Bug 1707 - Tweak OpenSSL ENGINE support to use openssl config system
Summary: Tweak OpenSSL ENGINE support to use openssl config system
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous (show other bugs)
Version: 5.3p1
Hardware: All Linux
Importance: P2 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_5_4
Reported: 2010-01-29 03:52 AEDT by Solomon Peachy
Modified: 2010-03-26 10:51 AEDT (History)

Attachments
adds call to OPENSSL_config() (331 bytes, patch)
2010-01-29 04:17 AEDT, Solomon Peachy
djm: ok+
Description Solomon Peachy 2010-01-29 03:52:12 AEDT
from the OPENSSL_config manpage:

 "OPENSSL_config() configures OpenSSL using the standard openssl.cnf
  configuration file name using config_name. If config_name is NULL then
  the default name openssl_conf will be used."
  ...
 "It is strongly recommended that all new applications call
  OPENSSL_config() or the more sophisticated functions such as
  CONF_modules_load() during initialization (that is before starting any
  threads). By doing this an application does not need to keep track of
  all configuration options and some new functionality can be supported
  automatically."

The attached patch adds a call to OPENSSL_config() at the end of the calls to the ENGINE initialization.  If the sysadmin has enabled hardware accelerated crypto support in the openssl.cnf file, openssh will use those settings.

Without this patch, unless the sysadmin has hardwired the openssl libraries to default to a hardware crypto engine, openssh cannot take advantage of said engine.

With this patch and the appropriate openssl.cnf tweaks, I easily double the throughput of scp on a system with a VIA Padlock crypto engine.
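The "openssl.cnf tweaks" referred to above are not shown on this page. The fragment below is an added example, not the reporter's file, of the engine section that OPENSSL_config() (or CONF_modules_load_file()) reads when the default section names openssl_conf, following the config(5) layout. The section names (openssl_init, engine_section, padlock_section) are arbitrary labels chosen here; engine_id = padlock assumes an OpenSSL build whose padlock engine is compiled in, and the commented dynamic_path line is only needed where the engine ships as a separate shared object, at a path that varies by distribution.

```ini
# Default (unnamed) section: OPENSSL_config(NULL) looks up "openssl_conf"
# here and follows it to the named section.
openssl_conf = openssl_init

[openssl_init]
# The "engines" key hands the ENGINE configuration module its own section.
engines = engine_section

[engine_section]
# One entry per engine to configure; the key is a label, the value a section.
padlock = padlock_section

[padlock_section]
# engine_id must match the id the engine registers with ENGINE_by_id().
engine_id = padlock
# Only needed when the engine is a loadable module rather than built in;
# the path below is an assumption and depends on the OpenSSL build.
# dynamic_path = /usr/lib/openssl/engines/libpadlock.so
# Make this engine the default implementation for every algorithm it offers
# (ciphers, digests, RSA, ...); a list such as "RSA,AES" restricts that.
default_algorithms = ALL
# Initialise the engine now rather than lazily on first use.
init = 1
```

Two points worth checking before enabling this on a host. First, OPENSSL_config() returns void and reports configuration problems itself, so a typo in this file is not something the calling program can catch and recover from; test the file with `openssl engine -t -c padlock` (with OPENSSL_CONF pointing at it if it is not in the default location) before relying on it. Second, a dynamic_path line causes libcrypto to dlopen an arbitrary shared object into every process that calls OPENSSL_config(), sshd included, so the configuration file and any engine module it names must be root-owned and not writable by anyone else; the OPENSSL_CONF environment variable, which selects an alternative file, is one more reason sshd should continue to start with a clean environment.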
Comment 1 Solomon Peachy 2010-01-29 04:17:48 AEDT
Created attachment 1786
adds call to OPENSSL_config()
Comment 2 Darren Tucker 2010-01-29 08:53:05 AEDT
I suggested this over in bug #1440 but I don't have any crypto hardware so I could not test it.  Nice to hear it works :-)

It looks like OPENSSL_config is not present in all versions of OpenSSL that OpenSSH supports (seems to have been introduced around 0.9.8) so there will need to be a configure test for it.
Comment 3 Solomon Peachy 2010-01-29 09:28:54 AEDT
According to the man page OPENSSL_config() was introduced in v0.9.7, which is also when engine support was merged into the mainline openssl release with its current API.

v0.9.6 had an optional engine package, but its API was different and openssh's engine support won't work with it anyway -- the autoconf test will fail.

So if the existing autoconf test for --with-ssl-engine succeeds, it means we have openssl 0.9.7 and subsequently support OPENSSL_config().
Comment 4 Darren Tucker 2010-01-29 10:56:59 AEDT
Well argued :-)

This has been applied and will be in the 5.4p1 release.  Thanks.
Comment 5 Darren Tucker 2010-03-26 10:51:02 AEDT
With the release of 5.4p1, this bug is now considered closed.