2 # Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
18 # AES-NI-CTR+GHASH stitch.
22 # OpenSSL GCM implementation is organized in such way that its
23 # performance is rather close to the sum of its streamed components,
24 # in the context parallelized AES-NI CTR and modulo-scheduled
25 # PCLMULQDQ-enabled GHASH. Unfortunately, as no stitch implementation
26 # was observed to perform significantly better than the sum of the
27 # components on contemporary CPUs, the effort was deemed impossible to
28 # justify. This module is based on combination of Intel submissions,
29 # [1] and [2], with MOVBE twist suggested by Ilya Albrekht and Max
30 # Locktyukhin of Intel Corp. who verified that it reduces shuffles
31 # pressure with notable relative improvement, achieving 1.0 cycle per
32 # byte processed with 128-bit key on Haswell processor, 0.74 - on
33 # Broadwell, 0.63 - on Skylake... [Mentioned results are raw profiled
34 # measurements for favourable packet size, one divisible by 96.
35 # Applications using the EVP interface will observe a few percent
38 # Knights Landing processes 1 byte in 1.25 cycles (measured with EVP).
40 # [1] http://rt.openssl.org/Ticket/Display.html?id=2900&user=guest&pass=guest
41 # [2] http://www.intel.com/content/dam/www/public/us/en/documents/software-support/enabling-high-performance-gcm.pdf
45 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
47 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
49 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
50 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
51 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
52 die "can't locate x86_64-xlate.pl";
54 if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
55 =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
56 $avx = ($1>=2.20) + ($1>=2.22);
59 if (!$avx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
60 `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
61 $avx = ($1>=2.09) + ($1>=2.10);
64 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
65 `ml64 2>&1` =~ /Version ([0-9]+)\./) {
66 $avx = ($1>=10) + ($1>=11);
69 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) {
70 $avx = ($2>=3.0) + ($2>3.0);
73 open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
78 ($inp,$out,$len,$key,$ivp,$Xip)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9");
81 $Z0,$Z1,$Z2,$Z3,$Xi) = map("%xmm$_",(0..8));
83 ($inout0,$inout1,$inout2,$inout3,$inout4,$inout5,$rndkey) = map("%xmm$_",(9..15));
85 ($counter,$rounds,$ret,$const,$in0,$end0)=("%ebx","%ebp","%r10","%r11","%r14","%r15");
90 .type _aesni_ctr32_ghash_6x,\@abi-omnipotent
92 _aesni_ctr32_ghash_6x:
93 vmovdqu 0x20($const),$T2 # borrow $T2, .Lone_msb
95 vpxor $Z0,$Z0,$Z0 # $Z0 = 0
96 vmovdqu 0x00-0x80($key),$rndkey
97 vpaddb $T2,$T1,$inout1
98 vpaddb $T2,$inout1,$inout2
99 vpaddb $T2,$inout2,$inout3
100 vpaddb $T2,$inout3,$inout4
101 vpaddb $T2,$inout4,$inout5
102 vpxor $rndkey,$T1,$inout0
103 vmovdqu $Z0,16+8(%rsp) # "$Z3" = 0
108 add \$`6<<24`,$counter
109 jc .Lhandle_ctr32 # discard $inout[1-5]?
110 vmovdqu 0x00-0x20($Xip),$Hkey # $Hkey^1
111 vpaddb $T2,$inout5,$T1 # next counter value
112 vpxor $rndkey,$inout1,$inout1
113 vpxor $rndkey,$inout2,$inout2
116 vmovdqu $T1,($ivp) # save next counter value
117 vpclmulqdq \$0x10,$Hkey,$Z3,$Z1
118 vpxor $rndkey,$inout3,$inout3
119 vmovups 0x10-0x80($key),$T2 # borrow $T2 for $rndkey
120 vpclmulqdq \$0x01,$Hkey,$Z3,$Z2
124 vaesenc $T2,$inout0,$inout0
125 vmovdqu 0x30+8(%rsp),$Ii # I[4]
126 vpxor $rndkey,$inout4,$inout4
127 vpclmulqdq \$0x00,$Hkey,$Z3,$T1
128 vaesenc $T2,$inout1,$inout1
129 vpxor $rndkey,$inout5,$inout5
131 vpclmulqdq \$0x11,$Hkey,$Z3,$Z3
132 vaesenc $T2,$inout2,$inout2
133 vmovdqu 0x10-0x20($Xip),$Hkey # $Hkey^2
135 vaesenc $T2,$inout3,$inout3
137 vpclmulqdq \$0x00,$Hkey,$Ii,$Z1
138 vpxor $Z0,$Xi,$Xi # modulo-scheduled
139 vaesenc $T2,$inout4,$inout4
142 vmovups 0x20-0x80($key),$rndkey
143 vpclmulqdq \$0x10,$Hkey,$Ii,$T1
144 vaesenc $T2,$inout5,$inout5
146 vpclmulqdq \$0x01,$Hkey,$Ii,$T2
148 vaesenc $rndkey,$inout0,$inout0
149 vpxor 16+8(%rsp),$Xi,$Xi # modulo-scheduled [vpxor $Z3,$Xi,$Xi]
150 vpclmulqdq \$0x11,$Hkey,$Ii,$Hkey
151 vmovdqu 0x40+8(%rsp),$Ii # I[3]
152 vaesenc $rndkey,$inout1,$inout1
153 movbe 0x58($in0),%r13
154 vaesenc $rndkey,$inout2,$inout2
155 movbe 0x50($in0),%r12
156 vaesenc $rndkey,$inout3,$inout3
157 mov %r13,0x20+8(%rsp)
158 vaesenc $rndkey,$inout4,$inout4
159 mov %r12,0x28+8(%rsp)
160 vmovdqu 0x30-0x20($Xip),$Z1 # borrow $Z1 for $Hkey^3
161 vaesenc $rndkey,$inout5,$inout5
163 vmovups 0x30-0x80($key),$rndkey
165 vpclmulqdq \$0x00,$Z1,$Ii,$T1
166 vaesenc $rndkey,$inout0,$inout0
168 vpclmulqdq \$0x10,$Z1,$Ii,$T2
169 vaesenc $rndkey,$inout1,$inout1
171 vpclmulqdq \$0x01,$Z1,$Ii,$Hkey
172 vaesenc $rndkey,$inout2,$inout2
173 vpclmulqdq \$0x11,$Z1,$Ii,$Z1
174 vmovdqu 0x50+8(%rsp),$Ii # I[2]
175 vaesenc $rndkey,$inout3,$inout3
176 vaesenc $rndkey,$inout4,$inout4
178 vmovdqu 0x40-0x20($Xip),$T1 # borrow $T1 for $Hkey^4
179 vaesenc $rndkey,$inout5,$inout5
181 vmovups 0x40-0x80($key),$rndkey
183 vpclmulqdq \$0x00,$T1,$Ii,$T2
184 vaesenc $rndkey,$inout0,$inout0
186 vpclmulqdq \$0x10,$T1,$Ii,$Hkey
187 vaesenc $rndkey,$inout1,$inout1
188 movbe 0x48($in0),%r13
190 vpclmulqdq \$0x01,$T1,$Ii,$Z1
191 vaesenc $rndkey,$inout2,$inout2
192 movbe 0x40($in0),%r12
193 vpclmulqdq \$0x11,$T1,$Ii,$T1
194 vmovdqu 0x60+8(%rsp),$Ii # I[1]
195 vaesenc $rndkey,$inout3,$inout3
196 mov %r13,0x30+8(%rsp)
197 vaesenc $rndkey,$inout4,$inout4
198 mov %r12,0x38+8(%rsp)
200 vmovdqu 0x60-0x20($Xip),$T2 # borrow $T2 for $Hkey^5
201 vaesenc $rndkey,$inout5,$inout5
203 vmovups 0x50-0x80($key),$rndkey
205 vpclmulqdq \$0x00,$T2,$Ii,$Hkey
206 vaesenc $rndkey,$inout0,$inout0
208 vpclmulqdq \$0x10,$T2,$Ii,$Z1
209 vaesenc $rndkey,$inout1,$inout1
210 movbe 0x38($in0),%r13
212 vpclmulqdq \$0x01,$T2,$Ii,$T1
213 vpxor 0x70+8(%rsp),$Xi,$Xi # accumulate I[0]
214 vaesenc $rndkey,$inout2,$inout2
215 movbe 0x30($in0),%r12
216 vpclmulqdq \$0x11,$T2,$Ii,$T2
217 vaesenc $rndkey,$inout3,$inout3
218 mov %r13,0x40+8(%rsp)
219 vaesenc $rndkey,$inout4,$inout4
220 mov %r12,0x48+8(%rsp)
222 vmovdqu 0x70-0x20($Xip),$Hkey # $Hkey^6
223 vaesenc $rndkey,$inout5,$inout5
225 vmovups 0x60-0x80($key),$rndkey
227 vpclmulqdq \$0x10,$Hkey,$Xi,$Z1
228 vaesenc $rndkey,$inout0,$inout0
230 vpclmulqdq \$0x01,$Hkey,$Xi,$T1
231 vaesenc $rndkey,$inout1,$inout1
232 movbe 0x28($in0),%r13
234 vpclmulqdq \$0x00,$Hkey,$Xi,$T2
235 vaesenc $rndkey,$inout2,$inout2
236 movbe 0x20($in0),%r12
237 vpclmulqdq \$0x11,$Hkey,$Xi,$Xi
238 vaesenc $rndkey,$inout3,$inout3
239 mov %r13,0x50+8(%rsp)
240 vaesenc $rndkey,$inout4,$inout4
241 mov %r12,0x58+8(%rsp)
243 vaesenc $rndkey,$inout5,$inout5
246 vmovups 0x70-0x80($key),$rndkey
249 vmovdqu 0x10($const),$Hkey # .Lpoly
251 vaesenc $rndkey,$inout0,$inout0
253 vaesenc $rndkey,$inout1,$inout1
255 movbe 0x18($in0),%r13
256 vaesenc $rndkey,$inout2,$inout2
257 movbe 0x10($in0),%r12
258 vpalignr \$8,$Z0,$Z0,$Ii # 1st phase
259 vpclmulqdq \$0x10,$Hkey,$Z0,$Z0
260 mov %r13,0x60+8(%rsp)
261 vaesenc $rndkey,$inout3,$inout3
262 mov %r12,0x68+8(%rsp)
263 vaesenc $rndkey,$inout4,$inout4
264 vmovups 0x80-0x80($key),$T1 # borrow $T1 for $rndkey
265 vaesenc $rndkey,$inout5,$inout5
267 vaesenc $T1,$inout0,$inout0
268 vmovups 0x90-0x80($key),$rndkey
269 vaesenc $T1,$inout1,$inout1
271 vaesenc $T1,$inout2,$inout2
273 vaesenc $T1,$inout3,$inout3
275 movbe 0x08($in0),%r13
276 vaesenc $T1,$inout4,$inout4
277 movbe 0x00($in0),%r12
278 vaesenc $T1,$inout5,$inout5
279 vmovups 0xa0-0x80($key),$T1
281 jb .Lenc_tail # 128-bit key
283 vaesenc $rndkey,$inout0,$inout0
284 vaesenc $rndkey,$inout1,$inout1
285 vaesenc $rndkey,$inout2,$inout2
286 vaesenc $rndkey,$inout3,$inout3
287 vaesenc $rndkey,$inout4,$inout4
288 vaesenc $rndkey,$inout5,$inout5
290 vaesenc $T1,$inout0,$inout0
291 vaesenc $T1,$inout1,$inout1
292 vaesenc $T1,$inout2,$inout2
293 vaesenc $T1,$inout3,$inout3
294 vaesenc $T1,$inout4,$inout4
295 vmovups 0xb0-0x80($key),$rndkey
296 vaesenc $T1,$inout5,$inout5
297 vmovups 0xc0-0x80($key),$T1
298 je .Lenc_tail # 192-bit key
300 vaesenc $rndkey,$inout0,$inout0
301 vaesenc $rndkey,$inout1,$inout1
302 vaesenc $rndkey,$inout2,$inout2
303 vaesenc $rndkey,$inout3,$inout3
304 vaesenc $rndkey,$inout4,$inout4
305 vaesenc $rndkey,$inout5,$inout5
307 vaesenc $T1,$inout0,$inout0
308 vaesenc $T1,$inout1,$inout1
309 vaesenc $T1,$inout2,$inout2
310 vaesenc $T1,$inout3,$inout3
311 vaesenc $T1,$inout4,$inout4
312 vmovups 0xd0-0x80($key),$rndkey
313 vaesenc $T1,$inout5,$inout5
314 vmovups 0xe0-0x80($key),$T1
315 jmp .Lenc_tail # 256-bit key
319 vmovdqu ($const),$Ii # borrow $Ii for .Lbswap_mask
320 vpshufb $Ii,$T1,$Z2 # byte-swap counter
321 vmovdqu 0x30($const),$Z1 # borrow $Z1, .Ltwo_lsb
322 vpaddd 0x40($const),$Z2,$inout1 # .Lone_lsb
323 vpaddd $Z1,$Z2,$inout2
324 vmovdqu 0x00-0x20($Xip),$Hkey # $Hkey^1
325 vpaddd $Z1,$inout1,$inout3
326 vpshufb $Ii,$inout1,$inout1
327 vpaddd $Z1,$inout2,$inout4
328 vpshufb $Ii,$inout2,$inout2
329 vpxor $rndkey,$inout1,$inout1
330 vpaddd $Z1,$inout3,$inout5
331 vpshufb $Ii,$inout3,$inout3
332 vpxor $rndkey,$inout2,$inout2
333 vpaddd $Z1,$inout4,$T1 # byte-swapped next counter value
334 vpshufb $Ii,$inout4,$inout4
335 vpshufb $Ii,$inout5,$inout5
336 vpshufb $Ii,$T1,$T1 # next counter value
341 vaesenc $rndkey,$inout0,$inout0
342 vmovdqu $Z3,16+8(%rsp) # postpone vpxor $Z3,$Xi,$Xi
343 vpalignr \$8,$Z0,$Z0,$Xi # 2nd phase
344 vaesenc $rndkey,$inout1,$inout1
345 vpclmulqdq \$0x10,$Hkey,$Z0,$Z0
346 vpxor 0x00($inp),$T1,$T2
347 vaesenc $rndkey,$inout2,$inout2
348 vpxor 0x10($inp),$T1,$Ii
349 vaesenc $rndkey,$inout3,$inout3
350 vpxor 0x20($inp),$T1,$Z1
351 vaesenc $rndkey,$inout4,$inout4
352 vpxor 0x30($inp),$T1,$Z2
353 vaesenc $rndkey,$inout5,$inout5
354 vpxor 0x40($inp),$T1,$Z3
355 vpxor 0x50($inp),$T1,$Hkey
356 vmovdqu ($ivp),$T1 # load next counter value
358 vaesenclast $T2,$inout0,$inout0
359 vmovdqu 0x20($const),$T2 # borrow $T2, .Lone_msb
360 vaesenclast $Ii,$inout1,$inout1
362 mov %r13,0x70+8(%rsp)
364 vaesenclast $Z1,$inout2,$inout2
366 mov %r12,0x78+8(%rsp)
368 vmovdqu 0x00-0x80($key),$rndkey
369 vaesenclast $Z2,$inout3,$inout3
371 vaesenclast $Z3, $inout4,$inout4
373 vaesenclast $Hkey,$inout5,$inout5
380 vmovups $inout0,-0x60($out) # save output
381 vpxor $rndkey,$T1,$inout0
382 vmovups $inout1,-0x50($out)
383 vmovdqa $Ii,$inout1 # 0 latency
384 vmovups $inout2,-0x40($out)
385 vmovdqa $Z1,$inout2 # 0 latency
386 vmovups $inout3,-0x30($out)
387 vmovdqa $Z2,$inout3 # 0 latency
388 vmovups $inout4,-0x20($out)
389 vmovdqa $Z3,$inout4 # 0 latency
390 vmovups $inout5,-0x10($out)
391 vmovdqa $Hkey,$inout5 # 0 latency
392 vmovdqu 0x20+8(%rsp),$Z3 # I[5]
396 vpxor 16+8(%rsp),$Xi,$Xi # modulo-scheduled
397 vpxor $Z0,$Xi,$Xi # modulo-scheduled
400 .size _aesni_ctr32_ghash_6x,.-_aesni_ctr32_ghash_6x
402 ######################################################################
404 # size_t aesni_gcm_[en|de]crypt(const void *inp, void *out, size_t len,
405 # const AES_KEY *key, unsigned char iv[16],
406 # struct { u128 Xi,H,Htbl[9]; } *Xip);
408 .globl aesni_gcm_decrypt
409 .type aesni_gcm_decrypt,\@function,6
414 cmp \$0x60,$len # minimal accepted length
417 lea (%rsp),%rax # save stack pointer
418 .cfi_def_cfa_register %rax
432 $code.=<<___ if ($win64);
434 movaps %xmm6,-0xd8(%rax)
435 movaps %xmm7,-0xc8(%rax)
436 movaps %xmm8,-0xb8(%rax)
437 movaps %xmm9,-0xa8(%rax)
438 movaps %xmm10,-0x98(%rax)
439 movaps %xmm11,-0x88(%rax)
440 movaps %xmm12,-0x78(%rax)
441 movaps %xmm13,-0x68(%rax)
442 movaps %xmm14,-0x58(%rax)
443 movaps %xmm15,-0x48(%rax)
449 vmovdqu ($ivp),$T1 # input counter value
451 mov 12($ivp),$counter
452 lea .Lbswap_mask(%rip),$const
453 lea -0x80($key),$in0 # borrow $in0
454 mov \$0xf80,$end0 # borrow $end0
455 vmovdqu ($Xip),$Xi # load Xi
456 and \$-128,%rsp # ensure stack alignment
457 vmovdqu ($const),$Ii # borrow $Ii for .Lbswap_mask
458 lea 0x80($key),$key # size optimization
459 lea 0x20+0x20($Xip),$Xip # size optimization
460 mov 0xf0-0x80($key),$rounds
466 jc .Ldec_no_key_aliasing
468 jnc .Ldec_no_key_aliasing
469 sub $end0,%rsp # avoid aliasing with key
470 .Ldec_no_key_aliasing:
472 vmovdqu 0x50($inp),$Z3 # I[5]
474 vmovdqu 0x40($inp),$Z0
475 lea -0xc0($inp,$len),$end0
476 vmovdqu 0x30($inp),$Z1
479 vmovdqu 0x20($inp),$Z2
480 vpshufb $Ii,$Z3,$Z3 # passed to _aesni_ctr32_ghash_6x
481 vmovdqu 0x10($inp),$T2
485 vmovdqu $Z0,0x30(%rsp)
487 vmovdqu $Z1,0x40(%rsp)
489 vmovdqu $Z2,0x50(%rsp)
490 vpshufb $Ii,$Hkey,$Hkey
491 vmovdqu $T2,0x60(%rsp)
492 vmovdqu $Hkey,0x70(%rsp)
494 call _aesni_ctr32_ghash_6x
496 vmovups $inout0,-0x60($out) # save output
497 vmovups $inout1,-0x50($out)
498 vmovups $inout2,-0x40($out)
499 vmovups $inout3,-0x30($out)
500 vmovups $inout4,-0x20($out)
501 vmovups $inout5,-0x10($out)
503 vpshufb ($const),$Xi,$Xi # .Lbswap_mask
504 vmovdqu $Xi,-0x40($Xip) # output Xi
508 $code.=<<___ if ($win64);
509 movaps -0xd8(%rax),%xmm6
510 movaps -0xc8(%rax),%xmm7
511 movaps -0xb8(%rax),%xmm8
512 movaps -0xa8(%rax),%xmm9
513 movaps -0x98(%rax),%xmm10
514 movaps -0x88(%rax),%xmm11
515 movaps -0x78(%rax),%xmm12
516 movaps -0x68(%rax),%xmm13
517 movaps -0x58(%rax),%xmm14
518 movaps -0x48(%rax),%xmm15
533 lea (%rax),%rsp # restore %rsp
534 .cfi_def_cfa_register %rsp
536 mov $ret,%rax # return value
539 .size aesni_gcm_decrypt,.-aesni_gcm_decrypt
543 .type _aesni_ctr32_6x,\@abi-omnipotent
546 vmovdqu 0x00-0x80($key),$Z0 # borrow $Z0 for $rndkey
547 vmovdqu 0x20($const),$T2 # borrow $T2, .Lone_msb
549 vmovups 0x10-0x80($key),$rndkey
550 lea 0x20-0x80($key),%r12
551 vpxor $Z0,$T1,$inout0
552 add \$`6<<24`,$counter
554 vpaddb $T2,$T1,$inout1
555 vpaddb $T2,$inout1,$inout2
556 vpxor $Z0,$inout1,$inout1
557 vpaddb $T2,$inout2,$inout3
558 vpxor $Z0,$inout2,$inout2
559 vpaddb $T2,$inout3,$inout4
560 vpxor $Z0,$inout3,$inout3
561 vpaddb $T2,$inout4,$inout5
562 vpxor $Z0,$inout4,$inout4
563 vpaddb $T2,$inout5,$T1
564 vpxor $Z0,$inout5,$inout5
569 vaesenc $rndkey,$inout0,$inout0
570 vaesenc $rndkey,$inout1,$inout1
571 vaesenc $rndkey,$inout2,$inout2
572 vaesenc $rndkey,$inout3,$inout3
573 vaesenc $rndkey,$inout4,$inout4
574 vaesenc $rndkey,$inout5,$inout5
575 vmovups (%r12),$rndkey
580 vmovdqu (%r12),$Hkey # last round key
581 vaesenc $rndkey,$inout0,$inout0
582 vpxor 0x00($inp),$Hkey,$Z0
583 vaesenc $rndkey,$inout1,$inout1
584 vpxor 0x10($inp),$Hkey,$Z1
585 vaesenc $rndkey,$inout2,$inout2
586 vpxor 0x20($inp),$Hkey,$Z2
587 vaesenc $rndkey,$inout3,$inout3
588 vpxor 0x30($inp),$Hkey,$Xi
589 vaesenc $rndkey,$inout4,$inout4
590 vpxor 0x40($inp),$Hkey,$T2
591 vaesenc $rndkey,$inout5,$inout5
592 vpxor 0x50($inp),$Hkey,$Hkey
595 vaesenclast $Z0,$inout0,$inout0
596 vaesenclast $Z1,$inout1,$inout1
597 vaesenclast $Z2,$inout2,$inout2
598 vaesenclast $Xi,$inout3,$inout3
599 vaesenclast $T2,$inout4,$inout4
600 vaesenclast $Hkey,$inout5,$inout5
601 vmovups $inout0,0x00($out)
602 vmovups $inout1,0x10($out)
603 vmovups $inout2,0x20($out)
604 vmovups $inout3,0x30($out)
605 vmovups $inout4,0x40($out)
606 vmovups $inout5,0x50($out)
612 vpshufb $Ii,$T1,$Z2 # byte-swap counter
613 vmovdqu 0x30($const),$Z1 # borrow $Z1, .Ltwo_lsb
614 vpaddd 0x40($const),$Z2,$inout1 # .Lone_lsb
615 vpaddd $Z1,$Z2,$inout2
616 vpaddd $Z1,$inout1,$inout3
617 vpshufb $Ii,$inout1,$inout1
618 vpaddd $Z1,$inout2,$inout4
619 vpshufb $Ii,$inout2,$inout2
620 vpxor $Z0,$inout1,$inout1
621 vpaddd $Z1,$inout3,$inout5
622 vpshufb $Ii,$inout3,$inout3
623 vpxor $Z0,$inout2,$inout2
624 vpaddd $Z1,$inout4,$T1 # byte-swapped next counter value
625 vpshufb $Ii,$inout4,$inout4
626 vpxor $Z0,$inout3,$inout3
627 vpshufb $Ii,$inout5,$inout5
628 vpxor $Z0,$inout4,$inout4
629 vpshufb $Ii,$T1,$T1 # next counter value
630 vpxor $Z0,$inout5,$inout5
632 .size _aesni_ctr32_6x,.-_aesni_ctr32_6x
634 .globl aesni_gcm_encrypt
635 .type aesni_gcm_encrypt,\@function,6
640 cmp \$0x60*3,$len # minimal accepted length
643 lea (%rsp),%rax # save stack pointer
644 .cfi_def_cfa_register %rax
658 $code.=<<___ if ($win64);
660 movaps %xmm6,-0xd8(%rax)
661 movaps %xmm7,-0xc8(%rax)
662 movaps %xmm8,-0xb8(%rax)
663 movaps %xmm9,-0xa8(%rax)
664 movaps %xmm10,-0x98(%rax)
665 movaps %xmm11,-0x88(%rax)
666 movaps %xmm12,-0x78(%rax)
667 movaps %xmm13,-0x68(%rax)
668 movaps %xmm14,-0x58(%rax)
669 movaps %xmm15,-0x48(%rax)
675 vmovdqu ($ivp),$T1 # input counter value
677 mov 12($ivp),$counter
678 lea .Lbswap_mask(%rip),$const
679 lea -0x80($key),$in0 # borrow $in0
680 mov \$0xf80,$end0 # borrow $end0
681 lea 0x80($key),$key # size optimization
682 vmovdqu ($const),$Ii # borrow $Ii for .Lbswap_mask
683 and \$-128,%rsp # ensure stack alignment
684 mov 0xf0-0x80($key),$rounds
689 jc .Lenc_no_key_aliasing
691 jnc .Lenc_no_key_aliasing
692 sub $end0,%rsp # avoid aliasing with key
693 .Lenc_no_key_aliasing:
696 lea -0xc0($out,$len),$end0
700 vpshufb $Ii,$inout0,$Xi # save bswapped output on stack
701 vpshufb $Ii,$inout1,$T2
702 vmovdqu $Xi,0x70(%rsp)
703 vpshufb $Ii,$inout2,$Z0
704 vmovdqu $T2,0x60(%rsp)
705 vpshufb $Ii,$inout3,$Z1
706 vmovdqu $Z0,0x50(%rsp)
707 vpshufb $Ii,$inout4,$Z2
708 vmovdqu $Z1,0x40(%rsp)
709 vpshufb $Ii,$inout5,$Z3 # passed to _aesni_ctr32_ghash_6x
710 vmovdqu $Z2,0x30(%rsp)
714 vmovdqu ($Xip),$Xi # load Xi
715 lea 0x20+0x20($Xip),$Xip # size optimization
720 call _aesni_ctr32_ghash_6x
721 vmovdqu 0x20(%rsp),$Z3 # I[5]
722 vmovdqu ($const),$Ii # borrow $Ii for .Lbswap_mask
723 vmovdqu 0x00-0x20($Xip),$Hkey # $Hkey^1
724 vpunpckhqdq $Z3,$Z3,$T1
725 vmovdqu 0x20-0x20($Xip),$rndkey # borrow $rndkey for $HK
726 vmovups $inout0,-0x60($out) # save output
727 vpshufb $Ii,$inout0,$inout0 # but keep bswapped copy
729 vmovups $inout1,-0x50($out)
730 vpshufb $Ii,$inout1,$inout1
731 vmovups $inout2,-0x40($out)
732 vpshufb $Ii,$inout2,$inout2
733 vmovups $inout3,-0x30($out)
734 vpshufb $Ii,$inout3,$inout3
735 vmovups $inout4,-0x20($out)
736 vpshufb $Ii,$inout4,$inout4
737 vmovups $inout5,-0x10($out)
738 vpshufb $Ii,$inout5,$inout5
739 vmovdqu $inout0,0x10(%rsp) # free $inout0
741 { my ($HK,$T3)=($rndkey,$inout0);
744 vmovdqu 0x30(%rsp),$Z2 # I[4]
745 vmovdqu 0x10-0x20($Xip),$Ii # borrow $Ii for $Hkey^2
746 vpunpckhqdq $Z2,$Z2,$T2
747 vpclmulqdq \$0x00,$Hkey,$Z3,$Z1
749 vpclmulqdq \$0x11,$Hkey,$Z3,$Z3
750 vpclmulqdq \$0x00,$HK,$T1,$T1
752 vmovdqu 0x40(%rsp),$T3 # I[3]
753 vpclmulqdq \$0x00,$Ii,$Z2,$Z0
754 vmovdqu 0x30-0x20($Xip),$Hkey # $Hkey^3
756 vpunpckhqdq $T3,$T3,$Z1
757 vpclmulqdq \$0x11,$Ii,$Z2,$Z2
760 vpclmulqdq \$0x10,$HK,$T2,$T2
761 vmovdqu 0x50-0x20($Xip),$HK
764 vmovdqu 0x50(%rsp),$T1 # I[2]
765 vpclmulqdq \$0x00,$Hkey,$T3,$Z3
766 vmovdqu 0x40-0x20($Xip),$Ii # borrow $Ii for $Hkey^4
768 vpunpckhqdq $T1,$T1,$Z0
769 vpclmulqdq \$0x11,$Hkey,$T3,$T3
772 vpclmulqdq \$0x00,$HK,$Z1,$Z1
775 vmovdqu 0x60(%rsp),$T2 # I[1]
776 vpclmulqdq \$0x00,$Ii,$T1,$Z2
777 vmovdqu 0x60-0x20($Xip),$Hkey # $Hkey^5
779 vpunpckhqdq $T2,$T2,$Z3
780 vpclmulqdq \$0x11,$Ii,$T1,$T1
783 vpclmulqdq \$0x10,$HK,$Z0,$Z0
784 vmovdqu 0x80-0x20($Xip),$HK
787 vpxor 0x70(%rsp),$Xi,$Xi # accumulate I[0]
788 vpclmulqdq \$0x00,$Hkey,$T2,$Z1
789 vmovdqu 0x70-0x20($Xip),$Ii # borrow $Ii for $Hkey^6
790 vpunpckhqdq $Xi,$Xi,$T3
792 vpclmulqdq \$0x11,$Hkey,$T2,$T2
795 vpclmulqdq \$0x00,$HK,$Z3,$Z3
798 vpclmulqdq \$0x00,$Ii,$Xi,$Z2
799 vmovdqu 0x00-0x20($Xip),$Hkey # $Hkey^1
800 vpunpckhqdq $inout5,$inout5,$T1
801 vpclmulqdq \$0x11,$Ii,$Xi,$Xi
802 vpxor $inout5,$T1,$T1
804 vpclmulqdq \$0x10,$HK,$T3,$T3
805 vmovdqu 0x20-0x20($Xip),$HK
809 vmovdqu 0x10-0x20($Xip),$Ii # borrow $Ii for $Hkey^2
810 vpxor $Z1,$Z3,$T3 # aggregated Karatsuba post-processing
811 vpclmulqdq \$0x00,$Hkey,$inout5,$Z0
813 vpunpckhqdq $inout4,$inout4,$T2
814 vpclmulqdq \$0x11,$Hkey,$inout5,$inout5
815 vpxor $inout4,$T2,$T2
817 vpclmulqdq \$0x00,$HK,$T1,$T1
822 vpclmulqdq \$0x00,$Ii,$inout4,$Z1
823 vmovdqu 0x30-0x20($Xip),$Hkey # $Hkey^3
825 vpunpckhqdq $inout3,$inout3,$T3
826 vpclmulqdq \$0x11,$Ii,$inout4,$inout4
827 vpxor $inout3,$T3,$T3
828 vpxor $inout5,$inout4,$inout4
829 vpalignr \$8,$Xi,$Xi,$inout5 # 1st phase
830 vpclmulqdq \$0x10,$HK,$T2,$T2
831 vmovdqu 0x50-0x20($Xip),$HK
834 vpclmulqdq \$0x00,$Hkey,$inout3,$Z0
835 vmovdqu 0x40-0x20($Xip),$Ii # borrow $Ii for $Hkey^4
837 vpunpckhqdq $inout2,$inout2,$T1
838 vpclmulqdq \$0x11,$Hkey,$inout3,$inout3
839 vpxor $inout2,$T1,$T1
840 vpxor $inout4,$inout3,$inout3
841 vxorps 0x10(%rsp),$Z3,$Z3 # accumulate $inout0
842 vpclmulqdq \$0x00,$HK,$T3,$T3
845 vpclmulqdq \$0x10,0x10($const),$Xi,$Xi
846 vxorps $inout5,$Xi,$Xi
848 vpclmulqdq \$0x00,$Ii,$inout2,$Z1
849 vmovdqu 0x60-0x20($Xip),$Hkey # $Hkey^5
851 vpunpckhqdq $inout1,$inout1,$T2
852 vpclmulqdq \$0x11,$Ii,$inout2,$inout2
853 vpxor $inout1,$T2,$T2
854 vpalignr \$8,$Xi,$Xi,$inout5 # 2nd phase
855 vpxor $inout3,$inout2,$inout2
856 vpclmulqdq \$0x10,$HK,$T1,$T1
857 vmovdqu 0x80-0x20($Xip),$HK
860 vxorps $Z3,$inout5,$inout5
861 vpclmulqdq \$0x10,0x10($const),$Xi,$Xi
862 vxorps $inout5,$Xi,$Xi
864 vpclmulqdq \$0x00,$Hkey,$inout1,$Z0
865 vmovdqu 0x70-0x20($Xip),$Ii # borrow $Ii for $Hkey^6
867 vpunpckhqdq $Xi,$Xi,$T3
868 vpclmulqdq \$0x11,$Hkey,$inout1,$inout1
870 vpxor $inout2,$inout1,$inout1
871 vpclmulqdq \$0x00,$HK,$T2,$T2
874 vpclmulqdq \$0x00,$Ii,$Xi,$Z1
875 vpclmulqdq \$0x11,$Ii,$Xi,$Z3
877 vpclmulqdq \$0x10,$HK,$T3,$Z2
878 vpxor $inout1,$Z3,$Z3
881 vpxor $Z1,$Z3,$Z0 # aggregated Karatsuba post-processing
884 vmovdqu 0x10($const),$Hkey # .Lpoly
889 vpalignr \$8,$Xi,$Xi,$T2 # 1st phase
890 vpclmulqdq \$0x10,$Hkey,$Xi,$Xi
893 vpalignr \$8,$Xi,$Xi,$T2 # 2nd phase
894 vpclmulqdq \$0x10,$Hkey,$Xi,$Xi
900 vpshufb ($const),$Xi,$Xi # .Lbswap_mask
901 vmovdqu $Xi,-0x40($Xip) # output Xi
905 $code.=<<___ if ($win64);
906 movaps -0xd8(%rax),%xmm6
907 movaps -0xc8(%rax),%xmm7
908 movaps -0xb8(%rax),%xmm8
909 movaps -0xa8(%rax),%xmm9
910 movaps -0x98(%rax),%xmm10
911 movaps -0x88(%rax),%xmm11
912 movaps -0x78(%rax),%xmm12
913 movaps -0x68(%rax),%xmm13
914 movaps -0x58(%rax),%xmm14
915 movaps -0x48(%rax),%xmm15
930 lea (%rax),%rsp # restore %rsp
931 .cfi_def_cfa_register %rsp
933 mov $ret,%rax # return value
936 .size aesni_gcm_encrypt,.-aesni_gcm_encrypt
942 .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
944 .byte 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xc2
946 .byte 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1
948 .byte 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
950 .byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
951 .asciz "AES-NI GCM module for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
961 .extern __imp_RtlVirtualUnwind
962 .type gcm_se_handler,\@abi-omnipotent
976 mov 120($context),%rax # pull context->Rax
977 mov 248($context),%rbx # pull context->Rip
979 mov 8($disp),%rsi # disp->ImageBase
980 mov 56($disp),%r11 # disp->HandlerData
982 mov 0(%r11),%r10d # HandlerData[0]
983 lea (%rsi,%r10),%r10 # prologue label
984 cmp %r10,%rbx # context->Rip<prologue label
987 mov 152($context),%rax # pull context->Rsp
989 mov 4(%r11),%r10d # HandlerData[1]
990 lea (%rsi,%r10),%r10 # epilogue label
991 cmp %r10,%rbx # context->Rip>=epilogue label
992 jae .Lcommon_seh_tail
994 mov 120($context),%rax # pull context->Rax
1002 mov %r15,240($context)
1003 mov %r14,232($context)
1004 mov %r13,224($context)
1005 mov %r12,216($context)
1006 mov %rbp,160($context)
1007 mov %rbx,144($context)
1009 lea -0xd8(%rax),%rsi # %xmm save area
1010 lea 512($context),%rdi # & context.Xmm6
1011 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax)
1012 .long 0xa548f3fc # cld; rep movsq
1017 mov %rax,152($context) # restore context->Rsp
1018 mov %rsi,168($context) # restore context->Rsi
1019 mov %rdi,176($context) # restore context->Rdi
1021 mov 40($disp),%rdi # disp->ContextRecord
1022 mov $context,%rsi # context
1023 mov \$154,%ecx # sizeof(CONTEXT)
1024 .long 0xa548f3fc # cld; rep movsq
1027 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
1028 mov 8(%rsi),%rdx # arg2, disp->ImageBase
1029 mov 0(%rsi),%r8 # arg3, disp->ControlPc
1030 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
1031 mov 40(%rsi),%r10 # disp->ContextRecord
1032 lea 56(%rsi),%r11 # &disp->HandlerData
1033 lea 24(%rsi),%r12 # &disp->EstablisherFrame
1034 mov %r10,32(%rsp) # arg5
1035 mov %r11,40(%rsp) # arg6
1036 mov %r12,48(%rsp) # arg7
1037 mov %rcx,56(%rsp) # arg8, (NULL)
1038 call *__imp_RtlVirtualUnwind(%rip)
1040 mov \$1,%eax # ExceptionContinueSearch
1052 .size gcm_se_handler,.-gcm_se_handler
1056 .rva .LSEH_begin_aesni_gcm_decrypt
1057 .rva .LSEH_end_aesni_gcm_decrypt
1058 .rva .LSEH_gcm_dec_info
1060 .rva .LSEH_begin_aesni_gcm_encrypt
1061 .rva .LSEH_end_aesni_gcm_encrypt
1062 .rva .LSEH_gcm_enc_info
1068 .rva .Lgcm_dec_body,.Lgcm_dec_abort
1072 .rva .Lgcm_enc_body,.Lgcm_enc_abort
1076 $code=<<___; # assembler is too old
1079 .globl aesni_gcm_encrypt
1080 .type aesni_gcm_encrypt,\@abi-omnipotent
1084 .size aesni_gcm_encrypt,.-aesni_gcm_encrypt
1086 .globl aesni_gcm_decrypt
1087 .type aesni_gcm_decrypt,\@abi-omnipotent
1091 .size aesni_gcm_decrypt,.-aesni_gcm_decrypt
1095 $code =~ s/\`([^\`]*)\`/eval($1)/gem;