[Dovecot] Solaris hardware crypto engines
Martin Preen
preen at informatik.uni-freiburg.de
Mon Nov 21 11:18:02 EET 2011
Hello,
after several tests (and reading a lot of howtos) I'm now fairly convinced
that the Solaris HW crypto engine is not automatically used, even when Dovecot
is compiled with the OpenSSL version provided by Solaris.
Currently I have only a T1 CPU available for testing (Sun Fire T2000), and
after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
ENGINE *e;
ENGINE_load_builtin_engines();   /* loads the engines built into libcrypto, incl. Solaris pkcs11 */
e = ENGINE_by_id("pkcs11");
ENGINE_init(e);
ENGINE_set_default_RSA(e);       /* handshake key operations */
ENGINE_set_default_DSA(e);
ENGINE_set_default_ciphers(e);   /* bulk ciphers */
in ssl_proxy_init(), and inserting ENGINE_cleanup(); in ssl_proxy_deinit(),
the crypto device gets used. I'm sure that this is not the whole story since
this only seems to affect the IMAP login.
One has to use the specific SSL engine and the ENGINE/EVP calls (as stated in
the various articles). Is there any chance that Dovecot gets updated/patched
for this? E.g. like the SSLCryptoDevice setting in Apache's mod_ssl.
Regards.
Martin
Chris Hoogendyk wrote:
>
> On 4/18/11 6:30 AM, Martin Preen wrote:
>> Hello,
>> I tried to find out how to use the hardware crypto engines under
>> Solaris (Sun Fire T2000). It seems that it's not just a compilation
>> issue:
>>
>>> For operations that are to be offloaded, it is necessary to restrict
>>> use to a subset of OpenSSL functions (the EVP_ functions) and explicitly
>>> indicate the use of the PKCS11 engine; something like the following works
>>> for bulk ciphers (the process for RSA is similar):
>>>
>>> ENGINE *e;
>>> EVP_CIPHER_CTX ctx;
>>> ENGINE_load_builtin_engines();
>>> e = ENGINE_by_id("pkcs11");
>>> ENGINE_set_default_ciphers(e);
>>> EVP_CIPHER_CTX_init (&ctx);
>>> EVP_EncryptInit (&ctx, EVP_des_cbc (), key, iv);
>>> EVP_EncryptUpdate (.....);
>>
>> Since I'm not familiar with SSL programming, I wonder if it's possible to
>> modify the dovecot 1.2.x source code. Maybe someone has already tried this
>> or can give me a hint.
>
> You don't want to do that.
>
> The objective is for the ssl engine to be low level and basically
> invisible to layers of application above that use it. So, build openssl
> properly and it just works for everything else.
>
> I'm not at work today, so I don't have reference to my notes. Ah, just
> found an email I sent to my colleagues -- copied it below.
---------------------------------------------------------------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum EG-006, 79110 Freiburg, Germany
phone: ++49 761 203-8250 preen at informatik.uni-freiburg.de
fax: ++49 761 203-8242 swt.informatik.uni-freiburg.de/~preen
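The message above reports that after the patch "the crypto device gets used" but does not show how that was verified. The script below is an added example, not code from the thread or from Dovecot: it takes a kstat snapshot of the Solaris kernel crypto provider, performs one TLS handshake against the IMAPS port, takes a second snapshot and reports whether the provider's RSA counters advanced. Assumptions (marked in the code): on a T1-based T2000 the provider module is `ncp` (the MAU driver, which accelerates RSA/DSA/DH only; bulk-cipher offload is the `n2cp` module on T2 and later), and it exposes `rsaprivate` and `rsapublic` statistics in `kstat -p` form. Confirm the real module and counter names with `kstat -m ncp` on the box before relying on them. The snapshot strings at the bottom are constructed sample output so the logic can be exercised off a Solaris machine.

```shell
#!/bin/sh
# Added example (not from the Dovecot thread or source): detect hardware
# crypto use on Solaris by diffing kernel crypto provider kstat counters
# around a single TLS handshake.
#
# ASSUMPTIONS: provider module "ncp" (T1/T2 MAU driver) with kstat
# statistics "rsaprivate" and "rsapublic". Check with: kstat -m ncp

# snapshot [MODULE]: counters in `kstat -p` form, one per line:
#   module:instance:name:statistic<TAB>value
snapshot() {
  kstat -p -m "${1:-ncp}" 2>/dev/null
}

# sum_stat SNAPSHOT STAT: sum STAT over all instances in SNAPSHOT (0 if absent)
sum_stat() {
  printf '%s\n' "$1" | awk -v s="$2" '
    { n = split($1, f, ":"); if (f[n] == s) total += $2 }
    END { printf "%d\n", total + 0 }'
}

# count_delta BEFORE AFTER STAT: how much STAT advanced between snapshots
count_delta() {
  b=$(sum_stat "$1" "$3")
  a=$(sum_stat "$2" "$3")
  echo $((a - b))
}

# hw_used BEFORE AFTER: "yes" if any RSA operation was done by the provider.
# rsaprivate is the server's private-key operation in the handshake, so it
# isolates the server side even when the client runs on the same host.
hw_used() {
  priv=$(count_delta "$1" "$2" rsaprivate)
  pub=$(count_delta "$1" "$2" rsapublic)
  [ $((priv + pub)) -gt 0 ] && echo yes || echo no
}

# measure_handshake HOST [PORT] [MODULE]: one IMAPS handshake against HOST,
# then report whether the kernel provider did the RSA work. Returns 2 if
# kstat is missing (not a Solaris host).
measure_handshake() {
  host="$1"; port="${2:-993}"; mod="${3:-ncp}"
  command -v kstat >/dev/null 2>&1 || { echo "kstat not found" >&2; return 2; }
  before=$(snapshot "$mod")
  openssl s_client -connect "$host:$port" </dev/null >/dev/null 2>&1
  after=$(snapshot "$mod")
  hw_used "$before" "$after"
}

# Constructed sample snapshots (not real machine output): one handshake
# moved rsaprivate from 100 to 101, rsapublic unchanged.
SAMPLE_BEFORE=$(printf 'ncp:0:ncp0:crtime\t123.4\nncp:0:ncp0:rsaprivate\t100\nncp:0:ncp0:rsapublic\t40\n')
SAMPLE_AFTER=$(printf 'ncp:0:ncp0:crtime\t123.4\nncp:0:ncp0:rsaprivate\t101\nncp:0:ncp0:rsapublic\t40\n')

# Offline demonstration; on the T2000 itself use: measure_handshake localhost 993
hw_used "$SAMPLE_BEFORE" "$SAMPLE_AFTER"   # prints yes
```

Two quicker checks complement this. `openssl engine -t -c pkcs11` confirms the engine loads and lists what it claims to accelerate, and `openssl speed -engine pkcs11 rsa2048` compared with a plain `openssl speed rsa2048` shows whether the engine is actually faster for the key operations. The kstat delta is the only one of the three that tells you whether a given server process (here the login process) is really sending work to the hardware.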