/* This internal function is used by ENGINE_pkcs11() and possibly by the
* "dynamic" ENGINE support too */
static int bind_helper(ENGINE *e)
{
if (!ENGINE_set_id(e, PKCS11_ENGINE_ID) ||
!ENGINE_set_destroy_function(e, engine_destroy) ||
!ENGINE_set_init_function(e, engine_init) ||
!ENGINE_set_finish_function(e, engine_finish) ||
!ENGINE_set_ctrl_function(e, engine_ctrl) ||
!ENGINE_set_cmd_defns(e, engine_cmd_defns) ||
!ENGINE_set_name(e, PKCS11_ENGINE_NAME) ||
#ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, PKCS11_get_rsa_method()) ||
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100002L
#ifndef OPENSSL_NO_EC
/* PKCS11_get_ec_key_method combines ECDSA and ECDH */
!ENGINE_set_EC(e, PKCS11_get_ec_key_method()) ||
#endif /* OPENSSL_NO_EC */
#else /* OPENSSL_VERSION_NUMBER */
#ifndef OPENSSL_NO_ECDSA
!ENGINE_set_ECDSA(e, PKCS11_get_ecdsa_method()) ||
#endif
#ifndef OPENSSL_NO_ECDH
!ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) ||
#endif
#endif /* OPENSSL_VERSION_NUMBER */
!ENGINE_set_load_pubkey_function(e, load_pubkey) ||
!ENGINE_set_load_privkey_function(e, load_privkey)) {
return 0;
} else {
return 1;
}
}
static ENGINE* LoadEngine()
{
// This function creates an engine for PKCS#11 and inspired by
// the "ENGINE_load_dynamic" function from OpenSSL, in file
// "crypto/engine/eng_dyn.c"
ENGINE* engine = ENGINE_new();
if (!engine)
{
LOG(ERROR) << "Cannot create an OpenSSL engine for PKCS#11";
throw OrthancException(ErrorCode_InternalError);
}
// Create a PKCS#11 context using libp11
context_ = pkcs11_new();
if (!context_)
{
LOG(ERROR) << "Cannot create a libp11 context for PKCS#11";
ENGINE_free(engine);
throw OrthancException(ErrorCode_InternalError);
}
if (!ENGINE_set_id(engine, PKCS11_ENGINE_ID) ||
!ENGINE_set_name(engine, PKCS11_ENGINE_NAME) ||
!ENGINE_set_cmd_defns(engine, PKCS11_ENGINE_COMMANDS) ||
// Register the callback functions
!ENGINE_set_init_function(engine, EngineInitialize) ||
!ENGINE_set_finish_function(engine, EngineFinalize) ||
!ENGINE_set_destroy_function(engine, EngineDestroy) ||
!ENGINE_set_ctrl_function(engine, EngineControl) ||
!ENGINE_set_load_pubkey_function(engine, EngineLoadPublicKey) ||
!ENGINE_set_load_privkey_function(engine, EngineLoadPrivateKey) ||
!ENGINE_set_RSA(engine, PKCS11_get_rsa_method()) ||
!ENGINE_set_ECDSA(engine, PKCS11_get_ecdsa_method()) ||
!ENGINE_set_ECDH(engine, PKCS11_get_ecdh_method()) ||
#if OPENSSL_VERSION_NUMBER >= 0x10100002L
!ENGINE_set_EC(engine, PKCS11_get_ec_key_method()) ||
#endif
// Make OpenSSL know about our PKCS#11 engine
!ENGINE_add(engine))
{
LOG(ERROR) << "Cannot initialize the OpenSSL engine for PKCS#11";
pkcs11_finish(context_);
ENGINE_free(engine);
throw OrthancException(ErrorCode_InternalError);
}
// If the "ENGINE_add" worked, it gets a structural
// reference. We release our just-created reference.
ENGINE_free(engine);
return ENGINE_by_id(PKCS11_ENGINE_ID);
}
static int bind_devcrypto(ENGINE *e) {
if (!ENGINE_set_id(e, engine_devcrypto_id)
|| !ENGINE_set_name(e, "/dev/crypto engine")
|| !ENGINE_set_destroy_function(e, devcrypto_unload)
|| !ENGINE_set_cmd_defns(e, devcrypto_cmds)
|| !ENGINE_set_ctrl_function(e, devcrypto_ctrl))
return 0;
prepare_cipher_methods();
#ifdef IMPLEMENT_DIGEST
prepare_digest_methods();
#endif
return (ENGINE_set_ciphers(e, devcrypto_ciphers)
#ifdef IMPLEMENT_DIGEST
&& ENGINE_set_digests(e, devcrypto_digests)
#endif
/*
* Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
* implementations, it seems to only exist in FreeBSD, and regarding the
* parameters in its crypt_kop, the manual crypto(4) has this to say:
*
* The semantics of these arguments are currently undocumented.
*
* Reading through the FreeBSD source code doesn't give much more than
* their CRK_MOD_EXP implementation for ubsec.
*
* It doesn't look much better with cryptodev-linux. They have the crypt_kop
* structure as well as the command (CRK_*) in cryptodev.h, but no support
* seems to be implemented at all for the moment.
*
* At the time of writing, it seems impossible to write proper support for
* FreeBSD's asym features without some very deep knowledge and access to
* specific kernel modules.
*
* /Richard Levitte, 2017-05-11
*/
#if 0
# ifndef OPENSSL_NO_RSA
&& ENGINE_set_RSA(e, devcrypto_rsa)
# endif
# ifndef OPENSSL_NO_DSA
&& ENGINE_set_DSA(e, devcrypto_dsa)
# endif
# ifndef OPENSSL_NO_DH
&& ENGINE_set_DH(e, devcrypto_dh)
# endif
# ifndef OPENSSL_NO_EC
&& ENGINE_set_EC(e, devcrypto_ec)
# endif
#endif
);
}
/*
* This internal function is used by ENGINE_openssl() and possibly by the
* "dynamic" ENGINE support too
*/
static int bind_helper(ENGINE *e)
{
if (!ENGINE_set_id(e, engine_openssl_id)
|| !ENGINE_set_name(e, engine_openssl_name)
|| !ENGINE_set_destroy_function(e, openssl_destroy)
#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
# ifndef OPENSSL_NO_RSA
|| !ENGINE_set_RSA(e, RSA_get_default_method())
# endif
# ifndef OPENSSL_NO_DSA
|| !ENGINE_set_DSA(e, DSA_get_default_method())
# endif
# ifndef OPENSSL_NO_EC
|| !ENGINE_set_EC(e, EC_KEY_OpenSSL())
# endif
# ifndef OPENSSL_NO_DH
|| !ENGINE_set_DH(e, DH_get_default_method())
# endif
|| !ENGINE_set_RAND(e, RAND_OpenSSL())
# ifdef TEST_ENG_OPENSSL_RC4
|| !ENGINE_set_ciphers(e, openssl_ciphers)
# endif
# ifdef TEST_ENG_OPENSSL_SHA
|| !ENGINE_set_digests(e, openssl_digests)
# endif
#endif
#ifdef TEST_ENG_OPENSSL_PKEY
|| !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
#endif
#ifdef TEST_ENG_OPENSSL_HMAC
|| !ossl_register_hmac_meth()
|| !ENGINE_set_pkey_meths(e, ossl_pkey_meths)
#endif
)
return 0;
/*
* If we add errors to this ENGINE, ensure the error handling is setup
* here
*/
/* openssl_load_error_strings(); */
return 1;
}
/******************************************************************************
* function:
* bind_qat(ENGINE *e,
* const char *id)
*
* @param e [IN] - OpenSSL engine pointer
* @param id [IN] - engine id
*
* description:
* Connect Qat engine to OpenSSL engine library
******************************************************************************/
static int bind_qat(ENGINE *e, const char *id)
{
int ret = 0;
WARN("QAT Warnings enabled.\n");
DEBUG("QAT Debug enabled.\n");
DEBUG("[%s] id=%s\n", __func__, id);
if (id && (strcmp(id, engine_qat_id) != 0)) {
WARN("ENGINE_id defined already!\n");
goto end;
}
if (!ENGINE_set_id(e, engine_qat_id)) {
WARN("ENGINE_set_id failed\n");
goto end;
}
if (!ENGINE_set_name(e, engine_qat_name)) {
WARN("ENGINE_set_name failed\n");
goto end;
}
/* Ensure the QAT error handling is set up */
ERR_load_QAT_strings();
/*
* Create static structures for ciphers now
* as this function will be called by a single thread.
*/
qat_create_ciphers();
#ifndef OPENSSL_ENABLE_QAT_SMALL_PACKET_CIPHER_OFFLOADS
CRYPTO_THREAD_run_once(&qat_pkt_threshold_table_once,qat_pkt_threshold_table_make_key);
#endif
DEBUG("%s: About to set mem functions\n", __func__);
if (!ENGINE_set_RSA(e, qat_get_RSA_methods())) {
WARN("ENGINE_set_RSA failed\n");
goto end;
}
if (!ENGINE_set_DSA(e, qat_get_DSA_methods())) {
WARN("ENGINE_set_DSA failed\n");
goto end;
}
if (!ENGINE_set_DH(e, qat_get_DH_methods())) {
WARN("ENGINE_set_DH failed\n");
goto end;
}
if (!ENGINE_set_EC(e, qat_get_EC_methods())) {
WARN("ENGINE_set_EC failed\n");
goto end;
}
if (!ENGINE_set_ciphers(e, qat_ciphers)) {
WARN("ENGINE_set_ciphers failed\n");
goto end;
}
if (!ENGINE_set_pkey_meths(e, qat_PRF_pkey_methods)) {
WARN("ENGINE_set_pkey_meths failed\n");
goto end;
}
pthread_atfork(engine_fork_handler, NULL, NULL);
if (!ENGINE_set_destroy_function(e, qat_engine_destroy)
|| !ENGINE_set_init_function(e, qat_engine_init)
|| !ENGINE_set_finish_function(e, qat_engine_finish)
|| !ENGINE_set_ctrl_function(e, qat_engine_ctrl)
|| !ENGINE_set_cmd_defns(e, qat_cmd_defns)) {
WARN("[%s] failed reg destroy, init or finish\n", __func__);
goto end;
}
ret = 1;
end:
return ret;
}
/*
* This engine is always built into libcrypto, so it doesn't offer any
* ability to be dynamically loadable.
*/
void engine_load_devcrypto_int()
{
ENGINE *e = NULL;
if (access("/dev/crypto", R_OK | W_OK) < 0) {
fprintf(stderr,
"/dev/crypto not present, not enabling devcrypto engine\n");
return;
}
prepare_cipher_methods();
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
prepare_digest_methods();
#endif
if ((e = ENGINE_new()) == NULL)
return;
if (!ENGINE_set_id(e, "devcrypto")
|| !ENGINE_set_name(e, "/dev/crypto engine")
|| !ENGINE_set_destroy_function(e, devcrypto_unload)
/*
* Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
* implementations, it seems to only exist in FreeBSD, and regarding the
* parameters in its crypt_kop, the manual crypto(4) has this to say:
*
* The semantics of these arguments are currently undocumented.
*
* Reading through the FreeBSD source code doesn't give much more than
* their CRK_MOD_EXP implementation for ubsec.
*
* It doesn't look much better with cryptodev-linux. They have the crypt_kop
* structure as well as the command (CRK_*) in cryptodev.h, but no support
* seems to be implemented at all for the moment.
*
* At the time of writing, it seems impossible to write proper support for
* FreeBSD's asym features without some very deep knowledge and access to
* specific kernel modules.
*
* /Richard Levitte, 2017-05-11
*/
#if 0
# ifndef OPENSSL_NO_RSA
|| !ENGINE_set_RSA(e, devcrypto_rsa)
# endif
# ifndef OPENSSL_NO_DSA
|| !ENGINE_set_DSA(e, devcrypto_dsa)
# endif
# ifndef OPENSSL_NO_DH
|| !ENGINE_set_DH(e, devcrypto_dh)
# endif
# ifndef OPENSSL_NO_EC
|| !ENGINE_set_EC(e, devcrypto_ec)
# endif
#endif
|| !ENGINE_set_ciphers(e, devcrypto_ciphers)
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
|| !ENGINE_set_digests(e, devcrypto_digests)
#endif
) {
ENGINE_free(e);
return;
}
ENGINE_add(e);
ENGINE_free(e); /* Loose our local reference */
ERR_clear_error();
}
/******************************************************************************
* function:
* bind_qat(ENGINE *e,
* const char *id)
*
* @param e [IN] - OpenSSL engine pointer
* @param id [IN] - engine id
*
* description:
* Connect Qat engine to OpenSSL engine library
******************************************************************************/
static int bind_qat(ENGINE *e, const char *id)
{
int ret = 0;
#ifndef OPENSSL_ENABLE_QAT_UPSTREAM_DRIVER
int upstream_flags = 0;
unsigned int devmasks[] = { 0, 0, 0, 0, 0 };
#endif
QAT_DEBUG_LOG_INIT();
WARN("QAT Warnings enabled.\n");
DEBUG("QAT Debug enabled.\n");
DEBUG("id=%s\n", id);
if (access(QAT_DEV, F_OK) != 0) {
WARN("Qat memory driver not present\n");
QATerr(QAT_F_BIND_QAT, QAT_R_MEM_DRV_NOT_PRESENT);
goto end;
}
#ifndef OPENSSL_ENABLE_QAT_UPSTREAM_DRIVER
if (!getDevices(devmasks, &upstream_flags)) {
WARN("Qat device not present\n");
QATerr(QAT_F_BIND_QAT, QAT_R_QAT_DEV_NOT_PRESENT);
goto end;
}
#endif
if (id && (strcmp(id, engine_qat_id) != 0)) {
WARN("ENGINE_id defined already!\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_ID_ALREADY_DEFINED);
goto end;
}
if (!ENGINE_set_id(e, engine_qat_id)) {
WARN("ENGINE_set_id failed\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_SET_ID_FAILURE);
goto end;
}
if (!ENGINE_set_name(e, engine_qat_name)) {
WARN("ENGINE_set_name failed\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_SET_NAME_FAILURE);
goto end;
}
/* Ensure the QAT error handling is set up */
ERR_load_QAT_strings();
/*
* Create static structures for ciphers now
* as this function will be called by a single thread.
*/
qat_create_ciphers();
if (!ENGINE_set_RSA(e, qat_get_RSA_methods())) {
WARN("ENGINE_set_RSA failed\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_SET_RSA_FAILURE);
goto end;
}
if (!ENGINE_set_DSA(e, qat_get_DSA_methods())) {
WARN("ENGINE_set_DSA failed\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_SET_DSA_FAILURE);
goto end;
}
if (!ENGINE_set_DH(e, qat_get_DH_methods())) {
WARN("ENGINE_set_DH failed\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_SET_DH_FAILURE);
goto end;
}
if (!ENGINE_set_EC(e, qat_get_EC_methods())) {
WARN("ENGINE_set_EC failed\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_SET_EC_FAILURE);
goto end;
}
if (!ENGINE_set_ciphers(e, qat_ciphers)) {
WARN("ENGINE_set_ciphers failed\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_SET_CIPHER_FAILURE);
goto end;
}
if (!ENGINE_set_pkey_meths(e, qat_PRF_pkey_methods)) {
WARN("ENGINE_set_pkey_meths failed\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_SET_PKEY_FAILURE);
goto end;
}
pthread_atfork(engine_finish_before_fork_handler, NULL,
engine_init_child_at_fork_handler);
ret = 1;
ret &= ENGINE_set_destroy_function(e, qat_engine_destroy);
ret &= ENGINE_set_init_function(e, qat_engine_init);
ret &= ENGINE_set_finish_function(e, qat_engine_finish);
ret &= ENGINE_set_ctrl_function(e, qat_engine_ctrl);
ret &= ENGINE_set_cmd_defns(e, qat_cmd_defns);
if (ret == 0) {
WARN("Engine failed to register init, finish or destroy functions\n");
QATerr(QAT_F_BIND_QAT, QAT_R_ENGINE_REGISTER_FUNC_FAILURE);
}
end:
return ret;
}
