3 # ====================================================================
4 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
10 # This module implements support for Intel AES-NI extension. In
11 # OpenSSL context it's used with Intel engine, but can also be used as
12 # drop-in replacement for crypto/aes/asm/aes-x86_64.pl [see below for
17 # Given aes(enc|dec) instructions' latency asymptotic performance for
18 # non-parallelizable modes such as CBC encrypt is 3.75 cycles per byte
19 # processed with 128-bit key. And given their throughput asymptotic
20 # performance for parallelizable modes is 1.25 cycles per byte. Being
21 # asymptotic limit it's not something you commonly achieve in reality,
22 # but how close does one get? Below are results collected for
23 # different modes and block sized. Pairs of numbers are for en-/
26 # 16-byte 64-byte 256-byte 1-KB 8-KB
27 # ECB 4.25/4.25 1.38/1.38 1.28/1.28 1.26/1.26 1.26/1.26
28 # CTR 5.42/5.42 1.92/1.92 1.44/1.44 1.28/1.28 1.26/1.26
29 # CBC 4.38/4.43 4.15/1.43 4.07/1.32 4.07/1.29 4.06/1.28
30 # CCM 5.66/9.42 4.42/5.41 4.16/4.40 4.09/4.15 4.06/4.07
31 # OFB 5.42/5.42 4.64/4.64 4.44/4.44 4.39/4.39 4.38/4.38
32 # CFB 5.73/5.85 5.56/5.62 5.48/5.56 5.47/5.55 5.47/5.55
34 # ECB, CTR, CBC and CCM results are free from EVP overhead. This means
35 # that otherwise used 'openssl speed -evp aes-128-??? -engine aesni
36 # [-decrypt]' will exhibit 10-15% worse results for smaller blocks.
37 # The results were collected with specially crafted speed.c benchmark
38 # in order to compare them with results reported in "Intel Advanced
39 # Encryption Standard (AES) New Instruction Set" White Paper Revision
40 # 3.0 dated May 2010. All above results are consistently better. This
41 # module also provides better performance for block sizes smaller than
42 # 128 bytes in points *not* represented in the above table.
44 # Looking at the results for 8-KB buffer.
46 # CFB and OFB results are far from the limit, because implementation
47 # uses "generic" CRYPTO_[c|o]fb128_encrypt interfaces relying on
48 # single-block aesni_encrypt, which is not the most optimal way to go.
49 # CBC encrypt result is unexpectedly high and there is no documented
50 # explanation for it. Seemingly there is a small penalty for feeding
51 # the result back to AES unit the way it's done in CBC mode. There is
52 # nothing one can do and the result appears optimal. CCM result is
53 # identical to CBC, because CBC-MAC is essentially CBC encrypt without
54 # saving output. CCM CTR "stays invisible," because it's neatly
55 # interleaved wih CBC-MAC. This provides ~30% improvement over
56 # "straghtforward" CCM implementation with CTR and CBC-MAC performed
57 # disjointly. Parallelizable modes practically achieve the theoretical
60 # Looking at how results vary with buffer size.
62 # Curves are practically saturated at 1-KB buffer size. In most cases
63 # "256-byte" performance is >95%, and "64-byte" is ~90% of "8-KB" one.
64 # CTR curve doesn't follow this pattern and is "slowest" changing one
65 # with "256-byte" result being 87% of "8-KB." This is because overhead
66 # in CTR mode is most computationally intensive. Small-block CCM
67 # decrypt is slower than encrypt, because first CTR and last CBC-MAC
68 # iterations can't be interleaved.
70 # Results for 192- and 256-bit keys.
72 # EVP-free results were observed to scale perfectly with number of
73 # rounds for larger block sizes, i.e. 192-bit result being 10/12 times
74 # lower and 256-bit one - 10/14. Well, in CBC encrypt case differences
75 # are a tad smaller, because the above mentioned penalty biases all
76 # results by same constant value. In similar way function call
77 # overhead affects small-block performance, as well as OFB and CFB
78 # results. Differences are not large, most common coefficients are
79 # 10/11.7 and 10/13.4 (as opposite to 10/12.0 and 10/14.0), but one
80 # observe even 10/11.2 and 10/12.4 (CTR, OFB, CFB)...
84 # While Westmere processor features 6 cycles latency for aes[enc|dec]
85 # instructions, which can be scheduled every second cycle, Sandy
86 # Bridge spends 8 cycles per instruction, but it can schedule them
87 # every cycle. This means that code targeting Westmere would perform
88 # suboptimally on Sandy Bridge. Therefore this update.
90 # In addition, non-parallelizable CBC encrypt (as well as CCM) is
91 # optimized. Relative improvement might appear modest, 8% on Westmere,
92 # but in absolute terms it's 3.77 cycles per byte encrypted with
93 # 128-bit key on Westmere, and 5.07 - on Sandy Bridge. These numbers
94 # should be compared to asymptotic limits of 3.75 for Westmere and
95 # 5.00 for Sandy Bridge. Actually, the fact that they get this close
96 # to asymptotic limits is quite amazing. Indeed, the limit is
97 # calculated as latency times number of rounds, 10 for 128-bit key,
98 # and divided by 16, the number of bytes in block, or in other words
99 # it accounts *solely* for aesenc instructions. But there are extra
100 # instructions, and numbers so close to the asymptotic limits mean
101 # that it's as if it takes as little as *one* additional cycle to
102 # execute all of them. How is it possible? It is possible thanks to
103 # out-of-order execution logic, which manages to overlap post-
104 # processing of previous block, things like saving the output, with
105 # actual encryption of current block, as well as pre-processing of
106 # current block, things like fetching input and xor-ing it with
107 # 0-round element of the key schedule, with actual encryption of
108 # previous block. Keep this in mind...
110 # For parallelizable modes, such as ECB, CBC decrypt, CTR, higher
111 # performance is achieved by interleaving instructions working on
112 # independent blocks. In which case asymptotic limit for such modes
113 # can be obtained by dividing above mentioned numbers by AES
114 # instructions' interleave factor. Westmere can execute at most 3
115 # instructions at a time, meaning that optimal interleave factor is 3,
116 # and that's where the "magic" number of 1.25 come from. "Optimal
117 # interleave factor" means that increase of interleave factor does
118 # not improve performance. The formula has proven to reflect reality
119 # pretty well on Westmere... Sandy Bridge on the other hand can
120 # execute up to 8 AES instructions at a time, so how does varying
121 # interleave factor affect the performance? Here is table for ECB
122 # (numbers are cycles per byte processed with 128-bit key):
124 # instruction interleave factor 3x 6x 8x
125 # theoretical asymptotic limit 1.67 0.83 0.625
126 # measured performance for 8KB block 1.05 0.86 0.84
128 # "as if" interleave factor 4.7x 5.8x 6.0x
130 # Further data for other parallelizable modes:
132 # CBC decrypt 1.16 0.93 0.74
135 # Well, given 3x column it's probably inappropriate to call the limit
136 # asymptotic, if it can be surpassed, isn't it? What happens there?
137 # Rewind to CBC paragraph for the answer. Yes, out-of-order execution
138 # magic is responsible for this. Processor overlaps not only the
139 # additional instructions with AES ones, but even AES instuctions
140 # processing adjacent triplets of independent blocks. In the 6x case
141 # additional instructions still claim disproportionally small amount
142 # of additional cycles, but in 8x case number of instructions must be
143 # a tad too high for out-of-order logic to cope with, and AES unit
144 # remains underutilized... As you can see 8x interleave is hardly
145 # justifiable, so there no need to feel bad that 32-bit aesni-x86.pl
146 # utilizies 6x interleave because of limited register bank capacity.
148 # Higher interleave factors do have negative impact on Westmere
149 # performance. While for ECB mode it's negligible ~1.5%, other
150 # parallelizables perform ~5% worse, which is outweighed by ~25%
151 # improvement on Sandy Bridge. To balance regression on Westmere
152 # CTR mode was implemented with 6x aesenc interleave factor.
156 # Add aesni_xts_[en|de]crypt. Westmere spends 1.25 cycles processing
157 # one byte out of 8KB with 128-bit key, Sandy Bridge - 0.90. Just like
158 # in CTR mode AES instruction interleave factor was chosen to be 6x.
162 # Add aesni_ocb_[en|de]crypt. AES instruction interleave factor was
165 ######################################################################
166 # Current large-block performance in cycles per byte processed with
167 # 128-bit key (less is better).
169 # CBC en-/decrypt CTR XTS ECB OCB
170 # Westmere 3.77/1.25 1.25 1.25 1.26
171 # * Bridge 5.07/0.74 0.75 0.90 0.85 0.98
172 # Haswell 4.44/0.63 0.63 0.73 0.63 0.70
173 # Skylake 2.62/0.63 0.63 0.63 0.63
174 # Silvermont 5.75/3.54 3.56 4.12 3.87(*) 4.11
175 # Bulldozer 5.77/0.70 0.72 0.90 0.70 0.95
177 # (*) Atom Silvermont ECB result is suboptimal because of penalties
178 # incurred by operations on %xmm8-15. As ECB is not considered
179 # critical, nothing was done to mitigate the problem.
181 $PREFIX="aesni"; # if $PREFIX is set to "AES", the script
182 # generates drop-in replacement for
183 # crypto/aes/asm/aes-x86_64.pl:-)
187 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
189 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
191 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
192 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
193 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
194 die "can't locate x86_64-xlate.pl";
196 open OUT,"| \"$^X\" $xlate $flavour $output";
199 $movkey = $PREFIX eq "aesni" ? "movups" : "movups";
200 @_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
201 ("%rdi","%rsi","%rdx","%rcx"); # Unix order
204 $code.=".extern OPENSSL_ia32cap_P\n";
206 $rounds="%eax"; # input to and changed by aesni_[en|de]cryptN !!!
207 # this is natural Unix argument order for public $PREFIX_[ecb|cbc]_encrypt ...
211 $key="%rcx"; # input to and changed by aesni_[en|de]cryptN !!!
212 $ivp="%r8"; # cbc, ctr, ...
214 $rnds_="%r10d"; # backup copy for $rounds
215 $key_="%r11"; # backup copy for $key
217 # %xmm register layout
218 $rndkey0="%xmm0"; $rndkey1="%xmm1";
219 $inout0="%xmm2"; $inout1="%xmm3";
220 $inout2="%xmm4"; $inout3="%xmm5";
221 $inout4="%xmm6"; $inout5="%xmm7";
222 $inout6="%xmm8"; $inout7="%xmm9";
224 $in2="%xmm6"; $in1="%xmm7"; # used in CBC decrypt, CTR, ...
225 $in0="%xmm8"; $iv="%xmm9";
227 # Inline version of internal aesni_[en|de]crypt1.
229 # Why folded loop? Because aes[enc|dec] is slow enough to accommodate
230 # cycles which take care of loop variables...
232 sub aesni_generate1 {
233 my ($p,$key,$rounds,$inout,$ivec)=@_; $inout=$inout0 if (!defined($inout));
236 $movkey ($key),$rndkey0
237 $movkey 16($key),$rndkey1
239 $code.=<<___ if (defined($ivec));
244 $code.=<<___ if (!defined($ivec));
246 xorps $rndkey0,$inout
250 aes${p} $rndkey1,$inout
252 $movkey ($key),$rndkey1
254 jnz .Loop_${p}1_$sn # loop body is 16 bytes
255 aes${p}last $rndkey1,$inout
258 # void $PREFIX_[en|de]crypt (const void *inp,void *out,const AES_KEY *key);
260 { my ($inp,$out,$key) = @_4args;
263 .globl ${PREFIX}_encrypt
264 .type ${PREFIX}_encrypt,\@abi-omnipotent
267 movups ($inp),$inout0 # load input
268 mov 240($key),$rounds # key->rounds
270 &aesni_generate1("enc",$key,$rounds);
272 pxor $rndkey0,$rndkey0 # clear register bank
273 pxor $rndkey1,$rndkey1
274 movups $inout0,($out) # output
277 .size ${PREFIX}_encrypt,.-${PREFIX}_encrypt
279 .globl ${PREFIX}_decrypt
280 .type ${PREFIX}_decrypt,\@abi-omnipotent
283 movups ($inp),$inout0 # load input
284 mov 240($key),$rounds # key->rounds
286 &aesni_generate1("dec",$key,$rounds);
288 pxor $rndkey0,$rndkey0 # clear register bank
289 pxor $rndkey1,$rndkey1
290 movups $inout0,($out) # output
293 .size ${PREFIX}_decrypt, .-${PREFIX}_decrypt
297 # _aesni_[en|de]cryptN are private interfaces, N denotes interleave
298 # factor. Why 3x subroutine were originally used in loops? Even though
299 # aes[enc|dec] latency was originally 6, it could be scheduled only
300 # every *2nd* cycle. Thus 3x interleave was the one providing optimal
301 # utilization, i.e. when subroutine's throughput is virtually same as
302 # of non-interleaved subroutine [for number of input blocks up to 3].
303 # This is why it originally made no sense to implement 2x subroutine.
304 # But times change and it became appropriate to spend extra 192 bytes
305 # on 2x subroutine on Atom Silvermont account. For processors that
306 # can schedule aes[enc|dec] every cycle optimal interleave factor
307 # equals to corresponding instructions latency. 8x is optimal for
308 # * Bridge and "super-optimal" for other Intel CPUs...
310 sub aesni_generate2 {
312 # As already mentioned it takes in $key and $rounds, which are *not*
313 # preserved. $inout[0-1] is cipher/clear text...
315 .type _aesni_${dir}rypt2,\@abi-omnipotent
318 $movkey ($key),$rndkey0
320 $movkey 16($key),$rndkey1
321 xorps $rndkey0,$inout0
322 xorps $rndkey0,$inout1
323 $movkey 32($key),$rndkey0
324 lea 32($key,$rounds),$key
329 aes${dir} $rndkey1,$inout0
330 aes${dir} $rndkey1,$inout1
331 $movkey ($key,%rax),$rndkey1
333 aes${dir} $rndkey0,$inout0
334 aes${dir} $rndkey0,$inout1
335 $movkey -16($key,%rax),$rndkey0
338 aes${dir} $rndkey1,$inout0
339 aes${dir} $rndkey1,$inout1
340 aes${dir}last $rndkey0,$inout0
341 aes${dir}last $rndkey0,$inout1
343 .size _aesni_${dir}rypt2,.-_aesni_${dir}rypt2
346 sub aesni_generate3 {
348 # As already mentioned it takes in $key and $rounds, which are *not*
349 # preserved. $inout[0-2] is cipher/clear text...
351 .type _aesni_${dir}rypt3,\@abi-omnipotent
354 $movkey ($key),$rndkey0
356 $movkey 16($key),$rndkey1
357 xorps $rndkey0,$inout0
358 xorps $rndkey0,$inout1
359 xorps $rndkey0,$inout2
360 $movkey 32($key),$rndkey0
361 lea 32($key,$rounds),$key
366 aes${dir} $rndkey1,$inout0
367 aes${dir} $rndkey1,$inout1
368 aes${dir} $rndkey1,$inout2
369 $movkey ($key,%rax),$rndkey1
371 aes${dir} $rndkey0,$inout0
372 aes${dir} $rndkey0,$inout1
373 aes${dir} $rndkey0,$inout2
374 $movkey -16($key,%rax),$rndkey0
377 aes${dir} $rndkey1,$inout0
378 aes${dir} $rndkey1,$inout1
379 aes${dir} $rndkey1,$inout2
380 aes${dir}last $rndkey0,$inout0
381 aes${dir}last $rndkey0,$inout1
382 aes${dir}last $rndkey0,$inout2
384 .size _aesni_${dir}rypt3,.-_aesni_${dir}rypt3
387 # 4x interleave is implemented to improve small block performance,
388 # most notably [and naturally] 4 block by ~30%. One can argue that one
389 # should have implemented 5x as well, but improvement would be <20%,
390 # so it's not worth it...
391 sub aesni_generate4 {
393 # As already mentioned it takes in $key and $rounds, which are *not*
394 # preserved. $inout[0-3] is cipher/clear text...
396 .type _aesni_${dir}rypt4,\@abi-omnipotent
399 $movkey ($key),$rndkey0
401 $movkey 16($key),$rndkey1
402 xorps $rndkey0,$inout0
403 xorps $rndkey0,$inout1
404 xorps $rndkey0,$inout2
405 xorps $rndkey0,$inout3
406 $movkey 32($key),$rndkey0
407 lea 32($key,$rounds),$key
413 aes${dir} $rndkey1,$inout0
414 aes${dir} $rndkey1,$inout1
415 aes${dir} $rndkey1,$inout2
416 aes${dir} $rndkey1,$inout3
417 $movkey ($key,%rax),$rndkey1
419 aes${dir} $rndkey0,$inout0
420 aes${dir} $rndkey0,$inout1
421 aes${dir} $rndkey0,$inout2
422 aes${dir} $rndkey0,$inout3
423 $movkey -16($key,%rax),$rndkey0
426 aes${dir} $rndkey1,$inout0
427 aes${dir} $rndkey1,$inout1
428 aes${dir} $rndkey1,$inout2
429 aes${dir} $rndkey1,$inout3
430 aes${dir}last $rndkey0,$inout0
431 aes${dir}last $rndkey0,$inout1
432 aes${dir}last $rndkey0,$inout2
433 aes${dir}last $rndkey0,$inout3
435 .size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4
438 sub aesni_generate6 {
440 # As already mentioned it takes in $key and $rounds, which are *not*
441 # preserved. $inout[0-5] is cipher/clear text...
443 .type _aesni_${dir}rypt6,\@abi-omnipotent
446 $movkey ($key),$rndkey0
448 $movkey 16($key),$rndkey1
449 xorps $rndkey0,$inout0
450 pxor $rndkey0,$inout1
451 pxor $rndkey0,$inout2
452 aes${dir} $rndkey1,$inout0
453 lea 32($key,$rounds),$key
455 aes${dir} $rndkey1,$inout1
456 pxor $rndkey0,$inout3
457 pxor $rndkey0,$inout4
458 aes${dir} $rndkey1,$inout2
459 pxor $rndkey0,$inout5
460 $movkey ($key,%rax),$rndkey0
462 jmp .L${dir}_loop6_enter
465 aes${dir} $rndkey1,$inout0
466 aes${dir} $rndkey1,$inout1
467 aes${dir} $rndkey1,$inout2
468 .L${dir}_loop6_enter:
469 aes${dir} $rndkey1,$inout3
470 aes${dir} $rndkey1,$inout4
471 aes${dir} $rndkey1,$inout5
472 $movkey ($key,%rax),$rndkey1
474 aes${dir} $rndkey0,$inout0
475 aes${dir} $rndkey0,$inout1
476 aes${dir} $rndkey0,$inout2
477 aes${dir} $rndkey0,$inout3
478 aes${dir} $rndkey0,$inout4
479 aes${dir} $rndkey0,$inout5
480 $movkey -16($key,%rax),$rndkey0
483 aes${dir} $rndkey1,$inout0
484 aes${dir} $rndkey1,$inout1
485 aes${dir} $rndkey1,$inout2
486 aes${dir} $rndkey1,$inout3
487 aes${dir} $rndkey1,$inout4
488 aes${dir} $rndkey1,$inout5
489 aes${dir}last $rndkey0,$inout0
490 aes${dir}last $rndkey0,$inout1
491 aes${dir}last $rndkey0,$inout2
492 aes${dir}last $rndkey0,$inout3
493 aes${dir}last $rndkey0,$inout4
494 aes${dir}last $rndkey0,$inout5
496 .size _aesni_${dir}rypt6,.-_aesni_${dir}rypt6
499 sub aesni_generate8 {
501 # As already mentioned it takes in $key and $rounds, which are *not*
502 # preserved. $inout[0-7] is cipher/clear text...
504 .type _aesni_${dir}rypt8,\@abi-omnipotent
507 $movkey ($key),$rndkey0
509 $movkey 16($key),$rndkey1
510 xorps $rndkey0,$inout0
511 xorps $rndkey0,$inout1
512 pxor $rndkey0,$inout2
513 pxor $rndkey0,$inout3
514 pxor $rndkey0,$inout4
515 lea 32($key,$rounds),$key
517 aes${dir} $rndkey1,$inout0
518 pxor $rndkey0,$inout5
519 pxor $rndkey0,$inout6
520 aes${dir} $rndkey1,$inout1
521 pxor $rndkey0,$inout7
522 $movkey ($key,%rax),$rndkey0
524 jmp .L${dir}_loop8_inner
527 aes${dir} $rndkey1,$inout0
528 aes${dir} $rndkey1,$inout1
529 .L${dir}_loop8_inner:
530 aes${dir} $rndkey1,$inout2
531 aes${dir} $rndkey1,$inout3
532 aes${dir} $rndkey1,$inout4
533 aes${dir} $rndkey1,$inout5
534 aes${dir} $rndkey1,$inout6
535 aes${dir} $rndkey1,$inout7
536 .L${dir}_loop8_enter:
537 $movkey ($key,%rax),$rndkey1
539 aes${dir} $rndkey0,$inout0
540 aes${dir} $rndkey0,$inout1
541 aes${dir} $rndkey0,$inout2
542 aes${dir} $rndkey0,$inout3
543 aes${dir} $rndkey0,$inout4
544 aes${dir} $rndkey0,$inout5
545 aes${dir} $rndkey0,$inout6
546 aes${dir} $rndkey0,$inout7
547 $movkey -16($key,%rax),$rndkey0
550 aes${dir} $rndkey1,$inout0
551 aes${dir} $rndkey1,$inout1
552 aes${dir} $rndkey1,$inout2
553 aes${dir} $rndkey1,$inout3
554 aes${dir} $rndkey1,$inout4
555 aes${dir} $rndkey1,$inout5
556 aes${dir} $rndkey1,$inout6
557 aes${dir} $rndkey1,$inout7
558 aes${dir}last $rndkey0,$inout0
559 aes${dir}last $rndkey0,$inout1
560 aes${dir}last $rndkey0,$inout2
561 aes${dir}last $rndkey0,$inout3
562 aes${dir}last $rndkey0,$inout4
563 aes${dir}last $rndkey0,$inout5
564 aes${dir}last $rndkey0,$inout6
565 aes${dir}last $rndkey0,$inout7
567 .size _aesni_${dir}rypt8,.-_aesni_${dir}rypt8
570 &aesni_generate2("enc") if ($PREFIX eq "aesni");
571 &aesni_generate2("dec");
572 &aesni_generate3("enc") if ($PREFIX eq "aesni");
573 &aesni_generate3("dec");
574 &aesni_generate4("enc") if ($PREFIX eq "aesni");
575 &aesni_generate4("dec");
576 &aesni_generate6("enc") if ($PREFIX eq "aesni");
577 &aesni_generate6("dec");
578 &aesni_generate8("enc") if ($PREFIX eq "aesni");
579 &aesni_generate8("dec");
581 if ($PREFIX eq "aesni") {
582 ########################################################################
583 # void aesni_ecb_encrypt (const void *in, void *out,
584 # size_t length, const AES_KEY *key,
587 .globl aesni_ecb_encrypt
588 .type aesni_ecb_encrypt,\@function,5
592 $code.=<<___ if ($win64);
594 movaps %xmm6,(%rsp) # offload $inout4..7
595 movaps %xmm7,0x10(%rsp)
596 movaps %xmm8,0x20(%rsp)
597 movaps %xmm9,0x30(%rsp)
601 and \$-16,$len # if ($len<16)
602 jz .Lecb_ret # return
604 mov 240($key),$rounds # key->rounds
605 $movkey ($key),$rndkey0
606 mov $key,$key_ # backup $key
607 mov $rounds,$rnds_ # backup $rounds
608 test %r8d,%r8d # 5th argument
610 #--------------------------- ECB ENCRYPT ------------------------------#
611 cmp \$0x80,$len # if ($len<8*16)
612 jb .Lecb_enc_tail # short input
614 movdqu ($inp),$inout0 # load 8 input blocks
615 movdqu 0x10($inp),$inout1
616 movdqu 0x20($inp),$inout2
617 movdqu 0x30($inp),$inout3
618 movdqu 0x40($inp),$inout4
619 movdqu 0x50($inp),$inout5
620 movdqu 0x60($inp),$inout6
621 movdqu 0x70($inp),$inout7
622 lea 0x80($inp),$inp # $inp+=8*16
623 sub \$0x80,$len # $len-=8*16 (can be zero)
624 jmp .Lecb_enc_loop8_enter
627 movups $inout0,($out) # store 8 output blocks
628 mov $key_,$key # restore $key
629 movdqu ($inp),$inout0 # load 8 input blocks
630 mov $rnds_,$rounds # restore $rounds
631 movups $inout1,0x10($out)
632 movdqu 0x10($inp),$inout1
633 movups $inout2,0x20($out)
634 movdqu 0x20($inp),$inout2
635 movups $inout3,0x30($out)
636 movdqu 0x30($inp),$inout3
637 movups $inout4,0x40($out)
638 movdqu 0x40($inp),$inout4
639 movups $inout5,0x50($out)
640 movdqu 0x50($inp),$inout5
641 movups $inout6,0x60($out)
642 movdqu 0x60($inp),$inout6
643 movups $inout7,0x70($out)
644 lea 0x80($out),$out # $out+=8*16
645 movdqu 0x70($inp),$inout7
646 lea 0x80($inp),$inp # $inp+=8*16
647 .Lecb_enc_loop8_enter:
652 jnc .Lecb_enc_loop8 # loop if $len-=8*16 didn't borrow
654 movups $inout0,($out) # store 8 output blocks
655 mov $key_,$key # restore $key
656 movups $inout1,0x10($out)
657 mov $rnds_,$rounds # restore $rounds
658 movups $inout2,0x20($out)
659 movups $inout3,0x30($out)
660 movups $inout4,0x40($out)
661 movups $inout5,0x50($out)
662 movups $inout6,0x60($out)
663 movups $inout7,0x70($out)
664 lea 0x80($out),$out # $out+=8*16
665 add \$0x80,$len # restore real remaining $len
666 jz .Lecb_ret # done if ($len==0)
668 .Lecb_enc_tail: # $len is less than 8*16
669 movups ($inp),$inout0
672 movups 0x10($inp),$inout1
674 movups 0x20($inp),$inout2
677 movups 0x30($inp),$inout3
679 movups 0x40($inp),$inout4
682 movups 0x50($inp),$inout5
684 movdqu 0x60($inp),$inout6
685 xorps $inout7,$inout7
687 movups $inout0,($out) # store 7 output blocks
688 movups $inout1,0x10($out)
689 movups $inout2,0x20($out)
690 movups $inout3,0x30($out)
691 movups $inout4,0x40($out)
692 movups $inout5,0x50($out)
693 movups $inout6,0x60($out)
698 &aesni_generate1("enc",$key,$rounds);
700 movups $inout0,($out) # store one output block
705 movups $inout0,($out) # store 2 output blocks
706 movups $inout1,0x10($out)
711 movups $inout0,($out) # store 3 output blocks
712 movups $inout1,0x10($out)
713 movups $inout2,0x20($out)
718 movups $inout0,($out) # store 4 output blocks
719 movups $inout1,0x10($out)
720 movups $inout2,0x20($out)
721 movups $inout3,0x30($out)
725 xorps $inout5,$inout5
727 movups $inout0,($out) # store 5 output blocks
728 movups $inout1,0x10($out)
729 movups $inout2,0x20($out)
730 movups $inout3,0x30($out)
731 movups $inout4,0x40($out)
736 movups $inout0,($out) # store 6 output blocks
737 movups $inout1,0x10($out)
738 movups $inout2,0x20($out)
739 movups $inout3,0x30($out)
740 movups $inout4,0x40($out)
741 movups $inout5,0x50($out)
743 \f#--------------------------- ECB DECRYPT ------------------------------#
746 cmp \$0x80,$len # if ($len<8*16)
747 jb .Lecb_dec_tail # short input
749 movdqu ($inp),$inout0 # load 8 input blocks
750 movdqu 0x10($inp),$inout1
751 movdqu 0x20($inp),$inout2
752 movdqu 0x30($inp),$inout3
753 movdqu 0x40($inp),$inout4
754 movdqu 0x50($inp),$inout5
755 movdqu 0x60($inp),$inout6
756 movdqu 0x70($inp),$inout7
757 lea 0x80($inp),$inp # $inp+=8*16
758 sub \$0x80,$len # $len-=8*16 (can be zero)
759 jmp .Lecb_dec_loop8_enter
762 movups $inout0,($out) # store 8 output blocks
763 mov $key_,$key # restore $key
764 movdqu ($inp),$inout0 # load 8 input blocks
765 mov $rnds_,$rounds # restore $rounds
766 movups $inout1,0x10($out)
767 movdqu 0x10($inp),$inout1
768 movups $inout2,0x20($out)
769 movdqu 0x20($inp),$inout2
770 movups $inout3,0x30($out)
771 movdqu 0x30($inp),$inout3
772 movups $inout4,0x40($out)
773 movdqu 0x40($inp),$inout4
774 movups $inout5,0x50($out)
775 movdqu 0x50($inp),$inout5
776 movups $inout6,0x60($out)
777 movdqu 0x60($inp),$inout6
778 movups $inout7,0x70($out)
779 lea 0x80($out),$out # $out+=8*16
780 movdqu 0x70($inp),$inout7
781 lea 0x80($inp),$inp # $inp+=8*16
782 .Lecb_dec_loop8_enter:
786 $movkey ($key_),$rndkey0
788 jnc .Lecb_dec_loop8 # loop if $len-=8*16 didn't borrow
790 movups $inout0,($out) # store 8 output blocks
791 pxor $inout0,$inout0 # clear register bank
792 mov $key_,$key # restore $key
793 movups $inout1,0x10($out)
795 mov $rnds_,$rounds # restore $rounds
796 movups $inout2,0x20($out)
798 movups $inout3,0x30($out)
800 movups $inout4,0x40($out)
802 movups $inout5,0x50($out)
804 movups $inout6,0x60($out)
806 movups $inout7,0x70($out)
808 lea 0x80($out),$out # $out+=8*16
809 add \$0x80,$len # restore real remaining $len
810 jz .Lecb_ret # done if ($len==0)
813 movups ($inp),$inout0
816 movups 0x10($inp),$inout1
818 movups 0x20($inp),$inout2
821 movups 0x30($inp),$inout3
823 movups 0x40($inp),$inout4
826 movups 0x50($inp),$inout5
828 movups 0x60($inp),$inout6
829 $movkey ($key),$rndkey0
830 xorps $inout7,$inout7
832 movups $inout0,($out) # store 7 output blocks
833 pxor $inout0,$inout0 # clear register bank
834 movups $inout1,0x10($out)
836 movups $inout2,0x20($out)
838 movups $inout3,0x30($out)
840 movups $inout4,0x40($out)
842 movups $inout5,0x50($out)
844 movups $inout6,0x60($out)
851 &aesni_generate1("dec",$key,$rounds);
853 movups $inout0,($out) # store one output block
854 pxor $inout0,$inout0 # clear register bank
859 movups $inout0,($out) # store 2 output blocks
860 pxor $inout0,$inout0 # clear register bank
861 movups $inout1,0x10($out)
867 movups $inout0,($out) # store 3 output blocks
868 pxor $inout0,$inout0 # clear register bank
869 movups $inout1,0x10($out)
871 movups $inout2,0x20($out)
877 movups $inout0,($out) # store 4 output blocks
878 pxor $inout0,$inout0 # clear register bank
879 movups $inout1,0x10($out)
881 movups $inout2,0x20($out)
883 movups $inout3,0x30($out)
888 xorps $inout5,$inout5
890 movups $inout0,($out) # store 5 output blocks
891 pxor $inout0,$inout0 # clear register bank
892 movups $inout1,0x10($out)
894 movups $inout2,0x20($out)
896 movups $inout3,0x30($out)
898 movups $inout4,0x40($out)
905 movups $inout0,($out) # store 6 output blocks
906 pxor $inout0,$inout0 # clear register bank
907 movups $inout1,0x10($out)
909 movups $inout2,0x20($out)
911 movups $inout3,0x30($out)
913 movups $inout4,0x40($out)
915 movups $inout5,0x50($out)
919 xorps $rndkey0,$rndkey0 # %xmm0
920 pxor $rndkey1,$rndkey1
922 $code.=<<___ if ($win64);
924 movaps %xmm0,(%rsp) # clear stack
925 movaps 0x10(%rsp),%xmm7
926 movaps %xmm0,0x10(%rsp)
927 movaps 0x20(%rsp),%xmm8
928 movaps %xmm0,0x20(%rsp)
929 movaps 0x30(%rsp),%xmm9
930 movaps %xmm0,0x30(%rsp)
936 .size aesni_ecb_encrypt,.-aesni_ecb_encrypt
940 ######################################################################
941 # void aesni_ccm64_[en|de]crypt_blocks (const void *in, void *out,
942 # size_t blocks, const AES_KEY *key,
943 # const char *ivec,char *cmac);
945 # Handles only complete blocks, operates on 64-bit counter and
946 # does not update *ivec! Nor does it finalize CMAC value
947 # (see engine/eng_aesni.c for details)
950 my $cmac="%r9"; # 6th argument
952 my $increment="%xmm9";
954 my $bswap_mask="%xmm7";
957 .globl aesni_ccm64_encrypt_blocks
958 .type aesni_ccm64_encrypt_blocks,\@function,6
960 aesni_ccm64_encrypt_blocks:
962 $code.=<<___ if ($win64);
964 movaps %xmm6,(%rsp) # $iv
965 movaps %xmm7,0x10(%rsp) # $bswap_mask
966 movaps %xmm8,0x20(%rsp) # $in0
967 movaps %xmm9,0x30(%rsp) # $increment
971 mov 240($key),$rounds # key->rounds
973 movdqa .Lincrement64(%rip),$increment
974 movdqa .Lbswap_mask(%rip),$bswap_mask
979 movdqu ($cmac),$inout1
981 lea 32($key,$rounds),$key # end of key schedule
982 pshufb $bswap_mask,$iv
983 sub %rax,%r10 # twisted $rounds
984 jmp .Lccm64_enc_outer
987 $movkey ($key_),$rndkey0
989 movups ($inp),$in0 # load inp
991 xorps $rndkey0,$inout0 # counter
992 $movkey 16($key_),$rndkey1
994 xorps $rndkey0,$inout1 # cmac^=inp
995 $movkey 32($key_),$rndkey0
998 aesenc $rndkey1,$inout0
999 aesenc $rndkey1,$inout1
1000 $movkey ($key,%rax),$rndkey1
1002 aesenc $rndkey0,$inout0
1003 aesenc $rndkey0,$inout1
1004 $movkey -16($key,%rax),$rndkey0
1005 jnz .Lccm64_enc2_loop
1006 aesenc $rndkey1,$inout0
1007 aesenc $rndkey1,$inout1
1008 paddq $increment,$iv
1009 dec $len # $len-- ($len is in blocks)
1010 aesenclast $rndkey0,$inout0
1011 aesenclast $rndkey0,$inout1
1014 xorps $inout0,$in0 # inp ^= E(iv)
1016 movups $in0,($out) # save output
1017 pshufb $bswap_mask,$inout0
1018 lea 16($out),$out # $out+=16
1019 jnz .Lccm64_enc_outer # loop if ($len!=0)
1021 pxor $rndkey0,$rndkey0 # clear register bank
1022 pxor $rndkey1,$rndkey1
1023 pxor $inout0,$inout0
1024 movups $inout1,($cmac) # store resulting mac
1025 pxor $inout1,$inout1
1029 $code.=<<___ if ($win64);
1031 movaps %xmm0,(%rsp) # clear stack
1032 movaps 0x10(%rsp),%xmm7
1033 movaps %xmm0,0x10(%rsp)
1034 movaps 0x20(%rsp),%xmm8
1035 movaps %xmm0,0x20(%rsp)
1036 movaps 0x30(%rsp),%xmm9
1037 movaps %xmm0,0x30(%rsp)
1043 .size aesni_ccm64_encrypt_blocks,.-aesni_ccm64_encrypt_blocks
1045 ######################################################################
1047 .globl aesni_ccm64_decrypt_blocks
1048 .type aesni_ccm64_decrypt_blocks,\@function,6
1050 aesni_ccm64_decrypt_blocks:
1052 $code.=<<___ if ($win64);
1053 lea -0x58(%rsp),%rsp
1054 movaps %xmm6,(%rsp) # $iv
1055 movaps %xmm7,0x10(%rsp) # $bswap_mask
1056 movaps %xmm8,0x20(%rsp) # $in8
1057 movaps %xmm9,0x30(%rsp) # $increment
1061 mov 240($key),$rounds # key->rounds
1063 movdqu ($cmac),$inout1
1064 movdqa .Lincrement64(%rip),$increment
1065 movdqa .Lbswap_mask(%rip),$bswap_mask
1070 pshufb $bswap_mask,$iv
1072 &aesni_generate1("enc",$key,$rounds);
1076 movups ($inp),$in0 # load inp
1077 paddq $increment,$iv
1078 lea 16($inp),$inp # $inp+=16
1079 sub %r10,%rax # twisted $rounds
1080 lea 32($key_,$rnds_),$key # end of key schedule
1082 jmp .Lccm64_dec_outer
1085 xorps $inout0,$in0 # inp ^= E(iv)
1087 movups $in0,($out) # save output
1088 lea 16($out),$out # $out+=16
1089 pshufb $bswap_mask,$inout0
1091 sub \$1,$len # $len-- ($len is in blocks)
1092 jz .Lccm64_dec_break # if ($len==0) break
1094 $movkey ($key_),$rndkey0
1096 $movkey 16($key_),$rndkey1
1098 xorps $rndkey0,$inout0
1099 xorps $in0,$inout1 # cmac^=out
1100 $movkey 32($key_),$rndkey0
1101 jmp .Lccm64_dec2_loop
1104 aesenc $rndkey1,$inout0
1105 aesenc $rndkey1,$inout1
1106 $movkey ($key,%rax),$rndkey1
1108 aesenc $rndkey0,$inout0
1109 aesenc $rndkey0,$inout1
1110 $movkey -16($key,%rax),$rndkey0
1111 jnz .Lccm64_dec2_loop
1112 movups ($inp),$in0 # load input
1113 paddq $increment,$iv
1114 aesenc $rndkey1,$inout0
1115 aesenc $rndkey1,$inout1
1116 aesenclast $rndkey0,$inout0
1117 aesenclast $rndkey0,$inout1
1118 lea 16($inp),$inp # $inp+=16
1119 jmp .Lccm64_dec_outer
1123 #xorps $in0,$inout1 # cmac^=out
1124 mov 240($key_),$rounds
1126 &aesni_generate1("enc",$key_,$rounds,$inout1,$in0);
1128 pxor $rndkey0,$rndkey0 # clear register bank
1129 pxor $rndkey1,$rndkey1
1130 pxor $inout0,$inout0
1131 movups $inout1,($cmac) # store resulting mac
1132 pxor $inout1,$inout1
1136 $code.=<<___ if ($win64);
1138 movaps %xmm0,(%rsp) # clear stack
1139 movaps 0x10(%rsp),%xmm7
1140 movaps %xmm0,0x10(%rsp)
1141 movaps 0x20(%rsp),%xmm8
1142 movaps %xmm0,0x20(%rsp)
1143 movaps 0x30(%rsp),%xmm9
1144 movaps %xmm0,0x30(%rsp)
1150 .size aesni_ccm64_decrypt_blocks,.-aesni_ccm64_decrypt_blocks
1153 ######################################################################
1154 # void aesni_ctr32_encrypt_blocks (const void *in, void *out,
1155 # size_t blocks, const AES_KEY *key,
1156 # const char *ivec);
1158 # Handles only complete blocks, operates on 32-bit counter and
1159 # does not update *ivec! (see crypto/modes/ctr128.c for details)
1161 # Overhaul based on suggestions from Shay Gueron and Vlad Krasnov,
1162 # http://rt.openssl.org/Ticket/Display.html?id=3021&user=guest&pass=guest.
1163 # Keywords are full unroll and modulo-schedule counter calculations
1164 # with zero-round key xor.
1166 my ($in0,$in1,$in2,$in3,$in4,$in5)=map("%xmm$_",(10..15));
1167 my ($key0,$ctr)=("${key_}d","${ivp}d");
1168 my $frame_size = 0x80 + ($win64?160:0);
1171 .globl aesni_ctr32_encrypt_blocks
1172 .type aesni_ctr32_encrypt_blocks,\@function,5
1174 aesni_ctr32_encrypt_blocks:
1178 # handle single block without allocating stack frame,
1179 # useful when handling edges
1180 movups ($ivp),$inout0
1181 movups ($inp),$inout1
1182 mov 240($key),%edx # key->rounds
1184 &aesni_generate1("enc",$key,"%edx");
1186 pxor $rndkey0,$rndkey0 # clear register bank
1187 pxor $rndkey1,$rndkey1
1188 xorps $inout1,$inout0
1189 pxor $inout1,$inout1
1190 movups $inout0,($out)
1191 xorps $inout0,$inout0
1192 jmp .Lctr32_epilogue
1198 sub \$$frame_size,%rsp
1199 and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
1201 $code.=<<___ if ($win64);
1202 movaps %xmm6,-0xa8(%rax) # offload everything
1203 movaps %xmm7,-0x98(%rax)
1204 movaps %xmm8,-0x88(%rax)
1205 movaps %xmm9,-0x78(%rax)
1206 movaps %xmm10,-0x68(%rax)
1207 movaps %xmm11,-0x58(%rax)
1208 movaps %xmm12,-0x48(%rax)
1209 movaps %xmm13,-0x38(%rax)
1210 movaps %xmm14,-0x28(%rax)
1211 movaps %xmm15,-0x18(%rax)
1217 # 8 16-byte words on top of stack are counter values
1218 # xor-ed with zero-round key
1220 movdqu ($ivp),$inout0
1221 movdqu ($key),$rndkey0
1222 mov 12($ivp),$ctr # counter LSB
1223 pxor $rndkey0,$inout0
1224 mov 12($key),$key0 # 0-round key LSB
1225 movdqa $inout0,0x00(%rsp) # populate counter block
1227 movdqa $inout0,$inout1
1228 movdqa $inout0,$inout2
1229 movdqa $inout0,$inout3
1230 movdqa $inout0,0x40(%rsp)
1231 movdqa $inout0,0x50(%rsp)
1232 movdqa $inout0,0x60(%rsp)
1233 mov %rdx,%r10 # about to borrow %rdx
1234 movdqa $inout0,0x70(%rsp)
1242 pinsrd \$3,%eax,$inout1
1244 movdqa $inout1,0x10(%rsp)
1245 pinsrd \$3,%edx,$inout2
1247 mov %r10,%rdx # restore %rdx
1249 movdqa $inout2,0x20(%rsp)
1252 pinsrd \$3,%eax,$inout3
1254 movdqa $inout3,0x30(%rsp)
1256 mov %r10d,0x40+12(%rsp)
1259 mov 240($key),$rounds # key->rounds
1262 mov %r9d,0x50+12(%rsp)
1265 mov %r10d,0x60+12(%rsp)
1267 mov OPENSSL_ia32cap_P+4(%rip),%r10d
1269 and \$`1<<26|1<<22`,%r10d # isolate XSAVE+MOVBE
1270 mov %r9d,0x70+12(%rsp)
1272 $movkey 0x10($key),$rndkey1
1274 movdqa 0x40(%rsp),$inout4
1275 movdqa 0x50(%rsp),$inout5
1277 cmp \$8,$len # $len is in blocks
1278 jb .Lctr32_tail # short input if ($len<8)
1280 sub \$6,$len # $len is biased by -6
1281 cmp \$`1<<22`,%r10d # check for MOVBE without XSAVE
1282 je .Lctr32_6x # [which denotes Atom Silvermont]
1284 lea 0x80($key),$key # size optimization
1285 sub \$2,$len # $len is biased by -8
1293 lea 32($key,$rounds),$key # end of key schedule
1294 sub %rax,%r10 # twisted $rounds
1299 add \$6,$ctr # next counter value
1300 $movkey -48($key,$rnds_),$rndkey0
1301 aesenc $rndkey1,$inout0
1304 aesenc $rndkey1,$inout1
1305 movbe %eax,`0x00+12`(%rsp) # store next counter value
1307 aesenc $rndkey1,$inout2
1309 movbe %eax,`0x10+12`(%rsp)
1310 aesenc $rndkey1,$inout3
1313 aesenc $rndkey1,$inout4
1314 movbe %eax,`0x20+12`(%rsp)
1316 aesenc $rndkey1,$inout5
1317 $movkey -32($key,$rnds_),$rndkey1
1320 aesenc $rndkey0,$inout0
1321 movbe %eax,`0x30+12`(%rsp)
1323 aesenc $rndkey0,$inout1
1325 movbe %eax,`0x40+12`(%rsp)
1326 aesenc $rndkey0,$inout2
1329 aesenc $rndkey0,$inout3
1330 movbe %eax,`0x50+12`(%rsp)
1331 mov %r10,%rax # mov $rnds_,$rounds
1332 aesenc $rndkey0,$inout4
1333 aesenc $rndkey0,$inout5
1334 $movkey -16($key,$rnds_),$rndkey0
1338 movdqu ($inp),$inout6 # load 6 input blocks
1339 movdqu 0x10($inp),$inout7
1340 movdqu 0x20($inp),$in0
1341 movdqu 0x30($inp),$in1
1342 movdqu 0x40($inp),$in2
1343 movdqu 0x50($inp),$in3
1344 lea 0x60($inp),$inp # $inp+=6*16
1345 $movkey -64($key,$rnds_),$rndkey1
1346 pxor $inout0,$inout6 # inp^=E(ctr)
1347 movaps 0x00(%rsp),$inout0 # load next counter [xor-ed with 0 round]
1348 pxor $inout1,$inout7
1349 movaps 0x10(%rsp),$inout1
1351 movaps 0x20(%rsp),$inout2
1353 movaps 0x30(%rsp),$inout3
1355 movaps 0x40(%rsp),$inout4
1357 movaps 0x50(%rsp),$inout5
1358 movdqu $inout6,($out) # store 6 output blocks
1359 movdqu $inout7,0x10($out)
1360 movdqu $in0,0x20($out)
1361 movdqu $in1,0x30($out)
1362 movdqu $in2,0x40($out)
1363 movdqu $in3,0x50($out)
1364 lea 0x60($out),$out # $out+=6*16
1367 jnc .Lctr32_loop6 # loop if $len-=6 didn't borrow
1369 add \$6,$len # restore real remaining $len
1370 jz .Lctr32_done # done if ($len==0)
1372 lea -48($rnds_),$rounds
1373 lea -80($key,$rnds_),$key # restore $key
1375 shr \$4,$rounds # restore $rounds
1380 add \$8,$ctr # next counter value
1381 movdqa 0x60(%rsp),$inout6
1382 aesenc $rndkey1,$inout0
1384 movdqa 0x70(%rsp),$inout7
1385 aesenc $rndkey1,$inout1
1387 $movkey 0x20-0x80($key),$rndkey0
1388 aesenc $rndkey1,$inout2
1391 aesenc $rndkey1,$inout3
1392 mov %r9d,0x00+12(%rsp) # store next counter value
1394 aesenc $rndkey1,$inout4
1395 aesenc $rndkey1,$inout5
1396 aesenc $rndkey1,$inout6
1397 aesenc $rndkey1,$inout7
1398 $movkey 0x30-0x80($key),$rndkey1
1400 for($i=2;$i<8;$i++) {
1401 my $rndkeyx = ($i&1)?$rndkey1:$rndkey0;
1404 aesenc $rndkeyx,$inout0
1405 aesenc $rndkeyx,$inout1
1408 aesenc $rndkeyx,$inout2
1409 aesenc $rndkeyx,$inout3
1410 mov %r9d,`0x10*($i-1)`+12(%rsp)
1412 aesenc $rndkeyx,$inout4
1413 aesenc $rndkeyx,$inout5
1414 aesenc $rndkeyx,$inout6
1415 aesenc $rndkeyx,$inout7
1416 $movkey `0x20+0x10*$i`-0x80($key),$rndkeyx
1421 aesenc $rndkey0,$inout0
1422 aesenc $rndkey0,$inout1
1423 aesenc $rndkey0,$inout2
1425 movdqu 0x00($inp),$in0 # start loading input
1426 aesenc $rndkey0,$inout3
1427 mov %r9d,0x70+12(%rsp)
1429 aesenc $rndkey0,$inout4
1430 aesenc $rndkey0,$inout5
1431 aesenc $rndkey0,$inout6
1432 aesenc $rndkey0,$inout7
1433 $movkey 0xa0-0x80($key),$rndkey0
1437 aesenc $rndkey1,$inout0
1438 aesenc $rndkey1,$inout1
1439 aesenc $rndkey1,$inout2
1440 aesenc $rndkey1,$inout3
1441 aesenc $rndkey1,$inout4
1442 aesenc $rndkey1,$inout5
1443 aesenc $rndkey1,$inout6
1444 aesenc $rndkey1,$inout7
1445 $movkey 0xb0-0x80($key),$rndkey1
1447 aesenc $rndkey0,$inout0
1448 aesenc $rndkey0,$inout1
1449 aesenc $rndkey0,$inout2
1450 aesenc $rndkey0,$inout3
1451 aesenc $rndkey0,$inout4
1452 aesenc $rndkey0,$inout5
1453 aesenc $rndkey0,$inout6
1454 aesenc $rndkey0,$inout7
1455 $movkey 0xc0-0x80($key),$rndkey0
1458 aesenc $rndkey1,$inout0
1459 aesenc $rndkey1,$inout1
1460 aesenc $rndkey1,$inout2
1461 aesenc $rndkey1,$inout3
1462 aesenc $rndkey1,$inout4
1463 aesenc $rndkey1,$inout5
1464 aesenc $rndkey1,$inout6
1465 aesenc $rndkey1,$inout7
1466 $movkey 0xd0-0x80($key),$rndkey1
1468 aesenc $rndkey0,$inout0
1469 aesenc $rndkey0,$inout1
1470 aesenc $rndkey0,$inout2
1471 aesenc $rndkey0,$inout3
1472 aesenc $rndkey0,$inout4
1473 aesenc $rndkey0,$inout5
1474 aesenc $rndkey0,$inout6
1475 aesenc $rndkey0,$inout7
1476 $movkey 0xe0-0x80($key),$rndkey0
1477 jmp .Lctr32_enc_done
1481 movdqu 0x10($inp),$in1
1482 pxor $rndkey0,$in0 # input^=round[last]
1483 movdqu 0x20($inp),$in2
1485 movdqu 0x30($inp),$in3
1487 movdqu 0x40($inp),$in4
1489 movdqu 0x50($inp),$in5
1492 aesenc $rndkey1,$inout0
1493 aesenc $rndkey1,$inout1
1494 aesenc $rndkey1,$inout2
1495 aesenc $rndkey1,$inout3
1496 aesenc $rndkey1,$inout4
1497 aesenc $rndkey1,$inout5
1498 aesenc $rndkey1,$inout6
1499 aesenc $rndkey1,$inout7
1500 movdqu 0x60($inp),$rndkey1 # borrow $rndkey1 for inp[6]
1501 lea 0x80($inp),$inp # $inp+=8*16
1503 aesenclast $in0,$inout0 # $inN is inp[N]^round[last]
1504 pxor $rndkey0,$rndkey1 # borrowed $rndkey
1505 movdqu 0x70-0x80($inp),$in0
1506 aesenclast $in1,$inout1
1508 movdqa 0x00(%rsp),$in1 # load next counter block
1509 aesenclast $in2,$inout2
1510 aesenclast $in3,$inout3
1511 movdqa 0x10(%rsp),$in2
1512 movdqa 0x20(%rsp),$in3
1513 aesenclast $in4,$inout4
1514 aesenclast $in5,$inout5
1515 movdqa 0x30(%rsp),$in4
1516 movdqa 0x40(%rsp),$in5
1517 aesenclast $rndkey1,$inout6
1518 movdqa 0x50(%rsp),$rndkey0
1519 $movkey 0x10-0x80($key),$rndkey1#real 1st-round key
1520 aesenclast $in0,$inout7
1522 movups $inout0,($out) # store 8 output blocks
1524 movups $inout1,0x10($out)
1526 movups $inout2,0x20($out)
1528 movups $inout3,0x30($out)
1530 movups $inout4,0x40($out)
1532 movups $inout5,0x50($out)
1533 movdqa $rndkey0,$inout5
1534 movups $inout6,0x60($out)
1535 movups $inout7,0x70($out)
1536 lea 0x80($out),$out # $out+=8*16
1539 jnc .Lctr32_loop8 # loop if $len-=8 didn't borrow
1541 add \$8,$len # restore real remainig $len
1542 jz .Lctr32_done # done if ($len==0)
1543 lea -0x80($key),$key
1546 # note that at this point $inout0..5 are populated with
1547 # counter values xor-ed with 0-round key
1553 # if ($len>4) compute 7 E(counter)
1555 movdqa 0x60(%rsp),$inout6
1556 pxor $inout7,$inout7
1558 $movkey 16($key),$rndkey0
1559 aesenc $rndkey1,$inout0
1560 aesenc $rndkey1,$inout1
1561 lea 32-16($key,$rounds),$key# prepare for .Lenc_loop8_enter
1563 aesenc $rndkey1,$inout2
1564 add \$16,%rax # prepare for .Lenc_loop8_enter
1566 aesenc $rndkey1,$inout3
1567 aesenc $rndkey1,$inout4
1568 movups 0x10($inp),$in1 # pre-load input
1569 movups 0x20($inp),$in2
1570 aesenc $rndkey1,$inout5
1571 aesenc $rndkey1,$inout6
1573 call .Lenc_loop8_enter
1575 movdqu 0x30($inp),$in3
1577 movdqu 0x40($inp),$in0
1579 movdqu $inout0,($out) # store output
1581 movdqu $inout1,0x10($out)
1583 movdqu $inout2,0x20($out)
1585 movdqu $inout3,0x30($out)
1586 movdqu $inout4,0x40($out)
1588 jb .Lctr32_done # $len was 5, stop store
1590 movups 0x50($inp),$in1
1592 movups $inout5,0x50($out)
1593 je .Lctr32_done # $len was 6, stop store
1595 movups 0x60($inp),$in2
1597 movups $inout6,0x60($out)
1598 jmp .Lctr32_done # $len was 7, stop store
1602 aesenc $rndkey1,$inout0
1605 aesenc $rndkey1,$inout1
1606 aesenc $rndkey1,$inout2
1607 aesenc $rndkey1,$inout3
1608 $movkey ($key),$rndkey1
1610 aesenclast $rndkey1,$inout0
1611 aesenclast $rndkey1,$inout1
1612 movups ($inp),$in0 # load input
1613 movups 0x10($inp),$in1
1614 aesenclast $rndkey1,$inout2
1615 aesenclast $rndkey1,$inout3
1616 movups 0x20($inp),$in2
1617 movups 0x30($inp),$in3
1620 movups $inout0,($out) # store output
1622 movups $inout1,0x10($out)
1624 movdqu $inout2,0x20($out)
1626 movdqu $inout3,0x30($out)
1627 jmp .Lctr32_done # $len was 4, stop store
1631 aesenc $rndkey1,$inout0
1634 aesenc $rndkey1,$inout1
1635 aesenc $rndkey1,$inout2
1636 $movkey ($key),$rndkey1
1638 aesenclast $rndkey1,$inout0
1639 aesenclast $rndkey1,$inout1
1640 aesenclast $rndkey1,$inout2
1642 movups ($inp),$in0 # load input
1644 movups $inout0,($out) # store output
1646 jb .Lctr32_done # $len was 1, stop store
1648 movups 0x10($inp),$in1
1650 movups $inout1,0x10($out)
1651 je .Lctr32_done # $len was 2, stop store
1653 movups 0x20($inp),$in2
1655 movups $inout2,0x20($out) # $len was 3, stop store
1658 xorps %xmm0,%xmm0 # clear regiser bank
1666 $code.=<<___ if (!$win64);
1669 movaps %xmm0,0x00(%rsp) # clear stack
1671 movaps %xmm0,0x10(%rsp)
1673 movaps %xmm0,0x20(%rsp)
1675 movaps %xmm0,0x30(%rsp)
1677 movaps %xmm0,0x40(%rsp)
1679 movaps %xmm0,0x50(%rsp)
1681 movaps %xmm0,0x60(%rsp)
1683 movaps %xmm0,0x70(%rsp)
1686 $code.=<<___ if ($win64);
1687 movaps -0xa0(%rbp),%xmm6
1688 movaps %xmm0,-0xa0(%rbp) # clear stack
1689 movaps -0x90(%rbp),%xmm7
1690 movaps %xmm0,-0x90(%rbp)
1691 movaps -0x80(%rbp),%xmm8
1692 movaps %xmm0,-0x80(%rbp)
1693 movaps -0x70(%rbp),%xmm9
1694 movaps %xmm0,-0x70(%rbp)
1695 movaps -0x60(%rbp),%xmm10
1696 movaps %xmm0,-0x60(%rbp)
1697 movaps -0x50(%rbp),%xmm11
1698 movaps %xmm0,-0x50(%rbp)
1699 movaps -0x40(%rbp),%xmm12
1700 movaps %xmm0,-0x40(%rbp)
1701 movaps -0x30(%rbp),%xmm13
1702 movaps %xmm0,-0x30(%rbp)
1703 movaps -0x20(%rbp),%xmm14
1704 movaps %xmm0,-0x20(%rbp)
1705 movaps -0x10(%rbp),%xmm15
1706 movaps %xmm0,-0x10(%rbp)
1707 movaps %xmm0,0x00(%rsp)
1708 movaps %xmm0,0x10(%rsp)
1709 movaps %xmm0,0x20(%rsp)
1710 movaps %xmm0,0x30(%rsp)
1711 movaps %xmm0,0x40(%rsp)
1712 movaps %xmm0,0x50(%rsp)
1713 movaps %xmm0,0x60(%rsp)
1714 movaps %xmm0,0x70(%rsp)
1721 .size aesni_ctr32_encrypt_blocks,.-aesni_ctr32_encrypt_blocks
1725 ######################################################################
1726 # void aesni_xts_[en|de]crypt(const char *inp,char *out,size_t len,
1727 # const AES_KEY *key1, const AES_KEY *key2
1728 # const unsigned char iv[16]);
1731 my @tweak=map("%xmm$_",(10..15));
1732 my ($twmask,$twres,$twtmp)=("%xmm8","%xmm9",@tweak[4]);
1733 my ($key2,$ivp,$len_)=("%r8","%r9","%r9");
1734 my $frame_size = 0x70 + ($win64?160:0);
1737 .globl aesni_xts_encrypt
1738 .type aesni_xts_encrypt,\@function,6
1743 sub \$$frame_size,%rsp
1744 and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
1746 $code.=<<___ if ($win64);
1747 movaps %xmm6,-0xa8(%rax) # offload everything
1748 movaps %xmm7,-0x98(%rax)
1749 movaps %xmm8,-0x88(%rax)
1750 movaps %xmm9,-0x78(%rax)
1751 movaps %xmm10,-0x68(%rax)
1752 movaps %xmm11,-0x58(%rax)
1753 movaps %xmm12,-0x48(%rax)
1754 movaps %xmm13,-0x38(%rax)
1755 movaps %xmm14,-0x28(%rax)
1756 movaps %xmm15,-0x18(%rax)
1761 movups ($ivp),$inout0 # load clear-text tweak
1762 mov 240(%r8),$rounds # key2->rounds
1763 mov 240($key),$rnds_ # key1->rounds
1765 # generate the tweak
1766 &aesni_generate1("enc",$key2,$rounds,$inout0);
1768 $movkey ($key),$rndkey0 # zero round key
1769 mov $key,$key_ # backup $key
1770 mov $rnds_,$rounds # backup $rounds
1772 mov $len,$len_ # backup $len
1775 $movkey 16($key,$rnds_),$rndkey1 # last round key
1777 movdqa .Lxts_magic(%rip),$twmask
1778 movdqa $inout0,@tweak[5]
1779 pshufd \$0x5f,$inout0,$twres
1780 pxor $rndkey0,$rndkey1
1782 # alternative tweak calculation algorithm is based on suggestions
1783 # by Shay Gueron. psrad doesn't conflict with AES-NI instructions
1784 # and should help in the future...
1785 for ($i=0;$i<4;$i++) {
1787 movdqa $twres,$twtmp
1789 movdqa @tweak[5],@tweak[$i]
1790 psrad \$31,$twtmp # broadcast upper bits
1791 paddq @tweak[5],@tweak[5]
1793 pxor $rndkey0,@tweak[$i]
1794 pxor $twtmp,@tweak[5]
1798 movdqa @tweak[5],@tweak[4]
1800 paddq @tweak[5],@tweak[5]
1802 pxor $rndkey0,@tweak[4]
1803 pxor $twres,@tweak[5]
1804 movaps $rndkey1,0x60(%rsp) # save round[0]^round[last]
1807 jc .Lxts_enc_short # if $len-=6*16 borrowed
1810 lea 32($key_,$rnds_),$key # end of key schedule
1811 sub %r10,%rax # twisted $rounds
1812 $movkey 16($key_),$rndkey1
1813 mov %rax,%r10 # backup twisted $rounds
1814 lea .Lxts_magic(%rip),%r8
1815 jmp .Lxts_enc_grandloop
1818 .Lxts_enc_grandloop:
1819 movdqu `16*0`($inp),$inout0 # load input
1820 movdqa $rndkey0,$twmask
1821 movdqu `16*1`($inp),$inout1
1822 pxor @tweak[0],$inout0 # input^=tweak^round[0]
1823 movdqu `16*2`($inp),$inout2
1824 pxor @tweak[1],$inout1
1825 aesenc $rndkey1,$inout0
1826 movdqu `16*3`($inp),$inout3
1827 pxor @tweak[2],$inout2
1828 aesenc $rndkey1,$inout1
1829 movdqu `16*4`($inp),$inout4
1830 pxor @tweak[3],$inout3
1831 aesenc $rndkey1,$inout2
1832 movdqu `16*5`($inp),$inout5
1833 pxor @tweak[5],$twmask # round[0]^=tweak[5]
1834 movdqa 0x60(%rsp),$twres # load round[0]^round[last]
1835 pxor @tweak[4],$inout4
1836 aesenc $rndkey1,$inout3
1837 $movkey 32($key_),$rndkey0
1838 lea `16*6`($inp),$inp
1839 pxor $twmask,$inout5
1841 pxor $twres,@tweak[0] # calclulate tweaks^round[last]
1842 aesenc $rndkey1,$inout4
1843 pxor $twres,@tweak[1]
1844 movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^round[last]
1845 aesenc $rndkey1,$inout5
1846 $movkey 48($key_),$rndkey1
1847 pxor $twres,@tweak[2]
1849 aesenc $rndkey0,$inout0
1850 pxor $twres,@tweak[3]
1851 movdqa @tweak[1],`16*1`(%rsp)
1852 aesenc $rndkey0,$inout1
1853 pxor $twres,@tweak[4]
1854 movdqa @tweak[2],`16*2`(%rsp)
1855 aesenc $rndkey0,$inout2
1856 aesenc $rndkey0,$inout3
1858 movdqa @tweak[4],`16*4`(%rsp)
1859 aesenc $rndkey0,$inout4
1860 aesenc $rndkey0,$inout5
1861 $movkey 64($key_),$rndkey0
1862 movdqa $twmask,`16*5`(%rsp)
1863 pshufd \$0x5f,@tweak[5],$twres
1867 aesenc $rndkey1,$inout0
1868 aesenc $rndkey1,$inout1
1869 aesenc $rndkey1,$inout2
1870 aesenc $rndkey1,$inout3
1871 aesenc $rndkey1,$inout4
1872 aesenc $rndkey1,$inout5
1873 $movkey -64($key,%rax),$rndkey1
1876 aesenc $rndkey0,$inout0
1877 aesenc $rndkey0,$inout1
1878 aesenc $rndkey0,$inout2
1879 aesenc $rndkey0,$inout3
1880 aesenc $rndkey0,$inout4
1881 aesenc $rndkey0,$inout5
1882 $movkey -80($key,%rax),$rndkey0
1885 movdqa (%r8),$twmask # start calculating next tweak
1886 movdqa $twres,$twtmp
1888 aesenc $rndkey1,$inout0
1889 paddq @tweak[5],@tweak[5]
1891 aesenc $rndkey1,$inout1
1893 $movkey ($key_),@tweak[0] # load round[0]
1894 aesenc $rndkey1,$inout2
1895 aesenc $rndkey1,$inout3
1896 aesenc $rndkey1,$inout4
1897 pxor $twtmp,@tweak[5]
1898 movaps @tweak[0],@tweak[1] # copy round[0]
1899 aesenc $rndkey1,$inout5
1900 $movkey -64($key),$rndkey1
1902 movdqa $twres,$twtmp
1903 aesenc $rndkey0,$inout0
1905 pxor @tweak[5],@tweak[0]
1906 aesenc $rndkey0,$inout1
1908 paddq @tweak[5],@tweak[5]
1909 aesenc $rndkey0,$inout2
1910 aesenc $rndkey0,$inout3
1912 movaps @tweak[1],@tweak[2]
1913 aesenc $rndkey0,$inout4
1914 pxor $twtmp,@tweak[5]
1915 movdqa $twres,$twtmp
1916 aesenc $rndkey0,$inout5
1917 $movkey -48($key),$rndkey0
1920 aesenc $rndkey1,$inout0
1921 pxor @tweak[5],@tweak[1]
1923 aesenc $rndkey1,$inout1
1924 paddq @tweak[5],@tweak[5]
1926 aesenc $rndkey1,$inout2
1927 aesenc $rndkey1,$inout3
1928 movdqa @tweak[3],`16*3`(%rsp)
1929 pxor $twtmp,@tweak[5]
1930 aesenc $rndkey1,$inout4
1931 movaps @tweak[2],@tweak[3]
1932 movdqa $twres,$twtmp
1933 aesenc $rndkey1,$inout5
1934 $movkey -32($key),$rndkey1
1937 aesenc $rndkey0,$inout0
1938 pxor @tweak[5],@tweak[2]
1940 aesenc $rndkey0,$inout1
1941 paddq @tweak[5],@tweak[5]
1943 aesenc $rndkey0,$inout2
1944 aesenc $rndkey0,$inout3
1945 aesenc $rndkey0,$inout4
1946 pxor $twtmp,@tweak[5]
1947 movaps @tweak[3],@tweak[4]
1948 aesenc $rndkey0,$inout5
1950 movdqa $twres,$rndkey0
1952 aesenc $rndkey1,$inout0
1953 pxor @tweak[5],@tweak[3]
1955 aesenc $rndkey1,$inout1
1956 paddq @tweak[5],@tweak[5]
1957 pand $twmask,$rndkey0
1958 aesenc $rndkey1,$inout2
1959 aesenc $rndkey1,$inout3
1960 pxor $rndkey0,@tweak[5]
1961 $movkey ($key_),$rndkey0
1962 aesenc $rndkey1,$inout4
1963 aesenc $rndkey1,$inout5
1964 $movkey 16($key_),$rndkey1
1966 pxor @tweak[5],@tweak[4]
1967 aesenclast `16*0`(%rsp),$inout0
1969 paddq @tweak[5],@tweak[5]
1970 aesenclast `16*1`(%rsp),$inout1
1971 aesenclast `16*2`(%rsp),$inout2
1973 mov %r10,%rax # restore $rounds
1974 aesenclast `16*3`(%rsp),$inout3
1975 aesenclast `16*4`(%rsp),$inout4
1976 aesenclast `16*5`(%rsp),$inout5
1977 pxor $twres,@tweak[5]
1979 lea `16*6`($out),$out # $out+=6*16
1980 movups $inout0,`-16*6`($out) # store 6 output blocks
1981 movups $inout1,`-16*5`($out)
1982 movups $inout2,`-16*4`($out)
1983 movups $inout3,`-16*3`($out)
1984 movups $inout4,`-16*2`($out)
1985 movups $inout5,`-16*1`($out)
1987 jnc .Lxts_enc_grandloop # loop if $len-=6*16 didn't borrow
1991 mov $key_,$key # restore $key
1992 shr \$4,$rounds # restore original value
1995 # at the point @tweak[0..5] are populated with tweak values
1996 mov $rounds,$rnds_ # backup $rounds
1997 pxor $rndkey0,@tweak[0]
1998 add \$16*6,$len # restore real remaining $len
1999 jz .Lxts_enc_done # done if ($len==0)
2001 pxor $rndkey0,@tweak[1]
2003 jb .Lxts_enc_one # $len is 1*16
2004 pxor $rndkey0,@tweak[2]
2005 je .Lxts_enc_two # $len is 2*16
2007 pxor $rndkey0,@tweak[3]
2009 jb .Lxts_enc_three # $len is 3*16
2010 pxor $rndkey0,@tweak[4]
2011 je .Lxts_enc_four # $len is 4*16
2013 movdqu ($inp),$inout0 # $len is 5*16
2014 movdqu 16*1($inp),$inout1
2015 movdqu 16*2($inp),$inout2
2016 pxor @tweak[0],$inout0
2017 movdqu 16*3($inp),$inout3
2018 pxor @tweak[1],$inout1
2019 movdqu 16*4($inp),$inout4
2020 lea 16*5($inp),$inp # $inp+=5*16
2021 pxor @tweak[2],$inout2
2022 pxor @tweak[3],$inout3
2023 pxor @tweak[4],$inout4
2024 pxor $inout5,$inout5
2026 call _aesni_encrypt6
2028 xorps @tweak[0],$inout0
2029 movdqa @tweak[5],@tweak[0]
2030 xorps @tweak[1],$inout1
2031 xorps @tweak[2],$inout2
2032 movdqu $inout0,($out) # store 5 output blocks
2033 xorps @tweak[3],$inout3
2034 movdqu $inout1,16*1($out)
2035 xorps @tweak[4],$inout4
2036 movdqu $inout2,16*2($out)
2037 movdqu $inout3,16*3($out)
2038 movdqu $inout4,16*4($out)
2039 lea 16*5($out),$out # $out+=5*16
2044 movups ($inp),$inout0
2045 lea 16*1($inp),$inp # inp+=1*16
2046 xorps @tweak[0],$inout0
2048 &aesni_generate1("enc",$key,$rounds);
2050 xorps @tweak[0],$inout0
2051 movdqa @tweak[1],@tweak[0]
2052 movups $inout0,($out) # store one output block
2053 lea 16*1($out),$out # $out+=1*16
2058 movups ($inp),$inout0
2059 movups 16($inp),$inout1
2060 lea 32($inp),$inp # $inp+=2*16
2061 xorps @tweak[0],$inout0
2062 xorps @tweak[1],$inout1
2064 call _aesni_encrypt2
2066 xorps @tweak[0],$inout0
2067 movdqa @tweak[2],@tweak[0]
2068 xorps @tweak[1],$inout1
2069 movups $inout0,($out) # store 2 output blocks
2070 movups $inout1,16*1($out)
2071 lea 16*2($out),$out # $out+=2*16
2076 movups ($inp),$inout0
2077 movups 16*1($inp),$inout1
2078 movups 16*2($inp),$inout2
2079 lea 16*3($inp),$inp # $inp+=3*16
2080 xorps @tweak[0],$inout0
2081 xorps @tweak[1],$inout1
2082 xorps @tweak[2],$inout2
2084 call _aesni_encrypt3
2086 xorps @tweak[0],$inout0
2087 movdqa @tweak[3],@tweak[0]
2088 xorps @tweak[1],$inout1
2089 xorps @tweak[2],$inout2
2090 movups $inout0,($out) # store 3 output blocks
2091 movups $inout1,16*1($out)
2092 movups $inout2,16*2($out)
2093 lea 16*3($out),$out # $out+=3*16
2098 movups ($inp),$inout0
2099 movups 16*1($inp),$inout1
2100 movups 16*2($inp),$inout2
2101 xorps @tweak[0],$inout0
2102 movups 16*3($inp),$inout3
2103 lea 16*4($inp),$inp # $inp+=4*16
2104 xorps @tweak[1],$inout1
2105 xorps @tweak[2],$inout2
2106 xorps @tweak[3],$inout3
2108 call _aesni_encrypt4
2110 pxor @tweak[0],$inout0
2111 movdqa @tweak[4],@tweak[0]
2112 pxor @tweak[1],$inout1
2113 pxor @tweak[2],$inout2
2114 movdqu $inout0,($out) # store 4 output blocks
2115 pxor @tweak[3],$inout3
2116 movdqu $inout1,16*1($out)
2117 movdqu $inout2,16*2($out)
2118 movdqu $inout3,16*3($out)
2119 lea 16*4($out),$out # $out+=4*16
2124 and \$15,$len_ # see if $len%16 is 0
2129 movzb ($inp),%eax # borrow $rounds ...
2130 movzb -16($out),%ecx # ... and $key
2138 sub $len_,$out # rewind $out
2139 mov $key_,$key # restore $key
2140 mov $rnds_,$rounds # restore $rounds
2142 movups -16($out),$inout0
2143 xorps @tweak[0],$inout0
2145 &aesni_generate1("enc",$key,$rounds);
2147 xorps @tweak[0],$inout0
2148 movups $inout0,-16($out)
2151 xorps %xmm0,%xmm0 # clear register bank
2158 $code.=<<___ if (!$win64);
2161 movaps %xmm0,0x00(%rsp) # clear stack
2163 movaps %xmm0,0x10(%rsp)
2165 movaps %xmm0,0x20(%rsp)
2167 movaps %xmm0,0x30(%rsp)
2169 movaps %xmm0,0x40(%rsp)
2171 movaps %xmm0,0x50(%rsp)
2173 movaps %xmm0,0x60(%rsp)
2177 $code.=<<___ if ($win64);
2178 movaps -0xa0(%rbp),%xmm6
2179 movaps %xmm0,-0xa0(%rbp) # clear stack
2180 movaps -0x90(%rbp),%xmm7
2181 movaps %xmm0,-0x90(%rbp)
2182 movaps -0x80(%rbp),%xmm8
2183 movaps %xmm0,-0x80(%rbp)
2184 movaps -0x70(%rbp),%xmm9
2185 movaps %xmm0,-0x70(%rbp)
2186 movaps -0x60(%rbp),%xmm10
2187 movaps %xmm0,-0x60(%rbp)
2188 movaps -0x50(%rbp),%xmm11
2189 movaps %xmm0,-0x50(%rbp)
2190 movaps -0x40(%rbp),%xmm12
2191 movaps %xmm0,-0x40(%rbp)
2192 movaps -0x30(%rbp),%xmm13
2193 movaps %xmm0,-0x30(%rbp)
2194 movaps -0x20(%rbp),%xmm14
2195 movaps %xmm0,-0x20(%rbp)
2196 movaps -0x10(%rbp),%xmm15
2197 movaps %xmm0,-0x10(%rbp)
2198 movaps %xmm0,0x00(%rsp)
2199 movaps %xmm0,0x10(%rsp)
2200 movaps %xmm0,0x20(%rsp)
2201 movaps %xmm0,0x30(%rsp)
2202 movaps %xmm0,0x40(%rsp)
2203 movaps %xmm0,0x50(%rsp)
2204 movaps %xmm0,0x60(%rsp)
2211 .size aesni_xts_encrypt,.-aesni_xts_encrypt
2215 .globl aesni_xts_decrypt
2216 .type aesni_xts_decrypt,\@function,6
2221 sub \$$frame_size,%rsp
2222 and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
2224 $code.=<<___ if ($win64);
2225 movaps %xmm6,-0xa8(%rax) # offload everything
2226 movaps %xmm7,-0x98(%rax)
2227 movaps %xmm8,-0x88(%rax)
2228 movaps %xmm9,-0x78(%rax)
2229 movaps %xmm10,-0x68(%rax)
2230 movaps %xmm11,-0x58(%rax)
2231 movaps %xmm12,-0x48(%rax)
2232 movaps %xmm13,-0x38(%rax)
2233 movaps %xmm14,-0x28(%rax)
2234 movaps %xmm15,-0x18(%rax)
2239 movups ($ivp),$inout0 # load clear-text tweak
2240 mov 240($key2),$rounds # key2->rounds
2241 mov 240($key),$rnds_ # key1->rounds
2243 # generate the tweak
2244 &aesni_generate1("enc",$key2,$rounds,$inout0);
2246 xor %eax,%eax # if ($len%16) len-=16;
2252 $movkey ($key),$rndkey0 # zero round key
2253 mov $key,$key_ # backup $key
2254 mov $rnds_,$rounds # backup $rounds
2256 mov $len,$len_ # backup $len
2259 $movkey 16($key,$rnds_),$rndkey1 # last round key
2261 movdqa .Lxts_magic(%rip),$twmask
2262 movdqa $inout0,@tweak[5]
2263 pshufd \$0x5f,$inout0,$twres
2264 pxor $rndkey0,$rndkey1
2266 for ($i=0;$i<4;$i++) {
2268 movdqa $twres,$twtmp
2270 movdqa @tweak[5],@tweak[$i]
2271 psrad \$31,$twtmp # broadcast upper bits
2272 paddq @tweak[5],@tweak[5]
2274 pxor $rndkey0,@tweak[$i]
2275 pxor $twtmp,@tweak[5]
2279 movdqa @tweak[5],@tweak[4]
2281 paddq @tweak[5],@tweak[5]
2283 pxor $rndkey0,@tweak[4]
2284 pxor $twres,@tweak[5]
2285 movaps $rndkey1,0x60(%rsp) # save round[0]^round[last]
2288 jc .Lxts_dec_short # if $len-=6*16 borrowed
2291 lea 32($key_,$rnds_),$key # end of key schedule
2292 sub %r10,%rax # twisted $rounds
2293 $movkey 16($key_),$rndkey1
2294 mov %rax,%r10 # backup twisted $rounds
2295 lea .Lxts_magic(%rip),%r8
2296 jmp .Lxts_dec_grandloop
2299 .Lxts_dec_grandloop:
2300 movdqu `16*0`($inp),$inout0 # load input
2301 movdqa $rndkey0,$twmask
2302 movdqu `16*1`($inp),$inout1
2303 pxor @tweak[0],$inout0 # intput^=tweak^round[0]
2304 movdqu `16*2`($inp),$inout2
2305 pxor @tweak[1],$inout1
2306 aesdec $rndkey1,$inout0
2307 movdqu `16*3`($inp),$inout3
2308 pxor @tweak[2],$inout2
2309 aesdec $rndkey1,$inout1
2310 movdqu `16*4`($inp),$inout4
2311 pxor @tweak[3],$inout3
2312 aesdec $rndkey1,$inout2
2313 movdqu `16*5`($inp),$inout5
2314 pxor @tweak[5],$twmask # round[0]^=tweak[5]
2315 movdqa 0x60(%rsp),$twres # load round[0]^round[last]
2316 pxor @tweak[4],$inout4
2317 aesdec $rndkey1,$inout3
2318 $movkey 32($key_),$rndkey0
2319 lea `16*6`($inp),$inp
2320 pxor $twmask,$inout5
2322 pxor $twres,@tweak[0] # calclulate tweaks^round[last]
2323 aesdec $rndkey1,$inout4
2324 pxor $twres,@tweak[1]
2325 movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^last round key
2326 aesdec $rndkey1,$inout5
2327 $movkey 48($key_),$rndkey1
2328 pxor $twres,@tweak[2]
2330 aesdec $rndkey0,$inout0
2331 pxor $twres,@tweak[3]
2332 movdqa @tweak[1],`16*1`(%rsp)
2333 aesdec $rndkey0,$inout1
2334 pxor $twres,@tweak[4]
2335 movdqa @tweak[2],`16*2`(%rsp)
2336 aesdec $rndkey0,$inout2
2337 aesdec $rndkey0,$inout3
2339 movdqa @tweak[4],`16*4`(%rsp)
2340 aesdec $rndkey0,$inout4
2341 aesdec $rndkey0,$inout5
2342 $movkey 64($key_),$rndkey0
2343 movdqa $twmask,`16*5`(%rsp)
2344 pshufd \$0x5f,@tweak[5],$twres
2348 aesdec $rndkey1,$inout0
2349 aesdec $rndkey1,$inout1
2350 aesdec $rndkey1,$inout2
2351 aesdec $rndkey1,$inout3
2352 aesdec $rndkey1,$inout4
2353 aesdec $rndkey1,$inout5
2354 $movkey -64($key,%rax),$rndkey1
2357 aesdec $rndkey0,$inout0
2358 aesdec $rndkey0,$inout1
2359 aesdec $rndkey0,$inout2
2360 aesdec $rndkey0,$inout3
2361 aesdec $rndkey0,$inout4
2362 aesdec $rndkey0,$inout5
2363 $movkey -80($key,%rax),$rndkey0
2366 movdqa (%r8),$twmask # start calculating next tweak
2367 movdqa $twres,$twtmp
2369 aesdec $rndkey1,$inout0
2370 paddq @tweak[5],@tweak[5]
2372 aesdec $rndkey1,$inout1
2374 $movkey ($key_),@tweak[0] # load round[0]
2375 aesdec $rndkey1,$inout2
2376 aesdec $rndkey1,$inout3
2377 aesdec $rndkey1,$inout4
2378 pxor $twtmp,@tweak[5]
2379 movaps @tweak[0],@tweak[1] # copy round[0]
2380 aesdec $rndkey1,$inout5
2381 $movkey -64($key),$rndkey1
2383 movdqa $twres,$twtmp
2384 aesdec $rndkey0,$inout0
2386 pxor @tweak[5],@tweak[0]
2387 aesdec $rndkey0,$inout1
2389 paddq @tweak[5],@tweak[5]
2390 aesdec $rndkey0,$inout2
2391 aesdec $rndkey0,$inout3
2393 movaps @tweak[1],@tweak[2]
2394 aesdec $rndkey0,$inout4
2395 pxor $twtmp,@tweak[5]
2396 movdqa $twres,$twtmp
2397 aesdec $rndkey0,$inout5
2398 $movkey -48($key),$rndkey0
2401 aesdec $rndkey1,$inout0
2402 pxor @tweak[5],@tweak[1]
2404 aesdec $rndkey1,$inout1
2405 paddq @tweak[5],@tweak[5]
2407 aesdec $rndkey1,$inout2
2408 aesdec $rndkey1,$inout3
2409 movdqa @tweak[3],`16*3`(%rsp)
2410 pxor $twtmp,@tweak[5]
2411 aesdec $rndkey1,$inout4
2412 movaps @tweak[2],@tweak[3]
2413 movdqa $twres,$twtmp
2414 aesdec $rndkey1,$inout5
2415 $movkey -32($key),$rndkey1
2418 aesdec $rndkey0,$inout0
2419 pxor @tweak[5],@tweak[2]
2421 aesdec $rndkey0,$inout1
2422 paddq @tweak[5],@tweak[5]
2424 aesdec $rndkey0,$inout2
2425 aesdec $rndkey0,$inout3
2426 aesdec $rndkey0,$inout4
2427 pxor $twtmp,@tweak[5]
2428 movaps @tweak[3],@tweak[4]
2429 aesdec $rndkey0,$inout5
2431 movdqa $twres,$rndkey0
2433 aesdec $rndkey1,$inout0
2434 pxor @tweak[5],@tweak[3]
2436 aesdec $rndkey1,$inout1
2437 paddq @tweak[5],@tweak[5]
2438 pand $twmask,$rndkey0
2439 aesdec $rndkey1,$inout2
2440 aesdec $rndkey1,$inout3
2441 pxor $rndkey0,@tweak[5]
2442 $movkey ($key_),$rndkey0
2443 aesdec $rndkey1,$inout4
2444 aesdec $rndkey1,$inout5
2445 $movkey 16($key_),$rndkey1
2447 pxor @tweak[5],@tweak[4]
2448 aesdeclast `16*0`(%rsp),$inout0
2450 paddq @tweak[5],@tweak[5]
2451 aesdeclast `16*1`(%rsp),$inout1
2452 aesdeclast `16*2`(%rsp),$inout2
2454 mov %r10,%rax # restore $rounds
2455 aesdeclast `16*3`(%rsp),$inout3
2456 aesdeclast `16*4`(%rsp),$inout4
2457 aesdeclast `16*5`(%rsp),$inout5
2458 pxor $twres,@tweak[5]
2460 lea `16*6`($out),$out # $out+=6*16
2461 movups $inout0,`-16*6`($out) # store 6 output blocks
2462 movups $inout1,`-16*5`($out)
2463 movups $inout2,`-16*4`($out)
2464 movups $inout3,`-16*3`($out)
2465 movups $inout4,`-16*2`($out)
2466 movups $inout5,`-16*1`($out)
2468 jnc .Lxts_dec_grandloop # loop if $len-=6*16 didn't borrow
2472 mov $key_,$key # restore $key
2473 shr \$4,$rounds # restore original value
2476 # at the point @tweak[0..5] are populated with tweak values
2477 mov $rounds,$rnds_ # backup $rounds
2478 pxor $rndkey0,@tweak[0]
2479 pxor $rndkey0,@tweak[1]
2480 add \$16*6,$len # restore real remaining $len
2481 jz .Lxts_dec_done # done if ($len==0)
2483 pxor $rndkey0,@tweak[2]
2485 jb .Lxts_dec_one # $len is 1*16
2486 pxor $rndkey0,@tweak[3]
2487 je .Lxts_dec_two # $len is 2*16
2489 pxor $rndkey0,@tweak[4]
2491 jb .Lxts_dec_three # $len is 3*16
2492 je .Lxts_dec_four # $len is 4*16
2494 movdqu ($inp),$inout0 # $len is 5*16
2495 movdqu 16*1($inp),$inout1
2496 movdqu 16*2($inp),$inout2
2497 pxor @tweak[0],$inout0
2498 movdqu 16*3($inp),$inout3
2499 pxor @tweak[1],$inout1
2500 movdqu 16*4($inp),$inout4
2501 lea 16*5($inp),$inp # $inp+=5*16
2502 pxor @tweak[2],$inout2
2503 pxor @tweak[3],$inout3
2504 pxor @tweak[4],$inout4
2506 call _aesni_decrypt6
2508 xorps @tweak[0],$inout0
2509 xorps @tweak[1],$inout1
2510 xorps @tweak[2],$inout2
2511 movdqu $inout0,($out) # store 5 output blocks
2512 xorps @tweak[3],$inout3
2513 movdqu $inout1,16*1($out)
2514 xorps @tweak[4],$inout4
2515 movdqu $inout2,16*2($out)
2517 movdqu $inout3,16*3($out)
2518 pcmpgtd @tweak[5],$twtmp
2519 movdqu $inout4,16*4($out)
2520 lea 16*5($out),$out # $out+=5*16
2521 pshufd \$0x13,$twtmp,@tweak[1] # $twres
2525 movdqa @tweak[5],@tweak[0]
2526 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
2527 pand $twmask,@tweak[1] # isolate carry and residue
2528 pxor @tweak[5],@tweak[1]
2533 movups ($inp),$inout0
2534 lea 16*1($inp),$inp # $inp+=1*16
2535 xorps @tweak[0],$inout0
2537 &aesni_generate1("dec",$key,$rounds);
2539 xorps @tweak[0],$inout0
2540 movdqa @tweak[1],@tweak[0]
2541 movups $inout0,($out) # store one output block
2542 movdqa @tweak[2],@tweak[1]
2543 lea 16*1($out),$out # $out+=1*16
2548 movups ($inp),$inout0
2549 movups 16($inp),$inout1
2550 lea 32($inp),$inp # $inp+=2*16
2551 xorps @tweak[0],$inout0
2552 xorps @tweak[1],$inout1
2554 call _aesni_decrypt2
2556 xorps @tweak[0],$inout0
2557 movdqa @tweak[2],@tweak[0]
2558 xorps @tweak[1],$inout1
2559 movdqa @tweak[3],@tweak[1]
2560 movups $inout0,($out) # store 2 output blocks
2561 movups $inout1,16*1($out)
2562 lea 16*2($out),$out # $out+=2*16
2567 movups ($inp),$inout0
2568 movups 16*1($inp),$inout1
2569 movups 16*2($inp),$inout2
2570 lea 16*3($inp),$inp # $inp+=3*16
2571 xorps @tweak[0],$inout0
2572 xorps @tweak[1],$inout1
2573 xorps @tweak[2],$inout2
2575 call _aesni_decrypt3
2577 xorps @tweak[0],$inout0
2578 movdqa @tweak[3],@tweak[0]
2579 xorps @tweak[1],$inout1
2580 movdqa @tweak[4],@tweak[1]
2581 xorps @tweak[2],$inout2
2582 movups $inout0,($out) # store 3 output blocks
2583 movups $inout1,16*1($out)
2584 movups $inout2,16*2($out)
2585 lea 16*3($out),$out # $out+=3*16
2590 movups ($inp),$inout0
2591 movups 16*1($inp),$inout1
2592 movups 16*2($inp),$inout2
2593 xorps @tweak[0],$inout0
2594 movups 16*3($inp),$inout3
2595 lea 16*4($inp),$inp # $inp+=4*16
2596 xorps @tweak[1],$inout1
2597 xorps @tweak[2],$inout2
2598 xorps @tweak[3],$inout3
2600 call _aesni_decrypt4
2602 pxor @tweak[0],$inout0
2603 movdqa @tweak[4],@tweak[0]
2604 pxor @tweak[1],$inout1
2605 movdqa @tweak[5],@tweak[1]
2606 pxor @tweak[2],$inout2
2607 movdqu $inout0,($out) # store 4 output blocks
2608 pxor @tweak[3],$inout3
2609 movdqu $inout1,16*1($out)
2610 movdqu $inout2,16*2($out)
2611 movdqu $inout3,16*3($out)
2612 lea 16*4($out),$out # $out+=4*16
2617 and \$15,$len_ # see if $len%16 is 0
2621 mov $key_,$key # restore $key
2622 mov $rnds_,$rounds # restore $rounds
2624 movups ($inp),$inout0
2625 xorps @tweak[1],$inout0
2627 &aesni_generate1("dec",$key,$rounds);
2629 xorps @tweak[1],$inout0
2630 movups $inout0,($out)
2633 movzb 16($inp),%eax # borrow $rounds ...
2634 movzb ($out),%ecx # ... and $key
2642 sub $len_,$out # rewind $out
2643 mov $key_,$key # restore $key
2644 mov $rnds_,$rounds # restore $rounds
2646 movups ($out),$inout0
2647 xorps @tweak[0],$inout0
2649 &aesni_generate1("dec",$key,$rounds);
2651 xorps @tweak[0],$inout0
2652 movups $inout0,($out)
2655 xorps %xmm0,%xmm0 # clear register bank
2662 $code.=<<___ if (!$win64);
2665 movaps %xmm0,0x00(%rsp) # clear stack
2667 movaps %xmm0,0x10(%rsp)
2669 movaps %xmm0,0x20(%rsp)
2671 movaps %xmm0,0x30(%rsp)
2673 movaps %xmm0,0x40(%rsp)
2675 movaps %xmm0,0x50(%rsp)
2677 movaps %xmm0,0x60(%rsp)
2681 $code.=<<___ if ($win64);
2682 movaps -0xa0(%rbp),%xmm6
2683 movaps %xmm0,-0xa0(%rbp) # clear stack
2684 movaps -0x90(%rbp),%xmm7
2685 movaps %xmm0,-0x90(%rbp)
2686 movaps -0x80(%rbp),%xmm8
2687 movaps %xmm0,-0x80(%rbp)
2688 movaps -0x70(%rbp),%xmm9
2689 movaps %xmm0,-0x70(%rbp)
2690 movaps -0x60(%rbp),%xmm10
2691 movaps %xmm0,-0x60(%rbp)
2692 movaps -0x50(%rbp),%xmm11
2693 movaps %xmm0,-0x50(%rbp)
2694 movaps -0x40(%rbp),%xmm12
2695 movaps %xmm0,-0x40(%rbp)
2696 movaps -0x30(%rbp),%xmm13
2697 movaps %xmm0,-0x30(%rbp)
2698 movaps -0x20(%rbp),%xmm14
2699 movaps %xmm0,-0x20(%rbp)
2700 movaps -0x10(%rbp),%xmm15
2701 movaps %xmm0,-0x10(%rbp)
2702 movaps %xmm0,0x00(%rsp)
2703 movaps %xmm0,0x10(%rsp)
2704 movaps %xmm0,0x20(%rsp)
2705 movaps %xmm0,0x30(%rsp)
2706 movaps %xmm0,0x40(%rsp)
2707 movaps %xmm0,0x50(%rsp)
2708 movaps %xmm0,0x60(%rsp)
2715 .size aesni_xts_decrypt,.-aesni_xts_decrypt
2719 ######################################################################
2720 # void aesni_ocb_[en|de]crypt(const char *inp, char *out, size_t blocks,
2721 # const AES_KEY *key, unsigned int start_block_num,
2722 # unsigned char offset_i[16], const unsigned char L_[][16],
2723 # unsigned char checksum[16]);
2726 my @offset=map("%xmm$_",(10..15));
2727 my ($checksum,$rndkey0l)=("%xmm8","%xmm9");
2728 my ($block_num,$offset_p)=("%r8","%r9"); # 5th and 6th arguments
2729 my ($L_p,$checksum_p) = ("%rbx","%rbp");
2730 my ($i1,$i3,$i5) = ("%r12","%r13","%r14");
2731 my $seventh_arg = $win64 ? 56 : 8;
2735 .globl aesni_ocb_encrypt
2736 .type aesni_ocb_encrypt,\@function,6
2746 $code.=<<___ if ($win64);
2747 lea -0xa0(%rsp),%rsp
2748 movaps %xmm6,0x00(%rsp) # offload everything
2749 movaps %xmm7,0x10(%rsp)
2750 movaps %xmm8,0x20(%rsp)
2751 movaps %xmm9,0x30(%rsp)
2752 movaps %xmm10,0x40(%rsp)
2753 movaps %xmm11,0x50(%rsp)
2754 movaps %xmm12,0x60(%rsp)
2755 movaps %xmm13,0x70(%rsp)
2756 movaps %xmm14,0x80(%rsp)
2757 movaps %xmm15,0x90(%rsp)
2761 mov $seventh_arg(%rax),$L_p # 7th argument
2762 mov $seventh_arg+8(%rax),$checksum_p# 8th argument
2764 mov 240($key),$rnds_
2767 $movkey ($key),$rndkey0l # round[0]
2768 $movkey 16($key,$rnds_),$rndkey1 # round[last]
2770 movdqu ($offset_p),@offset[5] # load last offset_i
2771 pxor $rndkey1,$rndkey0l # round[0] ^ round[last]
2772 pxor $rndkey1,@offset[5] # offset_i ^ round[last]
2775 lea 32($key_,$rnds_),$key
2776 $movkey 16($key_),$rndkey1 # round[1]
2777 sub %r10,%rax # twisted $rounds
2778 mov %rax,%r10 # backup twisted $rounds
2780 movdqu ($L_p),@offset[0] # L_0 for all odd-numbered blocks
2781 movdqu ($checksum_p),$checksum # load checksum
2783 test \$1,$block_num # is first block number odd?
2789 movdqu ($L_p,$i1),$inout5 # borrow
2790 movdqu ($inp),$inout0
2795 movdqa $inout5,@offset[5]
2796 movups $inout0,($out)
2802 lea 1($block_num),$i1 # even-numbered blocks
2803 lea 3($block_num),$i3
2804 lea 5($block_num),$i5
2805 lea 6($block_num),$block_num
2806 bsf $i1,$i1 # ntz(block)
2809 shl \$4,$i1 # ntz(block) -> table offset
2815 jmp .Locb_enc_grandloop
2818 .Locb_enc_grandloop:
2819 movdqu `16*0`($inp),$inout0 # load input
2820 movdqu `16*1`($inp),$inout1
2821 movdqu `16*2`($inp),$inout2
2822 movdqu `16*3`($inp),$inout3
2823 movdqu `16*4`($inp),$inout4
2824 movdqu `16*5`($inp),$inout5
2825 lea `16*6`($inp),$inp
2829 movups $inout0,`16*0`($out) # store output
2830 movups $inout1,`16*1`($out)
2831 movups $inout2,`16*2`($out)
2832 movups $inout3,`16*3`($out)
2833 movups $inout4,`16*4`($out)
2834 movups $inout5,`16*5`($out)
2835 lea `16*6`($out),$out
2837 jnc .Locb_enc_grandloop
2843 movdqu `16*0`($inp),$inout0
2846 movdqu `16*1`($inp),$inout1
2849 movdqu `16*2`($inp),$inout2
2852 movdqu `16*3`($inp),$inout3
2855 movdqu `16*4`($inp),$inout4
2856 pxor $inout5,$inout5
2860 movdqa @offset[4],@offset[5]
2861 movups $inout0,`16*0`($out)
2862 movups $inout1,`16*1`($out)
2863 movups $inout2,`16*2`($out)
2864 movups $inout3,`16*3`($out)
2865 movups $inout4,`16*4`($out)
2871 movdqa @offset[0],$inout5 # borrow
2875 movdqa $inout5,@offset[5]
2876 movups $inout0,`16*0`($out)
2881 pxor $inout2,$inout2
2882 pxor $inout3,$inout3
2886 movdqa @offset[1],@offset[5]
2887 movups $inout0,`16*0`($out)
2888 movups $inout1,`16*1`($out)
2894 pxor $inout3,$inout3
2898 movdqa @offset[2],@offset[5]
2899 movups $inout0,`16*0`($out)
2900 movups $inout1,`16*1`($out)
2901 movups $inout2,`16*2`($out)
2909 movdqa @offset[3],@offset[5]
2910 movups $inout0,`16*0`($out)
2911 movups $inout1,`16*1`($out)
2912 movups $inout2,`16*2`($out)
2913 movups $inout3,`16*3`($out)
2916 pxor $rndkey0,@offset[5] # "remove" round[last]
2917 movdqu $checksum,($checksum_p) # store checksum
2918 movdqu @offset[5],($offset_p) # store last offset_i
2920 xorps %xmm0,%xmm0 # clear register bank
2927 $code.=<<___ if (!$win64);
2939 $code.=<<___ if ($win64);
2940 movaps 0x00(%rsp),%xmm6
2941 movaps %xmm0,0x00(%rsp) # clear stack
2942 movaps 0x10(%rsp),%xmm7
2943 movaps %xmm0,0x10(%rsp)
2944 movaps 0x20(%rsp),%xmm8
2945 movaps %xmm0,0x20(%rsp)
2946 movaps 0x30(%rsp),%xmm9
2947 movaps %xmm0,0x30(%rsp)
2948 movaps 0x40(%rsp),%xmm10
2949 movaps %xmm0,0x40(%rsp)
2950 movaps 0x50(%rsp),%xmm11
2951 movaps %xmm0,0x50(%rsp)
2952 movaps 0x60(%rsp),%xmm12
2953 movaps %xmm0,0x60(%rsp)
2954 movaps 0x70(%rsp),%xmm13
2955 movaps %xmm0,0x70(%rsp)
2956 movaps 0x80(%rsp),%xmm14
2957 movaps %xmm0,0x80(%rsp)
2958 movaps 0x90(%rsp),%xmm15
2959 movaps %xmm0,0x90(%rsp)
2960 lea 0xa0+0x28(%rsp),%rax
2972 .size aesni_ocb_encrypt,.-aesni_ocb_encrypt
2974 .type __ocb_encrypt6,\@abi-omnipotent
2977 pxor $rndkey0l,@offset[5] # offset_i ^ round[0]
2978 movdqu ($L_p,$i1),@offset[1]
2979 movdqa @offset[0],@offset[2]
2980 movdqu ($L_p,$i3),@offset[3]
2981 movdqa @offset[0],@offset[4]
2982 pxor @offset[5],@offset[0]
2983 movdqu ($L_p,$i5),@offset[5]
2984 pxor @offset[0],@offset[1]
2985 pxor $inout0,$checksum # accumulate checksum
2986 pxor @offset[0],$inout0 # input ^ round[0] ^ offset_i
2987 pxor @offset[1],@offset[2]
2988 pxor $inout1,$checksum
2989 pxor @offset[1],$inout1
2990 pxor @offset[2],@offset[3]
2991 pxor $inout2,$checksum
2992 pxor @offset[2],$inout2
2993 pxor @offset[3],@offset[4]
2994 pxor $inout3,$checksum
2995 pxor @offset[3],$inout3
2996 pxor @offset[4],@offset[5]
2997 pxor $inout4,$checksum
2998 pxor @offset[4],$inout4
2999 pxor $inout5,$checksum
3000 pxor @offset[5],$inout5
3001 $movkey 32($key_),$rndkey0
3003 lea 1($block_num),$i1 # even-numbered blocks
3004 lea 3($block_num),$i3
3005 lea 5($block_num),$i5
3007 pxor $rndkey0l,@offset[0] # offset_i ^ round[last]
3008 bsf $i1,$i1 # ntz(block)
3012 aesenc $rndkey1,$inout0
3013 aesenc $rndkey1,$inout1
3014 aesenc $rndkey1,$inout2
3015 aesenc $rndkey1,$inout3
3016 pxor $rndkey0l,@offset[1]
3017 pxor $rndkey0l,@offset[2]
3018 aesenc $rndkey1,$inout4
3019 pxor $rndkey0l,@offset[3]
3020 pxor $rndkey0l,@offset[4]
3021 aesenc $rndkey1,$inout5
3022 $movkey 48($key_),$rndkey1
3023 pxor $rndkey0l,@offset[5]
3025 aesenc $rndkey0,$inout0
3026 aesenc $rndkey0,$inout1
3027 aesenc $rndkey0,$inout2
3028 aesenc $rndkey0,$inout3
3029 aesenc $rndkey0,$inout4
3030 aesenc $rndkey0,$inout5
3031 $movkey 64($key_),$rndkey0
3032 shl \$4,$i1 # ntz(block) -> table offset
3038 aesenc $rndkey1,$inout0
3039 aesenc $rndkey1,$inout1
3040 aesenc $rndkey1,$inout2
3041 aesenc $rndkey1,$inout3
3042 aesenc $rndkey1,$inout4
3043 aesenc $rndkey1,$inout5
3044 $movkey ($key,%rax),$rndkey1
3047 aesenc $rndkey0,$inout0
3048 aesenc $rndkey0,$inout1
3049 aesenc $rndkey0,$inout2
3050 aesenc $rndkey0,$inout3
3051 aesenc $rndkey0,$inout4
3052 aesenc $rndkey0,$inout5
3053 $movkey -16($key,%rax),$rndkey0
3056 aesenc $rndkey1,$inout0
3057 aesenc $rndkey1,$inout1
3058 aesenc $rndkey1,$inout2
3059 aesenc $rndkey1,$inout3
3060 aesenc $rndkey1,$inout4
3061 aesenc $rndkey1,$inout5
3062 $movkey 16($key_),$rndkey1
3065 aesenclast @offset[0],$inout0
3066 movdqu ($L_p),@offset[0] # L_0 for all odd-numbered blocks
3067 mov %r10,%rax # restore twisted rounds
3068 aesenclast @offset[1],$inout1
3069 aesenclast @offset[2],$inout2
3070 aesenclast @offset[3],$inout3
3071 aesenclast @offset[4],$inout4
3072 aesenclast @offset[5],$inout5
3074 .size __ocb_encrypt6,.-__ocb_encrypt6
3076 .type __ocb_encrypt4,\@abi-omnipotent
3079 pxor $rndkey0l,@offset[5] # offset_i ^ round[0]
3080 movdqu ($L_p,$i1),@offset[1]
3081 movdqa @offset[0],@offset[2]
3082 movdqu ($L_p,$i3),@offset[3]
3083 pxor @offset[5],@offset[0]
3084 pxor @offset[0],@offset[1]
3085 pxor $inout0,$checksum # accumulate checksum
3086 pxor @offset[0],$inout0 # input ^ round[0] ^ offset_i
3087 pxor @offset[1],@offset[2]
3088 pxor $inout1,$checksum
3089 pxor @offset[1],$inout1
3090 pxor @offset[2],@offset[3]
3091 pxor $inout2,$checksum
3092 pxor @offset[2],$inout2
3093 pxor $inout3,$checksum
3094 pxor @offset[3],$inout3
3095 $movkey 32($key_),$rndkey0
3097 pxor $rndkey0l,@offset[0] # offset_i ^ round[last]
3098 pxor $rndkey0l,@offset[1]
3099 pxor $rndkey0l,@offset[2]
3100 pxor $rndkey0l,@offset[3]
3102 aesenc $rndkey1,$inout0
3103 aesenc $rndkey1,$inout1
3104 aesenc $rndkey1,$inout2
3105 aesenc $rndkey1,$inout3
3106 $movkey 48($key_),$rndkey1
3108 aesenc $rndkey0,$inout0
3109 aesenc $rndkey0,$inout1
3110 aesenc $rndkey0,$inout2
3111 aesenc $rndkey0,$inout3
3112 $movkey 64($key_),$rndkey0
3117 aesenc $rndkey1,$inout0
3118 aesenc $rndkey1,$inout1
3119 aesenc $rndkey1,$inout2
3120 aesenc $rndkey1,$inout3
3121 $movkey ($key,%rax),$rndkey1
3124 aesenc $rndkey0,$inout0
3125 aesenc $rndkey0,$inout1
3126 aesenc $rndkey0,$inout2
3127 aesenc $rndkey0,$inout3
3128 $movkey -16($key,%rax),$rndkey0
3131 aesenc $rndkey1,$inout0
3132 aesenc $rndkey1,$inout1
3133 aesenc $rndkey1,$inout2
3134 aesenc $rndkey1,$inout3
3135 $movkey 16($key_),$rndkey1
3136 mov %r10,%rax # restore twisted rounds
3138 aesenclast @offset[0],$inout0
3139 aesenclast @offset[1],$inout1
3140 aesenclast @offset[2],$inout2
3141 aesenclast @offset[3],$inout3
3143 .size __ocb_encrypt4,.-__ocb_encrypt4
3145 .type __ocb_encrypt1,\@abi-omnipotent
3148 pxor @offset[5],$inout5 # offset_i
3149 pxor $rndkey0l,$inout5 # offset_i ^ round[0]
3150 pxor $inout0,$checksum # accumulate checksum
3151 pxor $inout5,$inout0 # input ^ round[0] ^ offset_i
3152 $movkey 32($key_),$rndkey0
3154 aesenc $rndkey1,$inout0
3155 $movkey 48($key_),$rndkey1
3156 pxor $rndkey0l,$inout5 # offset_i ^ round[last]
3158 aesenc $rndkey0,$inout0
3159 $movkey 64($key_),$rndkey0
3164 aesenc $rndkey1,$inout0
3165 $movkey ($key,%rax),$rndkey1
3168 aesenc $rndkey0,$inout0
3169 $movkey -16($key,%rax),$rndkey0
3172 aesenc $rndkey1,$inout0
3173 $movkey 16($key_),$rndkey1 # redundant in tail
3174 mov %r10,%rax # restore twisted rounds
3176 aesenclast $inout5,$inout0
3178 .size __ocb_encrypt1,.-__ocb_encrypt1
3180 .globl aesni_ocb_decrypt
3181 .type aesni_ocb_decrypt,\@function,6
3191 $code.=<<___ if ($win64);
3192 lea -0xa0(%rsp),%rsp
3193 movaps %xmm6,0x00(%rsp) # offload everything
3194 movaps %xmm7,0x10(%rsp)
3195 movaps %xmm8,0x20(%rsp)
3196 movaps %xmm9,0x30(%rsp)
3197 movaps %xmm10,0x40(%rsp)
3198 movaps %xmm11,0x50(%rsp)
3199 movaps %xmm12,0x60(%rsp)
3200 movaps %xmm13,0x70(%rsp)
3201 movaps %xmm14,0x80(%rsp)
3202 movaps %xmm15,0x90(%rsp)
3206 mov $seventh_arg(%rax),$L_p # 7th argument
3207 mov $seventh_arg+8(%rax),$checksum_p# 8th argument
3209 mov 240($key),$rnds_
3212 $movkey ($key),$rndkey0l # round[0]
3213 $movkey 16($key,$rnds_),$rndkey1 # round[last]
3215 movdqu ($offset_p),@offset[5] # load last offset_i
3216 pxor $rndkey1,$rndkey0l # round[0] ^ round[last]
3217 pxor $rndkey1,@offset[5] # offset_i ^ round[last]
3220 lea 32($key_,$rnds_),$key
3221 $movkey 16($key_),$rndkey1 # round[1]
3222 sub %r10,%rax # twisted $rounds
3223 mov %rax,%r10 # backup twisted $rounds
3225 movdqu ($L_p),@offset[0] # L_0 for all odd-numbered blocks
3226 movdqu ($checksum_p),$checksum # load checksum
3228 test \$1,$block_num # is first block number odd?
3234 movdqu ($L_p,$i1),$inout5 # borrow
3235 movdqu ($inp),$inout0
3240 movdqa $inout5,@offset[5]
3241 movups $inout0,($out)
3242 xorps $inout0,$checksum # accumulate checksum
3248 lea 1($block_num),$i1 # even-numbered blocks
3249 lea 3($block_num),$i3
3250 lea 5($block_num),$i5
3251 lea 6($block_num),$block_num
3252 bsf $i1,$i1 # ntz(block)
3255 shl \$4,$i1 # ntz(block) -> table offset
3261 jmp .Locb_dec_grandloop
3264 .Locb_dec_grandloop:
3265 movdqu `16*0`($inp),$inout0 # load input
3266 movdqu `16*1`($inp),$inout1
3267 movdqu `16*2`($inp),$inout2
3268 movdqu `16*3`($inp),$inout3
3269 movdqu `16*4`($inp),$inout4
3270 movdqu `16*5`($inp),$inout5
3271 lea `16*6`($inp),$inp
3275 movups $inout0,`16*0`($out) # store output
3276 pxor $inout0,$checksum # accumulate checksum
3277 movups $inout1,`16*1`($out)
3278 pxor $inout1,$checksum
3279 movups $inout2,`16*2`($out)
3280 pxor $inout2,$checksum
3281 movups $inout3,`16*3`($out)
3282 pxor $inout3,$checksum
3283 movups $inout4,`16*4`($out)
3284 pxor $inout4,$checksum
3285 movups $inout5,`16*5`($out)
3286 pxor $inout5,$checksum
3287 lea `16*6`($out),$out
3289 jnc .Locb_dec_grandloop
3295 movdqu `16*0`($inp),$inout0
3298 movdqu `16*1`($inp),$inout1
3301 movdqu `16*2`($inp),$inout2
3304 movdqu `16*3`($inp),$inout3
3307 movdqu `16*4`($inp),$inout4
3308 pxor $inout5,$inout5
3312 movdqa @offset[4],@offset[5]
3313 movups $inout0,`16*0`($out) # store output
3314 pxor $inout0,$checksum # accumulate checksum
3315 movups $inout1,`16*1`($out)
3316 pxor $inout1,$checksum
3317 movups $inout2,`16*2`($out)
3318 pxor $inout2,$checksum
3319 movups $inout3,`16*3`($out)
3320 pxor $inout3,$checksum
3321 movups $inout4,`16*4`($out)
3322 pxor $inout4,$checksum
3328 movdqa @offset[0],$inout5 # borrow
3332 movdqa $inout5,@offset[5]
3333 movups $inout0,`16*0`($out) # store output
3334 xorps $inout0,$checksum # accumulate checksum
3339 pxor $inout2,$inout2
3340 pxor $inout3,$inout3
3344 movdqa @offset[1],@offset[5]
3345 movups $inout0,`16*0`($out) # store output
3346 xorps $inout0,$checksum # accumulate checksum
3347 movups $inout1,`16*1`($out)
3348 xorps $inout1,$checksum
3354 pxor $inout3,$inout3
3358 movdqa @offset[2],@offset[5]
3359 movups $inout0,`16*0`($out) # store output
3360 xorps $inout0,$checksum # accumulate checksum
3361 movups $inout1,`16*1`($out)
3362 xorps $inout1,$checksum
3363 movups $inout2,`16*2`($out)
3364 xorps $inout2,$checksum
3372 movdqa @offset[3],@offset[5]
3373 movups $inout0,`16*0`($out) # store output
3374 pxor $inout0,$checksum # accumulate checksum
3375 movups $inout1,`16*1`($out)
3376 pxor $inout1,$checksum
3377 movups $inout2,`16*2`($out)
3378 pxor $inout2,$checksum
3379 movups $inout3,`16*3`($out)
3380 pxor $inout3,$checksum
3383 pxor $rndkey0,@offset[5] # "remove" round[last]
3384 movdqu $checksum,($checksum_p) # store checksum
3385 movdqu @offset[5],($offset_p) # store last offset_i
3387 xorps %xmm0,%xmm0 # clear register bank
3394 $code.=<<___ if (!$win64);
3406 $code.=<<___ if ($win64);
3407 movaps 0x00(%rsp),%xmm6
3408 movaps %xmm0,0x00(%rsp) # clear stack
3409 movaps 0x10(%rsp),%xmm7
3410 movaps %xmm0,0x10(%rsp)
3411 movaps 0x20(%rsp),%xmm8
3412 movaps %xmm0,0x20(%rsp)
3413 movaps 0x30(%rsp),%xmm9
3414 movaps %xmm0,0x30(%rsp)
3415 movaps 0x40(%rsp),%xmm10
3416 movaps %xmm0,0x40(%rsp)
3417 movaps 0x50(%rsp),%xmm11
3418 movaps %xmm0,0x50(%rsp)
3419 movaps 0x60(%rsp),%xmm12
3420 movaps %xmm0,0x60(%rsp)
3421 movaps 0x70(%rsp),%xmm13
3422 movaps %xmm0,0x70(%rsp)
3423 movaps 0x80(%rsp),%xmm14
3424 movaps %xmm0,0x80(%rsp)
3425 movaps 0x90(%rsp),%xmm15
3426 movaps %xmm0,0x90(%rsp)
3427 lea 0xa0+0x28(%rsp),%rax
3439 .size aesni_ocb_decrypt,.-aesni_ocb_decrypt
3441 .type __ocb_decrypt6,\@abi-omnipotent
3444 pxor $rndkey0l,@offset[5] # offset_i ^ round[0]
3445 movdqu ($L_p,$i1),@offset[1]
3446 movdqa @offset[0],@offset[2]
3447 movdqu ($L_p,$i3),@offset[3]
3448 movdqa @offset[0],@offset[4]
3449 pxor @offset[5],@offset[0]
3450 movdqu ($L_p,$i5),@offset[5]
3451 pxor @offset[0],@offset[1]
3452 pxor @offset[0],$inout0 # input ^ round[0] ^ offset_i
3453 pxor @offset[1],@offset[2]
3454 pxor @offset[1],$inout1
3455 pxor @offset[2],@offset[3]
3456 pxor @offset[2],$inout2
3457 pxor @offset[3],@offset[4]
3458 pxor @offset[3],$inout3
3459 pxor @offset[4],@offset[5]
3460 pxor @offset[4],$inout4
3461 pxor @offset[5],$inout5
3462 $movkey 32($key_),$rndkey0
3464 lea 1($block_num),$i1 # even-numbered blocks
3465 lea 3($block_num),$i3
3466 lea 5($block_num),$i5
3468 pxor $rndkey0l,@offset[0] # offset_i ^ round[last]
3469 bsf $i1,$i1 # ntz(block)
3473 aesdec $rndkey1,$inout0
3474 aesdec $rndkey1,$inout1
3475 aesdec $rndkey1,$inout2
3476 aesdec $rndkey1,$inout3
3477 pxor $rndkey0l,@offset[1]
3478 pxor $rndkey0l,@offset[2]
3479 aesdec $rndkey1,$inout4
3480 pxor $rndkey0l,@offset[3]
3481 pxor $rndkey0l,@offset[4]
3482 aesdec $rndkey1,$inout5
3483 $movkey 48($key_),$rndkey1
3484 pxor $rndkey0l,@offset[5]
3486 aesdec $rndkey0,$inout0
3487 aesdec $rndkey0,$inout1
3488 aesdec $rndkey0,$inout2
3489 aesdec $rndkey0,$inout3
3490 aesdec $rndkey0,$inout4
3491 aesdec $rndkey0,$inout5
3492 $movkey 64($key_),$rndkey0
3493 shl \$4,$i1 # ntz(block) -> table offset
3499 aesdec $rndkey1,$inout0
3500 aesdec $rndkey1,$inout1
3501 aesdec $rndkey1,$inout2
3502 aesdec $rndkey1,$inout3
3503 aesdec $rndkey1,$inout4
3504 aesdec $rndkey1,$inout5
3505 $movkey ($key,%rax),$rndkey1
3508 aesdec $rndkey0,$inout0
3509 aesdec $rndkey0,$inout1
3510 aesdec $rndkey0,$inout2
3511 aesdec $rndkey0,$inout3
3512 aesdec $rndkey0,$inout4
3513 aesdec $rndkey0,$inout5
3514 $movkey -16($key,%rax),$rndkey0
3517 aesdec $rndkey1,$inout0
3518 aesdec $rndkey1,$inout1
3519 aesdec $rndkey1,$inout2
3520 aesdec $rndkey1,$inout3
3521 aesdec $rndkey1,$inout4
3522 aesdec $rndkey1,$inout5
3523 $movkey 16($key_),$rndkey1
3526 aesdeclast @offset[0],$inout0
3527 movdqu ($L_p),@offset[0] # L_0 for all odd-numbered blocks
3528 mov %r10,%rax # restore twisted rounds
3529 aesdeclast @offset[1],$inout1
3530 aesdeclast @offset[2],$inout2
3531 aesdeclast @offset[3],$inout3
3532 aesdeclast @offset[4],$inout4
3533 aesdeclast @offset[5],$inout5
3535 .size __ocb_decrypt6,.-__ocb_decrypt6
3537 .type __ocb_decrypt4,\@abi-omnipotent
3540 pxor $rndkey0l,@offset[5] # offset_i ^ round[0]
3541 movdqu ($L_p,$i1),@offset[1]
3542 movdqa @offset[0],@offset[2]
3543 movdqu ($L_p,$i3),@offset[3]
3544 pxor @offset[5],@offset[0]
3545 pxor @offset[0],@offset[1]
3546 pxor @offset[0],$inout0 # input ^ round[0] ^ offset_i
3547 pxor @offset[1],@offset[2]
3548 pxor @offset[1],$inout1
3549 pxor @offset[2],@offset[3]
3550 pxor @offset[2],$inout2
3551 pxor @offset[3],$inout3
3552 $movkey 32($key_),$rndkey0
3554 pxor $rndkey0l,@offset[0] # offset_i ^ round[last]
3555 pxor $rndkey0l,@offset[1]
3556 pxor $rndkey0l,@offset[2]
3557 pxor $rndkey0l,@offset[3]
3559 aesdec $rndkey1,$inout0
3560 aesdec $rndkey1,$inout1
3561 aesdec $rndkey1,$inout2
3562 aesdec $rndkey1,$inout3
3563 $movkey 48($key_),$rndkey1
3565 aesdec $rndkey0,$inout0
3566 aesdec $rndkey0,$inout1
3567 aesdec $rndkey0,$inout2
3568 aesdec $rndkey0,$inout3
3569 $movkey 64($key_),$rndkey0
3574 aesdec $rndkey1,$inout0
3575 aesdec $rndkey1,$inout1
3576 aesdec $rndkey1,$inout2
3577 aesdec $rndkey1,$inout3
3578 $movkey ($key,%rax),$rndkey1
3581 aesdec $rndkey0,$inout0
3582 aesdec $rndkey0,$inout1
3583 aesdec $rndkey0,$inout2
3584 aesdec $rndkey0,$inout3
3585 $movkey -16($key,%rax),$rndkey0
3588 aesdec $rndkey1,$inout0
3589 aesdec $rndkey1,$inout1
3590 aesdec $rndkey1,$inout2
3591 aesdec $rndkey1,$inout3
3592 $movkey 16($key_),$rndkey1
3593 mov %r10,%rax # restore twisted rounds
3595 aesdeclast @offset[0],$inout0
3596 aesdeclast @offset[1],$inout1
3597 aesdeclast @offset[2],$inout2
3598 aesdeclast @offset[3],$inout3
3600 .size __ocb_decrypt4,.-__ocb_decrypt4
3602 .type __ocb_decrypt1,\@abi-omnipotent
3605 pxor @offset[5],$inout5 # offset_i
3606 pxor $rndkey0l,$inout5 # offset_i ^ round[0]
3607 pxor $inout5,$inout0 # input ^ round[0] ^ offset_i
3608 $movkey 32($key_),$rndkey0
3610 aesdec $rndkey1,$inout0
3611 $movkey 48($key_),$rndkey1
3612 pxor $rndkey0l,$inout5 # offset_i ^ round[last]
3614 aesdec $rndkey0,$inout0
3615 $movkey 64($key_),$rndkey0
3620 aesdec $rndkey1,$inout0
3621 $movkey ($key,%rax),$rndkey1
3624 aesdec $rndkey0,$inout0
3625 $movkey -16($key,%rax),$rndkey0
3628 aesdec $rndkey1,$inout0
3629 $movkey 16($key_),$rndkey1 # redundant in tail
3630 mov %r10,%rax # restore twisted rounds
3632 aesdeclast $inout5,$inout0
3634 .size __ocb_decrypt1,.-__ocb_decrypt1
3638 ########################################################################
3639 # void $PREFIX_cbc_encrypt (const void *inp, void *out,
3640 # size_t length, const AES_KEY *key,
3641 # unsigned char *ivp,const int enc);
3643 my $frame_size = 0x10 + ($win64?0xa0:0); # used in decrypt
3644 my ($iv,$in0,$in1,$in2,$in3,$in4)=map("%xmm$_",(10..15));
3648 .globl ${PREFIX}_cbc_encrypt
3649 .type ${PREFIX}_cbc_encrypt,\@function,6
3651 ${PREFIX}_cbc_encrypt:
3652 test $len,$len # check length
3655 mov 240($key),$rnds_ # key->rounds
3656 mov $key,$key_ # backup $key
3657 test %r9d,%r9d # 6th argument
3659 #--------------------------- CBC ENCRYPT ------------------------------#
3660 movups ($ivp),$inout0 # load iv as initial state
3668 movups ($inp),$inout1 # load input
3670 #xorps $inout1,$inout0
3672 &aesni_generate1("enc",$key,$rounds,$inout0,$inout1);
3674 mov $rnds_,$rounds # restore $rounds
3675 mov $key_,$key # restore $key
3676 movups $inout0,0($out) # store output
3682 pxor $rndkey0,$rndkey0 # clear register bank
3683 pxor $rndkey1,$rndkey1
3684 movups $inout0,($ivp)
3685 pxor $inout0,$inout0
3686 pxor $inout1,$inout1
3690 mov $len,%rcx # zaps $key
3691 xchg $inp,$out # $inp is %rsi and $out is %rdi now
3692 .long 0x9066A4F3 # rep movsb
3693 mov \$16,%ecx # zero tail
3696 .long 0x9066AAF3 # rep stosb
3697 lea -16(%rdi),%rdi # rewind $out by 1 block
3698 mov $rnds_,$rounds # restore $rounds
3699 mov %rdi,%rsi # $inp and $out are the same
3700 mov $key_,$key # restore $key
3701 xor $len,$len # len=16
3702 jmp .Lcbc_enc_loop # one more spin
3703 \f#--------------------------- CBC DECRYPT ------------------------------#
3707 jne .Lcbc_decrypt_bulk
3709 # handle single block without allocating stack frame,
3710 # useful in ciphertext stealing mode
3711 movdqu ($inp),$inout0 # load input
3712 movdqu ($ivp),$inout1 # load iv
3713 movdqa $inout0,$inout2 # future iv
3715 &aesni_generate1("dec",$key,$rnds_);
3717 pxor $rndkey0,$rndkey0 # clear register bank
3718 pxor $rndkey1,$rndkey1
3719 movdqu $inout2,($ivp) # store iv
3720 xorps $inout1,$inout0 # ^=iv
3721 pxor $inout1,$inout1
3722 movups $inout0,($out) # store output
3723 pxor $inout0,$inout0
3729 sub \$$frame_size,%rsp
3730 and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
3732 $code.=<<___ if ($win64);
3733 movaps %xmm6,0x10(%rsp)
3734 movaps %xmm7,0x20(%rsp)
3735 movaps %xmm8,0x30(%rsp)
3736 movaps %xmm9,0x40(%rsp)
3737 movaps %xmm10,0x50(%rsp)
3738 movaps %xmm11,0x60(%rsp)
3739 movaps %xmm12,0x70(%rsp)
3740 movaps %xmm13,0x80(%rsp)
3741 movaps %xmm14,0x90(%rsp)
3742 movaps %xmm15,0xa0(%rsp)
3752 $movkey ($key),$rndkey0
3753 movdqu 0x00($inp),$inout0 # load input
3754 movdqu 0x10($inp),$inout1
3756 movdqu 0x20($inp),$inout2
3758 movdqu 0x30($inp),$inout3
3760 movdqu 0x40($inp),$inout4
3762 movdqu 0x50($inp),$inout5
3764 mov OPENSSL_ia32cap_P+4(%rip),%r9d
3766 jbe .Lcbc_dec_six_or_seven
3768 and \$`1<<26|1<<22`,%r9d # isolate XSAVE+MOVBE
3769 sub \$0x50,$len # $len is biased by -5*16
3770 cmp \$`1<<22`,%r9d # check for MOVBE without XSAVE
3771 je .Lcbc_dec_loop6_enter # [which denotes Atom Silvermont]
3772 sub \$0x20,$len # $len is biased by -7*16
3773 lea 0x70($key),$key # size optimization
3774 jmp .Lcbc_dec_loop8_enter
3777 movups $inout7,($out)
3779 .Lcbc_dec_loop8_enter:
3780 movdqu 0x60($inp),$inout6
3781 pxor $rndkey0,$inout0
3782 movdqu 0x70($inp),$inout7
3783 pxor $rndkey0,$inout1
3784 $movkey 0x10-0x70($key),$rndkey1
3785 pxor $rndkey0,$inout2
3787 cmp \$0x70,$len # is there at least 0x60 bytes ahead?
3788 pxor $rndkey0,$inout3
3789 pxor $rndkey0,$inout4
3790 pxor $rndkey0,$inout5
3791 pxor $rndkey0,$inout6
3793 aesdec $rndkey1,$inout0
3794 pxor $rndkey0,$inout7
3795 $movkey 0x20-0x70($key),$rndkey0
3796 aesdec $rndkey1,$inout1
3797 aesdec $rndkey1,$inout2
3798 aesdec $rndkey1,$inout3
3799 aesdec $rndkey1,$inout4
3800 aesdec $rndkey1,$inout5
3801 aesdec $rndkey1,$inout6
3804 aesdec $rndkey1,$inout7
3806 $movkey 0x30-0x70($key),$rndkey1
3808 for($i=1;$i<12;$i++) {
3809 my $rndkeyx = ($i&1)?$rndkey0:$rndkey1;
3810 $code.=<<___ if ($i==7);
3814 aesdec $rndkeyx,$inout0
3815 aesdec $rndkeyx,$inout1
3816 aesdec $rndkeyx,$inout2
3817 aesdec $rndkeyx,$inout3
3818 aesdec $rndkeyx,$inout4
3819 aesdec $rndkeyx,$inout5
3820 aesdec $rndkeyx,$inout6
3821 aesdec $rndkeyx,$inout7
3822 $movkey `0x30+0x10*$i`-0x70($key),$rndkeyx
3824 $code.=<<___ if ($i<6 || (!($i&1) && $i>7));
3827 $code.=<<___ if ($i==7);
3830 $code.=<<___ if ($i==9);
3833 $code.=<<___ if ($i==11);
3840 aesdec $rndkey1,$inout0
3841 aesdec $rndkey1,$inout1
3844 aesdec $rndkey1,$inout2
3845 aesdec $rndkey1,$inout3
3848 aesdec $rndkey1,$inout4
3849 aesdec $rndkey1,$inout5
3852 aesdec $rndkey1,$inout6
3853 aesdec $rndkey1,$inout7
3854 movdqu 0x50($inp),$rndkey1
3856 aesdeclast $iv,$inout0
3857 movdqu 0x60($inp),$iv # borrow $iv
3858 pxor $rndkey0,$rndkey1
3859 aesdeclast $in0,$inout1
3861 movdqu 0x70($inp),$rndkey0 # next IV
3862 aesdeclast $in1,$inout2
3864 movdqu 0x00($inp_),$in0
3865 aesdeclast $in2,$inout3
3866 aesdeclast $in3,$inout4
3867 movdqu 0x10($inp_),$in1
3868 movdqu 0x20($inp_),$in2
3869 aesdeclast $in4,$inout5
3870 aesdeclast $rndkey1,$inout6
3871 movdqu 0x30($inp_),$in3
3872 movdqu 0x40($inp_),$in4
3873 aesdeclast $iv,$inout7
3874 movdqa $rndkey0,$iv # return $iv
3875 movdqu 0x50($inp_),$rndkey1
3876 $movkey -0x70($key),$rndkey0
3878 movups $inout0,($out) # store output
3880 movups $inout1,0x10($out)
3882 movups $inout2,0x20($out)
3884 movups $inout3,0x30($out)
3886 movups $inout4,0x40($out)
3888 movups $inout5,0x50($out)
3889 movdqa $rndkey1,$inout5
3890 movups $inout6,0x60($out)
3896 movaps $inout7,$inout0
3897 lea -0x70($key),$key
3899 jle .Lcbc_dec_clear_tail_collected
3900 movups $inout7,($out)
3906 .Lcbc_dec_six_or_seven:
3910 movaps $inout5,$inout6
3911 call _aesni_decrypt6
3912 pxor $iv,$inout0 # ^= IV
3915 movdqu $inout0,($out)
3917 movdqu $inout1,0x10($out)
3918 pxor $inout1,$inout1 # clear register bank
3920 movdqu $inout2,0x20($out)
3921 pxor $inout2,$inout2
3923 movdqu $inout3,0x30($out)
3924 pxor $inout3,$inout3
3926 movdqu $inout4,0x40($out)
3927 pxor $inout4,$inout4
3929 movdqa $inout5,$inout0
3930 pxor $inout5,$inout5
3931 jmp .Lcbc_dec_tail_collected
3935 movups 0x60($inp),$inout6
3936 xorps $inout7,$inout7
3937 call _aesni_decrypt8
3938 movups 0x50($inp),$inout7
3939 pxor $iv,$inout0 # ^= IV
3940 movups 0x60($inp),$iv
3942 movdqu $inout0,($out)
3944 movdqu $inout1,0x10($out)
3945 pxor $inout1,$inout1 # clear register bank
3947 movdqu $inout2,0x20($out)
3948 pxor $inout2,$inout2
3950 movdqu $inout3,0x30($out)
3951 pxor $inout3,$inout3
3953 movdqu $inout4,0x40($out)
3954 pxor $inout4,$inout4
3955 pxor $inout7,$inout6
3956 movdqu $inout5,0x50($out)
3957 pxor $inout5,$inout5
3959 movdqa $inout6,$inout0
3960 pxor $inout6,$inout6
3961 pxor $inout7,$inout7
3962 jmp .Lcbc_dec_tail_collected
3966 movups $inout5,($out)
3968 movdqu 0x00($inp),$inout0 # load input
3969 movdqu 0x10($inp),$inout1
3971 movdqu 0x20($inp),$inout2
3973 movdqu 0x30($inp),$inout3
3975 movdqu 0x40($inp),$inout4
3977 movdqu 0x50($inp),$inout5
3979 .Lcbc_dec_loop6_enter:
3981 movdqa $inout5,$inout6
3983 call _aesni_decrypt6
3985 pxor $iv,$inout0 # ^= IV
3988 movdqu $inout0,($out)
3990 movdqu $inout1,0x10($out)
3992 movdqu $inout2,0x20($out)
3995 movdqu $inout3,0x30($out)
3998 movdqu $inout4,0x40($out)
4003 movdqa $inout5,$inout0
4005 jle .Lcbc_dec_clear_tail_collected
4006 movups $inout5,($out)
4010 movups ($inp),$inout0
4012 jbe .Lcbc_dec_one # $len is 1*16 or less
4014 movups 0x10($inp),$inout1
4017 jbe .Lcbc_dec_two # $len is 2*16 or less
4019 movups 0x20($inp),$inout2
4022 jbe .Lcbc_dec_three # $len is 3*16 or less
4024 movups 0x30($inp),$inout3
4027 jbe .Lcbc_dec_four # $len is 4*16 or less
4029 movups 0x40($inp),$inout4 # $len is 5*16 or less
4032 xorps $inout5,$inout5
4033 call _aesni_decrypt6
4037 movdqu $inout0,($out)
4039 movdqu $inout1,0x10($out)
4040 pxor $inout1,$inout1 # clear register bank
4042 movdqu $inout2,0x20($out)
4043 pxor $inout2,$inout2
4045 movdqu $inout3,0x30($out)
4046 pxor $inout3,$inout3
4048 movdqa $inout4,$inout0
4049 pxor $inout4,$inout4
4050 pxor $inout5,$inout5
4052 jmp .Lcbc_dec_tail_collected
4058 &aesni_generate1("dec",$key,$rounds);
4062 jmp .Lcbc_dec_tail_collected
4066 call _aesni_decrypt2
4070 movdqu $inout0,($out)
4071 movdqa $inout1,$inout0
4072 pxor $inout1,$inout1 # clear register bank
4074 jmp .Lcbc_dec_tail_collected
4078 call _aesni_decrypt3
4082 movdqu $inout0,($out)
4084 movdqu $inout1,0x10($out)
4085 pxor $inout1,$inout1 # clear register bank
4086 movdqa $inout2,$inout0
4087 pxor $inout2,$inout2
4089 jmp .Lcbc_dec_tail_collected
4093 call _aesni_decrypt4
4097 movdqu $inout0,($out)
4099 movdqu $inout1,0x10($out)
4100 pxor $inout1,$inout1 # clear register bank
4102 movdqu $inout2,0x20($out)
4103 pxor $inout2,$inout2
4104 movdqa $inout3,$inout0
4105 pxor $inout3,$inout3
4107 jmp .Lcbc_dec_tail_collected
4110 .Lcbc_dec_clear_tail_collected:
4111 pxor $inout1,$inout1 # clear register bank
4112 pxor $inout2,$inout2
4113 pxor $inout3,$inout3
4115 $code.=<<___ if (!$win64);
4116 pxor $inout4,$inout4 # %xmm6..9
4117 pxor $inout5,$inout5
4118 pxor $inout6,$inout6
4119 pxor $inout7,$inout7
4122 .Lcbc_dec_tail_collected:
4125 jnz .Lcbc_dec_tail_partial
4126 movups $inout0,($out)
4127 pxor $inout0,$inout0
4130 .Lcbc_dec_tail_partial:
4131 movaps $inout0,(%rsp)
4132 pxor $inout0,$inout0
4137 .long 0x9066A4F3 # rep movsb
4138 movdqa $inout0,(%rsp)
4141 xorps $rndkey0,$rndkey0 # %xmm0
4142 pxor $rndkey1,$rndkey1
4144 $code.=<<___ if ($win64);
4145 movaps 0x10(%rsp),%xmm6
4146 movaps %xmm0,0x10(%rsp) # clear stack
4147 movaps 0x20(%rsp),%xmm7
4148 movaps %xmm0,0x20(%rsp)
4149 movaps 0x30(%rsp),%xmm8
4150 movaps %xmm0,0x30(%rsp)
4151 movaps 0x40(%rsp),%xmm9
4152 movaps %xmm0,0x40(%rsp)
4153 movaps 0x50(%rsp),%xmm10
4154 movaps %xmm0,0x50(%rsp)
4155 movaps 0x60(%rsp),%xmm11
4156 movaps %xmm0,0x60(%rsp)
4157 movaps 0x70(%rsp),%xmm12
4158 movaps %xmm0,0x70(%rsp)
4159 movaps 0x80(%rsp),%xmm13
4160 movaps %xmm0,0x80(%rsp)
4161 movaps 0x90(%rsp),%xmm14
4162 movaps %xmm0,0x90(%rsp)
4163 movaps 0xa0(%rsp),%xmm15
4164 movaps %xmm0,0xa0(%rsp)
4171 .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
4174 # int ${PREFIX}_set_decrypt_key(const unsigned char *inp,
4175 # int bits, AES_KEY *key)
4177 # input: $inp user-supplied key
4178 # $bits $inp length in bits
4179 # $key pointer to key schedule
4180 # output: %eax 0 denoting success, -1 or -2 - failure (see C)
4181 # *$key key schedule
4183 { my ($inp,$bits,$key) = @_4args;
4187 .globl ${PREFIX}_set_decrypt_key
4188 .type ${PREFIX}_set_decrypt_key,\@abi-omnipotent
4190 ${PREFIX}_set_decrypt_key:
4191 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
4192 call __aesni_set_encrypt_key
4193 shl \$4,$bits # rounds-1 after _aesni_set_encrypt_key
4196 lea 16($key,$bits),$inp # points at the end of key schedule
4198 $movkey ($key),%xmm0 # just swap
4199 $movkey ($inp),%xmm1
4200 $movkey %xmm0,($inp)
4201 $movkey %xmm1,($key)
4206 $movkey ($key),%xmm0 # swap and inverse
4207 $movkey ($inp),%xmm1
4212 $movkey %xmm0,16($inp)
4213 $movkey %xmm1,-16($key)
4215 ja .Ldec_key_inverse
4217 $movkey ($key),%xmm0 # inverse middle
4220 $movkey %xmm0,($inp)
4225 .LSEH_end_set_decrypt_key:
4226 .size ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key
4229 # This is based on submission by
4231 # Huang Ying <ying.huang@intel.com>
4232 # Vinodh Gopal <vinodh.gopal@intel.com>
4235 # Agressively optimized in respect to aeskeygenassist's critical path
4236 # and is contained in %xmm0-5 to meet Win64 ABI requirement.
4238 # int ${PREFIX}_set_encrypt_key(const unsigned char *inp,
4239 # int bits, AES_KEY * const key);
4241 # input: $inp user-supplied key
4242 # $bits $inp length in bits
4243 # $key pointer to key schedule
4244 # output: %eax 0 denoting success, -1 or -2 - failure (see C)
4245 # $bits rounds-1 (used in aesni_set_decrypt_key)
4246 # *$key key schedule
4247 # $key pointer to key schedule (used in
4248 # aesni_set_decrypt_key)
4250 # Subroutine is frame-less, which means that only volatile registers
4251 # are used. Note that it's declared "abi-omnipotent", which means that
4252 # amount of volatile registers is smaller on Windows.
4255 .globl ${PREFIX}_set_encrypt_key
4256 .type ${PREFIX}_set_encrypt_key,\@abi-omnipotent
4258 ${PREFIX}_set_encrypt_key:
4259 __aesni_set_encrypt_key:
4260 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
4267 mov \$`1<<28|1<<11`,%r10d # AVX and XOP bits
4268 movups ($inp),%xmm0 # pull first 128 bits of *userKey
4269 xorps %xmm4,%xmm4 # low dword of xmm4 is assumed 0
4270 and OPENSSL_ia32cap_P+4(%rip),%r10d
4271 lea 16($key),%rax # %rax is used as modifiable copy of $key
4280 mov \$9,$bits # 10 rounds for 128-bit key
4281 cmp \$`1<<28`,%r10d # AVX, bit no XOP
4284 $movkey %xmm0,($key) # round 0
4285 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 1
4286 call .Lkey_expansion_128_cold
4287 aeskeygenassist \$0x2,%xmm0,%xmm1 # round 2
4288 call .Lkey_expansion_128
4289 aeskeygenassist \$0x4,%xmm0,%xmm1 # round 3
4290 call .Lkey_expansion_128
4291 aeskeygenassist \$0x8,%xmm0,%xmm1 # round 4
4292 call .Lkey_expansion_128
4293 aeskeygenassist \$0x10,%xmm0,%xmm1 # round 5
4294 call .Lkey_expansion_128
4295 aeskeygenassist \$0x20,%xmm0,%xmm1 # round 6
4296 call .Lkey_expansion_128
4297 aeskeygenassist \$0x40,%xmm0,%xmm1 # round 7
4298 call .Lkey_expansion_128
4299 aeskeygenassist \$0x80,%xmm0,%xmm1 # round 8
4300 call .Lkey_expansion_128
4301 aeskeygenassist \$0x1b,%xmm0,%xmm1 # round 9
4302 call .Lkey_expansion_128
4303 aeskeygenassist \$0x36,%xmm0,%xmm1 # round 10
4304 call .Lkey_expansion_128
4305 $movkey %xmm0,(%rax)
4306 mov $bits,80(%rax) # 240(%rdx)
4312 movdqa .Lkey_rotate(%rip),%xmm5
4314 movdqa .Lkey_rcon1(%rip),%xmm4
4322 aesenclast %xmm4,%xmm0
4335 movdqu %xmm0,-16(%rax)
4341 movdqa .Lkey_rcon1b(%rip),%xmm4
4344 aesenclast %xmm4,%xmm0
4360 aesenclast %xmm4,%xmm0
4371 movdqu %xmm0,16(%rax)
4373 mov $bits,96(%rax) # 240($key)
4379 movq 16($inp),%xmm2 # remaining 1/3 of *userKey
4380 mov \$11,$bits # 12 rounds for 192
4381 cmp \$`1<<28`,%r10d # AVX, but no XOP
4384 $movkey %xmm0,($key) # round 0
4385 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 1,2
4386 call .Lkey_expansion_192a_cold
4387 aeskeygenassist \$0x2,%xmm2,%xmm1 # round 2,3
4388 call .Lkey_expansion_192b
4389 aeskeygenassist \$0x4,%xmm2,%xmm1 # round 4,5
4390 call .Lkey_expansion_192a
4391 aeskeygenassist \$0x8,%xmm2,%xmm1 # round 5,6
4392 call .Lkey_expansion_192b
4393 aeskeygenassist \$0x10,%xmm2,%xmm1 # round 7,8
4394 call .Lkey_expansion_192a
4395 aeskeygenassist \$0x20,%xmm2,%xmm1 # round 8,9
4396 call .Lkey_expansion_192b
4397 aeskeygenassist \$0x40,%xmm2,%xmm1 # round 10,11
4398 call .Lkey_expansion_192a
4399 aeskeygenassist \$0x80,%xmm2,%xmm1 # round 11,12
4400 call .Lkey_expansion_192b
4401 $movkey %xmm0,(%rax)
4402 mov $bits,48(%rax) # 240(%rdx)
4408 movdqa .Lkey_rotate192(%rip),%xmm5
4409 movdqa .Lkey_rcon1(%rip),%xmm4
4419 aesenclast %xmm4,%xmm2
4431 pshufd \$0xff,%xmm0,%xmm3
4438 movdqu %xmm0,-16(%rax)
4443 mov $bits,32(%rax) # 240($key)
4449 movups 16($inp),%xmm2 # remaning half of *userKey
4450 mov \$13,$bits # 14 rounds for 256
4452 cmp \$`1<<28`,%r10d # AVX, but no XOP
4455 $movkey %xmm0,($key) # round 0
4456 $movkey %xmm2,16($key) # round 1
4457 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 2
4458 call .Lkey_expansion_256a_cold
4459 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 3
4460 call .Lkey_expansion_256b
4461 aeskeygenassist \$0x2,%xmm2,%xmm1 # round 4
4462 call .Lkey_expansion_256a
4463 aeskeygenassist \$0x2,%xmm0,%xmm1 # round 5
4464 call .Lkey_expansion_256b
4465 aeskeygenassist \$0x4,%xmm2,%xmm1 # round 6
4466 call .Lkey_expansion_256a
4467 aeskeygenassist \$0x4,%xmm0,%xmm1 # round 7
4468 call .Lkey_expansion_256b
4469 aeskeygenassist \$0x8,%xmm2,%xmm1 # round 8
4470 call .Lkey_expansion_256a
4471 aeskeygenassist \$0x8,%xmm0,%xmm1 # round 9
4472 call .Lkey_expansion_256b
4473 aeskeygenassist \$0x10,%xmm2,%xmm1 # round 10
4474 call .Lkey_expansion_256a
4475 aeskeygenassist \$0x10,%xmm0,%xmm1 # round 11
4476 call .Lkey_expansion_256b
4477 aeskeygenassist \$0x20,%xmm2,%xmm1 # round 12
4478 call .Lkey_expansion_256a
4479 aeskeygenassist \$0x20,%xmm0,%xmm1 # round 13
4480 call .Lkey_expansion_256b
4481 aeskeygenassist \$0x40,%xmm2,%xmm1 # round 14
4482 call .Lkey_expansion_256a
4483 $movkey %xmm0,(%rax)
4484 mov $bits,16(%rax) # 240(%rdx)
4490 movdqa .Lkey_rotate(%rip),%xmm5
4491 movdqa .Lkey_rcon1(%rip),%xmm4
4493 movdqu %xmm0,0($key)
4495 movdqu %xmm2,16($key)
4501 aesenclast %xmm4,%xmm2
4518 pshufd \$0xff,%xmm0,%xmm2
4520 aesenclast %xmm3,%xmm2
4531 movdqu %xmm2,16(%rax)
4538 mov $bits,16(%rax) # 240($key)
4554 .LSEH_end_set_encrypt_key:
4557 .Lkey_expansion_128:
4558 $movkey %xmm0,(%rax)
4560 .Lkey_expansion_128_cold:
4561 shufps \$0b00010000,%xmm0,%xmm4
4563 shufps \$0b10001100,%xmm0,%xmm4
4565 shufps \$0b11111111,%xmm1,%xmm1 # critical path
4570 .Lkey_expansion_192a:
4571 $movkey %xmm0,(%rax)
4573 .Lkey_expansion_192a_cold:
4575 .Lkey_expansion_192b_warm:
4576 shufps \$0b00010000,%xmm0,%xmm4
4579 shufps \$0b10001100,%xmm0,%xmm4
4582 pshufd \$0b01010101,%xmm1,%xmm1 # critical path
4585 pshufd \$0b11111111,%xmm0,%xmm3
4590 .Lkey_expansion_192b:
4592 shufps \$0b01000100,%xmm0,%xmm5
4593 $movkey %xmm5,(%rax)
4594 shufps \$0b01001110,%xmm2,%xmm3
4595 $movkey %xmm3,16(%rax)
4597 jmp .Lkey_expansion_192b_warm
4600 .Lkey_expansion_256a:
4601 $movkey %xmm2,(%rax)
4603 .Lkey_expansion_256a_cold:
4604 shufps \$0b00010000,%xmm0,%xmm4
4606 shufps \$0b10001100,%xmm0,%xmm4
4608 shufps \$0b11111111,%xmm1,%xmm1 # critical path
4613 .Lkey_expansion_256b:
4614 $movkey %xmm0,(%rax)
4617 shufps \$0b00010000,%xmm2,%xmm4
4619 shufps \$0b10001100,%xmm2,%xmm4
4621 shufps \$0b10101010,%xmm1,%xmm1 # critical path
4624 .size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
4625 .size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key
4632 .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
4640 .byte 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1
4642 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d
4644 .long 0x04070605,0x04070605,0x04070605,0x04070605
4648 .long 0x1b,0x1b,0x1b,0x1b
4650 .asciz "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
4654 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
4655 # CONTEXT *context,DISPATCHER_CONTEXT *disp)
4663 .extern __imp_RtlVirtualUnwind
4665 $code.=<<___ if ($PREFIX eq "aesni");
4666 .type ecb_ccm64_se_handler,\@abi-omnipotent
4668 ecb_ccm64_se_handler:
4680 mov 120($context),%rax # pull context->Rax
4681 mov 248($context),%rbx # pull context->Rip
4683 mov 8($disp),%rsi # disp->ImageBase
4684 mov 56($disp),%r11 # disp->HandlerData
4686 mov 0(%r11),%r10d # HandlerData[0]
4687 lea (%rsi,%r10),%r10 # prologue label
4688 cmp %r10,%rbx # context->Rip<prologue label
4689 jb .Lcommon_seh_tail
4691 mov 152($context),%rax # pull context->Rsp
4693 mov 4(%r11),%r10d # HandlerData[1]
4694 lea (%rsi,%r10),%r10 # epilogue label
4695 cmp %r10,%rbx # context->Rip>=epilogue label
4696 jae .Lcommon_seh_tail
4698 lea 0(%rax),%rsi # %xmm save area
4699 lea 512($context),%rdi # &context.Xmm6
4700 mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax)
4701 .long 0xa548f3fc # cld; rep movsq
4702 lea 0x58(%rax),%rax # adjust stack pointer
4704 jmp .Lcommon_seh_tail
4705 .size ecb_ccm64_se_handler,.-ecb_ccm64_se_handler
4707 .type ctr_xts_se_handler,\@abi-omnipotent
4721 mov 120($context),%rax # pull context->Rax
4722 mov 248($context),%rbx # pull context->Rip
4724 mov 8($disp),%rsi # disp->ImageBase
4725 mov 56($disp),%r11 # disp->HandlerData
4727 mov 0(%r11),%r10d # HandlerData[0]
4728 lea (%rsi,%r10),%r10 # prologue lable
4729 cmp %r10,%rbx # context->Rip<prologue label
4730 jb .Lcommon_seh_tail
4732 mov 152($context),%rax # pull context->Rsp
4734 mov 4(%r11),%r10d # HandlerData[1]
4735 lea (%rsi,%r10),%r10 # epilogue label
4736 cmp %r10,%rbx # context->Rip>=epilogue label
4737 jae .Lcommon_seh_tail
4739 mov 160($context),%rax # pull context->Rbp
4740 lea -0xa0(%rax),%rsi # %xmm save area
4741 lea 512($context),%rdi # & context.Xmm6
4742 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax)
4743 .long 0xa548f3fc # cld; rep movsq
4745 jmp .Lcommon_rbp_tail
4746 .size ctr_xts_se_handler,.-ctr_xts_se_handler
4748 .type ocb_se_handler,\@abi-omnipotent
4762 mov 120($context),%rax # pull context->Rax
4763 mov 248($context),%rbx # pull context->Rip
4765 mov 8($disp),%rsi # disp->ImageBase
4766 mov 56($disp),%r11 # disp->HandlerData
4768 mov 0(%r11),%r10d # HandlerData[0]
4769 lea (%rsi,%r10),%r10 # prologue lable
4770 cmp %r10,%rbx # context->Rip<prologue label
4771 jb .Lcommon_seh_tail
4773 mov 4(%r11),%r10d # HandlerData[1]
4774 lea (%rsi,%r10),%r10 # epilogue label
4775 cmp %r10,%rbx # context->Rip>=epilogue label
4776 jae .Lcommon_seh_tail
4778 mov 8(%r11),%r10d # HandlerData[2]
4779 lea (%rsi,%r10),%r10
4780 cmp %r10,%rbx # context->Rip>=pop label
4783 mov 152($context),%rax # pull context->Rsp
4785 lea (%rax),%rsi # %xmm save area
4786 lea 512($context),%rdi # & context.Xmm6
4787 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax)
4788 .long 0xa548f3fc # cld; rep movsq
4789 lea 0xa0+0x28(%rax),%rax
4798 mov %rbx,144($context) # restore context->Rbx
4799 mov %rbp,160($context) # restore context->Rbp
4800 mov %r12,216($context) # restore context->R12
4801 mov %r13,224($context) # restore context->R13
4802 mov %r14,232($context) # restore context->R14
4804 jmp .Lcommon_seh_tail
4805 .size ocb_se_handler,.-ocb_se_handler
4808 .type cbc_se_handler,\@abi-omnipotent
4822 mov 152($context),%rax # pull context->Rsp
4823 mov 248($context),%rbx # pull context->Rip
4825 lea .Lcbc_decrypt_bulk(%rip),%r10
4826 cmp %r10,%rbx # context->Rip<"prologue" label
4827 jb .Lcommon_seh_tail
4829 lea .Lcbc_decrypt_body(%rip),%r10
4830 cmp %r10,%rbx # context->Rip<cbc_decrypt_body
4831 jb .Lrestore_cbc_rax
4833 lea .Lcbc_ret(%rip),%r10
4834 cmp %r10,%rbx # context->Rip>="epilogue" label
4835 jae .Lcommon_seh_tail
4837 lea 16(%rax),%rsi # %xmm save area
4838 lea 512($context),%rdi # &context.Xmm6
4839 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax)
4840 .long 0xa548f3fc # cld; rep movsq
4843 mov 160($context),%rax # pull context->Rbp
4844 mov (%rax),%rbp # restore saved %rbp
4845 lea 8(%rax),%rax # adjust stack pointer
4846 mov %rbp,160($context) # restore context->Rbp
4847 jmp .Lcommon_seh_tail
4850 mov 120($context),%rax
4855 mov %rax,152($context) # restore context->Rsp
4856 mov %rsi,168($context) # restore context->Rsi
4857 mov %rdi,176($context) # restore context->Rdi
4859 mov 40($disp),%rdi # disp->ContextRecord
4860 mov $context,%rsi # context
4861 mov \$154,%ecx # sizeof(CONTEXT)
4862 .long 0xa548f3fc # cld; rep movsq
4865 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
4866 mov 8(%rsi),%rdx # arg2, disp->ImageBase
4867 mov 0(%rsi),%r8 # arg3, disp->ControlPc
4868 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
4869 mov 40(%rsi),%r10 # disp->ContextRecord
4870 lea 56(%rsi),%r11 # &disp->HandlerData
4871 lea 24(%rsi),%r12 # &disp->EstablisherFrame
4872 mov %r10,32(%rsp) # arg5
4873 mov %r11,40(%rsp) # arg6
4874 mov %r12,48(%rsp) # arg7
4875 mov %rcx,56(%rsp) # arg8, (NULL)
4876 call *__imp_RtlVirtualUnwind(%rip)
4878 mov \$1,%eax # ExceptionContinueSearch
4890 .size cbc_se_handler,.-cbc_se_handler
4895 $code.=<<___ if ($PREFIX eq "aesni");
4896 .rva .LSEH_begin_aesni_ecb_encrypt
4897 .rva .LSEH_end_aesni_ecb_encrypt
4900 .rva .LSEH_begin_aesni_ccm64_encrypt_blocks
4901 .rva .LSEH_end_aesni_ccm64_encrypt_blocks
4902 .rva .LSEH_info_ccm64_enc
4904 .rva .LSEH_begin_aesni_ccm64_decrypt_blocks
4905 .rva .LSEH_end_aesni_ccm64_decrypt_blocks
4906 .rva .LSEH_info_ccm64_dec
4908 .rva .LSEH_begin_aesni_ctr32_encrypt_blocks
4909 .rva .LSEH_end_aesni_ctr32_encrypt_blocks
4910 .rva .LSEH_info_ctr32
4912 .rva .LSEH_begin_aesni_xts_encrypt
4913 .rva .LSEH_end_aesni_xts_encrypt
4914 .rva .LSEH_info_xts_enc
4916 .rva .LSEH_begin_aesni_xts_decrypt
4917 .rva .LSEH_end_aesni_xts_decrypt
4918 .rva .LSEH_info_xts_dec
4920 .rva .LSEH_begin_aesni_ocb_encrypt
4921 .rva .LSEH_end_aesni_ocb_encrypt
4922 .rva .LSEH_info_ocb_enc
4924 .rva .LSEH_begin_aesni_ocb_decrypt
4925 .rva .LSEH_end_aesni_ocb_decrypt
4926 .rva .LSEH_info_ocb_dec
4929 .rva .LSEH_begin_${PREFIX}_cbc_encrypt
4930 .rva .LSEH_end_${PREFIX}_cbc_encrypt
4933 .rva ${PREFIX}_set_decrypt_key
4934 .rva .LSEH_end_set_decrypt_key
4937 .rva ${PREFIX}_set_encrypt_key
4938 .rva .LSEH_end_set_encrypt_key
4943 $code.=<<___ if ($PREFIX eq "aesni");
4946 .rva ecb_ccm64_se_handler
4947 .rva .Lecb_enc_body,.Lecb_enc_ret # HandlerData[]
4948 .LSEH_info_ccm64_enc:
4950 .rva ecb_ccm64_se_handler
4951 .rva .Lccm64_enc_body,.Lccm64_enc_ret # HandlerData[]
4952 .LSEH_info_ccm64_dec:
4954 .rva ecb_ccm64_se_handler
4955 .rva .Lccm64_dec_body,.Lccm64_dec_ret # HandlerData[]
4958 .rva ctr_xts_se_handler
4959 .rva .Lctr32_body,.Lctr32_epilogue # HandlerData[]
4962 .rva ctr_xts_se_handler
4963 .rva .Lxts_enc_body,.Lxts_enc_epilogue # HandlerData[]
4966 .rva ctr_xts_se_handler
4967 .rva .Lxts_dec_body,.Lxts_dec_epilogue # HandlerData[]
4971 .rva .Locb_enc_body,.Locb_enc_epilogue # HandlerData[]
4977 .rva .Locb_dec_body,.Locb_dec_epilogue # HandlerData[]
4986 .byte 0x01,0x04,0x01,0x00
4987 .byte 0x04,0x02,0x00,0x00 # sub rsp,8
4992 local *opcode=shift;
4996 $rex|=0x04 if($dst>=8);
4997 $rex|=0x01 if($src>=8);
4998 push @opcode,$rex|0x40 if($rex);
5005 if ($line=~/(aeskeygenassist)\s+\$([x0-9a-f]+),\s*%xmm([0-9]+),\s*%xmm([0-9]+)/) {
5006 rex(\@opcode,$4,$3);
5007 push @opcode,0x0f,0x3a,0xdf;
5008 push @opcode,0xc0|($3&7)|(($4&7)<<3); # ModR/M
5010 push @opcode,$c=~/^0/?oct($c):$c;
5011 return ".byte\t".join(',',@opcode);
5013 elsif ($line=~/(aes[a-z]+)\s+%xmm([0-9]+),\s*%xmm([0-9]+)/) {
5016 "aesenc" => 0xdc, "aesenclast" => 0xdd,
5017 "aesdec" => 0xde, "aesdeclast" => 0xdf
5019 return undef if (!defined($opcodelet{$1}));
5020 rex(\@opcode,$3,$2);
5021 push @opcode,0x0f,0x38,$opcodelet{$1};
5022 push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
5023 return ".byte\t".join(',',@opcode);
5025 elsif ($line=~/(aes[a-z]+)\s+([0x1-9a-fA-F]*)\(%rsp\),\s*%xmm([0-9]+)/) {
5027 "aesenc" => 0xdc, "aesenclast" => 0xdd,
5028 "aesdec" => 0xde, "aesdeclast" => 0xdf
5030 return undef if (!defined($opcodelet{$1}));
5032 push @opcode,0x44 if ($3>=8);
5033 push @opcode,0x0f,0x38,$opcodelet{$1};
5034 push @opcode,0x44|(($3&7)<<3),0x24; # ModR/M
5035 push @opcode,($off=~/^0/?oct($off):$off)&0xff;
5036 return ".byte\t".join(',',@opcode);
5042 ".byte 0x0f,0x38,0xf1,0x44,0x24,".shift;
5045 $code =~ s/\`([^\`]*)\`/eval($1)/gem;
5046 $code =~ s/\b(aes.*%xmm[0-9]+).*$/aesni($1)/gem;
5047 #$code =~ s/\bmovbe\s+%eax/bswap %eax; mov %eax/gm; # debugging artefact
5048 $code =~ s/\bmovbe\s+%eax,\s*([0-9]+)\(%rsp\)/movbe($1)/gem;
projects / openssl.git / blob