2 * Support for VIA PadLock Advanced Cryptography Engine (ACE)
3 * Written by Michal Ludvig <michal@logix.cz>
4 * http://www.logix.cz/michal
6 * Big thanks to Andy Polyakov for a help with optimization,
7 * assembler fixes, port to MS Windows and a lot of other
8 * valuable work on this engine!
11 /* ====================================================================
12 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in
23 * the documentation and/or other materials provided with the
26 * 3. All advertising materials mentioning features or use of this
27 * software must display the following acknowledgment:
28 * "This product includes software developed by the OpenSSL Project
29 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
31 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
32 * endorse or promote products derived from this software without
33 * prior written permission. For written permission, please contact
34 * licensing@OpenSSL.org.
36 * 5. Products derived from this software may not be called "OpenSSL"
37 * nor may "OpenSSL" appear in their names without prior written
38 * permission of the OpenSSL Project.
40 * 6. Redistributions of any form whatsoever must retain the following
42 * "This product includes software developed by the OpenSSL Project
43 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
45 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
46 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
48 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
49 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
51 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
52 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
54 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
55 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
56 * OF THE POSSIBILITY OF SUCH DAMAGE.
57 * ====================================================================
59 * This product includes cryptographic software written by Eric Young
60 * (eay@cryptsoft.com). This product includes software written by Tim
61 * Hudson (tjh@cryptsoft.com).
69 #include <openssl/opensslconf.h>
70 #include <openssl/crypto.h>
71 #include <openssl/dso.h>
72 #include <openssl/engine.h>
73 #include <openssl/evp.h>
74 #ifndef OPENSSL_NO_AES
75 #include <openssl/aes.h>
77 #include <openssl/rand.h>
80 #ifndef OPENSSL_NO_HW_PADLOCK
82 /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
83 #if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
84 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
85 # define DYNAMIC_ENGINE
87 #elif (OPENSSL_VERSION_NUMBER >= 0x00907000L)
88 # ifdef ENGINE_DYNAMIC_SUPPORT
89 # define DYNAMIC_ENGINE
92 # error "Only OpenSSL >= 0.9.7 is supported"
95 /* VIA PadLock AES is available *ONLY* on some x86 CPUs.
96 Not only that it doesn't exist elsewhere, but it
97 even can't be compiled on other platforms!
99 In addition, because of the heavy use of inline assembler,
100 compiler choice is limited to GCC and Microsoft C. */
101 #undef COMPILE_HW_PADLOCK
102 #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
103 # if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
104 (defined(_MSC_VER) && defined(_M_IX86))
105 # define COMPILE_HW_PADLOCK
106 static ENGINE *ENGINE_padlock (void);
110 void ENGINE_load_padlock (void)
112 /* On non-x86 CPUs it just returns. */
113 #ifdef COMPILE_HW_PADLOCK
114 ENGINE *toadd = ENGINE_padlock ();
122 #ifdef COMPILE_HW_PADLOCK
123 /* We do these includes here to avoid header problems on platforms that
124 do not have the VIA padlock anyway... */
127 # define alloca _alloca
132 /* Function for ENGINE detection and control */
133 static int padlock_available(void);
134 static int padlock_init(ENGINE *e);
137 static RAND_METHOD padlock_rand;
140 #ifndef OPENSSL_NO_AES
141 static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
145 static const char *padlock_id = "padlock";
146 static char padlock_name[100];
148 /* Available features */
149 static int padlock_use_ace = 0; /* Advanced Cryptography Engine */
150 static int padlock_use_rng = 0; /* Random Number Generator */
151 #ifndef OPENSSL_NO_AES
152 static int padlock_aes_align_required = 1;
155 /* ===== Engine "management" functions ===== */
157 /* Prepare the ENGINE structure for registration */
159 padlock_bind_helper(ENGINE *e)
161 /* Check available features */
164 #if 1 /* disable RNG for now, see commentary in vicinity of RNG code */
168 /* Generate a nice engine name with available features */
169 BIO_snprintf(padlock_name, sizeof(padlock_name),
170 "VIA PadLock (%s, %s)",
171 padlock_use_rng ? "RNG" : "no-RNG",
172 padlock_use_ace ? "ACE" : "no-ACE");
174 /* Register everything or return with an error */
175 if (!ENGINE_set_id(e, padlock_id) ||
176 !ENGINE_set_name(e, padlock_name) ||
178 !ENGINE_set_init_function(e, padlock_init) ||
179 #ifndef OPENSSL_NO_AES
180 (padlock_use_ace && !ENGINE_set_ciphers (e, padlock_ciphers)) ||
182 (padlock_use_rng && !ENGINE_set_RAND (e, &padlock_rand))) {
186 /* Everything looks good */
194 ENGINE *eng = ENGINE_new();
200 if (!padlock_bind_helper(eng)) {
208 /* Check availability of the engine */
210 padlock_init(ENGINE *e)
212 return (padlock_use_rng || padlock_use_ace);
215 /* This stuff is needed if this ENGINE is being compiled into a self-contained
218 #ifdef DYNAMIC_ENGINE
220 padlock_bind_fn(ENGINE *e, const char *id)
222 if (id && (strcmp(id, padlock_id) != 0)) {
226 if (!padlock_bind_helper(e)) {
233 IMPLEMENT_DYNAMIC_CHECK_FN ();
234 IMPLEMENT_DYNAMIC_BIND_FN (padlock_bind_fn);
235 #endif /* DYNAMIC_ENGINE */
237 /* ===== Here comes the "real" engine ===== */
239 #ifndef OPENSSL_NO_AES
240 /* Some AES-related constants */
241 #define AES_BLOCK_SIZE 16
242 #define AES_KEY_SIZE_128 16
243 #define AES_KEY_SIZE_192 24
244 #define AES_KEY_SIZE_256 32
246 /* Here we store the status information relevant to the
249 * Inline assembler in PADLOCK_XCRYPT_ASM()
250 * depends on the order of items in this structure.
251 * Don't blindly modify, reorder, etc!
253 struct padlock_cipher_data
255 unsigned char iv[AES_BLOCK_SIZE]; /* Initialization vector */
256 union { unsigned int pad[4];
265 } cword; /* Control word */
266 AES_KEY ks; /* Encryption key */
270 * Essentially this variable belongs in thread local storage.
271 * Having this variable global on the other hand can only cause
272 * few bogus key reloads [if any at all on single-CPU system],
273 * so we accept the penatly...
275 static volatile struct padlock_cipher_data *padlock_saved_context;
279 * =======================================================
280 * Inline assembler section(s).
281 * =======================================================
282 * Order of arguments is chosen to facilitate Windows port
283 * using __fastcall calling convention. If you wish to add
284 * more routines, keep in mind that first __fastcall
285 * argument is passed in %ecx and second - in %edx.
286 * =======================================================
288 #if defined(__GNUC__) && __GNUC__>=2
290 * As for excessive "push %ebx"/"pop %ebx" found all over.
291 * When generating position-independent code GCC won't let
292 * us use "b" in assembler templates nor even respect "ebx"
293 * in "clobber description." Therefore the trouble...
296 /* Helper function - check if a CPUID instruction
297 is available on this CPU */
299 padlock_insn_cpuid_available(void)
303 /* We're checking if the bit #21 of EFLAGS
304 can be toggled. If yes = CPUID is available. */
308 "xorl $0x200000, %%eax\n"
309 "movl %%eax, %%ecx\n"
310 "andl $0x200000, %%ecx\n"
315 "andl $0x200000, %%eax\n"
316 "xorl %%eax, %%ecx\n"
318 : "=r" (result) : : "eax", "ecx");
320 return (result == 0);
323 /* Load supported features of the CPU to see if
324 the PadLock is available. */
326 padlock_available(void)
328 char vendor_string[16];
329 unsigned int eax, edx;
331 /* First check if the CPUID instruction is available at all... */
332 if (! padlock_insn_cpuid_available())
335 /* Are we running on the Centaur (VIA) CPU? */
337 vendor_string[12] = 0;
341 "movl %%ebx,(%%edi)\n"
342 "movl %%edx,4(%%edi)\n"
343 "movl %%ecx,8(%%edi)\n"
345 : "+a"(eax) : "D"(vendor_string) : "ecx", "edx");
346 if (strcmp(vendor_string, "CentaurHauls") != 0)
349 /* Check for Centaur Extended Feature Flags presence */
351 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
352 : "+a"(eax) : : "ecx", "edx");
353 if (eax < 0xC0000001)
356 /* Read the Centaur Extended Feature Flags */
358 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
359 : "+a"(eax), "=d"(edx) : : "ecx");
361 /* Fill up some flags */
362 padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
363 padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
365 return padlock_use_ace + padlock_use_rng;
368 #ifndef OPENSSL_NO_AES
369 /* Our own htonl()/ntohl() */
371 padlock_bswapl(AES_KEY *ks)
373 size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
374 unsigned int *key = ks->rd_key;
377 asm volatile ("bswapl %0" : "+r"(*key));
383 /* Force key reload from memory to the CPU microcode.
384 Loading EFLAGS from the stack clears EFLAGS[30]
385 which does the trick. */
387 padlock_reload_key(void)
389 asm volatile ("pushfl; popfl");
392 #ifndef OPENSSL_NO_AES
394 * This is heuristic key context tracing. At first one
395 * believes that one should use atomic swap instructions,
396 * but it's not actually necessary. Point is that if
397 * padlock_saved_context was changed by another thread
398 * after we've read it and before we compare it with cdata,
399 * our key *shall* be reloaded upon thread context switch
400 * and we are therefore set in either case...
403 padlock_verify_context(struct padlock_cipher_data *cdata)
415 :"+m"(padlock_saved_context)
416 : "r"(padlock_saved_context), "r"(cdata) : "cc");
419 /* Template for padlock_xcrypt_* modes */
421 * The offsets used with 'leal' instructions
422 * describe items of the 'padlock_cipher_data'
425 #define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
426 static inline void *name(size_t cnt, \
427 struct padlock_cipher_data *cdata, \
428 void *out, const void *inp) \
430 asm volatile ( "pushl %%ebx\n" \
431 " leal 16(%0),%%edx\n" \
432 " leal 32(%0),%%ebx\n" \
435 : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
436 : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
441 /* Generate all functions with appropriate opcodes */
442 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
443 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
444 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
445 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
448 /* The RNG call itself */
449 static inline unsigned int
450 padlock_xstore(void *addr, unsigned int edx_in)
452 unsigned int eax_out;
454 asm volatile (".byte 0x0f,0xa7,0xc0" /* xstore */
455 : "=a"(eax_out),"=m"(*(unsigned *)addr)
456 : "D"(addr), "d" (edx_in)
462 /* Why not inline 'rep movsd'? I failed to find information on what
463 * value in Direction Flag one can expect and consequently have to
464 * apply "better-safe-than-sorry" approach and assume "undefined."
465 * I could explicitly clear it and restore the original value upon
466 * return from padlock_aes_cipher, but it's presumably too much
467 * trouble for too little gain...
469 * In case you wonder 'rep xcrypt*' instructions above are *not*
470 * affected by the Direction Flag and pointers advance toward
471 * larger addresses unconditionally.
473 static inline unsigned char *
474 padlock_memcpy(void *dst,const void *src,size_t n)
480 do { *d++ = *s++; } while (--n);
485 #elif defined(_MSC_VER)
487 * Unlike GCC these are real functions. In order to minimize impact
488 * on performance we adhere to __fastcall calling convention in
489 * order to get two first arguments passed through %ecx and %edx.
490 * Which kind of suits very well, as instructions in question use
491 * both %ecx and %edx as input:-)
493 #define REP_XCRYPT(code) \
495 _asm _emit 0x0f _asm _emit 0xa7 \
499 * The offsets used with 'lea' instructions
500 * describe items of the 'padlock_cipher_data'
503 #define PADLOCK_XCRYPT_ASM(name,code) \
504 static void * __fastcall \
505 name (size_t cnt, void *cdata, \
506 void *outp, const void *inp) \
508 _asm lea edx,[eax+16] \
509 _asm lea ebx,[eax+32] \
515 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb,0xc8)
516 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc,0xd0)
517 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb,0xe0)
518 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb,0xe8)
520 static int __fastcall
521 padlock_xstore(void *outp,unsigned int code)
523 _asm _emit 0x0f _asm _emit 0xa7 _asm _emit 0xc0
526 static void __fastcall
527 padlock_reload_key(void)
528 { _asm pushfd _asm popfd }
530 static void __fastcall
531 padlock_verify_context(void *cdata)
536 cmp ecx,padlock_saved_context
541 mov padlock_saved_context,ecx
546 padlock_available(void)
581 mov padlock_use_ace,1
587 mov padlock_use_rng,1
594 static void __fastcall
595 padlock_bswapl(void *key)
610 /* MS actually specifies status of Direction Flag and compiler even
611 * manages to compile following as 'rep movsd' all by itself...
613 #define padlock_memcpy(o,i,n) ((unsigned char *)memcpy((o),(i),(n)&~3U))
616 /* ===== AES encryption/decryption ===== */
617 #ifndef OPENSSL_NO_AES
619 #if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
620 #define NID_aes_128_cfb NID_aes_128_cfb128
623 #if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
624 #define NID_aes_128_ofb NID_aes_128_ofb128
627 #if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
628 #define NID_aes_192_cfb NID_aes_192_cfb128
631 #if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
632 #define NID_aes_192_ofb NID_aes_192_ofb128
635 #if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
636 #define NID_aes_256_cfb NID_aes_256_cfb128
639 #if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
640 #define NID_aes_256_ofb NID_aes_256_ofb128
643 /* List of supported ciphers. */
644 static int padlock_cipher_nids[] = {
653 NID_aes_192_cfb, /* FIXME: AES192/256 CFB/OFB don't work. */
664 static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids)/
665 sizeof(padlock_cipher_nids[0]));
667 /* Function prototypes ... */
668 static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
669 const unsigned char *iv, int enc);
670 static int padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
671 const unsigned char *in, size_t nbytes);
673 #define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \
674 ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F ) )
675 #define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
676 NEAREST_ALIGNED(ctx->cipher_data))
678 /* Declaring so many ciphers by hand would be a pain.
679 Instead introduce a bit of preprocessor magic :-) */
680 #define DECLARE_AES_EVP(ksize,lmode,umode) \
681 static const EVP_CIPHER padlock_aes_##ksize##_##lmode = { \
682 NID_aes_##ksize##_##lmode, \
684 AES_KEY_SIZE_##ksize, \
686 0 | EVP_CIPH_##umode##_MODE, \
687 padlock_aes_init_key, \
688 padlock_aes_cipher, \
690 sizeof(struct padlock_cipher_data) + 16, \
691 EVP_CIPHER_set_asn1_iv, \
692 EVP_CIPHER_get_asn1_iv, \
697 DECLARE_AES_EVP(128,ecb,ECB);
698 DECLARE_AES_EVP(128,cbc,CBC);
699 DECLARE_AES_EVP(128,cfb,CFB);
700 DECLARE_AES_EVP(128,ofb,OFB);
702 DECLARE_AES_EVP(192,ecb,ECB);
703 DECLARE_AES_EVP(192,cbc,CBC);
704 DECLARE_AES_EVP(192,cfb,CFB);
705 DECLARE_AES_EVP(192,ofb,OFB);
707 DECLARE_AES_EVP(256,ecb,ECB);
708 DECLARE_AES_EVP(256,cbc,CBC);
709 DECLARE_AES_EVP(256,cfb,CFB);
710 DECLARE_AES_EVP(256,ofb,OFB);
713 padlock_ciphers (ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid)
715 /* No specific cipher => return a list of supported nids ... */
717 *nids = padlock_cipher_nids;
718 return padlock_cipher_nids_num;
721 /* ... or the requested "cipher" otherwise */
723 case NID_aes_128_ecb:
724 *cipher = &padlock_aes_128_ecb;
726 case NID_aes_128_cbc:
727 *cipher = &padlock_aes_128_cbc;
729 case NID_aes_128_cfb:
730 *cipher = &padlock_aes_128_cfb;
732 case NID_aes_128_ofb:
733 *cipher = &padlock_aes_128_ofb;
736 case NID_aes_192_ecb:
737 *cipher = &padlock_aes_192_ecb;
739 case NID_aes_192_cbc:
740 *cipher = &padlock_aes_192_cbc;
742 case NID_aes_192_cfb:
743 *cipher = &padlock_aes_192_cfb;
745 case NID_aes_192_ofb:
746 *cipher = &padlock_aes_192_ofb;
749 case NID_aes_256_ecb:
750 *cipher = &padlock_aes_256_ecb;
752 case NID_aes_256_cbc:
753 *cipher = &padlock_aes_256_cbc;
755 case NID_aes_256_cfb:
756 *cipher = &padlock_aes_256_cfb;
758 case NID_aes_256_ofb:
759 *cipher = &padlock_aes_256_ofb;
763 /* Sorry, we don't support this NID */
771 /* Prepare the encryption key for PadLock usage */
773 padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
774 const unsigned char *iv, int enc)
776 struct padlock_cipher_data *cdata;
777 int key_len = EVP_CIPHER_CTX_key_length(ctx) * 8;
779 if (key==NULL) return 0; /* ERROR */
781 cdata = ALIGNED_CIPHER_DATA(ctx);
782 memset(cdata, 0, sizeof(struct padlock_cipher_data));
784 /* Prepare Control word. */
785 cdata->cword.b.encdec = (ctx->encrypt == 0);
786 cdata->cword.b.rounds = 10 + (key_len - 128) / 32;
787 cdata->cword.b.ksize = (key_len - 128) / 64;
791 /* PadLock can generate an extended key for
792 AES128 in hardware */
793 memcpy(cdata->ks.rd_key, key, AES_KEY_SIZE_128);
794 cdata->cword.b.keygen = 0;
799 /* Generate an extended AES key in software.
800 Needed for AES192/AES256 */
801 /* Well, the above applies to Stepping 8 CPUs
802 and is listed as hardware errata. They most
803 likely will fix it at some point and then
804 a check for stepping would be due here. */
806 AES_set_encrypt_key(key, key_len, &cdata->ks);
808 AES_set_decrypt_key(key, key_len, &cdata->ks);
810 /* OpenSSL C functions use byte-swapped extended key. */
811 padlock_bswapl(&cdata->ks);
813 cdata->cword.b.keygen = 1;
822 * This is done to cover for cases when user reuses the
823 * context for new key. The catch is that if we don't do
824 * this, padlock_eas_cipher might proceed with old key...
826 padlock_reload_key ();
832 * Simplified version of padlock_aes_cipher() used when
833 * 1) both input and output buffers are at aligned addresses.
835 * 2) running on a newer CPU that doesn't require aligned buffers.
838 padlock_aes_cipher_omnivorous(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
839 const unsigned char *in_arg, size_t nbytes)
841 struct padlock_cipher_data *cdata;
844 cdata = ALIGNED_CIPHER_DATA(ctx);
845 padlock_verify_context(cdata);
847 switch (EVP_CIPHER_CTX_mode(ctx)) {
848 case EVP_CIPH_ECB_MODE:
849 padlock_xcrypt_ecb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
852 case EVP_CIPH_CBC_MODE:
853 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
854 iv = padlock_xcrypt_cbc(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
855 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
858 case EVP_CIPH_CFB_MODE:
859 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
860 iv = padlock_xcrypt_cfb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
861 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
864 case EVP_CIPH_OFB_MODE:
865 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
866 padlock_xcrypt_ofb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
867 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
874 memset(cdata->iv, 0, AES_BLOCK_SIZE);
879 #ifndef PADLOCK_CHUNK
880 # define PADLOCK_CHUNK 4096 /* Must be a power of 2 larger than 16 */
882 #if PADLOCK_CHUNK<16 || PADLOCK_CHUNK&(PADLOCK_CHUNK-1)
883 # error "insane PADLOCK_CHUNK..."
886 /* Re-align the arguments to 16-Bytes boundaries and run the
887 encryption function itself. This function is not AES-specific. */
889 padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
890 const unsigned char *in_arg, size_t nbytes)
892 struct padlock_cipher_data *cdata;
896 int inp_misaligned, out_misaligned, realign_in_loop;
897 size_t chunk, allocated=0;
901 if (nbytes % AES_BLOCK_SIZE)
902 return 0; /* are we expected to do tail processing? */
904 /* VIA promises CPUs that won't require alignment in the future.
905 For now padlock_aes_align_required is initialized to 1 and
906 the condition is never met... */
907 if (!padlock_aes_align_required)
908 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
910 inp_misaligned = (((size_t)in_arg) & 0x0F);
911 out_misaligned = (((size_t)out_arg) & 0x0F);
913 /* Note that even if output is aligned and input not,
914 * I still prefer to loop instead of copy the whole
915 * input and then encrypt in one stroke. This is done
916 * in order to improve L1 cache utilization... */
917 realign_in_loop = out_misaligned|inp_misaligned;
919 if (!realign_in_loop)
920 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
922 /* this takes one "if" out of the loops */
924 chunk %= PADLOCK_CHUNK;
925 if (chunk==0) chunk = PADLOCK_CHUNK;
927 if (out_misaligned) {
928 /* optmize for small input */
929 allocated = (chunk<nbytes?PADLOCK_CHUNK:nbytes);
930 out = alloca(0x10 + allocated);
931 out = NEAREST_ALIGNED(out);
936 cdata = ALIGNED_CIPHER_DATA(ctx);
937 padlock_verify_context(cdata);
939 switch (EVP_CIPHER_CTX_mode(ctx)) {
940 case EVP_CIPH_ECB_MODE:
943 inp = padlock_memcpy(out, in_arg, chunk);
948 padlock_xcrypt_ecb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
951 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
953 out = out_arg+=chunk;
956 chunk = PADLOCK_CHUNK;
960 case EVP_CIPH_CBC_MODE:
961 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
965 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
966 chunk = PADLOCK_CHUNK;
967 cbc_shortcut: /* optimize for small input */
969 inp = padlock_memcpy(out, in_arg, chunk);
974 iv = padlock_xcrypt_cbc(chunk/AES_BLOCK_SIZE, cdata, out, inp);
977 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
979 out = out_arg+=chunk;
981 } while (nbytes -= chunk);
982 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
985 case EVP_CIPH_CFB_MODE:
986 memcpy (cdata->iv, ctx->iv, AES_BLOCK_SIZE);
990 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
991 chunk = PADLOCK_CHUNK;
992 cfb_shortcut: /* optimize for small input */
994 inp = padlock_memcpy(out, in_arg, chunk);
999 iv = padlock_xcrypt_cfb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1002 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1004 out = out_arg+=chunk;
1006 } while (nbytes -= chunk);
1007 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
1010 case EVP_CIPH_OFB_MODE:
1011 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
1014 inp = padlock_memcpy(out, in_arg, chunk);
1019 padlock_xcrypt_ofb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1022 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1024 out = out_arg+=chunk;
1027 chunk = PADLOCK_CHUNK;
1029 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
1036 /* Clean the realign buffer if it was used */
1037 if (out_misaligned) {
1038 volatile unsigned long *p=(void *)out;
1039 size_t n = allocated/sizeof(*p);
1043 memset(cdata->iv, 0, AES_BLOCK_SIZE);
1048 #endif /* OPENSSL_NO_AES */
1050 /* ===== Random Number Generator ===== */
1052 * This code is not engaged. The reason is that it does not comply
1053 * with recommendations for VIA RNG usage for secure applications
1054 * (posted at http://www.via.com.tw/en/viac3/c3.jsp) nor does it
1055 * provide meaningful error control...
1057 /* Wrapper that provides an interface between the API and
1058 the raw PadLock RNG */
1060 padlock_rand_bytes(unsigned char *output, int count)
1062 unsigned int eax, buf;
1064 while (count >= 8) {
1065 eax = padlock_xstore(output, 0);
1066 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1067 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1068 if (eax&(0x1F<<10)) return 0;
1069 if ((eax&0x1F)==0) continue; /* no data, retry... */
1070 if ((eax&0x1F)!=8) return 0; /* fatal failure... */
1075 eax = padlock_xstore(&buf, 3);
1076 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1077 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1078 if (eax&(0x1F<<10)) return 0;
1079 if ((eax&0x1F)==0) continue; /* no data, retry... */
1080 if ((eax&0x1F)!=1) return 0; /* fatal failure... */
1081 *output++ = (unsigned char)buf;
1084 *(volatile unsigned int *)&buf=0;
1089 /* Dummy but necessary function */
1091 padlock_rand_status(void)
1096 /* Prepare structure for registration */
1097 static RAND_METHOD padlock_rand = {
1099 padlock_rand_bytes, /* bytes */
1102 padlock_rand_bytes, /* pseudorand */
1103 padlock_rand_status, /* rand status */
1106 #endif /* COMPILE_HW_PADLOCK */
1108 #endif /* !OPENSSL_NO_HW_PADLOCK */
1109 #endif /* !OPENSSL_NO_HW */