Hello,
after several tests (and reading a lot of howtos) I'm now fairly convinced
that the Solaris HW-crypto engine is not automatically used, even when Dovecot
is compiled with the OpenSSL version provided by Solaris.

Currently I have only a T1-CPU available for testing (Sun Fire T2000) and
after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with

 ENGINE *e;
 ENGINE_load_builtin_engines();                  /* registers the built-in engines, incl. pkcs11 */
 if ((e = ENGINE_by_id("pkcs11")) != NULL && ENGINE_init(e)) {   /* skip if engine absent */
     ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e);
     ENGINE_set_default_ciphers(e);              /* bulk ciphers via EVP_ now go to the engine */
 }

in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit()
the crypto device gets used. I'm sure that this is not the whole story since
this only seems to affect the IMAP login.

One has to use the specific SSL engine and the ENGINE/EVP calls (as stated in
the various articles). Is there any chance that Dovecot gets updated/patched
for this? E.g. like the SSLCryptoDevice setting in Apache's mod_ssl.

Regards.
Martin

Chris Hoogendyk wrote:

On 4/18/11 6:30 AM, Martin Preen wrote:
Hello,
I tried to find out how to use the hardware crypto engines under
Solaris (Sun Fire T2000). It seems that it's not just a compilation issue:

For operations that are to be offloaded, it is necessary to restrict use to a subset
of OpenSSL functions (the EVP_ functions) and explicitly indicate the use of the PKCS11
engine; something like the following works for bulk ciphers (the process for RSA is similar):

ENGINE *e;
EVP_CIPHER_CTX ctx;                  /* key and iv: caller-supplied buffers */
ENGINE_load_builtin_engines();       /* registers the built-in engines */
e = ENGINE_by_id("pkcs11");          /* select the PKCS#11 engine explicitly */
ENGINE_set_default_ciphers(e);       /* bulk ciphers now go to the engine */
EVP_CIPHER_CTX_init (&ctx);
EVP_EncryptInit (&ctx, EVP_des_cbc (), key, iv);
EVP_EncryptUpdate (.....);           /* data in chunks, then EVP_EncryptFinal */

Since I'm not familiar with SSL programming, I wonder if it's possible to
modify the dovecot 1.2.x source code. Maybe someone has already tried this
or can give me a hint.

You don't want to do that.

The objective is for the ssl engine to be low level and basically invisible to layers of application above that use it. So, build openssl properly and it just works for everything else.

I'm not at work today, so I don't have reference to my notes. Ah, just found an email I sent to my colleagues -- copied it below.

---------------------------------------------------------------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum EG-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250      pr...@informatik.uni-freiburg.de
fax: ++49 761 203-8242        swt.informatik.uni-freiburg.de/~preen
