changeset 13774:e56409d9615c
lib-ssl-iostream: Added crypto_device setting to set OpenSSL engine.
Multiple engines aren't supported, so the first crypto_device value gets
used for all SSL connections.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Thu, 24 Nov 2011 01:49:58 +0200 |
parents | 9a474b7934c9 |
children | e8c6ff480a18 |
files | src/lib-ssl-iostream/iostream-openssl-context.c src/lib-ssl-iostream/iostream-ssl.h |
diffstat | 2 files changed, 24 insertions(+), 4 deletions(-) [+] |
--- a/src/lib-ssl-iostream/iostream-openssl-context.c Thu Nov 24 01:49:40 2011 +0200 +++ b/src/lib-ssl-iostream/iostream-openssl-context.c Thu Nov 24 01:49:58 2011 +0200 @@ -6,6 +6,7 @@ #include <openssl/crypto.h> #include <openssl/x509.h> +#include <openssl/engine.h> #include <openssl/pem.h> #include <openssl/ssl.h> #include <openssl/err.h> @@ -17,9 +18,10 @@ }; static bool ssl_global_initialized = FALSE; +static ENGINE *ssl_iostream_engine; int dovecot_ssl_extdata_index; -static void ssl_iostream_init_global(void); +static void ssl_iostream_init_global(const struct ssl_iostream_settings *set); const char *ssl_iostream_error(void) { @@ -369,7 +371,7 @@ struct ssl_iostream_context *ctx; SSL_CTX *ssl_ctx; - ssl_iostream_init_global(); + ssl_iostream_init_global(set); if ((ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { i_error("SSL_CTX_new() failed: %s", ssl_iostream_error()); return -1; @@ -393,7 +395,7 @@ struct ssl_iostream_context *ctx; SSL_CTX *ssl_ctx; - ssl_iostream_init_global(); + ssl_iostream_init_global(set); if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { i_error("SSL_CTX_new() failed: %s", ssl_iostream_error()); return -1; @@ -422,11 +424,14 @@ static void ssl_iostream_deinit_global(void) { + if (ssl_iostream_engine != NULL) + ENGINE_finish(ssl_iostream_engine); + ENGINE_cleanup(); EVP_cleanup(); ERR_free_strings(); } -static void ssl_iostream_init_global(void) +static void ssl_iostream_init_global(const struct ssl_iostream_settings *set) { static char dovecot[] = "dovecot"; unsigned char buf; 
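Review bot: ssl_iostream_deinit_global() leaves `ssl_iostream_engine` pointing at an engine it has just released through ENGINE_finish() and ENGINE_cleanup(); clear it with `ssl_iostream_engine = NULL;` directly after the ENGINE_finish() call so that a later deinit (or an init/deinit cycle, if `ssl_global_initialized` is ever reset — that logic is outside this hunk) cannot call ENGINE_finish() on a freed engine. ENGINE_finish() only drops the functional reference that ENGINE_init() takes; the structural reference returned by ENGINE_by_id() in ssl_iostream_init_global() is never released anywhere in this change, which is a leak rather than a security issue but belongs in the same cleanup. The ENGINE_finish() return value is also ignored; logging a failure with ssl_iostream_error() would make engine teardown problems visible.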
@@ -448,4 +453,18 @@ the first try, so this function may fail. It's still been initialized though. */ (void)RAND_bytes(&buf, 1); + + if (set->crypto_device != NULL && *set->crypto_device != '\0') { + ENGINE_load_builtin_engines(); + ssl_iostream_engine = ENGINE_by_id(set->crypto_device); + if (ssl_iostream_engine == NULL) { + i_error("Unknown ssl_crypto_device: %s", + set->crypto_device); + } else { + ENGINE_init(ssl_iostream_engine); + ENGINE_set_default_RSA(ssl_iostream_engine); + ENGINE_set_default_DSA(ssl_iostream_engine); + ENGINE_set_default_ciphers(ssl_iostream_engine); + } + } }
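Review bot: The return value of ENGINE_init() in the else branch is ignored, so an engine whose initialisation fails (device absent, driver not loadable) is still installed as the process default by the three ENGINE_set_default_*() calls and later handed to ENGINE_finish() in ssl_iostream_deinit_global() although it never acquired a functional reference. Per the OpenSSL ENGINE documentation the structural reference from ENGINE_by_id() should also be dropped with ENGINE_free() once ENGINE_init() succeeds (or unconditionally when it fails), which this hunk never does. Both the unknown-engine case and an init failure only produce an i_error() and the process silently continues on OpenSSL's software implementations; since an admin sets ssl_crypto_device deliberately, consider whether a misconfigured engine should be fatal, and at minimum the log line should say that software crypto is now in use. The enclosing ssl_iostream_init_global() starts in the previous hunk.
```c
		ssl_iostream_engine = ENGINE_by_id(set->crypto_device);
		if (ssl_iostream_engine == NULL) {
			/* … unchanged: "Unknown ssl_crypto_device" i_error() … */
		} else if (ENGINE_init(ssl_iostream_engine) == 0) {
			i_error("ssl_crypto_device %s: ENGINE_init() failed: %s "
				"- falling back to software crypto",
				set->crypto_device, ssl_iostream_error());
			ENGINE_free(ssl_iostream_engine);
			ssl_iostream_engine = NULL;
		} else {
			ENGINE_set_default_RSA(ssl_iostream_engine);
			ENGINE_set_default_DSA(ssl_iostream_engine);
			ENGINE_set_default_ciphers(ssl_iostream_engine);
			/* ENGINE_init() now holds a functional reference; drop
			   the structural one from ENGINE_by_id(). deinit_global()
			   releases the functional one with ENGINE_finish(). */
			ENGINE_free(ssl_iostream_engine);
		}
```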
--- a/src/lib-ssl-iostream/iostream-ssl.h Thu Nov 24 01:49:40 2011 +0200 +++ b/src/lib-ssl-iostream/iostream-ssl.h Thu Nov 24 01:49:58 2011 +0200 @@ -11,6 +11,7 @@ const char *key; const char *key_password; const char *cert_username_field; + const char *crypto_device; bool verbose, verbose_invalid_cert; bool verify_remote_cert;
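Review bot: The new `crypto_device` member is added without a comment, and its process-global, first-caller-wins behaviour is stated only in the commit message, which is exactly what someone filling in ssl_iostream_settings needs to know. Add above the field: `/* OpenSSL ENGINE id passed to ENGINE_by_id(); the engine is process-global and only the first context's value is honoured */`. The struct's opening and closing lines are outside this hunk.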