e_padlock-x86[_64].pl: better understanding of prefetch errata and proper
[openssl.git] / engines / e_padlock.c
index b89113e..c71eeb5 100644 (file)
@@ -76,6 +76,7 @@
 #endif
 #include <openssl/rand.h>
 #include <openssl/err.h>
+#include <openssl/modes.h>
 
 #ifndef OPENSSL_NO_HW
 #ifndef OPENSSL_NO_HW_PADLOCK
 
 /* VIA PadLock AES is available *ONLY* on some x86 CPUs.
    Not only that it doesn't exist elsewhere, but it
-   even can't be compiled on other platforms!
+   even can't be compiled on other platforms! */
  
-   In addition, because of the heavy use of inline assembler,
-   compiler choice is limited to GCC and Microsoft C. */
 #undef COMPILE_HW_PADLOCK
-#if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if (defined(__GNUC__) && __GNUC__>=2 && \
-       (defined(__i386__) || defined(__i386) || \
-        defined(__x86_64__) || defined(__x86_64)) \
-     ) || \
-     (defined(_MSC_VER) && defined(_M_IX86))
+#if !defined(I386_ONLY) && !defined(OPENSSL_NO_ASM)
+# if   defined(__i386__) || defined(__i386) ||    \
+       defined(__x86_64__) || defined(__x86_64) || \
+       defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \
+       defined(__INTEL__)
 #  define COMPILE_HW_PADLOCK
+#  ifdef OPENSSL_NO_DYNAMIC_ENGINE
 static ENGINE *ENGINE_padlock (void);
+#  endif
 # endif
 #endif
 
+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
+
 void ENGINE_load_padlock (void)
 {
 /* On non-x86 CPUs it just returns. */
@@ -123,21 +125,10 @@ void ENGINE_load_padlock (void)
 #endif
 }
 
-#ifdef COMPILE_HW_PADLOCK
-/* We do these includes here to avoid header problems on platforms that
-   do not have the VIA padlock anyway... */
-#ifdef _WIN32
-# include <malloc.h>
-# ifndef alloca
-#  define alloca _alloca
-# endif
-#elif defined(NETWARE_CLIB) && defined(__GNUC__)
-  void *alloca(size_t);
-# define alloca(s) __builtin_alloca(s)
-#else
-# include <stdlib.h>
 #endif
 
+#ifdef COMPILE_HW_PADLOCK
+
 /* Function for ENGINE detection and control */
 static int padlock_available(void);
 static int padlock_init(ENGINE *e);
@@ -157,9 +148,6 @@ static char padlock_name[100];
 /* Available features */
 static int padlock_use_ace = 0;        /* Advanced Cryptography Engine */
 static int padlock_use_rng = 0;        /* Random Number Generator */
-#ifndef OPENSSL_NO_AES
-static int padlock_aes_align_required = 1;
-#endif
 
 /* ===== Engine "management" functions ===== */
 
@@ -196,6 +184,7 @@ padlock_bind_helper(ENGINE *e)
        return 1;
 }
 
+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
 /* Constructor */
 static ENGINE *
 ENGINE_padlock(void)
@@ -213,6 +202,7 @@ ENGINE_padlock(void)
 
        return eng;
 }
+#endif
 
 /* Check availability of the engine */
 static int
@@ -276,99 +266,37 @@ struct padlock_cipher_data
        } cword;                /* Control word */
        AES_KEY ks;             /* Encryption key */
 };
-
-/*
- * Essentially this variable belongs in thread local storage.
- * Having this variable global on the other hand can only cause
- * few bogus key reloads [if any at all on single-CPU system],
- * so we accept the penatly...
- */
-static volatile struct padlock_cipher_data *padlock_saved_context;
 #endif
 
-/*
- * =======================================================
- * Inline assembler section(s).
- * =======================================================
- * Order of arguments is chosen to facilitate Windows port
- * using __fastcall calling convention. If you wish to add
- * more routines, keep in mind that first __fastcall
- * argument is passed in %ecx and second - in %edx.
- * =======================================================
- */
-#if defined(__GNUC__) && __GNUC__>=2
-#if defined(__i386__) || defined(__i386)
-/*
- * As for excessive "push %ebx"/"pop %ebx" found all over.
- * When generating position-independent code GCC won't let
- * us use "b" in assembler templates nor even respect "ebx"
- * in "clobber description." Therefore the trouble...
- */
-
-/* Helper function - check if a CPUID instruction
-   is available on this CPU */
-static int
-padlock_insn_cpuid_available(void)
-{
-       int result = -1;
-
-       /* We're checking if the bit #21 of EFLAGS 
-          can be toggled. If yes = CPUID is available. */
-       asm volatile (
-               "pushf\n"
-               "popl %%eax\n"
-               "xorl $0x200000, %%eax\n"
-               "movl %%eax, %%ecx\n"
-               "andl $0x200000, %%ecx\n"
-               "pushl %%eax\n"
-               "popf\n"
-               "pushf\n"
-               "popl %%eax\n"
-               "andl $0x200000, %%eax\n"
-               "xorl %%eax, %%ecx\n"
-               "movl %%ecx, %0\n"
-               : "=r" (result) : : "eax", "ecx");
-       
-       return (result == 0);
-}
+/* Interface to assembler module */
+unsigned int padlock_capability();
+void padlock_key_bswap(AES_KEY *key);
+void padlock_verify_context(struct padlock_cipher_data *ctx);
+void padlock_reload_key();
+void padlock_aes_block(void *out, const void *inp,
+               struct padlock_cipher_data *ctx);
+int  padlock_ecb_encrypt(void *out, const void *inp,
+               struct padlock_cipher_data *ctx, size_t len);
+int  padlock_cbc_encrypt(void *out, const void *inp,
+               struct padlock_cipher_data *ctx, size_t len);
+int  padlock_cfb_encrypt(void *out, const void *inp,
+               struct padlock_cipher_data *ctx, size_t len);
+int  padlock_ofb_encrypt(void *out, const void *inp,
+               struct padlock_cipher_data *ctx, size_t len);
+int  padlock_ctr32_encrypt(void *out, const void *inp,
+               struct padlock_cipher_data *ctx, size_t len);
+int  padlock_xstore(void *out,int edx);
+void padlock_sha1_oneshot(void *ctx,const void *inp,size_t len);
+void padlock_sha1(void *ctx,const void *inp,size_t len);
+void padlock_sha256_oneshot(void *ctx,const void *inp,size_t len);
+void padlock_sha256(void *ctx,const void *inp,size_t len);
 
 /* Load supported features of the CPU to see if
    the PadLock is available. */
 static int
 padlock_available(void)
 {
-       char vendor_string[16];
-       unsigned int eax, edx;
-
-       /* First check if the CPUID instruction is available at all... */
-       if (! padlock_insn_cpuid_available())
-               return 0;
-
-       /* Are we running on the Centaur (VIA) CPU? */
-       eax = 0x00000000;
-       vendor_string[12] = 0;
-       asm volatile (
-               "pushl  %%ebx\n"
-               "cpuid\n"
-               "movl   %%ebx,(%%edi)\n"
-               "movl   %%edx,4(%%edi)\n"
-               "movl   %%ecx,8(%%edi)\n"
-               "popl   %%ebx"
-               : "+a"(eax) : "D"(vendor_string) : "ecx", "edx");
-       if (strcmp(vendor_string, "CentaurHauls") != 0)
-               return 0;
-
-       /* Check for Centaur Extended Feature Flags presence */
-       eax = 0xC0000000;
-       asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
-               : "+a"(eax) : : "ecx", "edx");
-       if (eax < 0xC0000001)
-               return 0;
-
-       /* Read the Centaur Extended Feature Flags */
-       eax = 0xC0000001;
-       asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
-               : "+a"(eax), "=d"(edx) : : "ecx");
+       unsigned int edx = padlock_capability();
 
        /* Fill up some flags */
        padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
@@ -377,354 +305,6 @@ padlock_available(void)
        return padlock_use_ace + padlock_use_rng;
 }
 
-/* Force key reload from memory to the CPU microcode.
-   Loading EFLAGS from the stack clears EFLAGS[30] 
-   which does the trick. */
-static inline void
-padlock_reload_key(void)
-{
-       asm volatile ("pushfl; popfl");
-}
-
-#ifndef OPENSSL_NO_AES
-/*
- * This is heuristic key context tracing. At first one
- * believes that one should use atomic swap instructions,
- * but it's not actually necessary. Point is that if
- * padlock_saved_context was changed by another thread
- * after we've read it and before we compare it with cdata,
- * our key *shall* be reloaded upon thread context switch
- * and we are therefore set in either case...
- */
-static inline void
-padlock_verify_context(struct padlock_cipher_data *cdata)
-{
-       asm volatile (
-       "pushfl\n"
-"      btl     $30,(%%esp)\n"
-"      jnc     1f\n"
-"      cmpl    %2,%1\n"
-"      je      1f\n"
-"      popfl\n"
-"      subl    $4,%%esp\n"
-"1:    addl    $4,%%esp\n"
-"      movl    %2,%0"
-       :"+m"(padlock_saved_context)
-       : "r"(padlock_saved_context), "r"(cdata) : "cc");
-}
-
-/* Template for padlock_xcrypt_* modes */
-/* BIG FAT WARNING: 
- *     The offsets used with 'leal' instructions
- *     describe items of the 'padlock_cipher_data'
- *     structure.
- */
-#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt)    \
-static inline void *name(size_t cnt,           \
-       struct padlock_cipher_data *cdata,      \
-       void *out, const void *inp)             \
-{      void *iv;                               \
-       asm volatile ( "pushl   %%ebx\n"        \
-               "       leal    16(%0),%%edx\n" \
-               "       leal    32(%0),%%ebx\n" \
-                       rep_xcrypt "\n"         \
-               "       popl    %%ebx"          \
-               : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
-               : "0"(cdata), "1"(cnt), "2"(out), "3"(inp)  \
-               : "edx", "cc", "memory");       \
-       return iv;                              \
-}
-#endif
-
-#elif defined(__x86_64__) || defined(__x86_64)
-
-/* Load supported features of the CPU to see if
-   the PadLock is available. */
-static int
-padlock_available(void)
-{
-       char vendor_string[16];
-       unsigned int eax, edx;
-
-       /* Are we running on the Centaur (VIA) CPU? */
-       eax = 0x00000000;
-       vendor_string[12] = 0;
-       asm volatile (
-               "cpuid\n"
-               "movl   %%ebx,(%1)\n"
-               "movl   %%edx,4(%1)\n"
-               "movl   %%ecx,8(%1)\n"
-               : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
-       if (strcmp(vendor_string, "CentaurHauls") != 0)
-               return 0;
-
-       /* Check for Centaur Extended Feature Flags presence */
-       eax = 0xC0000000;
-       asm volatile ("cpuid"
-               : "+a"(eax) : : "rbx", "rcx", "rdx");
-       if (eax < 0xC0000001)
-               return 0;
-
-       /* Read the Centaur Extended Feature Flags */
-       eax = 0xC0000001;
-       asm volatile ("cpuid"
-               : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
-
-       /* Fill up some flags */
-       padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
-       padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
-
-       return padlock_use_ace + padlock_use_rng;
-}
-
-/* Force key reload from memory to the CPU microcode.
-   Loading EFLAGS from the stack clears EFLAGS[30] 
-   which does the trick. */
-static inline void
-padlock_reload_key(void)
-{
-       asm volatile ("pushfq; popfq");
-}
-
-#ifndef OPENSSL_NO_AES
-/*
- * This is heuristic key context tracing. At first one
- * believes that one should use atomic swap instructions,
- * but it's not actually necessary. Point is that if
- * padlock_saved_context was changed by another thread
- * after we've read it and before we compare it with cdata,
- * our key *shall* be reloaded upon thread context switch
- * and we are therefore set in either case...
- */
-static inline void
-padlock_verify_context(struct padlock_cipher_data *cdata)
-{
-       asm volatile (
-       "pushfq\n"
-"      btl     $30,(%%rsp)\n"
-"      jnc     1f\n"
-"      cmpq    %2,%1\n"
-"      je      1f\n"
-"      popfq\n"
-"      subq    $8,%%rsp\n"
-"1:    addq    $8,%%rsp\n"
-"      movq    %2,%0"
-       :"+m"(padlock_saved_context)
-       : "r"(padlock_saved_context), "r"(cdata) : "cc");
-}
-
-/* Template for padlock_xcrypt_* modes */
-/* BIG FAT WARNING: 
- *     The offsets used with 'leal' instructions
- *     describe items of the 'padlock_cipher_data'
- *     structure.
- */
-#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt)    \
-static inline void *name(size_t cnt,           \
-       struct padlock_cipher_data *cdata,      \
-       void *out, const void *inp)             \
-{      void *iv;                               \
-       asm volatile ( "leaq    16(%0),%%rdx\n" \
-               "       leaq    32(%0),%%rbx\n" \
-                       rep_xcrypt "\n"         \
-               : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
-               : "0"(cdata), "1"(cnt), "2"(out), "3"(inp)  \
-               : "rbx", "rdx", "cc", "memory");        \
-       return iv;                              \
-}
-#endif
-
-#endif /* cpu */
-
-#ifndef OPENSSL_NO_AES
-/* Generate all functions with appropriate opcodes */
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8")    /* rep xcryptecb */
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0")    /* rep xcryptcbc */
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")    /* rep xcryptcfb */
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")    /* rep xcryptofb */
-
-/* Our own htonl()/ntohl() */
-static inline void
-padlock_bswapl(AES_KEY *ks)
-{
-       size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
-       unsigned int *key = ks->rd_key;
-
-       while (i--) {
-               asm volatile ("bswapl %0" : "+r"(*key));
-               key++;
-       }
-}
-#endif
-
-/* The RNG call itself */
-static inline unsigned int
-padlock_xstore(void *addr, unsigned int edx_in)
-{
-       unsigned int eax_out;
-
-       asm volatile (".byte 0x0f,0xa7,0xc0"    /* xstore */
-           : "=a"(eax_out),"=m"(*(unsigned *)addr)
-           : "D"(addr), "d" (edx_in)
-           );
-
-       return eax_out;
-}
-
-/* Why not inline 'rep movsd'? I failed to find information on what
- * value in Direction Flag one can expect and consequently have to
- * apply "better-safe-than-sorry" approach and assume "undefined."
- * I could explicitly clear it and restore the original value upon
- * return from padlock_aes_cipher, but it's presumably too much
- * trouble for too little gain...
- *
- * In case you wonder 'rep xcrypt*' instructions above are *not*
- * affected by the Direction Flag and pointers advance toward
- * larger addresses unconditionally.
- */ 
-static inline unsigned char *
-padlock_memcpy(void *dst,const void *src,size_t n)
-{
-       size_t       *d=dst;
-       const size_t *s=src;
-
-       n /= sizeof(*d);
-       do { *d++ = *s++; } while (--n);
-
-       return dst;
-}
-
-#elif defined(_MSC_VER)
-/*
- * Unlike GCC these are real functions. In order to minimize impact
- * on performance we adhere to __fastcall calling convention in
- * order to get two first arguments passed through %ecx and %edx.
- * Which kind of suits very well, as instructions in question use
- * both %ecx and %edx as input:-)
- */
-#define REP_XCRYPT(code)               \
-       _asm _emit 0xf3                 \
-       _asm _emit 0x0f _asm _emit 0xa7 \
-       _asm _emit code
-
-/* BIG FAT WARNING: 
- *     The offsets used with 'lea' instructions
- *     describe items of the 'padlock_cipher_data'
- *     structure.
- */
-#define PADLOCK_XCRYPT_ASM(name,code)  \
-static void * __fastcall               \
-       name (size_t cnt, void *cdata,  \
-       void *outp, const void *inp)    \
-{      _asm    mov     eax,edx         \
-       _asm    lea     edx,[eax+16]    \
-       _asm    lea     ebx,[eax+32]    \
-       _asm    mov     edi,outp        \
-       _asm    mov     esi,inp         \
-       REP_XCRYPT(code)                \
-}
-
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb,0xc8)
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc,0xd0)
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb,0xe0)
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb,0xe8)
-
-static int __fastcall
-padlock_xstore(void *outp,unsigned int code)
-{      _asm    mov     edi,ecx
-       _asm _emit 0x0f _asm _emit 0xa7 _asm _emit 0xc0
-}
-
-static void __fastcall
-padlock_reload_key(void)
-{      _asm pushfd _asm popfd          }
-
-static void __fastcall
-padlock_verify_context(void *cdata)
-{      _asm    {
-               pushfd
-               bt      DWORD PTR[esp],30
-               jnc     skip
-               cmp     ecx,padlock_saved_context
-               je      skip
-               popfd
-               sub     esp,4
-       skip:   add     esp,4
-               mov     padlock_saved_context,ecx
-               }
-}
-
-static int
-padlock_available(void)
-{      _asm    {
-               pushfd
-               pop     eax
-               mov     ecx,eax
-               xor     eax,1<<21
-               push    eax
-               popfd
-               pushfd
-               pop     eax
-               xor     eax,ecx
-               bt      eax,21
-               jnc     noluck
-               mov     eax,0
-               cpuid
-               xor     eax,eax
-               cmp     ebx,'tneC'
-               jne     noluck
-               cmp     edx,'Hrua'
-               jne     noluck
-               cmp     ecx,'slua'
-               jne     noluck
-               mov     eax,0xC0000000
-               cpuid
-               mov     edx,eax
-               xor     eax,eax
-               cmp     edx,0xC0000001
-               jb      noluck
-               mov     eax,0xC0000001
-               cpuid
-               xor     eax,eax
-               bt      edx,6
-               jnc     skip_a
-               bt      edx,7
-               jnc     skip_a
-               mov     padlock_use_ace,1
-               inc     eax
-       skip_a: bt      edx,2
-               jnc     skip_r
-               bt      edx,3
-               jnc     skip_r
-               mov     padlock_use_rng,1
-               inc     eax
-       skip_r:
-       noluck:
-               }
-}
-
-static void __fastcall
-padlock_bswapl(void *key)
-{      _asm    {
-               pushfd
-               cld
-               mov     esi,ecx
-               mov     edi,ecx
-               mov     ecx,60
-       up:     lodsd
-               bswap   eax
-               stosd
-               loop    up
-               popfd
-               }
-}
-
-/* MS actually specifies status of Direction Flag and compiler even
- * manages to compile following as 'rep movsd' all by itself...
- */
-#define padlock_memcpy(o,i,n) ((unsigned char *)memcpy((o),(i),(n)&~3U))
-#endif
-
 /* ===== AES encryption/decryption ===== */
 #ifndef OPENSSL_NO_AES
 
@@ -758,16 +338,19 @@ static int padlock_cipher_nids[] = {
        NID_aes_128_cbc,
        NID_aes_128_cfb,
        NID_aes_128_ofb,
+       NID_aes_128_ctr,
 
        NID_aes_192_ecb,
        NID_aes_192_cbc,
        NID_aes_192_cfb,
        NID_aes_192_ofb,
+       NID_aes_192_ctr,
 
        NID_aes_256_ecb,
        NID_aes_256_cbc,
        NID_aes_256_cfb,
        NID_aes_256_ofb,
+       NID_aes_256_ctr
 };
 static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids)/
                                      sizeof(padlock_cipher_nids[0]));
@@ -775,18 +358,186 @@ static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids)/
 /* Function prototypes ... */
 static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                                const unsigned char *iv, int enc);
-static int padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                             const unsigned char *in, size_t nbytes);
 
 #define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) +                \
        ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F )      )
 #define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
        NEAREST_ALIGNED(ctx->cipher_data))
 
+static int
+padlock_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
+                  const unsigned char *in_arg, size_t nbytes)
+{
+       return padlock_ecb_encrypt(out_arg,in_arg,
+                       ALIGNED_CIPHER_DATA(ctx),nbytes);
+}
+static int
+padlock_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
+                  const unsigned char *in_arg, size_t nbytes)
+{
+       struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
+       int ret;
+
+       memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
+       if ((ret = padlock_cbc_encrypt(out_arg,in_arg,cdata,nbytes)))
+               memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
+       return ret;
+}
+
+static int
+padlock_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
+                  const unsigned char *in_arg, size_t nbytes)
+{
+       struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
+       size_t chunk;
+
+       if ((chunk = ctx->num)) { /* borrow chunk variable */
+               unsigned char *ivp=ctx->iv;
+
+               if (chunk >= AES_BLOCK_SIZE)
+                       return 0; /* bogus value */
+
+               if (ctx->encrypt)
+                       while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
+                               ivp[chunk] = *(out_arg++) = *(in_arg++) ^ ivp[chunk];
+                               chunk++, nbytes--;
+                       }
+               else    while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
+                               unsigned char c = *(in_arg++);
+                               *(out_arg++) = c ^ ivp[chunk];
+                               ivp[chunk++] = c, nbytes--;
+                       }
+
+               ctx->num = chunk%AES_BLOCK_SIZE;
+       }
+
+       if (nbytes == 0)
+               return 1;
+
+       memcpy (cdata->iv, ctx->iv, AES_BLOCK_SIZE);
+
+       if ((chunk = nbytes & ~(AES_BLOCK_SIZE-1))) {
+               if (!padlock_cfb_encrypt(out_arg,in_arg,cdata,chunk))
+                       return 0;
+               nbytes  -= chunk;
+       }
+
+       if (nbytes) {
+               unsigned char *ivp = cdata->iv;
+
+               out_arg += chunk;
+               in_arg  += chunk;
+               ctx->num = nbytes;
+               if (cdata->cword.b.encdec) {
+                       cdata->cword.b.encdec=0;
+                       padlock_reload_key();
+                       padlock_aes_block(ivp,ivp,cdata);
+                       cdata->cword.b.encdec=1;
+                       padlock_reload_key();
+                       while(nbytes) {
+                               unsigned char c = *(in_arg++);
+                               *(out_arg++) = c ^ *ivp;
+                               *(ivp++) = c, nbytes--;
+                       }
+               }
+               else {  padlock_reload_key();
+                       padlock_aes_block(ivp,ivp,cdata);
+                       padlock_reload_key();
+                       while (nbytes) {
+                               *ivp = *(out_arg++) = *(in_arg++) ^ *ivp;
+                               ivp++, nbytes--;
+                       }
+               }
+       }
+
+       memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
+
+       return 1;
+}
+
+static int
+padlock_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
+                  const unsigned char *in_arg, size_t nbytes)
+{
+       struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
+       size_t chunk;
+
+       /* ctx->num is maintained in byte-oriented modes,
+          such as CFB and OFB... */
+       if ((chunk = ctx->num)) { /* borrow chunk variable */
+               unsigned char *ivp=ctx->iv;
+
+               if (chunk >= AES_BLOCK_SIZE)
+                       return 0; /* bogus value */
+
+               while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
+                       *(out_arg++) = *(in_arg++) ^ ivp[chunk];
+                       chunk++, nbytes--;
+               }
+
+               ctx->num = chunk%AES_BLOCK_SIZE;
+       }
+
+       if (nbytes == 0)
+               return 1;
+
+       memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
+
+       if ((chunk = nbytes & ~(AES_BLOCK_SIZE-1))) {
+               if (!padlock_ofb_encrypt(out_arg,in_arg,cdata,chunk))
+                       return 0;
+               nbytes -= chunk;
+       }
+
+       if (nbytes) {
+               unsigned char *ivp = cdata->iv;
+
+               out_arg += chunk;
+               in_arg  += chunk;
+               ctx->num = nbytes;
+               padlock_reload_key();   /* empirically found */
+               padlock_aes_block(ivp,ivp,cdata);
+               padlock_reload_key();   /* empirically found */
+               while (nbytes) {
+                       *(out_arg++) = *(in_arg++) ^ *ivp;
+                       ivp++, nbytes--;
+               }
+       }
+
+       memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
+
+       return 1;
+}
+
+static void padlock_ctr32_encrypt_glue(const unsigned char *in,
+                       unsigned char *out, size_t blocks,
+                       struct padlock_cipher_data *ctx,
+                       const unsigned char *ivec)
+{
+       memcpy(ctx->iv,ivec,AES_BLOCK_SIZE);
+       padlock_ctr32_encrypt(out,in,ctx,AES_BLOCK_SIZE*blocks);
+}
+
+static int
+padlock_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
+                  const unsigned char *in_arg, size_t nbytes)
+{
+       struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
+       unsigned int num = ctx->num;
+
+       CRYPTO_ctr128_encrypt_ctr32(in_arg,out_arg,nbytes,
+                       cdata,ctx->iv,ctx->buf,&num,
+                       (ctr128_f)padlock_ctr32_encrypt_glue);
+
+       ctx->num = (size_t)num;
+       return 1;
+}
+
 #define EVP_CIPHER_block_size_ECB      AES_BLOCK_SIZE
 #define EVP_CIPHER_block_size_CBC      AES_BLOCK_SIZE
 #define EVP_CIPHER_block_size_OFB      1
 #define EVP_CIPHER_block_size_CFB      1
+#define EVP_CIPHER_block_size_CTR      1
 
 /* Declaring so many ciphers by hand would be a pain.
    Instead introduce a bit of preprocessor magic :-) */
@@ -798,7 +549,7 @@ static const EVP_CIPHER padlock_aes_##ksize##_##lmode = {   \
        AES_BLOCK_SIZE,                 \
        0 | EVP_CIPH_##umode##_MODE,    \
        padlock_aes_init_key,           \
-       padlock_aes_cipher,             \
+       padlock_##lmode##_cipher,       \
        NULL,                           \
        sizeof(struct padlock_cipher_data) + 16,        \
        EVP_CIPHER_set_asn1_iv,         \
@@ -811,16 +562,19 @@ DECLARE_AES_EVP(128,ecb,ECB);
 DECLARE_AES_EVP(128,cbc,CBC);
 DECLARE_AES_EVP(128,cfb,CFB);
 DECLARE_AES_EVP(128,ofb,OFB);
+DECLARE_AES_EVP(128,ctr,CTR);
 
 DECLARE_AES_EVP(192,ecb,ECB);
 DECLARE_AES_EVP(192,cbc,CBC);
 DECLARE_AES_EVP(192,cfb,CFB);
 DECLARE_AES_EVP(192,ofb,OFB);
+DECLARE_AES_EVP(192,ctr,CTR);
 
 DECLARE_AES_EVP(256,ecb,ECB);
 DECLARE_AES_EVP(256,cbc,CBC);
 DECLARE_AES_EVP(256,cfb,CFB);
 DECLARE_AES_EVP(256,ofb,OFB);
+DECLARE_AES_EVP(256,ctr,CTR);
 
 static int
 padlock_ciphers (ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid)
@@ -845,6 +599,9 @@ padlock_ciphers (ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid
          case NID_aes_128_ofb:
            *cipher = &padlock_aes_128_ofb;
            break;
+         case NID_aes_128_ctr:
+           *cipher = &padlock_aes_128_ctr;
+           break;
 
          case NID_aes_192_ecb:
            *cipher = &padlock_aes_192_ecb;
@@ -858,6 +615,9 @@ padlock_ciphers (ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid
          case NID_aes_192_ofb:
            *cipher = &padlock_aes_192_ofb;
            break;
+         case NID_aes_192_ctr:
+           *cipher = &padlock_aes_192_ctr;
+           break;
 
          case NID_aes_256_ecb:
            *cipher = &padlock_aes_256_ecb;
@@ -871,6 +631,9 @@ padlock_ciphers (ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid
          case NID_aes_256_ofb:
            *cipher = &padlock_aes_256_ofb;
            break;
+         case NID_aes_256_ctr:
+           *cipher = &padlock_aes_256_ctr;
+           break;
 
          default:
            /* Sorry, we don't support this NID */
@@ -888,6 +651,7 @@ padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
 {
        struct padlock_cipher_data *cdata;
        int key_len = EVP_CIPHER_CTX_key_length(ctx) * 8;
+       unsigned long mode = EVP_CIPHER_CTX_mode(ctx);
 
        if (key==NULL) return 0;        /* ERROR */
 
@@ -895,7 +659,7 @@ padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
        memset(cdata, 0, sizeof(struct padlock_cipher_data));
 
        /* Prepare Control word. */
-       if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE)
+       if (mode == EVP_CIPH_OFB_MODE || mode == EVP_CIPH_CTR_MODE)
                cdata->cword.b.encdec = 0;
        else
                cdata->cword.b.encdec = (ctx->encrypt == 0);
@@ -918,15 +682,15 @@ padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
                           and is listed as hardware errata. They most
                           likely will fix it at some point and then
                           a check for stepping would be due here. */
-                       if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CFB_MODE ||
-                           EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE ||
-                           enc)
-                               AES_set_encrypt_key(key, key_len, &cdata->ks);
-                       else
+                       if ((mode == EVP_CIPH_ECB_MODE ||
+                            mode == EVP_CIPH_CBC_MODE)
+                           && !enc)
                                AES_set_decrypt_key(key, key_len, &cdata->ks);
+                       else
+                               AES_set_encrypt_key(key, key_len, &cdata->ks);
 #ifndef AES_ASM
                        /* OpenSSL C functions use byte-swapped extended key. */
-                       padlock_bswapl(&cdata->ks);
+                       padlock_key_bswap(&cdata->ks);
 #endif
                        cdata->cword.b.keygen = 1;
                        break;
@@ -946,321 +710,6 @@ padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
        return 1;
 }
 
-/* 
- * Simplified version of padlock_aes_cipher() used when
- * 1) both input and output buffers are at aligned addresses.
- * or when
- * 2) running on a newer CPU that doesn't require aligned buffers.
- */
-static int
-padlock_aes_cipher_omnivorous(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
-               const unsigned char *in_arg, size_t nbytes)
-{
-       struct padlock_cipher_data *cdata;
-       void  *iv;
-
-       cdata = ALIGNED_CIPHER_DATA(ctx);
-       padlock_verify_context(cdata);
-
-       switch (EVP_CIPHER_CTX_mode(ctx)) {
-       case EVP_CIPH_ECB_MODE:
-               padlock_xcrypt_ecb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
-               break;
-
-       case EVP_CIPH_CBC_MODE:
-               memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
-               iv = padlock_xcrypt_cbc(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
-               memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
-               break;
-
-       case EVP_CIPH_CFB_MODE:
-               memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
-               iv = padlock_xcrypt_cfb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
-               memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
-               break;
-
-       case EVP_CIPH_OFB_MODE:
-               memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
-               padlock_xcrypt_ofb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
-               memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
-               break;
-
-       default:
-               return 0;
-       }
-
-       memset(cdata->iv, 0, AES_BLOCK_SIZE);
-
-       return 1;
-}
-
-#ifndef  PADLOCK_CHUNK
-# define PADLOCK_CHUNK 512     /* Must be a power of 2 larger than 16 */
-#endif
-#if PADLOCK_CHUNK<16 || PADLOCK_CHUNK&(PADLOCK_CHUNK-1)
-# error "insane PADLOCK_CHUNK..."
-#endif
-
-/* Re-align the arguments to 16-Bytes boundaries and run the 
-   encryption function itself. This function is not AES-specific. */
-static int
-padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
-                  const unsigned char *in_arg, size_t nbytes)
-{
-       struct padlock_cipher_data *cdata;
-       const  void *inp;
-       unsigned char  *out;
-       void  *iv;
-       int    inp_misaligned, out_misaligned, realign_in_loop;
-       size_t chunk, allocated=0;
-
-       /* ctx->num is maintained in byte-oriented modes,
-          such as CFB and OFB... */
-       if ((chunk = ctx->num)) { /* borrow chunk variable */
-               unsigned char *ivp=ctx->iv;
-
-               switch (EVP_CIPHER_CTX_mode(ctx)) {
-               case EVP_CIPH_CFB_MODE:
-                       if (chunk >= AES_BLOCK_SIZE)
-                               return 0; /* bogus value */
-
-                       if (ctx->encrypt)
-                               while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
-                                       ivp[chunk] = *(out_arg++) = *(in_arg++) ^ ivp[chunk];
-                                       chunk++, nbytes--;
-                               }
-                       else    while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
-                                       unsigned char c = *(in_arg++);
-                                       *(out_arg++) = c ^ ivp[chunk];
-                                       ivp[chunk++] = c, nbytes--;
-                               }
-
-                       ctx->num = chunk%AES_BLOCK_SIZE;
-                       break;
-               case EVP_CIPH_OFB_MODE:
-                       if (chunk >= AES_BLOCK_SIZE)
-                               return 0; /* bogus value */
-
-                       while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
-                               *(out_arg++) = *(in_arg++) ^ ivp[chunk];
-                               chunk++, nbytes--;
-                       }
-
-                       ctx->num = chunk%AES_BLOCK_SIZE;
-                       break;
-               }
-       }
-
-       if (nbytes == 0)
-               return 1;
-#if 0
-       if (nbytes % AES_BLOCK_SIZE)
-               return 0; /* are we expected to do tail processing? */
-#else
-       /* nbytes is always multiple of AES_BLOCK_SIZE in ECB and CBC
-          modes and arbitrary value in byte-oriented modes, such as
-          CFB and OFB... */
-#endif
-
-       /* VIA promises CPUs that won't require alignment in the future.
-          For now padlock_aes_align_required is initialized to 1 and
-          the condition is never met... */
-       /* C7 core is capable to manage unaligned input in non-ECB[!]
-          mode, but performance penalties appear to be approximately
-          same as for software alignment below or ~3x. They promise to
-          improve it in the future, but for now we can just as well
-          pretend that it can only handle aligned input... */
-       if (!padlock_aes_align_required && (nbytes%AES_BLOCK_SIZE)==0)
-               return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
-
-       inp_misaligned = (((size_t)in_arg) & 0x0F);
-       out_misaligned = (((size_t)out_arg) & 0x0F);
-
-       /* Note that even if output is aligned and input not,
-        * I still prefer to loop instead of copy the whole
-        * input and then encrypt in one stroke. This is done
-        * in order to improve L1 cache utilization... */
-       realign_in_loop = out_misaligned|inp_misaligned;
-
-       if (!realign_in_loop && (nbytes%AES_BLOCK_SIZE)==0)
-               return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
-
-       /* this takes one "if" out of the loops */
-       chunk  = nbytes;
-       chunk %= PADLOCK_CHUNK;
-       if (chunk==0) chunk = PADLOCK_CHUNK;
-
-       if (out_misaligned) {
-               /* optmize for small input */
-               allocated = (chunk<nbytes?PADLOCK_CHUNK:nbytes);
-               out = alloca(0x10 + allocated);
-               out = NEAREST_ALIGNED(out);
-       }
-       else
-               out = out_arg;
-
-       cdata = ALIGNED_CIPHER_DATA(ctx);
-       padlock_verify_context(cdata);
-
-       switch (EVP_CIPHER_CTX_mode(ctx)) {
-       case EVP_CIPH_ECB_MODE:
-               do      {
-                       if (inp_misaligned)
-                               inp = padlock_memcpy(out, in_arg, chunk);
-                       else
-                               inp = in_arg;
-                       in_arg += chunk;
-
-                       padlock_xcrypt_ecb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
-
-                       if (out_misaligned)
-                               out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
-                       else
-                               out     = out_arg+=chunk;
-
-                       nbytes -= chunk;
-                       chunk   = PADLOCK_CHUNK;
-               } while (nbytes);
-               break;
-
-       case EVP_CIPH_CBC_MODE:
-               memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
-               goto cbc_shortcut;
-               do      {
-                       if (iv != cdata->iv)
-                               memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
-                       chunk = PADLOCK_CHUNK;
-               cbc_shortcut: /* optimize for small input */
-                       if (inp_misaligned)
-                               inp = padlock_memcpy(out, in_arg, chunk);
-                       else
-                               inp = in_arg;
-                       in_arg += chunk;
-
-                       iv = padlock_xcrypt_cbc(chunk/AES_BLOCK_SIZE, cdata, out, inp);
-
-                       if (out_misaligned)
-                               out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
-                       else
-                               out     = out_arg+=chunk;
-
-               } while (nbytes -= chunk);
-               memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
-               break;
-
-       case EVP_CIPH_CFB_MODE:
-               memcpy (iv = cdata->iv, ctx->iv, AES_BLOCK_SIZE);
-               chunk &= ~(AES_BLOCK_SIZE-1);
-               if (chunk)      goto cfb_shortcut;
-               else            goto cfb_skiploop;
-               do      {
-                       if (iv != cdata->iv)
-                               memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
-                       chunk = PADLOCK_CHUNK;
-               cfb_shortcut: /* optimize for small input */
-                       if (inp_misaligned)
-                               inp = padlock_memcpy(out, in_arg, chunk);
-                       else
-                               inp = in_arg;
-                       in_arg += chunk;
-
-                       iv = padlock_xcrypt_cfb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
-
-                       if (out_misaligned)
-                               out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
-                       else
-                               out     = out_arg+=chunk;
-
-                       nbytes -= chunk;
-               } while (nbytes >= AES_BLOCK_SIZE);
-
-               cfb_skiploop:
-               if (nbytes) {
-                       unsigned char *ivp = cdata->iv;
-
-                       if (iv != ivp) {
-                               memcpy(ivp, iv, AES_BLOCK_SIZE);
-                               iv = ivp;
-                       }
-                       ctx->num = nbytes;
-                       if (cdata->cword.b.encdec) {
-                               cdata->cword.b.encdec=0;
-                               padlock_reload_key();
-                               padlock_xcrypt_ecb(1,cdata,ivp,ivp);
-                               cdata->cword.b.encdec=1;
-                               padlock_reload_key();
-                               while(nbytes) {
-                                       unsigned char c = *(in_arg++);
-                                       *(out_arg++) = c ^ *ivp;
-                                       *(ivp++) = c, nbytes--;
-                               }
-                       }
-                       else {  padlock_reload_key();
-                               padlock_xcrypt_ecb(1,cdata,ivp,ivp);
-                               padlock_reload_key();
-                               while (nbytes) {
-                                       *ivp = *(out_arg++) = *(in_arg++) ^ *ivp;
-                                       ivp++, nbytes--;
-                               }
-                       }
-               }
-
-               memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
-               break;
-
-       case EVP_CIPH_OFB_MODE:
-               memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
-               chunk &= ~(AES_BLOCK_SIZE-1);
-               if (chunk) do   {
-                       if (inp_misaligned)
-                               inp = padlock_memcpy(out, in_arg, chunk);
-                       else
-                               inp = in_arg;
-                       in_arg += chunk;
-
-                       padlock_xcrypt_ofb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
-
-                       if (out_misaligned)
-                               out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
-                       else
-                               out     = out_arg+=chunk;
-
-                       nbytes -= chunk;
-                       chunk   = PADLOCK_CHUNK;
-               } while (nbytes >= AES_BLOCK_SIZE);
-
-               if (nbytes) {
-                       unsigned char *ivp = cdata->iv;
-
-                       ctx->num = nbytes;
-                       padlock_reload_key();   /* empirically found */
-                       padlock_xcrypt_ecb(1,cdata,ivp,ivp);
-                       padlock_reload_key();   /* empirically found */
-                       while (nbytes) {
-                               *(out_arg++) = *(in_arg++) ^ *ivp;
-                               ivp++, nbytes--;
-                       }
-               }
-
-               memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
-               break;
-
-       default:
-               return 0;
-       }
-
-       /* Clean the realign buffer if it was used */
-       if (out_misaligned) {
-               volatile unsigned long *p=(void *)out;
-               size_t   n = allocated/sizeof(*p);
-               while (n--) *p++=0;
-       }
-
-       memset(cdata->iv, 0, AES_BLOCK_SIZE);
-
-       return 1;
-}
-
 #endif /* OPENSSL_NO_AES */
 
 /* ===== Random Number Generator ===== */
@@ -1322,9 +771,12 @@ static RAND_METHOD padlock_rand = {
 #else  /* !COMPILE_HW_PADLOCK */
 #ifndef OPENSSL_NO_DYNAMIC_ENGINE
 OPENSSL_EXPORT
+int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns);
+OPENSSL_EXPORT
 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { return 0; }
 IMPLEMENT_DYNAMIC_CHECK_FN()
 #endif
+#endif /* COMPILE_HW_PADLOCK */
 
 #endif /* !OPENSSL_NO_HW_PADLOCK */
 #endif /* !OPENSSL_NO_HW */