[PATCH] patch to OpenCrypto framework

Kennedy, Brendan brendan.kennedy at intel.com
Wed Feb 24 16:54:15 UTC 2010


Hi Philip, All,



Attached is a patch to the OpenCrypto framework. It has been tested with FreeBSD 7.1, but the relevant code sections do not seem to have changed for FreeBSD 8.

I have also attached a patch to OpenSSL as a reference (that patch will be released to OpenSSL HEAD also). One of the changes to cryptodev.c affects how it communicates with eng_cryptodev.c in OpenSSL.



This OpenCrypto patch does a number of updates:

1) It updates Cryptodev to allocate contiguous memory blocks – a requirement for some hardware drivers

2) It allows the Cryptodev driver to differentiate between a process fail and an algorithm fail – mainly affecting DSA verify functionality. Please also see the OpenSSL patch to get the full picture. If a driver does not support certain key sizes, it should still be possible to run the verify in software.



I’ve commented within the patch code below.



diff -rup kernelsrc.orig/sys/opencrypto/cryptodev.c kernelsrc.patched/sys/opencrypto/cryptodev.c

--- kernelsrc.orig/sys/opencrypto/cryptodev.c   2008-11-25 02:59:29.000000000 +0000

+++ kernelsrc.patched/sys/opencrypto/cryptodev.c        2009-04-28 14:47:09.000000000 +0000

@@ -397,8 +392,10 @@

                cse->uio.uio_iov[0].iov_len = cop->len;

                if (cse->thash)

                                cse->uio.uio_iov[0].iov_len += cse->thash->hashsize;

-              cse->uio.uio_iov[0].iov_base = malloc(cse->uio.uio_iov[0].iov_len,

-                  M_XDATA, M_WAITOK);

+

+             cse->uio.uio_iov[0].iov_base = contigmalloc(cse->uio.uio_iov[0].iov_len,

+                             M_DEVBUF, 0, 0, (1L << 31),

+                             8, 1024 * 1024);



                crp = crypto_getreq((cse->txform != NULL) + (cse->thash != NULL));

                if (crp == NULL) {
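
Review bot: the contigmalloc() result assigned to iov_base is used without a NULL check in the lines shown, and crypto_getreq() follows immediately. The replaced malloc() was called with M_WAITOK, whereas the new call passes 0 for the flags argument, so a failed contiguous allocation now has to be handled here; suggest testing iov_base for NULL and failing the request (for example with ENOMEM) before crypto_getreq(). The length is cop->len plus the hash size, and the 1024 * 1024 boundary argument means a request larger than 1 MB cannot be satisfied, so the failure path is reachable by asking for a large buffer. The bare values (1L << 31), 8 and 1024 * 1024 would be better as named constants with a comment saying which hardware constraint each one encodes.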

@@ -519,7 +516,8 @@

                if (crp)

                                crypto_freereq(crp);

                if (cse->uio.uio_iov[0].iov_base)

-                              free(cse->uio.uio_iov[0].iov_base, M_XDATA);

+                             contigfree(cse->uio.uio_iov[0].iov_base,

+                                             cse->uio.uio_iov[0].iov_len, M_DEVBUF);



---------------------------

[Brendan] these are the changes for contig allocation/freeing

---------------------------



                return (error);

 }
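
Review bot: contigfree() in the cleanup path takes its size from cse->uio.uio_iov[0].iov_len as it stands at the time of the free, and that size must equal the one passed to contigmalloc(). If anything between the allocation and this path changes iov_len, the wrong size is released; suggest keeping the allocated length in a local variable and passing that here. The malloc type also changes from M_XDATA to M_DEVBUF, so any other path that frees this buffer needs the same change.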

@@ -601,10 +599,13 @@

                krp->krp_status = 0;

                krp->krp_callback = (int (*) (struct cryptkop *)) cryptodevkey_cb;



-              for (i = 0; i < CRK_MAXPARAM; i++) {

-                              if (kop->crk_param[i].crp_nbits > 65536)

+             for (i = 0; i < in + out; i++) {

+                             if (kop->crk_param[i].crp_nbits > 65536) {

                                                /* Limit is the same as in OpenBSD */

+                                             printf("<crypto>: arg size limit breached, size= %d\n",

+                                                                             kop->crk_param[i].crp_nbits);

                                                goto fail;

+                             }

---------------------------

[Brendan] A slight optimization + some debug. However this could cause a crash if Cryptodev is fed bad parameters from userspace

---------------------------





                                krp->krp_param[i].crp_nbits = kop->crk_param[i].crp_nbits;

                }

                for (i = 0; i < krp->krp_iparams + krp->krp_oparams; i++) {
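
Review bot: the loop bound changes from CRK_MAXPARAM to in + out, and nothing in the lines shown checks that in + out is no larger than CRK_MAXPARAM before kop->crk_param[i] and krp->krp_param[i] are indexed. The inline comment already notes that bad parameters from userspace could cause a crash; suggest rejecting the request when in + out exceeds CRK_MAXPARAM ahead of the loop, or keeping CRK_MAXPARAM as the bound. The added printf() fires on a condition any caller can trigger, so it should be rate limited or compiled in for debug builds only.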

@@ -630,7 +631,6 @@



                kop->crk_crid = krp->krp_crid;                  /* device that did the work */

                if (krp->krp_status != 0) {

-                              error = krp->krp_status;

                                goto fail;

                }
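
Review bot: with error = krp->krp_status removed, the goto fail after a non-zero krp_status leaves error at whatever value it held before, so the ioctl can return success for an operation the device failed. The lines shown do not copy krp_status back to the caller before the branch, yet for DSA verify the userspace side has to tell a hardware failure from a 'not verified' result. Suggest setting kop->crk_status = krp->krp_status before the goto and documenting that contract in a comment, so that a failed hardware operation can never be read as a successful verify.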

---------------------------

[Brendan] For DSA verify – if the Hardware process fails (as opposed to the algorithm saying ‘not verified’), it can still be run in software. This is helpful for hardware that only supports certain key sizes.

---------------------------







--------------------------------------------------------------
Intel Shannon Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263
Business address: Dromore House, East Park, Shannon, Co. Clare


-------------- next part --------------
A non-text attachment was scrubbed...
Name: opencrypto_FreeBSD7.1.patch
Type: application/octet-stream
Size: 3363 bytes
Desc: opencrypto_FreeBSD7.1.patch
Url : http://lists.freebsd.org/pipermail/freebsd-drivers/attachments/20100224/b1e5d775/opencrypto_FreeBSD7.1.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ocf-openssl-0 9 8_1_0_0_eng_cryptodev_PKE_fix.patch
Type: application/octet-stream
Size: 3740 bytes
Desc: ocf-openssl-0 9 8_1_0_0_eng_cryptodev_PKE_fix.patch
Url : http://lists.freebsd.org/pipermail/freebsd-drivers/attachments/20100224/b1e5d775/ocf-openssl-098_1_0_0_eng_cryptodev_PKE_fix.obj

