summaryrefslogtreecommitdiff
path: root/package/openssl/patches/patch-crypto_engine_eng_cryptodev_c
diff options
context:
space:
mode:
authorWaldemar Brodkorb <wbx@openadk.org>2015-04-06 16:10:52 +0200
committerWaldemar Brodkorb <wbx@openadk.org>2015-04-06 16:10:52 +0200
commit82a266c21bdd3fd746fc862654abd131f74c2f51 (patch)
treee12fe567a150dc445211f07ce9ee34de71135aab /package/openssl/patches/patch-crypto_engine_eng_cryptodev_c
parent131c2c6d2339f15e2789d69bfa985994c84d5459 (diff)
update openssl, fix Cygwin host build
Diffstat (limited to 'package/openssl/patches/patch-crypto_engine_eng_cryptodev_c')
-rw-r--r--package/openssl/patches/patch-crypto_engine_eng_cryptodev_c2613
1 files changed, 2386 insertions, 227 deletions
diff --git a/package/openssl/patches/patch-crypto_engine_eng_cryptodev_c b/package/openssl/patches/patch-crypto_engine_eng_cryptodev_c
index 7b8898a5d..603e33133 100644
--- a/package/openssl/patches/patch-crypto_engine_eng_cryptodev_c
+++ b/package/openssl/patches/patch-crypto_engine_eng_cryptodev_c
@@ -1,5 +1,5 @@
---- openssl-1.0.1e.orig/crypto/engine/eng_cryptodev.c 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/engine/eng_cryptodev.c 2013-08-09 16:51:49.915851335 +0200
+--- openssl-1.0.2a.orig/crypto/engine/eng_cryptodev.c 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/engine/eng_cryptodev.c 2015-02-02 21:02:31.009892700 +0100
@@ -2,6 +2,7 @@
* Copyright (c) 2002 Bob Beck <beck@openbsd.org>
* Copyright (c) 2002 Theo de Raadt
@@ -8,250 +8,1502 @@
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
-@@ -74,9 +75,7 @@ struct dev_crypto_state {
- int d_fd;
+@@ -32,8 +33,8 @@
+ #include <openssl/bn.h>
- #ifdef USE_CRYPTODEV_DIGESTS
-- char dummy_mac_key[HASH_MAX_LEN];
+ #if (defined(__unix__) || defined(unix)) && !defined(USG) && \
+- (defined(OpenBSD) || defined(__FreeBSD__))
+-# include <sys/param.h>
++ (defined(OpenBSD) || defined(__FreeBSD__))
++#include <sys/param.h>
+ # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
+ # define HAVE_CRYPTODEV
+ # endif
+@@ -44,39 +45,40 @@
+
+ #ifndef HAVE_CRYPTODEV
+
+-void ENGINE_load_cryptodev(void)
++void
++ENGINE_load_cryptodev(void)
+ {
+- /* This is a NOP on platforms without /dev/crypto */
+- return;
++ /* This is a NOP on platforms without /dev/crypto */
++ return;
+ }
+
+-#else
-
-- unsigned char digest_res[HASH_MAX_LEN];
+-# include <sys/types.h>
+-# include <crypto/cryptodev.h>
+-# include <openssl/dh.h>
+-# include <openssl/dsa.h>
+-# include <openssl/err.h>
+-# include <openssl/rsa.h>
+-# include <sys/ioctl.h>
+-# include <errno.h>
+-# include <stdio.h>
+-# include <unistd.h>
+-# include <fcntl.h>
+-# include <stdarg.h>
+-# include <syslog.h>
+-# include <errno.h>
+-# include <string.h>
++#else
++
++#include <sys/types.h>
++#include <crypto/cryptodev.h>
++#include <crypto/dh/dh.h>
++#include <crypto/dsa/dsa.h>
++#include <crypto/err/err.h>
++#include <crypto/rsa/rsa.h>
++#include <sys/ioctl.h>
++#include <errno.h>
++#include <stdio.h>
++#include <unistd.h>
++#include <fcntl.h>
++#include <stdarg.h>
++#include <syslog.h>
++#include <errno.h>
++#include <string.h>
+
+ struct dev_crypto_state {
+- struct session_op d_sess;
+- int d_fd;
+-# ifdef USE_CRYPTODEV_DIGESTS
+- char dummy_mac_key[HASH_MAX_LEN];
+- unsigned char digest_res[HASH_MAX_LEN];
+- char *mac_data;
+- int mac_len;
+-# endif
++ struct session_op d_sess;
++ int d_fd;
++
++#ifdef USE_CRYPTODEV_DIGESTS
+ unsigned char digest_res[64];
- char *mac_data;
- int mac_len;
- #endif
-@@ -157,15 +156,21 @@ static struct {
++ char *mac_data;
++ int mac_len;
++#endif
+ };
+
+ static u_int32_t cryptodev_asymfeat = 0;
+@@ -85,196 +87,153 @@ static int get_asym_dev_crypto(void);
+ static int open_dev_crypto(void);
+ static int get_dev_crypto(void);
+ static int get_cryptodev_ciphers(const int **cnids);
+-# ifdef USE_CRYPTODEV_DIGESTS
++#ifdef USE_CRYPTODEV_DIGESTS
+ static int get_cryptodev_digests(const int **cnids);
+-# endif
++#endif
+ static int cryptodev_usable_ciphers(const int **nids);
+ static int cryptodev_usable_digests(const int **nids);
+ static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+- const unsigned char *in, size_t inl);
++ const unsigned char *in, size_t inl);
+ static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+- const unsigned char *iv, int enc);
++ const unsigned char *iv, int enc);
+ static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx);
+ static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+- const int **nids, int nid);
++ const int **nids, int nid);
+ static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
+- const int **nids, int nid);
++ const int **nids, int nid);
+ static int bn2crparam(const BIGNUM *a, struct crparam *crp);
+ static int crparam2bn(struct crparam *crp, BIGNUM *a);
+ static void zapparams(struct crypt_kop *kop);
+ static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r,
+- int slen, BIGNUM *s);
++ int slen, BIGNUM *s);
+
+ static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
+- const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+- BN_MONT_CTX *m_ctx);
+-static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
+- BN_CTX *ctx);
+-static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
+- BN_CTX *ctx);
++ const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
++static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
++ RSA *rsa, BN_CTX *ctx);
++static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+ static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
+- const BIGNUM *p, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
++ const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+ static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g,
+- BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2,
+- BIGNUM *p, BN_CTX *ctx,
+- BN_MONT_CTX *mont);
+-static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen,
+- DSA *dsa);
++ BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p,
++ BN_CTX *ctx, BN_MONT_CTX *mont);
++static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst,
++ int dlen, DSA *dsa);
+ static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
+- DSA_SIG *sig, DSA *dsa);
++ DSA_SIG *sig, DSA *dsa);
+ static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+- const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+- BN_MONT_CTX *m_ctx);
+-static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key,
+- DH *dh);
++ const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
++ BN_MONT_CTX *m_ctx);
++static int cryptodev_dh_compute_key(unsigned char *key,
++ const BIGNUM *pub_key, DH *dh);
+ static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
+- void (*f) (void));
++ void (*f)(void));
+ void ENGINE_load_cryptodev(void);
+
+ static const ENGINE_CMD_DEFN cryptodev_defns[] = {
+- {0, NULL, NULL, 0}
++ { 0, NULL, NULL, 0 }
+ };
+
+ static struct {
+- int id;
+- int nid;
+- int ivmax;
+- int keylen;
++ int id;
++ int nid;
++ int ivmax;
++ int keylen;
+ } ciphers[] = {
+- {
+- CRYPTO_ARC4, NID_rc4, 0, 16,
+- },
+- {
+- CRYPTO_DES_CBC, NID_des_cbc, 8, 8,
+- },
+- {
+- CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24,
+- },
+- {
+- CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16,
+- },
+- {
+- CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24,
+- },
+- {
+- CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32,
+- },
+-# ifdef CRYPTO_AES_CTR
+- {
+- CRYPTO_AES_CTR, NID_aes_128_ctr, 14, 16,
+- },
+- {
+- CRYPTO_AES_CTR, NID_aes_192_ctr, 14, 24,
+- },
+- {
+- CRYPTO_AES_CTR, NID_aes_256_ctr, 14, 32,
+- },
+-# endif
+- {
+- CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16,
+- },
+- {
+- CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16,
+- },
+- {
+- CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0,
+- },
+- {
+- 0, NID_undef, 0, 0,
+- },
++ { CRYPTO_ARC4, NID_rc4, 0, 16, },
++ { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, },
++ { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, },
++ { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, },
++ { CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24, },
++ { CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32, },
++ { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, },
++ { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, },
++ { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, },
++ { 0, NID_undef, 0, 0, },
+ };
+
+-# ifdef USE_CRYPTODEV_DIGESTS
++#ifdef USE_CRYPTODEV_DIGESTS
static struct {
- int id;
- int nid;
-- int keylen;
+- int id;
+- int nid;
+- int keylen;
++ int id;
++ int nid;
+ int digestlen;
} digests[] = {
+- {
+- CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16
+- },
+- {
+- CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20
+- },
+- {
+- CRYPTO_RIPEMD160_HMAC, NID_ripemd160, 16
+- /* ? */
+- },
+- {
+- CRYPTO_MD5_KPDK, NID_undef, 0
+- },
+- {
+- CRYPTO_SHA1_KPDK, NID_undef, 0
+- },
+- {
+- CRYPTO_MD5, NID_md5, 16
+- },
+- {
+- CRYPTO_SHA1, NID_sha1, 20
+- },
+- {
+- 0, NID_undef, 0
+- },
+#if 0
+ /* HMAC is not supported */
- { CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16},
- { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20},
-- { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, 16/*?*/},
-- { CRYPTO_MD5_KPDK, NID_undef, 0},
-- { CRYPTO_SHA1_KPDK, NID_undef, 0},
++ { CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16},
++ { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20},
+ { CRYPTO_SHA2_256_HMAC, NID_hmacWithSHA256, 32},
+ { CRYPTO_SHA2_384_HMAC, NID_hmacWithSHA384, 48},
+ { CRYPTO_SHA2_512_HMAC, NID_hmacWithSHA512, 64},
+#endif
- { CRYPTO_MD5, NID_md5, 16},
- { CRYPTO_SHA1, NID_sha1, 20},
++ { CRYPTO_MD5, NID_md5, 16},
++ { CRYPTO_SHA1, NID_sha1, 20},
+ { CRYPTO_SHA2_256, NID_sha256, 32},
+ { CRYPTO_SHA2_384, NID_sha384, 48},
+ { CRYPTO_SHA2_512, NID_sha512, 64},
- { 0, NID_undef, 0},
++ { 0, NID_undef, 0},
};
- #endif
-@@ -182,7 +187,7 @@ open_dev_crypto(void)
- if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1)
- return (-1);
- /* close on exec */
-- if (fcntl(fd, F_SETFD, 1) == -1) {
+-# endif
++#endif
+
+ /*
+ * Return a fd if /dev/crypto seems usable, 0 otherwise.
+ */
+-static int open_dev_crypto(void)
++static int
++open_dev_crypto(void)
+ {
+- static int fd = -1;
++ static int fd = -1;
+
+- if (fd == -1) {
+- if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1)
+- return (-1);
+- /* close on exec */
+- if (fcntl(fd, F_SETFD, 1) == -1) {
+- close(fd);
+- fd = -1;
+- return (-1);
+- }
+- }
+- return (fd);
++ if (fd == -1) {
++ if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1)
++ return (-1);
++ /* close on exec */
+ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
- close(fd);
- fd = -1;
- return (-1);
-@@ -243,13 +248,14 @@ get_cryptodev_ciphers(const int **cnids)
- static int nids[CRYPTO_ALGORITHM_MAX];
- struct session_op sess;
- int fd, i, count = 0;
++ close(fd);
++ fd = -1;
++ return (-1);
++ }
++ }
++ return (fd);
+ }
+
+-static int get_dev_crypto(void)
++static int
++get_dev_crypto(void)
+ {
+- int fd, retfd;
++ int fd, retfd;
+
+- if ((fd = open_dev_crypto()) == -1)
+- return (-1);
+-# ifndef CRIOGET_NOT_NEEDED
+- if (ioctl(fd, CRIOGET, &retfd) == -1)
+- return (-1);
++ if ((fd = open_dev_crypto()) == -1)
++ return (-1);
++#ifndef CRIOGET_NOT_NEEDED
++ if (ioctl(fd, CRIOGET, &retfd) == -1)
++ return (-1);
+
+- /* close on exec */
+- if (fcntl(retfd, F_SETFD, 1) == -1) {
+- close(retfd);
+- return (-1);
+- }
+-# else
+- retfd = fd;
+-# endif
+- return (retfd);
++ /* close on exec */
++ if (fcntl(retfd, F_SETFD, 1) == -1) {
++ close(retfd);
++ return (-1);
++ }
++#else
++ retfd = fd;
++#endif
++ return (retfd);
+ }
+
+ static void put_dev_crypto(int fd)
+ {
+-# ifndef CRIOGET_NOT_NEEDED
+- close(fd);
+-# endif
++#ifndef CRIOGET_NOT_NEEDED
++ close(fd);
++#endif
+ }
+
+ /* Caching version for asym operations */
+-static int get_asym_dev_crypto(void)
++static int
++get_asym_dev_crypto(void)
+ {
+- static int fd = -1;
++ static int fd = -1;
+
+- if (fd == -1)
+- fd = get_dev_crypto();
+- return fd;
++ if (fd == -1)
++ fd = get_dev_crypto();
++ return fd;
+ }
+
+ /*
+@@ -283,76 +242,80 @@ static int get_asym_dev_crypto(void)
+ * returning them here is harmless, as long as we return NULL
+ * when asked for a handler in the cryptodev_engine_ciphers routine
+ */
+-static int get_cryptodev_ciphers(const int **cnids)
++static int
++get_cryptodev_ciphers(const int **cnids)
+ {
+- static int nids[CRYPTO_ALGORITHM_MAX];
+- struct session_op sess;
+- int fd, i, count = 0;
++ static int nids[CRYPTO_ALGORITHM_MAX];
++ struct session_op sess;
++ int fd, i, count = 0;
+ unsigned char fake_key[EVP_MAX_KEY_LENGTH];
- if ((fd = get_dev_crypto()) < 0) {
- *cnids = NULL;
- return (0);
- }
- memset(&sess, 0, sizeof(sess));
-- sess.key = (caddr_t)"123456789abcdefghijklmno";
+- if ((fd = get_dev_crypto()) < 0) {
+- *cnids = NULL;
+- return (0);
+- }
+- memset(&sess, 0, sizeof(sess));
+- sess.key = (caddr_t) "123456789abcdefghijklmno";
++ if ((fd = get_dev_crypto()) < 0) {
++ *cnids = NULL;
++ return (0);
++ }
++ memset(&sess, 0, sizeof(sess));
+ sess.key = (void*)fake_key;
- for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
- if (ciphers[i].nid == NID_undef)
-@@ -281,6 +287,7 @@ static int
- get_cryptodev_digests(const int **cnids)
+- for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+- if (ciphers[i].nid == NID_undef)
+- continue;
+- sess.cipher = ciphers[i].id;
+- sess.keylen = ciphers[i].keylen;
+- sess.mac = 0;
+- if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
+- ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
+- nids[count++] = ciphers[i].nid;
+- }
+- put_dev_crypto(fd);
++ for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
++ if (ciphers[i].nid == NID_undef)
++ continue;
++ sess.cipher = ciphers[i].id;
++ sess.keylen = ciphers[i].keylen;
++ sess.mac = 0;
++ if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
++ ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
++ nids[count++] = ciphers[i].nid;
++ }
++ put_dev_crypto(fd);
+
+- if (count > 0)
+- *cnids = nids;
+- else
+- *cnids = NULL;
+- return (count);
++ if (count > 0)
++ *cnids = nids;
++ else
++ *cnids = NULL;
++ return (count);
+ }
+
+-# ifdef USE_CRYPTODEV_DIGESTS
++#ifdef USE_CRYPTODEV_DIGESTS
+ /*
+ * Find out what digests /dev/crypto will let us have a session for.
+ * XXX note, that some of these openssl doesn't deal with yet!
+ * returning them here is harmless, as long as we return NULL
+ * when asked for a handler in the cryptodev_engine_digests routine
+ */
+-static int get_cryptodev_digests(const int **cnids)
++static int
++get_cryptodev_digests(const int **cnids)
{
- static int nids[CRYPTO_ALGORITHM_MAX];
+- static int nids[CRYPTO_ALGORITHM_MAX];
+- struct session_op sess;
+- int fd, i, count = 0;
++ static int nids[CRYPTO_ALGORITHM_MAX];
+ unsigned char fake_key[EVP_MAX_KEY_LENGTH];
- struct session_op sess;
- int fd, i, count = 0;
-
-@@ -289,12 +296,12 @@ get_cryptodev_digests(const int **cnids)
- return (0);
- }
- memset(&sess, 0, sizeof(sess));
-- sess.mackey = (caddr_t)"123456789abcdefghijklmno";
++ struct session_op sess;
++ int fd, i, count = 0;
+
+- if ((fd = get_dev_crypto()) < 0) {
+- *cnids = NULL;
+- return (0);
+- }
+- memset(&sess, 0, sizeof(sess));
+- sess.mackey = (caddr_t) "123456789abcdefghijklmno";
+- for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+- if (digests[i].nid == NID_undef)
+- continue;
+- sess.mac = digests[i].id;
+- sess.mackeylen = digests[i].keylen;
+- sess.cipher = 0;
+- if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
+- ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
+- nids[count++] = digests[i].nid;
+- }
+- put_dev_crypto(fd);
++ if ((fd = get_dev_crypto()) < 0) {
++ *cnids = NULL;
++ return (0);
++ }
++ memset(&sess, 0, sizeof(sess));
+ sess.mackey = fake_key;
- for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
- if (digests[i].nid == NID_undef)
- continue;
- sess.mac = digests[i].id;
-- sess.mackeylen = digests[i].keylen;
++ for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
++ if (digests[i].nid == NID_undef)
++ continue;
++ sess.mac = digests[i].id;
+ sess.mackeylen = 8;
- sess.cipher = 0;
- if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
- ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
-@@ -382,14 +389,14 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, un
- cryp.ses = sess->ses;
- cryp.flags = 0;
- cryp.len = inl;
-- cryp.src = (caddr_t) in;
-- cryp.dst = (caddr_t) out;
++ sess.cipher = 0;
++ if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
++ ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
++ nids[count++] = digests[i].nid;
++ }
++ put_dev_crypto(fd);
+
+- if (count > 0)
+- *cnids = nids;
+- else
+- *cnids = NULL;
+- return (count);
++ if (count > 0)
++ *cnids = nids;
++ else
++ *cnids = NULL;
++ return (count);
+ }
+-# endif /* 0 */
++#endif /* 0 */
+
+ /*
+ * Find the useable ciphers|digests from dev/crypto - this is the first
+@@ -375,158 +338,161 @@ static int get_cryptodev_digests(const i
+ * want most of the decisions made about what we actually want
+ * to use from /dev/crypto.
+ */
+-static int cryptodev_usable_ciphers(const int **nids)
++static int
++cryptodev_usable_ciphers(const int **nids)
+ {
+- return (get_cryptodev_ciphers(nids));
++ return (get_cryptodev_ciphers(nids));
+ }
+
+-static int cryptodev_usable_digests(const int **nids)
++static int
++cryptodev_usable_digests(const int **nids)
+ {
+-# ifdef USE_CRYPTODEV_DIGESTS
+- return (get_cryptodev_digests(nids));
+-# else
+- /*
+- * XXXX just disable all digests for now, because it sucks.
+- * we need a better way to decide this - i.e. I may not
+- * want digests on slow cards like hifn on fast machines,
+- * but might want them on slow or loaded machines, etc.
+- * will also want them when using crypto cards that don't
+- * suck moose gonads - would be nice to be able to decide something
+- * as reasonable default without having hackery that's card dependent.
+- * of course, the default should probably be just do everything,
+- * with perhaps a sysctl to turn algoritms off (or have them off
+- * by default) on cards that generally suck like the hifn.
+- */
+- *nids = NULL;
+- return (0);
+-# endif
++#ifdef USE_CRYPTODEV_DIGESTS
++ return (get_cryptodev_digests(nids));
++#else
++ /*
++ * XXXX just disable all digests for now, because it sucks.
++ * we need a better way to decide this - i.e. I may not
++ * want digests on slow cards like hifn on fast machines,
++ * but might want them on slow or loaded machines, etc.
++ * will also want them when using crypto cards that don't
++ * suck moose gonads - would be nice to be able to decide something
++ * as reasonable default without having hackery that's card dependent.
++ * of course, the default should probably be just do everything,
++ * with perhaps a sysctl to turn algoritms off (or have them off
++ * by default) on cards that generally suck like the hifn.
++ */
++ *nids = NULL;
++ return (0);
++#endif
+ }
+
+ static int
+ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+- const unsigned char *in, size_t inl)
++ const unsigned char *in, size_t inl)
+ {
+- struct crypt_op cryp;
+- struct dev_crypto_state *state = ctx->cipher_data;
+- struct session_op *sess = &state->d_sess;
+- const void *iiv;
+- unsigned char save_iv[EVP_MAX_IV_LENGTH];
++ struct crypt_op cryp;
++ struct dev_crypto_state *state = ctx->cipher_data;
++ struct session_op *sess = &state->d_sess;
++ const void *iiv;
++ unsigned char save_iv[EVP_MAX_IV_LENGTH];
+
+- if (state->d_fd < 0)
+- return (0);
+- if (!inl)
+- return (1);
+- if ((inl % ctx->cipher->block_size) != 0)
+- return (0);
++ if (state->d_fd < 0)
++ return (0);
++ if (!inl)
++ return (1);
++ if ((inl % ctx->cipher->block_size) != 0)
++ return (0);
+
+- memset(&cryp, 0, sizeof(cryp));
++ memset(&cryp, 0, sizeof(cryp));
+
+- cryp.ses = sess->ses;
+- cryp.flags = 0;
+- cryp.len = inl;
+- cryp.src = (caddr_t) in;
+- cryp.dst = (caddr_t) out;
+- cryp.mac = 0;
++ cryp.ses = sess->ses;
++ cryp.flags = 0;
++ cryp.len = inl;
+ cryp.src = (void*) in;
+ cryp.dst = (void*) out;
- cryp.mac = 0;
++ cryp.mac = 0;
- cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+- cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
++ cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
- if (ctx->cipher->iv_len) {
-- cryp.iv = (caddr_t) ctx->iv;
+- if (ctx->cipher->iv_len) {
+- cryp.iv = (caddr_t) ctx->iv;
+- if (!ctx->encrypt) {
+- iiv = in + inl - ctx->cipher->iv_len;
+- memcpy(save_iv, iiv, ctx->cipher->iv_len);
+- }
+- } else
+- cryp.iv = NULL;
++ if (ctx->cipher->iv_len) {
+ cryp.iv = (void*) ctx->iv;
- if (!ctx->encrypt) {
- iiv = in + inl - ctx->cipher->iv_len;
- memcpy(save_iv, iiv, ctx->cipher->iv_len);
-@@ -440,7 +447,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx,
- if ((state->d_fd = get_dev_crypto()) < 0)
- return (0);
-
-- sess->key = (caddr_t)key;
++ if (!ctx->encrypt) {
++ iiv = in + inl - ctx->cipher->iv_len;
++ memcpy(save_iv, iiv, ctx->cipher->iv_len);
++ }
++ } else
++ cryp.iv = NULL;
+
+- if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) {
+- /*
+- * XXX need better errror handling this can fail for a number of
+- * different reasons.
+- */
+- return (0);
+- }
++ if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) {
++ /* XXX need better errror handling
++ * this can fail for a number of different reasons.
++ */
++ return (0);
++ }
+
+- if (ctx->cipher->iv_len) {
+- if (ctx->encrypt)
+- iiv = out + inl - ctx->cipher->iv_len;
+- else
+- iiv = save_iv;
+- memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
+- }
+- return (1);
++ if (ctx->cipher->iv_len) {
++ if (ctx->encrypt)
++ iiv = out + inl - ctx->cipher->iv_len;
++ else
++ iiv = save_iv;
++ memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
++ }
++ return (1);
+ }
+
+ static int
+ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+- const unsigned char *iv, int enc)
++ const unsigned char *iv, int enc)
+ {
+- struct dev_crypto_state *state = ctx->cipher_data;
+- struct session_op *sess = &state->d_sess;
+- int cipher = -1, i;
++ struct dev_crypto_state *state = ctx->cipher_data;
++ struct session_op *sess = &state->d_sess;
++ int cipher = -1, i;
+
+- for (i = 0; ciphers[i].id; i++)
+- if (ctx->cipher->nid == ciphers[i].nid &&
+- ctx->cipher->iv_len <= ciphers[i].ivmax &&
+- ctx->key_len == ciphers[i].keylen) {
+- cipher = ciphers[i].id;
+- break;
+- }
++ for (i = 0; ciphers[i].id; i++)
++ if (ctx->cipher->nid == ciphers[i].nid &&
++ ctx->cipher->iv_len <= ciphers[i].ivmax &&
++ ctx->key_len == ciphers[i].keylen) {
++ cipher = ciphers[i].id;
++ break;
++ }
+
+- if (!ciphers[i].id) {
+- state->d_fd = -1;
+- return (0);
+- }
++ if (!ciphers[i].id) {
++ state->d_fd = -1;
++ return (0);
++ }
+
+- memset(sess, 0, sizeof(struct session_op));
++ memset(sess, 0, sizeof(struct session_op));
+
+- if ((state->d_fd = get_dev_crypto()) < 0)
+- return (0);
++ if ((state->d_fd = get_dev_crypto()) < 0)
++ return (0);
+
+- sess->key = (caddr_t) key;
+- sess->keylen = ctx->key_len;
+- sess->cipher = cipher;
+ sess->key = (void*)key;
- sess->keylen = ctx->key_len;
- sess->cipher = cipher;
++ sess->keylen = ctx->key_len;
++ sess->cipher = cipher;
-@@ -660,18 +667,6 @@ digest_nid_to_cryptodev(int nid)
+- if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
+- put_dev_crypto(state->d_fd);
+- state->d_fd = -1;
+- return (0);
+- }
+- return (1);
++ if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
++ put_dev_crypto(state->d_fd);
++ state->d_fd = -1;
++ return (0);
++ }
++ return (1);
}
+ /*
+ * free anything we allocated earlier when initting a
+ * session, and close the session.
+ */
+-static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
++static int
++cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
+ {
+- int ret = 0;
+- struct dev_crypto_state *state = ctx->cipher_data;
+- struct session_op *sess = &state->d_sess;
++ int ret = 0;
++ struct dev_crypto_state *state = ctx->cipher_data;
++ struct session_op *sess = &state->d_sess;
--static int
--digest_key_length(int nid)
--{
-- int i;
+- if (state->d_fd < 0)
+- return (0);
++ if (state->d_fd < 0)
++ return (0);
+
+- /*
+- * XXX if this ioctl fails, someting's wrong. the invoker may have called
+- * us with a bogus ctx, or we could have a device that for whatever
+- * reason just doesn't want to play ball - it's not clear what's right
+- * here - should this be an error? should it just increase a counter,
+- * hmm. For right now, we return 0 - I don't believe that to be "right".
+- * we could call the gorpy openssl lib error handlers that print messages
+- * to users of the library. hmm..
+- */
++ /* XXX if this ioctl fails, someting's wrong. the invoker
++ * may have called us with a bogus ctx, or we could
++ * have a device that for whatever reason just doesn't
++ * want to play ball - it's not clear what's right
++ * here - should this be an error? should it just
++ * increase a counter, hmm. For right now, we return
++ * 0 - I don't believe that to be "right". we could
++ * call the gorpy openssl lib error handlers that
++ * print messages to users of the library. hmm..
++ */
+
+- if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) {
+- ret = 0;
+- } else {
+- ret = 1;
+- }
+- put_dev_crypto(state->d_fd);
+- state->d_fd = -1;
++ if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) {
++ ret = 0;
++ } else {
++ ret = 1;
++ }
++ put_dev_crypto(state->d_fd);
++ state->d_fd = -1;
+
+- return (ret);
++ return (ret);
+ }
+
+ /*
+@@ -536,151 +502,111 @@ static int cryptodev_cleanup(EVP_CIPHER_
+
+ /* RC4 */
+ const EVP_CIPHER cryptodev_rc4 = {
+- NID_rc4,
+- 1, 16, 0,
+- EVP_CIPH_VARIABLE_LENGTH,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- NULL,
+- NULL,
+- NULL
++ NID_rc4,
++ 1, 16, 0,
++ EVP_CIPH_VARIABLE_LENGTH,
++ cryptodev_init_key,
++ cryptodev_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ NULL,
++ NULL,
++ NULL
+ };
+
+ /* DES CBC EVP */
+ const EVP_CIPHER cryptodev_des_cbc = {
+- NID_des_cbc,
+- 8, 8, 8,
+- EVP_CIPH_CBC_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
++ NID_des_cbc,
++ 8, 8, 8,
++ EVP_CIPH_CBC_MODE,
++ cryptodev_init_key,
++ cryptodev_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
+ };
+
+ /* 3DES CBC EVP */
+ const EVP_CIPHER cryptodev_3des_cbc = {
+- NID_des_ede3_cbc,
+- 8, 24, 8,
+- EVP_CIPH_CBC_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
++ NID_des_ede3_cbc,
++ 8, 24, 8,
++ EVP_CIPH_CBC_MODE,
++ cryptodev_init_key,
++ cryptodev_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
+ };
+
+ const EVP_CIPHER cryptodev_bf_cbc = {
+- NID_bf_cbc,
+- 8, 16, 8,
+- EVP_CIPH_CBC_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
++ NID_bf_cbc,
++ 8, 16, 8,
++ EVP_CIPH_CBC_MODE,
++ cryptodev_init_key,
++ cryptodev_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
+ };
+
+ const EVP_CIPHER cryptodev_cast_cbc = {
+- NID_cast5_cbc,
+- 8, 16, 8,
+- EVP_CIPH_CBC_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
++ NID_cast5_cbc,
++ 8, 16, 8,
++ EVP_CIPH_CBC_MODE,
++ cryptodev_init_key,
++ cryptodev_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
+ };
+
+ const EVP_CIPHER cryptodev_aes_cbc = {
+- NID_aes_128_cbc,
+- 16, 16, 16,
+- EVP_CIPH_CBC_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
++ NID_aes_128_cbc,
++ 16, 16, 16,
++ EVP_CIPH_CBC_MODE,
++ cryptodev_init_key,
++ cryptodev_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
+ };
+
+ const EVP_CIPHER cryptodev_aes_192_cbc = {
+- NID_aes_192_cbc,
+- 16, 24, 16,
+- EVP_CIPH_CBC_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
++ NID_aes_192_cbc,
++ 16, 24, 16,
++ EVP_CIPH_CBC_MODE,
++ cryptodev_init_key,
++ cryptodev_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
+ };
+
+ const EVP_CIPHER cryptodev_aes_256_cbc = {
+- NID_aes_256_cbc,
+- 16, 32, 16,
+- EVP_CIPH_CBC_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
+-};
-
-- for (i = 0; digests[i].id; i++)
-- if (digests[i].nid == nid)
-- return digests[i].keylen;
-- return (0);
--}
+-# ifdef CRYPTO_AES_CTR
+-const EVP_CIPHER cryptodev_aes_ctr = {
+- NID_aes_128_ctr,
+- 16, 16, 14,
+- EVP_CIPH_CTR_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
+-};
-
+-const EVP_CIPHER cryptodev_aes_ctr_192 = {
+- NID_aes_192_ctr,
+- 16, 24, 14,
+- EVP_CIPH_CTR_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
++ NID_aes_256_cbc,
++ 16, 32, 16,
++ EVP_CIPH_CBC_MODE,
++ cryptodev_init_key,
++ cryptodev_cipher,
++ cryptodev_cleanup,
++ sizeof(struct dev_crypto_state),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
+ };
+
+-const EVP_CIPHER cryptodev_aes_ctr_256 = {
+- NID_aes_256_ctr,
+- 16, 32, 14,
+- EVP_CIPH_CTR_MODE,
+- cryptodev_init_key,
+- cryptodev_cipher,
+- cryptodev_cleanup,
+- sizeof(struct dev_crypto_state),
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL
+-};
+-# endif
+ /*
+ * Registered by the ENGINE when used to find out how to deal with
+ * a particular NID in the ENGINE. this says what we'll do at the
+@@ -688,316 +614,353 @@ const EVP_CIPHER cryptodev_aes_ctr_256 =