[openssl.git] / crypto / camellia / asm / cmll-x86_64.pl

#! /usr/bin/env perl
# Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


# ====================================================================
# Copyright (c) 2008 Andy Polyakov <appro@openssl.org>
#
# This module may be used under the terms of either the GNU General
# Public License version 2 or later, the GNU Lesser General Public
# License version 2.1 or later, the Mozilla Public License version
# 1.1 or the BSD License. The exact terms of either license are
# distributed along with this module. For further details see
# http://www.openssl.org/~appro/camellia/.
# ====================================================================

# Performance in cycles per processed byte (less is better) in
# 'openssl speed ...' benchmark:
#
#                       AMD64   Core2   EM64T
# -evp camellia-128-ecb 16.7    21.0    22.7
# + over gcc 3.4.6      +25%    +5%     0%
#
# camellia-128-cbc      15.7    20.4    21.1
#
# 128-bit key setup     128     216     205     cycles/key
# + over gcc 3.4.6      +54%    +39%    +15%
#
# Numbers in "+" rows represent performance improvement over compiler
# generated code. Key setup timings are impressive on AMD and Core2
# thanks to 64-bit operations being covertly deployed. Improvement on
# EM64T, pre-Core2 Intel x86_64 CPU, is not as impressive, because it
# apparently emulates some of 64-bit operations in [32-bit] microcode.

$flavour = shift;
$output  = shift;
if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }

$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);

$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";

open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
*STDOUT=*OUT;

sub hi() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1h/;    $r; }
sub lo() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1l/;
                        $r =~ s/%[er]([sd]i)/%\1l/;
                        $r =~ s/%(r[0-9]+)[d]?/%\1b/;   $r; }

$t0="%eax";$t1="%ebx";$t2="%ecx";$t3="%edx";
@S=("%r8d","%r9d","%r10d","%r11d");
$i0="%esi";
$i1="%edi";
$Tbl="%rbp";    # size optimization
$inp="%r12";
$out="%r13";
$key="%r14";
$keyend="%r15";
$arg0d=$win64?"%ecx":"%edi";

# const unsigned int Camellia_SBOX[4][256];
# Well, sort of... Camellia_SBOX[0][] is interleaved with [1][],
# and [2][] - with [3][]. This is done to minimize code size.
$SBOX1_1110=0;          # Camellia_SBOX[0]
$SBOX4_4404=4;          # Camellia_SBOX[1]
$SBOX2_0222=2048;       # Camellia_SBOX[2]
$SBOX3_3033=2052;       # Camellia_SBOX[3]

sub Camellia_Feistel {
my $i=@_[0];
my $seed=defined(@_[1])?@_[1]:0;
my $scale=$seed<0?-8:8;
my $j=($i&1)*2;
my ($s0,$s1,$s2,$s3)=(@S[($j)%4],@S[($j+1)%4],@S[($j+2)%4],@S[($j+3)%4]);

$code.=<<___;
        xor     $s0,$t0                         # t0^=key[0]
        xor     $s1,$t1                         # t1^=key[1]
        movz    `&hi("$t0")`,$i0                # (t0>>8)&0xff
        movz    `&lo("$t1")`,$i1                # (t1>>0)&0xff
        mov     $SBOX3_3033($Tbl,$i0,8),$t3     # t3=SBOX3_3033[0]
        mov     $SBOX1_1110($Tbl,$i1,8),$t2     # t2=SBOX1_1110[1]
        movz    `&lo("$t0")`,$i0                # (t0>>0)&0xff
        shr     \$16,$t0
        movz    `&hi("$t1")`,$i1                # (t1>>8)&0xff
        xor     $SBOX4_4404($Tbl,$i0,8),$t3     # t3^=SBOX4_4404[0]
        shr     \$16,$t1
        xor     $SBOX4_4404($Tbl,$i1,8),$t2     # t2^=SBOX4_4404[1]
        movz    `&hi("$t0")`,$i0                # (t0>>24)&0xff
        movz    `&lo("$t1")`,$i1                # (t1>>16)&0xff
        xor     $SBOX1_1110($Tbl,$i0,8),$t3     # t3^=SBOX1_1110[0]
        xor     $SBOX3_3033($Tbl,$i1,8),$t2     # t2^=SBOX3_3033[1]
        movz    `&lo("$t0")`,$i0                # (t0>>16)&0xff
        movz    `&hi("$t1")`,$i1                # (t1>>24)&0xff
        xor     $SBOX2_0222($Tbl,$i0,8),$t3     # t3^=SBOX2_0222[0]
        xor     $SBOX2_0222($Tbl,$i1,8),$t2     # t2^=SBOX2_0222[1]
        mov     `$seed+($i+1)*$scale`($key),$t1 # prefetch key[i+1]
        mov     `$seed+($i+1)*$scale+4`($key),$t0
        xor     $t3,$t2                         # t2^=t3
        ror     \$8,$t3                         # t3=RightRotate(t3,8)
        xor     $t2,$s2
        xor     $t2,$s3
        xor     $t3,$s3
___
}

# void Camellia_EncryptBlock_Rounds(
#               int grandRounds,
#               const Byte plaintext[],
#               const KEY_TABLE_TYPE keyTable,
#               Byte ciphertext[])
$code=<<___;
.text

# V1.x API
.globl  Camellia_EncryptBlock
.type   Camellia_EncryptBlock,\@abi-omnipotent
.align  16
Camellia_EncryptBlock:
        movl    \$128,%eax
        subl    $arg0d,%eax
        movl    \$3,$arg0d
        adcl    \$0,$arg0d      # keyBitLength==128?3:4
        jmp     .Lenc_rounds
.size   Camellia_EncryptBlock,.-Camellia_EncryptBlock
# V2
.globl  Camellia_EncryptBlock_Rounds
.type   Camellia_EncryptBlock_Rounds,\@function,4
.align  16
.Lenc_rounds:
Camellia_EncryptBlock_Rounds:
.cfi_startproc
        push    %rbx
.cfi_push       %rbx
        push    %rbp
.cfi_push       %rbp
        push    %r13
.cfi_push       %r13
        push    %r14
.cfi_push       %r14
        push    %r15
.cfi_push       %r15
.Lenc_prologue:

        #mov    %rsi,$inp               # put away arguments
        mov     %rcx,$out
        mov     %rdx,$key

        shl     \$6,%edi                # process grandRounds
        lea     .LCamellia_SBOX(%rip),$Tbl
        lea     ($key,%rdi),$keyend

        mov     0(%rsi),@S[0]           # load plaintext
        mov     4(%rsi),@S[1]
        mov     8(%rsi),@S[2]
        bswap   @S[0]
        mov     12(%rsi),@S[3]
        bswap   @S[1]
        bswap   @S[2]
        bswap   @S[3]

        call    _x86_64_Camellia_encrypt

        bswap   @S[0]
        bswap   @S[1]
        bswap   @S[2]
        mov     @S[0],0($out)
        bswap   @S[3]
        mov     @S[1],4($out)
        mov     @S[2],8($out)
        mov     @S[3],12($out)

        mov     0(%rsp),%r15
.cfi_restore    %r15
        mov     8(%rsp),%r14
.cfi_restore    %r14
        mov     16(%rsp),%r13
.cfi_restore    %r13
        mov     24(%rsp),%rbp
.cfi_restore    %rbp
        mov     32(%rsp),%rbx
.cfi_restore    %rbx
        lea     40(%rsp),%rsp
.cfi_adjust_cfa_offset  -40
.Lenc_epilogue:
        ret
.cfi_endproc
.size   Camellia_EncryptBlock_Rounds,.-Camellia_EncryptBlock_Rounds

.type   _x86_64_Camellia_encrypt,\@abi-omnipotent
.align  16
_x86_64_Camellia_encrypt:
        xor     0($key),@S[1]
        xor     4($key),@S[0]           # ^=key[0-3]
        xor     8($key),@S[3]
        xor     12($key),@S[2]
.align  16
.Leloop:
        mov     16($key),$t1            # prefetch key[4-5]
        mov     20($key),$t0

___
        for ($i=0;$i<6;$i++) { Camellia_Feistel($i,16); }
$code.=<<___;
        lea     16*4($key),$key
        cmp     $keyend,$key
        mov     8($key),$t3             # prefetch key[2-3]
        mov     12($key),$t2
        je      .Ledone

        and     @S[0],$t0
        or      @S[3],$t3
        rol     \$1,$t0
        xor     $t3,@S[2]               # s2^=s3|key[3];
        xor     $t0,@S[1]               # s1^=LeftRotate(s0&key[0],1);
        and     @S[2],$t2
        or      @S[1],$t1
        rol     \$1,$t2
        xor     $t1,@S[0]               # s0^=s1|key[1];
        xor     $t2,@S[3]               # s3^=LeftRotate(s2&key[2],1);
        jmp     .Leloop

.align  16
.Ledone:
        xor     @S[2],$t0               # SwapHalf
        xor     @S[3],$t1
        xor     @S[0],$t2
        xor     @S[1],$t3

        mov     $t0,@S[0]
        mov     $t1,@S[1]
        mov     $t2,@S[2]
        mov     $t3,@S[3]

        .byte   0xf3,0xc3               # rep ret
.size   _x86_64_Camellia_encrypt,.-_x86_64_Camellia_encrypt

# V1.x API
.globl  Camellia_DecryptBlock
.type   Camellia_DecryptBlock,\@abi-omnipotent
.align  16
Camellia_DecryptBlock:
        movl    \$128,%eax
        subl    $arg0d,%eax
        movl    \$3,$arg0d
        adcl    \$0,$arg0d      # keyBitLength==128?3:4
        jmp     .Ldec_rounds
.size   Camellia_DecryptBlock,.-Camellia_DecryptBlock
# V2
.globl  Camellia_DecryptBlock_Rounds
.type   Camellia_DecryptBlock_Rounds,\@function,4
.align  16
.Ldec_rounds:
Camellia_DecryptBlock_Rounds:
.cfi_startproc
        push    %rbx
.cfi_push       %rbx
        push    %rbp
.cfi_push       %rbp
        push    %r13
.cfi_push       %r13
        push    %r14
.cfi_push       %r14
        push    %r15
.cfi_push       %r15
.Ldec_prologue:

        #mov    %rsi,$inp               # put away arguments
        mov     %rcx,$out
        mov     %rdx,$keyend

        shl     \$6,%edi                # process grandRounds
        lea     .LCamellia_SBOX(%rip),$Tbl
        lea     ($keyend,%rdi),$key

        mov     0(%rsi),@S[0]           # load plaintext
        mov     4(%rsi),@S[1]
        mov     8(%rsi),@S[2]
        bswap   @S[0]
        mov     12(%rsi),@S[3]
        bswap   @S[1]
        bswap   @S[2]
        bswap   @S[3]

        call    _x86_64_Camellia_decrypt

        bswap   @S[0]
        bswap   @S[1]
        bswap   @S[2]
        mov     @S[0],0($out)
        bswap   @S[3]
        mov     @S[1],4($out)
        mov     @S[2],8($out)
        mov     @S[3],12($out)

        mov     0(%rsp),%r15
.cfi_restore    %r15
        mov     8(%rsp),%r14
.cfi_restore    %r14
        mov     16(%rsp),%r13
.cfi_restore    %r13
        mov     24(%rsp),%rbp
.cfi_restore    %rbp
        mov     32(%rsp),%rbx
.cfi_restore    %rbx
        lea     40(%rsp),%rsp
.cfi_adjust_cfa_offset  -40
.Ldec_epilogue:
        ret
.cfi_endproc
.size   Camellia_DecryptBlock_Rounds,.-Camellia_DecryptBlock_Rounds

.type   _x86_64_Camellia_decrypt,\@abi-omnipotent
.align  16
_x86_64_Camellia_decrypt:
        xor     0($key),@S[1]
        xor     4($key),@S[0]           # ^=key[0-3]
        xor     8($key),@S[3]
        xor     12($key),@S[2]
.align  16
.Ldloop:
        mov     -8($key),$t1            # prefetch key[4-5]
        mov     -4($key),$t0

___
        for ($i=0;$i<6;$i++) { Camellia_Feistel($i,-8); }
$code.=<<___;
        lea     -16*4($key),$key
        cmp     $keyend,$key
        mov     0($key),$t3             # prefetch key[2-3]
        mov     4($key),$t2
        je      .Lddone

        and     @S[0],$t0
        or      @S[3],$t3
        rol     \$1,$t0
        xor     $t3,@S[2]               # s2^=s3|key[3];
        xor     $t0,@S[1]               # s1^=LeftRotate(s0&key[0],1);
        and     @S[2],$t2
        or      @S[1],$t1
        rol     \$1,$t2
        xor     $t1,@S[0]               # s0^=s1|key[1];
        xor     $t2,@S[3]               # s3^=LeftRotate(s2&key[2],1);

        jmp     .Ldloop

.align  16
.Lddone:
        xor     @S[2],$t2
        xor     @S[3],$t3
        xor     @S[0],$t0
        xor     @S[1],$t1

        mov     $t2,@S[0]               # SwapHalf
        mov     $t3,@S[1]
        mov     $t0,@S[2]
        mov     $t1,@S[3]

        .byte   0xf3,0xc3               # rep ret
.size   _x86_64_Camellia_decrypt,.-_x86_64_Camellia_decrypt
___

sub _saveround {
my ($rnd,$key,@T)=@_;
my $bias=int(@T[0])?shift(@T):0;

    if ($#T==3) {
        $code.=<<___;
        mov     @T[1],`$bias+$rnd*8+0`($key)
        mov     @T[0],`$bias+$rnd*8+4`($key)
        mov     @T[3],`$bias+$rnd*8+8`($key)
        mov     @T[2],`$bias+$rnd*8+12`($key)
___
    } else {
        $code.="        mov     @T[0],`$bias+$rnd*8+0`($key)\n";
        $code.="        mov     @T[1],`$bias+$rnd*8+8`($key)\n" if ($#T>=1);
    }
}

sub _loadround {
my ($rnd,$key,@T)=@_;
my $bias=int(@T[0])?shift(@T):0;

$code.="        mov     `$bias+$rnd*8+0`($key),@T[0]\n";
$code.="        mov     `$bias+$rnd*8+8`($key),@T[1]\n" if ($#T>=1);
}

# shld is very slow on Intel EM64T family. Even on AMD it limits
# instruction decode rate [because it's VectorPath] and consequently
# performance...
sub __rotl128 {
my ($i0,$i1,$rot)=@_;

    if ($rot) {
        $code.=<<___;
        mov     $i0,%r11
        shld    \$$rot,$i1,$i0
        shld    \$$rot,%r11,$i1
___
    }
}

# ... Implementing 128-bit rotate without shld gives 80% better
# performance EM64T, +15% on AMD64 and only ~7% degradation on
# Core2. This is therefore preferred.
sub _rotl128 {
my ($i0,$i1,$rot)=@_;

    if ($rot) {
        $code.=<<___;
        mov     $i0,%r11
        shl     \$$rot,$i0
        mov     $i1,%r9
        shr     \$`64-$rot`,%r9
        shr     \$`64-$rot`,%r11
        or      %r9,$i0
        shl     \$$rot,$i1
        or      %r11,$i1
___
    }
}

{ my $step=0;

$code.=<<___;
.globl  Camellia_Ekeygen
.type   Camellia_Ekeygen,\@function,3
.align  16
Camellia_Ekeygen:
.cfi_startproc
        push    %rbx
.cfi_push       %rbx
        push    %rbp
.cfi_push       %rbp
        push    %r13
.cfi_push       %r13
        push    %r14
.cfi_push       %r14
        push    %r15
.cfi_push       %r15
.Lkey_prologue:

        mov     %edi,${keyend}d         # put away arguments, keyBitLength
        mov     %rdx,$out               # keyTable

        mov     0(%rsi),@S[0]           # load 0-127 bits
        mov     4(%rsi),@S[1]
        mov     8(%rsi),@S[2]
        mov     12(%rsi),@S[3]

        bswap   @S[0]
        bswap   @S[1]
        bswap   @S[2]
        bswap   @S[3]
___
        &_saveround     (0,$out,@S);    # KL<<<0
$code.=<<___;
        cmp     \$128,$keyend           # check keyBitLength
        je      .L1st128

        mov     16(%rsi),@S[0]          # load 128-191 bits
        mov     20(%rsi),@S[1]
        cmp     \$192,$keyend
        je      .L1st192
        mov     24(%rsi),@S[2]          # load 192-255 bits
        mov     28(%rsi),@S[3]
        jmp     .L1st256
.L1st192:
        mov     @S[0],@S[2]
        mov     @S[1],@S[3]
        not     @S[2]
        not     @S[3]
.L1st256:
        bswap   @S[0]
        bswap   @S[1]
        bswap   @S[2]
        bswap   @S[3]
___
        &_saveround     (4,$out,@S);    # temp storage for KR!
$code.=<<___;
        xor     0($out),@S[1]           # KR^KL
        xor     4($out),@S[0]
        xor     8($out),@S[3]
        xor     12($out),@S[2]

.L1st128:
        lea     .LCamellia_SIGMA(%rip),$key
        lea     .LCamellia_SBOX(%rip),$Tbl

        mov     0($key),$t1
        mov     4($key),$t0
___
        &Camellia_Feistel($step++);
        &Camellia_Feistel($step++);
$code.=<<___;
        xor     0($out),@S[1]           # ^KL
        xor     4($out),@S[0]
        xor     8($out),@S[3]
        xor     12($out),@S[2]
___
        &Camellia_Feistel($step++);
        &Camellia_Feistel($step++);
$code.=<<___;
        cmp     \$128,$keyend
        jne     .L2nd256

        lea     128($out),$out          # size optimization
        shl     \$32,%r8                # @S[0]||
        shl     \$32,%r10               # @S[2]||
        or      %r9,%r8                 # ||@S[1]
        or      %r11,%r10               # ||@S[3]
___
        &_loadround     (0,$out,-128,"%rax","%rbx");    # KL
        &_saveround     (2,$out,-128,"%r8","%r10");     # KA<<<0
        &_rotl128       ("%rax","%rbx",15);
        &_saveround     (4,$out,-128,"%rax","%rbx");    # KL<<<15
        &_rotl128       ("%r8","%r10",15);
        &_saveround     (6,$out,-128,"%r8","%r10");     # KA<<<15
        &_rotl128       ("%r8","%r10",15);              # 15+15=30
        &_saveround     (8,$out,-128,"%r8","%r10");     # KA<<<30
        &_rotl128       ("%rax","%rbx",30);             # 15+30=45
        &_saveround     (10,$out,-128,"%rax","%rbx");   # KL<<<45
        &_rotl128       ("%r8","%r10",15);              # 30+15=45
        &_saveround     (12,$out,-128,"%r8");           # KA<<<45
        &_rotl128       ("%rax","%rbx",15);             # 45+15=60
        &_saveround     (13,$out,-128,"%rbx");          # KL<<<60
        &_rotl128       ("%r8","%r10",15);              # 45+15=60
        &_saveround     (14,$out,-128,"%r8","%r10");    # KA<<<60
        &_rotl128       ("%rax","%rbx",17);             # 60+17=77
        &_saveround     (16,$out,-128,"%rax","%rbx");   # KL<<<77
        &_rotl128       ("%rax","%rbx",17);             # 77+17=94
        &_saveround     (18,$out,-128,"%rax","%rbx");   # KL<<<94
        &_rotl128       ("%r8","%r10",34);              # 60+34=94
        &_saveround     (20,$out,-128,"%r8","%r10");    # KA<<<94
        &_rotl128       ("%rax","%rbx",17);             # 94+17=111
        &_saveround     (22,$out,-128,"%rax","%rbx");   # KL<<<111
        &_rotl128       ("%r8","%r10",17);              # 94+17=111
        &_saveround     (24,$out,-128,"%r8","%r10");    # KA<<<111
$code.=<<___;
        mov     \$3,%eax
        jmp     .Ldone
.align  16
.L2nd256:
___
        &_saveround     (6,$out,@S);    # temp storage for KA!
$code.=<<___;
        xor     `4*8+0`($out),@S[1]     # KA^KR
        xor     `4*8+4`($out),@S[0]
        xor     `5*8+0`($out),@S[3]
        xor     `5*8+4`($out),@S[2]
___
        &Camellia_Feistel($step++);
        &Camellia_Feistel($step++);

        &_loadround     (0,$out,"%rax","%rbx"); # KL
        &_loadround     (4,$out,"%rcx","%rdx"); # KR
        &_loadround     (6,$out,"%r14","%r15"); # KA
$code.=<<___;
        lea     128($out),$out          # size optimization
        shl     \$32,%r8                # @S[0]||
        shl     \$32,%r10               # @S[2]||
        or      %r9,%r8                 # ||@S[1]
        or      %r11,%r10               # ||@S[3]
___
        &_saveround     (2,$out,-128,"%r8","%r10");     # KB<<<0
        &_rotl128       ("%rcx","%rdx",15);
        &_saveround     (4,$out,-128,"%rcx","%rdx");    # KR<<<15
        &_rotl128       ("%r14","%r15",15);
        &_saveround     (6,$out,-128,"%r14","%r15");    # KA<<<15
        &_rotl128       ("%rcx","%rdx",15);             # 15+15=30
        &_saveround     (8,$out,-128,"%rcx","%rdx");    # KR<<<30
        &_rotl128       ("%r8","%r10",30);
        &_saveround     (10,$out,-128,"%r8","%r10");    # KB<<<30
        &_rotl128       ("%rax","%rbx",45);
        &_saveround     (12,$out,-128,"%rax","%rbx");   # KL<<<45
        &_rotl128       ("%r14","%r15",30);             # 15+30=45
        &_saveround     (14,$out,-128,"%r14","%r15");   # KA<<<45
        &_rotl128       ("%rax","%rbx",15);             # 45+15=60
        &_saveround     (16,$out,-128,"%rax","%rbx");   # KL<<<60
        &_rotl128       ("%rcx","%rdx",30);             # 30+30=60
        &_saveround     (18,$out,-128,"%rcx","%rdx");   # KR<<<60
        &_rotl128       ("%r8","%r10",30);              # 30+30=60
        &_saveround     (20,$out,-128,"%r8","%r10");    # KB<<<60
        &_rotl128       ("%rax","%rbx",17);             # 60+17=77
        &_saveround     (22,$out,-128,"%rax","%rbx");   # KL<<<77
        &_rotl128       ("%r14","%r15",32);             # 45+32=77
        &_saveround     (24,$out,-128,"%r14","%r15");   # KA<<<77
        &_rotl128       ("%rcx","%rdx",34);             # 60+34=94
        &_saveround     (26,$out,-128,"%rcx","%rdx");   # KR<<<94
        &_rotl128       ("%r14","%r15",17);             # 77+17=94
        &_saveround     (28,$out,-128,"%r14","%r15");   # KA<<<77
        &_rotl128       ("%rax","%rbx",34);             # 77+34=111
        &_saveround     (30,$out,-128,"%rax","%rbx");   # KL<<<111
        &_rotl128       ("%r8","%r10",51);              # 60+51=111
        &_saveround     (32,$out,-128,"%r8","%r10");    # KB<<<111
$code.=<<___;
        mov     \$4,%eax
.Ldone:
        mov     0(%rsp),%r15
.cfi_restore    %r15
        mov     8(%rsp),%r14
.cfi_restore    %r14
        mov     16(%rsp),%r13
.cfi_restore    %r13
        mov     24(%rsp),%rbp
.cfi_restore    %rbp
        mov     32(%rsp),%rbx
.cfi_restore    %rbx
        lea     40(%rsp),%rsp
.cfi_adjust_cfa_offset  -40
.Lkey_epilogue:
        ret
.cfi_endproc
.size   Camellia_Ekeygen,.-Camellia_Ekeygen
___
}

@SBOX=(
112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
 16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158);

sub S1110 { my $i=shift; $i=@SBOX[$i]; $i=$i<<24|$i<<16|$i<<8; sprintf("0x%08x",$i); }
sub S4404 { my $i=shift; $i=($i<<1|$i>>7)&0xff; $i=@SBOX[$i]; $i=$i<<24|$i<<16|$i; sprintf("0x%08x",$i); }
sub S0222 { my $i=shift; $i=@SBOX[$i]; $i=($i<<1|$i>>7)&0xff; $i=$i<<16|$i<<8|$i; sprintf("0x%08x",$i); }
sub S3033 { my $i=shift; $i=@SBOX[$i]; $i=($i>>1|$i<<7)&0xff; $i=$i<<24|$i<<8|$i; sprintf("0x%08x",$i); }

$code.=<<___;
.align  64
.LCamellia_SIGMA:
.long   0x3bcc908b, 0xa09e667f, 0x4caa73b2, 0xb67ae858
.long   0xe94f82be, 0xc6ef372f, 0xf1d36f1c, 0x54ff53a5
.long   0xde682d1d, 0x10e527fa, 0xb3e6c1fd, 0xb05688c2
.long   0,          0,          0,          0
.LCamellia_SBOX:
___
# tables are interleaved, remember?
sub data_word { $code.=".long\t".join(',',@_)."\n"; }
for ($i=0;$i<256;$i++) { &data_word(&S1110($i),&S4404($i)); }
for ($i=0;$i<256;$i++) { &data_word(&S0222($i),&S3033($i)); }

# void Camellia_cbc_encrypt (const void char *inp, unsigned char *out,
#                       size_t length, const CAMELLIA_KEY *key,
#                       unsigned char *ivp,const int enc);
{
$_key="0(%rsp)";
$_end="8(%rsp)";        # inp+len&~15
$_res="16(%rsp)";       # len&15
$ivec="24(%rsp)";
$_ivp="40(%rsp)";
$_rsp="48(%rsp)";

$code.=<<___;
.globl  Camellia_cbc_encrypt
.type   Camellia_cbc_encrypt,\@function,6
.align  16
Camellia_cbc_encrypt:
.cfi_startproc
        cmp     \$0,%rdx
        je      .Lcbc_abort
        push    %rbx
.cfi_push       %rbx
        push    %rbp
.cfi_push       %rbp
        push    %r12
.cfi_push       %r12
        push    %r13
.cfi_push       %r13
        push    %r14
.cfi_push       %r14
        push    %r15
.cfi_push       %r15
.Lcbc_prologue:

        mov     %rsp,%rbp
.cfi_def_cfa_register   %rbp
        sub     \$64,%rsp
        and     \$-64,%rsp

        # place stack frame just "above mod 1024" the key schedule,
        # this ensures that cache associativity suffices
        lea     -64-63(%rcx),%r10
        sub     %rsp,%r10
        neg     %r10
        and     \$0x3C0,%r10
        sub     %r10,%rsp
        #add    \$8,%rsp                # 8 is reserved for callee's ra

        mov     %rdi,$inp               # inp argument
        mov     %rsi,$out               # out argument
        mov     %r8,%rbx                # ivp argument
        mov     %rcx,$key               # key argument
        mov     272(%rcx),${keyend}d    # grandRounds

        mov     %r8,$_ivp
        mov     %rbp,$_rsp
.cfi_cfa_expression     $_rsp,deref,+56

.Lcbc_body:
        lea     .LCamellia_SBOX(%rip),$Tbl

        mov     \$32,%ecx
.align  4
.Lcbc_prefetch_sbox:
        mov     0($Tbl),%rax
        mov     32($Tbl),%rsi
        mov     64($Tbl),%rdi
        mov     96($Tbl),%r11
        lea     128($Tbl),$Tbl
        loop    .Lcbc_prefetch_sbox
        sub     \$4096,$Tbl
        shl     \$6,$keyend
        mov     %rdx,%rcx               # len argument
        lea     ($key,$keyend),$keyend

        cmp     \$0,%r9d                # enc argument
        je      .LCBC_DECRYPT

        and     \$-16,%rdx
        and     \$15,%rcx               # length residue
        lea     ($inp,%rdx),%rdx
        mov     $key,$_key
        mov     %rdx,$_end
        mov     %rcx,$_res

        cmp     $inp,%rdx
        mov     0(%rbx),@S[0]           # load IV
        mov     4(%rbx),@S[1]
        mov     8(%rbx),@S[2]
        mov     12(%rbx),@S[3]
        je      .Lcbc_enc_tail
        jmp     .Lcbc_eloop

.align  16
.Lcbc_eloop:
        xor     0($inp),@S[0]
        xor     4($inp),@S[1]
        xor     8($inp),@S[2]
        bswap   @S[0]
        xor     12($inp),@S[3]
        bswap   @S[1]
        bswap   @S[2]
        bswap   @S[3]

        call    _x86_64_Camellia_encrypt

        mov     $_key,$key              # "rewind" the key
        bswap   @S[0]
        mov     $_end,%rdx
        bswap   @S[1]
        mov     $_res,%rcx
        bswap   @S[2]
        mov     @S[0],0($out)
        bswap   @S[3]
        mov     @S[1],4($out)
        mov     @S[2],8($out)
        lea     16($inp),$inp
        mov     @S[3],12($out)
        cmp     %rdx,$inp
        lea     16($out),$out
        jne     .Lcbc_eloop

        cmp     \$0,%rcx
        jne     .Lcbc_enc_tail

        mov     $_ivp,$out
        mov     @S[0],0($out)           # write out IV residue
        mov     @S[1],4($out)
        mov     @S[2],8($out)
        mov     @S[3],12($out)
        jmp     .Lcbc_done

.align  16
.Lcbc_enc_tail:
        xor     %rax,%rax
        mov     %rax,0+$ivec
        mov     %rax,8+$ivec
        mov     %rax,$_res

.Lcbc_enc_pushf:
        pushfq
        cld
        mov     $inp,%rsi
        lea     8+$ivec,%rdi
        .long   0x9066A4F3              # rep movsb
        popfq
.Lcbc_enc_popf:

        lea     $ivec,$inp
        lea     16+$ivec,%rax
        mov     %rax,$_end
        jmp     .Lcbc_eloop             # one more time

.align  16
.LCBC_DECRYPT:
        xchg    $key,$keyend
        add     \$15,%rdx
        and     \$15,%rcx               # length residue
        and     \$-16,%rdx
        mov     $key,$_key
        lea     ($inp,%rdx),%rdx
        mov     %rdx,$_end
        mov     %rcx,$_res

        mov     (%rbx),%rax             # load IV
        mov     8(%rbx),%rbx
        jmp     .Lcbc_dloop
.align  16
.Lcbc_dloop:
        mov     0($inp),@S[0]
        mov     4($inp),@S[1]
        mov     8($inp),@S[2]
        bswap   @S[0]
        mov     12($inp),@S[3]
        bswap   @S[1]
        mov     %rax,0+$ivec            # save IV to temporary storage
        bswap   @S[2]
        mov     %rbx,8+$ivec
        bswap   @S[3]

        call    _x86_64_Camellia_decrypt

        mov     $_key,$key              # "rewind" the key
        mov     $_end,%rdx
        mov     $_res,%rcx

        bswap   @S[0]
        mov     ($inp),%rax             # load IV for next iteration
        bswap   @S[1]
        mov     8($inp),%rbx
        bswap   @S[2]
        xor     0+$ivec,@S[0]
        bswap   @S[3]
        xor     4+$ivec,@S[1]
        xor     8+$ivec,@S[2]
        lea     16($inp),$inp
        xor     12+$ivec,@S[3]
        cmp     %rdx,$inp
        je      .Lcbc_ddone

        mov     @S[0],0($out)
        mov     @S[1],4($out)
        mov     @S[2],8($out)
        mov     @S[3],12($out)

        lea     16($out),$out
        jmp     .Lcbc_dloop

.align  16
.Lcbc_ddone:
        mov     $_ivp,%rdx
        cmp     \$0,%rcx
        jne     .Lcbc_dec_tail

        mov     @S[0],0($out)
        mov     @S[1],4($out)
        mov     @S[2],8($out)
        mov     @S[3],12($out)

        mov     %rax,(%rdx)             # write out IV residue
        mov     %rbx,8(%rdx)
        jmp     .Lcbc_done
.align  16
.Lcbc_dec_tail:
        mov     @S[0],0+$ivec
        mov     @S[1],4+$ivec
        mov     @S[2],8+$ivec
        mov     @S[3],12+$ivec

.Lcbc_dec_pushf:
        pushfq
        cld
        lea     8+$ivec,%rsi
        lea     ($out),%rdi
        .long   0x9066A4F3              # rep movsb
        popfq
.Lcbc_dec_popf:

        mov     %rax,(%rdx)             # write out IV residue
        mov     %rbx,8(%rdx)
        jmp     .Lcbc_done

.align  16
.Lcbc_done:
        mov     $_rsp,%rcx
.cfi_def_cfa    %rcx,56
        mov     0(%rcx),%r15
.cfi_restore    %r15
        mov     8(%rcx),%r14
.cfi_restore    %r14
        mov     16(%rcx),%r13
.cfi_restore    %r13
        mov     24(%rcx),%r12
.cfi_restore    %r12
        mov     32(%rcx),%rbp
.cfi_restore    %rbp
        mov     40(%rcx),%rbx
.cfi_restore    %rbx
        lea     48(%rcx),%rsp
.cfi_def_cfa    %rsp,8
.Lcbc_abort:
        ret
.cfi_endproc
.size   Camellia_cbc_encrypt,.-Camellia_cbc_encrypt

.asciz  "Camellia for x86_64 by <appro\@openssl.org>"
___
}

# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
#               CONTEXT *context,DISPATCHER_CONTEXT *disp)
if ($win64) {
$rec="%rcx";
$frame="%rdx";
$context="%r8";
$disp="%r9";

$code.=<<___;
.extern __imp_RtlVirtualUnwind
.type   common_se_handler,\@abi-omnipotent
.align  16
common_se_handler:
        push    %rsi
        push    %rdi
        push    %rbx
        push    %rbp
        push    %r12
        push    %r13
        push    %r14
        push    %r15
        pushfq
        lea     -64(%rsp),%rsp

        mov     120($context),%rax      # pull context->Rax
        mov     248($context),%rbx      # pull context->Rip

        mov     8($disp),%rsi           # disp->ImageBase
        mov     56($disp),%r11          # disp->HandlerData

        mov     0(%r11),%r10d           # HandlerData[0]
        lea     (%rsi,%r10),%r10        # prologue label
        cmp     %r10,%rbx               # context->Rip<prologue label
        jb      .Lin_prologue

        mov     152($context),%rax      # pull context->Rsp

        mov     4(%r11),%r10d           # HandlerData[1]
        lea     (%rsi,%r10),%r10        # epilogue label
        cmp     %r10,%rbx               # context->Rip>=epilogue label
        jae     .Lin_prologue

        lea     40(%rax),%rax
        mov     -8(%rax),%rbx
        mov     -16(%rax),%rbp
        mov     -24(%rax),%r13
        mov     -32(%rax),%r14
        mov     -40(%rax),%r15
        mov     %rbx,144($context)      # restore context->Rbx
        mov     %rbp,160($context)      # restore context->Rbp
        mov     %r13,224($context)      # restore context->R13
        mov     %r14,232($context)      # restore context->R14
        mov     %r15,240($context)      # restore context->R15

.Lin_prologue:
        mov     8(%rax),%rdi
        mov     16(%rax),%rsi
        mov     %rax,152($context)      # restore context->Rsp
        mov     %rsi,168($context)      # restore context->Rsi
        mov     %rdi,176($context)      # restore context->Rdi

        jmp     .Lcommon_seh_exit
.size   common_se_handler,.-common_se_handler

.type   cbc_se_handler,\@abi-omnipotent
.align  16
cbc_se_handler:
        push    %rsi
        push    %rdi
        push    %rbx
        push    %rbp
        push    %r12
        push    %r13
        push    %r14
        push    %r15
        pushfq
        lea     -64(%rsp),%rsp

        mov     120($context),%rax      # pull context->Rax
        mov     248($context),%rbx      # pull context->Rip

        lea     .Lcbc_prologue(%rip),%r10
        cmp     %r10,%rbx               # context->Rip<.Lcbc_prologue
        jb      .Lin_cbc_prologue

        lea     .Lcbc_body(%rip),%r10
        cmp     %r10,%rbx               # context->Rip<.Lcbc_body
        jb      .Lin_cbc_frame_setup

        mov     152($context),%rax      # pull context->Rsp

        lea     .Lcbc_abort(%rip),%r10
        cmp     %r10,%rbx               # context->Rip>=.Lcbc_abort
        jae     .Lin_cbc_prologue

        # handle pushf/popf in Camellia_cbc_encrypt
        lea     .Lcbc_enc_pushf(%rip),%r10
        cmp     %r10,%rbx               # context->Rip<=.Lcbc_enc_pushf
        jbe     .Lin_cbc_no_flag
        lea     8(%rax),%rax
        lea     .Lcbc_enc_popf(%rip),%r10
        cmp     %r10,%rbx               # context->Rip<.Lcbc_enc_popf
        jb      .Lin_cbc_no_flag
        lea     -8(%rax),%rax
        lea     .Lcbc_dec_pushf(%rip),%r10
        cmp     %r10,%rbx               # context->Rip<=.Lcbc_dec_pushf
        jbe     .Lin_cbc_no_flag
        lea     8(%rax),%rax
        lea     .Lcbc_dec_popf(%rip),%r10
        cmp     %r10,%rbx               # context->Rip<.Lcbc_dec_popf
        jb      .Lin_cbc_no_flag
        lea     -8(%rax),%rax

.Lin_cbc_no_flag:
        mov     48(%rax),%rax           # $_rsp
        lea     48(%rax),%rax

.Lin_cbc_frame_setup:
        mov     -8(%rax),%rbx
        mov     -16(%rax),%rbp
        mov     -24(%rax),%r12
        mov     -32(%rax),%r13
        mov     -40(%rax),%r14
        mov     -48(%rax),%r15
        mov     %rbx,144($context)      # restore context->Rbx
        mov     %rbp,160($context)      # restore context->Rbp
        mov     %r12,216($context)      # restore context->R12
        mov     %r13,224($context)      # restore context->R13
        mov     %r14,232($context)      # restore context->R14
        mov     %r15,240($context)      # restore context->R15

.Lin_cbc_prologue:
        mov     8(%rax),%rdi
        mov     16(%rax),%rsi
        mov     %rax,152($context)      # restore context->Rsp
        mov     %rsi,168($context)      # restore context->Rsi
        mov     %rdi,176($context)      # restore context->Rdi

.align  4
.Lcommon_seh_exit:

        mov     40($disp),%rdi          # disp->ContextRecord
        mov     $context,%rsi           # context
        mov     \$`1232/8`,%ecx         # sizeof(CONTEXT)
        .long   0xa548f3fc              # cld; rep movsq

        mov     $disp,%rsi
        xor     %rcx,%rcx               # arg1, UNW_FLAG_NHANDLER
        mov     8(%rsi),%rdx            # arg2, disp->ImageBase
        mov     0(%rsi),%r8             # arg3, disp->ControlPc
        mov     16(%rsi),%r9            # arg4, disp->FunctionEntry
        mov     40(%rsi),%r10           # disp->ContextRecord
        lea     56(%rsi),%r11           # &disp->HandlerData
        lea     24(%rsi),%r12           # &disp->EstablisherFrame
        mov     %r10,32(%rsp)           # arg5
        mov     %r11,40(%rsp)           # arg6
        mov     %r12,48(%rsp)           # arg7
        mov     %rcx,56(%rsp)           # arg8, (NULL)
        call    *__imp_RtlVirtualUnwind(%rip)

        mov     \$1,%eax                # ExceptionContinueSearch
        lea     64(%rsp),%rsp
        popfq
        pop     %r15
        pop     %r14
        pop     %r13
        pop     %r12
        pop     %rbp
        pop     %rbx
        pop     %rdi
        pop     %rsi
        ret
.size   cbc_se_handler,.-cbc_se_handler

.section        .pdata
.align  4
        .rva    .LSEH_begin_Camellia_EncryptBlock_Rounds
        .rva    .LSEH_end_Camellia_EncryptBlock_Rounds
        .rva    .LSEH_info_Camellia_EncryptBlock_Rounds

        .rva    .LSEH_begin_Camellia_DecryptBlock_Rounds
        .rva    .LSEH_end_Camellia_DecryptBlock_Rounds
        .rva    .LSEH_info_Camellia_DecryptBlock_Rounds

        .rva    .LSEH_begin_Camellia_Ekeygen
        .rva    .LSEH_end_Camellia_Ekeygen
        .rva    .LSEH_info_Camellia_Ekeygen

        .rva    .LSEH_begin_Camellia_cbc_encrypt
        .rva    .LSEH_end_Camellia_cbc_encrypt
        .rva    .LSEH_info_Camellia_cbc_encrypt

.section        .xdata
.align  8
.LSEH_info_Camellia_EncryptBlock_Rounds:
        .byte   9,0,0,0
        .rva    common_se_handler
        .rva    .Lenc_prologue,.Lenc_epilogue   # HandlerData[]
.LSEH_info_Camellia_DecryptBlock_Rounds:
        .byte   9,0,0,0
        .rva    common_se_handler
        .rva    .Ldec_prologue,.Ldec_epilogue   # HandlerData[]
.LSEH_info_Camellia_Ekeygen:
        .byte   9,0,0,0
        .rva    common_se_handler
        .rva    .Lkey_prologue,.Lkey_epilogue   # HandlerData[]
.LSEH_info_Camellia_cbc_encrypt:
        .byte   9,0,0,0
        .rva    cbc_se_handler
___
}

$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT;