Bug 1707

Summary:

Tweak OpenSSL ENGINE support to use openssl config system

Product:

Portable OpenSSH

Reporter:

Solomon Peachy <pizza>

Component:

Miscellaneous

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

enhancement

CC:

dtucker

Priority:

Version:

5.3p1

Hardware:

All

OS:

Linux

Bug Depends on:

Bug Blocks:

1626

Attachments:

Description	Flags
adds call to OPENSSL_config()	djm: ok+

Description Solomon Peachy 2010-01-29 03:52:12 AEDT

from the OPENSSL_config manpage:

 "OPENSSL_config() configures OpenSSL using the standard openssl.cnf
  configuration file name using config_name. If config_name is NULL then
  the default name openssl_conf will be used."
  ...
 "It is strongly recommended that all new applications call
  OPENSSL_config() or the more sophisticated functions such as
  CONF_modules_load() during initialization (that is before starting any
  threads). By doing this an application does not need to keep track of
  all configuration options and some new functionality can be supported
  automatically."

The attached patch adds a call to OPENSSL_config() at the end of the calls to the ENGINE initialization.  If the sysadmin has enabled hardware accelerated crypto support in the openssl.cnf file, openssh will use those settings.

Without this patch, unless the sysadmin has hardwired the openssl libraries to default to a hardware crypto engine, openssh cannot take advantage of said engine.

With this patch and the appropriate openssl.cnf tweaks, I easily double the throughput of scp on a system with a VIA Padlock crypto engine.

Comment 1 Solomon Peachy 2010-01-29 04:17:48 AEDT

Created attachment 1786 [details]
adds call to OPENSSL_config()

Comment 2 Darren Tucker 2010-01-29 08:53:05 AEDT

I suggested this over in bug #1440 bug I don't have any crypto hardware so I could not test it.  Nice to hear it works :-)

It looks like OPENSSL_config is not present in all versions of OpenSSL that OpenSSH supports (seems to have bee introduced around 0.9.8) so there will need to be a configure test for it.

Comment 3 Solomon Peachy 2010-01-29 09:28:54 AEDT

According to the man page OPENSSL_config() was introduced in v0.9.7, which is also when engine support was merged into the mainline openssl release with its current API.

v0.9.6 had an optional engine package, but its API was different and openssh's engine support won't work with it anyway -- the autoconf test will fail.

So if the existing autoconf test for --with-ssl-engine succeeds, it means we have openssl 0.9.7 and subsequently support OPENSSL_config().

Comment 4 Darren Tucker 2010-01-29 10:56:59 AEDT

Well argued :-)

This has been applied and will be in the 5.4p1 release.  Thanks.

Comment 5 Darren Tucker 2010-03-26 10:51:02 AEDT

With the release of 5.4p1, this bug is now considered closed.