author | 2004-02-03 20:18:45 +0000 | |
---|---|---|
committer | 2004-02-03 20:18:45 +0000 | |
commit | e094896dc22da675a7dcdc19e355926d0a4d5b34 (patch) | |
tree | 7fd0e10bf351d4c0fe42801b27734a6af530f87b /lib/libssl/src | |
parent | adding tests after fixing bugs to prevent them from reapperaing gives extra (diff) | |
Switch to using software generated extended keys (because the cpu cannot
yet generate 192 & 256 bit keys). Ensure that 192 and 256 are in the
nids table. This also accelerates performance for 128 a tiny bit:
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 34921.48k 129617.82k 362059.93k 623649.81k 790397.77k
aes-192-cbc 26227.43k 99215.33k 283242.84k 509881.15k 665323.22k
aes-256-cbc 26133.22k 97458.06k 265990.84k 457824.69k 579835.09k
Diffstat (limited to 'lib/libssl/src')
-rw-r--r-- | lib/libssl/src/crypto/engine/hw_cryptodev.c | 45 |
1 files changed, 35 insertions, 10 deletions
diff --git a/lib/libssl/src/crypto/engine/hw_cryptodev.c b/lib/libssl/src/crypto/engine/hw_cryptodev.c index 4959c67e92e..06671a51bf1 100644 --- a/lib/libssl/src/crypto/engine/hw_cryptodev.c +++ b/lib/libssl/src/crypto/engine/hw_cryptodev.c @@ -55,6 +55,8 @@ ENGINE_load_cryptodev(void) #include <crypto/cryptodev.h> #include <sys/ioctl.h> +#include <ssl/aes.h> + #include <errno.h> #include <stdio.h> #include <unistd.h> @@ -68,7 +70,7 @@ ENGINE_load_cryptodev(void) #include <sys/sysctl.h> #include <machine/cpu.h> #include <machine/specialreg.h> -static void check_viac3aes(void); +static int check_viac3aes(void); #endif struct dev_crypto_state { @@ -259,7 +261,26 @@ get_cryptodev_ciphers(const int **cnids) * On i386, always check for the VIA C3 AES instructions; * even if /dev/crypto is disabled. */ - check_viac3aes(); + if (check_viac3aes() == 1) { + int have_NID_aes_128_cbc = 0; + int have_NID_aes_192_cbc = 0; + int have_NID_aes_256_cbc = 0; + + for (i = 0; i < count; i++) { + if (nids[i] == NID_aes_128_cbc) + have_NID_aes_128_cbc = 1; + if (nids[i] == NID_aes_192_cbc) + have_NID_aes_192_cbc = 1; + if (nids[i] == NID_aes_256_cbc) + have_NID_aes_256_cbc = 1; + } + if (!have_NID_aes_128_cbc) + nids[count++] = NID_aes_128_cbc; + if (!have_NID_aes_192_cbc) + nids[count++] = NID_aes_192_cbc; + if (!have_NID_aes_256_cbc) + nids[count++] = NID_aes_256_cbc; + } #endif if (count > 0) @@ -632,7 +653,7 @@ xcrypt_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, useout = spare; } - cw[0] = C3_CRYPT_CWLO_ALG_AES | C3_CRYPT_CWLO_KEYGEN_HW | + cw[0] = C3_CRYPT_CWLO_ALG_AES | C3_CRYPT_CWLO_KEYGEN_SW | C3_CRYPT_CWLO_NORMAL | ctx->encrypt ? C3_CRYPT_CWLO_ENCRYPT : C3_CRYPT_CWLO_DECRYPT; cw[1] = cw[2] = cw[3] = 0; 
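Review bot: The three appends in get_cryptodev_ciphers (`nids[count++] = NID_aes_128_cbc;` and the 192/256 equivalents) write past the current end of `nids` without comparing `count` against the array's capacity. The declaration of `nids` and the loop that fills it are outside the hunk, so the capacity may already leave room, but nothing in the new block enforces it. Guarding each append, for example `if (!have_NID_aes_192_cbc && count < CRYPTO_ALGORITHM_MAX)` if that is the array's size, keeps a later growth of the cipher table from turning into an out-of-bounds write. A short comment saying that these NIDs are added because the CPU provides them even when /dev/crypto does not list them would also help.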
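Review bot: In xcrypt_cipher the assignment to `cw[0]` does not parse the way it reads, because `|` binds tighter than `?:`. The whole OR chain, including the newly added `C3_CRYPT_CWLO_KEYGEN_SW`, becomes the condition, so `cw[0]` ends up as only `C3_CRYPT_CWLO_ENCRYPT` or `C3_CRYPT_CWLO_DECRYPT` and the algorithm and key-generation flags are discarded. If `C3_CRYPT_CWLO_KEYGEN_SW` is non-zero (its definition is outside the hunk), the condition is always true, so a decrypt request would be issued as an encrypt and the software-key flag would never reach the control word. Parenthesise the conditional: `C3_CRYPT_CWLO_NORMAL | (ctx->encrypt ? C3_CRYPT_CWLO_ENCRYPT : C3_CRYPT_CWLO_DECRYPT);`. The function body starts and ends outside the hunk.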
@@ -687,7 +708,10 @@ static int xcrypt_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { - bcopy(key, ctx->cipher_data, ctx->key_len); + if (enc) + AES_set_encrypt_key(key, 128, ctx->cipher_data); + else + AES_set_decrypt_key(key, 128, ctx->cipher_data); return (1); } @@ -698,7 +722,7 @@ xcrypt_cleanup(EVP_CIPHER_CTX *ctx) return (1); } -static void +static int check_viac3aes(void) { int mib[2] = { CTL_MACHDEP, CPU_XCRYPT }, value; @@ -706,24 +730,25 @@ check_viac3aes(void) if (sysctl(mib, sizeof(mib)/sizeof(mib[0]), &value, &size, NULL, 0) < 0) - return; + return (0); if (value == 0) - return; + return (0); cryptodev_aes_128_cbc.init = xcrypt_init_key; cryptodev_aes_128_cbc.do_cipher = xcrypt_cipher; cryptodev_aes_128_cbc.cleanup = xcrypt_cleanup; - cryptodev_aes_128_cbc.ctx_size = 128; + cryptodev_aes_128_cbc.ctx_size = sizeof(AES_KEY); cryptodev_aes_192_cbc.init = xcrypt_init_key; cryptodev_aes_192_cbc.do_cipher = xcrypt_cipher; cryptodev_aes_192_cbc.cleanup = xcrypt_cleanup; - cryptodev_aes_192_cbc.ctx_size = 128; + cryptodev_aes_192_cbc.ctx_size = sizeof(AES_KEY); cryptodev_aes_256_cbc.init = xcrypt_init_key; cryptodev_aes_256_cbc.do_cipher = xcrypt_cipher; cryptodev_aes_256_cbc.cleanup = xcrypt_cleanup; - cryptodev_aes_256_cbc.ctx_size = 128; + cryptodev_aes_256_cbc.ctx_size = sizeof(AES_KEY); + return (1); } #endif /* __i386__ */ |
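Review bot: xcrypt_init_key expands every key as 128 bits (`AES_set_encrypt_key(key, 128, ctx->cipher_data)`), yet check_viac3aes in this same diff installs that routine for `cryptodev_aes_192_cbc` and `cryptodev_aes_256_cbc` as well. Those ciphers would then run on a schedule built from only the first 16 key bytes, which is neither interoperable nor the key strength the caller asked for. Take the size from the context, as the removed `bcopy` did, and check the result: `if (AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data) < 0) return (0);`, and likewise for `AES_set_decrypt_key`. Both return values are ignored at present, so a failed key setup still reports success.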