return FALSE;
}
+static
+bool dcrypt_openssl_initialize(const struct dcrypt_settings *set, const char **error_r)
+{
+ if (set->crypto_device != NULL && set->crypto_device[0] != '\0') {
+ if (dovecot_openssl_common_global_set_engine(set->crypto_device, error_r) <= 0)
+ return FALSE;
+ }
+ return TRUE;
+}
+
/* legacy function for old formats that generates
hex encoded point from EC public key
*/
static struct dcrypt_vfs dcrypt_openssl_vfs = {
+ .initialize = dcrypt_openssl_initialize,
.ctx_sym_create = dcrypt_openssl_ctx_sym_create,
.ctx_sym_destroy = dcrypt_openssl_ctx_sym_destroy,
.ctx_sym_set_key = dcrypt_openssl_ctx_sym_set_key,
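Review bot: `dcrypt_openssl_initialize` folds every non-positive result of `dovecot_openssl_common_global_set_engine` into one FALSE with `<= 0`, so if that helper distinguishes "engine unknown" from "engine failed to initialize" (its body is not in this diff), the distinction is lost, which only matters if `*error_r` is set on just one of those paths. A short header comment would make the contract explicit, e.g. `/* Backend hook for dcrypt_initialize(): a NULL or empty crypto_device keeps the default OpenSSL implementation; otherwise the named engine is selected and any non-positive result is reported as failure via error_r. */`. `set` is also dereferenced without a NULL check, which is correct only because dcrypt.c substitutes a default settings struct first; that assumption belongs in the struct dcrypt_vfs documentation rather than being implicit here.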
#define DCRYPT_DOVECOT_KEY_ENCRYPT_PASSWORD 2
struct dcrypt_vfs {
+ bool (*initialize)(const struct dcrypt_settings *set, const char **error_r);
+
bool (*ctx_sym_create)(const char *algorithm,
enum dcrypt_sym_mode mode,
struct dcrypt_context_symmetric **ctx_r, const char **error_r);
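Review bot: The new `initialize` member has no comment, and the contract dcrypt.c relies on is not recoverable from the type alone: the pointer may be NULL (dcrypt.c skips it in that case), `set` is never NULL when it is called because dcrypt.c substitutes a default settings struct, and a FALSE return makes dcrypt_initialize() unload the backend again. Suggested comment above the member: `/* Optional. Called once after the backend module is loaded, with set never NULL; return FALSE (with *error_r set) to abort, which unloads the backend. */`. Whether every backend sets `*error_r` on failure cannot be checked from this diff, so the comment should state it as a requirement on implementations.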
static struct module *dcrypt_module = NULL;
static struct dcrypt_vfs *dcrypt_vfs = NULL;
+static const struct dcrypt_settings dcrypt_default_set;
-bool dcrypt_initialize(const char *backend, const char **error_r)
+bool dcrypt_initialize(const char *backend, const struct dcrypt_settings *set, const char **error_r)
{
struct module_dir_load_settings mod_set;
const char *error;
return TRUE;
}
if (backend == NULL) backend = "openssl"; /* default for now */
+ if (set == NULL)
+ set = &dcrypt_default_set;
const char *implementation = t_strconcat("dcrypt_",backend,NULL);
}
module_dir_init(dcrypt_module);
i_assert(dcrypt_vfs != NULL);
+ if (dcrypt_vfs->initialize != NULL) {
+ if (!dcrypt_vfs->initialize(set, error_r)) {
+ dcrypt_deinitialize();
+ return FALSE;
+ }
+ }
/* Destroy SSL module after(most of) the others. Especially lib-fs
backends may still want to access SSL module in their own
atexit-callbacks. */
void dcrypt_deinitialize(void)
{
module_dir_unload(&dcrypt_module);
+ dcrypt_vfs = NULL;
}
void dcrypt_set_vfs(struct dcrypt_vfs *vfs)
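Review bot: `error_r` is handed straight through to `dcrypt_vfs->initialize(set, error_r)` although dcrypt_initialize() accepts a NULL `error_r` (both updated test mains pass NULL), so a backend that writes `*error_r` unconditionally on failure would dereference NULL; the OpenSSL backend forwards the pointer to dovecot_openssl_common_global_set_engine, whose handling of a NULL `error_r` is not visible here. The existing `const char *error` local from the module-load path is the natural fix: declare it as `const char *error = NULL;`, call `if (!dcrypt_vfs->initialize(set, &error)) {`, and add `if (error_r != NULL) *error_r = error;` before the `dcrypt_deinitialize();` call, so a backend that fails without setting it does not hand back an indeterminate pointer. Separately, the early `return TRUE;` above the `if (backend == NULL)` line (its condition is outside the hunk, presumably the already-initialized check) means a second caller supplying a different `set` gets TRUE without its settings ever reaching `initialize`; that silent ignore deserves at least a comment at the early return. dcrypt_initialize() begins and ends outside the visible hunks.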
DCRYPT_KEY_KIND_PRIVATE
};
+struct dcrypt_settings {
+ /* OpenSSL engine to use */
+ const char *crypto_device;
+};
+
/**
* load and initialize dcrypt backend, use either openssl or gnutls
*/
-bool dcrypt_initialize(const char *backend, const char **error_r);
+bool dcrypt_initialize(const char *backend, const struct dcrypt_settings *set, const char **error_r);
/**
* deinitialize dcrypt
}
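Review bot: The doc comment on `dcrypt_initialize()` is not updated for the new `set` parameter, so callers cannot tell whether NULL is accepted or whether the struct must stay alive after the call. Suggested addition to the comment block: `* set may be NULL to use defaults; it is only read during this call` — the NULL substitution is visible in dcrypt.c, while the no-retention claim holds for the OpenSSL backend in this commit and should be stated as the contract for future backends. The `crypto_device` field comment should also say what an absent value means, e.g. `/* OpenSSL engine to use; NULL or "" selects no engine */`, matching the check the OpenSSL backend performs.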
int main(void) {
- dcrypt_initialize("openssl", NULL);
+ dcrypt_initialize("openssl", NULL, NULL);
random_init();
static void (*test_functions[])(void) = {
test_cipher_test_vectors,
}
int main(void) {
- dcrypt_initialize("openssl", NULL);
+ dcrypt_initialize("openssl", NULL, NULL);
random_init();
dcrypt_key_load_private(&test_v1_kp.priv, DCRYPT_FORMAT_PEM, key_v1_priv, NULL, NULL, NULL);