2 # Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # This module implements support for AES instructions as per PowerISA
18 # specification version 2.07, first implemented by POWER8 processor.
19 # The module is endian-agnostic in sense that it supports both big-
20 # and little-endian cases. Data alignment in parallelizable modes is
21 # handled with VSX loads and stores, which implies MSR.VSX flag being
22 # set. It should also be noted that ISA specification doesn't prohibit
23 # alignment exceptions for these instructions on page boundaries.
24 # Initially alignment was handled in pure AltiVec/VMX way [when data
25 # is aligned programmatically, which in turn guarantees exception-
26 # free execution], but it turned to hamper performance when vcipher
27 # instructions are interleaved. It's reckoned that eventual
28 # misalignment penalties at page boundaries are in average lower
29 # than additional overhead in pure AltiVec approach.
33 # Add XTS subroutine, 9x on little- and 12x improvement on big-endian
34 # systems were measured.
36 ######################################################################
37 # Current large-block performance in cycles per byte processed with
38 # 128-bit key (less is better).
40 # CBC en-/decrypt CTR XTS
41 # POWER8[le] 3.96/0.72 0.74 1.1
42 # POWER8[be] 3.75/0.65 0.66 1.0
43 # POWER9[le] 4.02/0.86 0.84 1.05
44 # POWER9[be] 3.99/0.78 0.79 0.97
46 # $output is the last argument if it looks like a file (it has an extension)
47 # $flavour is the first argument if it doesn't look like a file
48 $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
49 $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
51 if ($flavour =~ /64/) {
59 } elsif ($flavour =~ /32/) {
67 } else { die "nonsense $flavour"; }
69 $LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
71 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
72 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
73 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
74 die "can't locate ppc-xlate.pl";
76 open STDOUT,"| $^X $xlate $flavour \"$output\""
77 or die "can't call $xlate: $!";
85 #########################################################################
86 {{{ # Key setup procedures #
87 my ($inp,$bits,$out,$ptr,$cnt,$rounds)=map("r$_",(3..8));
88 my ($zero,$in0,$in1,$key,$rcon,$mask,$tmp)=map("v$_",(0..6));
89 my ($stage,$outperm,$outmask,$outhead,$outtail)=map("v$_",(7..11));
98 .long 0x01000000, 0x01000000, 0x01000000, 0x01000000 ?rev
99 .long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
100 .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
105 mflr $ptr #vvvvv "distance between . and rcon
110 .byte 0,12,0x14,0,0,0,0,0
111 .asciz "AES for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
113 .globl .${prefix}_set_encrypt_key
115 .${prefix}_set_encrypt_key:
118 $PUSH r11,$LRSAVE($sp)
122 beq- Lenc_key_abort # if ($inp==0) return -1;
124 beq- Lenc_key_abort # if ($out==0) return -1;
142 addi $inp,$inp,15 # 15 is not typo
143 lvsr $key,0,r9 # borrow $key
147 le?vspltisb $mask,0x0f # borrow $mask
149 le?vxor $key,$key,$mask # adjust for byte swap
152 vperm $in0,$in0,$in1,$key # align [and byte swap in LE]
154 vxor $zero,$zero,$zero
157 ?lvsr $outperm,0,$out
160 ?vperm $outmask,$zero,$outmask,$outperm
170 vperm $key,$in0,$in0,$mask # rotate-n-splat
171 vsldoi $tmp,$zero,$in0,12 # >>32
172 vperm $outtail,$in0,$in0,$outperm # rotate
173 vsel $stage,$outhead,$outtail,$outmask
174 vmr $outhead,$outtail
175 vcipherlast $key,$key,$rcon
180 vsldoi $tmp,$zero,$tmp,12 # >>32
182 vsldoi $tmp,$zero,$tmp,12 # >>32
184 vadduwm $rcon,$rcon,$rcon
188 lvx $rcon,0,$ptr # last two round keys
190 vperm $key,$in0,$in0,$mask # rotate-n-splat
191 vsldoi $tmp,$zero,$in0,12 # >>32
192 vperm $outtail,$in0,$in0,$outperm # rotate
193 vsel $stage,$outhead,$outtail,$outmask
194 vmr $outhead,$outtail
195 vcipherlast $key,$key,$rcon
200 vsldoi $tmp,$zero,$tmp,12 # >>32
202 vsldoi $tmp,$zero,$tmp,12 # >>32
204 vadduwm $rcon,$rcon,$rcon
207 vperm $key,$in0,$in0,$mask # rotate-n-splat
208 vsldoi $tmp,$zero,$in0,12 # >>32
209 vperm $outtail,$in0,$in0,$outperm # rotate
210 vsel $stage,$outhead,$outtail,$outmask
211 vmr $outhead,$outtail
212 vcipherlast $key,$key,$rcon
217 vsldoi $tmp,$zero,$tmp,12 # >>32
219 vsldoi $tmp,$zero,$tmp,12 # >>32
222 vperm $outtail,$in0,$in0,$outperm # rotate
223 vsel $stage,$outhead,$outtail,$outmask
224 vmr $outhead,$outtail
227 addi $inp,$out,15 # 15 is not typo
237 vperm $outtail,$in0,$in0,$outperm # rotate
238 vsel $stage,$outhead,$outtail,$outmask
239 vmr $outhead,$outtail
242 vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
243 vspltisb $key,8 # borrow $key
245 vsububm $mask,$mask,$key # adjust the mask
248 vperm $key,$in1,$in1,$mask # roate-n-splat
249 vsldoi $tmp,$zero,$in0,12 # >>32
250 vcipherlast $key,$key,$rcon
253 vsldoi $tmp,$zero,$tmp,12 # >>32
255 vsldoi $tmp,$zero,$tmp,12 # >>32
258 vsldoi $stage,$zero,$in1,8
261 vsldoi $in1,$zero,$in1,12 # >>32
262 vadduwm $rcon,$rcon,$rcon
266 vsldoi $stage,$stage,$in0,8
268 vperm $key,$in1,$in1,$mask # rotate-n-splat
269 vsldoi $tmp,$zero,$in0,12 # >>32
270 vperm $outtail,$stage,$stage,$outperm # rotate
271 vsel $stage,$outhead,$outtail,$outmask
272 vmr $outhead,$outtail
273 vcipherlast $key,$key,$rcon
277 vsldoi $stage,$in0,$in1,8
279 vsldoi $tmp,$zero,$tmp,12 # >>32
280 vperm $outtail,$stage,$stage,$outperm # rotate
281 vsel $stage,$outhead,$outtail,$outmask
282 vmr $outhead,$outtail
284 vsldoi $tmp,$zero,$tmp,12 # >>32
291 vsldoi $in1,$zero,$in1,12 # >>32
292 vadduwm $rcon,$rcon,$rcon
296 vperm $outtail,$in0,$in0,$outperm # rotate
297 vsel $stage,$outhead,$outtail,$outmask
298 vmr $outhead,$outtail
300 addi $inp,$out,15 # 15 is not typo
313 vperm $outtail,$in0,$in0,$outperm # rotate
314 vsel $stage,$outhead,$outtail,$outmask
315 vmr $outhead,$outtail
318 vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
322 vperm $key,$in1,$in1,$mask # rotate-n-splat
323 vsldoi $tmp,$zero,$in0,12 # >>32
324 vperm $outtail,$in1,$in1,$outperm # rotate
325 vsel $stage,$outhead,$outtail,$outmask
326 vmr $outhead,$outtail
327 vcipherlast $key,$key,$rcon
332 vsldoi $tmp,$zero,$tmp,12 # >>32
334 vsldoi $tmp,$zero,$tmp,12 # >>32
336 vadduwm $rcon,$rcon,$rcon
338 vperm $outtail,$in0,$in0,$outperm # rotate
339 vsel $stage,$outhead,$outtail,$outmask
340 vmr $outhead,$outtail
342 addi $inp,$out,15 # 15 is not typo
346 vspltw $key,$in0,3 # just splat
347 vsldoi $tmp,$zero,$in1,12 # >>32
351 vsldoi $tmp,$zero,$tmp,12 # >>32
353 vsldoi $tmp,$zero,$tmp,12 # >>32
361 lvx $in1,0,$inp # redundant in aligned case
362 vsel $in1,$outhead,$in1,$outmask
372 .byte 0,12,0x14,1,0,0,3,0
374 .size .${prefix}_set_encrypt_key,.-.${prefix}_set_encrypt_key
376 .globl .${prefix}_set_decrypt_key
378 .${prefix}_set_decrypt_key:
379 $STU $sp,-$FRAME($sp)
381 $PUSH r10,$FRAME+$LRSAVE($sp)
389 subi $inp,$out,240 # first round key
390 srwi $rounds,$rounds,1
391 add $out,$inp,$cnt # last round key
415 xor r3,r3,r3 # return value
420 .byte 0,12,4,1,0x80,0,3,0
422 .size .${prefix}_set_decrypt_key,.-.${prefix}_set_decrypt_key
425 #########################################################################
426 {{{ # Single block en- and decrypt procedures #
429 my $n = $dir eq "de" ? "n" : "";
430 my ($inp,$out,$key,$rounds,$idx)=map("r$_",(3..7));
433 .globl .${prefix}_${dir}crypt
435 .${prefix}_${dir}crypt:
436 lwz $rounds,240($key)
439 li $idx,15 # 15 is not typo
445 lvsl v2,0,$inp # inpperm
447 ?lvsl v3,0,r11 # outperm
450 vperm v0,v0,v1,v2 # align [and byte swap in LE]
452 ?lvsl v5,0,$key # keyperm
453 srwi $rounds,$rounds,1
456 subi $rounds,$rounds,1
457 ?vperm v1,v1,v2,v5 # align round key
479 v${n}cipherlast v0,v0,v1
483 li $idx,15 # 15 is not typo
484 ?vperm v2,v1,v2,v3 # outmask
486 lvx v1,0,$out # outhead
487 vperm v0,v0,v0,v3 # rotate [and byte swap in LE]
497 .byte 0,12,0x14,0,0,0,3,0
499 .size .${prefix}_${dir}crypt,.-.${prefix}_${dir}crypt
505 #########################################################################
506 {{{ # CBC en- and decrypt procedures #
507 my ($inp,$out,$len,$key,$ivp,$enc,$rounds,$idx)=map("r$_",(3..10));
508 my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
509 my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm)=
512 .globl .${prefix}_cbc_encrypt
514 .${prefix}_cbc_encrypt:
518 cmpwi $enc,0 # test direction
524 vxor $rndkey0,$rndkey0,$rndkey0
525 le?vspltisb $tmp,0x0f
527 lvx $ivec,0,$ivp # load [unaligned] iv
529 lvx $inptail,$idx,$ivp
530 le?vxor $inpperm,$inpperm,$tmp
531 vperm $ivec,$ivec,$inptail,$inpperm
534 ?lvsl $keyperm,0,$key # prepare for unaligned key
535 lwz $rounds,240($key)
537 lvsr $inpperm,0,r11 # prepare for unaligned load
539 addi $inp,$inp,15 # 15 is not typo
540 le?vxor $inpperm,$inpperm,$tmp
542 ?lvsr $outperm,0,$out # prepare for unaligned store
545 ?vperm $outmask,$rndkey0,$outmask,$outperm
546 le?vxor $outperm,$outperm,$tmp
548 srwi $rounds,$rounds,1
550 subi $rounds,$rounds,1
558 subi $len,$len,16 # len-=16
561 vperm $inout,$inout,$inptail,$inpperm
562 lvx $rndkey1,$idx,$key
564 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
565 vxor $inout,$inout,$rndkey0
566 lvx $rndkey0,$idx,$key
568 vxor $inout,$inout,$ivec
571 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
572 vcipher $inout,$inout,$rndkey1
573 lvx $rndkey1,$idx,$key
575 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
576 vcipher $inout,$inout,$rndkey0
577 lvx $rndkey0,$idx,$key
581 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
582 vcipher $inout,$inout,$rndkey1
583 lvx $rndkey1,$idx,$key
585 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
586 vcipherlast $ivec,$inout,$rndkey0
589 vperm $tmp,$ivec,$ivec,$outperm
590 vsel $inout,$outhead,$tmp,$outmask
601 bge _aesp8_cbc_decrypt8x
606 subi $len,$len,16 # len-=16
609 vperm $tmp,$tmp,$inptail,$inpperm
610 lvx $rndkey1,$idx,$key
612 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
613 vxor $inout,$tmp,$rndkey0
614 lvx $rndkey0,$idx,$key
618 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
619 vncipher $inout,$inout,$rndkey1
620 lvx $rndkey1,$idx,$key
622 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
623 vncipher $inout,$inout,$rndkey0
624 lvx $rndkey0,$idx,$key
628 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
629 vncipher $inout,$inout,$rndkey1
630 lvx $rndkey1,$idx,$key
632 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
633 vncipherlast $inout,$inout,$rndkey0
636 vxor $inout,$inout,$ivec
638 vperm $tmp,$inout,$inout,$outperm
639 vsel $inout,$outhead,$tmp,$outmask
647 lvx $inout,0,$out # redundant in aligned case
648 vsel $inout,$outhead,$inout,$outmask
651 neg $enc,$ivp # write [unaligned] iv
652 li $idx,15 # 15 is not typo
653 vxor $rndkey0,$rndkey0,$rndkey0
655 le?vspltisb $tmp,0x0f
656 ?lvsl $outperm,0,$enc
657 ?vperm $outmask,$rndkey0,$outmask,$outperm
658 le?vxor $outperm,$outperm,$tmp
660 vperm $ivec,$ivec,$ivec,$outperm
661 vsel $inout,$outhead,$ivec,$outmask
662 lvx $inptail,$idx,$ivp
664 vsel $inout,$ivec,$inptail,$outmask
665 stvx $inout,$idx,$ivp
670 .byte 0,12,0x14,0,0,0,6,0
673 #########################################################################
674 {{ # Optimized CBC decrypt procedure #
676 my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
677 $x00=0 if ($flavour =~ /osx/);
678 my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10..13));
679 my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(14..21));
680 my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
681 # v26-v31 last 6 round keys
682 my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
686 _aesp8_cbc_decrypt8x:
687 $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
688 li r10,`$FRAME+8*16+15`
689 li r11,`$FRAME+8*16+31`
690 stvx v20,r10,$sp # ABI says so
713 stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
715 $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
717 $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
719 $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
721 $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
723 $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
725 $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
729 subi $rounds,$rounds,3 # -4 in total
730 subi $len,$len,128 # bias
732 lvx $rndkey0,$x00,$key # load key schedule
736 ?vperm $rndkey0,$rndkey0,v30,$keyperm
737 addi $key_,$sp,$FRAME+15
741 ?vperm v24,v30,v31,$keyperm
744 stvx v24,$x00,$key_ # off-load round[1]
745 ?vperm v25,v31,v30,$keyperm
747 stvx v25,$x10,$key_ # off-load round[2]
748 addi $key_,$key_,0x20
749 bdnz Load_cbc_dec_key
752 ?vperm v24,v30,v31,$keyperm
754 stvx v24,$x00,$key_ # off-load round[3]
755 ?vperm v25,v31,v26,$keyperm
757 stvx v25,$x10,$key_ # off-load round[4]
758 addi $key_,$sp,$FRAME+15 # rewind $key_
759 ?vperm v26,v26,v27,$keyperm
761 ?vperm v27,v27,v28,$keyperm
763 ?vperm v28,v28,v29,$keyperm
765 ?vperm v29,v29,v30,$keyperm
766 lvx $out0,$x70,$key # borrow $out0
767 ?vperm v30,v30,v31,$keyperm
768 lvx v24,$x00,$key_ # pre-load round[1]
769 ?vperm v31,v31,$out0,$keyperm
770 lvx v25,$x10,$key_ # pre-load round[2]
772 #lvx $inptail,0,$inp # "caller" already did this
773 #addi $inp,$inp,15 # 15 is not typo
774 subi $inp,$inp,15 # undo "caller"
777 lvx_u $in0,$x00,$inp # load first 8 "words"
778 le?lvsl $inpperm,0,$idx
779 le?vspltisb $tmp,0x0f
781 le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
783 le?vperm $in0,$in0,$in0,$inpperm
785 le?vperm $in1,$in1,$in1,$inpperm
787 le?vperm $in2,$in2,$in2,$inpperm
788 vxor $out0,$in0,$rndkey0
790 le?vperm $in3,$in3,$in3,$inpperm
791 vxor $out1,$in1,$rndkey0
793 le?vperm $in4,$in4,$in4,$inpperm
794 vxor $out2,$in2,$rndkey0
797 le?vperm $in5,$in5,$in5,$inpperm
798 vxor $out3,$in3,$rndkey0
799 le?vperm $in6,$in6,$in6,$inpperm
800 vxor $out4,$in4,$rndkey0
801 le?vperm $in7,$in7,$in7,$inpperm
802 vxor $out5,$in5,$rndkey0
803 vxor $out6,$in6,$rndkey0
804 vxor $out7,$in7,$rndkey0
810 vncipher $out0,$out0,v24
811 vncipher $out1,$out1,v24
812 vncipher $out2,$out2,v24
813 vncipher $out3,$out3,v24
814 vncipher $out4,$out4,v24
815 vncipher $out5,$out5,v24
816 vncipher $out6,$out6,v24
817 vncipher $out7,$out7,v24
818 lvx v24,$x20,$key_ # round[3]
819 addi $key_,$key_,0x20
821 vncipher $out0,$out0,v25
822 vncipher $out1,$out1,v25
823 vncipher $out2,$out2,v25
824 vncipher $out3,$out3,v25
825 vncipher $out4,$out4,v25
826 vncipher $out5,$out5,v25
827 vncipher $out6,$out6,v25
828 vncipher $out7,$out7,v25
829 lvx v25,$x10,$key_ # round[4]
832 subic $len,$len,128 # $len-=128
833 vncipher $out0,$out0,v24
834 vncipher $out1,$out1,v24
835 vncipher $out2,$out2,v24
836 vncipher $out3,$out3,v24
837 vncipher $out4,$out4,v24
838 vncipher $out5,$out5,v24
839 vncipher $out6,$out6,v24
840 vncipher $out7,$out7,v24
842 subfe. r0,r0,r0 # borrow?-1:0
843 vncipher $out0,$out0,v25
844 vncipher $out1,$out1,v25
845 vncipher $out2,$out2,v25
846 vncipher $out3,$out3,v25
847 vncipher $out4,$out4,v25
848 vncipher $out5,$out5,v25
849 vncipher $out6,$out6,v25
850 vncipher $out7,$out7,v25
853 vncipher $out0,$out0,v26
854 vncipher $out1,$out1,v26
855 vncipher $out2,$out2,v26
856 vncipher $out3,$out3,v26
857 vncipher $out4,$out4,v26
858 vncipher $out5,$out5,v26
859 vncipher $out6,$out6,v26
860 vncipher $out7,$out7,v26
862 add $inp,$inp,r0 # $inp is adjusted in such
863 # way that at exit from the
864 # loop inX-in7 are loaded
866 vncipher $out0,$out0,v27
867 vncipher $out1,$out1,v27
868 vncipher $out2,$out2,v27
869 vncipher $out3,$out3,v27
870 vncipher $out4,$out4,v27
871 vncipher $out5,$out5,v27
872 vncipher $out6,$out6,v27
873 vncipher $out7,$out7,v27
875 addi $key_,$sp,$FRAME+15 # rewind $key_
876 vncipher $out0,$out0,v28
877 vncipher $out1,$out1,v28
878 vncipher $out2,$out2,v28
879 vncipher $out3,$out3,v28
880 vncipher $out4,$out4,v28
881 vncipher $out5,$out5,v28
882 vncipher $out6,$out6,v28
883 vncipher $out7,$out7,v28
884 lvx v24,$x00,$key_ # re-pre-load round[1]
886 vncipher $out0,$out0,v29
887 vncipher $out1,$out1,v29
888 vncipher $out2,$out2,v29
889 vncipher $out3,$out3,v29
890 vncipher $out4,$out4,v29
891 vncipher $out5,$out5,v29
892 vncipher $out6,$out6,v29
893 vncipher $out7,$out7,v29
894 lvx v25,$x10,$key_ # re-pre-load round[2]
896 vncipher $out0,$out0,v30
897 vxor $ivec,$ivec,v31 # xor with last round key
898 vncipher $out1,$out1,v30
900 vncipher $out2,$out2,v30
902 vncipher $out3,$out3,v30
904 vncipher $out4,$out4,v30
906 vncipher $out5,$out5,v30
908 vncipher $out6,$out6,v30
910 vncipher $out7,$out7,v30
913 vncipherlast $out0,$out0,$ivec
914 vncipherlast $out1,$out1,$in0
915 lvx_u $in0,$x00,$inp # load next input block
916 vncipherlast $out2,$out2,$in1
918 vncipherlast $out3,$out3,$in2
919 le?vperm $in0,$in0,$in0,$inpperm
921 vncipherlast $out4,$out4,$in3
922 le?vperm $in1,$in1,$in1,$inpperm
924 vncipherlast $out5,$out5,$in4
925 le?vperm $in2,$in2,$in2,$inpperm
927 vncipherlast $out6,$out6,$in5
928 le?vperm $in3,$in3,$in3,$inpperm
930 vncipherlast $out7,$out7,$in6
931 le?vperm $in4,$in4,$in4,$inpperm
934 le?vperm $in5,$in5,$in5,$inpperm
938 le?vperm $out0,$out0,$out0,$inpperm
939 le?vperm $out1,$out1,$out1,$inpperm
940 stvx_u $out0,$x00,$out
941 le?vperm $in6,$in6,$in6,$inpperm
942 vxor $out0,$in0,$rndkey0
943 le?vperm $out2,$out2,$out2,$inpperm
944 stvx_u $out1,$x10,$out
945 le?vperm $in7,$in7,$in7,$inpperm
946 vxor $out1,$in1,$rndkey0
947 le?vperm $out3,$out3,$out3,$inpperm
948 stvx_u $out2,$x20,$out
949 vxor $out2,$in2,$rndkey0
950 le?vperm $out4,$out4,$out4,$inpperm
951 stvx_u $out3,$x30,$out
952 vxor $out3,$in3,$rndkey0
953 le?vperm $out5,$out5,$out5,$inpperm
954 stvx_u $out4,$x40,$out
955 vxor $out4,$in4,$rndkey0
956 le?vperm $out6,$out6,$out6,$inpperm
957 stvx_u $out5,$x50,$out
958 vxor $out5,$in5,$rndkey0
959 le?vperm $out7,$out7,$out7,$inpperm
960 stvx_u $out6,$x60,$out
961 vxor $out6,$in6,$rndkey0
962 stvx_u $out7,$x70,$out
964 vxor $out7,$in7,$rndkey0
967 beq Loop_cbc_dec8x # did $len-=128 borrow?
974 Loop_cbc_dec8x_tail: # up to 7 "words" tail...
975 vncipher $out1,$out1,v24
976 vncipher $out2,$out2,v24
977 vncipher $out3,$out3,v24
978 vncipher $out4,$out4,v24
979 vncipher $out5,$out5,v24
980 vncipher $out6,$out6,v24
981 vncipher $out7,$out7,v24
982 lvx v24,$x20,$key_ # round[3]
983 addi $key_,$key_,0x20
985 vncipher $out1,$out1,v25
986 vncipher $out2,$out2,v25
987 vncipher $out3,$out3,v25
988 vncipher $out4,$out4,v25
989 vncipher $out5,$out5,v25
990 vncipher $out6,$out6,v25
991 vncipher $out7,$out7,v25
992 lvx v25,$x10,$key_ # round[4]
993 bdnz Loop_cbc_dec8x_tail
995 vncipher $out1,$out1,v24
996 vncipher $out2,$out2,v24
997 vncipher $out3,$out3,v24
998 vncipher $out4,$out4,v24
999 vncipher $out5,$out5,v24
1000 vncipher $out6,$out6,v24
1001 vncipher $out7,$out7,v24
1003 vncipher $out1,$out1,v25
1004 vncipher $out2,$out2,v25
1005 vncipher $out3,$out3,v25
1006 vncipher $out4,$out4,v25
1007 vncipher $out5,$out5,v25
1008 vncipher $out6,$out6,v25
1009 vncipher $out7,$out7,v25
1011 vncipher $out1,$out1,v26
1012 vncipher $out2,$out2,v26
1013 vncipher $out3,$out3,v26
1014 vncipher $out4,$out4,v26
1015 vncipher $out5,$out5,v26
1016 vncipher $out6,$out6,v26
1017 vncipher $out7,$out7,v26
1019 vncipher $out1,$out1,v27
1020 vncipher $out2,$out2,v27
1021 vncipher $out3,$out3,v27
1022 vncipher $out4,$out4,v27
1023 vncipher $out5,$out5,v27
1024 vncipher $out6,$out6,v27
1025 vncipher $out7,$out7,v27
1027 vncipher $out1,$out1,v28
1028 vncipher $out2,$out2,v28
1029 vncipher $out3,$out3,v28
1030 vncipher $out4,$out4,v28
1031 vncipher $out5,$out5,v28
1032 vncipher $out6,$out6,v28
1033 vncipher $out7,$out7,v28
1035 vncipher $out1,$out1,v29
1036 vncipher $out2,$out2,v29
1037 vncipher $out3,$out3,v29
1038 vncipher $out4,$out4,v29
1039 vncipher $out5,$out5,v29
1040 vncipher $out6,$out6,v29
1041 vncipher $out7,$out7,v29
1043 vncipher $out1,$out1,v30
1044 vxor $ivec,$ivec,v31 # last round key
1045 vncipher $out2,$out2,v30
1047 vncipher $out3,$out3,v30
1049 vncipher $out4,$out4,v30
1051 vncipher $out5,$out5,v30
1053 vncipher $out6,$out6,v30
1055 vncipher $out7,$out7,v30
1058 cmplwi $len,32 # switch($len)
1063 blt Lcbc_dec8x_three
1072 vncipherlast $out1,$out1,$ivec
1073 vncipherlast $out2,$out2,$in1
1074 vncipherlast $out3,$out3,$in2
1075 vncipherlast $out4,$out4,$in3
1076 vncipherlast $out5,$out5,$in4
1077 vncipherlast $out6,$out6,$in5
1078 vncipherlast $out7,$out7,$in6
1081 le?vperm $out1,$out1,$out1,$inpperm
1082 le?vperm $out2,$out2,$out2,$inpperm
1083 stvx_u $out1,$x00,$out
1084 le?vperm $out3,$out3,$out3,$inpperm
1085 stvx_u $out2,$x10,$out
1086 le?vperm $out4,$out4,$out4,$inpperm
1087 stvx_u $out3,$x20,$out
1088 le?vperm $out5,$out5,$out5,$inpperm
1089 stvx_u $out4,$x30,$out
1090 le?vperm $out6,$out6,$out6,$inpperm
1091 stvx_u $out5,$x40,$out
1092 le?vperm $out7,$out7,$out7,$inpperm
1093 stvx_u $out6,$x50,$out
1094 stvx_u $out7,$x60,$out
1100 vncipherlast $out2,$out2,$ivec
1101 vncipherlast $out3,$out3,$in2
1102 vncipherlast $out4,$out4,$in3
1103 vncipherlast $out5,$out5,$in4
1104 vncipherlast $out6,$out6,$in5
1105 vncipherlast $out7,$out7,$in6
1108 le?vperm $out2,$out2,$out2,$inpperm
1109 le?vperm $out3,$out3,$out3,$inpperm
1110 stvx_u $out2,$x00,$out
1111 le?vperm $out4,$out4,$out4,$inpperm
1112 stvx_u $out3,$x10,$out
1113 le?vperm $out5,$out5,$out5,$inpperm
1114 stvx_u $out4,$x20,$out
1115 le?vperm $out6,$out6,$out6,$inpperm
1116 stvx_u $out5,$x30,$out
1117 le?vperm $out7,$out7,$out7,$inpperm
1118 stvx_u $out6,$x40,$out
1119 stvx_u $out7,$x50,$out
1125 vncipherlast $out3,$out3,$ivec
1126 vncipherlast $out4,$out4,$in3
1127 vncipherlast $out5,$out5,$in4
1128 vncipherlast $out6,$out6,$in5
1129 vncipherlast $out7,$out7,$in6
1132 le?vperm $out3,$out3,$out3,$inpperm
1133 le?vperm $out4,$out4,$out4,$inpperm
1134 stvx_u $out3,$x00,$out
1135 le?vperm $out5,$out5,$out5,$inpperm
1136 stvx_u $out4,$x10,$out
1137 le?vperm $out6,$out6,$out6,$inpperm
1138 stvx_u $out5,$x20,$out
1139 le?vperm $out7,$out7,$out7,$inpperm
1140 stvx_u $out6,$x30,$out
1141 stvx_u $out7,$x40,$out
1147 vncipherlast $out4,$out4,$ivec
1148 vncipherlast $out5,$out5,$in4
1149 vncipherlast $out6,$out6,$in5
1150 vncipherlast $out7,$out7,$in6
1153 le?vperm $out4,$out4,$out4,$inpperm
1154 le?vperm $out5,$out5,$out5,$inpperm
1155 stvx_u $out4,$x00,$out
1156 le?vperm $out6,$out6,$out6,$inpperm
1157 stvx_u $out5,$x10,$out
1158 le?vperm $out7,$out7,$out7,$inpperm
1159 stvx_u $out6,$x20,$out
1160 stvx_u $out7,$x30,$out
1166 vncipherlast $out5,$out5,$ivec
1167 vncipherlast $out6,$out6,$in5
1168 vncipherlast $out7,$out7,$in6
1171 le?vperm $out5,$out5,$out5,$inpperm
1172 le?vperm $out6,$out6,$out6,$inpperm
1173 stvx_u $out5,$x00,$out
1174 le?vperm $out7,$out7,$out7,$inpperm
1175 stvx_u $out6,$x10,$out
1176 stvx_u $out7,$x20,$out
1182 vncipherlast $out6,$out6,$ivec
1183 vncipherlast $out7,$out7,$in6
1186 le?vperm $out6,$out6,$out6,$inpperm
1187 le?vperm $out7,$out7,$out7,$inpperm
1188 stvx_u $out6,$x00,$out
1189 stvx_u $out7,$x10,$out
1195 vncipherlast $out7,$out7,$ivec
1198 le?vperm $out7,$out7,$out7,$inpperm
1203 le?vperm $ivec,$ivec,$ivec,$inpperm
1204 stvx_u $ivec,0,$ivp # write [unaligned] iv
1208 stvx $inpperm,r10,$sp # wipe copies of round keys
1210 stvx $inpperm,r11,$sp
1212 stvx $inpperm,r10,$sp
1214 stvx $inpperm,r11,$sp
1216 stvx $inpperm,r10,$sp
1218 stvx $inpperm,r11,$sp
1220 stvx $inpperm,r10,$sp
1222 stvx $inpperm,r11,$sp
1226 lvx v20,r10,$sp # ABI says so
1248 $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
1249 $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
1250 $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
1251 $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
1252 $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
1253 $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
1254 addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
1257 .byte 0,12,0x04,0,0x80,6,6,0
1259 .size .${prefix}_cbc_encrypt,.-.${prefix}_cbc_encrypt
1263 #########################################################################
1264 {{{ # CTR procedure[s] #
1265 my ($inp,$out,$len,$key,$ivp,$x10,$rounds,$idx)=map("r$_",(3..10));
1266 my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
1267 my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm,$one)=
1272 .globl .${prefix}_ctr32_encrypt_blocks
1274 .${prefix}_ctr32_encrypt_blocks:
1283 vxor $rndkey0,$rndkey0,$rndkey0
1284 le?vspltisb $tmp,0x0f
1286 lvx $ivec,0,$ivp # load [unaligned] iv
1287 lvsl $inpperm,0,$ivp
1288 lvx $inptail,$idx,$ivp
1290 le?vxor $inpperm,$inpperm,$tmp
1291 vperm $ivec,$ivec,$inptail,$inpperm
1292 vsldoi $one,$rndkey0,$one,1
1295 ?lvsl $keyperm,0,$key # prepare for unaligned key
1296 lwz $rounds,240($key)
1298 lvsr $inpperm,0,r11 # prepare for unaligned load
1300 addi $inp,$inp,15 # 15 is not typo
1301 le?vxor $inpperm,$inpperm,$tmp
1303 srwi $rounds,$rounds,1
1305 subi $rounds,$rounds,1
1308 bge _aesp8_ctr32_encrypt8x
1310 ?lvsr $outperm,0,$out # prepare for unaligned store
1311 vspltisb $outmask,-1
1313 ?vperm $outmask,$rndkey0,$outmask,$outperm
1314 le?vxor $outperm,$outperm,$tmp
1318 lvx $rndkey1,$idx,$key
1320 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1321 vxor $inout,$ivec,$rndkey0
1322 lvx $rndkey0,$idx,$key
1328 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
1329 vcipher $inout,$inout,$rndkey1
1330 lvx $rndkey1,$idx,$key
1332 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1333 vcipher $inout,$inout,$rndkey0
1334 lvx $rndkey0,$idx,$key
1338 vadduwm $ivec,$ivec,$one
1342 subic. $len,$len,1 # blocks--
1344 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
1345 vcipher $inout,$inout,$rndkey1
1346 lvx $rndkey1,$idx,$key
1347 vperm $dat,$dat,$inptail,$inpperm
1349 ?vperm $rndkey1,$rndkey0,$rndkey1,$keyperm
1351 vxor $dat,$dat,$rndkey1 # last round key
1352 vcipherlast $inout,$inout,$dat
1354 lvx $rndkey1,$idx,$key
1356 vperm $inout,$inout,$inout,$outperm
1357 vsel $dat,$outhead,$inout,$outmask
1359 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1361 vxor $inout,$ivec,$rndkey0
1362 lvx $rndkey0,$idx,$key
1369 lvx $inout,0,$out # redundant in aligned case
1370 vsel $inout,$outhead,$inout,$outmask
1376 .byte 0,12,0x14,0,0,0,6,0
1379 #########################################################################
1380 {{ # Optimized CTR procedure #
1382 my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
1383 $x00=0 if ($flavour =~ /osx/);
1384 my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10,12..14));
1385 my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(15..22));
1386 my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
1387 # v26-v31 last 6 round keys
1388 my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
1389 my ($two,$three,$four)=($outhead,$outperm,$outmask);
1393 _aesp8_ctr32_encrypt8x:
1394 $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
1395 li r10,`$FRAME+8*16+15`
1396 li r11,`$FRAME+8*16+31`
1397 stvx v20,r10,$sp # ABI says so
1420 stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
1422 $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
1424 $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
1426 $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
1428 $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
1430 $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
1432 $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
1436 subi $rounds,$rounds,3 # -4 in total
1438 lvx $rndkey0,$x00,$key # load key schedule
1442 ?vperm $rndkey0,$rndkey0,v30,$keyperm
1443 addi $key_,$sp,$FRAME+15
1447 ?vperm v24,v30,v31,$keyperm
1450 stvx v24,$x00,$key_ # off-load round[1]
1451 ?vperm v25,v31,v30,$keyperm
1453 stvx v25,$x10,$key_ # off-load round[2]
1454 addi $key_,$key_,0x20
1455 bdnz Load_ctr32_enc_key
1458 ?vperm v24,v30,v31,$keyperm
1460 stvx v24,$x00,$key_ # off-load round[3]
1461 ?vperm v25,v31,v26,$keyperm
1463 stvx v25,$x10,$key_ # off-load round[4]
1464 addi $key_,$sp,$FRAME+15 # rewind $key_
1465 ?vperm v26,v26,v27,$keyperm
1467 ?vperm v27,v27,v28,$keyperm
1469 ?vperm v28,v28,v29,$keyperm
1471 ?vperm v29,v29,v30,$keyperm
1472 lvx $out0,$x70,$key # borrow $out0
1473 ?vperm v30,v30,v31,$keyperm
1474 lvx v24,$x00,$key_ # pre-load round[1]
1475 ?vperm v31,v31,$out0,$keyperm
1476 lvx v25,$x10,$key_ # pre-load round[2]
1478 vadduwm $two,$one,$one
1479 subi $inp,$inp,15 # undo "caller"
1482 vadduwm $out1,$ivec,$one # counter values ...
1483 vadduwm $out2,$ivec,$two
1484 vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
1486 vadduwm $out3,$out1,$two
1487 vxor $out1,$out1,$rndkey0
1488 le?lvsl $inpperm,0,$idx
1489 vadduwm $out4,$out2,$two
1490 vxor $out2,$out2,$rndkey0
1491 le?vspltisb $tmp,0x0f
1492 vadduwm $out5,$out3,$two
1493 vxor $out3,$out3,$rndkey0
1494 le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
1495 vadduwm $out6,$out4,$two
1496 vxor $out4,$out4,$rndkey0
1497 vadduwm $out7,$out5,$two
1498 vxor $out5,$out5,$rndkey0
1499 vadduwm $ivec,$out6,$two # next counter value
1500 vxor $out6,$out6,$rndkey0
1501 vxor $out7,$out7,$rndkey0
1507 vcipher $out0,$out0,v24
1508 vcipher $out1,$out1,v24
1509 vcipher $out2,$out2,v24
1510 vcipher $out3,$out3,v24
1511 vcipher $out4,$out4,v24
1512 vcipher $out5,$out5,v24
1513 vcipher $out6,$out6,v24
1514 vcipher $out7,$out7,v24
1515 Loop_ctr32_enc8x_middle:
1516 lvx v24,$x20,$key_ # round[3]
1517 addi $key_,$key_,0x20
1519 vcipher $out0,$out0,v25
1520 vcipher $out1,$out1,v25
1521 vcipher $out2,$out2,v25
1522 vcipher $out3,$out3,v25
1523 vcipher $out4,$out4,v25
1524 vcipher $out5,$out5,v25
1525 vcipher $out6,$out6,v25
1526 vcipher $out7,$out7,v25
1527 lvx v25,$x10,$key_ # round[4]
1528 bdnz Loop_ctr32_enc8x
1530 subic r11,$len,256 # $len-256, borrow $key_
1531 vcipher $out0,$out0,v24
1532 vcipher $out1,$out1,v24
1533 vcipher $out2,$out2,v24
1534 vcipher $out3,$out3,v24
1535 vcipher $out4,$out4,v24
1536 vcipher $out5,$out5,v24
1537 vcipher $out6,$out6,v24
1538 vcipher $out7,$out7,v24
1540 subfe r0,r0,r0 # borrow?-1:0
1541 vcipher $out0,$out0,v25
1542 vcipher $out1,$out1,v25
1543 vcipher $out2,$out2,v25
1544 vcipher $out3,$out3,v25
1545 vcipher $out4,$out4,v25
1546 vcipher $out5,$out5,v25
1547 vcipher $out6,$out6,v25
1548 vcipher $out7,$out7,v25
1551 addi $key_,$sp,$FRAME+15 # rewind $key_
1552 vcipher $out0,$out0,v26
1553 vcipher $out1,$out1,v26
1554 vcipher $out2,$out2,v26
1555 vcipher $out3,$out3,v26
1556 vcipher $out4,$out4,v26
1557 vcipher $out5,$out5,v26
1558 vcipher $out6,$out6,v26
1559 vcipher $out7,$out7,v26
1560 lvx v24,$x00,$key_ # re-pre-load round[1]
1562 subic $len,$len,129 # $len-=129
1563 vcipher $out0,$out0,v27
1564 addi $len,$len,1 # $len-=128 really
1565 vcipher $out1,$out1,v27
1566 vcipher $out2,$out2,v27
1567 vcipher $out3,$out3,v27
1568 vcipher $out4,$out4,v27
1569 vcipher $out5,$out5,v27
1570 vcipher $out6,$out6,v27
1571 vcipher $out7,$out7,v27
1572 lvx v25,$x10,$key_ # re-pre-load round[2]
1574 vcipher $out0,$out0,v28
1575 lvx_u $in0,$x00,$inp # load input
1576 vcipher $out1,$out1,v28
1577 lvx_u $in1,$x10,$inp
1578 vcipher $out2,$out2,v28
1579 lvx_u $in2,$x20,$inp
1580 vcipher $out3,$out3,v28
1581 lvx_u $in3,$x30,$inp
1582 vcipher $out4,$out4,v28
1583 lvx_u $in4,$x40,$inp
1584 vcipher $out5,$out5,v28
1585 lvx_u $in5,$x50,$inp
1586 vcipher $out6,$out6,v28
1587 lvx_u $in6,$x60,$inp
1588 vcipher $out7,$out7,v28
1589 lvx_u $in7,$x70,$inp
1592 vcipher $out0,$out0,v29
1593 le?vperm $in0,$in0,$in0,$inpperm
1594 vcipher $out1,$out1,v29
1595 le?vperm $in1,$in1,$in1,$inpperm
1596 vcipher $out2,$out2,v29
1597 le?vperm $in2,$in2,$in2,$inpperm
1598 vcipher $out3,$out3,v29
1599 le?vperm $in3,$in3,$in3,$inpperm
1600 vcipher $out4,$out4,v29
1601 le?vperm $in4,$in4,$in4,$inpperm
1602 vcipher $out5,$out5,v29
1603 le?vperm $in5,$in5,$in5,$inpperm
1604 vcipher $out6,$out6,v29
1605 le?vperm $in6,$in6,$in6,$inpperm
1606 vcipher $out7,$out7,v29
1607 le?vperm $in7,$in7,$in7,$inpperm
1609 add $inp,$inp,r0 # $inp is adjusted in such
1610 # way that at exit from the
1611 # loop inX-in7 are loaded
1613 subfe. r0,r0,r0 # borrow?-1:0
1614 vcipher $out0,$out0,v30
1615 vxor $in0,$in0,v31 # xor with last round key
1616 vcipher $out1,$out1,v30
1618 vcipher $out2,$out2,v30
1620 vcipher $out3,$out3,v30
1622 vcipher $out4,$out4,v30
1624 vcipher $out5,$out5,v30
1626 vcipher $out6,$out6,v30
1628 vcipher $out7,$out7,v30
1631 bne Lctr32_enc8x_break # did $len-129 borrow?
1633 vcipherlast $in0,$out0,$in0
1634 vcipherlast $in1,$out1,$in1
1635 vadduwm $out1,$ivec,$one # counter values ...
1636 vcipherlast $in2,$out2,$in2
1637 vadduwm $out2,$ivec,$two
1638 vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
1639 vcipherlast $in3,$out3,$in3
1640 vadduwm $out3,$out1,$two
1641 vxor $out1,$out1,$rndkey0
1642 vcipherlast $in4,$out4,$in4
1643 vadduwm $out4,$out2,$two
1644 vxor $out2,$out2,$rndkey0
1645 vcipherlast $in5,$out5,$in5
1646 vadduwm $out5,$out3,$two
1647 vxor $out3,$out3,$rndkey0
1648 vcipherlast $in6,$out6,$in6
1649 vadduwm $out6,$out4,$two
1650 vxor $out4,$out4,$rndkey0
1651 vcipherlast $in7,$out7,$in7
1652 vadduwm $out7,$out5,$two
1653 vxor $out5,$out5,$rndkey0
1654 le?vperm $in0,$in0,$in0,$inpperm
1655 vadduwm $ivec,$out6,$two # next counter value
1656 vxor $out6,$out6,$rndkey0
1657 le?vperm $in1,$in1,$in1,$inpperm
1658 vxor $out7,$out7,$rndkey0
1661 vcipher $out0,$out0,v24
1662 stvx_u $in0,$x00,$out
1663 le?vperm $in2,$in2,$in2,$inpperm
1664 vcipher $out1,$out1,v24
1665 stvx_u $in1,$x10,$out
1666 le?vperm $in3,$in3,$in3,$inpperm
1667 vcipher $out2,$out2,v24
1668 stvx_u $in2,$x20,$out
1669 le?vperm $in4,$in4,$in4,$inpperm
1670 vcipher $out3,$out3,v24
1671 stvx_u $in3,$x30,$out
1672 le?vperm $in5,$in5,$in5,$inpperm
1673 vcipher $out4,$out4,v24
1674 stvx_u $in4,$x40,$out
1675 le?vperm $in6,$in6,$in6,$inpperm
1676 vcipher $out5,$out5,v24
1677 stvx_u $in5,$x50,$out
1678 le?vperm $in7,$in7,$in7,$inpperm
1679 vcipher $out6,$out6,v24
1680 stvx_u $in6,$x60,$out
1681 vcipher $out7,$out7,v24
1682 stvx_u $in7,$x70,$out
1685 b Loop_ctr32_enc8x_middle
1690 blt Lctr32_enc8x_one
1692 beq Lctr32_enc8x_two
1694 blt Lctr32_enc8x_three
1696 beq Lctr32_enc8x_four
1698 blt Lctr32_enc8x_five
1700 beq Lctr32_enc8x_six
1702 blt Lctr32_enc8x_seven
1705 vcipherlast $out0,$out0,$in0
1706 vcipherlast $out1,$out1,$in1
1707 vcipherlast $out2,$out2,$in2
1708 vcipherlast $out3,$out3,$in3
1709 vcipherlast $out4,$out4,$in4
1710 vcipherlast $out5,$out5,$in5
1711 vcipherlast $out6,$out6,$in6
1712 vcipherlast $out7,$out7,$in7
1714 le?vperm $out0,$out0,$out0,$inpperm
1715 le?vperm $out1,$out1,$out1,$inpperm
1716 stvx_u $out0,$x00,$out
1717 le?vperm $out2,$out2,$out2,$inpperm
1718 stvx_u $out1,$x10,$out
1719 le?vperm $out3,$out3,$out3,$inpperm
1720 stvx_u $out2,$x20,$out
1721 le?vperm $out4,$out4,$out4,$inpperm
1722 stvx_u $out3,$x30,$out
1723 le?vperm $out5,$out5,$out5,$inpperm
1724 stvx_u $out4,$x40,$out
1725 le?vperm $out6,$out6,$out6,$inpperm
1726 stvx_u $out5,$x50,$out
1727 le?vperm $out7,$out7,$out7,$inpperm
1728 stvx_u $out6,$x60,$out
1729 stvx_u $out7,$x70,$out
1735 vcipherlast $out0,$out0,$in1
1736 vcipherlast $out1,$out1,$in2
1737 vcipherlast $out2,$out2,$in3
1738 vcipherlast $out3,$out3,$in4
1739 vcipherlast $out4,$out4,$in5
1740 vcipherlast $out5,$out5,$in6
1741 vcipherlast $out6,$out6,$in7
1743 le?vperm $out0,$out0,$out0,$inpperm
1744 le?vperm $out1,$out1,$out1,$inpperm
1745 stvx_u $out0,$x00,$out
1746 le?vperm $out2,$out2,$out2,$inpperm
1747 stvx_u $out1,$x10,$out
1748 le?vperm $out3,$out3,$out3,$inpperm
1749 stvx_u $out2,$x20,$out
1750 le?vperm $out4,$out4,$out4,$inpperm
1751 stvx_u $out3,$x30,$out
1752 le?vperm $out5,$out5,$out5,$inpperm
1753 stvx_u $out4,$x40,$out
1754 le?vperm $out6,$out6,$out6,$inpperm
1755 stvx_u $out5,$x50,$out
1756 stvx_u $out6,$x60,$out
1762 vcipherlast $out0,$out0,$in2
1763 vcipherlast $out1,$out1,$in3
1764 vcipherlast $out2,$out2,$in4
1765 vcipherlast $out3,$out3,$in5
1766 vcipherlast $out4,$out4,$in6
1767 vcipherlast $out5,$out5,$in7
1769 le?vperm $out0,$out0,$out0,$inpperm
1770 le?vperm $out1,$out1,$out1,$inpperm
1771 stvx_u $out0,$x00,$out
1772 le?vperm $out2,$out2,$out2,$inpperm
1773 stvx_u $out1,$x10,$out
1774 le?vperm $out3,$out3,$out3,$inpperm
1775 stvx_u $out2,$x20,$out
1776 le?vperm $out4,$out4,$out4,$inpperm
1777 stvx_u $out3,$x30,$out
1778 le?vperm $out5,$out5,$out5,$inpperm
1779 stvx_u $out4,$x40,$out
1780 stvx_u $out5,$x50,$out
1786 vcipherlast $out0,$out0,$in3
1787 vcipherlast $out1,$out1,$in4
1788 vcipherlast $out2,$out2,$in5
1789 vcipherlast $out3,$out3,$in6
1790 vcipherlast $out4,$out4,$in7
1792 le?vperm $out0,$out0,$out0,$inpperm
1793 le?vperm $out1,$out1,$out1,$inpperm
1794 stvx_u $out0,$x00,$out
1795 le?vperm $out2,$out2,$out2,$inpperm
1796 stvx_u $out1,$x10,$out
1797 le?vperm $out3,$out3,$out3,$inpperm
1798 stvx_u $out2,$x20,$out
1799 le?vperm $out4,$out4,$out4,$inpperm
1800 stvx_u $out3,$x30,$out
1801 stvx_u $out4,$x40,$out
1807 vcipherlast $out0,$out0,$in4
1808 vcipherlast $out1,$out1,$in5
1809 vcipherlast $out2,$out2,$in6
1810 vcipherlast $out3,$out3,$in7
1812 le?vperm $out0,$out0,$out0,$inpperm
1813 le?vperm $out1,$out1,$out1,$inpperm
1814 stvx_u $out0,$x00,$out
1815 le?vperm $out2,$out2,$out2,$inpperm
1816 stvx_u $out1,$x10,$out
1817 le?vperm $out3,$out3,$out3,$inpperm
1818 stvx_u $out2,$x20,$out
1819 stvx_u $out3,$x30,$out
1825 vcipherlast $out0,$out0,$in5
1826 vcipherlast $out1,$out1,$in6
1827 vcipherlast $out2,$out2,$in7
1829 le?vperm $out0,$out0,$out0,$inpperm
1830 le?vperm $out1,$out1,$out1,$inpperm
1831 stvx_u $out0,$x00,$out
1832 le?vperm $out2,$out2,$out2,$inpperm
1833 stvx_u $out1,$x10,$out
1834 stvx_u $out2,$x20,$out
1840 vcipherlast $out0,$out0,$in6
1841 vcipherlast $out1,$out1,$in7
1843 le?vperm $out0,$out0,$out0,$inpperm
1844 le?vperm $out1,$out1,$out1,$inpperm
1845 stvx_u $out0,$x00,$out
1846 stvx_u $out1,$x10,$out
1852 vcipherlast $out0,$out0,$in7
1854 le?vperm $out0,$out0,$out0,$inpperm
1861 stvx $inpperm,r10,$sp # wipe copies of round keys
1863 stvx $inpperm,r11,$sp
1865 stvx $inpperm,r10,$sp
1867 stvx $inpperm,r11,$sp
1869 stvx $inpperm,r10,$sp
1871 stvx $inpperm,r11,$sp
1873 stvx $inpperm,r10,$sp
1875 stvx $inpperm,r11,$sp
1879 lvx v20,r10,$sp # ABI says so
1901 $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
1902 $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
1903 $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
1904 $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
1905 $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
1906 $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
1907 addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
1910 .byte 0,12,0x04,0,0x80,6,6,0
1912 .size .${prefix}_ctr32_encrypt_blocks,.-.${prefix}_ctr32_encrypt_blocks
1916 #########################################################################
1917 {{{ # XTS procedures #
1918 # int aes_p8_xts_[en|de]crypt(const char *inp, char *out, size_t len, #
1919 # const AES_KEY *key1, const AES_KEY *key2, #
1920 # [const] unsigned char iv[16]); #
1921 # If $key2 is NULL, then a "tweak chaining" mode is engaged, in which #
1922 # input tweak value is assumed to be encrypted already, and last tweak #
1923 # value, one suitable for consecutive call on same chunk of data, is #
1924 # written back to original buffer. In addition, in "tweak chaining" #
1925 # mode only complete input blocks are processed. #
1927 my ($inp,$out,$len,$key1,$key2,$ivp,$rounds,$idx) = map("r$_",(3..10));
1928 my ($rndkey0,$rndkey1,$inout) = map("v$_",(0..2));
1929 my ($output,$inptail,$inpperm,$leperm,$keyperm) = map("v$_",(3..7));
1930 my ($tweak,$seven,$eighty7,$tmp,$tweak1) = map("v$_",(8..12));
1931 my $taillen = $key2;
1933 ($inp,$idx) = ($idx,$inp); # reassign
1936 .globl .${prefix}_xts_encrypt
1938 .${prefix}_xts_encrypt:
1939 mr $inp,r3 # reassign
1945 mfspr r12,256 # save vrsave
1949 vspltisb $seven,0x07 # 0x070707..07
1950 le?lvsl $leperm,r11,r11
1951 le?vspltisb $tmp,0x0f
1952 le?vxor $leperm,$leperm,$seven
1955 lvx $tweak,0,$ivp # load [unaligned] iv
1956 lvsl $inpperm,0,$ivp
1957 lvx $inptail,$idx,$ivp
1958 le?vxor $inpperm,$inpperm,$tmp
1959 vperm $tweak,$tweak,$inptail,$inpperm
1962 lvsr $inpperm,0,r11 # prepare for unaligned load
1964 addi $inp,$inp,15 # 15 is not typo
1965 le?vxor $inpperm,$inpperm,$tmp
1967 ${UCMP}i $key2,0 # key2==NULL?
1968 beq Lxts_enc_no_key2
1970 ?lvsl $keyperm,0,$key2 # prepare for unaligned key
1971 lwz $rounds,240($key2)
1972 srwi $rounds,$rounds,1
1973 subi $rounds,$rounds,1
1976 lvx $rndkey0,0,$key2
1977 lvx $rndkey1,$idx,$key2
1979 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1980 vxor $tweak,$tweak,$rndkey0
1981 lvx $rndkey0,$idx,$key2
1986 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
1987 vcipher $tweak,$tweak,$rndkey1
1988 lvx $rndkey1,$idx,$key2
1990 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
1991 vcipher $tweak,$tweak,$rndkey0
1992 lvx $rndkey0,$idx,$key2
1996 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
1997 vcipher $tweak,$tweak,$rndkey1
1998 lvx $rndkey1,$idx,$key2
1999 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2000 vcipherlast $tweak,$tweak,$rndkey0
2002 li $ivp,0 # don't chain the tweak
2007 and $len,$len,$idx # in "tweak chaining"
2008 # mode only complete
2009 # blocks are processed
2014 ?lvsl $keyperm,0,$key1 # prepare for unaligned key
2015 lwz $rounds,240($key1)
2016 srwi $rounds,$rounds,1
2017 subi $rounds,$rounds,1
2020 vslb $eighty7,$seven,$seven # 0x808080..80
2021 vor $eighty7,$eighty7,$seven # 0x878787..87
2022 vspltisb $tmp,1 # 0x010101..01
2023 vsldoi $eighty7,$eighty7,$tmp,15 # 0x870101..01
2026 bge _aesp8_xts_encrypt6x
2028 andi. $taillen,$len,15
2030 subi $taillen,$taillen,16
2035 lvx $rndkey0,0,$key1
2036 lvx $rndkey1,$idx,$key1
2038 vperm $inout,$inout,$inptail,$inpperm
2039 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2040 vxor $inout,$inout,$tweak
2041 vxor $inout,$inout,$rndkey0
2042 lvx $rndkey0,$idx,$key1
2049 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2050 vcipher $inout,$inout,$rndkey1
2051 lvx $rndkey1,$idx,$key1
2053 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2054 vcipher $inout,$inout,$rndkey0
2055 lvx $rndkey0,$idx,$key1
2059 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2060 vcipher $inout,$inout,$rndkey1
2061 lvx $rndkey1,$idx,$key1
2063 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2064 vxor $rndkey0,$rndkey0,$tweak
2065 vcipherlast $output,$inout,$rndkey0
2067 le?vperm $tmp,$output,$output,$leperm
2069 le?stvx_u $tmp,0,$out
2070 be?stvx_u $output,0,$out
2079 lvx $rndkey0,0,$key1
2080 lvx $rndkey1,$idx,$key1
2088 vsrab $tmp,$tweak,$seven # next tweak value
2089 vaddubm $tweak,$tweak,$tweak
2090 vsldoi $tmp,$tmp,$tmp,15
2091 vand $tmp,$tmp,$eighty7
2092 vxor $tweak,$tweak,$tmp
2094 vperm $inout,$inout,$inptail,$inpperm
2095 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2096 vxor $inout,$inout,$tweak
2097 vxor $output,$output,$rndkey0 # just in case $len<16
2098 vxor $inout,$inout,$rndkey0
2099 lvx $rndkey0,$idx,$key1
2106 vxor $output,$output,$tweak
2107 lvsr $inpperm,0,$len # $inpperm is no longer needed
2108 vxor $inptail,$inptail,$inptail # $inptail is no longer needed
2110 vperm $inptail,$inptail,$tmp,$inpperm
2111 vsel $inout,$inout,$output,$inptail
2120 bdnz Loop_xts_enc_steal
2123 b Loop_xts_enc # one more time...
2129 vsrab $tmp,$tweak,$seven # next tweak value
2130 vaddubm $tweak,$tweak,$tweak
2131 vsldoi $tmp,$tmp,$tmp,15
2132 vand $tmp,$tmp,$eighty7
2133 vxor $tweak,$tweak,$tmp
2135 le?vperm $tweak,$tweak,$tweak,$leperm
2136 stvx_u $tweak,0,$ivp
2139 mtspr 256,r12 # restore vrsave
2143 .byte 0,12,0x04,0,0x80,6,6,0
2145 .size .${prefix}_xts_encrypt,.-.${prefix}_xts_encrypt
2147 .globl .${prefix}_xts_decrypt
2149 .${prefix}_xts_decrypt:
2150 mr $inp,r3 # reassign
2156 mfspr r12,256 # save vrsave
2165 vspltisb $seven,0x07 # 0x070707..07
2166 le?lvsl $leperm,r11,r11
2167 le?vspltisb $tmp,0x0f
2168 le?vxor $leperm,$leperm,$seven
2171 lvx $tweak,0,$ivp # load [unaligned] iv
2172 lvsl $inpperm,0,$ivp
2173 lvx $inptail,$idx,$ivp
2174 le?vxor $inpperm,$inpperm,$tmp
2175 vperm $tweak,$tweak,$inptail,$inpperm
2178 lvsr $inpperm,0,r11 # prepare for unaligned load
2180 addi $inp,$inp,15 # 15 is not typo
2181 le?vxor $inpperm,$inpperm,$tmp
2183 ${UCMP}i $key2,0 # key2==NULL?
2184 beq Lxts_dec_no_key2
2186 ?lvsl $keyperm,0,$key2 # prepare for unaligned key
2187 lwz $rounds,240($key2)
2188 srwi $rounds,$rounds,1
2189 subi $rounds,$rounds,1
2192 lvx $rndkey0,0,$key2
2193 lvx $rndkey1,$idx,$key2
2195 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2196 vxor $tweak,$tweak,$rndkey0
2197 lvx $rndkey0,$idx,$key2
2202 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2203 vcipher $tweak,$tweak,$rndkey1
2204 lvx $rndkey1,$idx,$key2
2206 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2207 vcipher $tweak,$tweak,$rndkey0
2208 lvx $rndkey0,$idx,$key2
2212 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2213 vcipher $tweak,$tweak,$rndkey1
2214 lvx $rndkey1,$idx,$key2
2215 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2216 vcipherlast $tweak,$tweak,$rndkey0
2218 li $ivp,0 # don't chain the tweak
2224 add $len,$len,$idx # in "tweak chaining"
2225 # mode only complete
2226 # blocks are processed
2231 ?lvsl $keyperm,0,$key1 # prepare for unaligned key
2232 lwz $rounds,240($key1)
2233 srwi $rounds,$rounds,1
2234 subi $rounds,$rounds,1
2237 vslb $eighty7,$seven,$seven # 0x808080..80
2238 vor $eighty7,$eighty7,$seven # 0x878787..87
2239 vspltisb $tmp,1 # 0x010101..01
2240 vsldoi $eighty7,$eighty7,$tmp,15 # 0x870101..01
2243 bge _aesp8_xts_decrypt6x
2245 lvx $rndkey0,0,$key1
2246 lvx $rndkey1,$idx,$key1
2248 vperm $inout,$inout,$inptail,$inpperm
2249 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2250 vxor $inout,$inout,$tweak
2251 vxor $inout,$inout,$rndkey0
2252 lvx $rndkey0,$idx,$key1
2262 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2263 vncipher $inout,$inout,$rndkey1
2264 lvx $rndkey1,$idx,$key1
2266 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2267 vncipher $inout,$inout,$rndkey0
2268 lvx $rndkey0,$idx,$key1
2272 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2273 vncipher $inout,$inout,$rndkey1
2274 lvx $rndkey1,$idx,$key1
2276 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2277 vxor $rndkey0,$rndkey0,$tweak
2278 vncipherlast $output,$inout,$rndkey0
2280 le?vperm $tmp,$output,$output,$leperm
2282 le?stvx_u $tmp,0,$out
2283 be?stvx_u $output,0,$out
2292 lvx $rndkey0,0,$key1
2293 lvx $rndkey1,$idx,$key1
2296 vsrab $tmp,$tweak,$seven # next tweak value
2297 vaddubm $tweak,$tweak,$tweak
2298 vsldoi $tmp,$tmp,$tmp,15
2299 vand $tmp,$tmp,$eighty7
2300 vxor $tweak,$tweak,$tmp
2302 vperm $inout,$inout,$inptail,$inpperm
2303 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2304 vxor $inout,$inout,$tweak
2305 vxor $inout,$inout,$rndkey0
2306 lvx $rndkey0,$idx,$key1
2314 vsrab $tmp,$tweak,$seven # next tweak value
2315 vaddubm $tweak1,$tweak,$tweak
2316 vsldoi $tmp,$tmp,$tmp,15
2317 vand $tmp,$tmp,$eighty7
2318 vxor $tweak1,$tweak1,$tmp
2323 vxor $inout,$inout,$tweak # :-(
2324 vxor $inout,$inout,$tweak1 # :-)
2327 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2328 vncipher $inout,$inout,$rndkey1
2329 lvx $rndkey1,$idx,$key1
2331 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2332 vncipher $inout,$inout,$rndkey0
2333 lvx $rndkey0,$idx,$key1
2335 bdnz Loop_xts_dec_short
2337 ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
2338 vncipher $inout,$inout,$rndkey1
2339 lvx $rndkey1,$idx,$key1
2341 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2342 vxor $rndkey0,$rndkey0,$tweak1
2343 vncipherlast $output,$inout,$rndkey0
2345 le?vperm $tmp,$output,$output,$leperm
2347 le?stvx_u $tmp,0,$out
2348 be?stvx_u $output,0,$out
2353 lvx $rndkey0,0,$key1
2354 lvx $rndkey1,$idx,$key1
2356 vperm $inout,$inout,$inptail,$inpperm
2357 ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
2359 lvsr $inpperm,0,$len # $inpperm is no longer needed
2360 vxor $inptail,$inptail,$inptail # $inptail is no longer needed
2362 vperm $inptail,$inptail,$tmp,$inpperm
2363 vsel $inout,$inout,$output,$inptail
2365 vxor $rndkey0,$rndkey0,$tweak
2366 vxor $inout,$inout,$rndkey0
2367 lvx $rndkey0,$idx,$key1
2376 bdnz Loop_xts_dec_steal
2379 b Loop_xts_dec # one more time...
2385 vsrab $tmp,$tweak,$seven # next tweak value
2386 vaddubm $tweak,$tweak,$tweak
2387 vsldoi $tmp,$tmp,$tmp,15
2388 vand $tmp,$tmp,$eighty7
2389 vxor $tweak,$tweak,$tmp
2391 le?vperm $tweak,$tweak,$tweak,$leperm
2392 stvx_u $tweak,0,$ivp
2395 mtspr 256,r12 # restore vrsave
2399 .byte 0,12,0x04,0,0x80,6,6,0
2401 .size .${prefix}_xts_decrypt,.-.${prefix}_xts_decrypt
2403 #########################################################################
2404 {{ # Optimized XTS procedures #
2406 my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
2407 $x00=0 if ($flavour =~ /osx/);
2408 my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
2409 my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
2410 my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
2411 my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
2412 # v26-v31 last 6 round keys
2413 my ($keyperm)=($out0); # aliases with "caller", redundant assignment
2418 _aesp8_xts_encrypt6x:
2419 $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
2421 li r7,`$FRAME+8*16+15`
2422 li r3,`$FRAME+8*16+31`
2423 $PUSH r11,`$FRAME+21*16+6*$SIZE_T+$LRSAVE`($sp)
2424 stvx v20,r7,$sp # ABI says so
2447 stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
2449 $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
2451 $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
2453 $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
2455 $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
2457 $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
2459 $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
2463 subi $rounds,$rounds,3 # -4 in total
2465 lvx $rndkey0,$x00,$key1 # load key schedule
2467 addi $key1,$key1,0x20
2469 ?vperm $rndkey0,$rndkey0,v30,$keyperm
2470 addi $key_,$sp,$FRAME+15
2474 ?vperm v24,v30,v31,$keyperm
2476 addi $key1,$key1,0x20
2477 stvx v24,$x00,$key_ # off-load round[1]
2478 ?vperm v25,v31,v30,$keyperm
2480 stvx v25,$x10,$key_ # off-load round[2]
2481 addi $key_,$key_,0x20
2482 bdnz Load_xts_enc_key
2485 ?vperm v24,v30,v31,$keyperm
2487 stvx v24,$x00,$key_ # off-load round[3]
2488 ?vperm v25,v31,v26,$keyperm
2490 stvx v25,$x10,$key_ # off-load round[4]
2491 addi $key_,$sp,$FRAME+15 # rewind $key_
2492 ?vperm v26,v26,v27,$keyperm
2494 ?vperm v27,v27,v28,$keyperm
2496 ?vperm v28,v28,v29,$keyperm
2498 ?vperm v29,v29,v30,$keyperm
2499 lvx $twk5,$x70,$key1 # borrow $twk5
2500 ?vperm v30,v30,v31,$keyperm
2501 lvx v24,$x00,$key_ # pre-load round[1]
2502 ?vperm v31,v31,$twk5,$keyperm
2503 lvx v25,$x10,$key_ # pre-load round[2]
2505 vperm $in0,$inout,$inptail,$inpperm
2506 subi $inp,$inp,31 # undo "caller"
2507 vxor $twk0,$tweak,$rndkey0
2508 vsrab $tmp,$tweak,$seven # next tweak value
2509 vaddubm $tweak,$tweak,$tweak
2510 vsldoi $tmp,$tmp,$tmp,15
2511 vand $tmp,$tmp,$eighty7
2512 vxor $out0,$in0,$twk0
2513 vxor $tweak,$tweak,$tmp
2515 lvx_u $in1,$x10,$inp
2516 vxor $twk1,$tweak,$rndkey0
2517 vsrab $tmp,$tweak,$seven # next tweak value
2518 vaddubm $tweak,$tweak,$tweak
2519 vsldoi $tmp,$tmp,$tmp,15
2520 le?vperm $in1,$in1,$in1,$leperm
2521 vand $tmp,$tmp,$eighty7
2522 vxor $out1,$in1,$twk1
2523 vxor $tweak,$tweak,$tmp
2525 lvx_u $in2,$x20,$inp
2526 andi. $taillen,$len,15
2527 vxor $twk2,$tweak,$rndkey0
2528 vsrab $tmp,$tweak,$seven # next tweak value
2529 vaddubm $tweak,$tweak,$tweak
2530 vsldoi $tmp,$tmp,$tmp,15
2531 le?vperm $in2,$in2,$in2,$leperm
2532 vand $tmp,$tmp,$eighty7
2533 vxor $out2,$in2,$twk2
2534 vxor $tweak,$tweak,$tmp
2536 lvx_u $in3,$x30,$inp
2537 sub $len,$len,$taillen
2538 vxor $twk3,$tweak,$rndkey0
2539 vsrab $tmp,$tweak,$seven # next tweak value
2540 vaddubm $tweak,$tweak,$tweak
2541 vsldoi $tmp,$tmp,$tmp,15
2542 le?vperm $in3,$in3,$in3,$leperm
2543 vand $tmp,$tmp,$eighty7
2544 vxor $out3,$in3,$twk3
2545 vxor $tweak,$tweak,$tmp
2547 lvx_u $in4,$x40,$inp
2549 vxor $twk4,$tweak,$rndkey0
2550 vsrab $tmp,$tweak,$seven # next tweak value
2551 vaddubm $tweak,$tweak,$tweak
2552 vsldoi $tmp,$tmp,$tmp,15
2553 le?vperm $in4,$in4,$in4,$leperm
2554 vand $tmp,$tmp,$eighty7
2555 vxor $out4,$in4,$twk4
2556 vxor $tweak,$tweak,$tmp
2558 lvx_u $in5,$x50,$inp
2560 vxor $twk5,$tweak,$rndkey0
2561 vsrab $tmp,$tweak,$seven # next tweak value
2562 vaddubm $tweak,$tweak,$tweak
2563 vsldoi $tmp,$tmp,$tmp,15
2564 le?vperm $in5,$in5,$in5,$leperm
2565 vand $tmp,$tmp,$eighty7
2566 vxor $out5,$in5,$twk5
2567 vxor $tweak,$tweak,$tmp
2569 vxor v31,v31,$rndkey0
2575 vcipher $out0,$out0,v24
2576 vcipher $out1,$out1,v24
2577 vcipher $out2,$out2,v24
2578 vcipher $out3,$out3,v24
2579 vcipher $out4,$out4,v24
2580 vcipher $out5,$out5,v24
2581 lvx v24,$x20,$key_ # round[3]
2582 addi $key_,$key_,0x20
2584 vcipher $out0,$out0,v25
2585 vcipher $out1,$out1,v25
2586 vcipher $out2,$out2,v25
2587 vcipher $out3,$out3,v25
2588 vcipher $out4,$out4,v25
2589 vcipher $out5,$out5,v25
2590 lvx v25,$x10,$key_ # round[4]
2593 subic $len,$len,96 # $len-=96
2594 vxor $in0,$twk0,v31 # xor with last round key
2595 vcipher $out0,$out0,v24
2596 vcipher $out1,$out1,v24
2597 vsrab $tmp,$tweak,$seven # next tweak value
2598 vxor $twk0,$tweak,$rndkey0
2599 vaddubm $tweak,$tweak,$tweak
2600 vcipher $out2,$out2,v24
2601 vcipher $out3,$out3,v24
2602 vsldoi $tmp,$tmp,$tmp,15
2603 vcipher $out4,$out4,v24
2604 vcipher $out5,$out5,v24
2606 subfe. r0,r0,r0 # borrow?-1:0
2607 vand $tmp,$tmp,$eighty7
2608 vcipher $out0,$out0,v25
2609 vcipher $out1,$out1,v25
2610 vxor $tweak,$tweak,$tmp
2611 vcipher $out2,$out2,v25
2612 vcipher $out3,$out3,v25
2614 vsrab $tmp,$tweak,$seven # next tweak value
2615 vxor $twk1,$tweak,$rndkey0
2616 vcipher $out4,$out4,v25
2617 vcipher $out5,$out5,v25
2620 vaddubm $tweak,$tweak,$tweak
2621 vsldoi $tmp,$tmp,$tmp,15
2622 vcipher $out0,$out0,v26
2623 vcipher $out1,$out1,v26
2624 vand $tmp,$tmp,$eighty7
2625 vcipher $out2,$out2,v26
2626 vcipher $out3,$out3,v26
2627 vxor $tweak,$tweak,$tmp
2628 vcipher $out4,$out4,v26
2629 vcipher $out5,$out5,v26
2631 add $inp,$inp,r0 # $inp is adjusted in such
2632 # way that at exit from the
2633 # loop inX-in5 are loaded
2636 vsrab $tmp,$tweak,$seven # next tweak value
2637 vxor $twk2,$tweak,$rndkey0
2638 vaddubm $tweak,$tweak,$tweak
2639 vcipher $out0,$out0,v27
2640 vcipher $out1,$out1,v27
2641 vsldoi $tmp,$tmp,$tmp,15
2642 vcipher $out2,$out2,v27
2643 vcipher $out3,$out3,v27
2644 vand $tmp,$tmp,$eighty7
2645 vcipher $out4,$out4,v27
2646 vcipher $out5,$out5,v27
2648 addi $key_,$sp,$FRAME+15 # rewind $key_
2649 vxor $tweak,$tweak,$tmp
2650 vcipher $out0,$out0,v28
2651 vcipher $out1,$out1,v28
2653 vsrab $tmp,$tweak,$seven # next tweak value
2654 vxor $twk3,$tweak,$rndkey0
2655 vcipher $out2,$out2,v28
2656 vcipher $out3,$out3,v28
2657 vaddubm $tweak,$tweak,$tweak
2658 vsldoi $tmp,$tmp,$tmp,15
2659 vcipher $out4,$out4,v28
2660 vcipher $out5,$out5,v28
2661 lvx v24,$x00,$key_ # re-pre-load round[1]
2662 vand $tmp,$tmp,$eighty7
2664 vcipher $out0,$out0,v29
2665 vcipher $out1,$out1,v29
2666 vxor $tweak,$tweak,$tmp
2667 vcipher $out2,$out2,v29
2668 vcipher $out3,$out3,v29
2670 vsrab $tmp,$tweak,$seven # next tweak value
2671 vxor $twk4,$tweak,$rndkey0
2672 vcipher $out4,$out4,v29
2673 vcipher $out5,$out5,v29
2674 lvx v25,$x10,$key_ # re-pre-load round[2]
2675 vaddubm $tweak,$tweak,$tweak
2676 vsldoi $tmp,$tmp,$tmp,15
2678 vcipher $out0,$out0,v30
2679 vcipher $out1,$out1,v30
2680 vand $tmp,$tmp,$eighty7
2681 vcipher $out2,$out2,v30
2682 vcipher $out3,$out3,v30
2683 vxor $tweak,$tweak,$tmp
2684 vcipher $out4,$out4,v30
2685 vcipher $out5,$out5,v30
2687 vsrab $tmp,$tweak,$seven # next tweak value
2688 vxor $twk5,$tweak,$rndkey0
2690 vcipherlast $out0,$out0,$in0
2691 lvx_u $in0,$x00,$inp # load next input block
2692 vaddubm $tweak,$tweak,$tweak
2693 vsldoi $tmp,$tmp,$tmp,15
2694 vcipherlast $out1,$out1,$in1
2695 lvx_u $in1,$x10,$inp
2696 vcipherlast $out2,$out2,$in2
2697 le?vperm $in0,$in0,$in0,$leperm
2698 lvx_u $in2,$x20,$inp
2699 vand $tmp,$tmp,$eighty7
2700 vcipherlast $out3,$out3,$in3
2701 le?vperm $in1,$in1,$in1,$leperm
2702 lvx_u $in3,$x30,$inp
2703 vcipherlast $out4,$out4,$in4
2704 le?vperm $in2,$in2,$in2,$leperm
2705 lvx_u $in4,$x40,$inp
2706 vxor $tweak,$tweak,$tmp
2707 vcipherlast $tmp,$out5,$in5 # last block might be needed
2709 le?vperm $in3,$in3,$in3,$leperm
2710 lvx_u $in5,$x50,$inp
2712 le?vperm $in4,$in4,$in4,$leperm
2713 le?vperm $in5,$in5,$in5,$leperm
2715 le?vperm $out0,$out0,$out0,$leperm
2716 le?vperm $out1,$out1,$out1,$leperm
2717 stvx_u $out0,$x00,$out # store output
2718 vxor $out0,$in0,$twk0
2719 le?vperm $out2,$out2,$out2,$leperm
2720 stvx_u $out1,$x10,$out
2721 vxor $out1,$in1,$twk1
2722 le?vperm $out3,$out3,$out3,$leperm
2723 stvx_u $out2,$x20,$out
2724 vxor $out2,$in2,$twk2
2725 le?vperm $out4,$out4,$out4,$leperm
2726 stvx_u $out3,$x30,$out
2727 vxor $out3,$in3,$twk3
2728 le?vperm $out5,$tmp,$tmp,$leperm
2729 stvx_u $out4,$x40,$out
2730 vxor $out4,$in4,$twk4
2731 le?stvx_u $out5,$x50,$out
2732 be?stvx_u $tmp, $x50,$out
2733 vxor $out5,$in5,$twk5
2737 beq Loop_xts_enc6x # did $len-=96 borrow?
2739 addic. $len,$len,0x60
2746 blt Lxts_enc6x_three
2751 vxor $out0,$in1,$twk0
2752 vxor $out1,$in2,$twk1
2753 vxor $out2,$in3,$twk2
2754 vxor $out3,$in4,$twk3
2755 vxor $out4,$in5,$twk4
2759 le?vperm $out0,$out0,$out0,$leperm
2760 vmr $twk0,$twk5 # unused tweak
2761 le?vperm $out1,$out1,$out1,$leperm
2762 stvx_u $out0,$x00,$out # store output
2763 le?vperm $out2,$out2,$out2,$leperm
2764 stvx_u $out1,$x10,$out
2765 le?vperm $out3,$out3,$out3,$leperm
2766 stvx_u $out2,$x20,$out
2767 vxor $tmp,$out4,$twk5 # last block prep for stealing
2768 le?vperm $out4,$out4,$out4,$leperm
2769 stvx_u $out3,$x30,$out
2770 stvx_u $out4,$x40,$out
2772 bne Lxts_enc6x_steal
2777 vxor $out0,$in2,$twk0
2778 vxor $out1,$in3,$twk1
2779 vxor $out2,$in4,$twk2
2780 vxor $out3,$in5,$twk3
2781 vxor $out4,$out4,$out4
2785 le?vperm $out0,$out0,$out0,$leperm
2786 vmr $twk0,$twk4 # unused tweak
2787 le?vperm $out1,$out1,$out1,$leperm
2788 stvx_u $out0,$x00,$out # store output
2789 le?vperm $out2,$out2,$out2,$leperm
2790 stvx_u $out1,$x10,$out
2791 vxor $tmp,$out3,$twk4 # last block prep for stealing
2792 le?vperm $out3,$out3,$out3,$leperm
2793 stvx_u $out2,$x20,$out
2794 stvx_u $out3,$x30,$out
2796 bne Lxts_enc6x_steal
2801 vxor $out0,$in3,$twk0
2802 vxor $out1,$in4,$twk1
2803 vxor $out2,$in5,$twk2
2804 vxor $out3,$out3,$out3
2805 vxor $out4,$out4,$out4
2809 le?vperm $out0,$out0,$out0,$leperm
2810 vmr $twk0,$twk3 # unused tweak
2811 le?vperm $out1,$out1,$out1,$leperm
2812 stvx_u $out0,$x00,$out # store output
2813 vxor $tmp,$out2,$twk3 # last block prep for stealing
2814 le?vperm $out2,$out2,$out2,$leperm
2815 stvx_u $out1,$x10,$out
2816 stvx_u $out2,$x20,$out
2818 bne Lxts_enc6x_steal
2823 vxor $out0,$in4,$twk0
2824 vxor $out1,$in5,$twk1
2825 vxor $out2,$out2,$out2
2826 vxor $out3,$out3,$out3
2827 vxor $out4,$out4,$out4
2831 le?vperm $out0,$out0,$out0,$leperm
2832 vmr $twk0,$twk2 # unused tweak
2833 vxor $tmp,$out1,$twk2 # last block prep for stealing
2834 le?vperm $out1,$out1,$out1,$leperm
2835 stvx_u $out0,$x00,$out # store output
2836 stvx_u $out1,$x10,$out
2838 bne Lxts_enc6x_steal
2843 vxor $out0,$in5,$twk0
2846 vcipher $out0,$out0,v24
2847 lvx v24,$x20,$key_ # round[3]
2848 addi $key_,$key_,0x20
2850 vcipher $out0,$out0,v25
2851 lvx v25,$x10,$key_ # round[4]
2854 add $inp,$inp,$taillen
2856 vcipher $out0,$out0,v24
2859 vcipher $out0,$out0,v25
2861 lvsr $inpperm,0,$taillen
2862 vcipher $out0,$out0,v26
2865 vcipher $out0,$out0,v27
2867 addi $key_,$sp,$FRAME+15 # rewind $key_
2868 vcipher $out0,$out0,v28
2869 lvx v24,$x00,$key_ # re-pre-load round[1]
2871 vcipher $out0,$out0,v29
2872 lvx v25,$x10,$key_ # re-pre-load round[2]
2873 vxor $twk0,$twk0,v31
2875 le?vperm $in0,$in0,$in0,$leperm
2876 vcipher $out0,$out0,v30
2878 vperm $in0,$in0,$in0,$inpperm
2879 vcipherlast $out0,$out0,$twk0
2881 vmr $twk0,$twk1 # unused tweak
2882 vxor $tmp,$out0,$twk1 # last block prep for stealing
2883 le?vperm $out0,$out0,$out0,$leperm
2884 stvx_u $out0,$x00,$out # store output
2886 bne Lxts_enc6x_steal
2894 add $inp,$inp,$taillen
2897 lvsr $inpperm,0,$taillen # $in5 is no more
2898 le?vperm $in0,$in0,$in0,$leperm
2899 vperm $in0,$in0,$in0,$inpperm
2900 vxor $tmp,$tmp,$twk0
2902 vxor $in0,$in0,$twk0
2903 vxor $out0,$out0,$out0
2905 vperm $out0,$out0,$out1,$inpperm
2906 vsel $out0,$in0,$tmp,$out0 # $tmp is last block, remember?
2911 Loop_xts_enc6x_steal:
2914 bdnz Loop_xts_enc6x_steal
2918 b Loop_xts_enc1x # one more time...
2925 vxor $tweak,$twk0,$rndkey0
2926 le?vperm $tweak,$tweak,$tweak,$leperm
2927 stvx_u $tweak,0,$ivp
2933 stvx $seven,r10,$sp # wipe copies of round keys
2951 lvx v20,r10,$sp # ABI says so
2973 $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
2974 $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
2975 $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
2976 $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
2977 $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
2978 $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
2979 addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
2982 .byte 0,12,0x04,1,0x80,6,6,0
2987 vcipher $out0,$out0,v24
2988 vcipher $out1,$out1,v24
2989 vcipher $out2,$out2,v24
2990 vcipher $out3,$out3,v24
2991 vcipher $out4,$out4,v24
2992 lvx v24,$x20,$key_ # round[3]
2993 addi $key_,$key_,0x20
2995 vcipher $out0,$out0,v25
2996 vcipher $out1,$out1,v25
2997 vcipher $out2,$out2,v25
2998 vcipher $out3,$out3,v25
2999 vcipher $out4,$out4,v25
3000 lvx v25,$x10,$key_ # round[4]
3001 bdnz _aesp8_xts_enc5x
3003 add $inp,$inp,$taillen
3005 vcipher $out0,$out0,v24
3006 vcipher $out1,$out1,v24
3007 vcipher $out2,$out2,v24
3008 vcipher $out3,$out3,v24
3009 vcipher $out4,$out4,v24
3012 vcipher $out0,$out0,v25
3013 vcipher $out1,$out1,v25
3014 vcipher $out2,$out2,v25
3015 vcipher $out3,$out3,v25
3016 vcipher $out4,$out4,v25
3017 vxor $twk0,$twk0,v31
3019 vcipher $out0,$out0,v26
3020 lvsr $inpperm,0,$taillen # $in5 is no more
3021 vcipher $out1,$out1,v26
3022 vcipher $out2,$out2,v26
3023 vcipher $out3,$out3,v26
3024 vcipher $out4,$out4,v26
3027 vcipher $out0,$out0,v27
3029 vcipher $out1,$out1,v27
3030 vcipher $out2,$out2,v27
3031 vcipher $out3,$out3,v27
3032 vcipher $out4,$out4,v27
3035 addi $key_,$sp,$FRAME+15 # rewind $key_
3036 vcipher $out0,$out0,v28
3037 vcipher $out1,$out1,v28
3038 vcipher $out2,$out2,v28
3039 vcipher $out3,$out3,v28
3040 vcipher $out4,$out4,v28
3041 lvx v24,$x00,$key_ # re-pre-load round[1]
3044 vcipher $out0,$out0,v29
3045 le?vperm $in0,$in0,$in0,$leperm
3046 vcipher $out1,$out1,v29
3047 vcipher $out2,$out2,v29
3048 vcipher $out3,$out3,v29
3049 vcipher $out4,$out4,v29
3050 lvx v25,$x10,$key_ # re-pre-load round[2]
3053 vcipher $out0,$out0,v30
3054 vperm $in0,$in0,$in0,$inpperm
3055 vcipher $out1,$out1,v30
3056 vcipher $out2,$out2,v30
3057 vcipher $out3,$out3,v30
3058 vcipher $out4,$out4,v30
3060 vcipherlast $out0,$out0,$twk0
3061 vcipherlast $out1,$out1,$in1
3062 vcipherlast $out2,$out2,$in2
3063 vcipherlast $out3,$out3,$in3
3064 vcipherlast $out4,$out4,$in4
3067 .byte 0,12,0x14,0,0,0,0,0
3070 _aesp8_xts_decrypt6x:
3071 $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
3073 li r7,`$FRAME+8*16+15`
3074 li r3,`$FRAME+8*16+31`
3075 $PUSH r11,`$FRAME+21*16+6*$SIZE_T+$LRSAVE`($sp)
3076 stvx v20,r7,$sp # ABI says so
3099 stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
3101 $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
3103 $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
3105 $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
3107 $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
3109 $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
3111 $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
3115 subi $rounds,$rounds,3 # -4 in total
3117 lvx $rndkey0,$x00,$key1 # load key schedule
3119 addi $key1,$key1,0x20
3121 ?vperm $rndkey0,$rndkey0,v30,$keyperm
3122 addi $key_,$sp,$FRAME+15
3126 ?vperm v24,v30,v31,$keyperm
3128 addi $key1,$key1,0x20
3129 stvx v24,$x00,$key_ # off-load round[1]
3130 ?vperm v25,v31,v30,$keyperm
3132 stvx v25,$x10,$key_ # off-load round[2]
3133 addi $key_,$key_,0x20
3134 bdnz Load_xts_dec_key
3137 ?vperm v24,v30,v31,$keyperm
3139 stvx v24,$x00,$key_ # off-load round[3]
3140 ?vperm v25,v31,v26,$keyperm
3142 stvx v25,$x10,$key_ # off-load round[4]
3143 addi $key_,$sp,$FRAME+15 # rewind $key_
3144 ?vperm v26,v26,v27,$keyperm
3146 ?vperm v27,v27,v28,$keyperm
3148 ?vperm v28,v28,v29,$keyperm
3150 ?vperm v29,v29,v30,$keyperm
3151 lvx $twk5,$x70,$key1 # borrow $twk5
3152 ?vperm v30,v30,v31,$keyperm
3153 lvx v24,$x00,$key_ # pre-load round[1]
3154 ?vperm v31,v31,$twk5,$keyperm
3155 lvx v25,$x10,$key_ # pre-load round[2]
3157 vperm $in0,$inout,$inptail,$inpperm
3158 subi $inp,$inp,31 # undo "caller"
3159 vxor $twk0,$tweak,$rndkey0
3160 vsrab $tmp,$tweak,$seven # next tweak value
3161 vaddubm $tweak,$tweak,$tweak
3162 vsldoi $tmp,$tmp,$tmp,15
3163 vand $tmp,$tmp,$eighty7
3164 vxor $out0,$in0,$twk0
3165 vxor $tweak,$tweak,$tmp
3167 lvx_u $in1,$x10,$inp
3168 vxor $twk1,$tweak,$rndkey0
3169 vsrab $tmp,$tweak,$seven # next tweak value
3170 vaddubm $tweak,$tweak,$tweak
3171 vsldoi $tmp,$tmp,$tmp,15
3172 le?vperm $in1,$in1,$in1,$leperm
3173 vand $tmp,$tmp,$eighty7
3174 vxor $out1,$in1,$twk1
3175 vxor $tweak,$tweak,$tmp
3177 lvx_u $in2,$x20,$inp
3178 andi. $taillen,$len,15
3179 vxor $twk2,$tweak,$rndkey0
3180 vsrab $tmp,$tweak,$seven # next tweak value
3181 vaddubm $tweak,$tweak,$tweak
3182 vsldoi $tmp,$tmp,$tmp,15
3183 le?vperm $in2,$in2,$in2,$leperm
3184 vand $tmp,$tmp,$eighty7
3185 vxor $out2,$in2,$twk2
3186 vxor $tweak,$tweak,$tmp
3188 lvx_u $in3,$x30,$inp
3189 sub $len,$len,$taillen
3190 vxor $twk3,$tweak,$rndkey0
3191 vsrab $tmp,$tweak,$seven # next tweak value
3192 vaddubm $tweak,$tweak,$tweak
3193 vsldoi $tmp,$tmp,$tmp,15
3194 le?vperm $in3,$in3,$in3,$leperm
3195 vand $tmp,$tmp,$eighty7
3196 vxor $out3,$in3,$twk3
3197 vxor $tweak,$tweak,$tmp
3199 lvx_u $in4,$x40,$inp
3201 vxor $twk4,$tweak,$rndkey0
3202 vsrab $tmp,$tweak,$seven # next tweak value
3203 vaddubm $tweak,$tweak,$tweak
3204 vsldoi $tmp,$tmp,$tmp,15
3205 le?vperm $in4,$in4,$in4,$leperm
3206 vand $tmp,$tmp,$eighty7
3207 vxor $out4,$in4,$twk4
3208 vxor $tweak,$tweak,$tmp
3210 lvx_u $in5,$x50,$inp
3212 vxor $twk5,$tweak,$rndkey0
3213 vsrab $tmp,$tweak,$seven # next tweak value
3214 vaddubm $tweak,$tweak,$tweak
3215 vsldoi $tmp,$tmp,$tmp,15
3216 le?vperm $in5,$in5,$in5,$leperm
3217 vand $tmp,$tmp,$eighty7
3218 vxor $out5,$in5,$twk5
3219 vxor $tweak,$tweak,$tmp
3221 vxor v31,v31,$rndkey0
3227 vncipher $out0,$out0,v24
3228 vncipher $out1,$out1,v24
3229 vncipher $out2,$out2,v24
3230 vncipher $out3,$out3,v24
3231 vncipher $out4,$out4,v24
3232 vncipher $out5,$out5,v24
3233 lvx v24,$x20,$key_ # round[3]
3234 addi $key_,$key_,0x20
3236 vncipher $out0,$out0,v25
3237 vncipher $out1,$out1,v25
3238 vncipher $out2,$out2,v25
3239 vncipher $out3,$out3,v25
3240 vncipher $out4,$out4,v25
3241 vncipher $out5,$out5,v25
3242 lvx v25,$x10,$key_ # round[4]
3245 subic $len,$len,96 # $len-=96
3246 vxor $in0,$twk0,v31 # xor with last round key
3247 vncipher $out0,$out0,v24
3248 vncipher $out1,$out1,v24
3249 vsrab $tmp,$tweak,$seven # next tweak value
3250 vxor $twk0,$tweak,$rndkey0
3251 vaddubm $tweak,$tweak,$tweak
3252 vncipher $out2,$out2,v24
3253 vncipher $out3,$out3,v24
3254 vsldoi $tmp,$tmp,$tmp,15
3255 vncipher $out4,$out4,v24
3256 vncipher $out5,$out5,v24
3258 subfe. r0,r0,r0 # borrow?-1:0
3259 vand $tmp,$tmp,$eighty7
3260 vncipher $out0,$out0,v25
3261 vncipher $out1,$out1,v25
3262 vxor $tweak,$tweak,$tmp
3263 vncipher $out2,$out2,v25
3264 vncipher $out3,$out3,v25
3266 vsrab $tmp,$tweak,$seven # next tweak value
3267 vxor $twk1,$tweak,$rndkey0
3268 vncipher $out4,$out4,v25
3269 vncipher $out5,$out5,v25
3272 vaddubm $tweak,$tweak,$tweak
3273 vsldoi $tmp,$tmp,$tmp,15
3274 vncipher $out0,$out0,v26
3275 vncipher $out1,$out1,v26
3276 vand $tmp,$tmp,$eighty7
3277 vncipher $out2,$out2,v26
3278 vncipher $out3,$out3,v26
3279 vxor $tweak,$tweak,$tmp
3280 vncipher $out4,$out4,v26
3281 vncipher $out5,$out5,v26
3283 add $inp,$inp,r0 # $inp is adjusted in such
3284 # way that at exit from the
3285 # loop inX-in5 are loaded
3288 vsrab $tmp,$tweak,$seven # next tweak value
3289 vxor $twk2,$tweak,$rndkey0
3290 vaddubm $tweak,$tweak,$tweak
3291 vncipher $out0,$out0,v27
3292 vncipher $out1,$out1,v27
3293 vsldoi $tmp,$tmp,$tmp,15
3294 vncipher $out2,$out2,v27
3295 vncipher $out3,$out3,v27
3296 vand $tmp,$tmp,$eighty7
3297 vncipher $out4,$out4,v27
3298 vncipher $out5,$out5,v27
3300 addi $key_,$sp,$FRAME+15 # rewind $key_
3301 vxor $tweak,$tweak,$tmp
3302 vncipher $out0,$out0,v28
3303 vncipher $out1,$out1,v28
3305 vsrab $tmp,$tweak,$seven # next tweak value
3306 vxor $twk3,$tweak,$rndkey0
3307 vncipher $out2,$out2,v28
3308 vncipher $out3,$out3,v28
3309 vaddubm $tweak,$tweak,$tweak
3310 vsldoi $tmp,$tmp,$tmp,15
3311 vncipher $out4,$out4,v28
3312 vncipher $out5,$out5,v28
3313 lvx v24,$x00,$key_ # re-pre-load round[1]
3314 vand $tmp,$tmp,$eighty7
3316 vncipher $out0,$out0,v29
3317 vncipher $out1,$out1,v29
3318 vxor $tweak,$tweak,$tmp
3319 vncipher $out2,$out2,v29
3320 vncipher $out3,$out3,v29
3322 vsrab $tmp,$tweak,$seven # next tweak value
3323 vxor $twk4,$tweak,$rndkey0
3324 vncipher $out4,$out4,v29
3325 vncipher $out5,$out5,v29
3326 lvx v25,$x10,$key_ # re-pre-load round[2]
3327 vaddubm $tweak,$tweak,$tweak
3328 vsldoi $tmp,$tmp,$tmp,15
3330 vncipher $out0,$out0,v30
3331 vncipher $out1,$out1,v30
3332 vand $tmp,$tmp,$eighty7
3333 vncipher $out2,$out2,v30
3334 vncipher $out3,$out3,v30
3335 vxor $tweak,$tweak,$tmp
3336 vncipher $out4,$out4,v30
3337 vncipher $out5,$out5,v30
3339 vsrab $tmp,$tweak,$seven # next tweak value
3340 vxor $twk5,$tweak,$rndkey0
3342 vncipherlast $out0,$out0,$in0
3343 lvx_u $in0,$x00,$inp # load next input block
3344 vaddubm $tweak,$tweak,$tweak
3345 vsldoi $tmp,$tmp,$tmp,15
3346 vncipherlast $out1,$out1,$in1
3347 lvx_u $in1,$x10,$inp
3348 vncipherlast $out2,$out2,$in2
3349 le?vperm $in0,$in0,$in0,$leperm
3350 lvx_u $in2,$x20,$inp
3351 vand $tmp,$tmp,$eighty7
3352 vncipherlast $out3,$out3,$in3
3353 le?vperm $in1,$in1,$in1,$leperm
3354 lvx_u $in3,$x30,$inp
3355 vncipherlast $out4,$out4,$in4
3356 le?vperm $in2,$in2,$in2,$leperm
3357 lvx_u $in4,$x40,$inp
3358 vxor $tweak,$tweak,$tmp
3359 vncipherlast $out5,$out5,$in5
3360 le?vperm $in3,$in3,$in3,$leperm
3361 lvx_u $in5,$x50,$inp
3363 le?vperm $in4,$in4,$in4,$leperm
3364 le?vperm $in5,$in5,$in5,$leperm
3366 le?vperm $out0,$out0,$out0,$leperm
3367 le?vperm $out1,$out1,$out1,$leperm
3368 stvx_u $out0,$x00,$out # store output
3369 vxor $out0,$in0,$twk0
3370 le?vperm $out2,$out2,$out2,$leperm
3371 stvx_u $out1,$x10,$out
3372 vxor $out1,$in1,$twk1
3373 le?vperm $out3,$out3,$out3,$leperm
3374 stvx_u $out2,$x20,$out
3375 vxor $out2,$in2,$twk2
3376 le?vperm $out4,$out4,$out4,$leperm
3377 stvx_u $out3,$x30,$out
3378 vxor $out3,$in3,$twk3
3379 le?vperm $out5,$out5,$out5,$leperm
3380 stvx_u $out4,$x40,$out
3381 vxor $out4,$in4,$twk4
3382 stvx_u $out5,$x50,$out
3383 vxor $out5,$in5,$twk5
3387 beq Loop_xts_dec6x # did $len-=96 borrow?
3389 addic. $len,$len,0x60
3396 blt Lxts_dec6x_three
3401 vxor $out0,$in1,$twk0
3402 vxor $out1,$in2,$twk1
3403 vxor $out2,$in3,$twk2
3404 vxor $out3,$in4,$twk3
3405 vxor $out4,$in5,$twk4
3409 le?vperm $out0,$out0,$out0,$leperm
3410 vmr $twk0,$twk5 # unused tweak
3411 vxor $twk1,$tweak,$rndkey0
3412 le?vperm $out1,$out1,$out1,$leperm
3413 stvx_u $out0,$x00,$out # store output
3414 vxor $out0,$in0,$twk1
3415 le?vperm $out2,$out2,$out2,$leperm
3416 stvx_u $out1,$x10,$out
3417 le?vperm $out3,$out3,$out3,$leperm
3418 stvx_u $out2,$x20,$out
3419 le?vperm $out4,$out4,$out4,$leperm
3420 stvx_u $out3,$x30,$out
3421 stvx_u $out4,$x40,$out
3423 bne Lxts_dec6x_steal
3428 vxor $out0,$in2,$twk0
3429 vxor $out1,$in3,$twk1
3430 vxor $out2,$in4,$twk2
3431 vxor $out3,$in5,$twk3
3432 vxor $out4,$out4,$out4
3436 le?vperm $out0,$out0,$out0,$leperm
3437 vmr $twk0,$twk4 # unused tweak
3439 le?vperm $out1,$out1,$out1,$leperm
3440 stvx_u $out0,$x00,$out # store output
3441 vxor $out0,$in0,$twk5
3442 le?vperm $out2,$out2,$out2,$leperm
3443 stvx_u $out1,$x10,$out
3444 le?vperm $out3,$out3,$out3,$leperm
3445 stvx_u $out2,$x20,$out
3446 stvx_u $out3,$x30,$out
3448 bne Lxts_dec6x_steal
3453 vxor $out0,$in3,$twk0
3454 vxor $out1,$in4,$twk1
3455 vxor $out2,$in5,$twk2
3456 vxor $out3,$out3,$out3
3457 vxor $out4,$out4,$out4
3461 le?vperm $out0,$out0,$out0,$leperm
3462 vmr $twk0,$twk3 # unused tweak
3464 le?vperm $out1,$out1,$out1,$leperm
3465 stvx_u $out0,$x00,$out # store output
3466 vxor $out0,$in0,$twk4
3467 le?vperm $out2,$out2,$out2,$leperm
3468 stvx_u $out1,$x10,$out
3469 stvx_u $out2,$x20,$out
3471 bne Lxts_dec6x_steal
3476 vxor $out0,$in4,$twk0
3477 vxor $out1,$in5,$twk1
3478 vxor $out2,$out2,$out2
3479 vxor $out3,$out3,$out3
3480 vxor $out4,$out4,$out4
3484 le?vperm $out0,$out0,$out0,$leperm
3485 vmr $twk0,$twk2 # unused tweak
3487 le?vperm $out1,$out1,$out1,$leperm
3488 stvx_u $out0,$x00,$out # store output
3489 vxor $out0,$in0,$twk3
3490 stvx_u $out1,$x10,$out
3492 bne Lxts_dec6x_steal
3497 vxor $out0,$in5,$twk0
3500 vncipher $out0,$out0,v24
3501 lvx v24,$x20,$key_ # round[3]
3502 addi $key_,$key_,0x20
3504 vncipher $out0,$out0,v25
3505 lvx v25,$x10,$key_ # round[4]
3509 vncipher $out0,$out0,v24
3513 vncipher $out0,$out0,v25
3516 vncipher $out0,$out0,v26
3519 vncipher $out0,$out0,v27
3521 addi $key_,$sp,$FRAME+15 # rewind $key_
3522 vncipher $out0,$out0,v28
3523 lvx v24,$x00,$key_ # re-pre-load round[1]
3525 vncipher $out0,$out0,v29
3526 lvx v25,$x10,$key_ # re-pre-load round[2]
3527 vxor $twk0,$twk0,v31
3529 le?vperm $in0,$in0,$in0,$leperm
3530 vncipher $out0,$out0,v30
3533 vncipherlast $out0,$out0,$twk0
3535 vmr $twk0,$twk1 # unused tweak
3537 le?vperm $out0,$out0,$out0,$leperm
3538 stvx_u $out0,$x00,$out # store output
3540 vxor $out0,$in0,$twk2
3541 bne Lxts_dec6x_steal
3550 le?vperm $in0,$in0,$in0,$leperm
3551 vxor $out0,$in0,$twk1
3553 vncipher $out0,$out0,v24
3554 lvx v24,$x20,$key_ # round[3]
3555 addi $key_,$key_,0x20
3557 vncipher $out0,$out0,v25
3558 lvx v25,$x10,$key_ # round[4]
3559 bdnz Lxts_dec6x_steal
3561 add $inp,$inp,$taillen
3562 vncipher $out0,$out0,v24
3565 vncipher $out0,$out0,v25
3568 vncipher $out0,$out0,v26
3570 lvsr $inpperm,0,$taillen # $in5 is no more
3571 vncipher $out0,$out0,v27
3573 addi $key_,$sp,$FRAME+15 # rewind $key_
3574 vncipher $out0,$out0,v28
3575 lvx v24,$x00,$key_ # re-pre-load round[1]
3577 vncipher $out0,$out0,v29
3578 lvx v25,$x10,$key_ # re-pre-load round[2]
3579 vxor $twk1,$twk1,v31
3581 le?vperm $in0,$in0,$in0,$leperm
3582 vncipher $out0,$out0,v30
3584 vperm $in0,$in0,$in0,$inpperm
3585 vncipherlast $tmp,$out0,$twk1
3587 le?vperm $out0,$tmp,$tmp,$leperm
3588 le?stvx_u $out0,0,$out
3589 be?stvx_u $tmp,0,$out
3591 vxor $out0,$out0,$out0
3593 vperm $out0,$out0,$out1,$inpperm
3594 vsel $out0,$in0,$tmp,$out0
3595 vxor $out0,$out0,$twk0
3599 Loop_xts_dec6x_steal:
3602 bdnz Loop_xts_dec6x_steal
3606 b Loop_xts_dec1x # one more time...
3613 vxor $tweak,$twk0,$rndkey0
3614 le?vperm $tweak,$tweak,$tweak,$leperm
3615 stvx_u $tweak,0,$ivp
3621 stvx $seven,r10,$sp # wipe copies of round keys
3639 lvx v20,r10,$sp # ABI says so
3661 $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
3662 $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
3663 $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
3664 $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
3665 $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
3666 $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
3667 addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
3670 .byte 0,12,0x04,1,0x80,6,6,0
3675 vncipher $out0,$out0,v24
3676 vncipher $out1,$out1,v24
3677 vncipher $out2,$out2,v24
3678 vncipher $out3,$out3,v24
3679 vncipher $out4,$out4,v24
3680 lvx v24,$x20,$key_ # round[3]
3681 addi $key_,$key_,0x20
3683 vncipher $out0,$out0,v25
3684 vncipher $out1,$out1,v25
3685 vncipher $out2,$out2,v25
3686 vncipher $out3,$out3,v25
3687 vncipher $out4,$out4,v25
3688 lvx v25,$x10,$key_ # round[4]
3689 bdnz _aesp8_xts_dec5x
3692 vncipher $out0,$out0,v24
3693 vncipher $out1,$out1,v24
3694 vncipher $out2,$out2,v24
3695 vncipher $out3,$out3,v24
3696 vncipher $out4,$out4,v24
3700 vncipher $out0,$out0,v25
3701 vncipher $out1,$out1,v25
3702 vncipher $out2,$out2,v25
3703 vncipher $out3,$out3,v25
3704 vncipher $out4,$out4,v25
3705 vxor $twk0,$twk0,v31
3708 vncipher $out0,$out0,v26
3709 vncipher $out1,$out1,v26
3710 vncipher $out2,$out2,v26
3711 vncipher $out3,$out3,v26
3712 vncipher $out4,$out4,v26
3715 vncipher $out0,$out0,v27
3717 vncipher $out1,$out1,v27
3718 vncipher $out2,$out2,v27
3719 vncipher $out3,$out3,v27
3720 vncipher $out4,$out4,v27
3723 addi $key_,$sp,$FRAME+15 # rewind $key_
3724 vncipher $out0,$out0,v28
3725 vncipher $out1,$out1,v28
3726 vncipher $out2,$out2,v28
3727 vncipher $out3,$out3,v28
3728 vncipher $out4,$out4,v28
3729 lvx v24,$x00,$key_ # re-pre-load round[1]
3732 vncipher $out0,$out0,v29
3733 le?vperm $in0,$in0,$in0,$leperm
3734 vncipher $out1,$out1,v29
3735 vncipher $out2,$out2,v29
3736 vncipher $out3,$out3,v29
3737 vncipher $out4,$out4,v29
3738 lvx v25,$x10,$key_ # re-pre-load round[2]
3741 vncipher $out0,$out0,v30
3742 vncipher $out1,$out1,v30
3743 vncipher $out2,$out2,v30
3744 vncipher $out3,$out3,v30
3745 vncipher $out4,$out4,v30
3747 vncipherlast $out0,$out0,$twk0
3748 vncipherlast $out1,$out1,$in1
3749 vncipherlast $out2,$out2,$in2
3750 vncipherlast $out3,$out3,$in3
3751 vncipherlast $out4,$out4,$in4
3755 .byte 0,12,0x14,0,0,0,0,0
3760 foreach(split("\n",$code)) {
3761 s/\`([^\`]*)\`/eval($1)/geo;
3763 # constants table endian-specific conversion
3764 if ($consts && m/\.(long|byte)\s+(.+)\s+(\?[a-z]*)$/o) {
3768 # convert to endian-agnostic format
3770 foreach (split(/,\s*/,$2)) {
3771 my $l = /^0/?oct:int;
3772 push @bytes,($l>>24)&0xff,($l>>16)&0xff,($l>>8)&0xff,$l&0xff;
3775 @bytes = map(/^0/?oct:int,split(/,\s*/,$2));
3778 # little-endian conversion
3779 if ($flavour =~ /le$/o) {
3780 SWITCH: for($conv) {
3781 /\?inv/ && do { @bytes=map($_^0xf,@bytes); last; };
3782 /\?rev/ && do { @bytes=reverse(@bytes); last; };
3787 print ".byte\t",join(',',map (sprintf("0x%02x",$_),@bytes)),"\n";
3790 $consts=0 if (m/Lconsts:/o); # end of table
3792 # instructions prefixed with '?' are endian-specific and need
3793 # to be adjusted accordingly...
3794 if ($flavour =~ /le$/o) { # little-endian
3799 s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/o or
3800 s/\?(vsldoi\s+v[0-9]+,\s*)(v[0-9]+,)\s*(v[0-9]+,\s*)([0-9]+)/$1$3$2 16-$4/o or
3801 s/\?(vspltw\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9])/$1$2 3-$3/o;
3802 } else { # big-endian
3811 close STDOUT or die "error closing STDOUT: $!";
projects / openssl.git / blob