.  Please reopen if this is not the case.
Comment 8 Damien Miller 2008-03-31 15:23:54 AEDT
Fix shipped in 4.9/4.9p1 release.
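
The header-ordering problem from the description and comment 6, as an added example that is not part of the original thread or OpenSSH's code. It uses a constructed stand-in library (all lib_* and compat_* names are hypothetical) whose init call is a macro, and shows that the compat redefinition only reaches callers that see it after the library header.

```c
#include <stdio.h>

/* --- Stand-in for the crypto library's header (constructed, not OpenSSL) --- */
static int algorithms_loaded, engines_loaded;
static void lib_add_all_impl(void) { algorithms_loaded++; }
/* As in some OpenSSL versions, the public name is a macro, not a function. */
#define lib_add_all_algorithms() lib_add_all_impl()

/* --- Caller that never sees the compat definition (the original bug) --- */
static void init_without_compat(void)
{
	lib_add_all_algorithms();	/* expands to the library's own macro */
}

/* --- Compat wrapper: written while the name still means the library's --- */
static void compat_add_all_algorithms(void)
{
	lib_add_all_algorithms();
	engines_loaded++;		/* stands in for loading hardware engines */
}

/* --- Compat header body: has to come AFTER the library header --- */
#ifdef lib_add_all_algorithms
# undef lib_add_all_algorithms
#endif
#define lib_add_all_algorithms() compat_add_all_algorithms()

/* --- Caller that sees the compat definition after the library header --- */
static void init_with_compat(void)
{
	lib_add_all_algorithms();	/* now expands to the wrapper */
}

/* Reset counters, run one init path, return how many times engines loaded. */
int engines_after(int use_compat)
{
	algorithms_loaded = engines_loaded = 0;
	if (use_compat)
		init_with_compat();
	else
		init_without_compat();
	return algorithms_loaded == 1 ? engines_loaded : -1;
}

int main(void)
{
	printf("without compat definition: engines=%d\n", engines_after(0));
	printf("with compat definition:    engines=%d\n", engines_after(1));
	return 0;
}
```

Both callers compile cleanly and load the algorithms, so the missing engine setup is silent; only a runtime check (or a throughput difference like the one reported in comment 1) reveals it.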