diff options
| author | clucey <catriona.lucey@intel.com> | 2016-02-17 13:38:36 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2016-03-07 13:36:17 +0000 |
| commit | 7f458a48ff3a231d5841466525d2aacbcd4f6b77 (patch) | |
| tree | 85f066e1efad61b09242ec27d23f300ae9742fa9 /engines | |
| parent | b63447c1150f659cfc54ed290df33345e8ce7cbd (diff) | |
ALG: Add AFALG engine
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'engines')
| -rw-r--r-- | engines/Makefile.in | 13 | ||||
| -rw-r--r-- | engines/afalg/Makefile.in | 89 | ||||
| -rw-r--r-- | engines/afalg/build.info | 8 | ||||
| -rw-r--r-- | engines/afalg/e_afalg.c | 839 | ||||
| -rw-r--r-- | engines/afalg/e_afalg.ec | 1 | ||||
| -rw-r--r-- | engines/afalg/e_afalg.h | 111 | ||||
| -rw-r--r-- | engines/afalg/e_afalg_err.c | 151 | ||||
| -rw-r--r-- | engines/afalg/e_afalg_err.h | 99 |
8 files changed, 1310 insertions, 1 deletions
diff --git a/engines/Makefile.in b/engines/Makefile.in index cfe550fb49..7a284cf57a 100644 --- a/engines/Makefile.in +++ b/engines/Makefile.in @@ -10,6 +10,11 @@ CFLAG=-g MAKEFILE= Makefile AR= ar r +RECURSIVE_MAKE= [ -z "$(ENGDIRS)" ] || for i in $(ENGDIRS) ; do \ + (cd $$i && echo "making $$target in $(DIR)/$$i..." && \ + $(MAKE) -e TOP=../.. DIR=$$i $$target ) || exit 1; \ + done; + PADLOCK_ASM_OBJ= PLIB_LDFLAG= @@ -49,7 +54,7 @@ ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ..; $(MAKE) DIRS=$(DIR) all) -all: lib +all: lib subdirs lib: $(LIBOBJ) $(TESTLIBOBJ) @if [ "$(DYNAMIC_ENGINES)" = 1 ]; then \ @@ -71,8 +76,12 @@ e_padlock-x86.s: asm/e_padlock-x86.pl e_padlock-x86_64.s: asm/e_padlock-x86_64.pl $(PERL) asm/e_padlock-x86_64.pl $(PERLASM_SCHEME) > $@ +subdirs: + @target=all; $(RECURSIVE_MAKE) + files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO + @target=files; $(RECURSIVE_MAKE) install: @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... @@ -94,6 +103,7 @@ uninstall: $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$${l}$(DSO_EXT); \ done; \ fi + @target=install; $(RECURSIVE_MAKE) errors: set -e; for l in $(LIBNAMES); do \ @@ -107,5 +117,6 @@ depend: clean: rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff + @target=clean; $(RECURSIVE_MAKE) # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/engines/afalg/Makefile.in b/engines/afalg/Makefile.in new file mode 100644 index 0000000000..8120272324 --- /dev/null +++ b/engines/afalg/Makefile.in @@ -0,0 +1,89 @@ +# +# OpenSSL/engines/afalg/Makefile +# + +DIR= afalg +TOP= ../.. +CC= cc +INCLUDES= -I../../include +CFLAG=-g +MAKEFILE= Makefile +AR= ar r + +CFLAGS= $(INCLUDES) $(CFLAG) +LIB=$(TOP)/libcrypto.a + +LIBNAME=afalg +LIBSRC= e_afalg.c +LIBOBJ= e_afalg.o e_afalg_err.o + +SRC= $(LIBSRC) + +top: + (cd $(TOP); $(MAKE) DIRS=engines sub_all) + +all: errors lib + +errors: + $(PERL) $(TOP)/util/mkerr.pl -conf e_afalg.ec -nostatic -write $(SRC) + +lib: $(LIBOBJ) + @if [ -n "$(SHARED_LIBS)" ]; then \ + $(MAKE) -f $(TOP)/Makefile.shared -e \ + LIBNAME=$(LIBNAME) \ + LIBEXTRAS='$(LIBOBJ)' \ + LIBDEPS='-L$(TOP) -lcrypto' \ + link_o.$(SHLIB_TARGET); \ + else \ + $(AR) $(LIB) $(LIBOBJ); \ + fi + @touch lib + +install: + [ -n "$(INSTALLTOP)" ] # should be set by top Makefile... + if [ -n "$(SHARED_LIBS)" ]; then \ + set -e; \ + echo installing $(LIBNAME); \ + pfx=lib; \ + if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \ + sfx=".so"; \ + cp cyg$(LIBNAME).dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \ + else \ + case "$(CFLAGS)" in \ + *DSO_DLFCN*) sfx=`expr "$(SHLIB_EXT)" : '.*\(\.[a-z][a-z]*\)' \| ".so"`;; \ + *DSO_DL*) sfx=".sl";; \ + *DSO_WIN32*) sfx="eay32.dll"; pfx=;; \ + *) sfx=".bad";; \ + esac; \ + cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \ + fi; \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx; \ + fi + +depend: + @[ -z "$(THIS)" ] || $(TOP)/util/domd $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) $(TESTLIBSRC) + +files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO + +clean: + rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff *.so *.dll *.dylib + +# DO NOT DELETE THIS LINE -- make depend depends on it. +e_afalg.o: e_afalg.c ../../include/openssl/engine.h \ + ../../include/openssl/opensslconf.h ../../include/openssl/bn.h \ + ../../include/openssl/e_os2.h ../../include/openssl/ossl_typ.h \ + ../../include/openssl/crypto.h ../../include/openssl/stack.h \ + ../../include/openssl/safestack.h ../../include/openssl/opensslv.h \ + ../../include/openssl/symhacks.h ../../include/openssl/rsa.h \ + ../../include/openssl/asn1.h ../../include/openssl/bio.h \ + ../../include/openssl/dsa.h ../../include/openssl/dh.h \ + ../../include/openssl/ec.h ../../include/openssl/rand.h \ + ../../include/openssl/ui.h ../../include/openssl/err.h \ + ../../include/openssl/lhash.h ../../include/openssl/x509.h \ + ../../include/openssl/buffer.h ../../include/openssl/evp.h \ + ../../include/openssl/objects.h ../../include/openssl/obj_mac.h \ + ../../include/openssl/sha.h ../../include/openssl/x509_vfy.h \ + ../../include/openssl/pkcs7.h ../../include/openssl/async.h e_afalg.h \ + e_afalg_err.h diff --git a/engines/afalg/build.info b/engines/afalg/build.info new file mode 100644 index 0000000000..5336de7995 --- /dev/null +++ b/engines/afalg/build.info @@ -0,0 +1,8 @@ +{- use File::Spec::Functions qw/:DEFAULT rel2abs/; -} + +IF[{- $config{afalg} eq "afalg" -}] + ENGINES=libafalg + SOURCE[libafalg]=e_afalg.c e_afalg_err.c + DEPEND[libafalg]=../../libcrypto + INCLUDE[libafalg]= {- rel2abs(catdir($builddir,"../include")) -} ../../include +ENDIF diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c new file mode 100644 index 0000000000..b3ca38accb --- /dev/null +++ b/engines/afalg/e_afalg.c @@ -0,0 +1,839 @@ +/* ==================================================================== + * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* Required for vmsplice */ +#define _GNU_SOURCE +#include <stdio.h> +#include <string.h> +#include <unistd.h> + +#include <openssl/engine.h> +#include <openssl/async.h> + +#include <linux/version.h> +#define K_MAJ 4 +#define K_MIN1 1 +#define K_MIN2 0 +#if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2) +# warning "AFALG ENGINE requires Kernel Headers >= 4.1.0" +# warning "Skipping Compilation of AFALG engine" +#else + +# include <linux/if_alg.h> +# include <sys/socket.h> +# include <fcntl.h> +# include <sys/utsname.h> + +# include <linux/aio_abi.h> +# include <sys/syscall.h> +# include <errno.h> + +# include "e_afalg.h" + +# define AFALG_LIB_NAME "AFALG" +# include "e_afalg_err.h" + +# ifndef SOL_ALG +# define SOL_ALG 279 +# endif + +# ifdef ALG_ZERO_COPY +# ifndef SPLICE_F_GIFT +# define SPLICE_F_GIFT (0x08) +# endif +# endif + +# define ALG_AES_IV_LEN 16 +# define ALG_IV_LEN(len) (sizeof(struct af_alg_iv) + (len)) +# define ALG_OP_TYPE unsigned int +# define ALG_OP_LEN (sizeof(ALG_OP_TYPE)) + +/* Local Linkage Functions */ +static int afalg_init_aio(afalg_aio *aio); +static int afalg_fin_cipher_aio(afalg_aio *ptr, int sfd, + unsigned char *buf, size_t len); +static int afalg_create_bind_sk(void); +static int afalg_destroy(ENGINE *e); +static int afalg_init(ENGINE *e); +static int afalg_finish(ENGINE *e); +const EVP_CIPHER *afalg_aes_128_cbc(void); +static int afalg_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + const int **nids, int nid); +static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc); +static int afalg_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl); +static int afalg_cipher_cleanup(EVP_CIPHER_CTX *ctx); +static int afalg_chk_platform(void); + +/* Engine Id and Name */ +static const char *engine_afalg_id = "afalg"; +static const char *engine_afalg_name = "AFLAG engine support"; + +int afalg_cipher_nids[] = { + NID_aes_128_cbc +}; + +static EVP_CIPHER *_hidden_aes_128_cbc = NULL; + +static inline int io_setup(unsigned n, aio_context_t *ctx) +{ + return syscall(__NR_io_setup, n, ctx); +} + +static inline int eventfd(int n) +{ + return syscall(__NR_eventfd, n); +} + +static inline int io_destroy(aio_context_t ctx) +{ + return syscall(__NR_io_destroy, ctx); +} + +static inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) +{ + return syscall(__NR_io_submit, ctx, n, iocb); +} + +static inline int io_getevents(aio_context_t ctx, long min, long max, + struct io_event *events, + struct timespec *timeout) +{ + return syscall(__NR_io_getevents, ctx, min, max, events, timeout); +} + +static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, + OSSL_ASYNC_FD waitfd, void *custom) +{ + close(waitfd); +} + +static int afalg_setup_async_event_notification(afalg_aio *aio) +{ + ASYNC_JOB *job; + ASYNC_WAIT_CTX *waitctx; + void *custom = NULL; + + if ((job = ASYNC_get_current_job()) != NULL) { + /* Async mode */ + waitctx = ASYNC_get_wait_ctx(job); + if (waitctx == NULL) { + ALG_WARN("%s: ASYNC_get_wait_ctx error", __func__); + return 0; + } + /* Get waitfd from ASYNC_WAIT_CTX if it is alreday set */ + if (0 == ASYNC_WAIT_CTX_get_fd(waitctx, engine_afalg_id, + &aio->efd_async, &custom)) { + /* waitfd is not set in ASYNC_WAIT_CTX so we set it */ + /* efd_async will be signaled when AIO operation completes */ + aio->efd_async = eventfd(0); + if (aio->efd_async == -1) { + ALG_PERR("%s: Failed to get eventfd : ", __func__); + AFALGerr(AFALG_F_AFALG_SETUP_ASYNC_EVENT_NOTIFICATION, + AFALG_R_EVENTFD_FAILED); + return 0; + } + if (0 == + ASYNC_WAIT_CTX_set_wait_fd(waitctx, engine_afalg_id, + aio->efd_async, custom, + afalg_waitfd_cleanup)) { + ALG_WARN("%s: Failed to set wait fd", __func__); + close(aio->efd_async); + return 0; + } + /* make fd non-blocking in async mode */ + if (fcntl(aio->efd_async, F_SETFL, O_NONBLOCK) != 0) { + ALG_WARN("%s: Failed to set event fd as NONBLOCKING", + __func__); + } + } + /* efd_async is the active fd to be used */ + aio->efd = aio->efd_async; + } else { + /* Sync mode */ + /* efd_sync will be signaled when AIO operation completes */ + aio->efd_sync = eventfd(0); + if (aio->efd_sync == -1) { + ALG_PERR("%s: Failed to get eventfd : ", __func__); + AFALGerr(AFALG_F_AFALG_SETUP_ASYNC_EVENT_NOTIFICATION, + AFALG_R_EVENTFD_FAILED); + return 0; + } + /* efd_async is the active fd to be used */ + aio->efd = aio->efd_sync; + } + return 1; +} + +int afalg_init_aio(afalg_aio *aio) +{ + int r = -1; + + /* Initialise for AIO */ + aio->aio_ctx = 0; + r = io_setup(MAX_INFLIGHTS, &aio->aio_ctx); + if (r < 0) { + ALG_PERR("%s: io_setup error : ", __func__); + AFALGerr(AFALG_F_AFALG_INIT_AIO, AFALG_R_IO_SETUP_FAILED); + return 0; + } + + memset(aio->cbt, 0, sizeof(aio->cbt)); + aio->efd_sync = -1; + aio->efd_async = -1; + aio->efd = -1; + + return 1; +} + +int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, + size_t len) +{ + int r; + int retry = 0; + unsigned int done = 0; + struct iocb *cb; + struct timespec timeout; + struct io_event events[MAX_INFLIGHTS]; + u_int64_t eval = 0; + + timeout.tv_sec = 0; + timeout.tv_nsec = 0; + + /* if efd has not been initialised yet do it here */ + if (aio->efd == -1) { + r = afalg_setup_async_event_notification(aio); + if (r == 0) + return 0; + } + + cb = &(aio->cbt[0 % MAX_INFLIGHTS]); + memset(cb, '\0', sizeof(*cb)); + cb->aio_fildes = sfd; + cb->aio_lio_opcode = IOCB_CMD_PREAD; + cb->aio_buf = (unsigned long)buf; + cb->aio_offset = 0; + cb->aio_data = 0; + cb->aio_nbytes = len; + cb->aio_flags = IOCB_FLAG_RESFD; + cb->aio_resfd = aio->efd; + + /* + * Perform AIO read on AFALG socket, this in turn performs an async + * crypto operation in kernel space + */ + r = io_read(aio->aio_ctx, 1, &cb); + if (r < 0) { + ALG_PERR("%s: io_read failed : ", __func__); + return 0; + } + + do { + /* While AIO read is being performed pause job */ + ASYNC_pause_job(); + + /* Check for completion of AIO read */ + r = read(aio->efd, &eval, sizeof(eval)); + if (r < 0) { + if (errno == EAGAIN || errno == EWOULDBLOCK) + continue; + ALG_PERR("%s: read failed for event fd : ", __func__); + return 0; + } else if (r == 0 || eval <= 0) { + ALG_WARN("%s: eventfd read %d bytes, eval = %lu\n", __func__, r, + eval); + } + if (eval > 0) { + + /* Get results of AIO read */ + r = io_getevents(aio->aio_ctx, 1, 1, events, &timeout); + if (r > 0) { + /* + * events.res indicates the actual status of the operation. + * Handle the error condition first. + */ + if (events[0].res < 0) { + /* + * Underlying operation cannot be completed at the time + * of previous submission. Resubmit for the operation. + */ + if (events[0].res == -EBUSY && retry++ < 3) { + r = io_read(aio->aio_ctx, 1, &cb); + if (r < 0) { + ALG_PERR("%s: retry %d for io_read failed : ", + __func__, retry); + return 0; + } + continue; + } else { + /* + * Retries exceed for -EBUSY or unrecoverable error + * condition for this instance of operation. + */ + ALG_WARN + ("%s: Crypto Operation failed with code %lld\n", + __func__, events[0].res); + return 0; + } + } + /* Operation successful. */ + done = 1; + } else if (r < 0) { + ALG_PERR("%s: io_getevents failed : ", __func__); + return 0; + } else { + ALG_WARN("%s: io_geteventd read 0 bytes\n", __func__); + } + } + } while (!done); + + return 1; +} + +static int afalg_create_bind_sk(void) +{ + struct sockaddr_alg sa = { + .salg_family = AF_ALG, + .salg_type = "skcipher", + .salg_name = "cbc(aes)" + }; + + int sfd; + int r = -1; + + /* Create AFALG socket for crypto processing */ + sfd = socket(AF_ALG, SOCK_SEQPACKET, 0); + if (sfd == -1) { + ALG_PERR("%s: Failed to open socket : ", __func__); + AFALGerr(AFALG_F_AFALG_CREATE_BIND_SK, AFALG_R_SOCKET_CREATE_FAILED); + goto err; + } + + /* Set cipher algorithm for aes-cbc */ + r = bind(sfd, (struct sockaddr *)&sa, sizeof(sa)); + if (r < 0) { + ALG_PERR("%s: Failed to bind socket : ", __func__); + AFALGerr(AFALG_F_AFALG_CREATE_BIND_SK, AFALG_R_SOCKET_BIND_FAILED); + goto err; + } + + return sfd; + + err: + if (sfd >= 0) + close(sfd); + return r; +} + +static inline void afalg_set_op_sk(struct cmsghdr *cmsg, + const unsigned int op) +{ + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_OP; + cmsg->cmsg_len = CMSG_LEN(ALG_OP_LEN); + *CMSG_DATA(cmsg) = (char)op; +} + +static void afalg_set_iv_sk(struct cmsghdr *cmsg, const unsigned char *iv, + const unsigned int len) +{ + struct af_alg_iv *aiv; + + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_IV; + cmsg->cmsg_len = CMSG_LEN(ALG_IV_LEN(len)); + aiv = (struct af_alg_iv *)CMSG_DATA(cmsg); + aiv->ivlen = len; + memcpy(aiv->iv, iv, len); +} + +static void afalg_socket(afalg_ctx *actx, const unsigned char *key, + const int klen) +{ + int ret; + + actx->bfd = actx->sfd = -1; + + actx->bfd = afalg_create_bind_sk(); + if (actx->bfd < 0) { + return; + } + + /* + * Send cipher key to the kernel in preparation for future crypto + * requests + */ + ret = setsockopt(actx->bfd, SOL_ALG, ALG_SET_KEY, key, klen); + if (ret < 0) { + ALG_PERR("%s: Failed to set socket option : ", __func__); + AFALGerr(AFALG_F_AFALG_SOCKET, AFALG_R_SOCKET_SET_KEY_FAILED); + goto err; + } + + /* Get fd to perform future aes-cbc operations with given key */ + actx->sfd = accept(actx->bfd, NULL, 0); + if (actx->sfd < 0) { + ALG_PERR("%s: Socket Accept Failed : ", __func__); + AFALGerr(AFALG_F_AFALG_SOCKET, AFALG_R_SOCKET_BIND_FAILED); + goto err; + } + + return; + + err: + if (actx->bfd >= 0) + close(actx->bfd); + if (actx->sfd >= 0) + close(actx->sfd); + actx->bfd = actx->sfd = -1; + return; +} + +static int afalg_start_cipher_sk(afalg_ctx *actx, const unsigned char *in, + size_t inl, const unsigned char *iv, + unsigned int enc) +{ + struct msghdr msg = { 0 }; + struct cmsghdr *cmsg; + struct iovec iov; + ssize_t sbytes; +# ifdef ALG_ZERO_COPY + int ret; +# endif + + const ssize_t cbuf_sz = CMSG_SPACE(ALG_IV_LEN(ALG_AES_IV_LEN)) + + CMSG_SPACE(ALG_OP_LEN); + char cbuf[cbuf_sz]; + + memset(cbuf, 0, cbuf_sz); + msg.msg_control = cbuf; + msg.msg_controllen = cbuf_sz; + + /* + * cipher direction (i.e. encrypt or decrypt) and iv are sent to the + * kernel as part of sendmsg()'s ancillary data + */ + cmsg = CMSG_FIRSTHDR(&msg); + afalg_set_op_sk(cmsg, enc); + cmsg = CMSG_NXTHDR(&msg, cmsg); + afalg_set_iv_sk(cmsg, iv, ALG_AES_IV_LEN); + + /* iov that describes input data */ + iov.iov_base = (unsigned char *)in; + iov.iov_len = inl; + + msg.msg_flags = MSG_MORE; + +# ifdef ALG_ZERO_COPY + /* + * ZERO_COPY mode + * Works best when buffer is 4k aligned + * OPENS: out of place processing (i.e. out != in) + */ + + /* Input data is not sent as part of call to sendmsg() */ + msg.msg_iovlen = 0; + msg.msg_iov = NULL; + + /* Sendmsg() sends iv and cipher direction to the kernel */ + sbytes = sendmsg(actx->sfd, &msg, 0); + if (sbytes < 0) { + ALG_PERR("%s: sendmsg failed for zero copy cipher operation : ", + __func__); + return 0; + } + + /* + * vmsplice and splice are used to pin the user space input buffer for + * kernel space processing avoiding copys from user to kernel space + */ + ret = vmsplice(actx->zc_pipe[1], &iov, 1, SPLICE_F_GIFT); + if (ret < 0) { + ALG_PERR("%s: vmsplice failed : ", __func__); + return 0; + } + + ret = splice(actx->zc_pipe[0], NULL, actx->sfd, NULL, inl, 0); + if (ret < 0) { + ALG_PERR("%s: splice failed : ", __func__); + return 0; + } +# else + msg.msg_iovlen = 1; + msg.msg_iov = &iov; + + /* Sendmsg() sends iv, cipher direction and input data to the kernel */ + sbytes = sendmsg(actx->sfd, &msg, 0); + if (sbytes < 0) { + ALG_PERR("%s: sendmsg failed for cipher operation : ", __func__); + return 0; + } + + if (sbytes != (ssize_t) inl) { + ALG_ERR("Cipher operation send bytes %zd != inlen %zd\n", sbytes, + inl); + return 0; + } +# endif + + return 1; +} + +static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + int ciphertype; + afalg_ctx *actx; + + if (ctx == NULL || key == NULL) { + ALG_WARN("%s: Null Parameter\n", __func__); + return 0; + } + + if (EVP_CIPHER_CTX_cipher(ctx) == NULL) { + ALG_WARN("%s: Cipher object NULL\n", __func__); + return 0; + } + + actx = EVP_CIPHER_CTX_cipher_data(ctx); + if (actx == NULL) { + ALG_WARN("%s: Cipher data NULL\n", __func__); + return 0; + } + + ciphertype = EVP_CIPHER_CTX_nid(ctx); + switch (ciphertype) { + case NID_aes_128_cbc: + break; + default: + ALG_WARN("%s: Unsupported Cipher type %d\n", __func__, ciphertype); + return 0; + } + + if (ALG_AES_IV_LEN != EVP_CIPHER_CTX_iv_length(ctx)) { + ALG_ERR("%s: Unsupported IV length :%d\n", __func__, + EVP_CIPHER_CTX_iv_length(ctx)); + return 0; + } + + /* Setup AFALG socket for crypto processing */ + afalg_socket(actx, key, EVP_CIPHER_CTX_key_length(ctx)); + if (actx->sfd < 0) { + return 0; + } + + /* Setup AIO ctx to allow async AFALG crypto processing */ + if (afalg_init_aio(&actx->aio) == 0) { + close(actx->sfd); + close(actx->bfd); + return 0; + } +# ifdef ALG_ZERO_COPY + pipe(actx->zc_pipe); +# endif + + actx->init_done = MAGIC_INIT_NUM; + + return 1; +} + +static int afalg_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + afalg_ctx *actx; + int ret; + char nxtiv[ALG_AES_IV_LEN] = { 0 }; + + if (ctx == NULL || out == NULL || in == NULL) { + ALG_WARN("NULL parameter passed to function %s\n", __func__); + return 0; + } + + actx = (afalg_ctx *) EVP_CIPHER_CTX_cipher_data(ctx); + if (actx == NULL || actx->init_done != MAGIC_INIT_NUM) { + ALG_WARN("%s afalg ctx passed\n", + ctx == NULL ? "NULL" : "Uninitialised"); + return 0; + } + + /* + * set iv now for decrypt operation as the input buffer can be + * overwritten for inplace operation where in = out. + */ + if (EVP_CIPHER_CTX_encrypting(ctx) == 0) { + memcpy(nxtiv, in + (inl - ALG_AES_IV_LEN), ALG_AES_IV_LEN); + } + + /* Send input data to kernel space */ + ret = afalg_start_cipher_sk(actx, (unsigned char *)in, inl, + EVP_CIPHER_CTX_iv(ctx), + EVP_CIPHER_CTX_encrypting(ctx)); + if (ret < 1) { + return 0; + } + + /* Perform async crypto operation in kernel space */ + ret = afalg_fin_cipher_aio(&actx->aio, actx->sfd, out, inl); + if (ret < 1) { + ALG_WARN("%s: Socket cipher operation failed\n", __func__); + return 0; + } + + if (EVP_CIPHER_CTX_encrypting(ctx)) { + memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), out + (inl - ALG_AES_IV_LEN), + ALG_AES_IV_LEN); + } else { + memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), nxtiv, ALG_AES_IV_LEN); + } + + return 1; +} + +static int afalg_cipher_cleanup(EVP_CIPHER_CTX *ctx) +{ + afalg_ctx *actx; + + if (ctx == NULL) { + ALG_WARN("NULL parameter passed to function %s\n", __func__); + return 0; + } + + actx = (afalg_ctx *) EVP_CIPHER_CTX_cipher_data(ctx); + if (actx == NULL || actx->init_done != MAGIC_INIT_NUM) { + ALG_WARN("%s afalg ctx passed\n", + ctx == NULL ? "NULL" : "Uninitialised"); + return 0; + } + + close(actx->sfd); + close(actx->bfd); +# ifdef ALG_ZERO_COPY + close(actx->zc_pipe[0]); + close(actx->zc_pipe[1]); +# endif + /* close sync mode efd, async mode is closed in afalg_waitfd_cleanup() */ + if (actx->aio.efd_sync >= 0) + close(actx->aio.efd_sync); + io_destroy(actx->aio.aio_ctx); + + return 1; +} + +const EVP_CIPHER *afalg_aes_128_cbc(void) +{ + if (_hidden_aes_128_cbc == NULL + && ((_hidden_aes_128_cbc = + EVP_CIPHER_meth_new(NID_aes_128_cbc, + AES_BLOCK_SIZE, + AES_KEY_SIZE_128)) == NULL + || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc, AES_IV_LEN) + || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc, + EVP_CIPH_CBC_MODE | + EVP_CIPH_FLAG_DEFAULT_ASN1) + || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc, + afalg_cipher_init) + || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc, + afalg_do_cipher) + || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_128_cbc, + afalg_cipher_cleanup) + || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc, + sizeof(afalg_ctx)))) { + EVP_CIPHER_meth_free(_hidden_aes_128_cbc); + _hidden_aes_128_cbc = NULL; + } + return _hidden_aes_128_cbc; +} + +static int afalg_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + const int **nids, int nid) +{ + int r = 1; + + if (cipher == NULL) { + *nids = afalg_cipher_nids; + return (sizeof(afalg_cipher_nids) / sizeof(afalg_cipher_nids[0])); + } + + switch (nid) { + case NID_aes_128_cbc: + *cipher = afalg_aes_128_cbc(); + break; + default: + *cipher = NULL; + r = 0; + } + + return r; +} + +static int bind_afalg(ENGINE *e) +{ + /* Ensure the afalg error handling is set up */ + ERR_load_AFALG_strings(); + + if (!ENGINE_set_id(e, engine_afalg_id) + || !ENGINE_set_name(e, engine_afalg_name) + || !ENGINE_set_destroy_function(e, afalg_destroy) + || !ENGINE_set_init_function(e, afalg_init) + || !ENGINE_set_finish_function(e, afalg_finish)) { + AFALGerr(AFALG_F_BIND_AFALG, AFALG_R_INIT_FAILED); + return 0; + } + + if (!ENGINE_set_ciphers(e, afalg_ciphers)) { + AFALGerr(AFALG_F_BIND_AFALG, AFALG_R_INIT_FAILED); + return 0; + } + + return 1; +} + +# ifndef OPENSSL_NO_DYNAMIC_ENGINE +static int bind_helper(ENGINE *e, const char *id) +{ + if (id && (strcmp(id, engine_afalg_id) != 0)) + return 0; + + if (!afalg_chk_platform()) + return 0; + + if (!bind_afalg(e)) + return 0; + return 1; +} + +IMPLEMENT_DYNAMIC_CHECK_FN() + IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) +# endif +static int afalg_chk_platform(void) +{ + int ret; + int i; + int kver[3] = { -1, -1, -1 }; + char *str; + struct utsname ut; + + ret = uname(&ut); + if (ret != 0) { + ALG_ERR("%s: Failed to get system information\n", __func__); + return 0; + } + + str = strtok(ut.release, "."); + for (i = 0; i < 3 && str != NULL; i++) { + kver[i] = atoi(str); + str = strtok(NULL, "."); + } + + if (KERNEL_VERSION(kver[0], kver[1], kver[2]) + < KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)) { + ALG_WARN("ASYNC AFALG not supported this kernel(%d.%d.%d)\n", + kver[0], kver[1], kver[2]); + ALG_WARN("ASYNC AFALG requires kernel version %d.%d.%d or later\n", + K_MAJ, K_MIN1, K_MIN2); + AFALGerr(AFALG_F_AFALG_CHK_PLATFORM, + AFALG_R_KERNEL_DOES_NOT_SUPPORT_ASYNC_AFALG); + return 0; + } + + return 1; +} + +# ifdef OPENSSL_NO_DYNAMIC_ENGINE +static ENGINE *engine_afalg(void) +{ + ENGINE *ret = ENGINE_new(); + if (ret == NULL) + return NULL; + if (!bind_afalg(ret)) { + ENGINE_free(ret); + return NULL; + } + return ret; +} + +static void ENGINE_load_afalg(void) +{ + ENGINE *toadd; + + if (!afalg_chk_platform()) + return; + + toadd = engine_afalg(); + if (toadd == NULL) + return; + ENGINE_add(toadd); + ENGINE_free(toadd); + ERR_clear_error(); +} +# endif + +static int afalg_init(ENGINE *e) +{ + return 1; +} + +static int afalg_finish(ENGINE *e) +{ + return 1; +} + +static int afalg_destroy(ENGINE *e) +{ + ERR_unload_AFALG_strings(); + return 1; +} + +#endif /* KERNEL VERSION */ diff --git a/engines/afalg/e_afalg.ec b/engines/afalg/e_afalg.ec new file mode 100644 index 0000000000..2d14d6597d --- /dev/null +++ b/engines/afalg/e_afalg.ec @@ -0,0 +1 @@ +L AFALG e_afalg_err.h e_afalg_err.c diff --git a/engines/afalg/e_afalg.h b/engines/afalg/e_afalg.h new file mode 100644 index 0000000000..6c92485f3f --- /dev/null +++ b/engines/afalg/e_afalg.h @@ -0,0 +1,111 @@ +/* ==================================================================== + * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning fea |