1 /* 2 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <string.h> 12 13 #include <openssl/opensslconf.h> 14 #include <openssl/crypto.h> 15 #include <openssl/engine.h> 16 #include <openssl/evp.h> 17 #include <openssl/aes.h> 18 #include <openssl/rand.h> 19 #include <openssl/err.h> 20 #include <openssl/modes.h> 21 22 #ifndef OPENSSL_NO_HW 23 # ifndef OPENSSL_NO_HW_PADLOCK 24 25 /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */ 26 # if (OPENSSL_VERSION_NUMBER >= 0x00908000L) 27 # ifndef OPENSSL_NO_DYNAMIC_ENGINE 28 # define DYNAMIC_ENGINE 29 # endif 30 # elif (OPENSSL_VERSION_NUMBER >= 0x00907000L) 31 # ifdef ENGINE_DYNAMIC_SUPPORT 32 # define DYNAMIC_ENGINE 33 # endif 34 # else 35 # error "Only OpenSSL >= 0.9.7 is supported" 36 # endif 37 38 /* 39 * VIA PadLock AES is available *ONLY* on some x86 CPUs. Not only that it 40 * doesn't exist elsewhere, but it even can't be compiled on other platforms! 41 */ 42 43 # undef COMPILE_HW_PADLOCK 44 # if defined(PADLOCK_ASM) 45 # define COMPILE_HW_PADLOCK 46 # ifdef OPENSSL_NO_DYNAMIC_ENGINE 47 static ENGINE *ENGINE_padlock(void); 48 # endif 49 # endif 50 51 # ifdef OPENSSL_NO_DYNAMIC_ENGINE 52 void engine_load_padlock_int(void); 53 void engine_load_padlock_int(void) 54 { 55 /* On non-x86 CPUs it just returns. */ 56 # ifdef COMPILE_HW_PADLOCK 57 ENGINE *toadd = ENGINE_padlock(); 58 if (!toadd) 59 return; 60 ENGINE_add(toadd); 61 ENGINE_free(toadd); 62 ERR_clear_error(); 63 # endif 64 } 65 66 # endif 67 68 # ifdef COMPILE_HW_PADLOCK 69 70 /* Function for ENGINE detection and control */ 71 static int padlock_available(void); 72 static int padlock_init(ENGINE *e); 73 74 /* RNG Stuff */ 75 static RAND_METHOD padlock_rand; 76 77 /* Cipher Stuff */ 78 static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, 79 const int **nids, int nid); 80 81 /* Engine names */ 82 static const char *padlock_id = "padlock"; 83 static char padlock_name[100]; 84 85 /* Available features */ 86 static int padlock_use_ace = 0; /* Advanced Cryptography Engine */ 87 static int padlock_use_rng = 0; /* Random Number Generator */ 88 89 /* ===== Engine "management" functions ===== */ 90 91 /* Prepare the ENGINE structure for registration */ 92 static int padlock_bind_helper(ENGINE *e) 93 { 94 /* Check available features */ 95 padlock_available(); 96 97 /* 98 * RNG is currently disabled for reasons discussed in commentary just 99 * before padlock_rand_bytes function. 100 */ 101 padlock_use_rng = 0; 102 103 /* Generate a nice engine name with available features */ 104 BIO_snprintf(padlock_name, sizeof(padlock_name), 105 "VIA PadLock (%s, %s)", 106 padlock_use_rng ? "RNG" : "no-RNG", 107 padlock_use_ace ? "ACE" : "no-ACE"); 108 109 /* Register everything or return with an error */ 110 if (!ENGINE_set_id(e, padlock_id) || 111 !ENGINE_set_name(e, padlock_name) || 112 !ENGINE_set_init_function(e, padlock_init) || 113 (padlock_use_ace && !ENGINE_set_ciphers(e, padlock_ciphers)) || 114 (padlock_use_rng && !ENGINE_set_RAND(e, &padlock_rand))) { 115 return 0; 116 } 117 118 /* Everything looks good */ 119 return 1; 120 } 121 122 # ifdef OPENSSL_NO_DYNAMIC_ENGINE 123 /* Constructor */ 124 static ENGINE *ENGINE_padlock(void) 125 { 126 ENGINE *eng = ENGINE_new(); 127 128 if (eng == NULL) { 129 return NULL; 130 } 131 132 if (!padlock_bind_helper(eng)) { 133 ENGINE_free(eng); 134 return NULL; 135 } 136 137 return eng; 138 } 139 # endif 140 141 /* Check availability of the engine */ 142 static int padlock_init(ENGINE *e) 143 { 144 return (padlock_use_rng || padlock_use_ace); 145 } 146 147 # ifndef AES_ASM 148 static int padlock_aes_set_encrypt_key(const unsigned char *userKey, 149 const int bits, 150 AES_KEY *key); 151 static int padlock_aes_set_decrypt_key(const unsigned char *userKey, 152 const int bits, 153 AES_KEY *key); 154 # define AES_ASM 155 # define AES_set_encrypt_key padlock_aes_set_encrypt_key 156 # define AES_set_decrypt_key padlock_aes_set_decrypt_key 157 # include "../crypto/aes/aes_core.c" 158 # endif 159 160 /* 161 * This stuff is needed if this ENGINE is being compiled into a 162 * self-contained shared-library. 163 */ 164 # ifndef OPENSSL_NO_DYNAMIC_ENGINE 165 static int padlock_bind_fn(ENGINE *e, const char *id) 166 { 167 if (id && (strcmp(id, padlock_id) != 0)) { 168 return 0; 169 } 170 171 if (!padlock_bind_helper(e)) { 172 return 0; 173 } 174 175 return 1; 176 } 177 178 IMPLEMENT_DYNAMIC_CHECK_FN() 179 IMPLEMENT_DYNAMIC_BIND_FN(padlock_bind_fn) 180 # endif /* !OPENSSL_NO_DYNAMIC_ENGINE */ 181 /* ===== Here comes the "real" engine ===== */ 182 183 /* Some AES-related constants */ 184 # define AES_BLOCK_SIZE 16 185 # define AES_KEY_SIZE_128 16 186 # define AES_KEY_SIZE_192 24 187 # define AES_KEY_SIZE_256 32 188 /* 189 * Here we store the status information relevant to the current context. 190 */ 191 /* 192 * BIG FAT WARNING: Inline assembler in PADLOCK_XCRYPT_ASM() depends on 193 * the order of items in this structure. Don't blindly modify, reorder, 194 * etc! 195 */ 196 struct padlock_cipher_data { 197 unsigned char iv[AES_BLOCK_SIZE]; /* Initialization vector */ 198 union { 199 unsigned int pad[4]; 200 struct { 201 int rounds:4; 202 int dgst:1; /* n/a in C3 */ 203 int align:1; /* n/a in C3 */ 204 int ciphr:1; /* n/a in C3 */ 205 unsigned int keygen:1; 206 int interm:1; 207 unsigned int encdec:1; 208 int ksize:2; 209 } b; 210 } cword; /* Control word */ 211 AES_KEY ks; /* Encryption key */ 212 }; 213 214 /* Interface to assembler module */ 215 unsigned int padlock_capability(void); 216 void padlock_key_bswap(AES_KEY *key); 217 void padlock_verify_context(struct padlock_cipher_data *ctx); 218 void padlock_reload_key(void); 219 void padlock_aes_block(void *out, const void *inp, 220 struct padlock_cipher_data *ctx); 221 int padlock_ecb_encrypt(void *out, const void *inp, 222 struct padlock_cipher_data *ctx, size_t len); 223 int padlock_cbc_encrypt(void *out, const void *inp, 224 struct padlock_cipher_data *ctx, size_t len); 225 int padlock_cfb_encrypt(void *out, const void *inp, 226 struct padlock_cipher_data *ctx, size_t len); 227 int padlock_ofb_encrypt(void *out, const void *inp, 228 struct padlock_cipher_data *ctx, size_t len); 229 int padlock_ctr32_encrypt(void *out, const void *inp, 230 struct padlock_cipher_data *ctx, size_t len); 231 int padlock_xstore(void *out, int edx); 232 void padlock_sha1_oneshot(void *ctx, const void *inp, size_t len); 233 void padlock_sha1(void *ctx, const void *inp, size_t len); 234 void padlock_sha256_oneshot(void *ctx, const void *inp, size_t len); 235 void padlock_sha256(void *ctx, const void *inp, size_t len); 236 237 /* 238 * Load supported features of the CPU to see if the PadLock is available. 239 */ 240 static int padlock_available(void) 241 { 242 unsigned int edx = padlock_capability(); 243 244 /* Fill up some flags */ 245 padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6)); 246 padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2)); 247 248 return padlock_use_ace + padlock_use_rng; 249 } 250 251 /* ===== AES encryption/decryption ===== */ 252 253 # if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb) 254 # define NID_aes_128_cfb NID_aes_128_cfb128 255 # endif 256 257 # if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb) 258 # define NID_aes_128_ofb NID_aes_128_ofb128 259 # endif 260 261 # if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb) 262 # define NID_aes_192_cfb NID_aes_192_cfb128 263 # endif 264 265 # if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb) 266 # define NID_aes_192_ofb NID_aes_192_ofb128 267 # endif 268 269 # if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb) 270 # define NID_aes_256_cfb NID_aes_256_cfb128 271 # endif 272 273 # if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb) 274 # define NID_aes_256_ofb NID_aes_256_ofb128 275 # endif 276 277 /* List of supported ciphers. */ 278 static const int padlock_cipher_nids[] = { 279 NID_aes_128_ecb, 280 NID_aes_128_cbc, 281 NID_aes_128_cfb, 282 NID_aes_128_ofb, 283 NID_aes_128_ctr, 284 285 NID_aes_192_ecb, 286 NID_aes_192_cbc, 287 NID_aes_192_cfb, 288 NID_aes_192_ofb, 289 NID_aes_192_ctr, 290 291 NID_aes_256_ecb, 292 NID_aes_256_cbc, 293 NID_aes_256_cfb, 294 NID_aes_256_ofb, 295 NID_aes_256_ctr 296 }; 297 298 static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids) / 299 sizeof(padlock_cipher_nids[0])); 300 301 /* Function prototypes ... */ 302 static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 303 const unsigned char *iv, int enc); 304 305 # define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \ 306 ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F ) ) 307 # define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\ 308 NEAREST_ALIGNED(EVP_CIPHER_CTX_get_cipher_data(ctx))) 309 310 static int 311 padlock_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg, 312 const unsigned char *in_arg, size_t nbytes) 313 { 314 return padlock_ecb_encrypt(out_arg, in_arg, 315 ALIGNED_CIPHER_DATA(ctx), nbytes); 316 } 317 318 static int 319 padlock_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg, 320 const unsigned char *in_arg, size_t nbytes) 321 { 322 struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx); 323 int ret; 324 325 memcpy(cdata->iv, EVP_CIPHER_CTX_iv(ctx), AES_BLOCK_SIZE); 326 if ((ret = padlock_cbc_encrypt(out_arg, in_arg, cdata, nbytes))) 327 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), cdata->iv, AES_BLOCK_SIZE); 328 return ret; 329 } 330 331 static int 332 padlock_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg, 333 const unsigned char *in_arg, size_t nbytes) 334 { 335 struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx); 336 size_t chunk; 337 338 if ((chunk = EVP_CIPHER_CTX_num(ctx))) { /* borrow chunk variable */ 339 unsigned char *ivp = EVP_CIPHER_CTX_iv_noconst(ctx); 340 341 if (chunk >= AES_BLOCK_SIZE) 342 return 0; /* bogus value */ 343 344 if (EVP_CIPHER_CTX_encrypting(ctx)) 345 while (chunk < AES_BLOCK_SIZE && nbytes != 0) { 346 ivp[chunk] = *(out_arg++) = *(in_arg++) ^ ivp[chunk]; 347 chunk++, nbytes--; 348 } else 349 while (chunk < AES_BLOCK_SIZE && nbytes != 0) { 350 unsigned char c = *(in_arg++); 351 *(out_arg++) = c ^ ivp[chunk]; 352 ivp[chunk++] = c, nbytes--; 353 } 354 355 EVP_CIPHER_CTX_set_num(ctx, chunk % AES_BLOCK_SIZE); 356 } 357 358 if (nbytes == 0) 359 return 1; 360 361 memcpy(cdata->iv, EVP_CIPHER_CTX_iv(ctx), AES_BLOCK_SIZE); 362 363 if ((chunk = nbytes & ~(AES_BLOCK_SIZE - 1))) { 364 if (!padlock_cfb_encrypt(out_arg, in_arg, cdata, chunk)) 365 return 0; 366 nbytes -= chunk; 367 } 368 369 if (nbytes) { 370 unsigned char *ivp = cdata->iv; 371 372 out_arg += chunk; 373 in_arg += chunk; 374 EVP_CIPHER_CTX_set_num(ctx, nbytes); 375 if (cdata->cword.b.encdec) { 376 cdata->cword.b.encdec = 0; 377 padlock_reload_key(); 378 padlock_aes_block(ivp, ivp, cdata); 379 cdata->cword.b.encdec = 1; 380 padlock_reload_key(); 381 while (nbytes) { 382 unsigned char c = *(in_arg++); 383 *(out_arg++) = c ^ *ivp; 384 *(ivp++) = c, nbytes--; 385 } 386 } else { 387 padlock_reload_key(); 388 padlock_aes_block(ivp, ivp, cdata); 389 padlock_reload_key(); 390 while (nbytes) { 391 *ivp = *(out_arg++) = *(in_arg++) ^ *ivp; 392 ivp++, nbytes--; 393 } 394 } 395 } 396 397 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), cdata->iv, AES_BLOCK_SIZE); 398 399 return 1; 400 } 401 402 static int 403 padlock_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg, 404 const unsigned char *in_arg, size_t nbytes) 405 { 406 struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx); 407 size_t chunk; 408 409 /* 410 * ctx->num is maintained in byte-oriented modes, such as CFB and OFB... 411 */ 412 if ((chunk = EVP_CIPHER_CTX_num(ctx))) { /* borrow chunk variable */ 413 unsigned char *ivp = EVP_CIPHER_CTX_iv_noconst(ctx); 414 415 if (chunk >= AES_BLOCK_SIZE) 416 return 0; /* bogus value */ 417 418 while (chunk < AES_BLOCK_SIZE && nbytes != 0) { 419 *(out_arg++) = *(in_arg++) ^ ivp[chunk]; 420 chunk++, nbytes--; 421 } 422 423 EVP_CIPHER_CTX_set_num(ctx, chunk % AES_BLOCK_SIZE); 424 } 425 426 if (nbytes == 0) 427 return 1; 428 429 memcpy(cdata->iv, EVP_CIPHER_CTX_iv(ctx), AES_BLOCK_SIZE); 430 431 if ((chunk = nbytes & ~(AES_BLOCK_SIZE - 1))) { 432 if (!padlock_ofb_encrypt(out_arg, in_arg, cdata, chunk)) 433 return 0; 434 nbytes -= chunk; 435 } 436 437 if (nbytes) { 438 unsigned char *ivp = cdata->iv; 439 440 out_arg += chunk; 441 in_arg += chunk; 442 EVP_CIPHER_CTX_set_num(ctx, nbytes); 443 padlock_reload_key(); /* empirically found */ 444 padlock_aes_block(ivp, ivp, cdata); 445 padlock_reload_key(); /* empirically found */ 446 while (nbytes) { 447 *(out_arg++) = *(in_arg++) ^ *ivp; 448 ivp++, nbytes--; 449 } 450 } 451 452 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), cdata->iv, AES_BLOCK_SIZE); 453 454 return 1; 455 } 456 457 static void padlock_ctr32_encrypt_glue(const unsigned char *in, 458 unsigned char *out, size_t blocks, 459 struct padlock_cipher_data *ctx, 460 const unsigned char *ivec) 461 { 462 memcpy(ctx->iv, ivec, AES_BLOCK_SIZE); 463 padlock_ctr32_encrypt(out, in, ctx, AES_BLOCK_SIZE * blocks); 464 } 465 466 static int 467 padlock_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg, 468 const unsigned char *in_arg, size_t nbytes) 469 { 470 struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx); 471 unsigned int num = EVP_CIPHER_CTX_num(ctx); 472 473 CRYPTO_ctr128_encrypt_ctr32(in_arg, out_arg, nbytes, 474 cdata, EVP_CIPHER_CTX_iv_noconst(ctx), 475 EVP_CIPHER_CTX_buf_noconst(ctx), &num, 476 (ctr128_f) padlock_ctr32_encrypt_glue); 477 478 EVP_CIPHER_CTX_set_num(ctx, (size_t)num); 479 return 1; 480 } 481 482 # define EVP_CIPHER_block_size_ECB AES_BLOCK_SIZE 483 # define EVP_CIPHER_block_size_CBC AES_BLOCK_SIZE 484 # define EVP_CIPHER_block_size_OFB 1 485 # define EVP_CIPHER_block_size_CFB 1 486 # define EVP_CIPHER_block_size_CTR 1 487 488 /* 489 * Declaring so many ciphers by hand would be a pain. Instead introduce a bit 490 * of preprocessor magic :-) 491 */ 492 # define DECLARE_AES_EVP(ksize,lmode,umode) \ 493 static EVP_CIPHER *_hidden_aes_##ksize##_##lmode = NULL; \ 494 static const EVP_CIPHER *padlock_aes_##ksize##_##lmode(void) \ 495 { \ 496 if (_hidden_aes_##ksize##_##lmode == NULL \ 497 && ((_hidden_aes_##ksize##_##lmode = \ 498 EVP_CIPHER_meth_new(NID_aes_##ksize##_##lmode, \ 499 EVP_CIPHER_block_size_##umode, \ 500 AES_KEY_SIZE_##ksize)) == NULL \ 501 || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_##ksize##_##lmode, \ 502 AES_BLOCK_SIZE) \ 503 || !EVP_CIPHER_meth_set_flags(_hidden_aes_##ksize##_##lmode, \ 504 0 | EVP_CIPH_##umode##_MODE) \ 505 || !EVP_CIPHER_meth_set_init(_hidden_aes_##ksize##_##lmode, \ 506 padlock_aes_init_key) \ 507 || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_##ksize##_##lmode, \ 508 padlock_##lmode##_cipher) \ 509 || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_##ksize##_##lmode, \ 510 sizeof(struct padlock_cipher_data) + 16) \ 511 || !EVP_CIPHER_meth_set_set_asn1_params(_hidden_aes_##ksize##_##lmode, \ 512 EVP_CIPHER_set_asn1_iv) \ 513 || !EVP_CIPHER_meth_set_get_asn1_params(_hidden_aes_##ksize##_##lmode, \ 514 EVP_CIPHER_get_asn1_iv))) { \ 515 EVP_CIPHER_meth_free(_hidden_aes_##ksize##_##lmode); \ 516 _hidden_aes_##ksize##_##lmode = NULL; \ 517 } \ 518 return _hidden_aes_##ksize##_##lmode; \ 519 } 520 521 DECLARE_AES_EVP(128, ecb, ECB) 522 DECLARE_AES_EVP(128, cbc, CBC) 523 DECLARE_AES_EVP(128, cfb, CFB) 524 DECLARE_AES_EVP(128, ofb, OFB) 525 DECLARE_AES_EVP(128, ctr, CTR) 526 527 DECLARE_AES_EVP(192, ecb, ECB) 528 DECLARE_AES_EVP(192, cbc, CBC) 529 DECLARE_AES_EVP(192, cfb, CFB) 530 DECLARE_AES_EVP(192, ofb, OFB) 531 DECLARE_AES_EVP(192, ctr, CTR) 532 533 DECLARE_AES_EVP(256, ecb, ECB) 534 DECLARE_AES_EVP(256, cbc, CBC) 535 DECLARE_AES_EVP(256, cfb, CFB) 536 DECLARE_AES_EVP(256, ofb, OFB) 537 DECLARE_AES_EVP(256, ctr, CTR) 538 539 static int 540 padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, 541 int nid) 542 { 543 /* No specific cipher => return a list of supported nids ... */ 544 if (!cipher) { 545 *nids = padlock_cipher_nids; 546 return padlock_cipher_nids_num; 547 } 548 549 /* ... or the requested "cipher" otherwise */ 550 switch (nid) { 551 case NID_aes_128_ecb: 552 *cipher = padlock_aes_128_ecb(); 553 break; 554 case NID_aes_128_cbc: 555 *cipher = padlock_aes_128_cbc(); 556 break; 557 case NID_aes_128_cfb: 558 *cipher = padlock_aes_128_cfb(); 559 break; 560 case NID_aes_128_ofb: 561 *cipher = padlock_aes_128_ofb(); 562 break; 563 case NID_aes_128_ctr: 564 *cipher = padlock_aes_128_ctr(); 565 break; 566 567 case NID_aes_192_ecb: 568 *cipher = padlock_aes_192_ecb(); 569 break; 570 case NID_aes_192_cbc: 571 *cipher = padlock_aes_192_cbc(); 572 break; 573 case NID_aes_192_cfb: 574 *cipher = padlock_aes_192_cfb(); 575 break; 576 case NID_aes_192_ofb: 577 *cipher = padlock_aes_192_ofb(); 578 break; 579 case NID_aes_192_ctr: 580 *cipher = padlock_aes_192_ctr(); 581 break; 582 583 case NID_aes_256_ecb: 584 *cipher = padlock_aes_256_ecb(); 585 break; 586 case NID_aes_256_cbc: 587 *cipher = padlock_aes_256_cbc(); 588 break; 589 case NID_aes_256_cfb: 590 *cipher = padlock_aes_256_cfb(); 591 break; 592 case NID_aes_256_ofb: 593 *cipher = padlock_aes_256_ofb(); 594 break; 595 case NID_aes_256_ctr: 596 *cipher = padlock_aes_256_ctr(); 597 break; 598 599 default: 600 /* Sorry, we don't support this NID */ 601 *cipher = NULL; 602 return 0; 603 } 604 605 return 1; 606 } 607 608 /* Prepare the encryption key for PadLock usage */ 609 static int 610 padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 611 const unsigned char *iv, int enc) 612 { 613 struct padlock_cipher_data *cdata; 614 int key_len = EVP_CIPHER_CTX_key_length(ctx) * 8; 615 unsigned long mode = EVP_CIPHER_CTX_mode(ctx); 616 617 if (key == NULL) 618 return 0; /* ERROR */ 619 620 cdata = ALIGNED_CIPHER_DATA(ctx); 621 memset(cdata, 0, sizeof(*cdata)); 622 623 /* Prepare Control word. */ 624 if (mode == EVP_CIPH_OFB_MODE || mode == EVP_CIPH_CTR_MODE) 625 cdata->cword.b.encdec = 0; 626 else 627 cdata->cword.b.encdec = (EVP_CIPHER_CTX_encrypting(ctx) == 0); 628 cdata->cword.b.rounds = 10 + (key_len - 128) / 32; 629 cdata->cword.b.ksize = (key_len - 128) / 64; 630 631 switch (key_len) { 632 case 128: 633 /* 634 * PadLock can generate an extended key for AES128 in hardware 635 */ 636 memcpy(cdata->ks.rd_key, key, AES_KEY_SIZE_128); 637 cdata->cword.b.keygen = 0; 638 break; 639 640 case 192: 641 case 256: 642 /* 643 * Generate an extended AES key in software. Needed for AES192/AES256 644 */ 645 /* 646 * Well, the above applies to Stepping 8 CPUs and is listed as 647 * hardware errata. They most likely will fix it at some point and 648 * then a check for stepping would be due here. 649 */ 650 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 651 && !enc) 652 AES_set_decrypt_key(key, key_len, &cdata->ks); 653 else 654 AES_set_encrypt_key(key, key_len, &cdata->ks); 655 /* 656 * OpenSSL C functions use byte-swapped extended key. 657 */ 658 padlock_key_bswap(&cdata->ks); 659 cdata->cword.b.keygen = 1; 660 break; 661 662 default: 663 /* ERROR */ 664 return 0; 665 } 666 667 /* 668 * This is done to cover for cases when user reuses the 669 * context for new key. The catch is that if we don't do 670 * this, padlock_eas_cipher might proceed with old key... 671 */ 672 padlock_reload_key(); 673 674 return 1; 675 } 676 677 /* ===== Random Number Generator ===== */ 678 /* 679 * This code is not engaged. The reason is that it does not comply 680 * with recommendations for VIA RNG usage for secure applications 681 * (posted at http://www.via.com.tw/en/viac3/c3.jsp) nor does it 682 * provide meaningful error control... 683 */ 684 /* 685 * Wrapper that provides an interface between the API and the raw PadLock 686 * RNG 687 */ 688 static int padlock_rand_bytes(unsigned char *output, int count) 689 { 690 unsigned int eax, buf; 691 692 while (count >= 8) { 693 eax = padlock_xstore(output, 0); 694 if (!(eax & (1 << 6))) 695 return 0; /* RNG disabled */ 696 /* this ---vv--- covers DC bias, Raw Bits and String Filter */ 697 if (eax & (0x1F << 10)) 698 return 0; 699 if ((eax & 0x1F) == 0) 700 continue; /* no data, retry... */ 701 if ((eax & 0x1F) != 8) 702 return 0; /* fatal failure... */ 703 output += 8; 704 count -= 8; 705 } 706 while (count > 0) { 707 eax = padlock_xstore(&buf, 3); 708 if (!(eax & (1 << 6))) 709 return 0; /* RNG disabled */ 710 /* this ---vv--- covers DC bias, Raw Bits and String Filter */ 711 if (eax & (0x1F << 10)) 712 return 0; 713 if ((eax & 0x1F) == 0) 714 continue; /* no data, retry... */ 715 if ((eax & 0x1F) != 1) 716 return 0; /* fatal failure... */ 717 *output++ = (unsigned char)buf; 718 count--; 719 } 720 OPENSSL_cleanse(&buf, sizeof(buf)); 721 722 return 1; 723 } 724 725 /* Dummy but necessary function */ 726 static int padlock_rand_status(void) 727 { 728 return 1; 729 } 730 731 /* Prepare structure for registration */ 732 static RAND_METHOD padlock_rand = { 733 NULL, /* seed */ 734 padlock_rand_bytes, /* bytes */ 735 NULL, /* cleanup */ 736 NULL, /* add */ 737 padlock_rand_bytes, /* pseudorand */ 738 padlock_rand_status, /* rand status */ 739 }; 740 741 # endif /* COMPILE_HW_PADLOCK */ 742 # endif /* !OPENSSL_NO_HW_PADLOCK */ 743 #endif /* !OPENSSL_NO_HW */ 744 745 #if defined(OPENSSL_NO_HW) || defined(OPENSSL_NO_HW_PADLOCK) \ 746 || !defined(COMPILE_HW_PADLOCK) 747 # ifndef OPENSSL_NO_DYNAMIC_ENGINE 748 OPENSSL_EXPORT 749 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns); 750 OPENSSL_EXPORT 751 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) 752 { 753 return 0; 754 } 755 756 IMPLEMENT_DYNAMIC_CHECK_FN() 757 # endif 758 #endif 759