2 # Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # This module implements support for Intel AES-NI extension. In
18 # OpenSSL context it's used with Intel engine, but can also be used as
19 # drop-in replacement for crypto/aes/asm/aes-x86_64.pl [see below for
24 # Given aes(enc|dec) instructions' latency asymptotic performance for
25 # non-parallelizable modes such as CBC encrypt is 3.75 cycles per byte
26 # processed with 128-bit key. And given their throughput asymptotic
27 # performance for parallelizable modes is 1.25 cycles per byte. Being
28 # asymptotic limit it's not something you commonly achieve in reality,
29 # but how close does one get? Below are results collected for
30 # different modes and block sized. Pairs of numbers are for en-/
33 # 16-byte 64-byte 256-byte 1-KB 8-KB
34 # ECB 4.25/4.25 1.38/1.38 1.28/1.28 1.26/1.26 1.26/1.26
35 # CTR 5.42/5.42 1.92/1.92 1.44/1.44 1.28/1.28 1.26/1.26
36 # CBC 4.38/4.43 4.15/1.43 4.07/1.32 4.07/1.29 4.06/1.28
37 # CCM 5.66/9.42 4.42/5.41 4.16/4.40 4.09/4.15 4.06/4.07
38 # OFB 5.42/5.42 4.64/4.64 4.44/4.44 4.39/4.39 4.38/4.38
39 # CFB 5.73/5.85 5.56/5.62 5.48/5.56 5.47/5.55 5.47/5.55
41 # ECB, CTR, CBC and CCM results are free from EVP overhead. This means
42 # that otherwise used 'openssl speed -evp aes-128-??? -engine aesni
43 # [-decrypt]' will exhibit 10-15% worse results for smaller blocks.
44 # The results were collected with specially crafted speed.c benchmark
45 # in order to compare them with results reported in "Intel Advanced
46 # Encryption Standard (AES) New Instruction Set" White Paper Revision
47 # 3.0 dated May 2010. All above results are consistently better. This
48 # module also provides better performance for block sizes smaller than
49 # 128 bytes in points *not* represented in the above table.
51 # Looking at the results for 8-KB buffer.
53 # CFB and OFB results are far from the limit, because implementation
54 # uses "generic" CRYPTO_[c|o]fb128_encrypt interfaces relying on
55 # single-block aesni_encrypt, which is not the most optimal way to go.
56 # CBC encrypt result is unexpectedly high and there is no documented
57 # explanation for it. Seemingly there is a small penalty for feeding
58 # the result back to AES unit the way it's done in CBC mode. There is
59 # nothing one can do and the result appears optimal. CCM result is
60 # identical to CBC, because CBC-MAC is essentially CBC encrypt without
61 # saving output. CCM CTR "stays invisible," because it's neatly
62 # interleaved wih CBC-MAC. This provides ~30% improvement over
63 # "straightforward" CCM implementation with CTR and CBC-MAC performed
64 # disjointly. Parallelizable modes practically achieve the theoretical
67 # Looking at how results vary with buffer size.
69 # Curves are practically saturated at 1-KB buffer size. In most cases
70 # "256-byte" performance is >95%, and "64-byte" is ~90% of "8-KB" one.
71 # CTR curve doesn't follow this pattern and is "slowest" changing one
72 # with "256-byte" result being 87% of "8-KB." This is because overhead
73 # in CTR mode is most computationally intensive. Small-block CCM
74 # decrypt is slower than encrypt, because first CTR and last CBC-MAC
75 # iterations can't be interleaved.
77 # Results for 192- and 256-bit keys.
79 # EVP-free results were observed to scale perfectly with number of
80 # rounds for larger block sizes, i.e. 192-bit result being 10/12 times
81 # lower and 256-bit one - 10/14. Well, in CBC encrypt case differences
82 # are a tad smaller, because the above mentioned penalty biases all
83 # results by same constant value. In similar way function call
84 # overhead affects small-block performance, as well as OFB and CFB
85 # results. Differences are not large, most common coefficients are
86 # 10/11.7 and 10/13.4 (as opposite to 10/12.0 and 10/14.0), but one
87 # observe even 10/11.2 and 10/12.4 (CTR, OFB, CFB)...
91 # While Westmere processor features 6 cycles latency for aes[enc|dec]
92 # instructions, which can be scheduled every second cycle, Sandy
93 # Bridge spends 8 cycles per instruction, but it can schedule them
94 # every cycle. This means that code targeting Westmere would perform
95 # suboptimally on Sandy Bridge. Therefore this update.
97 # In addition, non-parallelizable CBC encrypt (as well as CCM) is
98 # optimized. Relative improvement might appear modest, 8% on Westmere,
99 # but in absolute terms it's 3.77 cycles per byte encrypted with
100 # 128-bit key on Westmere, and 5.07 - on Sandy Bridge. These numbers
101 # should be compared to asymptotic limits of 3.75 for Westmere and
102 # 5.00 for Sandy Bridge. Actually, the fact that they get this close
103 # to asymptotic limits is quite amazing. Indeed, the limit is
104 # calculated as latency times number of rounds, 10 for 128-bit key,
105 # and divided by 16, the number of bytes in block, or in other words
106 # it accounts *solely* for aesenc instructions. But there are extra
107 # instructions, and numbers so close to the asymptotic limits mean
108 # that it's as if it takes as little as *one* additional cycle to
109 # execute all of them. How is it possible? It is possible thanks to
110 # out-of-order execution logic, which manages to overlap post-
111 # processing of previous block, things like saving the output, with
112 # actual encryption of current block, as well as pre-processing of
113 # current block, things like fetching input and xor-ing it with
114 # 0-round element of the key schedule, with actual encryption of
115 # previous block. Keep this in mind...
117 # For parallelizable modes, such as ECB, CBC decrypt, CTR, higher
118 # performance is achieved by interleaving instructions working on
119 # independent blocks. In which case asymptotic limit for such modes
120 # can be obtained by dividing above mentioned numbers by AES
121 # instructions' interleave factor. Westmere can execute at most 3
122 # instructions at a time, meaning that optimal interleave factor is 3,
123 # and that's where the "magic" number of 1.25 come from. "Optimal
124 # interleave factor" means that increase of interleave factor does
125 # not improve performance. The formula has proven to reflect reality
126 # pretty well on Westmere... Sandy Bridge on the other hand can
127 # execute up to 8 AES instructions at a time, so how does varying
128 # interleave factor affect the performance? Here is table for ECB
129 # (numbers are cycles per byte processed with 128-bit key):
131 # instruction interleave factor 3x 6x 8x
132 # theoretical asymptotic limit 1.67 0.83 0.625
133 # measured performance for 8KB block 1.05 0.86 0.84
135 # "as if" interleave factor 4.7x 5.8x 6.0x
137 # Further data for other parallelizable modes:
139 # CBC decrypt 1.16 0.93 0.74
142 # Well, given 3x column it's probably inappropriate to call the limit
143 # asymptotic, if it can be surpassed, isn't it? What happens there?
144 # Rewind to CBC paragraph for the answer. Yes, out-of-order execution
145 # magic is responsible for this. Processor overlaps not only the
146 # additional instructions with AES ones, but even AES instructions
147 # processing adjacent triplets of independent blocks. In the 6x case
148 # additional instructions still claim disproportionally small amount
149 # of additional cycles, but in 8x case number of instructions must be
150 # a tad too high for out-of-order logic to cope with, and AES unit
151 # remains underutilized... As you can see 8x interleave is hardly
152 # justifiable, so there no need to feel bad that 32-bit aesni-x86.pl
153 # utilizes 6x interleave because of limited register bank capacity.
155 # Higher interleave factors do have negative impact on Westmere
156 # performance. While for ECB mode it's negligible ~1.5%, other
157 # parallelizables perform ~5% worse, which is outweighed by ~25%
158 # improvement on Sandy Bridge. To balance regression on Westmere
159 # CTR mode was implemented with 6x aesenc interleave factor.
163 # Add aesni_xts_[en|de]crypt. Westmere spends 1.25 cycles processing
164 # one byte out of 8KB with 128-bit key, Sandy Bridge - 0.90. Just like
165 # in CTR mode AES instruction interleave factor was chosen to be 6x.
169 # Add aesni_ocb_[en|de]crypt. AES instruction interleave factor was
172 ######################################################################
173 # Current large-block performance in cycles per byte processed with
174 # 128-bit key (less is better).
176 # CBC en-/decrypt CTR XTS ECB OCB
177 # Westmere 3.77/1.25 1.25 1.25 1.26
178 # * Bridge 5.07/0.74 0.75 0.90 0.85 0.98
179 # Haswell 4.44/0.63 0.63 0.73 0.63 0.70
180 # Skylake 2.62/0.63 0.63 0.63 0.63
181 # Silvermont 5.75/3.54 3.56 4.12 3.87(*) 4.11
182 # Knights L 2.54/0.77 0.78 0.85 - 1.50
183 # Goldmont 3.82/1.26 1.26 1.29 1.29 1.50
184 # Bulldozer 5.77/0.70 0.72 0.90 0.70 0.95
185 # Ryzen 2.71/0.35 0.35 0.44 0.38 0.49
187 # (*) Atom Silvermont ECB result is suboptimal because of penalties
188 # incurred by operations on %xmm8-15. As ECB is not considered
189 # critical, nothing was done to mitigate the problem.
191 $PREFIX="aesni"; # if $PREFIX is set to "AES", the script
192 # generates drop-in replacement for
193 # crypto/aes/asm/aes-x86_64.pl:-)
197 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
199 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
201 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
202 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
203 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
204 die "can't locate x86_64-xlate.pl";
206 open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
209 $movkey = $PREFIX eq "aesni" ? "movups" : "movups";
210 @_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
211 ("%rdi","%rsi","%rdx","%rcx"); # Unix order
214 $code.=".extern OPENSSL_ia32cap_P\n";
216 $rounds="%eax"; # input to and changed by aesni_[en|de]cryptN !!!
217 # this is natural Unix argument order for public $PREFIX_[ecb|cbc]_encrypt ...
221 $key="%rcx"; # input to and changed by aesni_[en|de]cryptN !!!
222 $ivp="%r8"; # cbc, ctr, ...
224 $rnds_="%r10d"; # backup copy for $rounds
225 $key_="%r11"; # backup copy for $key
227 # %xmm register layout
228 $rndkey0="%xmm0"; $rndkey1="%xmm1";
229 $inout0="%xmm2"; $inout1="%xmm3";
230 $inout2="%xmm4"; $inout3="%xmm5";
231 $inout4="%xmm6"; $inout5="%xmm7";
232 $inout6="%xmm8"; $inout7="%xmm9";
234 $in2="%xmm6"; $in1="%xmm7"; # used in CBC decrypt, CTR, ...
235 $in0="%xmm8"; $iv="%xmm9";
237 # Inline version of internal aesni_[en|de]crypt1.
239 # Why folded loop? Because aes[enc|dec] is slow enough to accommodate
240 # cycles which take care of loop variables...
242 sub aesni_generate1 {
243 my ($p,$key,$rounds,$inout,$ivec)=@_; $inout=$inout0 if (!defined($inout));
246 $movkey ($key),$rndkey0
247 $movkey 16($key),$rndkey1
249 $code.=<<___ if (defined($ivec));
254 $code.=<<___ if (!defined($ivec));
256 xorps $rndkey0,$inout
260 aes${p} $rndkey1,$inout
262 $movkey ($key),$rndkey1
264 jnz .Loop_${p}1_$sn # loop body is 16 bytes
265 aes${p}last $rndkey1,$inout
268 # void $PREFIX_[en|de]crypt (const void *inp,void *out,const AES_KEY *key);
270 { my ($inp,$out,$key) = @_4args;
273 .globl ${PREFIX}_encrypt
274 .type ${PREFIX}_encrypt,\@abi-omnipotent
277 movups ($inp),$inout0 # load input
278 mov 240($key),$rounds # key->rounds
280 &aesni_generate1("enc",$key,$rounds);
282 pxor $rndkey0,$rndkey0 # clear register bank
283 pxor $rndkey1,$rndkey1
284 movups $inout0,($out) # output
287 .size ${PREFIX}_encrypt,.-${PREFIX}_encrypt
289 .globl ${PREFIX}_decrypt
290 .type ${PREFIX}_decrypt,\@abi-omnipotent
293 movups ($inp),$inout0 # load input
294 mov 240($key),$rounds # key->rounds
296 &aesni_generate1("dec",$key,$rounds);
298 pxor $rndkey0,$rndkey0 # clear register bank
299 pxor $rndkey1,$rndkey1
300 movups $inout0,($out) # output
303 .size ${PREFIX}_decrypt, .-${PREFIX}_decrypt
307 # _aesni_[en|de]cryptN are private interfaces, N denotes interleave
308 # factor. Why 3x subroutine were originally used in loops? Even though
309 # aes[enc|dec] latency was originally 6, it could be scheduled only
310 # every *2nd* cycle. Thus 3x interleave was the one providing optimal
311 # utilization, i.e. when subroutine's throughput is virtually same as
312 # of non-interleaved subroutine [for number of input blocks up to 3].
313 # This is why it originally made no sense to implement 2x subroutine.
314 # But times change and it became appropriate to spend extra 192 bytes
315 # on 2x subroutine on Atom Silvermont account. For processors that
316 # can schedule aes[enc|dec] every cycle optimal interleave factor
317 # equals to corresponding instructions latency. 8x is optimal for
318 # * Bridge and "super-optimal" for other Intel CPUs...
320 sub aesni_generate2 {
322 # As already mentioned it takes in $key and $rounds, which are *not*
323 # preserved. $inout[0-1] is cipher/clear text...
325 .type _aesni_${dir}rypt2,\@abi-omnipotent
328 $movkey ($key),$rndkey0
330 $movkey 16($key),$rndkey1
331 xorps $rndkey0,$inout0
332 xorps $rndkey0,$inout1
333 $movkey 32($key),$rndkey0
334 lea 32($key,$rounds),$key
339 aes${dir} $rndkey1,$inout0
340 aes${dir} $rndkey1,$inout1
341 $movkey ($key,%rax),$rndkey1
343 aes${dir} $rndkey0,$inout0
344 aes${dir} $rndkey0,$inout1
345 $movkey -16($key,%rax),$rndkey0
348 aes${dir} $rndkey1,$inout0
349 aes${dir} $rndkey1,$inout1
350 aes${dir}last $rndkey0,$inout0
351 aes${dir}last $rndkey0,$inout1
353 .size _aesni_${dir}rypt2,.-_aesni_${dir}rypt2
356 sub aesni_generate3 {
358 # As already mentioned it takes in $key and $rounds, which are *not*
359 # preserved. $inout[0-2] is cipher/clear text...
361 .type _aesni_${dir}rypt3,\@abi-omnipotent
364 $movkey ($key),$rndkey0
366 $movkey 16($key),$rndkey1
367 xorps $rndkey0,$inout0
368 xorps $rndkey0,$inout1
369 xorps $rndkey0,$inout2
370 $movkey 32($key),$rndkey0
371 lea 32($key,$rounds),$key
376 aes${dir} $rndkey1,$inout0
377 aes${dir} $rndkey1,$inout1
378 aes${dir} $rndkey1,$inout2
379 $movkey ($key,%rax),$rndkey1
381 aes${dir} $rndkey0,$inout0
382 aes${dir} $rndkey0,$inout1
383 aes${dir} $rndkey0,$inout2
384 $movkey -16($key,%rax),$rndkey0
387 aes${dir} $rndkey1,$inout0
388 aes${dir} $rndkey1,$inout1
389 aes${dir} $rndkey1,$inout2
390 aes${dir}last $rndkey0,$inout0
391 aes${dir}last $rndkey0,$inout1
392 aes${dir}last $rndkey0,$inout2
394 .size _aesni_${dir}rypt3,.-_aesni_${dir}rypt3
397 # 4x interleave is implemented to improve small block performance,
398 # most notably [and naturally] 4 block by ~30%. One can argue that one
399 # should have implemented 5x as well, but improvement would be <20%,
400 # so it's not worth it...
401 sub aesni_generate4 {
403 # As already mentioned it takes in $key and $rounds, which are *not*
404 # preserved. $inout[0-3] is cipher/clear text...
406 .type _aesni_${dir}rypt4,\@abi-omnipotent
409 $movkey ($key),$rndkey0
411 $movkey 16($key),$rndkey1
412 xorps $rndkey0,$inout0
413 xorps $rndkey0,$inout1
414 xorps $rndkey0,$inout2
415 xorps $rndkey0,$inout3
416 $movkey 32($key),$rndkey0
417 lea 32($key,$rounds),$key
423 aes${dir} $rndkey1,$inout0
424 aes${dir} $rndkey1,$inout1
425 aes${dir} $rndkey1,$inout2
426 aes${dir} $rndkey1,$inout3
427 $movkey ($key,%rax),$rndkey1
429 aes${dir} $rndkey0,$inout0
430 aes${dir} $rndkey0,$inout1
431 aes${dir} $rndkey0,$inout2
432 aes${dir} $rndkey0,$inout3
433 $movkey -16($key,%rax),$rndkey0
436 aes${dir} $rndkey1,$inout0
437 aes${dir} $rndkey1,$inout1
438 aes${dir} $rndkey1,$inout2
439 aes${dir} $rndkey1,$inout3
440 aes${dir}last $rndkey0,$inout0
441 aes${dir}last $rndkey0,$inout1
442 aes${dir}last $rndkey0,$inout2
443 aes${dir}last $rndkey0,$inout3
445 .size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4
448 sub aesni_generate6 {
450 # As already mentioned it takes in $key and $rounds, which are *not*
451 # preserved. $inout[0-5] is cipher/clear text...
453 .type _aesni_${dir}rypt6,\@abi-omnipotent
456 $movkey ($key),$rndkey0
458 $movkey 16($key),$rndkey1
459 xorps $rndkey0,$inout0
460 pxor $rndkey0,$inout1
461 pxor $rndkey0,$inout2
462 aes${dir} $rndkey1,$inout0
463 lea 32($key,$rounds),$key
465 aes${dir} $rndkey1,$inout1
466 pxor $rndkey0,$inout3
467 pxor $rndkey0,$inout4
468 aes${dir} $rndkey1,$inout2
469 pxor $rndkey0,$inout5
470 $movkey ($key,%rax),$rndkey0
472 jmp .L${dir}_loop6_enter
475 aes${dir} $rndkey1,$inout0
476 aes${dir} $rndkey1,$inout1
477 aes${dir} $rndkey1,$inout2
478 .L${dir}_loop6_enter:
479 aes${dir} $rndkey1,$inout3
480 aes${dir} $rndkey1,$inout4
481 aes${dir} $rndkey1,$inout5
482 $movkey ($key,%rax),$rndkey1
484 aes${dir} $rndkey0,$inout0
485 aes${dir} $rndkey0,$inout1
486 aes${dir} $rndkey0,$inout2
487 aes${dir} $rndkey0,$inout3
488 aes${dir} $rndkey0,$inout4
489 aes${dir} $rndkey0,$inout5
490 $movkey -16($key,%rax),$rndkey0
493 aes${dir} $rndkey1,$inout0
494 aes${dir} $rndkey1,$inout1
495 aes${dir} $rndkey1,$inout2
496 aes${dir} $rndkey1,$inout3
497 aes${dir} $rndkey1,$inout4
498 aes${dir} $rndkey1,$inout5
499 aes${dir}last $rndkey0,$inout0
500 aes${dir}last $rndkey0,$inout1
501 aes${dir}last $rndkey0,$inout2
502 aes${dir}last $rndkey0,$inout3
503 aes${dir}last $rndkey0,$inout4
504 aes${dir}last $rndkey0,$inout5
506 .size _aesni_${dir}rypt6,.-_aesni_${dir}rypt6
509 sub aesni_generate8 {
511 # As already mentioned it takes in $key and $rounds, which are *not*
512 # preserved. $inout[0-7] is cipher/clear text...
514 .type _aesni_${dir}rypt8,\@abi-omnipotent
517 $movkey ($key),$rndkey0
519 $movkey 16($key),$rndkey1
520 xorps $rndkey0,$inout0
521 xorps $rndkey0,$inout1
522 pxor $rndkey0,$inout2
523 pxor $rndkey0,$inout3
524 pxor $rndkey0,$inout4
525 lea 32($key,$rounds),$key
527 aes${dir} $rndkey1,$inout0
528 pxor $rndkey0,$inout5
529 pxor $rndkey0,$inout6
530 aes${dir} $rndkey1,$inout1
531 pxor $rndkey0,$inout7
532 $movkey ($key,%rax),$rndkey0
534 jmp .L${dir}_loop8_inner
537 aes${dir} $rndkey1,$inout0
538 aes${dir} $rndkey1,$inout1
539 .L${dir}_loop8_inner:
540 aes${dir} $rndkey1,$inout2
541 aes${dir} $rndkey1,$inout3
542 aes${dir} $rndkey1,$inout4
543 aes${dir} $rndkey1,$inout5
544 aes${dir} $rndkey1,$inout6
545 aes${dir} $rndkey1,$inout7
546 .L${dir}_loop8_enter:
547 $movkey ($key,%rax),$rndkey1
549 aes${dir} $rndkey0,$inout0
550 aes${dir} $rndkey0,$inout1
551 aes${dir} $rndkey0,$inout2
552 aes${dir} $rndkey0,$inout3
553 aes${dir} $rndkey0,$inout4
554 aes${dir} $rndkey0,$inout5
555 aes${dir} $rndkey0,$inout6
556 aes${dir} $rndkey0,$inout7
557 $movkey -16($key,%rax),$rndkey0
560 aes${dir} $rndkey1,$inout0
561 aes${dir} $rndkey1,$inout1
562 aes${dir} $rndkey1,$inout2
563 aes${dir} $rndkey1,$inout3
564 aes${dir} $rndkey1,$inout4
565 aes${dir} $rndkey1,$inout5
566 aes${dir} $rndkey1,$inout6
567 aes${dir} $rndkey1,$inout7
568 aes${dir}last $rndkey0,$inout0
569 aes${dir}last $rndkey0,$inout1
570 aes${dir}last $rndkey0,$inout2
571 aes${dir}last $rndkey0,$inout3
572 aes${dir}last $rndkey0,$inout4
573 aes${dir}last $rndkey0,$inout5
574 aes${dir}last $rndkey0,$inout6
575 aes${dir}last $rndkey0,$inout7
577 .size _aesni_${dir}rypt8,.-_aesni_${dir}rypt8
580 &aesni_generate2("enc") if ($PREFIX eq "aesni");
581 &aesni_generate2("dec");
582 &aesni_generate3("enc") if ($PREFIX eq "aesni");
583 &aesni_generate3("dec");
584 &aesni_generate4("enc") if ($PREFIX eq "aesni");
585 &aesni_generate4("dec");
586 &aesni_generate6("enc") if ($PREFIX eq "aesni");
587 &aesni_generate6("dec");
588 &aesni_generate8("enc") if ($PREFIX eq "aesni");
589 &aesni_generate8("dec");
591 if ($PREFIX eq "aesni") {
592 ########################################################################
593 # void aesni_ecb_encrypt (const void *in, void *out,
594 # size_t length, const AES_KEY *key,
597 .globl aesni_ecb_encrypt
598 .type aesni_ecb_encrypt,\@function,5
602 $code.=<<___ if ($win64);
604 movaps %xmm6,(%rsp) # offload $inout4..7
605 movaps %xmm7,0x10(%rsp)
606 movaps %xmm8,0x20(%rsp)
607 movaps %xmm9,0x30(%rsp)
611 and \$-16,$len # if ($len<16)
612 jz .Lecb_ret # return
614 mov 240($key),$rounds # key->rounds
615 $movkey ($key),$rndkey0
616 mov $key,$key_ # backup $key
617 mov $rounds,$rnds_ # backup $rounds
618 test %r8d,%r8d # 5th argument
620 #--------------------------- ECB ENCRYPT ------------------------------#
621 cmp \$0x80,$len # if ($len<8*16)
622 jb .Lecb_enc_tail # short input
624 movdqu ($inp),$inout0 # load 8 input blocks
625 movdqu 0x10($inp),$inout1
626 movdqu 0x20($inp),$inout2
627 movdqu 0x30($inp),$inout3
628 movdqu 0x40($inp),$inout4
629 movdqu 0x50($inp),$inout5
630 movdqu 0x60($inp),$inout6
631 movdqu 0x70($inp),$inout7
632 lea 0x80($inp),$inp # $inp+=8*16
633 sub \$0x80,$len # $len-=8*16 (can be zero)
634 jmp .Lecb_enc_loop8_enter
637 movups $inout0,($out) # store 8 output blocks
638 mov $key_,$key # restore $key
639 movdqu ($inp),$inout0 # load 8 input blocks
640 mov $rnds_,$rounds # restore $rounds
641 movups $inout1,0x10($out)
642 movdqu 0x10($inp),$inout1
643 movups $inout2,0x20($out)
644 movdqu 0x20($inp),$inout2
645 movups $inout3,0x30($out)
646 movdqu 0x30($inp),$inout3
647 movups $inout4,0x40($out)
648 movdqu 0x40($inp),$inout4
649 movups $inout5,0x50($out)
650 movdqu 0x50($inp),$inout5
651 movups $inout6,0x60($out)
652 movdqu 0x60($inp),$inout6
653 movups $inout7,0x70($out)
654 lea 0x80($out),$out # $out+=8*16
655 movdqu 0x70($inp),$inout7
656 lea 0x80($inp),$inp # $inp+=8*16
657 .Lecb_enc_loop8_enter:
662 jnc .Lecb_enc_loop8 # loop if $len-=8*16 didn't borrow
664 movups $inout0,($out) # store 8 output blocks
665 mov $key_,$key # restore $key
666 movups $inout1,0x10($out)
667 mov $rnds_,$rounds # restore $rounds
668 movups $inout2,0x20($out)
669 movups $inout3,0x30($out)
670 movups $inout4,0x40($out)
671 movups $inout5,0x50($out)
672 movups $inout6,0x60($out)
673 movups $inout7,0x70($out)
674 lea 0x80($out),$out # $out+=8*16
675 add \$0x80,$len # restore real remaining $len
676 jz .Lecb_ret # done if ($len==0)
678 .Lecb_enc_tail: # $len is less than 8*16
679 movups ($inp),$inout0
682 movups 0x10($inp),$inout1
684 movups 0x20($inp),$inout2
687 movups 0x30($inp),$inout3
689 movups 0x40($inp),$inout4
692 movups 0x50($inp),$inout5
694 movdqu 0x60($inp),$inout6
695 xorps $inout7,$inout7
697 movups $inout0,($out) # store 7 output blocks
698 movups $inout1,0x10($out)
699 movups $inout2,0x20($out)
700 movups $inout3,0x30($out)
701 movups $inout4,0x40($out)
702 movups $inout5,0x50($out)
703 movups $inout6,0x60($out)
708 &aesni_generate1("enc",$key,$rounds);
710 movups $inout0,($out) # store one output block
715 movups $inout0,($out) # store 2 output blocks
716 movups $inout1,0x10($out)
721 movups $inout0,($out) # store 3 output blocks
722 movups $inout1,0x10($out)
723 movups $inout2,0x20($out)
728 movups $inout0,($out) # store 4 output blocks
729 movups $inout1,0x10($out)
730 movups $inout2,0x20($out)
731 movups $inout3,0x30($out)
735 xorps $inout5,$inout5
737 movups $inout0,($out) # store 5 output blocks
738 movups $inout1,0x10($out)
739 movups $inout2,0x20($out)
740 movups $inout3,0x30($out)
741 movups $inout4,0x40($out)
746 movups $inout0,($out) # store 6 output blocks
747 movups $inout1,0x10($out)
748 movups $inout2,0x20($out)
749 movups $inout3,0x30($out)
750 movups $inout4,0x40($out)
751 movups $inout5,0x50($out)
753 \f#--------------------------- ECB DECRYPT ------------------------------#
756 cmp \$0x80,$len # if ($len<8*16)
757 jb .Lecb_dec_tail # short input
759 movdqu ($inp),$inout0 # load 8 input blocks
760 movdqu 0x10($inp),$inout1
761 movdqu 0x20($inp),$inout2
762 movdqu 0x30($inp),$inout3
763 movdqu 0x40($inp),$inout4
764 movdqu 0x50($inp),$inout5
765 movdqu 0x60($inp),$inout6
766 movdqu 0x70($inp),$inout7
767 lea 0x80($inp),$inp # $inp+=8*16
768 sub \$0x80,$len # $len-=8*16 (can be zero)
769 jmp .Lecb_dec_loop8_enter
772 movups $inout0,($out) # store 8 output blocks
773 mov $key_,$key # restore $key
774 movdqu ($inp),$inout0 # load 8 input blocks
775 mov $rnds_,$rounds # restore $rounds
776 movups $inout1,0x10($out)
777 movdqu 0x10($inp),$inout1
778 movups $inout2,0x20($out)
779 movdqu 0x20($inp),$inout2
780 movups $inout3,0x30($out)
781 movdqu 0x30($inp),$inout3
782 movups $inout4,0x40($out)
783 movdqu 0x40($inp),$inout4
784 movups $inout5,0x50($out)
785 movdqu 0x50($inp),$inout5
786 movups $inout6,0x60($out)
787 movdqu 0x60($inp),$inout6
788 movups $inout7,0x70($out)
789 lea 0x80($out),$out # $out+=8*16
790 movdqu 0x70($inp),$inout7
791 lea 0x80($inp),$inp # $inp+=8*16
792 .Lecb_dec_loop8_enter:
796 $movkey ($key_),$rndkey0
798 jnc .Lecb_dec_loop8 # loop if $len-=8*16 didn't borrow
800 movups $inout0,($out) # store 8 output blocks
801 pxor $inout0,$inout0 # clear register bank
802 mov $key_,$key # restore $key
803 movups $inout1,0x10($out)
805 mov $rnds_,$rounds # restore $rounds
806 movups $inout2,0x20($out)
808 movups $inout3,0x30($out)
810 movups $inout4,0x40($out)
812 movups $inout5,0x50($out)
814 movups $inout6,0x60($out)
816 movups $inout7,0x70($out)
818 lea 0x80($out),$out # $out+=8*16
819 add \$0x80,$len # restore real remaining $len
820 jz .Lecb_ret # done if ($len==0)
823 movups ($inp),$inout0
826 movups 0x10($inp),$inout1
828 movups 0x20($inp),$inout2
831 movups 0x30($inp),$inout3
833 movups 0x40($inp),$inout4
836 movups 0x50($inp),$inout5
838 movups 0x60($inp),$inout6
839 $movkey ($key),$rndkey0
840 xorps $inout7,$inout7
842 movups $inout0,($out) # store 7 output blocks
843 pxor $inout0,$inout0 # clear register bank
844 movups $inout1,0x10($out)
846 movups $inout2,0x20($out)
848 movups $inout3,0x30($out)
850 movups $inout4,0x40($out)
852 movups $inout5,0x50($out)
854 movups $inout6,0x60($out)
861 &aesni_generate1("dec",$key,$rounds);
863 movups $inout0,($out) # store one output block
864 pxor $inout0,$inout0 # clear register bank
869 movups $inout0,($out) # store 2 output blocks
870 pxor $inout0,$inout0 # clear register bank
871 movups $inout1,0x10($out)
877 movups $inout0,($out) # store 3 output blocks
878 pxor $inout0,$inout0 # clear register bank
879 movups $inout1,0x10($out)
881 movups $inout2,0x20($out)
887 movups $inout0,($out) # store 4 output blocks
888 pxor $inout0,$inout0 # clear register bank
889 movups $inout1,0x10($out)
891 movups $inout2,0x20($out)
893 movups $inout3,0x30($out)
898 xorps $inout5,$inout5
900 movups $inout0,($out) # store 5 output blocks
901 pxor $inout0,$inout0 # clear register bank
902 movups $inout1,0x10($out)
904 movups $inout2,0x20($out)
906 movups $inout3,0x30($out)
908 movups $inout4,0x40($out)
915 movups $inout0,($out) # store 6 output blocks
916 pxor $inout0,$inout0 # clear register bank
917 movups $inout1,0x10($out)
919 movups $inout2,0x20($out)
921 movups $inout3,0x30($out)
923 movups $inout4,0x40($out)
925 movups $inout5,0x50($out)
929 xorps $rndkey0,$rndkey0 # %xmm0
930 pxor $rndkey1,$rndkey1
932 $code.=<<___ if ($win64);
934 movaps %xmm0,(%rsp) # clear stack
935 movaps 0x10(%rsp),%xmm7
936 movaps %xmm0,0x10(%rsp)
937 movaps 0x20(%rsp),%xmm8
938 movaps %xmm0,0x20(%rsp)
939 movaps 0x30(%rsp),%xmm9
940 movaps %xmm0,0x30(%rsp)
946 .size aesni_ecb_encrypt,.-aesni_ecb_encrypt
950 ######################################################################
951 # void aesni_ccm64_[en|de]crypt_blocks (const void *in, void *out,
952 # size_t blocks, const AES_KEY *key,
953 # const char *ivec,char *cmac);
955 # Handles only complete blocks, operates on 64-bit counter and
956 # does not update *ivec! Nor does it finalize CMAC value
957 # (see engine/eng_aesni.c for details)
960 my $cmac="%r9"; # 6th argument
962 my $increment="%xmm9";
964 my $bswap_mask="%xmm7";
967 .globl aesni_ccm64_encrypt_blocks
968 .type aesni_ccm64_encrypt_blocks,\@function,6
970 aesni_ccm64_encrypt_blocks:
972 $code.=<<___ if ($win64);
974 movaps %xmm6,(%rsp) # $iv
975 movaps %xmm7,0x10(%rsp) # $bswap_mask
976 movaps %xmm8,0x20(%rsp) # $in0
977 movaps %xmm9,0x30(%rsp) # $increment
981 mov 240($key),$rounds # key->rounds
983 movdqa .Lincrement64(%rip),$increment
984 movdqa .Lbswap_mask(%rip),$bswap_mask
989 movdqu ($cmac),$inout1
991 lea 32($key,$rounds),$key # end of key schedule
992 pshufb $bswap_mask,$iv
993 sub %rax,%r10 # twisted $rounds
994 jmp .Lccm64_enc_outer
997 $movkey ($key_),$rndkey0
999 movups ($inp),$in0 # load inp
1001 xorps $rndkey0,$inout0 # counter
1002 $movkey 16($key_),$rndkey1
1004 xorps $rndkey0,$inout1 # cmac^=inp
1005 $movkey 32($key_),$rndkey0
1008 aesenc $rndkey1,$inout0
1009 aesenc $rndkey1,$inout1
1010 $movkey ($key,%rax),$rndkey1
1012 aesenc $rndkey0,$inout0
1013 aesenc $rndkey0,$inout1
1014 $movkey -16($key,%rax),$rndkey0
1015 jnz .Lccm64_enc2_loop
1016 aesenc $rndkey1,$inout0
1017 aesenc $rndkey1,$inout1
1018 paddq $increment,$iv
1019 dec $len # $len-- ($len is in blocks)
1020 aesenclast $rndkey0,$inout0
1021 aesenclast $rndkey0,$inout1
1024 xorps $inout0,$in0 # inp ^= E(iv)
1026 movups $in0,($out) # save output
1027 pshufb $bswap_mask,$inout0
1028 lea 16($out),$out # $out+=16
1029 jnz .Lccm64_enc_outer # loop if ($len!=0)
1031 pxor $rndkey0,$rndkey0 # clear register bank
1032 pxor $rndkey1,$rndkey1
1033 pxor $inout0,$inout0
1034 movups $inout1,($cmac) # store resulting mac
1035 pxor $inout1,$inout1
1039 $code.=<<___ if ($win64);
1041 movaps %xmm0,(%rsp) # clear stack
1042 movaps 0x10(%rsp),%xmm7
1043 movaps %xmm0,0x10(%rsp)
1044 movaps 0x20(%rsp),%xmm8
1045 movaps %xmm0,0x20(%rsp)
1046 movaps 0x30(%rsp),%xmm9
1047 movaps %xmm0,0x30(%rsp)
1053 .size aesni_ccm64_encrypt_blocks,.-aesni_ccm64_encrypt_blocks
1055 ######################################################################
1057 .globl aesni_ccm64_decrypt_blocks
1058 .type aesni_ccm64_decrypt_blocks,\@function,6
1060 aesni_ccm64_decrypt_blocks:
1062 $code.=<<___ if ($win64);
1063 lea -0x58(%rsp),%rsp
1064 movaps %xmm6,(%rsp) # $iv
1065 movaps %xmm7,0x10(%rsp) # $bswap_mask
1066 movaps %xmm8,0x20(%rsp) # $in8
1067 movaps %xmm9,0x30(%rsp) # $increment
1071 mov 240($key),$rounds # key->rounds
1073 movdqu ($cmac),$inout1
1074 movdqa .Lincrement64(%rip),$increment
1075 movdqa .Lbswap_mask(%rip),$bswap_mask
1080 pshufb $bswap_mask,$iv
1082 &aesni_generate1("enc",$key,$rounds);
1086 movups ($inp),$in0 # load inp
1087 paddq $increment,$iv
1088 lea 16($inp),$inp # $inp+=16
1089 sub %r10,%rax # twisted $rounds
1090 lea 32($key_,$rnds_),$key # end of key schedule
1092 jmp .Lccm64_dec_outer
1095 xorps $inout0,$in0 # inp ^= E(iv)
1097 movups $in0,($out) # save output
1098 lea 16($out),$out # $out+=16
1099 pshufb $bswap_mask,$inout0
1101 sub \$1,$len # $len-- ($len is in blocks)
1102 jz .Lccm64_dec_break # if ($len==0) break
1104 $movkey ($key_),$rndkey0
1106 $movkey 16($key_),$rndkey1
1108 xorps $rndkey0,$inout0
1109 xorps $in0,$inout1 # cmac^=out
1110 $movkey 32($key_),$rndkey0
1111 jmp .Lccm64_dec2_loop
1114 aesenc $rndkey1,$inout0
1115 aesenc $rndkey1,$inout1
1116 $movkey ($key,%rax),$rndkey1
1118 aesenc $rndkey0,$inout0
1119 aesenc $rndkey0,$inout1
1120 $movkey -16($key,%rax),$rndkey0
1121 jnz .Lccm64_dec2_loop
1122 movups ($inp),$in0 # load input
1123 paddq $increment,$iv
1124 aesenc $rndkey1,$inout0
1125 aesenc $rndkey1,$inout1
1126 aesenclast $rndkey0,$inout0
1127 aesenclast $rndkey0,$inout1
1128 lea 16($inp),$inp # $inp+=16
1129 jmp .Lccm64_dec_outer
1133 #xorps $in0,$inout1 # cmac^=out
1134 mov 240($key_),$rounds
1136 &aesni_generate1("enc",$key_,$rounds,$inout1,$in0);
1138 pxor $rndkey0,$rndkey0 # clear register bank
1139 pxor $rndkey1,$rndkey1
1140 pxor $inout0,$inout0
1141 movups $inout1,($cmac) # store resulting mac
1142 pxor $inout1,$inout1
1146 $code.=<<___ if ($win64);
1148 movaps %xmm0,(%rsp) # clear stack
1149 movaps 0x10(%rsp),%xmm7
1150 movaps %xmm0,0x10(%rsp)
1151 movaps 0x20(%rsp),%xmm8
1152 movaps %xmm0,0x20(%rsp)
1153 movaps 0x30(%rsp),%xmm9
1154 movaps %xmm0,0x30(%rsp)
1160 .size aesni_ccm64_decrypt_blocks,.-aesni_ccm64_decrypt_blocks
1163 ######################################################################
1164 # void aesni_ctr32_encrypt_blocks (const void *in, void *out,
1165 # size_t blocks, const AES_KEY *key,
1166 # const char *ivec);
1168 # Handles only complete blocks, operates on 32-bit counter and
1169 # does not update *ivec! (see crypto/modes/ctr128.c for details)
1171 # Overhaul based on suggestions from Shay Gueron and Vlad Krasnov,
1172 # http://rt.openssl.org/Ticket/Display.html?id=3021&user=guest&pass=guest.
1173 # Keywords are full unroll and modulo-schedule counter calculations
1174 # with zero-round key xor.
1176 my ($in0,$in1,$in2,$in3,$in4,$in5)=map("%xmm$_",(10..15));
1177 my ($key0,$ctr)=("%ebp","${ivp}d");
1178 my $frame_size = 0x80 + ($win64?160:0);
1181 .globl aesni_ctr32_encrypt_blocks
1182 .type aesni_ctr32_encrypt_blocks,\@function,5
1184 aesni_ctr32_encrypt_blocks:
1189 # handle single block without allocating stack frame,
1190 # useful when handling edges
1191 movups ($ivp),$inout0
1192 movups ($inp),$inout1
1193 mov 240($key),%edx # key->rounds
1195 &aesni_generate1("enc",$key,"%edx");
1197 pxor $rndkey0,$rndkey0 # clear register bank
1198 pxor $rndkey1,$rndkey1
1199 xorps $inout1,$inout0
1200 pxor $inout1,$inout1
1201 movups $inout0,($out)
1202 xorps $inout0,$inout0
1203 jmp .Lctr32_epilogue
1207 lea (%rsp),$key_ # use $key_ as frame pointer
1208 .cfi_def_cfa_register $key_
1211 sub \$$frame_size,%rsp
1212 and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
1214 $code.=<<___ if ($win64);
1215 movaps %xmm6,-0xa8($key_) # offload everything
1216 movaps %xmm7,-0x98($key_)
1217 movaps %xmm8,-0x88($key_)
1218 movaps %xmm9,-0x78($key_)
1219 movaps %xmm10,-0x68($key_)
1220 movaps %xmm11,-0x58($key_)
1221 movaps %xmm12,-0x48($key_)
1222 movaps %xmm13,-0x38($key_)
1223 movaps %xmm14,-0x28($key_)
1224 movaps %xmm15,-0x18($key_)
1229 # 8 16-byte words on top of stack are counter values
1230 # xor-ed with zero-round key
1232 movdqu ($ivp),$inout0
1233 movdqu ($key),$rndkey0
1234 mov 12($ivp),$ctr # counter LSB
1235 pxor $rndkey0,$inout0
1236 mov 12($key),$key0 # 0-round key LSB
1237 movdqa $inout0,0x00(%rsp) # populate counter block
1239 movdqa $inout0,$inout1
1240 movdqa $inout0,$inout2
1241 movdqa $inout0,$inout3
1242 movdqa $inout0,0x40(%rsp)
1243 movdqa $inout0,0x50(%rsp)
1244 movdqa $inout0,0x60(%rsp)
1245 mov %rdx,%r10 # about to borrow %rdx
1246 movdqa $inout0,0x70(%rsp)
1254 pinsrd \$3,%eax,$inout1
1256 movdqa $inout1,0x10(%rsp)
1257 pinsrd \$3,%edx,$inout2
1259 mov %r10,%rdx # restore %rdx
1261 movdqa $inout2,0x20(%rsp)
1264 pinsrd \$3,%eax,$inout3
1266 movdqa $inout3,0x30(%rsp)
1268 mov %r10d,0x40+12(%rsp)
1271 mov 240($key),$rounds # key->rounds
1274 mov %r9d,0x50+12(%rsp)
1277 mov %r10d,0x60+12(%rsp)
1279 mov OPENSSL_ia32cap_P+4(%rip),%r10d
1281 and \$`1<<26|1<<22`,%r10d # isolate XSAVE+MOVBE
1282 mov %r9d,0x70+12(%rsp)
1284 $movkey 0x10($key),$rndkey1
1286 movdqa 0x40(%rsp),$inout4
1287 movdqa 0x50(%rsp),$inout5
1289 cmp \$8,$len # $len is in blocks
1290 jb .Lctr32_tail # short input if ($len<8)
1292 sub \$6,$len # $len is biased by -6
1293 cmp \$`1<<22`,%r10d # check for MOVBE without XSAVE
1294 je .Lctr32_6x # [which denotes Atom Silvermont]
1296 lea 0x80($key),$key # size optimization
1297 sub \$2,$len # $len is biased by -8
1305 lea 32($key,$rounds),$key # end of key schedule
1306 sub %rax,%r10 # twisted $rounds
1311 add \$6,$ctr # next counter value
1312 $movkey -48($key,$rnds_),$rndkey0
1313 aesenc $rndkey1,$inout0
1316 aesenc $rndkey1,$inout1
1317 movbe %eax,`0x00+12`(%rsp) # store next counter value
1319 aesenc $rndkey1,$inout2
1321 movbe %eax,`0x10+12`(%rsp)
1322 aesenc $rndkey1,$inout3
1325 aesenc $rndkey1,$inout4
1326 movbe %eax,`0x20+12`(%rsp)
1328 aesenc $rndkey1,$inout5
1329 $movkey -32($key,$rnds_),$rndkey1
1332 aesenc $rndkey0,$inout0
1333 movbe %eax,`0x30+12`(%rsp)
1335 aesenc $rndkey0,$inout1
1337 movbe %eax,`0x40+12`(%rsp)
1338 aesenc $rndkey0,$inout2
1341 aesenc $rndkey0,$inout3
1342 movbe %eax,`0x50+12`(%rsp)
1343 mov %r10,%rax # mov $rnds_,$rounds
1344 aesenc $rndkey0,$inout4
1345 aesenc $rndkey0,$inout5
1346 $movkey -16($key,$rnds_),$rndkey0
1350 movdqu ($inp),$inout6 # load 6 input blocks
1351 movdqu 0x10($inp),$inout7
1352 movdqu 0x20($inp),$in0
1353 movdqu 0x30($inp),$in1
1354 movdqu 0x40($inp),$in2
1355 movdqu 0x50($inp),$in3
1356 lea 0x60($inp),$inp # $inp+=6*16
1357 $movkey -64($key,$rnds_),$rndkey1
1358 pxor $inout0,$inout6 # inp^=E(ctr)
1359 movaps 0x00(%rsp),$inout0 # load next counter [xor-ed with 0 round]
1360 pxor $inout1,$inout7
1361 movaps 0x10(%rsp),$inout1
1363 movaps 0x20(%rsp),$inout2
1365 movaps 0x30(%rsp),$inout3
1367 movaps 0x40(%rsp),$inout4
1369 movaps 0x50(%rsp),$inout5
1370 movdqu $inout6,($out) # store 6 output blocks
1371 movdqu $inout7,0x10($out)
1372 movdqu $in0,0x20($out)
1373 movdqu $in1,0x30($out)
1374 movdqu $in2,0x40($out)
1375 movdqu $in3,0x50($out)
1376 lea 0x60($out),$out # $out+=6*16
1379 jnc .Lctr32_loop6 # loop if $len-=6 didn't borrow
1381 add \$6,$len # restore real remaining $len
1382 jz .Lctr32_done # done if ($len==0)
1384 lea -48($rnds_),$rounds
1385 lea -80($key,$rnds_),$key # restore $key
1387 shr \$4,$rounds # restore $rounds
1392 add \$8,$ctr # next counter value
1393 movdqa 0x60(%rsp),$inout6
1394 aesenc $rndkey1,$inout0
1396 movdqa 0x70(%rsp),$inout7
1397 aesenc $rndkey1,$inout1
1399 $movkey 0x20-0x80($key),$rndkey0
1400 aesenc $rndkey1,$inout2
1403 aesenc $rndkey1,$inout3
1404 mov %r9d,0x00+12(%rsp) # store next counter value
1406 aesenc $rndkey1,$inout4
1407 aesenc $rndkey1,$inout5
1408 aesenc $rndkey1,$inout6
1409 aesenc $rndkey1,$inout7
1410 $movkey 0x30-0x80($key),$rndkey1
1412 for($i=2;$i<8;$i++) {
1413 my $rndkeyx = ($i&1)?$rndkey1:$rndkey0;
1416 aesenc $rndkeyx,$inout0
1417 aesenc $rndkeyx,$inout1
1420 aesenc $rndkeyx,$inout2
1421 aesenc $rndkeyx,$inout3
1422 mov %r9d,`0x10*($i-1)`+12(%rsp)
1424 aesenc $rndkeyx,$inout4
1425 aesenc $rndkeyx,$inout5
1426 aesenc $rndkeyx,$inout6
1427 aesenc $rndkeyx,$inout7
1428 $movkey `0x20+0x10*$i`-0x80($key),$rndkeyx
1433 aesenc $rndkey0,$inout0
1434 aesenc $rndkey0,$inout1
1435 aesenc $rndkey0,$inout2
1437 movdqu 0x00($inp),$in0 # start loading input
1438 aesenc $rndkey0,$inout3
1439 mov %r9d,0x70+12(%rsp)
1441 aesenc $rndkey0,$inout4
1442 aesenc $rndkey0,$inout5
1443 aesenc $rndkey0,$inout6
1444 aesenc $rndkey0,$inout7
1445 $movkey 0xa0-0x80($key),$rndkey0
1449 aesenc $rndkey1,$inout0
1450 aesenc $rndkey1,$inout1
1451 aesenc $rndkey1,$inout2
1452 aesenc $rndkey1,$inout3
1453 aesenc $rndkey1,$inout4
1454 aesenc $rndkey1,$inout5
1455 aesenc $rndkey1,$inout6
1456 aesenc $rndkey1,$inout7
1457 $movkey 0xb0-0x80($key),$rndkey1
1459 aesenc $rndkey0,$inout0
1460 aesenc $rndkey0,$inout1
1461 aesenc $rndkey0,$inout2
1462 aesenc $rndkey0,$inout3
1463 aesenc $rndkey0,$inout4
1464 aesenc $rndkey0,$inout5
1465 aesenc $rndkey0,$inout6
1466 aesenc $rndkey0,$inout7
1467 $movkey 0xc0-0x80($key),$rndkey0
1470 aesenc $rndkey1,$inout0
1471 aesenc $rndkey1,$inout1
1472 aesenc $rndkey1,$inout2
1473 aesenc $rndkey1,$inout3
1474 aesenc $rndkey1,$inout4
1475 aesenc $rndkey1,$inout5
1476 aesenc $rndkey1,$inout6
1477 aesenc $rndkey1,$inout7
1478 $movkey 0xd0-0x80($key),$rndkey1
1480 aesenc $rndkey0,$inout0
1481 aesenc $rndkey0,$inout1
1482 aesenc $rndkey0,$inout2
1483 aesenc $rndkey0,$inout3
1484 aesenc $rndkey0,$inout4
1485 aesenc $rndkey0,$inout5
1486 aesenc $rndkey0,$inout6
1487 aesenc $rndkey0,$inout7
1488 $movkey 0xe0-0x80($key),$rndkey0
1489 jmp .Lctr32_enc_done
1493 movdqu 0x10($inp),$in1
1494 pxor $rndkey0,$in0 # input^=round[last]
1495 movdqu 0x20($inp),$in2
1497 movdqu 0x30($inp),$in3
1499 movdqu 0x40($inp),$in4
1501 movdqu 0x50($inp),$in5
1504 aesenc $rndkey1,$inout0
1505 aesenc $rndkey1,$inout1
1506 aesenc $rndkey1,$inout2
1507 aesenc $rndkey1,$inout3
1508 aesenc $rndkey1,$inout4
1509 aesenc $rndkey1,$inout5
1510 aesenc $rndkey1,$inout6
1511 aesenc $rndkey1,$inout7
1512 movdqu 0x60($inp),$rndkey1 # borrow $rndkey1 for inp[6]
1513 lea 0x80($inp),$inp # $inp+=8*16
1515 aesenclast $in0,$inout0 # $inN is inp[N]^round[last]
1516 pxor $rndkey0,$rndkey1 # borrowed $rndkey
1517 movdqu 0x70-0x80($inp),$in0
1518 aesenclast $in1,$inout1
1520 movdqa 0x00(%rsp),$in1 # load next counter block
1521 aesenclast $in2,$inout2
1522 aesenclast $in3,$inout3
1523 movdqa 0x10(%rsp),$in2
1524 movdqa 0x20(%rsp),$in3
1525 aesenclast $in4,$inout4
1526 aesenclast $in5,$inout5
1527 movdqa 0x30(%rsp),$in4
1528 movdqa 0x40(%rsp),$in5
1529 aesenclast $rndkey1,$inout6
1530 movdqa 0x50(%rsp),$rndkey0
1531 $movkey 0x10-0x80($key),$rndkey1#real 1st-round key
1532 aesenclast $in0,$inout7
1534 movups $inout0,($out) # store 8 output blocks
1536 movups $inout1,0x10($out)
1538 movups $inout2,0x20($out)
1540 movups $inout3,0x30($out)
1542 movups $inout4,0x40($out)
1544 movups $inout5,0x50($out)
1545 movdqa $rndkey0,$inout5
1546 movups $inout6,0x60($out)
1547 movups $inout7,0x70($out)
1548 lea 0x80($out),$out # $out+=8*16
1551 jnc .Lctr32_loop8 # loop if $len-=8 didn't borrow
1553 add \$8,$len # restore real remaining $len
1554 jz .Lctr32_done # done if ($len==0)
1555 lea -0x80($key),$key
1558 # note that at this point $inout0..5 are populated with
1559 # counter values xor-ed with 0-round key
1565 # if ($len>4) compute 7 E(counter)
1567 movdqa 0x60(%rsp),$inout6
1568 pxor $inout7,$inout7
1570 $movkey 16($key),$rndkey0
1571 aesenc $rndkey1,$inout0
1572 aesenc $rndkey1,$inout1
1573 lea 32-16($key,$rounds),$key# prepare for .Lenc_loop8_enter
1575 aesenc $rndkey1,$inout2
1576 add \$16,%rax # prepare for .Lenc_loop8_enter
1578 aesenc $rndkey1,$inout3
1579 aesenc $rndkey1,$inout4
1580 movups 0x10($inp),$in1 # pre-load input
1581 movups 0x20($inp),$in2
1582 aesenc $rndkey1,$inout5
1583 aesenc $rndkey1,$inout6
1585 call .Lenc_loop8_enter
1587 movdqu 0x30($inp),$in3
1589 movdqu 0x40($inp),$in0
1591 movdqu $inout0,($out) # store output
1593 movdqu $inout1,0x10($out)
1595 movdqu $inout2,0x20($out)
1597 movdqu $inout3,0x30($out)
1598 movdqu $inout4,0x40($out)
1600 jb .Lctr32_done # $len was 5, stop store
1602 movups 0x50($inp),$in1
1604 movups $inout5,0x50($out)
1605 je .Lctr32_done # $len was 6, stop store
1607 movups 0x60($inp),$in2
1609 movups $inout6,0x60($out)
1610 jmp .Lctr32_done # $len was 7, stop store
1614 aesenc $rndkey1,$inout0
1617 aesenc $rndkey1,$inout1
1618 aesenc $rndkey1,$inout2
1619 aesenc $rndkey1,$inout3
1620 $movkey ($key),$rndkey1
1622 aesenclast $rndkey1,$inout0
1623 aesenclast $rndkey1,$inout1
1624 movups ($inp),$in0 # load input
1625 movups 0x10($inp),$in1
1626 aesenclast $rndkey1,$inout2
1627 aesenclast $rndkey1,$inout3
1628 movups 0x20($inp),$in2
1629 movups 0x30($inp),$in3
1632 movups $inout0,($out) # store output
1634 movups $inout1,0x10($out)
1636 movdqu $inout2,0x20($out)
1638 movdqu $inout3,0x30($out)
1639 jmp .Lctr32_done # $len was 4, stop store
1643 aesenc $rndkey1,$inout0
1646 aesenc $rndkey1,$inout1
1647 aesenc $rndkey1,$inout2
1648 $movkey ($key),$rndkey1
1650 aesenclast $rndkey1,$inout0
1651 aesenclast $rndkey1,$inout1
1652 aesenclast $rndkey1,$inout2
1654 movups ($inp),$in0 # load input
1656 movups $inout0,($out) # store output
1658 jb .Lctr32_done # $len was 1, stop store
1660 movups 0x10($inp),$in1
1662 movups $inout1,0x10($out)
1663 je .Lctr32_done # $len was 2, stop store
1665 movups 0x20($inp),$in2
1667 movups $inout2,0x20($out) # $len was 3, stop store
1670 xorps %xmm0,%xmm0 # clear register bank
1678 $code.=<<___ if (!$win64);
1681 movaps %xmm0,0x00(%rsp) # clear stack
1683 movaps %xmm0,0x10(%rsp)
1685 movaps %xmm0,0x20(%rsp)
1687 movaps %xmm0,0x30(%rsp)
1689 movaps %xmm0,0x40(%rsp)
1691 movaps %xmm0,0x50(%rsp)
1693 movaps %xmm0,0x60(%rsp)
1695 movaps %xmm0,0x70(%rsp)
1698 $code.=<<___ if ($win64);
1699 movaps -0xa8($key_),%xmm6
1700 movaps %xmm0,-0xa8($key_) # clear stack
1701 movaps -0x98($key_),%xmm7
1702 movaps %xmm0,-0x98($key_)
1703 movaps -0x88($key_),%xmm8
1704 movaps %xmm0,-0x88($key_)
1705 movaps -0x78($key_),%xmm9
1706 movaps %xmm0,-0x78($key_)
1707 movaps -0x68($key_),%xmm10
1708 movaps %xmm0,-0x68($key_)
1709 movaps -0x58($key_),%xmm11
1710 movaps %xmm0,-0x58($key_)
1711 movaps -0x48($key_),%xmm12
1712 movaps %xmm0,-0x48($key_)
1713 movaps -0x38($key_),%xmm13
1714 movaps %xmm0,-0x38($key_)
1715 movaps -0x28($key_),%xmm14
1716 movaps %xmm0,-0x28($key_)
1717 movaps -0x18($key_),%xmm15
1718 movaps %xmm0,-0x18($key_)
1719 movaps %xmm0,0x00(%rsp)
1720 movaps %xmm0,0x10(%rsp)
1721 movaps %xmm0,0x20(%rsp)
1722 movaps %xmm0,0x30(%rsp)
1723 movaps %xmm0,0x40(%rsp)
1724 movaps %xmm0,0x50(%rsp)
1725 movaps %xmm0,0x60(%rsp)
1726 movaps %xmm0,0x70(%rsp)
1732 .cfi_def_cfa_register %rsp
1736 .size aesni_ctr32_encrypt_blocks,.-aesni_ctr32_encrypt_blocks
1740 ######################################################################
1741 # void aesni_xts_[en|de]crypt(const char *inp,char *out,size_t len,
1742 # const AES_KEY *key1, const AES_KEY *key2
1743 # const unsigned char iv[16]);
1746 my @tweak=map("%xmm$_",(10..15));
1747 my ($twmask,$twres,$twtmp)=("%xmm8","%xmm9",@tweak[4]);
1748 my ($key2,$ivp,$len_)=("%r8","%r9","%r9");
1749 my $frame_size = 0x70 + ($win64?160:0);
1750 my $key_ = "%rbp"; # override so that we can use %r11 as FP
1753 .globl aesni_xts_encrypt
1754 .type aesni_xts_encrypt,\@function,6
1758 lea (%rsp),%r11 # frame pointer
1759 .cfi_def_cfa_register %r11
1762 sub \$$frame_size,%rsp
1763 and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
1765 $code.=<<___ if ($win64);
1766 movaps %xmm6,-0xa8(%r11) # offload everything
1767 movaps %xmm7,-0x98(%r11)
1768 movaps %xmm8,-0x88(%r11)
1769 movaps %xmm9,-0x78(%r11)
1770 movaps %xmm10,-0x68(%r11)
1771 movaps %xmm11,-0x58(%r11)
1772 movaps %xmm12,-0x48(%r11)
1773 movaps %xmm13,-0x38(%r11)
1774 movaps %xmm14,-0x28(%r11)
1775 movaps %xmm15,-0x18(%r11)
1779 movups ($ivp),$inout0 # load clear-text tweak
1780 mov 240(%r8),$rounds # key2->rounds
1781 mov 240($key),$rnds_ # key1->rounds
1783 # generate the tweak
1784 &aesni_generate1("enc",$key2,$rounds,$inout0);
1786 $movkey ($key),$rndkey0 # zero round key
1787 mov $key,$key_ # backup $key
1788 mov $rnds_,$rounds # backup $rounds
1790 mov $len,$len_ # backup $len
1793 $movkey 16($key,$rnds_),$rndkey1 # last round key
1795 movdqa .Lxts_magic(%rip),$twmask
1796 movdqa $inout0,@tweak[5]
1797 pshufd \$0x5f,$inout0,$twres
1798 pxor $rndkey0,$rndkey1
1800 # alternative tweak calculation algorithm is based on suggestions
1801 # by Shay Gueron. psrad doesn't conflict with AES-NI instructions
1802 # and should help in the future...
1803 for ($i=0;$i<4;$i++) {
1805 movdqa $twres,$twtmp
1807 movdqa @tweak[5],@tweak[$i]
1808 psrad \$31,$twtmp # broadcast upper bits
1809 paddq @tweak[5],@tweak[5]
1811 pxor $rndkey0,@tweak[$i]
1812 pxor $twtmp,@tweak[5]
1816 movdqa @tweak[5],@tweak[4]
1818 paddq @tweak[5],@tweak[5]
1820 pxor $rndkey0,@tweak[4]
1821 pxor $twres,@tweak[5]
1822 movaps $rndkey1,0x60(%rsp) # save round[0]^round[last]
1825 jc .Lxts_enc_short # if $len-=6*16 borrowed
1828 lea 32($key_,$rnds_),$key # end of key schedule
1829 sub %r10,%rax # twisted $rounds
1830 $movkey 16($key_),$rndkey1
1831 mov %rax,%r10 # backup twisted $rounds
1832 lea .Lxts_magic(%rip),%r8
1833 jmp .Lxts_enc_grandloop
1836 .Lxts_enc_grandloop:
1837 movdqu `16*0`($inp),$inout0 # load input
1838 movdqa $rndkey0,$twmask
1839 movdqu `16*1`($inp),$inout1
1840 pxor @tweak[0],$inout0 # input^=tweak^round[0]
1841 movdqu `16*2`($inp),$inout2
1842 pxor @tweak[1],$inout1
1843 aesenc $rndkey1,$inout0
1844 movdqu `16*3`($inp),$inout3
1845 pxor @tweak[2],$inout2
1846 aesenc $rndkey1,$inout1
1847 movdqu `16*4`($inp),$inout4
1848 pxor @tweak[3],$inout3
1849 aesenc $rndkey1,$inout2
1850 movdqu `16*5`($inp),$inout5
1851 pxor @tweak[5],$twmask # round[0]^=tweak[5]
1852 movdqa 0x60(%rsp),$twres # load round[0]^round[last]
1853 pxor @tweak[4],$inout4
1854 aesenc $rndkey1,$inout3
1855 $movkey 32($key_),$rndkey0
1856 lea `16*6`($inp),$inp
1857 pxor $twmask,$inout5
1859 pxor $twres,@tweak[0] # calculate tweaks^round[last]
1860 aesenc $rndkey1,$inout4
1861 pxor $twres,@tweak[1]
1862 movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^round[last]
1863 aesenc $rndkey1,$inout5
1864 $movkey 48($key_),$rndkey1
1865 pxor $twres,@tweak[2]
1867 aesenc $rndkey0,$inout0
1868 pxor $twres,@tweak[3]
1869 movdqa @tweak[1],`16*1`(%rsp)
1870 aesenc $rndkey0,$inout1
1871 pxor $twres,@tweak[4]
1872 movdqa @tweak[2],`16*2`(%rsp)
1873 aesenc $rndkey0,$inout2
1874 aesenc $rndkey0,$inout3
1876 movdqa @tweak[4],`16*4`(%rsp)
1877 aesenc $rndkey0,$inout4
1878 aesenc $rndkey0,$inout5
1879 $movkey 64($key_),$rndkey0
1880 movdqa $twmask,`16*5`(%rsp)
1881 pshufd \$0x5f,@tweak[5],$twres
1885 aesenc $rndkey1,$inout0
1886 aesenc $rndkey1,$inout1
1887 aesenc $rndkey1,$inout2
1888 aesenc $rndkey1,$inout3
1889 aesenc $rndkey1,$inout4
1890 aesenc $rndkey1,$inout5
1891 $movkey -64($key,%rax),$rndkey1
1894 aesenc $rndkey0,$inout0
1895 aesenc $rndkey0,$inout1
1896 aesenc $rndkey0,$inout2
1897 aesenc $rndkey0,$inout3
1898 aesenc $rndkey0,$inout4
1899 aesenc $rndkey0,$inout5
1900 $movkey -80($key,%rax),$rndkey0
1903 movdqa (%r8),$twmask # start calculating next tweak
1904 movdqa $twres,$twtmp
1906 aesenc $rndkey1,$inout0
1907 paddq @tweak[5],@tweak[5]
1909 aesenc $rndkey1,$inout1
1911 $movkey ($key_),@tweak[0] # load round[0]
1912 aesenc $rndkey1,$inout2
1913 aesenc $rndkey1,$inout3
1914 aesenc $rndkey1,$inout4
1915 pxor $twtmp,@tweak[5]
1916 movaps @tweak[0],@tweak[1] # copy round[0]
1917 aesenc $rndkey1,$inout5
1918 $movkey -64($key),$rndkey1
1920 movdqa $twres,$twtmp
1921 aesenc $rndkey0,$inout0
1923 pxor @tweak[5],@tweak[0]
1924 aesenc $rndkey0,$inout1
1926 paddq @tweak[5],@tweak[5]
1927 aesenc $rndkey0,$inout2
1928 aesenc $rndkey0,$inout3
1930 movaps @tweak[1],@tweak[2]
1931 aesenc $rndkey0,$inout4
1932 pxor $twtmp,@tweak[5]
1933 movdqa $twres,$twtmp
1934 aesenc $rndkey0,$inout5
1935 $movkey -48($key),$rndkey0
1938 aesenc $rndkey1,$inout0
1939 pxor @tweak[5],@tweak[1]
1941 aesenc $rndkey1,$inout1
1942 paddq @tweak[5],@tweak[5]
1944 aesenc $rndkey1,$inout2
1945 aesenc $rndkey1,$inout3
1946 movdqa @tweak[3],`16*3`(%rsp)
1947 pxor $twtmp,@tweak[5]
1948 aesenc $rndkey1,$inout4
1949 movaps @tweak[2],@tweak[3]
1950 movdqa $twres,$twtmp
1951 aesenc $rndkey1,$inout5
1952 $movkey -32($key),$rndkey1
1955 aesenc $rndkey0,$inout0
1956 pxor @tweak[5],@tweak[2]
1958 aesenc $rndkey0,$inout1
1959 paddq @tweak[5],@tweak[5]
1961 aesenc $rndkey0,$inout2
1962 aesenc $rndkey0,$inout3
1963 aesenc $rndkey0,$inout4
1964 pxor $twtmp,@tweak[5]
1965 movaps @tweak[3],@tweak[4]
1966 aesenc $rndkey0,$inout5
1968 movdqa $twres,$rndkey0
1970 aesenc $rndkey1,$inout0
1971 pxor @tweak[5],@tweak[3]
1973 aesenc $rndkey1,$inout1
1974 paddq @tweak[5],@tweak[5]
1975 pand $twmask,$rndkey0
1976 aesenc $rndkey1,$inout2
1977 aesenc $rndkey1,$inout3
1978 pxor $rndkey0,@tweak[5]
1979 $movkey ($key_),$rndkey0
1980 aesenc $rndkey1,$inout4
1981 aesenc $rndkey1,$inout5
1982 $movkey 16($key_),$rndkey1
1984 pxor @tweak[5],@tweak[4]
1985 aesenclast `16*0`(%rsp),$inout0
1987 paddq @tweak[5],@tweak[5]
1988 aesenclast `16*1`(%rsp),$inout1
1989 aesenclast `16*2`(%rsp),$inout2
1991 mov %r10,%rax # restore $rounds
1992 aesenclast `16*3`(%rsp),$inout3
1993 aesenclast `16*4`(%rsp),$inout4
1994 aesenclast `16*5`(%rsp),$inout5
1995 pxor $twres,@tweak[5]
1997 lea `16*6`($out),$out # $out+=6*16
1998 movups $inout0,`-16*6`($out) # store 6 output blocks
1999 movups $inout1,`-16*5`($out)
2000 movups $inout2,`-16*4`($out)
2001 movups $inout3,`-16*3`($out)
2002 movups $inout4,`-16*2`($out)
2003 movups $inout5,`-16*1`($out)
2005 jnc .Lxts_enc_grandloop # loop if $len-=6*16 didn't borrow
2009 mov $key_,$key # restore $key
2010 shr \$4,$rounds # restore original value
2013 # at the point @tweak[0..5] are populated with tweak values
2014 mov $rounds,$rnds_ # backup $rounds
2015 pxor $rndkey0,@tweak[0]
2016 add \$16*6,$len # restore real remaining $len
2017 jz .Lxts_enc_done # done if ($len==0)
2019 pxor $rndkey0,@tweak[1]
2021 jb .Lxts_enc_one # $len is 1*16
2022 pxor $rndkey0,@tweak[2]
2023 je .Lxts_enc_two # $len is 2*16
2025 pxor $rndkey0,@tweak[3]
2027 jb .Lxts_enc_three # $len is 3*16
2028 pxor $rndkey0,@tweak[4]
2029 je .Lxts_enc_four # $len is 4*16
2031 movdqu ($inp),$inout0 # $len is 5*16
2032 movdqu 16*1($inp),$inout1
2033 movdqu 16*2($inp),$inout2
2034 pxor @tweak[0],$inout0
2035 movdqu 16*3($inp),$inout3
2036 pxor @tweak[1],$inout1
2037 movdqu 16*4($inp),$inout4
2038 lea 16*5($inp),$inp # $inp+=5*16
2039 pxor @tweak[2],$inout2
2040 pxor @tweak[3],$inout3
2041 pxor @tweak[4],$inout4
2042 pxor $inout5,$inout5
2044 call _aesni_encrypt6
2046 xorps @tweak[0],$inout0
2047 movdqa @tweak[5],@tweak[0]
2048 xorps @tweak[1],$inout1
2049 xorps @tweak[2],$inout2
2050 movdqu $inout0,($out) # store 5 output blocks
2051 xorps @tweak[3],$inout3
2052 movdqu $inout1,16*1($out)
2053 xorps @tweak[4],$inout4
2054 movdqu $inout2,16*2($out)
2055 movdqu $inout3,16*3($out)
2056 movdqu $inout4,16*4($out)
2057 lea 16*5($out),$out # $out+=5*16
2062 movups ($inp),$inout0
2063 lea 16*1($inp),$inp # inp+=1*16
2064 xorps @tweak[0],$inout0
2066 &aesni_generate1("enc",$key,$rounds);
2068 xorps @tweak[0],$inout0
2069 movdqa @tweak[1],@tweak[0]
2070 movups $inout0,($out) # store one output block
2071 lea 16*1($out),$out # $out+=1*16
2076 movups ($inp),$inout0
2077 movups 16($inp),$inout1
2078 lea 32($inp),$inp # $inp+=2*16
2079 xorps @tweak[0],$inout0
2080 xorps @tweak[1],$inout1
2082 call _aesni_encrypt2
2084 xorps @tweak[0],$inout0
2085 movdqa @tweak[2],@tweak[0]
2086 xorps @tweak[1],$inout1
2087 movups $inout0,($out) # store 2 output blocks
2088 movups $inout1,16*1($out)
2089 lea 16*2($out),$out # $out+=2*16
2094 movups ($inp),$inout0
2095 movups 16*1($inp),$inout1
2096 movups 16*2($inp),$inout2
2097 lea 16*3($inp),$inp # $inp+=3*16
2098 xorps @tweak[0],$inout0
2099 xorps @tweak[1],$inout1
2100 xorps @tweak[2],$inout2
2102 call _aesni_encrypt3
2104 xorps @tweak[0],$inout0
2105 movdqa @tweak[3],@tweak[0]
2106 xorps @tweak[1],$inout1
2107 xorps @tweak[2],$inout2
2108 movups $inout0,($out) # store 3 output blocks
2109 movups $inout1,16*1($out)
2110 movups $inout2,16*2($out)
2111 lea 16*3($out),$out # $out+=3*16
2116 movups ($inp),$inout0
2117 movups 16*1($inp),$inout1
2118 movups 16*2($inp),$inout2
2119 xorps @tweak[0],$inout0
2120 movups 16*3($inp),$inout3
2121 lea 16*4($inp),$inp # $inp+=4*16
2122 xorps @tweak[1],$inout1
2123 xorps @tweak[2],$inout2
2124 xorps @tweak[3],$inout3
2126 call _aesni_encrypt4
2128 pxor @tweak[0],$inout0
2129 movdqa @tweak[4],@tweak[0]
2130 pxor @tweak[1],$inout1
2131 pxor @tweak[2],$inout2
2132 movdqu $inout0,($out) # store 4 output blocks
2133 pxor @tweak[3],$inout3
2134 movdqu $inout1,16*1($out)
2135 movdqu $inout2,16*2($out)
2136 movdqu $inout3,16*3($out)
2137 lea 16*4($out),$out # $out+=4*16
2142 and \$15,$len_ # see if $len%16 is 0
2147 movzb ($inp),%eax # borrow $rounds ...
2148 movzb -16($out),%ecx # ... and $key
2156 sub $len_,$out # rewind $out
2157 mov $key_,$key # restore $key
2158 mov $rnds_,$rounds # restore $rounds
2160 movups -16($out),$inout0
2161 xorps @tweak[0],$inout0
2163 &aesni_generate1("enc",$key,$rounds);
2165 xorps @tweak[0],$inout0
2166 movups $inout0,-16($out)
2169 xorps %xmm0,%xmm0 # clear register bank
2176 $code.=<<___ if (!$win64);
2179 movaps %xmm0,0x00(%rsp) # clear stack
2181 movaps %xmm0,0x10(%rsp)
2183 movaps %xmm0,0x20(%rsp)
2185 movaps %xmm0,0x30(%rsp)
2187 movaps %xmm0,0x40(%rsp)
2189 movaps %xmm0,0x50(%rsp)
2191 movaps %xmm0,0x60(%rsp)
2195 $code.=<<___ if ($win64);
2196 movaps -0xa8(%r11),%xmm6
2197 movaps %xmm0,-0xa8(%r11) # clear stack
2198 movaps -0x98(%r11),%xmm7
2199 movaps %xmm0,-0x98(%r11)
2200 movaps -0x88(%r11),%xmm8
2201 movaps %xmm0,-0x88(%r11)
2202 movaps -0x78(%r11),%xmm9
2203 movaps %xmm0,-0x78(%r11)
2204 movaps -0x68(%r11),%xmm10
2205 movaps %xmm0,-0x68(%r11)
2206 movaps -0x58(%r11),%xmm11
2207 movaps %xmm0,-0x58(%r11)
2208 movaps -0x48(%r11),%xmm12
2209 movaps %xmm0,-0x48(%r11)
2210 movaps -0x38(%r11),%xmm13
2211 movaps %xmm0,-0x38(%r11)
2212 movaps -0x28(%r11),%xmm14
2213 movaps %xmm0,-0x28(%r11)
2214 movaps -0x18(%r11),%xmm15
2215 movaps %xmm0,-0x18(%r11)
2216 movaps %xmm0,0x00(%rsp)
2217 movaps %xmm0,0x10(%rsp)
2218 movaps %xmm0,0x20(%rsp)
2219 movaps %xmm0,0x30(%rsp)
2220 movaps %xmm0,0x40(%rsp)
2221 movaps %xmm0,0x50(%rsp)
2222 movaps %xmm0,0x60(%rsp)
2228 .cfi_def_cfa_register %rsp
2232 .size aesni_xts_encrypt,.-aesni_xts_encrypt
2236 .globl aesni_xts_decrypt
2237 .type aesni_xts_decrypt,\@function,6
2241 lea (%rsp),%r11 # frame pointer
2242 .cfi_def_cfa_register %r11
2245 sub \$$frame_size,%rsp
2246 and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
2248 $code.=<<___ if ($win64);
2249 movaps %xmm6,-0xa8(%r11) # offload everything
2250 movaps %xmm7,-0x98(%r11)
2251 movaps %xmm8,-0x88(%r11)
2252 movaps %xmm9,-0x78(%r11)
2253 movaps %xmm10,-0x68(%r11)
2254 movaps %xmm11,-0x58(%r11)
2255 movaps %xmm12,-0x48(%r11)
2256 movaps %xmm13,-0x38(%r11)
2257 movaps %xmm14,-0x28(%r11)
2258 movaps %xmm15,-0x18(%r11)
2262 movups ($ivp),$inout0 # load clear-text tweak
2263 mov 240($key2),$rounds # key2->rounds
2264 mov 240($key),$rnds_ # key1->rounds
2266 # generate the tweak
2267 &aesni_generate1("enc",$key2,$rounds,$inout0);
2269 xor %eax,%eax # if ($len%16) len-=16;
2275 $movkey ($key),$rndkey0 # zero round key
2276 mov $key,$key_ # backup $key
2277 mov $rnds_,$rounds # backup $rounds
2279 mov $len,$len_ # backup $len
2282 $movkey 16($key,$rnds_),$rndkey1 # last round key
2284 movdqa .Lxts_magic(%rip),$twmask
2285 movdqa $inout0,@tweak[5]
2286 pshufd \$0x5f,$inout0,$twres
2287 pxor $rndkey0,$rndkey1
2289 for ($i=0;$i<4;$i++) {
2291 movdqa $twres,$twtmp
2293 movdqa @tweak[5],@tweak[$i]
2294 psrad \$31,$twtmp # broadcast upper bits
2295 paddq @tweak[5],@tweak[5]
2297 pxor $rndkey0,@tweak[$i]
2298 pxor $twtmp,@tweak[5]
2302 movdqa @tweak[5],@tweak[4]
2304 paddq @tweak[5],@tweak[5]
2306 pxor $rndkey0,@tweak[4]
2307 pxor $twres,@tweak[5]
2308 movaps $rndkey1,0x60(%rsp) # save round[0]^round[last]
2311 jc .Lxts_dec_short # if $len-=6*16 borrowed
2314 lea 32($key_,$rnds_),$key # end of key schedule
2315 sub %r10,%rax # twisted $rounds
2316 $movkey 16($key_),$rndkey1
2317 mov %rax,%r10 # backup twisted $rounds
2318 lea .Lxts_magic(%rip),%r8
2319 jmp .Lxts_dec_grandloop
2322 .Lxts_dec_grandloop:
2323 movdqu `16*0`($inp),$inout0 # load input
2324 movdqa $rndkey0,$twmask
2325 movdqu `16*1`($inp),$inout1
2326 pxor @tweak[0],$inout0 # intput^=tweak^round[0]
2327 movdqu `16*2`($inp),$inout2
2328 pxor @tweak[1],$inout1
2329 aesdec $rndkey1,$inout0
2330 movdqu `16*3`($inp),$inout3
2331 pxor @tweak[2],$inout2
2332 aesdec $rndkey1,$inout1
2333 movdqu `16*4`($inp),$inout4
2334 pxor @tweak[3],$inout3
2335 aesdec $rndkey1,$inout2
2336 movdqu `16*5`($inp),$inout5
2337 pxor @tweak[5],$twmask # round[0]^=tweak[5]
2338 movdqa 0x60(%rsp),$twres # load round[0]^round[last]
2339 pxor @tweak[4],$inout4
2340 aesdec $rndkey1,$inout3
2341 $movkey 32($key_),$rndkey0
2342 lea `16*6`($inp),$inp
2343 pxor $twmask,$inout5
2345 pxor $twres,@tweak[0] # calculate tweaks^round[last]
2346 aesdec $rndkey1,$inout4
2347 pxor $twres,@tweak[1]
2348 movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^last round key
2349 aesdec $rndkey1,$inout5
2350 $movkey 48($key_),$rndkey1
2351 pxor $twres,@tweak[2]
2353 aesdec $rndkey0,$inout0
2354 pxor $twres,@tweak[3]
2355 movdqa @tweak[1],`16*1`(%rsp)
2356 aesdec $rndkey0,$inout1
2357 pxor $twres,@tweak[4]
2358 movdqa @tweak[2],`16*2`(%rsp)
2359 aesdec $rndkey0,$inout2
2360 aesdec $rndkey0,$inout3
2362 movdqa @tweak[4],`16*4`(%rsp)
2363 aesdec $rndkey0,$inout4
2364 aesdec $rndkey0,$inout5
2365 $movkey 64($key_),$rndkey0
2366 movdqa $twmask,`16*5`(%rsp)
2367 pshufd \$0x5f,@tweak[5],$twres
2371 aesdec $rndkey1,$inout0
2372 aesdec $rndkey1,$inout1
2373 aesdec $rndkey1,$inout2
2374 aesdec $rndkey1,$inout3
2375 aesdec $rndkey1,$inout4
2376 aesdec $rndkey1,$inout5
2377 $movkey -64($key,%rax),$rndkey1
2380 aesdec $rndkey0,$inout0
2381 aesdec $rndkey0,$inout1
2382 aesdec $rndkey0,$inout2
2383 aesdec $rndkey0,$inout3
2384 aesdec $rndkey0,$inout4
2385 aesdec $rndkey0,$inout5
2386 $movkey -80($key,%rax),$rndkey0
2389 movdqa (%r8),$twmask # start calculating next tweak
2390 movdqa $twres,$twtmp
2392 aesdec $rndkey1,$inout0
2393 paddq @tweak[5],@tweak[5]
2395 aesdec $rndkey1,$inout1
2397 $movkey ($key_),@tweak[0] # load round[0]
2398 aesdec $rndkey1,$inout2
2399 aesdec $rndkey1,$inout3
2400 aesdec $rndkey1,$inout4
2401 pxor $twtmp,@tweak[5]
2402 movaps @tweak[0],@tweak[1] # copy round[0]
2403 aesdec $rndkey1,$inout5
2404 $movkey -64($key),$rndkey1
2406 movdqa $twres,$twtmp
2407 aesdec $rndkey0,$inout0
2409 pxor @tweak[5],@tweak[0]
2410 aesdec $rndkey0,$inout1
2412 paddq @tweak[5],@tweak[5]
2413 aesdec $rndkey0,$inout2
2414 aesdec $rndkey0,$inout3
2416 movaps @tweak[1],@tweak[2]
2417 aesdec $rndkey0,$inout4
2418 pxor $twtmp,@tweak[5]
2419 movdqa $twres,$twtmp
2420 aesdec $rndkey0,$inout5
2421 $movkey -48($key),$rndkey0
2424 aesdec $rndkey1,$inout0
2425 pxor @tweak[5],@tweak[1]
2427 aesdec $rndkey1,$inout1
2428 paddq @tweak[5],@tweak[5]
2430 aesdec $rndkey1,$inout2
2431 aesdec $rndkey1,$inout3
2432 movdqa @tweak[3],`16*3`(%rsp)
2433 pxor $twtmp,@tweak[5]
2434 aesdec $rndkey1,$inout4
2435 movaps @tweak[2],@tweak[3]
2436 movdqa $twres,$twtmp
2437 aesdec $rndkey1,$inout5
2438 $movkey -32($key),$rndkey1
2441 aesdec $rndkey0,$inout0
2442 pxor @tweak[5],@tweak[2]
2444 aesdec $rndkey0,$inout1
2445 paddq @tweak[5],@tweak[5]
2447 aesdec $rndkey0,$inout2
2448 aesdec $rndkey0,$inout3
2449 aesdec $rndkey0,$inout4
2450 pxor $twtmp,@tweak[5]
2451 movaps @tweak[3],@tweak[4]
2452 aesdec $rndkey0,$inout5
2454 movdqa $twres,$rndkey0
2456 aesdec $rndkey1,$inout0
2457 pxor @tweak[5],@tweak[3]
2459 aesdec $rndkey1,$inout1
2460 paddq @tweak[5],@tweak[5]
2461 pand $twmask,$rndkey0
2462 aesdec $rndkey1,$inout2
2463 aesdec $rndkey1,$inout3
2464 pxor $rndkey0,@tweak[5]
2465 $movkey ($key_),$rndkey0
2466 aesdec $rndkey1,$inout4
2467 aesdec $rndkey1,$inout5
2468 $movkey 16($key_),$rndkey1
2470 pxor @tweak[5],@tweak[4]
2471 aesdeclast `16*0`(%rsp),$inout0
2473 paddq @tweak[5],@tweak[5]
2474 aesdeclast `16*1`(%rsp),$inout1
2475 aesdeclast `16*2`(%rsp),$inout2
2477 mov %r10,%rax # restore $rounds
2478 aesdeclast `16*3`(%rsp),$inout3
2479 aesdeclast `16*4`(%rsp),$inout4
2480 aesdeclast `16*5`(%rsp),$inout5
2481 pxor $twres,@tweak[5]
2483 lea `16*6`($out),$out # $out+=6*16
2484 movups $inout0,`-16*6`($out) # store 6 output blocks
2485 movups $inout1,`-16*5`($out)
2486 movups $inout2,`-16*4`($out)
2487 movups $inout3,`-16*3`($out)
2488 movups $inout4,`-16*2`($out)
2489 movups $inout5,`-16*1`($out)
2491 jnc .Lxts_dec_grandloop # loop if $len-=6*16 didn't borrow
2495 mov $key_,$key # restore $key
2496 shr \$4,$rounds # restore original value
2499 # at the point @tweak[0..5] are populated with tweak values
2500 mov $rounds,$rnds_ # backup $rounds
2501 pxor $rndkey0,@tweak[0]
2502 pxor $rndkey0,@tweak[1]
2503 add \$16*6,$len # restore real remaining $len
2504 jz .Lxts_dec_done # done if ($len==0)
2506 pxor $rndkey0,@tweak[2]
2508 jb .Lxts_dec_one # $len is 1*16
2509 pxor $rndkey0,@tweak[3]
2510 je .Lxts_dec_two # $len is 2*16
2512 pxor $rndkey0,@tweak[4]
2514 jb .Lxts_dec_three # $len is 3*16
2515 je .Lxts_dec_four # $len is 4*16
2517 movdqu ($inp),$inout0 # $len is 5*16
2518 movdqu 16*1($inp),$inout1
2519 movdqu 16*2($inp),$inout2
2520 pxor @tweak[0],$inout0
2521 movdqu 16*3($inp),$inout3
2522 pxor @tweak[1],$inout1
2523 movdqu 16*4($inp),$inout4
2524 lea 16*5($inp),$inp # $inp+=5*16
2525 pxor @tweak[2],$inout2
2526 pxor @tweak[3],$inout3
2527 pxor @tweak[4],$inout4
2529 call _aesni_decrypt6
2531 xorps @tweak[0],$inout0
2532 xorps @tweak[1],$inout1
2533 xorps @tweak[2],$inout2
2534 movdqu $inout0,($out) # store 5 output blocks
2535 xorps @tweak[3],$inout3
2536 movdqu $inout1,16*1($out)
2537 xorps @tweak[4],$inout4
2538 movdqu $inout2,16*2($out)
2540 movdqu $inout3,16*3($out)
2541 pcmpgtd @tweak[5],$twtmp
2542 movdqu $inout4,16*4($out)
2543 lea 16*5($out),$out # $out+=5*16
2544 pshufd \$0x13,$twtmp,@tweak[1] # $twres
2548 movdqa @tweak[5],@tweak[0]
2549 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
2550 pand $twmask,@tweak[1] # isolate carry and residue
2551 pxor @tweak[5],@tweak[1]
2556 movups ($inp),$inout0
2557 lea 16*1($inp),$inp # $inp+=1*16
2558 xorps @tweak[0],$inout0
2560 &aesni_generate1("dec",$key,$rounds);
2562 xorps @tweak[0],$inout0
2563 movdqa @tweak[1],@tweak[0]
2564 movups $inout0,($out) # store one output block
2565 movdqa @tweak[2],@tweak[1]
2566 lea 16*1($out),$out # $out+=1*16
2571 movups ($inp),$inout0
2572 movups 16($inp),$inout1
2573 lea 32($inp),$inp # $inp+=2*16
2574 xorps @tweak[0],$inout0
2575 xorps @tweak[1],$inout1
2577 call _aesni_decrypt2
2579 xorps @tweak[0],$inout0
2580 movdqa @tweak[2],@tweak[0]
2581 xorps @tweak[1],$inout1
2582 movdqa @tweak[3],@tweak[1]
2583 movups $inout0,($out) # store 2 output blocks
2584 movups $inout1,16*1($out)
2585 lea 16*2($out),$out # $out+=2*16
2590 movups ($inp),$inout0
2591 movups 16*1($inp),$inout1
2592 movups 16*2($inp),$inout2
2593 lea 16*3($inp),$inp # $inp+=3*16
2594 xorps @tweak[0],$inout0
2595 xorps @tweak[1],$inout1
2596 xorps @tweak[2],$inout2
2598 call _aesni_decrypt3
2600 xorps @tweak[0],$inout0
2601 movdqa @tweak[3],@tweak[0]
2602 xorps @tweak[1],$inout1
2603 movdqa @tweak[4],@tweak[1]
2604 xorps @tweak[2],$inout2
2605 movups $inout0,($out) # store 3 output blocks
2606 movups $inout1,16*1($out)
2607 movups $inout2,16*2($out)
2608 lea 16*3($out),$out # $out+=3*16
2613 movups ($inp),$inout0
2614 movups 16*1($inp),$inout1
2615 movups 16*2($inp),$inout2
2616 xorps @tweak[0],$inout0
2617 movups 16*3($inp),$inout3
2618 lea 16*4($inp),$inp # $inp+=4*16
2619 xorps @tweak[1],$inout1
2620 xorps @tweak[2],$inout2
2621 xorps @tweak[3],$inout3
2623 call _aesni_decrypt4
2625 pxor @tweak[0],$inout0
2626 movdqa @tweak[4],@tweak[0]
2627 pxor @tweak[1],$inout1
2628 movdqa @tweak[5],@tweak[1]
2629 pxor @tweak[2],$inout2
2630 movdqu $inout0,($out) # store 4 output blocks
2631 pxor @tweak[3],$inout3
2632 movdqu $inout1,16*1($out)
2633 movdqu $inout2,16*2($out)
2634 movdqu $inout3,16*3($out)
2635 lea 16*4($out),$out # $out+=4*16
2640 and \$15,$len_ # see if $len%16 is 0
2644 mov $key_,$key # restore $key
2645 mov $rnds_,$rounds # restore $rounds
2647 movups ($inp),$inout0
2648 xorps @tweak[1],$inout0
2650 &aesni_generate1("dec",$key,$rounds);
2652 xorps @tweak[1],$inout0
2653 movups $inout0,($out)
2656 movzb 16($inp),%eax # borrow $rounds ...
2657 movzb ($out),%ecx # ... and $key
2665 sub $len_,$out # rewind $out
2666 mov $key_,$key # restore $key
2667 mov $rnds_,$rounds # restore $rounds
2669 movups ($out),$inout0
2670 xorps @tweak[0],$inout0
2672 &aesni_generate1("dec",$key,$rounds);
2674 xorps @tweak[0],$inout0
2675 movups $inout0,($out)
2678 xorps %xmm0,%xmm0 # clear register bank
2685 $code.=<<___ if (!$win64);
2688 movaps %xmm0,0x00(%rsp) # clear stack
2690 movaps %xmm0,0x10(%rsp)
2692 movaps %xmm0,0x20(%rsp)
2694 movaps %xmm0,0x30(%rsp)
2696 movaps %xmm0,0x40(%rsp)
2698 movaps %xmm0,0x50(%rsp)
2700 movaps %xmm0,0x60(%rsp)
2704 $code.=<<___ if ($win64);
2705 movaps -0xa8(%r11),%xmm6
2706 movaps %xmm0,-0xa8(%r11) # clear stack
2707 movaps -0x98(%r11),%xmm7
2708 movaps %xmm0,-0x98(%r11)
2709 movaps -0x88(%r11),%xmm8
2710 movaps %xmm0,-0x88(%r11)
2711 movaps -0x78(%r11),%xmm9
2712 movaps %xmm0,-0x78(%r11)
2713 movaps -0x68(%r11),%xmm10
2714 movaps %xmm0,-0x68(%r11)
2715 movaps -0x58(%r11),%xmm11
2716 movaps %xmm0,-0x58(%r11)
2717 movaps -0x48(%r11),%xmm12
2718 movaps %xmm0,-0x48(%r11)
2719 movaps -0x38(%r11),%xmm13
2720 movaps %xmm0,-0x38(%r11)
2721 movaps -0x28(%r11),%xmm14
2722 movaps %xmm0,-0x28(%r11)
2723 movaps -0x18(%r11),%xmm15
2724 movaps %xmm0,-0x18(%r11)
2725 movaps %xmm0,0x00(%rsp)
2726 movaps %xmm0,0x10(%rsp)
2727 movaps %xmm0,0x20(%rsp)
2728 movaps %xmm0,0x30(%rsp)
2729 movaps %xmm0,0x40(%rsp)
2730 movaps %xmm0,0x50(%rsp)
2731 movaps %xmm0,0x60(%rsp)
2737 .cfi_def_cfa_register %rsp
2741 .size aesni_xts_decrypt,.-aesni_xts_decrypt
2745 ######################################################################
2746 # void aesni_ocb_[en|de]crypt(const char *inp, char *out, size_t blocks,
2747 # const AES_KEY *key, unsigned int start_block_num,
2748 # unsigned char offset_i[16], const unsigned char L_[][16],
2749 # unsigned char checksum[16]);
2752 my @offset=map("%xmm$_",(10..15));
2753 my ($checksum,$rndkey0l)=("%xmm8","%xmm9");
2754 my ($block_num,$offset_p)=("%r8","%r9"); # 5th and 6th arguments
2755 my ($L_p,$checksum_p) = ("%rbx","%rbp");
2756 my ($i1,$i3,$i5) = ("%r12","%r13","%r14");
2757 my $seventh_arg = $win64 ? 56 : 8;
2761 .globl aesni_ocb_encrypt
2762 .type aesni_ocb_encrypt,\@function,6
2778 $code.=<<___ if ($win64);
2779 lea -0xa0(%rsp),%rsp
2780 movaps %xmm6,0x00(%rsp) # offload everything
2781 movaps %xmm7,0x10(%rsp)
2782 movaps %xmm8,0x20(%rsp)
2783 movaps %xmm9,0x30(%rsp)
2784 movaps %xmm10,0x40(%rsp)
2785 movaps %xmm11,0x50(%rsp)
2786 movaps %xmm12,0x60(%rsp)
2787 movaps %xmm13,0x70(%rsp)
2788 movaps %xmm14,0x80(%rsp)
2789 movaps %xmm15,0x90(%rsp)
2793 mov $seventh_arg(%rax),$L_p # 7th argument
2794 mov $seventh_arg+8(%rax),$checksum_p# 8th argument
2796 mov 240($key),$rnds_
2799 $movkey ($key),$rndkey0l # round[0]
2800 $movkey 16($key,$rnds_),$rndkey1 # round[last]
2802 movdqu ($offset_p),@offset[5] # load last offset_i
2803 pxor $rndkey1,$rndkey0l # round[0] ^ round[last]
2804 pxor $rndkey1,@offset[5] # offset_i ^ round[last]
2807 lea 32($key_,$rnds_),$key
2808 $movkey 16($key_),$rndkey1 # round[1]
2809 sub %r10,%rax # twisted $rounds
2810 mov %rax,%r10 # backup twisted $rounds
2812 movdqu ($L_p),@offset[0] # L_0 for all odd-numbered blocks
2813 movdqu ($checksum_p),$checksum # load checksum
2815 test \$1,$block_num # is first block number odd?
2821 movdqu ($L_p,$i1),$inout5 # borrow
2822 movdqu ($inp),$inout0
2827 movdqa $inout5,@offset[5]
2828 movups $inout0,($out)
2834 lea 1($block_num),$i1 # even-numbered blocks
2835 lea 3($block_num),$i3
2836 lea 5($block_num),$i5
2837 lea 6($block_num),$block_num
2838 bsf $i1,$i1 # ntz(block)
2841 shl \$4,$i1 # ntz(block) -> table offset
2847 jmp .Locb_enc_grandloop
2850 .Locb_enc_grandloop:
2851 movdqu `16*0`($inp),$inout0 # load input
2852 movdqu `16*1`($inp),$inout1
2853 movdqu `16*2`($inp),$inout2
2854 movdqu `16*3`($inp),$inout3
2855 movdqu `16*4`($inp),$inout4
2856 movdqu `16*5`($inp),$inout5
2857 lea `16*6`($inp),$inp
2861 movups $inout0,`16*0`($out) # store output
2862 movups $inout1,`16*1`($out)
2863 movups $inout2,`16*2`($out)
2864 movups $inout3,`16*3`($out)
2865 movups $inout4,`16*4`($out)
2866 movups $inout5,`16*5`($out)
2867 lea `16*6`($out),$out
2869 jnc .Locb_enc_grandloop
2875 movdqu `16*0`($inp),$inout0
2878 movdqu `16*1`($inp),$inout1
2881 movdqu `16*2`($inp),$inout2
2884 movdqu `16*3`($inp),$inout3
2887 movdqu `16*4`($inp),$inout4
2888 pxor $inout5,$inout5
2892 movdqa @offset[4],@offset[5]
2893 movups $inout0,`16*0`($out)
2894 movups $inout1,`16*1`($out)
2895 movups $inout2,`16*2`($out)
2896 movups $inout3,`16*3`($out)
2897 movups $inout4,`16*4`($out)
2903 movdqa @offset[0],$inout5 # borrow
2907 movdqa $inout5,@offset[5]
2908 movups $inout0,`16*0`($out)
2913 pxor $inout2,$inout2
2914 pxor $inout3,$inout3
2918 movdqa @offset[1],@offset[5]
2919 movups $inout0,`16*0`($out)
2920 movups $inout1,`16*1`($out)
2926 pxor $inout3,$inout3
2930 movdqa @offset[2],@offset[5]
2931 movups $inout0,`16*0`($out)
2932 movups $inout1,`16*1`($out)
2933 movups $inout2,`16*2`($out)
2941 movdqa @offset[3],@offset[5]
2942 movups $inout0,`16*0`($out)
2943 movups $inout1,`16*1`($out)
2944 movups $inout2,`16*2`($out)
2945 movups $inout3,`16*3`($out)
2948 pxor $rndkey0,@offset[5] # "remove" round[last]
2949 movdqu $checksum,($checksum_p) # store checksum
2950 movdqu @offset[5],($offset_p) # store last offset_i
2952 xorps %xmm0,%xmm0 # clear register bank
2959 $code.=<<___ if (!$win64);
2973 $code.=<<___ if ($win64);
2974 movaps 0x00(%rsp),%xmm6
2975 movaps %xmm0,0x00(%rsp) # clear stack
2976 movaps 0x10(%rsp),%xmm7
2977 movaps %xmm0,0x10(%rsp)
2978 movaps 0x20(%rsp),%xmm8
2979 movaps %xmm0,0x20(%rsp)
2980 movaps 0x30(%rsp),%xmm9
2981 movaps %xmm0,0x30(%rsp)
2982 movaps 0x40(%rsp),%xmm10
2983 movaps %xmm0,0x40(%rsp)
2984 movaps 0x50(%rsp),%xmm11
2985 movaps %xmm0,0x50(%rsp)
2986 movaps 0x60(%rsp),%xmm12
2987 movaps %xmm0,0x60(%rsp)
2988 movaps 0x70(%rsp),%xmm13
2989 movaps %xmm0,0x70(%rsp)
2990 movaps 0x80(%rsp),%xmm14
2991 movaps %xmm0,0x80(%rsp)
2992 movaps 0x90(%rsp),%xmm15
2993 movaps %xmm0,0x90(%rsp)
2994 lea 0xa0+0x28(%rsp),%rax
3009 .cfi_def_cfa_register %rsp
3013 .size aesni_ocb_encrypt,.-aesni_ocb_encrypt
3015 .type __ocb_encrypt6,\@abi-omnipotent
3018 pxor $rndkey0l,@offset[5] # offset_i ^ round[0]
3019 movdqu ($L_p,$i1),@offset[1]
3020 movdqa @offset[0],@offset[2]
3021 movdqu ($L_p,$i3),@offset[3]
3022 movdqa @offset[0],@offset[4]
3023 pxor @offset[5],@offset[0]
3024 movdqu ($L_p,$i5),@offset[5]
3025 pxor @offset[0],@offset[1]
3026 pxor $inout0,$checksum # accumulate checksum
3027 pxor @offset[0],$inout0 # input ^ round[0] ^ offset_i
3028 pxor @offset[1],@offset[2]
3029 pxor $inout1,$checksum
3030 pxor @offset[1],$inout1
3031 pxor @offset[2],@offset[3]
3032 pxor $inout2,$checksum
3033 pxor @offset[2],$inout2
3034 pxor @offset[3],@offset[4]
3035 pxor $inout3,$checksum
3036 pxor @offset[3],$inout3
3037 pxor @offset[4],@offset[5]
3038 pxor $inout4,$checksum
3039 pxor @offset[4],$inout4
3040 pxor $inout5,$checksum
3041 pxor @offset[5],$inout5
3042 $movkey 32($key_),$rndkey0
3044 lea 1($block_num),$i1 # even-numbered blocks
3045 lea 3($block_num),$i3
3046 lea 5($block_num),$i5
3048 pxor $rndkey0l,@offset[0] # offset_i ^ round[last]
3049 bsf $i1,$i1 # ntz(block)
3053 aesenc $rndkey1,$inout0
3054 aesenc $rndkey1,$inout1
3055 aesenc $rndkey1,$inout2
3056 aesenc $rndkey1,$inout3
3057 pxor $rndkey0l,@offset[1]
3058 pxor $rndkey0l,@offset[2]
3059 aesenc $rndkey1,$inout4
3060 pxor $rndkey0l,@offset[3]
3061 pxor $rndkey0l,@offset[4]
3062 aesenc $rndkey1,$inout5
3063 $movkey 48($key_),$rndkey1
3064 pxor $rndkey0l,@offset[5]
3066 aesenc $rndkey0,$inout0
3067 aesenc $rndkey0,$inout1
3068 aesenc $rndkey0,$inout2
3069 aesenc $rndkey0,$inout3
3070 aesenc $rndkey0,$inout4
3071 aesenc $rndkey0,$inout5
3072 $movkey 64($key_),$rndkey0
3073 shl \$4,$i1 # ntz(block) -> table offset
3079 aesenc $rndkey1,$inout0
3080 aesenc $rndkey1,$inout1
3081 aesenc $rndkey1,$inout2
3082 aesenc $rndkey1,$inout3
3083 aesenc $rndkey1,$inout4
3084 aesenc $rndkey1,$inout5
3085 $movkey ($key,%rax),$rndkey1
3088 aesenc $rndkey0,$inout0
3089 aesenc $rndkey0,$inout1
3090 aesenc $rndkey0,$inout2
3091 aesenc $rndkey0,$inout3
3092 aesenc $rndkey0,$inout4
3093 aesenc $rndkey0,$inout5
3094 $movkey -16($key,%rax),$rndkey0
3097 aesenc $rndkey1,$inout0
3098 aesenc $rndkey1,$inout1
3099 aesenc $rndkey1,$inout2
3100 aesenc $rndkey1,$inout3
3101 aesenc $rndkey1,$inout4
3102 aesenc $rndkey1,$inout5
3103 $movkey 16($key_),$rndkey1
3106 aesenclast @offset[0],$inout0
3107 movdqu ($L_p),@offset[0] # L_0 for all odd-numbered blocks
3108 mov %r10,%rax # restore twisted rounds
3109 aesenclast @offset[1],$inout1
3110 aesenclast @offset[2],$inout2
3111 aesenclast @offset[3],$inout3
3112 aesenclast @offset[4],$inout4
3113 aesenclast @offset[5],$inout5
3115 .size __ocb_encrypt6,.-__ocb_encrypt6
3117 .type __ocb_encrypt4,\@abi-omnipotent
3120 pxor $rndkey0l,@offset[5] # offset_i ^ round[0]
3121 movdqu ($L_p,$i1),@offset[1]
3122 movdqa @offset[0],@offset[2]
3123 movdqu ($L_p,$i3),@offset[3]
3124 pxor @offset[5],@offset[0]
3125 pxor @offset[0],@offset[1]
3126 pxor $inout0,$checksum # accumulate checksum
3127 pxor @offset[0],$inout0 # input ^ round[0] ^ offset_i
3128 pxor @offset[1],@offset[2]
3129 pxor $inout1,$checksum
3130 pxor @offset[1],$inout1
3131 pxor @offset[2],@offset[3]
3132 pxor $inout2,$checksum
3133 pxor @offset[2],$inout2
3134 pxor $inout3,$checksum
3135 pxor @offset[3],$inout3
3136 $movkey 32($key_),$rndkey0
3138 pxor $rndkey0l,@offset[0] # offset_i ^ round[last]
3139 pxor $rndkey0l,@offset[1]
3140 pxor $rndkey0l,@offset[2]
3141 pxor $rndkey0l,@offset[3]
3143 aesenc $rndkey1,$inout0
3144 aesenc $rndkey1,$inout1
3145 aesenc $rndkey1,$inout2
3146 aesenc $rndkey1,$inout3
3147 $movkey 48($key_),$rndkey1
3149 aesenc $rndkey0,$inout0
3150 aesenc $rndkey0,$inout1
3151 aesenc $rndkey0,$inout2
3152 aesenc $rndkey0,$inout3
3153 $movkey 64($key_),$rndkey0
3158 aesenc $rndkey1,$inout0
3159 aesenc $rndkey1,$inout1
3160 aesenc $rndkey1,$inout2
3161 aesenc $rndkey1,$inout3
3162 $movkey ($key,%rax),$rndkey1
3165 aesenc $rndkey0,$inout0
3166 aesenc $rndkey0,$inout1
3167 aesenc $rndkey0,$inout2
3168 aesenc $rndkey0,$inout3
3169 $movkey -16($key,%rax),$rndkey0
3172 aesenc $rndkey1,$inout0
3173 aesenc $rndkey1,$inout1
3174 aesenc $rndkey1,$inout2
3175 aesenc $rndkey1,$inout3
3176 $movkey 16($key_),$rndkey1
3177 mov %r10,%rax # restore twisted rounds
3179 aesenclast @offset[0],$inout0
3180 aesenclast @offset[1],$inout1
3181 aesenclast @offset[2],$inout2
3182 aesenclast @offset[3],$inout3
3184 .size __ocb_encrypt4,.-__ocb_encrypt4
3186 .type __ocb_encrypt1,\@abi-omnipotent
3189 pxor @offset[5],$inout5 # offset_i
3190 pxor $rndkey0l,$inout5 # offset_i ^ round[0]
3191 pxor $inout0,$checksum # accumulate checksum
3192 pxor $inout5,$inout0 # input ^ round[0] ^ offset_i
3193 $movkey 32($key_),$rndkey0
3195 aesenc $rndkey1,$inout0
3196 $movkey 48($key_),$rndkey1
3197 pxor $rndkey0l,$inout5 # offset_i ^ round[last]
3199 aesenc $rndkey0,$inout0
3200 $movkey 64($key_),$rndkey0
3205 aesenc $rndkey1,$inout0
3206 $movkey ($key,%rax),$rndkey1
3209 aesenc $rndkey0,$inout0
3210 $movkey -16($key,%rax),$rndkey0
3213 aesenc $rndkey1,$inout0
3214 $movkey 16($key_),$rndkey1 # redundant in tail
3215 mov %r10,%rax # restore twisted rounds
3217 aesenclast $inout5,$inout0
3219 .size __ocb_encrypt1,.-__ocb_encrypt1
3221 .globl aesni_ocb_decrypt
3222 .type aesni_ocb_decrypt,\@function,6
3238 $code.=<<___ if ($win64);
3239 lea -0xa0(%rsp),%rsp
3240 movaps %xmm6,0x00(%rsp) # offload everything
3241 movaps %xmm7,0x10(%rsp)
3242 movaps %xmm8,0x20(%rsp)
3243 movaps %xmm9,0x30(%rsp)
3244 movaps %xmm10,0x40(%rsp)
3245 movaps %xmm11,0x50(%rsp)
3246 movaps %xmm12,0x60(%rsp)
3247 movaps %xmm13,0x70(%rsp)
3248 movaps %xmm14,0x80(%rsp)
3249 movaps %xmm15,0x90(%rsp)
3253 mov $seventh_arg(%rax),$L_p # 7th argument
3254 mov $seventh_arg+8(%rax),$checksum_p# 8th argument
3256 mov 240($key),$rnds_
3259 $movkey ($key),$rndkey0l # round[0]
3260 $movkey 16($key,$rnds_),$rndkey1 # round[last]
3262 movdqu ($offset_p),@offset[5] # load last offset_i
3263 pxor $rndkey1,$rndkey0l # round[0] ^ round[last]
3264 pxor $rndkey1,@offset[5] # offset_i ^ round[last]
3267 lea 32($key_,$rnds_),$key
3268 $movkey 16($key_),$rndkey1 # round[1]
3269 sub %r10,%rax # twisted $rounds
3270 mov %rax,%r10 # backup twisted $rounds
3272 movdqu ($L_p),@offset[0] # L_0 for all odd-numbered blocks
3273 movdqu ($checksum_p),$checksum # load checksum
3275 test \$1,$block_num # is first block number odd?
3281 movdqu ($L_p,$i1),$inout5 # borrow
3282 movdqu ($inp),$inout0
3287 movdqa $inout5,@offset[5]
3288 movups $inout0,($out)
3289 xorps $inout0,$checksum # accumulate checksum
3295 lea 1($block_num),$i1 # even-numbered blocks
3296 lea 3($block_num),$i3
3297 lea 5($block_num),$i5
3298 lea 6($block_num),$block_num
3299 bsf $i1,$i1 # ntz(block)
3302 shl \$4,$i1 # ntz(block) -> table offset
3308 jmp .Locb_dec_grandloop
3311 .Locb_dec_grandloop:
3312 movdqu `16*0`($inp),$inout0 # load input
3313 movdqu `16*1`($inp),$inout1
3314 movdqu `16*2`($inp),$inout2
3315 movdqu `16*3`($inp),$inout3
3316 movdqu `16*4`($inp),$inout4
3317 movdqu `16*5`($inp),$inout5
3318 lea `16*6`($inp),$inp
3322 movups $inout0,`16*0`($out) # store output
3323 pxor $inout0,$checksum # accumulate checksum
3324 movups $inout1,`16*1`($out)
3325 pxor $inout1,$checksum
3326 movups $inout2,`16*2`($out)
3327 pxor $inout2,$checksum
3328 movups $inout3,`16*3`($out)
3329 pxor $inout3,$checksum
3330 movups $inout4,`16*4`($out)
3331 pxor $inout4,$checksum
3332 movups $inout5,`16*5`($out)
3333 pxor $inout5,$checksum
3334 lea `16*6`($out),$out
3336 jnc .Locb_dec_grandloop
3342 movdqu `16*0`($inp),$inout0
3345 movdqu `16*1`($inp),$inout1
3348 movdqu `16*2`($inp),$inout2
3351 movdqu `16*3`($inp),$inout3
3354 movdqu `16*4`($inp),$inout4
3355 pxor $inout5,$inout5
3359 movdqa @offset[4],@offset[5]
3360 movups $inout0,`16*0`($out) # store output
3361 pxor $inout0,$checksum # accumulate checksum
3362 movups $inout1,`16*1`($out)
3363 pxor $inout1,$checksum
3364 movups $inout2,`16*2`($out)
3365 pxor $inout2,$checksum
3366 movups $inout3,`16*3`($out)
3367 pxor $inout3,$checksum
3368 movups $inout4,`16*4`($out)
3369 pxor $inout4,$checksum
3375 movdqa @offset[0],$inout5 # borrow
3379 movdqa $inout5,@offset[5]
3380 movups $inout0,`16*0`($out) # store output
3381 xorps $inout0,$checksum # accumulate checksum
3386 pxor $inout2,$inout2
3387 pxor $inout3,$inout3
3391 movdqa @offset[1],@offset[5]
3392 movups $inout0,`16*0`($out) # store output
3393 xorps $inout0,$checksum # accumulate checksum
3394 movups $inout1,`16*1`($out)
3395 xorps $inout1,$checksum
3401 pxor $inout3,$inout3
3405 movdqa @offset[2],@offset[5]
3406 movups $inout0,`16*0`($out) # store output
3407 xorps $inout0,$checksum # accumulate checksum
3408 movups $inout1,`16*1`($out)
3409 xorps $inout1,$checksum
3410 movups $inout2,`16*2`($out)
3411 xorps $inout2,$checksum
3419 movdqa @offset[3],@offset[5]
3420 movups $inout0,`16*0`($out) # store output
3421 pxor $inout0,$checksum # accumulate checksum
3422 movups $inout1,`16*1`($out)
3423 pxor $inout1,$checksum
3424 movups $inout2,`16*2`($out)
3425 pxor $inout2,$checksum
3426 movups $inout3,`16*3`($out)
3427 pxor $inout3,$checksum
3430 pxor $rndkey0,@offset[5] # "remove" round[last]
3431 movdqu $checksum,($checksum_p) # store checksum
3432 movdqu @offset[5],($offset_p) # store last offset_i
3434 xorps %xmm0,%xmm0 # clear register bank
3441 $code.=<<___ if (!$win64);
3455 $code.=<<___ if ($win64);
3456 movaps 0x00(%rsp),%xmm6
3457 movaps %xmm0,0x00(%rsp) # clear stack
3458 movaps 0x10(%rsp),%xmm7
3459 movaps %xmm0,0x10(%rsp)
3460 movaps 0x20(%rsp),%xmm8
3461 movaps %xmm0,0x20(%rsp)
3462 movaps 0x30(%rsp),%xmm9
3463 movaps %xmm0,0x30(%rsp)
3464 movaps 0x40(%rsp),%xmm10
3465 movaps %xmm0,0x40(%rsp)
3466 movaps 0x50(%rsp),%xmm11
3467 movaps %xmm0,0x50(%rsp)
3468 movaps 0x60(%rsp),%xmm12
3469 movaps %xmm0,0x60(%rsp)
3470 movaps 0x70(%rsp),%xmm13
3471 movaps %xmm0,0x70(%rsp)
3472 movaps 0x80(%rsp),%xmm14
3473 movaps %xmm0,0x80(%rsp)
3474 movaps 0x90(%rsp),%xmm15
3475 movaps %xmm0,0x90(%rsp)
3476 lea 0xa0+0x28(%rsp),%rax
3491 .cfi_def_cfa_register %rsp
3495 .size aesni_ocb_decrypt,.-aesni_ocb_decrypt
3497 .type __ocb_decrypt6,\@abi-omnipotent
3500 pxor $rndkey0l,@offset[5] # offset_i ^ round[0]
3501 movdqu ($L_p,$i1),@offset[1]
3502 movdqa @offset[0],@offset[2]
3503 movdqu ($L_p,$i3),@offset[3]
3504 movdqa @offset[0],@offset[4]
3505 pxor @offset[5],@offset[0]
3506 movdqu ($L_p,$i5),@offset[5]
3507 pxor @offset[0],@offset[1]
3508 pxor @offset[0],$inout0 # input ^ round[0] ^ offset_i
3509 pxor @offset[1],@offset[2]
3510 pxor @offset[1],$inout1
3511 pxor @offset[2],@offset[3]
3512 pxor @offset[2],$inout2
3513 pxor @offset[3],@offset[4]
3514 pxor @offset[3],$inout3
3515 pxor @offset[4],@offset[5]
3516 pxor @offset[4],$inout4
3517 pxor @offset[5],$inout5
3518 $movkey 32($key_),$rndkey0
3520 lea 1($block_num),$i1 # even-numbered blocks
3521 lea 3($block_num),$i3
3522 lea 5($block_num),$i5
3524 pxor $rndkey0l,@offset[0] # offset_i ^ round[last]
3525 bsf $i1,$i1 # ntz(block)
3529 aesdec $rndkey1,$inout0
3530 aesdec $rndkey1,$inout1
3531 aesdec $rndkey1,$inout2
3532 aesdec $rndkey1,$inout3
3533 pxor $rndkey0l,@offset[1]
3534 pxor $rndkey0l,@offset[2]
3535 aesdec $rndkey1,$inout4
3536 pxor $rndkey0l,@offset[3]
3537 pxor $rndkey0l,@offset[4]
3538 aesdec $rndkey1,$inout5
3539 $movkey 48($key_),$rndkey1
3540 pxor $rndkey0l,@offset[5]
3542 aesdec $rndkey0,$inout0
3543 aesdec $rndkey0,$inout1
3544 aesdec $rndkey0,$inout2
3545 aesdec $rndkey0,$inout3
3546 aesdec $rndkey0,$inout4
3547 aesdec $rndkey0,$inout5
3548 $movkey 64($key_),$rndkey0
3549 shl \$4,$i1 # ntz(block) -> table offset
3555 aesdec $rndkey1,$inout0
3556 aesdec $rndkey1,$inout1
3557 aesdec $rndkey1,$inout2
3558 aesdec $rndkey1,$inout3
3559 aesdec $rndkey1,$inout4
3560 aesdec $rndkey1,$inout5
3561 $movkey ($key,%rax),$rndkey1
3564 aesdec $rndkey0,$inout0
3565 aesdec $rndkey0,$inout1
3566 aesdec $rndkey0,$inout2
3567 aesdec $rndkey0,$inout3
3568 aesdec $rndkey0,$inout4
3569 aesdec $rndkey0,$inout5
3570 $movkey -16($key,%rax),$rndkey0
3573 aesdec $rndkey1,$inout0
3574 aesdec $rndkey1,$inout1
3575 aesdec $rndkey1,$inout2
3576 aesdec $rndkey1,$inout3
3577 aesdec $rndkey1,$inout4
3578 aesdec $rndkey1,$inout5
3579 $movkey 16($key_),$rndkey1
3582 aesdeclast @offset[0],$inout0
3583 movdqu ($L_p),@offset[0] # L_0 for all odd-numbered blocks
3584 mov %r10,%rax # restore twisted rounds
3585 aesdeclast @offset[1],$inout1
3586 aesdeclast @offset[2],$inout2
3587 aesdeclast @offset[3],$inout3
3588 aesdeclast @offset[4],$inout4
3589 aesdeclast @offset[5],$inout5
3591 .size __ocb_decrypt6,.-__ocb_decrypt6
3593 .type __ocb_decrypt4,\@abi-omnipotent
3596 pxor $rndkey0l,@offset[5] # offset_i ^ round[0]
3597 movdqu ($L_p,$i1),@offset[1]
3598 movdqa @offset[0],@offset[2]
3599 movdqu ($L_p,$i3),@offset[3]
3600 pxor @offset[5],@offset[0]
3601 pxor @offset[0],@offset[1]
3602 pxor @offset[0],$inout0 # input ^ round[0] ^ offset_i
3603 pxor @offset[1],@offset[2]
3604 pxor @offset[1],$inout1
3605 pxor @offset[2],@offset[3]
3606 pxor @offset[2],$inout2
3607 pxor @offset[3],$inout3
3608 $movkey 32($key_),$rndkey0
3610 pxor $rndkey0l,@offset[0] # offset_i ^ round[last]
3611 pxor $rndkey0l,@offset[1]
3612 pxor $rndkey0l,@offset[2]
3613 pxor $rndkey0l,@offset[3]
3615 aesdec $rndkey1,$inout0
3616 aesdec $rndkey1,$inout1
3617 aesdec $rndkey1,$inout2
3618 aesdec $rndkey1,$inout3
3619 $movkey 48($key_),$rndkey1
3621 aesdec $rndkey0,$inout0
3622 aesdec $rndkey0,$inout1
3623 aesdec $rndkey0,$inout2
3624 aesdec $rndkey0,$inout3
3625 $movkey 64($key_),$rndkey0
3630 aesdec $rndkey1,$inout0
3631 aesdec $rndkey1,$inout1
3632 aesdec $rndkey1,$inout2
3633 aesdec $rndkey1,$inout3
3634 $movkey ($key,%rax),$rndkey1
3637 aesdec $rndkey0,$inout0
3638 aesdec $rndkey0,$inout1
3639 aesdec $rndkey0,$inout2
3640 aesdec $rndkey0,$inout3
3641 $movkey -16($key,%rax),$rndkey0
3644 aesdec $rndkey1,$inout0
3645 aesdec $rndkey1,$inout1
3646 aesdec $rndkey1,$inout2
3647 aesdec $rndkey1,$inout3
3648 $movkey 16($key_),$rndkey1
3649 mov %r10,%rax # restore twisted rounds
3651 aesdeclast @offset[0],$inout0
3652 aesdeclast @offset[1],$inout1
3653 aesdeclast @offset[2],$inout2
3654 aesdeclast @offset[3],$inout3
3656 .size __ocb_decrypt4,.-__ocb_decrypt4
3658 .type __ocb_decrypt1,\@abi-omnipotent
3661 pxor @offset[5],$inout5 # offset_i
3662 pxor $rndkey0l,$inout5 # offset_i ^ round[0]
3663 pxor $inout5,$inout0 # input ^ round[0] ^ offset_i
3664 $movkey 32($key_),$rndkey0
3666 aesdec $rndkey1,$inout0
3667 $movkey 48($key_),$rndkey1
3668 pxor $rndkey0l,$inout5 # offset_i ^ round[last]
3670 aesdec $rndkey0,$inout0
3671 $movkey 64($key_),$rndkey0
3676 aesdec $rndkey1,$inout0
3677 $movkey ($key,%rax),$rndkey1
3680 aesdec $rndkey0,$inout0
3681 $movkey -16($key,%rax),$rndkey0
3684 aesdec $rndkey1,$inout0
3685 $movkey 16($key_),$rndkey1 # redundant in tail
3686 mov %r10,%rax # restore twisted rounds
3688 aesdeclast $inout5,$inout0
3690 .size __ocb_decrypt1,.-__ocb_decrypt1
3694 ########################################################################
3695 # void $PREFIX_cbc_encrypt (const void *inp, void *out,
3696 # size_t length, const AES_KEY *key,
3697 # unsigned char *ivp,const int enc);
3699 my $frame_size = 0x10 + ($win64?0xa0:0); # used in decrypt
3700 my ($iv,$in0,$in1,$in2,$in3,$in4)=map("%xmm$_",(10..15));
3703 .globl ${PREFIX}_cbc_encrypt
3704 .type ${PREFIX}_cbc_encrypt,\@function,6
3706 ${PREFIX}_cbc_encrypt:
3708 test $len,$len # check length
3711 mov 240($key),$rnds_ # key->rounds
3712 mov $key,$key_ # backup $key
3713 test %r9d,%r9d # 6th argument
3715 #--------------------------- CBC ENCRYPT ------------------------------#
3716 movups ($ivp),$inout0 # load iv as initial state
3724 movups ($inp),$inout1 # load input
3726 #xorps $inout1,$inout0
3728 &aesni_generate1("enc",$key,$rounds,$inout0,$inout1);
3730 mov $rnds_,$rounds # restore $rounds
3731 mov $key_,$key # restore $key
3732 movups $inout0,0($out) # store output
3738 pxor $rndkey0,$rndkey0 # clear register bank
3739 pxor $rndkey1,$rndkey1
3740 movups $inout0,($ivp)
3741 pxor $inout0,$inout0
3742 pxor $inout1,$inout1
3746 mov $len,%rcx # zaps $key
3747 xchg $inp,$out # $inp is %rsi and $out is %rdi now
3748 .long 0x9066A4F3 # rep movsb
3749 mov \$16,%ecx # zero tail
3752 .long 0x9066AAF3 # rep stosb
3753 lea -16(%rdi),%rdi # rewind $out by 1 block
3754 mov $rnds_,$rounds # restore $rounds
3755 mov %rdi,%rsi # $inp and $out are the same
3756 mov $key_,$key # restore $key
3757 xor $len,$len # len=16
3758 jmp .Lcbc_enc_loop # one more spin
3759 \f#--------------------------- CBC DECRYPT ------------------------------#
3763 jne .Lcbc_decrypt_bulk
3765 # handle single block without allocating stack frame,
3766 # useful in ciphertext stealing mode
3767 movdqu ($inp),$inout0 # load input
3768 movdqu ($ivp),$inout1 # load iv
3769 movdqa $inout0,$inout2 # future iv
3771 &aesni_generate1("dec",$key,$rnds_);
3773 pxor $rndkey0,$rndkey0 # clear register bank
3774 pxor $rndkey1,$rndkey1
3775 movdqu $inout2,($ivp) # store iv
3776 xorps $inout1,$inout0 # ^=iv
3777 pxor $inout1,$inout1
3778 movups $inout0,($out) # store output
3779 pxor $inout0,$inout0
3783 lea (%rsp),%r11 # frame pointer
3784 .cfi_def_cfa_register %r11
3787 sub \$$frame_size,%rsp
3788 and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
3790 $code.=<<___ if ($win64);
3791 movaps %xmm6,0x10(%rsp)
3792 movaps %xmm7,0x20(%rsp)
3793 movaps %xmm8,0x30(%rsp)
3794 movaps %xmm9,0x40(%rsp)
3795 movaps %xmm10,0x50(%rsp)
3796 movaps %xmm11,0x60(%rsp)
3797 movaps %xmm12,0x70(%rsp)
3798 movaps %xmm13,0x80(%rsp)
3799 movaps %xmm14,0x90(%rsp)
3800 movaps %xmm15,0xa0(%rsp)
3804 my $inp_=$key_="%rbp"; # reassign $key_
3807 mov $key,$key_ # [re-]backup $key [after reassignment]
3813 $movkey ($key),$rndkey0
3814 movdqu 0x00($inp),$inout0 # load input
3815 movdqu 0x10($inp),$inout1
3817 movdqu 0x20($inp),$inout2
3819 movdqu 0x30($inp),$inout3
3821 movdqu 0x40($inp),$inout4
3823 movdqu 0x50($inp),$inout5
3825 mov OPENSSL_ia32cap_P+4(%rip),%r9d
3827 jbe .Lcbc_dec_six_or_seven
3829 and \$`1<<26|1<<22`,%r9d # isolate XSAVE+MOVBE
3830 sub \$0x50,$len # $len is biased by -5*16
3831 cmp \$`1<<22`,%r9d # check for MOVBE without XSAVE
3832 je .Lcbc_dec_loop6_enter # [which denotes Atom Silvermont]
3833 sub \$0x20,$len # $len is biased by -7*16
3834 lea 0x70($key),$key # size optimization
3835 jmp .Lcbc_dec_loop8_enter
3838 movups $inout7,($out)
3840 .Lcbc_dec_loop8_enter:
3841 movdqu 0x60($inp),$inout6
3842 pxor $rndkey0,$inout0
3843 movdqu 0x70($inp),$inout7
3844 pxor $rndkey0,$inout1
3845 $movkey 0x10-0x70($key),$rndkey1
3846 pxor $rndkey0,$inout2
3848 cmp \$0x70,$len # is there at least 0x60 bytes ahead?
3849 pxor $rndkey0,$inout3
3850 pxor $rndkey0,$inout4
3851 pxor $rndkey0,$inout5
3852 pxor $rndkey0,$inout6
3854 aesdec $rndkey1,$inout0
3855 pxor $rndkey0,$inout7
3856 $movkey 0x20-0x70($key),$rndkey0
3857 aesdec $rndkey1,$inout1
3858 aesdec $rndkey1,$inout2
3859 aesdec $rndkey1,$inout3
3860 aesdec $rndkey1,$inout4
3861 aesdec $rndkey1,$inout5
3862 aesdec $rndkey1,$inout6
3865 aesdec $rndkey1,$inout7
3867 $movkey 0x30-0x70($key),$rndkey1
3869 for($i=1;$i<12;$i++) {
3870 my $rndkeyx = ($i&1)?$rndkey0:$rndkey1;
3871 $code.=<<___ if ($i==7);
3875 aesdec $rndkeyx,$inout0
3876 aesdec $rndkeyx,$inout1
3877 aesdec $rndkeyx,$inout2
3878 aesdec $rndkeyx,$inout3
3879 aesdec $rndkeyx,$inout4
3880 aesdec $rndkeyx,$inout5
3881 aesdec $rndkeyx,$inout6
3882 aesdec $rndkeyx,$inout7
3883 $movkey `0x30+0x10*$i`-0x70($key),$rndkeyx
3885 $code.=<<___ if ($i<6 || (!($i&1) && $i>7));
3888 $code.=<<___ if ($i==7);
3891 $code.=<<___ if ($i==9);
3894 $code.=<<___ if ($i==11);
3901 aesdec $rndkey1,$inout0
3902 aesdec $rndkey1,$inout1
3905 aesdec $rndkey1,$inout2
3906 aesdec $rndkey1,$inout3
3909 aesdec $rndkey1,$inout4
3910 aesdec $rndkey1,$inout5
3913 aesdec $rndkey1,$inout6
3914 aesdec $rndkey1,$inout7
3915 movdqu 0x50($inp),$rndkey1
3917 aesdeclast $iv,$inout0
3918 movdqu 0x60($inp),$iv # borrow $iv
3919 pxor $rndkey0,$rndkey1
3920 aesdeclast $in0,$inout1
3922 movdqu 0x70($inp),$rndkey0 # next IV
3923 aesdeclast $in1,$inout2
3925 movdqu 0x00($inp_),$in0
3926 aesdeclast $in2,$inout3
3927 aesdeclast $in3,$inout4
3928 movdqu 0x10($inp_),$in1
3929 movdqu 0x20($inp_),$in2
3930 aesdeclast $in4,$inout5
3931 aesdeclast $rndkey1,$inout6
3932 movdqu 0x30($inp_),$in3
3933 movdqu 0x40($inp_),$in4
3934 aesdeclast $iv,$inout7
3935 movdqa $rndkey0,$iv # return $iv
3936 movdqu 0x50($inp_),$rndkey1
3937 $movkey -0x70($key),$rndkey0
3939 movups $inout0,($out) # store output
3941 movups $inout1,0x10($out)
3943 movups $inout2,0x20($out)
3945 movups $inout3,0x30($out)
3947 movups $inout4,0x40($out)
3949 movups $inout5,0x50($out)
3950 movdqa $rndkey1,$inout5
3951 movups $inout6,0x60($out)
3957 movaps $inout7,$inout0
3958 lea -0x70($key),$key
3960 jle .Lcbc_dec_clear_tail_collected
3961 movups $inout7,($out)
3967 .Lcbc_dec_six_or_seven:
3971 movaps $inout5,$inout6
3972 call _aesni_decrypt6
3973 pxor $iv,$inout0 # ^= IV
3976 movdqu $inout0,($out)
3978 movdqu $inout1,0x10($out)
3979 pxor $inout1,$inout1 # clear register bank
3981 movdqu $inout2,0x20($out)
3982 pxor $inout2,$inout2
3984 movdqu $inout3,0x30($out)
3985 pxor $inout3,$inout3
3987 movdqu $inout4,0x40($out)
3988 pxor $inout4,$inout4
3990 movdqa $inout5,$inout0
3991 pxor $inout5,$inout5
3992 jmp .Lcbc_dec_tail_collected
3996 movups 0x60($inp),$inout6
3997 xorps $inout7,$inout7
3998 call _aesni_decrypt8
3999 movups 0x50($inp),$inout7
4000 pxor $iv,$inout0 # ^= IV
4001 movups 0x60($inp),$iv
4003 movdqu $inout0,($out)
4005 movdqu $inout1,0x10($out)
4006 pxor $inout1,$inout1 # clear register bank
4008 movdqu $inout2,0x20($out)
4009 pxor $inout2,$inout2
4011 movdqu $inout3,0x30($out)
4012 pxor $inout3,$inout3
4014 movdqu $inout4,0x40($out)
4015 pxor $inout4,$inout4
4016 pxor $inout7,$inout6
4017 movdqu $inout5,0x50($out)
4018 pxor $inout5,$inout5
4020 movdqa $inout6,$inout0
4021 pxor $inout6,$inout6
4022 pxor $inout7,$inout7
4023 jmp .Lcbc_dec_tail_collected
4027 movups $inout5,($out)
4029 movdqu 0x00($inp),$inout0 # load input
4030 movdqu 0x10($inp),$inout1
4032 movdqu 0x20($inp),$inout2
4034 movdqu 0x30($inp),$inout3
4036 movdqu 0x40($inp),$inout4
4038 movdqu 0x50($inp),$inout5
4040 .Lcbc_dec_loop6_enter:
4042 movdqa $inout5,$inout6
4044 call _aesni_decrypt6
4046 pxor $iv,$inout0 # ^= IV
4049 movdqu $inout0,($out)
4051 movdqu $inout1,0x10($out)
4053 movdqu $inout2,0x20($out)
4056 movdqu $inout3,0x30($out)
4059 movdqu $inout4,0x40($out)
4064 movdqa $inout5,$inout0
4066 jle .Lcbc_dec_clear_tail_collected
4067 movups $inout5,($out)
4071 movups ($inp),$inout0
4073 jbe .Lcbc_dec_one # $len is 1*16 or less
4075 movups 0x10($inp),$inout1
4078 jbe .Lcbc_dec_two # $len is 2*16 or less
4080 movups 0x20($inp),$inout2
4083 jbe .Lcbc_dec_three # $len is 3*16 or less
4085 movups 0x30($inp),$inout3
4088 jbe .Lcbc_dec_four # $len is 4*16 or less
4090 movups 0x40($inp),$inout4 # $len is 5*16 or less
4093 xorps $inout5,$inout5
4094 call _aesni_decrypt6
4098 movdqu $inout0,($out)
4100 movdqu $inout1,0x10($out)
4101 pxor $inout1,$inout1 # clear register bank
4103 movdqu $inout2,0x20($out)
4104 pxor $inout2,$inout2
4106 movdqu $inout3,0x30($out)
4107 pxor $inout3,$inout3
4109 movdqa $inout4,$inout0
4110 pxor $inout4,$inout4
4111 pxor $inout5,$inout5
4113 jmp .Lcbc_dec_tail_collected
4119 &aesni_generate1("dec",$key,$rounds);
4123 jmp .Lcbc_dec_tail_collected
4127 call _aesni_decrypt2
4131 movdqu $inout0,($out)
4132 movdqa $inout1,$inout0
4133 pxor $inout1,$inout1 # clear register bank
4135 jmp .Lcbc_dec_tail_collected
4139 call _aesni_decrypt3
4143 movdqu $inout0,($out)
4145 movdqu $inout1,0x10($out)
4146 pxor $inout1,$inout1 # clear register bank
4147 movdqa $inout2,$inout0
4148 pxor $inout2,$inout2
4150 jmp .Lcbc_dec_tail_collected
4154 call _aesni_decrypt4
4158 movdqu $inout0,($out)
4160 movdqu $inout1,0x10($out)
4161 pxor $inout1,$inout1 # clear register bank
4163 movdqu $inout2,0x20($out)
4164 pxor $inout2,$inout2
4165 movdqa $inout3,$inout0
4166 pxor $inout3,$inout3
4168 jmp .Lcbc_dec_tail_collected
4171 .Lcbc_dec_clear_tail_collected:
4172 pxor $inout1,$inout1 # clear register bank
4173 pxor $inout2,$inout2
4174 pxor $inout3,$inout3
4176 $code.=<<___ if (!$win64);
4177 pxor $inout4,$inout4 # %xmm6..9
4178 pxor $inout5,$inout5
4179 pxor $inout6,$inout6
4180 pxor $inout7,$inout7
4183 .Lcbc_dec_tail_collected:
4186 jnz .Lcbc_dec_tail_partial
4187 movups $inout0,($out)
4188 pxor $inout0,$inout0
4191 .Lcbc_dec_tail_partial:
4192 movaps $inout0,(%rsp)
4193 pxor $inout0,$inout0
4198 .long 0x9066A4F3 # rep movsb
4199 movdqa $inout0,(%rsp)
4202 xorps $rndkey0,$rndkey0 # %xmm0
4203 pxor $rndkey1,$rndkey1
4205 $code.=<<___ if ($win64);
4206 movaps 0x10(%rsp),%xmm6
4207 movaps %xmm0,0x10(%rsp) # clear stack
4208 movaps 0x20(%rsp),%xmm7
4209 movaps %xmm0,0x20(%rsp)
4210 movaps 0x30(%rsp),%xmm8
4211 movaps %xmm0,0x30(%rsp)
4212 movaps 0x40(%rsp),%xmm9
4213 movaps %xmm0,0x40(%rsp)
4214 movaps 0x50(%rsp),%xmm10
4215 movaps %xmm0,0x50(%rsp)
4216 movaps 0x60(%rsp),%xmm11
4217 movaps %xmm0,0x60(%rsp)
4218 movaps 0x70(%rsp),%xmm12
4219 movaps %xmm0,0x70(%rsp)
4220 movaps 0x80(%rsp),%xmm13
4221 movaps %xmm0,0x80(%rsp)
4222 movaps 0x90(%rsp),%xmm14
4223 movaps %xmm0,0x90(%rsp)
4224 movaps 0xa0(%rsp),%xmm15
4225 movaps %xmm0,0xa0(%rsp)
4231 .cfi_def_cfa_register %rsp
4235 .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
4238 # int ${PREFIX}_set_decrypt_key(const unsigned char *inp,
4239 # int bits, AES_KEY *key)
4241 # input: $inp user-supplied key
4242 # $bits $inp length in bits
4243 # $key pointer to key schedule
4244 # output: %eax 0 denoting success, -1 or -2 - failure (see C)
4245 # *$key key schedule
4247 { my ($inp,$bits,$key) = @_4args;
4251 .globl ${PREFIX}_set_decrypt_key
4252 .type ${PREFIX}_set_decrypt_key,\@abi-omnipotent
4254 ${PREFIX}_set_decrypt_key:
4256 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
4257 .cfi_adjust_cfa_offset 8
4258 call __aesni_set_encrypt_key
4259 shl \$4,$bits # rounds-1 after _aesni_set_encrypt_key
4262 lea 16($key,$bits),$inp # points at the end of key schedule
4264 $movkey ($key),%xmm0 # just swap
4265 $movkey ($inp),%xmm1
4266 $movkey %xmm0,($inp)
4267 $movkey %xmm1,($key)
4272 $movkey ($key),%xmm0 # swap and inverse
4273 $movkey ($inp),%xmm1
4278 $movkey %xmm0,16($inp)
4279 $movkey %xmm1,-16($key)
4281 ja .Ldec_key_inverse
4283 $movkey ($key),%xmm0 # inverse middle
4286 $movkey %xmm0,($inp)
4290 .cfi_adjust_cfa_offset -8
4293 .LSEH_end_set_decrypt_key:
4294 .size ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key
4297 # This is based on submission from Intel by
4302 # Aggressively optimized in respect to aeskeygenassist's critical path
4303 # and is contained in %xmm0-5 to meet Win64 ABI requirement.
4305 # int ${PREFIX}_set_encrypt_key(const unsigned char *inp,
4306 # int bits, AES_KEY * const key);
4308 # input: $inp user-supplied key
4309 # $bits $inp length in bits
4310 # $key pointer to key schedule
4311 # output: %eax 0 denoting success, -1 or -2 - failure (see C)
4312 # $bits rounds-1 (used in aesni_set_decrypt_key)
4313 # *$key key schedule
4314 # $key pointer to key schedule (used in
4315 # aesni_set_decrypt_key)
4317 # Subroutine is frame-less, which means that only volatile registers
4318 # are used. Note that it's declared "abi-omnipotent", which means that
4319 # amount of volatile registers is smaller on Windows.
4322 .globl ${PREFIX}_set_encrypt_key
4323 .type ${PREFIX}_set_encrypt_key,\@abi-omnipotent
4325 ${PREFIX}_set_encrypt_key:
4326 __aesni_set_encrypt_key:
4328 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
4329 .cfi_adjust_cfa_offset 8
4336 mov \$`1<<28|1<<11`,%r10d # AVX and XOP bits
4337 movups ($inp),%xmm0 # pull first 128 bits of *userKey
4338 xorps %xmm4,%xmm4 # low dword of xmm4 is assumed 0
4339 and OPENSSL_ia32cap_P+4(%rip),%r10d
4340 lea 16($key),%rax # %rax is used as modifiable copy of $key
4349 mov \$9,$bits # 10 rounds for 128-bit key
4350 cmp \$`1<<28`,%r10d # AVX, bit no XOP
4353 $movkey %xmm0,($key) # round 0
4354 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 1
4355 call .Lkey_expansion_128_cold
4356 aeskeygenassist \$0x2,%xmm0,%xmm1 # round 2
4357 call .Lkey_expansion_128
4358 aeskeygenassist \$0x4,%xmm0,%xmm1 # round 3
4359 call .Lkey_expansion_128
4360 aeskeygenassist \$0x8,%xmm0,%xmm1 # round 4
4361 call .Lkey_expansion_128
4362 aeskeygenassist \$0x10,%xmm0,%xmm1 # round 5
4363 call .Lkey_expansion_128
4364 aeskeygenassist \$0x20,%xmm0,%xmm1 # round 6
4365 call .Lkey_expansion_128
4366 aeskeygenassist \$0x40,%xmm0,%xmm1 # round 7
4367 call .Lkey_expansion_128
4368 aeskeygenassist \$0x80,%xmm0,%xmm1 # round 8
4369 call .Lkey_expansion_128
4370 aeskeygenassist \$0x1b,%xmm0,%xmm1 # round 9
4371 call .Lkey_expansion_128
4372 aeskeygenassist \$0x36,%xmm0,%xmm1 # round 10
4373 call .Lkey_expansion_128
4374 $movkey %xmm0,(%rax)
4375 mov $bits,80(%rax) # 240(%rdx)
4381 movdqa .Lkey_rotate(%rip),%xmm5
4383 movdqa .Lkey_rcon1(%rip),%xmm4
4391 aesenclast %xmm4,%xmm0
4404 movdqu %xmm0,-16(%rax)
4410 movdqa .Lkey_rcon1b(%rip),%xmm4
4413 aesenclast %xmm4,%xmm0
4429 aesenclast %xmm4,%xmm0
4440 movdqu %xmm0,16(%rax)
4442 mov $bits,96(%rax) # 240($key)
4448 movq 16($inp),%xmm2 # remaining 1/3 of *userKey
4449 mov \$11,$bits # 12 rounds for 192
4450 cmp \$`1<<28`,%r10d # AVX, but no XOP
4453 $movkey %xmm0,($key) # round 0
4454 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 1,2
4455 call .Lkey_expansion_192a_cold
4456 aeskeygenassist \$0x2,%xmm2,%xmm1 # round 2,3
4457 call .Lkey_expansion_192b
4458 aeskeygenassist \$0x4,%xmm2,%xmm1 # round 4,5
4459 call .Lkey_expansion_192a
4460 aeskeygenassist \$0x8,%xmm2,%xmm1 # round 5,6
4461 call .Lkey_expansion_192b
4462 aeskeygenassist \$0x10,%xmm2,%xmm1 # round 7,8
4463 call .Lkey_expansion_192a
4464 aeskeygenassist \$0x20,%xmm2,%xmm1 # round 8,9
4465 call .Lkey_expansion_192b
4466 aeskeygenassist \$0x40,%xmm2,%xmm1 # round 10,11
4467 call .Lkey_expansion_192a
4468 aeskeygenassist \$0x80,%xmm2,%xmm1 # round 11,12
4469 call .Lkey_expansion_192b
4470 $movkey %xmm0,(%rax)
4471 mov $bits,48(%rax) # 240(%rdx)
4477 movdqa .Lkey_rotate192(%rip),%xmm5
4478 movdqa .Lkey_rcon1(%rip),%xmm4
4488 aesenclast %xmm4,%xmm2
4500 pshufd \$0xff,%xmm0,%xmm3
4507 movdqu %xmm0,-16(%rax)
4512 mov $bits,32(%rax) # 240($key)
4518 movups 16($inp),%xmm2 # remaining half of *userKey
4519 mov \$13,$bits # 14 rounds for 256
4521 cmp \$`1<<28`,%r10d # AVX, but no XOP
4524 $movkey %xmm0,($key) # round 0
4525 $movkey %xmm2,16($key) # round 1
4526 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 2
4527 call .Lkey_expansion_256a_cold
4528 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 3
4529 call .Lkey_expansion_256b
4530 aeskeygenassist \$0x2,%xmm2,%xmm1 # round 4
4531 call .Lkey_expansion_256a
4532 aeskeygenassist \$0x2,%xmm0,%xmm1 # round 5
4533 call .Lkey_expansion_256b
4534 aeskeygenassist \$0x4,%xmm2,%xmm1 # round 6
4535 call .Lkey_expansion_256a
4536 aeskeygenassist \$0x4,%xmm0,%xmm1 # round 7
4537 call .Lkey_expansion_256b
4538 aeskeygenassist \$0x8,%xmm2,%xmm1 # round 8
4539 call .Lkey_expansion_256a
4540 aeskeygenassist \$0x8,%xmm0,%xmm1 # round 9
4541 call .Lkey_expansion_256b
4542 aeskeygenassist \$0x10,%xmm2,%xmm1 # round 10
4543 call .Lkey_expansion_256a
4544 aeskeygenassist \$0x10,%xmm0,%xmm1 # round 11
4545 call .Lkey_expansion_256b
4546 aeskeygenassist \$0x20,%xmm2,%xmm1 # round 12
4547 call .Lkey_expansion_256a
4548 aeskeygenassist \$0x20,%xmm0,%xmm1 # round 13
4549 call .Lkey_expansion_256b
4550 aeskeygenassist \$0x40,%xmm2,%xmm1 # round 14
4551 call .Lkey_expansion_256a
4552 $movkey %xmm0,(%rax)
4553 mov $bits,16(%rax) # 240(%rdx)
4559 movdqa .Lkey_rotate(%rip),%xmm5
4560 movdqa .Lkey_rcon1(%rip),%xmm4
4562 movdqu %xmm0,0($key)
4564 movdqu %xmm2,16($key)
4570 aesenclast %xmm4,%xmm2
4587 pshufd \$0xff,%xmm0,%xmm2
4589 aesenclast %xmm3,%xmm2
4600 movdqu %xmm2,16(%rax)
4607 mov $bits,16(%rax) # 240($key)
4622 .cfi_adjust_cfa_offset -8
4625 .LSEH_end_set_encrypt_key:
4628 .Lkey_expansion_128:
4629 $movkey %xmm0,(%rax)
4631 .Lkey_expansion_128_cold:
4632 shufps \$0b00010000,%xmm0,%xmm4
4634 shufps \$0b10001100,%xmm0,%xmm4
4636 shufps \$0b11111111,%xmm1,%xmm1 # critical path
4641 .Lkey_expansion_192a:
4642 $movkey %xmm0,(%rax)
4644 .Lkey_expansion_192a_cold:
4646 .Lkey_expansion_192b_warm:
4647 shufps \$0b00010000,%xmm0,%xmm4
4650 shufps \$0b10001100,%xmm0,%xmm4
4653 pshufd \$0b01010101,%xmm1,%xmm1 # critical path
4656 pshufd \$0b11111111,%xmm0,%xmm3
4661 .Lkey_expansion_192b:
4663 shufps \$0b01000100,%xmm0,%xmm5
4664 $movkey %xmm5,(%rax)
4665 shufps \$0b01001110,%xmm2,%xmm3
4666 $movkey %xmm3,16(%rax)
4668 jmp .Lkey_expansion_192b_warm
4671 .Lkey_expansion_256a:
4672 $movkey %xmm2,(%rax)
4674 .Lkey_expansion_256a_cold:
4675 shufps \$0b00010000,%xmm0,%xmm4
4677 shufps \$0b10001100,%xmm0,%xmm4
4679 shufps \$0b11111111,%xmm1,%xmm1 # critical path
4684 .Lkey_expansion_256b:
4685 $movkey %xmm0,(%rax)
4688 shufps \$0b00010000,%xmm2,%xmm4
4690 shufps \$0b10001100,%xmm2,%xmm4
4692 shufps \$0b10101010,%xmm1,%xmm1 # critical path
4695 .size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
4696 .size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key
4703 .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
4711 .byte 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1
4713 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d
4715 .long 0x04070605,0x04070605,0x04070605,0x04070605
4719 .long 0x1b,0x1b,0x1b,0x1b
4721 .asciz "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
4725 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
4726 # CONTEXT *context,DISPATCHER_CONTEXT *disp)
4734 .extern __imp_RtlVirtualUnwind
4736 $code.=<<___ if ($PREFIX eq "aesni");
4737 .type ecb_ccm64_se_handler,\@abi-omnipotent
4739 ecb_ccm64_se_handler:
4751 mov 120($context),%rax # pull context->Rax
4752 mov 248($context),%rbx # pull context->Rip
4754 mov 8($disp),%rsi # disp->ImageBase
4755 mov 56($disp),%r11 # disp->HandlerData
4757 mov 0(%r11),%r10d # HandlerData[0]
4758 lea (%rsi,%r10),%r10 # prologue label
4759 cmp %r10,%rbx # context->Rip<prologue label
4760 jb .Lcommon_seh_tail
4762 mov 152($context),%rax # pull context->Rsp
4764 mov 4(%r11),%r10d # HandlerData[1]
4765 lea (%rsi,%r10),%r10 # epilogue label
4766 cmp %r10,%rbx # context->Rip>=epilogue label
4767 jae .Lcommon_seh_tail
4769 lea 0(%rax),%rsi # %xmm save area
4770 lea 512($context),%rdi # &context.Xmm6
4771 mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax)
4772 .long 0xa548f3fc # cld; rep movsq
4773 lea 0x58(%rax),%rax # adjust stack pointer
4775 jmp .Lcommon_seh_tail
4776 .size ecb_ccm64_se_handler,.-ecb_ccm64_se_handler
4778 .type ctr_xts_se_handler,\@abi-omnipotent
4792 mov 120($context),%rax # pull context->Rax
4793 mov 248($context),%rbx # pull context->Rip
4795 mov 8($disp),%rsi # disp->ImageBase
4796 mov 56($disp),%r11 # disp->HandlerData
4798 mov 0(%r11),%r10d # HandlerData[0]
4799 lea (%rsi,%r10),%r10 # prologue lable
4800 cmp %r10,%rbx # context->Rip<prologue label
4801 jb .Lcommon_seh_tail
4803 mov 152($context),%rax # pull context->Rsp
4805 mov 4(%r11),%r10d # HandlerData[1]
4806 lea (%rsi,%r10),%r10 # epilogue label
4807 cmp %r10,%rbx # context->Rip>=epilogue label
4808 jae .Lcommon_seh_tail
4810 mov 208($context),%rax # pull context->R11
4812 lea -0xa8(%rax),%rsi # %xmm save area
4813 lea 512($context),%rdi # & context.Xmm6
4814 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax)
4815 .long 0xa548f3fc # cld; rep movsq
4817 mov -8(%rax),%rbp # restore saved %rbp
4818 mov %rbp,160($context) # restore context->Rbp
4819 jmp .Lcommon_seh_tail
4820 .size ctr_xts_se_handler,.-ctr_xts_se_handler
4822 .type ocb_se_handler,\@abi-omnipotent
4836 mov 120($context),%rax # pull context->Rax
4837 mov 248($context),%rbx # pull context->Rip
4839 mov 8($disp),%rsi # disp->ImageBase
4840 mov 56($disp),%r11 # disp->HandlerData
4842 mov 0(%r11),%r10d # HandlerData[0]
4843 lea (%rsi,%r10),%r10 # prologue lable
4844 cmp %r10,%rbx # context->Rip<prologue label
4845 jb .Lcommon_seh_tail
4847 mov 4(%r11),%r10d # HandlerData[1]
4848 lea (%rsi,%r10),%r10 # epilogue label
4849 cmp %r10,%rbx # context->Rip>=epilogue label
4850 jae .Lcommon_seh_tail
4852 mov 8(%r11),%r10d # HandlerData[2]
4853 lea (%rsi,%r10),%r10
4854 cmp %r10,%rbx # context->Rip>=pop label
4857 mov 152($context),%rax # pull context->Rsp
4859 lea (%rax),%rsi # %xmm save area
4860 lea 512($context),%rdi # & context.Xmm6
4861 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax)
4862 .long 0xa548f3fc # cld; rep movsq
4863 lea 0xa0+0x28(%rax),%rax
4872 mov %rbx,144($context) # restore context->Rbx
4873 mov %rbp,160($context) # restore context->Rbp
4874 mov %r12,216($context) # restore context->R12
4875 mov %r13,224($context) # restore context->R13
4876 mov %r14,232($context) # restore context->R14
4878 jmp .Lcommon_seh_tail
4879 .size ocb_se_handler,.-ocb_se_handler
4882 .type cbc_se_handler,\@abi-omnipotent
4896 mov 152($context),%rax # pull context->Rsp
4897 mov 248($context),%rbx # pull context->Rip
4899 lea .Lcbc_decrypt_bulk(%rip),%r10
4900 cmp %r10,%rbx # context->Rip<"prologue" label
4901 jb .Lcommon_seh_tail
4903 mov 120($context),%rax # pull context->Rax
4905 lea .Lcbc_decrypt_body(%rip),%r10
4906 cmp %r10,%rbx # context->Rip<cbc_decrypt_body
4907 jb .Lcommon_seh_tail
4909 mov 152($context),%rax # pull context->Rsp
4911 lea .Lcbc_ret(%rip),%r10
4912 cmp %r10,%rbx # context->Rip>="epilogue" label
4913 jae .Lcommon_seh_tail
4915 lea 16(%rax),%rsi # %xmm save area
4916 lea 512($context),%rdi # &context.Xmm6
4917 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax)
4918 .long 0xa548f3fc # cld; rep movsq
4920 mov 208($context),%rax # pull context->R11
4922 mov -8(%rax),%rbp # restore saved %rbp
4923 mov %rbp,160($context) # restore context->Rbp
4928 mov %rax,152($context) # restore context->Rsp
4929 mov %rsi,168($context) # restore context->Rsi
4930 mov %rdi,176($context) # restore context->Rdi
4932 mov 40($disp),%rdi # disp->ContextRecord
4933 mov $context,%rsi # context
4934 mov \$154,%ecx # sizeof(CONTEXT)
4935 .long 0xa548f3fc # cld; rep movsq
4938 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
4939 mov 8(%rsi),%rdx # arg2, disp->ImageBase
4940 mov 0(%rsi),%r8 # arg3, disp->ControlPc
4941 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
4942 mov 40(%rsi),%r10 # disp->ContextRecord
4943 lea 56(%rsi),%r11 # &disp->HandlerData
4944 lea 24(%rsi),%r12 # &disp->EstablisherFrame
4945 mov %r10,32(%rsp) # arg5
4946 mov %r11,40(%rsp) # arg6
4947 mov %r12,48(%rsp) # arg7
4948 mov %rcx,56(%rsp) # arg8, (NULL)
4949 call *__imp_RtlVirtualUnwind(%rip)
4951 mov \$1,%eax # ExceptionContinueSearch
4963 .size cbc_se_handler,.-cbc_se_handler
4968 $code.=<<___ if ($PREFIX eq "aesni");
4969 .rva .LSEH_begin_aesni_ecb_encrypt
4970 .rva .LSEH_end_aesni_ecb_encrypt
4973 .rva .LSEH_begin_aesni_ccm64_encrypt_blocks
4974 .rva .LSEH_end_aesni_ccm64_encrypt_blocks
4975 .rva .LSEH_info_ccm64_enc
4977 .rva .LSEH_begin_aesni_ccm64_decrypt_blocks
4978 .rva .LSEH_end_aesni_ccm64_decrypt_blocks
4979 .rva .LSEH_info_ccm64_dec
4981 .rva .LSEH_begin_aesni_ctr32_encrypt_blocks
4982 .rva .LSEH_end_aesni_ctr32_encrypt_blocks
4983 .rva .LSEH_info_ctr32
4985 .rva .LSEH_begin_aesni_xts_encrypt
4986 .rva .LSEH_end_aesni_xts_encrypt
4987 .rva .LSEH_info_xts_enc
4989 .rva .LSEH_begin_aesni_xts_decrypt
4990 .rva .LSEH_end_aesni_xts_decrypt
4991 .rva .LSEH_info_xts_dec
4993 .rva .LSEH_begin_aesni_ocb_encrypt
4994 .rva .LSEH_end_aesni_ocb_encrypt
4995 .rva .LSEH_info_ocb_enc
4997 .rva .LSEH_begin_aesni_ocb_decrypt
4998 .rva .LSEH_end_aesni_ocb_decrypt
4999 .rva .LSEH_info_ocb_dec
5002 .rva .LSEH_begin_${PREFIX}_cbc_encrypt
5003 .rva .LSEH_end_${PREFIX}_cbc_encrypt
5006 .rva ${PREFIX}_set_decrypt_key
5007 .rva .LSEH_end_set_decrypt_key
5010 .rva ${PREFIX}_set_encrypt_key
5011 .rva .LSEH_end_set_encrypt_key
5016 $code.=<<___ if ($PREFIX eq "aesni");
5019 .rva ecb_ccm64_se_handler
5020 .rva .Lecb_enc_body,.Lecb_enc_ret # HandlerData[]
5021 .LSEH_info_ccm64_enc:
5023 .rva ecb_ccm64_se_handler
5024 .rva .Lccm64_enc_body,.Lccm64_enc_ret # HandlerData[]
5025 .LSEH_info_ccm64_dec:
5027 .rva ecb_ccm64_se_handler
5028 .rva .Lccm64_dec_body,.Lccm64_dec_ret # HandlerData[]
5031 .rva ctr_xts_se_handler
5032 .rva .Lctr32_body,.Lctr32_epilogue # HandlerData[]
5035 .rva ctr_xts_se_handler
5036 .rva .Lxts_enc_body,.Lxts_enc_epilogue # HandlerData[]
5039 .rva ctr_xts_se_handler
5040 .rva .Lxts_dec_body,.Lxts_dec_epilogue # HandlerData[]
5044 .rva .Locb_enc_body,.Locb_enc_epilogue # HandlerData[]
5050 .rva .Locb_dec_body,.Locb_dec_epilogue # HandlerData[]
5059 .byte 0x01,0x04,0x01,0x00
5060 .byte 0x04,0x02,0x00,0x00 # sub rsp,8
5065 local *opcode=shift;
5069 $rex|=0x04 if($dst>=8);
5070 $rex|=0x01 if($src>=8);
5071 push @opcode,$rex|0x40 if($rex);
5078 if ($line=~/(aeskeygenassist)\s+\$([x0-9a-f]+),\s*%xmm([0-9]+),\s*%xmm([0-9]+)/) {
5079 rex(\@opcode,$4,$3);
5080 push @opcode,0x0f,0x3a,0xdf;
5081 push @opcode,0xc0|($3&7)|(($4&7)<<3); # ModR/M
5083 push @opcode,$c=~/^0/?oct($c):$c;
5084 return ".byte\t".join(',',@opcode);
5086 elsif ($line=~/(aes[a-z]+)\s+%xmm([0-9]+),\s*%xmm([0-9]+)/) {
5089 "aesenc" => 0xdc, "aesenclast" => 0xdd,
5090 "aesdec" => 0xde, "aesdeclast" => 0xdf
5092 return undef if (!defined($opcodelet{$1}));
5093 rex(\@opcode,$3,$2);
5094 push @opcode,0x0f,0x38,$opcodelet{$1};
5095 push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
5096 return ".byte\t".join(',',@opcode);
5098 elsif ($line=~/(aes[a-z]+)\s+([0x1-9a-fA-F]*)\(%rsp\),\s*%xmm([0-9]+)/) {
5100 "aesenc" => 0xdc, "aesenclast" => 0xdd,
5101 "aesdec" => 0xde, "aesdeclast" => 0xdf
5103 return undef if (!defined($opcodelet{$1}));
5105 push @opcode,0x44 if ($3>=8);
5106 push @opcode,0x0f,0x38,$opcodelet{$1};
5107 push @opcode,0x44|(($3&7)<<3),0x24; # ModR/M
5108 push @opcode,($off=~/^0/?oct($off):$off)&0xff;
5109 return ".byte\t".join(',',@opcode);
5115 ".byte 0x0f,0x38,0xf1,0x44,0x24,".shift;
5118 $code =~ s/\`([^\`]*)\`/eval($1)/gem;
5119 $code =~ s/\b(aes.*%xmm[0-9]+).*$/aesni($1)/gem;
5120 #$code =~ s/\bmovbe\s+%eax/bswap %eax; mov %eax/gm; # debugging artefact
5121 $code =~ s/\bmovbe\s+%eax,\s*([0-9]+)\(%rsp\)/movbe($1)/gem;
projects / openssl.git / blob