Bug 1437 - OpenSSL engine support not enabled
Summary: OpenSSL engine support not enabled
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: 4.7p1
Hardware: Other Mac OS X
Importance: P2 normal
Assignee: Assigned to nobody
Blocks: V_4_8
Reported: 2008-02-04 22:36 AEDT by Ian Lister
Modified: 2008-03-31 15:23 AEDT

Attachments
Patch to include the compatibility definition in all files (1.06 KB, patch)
2008-02-04 22:51 AEDT, Ian Lister
refix openssl engine support (4.27 KB, patch)
2008-02-28 18:20 AEDT, Darren Tucker

Description Ian Lister 2008-02-04 22:36:57 AEDT
The support for OpenSSL's hardware crypto engines introduced in configure.ac r1.331, openbsd-compat/openssl-compat.c r1.3, etc. doesn't actually do anything; the redefinition of SSLeay_add_all_algorithms in openbsd-compat/openssl-compat.h doesn't get included in ssh.c, scp.c, etc. where SSLeay_add_all_algorithms is invoked.

Ian
Comment 1 Ian Lister 2008-02-04 22:51:25 AEDT
Created attachment 1451
Patch to include the compatibility definition in all files

This patch includes openbsd-compat/openssl-compat.h in ssh.c, scp.c, and the other files that refer to SSLeay_add_all_algorithms. I have verified that it dramatically improves throughput on a VIA C7 chip (with its Padlock engine) with FreeBSD 6.2's stock OpenSSL 0.9.7e-p1. However, it looks like it might be a regression of openbsd-compat/openbsd-compat.h r1.29; the OpenSSH developers might prefer a slightly different approach.

Ian
Comment 2 Darren Tucker 2008-02-05 12:06:12 AEDT
Thanks, we will look at this for 4.8.

Ah, the joys of working with things you can't actually test yourself :-)
Comment 3 Darren Tucker 2008-02-25 21:14:15 AEDT
Patch applied and will be in 4.8.  Thanks.
Comment 4 Tim Rice 2008-02-26 06:18:21 AEDT
(In reply to comment #3)
> Patch applied and will be in 4.8.  Thanks.

The patch broke UnixWare. Here is a snip from the build log
(cd openbsd-compat && gmake)
gmake[1]: Entering directory `/usr/local/src/networking/openssh/openbsd-compat'
cc -g  -I. -I.. -I/opt/src/networking/openssh/openssh/openbsd-compat -I/opt/src/networking/openssh/openssh/openbsd-compat/..  -I/usr/local/include -DHAVE_CONFIG_H -c /opt/src/networking/openssh/openssh/openbsd-compat/xcrypt.c
UX:acomp: ERROR: "/usr/include/crypt.h", line 38: Syntax error before or at: (
UX:acomp: ERROR: "/usr/include/crypt.h", line 38: Syntax error before or at: const
UX:acomp: ERROR: "/usr/include/crypt.h", line 38: Syntax error before or at: )
UX:acomp: WARNING: "/usr/include/crypt.h", line 38: syntax error:  empty declaration
UX:acomp: WARNING: "/opt/src/networking/openssh/openssh/openbsd-compat/xcrypt.c", line 116: statement not reached
gmake[1]: *** [xcrypt.o] Error 1

And a snip from /usr/include/crypt.h with line numbers
37:extern int   crypt_close(int *);
38:extern char  *des_crypt(const char *, const char *);
39:extern void  des_encrypt(char *, int);

I haven't tracked down a fix yet and probably will not have time until the weekend.
Comment 5 Darren Tucker 2008-02-28 14:07:03 AEDT
BTW I see a very similar error from Solaris 8.
Comment 6 Darren Tucker 2008-02-28 18:20:09 AEDT
Created attachment 1458
refix openssl engine support

It looks like some versions of OpenSSL have SSLeay_add_all_algorithms as a macro, so attempting to define them before the openssl headers is doomed to failure.  I think this is the way to go...
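
The ordering problem described in comment 6, as an added sketch that is not part of this bug thread or of attachment 1458. All toy_* and compat_* names are constructed stand-ins, not OpenSSL or OpenSSH identifiers. It overrides a library name that is already a function-like macro only after the library header has been seen, and builds the wrapper while the name still has its original meaning:

```c
#include <stdio.h>

/* --- Stand-in for the library header (constructed, not OpenSSL's) --- */
static int algos_loaded, engines_loaded;
static void toy_real_add_all(void)        { algos_loaded++; }
static void toy_engine_register_all(void) { engines_loaded++; }
/* Some library versions export the public name as a function-like macro. */
#define toy_add_all_algorithms() toy_real_add_all()

#if 0 /* Reversed order, for contrast only; never compiled. */
#define toy_add_all_algorithms() compat_add_all_algorithms()
/* ...library header seen afterwards: its own #define of the same name
 * clashes with the one above, so the override does not survive. */
#endif

/* --- Stand-in for the wrapper's source file ---
 * Built while the name still has the library's meaning, so this call
 * reaches the real initialiser instead of recursing into the wrapper. */
static void compat_add_all_algorithms(void)
{
    toy_add_all_algorithms();
    toy_engine_register_all();
}

/* --- Stand-in for the compat header, after the library header --- */
#ifdef toy_add_all_algorithms
# undef toy_add_all_algorithms
#endif
#define toy_add_all_algorithms() compat_add_all_algorithms()

/* --- Stand-in for a caller; its source is unchanged by the fix --- */
int app_init(void)
{
    algos_loaded = engines_loaded = 0;
    toy_add_all_algorithms();
    return algos_loaded == 1 && engines_loaded == 1;
}

int get_engines_loaded(void) { return engines_loaded; }

int main(void)
{
    printf("algorithms and engines initialised: %s\n",
           app_init() ? "yes" : "no");
    return 0;
}
```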
Comment 7 Darren Tucker 2008-02-28 22:01:37 AEDT
Patch #1458 tests OK on Solaris and has been committed, so I believe this is now resolved.  Please reopen if this is not the case.
Comment 8 Damien Miller 2008-03-31 15:23:54 AEDT
Fix shipped in 4.9/4.9p1 release.