wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

eng_devcrypto: add configuration options

Browse source 
USE_SOFTDRIVERS: whether to use software (not accelerated) drivers
CIPHERS: list of ciphers to enable
DIGESTS: list of digests to enable

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
This commit is contained in:
Eneas U de Queiroz 2018-11-03 15:41:10 -03:00 committed by Richard Levitte
parent b2db94d1d0
commit 166261a5e9
1 changed files with 355 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

398
crypto/engine/eng_devcrypto.c
View file

@ -16,6 +16,7 @@
#include <unistd.h>
#include <assert.h>
#include <openssl/conf.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/engine.h>
@ -34,6 +35,30 @@
* saner... why re-open /dev/crypto for every session?
*/
static int cfd;
#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */
#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */
#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */
#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE
static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS;
/*
* cipher/digest status & acceleration definitions
* Make sure the defaults are set to 0
*/
struct driver_info_st {
enum devcrypto_status_t {
DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */
DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */
DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */
} status;
enum devcrypto_accelerated_t {
DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */
DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */
DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */
} accelerated;
};
/******************************************************************************
*
@ -108,13 +133,22 @@ static const struct cipher_data_st {
#endif
};
static size_t get_cipher_data_index(int nid)
static size_t find_cipher_data_index(int nid)
{
size_t i;
for (i = 0; i < OSSL_NELEM(cipher_data); i++)
if (nid == cipher_data[i].nid)
return i;
return (size_t)-1;
}
static size_t get_cipher_data_index(int nid)
{
size_t i = find_cipher_data_index(nid);
if (i != (size_t)-1)
return i;
/*
* Code further down must make sure that only NIDs in the table above
@ -310,19 +344,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
}
/*
* Keep a table of known nids and associated methods.
* Keep tables of known nids, associated methods, selected ciphers, and driver
* info.
* Note that known_cipher_nids[] isn't necessarily indexed the same way as
* cipher_data[] above, which known_cipher_methods[] is.
* cipher_data[] above, which the other tables are.
*/
static int known_cipher_nids[OSSL_NELEM(cipher_data)];
static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
static int selected_ciphers[OSSL_NELEM(cipher_data)];
static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)];
static int devcrypto_test_cipher(size_t cipher_data_index)
{
return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE
&& selected_ciphers[cipher_data_index] == 1
&& (cipher_driver_info[cipher_data_index].accelerated
== DEVCRYPTO_ACCELERATED
|| use_softdrivers == DEVCRYPTO_USE_SOFTWARE
|| (cipher_driver_info[cipher_data_index].accelerated
!= DEVCRYPTO_NOT_ACCELERATED
&& use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE)));
}
static void prepare_cipher_methods(void)
{
size_t i;
struct session_op sess;
unsigned long cipher_mode;
#ifdef CIOCGSESSINFO
struct session_info_op siop;
#endif
memset(&cipher_driver_info, 0, sizeof(cipher_driver_info));
memset(&sess, 0, sizeof(sess));
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
@ -330,15 +385,16 @@ static void prepare_cipher_methods(void)
for (i = 0, known_cipher_nids_amount = 0;
i < OSSL_NELEM(cipher_data); i++) {
selected_ciphers[i] = 1;
/*
* Check that the algo is really availably by trying to open and close
* a session.
* Check that the cipher is usable
*/
sess.cipher = cipher_data[i].devcryptoid;
sess.keylen = cipher_data[i].keylen;
if (ioctl(cfd, CIOCGSESSION, &sess) < 0
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
if (ioctl(cfd, CIOCGSESSION, &sess) < 0) {
cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
continue;
}
cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
@ -363,15 +419,41 @@ static void prepare_cipher_methods(void)
cipher_cleanup)
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
sizeof(struct cipher_ctx))) {
cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
EVP_CIPHER_meth_free(known_cipher_methods[i]);
known_cipher_methods[i] = NULL;
} else {
cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE;
#ifdef CIOCGSESSINFO
siop.ses = sess.ses;
if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY))
cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
else
cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
#endif /* CIOCGSESSINFO */
}
ioctl(cfd, CIOCFSESSION, &sess.ses);
if (devcrypto_test_cipher(i)) {
known_cipher_nids[known_cipher_nids_amount++] =
cipher_data[i].nid;
}
}
}
static void rebuild_known_cipher_nids(ENGINE *e)
{
size_t i;
for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) {
if (devcrypto_test_cipher(i))
known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid;
}
ENGINE_unregister_ciphers(e);
ENGINE_register_ciphers(e);
}
static const EVP_CIPHER *get_cipher_method(int nid)
{
size_t i = get_cipher_data_index(nid);
@ -414,6 +496,36 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
return *cipher != NULL;
}
static void devcrypto_select_all_ciphers(int *cipher_list)
{
size_t i;
for (i = 0; i < OSSL_NELEM(cipher_data); i++)
cipher_list[i] = 1;
}
static int cryptodev_select_cipher_cb(const char *str, int len, void *usr)
{
int *cipher_list = (int *)usr;
char *name;
const EVP_CIPHER *EVP;
size_t i;
if (len == 0)
return 1;
if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL)
return 0;
EVP = EVP_get_cipherbyname(name);
if (EVP == NULL)
fprintf(stderr, "devcrypto: unknown cipher %s\n", name);
else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1)
cipher_list[i] = 1;
else
fprintf(stderr, "devcrypto: cipher %s not available\n", name);
OPENSSL_free(name);
return 1;
}
/*
* We only support digests if the cryptodev implementation supports multiple
* data updates and session copying. Otherwise, we would be forced to maintain
@ -468,13 +580,22 @@ static const struct digest_data_st {
#endif
};
static size_t get_digest_data_index(int nid)
static size_t find_digest_data_index(int nid)
{
size_t i;
for (i = 0; i < OSSL_NELEM(digest_data); i++)
if (nid == digest_data[i].nid)
return i;
return (size_t)-1;
}
static size_t get_digest_data_index(int nid)
{
size_t i = find_digest_data_index(nid);
if (i != (size_t)-1)
return i;
/*
* Code further down must make sure that only NIDs in the table above
@ -491,8 +612,8 @@ static const struct digest_data_st *get_digest_data(int nid)
}
/*
* Following are the four necessary functions to map OpenSSL functionality
* with cryptodev.
* Following are the five necessary functions to map OpenSSL functionality
* with cryptodev: init, update, final, cleanup, and copy.
*/
static int digest_init(EVP_MD_CTX *ctx)
@ -608,52 +729,94 @@ static int digest_cleanup(EVP_MD_CTX *ctx)
return 1;
}
static int devcrypto_test_digest(size_t digest_data_index)
{
struct session_op sess1, sess2;
struct cphash_op cphash;
int ret=0;
memset(&sess1, 0, sizeof(sess1));
memset(&sess2, 0, sizeof(sess2));
sess1.mac = digest_data[digest_data_index].devcryptoid;
if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
return 0;
/* Make sure the driver is capable of hash state copy */
sess2.mac = sess1.mac;
if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
cphash.src_ses = sess1.ses;
cphash.dst_ses = sess2.ses;
if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
ret = 1;
ioctl(cfd, CIOCFSESSION, &sess2.ses);
}
ioctl(cfd, CIOCFSESSION, &sess1.ses);
return ret;
}
/*
* Keep a table of known nids and associated methods.
* Keep tables of known nids, associated methods, selected digests, and
* driver info.
* Note that known_digest_nids[] isn't necessarily indexed the same way as
* digest_data[] above, which known_digest_methods[] is.
* digest_data[] above, which the other tables are.
*/
static int known_digest_nids[OSSL_NELEM(digest_data)];
static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */
static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, };
static int selected_digests[OSSL_NELEM(digest_data)];
static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)];
static int devcrypto_test_digest(size_t digest_data_index)
{
return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE
&& selected_digests[digest_data_index] == 1
&& (digest_driver_info[digest_data_index].accelerated
== DEVCRYPTO_ACCELERATED
|| use_softdrivers == DEVCRYPTO_USE_SOFTWARE
|| (digest_driver_info[digest_data_index].accelerated
!= DEVCRYPTO_NOT_ACCELERATED
&& use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE)));
}
static void rebuild_known_digest_nids(ENGINE *e)
{
size_t i;
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) {
if (devcrypto_test_digest(i))
known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
}
ENGINE_unregister_digests(e);
ENGINE_register_digests(e);
}
static void prepare_digest_methods(void)
{
size_t i;
struct session_op sess1, sess2;
#ifdef CIOCGSESSINFO
struct session_info_op siop;
#endif
struct cphash_op cphash;
memset(&digest_driver_info, 0, sizeof(digest_driver_info));
memset(&sess1, 0, sizeof(sess1));
memset(&sess2, 0, sizeof(sess2));
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
i++) {
/*
* Check that the algo is usable
*/
if (!devcrypto_test_digest(i))
continue;
selected_digests[i] = 1;
/*
* Check that the digest is usable
*/
sess1.mac = digest_data[i].devcryptoid;
sess2.ses = 0;
if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) {
digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
goto finish;
}
#ifdef CIOCGSESSINFO
/* gather hardware acceleration info from the driver */
siop.ses = sess1.ses;
if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)
digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
else
digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
#endif
/* digest must be capable of hash state copy */
sess2.mac = sess1.mac;
if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) {
digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
goto finish;
}
cphash.src_ses = sess1.ses;
cphash.dst_ses = sess2.ses;
if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) {
digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
goto finish;
}
if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,
NID_undef)) == NULL
|| !EVP_MD_meth_set_result_size(known_digest_methods[i],
@ -665,11 +828,18 @@ static void prepare_digest_methods(void)
|| !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup)
|| !EVP_MD_meth_set_app_datasize(known_digest_methods[i],
sizeof(struct digest_ctx))) {
digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
EVP_MD_meth_free(known_digest_methods[i]);
known_digest_methods[i] = NULL;
} else {
known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
goto finish;
}
digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE;
finish:
ioctl(cfd, CIOCFSESSION, &sess1.ses);
if (sess2.ses != 0)
ioctl(cfd, CIOCFSESSION, &sess2.ses);
if (devcrypto_test_digest(i))
known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
}
}
@ -715,8 +885,148 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest,
return *digest != NULL;
}
static void devcrypto_select_all_digests(int *digest_list)
{
size_t i;
for (i = 0; i < OSSL_NELEM(digest_data); i++)
digest_list[i] = 1;
}
static int cryptodev_select_digest_cb(const char *str, int len, void *usr)
{
int *digest_list = (int *)usr;
char *name;
const EVP_MD *EVP;
size_t i;
if (len == 0)
return 1;
if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL)
return 0;
EVP = EVP_get_digestbyname(name);
if (EVP == NULL)
fprintf(stderr, "devcrypto: unknown digest %s\n", name);
else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1)
digest_list[i] = 1;
else
fprintf(stderr, "devcrypto: digest %s not available\n", name);
OPENSSL_free(name);
return 1;
}
#endif
/******************************************************************************
*
* CONTROL COMMANDS
*
*****/
#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE
#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1)
#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2)
#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3)
static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
#ifdef CIOCGSESSINFO
{DEVCRYPTO_CMD_USE_SOFTDRIVERS,
"USE_SOFTDRIVERS",
"specifies whether to use software (not accelerated) drivers ("
OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, "
OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, "
OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE)
"=use if acceleration can't be determined) [default="
OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]",
ENGINE_CMD_FLAG_NUMERIC},
#endif
{DEVCRYPTO_CMD_CIPHERS,
"CIPHERS",
"either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]",
ENGINE_CMD_FLAG_STRING},
#ifdef IMPLEMENT_DIGEST
{DEVCRYPTO_CMD_DIGESTS,
"DIGESTS",
"either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
ENGINE_CMD_FLAG_STRING},
#endif
{0, NULL, NULL, 0}
};
static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
{
int *new_list;
switch (cmd) {
#ifdef CIOCGSESSINFO
case DEVCRYPTO_CMD_USE_SOFTDRIVERS:
switch (i) {
case DEVCRYPTO_REQUIRE_ACCELERATED:
case DEVCRYPTO_USE_SOFTWARE:
case DEVCRYPTO_REJECT_SOFTWARE:
break;
default:
fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i);
return 0;
}
if (use_softdrivers == i)
return 1;
use_softdrivers = i;
#ifdef IMPLEMENT_DIGEST
rebuild_known_digest_nids(e);
#endif
rebuild_known_cipher_nids(e);
return 1;
#endif /* CIOCGSESSINFO */
case DEVCRYPTO_CMD_CIPHERS:
if (p == NULL)
return 1;
if (strcasecmp((const char *)p, "ALL") == 0) {
devcrypto_select_all_ciphers(selected_ciphers);
} else if (strcasecmp((const char*)p, "NONE") == 0) {
memset(selected_ciphers, 0, sizeof(selected_ciphers));
} else {
new_list=OPENSSL_zalloc(sizeof(selected_ciphers));
if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) {
OPENSSL_free(new_list);
return 0;
}
memcpy(selected_ciphers, new_list, sizeof(selected_ciphers));
OPENSSL_free(new_list);
}
rebuild_known_cipher_nids(e);
return 1;
#ifdef IMPLEMENT_DIGEST
case DEVCRYPTO_CMD_DIGESTS:
if (p == NULL)
return 1;
if (strcasecmp((const char *)p, "ALL") == 0) {
devcrypto_select_all_digests(selected_digests);
} else if (strcasecmp((const char*)p, "NONE") == 0) {
memset(selected_digests, 0, sizeof(selected_digests));
} else {
new_list=OPENSSL_zalloc(sizeof(selected_digests));
if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) {
OPENSSL_free(new_list);
return 0;
}
memcpy(selected_digests, new_list, sizeof(selected_digests));
OPENSSL_free(new_list);
}
rebuild_known_digest_nids(e);
return 1;
#endif /* IMPLEMENT_DIGEST */
default:
break;
}
return 0;
}
/******************************************************************************
*
* LOAD / UNLOAD
@ -766,6 +1076,8 @@ void engine_load_devcrypto_int()
if (!ENGINE_set_id(e, "devcrypto")
|| !ENGINE_set_name(e, "/dev/crypto engine")
|| !ENGINE_set_cmd_defns(e, devcrypto_cmds)
|| !ENGINE_set_ctrl_function(e, devcrypto_ctrl)
/*
* Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD