path: root/extras/openssl-0.9.8l-cryptodev-aes256.patch
This is http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch adapted for
openssl-0.9.8l. It makes AES192 and AES256 CBC known to the cryptodev engine.

There's also http://people.freebsd.org/~pjd/patches/eng_cryptodev.c.patch,
which seems more current, also adds SHA digests and does something CTX-related
to cryptodev_rsa_nocrt_mod_exp(). But since digests are disabled in
cryptodev_usable_digests() anyway and cryptodev_rsa_nocrt_mod_exp() is used for
RSA only, I didn't bother with it.

--- openssl-0.9.8l/crypto/engine/eng_cryptodev.caes256	2004-06-15 13:45:42.000000000 +0200
+++ openssl-0.9.8l/crypto/engine/eng_cryptodev.c	2010-02-16 21:57:15.000000000 +0100
@@ -133,11 +133,14 @@
 	{ CRYPTO_DES_CBC,		NID_des_cbc,		8,	 8, },
 	{ CRYPTO_3DES_CBC,		NID_des_ede3_cbc,	8,	24, },
 	{ CRYPTO_AES_CBC,		NID_aes_128_cbc,	16,	16, },
+	{ CRYPTO_AES_CBC,		NID_aes_192_cbc,	16,	24, },
+	{ CRYPTO_AES_CBC,		NID_aes_256_cbc,	16,	32, },
 	{ CRYPTO_BLF_CBC,		NID_bf_cbc,		8,	16, },
 	{ CRYPTO_CAST_CBC,		NID_cast5_cbc,		8,	16, },
 	{ CRYPTO_SKIPJACK_CBC,		NID_undef,		0,	 0, },
 	{ 0,				NID_undef,		0,	 0, },
 };
+#define	NCIPHERS	(sizeof(ciphers) / sizeof(ciphers[0]))
 
 static struct {
 	int	id;
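Review bot: With the two added rows, three entries in `ciphers[]` carry the id `CRYPTO_AES_CBC`, so the id no longer identifies a single row, and nothing at the table records that. The key-length lookup patched later in this diff accounts for it, but any other helper that searches the table by id alone (none is visible in this diff) would stop at the AES-128 row and should be checked. A comment above the table such as `/* ids may repeat: one row per (id, keylen); look rows up by nid or by id + keylen */` would state the constraint for the next person who adds a row. The table itself begins above this hunk.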
@@ -229,8 +232,8 @@
 	int i;
 
 	for (i = 0; ciphers[i].id; i++)
-		if (ciphers[i].id == cipher)
-			return (ciphers[i].keylen == len);
+		if (ciphers[i].id == cipher && ciphers[i].keylen == len)
+			return (1);
 	return (0);
 }
 
@@ -255,7 +258,7 @@
 static int
 get_cryptodev_ciphers(const int **cnids)
 {
-	static int nids[CRYPTO_ALGORITHM_MAX];
+	static int nids[NCIPHERS];
 	struct session_op sess;
 	int fd, i, count = 0;
 
@@ -266,7 +269,7 @@
 	memset(&sess, 0, sizeof(sess));
 	sess.key = (caddr_t)"123456781234567812345678";
 
-	for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+	for (i = 0; ciphers[i].id && count < NCIPHERS; i++) {
 		if (ciphers[i].nid == NID_undef)
 			continue;
 		sess.cipher = ciphers[i].id;
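Review bot: The probe key on the unchanged line `sess.key = (caddr_t)"123456781234567812345678";` is 24 characters long, while the AES-256 row this patch adds to `ciphers[]` declares a 32-byte key. The rest of the loop body lies outside this hunk; if it sets `sess.keylen` from `ciphers[i].keylen`, as the table layout suggests, the session-setup ioctl for that row is told to read 32 bytes from a 25-byte string literal. Sizing the probe key to the largest key length in the table removes the over-read, for example `sess.key = (caddr_t)"12345678123456781234567812345678";`.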
@@ -550,7 +553,7 @@
 	NULL
 };
 
-const EVP_CIPHER cryptodev_aes_cbc = {
+const EVP_CIPHER cryptodev_aes128_cbc = {
 	NID_aes_128_cbc,
 	16, 16, 16,
 	EVP_CIPH_CBC_MODE,
@@ -563,6 +566,32 @@
 	NULL
 };
 
+const EVP_CIPHER cryptodev_aes192_cbc = {
+	NID_aes_192_cbc,
+	16, 24, 16,
+	EVP_CIPH_CBC_MODE,
+	cryptodev_init_key,
+	cryptodev_cipher,
+	cryptodev_cleanup,
+	sizeof(struct dev_crypto_state),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+};
+
+const EVP_CIPHER cryptodev_aes256_cbc = {
+	NID_aes_256_cbc,
+	16, 32, 16,
+	EVP_CIPH_CBC_MODE,
+	cryptodev_init_key,
+	cryptodev_cipher,
+	cryptodev_cleanup,
+	sizeof(struct dev_crypto_state),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+};
+
 /*
  * Registered by the ENGINE when used to find out how to deal with
  * a particular NID in the ENGINE. this says what we'll do at the
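Review bot: `cryptodev_aes192_cbc` and `cryptodev_aes256_cbc` are defined as `const EVP_CIPHER` without `static`, so both get external linkage, and the rename to `cryptodev_aes128_cbc` in the preceding hunk changes the name of a symbol that was exported the same way. If nothing outside eng_cryptodev.c refers to these objects (this cannot be determined from the diff), writing `static const EVP_CIPHER cryptodev_aes192_cbc = {` and likewise for the other two keeps them out of the library's global namespace. If something does refer to the old `cryptodev_aes_cbc` name, it needs to remain available.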
@@ -589,7 +618,13 @@
 		*cipher = &cryptodev_cast_cbc;
 		break;
 	case NID_aes_128_cbc:
-		*cipher = &cryptodev_aes_cbc;
+		*cipher = &cryptodev_aes128_cbc;
+		break;
+	case NID_aes_192_cbc:
+		*cipher = &cryptodev_aes192_cbc;
+		break;
+	case NID_aes_256_cbc:
+		*cipher = &cryptodev_aes256_cbc;
 		break;
 	default:
 		*cipher = NULL;