Hi, We need to use a dynamically loaded OpenSSL engine under Apache. The attached patch (against httpd 2.0.48) makes mod_ssl accept ssl.conf directives such as:
SSLCryptoDevice dynamic
SSLCryptoLibpath /usr/local/lib/hw_ibmca.so
SSLCryptoDevID ibmca

directing OpenSSL to load hw_ibmca.so dynamically as engine id ibmca. Is there a fundamental objection to incorporating this feature? thanks, -serge -- ======================================================= Serge Hallyn Security Software Engineer, IBM Linux Technology Center [EMAIL PROTECTED]
diff -Nru httpd-2.0.48/modules/ssl/mod_ssl.c httpd-2.0.48-dyn/modules/ssl/mod_ssl.c
--- httpd-2.0.48/modules/ssl/mod_ssl.c 2003-03-10 22:40:43.000000000 -0800
+++ httpd-2.0.48-dyn/modules/ssl/mod_ssl.c 2004-02-13 12:44:59.000000000 -0800
@@ -120,6 +120,12 @@
 SSL_CMD_SRV(CryptoDevice, TAKE1,
 "SSL external Crypto Device usage "
 "(`builtin', `...')")
+ SSL_CMD_SRV(CryptoLibpath, TAKE1,
+ "Full path to dynamic SSL engine "
+ "(`builtin', `...')")
+ SSL_CMD_SRV(CryptoDevID, TAKE1,
+ "Engine ID for dynamic engine "
+ "(`builtin', `...')")
 #endif
 SSL_CMD_SRV(RandomSeed, TAKE23,
 "SSL Pseudo Random Number Generator (PRNG) seeding source "
diff -Nru httpd-2.0.48/modules/ssl/mod_ssl.h httpd-2.0.48-dyn/modules/ssl/mod_ssl.h
--- httpd-2.0.48/modules/ssl/mod_ssl.h 2003-09-15 18:00:06.000000000 -0700
+++ httpd-2.0.48-dyn/modules/ssl/mod_ssl.h 2004-02-13 12:44:49.000000000 -0800
@@ -445,6 +445,8 @@
 apr_hash_t *tPrivateKey;
 #ifdef SSL_EXPERIMENTAL_ENGINE
 char *szCryptoDevice;
+ char *szCryptoLibpath;
+ char *szCryptoDevID;
 #endif
 struct {
 void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
@@ -559,6 +561,8 @@
 const char *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCryptoLibpath(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCryptoDevID(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, int);
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
diff -Nru httpd-2.0.48/modules/ssl/ssl_engine_config.c httpd-2.0.48-dyn/modules/ssl/ssl_engine_config.c
--- httpd-2.0.48/modules/ssl/ssl_engine_config.c 2003-09-15 18:00:06.000000000 -0700
+++ httpd-2.0.48-dyn/modules/ssl/ssl_engine_config.c 2004-02-13 12:32:05.000000000 -0800 
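Review bot: The help strings added for SSLCryptoLibpath and SSLCryptoDevID in the mod_ssl.c hunk both end in "(`builtin', `...')", copied from the SSLCryptoDevice entry above them, and that text names values neither new directive accepts. This string is what `httpd -L` prints for the directive, so an administrator setting up the engine is pointed at the wrong vocabulary. Suggest `"Full path to dynamic SSL engine " "(`/path/to/engine.so')"` for SSLCryptoLibpath and `"Engine ID for dynamic engine " "(`ibmca', `...')"` for SSLCryptoDevID, matching the example in the cover note. The mod_ssl.h declarations in the two following hunks need no change.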
@@ -109,6 +109,8 @@
 mc->tPublicCert = apr_hash_make(pool);
 #ifdef SSL_EXPERIMENTAL_ENGINE
 mc->szCryptoDevice = NULL;
+ mc->szCryptoLibpath = NULL;
+ mc->szCryptoDevID = NULL;
 #endif
 memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
@@ -525,6 +527,24 @@
 }
 #ifdef SSL_EXPERIMENTAL_ENGINE
+const char *ssl_cmd_SSLCryptoLibpath(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLModConfigRec *mc = myModConfig(cmd->server);
+ mc->szCryptoLibpath = arg;
+ return NULL;
+}
+
+const char *ssl_cmd_SSLCryptoDevID(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLModConfigRec *mc = myModConfig(cmd->server);
+ mc->szCryptoDevID = arg;
+ return NULL;
+}
+
 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
 void *dcfg,
 const char *arg)
diff -Nru httpd-2.0.48/modules/ssl/ssl_engine_init.c httpd-2.0.48-dyn/modules/ssl/ssl_engine_init.c
--- httpd-2.0.48/modules/ssl/ssl_engine_init.c 2003-05-16 11:12:18.000000000 -0700
+++ httpd-2.0.48-dyn/modules/ssl/ssl_engine_init.c 2004-02-17 08:52:46.000000000 -0800
@@ -352,6 +352,7 @@
 #ifdef SSL_EXPERIMENTAL_ENGINE
 void ssl_init_Engine(server_rec *s, apr_pool_t *p)
 {
+ static int need_to_init_dynamic = 1;
 SSLModConfigRec *mc = myModConfig(s);
 ENGINE *e; 
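Review bot: Both new directive handlers in the ssl_engine_config.c hunk store `arg` into the process-wide SSLModConfigRec without any validation, and SSLCryptoLibpath is the string that later becomes the dynamic engine's SO_PATH, i.e. a shared object dlopen()ed into the httpd parent at startup. Nothing rejects a relative path, so which library ends up handling the server's private keys would depend on the loader search path of whatever environment started httpd; a check such as `if (!ap_os_is_path_absolute(cmd->pool, arg)) return "SSLCryptoLibpath: absolute path required";` closes that. The handlers also do not call `ap_check_cmd_context(cmd, GLOBAL_ONLY)`; if the existing ssl_cmd_SSLCryptoDevice does (its body is outside the hunk), the new directives should too, since they write module-global state and would otherwise be accepted inside a <VirtualHost> and silently override the global setting. Each handler should also carry a one-line comment stating that the value is only consumed by ssl_init_Engine when SSLCryptoDevice is "dynamic".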
@@ -363,6 +364,33 @@
 ssl_die();
 }
+ if (need_to_init_dynamic && strEQ(mc->szCryptoDevice, "dynamic")) {
+ if (!mc->szCryptoLibpath) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Dynamic engine specified, but no library path.\n");
+ ENGINE_free(e);
+ return;
+ }
+ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", mc->szCryptoLibpath, 0) ||
+ (mc->szCryptoDevID && !ENGINE_ctrl_cmd_string(e, "ID", mc->szCryptoDevID, 0)) ||
+ !ENGINE_ctrl_cmd_string(e, "LIST_ADD", "1", 0)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Error setting the dynamic engine details.\n");
+ ENGINE_free(e);
+ return;
+ }
+
+ if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Error LOADing the dynamic engine %s %s\n",
+ mc->szCryptoLibpath,
+ (mc->szCryptoDevID ? mc->szCryptoDevID : "(no ID)"));
+ ENGINE_free(e);
+ return;
+ }
+ need_to_init_dynamic = 0;
+ }
+
 if (strEQ(mc->szCryptoDevice, "chil")) {
 ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
 }
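Review bot: Every failure path in the new dynamic-engine block logs and returns, while the check immediately above it (the `ssl_die();` at the top of the hunk) aborts startup, so a wrong library path, a bad engine id or a failed LOAD leaves httpd serving TLS with OpenSSL's software implementation and an operator who configured a hardware engine for key protection only finds out from the error log. Replace the three `ENGINE_free(e); return;` pairs with `ENGINE_free(e); ssl_die();` so the engine configuration fails closed like the existing ENGINE_by_id failure. `need_to_init_dynamic` is a function-static flag, so if ssl_init_Engine is entered again in the same process (httpd 2.0 runs post_config twice in the parent) the second pass presumably obtains a fresh, unloaded "dynamic" ENGINE from the lookup above the hunk, skips LOAD, and the code after the hunk installs that empty engine; either drop the flag or fetch the already-registered engine with `ENGINE_by_id(mc->szCryptoDevID)` on later passes (LIST_ADD "1" put it on OpenSSL's list). The trailing `\n` in the three ap_log_error messages is redundant, as the logger terminates lines itself. ssl_init_Engine starts before this hunk and continues after it.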