e_padlock.c revision 1.1.1.2
      1  1.1.1.2  christos /*
      2  1.1.1.2  christos  * Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
      3      1.1  christos  *
      4  1.1.1.2  christos  * Licensed under the OpenSSL license (the "License").  You may not use
      5  1.1.1.2  christos  * this file except in compliance with the License.  You can obtain a copy
      6  1.1.1.2  christos  * in the file LICENSE in the source distribution or at
      7  1.1.1.2  christos  * https://www.openssl.org/source/license.html
      8      1.1  christos  */
      9      1.1  christos 
     10      1.1  christos #include <stdio.h>
     11      1.1  christos #include <string.h>
     12      1.1  christos 
     13      1.1  christos #include <openssl/opensslconf.h>
     14      1.1  christos #include <openssl/crypto.h>
     15      1.1  christos #include <openssl/engine.h>
     16      1.1  christos #include <openssl/evp.h>
     17  1.1.1.2  christos #include <openssl/aes.h>
     18      1.1  christos #include <openssl/rand.h>
     19      1.1  christos #include <openssl/err.h>
     20  1.1.1.2  christos #include <openssl/modes.h>
     21      1.1  christos 
     22      1.1  christos #ifndef OPENSSL_NO_HW
     23      1.1  christos # ifndef OPENSSL_NO_HW_PADLOCK
     24      1.1  christos 
     25      1.1  christos /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
     26      1.1  christos #  if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
     27      1.1  christos #   ifndef OPENSSL_NO_DYNAMIC_ENGINE
     28      1.1  christos #    define DYNAMIC_ENGINE
     29      1.1  christos #   endif
     30      1.1  christos #  elif (OPENSSL_VERSION_NUMBER >= 0x00907000L)
     31      1.1  christos #   ifdef ENGINE_DYNAMIC_SUPPORT
     32      1.1  christos #    define DYNAMIC_ENGINE
     33      1.1  christos #   endif
     34      1.1  christos #  else
     35      1.1  christos #   error "Only OpenSSL >= 0.9.7 is supported"
     36      1.1  christos #  endif
     37      1.1  christos 
     38      1.1  christos /*
     39      1.1  christos  * VIA PadLock AES is available *ONLY* on some x86 CPUs. Not only that it
     40      1.1  christos  * doesn't exist elsewhere, but it even can't be compiled on other platforms!
     41      1.1  christos  */
     42  1.1.1.2  christos 
     43      1.1  christos #  undef COMPILE_HW_PADLOCK
     44  1.1.1.2  christos #  if defined(PADLOCK_ASM)
     45  1.1.1.2  christos #   define COMPILE_HW_PADLOCK
     46  1.1.1.2  christos #   ifdef OPENSSL_NO_DYNAMIC_ENGINE
     47  1.1.1.2  christos static ENGINE *ENGINE_padlock(void);
     48      1.1  christos #   endif
     49      1.1  christos #  endif
     50      1.1  christos 
     51      1.1  christos #  ifdef OPENSSL_NO_DYNAMIC_ENGINE
void engine_load_padlock_int(void);

/*
 * Static-build entry point: create the PadLock ENGINE and add it to the
 * engine list.  When COMPILE_HW_PADLOCK is not defined the body is empty and
 * the function just returns.
 *
 * The result of ENGINE_add() is intentionally not inspected: the local
 * reference is released either way and the error queue is cleared afterwards,
 * so a failed registration is silent to the caller.
 */
void engine_load_padlock_int(void)
{
#   ifdef COMPILE_HW_PADLOCK
    ENGINE *engine = ENGINE_padlock();

    if (engine != NULL) {
        ENGINE_add(engine);
        /* Drop the reference obtained from ENGINE_padlock(). */
        ENGINE_free(engine);
        ERR_clear_error();
    }
#   endif
}
     65      1.1  christos 
     66      1.1  christos #  endif
     67      1.1  christos 
     68      1.1  christos #  ifdef COMPILE_HW_PADLOCK
     69      1.1  christos 
/* Functions for ENGINE detection and control */
static int padlock_available(void);
static int padlock_init(ENGINE *e);

/* RNG method table; only handed to ENGINE_set_RAND() when padlock_use_rng is set */
static RAND_METHOD padlock_rand;

/* Cipher lookup callback handed to ENGINE_set_ciphers() */
static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
                           const int **nids, int nid);

/* Engine names */
static const char *padlock_id = "padlock";
/* Filled in by padlock_bind_helper() with a size-bounded BIO_snprintf() */
static char padlock_name[100];

/* Available features, written by padlock_available() */
static int padlock_use_ace = 0; /* Advanced Cryptography Engine */
static int padlock_use_rng = 0; /* Random Number Generator; reset to 0 by padlock_bind_helper() */
     88      1.1  christos 
     89      1.1  christos /* ===== Engine "management" functions ===== */
     90      1.1  christos 
/*
 * Prepare the ENGINE structure for registration.
 *
 * Sets the engine id, the human-readable name and the init hook on `e`, and
 * registers the cipher table when ACE was detected.  Returns 1 when every
 * setter succeeded and 0 as soon as one of them fails.
 */
static int padlock_bind_helper(ENGINE *e)
{
    /* Probe the CPU; this fills padlock_use_ace and padlock_use_rng. */
    padlock_available();

    /*
     * RNG is currently disabled for reasons discussed in commentary just
     * before padlock_rand_bytes function.  Whatever the probe reported is
     * overridden here, so the RAND registration below is never reached.
     */
    padlock_use_rng = 0;

    /* The name records which features ended up enabled. */
    BIO_snprintf(padlock_name, sizeof(padlock_name),
                 "VIA PadLock (%s, %s)",
                 padlock_use_rng ? "RNG" : "no-RNG",
                 padlock_use_ace ? "ACE" : "no-ACE");

    /* Register each piece in turn; the first failure aborts the binding. */
    if (!ENGINE_set_id(e, padlock_id))
        return 0;
    if (!ENGINE_set_name(e, padlock_name))
        return 0;
    if (!ENGINE_set_init_function(e, padlock_init))
        return 0;
    if (padlock_use_ace && !ENGINE_set_ciphers(e, padlock_ciphers))
        return 0;
    if (padlock_use_rng && !ENGINE_set_RAND(e, &padlock_rand))
        return 0;

    return 1;
}
    121      1.1  christos 
    122      1.1  christos #   ifdef OPENSSL_NO_DYNAMIC_ENGINE
/*
 * Constructor: allocate a new ENGINE and bind the PadLock methods to it.
 * Returns the engine, or NULL if allocation or binding failed; a partially
 * bound engine is freed before returning.
 */
static ENGINE *ENGINE_padlock(void)
{
    ENGINE *eng = ENGINE_new();

    if (eng != NULL && !padlock_bind_helper(eng)) {
        ENGINE_free(eng);
        eng = NULL;
    }

    return eng;
}
    139      1.1  christos #   endif
    140      1.1  christos 
/*
 * ENGINE init hook: report whether the engine has anything to offer.
 * Returns 1 if at least one of the RNG / ACE feature flags is set, else 0.
 * The engine argument is not used.
 */
static int padlock_init(ENGINE *e)
{
    if (padlock_use_rng)
        return 1;

    return padlock_use_ace ? 1 : 0;
}
    146      1.1  christos 
    147      1.1  christos /*
    148      1.1  christos  * This stuff is needed if this ENGINE is being compiled into a
    149      1.1  christos  * self-contained shared-library.
    150      1.1  christos  */
    151  1.1.1.2  christos #   ifndef OPENSSL_NO_DYNAMIC_ENGINE
/*
 * Bind callback for the dynamically loaded engine.  A non-NULL `id` must
 * match padlock_id exactly; a NULL `id` is accepted as-is.  Returns 1 when
 * the engine was bound, 0 on an id mismatch or a binding failure.
 */
static int padlock_bind_fn(ENGINE *e, const char *id)
{
    if (id != NULL && strcmp(id, padlock_id) != 0)
        return 0;

    return padlock_bind_helper(e) ? 1 : 0;
}
    164      1.1  christos 
    165      1.1  christos IMPLEMENT_DYNAMIC_CHECK_FN()
    166  1.1.1.2  christos IMPLEMENT_DYNAMIC_BIND_FN(padlock_bind_fn)
    167  1.1.1.2  christos #   endif                       /* !OPENSSL_NO_DYNAMIC_ENGINE */
    168      1.1  christos /* ===== Here comes the "real" engine ===== */
    169  1.1.1.2  christos 
    170      1.1  christos /* Some AES-related constants */
    171  1.1.1.2  christos #   define AES_BLOCK_SIZE          16
    172  1.1.1.2  christos #   define AES_KEY_SIZE_128        16
    173  1.1.1.2  christos #   define AES_KEY_SIZE_192        24
    174  1.1.1.2  christos #   define AES_KEY_SIZE_256        32
/*
 * Here we store the status information relevant to the current context.
 *
 * BIG FAT WARNING: Inline assembler in PADLOCK_XCRYPT_ASM() depends on
 * the order of items in this structure.  Don't blindly modify, reorder,
 * etc!
 *
 * The cipher handlers in this file reach this structure only through
 * ALIGNED_CIPHER_DATA(), i.e. at a 16-byte-aligned address inside the EVP
 * cipher-data allocation.
 *
 * NOTE(review): the allocation order of bit-fields is implementation-defined
 * in C, so the control-word layout below is tied to the compiler/ABI this
 * engine is built with - confirm before porting.
 * NOTE(review): `ks` holds key material; no scrubbing of this structure is
 * visible in this part of the file - confirm the context cleanup path.
 */
struct padlock_cipher_data {
    unsigned char iv[AES_BLOCK_SIZE]; /* Initialization vector */
    union {
        unsigned int pad[4];    /* whole control word as four unsigned ints */
        struct {
            int rounds:4;
            int dgst:1;         /* n/a in C3 */
            int align:1;        /* n/a in C3 */
            int ciphr:1;        /* n/a in C3 */
            unsigned int keygen:1;
            int interm:1;
            unsigned int encdec:1; /* direction bit; toggled in padlock_cfb_cipher() */
            int ksize:2;
        } b;
    } cword;                    /* Control word */
    AES_KEY ks;                 /* Encryption key */
};
    200      1.1  christos 
/*
 * Interface to assembler module.
 *
 * None of these routines is defined in this file.  The cipher handlers below
 * treat a zero return from padlock_cbc_encrypt(), padlock_cfb_encrypt() and
 * padlock_ofb_encrypt() as failure and a non-zero return as success, and
 * they pass a context obtained from ALIGNED_CIPHER_DATA().
 *
 * NOTE(review): the length and alignment requirements of these routines are
 * not visible here - verify them against the assembler source before
 * calling them from new code.
 */
unsigned int padlock_capability(void);
void padlock_key_bswap(AES_KEY *key);
void padlock_verify_context(struct padlock_cipher_data *ctx);
void padlock_reload_key(void);
void padlock_aes_block(void *out, const void *inp,
                       struct padlock_cipher_data *ctx);
int padlock_ecb_encrypt(void *out, const void *inp,
                        struct padlock_cipher_data *ctx, size_t len);
int padlock_cbc_encrypt(void *out, const void *inp,
                        struct padlock_cipher_data *ctx, size_t len);
int padlock_cfb_encrypt(void *out, const void *inp,
                        struct padlock_cipher_data *ctx, size_t len);
int padlock_ofb_encrypt(void *out, const void *inp,
                        struct padlock_cipher_data *ctx, size_t len);
int padlock_ctr32_encrypt(void *out, const void *inp,
                          struct padlock_cipher_data *ctx, size_t len);
int padlock_xstore(void *out, int edx);
void padlock_sha1_oneshot(void *ctx, const void *inp, size_t len);
void padlock_sha1(void *ctx, const void *inp, size_t len);
void padlock_sha256_oneshot(void *ctx, const void *inp, size_t len);
void padlock_sha256(void *ctx, const void *inp, size_t len);
    223      1.1  christos 
/*
 * Load supported features of the CPU to see if the PadLock is available.
 *
 * Reads the capability word from the assembler module and records the result
 * in padlock_use_ace and padlock_use_rng.  A feature counts as usable only
 * when both bits of its two-bit field are set (bits 6-7 for ACE, bits 2-3
 * for the RNG) - presumably "present" and "enabled"; confirm against the
 * assembler module.  Returns the number of usable features (0, 1 or 2).
 */
static int padlock_available(void)
{
    const unsigned int ace_bits = 0x3 << 6;
    const unsigned int rng_bits = 0x3 << 2;
    unsigned int caps = padlock_capability();

    padlock_use_ace = ((caps & ace_bits) == ace_bits);
    padlock_use_rng = ((caps & rng_bits) == rng_bits);

    return padlock_use_ace + padlock_use_rng;
}
    237      1.1  christos 
    238  1.1.1.2  christos /* ===== AES encryption/decryption ===== */
    239      1.1  christos 
    240  1.1.1.2  christos #   if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
    241  1.1.1.2  christos #    define NID_aes_128_cfb NID_aes_128_cfb128
    242  1.1.1.2  christos #   endif
    243      1.1  christos 
    244  1.1.1.2  christos #   if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
    245  1.1.1.2  christos #    define NID_aes_128_ofb NID_aes_128_ofb128
    246  1.1.1.2  christos #   endif
    247      1.1  christos 
    248  1.1.1.2  christos #   if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
    249  1.1.1.2  christos #    define NID_aes_192_cfb NID_aes_192_cfb128
    250  1.1.1.2  christos #   endif
    251      1.1  christos 
    252  1.1.1.2  christos #   if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
    253  1.1.1.2  christos #    define NID_aes_192_ofb NID_aes_192_ofb128
    254  1.1.1.2  christos #   endif
    255      1.1  christos 
    256  1.1.1.2  christos #   if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
    257  1.1.1.2  christos #    define NID_aes_256_cfb NID_aes_256_cfb128
    258  1.1.1.2  christos #   endif
    259      1.1  christos 
    260  1.1.1.2  christos #   if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
    261  1.1.1.2  christos #    define NID_aes_256_ofb NID_aes_256_ofb128
    262  1.1.1.2  christos #   endif
    263      1.1  christos 
/*
 * List of supported ciphers: AES with 128/192/256-bit keys in ECB, CBC, CFB,
 * OFB and CTR mode.  padlock_ciphers() hands this array out when it is asked
 * for the list of NIDs, so every entry needs a matching DECLARE_AES_EVP()
 * instance and a matching case in padlock_ciphers().
 */
static const int padlock_cipher_nids[] = {
    NID_aes_128_ecb,
    NID_aes_128_cbc,
    NID_aes_128_cfb,
    NID_aes_128_ofb,
    NID_aes_128_ctr,

    NID_aes_192_ecb,
    NID_aes_192_cbc,
    NID_aes_192_cfb,
    NID_aes_192_ofb,
    NID_aes_192_ctr,

    NID_aes_256_ecb,
    NID_aes_256_cbc,
    NID_aes_256_cfb,
    NID_aes_256_ofb,
    NID_aes_256_ctr
};

/* Element count of padlock_cipher_nids, returned by padlock_ciphers() */
static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids) /
                                      sizeof(padlock_cipher_nids[0]));
    287  1.1.1.2  christos 
    288  1.1.1.2  christos /* Function prototypes ... */
    289  1.1.1.2  christos static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
    290  1.1.1.2  christos                                 const unsigned char *iv, int enc);
    291  1.1.1.2  christos 
/*
 * NEAREST_ALIGNED() rounds a pointer up to the next 16-byte boundary, adding
 * between 0 and 15 bytes.  ALIGNED_CIPHER_DATA() applies that to the EVP
 * cipher-data allocation of `ctx`, so that allocation has to be at least
 * sizeof(struct padlock_cipher_data) + 15 bytes for the aligned structure to
 * stay inside it; DECLARE_AES_EVP() requests
 * sizeof(struct padlock_cipher_data) + 16.  Keep the two in step.
 */
#   define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) +         \
        ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F )      )
#   define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
        NEAREST_ALIGNED(EVP_CIPHER_CTX_get_cipher_data(ctx)))
    296  1.1.1.2  christos 
/*
 * AES-ECB do_cipher handler: pass the whole buffer to the assembler routine
 * together with the 16-byte-aligned cipher data of `ctx`, and return that
 * routine's result unchanged.
 */
static int
padlock_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
                   const unsigned char *in_arg, size_t nbytes)
{
    struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);

    return padlock_ecb_encrypt(out_arg, in_arg, cdata, nbytes);
}
    304      1.1  christos 
/*
 * AES-CBC do_cipher handler.
 *
 * The IV kept in the EVP context is copied into the aligned cipher data
 * before the assembler routine runs.  The updated IV is copied back only
 * when that routine returns non-zero, so on failure the context IV is left
 * as it was.  Returns the assembler routine's result.
 */
static int
padlock_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
                   const unsigned char *in_arg, size_t nbytes)
{
    struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
    int ok;

    memcpy(cdata->iv, EVP_CIPHER_CTX_iv(ctx), AES_BLOCK_SIZE);

    ok = padlock_cbc_encrypt(out_arg, in_arg, cdata, nbytes);
    if (ok != 0) {
        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), cdata->iv, AES_BLOCK_SIZE);
    }

    return ok;
}
    317      1.1  christos 
/*
 * AES-CFB do_cipher handler; accepts any byte length.
 *
 * Work is done in up to three stages: finish a block left half-used by the
 * previous call (offset kept in the context's `num`), run all whole blocks
 * through padlock_cfb_encrypt(), then handle a trailing partial block by
 * hand and record its length in `num`.
 *
 * Returns 1 on success.  Returns 0 if `num` is out of range or if
 * padlock_cfb_encrypt() reports failure; in the latter case the IV in the
 * EVP context is not updated.
 */
static int
padlock_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
                   const unsigned char *in_arg, size_t nbytes)
{
    struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
    size_t chunk;

    /* Stage 1: a non-zero num means the previous call stopped mid-block. */
    if ((chunk = EVP_CIPHER_CTX_num(ctx))) {   /* borrow chunk variable */
        unsigned char *ivp = EVP_CIPHER_CTX_iv_noconst(ctx);

        /*
         * Bounds check before chunk is used to index ivp[].  chunk is a
         * size_t, so a negative num would show up as a huge value and be
         * rejected here as well.
         */
        if (chunk >= AES_BLOCK_SIZE)
            return 0;           /* bogus value */

        /*
         * In both directions the ciphertext byte is what ends up in ivp[].
         * The decrypt loop reads the input byte into c before writing the
         * output, so the ciphertext byte is kept even if out_arg and in_arg
         * point at the same buffer.
         */
        if (EVP_CIPHER_CTX_encrypting(ctx))
            while (chunk < AES_BLOCK_SIZE && nbytes != 0) {
                ivp[chunk] = *(out_arg++) = *(in_arg++) ^ ivp[chunk];
                chunk++, nbytes--;
        } else
            while (chunk < AES_BLOCK_SIZE && nbytes != 0) {
                unsigned char c = *(in_arg++);
                *(out_arg++) = c ^ ivp[chunk];
                ivp[chunk++] = c, nbytes--;
            }

        /* Wraps to 0 once the pending block has been completed. */
        EVP_CIPHER_CTX_set_num(ctx, chunk % AES_BLOCK_SIZE);
    }

    if (nbytes == 0)
        return 1;

    /* The assembler routines work on the IV held in the aligned cipher data. */
    memcpy(cdata->iv, EVP_CIPHER_CTX_iv(ctx), AES_BLOCK_SIZE);

    /* Stage 2: all whole blocks in one call; chunk is 0 when there are none. */
    if ((chunk = nbytes & ~(AES_BLOCK_SIZE - 1))) {
        if (!padlock_cfb_encrypt(out_arg, in_arg, cdata, chunk))
            return 0;
        nbytes -= chunk;
    }

    /* Stage 3: fewer than AES_BLOCK_SIZE bytes remain. */
    if (nbytes) {
        unsigned char *ivp = cdata->iv;

        /* Skip what stage 2 processed (chunk is 0 if it processed nothing). */
        out_arg += chunk;
        in_arg += chunk;
        EVP_CIPHER_CTX_set_num(ctx, nbytes);
        if (cdata->cword.b.encdec) {
            /*
             * The direction bit is cleared for the single-block operation on
             * the IV and restored afterwards, with a key reload around each
             * change.  Presumably encdec == 1 selects decryption, which CFB
             * must not use for keystream generation - confirm against
             * padlock_aes_init_key().
             */
            cdata->cword.b.encdec = 0;
            padlock_reload_key();
            padlock_aes_block(ivp, ivp, cdata);
            cdata->cword.b.encdec = 1;
            padlock_reload_key();
            while (nbytes) {
                unsigned char c = *(in_arg++);
                *(out_arg++) = c ^ *ivp;
                *(ivp++) = c, nbytes--;
            }
        } else {
            padlock_reload_key();
            padlock_aes_block(ivp, ivp, cdata);
            padlock_reload_key();
            while (nbytes) {
                *ivp = *(out_arg++) = *(in_arg++) ^ *ivp;
                ivp++, nbytes--;
            }
        }
    }

    /* Publish the updated IV for the next call. */
    memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), cdata->iv, AES_BLOCK_SIZE);

    return 1;
}
    388      1.1  christos 
/*
 * AES-OFB do_cipher handler; accepts any byte length.
 *
 * Same three stages as the CFB handler: use up keystream bytes left over
 * from the previous call (offset kept in the context's `num`), run all whole
 * blocks through padlock_ofb_encrypt(), then generate one more keystream
 * block for a trailing partial block and record how much of it was used.
 * The same code path serves encryption and decryption.
 *
 * Returns 1 on success.  Returns 0 if `num` is out of range or if
 * padlock_ofb_encrypt() reports failure; in the latter case the IV in the
 * EVP context is not updated.
 */
static int
padlock_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
                   const unsigned char *in_arg, size_t nbytes)
{
    struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
    size_t chunk;

    /*
     * ctx->num is maintained in byte-oriented modes, such as CFB and OFB...
     */
    if ((chunk = EVP_CIPHER_CTX_num(ctx))) {   /* borrow chunk variable */
        unsigned char *ivp = EVP_CIPHER_CTX_iv_noconst(ctx);

        /*
         * Bounds check before chunk is used to index ivp[].  chunk is a
         * size_t, so a negative num would show up as a huge value and be
         * rejected here as well.
         */
        if (chunk >= AES_BLOCK_SIZE)
            return 0;           /* bogus value */

        /* ivp[] is only read here: the keystream does not depend on the data. */
        while (chunk < AES_BLOCK_SIZE && nbytes != 0) {
            *(out_arg++) = *(in_arg++) ^ ivp[chunk];
            chunk++, nbytes--;
        }

        /* Wraps to 0 once the pending keystream block has been used up. */
        EVP_CIPHER_CTX_set_num(ctx, chunk % AES_BLOCK_SIZE);
    }

    if (nbytes == 0)
        return 1;

    /* The assembler routines work on the IV held in the aligned cipher data. */
    memcpy(cdata->iv, EVP_CIPHER_CTX_iv(ctx), AES_BLOCK_SIZE);

    /* All whole blocks in one call; chunk is 0 when there are none. */
    if ((chunk = nbytes & ~(AES_BLOCK_SIZE - 1))) {
        if (!padlock_ofb_encrypt(out_arg, in_arg, cdata, chunk))
            return 0;
        nbytes -= chunk;
    }

    /* Fewer than AES_BLOCK_SIZE bytes remain. */
    if (nbytes) {
        unsigned char *ivp = cdata->iv;

        /* Skip what the bulk call processed (chunk is 0 if there was none). */
        out_arg += chunk;
        in_arg += chunk;
        EVP_CIPHER_CTX_set_num(ctx, nbytes);
        padlock_reload_key();   /* empirically found */
        padlock_aes_block(ivp, ivp, cdata);
        padlock_reload_key();   /* empirically found */
        while (nbytes) {
            *(out_arg++) = *(in_arg++) ^ *ivp;
            ivp++, nbytes--;
        }
    }

    /* Publish the updated IV / keystream block for the next call. */
    memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), cdata->iv, AES_BLOCK_SIZE);

    return 1;
}
    443      1.1  christos 
/*
 * Adapter handed to CRYPTO_ctr128_encrypt_ctr32(): loads the counter block
 * `ivec` into the cipher data and processes `blocks` whole AES blocks from
 * `in` to `out`.
 *
 * The function is void, so the return value of padlock_ctr32_encrypt() is
 * dropped and a failure there is not reported to the caller.
 */
static void padlock_ctr32_encrypt_glue(const unsigned char *in,
                                       unsigned char *out, size_t blocks,
                                       struct padlock_cipher_data *ctx,
                                       const unsigned char *ivec)
{
    size_t nbytes = AES_BLOCK_SIZE * blocks;

    memcpy(ctx->iv, ivec, AES_BLOCK_SIZE);
    padlock_ctr32_encrypt(out, in, ctx, nbytes);
}
    452      1.1  christos 
/*
 * AES-CTR do_cipher handler.
 *
 * Counter handling and partial-block buffering are delegated to
 * CRYPTO_ctr128_encrypt_ctr32(), with padlock_ctr32_encrypt_glue() doing the
 * whole-block work.  The position inside the current keystream block is read
 * from and written back to the context's `num`.  Always returns 1.
 *
 * NOTE(review): the glue function is called through a cast to ctr128_f, and
 * its key parameter is declared as struct padlock_cipher_data * - this
 * relies on the two function types being call-compatible on the target ABI.
 */
static int
padlock_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
                   const unsigned char *in_arg, size_t nbytes)
{
    unsigned int num = EVP_CIPHER_CTX_num(ctx);
    unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
    unsigned char *ecount = EVP_CIPHER_CTX_buf_noconst(ctx);
    struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);

    CRYPTO_ctr128_encrypt_ctr32(in_arg, out_arg, nbytes,
                                cdata, ivec, ecount, &num,
                                (ctr128_f) padlock_ctr32_encrypt_glue);

    EVP_CIPHER_CTX_set_num(ctx, (size_t)num);
    return 1;
}
    468  1.1.1.2  christos 
/*
 * Block sizes registered with EVP for each mode.  OFB, CFB and CTR register
 * 1, and their handlers in this file are written to accept byte lengths that
 * are not a multiple of AES_BLOCK_SIZE.
 */
#   define EVP_CIPHER_block_size_ECB       AES_BLOCK_SIZE
#   define EVP_CIPHER_block_size_CBC       AES_BLOCK_SIZE
#   define EVP_CIPHER_block_size_OFB       1
#   define EVP_CIPHER_block_size_CFB       1
#   define EVP_CIPHER_block_size_CTR       1

/*
 * Declaring so many ciphers by hand would be a pain. Instead introduce a bit
 * of preprocessor magic :-)
 *
 * DECLARE_AES_EVP(ksize, lmode, umode) defines a cached EVP_CIPHER pointer
 * and an accessor padlock_aes_<ksize>_<lmode>() that builds the method on
 * first use: NID, block size, key size, a 16-byte IV, the mode flag, the
 * shared init function, the per-mode do_cipher handler and the ASN.1 IV
 * helpers.  If any step fails the half-built method is freed, the cache is
 * reset and the accessor returns NULL.
 *
 * The implementation context size is sizeof(struct padlock_cipher_data) + 16
 * so that ALIGNED_CIPHER_DATA() can round the pointer up to a 16-byte
 * boundary and still stay inside the allocation.
 *
 * NOTE(review): the first-use initialisation is not guarded by a lock in
 * this macro - confirm that callers cannot race on it.
 */
#   define DECLARE_AES_EVP(ksize,lmode,umode)      \
static EVP_CIPHER *_hidden_aes_##ksize##_##lmode = NULL; \
static const EVP_CIPHER *padlock_aes_##ksize##_##lmode(void) \
{                                                                       \
    if (_hidden_aes_##ksize##_##lmode == NULL                           \
        && ((_hidden_aes_##ksize##_##lmode =                            \
             EVP_CIPHER_meth_new(NID_aes_##ksize##_##lmode,             \
                                 EVP_CIPHER_block_size_##umode,         \
                                 AES_KEY_SIZE_##ksize)) == NULL         \
            || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_##ksize##_##lmode, \
                                              AES_BLOCK_SIZE)           \
            || !EVP_CIPHER_meth_set_flags(_hidden_aes_##ksize##_##lmode, \
                                          0 | EVP_CIPH_##umode##_MODE)  \
            || !EVP_CIPHER_meth_set_init(_hidden_aes_##ksize##_##lmode, \
                                         padlock_aes_init_key)          \
            || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_##ksize##_##lmode, \
                                              padlock_##lmode##_cipher) \
            || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_##ksize##_##lmode, \
                                                  sizeof(struct padlock_cipher_data) + 16) \
            || !EVP_CIPHER_meth_set_set_asn1_params(_hidden_aes_##ksize##_##lmode, \
                                                    EVP_CIPHER_set_asn1_iv) \
            || !EVP_CIPHER_meth_set_get_asn1_params(_hidden_aes_##ksize##_##lmode, \
                                                    EVP_CIPHER_get_asn1_iv))) { \
        EVP_CIPHER_meth_free(_hidden_aes_##ksize##_##lmode);            \
        _hidden_aes_##ksize##_##lmode = NULL;                           \
    }                                                                   \
    return _hidden_aes_##ksize##_##lmode;                               \
}
    507  1.1.1.2  christos 
/*
 * One accessor per key size and mode.  This set mirrors padlock_cipher_nids;
 * a NID listed there without an accessor here (or the reverse) would
 * advertise a cipher the engine cannot hand out.
 */
DECLARE_AES_EVP(128, ecb, ECB)
DECLARE_AES_EVP(128, cbc, CBC)
DECLARE_AES_EVP(128, cfb, CFB)
DECLARE_AES_EVP(128, ofb, OFB)
DECLARE_AES_EVP(128, ctr, CTR)

DECLARE_AES_EVP(192, ecb, ECB)
DECLARE_AES_EVP(192, cbc, CBC)
DECLARE_AES_EVP(192, cfb, CFB)
DECLARE_AES_EVP(192, ofb, OFB)
DECLARE_AES_EVP(192, ctr, CTR)

DECLARE_AES_EVP(256, ecb, ECB)
DECLARE_AES_EVP(256, cbc, CBC)
DECLARE_AES_EVP(256, cfb, CFB)
DECLARE_AES_EVP(256, ofb, OFB)
DECLARE_AES_EVP(256, ctr, CTR)
    525      1.1  christos 
/*
 * Engine cipher-selection callback.
 *
 * With cipher == NULL the caller is asking for the list of supported NIDs:
 * *nids is pointed at padlock_cipher_nids and the number of entries is
 * returned.  Otherwise *cipher is set to the implementation matching nid
 * and 1 is returned, or *cipher is set to NULL and 0 is returned when the
 * NID is not one of the AES variants handled here.  The engine handle e is
 * not used.
 *
 * NOTE(review): *nids is written without a NULL check, so a caller passing
 * cipher == NULL must supply a valid nids pointer.
 * NOTE(review): a matched NID always yields a return value of 1, even if
 * the padlock_aes_*() accessor were to hand back NULL (its definition is
 * only partly visible here) -- callers should still check *cipher.
 */
static int
padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids,
                int nid)
{
    const EVP_CIPHER *selected = NULL;
    int supported = 1;

    /* List request: hand out the NID table and its length. */
    if (cipher == NULL) {
        *nids = padlock_cipher_nids;
        return padlock_cipher_nids_num;
    }

    /* Lookup request: map the NID onto its accessor. */
    switch (nid) {
    /* AES-128 */
    case NID_aes_128_ecb:
        selected = padlock_aes_128_ecb();
        break;
    case NID_aes_128_cbc:
        selected = padlock_aes_128_cbc();
        break;
    case NID_aes_128_cfb:
        selected = padlock_aes_128_cfb();
        break;
    case NID_aes_128_ofb:
        selected = padlock_aes_128_ofb();
        break;
    case NID_aes_128_ctr:
        selected = padlock_aes_128_ctr();
        break;

    /* AES-192 */
    case NID_aes_192_ecb:
        selected = padlock_aes_192_ecb();
        break;
    case NID_aes_192_cbc:
        selected = padlock_aes_192_cbc();
        break;
    case NID_aes_192_cfb:
        selected = padlock_aes_192_cfb();
        break;
    case NID_aes_192_ofb:
        selected = padlock_aes_192_ofb();
        break;
    case NID_aes_192_ctr:
        selected = padlock_aes_192_ctr();
        break;

    /* AES-256 */
    case NID_aes_256_ecb:
        selected = padlock_aes_256_ecb();
        break;
    case NID_aes_256_cbc:
        selected = padlock_aes_256_cbc();
        break;
    case NID_aes_256_cfb:
        selected = padlock_aes_256_cfb();
        break;
    case NID_aes_256_ofb:
        selected = padlock_aes_256_ofb();
        break;
    case NID_aes_256_ctr:
        selected = padlock_aes_256_ctr();
        break;

    default:
        /* Unsupported NID: report failure with a NULL cipher. */
        supported = 0;
        break;
    }

    *cipher = selected;
    return supported;
}
    594      1.1  christos 
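/*
 * Prepare the encryption key for PadLock usage.
 *
 * Wipes the per-context PadLock state, fills in the control word (direction,
 * round count, key size, key-generation flag) and installs the key: the raw
 * 128-bit key is copied as-is, while 192/256-bit keys are expanded in
 * software first.
 *
 * ctx  cipher context; key length and mode are read from it.
 * key  raw AES key; must not be NULL.
 * iv   not used by this function.
 * enc  non-zero for encryption; selects the key schedule for ECB/CBC.
 *
 * Returns 1 on success, 0 on a NULL key, an unsupported key length, or a
 * failed software key expansion.
 */
static int
padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                     const unsigned char *iv, int enc)
{
    struct padlock_cipher_data *cdata;
    int key_len = EVP_CIPHER_CTX_key_length(ctx) * 8;
    unsigned long mode = EVP_CIPHER_CTX_mode(ctx);
    int rc;

    if (key == NULL)
        return 0;               /* ERROR */

    /* Start from a clean slate so no earlier key schedule survives. */
    cdata = ALIGNED_CIPHER_DATA(ctx);
    memset(cdata, 0, sizeof(*cdata));

    /*
     * Prepare Control word.  OFB and CTR run the block cipher in the
     * forward direction for both encryption and decryption, so encdec is
     * fixed at 0 for them.
     *
     * NOTE(review): the direction bit is taken from the context while the
     * key-schedule choice below uses the enc argument; presumably the two
     * always agree when called through EVP -- confirm.
     */
    if (mode == EVP_CIPH_OFB_MODE || mode == EVP_CIPH_CTR_MODE)
        cdata->cword.b.encdec = 0;
    else
        cdata->cword.b.encdec = (EVP_CIPHER_CTX_encrypting(ctx) == 0);
    /* 10/12/14 rounds and size code 0/1/2 for 128/192/256-bit keys. */
    cdata->cword.b.rounds = 10 + (key_len - 128) / 32;
    cdata->cword.b.ksize = (key_len - 128) / 64;

    switch (key_len) {
    case 128:
        /*
         * PadLock can generate an extended key for AES128 in hardware
         */
        memcpy(cdata->ks.rd_key, key, AES_KEY_SIZE_128);
        cdata->cword.b.keygen = 0;
        break;

    case 192:
    case 256:
        /*
         * Generate an extended AES key in software. Needed for AES192/AES256
         */
        /*
         * Well, the above applies to Stepping 8 CPUs and is listed as
         * hardware errata. They most likely will fix it at some point and
         * then a check for stepping would be due here.
         */
        if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
            && !enc)
            rc = AES_set_decrypt_key(key, key_len, &cdata->ks);
        else
            rc = AES_set_encrypt_key(key, key_len, &cdata->ks);
        if (rc != 0) {
            /*
             * Fail closed: without this check a failed expansion would
             * leave the zeroed schedule from the memset above in place and
             * still report success.
             */
            OPENSSL_cleanse(cdata, sizeof(*cdata));
            return 0;
        }
#   ifndef AES_ASM
        /*
         * OpenSSL C functions use byte-swapped extended key.
         */
        padlock_key_bswap(&cdata->ks);
#   endif
        cdata->cword.b.keygen = 1;
        break;

    default:
        /* ERROR */
        return 0;
    }

    /*
     * This is done to cover for cases when the user reuses the
     * context for a new key. The catch is that if we don't do
     * this, the cipher routines might proceed with the old key...
     */
    padlock_reload_key();

    return 1;
}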
    665      1.1  christos 
    666      1.1  christos /* ===== Random Number Generator ===== */
    667      1.1  christos /*
    668      1.1  christos  * This code is not engaged. The reason is that it does not comply
    669      1.1  christos  * with recommendations for VIA RNG usage for secure applications
    670      1.1  christos  * (posted at http://www.via.com.tw/en/viac3/c3.jsp) nor does it
    671      1.1  christos  * provide meaningful error control...
    672      1.1  christos  */
/*
 * Wrapper that provides an interface between the API and the raw PadLock
 * RNG.
 *
 * Fills output with count bytes: whole 8-byte groups are stored straight
 * into the caller's buffer, the remainder is fetched one byte at a time
 * through a local scratch word.  Returns 1 on success and 0 as soon as the
 * status word from padlock_xstore() reports a problem.
 *
 * NOTE(review): a "no data" status is retried with no upper bound, so a
 * source that never delivers would spin here.
 * NOTE(review): on a 0 return, bytes stored by earlier iterations remain in
 * output; callers must discard the buffer on failure.
 * NOTE(review): count <= 0 skips both loops and returns 1 with nothing
 * written.
 */
static int padlock_rand_bytes(unsigned char *output, int count)
{
    enum {
        XSTORE_RNG_ENABLED = 1 << 6,        /* clear => RNG disabled */
        XSTORE_FILTER_BITS = 0x1F << 10,    /* DC bias, Raw Bits, String Filter */
        XSTORE_BYTE_COUNT  = 0x1F           /* number of bytes stored */
    };
    unsigned int status, scratch, stored;

    /*
     * Bulk phase: 8 bytes per store.  The second argument (0 here, 3 in the
     * tail phase) is passed through to padlock_xstore(); presumably it
     * selects how many bytes each store yields -- confirm there.
     */
    while (count >= 8) {
        status = padlock_xstore(output, 0);
        if ((status & XSTORE_RNG_ENABLED) == 0)
            return 0;           /* RNG disabled */
        if ((status & XSTORE_FILTER_BITS) != 0)
            return 0;
        stored = status & XSTORE_BYTE_COUNT;
        if (stored == 0)
            continue;           /* no data, retry... */
        if (stored != 8)
            return 0;           /* fatal failure...  */
        output += 8;
        count -= 8;
    }

    /* Tail phase: one byte per store, copied out of the scratch word. */
    while (count > 0) {
        status = padlock_xstore(&scratch, 3);
        if ((status & XSTORE_RNG_ENABLED) == 0)
            return 0;           /* RNG disabled */
        if ((status & XSTORE_FILTER_BITS) != 0)
            return 0;
        stored = status & XSTORE_BYTE_COUNT;
        if (stored == 0)
            continue;           /* no data, retry... */
        if (stored != 1)
            return 0;           /* fatal failure...  */
        *output++ = (unsigned char)scratch;
        count--;
    }

    /* Do not leave the last random byte behind on the stack. */
    OPENSSL_cleanse(&scratch, sizeof(scratch));

    return 1;
}
    713      1.1  christos 
/*
 * Status callback required by the RAND_METHOD table.  It always answers 1
 * and does not query the hardware, so the result says nothing about
 * whether the RNG is actually enabled or delivering data.
 */
static int padlock_rand_status(void)
{
    const int always_ready = 1;

    return always_ready;
}
    719      1.1  christos 
/*
 * Prepare structure for registration.
 *
 * No seed, add or cleanup callback is provided, and the same
 * padlock_rand_bytes() routine serves both the "bytes" and "pseudorand"
 * slots.  Whether this table is ever registered is not visible in this
 * part of the file; the section header above states the RNG code is not
 * engaged.
 */
static RAND_METHOD padlock_rand = {
    NULL,                       /* seed */
    padlock_rand_bytes,         /* bytes */
    NULL,                       /* cleanup */
    NULL,                       /* add */
    padlock_rand_bytes,         /* pseudorand */
    padlock_rand_status,        /* rand status */
};
    729      1.1  christos 
    730  1.1.1.2  christos #  endif                        /* COMPILE_HW_PADLOCK */
    731  1.1.1.2  christos # endif                         /* !OPENSSL_NO_HW_PADLOCK */
    732  1.1.1.2  christos #endif                          /* !OPENSSL_NO_HW */
    733  1.1.1.2  christos 
    734  1.1.1.2  christos #if defined(OPENSSL_NO_HW) || defined(OPENSSL_NO_HW_PADLOCK) \
    735  1.1.1.2  christos         || !defined(COMPILE_HW_PADLOCK)
    736  1.1.1.2  christos # ifndef OPENSSL_NO_DYNAMIC_ENGINE
/*
 * Stub entry point for builds without PadLock support (see the enclosing
 * #if).  It registers nothing and always returns 0, which a loader is
 * expected to treat as "engine could not be bound".
 */
OPENSSL_EXPORT
    int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns);
OPENSSL_EXPORT
    int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns)
{
    /* None of the arguments is consulted in the stub. */
    (void)e;
    (void)id;
    (void)fns;

    return 0;
}

IMPLEMENT_DYNAMIC_CHECK_FN()
    746  1.1.1.2  christos # endif
    747  1.1.1.2  christos #endif