2 * Support for VIA PadLock Advanced Cryptography Engine (ACE)
3 * Written by Michal Ludvig <michal@logix.cz>
4 * http://www.logix.cz/michal
6 * Big thanks to Andy Polyakov for a help with optimization,
7 * assembler fixes, port to MS Windows and a lot of other
8 * valuable work on this engine!
11 /* ====================================================================
12 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in
23 * the documentation and/or other materials provided with the
26 * 3. All advertising materials mentioning features or use of this
27 * software must display the following acknowledgment:
28 * "This product includes software developed by the OpenSSL Project
29 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
31 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
32 * endorse or promote products derived from this software without
33 * prior written permission. For written permission, please contact
34 * licensing@OpenSSL.org.
36 * 5. Products derived from this software may not be called "OpenSSL"
37 * nor may "OpenSSL" appear in their names without prior written
38 * permission of the OpenSSL Project.
40 * 6. Redistributions of any form whatsoever must retain the following
42 * "This product includes software developed by the OpenSSL Project
43 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
45 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
46 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
48 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
49 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
51 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
52 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
53 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
54 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
55 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
56 * OF THE POSSIBILITY OF SUCH DAMAGE.
57 * ====================================================================
59 * This product includes cryptographic software written by Eric Young
60 * (eay@cryptsoft.com). This product includes software written by Tim
61 * Hudson (tjh@cryptsoft.com).
69 #include <openssl/crypto.h>
70 #include <openssl/dso.h>
71 #include <openssl/engine.h>
72 #include <openssl/evp.h>
73 #include <openssl/aes.h>
74 #include <openssl/rand.h>
77 #ifndef OPENSSL_NO_HW_PADLOCK
79 /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
80 #if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
81 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
82 # define DYNAMIC_ENGINE
84 #elif (OPENSSL_VERSION_NUMBER >= 0x00907000L)
85 # ifdef ENGINE_DYNAMIC_SUPPORT
86 # define DYNAMIC_ENGINE
89 # error "Only OpenSSL >= 0.9.7 is supported"
92 /* VIA PadLock AES is available *ONLY* on some x86 CPUs.
93 Not only that it doesn't exist elsewhere, but it
94 even can't be compiled on other platforms!
96 In addition, because of the heavy use of inline assembler,
97 compiler choice is limited to GCC and Microsoft C. */
98 #undef COMPILE_HW_PADLOCK
99 #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
100 # if defined(__i386__) || defined(__i386) || defined(_M_IX86)
101 # define COMPILE_HW_PADLOCK
102 static ENGINE *ENGINE_padlock (void);
106 void ENGINE_load_padlock (void)
108 /* On non-x86 CPUs it just returns. */
109 #ifdef COMPILE_HW_PADLOCK
110 ENGINE *toadd = ENGINE_padlock ();
118 #ifdef COMPILE_HW_PADLOCK
119 /* We do these includes here to avoid header problems on platforms that
120 do not have the VIA padlock anyway... */
123 # define alloca _alloca
126 /* Function for ENGINE detection and control */
127 static int padlock_available(void);
128 static int padlock_init(ENGINE *e);
131 static RAND_METHOD padlock_rand;
134 static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
137 static const char *padlock_id = "padlock";
138 static char padlock_name[100];
140 /* Available features */
141 static int padlock_use_ace = 0; /* Advanced Cryptography Engine */
142 static int padlock_use_rng = 0; /* Random Number Generator */
143 static int padlock_aes_align_required = 1;
145 /* ===== Engine "management" functions ===== */
147 /* Prepare the ENGINE structure for registration */
149 padlock_bind_helper(ENGINE *e)
151 /* Check available features */
154 #if 1 /* disable RNG for now, see commentary in vicinity of RNG code */
158 /* Generate a nice engine name with available features */
159 BIO_snprintf(padlock_name, sizeof(padlock_name),
160 "VIA PadLock (%s, %s)",
161 padlock_use_rng ? "RNG" : "no-RNG",
162 padlock_use_ace ? "ACE" : "no-ACE");
164 /* Register everything or return with an error */
165 if (!ENGINE_set_id(e, padlock_id) ||
166 !ENGINE_set_name(e, padlock_name) ||
168 !ENGINE_set_init_function(e, padlock_init) ||
170 (padlock_use_ace && !ENGINE_set_ciphers (e, padlock_ciphers)) ||
171 (padlock_use_rng && !ENGINE_set_RAND (e, &padlock_rand))) {
175 /* Everything looks good */
183 ENGINE *eng = ENGINE_new();
189 if (!padlock_bind_helper(eng)) {
197 /* Check availability of the engine */
199 padlock_init(ENGINE *e)
201 return (padlock_use_rng || padlock_use_ace);
204 /* This stuff is needed if this ENGINE is being compiled into a self-contained
207 #ifdef DYNAMIC_ENGINE
209 padlock_bind_fn(ENGINE *e, const char *id)
211 if (id && (strcmp(id, padlock_id) != 0)) {
215 if (!padlock_bind_helper(e)) {
222 IMPLEMENT_DYNAMIC_CHECK_FN ();
223 IMPLEMENT_DYNAMIC_BIND_FN (padlock_bind_fn);
224 #endif /* DYNAMIC_ENGINE */
226 /* ===== Here comes the "real" engine ===== */
228 /* Some AES-related constants */
229 #define AES_BLOCK_SIZE 16
230 #define AES_KEY_SIZE_128 16
231 #define AES_KEY_SIZE_192 24
232 #define AES_KEY_SIZE_256 32
234 /* Here we store the status information relevant to the
237 * Inline assembler in PADLOCK_XCRYPT_ASM()
238 * depends on the order of items in this structure.
239 * Don't blindly modify, reorder, etc!
241 struct padlock_cipher_data
243 unsigned char iv[AES_BLOCK_SIZE]; /* Initialization vector */
244 union { unsigned int pad[4];
253 } cword; /* Control word */
254 AES_KEY ks; /* Encryption key */
258 * Essentially this variable belongs in thread local storage.
259 * Having this variable global on the other hand can only cause
260 * few bogus key reloads [if any at all on single-CPU system],
261 * so we accept the penatly...
263 static volatile struct padlock_cipher_data *padlock_saved_context;
266 * =======================================================
267 * Inline assembler section(s).
268 * =======================================================
269 * Order of arguments is chosen to facilitate Windows port
270 * using __fastcall calling convention. If you wish to add
271 * more routines, keep in mind that first __fastcall
272 * argument is passed in %ecx and second - in %edx.
273 * =======================================================
275 #if defined(__GNUC__) && __GNUC__>=2
277 * As for excessive "push %ebx"/"pop %ebx" found all over.
278 * When generating position-independent code GCC won't let
279 * us use "b" in assembler templates nor even respect "ebx"
280 * in "clobber description." Therefore the trouble...
283 /* Helper function - check if a CPUID instruction
284 is available on this CPU */
286 padlock_insn_cpuid_available(void)
290 /* We're checking if the bit #21 of EFLAGS
291 can be toggled. If yes = CPUID is available. */
295 "xorl $0x200000, %%eax\n"
296 "movl %%eax, %%ecx\n"
297 "andl $0x200000, %%ecx\n"
302 "andl $0x200000, %%eax\n"
303 "xorl %%eax, %%ecx\n"
305 : "=r" (result) : : "eax", "ecx");
307 return (result == 0);
310 /* Load supported features of the CPU to see if
311 the PadLock is available. */
313 padlock_available(void)
315 char vendor_string[16];
316 unsigned int eax, edx;
318 /* First check if the CPUID instruction is available at all... */
319 if (! padlock_insn_cpuid_available())
322 /* Are we running on the Centaur (VIA) CPU? */
324 vendor_string[12] = 0;
328 "movl %%ebx,(%%edi)\n"
329 "movl %%edx,4(%%edi)\n"
330 "movl %%ecx,8(%%edi)\n"
332 : "+a"(eax) : "D"(vendor_string) : "ecx", "edx");
333 if (strcmp(vendor_string, "CentaurHauls") != 0)
336 /* Check for Centaur Extended Feature Flags presence */
338 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
339 : "+a"(eax) : : "ecx", "edx");
340 if (eax < 0xC0000001)
343 /* Read the Centaur Extended Feature Flags */
345 asm volatile ("pushl %%ebx; cpuid; popl %%ebx"
346 : "+a"(eax), "=d"(edx) : : "ecx");
348 /* Fill up some flags */
349 padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
350 padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
352 return padlock_use_ace + padlock_use_rng;
355 /* Our own htonl()/ntohl() */
357 padlock_bswapl(AES_KEY *ks)
359 size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
360 unsigned long *key = ks->rd_key;
363 asm volatile ("bswapl %0" : "+r"(*key));
368 /* Force key reload from memory to the CPU microcode.
369 Loading EFLAGS from the stack clears EFLAGS[30]
370 which does the trick. */
372 padlock_reload_key(void)
374 asm volatile ("pushfl; popfl");
378 * This is heuristic key context tracing. At first one
379 * believes that one should use atomic swap instructions,
380 * but it's not actually necessary. Point is that if
381 * padlock_saved_context was changed by another thread
382 * after we've read it and before we compare it with cdata,
383 * our key *shall* be reloaded upon thread context switch
384 * and we are therefore set in either case...
387 padlock_verify_context(struct padlock_cipher_data *cdata)
399 :"+m"(padlock_saved_context)
400 : "r"(padlock_saved_context), "r"(cdata) : "cc");
403 /* Template for padlock_xcrypt_* modes */
405 * The offsets used with 'leal' instructions
406 * describe items of the 'padlock_cipher_data'
409 #define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
410 static inline void *name(size_t cnt, \
411 struct padlock_cipher_data *cdata, \
412 void *out, const void *inp) \
414 asm volatile ( "pushl %%ebx\n" \
415 " leal 16(%0),%%edx\n" \
416 " leal 32(%0),%%ebx\n" \
419 : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
420 : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
425 /* Generate all functions with appropriate opcodes */
426 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
427 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
428 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
429 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
431 /* The RNG call itself */
432 static inline unsigned int
433 padlock_xstore(void *addr, unsigned int edx_in)
435 unsigned int eax_out;
437 asm volatile (".byte 0x0f,0xa7,0xc0" /* xstore */
438 : "=a"(eax_out),"=m"(*(unsigned *)addr)
439 : "D"(addr), "d" (edx_in)
445 /* Why not inline 'rep movsd'? I failed to find information on what
446 * value in Direction Flag one can expect and consequently have to
447 * apply "better-safe-than-sorry" approach and assume "undefined."
448 * I could explicitly clear it and restore the original value upon
449 * return from padlock_aes_cipher, but it's presumably too much
450 * trouble for too little gain...
452 * In case you wonder 'rep xcrypt*' instructions above are *not*
453 * affected by the Direction Flag and pointers advance toward
454 * larger addresses unconditionally.
456 static inline unsigned char *
457 padlock_memcpy(void *dst,const void *src,size_t n)
463 do { *d++ = *s++; } while (--n);
468 #elif defined(_MSC_VER)
470 * Unlike GCC these are real functions. In order to minimize impact
471 * on performance we adhere to __fastcall calling convention in
472 * order to get two first arguments passed through %ecx and %edx.
473 * Which kind of suits very well, as instructions in question use
474 * both %ecx and %edx as input:-)
476 #define REP_XCRYPT(code) \
478 _asm _emit 0x0f _asm _emit 0xa7 \
482 * The offsets used with 'lea' instructions
483 * describe items of the 'padlock_cipher_data'
486 #define PADLOCK_XCRYPT_ASM(name,code) \
487 static void * __fastcall \
488 name (size_t cnt, void *cdata, \
489 void *outp, const void *inp) \
491 _asm lea edx,[eax+16] \
492 _asm lea ebx,[eax+32] \
498 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb,0xc8)
499 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc,0xd0)
500 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb,0xe0)
501 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb,0xe8)
503 static int __fastcall
504 padlock_xstore(void *outp,unsigned int code)
506 _asm _emit 0x0f _asm _emit 0xa7 _asm _emit 0xc0
509 static void __fastcall
510 padlock_reload_key(void)
511 { _asm pushfd _asm popfd }
513 static void __fastcall
514 padlock_verify_context(void *cdata)
519 cmp ecx,padlock_saved_context
521 mov padlock_saved_context,ecx
529 padlock_available(void)
564 mov padlock_use_ace,1
570 mov padlock_use_rng,1
577 static void __fastcall
578 padlock_bswapl(void *key)
593 /* MS actually specifies status of Direction Flag and compiler even
594 * manages to compile following as 'rep movsd' all by itself...
596 #define padlock_memcpy(o,i,n) ((unsigned char *)memcpy((o),(i),(n)&~3U))
599 /* ===== AES encryption/decryption ===== */
601 #if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
602 #define NID_aes_128_cfb NID_aes_128_cfb128
605 #if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
606 #define NID_aes_128_ofb NID_aes_128_ofb128
609 #if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
610 #define NID_aes_192_cfb NID_aes_192_cfb128
613 #if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
614 #define NID_aes_192_ofb NID_aes_192_ofb128
617 #if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
618 #define NID_aes_256_cfb NID_aes_256_cfb128
621 #if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
622 #define NID_aes_256_ofb NID_aes_256_ofb128
625 /* List of supported ciphers. */
626 static int padlock_cipher_nids[] = {
635 NID_aes_192_cfb, /* FIXME: AES192/256 CFB/OFB don't work. */
646 static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids)/
647 sizeof(padlock_cipher_nids[0]));
649 /* Function prototypes ... */
650 static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
651 const unsigned char *iv, int enc);
652 static int padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
653 const unsigned char *in, size_t nbytes);
655 #define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \
656 ( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F ) )
657 #define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
658 NEAREST_ALIGNED(ctx->cipher_data))
660 /* Declaring so many ciphers by hand would be a pain.
661 Instead introduce a bit of preprocessor magic :-) */
662 #define DECLARE_AES_EVP(ksize,lmode,umode) \
663 static const EVP_CIPHER padlock_aes_##ksize##_##lmode = { \
664 NID_aes_##ksize##_##lmode, \
666 AES_KEY_SIZE_##ksize, \
668 0 | EVP_CIPH_##umode##_MODE, \
669 padlock_aes_init_key, \
670 padlock_aes_cipher, \
672 sizeof(struct padlock_cipher_data) + 16, \
673 EVP_CIPHER_set_asn1_iv, \
674 EVP_CIPHER_get_asn1_iv, \
679 DECLARE_AES_EVP(128,ecb,ECB);
680 DECLARE_AES_EVP(128,cbc,CBC);
681 DECLARE_AES_EVP(128,cfb,CFB);
682 DECLARE_AES_EVP(128,ofb,OFB);
684 DECLARE_AES_EVP(192,ecb,ECB);
685 DECLARE_AES_EVP(192,cbc,CBC);
686 DECLARE_AES_EVP(192,cfb,CFB);
687 DECLARE_AES_EVP(192,ofb,OFB);
689 DECLARE_AES_EVP(256,ecb,ECB);
690 DECLARE_AES_EVP(256,cbc,CBC);
691 DECLARE_AES_EVP(256,cfb,CFB);
692 DECLARE_AES_EVP(256,ofb,OFB);
695 padlock_ciphers (ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid)
697 /* No specific cipher => return a list of supported nids ... */
699 *nids = padlock_cipher_nids;
700 return padlock_cipher_nids_num;
703 /* ... or the requested "cipher" otherwise */
705 case NID_aes_128_ecb:
706 *cipher = &padlock_aes_128_ecb;
708 case NID_aes_128_cbc:
709 *cipher = &padlock_aes_128_cbc;
711 case NID_aes_128_cfb:
712 *cipher = &padlock_aes_128_cfb;
714 case NID_aes_128_ofb:
715 *cipher = &padlock_aes_128_ofb;
718 case NID_aes_192_ecb:
719 *cipher = &padlock_aes_192_ecb;
721 case NID_aes_192_cbc:
722 *cipher = &padlock_aes_192_cbc;
724 case NID_aes_192_cfb:
725 *cipher = &padlock_aes_192_cfb;
727 case NID_aes_192_ofb:
728 *cipher = &padlock_aes_192_ofb;
731 case NID_aes_256_ecb:
732 *cipher = &padlock_aes_256_ecb;
734 case NID_aes_256_cbc:
735 *cipher = &padlock_aes_256_cbc;
737 case NID_aes_256_cfb:
738 *cipher = &padlock_aes_256_cfb;
740 case NID_aes_256_ofb:
741 *cipher = &padlock_aes_256_ofb;
745 /* Sorry, we don't support this NID */
753 /* Prepare the encryption key for PadLock usage */
755 padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
756 const unsigned char *iv, int enc)
758 struct padlock_cipher_data *cdata;
759 int key_len = EVP_CIPHER_CTX_key_length(ctx) * 8;
761 if (key==NULL) return 0; /* ERROR */
763 cdata = ALIGNED_CIPHER_DATA(ctx);
764 memset(cdata, 0, sizeof(struct padlock_cipher_data));
766 /* Prepare Control word. */
767 cdata->cword.b.encdec = (ctx->encrypt == 0);
768 cdata->cword.b.rounds = 10 + (key_len - 128) / 32;
769 cdata->cword.b.ksize = (key_len - 128) / 64;
773 /* PadLock can generate an extended key for
774 AES128 in hardware */
775 memcpy(cdata->ks.rd_key, key, AES_KEY_SIZE_128);
776 cdata->cword.b.keygen = 0;
781 /* Generate an extended AES key in software.
782 Needed for AES192/AES256 */
783 /* Well, the above applies to Stepping 8 CPUs
784 and is listed as hardware errata. They most
785 likely will fix it at some point and then
786 a check for stepping would be due here. */
788 AES_set_encrypt_key(key, key_len, &cdata->ks);
790 AES_set_decrypt_key(key, key_len, &cdata->ks);
792 /* OpenSSL C functions use byte-swapped extended key. */
793 padlock_bswapl(&cdata->ks);
795 cdata->cword.b.keygen = 1;
804 * This is done to cover for cases when user reuses the
805 * context for new key. The catch is that if we don't do
806 * this, padlock_eas_cipher might proceed with old key...
808 padlock_reload_key ();
814 * Simplified version of padlock_aes_cipher() used when
815 * 1) both input and output buffers are at aligned addresses.
817 * 2) running on a newer CPU that doesn't require aligned buffers.
820 padlock_aes_cipher_omnivorous(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
821 const unsigned char *in_arg, size_t nbytes)
823 struct padlock_cipher_data *cdata;
826 cdata = ALIGNED_CIPHER_DATA(ctx);
827 padlock_verify_context(cdata);
829 switch (EVP_CIPHER_CTX_mode(ctx)) {
830 case EVP_CIPH_ECB_MODE:
831 padlock_xcrypt_ecb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
834 case EVP_CIPH_CBC_MODE:
835 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
836 iv = padlock_xcrypt_cbc(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
837 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
840 case EVP_CIPH_CFB_MODE:
841 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
842 iv = padlock_xcrypt_cfb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
843 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
846 case EVP_CIPH_OFB_MODE:
847 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
848 padlock_xcrypt_ofb(nbytes/AES_BLOCK_SIZE, cdata, out_arg, in_arg);
849 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
856 memset(cdata->iv, 0, AES_BLOCK_SIZE);
861 #ifndef PADLOCK_CHUNK
862 # define PADLOCK_CHUNK 4096 /* Must be a power of 2 larger than 16 */
864 #if PADLOCK_CHUNK<16 || PADLOCK_CHUNK&(PADLOCK_CHUNK-1)
865 # error "insane PADLOCK_CHUNK..."
868 /* Re-align the arguments to 16-Bytes boundaries and run the
869 encryption function itself. This function is not AES-specific. */
871 padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
872 const unsigned char *in_arg, size_t nbytes)
874 struct padlock_cipher_data *cdata;
878 int inp_misaligned, out_misaligned, realign_in_loop;
879 size_t chunk, allocated=0;
883 if (nbytes % AES_BLOCK_SIZE)
884 return 0; /* are we expected to do tail processing? */
886 /* VIA promises CPUs that won't require alignment in the future.
887 For now padlock_aes_align_required is initialized to 1 and
888 the condition is never met... */
889 if (!padlock_aes_align_required)
890 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
892 inp_misaligned = (((size_t)in_arg) & 0x0F);
893 out_misaligned = (((size_t)out_arg) & 0x0F);
895 /* Note that even if output is aligned and input not,
896 * I still prefer to loop instead of copy the whole
897 * input and then encrypt in one stroke. This is done
898 * in order to improve L1 cache utilization... */
899 realign_in_loop = out_misaligned|inp_misaligned;
901 if (!realign_in_loop)
902 return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
904 /* this takes one "if" out of the loops */
906 chunk %= PADLOCK_CHUNK;
907 if (chunk==0) chunk = PADLOCK_CHUNK;
909 if (out_misaligned) {
910 /* optmize for small input */
911 allocated = (chunk<nbytes?PADLOCK_CHUNK:nbytes);
912 out = alloca(0x10 + allocated);
913 out = NEAREST_ALIGNED(out);
918 cdata = ALIGNED_CIPHER_DATA(ctx);
919 padlock_verify_context(cdata);
921 switch (EVP_CIPHER_CTX_mode(ctx)) {
922 case EVP_CIPH_ECB_MODE:
925 inp = padlock_memcpy(out, in_arg, chunk);
930 padlock_xcrypt_ecb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
933 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
935 out = out_arg+=chunk;
938 chunk = PADLOCK_CHUNK;
942 case EVP_CIPH_CBC_MODE:
943 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
947 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
948 chunk = PADLOCK_CHUNK;
949 cbc_shortcut: /* optimize for small input */
951 inp = padlock_memcpy(out, in_arg, chunk);
956 iv = padlock_xcrypt_cbc(chunk/AES_BLOCK_SIZE, cdata, out, inp);
959 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
961 out = out_arg+=chunk;
963 } while (nbytes -= chunk);
964 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
967 case EVP_CIPH_CFB_MODE:
968 memcpy (cdata->iv, ctx->iv, AES_BLOCK_SIZE);
972 memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
973 chunk = PADLOCK_CHUNK;
974 cfb_shortcut: /* optimize for small input */
976 inp = padlock_memcpy(out, in_arg, chunk);
981 iv = padlock_xcrypt_cfb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
984 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
986 out = out_arg+=chunk;
988 } while (nbytes -= chunk);
989 memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
992 case EVP_CIPH_OFB_MODE:
993 memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
996 inp = padlock_memcpy(out, in_arg, chunk);
1001 padlock_xcrypt_ofb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
1004 out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
1006 out = out_arg+=chunk;
1009 chunk = PADLOCK_CHUNK;
1011 memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
1018 /* Clean the realign buffer if it was used */
1019 if (out_misaligned) {
1020 volatile unsigned long *p=(void *)out;
1021 size_t n = allocated/sizeof(*p);
1025 memset(cdata->iv, 0, AES_BLOCK_SIZE);
1030 /* ===== Random Number Generator ===== */
1032 * This code is not engaged. The reason is that it does not comply
1033 * with recommendations for VIA RNG usage for secure applications
1034 * (posted at http://www.via.com.tw/en/viac3/c3.jsp) nor does it
1035 * provide meaningful error control...
1037 /* Wrapper that provides an interface between the API and
1038 the raw PadLock RNG */
1040 padlock_rand_bytes(unsigned char *output, int count)
1042 unsigned int eax, buf;
1044 while (count >= 8) {
1045 eax = padlock_xstore(output, 0);
1046 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1047 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1048 if (eax&(0x1F<<10)) return 0;
1049 if ((eax&0x1F)==0) continue; /* no data, retry... */
1050 if ((eax&0x1F)!=8) return 0; /* fatal failure... */
1055 eax = padlock_xstore(&buf, 3);
1056 if (!(eax&(1<<6))) return 0; /* RNG disabled */
1057 /* this ---vv--- covers DC bias, Raw Bits and String Filter */
1058 if (eax&(0x1F<<10)) return 0;
1059 if ((eax&0x1F)==0) continue; /* no data, retry... */
1060 if ((eax&0x1F)!=1) return 0; /* fatal failure... */
1061 *output++ = (unsigned char)buf;
1064 *(volatile unsigned int *)&buf=0;
1069 /* Dummy but necessary function */
1071 padlock_rand_status(void)
1076 /* Prepare structure for registration */
1077 static RAND_METHOD padlock_rand = {
1079 padlock_rand_bytes, /* bytes */
1082 padlock_rand_bytes, /* pseudorand */
1083 padlock_rand_status, /* rand status */
1086 #endif /* COMPILE_HW_PADLOCK */
1088 #endif /* !OPENSSL_NO_HW_PADLOCK */
1089 #endif /* !OPENSSL_NO_HW */