2 * Support for VIA PadLock Advanced Cryptography Engine (ACE)
3 * Written by Michal Ludvig <michal@logix.cz>
4 * http://www.logix.cz/michal
6 * Big thanks to Andy Polyakov for a help with optimization,
7 * assembler fixes, port to MS Windows and a lot of other
8 * valuable work on this engine!
11 /* ====================================================================
12 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in
23 * the documentation and/or other materials provided with the
26 * 3. All advertising materials mentioning features or use of this
27 * software must display the following acknowledgment:
28 * "This product includes software developed by the OpenSSL Project
29 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
31 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
32 * endorse or promote products derived from this software without
33 * prior written permission. For written permission, please contact
34 * licensing@OpenSSL.org.
36 * 5. Products derived from this software may not be called "OpenSSL"
37 * nor may "OpenSSL" appear in their names without prior written
38 * permission of the OpenSSL Project.
40 * 6. Redistributions of any form whatsoever must retain the following
42 * "This product includes software developed by the OpenSSL Project
43 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
45 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
46 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
48 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
49 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
51 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
52 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
54 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
55 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
56 * OF THE POSSIBILITY OF SUCH DAMAGE.
57 * ====================================================================
59 * This product includes cryptographic software written by Eric Young
60 * (eay@cryptsoft.com). This product includes software written by Tim
61 * Hudson (tjh@cryptsoft.com).
70 # define alloca _alloca
71 # define snprintf _snprintf
74 #include <openssl/crypto.h>
75 #include <openssl/dso.h>
76 #include <openssl/engine.h>
77 #include <openssl/evp.h>
78 #include <openssl/aes.h>
81 #ifndef OPENSSL_NO_HW_PADLOCK
83 /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
84 #if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
85 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
86 # define DYNAMIC_ENGINE
88 #elif (OPENSSL_VERSION_NUMBER >= 0x00907000L)
89 # ifdef ENGINE_DYNAMIC_SUPPORT
90 # define DYNAMIC_ENGINE
93 # error "Only OpenSSL >= 0.9.7 is supported"
96 /* VIA PadLock AES is available *ONLY* on some x86 CPUs.
97 Not only that it doesn't exist elsewhere, but it
98 even can't be compiled on other platforms!
100 In addition, because of the heavy use of inline assembler,
101 compiler choice is limited to GCC and Microsoft C. */
102 #undef COMPILE_HW_PADLOCK
103 #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
104 # if defined(__i386__) || defined(__i386) || defined(_M_IX86)
105 # define COMPILE_HW_PADLOCK
106 static ENGINE *ENGINE_padlock (void);
110 void ENGINE_load_padlock (void)
112 /* On non-x86 CPUs it just returns. */
113 #ifdef COMPILE_HW_PADLOCK
114 ENGINE *toadd = ENGINE_padlock ();
122 #ifdef COMPILE_HW_PADLOCK
123 /* Function for ENGINE detection and control */
124 static int padlock_available(void);
125 static int padlock_init(ENGINE *e);
128 static RAND_METHOD padlock_rand;
131 static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
134 static const char *padlock_id = "padlock";
135 static char padlock_name[100];
137 /* Available features */
138 static int padlock_use_ace = 0; /* Advanced Cryptography Engine */
139 static int padlock_use_rng = 0; /* Random Number Generator */
140 static int padlock_aes_align_required = 1;
142 /* ===== Engine "management" functions ===== */
144 /* Prepare the ENGINE structure for registration */
146 padlock_bind_helper(ENGINE *e)
148 /* Check available features */
151 #if 1 /* disable RNG for now, see commentary in vicinity of RNG code */
155 /* Generate a nice engine name with available features */
156 snprintf(padlock_name, sizeof(padlock_name), "VIA PadLock (%s, %s)",
157 padlock_use_rng ? "RNG" : "no-RNG",
158 padlock_use_ace ? "ACE" : "no-ACE");
160 /* Register everything or return with an error */
161 if (!ENGINE_set_id(e, padlock_id) ||
162 !ENGINE_set_name(e, padlock_name) ||
164 !ENGINE_set_init_function(e, padlock_init) ||
166 (padlock_use_ace && !ENGINE_set_ciphers (e, padlock_ciphers)) ||
167 (padlock_use_rng && !ENGINE_set_RAND (e, &padlock_rand))) {
171 /* Everything looks good */
179 ENGINE *eng = ENGINE_new();
185 if (!padlock_bind_helper(eng)) {
193 /* Check availability of the engine */
195 padlock_init(ENGINE *e)
197 return (padlock_use_rng || padlock_use_ace);
200 /* This stuff is needed if this ENGINE is being compiled into a self-contained
203 #ifdef DYNAMIC_ENGINE
205 padlock_bind_fn(ENGINE *e, const char *id)
207 if (id && (strcmp(id, padlock_id) != 0)) {
211 if (!padlock_bind_helper(e)) {
218 IMPLEMENT_DYNAMIC_CHECK_FN ();
219 IMPLEMENT_DYNAMIC_BIND_FN (padlock_bind_fn);
220 #endif /* DYNAMIC_ENGINE */
222 /* ===== Here comes the "real" engine ===== */
224 /* Some AES-related constants */
225 #define AES_BLOCK_SIZE 16
226 #define AES_KEY_SIZE_128 16
227 #define AES_KEY_SIZE_192 24
228 #define AES_KEY_SIZE_256 32
230 /* Here we store the status information relevant to the
233 * Inline assembler in PADLOCK_XCRYPT_ASM()
234 * depends on the order of items in this structure.
235 * Don't blindly modify, reorder, etc!
237 struct padlock_cipher_data
239 unsigned char iv[AES_BLOCK_SIZE]; /* Initialization vector */
240 union { unsigned int pad[4];
249 } cword; /* Control word */
250 AES_KEY ks; /* Encryption key */
254 * Essentially this variable belongs in thread local storage.
255 * Having this variable global on the other hand can only cause
256 * few bogus key reloads [if any at all on single-CPU system],
257 * so we accept the penatly...
259 static volatile struct padlock_cipher_data *padlock_saved_context;
262 * =======================================================
263 * Inline assembler section(s).
264 * =======================================================
265 * Order of arguments is chosen to facilitate Windows port
266 * using __fastcall calling convention. If you wish to add
267 * more routines, keep in mind that first __fastcall
268 * argument is passed in %ecx and second - in %edx.
269 * =======================================================
271 #if defined(__GNUC__) && __GNUC__>=2
273 * As for excessive "push %ebx"/"pop %ebx" found all over.
274 * When generating position-independent code GCC won't let
275 * us use "b" in assembler templates nor even respect "ebx"
276 * in "clobber description." Therefore the trouble...
279 /* Helper function - check if a CPUID instruction
280 is available on this CPU */
282 padlock_insn_cpuid_available(void)
286 /* We're checking if the bit #21 of EFLAGS
287 can be toggled. If yes = CPUID is available. */
291 "xorl $0x200000, %%eax\n"
292 "movl %%eax, %%ecx\n"
293 "andl $0x200000, %%ecx\n"
298 "andl $0x200000, %%eax\n"
299 "xorl %%eax, %%ecx\n"
301 : "=r" (result) : : "eax", "ecx");
303 return (result == 0);
306 /* Load supported features of the CPU to see if
307 the PadLock is available. */
309 padlock_available(void)
311 char vendor_string[16];
312 unsigned int eax, edx;
314 /* First check if the CPUID instruction is available at all... */
315 if (! padlock_insn_cpuid_available())
318 /* Are we running on the Centaur (VIA) CPU? */
320 vendor_string[12] = 0;
324 "movl %%ebx,(%%edi)\n"
325 "movl %%edx,4(%%edi)\n"
326 "movl %%ecx,8(%%edi)\n"
328 : "+a"(eax) : "D"(vendor_string) : "ecx", "edx");
329 if (strcmp(vendor_string, "CentaurHauls") != 0)
332 /* Check for Centaur Extended Feature Flags presence */
334 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
335 : "+a"(eax) : : "ecx", "edx");
336 if (eax < 0xC0000001)
339 /* Read the Centaur Extended Feature Flags */
341 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
342 : "+a"(eax), "=d"(edx) : : "ecx");
344 /* Fill up some flags */
345 padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
346 padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
348 return padlock_use_ace + padlock_use_rng;
351 /* Our own htonl()/ntohl() */
353 padlock_bswapl(AES_KEY *ks)
355 size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
356 unsigned long *key = ks->rd_key;
359 asm volatile ("bswapl %0" : "+r"(*key));
364 /* Force key reload from memory to the CPU microcode.
365 Loading EFLAGS from the stack clears EFLAGS[30]
366 which does the trick. */
368 padlock_reload_key(void)
370 asm volatile ("pushfl; popfl");
374 * This is heuristic key context tracing. At first one
375 * believes that one should use atomic swap instructions,
376 * but it's not actually necessary. Point is that if
377 * padlock_saved_context was changed by another thread
378 * after we've read it and before we compare it with cdata,
379 * our key *shall* be reloaded upon thread context switch
380 * and we are therefore set in either case...
383 padlock_verify_context(struct padlock_cipher_data *cdata)
395 :"+m"(padlock_saved_context)
396 : "r"(padlock_saved_context), "r"(cdata) : "cc");
399 /* Template for padlock_xcrypt_* modes */
401 * The offsets used with 'leal' instructions
402 * describe items of the 'padlock_cipher_data'
405 #define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
406 static inline void *name(size_t cnt, \
407 struct padlock_cipher_data *cdata, \
408 void *out, const void *inp) \
410 asm volatile ( "pushl %%ebx\n" \
411 " leal 16(%0),%%edx\n" \
412 " leal 32(%0),%%ebx\n" \
415 : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
416 : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
421 /* Generate all functions with appropriate opcodes */
422 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
423 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
424 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
425 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
427 /* The RNG call itself */
428 static inline unsigned int
429 padlock_xstore(void *addr, unsigned int edx_in)
431 unsigned int eax_out;
433 asm volatile (".byte 0x0f,0xa7,0xc0" /* xstore */
434 : "=a"(eax_out),"=m"(*(unsigned *)addr)
435 : "D"(addr), "d" (edx_in)
441 /* Why not inline 'rep movsd'? I failed to find information on what
442 * value in Direction Flag one can expect and consequently have to
443 * apply "better-safe-than-sorry" approach and assume "undefined."
444 * I could explicitly clear it and restore the original value upon
445 * return from padlock_aes_cipher, but it's presumably too much
446 * trouble for too little gain...
448 * In case you wonder 'rep xcrypt*' instructions above are *not*
449 * affected by the Direction Flag and pointers advance toward
450 * larger addresses unconditionally.
452 static inline unsigned char *
453 padlock_memcpy(void *dst,const void *src,size_t n)
459 do { *d++ = *s++; } while (--n);
464 #elif defined(_MSC_VER)
466 * Unlike GCC these are real functions. In order to minimize impact
467 * on performance we adhere to __fastcall calling convention in
468 * order to get two first arguments passed through %ecx and %edx.
469 * Which kind of suits very well, as instructions in question use
470 * both %ecx and %edx as input:-)
472 #define REP_XCRYPT(code) \
474 _asm _emit 0x0f _asm _emit 0xa7 \
478 * The offsets used with 'lea' instructions
479 * describe items of the 'padlock_cipher_data'
482 #define PADLOCK_XCRYPT_ASM(name,code) \
483 static void * __fastcall \
484 name (size_t cnt, void *cdata, \
485 void *outp, const void *inp) \
487 _asm lea edx,[eax+16] \
488 _asm lea ebx,[eax+32] \
494 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb,0xc8)
495 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc,0xd0)
496 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb,0xe0)
497 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb,0xe8)
499 static int __fastcall
500 padlock_xstore(void *outp,unsigned int code)
502 _asm _emit 0x0f _asm _emit 0xa7 _asm _emit 0xc0
505 static void __fastcall
506 padlock_reload_key(void)
507 { _asm pushfd _asm popfd }
509 static void __fastcall
510 padlock_verify_context(void *cdata)
515 cmp ecx,padlock_saved_context
517 mov padlock_saved_context,ecx
525 padlock_available(void)
560 mov padlock_use_ace,1
566 mov padlock_use_rng,1
573 static void __fastcall
574 padlock_bswapl(void *key)
589 /* MS actually specifies status of Direction Flag and compiler even
590 * manages to compile following as 'rep movsd' all by itself...
592 #define padlock_memcpy(o,i,n) ((unsigned char *)memcpy((o),(i),(n)&~3U))
595 /* ===== AES encryption/decryption ===== */
597 #if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
598 #define NID_aes_128_cfb NID_aes_128_cfb128
601 #if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
602 #define NID_aes_128_ofb NID_aes_128_ofb128
605 #if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
606 #define NID_aes_192_cfb NID_aes_192_cfb128
609 #if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
610 #define NID_aes_192_ofb NID_aes_192_ofb128
613 #if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
614 #define NID_aes_256_cfb NID_aes_256_cfb128
617 #if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
618 #define NID_aes_256_ofb NID_aes_256_ofb128
621 /* List of supported ciphers. */
622 static int padlock_cipher_nids[] = {
631 NID_aes_192_cfb, /* FIXME: AES192/256 CFB/OFB don't work. */
642 static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids)/
643 sizeof(padlock_cipher_nids[0]));
645 /* Function prototypes ... */
646 static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
647 const unsigned char *iv, int enc);
648 static int padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
649 const unsigned char *in, unsigned int nbytes);
651 #define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \
652 ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F ) )
653 #define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
654 NEAREST_ALIGNED(ctx->cipher_data))
656 /* Declaring so many ciphers by hand would be a pain.
657 Instead introduce a bit of preprocessor magic :-) */
658 #define DECLARE_AES_EVP(ksize,lmode,umode) \
659 static const EVP_CIPHER padlock_aes_##ksize##_##lmode = { \
660 NID_aes_##ksize##_##lmode, \
662 AES_KEY_SIZE_##ksize, \
664 0 | EVP_CIPH_##umode##_MODE, \
665 padlock_aes_init_key, \
666 padlock_aes_cipher, \
668 sizeof(struct padlock_cipher_data) + 16, \
669 EVP_CIPHER_set_asn1_iv, \
670 EVP_CIPHER_get_asn1_iv, \
675 DECLARE_AES_EVP(128,ecb,ECB);
676 DECLARE_AES_EVP(128,cbc,CBC);
677 DECLARE_AES_EVP(128,cfb,CFB);
678 DECLARE_AES_EVP(128,ofb,OFB);
680 DECLARE_AES_EVP(192,ecb,ECB);
681 DECLARE_AES_EVP(192,cbc,CBC);
682 DECLARE_AES_EVP(192,cfb,CFB);
683 DECLARE_AES_EVP(192,ofb,OFB);
685 DECLARE_AES_EVP(256,ecb,ECB);
686 DECLARE_AES_EVP(256,cbc,CBC);
687 DECLARE_AES_EVP(256,cfb,CFB);
688 DECLARE_AES_EVP(256,ofb,OFB);
691 padlock_ciphers (ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid)
693 /* No specific cipher => return a list of supported nids ... */
695 *nids = padlock_cipher_nids;
696 return padlock_cipher_nids_num;
699 /* ... or the requested "cipher" otherwise */
701 case NID_aes_128_ecb:
702 *cipher = &padlock_aes_128_ecb;
704 case NID_aes_128_cbc:
705 *cipher = &padlock_aes_128_cbc;
707 case NID_aes_128_cfb:
708 *cipher = &padlock_aes_128_cfb;
710 case NID_aes_128_ofb:
711 *cipher = &padlock_aes_128_ofb;
714 case NID_aes_192_ecb:
715 *cipher = &padlock_aes_192_ecb;
717 case NID_aes_192_cbc:
718 *cipher = &padlock_aes_192_cbc;
720 case NID_aes_192_cfb:
721 *cipher = &padlock_aes_192_cfb;
723 case NID_aes_192_ofb:
724 *cipher = &padlock_aes_192_ofb;
727 case NID_aes_256_ecb:
728 *cipher = &padlock_aes_256_ecb;
730 case NID_aes_256_cbc:
731 *cipher = &padlock_aes_256_cbc;
733 case NID_aes_256_cfb:
734 *cipher = &padlock_aes_256_cfb;
736 case NID_aes_256_ofb:
737 *cipher = &padlock_aes_256_ofb;
741 /* Sorry, we don't support this NID */
749 /* Prepare the encryption key for PadLock usage */
751 padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
752 const unsigned char *iv, int enc)
754 struct padlock_cipher_data *cdata;
755 int key_len = EVP_CIPHER_CTX_key_length(ctx) * 8;
757 if (key==NULL) return 0; /* ERROR */
759 cdata = ALIGNED_CIPHER_DATA(ctx);
760 memset(cdata, 0, sizeof(struct padlock_cipher_data));
762 /* Prepare Control word. */
763 cdata->cword.b.encdec = (ctx->encrypt == 0);
764 cdata->cword.b.rounds = 10 + (key_len - 128) / 32;
765 cdata->cword.b.ksize = (key_len - 128) / 64;
769 /* PadLock can generate an extended key for
770 AES128 in hardware */
771 memcpy(cdata->ks.rd_key, key, AES_KEY_SIZE_128);
772 cdata->cword.b.keygen = 0;
777 /* Generate an extended AES key in software.
778 Needed for AES192/AES256 */
779 /* Well, the above applies to Stepping 8 CPUs
780 and is listed as hardware errata. They most
781 likely will fix it at some point and then
782 a check for stepping would be due here. */
784 AES_set_encrypt_key(key, key_len, &cdata->ks);
786 AES_set_decrypt_key(key, key_len, &cdata->ks);
788 /* OpenSSL internal functions use byte-swapped extended key. */
789 padlock_bswapl(&cdata->ks);
791 cdata->cword.b.keygen = 1;
800 * This is done to cover for cases when user reuses the
801 * context for new key. The catch is that if we don't do
802 * this, padlock_eas_cipher might proceed with old key...
804 padlock_reload_key ();
810 * Simplified version of padlock_aes_cipher() used when
811 * 1) both input and output buffers are at aligned addresses.
813 * 2) running on a newer CPU that doesn't require aligned buffers.
816 padlock_aes_cipher_omnivorous(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
817 const unsigned char *in_arg, size_t nbytes)
819 struct padlock_cipher_data *cdata;
822 cdata = ALIGNED_CIPHER_DATA(ctx);
823 padlock_verify_context(cdata);
825 switch (EVP_CIPHER_CTX_mode(ctx)) {
826 case EVP_CIPH_ECB_MODE:
827 padlock_xcrypt_ecb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
830 case EVP_CIPH_CBC_MODE:
831 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
832 iv = padlock_xcrypt_cbc(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
833 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
836 case EVP_CIPH_CFB_MODE:
837 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
838 iv = padlock_xcrypt_cfb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
839 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
842 case EVP_CIPH_OFB_MODE:
843 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
844 padlock_xcrypt_ofb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
845 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
852 memset(cdata->iv, 0, AES_BLOCK_SIZE);
857 #ifndef PADLOCK_CHUNK
858 # define PADLOCK_CHUNK 4096 /* Must be a power of 2 larger than 16 */
860 #if PADLOCK_CHUNK<16 || PADLOCK_CHUNK&(PADLOCK_CHUNK-1)
861 # error "insane PADLOCK_CHUNK..."
864 /* Re-align the arguments to 16-Bytes boundaries and run the
865 encryption function itself. This function is not AES-specific. */
867 padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
868 const unsigned char *in_arg, size_t nbytes)
870 struct padlock_cipher_data *cdata;
874 int inp_misaligned, out_misaligned, realign_in_loop;
875 size_t chunk, allocated=0;
879 if (nbytes % AES_BLOCK_SIZE)
880 return 0; /* are we expected to do tail processing? */
882 /* VIA promises CPUs that won't require alignment in the future.
883 For now padlock_aes_align_required is initialized to 1 and
884 the condition is never met... */
885 if (!padlock_aes_align_required)
886 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
888 inp_misaligned = (((size_t)in_arg) & 0x0F);
889 out_misaligned = (((size_t)out_arg) & 0x0F);
891 /* Note that even if output is aligned and input not,
892 * I still prefer to loop instead of copy the whole
893 * input and then encrypt in one stroke. This is done
894 * in order to improve L1 cache utilization... */
895 realign_in_loop = out_misaligned|inp_misaligned;
897 if (!realign_in_loop)
898 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
900 /* this takes one "if" out of the loops */
902 chunk %= PADLOCK_CHUNK;
903 if (chunk==0) chunk = PADLOCK_CHUNK;
905 if (out_misaligned) {
906 /* optmize for small input */
907 allocated = (chunk<nbytes?PADLOCK_CHUNK:nbytes);
908 out = alloca(0x10 + allocated);
909 out = NEAREST_ALIGNED(out);
914 cdata = ALIGNED_CIPHER_DATA(ctx);
915 padlock_verify_context(cdata);
917 switch (EVP_CIPHER_CTX_mode(ctx)) {
918 case EVP_CIPH_ECB_MODE:
921 inp = padlock_memcpy(out, in_arg, chunk);
926 padlock_xcrypt_ecb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
929 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
931 out = out_arg+=chunk;
934 chunk = PADLOCK_CHUNK;
938 case EVP_CIPH_CBC_MODE:
939 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
943 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
944 chunk = PADLOCK_CHUNK;
945 cbc_shortcut: /* optimize for small input */
947 inp = padlock_memcpy(out, in_arg, chunk);
952 iv = padlock_xcrypt_cbc(chunk/AES_BLOCK_SIZE, cdata, out, inp);
955 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
957 out = out_arg+=chunk;
959 } while (nbytes -= chunk);
960 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
963 case EVP_CIPH_CFB_MODE:
964 memcpy (cdata->iv, ctx->iv, AES_BLOCK_SIZE);
968 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
969 chunk = PADLOCK_CHUNK;
970 cfb_shortcut: /* optimize for small input */
972 inp = padlock_memcpy(out, in_arg, chunk);
977 iv = padlock_xcrypt_cfb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
980 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
982 out = out_arg+=chunk;
984 } while (nbytes -= chunk);
985 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
988 case EVP_CIPH_OFB_MODE:
989 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
992 inp = padlock_memcpy(out, in_arg, chunk);
997 padlock_xcrypt_ofb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1000 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1002 out = out_arg+=chunk;
1005 chunk = PADLOCK_CHUNK;
1007 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
1014 /* Clean the realign buffer if it was used */
1015 if (out_misaligned) {
1016 volatile unsigned long *p=(void *)out;
1017 size_t n = allocated/sizeof(*p);
1021 memset(cdata->iv, 0, AES_BLOCK_SIZE);
1026 /* ===== Random Number Generator ===== */
1028 * This code is not engaged. The reason is that it does not comply
1029 * with recommendations for VIA RNG usage for secure applications
1030 * (posted at http://www.via.com.tw/en/viac3/c3.jsp) nor does it
1031 * provide meaningful error control...
1033 /* Wrapper that provides an interface between the API and
1034 the raw PadLock RNG */
1036 padlock_rand_bytes(unsigned char *output, int count)
1038 unsigned int eax, buf;
1040 while (count >= 8) {
1041 eax = padlock_xstore(output, 0);
1042 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1043 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1044 if (eax&(0x1F<<10)) return 0;
1045 if ((eax&0x1F)==0) continue; /* no data, retry... */
1046 if ((eax&0x1F)!=8) return 0; /* fatal failure... */
1051 eax = padlock_xstore(&buf, 3);
1052 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1053 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1054 if (eax&(0x1F<<10)) return 0;
1055 if ((eax&0x1F)==0) continue; /* no data, retry... */
1056 if ((eax&0x1F)!=1) return 0; /* fatal failure... */
1057 *output++ = (unsigned char)buf;
1060 *(volatile unsigned int *)&buf=0;
1065 /* Dummy but necessary function */
1067 padlock_rand_status(void)
1072 /* Prepare structure for registration */
1073 static RAND_METHOD padlock_rand = {
1075 padlock_rand_bytes, /* bytes */
1078 padlock_rand_bytes, /* pseudorand */
1079 padlock_rand_status, /* rand status */
1082 #endif /* COMPILE_HW_PADLOCK */
1084 #endif /* !OPENSSL_NO_HW_PADLOCK */
1085 #endif /* !OPENSSL_NO_HW */