On Tue, 19 Oct 2004 11:18:15 +0100, Joe Orton <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 14, 2004 at 10:03:50AM -0700, Madhusudan Mathihalli wrote:
> > Well.. not exactly based on my experience (maybe I'm wrong or worked
> > around something)
> >
> > Here's what I did:
> > 1. Enable loading of 'dynamic' engine by default
> > 2. Specify "SSLCryptoDevice <my_engine>"
> > 3. Put lib<my_engine>.so in apache/lib
> > 4. set SHLIB_PATH/LD_LIBRARY_PATH in apachectl to point to apache/lib
> >
> > This enabled me to start up Apache with the configured crypto engine.
> > I think the only limitation here is :
> 
> Is this with OpenSSL 0.9.7 or .8? Best I can tell this won't work out of
> the box with 0.9.7, though if you made a bunch of changes in (1) of
> course that's great.  What changes did you make?

It was with 0.9.7d. Here's a patch against Apache 2.1 - please note
that the original changes were made for 2.0, and tested against 2.0.

Thanks
-Madhu

Index: ssl_engine_config.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.94
diff -u -r1.94 ssl_engine_config.c
--- ssl_engine_config.c 3 Jun 2004 15:00:15 -0000       1.94
+++ ssl_engine_config.c 19 Oct 2004 18:24:12 -0000
@@ -476,6 +476,20 @@
 }
 
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+
+ENGINE *ssl_load_dynamic_engine(const char *engine)
+{
+    ENGINE *e = ENGINE_by_id("dynamic");
+    if (e) {
+        if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) ||
+            !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
+            ENGINE_free(e);
+            e = NULL;
+        }
+    }
+    return e;
+}
+
 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
                                     void *dcfg,
                                     const char *arg)
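
Review bot: ssl_load_dynamic_engine() passes its argument to SO_PATH unchanged, so whatever string follows SSLCryptoDevice is handed to the dynamic engine as a shared object to load into the server process. Please add a comment stating whether the argument is an engine id, a bare file name or a full path, and consider accepting only an absolute path or a fixed engine directory instead of depending on the library search path. The failure branch also collapses three cases into one NULL return: ENGINE_by_id("dynamic") failing, SO_PATH being rejected and LOAD failing. Logging which step failed would make a misconfigured engine much easier to diagnose.
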
@@ -491,7 +505,7 @@
     if (strcEQ(arg, "builtin")) {
         mc->szCryptoDevice = NULL;
     }
-    else if ((e = ENGINE_by_id(arg))) {
+    else if ( (e = ENGINE_by_id(arg)) || (e = ssl_load_dynamic_engine(arg)) ) {
         mc->szCryptoDevice = arg;
         ENGINE_free(e);
     }
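
Review bot: in the changed else-if, a successful ssl_load_dynamic_engine(arg) is used only as a validity check, because ENGINE_free(e) drops the reference two lines later and the ssl_engine_init.c hunk loads the same library again from mc->szCryptoDevice. That means the shared object is loaded during configuration parsing just to test the directive. Either say so in a comment or keep the reference for the init step. Style: the added condition uses "( (e = ..." with padded parentheses, while the line it replaces used "((e = ENGINE_by_id(arg)))"; please match the existing style.
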
Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.129
diff -u -r1.129 ssl_engine_init.c
--- ssl_engine_init.c   8 Oct 2004 11:59:32 -0000       1.129
+++ ssl_engine_init.c   19 Oct 2004 18:24:12 -0000
@@ -317,7 +317,8 @@
     ENGINE *e;
 
     if (mc->szCryptoDevice) {
-        if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
+        if ( !(e = ENGINE_by_id(mc->szCryptoDevice)) ||
+             !(e = ssl_load_dynamic_engine(mc->szCryptoDevice)) ) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                          "Init: Failed to load Crypto Device API `%s'",
                          mc->szCryptoDevice);
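
Review bot: the new two-line condition joins the lookups with || where the fallback needs &&. As written, when ENGINE_by_id(mc->szCryptoDevice) fails the first operand is already true, so the error branch is taken without ever calling ssl_load_dynamic_engine(). When ENGINE_by_id() succeeds, the second operand still runs, overwrites e (losing the reference just obtained) and reports failure if the dynamic load does not work for that name. Suggest "if (!(e = ENGINE_by_id(mc->szCryptoDevice)) && !(e = ssl_load_dynamic_engine(mc->szCryptoDevice)))", which matches the order used in the ssl_engine_config.c change.
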
Index: ssl_private.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_private.h,v
retrieving revision 1.7
diff -u -r1.7 ssl_private.h
--- ssl_private.h       3 Jun 2004 15:00:15 -0000       1.7
+++ ssl_private.h       19 Oct 2004 18:24:12 -0000
@@ -636,4 +636,8 @@
 
 #define APR_SHM_MAXSIZE (64 * 1024 * 1024)
 
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+ENGINE *ssl_load_dynamic_engine(const char *engine);
+#endif
+
 #endif /* SSL_PRIVATE_H */
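
Review bot: the new prototype for ssl_load_dynamic_engine() has no comment. Since it returns an ENGINE * that both callers have to release with ENGINE_free(), please document the ownership of the returned reference and what the engine argument is expected to contain (it is passed to SO_PATH in the definition).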
