]>
Commit | Line | Data |
---|---|---|
6aa36e8e | 1 | #! /usr/bin/env perl |
3c7d0945 | 2 | # Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. |
6aa36e8e | 3 | # |
c918d8e2 | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
6aa36e8e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
a2a54ffc AP |
9 | |
10 | # ==================================================================== | |
e3713c36 | 11 | # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL |
a2a54ffc AP |
12 | # project. The module is, however, dual licensed under OpenSSL and |
13 | # CRYPTOGAMS licenses depending on where you obtain it. For further | |
14 | # details see http://www.openssl.org/~appro/cryptogams/. | |
15 | # ==================================================================== | |
16 | ||
17 | # AES for s390x. | |
18 | ||
19 | # April 2007. | |
20 | # | |
21 | # Software performance improvement over gcc-generated code is ~70% and | |
22 | # in absolute terms is ~73 cycles per byte processed with 128-bit key. | |
23 | # You're likely to exclaim "why so slow?" Keep in mind that z-CPUs are | |
24 | # *strictly* in-order execution and issued instruction [in this case | |
25 | # load value from memory is critical] has to complete before execution | |
76c828c6 | 26 | # flow proceeds. S-boxes are compressed to 2KB[+256B]. |
a2a54ffc AP |
27 | # |
28 | # As for hardware acceleration support. It's basically a "teaser," as | |
29 | # it can and should be improved in several ways. Most notably support | |
30 | # for CBC is not utilized, nor multiple blocks are ever processed. | |
31 | # Then software key schedule can be postponed till hardware support | |
32 | # detection... Performance improvement over assembler is reportedly | |
251718e4 | 33 | # ~2.5x, but can reach >8x [naturally on larger chunks] if proper |
a2a54ffc AP |
34 | # support is implemented. |
35 | ||
76c828c6 AP |
36 | # May 2007. |
37 | # | |
38 | # Implement AES_set_[en|de]crypt_key. Key schedule setup is avoided | |
39 | # for 128-bit keys, if hardware support is detected. | |
40 | ||
c2969ff6 | 41 | # January 2009. |
8626230a AP |
42 | # |
43 | # Add support for hardware AES192/256 and reschedule instructions to | |
44 | # minimize/avoid Address Generation Interlock hazard and to favour | |
4e52b984 AP |
45 | # dual-issue z10 pipeline. This gave ~25% improvement on z10 and |
46 | # almost 50% on z9. The gain is smaller on z10, because being dual- | |
46f4e1be | 47 | # issue z10 makes it impossible to eliminate the interlock condition: |
c2969ff6 | 48 | # critical path is not long enough. Yet it spends ~24 cycles per byte |
4e52b984 | 49 | # processed with 128-bit key. |
8626230a AP |
50 | # |
51 | # Unlike previous version hardware support detection takes place only | |
52 | # at the moment of key schedule setup, which is denoted in key->rounds. | |
53 | # This is done, because deferred key setup can't be made MT-safe, not | |
26064d7f | 54 | # for keys longer than 128 bits. |
8626230a AP |
55 | # |
56 | # Add AES_cbc_encrypt, which gives incredible performance improvement, | |
57 | # it was measured to be ~6.6x. It's less than previously mentioned 8x, | |
58 | # because software implementation was optimized. | |
59 | ||
874a3757 AP |
60 | # May 2010. |
61 | # | |
26064d7f AP |
62 | # Add AES_ctr32_encrypt. If hardware-assisted, it provides up to 4.3x |
63 | # performance improvement over "generic" counter mode routine relying | |
64 | # on single-block, also hardware-assisted, AES_encrypt. "Up to" refers | |
65 | # to the fact that exact throughput value depends on current stack | |
66 | # frame alignment within 4KB page. In worst case you get ~75% of the | |
67 | # maximum, but *on average* it would be as much as ~98%. Meaning that | |
68 | # worst case is unlike, it's like hitting ravine on plateau. | |
874a3757 | 69 | |
e822c756 AP |
70 | # November 2010. |
71 | # | |
72 | # Adapt for -m31 build. If kernel supports what's called "highgprs" | |
73 | # feature on Linux [see /proc/cpuinfo], it's possible to use 64-bit | |
74 | # instructions and achieve "64-bit" performance even in 31-bit legacy | |
75 | # application context. The feature is not specific to any particular | |
76 | # processor, as long as it's "z-CPU". Latter implies that the code | |
77 | # remains z/Architecture specific. On z990 it was measured to perform | |
78 | # 2x better than code generated by gcc 4.3. | |
79 | ||
0ab8fd58 AP |
80 | # December 2010. |
81 | # | |
82 | # Add support for z196 "cipher message with counter" instruction. | |
83 | # Note however that it's disengaged, because it was measured to | |
84 | # perform ~12% worse than vanilla km-based code... | |
85 | ||
86 | # February 2011. | |
87 | # | |
0c237e42 AP |
88 | # Add AES_xts_[en|de]crypt. This includes support for z196 km-xts-aes |
89 | # instructions, which deliver ~70% improvement at 8KB block size over | |
90 | # vanilla km-based code, 37% - at most like 512-bytes block size. | |
0ab8fd58 | 91 | |
e822c756 AP |
92 | $flavour = shift; |
93 | ||
94 | if ($flavour =~ /3[12]/) { | |
95 | $SIZE_T=4; | |
96 | $g=""; | |
97 | } else { | |
98 | $SIZE_T=8; | |
99 | $g="g"; | |
100 | } | |
101 | ||
a5aa63a4 | 102 | while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} |
1cbdca7b AP |
103 | open STDOUT,">$output"; |
104 | ||
a61710b8 AP |
105 | $softonly=0; # allow hardware support |
106 | ||
8626230a AP |
107 | $t0="%r0"; $mask="%r0"; |
108 | $t1="%r1"; | |
109 | $t2="%r2"; $inp="%r2"; | |
110 | $t3="%r3"; $out="%r3"; $bits="%r3"; | |
a2a54ffc AP |
111 | $key="%r4"; |
112 | $i1="%r5"; | |
113 | $i2="%r6"; | |
114 | $i3="%r7"; | |
115 | $s0="%r8"; | |
116 | $s1="%r9"; | |
117 | $s2="%r10"; | |
118 | $s3="%r11"; | |
119 | $tbl="%r12"; | |
120 | $rounds="%r13"; | |
121 | $ra="%r14"; | |
122 | $sp="%r15"; | |
123 | ||
e822c756 AP |
124 | $stdframe=16*$SIZE_T+4*8; |
125 | ||
a2a54ffc AP |
126 | sub _data_word() |
127 | { my $i; | |
128 | while(defined($i=shift)) { $code.=sprintf".long\t0x%08x,0x%08x\n",$i,$i; } | |
129 | } | |
130 | ||
131 | $code=<<___; | |
bc4e831c PS |
132 | #include "s390x_arch.h" |
133 | ||
a2a54ffc AP |
134 | .text |
135 | ||
136 | .type AES_Te,\@object | |
8626230a | 137 | .align 256 |
a2a54ffc AP |
138 | AES_Te: |
139 | ___ | |
140 | &_data_word( | |
141 | 0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d, | |
142 | 0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554, | |
143 | 0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d, | |
144 | 0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a, | |
145 | 0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87, | |
146 | 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b, | |
147 | 0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea, | |
148 | 0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b, | |
149 | 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a, | |
150 | 0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f, | |
151 | 0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108, | |
152 | 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f, | |
153 | 0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e, | |
154 | 0x30181828, 0x379696a1, 0x0a05050f, 0x2f9a9ab5, | |
155 | 0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d, | |
156 | 0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f, | |
157 | 0x1209091b, 0x1d83839e, 0x582c2c74, 0x341a1a2e, | |
158 | 0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb, | |
159 | 0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce, | |
160 | 0x5229297b, 0xdde3e33e, 0x5e2f2f71, 0x13848497, | |
161 | 0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c, | |
162 | 0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed, | |
163 | 0xd46a6abe, 0x8dcbcb46, 0x67bebed9, 0x7239394b, | |
164 | 0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a, | |
165 | 0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16, | |
166 | 0x864343c5, 0x9a4d4dd7, 0x66333355, 0x11858594, | |
167 | 0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81, | |
168 | 0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3, | |
169 | 0xa25151f3, 0x5da3a3fe, 0x804040c0, 0x058f8f8a, | |
170 | 0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504, | |
171 | 0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163, | |
172 | 0x20101030, 0xe5ffff1a, 0xfdf3f30e, 0xbfd2d26d, | |
173 | 0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f, | |
174 | 0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739, | |
175 | 0x93c4c457, 0x55a7a7f2, 0xfc7e7e82, 0x7a3d3d47, | |
176 | 0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395, | |
177 | 0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f, | |
178 | 0x44222266, 0x542a2a7e, 0x3b9090ab, 0x0b888883, | |
179 | 0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c, | |
180 | 0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76, | |
181 | 0xdbe0e03b, 0x64323256, 0x743a3a4e, 0x140a0a1e, | |
182 | 0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4, | |
183 | 0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6, | |
184 | 0x399191a8, 0x319595a4, 0xd3e4e437, 0xf279798b, | |
185 | 0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7, | |
186 | 0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0, | |
187 | 0xd86c6cb4, 0xac5656fa, 0xf3f4f407, 0xcfeaea25, | |
188 | 0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818, | |
189 | 0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72, | |
190 | 0x381c1c24, 0x57a6a6f1, 0x73b4b4c7, 0x97c6c651, | |
191 | 0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21, | |
192 | 0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85, | |
193 | 0xe0707090, 0x7c3e3e42, 0x71b5b5c4, 0xcc6666aa, | |
194 | 0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12, | |
195 | 0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0, | |
196 | 0x17868691, 0x99c1c158, 0x3a1d1d27, 0x279e9eb9, | |
197 | 0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133, | |
198 | 0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7, | |
199 | 0x2d9b9bb6, 0x3c1e1e22, 0x15878792, 0xc9e9e920, | |
200 | 0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a, | |
201 | 0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17, | |
202 | 0x65bfbfda, 0xd7e6e631, 0x844242c6, 0xd06868b8, | |
203 | 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11, | |
204 | 0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a); | |
205 | $code.=<<___; | |
76c828c6 AP |
206 | # Te4[256] |
207 | .byte 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5 | |
208 | .byte 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 | |
209 | .byte 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0 | |
210 | .byte 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0 | |
211 | .byte 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc | |
212 | .byte 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15 | |
213 | .byte 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a | |
214 | .byte 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75 | |
215 | .byte 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0 | |
216 | .byte 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84 | |
217 | .byte 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b | |
218 | .byte 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf | |
219 | .byte 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85 | |
220 | .byte 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8 | |
221 | .byte 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5 | |
222 | .byte 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2 | |
223 | .byte 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17 | |
224 | .byte 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 | |
225 | .byte 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88 | |
226 | .byte 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb | |
227 | .byte 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c | |
228 | .byte 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 | |
229 | .byte 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9 | |
230 | .byte 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 | |
231 | .byte 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6 | |
232 | .byte 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a | |
233 | .byte 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e | |
234 | .byte 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e | |
235 | .byte 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94 | |
236 | .byte 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf | |
237 | .byte 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68 | |
238 | .byte 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 | |
239 | # rcon[] | |
240 | .long 0x01000000, 0x02000000, 0x04000000, 0x08000000 | |
241 | .long 0x10000000, 0x20000000, 0x40000000, 0x80000000 | |
242 | .long 0x1B000000, 0x36000000, 0, 0, 0, 0, 0, 0 | |
8626230a | 243 | .align 256 |
a2a54ffc AP |
244 | .size AES_Te,.-AES_Te |
245 | ||
76c828c6 | 246 | # void AES_encrypt(const unsigned char *inp, unsigned char *out, |
a2a54ffc AP |
247 | # const AES_KEY *key) { |
248 | .globl AES_encrypt | |
249 | .type AES_encrypt,\@function | |
250 | AES_encrypt: | |
a61710b8 AP |
251 | ___ |
252 | $code.=<<___ if (!$softonly); | |
8626230a AP |
253 | l %r0,240($key) |
254 | lhi %r1,16 | |
255 | clr %r0,%r1 | |
256 | jl .Lesoft | |
257 | ||
a2a54ffc | 258 | la %r1,0($key) |
3f6916cf | 259 | #la %r2,0($inp) |
a2a54ffc AP |
260 | la %r4,0($out) |
261 | lghi %r3,16 # single block length | |
262 | .long 0xb92e0042 # km %r4,%r2 | |
8626230a AP |
263 | brc 1,.-4 # can this happen? |
264 | br %r14 | |
265 | .align 64 | |
a2a54ffc | 266 | .Lesoft: |
a61710b8 AP |
267 | ___ |
268 | $code.=<<___; | |
e822c756 | 269 | stm${g} %r3,$ra,3*$SIZE_T($sp) |
a2a54ffc AP |
270 | |
271 | llgf $s0,0($inp) | |
272 | llgf $s1,4($inp) | |
273 | llgf $s2,8($inp) | |
274 | llgf $s3,12($inp) | |
275 | ||
8626230a | 276 | larl $tbl,AES_Te |
a2a54ffc AP |
277 | bras $ra,_s390x_AES_encrypt |
278 | ||
e822c756 | 279 | l${g} $out,3*$SIZE_T($sp) |
a2a54ffc AP |
280 | st $s0,0($out) |
281 | st $s1,4($out) | |
282 | st $s2,8($out) | |
283 | st $s3,12($out) | |
284 | ||
e822c756 | 285 | lm${g} %r6,$ra,6*$SIZE_T($sp) |
76c828c6 | 286 | br $ra |
a2a54ffc AP |
287 | .size AES_encrypt,.-AES_encrypt |
288 | ||
289 | .type _s390x_AES_encrypt,\@function | |
290 | .align 16 | |
291 | _s390x_AES_encrypt: | |
0ab8fd58 | 292 | st${g} $ra,15*$SIZE_T($sp) |
a2a54ffc AP |
293 | x $s0,0($key) |
294 | x $s1,4($key) | |
295 | x $s2,8($key) | |
296 | x $s3,12($key) | |
297 | l $rounds,240($key) | |
8626230a | 298 | llill $mask,`0xff<<3` |
a2a54ffc | 299 | aghi $rounds,-1 |
8626230a AP |
300 | j .Lenc_loop |
301 | .align 16 | |
a2a54ffc | 302 | .Lenc_loop: |
8626230a AP |
303 | sllg $t1,$s0,`0+3` |
304 | srlg $t2,$s0,`8-3` | |
305 | srlg $t3,$s0,`16-3` | |
a2a54ffc AP |
306 | srl $s0,`24-3` |
307 | nr $s0,$mask | |
8626230a AP |
308 | ngr $t1,$mask |
309 | nr $t2,$mask | |
310 | nr $t3,$mask | |
a2a54ffc AP |
311 | |
312 | srlg $i1,$s1,`16-3` # i0 | |
313 | sllg $i2,$s1,`0+3` | |
314 | srlg $i3,$s1,`8-3` | |
315 | srl $s1,`24-3` | |
316 | nr $i1,$mask | |
317 | nr $s1,$mask | |
318 | ngr $i2,$mask | |
319 | nr $i3,$mask | |
8626230a AP |
320 | |
321 | l $s0,0($s0,$tbl) # Te0[s0>>24] | |
322 | l $t1,1($t1,$tbl) # Te3[s0>>0] | |
323 | l $t2,2($t2,$tbl) # Te2[s0>>8] | |
324 | l $t3,3($t3,$tbl) # Te1[s0>>16] | |
325 | ||
a2a54ffc AP |
326 | x $s0,3($i1,$tbl) # Te1[s1>>16] |
327 | l $s1,0($s1,$tbl) # Te0[s1>>24] | |
328 | x $t2,1($i2,$tbl) # Te3[s1>>0] | |
329 | x $t3,2($i3,$tbl) # Te2[s1>>8] | |
a2a54ffc AP |
330 | |
331 | srlg $i1,$s2,`8-3` # i0 | |
332 | srlg $i2,$s2,`16-3` # i1 | |
a2a54ffc AP |
333 | nr $i1,$mask |
334 | nr $i2,$mask | |
8626230a AP |
335 | sllg $i3,$s2,`0+3` |
336 | srl $s2,`24-3` | |
a2a54ffc AP |
337 | nr $s2,$mask |
338 | ngr $i3,$mask | |
8626230a AP |
339 | |
340 | xr $s1,$t1 | |
341 | srlg $ra,$s3,`8-3` # i1 | |
342 | sllg $t1,$s3,`0+3` # i0 | |
343 | nr $ra,$mask | |
344 | la $key,16($key) | |
345 | ngr $t1,$mask | |
346 | ||
a2a54ffc AP |
347 | x $s0,2($i1,$tbl) # Te2[s2>>8] |
348 | x $s1,3($i2,$tbl) # Te1[s2>>16] | |
349 | l $s2,0($s2,$tbl) # Te0[s2>>24] | |
350 | x $t3,1($i3,$tbl) # Te3[s2>>0] | |
a2a54ffc | 351 | |
a2a54ffc | 352 | srlg $i3,$s3,`16-3` # i2 |
8626230a | 353 | xr $s2,$t2 |
a2a54ffc | 354 | srl $s3,`24-3` |
a2a54ffc AP |
355 | nr $i3,$mask |
356 | nr $s3,$mask | |
a2a54ffc | 357 | |
a2a54ffc AP |
358 | x $s0,0($key) |
359 | x $s1,4($key) | |
360 | x $s2,8($key) | |
8626230a AP |
361 | x $t3,12($key) |
362 | ||
363 | x $s0,1($t1,$tbl) # Te3[s3>>0] | |
364 | x $s1,2($ra,$tbl) # Te2[s3>>8] | |
365 | x $s2,3($i3,$tbl) # Te1[s3>>16] | |
366 | l $s3,0($s3,$tbl) # Te0[s3>>24] | |
367 | xr $s3,$t3 | |
a2a54ffc AP |
368 | |
369 | brct $rounds,.Lenc_loop | |
8626230a | 370 | .align 16 |
a2a54ffc | 371 | |
8626230a AP |
372 | sllg $t1,$s0,`0+3` |
373 | srlg $t2,$s0,`8-3` | |
374 | ngr $t1,$mask | |
375 | srlg $t3,$s0,`16-3` | |
a2a54ffc AP |
376 | srl $s0,`24-3` |
377 | nr $s0,$mask | |
8626230a AP |
378 | nr $t2,$mask |
379 | nr $t3,$mask | |
a2a54ffc AP |
380 | |
381 | srlg $i1,$s1,`16-3` # i0 | |
382 | sllg $i2,$s1,`0+3` | |
8626230a | 383 | ngr $i2,$mask |
a2a54ffc AP |
384 | srlg $i3,$s1,`8-3` |
385 | srl $s1,`24-3` | |
386 | nr $i1,$mask | |
387 | nr $s1,$mask | |
a2a54ffc | 388 | nr $i3,$mask |
8626230a AP |
389 | |
390 | llgc $s0,2($s0,$tbl) # Te4[s0>>24] | |
391 | llgc $t1,2($t1,$tbl) # Te4[s0>>0] | |
392 | sll $s0,24 | |
393 | llgc $t2,2($t2,$tbl) # Te4[s0>>8] | |
394 | llgc $t3,2($t3,$tbl) # Te4[s0>>16] | |
395 | sll $t2,8 | |
396 | sll $t3,16 | |
397 | ||
a2a54ffc AP |
398 | llgc $i1,2($i1,$tbl) # Te4[s1>>16] |
399 | llgc $s1,2($s1,$tbl) # Te4[s1>>24] | |
400 | llgc $i2,2($i2,$tbl) # Te4[s1>>0] | |
401 | llgc $i3,2($i3,$tbl) # Te4[s1>>8] | |
402 | sll $i1,16 | |
403 | sll $s1,24 | |
404 | sll $i3,8 | |
405 | or $s0,$i1 | |
406 | or $s1,$t1 | |
407 | or $t2,$i2 | |
408 | or $t3,$i3 | |
609b0852 | 409 | |
a2a54ffc AP |
410 | srlg $i1,$s2,`8-3` # i0 |
411 | srlg $i2,$s2,`16-3` # i1 | |
a2a54ffc AP |
412 | nr $i1,$mask |
413 | nr $i2,$mask | |
8626230a AP |
414 | sllg $i3,$s2,`0+3` |
415 | srl $s2,`24-3` | |
a2a54ffc | 416 | ngr $i3,$mask |
8626230a AP |
417 | nr $s2,$mask |
418 | ||
419 | sllg $t1,$s3,`0+3` # i0 | |
420 | srlg $ra,$s3,`8-3` # i1 | |
421 | ngr $t1,$mask | |
422 | ||
a2a54ffc AP |
423 | llgc $i1,2($i1,$tbl) # Te4[s2>>8] |
424 | llgc $i2,2($i2,$tbl) # Te4[s2>>16] | |
8626230a | 425 | sll $i1,8 |
a2a54ffc AP |
426 | llgc $s2,2($s2,$tbl) # Te4[s2>>24] |
427 | llgc $i3,2($i3,$tbl) # Te4[s2>>0] | |
a2a54ffc | 428 | sll $i2,16 |
8626230a | 429 | nr $ra,$mask |
a2a54ffc AP |
430 | sll $s2,24 |
431 | or $s0,$i1 | |
432 | or $s1,$i2 | |
433 | or $s2,$t2 | |
434 | or $t3,$i3 | |
435 | ||
a2a54ffc AP |
436 | srlg $i3,$s3,`16-3` # i2 |
437 | srl $s3,`24-3` | |
a2a54ffc AP |
438 | nr $i3,$mask |
439 | nr $s3,$mask | |
8626230a AP |
440 | |
441 | l $t0,16($key) | |
442 | l $t2,20($key) | |
443 | ||
444 | llgc $i1,2($t1,$tbl) # Te4[s3>>0] | |
445 | llgc $i2,2($ra,$tbl) # Te4[s3>>8] | |
a2a54ffc AP |
446 | llgc $i3,2($i3,$tbl) # Te4[s3>>16] |
447 | llgc $s3,2($s3,$tbl) # Te4[s3>>24] | |
448 | sll $i2,8 | |
449 | sll $i3,16 | |
450 | sll $s3,24 | |
451 | or $s0,$i1 | |
452 | or $s1,$i2 | |
453 | or $s2,$i3 | |
454 | or $s3,$t3 | |
455 | ||
0ab8fd58 | 456 | l${g} $ra,15*$SIZE_T($sp) |
8626230a AP |
457 | xr $s0,$t0 |
458 | xr $s1,$t2 | |
a2a54ffc AP |
459 | x $s2,24($key) |
460 | x $s3,28($key) | |
461 | ||
609b0852 | 462 | br $ra |
a2a54ffc AP |
463 | .size _s390x_AES_encrypt,.-_s390x_AES_encrypt |
464 | ___ | |
465 | ||
466 | $code.=<<___; | |
467 | .type AES_Td,\@object | |
8626230a | 468 | .align 256 |
a2a54ffc AP |
469 | AES_Td: |
470 | ___ | |
471 | &_data_word( | |
472 | 0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96, | |
473 | 0x3bab6bcb, 0x1f9d45f1, 0xacfa58ab, 0x4be30393, | |
474 | 0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25, | |
475 | 0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f, | |
476 | 0xdeb15a49, 0x25ba1b67, 0x45ea0e98, 0x5dfec0e1, | |
477 | 0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6, | |
478 | 0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da, | |
479 | 0xd4be832d, 0x587421d3, 0x49e06929, 0x8ec9c844, | |
480 | 0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd, | |
481 | 0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4, | |
482 | 0x63df4a18, 0xe51a3182, 0x97513360, 0x62537f45, | |
483 | 0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94, | |
484 | 0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7, | |
485 | 0xab73d323, 0x724b02e2, 0xe31f8f57, 0x6655ab2a, | |
486 | 0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5, | |
487 | 0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c, | |
488 | 0x8acf1c2b, 0xa779b492, 0xf307f2f0, 0x4e69e2a1, | |
489 | 0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a, | |
490 | 0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75, | |
491 | 0x0b83ec39, 0x4060efaa, 0x5e719f06, 0xbd6e1051, | |
492 | 0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46, | |
493 | 0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff, | |
494 | 0x1998fb24, 0xd6bde997, 0x894043cc, 0x67d99e77, | |
495 | 0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb, | |
496 | 0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000, | |
497 | 0x09808683, 0x322bed48, 0x1e1170ac, 0x6c5a724e, | |
498 | 0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927, | |
499 | 0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a, | |
500 | 0x0c0a67b1, 0x9357e70f, 0xb4ee96d2, 0x1b9b919e, | |
501 | 0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16, | |
502 | 0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d, | |
503 | 0x0e090d0b, 0xf28bc7ad, 0x2db6a8b9, 0x141ea9c8, | |
504 | 0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd, | |
505 | 0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34, | |
506 | 0x8b432976, 0xcb23c6dc, 0xb6edfc68, 0xb8e4f163, | |
507 | 0xd731dcca, 0x42638510, 0x13972240, 0x84c61120, | |
508 | 0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d, | |
509 | 0x1d9e2f4b, 0xdcb230f3, 0x0d8652ec, 0x77c1e3d0, | |
510 | 0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422, | |
511 | 0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef, | |
512 | 0x87494ec7, 0xd938d1c1, 0x8ccaa2fe, 0x98d40b36, | |
513 | 0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4, | |
514 | 0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662, | |
515 | 0xf68d13c2, 0x90d8b8e8, 0x2e39f75e, 0x82c3aff5, | |
516 | 0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3, | |
517 | 0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b, | |
518 | 0xcd267809, 0x6e5918f4, 0xec9ab701, 0x834f9aa8, | |
519 | 0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6, | |
520 | 0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6, | |
521 | 0x31a4b2af, 0x2a3f2331, 0xc6a59430, 0x35a266c0, | |
522 | 0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815, | |
523 | 0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f, | |
524 | 0x764dd68d, 0x43efb04d, 0xccaa4d54, 0xe49604df, | |
525 | 0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f, | |
526 | 0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e, | |
527 | 0xb3671d5a, 0x92dbd252, 0xe9105633, 0x6dd64713, | |
528 | 0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89, | |
529 | 0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c, | |
530 | 0x9cd2df59, 0x55f2733f, 0x1814ce79, 0x73c737bf, | |
531 | 0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86, | |
532 | 0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f, | |
533 | 0x161dc372, 0xbce2250c, 0x283c498b, 0xff0d9541, | |
534 | 0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190, | |
535 | 0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742); | |
536 | $code.=<<___; | |
76c828c6 | 537 | # Td4[256] |
a2a54ffc AP |
538 | .byte 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38 |
539 | .byte 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb | |
540 | .byte 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87 | |
541 | .byte 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb | |
542 | .byte 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d | |
543 | .byte 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e | |
544 | .byte 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2 | |
545 | .byte 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25 | |
546 | .byte 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16 | |
547 | .byte 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92 | |
548 | .byte 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda | |
549 | .byte 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84 | |
550 | .byte 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a | |
551 | .byte 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06 | |
552 | .byte 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02 | |
553 | .byte 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b | |
554 | .byte 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea | |
555 | .byte 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73 | |
556 | .byte 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85 | |
557 | .byte 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e | |
558 | .byte 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89 | |
559 | .byte 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b | |
560 | .byte 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20 | |
561 | .byte 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4 | |
562 | .byte 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31 | |
563 | .byte 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f | |
564 | .byte 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d | |
565 | .byte 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef | |
566 | .byte 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0 | |
567 | .byte 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61 | |
568 | .byte 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26 | |
569 | .byte 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d | |
570 | .size AES_Td,.-AES_Td | |
571 | ||
76c828c6 | 572 | # void AES_decrypt(const unsigned char *inp, unsigned char *out, |
a2a54ffc AP |
573 | # const AES_KEY *key) { |
574 | .globl AES_decrypt | |
575 | .type AES_decrypt,\@function | |
576 | AES_decrypt: | |
a61710b8 AP |
577 | ___ |
578 | $code.=<<___ if (!$softonly); | |
8626230a AP |
579 | l %r0,240($key) |
580 | lhi %r1,16 | |
581 | clr %r0,%r1 | |
582 | jl .Ldsoft | |
583 | ||
584 | la %r1,0($key) | |
3f6916cf | 585 | #la %r2,0($inp) |
a2a54ffc AP |
586 | la %r4,0($out) |
587 | lghi %r3,16 # single block length | |
588 | .long 0xb92e0042 # km %r4,%r2 | |
8626230a AP |
589 | brc 1,.-4 # can this happen? |
590 | br %r14 | |
591 | .align 64 | |
a2a54ffc | 592 | .Ldsoft: |
a61710b8 AP |
593 | ___ |
594 | $code.=<<___; | |
e822c756 | 595 | stm${g} %r3,$ra,3*$SIZE_T($sp) |
a2a54ffc AP |
596 | |
597 | llgf $s0,0($inp) | |
598 | llgf $s1,4($inp) | |
599 | llgf $s2,8($inp) | |
600 | llgf $s3,12($inp) | |
601 | ||
8626230a | 602 | larl $tbl,AES_Td |
a2a54ffc AP |
603 | bras $ra,_s390x_AES_decrypt |
604 | ||
e822c756 | 605 | l${g} $out,3*$SIZE_T($sp) |
a2a54ffc AP |
606 | st $s0,0($out) |
607 | st $s1,4($out) | |
608 | st $s2,8($out) | |
609 | st $s3,12($out) | |
610 | ||
e822c756 | 611 | lm${g} %r6,$ra,6*$SIZE_T($sp) |
76c828c6 | 612 | br $ra |
a2a54ffc AP |
613 | .size AES_decrypt,.-AES_decrypt |
614 | ||
615 | .type _s390x_AES_decrypt,\@function | |
616 | .align 16 | |
617 | _s390x_AES_decrypt: | |
0ab8fd58 | 618 | st${g} $ra,15*$SIZE_T($sp) |
a2a54ffc AP |
619 | x $s0,0($key) |
620 | x $s1,4($key) | |
621 | x $s2,8($key) | |
622 | x $s3,12($key) | |
623 | l $rounds,240($key) | |
8626230a | 624 | llill $mask,`0xff<<3` |
a2a54ffc | 625 | aghi $rounds,-1 |
8626230a AP |
626 | j .Ldec_loop |
627 | .align 16 | |
a2a54ffc | 628 | .Ldec_loop: |
8626230a AP |
629 | srlg $t1,$s0,`16-3` |
630 | srlg $t2,$s0,`8-3` | |
631 | sllg $t3,$s0,`0+3` | |
a2a54ffc AP |
632 | srl $s0,`24-3` |
633 | nr $s0,$mask | |
8626230a AP |
634 | nr $t1,$mask |
635 | nr $t2,$mask | |
636 | ngr $t3,$mask | |
a2a54ffc AP |
637 | |
638 | sllg $i1,$s1,`0+3` # i0 | |
639 | srlg $i2,$s1,`16-3` | |
640 | srlg $i3,$s1,`8-3` | |
641 | srl $s1,`24-3` | |
642 | ngr $i1,$mask | |
643 | nr $s1,$mask | |
644 | nr $i2,$mask | |
645 | nr $i3,$mask | |
8626230a AP |
646 | |
647 | l $s0,0($s0,$tbl) # Td0[s0>>24] | |
648 | l $t1,3($t1,$tbl) # Td1[s0>>16] | |
649 | l $t2,2($t2,$tbl) # Td2[s0>>8] | |
650 | l $t3,1($t3,$tbl) # Td3[s0>>0] | |
651 | ||
a2a54ffc AP |
652 | x $s0,1($i1,$tbl) # Td3[s1>>0] |
653 | l $s1,0($s1,$tbl) # Td0[s1>>24] | |
654 | x $t2,3($i2,$tbl) # Td1[s1>>16] | |
655 | x $t3,2($i3,$tbl) # Td2[s1>>8] | |
a2a54ffc AP |
656 | |
657 | srlg $i1,$s2,`8-3` # i0 | |
658 | sllg $i2,$s2,`0+3` # i1 | |
659 | srlg $i3,$s2,`16-3` | |
660 | srl $s2,`24-3` | |
661 | nr $i1,$mask | |
662 | ngr $i2,$mask | |
663 | nr $s2,$mask | |
664 | nr $i3,$mask | |
8626230a AP |
665 | |
666 | xr $s1,$t1 | |
667 | srlg $ra,$s3,`8-3` # i1 | |
668 | srlg $t1,$s3,`16-3` # i0 | |
669 | nr $ra,$mask | |
670 | la $key,16($key) | |
671 | nr $t1,$mask | |
672 | ||
a2a54ffc AP |
673 | x $s0,2($i1,$tbl) # Td2[s2>>8] |
674 | x $s1,1($i2,$tbl) # Td3[s2>>0] | |
675 | l $s2,0($s2,$tbl) # Td0[s2>>24] | |
676 | x $t3,3($i3,$tbl) # Td1[s2>>16] | |
a2a54ffc | 677 | |
a2a54ffc AP |
678 | sllg $i3,$s3,`0+3` # i2 |
679 | srl $s3,`24-3` | |
a2a54ffc AP |
680 | ngr $i3,$mask |
681 | nr $s3,$mask | |
a2a54ffc | 682 | |
8626230a | 683 | xr $s2,$t2 |
a2a54ffc AP |
684 | x $s0,0($key) |
685 | x $s1,4($key) | |
686 | x $s2,8($key) | |
8626230a AP |
687 | x $t3,12($key) |
688 | ||
689 | x $s0,3($t1,$tbl) # Td1[s3>>16] | |
690 | x $s1,2($ra,$tbl) # Td2[s3>>8] | |
691 | x $s2,1($i3,$tbl) # Td3[s3>>0] | |
692 | l $s3,0($s3,$tbl) # Td0[s3>>24] | |
693 | xr $s3,$t3 | |
a2a54ffc AP |
694 | |
695 | brct $rounds,.Ldec_loop | |
8626230a | 696 | .align 16 |
a2a54ffc AP |
697 | |
698 | l $t1,`2048+0`($tbl) # prefetch Td4 | |
8626230a AP |
699 | l $t2,`2048+64`($tbl) |
700 | l $t3,`2048+128`($tbl) | |
701 | l $i1,`2048+192`($tbl) | |
a2a54ffc AP |
702 | llill $mask,0xff |
703 | ||
704 | srlg $i3,$s0,24 # i0 | |
8626230a AP |
705 | srlg $t1,$s0,16 |
706 | srlg $t2,$s0,8 | |
a2a54ffc | 707 | nr $s0,$mask # i3 |
8626230a AP |
708 | nr $t1,$mask |
709 | ||
710 | srlg $i1,$s1,24 | |
711 | nr $t2,$mask | |
712 | srlg $i2,$s1,16 | |
713 | srlg $ra,$s1,8 | |
714 | nr $s1,$mask # i0 | |
a2a54ffc | 715 | nr $i2,$mask |
8626230a AP |
716 | nr $ra,$mask |
717 | ||
a2a54ffc | 718 | llgc $i3,2048($i3,$tbl) # Td4[s0>>24] |
8626230a AP |
719 | llgc $t1,2048($t1,$tbl) # Td4[s0>>16] |
720 | llgc $t2,2048($t2,$tbl) # Td4[s0>>8] | |
721 | sll $t1,16 | |
a2a54ffc AP |
722 | llgc $t3,2048($s0,$tbl) # Td4[s0>>0] |
723 | sllg $s0,$i3,24 | |
a2a54ffc AP |
724 | sll $t2,8 |
725 | ||
a2a54ffc AP |
726 | llgc $s1,2048($s1,$tbl) # Td4[s1>>0] |
727 | llgc $i1,2048($i1,$tbl) # Td4[s1>>24] | |
728 | llgc $i2,2048($i2,$tbl) # Td4[s1>>16] | |
a2a54ffc | 729 | sll $i1,24 |
8626230a | 730 | llgc $i3,2048($ra,$tbl) # Td4[s1>>8] |
a2a54ffc AP |
731 | sll $i2,16 |
732 | sll $i3,8 | |
733 | or $s0,$s1 | |
734 | or $t1,$i1 | |
735 | or $t2,$i2 | |
736 | or $t3,$i3 | |
737 | ||
738 | srlg $i1,$s2,8 # i0 | |
739 | srlg $i2,$s2,24 | |
740 | srlg $i3,$s2,16 | |
741 | nr $s2,$mask # i1 | |
742 | nr $i1,$mask | |
743 | nr $i3,$mask | |
744 | llgc $i1,2048($i1,$tbl) # Td4[s2>>8] | |
745 | llgc $s1,2048($s2,$tbl) # Td4[s2>>0] | |
746 | llgc $i2,2048($i2,$tbl) # Td4[s2>>24] | |
747 | llgc $i3,2048($i3,$tbl) # Td4[s2>>16] | |
748 | sll $i1,8 | |
749 | sll $i2,24 | |
a2a54ffc | 750 | or $s0,$i1 |
8626230a | 751 | sll $i3,16 |
a2a54ffc AP |
752 | or $t2,$i2 |
753 | or $t3,$i3 | |
754 | ||
755 | srlg $i1,$s3,16 # i0 | |
756 | srlg $i2,$s3,8 # i1 | |
757 | srlg $i3,$s3,24 | |
758 | nr $s3,$mask # i2 | |
759 | nr $i1,$mask | |
760 | nr $i2,$mask | |
8626230a | 761 | |
0ab8fd58 | 762 | l${g} $ra,15*$SIZE_T($sp) |
8626230a AP |
763 | or $s1,$t1 |
764 | l $t0,16($key) | |
765 | l $t1,20($key) | |
766 | ||
a2a54ffc AP |
767 | llgc $i1,2048($i1,$tbl) # Td4[s3>>16] |
768 | llgc $i2,2048($i2,$tbl) # Td4[s3>>8] | |
8626230a | 769 | sll $i1,16 |
a2a54ffc AP |
770 | llgc $s2,2048($s3,$tbl) # Td4[s3>>0] |
771 | llgc $s3,2048($i3,$tbl) # Td4[s3>>24] | |
a2a54ffc AP |
772 | sll $i2,8 |
773 | sll $s3,24 | |
774 | or $s0,$i1 | |
775 | or $s1,$i2 | |
776 | or $s2,$t2 | |
777 | or $s3,$t3 | |
778 | ||
8626230a AP |
779 | xr $s0,$t0 |
780 | xr $s1,$t1 | |
a2a54ffc AP |
781 | x $s2,24($key) |
782 | x $s3,28($key) | |
783 | ||
609b0852 | 784 | br $ra |
a2a54ffc | 785 | .size _s390x_AES_decrypt,.-_s390x_AES_decrypt |
8626230a | 786 | ___ |
76c828c6 | 787 | |
8626230a | 788 | $code.=<<___; |
76c828c6 AP |
789 | # void AES_set_encrypt_key(const unsigned char *in, int bits, |
790 | # AES_KEY *key) { | |
791 | .globl AES_set_encrypt_key | |
792 | .type AES_set_encrypt_key,\@function | |
793 | .align 16 | |
794 | AES_set_encrypt_key: | |
bc9583ef | 795 | _s390x_AES_set_encrypt_key: |
8626230a | 796 | lghi $t0,0 |
e822c756 | 797 | cl${g}r $inp,$t0 |
76c828c6 | 798 | je .Lminus1 |
e822c756 | 799 | cl${g}r $key,$t0 |
76c828c6 AP |
800 | je .Lminus1 |
801 | ||
8626230a AP |
802 | lghi $t0,128 |
803 | clr $bits,$t0 | |
804 | je .Lproceed | |
805 | lghi $t0,192 | |
806 | clr $bits,$t0 | |
807 | je .Lproceed | |
808 | lghi $t0,256 | |
809 | clr $bits,$t0 | |
810 | je .Lproceed | |
76c828c6 AP |
811 | lghi %r2,-2 |
812 | br %r14 | |
813 | ||
8626230a AP |
814 | .align 16 |
815 | .Lproceed: | |
a61710b8 AP |
816 | ___ |
817 | $code.=<<___ if (!$softonly); | |
af1d6387 | 818 | # convert bits to km(c) code, [128,192,256]->[18,19,20] |
8626230a AP |
819 | lhi %r5,-128 |
820 | lhi %r0,18 | |
821 | ar %r5,$bits | |
822 | srl %r5,6 | |
823 | ar %r5,%r0 | |
824 | ||
91fdacb2 | 825 | larl %r1,OPENSSL_s390xcap_P |
670ad0fb AP |
826 | llihh %r0,0x8000 |
827 | srlg %r0,%r0,0(%r5) | |
bc4e831c PS |
828 | ng %r0,S390X_KM(%r1) # check availability of both km... |
829 | ng %r0,S390X_KMC(%r1) # ...and kmc support for given key length | |
76c828c6 AP |
830 | jz .Lekey_internal |
831 | ||
8626230a AP |
832 | lmg %r0,%r1,0($inp) # just copy 128 bits... |
833 | stmg %r0,%r1,0($key) | |
834 | lhi %r0,192 | |
835 | cr $bits,%r0 | |
836 | jl 1f | |
837 | lg %r1,16($inp) | |
838 | stg %r1,16($key) | |
839 | je 1f | |
840 | lg %r1,24($inp) | |
841 | stg %r1,24($key) | |
b1fd0ccb AP |
842 | 1: st $bits,236($key) # save bits [for debugging purposes] |
843 | lgr $t0,%r5 | |
af1d6387 | 844 | st %r5,240($key) # save km(c) code |
76c828c6 AP |
845 | lghi %r2,0 |
846 | br %r14 | |
a61710b8 AP |
847 | ___ |
848 | $code.=<<___; | |
76c828c6 AP |
849 | .align 16 |
850 | .Lekey_internal: | |
b1fd0ccb | 851 | stm${g} %r4,%r13,4*$SIZE_T($sp) # all non-volatile regs and $key |
76c828c6 | 852 | |
a61710b8 | 853 | larl $tbl,AES_Te+2048 |
76c828c6 AP |
854 | |
855 | llgf $s0,0($inp) | |
856 | llgf $s1,4($inp) | |
857 | llgf $s2,8($inp) | |
858 | llgf $s3,12($inp) | |
859 | st $s0,0($key) | |
860 | st $s1,4($key) | |
861 | st $s2,8($key) | |
862 | st $s3,12($key) | |
8626230a AP |
863 | lghi $t0,128 |
864 | cr $bits,$t0 | |
76c828c6 AP |
865 | jne .Lnot128 |
866 | ||
867 | llill $mask,0xff | |
868 | lghi $t3,0 # i=0 | |
869 | lghi $rounds,10 | |
76c828c6 AP |
870 | st $rounds,240($key) |
871 | ||
76c828c6 AP |
872 | llgfr $t2,$s3 # temp=rk[3] |
873 | srlg $i1,$s3,8 | |
874 | srlg $i2,$s3,16 | |
875 | srlg $i3,$s3,24 | |
876 | nr $t2,$mask | |
877 | nr $i1,$mask | |
878 | nr $i2,$mask | |
8626230a AP |
879 | |
880 | .align 16 | |
881 | .L128_loop: | |
76c828c6 AP |
882 | la $t2,0($t2,$tbl) |
883 | la $i1,0($i1,$tbl) | |
884 | la $i2,0($i2,$tbl) | |
885 | la $i3,0($i3,$tbl) | |
886 | icm $t2,2,0($t2) # Te4[rk[3]>>0]<<8 | |
887 | icm $t2,4,0($i1) # Te4[rk[3]>>8]<<16 | |
888 | icm $t2,8,0($i2) # Te4[rk[3]>>16]<<24 | |
889 | icm $t2,1,0($i3) # Te4[rk[3]>>24] | |
890 | x $t2,256($t3,$tbl) # rcon[i] | |
891 | xr $s0,$t2 # rk[4]=rk[0]^... | |
892 | xr $s1,$s0 # rk[5]=rk[1]^rk[4] | |
893 | xr $s2,$s1 # rk[6]=rk[2]^rk[5] | |
894 | xr $s3,$s2 # rk[7]=rk[3]^rk[6] | |
8626230a AP |
895 | |
896 | llgfr $t2,$s3 # temp=rk[3] | |
897 | srlg $i1,$s3,8 | |
898 | srlg $i2,$s3,16 | |
899 | nr $t2,$mask | |
900 | nr $i1,$mask | |
901 | srlg $i3,$s3,24 | |
902 | nr $i2,$mask | |
903 | ||
76c828c6 AP |
904 | st $s0,16($key) |
905 | st $s1,20($key) | |
906 | st $s2,24($key) | |
907 | st $s3,28($key) | |
908 | la $key,16($key) # key+=4 | |
909 | la $t3,4($t3) # i++ | |
910 | brct $rounds,.L128_loop | |
b1fd0ccb | 911 | lghi $t0,10 |
76c828c6 | 912 | lghi %r2,0 |
b1fd0ccb | 913 | lm${g} %r4,%r13,4*$SIZE_T($sp) |
76c828c6 AP |
914 | br $ra |
915 | ||
8626230a | 916 | .align 16 |
76c828c6 | 917 | .Lnot128: |
8626230a AP |
918 | llgf $t0,16($inp) |
919 | llgf $t1,20($inp) | |
920 | st $t0,16($key) | |
921 | st $t1,20($key) | |
922 | lghi $t0,192 | |
923 | cr $bits,$t0 | |
76c828c6 AP |
924 | jne .Lnot192 |
925 | ||
926 | llill $mask,0xff | |
927 | lghi $t3,0 # i=0 | |
928 | lghi $rounds,12 | |
929 | st $rounds,240($key) | |
930 | lghi $rounds,8 | |
931 | ||
8626230a AP |
932 | srlg $i1,$t1,8 |
933 | srlg $i2,$t1,16 | |
934 | srlg $i3,$t1,24 | |
935 | nr $t1,$mask | |
76c828c6 AP |
936 | nr $i1,$mask |
937 | nr $i2,$mask | |
8626230a AP |
938 | |
939 | .align 16 | |
940 | .L192_loop: | |
941 | la $t1,0($t1,$tbl) | |
76c828c6 AP |
942 | la $i1,0($i1,$tbl) |
943 | la $i2,0($i2,$tbl) | |
944 | la $i3,0($i3,$tbl) | |
8626230a AP |
945 | icm $t1,2,0($t1) # Te4[rk[5]>>0]<<8 |
946 | icm $t1,4,0($i1) # Te4[rk[5]>>8]<<16 | |
947 | icm $t1,8,0($i2) # Te4[rk[5]>>16]<<24 | |
948 | icm $t1,1,0($i3) # Te4[rk[5]>>24] | |
949 | x $t1,256($t3,$tbl) # rcon[i] | |
950 | xr $s0,$t1 # rk[6]=rk[0]^... | |
76c828c6 AP |
951 | xr $s1,$s0 # rk[7]=rk[1]^rk[6] |
952 | xr $s2,$s1 # rk[8]=rk[2]^rk[7] | |
953 | xr $s3,$s2 # rk[9]=rk[3]^rk[8] | |
8626230a | 954 | |
76c828c6 AP |
955 | st $s0,24($key) |
956 | st $s1,28($key) | |
957 | st $s2,32($key) | |
958 | st $s3,36($key) | |
959 | brct $rounds,.L192_continue | |
b1fd0ccb | 960 | lghi $t0,12 |
76c828c6 | 961 | lghi %r2,0 |
b1fd0ccb | 962 | lm${g} %r4,%r13,4*$SIZE_T($sp) |
76c828c6 | 963 | br $ra |
8626230a AP |
964 | |
965 | .align 16 | |
76c828c6 | 966 | .L192_continue: |
8626230a AP |
967 | lgr $t1,$s3 |
968 | x $t1,16($key) # rk[10]=rk[4]^rk[9] | |
969 | st $t1,40($key) | |
970 | x $t1,20($key) # rk[11]=rk[5]^rk[10] | |
971 | st $t1,44($key) | |
972 | ||
973 | srlg $i1,$t1,8 | |
974 | srlg $i2,$t1,16 | |
975 | srlg $i3,$t1,24 | |
976 | nr $t1,$mask | |
977 | nr $i1,$mask | |
978 | nr $i2,$mask | |
979 | ||
76c828c6 AP |
980 | la $key,24($key) # key+=6 |
981 | la $t3,4($t3) # i++ | |
982 | j .L192_loop | |
983 | ||
8626230a | 984 | .align 16 |
76c828c6 | 985 | .Lnot192: |
8626230a AP |
986 | llgf $t0,24($inp) |
987 | llgf $t1,28($inp) | |
988 | st $t0,24($key) | |
989 | st $t1,28($key) | |
76c828c6 AP |
990 | llill $mask,0xff |
991 | lghi $t3,0 # i=0 | |
992 | lghi $rounds,14 | |
993 | st $rounds,240($key) | |
994 | lghi $rounds,7 | |
995 | ||
8626230a AP |
996 | srlg $i1,$t1,8 |
997 | srlg $i2,$t1,16 | |
998 | srlg $i3,$t1,24 | |
999 | nr $t1,$mask | |
76c828c6 AP |
1000 | nr $i1,$mask |
1001 | nr $i2,$mask | |
8626230a AP |
1002 | |
1003 | .align 16 | |
1004 | .L256_loop: | |
1005 | la $t1,0($t1,$tbl) | |
76c828c6 AP |
1006 | la $i1,0($i1,$tbl) |
1007 | la $i2,0($i2,$tbl) | |
1008 | la $i3,0($i3,$tbl) | |
8626230a AP |
1009 | icm $t1,2,0($t1) # Te4[rk[7]>>0]<<8 |
1010 | icm $t1,4,0($i1) # Te4[rk[7]>>8]<<16 | |
1011 | icm $t1,8,0($i2) # Te4[rk[7]>>16]<<24 | |
1012 | icm $t1,1,0($i3) # Te4[rk[7]>>24] | |
1013 | x $t1,256($t3,$tbl) # rcon[i] | |
1014 | xr $s0,$t1 # rk[8]=rk[0]^... | |
76c828c6 AP |
1015 | xr $s1,$s0 # rk[9]=rk[1]^rk[8] |
1016 | xr $s2,$s1 # rk[10]=rk[2]^rk[9] | |
1017 | xr $s3,$s2 # rk[11]=rk[3]^rk[10] | |
1018 | st $s0,32($key) | |
1019 | st $s1,36($key) | |
1020 | st $s2,40($key) | |
1021 | st $s3,44($key) | |
1022 | brct $rounds,.L256_continue | |
b1fd0ccb | 1023 | lghi $t0,14 |
76c828c6 | 1024 | lghi %r2,0 |
b1fd0ccb | 1025 | lm${g} %r4,%r13,4*$SIZE_T($sp) |
76c828c6 | 1026 | br $ra |
8626230a AP |
1027 | |
1028 | .align 16 | |
76c828c6 | 1029 | .L256_continue: |
8626230a | 1030 | lgr $t1,$s3 # temp=rk[11] |
76c828c6 AP |
1031 | srlg $i1,$s3,8 |
1032 | srlg $i2,$s3,16 | |
1033 | srlg $i3,$s3,24 | |
8626230a | 1034 | nr $t1,$mask |
76c828c6 AP |
1035 | nr $i1,$mask |
1036 | nr $i2,$mask | |
8626230a | 1037 | la $t1,0($t1,$tbl) |
76c828c6 AP |
1038 | la $i1,0($i1,$tbl) |
1039 | la $i2,0($i2,$tbl) | |
1040 | la $i3,0($i3,$tbl) | |
8626230a AP |
1041 | llgc $t1,0($t1) # Te4[rk[11]>>0] |
1042 | icm $t1,2,0($i1) # Te4[rk[11]>>8]<<8 | |
1043 | icm $t1,4,0($i2) # Te4[rk[11]>>16]<<16 | |
1044 | icm $t1,8,0($i3) # Te4[rk[11]>>24]<<24 | |
1045 | x $t1,16($key) # rk[12]=rk[4]^... | |
1046 | st $t1,48($key) | |
1047 | x $t1,20($key) # rk[13]=rk[5]^rk[12] | |
1048 | st $t1,52($key) | |
1049 | x $t1,24($key) # rk[14]=rk[6]^rk[13] | |
1050 | st $t1,56($key) | |
1051 | x $t1,28($key) # rk[15]=rk[7]^rk[14] | |
1052 | st $t1,60($key) | |
1053 | ||
1054 | srlg $i1,$t1,8 | |
1055 | srlg $i2,$t1,16 | |
1056 | srlg $i3,$t1,24 | |
1057 | nr $t1,$mask | |
1058 | nr $i1,$mask | |
1059 | nr $i2,$mask | |
76c828c6 AP |
1060 | |
1061 | la $key,32($key) # key+=8 | |
1062 | la $t3,4($t3) # i++ | |
1063 | j .L256_loop | |
8626230a | 1064 | |
76c828c6 AP |
1065 | .Lminus1: |
1066 | lghi %r2,-1 | |
8626230a | 1067 | br $ra |
76c828c6 AP |
1068 | .size AES_set_encrypt_key,.-AES_set_encrypt_key |
1069 | ||
1070 | # void AES_set_decrypt_key(const unsigned char *in, int bits, | |
1071 | # AES_KEY *key) { | |
1072 | .globl AES_set_decrypt_key | |
1073 | .type AES_set_decrypt_key,\@function | |
1074 | .align 16 | |
1075 | AES_set_decrypt_key: | |
b1fd0ccb AP |
1076 | #st${g} $key,4*$SIZE_T($sp) # I rely on AES_set_encrypt_key to |
1077 | st${g} $ra,14*$SIZE_T($sp) # save non-volatile registers and $key! | |
bc9583ef | 1078 | bras $ra,_s390x_AES_set_encrypt_key |
b1fd0ccb | 1079 | #l${g} $key,4*$SIZE_T($sp) |
e822c756 | 1080 | l${g} $ra,14*$SIZE_T($sp) |
76c828c6 AP |
1081 | ltgr %r2,%r2 |
1082 | bnzr $ra | |
a61710b8 AP |
1083 | ___ |
1084 | $code.=<<___ if (!$softonly); | |
b1fd0ccb | 1085 | #l $t0,240($key) |
8626230a AP |
1086 | lhi $t1,16 |
1087 | cr $t0,$t1 | |
1088 | jl .Lgo | |
e21a8430 | 1089 | oill $t0,S390X_DECRYPT # set "decrypt" bit |
8626230a | 1090 | st $t0,240($key) |
76c828c6 | 1091 | br $ra |
a61710b8 AP |
1092 | ___ |
1093 | $code.=<<___; | |
b1fd0ccb AP |
1094 | .align 16 |
1095 | .Lgo: lgr $rounds,$t0 #llgf $rounds,240($key) | |
96b0f6c1 | 1096 | la $i1,0($key) |
76c828c6 | 1097 | sllg $i2,$rounds,4 |
96b0f6c1 | 1098 | la $i2,0($i2,$key) |
76c828c6 | 1099 | srl $rounds,1 |
8626230a | 1100 | lghi $t1,-16 |
76c828c6 | 1101 | |
8626230a | 1102 | .align 16 |
96b0f6c1 AP |
1103 | .Linv: lmg $s0,$s1,0($i1) |
1104 | lmg $s2,$s3,0($i2) | |
1105 | stmg $s0,$s1,0($i2) | |
1106 | stmg $s2,$s3,0($i1) | |
8626230a AP |
1107 | la $i1,16($i1) |
1108 | la $i2,0($t1,$i2) | |
76c828c6 AP |
1109 | brct $rounds,.Linv |
1110 | ___ | |
1111 | $mask80=$i1; | |
1112 | $mask1b=$i2; | |
1113 | $maskfe=$i3; | |
1114 | $code.=<<___; | |
1115 | llgf $rounds,240($key) | |
1116 | aghi $rounds,-1 | |
1117 | sll $rounds,2 # (rounds-1)*4 | |
1118 | llilh $mask80,0x8080 | |
76c828c6 | 1119 | llilh $mask1b,0x1b1b |
76c828c6 | 1120 | llilh $maskfe,0xfefe |
8626230a AP |
1121 | oill $mask80,0x8080 |
1122 | oill $mask1b,0x1b1b | |
76c828c6 AP |
1123 | oill $maskfe,0xfefe |
1124 | ||
8626230a | 1125 | .align 16 |
76c828c6 AP |
1126 | .Lmix: l $s0,16($key) # tp1 |
1127 | lr $s1,$s0 | |
1128 | ngr $s1,$mask80 | |
1129 | srlg $t1,$s1,7 | |
1130 | slr $s1,$t1 | |
1131 | nr $s1,$mask1b | |
1132 | sllg $t1,$s0,1 | |
1133 | nr $t1,$maskfe | |
1134 | xr $s1,$t1 # tp2 | |
1135 | ||
1136 | lr $s2,$s1 | |
1137 | ngr $s2,$mask80 | |
1138 | srlg $t1,$s2,7 | |
1139 | slr $s2,$t1 | |
1140 | nr $s2,$mask1b | |
1141 | sllg $t1,$s1,1 | |
1142 | nr $t1,$maskfe | |
1143 | xr $s2,$t1 # tp4 | |
1144 | ||
1145 | lr $s3,$s2 | |
1146 | ngr $s3,$mask80 | |
1147 | srlg $t1,$s3,7 | |
1148 | slr $s3,$t1 | |
1149 | nr $s3,$mask1b | |
1150 | sllg $t1,$s2,1 | |
1151 | nr $t1,$maskfe | |
1152 | xr $s3,$t1 # tp8 | |
1153 | ||
1154 | xr $s1,$s0 # tp2^tp1 | |
1155 | xr $s2,$s0 # tp4^tp1 | |
1156 | rll $s0,$s0,24 # = ROTATE(tp1,8) | |
8626230a | 1157 | xr $s2,$s3 # ^=tp8 |
76c828c6 | 1158 | xr $s0,$s1 # ^=tp2^tp1 |
76c828c6 | 1159 | xr $s1,$s3 # tp2^tp1^tp8 |
8626230a | 1160 | xr $s0,$s2 # ^=tp4^tp1^tp8 |
76c828c6 | 1161 | rll $s1,$s1,8 |
76c828c6 | 1162 | rll $s2,$s2,16 |
8626230a | 1163 | xr $s0,$s1 # ^= ROTATE(tp8^tp2^tp1,24) |
76c828c6 | 1164 | rll $s3,$s3,24 |
8626230a | 1165 | xr $s0,$s2 # ^= ROTATE(tp8^tp4^tp1,16) |
76c828c6 AP |
1166 | xr $s0,$s3 # ^= ROTATE(tp8,8) |
1167 | ||
1168 | st $s0,16($key) | |
1169 | la $key,4($key) | |
1170 | brct $rounds,.Lmix | |
1171 | ||
e822c756 | 1172 | lm${g} %r6,%r13,6*$SIZE_T($sp)# as was saved by AES_set_encrypt_key! |
76c828c6 AP |
1173 | lghi %r2,0 |
1174 | br $ra | |
1175 | .size AES_set_decrypt_key,.-AES_set_decrypt_key | |
8626230a AP |
1176 | ___ |
1177 | ||
0ab8fd58 AP |
1178 | ######################################################################## |
1179 | # void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, | |
8626230a AP |
1180 | # size_t length, const AES_KEY *key, |
1181 | # unsigned char *ivec, const int enc) | |
1182 | { | |
1183 | my $inp="%r2"; | |
1184 | my $out="%r4"; # length and out are swapped | |
1185 | my $len="%r3"; | |
1186 | my $key="%r5"; | |
1187 | my $ivp="%r6"; | |
1188 | ||
1189 | $code.=<<___; | |
1190 | .globl AES_cbc_encrypt | |
1191 | .type AES_cbc_encrypt,\@function | |
1192 | .align 16 | |
1193 | AES_cbc_encrypt: | |
1194 | xgr %r3,%r4 # flip %r3 and %r4, out and len | |
1195 | xgr %r4,%r3 | |
1196 | xgr %r3,%r4 | |
1197 | ___ | |
1198 | $code.=<<___ if (!$softonly); | |
1199 | lhi %r0,16 | |
1200 | cl %r0,240($key) | |
1201 | jh .Lcbc_software | |
1202 | ||
1203 | lg %r0,0($ivp) # copy ivec | |
1204 | lg %r1,8($ivp) | |
1205 | stmg %r0,%r1,16($sp) | |
1206 | lmg %r0,%r1,0($key) # copy key, cover 256 bit | |
1207 | stmg %r0,%r1,32($sp) | |
1208 | lmg %r0,%r1,16($key) | |
1209 | stmg %r0,%r1,48($sp) | |
1210 | l %r0,240($key) # load kmc code | |
1211 | lghi $key,15 # res=len%16, len-=res; | |
1212 | ngr $key,$len | |
e822c756 | 1213 | sl${g}r $len,$key |
8626230a AP |
1214 | la %r1,16($sp) # parameter block - ivec || key |
1215 | jz .Lkmc_truncated | |
1216 | .long 0xb92f0042 # kmc %r4,%r2 | |
1217 | brc 1,.-4 # pay attention to "partial completion" | |
1218 | ltr $key,$key | |
1219 | jnz .Lkmc_truncated | |
1220 | .Lkmc_done: | |
1221 | lmg %r0,%r1,16($sp) # copy ivec to caller | |
1222 | stg %r0,0($ivp) | |
1223 | stg %r1,8($ivp) | |
1224 | br $ra | |
1225 | .align 16 | |
1226 | .Lkmc_truncated: | |
1227 | ahi $key,-1 # it's the way it's encoded in mvc | |
e21a8430 | 1228 | tmll %r0,S390X_DECRYPT |
8626230a AP |
1229 | jnz .Lkmc_truncated_dec |
1230 | lghi %r1,0 | |
e822c756 AP |
1231 | stg %r1,16*$SIZE_T($sp) |
1232 | stg %r1,16*$SIZE_T+8($sp) | |
8626230a | 1233 | bras %r1,1f |
e822c756 | 1234 | mvc 16*$SIZE_T(1,$sp),0($inp) |
8626230a AP |
1235 | 1: ex $key,0(%r1) |
1236 | la %r1,16($sp) # restore parameter block | |
e822c756 | 1237 | la $inp,16*$SIZE_T($sp) |
8626230a AP |
1238 | lghi $len,16 |
1239 | .long 0xb92f0042 # kmc %r4,%r2 | |
1240 | j .Lkmc_done | |
1241 | .align 16 | |
1242 | .Lkmc_truncated_dec: | |
e822c756 AP |
1243 | st${g} $out,4*$SIZE_T($sp) |
1244 | la $out,16*$SIZE_T($sp) | |
8626230a AP |
1245 | lghi $len,16 |
1246 | .long 0xb92f0042 # kmc %r4,%r2 | |
e822c756 | 1247 | l${g} $out,4*$SIZE_T($sp) |
8626230a | 1248 | bras %r1,2f |
e822c756 | 1249 | mvc 0(1,$out),16*$SIZE_T($sp) |
8626230a AP |
1250 | 2: ex $key,0(%r1) |
1251 | j .Lkmc_done | |
1252 | .align 16 | |
1253 | .Lcbc_software: | |
1254 | ___ | |
1255 | $code.=<<___; | |
e822c756 | 1256 | stm${g} $key,$ra,5*$SIZE_T($sp) |
8626230a | 1257 | lhi %r0,0 |
e822c756 | 1258 | cl %r0,`$stdframe+$SIZE_T-4`($sp) |
8626230a AP |
1259 | je .Lcbc_decrypt |
1260 | ||
1261 | larl $tbl,AES_Te | |
1262 | ||
1263 | llgf $s0,0($ivp) | |
1264 | llgf $s1,4($ivp) | |
1265 | llgf $s2,8($ivp) | |
1266 | llgf $s3,12($ivp) | |
1267 | ||
1268 | lghi $t0,16 | |
e822c756 | 1269 | sl${g}r $len,$t0 |
8626230a AP |
1270 | brc 4,.Lcbc_enc_tail # if borrow |
1271 | .Lcbc_enc_loop: | |
e822c756 | 1272 | stm${g} $inp,$out,2*$SIZE_T($sp) |
8626230a AP |
1273 | x $s0,0($inp) |
1274 | x $s1,4($inp) | |
1275 | x $s2,8($inp) | |
1276 | x $s3,12($inp) | |
1277 | lgr %r4,$key | |
1278 | ||
1279 | bras $ra,_s390x_AES_encrypt | |
1280 | ||
e822c756 | 1281 | lm${g} $inp,$key,2*$SIZE_T($sp) |
8626230a AP |
1282 | st $s0,0($out) |
1283 | st $s1,4($out) | |
1284 | st $s2,8($out) | |
1285 | st $s3,12($out) | |
1286 | ||
1287 | la $inp,16($inp) | |
1288 | la $out,16($out) | |
1289 | lghi $t0,16 | |
e822c756 | 1290 | lt${g}r $len,$len |
8626230a | 1291 | jz .Lcbc_enc_done |
e822c756 | 1292 | sl${g}r $len,$t0 |
8626230a AP |
1293 | brc 4,.Lcbc_enc_tail # if borrow |
1294 | j .Lcbc_enc_loop | |
1295 | .align 16 | |
1296 | .Lcbc_enc_done: | |
e822c756 | 1297 | l${g} $ivp,6*$SIZE_T($sp) |
8626230a | 1298 | st $s0,0($ivp) |
609b0852 | 1299 | st $s1,4($ivp) |
8626230a AP |
1300 | st $s2,8($ivp) |
1301 | st $s3,12($ivp) | |
1302 | ||
e822c756 | 1303 | lm${g} %r7,$ra,7*$SIZE_T($sp) |
8626230a AP |
1304 | br $ra |
1305 | ||
1306 | .align 16 | |
1307 | .Lcbc_enc_tail: | |
1308 | aghi $len,15 | |
1309 | lghi $t0,0 | |
e822c756 AP |
1310 | stg $t0,16*$SIZE_T($sp) |
1311 | stg $t0,16*$SIZE_T+8($sp) | |
8626230a | 1312 | bras $t1,3f |
e822c756 | 1313 | mvc 16*$SIZE_T(1,$sp),0($inp) |
8626230a AP |
1314 | 3: ex $len,0($t1) |
1315 | lghi $len,0 | |
e822c756 | 1316 | la $inp,16*$SIZE_T($sp) |
8626230a AP |
1317 | j .Lcbc_enc_loop |
1318 | ||
1319 | .align 16 | |
1320 | .Lcbc_decrypt: | |
1321 | larl $tbl,AES_Td | |
1322 | ||
1323 | lg $t0,0($ivp) | |
1324 | lg $t1,8($ivp) | |
e822c756 | 1325 | stmg $t0,$t1,16*$SIZE_T($sp) |
8626230a AP |
1326 | |
1327 | .Lcbc_dec_loop: | |
e822c756 | 1328 | stm${g} $inp,$out,2*$SIZE_T($sp) |
8626230a AP |
1329 | llgf $s0,0($inp) |
1330 | llgf $s1,4($inp) | |
1331 | llgf $s2,8($inp) | |
1332 | llgf $s3,12($inp) | |
1333 | lgr %r4,$key | |
1334 | ||
1335 | bras $ra,_s390x_AES_decrypt | |
1336 | ||
e822c756 | 1337 | lm${g} $inp,$key,2*$SIZE_T($sp) |
8626230a AP |
1338 | sllg $s0,$s0,32 |
1339 | sllg $s2,$s2,32 | |
1340 | lr $s0,$s1 | |
1341 | lr $s2,$s3 | |
1342 | ||
1343 | lg $t0,0($inp) | |
1344 | lg $t1,8($inp) | |
e822c756 AP |
1345 | xg $s0,16*$SIZE_T($sp) |
1346 | xg $s2,16*$SIZE_T+8($sp) | |
8626230a | 1347 | lghi $s1,16 |
e822c756 | 1348 | sl${g}r $len,$s1 |
8626230a AP |
1349 | brc 4,.Lcbc_dec_tail # if borrow |
1350 | brc 2,.Lcbc_dec_done # if zero | |
1351 | stg $s0,0($out) | |
1352 | stg $s2,8($out) | |
e822c756 | 1353 | stmg $t0,$t1,16*$SIZE_T($sp) |
8626230a AP |
1354 | |
1355 | la $inp,16($inp) | |
1356 | la $out,16($out) | |
1357 | j .Lcbc_dec_loop | |
1358 | ||
1359 | .Lcbc_dec_done: | |
1360 | stg $s0,0($out) | |
1361 | stg $s2,8($out) | |
1362 | .Lcbc_dec_exit: | |
e822c756 | 1363 | lm${g} %r6,$ra,6*$SIZE_T($sp) |
8626230a AP |
1364 | stmg $t0,$t1,0($ivp) |
1365 | ||
1366 | br $ra | |
1367 | ||
1368 | .align 16 | |
1369 | .Lcbc_dec_tail: | |
1370 | aghi $len,15 | |
e822c756 AP |
1371 | stg $s0,16*$SIZE_T($sp) |
1372 | stg $s2,16*$SIZE_T+8($sp) | |
8626230a | 1373 | bras $s1,4f |
e822c756 | 1374 | mvc 0(1,$out),16*$SIZE_T($sp) |
8626230a AP |
1375 | 4: ex $len,0($s1) |
1376 | j .Lcbc_dec_exit | |
1377 | .size AES_cbc_encrypt,.-AES_cbc_encrypt | |
874a3757 AP |
1378 | ___ |
1379 | } | |
0ab8fd58 AP |
1380 | ######################################################################## |
1381 | # void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, | |
874a3757 AP |
1382 | # size_t blocks, const AES_KEY *key, |
1383 | # const unsigned char *ivec) | |
1384 | { | |
1385 | my $inp="%r2"; | |
0ab8fd58 AP |
1386 | my $out="%r4"; # blocks and out are swapped |
1387 | my $len="%r3"; | |
874a3757 AP |
1388 | my $key="%r5"; my $iv0="%r5"; |
1389 | my $ivp="%r6"; | |
1390 | my $fp ="%r7"; | |
1391 | ||
1392 | $code.=<<___; | |
1393 | .globl AES_ctr32_encrypt | |
1394 | .type AES_ctr32_encrypt,\@function | |
1395 | .align 16 | |
1396 | AES_ctr32_encrypt: | |
0ab8fd58 AP |
1397 | xgr %r3,%r4 # flip %r3 and %r4, $out and $len |
1398 | xgr %r4,%r3 | |
1399 | xgr %r3,%r4 | |
e822c756 | 1400 | llgfr $len,$len # safe in ctr32 subroutine even in 64-bit case |
874a3757 AP |
1401 | ___ |
1402 | $code.=<<___ if (!$softonly); | |
1403 | l %r0,240($key) | |
1404 | lhi %r1,16 | |
1405 | clr %r0,%r1 | |
1406 | jl .Lctr32_software | |
1407 | ||
1c3a23e4 PS |
1408 | st${g} $s2,10*$SIZE_T($sp) |
1409 | st${g} $s3,11*$SIZE_T($sp) | |
1410 | ||
1411 | clr $len,%r1 # does work even in 64-bit mode | |
1412 | jle .Lctr32_nokma # kma is slower for <= 16 blocks | |
1413 | ||
1414 | larl %r1,OPENSSL_s390xcap_P | |
1415 | lr $s2,%r0 | |
1416 | llihh $s3,0x8000 | |
1417 | srlg $s3,$s3,0($s2) | |
1418 | ng $s3,S390X_KMA(%r1) # check kma capability vector | |
1419 | jz .Lctr32_nokma | |
1420 | ||
1421 | l${g}hi %r1,-$stdframe-112 | |
1422 | l${g}r $s3,$sp | |
1423 | la $sp,0(%r1,$sp) # prepare parameter block | |
1424 | ||
1425 | lhi %r1,0x0600 | |
1426 | sllg $len,$len,4 | |
1427 | or %r0,%r1 # set HS and LAAD flags | |
1428 | ||
1429 | st${g} $s3,0($sp) # backchain | |
1430 | la %r1,$stdframe($sp) | |
1431 | ||
1432 | lmg $s2,$s3,0($key) # copy key | |
1433 | stg $s2,$stdframe+80($sp) | |
1434 | stg $s3,$stdframe+88($sp) | |
1435 | lmg $s2,$s3,16($key) | |
1436 | stg $s2,$stdframe+96($sp) | |
1437 | stg $s3,$stdframe+104($sp) | |
1438 | ||
1439 | lmg $s2,$s3,0($ivp) # copy iv | |
1440 | stg $s2,$stdframe+64($sp) | |
1441 | ahi $s3,-1 # kma requires counter-1 | |
1442 | stg $s3,$stdframe+72($sp) | |
1443 | st $s3,$stdframe+12($sp) # copy counter | |
1444 | ||
1445 | lghi $s2,0 # no AAD | |
1446 | lghi $s3,0 | |
1447 | ||
1448 | .long 0xb929a042 # kma $out,$s2,$inp | |
1449 | brc 1,.-4 # pay attention to "partial completion" | |
1450 | ||
1451 | stg %r0,$stdframe+80($sp) # wipe key | |
1452 | stg %r0,$stdframe+88($sp) | |
1453 | stg %r0,$stdframe+96($sp) | |
1454 | stg %r0,$stdframe+104($sp) | |
1455 | la $sp,$stdframe+112($sp) | |
1456 | ||
1457 | lm${g} $s2,$s3,10*$SIZE_T($sp) | |
1458 | br $ra | |
1459 | ||
1460 | .align 16 | |
1461 | .Lctr32_nokma: | |
1462 | stm${g} %r6,$s1,6*$SIZE_T($sp) | |
874a3757 AP |
1463 | |
1464 | slgr $out,$inp | |
1465 | la %r1,0($key) # %r1 is permanent copy of $key | |
1466 | lg $iv0,0($ivp) # load ivec | |
1467 | lg $ivp,8($ivp) | |
1468 | ||
26064d7f AP |
1469 | # prepare and allocate stack frame at the top of 4K page |
1470 | # with 1K reserved for eventual signal handling | |
1471 | lghi $s0,-1024-256-16# guarantee at least 256-bytes buffer | |
874a3757 | 1472 | lghi $s1,-4096 |
874a3757 | 1473 | algr $s0,$sp |
26064d7f | 1474 | lgr $fp,$sp |
874a3757 | 1475 | ngr $s0,$s1 # align at page boundary |
26064d7f AP |
1476 | slgr $fp,$s0 # total buffer size |
1477 | lgr $s2,$sp | |
1478 | lghi $s1,1024+16 # sl[g]fi is extended-immediate facility | |
1479 | slgr $fp,$s1 # deduct reservation to get usable buffer size | |
1480 | # buffer size is at lest 256 and at most 3072+256-16 | |
1481 | ||
1482 | la $sp,1024($s0) # alloca | |
1483 | srlg $fp,$fp,4 # convert bytes to blocks, minimum 16 | |
e822c756 AP |
1484 | st${g} $s2,0($sp) # back-chain |
1485 | st${g} $fp,$SIZE_T($sp) | |
874a3757 AP |
1486 | |
1487 | slgr $len,$fp | |
0ab8fd58 | 1488 | brc 1,.Lctr32_hw_switch # not zero, no borrow |
26064d7f | 1489 | algr $fp,$len # input is shorter than allocated buffer |
874a3757 | 1490 | lghi $len,0 |
e822c756 | 1491 | st${g} $fp,$SIZE_T($sp) |
874a3757 | 1492 | |
0ab8fd58 AP |
1493 | .Lctr32_hw_switch: |
1494 | ___ | |
4c5100ce | 1495 | $code.=<<___ if (!$softonly && 0);# kmctr code was measured to be ~12% slower |
0ab8fd58 AP |
1496 | llgfr $s0,%r0 |
1497 | lgr $s1,%r1 | |
670ad0fb | 1498 | larl %r1,OPENSSL_s390xcap_P |
0ab8fd58 AP |
1499 | llihh %r0,0x8000 # check if kmctr supports the function code |
1500 | srlg %r0,%r0,0($s0) | |
bc4e831c | 1501 | ng %r0,S390X_KMCTR(%r1) # check kmctr capability vector |
0ab8fd58 AP |
1502 | lgr %r0,$s0 |
1503 | lgr %r1,$s1 | |
1504 | jz .Lctr32_km_loop | |
1505 | ||
1506 | ####### kmctr code | |
1507 | algr $out,$inp # restore $out | |
1508 | lgr $s1,$len # $s1 undertakes $len | |
1509 | j .Lctr32_kmctr_loop | |
1510 | .align 16 | |
1511 | .Lctr32_kmctr_loop: | |
1512 | la $s2,16($sp) | |
1513 | lgr $s3,$fp | |
1514 | .Lctr32_kmctr_prepare: | |
1515 | stg $iv0,0($s2) | |
1516 | stg $ivp,8($s2) | |
1517 | la $s2,16($s2) | |
1518 | ahi $ivp,1 # 32-bit increment, preserves upper half | |
1519 | brct $s3,.Lctr32_kmctr_prepare | |
1520 | ||
1521 | #la $inp,0($inp) # inp | |
1522 | sllg $len,$fp,4 # len | |
1523 | #la $out,0($out) # out | |
1524 | la $s2,16($sp) # iv | |
1525 | .long 0xb92da042 # kmctr $out,$s2,$inp | |
1526 | brc 1,.-4 # pay attention to "partial completion" | |
1527 | ||
1528 | slgr $s1,$fp | |
1529 | brc 1,.Lctr32_kmctr_loop # not zero, no borrow | |
1530 | algr $fp,$s1 | |
1531 | lghi $s1,0 | |
1532 | brc 4+1,.Lctr32_kmctr_loop # not zero | |
1533 | ||
1534 | l${g} $sp,0($sp) | |
1535 | lm${g} %r6,$s3,6*$SIZE_T($sp) | |
1536 | br $ra | |
1537 | .align 16 | |
1538 | ___ | |
4c5100ce | 1539 | $code.=<<___ if (!$softonly); |
0ab8fd58 | 1540 | .Lctr32_km_loop: |
874a3757 AP |
1541 | la $s2,16($sp) |
1542 | lgr $s3,$fp | |
0ab8fd58 | 1543 | .Lctr32_km_prepare: |
874a3757 AP |
1544 | stg $iv0,0($s2) |
1545 | stg $ivp,8($s2) | |
1546 | la $s2,16($s2) | |
1547 | ahi $ivp,1 # 32-bit increment, preserves upper half | |
0ab8fd58 | 1548 | brct $s3,.Lctr32_km_prepare |
874a3757 AP |
1549 | |
1550 | la $s0,16($sp) # inp | |
1551 | sllg $s1,$fp,4 # len | |
1552 | la $s2,16($sp) # out | |
1553 | .long 0xb92e00a8 # km %r10,%r8 | |
1554 | brc 1,.-4 # pay attention to "partial completion" | |
1555 | ||
1556 | la $s2,16($sp) | |
1557 | lgr $s3,$fp | |
1558 | slgr $s2,$inp | |
0ab8fd58 | 1559 | .Lctr32_km_xor: |
874a3757 AP |
1560 | lg $s0,0($inp) |
1561 | lg $s1,8($inp) | |
1562 | xg $s0,0($s2,$inp) | |
1563 | xg $s1,8($s2,$inp) | |
1564 | stg $s0,0($out,$inp) | |
1565 | stg $s1,8($out,$inp) | |
1566 | la $inp,16($inp) | |
0ab8fd58 | 1567 | brct $s3,.Lctr32_km_xor |
874a3757 AP |
1568 | |
1569 | slgr $len,$fp | |
0ab8fd58 | 1570 | brc 1,.Lctr32_km_loop # not zero, no borrow |
874a3757 AP |
1571 | algr $fp,$len |
1572 | lghi $len,0 | |
0ab8fd58 | 1573 | brc 4+1,.Lctr32_km_loop # not zero |
874a3757 | 1574 | |
e822c756 AP |
1575 | l${g} $s0,0($sp) |
1576 | l${g} $s1,$SIZE_T($sp) | |
874a3757 | 1577 | la $s2,16($sp) |
0ab8fd58 | 1578 | .Lctr32_km_zap: |
874a3757 AP |
1579 | stg $s0,0($s2) |
1580 | stg $s0,8($s2) | |
1581 | la $s2,16($s2) | |
0ab8fd58 | 1582 | brct $s1,.Lctr32_km_zap |
874a3757 AP |
1583 | |
1584 | la $sp,0($s0) | |
e822c756 | 1585 | lm${g} %r6,$s3,6*$SIZE_T($sp) |
874a3757 AP |
1586 | br $ra |
1587 | .align 16 | |
1588 | .Lctr32_software: | |
1589 | ___ | |
1590 | $code.=<<___; | |
e822c756 | 1591 | stm${g} $key,$ra,5*$SIZE_T($sp) |
0ab8fd58 | 1592 | sl${g}r $inp,$out |
874a3757 AP |
1593 | larl $tbl,AES_Te |
1594 | llgf $t1,12($ivp) | |
1595 | ||
1596 | .Lctr32_loop: | |
0ab8fd58 | 1597 | stm${g} $inp,$out,2*$SIZE_T($sp) |
874a3757 AP |
1598 | llgf $s0,0($ivp) |
1599 | llgf $s1,4($ivp) | |
1600 | llgf $s2,8($ivp) | |
1601 | lgr $s3,$t1 | |
e822c756 | 1602 | st $t1,16*$SIZE_T($sp) |
874a3757 AP |
1603 | lgr %r4,$key |
1604 | ||
1605 | bras $ra,_s390x_AES_encrypt | |
1606 | ||
e822c756 AP |
1607 | lm${g} $inp,$ivp,2*$SIZE_T($sp) |
1608 | llgf $t1,16*$SIZE_T($sp) | |
0ab8fd58 AP |
1609 | x $s0,0($inp,$out) |
1610 | x $s1,4($inp,$out) | |
1611 | x $s2,8($inp,$out) | |
1612 | x $s3,12($inp,$out) | |
1613 | stm $s0,$s3,0($out) | |
1614 | ||
1615 | la $out,16($out) | |
1616 | ahi $t1,1 # 32-bit increment | |
1617 | brct $len,.Lctr32_loop | |
1618 | ||
1619 | lm${g} %r6,$ra,6*$SIZE_T($sp) | |
1620 | br $ra | |
1621 | .size AES_ctr32_encrypt,.-AES_ctr32_encrypt | |
1622 | ___ | |
1623 | } | |
1624 | ||
1625 | ######################################################################## | |
96cce820 PS |
1626 | # void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, |
1627 | # size_t len, const AES_KEY *key1, const AES_KEY *key2, | |
0c237e42 | 1628 | # const unsigned char iv[16]); |
0ab8fd58 AP |
1629 | # |
1630 | { | |
1631 | my $inp="%r2"; | |
1632 | my $out="%r4"; # len and out are swapped | |
1633 | my $len="%r3"; | |
1634 | my $key1="%r5"; # $i1 | |
1635 | my $key2="%r6"; # $i2 | |
1636 | my $fp="%r7"; # $i3 | |
1637 | my $tweak=16*$SIZE_T+16; # or $stdframe-16, bottom of the frame... | |
1638 | ||
1639 | $code.=<<___; | |
1640 | .type _s390x_xts_km,\@function | |
1641 | .align 16 | |
1642 | _s390x_xts_km: | |
1643 | ___ | |
0c237e42 | 1644 | $code.=<<___ if(1); |
0ab8fd58 AP |
1645 | llgfr $s0,%r0 # put aside the function code |
1646 | lghi $s1,0x7f | |
1647 | nr $s1,%r0 | |
670ad0fb AP |
1648 | larl %r1,OPENSSL_s390xcap_P |
1649 | llihh %r0,0x8000 | |
1650 | srlg %r0,%r0,32($s1) # check for 32+function code | |
bc4e831c | 1651 | ng %r0,S390X_KM(%r1) # check km capability vector |
0ab8fd58 AP |
1652 | lgr %r0,$s0 # restore the function code |
1653 | la %r1,0($key1) # restore $key1 | |
1654 | jz .Lxts_km_vanilla | |
1655 | ||
1656 | lmg $i2,$i3,$tweak($sp) # put aside the tweak value | |
1657 | algr $out,$inp | |
1658 | ||
1659 | oill %r0,32 # switch to xts function code | |
1660 | aghi $s1,-18 # | |
1661 | sllg $s1,$s1,3 # (function code - 18)*8, 0 or 16 | |
1662 | la %r1,$tweak-16($sp) | |
1663 | slgr %r1,$s1 # parameter block position | |
1664 | lmg $s0,$s3,0($key1) # load 256 bits of key material, | |
1665 | stmg $s0,$s3,0(%r1) # and copy it to parameter block. | |
1666 | # yes, it contains junk and overlaps | |
1667 | # with the tweak in 128-bit case. | |
1668 | # it's done to avoid conditional | |
1669 | # branch. | |
1670 | stmg $i2,$i3,$tweak($sp) # "re-seat" the tweak value | |
1671 | ||
1672 | .long 0xb92e0042 # km %r4,%r2 | |
1673 | brc 1,.-4 # pay attention to "partial completion" | |
1674 | ||
1675 | lrvg $s0,$tweak+0($sp) # load the last tweak | |
1676 | lrvg $s1,$tweak+8($sp) | |
8df400cf | 1677 | stmg %r0,%r3,$tweak-32($sp) # wipe copy of the key |
0ab8fd58 AP |
1678 | |
1679 | nill %r0,0xffdf # switch back to original function code | |
1680 | la %r1,0($key1) # restore pointer to $key1 | |
1681 | slgr $out,$inp | |
1682 | ||
1683 | llgc $len,2*$SIZE_T-1($sp) | |
1684 | nill $len,0x0f # $len%=16 | |
1685 | br $ra | |
609b0852 | 1686 | |
0ab8fd58 AP |
1687 | .align 16 |
1688 | .Lxts_km_vanilla: | |
1689 | ___ | |
1690 | $code.=<<___; | |
1691 | # prepare and allocate stack frame at the top of 4K page | |
1692 | # with 1K reserved for eventual signal handling | |
1693 | lghi $s0,-1024-256-16# guarantee at least 256-bytes buffer | |
1694 | lghi $s1,-4096 | |
1695 | algr $s0,$sp | |
1696 | lgr $fp,$sp | |
1697 | ngr $s0,$s1 # align at page boundary | |
1698 | slgr $fp,$s0 # total buffer size | |
1699 | lgr $s2,$sp | |
1700 | lghi $s1,1024+16 # sl[g]fi is extended-immediate facility | |
1701 | slgr $fp,$s1 # deduct reservation to get usable buffer size | |
1702 | # buffer size is at lest 256 and at most 3072+256-16 | |
1703 | ||
1704 | la $sp,1024($s0) # alloca | |
1705 | nill $fp,0xfff0 # round to 16*n | |
1706 | st${g} $s2,0($sp) # back-chain | |
1707 | nill $len,0xfff0 # redundant | |
1708 | st${g} $fp,$SIZE_T($sp) | |
1709 | ||
1710 | slgr $len,$fp | |
1711 | brc 1,.Lxts_km_go # not zero, no borrow | |
1712 | algr $fp,$len # input is shorter than allocated buffer | |
1713 | lghi $len,0 | |
1714 | st${g} $fp,$SIZE_T($sp) | |
1715 | ||
1716 | .Lxts_km_go: | |
1717 | lrvg $s0,$tweak+0($s2) # load the tweak value in little-endian | |
1718 | lrvg $s1,$tweak+8($s2) | |
1719 | ||
1720 | la $s2,16($sp) # vector of ascending tweak values | |
1721 | slgr $s2,$inp | |
1722 | srlg $s3,$fp,4 | |
1723 | j .Lxts_km_start | |
1724 | ||
1725 | .Lxts_km_loop: | |
1726 | la $s2,16($sp) | |
1727 | slgr $s2,$inp | |
1728 | srlg $s3,$fp,4 | |
1729 | .Lxts_km_prepare: | |
1730 | lghi $i1,0x87 | |
1731 | srag $i2,$s1,63 # broadcast upper bit | |
1732 | ngr $i1,$i2 # rem | |
c3cddeae AP |
1733 | algr $s0,$s0 |
1734 | alcgr $s1,$s1 | |
0ab8fd58 | 1735 | xgr $s0,$i1 |
0ab8fd58 AP |
1736 | .Lxts_km_start: |
1737 | lrvgr $i1,$s0 # flip byte order | |
1738 | lrvgr $i2,$s1 | |
1739 | stg $i1,0($s2,$inp) | |
1740 | stg $i2,8($s2,$inp) | |
1741 | xg $i1,0($inp) | |
1742 | xg $i2,8($inp) | |
1743 | stg $i1,0($out,$inp) | |
1744 | stg $i2,8($out,$inp) | |
1745 | la $inp,16($inp) | |
1746 | brct $s3,.Lxts_km_prepare | |
1747 | ||
1748 | slgr $inp,$fp # rewind $inp | |
1749 | la $s2,0($out,$inp) | |
1750 | lgr $s3,$fp | |
1751 | .long 0xb92e00aa # km $s2,$s2 | |
1752 | brc 1,.-4 # pay attention to "partial completion" | |
1753 | ||
1754 | la $s2,16($sp) | |
1755 | slgr $s2,$inp | |
1756 | srlg $s3,$fp,4 | |
1757 | .Lxts_km_xor: | |
1758 | lg $i1,0($out,$inp) | |
1759 | lg $i2,8($out,$inp) | |
1760 | xg $i1,0($s2,$inp) | |
1761 | xg $i2,8($s2,$inp) | |
1762 | stg $i1,0($out,$inp) | |
1763 | stg $i2,8($out,$inp) | |
1764 | la $inp,16($inp) | |
1765 | brct $s3,.Lxts_km_xor | |
1766 | ||
1767 | slgr $len,$fp | |
1768 | brc 1,.Lxts_km_loop # not zero, no borrow | |
1769 | algr $fp,$len | |
1770 | lghi $len,0 | |
1771 | brc 4+1,.Lxts_km_loop # not zero | |
1772 | ||
1773 | l${g} $i1,0($sp) # back-chain | |
1774 | llgf $fp,`2*$SIZE_T-4`($sp) # bytes used | |
1775 | la $i2,16($sp) | |
1776 | srlg $fp,$fp,4 | |
1777 | .Lxts_km_zap: | |
1778 | stg $i1,0($i2) | |
1779 | stg $i1,8($i2) | |
1780 | la $i2,16($i2) | |
1781 | brct $fp,.Lxts_km_zap | |
1782 | ||
1783 | la $sp,0($i1) | |
1784 | llgc $len,2*$SIZE_T-1($i1) | |
1785 | nill $len,0x0f # $len%=16 | |
1786 | bzr $ra | |
1787 | ||
1788 | # generate one more tweak... | |
1789 | lghi $i1,0x87 | |
1790 | srag $i2,$s1,63 # broadcast upper bit | |
1791 | ngr $i1,$i2 # rem | |
c3cddeae AP |
1792 | algr $s0,$s0 |
1793 | alcgr $s1,$s1 | |
0ab8fd58 | 1794 | xgr $s0,$i1 |
0ab8fd58 AP |
1795 | |
1796 | ltr $len,$len # clear zero flag | |
1797 | br $ra | |
1798 | .size _s390x_xts_km,.-_s390x_xts_km | |
1799 | ||
1800 | .globl AES_xts_encrypt | |
1801 | .type AES_xts_encrypt,\@function | |
1802 | .align 16 | |
1803 | AES_xts_encrypt: | |
1804 | xgr %r3,%r4 # flip %r3 and %r4, $out and $len | |
1805 | xgr %r4,%r3 | |
1806 | xgr %r3,%r4 | |
1807 | ___ | |
1808 | $code.=<<___ if ($SIZE_T==4); | |
1809 | llgfr $len,$len | |
1810 | ___ | |
1811 | $code.=<<___; | |
1812 | st${g} $len,1*$SIZE_T($sp) # save copy of $len | |
1813 | srag $len,$len,4 # formally wrong, because it expands | |
1814 | # sign byte, but who can afford asking | |
1815 | # to process more than 2^63-1 bytes? | |
1816 | # I use it, because it sets condition | |
1817 | # code... | |
1818 | bcr 8,$ra # abort if zero (i.e. less than 16) | |
1819 | ___ | |
1820 | $code.=<<___ if (!$softonly); | |
1821 | llgf %r0,240($key2) | |
1822 | lhi %r1,16 | |
1823 | clr %r0,%r1 | |
1824 | jl .Lxts_enc_software | |
1825 | ||
8df400cf | 1826 | st${g} $ra,5*$SIZE_T($sp) |
0ab8fd58 | 1827 | stm${g} %r6,$s3,6*$SIZE_T($sp) |
0ab8fd58 AP |
1828 | |
1829 | sllg $len,$len,4 # $len&=~15 | |
1830 | slgr $out,$inp | |
1831 | ||
0c237e42 AP |
1832 | # generate the tweak value |
1833 | l${g} $s3,$stdframe($sp) # pointer to iv | |
0ab8fd58 | 1834 | la $s2,$tweak($sp) |
0c237e42 | 1835 | lmg $s0,$s1,0($s3) |
0ab8fd58 AP |
1836 | lghi $s3,16 |
1837 | stmg $s0,$s1,0($s2) | |
1838 | la %r1,0($key2) # $key2 is not needed anymore | |
1839 | .long 0xb92e00aa # km $s2,$s2, generate the tweak | |
1840 | brc 1,.-4 # can this happen? | |
1841 | ||
1842 | l %r0,240($key1) | |
1843 | la %r1,0($key1) # $key1 is not needed anymore | |
1844 | bras $ra,_s390x_xts_km | |
1845 | jz .Lxts_enc_km_done | |
1846 | ||
1847 | aghi $inp,-16 # take one step back | |
1848 | la $i3,0($out,$inp) # put aside real $out | |
1849 | .Lxts_enc_km_steal: | |
1850 | llgc $i1,16($inp) | |
1851 | llgc $i2,0($out,$inp) | |
1852 | stc $i1,0($out,$inp) | |
1853 | stc $i2,16($out,$inp) | |
1854 | la $inp,1($inp) | |
1855 | brct $len,.Lxts_enc_km_steal | |
1856 | ||
1857 | la $s2,0($i3) | |
1858 | lghi $s3,16 | |
1859 | lrvgr $i1,$s0 # flip byte order | |
1860 | lrvgr $i2,$s1 | |
1861 | xg $i1,0($s2) | |
1862 | xg $i2,8($s2) | |
1863 | stg $i1,0($s2) | |
1864 | stg $i2,8($s2) | |
1865 | .long 0xb92e00aa # km $s2,$s2 | |
1866 | brc 1,.-4 # can this happen? | |
1867 | lrvgr $i1,$s0 # flip byte order | |
1868 | lrvgr $i2,$s1 | |
1869 | xg $i1,0($i3) | |
1870 | xg $i2,8($i3) | |
1871 | stg $i1,0($i3) | |
1872 | stg $i2,8($i3) | |
1873 | ||
1874 | .Lxts_enc_km_done: | |
8df400cf AP |
1875 | stg $sp,$tweak+0($sp) # wipe tweak |
1876 | stg $sp,$tweak+8($sp) | |
1877 | l${g} $ra,5*$SIZE_T($sp) | |
0ab8fd58 AP |
1878 | lm${g} %r6,$s3,6*$SIZE_T($sp) |
1879 | br $ra | |
1880 | .align 16 | |
1881 | .Lxts_enc_software: | |
1882 | ___ | |
1883 | $code.=<<___; | |
1884 | stm${g} %r6,$ra,6*$SIZE_T($sp) | |
1885 | ||
1886 | slgr $out,$inp | |
1887 | ||
c3cddeae AP |
1888 | l${g} $s3,$stdframe($sp) # ivp |
1889 | llgf $s0,0($s3) # load iv | |
1890 | llgf $s1,4($s3) | |
1891 | llgf $s2,8($s3) | |
1892 | llgf $s3,12($s3) | |
0ab8fd58 AP |
1893 | stm${g} %r2,%r5,2*$SIZE_T($sp) |
1894 | la $key,0($key2) | |
1895 | larl $tbl,AES_Te | |
1896 | bras $ra,_s390x_AES_encrypt # generate the tweak | |
1897 | lm${g} %r2,%r5,2*$SIZE_T($sp) | |
1898 | stm $s0,$s3,$tweak($sp) # save the tweak | |
1899 | j .Lxts_enc_enter | |
1900 | ||
1901 | .align 16 | |
1902 | .Lxts_enc_loop: | |
1903 | lrvg $s1,$tweak+0($sp) # load the tweak in little-endian | |
1904 | lrvg $s3,$tweak+8($sp) | |
1905 | lghi %r1,0x87 | |
1906 | srag %r0,$s3,63 # broadcast upper bit | |
1907 | ngr %r1,%r0 # rem | |
c3cddeae AP |
1908 | algr $s1,$s1 |
1909 | alcgr $s3,$s3 | |
0ab8fd58 | 1910 | xgr $s1,%r1 |
0ab8fd58 AP |
1911 | lrvgr $s1,$s1 # flip byte order |
1912 | lrvgr $s3,$s3 | |
609b0852 | 1913 | srlg $s0,$s1,32 # smash the tweak to 4x32-bits |
0ab8fd58 AP |
1914 | stg $s1,$tweak+0($sp) # save the tweak |
1915 | llgfr $s1,$s1 | |
1916 | srlg $s2,$s3,32 | |
1917 | stg $s3,$tweak+8($sp) | |
1918 | llgfr $s3,$s3 | |
1919 | la $inp,16($inp) # $inp+=16 | |
1920 | .Lxts_enc_enter: | |
1921 | x $s0,0($inp) # ^=*($inp) | |
874a3757 AP |
1922 | x $s1,4($inp) |
1923 | x $s2,8($inp) | |
1924 | x $s3,12($inp) | |
0ab8fd58 AP |
1925 | stm${g} %r2,%r3,2*$SIZE_T($sp) # only two registers are changing |
1926 | la $key,0($key1) | |
1927 | bras $ra,_s390x_AES_encrypt | |
1928 | lm${g} %r2,%r5,2*$SIZE_T($sp) | |
1929 | x $s0,$tweak+0($sp) # ^=tweak | |
1930 | x $s1,$tweak+4($sp) | |
1931 | x $s2,$tweak+8($sp) | |
1932 | x $s3,$tweak+12($sp) | |
874a3757 AP |
1933 | st $s0,0($out,$inp) |
1934 | st $s1,4($out,$inp) | |
1935 | st $s2,8($out,$inp) | |
1936 | st $s3,12($out,$inp) | |
0ab8fd58 AP |
1937 | brct${g} $len,.Lxts_enc_loop |
1938 | ||
1939 | llgc $len,`2*$SIZE_T-1`($sp) | |
1940 | nill $len,0x0f # $len%16 | |
1941 | jz .Lxts_enc_done | |
1942 | ||
1943 | la $i3,0($inp,$out) # put aside real $out | |
1944 | .Lxts_enc_steal: | |
1945 | llgc %r0,16($inp) | |
1946 | llgc %r1,0($out,$inp) | |
1947 | stc %r0,0($out,$inp) | |
1948 | stc %r1,16($out,$inp) | |
1949 | la $inp,1($inp) | |
1950 | brct $len,.Lxts_enc_steal | |
1951 | la $out,0($i3) # restore real $out | |
1952 | ||
1953 | # generate last tweak... | |
1954 | lrvg $s1,$tweak+0($sp) # load the tweak in little-endian | |
1955 | lrvg $s3,$tweak+8($sp) | |
1956 | lghi %r1,0x87 | |
1957 | srag %r0,$s3,63 # broadcast upper bit | |
1958 | ngr %r1,%r0 # rem | |
c3cddeae AP |
1959 | algr $s1,$s1 |
1960 | alcgr $s3,$s3 | |
0ab8fd58 | 1961 | xgr $s1,%r1 |
0ab8fd58 AP |
1962 | lrvgr $s1,$s1 # flip byte order |
1963 | lrvgr $s3,$s3 | |
609b0852 | 1964 | srlg $s0,$s1,32 # smash the tweak to 4x32-bits |
0ab8fd58 AP |
1965 | stg $s1,$tweak+0($sp) # save the tweak |
1966 | llgfr $s1,$s1 | |
1967 | srlg $s2,$s3,32 | |
1968 | stg $s3,$tweak+8($sp) | |
1969 | llgfr $s3,$s3 | |
1970 | ||
1971 | x $s0,0($out) # ^=*(inp)|stolen cipther-text | |
1972 | x $s1,4($out) | |
1973 | x $s2,8($out) | |
1974 | x $s3,12($out) | |
1975 | st${g} $out,4*$SIZE_T($sp) | |
1976 | la $key,0($key1) | |
1977 | bras $ra,_s390x_AES_encrypt | |
1978 | l${g} $out,4*$SIZE_T($sp) | |
1979 | x $s0,`$tweak+0`($sp) # ^=tweak | |
1980 | x $s1,`$tweak+4`($sp) | |
1981 | x $s2,`$tweak+8`($sp) | |
1982 | x $s3,`$tweak+12`($sp) | |
1983 | st $s0,0($out) | |
1984 | st $s1,4($out) | |
1985 | st $s2,8($out) | |
1986 | st $s3,12($out) | |
1987 | ||
1988 | .Lxts_enc_done: | |
1989 | stg $sp,$tweak+0($sp) # wipe tweak | |
1990 | stg $sp,$twesk+8($sp) | |
1991 | lm${g} %r6,$ra,6*$SIZE_T($sp) | |
1992 | br $ra | |
1993 | .size AES_xts_encrypt,.-AES_xts_encrypt | |
1994 | ___ | |
96cce820 PS |
1995 | # void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, |
1996 | # size_t len, const AES_KEY *key1, const AES_KEY *key2, | |
c3cddeae | 1997 | # const unsigned char iv[16]); |
0ab8fd58 AP |
1998 | # |
1999 | $code.=<<___; | |
2000 | .globl AES_xts_decrypt | |
2001 | .type AES_xts_decrypt,\@function | |
2002 | .align 16 | |
2003 | AES_xts_decrypt: | |
2004 | xgr %r3,%r4 # flip %r3 and %r4, $out and $len | |
2005 | xgr %r4,%r3 | |
2006 | xgr %r3,%r4 | |
2007 | ___ | |
2008 | $code.=<<___ if ($SIZE_T==4); | |
2009 | llgfr $len,$len | |
2010 | ___ | |
2011 | $code.=<<___; | |
2012 | st${g} $len,1*$SIZE_T($sp) # save copy of $len | |
2013 | aghi $len,-16 | |
2014 | bcr 4,$ra # abort if less than zero. formally | |
2015 | # wrong, because $len is unsigned, | |
2016 | # but who can afford asking to | |
2017 | # process more than 2^63-1 bytes? | |
2018 | tmll $len,0x0f | |
2019 | jnz .Lxts_dec_proceed | |
2020 | aghi $len,16 | |
2021 | .Lxts_dec_proceed: | |
2022 | ___ | |
2023 | $code.=<<___ if (!$softonly); | |
2024 | llgf %r0,240($key2) | |
2025 | lhi %r1,16 | |
2026 | clr %r0,%r1 | |
2027 | jl .Lxts_dec_software | |
874a3757 | 2028 | |
8df400cf | 2029 | st${g} $ra,5*$SIZE_T($sp) |
0ab8fd58 | 2030 | stm${g} %r6,$s3,6*$SIZE_T($sp) |
0ab8fd58 AP |
2031 | |
2032 | nill $len,0xfff0 # $len&=~15 | |
2033 | slgr $out,$inp | |
2034 | ||
2035 | # generate the tweak value | |
0c237e42 | 2036 | l${g} $s3,$stdframe($sp) # pointer to iv |
0ab8fd58 | 2037 | la $s2,$tweak($sp) |
0c237e42 | 2038 | lmg $s0,$s1,0($s3) |
0ab8fd58 | 2039 | lghi $s3,16 |
0c237e42 | 2040 | stmg $s0,$s1,0($s2) |
0ab8fd58 AP |
2041 | la %r1,0($key2) # $key2 is not needed past this point |
2042 | .long 0xb92e00aa # km $s2,$s2, generate the tweak | |
2043 | brc 1,.-4 # can this happen? | |
2044 | ||
2045 | l %r0,240($key1) | |
2046 | la %r1,0($key1) # $key1 is not needed anymore | |
2047 | ||
2048 | ltgr $len,$len | |
2049 | jz .Lxts_dec_km_short | |
2050 | bras $ra,_s390x_xts_km | |
2051 | jz .Lxts_dec_km_done | |
2052 | ||
2053 | lrvgr $s2,$s0 # make copy in reverse byte order | |
2054 | lrvgr $s3,$s1 | |
2055 | j .Lxts_dec_km_2ndtweak | |
2056 | ||
2057 | .Lxts_dec_km_short: | |
2058 | llgc $len,`2*$SIZE_T-1`($sp) | |
2059 | nill $len,0x0f # $len%=16 | |
2060 | lrvg $s0,$tweak+0($sp) # load the tweak | |
2061 | lrvg $s1,$tweak+8($sp) | |
2062 | lrvgr $s2,$s0 # make copy in reverse byte order | |
2063 | lrvgr $s3,$s1 | |
2064 | ||
2065 | .Lxts_dec_km_2ndtweak: | |
2066 | lghi $i1,0x87 | |
2067 | srag $i2,$s1,63 # broadcast upper bit | |
2068 | ngr $i1,$i2 # rem | |
c3cddeae AP |
2069 | algr $s0,$s0 |
2070 | alcgr $s1,$s1 | |
0ab8fd58 | 2071 | xgr $s0,$i1 |
0ab8fd58 AP |
2072 | lrvgr $i1,$s0 # flip byte order |
2073 | lrvgr $i2,$s1 | |
2074 | ||
2075 | xg $i1,0($inp) | |
2076 | xg $i2,8($inp) | |
2077 | stg $i1,0($out,$inp) | |
2078 | stg $i2,8($out,$inp) | |
2079 | la $i2,0($out,$inp) | |
2080 | lghi $i3,16 | |
2081 | .long 0xb92e0066 # km $i2,$i2 | |
2082 | brc 1,.-4 # can this happen? | |
2083 | lrvgr $i1,$s0 | |
2084 | lrvgr $i2,$s1 | |
2085 | xg $i1,0($out,$inp) | |
2086 | xg $i2,8($out,$inp) | |
2087 | stg $i1,0($out,$inp) | |
2088 | stg $i2,8($out,$inp) | |
2089 | ||
2090 | la $i3,0($out,$inp) # put aside real $out | |
2091 | .Lxts_dec_km_steal: | |
2092 | llgc $i1,16($inp) | |
2093 | llgc $i2,0($out,$inp) | |
2094 | stc $i1,0($out,$inp) | |
2095 | stc $i2,16($out,$inp) | |
2096 | la $inp,1($inp) | |
2097 | brct $len,.Lxts_dec_km_steal | |
2098 | ||
2099 | lgr $s0,$s2 | |
2100 | lgr $s1,$s3 | |
2101 | xg $s0,0($i3) | |
2102 | xg $s1,8($i3) | |
2103 | stg $s0,0($i3) | |
2104 | stg $s1,8($i3) | |
2105 | la $s0,0($i3) | |
2106 | lghi $s1,16 | |
2107 | .long 0xb92e0088 # km $s0,$s0 | |
2108 | brc 1,.-4 # can this happen? | |
2109 | xg $s2,0($i3) | |
2110 | xg $s3,8($i3) | |
2111 | stg $s2,0($i3) | |
2112 | stg $s3,8($i3) | |
2113 | .Lxts_dec_km_done: | |
8df400cf AP |
2114 | stg $sp,$tweak+0($sp) # wipe tweak |
2115 | stg $sp,$tweak+8($sp) | |
2116 | l${g} $ra,5*$SIZE_T($sp) | |
0ab8fd58 AP |
2117 | lm${g} %r6,$s3,6*$SIZE_T($sp) |
2118 | br $ra | |
2119 | .align 16 | |
2120 | .Lxts_dec_software: | |
2121 | ___ | |
2122 | $code.=<<___; | |
2123 | stm${g} %r6,$ra,6*$SIZE_T($sp) | |
2124 | ||
2125 | srlg $len,$len,4 | |
2126 | slgr $out,$inp | |
2127 | ||
c3cddeae AP |
2128 | l${g} $s3,$stdframe($sp) # ivp |
2129 | llgf $s0,0($s3) # load iv | |
2130 | llgf $s1,4($s3) | |
2131 | llgf $s2,8($s3) | |
2132 | llgf $s3,12($s3) | |
0ab8fd58 AP |
2133 | stm${g} %r2,%r5,2*$SIZE_T($sp) |
2134 | la $key,0($key2) | |
2135 | larl $tbl,AES_Te | |
2136 | bras $ra,_s390x_AES_encrypt # generate the tweak | |
2137 | lm${g} %r2,%r5,2*$SIZE_T($sp) | |
2138 | larl $tbl,AES_Td | |
2139 | lt${g}r $len,$len | |
2140 | stm $s0,$s3,$tweak($sp) # save the tweak | |
2141 | jz .Lxts_dec_short | |
2142 | j .Lxts_dec_enter | |
2143 | ||
2144 | .align 16 | |
2145 | .Lxts_dec_loop: | |
2146 | lrvg $s1,$tweak+0($sp) # load the tweak in little-endian | |
2147 | lrvg $s3,$tweak+8($sp) | |
2148 | lghi %r1,0x87 | |
2149 | srag %r0,$s3,63 # broadcast upper bit | |
2150 | ngr %r1,%r0 # rem | |
c3cddeae AP |
2151 | algr $s1,$s1 |
2152 | alcgr $s3,$s3 | |
0ab8fd58 | 2153 | xgr $s1,%r1 |
0ab8fd58 AP |
2154 | lrvgr $s1,$s1 # flip byte order |
2155 | lrvgr $s3,$s3 | |
609b0852 | 2156 | srlg $s0,$s1,32 # smash the tweak to 4x32-bits |
0ab8fd58 AP |
2157 | stg $s1,$tweak+0($sp) # save the tweak |
2158 | llgfr $s1,$s1 | |
2159 | srlg $s2,$s3,32 | |
2160 | stg $s3,$tweak+8($sp) | |
2161 | llgfr $s3,$s3 | |
2162 | .Lxts_dec_enter: | |
2163 | x $s0,0($inp) # tweak^=*(inp) | |
2164 | x $s1,4($inp) | |
2165 | x $s2,8($inp) | |
2166 | x $s3,12($inp) | |
2167 | stm${g} %r2,%r3,2*$SIZE_T($sp) # only two registers are changing | |
2168 | la $key,0($key1) | |
2169 | bras $ra,_s390x_AES_decrypt | |
2170 | lm${g} %r2,%r5,2*$SIZE_T($sp) | |
2171 | x $s0,$tweak+0($sp) # ^=tweak | |
2172 | x $s1,$tweak+4($sp) | |
2173 | x $s2,$tweak+8($sp) | |
2174 | x $s3,$tweak+12($sp) | |
2175 | st $s0,0($out,$inp) | |
2176 | st $s1,4($out,$inp) | |
2177 | st $s2,8($out,$inp) | |
2178 | st $s3,12($out,$inp) | |
874a3757 | 2179 | la $inp,16($inp) |
0ab8fd58 AP |
2180 | brct${g} $len,.Lxts_dec_loop |
2181 | ||
2182 | llgc $len,`2*$SIZE_T-1`($sp) | |
2183 | nill $len,0x0f # $len%16 | |
2184 | jz .Lxts_dec_done | |
2185 | ||
2186 | # generate pair of tweaks... | |
2187 | lrvg $s1,$tweak+0($sp) # load the tweak in little-endian | |
2188 | lrvg $s3,$tweak+8($sp) | |
2189 | lghi %r1,0x87 | |
2190 | srag %r0,$s3,63 # broadcast upper bit | |
2191 | ngr %r1,%r0 # rem | |
c3cddeae AP |
2192 | algr $s1,$s1 |
2193 | alcgr $s3,$s3 | |
0ab8fd58 | 2194 | xgr $s1,%r1 |
0ab8fd58 AP |
2195 | lrvgr $i2,$s1 # flip byte order |
2196 | lrvgr $i3,$s3 | |
2197 | stmg $i2,$i3,$tweak($sp) # save the 1st tweak | |
2198 | j .Lxts_dec_2ndtweak | |
2199 | ||
2200 | .align 16 | |
2201 | .Lxts_dec_short: | |
2202 | llgc $len,`2*$SIZE_T-1`($sp) | |
2203 | nill $len,0x0f # $len%16 | |
2204 | lrvg $s1,$tweak+0($sp) # load the tweak in little-endian | |
2205 | lrvg $s3,$tweak+8($sp) | |
2206 | .Lxts_dec_2ndtweak: | |
2207 | lghi %r1,0x87 | |
2208 | srag %r0,$s3,63 # broadcast upper bit | |
2209 | ngr %r1,%r0 # rem | |
c3cddeae AP |
2210 | algr $s1,$s1 |
2211 | alcgr $s3,$s3 | |
0ab8fd58 | 2212 | xgr $s1,%r1 |
0ab8fd58 AP |
2213 | lrvgr $s1,$s1 # flip byte order |
2214 | lrvgr $s3,$s3 | |
2215 | srlg $s0,$s1,32 # smash the tweak to 4x32-bits | |
2216 | stg $s1,$tweak-16+0($sp) # save the 2nd tweak | |
2217 | llgfr $s1,$s1 | |
2218 | srlg $s2,$s3,32 | |
2219 | stg $s3,$tweak-16+8($sp) | |
2220 | llgfr $s3,$s3 | |
2221 | ||
2222 | x $s0,0($inp) # tweak_the_2nd^=*(inp) | |
2223 | x $s1,4($inp) | |
2224 | x $s2,8($inp) | |
2225 | x $s3,12($inp) | |
2226 | stm${g} %r2,%r3,2*$SIZE_T($sp) | |
2227 | la $key,0($key1) | |
2228 | bras $ra,_s390x_AES_decrypt | |
2229 | lm${g} %r2,%r5,2*$SIZE_T($sp) | |
2230 | x $s0,$tweak-16+0($sp) # ^=tweak_the_2nd | |
2231 | x $s1,$tweak-16+4($sp) | |
2232 | x $s2,$tweak-16+8($sp) | |
2233 | x $s3,$tweak-16+12($sp) | |
2234 | st $s0,0($out,$inp) | |
2235 | st $s1,4($out,$inp) | |
2236 | st $s2,8($out,$inp) | |
2237 | st $s3,12($out,$inp) | |
874a3757 | 2238 | |
0ab8fd58 AP |
2239 | la $i3,0($out,$inp) # put aside real $out |
2240 | .Lxts_dec_steal: | |
2241 | llgc %r0,16($inp) | |
2242 | llgc %r1,0($out,$inp) | |
2243 | stc %r0,0($out,$inp) | |
2244 | stc %r1,16($out,$inp) | |
2245 | la $inp,1($inp) | |
2246 | brct $len,.Lxts_dec_steal | |
2247 | la $out,0($i3) # restore real $out | |
2248 | ||
2249 | lm $s0,$s3,$tweak($sp) # load the 1st tweak | |
2250 | x $s0,0($out) # tweak^=*(inp)|stolen cipher-text | |
2251 | x $s1,4($out) | |
2252 | x $s2,8($out) | |
2253 | x $s3,12($out) | |
2254 | st${g} $out,4*$SIZE_T($sp) | |
2255 | la $key,0($key1) | |
2256 | bras $ra,_s390x_AES_decrypt | |
2257 | l${g} $out,4*$SIZE_T($sp) | |
2258 | x $s0,$tweak+0($sp) # ^=tweak | |
2259 | x $s1,$tweak+4($sp) | |
2260 | x $s2,$tweak+8($sp) | |
2261 | x $s3,$tweak+12($sp) | |
2262 | st $s0,0($out) | |
2263 | st $s1,4($out) | |
2264 | st $s2,8($out) | |
2265 | st $s3,12($out) | |
2266 | stg $sp,$tweak-16+0($sp) # wipe 2nd tweak | |
2267 | stg $sp,$tweak-16+8($sp) | |
2268 | .Lxts_dec_done: | |
2269 | stg $sp,$tweak+0($sp) # wipe tweak | |
2270 | stg $sp,$twesk+8($sp) | |
e822c756 | 2271 | lm${g} %r6,$ra,6*$SIZE_T($sp) |
874a3757 | 2272 | br $ra |
0ab8fd58 | 2273 | .size AES_xts_decrypt,.-AES_xts_decrypt |
8626230a AP |
2274 | ___ |
2275 | } | |
2276 | $code.=<<___; | |
a2a54ffc AP |
2277 | .string "AES for s390x, CRYPTOGAMS by <appro\@openssl.org>" |
2278 | ___ | |
2279 | ||
2280 | $code =~ s/\`([^\`]*)\`/eval $1/gem; | |
2281 | print $code; | |
1cbdca7b | 2282 | close STDOUT; # force flush |