3 # ====================================================================
4 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
12 # This is AESNI-CBC+SHA1 "stitch" implementation. The idea, as spelled
13 # in http://download.intel.com/design/intarch/papers/323686.pdf, is
14 # that since AESNI-CBC encrypt exhibit *very* low instruction-level
15 # parallelism, interleaving it with another algorithm would allow to
16 # utilize processor resources better and achieve better performance.
17 # SHA1 instruction sequences(*) are taken from sha1-x86_64.pl and
18 # AESNI code is weaved into it. Below are performance numbers in
19 # cycles per processed byte, less is better, for standalone AESNI-CBC
20 # encrypt, sum of the latter and standalone SHA1, and "stitched"
23 # AES-128-CBC +SHA1 stitch gain
24 # Westmere 3.77[+5.3] 9.07 6.55 +38%
25 # Sandy Bridge 5.05[+5.0(6.1)] 10.06(11.15) 5.98(7.05) +68%(+58%)
26 # Ivy Bridge 5.05[+4.6] 9.65 5.54 +74%
27 # Haswell 4.43[+3.6(4.2)] 8.00(8.58) 4.55(5.21) +75%(+65%)
28 # Bulldozer 5.77[+6.0] 11.72 6.37 +84%
31 # Westmere 4.51 9.81 6.80 +44%
32 # Sandy Bridge 6.05 11.06(12.15) 6.11(7.19) +81%(+69%)
33 # Ivy Bridge 6.05 10.65 6.07 +75%
34 # Haswell 5.29 8.86(9.44) 5.32(5.32) +67%(+77%)
35 # Bulldozer 6.89 12.84 6.96 +84%
38 # Westmere 5.25 10.55 7.21 +46%
39 # Sandy Bridge 7.05 12.06(13.15) 7.12(7.72) +69%(+70%)
40 # Ivy Bridge 7.05 11.65 7.12 +64%
41 # Haswell 6.19 9.76(10.34) 6.21(6.25) +57%(+65%)
42 # Bulldozer 8.00 13.95 8.25 +69%
44 # (*) There are two code paths: SSSE3 and AVX. See sha1-568.pl for
45 # background information. Above numbers in parentheses are SSSE3
46 # results collected on AVX-capable CPU, i.e. apply on OSes that
49 # Needless to mention that it makes no sense to implement "stitched"
50 # *decrypt* subroutine. Because *both* AESNI-CBC decrypt and SHA1
51 # fully utilize parallelism, so stitching would not give any gain
52 # anyway. Well, there might be some, e.g. because of better cache
53 # locality... For reference, here are performance results for
54 # standalone AESNI-CBC decrypt:
56 # AES-128-CBC AES-192-CBC AES-256-CBC
57 # Westmere 1.25 1.50 1.75
58 # Sandy Bridge 0.74 0.91 1.09
59 # Ivy Bridge 0.74 0.90 1.11
60 # Haswell 0.63 0.76 0.88
61 # Bulldozer 0.70 0.85 0.99
65 # AES-256-CBC +SHA1 stitch gain
66 # Westmere 1.75 7.20 6.68 +7.8%
67 # Sandy Bridge 1.09 6.09(7.22) 5.82(6.95) +4.6%(+3.9%)
68 # Ivy Bridge 1.11 5.70 5.45 +4.6%
69 # Haswell 0.88 4.45(5.00) 4.39(4.69) +1.4%(*)(+6.6%)
70 # Bulldozer 0.99 6.95 5.95 +17%(**)
72 # (*) Tiny improvement coefficient on Haswell is because we compare
73 # AVX1 stitch to sum with AVX2 SHA1.
74 # (**) Execution is fully dominated by integer code sequence and
75 # SIMD still hardly shows [in single-process benchmark;-]
79 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
81 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
83 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
84 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
85 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
86 die "can't locate x86_64-xlate.pl";
88 $avx=1 if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
89 =~ /GNU assembler version ([2-9]\.[0-9]+)/ &&
91 $avx=1 if (!$avx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
92 `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/ &&
94 $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
95 `ml64 2>&1` =~ /Version ([0-9]+)\./ &&
100 open OUT,"| \"$^X\" $xlate $flavour $output";
103 # void aesni_cbc_sha1_enc(const void *inp,
106 # const AES_KEY *key,
113 .extern OPENSSL_ia32cap_P
115 .globl aesni_cbc_sha1_enc
116 .type aesni_cbc_sha1_enc,\@abi-omnipotent
119 # caller should check for SSSE3 and AES-NI bits
120 mov OPENSSL_ia32cap_P+0(%rip),%r10d
121 mov OPENSSL_ia32cap_P+4(%rip),%r11d
123 $code.=<<___ if ($avx);
124 and \$`1<<28`,%r11d # mask AVX bit
125 and \$`1<<30`,%r10d # mask "Intel CPU" bit
127 cmp \$`1<<28|1<<30`,%r10d
128 je aesni_cbc_sha1_enc_avx
131 jmp aesni_cbc_sha1_enc_ssse3
133 .size aesni_cbc_sha1_enc,.-aesni_cbc_sha1_enc
136 my ($in0,$out,$len,$key,$ivp,$ctx,$inp)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9","%r10");
139 my @X=map("%xmm$_",(4..7,0..3));
140 my @Tx=map("%xmm$_",(8..10));
141 my @V=($A,$B,$C,$D,$E)=("%eax","%ebx","%ecx","%edx","%ebp"); # size optimization
142 my @T=("%esi","%edi");
143 my $j=0; my $jj=0; my $r=0; my $sn=0; my $rx=0;
145 my ($rndkey0,$iv,$in)=map("%xmm$_",(11..13)); # for enc
146 my @rndkey=("%xmm14","%xmm15"); # for enc
147 my ($inout0,$inout1,$inout2,$inout3)=map("%xmm$_",(12..15)); # for dec
149 if (1) { # reassign for Atom Silvermont
150 # The goal is to minimize amount of instructions with more than
151 # 3 prefix bytes. Or in more practical terms to keep AES-NI *and*
152 # SSSE3 instructions to upper half of the register bank.
153 @X=map("%xmm$_",(8..11,4..7));
154 @Tx=map("%xmm$_",(12,13,3));
155 ($iv,$in,$rndkey0)=map("%xmm$_",(2,14,15));
156 @rndkey=("%xmm0","%xmm1");
159 sub AUTOLOAD() # thunk [simplified] 32-bit style perlasm
160 { my $opcode = $AUTOLOAD; $opcode =~ s/.*:://;
162 $arg = "\$$arg" if ($arg*1 eq $arg);
163 $code .= "\t$opcode\t".join(',',$arg,reverse @_)."\n";
166 my $_rol=sub { &rol(@_) };
167 my $_ror=sub { &ror(@_) };
170 .type aesni_cbc_sha1_enc_ssse3,\@function,6
172 aesni_cbc_sha1_enc_ssse3:
173 mov `($win64?56:8)`(%rsp),$inp # load 7th argument
174 #shr \$6,$len # debugging artefact
175 #jz .Lepilogue_ssse3 # debugging artefact
182 lea `-104-($win64?10*16:0)`(%rsp),%rsp
183 #mov $in0,$inp # debugging artefact
184 #lea 64(%rsp),$ctx # debugging artefact
186 $code.=<<___ if ($win64);
187 movaps %xmm6,96+0(%rsp)
188 movaps %xmm7,96+16(%rsp)
189 movaps %xmm8,96+32(%rsp)
190 movaps %xmm9,96+48(%rsp)
191 movaps %xmm10,96+64(%rsp)
192 movaps %xmm11,96+80(%rsp)
193 movaps %xmm12,96+96(%rsp)
194 movaps %xmm13,96+112(%rsp)
195 movaps %xmm14,96+128(%rsp)
196 movaps %xmm15,96+144(%rsp)
200 mov $in0,%r12 # reassign arguments
204 movdqu ($ivp),$iv # load IV
205 mov $ivp,88(%rsp) # save $ivp
207 ($in0,$out,$len,$key)=map("%r$_",(12..15)); # reassign arguments
208 my $rounds="${ivp}d";
212 mov 240($key),$rounds
213 add $inp,$len # end of input
215 lea K_XX_XX(%rip),$K_XX_XX
216 mov 0($ctx),$A # load context
220 mov $B,@T[0] # magic seed
226 movdqa 64($K_XX_XX),@Tx[2] # pbswap mask
227 movdqa 0($K_XX_XX),@Tx[1] # K_00_19
228 movdqu 0($inp),@X[-4&7] # load input to %xmm[0-3]
229 movdqu 16($inp),@X[-3&7]
230 movdqu 32($inp),@X[-2&7]
231 movdqu 48($inp),@X[-1&7]
232 pshufb @Tx[2],@X[-4&7] # byte swap
233 pshufb @Tx[2],@X[-3&7]
234 pshufb @Tx[2],@X[-2&7]
236 paddd @Tx[1],@X[-4&7] # add K_00_19
237 pshufb @Tx[2],@X[-1&7]
238 paddd @Tx[1],@X[-3&7]
239 paddd @Tx[1],@X[-2&7]
240 movdqa @X[-4&7],0(%rsp) # X[]+K xfer to IALU
241 psubd @Tx[1],@X[-4&7] # restore X[]
242 movdqa @X[-3&7],16(%rsp)
243 psubd @Tx[1],@X[-3&7]
244 movdqa @X[-2&7],32(%rsp)
245 psubd @Tx[1],@X[-2&7]
246 movups ($key),$rndkey0 # $key[0]
247 movups 16($key),$rndkey[0] # forward reference
253 my ($n,$k)=($r/10,$r%10);
256 movups `16*$n`($in0),$in # load input
259 $code.=<<___ if ($n);
260 movups $iv,`16*($n-1)`($out,$in0) # write output
264 aesenc $rndkey[0],$iv
265 movups `32+16*$k`($key),$rndkey[1]
272 movups `32+16*($k+0)`($key),$rndkey[1]
273 aesenc $rndkey[0],$iv
274 movups `32+16*($k+1)`($key),$rndkey[0]
275 aesenc $rndkey[1],$iv
277 movups `32+16*($k+2)`($key),$rndkey[1]
278 aesenc $rndkey[0],$iv
279 movups `32+16*($k+3)`($key),$rndkey[0]
280 aesenc $rndkey[1],$iv
282 aesenclast $rndkey[0],$iv
283 movups 16($key),$rndkey[1] # forward reference
287 aesenc $rndkey[0],$iv
288 movups `32+16*$k`($key),$rndkey[1]
291 $r++; unshift(@rndkey,pop(@rndkey));
294 sub Xupdate_ssse3_16_31() # recall that $Xi starts wtih 4
297 my @insns = (&$body,&$body,&$body,&$body); # 40 instructions
300 eval(shift(@insns)); # ror
301 &pshufd (@X[0],@X[-4&7],0xee); # was &movdqa (@X[0],@X[-3&7]);
303 &movdqa (@Tx[0],@X[-1&7]);
304 &paddd (@Tx[1],@X[-1&7]);
308 &punpcklqdq(@X[0],@X[-3&7]); # compose "X[-14]" in "X[0]", was &palignr(@X[0],@X[-4&7],8);
310 eval(shift(@insns)); # rol
312 &psrldq (@Tx[0],4); # "X[-3]", 3 dwords
316 &pxor (@X[0],@X[-4&7]); # "X[0]"^="X[-16]"
318 eval(shift(@insns)); # ror
319 &pxor (@Tx[0],@X[-2&7]); # "X[-3]"^"X[-8]"
324 &pxor (@X[0],@Tx[0]); # "X[0]"^="X[-3]"^"X[-8]"
326 eval(shift(@insns)); # rol
327 &movdqa (eval(16*(($Xi-1)&3))."(%rsp)",@Tx[1]); # X[]+K xfer to IALU
331 &movdqa (@Tx[2],@X[0]);
334 eval(shift(@insns)); # ror
335 &movdqa (@Tx[0],@X[0]);
338 &pslldq (@Tx[2],12); # "X[0]"<<96, extract one dword
339 &paddd (@X[0],@X[0]);
345 eval(shift(@insns)); # rol
347 &movdqa (@Tx[1],@Tx[2]);
353 eval(shift(@insns)); # ror
354 &por (@X[0],@Tx[0]); # "X[0]"<<<=1
360 &pxor (@X[0],@Tx[2]);
362 &movdqa (@Tx[2],eval(16*(($Xi)/5))."($K_XX_XX)"); # K_XX_XX
363 eval(shift(@insns)); # rol
367 &pxor (@X[0],@Tx[1]); # "X[0]"^=("X[0]">>96)<<<2
368 &pshufd (@Tx[1],@X[-1&7],0xee) if ($Xi==7); # was &movdqa (@Tx[0],@X[-1&7]) in Xupdate_ssse3_32_79
370 foreach (@insns) { eval; } # remaining instructions [if any]
372 $Xi++; push(@X,shift(@X)); # "rotate" X[]
373 push(@Tx,shift(@Tx));
376 sub Xupdate_ssse3_32_79()
379 my @insns = (&$body,&$body,&$body,&$body); # 32 to 44 instructions
382 eval(shift(@insns)) if ($Xi==8);
383 &pxor (@X[0],@X[-4&7]); # "X[0]"="X[-32]"^"X[-16]"
384 eval(shift(@insns)) if ($Xi==8);
385 eval(shift(@insns)); # body_20_39
387 eval(shift(@insns)) if (@insns[1] =~ /_ror/);
388 eval(shift(@insns)) if (@insns[0] =~ /_ror/);
389 &punpcklqdq(@Tx[0],@X[-1&7]); # compose "X[-6]", was &palignr(@Tx[0],@X[-2&7],8);
391 eval(shift(@insns)); # rol
393 &pxor (@X[0],@X[-7&7]); # "X[0]"^="X[-28]"
397 &movdqa (@Tx[2],@Tx[1]);# "perpetuate" K_XX_XX...
398 } else { # ... or load next one
399 &movdqa (@Tx[2],eval(16*($Xi/5))."($K_XX_XX)");
401 eval(shift(@insns)); # ror
402 &paddd (@Tx[1],@X[-1&7]);
405 &pxor (@X[0],@Tx[0]); # "X[0]"^="X[-6]"
406 eval(shift(@insns)); # body_20_39
409 eval(shift(@insns)); # rol
410 eval(shift(@insns)) if (@insns[0] =~ /_ror/);
412 &movdqa (@Tx[0],@X[0]);
415 &movdqa (eval(16*(($Xi-1)&3))."(%rsp)",@Tx[1]); # X[]+K xfer to IALU
416 eval(shift(@insns)); # ror
418 eval(shift(@insns)); # body_20_39
424 eval(shift(@insns)) if (@insns[0] =~ /_rol/);# rol
427 eval(shift(@insns)); # ror
429 &por (@X[0],@Tx[0]); # "X[0]"<<<=2
431 eval(shift(@insns)); # body_20_39
432 eval(shift(@insns)) if (@insns[1] =~ /_rol/);
433 eval(shift(@insns)) if (@insns[0] =~ /_rol/);
434 &pshufd(@Tx[1],@X[-1&7],0xee) if ($Xi<19); # was &movdqa (@Tx[1],@X[0])
436 eval(shift(@insns)); # rol
439 eval(shift(@insns)); # rol
442 foreach (@insns) { eval; } # remaining instructions
444 $Xi++; push(@X,shift(@X)); # "rotate" X[]
445 push(@Tx,shift(@Tx));
448 sub Xuplast_ssse3_80()
451 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
458 &paddd (@Tx[1],@X[-1&7]);
462 &movdqa (eval(16*(($Xi-1)&3))."(%rsp)",@Tx[1]); # X[]+K xfer IALU
464 foreach (@insns) { eval; } # remaining instructions
469 unshift(@Tx,pop(@Tx));
471 &movdqa (@Tx[2],"64($K_XX_XX)"); # pbswap mask
472 &movdqa (@Tx[1],"0($K_XX_XX)"); # K_00_19
473 &movdqu (@X[-4&7],"0($inp)"); # load input
474 &movdqu (@X[-3&7],"16($inp)");
475 &movdqu (@X[-2&7],"32($inp)");
476 &movdqu (@X[-1&7],"48($inp)");
477 &pshufb (@X[-4&7],@Tx[2]); # byte swap
486 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
492 &pshufb (@X[($Xi-3)&7],@Tx[2]);
497 &paddd (@X[($Xi-4)&7],@Tx[1]);
502 &movdqa (eval(16*$Xi)."(%rsp)",@X[($Xi-4)&7]); # X[]+K xfer to IALU
507 &psubd (@X[($Xi-4)&7],@Tx[1]);
509 foreach (@insns) { eval; }
516 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
519 foreach (@insns) { eval; }
523 '($a,$b,$c,$d,$e)=@V;'.
524 '&$_ror ($b,$j?7:2);', # $b>>>2
526 '&mov (@T[1],$a);', # $b for next round
528 '&add ($e,eval(4*($j&15))."(%rsp)");',# X[]+K xfer
529 '&xor ($b,$c);', # $c^$d for next round
533 '&and (@T[1],$b);', # ($b&($c^$d)) for next round
535 '&xor ($b,$c);', # restore $b
536 '&add ($e,$a);' .'$j++; unshift(@V,pop(@V)); unshift(@T,pop(@T));'
539 sub body_00_19 () { # ((c^d)&b)^d
540 # on start @T[0]=(c^d)&b
541 return &body_20_39() if ($rx==19); $rx++;
548 $k = (($jj+1)*12/20)*20*$n/12; # 12 aesencs per these 20 rounds
549 @r[$k%$n].='&$aesenc();' if ($jj==$k/$n);
556 '($a,$b,$c,$d,$e)=@V;'.
557 '&add ($e,eval(4*($j&15))."(%rsp)");',# X[]+K xfer
558 '&xor (@T[0],$d) if($j==19);'.
559 '&xor (@T[0],$c) if($j> 19);', # ($b^$d^$c)
560 '&mov (@T[1],$a);', # $b for next round
564 '&xor (@T[1],$c) if ($j< 79);', # $b^$d for next round
566 '&$_ror ($b,7);', # $b>>>2
567 '&add ($e,$a);' .'$j++; unshift(@V,pop(@V)); unshift(@T,pop(@T));'
570 sub body_20_39 () { # b^d^c
572 return &body_40_59() if ($rx==39); $rx++;
579 $k = (($jj+1)*8/20)*20*$n/8; # 8 aesencs per these 20 rounds
580 @r[$k%$n].='&$aesenc();' if ($jj==$k/$n && $rx!=20);
587 '($a,$b,$c,$d,$e)=@V;'.
588 '&add ($e,eval(4*($j&15))."(%rsp)");',# X[]+K xfer
589 '&and (@T[0],$c) if ($j>=40);', # (b^c)&(c^d)
590 '&xor ($c,$d) if ($j>=40);', # restore $c
592 '&$_ror ($b,7);', # $b>>>2
593 '&mov (@T[1],$a);', # $b for next round
598 '&xor (@T[1],$c) if ($j==59);'.
599 '&xor (@T[1],$b) if ($j< 59);', # b^c for next round
601 '&xor ($b,$c) if ($j< 59);', # c^d for next round
602 '&add ($e,$a);' .'$j++; unshift(@V,pop(@V)); unshift(@T,pop(@T));'
605 sub body_40_59 () { # ((b^c)&(c^d))^c
606 # on entry @T[0]=(b^c), (c^=d)
614 $k=(($jj+1)*12/20)*20*$n/12; # 12 aesencs per these 20 rounds
615 @r[$k%$n].='&$aesenc();' if ($jj==$k/$n && $rx!=40);
624 &Xupdate_ssse3_16_31(\&body_00_19);
625 &Xupdate_ssse3_16_31(\&body_00_19);
626 &Xupdate_ssse3_16_31(\&body_00_19);
627 &Xupdate_ssse3_16_31(\&body_00_19);
628 &Xupdate_ssse3_32_79(\&body_00_19);
629 &Xupdate_ssse3_32_79(\&body_20_39);
630 &Xupdate_ssse3_32_79(\&body_20_39);
631 &Xupdate_ssse3_32_79(\&body_20_39);
632 &Xupdate_ssse3_32_79(\&body_20_39);
633 &Xupdate_ssse3_32_79(\&body_20_39);
634 &Xupdate_ssse3_32_79(\&body_40_59);
635 &Xupdate_ssse3_32_79(\&body_40_59);
636 &Xupdate_ssse3_32_79(\&body_40_59);
637 &Xupdate_ssse3_32_79(\&body_40_59);
638 &Xupdate_ssse3_32_79(\&body_40_59);
639 &Xupdate_ssse3_32_79(\&body_20_39);
640 &Xuplast_ssse3_80(\&body_20_39,".Ldone_ssse3"); # can jump to "done"
642 $saved_j=$j; @saved_V=@V;
643 $saved_r=$r; @saved_rndkey=@rndkey;
645 &Xloop_ssse3(\&body_20_39);
646 &Xloop_ssse3(\&body_20_39);
647 &Xloop_ssse3(\&body_20_39);
650 movups $iv,48($out,$in0) # write output
653 add 0($ctx),$A # update context
660 mov @T[0],$B # magic seed
671 $jj=$j=$saved_j; @V=@saved_V;
672 $r=$saved_r; @rndkey=@saved_rndkey;
674 &Xtail_ssse3(\&body_20_39);
675 &Xtail_ssse3(\&body_20_39);
676 &Xtail_ssse3(\&body_20_39);
679 movups $iv,48($out,$in0) # write output
680 mov 88(%rsp),$ivp # restore $ivp
682 add 0($ctx),$A # update context
692 movups $iv,($ivp) # write IV
694 $code.=<<___ if ($win64);
695 movaps 96+0(%rsp),%xmm6
696 movaps 96+16(%rsp),%xmm7
697 movaps 96+32(%rsp),%xmm8
698 movaps 96+48(%rsp),%xmm9
699 movaps 96+64(%rsp),%xmm10
700 movaps 96+80(%rsp),%xmm11
701 movaps 96+96(%rsp),%xmm12
702 movaps 96+112(%rsp),%xmm13
703 movaps 96+128(%rsp),%xmm14
704 movaps 96+144(%rsp),%xmm15
707 lea `104+($win64?10*16:0)`(%rsp),%rsi
717 .size aesni_cbc_sha1_enc_ssse3,.-aesni_cbc_sha1_enc_ssse3
720 if ($stitched_decrypt) {{{
722 ($in0,$out,$len,$key,$ivp,$ctx,$inp)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9","%r10");
726 # reassign for Atom Silvermont (see above)
727 ($inout0,$inout1,$inout2,$inout3,$rndkey0)=map("%xmm$_",(0..4));
728 @X=map("%xmm$_",(8..13,6,7));
729 @Tx=map("%xmm$_",(14,15,5));
732 '&movdqu($inout0,"0x00($in0)");',
733 '&movdqu($inout1,"0x10($in0)"); &pxor ($inout0,$rndkey0);',
734 '&movdqu($inout2,"0x20($in0)"); &pxor ($inout1,$rndkey0);',
735 '&movdqu($inout3,"0x30($in0)"); &pxor ($inout2,$rndkey0);',
737 '&pxor ($inout3,$rndkey0); &movups ($rndkey0,"16-112($key)");',
738 '&movaps("64(%rsp)",@X[2]);', # save IV, originally @X[3]
741 for ($i=0;$i<13;$i++) {
743 '&aesdec ($inout0,$rndkey0);',
744 '&aesdec ($inout1,$rndkey0);',
745 '&aesdec ($inout2,$rndkey0);',
746 '&aesdec ($inout3,$rndkey0); &movups($rndkey0,"'.(16*($i+2)-112).'($key)");'
748 push (@aes256_dec,(undef,undef)) if (($i>=3 && $i<=5) || $i>=11);
749 push (@aes256_dec,(undef,undef)) if ($i==5);
752 '&aesdeclast ($inout0,$rndkey0); &movups (@X[0],"0x00($in0)");',
753 '&aesdeclast ($inout1,$rndkey0); &movups (@X[1],"0x10($in0)");',
754 '&aesdeclast ($inout2,$rndkey0); &movups (@X[2],"0x20($in0)");',
755 '&aesdeclast ($inout3,$rndkey0); &movups (@X[3],"0x30($in0)");',
757 '&xorps ($inout0,"64(%rsp)"); &movdqu ($rndkey0,"-112($key)");',
758 '&xorps ($inout1,@X[0]); &movups ("0x00($out,$in0)",$inout0);',
759 '&xorps ($inout2,@X[1]); &movups ("0x10($out,$in0)",$inout1);',
760 '&xorps ($inout3,@X[2]); &movups ("0x20($out,$in0)",$inout2);',
762 '&movups ("0x30($out,$in0)",$inout3);'
765 sub body_00_19_dec () { # ((c^d)&b)^d
766 # on start @T[0]=(c^d)&b
767 return &body_20_39_dec() if ($rx==19);
771 unshift (@r,@aes256_dec[$rx]) if (@aes256_dec[$rx]);
777 sub body_20_39_dec () { # b^d^c
779 return &body_40_59_dec() if ($rx==39);
783 unshift (@r,@aes256_dec[$rx]) if (@aes256_dec[$rx]);
789 sub body_40_59_dec () { # ((b^c)&(c^d))^c
790 # on entry @T[0]=(b^c), (c^=d)
794 unshift (@r,@aes256_dec[$rx]) if (@aes256_dec[$rx]);
801 .globl aesni256_cbc_sha1_dec
802 .type aesni256_cbc_sha1_dec,\@abi-omnipotent
804 aesni256_cbc_sha1_dec:
805 # caller should check for SSSE3 and AES-NI bits
806 mov OPENSSL_ia32cap_P+0(%rip),%r10d
807 mov OPENSSL_ia32cap_P+4(%rip),%r11d
809 $code.=<<___ if ($avx);
810 and \$`1<<28`,%r11d # mask AVX bit
811 and \$`1<<30`,%r10d # mask "Intel CPU" bit
813 cmp \$`1<<28|1<<30`,%r10d
814 je aesni256_cbc_sha1_dec_avx
817 jmp aesni256_cbc_sha1_dec_ssse3
819 .size aesni256_cbc_sha1_dec,.-aesni256_cbc_sha1_dec
821 .type aesni256_cbc_sha1_dec_ssse3,\@function,6
823 aesni256_cbc_sha1_dec_ssse3:
824 mov `($win64?56:8)`(%rsp),$inp # load 7th argument
831 lea `-104-($win64?10*16:0)`(%rsp),%rsp
833 $code.=<<___ if ($win64);
834 movaps %xmm6,96+0(%rsp)
835 movaps %xmm7,96+16(%rsp)
836 movaps %xmm8,96+32(%rsp)
837 movaps %xmm9,96+48(%rsp)
838 movaps %xmm10,96+64(%rsp)
839 movaps %xmm11,96+80(%rsp)
840 movaps %xmm12,96+96(%rsp)
841 movaps %xmm13,96+112(%rsp)
842 movaps %xmm14,96+128(%rsp)
843 movaps %xmm15,96+144(%rsp)
844 .Lprologue_dec_ssse3:
847 mov $in0,%r12 # reassign arguments
850 lea 112($key),%r15 # size optimization
851 movdqu ($ivp),@X[3] # load IV
852 #mov $ivp,88(%rsp) # save $ivp
854 ($in0,$out,$len,$key)=map("%r$_",(12..15)); # reassign arguments
858 add $inp,$len # end of input
860 lea K_XX_XX(%rip),$K_XX_XX
861 mov 0($ctx),$A # load context
865 mov $B,@T[0] # magic seed
871 movdqa 64($K_XX_XX),@Tx[2] # pbswap mask
872 movdqa 0($K_XX_XX),@Tx[1] # K_00_19
873 movdqu 0($inp),@X[-4&7] # load input to %xmm[0-3]
874 movdqu 16($inp),@X[-3&7]
875 movdqu 32($inp),@X[-2&7]
876 movdqu 48($inp),@X[-1&7]
877 pshufb @Tx[2],@X[-4&7] # byte swap
879 pshufb @Tx[2],@X[-3&7]
880 pshufb @Tx[2],@X[-2&7]
881 pshufb @Tx[2],@X[-1&7]
882 paddd @Tx[1],@X[-4&7] # add K_00_19
883 paddd @Tx[1],@X[-3&7]
884 paddd @Tx[1],@X[-2&7]
885 movdqa @X[-4&7],0(%rsp) # X[]+K xfer to IALU
886 psubd @Tx[1],@X[-4&7] # restore X[]
887 movdqa @X[-3&7],16(%rsp)
888 psubd @Tx[1],@X[-3&7]
889 movdqa @X[-2&7],32(%rsp)
890 psubd @Tx[1],@X[-2&7]
891 movdqu -112($key),$rndkey0 # $key[0]
897 &Xupdate_ssse3_16_31(\&body_00_19_dec);
898 &Xupdate_ssse3_16_31(\&body_00_19_dec);
899 &Xupdate_ssse3_16_31(\&body_00_19_dec);
900 &Xupdate_ssse3_16_31(\&body_00_19_dec);
901 &Xupdate_ssse3_32_79(\&body_00_19_dec);
902 &Xupdate_ssse3_32_79(\&body_20_39_dec);
903 &Xupdate_ssse3_32_79(\&body_20_39_dec);
904 &Xupdate_ssse3_32_79(\&body_20_39_dec);
905 &Xupdate_ssse3_32_79(\&body_20_39_dec);
906 &Xupdate_ssse3_32_79(\&body_20_39_dec);
907 &Xupdate_ssse3_32_79(\&body_40_59_dec);
908 &Xupdate_ssse3_32_79(\&body_40_59_dec);
909 &Xupdate_ssse3_32_79(\&body_40_59_dec);
910 &Xupdate_ssse3_32_79(\&body_40_59_dec);
911 &Xupdate_ssse3_32_79(\&body_40_59_dec);
912 &Xupdate_ssse3_32_79(\&body_20_39_dec);
913 &Xuplast_ssse3_80(\&body_20_39_dec,".Ldone_dec_ssse3"); # can jump to "done"
915 $saved_j=$j; @saved_V=@V;
918 &Xloop_ssse3(\&body_20_39_dec);
919 &Xloop_ssse3(\&body_20_39_dec);
920 &Xloop_ssse3(\&body_20_39_dec);
922 eval(@aes256_dec[-1]); # last store
926 add 0($ctx),$A # update context
933 mov @T[0],$B # magic seed
944 $jj=$j=$saved_j; @V=@saved_V;
947 &Xtail_ssse3(\&body_20_39_dec);
948 &Xtail_ssse3(\&body_20_39_dec);
949 &Xtail_ssse3(\&body_20_39_dec);
951 eval(@aes256_dec[-1]); # last store
953 add 0($ctx),$A # update context
963 movups @X[3],($ivp) # write IV
965 $code.=<<___ if ($win64);
966 movaps 96+0(%rsp),%xmm6
967 movaps 96+16(%rsp),%xmm7
968 movaps 96+32(%rsp),%xmm8
969 movaps 96+48(%rsp),%xmm9
970 movaps 96+64(%rsp),%xmm10
971 movaps 96+80(%rsp),%xmm11
972 movaps 96+96(%rsp),%xmm12
973 movaps 96+112(%rsp),%xmm13
974 movaps 96+128(%rsp),%xmm14
975 movaps 96+144(%rsp),%xmm15
978 lea `104+($win64?10*16:0)`(%rsp),%rsi
986 .Lepilogue_dec_ssse3:
988 .size aesni256_cbc_sha1_dec_ssse3,.-aesni256_cbc_sha1_dec_ssse3
994 my ($in0,$out,$len,$key,$ivp,$ctx,$inp)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9","%r10");
997 my @X=map("%xmm$_",(4..7,0..3));
998 my @Tx=map("%xmm$_",(8..10));
999 my @V=($A,$B,$C,$D,$E)=("%eax","%ebx","%ecx","%edx","%ebp"); # size optimization
1000 my @T=("%esi","%edi");
1001 my ($rndkey0,$iv,$in)=map("%xmm$_",(11..13));
1002 my @rndkey=("%xmm14","%xmm15");
1003 my ($inout0,$inout1,$inout2,$inout3)=map("%xmm$_",(12..15)); # for dec
1006 my $_rol=sub { &shld(@_[0],@_) };
1007 my $_ror=sub { &shrd(@_[0],@_) };
1010 .type aesni_cbc_sha1_enc_avx,\@function,6
1012 aesni_cbc_sha1_enc_avx:
1013 mov `($win64?56:8)`(%rsp),$inp # load 7th argument
1014 #shr \$6,$len # debugging artefact
1015 #jz .Lepilogue_avx # debugging artefact
1022 lea `-104-($win64?10*16:0)`(%rsp),%rsp
1023 #mov $in0,$inp # debugging artefact
1024 #lea 64(%rsp),$ctx # debugging artefact
1026 $code.=<<___ if ($win64);
1027 movaps %xmm6,96+0(%rsp)
1028 movaps %xmm7,96+16(%rsp)
1029 movaps %xmm8,96+32(%rsp)
1030 movaps %xmm9,96+48(%rsp)
1031 movaps %xmm10,96+64(%rsp)
1032 movaps %xmm11,96+80(%rsp)
1033 movaps %xmm12,96+96(%rsp)
1034 movaps %xmm13,96+112(%rsp)
1035 movaps %xmm14,96+128(%rsp)
1036 movaps %xmm15,96+144(%rsp)
1041 mov $in0,%r12 # reassign arguments
1045 vmovdqu ($ivp),$iv # load IV
1046 mov $ivp,88(%rsp) # save $ivp
1048 ($in0,$out,$len,$key)=map("%r$_",(12..15)); # reassign arguments
1049 my $rounds="${ivp}d";
1053 mov 240($key),$rounds
1054 add \$112,$key # size optimization
1055 add $inp,$len # end of input
1057 lea K_XX_XX(%rip),$K_XX_XX
1058 mov 0($ctx),$A # load context
1062 mov $B,@T[0] # magic seed
1068 vmovdqa 64($K_XX_XX),@X[2] # pbswap mask
1069 vmovdqa 0($K_XX_XX),$Kx # K_00_19
1070 vmovdqu 0($inp),@X[-4&7] # load input to %xmm[0-3]
1071 vmovdqu 16($inp),@X[-3&7]
1072 vmovdqu 32($inp),@X[-2&7]
1073 vmovdqu 48($inp),@X[-1&7]
1074 vpshufb @X[2],@X[-4&7],@X[-4&7] # byte swap
1076 vpshufb @X[2],@X[-3&7],@X[-3&7]
1077 vpshufb @X[2],@X[-2&7],@X[-2&7]
1078 vpshufb @X[2],@X[-1&7],@X[-1&7]
1079 vpaddd $Kx,@X[-4&7],@X[0] # add K_00_19
1080 vpaddd $Kx,@X[-3&7],@X[1]
1081 vpaddd $Kx,@X[-2&7],@X[2]
1082 vmovdqa @X[0],0(%rsp) # X[]+K xfer to IALU
1083 vmovdqa @X[1],16(%rsp)
1084 vmovdqa @X[2],32(%rsp)
1085 vmovups -112($key),$rndkey[1] # $key[0]
1086 vmovups 16-112($key),$rndkey[0] # forward reference
1092 my ($n,$k)=($r/10,$r%10);
1095 vmovdqu `16*$n`($in0),$in # load input
1096 vpxor $rndkey[1],$in,$in
1098 $code.=<<___ if ($n);
1099 vmovups $iv,`16*($n-1)`($out,$in0) # write output
1103 vaesenc $rndkey[0],$iv,$iv
1104 vmovups `32+16*$k-112`($key),$rndkey[1]
1111 vaesenc $rndkey[0],$iv,$iv
1112 vmovups `32+16*($k+0)-112`($key),$rndkey[1]
1113 vaesenc $rndkey[1],$iv,$iv
1114 vmovups `32+16*($k+1)-112`($key),$rndkey[0]
1116 vaesenc $rndkey[0],$iv,$iv
1117 vmovups `32+16*($k+2)-112`($key),$rndkey[1]
1118 vaesenc $rndkey[1],$iv,$iv
1119 vmovups `32+16*($k+3)-112`($key),$rndkey[0]
1121 vaesenclast $rndkey[0],$iv,$iv
1122 vmovups -112($key),$rndkey[0]
1123 vmovups 16-112($key),$rndkey[1] # forward reference
1127 vaesenc $rndkey[0],$iv,$iv
1128 vmovups `32+16*$k-112`($key),$rndkey[1]
1131 $r++; unshift(@rndkey,pop(@rndkey));
1134 sub Xupdate_avx_16_31() # recall that $Xi starts wtih 4
1137 my @insns = (&$body,&$body,&$body,&$body); # 40 instructions
1138 my ($a,$b,$c,$d,$e);
1140 eval(shift(@insns));
1141 eval(shift(@insns));
1142 &vpalignr(@X[0],@X[-3&7],@X[-4&7],8); # compose "X[-14]" in "X[0]"
1143 eval(shift(@insns));
1144 eval(shift(@insns));
1146 &vpaddd (@Tx[1],$Kx,@X[-1&7]);
1147 eval(shift(@insns));
1148 eval(shift(@insns));
1149 &vpsrldq(@Tx[0],@X[-1&7],4); # "X[-3]", 3 dwords
1150 eval(shift(@insns));
1151 eval(shift(@insns));
1152 &vpxor (@X[0],@X[0],@X[-4&7]); # "X[0]"^="X[-16]"
1153 eval(shift(@insns));
1154 eval(shift(@insns));
1156 &vpxor (@Tx[0],@Tx[0],@X[-2&7]); # "X[-3]"^"X[-8]"
1157 eval(shift(@insns));
1158 eval(shift(@insns));
1159 eval(shift(@insns));
1160 eval(shift(@insns));
1162 &vpxor (@X[0],@X[0],@Tx[0]); # "X[0]"^="X[-3]"^"X[-8]"
1163 eval(shift(@insns));
1164 eval(shift(@insns));
1165 &vmovdqa (eval(16*(($Xi-1)&3))."(%rsp)",@Tx[1]); # X[]+K xfer to IALU
1166 eval(shift(@insns));
1167 eval(shift(@insns));
1169 &vpsrld (@Tx[0],@X[0],31);
1170 eval(shift(@insns));
1171 eval(shift(@insns));
1172 eval(shift(@insns));
1173 eval(shift(@insns));
1175 &vpslldq(@Tx[1],@X[0],12); # "X[0]"<<96, extract one dword
1176 &vpaddd (@X[0],@X[0],@X[0]);
1177 eval(shift(@insns));
1178 eval(shift(@insns));
1179 eval(shift(@insns));
1180 eval(shift(@insns));
1182 &vpor (@X[0],@X[0],@Tx[0]); # "X[0]"<<<=1
1183 &vpsrld (@Tx[0],@Tx[1],30);
1184 eval(shift(@insns));
1185 eval(shift(@insns));
1186 eval(shift(@insns));
1187 eval(shift(@insns));
1189 &vpslld (@Tx[1],@Tx[1],2);
1190 &vpxor (@X[0],@X[0],@Tx[0]);
1191 eval(shift(@insns));
1192 eval(shift(@insns));
1193 eval(shift(@insns));
1194 eval(shift(@insns));
1196 &vpxor (@X[0],@X[0],@Tx[1]); # "X[0]"^=("X[0]">>96)<<<2
1197 eval(shift(@insns));
1198 eval(shift(@insns));
1199 &vmovdqa ($Kx,eval(16*(($Xi)/5))."($K_XX_XX)") if ($Xi%5==0); # K_XX_XX
1200 eval(shift(@insns));
1201 eval(shift(@insns));
1204 foreach (@insns) { eval; } # remaining instructions [if any]
1206 $Xi++; push(@X,shift(@X)); # "rotate" X[]
1209 sub Xupdate_avx_32_79()
1212 my @insns = (&$body,&$body,&$body,&$body); # 32 to 48 instructions
1213 my ($a,$b,$c,$d,$e);
1215 &vpalignr(@Tx[0],@X[-1&7],@X[-2&7],8); # compose "X[-6]"
1216 &vpxor (@X[0],@X[0],@X[-4&7]); # "X[0]"="X[-32]"^"X[-16]"
1217 eval(shift(@insns)); # body_20_39
1218 eval(shift(@insns));
1219 eval(shift(@insns));
1220 eval(shift(@insns)); # rol
1222 &vpxor (@X[0],@X[0],@X[-7&7]); # "X[0]"^="X[-28]"
1223 eval(shift(@insns));
1224 eval(shift(@insns)) if (@insns[0] !~ /&ro[rl]/);
1225 &vpaddd (@Tx[1],$Kx,@X[-1&7]);
1226 &vmovdqa ($Kx,eval(16*($Xi/5))."($K_XX_XX)") if ($Xi%5==0);
1227 eval(shift(@insns)); # ror
1228 eval(shift(@insns));
1230 &vpxor (@X[0],@X[0],@Tx[0]); # "X[0]"^="X[-6]"
1231 eval(shift(@insns)); # body_20_39
1232 eval(shift(@insns));
1233 eval(shift(@insns));
1234 eval(shift(@insns)); # rol
1236 &vpsrld (@Tx[0],@X[0],30);
1237 &vmovdqa (eval(16*(($Xi-1)&3))."(%rsp)",@Tx[1]); # X[]+K xfer to IALU
1238 eval(shift(@insns));
1239 eval(shift(@insns));
1240 eval(shift(@insns)); # ror
1241 eval(shift(@insns));
1243 &vpslld (@X[0],@X[0],2);
1244 eval(shift(@insns)); # body_20_39
1245 eval(shift(@insns));
1246 eval(shift(@insns));
1247 eval(shift(@insns)); # rol
1248 eval(shift(@insns));
1249 eval(shift(@insns));
1250 eval(shift(@insns)); # ror
1251 eval(shift(@insns));
1253 &vpor (@X[0],@X[0],@Tx[0]); # "X[0]"<<<=2
1254 eval(shift(@insns)); # body_20_39
1255 eval(shift(@insns));
1256 eval(shift(@insns));
1257 eval(shift(@insns)); # rol
1258 eval(shift(@insns));
1259 eval(shift(@insns));
1260 eval(shift(@insns)); # rol
1261 eval(shift(@insns));
1263 foreach (@insns) { eval; } # remaining instructions
1265 $Xi++; push(@X,shift(@X)); # "rotate" X[]
1268 sub Xuplast_avx_80()
1271 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
1272 my ($a,$b,$c,$d,$e);
1274 eval(shift(@insns));
1275 &vpaddd (@Tx[1],$Kx,@X[-1&7]);
1276 eval(shift(@insns));
1277 eval(shift(@insns));
1278 eval(shift(@insns));
1279 eval(shift(@insns));
1281 &vmovdqa (eval(16*(($Xi-1)&3))."(%rsp)",@Tx[1]); # X[]+K xfer IALU
1283 foreach (@insns) { eval; } # remaining instructions
1288 &vmovdqa(@Tx[1],"64($K_XX_XX)"); # pbswap mask
1289 &vmovdqa($Kx,"0($K_XX_XX)"); # K_00_19
1290 &vmovdqu(@X[-4&7],"0($inp)"); # load input
1291 &vmovdqu(@X[-3&7],"16($inp)");
1292 &vmovdqu(@X[-2&7],"32($inp)");
1293 &vmovdqu(@X[-1&7],"48($inp)");
1294 &vpshufb(@X[-4&7],@X[-4&7],@Tx[1]); # byte swap
1303 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
1304 my ($a,$b,$c,$d,$e);
1306 eval(shift(@insns));
1307 eval(shift(@insns));
1308 &vpshufb(@X[($Xi-3)&7],@X[($Xi-3)&7],@Tx[1]);
1309 eval(shift(@insns));
1310 eval(shift(@insns));
1311 &vpaddd (@Tx[0],@X[($Xi-4)&7],$Kx);
1312 eval(shift(@insns));
1313 eval(shift(@insns));
1314 eval(shift(@insns));
1315 eval(shift(@insns));
1316 &vmovdqa(eval(16*$Xi)."(%rsp)",@Tx[0]); # X[]+K xfer to IALU
1317 eval(shift(@insns));
1318 eval(shift(@insns));
1320 foreach (@insns) { eval; }
1327 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
1328 my ($a,$b,$c,$d,$e);
1330 foreach (@insns) { eval; }
1337 &Xupdate_avx_16_31(\&body_00_19);
1338 &Xupdate_avx_16_31(\&body_00_19);
1339 &Xupdate_avx_16_31(\&body_00_19);
1340 &Xupdate_avx_16_31(\&body_00_19);
1341 &Xupdate_avx_32_79(\&body_00_19);
1342 &Xupdate_avx_32_79(\&body_20_39);
1343 &Xupdate_avx_32_79(\&body_20_39);
1344 &Xupdate_avx_32_79(\&body_20_39);
1345 &Xupdate_avx_32_79(\&body_20_39);
1346 &Xupdate_avx_32_79(\&body_20_39);
1347 &Xupdate_avx_32_79(\&body_40_59);
1348 &Xupdate_avx_32_79(\&body_40_59);
1349 &Xupdate_avx_32_79(\&body_40_59);
1350 &Xupdate_avx_32_79(\&body_40_59);
1351 &Xupdate_avx_32_79(\&body_40_59);
1352 &Xupdate_avx_32_79(\&body_20_39);
1353 &Xuplast_avx_80(\&body_20_39,".Ldone_avx"); # can jump to "done"
1355 $saved_j=$j; @saved_V=@V;
1356 $saved_r=$r; @saved_rndkey=@rndkey;
1358 &Xloop_avx(\&body_20_39);
1359 &Xloop_avx(\&body_20_39);
1360 &Xloop_avx(\&body_20_39);
1363 vmovups $iv,48($out,$in0) # write output
1366 add 0($ctx),$A # update context
1373 mov @T[0],$B # magic seed
1384 $jj=$j=$saved_j; @V=@saved_V;
1385 $r=$saved_r; @rndkey=@saved_rndkey;
1387 &Xtail_avx(\&body_20_39);
1388 &Xtail_avx(\&body_20_39);
1389 &Xtail_avx(\&body_20_39);
1392 vmovups $iv,48($out,$in0) # write output
1393 mov 88(%rsp),$ivp # restore $ivp
1395 add 0($ctx),$A # update context
1405 vmovups $iv,($ivp) # write IV
1408 $code.=<<___ if ($win64);
1409 movaps 96+0(%rsp),%xmm6
1410 movaps 96+16(%rsp),%xmm7
1411 movaps 96+32(%rsp),%xmm8
1412 movaps 96+48(%rsp),%xmm9
1413 movaps 96+64(%rsp),%xmm10
1414 movaps 96+80(%rsp),%xmm11
1415 movaps 96+96(%rsp),%xmm12
1416 movaps 96+112(%rsp),%xmm13
1417 movaps 96+128(%rsp),%xmm14
1418 movaps 96+144(%rsp),%xmm15
1421 lea `104+($win64?10*16:0)`(%rsp),%rsi
1431 .size aesni_cbc_sha1_enc_avx,.-aesni_cbc_sha1_enc_avx
1434 if ($stitched_decrypt) {{{
1436 ($in0,$out,$len,$key,$ivp,$ctx,$inp)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9","%r10");
1438 $j=$jj=$r=$sn=$rx=0;
1442 '&vpxor ($inout0,$rndkey0,"0x00($in0)");',
1443 '&vpxor ($inout1,$rndkey0,"0x10($in0)");',
1444 '&vpxor ($inout2,$rndkey0,"0x20($in0)");',
1445 '&vpxor ($inout3,$rndkey0,"0x30($in0)");',
1447 '&vmovups($rndkey0,"16-112($key)");',
1448 '&vmovups("64(%rsp)",@X[2]);', # save IV, originally @X[3]
1451 for ($i=0;$i<13;$i++) {
1453 '&vaesdec ($inout0,$inout0,$rndkey0);',
1454 '&vaesdec ($inout1,$inout1,$rndkey0);',
1455 '&vaesdec ($inout2,$inout2,$rndkey0);',
1456 '&vaesdec ($inout3,$inout3,$rndkey0); &vmovups($rndkey0,"'.(16*($i+2)-112).'($key)");'
1458 push (@aes256_dec,(undef,undef)) if (($i>=3 && $i<=5) || $i>=11);
1459 push (@aes256_dec,(undef,undef)) if ($i==5);
1462 '&vaesdeclast ($inout0,$inout0,$rndkey0); &vmovups(@X[0],"0x00($in0)");',
1463 '&vaesdeclast ($inout1,$inout1,$rndkey0); &vmovups(@X[1],"0x10($in0)");',
1464 '&vaesdeclast ($inout2,$inout2,$rndkey0); &vmovups(@X[2],"0x20($in0)");',
1465 '&vaesdeclast ($inout3,$inout3,$rndkey0); &vmovups(@X[3],"0x30($in0)");',
1467 '&vxorps ($inout0,$inout0,"64(%rsp)"); &vmovdqu($rndkey0,"-112($key)");',
1468 '&vxorps ($inout1,$inout1,@X[0]); &vmovups("0x00($out,$in0)",$inout0);',
1469 '&vxorps ($inout2,$inout2,@X[1]); &vmovups("0x10($out,$in0)",$inout1);',
1470 '&vxorps ($inout3,$inout3,@X[2]); &vmovups("0x20($out,$in0)",$inout2);',
1472 '&vmovups ("0x30($out,$in0)",$inout3);'
1476 .type aesni256_cbc_sha1_dec_avx,\@function,6
1478 aesni256_cbc_sha1_dec_avx:
1479 mov `($win64?56:8)`(%rsp),$inp # load 7th argument
1486 lea `-104-($win64?10*16:0)`(%rsp),%rsp
1488 $code.=<<___ if ($win64);
1489 movaps %xmm6,96+0(%rsp)
1490 movaps %xmm7,96+16(%rsp)
1491 movaps %xmm8,96+32(%rsp)
1492 movaps %xmm9,96+48(%rsp)
1493 movaps %xmm10,96+64(%rsp)
1494 movaps %xmm11,96+80(%rsp)
1495 movaps %xmm12,96+96(%rsp)
1496 movaps %xmm13,96+112(%rsp)
1497 movaps %xmm14,96+128(%rsp)
1498 movaps %xmm15,96+144(%rsp)
1503 mov $in0,%r12 # reassign arguments
1506 lea 112($key),%r15 # size optimization
1507 vmovdqu ($ivp),@X[3] # load IV
1509 ($in0,$out,$len,$key)=map("%r$_",(12..15)); # reassign arguments
1513 add $inp,$len # end of input
1515 lea K_XX_XX(%rip),$K_XX_XX
1516 mov 0($ctx),$A # load context
1520 mov $B,@T[0] # magic seed
1526 vmovdqa 64($K_XX_XX),@X[2] # pbswap mask
1527 vmovdqa 0($K_XX_XX),$Kx # K_00_19
1528 vmovdqu 0($inp),@X[-4&7] # load input to %xmm[0-3]
1529 vmovdqu 16($inp),@X[-3&7]
1530 vmovdqu 32($inp),@X[-2&7]
1531 vmovdqu 48($inp),@X[-1&7]
1532 vpshufb @X[2],@X[-4&7],@X[-4&7] # byte swap
1534 vpshufb @X[2],@X[-3&7],@X[-3&7]
1535 vpshufb @X[2],@X[-2&7],@X[-2&7]
1536 vpshufb @X[2],@X[-1&7],@X[-1&7]
1537 vpaddd $Kx,@X[-4&7],@X[0] # add K_00_19
1538 vpaddd $Kx,@X[-3&7],@X[1]
1539 vpaddd $Kx,@X[-2&7],@X[2]
1540 vmovdqa @X[0],0(%rsp) # X[]+K xfer to IALU
1541 vmovdqa @X[1],16(%rsp)
1542 vmovdqa @X[2],32(%rsp)
1543 vmovups -112($key),$rndkey0 # $key[0]
1549 &Xupdate_avx_16_31(\&body_00_19_dec);
1550 &Xupdate_avx_16_31(\&body_00_19_dec);
1551 &Xupdate_avx_16_31(\&body_00_19_dec);
1552 &Xupdate_avx_16_31(\&body_00_19_dec);
1553 &Xupdate_avx_32_79(\&body_00_19_dec);
1554 &Xupdate_avx_32_79(\&body_20_39_dec);
1555 &Xupdate_avx_32_79(\&body_20_39_dec);
1556 &Xupdate_avx_32_79(\&body_20_39_dec);
1557 &Xupdate_avx_32_79(\&body_20_39_dec);
1558 &Xupdate_avx_32_79(\&body_20_39_dec);
1559 &Xupdate_avx_32_79(\&body_40_59_dec);
1560 &Xupdate_avx_32_79(\&body_40_59_dec);
1561 &Xupdate_avx_32_79(\&body_40_59_dec);
1562 &Xupdate_avx_32_79(\&body_40_59_dec);
1563 &Xupdate_avx_32_79(\&body_40_59_dec);
1564 &Xupdate_avx_32_79(\&body_20_39_dec);
1565 &Xuplast_avx_80(\&body_20_39_dec,".Ldone_dec_avx"); # can jump to "done"
1567 $saved_j=$j; @saved_V=@V;
1570 &Xloop_avx(\&body_20_39_dec);
1571 &Xloop_avx(\&body_20_39_dec);
1572 &Xloop_avx(\&body_20_39_dec);
1574 eval(@aes256_dec[-1]); # last store
1578 add 0($ctx),$A # update context
1585 mov @T[0],$B # magic seed
1596 $jj=$j=$saved_j; @V=@saved_V;
1599 &Xtail_avx(\&body_20_39_dec);
1600 &Xtail_avx(\&body_20_39_dec);
1601 &Xtail_avx(\&body_20_39_dec);
1603 eval(@aes256_dec[-1]); # last store
1606 add 0($ctx),$A # update context
1616 vmovups @X[3],($ivp) # write IV
1619 $code.=<<___ if ($win64);
1620 movaps 96+0(%rsp),%xmm6
1621 movaps 96+16(%rsp),%xmm7
1622 movaps 96+32(%rsp),%xmm8
1623 movaps 96+48(%rsp),%xmm9
1624 movaps 96+64(%rsp),%xmm10
1625 movaps 96+80(%rsp),%xmm11
1626 movaps 96+96(%rsp),%xmm12
1627 movaps 96+112(%rsp),%xmm13
1628 movaps 96+128(%rsp),%xmm14
1629 movaps 96+144(%rsp),%xmm15
1632 lea `104+($win64?10*16:0)`(%rsp),%rsi
1642 .size aesni256_cbc_sha1_dec_avx,.-aesni256_cbc_sha1_dec_avx
1649 .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 # K_00_19
1650 .long 0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1 # K_20_39
1651 .long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc # K_40_59
1652 .long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 # K_60_79
1653 .long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f # pbswap mask
1655 .asciz "AESNI-CBC+SHA1 stitch for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
1659 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
1660 # CONTEXT *context,DISPATCHER_CONTEXT *disp)
1668 .extern __imp_RtlVirtualUnwind
1669 .type ssse3_handler,\@abi-omnipotent
1683 mov 120($context),%rax # pull context->Rax
1684 mov 248($context),%rbx # pull context->Rip
1686 mov 8($disp),%rsi # disp->ImageBase
1687 mov 56($disp),%r11 # disp->HandlerData
1689 mov 0(%r11),%r10d # HandlerData[0]
1690 lea (%rsi,%r10),%r10 # prologue label
1691 cmp %r10,%rbx # context->Rip<prologue label
1692 jb .Lcommon_seh_tail
1694 mov 152($context),%rax # pull context->Rsp
1696 mov 4(%r11),%r10d # HandlerData[1]
1697 lea (%rsi,%r10),%r10 # epilogue label
1698 cmp %r10,%rbx # context->Rip>=epilogue label
1699 jae .Lcommon_seh_tail
1702 lea 512($context),%rdi # &context.Xmm6
1704 .long 0xa548f3fc # cld; rep movsq
1705 lea `104+10*16`(%rax),%rax # adjust stack pointer
1714 mov %rbx,144($context) # restore context->Rbx
1715 mov %rbp,160($context) # restore context->Rbp
1716 mov %r12,216($context) # restore context->R12
1717 mov %r13,224($context) # restore context->R13
1718 mov %r14,232($context) # restore context->R14
1719 mov %r15,240($context) # restore context->R15
1724 mov %rax,152($context) # restore context->Rsp
1725 mov %rsi,168($context) # restore context->Rsi
1726 mov %rdi,176($context) # restore context->Rdi
1728 mov 40($disp),%rdi # disp->ContextRecord
1729 mov $context,%rsi # context
1730 mov \$154,%ecx # sizeof(CONTEXT)
1731 .long 0xa548f3fc # cld; rep movsq
1734 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
1735 mov 8(%rsi),%rdx # arg2, disp->ImageBase
1736 mov 0(%rsi),%r8 # arg3, disp->ControlPc
1737 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
1738 mov 40(%rsi),%r10 # disp->ContextRecord
1739 lea 56(%rsi),%r11 # &disp->HandlerData
1740 lea 24(%rsi),%r12 # &disp->EstablisherFrame
1741 mov %r10,32(%rsp) # arg5
1742 mov %r11,40(%rsp) # arg6
1743 mov %r12,48(%rsp) # arg7
1744 mov %rcx,56(%rsp) # arg8, (NULL)
1745 call *__imp_RtlVirtualUnwind(%rip)
1747 mov \$1,%eax # ExceptionContinueSearch
1759 .size ssse3_handler,.-ssse3_handler
1763 .rva .LSEH_begin_aesni_cbc_sha1_enc_ssse3
1764 .rva .LSEH_end_aesni_cbc_sha1_enc_ssse3
1765 .rva .LSEH_info_aesni_cbc_sha1_enc_ssse3
1767 $code.=<<___ if ($avx);
1768 .rva .LSEH_begin_aesni_cbc_sha1_enc_avx
1769 .rva .LSEH_end_aesni_cbc_sha1_enc_avx
1770 .rva .LSEH_info_aesni_cbc_sha1_enc_avx
1775 .LSEH_info_aesni_cbc_sha1_enc_ssse3:
1778 .rva .Lprologue_ssse3,.Lepilogue_ssse3 # HandlerData[]
1780 $code.=<<___ if ($avx);
1781 .LSEH_info_aesni_cbc_sha1_enc_avx:
1784 .rva .Lprologue_avx,.Lepilogue_avx # HandlerData[]
1788 ####################################################################
1790 local *opcode=shift;
1794 $rex|=0x04 if($dst>=8);
1795 $rex|=0x01 if($src>=8);
1796 push @opcode,$rex|0x40 if($rex);
1803 if ($line=~/(aes[a-z]+)\s+%xmm([0-9]+),\s*%xmm([0-9]+)/) {
1805 "aesenc" => 0xdc, "aesenclast" => 0xdd,
1806 "aesdec" => 0xde, "aesdeclast" => 0xdf
1808 return undef if (!defined($opcodelet{$1}));
1809 rex(\@opcode,$3,$2);
1810 push @opcode,0x0f,0x38,$opcodelet{$1};
1811 push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
1812 return ".byte\t".join(',',@opcode);
1817 $code =~ s/\`([^\`]*)\`/eval($1)/gem;
1818 $code =~ s/\b(aes.*%xmm[0-9]+).*$/aesni($1)/gem;
projects / openssl.git / blob