3 # ====================================================================
4 # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
10 # This module implements support for Intel AES-NI extension. In
11 # OpenSSL context it's used with Intel engine, but can also be used as
12 # drop-in replacement for crypto/aes/asm/aes-x86_64.pl [see below for
17 # Given aes(enc|dec) instructions' latency asymptotic performance for
18 # non-parallelizable modes such as CBC encrypt is 3.75 cycles per byte
19 # processed with 128-bit key. And given their throughput asymptotic
20 # performance for parallelizable modes is 1.25 cycles per byte. Being
21 # asymptotic limit is not something you commonly achieve in reality,
22 # but how close does one get? Below are results collected for
23 # different modes and block sized. Pairs of numbers are for en-/
26 # 16-byte 64-byte 256-byte 1-KB 8-KB
27 # ECB 4.25/4.25 1.38/1.38 1.28/1.28 1.26/1.26 1.26/1.26
28 # CTR 5.42/5.42 1.92/1.92 1.44/1.44 1.28/1.28 1.26/1.26
29 # CBC 4.38/4.43 4.15/1.43 4.07/1.32 4.07/1.29 4.06/1.28
30 # CCM 5.66/9.42 4.42/5.41 4.16/4.40 4.09/4.15 4.06/4.07
31 # OFB 5.42/5.42 4.64/4.64 4.44/4.44 4.39/4.39 4.38/4.38
32 # CFB 5.73/5.85 5.56/5.62 5.48/5.56 5.47/5.55 5.47/5.55
34 # ECB, CTR, CBC and CCM results are free from EVP overhead. This means
35 # that otherwise used 'openssl speed -evp aes-128-??? -engine aesni
36 # [-decrypt]' will exhibit 10-15% worse results for smaller blocks.
37 # The results were collected with specially crafted speed.c benchmark
38 # in order to compare them with results reported in "Intel Advanced
39 # Encryption Standard (AES) New Instruction Set" White Paper Revision
40 # 3.0 dated May 2010. All above results are consistently better. This
41 # module also provides better performance for block sizes smaller than
42 # 128 bytes in points *not* represented in the above table.
44 # Looking at the results for 8-KB buffer.
46 # CFB and OFB results are far from the limit, because implementation
47 # uses "generic" CRYPTO_[c|o]fb128_encrypt interfaces relying on
48 # single-block aesni_encrypt, which is not the most optimal way to go.
49 # CBC encrypt result is unexpectedly high and there is no documented
50 # explanation for it. Seemingly there is a small penalty for feeding
51 # the result back to AES unit the way it's done in CBC mode. There is
52 # nothing one can do and the result appears optimal. CCM result is
53 # identical to CBC, because CBC-MAC is essentially CBC encrypt without
54 # saving output. CCM CTR "stays invisible," because it's neatly
55 # interleaved wih CBC-MAC. This provides ~30% improvement over
56 # "straghtforward" CCM implementation with CTR and CBC-MAC performed
57 # disjointly. Parallelizable modes practically achieve the theoretical
60 # Looking at how results vary with buffer size.
62 # Curves are practically saturated at 1-KB buffer size. In most cases
63 # "256-byte" performance is >95%, and "64-byte" is ~90% of "8-KB" one.
64 # CTR curve doesn't follow this pattern and is "slowest" changing one
65 # with "256-byte" result being 87% of "8-KB." This is because overhead
66 # in CTR mode is most computationally intensive. Small-block CCM
67 # decrypt is slower than encrypt, because first CTR and last CBC-MAC
68 # iterations can't be interleaved.
70 # Results for 192- and 256-bit keys.
72 # EVP-free results were observed to scale perfectly with number of
73 # rounds for larger block sizes, i.e. 192-bit result being 10/12 times
74 # lower and 256-bit one - 10/14. Well, in CBC encrypt case differences
75 # are a tad smaller, because the above mentioned penalty biases all
76 # results by same constant value. In similar way function call
77 # overhead affects small-block performance, as well as OFB and CFB
78 # results. Differences are not large, most common coefficients are
79 # 10/11.7 and 10/13.4 (as opposite to 10/12.0 and 10/14.0), but one
80 # observe even 10/11.2 and 10/12.4 (CTR, OFB, CFB)...
82 $PREFIX="aesni"; # if $PREFIX is set to "AES", the script
83 # generates drop-in replacement for
84 # crypto/aes/asm/aes-x86_64.pl:-)
88 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
90 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
92 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
93 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
94 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
95 die "can't locate x86_64-xlate.pl";
97 open STDOUT,"| $^X $xlate $flavour $output";
99 $movkey = $PREFIX eq "aesni" ? "movaps" : "movups";
100 @_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
101 ("%rdi","%rsi","%rdx","%rcx"); # Unix order
105 $rounds="%eax"; # input to and changed by aesni_[en|de]cryptN !!!
106 # this is natural Unix argument order for public $PREFIX_[ecb|cbc]_encrypt ...
110 $key="%rcx"; # input to and changed by aesni_[en|de]cryptN !!!
111 $ivp="%r8"; # cbc, ctr, ...
113 $rnds_="%r10d"; # backup copy for $rounds
114 $key_="%r11"; # backup copy for $key
116 # %xmm register layout
117 $inout0="%xmm0"; $inout1="%xmm1";
118 $inout2="%xmm2"; $inout3="%xmm3";
119 $rndkey0="%xmm4"; $rndkey1="%xmm5";
121 $iv="%xmm6"; $in0="%xmm7"; # used in CBC decrypt, CTR, ...
122 $in1="%xmm8"; $in2="%xmm9";
124 # Inline version of internal aesni_[en|de]crypt1.
126 # Why folded loop? Because aes[enc|dec] is slow enough to accommodate
127 # cycles which take care of loop variables...
129 sub aesni_generate1 {
130 my ($p,$key,$rounds,$inout)=@_; $inout=$inout0 if (!defined($inout));
133 movdqu ($key),$rndkey0
134 $movkey 16($key),$rndkey1
138 aes${p} $rndkey1,$inout
140 $movkey ($key),$rndkey1
142 jnz .Loop_${p}1_$sn # loop body is 16 bytes
143 aes${p}last $rndkey1,$inout
146 # void $PREFIX_[en|de]crypt (const void *inp,void *out,const AES_KEY *key);
148 { my ($inp,$out,$key) = @_4args;
151 .globl ${PREFIX}_encrypt
152 .type ${PREFIX}_encrypt,\@abi-omnipotent
155 movdqu ($inp),$inout0 # load input
156 mov 240($key),$rounds # pull $rounds
158 &aesni_generate1("enc",$key,$rounds);
160 movups $inout0,($out) # output
162 .size ${PREFIX}_encrypt,.-${PREFIX}_encrypt
164 .globl ${PREFIX}_decrypt
165 .type ${PREFIX}_decrypt,\@abi-omnipotent
168 movdqu ($inp),$inout0 # load input
169 mov 240($key),$rounds # pull $rounds
171 &aesni_generate1("dec",$key,$rounds);
173 movups $inout0,($out) # output
175 .size ${PREFIX}_decrypt, .-${PREFIX}_decrypt
179 # _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave
180 # factor. Why 3x subroutine is used in loops? Even though aes[enc|dec]
181 # latency is 6, it turned out that it can be scheduled only every
182 # *second* cycle. Thus 3x interleave is the one providing optimal
183 # utilization, i.e. when subroutine's throughput is virtually same as
184 # of non-interleaved subroutine [for number of input blocks up to 3].
185 # This is why it makes no sense to implement 2x subroutine. As soon
186 # as/if Intel improves throughput by making it possible to schedule
187 # the instructions in question *every* cycles I would have to
188 # implement 6x interleave and use it in loop...
189 sub aesni_generate3 {
191 # As already mentioned it takes in $key and $rounds, which are *not*
192 # preserved. $inout[0-2] is cipher/clear text...
194 .type _aesni_${dir}rypt3,\@abi-omnipotent
197 $movkey ($key),$rndkey0
199 $movkey 16($key),$rndkey1
201 pxor $rndkey0,$inout0
202 pxor $rndkey0,$inout1
203 pxor $rndkey0,$inout2
204 $movkey ($key),$rndkey0
207 aes${dir} $rndkey1,$inout0
208 aes${dir} $rndkey1,$inout1
210 aes${dir} $rndkey1,$inout2
211 $movkey 16($key),$rndkey1
212 aes${dir} $rndkey0,$inout0
213 aes${dir} $rndkey0,$inout1
215 aes${dir} $rndkey0,$inout2
216 $movkey ($key),$rndkey0
219 aes${dir} $rndkey1,$inout0
220 aes${dir} $rndkey1,$inout1
221 aes${dir} $rndkey1,$inout2
222 aes${dir}last $rndkey0,$inout0
223 aes${dir}last $rndkey0,$inout1
224 aes${dir}last $rndkey0,$inout2
226 .size _aesni_${dir}rypt3,.-_aesni_${dir}rypt3
229 # 4x interleave is implemented to improve small block performance,
230 # most notably [and naturally] 4 block by ~30%. One can argue that one
231 # should have implemented 5x as well, but improvement would be <20%,
232 # so it's not worth it...
233 sub aesni_generate4 {
235 # As already mentioned it takes in $key and $rounds, which are *not*
236 # preserved. $inout[0-3] is cipher/clear text...
238 .type _aesni_${dir}rypt4,\@abi-omnipotent
241 $movkey ($key),$rndkey0
243 $movkey 16($key),$rndkey1
245 pxor $rndkey0,$inout0
246 pxor $rndkey0,$inout1
247 pxor $rndkey0,$inout2
248 pxor $rndkey0,$inout3
249 $movkey ($key),$rndkey0
252 aes${dir} $rndkey1,$inout0
253 aes${dir} $rndkey1,$inout1
255 aes${dir} $rndkey1,$inout2
256 aes${dir} $rndkey1,$inout3
257 $movkey 16($key),$rndkey1
258 aes${dir} $rndkey0,$inout0
259 aes${dir} $rndkey0,$inout1
261 aes${dir} $rndkey0,$inout2
262 aes${dir} $rndkey0,$inout3
263 $movkey ($key),$rndkey0
266 aes${dir} $rndkey1,$inout0
267 aes${dir} $rndkey1,$inout1
268 aes${dir} $rndkey1,$inout2
269 aes${dir} $rndkey1,$inout3
270 aes${dir}last $rndkey0,$inout0
271 aes${dir}last $rndkey0,$inout1
272 aes${dir}last $rndkey0,$inout2
273 aes${dir}last $rndkey0,$inout3
275 .size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4
278 &aesni_generate3("enc") if ($PREFIX eq "aesni");
279 &aesni_generate3("dec");
280 &aesni_generate4("enc") if ($PREFIX eq "aesni");
281 &aesni_generate4("dec");
283 if ($PREFIX eq "aesni") {
284 ########################################################################
285 # void aesni_ecb_encrypt (const void *in, void *out,
286 # size_t length, const AES_KEY *key,
289 .globl aesni_ecb_encrypt
290 .type aesni_ecb_encrypt,\@function,5
293 cmp \$16,$len # check length
296 mov 240($key),$rounds # pull $rounds
298 mov $key,$key_ # backup $key
299 mov $rounds,$rnds_ # backup $rounds
300 test %r8d,%r8d # 5th argument
302 #--------------------------- ECB ENCRYPT ------------------------------#
309 movups ($inp),$inout0
310 movups 0x10($inp),$inout1
311 movups 0x20($inp),$inout2
314 movups $inout0,($out)
315 mov $rnds_,$rounds # restore $rounds
316 movups $inout1,0x10($out)
317 mov $key_,$key # restore $key
318 movups $inout2,0x20($out)
325 movups ($inp),$inout0
328 movups 0x10($inp),$inout1
330 movups 0x20($inp),$inout2
333 movups 0x30($inp),$inout3
335 movups $inout0,($out)
336 movups $inout1,0x10($out)
337 movups $inout2,0x20($out)
338 movups $inout3,0x30($out)
343 &aesni_generate1("enc",$key,$rounds);
345 movups $inout0,($out)
351 movups $inout0,($out)
352 movups $inout1,0x10($out)
357 movups $inout0,($out)
358 movups $inout1,0x10($out)
359 movups $inout2,0x20($out)
361 \f#--------------------------- ECB DECRYPT ------------------------------#
370 movups ($inp),$inout0
371 movups 0x10($inp),$inout1
372 movups 0x20($inp),$inout2
375 movups $inout0,($out)
376 mov $rnds_,$rounds # restore $rounds
377 movups $inout1,0x10($out)
378 mov $key_,$key # restore $key
379 movups $inout2,0x20($out)
386 movups ($inp),$inout0
389 movups 0x10($inp),$inout1
391 movups 0x20($inp),$inout2
394 movups 0x30($inp),$inout3
396 movups $inout0,($out)
397 movups $inout1,0x10($out)
398 movups $inout2,0x20($out)
399 movups $inout3,0x30($out)
404 &aesni_generate1("dec",$key,$rounds);
406 movups $inout0,($out)
412 movups $inout0,($out)
413 movups $inout1,0x10($out)
418 movups $inout0,($out)
419 movups $inout1,0x10($out)
420 movups $inout2,0x20($out)
424 .size aesni_ecb_encrypt,.-aesni_ecb_encrypt
428 ######################################################################
429 # void aesni_ccm64_[en|de]crypt_blocks (const void *in, void *out,
430 # size_t blocks, const AES_KEY *key,
431 # const char *ivec,char *cmac);
433 # Handles only complete blocks, operates on 64-bit counter and
434 # does not update *ivec! Nor does it finalize CMAC value
435 # (see engine/eng_aesni.c for details)
438 my $cmac="%r9"; # 6th argument
440 my $increment="%xmm8";
441 my $bswap_mask="%xmm9";
444 .globl aesni_ccm64_encrypt_blocks
445 .type aesni_ccm64_encrypt_blocks,\@function,6
447 aesni_ccm64_encrypt_blocks:
449 $code.=<<___ if ($win64);
452 movaps %xmm7,0x10(%rsp)
453 movaps %xmm8,0x20(%rsp)
454 movaps %xmm9,0x30(%rsp)
459 movdqu ($cmac),$inout1
460 movdqa .Lincrement64(%rip),$increment
461 movdqa .Lbswap_mask(%rip),$bswap_mask
462 pshufb $bswap_mask,$iv # keep iv in reverse order
464 mov 240($key),$rounds # key->rounds
470 movdqu ($inp),$in0 # load inp
471 pshufb $bswap_mask,$inout0
474 pxor $in0,$inout1 # cmac^=inp
482 pxor $inout0,$in0 # inp ^= E(iv)
484 movdqu $in0,($out) # save output
486 jnz .Lccm64_enc_outer
488 movdqu $inout1,($cmac)
490 $code.=<<___ if ($win64);
492 movaps 0x10(%rsp),%xmm7
493 movaps 0x20(%rsp),%xmm8
494 movaps 0x30(%rsp),%xmm9
500 .size aesni_ccm64_encrypt_blocks,.-aesni_ccm64_encrypt_blocks
502 ######################################################################
504 .globl aesni_ccm64_decrypt_blocks
505 .type aesni_ccm64_decrypt_blocks,\@function,6
507 aesni_ccm64_decrypt_blocks:
509 $code.=<<___ if ($win64);
512 movaps %xmm7,0x10(%rsp)
513 movaps %xmm8,0x20(%rsp)
514 movaps %xmm9,0x30(%rsp)
519 movdqu ($cmac),$inout1
520 movdqa .Lincrement64(%rip),$increment
521 movdqa .Lbswap_mask(%rip),$bswap_mask
523 mov 240($key),$rounds # key->rounds
525 pshufb $bswap_mask,$iv # keep iv in reverse order
529 &aesni_generate1("enc",$key,$rounds);
532 movdqu ($inp),$in0 # load inp
540 pshufb $bswap_mask,$inout0
543 pxor $in0,$inout1 # cmac^=out
550 jmp .Lccm64_dec_outer
555 &aesni_generate1("enc",$key,$rounds,$inout1);
557 movdqu $inout1,($cmac)
559 $code.=<<___ if ($win64);
561 movaps 0x10(%rsp),%xmm7
562 movaps 0x20(%rsp),%xmm8
563 movaps 0x30(%rsp),%xmm9
569 .size aesni_ccm64_decrypt_blocks,.-aesni_ccm64_decrypt_blocks
572 ######################################################################
573 # void aesni_ctr32_encrypt_blocks (const void *in, void *out,
574 # size_t blocks, const AES_KEY *key,
577 # Handles only complete blocks, operates on 32-bit counter and
578 # does not update *ivec! (see engine/eng_aesni.c for details)
580 my $increment="%xmm10";
581 my $bswap_mask="%xmm11";
584 .globl aesni_ctr32_encrypt_blocks
585 .type aesni_ctr32_encrypt_blocks,\@function,5
587 aesni_ctr32_encrypt_blocks:
589 $code.=<<___ if ($win64);
592 movaps %xmm7,0x10(%rsp)
593 movaps %xmm8,0x20(%rsp)
594 movaps %xmm9,0x30(%rsp)
595 movaps %xmm10,0x40(%rsp)
596 movaps %xmm11,0x50(%rsp)
602 je .Lctr32_one_shortcut
604 movdqu ($ivp),$inout3
605 movdqa .Lincrement32(%rip),$increment
606 movdqa .Lbswap_mask(%rip),$bswap_mask
608 pextrd \$3,$inout3,$rnds_ # pull 32-bit counter
609 pinsrd \$3,$rounds,$inout3 # wipe 32-bit counter
611 mov 240($key),$rounds # key->rounds
612 pxor $iv,$iv # vector of 3 32-bit counters
614 pinsrd \$0,$rnds_,$iv
616 pinsrd \$1,$rnds_,$iv
618 pinsrd \$2,$rnds_,$iv
619 pshufb $bswap_mask,$iv
628 pshufd \$`3<<6`,$iv,$inout0 # place counter to upper dword
629 pshufd \$`2<<6`,$iv,$inout1
630 por $inout3,$inout0 # merge counter-less ivec
631 pshufd \$`1<<6`,$iv,$inout2
635 # inline _aesni_encrypt3 and interleave last round
638 $movkey ($key),$rndkey0
640 $movkey 16($key),$rndkey1
642 pxor $rndkey0,$inout0
643 pxor $rndkey0,$inout1
644 pxor $rndkey0,$inout2
645 $movkey ($key),$rndkey0
646 jmp .Lctr32_enc_loop3
649 aesenc $rndkey1,$inout0
650 aesenc $rndkey1,$inout1
652 aesenc $rndkey1,$inout2
653 $movkey 16($key),$rndkey1
654 aesenc $rndkey0,$inout0
655 aesenc $rndkey0,$inout1
657 aesenc $rndkey0,$inout2
658 $movkey ($key),$rndkey0
659 jnz .Lctr32_enc_loop3
661 aesenc $rndkey1,$inout0
662 aesenc $rndkey1,$inout1
663 aesenc $rndkey1,$inout2
665 pshufb $bswap_mask,$iv
667 aesenclast $rndkey0,$inout0
668 movdqu 0x10($inp),$in1
670 aesenclast $rndkey0,$inout1
671 movdqu 0x20($inp),$in2
672 pshufb $bswap_mask,$iv
673 aesenclast $rndkey0,$inout2
683 movdqu $in1,0x10($out)
684 movdqu $in2,0x20($out)
688 pextrd \$1,$iv,$rnds_ # might need last counter value
693 pshufd \$`3<<6`,$iv,$inout0
694 pshufd \$`2<<6`,$iv,$inout1
700 pshufd \$`1<<6`,$iv,$inout2
702 movdqu 0x10($inp),$in1
706 movdqu 0x20($inp),$in2
710 pinsrd \$3,$rnds_,$inout3 # compose last counter value
711 movdqu 0x30($inp),$iv
720 movdqu $in1,0x10($out)
721 movdqu $in2,0x20($out)
722 movdqu $iv,0x30($out)
726 .Lctr32_one_shortcut:
727 movdqu ($ivp),$inout0
729 mov 240($key),$rounds # key->rounds
732 &aesni_generate1("enc",$key,$rounds);
745 movdqu $in1,0x10($out)
755 movdqu $in1,0x10($out)
756 movdqu $in2,0x20($out)
761 $code.=<<___ if ($win64);
763 movaps 0x10(%rsp),%xmm7
764 movaps 0x20(%rsp),%xmm8
765 movaps 0x30(%rsp),%xmm9
766 movaps 0x40(%rsp),%xmm10
767 movaps 0x50(%rsp),%xmm11
773 .size aesni_ctr32_encrypt_blocks,.-aesni_ctr32_encrypt_blocks
777 ########################################################################
778 # void $PREFIX_cbc_encrypt (const void *inp, void *out,
779 # size_t length, const AES_KEY *key,
780 # unsigned char *ivp,const int enc);
781 $reserved = $win64?0x40:-0x18; # used in decrypt
783 .globl ${PREFIX}_cbc_encrypt
784 .type ${PREFIX}_cbc_encrypt,\@function,6
786 ${PREFIX}_cbc_encrypt:
787 test $len,$len # check length
790 mov 240($key),$rnds_ # pull $rounds
791 mov $key,$key_ # backup $key
792 test %r9d,%r9d # 6th argument
794 #--------------------------- CBC ENCRYPT ------------------------------#
795 movdqu ($ivp),$inout0 # load iv as initial state
803 movdqu ($inp),$inout1 # load input
807 &aesni_generate1("enc",$key,$rounds);
809 mov $rnds_,$rounds # restore $rounds
810 mov $key_,$key # restore $key
811 movups $inout0,0($out) # store output
817 movups $inout0,($ivp)
821 mov $len,%rcx # zaps $key
822 xchg $inp,$out # $inp is %rsi and $out is %rdi now
823 .long 0x9066A4F3 # rep movsb
824 mov \$16,%ecx # zero tail
827 .long 0x9066AAF3 # rep stosb
828 lea -16(%rdi),%rdi # rewind $out by 1 block
829 mov $rnds_,$rounds # restore $rounds
830 mov %rdi,%rsi # $inp and $out are the same
831 mov $key_,$key # restore $key
832 xor $len,$len # len=16
833 jmp .Lcbc_enc_loop # one more spin
834 \f#--------------------------- CBC DECRYPT ------------------------------#
838 $code.=<<___ if ($win64);
841 movaps %xmm7,0x10(%rsp)
842 movaps %xmm8,0x20(%rsp)
843 movaps %xmm9,0x30(%rsp)
855 movups ($inp),$inout0
856 movups 0x10($inp),$inout1
857 movups 0x20($inp),$inout2
871 movdqu $inout0,-0x30($out)
872 mov $rnds_,$rounds # restore $rounds
873 movdqu $inout1,-0x20($out)
874 mov $key_,$key # restore $key
875 movdqu $inout2,-0x10($out)
881 movups ($inp),$inout0
885 movups 0x10($inp),$inout1
889 movups 0x20($inp),$inout2
893 movups 0x30($inp),$inout3
896 movups 0x30($inp),$iv
898 movdqu $inout0,($out)
900 movdqu $inout1,0x10($out)
902 movdqu $inout2,0x20($out)
903 movdqa $inout3,$inout0
905 jmp .Lcbc_dec_tail_collected
909 &aesni_generate1("dec",$key,$rounds);
913 jmp .Lcbc_dec_tail_collected
920 movdqu $inout0,($out)
922 movdqa $inout1,$inout0
924 jmp .Lcbc_dec_tail_collected
930 movdqu $inout0,($out)
932 movdqu $inout1,0x10($out)
934 movdqa $inout2,$inout0
936 jmp .Lcbc_dec_tail_collected
938 .Lcbc_dec_tail_collected:
941 jnz .Lcbc_dec_tail_partial
942 movdqu $inout0,($out)
945 .Lcbc_dec_tail_partial:
946 movaps $inout0,$reserved(%rsp)
949 lea $reserved(%rsp),%rsi
950 .long 0x9066A4F3 # rep movsb
954 $code.=<<___ if ($win64);
956 movaps 0x10(%rsp),%xmm7
957 movaps 0x20(%rsp),%xmm8
958 movaps 0x30(%rsp),%xmm9
964 .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
967 # int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey,
968 # int bits, AES_KEY *key)
969 { my ($inp,$bits,$key) = @_4args;
973 .globl ${PREFIX}_set_decrypt_key
974 .type ${PREFIX}_set_decrypt_key,\@abi-omnipotent
976 ${PREFIX}_set_decrypt_key:
977 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
978 call __aesni_set_encrypt_key
979 shl \$4,$bits # rounds-1 after _aesni_set_encrypt_key
982 lea 16($key,$bits),$inp # points at the end of key schedule
984 $movkey ($key),%xmm0 # just swap
992 $movkey ($key),%xmm0 # swap and inverse
998 $movkey %xmm0,16($inp)
999 $movkey %xmm1,-16($key)
1001 ja .Ldec_key_inverse
1003 $movkey ($key),%xmm0 # inverse middle
1005 $movkey %xmm0,($inp)
1009 .LSEH_end_set_decrypt_key:
1010 .size ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key
1013 # This is based on submission by
1015 # Huang Ying <ying.huang@intel.com>
1016 # Vinodh Gopal <vinodh.gopal@intel.com>
1019 # Agressively optimized in respect to aeskeygenassist's critical path
1020 # and is contained in %xmm0-5 to meet Win64 ABI requirement.
1023 .globl ${PREFIX}_set_encrypt_key
1024 .type ${PREFIX}_set_encrypt_key,\@abi-omnipotent
1026 ${PREFIX}_set_encrypt_key:
1027 __aesni_set_encrypt_key:
1028 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
1035 movups ($inp),%xmm0 # pull first 128 bits of *userKey
1036 pxor %xmm4,%xmm4 # low dword of xmm4 is assumed 0
1046 mov \$9,$bits # 10 rounds for 128-bit key
1047 $movkey %xmm0,($key) # round 0
1048 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 1
1049 call .Lkey_expansion_128_cold
1050 aeskeygenassist \$0x2,%xmm0,%xmm1 # round 2
1051 call .Lkey_expansion_128
1052 aeskeygenassist \$0x4,%xmm0,%xmm1 # round 3
1053 call .Lkey_expansion_128
1054 aeskeygenassist \$0x8,%xmm0,%xmm1 # round 4
1055 call .Lkey_expansion_128
1056 aeskeygenassist \$0x10,%xmm0,%xmm1 # round 5
1057 call .Lkey_expansion_128
1058 aeskeygenassist \$0x20,%xmm0,%xmm1 # round 6
1059 call .Lkey_expansion_128
1060 aeskeygenassist \$0x40,%xmm0,%xmm1 # round 7
1061 call .Lkey_expansion_128
1062 aeskeygenassist \$0x80,%xmm0,%xmm1 # round 8
1063 call .Lkey_expansion_128
1064 aeskeygenassist \$0x1b,%xmm0,%xmm1 # round 9
1065 call .Lkey_expansion_128
1066 aeskeygenassist \$0x36,%xmm0,%xmm1 # round 10
1067 call .Lkey_expansion_128
1068 $movkey %xmm0,(%rax)
1069 mov $bits,80(%rax) # 240(%rdx)
1075 movq 16($inp),%xmm2 # remaining 1/3 of *userKey
1076 mov \$11,$bits # 12 rounds for 192
1077 $movkey %xmm0,($key) # round 0
1078 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 1,2
1079 call .Lkey_expansion_192a_cold
1080 aeskeygenassist \$0x2,%xmm2,%xmm1 # round 2,3
1081 call .Lkey_expansion_192b
1082 aeskeygenassist \$0x4,%xmm2,%xmm1 # round 4,5
1083 call .Lkey_expansion_192a
1084 aeskeygenassist \$0x8,%xmm2,%xmm1 # round 5,6
1085 call .Lkey_expansion_192b
1086 aeskeygenassist \$0x10,%xmm2,%xmm1 # round 7,8
1087 call .Lkey_expansion_192a
1088 aeskeygenassist \$0x20,%xmm2,%xmm1 # round 8,9
1089 call .Lkey_expansion_192b
1090 aeskeygenassist \$0x40,%xmm2,%xmm1 # round 10,11
1091 call .Lkey_expansion_192a
1092 aeskeygenassist \$0x80,%xmm2,%xmm1 # round 11,12
1093 call .Lkey_expansion_192b
1094 $movkey %xmm0,(%rax)
1095 mov $bits,48(%rax) # 240(%rdx)
1101 movups 16($inp),%xmm2 # remaning half of *userKey
1102 mov \$13,$bits # 14 rounds for 256
1104 $movkey %xmm0,($key) # round 0
1105 $movkey %xmm2,16($key) # round 1
1106 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 2
1107 call .Lkey_expansion_256a_cold
1108 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 3
1109 call .Lkey_expansion_256b
1110 aeskeygenassist \$0x2,%xmm2,%xmm1 # round 4
1111 call .Lkey_expansion_256a
1112 aeskeygenassist \$0x2,%xmm0,%xmm1 # round 5
1113 call .Lkey_expansion_256b
1114 aeskeygenassist \$0x4,%xmm2,%xmm1 # round 6
1115 call .Lkey_expansion_256a
1116 aeskeygenassist \$0x4,%xmm0,%xmm1 # round 7
1117 call .Lkey_expansion_256b
1118 aeskeygenassist \$0x8,%xmm2,%xmm1 # round 8
1119 call .Lkey_expansion_256a
1120 aeskeygenassist \$0x8,%xmm0,%xmm1 # round 9
1121 call .Lkey_expansion_256b
1122 aeskeygenassist \$0x10,%xmm2,%xmm1 # round 10
1123 call .Lkey_expansion_256a
1124 aeskeygenassist \$0x10,%xmm0,%xmm1 # round 11
1125 call .Lkey_expansion_256b
1126 aeskeygenassist \$0x20,%xmm2,%xmm1 # round 12
1127 call .Lkey_expansion_256a
1128 aeskeygenassist \$0x20,%xmm0,%xmm1 # round 13
1129 call .Lkey_expansion_256b
1130 aeskeygenassist \$0x40,%xmm2,%xmm1 # round 14
1131 call .Lkey_expansion_256a
1132 $movkey %xmm0,(%rax)
1133 mov $bits,16(%rax) # 240(%rdx)
1143 .LSEH_end_set_encrypt_key:
1146 .Lkey_expansion_128:
1147 $movkey %xmm0,(%rax)
1149 .Lkey_expansion_128_cold:
1150 shufps \$0b00010000,%xmm0,%xmm4
1152 shufps \$0b10001100,%xmm0,%xmm4
1154 pshufd \$0b11111111,%xmm1,%xmm1 # critical path
1159 .Lkey_expansion_192a:
1160 $movkey %xmm0,(%rax)
1162 .Lkey_expansion_192a_cold:
1164 .Lkey_expansion_192b_warm:
1165 shufps \$0b00010000,%xmm0,%xmm4
1168 shufps \$0b10001100,%xmm0,%xmm4
1171 pshufd \$0b01010101,%xmm1,%xmm1 # critical path
1174 pshufd \$0b11111111,%xmm0,%xmm3
1179 .Lkey_expansion_192b:
1181 shufps \$0b01000100,%xmm0,%xmm5
1182 $movkey %xmm5,(%rax)
1183 shufps \$0b01001110,%xmm2,%xmm3
1184 $movkey %xmm3,16(%rax)
1186 jmp .Lkey_expansion_192b_warm
1189 .Lkey_expansion_256a:
1190 $movkey %xmm2,(%rax)
1192 .Lkey_expansion_256a_cold:
1193 shufps \$0b00010000,%xmm0,%xmm4
1195 shufps \$0b10001100,%xmm0,%xmm4
1197 pshufd \$0b11111111,%xmm1,%xmm1 # critical path
1202 .Lkey_expansion_256b:
1203 $movkey %xmm0,(%rax)
1206 shufps \$0b00010000,%xmm2,%xmm4
1208 shufps \$0b10001100,%xmm2,%xmm4
1210 pshufd \$0b10101010,%xmm1,%xmm1 # critical path
1213 .size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
1220 .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
1225 .asciz "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
1229 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
1230 # CONTEXT *context,DISPATCHER_CONTEXT *disp)
1238 .extern __imp_RtlVirtualUnwind
1240 $code.=<<___ if ($PREFIX eq "aesni");
1241 .type ecb_se_handler,\@abi-omnipotent
1255 mov 152($context),%rax # pull context->Rsp
1258 mov %rsi,168($context) # restore context->Rsi
1259 mov %rdi,176($context) # restore context->Rdi
1261 jmp .Lcommon_seh_exit
1262 .size ecb_se_handler,.-ecb_se_handler
1264 .type ccm64_se_handler,\@abi-omnipotent
1278 mov 120($context),%rax # pull context->Rax
1279 mov 248($context),%rbx # pull context->Rip
1281 mov 8($disp),%rsi # disp->ImageBase
1282 mov 56($disp),%r11 # disp->HandlerData
1284 mov 0(%r11),%r10d # HandlerData[0]
1285 lea (%rsi,%r10),%r10 # prologue label
1286 cmp %r10,%rbx # context->Rip<prologue label
1287 jb .Lin_ccm64_prologue
1289 mov 152($context),%rax # pull context->Rsp
1291 mov 4(%r11),%r10d # HandlerData[1]
1292 lea (%rsi,%r10),%r10 # epilogue label
1293 cmp %r10,%rbx # context->Rip>=epilogue label
1294 jae .Lin_ccm64_prologue
1296 lea 0(%rax),%rsi # top of stack
1297 lea 512($context),%rdi # &context.Xmm6
1298 mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax)
1299 .long 0xa548f3fc # cld; rep movsq
1300 lea 0x58(%rax),%rax # adjust stack pointer
1302 .Lin_ccm64_prologue:
1305 mov %rax,152($context) # restore context->Rsp
1306 mov %rsi,168($context) # restore context->Rsi
1307 mov %rdi,176($context) # restore context->Rdi
1309 jmp .Lcommon_seh_exit
1310 .size ccm64_se_handler,.-ccm64_se_handler
1312 .type ctr32_se_handler,\@abi-omnipotent
1326 mov 120($context),%rax # pull context->Rax
1327 mov 248($context),%rbx # pull context->Rip
1329 lea .Lctr32_body(%rip),%r10
1330 cmp %r10,%rbx # context->Rip<"prologue" label
1331 jb .Lin_ctr32_prologue
1333 mov 152($context),%rax # pull context->Rsp
1335 lea .Lctr32_ret(%rip),%r10
1337 jae .Lin_ctr32_prologue
1339 lea 0(%rax),%rsi # top of stack
1340 lea 512($context),%rdi # &context.Xmm6
1341 mov \$12,%ecx # 6*sizeof(%xmm0)/sizeof(%rax)
1342 .long 0xa548f3fc # cld; rep movsq
1343 lea 0x68(%rax),%rax # adjust stack pointer
1345 .Lin_ctr32_prologue:
1348 mov %rax,152($context) # restore context->Rsp
1349 mov %rsi,168($context) # restore context->Rsi
1350 mov %rdi,176($context) # restore context->Rdi
1352 jmp .Lcommon_seh_exit
1353 .size ctr32_se_handler,.-ctr32_se_handler
1356 .type cbc_se_handler,\@abi-omnipotent
1370 mov 152($context),%rax # pull context->Rsp
1371 mov 248($context),%rbx # pull context->Rip
1373 lea .Lcbc_decrypt(%rip),%r10
1374 cmp %r10,%rbx # context->Rip<"prologue" label
1375 jb .Lin_cbc_prologue
1377 lea .Lcbc_decrypt_body(%rip),%r10
1378 cmp %r10,%rbx # context->Rip<cbc_decrypt_body
1379 jb .Lrestore_cbc_rax
1381 lea .Lcbc_ret(%rip),%r10
1382 cmp %r10,%rbx # context->Rip>="epilogue" label
1383 jae .Lin_cbc_prologue
1385 lea 0(%rax),%rsi # top of stack
1386 lea 512($context),%rdi # &context.Xmm6
1387 mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax)
1388 .long 0xa548f3fc # cld; rep movsq
1389 lea 0x58(%rax),%rax # adjust stack pointer
1390 jmp .Lin_cbc_prologue
1393 mov 120($context),%rax
1397 mov %rax,152($context) # restore context->Rsp
1398 mov %rsi,168($context) # restore context->Rsi
1399 mov %rdi,176($context) # restore context->Rdi
1403 mov 40($disp),%rdi # disp->ContextRecord
1404 mov $context,%rsi # context
1405 mov \$154,%ecx # sizeof(CONTEXT)
1406 .long 0xa548f3fc # cld; rep movsq
1409 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
1410 mov 8(%rsi),%rdx # arg2, disp->ImageBase
1411 mov 0(%rsi),%r8 # arg3, disp->ControlPc
1412 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
1413 mov 40(%rsi),%r10 # disp->ContextRecord
1414 lea 56(%rsi),%r11 # &disp->HandlerData
1415 lea 24(%rsi),%r12 # &disp->EstablisherFrame
1416 mov %r10,32(%rsp) # arg5
1417 mov %r11,40(%rsp) # arg6
1418 mov %r12,48(%rsp) # arg7
1419 mov %rcx,56(%rsp) # arg8, (NULL)
1420 call *__imp_RtlVirtualUnwind(%rip)
1422 mov \$1,%eax # ExceptionContinueSearch
1434 .size cbc_se_handler,.-cbc_se_handler
1439 $code.=<<___ if ($PREFIX eq "aesni");
1440 .rva .LSEH_begin_aesni_ecb_encrypt
1441 .rva .LSEH_end_aesni_ecb_encrypt
1444 .rva .LSEH_begin_aesni_ccm64_encrypt_blocks
1445 .rva .LSEH_end_aesni_ccm64_encrypt_blocks
1446 .rva .LSEH_info_ccm64_enc
1448 .rva .LSEH_begin_aesni_ccm64_decrypt_blocks
1449 .rva .LSEH_end_aesni_ccm64_decrypt_blocks
1450 .rva .LSEH_info_ccm64_dec
1452 .rva .LSEH_begin_aesni_ctr32_encrypt_blocks
1453 .rva .LSEH_end_aesni_ctr32_encrypt_blocks
1454 .rva .LSEH_info_ctr32
1457 .rva .LSEH_begin_${PREFIX}_cbc_encrypt
1458 .rva .LSEH_end_${PREFIX}_cbc_encrypt
1461 .rva ${PREFIX}_set_decrypt_key
1462 .rva .LSEH_end_set_decrypt_key
1465 .rva ${PREFIX}_set_encrypt_key
1466 .rva .LSEH_end_set_encrypt_key
1471 $code.=<<___ if ($PREFIX eq "aesni");
1475 .LSEH_info_ccm64_enc:
1477 .rva ccm64_se_handler
1478 .rva .Lccm64_enc_body,.Lccm64_enc_ret # HandlerData[]
1479 .LSEH_info_ccm64_dec:
1481 .rva ccm64_se_handler
1482 .rva .Lccm64_dec_body,.Lccm64_dec_ret # HandlerData[]
1485 .rva ctr32_se_handler
1492 .byte 0x01,0x04,0x01,0x00
1493 .byte 0x04,0x02,0x00,0x00 # sub rsp,8
1498 local *opcode=shift;
1501 if ($dst>=8 || $src>=8) {
1503 $rex|=0x04 if($dst>=8);
1504 $rex|=0x01 if($src>=8);
1513 if ($line=~/(aeskeygenassist)\s+\$([x0-9a-f]+),\s*%xmm([0-9]+),\s*%xmm([0-9]+)/) {
1514 rex(\@opcode,$4,$3);
1515 push @opcode,0x0f,0x3a,0xdf;
1516 push @opcode,0xc0|($3&7)|(($4&7)<<3); # ModR/M
1518 push @opcode,$c=~/^0/?oct($c):$c;
1519 return ".byte\t".join(',',@opcode);
1521 elsif ($line=~/(aes[a-z]+)\s+%xmm([0-9]+),\s*%xmm([0-9]+)/) {
1524 "aesenc" => 0xdc, "aesenclast" => 0xdd,
1525 "aesdec" => 0xde, "aesdeclast" => 0xdf
1527 return undef if (!defined($opcodelet{$1}));
1528 rex(\@opcode,$3,$2);
1529 push @opcode,0x0f,0x38,$opcodelet{$1};
1530 push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
1531 return ".byte\t".join(',',@opcode);
1536 $code =~ s/\`([^\`]*)\`/eval($1)/gem;
1537 $code =~ s/\b(aes.*%xmm[0-9]+).*$/aesni($1)/gem;