2 * Support for VIA PadLock Advanced Cryptography Engine (ACE)
3 * Written by Michal Ludvig <michal@logix.cz>
4 * http://www.logix.cz/michal
6 * Big thanks to Andy Polyakov for a help with optimization,
7 * assembler fixes, port to MS Windows and a lot of other
8 * valuable work on this engine!
11 /* ====================================================================
12 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in
23 * the documentation and/or other materials provided with the
26 * 3. All advertising materials mentioning features or use of this
27 * software must display the following acknowledgment:
28 * "This product includes software developed by the OpenSSL Project
29 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
31 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
32 * endorse or promote products derived from this software without
33 * prior written permission. For written permission, please contact
34 * licensing@OpenSSL.org.
36 * 5. Products derived from this software may not be called "OpenSSL"
37 * nor may "OpenSSL" appear in their names without prior written
38 * permission of the OpenSSL Project.
40 * 6. Redistributions of any form whatsoever must retain the following
42 * "This product includes software developed by the OpenSSL Project
43 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
45 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
46 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
48 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
49 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
51 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
52 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
54 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
55 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
56 * OF THE POSSIBILITY OF SUCH DAMAGE.
57 * ====================================================================
59 * This product includes cryptographic software written by Eric Young
60 * (eay@cryptsoft.com). This product includes software written by Tim
61 * Hudson (tjh@cryptsoft.com).
69 #include <openssl/opensslconf.h>
70 #include <openssl/crypto.h>
71 #include <openssl/dso.h>
72 #include <openssl/engine.h>
73 #include <openssl/evp.h>
74 #ifndef OPENSSL_NO_AES
75 #include <openssl/aes.h>
77 #include <openssl/rand.h>
78 #include <openssl/err.h>
81 #ifndef OPENSSL_NO_HW_PADLOCK
83 /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
84 #if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
85 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
86 # define DYNAMIC_ENGINE
88 #elif (OPENSSL_VERSION_NUMBER >= 0x00907000L)
89 # ifdef ENGINE_DYNAMIC_SUPPORT
90 # define DYNAMIC_ENGINE
93 # error "Only OpenSSL >= 0.9.7 is supported"
96 /* VIA PadLock AES is available *ONLY* on some x86 CPUs.
97 Not only that it doesn't exist elsewhere, but it
98 even can't be compiled on other platforms!
100 In addition, because of the heavy use of inline assembler,
101 compiler choice is limited to GCC and Microsoft C. */
102 #undef COMPILE_HW_PADLOCK
103 #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
104 # if (defined(__GNUC__) && __GNUC__>=2 && \
105 (defined(__i386__) || defined(__i386) || \
106 defined(__x86_64__) || defined(__x86_64)) \
108 (defined(_MSC_VER) && defined(_M_IX86))
109 # define COMPILE_HW_PADLOCK
110 static ENGINE *ENGINE_padlock (void);
114 void ENGINE_load_padlock (void)
116 /* On non-x86 CPUs it just returns. */
117 #ifdef COMPILE_HW_PADLOCK
118 ENGINE *toadd = ENGINE_padlock ();
126 #ifdef COMPILE_HW_PADLOCK
127 /* We do these includes here to avoid header problems on platforms that
128 do not have the VIA padlock anyway... */
133 # define alloca _alloca
135 #elif defined(__GNUC__)
137 # define alloca(s) __builtin_alloca((s))
141 /* Function for ENGINE detection and control */
142 static int padlock_available(void);
143 static int padlock_init(ENGINE *e);
146 static RAND_METHOD padlock_rand;
149 #ifndef OPENSSL_NO_AES
150 static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
154 static const char *padlock_id = "padlock";
155 static char padlock_name[100];
157 /* Available features */
158 static int padlock_use_ace = 0; /* Advanced Cryptography Engine */
159 static int padlock_use_rng = 0; /* Random Number Generator */
160 #ifndef OPENSSL_NO_AES
161 static int padlock_aes_align_required = 1;
164 /* ===== Engine "management" functions ===== */
166 /* Prepare the ENGINE structure for registration */
168 padlock_bind_helper(ENGINE *e)
170 /* Check available features */
173 #if 1 /* disable RNG for now, see commentary in vicinity of RNG code */
177 /* Generate a nice engine name with available features */
178 BIO_snprintf(padlock_name, sizeof(padlock_name),
179 "VIA PadLock (%s, %s)",
180 padlock_use_rng ? "RNG" : "no-RNG",
181 padlock_use_ace ? "ACE" : "no-ACE");
183 /* Register everything or return with an error */
184 if (!ENGINE_set_id(e, padlock_id) ||
185 !ENGINE_set_name(e, padlock_name) ||
187 !ENGINE_set_init_function(e, padlock_init) ||
188 #ifndef OPENSSL_NO_AES
189 (padlock_use_ace && !ENGINE_set_ciphers (e, padlock_ciphers)) ||
191 (padlock_use_rng && !ENGINE_set_RAND (e, &padlock_rand))) {
195 /* Everything looks good */
203 ENGINE *eng = ENGINE_new();
209 if (!padlock_bind_helper(eng)) {
217 /* Check availability of the engine */
219 padlock_init(ENGINE *e)
221 return (padlock_use_rng || padlock_use_ace);
224 /* This stuff is needed if this ENGINE is being compiled into a self-contained
227 #ifdef DYNAMIC_ENGINE
229 padlock_bind_fn(ENGINE *e, const char *id)
231 if (id && (strcmp(id, padlock_id) != 0)) {
235 if (!padlock_bind_helper(e)) {
242 IMPLEMENT_DYNAMIC_CHECK_FN()
243 IMPLEMENT_DYNAMIC_BIND_FN (padlock_bind_fn)
244 #endif /* DYNAMIC_ENGINE */
246 /* ===== Here comes the "real" engine ===== */
248 #ifndef OPENSSL_NO_AES
249 /* Some AES-related constants */
250 #define AES_BLOCK_SIZE 16
251 #define AES_KEY_SIZE_128 16
252 #define AES_KEY_SIZE_192 24
253 #define AES_KEY_SIZE_256 32
255 /* Here we store the status information relevant to the
258 * Inline assembler in PADLOCK_XCRYPT_ASM()
259 * depends on the order of items in this structure.
260 * Don't blindly modify, reorder, etc!
262 struct padlock_cipher_data
264 unsigned char iv[AES_BLOCK_SIZE]; /* Initialization vector */
265 union { unsigned int pad[4];
268 int dgst:1; /* n/a in C3 */
269 int align:1; /* n/a in C3 */
270 int ciphr:1; /* n/a in C3 */
271 unsigned int keygen:1;
273 unsigned int encdec:1;
276 } cword; /* Control word */
277 AES_KEY ks; /* Encryption key */
281 * Essentially this variable belongs in thread local storage.
282 * Having this variable global on the other hand can only cause
283 * few bogus key reloads [if any at all on single-CPU system],
284 * so we accept the penatly...
286 static volatile struct padlock_cipher_data *padlock_saved_context;
290 * =======================================================
291 * Inline assembler section(s).
292 * =======================================================
293 * Order of arguments is chosen to facilitate Windows port
294 * using __fastcall calling convention. If you wish to add
295 * more routines, keep in mind that first __fastcall
296 * argument is passed in %ecx and second - in %edx.
297 * =======================================================
299 #if defined(__GNUC__) && __GNUC__>=2
300 #if defined(__i386__) || defined(__i386)
302 * As for excessive "push %ebx"/"pop %ebx" found all over.
303 * When generating position-independent code GCC won't let
304 * us use "b" in assembler templates nor even respect "ebx"
305 * in "clobber description." Therefore the trouble...
308 /* Helper function - check if a CPUID instruction
309 is available on this CPU */
311 padlock_insn_cpuid_available(void)
315 /* We're checking if the bit #21 of EFLAGS
316 can be toggled. If yes = CPUID is available. */
320 "xorl $0x200000, %%eax\n"
321 "movl %%eax, %%ecx\n"
322 "andl $0x200000, %%ecx\n"
327 "andl $0x200000, %%eax\n"
328 "xorl %%eax, %%ecx\n"
330 : "=r" (result) : : "eax", "ecx");
332 return (result == 0);
335 /* Load supported features of the CPU to see if
336 the PadLock is available. */
338 padlock_available(void)
340 char vendor_string[16];
341 unsigned int eax, edx;
343 /* First check if the CPUID instruction is available at all... */
344 if (! padlock_insn_cpuid_available())
347 /* Are we running on the Centaur (VIA) CPU? */
349 vendor_string[12] = 0;
353 "movl %%ebx,(%%edi)\n"
354 "movl %%edx,4(%%edi)\n"
355 "movl %%ecx,8(%%edi)\n"
357 : "+a"(eax) : "D"(vendor_string) : "ecx", "edx");
358 if (strcmp(vendor_string, "CentaurHauls") != 0)
361 /* Check for Centaur Extended Feature Flags presence */
363 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
364 : "+a"(eax) : : "ecx", "edx");
365 if (eax < 0xC0000001)
368 /* Read the Centaur Extended Feature Flags */
370 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
371 : "+a"(eax), "=d"(edx) : : "ecx");
373 /* Fill up some flags */
374 padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
375 padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
377 return padlock_use_ace + padlock_use_rng;
380 /* Force key reload from memory to the CPU microcode.
381 Loading EFLAGS from the stack clears EFLAGS[30]
382 which does the trick. */
384 padlock_reload_key(void)
386 asm volatile ("pushfl; popfl");
389 #ifndef OPENSSL_NO_AES
391 * This is heuristic key context tracing. At first one
392 * believes that one should use atomic swap instructions,
393 * but it's not actually necessary. Point is that if
394 * padlock_saved_context was changed by another thread
395 * after we've read it and before we compare it with cdata,
396 * our key *shall* be reloaded upon thread context switch
397 * and we are therefore set in either case...
400 padlock_verify_context(struct padlock_cipher_data *cdata)
412 :"+m"(padlock_saved_context)
413 : "r"(padlock_saved_context), "r"(cdata) : "cc");
416 /* Template for padlock_xcrypt_* modes */
418 * The offsets used with 'leal' instructions
419 * describe items of the 'padlock_cipher_data'
422 #define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
423 static inline void *name(size_t cnt, \
424 struct padlock_cipher_data *cdata, \
425 void *out, const void *inp) \
427 asm volatile ( "pushl %%ebx\n" \
428 " leal 16(%0),%%edx\n" \
429 " leal 32(%0),%%ebx\n" \
432 : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
433 : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
434 : "edx", "cc", "memory"); \
439 #elif defined(__x86_64__) || defined(__x86_64)
441 /* Load supported features of the CPU to see if
442 the PadLock is available. */
444 padlock_available(void)
446 char vendor_string[16];
447 unsigned int eax, edx;
449 /* Are we running on the Centaur (VIA) CPU? */
451 vendor_string[12] = 0;
457 : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
458 if (strcmp(vendor_string, "CentaurHauls") != 0)
461 /* Check for Centaur Extended Feature Flags presence */
463 asm volatile ("cpuid"
464 : "+a"(eax) : : "rbx", "rcx", "rdx");
465 if (eax < 0xC0000001)
468 /* Read the Centaur Extended Feature Flags */
470 asm volatile ("cpuid"
471 : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
473 /* Fill up some flags */
474 padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
475 padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
477 return padlock_use_ace + padlock_use_rng;
480 /* Force key reload from memory to the CPU microcode.
481 Loading EFLAGS from the stack clears EFLAGS[30]
482 which does the trick. */
484 padlock_reload_key(void)
486 asm volatile ("pushfq; popfq");
489 #ifndef OPENSSL_NO_AES
491 * This is heuristic key context tracing. At first one
492 * believes that one should use atomic swap instructions,
493 * but it's not actually necessary. Point is that if
494 * padlock_saved_context was changed by another thread
495 * after we've read it and before we compare it with cdata,
496 * our key *shall* be reloaded upon thread context switch
497 * and we are therefore set in either case...
500 padlock_verify_context(struct padlock_cipher_data *cdata)
512 :"+m"(padlock_saved_context)
513 : "r"(padlock_saved_context), "r"(cdata) : "cc");
516 /* Template for padlock_xcrypt_* modes */
518 * The offsets used with 'leal' instructions
519 * describe items of the 'padlock_cipher_data'
522 #define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
523 static inline void *name(size_t cnt, \
524 struct padlock_cipher_data *cdata, \
525 void *out, const void *inp) \
527 asm volatile ( "leaq 16(%0),%%rdx\n" \
528 " leaq 32(%0),%%rbx\n" \
530 : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
531 : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
532 : "rbx", "rdx", "cc", "memory"); \
539 #ifndef OPENSSL_NO_AES
540 /* Generate all functions with appropriate opcodes */
541 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
542 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
543 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
544 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
546 /* Our own htonl()/ntohl() */
548 padlock_bswapl(AES_KEY *ks)
550 size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
551 unsigned int *key = ks->rd_key;
554 asm volatile ("bswapl %0" : "+r"(*key));
560 /* The RNG call itself */
561 static inline unsigned int
562 padlock_xstore(void *addr, unsigned int edx_in)
564 unsigned int eax_out;
566 asm volatile (".byte 0x0f,0xa7,0xc0" /* xstore */
567 : "=a"(eax_out),"=m"(*(unsigned *)addr)
568 : "D"(addr), "d" (edx_in)
574 /* Why not inline 'rep movsd'? I failed to find information on what
575 * value in Direction Flag one can expect and consequently have to
576 * apply "better-safe-than-sorry" approach and assume "undefined."
577 * I could explicitly clear it and restore the original value upon
578 * return from padlock_aes_cipher, but it's presumably too much
579 * trouble for too little gain...
581 * In case you wonder 'rep xcrypt*' instructions above are *not*
582 * affected by the Direction Flag and pointers advance toward
583 * larger addresses unconditionally.
585 static inline unsigned char *
586 padlock_memcpy(void *dst,const void *src,size_t n)
592 do { *d++ = *s++; } while (--n);
597 #elif defined(_MSC_VER)
599 * Unlike GCC these are real functions. In order to minimize impact
600 * on performance we adhere to __fastcall calling convention in
601 * order to get two first arguments passed through %ecx and %edx.
602 * Which kind of suits very well, as instructions in question use
603 * both %ecx and %edx as input:-)
605 #define REP_XCRYPT(code) \
607 _asm _emit 0x0f _asm _emit 0xa7 \
611 * The offsets used with 'lea' instructions
612 * describe items of the 'padlock_cipher_data'
615 #define PADLOCK_XCRYPT_ASM(name,code) \
616 static void * __fastcall \
617 name (size_t cnt, void *cdata, \
618 void *outp, const void *inp) \
620 _asm lea edx,[eax+16] \
621 _asm lea ebx,[eax+32] \
627 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb,0xc8)
628 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc,0xd0)
629 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb,0xe0)
630 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb,0xe8)
632 static int __fastcall
633 padlock_xstore(void *outp,unsigned int code)
635 _asm _emit 0x0f _asm _emit 0xa7 _asm _emit 0xc0
638 static void __fastcall
639 padlock_reload_key(void)
640 { _asm pushfd _asm popfd }
642 static void __fastcall
643 padlock_verify_context(void *cdata)
648 cmp ecx,padlock_saved_context
653 mov padlock_saved_context,ecx
658 padlock_available(void)
693 mov padlock_use_ace,1
699 mov padlock_use_rng,1
706 static void __fastcall
707 padlock_bswapl(void *key)
722 /* MS actually specifies status of Direction Flag and compiler even
723 * manages to compile following as 'rep movsd' all by itself...
725 #define padlock_memcpy(o,i,n) ((unsigned char *)memcpy((o),(i),(n)&~3U))
728 /* ===== AES encryption/decryption ===== */
729 #ifndef OPENSSL_NO_AES
731 #if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
732 #define NID_aes_128_cfb NID_aes_128_cfb128
735 #if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
736 #define NID_aes_128_ofb NID_aes_128_ofb128
739 #if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
740 #define NID_aes_192_cfb NID_aes_192_cfb128
743 #if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
744 #define NID_aes_192_ofb NID_aes_192_ofb128
747 #if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
748 #define NID_aes_256_cfb NID_aes_256_cfb128
751 #if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
752 #define NID_aes_256_ofb NID_aes_256_ofb128
755 /* List of supported ciphers. */
756 static int padlock_cipher_nids[] = {
772 static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids)/
773 sizeof(padlock_cipher_nids[0]));
775 /* Function prototypes ... */
776 static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
777 const unsigned char *iv, int enc);
778 static int padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
779 const unsigned char *in, size_t nbytes);
781 #define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \
782 ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F ) )
783 #define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
784 NEAREST_ALIGNED(ctx->cipher_data))
786 #define EVP_CIPHER_block_size_ECB AES_BLOCK_SIZE
787 #define EVP_CIPHER_block_size_CBC AES_BLOCK_SIZE
788 #define EVP_CIPHER_block_size_OFB 1
789 #define EVP_CIPHER_block_size_CFB 1
791 /* Declaring so many ciphers by hand would be a pain.
792 Instead introduce a bit of preprocessor magic :-) */
793 #define DECLARE_AES_EVP(ksize,lmode,umode) \
794 static const EVP_CIPHER padlock_aes_##ksize##_##lmode = { \
795 NID_aes_##ksize##_##lmode, \
796 EVP_CIPHER_block_size_##umode, \
797 AES_KEY_SIZE_##ksize, \
799 0 | EVP_CIPH_##umode##_MODE, \
800 padlock_aes_init_key, \
801 padlock_aes_cipher, \
803 sizeof(struct padlock_cipher_data) + 16, \
804 EVP_CIPHER_set_asn1_iv, \
805 EVP_CIPHER_get_asn1_iv, \
810 DECLARE_AES_EVP(128,ecb,ECB);
811 DECLARE_AES_EVP(128,cbc,CBC);
812 DECLARE_AES_EVP(128,cfb,CFB);
813 DECLARE_AES_EVP(128,ofb,OFB);
815 DECLARE_AES_EVP(192,ecb,ECB);
816 DECLARE_AES_EVP(192,cbc,CBC);
817 DECLARE_AES_EVP(192,cfb,CFB);
818 DECLARE_AES_EVP(192,ofb,OFB);
820 DECLARE_AES_EVP(256,ecb,ECB);
821 DECLARE_AES_EVP(256,cbc,CBC);
822 DECLARE_AES_EVP(256,cfb,CFB);
823 DECLARE_AES_EVP(256,ofb,OFB);
826 padlock_ciphers (ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid)
828 /* No specific cipher => return a list of supported nids ... */
830 *nids = padlock_cipher_nids;
831 return padlock_cipher_nids_num;
834 /* ... or the requested "cipher" otherwise */
836 case NID_aes_128_ecb:
837 *cipher = &padlock_aes_128_ecb;
839 case NID_aes_128_cbc:
840 *cipher = &padlock_aes_128_cbc;
842 case NID_aes_128_cfb:
843 *cipher = &padlock_aes_128_cfb;
845 case NID_aes_128_ofb:
846 *cipher = &padlock_aes_128_ofb;
849 case NID_aes_192_ecb:
850 *cipher = &padlock_aes_192_ecb;
852 case NID_aes_192_cbc:
853 *cipher = &padlock_aes_192_cbc;
855 case NID_aes_192_cfb:
856 *cipher = &padlock_aes_192_cfb;
858 case NID_aes_192_ofb:
859 *cipher = &padlock_aes_192_ofb;
862 case NID_aes_256_ecb:
863 *cipher = &padlock_aes_256_ecb;
865 case NID_aes_256_cbc:
866 *cipher = &padlock_aes_256_cbc;
868 case NID_aes_256_cfb:
869 *cipher = &padlock_aes_256_cfb;
871 case NID_aes_256_ofb:
872 *cipher = &padlock_aes_256_ofb;
876 /* Sorry, we don't support this NID */
884 /* Prepare the encryption key for PadLock usage */
886 padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
887 const unsigned char *iv, int enc)
889 struct padlock_cipher_data *cdata;
890 int key_len = EVP_CIPHER_CTX_key_length(ctx) * 8;
892 if (key==NULL) return 0; /* ERROR */
894 cdata = ALIGNED_CIPHER_DATA(ctx);
895 memset(cdata, 0, sizeof(struct padlock_cipher_data));
897 /* Prepare Control word. */
898 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE)
899 cdata->cword.b.encdec = 0;
901 cdata->cword.b.encdec = (ctx->encrypt == 0);
902 cdata->cword.b.rounds = 10 + (key_len - 128) / 32;
903 cdata->cword.b.ksize = (key_len - 128) / 64;
907 /* PadLock can generate an extended key for
908 AES128 in hardware */
909 memcpy(cdata->ks.rd_key, key, AES_KEY_SIZE_128);
910 cdata->cword.b.keygen = 0;
915 /* Generate an extended AES key in software.
916 Needed for AES192/AES256 */
917 /* Well, the above applies to Stepping 8 CPUs
918 and is listed as hardware errata. They most
919 likely will fix it at some point and then
920 a check for stepping would be due here. */
921 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CFB_MODE ||
922 EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE ||
924 AES_set_encrypt_key(key, key_len, &cdata->ks);
926 AES_set_decrypt_key(key, key_len, &cdata->ks);
928 /* OpenSSL C functions use byte-swapped extended key. */
929 padlock_bswapl(&cdata->ks);
931 cdata->cword.b.keygen = 1;
940 * This is done to cover for cases when user reuses the
941 * context for new key. The catch is that if we don't do
942 * this, padlock_eas_cipher might proceed with old key...
944 padlock_reload_key ();
950 * Simplified version of padlock_aes_cipher() used when
951 * 1) both input and output buffers are at aligned addresses.
953 * 2) running on a newer CPU that doesn't require aligned buffers.
956 padlock_aes_cipher_omnivorous(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
957 const unsigned char *in_arg, size_t nbytes)
959 struct padlock_cipher_data *cdata;
962 cdata = ALIGNED_CIPHER_DATA(ctx);
963 padlock_verify_context(cdata);
965 switch (EVP_CIPHER_CTX_mode(ctx)) {
966 case EVP_CIPH_ECB_MODE:
967 padlock_xcrypt_ecb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
970 case EVP_CIPH_CBC_MODE:
971 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
972 iv = padlock_xcrypt_cbc(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
973 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
976 case EVP_CIPH_CFB_MODE:
977 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
978 iv = padlock_xcrypt_cfb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
979 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
982 case EVP_CIPH_OFB_MODE:
983 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
984 padlock_xcrypt_ofb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
985 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
992 memset(cdata->iv, 0, AES_BLOCK_SIZE);
997 #ifndef PADLOCK_CHUNK
998 # define PADLOCK_CHUNK 512 /* Must be a power of 2 larger than 16 */
1000 #if PADLOCK_CHUNK<16 || PADLOCK_CHUNK&(PADLOCK_CHUNK-1)
1001 # error "insane PADLOCK_CHUNK..."
1004 /* Re-align the arguments to 16-Bytes boundaries and run the
1005 encryption function itself. This function is not AES-specific. */
1007 padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
1008 const unsigned char *in_arg, size_t nbytes)
1010 struct padlock_cipher_data *cdata;
1014 int inp_misaligned, out_misaligned, realign_in_loop;
1015 size_t chunk, allocated=0;
1017 /* ctx->num is maintained in byte-oriented modes,
1018 such as CFB and OFB... */
1019 if ((chunk = ctx->num)) { /* borrow chunk variable */
1020 unsigned char *ivp=ctx->iv;
1022 switch (EVP_CIPHER_CTX_mode(ctx)) {
1023 case EVP_CIPH_CFB_MODE:
1024 if (chunk >= AES_BLOCK_SIZE)
1025 return 0; /* bogus value */
1028 while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
1029 ivp[chunk] = *(out_arg++) = *(in_arg++) ^ ivp[chunk];
1032 else while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
1033 unsigned char c = *(in_arg++);
1034 *(out_arg++) = c ^ ivp[chunk];
1035 ivp[chunk++] = c, nbytes--;
1038 ctx->num = chunk%AES_BLOCK_SIZE;
1040 case EVP_CIPH_OFB_MODE:
1041 if (chunk >= AES_BLOCK_SIZE)
1042 return 0; /* bogus value */
1044 while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
1045 *(out_arg++) = *(in_arg++) ^ ivp[chunk];
1049 ctx->num = chunk%AES_BLOCK_SIZE;
1057 if (nbytes % AES_BLOCK_SIZE)
1058 return 0; /* are we expected to do tail processing? */
1060 /* nbytes is always multiple of AES_BLOCK_SIZE in ECB and CBC
1061 modes and arbitrary value in byte-oriented modes, such as
1065 /* VIA promises CPUs that won't require alignment in the future.
1066 For now padlock_aes_align_required is initialized to 1 and
1067 the condition is never met... */
1068 /* C7 core is capable to manage unaligned input in non-ECB[!]
1069 mode, but performance penalties appear to be approximately
1070 same as for software alignment below or ~3x. They promise to
1071 improve it in the future, but for now we can just as well
1072 pretend that it can only handle aligned input... */
1073 if (!padlock_aes_align_required && (nbytes%AES_BLOCK_SIZE)==0)
1074 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
1076 inp_misaligned = (((size_t)in_arg) & 0x0F);
1077 out_misaligned = (((size_t)out_arg) & 0x0F);
1079 /* Note that even if output is aligned and input not,
1080 * I still prefer to loop instead of copy the whole
1081 * input and then encrypt in one stroke. This is done
1082 * in order to improve L1 cache utilization... */
1083 realign_in_loop = out_misaligned|inp_misaligned;
1085 if (!realign_in_loop && (nbytes%AES_BLOCK_SIZE)==0)
1086 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
1088 /* this takes one "if" out of the loops */
1090 chunk %= PADLOCK_CHUNK;
1091 if (chunk==0) chunk = PADLOCK_CHUNK;
1093 if (out_misaligned) {
1094 /* optmize for small input */
1095 allocated = (chunk<nbytes?PADLOCK_CHUNK:nbytes);
1096 out = alloca(0x10 + allocated);
1097 out = NEAREST_ALIGNED(out);
1102 cdata = ALIGNED_CIPHER_DATA(ctx);
1103 padlock_verify_context(cdata);
1105 switch (EVP_CIPHER_CTX_mode(ctx)) {
1106 case EVP_CIPH_ECB_MODE:
1109 inp = padlock_memcpy(out, in_arg, chunk);
1114 padlock_xcrypt_ecb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1117 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1119 out = out_arg+=chunk;
1122 chunk = PADLOCK_CHUNK;
1126 case EVP_CIPH_CBC_MODE:
1127 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
1130 if (iv != cdata->iv)
1131 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
1132 chunk = PADLOCK_CHUNK;
1133 cbc_shortcut: /* optimize for small input */
1135 inp = padlock_memcpy(out, in_arg, chunk);
1140 iv = padlock_xcrypt_cbc(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1143 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1145 out = out_arg+=chunk;
1147 } while (nbytes -= chunk);
1148 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
1151 case EVP_CIPH_CFB_MODE:
1152 memcpy (iv = cdata->iv, ctx->iv, AES_BLOCK_SIZE);
1153 chunk &= ~(AES_BLOCK_SIZE-1);
1154 if (chunk) goto cfb_shortcut;
1155 else goto cfb_skiploop;
1157 if (iv != cdata->iv)
1158 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
1159 chunk = PADLOCK_CHUNK;
1160 cfb_shortcut: /* optimize for small input */
1162 inp = padlock_memcpy(out, in_arg, chunk);
1167 iv = padlock_xcrypt_cfb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1170 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1172 out = out_arg+=chunk;
1175 } while (nbytes >= AES_BLOCK_SIZE);
1179 unsigned char *ivp = cdata->iv;
1182 memcpy(ivp, iv, AES_BLOCK_SIZE);
1186 if (cdata->cword.b.encdec) {
1187 cdata->cword.b.encdec=0;
1188 padlock_reload_key();
1189 padlock_xcrypt_ecb(1,cdata,ivp,ivp);
1190 cdata->cword.b.encdec=1;
1191 padlock_reload_key();
1193 unsigned char c = *(in_arg++);
1194 *(out_arg++) = c ^ *ivp;
1195 *(ivp++) = c, nbytes--;
1198 else { padlock_reload_key();
1199 padlock_xcrypt_ecb(1,cdata,ivp,ivp);
1200 padlock_reload_key();
1202 *ivp = *(out_arg++) = *(in_arg++) ^ *ivp;
1208 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
1211 case EVP_CIPH_OFB_MODE:
1212 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
1213 chunk &= ~(AES_BLOCK_SIZE-1);
1216 inp = padlock_memcpy(out, in_arg, chunk);
1221 padlock_xcrypt_ofb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1224 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1226 out = out_arg+=chunk;
1229 chunk = PADLOCK_CHUNK;
1230 } while (nbytes >= AES_BLOCK_SIZE);
1233 unsigned char *ivp = cdata->iv;
1236 padlock_reload_key(); /* empirically found */
1237 padlock_xcrypt_ecb(1,cdata,ivp,ivp);
1238 padlock_reload_key(); /* empirically found */
1240 *(out_arg++) = *(in_arg++) ^ *ivp;
1245 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
1252 /* Clean the realign buffer if it was used */
1253 if (out_misaligned) {
1254 volatile unsigned long *p=(void *)out;
1255 size_t n = allocated/sizeof(*p);
1259 memset(cdata->iv, 0, AES_BLOCK_SIZE);
1264 #endif /* OPENSSL_NO_AES */
1266 /* ===== Random Number Generator ===== */
1268 * This code is not engaged. The reason is that it does not comply
1269 * with recommendations for VIA RNG usage for secure applications
1270 * (posted at http://www.via.com.tw/en/viac3/c3.jsp) nor does it
1271 * provide meaningful error control...
1273 /* Wrapper that provides an interface between the API and
1274 the raw PadLock RNG */
1276 padlock_rand_bytes(unsigned char *output, int count)
1278 unsigned int eax, buf;
1280 while (count >= 8) {
1281 eax = padlock_xstore(output, 0);
1282 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1283 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1284 if (eax&(0x1F<<10)) return 0;
1285 if ((eax&0x1F)==0) continue; /* no data, retry... */
1286 if ((eax&0x1F)!=8) return 0; /* fatal failure... */
1291 eax = padlock_xstore(&buf, 3);
1292 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1293 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1294 if (eax&(0x1F<<10)) return 0;
1295 if ((eax&0x1F)==0) continue; /* no data, retry... */
1296 if ((eax&0x1F)!=1) return 0; /* fatal failure... */
1297 *output++ = (unsigned char)buf;
1300 *(volatile unsigned int *)&buf=0;
1305 /* Dummy but necessary function */
1307 padlock_rand_status(void)
1312 /* Prepare structure for registration */
1313 static RAND_METHOD padlock_rand = {
1315 padlock_rand_bytes, /* bytes */
1318 padlock_rand_bytes, /* pseudorand */
1319 padlock_rand_status, /* rand status */
1322 #else /* !COMPILE_HW_PADLOCK */
1323 #ifndef OPENSSL_NO_DYNAMIC_ENGINE
1325 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { return 0; }
1326 IMPLEMENT_DYNAMIC_CHECK_FN()
1328 #endif /* COMPILE_HW_PADLOCK */
1330 #endif /* !OPENSSL_NO_HW_PADLOCK */
1331 #endif /* !OPENSSL_NO_HW */
projects / openssl.git / blob