diff options
| author | Ingo Franzki <ifranzki@linux.ibm.com> | 2024-09-26 15:56:47 +0200 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2024-10-23 15:07:01 +0200 |
| commit | f928304a9db3772a6047462599384fb57d878ccb (patch) | |
| tree | a7a643d0c6530ff9201f4ce1fdba39e8f38b4938 /crypto/s390xcap.c | |
| parent | work around oqsprovider out-of-source build bug (diff) | |
| download | openssl-f928304a9db3772a6047462599384fb57d878ccb.tar.xz openssl-f928304a9db3772a6047462599384fb57d878ccb.zip | |
s390x: Don't probe crypto cards for ME/CRT offloading during initialization
Probing for crypto cards during initialization by issuing an ioctl to the
zcrypt device driver can cause a lot of traffic and overhead, because it
runs for each and every application that uses OpenSSL, regardless if that
application will later perform ME or CRT operations or not.
Fix this by performing no probing during initialization, but detect the
crypto card availability only at the first ME/CRT operation that is subject
to be offloaded. If the ioctl returns ENODEV, then no suitable crypto
card is available in the system, and we disable further offloading
attempts by setting flag OPENSSL_s390xcex_nodev to 1.
Setting the global flag OPENSSL_s390xcex_nodev in case of ENODEV is
intentionally not made in a thread save manner, because the only thing
that could happen is that another thread, that misses the flag update,
also issues an ioctl and gets ENODEV as well.
The file descriptor is not closed in such error cases, because this could
cause raise conditions where we would close a foreign file if the same
file descriptor got reused by another thread. The file descriptor is finally
closed during termination by the atexit handler.
In case the ioctl returns ENOTTY then this indicates that the file descriptor
was closed (e.g. by a sandbox), but in the meantime the same file descriptor
has been reused for another file. Do not use the file descriptor anymore,
and also do not close it during termination.
Fixes: https://github.com/openssl/openssl/commit/79040cf29e011c21789563d74da626b7465a0540
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25576)
Diffstat (limited to '')
| -rw-r--r-- | crypto/s390xcap.c | 39 |
1 files changed, 3 insertions, 36 deletions
diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c index 7721b5c801..82b2654fb5 100644 --- a/crypto/s390xcap.c +++ b/crypto/s390xcap.c @@ -86,8 +86,8 @@ void OPENSSL_s390x_functions(void); struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; #ifdef S390X_MOD_EXP -static int probe_cex(void); int OPENSSL_s390xcex; +int OPENSSL_s390xcex_nodev; #if defined(__GNUC__) __attribute__ ((visibility("hidden"))) @@ -217,45 +217,12 @@ void OPENSSL_cpuid_setup(void) OPENSSL_s390xcex = -1; } else { OPENSSL_s390xcex = open("/dev/z90crypt", O_RDWR | O_CLOEXEC); - if (probe_cex() == 1) - OPENSSL_atexit(OPENSSL_s390x_cleanup); + OPENSSL_atexit(OPENSSL_s390x_cleanup); } + OPENSSL_s390xcex_nodev = 0; #endif } -#ifdef S390X_MOD_EXP -static int probe_cex(void) -{ - struct ica_rsa_modexpo me; - const unsigned char inval[16] = { - 0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,2 - }; - const unsigned char modulus[16] = { - 0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,3 - }; - unsigned char res[16]; - int olderrno; - int rc = 1; - - me.inputdata = (unsigned char *)inval; - me.inputdatalength = sizeof(inval); - me.outputdata = (unsigned char *)res; - me.outputdatalength = sizeof(res); - me.b_key = (unsigned char *)inval; - me.n_modulus = (unsigned char *)modulus; - olderrno = errno; - if (ioctl(OPENSSL_s390xcex, ICARSAMODEXPO, &me) == -1) { - (void)close(OPENSSL_s390xcex); - OPENSSL_s390xcex = -1; - rc = 0; - } - errno = olderrno; - return rc; -} -#endif - static int parse_env(struct OPENSSL_s390xcap_st *cap, int *cex) { /*- |