dovecot-2.1: lib-ssl-iostream: Added crypto_device setting to se...
dovecot at dovecot.org
dovecot at dovecot.org
Thu Nov 24 01:53:12 EET 2011
details: http://hg.dovecot.org/dovecot-2.1/rev/e56409d9615c
changeset: 13774:e56409d9615c
user: Timo Sirainen <tss at iki.fi>
date: Thu Nov 24 01:49:58 2011 +0200
description:
lib-ssl-iostream: Added crypto_device setting to set OpenSSL engine.
Multiple engines aren't supported, so the first crypto_device value gets
used for all SSL connections.
diffstat:
src/lib-ssl-iostream/iostream-openssl-context.c | 27 +++++++++++++++++++++---
src/lib-ssl-iostream/iostream-ssl.h | 1 +
2 files changed, 24 insertions(+), 4 deletions(-)
diffs (87 lines):
diff -r 9a474b7934c9 -r e56409d9615c src/lib-ssl-iostream/iostream-openssl-context.c
--- a/src/lib-ssl-iostream/iostream-openssl-context.c Thu Nov 24 01:49:40 2011 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c Thu Nov 24 01:49:58 2011 +0200
@@ -6,6 +6,7 @@
#include <openssl/crypto.h>
#include <openssl/x509.h>
+#include <openssl/engine.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
@@ -17,9 +18,10 @@
};
static bool ssl_global_initialized = FALSE;
+static ENGINE *ssl_iostream_engine;
int dovecot_ssl_extdata_index;
-static void ssl_iostream_init_global(void);
+static void ssl_iostream_init_global(const struct ssl_iostream_settings *set);
const char *ssl_iostream_error(void)
{
@@ -369,7 +371,7 @@
struct ssl_iostream_context *ctx;
SSL_CTX *ssl_ctx;
- ssl_iostream_init_global();
+ ssl_iostream_init_global(set);
if ((ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
i_error("SSL_CTX_new() failed: %s", ssl_iostream_error());
return -1;
@@ -393,7 +395,7 @@
struct ssl_iostream_context *ctx;
SSL_CTX *ssl_ctx;
- ssl_iostream_init_global();
+ ssl_iostream_init_global(set);
if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
i_error("SSL_CTX_new() failed: %s", ssl_iostream_error());
return -1;
@@ -422,11 +424,14 @@
static void ssl_iostream_deinit_global(void)
{
+ if (ssl_iostream_engine != NULL)
+ ENGINE_finish(ssl_iostream_engine);
+ ENGINE_cleanup();
EVP_cleanup();
ERR_free_strings();
}
-static void ssl_iostream_init_global(void)
+static void ssl_iostream_init_global(const struct ssl_iostream_settings *set)
{
static char dovecot[] = "dovecot";
unsigned char buf;
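Review bot: ssl_iostream_deinit_global() releases only the functional reference with ENGINE_finish(); the structural reference taken by ENGINE_by_id() in ssl_iostream_init_global() is never released with ENGINE_free(), and ssl_iostream_engine is left pointing at a freed object once ENGINE_cleanup() has run. Inside the NULL check I would write `ENGINE_finish(ssl_iostream_engine); ENGINE_free(ssl_iostream_engine); ssl_iostream_engine = NULL;` so a second deinit (or any later use) cannot touch stale state. The body of ssl_iostream_init_global() continues past the end of this hunk.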
@@ -448,4 +453,18 @@
the first try, so this function may fail. It's still been
initialized though. */
(void)RAND_bytes(&buf, 1);
+
+ if (set->crypto_device != NULL && *set->crypto_device != '\0') {
+ ENGINE_load_builtin_engines();
+ ssl_iostream_engine = ENGINE_by_id(set->crypto_device);
+ if (ssl_iostream_engine == NULL) {
+ i_error("Unknown ssl_crypto_device: %s",
+ set->crypto_device);
+ } else {
+ ENGINE_init(ssl_iostream_engine);
+ ENGINE_set_default_RSA(ssl_iostream_engine);
+ ENGINE_set_default_DSA(ssl_iostream_engine);
+ ENGINE_set_default_ciphers(ssl_iostream_engine);
+ }
+ }
}
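Review bot: The return value of `ENGINE_init(ssl_iostream_engine);` is not checked, so a device whose id resolves but fails to initialize (hardware absent, wrong permissions) is still installed as the default RSA/DSA/cipher provider and is later passed to ENGINE_finish() in ssl_iostream_deinit_global() without ever having acquired a functional reference. The three ENGINE_set_default_* calls are likewise unchecked, so a partially applied engine goes unreported and the operator cannot tell whether the configured device is actually in use. I would log and drop the engine on failure, releasing the structural reference from ENGINE_by_id() with ENGINE_free(), as below. ssl_iostream_init_global() starts outside this hunk; whether a differing crypto_device on a later context is silently ignored depends on the ssl_global_initialized early return, which is not visible here.
```c
		if (ssl_iostream_engine == NULL) {
			i_error("Unknown ssl_crypto_device: %s",
				set->crypto_device);
		} else if (ENGINE_init(ssl_iostream_engine) == 0) {
			i_error("ENGINE_init(%s) failed: %s",
				set->crypto_device, ssl_iostream_error());
			ENGINE_free(ssl_iostream_engine);
			ssl_iostream_engine = NULL;
		} else {
			if (ENGINE_set_default_RSA(ssl_iostream_engine) == 0 ||
			    ENGINE_set_default_DSA(ssl_iostream_engine) == 0 ||
			    ENGINE_set_default_ciphers(ssl_iostream_engine) == 0) {
				i_error("ENGINE_set_default() failed for %s: %s",
					set->crypto_device, ssl_iostream_error());
			}
		}
```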
diff -r 9a474b7934c9 -r e56409d9615c src/lib-ssl-iostream/iostream-ssl.h
--- a/src/lib-ssl-iostream/iostream-ssl.h Thu Nov 24 01:49:40 2011 +0200
+++ b/src/lib-ssl-iostream/iostream-ssl.h Thu Nov 24 01:49:58 2011 +0200
@@ -11,6 +11,7 @@
const char *key;
const char *key_password;
const char *cert_username_field;
+ const char *crypto_device;
bool verbose, verbose_invalid_cert;
bool verify_remote_cert;