lib-dcrypt: Allow specifying crypto_device (OpenSSL engine).

src/lib-dcrypt/dcrypt-openssl.c

@@ -134,6 +134,16 @@ bool dcrypt_openssl_error(const char **error_r)
 	return FALSE;
 }
 
+static
+bool dcrypt_openssl_initialize(const struct dcrypt_settings *set, const char **error_r)
+{
+	if (set->crypto_device != NULL && set->crypto_device[0] != '\0') {
+		if (dovecot_openssl_common_global_set_engine(set->crypto_device, error_r) <= 0)
+			return FALSE;
+	}
+	return TRUE;
+}
+
 /* legacy function for old formats that generates
    hex encoded point from EC public key
  */
@@ -2006,6 +2016,7 @@ bool dcrypt_openssl_private_key_id(struct dcrypt_private_key *key, const char *a
 
 
 static struct dcrypt_vfs dcrypt_openssl_vfs = {
+	.initialize = dcrypt_openssl_initialize,
 	.ctx_sym_create = dcrypt_openssl_ctx_sym_create,
 	.ctx_sym_destroy = dcrypt_openssl_ctx_sym_destroy,
 	.ctx_sym_set_key = dcrypt_openssl_ctx_sym_set_key,

src/lib-dcrypt/dcrypt-private.h

@@ -9,6 +9,8 @@
 #define DCRYPT_DOVECOT_KEY_ENCRYPT_PASSWORD 2
 
 struct dcrypt_vfs {
+	bool (*initialize)(const struct dcrypt_settings *set, const char **error_r);
+
 	bool (*ctx_sym_create)(const char *algorithm,
 		enum dcrypt_sym_mode mode,
 		struct dcrypt_context_symmetric **ctx_r, const char **error_r);

src/lib-dcrypt/dcrypt.c

@@ -5,8 +5,9 @@
 
 static struct module *dcrypt_module = NULL;
 static struct dcrypt_vfs *dcrypt_vfs = NULL;
+static const struct dcrypt_settings dcrypt_default_set;
 
-bool dcrypt_initialize(const char *backend, const char **error_r)
+bool dcrypt_initialize(const char *backend, const struct dcrypt_settings *set, const char **error_r)
 {
 	struct module_dir_load_settings mod_set;
 	const char *error;
@@ -15,6 +16,8 @@ bool dcrypt_initialize(const char *backend, const char **error_r)
 		return TRUE;
 	}
 	if (backend == NULL) backend = "openssl"; /* default for now */
+	if (set == NULL)
+		set = &dcrypt_default_set;
 
 	const char *implementation = t_strconcat("dcrypt_",backend,NULL);
 
@@ -29,6 +32,12 @@ bool dcrypt_initialize(const char *backend, const char **error_r)
 	}
 	module_dir_init(dcrypt_module);
 	i_assert(dcrypt_vfs != NULL);
+	if (dcrypt_vfs->initialize != NULL) {
+		if (!dcrypt_vfs->initialize(set, error_r)) {
+			dcrypt_deinitialize();
+			return FALSE;
+		}
+	}
 	/* Destroy SSL module after(most of) the others. Especially lib-fs
 	   backends may still want to access SSL module in their own
 	   atexit-callbacks. */
@@ -39,6 +48,7 @@ bool dcrypt_initialize(const char *backend, const char **error_r)
 void dcrypt_deinitialize(void)
 {
 	module_dir_unload(&dcrypt_module);
+	dcrypt_vfs = NULL;
 }
 
 void dcrypt_set_vfs(struct dcrypt_vfs *vfs)

src/lib-dcrypt/dcrypt.h

@@ -49,10 +49,15 @@ enum dcrypt_key_kind {
 	DCRYPT_KEY_KIND_PRIVATE
 };
 
+struct dcrypt_settings {
+	/* OpenSSL engine to use */
+	const char *crypto_device;
+};
+
 /**
  * load and initialize dcrypt backend, use either openssl or gnutls
  */
-bool dcrypt_initialize(const char *backend, const char **error_r);
+bool dcrypt_initialize(const char *backend, const struct dcrypt_settings *set, const char **error_r);
 
 /**
  * deinitialize dcrypt

src/lib-dcrypt/test-crypto.c

@@ -308,7 +308,7 @@ void test_load_v2_public_key(void)
 }
 
 int main(void) {
-	dcrypt_initialize("openssl", NULL);
+	dcrypt_initialize("openssl", NULL, NULL);
 	random_init();
 	static void (*test_functions[])(void) = {
 		test_cipher_test_vectors,

src/lib-dcrypt/test-stream.c

@@ -217,7 +217,7 @@ void test_write_read_v2(void)
 }
 
 int main(void) {
-	dcrypt_initialize("openssl", NULL);
+	dcrypt_initialize("openssl", NULL, NULL);
 	random_init();
 
 	dcrypt_key_load_private(&test_v1_kp.priv, DCRYPT_FORMAT_PEM, key_v1_priv, NULL, NULL, NULL);