2 # Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # This module implements support for AES instructions as per PowerISA
18 # specification version 2.07, first implemented by POWER8 processor.
19 # The module is endian-agnostic in sense that it supports both big-
20 # and little-endian cases. Data alignment in parallelizable modes is
21 # handled with VSX loads and stores, which implies MSR.VSX flag being
22 # set. It should also be noted that ISA specification doesn't prohibit
23 # alignment exceptions for these instructions on page boundaries.
24 # Initially alignment was handled in pure AltiVec/VMX way [when data
25 # is aligned programmatically, which in turn guarantees exception-
26 # free execution], but it turned to hamper performance when vcipher
27 # instructions are interleaved. It's reckoned that eventual
28 # misalignment penalties at page boundaries are in average lower
29 # than additional overhead in pure AltiVec approach.
33 # Add XTS subroutine, 9x on little- and 12x improvement on big-endian
34 # systems were measured.
36 ######################################################################
37 # Current large-block performance in cycles per byte processed with
38 # 128-bit key (less is better).
40 # CBC en-/decrypt CTR XTS
41 # POWER8[le] 3.96/0.72 0.74 1.1
42 # POWER8[be] 3.75/0.65 0.66 1.0
43 # POWER9[le] 3.05/0.65 0.65 0.80
47 if ($flavour =~ /64/) {
55 } elsif ($flavour =~ /32/) {
63 } else { die "nonsense $flavour"; }
65 $LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
67 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
68 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
69 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
70 die "can't locate ppc-xlate.pl";
72 open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";
80 #########################################################################
81 {{{ # Key setup procedures #
82 my ($inp,$bits,$out,$ptr,$cnt,$rounds)=map("r$_",(3..8));
83 my ($zero,$in0,$in1,$key,$rcon,$mask,$tmp)=map("v$_",(0..6));
84 my ($stage,$outperm,$outmask,$outhead,$outtail)=map("v$_",(7..11));
93 .long 0x01000000, 0x01000000, 0x01000000, 0x01000000 ?rev
94 .long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
95 .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
100 mflr $ptr #vvvvv "distance between . and rcon
105 .byte 0,12,0x14,0,0,0,0,0
106 .asciz "AES for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
108 .globl .${prefix}_set_encrypt_key
110 .${prefix}_set_encrypt_key:
113 $PUSH r11,$LRSAVE($sp)
117 beq- Lenc_key_abort # if ($inp==0) return -1;
119 beq- Lenc_key_abort # if ($out==0) return -1;
137 addi $inp,$inp,15 # 15 is not typo
138 lvsr $key,0,r9 # borrow $key
142 le?vspltisb $mask,0x0f # borrow $mask
144 le?vxor $key,$key,$mask # adjust for byte swap
147 vperm $in0,$in0,$in1,$key # align [and byte swap in LE]
149 vxor $zero,$zero,$zero
152 ?lvsr $outperm,0,$out
155 ?vperm $outmask,$zero,$outmask,$outperm
165 vperm $key,$in0,$in0,$mask # rotate-n-splat
166 vsldoi $tmp,$zero,$in0,12 # >>32
167 vperm $outtail,$in0,$in0,$outperm # rotate
168 vsel $stage,$outhead,$outtail,$outmask
169 vmr $outhead,$outtail
170 vcipherlast $key,$key,$rcon
175 vsldoi $tmp,$zero,$tmp,12 # >>32
177 vsldoi $tmp,$zero,$tmp,12 # >>32
179 vadduwm $rcon,$rcon,$rcon
183 lvx $rcon,0,$ptr # last two round keys
185 vperm $key,$in0,$in0,$mask # rotate-n-splat
186 vsldoi $tmp,$zero,$in0,12 # >>32
187 vperm $outtail,$in0,$in0,$outperm # rotate
188 vsel $stage,$outhead,$outtail,$outmask
189 vmr $outhead,$outtail
190 vcipherlast $key,$key,$rcon
195 vsldoi $tmp,$zero,$tmp,12 # >>32
197 vsldoi $tmp,$zero,$tmp,12 # >>32
199 vadduwm $rcon,$rcon,$rcon
202 vperm $key,$in0,$in0,$mask # rotate-n-splat
203 vsldoi $tmp,$zero,$in0,12 # >>32
204 vperm $outtail,$in0,$in0,$outperm # rotate
205 vsel $stage,$outhead,$outtail,$outmask
206 vmr $outhead,$outtail
207 vcipherlast $key,$key,$rcon
212 vsldoi $tmp,$zero,$tmp,12 # >>32
214 vsldoi $tmp,$zero,$tmp,12 # >>32
217 vperm $outtail,$in0,$in0,$outperm # rotate
218 vsel $stage,$outhead,$outtail,$outmask
219 vmr $outhead,$outtail
222 addi $inp,$out,15 # 15 is not typo
232 vperm $outtail,$in0,$in0,$outperm # rotate
233 vsel $stage,$outhead,$outtail,$outmask
234 vmr $outhead,$outtail
237 vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
238 vspltisb $key,8 # borrow $key
240 vsububm $mask,$mask,$key # adjust the mask
243 vperm $key,$in1,$in1,$mask # roate-n-splat
244 vsldoi $tmp,$zero,$in0,12 # >>32
245 vcipherlast $key,$key,$rcon
248 vsldoi $tmp,$zero,$tmp,12 # >>32
250 vsldoi $tmp,$zero,$tmp,12 # >>32
253 vsldoi $stage,$zero,$in1,8
256 vsldoi $in1,$zero,$in1,12 # >>32
257 vadduwm $rcon,$rcon,$rcon
261 vsldoi $stage,$stage,$in0,8
263 vperm $key,$in1,$in1,$mask # rotate-n-splat
264 vsldoi $tmp,$zero,$in0,12 # >>32
265 vperm $outtail,$stage,$stage,$outperm # rotate
266 vsel $stage,$outhead,$outtail,$outmask
267 vmr $outhead,$outtail
268 vcipherlast $key,$key,$rcon
272 vsldoi $stage,$in0,$in1,8
274 vsldoi $tmp,$zero,$tmp,12 # >>32
275 vperm $outtail,$stage,$stage,$outperm # rotate
276 vsel $stage,$outhead,$outtail,$outmask
277 vmr $outhead,$outtail
279 vsldoi $tmp,$zero,$tmp,12 # >>32
286 vsldoi $in1,$zero,$in1,12 # >>32
287 vadduwm $rcon,$rcon,$rcon
291 vperm $outtail,$in0,$in0,$outperm # rotate
292 vsel $stage,$outhead,$outtail,$outmask
293 vmr $outhead,$outtail
295 addi $inp,$out,15 # 15 is not typo
308 vperm $outtail,$in0,$in0,$outperm # rotate
309 vsel $stage,$outhead,$outtail,$outmask
310 vmr $outhead,$outtail
313 vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
317 vperm $key,$in1,$in1,$mask # rotate-n-splat
318 vsldoi $tmp,$zero,$in0,12 # >>32
319 vperm $outtail,$in1,$in1,$outperm # rotate
320 vsel $stage,$outhead,$outtail,$outmask
321 vmr $outhead,$outtail
322 vcipherlast $key,$key,$rcon
327 vsldoi $tmp,$zero,$tmp,12 # >>32
329 vsldoi $tmp,$zero,$tmp,12 # >>32
331 vadduwm $rcon,$rcon,$rcon
333 vperm $outtail,$in0,$in0,$outperm # rotate
334 vsel $stage,$outhead,$outtail,$outmask
335 vmr $outhead,$outtail
337 addi $inp,$out,15 # 15 is not typo
341 vspltw $key,$in0,3 # just splat
342 vsldoi $tmp,$zero,$in1,12 # >>32
346 vsldoi $tmp,$zero,$tmp,12 # >>32
348 vsldoi $tmp,$zero,$tmp,12 # >>32
356 lvx $in1,0,$inp # redundant in aligned case
357 vsel $in1,$outhead,$in1,$outmask
367 .byte 0,12,0x14,1,0,0,3,0
369 .size .${prefix}_set_encrypt_key,.-.${prefix}_set_encrypt_key
371 .globl .${prefix}_set_decrypt_key
373 .${prefix}_set_decrypt_key:
374 $STU $sp,-$FRAME($sp)
376 $PUSH r10,$FRAME+$LRSAVE($sp)
384 subi $inp,$out,240 # first round key
385 srwi $rounds,$rounds,1
386 add $out,$inp,$cnt # last round key
410 xor r3,r3,r3 # return value
415 .byte 0,12,4,1,0x80,0,3,0
417 .size .${prefix}_set_decrypt_key,.-.${prefix}_set_decrypt_key
420 #########################################################################
421 {{{ # Single block en- and decrypt procedures #
424 my $n = $dir eq "de" ? "n" : "";
425 my ($inp,$out,$key,$rounds,$idx)=map("r$_",(3..7));
428 .globl .${prefix}_${dir}crypt
430 .${prefix}_${dir}crypt:
431 lwz $rounds,240($key)
434 li $idx,15 # 15 is not typo
440 lvsl v2,0,$inp # inpperm
442 ?lvsl v3,0,r11 # outperm
445 vperm v0,v0,v1,v2 # align [and byte swap in LE]
447 ?lvsl v5,0,$key # keyperm
448 srwi $rounds,$rounds,1
451 subi $rounds,$rounds,1
452 ?vperm v1,v1,v2,v5 # align round key
474 v${n}cipherlast v0,v0,v1
478 li $idx,15 # 15 is not typo
479 ?vperm v2,v1,v2,v3 # outmask
481 lvx v1,0,$out # outhead
482 vperm v0,v0,v0,v3 # rotate [and byte swap in LE]
492 .byte 0,12,0x14,0,0,0,3,0
494 .size .${prefix}_${dir}crypt,.-.${prefix}_${dir}crypt
500 #########################################################################
501 {{{ # CBC en- and decrypt procedures #
502 my ($inp,$out,$len,$key,$ivp,$enc,$rounds,$idx)=map("r$_",(3..10));
503 my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
504 my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm)=
507 .globl .${prefix}_cbc_encrypt
509 .${prefix}_cbc_encrypt:
513 cmpwi $enc,0 # test direction
519 vxor $rndkey0,$rndkey0,$rndkey0
520 le?vspltisb $tmp,0x0f
522 lvx $ivec,0,$ivp # load [unaligned] iv
524 lvx $inptail,$idx,$ivp
525 le?vxor $inpperm,$inpperm,$tmp
526 vperm $ivec,$ivec,$inptail,$inpperm
529 ?lvsl $keyperm,0,$key # prepare for unaligned key
530 lwz $rounds,240($key)
532 lvsr $inpperm,0,r11 # prepare for unaligned load
534 addi $inp,$inp,15 # 15 is not typo
535 le?vxor $inpperm,$inpperm,$tmp
537 ?lvsr $outperm,0,$out # prepare for unaligned store
540 ?vperm $outmask,$rndkey0,$outmask,$outperm
541 le?vxor $outperm,$outperm,$tmp
543 srwi $rounds,$rounds,1
545 subi $rounds,$rounds,1
553 subi $len,$len,16 # len-=16
556 vperm $inout,$inout,$inptail,$inpperm
557 lvx $rndkey1,$idx,$key
559 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
560 vxor $inout,$inout,$rndkey0
561 lvx $rndkey0,$idx,$key
563 vxor $inout,$inout,$ivec
566 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
567 vcipher $inout,$inout,$rndkey1
568 lvx $rndkey1,$idx,$key
570 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
571 vcipher $inout,$inout,$rndkey0
572 lvx $rndkey0,$idx,$key
576 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
577 vcipher $inout,$inout,$rndkey1
578 lvx $rndkey1,$idx,$key
580 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
581 vcipherlast $ivec,$inout,$rndkey0
584 vperm $tmp,$ivec,$ivec,$outperm
585 vsel $inout,$outhead,$tmp,$outmask
596 bge _aesp8_cbc_decrypt8x
601 subi $len,$len,16 # len-=16
604 vperm $tmp,$tmp,$inptail,$inpperm
605 lvx $rndkey1,$idx,$key
607 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
608 vxor $inout,$tmp,$rndkey0
609 lvx $rndkey0,$idx,$key
613 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
614 vncipher $inout,$inout,$rndkey1
615 lvx $rndkey1,$idx,$key
617 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
618 vncipher $inout,$inout,$rndkey0
619 lvx $rndkey0,$idx,$key
623 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
624 vncipher $inout,$inout,$rndkey1
625 lvx $rndkey1,$idx,$key
627 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
628 vncipherlast $inout,$inout,$rndkey0
631 vxor $inout,$inout,$ivec
633 vperm $tmp,$inout,$inout,$outperm
634 vsel $inout,$outhead,$tmp,$outmask
642 lvx $inout,0,$out # redundant in aligned case
643 vsel $inout,$outhead,$inout,$outmask
646 neg $enc,$ivp # write [unaligned] iv
647 li $idx,15 # 15 is not typo
648 vxor $rndkey0,$rndkey0,$rndkey0
650 le?vspltisb $tmp,0x0f
651 ?lvsl $outperm,0,$enc
652 ?vperm $outmask,$rndkey0,$outmask,$outperm
653 le?vxor $outperm,$outperm,$tmp
655 vperm $ivec,$ivec,$ivec,$outperm
656 vsel $inout,$outhead,$ivec,$outmask
657 lvx $inptail,$idx,$ivp
659 vsel $inout,$ivec,$inptail,$outmask
660 stvx $inout,$idx,$ivp
665 .byte 0,12,0x14,0,0,0,6,0
668 #########################################################################
669 {{ # Optimized CBC decrypt procedure #
671 my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
672 $x00=0 if ($flavour =~ /osx/);
673 my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10..13));
674 my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(14..21));
675 my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
676 # v26-v31 last 6 round keys
677 my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
681 _aesp8_cbc_decrypt8x:
682 $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
683 li r10,`$FRAME+8*16+15`
684 li r11,`$FRAME+8*16+31`
685 stvx v20,r10,$sp # ABI says so
708 stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
710 $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
712 $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
714 $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
716 $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
718 $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
720 $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
724 subi $rounds,$rounds,3 # -4 in total
725 subi $len,$len,128 # bias
727 lvx $rndkey0,$x00,$key # load key schedule
731 ?vperm $rndkey0,$rndkey0,v30,$keyperm
732 addi $key_,$sp,$FRAME+15
736 ?vperm v24,v30,v31,$keyperm
739 stvx v24,$x00,$key_ # off-load round[1]
740 ?vperm v25,v31,v30,$keyperm
742 stvx v25,$x10,$key_ # off-load round[2]
743 addi $key_,$key_,0x20
744 bdnz Load_cbc_dec_key
747 ?vperm v24,v30,v31,$keyperm
749 stvx v24,$x00,$key_ # off-load round[3]
750 ?vperm v25,v31,v26,$keyperm
752 stvx v25,$x10,$key_ # off-load round[4]
753 addi $key_,$sp,$FRAME+15 # rewind $key_
754 ?vperm v26,v26,v27,$keyperm
756 ?vperm v27,v27,v28,$keyperm
758 ?vperm v28,v28,v29,$keyperm
760 ?vperm v29,v29,v30,$keyperm
761 lvx $out0,$x70,$key # borrow $out0
762 ?vperm v30,v30,v31,$keyperm
763 lvx v24,$x00,$key_ # pre-load round[1]
764 ?vperm v31,v31,$out0,$keyperm
765 lvx v25,$x10,$key_ # pre-load round[2]
767 #lvx $inptail,0,$inp # "caller" already did this
768 #addi $inp,$inp,15 # 15 is not typo
769 subi $inp,$inp,15 # undo "caller"
772 lvx_u $in0,$x00,$inp # load first 8 "words"
773 le?lvsl $inpperm,0,$idx
774 le?vspltisb $tmp,0x0f
776 le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
778 le?vperm $in0,$in0,$in0,$inpperm
780 le?vperm $in1,$in1,$in1,$inpperm
782 le?vperm $in2,$in2,$in2,$inpperm
783 vxor $out0,$in0,$rndkey0
785 le?vperm $in3,$in3,$in3,$inpperm
786 vxor $out1,$in1,$rndkey0
788 le?vperm $in4,$in4,$in4,$inpperm
789 vxor $out2,$in2,$rndkey0
792 le?vperm $in5,$in5,$in5,$inpperm
793 vxor $out3,$in3,$rndkey0
794 le?vperm $in6,$in6,$in6,$inpperm
795 vxor $out4,$in4,$rndkey0
796 le?vperm $in7,$in7,$in7,$inpperm
797 vxor $out5,$in5,$rndkey0
798 vxor $out6,$in6,$rndkey0
799 vxor $out7,$in7,$rndkey0
805 vncipher $out0,$out0,v24
806 vncipher $out1,$out1,v24
807 vncipher $out2,$out2,v24
808 vncipher $out3,$out3,v24
809 vncipher $out4,$out4,v24
810 vncipher $out5,$out5,v24
811 vncipher $out6,$out6,v24
812 vncipher $out7,$out7,v24
813 lvx v24,$x20,$key_ # round[3]
814 addi $key_,$key_,0x20
816 vncipher $out0,$out0,v25
817 vncipher $out1,$out1,v25
818 vncipher $out2,$out2,v25
819 vncipher $out3,$out3,v25
820 vncipher $out4,$out4,v25
821 vncipher $out5,$out5,v25
822 vncipher $out6,$out6,v25
823 vncipher $out7,$out7,v25
824 lvx v25,$x10,$key_ # round[4]
827 subic $len,$len,128 # $len-=128
828 vncipher $out0,$out0,v24
829 vncipher $out1,$out1,v24
830 vncipher $out2,$out2,v24
831 vncipher $out3,$out3,v24
832 vncipher $out4,$out4,v24
833 vncipher $out5,$out5,v24
834 vncipher $out6,$out6,v24
835 vncipher $out7,$out7,v24
837 subfe. r0,r0,r0 # borrow?-1:0
838 vncipher $out0,$out0,v25
839 vncipher $out1,$out1,v25
840 vncipher $out2,$out2,v25
841 vncipher $out3,$out3,v25
842 vncipher $out4,$out4,v25
843 vncipher $out5,$out5,v25
844 vncipher $out6,$out6,v25
845 vncipher $out7,$out7,v25
848 vncipher $out0,$out0,v26
849 vncipher $out1,$out1,v26
850 vncipher $out2,$out2,v26
851 vncipher $out3,$out3,v26
852 vncipher $out4,$out4,v26
853 vncipher $out5,$out5,v26
854 vncipher $out6,$out6,v26
855 vncipher $out7,$out7,v26
857 add $inp,$inp,r0 # $inp is adjusted in such
858 # way that at exit from the
859 # loop inX-in7 are loaded
861 vncipher $out0,$out0,v27
862 vncipher $out1,$out1,v27
863 vncipher $out2,$out2,v27
864 vncipher $out3,$out3,v27
865 vncipher $out4,$out4,v27
866 vncipher $out5,$out5,v27
867 vncipher $out6,$out6,v27
868 vncipher $out7,$out7,v27
870 addi $key_,$sp,$FRAME+15 # rewind $key_
871 vncipher $out0,$out0,v28
872 vncipher $out1,$out1,v28
873 vncipher $out2,$out2,v28
874 vncipher $out3,$out3,v28
875 vncipher $out4,$out4,v28
876 vncipher $out5,$out5,v28
877 vncipher $out6,$out6,v28
878 vncipher $out7,$out7,v28
879 lvx v24,$x00,$key_ # re-pre-load round[1]
881 vncipher $out0,$out0,v29
882 vncipher $out1,$out1,v29
883 vncipher $out2,$out2,v29
884 vncipher $out3,$out3,v29
885 vncipher $out4,$out4,v29
886 vncipher $out5,$out5,v29
887 vncipher $out6,$out6,v29
888 vncipher $out7,$out7,v29
889 lvx v25,$x10,$key_ # re-pre-load round[2]
891 vncipher $out0,$out0,v30
892 vxor $ivec,$ivec,v31 # xor with last round key
893 vncipher $out1,$out1,v30
895 vncipher $out2,$out2,v30
897 vncipher $out3,$out3,v30
899 vncipher $out4,$out4,v30
901 vncipher $out5,$out5,v30
903 vncipher $out6,$out6,v30
905 vncipher $out7,$out7,v30
908 vncipherlast $out0,$out0,$ivec
909 vncipherlast $out1,$out1,$in0
910 lvx_u $in0,$x00,$inp # load next input block
911 vncipherlast $out2,$out2,$in1
913 vncipherlast $out3,$out3,$in2
914 le?vperm $in0,$in0,$in0,$inpperm
916 vncipherlast $out4,$out4,$in3
917 le?vperm $in1,$in1,$in1,$inpperm
919 vncipherlast $out5,$out5,$in4
920 le?vperm $in2,$in2,$in2,$inpperm
922 vncipherlast $out6,$out6,$in5
923 le?vperm $in3,$in3,$in3,$inpperm
925 vncipherlast $out7,$out7,$in6
926 le?vperm $in4,$in4,$in4,$inpperm
929 le?vperm $in5,$in5,$in5,$inpperm
933 le?vperm $out0,$out0,$out0,$inpperm
934 le?vperm $out1,$out1,$out1,$inpperm
935 stvx_u $out0,$x00,$out
936 le?vperm $in6,$in6,$in6,$inpperm
937 vxor $out0,$in0,$rndkey0
938 le?vperm $out2,$out2,$out2,$inpperm
939 stvx_u $out1,$x10,$out
940 le?vperm $in7,$in7,$in7,$inpperm
941 vxor $out1,$in1,$rndkey0
942 le?vperm $out3,$out3,$out3,$inpperm
943 stvx_u $out2,$x20,$out
944 vxor $out2,$in2,$rndkey0
945 le?vperm $out4,$out4,$out4,$inpperm
946 stvx_u $out3,$x30,$out
947 vxor $out3,$in3,$rndkey0
948 le?vperm $out5,$out5,$out5,$inpperm
949 stvx_u $out4,$x40,$out
950 vxor $out4,$in4,$rndkey0
951 le?vperm $out6,$out6,$out6,$inpperm
952 stvx_u $out5,$x50,$out
953 vxor $out5,$in5,$rndkey0
954 le?vperm $out7,$out7,$out7,$inpperm
955 stvx_u $out6,$x60,$out
956 vxor $out6,$in6,$rndkey0
957 stvx_u $out7,$x70,$out
959 vxor $out7,$in7,$rndkey0
962 beq Loop_cbc_dec8x # did $len-=128 borrow?
969 Loop_cbc_dec8x_tail: # up to 7 "words" tail...
970 vncipher $out1,$out1,v24
971 vncipher $out2,$out2,v24
972 vncipher $out3,$out3,v24
973 vncipher $out4,$out4,v24
974 vncipher $out5,$out5,v24
975 vncipher $out6,$out6,v24
976 vncipher $out7,$out7,v24
977 lvx v24,$x20,$key_ # round[3]
978 addi $key_,$key_,0x20
980 vncipher $out1,$out1,v25
981 vncipher $out2,$out2,v25
982 vncipher $out3,$out3,v25
983 vncipher $out4,$out4,v25
984 vncipher $out5,$out5,v25
985 vncipher $out6,$out6,v25
986 vncipher $out7,$out7,v25
987 lvx v25,$x10,$key_ # round[4]
988 bdnz Loop_cbc_dec8x_tail
990 vncipher $out1,$out1,v24
991 vncipher $out2,$out2,v24
992 vncipher $out3,$out3,v24
993 vncipher $out4,$out4,v24
994 vncipher $out5,$out5,v24
995 vncipher $out6,$out6,v24
996 vncipher $out7,$out7,v24
998 vncipher $out1,$out1,v25
999 vncipher $out2,$out2,v25
1000 vncipher $out3,$out3,v25
1001 vncipher $out4,$out4,v25
1002 vncipher $out5,$out5,v25
1003 vncipher $out6,$out6,v25
1004 vncipher $out7,$out7,v25
1006 vncipher $out1,$out1,v26
1007 vncipher $out2,$out2,v26
1008 vncipher $out3,$out3,v26
1009 vncipher $out4,$out4,v26
1010 vncipher $out5,$out5,v26
1011 vncipher $out6,$out6,v26
1012 vncipher $out7,$out7,v26
1014 vncipher $out1,$out1,v27
1015 vncipher $out2,$out2,v27
1016 vncipher $out3,$out3,v27
1017 vncipher $out4,$out4,v27
1018 vncipher $out5,$out5,v27
1019 vncipher $out6,$out6,v27
1020 vncipher $out7,$out7,v27
1022 vncipher $out1,$out1,v28
1023 vncipher $out2,$out2,v28
1024 vncipher $out3,$out3,v28
1025 vncipher $out4,$out4,v28
1026 vncipher $out5,$out5,v28
1027 vncipher $out6,$out6,v28
1028 vncipher $out7,$out7,v28
1030 vncipher $out1,$out1,v29
1031 vncipher $out2,$out2,v29
1032 vncipher $out3,$out3,v29
1033 vncipher $out4,$out4,v29
1034 vncipher $out5,$out5,v29
1035 vncipher $out6,$out6,v29
1036 vncipher $out7,$out7,v29
1038 vncipher $out1,$out1,v30
1039 vxor $ivec,$ivec,v31 # last round key
1040 vncipher $out2,$out2,v30
1042 vncipher $out3,$out3,v30
1044 vncipher $out4,$out4,v30
1046 vncipher $out5,$out5,v30
1048 vncipher $out6,$out6,v30
1050 vncipher $out7,$out7,v30
1053 cmplwi $len,32 # switch($len)
1058 blt Lcbc_dec8x_three
1067 vncipherlast $out1,$out1,$ivec
1068 vncipherlast $out2,$out2,$in1
1069 vncipherlast $out3,$out3,$in2
1070 vncipherlast $out4,$out4,$in3
1071 vncipherlast $out5,$out5,$in4
1072 vncipherlast $out6,$out6,$in5
1073 vncipherlast $out7,$out7,$in6
1076 le?vperm $out1,$out1,$out1,$inpperm
1077 le?vperm $out2,$out2,$out2,$inpperm
1078 stvx_u $out1,$x00,$out
1079 le?vperm $out3,$out3,$out3,$inpperm
1080 stvx_u $out2,$x10,$out
1081 le?vperm $out4,$out4,$out4,$inpperm
1082 stvx_u $out3,$x20,$out
1083 le?vperm $out5,$out5,$out5,$inpperm
1084 stvx_u $out4,$x30,$out
1085 le?vperm $out6,$out6,$out6,$inpperm
1086 stvx_u $out5,$x40,$out
1087 le?vperm $out7,$out7,$out7,$inpperm
1088 stvx_u $out6,$x50,$out
1089 stvx_u $out7,$x60,$out
1095 vncipherlast $out2,$out2,$ivec
1096 vncipherlast $out3,$out3,$in2
1097 vncipherlast $out4,$out4,$in3
1098 vncipherlast $out5,$out5,$in4
1099 vncipherlast $out6,$out6,$in5
1100 vncipherlast $out7,$out7,$in6
1103 le?vperm $out2,$out2,$out2,$inpperm
1104 le?vperm $out3,$out3,$out3,$inpperm
1105 stvx_u $out2,$x00,$out
1106 le?vperm $out4,$out4,$out4,$inpperm
1107 stvx_u $out3,$x10,$out
1108 le?vperm $out5,$out5,$out5,$inpperm
1109 stvx_u $out4,$x20,$out
1110 le?vperm $out6,$out6,$out6,$inpperm
1111 stvx_u $out5,$x30,$out
1112 le?vperm $out7,$out7,$out7,$inpperm
1113 stvx_u $out6,$x40,$out
1114 stvx_u $out7,$x50,$out
1120 vncipherlast $out3,$out3,$ivec
1121 vncipherlast $out4,$out4,$in3
1122 vncipherlast $out5,$out5,$in4
1123 vncipherlast $out6,$out6,$in5
1124 vncipherlast $out7,$out7,$in6
1127 le?vperm $out3,$out3,$out3,$inpperm
1128 le?vperm $out4,$out4,$out4,$inpperm
1129 stvx_u $out3,$x00,$out
1130 le?vperm $out5,$out5,$out5,$inpperm
1131 stvx_u $out4,$x10,$out
1132 le?vperm $out6,$out6,$out6,$inpperm
1133 stvx_u $out5,$x20,$out
1134 le?vperm $out7,$out7,$out7,$inpperm
1135 stvx_u $out6,$x30,$out
1136 stvx_u $out7,$x40,$out
1142 vncipherlast $out4,$out4,$ivec
1143 vncipherlast $out5,$out5,$in4
1144 vncipherlast $out6,$out6,$in5
1145 vncipherlast $out7,$out7,$in6
1148 le?vperm $out4,$out4,$out4,$inpperm
1149 le?vperm $out5,$out5,$out5,$inpperm
1150 stvx_u $out4,$x00,$out
1151 le?vperm $out6,$out6,$out6,$inpperm
1152 stvx_u $out5,$x10,$out
1153 le?vperm $out7,$out7,$out7,$inpperm
1154 stvx_u $out6,$x20,$out
1155 stvx_u $out7,$x30,$out
1161 vncipherlast $out5,$out5,$ivec
1162 vncipherlast $out6,$out6,$in5
1163 vncipherlast $out7,$out7,$in6
1166 le?vperm $out5,$out5,$out5,$inpperm
1167 le?vperm $out6,$out6,$out6,$inpperm
1168 stvx_u $out5,$x00,$out
1169 le?vperm $out7,$out7,$out7,$inpperm
1170 stvx_u $out6,$x10,$out
1171 stvx_u $out7,$x20,$out
1177 vncipherlast $out6,$out6,$ivec
1178 vncipherlast $out7,$out7,$in6
1181 le?vperm $out6,$out6,$out6,$inpperm
1182 le?vperm $out7,$out7,$out7,$inpperm
1183 stvx_u $out6,$x00,$out
1184 stvx_u $out7,$x10,$out
1190 vncipherlast $out7,$out7,$ivec
1193 le?vperm $out7,$out7,$out7,$inpperm
1198 le?vperm $ivec,$ivec,$ivec,$inpperm
1199 stvx_u $ivec,0,$ivp # write [unaligned] iv
1203 stvx $inpperm,r10,$sp # wipe copies of round keys
1205 stvx $inpperm,r11,$sp
1207 stvx $inpperm,r10,$sp
1209 stvx $inpperm,r11,$sp
1211 stvx $inpperm,r10,$sp
1213 stvx $inpperm,r11,$sp
1215 stvx $inpperm,r10,$sp
1217 stvx $inpperm,r11,$sp
1221 lvx v20,r10,$sp # ABI says so
1243 $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
1244 $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
1245 $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
1246 $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
1247 $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
1248 $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
1249 addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
1252 .byte 0,12,0x04,0,0x80,6,6,0
1254 .size .${prefix}_cbc_encrypt,.-.${prefix}_cbc_encrypt
1258 #########################################################################
1259 {{{ # CTR procedure[s] #
1260 my ($inp,$out,$len,$key,$ivp,$x10,$rounds,$idx)=map("r$_",(3..10));
1261 my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
1262 my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm,$one)=
1267 .globl .${prefix}_ctr32_encrypt_blocks
1269 .${prefix}_ctr32_encrypt_blocks:
1278 vxor $rndkey0,$rndkey0,$rndkey0
1279 le?vspltisb $tmp,0x0f
1281 lvx $ivec,0,$ivp # load [unaligned] iv
1282 lvsl $inpperm,0,$ivp
1283 lvx $inptail,$idx,$ivp
1285 le?vxor $inpperm,$inpperm,$tmp
1286 vperm $ivec,$ivec,$inptail,$inpperm
1287 vsldoi $one,$rndkey0,$one,1
1290 ?lvsl $keyperm,0,$key # prepare for unaligned key
1291 lwz $rounds,240($key)
1293 lvsr $inpperm,0,r11 # prepare for unaligned load
1295 addi $inp,$inp,15 # 15 is not typo
1296 le?vxor $inpperm,$inpperm,$tmp
1298 srwi $rounds,$rounds,1
1300 subi $rounds,$rounds,1
1303 bge _aesp8_ctr32_encrypt8x
1305 ?lvsr $outperm,0,$out # prepare for unaligned store
1306 vspltisb $outmask,-1
1308 ?vperm $outmask,$rndkey0,$outmask,$outperm
1309 le?vxor $outperm,$outperm,$tmp
1313 lvx $rndkey1,$idx,$key
1315 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1316 vxor $inout,$ivec,$rndkey0
1317 lvx $rndkey0,$idx,$key
1323 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
1324 vcipher $inout,$inout,$rndkey1
1325 lvx $rndkey1,$idx,$key
1327 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1328 vcipher $inout,$inout,$rndkey0
1329 lvx $rndkey0,$idx,$key
1333 vadduwm $ivec,$ivec,$one
1337 subic. $len,$len,1 # blocks--
1339 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
1340 vcipher $inout,$inout,$rndkey1
1341 lvx $rndkey1,$idx,$key
1342 vperm $dat,$dat,$inptail,$inpperm
1344 ?vperm $rndkey1,$rndkey0,$rndkey1,$keyperm
1346 vxor $dat,$dat,$rndkey1 # last round key
1347 vcipherlast $inout,$inout,$dat
1349 lvx $rndkey1,$idx,$key
1351 vperm $inout,$inout,$inout,$outperm
1352 vsel $dat,$outhead,$inout,$outmask
1354 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1356 vxor $inout,$ivec,$rndkey0
1357 lvx $rndkey0,$idx,$key
1364 lvx $inout,0,$out # redundant in aligned case
1365 vsel $inout,$outhead,$inout,$outmask
1371 .byte 0,12,0x14,0,0,0,6,0
1374 #########################################################################
1375 {{ # Optimized CTR procedure #
1377 my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
1378 $x00=0 if ($flavour =~ /osx/);
1379 my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10,12..14));
1380 my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(15..22));
1381 my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
1382 # v26-v31 last 6 round keys
1383 my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
1384 my ($two,$three,$four)=($outhead,$outperm,$outmask);
1388 _aesp8_ctr32_encrypt8x:
1389 $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
1390 li r10,`$FRAME+8*16+15`
1391 li r11,`$FRAME+8*16+31`
1392 stvx v20,r10,$sp # ABI says so
1415 stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
1417 $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
1419 $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
1421 $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
1423 $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
1425 $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
1427 $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
1431 subi $rounds,$rounds,3 # -4 in total
1433 lvx $rndkey0,$x00,$key # load key schedule
1437 ?vperm $rndkey0,$rndkey0,v30,$keyperm
1438 addi $key_,$sp,$FRAME+15
1442 ?vperm v24,v30,v31,$keyperm
1445 stvx v24,$x00,$key_ # off-load round[1]
1446 ?vperm v25,v31,v30,$keyperm
1448 stvx v25,$x10,$key_ # off-load round[2]
1449 addi $key_,$key_,0x20
1450 bdnz Load_ctr32_enc_key
1453 ?vperm v24,v30,v31,$keyperm
1455 stvx v24,$x00,$key_ # off-load round[3]
1456 ?vperm v25,v31,v26,$keyperm
1458 stvx v25,$x10,$key_ # off-load round[4]
1459 addi $key_,$sp,$FRAME+15 # rewind $key_
1460 ?vperm v26,v26,v27,$keyperm
1462 ?vperm v27,v27,v28,$keyperm
1464 ?vperm v28,v28,v29,$keyperm
1466 ?vperm v29,v29,v30,$keyperm
1467 lvx $out0,$x70,$key # borrow $out0
1468 ?vperm v30,v30,v31,$keyperm
1469 lvx v24,$x00,$key_ # pre-load round[1]
1470 ?vperm v31,v31,$out0,$keyperm
1471 lvx v25,$x10,$key_ # pre-load round[2]
1473 vadduwm $two,$one,$one
1474 subi $inp,$inp,15 # undo "caller"
1477 vadduwm $out1,$ivec,$one # counter values ...
1478 vadduwm $out2,$ivec,$two
1479 vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
1481 vadduwm $out3,$out1,$two
1482 vxor $out1,$out1,$rndkey0
1483 le?lvsl $inpperm,0,$idx
1484 vadduwm $out4,$out2,$two
1485 vxor $out2,$out2,$rndkey0
1486 le?vspltisb $tmp,0x0f
1487 vadduwm $out5,$out3,$two
1488 vxor $out3,$out3,$rndkey0
1489 le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
1490 vadduwm $out6,$out4,$two
1491 vxor $out4,$out4,$rndkey0
1492 vadduwm $out7,$out5,$two
1493 vxor $out5,$out5,$rndkey0
1494 vadduwm $ivec,$out6,$two # next counter value
1495 vxor $out6,$out6,$rndkey0
1496 vxor $out7,$out7,$rndkey0
1502 vcipher $out0,$out0,v24
1503 vcipher $out1,$out1,v24
1504 vcipher $out2,$out2,v24
1505 vcipher $out3,$out3,v24
1506 vcipher $out4,$out4,v24
1507 vcipher $out5,$out5,v24
1508 vcipher $out6,$out6,v24
1509 vcipher $out7,$out7,v24
1510 Loop_ctr32_enc8x_middle:
1511 lvx v24,$x20,$key_ # round[3]
1512 addi $key_,$key_,0x20
1514 vcipher $out0,$out0,v25
1515 vcipher $out1,$out1,v25
1516 vcipher $out2,$out2,v25
1517 vcipher $out3,$out3,v25
1518 vcipher $out4,$out4,v25
1519 vcipher $out5,$out5,v25
1520 vcipher $out6,$out6,v25
1521 vcipher $out7,$out7,v25
1522 lvx v25,$x10,$key_ # round[4]
1523 bdnz Loop_ctr32_enc8x
1525 subic r11,$len,256 # $len-256, borrow $key_
1526 vcipher $out0,$out0,v24
1527 vcipher $out1,$out1,v24
1528 vcipher $out2,$out2,v24
1529 vcipher $out3,$out3,v24
1530 vcipher $out4,$out4,v24
1531 vcipher $out5,$out5,v24
1532 vcipher $out6,$out6,v24
1533 vcipher $out7,$out7,v24
1535 subfe r0,r0,r0 # borrow?-1:0
1536 vcipher $out0,$out0,v25
1537 vcipher $out1,$out1,v25
1538 vcipher $out2,$out2,v25
1539 vcipher $out3,$out3,v25
1540 vcipher $out4,$out4,v25
1541 vcipher $out5,$out5,v25
1542 vcipher $out6,$out6,v25
1543 vcipher $out7,$out7,v25
1546 addi $key_,$sp,$FRAME+15 # rewind $key_
1547 vcipher $out0,$out0,v26
1548 vcipher $out1,$out1,v26
1549 vcipher $out2,$out2,v26
1550 vcipher $out3,$out3,v26
1551 vcipher $out4,$out4,v26
1552 vcipher $out5,$out5,v26
1553 vcipher $out6,$out6,v26
1554 vcipher $out7,$out7,v26
1555 lvx v24,$x00,$key_ # re-pre-load round[1]
1557 subic $len,$len,129 # $len-=129
1558 vcipher $out0,$out0,v27
1559 addi $len,$len,1 # $len-=128 really
1560 vcipher $out1,$out1,v27
1561 vcipher $out2,$out2,v27
1562 vcipher $out3,$out3,v27
1563 vcipher $out4,$out4,v27
1564 vcipher $out5,$out5,v27
1565 vcipher $out6,$out6,v27
1566 vcipher $out7,$out7,v27
1567 lvx v25,$x10,$key_ # re-pre-load round[2]
1569 vcipher $out0,$out0,v28
1570 lvx_u $in0,$x00,$inp # load input
1571 vcipher $out1,$out1,v28
1572 lvx_u $in1,$x10,$inp
1573 vcipher $out2,$out2,v28
1574 lvx_u $in2,$x20,$inp
1575 vcipher $out3,$out3,v28
1576 lvx_u $in3,$x30,$inp
1577 vcipher $out4,$out4,v28
1578 lvx_u $in4,$x40,$inp
1579 vcipher $out5,$out5,v28
1580 lvx_u $in5,$x50,$inp
1581 vcipher $out6,$out6,v28
1582 lvx_u $in6,$x60,$inp
1583 vcipher $out7,$out7,v28
1584 lvx_u $in7,$x70,$inp
1587 vcipher $out0,$out0,v29
1588 le?vperm $in0,$in0,$in0,$inpperm
1589 vcipher $out1,$out1,v29
1590 le?vperm $in1,$in1,$in1,$inpperm
1591 vcipher $out2,$out2,v29
1592 le?vperm $in2,$in2,$in2,$inpperm
1593 vcipher $out3,$out3,v29
1594 le?vperm $in3,$in3,$in3,$inpperm
1595 vcipher $out4,$out4,v29
1596 le?vperm $in4,$in4,$in4,$inpperm
1597 vcipher $out5,$out5,v29
1598 le?vperm $in5,$in5,$in5,$inpperm
1599 vcipher $out6,$out6,v29
1600 le?vperm $in6,$in6,$in6,$inpperm
1601 vcipher $out7,$out7,v29
1602 le?vperm $in7,$in7,$in7,$inpperm
1604 add $inp,$inp,r0 # $inp is adjusted in such
1605 # way that at exit from the
1606 # loop inX-in7 are loaded
1608 subfe. r0,r0,r0 # borrow?-1:0
1609 vcipher $out0,$out0,v30
1610 vxor $in0,$in0,v31 # xor with last round key
1611 vcipher $out1,$out1,v30
1613 vcipher $out2,$out2,v30
1615 vcipher $out3,$out3,v30
1617 vcipher $out4,$out4,v30
1619 vcipher $out5,$out5,v30
1621 vcipher $out6,$out6,v30
1623 vcipher $out7,$out7,v30
1626 bne Lctr32_enc8x_break # did $len-129 borrow?
1628 vcipherlast $in0,$out0,$in0
1629 vcipherlast $in1,$out1,$in1
1630 vadduwm $out1,$ivec,$one # counter values ...
1631 vcipherlast $in2,$out2,$in2
1632 vadduwm $out2,$ivec,$two
1633 vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
1634 vcipherlast $in3,$out3,$in3
1635 vadduwm $out3,$out1,$two
1636 vxor $out1,$out1,$rndkey0
1637 vcipherlast $in4,$out4,$in4
1638 vadduwm $out4,$out2,$two
1639 vxor $out2,$out2,$rndkey0
1640 vcipherlast $in5,$out5,$in5
1641 vadduwm $out5,$out3,$two
1642 vxor $out3,$out3,$rndkey0
1643 vcipherlast $in6,$out6,$in6
1644 vadduwm $out6,$out4,$two
1645 vxor $out4,$out4,$rndkey0
1646 vcipherlast $in7,$out7,$in7
1647 vadduwm $out7,$out5,$two
1648 vxor $out5,$out5,$rndkey0
1649 le?vperm $in0,$in0,$in0,$inpperm
1650 vadduwm $ivec,$out6,$two # next counter value
1651 vxor $out6,$out6,$rndkey0
1652 le?vperm $in1,$in1,$in1,$inpperm
1653 vxor $out7,$out7,$rndkey0
1656 vcipher $out0,$out0,v24
1657 stvx_u $in0,$x00,$out
1658 le?vperm $in2,$in2,$in2,$inpperm
1659 vcipher $out1,$out1,v24
1660 stvx_u $in1,$x10,$out
1661 le?vperm $in3,$in3,$in3,$inpperm
1662 vcipher $out2,$out2,v24
1663 stvx_u $in2,$x20,$out
1664 le?vperm $in4,$in4,$in4,$inpperm
1665 vcipher $out3,$out3,v24
1666 stvx_u $in3,$x30,$out
1667 le?vperm $in5,$in5,$in5,$inpperm
1668 vcipher $out4,$out4,v24
1669 stvx_u $in4,$x40,$out
1670 le?vperm $in6,$in6,$in6,$inpperm
1671 vcipher $out5,$out5,v24
1672 stvx_u $in5,$x50,$out
1673 le?vperm $in7,$in7,$in7,$inpperm
1674 vcipher $out6,$out6,v24
1675 stvx_u $in6,$x60,$out
1676 vcipher $out7,$out7,v24
1677 stvx_u $in7,$x70,$out
1680 b Loop_ctr32_enc8x_middle
1685 blt Lctr32_enc8x_one
1687 beq Lctr32_enc8x_two
1689 blt Lctr32_enc8x_three
1691 beq Lctr32_enc8x_four
1693 blt Lctr32_enc8x_five
1695 beq Lctr32_enc8x_six
1697 blt Lctr32_enc8x_seven
1700 vcipherlast $out0,$out0,$in0
1701 vcipherlast $out1,$out1,$in1
1702 vcipherlast $out2,$out2,$in2
1703 vcipherlast $out3,$out3,$in3
1704 vcipherlast $out4,$out4,$in4
1705 vcipherlast $out5,$out5,$in5
1706 vcipherlast $out6,$out6,$in6
1707 vcipherlast $out7,$out7,$in7
1709 le?vperm $out0,$out0,$out0,$inpperm
1710 le?vperm $out1,$out1,$out1,$inpperm
1711 stvx_u $out0,$x00,$out
1712 le?vperm $out2,$out2,$out2,$inpperm
1713 stvx_u $out1,$x10,$out
1714 le?vperm $out3,$out3,$out3,$inpperm
1715 stvx_u $out2,$x20,$out
1716 le?vperm $out4,$out4,$out4,$inpperm
1717 stvx_u $out3,$x30,$out
1718 le?vperm $out5,$out5,$out5,$inpperm
1719 stvx_u $out4,$x40,$out
1720 le?vperm $out6,$out6,$out6,$inpperm
1721 stvx_u $out5,$x50,$out
1722 le?vperm $out7,$out7,$out7,$inpperm
1723 stvx_u $out6,$x60,$out
1724 stvx_u $out7,$x70,$out
1730 vcipherlast $out0,$out0,$in1
1731 vcipherlast $out1,$out1,$in2
1732 vcipherlast $out2,$out2,$in3
1733 vcipherlast $out3,$out3,$in4
1734 vcipherlast $out4,$out4,$in5
1735 vcipherlast $out5,$out5,$in6
1736 vcipherlast $out6,$out6,$in7
1738 le?vperm $out0,$out0,$out0,$inpperm
1739 le?vperm $out1,$out1,$out1,$inpperm
1740 stvx_u $out0,$x00,$out
1741 le?vperm $out2,$out2,$out2,$inpperm
1742 stvx_u $out1,$x10,$out
1743 le?vperm $out3,$out3,$out3,$inpperm
1744 stvx_u $out2,$x20,$out
1745 le?vperm $out4,$out4,$out4,$inpperm
1746 stvx_u $out3,$x30,$out
1747 le?vperm $out5,$out5,$out5,$inpperm
1748 stvx_u $out4,$x40,$out
1749 le?vperm $out6,$out6,$out6,$inpperm
1750 stvx_u $out5,$x50,$out
1751 stvx_u $out6,$x60,$out
1757 vcipherlast $out0,$out0,$in2
1758 vcipherlast $out1,$out1,$in3
1759 vcipherlast $out2,$out2,$in4
1760 vcipherlast $out3,$out3,$in5
1761 vcipherlast $out4,$out4,$in6
1762 vcipherlast $out5,$out5,$in7
1764 le?vperm $out0,$out0,$out0,$inpperm
1765 le?vperm $out1,$out1,$out1,$inpperm
1766 stvx_u $out0,$x00,$out
1767 le?vperm $out2,$out2,$out2,$inpperm
1768 stvx_u $out1,$x10,$out
1769 le?vperm $out3,$out3,$out3,$inpperm
1770 stvx_u $out2,$x20,$out
1771 le?vperm $out4,$out4,$out4,$inpperm
1772 stvx_u $out3,$x30,$out
1773 le?vperm $out5,$out5,$out5,$inpperm
1774 stvx_u $out4,$x40,$out
1775 stvx_u $out5,$x50,$out
1781 vcipherlast $out0,$out0,$in3
1782 vcipherlast $out1,$out1,$in4
1783 vcipherlast $out2,$out2,$in5
1784 vcipherlast $out3,$out3,$in6
1785 vcipherlast $out4,$out4,$in7
1787 le?vperm $out0,$out0,$out0,$inpperm
1788 le?vperm $out1,$out1,$out1,$inpperm
1789 stvx_u $out0,$x00,$out
1790 le?vperm $out2,$out2,$out2,$inpperm
1791 stvx_u $out1,$x10,$out
1792 le?vperm $out3,$out3,$out3,$inpperm
1793 stvx_u $out2,$x20,$out
1794 le?vperm $out4,$out4,$out4,$inpperm
1795 stvx_u $out3,$x30,$out
1796 stvx_u $out4,$x40,$out
1802 vcipherlast $out0,$out0,$in4
1803 vcipherlast $out1,$out1,$in5
1804 vcipherlast $out2,$out2,$in6
1805 vcipherlast $out3,$out3,$in7
1807 le?vperm $out0,$out0,$out0,$inpperm
1808 le?vperm $out1,$out1,$out1,$inpperm
1809 stvx_u $out0,$x00,$out
1810 le?vperm $out2,$out2,$out2,$inpperm
1811 stvx_u $out1,$x10,$out
1812 le?vperm $out3,$out3,$out3,$inpperm
1813 stvx_u $out2,$x20,$out
1814 stvx_u $out3,$x30,$out
1820 vcipherlast $out0,$out0,$in5
1821 vcipherlast $out1,$out1,$in6
1822 vcipherlast $out2,$out2,$in7
1824 le?vperm $out0,$out0,$out0,$inpperm
1825 le?vperm $out1,$out1,$out1,$inpperm
1826 stvx_u $out0,$x00,$out
1827 le?vperm $out2,$out2,$out2,$inpperm
1828 stvx_u $out1,$x10,$out
1829 stvx_u $out2,$x20,$out
1835 vcipherlast $out0,$out0,$in6
1836 vcipherlast $out1,$out1,$in7
1838 le?vperm $out0,$out0,$out0,$inpperm
1839 le?vperm $out1,$out1,$out1,$inpperm
1840 stvx_u $out0,$x00,$out
1841 stvx_u $out1,$x10,$out
1847 vcipherlast $out0,$out0,$in7
1849 le?vperm $out0,$out0,$out0,$inpperm
1856 stvx $inpperm,r10,$sp # wipe copies of round keys
1858 stvx $inpperm,r11,$sp
1860 stvx $inpperm,r10,$sp
1862 stvx $inpperm,r11,$sp
1864 stvx $inpperm,r10,$sp
1866 stvx $inpperm,r11,$sp
1868 stvx $inpperm,r10,$sp
1870 stvx $inpperm,r11,$sp
1874 lvx v20,r10,$sp # ABI says so
1896 $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
1897 $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
1898 $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
1899 $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
1900 $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
1901 $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
1902 addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
1905 .byte 0,12,0x04,0,0x80,6,6,0
1907 .size .${prefix}_ctr32_encrypt_blocks,.-.${prefix}_ctr32_encrypt_blocks
1911 #########################################################################
1912 {{{ # XTS procedures #
1913 # int aes_p8_xts_[en|de]crypt(const char *inp, char *out, size_t len, #
1914 # const AES_KEY *key1, const AES_KEY *key2, #
1915 # [const] unsigned char iv[16]); #
1916 # If $key2 is NULL, then a "tweak chaining" mode is engaged, in which #
1917 # input tweak value is assumed to be encrypted already, and last tweak #
1918 # value, one suitable for consecutive call on same chunk of data, is #
1919 # written back to original buffer. In addition, in "tweak chaining" #
1920 # mode only complete input blocks are processed. #
1922 my ($inp,$out,$len,$key1,$key2,$ivp,$rounds,$idx) = map("r$_",(3..10));
1923 my ($rndkey0,$rndkey1,$inout) = map("v$_",(0..2));
1924 my ($output,$inptail,$inpperm,$leperm,$keyperm) = map("v$_",(3..7));
1925 my ($tweak,$seven,$eighty7,$tmp,$tweak1) = map("v$_",(8..12));
1926 my $taillen = $key2;
1928 ($inp,$idx) = ($idx,$inp); # reassign
1931 .globl .${prefix}_xts_encrypt
1933 .${prefix}_xts_encrypt:
1934 mr $inp,r3 # reassign
1940 mfspr r12,256 # save vrsave
1944 vspltisb $seven,0x07 # 0x070707..07
1945 le?lvsl $leperm,r11,r11
1946 le?vspltisb $tmp,0x0f
1947 le?vxor $leperm,$leperm,$seven
1950 lvx $tweak,0,$ivp # load [unaligned] iv
1951 lvsl $inpperm,0,$ivp
1952 lvx $inptail,$idx,$ivp
1953 le?vxor $inpperm,$inpperm,$tmp
1954 vperm $tweak,$tweak,$inptail,$inpperm
1957 lvsr $inpperm,0,r11 # prepare for unaligned load
1959 addi $inp,$inp,15 # 15 is not typo
1960 le?vxor $inpperm,$inpperm,$tmp
1962 ${UCMP}i $key2,0 # key2==NULL?
1963 beq Lxts_enc_no_key2
1965 ?lvsl $keyperm,0,$key2 # prepare for unaligned key
1966 lwz $rounds,240($key2)
1967 srwi $rounds,$rounds,1
1968 subi $rounds,$rounds,1
1971 lvx $rndkey0,0,$key2
1972 lvx $rndkey1,$idx,$key2
1974 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1975 vxor $tweak,$tweak,$rndkey0
1976 lvx $rndkey0,$idx,$key2
1981 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
1982 vcipher $tweak,$tweak,$rndkey1
1983 lvx $rndkey1,$idx,$key2
1985 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1986 vcipher $tweak,$tweak,$rndkey0
1987 lvx $rndkey0,$idx,$key2
1991 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
1992 vcipher $tweak,$tweak,$rndkey1
1993 lvx $rndkey1,$idx,$key2
1994 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1995 vcipherlast $tweak,$tweak,$rndkey0
1997 li $ivp,0 # don't chain the tweak
2002 and $len,$len,$idx # in "tweak chaining"
2003 # mode only complete
2004 # blocks are processed
2009 ?lvsl $keyperm,0,$key1 # prepare for unaligned key
2010 lwz $rounds,240($key1)
2011 srwi $rounds,$rounds,1
2012 subi $rounds,$rounds,1
2015 vslb $eighty7,$seven,$seven # 0x808080..80
2016 vor $eighty7,$eighty7,$seven # 0x878787..87
2017 vspltisb $tmp,1 # 0x010101..01
2018 vsldoi $eighty7,$eighty7,$tmp,15 # 0x870101..01
2021 bge _aesp8_xts_encrypt6x
2023 andi. $taillen,$len,15
2025 subi $taillen,$taillen,16
2030 lvx $rndkey0,0,$key1
2031 lvx $rndkey1,$idx,$key1
2033 vperm $inout,$inout,$inptail,$inpperm
2034 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2035 vxor $inout,$inout,$tweak
2036 vxor $inout,$inout,$rndkey0
2037 lvx $rndkey0,$idx,$key1
2044 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2045 vcipher $inout,$inout,$rndkey1
2046 lvx $rndkey1,$idx,$key1
2048 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2049 vcipher $inout,$inout,$rndkey0
2050 lvx $rndkey0,$idx,$key1
2054 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2055 vcipher $inout,$inout,$rndkey1
2056 lvx $rndkey1,$idx,$key1
2058 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2059 vxor $rndkey0,$rndkey0,$tweak
2060 vcipherlast $output,$inout,$rndkey0
2062 le?vperm $tmp,$output,$output,$leperm
2064 le?stvx_u $tmp,0,$out
2065 be?stvx_u $output,0,$out
2074 lvx $rndkey0,0,$key1
2075 lvx $rndkey1,$idx,$key1
2083 vsrab $tmp,$tweak,$seven # next tweak value
2084 vaddubm $tweak,$tweak,$tweak
2085 vsldoi $tmp,$tmp,$tmp,15
2086 vand $tmp,$tmp,$eighty7
2087 vxor $tweak,$tweak,$tmp
2089 vperm $inout,$inout,$inptail,$inpperm
2090 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2091 vxor $inout,$inout,$tweak
2092 vxor $output,$output,$rndkey0 # just in case $len<16
2093 vxor $inout,$inout,$rndkey0
2094 lvx $rndkey0,$idx,$key1
2101 vxor $output,$output,$tweak
2102 lvsr $inpperm,0,$len # $inpperm is no longer needed
2103 vxor $inptail,$inptail,$inptail # $inptail is no longer needed
2105 vperm $inptail,$inptail,$tmp,$inpperm
2106 vsel $inout,$inout,$output,$inptail
2115 bdnz Loop_xts_enc_steal
2118 b Loop_xts_enc # one more time...
2124 vsrab $tmp,$tweak,$seven # next tweak value
2125 vaddubm $tweak,$tweak,$tweak
2126 vsldoi $tmp,$tmp,$tmp,15
2127 vand $tmp,$tmp,$eighty7
2128 vxor $tweak,$tweak,$tmp
2130 le?vperm $tweak,$tweak,$tweak,$leperm
2131 stvx_u $tweak,0,$ivp
2134 mtspr 256,r12 # restore vrsave
2138 .byte 0,12,0x04,0,0x80,6,6,0
2140 .size .${prefix}_xts_encrypt,.-.${prefix}_xts_encrypt
2142 .globl .${prefix}_xts_decrypt
2144 .${prefix}_xts_decrypt:
2145 mr $inp,r3 # reassign
2151 mfspr r12,256 # save vrsave
2160 vspltisb $seven,0x07 # 0x070707..07
2161 le?lvsl $leperm,r11,r11
2162 le?vspltisb $tmp,0x0f
2163 le?vxor $leperm,$leperm,$seven
2166 lvx $tweak,0,$ivp # load [unaligned] iv
2167 lvsl $inpperm,0,$ivp
2168 lvx $inptail,$idx,$ivp
2169 le?vxor $inpperm,$inpperm,$tmp
2170 vperm $tweak,$tweak,$inptail,$inpperm
2173 lvsr $inpperm,0,r11 # prepare for unaligned load
2175 addi $inp,$inp,15 # 15 is not typo
2176 le?vxor $inpperm,$inpperm,$tmp
2178 ${UCMP}i $key2,0 # key2==NULL?
2179 beq Lxts_dec_no_key2
2181 ?lvsl $keyperm,0,$key2 # prepare for unaligned key
2182 lwz $rounds,240($key2)
2183 srwi $rounds,$rounds,1
2184 subi $rounds,$rounds,1
2187 lvx $rndkey0,0,$key2
2188 lvx $rndkey1,$idx,$key2
2190 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2191 vxor $tweak,$tweak,$rndkey0
2192 lvx $rndkey0,$idx,$key2
2197 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2198 vcipher $tweak,$tweak,$rndkey1
2199 lvx $rndkey1,$idx,$key2
2201 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2202 vcipher $tweak,$tweak,$rndkey0
2203 lvx $rndkey0,$idx,$key2
2207 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2208 vcipher $tweak,$tweak,$rndkey1
2209 lvx $rndkey1,$idx,$key2
2210 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2211 vcipherlast $tweak,$tweak,$rndkey0
2213 li $ivp,0 # don't chain the tweak
2219 add $len,$len,$idx # in "tweak chaining"
2220 # mode only complete
2221 # blocks are processed
2226 ?lvsl $keyperm,0,$key1 # prepare for unaligned key
2227 lwz $rounds,240($key1)
2228 srwi $rounds,$rounds,1
2229 subi $rounds,$rounds,1
2232 vslb $eighty7,$seven,$seven # 0x808080..80
2233 vor $eighty7,$eighty7,$seven # 0x878787..87
2234 vspltisb $tmp,1 # 0x010101..01
2235 vsldoi $eighty7,$eighty7,$tmp,15 # 0x870101..01
2238 bge _aesp8_xts_decrypt6x
2240 lvx $rndkey0,0,$key1
2241 lvx $rndkey1,$idx,$key1
2243 vperm $inout,$inout,$inptail,$inpperm
2244 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2245 vxor $inout,$inout,$tweak
2246 vxor $inout,$inout,$rndkey0
2247 lvx $rndkey0,$idx,$key1
2257 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2258 vncipher $inout,$inout,$rndkey1
2259 lvx $rndkey1,$idx,$key1
2261 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2262 vncipher $inout,$inout,$rndkey0
2263 lvx $rndkey0,$idx,$key1
2267 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2268 vncipher $inout,$inout,$rndkey1
2269 lvx $rndkey1,$idx,$key1
2271 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2272 vxor $rndkey0,$rndkey0,$tweak
2273 vncipherlast $output,$inout,$rndkey0
2275 le?vperm $tmp,$output,$output,$leperm
2277 le?stvx_u $tmp,0,$out
2278 be?stvx_u $output,0,$out
2287 lvx $rndkey0,0,$key1
2288 lvx $rndkey1,$idx,$key1
2291 vsrab $tmp,$tweak,$seven # next tweak value
2292 vaddubm $tweak,$tweak,$tweak
2293 vsldoi $tmp,$tmp,$tmp,15
2294 vand $tmp,$tmp,$eighty7
2295 vxor $tweak,$tweak,$tmp
2297 vperm $inout,$inout,$inptail,$inpperm
2298 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2299 vxor $inout,$inout,$tweak
2300 vxor $inout,$inout,$rndkey0
2301 lvx $rndkey0,$idx,$key1
2309 vsrab $tmp,$tweak,$seven # next tweak value
2310 vaddubm $tweak1,$tweak,$tweak
2311 vsldoi $tmp,$tmp,$tmp,15
2312 vand $tmp,$tmp,$eighty7
2313 vxor $tweak1,$tweak1,$tmp
2318 vxor $inout,$inout,$tweak # :-(
2319 vxor $inout,$inout,$tweak1 # :-)
2322 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2323 vncipher $inout,$inout,$rndkey1
2324 lvx $rndkey1,$idx,$key1
2326 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2327 vncipher $inout,$inout,$rndkey0
2328 lvx $rndkey0,$idx,$key1
2330 bdnz Loop_xts_dec_short
2332 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2333 vncipher $inout,$inout,$rndkey1
2334 lvx $rndkey1,$idx,$key1
2336 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2337 vxor $rndkey0,$rndkey0,$tweak1
2338 vncipherlast $output,$inout,$rndkey0
2340 le?vperm $tmp,$output,$output,$leperm
2342 le?stvx_u $tmp,0,$out
2343 be?stvx_u $output,0,$out
2348 lvx $rndkey0,0,$key1
2349 lvx $rndkey1,$idx,$key1
2351 vperm $inout,$inout,$inptail,$inpperm
2352 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2354 lvsr $inpperm,0,$len # $inpperm is no longer needed
2355 vxor $inptail,$inptail,$inptail # $inptail is no longer needed
2357 vperm $inptail,$inptail,$tmp,$inpperm
2358 vsel $inout,$inout,$output,$inptail
2360 vxor $rndkey0,$rndkey0,$tweak
2361 vxor $inout,$inout,$rndkey0
2362 lvx $rndkey0,$idx,$key1
2371 bdnz Loop_xts_dec_steal
2374 b Loop_xts_dec # one more time...
2380 vsrab $tmp,$tweak,$seven # next tweak value
2381 vaddubm $tweak,$tweak,$tweak
2382 vsldoi $tmp,$tmp,$tmp,15
2383 vand $tmp,$tmp,$eighty7
2384 vxor $tweak,$tweak,$tmp
2386 le?vperm $tweak,$tweak,$tweak,$leperm
2387 stvx_u $tweak,0,$ivp
2390 mtspr 256,r12 # restore vrsave
2394 .byte 0,12,0x04,0,0x80,6,6,0
2396 .size .${prefix}_xts_decrypt,.-.${prefix}_xts_decrypt
2398 #########################################################################
2399 {{ # Optimized XTS procedures #
2401 my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
2402 $x00=0 if ($flavour =~ /osx/);
2403 my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
2404 my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
2405 my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
2406 my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
2407 # v26-v31 last 6 round keys
2408 my ($keyperm)=($out0); # aliases with "caller", redundant assignment
2413 _aesp8_xts_encrypt6x:
2414 $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
2416 li r7,`$FRAME+8*16+15`
2417 li r3,`$FRAME+8*16+31`
2418 $PUSH r11,`$FRAME+21*16+6*$SIZE_T+$LRSAVE`($sp)
2419 stvx v20,r7,$sp # ABI says so
2442 stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
2444 $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
2446 $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
2448 $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
2450 $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
2452 $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
2454 $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
2458 subi $rounds,$rounds,3 # -4 in total
2460 lvx $rndkey0,$x00,$key1 # load key schedule
2462 addi $key1,$key1,0x20
2464 ?vperm $rndkey0,$rndkey0,v30,$keyperm
2465 addi $key_,$sp,$FRAME+15
2469 ?vperm v24,v30,v31,$keyperm
2471 addi $key1,$key1,0x20
2472 stvx v24,$x00,$key_ # off-load round[1]
2473 ?vperm v25,v31,v30,$keyperm
2475 stvx v25,$x10,$key_ # off-load round[2]
2476 addi $key_,$key_,0x20
2477 bdnz Load_xts_enc_key
2480 ?vperm v24,v30,v31,$keyperm
2482 stvx v24,$x00,$key_ # off-load round[3]
2483 ?vperm v25,v31,v26,$keyperm
2485 stvx v25,$x10,$key_ # off-load round[4]
2486 addi $key_,$sp,$FRAME+15 # rewind $key_
2487 ?vperm v26,v26,v27,$keyperm
2489 ?vperm v27,v27,v28,$keyperm
2491 ?vperm v28,v28,v29,$keyperm
2493 ?vperm v29,v29,v30,$keyperm
2494 lvx $twk5,$x70,$key1 # borrow $twk5
2495 ?vperm v30,v30,v31,$keyperm
2496 lvx v24,$x00,$key_ # pre-load round[1]
2497 ?vperm v31,v31,$twk5,$keyperm
2498 lvx v25,$x10,$key_ # pre-load round[2]
2500 vperm $in0,$inout,$inptail,$inpperm
2501 subi $inp,$inp,31 # undo "caller"
2502 vxor $twk0,$tweak,$rndkey0
2503 vsrab $tmp,$tweak,$seven # next tweak value
2504 vaddubm $tweak,$tweak,$tweak
2505 vsldoi $tmp,$tmp,$tmp,15
2506 vand $tmp,$tmp,$eighty7
2507 vxor $out0,$in0,$twk0
2508 vxor $tweak,$tweak,$tmp
2510 lvx_u $in1,$x10,$inp
2511 vxor $twk1,$tweak,$rndkey0
2512 vsrab $tmp,$tweak,$seven # next tweak value
2513 vaddubm $tweak,$tweak,$tweak
2514 vsldoi $tmp,$tmp,$tmp,15
2515 le?vperm $in1,$in1,$in1,$leperm
2516 vand $tmp,$tmp,$eighty7
2517 vxor $out1,$in1,$twk1
2518 vxor $tweak,$tweak,$tmp
2520 lvx_u $in2,$x20,$inp
2521 andi. $taillen,$len,15
2522 vxor $twk2,$tweak,$rndkey0
2523 vsrab $tmp,$tweak,$seven # next tweak value
2524 vaddubm $tweak,$tweak,$tweak
2525 vsldoi $tmp,$tmp,$tmp,15
2526 le?vperm $in2,$in2,$in2,$leperm
2527 vand $tmp,$tmp,$eighty7
2528 vxor $out2,$in2,$twk2
2529 vxor $tweak,$tweak,$tmp
2531 lvx_u $in3,$x30,$inp
2532 sub $len,$len,$taillen
2533 vxor $twk3,$tweak,$rndkey0
2534 vsrab $tmp,$tweak,$seven # next tweak value
2535 vaddubm $tweak,$tweak,$tweak
2536 vsldoi $tmp,$tmp,$tmp,15
2537 le?vperm $in3,$in3,$in3,$leperm
2538 vand $tmp,$tmp,$eighty7
2539 vxor $out3,$in3,$twk3
2540 vxor $tweak,$tweak,$tmp
2542 lvx_u $in4,$x40,$inp
2544 vxor $twk4,$tweak,$rndkey0
2545 vsrab $tmp,$tweak,$seven # next tweak value
2546 vaddubm $tweak,$tweak,$tweak
2547 vsldoi $tmp,$tmp,$tmp,15
2548 le?vperm $in4,$in4,$in4,$leperm
2549 vand $tmp,$tmp,$eighty7
2550 vxor $out4,$in4,$twk4
2551 vxor $tweak,$tweak,$tmp
2553 lvx_u $in5,$x50,$inp
2555 vxor $twk5,$tweak,$rndkey0
2556 vsrab $tmp,$tweak,$seven # next tweak value
2557 vaddubm $tweak,$tweak,$tweak
2558 vsldoi $tmp,$tmp,$tmp,15
2559 le?vperm $in5,$in5,$in5,$leperm
2560 vand $tmp,$tmp,$eighty7
2561 vxor $out5,$in5,$twk5
2562 vxor $tweak,$tweak,$tmp
2564 vxor v31,v31,$rndkey0
2570 vcipher $out0,$out0,v24
2571 vcipher $out1,$out1,v24
2572 vcipher $out2,$out2,v24
2573 vcipher $out3,$out3,v24
2574 vcipher $out4,$out4,v24
2575 vcipher $out5,$out5,v24
2576 lvx v24,$x20,$key_ # round[3]
2577 addi $key_,$key_,0x20
2579 vcipher $out0,$out0,v25
2580 vcipher $out1,$out1,v25
2581 vcipher $out2,$out2,v25
2582 vcipher $out3,$out3,v25
2583 vcipher $out4,$out4,v25
2584 vcipher $out5,$out5,v25
2585 lvx v25,$x10,$key_ # round[4]
2588 subic $len,$len,96 # $len-=96
2589 vxor $in0,$twk0,v31 # xor with last round key
2590 vcipher $out0,$out0,v24
2591 vcipher $out1,$out1,v24
2592 vsrab $tmp,$tweak,$seven # next tweak value
2593 vxor $twk0,$tweak,$rndkey0
2594 vaddubm $tweak,$tweak,$tweak
2595 vcipher $out2,$out2,v24
2596 vcipher $out3,$out3,v24
2597 vsldoi $tmp,$tmp,$tmp,15
2598 vcipher $out4,$out4,v24
2599 vcipher $out5,$out5,v24
2601 subfe. r0,r0,r0 # borrow?-1:0
2602 vand $tmp,$tmp,$eighty7
2603 vcipher $out0,$out0,v25
2604 vcipher $out1,$out1,v25
2605 vxor $tweak,$tweak,$tmp
2606 vcipher $out2,$out2,v25
2607 vcipher $out3,$out3,v25
2609 vsrab $tmp,$tweak,$seven # next tweak value
2610 vxor $twk1,$tweak,$rndkey0
2611 vcipher $out4,$out4,v25
2612 vcipher $out5,$out5,v25
2615 vaddubm $tweak,$tweak,$tweak
2616 vsldoi $tmp,$tmp,$tmp,15
2617 vcipher $out0,$out0,v26
2618 vcipher $out1,$out1,v26
2619 vand $tmp,$tmp,$eighty7
2620 vcipher $out2,$out2,v26
2621 vcipher $out3,$out3,v26
2622 vxor $tweak,$tweak,$tmp
2623 vcipher $out4,$out4,v26
2624 vcipher $out5,$out5,v26
2626 add $inp,$inp,r0 # $inp is adjusted in such
2627 # way that at exit from the
2628 # loop inX-in5 are loaded
2631 vsrab $tmp,$tweak,$seven # next tweak value
2632 vxor $twk2,$tweak,$rndkey0
2633 vaddubm $tweak,$tweak,$tweak
2634 vcipher $out0,$out0,v27
2635 vcipher $out1,$out1,v27
2636 vsldoi $tmp,$tmp,$tmp,15
2637 vcipher $out2,$out2,v27
2638 vcipher $out3,$out3,v27
2639 vand $tmp,$tmp,$eighty7
2640 vcipher $out4,$out4,v27
2641 vcipher $out5,$out5,v27
2643 addi $key_,$sp,$FRAME+15 # rewind $key_
2644 vxor $tweak,$tweak,$tmp
2645 vcipher $out0,$out0,v28
2646 vcipher $out1,$out1,v28
2648 vsrab $tmp,$tweak,$seven # next tweak value
2649 vxor $twk3,$tweak,$rndkey0
2650 vcipher $out2,$out2,v28
2651 vcipher $out3,$out3,v28
2652 vaddubm $tweak,$tweak,$tweak
2653 vsldoi $tmp,$tmp,$tmp,15
2654 vcipher $out4,$out4,v28
2655 vcipher $out5,$out5,v28
2656 lvx v24,$x00,$key_ # re-pre-load round[1]
2657 vand $tmp,$tmp,$eighty7
2659 vcipher $out0,$out0,v29
2660 vcipher $out1,$out1,v29
2661 vxor $tweak,$tweak,$tmp
2662 vcipher $out2,$out2,v29
2663 vcipher $out3,$out3,v29
2665 vsrab $tmp,$tweak,$seven # next tweak value
2666 vxor $twk4,$tweak,$rndkey0
2667 vcipher $out4,$out4,v29
2668 vcipher $out5,$out5,v29
2669 lvx v25,$x10,$key_ # re-pre-load round[2]
2670 vaddubm $tweak,$tweak,$tweak
2671 vsldoi $tmp,$tmp,$tmp,15
2673 vcipher $out0,$out0,v30
2674 vcipher $out1,$out1,v30
2675 vand $tmp,$tmp,$eighty7
2676 vcipher $out2,$out2,v30
2677 vcipher $out3,$out3,v30
2678 vxor $tweak,$tweak,$tmp
2679 vcipher $out4,$out4,v30
2680 vcipher $out5,$out5,v30
2682 vsrab $tmp,$tweak,$seven # next tweak value
2683 vxor $twk5,$tweak,$rndkey0
2685 vcipherlast $out0,$out0,$in0
2686 lvx_u $in0,$x00,$inp # load next input block
2687 vaddubm $tweak,$tweak,$tweak
2688 vsldoi $tmp,$tmp,$tmp,15
2689 vcipherlast $out1,$out1,$in1
2690 lvx_u $in1,$x10,$inp
2691 vcipherlast $out2,$out2,$in2
2692 le?vperm $in0,$in0,$in0,$leperm
2693 lvx_u $in2,$x20,$inp
2694 vand $tmp,$tmp,$eighty7
2695 vcipherlast $out3,$out3,$in3
2696 le?vperm $in1,$in1,$in1,$leperm
2697 lvx_u $in3,$x30,$inp
2698 vcipherlast $out4,$out4,$in4
2699 le?vperm $in2,$in2,$in2,$leperm
2700 lvx_u $in4,$x40,$inp
2701 vxor $tweak,$tweak,$tmp
2702 vcipherlast $tmp,$out5,$in5 # last block might be needed
2704 le?vperm $in3,$in3,$in3,$leperm
2705 lvx_u $in5,$x50,$inp
2707 le?vperm $in4,$in4,$in4,$leperm
2708 le?vperm $in5,$in5,$in5,$leperm
2710 le?vperm $out0,$out0,$out0,$leperm
2711 le?vperm $out1,$out1,$out1,$leperm
2712 stvx_u $out0,$x00,$out # store output
2713 vxor $out0,$in0,$twk0
2714 le?vperm $out2,$out2,$out2,$leperm
2715 stvx_u $out1,$x10,$out
2716 vxor $out1,$in1,$twk1
2717 le?vperm $out3,$out3,$out3,$leperm
2718 stvx_u $out2,$x20,$out
2719 vxor $out2,$in2,$twk2
2720 le?vperm $out4,$out4,$out4,$leperm
2721 stvx_u $out3,$x30,$out
2722 vxor $out3,$in3,$twk3
2723 le?vperm $out5,$tmp,$tmp,$leperm
2724 stvx_u $out4,$x40,$out
2725 vxor $out4,$in4,$twk4
2726 le?stvx_u $out5,$x50,$out
2727 be?stvx_u $tmp, $x50,$out
2728 vxor $out5,$in5,$twk5
2732 beq Loop_xts_enc6x # did $len-=96 borrow?
2734 addic. $len,$len,0x60
2741 blt Lxts_enc6x_three
2746 vxor $out0,$in1,$twk0
2747 vxor $out1,$in2,$twk1
2748 vxor $out2,$in3,$twk2
2749 vxor $out3,$in4,$twk3
2750 vxor $out4,$in5,$twk4
2754 le?vperm $out0,$out0,$out0,$leperm
2755 vmr $twk0,$twk5 # unused tweak
2756 le?vperm $out1,$out1,$out1,$leperm
2757 stvx_u $out0,$x00,$out # store output
2758 le?vperm $out2,$out2,$out2,$leperm
2759 stvx_u $out1,$x10,$out
2760 le?vperm $out3,$out3,$out3,$leperm
2761 stvx_u $out2,$x20,$out
2762 vxor $tmp,$out4,$twk5 # last block prep for stealing
2763 le?vperm $out4,$out4,$out4,$leperm
2764 stvx_u $out3,$x30,$out
2765 stvx_u $out4,$x40,$out
2767 bne Lxts_enc6x_steal
2772 vxor $out0,$in2,$twk0
2773 vxor $out1,$in3,$twk1
2774 vxor $out2,$in4,$twk2
2775 vxor $out3,$in5,$twk3
2776 vxor $out4,$out4,$out4
2780 le?vperm $out0,$out0,$out0,$leperm
2781 vmr $twk0,$twk4 # unused tweak
2782 le?vperm $out1,$out1,$out1,$leperm
2783 stvx_u $out0,$x00,$out # store output
2784 le?vperm $out2,$out2,$out2,$leperm
2785 stvx_u $out1,$x10,$out
2786 vxor $tmp,$out3,$twk4 # last block prep for stealing
2787 le?vperm $out3,$out3,$out3,$leperm
2788 stvx_u $out2,$x20,$out
2789 stvx_u $out3,$x30,$out
2791 bne Lxts_enc6x_steal
2796 vxor $out0,$in3,$twk0
2797 vxor $out1,$in4,$twk1
2798 vxor $out2,$in5,$twk2
2799 vxor $out3,$out3,$out3
2800 vxor $out4,$out4,$out4
2804 le?vperm $out0,$out0,$out0,$leperm
2805 vmr $twk0,$twk3 # unused tweak
2806 le?vperm $out1,$out1,$out1,$leperm
2807 stvx_u $out0,$x00,$out # store output
2808 vxor $tmp,$out2,$twk3 # last block prep for stealing
2809 le?vperm $out2,$out2,$out2,$leperm
2810 stvx_u $out1,$x10,$out
2811 stvx_u $out2,$x20,$out
2813 bne Lxts_enc6x_steal
2818 vxor $out0,$in4,$twk0
2819 vxor $out1,$in5,$twk1
2820 vxor $out2,$out2,$out2
2821 vxor $out3,$out3,$out3
2822 vxor $out4,$out4,$out4
2826 le?vperm $out0,$out0,$out0,$leperm
2827 vmr $twk0,$twk2 # unused tweak
2828 vxor $tmp,$out1,$twk2 # last block prep for stealing
2829 le?vperm $out1,$out1,$out1,$leperm
2830 stvx_u $out0,$x00,$out # store output
2831 stvx_u $out1,$x10,$out
2833 bne Lxts_enc6x_steal
2838 vxor $out0,$in5,$twk0
2841 vcipher $out0,$out0,v24
2842 lvx v24,$x20,$key_ # round[3]
2843 addi $key_,$key_,0x20
2845 vcipher $out0,$out0,v25
2846 lvx v25,$x10,$key_ # round[4]
2849 add $inp,$inp,$taillen
2851 vcipher $out0,$out0,v24
2854 vcipher $out0,$out0,v25
2856 lvsr $inpperm,0,$taillen
2857 vcipher $out0,$out0,v26
2860 vcipher $out0,$out0,v27
2862 addi $key_,$sp,$FRAME+15 # rewind $key_
2863 vcipher $out0,$out0,v28
2864 lvx v24,$x00,$key_ # re-pre-load round[1]
2866 vcipher $out0,$out0,v29
2867 lvx v25,$x10,$key_ # re-pre-load round[2]
2868 vxor $twk0,$twk0,v31
2870 le?vperm $in0,$in0,$in0,$leperm
2871 vcipher $out0,$out0,v30
2873 vperm $in0,$in0,$in0,$inpperm
2874 vcipherlast $out0,$out0,$twk0
2876 vmr $twk0,$twk1 # unused tweak
2877 vxor $tmp,$out0,$twk1 # last block prep for stealing
2878 le?vperm $out0,$out0,$out0,$leperm
2879 stvx_u $out0,$x00,$out # store output
2881 bne Lxts_enc6x_steal
2889 add $inp,$inp,$taillen
2892 lvsr $inpperm,0,$taillen # $in5 is no more
2893 le?vperm $in0,$in0,$in0,$leperm
2894 vperm $in0,$in0,$in0,$inpperm
2895 vxor $tmp,$tmp,$twk0
2897 vxor $in0,$in0,$twk0
2898 vxor $out0,$out0,$out0
2900 vperm $out0,$out0,$out1,$inpperm
2901 vsel $out0,$in0,$tmp,$out0 # $tmp is last block, remember?
2906 Loop_xts_enc6x_steal:
2909 bdnz Loop_xts_enc6x_steal
2913 b Loop_xts_enc1x # one more time...
2920 vxor $tweak,$twk0,$rndkey0
2921 le?vperm $tweak,$tweak,$tweak,$leperm
2922 stvx_u $tweak,0,$ivp
2928 stvx $seven,r10,$sp # wipe copies of round keys
2946 lvx v20,r10,$sp # ABI says so
2968 $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
2969 $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
2970 $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
2971 $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
2972 $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
2973 $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
2974 addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
2977 .byte 0,12,0x04,1,0x80,6,6,0
2982 vcipher $out0,$out0,v24
2983 vcipher $out1,$out1,v24
2984 vcipher $out2,$out2,v24
2985 vcipher $out3,$out3,v24
2986 vcipher $out4,$out4,v24
2987 lvx v24,$x20,$key_ # round[3]
2988 addi $key_,$key_,0x20
2990 vcipher $out0,$out0,v25
2991 vcipher $out1,$out1,v25
2992 vcipher $out2,$out2,v25
2993 vcipher $out3,$out3,v25
2994 vcipher $out4,$out4,v25
2995 lvx v25,$x10,$key_ # round[4]
2996 bdnz _aesp8_xts_enc5x
2998 add $inp,$inp,$taillen
3000 vcipher $out0,$out0,v24
3001 vcipher $out1,$out1,v24
3002 vcipher $out2,$out2,v24
3003 vcipher $out3,$out3,v24
3004 vcipher $out4,$out4,v24
3007 vcipher $out0,$out0,v25
3008 vcipher $out1,$out1,v25
3009 vcipher $out2,$out2,v25
3010 vcipher $out3,$out3,v25
3011 vcipher $out4,$out4,v25
3012 vxor $twk0,$twk0,v31
3014 vcipher $out0,$out0,v26
3015 lvsr $inpperm,0,$taillen # $in5 is no more
3016 vcipher $out1,$out1,v26
3017 vcipher $out2,$out2,v26
3018 vcipher $out3,$out3,v26
3019 vcipher $out4,$out4,v26
3022 vcipher $out0,$out0,v27
3024 vcipher $out1,$out1,v27
3025 vcipher $out2,$out2,v27
3026 vcipher $out3,$out3,v27
3027 vcipher $out4,$out4,v27
3030 addi $key_,$sp,$FRAME+15 # rewind $key_
3031 vcipher $out0,$out0,v28
3032 vcipher $out1,$out1,v28
3033 vcipher $out2,$out2,v28
3034 vcipher $out3,$out3,v28
3035 vcipher $out4,$out4,v28
3036 lvx v24,$x00,$key_ # re-pre-load round[1]
3039 vcipher $out0,$out0,v29
3040 le?vperm $in0,$in0,$in0,$leperm
3041 vcipher $out1,$out1,v29
3042 vcipher $out2,$out2,v29
3043 vcipher $out3,$out3,v29
3044 vcipher $out4,$out4,v29
3045 lvx v25,$x10,$key_ # re-pre-load round[2]
3048 vcipher $out0,$out0,v30
3049 vperm $in0,$in0,$in0,$inpperm
3050 vcipher $out1,$out1,v30
3051 vcipher $out2,$out2,v30
3052 vcipher $out3,$out3,v30
3053 vcipher $out4,$out4,v30
3055 vcipherlast $out0,$out0,$twk0
3056 vcipherlast $out1,$out1,$in1
3057 vcipherlast $out2,$out2,$in2
3058 vcipherlast $out3,$out3,$in3
3059 vcipherlast $out4,$out4,$in4
3062 .byte 0,12,0x14,0,0,0,0,0
3065 _aesp8_xts_decrypt6x:
3066 $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
3068 li r7,`$FRAME+8*16+15`
3069 li r3,`$FRAME+8*16+31`
3070 $PUSH r11,`$FRAME+21*16+6*$SIZE_T+$LRSAVE`($sp)
3071 stvx v20,r7,$sp # ABI says so
3094 stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
3096 $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
3098 $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
3100 $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
3102 $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
3104 $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
3106 $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
3110 subi $rounds,$rounds,3 # -4 in total
3112 lvx $rndkey0,$x00,$key1 # load key schedule
3114 addi $key1,$key1,0x20
3116 ?vperm $rndkey0,$rndkey0,v30,$keyperm
3117 addi $key_,$sp,$FRAME+15
3121 ?vperm v24,v30,v31,$keyperm
3123 addi $key1,$key1,0x20
3124 stvx v24,$x00,$key_ # off-load round[1]
3125 ?vperm v25,v31,v30,$keyperm
3127 stvx v25,$x10,$key_ # off-load round[2]
3128 addi $key_,$key_,0x20
3129 bdnz Load_xts_dec_key
3132 ?vperm v24,v30,v31,$keyperm
3134 stvx v24,$x00,$key_ # off-load round[3]
3135 ?vperm v25,v31,v26,$keyperm
3137 stvx v25,$x10,$key_ # off-load round[4]
3138 addi $key_,$sp,$FRAME+15 # rewind $key_
3139 ?vperm v26,v26,v27,$keyperm
3141 ?vperm v27,v27,v28,$keyperm
3143 ?vperm v28,v28,v29,$keyperm
3145 ?vperm v29,v29,v30,$keyperm
3146 lvx $twk5,$x70,$key1 # borrow $twk5
3147 ?vperm v30,v30,v31,$keyperm
3148 lvx v24,$x00,$key_ # pre-load round[1]
3149 ?vperm v31,v31,$twk5,$keyperm
3150 lvx v25,$x10,$key_ # pre-load round[2]
3152 vperm $in0,$inout,$inptail,$inpperm
3153 subi $inp,$inp,31 # undo "caller"
3154 vxor $twk0,$tweak,$rndkey0
3155 vsrab $tmp,$tweak,$seven # next tweak value
3156 vaddubm $tweak,$tweak,$tweak
3157 vsldoi $tmp,$tmp,$tmp,15
3158 vand $tmp,$tmp,$eighty7
3159 vxor $out0,$in0,$twk0
3160 vxor $tweak,$tweak,$tmp
3162 lvx_u $in1,$x10,$inp
3163 vxor $twk1,$tweak,$rndkey0
3164 vsrab $tmp,$tweak,$seven # next tweak value
3165 vaddubm $tweak,$tweak,$tweak
3166 vsldoi $tmp,$tmp,$tmp,15
3167 le?vperm $in1,$in1,$in1,$leperm
3168 vand $tmp,$tmp,$eighty7
3169 vxor $out1,$in1,$twk1
3170 vxor $tweak,$tweak,$tmp
3172 lvx_u $in2,$x20,$inp
3173 andi. $taillen,$len,15
3174 vxor $twk2,$tweak,$rndkey0
3175 vsrab $tmp,$tweak,$seven # next tweak value
3176 vaddubm $tweak,$tweak,$tweak
3177 vsldoi $tmp,$tmp,$tmp,15
3178 le?vperm $in2,$in2,$in2,$leperm
3179 vand $tmp,$tmp,$eighty7
3180 vxor $out2,$in2,$twk2
3181 vxor $tweak,$tweak,$tmp
3183 lvx_u $in3,$x30,$inp
3184 sub $len,$len,$taillen
3185 vxor $twk3,$tweak,$rndkey0
3186 vsrab $tmp,$tweak,$seven # next tweak value
3187 vaddubm $tweak,$tweak,$tweak
3188 vsldoi $tmp,$tmp,$tmp,15
3189 le?vperm $in3,$in3,$in3,$leperm
3190 vand $tmp,$tmp,$eighty7
3191 vxor $out3,$in3,$twk3
3192 vxor $tweak,$tweak,$tmp
3194 lvx_u $in4,$x40,$inp
3196 vxor $twk4,$tweak,$rndkey0
3197 vsrab $tmp,$tweak,$seven # next tweak value
3198 vaddubm $tweak,$tweak,$tweak
3199 vsldoi $tmp,$tmp,$tmp,15
3200 le?vperm $in4,$in4,$in4,$leperm
3201 vand $tmp,$tmp,$eighty7
3202 vxor $out4,$in4,$twk4
3203 vxor $tweak,$tweak,$tmp
3205 lvx_u $in5,$x50,$inp
3207 vxor $twk5,$tweak,$rndkey0
3208 vsrab $tmp,$tweak,$seven # next tweak value
3209 vaddubm $tweak,$tweak,$tweak
3210 vsldoi $tmp,$tmp,$tmp,15
3211 le?vperm $in5,$in5,$in5,$leperm
3212 vand $tmp,$tmp,$eighty7
3213 vxor $out5,$in5,$twk5
3214 vxor $tweak,$tweak,$tmp
3216 vxor v31,v31,$rndkey0
3222 vncipher $out0,$out0,v24
3223 vncipher $out1,$out1,v24
3224 vncipher $out2,$out2,v24
3225 vncipher $out3,$out3,v24
3226 vncipher $out4,$out4,v24
3227 vncipher $out5,$out5,v24
3228 lvx v24,$x20,$key_ # round[3]
3229 addi $key_,$key_,0x20
3231 vncipher $out0,$out0,v25
3232 vncipher $out1,$out1,v25
3233 vncipher $out2,$out2,v25
3234 vncipher $out3,$out3,v25
3235 vncipher $out4,$out4,v25
3236 vncipher $out5,$out5,v25
3237 lvx v25,$x10,$key_ # round[4]
3240 subic $len,$len,96 # $len-=96
3241 vxor $in0,$twk0,v31 # xor with last round key
3242 vncipher $out0,$out0,v24
3243 vncipher $out1,$out1,v24
3244 vsrab $tmp,$tweak,$seven # next tweak value
3245 vxor $twk0,$tweak,$rndkey0
3246 vaddubm $tweak,$tweak,$tweak
3247 vncipher $out2,$out2,v24
3248 vncipher $out3,$out3,v24
3249 vsldoi $tmp,$tmp,$tmp,15
3250 vncipher $out4,$out4,v24
3251 vncipher $out5,$out5,v24
3253 subfe. r0,r0,r0 # borrow?-1:0
3254 vand $tmp,$tmp,$eighty7
3255 vncipher $out0,$out0,v25
3256 vncipher $out1,$out1,v25
3257 vxor $tweak,$tweak,$tmp
3258 vncipher $out2,$out2,v25
3259 vncipher $out3,$out3,v25
3261 vsrab $tmp,$tweak,$seven # next tweak value
3262 vxor $twk1,$tweak,$rndkey0
3263 vncipher $out4,$out4,v25
3264 vncipher $out5,$out5,v25
3267 vaddubm $tweak,$tweak,$tweak
3268 vsldoi $tmp,$tmp,$tmp,15
3269 vncipher $out0,$out0,v26
3270 vncipher $out1,$out1,v26
3271 vand $tmp,$tmp,$eighty7
3272 vncipher $out2,$out2,v26
3273 vncipher $out3,$out3,v26
3274 vxor $tweak,$tweak,$tmp
3275 vncipher $out4,$out4,v26
3276 vncipher $out5,$out5,v26
3278 add $inp,$inp,r0 # $inp is adjusted in such
3279 # way that at exit from the
3280 # loop inX-in5 are loaded
3283 vsrab $tmp,$tweak,$seven # next tweak value
3284 vxor $twk2,$tweak,$rndkey0
3285 vaddubm $tweak,$tweak,$tweak
3286 vncipher $out0,$out0,v27
3287 vncipher $out1,$out1,v27
3288 vsldoi $tmp,$tmp,$tmp,15
3289 vncipher $out2,$out2,v27
3290 vncipher $out3,$out3,v27
3291 vand $tmp,$tmp,$eighty7
3292 vncipher $out4,$out4,v27
3293 vncipher $out5,$out5,v27
3295 addi $key_,$sp,$FRAME+15 # rewind $key_
3296 vxor $tweak,$tweak,$tmp
3297 vncipher $out0,$out0,v28
3298 vncipher $out1,$out1,v28
3300 vsrab $tmp,$tweak,$seven # next tweak value
3301 vxor $twk3,$tweak,$rndkey0
3302 vncipher $out2,$out2,v28
3303 vncipher $out3,$out3,v28
3304 vaddubm $tweak,$tweak,$tweak
3305 vsldoi $tmp,$tmp,$tmp,15
3306 vncipher $out4,$out4,v28
3307 vncipher $out5,$out5,v28
3308 lvx v24,$x00,$key_ # re-pre-load round[1]
3309 vand $tmp,$tmp,$eighty7
3311 vncipher $out0,$out0,v29
3312 vncipher $out1,$out1,v29
3313 vxor $tweak,$tweak,$tmp
3314 vncipher $out2,$out2,v29
3315 vncipher $out3,$out3,v29
3317 vsrab $tmp,$tweak,$seven # next tweak value
3318 vxor $twk4,$tweak,$rndkey0
3319 vncipher $out4,$out4,v29
3320 vncipher $out5,$out5,v29
3321 lvx v25,$x10,$key_ # re-pre-load round[2]
3322 vaddubm $tweak,$tweak,$tweak
3323 vsldoi $tmp,$tmp,$tmp,15
3325 vncipher $out0,$out0,v30
3326 vncipher $out1,$out1,v30
3327 vand $tmp,$tmp,$eighty7
3328 vncipher $out2,$out2,v30
3329 vncipher $out3,$out3,v30
3330 vxor $tweak,$tweak,$tmp
3331 vncipher $out4,$out4,v30
3332 vncipher $out5,$out5,v30
3334 vsrab $tmp,$tweak,$seven # next tweak value
3335 vxor $twk5,$tweak,$rndkey0
3337 vncipherlast $out0,$out0,$in0
3338 lvx_u $in0,$x00,$inp # load next input block
3339 vaddubm $tweak,$tweak,$tweak
3340 vsldoi $tmp,$tmp,$tmp,15
3341 vncipherlast $out1,$out1,$in1
3342 lvx_u $in1,$x10,$inp
3343 vncipherlast $out2,$out2,$in2
3344 le?vperm $in0,$in0,$in0,$leperm
3345 lvx_u $in2,$x20,$inp
3346 vand $tmp,$tmp,$eighty7
3347 vncipherlast $out3,$out3,$in3
3348 le?vperm $in1,$in1,$in1,$leperm
3349 lvx_u $in3,$x30,$inp
3350 vncipherlast $out4,$out4,$in4
3351 le?vperm $in2,$in2,$in2,$leperm
3352 lvx_u $in4,$x40,$inp
3353 vxor $tweak,$tweak,$tmp
3354 vncipherlast $out5,$out5,$in5
3355 le?vperm $in3,$in3,$in3,$leperm
3356 lvx_u $in5,$x50,$inp
3358 le?vperm $in4,$in4,$in4,$leperm
3359 le?vperm $in5,$in5,$in5,$leperm
3361 le?vperm $out0,$out0,$out0,$leperm
3362 le?vperm $out1,$out1,$out1,$leperm
3363 stvx_u $out0,$x00,$out # store output
3364 vxor $out0,$in0,$twk0
3365 le?vperm $out2,$out2,$out2,$leperm
3366 stvx_u $out1,$x10,$out
3367 vxor $out1,$in1,$twk1
3368 le?vperm $out3,$out3,$out3,$leperm
3369 stvx_u $out2,$x20,$out
3370 vxor $out2,$in2,$twk2
3371 le?vperm $out4,$out4,$out4,$leperm
3372 stvx_u $out3,$x30,$out
3373 vxor $out3,$in3,$twk3
3374 le?vperm $out5,$out5,$out5,$leperm
3375 stvx_u $out4,$x40,$out
3376 vxor $out4,$in4,$twk4
3377 stvx_u $out5,$x50,$out
3378 vxor $out5,$in5,$twk5
3382 beq Loop_xts_dec6x # did $len-=96 borrow?
3384 addic. $len,$len,0x60
3391 blt Lxts_dec6x_three
3396 vxor $out0,$in1,$twk0
3397 vxor $out1,$in2,$twk1
3398 vxor $out2,$in3,$twk2
3399 vxor $out3,$in4,$twk3
3400 vxor $out4,$in5,$twk4
3404 le?vperm $out0,$out0,$out0,$leperm
3405 vmr $twk0,$twk5 # unused tweak
3406 vxor $twk1,$tweak,$rndkey0
3407 le?vperm $out1,$out1,$out1,$leperm
3408 stvx_u $out0,$x00,$out # store output
3409 vxor $out0,$in0,$twk1
3410 le?vperm $out2,$out2,$out2,$leperm
3411 stvx_u $out1,$x10,$out
3412 le?vperm $out3,$out3,$out3,$leperm
3413 stvx_u $out2,$x20,$out
3414 le?vperm $out4,$out4,$out4,$leperm
3415 stvx_u $out3,$x30,$out
3416 stvx_u $out4,$x40,$out
3418 bne Lxts_dec6x_steal
3423 vxor $out0,$in2,$twk0
3424 vxor $out1,$in3,$twk1
3425 vxor $out2,$in4,$twk2
3426 vxor $out3,$in5,$twk3
3427 vxor $out4,$out4,$out4
3431 le?vperm $out0,$out0,$out0,$leperm
3432 vmr $twk0,$twk4 # unused tweak
3434 le?vperm $out1,$out1,$out1,$leperm
3435 stvx_u $out0,$x00,$out # store output
3436 vxor $out0,$in0,$twk5
3437 le?vperm $out2,$out2,$out2,$leperm
3438 stvx_u $out1,$x10,$out
3439 le?vperm $out3,$out3,$out3,$leperm
3440 stvx_u $out2,$x20,$out
3441 stvx_u $out3,$x30,$out
3443 bne Lxts_dec6x_steal
3448 vxor $out0,$in3,$twk0
3449 vxor $out1,$in4,$twk1
3450 vxor $out2,$in5,$twk2
3451 vxor $out3,$out3,$out3
3452 vxor $out4,$out4,$out4
3456 le?vperm $out0,$out0,$out0,$leperm
3457 vmr $twk0,$twk3 # unused tweak
3459 le?vperm $out1,$out1,$out1,$leperm
3460 stvx_u $out0,$x00,$out # store output
3461 vxor $out0,$in0,$twk4
3462 le?vperm $out2,$out2,$out2,$leperm
3463 stvx_u $out1,$x10,$out
3464 stvx_u $out2,$x20,$out
3466 bne Lxts_dec6x_steal
3471 vxor $out0,$in4,$twk0
3472 vxor $out1,$in5,$twk1
3473 vxor $out2,$out2,$out2
3474 vxor $out3,$out3,$out3
3475 vxor $out4,$out4,$out4
3479 le?vperm $out0,$out0,$out0,$leperm
3480 vmr $twk0,$twk2 # unused tweak
3482 le?vperm $out1,$out1,$out1,$leperm
3483 stvx_u $out0,$x00,$out # store output
3484 vxor $out0,$in0,$twk3
3485 stvx_u $out1,$x10,$out
3487 bne Lxts_dec6x_steal
3492 vxor $out0,$in5,$twk0
3495 vncipher $out0,$out0,v24
3496 lvx v24,$x20,$key_ # round[3]
3497 addi $key_,$key_,0x20
3499 vncipher $out0,$out0,v25
3500 lvx v25,$x10,$key_ # round[4]
3504 vncipher $out0,$out0,v24
3508 vncipher $out0,$out0,v25
3511 vncipher $out0,$out0,v26
3514 vncipher $out0,$out0,v27
3516 addi $key_,$sp,$FRAME+15 # rewind $key_
3517 vncipher $out0,$out0,v28
3518 lvx v24,$x00,$key_ # re-pre-load round[1]
3520 vncipher $out0,$out0,v29
3521 lvx v25,$x10,$key_ # re-pre-load round[2]
3522 vxor $twk0,$twk0,v31
3524 le?vperm $in0,$in0,$in0,$leperm
3525 vncipher $out0,$out0,v30
3528 vncipherlast $out0,$out0,$twk0
3530 vmr $twk0,$twk1 # unused tweak
3532 le?vperm $out0,$out0,$out0,$leperm
3533 stvx_u $out0,$x00,$out # store output
3535 vxor $out0,$in0,$twk2
3536 bne Lxts_dec6x_steal
3545 le?vperm $in0,$in0,$in0,$leperm
3546 vxor $out0,$in0,$twk1
3548 vncipher $out0,$out0,v24
3549 lvx v24,$x20,$key_ # round[3]
3550 addi $key_,$key_,0x20
3552 vncipher $out0,$out0,v25
3553 lvx v25,$x10,$key_ # round[4]
3554 bdnz Lxts_dec6x_steal
3556 add $inp,$inp,$taillen
3557 vncipher $out0,$out0,v24
3560 vncipher $out0,$out0,v25
3563 vncipher $out0,$out0,v26
3565 lvsr $inpperm,0,$taillen # $in5 is no more
3566 vncipher $out0,$out0,v27
3568 addi $key_,$sp,$FRAME+15 # rewind $key_
3569 vncipher $out0,$out0,v28
3570 lvx v24,$x00,$key_ # re-pre-load round[1]
3572 vncipher $out0,$out0,v29
3573 lvx v25,$x10,$key_ # re-pre-load round[2]
3574 vxor $twk1,$twk1,v31
3576 le?vperm $in0,$in0,$in0,$leperm
3577 vncipher $out0,$out0,v30
3579 vperm $in0,$in0,$in0,$inpperm
3580 vncipherlast $tmp,$out0,$twk1
3582 le?vperm $out0,$tmp,$tmp,$leperm
3583 le?stvx_u $out0,0,$out
3584 be?stvx_u $tmp,0,$out
3586 vxor $out0,$out0,$out0
3588 vperm $out0,$out0,$out1,$inpperm
3589 vsel $out0,$in0,$tmp,$out0
3590 vxor $out0,$out0,$twk0
3594 Loop_xts_dec6x_steal:
3597 bdnz Loop_xts_dec6x_steal
3601 b Loop_xts_dec1x # one more time...
3608 vxor $tweak,$twk0,$rndkey0
3609 le?vperm $tweak,$tweak,$tweak,$leperm
3610 stvx_u $tweak,0,$ivp
3616 stvx $seven,r10,$sp # wipe copies of round keys
3634 lvx v20,r10,$sp # ABI says so
3656 $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
3657 $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
3658 $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
3659 $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
3660 $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
3661 $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
3662 addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
3665 .byte 0,12,0x04,1,0x80,6,6,0
3670 vncipher $out0,$out0,v24
3671 vncipher $out1,$out1,v24
3672 vncipher $out2,$out2,v24
3673 vncipher $out3,$out3,v24
3674 vncipher $out4,$out4,v24
3675 lvx v24,$x20,$key_ # round[3]
3676 addi $key_,$key_,0x20
3678 vncipher $out0,$out0,v25
3679 vncipher $out1,$out1,v25
3680 vncipher $out2,$out2,v25
3681 vncipher $out3,$out3,v25
3682 vncipher $out4,$out4,v25
3683 lvx v25,$x10,$key_ # round[4]
3684 bdnz _aesp8_xts_dec5x
3687 vncipher $out0,$out0,v24
3688 vncipher $out1,$out1,v24
3689 vncipher $out2,$out2,v24
3690 vncipher $out3,$out3,v24
3691 vncipher $out4,$out4,v24
3695 vncipher $out0,$out0,v25
3696 vncipher $out1,$out1,v25
3697 vncipher $out2,$out2,v25
3698 vncipher $out3,$out3,v25
3699 vncipher $out4,$out4,v25
3700 vxor $twk0,$twk0,v31
3703 vncipher $out0,$out0,v26
3704 vncipher $out1,$out1,v26
3705 vncipher $out2,$out2,v26
3706 vncipher $out3,$out3,v26
3707 vncipher $out4,$out4,v26
3710 vncipher $out0,$out0,v27
3712 vncipher $out1,$out1,v27
3713 vncipher $out2,$out2,v27
3714 vncipher $out3,$out3,v27
3715 vncipher $out4,$out4,v27
3718 addi $key_,$sp,$FRAME+15 # rewind $key_
3719 vncipher $out0,$out0,v28
3720 vncipher $out1,$out1,v28
3721 vncipher $out2,$out2,v28
3722 vncipher $out3,$out3,v28
3723 vncipher $out4,$out4,v28
3724 lvx v24,$x00,$key_ # re-pre-load round[1]
3727 vncipher $out0,$out0,v29
3728 le?vperm $in0,$in0,$in0,$leperm
3729 vncipher $out1,$out1,v29
3730 vncipher $out2,$out2,v29
3731 vncipher $out3,$out3,v29
3732 vncipher $out4,$out4,v29
3733 lvx v25,$x10,$key_ # re-pre-load round[2]
3736 vncipher $out0,$out0,v30
3737 vncipher $out1,$out1,v30
3738 vncipher $out2,$out2,v30
3739 vncipher $out3,$out3,v30
3740 vncipher $out4,$out4,v30
3742 vncipherlast $out0,$out0,$twk0
3743 vncipherlast $out1,$out1,$in1
3744 vncipherlast $out2,$out2,$in2
3745 vncipherlast $out3,$out3,$in3
3746 vncipherlast $out4,$out4,$in4
3750 .byte 0,12,0x14,0,0,0,0,0
3755 foreach(split("\n",$code)) {
3756 s/\`([^\`]*)\`/eval($1)/geo;
3758 # constants table endian-specific conversion
3759 if ($consts && m/\.(long|byte)\s+(.+)\s+(\?[a-z]*)$/o) {
3763 # convert to endian-agnostic format
3765 foreach (split(/,\s*/,$2)) {
3766 my $l = /^0/?oct:int;
3767 push @bytes,($l>>24)&0xff,($l>>16)&0xff,($l>>8)&0xff,$l&0xff;
3770 @bytes = map(/^0/?oct:int,split(/,\s*/,$2));
3773 # little-endian conversion
3774 if ($flavour =~ /le$/o) {
3775 SWITCH: for($conv) {
3776 /\?inv/ && do { @bytes=map($_^0xf,@bytes); last; };
3777 /\?rev/ && do { @bytes=reverse(@bytes); last; };
3782 print ".byte\t",join(',',map (sprintf("0x%02x",$_),@bytes)),"\n";
3785 $consts=0 if (m/Lconsts:/o); # end of table
3787 # instructions prefixed with '?' are endian-specific and need
3788 # to be adjusted accordingly...
3789 if ($flavour =~ /le$/o) { # little-endian
3794 s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/o or
3795 s/\?(vsldoi\s+v[0-9]+,\s*)(v[0-9]+,)\s*(v[0-9]+,\s*)([0-9]+)/$1$3$2 16-$4/o or
3796 s/\?(vspltw\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9])/$1$2 3-$3/o;
3797 } else { # big-endian
projects / openssl.git / blob