eng_cryptodev.c 27 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133
  1. /*
  2. * Copyright (c) 2002 Bob Beck <beck@openbsd.org>
  3. * Copyright (c) 2002 Theo de Raadt
  4. * Copyright (c) 2002 Markus Friedl
  5. * All rights reserved.
  6. *
  7. * Redistribution and use in source and binary forms, with or without
  8. * modification, are permitted provided that the following conditions
  9. * are met:
  10. * 1. Redistributions of source code must retain the above copyright
  11. * notice, this list of conditions and the following disclaimer.
  12. * 2. Redistributions in binary form must reproduce the above copyright
  13. * notice, this list of conditions and the following disclaimer in the
  14. * documentation and/or other materials provided with the distribution.
  15. *
  16. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
  17. * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  18. * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  19. * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
  20. * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  21. * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  22. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  23. * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  24. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  25. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  26. *
  27. */
  28. #include <openssl/objects.h>
  29. #include <openssl/engine.h>
  30. #include <openssl/evp.h>
  31. #include <openssl/bn.h>
  32. #if (defined(__unix__) || defined(unix)) && !defined(USG) && \
  33. (defined(OpenBSD) || defined(__FreeBSD_version))
  34. #include <sys/param.h>
  35. # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
  36. # define HAVE_CRYPTODEV
  37. # endif
  38. # if (OpenBSD >= 200110)
  39. # define HAVE_SYSLOG_R
  40. # endif
  41. #endif
  42. #ifndef HAVE_CRYPTODEV
  43. void
  44. ENGINE_load_cryptodev(void)
  45. {
  46. /* This is a NOP on platforms without /dev/crypto */
  47. return;
  48. }
  49. #else
  50. #include <sys/types.h>
  51. #include <crypto/cryptodev.h>
  52. #include <sys/ioctl.h>
  53. #include <errno.h>
  54. #include <stdio.h>
  55. #include <unistd.h>
  56. #include <fcntl.h>
  57. #include <stdarg.h>
  58. #include <syslog.h>
  59. #include <errno.h>
  60. #include <string.h>
  61. struct dev_crypto_state {
  62. struct session_op d_sess;
  63. int d_fd;
  64. };
  65. static u_int32_t cryptodev_asymfeat = 0;
  66. static int get_asym_dev_crypto(void);
  67. static int open_dev_crypto(void);
  68. static int get_dev_crypto(void);
  69. static int cryptodev_max_iv(int cipher);
  70. static int cryptodev_key_length_valid(int cipher, int len);
  71. static int cipher_nid_to_cryptodev(int nid);
  72. static int get_cryptodev_ciphers(const int **cnids);
  73. static int get_cryptodev_digests(const int **cnids);
  74. static int cryptodev_usable_ciphers(const int **nids);
  75. static int cryptodev_usable_digests(const int **nids);
  76. static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  77. const unsigned char *in, unsigned int inl);
  78. static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  79. const unsigned char *iv, int enc);
  80. static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx);
  81. static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
  82. const int **nids, int nid);
  83. static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
  84. const int **nids, int nid);
  85. static int bn2crparam(const BIGNUM *a, struct crparam *crp);
  86. static int crparam2bn(struct crparam *crp, BIGNUM *a);
  87. static void zapparams(struct crypt_kop *kop);
  88. static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r,
  89. int slen, BIGNUM *s);
  90. static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
  91. const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
  92. static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
  93. RSA *rsa);
  94. static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
  95. static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
  96. const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
  97. static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g,
  98. BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p,
  99. BN_CTX *ctx, BN_MONT_CTX *mont);
  100. static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst,
  101. int dlen, DSA *dsa);
  102. static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
  103. DSA_SIG *sig, DSA *dsa);
  104. static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
  105. const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
  106. BN_MONT_CTX *m_ctx);
  107. static int cryptodev_dh_compute_key(unsigned char *key,
  108. const BIGNUM *pub_key, DH *dh);
  109. static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
  110. void (*f)());
  111. void ENGINE_load_cryptodev(void);
  112. static const ENGINE_CMD_DEFN cryptodev_defns[] = {
  113. { 0, NULL, NULL, 0 }
  114. };
  115. static struct {
  116. int id;
  117. int nid;
  118. int ivmax;
  119. int keylen;
  120. } ciphers[] = {
  121. { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, },
  122. { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, },
  123. { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, },
  124. { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, },
  125. { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, },
  126. { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, },
  127. { 0, NID_undef, 0, 0, },
  128. };
  129. static struct {
  130. int id;
  131. int nid;
  132. } digests[] = {
  133. { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, },
  134. { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, },
  135. { CRYPTO_MD5_KPDK, NID_undef, },
  136. { CRYPTO_SHA1_KPDK, NID_undef, },
  137. { CRYPTO_MD5, NID_md5, },
  138. { CRYPTO_SHA1, NID_undef, },
  139. { 0, NID_undef, },
  140. };
  141. /*
  142. * Return a fd if /dev/crypto seems usable, 0 otherwise.
  143. */
  144. static int
  145. open_dev_crypto(void)
  146. {
  147. static int fd = -1;
  148. if (fd == -1) {
  149. if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1)
  150. return (-1);
  151. /* close on exec */
  152. if (fcntl(fd, F_SETFD, 1) == -1) {
  153. close(fd);
  154. fd = -1;
  155. return (-1);
  156. }
  157. }
  158. return (fd);
  159. }
  160. static int
  161. get_dev_crypto(void)
  162. {
  163. int fd, retfd;
  164. if ((fd = open_dev_crypto()) == -1)
  165. return (-1);
  166. if (ioctl(fd, CRIOGET, &retfd) == -1)
  167. return (-1);
  168. /* close on exec */
  169. if (fcntl(retfd, F_SETFD, 1) == -1) {
  170. close(retfd);
  171. return (-1);
  172. }
  173. return (retfd);
  174. }
  175. /* Caching version for asym operations */
  176. static int
  177. get_asym_dev_crypto(void)
  178. {
  179. static int fd = -1;
  180. if (fd == -1)
  181. fd = get_dev_crypto();
  182. return fd;
  183. }
  184. /*
  185. * XXXX this needs to be set for each alg - and determined from
  186. * a running card.
  187. */
  188. static int
  189. cryptodev_max_iv(int cipher)
  190. {
  191. int i;
  192. for (i = 0; ciphers[i].id; i++)
  193. if (ciphers[i].id == cipher)
  194. return (ciphers[i].ivmax);
  195. return (0);
  196. }
  197. /*
  198. * XXXX this needs to be set for each alg - and determined from
  199. * a running card. For now, fake it out - but most of these
  200. * for real devices should return 1 for the supported key
  201. * sizes the device can handle.
  202. */
  203. static int
  204. cryptodev_key_length_valid(int cipher, int len)
  205. {
  206. int i;
  207. for (i = 0; ciphers[i].id; i++)
  208. if (ciphers[i].id == cipher)
  209. return (ciphers[i].keylen == len);
  210. return (0);
  211. }
  212. /* convert libcrypto nids to cryptodev */
  213. static int
  214. cipher_nid_to_cryptodev(int nid)
  215. {
  216. int i;
  217. for (i = 0; ciphers[i].id; i++)
  218. if (ciphers[i].nid == nid)
  219. return (ciphers[i].id);
  220. return (0);
  221. }
  222. /*
  223. * Find out what ciphers /dev/crypto will let us have a session for.
  224. * XXX note, that some of these openssl doesn't deal with yet!
  225. * returning them here is harmless, as long as we return NULL
  226. * when asked for a handler in the cryptodev_engine_ciphers routine
  227. */
  228. static int
  229. get_cryptodev_ciphers(const int **cnids)
  230. {
  231. static int nids[CRYPTO_ALGORITHM_MAX];
  232. struct session_op sess;
  233. int fd, i, count = 0;
  234. if ((fd = get_dev_crypto()) < 0) {
  235. *cnids = NULL;
  236. return (0);
  237. }
  238. memset(&sess, 0, sizeof(sess));
  239. sess.key = (caddr_t)"123456781234567812345678";
  240. for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
  241. if (ciphers[i].nid == NID_undef)
  242. continue;
  243. sess.cipher = ciphers[i].id;
  244. sess.keylen = ciphers[i].keylen;
  245. sess.mac = 0;
  246. if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
  247. ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
  248. nids[count++] = ciphers[i].nid;
  249. }
  250. close(fd);
  251. if (count > 0)
  252. *cnids = nids;
  253. else
  254. *cnids = NULL;
  255. return (count);
  256. }
  257. /*
  258. * Find out what digests /dev/crypto will let us have a session for.
  259. * XXX note, that some of these openssl doesn't deal with yet!
  260. * returning them here is harmless, as long as we return NULL
  261. * when asked for a handler in the cryptodev_engine_digests routine
  262. */
  263. static int
  264. get_cryptodev_digests(const int **cnids)
  265. {
  266. static int nids[CRYPTO_ALGORITHM_MAX];
  267. struct session_op sess;
  268. int fd, i, count = 0;
  269. if ((fd = get_dev_crypto()) < 0) {
  270. *cnids = NULL;
  271. return (0);
  272. }
  273. memset(&sess, 0, sizeof(sess));
  274. for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
  275. if (digests[i].nid == NID_undef)
  276. continue;
  277. sess.mac = digests[i].id;
  278. sess.cipher = 0;
  279. if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
  280. ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
  281. nids[count++] = digests[i].nid;
  282. }
  283. close(fd);
  284. if (count > 0)
  285. *cnids = nids;
  286. else
  287. *cnids = NULL;
  288. return (count);
  289. }
  290. /*
  291. * Find the useable ciphers|digests from dev/crypto - this is the first
  292. * thing called by the engine init crud which determines what it
  293. * can use for ciphers from this engine. We want to return
  294. * only what we can do, anythine else is handled by software.
  295. *
  296. * If we can't initialize the device to do anything useful for
  297. * any reason, we want to return a NULL array, and 0 length,
  298. * which forces everything to be done is software. By putting
  299. * the initalization of the device in here, we ensure we can
  300. * use this engine as the default, and if for whatever reason
  301. * /dev/crypto won't do what we want it will just be done in
  302. * software
  303. *
  304. * This can (should) be greatly expanded to perhaps take into
  305. * account speed of the device, and what we want to do.
  306. * (although the disabling of particular alg's could be controlled
  307. * by the device driver with sysctl's.) - this is where we
  308. * want most of the decisions made about what we actually want
  309. * to use from /dev/crypto.
  310. */
  311. static int
  312. cryptodev_usable_ciphers(const int **nids)
  313. {
  314. return (get_cryptodev_ciphers(nids));
  315. }
  316. static int
  317. cryptodev_usable_digests(const int **nids)
  318. {
  319. /*
  320. * XXXX just disable all digests for now, because it sucks.
  321. * we need a better way to decide this - i.e. I may not
  322. * want digests on slow cards like hifn on fast machines,
  323. * but might want them on slow or loaded machines, etc.
  324. * will also want them when using crypto cards that don't
  325. * suck moose gonads - would be nice to be able to decide something
  326. * as reasonable default without having hackery that's card dependent.
  327. * of course, the default should probably be just do everything,
  328. * with perhaps a sysctl to turn algoritms off (or have them off
  329. * by default) on cards that generally suck like the hifn.
  330. */
  331. *nids = NULL;
  332. return (0);
  333. }
  334. static int
  335. cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  336. const unsigned char *in, unsigned int inl)
  337. {
  338. struct crypt_op cryp;
  339. struct dev_crypto_state *state = ctx->cipher_data;
  340. struct session_op *sess = &state->d_sess;
  341. void *iiv;
  342. unsigned char save_iv[EVP_MAX_IV_LENGTH];
  343. if (state->d_fd < 0)
  344. return (0);
  345. if (!inl)
  346. return (1);
  347. if ((inl % ctx->cipher->block_size) != 0)
  348. return (0);
  349. memset(&cryp, 0, sizeof(cryp));
  350. cryp.ses = sess->ses;
  351. cryp.flags = 0;
  352. cryp.len = inl;
  353. cryp.src = (caddr_t) in;
  354. cryp.dst = (caddr_t) out;
  355. cryp.mac = 0;
  356. cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
  357. if (ctx->cipher->iv_len) {
  358. cryp.iv = (caddr_t) ctx->iv;
  359. if (!ctx->encrypt) {
  360. iiv = (void *) in + inl - ctx->cipher->iv_len;
  361. memcpy(save_iv, iiv, ctx->cipher->iv_len);
  362. }
  363. } else
  364. cryp.iv = NULL;
  365. if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) {
  366. /* XXX need better errror handling
  367. * this can fail for a number of different reasons.
  368. */
  369. return (0);
  370. }
  371. if (ctx->cipher->iv_len) {
  372. if (ctx->encrypt)
  373. iiv = (void *) out + inl - ctx->cipher->iv_len;
  374. else
  375. iiv = save_iv;
  376. memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
  377. }
  378. return (1);
  379. }
  380. static int
  381. cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  382. const unsigned char *iv, int enc)
  383. {
  384. struct dev_crypto_state *state = ctx->cipher_data;
  385. struct session_op *sess = &state->d_sess;
  386. int cipher;
  387. if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef)
  388. return (0);
  389. if (ctx->cipher->iv_len > cryptodev_max_iv(cipher))
  390. return (0);
  391. if (!cryptodev_key_length_valid(cipher, ctx->key_len))
  392. return (0);
  393. memset(sess, 0, sizeof(struct session_op));
  394. if ((state->d_fd = get_dev_crypto()) < 0)
  395. return (0);
  396. sess->key = (unsigned char *)key;
  397. sess->keylen = ctx->key_len;
  398. sess->cipher = cipher;
  399. if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
  400. close(state->d_fd);
  401. state->d_fd = -1;
  402. return (0);
  403. }
  404. return (1);
  405. }
  406. /*
  407. * free anything we allocated earlier when initting a
  408. * session, and close the session.
  409. */
  410. static int
  411. cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
  412. {
  413. int ret = 0;
  414. struct dev_crypto_state *state = ctx->cipher_data;
  415. struct session_op *sess = &state->d_sess;
  416. if (state->d_fd < 0)
  417. return (0);
  418. /* XXX if this ioctl fails, someting's wrong. the invoker
  419. * may have called us with a bogus ctx, or we could
  420. * have a device that for whatever reason just doesn't
  421. * want to play ball - it's not clear what's right
  422. * here - should this be an error? should it just
  423. * increase a counter, hmm. For right now, we return
  424. * 0 - I don't believe that to be "right". we could
  425. * call the gorpy openssl lib error handlers that
  426. * print messages to users of the library. hmm..
  427. */
  428. if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) {
  429. ret = 0;
  430. } else {
  431. ret = 1;
  432. }
  433. close(state->d_fd);
  434. state->d_fd = -1;
  435. return (ret);
  436. }
  437. /*
  438. * libcrypto EVP stuff - this is how we get wired to EVP so the engine
  439. * gets called when libcrypto requests a cipher NID.
  440. */
  441. /* DES CBC EVP */
  442. const EVP_CIPHER cryptodev_des_cbc = {
  443. NID_des_cbc,
  444. 8, 8, 8,
  445. EVP_CIPH_CBC_MODE,
  446. cryptodev_init_key,
  447. cryptodev_cipher,
  448. cryptodev_cleanup,
  449. sizeof(struct dev_crypto_state),
  450. EVP_CIPHER_set_asn1_iv,
  451. EVP_CIPHER_get_asn1_iv,
  452. NULL
  453. };
  454. /* 3DES CBC EVP */
  455. const EVP_CIPHER cryptodev_3des_cbc = {
  456. NID_des_ede3_cbc,
  457. 8, 24, 8,
  458. EVP_CIPH_CBC_MODE,
  459. cryptodev_init_key,
  460. cryptodev_cipher,
  461. cryptodev_cleanup,
  462. sizeof(struct dev_crypto_state),
  463. EVP_CIPHER_set_asn1_iv,
  464. EVP_CIPHER_get_asn1_iv,
  465. NULL
  466. };
  467. const EVP_CIPHER cryptodev_bf_cbc = {
  468. NID_bf_cbc,
  469. 8, 16, 8,
  470. EVP_CIPH_CBC_MODE,
  471. cryptodev_init_key,
  472. cryptodev_cipher,
  473. cryptodev_cleanup,
  474. sizeof(struct dev_crypto_state),
  475. EVP_CIPHER_set_asn1_iv,
  476. EVP_CIPHER_get_asn1_iv,
  477. NULL
  478. };
  479. const EVP_CIPHER cryptodev_cast_cbc = {
  480. NID_cast5_cbc,
  481. 8, 16, 8,
  482. EVP_CIPH_CBC_MODE,
  483. cryptodev_init_key,
  484. cryptodev_cipher,
  485. cryptodev_cleanup,
  486. sizeof(struct dev_crypto_state),
  487. EVP_CIPHER_set_asn1_iv,
  488. EVP_CIPHER_get_asn1_iv,
  489. NULL
  490. };
  491. const EVP_CIPHER cryptodev_aes_cbc = {
  492. NID_aes_128_cbc,
  493. 16, 16, 16,
  494. EVP_CIPH_CBC_MODE,
  495. cryptodev_init_key,
  496. cryptodev_cipher,
  497. cryptodev_cleanup,
  498. sizeof(struct dev_crypto_state),
  499. EVP_CIPHER_set_asn1_iv,
  500. EVP_CIPHER_get_asn1_iv,
  501. NULL
  502. };
  503. /*
  504. * Registered by the ENGINE when used to find out how to deal with
  505. * a particular NID in the ENGINE. this says what we'll do at the
  506. * top level - note, that list is restricted by what we answer with
  507. */
  508. static int
  509. cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
  510. const int **nids, int nid)
  511. {
  512. if (!cipher)
  513. return (cryptodev_usable_ciphers(nids));
  514. switch (nid) {
  515. case NID_des_ede3_cbc:
  516. *cipher = &cryptodev_3des_cbc;
  517. break;
  518. case NID_des_cbc:
  519. *cipher = &cryptodev_des_cbc;
  520. break;
  521. case NID_bf_cbc:
  522. *cipher = &cryptodev_bf_cbc;
  523. break;
  524. case NID_cast5_cbc:
  525. *cipher = &cryptodev_cast_cbc;
  526. break;
  527. case NID_aes_128_cbc:
  528. *cipher = &cryptodev_aes_cbc;
  529. break;
  530. default:
  531. *cipher = NULL;
  532. break;
  533. }
  534. return (*cipher != NULL);
  535. }
  536. static int
  537. cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
  538. const int **nids, int nid)
  539. {
  540. if (!digest)
  541. return (cryptodev_usable_digests(nids));
  542. switch (nid) {
  543. case NID_md5:
  544. *digest = NULL; /* need to make a clean md5 critter */
  545. break;
  546. default:
  547. *digest = NULL;
  548. break;
  549. }
  550. return (*digest != NULL);
  551. }
  552. /*
  553. * Convert a BIGNUM to the representation that /dev/crypto needs.
  554. * Upon completion of use, the caller is responsible for freeing
  555. * crp->crp_p.
  556. */
  557. static int
  558. bn2crparam(const BIGNUM *a, struct crparam *crp)
  559. {
  560. int i, j, k;
  561. ssize_t words, bytes, bits;
  562. u_char *b;
  563. crp->crp_p = NULL;
  564. crp->crp_nbits = 0;
  565. bits = BN_num_bits(a);
  566. bytes = (bits + 7) / 8;
  567. b = malloc(bytes);
  568. if (b == NULL)
  569. return (1);
  570. crp->crp_p = b;
  571. crp->crp_nbits = bits;
  572. for (i = 0, j = 0; i < a->top; i++) {
  573. for (k = 0; k < BN_BITS2 / 8; k++) {
  574. if ((j + k) >= bytes)
  575. return (0);
  576. b[j + k] = a->d[i] >> (k * 8);
  577. }
  578. j += BN_BITS2 / 8;
  579. }
  580. return (0);
  581. }
  582. /* Convert a /dev/crypto parameter to a BIGNUM */
  583. static int
  584. crparam2bn(struct crparam *crp, BIGNUM *a)
  585. {
  586. u_int8_t *pd;
  587. int i, bytes;
  588. bytes = (crp->crp_nbits + 7) / 8;
  589. if (bytes == 0)
  590. return (-1);
  591. if ((pd = (u_int8_t *) malloc(bytes)) == NULL)
  592. return (-1);
  593. for (i = 0; i < bytes; i++)
  594. pd[i] = crp->crp_p[bytes - i - 1];
  595. BN_bin2bn(pd, bytes, a);
  596. free(pd);
  597. return (0);
  598. }
  599. static void
  600. zapparams(struct crypt_kop *kop)
  601. {
  602. int i;
  603. for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) {
  604. if (kop->crk_param[i].crp_p)
  605. free(kop->crk_param[i].crp_p);
  606. kop->crk_param[i].crp_p = NULL;
  607. kop->crk_param[i].crp_nbits = 0;
  608. }
  609. }
  610. static int
  611. cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s)
  612. {
  613. int fd, ret = -1;
  614. if ((fd = get_asym_dev_crypto()) < 0)
  615. return (ret);
  616. if (r) {
  617. kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char));
  618. kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8;
  619. kop->crk_oparams++;
  620. }
  621. if (s) {
  622. kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char));
  623. kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8;
  624. kop->crk_oparams++;
  625. }
  626. if (ioctl(fd, CIOCKEY, kop) == 0) {
  627. if (r)
  628. crparam2bn(&kop->crk_param[kop->crk_iparams], r);
  629. if (s)
  630. crparam2bn(&kop->crk_param[kop->crk_iparams+1], s);
  631. ret = 0;
  632. }
  633. return (ret);
  634. }
  635. static int
  636. cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
  637. const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
  638. {
  639. struct crypt_kop kop;
  640. int ret = 1;
  641. /* Currently, we know we can do mod exp iff we can do any
  642. * asymmetric operations at all.
  643. */
  644. if (cryptodev_asymfeat == 0) {
  645. ret = BN_mod_exp(r, a, p, m, ctx);
  646. return (ret);
  647. }
  648. memset(&kop, 0, sizeof kop);
  649. kop.crk_op = CRK_MOD_EXP;
  650. /* inputs: a^p % m */
  651. if (bn2crparam(a, &kop.crk_param[0]))
  652. goto err;
  653. if (bn2crparam(p, &kop.crk_param[1]))
  654. goto err;
  655. if (bn2crparam(m, &kop.crk_param[2]))
  656. goto err;
  657. kop.crk_iparams = 3;
  658. if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
  659. const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
  660. ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
  661. }
  662. err:
  663. zapparams(&kop);
  664. return (ret);
  665. }
  666. static int
  667. cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
  668. {
  669. int r;
  670. BN_CTX *ctx;
  671. ctx = BN_CTX_new();
  672. r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
  673. BN_CTX_free(ctx);
  674. return (r);
  675. }
  676. static int
  677. cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
  678. {
  679. struct crypt_kop kop;
  680. int ret = 1;
  681. if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) {
  682. /* XXX 0 means failure?? */
  683. return (0);
  684. }
  685. memset(&kop, 0, sizeof kop);
  686. kop.crk_op = CRK_MOD_EXP_CRT;
  687. /* inputs: rsa->p rsa->q I rsa->dmp1 rsa->dmq1 rsa->iqmp */
  688. if (bn2crparam(rsa->p, &kop.crk_param[0]))
  689. goto err;
  690. if (bn2crparam(rsa->q, &kop.crk_param[1]))
  691. goto err;
  692. if (bn2crparam(I, &kop.crk_param[2]))
  693. goto err;
  694. if (bn2crparam(rsa->dmp1, &kop.crk_param[3]))
  695. goto err;
  696. if (bn2crparam(rsa->dmq1, &kop.crk_param[4]))
  697. goto err;
  698. if (bn2crparam(rsa->iqmp, &kop.crk_param[5]))
  699. goto err;
  700. kop.crk_iparams = 6;
  701. if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
  702. const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
  703. ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
  704. }
  705. err:
  706. zapparams(&kop);
  707. return (ret);
  708. }
  709. static RSA_METHOD cryptodev_rsa = {
  710. "cryptodev RSA method",
  711. NULL, /* rsa_pub_enc */
  712. NULL, /* rsa_pub_dec */
  713. NULL, /* rsa_priv_enc */
  714. NULL, /* rsa_priv_dec */
  715. NULL,
  716. NULL,
  717. NULL, /* init */
  718. NULL, /* finish */
  719. 0, /* flags */
  720. NULL, /* app_data */
  721. NULL, /* rsa_sign */
  722. NULL /* rsa_verify */
  723. };
  724. static int
  725. cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
  726. const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
  727. {
  728. return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx));
  729. }
  730. static int
  731. cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g,
  732. BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p,
  733. BN_CTX *ctx, BN_MONT_CTX *mont)
  734. {
  735. BIGNUM t2;
  736. int ret = 0;
  737. BN_init(&t2);
  738. /* v = ( g^u1 * y^u2 mod p ) mod q */
  739. /* let t1 = g ^ u1 mod p */
  740. ret = 0;
  741. if (!dsa->meth->bn_mod_exp(dsa,t1,dsa->g,u1,dsa->p,ctx,mont))
  742. goto err;
  743. /* let t2 = y ^ u2 mod p */
  744. if (!dsa->meth->bn_mod_exp(dsa,&t2,dsa->pub_key,u2,dsa->p,ctx,mont))
  745. goto err;
  746. /* let u1 = t1 * t2 mod p */
  747. if (!BN_mod_mul(u1,t1,&t2,dsa->p,ctx))
  748. goto err;
  749. BN_copy(t1,u1);
  750. ret = 1;
  751. err:
  752. BN_free(&t2);
  753. return(ret);
  754. }
  755. static DSA_SIG *
  756. cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
  757. {
  758. struct crypt_kop kop;
  759. BIGNUM *r = NULL, *s = NULL;
  760. DSA_SIG *dsaret = NULL;
  761. if ((r = BN_new()) == NULL)
  762. goto err;
  763. if ((s = BN_new()) == NULL) {
  764. BN_free(r);
  765. goto err;
  766. }
  767. memset(&kop, 0, sizeof kop);
  768. kop.crk_op = CRK_DSA_SIGN;
  769. /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */
  770. kop.crk_param[0].crp_p = (caddr_t)dgst;
  771. kop.crk_param[0].crp_nbits = dlen * 8;
  772. if (bn2crparam(dsa->p, &kop.crk_param[1]))
  773. goto err;
  774. if (bn2crparam(dsa->q, &kop.crk_param[2]))
  775. goto err;
  776. if (bn2crparam(dsa->g, &kop.crk_param[3]))
  777. goto err;
  778. if (bn2crparam(dsa->priv_key, &kop.crk_param[4]))
  779. goto err;
  780. kop.crk_iparams = 5;
  781. if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r,
  782. BN_num_bytes(dsa->q), s) == 0) {
  783. dsaret = DSA_SIG_new();
  784. dsaret->r = r;
  785. dsaret->s = s;
  786. } else {
  787. const DSA_METHOD *meth = DSA_OpenSSL();
  788. BN_free(r);
  789. BN_free(s);
  790. dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa);
  791. }
  792. err:
  793. kop.crk_param[0].crp_p = NULL;
  794. zapparams(&kop);
  795. return (dsaret);
  796. }
  797. static int
  798. cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
  799. DSA_SIG *sig, DSA *dsa)
  800. {
  801. struct crypt_kop kop;
  802. int dsaret = 1;
  803. memset(&kop, 0, sizeof kop);
  804. kop.crk_op = CRK_DSA_VERIFY;
  805. /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */
  806. kop.crk_param[0].crp_p = (caddr_t)dgst;
  807. kop.crk_param[0].crp_nbits = dlen * 8;
  808. if (bn2crparam(dsa->p, &kop.crk_param[1]))
  809. goto err;
  810. if (bn2crparam(dsa->q, &kop.crk_param[2]))
  811. goto err;
  812. if (bn2crparam(dsa->g, &kop.crk_param[3]))
  813. goto err;
  814. if (bn2crparam(dsa->pub_key, &kop.crk_param[4]))
  815. goto err;
  816. if (bn2crparam(sig->r, &kop.crk_param[5]))
  817. goto err;
  818. if (bn2crparam(sig->s, &kop.crk_param[6]))
  819. goto err;
  820. kop.crk_iparams = 7;
  821. if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
  822. dsaret = kop.crk_status;
  823. } else {
  824. const DSA_METHOD *meth = DSA_OpenSSL();
  825. dsaret = (meth->dsa_do_verify)(dgst, dlen, sig, dsa);
  826. }
  827. err:
  828. kop.crk_param[0].crp_p = NULL;
  829. zapparams(&kop);
  830. return (dsaret);
  831. }
  832. static DSA_METHOD cryptodev_dsa = {
  833. "cryptodev DSA method",
  834. NULL,
  835. NULL, /* dsa_sign_setup */
  836. NULL,
  837. NULL, /* dsa_mod_exp */
  838. NULL,
  839. NULL, /* init */
  840. NULL, /* finish */
  841. 0, /* flags */
  842. NULL /* app_data */
  843. };
  844. static int
  845. cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
  846. const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
  847. BN_MONT_CTX *m_ctx)
  848. {
  849. return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx));
  850. }
  851. static int
  852. cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
  853. {
  854. struct crypt_kop kop;
  855. int dhret = 1;
  856. int fd, keylen;
  857. if ((fd = get_asym_dev_crypto()) < 0) {
  858. const DH_METHOD *meth = DH_OpenSSL();
  859. return ((meth->compute_key)(key, pub_key, dh));
  860. }
  861. keylen = BN_num_bits(dh->p);
  862. memset(&kop, 0, sizeof kop);
  863. kop.crk_op = CRK_DH_COMPUTE_KEY;
  864. /* inputs: dh->priv_key pub_key dh->p key */
  865. if (bn2crparam(dh->priv_key, &kop.crk_param[0]))
  866. goto err;
  867. if (bn2crparam(pub_key, &kop.crk_param[1]))
  868. goto err;
  869. if (bn2crparam(dh->p, &kop.crk_param[2]))
  870. goto err;
  871. kop.crk_iparams = 3;
  872. kop.crk_param[3].crp_p = key;
  873. kop.crk_param[3].crp_nbits = keylen * 8;
  874. kop.crk_oparams = 1;
  875. if (ioctl(fd, CIOCKEY, &kop) == -1) {
  876. const DH_METHOD *meth = DH_OpenSSL();
  877. dhret = (meth->compute_key)(key, pub_key, dh);
  878. }
  879. err:
  880. kop.crk_param[3].crp_p = NULL;
  881. zapparams(&kop);
  882. return (dhret);
  883. }
  884. static DH_METHOD cryptodev_dh = {
  885. "cryptodev DH method",
  886. NULL, /* cryptodev_dh_generate_key */
  887. NULL,
  888. NULL,
  889. NULL,
  890. NULL,
  891. 0, /* flags */
  892. NULL /* app_data */
  893. };
  894. /*
  895. * ctrl right now is just a wrapper that doesn't do much
  896. * but I expect we'll want some options soon.
  897. */
  898. static int
  899. cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
  900. {
  901. #ifdef HAVE_SYSLOG_R
  902. struct syslog_data sd = SYSLOG_DATA_INIT;
  903. #endif
  904. switch (cmd) {
  905. default:
  906. #ifdef HAVE_SYSLOG_R
  907. syslog_r(LOG_ERR, &sd,
  908. "cryptodev_ctrl: unknown command %d", cmd);
  909. #else
  910. syslog(LOG_ERR, "cryptodev_ctrl: unknown command %d", cmd);
  911. #endif
  912. break;
  913. }
  914. return (1);
  915. }
  916. void
  917. ENGINE_load_cryptodev(void)
  918. {
  919. ENGINE *engine = ENGINE_new();
  920. int fd;
  921. if (engine == NULL)
  922. return;
  923. if ((fd = get_dev_crypto()) < 0) {
  924. ENGINE_free(engine);
  925. return;
  926. }
  927. /*
  928. * find out what asymmetric crypto algorithms we support
  929. */
  930. if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) {
  931. close(fd);
  932. ENGINE_free(engine);
  933. return;
  934. }
  935. close(fd);
  936. if (!ENGINE_set_id(engine, "cryptodev") ||
  937. !ENGINE_set_name(engine, "BSD cryptodev engine") ||
  938. !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
  939. !ENGINE_set_digests(engine, cryptodev_engine_digests) ||
  940. !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
  941. !ENGINE_set_cmd_defns(engine, cryptodev_defns)) {
  942. ENGINE_free(engine);
  943. return;
  944. }
  945. if (ENGINE_set_RSA(engine, &cryptodev_rsa)) {
  946. const RSA_METHOD *rsa_meth = RSA_PKCS1_SSLeay();
  947. cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp;
  948. cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp;
  949. cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc;
  950. cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec;
  951. cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc;
  952. cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec;
  953. if (cryptodev_asymfeat & CRF_MOD_EXP) {
  954. cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp;
  955. if (cryptodev_asymfeat & CRF_MOD_EXP_CRT)
  956. cryptodev_rsa.rsa_mod_exp =
  957. cryptodev_rsa_mod_exp;
  958. else
  959. cryptodev_rsa.rsa_mod_exp =
  960. cryptodev_rsa_nocrt_mod_exp;
  961. }
  962. }
  963. if (ENGINE_set_DSA(engine, &cryptodev_dsa)) {
  964. const DSA_METHOD *meth = DSA_OpenSSL();
  965. memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD));
  966. if (cryptodev_asymfeat & CRF_DSA_SIGN)
  967. cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign;
  968. if (cryptodev_asymfeat & CRF_MOD_EXP) {
  969. cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp;
  970. cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp;
  971. }
  972. if (cryptodev_asymfeat & CRF_DSA_VERIFY)
  973. cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify;
  974. }
  975. if (ENGINE_set_DH(engine, &cryptodev_dh)){
  976. const DH_METHOD *dh_meth = DH_OpenSSL();
  977. cryptodev_dh.generate_key = dh_meth->generate_key;
  978. cryptodev_dh.compute_key = dh_meth->compute_key;
  979. cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp;
  980. if (cryptodev_asymfeat & CRF_MOD_EXP) {
  981. cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh;
  982. if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY)
  983. cryptodev_dh.compute_key =
  984. cryptodev_dh_compute_key;
  985. }
  986. }
  987. ENGINE_add(engine);
  988. ENGINE_free(engine);
  989. ERR_clear_error();
  990. }
  991. #endif /* HAVE_CRYPTODEV */