cvs commit: src/crypto/openssl/crypto/engine eng_cryptodev.c

Sam Leffler sam at errno.com
Sun Jan 13 16:05:41 PST 2008


Simon L. Nielsen wrote:
> On 2008.01.13 11:01:46 -0800, Sam Leffler wrote:
>   
>> Simon L. Nielsen wrote:
>>     
>>> On 2008.01.13 11:44:47 +0000, Simon L. Nielsen wrote:
>>>   
>>>       
>>>> simon       2008-01-13 11:44:47 UTC
>>>>
>>>>   FreeBSD src repository
>>>>
>>>>   Modified files:
>>>>     crypto/openssl/crypto/engine eng_cryptodev.c
>>>>   Log:
>>>>   Unbreak detection of cryptodev support for FreeBSD which was broken
>>>>   with OpenSSL 0.9.8 import.
>>>>
>>>>   Note that this does not enable cryptodev by default, as it was the
>>>>   case with OpenSSL 0.9.7 in FreeBSD base, but this change makes it
>>>>   possible to enable cryptodev at all.
>>>>
>>> With this change it is possible to enable cryptodev by default for
>>> openssl(1) with lines like below in etc/ssl/openssl.cnf.
>>> Unfortunately openssh does not call the functions to read the config
>>> file so it's not possible to enable cryptodev in openssh in a similar
>>> fashion. I have yet to figure out how to support cryptodev by default
>>> cleanly...
>>>       
> [...]
>   
>> I gave you a patch to make cryptodev the default (if present) w/o modifying 
>> openssl.cnf.  That is how things used to work in freebsd and how things 
>> work on systems like openbsd.  Was there a problem w/ it?
>>     
>
> I'm not certain that is the correct way and that it won't have any
> other side-effects.  I should have found some OpenSSL people to bug
> about this, but I haven't gotten around to doing that yet.
>   

Ok, I thought you were going to do that before this commit; hence my 
question.

> Part of what worries me some, is that I can't find out why OpenSSL
> stopped just using cryptodev by default, neither in docs nor in the
> code.
>   

I would expect openssl folks had no clue they broke it because openbsd 
doesn't track their code (in this area at least).  The only worry I have 
about my change is if it makes it impossible to override its use (e.g. 
via openssl.cnf).  If you can override the default then I can see 
nothing wrong w/ the change and it will "fix ssh".

    Sam


