diff options
author | Miloslav Trmač <mitr@redhat.com> | 2010-08-23 20:28:32 +0200 |
---|---|---|
committer | Miloslav Trmač <mitr@redhat.com> | 2010-08-23 20:28:32 +0200 |
commit | b3fcd1e159bf7bd5b318d4558198fca090deb2fe (patch) | |
tree | d1821ce0be2ede05bc3417bcba2ace0e2002e250 | |
parent | c3eeccf6491c632037dfef737f3e40ed24e5bf72 (diff) | |
parent | a3fe06856efe0a7b4ad713ff73a14f6af995d07e (diff) | |
download | cryptodev-linux-integration.tar.gz cryptodev-linux-integration.tar.xz cryptodev-linux-integration.zip |
Merge branch 'userspace' into integrationintegration
Conflicts:
examples/Makefile
-rw-r--r-- | .gitignore | 5 | ||||
-rw-r--r-- | Makefile | 3 | ||||
-rw-r--r-- | examples/Makefile | 18 | ||||
-rw-r--r-- | examples/ncr_lib.c | 471 | ||||
-rw-r--r-- | examples/pk_lib.c | 741 | ||||
-rw-r--r-- | userspace/Makefile | 24 | ||||
-rw-r--r-- | userspace/ncrypto.h | 230 | ||||
-rw-r--r-- | userspace/ncrypto_fd.c | 72 | ||||
-rw-r--r-- | userspace/ncrypto_generate_params.c | 182 | ||||
-rw-r--r-- | userspace/ncrypto_internal.h | 36 | ||||
-rw-r--r-- | userspace/ncrypto_key.c | 390 | ||||
-rw-r--r-- | userspace/ncrypto_masterkey.c | 61 | ||||
-rw-r--r-- | userspace/ncrypto_params.c | 146 | ||||
-rw-r--r-- | userspace/ncrypto_session.c | 245 |
14 files changed, 2478 insertions, 146 deletions
@@ -8,10 +8,15 @@ Module.symvers *.mod.c modules.order examples/ncr +examples/ncr_lib examples/pk +examples/pk_lib examples/speed releases scripts userspace/ncr-setkey +userspace/libcryptodev.so +userspace/libcryptodev.so.* +userspace/linux version.h tags @@ -77,6 +77,8 @@ obj-m += cryptodev.o build: @$(MAKE) version.h $(MAKE) -C $(KERNEL_DIR) SUBDIRS=`pwd` modules + $(MAKE) -C userspace + $(MAKE) -C examples install: $(MAKE) -C $(KERNEL_DIR) SUBDIRS=`pwd` modules_install @@ -86,6 +88,7 @@ install: clean: $(MAKE) -C $(KERNEL_DIR) SUBDIRS=`pwd` clean rm -f $(hostprogs) + $(MAKE) -C userspace clean KERNEL_DIR=$(KERNEL_DIR) $(MAKE) -C examples clean check: diff --git a/examples/Makefile b/examples/Makefile index d149088..69c1f5c 100644 --- a/examples/Makefile +++ b/examples/Makefile @@ -1,7 +1,9 @@ CC = gcc -CFLAGS = -Wall -g -O2 +CFLAGS = -Wall -g -O2 -I../userspace +GNUTLS_LDFLAGS = -L/usr/local/lib -lgnutls +USERSPACE_LDFLAGS = -L../userspace -lcryptodev -progs := ncr pk speed +progs := ncr ncr_lib pk pk_lib speed all: $(progs) @@ -11,13 +13,21 @@ speed: speed.c ncr: ncr.c $(CC) $(CFLAGS) $< -o $@ +ncr_lib: ncr_lib.c + $(CC) $(CFLAGS) $< $(USERSPACE_LDFLAGS) -o $@ + pk: pk.c - $(CC) $(CFLAGS) $< -o $@ -L/usr/local/lib -lgnutls + $(CC) $(CFLAGS) $< -o $@ $(GNUTLS_LDFLAGS) + +pk_lib: pk_lib.c + $(CC) $(CFLAGS) $< $(GNUTLS_LDFLAGS) $(USERSPACE_LDFLAGS) -o $@ check: $(progs) ./ncr + LD_LIBRARY_PATH=../userspace ./ncr_lib ./pk + LD_LIBRARY_PATH=../userspace ./pk_lib ./speed clean: - rm -f *.o *~ ncr pk speed + rm -f *.o *~ $(progs)
\ No newline at end of file diff --git a/examples/ncr_lib.c b/examples/ncr_lib.c new file mode 100644 index 0000000..29a7fbe --- /dev/null +++ b/examples/ncr_lib.c @@ -0,0 +1,471 @@ +/* + * Demo on how to use libcryptodev for HMAC. + * + * Placed under public domain. + * + */ +#include <stdint.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <time.h> +#include <sys/types.h> +#include <stdlib.h> + +#include <ncrypto.h> + +#define DATA_SIZE 4096 +#define KEY_DATA_SIZE 16 +#define WRAPPED_KEY_DATA_SIZE 32 +#define DKEY "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF" +#define DIAGNOSTIC_CALL(f,p...) \ + if ((output_size = f(p)) < 0) { \ + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); \ + perror(#f); \ + return 1; \ + } +#define DIAGNOSTIC_ERROR(p...) \ + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); \ + fprintf(stderr, p); +#define DIAGNOSTIC_DUMP(d,l) \ + { \ + int out_index; \ + \ + for (out_index = 0; out_index < l; out_index++) \ + fprintf(stderr, "%.2x:", (int)d[out_index]); \ + fprintf(stderr, "\n"); \ + } + +static void randomize_data(uint8_t * data, size_t data_size) +{ + int i; + + srand(time(0) * getpid()); + for (i = 0; i < data_size; i++) { + data[i] = rand() & 0xff; + } +} + +static int +test_ncr_key(void) +{ + ncr_key_t key; + uint8_t data[KEY_DATA_SIZE]; + uint8_t data_bak[KEY_DATA_SIZE]; + ssize_t output_size; + ncr_key_generate_params_t params; + + fprintf(stdout, "Tests on Keys:\n"); + + /* test 1: generate a key in userspace import it + * to kernel via data and export it. + */ + + fprintf(stdout, "\tKey import...\n"); + randomize_data(data, sizeof(data)); + memcpy(data_bak, data, sizeof(data)); + DIAGNOSTIC_CALL(ncr_key_init, &key); + /* import into a key */ + DIAGNOSTIC_CALL(ncr_key_import, key, data, sizeof(data), "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE); + /* now try to read it */ + fprintf(stdout, "\tKey export...\n"); + DIAGNOSTIC_CALL(ncr_key_export, key, data, sizeof(data)); + if ((output_size != sizeof(data)) || memcmp(data, data_bak, sizeof(data))) { + DIAGNOSTIC_ERROR("data returned but differ!\n"); + return 1; + } + DIAGNOSTIC_CALL(ncr_key_deinit, key); + + /* finished, we keep data for next test */ + + /* test 2: generate a key in kernel space and + * export it. + */ + + fprintf(stdout, "\tKey generation...\n"); + DIAGNOSTIC_CALL(ncr_key_generate_params_init, ¶ms); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_algorithm, params, NCR_ALG_AES_CBC); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_keyflags, params, NCR_KEY_FLAG_EXPORTABLE); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_secret_bits, params, 128); /* 16 bytes */ + DIAGNOSTIC_CALL(ncr_key_init, &key); + /* generate a key */ + DIAGNOSTIC_CALL(ncr_key_generate, key, params); + DIAGNOSTIC_CALL(ncr_key_generate_params_deinit, params); + memset(data, 0, sizeof(data)); + DIAGNOSTIC_CALL(ncr_key_export, key, data, sizeof(data)); + if (output_size == 0 || (data[0] == 0 && data[1] == 0 && data[2] == 0 && data[4] == 0)) { + DIAGNOSTIC_ERROR("Generated key: "); + DIAGNOSTIC_DUMP(data, 16); + return 1; + } + DIAGNOSTIC_CALL(ncr_key_deinit, key); + + /* test 3: generate an unexportable key in kernel space and + * try to export it. + */ + fprintf(stdout, "\tKey protection of non-exportable keys...\n"); + DIAGNOSTIC_CALL(ncr_key_generate_params_init, ¶ms); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_algorithm, params, NCR_ALG_AES_CBC); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_keyflags, params, 0); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_secret_bits, params, 128); /* 16 bytes */ + DIAGNOSTIC_CALL(ncr_key_init, &key); + DIAGNOSTIC_CALL(ncr_key_generate, key, params); + DIAGNOSTIC_CALL(ncr_key_generate_params_deinit, params); + memset(data, 0, sizeof(data)); + /* try to get the output data - should fail */ + if (ncr_key_export(key, data, sizeof(data)) >= 0) { + DIAGNOSTIC_ERROR("Data were exported, but shouldn't be!\n"); + return 1; + } + DIAGNOSTIC_CALL(ncr_key_deinit, key); + return 0; +} + +/* Key wrapping */ +static int +test_ncr_wrap_key(void) +{ + ncr_key_t key, key2; + uint8_t data[WRAPPED_KEY_DATA_SIZE]; + ssize_t output_size, data_size; + + fprintf(stdout, "Tests on Keys:\n"); + + /* test 1: generate a key in userspace import it + * to kernel via data and export it. + */ + + fprintf(stdout, "\tKey Wrap test...\n"); + DIAGNOSTIC_CALL(ncr_key_init, &key); + /* import into a key */ + DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE); + DIAGNOSTIC_CALL(ncr_key_init, &key2); + /* import into a key2 */ + DIAGNOSTIC_CALL(ncr_key_import, key2, DKEY, 16, "ba", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE); + /* now try wrapping key2 using key */ + DIAGNOSTIC_CALL(ncr_key_wrap, key, NCR_WALG_AES_RFC3394, NULL, key2, data, sizeof(data)); + data_size = output_size; + if (output_size != 24 || memcmp(data, "\x1F\xA6\x8B\x0A\x81\x12\xB4\x47\xAE\xF3\x4B\xD8\xFB\x5A\x7B\x82\x9D\x3E\x86\x23\x71\xD2\xCF\xE5", 24) != 0) { + DIAGNOSTIC_ERROR("Wrapped data do not match.\nData[%d]: ", (int) output_size); + DIAGNOSTIC_DUMP(data, output_size); + return 1; + } + DIAGNOSTIC_CALL(ncr_key_deinit, key2); + /* test unwrapping */ + fprintf(stdout, "\tKey Unwrap test...\n"); + + /* create empty key2 */ + DIAGNOSTIC_CALL(ncr_key_init, &key2); + DIAGNOSTIC_CALL(ncr_key_unwrap, key, NCR_WALG_AES_RFC3394, NULL, key2, data, data_size); + /* now export the unwrapped */ +#if 0 + /* this cannot be performed like that, because unwrap + * always sets keys as unexportable. Maybe we can implement + * a data comparison ioctl(). + */ +#endif + DIAGNOSTIC_CALL(ncr_key_deinit, key2); + DIAGNOSTIC_CALL(ncr_key_deinit, key); + + return 0; +} + +static int +test_ncr_store_wrap_key(void) +{ + ncr_key_t key2; + uint8_t data[DATA_SIZE]; + int data_size; + ssize_t output_size; + + fprintf(stdout, "Tests on Key storage:\n"); + + /* test 1: generate a key in userspace import it + * to kernel via data and export it. + */ + + fprintf(stdout, "\tKey Storage wrap test...\n"); + /* create empty key2 */ + DIAGNOSTIC_CALL(ncr_key_init, &key2); + /* import into a key2 */ + DIAGNOSTIC_CALL(ncr_key_import, key2, DKEY, 16, "ba", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE); + /* now try wrapping key2 using masterkey */ + DIAGNOSTIC_CALL(ncr_key_storage_wrap, key2, data, sizeof(data)); + /* test unwrapping */ + data_size = output_size; + fprintf(stdout, "\tKey Storage Unwrap test...\n"); + /* reset key2 */ + DIAGNOSTIC_CALL(ncr_key_deinit, key2); + DIAGNOSTIC_CALL(ncr_key_init, &key2); + DIAGNOSTIC_CALL(ncr_key_storage_unwrap, key2, data, data_size); + /* now export the unwrapped */ + DIAGNOSTIC_CALL(ncr_key_export, key2, data, sizeof(data)); + if (output_size != 16 || memcmp(data, DKEY, 16)) { + DIAGNOSTIC_ERROR("Unwrapped data do not match.\n"); + DIAGNOSTIC_DUMP(data, output_size); + return 1; + } + DIAGNOSTIC_CALL(ncr_key_deinit, key2); + + return 0; + +} + +struct aes_vectors_st { + const uint8_t* key; + const uint8_t* plaintext; + const uint8_t* ciphertext; +} aes_vectors[] = { + { + .key = (uint8_t*)"\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .plaintext = (uint8_t*)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .ciphertext = (uint8_t*)"\x4b\xc3\xf8\x83\x45\x0c\x11\x3c\x64\xca\x42\xe1\x11\x2a\x9e\x87", + }, + { + .key = (uint8_t*)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .plaintext = (uint8_t*)"\xf3\x44\x81\xec\x3c\xc6\x27\xba\xcd\x5d\xc3\xfb\x08\xf2\x73\xe6", + .ciphertext = (uint8_t*)"\x03\x36\x76\x3e\x96\x6d\x92\x59\x5a\x56\x7c\xc9\xce\x53\x7f\x5e", + }, + { + .key = (uint8_t*)"\x10\xa5\x88\x69\xd7\x4b\xe5\xa3\x74\xcf\x86\x7c\xfb\x47\x38\x59", + .plaintext = (uint8_t*)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .ciphertext = (uint8_t*)"\x6d\x25\x1e\x69\x44\xb0\x51\xe0\x4e\xaa\x6f\xb4\xdb\xf7\x84\x65", + }, + { + .key = (uint8_t*)"\xca\xea\x65\xcd\xbb\x75\xe9\x16\x9e\xcd\x22\xeb\xe6\xe5\x46\x75", + .plaintext = (uint8_t*)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .ciphertext = (uint8_t*)"\x6e\x29\x20\x11\x90\x15\x2d\xf4\xee\x05\x81\x39\xde\xf6\x10\xbb", + }, + { + .key = (uint8_t*)"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe", + .plaintext = (uint8_t*)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .ciphertext = (uint8_t*)"\x9b\xa4\xa9\x14\x3f\x4e\x5d\x40\x48\x52\x1c\x4f\x88\x77\xd8\x8e", + }, +}; + +/* AES cipher */ +static int +test_ncr_aes(void) +{ + ncr_key_t key; + uint8_t data[KEY_DATA_SIZE]; + int i; + ssize_t output_size; + + /* convert it to key */ + DIAGNOSTIC_CALL(ncr_key_init, &key); + + fprintf(stdout, "Tests on AES Encryption\n"); + for (i = 0; i < sizeof(aes_vectors) / sizeof(aes_vectors[0]); i++) { + DIAGNOSTIC_CALL(ncr_key_import, key, (void*)aes_vectors[i].key, 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE); + /* encrypt */ + DIAGNOSTIC_CALL(ncr_session_once_direct_data, key, NULL, NCR_OP_ENCRYPT, NCR_ALG_AES_ECB, (void*)aes_vectors[i].plaintext, 16, data, 16); + /* verify */ + if (output_size != 16 || memcmp(data, aes_vectors[i].ciphertext, 16)) { + DIAGNOSTIC_ERROR("AES test vector %d failed!\n", i); + fprintf(stderr, "Cipher[%d]: ", (int)output_size); + DIAGNOSTIC_DUMP(data, output_size); + fprintf(stderr, "Expected[%d]: ", 16); + DIAGNOSTIC_DUMP(aes_vectors[i].ciphertext, 16); + return 1; + } + } + + fprintf(stdout, "Tests on AES Decryption\n"); + for (i = 0; i < sizeof(aes_vectors) / sizeof(aes_vectors[0]); i++) { + DIAGNOSTIC_CALL(ncr_key_import, key, (void*)aes_vectors[i].key, 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE); + /* decrypt */ + DIAGNOSTIC_CALL(ncr_session_once_direct_data, key, NULL, NCR_OP_DECRYPT, NCR_ALG_AES_ECB, (void*)aes_vectors[i].ciphertext, 16, data, 16); + if (output_size != 16 || memcmp(data, aes_vectors[i].plaintext, 16)) { + DIAGNOSTIC_ERROR("AES test vector %d failed!\n", i); + fprintf(stderr, "Plain[%d]: ", (int)output_size); + DIAGNOSTIC_DUMP(data, output_size); + fprintf(stderr, "Expected[%d]: ", 16); + DIAGNOSTIC_DUMP(aes_vectors[i].plaintext, 16); + return 1; + } + } + + DIAGNOSTIC_CALL(ncr_key_deinit, key); + fprintf(stdout, "\n"); + + return 0; +} + +struct hash_vectors_st { + const char* name; + ncr_algorithm_t algorithm; + const uint8_t* key; /* if hmac */ + int key_size; + const uint8_t* plaintext; + int plaintext_size; + const uint8_t* output; + int output_size; + ncr_crypto_op_t op; +} hash_vectors[] = { + { + .name = "SHA1", + .algorithm = NCR_ALG_SHA1, + .key = NULL, + .plaintext = (uint8_t*)"what do ya want for nothing?", + .plaintext_size = sizeof("what do ya want for nothing?")-1, + .output = (uint8_t*)"\x8f\x82\x03\x94\xf9\x53\x35\x18\x20\x45\xda\x24\xf3\x4d\xe5\x2b\xf8\xbc\x34\x32", + .output_size = 20, + .op = NCR_OP_SIGN, + }, + { + .name = "HMAC-MD5", + .algorithm = NCR_ALG_HMAC_MD5, + .key = (uint8_t*)"Jefe", + .key_size = 4, + .plaintext = (uint8_t*)"what do ya want for nothing?", + .plaintext_size = sizeof("what do ya want for nothing?")-1, + .output = (uint8_t*)"\x75\x0c\x78\x3e\x6a\xb0\xb5\x03\xea\xa8\x6e\x31\x0a\x5d\xb7\x38", + .output_size = 16, + .op = NCR_OP_SIGN, + }, + /* from rfc4231 */ + { + .name = "HMAC-SHA224", + .algorithm = NCR_ALG_HMAC_SHA2_224, + .key = (uint8_t*)"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", + .key_size = 20, + .plaintext = (uint8_t*)"Hi There", + .plaintext_size = sizeof("Hi There")-1, + .output = (uint8_t*)"\x89\x6f\xb1\x12\x8a\xbb\xdf\x19\x68\x32\x10\x7c\xd4\x9d\xf3\x3f\x47\xb4\xb1\x16\x99\x12\xba\x4f\x53\x68\x4b\x22", + .output_size = 28, + .op = NCR_OP_SIGN, + }, + { + .name = "HMAC-SHA256", + .algorithm = NCR_ALG_HMAC_SHA2_256, + .key = (uint8_t*)"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", + .key_size = 20, + .plaintext = (uint8_t*)"Hi There", + .plaintext_size = sizeof("Hi There")-1, + .output = (uint8_t*)"\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1\x2b\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32\xcf\xf7", + .output_size = 32, + .op = NCR_OP_SIGN, + }, + { + .name = "HMAC-SHA384", + .algorithm = NCR_ALG_HMAC_SHA2_384, + .key = (uint8_t*)"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", + .key_size = 20, + .plaintext = (uint8_t*)"Hi There", + .plaintext_size = sizeof("Hi There")-1, + .output = (uint8_t*)"\xaf\xd0\x39\x44\xd8\x48\x95\x62\x6b\x08\x25\xf4\xab\x46\x90\x7f\x15\xf9\xda\xdb\xe4\x10\x1e\xc6\x82\xaa\x03\x4c\x7c\xeb\xc5\x9c\xfa\xea\x9e\xa9\x07\x6e\xde\x7f\x4a\xf1\x52\xe8\xb2\xfa\x9c\xb6", + .output_size = 48, + .op = NCR_OP_SIGN, + }, + { + .name = "HMAC-SHA512", + .algorithm = NCR_ALG_HMAC_SHA2_512, + .key = (uint8_t*)"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", + .key_size = 20, + .plaintext = (uint8_t*)"Hi There", + .plaintext_size = sizeof("Hi There")-1, + .output = (uint8_t*)"\x87\xaa\x7c\xde\xa5\xef\x61\x9d\x4f\xf0\xb4\x24\x1a\x1d\x6c\xb0\x23\x79\xf4\xe2\xce\x4e\xc2\x78\x7a\xd0\xb3\x05\x45\xe1\x7c\xde\xda\xa8\x33\xb7\xd6\xb8\xa7\x02\x03\x8b\x27\x4e\xae\xa3\xf4\xe4\xbe\x9d\x91\x4e\xeb\x61\xf1\x70\x2e\x69\x6c\x20\x3a\x12\x68\x54", + .output_size = 64, + .op = NCR_OP_SIGN, + }, +}; + +#define HASH_DATA_SIZE 64 + +/* SHA1 and other hashes */ +static int +test_ncr_hash(void) +{ + ncr_key_t key = 0; + uint8_t data[HASH_DATA_SIZE]; + int i; + int output_size; + + /* convert it to key */ + DIAGNOSTIC_CALL(ncr_key_init, &key); + fprintf(stdout, "Tests on Hashes\n"); + for (i = 0; i < sizeof(hash_vectors) / sizeof(hash_vectors[0]); i++) { + /* encrypt */ + if (hash_vectors[i].key != NULL) { + DIAGNOSTIC_CALL(ncr_key_import, key, (void*)hash_vectors[i].key, hash_vectors[i].key_size, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE); + DIAGNOSTIC_CALL(ncr_session_once_direct_data, key, NULL, hash_vectors[i].op, hash_vectors[i].algorithm, (void*)hash_vectors[i].plaintext, hash_vectors[i].plaintext_size, data, sizeof(data)); + } else { + DIAGNOSTIC_CALL(ncr_session_once_direct_data, NCR_KEY_INVALID, NULL, hash_vectors[i].op, hash_vectors[i].algorithm, (void*)hash_vectors[i].plaintext, hash_vectors[i].plaintext_size, data, sizeof(data)); + } + if (output_size != hash_vectors[i].output_size || memcmp(data, hash_vectors[i].output, hash_vectors[i].output_size)) { + DIAGNOSTIC_ERROR("HASH test vector %d failed!\n", i); + fprintf(stderr, "Output[%d]: ", (int)output_size); + DIAGNOSTIC_DUMP(data, output_size); + fprintf(stderr, "Expected[%d]: ", hash_vectors[i].output_size); + DIAGNOSTIC_DUMP(hash_vectors[i].output, hash_vectors[i].output_size); + return 1; + } + } + + DIAGNOSTIC_CALL(ncr_key_deinit, key); + fprintf(stdout, "\n"); + + return 0; + +} + +static int +test_ncr_hash_key(void) +{ + ncr_key_t key; + uint8_t data[HASH_DATA_SIZE]; + ncr_session_t session; + const uint8_t *output = (void*)"\xe2\xd7\x2c\x2e\x14\xad\x97\xc8\xd2\xdb\xce\xd8\xb3\x52\x9f\x1c\xb3\x2c\x5c\xec"; + int output_size; + + /* convert it to key */ + DIAGNOSTIC_CALL(ncr_key_init, &key); + + fprintf(stdout, "Tests on Hashes of Keys\n"); + fprintf(stdout, "\t%s:\n", hash_vectors[0].name); + + /* import key */ + DIAGNOSTIC_CALL(ncr_key_import, key, (void*)hash_vectors[0].plaintext, hash_vectors[0].plaintext_size, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE); + + + /* encrypt */ + DIAGNOSTIC_CALL(ncr_session_init, &session, NCR_KEY_INVALID, NULL, hash_vectors[0].op, hash_vectors[0].algorithm); + DIAGNOSTIC_CALL(ncr_session_update_direct_data, session, (void*)hash_vectors[0].plaintext, hash_vectors[0].plaintext_size, NULL, 0); + DIAGNOSTIC_CALL(ncr_session_update_key_data, session, key, NULL, 0); + DIAGNOSTIC_CALL(ncr_session_final, session, data, sizeof(data)); + if (output_size != hash_vectors[0].output_size || memcmp(data, output, hash_vectors[0].output_size) != 0) { + DIAGNOSTIC_ERROR("HASH test vector %d failed!\n", 0); + fprintf(stderr, "Output[%d]: ", (int)output_size); + DIAGNOSTIC_DUMP(data, output_size); + fprintf(stderr, "Expected[%d]: ", hash_vectors[0].output_size); + DIAGNOSTIC_DUMP(hash_vectors[0].output, hash_vectors[0].output_size); + return 1; + } + + fprintf(stdout, "\n"); + return 0; +} + +int +main() +{ + /* Open the crypto device */ + ncr_global_init(0); + if (test_ncr_key()) + return 1; + if (test_ncr_aes()) + return 1; + if (test_ncr_hash()) + return 1; + if (test_ncr_hash_key()) + return 1; + if (test_ncr_wrap_key()) + return 1; + if (test_ncr_store_wrap_key()) + return 1; + /* Close the original descriptor */ + ncr_global_deinit(); + + return 0; +} diff --git a/examples/pk_lib.c b/examples/pk_lib.c new file mode 100644 index 0000000..b184b78 --- /dev/null +++ b/examples/pk_lib.c @@ -0,0 +1,741 @@ +/* + * Demo on how to use /dev/crypto device for HMAC. + * + * Placed under public domain. + * + */ +#include <stdint.h> +#include <stdio.h> +#include <string.h> +#include <sys/types.h> +#include <stdlib.h> + +#include <ncrypto.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#if GNUTLS_VERSION_NUMBER >= 0x020b00 +# include <gnutls/abstract.h> +#endif + +#define DATA_SIZE 4096 + +#define DIAGNOSTIC_CALL(f,p...) \ + if ((output_size = f(p)) < 0) { \ + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); \ + perror(#f); \ + return 1; \ + } +#define DIAGNOSTIC_ERROR(p...) \ + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); \ + fprintf(stderr, p); +#define DIAGNOSTIC_DUMP(d,l) \ + { \ + int out_index; \ + \ + for (out_index = 0; out_index < l; out_index++) \ + fprintf(stderr, "%.2x:", (int)d[out_index]); \ + fprintf(stderr, "\n"); \ + } + +static void +print_hex_datum (gnutls_datum_t * dat) +{ + unsigned int j; +#define SPACE "\t" + fprintf (stdout, "\n" SPACE); + for (j = 0; j < dat->size; j++) + { + fprintf (stdout, "%.2x:", (unsigned char) dat->data[j]); + if ((j + 1) % 15 == 0) + fprintf (stdout, "\n" SPACE); + } + fprintf (stdout, "\n"); +} + +static void +print_dsa_pkey (gnutls_datum_t * x, gnutls_datum_t * y, gnutls_datum_t * p, + gnutls_datum_t * q, gnutls_datum_t * g) +{ + if (x) + { + fprintf (stdout, "private key:"); + print_hex_datum (x); + } + fprintf (stdout, "public key:"); + print_hex_datum (y); + fprintf (stdout, "p:"); + print_hex_datum (p); + fprintf (stdout, "q:"); + print_hex_datum (q); + fprintf (stdout, "g:"); + print_hex_datum (g); +} + +static void +print_rsa_pkey (gnutls_datum_t * m, gnutls_datum_t * e, gnutls_datum_t * d, + gnutls_datum_t * p, gnutls_datum_t * q, gnutls_datum_t * u, + gnutls_datum_t * exp1, gnutls_datum_t *exp2) +{ + fprintf (stdout, "modulus:"); + print_hex_datum (m); + fprintf (stdout, "public exponent:"); + print_hex_datum (e); + if (d) + { + fprintf (stdout, "private exponent:"); + print_hex_datum (d); + fprintf (stdout, "prime1:"); + print_hex_datum (p); + fprintf (stdout, "prime2:"); + print_hex_datum (q); + fprintf (stdout, "coefficient:"); + print_hex_datum (u); + if (exp1 && exp2) + { + fprintf (stdout, "exp1:"); + print_hex_datum (exp1); + fprintf (stdout, "exp2:"); + print_hex_datum (exp2); + } + } +} + +static const char * +raw_to_string (const unsigned char *raw, size_t raw_size) +{ + static char buf[1024]; + size_t i; + if (raw_size == 0) + return NULL; + + if (raw_size * 3 + 1 >= sizeof (buf)) + return NULL; + + for (i = 0; i < raw_size; i++) { + sprintf (&(buf[i * 3]), "%02X%s", raw[i], + (i == raw_size - 1) ? "" : ":"); + } + buf[sizeof (buf) - 1] = '\0'; + + return buf; +} + +int privkey_info (void* data, int data_size, int verbose) +{ + gnutls_x509_privkey_t key; + size_t size; + int ret; + gnutls_datum_t der; + unsigned char buffer[5*1024]; + const char *cprint; + + ret = gnutls_x509_privkey_init (&key); + if (ret < 0) { + fprintf(stderr, "error in privkey_init\n"); + return 1; + } + + der.data = data; + der.size = data_size; + + ret = gnutls_x509_privkey_import (key, &der, GNUTLS_X509_FMT_DER); + if (ret < 0) { + fprintf(stderr, "unable to import privkey\n"); + return 1; + } + + if (verbose > 0) { + /* Public key algorithm + */ + fprintf (stdout, "Public Key Info:\n"); + ret = gnutls_x509_privkey_get_pk_algorithm (key); + + fprintf (stdout, "\tPublic Key Algorithm: "); + cprint = gnutls_pk_algorithm_get_name (ret); + fprintf (stdout, "%s\n", cprint ? cprint : "Unknown"); + + /* Print the raw public and private keys + */ + if (ret == GNUTLS_PK_RSA) { + gnutls_datum_t m, e, d, p, q, u, exp1={NULL,0}, exp2={NULL,0}; + +#if GNUTLS_VERSION_NUMBER >= 0x020b00 + ret = gnutls_x509_privkey_export_rsa_raw2 (key, &m, &e, &d, &p, &q, &u, &exp1, &exp2); +#else + ret = gnutls_x509_privkey_export_rsa_raw (key, &m, &e, &d, &p, &q, &u); +#endif + if (ret < 0) + fprintf (stderr, "Error in key RSA data export: %s\n", + gnutls_strerror (ret)); + else { + print_rsa_pkey (&m, &e, &d, &p, &q, &u, &exp1, &exp2); + gnutls_free (m.data); + gnutls_free (e.data); + gnutls_free (d.data); + gnutls_free (p.data); + gnutls_free (q.data); + gnutls_free (u.data); + gnutls_free (exp1.data); + gnutls_free (exp2.data); + } + } else if (ret == GNUTLS_PK_DSA) { + gnutls_datum_t p, q, g, y, x; + + ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x); + if (ret < 0) + fprintf (stderr, "Error in key DSA data export: %s\n", + gnutls_strerror (ret)); + else { + print_dsa_pkey (&x, &y, &p, &q, &g); + gnutls_free (x.data); + gnutls_free (y.data); + gnutls_free (p.data); + gnutls_free (q.data); + gnutls_free (g.data); + } + } + + fprintf (stdout, "\n"); + + size = sizeof (buffer); + if ((ret = gnutls_x509_privkey_get_key_id (key, 0, buffer, &size)) < 0) { + fprintf (stderr, "Error in key id calculation: %s\n", + gnutls_strerror (ret)); + } else { + fprintf (stdout, "Public Key ID: %s\n", raw_to_string (buffer, size)); + } + + size = sizeof (buffer); + ret = gnutls_x509_privkey_export (key, GNUTLS_X509_FMT_PEM, buffer, &size); + if (ret < 0) { + fprintf(stderr, "Error in privkey_export\n"); + return 1; + } + + fprintf (stdout, "\n%s\n", buffer); + } + + gnutls_x509_privkey_deinit (key); + + return 0; +} + + + +int pubkey_info(void* data, int data_size, int verbose) +{ +#if GNUTLS_VERSION_NUMBER >= 0x020b00 + gnutls_pubkey_t key; + size_t size; + int ret; + gnutls_datum_t der; + unsigned char buffer[5*1024]; + const char *cprint; + + ret = gnutls_pubkey_init (&key); + if (ret < 0) { + fprintf(stderr, "error in pubkey_init\n"); + return 1; + } + + der.data = data; + der.size = data_size; + + ret = gnutls_pubkey_import (key, &der, GNUTLS_X509_FMT_DER); + if (ret < 0) { + fprintf(stderr, "unable to import pubkey\n"); + return 1; + } + + if (verbose > 0) { + /* Public key algorithm + */ + fprintf (stdout, "Public Key Info:\n"); + ret = gnutls_pubkey_get_pk_algorithm (key, NULL); + + fprintf (stdout, "\tPublic Key Algorithm: "); + cprint = gnutls_pk_algorithm_get_name (ret); + fprintf (stdout, "%s\n", cprint ? cprint : "Unknown"); + + /* Print the raw public and private keys + */ + if (ret == GNUTLS_PK_RSA) { + gnutls_datum_t m, e; + + ret = gnutls_pubkey_get_pk_rsa_raw (key, &m, &e); + if (ret < 0) + fprintf (stderr, "Error in key RSA data export: %s\n", + gnutls_strerror (ret)); + else { + print_rsa_pkey (&m, &e, NULL, NULL, NULL, NULL, NULL, NULL); + gnutls_free (m.data); + gnutls_free (e.data); + } + } else if (ret == GNUTLS_PK_DSA) { + gnutls_datum_t p, q, g, y; + + ret = gnutls_pubkey_get_pk_dsa_raw (key, &p, &q, &g, &y); + if (ret < 0) + fprintf (stderr, "Error in key DSA data export: %s\n", + gnutls_strerror (ret)); + else { + print_dsa_pkey (NULL, &y, &p, &q, &g); + gnutls_free (y.data); + gnutls_free (p.data); + gnutls_free (q.data); + gnutls_free (g.data); + } + } + + fprintf (stdout, "\n"); + + size = sizeof (buffer); + if ((ret = gnutls_pubkey_get_key_id (key, 0, buffer, &size)) < 0) { + fprintf (stderr, "Error in key id calculation: %s\n", + gnutls_strerror (ret)); + } else { + fprintf (stdout, "Public Key ID: %s\n", raw_to_string (buffer, size)); + } + + size = sizeof (buffer); + ret = gnutls_pubkey_export (key, GNUTLS_X509_FMT_PEM, buffer, &size); + if (ret < 0) { + fprintf(stderr, "Error in privkey_export\n"); + return 1; + } + + fprintf (stdout, "\n%s\n", buffer); + } + + gnutls_pubkey_deinit (key); +#endif + return 0; +} + +/* Diffie Hellman */ +const char dh_params_txt[] = "-----BEGIN DH PARAMETERS-----\n"\ +"MIGHAoGBAKMox0/IjuGqSaGMJESYMhdmXiTe1pY8gkSzWZ/ktWaUdaYAzgAZp7r3\n"\ +"OCh68YslS9Oi7/UQjmBbgGuOucMKgq3tYeYzY8G2epIuIzM4TAogaEqwkdSrXlth\n"\ +"MMsP2FhLhHg8m6V6iItitnMOz9r8t3BEf04GRlfzgZraM0gUUwTjAgEF\n"\ +"-----END DH PARAMETERS-----\n"; + +static int test_ncr_dh(void) +{ +ncr_key_generate_params_t kgen; +ncr_key_t private1, public1, public2, private2; +ncr_key_t z1, z2; +int ret; +gnutls_datum g, p, params; +gnutls_dh_params_t dhp; +unsigned char y1[1024], y2[1024]; +size_t y1_size, y2_size; +ncr_key_params_t kderive; +ssize_t output_size; + + fprintf(stdout, "Tests on DH key exchange:"); + fflush(stdout); + + params.data = (void*)dh_params_txt; + params.size = sizeof(dh_params_txt)-1; + + ret = gnutls_dh_params_init(&dhp); + if (ret < 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + fprintf(stderr, "gnutls: %s\n", gnutls_strerror(ret)); + return 1; + } + + ret = gnutls_dh_params_import_pkcs3(dhp, ¶ms, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + fprintf(stderr, "gnutls: %s\n", gnutls_strerror(ret)); + return 1; + } + + ret = gnutls_dh_params_export_raw(dhp, &p, &g, NULL); + if (ret < 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + fprintf(stderr, "gnutls: %s\n", gnutls_strerror(ret)); + return 1; + } + + /* generate a DH key */ + DIAGNOSTIC_CALL(ncr_key_init, &private1); + DIAGNOSTIC_CALL(ncr_key_init, &public1); + + DIAGNOSTIC_CALL(ncr_key_generate_params_init, &kgen); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_algorithm, kgen, + NCR_ALG_DH); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_keyflags, kgen, + NCR_KEY_FLAG_EXPORTABLE); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_dh, kgen, p.data, p.size, + g.data, g.size); + + DIAGNOSTIC_CALL(ncr_key_generate_pair, private1, public1, kgen); + DIAGNOSTIC_CALL(ncr_key_generate_params_deinit, kgen); + + /* generate another DH key */ + DIAGNOSTIC_CALL(ncr_key_init, &private2); + DIAGNOSTIC_CALL(ncr_key_init, &public2); + + DIAGNOSTIC_CALL(ncr_key_generate_params_init, &kgen); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_algorithm, kgen, + NCR_ALG_DH); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_keyflags, kgen, + NCR_KEY_FLAG_EXPORTABLE); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_dh, kgen, p.data, p.size, + g.data, g.size); + + DIAGNOSTIC_CALL(ncr_key_generate_pair, private2, public2, kgen); + DIAGNOSTIC_CALL(ncr_key_generate_params_deinit, kgen); + + /* export y1=g^x1 */ + DIAGNOSTIC_CALL(ncr_key_export, public1, y1, sizeof(y1)); + y1_size = output_size; + + DIAGNOSTIC_CALL(ncr_key_deinit, public1); + + /* export y2=g^x2 */ + DIAGNOSTIC_CALL(ncr_key_export, public2, y2, sizeof(y2)); + y2_size = output_size; + + DIAGNOSTIC_CALL(ncr_key_deinit, public2); + + /* z1=y1^x2 */ + DIAGNOSTIC_CALL(ncr_key_init, &z1); + + DIAGNOSTIC_CALL(ncr_key_params_init, &kderive); + DIAGNOSTIC_CALL(ncr_key_params_set_dh_pub, kderive, y2, y2_size); + + DIAGNOSTIC_CALL(ncr_key_derive, z1, NCR_KEY_FLAG_EXPORTABLE, private1, + NCR_DERIVE_DH, kderive); + ncr_key_params_deinit(kderive); + DIAGNOSTIC_CALL(ncr_key_deinit, private1); + + /* z2=y2^x1 */ + DIAGNOSTIC_CALL(ncr_key_init, &z2); + + DIAGNOSTIC_CALL(ncr_key_params_init, &kderive); + DIAGNOSTIC_CALL(ncr_key_params_set_dh_pub, kderive, y1, y1_size); + + DIAGNOSTIC_CALL(ncr_key_derive, z2, NCR_KEY_FLAG_EXPORTABLE, private2, + NCR_DERIVE_DH, kderive); + ncr_key_params_deinit(kderive); + DIAGNOSTIC_CALL(ncr_key_deinit, private2); + + /* z1==z2 */ + DIAGNOSTIC_CALL(ncr_key_export, z1, y1, sizeof(y1)); + y1_size = output_size; + DIAGNOSTIC_CALL(ncr_key_deinit, z1); + + DIAGNOSTIC_CALL(ncr_key_export, z2, y2, sizeof(y2)); + y2_size = output_size; + DIAGNOSTIC_CALL(ncr_key_deinit, z2); + + if (y1_size == 0 || y1_size != y2_size || memcmp(y1, y2, y1_size) != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + DIAGNOSTIC_ERROR("Output in DH does not match (%d, %d)!\n", + (int)y1_size, (int)y2_size); + + fprintf(stderr, "Key1[%d]: ", (int) y1_size); + DIAGNOSTIC_DUMP(y1, y1_size); + + fprintf(stderr, "Key2[%d]: ", (int) y2_size); + DIAGNOSTIC_DUMP(y2, y2_size); + + return 1; + } + + + fprintf(stdout, " Success\n"); + + return 0; +} + +#define RSA_ENCRYPT_SIZE 32 + +static int rsa_key_encrypt(ncr_key_t privkey, ncr_key_t pubkey, int oaep) +{ + ncr_key_params_t params; + uint8_t data[DATA_SIZE]; + uint8_t vdata[RSA_ENCRYPT_SIZE]; + int enc_size; + ssize_t output_size; + + fprintf(stdout, "Tests on RSA (%s) key encryption:", (oaep!=0)?"OAEP":"PKCS V1.5"); + fflush(stdout); + + memset(data, 0x3, sizeof(data)); + memcpy(vdata, data, sizeof(vdata)); + + /* do encryption */ + DIAGNOSTIC_CALL(ncr_key_params_init, ¶ms); + if (oaep) { + DIAGNOSTIC_CALL(ncr_key_params_set_rsa_type, params, + RSA_PKCS1_OAEP); + DIAGNOSTIC_CALL(ncr_key_params_set_rsa_oaep_hash, params, + NCR_ALG_SHA1); + } else { + DIAGNOSTIC_CALL(ncr_key_params_set_rsa_type, params, + RSA_PKCS1_V1_5); + } + + DIAGNOSTIC_CALL(ncr_session_once_direct_data, pubkey, params, + NCR_OP_ENCRYPT, NCR_ALG_RSA, data, RSA_ENCRYPT_SIZE, + data, sizeof(data)); + enc_size = output_size; + + /* decrypt data */ + DIAGNOSTIC_CALL(ncr_session_once_direct_data, privkey, params, + NCR_OP_DECRYPT, NCR_ALG_RSA, data, enc_size, + data, sizeof(data)); + + if (memcmp(vdata, data, sizeof(vdata)) != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + fprintf(stderr, "Decrypted data do not match!\n"); + return 1; + } + + ncr_key_params_deinit(params); + fprintf(stdout, " Success\n"); + + return 0; + +} + +#define DATA_TO_SIGN 52 + +static int rsa_key_sign_verify(ncr_key_t privkey, ncr_key_t pubkey, int pss) +{ + ncr_key_params_t params; + uint8_t data[DATA_SIZE]; + uint8_t sig[DATA_SIZE]; + int sig_size; + ssize_t output_size; + + fprintf(stdout, "Tests on RSA (%s) key signature:", (pss!=0)?"PSS":"PKCS V1.5"); + fflush(stdout); + + memset(data, 0x3, sizeof(data)); + + /* sign datad */ + DIAGNOSTIC_CALL(ncr_key_params_init, ¶ms); + DIAGNOSTIC_CALL(ncr_key_params_set_rsa_type, params, + (pss != 0) ? RSA_PKCS1_PSS : RSA_PKCS1_V1_5); + DIAGNOSTIC_CALL(ncr_key_params_set_rsa_sign_hash, params, NCR_ALG_SHA1); + + DIAGNOSTIC_CALL(ncr_session_once_direct_data, privkey, params, + NCR_OP_SIGN, NCR_ALG_RSA, data, DATA_TO_SIGN, sig, + sizeof(sig)); + sig_size = output_size; + + /* verify signature */ + memset(data, 0x3, sizeof(data)); + + DIAGNOSTIC_CALL(ncr_session_once_direct_data, pubkey, params, + NCR_OP_VERIFY, NCR_ALG_RSA, data, DATA_TO_SIGN, sig, + sig_size); + + ncr_key_params_deinit(params); + + fprintf(stdout, " Success\n"); + + return 0; + +} + +static int dsa_key_sign_verify(ncr_key_t privkey, ncr_key_t pubkey) +{ + ncr_key_params_t params; + uint8_t data[DATA_SIZE]; + uint8_t sig[DATA_SIZE]; + int sig_size; + ssize_t output_size; + + fprintf(stdout, "Tests on DSA key signature:"); + fflush(stdout); + + memset(data, 0x3, sizeof(data)); + + /* sign datad */ + DIAGNOSTIC_CALL(ncr_key_params_init, ¶ms); + DIAGNOSTIC_CALL(ncr_key_params_set_dsa_sign_hash, params, NCR_ALG_SHA1); + + DIAGNOSTIC_CALL(ncr_session_once_direct_data, privkey, params, + NCR_OP_SIGN, NCR_ALG_DSA, data, DATA_TO_SIGN, sig, + sizeof(sig)); + sig_size = output_size; + + /* verify signature */ + DIAGNOSTIC_CALL(ncr_session_once_direct_data, pubkey, params, + NCR_OP_VERIFY, NCR_ALG_DSA, data, DATA_TO_SIGN, sig, + sig_size); + + ncr_key_params_deinit(params); + + fprintf(stdout, " Success\n"); + + return 0; +} + + +static int test_ncr_rsa(void) +{ + int ret; + ncr_key_generate_params_t kgen; + ncr_key_t pubkey, privkey; + uint8_t data[DATA_SIZE]; + ssize_t output_size; + + fprintf(stdout, "Tests on RSA key generation:"); + fflush(stdout); + + /* convert it to key */ + DIAGNOSTIC_CALL(ncr_key_init, &privkey); + + DIAGNOSTIC_CALL(ncr_key_init, &pubkey); + + DIAGNOSTIC_CALL(ncr_key_generate_params_init, &kgen); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_algorithm, kgen, + NCR_ALG_RSA); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_keyflags, kgen, + NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_rsa_bits, kgen, 1024); + + DIAGNOSTIC_CALL(ncr_key_generate_pair, privkey, pubkey, kgen); + DIAGNOSTIC_CALL(ncr_key_generate_params_deinit, kgen); + + /* export the private key */ + memset(data, 0, sizeof(data)); + DIAGNOSTIC_CALL(ncr_key_export, privkey, data, sizeof(data)); + + ret = privkey_info(data, output_size, 0); + if (ret != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + return 1; + } + + /* export the public key */ + + memset(data, 0, sizeof(data)); + DIAGNOSTIC_CALL(ncr_key_export, pubkey, data, sizeof(data)); + + ret = pubkey_info(data, output_size, 0); + if (ret != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + return 1; + } + + fprintf(stdout, " Success\n"); + + ret = rsa_key_sign_verify(privkey, pubkey, 1); + if (ret != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + return 1; + } + + ret = rsa_key_sign_verify(privkey, pubkey, 0); + if (ret != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + return 1; + } + + ret = rsa_key_encrypt(privkey, pubkey, 0); + if (ret != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + return 1; + } + + ret = rsa_key_encrypt(privkey, pubkey, 1); + if (ret != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + return 1; + } + + return 0; + +} + +static int test_ncr_dsa(void) +{ + int ret; + ncr_key_generate_params_t kgen; + ncr_key_t pubkey, privkey; + uint8_t data[DATA_SIZE]; + ssize_t output_size; + + fprintf(stdout, "Tests on DSA key generation:"); + fflush(stdout); + + /* convert it to key */ + DIAGNOSTIC_CALL(ncr_key_init, &privkey); + DIAGNOSTIC_CALL(ncr_key_init, &pubkey); + + DIAGNOSTIC_CALL(ncr_key_generate_params_init, &kgen); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_algorithm, kgen, + NCR_ALG_DSA); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_keyflags, kgen, + NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_dsa_q_bits, kgen, 160); + DIAGNOSTIC_CALL(ncr_key_generate_params_set_dsa_p_bits, kgen, 1024); + + DIAGNOSTIC_CALL(ncr_key_generate_pair, privkey, pubkey, kgen); + DIAGNOSTIC_CALL(ncr_key_generate_params_deinit, kgen); + + memset(data, 0, sizeof(data)); + DIAGNOSTIC_CALL(ncr_key_export, privkey, data, sizeof(data)); + + ret = privkey_info(data, output_size, 0); + if (ret != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + return 1; + } + + /* export the public key */ + + memset(data, 0, sizeof(data)); + DIAGNOSTIC_CALL(ncr_key_export, pubkey, data, sizeof(data)); + + ret = pubkey_info(data, output_size, 0); + if (ret != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + return 1; + } + + fprintf(stdout, " Success\n"); + + ret = dsa_key_sign_verify(privkey, pubkey); + if (ret != 0) { + fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); + return 1; + } + + return 0; + +} + + +int +main() +{ + gnutls_global_init(); + + /* actually test if the initial close + * will really delete all used lists */ + + ncr_global_init(0); + + if (test_ncr_dh()) + return 1; + + if (test_ncr_rsa()) + return 1; + + if (test_ncr_dsa()) + return 1; + + /* Close the original descriptor */ + ncr_global_deinit(); + + return 0; +} diff --git a/userspace/Makefile b/userspace/Makefile index fddefb3..a2757a4 100644 --- a/userspace/Makefile +++ b/userspace/Makefile @@ -1,12 +1,30 @@ CC = gcc +AM_CFLAGS = -I. -fPIC CFLAGS = -Wall -g -O2 progs := ncr-setkey -all: $(progs) +libobj = ncrypto_fd.o ncrypto_generate_params.o ncrypto_key.o ncrypto_masterkey.o ncrypto_params.o ncrypto_session.o + +all: $(progs) libcryptodev.so ncr-setkey: setkey.c - $(CC) $(CFLAGS) $< -o $@ + $(CC) $(AM_CFLAGS) $(CFLAGS) $< -o $@ + +libcryptodev.so: ${libobj} + $(CC) $(AM_CFLAGS) $(CFLAGS) -shared -o libcryptodev.so.0.0 \ + -Wl,-soname,libcryptodev.so.0 ${libobj} + ln -sf libcryptodev.so.0.0 libcryptodev.so.0 + ln -sf libcryptodev.so.0.0 libcryptodev.so + +$(libobj): linux/ncr.h ncrypto_internal.h + +linux/ncr.h: ../ncr.h + mkdir -p linux + cp $< linux/ncr.h clean: - rm -f *.o *~ ncr-setkey + rm -rf *.o *~ libcryptodev.so* ncr-setkey linux + +.c.o: + $(CC) $(AM_CFLAGS) $(CFLAGS) -c -o $@ $<
\ No newline at end of file diff --git a/userspace/ncrypto.h b/userspace/ncrypto.h index 546b6ba..5bcb4a7 100644 --- a/userspace/ncrypto.h +++ b/userspace/ncrypto.h @@ -1,141 +1,93 @@ -#include <crypto/ncr.h> - -int ncr_global_init(unsigned int flags); /* open device */ -void ncr_global_deinit(void); /* close device */ - - -/* parameters for key generation +/* + * Copyright (c) 2010 Katholieke Universiteit Leuven + * Copyright 2010 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO + * EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Author: Nikos Mavrogiannopoulos <nmav@gnutls.org> + * Red Hat author: Jan Chadima <jchadima@redhat.com> */ -int ncr_generate_params_init(ncr_generate_params_t*); /* userspace */ -void ncr_generate_params_deinit(ncr_generate_params_t); /* userspace */ - -/* common for ciphers and public key algorithms */ -void ncr_generate_params_set_algorithm(ncr_generate_params_t, ncr_algorithm_t); /* userspace */ - -/* public key algorithms */ -void ncr_generate_params_set_bits(ncr_generate_params_t, unsigned int bits); /* RSA+DSA */ -int ncr_generate_params_set_rsa_e(ncr_generate_params_t, void* e, unsigned int e_size); /* RSA */ - -/* parameters for encryption/decryption/derivation - */ -int ncr_params_init(ncr_params_t*); /* userspace */ -void ncr_params_deinit(ncr_params_t); /* userspace */ - -int ncr_params_set_cipher_iv(ncr_params_t, void* iv, unsigned int iv_size); /* userspace */ - -int ncr_params_set_dh_key(ncr_params_t, ncr_key_t dh_priv); /* DH */ - - -/* data flags are of NCR_DATA_FLAG_* type */ - -int ncr_data_init(ncr_data_t *, size_t max_object_size, unsigned int dataflags); /* ioctl DATA_INIT */ -size_t ncr_data_get_size(ncr_data_t); /* ioctl DATA_GET */ -int ncr_data_get_data(ncr_data_t, void* data_ptr, size_t *data_size); /* ioctl DATA_GET */ -int ncr_data_set_data(ncr_data_t, void* data_ptr, size_t data_size); /* ioctl DATA_SET */ -int ncr_data_append_data(ncr_data_t, void* data_ptr, size_t data_size); /* ioctl DATA_SET */ -void ncr_data_deinit(ncr_data_t); /* ioctl DATA_DEINIT */ - -/* key flags are NCR_KEY_FLAG_* */ - -int ncr_key_init(ncr_key_t* key); /* ioctl KEY_INIT */ -int ncr_key_generate(ncr_key_t key, ncr_algorithm_t algorithm, unsigned int bits, unsigned int keyflags); /* ioctl KEY_GENERATE */ -int ncr_key_generate_pair(ncr_key_t public_key, ncr_key_t private_key, ncr_generate_params_t params, unsigned int keyflags); /* ioctl KEY_GENERATE_PAIR */ -int ncr_key_derive(ncr_key_t newkey, ncr_params_t params, unsigned int keyflags, ncr_key_t data); /* ioctl KEY_DERIVE */ -unsigned int ncr_key_get_flags(ncr_key_t key); /* ioctl KEY_GET_INFO */ -ncr_key_type_t ncr_key_get_type(ncr_key_t key); /* ioctl KEY_GET_INFO */ -int ncr_key_export(ncr_key_t key, ncr_data_t obj); /* ioctl KEY_EXPORT */ -int ncr_key_import(ncr_key_t key, ncr_data_t obj); /* ioctl KEY_IMPORT */ -int ncr_key_get_id(ncr_key_t, void* id, size_t* id_size); /* KEY_GET_INFO */ -void ncr_key_deinit(ncr_key_t); /* ioctl KEY_DEINIT */ - -typedef enum { - NCR_RSA_MODULUS, - NCR_RSA_EXPONENT, - NCR_DSA_P, - NCR_DSA_Q, - NCR_DSA_Y, -} ncr_public_param_t; - -int ncr_key_get_public_param(ncr_key_t key, ncr_public_param_t, void* output, size_t* output_size); - -/* store keys */ -int ncr_storage_store(const char* label, mode_t mode, ncr_key_t key); /* ioctl STORE_STORE */ -int ncr_storage_mkstemp(char* template, mode_t mode, ncr_key_t key);/* ioctl STORE_MKSTEMP */ -ncr_key_t ncr_storage_load(const char* label); /* ioctl STORE_LOAD */ - -int ncr_storage_chmod(const char* label, mode_t newmode); /* ioctl STORE_CHMOD */ -int ncr_storage_chown(const char* label, uid_t owner, gid_t grp); /* ioctl STORE_CHOWN */ -int ncr_storage_remove(const char* label); /* ioctl STORE_REMOVE */ -typedef struct {} * ncr_metadata_t; - -int ncr_metadata_init(ncr_metadata_t* metadata); /* userspace */ -void ncr_metadata_deinit(ncr_metadata_t metadata);/* userspace */ - -/* read info from metadata */ -const char* ncr_metadata_get_label(ncr_metadata_t); /* userspace */ -ncr_key_type_t ncr_metadata_get_type(ncr_metadata_t); /* userspace */ - -/* id of the key. For public/private key pairs it should be the same */ -int ncr_metadata_get_id(ncr_metadata_t, void* id, size_t* id_size); /* userspace */ -/* this has meaning only if type is public or private key */ -ncr_algorithm_t ncr_metadata_get_algorithm(ncr_metadata_t); /* userspace */ - -uid_t ncr_metadata_get_uid(ncr_metadata_t); /* userspace */ -gid_t ncr_metadata_get_gid(ncr_metadata_t); /* userspace */ -mode_t ncr_metadata_get_mode(ncr_metadata_t); /*userspace */ - -/* load metadata for particular file */ -int ncr_metadata_load(const char* label, ncr_metadata_t metadata); /* ioctl STORE_METADATA_GET_INFO */ - -/* traverse all storage entries */ -int ncr_storage_traverse_init(ncr_traverse_t* tr); /* ioctl STORE_METADATA_TRAVERSE_INIT */ -int ncr_storage_traverse_next(ncr_traverse_t, ncr_metadata_t metadata); /* ioctl STORE_METADATA_TRAVERSE_NEXT */ -void ncr_storage_traverse_deinit(ncr_traverse_t); /* ioctl STORE_METADATA_TRAVERSE_DEINIT */ - -/* wrap unwrap */ -int ncr_key_wrap(ncr_key_t wrapping_key, ncr_params_t params, ncr_key_t key, void* output_data, size_t output_data_size); /* ioctl KEY_WRAP */ -int ncr_key_unwrap(ncr_key_t*key, ncr_key_t wrapping_key, ncr_params_t params, unsigned int keyflags, void* input_data, size_t input_data_size); /* ioctl KEY_UNWRAP */ - -/* operations to objects result in objects that have the same properties as the original - * object. I.e. encrypting a secret key under an object will not allow you to export it. - */ - -int ncr_session_copy(ncr_session_t* copy, ncr_session_t source); /* ioctl SESSION_COPY */ - -/* encryption functions */ -int ncr_encrypt_init(ncr_session_t* session, ncr_key_t key, ncr_params_t params); /* ioctl SESSION_INIT */ -int ncr_encrypt_once(ncr_key_t key, ncr_params_t params, const ncr_data_t plaintext, ncr_data_t ciphertext); /*userspace */ -int ncr_encrypt_update(ncr_session_t session, const ncr_data_t plaintext, ncr_data_t ciphertext); /* ioctl SESSION_UPDATE */ -int ncr_encrypt_final(ncr_session_t session, ncr_data_t obj); /* ioctl SESSION_FINAL */ - -/* decryption functions */ -int ncr_decrypt_init(ncr_session_t* session, ncr_key_t key, ncr_params_t params); -int ncr_decrypt_once(ncr_key_t key, ncr_params_t params, const ncr_data_t ciphertext, ncr_data_t plaintext); -int ncr_decrypt_update(ncr_session_t session, const ncr_data_t ciphertext, ncr_data_t plaintext); -int ncr_decrypt_final(ncr_session_t session, ncr_data_t obj); - -/* PK hash functions */ -int ncr_digest_init(ncr_session_t* session, ncr_params_t params); -int ncr_digest_once(ncr_key_t key, ncr_params_t params, const ncr_data_t plaintext, ncr_data_t hash); -int ncr_digest_update(ncr_session_t session, const ncr_data_t plaintext); -int ncr_digest_final(ncr_session_t session, ncr_data_t hash); - -/* PK SIGN and MAC functions */ -int ncr_sign_init(ncr_session_t* session, ncr_key_t key, ncr_params_t params); -int ncr_sign_once(ncr_key_t key, ncr_params_t params, const ncr_data_t plaintext, ncr_data_t signature); -int ncr_sign_update(ncr_session_t session, const ncr_data_t plaintext); -int ncr_sign_final(ncr_session_t session, ncr_data_t signature); - -/* Verify PK signature or MAC signature */ -int ncr_verify_init(ncr_session_t* session, ncr_key_t key, ncr_params_t params); -int ncr_verify_once(ncr_key_t key, ncr_params_t params, const ncr_data_t plaintext, const ncr_data_t signature); -int ncr_verify_update(ncr_session_t session, const ncr_data_t plaintext); -int ncr_verify_final(ncr_session_t session, const ncr_data_t signature); - -/* Everything looks straight forward except for authentication - * algorithms such as Diffie Hellman. This should be done as in PKCS #11 - * as: - * ncr_key_generate_pair(our_pubkey, our_privkey) - * ncr_key_derive(shared_key, params -contain our privkey-, flags_for_new_key, peer_pubkey); - */ +#ifndef __NCRYPT_H__ +#define __NCRYPT_H__ + +#include <linux/ncr.h> + +#define NCR_DATA_GET_LAST 1 +//#define NCR_DATA_SET_APPEND 1 +#define NCR_SESSION_FINAL 1 + +//struct ncr_key_generate_params_st; +typedef struct ncr_key_generate_params_st *ncr_key_generate_params_t; +//struct ncr_key_params_st; +typedef struct ncr_key_params_st *ncr_key_params_t; + +int ncr_global_init(unsigned int flags); +void ncr_global_deinit(void); + +int ncr_key_generate_params_init(ncr_key_generate_params_t *params); +int ncr_key_generate_params_deinit(ncr_key_generate_params_t params); +int ncr_key_generate_params_set_algorithm(ncr_key_generate_params_t params, ncr_algorithm_t algorithm); +int ncr_key_generate_params_set_keyflags(ncr_key_generate_params_t params, unsigned int keyflags); +int ncr_key_generate_params_set_secret_bits(ncr_key_generate_params_t params, unsigned int bits); +int ncr_key_generate_params_set_rsa_bits(ncr_key_generate_params_t params, unsigned int bits); +int ncr_key_generate_params_set_rsa_e(ncr_key_generate_params_t params, void *e, size_t e_size); +int ncr_key_generate_params_set_dsa_p_bits(ncr_key_generate_params_t params, unsigned int p_bits); +int ncr_key_generate_params_set_dsa_q_bits(ncr_key_generate_params_t params, unsigned int q_bits); +int ncr_key_generate_params_set_dh(ncr_key_generate_params_t params, void *p, size_t p_size, void *g, size_t g_size); + +int ncr_key_init(ncr_key_t *key); +int ncr_key_generate(ncr_key_t key, ncr_key_generate_params_t params); +int ncr_key_generate_pair(ncr_key_t key1, ncr_key_t key2, ncr_key_generate_params_t params); +int ncr_key_derive(ncr_key_t newkey, unsigned int keyflags, ncr_key_t key, ncr_derive_t derive, ncr_key_params_t key_params); +ncr_algorithm_t ncr_key_get_algorithm(ncr_key_t key); +int ncr_key_get_flags(ncr_key_t key); +ncr_key_type_t ncr_key_get_type(ncr_key_t key); +int ncr_key_get_id(ncr_key_t key, void *id, size_t *id_size); +int ncr_key_export(ncr_key_t key, void *idata, size_t idata_size); +int ncr_key_import(ncr_key_t key, void *idata, size_t idata_size, void *id, size_t id_size, ncr_algorithm_t algorithm, unsigned int type, unsigned int flags); +int ncr_key_wrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size); +int ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size); +int ncr_key_storage_wrap(ncr_key_t keytowrap, void *idata, size_t idata_size); +int ncr_key_storage_unwrap(ncr_key_t keytowrap, void *idata, size_t idata_size); +int ncr_key_deinit(ncr_key_t key); + +int ncr_masterkey_set(void *key, size_t key_size); + +int ncr_key_params_init(ncr_key_params_t *key_params); +void ncr_key_params_deinit(ncr_key_params_t key_params); +int ncr_key_params_set_cipher_iv(ncr_key_params_t key_params, void* iv, unsigned int iv_size); +int ncr_key_params_set_dh_pub(ncr_key_params_t params, void *pub, size_t pub_size); +int ncr_key_params_set_rsa_type(ncr_key_params_t params, ncr_rsa_type_t type); +int ncr_key_params_set_rsa_oaep_hash(ncr_key_params_t params, ncr_algorithm_t oaep_hash); +int ncr_key_params_set_rsa_sign_hash(ncr_key_params_t params, ncr_algorithm_t sign_hash); +int ncr_key_params_set_rsa_pss_salt(ncr_key_params_t params, unsigned int pss_salt); +int ncr_key_params_set_dsa_sign_hash(ncr_key_params_t params, ncr_algorithm_t sign_hash); + +int ncr_session_once_key_data(ncr_key_t key, ncr_key_params_t params, ncr_crypto_op_t op, ncr_algorithm_t algorithm, ncr_key_t input, void *output, size_t output_size); +int ncr_session_once_direct_data(ncr_key_t key, ncr_key_params_t params, ncr_crypto_op_t op, ncr_algorithm_t algorithm, void *input, size_t input_size, void *output, size_t output_size); +int ncr_session_init(ncr_session_t *session, ncr_key_t key, ncr_key_params_t key_params, ncr_crypto_op_t op, ncr_algorithm_t algorithm); +int ncr_session_update_key_data(ncr_session_t session, ncr_key_t input, void *output, size_t output_size); +int ncr_session_update_direct_data(ncr_session_t session, void *input, size_t input_size, void *output, size_t output_size); +int ncr_session_final(ncr_session_t session, void *output, size_t output_size); + +#endif diff --git a/userspace/ncrypto_fd.c b/userspace/ncrypto_fd.c new file mode 100644 index 0000000..7a9aa5f --- /dev/null +++ b/userspace/ncrypto_fd.c @@ -0,0 +1,72 @@ +/* + * Copyright 2010 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL RED HAT, INC. OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Red Hat author: Jan Chadima <jchadima@redhat.com> + */ + +#include <sys/types.h> +#include <fcntl.h> +#include <pthread.h> +#include <unistd.h> +#include <linux/ncr.h> +#include "ncrypto.h" +#include "ncrypto_internal.h" + +int __ncr_file_descriptor = -1; +static int open_count = 0; +static pthread_mutex_t open_lock = PTHREAD_MUTEX_INITIALIZER; + +int +__ncr_global_init() +{ + int rv = 0; + + /* Open the crypto device unles is not already initialized */ + pthread_mutex_lock(&open_lock); + if ((__ncr_file_descriptor < 0) && ((__ncr_file_descriptor = open("/dev/crypto", O_RDWR|O_CLOEXEC)) < 0)) + rv = -1; + else + ++open_count; + pthread_mutex_unlock(&open_lock); + return rv; +} + +int +ncr_global_init(unsigned int flags) +{ + return __ncr_global_init(); +} + +void +ncr_global_deinit(void) +{ + pthread_mutex_lock(&open_lock); + if (!--open_count && (__ncr_file_descriptor >= 0)) { + close(__ncr_file_descriptor); + __ncr_file_descriptor = -1; + } + pthread_mutex_unlock(&open_lock); +} + diff --git a/userspace/ncrypto_generate_params.c b/userspace/ncrypto_generate_params.c new file mode 100644 index 0000000..a993360 --- /dev/null +++ b/userspace/ncrypto_generate_params.c @@ -0,0 +1,182 @@ +/* + * Copyright 2010 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL RED HAT, INC. OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Red Hat authors: Jan Chadima <jchadima@redhat.com> + * Miloslav Trmač <mitr@redhat.com + */ + +#include <limits.h> +#include <stdint.h> +#include <sys/types.h> +#include <stdlib.h> +#include <errno.h> +#include <linux/ncr.h> +#include "ncrypto.h" + +int +ncr_key_generate_params_init(ncr_key_generate_params_t *params) +{ + ncr_key_generate_params_t rv; + + if (!params) { + errno = EINVAL; + return -1; + } + + if (!(rv = calloc(1, sizeof(*rv)))) { + errno = ENOMEM; + return -1; + } + + rv->algorithm = NCR_ALG_NONE; + *params = rv; + + return 0; +} + +int +ncr_key_generate_params_deinit(ncr_key_generate_params_t params) +{ + if (params) + free(params); + + return 0; +} + +int +ncr_key_generate_params_set_algorithm(ncr_key_generate_params_t params, ncr_algorithm_t algorithm) +{ + if (!params) { + errno = EINVAL; + return -1; + } + + params->algorithm = algorithm; + + return 0; +} + +int +ncr_key_generate_params_set_keyflags(ncr_key_generate_params_t params, unsigned int keyflags) +{ + if (!params) { + errno = EINVAL; + return -1; + } + + params->keyflags = keyflags; + + return 0; +} + +int +ncr_key_generate_params_set_secret_bits(ncr_key_generate_params_t params, unsigned int bits) +{ + if (!params) { + errno = EINVAL; + return -1; + } + params->params.secret.bits = bits; + + return 0; +} + +int +ncr_key_generate_params_set_rsa_bits(ncr_key_generate_params_t params, unsigned int bits) +{ + if (!params) { + errno = EINVAL; + return -1; + } + params->params.rsa.bits = bits; + + return 0; +} + +int +ncr_key_generate_params_set_rsa_e(ncr_key_generate_params_t params, void *e, size_t e_size) +{ + unsigned long value; + const uint8_t *p; + + if (!params || !e) { + errno = EINVAL; + return -1; + } + value = 0; + for (p = e; p < (const uint8_t *)e + e_size; p++) { + if (value > (ULONG_MAX - *p) / 256) { + errno = EOVERFLOW; + return -1; + } + value = value * 256 + *p; + } + + params->params.rsa.e = value; + return 0; +} + +int +ncr_key_generate_params_set_dsa_p_bits(ncr_key_generate_params_t params, + unsigned int p_bits) +{ + if (!params) { + errno = EINVAL; + return -1; + } + params->params.dsa.p_bits = p_bits; + + return 0; +} + +int +ncr_key_generate_params_set_dsa_q_bits(ncr_key_generate_params_t params, + unsigned int q_bits) +{ + if (!params) { + errno = EINVAL; + return -1; + } + params->params.dsa.q_bits = q_bits; + + return 0; +} + +int +ncr_key_generate_params_set_dh(ncr_key_generate_params_t params, void *p, size_t p_size, void *g, size_t g_size) +{ + if (!params) { + errno = EINVAL; + return -1; + } + + params->params.dh.p = p; + params->params.dh.p_size = p_size; + params->params.dh.g = g; + params->params.dh.g_size = g_size; + + return 0; +} + diff --git a/userspace/ncrypto_internal.h b/userspace/ncrypto_internal.h new file mode 100644 index 0000000..1a60631 --- /dev/null +++ b/userspace/ncrypto_internal.h @@ -0,0 +1,36 @@ +/* + * Copyright 2010 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL RED HAT, INC. OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Red Hat author: Miloslav Trmač <mitr@redhat.com> + */ + +#ifndef NCRYPTO_INTERNAL_H__ +#define NCRYPTO_INTERNAL_H__ + +extern int __ncr_file_descriptor __attribute__((visibility ("hidden"))); + +extern int __ncr_global_init(void) __attribute__((visibility ("hidden"))); + +#endif diff --git a/userspace/ncrypto_key.c b/userspace/ncrypto_key.c new file mode 100644 index 0000000..66bbc96 --- /dev/null +++ b/userspace/ncrypto_key.c @@ -0,0 +1,390 @@ +/* + * Copyright 2010 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL RED HAT, INC. OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Red Hat author: Jan Chadima <jchadima@redhat.com> + */ + +#include <sys/types.h> +#include <sys/ioctl.h> +#include <string.h> +#include <errno.h> +#include <linux/ncr.h> +#include "ncrypto.h" +#include "ncrypto_internal.h" + +int +ncr_key_init(ncr_key_t *key) +{ + if ((__ncr_file_descriptor < 0) && (__ncr_global_init() < 0)) + return -1; + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_INIT, key) < 0) + return -1; + + return 0; +} + +int +ncr_key_generate(ncr_key_t key, ncr_key_generate_params_t params) +{ + struct ncr_key_generate_st io; + memset(&io, 0, sizeof(io)); + + if (key == NCR_KEY_INVALID) { + errno = EINVAL; + return -1; + } + + io.desc = key; + if (params) + memmove(&io.params, params, sizeof(io.params)); + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_GENERATE, &io) < 0) + return -1; + + return 0; +} + +int +ncr_key_generate_pair(ncr_key_t key1, ncr_key_t key2, ncr_key_generate_params_t params) +{ + struct ncr_key_generate_st io; + memset(&io, 0, sizeof(io)); + + if (key1 == NCR_KEY_INVALID|| key2 == NCR_KEY_INVALID) { + errno = EINVAL; + return -1; + } + + io.desc = key1; + io.desc2 = key2; + if (params) + memmove(&io.params, params, sizeof(io.params)); + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_GENERATE_PAIR, &io) < 0) + return -1; + + return 0; +} + +int +ncr_key_derive(ncr_key_t newkey, unsigned int keyflags, ncr_key_t key, ncr_derive_t derive, ncr_key_params_t params) +{ + struct ncr_key_derivation_params_st io; + memset(&io, 0, sizeof(io)); + + if (newkey == NCR_KEY_INVALID || key == NCR_KEY_INVALID) { + errno = EINVAL; + return -1; + } + + io.derive = derive; + io.newkey = newkey; + io.key = key; + io.keyflags = keyflags; + if (params) + memmove(&io.params, params, sizeof(io.params)); + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_DERIVE, &io) < 0) + return -1; + + return 0; +} + +static int +ncr_key_get_info(struct ncr_key_info_st *dest, ncr_key_t key) +{ + if (key == NCR_KEY_INVALID) { + errno = EINVAL; + return -1; + } + + memset(dest, 0, sizeof(*dest)); + dest->key = key; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_GET_INFO, dest) < 0) + return -1; + + return 0; +} + +ncr_algorithm_t +ncr_key_get_algorithm(ncr_key_t key) +{ + struct ncr_key_info_st io; + + if (ncr_key_get_info(&io, key) < 0) + return -1; + return io.algorithm; +} + +int +ncr_key_get_flags(ncr_key_t key) +{ + struct ncr_key_info_st io; + + if (ncr_key_get_info(&io, key) < 0) + return -1; + return io.flags; +} + +ncr_key_type_t +ncr_key_get_type(ncr_key_t key) +{ + struct ncr_key_info_st io; + + if (ncr_key_get_info(&io, key) < 0) + return -1; + return io.type; +} + +int +ncr_key_get_id(ncr_key_t key, void *id, size_t *id_size) +{ + struct ncr_key_info_st io; + + if (ncr_key_get_info(&io, key) < 0) + return -1; + + if (io.key_id_size < *id_size) + *id_size = io.key_id_size; + + memmove(id, &io.key_id, *id_size); + + return 0; +} + +int +ncr_key_export(ncr_key_t key, void *idata, size_t idata_size) +{ + struct ncr_key_data_st io; + memset(&io, 0, sizeof(io)); + + if (key == NCR_KEY_INVALID || !idata || !idata_size) { + errno = EINVAL; + return -1; + } + + io.key = key; + io.idata = idata; + io.idata_size = idata_size; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_EXPORT, &io) < 0) + return -1; + + return io.idata_size; +} + +int +ncr_key_import(ncr_key_t key, void *idata, size_t idata_size, void *id, size_t id_size, ncr_algorithm_t algorithm, unsigned int type, unsigned int flags) +{ + struct ncr_key_data_st io; + memset(&io, 0, sizeof(io)); + + if (key == NCR_KEY_INVALID || !idata || !idata_size || (!id && id_size != 0) || algorithm == NCR_ALG_NONE) { + errno = EINVAL; + return -1; + } + + io.key = key; + io.idata = idata; + io.idata_size = idata_size; + if (id_size > MAX_KEY_ID_SIZE) { + errno = EOVERFLOW; + return -1; + } + memmove(&io.key_id, id, id_size); + io.key_id_size = id_size; + io.algorithm = algorithm; + io.type = type; + io.flags = flags; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_IMPORT, &io) < 0) + return -1; + + return 0; +} + +int +ncr_key_wrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size) +{ + struct ncr_key_wrap_st io; + memset(&io, 0, sizeof(io)); + + if (key == NCR_KEY_INVALID || keytowrap == NCR_KEY_INVALID || !idata || !idata_size) { + errno = EINVAL; + return -1; + } + + io.key = key; + io.algorithm = algorithm; + if (params) + memmove(&io.params, params, sizeof(io.params)); + io.keytowrap = keytowrap; + io.io = idata; + io.io_size = idata_size; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_WRAP, &io) < 0) + return -1; + + return io.io_size; +} + +int +ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size) +{ + struct ncr_key_wrap_st io; + memset(&io, 0, sizeof(io)); + + if (key == NCR_KEY_INVALID || keytowrap == NCR_KEY_INVALID || !idata || !idata_size) { + errno = EINVAL; + return -1; + } + + io.key = key; + io.algorithm = algorithm; + if (params) + memmove(&io.params, params, sizeof(io.params)); + io.keytowrap = keytowrap; + io.io = idata; + io.io_size = idata_size; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_UNWRAP, &io) < 0) + return -1; + + return 0; +} + +int +ncr_key_storage_wrap(ncr_key_t keytowrap, void *idata, size_t idata_size) +{ + struct ncr_key_storage_wrap_st io; + memset(&io, 0, sizeof(io)); + + if (keytowrap == NCR_KEY_INVALID || !idata || !idata_size) { + errno = EINVAL; + return -1; + } + + io.keytowrap = keytowrap; + io.io = idata; + io.io_size = idata_size; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_STORAGE_WRAP, &io) < 0) + return -1; + + return io.io_size; +} + +int +ncr_key_storage_unwrap(ncr_key_t keytowrap, void *idata, size_t idata_size) +{ + struct ncr_key_storage_wrap_st io; + memset(&io, 0, sizeof(io)); + + if (keytowrap == NCR_KEY_INVALID|| !idata || !idata_size) { + errno = EINVAL; + return -1; + } + + io.keytowrap = keytowrap; + io.io = idata; + io.io_size = idata_size; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_STORAGE_UNWRAP, &io) < 0) + return -1; + + return 0; +} + +int +ncr_key_deinit(ncr_key_t key) +{ + if (key == NCR_KEY_INVALID) { + errno = EINVAL; + return -1; + } + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_KEY_DEINIT, &key) < 0) + return -1; + + return 0; +} + diff --git a/userspace/ncrypto_masterkey.c b/userspace/ncrypto_masterkey.c new file mode 100644 index 0000000..72aab75 --- /dev/null +++ b/userspace/ncrypto_masterkey.c @@ -0,0 +1,61 @@ +/* + * Copyright 2010 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL RED HAT, INC. OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Red Hat author: Jan Chadima <jchadima@redhat.com> + */ + +#include <sys/types.h> +#include <sys/ioctl.h> +#include <string.h> +#include <errno.h> +#include <linux/ncr.h> +#include "ncrypto.h" +#include "ncrypto_internal.h" + +int +ncr_masterkey_set(void *key, size_t key_size) +{ + struct ncr_master_key_st io; + memset(&io, 0, sizeof(io)); + + if (!key || !key_size) { + errno = EINVAL; + return -1; + } + + io.key = key = key; + io.key_size = key_size; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_MASTER_KEY_SET, &io) < 0) + return -1; + + return 0; +} + diff --git a/userspace/ncrypto_params.c b/userspace/ncrypto_params.c new file mode 100644 index 0000000..7a4936d --- /dev/null +++ b/userspace/ncrypto_params.c @@ -0,0 +1,146 @@ +/* + * Copyright 2010 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL RED HAT, INC. OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Red Hat authors: Jan Chadima <jchadima@redhat.com> + * Miloslav Trmač <mitr@redhat.com + */ + +#include <sys/types.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <linux/ncr.h> +#include "ncrypto.h" + +int +ncr_key_params_init(ncr_key_params_t *params) +{ + ncr_key_params_t rv; + + if (!params) { + errno = EINVAL; + return -1; + } + if (!(rv = calloc(1, sizeof(*rv)))) { + errno = ENOMEM; + return -1; + } + *params = rv; + return 0; +} + +void +ncr_key_params_deinit(ncr_key_params_t params) +{ + if (params) + free(params); +} + +int +ncr_key_params_set_cipher_iv(ncr_key_params_t params, void* iv, unsigned int iv_size) +{ + if (!params) { + errno = EINVAL; + return -1; + } + if (iv_size > NCR_CIPHER_MAX_BLOCK_LEN) { + errno = EOVERFLOW; + return -1; + } + memmove(params->params.cipher.iv, iv, iv_size); + params->params.cipher.iv_size = iv_size; + return 0; +} + +int +ncr_key_params_set_dh_pub(ncr_key_params_t params, void *pub, size_t pub_size) +{ + if (!params || !pub || !pub_size) { + errno = EINVAL; + return -1; + } + params->params.dh.pub = pub; + params->params.dh.pub_size = pub_size; + return 0; +} + +int +ncr_key_params_set_rsa_type(ncr_key_params_t params, ncr_rsa_type_t type) +{ + if (!params) { + errno = EINVAL; + return -1; + } + params->params.rsa.type = type; + return 0; +} + +int +ncr_key_params_set_rsa_oaep_hash(ncr_key_params_t params, + ncr_algorithm_t oaep_hash) +{ + if (!params) { + errno = EINVAL; + return -1; + } + params->params.rsa.oaep_hash = oaep_hash; + return 0; +} + +int +ncr_key_params_set_rsa_sign_hash(ncr_key_params_t params, + ncr_algorithm_t sign_hash) +{ + if (!params) { + errno = EINVAL; + return -1; + } + params->params.rsa.sign_hash = sign_hash; + return 0; +} + +int +ncr_key_params_set_rsa_pss_salt(ncr_key_params_t params, unsigned int pss_salt) +{ + if (!params) { + errno = EINVAL; + return -1; + } + params->params.rsa.pss_salt = pss_salt; + return 0; +} + +int +ncr_key_params_set_dsa_sign_hash(ncr_key_params_t params, + ncr_algorithm_t sign_hash) +{ + if (!params) { + errno = EINVAL; + return -1; + } + params->params.dsa.sign_hash = sign_hash; + return 0; +} + diff --git a/userspace/ncrypto_session.c b/userspace/ncrypto_session.c new file mode 100644 index 0000000..a81fb8c --- /dev/null +++ b/userspace/ncrypto_session.c @@ -0,0 +1,245 @@ +/* + * Copyright 2010 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL RED HAT, INC. OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Red Hat author: Jan Chadima <jchadima@redhat.com> + */ + +#include <sys/types.h> +#include <sys/ioctl.h> +#include <string.h> +#include <errno.h> +#include <linux/ncr.h> +#include "ncrypto.h" +#include "ncrypto_internal.h" + +int +ncr_session_once_key_data(ncr_key_t key, ncr_key_params_t params, ncr_crypto_op_t op, ncr_algorithm_t algorithm, ncr_key_t input, void *output, size_t output_size) +{ + struct ncr_session_once_op_st io; + memset(&io, 0, sizeof(io)); + + if (input == NCR_KEY_INVALID || !output || !output_size) { + errno = EINVAL; + return -1; + } + + io.init.algorithm = algorithm; + io.init.key = key; + if (params) + memmove(&io.init.params, params, sizeof(io.init.params)); + io.init.op = op; + io.op.data.kdata.input = input; + io.op.data.kdata.output = output; + io.op.data.kdata.output_size = output_size; + io.op.type = NCR_KEY_DATA; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_SESSION_ONCE, &io) < 0) + return -1; + + switch (io.op.err) { + case NCR_VERIFICATION_FAILED: + errno = EDOM; + return -1; + case NCR_SUCCESS: + errno = 0; + return io.op.data.kdata.output_size; + default: + errno = EFAULT; + return -1; + } +} + +int +ncr_session_once_direct_data(ncr_key_t key, ncr_key_params_t params, ncr_crypto_op_t op, ncr_algorithm_t algorithm, void *input, size_t input_size, void *output, size_t output_size) +{ + struct ncr_session_once_op_st io; + memset(&io, 0, sizeof(io)); + + if (!input || !input_size || !output || !output_size) { + errno = EINVAL; + return -1; + } + + io.init.key = key; + if (params) + memmove(&io.init.params, params, sizeof(io.init.params)); + io.init.algorithm = algorithm; + io.init.op = op; + io.op.data.udata.input = input; + io.op.data.udata.input_size = input_size; + io.op.data.udata.output = output; + io.op.data.udata.output_size = output_size; + io.op.type = NCR_DIRECT_DATA; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_SESSION_ONCE, &io) < 0) + return -1; + + switch (io.op.err) { + case NCR_VERIFICATION_FAILED: + errno = EDOM; + return -1; + case NCR_SUCCESS: + errno = 0; + return io.op.data.udata.output_size; + default: + errno = EFAULT; + return -1; + } +} + +int +ncr_session_init(ncr_session_t *session, ncr_key_t key, ncr_key_params_t params, ncr_crypto_op_t op, ncr_algorithm_t algorithm) +{ + struct ncr_session_st io; + memset(&io, 0, sizeof(io)); + + if (!session) { + errno = EINVAL; + return -1; + } + + io.algorithm = algorithm; + io.key = key; + if (params) + memmove(&io.params, params, sizeof(io.params)); + io.op = op; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_SESSION_INIT, &io) < 0) + return -1; + + *session = io.ses; + + return 0; +} + +int +ncr_session_update_key_data(ncr_session_t session, ncr_key_t input, void *output, size_t output_size) +{ + struct ncr_session_op_st io; + memset(&io, 0, sizeof(io)); + + if (session == NCR_SESSION_INVALID || input == NCR_KEY_INVALID) { + errno = EINVAL; + return -1; + } + + io.ses = session; + io.data.kdata.input = input; + io.data.kdata.output = output; + io.data.kdata.output_size = output_size; + io.type = NCR_KEY_DATA; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_SESSION_UPDATE, &io) < 0) + return -1; + + return io.data.kdata.output_size; +} + +int +ncr_session_update_direct_data(ncr_session_t session, void *input, size_t input_size, void *output, size_t output_size) +{ + struct ncr_session_op_st io; + memset(&io, 0, sizeof(io)); + + if (session == NCR_SESSION_INVALID || !input || !input_size) { + errno = EINVAL; + return -1; + } + + io.ses = session; + io.data.udata.input = input; + io.data.udata.input_size = input_size; + io.data.udata.output = output; + io.data.udata.output_size = output_size; + io.type = NCR_DIRECT_DATA; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_SESSION_UPDATE, &io) < 0) + return -1; + + return io.data.udata.output_size; +} + +int +ncr_session_final(ncr_session_t session, void *output, size_t output_size) +{ + struct ncr_session_op_st io; + memset(&io, 0, sizeof(io)); + + if (session == NCR_SESSION_INVALID) { + errno = EINVAL; + return -1; + } + + io.ses = session; + io.data.udata.output = output; + io.data.udata.output_size = output_size; + io.type = NCR_DIRECT_DATA; + + if (__ncr_file_descriptor < 0) { + errno = EBADF; + return -1; + } + + if (ioctl(__ncr_file_descriptor, NCRIO_SESSION_FINAL, &io) < 0) + return -1; + + switch (io.err) { + case NCR_VERIFICATION_FAILED: + errno = EDOM; + return -1; + case NCR_SUCCESS: + errno = 0; + return io.data.udata.output_size; + default: + errno = EFAULT; + return -1; + } +} + |