Posted to dev@httpd.apache.org by Serge Hallyn <se...@us.ibm.com> on 2004/02/17 21:26:07 UTC

[PATCH] OpenSSL dynamic engines under 2.0.48

Hi,

We have a need to use a dynamic OpenSSL engine under apache.  The
attached patch (against 2.0.48) directs apache to accept ssl.conf
directives such as:

SSLCryptoDevice dynamic
SSLCryptoLibpath /usr/local/lib/hw_ibmca.so
SSLCryptoDevID ibmca

directing openssl to load hw_ibmca.so dynamically as engine id ibmca.

Is there a fundamental complaint against incorporation of this feature?

thanks,
-serge
-- 
=======================================================
Serge Hallyn
Security Software Engineer, IBM Linux Technology Center
serue@us.ibm.com

Re: [PATCH] OpenSSL dynamic engines under 2.0.48

Posted by Jeff Trawick <tr...@attglobal.net>.
Serge E. Hallyn wrote:
> Jeff Trawick <tr...@attglobal.net> wrote:
> 
> 
>>why not
>>
>>SSLCryptoDevice ibmca /usr/local/lib/hw_ibmca.so
>>
>>for dynamically loaded crypto devices?
> 
> 
> That's nice and clean.  I can put up a new patch to do this.  Alternatively,
> I could resubmit Geoff Thorpe's SSLCryptoDeviceCtrl patch.  This would make
> the above case uglier, but would be far more powerful, allowing arbitrary
> control commands to be sent to any openssl engines.
> 
> Is there a preference?

I think you're safe ignoring me, as I didn't know the big picture and was just 
looking to improve within a limited context.


Re: [PATCH] OpenSSL dynamic engines under 2.0.48

Posted by "Serge E. Hallyn" <se...@us.ibm.com>.
Jeff Trawick <tr...@attglobal.net> wrote:

> why not
> 
> SSLCryptoDevice ibmca /usr/local/lib/hw_ibmca.so
> 
> for dynamically loaded crypto devices?

That's nice and clean.  I can put up a new patch to do this.  Alternatively,
I could resubmit Geoff Thorpe's SSLCryptoDeviceCtrl patch.  This would make
the above case uglier, but would be far more powerful, allowing arbitrary
control commands to be sent to any openssl engines.

Is there a preference?

thanks,
-serge

STATUS (was [PATCH] OpenSSL dynamic engines under 2.0.48)

Posted by Geoff Thorpe <ge...@geoffthorpe.net>.
On February 17, 2004 04:21 pm, Sander Temme wrote:
> I haven't reviewed the above, but isn't a bunch of logic for using
> hardware crypto devices already in HEAD? This is up for backport at
> line 151 of the httpd-2.0 STATUS.

I took a quick look and you are maybe thinking of something else. If it's 
the "ENGINE_init()" versus SSL_EXPERIMENTAL_ENGINE stuff you're referring 
to, then that's more of an underlying autoconf-level issue.

However, I did notice something else - both the httpd-2.0 and httpd-2.1 
STATUS files seem to have this comment;

    * the shmcb code should just align its memory segment rather than
      jumping through all the "safe" memcpy and memset hoops

Could this please be removed, as it makes no sense. Anyone who has read 
and understood the internals would know why. There are certainly things 
that could be done to improve the code however (and I really should find 
time to do that), but the current comment is likely to lead someone to 
doing something very painful to themselves.

Cheers,
Geoff

-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/


Re: [PATCH] OpenSSL dynamic engines under 2.0.48

Posted by Sander Temme <sa...@temme.net>.
> Serge Hallyn wrote:
>> Hi,
>> 
>> We have a need to use a dynamic OpenSSL engine under apache.  The
>> attached patch (against 2.0.48) directs apache to accept ssl.conf
>> directives such as:
>> 
>> SSLCryptoDevice dynamic
>> SSLCryptoLibpath /usr/local/lib/hw_ibmca.so
>> SSLCryptoDevID ibmca
> 
> why not
> 
> SSLCryptoDevice ibmca /usr/local/lib/hw_ibmca.so
> 
> for dynamically loaded crypto devices?

I haven't reviewed the above, but isn't a bunch of logic for using hardware
crypto devices already in HEAD? This is up for backport at line 151 of the
httpd-2.0 STATUS. 

S.

-- 
sander@temme.net              http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF


Re: [PATCH] OpenSSL dynamic engines under 2.0.48

Posted by Jeff Trawick <tr...@attglobal.net>.
Serge Hallyn wrote:
> Hi,
> 
> We have a need to use a dynamic OpenSSL engine under apache.  The
> attached patch (against 2.0.48) directs apache to accept ssl.conf
> directives such as:
> 
> SSLCryptoDevice dynamic
> SSLCryptoLibpath /usr/local/lib/hw_ibmca.so
> SSLCryptoDevID ibmca

why not

SSLCryptoDevice ibmca /usr/local/lib/hw_ibmca.so

for dynamically loaded crypto devices?


Re: [PATCH] OpenSSL dynamic engines under 2.0.48

Posted by Kent E Yoder <yo...@us.ibm.com>.
Hi Geoff,

Geoff Thorpe <ge...@geoffthorpe.net> wrote on 17/02/2004 03:46:21 PM:

> As another example of where this can go, using HSM keys (or smart-cards,
> usb-keys, etc) via custom control commands could be entirely supported in
> this way - without needing to recompile openssl or apache. (An engine can
> expose control commands to identify and load private keys, and the
> private key file loaded by Apache could instead contain stub data
> interpreted by the engine implementation to refer to the HSM keys). It's
> a bit of an ugly hack, but it works. The point being; the only limit on

  I think ours is winning the "hack" contest at this point. :-)  Yours
would be considerably more flexible.  Has the control command patch been
explicitly rejected in the past?

> what you can do from the configuration file is what the engine
> implementation exposes in the way of control commands - neither apache
> nor openssl need to be adjusted for each feature.

  True, and this is mainly what we were shooting for.  Dynamic engines
can be compiled outside the openssl source, so there wouldn't need to be a
recompile of either openssl (since the openssl project isn't accepting
static engines any longer) or apache (once a dynamic engine patch is
accepted).  All you'd need to do is compile the engine.

> Note also that as of openssl 0.9.8, platforms that have DSO_METHOD support
> implemented will be able to automatically load shared-library engines
> without any of this. ENGINE_by_id("foo") will attempt to automatically
> load and bind libfoo.so (dlfcn), "foo.dll" (win32), [etc] from a specific
> sub-directory of the openssl installation if the "foo" ENGINE doesn't
> already exist. So if Apache doesn't want to go the route of generalised
> control commands, they could wait until 0.9.8 is out and then this basic
> use-case will be available transparently, without any change to what's
> there now.

  Would putting our patch inside #ifdef OPENSSL_VERSION < 0x00908000 be
more acceptable? (For either patch)...

Kent
 
> Cheers,
> Geoff
> 
> -- 
> Geoff Thorpe
> geoff@geoffthorpe.net
> http://www.geoffthorpe.net/
> 


Re: [PATCH] OpenSSL dynamic engines under 2.0.48

Posted by Geoff Thorpe <ge...@geoffthorpe.net>.
Hi there,

On February 17, 2004 03:26 pm, Serge Hallyn wrote:
> We have a need to use a dynamic OpenSSL engine under apache.  The
> attached patch (against 2.0.48) directs apache to accept ssl.conf
> directives such as:
>
> SSLCryptoDevice dynamic
> SSLCryptoLibpath /usr/local/lib/hw_ibmca.so
> SSLCryptoDevID ibmca
>
> directing openssl to load hw_ibmca.so dynamically as engine id ibmca.
>
> Is there a fundamental complaint against incorporation of this feature?

Not a fundamental one, but something more aesthetic, yeah :-) I wrote a 
patch ages ago (that hasn't been updated since) to add more generalised 
control-command support to Apache. That was for mod_ssl/apache-1.3 
though, so it has only illustrative value for now. You can link to the 
patch and the explanatory email down in the "news" section of;
   http://www.geoffthorpe.net/crypto/
(yes, another page that hasn't been updated in a while).

The idea of control-commands is more general than supplying a 
shared-library path or an ID, so I think it makes sense to add the more 
general mechanism if we are going to go this route at all. Eg. your above 
example would then be;

SSLCryptoDevice		dynamic
SSLCryptoDeviceCtrl	SO_PATH:/usr/local/lib/hw_ibmca.so
SSLCryptoDeviceCtrl	ID:ibmca

As another example of where this can go, using HSM keys (or smart-cards, 
usb-keys, etc) via custom control commands could be entirely supported in 
this way - without needing to recompile openssl or apache. (An engine can 
expose control commands to identify and load private keys, and the 
private key file loaded by Apache could instead contain stub data 
interpreted by the engine implementation to refer to the HSM keys). It's 
a bit of an ugly hack, but it works. The point being; the only limit on 
what you can do from the configuration file is what the engine 
implementation exposes in the way of control commands - neither apache 
nor openssl need to be adjusted for each feature.

Note also that as of openssl 0.9.8, platforms that have DSO_METHOD support 
implemented will be able to automatically load shared-library engines 
without any of this. ENGINE_by_id("foo") will attempt to automatically 
load and bind libfoo.so (dlfcn), "foo.dll" (win32), [etc] from a specific 
sub-directory of the openssl installation if the "foo" ENGINE doesn't 
already exist. So if Apache doesn't want to go the route of generalised 
control commands, they could wait until 0.9.8 is out and then this basic 
use-case will be available transparently, without any change to what's 
there now.

Cheers,
Geoff

-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/
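The following is an added illustration written for this archive page; it is not code from the thread, from httpd/mod_ssl, or from OpenSSL. It shows what the three directive styles proposed above (Serge's SSLCryptoDevice/SSLCryptoLibpath/SSLCryptoDevID, Jeff's two-argument SSLCryptoDevice, and Geoff's SSLCryptoDeviceCtrl) all boil down to: the ordered control-command sequence that OpenSSL's "dynamic" engine expects, which mod_ssl would obtain with ENGINE_by_id("dynamic") and then pass pair by pair to ENGINE_ctrl_cmd_string(e, cmd, arg, 0). It goes beyond the thread in two ways that are design choices of this example, not of any of the patches: it appends the "LOAD" command when the configuration omits it, and it refuses a SO_PATH that is relative or contains a ".." component, since that path is dlopen()ed straight into the httpd process. The directive names are taken from the thread; the sample configuration in main() is constructed here. No OpenSSL call is made, so it compiles without libssl.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CMDS 16
#define MAX_LEN  256

struct engine_cmd {
    char cmd[MAX_LEN];  /* "SO_PATH", "ID", "LOAD", or any engine-defined command */
    char arg[MAX_LEN];  /* "" for commands that take no argument */
};

struct engine_plan {
    char device[MAX_LEN];             /* value given to SSLCryptoDevice */
    struct engine_cmd cmds[MAX_CMDS]; /* in the order they would be sent */
    int ncmds;
    char error[MAX_LEN];              /* non-empty when a directive was rejected */
};

static int fail(struct engine_plan *pl, const char *msg)
{
    snprintf(pl->error, MAX_LEN, "%s", msg);
    return 0;
}

/* SO_PATH is dlopen()ed into httpd: require an absolute path without any
 * ".." component (example policy, not something the patches enforce). */
static int so_path_ok(const char *p)
{
    if (p[0] != '/')
        return 0;
    for (const char *s = p; (s = strstr(s, "..")) != NULL; s += 2) {
        int at_start = (s == p || s[-1] == '/');
        int at_end = (s[2] == '\0' || s[2] == '/');
        if (at_start && at_end)
            return 0;
    }
    return 1;
}

static int push_cmd(struct engine_plan *pl, const char *cmd, const char *arg)
{
    if (pl->ncmds >= MAX_CMDS)
        return fail(pl, "too many control commands");
    if (strcmp(cmd, "SO_PATH") == 0 && !so_path_ok(arg))
        return fail(pl, "SO_PATH must be absolute and free of '..'");
    snprintf(pl->cmds[pl->ncmds].cmd, MAX_LEN, "%s", cmd);
    snprintf(pl->cmds[pl->ncmds].arg, MAX_LEN, "%s", arg);
    pl->ncmds++;
    return 1;
}

/* One directive line. Accepted forms, all from the thread:
 *   SSLCryptoDevice dynamic | <builtin-id>
 *   SSLCryptoLibpath <path>  and  SSLCryptoDevID <id>   (Serge's patch)
 *   SSLCryptoDevice <id> <path>                         (Jeff's shorthand)
 *   SSLCryptoDeviceCtrl <CMD>[:<arg>]                   (Geoff's general form) */
static int parse_directive(struct engine_plan *pl, const char *line)
{
    char name[MAX_LEN], a1[MAX_LEN], a2[MAX_LEN];
    int n = sscanf(line, "%255s %255s %255s", name, a1, a2);
    if (n < 1 || name[0] == '#')
        return 1;                     /* blank line or comment */
    if (n < 2)
        return fail(pl, "directive needs an argument");
    if (strcmp(name, "SSLCryptoDevice") == 0) {
        if (n == 3) {                 /* shorthand: <id> <path> means dynamic */
            snprintf(pl->device, MAX_LEN, "dynamic");
            return push_cmd(pl, "SO_PATH", a2) && push_cmd(pl, "ID", a1);
        }
        snprintf(pl->device, MAX_LEN, "%s", a1);
        return 1;
    }
    if (strcmp(name, "SSLCryptoLibpath") == 0)
        return push_cmd(pl, "SO_PATH", a1);
    if (strcmp(name, "SSLCryptoDevID") == 0)
        return push_cmd(pl, "ID", a1);
    if (strcmp(name, "SSLCryptoDeviceCtrl") == 0) {
        char *colon = strchr(a1, ':');
        const char *arg = "";
        if (colon) { *colon = '\0'; arg = colon + 1; }
        if (a1[0] == '\0')
            return fail(pl, "empty control command");
        return push_cmd(pl, a1, arg);
    }
    return fail(pl, "unknown directive");
}

/* Parse a whole ssl.conf fragment. For the dynamic engine, SO_PATH and ID
 * only set parameters; "LOAD" does the dlopen, so append it when missing. */
int build_engine_plan(struct engine_plan *pl, const char *conf)
{
    char buf[MAX_LEN];
    memset(pl, 0, sizeof *pl);
    while (*conf) {
        size_t len = strcspn(conf, "\n");
        if (len >= MAX_LEN)
            return fail(pl, "line too long");
        memcpy(buf, conf, len);
        buf[len] = '\0';
        if (!parse_directive(pl, buf))
            return 0;
        conf += len + (conf[len] == '\n');
    }
    if (strcmp(pl->device, "dynamic") == 0 &&
        (pl->ncmds == 0 || strcmp(pl->cmds[pl->ncmds - 1].cmd, "LOAD") != 0))
        return push_cmd(pl, "LOAD", "");
    return 1;
}

/* True when the fragment resolves to exactly SO_PATH/ID/LOAD for ibmca. */
int resolves_to_ibmca(const char *conf)
{
    struct engine_plan pl;
    if (!build_engine_plan(&pl, conf) || strcmp(pl.device, "dynamic") != 0 || pl.ncmds != 3)
        return 0;
    return strcmp(pl.cmds[0].cmd, "SO_PATH") == 0
        && strcmp(pl.cmds[0].arg, "/usr/local/lib/hw_ibmca.so") == 0
        && strcmp(pl.cmds[1].cmd, "ID") == 0 && strcmp(pl.cmds[1].arg, "ibmca") == 0
        && strcmp(pl.cmds[2].cmd, "LOAD") == 0 && pl.cmds[2].arg[0] == '\0';
}

int main(void)
{
    /* constructed sample in Geoff's form; tabs as in his message */
    const char *conf = "SSLCryptoDevice\tdynamic\n"
                       "SSLCryptoDeviceCtrl\tSO_PATH:/usr/local/lib/hw_ibmca.so\n"
                       "SSLCryptoDeviceCtrl\tID:ibmca\n";
    struct engine_plan pl;
    if (!build_engine_plan(&pl, conf)) {
        printf("rejected: %s\n", pl.error);
        return 1;
    }
    printf("ENGINE_by_id(\"%s\")\n", pl.device);
    for (int i = 0; i < pl.ncmds; i++)
        printf("ENGINE_ctrl_cmd_string(e, \"%s\", \"%s\", 0)\n", pl.cmds[i].cmd, pl.cmds[i].arg);
    return 0;
}
```

The point of feeding the same plan builder all three syntaxes is that the configuration surface differs while the engine-side sequence does not, which is Geoff's argument for the general SSLCryptoDeviceCtrl form: any further engine-specific command (for instance whatever an HSM engine exposes for key selection) is just another pair in the list, with no change to the parser.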