static int bind_helper (ENGINE *e) {
if (!ENGINE_set_id(e, FS_ENGINE_ID) ||
!ENGINE_set_name (e, FS_ENGINE_NAME) ||
!ENGINE_set_destroy_function (e, engine_fs_destroy) ||
!ENGINE_set_finish_function (e, engine_fs_finish) ||
!ENGINE_set_ctrl_function (e, engine_fs_ctrl) ||
!ENGINE_set_load_privkey_function (e, engine_fs_load_private_key) ||
!ENGINE_set_RSA (e, &engine_fs_rsa) /*||
!ENGINE_set_load_pubkey_function (e, engine_fs_load_public_key) ||
!ENGINE_set_init_function (e, engine_fs_init) ||
!ENGINE_set_DSA (e, engine_fs_dsa) ||
!ENGINE_set_ECDH (e, engine_fs_dh) ||
!ENGINE_set_ECDSA (e, engine_fs_dh) ||
!ENGINE_set_DH (e, engine_fs_dh) ||
!ENGINE_set_RAND (e, engine_fs_rand) ||
!ENGINE_set_STORE (e, asn1_i2d_ex_primitiveengine_fs_rand) ||
!ENGINE_set_ciphers (e, engine_fs_syphers_f) ||
!ENGINE_set_digests (e, engine_fs_digest_f) ||
!ENGINE_set_flags (e, engine_fs_flags) ||
!ENGINE_set_cmd_defns (e, engine_fs_cmd_defns)*/) {
return (0);
}
if (!ENGINE_set_RSA (e, &engine_fs_rsa)
|| !register_rsa_methods ()) {
return 0;
}
return (1);
}
/* This internal function is used by ENGINE_gmp() and possibly by the
* "dynamic" ENGINE support too */
static int bind_helper(ENGINE *e)
{
#ifndef OPENSSL_NO_RSA
const RSA_METHOD *meth1;
#endif
if(!ENGINE_set_id(e, engine_e_gmp_id) ||
!ENGINE_set_name(e, engine_e_gmp_name) ||
#ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &e_gmp_rsa) ||
#endif
!ENGINE_set_destroy_function(e, e_gmp_destroy) ||
!ENGINE_set_init_function(e, e_gmp_init) ||
!ENGINE_set_finish_function(e, e_gmp_finish) ||
!ENGINE_set_ctrl_function(e, e_gmp_ctrl) ||
!ENGINE_set_cmd_defns(e, e_gmp_cmd_defns))
return 0;
#ifndef OPENSSL_NO_RSA
meth1 = RSA_PKCS1_SSLeay();
e_gmp_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
e_gmp_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
e_gmp_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
e_gmp_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
e_gmp_rsa.bn_mod_exp = meth1->bn_mod_exp;
#endif
/* Ensure the e_gmp error handling is set up */
ERR_load_GMP_strings();
return 1;
}
/* This internal function is used by ENGINE_pkcs11() and possibly by the
* "dynamic" ENGINE support too */
static int bind_helper(ENGINE *e)
{
if (!ENGINE_set_id(e, PKCS11_ENGINE_ID) ||
!ENGINE_set_destroy_function(e, engine_destroy) ||
!ENGINE_set_init_function(e, engine_init) ||
!ENGINE_set_finish_function(e, engine_finish) ||
!ENGINE_set_ctrl_function(e, engine_ctrl) ||
!ENGINE_set_cmd_defns(e, engine_cmd_defns) ||
!ENGINE_set_name(e, PKCS11_ENGINE_NAME) ||
#ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, PKCS11_get_rsa_method()) ||
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100002L
#ifndef OPENSSL_NO_EC
/* PKCS11_get_ec_key_method combines ECDSA and ECDH */
!ENGINE_set_EC(e, PKCS11_get_ec_key_method()) ||
#endif /* OPENSSL_NO_EC */
#else /* OPENSSL_VERSION_NUMBER */
#ifndef OPENSSL_NO_ECDSA
!ENGINE_set_ECDSA(e, PKCS11_get_ecdsa_method()) ||
#endif
#ifndef OPENSSL_NO_ECDH
!ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) ||
#endif
#endif /* OPENSSL_VERSION_NUMBER */
!ENGINE_set_load_pubkey_function(e, load_pubkey) ||
!ENGINE_set_load_privkey_function(e, load_privkey)) {
return 0;
} else {
return 1;
}
}
static int keystore_engine_setup(ENGINE* e) {
ALOGV("keystore_engine_setup");
if (!ENGINE_set_id(e, KEYSTORE_ENGINE_ID)
|| !ENGINE_set_name(e, KEYSTORE_ENGINE_NAME)
|| !ENGINE_set_load_privkey_function(e, keystore_loadkey)
|| !ENGINE_set_load_pubkey_function(e, keystore_loadkey)
|| !ENGINE_set_cmd_defns(e, keystore_cmd_defns)) {
ALOGE("Could not set up keystore engine");
return 0;
}
if (!ENGINE_set_RSA(e, &keystore_rsa_meth)
|| !register_rsa_methods()) {
ALOGE("Could not set up keystore RSA methods");
return 0;
}
/* We need a handle in the RSA keys as well for keygen if it's not already initialized. */
pthread_once(&rsa_key_handle_control, init_rsa_key_handle);
if (rsa_key_handle < 0) {
ALOGE("Could not set up RSA ex_data index");
return 0;
}
return 1;
}
/* ---------------------*/
static int bind_helper(ENGINE *e)
{
if (!ENGINE_set_id(e, engine_cluster_labs_id) ||
!ENGINE_set_name(e, engine_cluster_labs_name) ||
# ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &cluster_labs_rsa) ||
# endif
# ifndef OPENSSL_NO_DSA
!ENGINE_set_DSA(e, &cluster_labs_dsa) ||
# endif
# ifndef OPENSSL_NO_DH
!ENGINE_set_DH(e, &cluster_labs_dh) ||
# endif
!ENGINE_set_RAND(e, &cluster_labs_rand) ||
!ENGINE_set_destroy_function(e, cluster_labs_destroy) ||
!ENGINE_set_init_function(e, cluster_labs_init) ||
!ENGINE_set_finish_function(e, cluster_labs_finish) ||
!ENGINE_set_ctrl_function(e, cluster_labs_ctrl) ||
!ENGINE_set_cmd_defns(e, cluster_labs_cmd_defns))
return 0;
/* Ensure the error handling is set up */
ERR_load_CL_strings();
return 1;
}
/*
* This internal function is used by ENGINE_ubsec() and possibly by the
* "dynamic" ENGINE support too
*/
static int bind_helper(ENGINE *e)
{
# ifndef OPENSSL_NO_RSA
const RSA_METHOD *meth1;
# endif
# ifndef OPENSSL_NO_DH
# ifndef HAVE_UBSEC_DH
const DH_METHOD *meth3;
# endif /* HAVE_UBSEC_DH */
# endif
if (!ENGINE_set_id(e, engine_ubsec_id) ||
!ENGINE_set_name(e, engine_ubsec_name) ||
# ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &ubsec_rsa) ||
# endif
# ifndef OPENSSL_NO_DSA
!ENGINE_set_DSA(e, &ubsec_dsa) ||
# endif
# ifndef OPENSSL_NO_DH
!ENGINE_set_DH(e, &ubsec_dh) ||
# endif
!ENGINE_set_destroy_function(e, ubsec_destroy) ||
!ENGINE_set_init_function(e, ubsec_init) ||
!ENGINE_set_finish_function(e, ubsec_finish) ||
!ENGINE_set_ctrl_function(e, ubsec_ctrl) ||
!ENGINE_set_cmd_defns(e, ubsec_cmd_defns))
return 0;
# ifndef OPENSSL_NO_RSA
/*
* We know that the "PKCS1_OpenSSL()" functions hook properly to the
* Broadcom-specific mod_exp and mod_exp_crt so we use those functions.
* NB: We don't use ENGINE_openssl() or anything "more generic" because
* something like the RSAref code may not hook properly, and if you own
* one of these cards then you have the right to do RSA operations on it
* anyway!
*/
meth1 = RSA_PKCS1_OpenSSL();
ubsec_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
ubsec_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
ubsec_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
ubsec_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
# endif
# ifndef OPENSSL_NO_DH
# ifndef HAVE_UBSEC_DH
/* Much the same for Diffie-Hellman */
meth3 = DH_OpenSSL();
ubsec_dh.generate_key = meth3->generate_key;
ubsec_dh.compute_key = meth3->compute_key;
# endif /* HAVE_UBSEC_DH */
# endif
/* Ensure the ubsec error handling is set up */
ERR_load_UBSEC_strings();
return 1;
}
void
ca_engine_init(void)
{
ENGINE *e;
const char *errstr, *name;
if ((e = ENGINE_get_default_RSA()) == NULL) {
if ((e = ENGINE_new()) == NULL) {
errstr = "ENGINE_new";
goto fail;
}
if (!ENGINE_set_name(e, rsae_method.name)) {
errstr = "ENGINE_set_name";
goto fail;
}
if ((rsa_default = RSA_get_default_method()) == NULL) {
errstr = "RSA_get_default_method";
goto fail;
}
} else if ((rsa_default = ENGINE_get_RSA(e)) == NULL) {
errstr = "ENGINE_get_RSA";
goto fail;
}
if ((name = ENGINE_get_name(e)) == NULL)
name = "unknown RSA engine";
log_debug("debug: %s: using %s", __func__, name);
if (rsa_default->flags & RSA_FLAG_SIGN_VER)
fatalx("unsupported RSA engine");
if (rsa_default->rsa_mod_exp == NULL)
rsae_method.rsa_mod_exp = NULL;
if (rsa_default->bn_mod_exp == NULL)
rsae_method.bn_mod_exp = NULL;
if (rsa_default->rsa_keygen == NULL)
rsae_method.rsa_keygen = NULL;
rsae_method.flags = rsa_default->flags |
RSA_METHOD_FLAG_NO_CHECK;
rsae_method.app_data = rsa_default->app_data;
if (!ENGINE_set_RSA(e, &rsae_method)) {
errstr = "ENGINE_set_RSA";
goto fail;
}
if (!ENGINE_set_default_RSA(e)) {
errstr = "ENGINE_set_default_RSA";
goto fail;
}
return;
fail:
ssl_error(errstr);
fatalx("%s", errstr);
}
static ENGINE* LoadEngine()
{
// This function creates an engine for PKCS#11 and inspired by
// the "ENGINE_load_dynamic" function from OpenSSL, in file
// "crypto/engine/eng_dyn.c"
ENGINE* engine = ENGINE_new();
if (!engine)
{
LOG(ERROR) << "Cannot create an OpenSSL engine for PKCS#11";
throw OrthancException(ErrorCode_InternalError);
}
// Create a PKCS#11 context using libp11
context_ = pkcs11_new();
if (!context_)
{
LOG(ERROR) << "Cannot create a libp11 context for PKCS#11";
ENGINE_free(engine);
throw OrthancException(ErrorCode_InternalError);
}
if (!ENGINE_set_id(engine, PKCS11_ENGINE_ID) ||
!ENGINE_set_name(engine, PKCS11_ENGINE_NAME) ||
!ENGINE_set_cmd_defns(engine, PKCS11_ENGINE_COMMANDS) ||
// Register the callback functions
!ENGINE_set_init_function(engine, EngineInitialize) ||
!ENGINE_set_finish_function(engine, EngineFinalize) ||
!ENGINE_set_destroy_function(engine, EngineDestroy) ||
!ENGINE_set_ctrl_function(engine, EngineControl) ||
!ENGINE_set_load_pubkey_function(engine, EngineLoadPublicKey) ||
!ENGINE_set_load_privkey_function(engine, EngineLoadPrivateKey) ||
!ENGINE_set_RSA(engine, PKCS11_get_rsa_method()) ||
!ENGINE_set_ECDSA(engine, PKCS11_get_ecdsa_method()) ||
!ENGINE_set_ECDH(engine, PKCS11_get_ecdh_method()) ||
#if OPENSSL_VERSION_NUMBER >= 0x10100002L
!ENGINE_set_EC(engine, PKCS11_get_ec_key_method()) ||
#endif
// Make OpenSSL know about our PKCS#11 engine
!ENGINE_add(engine))
{
LOG(ERROR) << "Cannot initialize the OpenSSL engine for PKCS#11";
pkcs11_finish(context_);
ENGINE_free(engine);
throw OrthancException(ErrorCode_InternalError);
}
// If the "ENGINE_add" worked, it gets a structural
// reference. We release our just-created reference.
ENGINE_free(engine);
return ENGINE_by_id(PKCS11_ENGINE_ID);
}
static
PKCS11H_BOOL
__pkcs11h_openssl_session_setRSA(
IN const pkcs11h_openssl_session_t openssl_session,
IN EVP_PKEY * evp
) {
PKCS11H_BOOL ret = FALSE;
RSA *rsa = NULL;
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
"PKCS#11: __pkcs11h_openssl_session_setRSA - entered openssl_session=%p, evp=%p",
(void *)openssl_session,
(void *)evp
);
if (
(rsa = EVP_PKEY_get1_RSA (evp)) == NULL
) {
_PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get RSA key");
goto cleanup;
}
RSA_set_method (rsa, __openssl_methods.rsa);
RSA_set_ex_data (rsa, __openssl_methods.rsa_index, openssl_session);
#if OPENSSL_VERSION_NUMBER < 0x10100001L
rsa->flags |= RSA_FLAG_SIGN_VER;
#endif
#ifdef BROKEN_OPENSSL_ENGINE
if (!rsa->engine) {
rsa->engine = ENGINE_get_default_RSA ();
}
ENGINE_set_RSA(ENGINE_get_default_RSA (), &openssl_session->rsa);
_PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: OpenSSL engine support is broken! Workaround enabled");
#endif
ret = TRUE;
cleanup:
if (rsa != NULL) {
RSA_free (rsa);
rsa = NULL;
}
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
"PKCS#11: __pkcs11h_openssl_session_setRSA - return ret=%d",
ret
);
return ret;
}
static int bind_devcrypto(ENGINE *e) {
if (!ENGINE_set_id(e, engine_devcrypto_id)
|| !ENGINE_set_name(e, "/dev/crypto engine")
|| !ENGINE_set_destroy_function(e, devcrypto_unload)
|| !ENGINE_set_cmd_defns(e, devcrypto_cmds)
|| !ENGINE_set_ctrl_function(e, devcrypto_ctrl))
return 0;
prepare_cipher_methods();
#ifdef IMPLEMENT_DIGEST
prepare_digest_methods();
#endif
return (ENGINE_set_ciphers(e, devcrypto_ciphers)
#ifdef IMPLEMENT_DIGEST
&& ENGINE_set_digests(e, devcrypto_digests)
#endif
/*
* Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
* implementations, it seems to only exist in FreeBSD, and regarding the
* parameters in its crypt_kop, the manual crypto(4) has this to say:
*
* The semantics of these arguments are currently undocumented.
*
* Reading through the FreeBSD source code doesn't give much more than
* their CRK_MOD_EXP implementation for ubsec.
*
* It doesn't look much better with cryptodev-linux. They have the crypt_kop
* structure as well as the command (CRK_*) in cryptodev.h, but no support
* seems to be implemented at all for the moment.
*
* At the time of writing, it seems impossible to write proper support for
* FreeBSD's asym features without some very deep knowledge and access to
* specific kernel modules.
*
* /Richard Levitte, 2017-05-11
*/
#if 0
# ifndef OPENSSL_NO_RSA
&& ENGINE_set_RSA(e, devcrypto_rsa)
# endif
# ifndef OPENSSL_NO_DSA
&& ENGINE_set_DSA(e, devcrypto_dsa)
# endif
# ifndef OPENSSL_NO_DH
&& ENGINE_set_DH(e, devcrypto_dh)
# endif
# ifndef OPENSSL_NO_EC
&& ENGINE_set_EC(e, devcrypto_ec)
# endif
#endif
);
}
/*
* This internal function is used by ENGINE_chil() and possibly by the
* "dynamic" ENGINE support too
*/
static int bind_helper(ENGINE *e)
{
# ifndef OPENSSL_NO_RSA
const RSA_METHOD *meth1;
# endif
# ifndef OPENSSL_NO_DH
const DH_METHOD *meth2;
# endif
if (!ENGINE_set_id(e, engine_hwcrhk_id) ||
!ENGINE_set_name(e, engine_hwcrhk_name) ||
# ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &hwcrhk_rsa) ||
# endif
# ifndef OPENSSL_NO_DH
!ENGINE_set_DH(e, &hwcrhk_dh) ||
# endif
!ENGINE_set_RAND(e, &hwcrhk_rand) ||
!ENGINE_set_destroy_function(e, hwcrhk_destroy) ||
!ENGINE_set_init_function(e, hwcrhk_init) ||
!ENGINE_set_finish_function(e, hwcrhk_finish) ||
!ENGINE_set_ctrl_function(e, hwcrhk_ctrl) ||
!ENGINE_set_load_privkey_function(e, hwcrhk_load_privkey) ||
!ENGINE_set_load_pubkey_function(e, hwcrhk_load_pubkey) ||
!ENGINE_set_cmd_defns(e, hwcrhk_cmd_defns))
return 0;
# ifndef OPENSSL_NO_RSA
/*
* We know that the "PKCS1_SSLeay()" functions hook properly to the
* cswift-specific mod_exp and mod_exp_crt so we use those functions. NB:
* We don't use ENGINE_openssl() or anything "more generic" because
* something like the RSAref code may not hook properly, and if you own
* one of these cards then you have the right to do RSA operations on it
* anyway!
*/
meth1 = RSA_PKCS1_SSLeay();
hwcrhk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
hwcrhk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
hwcrhk_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
hwcrhk_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
# endif
# ifndef OPENSSL_NO_DH
/* Much the same for Diffie-Hellman */
meth2 = DH_OpenSSL();
hwcrhk_dh.generate_key = meth2->generate_key;
hwcrhk_dh.compute_key = meth2->compute_key;
# endif
/* Ensure the hwcrhk error handling is set up */
ERR_load_HWCRHK_strings();
return 1;
}
static int bind_dasync(ENGINE *e)
{
/* Ensure the dasync error handling is set up */
ERR_load_DASYNC_strings();
if (!ENGINE_set_id(e, engine_dasync_id)
|| !ENGINE_set_name(e, engine_dasync_name)
|| !ENGINE_set_RSA(e, &dasync_rsa_method)
|| !ENGINE_set_digests(e, dasync_digests)
|| !ENGINE_set_destroy_function(e, dasync_destroy)
|| !ENGINE_set_init_function(e, dasync_init)
|| !ENGINE_set_finish_function(e, dasync_finish)) {
DASYNCerr(DASYNC_F_BIND_DASYNC, DASYNC_R_INIT_FAILED);
return 0;
}
return 1;
}
static int bind_rsaref(ENGINE *e)
{
const RSA_METHOD *meth1;
if(!ENGINE_set_id(e, engine_rsaref_id)
|| !ENGINE_set_name(e, engine_rsaref_name)
|| !ENGINE_set_RSA(e, &rsaref_rsa)
|| !ENGINE_set_ciphers(e, rsaref_ciphers)
|| !ENGINE_set_digests(e, rsaref_digests)
|| !ENGINE_set_destroy_function(e, rsaref_destroy)
|| !ENGINE_set_init_function(e, rsaref_init)
|| !ENGINE_set_finish_function(e, rsaref_finish)
/* || !ENGINE_set_ctrl_function(e, rsaref_ctrl) */
/* || !ENGINE_set_cmd_defns(e, rsaref_cmd_defns) */)
return 0;
/* Ensure the rsaref error handling is set up */
ERR_load_RSAREF_strings();
return 1;
}
static ENGINE *
sc_get_engine(void)
{
static ENGINE *smart_engine = NULL;
if ((smart_engine = ENGINE_new()) == NULL)
fatal("ENGINE_new failed");
ENGINE_set_id(smart_engine, "sectok");
ENGINE_set_name(smart_engine, "libsectok");
ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
ENGINE_set_RAND(smart_engine, RAND_SSLeay());
ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp);
return smart_engine;
}
/*
* This internal function is used by ENGINE_openssl() and possibly by the
* "dynamic" ENGINE support too
*/
static int bind_helper(ENGINE *e)
{
if (!ENGINE_set_id(e, engine_openssl_id)
|| !ENGINE_set_name(e, engine_openssl_name)
|| !ENGINE_set_destroy_function(e, openssl_destroy)
#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
# ifndef OPENSSL_NO_RSA
|| !ENGINE_set_RSA(e, RSA_get_default_method())
# endif
# ifndef OPENSSL_NO_DSA
|| !ENGINE_set_DSA(e, DSA_get_default_method())
# endif
# ifndef OPENSSL_NO_EC
|| !ENGINE_set_EC(e, EC_KEY_OpenSSL())
# endif
# ifndef OPENSSL_NO_DH
|| !ENGINE_set_DH(e, DH_get_default_method())
# endif
|| !ENGINE_set_RAND(e, RAND_OpenSSL())
# ifdef TEST_ENG_OPENSSL_RC4
|| !ENGINE_set_ciphers(e, openssl_ciphers)
# endif
# ifdef TEST_ENG_OPENSSL_SHA
|| !ENGINE_set_digests(e, openssl_digests)
# endif
#endif
#ifdef TEST_ENG_OPENSSL_PKEY
|| !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
#endif
#ifdef TEST_ENG_OPENSSL_HMAC
|| !ossl_register_hmac_meth()
|| !ENGINE_set_pkey_meths(e, ossl_pkey_meths)
#endif
)
return 0;
/*
* If we add errors to this ENGINE, ensure the error handling is setup
* here
*/
/* openssl_load_error_strings(); */
return 1;
}
static int bind_capi(ENGINE *e)
{
if (!ENGINE_set_id(e, engine_capi_id)
|| !ENGINE_set_name(e, engine_capi_name)
|| !ENGINE_set_init_function(e, capi_init)
|| !ENGINE_set_finish_function(e, capi_finish)
|| !ENGINE_set_destroy_function(e, capi_destroy)
|| !ENGINE_set_RSA(e, &capi_rsa_method)
|| !ENGINE_set_DSA(e, &capi_dsa_method)
|| !ENGINE_set_load_privkey_function(e, capi_load_privkey)
|| !ENGINE_set_load_ssl_client_cert_function(e,
capi_load_ssl_client_cert)
|| !ENGINE_set_cmd_defns(e, capi_cmd_defns)
|| !ENGINE_set_ctrl_function(e, capi_ctrl))
return 0;
ERR_load_CAPI_strings();
return 1;
}
/* This internal function is used by ENGINE_tpm() and possibly by the
* "dynamic" ENGINE support too */
static int bind_helper(ENGINE * e)
{
if (!ENGINE_set_id(e, engine_tpm_id) ||
!ENGINE_set_name(e, engine_tpm_name) ||
#ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &tpm_rsa) ||
#endif
!ENGINE_set_RAND(e, &tpm_rand) ||
!ENGINE_set_destroy_function(e, tpm_engine_destroy) ||
!ENGINE_set_init_function(e, tpm_engine_init) ||
!ENGINE_set_finish_function(e, tpm_engine_finish) ||
!ENGINE_set_ctrl_function(e, tpm_engine_ctrl) ||
!ENGINE_set_load_pubkey_function(e, tpm_engine_load_key) ||
!ENGINE_set_load_privkey_function(e, tpm_engine_load_key) ||
!ENGINE_set_cmd_defns(e, tpm_cmd_defns))
return 0;
/* Ensure the tpm error handling is set up */
ERR_load_TPM_strings();
return 1;
}
/* This internal function is used by ENGINE_openssl() and possibly by the
* "dynamic" ENGINE support too */
static int bind_helper(ENGINE *e)
{
if(!ENGINE_set_id(e, engine_openssl_id)
|| !ENGINE_set_name(e, engine_openssl_name)
#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
#ifndef OPENSSL_NO_RSA
|| !ENGINE_set_RSA(e, RSA_get_default_method())
#endif
#ifndef OPENSSL_NO_DSA
|| !ENGINE_set_DSA(e, DSA_get_default_method())
#endif
#ifndef OPENSSL_NO_ECDH
|| !ENGINE_set_ECDH(e, ECDH_OpenSSL())
#endif
#ifndef OPENSSL_NO_ECDSA
|| !ENGINE_set_ECDSA(e, ECDSA_OpenSSL())
#endif
#ifndef OPENSSL_NO_DH
|| !ENGINE_set_DH(e, DH_get_default_method())
#endif
|| !ENGINE_set_RAND(e, RAND_SSLeay())
#ifdef TEST_ENG_OPENSSL_RC4
|| !ENGINE_set_ciphers(e, openssl_ciphers)
#endif
#ifdef TEST_ENG_OPENSSL_SHA
|| !ENGINE_set_digests(e, openssl_digests)
#endif
#endif
//MS:
#ifndef OPENSSL_NO_STDIO
#ifdef TEST_ENG_OPENSSL_PKEY
|| !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
#endif
#endif
)
return 0;
/* If we add errors to this ENGINE, ensure the error handling is setup here */
/* openssl_load_error_strings(); */
return 1;
}
/* ---------------------*/
static int bind_helper(ENGINE *e)
{
if (!ENGINE_set_id(e, engine_4758_cca_id) ||
!ENGINE_set_name(e, engine_4758_cca_name) ||
# ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &ibm_4758_cca_rsa) ||
# endif
!ENGINE_set_RAND(e, &ibm_4758_cca_rand) ||
!ENGINE_set_destroy_function(e, ibm_4758_cca_destroy) ||
!ENGINE_set_init_function(e, ibm_4758_cca_init) ||
!ENGINE_set_finish_function(e, ibm_4758_cca_finish) ||
!ENGINE_set_ctrl_function(e, ibm_4758_cca_ctrl) ||
# ifndef OPENSSL_NO_RSA
!ENGINE_set_load_privkey_function(e, ibm_4758_load_privkey) ||
!ENGINE_set_load_pubkey_function(e, ibm_4758_load_pubkey) ||
# endif
!ENGINE_set_cmd_defns(e, cca4758_cmd_defns))
return 0;
/* Ensure the error handling is set up */
ERR_load_CCA4758_strings();
return 1;
}
static int bind_HCSP(ENGINE* e)
{
if (!ENGINE_set_id(e, engine_HCSP_id)
|| !ENGINE_set_name(e, engine_HCSP_name)
|| !ENGINE_set_RSA(e, &HCSP_rsa)
|| !ENGINE_set_destroy_function(e, HCSP_destroy)
|| !ENGINE_set_init_function(e, HCSP_init)
|| !ENGINE_set_finish_function(e, HCSP_finish)
|| !ENGINE_set_load_pubkey_function(e, HCSP_load_key)
|| !ENGINE_set_load_privkey_function(e, HCSP_load_key)
#ifdef FILE_CONFIG
|| !ENGINE_set_ctrl_function(e, HCSP_ctrl)
|| !ENGINE_set_cmd_defns(e, HCSP_cmd_defns)
#endif
) return 0;
/* Ensure the rsaref error handling is set up */
#ifndef OPENSSL_NO_ERR
ERR_load_HCSP_strings();
#endif
return 1;
}
/*
* This engine is always built into libcrypto, so it doesn't offer any
* ability to be dynamically loadable.
*/
void engine_load_devcrypto_int()
{
ENGINE *e = NULL;
if (access("/dev/crypto", R_OK | W_OK) < 0) {
fprintf(stderr,
"/dev/crypto not present, not enabling devcrypto engine\n");
return;
}
prepare_cipher_methods();
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
prepare_digest_methods();
#endif
if ((e = ENGINE_new()) == NULL)
return;
if (!ENGINE_set_id(e, "devcrypto")
|| !ENGINE_set_name(e, "/dev/crypto engine")
|| !ENGINE_set_destroy_function(e, devcrypto_unload)
/*
* Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
* implementations, it seems to only exist in FreeBSD, and regarding the
* parameters in its crypt_kop, the manual crypto(4) has this to say:
*
* The semantics of these arguments are currently undocumented.
*
* Reading through the FreeBSD source code doesn't give much more than
* their CRK_MOD_EXP implementation for ubsec.
*
* It doesn't look much better with cryptodev-linux. They have the crypt_kop
* structure as well as the command (CRK_*) in cryptodev.h, but no support
* seems to be implemented at all for the moment.
*
* At the time of writing, it seems impossible to write proper support for
* FreeBSD's asym features without some very deep knowledge and access to
* specific kernel modules.
*
* /Richard Levitte, 2017-05-11
*/
#if 0
# ifndef OPENSSL_NO_RSA
|| !ENGINE_set_RSA(e, devcrypto_rsa)
# endif
# ifndef OPENSSL_NO_DSA
|| !ENGINE_set_DSA(e, devcrypto_dsa)
# endif
# ifndef OPENSSL_NO_DH
|| !ENGINE_set_DH(e, devcrypto_dh)
# endif
# ifndef OPENSSL_NO_EC
|| !ENGINE_set_EC(e, devcrypto_ec)
# endif
#endif
|| !ENGINE_set_ciphers(e, devcrypto_ciphers)
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
|| !ENGINE_set_digests(e, devcrypto_digests)
#endif
) {
ENGINE_free(e);
return;
}
ENGINE_add(e);
ENGINE_free(e); /* Loose our local reference */
ERR_clear_error();
}
/*
* This internal function is used by ENGINE_nuron() and possibly by the
* "dynamic" ENGINE support too
*/
static int bind_helper(ENGINE *e)
{
# ifndef OPENSSL_NO_RSA
const RSA_METHOD *meth1;
# endif
# ifndef OPENSSL_NO_DSA
const DSA_METHOD *meth2;
# endif
# ifndef OPENSSL_NO_DH
const DH_METHOD *meth3;
# endif
if (!ENGINE_set_id(e, engine_nuron_id) ||
!ENGINE_set_name(e, engine_nuron_name) ||
# ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &nuron_rsa) ||
# endif
# ifndef OPENSSL_NO_DSA
!ENGINE_set_DSA(e, &nuron_dsa) ||
# endif
# ifndef OPENSSL_NO_DH
!ENGINE_set_DH(e, &nuron_dh) ||
# endif
!ENGINE_set_destroy_function(e, nuron_destroy) ||
!ENGINE_set_init_function(e, nuron_init) ||
!ENGINE_set_finish_function(e, nuron_finish) ||
!ENGINE_set_ctrl_function(e, nuron_ctrl) ||
!ENGINE_set_cmd_defns(e, nuron_cmd_defns))
return 0;
# ifndef OPENSSL_NO_RSA
/*
* We know that the "PKCS1_SSLeay()" functions hook properly to the
* nuron-specific mod_exp and mod_exp_crt so we use those functions. NB:
* We don't use ENGINE_openssl() or anything "more generic" because
* something like the RSAref code may not hook properly, and if you own
* one of these cards then you have the right to do RSA operations on it
* anyway!
*/
meth1 = RSA_PKCS1_SSLeay();
nuron_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
nuron_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
nuron_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
nuron_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
# endif
# ifndef OPENSSL_NO_DSA
/*
* Use the DSA_OpenSSL() method and just hook the mod_exp-ish bits.
*/
meth2 = DSA_OpenSSL();
nuron_dsa.dsa_do_sign = meth2->dsa_do_sign;
nuron_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
nuron_dsa.dsa_do_verify = meth2->dsa_do_verify;
# endif
# ifndef OPENSSL_NO_DH
/* Much the same for Diffie-Hellman */
meth3 = DH_OpenSSL();
nuron_dh.generate_key = meth3->generate_key;
nuron_dh.compute_key = meth3->compute_key;
# endif
/* Ensure the nuron error handling is set up */
ERR_load_NURON_strings();
return 1;
}
/* ARGSUSED */
static int
t4_bind(ENGINE *e)
{
_Bool aes_engage, digest_engage, des_engage, montmul_engage;
t4_instructions_present(&aes_engage, &des_engage, &digest_engage,
&montmul_engage);
#ifdef DEBUG_T4
(void) fprintf(stderr,
"t4_bind: engage aes=%d, des=%d, digest=%d\n",
aes_engage, des_engage, digest_engage);
#endif
#ifndef OPENSSL_NO_DES
if (!des_engage) { /* Remove DES ciphers from list */
t4_cipher_count -= t4_des_cipher_count;
}
#endif
#ifndef SOLARIS_NO_AES_CTR
/*
* We must do this before we start working with slots since we need all
* NIDs there.
*/
if (aes_engage) {
if (t4_add_aes_ctr_NIDs() == 0) {
T4_FREE_AES_CTR_NIDS;
return (0);
}
}
#endif /* !SOLARIS_NO_AES_CTR */
#ifdef DEBUG_T4
(void) fprintf(stderr, "t4_cipher_count = %d; t4_cipher_nids[] =\n",
t4_cipher_count);
for (int i = 0; i < t4_cipher_count; ++i) {
(void) fprintf(stderr, " %d", t4_cipher_nids[i]);
}
(void) fprintf(stderr, "\n");
#endif /* DEBUG_T4 */
/* Register T4 engine ID, name, and functions */
if (!ENGINE_set_id(e, ENGINE_T4_ID) ||
!ENGINE_set_name(e,
aes_engage ? ENGINE_T4_NAME: ENGINE_NO_T4_NAME) ||
!ENGINE_set_init_function(e, t4_init) ||
(aes_engage && !ENGINE_set_ciphers(e, t4_get_all_ciphers)) ||
(digest_engage && !ENGINE_set_digests(e, t4_get_all_digests)) ||
#ifndef OPENSSL_NO_RSA
(montmul_engage && !ENGINE_set_RSA(e, t4_RSA())) ||
#endif /* OPENSSL_NO_RSA */
#ifndef OPENSSL_NO_DH
(montmul_engage && !ENGINE_set_DH(e, t4_DH())) ||
#endif /* OPENSSL_NO_DH */
#ifndef OPENSSL_NO_DSA
(montmul_engage && !ENGINE_set_DSA(e, t4_DSA())) ||
#endif /* OPENSSL_NO_DSA */
!ENGINE_set_destroy_function(e, t4_destroy)) {
T4_FREE_AES_CTR_NIDS;
return (0);
}
return (1);
}
void
ENGINE_load_builtin_engines(void)
{
ENGINE *engine;
int ret;
engine = ENGINE_new();
if (engine == NULL)
return;
ENGINE_set_id(engine, "builtin");
ENGINE_set_name(engine,
"Heimdal crypto builtin (ltm) engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_ltm_method());
ENGINE_set_DH(engine, DH_ltm_method());
ret = add_engine(engine);
if (ret != 1)
ENGINE_finish(engine);
#ifdef USE_HCRYPTO_TFM
/*
* TFM
*/
engine = ENGINE_new();
if (engine == NULL)
return;
ENGINE_set_id(engine, "tfm");
ENGINE_set_name(engine,
"Heimdal crypto tfm engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_tfm_method());
ENGINE_set_DH(engine, DH_tfm_method());
ret = add_engine(engine);
if (ret != 1)
ENGINE_finish(engine);
#endif /* USE_HCRYPTO_TFM */
#ifdef USE_HCRYPTO_LTM
/*
* ltm
*/
engine = ENGINE_new();
if (engine == NULL)
return;
ENGINE_set_id(engine, "ltm");
ENGINE_set_name(engine,
"Heimdal crypto ltm engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_ltm_method());
ENGINE_set_DH(engine, DH_ltm_method());
ret = add_engine(engine);
if (ret != 1)
ENGINE_finish(engine);
#endif
#ifdef HAVE_GMP
/*
* gmp
*/
engine = ENGINE_new();
if (engine == NULL)
return;
ENGINE_set_id(engine, "gmp");
ENGINE_set_name(engine,
"Heimdal crypto gmp engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_gmp_method());
ret = add_engine(engine);
if (ret != 1)
ENGINE_finish(engine);
#endif
}
/* As this is only ever called once, there's no need for locking
* (indeed - the lock will already be held by our caller!!!) */
static int bind_sureware(ENGINE *e)
{
#ifndef OPENSSL_NO_RSA
const RSA_METHOD *meth1;
#endif
#ifndef OPENSSL_NO_DSA
const DSA_METHOD *meth2;
#endif
#ifndef OPENSSL_NO_DH
const DH_METHOD *meth3;
#endif
if(!ENGINE_set_id(e, engine_sureware_id) ||
!ENGINE_set_name(e, engine_sureware_name) ||
#ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &surewarehk_rsa) ||
#endif
#ifndef OPENSSL_NO_DSA
!ENGINE_set_DSA(e, &surewarehk_dsa) ||
#endif
#ifndef OPENSSL_NO_DH
!ENGINE_set_DH(e, &surewarehk_dh) ||
#endif
!ENGINE_set_RAND(e, &surewarehk_rand) ||
!ENGINE_set_destroy_function(e, surewarehk_destroy) ||
!ENGINE_set_init_function(e, surewarehk_init) ||
!ENGINE_set_finish_function(e, surewarehk_finish) ||
!ENGINE_set_ctrl_function(e, (ENGINE_CTRL_FUNC_PTR)surewarehk_ctrl) ||
!ENGINE_set_load_privkey_function(e, surewarehk_load_privkey) ||
!ENGINE_set_load_pubkey_function(e, surewarehk_load_pubkey))
return 0;
#ifndef OPENSSL_NO_RSA
/* We know that the "PKCS1_SSLeay()" functions hook properly
* to the cswift-specific mod_exp and mod_exp_crt so we use
* those functions. NB: We don't use ENGINE_openssl() or
* anything "more generic" because something like the RSAref
* code may not hook properly, and if you own one of these
* cards then you have the right to do RSA operations on it
* anyway! */
meth1 = RSA_PKCS1_SSLeay();
if (meth1)
{
surewarehk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
surewarehk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
}
#endif
#ifndef OPENSSL_NO_DSA
/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
* bits. */
meth2 = DSA_OpenSSL();
if (meth2)
{
surewarehk_dsa.dsa_do_verify = meth2->dsa_do_verify;
}
#endif
#ifndef OPENSSL_NO_DH
/* Much the same for Diffie-Hellman */
meth3 = DH_OpenSSL();
if (meth3)
{
surewarehk_dh.generate_key = meth3->generate_key;
surewarehk_dh.compute_key = meth3->compute_key;
}
#endif
/* Ensure the sureware error handling is set up */
ERR_load_SUREWARE_strings();
return 1;
}
void
ENGINE_load_cryptodev(void)
{
ENGINE *engine = ENGINE_new();
int fd;
if (engine == NULL)
return;
if ((fd = get_dev_crypto()) < 0) {
ENGINE_free(engine);
return;
}
/*
* find out what asymmetric crypto algorithms we support
*/
if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) {
close(fd);
ENGINE_free(engine);
return;
}
close(fd);
if (!ENGINE_set_id(engine, "cryptodev") ||
!ENGINE_set_name(engine, "BSD cryptodev engine") ||
!ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
!ENGINE_set_digests(engine, cryptodev_engine_digests) ||
!ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
!ENGINE_set_cmd_defns(engine, cryptodev_defns)) {
ENGINE_free(engine);
return;
}
if (ENGINE_set_RSA(engine, &cryptodev_rsa)) {
const RSA_METHOD *rsa_meth = RSA_PKCS1_SSLeay();
cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp;
cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp;
cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc;
cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec;
cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc;
cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec;
if (cryptodev_asymfeat & CRF_MOD_EXP) {
cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp;
if (cryptodev_asymfeat & CRF_MOD_EXP_CRT)
cryptodev_rsa.rsa_mod_exp =
cryptodev_rsa_mod_exp;
else
cryptodev_rsa.rsa_mod_exp =
cryptodev_rsa_nocrt_mod_exp;
}
}
if (ENGINE_set_DSA(engine, &cryptodev_dsa)) {
const DSA_METHOD *meth = DSA_OpenSSL();
memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD));
if (cryptodev_asymfeat & CRF_DSA_SIGN)
cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign;
if (cryptodev_asymfeat & CRF_MOD_EXP) {
cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp;
cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp;
}
if (cryptodev_asymfeat & CRF_DSA_VERIFY)
cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify;
}
if (ENGINE_set_DH(engine, &cryptodev_dh)){
const DH_METHOD *dh_meth = DH_OpenSSL();
cryptodev_dh.generate_key = dh_meth->generate_key;
cryptodev_dh.compute_key = dh_meth->compute_key;
cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp;
if (cryptodev_asymfeat & CRF_MOD_EXP) {
cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh;
if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY)
cryptodev_dh.compute_key =
cryptodev_dh_compute_key;
}
}
ENGINE_add(engine);
ENGINE_free(engine);
ERR_clear_error();
}
int neverbleed_init(neverbleed_t *nb, char *errbuf)
{
int pipe_fds[2] = {-1, -1}, listen_fd = -1;
char *tempdir = NULL;
const RSA_METHOD *default_method = RSA_PKCS1_SSLeay();
rsa_method.rsa_pub_enc = default_method->rsa_pub_enc;
rsa_method.rsa_pub_dec = default_method->rsa_pub_dec;
rsa_method.rsa_verify = default_method->rsa_verify;
/* setup the daemon */
if (pipe(pipe_fds) != 0) {
snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "pipe(2) failed:%s", strerror(errno));
goto Fail;
}
fcntl(pipe_fds[1], F_SETFD, O_CLOEXEC);
if ((tempdir = strdup("/tmp/openssl-privsep.XXXXXX")) == NULL) {
snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "no memory");
goto Fail;
}
if (mkdtemp(tempdir) == NULL) {
snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "failed to create temporary directory under /tmp:%s", strerror(errno));
goto Fail;
}
memset(&nb->sun_, 0, sizeof(nb->sun_));
nb->sun_.sun_family = AF_UNIX;
snprintf(nb->sun_.sun_path, sizeof(nb->sun_.sun_path), "%s/_", tempdir);
RAND_bytes(nb->auth_token, sizeof(nb->auth_token));
if ((listen_fd = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) {
snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "socket(2) failed:%s", strerror(errno));
goto Fail;
}
if (bind(listen_fd, (void *)&nb->sun_, sizeof(nb->sun_)) != 0) {
snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "failed to bind to %s:%s", nb->sun_.sun_path, strerror(errno));
goto Fail;
}
if (listen(listen_fd, SOMAXCONN) != 0) {
snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "listen(2) failed:%s", strerror(errno));
goto Fail;
}
switch (fork()) {
case -1:
snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "fork(2) failed:%s", strerror(errno));
goto Fail;
case 0:
close(pipe_fds[1]);
#ifdef __linux__
prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
#endif
memcpy(daemon_auth_token, nb->auth_token, NEVERBLEED_AUTH_TOKEN_SIZE);
daemon_main(listen_fd, pipe_fds[0], tempdir);
break;
default:
break;
}
close(listen_fd);
listen_fd = -1;
close(pipe_fds[0]);
pipe_fds[0] = -1;
/* setup engine */
if ((nb->engine = ENGINE_new()) == NULL ||
!ENGINE_set_id(nb->engine, "neverbleed") ||
!ENGINE_set_name(nb->engine, "privilege separation software engine") ||
!ENGINE_set_RSA(nb->engine, &rsa_method)) {
snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "failed to initialize the OpenSSL engine");
goto Fail;
}
ENGINE_add(nb->engine);
/* setup thread key */
pthread_key_create(&nb->thread_key, dispose_thread_data);
free(tempdir);
return 0;
Fail:
if (pipe_fds[0] != -1)
close(pipe_fds[0]);
if (pipe_fds[1] != -1)
close(pipe_fds[1]);
if (tempdir != NULL) {
unlink_dir(tempdir);
free(tempdir);
}
if (listen_fd != -1)
close(listen_fd);
if (nb->engine != NULL) {
ENGINE_free(nb->engine);
nb->engine = NULL;
}
return -1;
}
void
ENGINE_load_builtin_engines(void)
{
ENGINE *engine;
int ret;
engine = ENGINE_new();
if (engine == NULL) {
return;
}
ENGINE_set_id(engine, "builtin");
ENGINE_set_name(engine,
"cryptoshims builtin engine version " PACKAGE_VERSION);
/*
* XXX <radr://problem/107832242> and <rda://problem/8174874> are
* blocking the use of CommonCrypto's RSA code for OpenSSH.
*
* XXX <rdar://problem/10488503> is blocking the use of
* CommonCrypto's (non-existing) DSA.
*
* XXX <rdar://problem/10771223> and <rdar://problem/10771188> are
* blocking the use of CommonCrypto's DH code.
*/
#if !defined(PR_10783242_FIXED) || !defined(PR_8174774_FIXED) || !defined(PR_10488503_FIXED) || !defined(PR_10771223_FIXED) || !defined(PR_10771188_FIXED)
ENGINE_set_DH(engine, DH_eay_method());
ENGINE_set_DSA(engine, DSA_eay_method());
ENGINE_set_RSA(engine, RSA_eay_method());
#elif defined(HAVE_COMMONCRYPTO_COMMONRSACRYPTOR_H) && defined(HAVE_COMMONCRYPTO_COMMONDH_H) && defined(HAVE_COMMONCRYPTO_COMMONDSACRYPTOR_H)
ENGINE_set_DH(engine, DH_eay_method());
ENGINE_set_DSA(engine, DSA_eay_method());
ENGINE_set_RSA(engine, RSA_cc_method());
#elif HAVE_CDSA
ENGINE_set_DH(engine, DH_cdsa_method());
ENGINE_set_DSA(engine, DSA_null_method());
ENGINE_set_RSA(engine, RSA_cdsa_method());
#elif defined(__APPLE_TARGET_EMBEDDED__)
ENGINE_set_DH(engine, DH_null_method());
ENGINE_set_DSA(engine, DSA_null_method());
ENGINE_set_RSA(engine, RSA_null_method());
#elif defined(HEIM_HC_SF)
ENGINE_set_RSA(engine, RSA_ltm_method());
ENGINE_set_DH(engine, DH_sf_method());
ENGINE_set_DSA(engine, DSA_null_method());
#elif defined(HEIM_HC_LTM)
ENGINE_set_RSA(engine, RSA_ltm_method());
ENGINE_set_DH(engine, DH_ltm_method());
ENGINE_set_DSA(engine, DSA_null_method());
#else
ENGINE_set_RSA(engine, RSA_tfm_method());
ENGINE_set_DH(engine, DH_tfm_method());
ENGINE_set_DSA(engine, DSA_null_method());
#endif
ret = add_engine(engine);
if (ret != 1) {
ENGINE_finish(engine);
}
#if !defined(PR_10783242_FIXED) || !defined(PR_8174774_FIXED) || !defined(PR_1048850_FIXED) || !defined(PR_10771223_FIXED) || !defined(PR_10771188_FIXED)
/*
* EAY
*/
engine = ENGINE_new();
if (engine == NULL) {
return;
}
ENGINE_set_id(engine, "eay");
ENGINE_set_name(engine,
"ossl eay engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_eay_method());
ENGINE_set_DH(engine, DH_eay_method());
ENGINE_set_DSA(engine, DSA_eay_method());
ret = add_engine(engine);
if (ret != 1) {
ENGINE_finish(engine);
}
#endif
#if defined(HAVE_COMMONCRYPTO_COMMONRSACRYPTOR_H) && defined(HAVE_COMMONCRYPTO_COMMONDH_H) && defined(HAVE_COMMONCRYPTO_COMMONDSACRYPTOR_H)
/*
* CC
*/
engine = ENGINE_new();
if (engine == NULL) {
return;
}
ENGINE_set_id(engine, "cc");
ENGINE_set_name(engine,
"ossl cc engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_cc_method());
ENGINE_set_DH(engine, DH_cc_method());
ENGINE_set_DSA(engine, DSA_eay_method());
ret = add_engine(engine);
if (ret != 1) {
ENGINE_finish(engine);
}
#endif /* COMMONCRYPTO */
#ifdef USE_HCRYPTO_TFM
/*
* TFM
*/
engine = ENGINE_new();
if (engine == NULL) {
return;
}
ENGINE_set_id(engine, "tfm");
ENGINE_set_name(engine,
"ossl tfm engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_tfm_method());
ENGINE_set_DH(engine, DH_tfm_method());
ret = add_engine(engine);
if (ret != 1) {
ENGINE_finish(engine);
}
#endif /* USE_HCRYPTO_TFM */
#ifdef USE_HCRYPTO_LTM
/*
* ltm
*/
engine = ENGINE_new();
if (engine == NULL) {
return;
}
ENGINE_set_id(engine, "ltm");
ENGINE_set_name(engine,
"ossl ltm engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_ltm_method());
ENGINE_set_DH(engine, DH_ltm_method());
ret = add_engine(engine);
if (ret != 1) {
ENGINE_finish(engine);
}
#endif
#ifdef HAVE_GMP
/*
* gmp
*/
engine = ENGINE_new();
if (engine == NULL) {
return;
}
ENGINE_set_id(engine, "gmp");
ENGINE_set_name(engine,
"ossl gmp engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_gmp_method());
ret = add_engine(engine);
if (ret != 1) {
ENGINE_finish(engine);
}
#endif
}
static int bind_dasync(ENGINE *e)
{
/* Setup RSA_METHOD */
if ((dasync_rsa_method = RSA_meth_new("Dummy Async RSA method", 0)) == NULL
|| RSA_meth_set_pub_enc(dasync_rsa_method, dasync_pub_enc) == 0
|| RSA_meth_set_pub_dec(dasync_rsa_method, dasync_pub_dec) == 0
|| RSA_meth_set_priv_enc(dasync_rsa_method, dasync_rsa_priv_enc) == 0
|| RSA_meth_set_priv_dec(dasync_rsa_method, dasync_rsa_priv_dec) == 0
|| RSA_meth_set_mod_exp(dasync_rsa_method, dasync_rsa_mod_exp) == 0
|| RSA_meth_set_bn_mod_exp(dasync_rsa_method, BN_mod_exp_mont) == 0
|| RSA_meth_set_init(dasync_rsa_method, dasync_rsa_init) == 0
|| RSA_meth_set_finish(dasync_rsa_method, dasync_rsa_finish) == 0) {
DASYNCerr(DASYNC_F_BIND_DASYNC, DASYNC_R_INIT_FAILED);
return 0;
}
/* Ensure the dasync error handling is set up */
ERR_load_DASYNC_strings();
if (!ENGINE_set_id(e, engine_dasync_id)
|| !ENGINE_set_name(e, engine_dasync_name)
|| !ENGINE_set_RSA(e, dasync_rsa_method)
|| !ENGINE_set_digests(e, dasync_digests)
|| !ENGINE_set_ciphers(e, dasync_ciphers)
|| !ENGINE_set_destroy_function(e, dasync_destroy)
|| !ENGINE_set_init_function(e, dasync_init)
|| !ENGINE_set_finish_function(e, dasync_finish)) {
DASYNCerr(DASYNC_F_BIND_DASYNC, DASYNC_R_INIT_FAILED);
return 0;
}
/*
* Set up the EVP_CIPHER and EVP_MD objects for the ciphers/digests
* supplied by this engine
*/
_hidden_sha1_md = EVP_MD_meth_new(NID_sha1, NID_sha1WithRSAEncryption);
if (_hidden_sha1_md == NULL
|| !EVP_MD_meth_set_result_size(_hidden_sha1_md, SHA_DIGEST_LENGTH)
|| !EVP_MD_meth_set_input_blocksize(_hidden_sha1_md, SHA_CBLOCK)
|| !EVP_MD_meth_set_app_datasize(_hidden_sha1_md,
sizeof(EVP_MD *) + sizeof(SHA_CTX))
|| !EVP_MD_meth_set_flags(_hidden_sha1_md, EVP_MD_FLAG_DIGALGID_ABSENT)
|| !EVP_MD_meth_set_init(_hidden_sha1_md, dasync_sha1_init)
|| !EVP_MD_meth_set_update(_hidden_sha1_md, dasync_sha1_update)
|| !EVP_MD_meth_set_final(_hidden_sha1_md, dasync_sha1_final)) {
EVP_MD_meth_free(_hidden_sha1_md);
_hidden_sha1_md = NULL;
}
_hidden_aes_128_cbc = EVP_CIPHER_meth_new(NID_aes_128_cbc,
16 /* block size */,
16 /* key len */);
if (_hidden_aes_128_cbc == NULL
|| !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc,16)
|| !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc,
EVP_CIPH_FLAG_DEFAULT_ASN1
| EVP_CIPH_CBC_MODE
| EVP_CIPH_FLAG_PIPELINE)
|| !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc,
dasync_aes128_init_key)
|| !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc,
dasync_aes128_cbc_cipher)
|| !EVP_CIPHER_meth_set_cleanup(_hidden_aes_128_cbc,
dasync_aes128_cbc_cleanup)
|| !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc,
dasync_aes128_cbc_ctrl)
|| !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc,
sizeof(struct dasync_pipeline_ctx))) {
EVP_CIPHER_meth_free(_hidden_aes_128_cbc);
_hidden_aes_128_cbc = NULL;
}
_hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new(
NID_aes_128_cbc_hmac_sha1,
16 /* block size */,
16 /* key len */);
if (_hidden_aes_128_cbc_hmac_sha1 == NULL
|| !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc_hmac_sha1,16)
|| !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc_hmac_sha1,
EVP_CIPH_CBC_MODE
| EVP_CIPH_FLAG_DEFAULT_ASN1
| EVP_CIPH_FLAG_AEAD_CIPHER
| EVP_CIPH_FLAG_PIPELINE)
|| !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1,
dasync_aes128_cbc_hmac_sha1_init_key)
|| !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1,
dasync_aes128_cbc_hmac_sha1_cipher)
|| !EVP_CIPHER_meth_set_cleanup(_hidden_aes_128_cbc_hmac_sha1,
dasync_aes128_cbc_hmac_sha1_cleanup)
|| !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc_hmac_sha1,
dasync_aes128_cbc_hmac_sha1_ctrl)
|| !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc_hmac_sha1,
sizeof(struct dasync_pipeline_ctx))) {
EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1);
_hidden_aes_128_cbc_hmac_sha1 = NULL;
}
return 1;
}
/******************************************************************************
* function:
* bind_qat(ENGINE *e,
* const char *id)
*
* @param e [IN] - OpenSSL engine pointer
* @param id [IN] - engine id
*
* description:
* Connect Qat engine to OpenSSL engine library
******************************************************************************/
static int bind_qat(ENGINE *e, const char *id)
{
int ret = 0;
WARN("QAT Warnings enabled.\n");
DEBUG("QAT Debug enabled.\n");
DEBUG("[%s] id=%s\n", __func__, id);
if (id && (strcmp(id, engine_qat_id) != 0)) {
WARN("ENGINE_id defined already!\n");
goto end;
}
if (!ENGINE_set_id(e, engine_qat_id)) {
WARN("ENGINE_set_id failed\n");
goto end;
}
if (!ENGINE_set_name(e, engine_qat_name)) {
WARN("ENGINE_set_name failed\n");
goto end;
}
/* Ensure the QAT error handling is set up */
ERR_load_QAT_strings();
/*
* Create static structures for ciphers now
* as this function will be called by a single thread.
*/
qat_create_ciphers();
#ifndef OPENSSL_ENABLE_QAT_SMALL_PACKET_CIPHER_OFFLOADS
CRYPTO_THREAD_run_once(&qat_pkt_threshold_table_once,qat_pkt_threshold_table_make_key);
#endif
DEBUG("%s: About to set mem functions\n", __func__);
if (!ENGINE_set_RSA(e, qat_get_RSA_methods())) {
WARN("ENGINE_set_RSA failed\n");
goto end;
}
if (!ENGINE_set_DSA(e, qat_get_DSA_methods())) {
WARN("ENGINE_set_DSA failed\n");
goto end;
}
if (!ENGINE_set_DH(e, qat_get_DH_methods())) {
WARN("ENGINE_set_DH failed\n");
goto end;
}
if (!ENGINE_set_EC(e, qat_get_EC_methods())) {
WARN("ENGINE_set_EC failed\n");
goto end;
}
if (!ENGINE_set_ciphers(e, qat_ciphers)) {
WARN("ENGINE_set_ciphers failed\n");
goto end;
}
if (!ENGINE_set_pkey_meths(e, qat_PRF_pkey_methods)) {
WARN("ENGINE_set_pkey_meths failed\n");
goto end;
}
pthread_atfork(engine_fork_handler, NULL, NULL);
if (!ENGINE_set_destroy_function(e, qat_engine_destroy)
|| !ENGINE_set_init_function(e, qat_engine_init)
|| !ENGINE_set_finish_function(e, qat_engine_finish)
|| !ENGINE_set_ctrl_function(e, qat_engine_ctrl)
|| !ENGINE_set_cmd_defns(e, qat_cmd_defns)) {
WARN("[%s] failed reg destroy, init or finish\n", __func__);
goto end;
}
ret = 1;
end:
return ret;
}
