xref: /freebsd/crypto/openssl/engines/e_padlock.c (revision b077aed33b7b6aefca7b17ddb250cf521f938613)
1 /*
2  * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * This file uses the low level AES and engine functions (which are deprecated
12  * for non-internal use) in order to implement the padlock engine AES ciphers.
13  */
14 #define OPENSSL_SUPPRESS_DEPRECATED
15 
16 #include <stdio.h>
17 #include <string.h>
18 
19 #include <openssl/opensslconf.h>
20 #include <openssl/crypto.h>
21 #include <openssl/engine.h>
22 #include <openssl/evp.h>
23 #include <openssl/aes.h>
24 #include <openssl/rand.h>
25 #include <openssl/err.h>
26 #include <openssl/modes.h>
27 
28 #ifndef OPENSSL_NO_PADLOCKENG
29 
30 /*
31  * VIA PadLock AES is available *ONLY* on some x86 CPUs. Not only that it
32  * doesn't exist elsewhere, but it even can't be compiled on other platforms!
33  */
34 
35 # undef COMPILE_PADLOCKENG
36 # if defined(PADLOCK_ASM)
37 #  define COMPILE_PADLOCKENG
38 #  ifdef OPENSSL_NO_DYNAMIC_ENGINE
39 static ENGINE *ENGINE_padlock(void);
40 #  endif
41 # endif
42 
43 # ifdef OPENSSL_NO_DYNAMIC_ENGINE
44 void engine_load_padlock_int(void);
engine_load_padlock_int(void)45 void engine_load_padlock_int(void)
46 {
47 /* On non-x86 CPUs it just returns. */
48 #  ifdef COMPILE_PADLOCKENG
49     ENGINE *toadd = ENGINE_padlock();
50     if (!toadd)
51         return;
52     ERR_set_mark();
53     ENGINE_add(toadd);
54     /*
55      * If the "add" worked, it gets a structural reference. So either way, we
56      * release our just-created reference.
57      */
58     ENGINE_free(toadd);
59     /*
60      * If the "add" didn't work, it was probably a conflict because it was
61      * already added (eg. someone calling ENGINE_load_blah then calling
62      * ENGINE_load_builtin_engines() perhaps).
63      */
64     ERR_pop_to_mark();
65 #  endif
66 }
67 
68 # endif
69 
70 # ifdef COMPILE_PADLOCKENG
71 
72 /* Function for ENGINE detection and control */
73 static int padlock_available(void);
74 static int padlock_init(ENGINE *e);
75 
76 /* RNG Stuff */
77 static RAND_METHOD padlock_rand;
78 
79 /* Cipher Stuff */
80 static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
81                            const int **nids, int nid);
82 
83 /* Engine names */
84 static const char *padlock_id = "padlock";
85 static char padlock_name[100];
86 
87 /* Available features */
88 static int padlock_use_ace = 0; /* Advanced Cryptography Engine */
89 static int padlock_use_rng = 0; /* Random Number Generator */
90 
91 /* ===== Engine "management" functions ===== */
92 
93 /* Prepare the ENGINE structure for registration */
padlock_bind_helper(ENGINE * e)94 static int padlock_bind_helper(ENGINE *e)
95 {
96     /* Check available features */
97     padlock_available();
98 
99     /*
100      * RNG is currently disabled for reasons discussed in commentary just
101      * before padlock_rand_bytes function.
102      */
103     padlock_use_rng = 0;
104 
105     /* Generate a nice engine name with available features */
106     BIO_snprintf(padlock_name, sizeof(padlock_name),
107                  "VIA PadLock (%s, %s)",
108                  padlock_use_rng ? "RNG" : "no-RNG",
109                  padlock_use_ace ? "ACE" : "no-ACE");
110 
111     /* Register everything or return with an error */
112     if (!ENGINE_set_id(e, padlock_id) ||
113         !ENGINE_set_name(e, padlock_name) ||
114         !ENGINE_set_init_function(e, padlock_init) ||
115         (padlock_use_ace && !ENGINE_set_ciphers(e, padlock_ciphers)) ||
116         (padlock_use_rng && !ENGINE_set_RAND(e, &padlock_rand))) {
117         return 0;
118     }
119 
120     /* Everything looks good */
121     return 1;
122 }
123 
124 #  ifdef OPENSSL_NO_DYNAMIC_ENGINE
125 /* Constructor */
ENGINE_padlock(void)126 static ENGINE *ENGINE_padlock(void)
127 {
128     ENGINE *eng = ENGINE_new();
129 
130     if (eng == NULL) {
131         return NULL;
132     }
133 
134     if (!padlock_bind_helper(eng)) {
135         ENGINE_free(eng);
136         return NULL;
137     }
138 
139     return eng;
140 }
141 #  endif
142 
143 /* Check availability of the engine */
padlock_init(ENGINE * e)144 static int padlock_init(ENGINE *e)
145 {
146     return (padlock_use_rng || padlock_use_ace);
147 }
148 
149 #  ifndef AES_ASM
150 static int padlock_aes_set_encrypt_key(const unsigned char *userKey,
151                                        const int bits,
152                                        AES_KEY *key);
153 static int padlock_aes_set_decrypt_key(const unsigned char *userKey,
154                                        const int bits,
155                                        AES_KEY *key);
156 #   define AES_ASM
157 #   define AES_set_encrypt_key padlock_aes_set_encrypt_key
158 #   define AES_set_decrypt_key padlock_aes_set_decrypt_key
159 #   include "../crypto/aes/aes_core.c"
160 #  endif
161 
162 /*
163  * This stuff is needed if this ENGINE is being compiled into a
164  * self-contained shared-library.
165  */
166 #  ifndef OPENSSL_NO_DYNAMIC_ENGINE
padlock_bind_fn(ENGINE * e,const char * id)167 static int padlock_bind_fn(ENGINE *e, const char *id)
168 {
169     if (id && (strcmp(id, padlock_id) != 0)) {
170         return 0;
171     }
172 
173     if (!padlock_bind_helper(e)) {
174         return 0;
175     }
176 
177     return 1;
178 }
179 
180 IMPLEMENT_DYNAMIC_CHECK_FN()
181 IMPLEMENT_DYNAMIC_BIND_FN(padlock_bind_fn)
182 #  endif                       /* !OPENSSL_NO_DYNAMIC_ENGINE */
183 /* ===== Here comes the "real" engine ===== */
184 
185 /* Some AES-related constants */
186 #  define AES_BLOCK_SIZE          16
187 #  define AES_KEY_SIZE_128        16
188 #  define AES_KEY_SIZE_192        24
189 #  define AES_KEY_SIZE_256        32
190     /*
191      * Here we store the status information relevant to the current context.
192      */
193     /*
194      * BIG FAT WARNING: Inline assembler in PADLOCK_XCRYPT_ASM() depends on
195      * the order of items in this structure.  Don't blindly modify, reorder,
196      * etc!
197      */
198 struct padlock_cipher_data {
199     unsigned char iv[AES_BLOCK_SIZE]; /* Initialization vector */
200     union {
201         unsigned int pad[4];
202         struct {
203             int rounds:4;
204             int dgst:1;         /* n/a in C3 */
205             int align:1;        /* n/a in C3 */
206             int ciphr:1;        /* n/a in C3 */
207             unsigned int keygen:1;
208             int interm:1;
209             unsigned int encdec:1;
210             int ksize:2;
211         } b;
212     } cword;                    /* Control word */
213     AES_KEY ks;                 /* Encryption key */
214 };
215 
216 /* Interface to assembler module */
217 unsigned int padlock_capability(void);
218 void padlock_key_bswap(AES_KEY *key);
219 void padlock_verify_context(struct padlock_cipher_data *ctx);
220 void padlock_reload_key(void);
221 void padlock_aes_block(void *out, const void *inp,
222                        struct padlock_cipher_data *ctx);
223 int padlock_ecb_encrypt(void *out, const void *inp,
224                         struct padlock_cipher_data *ctx, size_t len);
225 int padlock_cbc_encrypt(void *out, const void *inp,
226                         struct padlock_cipher_data *ctx, size_t len);
227 int padlock_cfb_encrypt(void *out, const void *inp,
228                         struct padlock_cipher_data *ctx, size_t len);
229 int padlock_ofb_encrypt(void *out, const void *inp,
230                         struct padlock_cipher_data *ctx, size_t len);
231 int padlock_ctr32_encrypt(void *out, const void *inp,
232                           struct padlock_cipher_data *ctx, size_t len);
233 int padlock_xstore(void *out, int edx);
234 void padlock_sha1_oneshot(void *ctx, const void *inp, size_t len);
235 void padlock_sha1(void *ctx, const void *inp, size_t len);
236 void padlock_sha256_oneshot(void *ctx, const void *inp, size_t len);
237 void padlock_sha256(void *ctx, const void *inp, size_t len);
238 
239 /*
240  * Load supported features of the CPU to see if the PadLock is available.
241  */
padlock_available(void)242 static int padlock_available(void)
243 {
244     unsigned int edx = padlock_capability();
245 
246     /* Fill up some flags */
247     padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
248     padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
249 
250     return padlock_use_ace + padlock_use_rng;
251 }
252 
253 /* ===== AES encryption/decryption ===== */
254 
255 #  if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
256 #   define NID_aes_128_cfb NID_aes_128_cfb128
257 #  endif
258 
259 #  if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
260 #   define NID_aes_128_ofb NID_aes_128_ofb128
261 #  endif
262 
263 #  if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
264 #   define NID_aes_192_cfb NID_aes_192_cfb128
265 #  endif
266 
267 #  if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
268 #   define NID_aes_192_ofb NID_aes_192_ofb128
269 #  endif
270 
271 #  if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
272 #   define NID_aes_256_cfb NID_aes_256_cfb128
273 #  endif
274 
275 #  if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
276 #   define NID_aes_256_ofb NID_aes_256_ofb128
277 #  endif
278 
279 /* List of supported ciphers. */
280 static const int padlock_cipher_nids[] = {
281     NID_aes_128_ecb,
282     NID_aes_128_cbc,
283     NID_aes_128_cfb,
284     NID_aes_128_ofb,
285     NID_aes_128_ctr,
286 
287     NID_aes_192_ecb,
288     NID_aes_192_cbc,
289     NID_aes_192_cfb,
290     NID_aes_192_ofb,
291     NID_aes_192_ctr,
292 
293     NID_aes_256_ecb,
294     NID_aes_256_cbc,
295     NID_aes_256_cfb,
296     NID_aes_256_ofb,
297     NID_aes_256_ctr
298 };
299 
300 static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids) /
301                                       sizeof(padlock_cipher_nids[0]));
302 
303 /* Function prototypes ... */
304 static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
305                                 const unsigned char *iv, int enc);
306 
307 #  define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) +         \
308         ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F )      )
309 #  define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
310         NEAREST_ALIGNED(EVP_CIPHER_CTX_get_cipher_data(ctx)))
311 
312 static int
padlock_ecb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out_arg,const unsigned char * in_arg,size_t nbytes)313 padlock_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
314                    const unsigned char *in_arg, size_t nbytes)
315 {
316     return padlock_ecb_encrypt(out_arg, in_arg,
317                                ALIGNED_CIPHER_DATA(ctx), nbytes);
318 }
319 
320 static int
padlock_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out_arg,const unsigned char * in_arg,size_t nbytes)321 padlock_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
322                    const unsigned char *in_arg, size_t nbytes)
323 {
324     struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
325     int ret;
326 
327     memcpy(cdata->iv, EVP_CIPHER_CTX_iv(ctx), AES_BLOCK_SIZE);
328     if ((ret = padlock_cbc_encrypt(out_arg, in_arg, cdata, nbytes)))
329         memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), cdata->iv, AES_BLOCK_SIZE);
330     return ret;
331 }
332 
333 static int
padlock_cfb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out_arg,const unsigned char * in_arg,size_t nbytes)334 padlock_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
335                    const unsigned char *in_arg, size_t nbytes)
336 {
337     struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
338     size_t chunk;
339 
340     if ((chunk = EVP_CIPHER_CTX_get_num(ctx))) {   /* borrow chunk variable */
341         unsigned char *ivp = EVP_CIPHER_CTX_iv_noconst(ctx);
342 
343         if (chunk >= AES_BLOCK_SIZE)
344             return 0;           /* bogus value */
345 
346         if (EVP_CIPHER_CTX_is_encrypting(ctx))
347             while (chunk < AES_BLOCK_SIZE && nbytes != 0) {
348                 ivp[chunk] = *(out_arg++) = *(in_arg++) ^ ivp[chunk];
349                 chunk++, nbytes--;
350         } else
351             while (chunk < AES_BLOCK_SIZE && nbytes != 0) {
352                 unsigned char c = *(in_arg++);
353                 *(out_arg++) = c ^ ivp[chunk];
354                 ivp[chunk++] = c, nbytes--;
355             }
356 
357         EVP_CIPHER_CTX_set_num(ctx, chunk % AES_BLOCK_SIZE);
358     }
359 
360     if (nbytes == 0)
361         return 1;
362 
363     memcpy(cdata->iv, EVP_CIPHER_CTX_iv(ctx), AES_BLOCK_SIZE);
364 
365     if ((chunk = nbytes & ~(AES_BLOCK_SIZE - 1))) {
366         if (!padlock_cfb_encrypt(out_arg, in_arg, cdata, chunk))
367             return 0;
368         nbytes -= chunk;
369     }
370 
371     if (nbytes) {
372         unsigned char *ivp = cdata->iv;
373 
374         out_arg += chunk;
375         in_arg += chunk;
376         EVP_CIPHER_CTX_set_num(ctx, nbytes);
377         if (cdata->cword.b.encdec) {
378             cdata->cword.b.encdec = 0;
379             padlock_reload_key();
380             padlock_aes_block(ivp, ivp, cdata);
381             cdata->cword.b.encdec = 1;
382             padlock_reload_key();
383             while (nbytes) {
384                 unsigned char c = *(in_arg++);
385                 *(out_arg++) = c ^ *ivp;
386                 *(ivp++) = c, nbytes--;
387             }
388         } else {
389             padlock_reload_key();
390             padlock_aes_block(ivp, ivp, cdata);
391             padlock_reload_key();
392             while (nbytes) {
393                 *ivp = *(out_arg++) = *(in_arg++) ^ *ivp;
394                 ivp++, nbytes--;
395             }
396         }
397     }
398 
399     memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), cdata->iv, AES_BLOCK_SIZE);
400 
401     return 1;
402 }
403 
404 static int
padlock_ofb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out_arg,const unsigned char * in_arg,size_t nbytes)405 padlock_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
406                    const unsigned char *in_arg, size_t nbytes)
407 {
408     struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
409     size_t chunk;
410 
411     /*
412      * ctx->num is maintained in byte-oriented modes, such as CFB and OFB...
413      */
414     if ((chunk = EVP_CIPHER_CTX_get_num(ctx))) {   /* borrow chunk variable */
415         unsigned char *ivp = EVP_CIPHER_CTX_iv_noconst(ctx);
416 
417         if (chunk >= AES_BLOCK_SIZE)
418             return 0;           /* bogus value */
419 
420         while (chunk < AES_BLOCK_SIZE && nbytes != 0) {
421             *(out_arg++) = *(in_arg++) ^ ivp[chunk];
422             chunk++, nbytes--;
423         }
424 
425         EVP_CIPHER_CTX_set_num(ctx, chunk % AES_BLOCK_SIZE);
426     }
427 
428     if (nbytes == 0)
429         return 1;
430 
431     memcpy(cdata->iv, EVP_CIPHER_CTX_iv(ctx), AES_BLOCK_SIZE);
432 
433     if ((chunk = nbytes & ~(AES_BLOCK_SIZE - 1))) {
434         if (!padlock_ofb_encrypt(out_arg, in_arg, cdata, chunk))
435             return 0;
436         nbytes -= chunk;
437     }
438 
439     if (nbytes) {
440         unsigned char *ivp = cdata->iv;
441 
442         out_arg += chunk;
443         in_arg += chunk;
444         EVP_CIPHER_CTX_set_num(ctx, nbytes);
445         padlock_reload_key();   /* empirically found */
446         padlock_aes_block(ivp, ivp, cdata);
447         padlock_reload_key();   /* empirically found */
448         while (nbytes) {
449             *(out_arg++) = *(in_arg++) ^ *ivp;
450             ivp++, nbytes--;
451         }
452     }
453 
454     memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), cdata->iv, AES_BLOCK_SIZE);
455 
456     return 1;
457 }
458 
padlock_ctr32_encrypt_glue(const unsigned char * in,unsigned char * out,size_t blocks,struct padlock_cipher_data * ctx,const unsigned char * ivec)459 static void padlock_ctr32_encrypt_glue(const unsigned char *in,
460                                        unsigned char *out, size_t blocks,
461                                        struct padlock_cipher_data *ctx,
462                                        const unsigned char *ivec)
463 {
464     memcpy(ctx->iv, ivec, AES_BLOCK_SIZE);
465     padlock_ctr32_encrypt(out, in, ctx, AES_BLOCK_SIZE * blocks);
466 }
467 
468 static int
padlock_ctr_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out_arg,const unsigned char * in_arg,size_t nbytes)469 padlock_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
470                    const unsigned char *in_arg, size_t nbytes)
471 {
472     struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
473     int n = EVP_CIPHER_CTX_get_num(ctx);
474     unsigned int num;
475 
476     if (n < 0)
477         return 0;
478     num = (unsigned int)n;
479 
480     CRYPTO_ctr128_encrypt_ctr32(in_arg, out_arg, nbytes,
481                                 cdata, EVP_CIPHER_CTX_iv_noconst(ctx),
482                                 EVP_CIPHER_CTX_buf_noconst(ctx), &num,
483                                 (ctr128_f) padlock_ctr32_encrypt_glue);
484 
485     EVP_CIPHER_CTX_set_num(ctx, (size_t)num);
486     return 1;
487 }
488 
489 #  define EVP_CIPHER_block_size_ECB       AES_BLOCK_SIZE
490 #  define EVP_CIPHER_block_size_CBC       AES_BLOCK_SIZE
491 #  define EVP_CIPHER_block_size_OFB       1
492 #  define EVP_CIPHER_block_size_CFB       1
493 #  define EVP_CIPHER_block_size_CTR       1
494 
495 /*
496  * Declaring so many ciphers by hand would be a pain. Instead introduce a bit
497  * of preprocessor magic :-)
498  */
499 #  define DECLARE_AES_EVP(ksize,lmode,umode)      \
500 static EVP_CIPHER *_hidden_aes_##ksize##_##lmode = NULL; \
501 static const EVP_CIPHER *padlock_aes_##ksize##_##lmode(void) \
502 {                                                                       \
503     if (_hidden_aes_##ksize##_##lmode == NULL                           \
504         && ((_hidden_aes_##ksize##_##lmode =                            \
505              EVP_CIPHER_meth_new(NID_aes_##ksize##_##lmode,             \
506                                  EVP_CIPHER_block_size_##umode,         \
507                                  AES_KEY_SIZE_##ksize)) == NULL         \
508             || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_##ksize##_##lmode, \
509                                               AES_BLOCK_SIZE)           \
510             || !EVP_CIPHER_meth_set_flags(_hidden_aes_##ksize##_##lmode, \
511                                           0 | EVP_CIPH_##umode##_MODE)  \
512             || !EVP_CIPHER_meth_set_init(_hidden_aes_##ksize##_##lmode, \
513                                          padlock_aes_init_key)          \
514             || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_##ksize##_##lmode, \
515                                               padlock_##lmode##_cipher) \
516             || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_##ksize##_##lmode, \
517                                                   sizeof(struct padlock_cipher_data) + 16) \
518             || !EVP_CIPHER_meth_set_set_asn1_params(_hidden_aes_##ksize##_##lmode, \
519                                                     EVP_CIPHER_set_asn1_iv) \
520             || !EVP_CIPHER_meth_set_get_asn1_params(_hidden_aes_##ksize##_##lmode, \
521                                                     EVP_CIPHER_get_asn1_iv))) { \
522         EVP_CIPHER_meth_free(_hidden_aes_##ksize##_##lmode);            \
523         _hidden_aes_##ksize##_##lmode = NULL;                           \
524     }                                                                   \
525     return _hidden_aes_##ksize##_##lmode;                               \
526 }
527 
528 DECLARE_AES_EVP(128, ecb, ECB)
529 DECLARE_AES_EVP(128, cbc, CBC)
530 DECLARE_AES_EVP(128, cfb, CFB)
531 DECLARE_AES_EVP(128, ofb, OFB)
532 DECLARE_AES_EVP(128, ctr, CTR)
533 
534 DECLARE_AES_EVP(192, ecb, ECB)
535 DECLARE_AES_EVP(192, cbc, CBC)
536 DECLARE_AES_EVP(192, cfb, CFB)
537 DECLARE_AES_EVP(192, ofb, OFB)
538 DECLARE_AES_EVP(192, ctr, CTR)
539 
540 DECLARE_AES_EVP(256, ecb, ECB)
541 DECLARE_AES_EVP(256, cbc, CBC)
542 DECLARE_AES_EVP(256, cfb, CFB)
543 DECLARE_AES_EVP(256, ofb, OFB)
544 DECLARE_AES_EVP(256, ctr, CTR)
545 
546 static int
padlock_ciphers(ENGINE * e,const EVP_CIPHER ** cipher,const int ** nids,int nid)547 padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids,
548                 int nid)
549 {
550     /* No specific cipher => return a list of supported nids ... */
551     if (!cipher) {
552         *nids = padlock_cipher_nids;
553         return padlock_cipher_nids_num;
554     }
555 
556     /* ... or the requested "cipher" otherwise */
557     switch (nid) {
558     case NID_aes_128_ecb:
559         *cipher = padlock_aes_128_ecb();
560         break;
561     case NID_aes_128_cbc:
562         *cipher = padlock_aes_128_cbc();
563         break;
564     case NID_aes_128_cfb:
565         *cipher = padlock_aes_128_cfb();
566         break;
567     case NID_aes_128_ofb:
568         *cipher = padlock_aes_128_ofb();
569         break;
570     case NID_aes_128_ctr:
571         *cipher = padlock_aes_128_ctr();
572         break;
573 
574     case NID_aes_192_ecb:
575         *cipher = padlock_aes_192_ecb();
576         break;
577     case NID_aes_192_cbc:
578         *cipher = padlock_aes_192_cbc();
579         break;
580     case NID_aes_192_cfb:
581         *cipher = padlock_aes_192_cfb();
582         break;
583     case NID_aes_192_ofb:
584         *cipher = padlock_aes_192_ofb();
585         break;
586     case NID_aes_192_ctr:
587         *cipher = padlock_aes_192_ctr();
588         break;
589 
590     case NID_aes_256_ecb:
591         *cipher = padlock_aes_256_ecb();
592         break;
593     case NID_aes_256_cbc:
594         *cipher = padlock_aes_256_cbc();
595         break;
596     case NID_aes_256_cfb:
597         *cipher = padlock_aes_256_cfb();
598         break;
599     case NID_aes_256_ofb:
600         *cipher = padlock_aes_256_ofb();
601         break;
602     case NID_aes_256_ctr:
603         *cipher = padlock_aes_256_ctr();
604         break;
605 
606     default:
607         /* Sorry, we don't support this NID */
608         *cipher = NULL;
609         return 0;
610     }
611 
612     return 1;
613 }
614 
615 /* Prepare the encryption key for PadLock usage */
616 static int
padlock_aes_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)617 padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
618                      const unsigned char *iv, int enc)
619 {
620     struct padlock_cipher_data *cdata;
621     int key_len = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
622     unsigned long mode = EVP_CIPHER_CTX_get_mode(ctx);
623 
624     if (key == NULL)
625         return 0;               /* ERROR */
626 
627     cdata = ALIGNED_CIPHER_DATA(ctx);
628     memset(cdata, 0, sizeof(*cdata));
629 
630     /* Prepare Control word. */
631     if (mode == EVP_CIPH_OFB_MODE || mode == EVP_CIPH_CTR_MODE)
632         cdata->cword.b.encdec = 0;
633     else
634         cdata->cword.b.encdec = (EVP_CIPHER_CTX_is_encrypting(ctx) == 0);
635     cdata->cword.b.rounds = 10 + (key_len - 128) / 32;
636     cdata->cword.b.ksize = (key_len - 128) / 64;
637 
638     switch (key_len) {
639     case 128:
640         /*
641          * PadLock can generate an extended key for AES128 in hardware
642          */
643         memcpy(cdata->ks.rd_key, key, AES_KEY_SIZE_128);
644         cdata->cword.b.keygen = 0;
645         break;
646 
647     case 192:
648     case 256:
649         /*
650          * Generate an extended AES key in software. Needed for AES192/AES256
651          */
652         /*
653          * Well, the above applies to Stepping 8 CPUs and is listed as
654          * hardware errata. They most likely will fix it at some point and
655          * then a check for stepping would be due here.
656          */
657         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
658             && !enc)
659             AES_set_decrypt_key(key, key_len, &cdata->ks);
660         else
661             AES_set_encrypt_key(key, key_len, &cdata->ks);
662         /*
663          * OpenSSL C functions use byte-swapped extended key.
664          */
665         padlock_key_bswap(&cdata->ks);
666         cdata->cword.b.keygen = 1;
667         break;
668 
669     default:
670         /* ERROR */
671         return 0;
672     }
673 
674     /*
675      * This is done to cover for cases when user reuses the
676      * context for new key. The catch is that if we don't do
677      * this, padlock_eas_cipher might proceed with old key...
678      */
679     padlock_reload_key();
680 
681     return 1;
682 }
683 
684 /* ===== Random Number Generator ===== */
685 /*
686  * This code is not engaged. The reason is that it does not comply
687  * with recommendations for VIA RNG usage for secure applications
688  * (posted at http://www.via.com.tw/en/viac3/c3.jsp) nor does it
689  * provide meaningful error control...
690  */
691 /*
692  * Wrapper that provides an interface between the API and the raw PadLock
693  * RNG
694  */
padlock_rand_bytes(unsigned char * output,int count)695 static int padlock_rand_bytes(unsigned char *output, int count)
696 {
697     unsigned int eax, buf;
698 
699     while (count >= 8) {
700         eax = padlock_xstore(output, 0);
701         if (!(eax & (1 << 6)))
702             return 0;           /* RNG disabled */
703         /* this ---vv--- covers DC bias, Raw Bits and String Filter */
704         if (eax & (0x1F << 10))
705             return 0;
706         if ((eax & 0x1F) == 0)
707             continue;           /* no data, retry... */
708         if ((eax & 0x1F) != 8)
709             return 0;           /* fatal failure...  */
710         output += 8;
711         count -= 8;
712     }
713     while (count > 0) {
714         eax = padlock_xstore(&buf, 3);
715         if (!(eax & (1 << 6)))
716             return 0;           /* RNG disabled */
717         /* this ---vv--- covers DC bias, Raw Bits and String Filter */
718         if (eax & (0x1F << 10))
719             return 0;
720         if ((eax & 0x1F) == 0)
721             continue;           /* no data, retry... */
722         if ((eax & 0x1F) != 1)
723             return 0;           /* fatal failure...  */
724         *output++ = (unsigned char)buf;
725         count--;
726     }
727     OPENSSL_cleanse(&buf, sizeof(buf));
728 
729     return 1;
730 }
731 
732 /* Dummy but necessary function */
padlock_rand_status(void)733 static int padlock_rand_status(void)
734 {
735     return 1;
736 }
737 
738 /* Prepare structure for registration */
739 static RAND_METHOD padlock_rand = {
740     NULL,                       /* seed */
741     padlock_rand_bytes,         /* bytes */
742     NULL,                       /* cleanup */
743     NULL,                       /* add */
744     padlock_rand_bytes,         /* pseudorand */
745     padlock_rand_status,        /* rand status */
746 };
747 
748 # endif                        /* COMPILE_PADLOCKENG */
749 #endif                         /* !OPENSSL_NO_PADLOCKENG */
750 
751 #if defined(OPENSSL_NO_PADLOCKENG) || !defined(COMPILE_PADLOCKENG)
752 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
753 OPENSSL_EXPORT
754     int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns);
755 OPENSSL_EXPORT
bind_engine(ENGINE * e,const char * id,const dynamic_fns * fns)756     int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns)
757 {
758     return 0;
759 }
760 
761 IMPLEMENT_DYNAMIC_CHECK_FN()
762 # endif
763 #endif
764