Exemple #1
0
static int
g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
    const u_char *key, size_t keysize)
{
	struct cryptoini cri;
	struct cryptop *crp;
	struct cryptodesc *crd;
	uint64_t sid;
	u_char *p;
	int error;

	KASSERT(algo != CRYPTO_AES_XTS,
	    ("%s: CRYPTO_AES_XTS unexpected here", __func__));

	bzero(&cri, sizeof(cri));
	cri.cri_alg = algo;
	cri.cri_key = __DECONST(void *, key);
	cri.cri_klen = keysize;
	error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE);
	if (error != 0)
		return (error);
	p = malloc(sizeof(*crp) + sizeof(*crd), M_ELI, M_NOWAIT | M_ZERO);
	if (p == NULL) {
		crypto_freesession(sid);
		return (ENOMEM);
	}
	crp = (struct cryptop *)p;	p += sizeof(*crp);
	crd = (struct cryptodesc *)p;	p += sizeof(*crd);

	crd->crd_skip = 0;
	crd->crd_len = datasize;
	crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
	if (enc)
		crd->crd_flags |= CRD_F_ENCRYPT;
	crd->crd_alg = algo;
	crd->crd_key = __DECONST(void *, key);
	crd->crd_klen = keysize;
	bzero(crd->crd_iv, sizeof(crd->crd_iv));
	crd->crd_next = NULL;

	crp->crp_sid = sid;
	crp->crp_ilen = datasize;
	crp->crp_olen = datasize;
	crp->crp_opaque = NULL;
	crp->crp_callback = g_eli_crypto_done;
	crp->crp_buf = (void *)data;
	crp->crp_flags = CRYPTO_F_CBIFSYNC;
	crp->crp_desc = crd;

	error = crypto_dispatch(crp);
	if (error == 0) {
		while (crp->crp_opaque == NULL)
			tsleep(crp, PRIBIO, "geli", hz / 5);
		error = crp->crp_etype;
	}

	free(crp, M_ELI);
	crypto_freesession(sid);
	return (error);
}
Exemple #2
0
static void
aes_destroy(struct krb5_key_state *ks)
{
	struct aes_state *as = ks->ks_priv;

	if (as->as_session_aes != 0)
		crypto_freesession(as->as_session_aes);
	if (as->as_session_sha1 != 0)
		crypto_freesession(as->as_session_sha1);
	mtx_destroy(&as->as_lock);
	free(ks->ks_priv, M_GSSAPI);
}
Exemple #3
0
static void
aes_set_key(struct krb5_key_state *ks, const void *in)
{
	void *kp = ks->ks_key;
	struct aes_state *as = ks->ks_priv;
	struct cryptoini cri[2];

	if (kp != in)
		bcopy(in, kp, ks->ks_class->ec_keylen);

	if (as->as_session)
		crypto_freesession(as->as_session);

	bzero(cri, sizeof(cri));

	/*
	 * We only want the first 96 bits of the HMAC.
	 */
	cri[0].cri_alg = CRYPTO_SHA1_HMAC;
	cri[0].cri_klen = ks->ks_class->ec_keybits;
	cri[0].cri_mlen = 12;
	cri[0].cri_key = ks->ks_key;
	cri[0].cri_next = &cri[1];

	cri[1].cri_alg = CRYPTO_AES_CBC;
	cri[1].cri_klen = ks->ks_class->ec_keybits;
	cri[1].cri_mlen = 0;
	cri[1].cri_key = ks->ks_key;
	cri[1].cri_next = NULL;

	crypto_newsession(&as->as_session, cri,
	    CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE);
}
Exemple #4
0
static void
des3_set_key(struct krb5_key_state *ks, const void *in)
{
	void *kp = ks->ks_key;
	struct des3_state *ds = ks->ks_priv;
	struct cryptoini cri[2];

	if (kp != in)
		bcopy(in, kp, ks->ks_class->ec_keylen);

	if (ds->ds_session)
		crypto_freesession(ds->ds_session);

	bzero(cri, sizeof(cri));

	cri[0].cri_alg = CRYPTO_SHA1_HMAC;
	cri[0].cri_klen = 192;
	cri[0].cri_mlen = 0;
	cri[0].cri_key = ks->ks_key;
	cri[0].cri_next = &cri[1];

	cri[1].cri_alg = CRYPTO_3DES_CBC;
	cri[1].cri_klen = 192;
	cri[1].cri_mlen = 0;
	cri[1].cri_key = ks->ks_key;
	cri[1].cri_next = NULL;

	crypto_newsession(&ds->ds_session, cri,
	    CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE);
}
Exemple #5
0
static void
des3_destroy(struct krb5_key_state *ks)
{
	struct des3_state *ds = ks->ks_priv;

	if (ds->ds_session)
		crypto_freesession(ds->ds_session);
	mtx_destroy(&ds->ds_lock);
	free(ks->ks_priv, M_GSSAPI);
}
Exemple #6
0
int ipsec_ocf_sa_free(struct ipsec_sa *ipsp)
{
	KLIPS_PRINT(debug_pfkey, "klips_debug:ipsec_ocf_sa_free()\n");
	if (!ipsp->ocf_in_use)
		printk("KLIPS: ipsec_ocf_sa_free received SA that is not initted?\n");


	crypto_freesession(ipsp->ocf_cryptoid);
	ipsp->ocf_cryptoid = -1;
	ipsp->ocf_in_use = 0;
	return 1;
}
Exemple #7
0
/*
 * Paranoia.
 *
 * NB: public for use by esp_zeroize (XXX).
 */
int
ah_zeroize(struct secasvar *sav)
{
	int err;

	if (sav->key_auth)
		bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));

	err = crypto_freesession(sav->tdb_cryptoid);
	sav->tdb_cryptoid = 0;
	sav->tdb_authalgxform = NULL;
	sav->tdb_xform = NULL;
	return err;
}
Exemple #8
0
/*
 * Paranoia.
 */
int
ah_zeroize(struct tdb *tdbp)
{
	int err;

	if (tdbp->tdb_amxkey) {
		explicit_bzero(tdbp->tdb_amxkey, tdbp->tdb_amxkeylen);
		free(tdbp->tdb_amxkey, M_XDATA);
		tdbp->tdb_amxkey = NULL;
	}

	err = crypto_freesession(tdbp->tdb_cryptoid);
	tdbp->tdb_cryptoid = 0;
	return err;
}
Exemple #9
0
static int
g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
                    const u_char *key, size_t keysize)
{
    struct cryptoini cri;
    struct cryptop *crp;
    struct cryptodesc *crd;
    struct uio *uio;
    struct iovec *iov;
    uint64_t sid;
    u_char *p;
    int error;

    bzero(&cri, sizeof(cri));
    cri.cri_alg = algo;
    cri.cri_key = __DECONST(void *, key);
    cri.cri_klen = keysize;
    error = crypto_newsession(&sid, &cri, CRYPTOCAP_F_SOFTWARE);
    if (error != 0)
        return (error);
    p = malloc(sizeof(*crp) + sizeof(*crd) + sizeof(*uio) + sizeof(*iov),
               M_ELI, M_NOWAIT | M_ZERO);
    if (p == NULL) {
        crypto_freesession(sid);
        return (ENOMEM);
    }
    crp = (struct cryptop *)p;
    p += sizeof(*crp);
    crd = (struct cryptodesc *)p;
    p += sizeof(*crd);
    uio = (struct uio *)p;
    p += sizeof(*uio);
    iov = (struct iovec *)p;
    p += sizeof(*iov);

    iov->iov_len = datasize;
    iov->iov_base = data;

    uio->uio_iov = iov;
    uio->uio_iovcnt = 1;
    uio->uio_segflg = UIO_SYSSPACE;
    uio->uio_resid = datasize;

    crd->crd_skip = 0;
    crd->crd_len = datasize;
    crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
    if (enc)
        crd->crd_flags |= CRD_F_ENCRYPT;
    crd->crd_alg = algo;
    crd->crd_key = __DECONST(void *, key);
    crd->crd_klen = keysize;
    bzero(crd->crd_iv, sizeof(crd->crd_iv));
    crd->crd_next = NULL;

    crp->crp_sid = sid;
    crp->crp_ilen = datasize;
    crp->crp_olen = datasize;
    crp->crp_opaque = NULL;
    crp->crp_callback = g_eli_crypto_done;
    crp->crp_buf = (void *)uio;
    crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIFSYNC | CRYPTO_F_REL;
    crp->crp_desc = crd;

    error = crypto_dispatch(crp);
    if (error == 0) {
        while (crp->crp_opaque == NULL)
            tsleep(crp, PRIBIO, "geli", hz / 5);
        error = crp->crp_etype;
    }

    free(crp, M_ELI);
    crypto_freesession(sid);
    return (error);
}
Exemple #10
0
int
ocfbench_init(void)
{
	int i,j, jstart, jstop;

	printk("Crypto Speed tests\n");

	requests = kmalloc(sizeof(request_t) * request_q_len, GFP_KERNEL);
	if (!requests) {
		printk("malloc failed\n");
		return -EINVAL;
	}

	if(request_size %8 != 0) {
		printk("request_size must be a multiple of 8!!! \n");
	}
	
	for (i = 0; i < request_q_len; i++) {
		/* +64 for return data */
		requests[i].buffer = kmalloc(request_size + 128, GFP_DMA);
		if (!requests[i].buffer) {
			printk("malloc failed\n");
			return -EINVAL;
		}
#ifdef DECC
		requests[i].encrypt = 1;
		requests[i].index = i;
#endif
	for(j=0; j < request_size + 128; j++)
		*(char *)(((char *)requests[i].buffer) + j ) = 0x2;

	}

#ifdef DECC
	requests2 = kmalloc(sizeof(request_t) * request_q_len, GFP_KERNEL);
	if (!requests) {
		printk("malloc failed\n");
		return -EINVAL;
	}

	for (i = 0; i < request_q_len; i++) {
		/* +64 for return data */
		requests2[i].buffer = kmalloc(request_size + 128, GFP_DMA);
		if (!requests2[i].buffer) {
			printk("malloc failed\n");
			return -EINVAL;
		}
		memcpy(requests2[i].buffer, requests[i].buffer, request_size);
	}
#endif
	/*
	 * OCF benchmark
	 */
	printk("OCF: testing ...\n");
	ocf_init();
	total = outstanding = 0;
	jstart = jiffies;
	for (i = 0; i < request_q_len; i++) {
		outstanding++;
		ocf_request(&requests[i]);
	}

	while (outstanding > 0) {
#if 0
		if(jiffies - jstart > 500){
			return -EINVAL;	
		}
#endif
		schedule();
	}
	jstop = jiffies;

	printk("OCF: %d requests of %d bytes in %d jiffies\n", total, request_size,
			jstop - jstart);

#ifdef DECC
	for (i = 0; i < request_q_len; i++) {
		if(memcmp(requests2[i].buffer, requests[i].buffer, request_size) != 0){
			printk("buf %d is differnt \n",i);
			printk("ORIGINAL: \n");
			hexdump(requests2[i].buffer, request_size);
			printk("AFTER \n");
			hexdump(requests[i].buffer, request_size);
			break;
		}
	}
	
#ifdef BOTH
	for (i = 0; i < request_q_len; i++) {
		if(memcmp(requests[i].buffer + request_size + 32, requests[i].buffer + request_size + 64, 16) != 0){
			printk("buf %d is differnt \n",i);
			printk("ORIGINAL: \n");
			hexdump(requests[i].buffer + request_size + 32, 16);
			printk("AFTER \n");
			hexdump(requests[i].buffer + request_size + 64, 16);
			break;
		}
	}
#endif
#endif

	for (i = 0; i < request_q_len; i++)
		kfree(requests[i].buffer);
	kfree(requests);

#ifdef DECC
	for (i = 0; i < request_q_len; i++)
		kfree(requests2[i].buffer);
	kfree(requests2);
#endif
	crypto_freesession(ocf_cryptoid);

	return -EINVAL; /* always fail to load so it can be re-run quickly ;-) */
}
Exemple #11
0
static void
ocf_done(void)
{
	crypto_freesession(ocf_cryptoid);
}
Exemple #12
0
/*
 * ESP input callback from the crypto driver.
 */
static int
esp_input_cb(struct cryptop *crp)
{
	IPSEC_DEBUG_DECLARE(char buf[128]);
	u_int8_t lastthree[3], aalg[AH_HMAC_MAXHASHLEN];
	const struct auth_hash *esph;
	const struct enc_xform *espx;
	struct mbuf *m;
	struct cryptodesc *crd;
	struct xform_data *xd;
	struct secasvar *sav;
	struct secasindex *saidx;
	caddr_t ptr;
	uint64_t cryptoid;
	int hlen, skip, protoff, error, alen;

	crd = crp->crp_desc;
	IPSEC_ASSERT(crd != NULL, ("null crypto descriptor!"));

	m = (struct mbuf *) crp->crp_buf;
	xd = (struct xform_data *) crp->crp_opaque;
	sav = xd->sav;
	skip = xd->skip;
	protoff = xd->protoff;
	cryptoid = xd->cryptoid;
	saidx = &sav->sah->saidx;
	esph = sav->tdb_authalgxform;
	espx = sav->tdb_encalgxform;

	/* Check for crypto errors */
	if (crp->crp_etype) {
		if (crp->crp_etype == EAGAIN) {
			/* Reset the session ID */
			if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0)
				crypto_freesession(cryptoid);
			xd->cryptoid = crp->crp_sid;
			return (crypto_dispatch(crp));
		}
		ESPSTAT_INC(esps_noxform);
		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
		error = crp->crp_etype;
		goto bad;
	}

	/* Shouldn't happen... */
	if (m == NULL) {
		ESPSTAT_INC(esps_crypto);
		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
		error = EINVAL;
		goto bad;
	}
	ESPSTAT_INC(esps_hist[sav->alg_enc]);

	/* If authentication was performed, check now. */
	if (esph != NULL) {
		alen = xform_ah_authsize(esph);
		AHSTAT_INC(ahs_hist[sav->alg_auth]);
		/* Copy the authenticator from the packet */
		m_copydata(m, m->m_pkthdr.len - alen, alen, aalg);
		ptr = (caddr_t) (xd + 1);

		/* Verify authenticator */
		if (timingsafe_bcmp(ptr, aalg, alen) != 0) {
			DPRINTF(("%s: authentication hash mismatch for "
			    "packet in SA %s/%08lx\n", __func__,
			    ipsec_address(&saidx->dst, buf, sizeof(buf)),
			    (u_long) ntohl(sav->spi)));
			ESPSTAT_INC(esps_badauth);
			error = EACCES;
			goto bad;
		}
		m->m_flags |= M_AUTHIPDGM;
		/* Remove trailing authenticator */
		m_adj(m, -alen);
	}

	/* Release the crypto descriptors */
	free(xd, M_XDATA), xd = NULL;
	crypto_freereq(crp), crp = NULL;

	/*
	 * Packet is now decrypted.
	 */
	m->m_flags |= M_DECRYPTED;

	/*
	 * Update replay sequence number, if appropriate.
	 */
	if (sav->replay) {
		u_int32_t seq;

		m_copydata(m, skip + offsetof(struct newesp, esp_seq),
			   sizeof (seq), (caddr_t) &seq);
		SECASVAR_LOCK(sav);
		if (ipsec_updatereplay(ntohl(seq), sav)) {
			SECASVAR_UNLOCK(sav);
			DPRINTF(("%s: packet replay check for %s\n", __func__,
			    ipsec_sa2str(sav, buf, sizeof(buf))));
			ESPSTAT_INC(esps_replay);
			error = EACCES;
			goto bad;
		}
		SECASVAR_UNLOCK(sav);
	}