upstream/oracle/userland-gate: comparison components/openssl/openssl-1.0.0/engines/devcrypto/e

equal deleted inserted replaced

-:65a016eaa866
+:227137d9fbce
-/*
-* CDDL HEADER START
-*
-* The contents of this file are subject to the terms of the
-* Common Development and Distribution License (the "License").
-* You may not use this file except in compliance with the License.
-*
-* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-* or http://www.opensolaris.org/os/licensing.
-* See the License for the specific language governing permissions
-* and limitations under the License.
-*
-* When distributing Covered Code, include this CDDL HEADER in each
-* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-* If applicable, add the following below this CDDL HEADER, with the
-* fields enclosed by brackets "[]" replaced with your own identifying
-* information: Portions Copyright [yyyy] [name of copyright owner]
-*
-* CDDL HEADER END
-*
-* Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
-*/
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <string.h>
-#include <fcntl.h>
-#include <pthread.h>
-#include <errno.h>
-#include <cryptoutil.h>
-#include <sys/crypto/ioctl.h>
-#include <sys/crypto/api.h>
-#include <openssl/bio.h>
-#include <openssl/aes.h>
-#include <openssl/engine.h>
-#include <security/cryptoki.h>
-#define	DEVCRYPTO_LIB_NAME "devcrypto engine"
-#include "e_devcrypto_err.c"
-/* DEVCRYPTO CONTEXT */
-typedef struct devcrypto_ctx {
-	uint_t session_id;
-} devcrypto_ctx_t;
-/* Index for the supported ciphers */
-typedef enum {
-	DEV_DES_CBC,
-	DEV_DES3_CBC,
-	DEV_DES_ECB,
-	DEV_DES3_ECB,
-	DEV_RC4,
-	DEV_AES_128_CBC,
-	DEV_AES_192_CBC,
-	DEV_AES_256_CBC,
-	DEV_AES_128_ECB,
-	DEV_AES_192_ECB,
-	DEV_AES_256_ECB,
-	DEV_BLOWFISH_CBC,
-	DEV_AES_128_CTR,
-	DEV_AES_192_CTR,
-	DEV_AES_256_CTR,
-	DEV_CIPHER_MAX
-} DEV_CIPHER_ID;
-typedef struct devcrypto_cipher {
-	DEV_CIPHER_ID		id;
-	int			nid;
-	int			iv_len;
-	int			min_key_len;
-	int			max_key_len;
-	CK_KEY_TYPE		key_type;
-	CK_MECHANISM_TYPE	mech_type;
-	unsigned long		flags;
-	crypto_mech_type_t	pn_internal_number;
-} devcrypto_cipher_t;
-/* Constants used when creating the ENGINE */
-static const char *ENGINE_DEVCRYPTO_ID = "devcrypto";
-static const char *ENGINE_DEVCRYPTO_NAME = "/dev/crypto engine support";
-static const char *CRYPTO_DEVICE = "/dev/crypto";
-/* static variables */
-static int kernel_fd = -1;
-static int kernel_fd_ref = 0;
-static int slot_count = 0;
-static CK_SLOT_ID *kernel_provider_id = NULL;
-static int cipher_count = 0;
-static int *cipher_nids = NULL;
-pthread_mutex_t *kernel_fd_lock;
-/*
-* NIDs for AES counter mode. They will be defined during the engine
-* initialization.
-*/
-static int NID_aes_128_ctr = NID_undef;
-static int NID_aes_192_ctr = NID_undef;
-static int NID_aes_256_ctr = NID_undef;
-/*
-* Cipher Table for all supported symmetric ciphers.
-*/
-static devcrypto_cipher_t cipher_table[] = {
-	/* id,			nid,		iv_len, min_, max_key_len, */
-		/* key_type,	mech_type, flags, pn_internal_number */
-	{ DEV_DES_CBC,		NID_des_cbc,		8,	 8,   8,
-		CKK_DES,	CKM_DES_CBC, 0, CRYPTO_MECH_INVALID},
-	{ DEV_DES3_CBC,		NID_des_ede3_cbc,	8,	24,  24,
-		CKK_DES3,	CKM_DES3_CBC, 0, CRYPTO_MECH_INVALID},
-	{ DEV_DES_ECB,		NID_des_ecb,		0,	 8,   8,
-		CKK_DES,	CKM_DES_ECB, 0, CRYPTO_MECH_INVALID},
-	{ DEV_DES3_ECB,		NID_des_ede3_ecb,	0,	24,  24,
-		CKK_DES3,	CKM_DES3_ECB, 0, CRYPTO_MECH_INVALID},
-	{ DEV_RC4,		NID_rc4,		0,	16, 256,
-		CKK_RC4,	CKM_RC4, 0, CRYPTO_MECH_INVALID},
-	{ DEV_AES_128_CBC,	NID_aes_128_cbc,	16,	16,  16,
-		CKK_AES,	CKM_AES_CBC, 0, CRYPTO_MECH_INVALID},
-	{ DEV_AES_192_CBC,	NID_aes_192_cbc,	16,	24,  24,
-		CKK_AES,	CKM_AES_CBC, 0, CRYPTO_MECH_INVALID},
-	{ DEV_AES_256_CBC,	NID_aes_256_cbc,	16,	32,  32,
-		CKK_AES,	CKM_AES_CBC, 0, CRYPTO_MECH_INVALID},
-	{ DEV_AES_128_ECB,	NID_aes_128_ecb,	0,	16,  16,
-		CKK_AES,	CKM_AES_ECB, 0, CRYPTO_MECH_INVALID},
-	{ DEV_AES_192_ECB,	NID_aes_192_ecb,	0,	24,  24,
-		CKK_AES,	CKM_AES_ECB, 0, CRYPTO_MECH_INVALID},
-	{ DEV_AES_256_ECB,	NID_aes_256_ecb,	0,	32,  32,
-		CKK_AES,	CKM_AES_ECB, 0, CRYPTO_MECH_INVALID},
-	{ DEV_BLOWFISH_CBC,	NID_bf_cbc,		8,	16,  16,
-		CKK_BLOWFISH,	CKM_BLOWFISH_CBC, 0, CRYPTO_MECH_INVALID},
-	/*
-	 * For the following 3 AES counter mode entries, we don't know the
-	 * NIDs until the engine is initialized
-	 */
-	{ DEV_AES_128_CTR,	NID_undef,		16,	16,  16,
-		CKK_AES,	CKM_AES_CTR, EVP_CIPH_NO_PADDING,
-		CRYPTO_MECH_INVALID},
-	{ DEV_AES_192_CTR,	NID_undef,		16,	24,  24,
-		CKK_AES,	CKM_AES_CTR, EVP_CIPH_NO_PADDING,
-		CRYPTO_MECH_INVALID},
-	{ DEV_AES_256_CTR,	NID_undef,		16,	32,  32,
-		CKK_AES,	CKM_AES_CTR, EVP_CIPH_NO_PADDING,
-		CRYPTO_MECH_INVALID},
-	};
-/* Formal declaration for functions in EVP_CIPHER structure */
-static int devcrypto_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-const unsigned char *iv, int enc);
-static int devcrypto_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-const unsigned char *in, size_t inl);
-static int devcrypto_cipher_cleanup(EVP_CIPHER_CTX *ctx);
-/*
-* Cipher Algorithms
-*
-* OpenSSL's libcrypto EVP stuff. This is how this engine gets wired to EVP.
-* EVP_CIPHER is defined in evp.h.  To maintain binary compatibility the
-* definition cannot be modified.
-* Stuff specific to the devcrypto engine is kept in devcrypto_ctx_t, which is
-* pointed to by cipher_data or md_data.
-*
-* Fields: nid, block_size, key_len, iv_len, flags,
-*	init(), do_cipher(), cleanup(),
-*	ctx_size,
-*	set_asn1_parameters(), get_asn1_parameters(), ctrl(), app_data
-*/
-static const EVP_CIPHER dev_des_cbc = {
-	NID_des_cbc,
-	8, 8, 8,
-	EVP_CIPH_CBC_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	EVP_CIPHER_set_asn1_iv,
-	EVP_CIPHER_get_asn1_iv,
-	NULL
-};
-static const EVP_CIPHER dev_3des_cbc = {
-	NID_des_ede3_cbc,
-	8, 24, 8,
-	EVP_CIPH_CBC_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	EVP_CIPHER_set_asn1_iv,
-	EVP_CIPHER_get_asn1_iv,
-	NULL
-};
-/*
-* ECB modes don't use an Initial Vector, therefore set_asn1_parameters and
-* get_asn1_parameters fields are set to NULL.
-*/
-static const EVP_CIPHER dev_des_ecb = {
-	NID_des_ecb,
-	8, 8, 8,
-	EVP_CIPH_ECB_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	NULL,
-	NULL,
-	NULL
-};
-static const EVP_CIPHER dev_3des_ecb = {
-	NID_des_ede3_ecb,
-	8, 24, 8,
-	EVP_CIPH_ECB_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	NULL,
-	NULL,
-	NULL
-};
-static const EVP_CIPHER dev_rc4 = {
-	NID_rc4,
-	1, 16, 0,
-	EVP_CIPH_VARIABLE_LENGTH,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	NULL,
-	NULL,
-	NULL
-};
-static const EVP_CIPHER dev_aes_128_cbc = {
-	NID_aes_128_cbc,
-	16, 16, 16,
-	EVP_CIPH_CBC_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	EVP_CIPHER_set_asn1_iv,
-	EVP_CIPHER_get_asn1_iv,
-	NULL
-};
-static const EVP_CIPHER dev_aes_192_cbc = {
-	NID_aes_192_cbc,
-	16, 24, 16,
-	EVP_CIPH_CBC_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	EVP_CIPHER_set_asn1_iv,
-	EVP_CIPHER_get_asn1_iv,
-	NULL
-};
-static const EVP_CIPHER dev_aes_256_cbc = {
-	NID_aes_256_cbc,
-	16, 32, 16,
-	EVP_CIPH_CBC_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	EVP_CIPHER_set_asn1_iv,
-	EVP_CIPHER_get_asn1_iv,
-	NULL
-};
-/*
-* ECB modes don't use IV, therefore set_asn1_parameters and
-* get_asn1_parameters are set to NULL.
-*/
-static const EVP_CIPHER dev_aes_128_ecb = {
-	NID_aes_128_ecb,
-	16, 16, 0,
-	EVP_CIPH_ECB_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	NULL,
-	NULL,
-	NULL
-};
-static const EVP_CIPHER dev_aes_192_ecb = {
-	NID_aes_192_ecb,
-	16, 24, 0,
-	EVP_CIPH_ECB_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	NULL,
-	NULL,
-	NULL
-};
-static const EVP_CIPHER dev_aes_256_ecb = {
-	NID_aes_256_ecb,
-	16, 32, 0,
-	EVP_CIPH_ECB_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	NULL,
-	NULL,
-	NULL
-};
-static const EVP_CIPHER dev_bf_cbc = {
-	NID_bf_cbc,
-	8, 16, 8,
-	EVP_CIPH_VARIABLE_LENGTH,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	EVP_CIPHER_set_asn1_iv,
-	EVP_CIPHER_get_asn1_iv,
-	NULL
-};
-/*
-* NID_undef's will be changed for AES counter mode, as soon they are created.
-*/
-static EVP_CIPHER dev_aes_128_ctr = {
-	NID_undef,
-	16, 16, 16,
-	EVP_CIPH_CBC_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	EVP_CIPHER_set_asn1_iv,
-	EVP_CIPHER_get_asn1_iv,
-	NULL
-};
-static EVP_CIPHER dev_aes_192_ctr = {
-	NID_undef,
-	16, 24, 16,
-	EVP_CIPH_CBC_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	EVP_CIPHER_set_asn1_iv,
-	EVP_CIPHER_get_asn1_iv,
-	NULL
-};
-static EVP_CIPHER dev_aes_256_ctr = {
-	NID_undef,
-	16, 32, 16,
-	EVP_CIPH_CBC_MODE,
-	devcrypto_cipher_init,
-	devcrypto_cipher_do_cipher,
-	devcrypto_cipher_cleanup,
-	sizeof (devcrypto_ctx_t),
-	EVP_CIPHER_set_asn1_iv,
-	EVP_CIPHER_get_asn1_iv,
-	NULL
-};
-/*
-* This function creates a new NID.
-*/
-static int
-devcrypto_add_NID(char *sn, char *ln)
-{
-	ASN1_OBJECT *o;
-	int nid;
-	if ((o = ASN1_OBJECT_create(OBJ_new_nid(1), (unsigned char *)"",
-	    1, sn, ln)) == NULL) {
-		return (0);
-	}
-	nid = OBJ_add_object(o); /* will return NID_undef on error */
-	ASN1_OBJECT_free(o);
-	return (nid);
-}
-/*
-* This function creates new NIDs for AES counter mode algorithms.
-* Note that OpenSSL doesn't support them now so we have to help
-* ourselves here.
-*/
-static int
-devcrypto_add_aes_ctr_NIDs(void)
-{
-	if (NID_aes_256_ctr != NID_undef) /* already set */
-		return (1);
-	NID_aes_128_ctr = devcrypto_add_NID("AES-128-CTR", "aes-128-ctr");
-	if (NID_aes_128_ctr == NID_undef)
-		goto failed;
-	cipher_table[DEV_AES_128_CTR].nid =
-	    dev_aes_128_ctr.nid = NID_aes_128_ctr;
-	NID_aes_192_ctr = devcrypto_add_NID("AES-192-CTR", "aes-192-ctr");
-	if (NID_aes_192_ctr == NID_undef)
-		goto failed;
-	cipher_table[DEV_AES_192_CTR].nid =
-	    dev_aes_192_ctr.nid = NID_aes_192_ctr;
-	NID_aes_256_ctr = devcrypto_add_NID("AES-256-CTR", "aes-256-ctr");
-	if (NID_aes_256_ctr == NID_undef)
-		goto failed;
-	cipher_table[DEV_AES_256_CTR].nid =
-	    dev_aes_256_ctr.nid = NID_aes_256_ctr;
-	return (1);
-failed:
-	return (0);
-}
-static void
-devcrypto_free_aes_ctr_NIDs(void)
-{
-	ASN1_OBJECT *ob = NULL;
-	if (NID_aes_128_ctr != NID_undef) {
-		ob = OBJ_nid2obj(NID_aes_128_ctr);
-		if (ob != NULL)
-			ASN1_OBJECT_free(ob);
-	}
-	if (NID_aes_192_ctr != NID_undef) {
-		ob = OBJ_nid2obj(NID_aes_192_ctr);
-		if (ob != NULL)
-			ASN1_OBJECT_free(ob);
-	}
-	if (NID_aes_256_ctr != NID_undef) {
-		ob = OBJ_nid2obj(NID_aes_256_ctr);
-		if (ob != NULL)
-		ASN1_OBJECT_free(ob);
-	}
-}
-/*
-* Open the /dev/crypto device
-*/
-static int
-devcrypto_open(void)
-{
-	int fd = -1;
-	if (kernel_fd != -1) {  /* already open */
-		(void) pthread_mutex_lock(kernel_fd_lock);
-		kernel_fd_ref++;
-		(void) pthread_mutex_unlock(kernel_fd_lock);
-		return (1);
-	}
-	(void) pthread_mutex_lock(kernel_fd_lock);
-	fd = open(CRYPTO_DEVICE, O_RDWR);
-	if (fd == -1) {
-#ifdef DEBUG
-		(void) fprintf(stderr,
-		    "libdevcrypto: open /dev/crypto failed, errno=%x\n",
-		    errno);
-#endif
-		(void) pthread_mutex_unlock(kernel_fd_lock);
-		return (0);
-	}
-	if (fcntl(fd, F_SETFD, FD_CLOEXEC) != 0) {
-#ifdef DEBUG
-		(void) fprintf(stderr, "libdevcrypto: failed to fcntl\n");
-#endif
-		(void) close(fd);
-		(void) pthread_mutex_unlock(kernel_fd_lock);
-		return (0);
-	}
-	kernel_fd = fd;
-	kernel_fd_ref++;
-	(void) pthread_mutex_unlock(kernel_fd_lock);
-	return (1);
-}
-/*
-* This function gets the total number of hardware providers presented in
-* the system first.  If there is any hardware providers, then it will get
-* the kernel provider id for each hardware slot also.
-*/
-static int
-devcrypto_get_slot_info(void)
-{
-	crypto_get_provider_list_t *pl = NULL;
-	int ret = 1;
-	int r;
-	int i;
-	/* Already have the information */
-	if (kernel_provider_id != NULL)
-		return (1);
-	/* Find out how many hardware slots are presented. */
-	pl = OPENSSL_malloc(sizeof (crypto_get_provider_list_t));
-	if (pl == NULL)
-		return (0);
-	pl->pl_count = 0;
-	while ((r = ioctl(kernel_fd, CRYPTO_GET_PROVIDER_LIST, pl)) < 0) {
-		if (errno != EINTR)
-			break;
-	}
-	if (r < 0 || pl->pl_return_value != CRYPTO_SUCCESS) {
-#ifdef DEBUG
-		(void) fprintf(stderr, "libdevcrypto:CRYPTO_GET_PROVIDER_LIST:"
-		    "ret (r) = 0x%x, (rv) = 0x%x\n", r,  pl->pl_return_value);
-#endif /* DEBUG */
-		ret = 0;
-		goto out;
-	}
-	slot_count = pl->pl_count;
-	if (slot_count == 0) {
-#ifdef DEBUG
-		(void) fprintf(stderr, "libdevcrypto: no hw providers\n");
-#endif /* DEBUG */
-		ret = 0;
-		goto out;
-	}
-	/* Get the provider ID for each slot from kernel and save it */
-	kernel_provider_id = OPENSSL_malloc(sizeof (CK_SLOT_ID) * slot_count);
-	if (kernel_provider_id == NULL) {
-		ret = 0;
-		goto out;
-	}
-	(void) OPENSSL_free(pl);
-	pl = OPENSSL_malloc(slot_count * sizeof (crypto_get_provider_list_t));
-	if (pl == NULL) {
-		ret = 0;
-		goto out;
-	}
-	pl->pl_count = slot_count;
-	while ((r = ioctl(kernel_fd, CRYPTO_GET_PROVIDER_LIST, pl)) < 0) {
-		if (errno != EINTR)
-			break;
-	}
-	if (r < 0 || (pl->pl_return_value != CRYPTO_SUCCESS)) {
-#ifdef DEBUG
-		(void) fprintf(stderr, "libdevcrypto:CRYPTO_GET_PROVIDER_LIST:"
-		    "ret (r) = 0x%x, (rv) = 0x%x\n", r,  pl->pl_return_value);
-#endif /* DEBUG */
-		ret = 0;
-		goto out;
-	}
-	for (i = 0; i < slot_count; i++) {
-		kernel_provider_id[i] = pl->pl_list[i].pe_provider_id;
-#ifdef DEBUG
-		(void) fprintf(stderr, "libdevcrypto: i = %d, "
-		    "kernel_provider_id = %d\n", i, kernel_provider_id[i]);
-#endif /* DEBUG */
-	}
-out:
-	if (pl != NULL)
-		(void) OPENSSL_free(pl);
-	if (ret == 0 && kernel_provider_id != NULL) {
-		(void) OPENSSL_free(kernel_provider_id);
-		kernel_provider_id = NULL;
-	}
-	return (ret);
-}
-/*
-* This function checks if the "nid" is already in the nid list.
-*/
-static int
-nid_in_list(int nid, int *nid_list, int count)
-{
-	int i = 0;
-	if (nid_list == NULL || count <= 0)
-		return (0);
-	while (i < count) {
-		if (nid == nid_list[i])
-			break;
-		i++;
-	}
-	return (i < count ? 1 : 0);
-}
-/*
-* This function is to get all the ciphers supported by hardware providers.
-* If this function is successfully completed, then the following 2 global
-* variables will be set.
-* cipher_count - the number of ciphers found in all hardware providers.
-* cipher_nids - the nid list for all the ciphers.
-*/
-static int
-devcrypto_get_hw_ciphers(void)
-{
-	crypto_get_provider_mechanism_info_t mechinfo;
-	int max_cipher_count;
-	int *tmp_nids = NULL;
-	const char *mech_string;
-	int r;
-	int i, j;
-	if (slot_count <= 0)  /* no hardware provider */
-		return (0);
-	max_cipher_count = slot_count * DEV_CIPHER_MAX + 1;
-	tmp_nids = OPENSSL_malloc(max_cipher_count * sizeof (int));
-	if (tmp_nids == NULL) {
-		/* not enough memory */
-		goto failed;
-	}
-	for (i = 0; i < slot_count; i++) {
-		mechinfo.mi_provider_id = kernel_provider_id[i];
-		for (j = 0; j < DEV_CIPHER_MAX; j++) {
-			mech_string =
-			    pkcs11_mech2str(cipher_table[j].mech_type);
-			if (mech_string == NULL) {
-				continue; /* shouldn't happen; skip it */
-			}
-			(void) strlcpy(mechinfo.mi_mechanism_name,
-			    mech_string, CRYPTO_MAX_MECH_NAME);
-			while ((r = ioctl(kernel_fd,
-			    CRYPTO_GET_PROVIDER_MECHANISM_INFO,
-			    &mechinfo)) < 0) {
-				if (errno != EINTR)
-					break;
-			}
-			if (r < 0) {
-				goto failed;
-			}
-			if (mechinfo.mi_return_value == CRYPTO_SUCCESS) {
-				/*
-				 * Found this mechanism in hardware providers.
-				 * If it is not in the nid list yet, add it.
-				 */
-				if (!nid_in_list(cipher_table[j].nid,
-				    tmp_nids, cipher_count)) {
-					tmp_nids[cipher_count] =
-					    cipher_table[j].nid;
-					cipher_count++;
-				}
-			}
-		}
-	}
-	if (cipher_count > 0) {
-		cipher_nids = tmp_nids;
-	}
-	return (1);
-failed:
-	if (r < 0 || cipher_count == 0) {
-		if (tmp_nids != NULL)
-			OPENSSL_free(tmp_nids);
-	}
-	return (0);
-}
-/*
-* Registered by the ENGINE when used to find out how to deal with
-* a particular NID in the ENGINE. This says what we'll do at the
-* top level - note, that list is restricted by what we answer with.
-*/
-static int
-devcrypto_get_all_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-const int **nids, int nid)
-{
-	if (!cipher) {
-		*nids = (cipher_count > 0) ? cipher_nids : NULL;
-		return (cipher_count);
-	}
-	switch (nid) {
-	case NID_des_cbc:
-	*cipher = &dev_des_cbc;
-		break;
-	case NID_des_ede3_cbc:
-		*cipher = &dev_3des_cbc;
-		break;
-	case NID_des_ecb:
-		*cipher = &dev_des_ecb;
-		break;
-	case NID_des_ede3_ecb:
-		*cipher = &dev_3des_ecb;
-		break;
-	case NID_rc4:
-		*cipher = &dev_rc4;
-		break;
-	case NID_aes_128_cbc:
-		*cipher = &dev_aes_128_cbc;
-		break;
-	case NID_aes_192_cbc:
-		*cipher = &dev_aes_192_cbc;
-		break;
-	case NID_aes_256_cbc:
-		*cipher = &dev_aes_256_cbc;
-		break;
-	case NID_aes_128_ecb:
-		*cipher = &dev_aes_128_ecb;
-		break;
-	case NID_aes_192_ecb:
-		*cipher = &dev_aes_192_ecb;
-		break;
-	case NID_aes_256_ecb:
-		*cipher = &dev_aes_256_ecb;
-		break;
-	case NID_bf_cbc:
-		*cipher = &dev_bf_cbc;
-		break;
-	default:
-		/*
-		 * We cannot put the NIDs for AES counter mode in separated
-		 * cases as above because they are not constants.
-		 */
-		if (nid == NID_aes_128_ctr)
-			*cipher = &dev_aes_128_ctr;
-		else if (nid == NID_aes_192_ctr)
-			*cipher = &dev_aes_192_ctr;
-		else if (nid == NID_aes_256_ctr)
-			*cipher = &dev_aes_256_ctr;
-		else
-			*cipher = NULL;
-		break;
-	}
-	return (*cipher != NULL);
-}
-static int
-get_cipher_id_by_nid(int nid)
-{
-	int i;
-	for (i = 0; i < DEV_CIPHER_MAX; i++)
-		if (cipher_table[i].nid == nid)
-			return (cipher_table[i].id);
-	return (-1);
-}
-static int
-get_slotid_by_mechanism(const char *mech_string, CK_SLOT_ID *slot_id)
-{
-	crypto_get_provider_mechanism_info_t mechanism_info;
-	uint_t rv;
-	int r;
-	int i = 0;
-	(void) strlcpy(mechanism_info.mi_mechanism_name, mech_string,
-	    CRYPTO_MAX_MECH_NAME);
-	while (i < slot_count) {
-		mechanism_info.mi_provider_id = kernel_provider_id[i];
-		while ((r = ioctl(kernel_fd,
-		    CRYPTO_GET_PROVIDER_MECHANISM_INFO,
-		    &mechanism_info)) < 0) {
-			if (errno != EINTR)
-				break;
-		}
-		if (r < 0) {
-			return (0); /* ioctl function failed */
-		}
-		rv = mechanism_info.mi_return_value;
-		if (rv == 0) { /* found it */
-			*slot_id = kernel_provider_id[i];
-			return (1);
-		}
-		i++;
-	}
-	return (0);
-}
-static int
-devcrypto_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-const unsigned char *iv, int enc)
-{
-	devcrypto_ctx_t *devc_ctx = ctx->cipher_data;
-	crypto_encrypt_init_t encrypt_init;
-	crypto_decrypt_init_t decrypt_init;
-	crypto_open_session_t session;
-	crypto_get_mechanism_number_t get_number;
-	CK_AES_CTR_PARAMS aes_ctr_params;
-	devcrypto_cipher_t *the_cipher;
-	const char *mech_string;
-	CK_SLOT_ID slot_id;
-	int index;
-	int r;
-	uint_t rv = 0;
-	if (key == NULL) {
-		DEVCRYPTOerr(DEVC_F_CIPHER_INIT, DEVC_R_CIPHER_KEY);
-		return (0);
-	}
-	/* get the cipher entry index in cipher_table from nid */
-	index = get_cipher_id_by_nid(ctx->cipher->nid);
-	if (index < 0 || index >= DEV_CIPHER_MAX) {
-		DEVCRYPTOerr(DEVC_F_CIPHER_INIT, DEVC_R_CIPHER_NID);
-		return (0);
-	}
-	the_cipher = &cipher_table[index];
-	/* check key size */
-	if (ctx->cipher->iv_len < the_cipher->iv_len ||
-	    ctx->key_len < the_cipher->min_key_len ||
-	    ctx->key_len > the_cipher->max_key_len) {
-		DEVCRYPTOerr(DEVC_F_CIPHER_INIT, DEVC_R_KEY_OR_IV_LEN_PROBLEM);
-		return (0);
-	}
-	/* Set cipher flags, if any */
-	ctx->flags |= the_cipher->flags;
-	/* get the mechanism string */
-	mech_string = pkcs11_mech2str(the_cipher->mech_type);
-	if (mech_string == NULL) {
-		DEVCRYPTOerr(DEVC_F_CIPHER_INIT, DEVC_R_MECH_STRING);
-		return (0);
-	}
-#ifdef DEBUG
-	(void) fprintf(stderr, "libdevcrypto: mech_string=%s\n", mech_string);
-#endif
-	/* Find the slot that supports this mechanism */
-	if (!get_slotid_by_mechanism(mech_string, &slot_id)) {
-		DEVCRYPTOerr(DEVC_F_CIPHER_INIT, DEVC_R_FIND_SLOT_BY_MECH);
-#ifdef DEBUG
-		(void) fprintf(stderr,
-		    "libdevcrypto: failed to find a slot with %s\n",
-		    mech_string);
-#endif
-		return (0);
-	}
-#ifdef DEBUG
-	(void) fprintf(stderr, "libdevcrypto: found a slot with %s, "
-	    "slot_id = %d\n", mech_string, slot_id);
-#endif
-	/* Open a session on this slot */
-	session.os_provider_id = slot_id;
-	session.os_flags = CKF_RW_SESSION | CKF_SERIAL_SESSION;
-	while ((r = ioctl(kernel_fd, CRYPTO_OPEN_SESSION, &session)) < 0) {
-		if (errno != EINTR)
-			break;
-	}
-	rv = session.os_return_value;
-	if (r || rv) {
-		DEVCRYPTOerr(DEVC_F_CIPHER_INIT, DEVC_R_OPEN_SESSION);
-#ifdef DEBUG
-		(void) fprintf(stderr,
-		    "libdevcrypto:cipher_init:failed to open a session\n");
-#endif /* DEBUG */
-		goto failed;
-	}
-#ifdef DEBUG
-	(void) fprintf(stderr, "libdevcrypto:cipher_init: open session = %d\n",
-	    session.os_session);
-#endif /* DEBUG */
-	/* save the session_id */
-	devc_ctx->session_id = session.os_session;
-	/*
-	 * Get the kernel mechanism number for this mechanism, if it has not
-	 * been retrieved yet.
-	 */
-	if (the_cipher->pn_internal_number == CRYPTO_MECH_INVALID) {
-		get_number.pn_mechanism_string = (char *)mech_string;
-		get_number.pn_mechanism_len = strlen(mech_string) + 1;
-		while ((r = ioctl(kernel_fd, CRYPTO_GET_MECHANISM_NUMBER,
-		    &get_number)) < 0) {
-			if (errno != EINTR)
-				break;
-		}
-		rv = get_number.pn_return_value;
-		if (r || rv) {
-			DEVCRYPTOerr(DEVC_F_CIPHER_INIT,
-			    DEVC_R_GET_MECHANISM_NUMBER);
-#ifdef DEBUG
-			(void) fprintf(stderr, "libdevcrypto:cipher_init: "
-			    "failed to get the kernel mech number.\n");
-#endif /* DEBUG */
-			goto failed;
-		}
-		the_cipher->pn_internal_number = get_number.pn_internal_number;
-	}
-	/* Crypto Init */
-	if (ctx->encrypt) {
-		encrypt_init.ei_session = session.os_session;
-		encrypt_init.ei_key.ck_format = CRYPTO_KEY_RAW;
-		encrypt_init.ei_key.ck_obj_id = 0;
-		encrypt_init.ei_key.ck_data = (void *) key;
-		encrypt_init.ei_key.ck_length = ctx->key_len * 8;
-		encrypt_init.ei_mech.cm_type = the_cipher->pn_internal_number;
-		if (ctx->cipher->nid == NID_aes_128_ctr ||
-		    ctx->cipher->nid == NID_aes_192_ctr ||
-		    ctx->cipher->nid == NID_aes_256_ctr) {
-			encrypt_init.ei_mech.cm_param =
-			    (void *) (&aes_ctr_params);
-			encrypt_init.ei_mech.cm_param_len =
-			    sizeof (aes_ctr_params);
-			aes_ctr_params.ulCounterBits = AES_BLOCK_SIZE * 8;
-			OPENSSL_assert(ctx->cipher->iv_len == AES_BLOCK_SIZE);
-			(void) memcpy(aes_ctr_params.cb, ctx->iv,
-			    AES_BLOCK_SIZE);
-		} else {
-			if (the_cipher->iv_len > 0) {
-				encrypt_init.ei_mech.cm_param =
-				    (char *)ctx->iv;
-				encrypt_init.ei_mech.cm_param_len =
-				    ctx->cipher->iv_len;
-			} else {
-				encrypt_init.ei_mech.cm_param = NULL;
-				encrypt_init.ei_mech.cm_param_len = 0;
-			}
-		}
-		while ((r = ioctl(kernel_fd, CRYPTO_ENCRYPT_INIT,
-		    &encrypt_init)) < 0) {
-			if (errno != EINTR)
-				break;
-		}
-		rv = encrypt_init.ei_return_value;
-	} else {
-		decrypt_init.di_session = session.os_session;
-		decrypt_init.di_key.ck_format = CRYPTO_KEY_RAW;
-		decrypt_init.di_key.ck_obj_id = 0;
-		decrypt_init.di_key.ck_data = (void *) key;
-		decrypt_init.di_key.ck_length = ctx->key_len * 8;
-		decrypt_init.di_mech.cm_type = the_cipher->pn_internal_number;
-		if (ctx->cipher->nid == NID_aes_128_ctr ||
-		    ctx->cipher->nid == NID_aes_192_ctr ||
-		    ctx->cipher->nid == NID_aes_256_ctr) {
-			decrypt_init.di_mech.cm_param =
-			    (void *)(&aes_ctr_params);
-			decrypt_init.di_mech.cm_param_len =
-			    sizeof (aes_ctr_params);
-			aes_ctr_params.ulCounterBits = AES_BLOCK_SIZE * 8;
-			OPENSSL_assert(ctx->cipher->iv_len == AES_BLOCK_SIZE);
-			(void) memcpy(aes_ctr_params.cb, ctx->iv,
-			    AES_BLOCK_SIZE);
-		} else {
-			if (the_cipher->iv_len > 0) {
-				decrypt_init.di_mech.cm_param =
-				    (char *)ctx->iv;
-				decrypt_init.di_mech.cm_param_len =
-				    ctx->cipher->iv_len;
-			} else {
-				decrypt_init.di_mech.cm_param = NULL;
-				decrypt_init.di_mech.cm_param_len = 0;
-			}
-		}
-		while ((r = ioctl(kernel_fd, CRYPTO_DECRYPT_INIT,
-		    &decrypt_init)) < 0) {
-			if (errno != EINTR)
-				break;
-		}
-		rv = decrypt_init.di_return_value;
-	}
-failed:
-	if (r || rv) {
-		if (ctx->encrypt)
-			DEVCRYPTOerr(DEVC_F_CIPHER_INIT, DEVC_R_ENCRYPT_INIT);
-		else
-			DEVCRYPTOerr(DEVC_F_CIPHER_INIT, DEVC_R_DECRYPT_INIT);
-		return (0);
-	}
-	return (1);
-}
-/*
-* ENCRYPT_UPDATE or DECRYPT_UPDATE
-*/
-static int
-devcrypto_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-const unsigned char *in, size_t inl)
-{
-	crypto_encrypt_update_t encrypt_update;
-	crypto_decrypt_update_t decrypt_update;
-	devcrypto_ctx_t *devc_ctx = ctx->cipher_data;
-	int r = 0, rv = 0;
-	if (ctx->encrypt) {
-		encrypt_update.eu_session = devc_ctx->session_id;
-		encrypt_update.eu_databuf = (char *)in;
-		encrypt_update.eu_datalen = inl;
-		encrypt_update.eu_encrbuf = (char *)out;
-		encrypt_update.eu_encrlen = inl;
-		while ((r = ioctl(kernel_fd, CRYPTO_ENCRYPT_UPDATE,
-		    &encrypt_update)) < 0) {
-			if (errno != EINTR)
-				break;
-		}
-		rv = encrypt_update.eu_return_value;
-	} else { /* decrypt */
-		decrypt_update.du_session = devc_ctx->session_id;
-		decrypt_update.du_encrbuf = (char *)in;
-		decrypt_update.du_encrlen = inl;
-		decrypt_update.du_databuf = (char *)out;
-		decrypt_update.du_datalen = inl;
-		while ((r = ioctl(kernel_fd, CRYPTO_DECRYPT_UPDATE,
-		    &decrypt_update)) < 0) {
-			if (errno != EINTR)
-				break;
-		}
-		rv = decrypt_update.du_return_value;
-	}
-	if (r || rv) {
-		if (ctx->encrypt)
-			DEVCRYPTOerr(DEVC_F_CIPHER_DO_CIPHER,
-			    DEVC_R_ENCRYPT_UPDATE);
-		else
-			DEVCRYPTOerr(DEVC_F_CIPHER_DO_CIPHER,
-			    DEVC_R_DECRYPT_UPDATE);
-#ifdef DEBUG
-		(void) fprintf(stderr, "libdevcrypto:crypto_do ret (r) = 0x%x,"
-		    "crypto ret (rv) = 0x%x,", r, rv);
-#endif /* DEBUG */
-		return (0);
-	}
-	return (1);
-}
-/*
-* ENCRYPT_FINAL or DECRYPT_FINAL
-*/
-static int
-devcrypto_cipher_cleanup(EVP_CIPHER_CTX *ctx)
-{
-	crypto_encrypt_final_t encrypt_final;
-	crypto_decrypt_final_t decrypt_final;
-	crypto_close_session_t session;
-	devcrypto_ctx_t *devc_ctx = ctx->cipher_data;
-	char buf[EVP_MAX_BLOCK_LENGTH];
-	int r;
-	uint_t rv = 0;
-	int ret = 1;
-	if (ctx->encrypt) {
-		encrypt_final.ef_session = devc_ctx->session_id;
-		encrypt_final.ef_encrbuf = buf;
-		encrypt_final.ef_encrlen = sizeof (buf);
-		while ((r = ioctl(kernel_fd, CRYPTO_ENCRYPT_FINAL,
-		    &encrypt_final)) < 0) {
-			if (errno != EINTR)
-				break;
-		}
-		rv = encrypt_final.ef_return_value;
-	} else {
-		decrypt_final.df_session = devc_ctx->session_id;
-		decrypt_final.df_databuf = buf;
-		decrypt_final.df_datalen = sizeof (buf);
-		while ((r = ioctl(kernel_fd, CRYPTO_DECRYPT_FINAL,
-		    &decrypt_final)) < 0) {
-			if (errno != EINTR)
-				break;
-		}
-		rv = decrypt_final.df_return_value;
-	}
-#ifdef DEBUG
-	if (ctx->encrypt)
-		(void) fprintf(stderr, "libdevcrypto:CRYPTO_ENCRYPT_FINAL "
-		    "ret (r) = 0x%x, (rv) = 0x%x\n", r, rv);
-	else
-		(void) fprintf(stderr, "libdevcrypto:CRYPTO_DECRYPT_FINAL "
-		    "ret (r) = 0x%x, (rv) = 0x%x\n", r, rv);
-#endif /* DEBUG */
-	if (r || rv) {
-		if (ctx->encrypt)
-			DEVCRYPTOerr(DEVC_F_CIPHER_CLEANUP,
-			    DEVC_R_ENCRYPT_FINAL);
-		else
-			DEVCRYPTOerr(DEVC_F_CIPHER_CLEANUP,
-			    DEVC_R_DECRYPT_FINAL);
-		ret = 0;
-	}
-	/* close the session */
-	session.cs_session = devc_ctx->session_id;
-	while ((r = ioctl(kernel_fd, CRYPTO_CLOSE_SESSION, &session)) < 0) {
-		if (errno != EINTR)
-			break;
-	}
-#ifdef DEBUG
-	(void) fprintf(stderr, "libdevcrypto:CRYPTO_CLOSE_SESSION, "
-	    "session id = %d ret (r) = 0x%x, crypto ret (rv) = 0x%x\n",
-	    devc_ctx->session_id, r, rv);
-#endif /* DEBUG */
-	if (r || rv) {
-		DEVCRYPTOerr(DEVC_F_CIPHER_CLEANUP, DEVC_R_CLOSE_SESSION);
-		ret = 0;
-	}
-	return (ret);
-}
-static void
-devcrypto_cleanup(void)
-{
-	if (kernel_fd == -1)
-		return;
-	(void) pthread_mutex_lock(kernel_fd_lock);
-	kernel_fd_ref--;
-	(void) pthread_mutex_unlock(kernel_fd_lock);
-	if (kernel_fd_ref == 0) {
-		(void) pthread_mutex_lock(kernel_fd_lock);
-		(void) close(kernel_fd);
-		kernel_fd = -1;
-		if (kernel_provider_id != NULL) {
-			OPENSSL_free(kernel_provider_id);
-			kernel_provider_id = NULL;
-		}
-		if (cipher_nids != NULL) {
-			OPENSSL_free(cipher_nids);
-			cipher_nids = NULL;
-		}
-		devcrypto_free_aes_ctr_NIDs();
-		(void) pthread_mutex_unlock(kernel_fd_lock);
-		(void) pthread_mutex_destroy(kernel_fd_lock);
-		OPENSSL_free(kernel_fd_lock);
-		kernel_fd_lock = NULL;
-	}
-}
-static int
-devcrypto_destroy(ENGINE *e)
-{
-	ERR_unload_devcrypto_strings();
-	return (1);
-}
-static int
-devcrypto_finish(ENGINE *e)
-{
-	devcrypto_cleanup();
-	return (1);
-}
-/*
-* Set up the engine info and get the /dev/crypto engine ready.
-*/
-static int
-devcrypto_bind(ENGINE *e)
-{
-#ifdef DEBUG
-	int i;
-#endif
-	/* Get the NIDs for AES counter mode algorithms first. */
-	if (devcrypto_add_aes_ctr_NIDs() == 0) {
-		return (0);
-	}
-	/* Create a lock for the devcrypto device file descriptor */
-	if (kernel_fd_lock == NULL) {
-		kernel_fd_lock = OPENSSL_malloc(sizeof (pthread_mutex_t));
-		if (kernel_fd_lock == NULL) {
-			devcrypto_free_aes_ctr_NIDs();
-			return (0);
-		}
-		if (pthread_mutex_init(kernel_fd_lock, NULL) != 0) {
-			devcrypto_free_aes_ctr_NIDs();
-			OPENSSL_free(kernel_fd_lock);
-			kernel_fd_lock = NULL;
-			return (0);
-		}
-	}
-	/* Open the /dev/crypto device */
-	if (devcrypto_open() == 0) {
-		devcrypto_free_aes_ctr_NIDs();
-		pthread_mutex_destroy(kernel_fd_lock);
-		OPENSSL_free(kernel_fd_lock);
-		kernel_fd_lock = NULL;
-		return (0);
-	}
-	/* Get all hardware providers' information */
-	if (devcrypto_get_slot_info() == 0) {
-		goto failed;
-	}
-	if (devcrypto_get_hw_ciphers() == 0) {
-		goto failed;
-	}
-#ifdef DEBUG
-	(void) fprintf(stderr, "cipher_count = %d\n", cipher_count);
-	for (i = 0; i < cipher_count; i++) {
-		(void) fprintf(stderr,
-		    "cipher_nids[i] = %d\n", cipher_nids[i]);
-	}
-#endif /* DEBUG */
-	if (!ENGINE_set_id(e, ENGINE_DEVCRYPTO_ID) ||
-	    !ENGINE_set_name(e, ENGINE_DEVCRYPTO_NAME) ||
-	    !ENGINE_set_ciphers(e, devcrypto_get_all_ciphers) ||
-	    !ENGINE_set_destroy_function(e, devcrypto_destroy) ||
-	    !ENGINE_set_finish_function(e, devcrypto_finish)) {
-		goto failed;
-	}
-	/* Set up the devcrypto error handling */
-	ERR_load_devcrypto_strings();
-	return (1);
-failed:
-	devcrypto_cleanup();
-	return (0);
-}
-static int
-bind_helper(ENGINE *e, const char *id)
-{
-	if (id != NULL && (strcmp(id, ENGINE_DEVCRYPTO_ID) != 0)) {
-#ifdef DEBUG
-		(void) fprintf(stderr, "libdevcrypto - bad engine id\n");
-#endif /* DEBUG */
-		return (0);
-	}
-	if (!devcrypto_bind(e)) {
-#ifdef DEBUG
-		(void) fprintf(stderr,
-		    "libdevcrypto - failed to bind engine\n");
-#endif /* DEBUG */
-		return (0);
-	}
-	return (1);
-}
-IMPLEMENT_DYNAMIC_CHECK_FN()
-IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)

changeset 1158	227137d9fbce
parent 1157	65a016eaa866
child 1159	24e95e0bf738