From 04630522c2d9977896f57b7a5f3c876a61462232 Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Fri, 15 Apr 2016 09:45:47 +0100 Subject: [PATCH] Opacity. Reviewed-by: Matt Caswell --- crypto/engine/eng_cryptodev.c | 134 +++++++++++++++++----------------- 1 file changed, 65 insertions(+), 69 deletions(-) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 151529c951..59eab5a744 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -1308,12 +1308,12 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) { const RSA_METHOD *meth = RSA_PKCS1_OpenSSL(); printf("OCF asym process failed, Running in software\n"); - ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont); + ret = RSA_meth_get_bn_mod_exp(meth)(r, a, p, m, ctx, in_mont); } else if (ECANCELED == kop.crk_status) { const RSA_METHOD *meth = RSA_PKCS1_OpenSSL(); printf("OCF hardware operation cancelled. Running in Software\n"); - ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont); + ret = RSA_meth_get_bn_mod_exp(meth)(r, a, p, m, ctx, in_mont); } /* else cryptodev operation worked ok ==> ret = 1 */ @@ -1327,8 +1327,12 @@ cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { int r; + BIGNUM *n = NULL; + BIGNUM *d = NULL; + ctx = BN_CTX_new(); - r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL); + RSA_get0_key(rsa, &n, NULL, &d); + r = cryptodev_bn_mod_exp(r0, I, d, n, ctx, NULL); BN_CTX_free(ctx); return (r); } @@ -1338,8 +1342,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { struct crypt_kop kop; int ret = 1; - - if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) { + BIGNUM *p = NULL; + BIGNUM *q = NULL; + BIGNUM *dmp1 = NULL; + BIGNUM *dmq1 = NULL; + BIGNUM *iqmp = NULL; + BIGNUM *n = NULL; + + RSA_get0_factors(rsa, &p, &q); + RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); + RSA_get0_key(rsa, &n, NULL, NULL); + + if (!p || !q || !dmp1 || !dmq1 || !iqmp) { /* XXX 0 means failure?? */ return (0); } @@ -1347,29 +1361,29 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) memset(&kop, 0, sizeof(kop)); kop.crk_op = CRK_MOD_EXP_CRT; /* inputs: rsa->p rsa->q I rsa->dmp1 rsa->dmq1 rsa->iqmp */ - if (bn2crparam(rsa->p, &kop.crk_param[0])) + if (bn2crparam(p, &kop.crk_param[0])) goto err; - if (bn2crparam(rsa->q, &kop.crk_param[1])) + if (bn2crparam(q, &kop.crk_param[1])) goto err; if (bn2crparam(I, &kop.crk_param[2])) goto err; - if (bn2crparam(rsa->dmp1, &kop.crk_param[3])) + if (bn2crparam(dmp1, &kop.crk_param[3])) goto err; - if (bn2crparam(rsa->dmq1, &kop.crk_param[4])) + if (bn2crparam(dmq1, &kop.crk_param[4])) goto err; - if (bn2crparam(rsa->iqmp, &kop.crk_param[5])) + if (bn2crparam(iqmp, &kop.crk_param[5])) goto err; kop.crk_iparams = 6; - if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) { + if (cryptodev_asym(&kop, BN_num_bytes(n), r0, 0, NULL)) { const RSA_METHOD *meth = RSA_PKCS1_OpenSSL(); printf("OCF asym process failed, running in Software\n"); - ret = (*meth->rsa_mod_exp) (r0, I, rsa, ctx); + ret = RSA_meth_get_mod_exp(meth)(r0, I, rsa, ctx); } else if (ECANCELED == kop.crk_status) { const RSA_METHOD *meth = RSA_PKCS1_OpenSSL(); printf("OCF hardware operation cancelled. Running in Software\n"); - ret = (*meth->rsa_mod_exp) (r0, I, rsa, ctx); + ret = RSA_meth_get_mod_exp(meth)(r0, I, rsa, ctx); } /* else cryptodev operation worked ok ==> ret = 1 */ @@ -1378,21 +1392,7 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) return (ret); } -static RSA_METHOD cryptodev_rsa = { - "cryptodev RSA method", - NULL, /* rsa_pub_enc */ - NULL, /* rsa_pub_dec */ - NULL, /* rsa_priv_enc */ - NULL, /* rsa_priv_dec */ - NULL, - NULL, - NULL, /* init */ - NULL, /* finish */ - 0, /* flags */ - NULL, /* app_data */ - NULL, /* rsa_sign */ - NULL /* rsa_verify */ -}; +static RSA_METHOD *cryptodev_rsa; #ifndef OPENSSL_NO_DSA static int @@ -1556,24 +1556,29 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) struct crypt_kop kop; int dhret = 1; int fd, keylen; + BIGNUM *p = NULL; + BIGNUM *priv_key = NULL; if ((fd = get_asym_dev_crypto()) < 0) { const DH_METHOD *meth = DH_OpenSSL(); - return ((meth->compute_key) (key, pub_key, dh)); + return DH_meth_get_compute_key(meth)(key, pub_key, dh); } - keylen = BN_num_bits(dh->p); + DH_get0_pqg(dh, &p, NULL, NULL); + DH_get0_key(dh, NULL, &priv_key); + + keylen = BN_num_bits(p); memset(&kop, 0, sizeof(kop)); kop.crk_op = CRK_DH_COMPUTE_KEY; /* inputs: dh->priv_key pub_key dh->p key */ - if (bn2crparam(dh->priv_key, &kop.crk_param[0])) + if (bn2crparam(priv_key, &kop.crk_param[0])) goto err; if (bn2crparam(pub_key, &kop.crk_param[1])) goto err; - if (bn2crparam(dh->p, &kop.crk_param[2])) + if (bn2crparam(p, &kop.crk_param[2])) goto err; kop.crk_iparams = 3; @@ -1584,7 +1589,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) if (ioctl(fd, CIOCKEY, &kop) == -1) { const DH_METHOD *meth = DH_OpenSSL(); - dhret = (meth->compute_key) (key, pub_key, dh); + dhret = DH_meth_get_compute_key(meth)(key, pub_key, dh); } err: kop.crk_param[3].crp_p = NULL; @@ -1592,16 +1597,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) return (dhret); } -static DH_METHOD cryptodev_dh = { - "cryptodev DH method", - NULL, /* cryptodev_dh_generate_key */ - NULL, - NULL, - NULL, - NULL, - 0, /* flags */ - NULL /* app_data */ -}; +static DH_METHOD *cryptodev_dh; #endif /* ndef OPENSSL_NO_DH */ @@ -1661,21 +1657,19 @@ void engine_load_cryptodev_int(void) return; } - if (ENGINE_set_RSA(engine, &cryptodev_rsa)) { - const RSA_METHOD *rsa_meth = RSA_PKCS1_OpenSSL(); - - cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp; - cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp; - cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc; - cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec; - cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc; - cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec; - if (cryptodev_asymfeat & CRF_MOD_EXP) { - cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp; - if (cryptodev_asymfeat & CRF_MOD_EXP_CRT) - cryptodev_rsa.rsa_mod_exp = cryptodev_rsa_mod_exp; - else - cryptodev_rsa.rsa_mod_exp = cryptodev_rsa_nocrt_mod_exp; + cryptodev_rsa = RSA_meth_dup(RSA_PKCS1_OpenSSL()); + if (cryptodev_rsa != NULL) { + RSA_meth_set1_name(cryptodev_rsa, "cryptodev RSA method"); + RSA_meth_set_flags(cryptodev_rsa, 0); + if (ENGINE_set_RSA(engine, cryptodev_rsa)) { + if (cryptodev_asymfeat & CRF_MOD_EXP) { + RSA_meth_set_bn_mod_exp(cryptodev_rsa, cryptodev_bn_mod_exp); + if (cryptodev_asymfeat & CRF_MOD_EXP_CRT) + RSA_meth_set_mod_exp(cryptodev_rsa, cryptodev_rsa_mod_exp); + else + RSA_meth_set_mod_exp(cryptodev_rsa, + cryptodev_rsa_nocrt_mod_exp); + } } } @@ -1688,7 +1682,8 @@ void engine_load_cryptodev_int(void) if (cryptodev_asymfeat & CRF_DSA_SIGN) DSA_meth_set_sign(cryptodev_dsa, cryptodev_dsa_do_sign); if (cryptodev_asymfeat & CRF_MOD_EXP) { - DSA_meth_set_bn_mod_exp(cryptodev_dsa, cryptodev_dsa_bn_mod_exp); + DSA_meth_set_bn_mod_exp(cryptodev_dsa, + cryptodev_dsa_bn_mod_exp); DSA_meth_set_mod_exp(cryptodev_dsa, cryptodev_dsa_dsa_mod_exp); } if (cryptodev_asymfeat & CRF_DSA_VERIFY) @@ -1701,16 +1696,17 @@ void engine_load_cryptodev_int(void) #endif #ifndef OPENSSL_NO_DH - if (ENGINE_set_DH(engine, &cryptodev_dh)) { - const DH_METHOD *dh_meth = DH_OpenSSL(); - - cryptodev_dh.generate_key = dh_meth->generate_key; - cryptodev_dh.compute_key = dh_meth->compute_key; - cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp; - if (cryptodev_asymfeat & CRF_MOD_EXP) { - cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh; - if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY) - cryptodev_dh.compute_key = cryptodev_dh_compute_key; + cryptodev_dh = DH_meth_dup(DH_OpenSSL()); + if (cryptodev_dh != NULL) { + DH_meth_set1_name(cryptodev_dh, "cryptodev DH method"); + DH_meth_set_flags(cryptodev_dh, 0); + if (ENGINE_set_DH(engine, cryptodev_dh)) { + if (cryptodev_asymfeat & CRF_MOD_EXP) { + DH_meth_set_bn_mod_exp(cryptodev_dh, cryptodev_mod_exp_dh); + if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY) + DH_meth_set_compute_key(cryptodev_dh, + cryptodev_dh_compute_key); + } } } #endif -- 2.25.1