From c111dd151b4a4e2b8bd33634e26412e06a472d6b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 6 Sep 2010 13:37:15 +0200 Subject: Added config flag CONFIG_ASSYMETRIC, that will disable all assymetric algorithm support when building the module. As a side-effect (due to DER requirements) key wrapping is disabled as well. --- Makefile | 22 +++++++++++++--------- ncr-key-storage.c | 7 ++++++- ncr-key-wrap.c | 10 ++++++++++ ncr-key.c | 23 ++++++++++++++++++++--- ncr-pk.c | 4 ++++ ncr-sessions.c | 32 ++++++++++++++++++++++++++++++-- 6 files changed, 83 insertions(+), 15 deletions(-) diff --git a/Makefile b/Makefile index 73e9ebb..6821cd2 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,7 @@ KERNEL_DIR = /lib/modules/$(shell uname -r)/build VERSION = 0.99 +CONFIG_ASYMMETRIC=y +EXTRA_CFLAGS += -DCONFIG_ASSYMETRIC EXTRA_CFLAGS += -I$(SUBDIRS)/libtommath -I$(SUBDIRS)/libtomcrypt/headers -I$(SUBDIRS)/ -DLTC_SOURCE -Wall @@ -30,11 +32,6 @@ TOMMATH_OBJECTS = libtommath/bncore.o libtommath/bn_mp_init.o libtommath/bn_mp_c libtommath/bn_mp_to_signed_bin_n.o libtommath/bn_mp_to_unsigned_bin_n.o TOMCRYPT_OBJECTS = libtomcrypt/misc/zeromem.o libtomcrypt/misc/crypt/crypt_argchk.o \ - libtomcrypt/math/rand_prime.o libtomcrypt/hashes/hash_get_oid.o \ - libtomcrypt/hashes/crypt_hash_is_valid.o libtomcrypt/hashes/hash_memory.o libtomcrypt/hashes/hash_memory_multi.o \ - libtomcrypt/pk/dsa/dsa_make_key.o libtomcrypt/pk/dsa/dsa_export.o libtomcrypt/pk/dsa/dsa_import.o \ - libtomcrypt/pk/dsa/dsa_free.o libtomcrypt/pk/dsa/dsa_sign_hash.o libtomcrypt/pk/dsa/dsa_verify_hash.o \ - libtomcrypt/pk/dsa/dsa_verify_key.o \ libtomcrypt/pk/asn1/der/bit/der_decode_bit_string.o libtomcrypt/pk/asn1/der/bit/der_encode_bit_string.o \ libtomcrypt/pk/asn1/der/bit/der_length_bit_string.o libtomcrypt/pk/asn1/der/boolean/der_decode_boolean.o \ libtomcrypt/pk/asn1/der/boolean/der_encode_boolean.o libtomcrypt/pk/asn1/der/boolean/der_length_boolean.o \ 
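Review bot: `EXTRA_CFLAGS += -DCONFIG_ASSYMETRIC` in the first Makefile hunk is unconditional and spelled differently from the `CONFIG_ASYMMETRIC=y` variable that the last Makefile hunk uses to select `ncr-pk.o`, `ncr-dh.o` and the tommath/tomcrypt objects. Setting the variable to anything but `y` therefore drops those objects while the C files are still compiled with the macro defined, so the guarded calls into `ncr_pk_*` would be left unresolved. Tie the define to the variable, e.g. `ifeq ($(CONFIG_ASYMMETRIC),y)` / `EXTRA_CFLAGS += -DCONFIG_ASSYMETRIC` / `endif`, and settle on one spelling for both names. The third hunk also adds `der_decode_subject_public_key_info.o` although the last hunk's context shows it is still listed at the end of `TOMCRYPT_OBJECTS`, so the entry looks duplicated.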
@@ -55,6 +52,12 @@ TOMCRYPT_OBJECTS = libtomcrypt/misc/zeromem.o libtomcrypt/misc/crypt/crypt_argch libtomcrypt/pk/asn1/der/utctime/der_length_utctime.o libtomcrypt/pk/asn1/der/utf8/der_decode_utf8_string.o \ libtomcrypt/pk/asn1/der/utf8/der_encode_utf8_string.o libtomcrypt/pk/asn1/der/utf8/der_length_utf8_string.o \ libtomcrypt/pk/asn1/der/set/der_encode_set.o libtomcrypt/pk/asn1/der/set/der_encode_setof.o \ + libtomcrypt/pk/asn1/der/x509/der_decode_subject_public_key_info.o \ + libtomcrypt/math/rand_prime.o libtomcrypt/hashes/hash_get_oid.o \ + libtomcrypt/hashes/crypt_hash_is_valid.o libtomcrypt/hashes/hash_memory.o libtomcrypt/hashes/hash_memory_multi.o \ + libtomcrypt/pk/dsa/dsa_make_key.o libtomcrypt/pk/dsa/dsa_export.o libtomcrypt/pk/dsa/dsa_import.o \ + libtomcrypt/pk/dsa/dsa_free.o libtomcrypt/pk/dsa/dsa_sign_hash.o libtomcrypt/pk/dsa/dsa_verify_hash.o \ + libtomcrypt/pk/dsa/dsa_verify_key.o \ libtomcrypt/pk/rsa/rsa_decrypt_key.o libtomcrypt/pk/rsa/rsa_encrypt_key.o libtomcrypt/pk/rsa/rsa_export.o \ libtomcrypt/pk/rsa/rsa_exptmod.o libtomcrypt/pk/rsa/rsa_free.o libtomcrypt/pk/rsa/rsa_import.o \ libtomcrypt/pk/rsa/rsa_make_key.o libtomcrypt/pk/rsa/rsa_sign_hash.o libtomcrypt/pk/rsa/rsa_verify_hash.o \ @@ -65,13 +68,14 @@ TOMCRYPT_OBJECTS = libtomcrypt/misc/zeromem.o libtomcrypt/misc/crypt/crypt_argch libtomcrypt/pk/asn1/der/x509/der_decode_subject_public_key_info.o cryptodev-objs = cryptodev_main.o cryptodev_cipher.o ncr.o \ - ncr-key.o ncr-limits.o ncr-pk.o ncr-sessions.o ncr-dh.o \ - ncr-key-wrap.o ncr-key-storage.o utils.o $(TOMMATH_OBJECTS) \ - $(TOMCRYPT_OBJECTS) - + ncr-key.o ncr-limits.o ncr-sessions.o \ + ncr-key-storage.o utils.o ncr-key-wrap.o obj-m += cryptodev.o +cryptodev-$(CONFIG_ASYMMETRIC) += $(TOMMATH_OBJECTS) \ + $(TOMCRYPT_OBJECTS) ncr-dh.o ncr-pk.o + build: @$(MAKE) version.h $(MAKE) -C $(KERNEL_DIR) SUBDIRS=`pwd` modules diff --git a/ncr-key-storage.c b/ncr-key-storage.c index bc64131..921134a 100644 --- a/ncr-key-storage.c 
+++ b/ncr-key-storage.c @@ -68,6 +68,7 @@ int key_to_storage_data( uint8_t** sdata, size_t * sdata_size, const struct key_ if (key->type == NCR_KEY_TYPE_SECRET) { pkey->raw_size = key->key.secret.size; memcpy(pkey->raw, key->key.secret.data, pkey->raw_size); +#ifdef CONFIG_ASSYMETRIC } else if (key->type == NCR_KEY_TYPE_PRIVATE || key->type == NCR_KEY_TYPE_PUBLIC) { pkey->raw_size = sizeof(pkey->raw); ret = ncr_pk_pack( key, pkey->raw, &pkey->raw_size); @@ -75,6 +76,7 @@ int key_to_storage_data( uint8_t** sdata, size_t * sdata_size, const struct key_ err(); goto fail; } +#endif } else { err(); ret = -EINVAL; @@ -94,7 +96,6 @@ fail: int key_from_storage_data(struct key_item_st* key, const void* data, size_t data_size) { const struct packed_key * pkey = data; - int ret; if (data_size != sizeof(*pkey) || pkey->version != THIS_VERSION || pkey->key_id_size > MAX_KEY_ID_SIZE) { @@ -120,13 +121,17 @@ int key_from_storage_data(struct key_item_st* key, const void* data, size_t data } key->key.secret.size = pkey->raw_size; memcpy(key->key.secret.data, pkey->raw, pkey->raw_size); +#ifdef CONFIG_ASSYMETRIC } else if (key->type == NCR_KEY_TYPE_PUBLIC || key->type == NCR_KEY_TYPE_PRIVATE) { + int ret; + ret = ncr_pk_unpack( key, pkey->raw, pkey->raw_size); if (ret < 0) { err(); return ret; } +#endif } else { err(); return -EINVAL; diff --git a/ncr-key-wrap.c b/ncr-key-wrap.c index a15d371..d3ff07e 100644 --- a/ncr-key-wrap.c +++ b/ncr-key-wrap.c @@ -535,6 +535,7 @@ int kek_level, wkey_level; int ncr_key_wrap(struct ncr_lists *lst, const struct ncr_key_wrap *wrap, struct nlattr *tb[]) { +#ifdef CONFIG_ASSYMETRIC const struct nlattr *nla; struct key_item_st* wkey = NULL; struct key_item_st* key = NULL; @@ -638,6 +639,9 @@ fail: kfree(data); return ret; +#else + return -EOPNOTSUPP; +#endif } /* Unwraps keys. All keys unwrapped are not accessible by 
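Review bot: With the option off, the private/public branches guarded in `key_to_storage_data` and `key_from_storage_data` fall through to the existing `else`, so a key type that is merely compiled out is reported as `-EINVAL`, while `ncr_key_wrap`, `ncr_key_unwrap`, `ncr_key_generate_pair` and the session encrypt/decrypt/final paths in this patch return `-EOPNOTSUPP`. The same fall-through applies to `key_from_packed_data`, the two key-type `switch` statements guarded at the top of the ncr-key.c diff, `ncr_key_derive` and `_ncr_session_init`. A caller cannot tell an unsupported build from a malformed or corrupted key; consider an `#else` arm for the two PK types that sets `ret = -EOPNOTSUPP;` so the error is uniform across the module. Both storage functions extend beyond the hunks shown.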
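Review bot: The `#else` arm of `ncr_key_wrap` (and of `ncr_key_unwrap` in the following hunk) gives no reason for refusing the request; the only explanation is in the commit message. Add a comment at the stub, e.g. `/* key wrapping depends on the DER encoder, which is built only with CONFIG_ASSYMETRIC */`, and mention the `-EOPNOTSUPP` return in the comment above each function. Any static helpers that only these two functions use would also become unused under `-Wall` when the option is off; those helpers are outside the hunks, so this is worth a build check rather than a certainty.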
@@ -646,6 +650,7 @@ fail: int ncr_key_unwrap(struct ncr_lists *lst, const struct ncr_key_unwrap *wrap, struct nlattr *tb[]) { +#ifdef CONFIG_ASSYMETRIC const struct nlattr *nla; struct key_item_st* wkey = NULL; struct key_item_st* key = NULL; @@ -715,6 +720,9 @@ fail: if (data != NULL) kfree(data); return ret; +#else + return -EOPNOTSUPP; +#endif } int ncr_key_storage_wrap(struct ncr_lists *lst, @@ -1050,6 +1058,7 @@ static int key_from_packed_data(struct nlattr *tb[], struct key_item_st *key, } key->key.secret.size = pkey_size; memcpy(key->key.secret.data, pkey, pkey_size); +#ifdef CONFIG_ASSYMETRIC } else if (key->type == NCR_KEY_TYPE_PUBLIC || key->type == NCR_KEY_TYPE_PRIVATE) { @@ -1058,6 +1067,7 @@ static int key_from_packed_data(struct nlattr *tb[], struct key_item_st *key, err(); return ret; } +#endif } else { err(); return -EINVAL; diff --git a/ncr-key.c b/ncr-key.c index 8e082d1..94b6f80 100644 --- a/ncr-key.c +++ b/ncr-key.c @@ -247,6 +247,7 @@ int ret; ret = item->key.secret.size; break; +#ifdef CONFIG_ASSYMETRIC case NCR_KEY_TYPE_PUBLIC: case NCR_KEY_TYPE_PRIVATE: tmp_size = data->buffer_size; @@ -273,6 +274,7 @@ int ret; ret = tmp_size; break; +#endif default: err(); ret = -EINVAL; @@ -376,6 +378,7 @@ size_t tmp_size; memcpy(item->key.secret.data, tmp, tmp_size); item->key.secret.size = tmp_size; break; +#ifdef CONFIG_ASSYMETRIC case NCR_KEY_TYPE_PRIVATE: case NCR_KEY_TYPE_PUBLIC: ret = ncr_pk_unpack( item, tmp, tmp_size); @@ -384,7 +387,7 @@ size_t tmp_size; goto fail; } break; - +#endif default: err(); ret = -EINVAL; @@ -404,11 +407,13 @@ fail: void ncr_key_clear(struct key_item_st* item) { /* clears any previously allocated parameters */ +#ifdef CONFIG_ASSYMETRIC if (item->type == NCR_KEY_TYPE_PRIVATE || item->type == NCR_KEY_TYPE_PUBLIC) { ncr_pk_clear(item); } +#endif memset(&item->key, 0, sizeof(item->key)); memset(item->key_id, 0, sizeof(item->key_id)); item->key_id_size = 0; 
@@ -491,6 +496,8 @@ fail: return ret; } +#ifdef CONFIG_ASSYMETRIC + /* Those values are derived from "ECRYPT II Yearly Report on Algorithms and * Keysizes (2009-2010)". It maps the strength of public key algorithms to * symmetric ones. Should be kept up to date. @@ -548,13 +555,13 @@ int i = 1; return ecrypt_vals[i-1].bits; } +#endif + /* returns the security level of the key in bits. Private/Public keys * are mapped to symmetric key bits using the ECRYPT II 2010 recommendation. */ int _ncr_key_get_sec_level(struct key_item_st* item) { -int bits; - /* FIXME: should we move everything here into algorithm properties? */ if (item->type == NCR_KEY_TYPE_SECRET) { @@ -562,7 +569,10 @@ int bits; return 112; return item->key.secret.size*8; +#ifdef CONFIG_ASSYMETRIC } else if (item->type == NCR_KEY_TYPE_PRIVATE) { + int bits; + switch(item->algorithm->algo) { case NCR_ALG_RSA: bits = ncr_pk_get_rsa_size(&item->key.pk.rsa); @@ -591,6 +601,7 @@ int bits; default: return -EINVAL; } +#endif } else { return -EINVAL; } @@ -662,6 +673,7 @@ int ncr_key_generate_pair(struct ncr_lists *lst, const struct ncr_key_generate_pair *gen, struct nlattr *tb[]) { +#ifdef CONFIG_ASSYMETRIC struct key_item_st* private = NULL; struct key_item_st* public = NULL; int ret; @@ -727,6 +739,9 @@ fail: _ncr_key_item_put(private); } return ret; +#else + return -EOPNOTSUPP; +#endif } int ncr_key_derive(struct ncr_lists *lst, const struct ncr_key_derive *data, @@ -765,6 +780,7 @@ struct key_item_st* newkey = NULL; } switch (key->type) { +#ifdef CONFIG_ASSYMETRIC case NCR_KEY_TYPE_PUBLIC: case NCR_KEY_TYPE_PRIVATE: ret = ncr_pk_derive(newkey, key, tb); @@ -773,6 +789,7 @@ struct key_item_st* newkey = NULL; goto fail; } break; +#endif default: err(); ret = -EINVAL; diff --git a/ncr-pk.c b/ncr-pk.c index 904e8d6..6de044b 100644 --- a/ncr-pk.c +++ b/ncr-pk.c @@ -33,6 +33,8 @@ #include "ncr-int.h" #include +#ifdef CONFIG_ASSYMETRIC + int _ncr_tomerr(int err) { switch (err) { 
@@ -683,3 +685,5 @@ int ret; return ret; } + +#endif /* CONFIG_ASSYMETRIC */ diff --git a/ncr-sessions.c b/ncr-sessions.c index cb18853..3f39d6d 100644 --- a/ncr-sessions.c +++ b/ncr-sessions.c @@ -47,7 +47,9 @@ struct session_item_st { * in a union. */ struct cipher_data cipher; +#ifdef CONFIG_ASSYMETRIC struct ncr_pk_ctx pk; +#endif struct hash_data hash; /* This is a hack, ideally we'd have a hash algorithm that simply outputs its input as a digest. We'd still need to distinguish @@ -168,7 +170,9 @@ static void _ncr_sessions_item_put(struct session_item_st *item) { if (atomic_dec_and_test(&item->refcnt)) { cryptodev_cipher_deinit(&item->cipher); +#ifdef CONFIG_ASSYMETRIC ncr_pk_cipher_deinit(&item->pk); +#endif cryptodev_hash_deinit(&item->hash); kfree(item->transparent_hash); if (item->key) @@ -504,7 +508,6 @@ static struct session_item_st *_ncr_session_init(struct ncr_lists *lists, const struct nlattr *nla; struct session_item_st *ns, *old_session = NULL; int ret; - const struct algo_properties_st *sign_hash; ns = ncr_session_new(desc); if (ns == NULL) { @@ -602,6 +605,7 @@ static struct session_item_st *_ncr_session_init(struct ncr_lists *lists, nla_data(nla), nla_len(nla)); } +#ifdef CONFIG_ASSYMETRIC } else if (ns->key->type == NCR_KEY_TYPE_PRIVATE || ns->key->type == NCR_KEY_TYPE_PUBLIC) { ret = ncr_pk_cipher_init(ns->algorithm, &ns->pk, tb, ns->key, NULL); @@ -609,6 +613,7 @@ static struct session_item_st *_ncr_session_init(struct ncr_lists *lists, err(); goto fail; } +#endif } else { err(); ret = -EINVAL; @@ -683,8 +688,10 @@ static struct session_item_st *_ncr_session_init(struct ncr_lists *lists, err(); goto fail; } - +#ifdef CONFIG_ASSYMETRIC } else if (ns->algorithm->is_pk && (ns->key->type == NCR_KEY_TYPE_PRIVATE || ns->key->type == NCR_KEY_TYPE_PUBLIC)) { + const struct algo_properties_st *sign_hash; + if (old_session != NULL) { err(); ret = -EOPNOTSUPP; 
@@ -740,6 +747,7 @@ static struct session_item_st *_ncr_session_init(struct ncr_lists *lists, goto fail; } } +#endif } else { err(); ret = -EINVAL; @@ -809,6 +817,7 @@ int ret; /* FIXME: handle ciphers that do not require that */ *output_size = input_size; } else { /* public key */ +#ifdef CONFIG_ASSYMETRIC ret = ncr_pk_cipher_encrypt(&sess->pk, input, input_cnt, input_size, output, output_cnt, output_size); @@ -816,6 +825,10 @@ int ret; err(); return ret; } +#else + return -EOPNOTSUPP; +#endif + } return 0; @@ -839,6 +852,7 @@ int ret; /* FIXME: handle ciphers that do not require equality */ *output_size = input_size; } else { /* public key */ +#ifdef CONFIG_ASSYMETRIC ret = ncr_pk_cipher_decrypt(&sess->pk, input, input_cnt, input_size, output, output_cnt, output_size); @@ -846,6 +860,10 @@ int ret; err(); return ret; } +#else + return -EOPNOTSUPP; +#endif + } return 0; @@ -1190,6 +1208,7 @@ static int _ncr_session_final(struct ncr_lists *lists, ret = (digest_size == src.data_size && memcmp(buffer, digest, digest_size) == 0); else { +#ifdef CONFIG_ASSYMETRIC ret = ncr_pk_cipher_verify(&sess->pk, buffer, src.data_size, digest, digest_size); @@ -1197,6 +1216,10 @@ static int _ncr_session_final(struct ncr_lists *lists, err(); goto fail; } +#else + ret = -EOPNOTSUPP; + goto fail; +#endif } break; } @@ -1245,6 +1268,7 @@ static int _ncr_session_final(struct ncr_lists *lists, } output_size = digest_size; } else { +#ifdef CONFIG_ASSYMETRIC output_size = dst.buffer_size; buffer = kmalloc(output_size, GFP_KERNEL); if (buffer == NULL) { @@ -1264,6 +1288,10 @@ static int _ncr_session_final(struct ncr_lists *lists, ret = -EFAULT; goto fail; } +#else + ret = -EOPNOTSUPP; + goto fail; +#endif } ret = ncr_session_output_buffer_set_size(&dst, output_size, -- cgit
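Review bot: In the verify branch of `_ncr_session_final`, the unchanged context line `memcmp(buffer, digest, digest_size) == 0` checks the digest with an early-exit comparison, so the time taken depends on how many leading bytes match. For MAC verification that is a timing side channel; a constant-time comparison is preferable, e.g. `crypto_memneq(buffer, digest, digest_size) == 0` on kernels that provide it, or a small XOR-accumulate loop otherwise. The commit does not touch this line, and which of the two buffers is caller-supplied is inferred from the names. The function starts and ends outside the hunk.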