diff --git a/src/lib-dcrypt/dcrypt-openssl.c b/src/lib-dcrypt/dcrypt-openssl.c index e7cfbb5374..67baf713cf 100644 --- a/src/lib-dcrypt/dcrypt-openssl.c +++ b/src/lib-dcrypt/dcrypt-openssl.c @@ -134,6 +134,16 @@ bool dcrypt_openssl_error(const char **error_r) return FALSE; } +static +bool dcrypt_openssl_initialize(const struct dcrypt_settings *set, const char **error_r) +{ + if (set->crypto_device != NULL && set->crypto_device[0] != '\0') { + if (dovecot_openssl_common_global_set_engine(set->crypto_device, error_r) <= 0) + return FALSE; + } + return TRUE; +} + /* legacy function for old formats that generates hex encoded point from EC public key */ @@ -2006,6 +2016,7 @@ bool dcrypt_openssl_private_key_id(struct dcrypt_private_key *key, const char *a static struct dcrypt_vfs dcrypt_openssl_vfs = { + .initialize = dcrypt_openssl_initialize, .ctx_sym_create = dcrypt_openssl_ctx_sym_create, .ctx_sym_destroy = dcrypt_openssl_ctx_sym_destroy, .ctx_sym_set_key = dcrypt_openssl_ctx_sym_set_key, diff --git a/src/lib-dcrypt/dcrypt-private.h b/src/lib-dcrypt/dcrypt-private.h index 523b03b0cb..c8d1e121e9 100644 --- a/src/lib-dcrypt/dcrypt-private.h +++ b/src/lib-dcrypt/dcrypt-private.h @@ -9,6 +9,8 @@ #define DCRYPT_DOVECOT_KEY_ENCRYPT_PASSWORD 2 struct dcrypt_vfs { + bool (*initialize)(const struct dcrypt_settings *set, const char **error_r); + bool (*ctx_sym_create)(const char *algorithm, enum dcrypt_sym_mode mode, struct dcrypt_context_symmetric **ctx_r, const char **error_r); diff --git a/src/lib-dcrypt/dcrypt.c b/src/lib-dcrypt/dcrypt.c index fa5b427515..76468991fe 100644 --- a/src/lib-dcrypt/dcrypt.c +++ b/src/lib-dcrypt/dcrypt.c 
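Review bot: `dcrypt_openssl_initialize` (the `@@ -134` hunk) dereferences `set` without stating that contract; the only caller visible in this patch, `dcrypt_initialize` in dcrypt.c, substitutes `dcrypt_default_set` for a NULL argument, so it is safe today, but the assumption should be made explicit with `i_assert(set != NULL);` as the first statement, matching the `i_assert` style dcrypt.c already uses. The function also lacks a header comment; I would add `/* Backend hook called once from dcrypt_initialize(). Loads the OpenSSL engine named by set->crypto_device; NULL or "" means no engine. */`. Since a configurable engine name presumably makes OpenSSL load code by that name, the comment should also say that crypto_device must come from trusted administrator configuration only. The `<= 0` test relies on `dovecot_openssl_common_global_set_engine` returning a positive value on success and filling `*error_r` on failure, neither of which is visible here; confirm and document both.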
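Review bot: The new `initialize` slot in `struct dcrypt_vfs` (dcrypt-private.h hunk) is undocumented, and since dcrypt.c only invokes it when non-NULL, a backend author cannot tell from the header that it is optional. Add above it: `/* Optional. Called once by dcrypt_initialize() right after the backend module is loaded, with a non-NULL set. Return FALSE (and set *error_r) to abort; the module is then unloaded. */`. The slot's prototype names `struct dcrypt_settings`, which this patch declares in dcrypt.h; the hunk does not show whether that header is included before this declaration, so please verify the forward declaration or include is in place.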
@@ -5,8 +5,9 @@ static struct module *dcrypt_module = NULL; static struct dcrypt_vfs *dcrypt_vfs = NULL; +static const struct dcrypt_settings dcrypt_default_set; -bool dcrypt_initialize(const char *backend, const char **error_r) +bool dcrypt_initialize(const char *backend, const struct dcrypt_settings *set, const char **error_r) { struct module_dir_load_settings mod_set; const char *error; @@ -15,6 +16,8 @@ bool dcrypt_initialize(const char *backend, const char **error_r) return TRUE; } if (backend == NULL) backend = "openssl"; /* default for now */ + if (set == NULL) + set = &dcrypt_default_set; const char *implementation = t_strconcat("dcrypt_",backend,NULL); @@ -29,6 +32,12 @@ bool dcrypt_initialize(const char *backend, const char **error_r) } module_dir_init(dcrypt_module); i_assert(dcrypt_vfs != NULL); + if (dcrypt_vfs->initialize != NULL) { + if (!dcrypt_vfs->initialize(set, error_r)) { + dcrypt_deinitialize(); + return FALSE; + } + } /* Destroy SSL module after(most of) the others. Especially lib-fs backends may still want to access SSL module in their own atexit-callbacks. */ @@ -39,6 +48,7 @@ bool dcrypt_initialize(const char *backend, const char **error_r) void dcrypt_deinitialize(void) { module_dir_unload(&dcrypt_module); + dcrypt_vfs = NULL; } void dcrypt_set_vfs(struct dcrypt_vfs *vfs) diff --git a/src/lib-dcrypt/dcrypt.h b/src/lib-dcrypt/dcrypt.h index 70c4d89660..94f8b4c2b2 100644 --- a/src/lib-dcrypt/dcrypt.h +++ b/src/lib-dcrypt/dcrypt.h @@ -49,10 +49,15 @@ enum dcrypt_key_kind { DCRYPT_KEY_KIND_PRIVATE }; +struct dcrypt_settings { + /* OpenSSL engine to use */ + const char *crypto_device; +}; + /** * load and initialize dcrypt backend, use either openssl or gnutls */ -bool dcrypt_initialize(const char *backend, const char **error_r); +bool dcrypt_initialize(const char *backend, const struct dcrypt_settings *set, const char **error_r); /** * deinitialize dcrypt 
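Review bot: The early `return TRUE;` that opens the `@@ -15` hunk of dcrypt.c still fires when dcrypt is already initialized, so a second caller passing a `set` with a different `crypto_device` silently gets the backend and engine chosen by the first call, with no error. If that is intended it should be documented on `dcrypt_initialize` in dcrypt.h; otherwise remember the settings used and reject a mismatch with something like `*error_r = "dcrypt already initialized with different settings"; return FALSE;`. The failure path in the `@@ -29` hunk looks right: `dcrypt_deinitialize()` now also clears `dcrypt_vfs`, so a retry after a bad engine name is possible and the atexit registration below it is skipped on failure. `dcrypt_default_set` deserves a one-line comment such as `/* zero-initialized: no crypto_device, i.e. no engine */` so readers do not look for a missing initializer.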
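Review bot: The `crypto_device` comment in the new `struct dcrypt_settings` (dcrypt.h hunk) says only "OpenSSL engine to use" and leaves out what the openssl backend in this same patch actually does: NULL and `""` are both treated as no engine, and the pointer is handed straight to the engine loader. I would expand it to `/* OpenSSL engine name to load; NULL or "" means none. Backend-specific, presumably ignored by backends without engine support. Must stay valid for the duration of dcrypt_initialize(). */`, with the lifetime sentence confirmed against the engine loader's ownership behaviour. The `dcrypt_initialize` doc comment should also mention the new parameter, e.g. `set may be NULL, in which case defaults (no crypto_device) are used`. This is a signature change to a public function, so out-of-tree callers must be updated; the commit message should say so.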
diff --git a/src/lib-dcrypt/test-crypto.c b/src/lib-dcrypt/test-crypto.c index a7199dedc4..3af434b088 100644 --- a/src/lib-dcrypt/test-crypto.c +++ b/src/lib-dcrypt/test-crypto.c @@ -308,7 +308,7 @@ void test_load_v2_public_key(void) } int main(void) { - dcrypt_initialize("openssl", NULL); + dcrypt_initialize("openssl", NULL, NULL); random_init(); static void (*test_functions[])(void) = { test_cipher_test_vectors, diff --git a/src/lib-dcrypt/test-stream.c b/src/lib-dcrypt/test-stream.c index 959f4cab03..2384ba2924 100644 --- a/src/lib-dcrypt/test-stream.c +++ b/src/lib-dcrypt/test-stream.c @@ -217,7 +217,7 @@ void test_write_read_v2(void) } int main(void) { - dcrypt_initialize("openssl", NULL); + dcrypt_initialize("openssl", NULL, NULL); random_init(); dcrypt_key_load_private(&test_v1_kp.priv, DCRYPT_FORMAT_PEM, key_v1_priv, NULL, NULL, NULL);