crypto/aes/asm/aes-s390x.pl: replace decrypt flag by macro.

[openssl.git] / crypto / aes / asm / aes-s390x.pl

diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl
index 1495917d261cc28d6b1b095b9fed2e331ca57b13..bab566223bce19d2c17c1c7f00734d1c9b827a78 100644 (file)
--- a/crypto/aes/asm/aes-s390x.pl
+++ b/crypto/aes/asm/aes-s390x.pl
@@ -44,7 +44,7 @@
 # minimize/avoid Address Generation Interlock hazard and to favour
 # dual-issue z10 pipeline. This gave ~25% improvement on z10 and
 # almost 50% on z9. The gain is smaller on z10, because being dual-
-# issue z10 makes it improssible to eliminate the interlock condition:
+# issue z10 makes it impossible to eliminate the interlock condition:
 # critial path is not long enough. Yet it spends ~24 cycles per byte
 # processed with 128-bit key.
 #
@@ -1086,7 +1086,7 @@ $code.=<<___ if (!$softonly);
        lhi     $t1,16
        cr      $t0,$t1
        jl      .Lgo
-       oill    $t0,0x80        # set "decrypt" bit
+       oill    $t0,S390X_DECRYPT       # set "decrypt" bit
        st      $t0,240($key)
        br      $ra
 ___
@@ -1225,7 +1225,7 @@ $code.=<<___ if (!$softonly);
 .align 16
 .Lkmc_truncated:
        ahi     $key,-1         # it's the way it's encoded in mvc
-       tmll    %r0,0x80
+       tmll    %r0,S390X_DECRYPT
        jnz     .Lkmc_truncated_dec
        lghi    %r1,0
        stg     %r1,16*$SIZE_T($sp)
@@ -1405,7 +1405,61 @@ $code.=<<___ if (!$softonly);
        clr     %r0,%r1
        jl      .Lctr32_software
 
-       stm${g} %r6,$s3,6*$SIZE_T($sp)
+       st${g}  $s2,10*$SIZE_T($sp)
+       st${g}  $s3,11*$SIZE_T($sp)
+
+       clr     $len,%r1                # does work even in 64-bit mode
+       jle     .Lctr32_nokma           # kma is slower for <= 16 blocks
+
+       larl    %r1,OPENSSL_s390xcap_P
+       lr      $s2,%r0
+       llihh   $s3,0x8000
+       srlg    $s3,$s3,0($s2)
+       ng      $s3,S390X_KMA(%r1)              # check kma capability vector
+       jz      .Lctr32_nokma
+
+       l${g}hi %r1,-$stdframe-112
+       l${g}r  $s3,$sp
+       la      $sp,0(%r1,$sp)                  # prepare parameter block
+
+       lhi     %r1,0x0600
+       sllg    $len,$len,4
+       or      %r0,%r1                         # set HS and LAAD flags
+
+       st${g}  $s3,0($sp)                      # backchain
+       la      %r1,$stdframe($sp)
+
+       lmg     $s2,$s3,0($key)                 # copy key
+       stg     $s2,$stdframe+80($sp)
+       stg     $s3,$stdframe+88($sp)
+       lmg     $s2,$s3,16($key)
+       stg     $s2,$stdframe+96($sp)
+       stg     $s3,$stdframe+104($sp)
+
+       lmg     $s2,$s3,0($ivp)                 # copy iv
+       stg     $s2,$stdframe+64($sp)
+       ahi     $s3,-1                          # kma requires counter-1
+       stg     $s3,$stdframe+72($sp)
+       st      $s3,$stdframe+12($sp)           # copy counter
+
+       lghi    $s2,0                           # no AAD
+       lghi    $s3,0
+
+       .long   0xb929a042      # kma $out,$s2,$inp
+       brc     1,.-4           # pay attention to "partial completion"
+
+       stg     %r0,$stdframe+80($sp)           # wipe key
+       stg     %r0,$stdframe+88($sp)
+       stg     %r0,$stdframe+96($sp)
+       stg     %r0,$stdframe+104($sp)
+       la      $sp,$stdframe+112($sp)
+
+       lm${g}  $s2,$s3,10*$SIZE_T($sp)
+       br      $ra
+
+.align 16
+.Lctr32_nokma:
+       stm${g} %r6,$s1,6*$SIZE_T($sp)
 
        slgr    $out,$inp
        la      %r1,0($key)     # %r1 is permanent copy of $key