5 files changed, 56 insertions, 13 deletions
diff --git a/ChangeLog b/ChangeLog
index 67369376f..2c0bd1e9d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+20060220
+ - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}]
+   Add optional enabling of OpenSSL's (hardware) Engine support, via
+   configure --with-ssl-engine.  Based in part on a diff by michal at
+   logix.cz.
 20060219
 - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/]
   Add first attempt at regress tests for compat library.  ok djm@
@@ -3863,4 +3869,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4130 2006/02/19 11:50:20 dtucker Exp $
+$Id: ChangeLog,v 1.4131 2006/02/20 09:17:35 dtucker Exp $
diff --git a/INSTALL b/INSTALL
index 753d2d061..38f39473f 100644
--- a/INSTALL
+++ b/INSTALL
@@ -165,6 +165,8 @@ created.
 --with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
 are installed.
+--with-ssl-engine enables OpenSSL's (hardware) ENGINE support
 --with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
 real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
@@ -225,4 +227,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
-$Id: INSTALL,v 1.70 2005/04/24 07:52:23 dtucker Exp $
+$Id: INSTALL,v 1.71 2006/02/20 09:17:36 dtucker Exp $
diff --git a/configure.ac b/configure.ac
index c4feaf752..eb24fa00e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.330 2006/02/19 11:50:20 dtucker Exp $
+# $Id: configure.ac,v 1.331 2006/02/20 09:17:36 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.330 $)
+AC_REVISION($Revision: 1.331 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_CONFIG_HEADER(config.h)
@@ -1834,6 +1834,24 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.])
        ]
 )
+AC_ARG_WITH(ssl-engine,
+        [  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
+        [ if test "x$withval" != "xno" ; then
+                AC_MSG_CHECKING(for OpenSSL ENGINE support)
+                AC_TRY_COMPILE(
+                        [ #include <openssl/engine.h>],
+                        [
+int main(void){ENGINE_load_builtin_engines();ENGINE_register_all_complete();}
+                        ],
+                        [ AC_MSG_RESULT(yes)
+                          AC_DEFINE(USE_OPENSSL_ENGINE, 1,
+                             [Enable OpenSSL engine support])
+                        ],
+                        [ AC_MSG_ERROR(OpenSSL ENGINE support not found)]
+                )
+          fi ]
+)
 # Check for OpenSSL without EVP_aes_{192,256}_cbc
 AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
 AC_COMPILE_IFELSE(
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index b690e8fe6..763f84734 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.c,v 1.2 2005/06/17 11:15:21 dtucker Exp $ */
+/* $Id: openssl-compat.c,v 1.3 2006/02/20 09:17:36 dtucker Exp $ */
 /*
 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -18,7 +18,11 @@
 #include "includes.h"
-#define SSH_DONT_REDEF_EVP
+#ifdef USE_OPENSSL_ENGINE
+# include <openssl/engine.h>
+#endif
+#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 #include "openssl-compat.h"
 #ifdef SSH_OLD_EVP
@@ -44,3 +48,15 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
        return 1;
 }
 #endif
+void
+ssh_SSLeay_add_all_algorithms(void)
+{
+        SSLeay_add_all_algorithms();
+#ifdef  USE_OPENSSL_ENGINE
+        /* Enable use of crypto hardware */
+        ENGINE_load_builtin_engines();
+        ENGINE_register_all_complete();
+#endif
+}
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 8a015ec43..1196d71ea 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.4 2006/02/20 09:17:36 dtucker Exp $ */
 /*
 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -54,21 +54,22 @@ extern const EVP_CIPHER *evp_acss(void);
 * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
 * implement the ssh_* equivalents.
 */
-#ifdef SSH_OLD_EVP
+#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
-# ifndef SSH_DONT_REDEF_EVP
+# ifdef SSH_OLD_EVP
 #  ifdef EVP_Cipher
 #   undef EVP_Cipher
 #  endif
 #  define EVP_CipherInit(a,b,c,d,e)     ssh_EVP_CipherInit((a),(b),(c),(d),(e))
 #  define EVP_Cipher(a,b,c,d)           ssh_EVP_Cipher((a),(b),(c),(d))
 #  define EVP_CIPHER_CTX_cleanup(a)     ssh_EVP_CIPHER_CTX_cleanup((a))
-# endif
+# endif /* SSH_OLD_EVP */
+# define SSLeay_add_all_algorithms()    ssh_SSLeay_add_all_algorithms()
+void ssh_SSLeay_add_all_algorithms(void);
 int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
    unsigned char *, int);
 int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
 int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
-#endif
+#endif  /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */