Hi,

We have a need to use a dynamic OpenSSL engine under apache.  The
attached patch (against 2.0.48) directs apache to accept ssl.conf
directives such as:

SSLCryptoDevice dynamic
SSLCryptoLibpath /usr/local/lib/hw_ibmca.so
SSLCryptoDevID ibmca

directing openssl to load hw_ibmca.so dynamically as engine id ibmca.

Is there a fundamental objection to incorporating this feature?

thanks,
-serge
-- 
=======================================================
Serge Hallyn
Security Software Engineer, IBM Linux Technology Center
[EMAIL PROTECTED]
diff -Nru httpd-2.0.48/modules/ssl/mod_ssl.c httpd-2.0.48-dyn/modules/ssl/mod_ssl.c
--- httpd-2.0.48/modules/ssl/mod_ssl.c	2003-03-10 22:40:43.000000000 -0800
+++ httpd-2.0.48-dyn/modules/ssl/mod_ssl.c	2004-02-13 12:44:59.000000000 -0800
@@ -120,6 +120,12 @@
     SSL_CMD_SRV(CryptoDevice, TAKE1,
                 "SSL external Crypto Device usage "
                 "(`builtin', `...')")
+    SSL_CMD_SRV(CryptoLibpath, TAKE1,
+                "Full path to dynamic SSL engine "
+                "(`builtin', `...')")
+    SSL_CMD_SRV(CryptoDevID, TAKE1,
+                "Engine ID for dynamic engine "
+                "(`builtin', `...')")
 #endif
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
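Review bot: The help strings of the two new `SSL_CMD_SRV(CryptoLibpath, …)` and `SSL_CMD_SRV(CryptoDevID, …)` entries still carry the `(`builtin', `...')` value hint copied from CryptoDevice, which is wrong for a file path and for an engine ID and is exactly what `httpd -L` prints to the administrator. Replace them with hints that describe the argument, e.g. `"Full path to the shared object that implements a dynamic SSL engine"` and `"Engine ID under which the dynamically loaded engine is registered"`. Since SSLCryptoLibpath names a library the server will load into its own process at startup, the description should also say that an absolute path is expected, so that the requirement is visible where the directive is documented.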
diff -Nru httpd-2.0.48/modules/ssl/mod_ssl.h httpd-2.0.48-dyn/modules/ssl/mod_ssl.h
--- httpd-2.0.48/modules/ssl/mod_ssl.h	2003-09-15 18:00:06.000000000 -0700
+++ httpd-2.0.48-dyn/modules/ssl/mod_ssl.h	2004-02-13 12:44:49.000000000 -0800
@@ -445,6 +445,8 @@
     apr_hash_t     *tPrivateKey;
 #ifdef SSL_EXPERIMENTAL_ENGINE
     char           *szCryptoDevice;
+    char           *szCryptoLibpath;
+    char           *szCryptoDevID;
 #endif
     struct {
         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
@@ -559,6 +561,8 @@
 const char  *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLCryptoLibpath(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLCryptoDevID(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, int);
 const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
diff -Nru httpd-2.0.48/modules/ssl/ssl_engine_config.c httpd-2.0.48-dyn/modules/ssl/ssl_engine_config.c
--- httpd-2.0.48/modules/ssl/ssl_engine_config.c	2003-09-15 18:00:06.000000000 -0700
+++ httpd-2.0.48-dyn/modules/ssl/ssl_engine_config.c	2004-02-13 12:32:05.000000000 -0800
@@ -109,6 +109,8 @@
     mc->tPublicCert            = apr_hash_make(pool);
 #ifdef SSL_EXPERIMENTAL_ENGINE
     mc->szCryptoDevice         = NULL;
+    mc->szCryptoLibpath        = NULL;
+    mc->szCryptoDevID          = NULL;
 #endif
 
     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
@@ -525,6 +527,24 @@
 }
 
 #ifdef SSL_EXPERIMENTAL_ENGINE
+const char *ssl_cmd_SSLCryptoLibpath(cmd_parms *cmd,
+                                    void *dcfg,
+                                    const char *arg)
+{
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+    mc->szCryptoLibpath = arg;
+    return NULL;
+}
+
+const char *ssl_cmd_SSLCryptoDevID(cmd_parms *cmd,
+                                    void *dcfg,
+                                    const char *arg)
+{
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+    mc->szCryptoDevID = arg;
+    return NULL;
+}
+
 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
                                     void *dcfg,
                                     const char *arg)
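Review bot: `mc->szCryptoLibpath = arg;` and `mc->szCryptoDevID = arg;` store the argument unchecked, so an empty or relative library path is accepted at configuration time and only fails later inside ENGINE_ctrl_cmd_string, where the message does not name the directive that caused it. Directive handlers can reject bad values up front by returning a message; for the path, `if (!ap_os_is_path_absolute(cmd->pool, arg)) return "SSLCryptoLibpath: library path must be absolute";` surfaces the problem at config-check time together with the offending directive. Both handlers also assign a `const char *` to the `char *` fields added in mod_ssl.h, which discards the qualifier; the existing SSLCryptoDevice handler appears to do the same, so either follow it knowingly or declare the new fields `const char *`. The `ssl_cmd_SSLCryptoDevice` definition that begins at the end of this hunk continues outside it.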
diff -Nru httpd-2.0.48/modules/ssl/ssl_engine_init.c httpd-2.0.48-dyn/modules/ssl/ssl_engine_init.c
--- httpd-2.0.48/modules/ssl/ssl_engine_init.c	2003-05-16 11:12:18.000000000 -0700
+++ httpd-2.0.48-dyn/modules/ssl/ssl_engine_init.c	2004-02-17 08:52:46.000000000 -0800
@@ -352,6 +352,7 @@
 #ifdef SSL_EXPERIMENTAL_ENGINE
 void ssl_init_Engine(server_rec *s, apr_pool_t *p)
 {
+    static int need_to_init_dynamic = 1;
     SSLModConfigRec *mc = myModConfig(s);
     ENGINE *e;
 
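Review bot: `static int need_to_init_dynamic = 1;` ties a once-only guard to the function rather than to the configuration it protects, and ssl_init_Engine's body continues outside this hunk, so the effect of a second call cannot be fully seen here. If ssl_init_Engine runs again in the same process (httpd re-runs its post-config hook on restart), the flag is already 0, and the engine obtained for `dynamic` would presumably be used without the SO_PATH/LOAD sequence — the dynamic engine is a shell until LOAD succeeds. Consider keeping the loaded state in SSLModConfigRec next to szCryptoLibpath, or documenting why a process-lifetime static is correct here with a comment such as `/* the dynamic engine is loaded into the OpenSSL ENGINE list once per process; later calls reuse it */`.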
@@ -363,6 +364,33 @@
             ssl_die();
         }
 
+	if (need_to_init_dynamic && strEQ(mc->szCryptoDevice, "dynamic")) {
+	    if (!mc->szCryptoLibpath) {
+		    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+				 "Init: Dynamic engine specified, but no library path.\n");
+		    ENGINE_free(e);
+		    return;
+	    }
+	    if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", mc->szCryptoLibpath, 0) ||
+		(mc->szCryptoDevID && !ENGINE_ctrl_cmd_string(e, "ID", mc->szCryptoDevID, 0)) ||
+		!ENGINE_ctrl_cmd_string(e, "LIST_ADD", "1", 0)) {
+		    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+				 "Init: Error setting the dynamic engine details.\n");
+		    ENGINE_free(e);
+		    return;
+	    }
+
+	    if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
+		    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+				 "Init: Error LOADing the dynamic engine %s %s\n",
+				 mc->szCryptoLibpath,
+				 (mc->szCryptoDevID ? mc->szCryptoDevID : "(no ID)"));
+		    ENGINE_free(e);
+		    return;
+	    }
+	    need_to_init_dynamic = 0;
+	}
+
         if (strEQ(mc->szCryptoDevice, "chil")) {
             ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
         }
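Review bot: Every failure path in the new block (`!mc->szCryptoLibpath`, the SO_PATH/ID/LIST_ADD ctrl sequence, and LOAD) logs, frees the engine and does `return;`, so the server comes up without the hardware engine that the administrator configured, whereas the surrounding code treats an engine failure as fatal via `ssl_die()` (visible at the top of the hunk). For a crypto device that may hold the server's private key, failing closed is the safer default and matches the module's existing behaviour; at each of the three sites replace `ENGINE_free(e); return;` with `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die();` so the OpenSSL error queue, which ENGINE_ctrl_cmd_string leaves populated, is reported instead of silently dropped. The messages at `"Init: Dynamic engine specified, but no library path.\n"` and the two that follow end in a newline that ap_log_error already adds, and the block is indented with tabs where the rest of the function uses four spaces (compare the `if (strEQ(mc->szCryptoDevice, "chil"))` line). ssl_init_Engine continues past the end of this hunk.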
