1/* 2 * Copyright (c) 2002 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2002 Theo de Raadt 4 * Copyright (c) 2002 Markus Friedl 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY 17 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY 20 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 * 27 */ 28 29#include <openssl/objects.h> 30#include <openssl/engine.h> 31#include <openssl/evp.h> 32 33#if (defined(__unix__) || defined(unix)) && !defined(USG) 34#include <sys/param.h> 35# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) 36# define HAVE_CRYPTODEV 37# endif 38# if (OpenBSD >= 200110) 39# define HAVE_SYSLOG_R 40# endif 41#endif 42 43#ifndef HAVE_CRYPTODEV 44 45void 46ENGINE_load_cryptodev(void) 47{ 48 /* This is a NOP on platforms without /dev/crypto */ 49 return; 50} 51 52#else 53 54#include <sys/types.h> 55#include <crypto/cryptodev.h> 56#include <sys/ioctl.h> 57#include <errno.h> 58#include <stdio.h> 59#include <unistd.h> 60#include <fcntl.h> 61#include <stdarg.h> 62#include <syslog.h> 63#include <errno.h> 64#include <string.h> 65 66struct dev_crypto_state { 67 struct session_op d_sess; 68 int d_fd; 69}; 70 71static u_int32_t cryptodev_asymfeat = 0; 72 73static int get_asym_dev_crypto(void); 74static int open_dev_crypto(void); 75static int get_dev_crypto(void); 76static int cryptodev_max_iv(int cipher); 77static int cryptodev_key_length_valid(int cipher, int len); 78static int cipher_nid_to_cryptodev(int nid); 79static int get_cryptodev_ciphers(const int **cnids); 80/*static int get_cryptodev_digests(const int **cnids);*/ 81static int cryptodev_usable_ciphers(const int **nids); 82static int cryptodev_usable_digests(const int **nids); 83static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 84 const unsigned char *in, unsigned int inl); 85static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 86 const unsigned char *iv, int enc); 87static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx); 88static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, 89 const int **nids, int nid); 90static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, 91 const int **nids, int nid); 92static int bn2crparam(const BIGNUM *a, struct crparam *crp); 93static int crparam2bn(struct crparam *crp, BIGNUM *a); 94static void zapparams(struct crypt_kop *kop); 95static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, 96 int slen, BIGNUM *s); 97 98static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, 99 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); 100static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, 101 RSA *rsa); 102static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); 103static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, 104 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); 105static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, 106 BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, 107 BN_CTX *ctx, BN_MONT_CTX *mont); 108static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, 109 int dlen, DSA *dsa); 110static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len, 111 DSA_SIG *sig, DSA *dsa); 112static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, 113 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, 114 BN_MONT_CTX *m_ctx); 115static int cryptodev_dh_compute_key(unsigned char *key, 116 const BIGNUM *pub_key, DH *dh); 117static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, 118 void (*f)()); 119void ENGINE_load_cryptodev(void); 120 121static const ENGINE_CMD_DEFN cryptodev_defns[] = { 122 { 0, NULL, NULL, 0 } 123}; 124 125static struct { 126 int id; 127 int nid; 128 int ivmax; 129 int keylen; 130} ciphers[] = { 131 { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, }, 132 { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, }, 133 { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, }, 134 { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, }, 135 { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, }, 136 { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, }, 137 { 0, NID_undef, 0, 0, }, 138}; 139 140#if 0 /* UNUSED */ 141static struct { 142 int id; 143 int nid; 144} digests[] = { 145 { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, }, 146 { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, }, 147 { CRYPTO_MD5_KPDK, NID_undef, }, 148 { CRYPTO_SHA1_KPDK, NID_undef, }, 149 { CRYPTO_MD5, NID_md5, }, 150 { CRYPTO_SHA1, NID_undef, }, 151 { 0, NID_undef, }, 152}; 153#endif 154 155/* 156 * Return a fd if /dev/crypto seems usable, 0 otherwise. 157 */ 158static int 159open_dev_crypto(void) 160{ 161 static int fd = -1; 162 163 if (fd == -1) { 164 if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1) 165 return (-1); 166 /* close on exec */ 167 if (fcntl(fd, F_SETFD, 1) == -1) { 168 close(fd); 169 fd = -1; 170 return (-1); 171 } 172 } 173 return (fd); 174} 175 176static int 177get_dev_crypto(void) 178{ 179 int fd, retfd; 180 181 if ((fd = open_dev_crypto()) == -1) 182 return (-1); 183 if (ioctl(fd, CRIOGET, &retfd) == -1) 184 return (-1); 185 186 /* close on exec */ 187 if (fcntl(retfd, F_SETFD, 1) == -1) { 188 close(retfd); 189 return (-1); 190 } 191 return (retfd); 192} 193 194/* Caching version for asym operations */ 195static int 196get_asym_dev_crypto(void) 197{ 198 static int fd = -1; 199 200 if (fd == -1) 201 fd = get_dev_crypto(); 202 return fd; 203} 204 205/* 206 * XXXX this needs to be set for each alg - and determined from 207 * a running card. 208 */ 209static int 210cryptodev_max_iv(int cipher) 211{ 212 int i; 213 214 for (i = 0; ciphers[i].id; i++) 215 if (ciphers[i].id == cipher) 216 return (ciphers[i].ivmax); 217 return (0); 218} 219 220/* 221 * XXXX this needs to be set for each alg - and determined from 222 * a running card. For now, fake it out - but most of these 223 * for real devices should return 1 for the supported key 224 * sizes the device can handle. 225 */ 226static int 227cryptodev_key_length_valid(int cipher, int len) 228{ 229 int i; 230 231 for (i = 0; ciphers[i].id; i++) 232 if (ciphers[i].id == cipher) 233 return (ciphers[i].keylen == len); 234 return (0); 235} 236 237/* convert libcrypto nids to cryptodev */ 238static int 239cipher_nid_to_cryptodev(int nid) 240{ 241 int i; 242 243 for (i = 0; ciphers[i].id; i++) 244 if (ciphers[i].nid == nid) 245 return (ciphers[i].id); 246 return (0); 247} 248 249/* 250 * Find out what ciphers /dev/crypto will let us have a session for. 251 * XXX note, that some of these openssl doesn't deal with yet! 252 * returning them here is harmless, as long as we return NULL 253 * when asked for a handler in the cryptodev_engine_ciphers routine 254 */ 255static int 256get_cryptodev_ciphers(const int **cnids) 257{ 258 static int nids[CRYPTO_ALGORITHM_MAX]; 259 struct session_op sess; 260 int fd, i, count = 0; 261 262 if ((fd = get_dev_crypto()) < 0) { 263 *cnids = NULL; 264 return (0); 265 } 266 memset(&sess, 0, sizeof(sess)); 267 sess.key = (caddr_t)"123456781234567812345678"; 268 269 for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { 270 if (ciphers[i].nid == NID_undef) 271 continue; 272 sess.cipher = ciphers[i].id; 273 sess.keylen = ciphers[i].keylen; 274 sess.mac = 0; 275 if (ioctl(fd, CIOCGSESSION, &sess) != -1 && 276 ioctl(fd, CIOCFSESSION, &sess.ses) != -1) 277 nids[count++] = ciphers[i].nid; 278 } 279 close(fd); 280 281 if (count > 0) 282 *cnids = nids; 283 else 284 *cnids = NULL; 285 return (count); 286} 287 288/* 289 * Find out what digests /dev/crypto will let us have a session for. 290 * XXX note, that some of these openssl doesn't deal with yet! 291 * returning them here is harmless, as long as we return NULL 292 * when asked for a handler in the cryptodev_engine_digests routine 293 */ 294#if 0 /* UNUSED */ 295static int 296get_cryptodev_digests(const int **cnids) 297{ 298 static int nids[CRYPTO_ALGORITHM_MAX]; 299 struct session_op sess; 300 int fd, i, count = 0; 301 302 if ((fd = get_dev_crypto()) < 0) { 303 *cnids = NULL; 304 return (0); 305 } 306 memset(&sess, 0, sizeof(sess)); 307 for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { 308 if (digests[i].nid == NID_undef) 309 continue; 310 sess.mac = digests[i].id; 311 sess.cipher = 0; 312 if (ioctl(fd, CIOCGSESSION, &sess) != -1 && 313 ioctl(fd, CIOCFSESSION, &sess.ses) != -1) 314 nids[count++] = digests[i].nid; 315 } 316 close(fd); 317 318 if (count > 0) 319 *cnids = nids; 320 else 321 *cnids = NULL; 322 return (count); 323} 324#endif 325 326/* 327 * Find the useable ciphers|digests from dev/crypto - this is the first 328 * thing called by the engine init crud which determines what it 329 * can use for ciphers from this engine. We want to return 330 * only what we can do, anythine else is handled by software. 331 * 332 * If we can't initialize the device to do anything useful for 333 * any reason, we want to return a NULL array, and 0 length, 334 * which forces everything to be done is software. By putting 335 * the initalization of the device in here, we ensure we can 336 * use this engine as the default, and if for whatever reason 337 * /dev/crypto won't do what we want it will just be done in 338 * software 339 * 340 * This can (should) be greatly expanded to perhaps take into 341 * account speed of the device, and what we want to do. 342 * (although the disabling of particular alg's could be controlled 343 * by the device driver with sysctl's.) - this is where we 344 * want most of the decisions made about what we actually want 345 * to use from /dev/crypto. 346 */ 347static int 348cryptodev_usable_ciphers(const int **nids) 349{ 350 return (get_cryptodev_ciphers(nids)); 351} 352 353static int 354cryptodev_usable_digests(const int **nids) 355{ 356 /* 357 * XXXX just disable all digests for now, because it sucks. 358 * we need a better way to decide this - i.e. I may not 359 * want digests on slow cards like hifn on fast machines, 360 * but might want them on slow or loaded machines, etc. 361 * will also want them when using crypto cards that don't 362 * suck moose gonads - would be nice to be able to decide something 363 * as reasonable default without having hackery that's card dependent. 364 * of course, the default should probably be just do everything, 365 * with perhaps a sysctl to turn algoritms off (or have them off 366 * by default) on cards that generally suck like the hifn. 367 */ 368 *nids = NULL; 369 return (0); 370} 371 372static int 373cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 374 const unsigned char *in, unsigned int inl) 375{ 376 struct crypt_op cryp; 377 struct dev_crypto_state *state = ctx->cipher_data; 378 struct session_op *sess = &state->d_sess; 379 void *iiv; 380 unsigned char save_iv[EVP_MAX_IV_LENGTH]; 381 382 if (state->d_fd < 0) 383 return (0); 384 if (!inl) 385 return (1); 386 if ((inl % ctx->cipher->block_size) != 0) 387 return (0); 388 389 memset(&cryp, 0, sizeof(cryp)); 390 391 cryp.ses = sess->ses; 392 cryp.flags = 0; 393 cryp.len = inl; 394 cryp.src = (caddr_t) in; 395 cryp.dst = (caddr_t) out; 396 cryp.mac = 0; 397 398 cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; 399 400 if (ctx->cipher->iv_len) { 401 cryp.iv = (caddr_t) ctx->iv; 402 if (!ctx->encrypt) { 403 iiv = (void *) in + inl - ctx->cipher->iv_len; 404 memcpy(save_iv, iiv, ctx->cipher->iv_len); 405 } 406 } else 407 cryp.iv = NULL; 408 409 if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) { 410 /* XXX need better errror handling 411 * this can fail for a number of different reasons. 412 */ 413 return (0); 414 } 415 416 if (ctx->cipher->iv_len) { 417 if (ctx->encrypt) 418 iiv = (void *) out + inl - ctx->cipher->iv_len; 419 else 420 iiv = save_iv; 421 memcpy(ctx->iv, iiv, ctx->cipher->iv_len); 422 } 423 return (1); 424} 425 426static int 427cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 428 const unsigned char *iv, int enc) 429{ 430 struct dev_crypto_state *state = ctx->cipher_data; 431 struct session_op *sess = &state->d_sess; 432 int cipher; 433 434 if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef) 435 return (0); 436 437 if (ctx->cipher->iv_len > cryptodev_max_iv(cipher)) 438 return (0); 439 440 if (!cryptodev_key_length_valid(cipher, ctx->key_len)) 441 return (0); 442 443 memset(sess, 0, sizeof(struct session_op)); 444 445 if ((state->d_fd = get_dev_crypto()) < 0) 446 return (0); 447 448 sess->key = (unsigned char *)key; 449 sess->keylen = ctx->key_len; 450 sess->cipher = cipher; 451 452 if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { 453 close(state->d_fd); 454 state->d_fd = -1; 455 return (0); 456 } 457 return (1); 458} 459 460/* 461 * free anything we allocated earlier when initting a 462 * session, and close the session. 463 */ 464static int 465cryptodev_cleanup(EVP_CIPHER_CTX *ctx) 466{ 467 int ret = 0; 468 struct dev_crypto_state *state = ctx->cipher_data; 469 struct session_op *sess = &state->d_sess; 470 471 if (state->d_fd < 0) 472 return (0); 473 474 /* XXX if this ioctl fails, someting's wrong. the invoker 475 * may have called us with a bogus ctx, or we could 476 * have a device that for whatever reason just doesn't 477 * want to play ball - it's not clear what's right 478 * here - should this be an error? should it just 479 * increase a counter, hmm. For right now, we return 480 * 0 - I don't believe that to be "right". we could 481 * call the gorpy openssl lib error handlers that 482 * print messages to users of the library. hmm.. 483 */ 484 485 if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) { 486 ret = 0; 487 } else { 488 ret = 1; 489 } 490 close(state->d_fd); 491 state->d_fd = -1; 492 493 return (ret); 494} 495 496/* 497 * libcrypto EVP stuff - this is how we get wired to EVP so the engine 498 * gets called when libcrypto requests a cipher NID. 499 */ 500 501/* DES CBC EVP */ 502const EVP_CIPHER cryptodev_des_cbc = { 503 NID_des_cbc, 504 8, 8, 8, 505 EVP_CIPH_CBC_MODE, 506 cryptodev_init_key, 507 cryptodev_cipher, 508 cryptodev_cleanup, 509 sizeof(struct dev_crypto_state), 510 EVP_CIPHER_set_asn1_iv, 511 EVP_CIPHER_get_asn1_iv, 512 NULL 513}; 514 515/* 3DES CBC EVP */ 516const EVP_CIPHER cryptodev_3des_cbc = { 517 NID_des_ede3_cbc, 518 8, 24, 8, 519 EVP_CIPH_CBC_MODE, 520 cryptodev_init_key, 521 cryptodev_cipher, 522 cryptodev_cleanup, 523 sizeof(struct dev_crypto_state), 524 EVP_CIPHER_set_asn1_iv, 525 EVP_CIPHER_get_asn1_iv, 526 NULL 527}; 528 529const EVP_CIPHER cryptodev_bf_cbc = { 530 NID_bf_cbc, 531 8, 16, 8, 532 EVP_CIPH_CBC_MODE, 533 cryptodev_init_key, 534 cryptodev_cipher, 535 cryptodev_cleanup, 536 sizeof(struct dev_crypto_state), 537 EVP_CIPHER_set_asn1_iv, 538 EVP_CIPHER_get_asn1_iv, 539 NULL 540}; 541 542const EVP_CIPHER cryptodev_cast_cbc = { 543 NID_cast5_cbc, 544 8, 16, 8, 545 EVP_CIPH_CBC_MODE, 546 cryptodev_init_key, 547 cryptodev_cipher, 548 cryptodev_cleanup, 549 sizeof(struct dev_crypto_state), 550 EVP_CIPHER_set_asn1_iv, 551 EVP_CIPHER_get_asn1_iv, 552 NULL 553}; 554 555const EVP_CIPHER cryptodev_aes_cbc = { 556 NID_aes_128_cbc, 557 16, 16, 16, 558 EVP_CIPH_CBC_MODE, 559 cryptodev_init_key, 560 cryptodev_cipher, 561 cryptodev_cleanup, 562 sizeof(struct dev_crypto_state), 563 EVP_CIPHER_set_asn1_iv, 564 EVP_CIPHER_get_asn1_iv, 565 NULL 566}; 567 568/* 569 * Registered by the ENGINE when used to find out how to deal with 570 * a particular NID in the ENGINE. this says what we'll do at the 571 * top level - note, that list is restricted by what we answer with 572 */ 573static int 574cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, 575 const int **nids, int nid) 576{ 577 if (!cipher) 578 return (cryptodev_usable_ciphers(nids)); 579 580 switch (nid) { 581 case NID_des_ede3_cbc: 582 *cipher = &cryptodev_3des_cbc; 583 break; 584 case NID_des_cbc: 585 *cipher = &cryptodev_des_cbc; 586 break; 587 case NID_bf_cbc: 588 *cipher = &cryptodev_bf_cbc; 589 break; 590 case NID_cast5_cbc: 591 *cipher = &cryptodev_cast_cbc; 592 break; 593 case NID_aes_128_cbc: 594 *cipher = &cryptodev_aes_cbc; 595 break; 596 default: 597 *cipher = NULL; 598 break; 599 } 600 return (*cipher != NULL); 601} 602 603static int 604cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, 605 const int **nids, int nid) 606{ 607 if (!digest) 608 return (cryptodev_usable_digests(nids)); 609 610 switch (nid) { 611 case NID_md5: 612 *digest = NULL; /* need to make a clean md5 critter */ 613 break; 614 default: 615 *digest = NULL; 616 break; 617 } 618 return (*digest != NULL); 619} 620 621/* 622 * Convert a BIGNUM to the representation that /dev/crypto needs. 623 * Upon completion of use, the caller is responsible for freeing 624 * crp->crp_p. 625 */ 626static int 627bn2crparam(const BIGNUM *a, struct crparam *crp) 628{ 629 int i, j, k; 630 ssize_t bytes, bits; 631 u_char *b; 632 633 crp->crp_p = NULL; 634 crp->crp_nbits = 0; 635 636 bits = BN_num_bits(a); 637 bytes = (bits + 7) / 8; 638 639 b = malloc(bytes); 640 if (b == NULL) 641 return (1); 642 643 crp->crp_p = b; 644 crp->crp_nbits = bits; 645 646 for (i = 0, j = 0; i < a->top; i++) { 647 for (k = 0; k < BN_BITS2 / 8; k++) { 648 if ((j + k) >= bytes) 649 return (0); 650 b[j + k] = a->d[i] >> (k * 8); 651 } 652 j += BN_BITS2 / 8; 653 } 654 return (0); 655} 656 657/* Convert a /dev/crypto parameter to a BIGNUM */ 658static int 659crparam2bn(struct crparam *crp, BIGNUM *a) 660{ 661 u_int8_t *pd; 662 int i, bytes; 663 664 bytes = (crp->crp_nbits + 7) / 8; 665 666 if (bytes == 0) 667 return (-1); 668 669 if ((pd = (u_int8_t *) malloc(bytes)) == NULL) 670 return (-1); 671 672 for (i = 0; i < bytes; i++) 673 pd[i] = crp->crp_p[bytes - i - 1]; 674 675 BN_bin2bn(pd, bytes, a); 676 free(pd); 677 678 return (0); 679} 680 681static void 682zapparams(struct crypt_kop *kop) 683{ 684 int i; 685 686 for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) { 687 if (kop->crk_param[i].crp_p) 688 free(kop->crk_param[i].crp_p); 689 kop->crk_param[i].crp_p = NULL; 690 kop->crk_param[i].crp_nbits = 0; 691 } 692} 693 694static int 695cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s) 696{ 697 int fd, ret = -1; 698 699 if ((fd = get_asym_dev_crypto()) < 0) 700 return (ret); 701 702 if (r) { 703 kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char)); 704 kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8; 705 kop->crk_oparams++; 706 } 707 if (s) { 708 kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char)); 709 kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8; 710 kop->crk_oparams++; 711 } 712 713 if (ioctl(fd, CIOCKEY, kop) == 0) { 714 if (r) 715 crparam2bn(&kop->crk_param[kop->crk_iparams], r); 716 if (s) 717 crparam2bn(&kop->crk_param[kop->crk_iparams+1], s); 718 ret = 0; 719 } 720 721 return (ret); 722} 723 724static int 725cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 726 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) 727{ 728 struct crypt_kop kop; 729 int ret = 1; 730 731 /* Currently, we know we can do mod exp iff we can do any 732 * asymmetric operations at all. 733 */ 734 if (cryptodev_asymfeat == 0) { 735 ret = BN_mod_exp(r, a, p, m, ctx); 736 return (ret); 737 } 738 739 memset(&kop, 0, sizeof kop); 740 kop.crk_op = CRK_MOD_EXP; 741 742 /* inputs: a^p % m */ 743 if (bn2crparam(a, &kop.crk_param[0])) 744 goto err; 745 if (bn2crparam(p, &kop.crk_param[1])) 746 goto err; 747 if (bn2crparam(m, &kop.crk_param[2])) 748 goto err; 749 kop.crk_iparams = 3; 750 751 if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) { 752 const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); 753 ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont); 754 } 755err: 756 zapparams(&kop); 757 return (ret); 758} 759 760static int 761cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 762{ 763 int r; 764 BN_CTX *ctx; 765 766 ctx = BN_CTX_new(); 767 r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL); 768 BN_CTX_free(ctx); 769 return (r); 770} 771 772static int 773cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 774{ 775 struct crypt_kop kop; 776 int ret = 1; 777 778 if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) { 779 /* XXX 0 means failure?? */ 780 return (0); 781 } 782 783 memset(&kop, 0, sizeof kop); 784 kop.crk_op = CRK_MOD_EXP_CRT; 785 /* inputs: rsa->p rsa->q I rsa->dmp1 rsa->dmq1 rsa->iqmp */ 786 if (bn2crparam(rsa->p, &kop.crk_param[0])) 787 goto err; 788 if (bn2crparam(rsa->q, &kop.crk_param[1])) 789 goto err; 790 if (bn2crparam(I, &kop.crk_param[2])) 791 goto err; 792 if (bn2crparam(rsa->dmp1, &kop.crk_param[3])) 793 goto err; 794 if (bn2crparam(rsa->dmq1, &kop.crk_param[4])) 795 goto err; 796 if (bn2crparam(rsa->iqmp, &kop.crk_param[5])) 797 goto err; 798 kop.crk_iparams = 6; 799 800 if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) { 801 const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); 802 ret = (*meth->rsa_mod_exp)(r0, I, rsa); 803 } 804err: 805 zapparams(&kop); 806 return (ret); 807} 808 809static RSA_METHOD cryptodev_rsa = { 810 "cryptodev RSA method", 811 NULL, /* rsa_pub_enc */ 812 NULL, /* rsa_pub_dec */ 813 NULL, /* rsa_priv_enc */ 814 NULL, /* rsa_priv_dec */ 815 NULL, 816 NULL, 817 NULL, /* init */ 818 NULL, /* finish */ 819 0, /* flags */ 820 NULL, /* app_data */ 821 NULL, /* rsa_sign */ 822 NULL /* rsa_verify */ 823}; 824 825static int 826cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, 827 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) 828{ 829 return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx)); 830} 831 832static int 833cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, 834 BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, 835 BN_CTX *ctx, BN_MONT_CTX *mont) 836{ 837 BIGNUM t2; 838 int ret = 0; 839 840 BN_init(&t2); 841 842 /* v = ( g^u1 * y^u2 mod p ) mod q */ 843 /* let t1 = g ^ u1 mod p */ 844 ret = 0; 845 846 if (!dsa->meth->bn_mod_exp(dsa,t1,dsa->g,u1,dsa->p,ctx,mont)) 847 goto err; 848 849 /* let t2 = y ^ u2 mod p */ 850 if (!dsa->meth->bn_mod_exp(dsa,&t2,dsa->pub_key,u2,dsa->p,ctx,mont)) 851 goto err; 852 /* let u1 = t1 * t2 mod p */ 853 if (!BN_mod_mul(u1,t1,&t2,dsa->p,ctx)) 854 goto err; 855 856 BN_copy(t1,u1); 857 858 ret = 1; 859err: 860 BN_free(&t2); 861 return(ret); 862} 863 864static DSA_SIG * 865cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) 866{ 867 struct crypt_kop kop; 868 BIGNUM *r = NULL, *s = NULL; 869 DSA_SIG *dsaret = NULL; 870 871 if ((r = BN_new()) == NULL) 872 goto err; 873 if ((s = BN_new()) == NULL) { 874 BN_free(r); 875 goto err; 876 } 877 878 memset(&kop, 0, sizeof kop); 879 kop.crk_op = CRK_DSA_SIGN; 880 881 /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */ 882 kop.crk_param[0].crp_p = (caddr_t)dgst; 883 kop.crk_param[0].crp_nbits = dlen * 8; 884 if (bn2crparam(dsa->p, &kop.crk_param[1])) 885 goto err; 886 if (bn2crparam(dsa->q, &kop.crk_param[2])) 887 goto err; 888 if (bn2crparam(dsa->g, &kop.crk_param[3])) 889 goto err; 890 if (bn2crparam(dsa->priv_key, &kop.crk_param[4])) 891 goto err; 892 kop.crk_iparams = 5; 893 894 if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r, 895 BN_num_bytes(dsa->q), s) == 0) { 896 dsaret = DSA_SIG_new(); 897 dsaret->r = r; 898 dsaret->s = s; 899 } else { 900 const DSA_METHOD *meth = DSA_OpenSSL(); 901 BN_free(r); 902 BN_free(s); 903 dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa); 904 } 905err: 906 kop.crk_param[0].crp_p = NULL; 907 zapparams(&kop); 908 return (dsaret); 909} 910 911static int 912cryptodev_dsa_verify(const unsigned char *dgst, int dlen, 913 DSA_SIG *sig, DSA *dsa) 914{ 915 struct crypt_kop kop; 916 int dsaret = 1; 917 918 memset(&kop, 0, sizeof kop); 919 kop.crk_op = CRK_DSA_VERIFY; 920 921 /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */ 922 kop.crk_param[0].crp_p = (caddr_t)dgst; 923 kop.crk_param[0].crp_nbits = dlen * 8; 924 if (bn2crparam(dsa->p, &kop.crk_param[1])) 925 goto err; 926 if (bn2crparam(dsa->q, &kop.crk_param[2])) 927 goto err; 928 if (bn2crparam(dsa->g, &kop.crk_param[3])) 929 goto err; 930 if (bn2crparam(dsa->pub_key, &kop.crk_param[4])) 931 goto err; 932 if (bn2crparam(sig->r, &kop.crk_param[5])) 933 goto err; 934 if (bn2crparam(sig->s, &kop.crk_param[6])) 935 goto err; 936 kop.crk_iparams = 7; 937 938 if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) { 939 dsaret = kop.crk_status; 940 } else { 941 const DSA_METHOD *meth = DSA_OpenSSL(); 942 943 dsaret = (meth->dsa_do_verify)(dgst, dlen, sig, dsa); 944 } 945err: 946 kop.crk_param[0].crp_p = NULL; 947 zapparams(&kop); 948 return (dsaret); 949} 950 951static DSA_METHOD cryptodev_dsa = { 952 "cryptodev DSA method", 953 NULL, 954 NULL, /* dsa_sign_setup */ 955 NULL, 956 NULL, /* dsa_mod_exp */ 957 NULL, 958 NULL, /* init */ 959 NULL, /* finish */ 960 0, /* flags */ 961 NULL /* app_data */ 962}; 963 964static int 965cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, 966 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, 967 BN_MONT_CTX *m_ctx) 968{ 969 return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx)); 970} 971 972static int 973cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) 974{ 975 struct crypt_kop kop; 976 int dhret = 1; 977 int fd, keylen; 978 979 if ((fd = get_asym_dev_crypto()) < 0) { 980 const DH_METHOD *meth = DH_OpenSSL(); 981 982 return ((meth->compute_key)(key, pub_key, dh)); 983 } 984 985 keylen = BN_num_bits(dh->p); 986 987 memset(&kop, 0, sizeof kop); 988 kop.crk_op = CRK_DH_COMPUTE_KEY; 989 990 /* inputs: dh->priv_key pub_key dh->p key */ 991 if (bn2crparam(dh->priv_key, &kop.crk_param[0])) 992 goto err; 993 if (bn2crparam(pub_key, &kop.crk_param[1])) 994 goto err; 995 if (bn2crparam(dh->p, &kop.crk_param[2])) 996 goto err; 997 kop.crk_iparams = 3; 998 999 kop.crk_param[3].crp_p = key; 1000 kop.crk_param[3].crp_nbits = keylen * 8; 1001 kop.crk_oparams = 1; 1002 1003 if (ioctl(fd, CIOCKEY, &kop) == -1) { 1004 const DH_METHOD *meth = DH_OpenSSL(); 1005 1006 dhret = (meth->compute_key)(key, pub_key, dh); 1007 } 1008err: 1009 kop.crk_param[3].crp_p = NULL; 1010 zapparams(&kop); 1011 return (dhret); 1012} 1013 1014static DH_METHOD cryptodev_dh = { 1015 "cryptodev DH method", 1016 NULL, /* cryptodev_dh_generate_key */ 1017 NULL, 1018 NULL, 1019 NULL, 1020 NULL, 1021 0, /* flags */ 1022 NULL /* app_data */ 1023}; 1024 1025/* 1026 * ctrl right now is just a wrapper that doesn't do much 1027 * but I expect we'll want some options soon. 1028 */ 1029static int 1030cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) 1031{ 1032#ifdef HAVE_SYSLOG_R 1033 struct syslog_data sd = SYSLOG_DATA_INIT; 1034#endif 1035 1036 switch (cmd) { 1037 default: 1038#ifdef HAVE_SYSLOG_R 1039 syslog_r(LOG_ERR, &sd, 1040 "cryptodev_ctrl: unknown command %d", cmd); 1041#else 1042 syslog(LOG_ERR, "cryptodev_ctrl: unknown command %d", cmd); 1043#endif 1044 break; 1045 } 1046 return (1); 1047} 1048 1049void 1050ENGINE_load_cryptodev(void) 1051{ 1052 ENGINE *engine = ENGINE_new(); 1053 int fd; 1054 1055 if (engine == NULL) 1056 return; 1057 if ((fd = get_dev_crypto()) < 0) { 1058 ENGINE_free(engine); 1059 return; 1060 } 1061 1062 /* 1063 * find out what asymmetric crypto algorithms we support 1064 */ 1065 if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) { 1066 close(fd); 1067 ENGINE_free(engine); 1068 return; 1069 } 1070 close(fd); 1071 1072 if (!ENGINE_set_id(engine, "cryptodev") || 1073 !ENGINE_set_name(engine, "BSD cryptodev engine") || 1074 !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || 1075 !ENGINE_set_digests(engine, cryptodev_engine_digests) || 1076 !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) || 1077 !ENGINE_set_cmd_defns(engine, cryptodev_defns)) { 1078 ENGINE_free(engine); 1079 return; 1080 } 1081 1082 if (ENGINE_set_RSA(engine, &cryptodev_rsa)) { 1083 const RSA_METHOD *rsa_meth = RSA_PKCS1_SSLeay(); 1084 1085 cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp; 1086 cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp; 1087 cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc; 1088 cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec; 1089 cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc; 1090 cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec; 1091 if (cryptodev_asymfeat & CRF_MOD_EXP) { 1092 cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp; 1093 if (cryptodev_asymfeat & CRF_MOD_EXP_CRT) 1094 cryptodev_rsa.rsa_mod_exp = 1095 cryptodev_rsa_mod_exp; 1096 else 1097 cryptodev_rsa.rsa_mod_exp = 1098 cryptodev_rsa_nocrt_mod_exp; 1099 } 1100 } 1101 1102 if (ENGINE_set_DSA(engine, &cryptodev_dsa)) { 1103 const DSA_METHOD *meth = DSA_OpenSSL(); 1104 1105 memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD)); 1106 if (cryptodev_asymfeat & CRF_DSA_SIGN) 1107 cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign; 1108 if (cryptodev_asymfeat & CRF_MOD_EXP) { 1109 cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp; 1110 cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp; 1111 } 1112 if (cryptodev_asymfeat & CRF_DSA_VERIFY) 1113 cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify; 1114 } 1115 1116 if (ENGINE_set_DH(engine, &cryptodev_dh)){ 1117 const DH_METHOD *dh_meth = DH_OpenSSL(); 1118 1119 cryptodev_dh.generate_key = dh_meth->generate_key; 1120 cryptodev_dh.compute_key = dh_meth->compute_key; 1121 cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp; 1122 if (cryptodev_asymfeat & CRF_MOD_EXP) { 1123 cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh; 1124 if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY) 1125 cryptodev_dh.compute_key = 1126 cryptodev_dh_compute_key; 1127 } 1128 } 1129 1130 ENGINE_add(engine); 1131 ENGINE_free(engine); 1132 ERR_clear_error(); 1133} 1134 1135#endif /* HAVE_CRYPTODEV */ 1136