summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/engine/hw_cryptodev.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/engine/hw_cryptodev.c')
-rw-r--r--src/lib/libcrypto/engine/hw_cryptodev.c511
1 files changed, 413 insertions, 98 deletions
diff --git a/src/lib/libcrypto/engine/hw_cryptodev.c b/src/lib/libcrypto/engine/hw_cryptodev.c
index 3e7fff1c1e..5a715aca4f 100644
--- a/src/lib/libcrypto/engine/hw_cryptodev.c
+++ b/src/lib/libcrypto/engine/hw_cryptodev.c
@@ -29,14 +29,16 @@
29#include <openssl/objects.h> 29#include <openssl/objects.h>
30#include <openssl/engine.h> 30#include <openssl/engine.h>
31#include <openssl/evp.h> 31#include <openssl/evp.h>
32#include <openssl/bn.h>
32 33
33#if (defined(__unix__) || defined(unix)) && !defined(USG) 34#if (defined(__unix__) || defined(unix)) && !defined(USG) && \
35 (defined(OpenBSD) || defined(__FreeBSD__))
34#include <sys/param.h> 36#include <sys/param.h>
35# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) 37# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
36# define HAVE_CRYPTODEV 38# define HAVE_CRYPTODEV
37# endif 39# endif
38# if (OpenBSD >= 200110) 40# if (OpenBSD >= 200110)
39# define HAVE_SYSLOG_R 41# define HAVE_SYSLOG_R
40# endif 42# endif
41#endif 43#endif
42 44
@@ -50,9 +52,13 @@ ENGINE_load_cryptodev(void)
50} 52}
51 53
52#else 54#else
53 55
54#include <sys/types.h> 56#include <sys/types.h>
55#include <crypto/cryptodev.h> 57#include <crypto/cryptodev.h>
58#include <crypto/dh/dh.h>
59#include <crypto/dsa/dsa.h>
60#include <crypto/err/err.h>
61#include <crypto/rsa/rsa.h>
56#include <sys/ioctl.h> 62#include <sys/ioctl.h>
57#include <errno.h> 63#include <errno.h>
58#include <stdio.h> 64#include <stdio.h>
@@ -66,6 +72,14 @@ ENGINE_load_cryptodev(void)
66struct dev_crypto_state { 72struct dev_crypto_state {
67 struct session_op d_sess; 73 struct session_op d_sess;
68 int d_fd; 74 int d_fd;
75
76#ifdef USE_CRYPTODEV_DIGESTS
77 char dummy_mac_key[HASH_MAX_LEN];
78
79 unsigned char digest_res[HASH_MAX_LEN];
80 char *mac_data;
81 int mac_len;
82#endif
69}; 83};
70 84
71static u_int32_t cryptodev_asymfeat = 0; 85static u_int32_t cryptodev_asymfeat = 0;
@@ -73,15 +87,14 @@ static u_int32_t cryptodev_asymfeat = 0;
73static int get_asym_dev_crypto(void); 87static int get_asym_dev_crypto(void);
74static int open_dev_crypto(void); 88static int open_dev_crypto(void);
75static int get_dev_crypto(void); 89static int get_dev_crypto(void);
76static int cryptodev_max_iv(int cipher);
77static int cryptodev_key_length_valid(int cipher, int len);
78static int cipher_nid_to_cryptodev(int nid);
79static int get_cryptodev_ciphers(const int **cnids); 90static int get_cryptodev_ciphers(const int **cnids);
80/*static int get_cryptodev_digests(const int **cnids);*/ 91#ifdef USE_CRYPTODEV_DIGESTS
92static int get_cryptodev_digests(const int **cnids);
93#endif
81static int cryptodev_usable_ciphers(const int **nids); 94static int cryptodev_usable_ciphers(const int **nids);
82static int cryptodev_usable_digests(const int **nids); 95static int cryptodev_usable_digests(const int **nids);
83static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 96static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
84 const unsigned char *in, unsigned int inl); 97 const unsigned char *in, size_t inl);
85static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 98static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
86 const unsigned char *iv, int enc); 99 const unsigned char *iv, int enc);
87static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx); 100static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx);
@@ -98,8 +111,8 @@ static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r,
98static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, 111static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
99 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); 112 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
100static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, 113static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
101 RSA *rsa); 114 RSA *rsa, BN_CTX *ctx);
102static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); 115static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
103static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, 116static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
104 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); 117 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
105static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, 118static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g,
@@ -115,7 +128,7 @@ static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
115static int cryptodev_dh_compute_key(unsigned char *key, 128static int cryptodev_dh_compute_key(unsigned char *key,
116 const BIGNUM *pub_key, DH *dh); 129 const BIGNUM *pub_key, DH *dh);
117static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, 130static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
118 void (*f)()); 131 void (*f)(void));
119void ENGINE_load_cryptodev(void); 132void ENGINE_load_cryptodev(void);
120 133
121static const ENGINE_CMD_DEFN cryptodev_defns[] = { 134static const ENGINE_CMD_DEFN cryptodev_defns[] = {
@@ -128,27 +141,32 @@ static struct {
128 int ivmax; 141 int ivmax;
129 int keylen; 142 int keylen;
130} ciphers[] = { 143} ciphers[] = {
144 { CRYPTO_ARC4, NID_rc4, 0, 16, },
131 { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, }, 145 { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, },
132 { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, }, 146 { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, },
133 { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, }, 147 { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, },
148 { CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24, },
149 { CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32, },
134 { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, }, 150 { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, },
135 { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, }, 151 { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, },
136 { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, }, 152 { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, },
137 { 0, NID_undef, 0, 0, }, 153 { 0, NID_undef, 0, 0, },
138}; 154};
139 155
140#if 0 /* UNUSED */ 156#ifdef USE_CRYPTODEV_DIGESTS
141static struct { 157static struct {
142 int id; 158 int id;
143 int nid; 159 int nid;
160 int keylen;
144} digests[] = { 161} digests[] = {
145 { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, }, 162 { CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16},
146 { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, }, 163 { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20},
147 { CRYPTO_MD5_KPDK, NID_undef, }, 164 { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, 16/*?*/},
148 { CRYPTO_SHA1_KPDK, NID_undef, }, 165 { CRYPTO_MD5_KPDK, NID_undef, 0},
149 { CRYPTO_MD5, NID_md5, }, 166 { CRYPTO_SHA1_KPDK, NID_undef, 0},
150 { CRYPTO_SHA1, NID_undef, }, 167 { CRYPTO_MD5, NID_md5, 16},
151 { 0, NID_undef, }, 168 { CRYPTO_SHA1, NID_sha1, 20},
169 { 0, NID_undef, 0},
152}; 170};
153#endif 171#endif
154 172
@@ -180,6 +198,7 @@ get_dev_crypto(void)
180 198
181 if ((fd = open_dev_crypto()) == -1) 199 if ((fd = open_dev_crypto()) == -1)
182 return (-1); 200 return (-1);
201#ifndef CRIOGET_NOT_NEEDED
183 if (ioctl(fd, CRIOGET, &retfd) == -1) 202 if (ioctl(fd, CRIOGET, &retfd) == -1)
184 return (-1); 203 return (-1);
185 204
@@ -188,9 +207,19 @@ get_dev_crypto(void)
188 close(retfd); 207 close(retfd);
189 return (-1); 208 return (-1);
190 } 209 }
210#else
211 retfd = fd;
212#endif
191 return (retfd); 213 return (retfd);
192} 214}
193 215
216static void put_dev_crypto(int fd)
217{
218#ifndef CRIOGET_NOT_NEEDED
219 close(fd);
220#endif
221}
222
194/* Caching version for asym operations */ 223/* Caching version for asym operations */
195static int 224static int
196get_asym_dev_crypto(void) 225get_asym_dev_crypto(void)
@@ -203,50 +232,6 @@ get_asym_dev_crypto(void)
203} 232}
204 233
205/* 234/*
206 * XXXX this needs to be set for each alg - and determined from
207 * a running card.
208 */
209static int
210cryptodev_max_iv(int cipher)
211{
212 int i;
213
214 for (i = 0; ciphers[i].id; i++)
215 if (ciphers[i].id == cipher)
216 return (ciphers[i].ivmax);
217 return (0);
218}
219
220/*
221 * XXXX this needs to be set for each alg - and determined from
222 * a running card. For now, fake it out - but most of these
223 * for real devices should return 1 for the supported key
224 * sizes the device can handle.
225 */
226static int
227cryptodev_key_length_valid(int cipher, int len)
228{
229 int i;
230
231 for (i = 0; ciphers[i].id; i++)
232 if (ciphers[i].id == cipher)
233 return (ciphers[i].keylen == len);
234 return (0);
235}
236
237/* convert libcrypto nids to cryptodev */
238static int
239cipher_nid_to_cryptodev(int nid)
240{
241 int i;
242
243 for (i = 0; ciphers[i].id; i++)
244 if (ciphers[i].nid == nid)
245 return (ciphers[i].id);
246 return (0);
247}
248
249/*
250 * Find out what ciphers /dev/crypto will let us have a session for. 235 * Find out what ciphers /dev/crypto will let us have a session for.
251 * XXX note, that some of these openssl doesn't deal with yet! 236 * XXX note, that some of these openssl doesn't deal with yet!
252 * returning them here is harmless, as long as we return NULL 237 * returning them here is harmless, as long as we return NULL
@@ -264,7 +249,7 @@ get_cryptodev_ciphers(const int **cnids)
264 return (0); 249 return (0);
265 } 250 }
266 memset(&sess, 0, sizeof(sess)); 251 memset(&sess, 0, sizeof(sess));
267 sess.key = (caddr_t)"123456781234567812345678"; 252 sess.key = (caddr_t)"123456789abcdefghijklmno";
268 253
269 for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { 254 for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
270 if (ciphers[i].nid == NID_undef) 255 if (ciphers[i].nid == NID_undef)
@@ -276,7 +261,7 @@ get_cryptodev_ciphers(const int **cnids)
276 ioctl(fd, CIOCFSESSION, &sess.ses) != -1) 261 ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
277 nids[count++] = ciphers[i].nid; 262 nids[count++] = ciphers[i].nid;
278 } 263 }
279 close(fd); 264 put_dev_crypto(fd);
280 265
281 if (count > 0) 266 if (count > 0)
282 *cnids = nids; 267 *cnids = nids;
@@ -285,13 +270,13 @@ get_cryptodev_ciphers(const int **cnids)
285 return (count); 270 return (count);
286} 271}
287 272
273#ifdef USE_CRYPTODEV_DIGESTS
288/* 274/*
289 * Find out what digests /dev/crypto will let us have a session for. 275 * Find out what digests /dev/crypto will let us have a session for.
290 * XXX note, that some of these openssl doesn't deal with yet! 276 * XXX note, that some of these openssl doesn't deal with yet!
291 * returning them here is harmless, as long as we return NULL 277 * returning them here is harmless, as long as we return NULL
292 * when asked for a handler in the cryptodev_engine_digests routine 278 * when asked for a handler in the cryptodev_engine_digests routine
293 */ 279 */
294#if 0 /* UNUSED */
295static int 280static int
296get_cryptodev_digests(const int **cnids) 281get_cryptodev_digests(const int **cnids)
297{ 282{
@@ -304,16 +289,18 @@ get_cryptodev_digests(const int **cnids)
304 return (0); 289 return (0);
305 } 290 }
306 memset(&sess, 0, sizeof(sess)); 291 memset(&sess, 0, sizeof(sess));
292 sess.mackey = (caddr_t)"123456789abcdefghijklmno";
307 for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { 293 for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
308 if (digests[i].nid == NID_undef) 294 if (digests[i].nid == NID_undef)
309 continue; 295 continue;
310 sess.mac = digests[i].id; 296 sess.mac = digests[i].id;
297 sess.mackeylen = digests[i].keylen;
311 sess.cipher = 0; 298 sess.cipher = 0;
312 if (ioctl(fd, CIOCGSESSION, &sess) != -1 && 299 if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
313 ioctl(fd, CIOCFSESSION, &sess.ses) != -1) 300 ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
314 nids[count++] = digests[i].nid; 301 nids[count++] = digests[i].nid;
315 } 302 }
316 close(fd); 303 put_dev_crypto(fd);
317 304
318 if (count > 0) 305 if (count > 0)
319 *cnids = nids; 306 *cnids = nids;
@@ -321,7 +308,7 @@ get_cryptodev_digests(const int **cnids)
321 *cnids = NULL; 308 *cnids = NULL;
322 return (count); 309 return (count);
323} 310}
324#endif 311#endif /* 0 */
325 312
326/* 313/*
327 * Find the useable ciphers|digests from dev/crypto - this is the first 314 * Find the useable ciphers|digests from dev/crypto - this is the first
@@ -353,6 +340,9 @@ cryptodev_usable_ciphers(const int **nids)
353static int 340static int
354cryptodev_usable_digests(const int **nids) 341cryptodev_usable_digests(const int **nids)
355{ 342{
343#ifdef USE_CRYPTODEV_DIGESTS
344 return (get_cryptodev_digests(nids));
345#else
356 /* 346 /*
357 * XXXX just disable all digests for now, because it sucks. 347 * XXXX just disable all digests for now, because it sucks.
358 * we need a better way to decide this - i.e. I may not 348 * we need a better way to decide this - i.e. I may not
@@ -367,16 +357,17 @@ cryptodev_usable_digests(const int **nids)
367 */ 357 */
368 *nids = NULL; 358 *nids = NULL;
369 return (0); 359 return (0);
360#endif
370} 361}
371 362
372static int 363static int
373cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 364cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
374 const unsigned char *in, unsigned int inl) 365 const unsigned char *in, size_t inl)
375{ 366{
376 struct crypt_op cryp; 367 struct crypt_op cryp;
377 struct dev_crypto_state *state = ctx->cipher_data; 368 struct dev_crypto_state *state = ctx->cipher_data;
378 struct session_op *sess = &state->d_sess; 369 struct session_op *sess = &state->d_sess;
379 void *iiv; 370 const void *iiv;
380 unsigned char save_iv[EVP_MAX_IV_LENGTH]; 371 unsigned char save_iv[EVP_MAX_IV_LENGTH];
381 372
382 if (state->d_fd < 0) 373 if (state->d_fd < 0)
@@ -400,7 +391,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
400 if (ctx->cipher->iv_len) { 391 if (ctx->cipher->iv_len) {
401 cryp.iv = (caddr_t) ctx->iv; 392 cryp.iv = (caddr_t) ctx->iv;
402 if (!ctx->encrypt) { 393 if (!ctx->encrypt) {
403 iiv = (void *) in + inl - ctx->cipher->iv_len; 394 iiv = in + inl - ctx->cipher->iv_len;
404 memcpy(save_iv, iiv, ctx->cipher->iv_len); 395 memcpy(save_iv, iiv, ctx->cipher->iv_len);
405 } 396 }
406 } else 397 } else
@@ -415,7 +406,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
415 406
416 if (ctx->cipher->iv_len) { 407 if (ctx->cipher->iv_len) {
417 if (ctx->encrypt) 408 if (ctx->encrypt)
418 iiv = (void *) out + inl - ctx->cipher->iv_len; 409 iiv = out + inl - ctx->cipher->iv_len;
419 else 410 else
420 iiv = save_iv; 411 iiv = save_iv;
421 memcpy(ctx->iv, iiv, ctx->cipher->iv_len); 412 memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
@@ -429,28 +420,32 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
429{ 420{
430 struct dev_crypto_state *state = ctx->cipher_data; 421 struct dev_crypto_state *state = ctx->cipher_data;
431 struct session_op *sess = &state->d_sess; 422 struct session_op *sess = &state->d_sess;
432 int cipher; 423 int cipher = -1, i;
433 424
434 if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef) 425 for (i = 0; ciphers[i].id; i++)
435 return (0); 426 if (ctx->cipher->nid == ciphers[i].nid &&
436 427 ctx->cipher->iv_len <= ciphers[i].ivmax &&
437 if (ctx->cipher->iv_len > cryptodev_max_iv(cipher)) 428 ctx->key_len == ciphers[i].keylen) {
438 return (0); 429 cipher = ciphers[i].id;
430 break;
431 }
439 432
440 if (!cryptodev_key_length_valid(cipher, ctx->key_len)) 433 if (!ciphers[i].id) {
434 state->d_fd = -1;
441 return (0); 435 return (0);
436 }
442 437
443 memset(sess, 0, sizeof(struct session_op)); 438 memset(sess, 0, sizeof(struct session_op));
444 439
445 if ((state->d_fd = get_dev_crypto()) < 0) 440 if ((state->d_fd = get_dev_crypto()) < 0)
446 return (0); 441 return (0);
447 442
448 sess->key = (unsigned char *)key; 443 sess->key = (caddr_t)key;
449 sess->keylen = ctx->key_len; 444 sess->keylen = ctx->key_len;
450 sess->cipher = cipher; 445 sess->cipher = cipher;
451 446
452 if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { 447 if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
453 close(state->d_fd); 448 put_dev_crypto(state->d_fd);
454 state->d_fd = -1; 449 state->d_fd = -1;
455 return (0); 450 return (0);
456 } 451 }
@@ -487,7 +482,7 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
487 } else { 482 } else {
488 ret = 1; 483 ret = 1;
489 } 484 }
490 close(state->d_fd); 485 put_dev_crypto(state->d_fd);
491 state->d_fd = -1; 486 state->d_fd = -1;
492 487
493 return (ret); 488 return (ret);
@@ -498,6 +493,20 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
498 * gets called when libcrypto requests a cipher NID. 493 * gets called when libcrypto requests a cipher NID.
499 */ 494 */
500 495
496/* RC4 */
497const EVP_CIPHER cryptodev_rc4 = {
498 NID_rc4,
499 1, 16, 0,
500 EVP_CIPH_VARIABLE_LENGTH,
501 cryptodev_init_key,
502 cryptodev_cipher,
503 cryptodev_cleanup,
504 sizeof(struct dev_crypto_state),
505 NULL,
506 NULL,
507 NULL
508};
509
501/* DES CBC EVP */ 510/* DES CBC EVP */
502const EVP_CIPHER cryptodev_des_cbc = { 511const EVP_CIPHER cryptodev_des_cbc = {
503 NID_des_cbc, 512 NID_des_cbc,
@@ -565,6 +574,32 @@ const EVP_CIPHER cryptodev_aes_cbc = {
565 NULL 574 NULL
566}; 575};
567 576
577const EVP_CIPHER cryptodev_aes_192_cbc = {
578 NID_aes_192_cbc,
579 16, 24, 16,
580 EVP_CIPH_CBC_MODE,
581 cryptodev_init_key,
582 cryptodev_cipher,
583 cryptodev_cleanup,
584 sizeof(struct dev_crypto_state),
585 EVP_CIPHER_set_asn1_iv,
586 EVP_CIPHER_get_asn1_iv,
587 NULL
588};
589
590const EVP_CIPHER cryptodev_aes_256_cbc = {
591 NID_aes_256_cbc,
592 16, 32, 16,
593 EVP_CIPH_CBC_MODE,
594 cryptodev_init_key,
595 cryptodev_cipher,
596 cryptodev_cleanup,
597 sizeof(struct dev_crypto_state),
598 EVP_CIPHER_set_asn1_iv,
599 EVP_CIPHER_get_asn1_iv,
600 NULL
601};
602
568/* 603/*
569 * Registered by the ENGINE when used to find out how to deal with 604 * Registered by the ENGINE when used to find out how to deal with
570 * a particular NID in the ENGINE. this says what we'll do at the 605 * a particular NID in the ENGINE. this says what we'll do at the
@@ -578,6 +613,9 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
578 return (cryptodev_usable_ciphers(nids)); 613 return (cryptodev_usable_ciphers(nids));
579 614
580 switch (nid) { 615 switch (nid) {
616 case NID_rc4:
617 *cipher = &cryptodev_rc4;
618 break;
581 case NID_des_ede3_cbc: 619 case NID_des_ede3_cbc:
582 *cipher = &cryptodev_3des_cbc; 620 *cipher = &cryptodev_3des_cbc;
583 break; 621 break;
@@ -593,6 +631,12 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
593 case NID_aes_128_cbc: 631 case NID_aes_128_cbc:
594 *cipher = &cryptodev_aes_cbc; 632 *cipher = &cryptodev_aes_cbc;
595 break; 633 break;
634 case NID_aes_192_cbc:
635 *cipher = &cryptodev_aes_192_cbc;
636 break;
637 case NID_aes_256_cbc:
638 *cipher = &cryptodev_aes_256_cbc;
639 break;
596 default: 640 default:
597 *cipher = NULL; 641 *cipher = NULL;
598 break; 642 break;
@@ -600,6 +644,256 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
600 return (*cipher != NULL); 644 return (*cipher != NULL);
601} 645}
602 646
647
648#ifdef USE_CRYPTODEV_DIGESTS
649
650/* convert digest type to cryptodev */
651static int
652digest_nid_to_cryptodev(int nid)
653{
654 int i;
655
656 for (i = 0; digests[i].id; i++)
657 if (digests[i].nid == nid)
658 return (digests[i].id);
659 return (0);
660}
661
662
663static int
664digest_key_length(int nid)
665{
666 int i;
667
668 for (i = 0; digests[i].id; i++)
669 if (digests[i].nid == nid)
670 return digests[i].keylen;
671 return (0);
672}
673
674
675static int cryptodev_digest_init(EVP_MD_CTX *ctx)
676{
677 struct dev_crypto_state *state = ctx->md_data;
678 struct session_op *sess = &state->d_sess;
679 int digest;
680
681 if ((digest = digest_nid_to_cryptodev(ctx->digest->type)) == NID_undef){
682 printf("cryptodev_digest_init: Can't get digest \n");
683 return (0);
684 }
685
686 memset(state, 0, sizeof(struct dev_crypto_state));
687
688 if ((state->d_fd = get_dev_crypto()) < 0) {
689 printf("cryptodev_digest_init: Can't get Dev \n");
690 return (0);
691 }
692
693 sess->mackey = state->dummy_mac_key;
694 sess->mackeylen = digest_key_length(ctx->digest->type);
695 sess->mac = digest;
696
697 if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) {
698 put_dev_crypto(state->d_fd);
699 state->d_fd = -1;
700 printf("cryptodev_digest_init: Open session failed\n");
701 return (0);
702 }
703
704 return (1);
705}
706
707static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
708 size_t count)
709{
710 struct crypt_op cryp;
711 struct dev_crypto_state *state = ctx->md_data;
712 struct session_op *sess = &state->d_sess;
713
714 if (!data || state->d_fd < 0) {
715 printf("cryptodev_digest_update: illegal inputs \n");
716 return (0);
717 }
718
719 if (!count) {
720 return (0);
721 }
722
723 if (!(ctx->flags & EVP_MD_CTX_FLAG_ONESHOT)) {
724 /* if application doesn't support one buffer */
725 state->mac_data = OPENSSL_realloc(state->mac_data, state->mac_len + count);
726
727 if (!state->mac_data) {
728 printf("cryptodev_digest_update: realloc failed\n");
729 return (0);
730 }
731
732 memcpy(state->mac_data + state->mac_len, data, count);
733 state->mac_len += count;
734
735 return (1);
736 }
737
738 memset(&cryp, 0, sizeof(cryp));
739
740 cryp.ses = sess->ses;
741 cryp.flags = 0;
742 cryp.len = count;
743 cryp.src = (caddr_t) data;
744 cryp.dst = NULL;
745 cryp.mac = (caddr_t) state->digest_res;
746 if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
747 printf("cryptodev_digest_update: digest failed\n");
748 return (0);
749 }
750 return (1);
751}
752
753
754static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
755{
756 struct crypt_op cryp;
757 struct dev_crypto_state *state = ctx->md_data;
758 struct session_op *sess = &state->d_sess;
759
760 int ret = 1;
761
762 if (!md || state->d_fd < 0) {
763 printf("cryptodev_digest_final: illegal input\n");
764 return(0);
765 }
766
767 if (! (ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) ) {
768 /* if application doesn't support one buffer */
769 memset(&cryp, 0, sizeof(cryp));
770 cryp.ses = sess->ses;
771 cryp.flags = 0;
772 cryp.len = state->mac_len;
773 cryp.src = state->mac_data;
774 cryp.dst = NULL;
775 cryp.mac = (caddr_t)md;
776 if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
777 printf("cryptodev_digest_final: digest failed\n");
778 return (0);
779 }
780
781 return 1;
782 }
783
784 memcpy(md, state->digest_res, ctx->digest->md_size);
785
786 return (ret);
787}
788
789
790static int cryptodev_digest_cleanup(EVP_MD_CTX *ctx)
791{
792 int ret = 1;
793 struct dev_crypto_state *state = ctx->md_data;
794 struct session_op *sess = &state->d_sess;
795
796 if (state == NULL)
797 return 0;
798
799 if (state->d_fd < 0) {
800 printf("cryptodev_digest_cleanup: illegal input\n");
801 return (0);
802 }
803
804 if (state->mac_data) {
805 OPENSSL_free(state->mac_data);
806 state->mac_data = NULL;
807 state->mac_len = 0;
808 }
809
810 if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) < 0) {
811 printf("cryptodev_digest_cleanup: failed to close session\n");
812 ret = 0;
813 } else {
814 ret = 1;
815 }
816 put_dev_crypto(state->d_fd);
817 state->d_fd = -1;
818
819 return (ret);
820}
821
822static int cryptodev_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
823{
824 struct dev_crypto_state *fstate = from->md_data;
825 struct dev_crypto_state *dstate = to->md_data;
826 struct session_op *sess;
827 int digest;
828
829 if (dstate == NULL || fstate == NULL)
830 return 1;
831
832 memcpy(dstate, fstate, sizeof(struct dev_crypto_state));
833
834 sess = &dstate->d_sess;
835
836 digest = digest_nid_to_cryptodev(to->digest->type);
837
838 sess->mackey = dstate->dummy_mac_key;
839 sess->mackeylen = digest_key_length(to->digest->type);
840 sess->mac = digest;
841
842 dstate->d_fd = get_dev_crypto();
843
844 if (ioctl(dstate->d_fd, CIOCGSESSION, sess) < 0) {
845 put_dev_crypto(dstate->d_fd);
846 dstate->d_fd = -1;
847 printf("cryptodev_digest_init: Open session failed\n");
848 return (0);
849 }
850
851 if (fstate->mac_len != 0) {
852 if (fstate->mac_data != NULL)
853 {
854 dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
855 memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len);
856 dstate->mac_len = fstate->mac_len;
857 }
858 }
859
860 return 1;
861}
862
863
864const EVP_MD cryptodev_sha1 = {
865 NID_sha1,
866 NID_undef,
867 SHA_DIGEST_LENGTH,
868 EVP_MD_FLAG_ONESHOT,
869 cryptodev_digest_init,
870 cryptodev_digest_update,
871 cryptodev_digest_final,
872 cryptodev_digest_copy,
873 cryptodev_digest_cleanup,
874 EVP_PKEY_NULL_method,
875 SHA_CBLOCK,
876 sizeof(struct dev_crypto_state),
877};
878
879const EVP_MD cryptodev_md5 = {
880 NID_md5,
881 NID_undef,
882 16 /* MD5_DIGEST_LENGTH */,
883 EVP_MD_FLAG_ONESHOT,
884 cryptodev_digest_init,
885 cryptodev_digest_update,
886 cryptodev_digest_final,
887 cryptodev_digest_copy,
888 cryptodev_digest_cleanup,
889 EVP_PKEY_NULL_method,
890 64 /* MD5_CBLOCK */,
891 sizeof(struct dev_crypto_state),
892};
893
894#endif /* USE_CRYPTODEV_DIGESTS */
895
896
603static int 897static int
604cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, 898cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
605 const int **nids, int nid) 899 const int **nids, int nid)
@@ -608,10 +902,15 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
608 return (cryptodev_usable_digests(nids)); 902 return (cryptodev_usable_digests(nids));
609 903
610 switch (nid) { 904 switch (nid) {
905#ifdef USE_CRYPTODEV_DIGESTS
611 case NID_md5: 906 case NID_md5:
612 *digest = NULL; /* need to make a clean md5 critter */ 907 *digest = &cryptodev_md5;
613 break; 908 break;
909 case NID_sha1:
910 *digest = &cryptodev_sha1;
911 break;
614 default: 912 default:
913#endif /* USE_CRYPTODEV_DIGESTS */
615 *digest = NULL; 914 *digest = NULL;
616 break; 915 break;
617 } 916 }
@@ -639,8 +938,9 @@ bn2crparam(const BIGNUM *a, struct crparam *crp)
639 b = malloc(bytes); 938 b = malloc(bytes);
640 if (b == NULL) 939 if (b == NULL)
641 return (1); 940 return (1);
941 memset(b, 0, bytes);
642 942
643 crp->crp_p = b; 943 crp->crp_p = (caddr_t) b;
644 crp->crp_nbits = bits; 944 crp->crp_nbits = bits;
645 945
646 for (i = 0, j = 0; i < a->top; i++) { 946 for (i = 0, j = 0; i < a->top; i++) {
@@ -683,7 +983,7 @@ zapparams(struct crypt_kop *kop)
683{ 983{
684 int i; 984 int i;
685 985
686 for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) { 986 for (i = 0; i < kop->crk_iparams + kop->crk_oparams; i++) {
687 if (kop->crk_param[i].crp_p) 987 if (kop->crk_param[i].crp_p)
688 free(kop->crk_param[i].crp_p); 988 free(kop->crk_param[i].crp_p);
689 kop->crk_param[i].crp_p = NULL; 989 kop->crk_param[i].crp_p = NULL;
@@ -748,21 +1048,27 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
748 goto err; 1048 goto err;
749 kop.crk_iparams = 3; 1049 kop.crk_iparams = 3;
750 1050
751 if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) { 1051 if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) {
1052 const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
1053 printf("OCF asym process failed, Running in software\n");
1054 ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
1055
1056 } else if (ECANCELED == kop.crk_status) {
752 const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); 1057 const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
1058 printf("OCF hardware operation cancelled. Running in Software\n");
753 ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont); 1059 ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
754 } 1060 }
1061 /* else cryptodev operation worked ok ==> ret = 1*/
1062
755err: 1063err:
756 zapparams(&kop); 1064 zapparams(&kop);
757 return (ret); 1065 return (ret);
758} 1066}
759 1067
760static int 1068static int
761cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 1069cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
762{ 1070{
763 int r; 1071 int r;
764 BN_CTX *ctx;
765
766 ctx = BN_CTX_new(); 1072 ctx = BN_CTX_new();
767 r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL); 1073 r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
768 BN_CTX_free(ctx); 1074 BN_CTX_free(ctx);
@@ -770,7 +1076,7 @@ cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
770} 1076}
771 1077
772static int 1078static int
773cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 1079cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
774{ 1080{
775 struct crypt_kop kop; 1081 struct crypt_kop kop;
776 int ret = 1; 1082 int ret = 1;
@@ -797,10 +1103,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
797 goto err; 1103 goto err;
798 kop.crk_iparams = 6; 1104 kop.crk_iparams = 6;
799 1105
800 if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) { 1106 if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) {
1107 const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
1108 printf("OCF asym process failed, running in Software\n");
1109 ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
1110
1111 } else if (ECANCELED == kop.crk_status) {
801 const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); 1112 const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
802 ret = (*meth->rsa_mod_exp)(r0, I, rsa); 1113 printf("OCF hardware operation cancelled. Running in Software\n");
1114 ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
803 } 1115 }
1116 /* else cryptodev operation worked ok ==> ret = 1*/
1117
804err: 1118err:
805 zapparams(&kop); 1119 zapparams(&kop);
806 return (ret); 1120 return (ret);
@@ -936,7 +1250,8 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
936 kop.crk_iparams = 7; 1250 kop.crk_iparams = 7;
937 1251
938 if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) { 1252 if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
939 dsaret = kop.crk_status; 1253/*OCF success value is 0, if not zero, change dsaret to fail*/
1254 if(0 != kop.crk_status) dsaret = 0;
940 } else { 1255 } else {
941 const DSA_METHOD *meth = DSA_OpenSSL(); 1256 const DSA_METHOD *meth = DSA_OpenSSL();
942 1257
@@ -996,7 +1311,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
996 goto err; 1311 goto err;
997 kop.crk_iparams = 3; 1312 kop.crk_iparams = 3;
998 1313
999 kop.crk_param[3].crp_p = key; 1314 kop.crk_param[3].crp_p = (caddr_t) key;
1000 kop.crk_param[3].crp_nbits = keylen * 8; 1315 kop.crk_param[3].crp_nbits = keylen * 8;
1001 kop.crk_oparams = 1; 1316 kop.crk_oparams = 1;
1002 1317
@@ -1027,7 +1342,7 @@ static DH_METHOD cryptodev_dh = {
1027 * but I expect we'll want some options soon. 1342 * but I expect we'll want some options soon.
1028 */ 1343 */
1029static int 1344static int
1030cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) 1345cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
1031{ 1346{
1032#ifdef HAVE_SYSLOG_R 1347#ifdef HAVE_SYSLOG_R
1033 struct syslog_data sd = SYSLOG_DATA_INIT; 1348 struct syslog_data sd = SYSLOG_DATA_INIT;
@@ -1063,11 +1378,11 @@ ENGINE_load_cryptodev(void)
1063 * find out what asymmetric crypto algorithms we support 1378 * find out what asymmetric crypto algorithms we support
1064 */ 1379 */
1065 if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) { 1380 if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) {
1066 close(fd); 1381 put_dev_crypto(fd);
1067 ENGINE_free(engine); 1382 ENGINE_free(engine);
1068 return; 1383 return;
1069 } 1384 }
1070 close(fd); 1385 put_dev_crypto(fd);
1071 1386
1072 if (!ENGINE_set_id(engine, "cryptodev") || 1387 if (!ENGINE_set_id(engine, "cryptodev") ||
1073 !ENGINE_set_name(engine, "BSD cryptodev engine") || 1388 !ENGINE_set_name(engine, "BSD cryptodev engine") ||
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-16 08:09:06 +0000