2 * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/opensslconf.h>
14 #include <openssl/crypto.h>
15 #include <openssl/engine.h>
16 #include <openssl/evp.h>
17 #include <openssl/aes.h>
18 #include <openssl/rand.h>
19 #include <openssl/err.h>
20 #include <openssl/modes.h>
22 #ifndef OPENSSL_NO_PADLOCKENG
25 * VIA PadLock AES is available *ONLY* on some x86 CPUs. Not only that it
26 * doesn't exist elsewhere, but it even can't be compiled on other platforms!
29 # undef COMPILE_PADLOCKENG
30 # if defined(PADLOCK_ASM)
31 # define COMPILE_PADLOCKENG
32 # ifdef OPENSSL_NO_DYNAMIC_ENGINE
33 static ENGINE
*ENGINE_padlock(void);
37 # ifdef OPENSSL_NO_DYNAMIC_ENGINE
38 void engine_load_padlock_int(void);
39 void engine_load_padlock_int(void)
41 /* On non-x86 CPUs it just returns. */
42 # ifdef COMPILE_PADLOCKENG
43 ENGINE
*toadd
= ENGINE_padlock();
54 # ifdef COMPILE_PADLOCKENG
56 /* Function for ENGINE detection and control */
57 static int padlock_available(void);
58 static int padlock_init(ENGINE
*e
);
61 static RAND_METHOD padlock_rand
;
64 static int padlock_ciphers(ENGINE
*e
, const EVP_CIPHER
**cipher
,
65 const int **nids
, int nid
);
68 static const char *padlock_id
= "padlock";
69 static char padlock_name
[100];
71 /* Available features */
72 static int padlock_use_ace
= 0; /* Advanced Cryptography Engine */
73 static int padlock_use_rng
= 0; /* Random Number Generator */
75 /* ===== Engine "management" functions ===== */
77 /* Prepare the ENGINE structure for registration */
78 static int padlock_bind_helper(ENGINE
*e
)
80 /* Check available features */
84 * RNG is currently disabled for reasons discussed in commentary just
85 * before padlock_rand_bytes function.
89 /* Generate a nice engine name with available features */
90 BIO_snprintf(padlock_name
, sizeof(padlock_name
),
91 "VIA PadLock (%s, %s)",
92 padlock_use_rng
? "RNG" : "no-RNG",
93 padlock_use_ace
? "ACE" : "no-ACE");
95 /* Register everything or return with an error */
96 if (!ENGINE_set_id(e
, padlock_id
) ||
97 !ENGINE_set_name(e
, padlock_name
) ||
98 !ENGINE_set_init_function(e
, padlock_init
) ||
99 (padlock_use_ace
&& !ENGINE_set_ciphers(e
, padlock_ciphers
)) ||
100 (padlock_use_rng
&& !ENGINE_set_RAND(e
, &padlock_rand
))) {
104 /* Everything looks good */
108 # ifdef OPENSSL_NO_DYNAMIC_ENGINE
110 static ENGINE
*ENGINE_padlock(void)
112 ENGINE
*eng
= ENGINE_new();
118 if (!padlock_bind_helper(eng
)) {
127 /* Check availability of the engine */
128 static int padlock_init(ENGINE
*e
)
130 return (padlock_use_rng
|| padlock_use_ace
);
134 * This stuff is needed if this ENGINE is being compiled into a
135 * self-contained shared-library.
137 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
138 static int padlock_bind_fn(ENGINE
*e
, const char *id
)
140 if (id
&& (strcmp(id
, padlock_id
) != 0)) {
144 if (!padlock_bind_helper(e
)) {
151 IMPLEMENT_DYNAMIC_CHECK_FN()
152 IMPLEMENT_DYNAMIC_BIND_FN(padlock_bind_fn
)
153 # endif /* !OPENSSL_NO_DYNAMIC_ENGINE */
154 /* ===== Here comes the "real" engine ===== */
156 /* Some AES-related constants */
157 # define AES_BLOCK_SIZE 16
158 # define AES_KEY_SIZE_128 16
159 # define AES_KEY_SIZE_192 24
160 # define AES_KEY_SIZE_256 32
162 * Here we store the status information relevant to the current context.
165 * BIG FAT WARNING: Inline assembler in PADLOCK_XCRYPT_ASM() depends on
166 * the order of items in this structure. Don't blindly modify, reorder,
169 struct padlock_cipher_data
{
170 unsigned char iv
[AES_BLOCK_SIZE
]; /* Initialization vector */
175 int dgst
:1; /* n/a in C3 */
176 int align
:1; /* n/a in C3 */
177 int ciphr
:1; /* n/a in C3 */
178 unsigned int keygen
:1;
180 unsigned int encdec
:1;
183 } cword
; /* Control word */
184 AES_KEY ks
; /* Encryption key */
187 /* Interface to assembler module */
188 unsigned int padlock_capability(void);
189 void padlock_key_bswap(AES_KEY
*key
);
190 void padlock_verify_context(struct padlock_cipher_data
*ctx
);
191 void padlock_reload_key(void);
192 void padlock_aes_block(void *out
, const void *inp
,
193 struct padlock_cipher_data
*ctx
);
194 int padlock_ecb_encrypt(void *out
, const void *inp
,
195 struct padlock_cipher_data
*ctx
, size_t len
);
196 int padlock_cbc_encrypt(void *out
, const void *inp
,
197 struct padlock_cipher_data
*ctx
, size_t len
);
198 int padlock_cfb_encrypt(void *out
, const void *inp
,
199 struct padlock_cipher_data
*ctx
, size_t len
);
200 int padlock_ofb_encrypt(void *out
, const void *inp
,
201 struct padlock_cipher_data
*ctx
, size_t len
);
202 int padlock_ctr32_encrypt(void *out
, const void *inp
,
203 struct padlock_cipher_data
*ctx
, size_t len
);
204 int padlock_xstore(void *out
, int edx
);
205 void padlock_sha1_oneshot(void *ctx
, const void *inp
, size_t len
);
206 void padlock_sha1(void *ctx
, const void *inp
, size_t len
);
207 void padlock_sha256_oneshot(void *ctx
, const void *inp
, size_t len
);
208 void padlock_sha256(void *ctx
, const void *inp
, size_t len
);
211 * Load supported features of the CPU to see if the PadLock is available.
213 static int padlock_available(void)
215 unsigned int edx
= padlock_capability();
217 /* Fill up some flags */
218 padlock_use_ace
= ((edx
& (0x3 << 6)) == (0x3 << 6));
219 padlock_use_rng
= ((edx
& (0x3 << 2)) == (0x3 << 2));
221 return padlock_use_ace
+ padlock_use_rng
;
224 /* ===== AES encryption/decryption ===== */
226 # if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
227 # define NID_aes_128_cfb NID_aes_128_cfb128
230 # if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
231 # define NID_aes_128_ofb NID_aes_128_ofb128
234 # if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
235 # define NID_aes_192_cfb NID_aes_192_cfb128
238 # if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
239 # define NID_aes_192_ofb NID_aes_192_ofb128
242 # if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
243 # define NID_aes_256_cfb NID_aes_256_cfb128
246 # if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
247 # define NID_aes_256_ofb NID_aes_256_ofb128
250 /* List of supported ciphers. */
251 static const int padlock_cipher_nids
[] = {
271 static int padlock_cipher_nids_num
= (sizeof(padlock_cipher_nids
) /
272 sizeof(padlock_cipher_nids
[0]));
274 /* Function prototypes ... */
275 static int padlock_aes_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
276 const unsigned char *iv
, int enc
);
278 # define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \
279 ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F ) )
280 # define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
281 NEAREST_ALIGNED(EVP_CIPHER_CTX_get_cipher_data(ctx)))
284 padlock_ecb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out_arg
,
285 const unsigned char *in_arg
, size_t nbytes
)
287 return padlock_ecb_encrypt(out_arg
, in_arg
,
288 ALIGNED_CIPHER_DATA(ctx
), nbytes
);
292 padlock_cbc_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out_arg
,
293 const unsigned char *in_arg
, size_t nbytes
)
295 struct padlock_cipher_data
*cdata
= ALIGNED_CIPHER_DATA(ctx
);
298 memcpy(cdata
->iv
, EVP_CIPHER_CTX_iv(ctx
), AES_BLOCK_SIZE
);
299 if ((ret
= padlock_cbc_encrypt(out_arg
, in_arg
, cdata
, nbytes
)))
300 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx
), cdata
->iv
, AES_BLOCK_SIZE
);
305 padlock_cfb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out_arg
,
306 const unsigned char *in_arg
, size_t nbytes
)
308 struct padlock_cipher_data
*cdata
= ALIGNED_CIPHER_DATA(ctx
);
311 if ((chunk
= EVP_CIPHER_CTX_num(ctx
))) { /* borrow chunk variable */
312 unsigned char *ivp
= EVP_CIPHER_CTX_iv_noconst(ctx
);
314 if (chunk
>= AES_BLOCK_SIZE
)
315 return 0; /* bogus value */
317 if (EVP_CIPHER_CTX_encrypting(ctx
))
318 while (chunk
< AES_BLOCK_SIZE
&& nbytes
!= 0) {
319 ivp
[chunk
] = *(out_arg
++) = *(in_arg
++) ^ ivp
[chunk
];
322 while (chunk
< AES_BLOCK_SIZE
&& nbytes
!= 0) {
323 unsigned char c
= *(in_arg
++);
324 *(out_arg
++) = c
^ ivp
[chunk
];
325 ivp
[chunk
++] = c
, nbytes
--;
328 EVP_CIPHER_CTX_set_num(ctx
, chunk
% AES_BLOCK_SIZE
);
334 memcpy(cdata
->iv
, EVP_CIPHER_CTX_iv(ctx
), AES_BLOCK_SIZE
);
336 if ((chunk
= nbytes
& ~(AES_BLOCK_SIZE
- 1))) {
337 if (!padlock_cfb_encrypt(out_arg
, in_arg
, cdata
, chunk
))
343 unsigned char *ivp
= cdata
->iv
;
347 EVP_CIPHER_CTX_set_num(ctx
, nbytes
);
348 if (cdata
->cword
.b
.encdec
) {
349 cdata
->cword
.b
.encdec
= 0;
350 padlock_reload_key();
351 padlock_aes_block(ivp
, ivp
, cdata
);
352 cdata
->cword
.b
.encdec
= 1;
353 padlock_reload_key();
355 unsigned char c
= *(in_arg
++);
356 *(out_arg
++) = c
^ *ivp
;
357 *(ivp
++) = c
, nbytes
--;
360 padlock_reload_key();
361 padlock_aes_block(ivp
, ivp
, cdata
);
362 padlock_reload_key();
364 *ivp
= *(out_arg
++) = *(in_arg
++) ^ *ivp
;
370 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx
), cdata
->iv
, AES_BLOCK_SIZE
);
376 padlock_ofb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out_arg
,
377 const unsigned char *in_arg
, size_t nbytes
)
379 struct padlock_cipher_data
*cdata
= ALIGNED_CIPHER_DATA(ctx
);
383 * ctx->num is maintained in byte-oriented modes, such as CFB and OFB...
385 if ((chunk
= EVP_CIPHER_CTX_num(ctx
))) { /* borrow chunk variable */
386 unsigned char *ivp
= EVP_CIPHER_CTX_iv_noconst(ctx
);
388 if (chunk
>= AES_BLOCK_SIZE
)
389 return 0; /* bogus value */
391 while (chunk
< AES_BLOCK_SIZE
&& nbytes
!= 0) {
392 *(out_arg
++) = *(in_arg
++) ^ ivp
[chunk
];
396 EVP_CIPHER_CTX_set_num(ctx
, chunk
% AES_BLOCK_SIZE
);
402 memcpy(cdata
->iv
, EVP_CIPHER_CTX_iv(ctx
), AES_BLOCK_SIZE
);
404 if ((chunk
= nbytes
& ~(AES_BLOCK_SIZE
- 1))) {
405 if (!padlock_ofb_encrypt(out_arg
, in_arg
, cdata
, chunk
))
411 unsigned char *ivp
= cdata
->iv
;
415 EVP_CIPHER_CTX_set_num(ctx
, nbytes
);
416 padlock_reload_key(); /* empirically found */
417 padlock_aes_block(ivp
, ivp
, cdata
);
418 padlock_reload_key(); /* empirically found */
420 *(out_arg
++) = *(in_arg
++) ^ *ivp
;
425 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx
), cdata
->iv
, AES_BLOCK_SIZE
);
430 static void padlock_ctr32_encrypt_glue(const unsigned char *in
,
431 unsigned char *out
, size_t blocks
,
432 struct padlock_cipher_data
*ctx
,
433 const unsigned char *ivec
)
435 memcpy(ctx
->iv
, ivec
, AES_BLOCK_SIZE
);
436 padlock_ctr32_encrypt(out
, in
, ctx
, AES_BLOCK_SIZE
* blocks
);
440 padlock_ctr_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out_arg
,
441 const unsigned char *in_arg
, size_t nbytes
)
443 struct padlock_cipher_data
*cdata
= ALIGNED_CIPHER_DATA(ctx
);
444 unsigned int num
= EVP_CIPHER_CTX_num(ctx
);
446 CRYPTO_ctr128_encrypt_ctr32(in_arg
, out_arg
, nbytes
,
447 cdata
, EVP_CIPHER_CTX_iv_noconst(ctx
),
448 EVP_CIPHER_CTX_buf_noconst(ctx
), &num
,
449 (ctr128_f
) padlock_ctr32_encrypt_glue
);
451 EVP_CIPHER_CTX_set_num(ctx
, (size_t)num
);
455 # define EVP_CIPHER_block_size_ECB AES_BLOCK_SIZE
456 # define EVP_CIPHER_block_size_CBC AES_BLOCK_SIZE
457 # define EVP_CIPHER_block_size_OFB 1
458 # define EVP_CIPHER_block_size_CFB 1
459 # define EVP_CIPHER_block_size_CTR 1
462 * Declaring so many ciphers by hand would be a pain. Instead introduce a bit
463 * of preprocessor magic :-)
465 # define DECLARE_AES_EVP(ksize,lmode,umode) \
466 static EVP_CIPHER *_hidden_aes_##ksize##_##lmode = NULL; \
467 static const EVP_CIPHER *padlock_aes_##ksize##_##lmode(void) \
469 if (_hidden_aes_##ksize##_##lmode == NULL \
470 && ((_hidden_aes_##ksize##_##lmode = \
471 EVP_CIPHER_meth_new(NID_aes_##ksize##_##lmode, \
472 EVP_CIPHER_block_size_##umode, \
473 AES_KEY_SIZE_##ksize)) == NULL \
474 || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_##ksize##_##lmode, \
476 || !EVP_CIPHER_meth_set_flags(_hidden_aes_##ksize##_##lmode, \
477 0 | EVP_CIPH_##umode##_MODE) \
478 || !EVP_CIPHER_meth_set_init(_hidden_aes_##ksize##_##lmode, \
479 padlock_aes_init_key) \
480 || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_##ksize##_##lmode, \
481 padlock_##lmode##_cipher) \
482 || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_##ksize##_##lmode, \
483 sizeof(struct padlock_cipher_data) + 16) \
484 || !EVP_CIPHER_meth_set_set_asn1_params(_hidden_aes_##ksize##_##lmode, \
485 EVP_CIPHER_set_asn1_iv) \
486 || !EVP_CIPHER_meth_set_get_asn1_params(_hidden_aes_##ksize##_##lmode, \
487 EVP_CIPHER_get_asn1_iv))) { \
488 EVP_CIPHER_meth_free(_hidden_aes_##ksize##_##lmode); \
489 _hidden_aes_##ksize##_##lmode = NULL; \
491 return _hidden_aes_##ksize##_##lmode; \
494 DECLARE_AES_EVP(128, ecb
, ECB
)
495 DECLARE_AES_EVP(128, cbc
, CBC
)
496 DECLARE_AES_EVP(128, cfb
, CFB
)
497 DECLARE_AES_EVP(128, ofb
, OFB
)
498 DECLARE_AES_EVP(128, ctr
, CTR
)
500 DECLARE_AES_EVP(192, ecb
, ECB
)
501 DECLARE_AES_EVP(192, cbc
, CBC
)
502 DECLARE_AES_EVP(192, cfb
, CFB
)
503 DECLARE_AES_EVP(192, ofb
, OFB
)
504 DECLARE_AES_EVP(192, ctr
, CTR
)
506 DECLARE_AES_EVP(256, ecb
, ECB
)
507 DECLARE_AES_EVP(256, cbc
, CBC
)
508 DECLARE_AES_EVP(256, cfb
, CFB
)
509 DECLARE_AES_EVP(256, ofb
, OFB
)
510 DECLARE_AES_EVP(256, ctr
, CTR
)
513 padlock_ciphers(ENGINE
*e
, const EVP_CIPHER
**cipher
, const int **nids
,
516 /* No specific cipher => return a list of supported nids ... */
518 *nids
= padlock_cipher_nids
;
519 return padlock_cipher_nids_num
;
522 /* ... or the requested "cipher" otherwise */
524 case NID_aes_128_ecb
:
525 *cipher
= padlock_aes_128_ecb();
527 case NID_aes_128_cbc
:
528 *cipher
= padlock_aes_128_cbc();
530 case NID_aes_128_cfb
:
531 *cipher
= padlock_aes_128_cfb();
533 case NID_aes_128_ofb
:
534 *cipher
= padlock_aes_128_ofb();
536 case NID_aes_128_ctr
:
537 *cipher
= padlock_aes_128_ctr();
540 case NID_aes_192_ecb
:
541 *cipher
= padlock_aes_192_ecb();
543 case NID_aes_192_cbc
:
544 *cipher
= padlock_aes_192_cbc();
546 case NID_aes_192_cfb
:
547 *cipher
= padlock_aes_192_cfb();
549 case NID_aes_192_ofb
:
550 *cipher
= padlock_aes_192_ofb();
552 case NID_aes_192_ctr
:
553 *cipher
= padlock_aes_192_ctr();
556 case NID_aes_256_ecb
:
557 *cipher
= padlock_aes_256_ecb();
559 case NID_aes_256_cbc
:
560 *cipher
= padlock_aes_256_cbc();
562 case NID_aes_256_cfb
:
563 *cipher
= padlock_aes_256_cfb();
565 case NID_aes_256_ofb
:
566 *cipher
= padlock_aes_256_ofb();
568 case NID_aes_256_ctr
:
569 *cipher
= padlock_aes_256_ctr();
573 /* Sorry, we don't support this NID */
581 /* Prepare the encryption key for PadLock usage */
583 padlock_aes_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
584 const unsigned char *iv
, int enc
)
586 struct padlock_cipher_data
*cdata
;
587 int key_len
= EVP_CIPHER_CTX_key_length(ctx
) * 8;
588 unsigned long mode
= EVP_CIPHER_CTX_mode(ctx
);
591 return 0; /* ERROR */
593 cdata
= ALIGNED_CIPHER_DATA(ctx
);
594 memset(cdata
, 0, sizeof(*cdata
));
596 /* Prepare Control word. */
597 if (mode
== EVP_CIPH_OFB_MODE
|| mode
== EVP_CIPH_CTR_MODE
)
598 cdata
->cword
.b
.encdec
= 0;
600 cdata
->cword
.b
.encdec
= (EVP_CIPHER_CTX_encrypting(ctx
) == 0);
601 cdata
->cword
.b
.rounds
= 10 + (key_len
- 128) / 32;
602 cdata
->cword
.b
.ksize
= (key_len
- 128) / 64;
607 * PadLock can generate an extended key for AES128 in hardware
609 memcpy(cdata
->ks
.rd_key
, key
, AES_KEY_SIZE_128
);
610 cdata
->cword
.b
.keygen
= 0;
616 * Generate an extended AES key in software. Needed for AES192/AES256
619 * Well, the above applies to Stepping 8 CPUs and is listed as
620 * hardware errata. They most likely will fix it at some point and
621 * then a check for stepping would be due here.
623 if ((mode
== EVP_CIPH_ECB_MODE
|| mode
== EVP_CIPH_CBC_MODE
)
625 AES_set_decrypt_key(key
, key_len
, &cdata
->ks
);
627 AES_set_encrypt_key(key
, key_len
, &cdata
->ks
);
630 * OpenSSL C functions use byte-swapped extended key.
632 padlock_key_bswap(&cdata
->ks
);
634 cdata
->cword
.b
.keygen
= 1;
643 * This is done to cover for cases when user reuses the
644 * context for new key. The catch is that if we don't do
645 * this, padlock_eas_cipher might proceed with old key...
647 padlock_reload_key();
652 /* ===== Random Number Generator ===== */
654 * This code is not engaged. The reason is that it does not comply
655 * with recommendations for VIA RNG usage for secure applications
656 * (posted at http://www.via.com.tw/en/viac3/c3.jsp) nor does it
657 * provide meaningful error control...
660 * Wrapper that provides an interface between the API and the raw PadLock
663 static int padlock_rand_bytes(unsigned char *output
, int count
)
665 unsigned int eax
, buf
;
668 eax
= padlock_xstore(output
, 0);
669 if (!(eax
& (1 << 6)))
670 return 0; /* RNG disabled */
671 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
672 if (eax
& (0x1F << 10))
674 if ((eax
& 0x1F) == 0)
675 continue; /* no data, retry... */
676 if ((eax
& 0x1F) != 8)
677 return 0; /* fatal failure... */
682 eax
= padlock_xstore(&buf
, 3);
683 if (!(eax
& (1 << 6)))
684 return 0; /* RNG disabled */
685 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
686 if (eax
& (0x1F << 10))
688 if ((eax
& 0x1F) == 0)
689 continue; /* no data, retry... */
690 if ((eax
& 0x1F) != 1)
691 return 0; /* fatal failure... */
692 *output
++ = (unsigned char)buf
;
695 OPENSSL_cleanse(&buf
, sizeof(buf
));
700 /* Dummy but necessary function */
701 static int padlock_rand_status(void)
706 /* Prepare structure for registration */
707 static RAND_METHOD padlock_rand
= {
709 padlock_rand_bytes
, /* bytes */
712 padlock_rand_bytes
, /* pseudorand */
713 padlock_rand_status
, /* rand status */
716 # endif /* COMPILE_PADLOCKENG */
717 #endif /* !OPENSSL_NO_PADLOCKENG */
719 #if defined(OPENSSL_NO_PADLOCKENG) || !defined(COMPILE_PADLOCKENG)
720 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
722 int bind_engine(ENGINE
*e
, const char *id
, const dynamic_fns
*fns
);
724 int bind_engine(ENGINE
*e
, const char *id
, const dynamic_fns
*fns
)
729 IMPLEMENT_DYNAMIC_CHECK_FN()