Diffstat (limited to 'src/lib/libcrypto/aes/asm/aes-586.pl')
-rw-r--r-- | src/lib/libcrypto/aes/asm/aes-586.pl | 2974 |
1 files changed, 0 insertions, 2974 deletions
diff --git a/src/lib/libcrypto/aes/asm/aes-586.pl b/src/lib/libcrypto/aes/asm/aes-586.pl deleted file mode 100644 index 364099d4d3..0000000000 --- a/src/lib/libcrypto/aes/asm/aes-586.pl +++ /dev/null | |||
@@ -1,2974 +0,0 @@ | |||
1 | #!/usr/bin/env perl | ||
2 | # | ||
3 | # ==================================================================== | ||
4 | # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL | ||
5 | # project. The module is, however, dual licensed under OpenSSL and | ||
6 | # CRYPTOGAMS licenses depending on where you obtain it. For further | ||
7 | # details see http://www.openssl.org/~appro/cryptogams/. | ||
8 | # ==================================================================== | ||
9 | # | ||
10 | # Version 4.3. | ||
11 | # | ||
12 | # You might fail to appreciate this module performance from the first | ||
13 | # try. If compared to "vanilla" linux-ia32-icc target, i.e. considered | ||
14 | # to be *the* best Intel C compiler without -KPIC, performance appears | ||
15 | # to be virtually identical... But try to re-configure with shared | ||
16 | # library support... Aha! Intel compiler "suddenly" lags behind by 30% | ||
17 | # [on P4, more on others]:-) And if compared to position-independent | ||
18 | # code generated by GNU C, this code performs *more* than *twice* as | ||
19 | # fast! Yes, all this buzz about PIC means that unlike other hand- | ||
20 | # coded implementations, this one was explicitly designed to be safe | ||
21 | # to use even in shared library context... This also means that this | ||
22 | # code isn't necessarily absolutely fastest "ever," because in order | ||
23 | # to achieve position independence an extra register has to be | ||
24 | # off-loaded to stack, which affects the benchmark result. | ||
25 | # | ||
26 | # Special note about instruction choice. Do you recall RC4_INT code | ||
27 | # performing poorly on P4? It might be the time to figure out why. | ||
28 | # RC4_INT code implies effective address calculations in base+offset*4 | ||
29 | # form. Trouble is that it seems that offset scaling turned to be | ||
30 | # critical path... At least eliminating scaling resulted in 2.8x RC4 | ||
31 | # performance improvement [as you might recall]. As AES code is hungry | ||
32 | # for scaling too, I [try to] avoid the latter by favoring off-by-2 | ||
33 | # shifts and masking the result with 0xFF<<2 instead of "boring" 0xFF. | ||
34 | # | ||
35 | # As was shown by Dean Gaudet <dean@arctic.org>, the above note turned | ||
36 | # void. Performance improvement with off-by-2 shifts was observed on | ||
37 | # intermediate implementation, which was spilling yet another register | ||
38 | # to stack... Final offset*4 code below runs just a tad faster on P4, | ||
39 | # but exhibits up to 10% improvement on other cores. | ||
40 | # | ||
41 | # Second version is "monolithic" replacement for aes_core.c, which in | ||
42 | # addition to AES_[de|en]crypt implements AES_set_[de|en]cryption_key. | ||
43 | # This made it possible to implement little-endian variant of the | ||
44 | # algorithm without modifying the base C code. Motivating factor for | ||
45 | # the undertaken effort was that it appeared that in tight IA-32 | ||
46 | # register window little-endian flavor could achieve slightly higher | ||
47 | # Instruction Level Parallelism, and it indeed resulted in up to 15% | ||
48 | # better performance on most recent µ-archs... | ||
49 | # | ||
50 | # Third version adds AES_cbc_encrypt implementation, which resulted in | ||
51 | # up to 40% performance improvement of CBC benchmark results. 40% was | ||
52 | # observed on P4 core, where "overall" improvement coefficient, i.e. if | ||
53 | # compared to PIC generated by GCC and in CBC mode, was observed to be | ||
54 | # as large as 4x:-) CBC performance is virtually identical to ECB now | ||
55 | # and on some platforms even better, e.g. 17.6 "small" cycles/byte on | ||
56 | # Opteron, because certain function prologues and epilogues are | ||
57 | # effectively taken out of the loop... | ||
58 | # | ||
59 | # Version 3.2 implements compressed tables and prefetch of these tables | ||
60 | # in CBC[!] mode. Former means that 3/4 of table references are now | ||
61 | # misaligned, which unfortunately has negative impact on elder IA-32 | ||
62 | # implementations, Pentium suffered 30% penalty, PIII - 10%. | ||
63 | # | ||
64 | # Version 3.3 avoids L1 cache aliasing between stack frame and | ||
65 | # S-boxes, and 3.4 - L1 cache aliasing even between key schedule. The | ||
66 | # latter is achieved by copying the key schedule to controlled place in | ||
67 | # stack. This unfortunately has rather strong impact on small block CBC | ||
68 | # performance, ~2x deterioration on 16-byte block if compared to 3.3. | ||
69 | # | ||
70 | # Version 3.5 checks if there is L1 cache aliasing between user-supplied | ||
71 | # key schedule and S-boxes and abstains from copying the former if | ||
72 | # there is no. This allows end-user to consciously retain small block | ||
73 | # performance by aligning key schedule in specific manner. | ||
74 | # | ||
75 | # Version 3.6 compresses Td4 to 256 bytes and prefetches it in ECB. | ||
76 | # | ||
77 | # Current ECB performance numbers for 128-bit key in CPU cycles per | ||
78 | # processed byte [measure commonly used by AES benchmarkers] are: | ||
79 | # | ||
80 | # small footprint fully unrolled | ||
81 | # P4 24 22 | ||
82 | # AMD K8 20 19 | ||
83 | # PIII 25 23 | ||
84 | # Pentium 81 78 | ||
85 | # | ||
86 | # Version 3.7 reimplements outer rounds as "compact." Meaning that | ||
87 | # first and last rounds reference compact 256 bytes S-box. This means | ||
88 | # that first round consumes a lot more CPU cycles and that encrypt | ||
89 | # and decrypt performance becomes asymmetric. Encrypt performance | ||
90 | # drops by 10-12%, while decrypt - by 20-25%:-( 256 bytes S-box is | ||
91 | # aggressively pre-fetched. | ||
92 | # | ||
93 | # Version 4.0 effectively rolls back to 3.6 and instead implements | ||
94 | # additional set of functions, _[x86|sse]_AES_[en|de]crypt_compact, | ||
95 | # which use exclusively 256 byte S-box. These functions are to be | ||
96 | # called in modes not concealing plain text, such as ECB, or when | ||
97 | # we're asked to process smaller amount of data [or unconditionally | ||
98 | # on hyper-threading CPU]. Currently it's called unconditionally from | ||
99 | # AES_[en|de]crypt, which affects all modes, but CBC. CBC routine | ||
100 | # still needs to be modified to switch between slower and faster | ||
101 | # mode when appropriate... But in either case benchmark landscape | ||
102 | # changes dramatically and below numbers are CPU cycles per processed | ||
103 | # byte for 128-bit key. | ||
104 | # | ||
105 | # ECB encrypt ECB decrypt CBC large chunk | ||
106 | # P4 56[60] 84[100] 23 | ||
107 | # AMD K8 48[44] 70[79] 18 | ||
108 | # PIII 41[50] 61[91] 24 | ||
109 | # Core 2 32[38] 45[70] 18.5 | ||
110 | # Pentium 120 160 77 | ||
111 | # | ||
112 | # Version 4.1 switches to compact S-box even in key schedule setup. | ||
113 | # | ||
114 | # Version 4.2 prefetches compact S-box in every SSE round or in other | ||
115 | # words every cache-line is *guaranteed* to be accessed within ~50 | ||
116 | # cycles window. Why just SSE? Because it's needed on hyper-threading | ||
117 | # CPU! Which is also why it's prefetched with 64 byte stride. Best | ||
118 | # part is that it has no negative effect on performance:-) | ||
119 | # | ||
120 | # Version 4.3 implements switch between compact and non-compact block | ||
121 | # functions in AES_cbc_encrypt depending on how much data was asked | ||
122 | # to be processed in one stroke. | ||
123 | # | ||
124 | ###################################################################### | ||
125 | # Timing attacks are classified in two classes: synchronous when | ||
126 | # attacker consciously initiates cryptographic operation and collects | ||
127 | # timing data of various character afterwards, and asynchronous when | ||
128 | # malicious code is executed on same CPU simultaneously with AES, | ||
129 | # instruments itself and performs statistical analysis of this data. | ||
130 | # | ||
131 | # As far as synchronous attacks go the root to the AES timing | ||
132 | # vulnerability is twofold. Firstly, of 256 S-box elements at most 160 | ||
133 | # are referred to in single 128-bit block operation. Well, in C | ||
134 | # implementation with 4 distinct tables it's actually as little as 40 | ||
135 | # references per 256 elements table, but anyway... Secondly, even | ||
136 | # though S-box elements are clustered into smaller amount of cache- | ||
137 | # lines, smaller than 160 and even 40, it turned out that for certain | ||
138 | # plain-text pattern[s] or simply put chosen plain-text and given key | ||
139 | # few cache-lines remain unaccessed during block operation. Now, if | ||
140 | # attacker can figure out this access pattern, he can deduct the key | ||
141 | # [or at least part of it]. The natural way to mitigate this kind of | ||
142 | # attacks is to minimize the amount of cache-lines in S-box and/or | ||
143 | # prefetch them to ensure that every one is accessed for more uniform | ||
144 | # timing. But note that *if* plain-text was concealed in such way that | ||
145 | # input to block function is distributed *uniformly*, then attack | ||
146 | # wouldn't apply. Now note that some encryption modes, most notably | ||
147 | # CBC, do mask the plain-text in this exact way [secure cipher output | ||
148 | # is distributed uniformly]. Yes, one still might find input that | ||
149 | # would reveal the information about given key, but if amount of | ||
150 | # candidate inputs to be tried is larger than amount of possible key | ||
151 | # combinations then attack becomes infeasible. This is why revised | ||
152 | # AES_cbc_encrypt "dares" to switch to larger S-box when larger chunk | ||
153 | # of data is to be processed in one stroke. The current size limit of | ||
154 | # 512 bytes is chosen to provide same [diminishigly low] probability | ||
155 | # for cache-line to remain untouched in large chunk operation with | ||
156 | # large S-box as for single block operation with compact S-box and | ||
157 | # surely needs more careful consideration... | ||
158 | # | ||
159 | # As for asynchronous attacks. There are two flavours: attacker code | ||
160 | # being interleaved with AES on hyper-threading CPU at *instruction* | ||
161 | # level, and two processes time sharing single core. As for latter. | ||
162 | # Two vectors. 1. Given that attacker process has higher priority, | ||
163 | # yield execution to process performing AES just before timer fires | ||
164 | # off the scheduler, immediately regain control of CPU and analyze the | ||
165 | # cache state. For this attack to be efficient attacker would have to | ||
166 | # effectively slow down the operation by several *orders* of magnitute, | ||
167 | # by ratio of time slice to duration of handful of AES rounds, which | ||
168 | # unlikely to remain unnoticed. Not to mention that this also means | ||
169 | # that he would spend correspondigly more time to collect enough | ||
170 | # statistical data to mount the attack. It's probably appropriate to | ||
171 | # say that if adeversary reckons that this attack is beneficial and | ||
172 | # risks to be noticed, you probably have larger problems having him | ||
173 | # mere opportunity. In other words suggested code design expects you | ||
174 | # to preclude/mitigate this attack by overall system security design. | ||
175 | # 2. Attacker manages to make his code interrupt driven. In order for | ||
176 | # this kind of attack to be feasible, interrupt rate has to be high | ||
177 | # enough, again comparable to duration of handful of AES rounds. But | ||
178 | # is there interrupt source of such rate? Hardly, not even 1Gbps NIC | ||
179 | # generates interrupts at such raging rate... | ||
180 | # | ||
181 | # And now back to the former, hyper-threading CPU or more specifically | ||
182 | # Intel P4. Recall that asynchronous attack implies that malicious | ||
183 | # code instruments itself. And naturally instrumentation granularity | ||
184 | # has be noticeably lower than duration of codepath accessing S-box. | ||
185 | # Given that all cache-lines are accessed during that time that is. | ||
186 | # Current implementation accesses *all* cache-lines within ~50 cycles | ||
187 | # window, which is actually *less* than RDTSC latency on Intel P4! | ||
188 | |||
189 | $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; | ||
190 | push(@INC,"${dir}","${dir}../../perlasm"); | ||
191 | require "x86asm.pl"; | ||
192 | |||
193 | &asm_init($ARGV[0],"aes-586.pl",$x86only = $ARGV[$#ARGV] eq "386"); | ||
194 | &static_label("AES_Te"); | ||
195 | &static_label("AES_Td"); | ||
196 | |||
197 | $s0="eax"; | ||
198 | $s1="ebx"; | ||
199 | $s2="ecx"; | ||
200 | $s3="edx"; | ||
201 | $key="edi"; | ||
202 | $acc="esi"; | ||
203 | $tbl="ebp"; | ||
204 | |||
205 | # stack frame layout in _[x86|sse]_AES_* routines, frame is allocated | ||
206 | # by caller | ||
207 | $__ra=&DWP(0,"esp"); # return address | ||
208 | $__s0=&DWP(4,"esp"); # s0 backing store | ||
209 | $__s1=&DWP(8,"esp"); # s1 backing store | ||
210 | $__s2=&DWP(12,"esp"); # s2 backing store | ||
211 | $__s3=&DWP(16,"esp"); # s3 backing store | ||
212 | $__key=&DWP(20,"esp"); # pointer to key schedule | ||
213 | $__end=&DWP(24,"esp"); # pointer to end of key schedule | ||
214 | $__tbl=&DWP(28,"esp"); # %ebp backing store | ||
215 | |||
216 | # stack frame layout in AES_[en|crypt] routines, which differs from | ||
217 | # above by 4 and overlaps by %ebp backing store | ||
218 | $_tbl=&DWP(24,"esp"); | ||
219 | $_esp=&DWP(28,"esp"); | ||
220 | |||
221 | sub _data_word() { my $i; while(defined($i=shift)) { &data_word($i,$i); } } | ||
222 | |||
223 | $speed_limit=512; # chunks smaller than $speed_limit are | ||
224 | # processed with compact routine in CBC mode | ||
225 | $small_footprint=1; # $small_footprint=1 code is ~5% slower [on | ||
226 | # recent µ-archs], but ~5 times smaller! | ||
227 | # I favor compact code to minimize cache | ||
228 | # contention and in hope to "collect" 5% back | ||
229 | # in real-life applications... | ||
230 | |||
231 | $vertical_spin=0; # shift "vertically" defaults to 0, because of | ||
232 | # its proof-of-concept status... | ||
233 | # Note that there is no decvert(), as well as last encryption round is | ||
234 | # performed with "horizontal" shifts. This is because this "vertical" | ||
235 | # implementation [one which groups shifts on a given $s[i] to form a | ||
236 | # "column," unlike "horizontal" one, which groups shifts on different | ||
237 | # $s[i] to form a "row"] is work in progress. It was observed to run | ||
238 | # few percents faster on Intel cores, but not AMD. On AMD K8 core it's | ||
239 | # whole 12% slower:-( So we face a trade-off... Shall it be resolved | ||
240 | # some day? Till then the code is considered experimental and by | ||
241 | # default remains dormant... | ||
242 | |||
243 | sub encvert() | ||
244 | { my ($te,@s) = @_; | ||
245 | my $v0 = $acc, $v1 = $key; | ||
246 | |||
247 | &mov ($v0,$s[3]); # copy s3 | ||
248 | &mov (&DWP(4,"esp"),$s[2]); # save s2 | ||
249 | &mov ($v1,$s[0]); # copy s0 | ||
250 | &mov (&DWP(8,"esp"),$s[1]); # save s1 | ||
251 | |||
252 | &movz ($s[2],&HB($s[0])); | ||
253 | &and ($s[0],0xFF); | ||
254 | &mov ($s[0],&DWP(0,$te,$s[0],8)); # s0>>0 | ||
255 | &shr ($v1,16); | ||
256 | &mov ($s[3],&DWP(3,$te,$s[2],8)); # s0>>8 | ||
257 | &movz ($s[1],&HB($v1)); | ||
258 | &and ($v1,0xFF); | ||
259 | &mov ($s[2],&DWP(2,$te,$v1,8)); # s0>>16 | ||
260 | &mov ($v1,$v0); | ||
261 | &mov ($s[1],&DWP(1,$te,$s[1],8)); # s0>>24 | ||
262 | |||
263 | &and ($v0,0xFF); | ||
264 | &xor ($s[3],&DWP(0,$te,$v0,8)); # s3>>0 | ||
265 | &movz ($v0,&HB($v1)); | ||
266 | &shr ($v1,16); | ||
267 | &xor ($s[2],&DWP(3,$te,$v0,8)); # s3>>8 | ||
268 | &movz ($v0,&HB($v1)); | ||
269 | &and ($v1,0xFF); | ||
270 | &xor ($s[1],&DWP(2,$te,$v1,8)); # s3>>16 | ||
271 | &mov ($v1,&DWP(4,"esp")); # restore s2 | ||
272 | &xor ($s[0],&DWP(1,$te,$v0,8)); # s3>>24 | ||
273 | |||
274 | &mov ($v0,$v1); | ||
275 | &and ($v1,0xFF); | ||
276 | &xor ($s[2],&DWP(0,$te,$v1,8)); # s2>>0 | ||
277 | &movz ($v1,&HB($v0)); | ||
278 | &shr ($v0,16); | ||
279 | &xor ($s[1],&DWP(3,$te,$v1,8)); # s2>>8 | ||
280 | &movz ($v1,&HB($v0)); | ||
281 | &and ($v0,0xFF); | ||
282 | &xor ($s[0],&DWP(2,$te,$v0,8)); # s2>>16 | ||
283 | &mov ($v0,&DWP(8,"esp")); # restore s1 | ||
284 | &xor ($s[3],&DWP(1,$te,$v1,8)); # s2>>24 | ||
285 | |||
286 | &mov ($v1,$v0); | ||
287 | &and ($v0,0xFF); | ||
288 | &xor ($s[1],&DWP(0,$te,$v0,8)); # s1>>0 | ||
289 | &movz ($v0,&HB($v1)); | ||
290 | &shr ($v1,16); | ||
291 | &xor ($s[0],&DWP(3,$te,$v0,8)); # s1>>8 | ||
292 | &movz ($v0,&HB($v1)); | ||
293 | &and ($v1,0xFF); | ||
294 | &xor ($s[3],&DWP(2,$te,$v1,8)); # s1>>16 | ||
295 | &mov ($key,$__key); # reincarnate v1 as key | ||
296 | &xor ($s[2],&DWP(1,$te,$v0,8)); # s1>>24 | ||
297 | } | ||
298 | |||
299 | # Another experimental routine, which features "horizontal spin," but | ||
300 | # eliminates one reference to stack. Strangely enough runs slower... | ||
301 | sub enchoriz() | ||
302 | { my $v0 = $key, $v1 = $acc; | ||
303 | |||
304 | &movz ($v0,&LB($s0)); # 3, 2, 1, 0* | ||
305 | &rotr ($s2,8); # 8,11,10, 9 | ||
306 | &mov ($v1,&DWP(0,$te,$v0,8)); # 0 | ||
307 | &movz ($v0,&HB($s1)); # 7, 6, 5*, 4 | ||
308 | &rotr ($s3,16); # 13,12,15,14 | ||
309 | &xor ($v1,&DWP(3,$te,$v0,8)); # 5 | ||
310 | &movz ($v0,&HB($s2)); # 8,11,10*, 9 | ||
311 | &rotr ($s0,16); # 1, 0, 3, 2 | ||
312 | &xor ($v1,&DWP(2,$te,$v0,8)); # 10 | ||
313 | &movz ($v0,&HB($s3)); # 13,12,15*,14 | ||
314 | &xor ($v1,&DWP(1,$te,$v0,8)); # 15, t[0] collected | ||
315 | &mov ($__s0,$v1); # t[0] saved | ||
316 | |||
317 | &movz ($v0,&LB($s1)); # 7, 6, 5, 4* | ||
318 | &shr ($s1,16); # -, -, 7, 6 | ||
319 | &mov ($v1,&DWP(0,$te,$v0,8)); # 4 | ||
320 | &movz ($v0,&LB($s3)); # 13,12,15,14* | ||
321 | &xor ($v1,&DWP(2,$te,$v0,8)); # 14 | ||
322 | &movz ($v0,&HB($s0)); # 1, 0, 3*, 2 | ||
323 | &and ($s3,0xffff0000); # 13,12, -, - | ||
324 | &xor ($v1,&DWP(1,$te,$v0,8)); # 3 | ||
325 | &movz ($v0,&LB($s2)); # 8,11,10, 9* | ||
326 | &or ($s3,$s1); # 13,12, 7, 6 | ||
327 | &xor ($v1,&DWP(3,$te,$v0,8)); # 9, t[1] collected | ||
328 | &mov ($s1,$v1); # s[1]=t[1] | ||
329 | |||
330 | &movz ($v0,&LB($s0)); # 1, 0, 3, 2* | ||
331 | &shr ($s2,16); # -, -, 8,11 | ||
332 | &mov ($v1,&DWP(2,$te,$v0,8)); # 2 | ||
333 | &movz ($v0,&HB($s3)); # 13,12, 7*, 6 | ||
334 | &xor ($v1,&DWP(1,$te,$v0,8)); # 7 | ||
335 | &movz ($v0,&HB($s2)); # -, -, 8*,11 | ||
336 | &xor ($v1,&DWP(0,$te,$v0,8)); # 8 | ||
337 | &mov ($v0,$s3); | ||
338 | &shr ($v0,24); # 13 | ||
339 | &xor ($v1,&DWP(3,$te,$v0,8)); # 13, t[2] collected | ||
340 | |||
341 | &movz ($v0,&LB($s2)); # -, -, 8,11* | ||
342 | &shr ($s0,24); # 1* | ||
343 | &mov ($s2,&DWP(1,$te,$v0,8)); # 11 | ||
344 | &xor ($s2,&DWP(3,$te,$s0,8)); # 1 | ||
345 | &mov ($s0,$__s0); # s[0]=t[0] | ||
346 | &movz ($v0,&LB($s3)); # 13,12, 7, 6* | ||
347 | &shr ($s3,16); # , ,13,12 | ||
348 | &xor ($s2,&DWP(2,$te,$v0,8)); # 6 | ||
349 | &mov ($key,$__key); # reincarnate v0 as key | ||
350 | &and ($s3,0xff); # , ,13,12* | ||
351 | &mov ($s3,&DWP(0,$te,$s3,8)); # 12 | ||
352 | &xor ($s3,$s2); # s[2]=t[3] collected | ||
353 | &mov ($s2,$v1); # s[2]=t[2] | ||
354 | } | ||
355 | |||
356 | # More experimental code... SSE one... Even though this one eliminates | ||
357 | # *all* references to stack, it's not faster... | ||
358 | sub sse_encbody() | ||
359 | { | ||
360 | &movz ($acc,&LB("eax")); # 0 | ||
361 | &mov ("ecx",&DWP(0,$tbl,$acc,8)); # 0 | ||
362 | &pshufw ("mm2","mm0",0x0d); # 7, 6, 3, 2 | ||
363 | &movz ("edx",&HB("eax")); # 1 | ||
364 | &mov ("edx",&DWP(3,$tbl,"edx",8)); # 1 | ||
365 | &shr ("eax",16); # 5, 4 | ||
366 | |||
367 | &movz ($acc,&LB("ebx")); # 10 | ||
368 | &xor ("ecx",&DWP(2,$tbl,$acc,8)); # 10 | ||
369 | &pshufw ("mm6","mm4",0x08); # 13,12, 9, 8 | ||
370 | &movz ($acc,&HB("ebx")); # 11 | ||
371 | &xor ("edx",&DWP(1,$tbl,$acc,8)); # 11 | ||
372 | &shr ("ebx",16); # 15,14 | ||
373 | |||
374 | &movz ($acc,&HB("eax")); # 5 | ||
375 | &xor ("ecx",&DWP(3,$tbl,$acc,8)); # 5 | ||
376 | &movq ("mm3",QWP(16,$key)); | ||
377 | &movz ($acc,&HB("ebx")); # 15 | ||
378 | &xor ("ecx",&DWP(1,$tbl,$acc,8)); # 15 | ||
379 | &movd ("mm0","ecx"); # t[0] collected | ||
380 | |||
381 | &movz ($acc,&LB("eax")); # 4 | ||
382 | &mov ("ecx",&DWP(0,$tbl,$acc,8)); # 4 | ||
383 | &movd ("eax","mm2"); # 7, 6, 3, 2 | ||
384 | &movz ($acc,&LB("ebx")); # 14 | ||
385 | &xor ("ecx",&DWP(2,$tbl,$acc,8)); # 14 | ||
386 | &movd ("ebx","mm6"); # 13,12, 9, 8 | ||
387 | |||
388 | &movz ($acc,&HB("eax")); # 3 | ||
389 | &xor ("ecx",&DWP(1,$tbl,$acc,8)); # 3 | ||
390 | &movz ($acc,&HB("ebx")); # 9 | ||
391 | &xor ("ecx",&DWP(3,$tbl,$acc,8)); # 9 | ||
392 | &movd ("mm1","ecx"); # t[1] collected | ||
393 | |||
394 | &movz ($acc,&LB("eax")); # 2 | ||
395 | &mov ("ecx",&DWP(2,$tbl,$acc,8)); # 2 | ||
396 | &shr ("eax",16); # 7, 6 | ||
397 | &punpckldq ("mm0","mm1"); # t[0,1] collected | ||
398 | &movz ($acc,&LB("ebx")); # 8 | ||
399 | &xor ("ecx",&DWP(0,$tbl,$acc,8)); # 8 | ||
400 | &shr ("ebx",16); # 13,12 | ||
401 | |||
402 | &movz ($acc,&HB("eax")); # 7 | ||
403 | &xor ("ecx",&DWP(1,$tbl,$acc,8)); # 7 | ||
404 | &pxor ("mm0","mm3"); | ||
405 | &movz ("eax",&LB("eax")); # 6 | ||
406 | &xor ("edx",&DWP(2,$tbl,"eax",8)); # 6 | ||
407 | &pshufw ("mm1","mm0",0x08); # 5, 4, 1, 0 | ||
408 | &movz ($acc,&HB("ebx")); # 13 | ||
409 | &xor ("ecx",&DWP(3,$tbl,$acc,8)); # 13 | ||
410 | &xor ("ecx",&DWP(24,$key)); # t[2] | ||
411 | &movd ("mm4","ecx"); # t[2] collected | ||
412 | &movz ("ebx",&LB("ebx")); # 12 | ||
413 | &xor ("edx",&DWP(0,$tbl,"ebx",8)); # 12 | ||
414 | &shr ("ecx",16); | ||
415 | &movd ("eax","mm1"); # 5, 4, 1, 0 | ||
416 | &mov ("ebx",&DWP(28,$key)); # t[3] | ||
417 | &xor ("ebx","edx"); | ||
418 | &movd ("mm5","ebx"); # t[3] collected | ||
419 | &and ("ebx",0xffff0000); | ||
420 | &or ("ebx","ecx"); | ||
421 | |||
422 | &punpckldq ("mm4","mm5"); # t[2,3] collected | ||
423 | } | ||
424 | |||
425 | ###################################################################### | ||
426 | # "Compact" block function | ||
427 | ###################################################################### | ||
428 | |||
429 | sub enccompact() | ||
430 | { my $Fn = mov; | ||
431 | while ($#_>5) { pop(@_); $Fn=sub{}; } | ||
432 | my ($i,$te,@s)=@_; | ||
433 | my $tmp = $key; | ||
434 | my $out = $i==3?$s[0]:$acc; | ||
435 | |||
436 | # $Fn is used in first compact round and its purpose is to | ||
437 | # void restoration of some values from stack, so that after | ||
438 | # 4xenccompact with extra argument $key value is left there... | ||
439 | if ($i==3) { &$Fn ($key,$__key); }##%edx | ||
440 | else { &mov ($out,$s[0]); } | ||
441 | &and ($out,0xFF); | ||
442 | if ($i==1) { &shr ($s[0],16); }#%ebx[1] | ||
443 | if ($i==2) { &shr ($s[0],24); }#%ecx[2] | ||
444 | &movz ($out,&BP(-128,$te,$out,1)); | ||
445 | |||
446 | if ($i==3) { $tmp=$s[1]; }##%eax | ||
447 | &movz ($tmp,&HB($s[1])); | ||
448 | &movz ($tmp,&BP(-128,$te,$tmp,1)); | ||
449 | &shl ($tmp,8); | ||
450 | &xor ($out,$tmp); | ||
451 | |||
452 | if ($i==3) { $tmp=$s[2]; &mov ($s[1],$__s0); }##%ebx | ||
453 | else { &mov ($tmp,$s[2]); | ||
454 | &shr ($tmp,16); } | ||
455 | if ($i==2) { &and ($s[1],0xFF); }#%edx[2] | ||
456 | &and ($tmp,0xFF); | ||
457 | &movz ($tmp,&BP(-128,$te,$tmp,1)); | ||
458 | &shl ($tmp,16); | ||
459 | &xor ($out,$tmp); | ||
460 | |||
461 | if ($i==3) { $tmp=$s[3]; &mov ($s[2],$__s1); }##%ecx | ||
462 | elsif($i==2){ &movz ($tmp,&HB($s[3])); }#%ebx[2] | ||
463 | else { &mov ($tmp,$s[3]); | ||
464 | &shr ($tmp,24); } | ||
465 | &movz ($tmp,&BP(-128,$te,$tmp,1)); | ||
466 | &shl ($tmp,24); | ||
467 | &xor ($out,$tmp); | ||
468 | if ($i<2) { &mov (&DWP(4+4*$i,"esp"),$out); } | ||
469 | if ($i==3) { &mov ($s[3],$acc); } | ||
470 | &comment(); | ||
471 | } | ||
472 | |||
473 | sub enctransform() | ||
474 | { my @s = ($s0,$s1,$s2,$s3); | ||
475 | my $i = shift; | ||
476 | my $tmp = $tbl; | ||
477 | my $r2 = $key ; | ||
478 | |||
479 | &mov ($acc,$s[$i]); | ||
480 | &and ($acc,0x80808080); | ||
481 | &mov ($tmp,$acc); | ||
482 | &shr ($tmp,7); | ||
483 | &lea ($r2,&DWP(0,$s[$i],$s[$i])); | ||
484 | &sub ($acc,$tmp); | ||
485 | &and ($r2,0xfefefefe); | ||
486 | &and ($acc,0x1b1b1b1b); | ||
487 | &mov ($tmp,$s[$i]); | ||
488 | &xor ($acc,$r2); # r2 | ||
489 | |||
490 | &xor ($s[$i],$acc); # r0 ^ r2 | ||
491 | &rotl ($s[$i],24); | ||
492 | &xor ($s[$i],$acc) # ROTATE(r2^r0,24) ^ r2 | ||
493 | &rotr ($tmp,16); | ||
494 | &xor ($s[$i],$tmp); | ||
495 | &rotr ($tmp,8); | ||
496 | &xor ($s[$i],$tmp); | ||
497 | } | ||
498 | |||
499 | &function_begin_B("_x86_AES_encrypt_compact"); | ||
500 | # note that caller is expected to allocate stack frame for me! | ||
501 | &mov ($__key,$key); # save key | ||
502 | |||
503 | &xor ($s0,&DWP(0,$key)); # xor with key | ||
504 | &xor ($s1,&DWP(4,$key)); | ||
505 | &xor ($s2,&DWP(8,$key)); | ||
506 | &xor ($s3,&DWP(12,$key)); | ||
507 | |||
508 | &mov ($acc,&DWP(240,$key)); # load key->rounds | ||
509 | &lea ($acc,&DWP(-2,$acc,$acc)); | ||
510 | &lea ($acc,&DWP(0,$key,$acc,8)); | ||
511 | &mov ($__end,$acc); # end of key schedule | ||
512 | |||
513 | # prefetch Te4 | ||
514 | &mov ($key,&DWP(0-128,$tbl)); | ||
515 | &mov ($acc,&DWP(32-128,$tbl)); | ||
516 | &mov ($key,&DWP(64-128,$tbl)); | ||
517 | &mov ($acc,&DWP(96-128,$tbl)); | ||
518 | &mov ($key,&DWP(128-128,$tbl)); | ||
519 | &mov ($acc,&DWP(160-128,$tbl)); | ||
520 | &mov ($key,&DWP(192-128,$tbl)); | ||
521 | &mov ($acc,&DWP(224-128,$tbl)); | ||
522 | |||
523 | &set_label("loop",16); | ||
524 | |||
525 | &enccompact(0,$tbl,$s0,$s1,$s2,$s3,1); | ||
526 | &enccompact(1,$tbl,$s1,$s2,$s3,$s0,1); | ||
527 | &enccompact(2,$tbl,$s2,$s3,$s0,$s1,1); | ||
528 | &enccompact(3,$tbl,$s3,$s0,$s1,$s2,1); | ||
529 | &enctransform(2); | ||
530 | &enctransform(3); | ||
531 | &enctransform(0); | ||
532 | &enctransform(1); | ||
533 | &mov ($key,$__key); | ||
534 | &mov ($tbl,$__tbl); | ||
535 | &add ($key,16); # advance rd_key | ||
536 | &xor ($s0,&DWP(0,$key)); | ||
537 | &xor ($s1,&DWP(4,$key)); | ||
538 | &xor ($s2,&DWP(8,$key)); | ||
539 | &xor ($s3,&DWP(12,$key)); | ||
540 | |||
541 | &cmp ($key,$__end); | ||
542 | &mov ($__key,$key); | ||
543 | &jb (&label("loop")); | ||
544 | |||
545 | &enccompact(0,$tbl,$s0,$s1,$s2,$s3); | ||
546 | &enccompact(1,$tbl,$s1,$s2,$s3,$s0); | ||
547 | &enccompact(2,$tbl,$s2,$s3,$s0,$s1); | ||
548 | &enccompact(3,$tbl,$s3,$s0,$s1,$s2); | ||
549 | |||
550 | &xor ($s0,&DWP(16,$key)); | ||
551 | &xor ($s1,&DWP(20,$key)); | ||
552 | &xor ($s2,&DWP(24,$key)); | ||
553 | &xor ($s3,&DWP(28,$key)); | ||
554 | |||
555 | &ret (); | ||
556 | &function_end_B("_x86_AES_encrypt_compact"); | ||
557 | |||
558 | ###################################################################### | ||
559 | # "Compact" SSE block function. | ||
560 | ###################################################################### | ||
561 | # | ||
562 | # Performance is not actually extraordinary in comparison to pure | ||
563 | # x86 code. In particular encrypt performance is virtually the same. | ||
564 | # Decrypt performance on the other hand is 15-20% better on newer | ||
565 | # µ-archs [but we're thankful for *any* improvement here], and ~50% | ||
566 | # better on PIII:-) And additionally on the pros side this code | ||
567 | # eliminates redundant references to stack and thus relieves/ | ||
568 | # minimizes the pressure on the memory bus. | ||
569 | # | ||
570 | # MMX register layout lsb | ||
571 | # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||
572 | # | mm4 | mm0 | | ||
573 | # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||
574 | # | s3 | s2 | s1 | s0 | | ||
575 | # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||
576 | # |15|14|13|12|11|10| 9| 8| 7| 6| 5| 4| 3| 2| 1| 0| | ||
577 | # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ||
578 | # | ||
579 | # Indexes translate as s[N/4]>>(8*(N%4)), e.g. 5 means s1>>8. | ||
580 | # In this terms encryption and decryption "compact" permutation | ||
581 | # matrices can be depicted as following: | ||
582 | # | ||
583 | # encryption lsb # decryption lsb | ||
584 | # +----++----+----+----+----+ # +----++----+----+----+----+ | ||
585 | # | t0 || 15 | 10 | 5 | 0 | # | t0 || 7 | 10 | 13 | 0 | | ||
586 | # +----++----+----+----+----+ # +----++----+----+----+----+ | ||
587 | # | t1 || 3 | 14 | 9 | 4 | # | t1 || 11 | 14 | 1 | 4 | | ||
588 | # +----++----+----+----+----+ # +----++----+----+----+----+ | ||
589 | # | t2 || 7 | 2 | 13 | 8 | # | t2 || 15 | 2 | 5 | 8 | | ||
590 | # +----++----+----+----+----+ # +----++----+----+----+----+ | ||
591 | # | t3 || 11 | 6 | 1 | 12 | # | t3 || 3 | 6 | 9 | 12 | | ||
592 | # +----++----+----+----+----+ # +----++----+----+----+----+ | ||
593 | # | ||
594 | ###################################################################### | ||
595 | # Why not xmm registers? Short answer. It was actually tested and | ||
596 | # was not any faster, but *contrary*, most notably on Intel CPUs. | ||
597 | # Longer answer. Main advantage of using mm registers is that movd | ||
598 | # latency is lower, especially on Intel P4. While arithmetic | ||
599 | # instructions are twice as many, they can be scheduled every cycle | ||
600 | # and not every second one when they are operating on xmm register, | ||
601 | # so that "arithmetic throughput" remains virtually the same. And | ||
602 | # finally the code can be executed even on elder SSE-only CPUs:-) | ||
603 | |||
604 | sub sse_enccompact() | ||
605 | { | ||
606 | &pshufw ("mm1","mm0",0x08); # 5, 4, 1, 0 | ||
607 | &pshufw ("mm5","mm4",0x0d); # 15,14,11,10 | ||
608 | &movd ("eax","mm1"); # 5, 4, 1, 0 | ||
609 | &movd ("ebx","mm5"); # 15,14,11,10 | ||
610 | |||
611 | &movz ($acc,&LB("eax")); # 0 | ||
612 | &movz ("ecx",&BP(-128,$tbl,$acc,1)); # 0 | ||
613 | &pshufw ("mm2","mm0",0x0d); # 7, 6, 3, 2 | ||
614 | &movz ("edx",&HB("eax")); # 1 | ||
615 | &movz ("edx",&BP(-128,$tbl,"edx",1)); # 1 | ||
616 | &shl ("edx",8); # 1 | ||
617 | &shr ("eax",16); # 5, 4 | ||
618 | |||
619 | &movz ($acc,&LB("ebx")); # 10 | ||
620 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 10 | ||
621 | &shl ($acc,16); # 10 | ||
622 | &or ("ecx",$acc); # 10 | ||
623 | &pshufw ("mm6","mm4",0x08); # 13,12, 9, 8 | ||
624 | &movz ($acc,&HB("ebx")); # 11 | ||
625 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 11 | ||
626 | &shl ($acc,24); # 11 | ||
627 | &or ("edx",$acc); # 11 | ||
628 | &shr ("ebx",16); # 15,14 | ||
629 | |||
630 | &movz ($acc,&HB("eax")); # 5 | ||
631 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 5 | ||
632 | &shl ($acc,8); # 5 | ||
633 | &or ("ecx",$acc); # 5 | ||
634 | &movz ($acc,&HB("ebx")); # 15 | ||
635 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 15 | ||
636 | &shl ($acc,24); # 15 | ||
637 | &or ("ecx",$acc); # 15 | ||
638 | &movd ("mm0","ecx"); # t[0] collected | ||
639 | |||
640 | &movz ($acc,&LB("eax")); # 4 | ||
641 | &movz ("ecx",&BP(-128,$tbl,$acc,1)); # 4 | ||
642 | &movd ("eax","mm2"); # 7, 6, 3, 2 | ||
643 | &movz ($acc,&LB("ebx")); # 14 | ||
644 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 14 | ||
645 | &shl ($acc,16); # 14 | ||
646 | &or ("ecx",$acc); # 14 | ||
647 | |||
648 | &movd ("ebx","mm6"); # 13,12, 9, 8 | ||
649 | &movz ($acc,&HB("eax")); # 3 | ||
650 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 3 | ||
651 | &shl ($acc,24); # 3 | ||
652 | &or ("ecx",$acc); # 3 | ||
653 | &movz ($acc,&HB("ebx")); # 9 | ||
654 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 9 | ||
655 | &shl ($acc,8); # 9 | ||
656 | &or ("ecx",$acc); # 9 | ||
657 | &movd ("mm1","ecx"); # t[1] collected | ||
658 | |||
659 | &movz ($acc,&LB("ebx")); # 8 | ||
660 | &movz ("ecx",&BP(-128,$tbl,$acc,1)); # 8 | ||
661 | &shr ("ebx",16); # 13,12 | ||
662 | &movz ($acc,&LB("eax")); # 2 | ||
663 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 2 | ||
664 | &shl ($acc,16); # 2 | ||
665 | &or ("ecx",$acc); # 2 | ||
666 | &shr ("eax",16); # 7, 6 | ||
667 | |||
668 | &punpckldq ("mm0","mm1"); # t[0,1] collected | ||
669 | |||
670 | &movz ($acc,&HB("eax")); # 7 | ||
671 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 7 | ||
672 | &shl ($acc,24); # 7 | ||
673 | &or ("ecx",$acc); # 7 | ||
674 | &and ("eax",0xff); # 6 | ||
675 | &movz ("eax",&BP(-128,$tbl,"eax",1)); # 6 | ||
676 | &shl ("eax",16); # 6 | ||
677 | &or ("edx","eax"); # 6 | ||
678 | &movz ($acc,&HB("ebx")); # 13 | ||
679 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 13 | ||
680 | &shl ($acc,8); # 13 | ||
681 | &or ("ecx",$acc); # 13 | ||
682 | &movd ("mm4","ecx"); # t[2] collected | ||
683 | &and ("ebx",0xff); # 12 | ||
684 | &movz ("ebx",&BP(-128,$tbl,"ebx",1)); # 12 | ||
685 | &or ("edx","ebx"); # 12 | ||
686 | &movd ("mm5","edx"); # t[3] collected | ||
687 | |||
688 | &punpckldq ("mm4","mm5"); # t[2,3] collected | ||
689 | } | ||
690 | |||
691 | if (!$x86only) { | ||
692 | &function_begin_B("_sse_AES_encrypt_compact"); | ||
693 | &pxor ("mm0",&QWP(0,$key)); # 7, 6, 5, 4, 3, 2, 1, 0 | ||
694 | &pxor ("mm4",&QWP(8,$key)); # 15,14,13,12,11,10, 9, 8 | ||
695 | |||
696 | # note that caller is expected to allocate stack frame for me! | ||
697 | &mov ($acc,&DWP(240,$key)); # load key->rounds | ||
698 | &lea ($acc,&DWP(-2,$acc,$acc)); | ||
699 | &lea ($acc,&DWP(0,$key,$acc,8)); | ||
700 | &mov ($__end,$acc); # end of key schedule | ||
701 | |||
702 | &mov ($s0,0x1b1b1b1b); # magic constant | ||
703 | &mov (&DWP(8,"esp"),$s0); | ||
704 | &mov (&DWP(12,"esp"),$s0); | ||
705 | |||
706 | # prefetch Te4 | ||
707 | &mov ($s0,&DWP(0-128,$tbl)); | ||
708 | &mov ($s1,&DWP(32-128,$tbl)); | ||
709 | &mov ($s2,&DWP(64-128,$tbl)); | ||
710 | &mov ($s3,&DWP(96-128,$tbl)); | ||
711 | &mov ($s0,&DWP(128-128,$tbl)); | ||
712 | &mov ($s1,&DWP(160-128,$tbl)); | ||
713 | &mov ($s2,&DWP(192-128,$tbl)); | ||
714 | &mov ($s3,&DWP(224-128,$tbl)); | ||
715 | |||
716 | &set_label("loop",16); | ||
717 | &sse_enccompact(); | ||
718 | &add ($key,16); | ||
719 | &cmp ($key,$__end); | ||
720 | &ja (&label("out")); | ||
721 | |||
722 | &movq ("mm2",&QWP(8,"esp")); | ||
723 | &pxor ("mm3","mm3"); &pxor ("mm7","mm7"); | ||
724 | &movq ("mm1","mm0"); &movq ("mm5","mm4"); # r0 | ||
725 | &pcmpgtb("mm3","mm0"); &pcmpgtb("mm7","mm4"); | ||
726 | &pand ("mm3","mm2"); &pand ("mm7","mm2"); | ||
727 | &pshufw ("mm2","mm0",0xb1); &pshufw ("mm6","mm4",0xb1);# ROTATE(r0,16) | ||
728 | &paddb ("mm0","mm0"); &paddb ("mm4","mm4"); | ||
729 | &pxor ("mm0","mm3"); &pxor ("mm4","mm7"); # = r2 | ||
730 | &pshufw ("mm3","mm2",0xb1); &pshufw ("mm7","mm6",0xb1);# r0 | ||
731 | &pxor ("mm1","mm0"); &pxor ("mm5","mm4"); # r0^r2 | ||
732 | &pxor ("mm0","mm2"); &pxor ("mm4","mm6"); # ^= ROTATE(r0,16) | ||
733 | |||
734 | &movq ("mm2","mm3"); &movq ("mm6","mm7"); | ||
735 | &pslld ("mm3",8); &pslld ("mm7",8); | ||
736 | &psrld ("mm2",24); &psrld ("mm6",24); | ||
737 | &pxor ("mm0","mm3"); &pxor ("mm4","mm7"); # ^= r0<<8 | ||
738 | &pxor ("mm0","mm2"); &pxor ("mm4","mm6"); # ^= r0>>24 | ||
739 | |||
740 | &movq ("mm3","mm1"); &movq ("mm7","mm5"); | ||
741 | &movq ("mm2",&QWP(0,$key)); &movq ("mm6",&QWP(8,$key)); | ||
742 | &psrld ("mm1",8); &psrld ("mm5",8); | ||
743 | &mov ($s0,&DWP(0-128,$tbl)); | ||
744 | &pslld ("mm3",24); &pslld ("mm7",24); | ||
745 | &mov ($s1,&DWP(64-128,$tbl)); | ||
746 | &pxor ("mm0","mm1"); &pxor ("mm4","mm5"); # ^= (r2^r0)<<8 | ||
747 | &mov ($s2,&DWP(128-128,$tbl)); | ||
748 | &pxor ("mm0","mm3"); &pxor ("mm4","mm7"); # ^= (r2^r0)>>24 | ||
749 | &mov ($s3,&DWP(192-128,$tbl)); | ||
750 | |||
751 | &pxor ("mm0","mm2"); &pxor ("mm4","mm6"); | ||
752 | &jmp (&label("loop")); | ||
753 | |||
754 | &set_label("out",16); | ||
755 | &pxor ("mm0",&QWP(0,$key)); | ||
756 | &pxor ("mm4",&QWP(8,$key)); | ||
757 | |||
758 | &ret (); | ||
759 | &function_end_B("_sse_AES_encrypt_compact"); | ||
760 | } | ||
761 | |||
762 | ###################################################################### | ||
763 | # Vanilla block function. | ||
764 | ###################################################################### | ||
765 | |||
766 | sub encstep() | ||
767 | { my ($i,$te,@s) = @_; | ||
768 | my $tmp = $key; | ||
769 | my $out = $i==3?$s[0]:$acc; | ||
770 | |||
771 | # lines marked with #%e?x[i] denote "reordered" instructions... | ||
772 | if ($i==3) { &mov ($key,$__key); }##%edx | ||
773 | else { &mov ($out,$s[0]); | ||
774 | &and ($out,0xFF); } | ||
775 | if ($i==1) { &shr ($s[0],16); }#%ebx[1] | ||
776 | if ($i==2) { &shr ($s[0],24); }#%ecx[2] | ||
777 | &mov ($out,&DWP(0,$te,$out,8)); | ||
778 | |||
779 | if ($i==3) { $tmp=$s[1]; }##%eax | ||
780 | &movz ($tmp,&HB($s[1])); | ||
781 | &xor ($out,&DWP(3,$te,$tmp,8)); | ||
782 | |||
783 | if ($i==3) { $tmp=$s[2]; &mov ($s[1],$__s0); }##%ebx | ||
784 | else { &mov ($tmp,$s[2]); | ||
785 | &shr ($tmp,16); } | ||
786 | if ($i==2) { &and ($s[1],0xFF); }#%edx[2] | ||
787 | &and ($tmp,0xFF); | ||
788 | &xor ($out,&DWP(2,$te,$tmp,8)); | ||
789 | |||
790 | if ($i==3) { $tmp=$s[3]; &mov ($s[2],$__s1); }##%ecx | ||
791 | elsif($i==2){ &movz ($tmp,&HB($s[3])); }#%ebx[2] | ||
792 | else { &mov ($tmp,$s[3]); | ||
793 | &shr ($tmp,24) } | ||
794 | &xor ($out,&DWP(1,$te,$tmp,8)); | ||
795 | if ($i<2) { &mov (&DWP(4+4*$i,"esp"),$out); } | ||
796 | if ($i==3) { &mov ($s[3],$acc); } | ||
797 | &comment(); | ||
798 | } | ||
799 | |||
800 | sub enclast() | ||
801 | { my ($i,$te,@s)=@_; | ||
802 | my $tmp = $key; | ||
803 | my $out = $i==3?$s[0]:$acc; | ||
804 | |||
805 | if ($i==3) { &mov ($key,$__key); }##%edx | ||
806 | else { &mov ($out,$s[0]); } | ||
807 | &and ($out,0xFF); | ||
808 | if ($i==1) { &shr ($s[0],16); }#%ebx[1] | ||
809 | if ($i==2) { &shr ($s[0],24); }#%ecx[2] | ||
810 | &mov ($out,&DWP(2,$te,$out,8)); | ||
811 | &and ($out,0x000000ff); | ||
812 | |||
813 | if ($i==3) { $tmp=$s[1]; }##%eax | ||
814 | &movz ($tmp,&HB($s[1])); | ||
815 | &mov ($tmp,&DWP(0,$te,$tmp,8)); | ||
816 | &and ($tmp,0x0000ff00); | ||
817 | &xor ($out,$tmp); | ||
818 | |||
819 | if ($i==3) { $tmp=$s[2]; &mov ($s[1],$__s0); }##%ebx | ||
820 | else { &mov ($tmp,$s[2]); | ||
821 | &shr ($tmp,16); } | ||
822 | if ($i==2) { &and ($s[1],0xFF); }#%edx[2] | ||
823 | &and ($tmp,0xFF); | ||
824 | &mov ($tmp,&DWP(0,$te,$tmp,8)); | ||
825 | &and ($tmp,0x00ff0000); | ||
826 | &xor ($out,$tmp); | ||
827 | |||
828 | if ($i==3) { $tmp=$s[3]; &mov ($s[2],$__s1); }##%ecx | ||
829 | elsif($i==2){ &movz ($tmp,&HB($s[3])); }#%ebx[2] | ||
830 | else { &mov ($tmp,$s[3]); | ||
831 | &shr ($tmp,24); } | ||
832 | &mov ($tmp,&DWP(2,$te,$tmp,8)); | ||
833 | &and ($tmp,0xff000000); | ||
834 | &xor ($out,$tmp); | ||
835 | if ($i<2) { &mov (&DWP(4+4*$i,"esp"),$out); } | ||
836 | if ($i==3) { &mov ($s[3],$acc); } | ||
837 | } | ||
838 | |||
839 | &function_begin_B("_x86_AES_encrypt"); | ||
840 | if ($vertical_spin) { | ||
841 | # I need high parts of volatile registers to be accessible... | ||
842 | &exch ($s1="edi",$key="ebx"); | ||
843 | &mov ($s2="esi",$acc="ecx"); | ||
844 | } | ||
845 | |||
846 | # note that caller is expected to allocate stack frame for me! | ||
847 | &mov ($__key,$key); # save key | ||
848 | |||
849 | &xor ($s0,&DWP(0,$key)); # xor with key | ||
850 | &xor ($s1,&DWP(4,$key)); | ||
851 | &xor ($s2,&DWP(8,$key)); | ||
852 | &xor ($s3,&DWP(12,$key)); | ||
853 | |||
854 | &mov ($acc,&DWP(240,$key)); # load key->rounds | ||
855 | |||
856 | if ($small_footprint) { | ||
857 | &lea ($acc,&DWP(-2,$acc,$acc)); | ||
858 | &lea ($acc,&DWP(0,$key,$acc,8)); | ||
859 | &mov ($__end,$acc); # end of key schedule | ||
860 | |||
861 | &set_label("loop",16); | ||
862 | if ($vertical_spin) { | ||
863 | &encvert($tbl,$s0,$s1,$s2,$s3); | ||
864 | } else { | ||
865 | &encstep(0,$tbl,$s0,$s1,$s2,$s3); | ||
866 | &encstep(1,$tbl,$s1,$s2,$s3,$s0); | ||
867 | &encstep(2,$tbl,$s2,$s3,$s0,$s1); | ||
868 | &encstep(3,$tbl,$s3,$s0,$s1,$s2); | ||
869 | } | ||
870 | &add ($key,16); # advance rd_key | ||
871 | &xor ($s0,&DWP(0,$key)); | ||
872 | &xor ($s1,&DWP(4,$key)); | ||
873 | &xor ($s2,&DWP(8,$key)); | ||
874 | &xor ($s3,&DWP(12,$key)); | ||
875 | &cmp ($key,$__end); | ||
876 | &mov ($__key,$key); | ||
877 | &jb (&label("loop")); | ||
878 | } | ||
879 | else { | ||
880 | &cmp ($acc,10); | ||
881 | &jle (&label("10rounds")); | ||
882 | &cmp ($acc,12); | ||
883 | &jle (&label("12rounds")); | ||
884 | |||
885 | &set_label("14rounds",4); | ||
886 | for ($i=1;$i<3;$i++) { | ||
887 | if ($vertical_spin) { | ||
888 | &encvert($tbl,$s0,$s1,$s2,$s3); | ||
889 | } else { | ||
890 | &encstep(0,$tbl,$s0,$s1,$s2,$s3); | ||
891 | &encstep(1,$tbl,$s1,$s2,$s3,$s0); | ||
892 | &encstep(2,$tbl,$s2,$s3,$s0,$s1); | ||
893 | &encstep(3,$tbl,$s3,$s0,$s1,$s2); | ||
894 | } | ||
895 | &xor ($s0,&DWP(16*$i+0,$key)); | ||
896 | &xor ($s1,&DWP(16*$i+4,$key)); | ||
897 | &xor ($s2,&DWP(16*$i+8,$key)); | ||
898 | &xor ($s3,&DWP(16*$i+12,$key)); | ||
899 | } | ||
900 | &add ($key,32); | ||
901 | &mov ($__key,$key); # advance rd_key | ||
902 | &set_label("12rounds",4); | ||
903 | for ($i=1;$i<3;$i++) { | ||
904 | if ($vertical_spin) { | ||
905 | &encvert($tbl,$s0,$s1,$s2,$s3); | ||
906 | } else { | ||
907 | &encstep(0,$tbl,$s0,$s1,$s2,$s3); | ||
908 | &encstep(1,$tbl,$s1,$s2,$s3,$s0); | ||
909 | &encstep(2,$tbl,$s2,$s3,$s0,$s1); | ||
910 | &encstep(3,$tbl,$s3,$s0,$s1,$s2); | ||
911 | } | ||
912 | &xor ($s0,&DWP(16*$i+0,$key)); | ||
913 | &xor ($s1,&DWP(16*$i+4,$key)); | ||
914 | &xor ($s2,&DWP(16*$i+8,$key)); | ||
915 | &xor ($s3,&DWP(16*$i+12,$key)); | ||
916 | } | ||
917 | &add ($key,32); | ||
918 | &mov ($__key,$key); # advance rd_key | ||
919 | &set_label("10rounds",4); | ||
920 | for ($i=1;$i<10;$i++) { | ||
921 | if ($vertical_spin) { | ||
922 | &encvert($tbl,$s0,$s1,$s2,$s3); | ||
923 | } else { | ||
924 | &encstep(0,$tbl,$s0,$s1,$s2,$s3); | ||
925 | &encstep(1,$tbl,$s1,$s2,$s3,$s0); | ||
926 | &encstep(2,$tbl,$s2,$s3,$s0,$s1); | ||
927 | &encstep(3,$tbl,$s3,$s0,$s1,$s2); | ||
928 | } | ||
929 | &xor ($s0,&DWP(16*$i+0,$key)); | ||
930 | &xor ($s1,&DWP(16*$i+4,$key)); | ||
931 | &xor ($s2,&DWP(16*$i+8,$key)); | ||
932 | &xor ($s3,&DWP(16*$i+12,$key)); | ||
933 | } | ||
934 | } | ||
935 | |||
936 | if ($vertical_spin) { | ||
937 | # "reincarnate" some registers for "horizontal" spin... | ||
938 | &mov ($s1="ebx",$key="edi"); | ||
939 | &mov ($s2="ecx",$acc="esi"); | ||
940 | } | ||
941 | &enclast(0,$tbl,$s0,$s1,$s2,$s3); | ||
942 | &enclast(1,$tbl,$s1,$s2,$s3,$s0); | ||
943 | &enclast(2,$tbl,$s2,$s3,$s0,$s1); | ||
944 | &enclast(3,$tbl,$s3,$s0,$s1,$s2); | ||
945 | |||
946 | &add ($key,$small_footprint?16:160); | ||
947 | &xor ($s0,&DWP(0,$key)); | ||
948 | &xor ($s1,&DWP(4,$key)); | ||
949 | &xor ($s2,&DWP(8,$key)); | ||
950 | &xor ($s3,&DWP(12,$key)); | ||
951 | |||
952 | &ret (); | ||
953 | &function_end_B("_x86_AES_encrypt"); | ||
954 | |||
955 | &rodataseg(); | ||
956 | &set_label("AES_Te",64); | ||
957 | &_data_word(0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6); | ||
958 | &_data_word(0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591); | ||
959 | &_data_word(0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56); | ||
960 | &_data_word(0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec); | ||
961 | &_data_word(0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa); | ||
962 | &_data_word(0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb); | ||
963 | &_data_word(0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45); | ||
964 | &_data_word(0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b); | ||
965 | &_data_word(0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c); | ||
966 | &_data_word(0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83); | ||
967 | &_data_word(0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9); | ||
968 | &_data_word(0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a); | ||
969 | &_data_word(0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d); | ||
970 | &_data_word(0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f); | ||
971 | &_data_word(0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df); | ||
972 | &_data_word(0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea); | ||
973 | &_data_word(0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34); | ||
974 | &_data_word(0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b); | ||
975 | &_data_word(0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d); | ||
976 | &_data_word(0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413); | ||
977 | &_data_word(0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1); | ||
978 | &_data_word(0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6); | ||
979 | &_data_word(0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972); | ||
980 | &_data_word(0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85); | ||
981 | &_data_word(0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed); | ||
982 | &_data_word(0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511); | ||
983 | &_data_word(0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe); | ||
984 | &_data_word(0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b); | ||
985 | &_data_word(0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05); | ||
986 | &_data_word(0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1); | ||
987 | &_data_word(0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142); | ||
988 | &_data_word(0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf); | ||
989 | &_data_word(0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3); | ||
990 | &_data_word(0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e); | ||
991 | &_data_word(0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a); | ||
992 | &_data_word(0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6); | ||
993 | &_data_word(0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3); | ||
994 | &_data_word(0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b); | ||
995 | &_data_word(0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428); | ||
996 | &_data_word(0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad); | ||
997 | &_data_word(0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14); | ||
998 | &_data_word(0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8); | ||
999 | &_data_word(0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4); | ||
1000 | &_data_word(0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2); | ||
1001 | &_data_word(0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda); | ||
1002 | &_data_word(0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949); | ||
1003 | &_data_word(0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf); | ||
1004 | &_data_word(0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810); | ||
1005 | &_data_word(0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c); | ||
1006 | &_data_word(0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697); | ||
1007 | &_data_word(0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e); | ||
1008 | &_data_word(0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f); | ||
1009 | &_data_word(0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc); | ||
1010 | &_data_word(0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c); | ||
1011 | &_data_word(0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969); | ||
1012 | &_data_word(0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27); | ||
1013 | &_data_word(0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122); | ||
1014 | &_data_word(0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433); | ||
1015 | &_data_word(0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9); | ||
1016 | &_data_word(0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5); | ||
1017 | &_data_word(0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a); | ||
1018 | &_data_word(0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0); | ||
1019 | &_data_word(0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e); | ||
1020 | &_data_word(0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c); | ||
1021 | |||
1022 | #Te4 # four copies of Te4 to choose from to avoid L1 aliasing | ||
1023 | &data_byte(0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5); | ||
1024 | &data_byte(0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76); | ||
1025 | &data_byte(0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0); | ||
1026 | &data_byte(0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0); | ||
1027 | &data_byte(0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc); | ||
1028 | &data_byte(0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15); | ||
1029 | &data_byte(0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a); | ||
1030 | &data_byte(0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75); | ||
1031 | &data_byte(0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0); | ||
1032 | &data_byte(0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84); | ||
1033 | &data_byte(0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b); | ||
1034 | &data_byte(0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf); | ||
1035 | &data_byte(0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85); | ||
1036 | &data_byte(0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8); | ||
1037 | &data_byte(0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5); | ||
1038 | &data_byte(0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2); | ||
1039 | &data_byte(0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17); | ||
1040 | &data_byte(0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73); | ||
1041 | &data_byte(0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88); | ||
1042 | &data_byte(0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb); | ||
1043 | &data_byte(0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c); | ||
1044 | &data_byte(0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79); | ||
1045 | &data_byte(0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9); | ||
1046 | &data_byte(0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08); | ||
1047 | &data_byte(0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6); | ||
1048 | &data_byte(0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a); | ||
1049 | &data_byte(0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e); | ||
1050 | &data_byte(0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e); | ||
1051 | &data_byte(0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94); | ||
1052 | &data_byte(0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf); | ||
1053 | &data_byte(0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68); | ||
1054 | &data_byte(0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16); | ||
1055 | |||
1056 | &data_byte(0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5); | ||
1057 | &data_byte(0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76); | ||
1058 | &data_byte(0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0); | ||
1059 | &data_byte(0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0); | ||
1060 | &data_byte(0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc); | ||
1061 | &data_byte(0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15); | ||
1062 | &data_byte(0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a); | ||
1063 | &data_byte(0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75); | ||
1064 | &data_byte(0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0); | ||
1065 | &data_byte(0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84); | ||
1066 | &data_byte(0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b); | ||
1067 | &data_byte(0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf); | ||
1068 | &data_byte(0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85); | ||
1069 | &data_byte(0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8); | ||
1070 | &data_byte(0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5); | ||
1071 | &data_byte(0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2); | ||
1072 | &data_byte(0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17); | ||
1073 | &data_byte(0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73); | ||
1074 | &data_byte(0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88); | ||
1075 | &data_byte(0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb); | ||
1076 | &data_byte(0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c); | ||
1077 | &data_byte(0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79); | ||
1078 | &data_byte(0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9); | ||
1079 | &data_byte(0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08); | ||
1080 | &data_byte(0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6); | ||
1081 | &data_byte(0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a); | ||
1082 | &data_byte(0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e); | ||
1083 | &data_byte(0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e); | ||
1084 | &data_byte(0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94); | ||
1085 | &data_byte(0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf); | ||
1086 | &data_byte(0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68); | ||
1087 | &data_byte(0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16); | ||
1088 | |||
1089 | &data_byte(0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5); | ||
1090 | &data_byte(0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76); | ||
1091 | &data_byte(0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0); | ||
1092 | &data_byte(0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0); | ||
1093 | &data_byte(0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc); | ||
1094 | &data_byte(0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15); | ||
1095 | &data_byte(0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a); | ||
1096 | &data_byte(0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75); | ||
1097 | &data_byte(0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0); | ||
1098 | &data_byte(0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84); | ||
1099 | &data_byte(0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b); | ||
1100 | &data_byte(0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf); | ||
1101 | &data_byte(0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85); | ||
1102 | &data_byte(0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8); | ||
1103 | &data_byte(0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5); | ||
1104 | &data_byte(0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2); | ||
1105 | &data_byte(0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17); | ||
1106 | &data_byte(0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73); | ||
1107 | &data_byte(0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88); | ||
1108 | &data_byte(0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb); | ||
1109 | &data_byte(0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c); | ||
1110 | &data_byte(0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79); | ||
1111 | &data_byte(0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9); | ||
1112 | &data_byte(0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08); | ||
1113 | &data_byte(0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6); | ||
1114 | &data_byte(0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a); | ||
1115 | &data_byte(0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e); | ||
1116 | &data_byte(0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e); | ||
1117 | &data_byte(0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94); | ||
1118 | &data_byte(0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf); | ||
1119 | &data_byte(0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68); | ||
1120 | &data_byte(0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16); | ||
1121 | |||
1122 | &data_byte(0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5); | ||
1123 | &data_byte(0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76); | ||
1124 | &data_byte(0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0); | ||
1125 | &data_byte(0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0); | ||
1126 | &data_byte(0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc); | ||
1127 | &data_byte(0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15); | ||
1128 | &data_byte(0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a); | ||
1129 | &data_byte(0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75); | ||
1130 | &data_byte(0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0); | ||
1131 | &data_byte(0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84); | ||
1132 | &data_byte(0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b); | ||
1133 | &data_byte(0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf); | ||
1134 | &data_byte(0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85); | ||
1135 | &data_byte(0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8); | ||
1136 | &data_byte(0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5); | ||
1137 | &data_byte(0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2); | ||
1138 | &data_byte(0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17); | ||
1139 | &data_byte(0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73); | ||
1140 | &data_byte(0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88); | ||
1141 | &data_byte(0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb); | ||
1142 | &data_byte(0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c); | ||
1143 | &data_byte(0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79); | ||
1144 | &data_byte(0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9); | ||
1145 | &data_byte(0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08); | ||
1146 | &data_byte(0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6); | ||
1147 | &data_byte(0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a); | ||
1148 | &data_byte(0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e); | ||
1149 | &data_byte(0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e); | ||
1150 | &data_byte(0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94); | ||
1151 | &data_byte(0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf); | ||
1152 | &data_byte(0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68); | ||
1153 | &data_byte(0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16); | ||
1154 | #rcon: | ||
1155 | &data_word(0x00000001, 0x00000002, 0x00000004, 0x00000008); | ||
1156 | &data_word(0x00000010, 0x00000020, 0x00000040, 0x00000080); | ||
1157 | &data_word(0x0000001b, 0x00000036, 0x00000000, 0x00000000); | ||
1158 | &data_word(0x00000000, 0x00000000, 0x00000000, 0x00000000); | ||
1159 | &previous(); | ||
1160 | |||
1161 | # void aes_encrypt_internal(const void *inp, void *out, const AES_KEY *key); | ||
1162 | &function_begin("aes_encrypt_internal"); | ||
1163 | &mov ($acc,&wparam(0)); # load inp | ||
1164 | &mov ($key,&wparam(2)); # load key | ||
1165 | |||
1166 | &mov ($s0,"esp"); | ||
1167 | &sub ("esp",36); | ||
1168 | &and ("esp",-64); # align to cache-line | ||
1169 | |||
1170 | # place stack frame just "above" the key schedule | ||
1171 | &lea ($s1,&DWP(-64-63,$key)); | ||
1172 | &sub ($s1,"esp"); | ||
1173 | &neg ($s1); | ||
1174 | &and ($s1,0x3C0); # modulo 1024, but aligned to cache-line | ||
1175 | &sub ("esp",$s1); | ||
1176 | &add ("esp",4); # 4 is reserved for caller's return address | ||
1177 | &mov ($_esp,$s0); # save stack pointer | ||
1178 | |||
1179 | &picsetup($tbl); | ||
1180 | &picsymbol($s0, "OPENSSL_ia32cap_P", $tbl); | ||
1181 | &picsymbol($tbl, &label("AES_Te"), $tbl); | ||
1182 | |||
1183 | # pick Te4 copy which can't "overlap" with stack frame or key schedule | ||
1184 | &lea ($s1,&DWP(768-4,"esp")); | ||
1185 | &sub ($s1,$tbl); | ||
1186 | &and ($s1,0x300); | ||
1187 | &lea ($tbl,&DWP(2048+128,$tbl,$s1)); | ||
1188 | |||
1189 | if (!$x86only) { | ||
1190 | &bt (&DWP(0,$s0),"\$IA32CAP_BIT0_SSE"); # check for SSE bit | ||
1191 | &jnc (&label("x86")); | ||
1192 | |||
1193 | &movq ("mm0",&QWP(0,$acc)); | ||
1194 | &movq ("mm4",&QWP(8,$acc)); | ||
1195 | &call ("_sse_AES_encrypt_compact"); | ||
1196 | &mov ("esp",$_esp); # restore stack pointer | ||
1197 | &mov ($acc,&wparam(1)); # load out | ||
1198 | &movq (&QWP(0,$acc),"mm0"); # write output data | ||
1199 | &movq (&QWP(8,$acc),"mm4"); | ||
1200 | &emms (); | ||
1201 | &function_end_A(); | ||
1202 | } | ||
1203 | &set_label("x86",16); | ||
1204 | &mov ($_tbl,$tbl); | ||
1205 | &mov ($s0,&DWP(0,$acc)); # load input data | ||
1206 | &mov ($s1,&DWP(4,$acc)); | ||
1207 | &mov ($s2,&DWP(8,$acc)); | ||
1208 | &mov ($s3,&DWP(12,$acc)); | ||
1209 | &call ("_x86_AES_encrypt_compact"); | ||
1210 | &mov ("esp",$_esp); # restore stack pointer | ||
1211 | &mov ($acc,&wparam(1)); # load out | ||
1212 | &mov (&DWP(0,$acc),$s0); # write output data | ||
1213 | &mov (&DWP(4,$acc),$s1); | ||
1214 | &mov (&DWP(8,$acc),$s2); | ||
1215 | &mov (&DWP(12,$acc),$s3); | ||
1216 | &function_end("aes_encrypt_internal"); | ||
1217 | |||
1218 | #--------------------------------------------------------------------# | ||
1219 | |||
1220 | ###################################################################### | ||
1221 | # "Compact" block function | ||
1222 | ###################################################################### | ||
1223 | |||
1224 | sub deccompact() | ||
1225 | { my $Fn = mov; | ||
1226 | while ($#_>5) { pop(@_); $Fn=sub{}; } | ||
1227 | my ($i,$td,@s)=@_; | ||
1228 | my $tmp = $key; | ||
1229 | my $out = $i==3?$s[0]:$acc; | ||
1230 | |||
1231 | # $Fn is used in first compact round and its purpose is to | ||
1232 | # void restoration of some values from stack, so that after | ||
1233 | # 4xdeccompact with extra argument $key, $s0 and $s1 values | ||
1234 | # are left there... | ||
1235 | if($i==3) { &$Fn ($key,$__key); } | ||
1236 | else { &mov ($out,$s[0]); } | ||
1237 | &and ($out,0xFF); | ||
1238 | &movz ($out,&BP(-128,$td,$out,1)); | ||
1239 | |||
1240 | if ($i==3) { $tmp=$s[1]; } | ||
1241 | &movz ($tmp,&HB($s[1])); | ||
1242 | &movz ($tmp,&BP(-128,$td,$tmp,1)); | ||
1243 | &shl ($tmp,8); | ||
1244 | &xor ($out,$tmp); | ||
1245 | |||
1246 | if ($i==3) { $tmp=$s[2]; &mov ($s[1],$acc); } | ||
1247 | else { mov ($tmp,$s[2]); } | ||
1248 | &shr ($tmp,16); | ||
1249 | &and ($tmp,0xFF); | ||
1250 | &movz ($tmp,&BP(-128,$td,$tmp,1)); | ||
1251 | &shl ($tmp,16); | ||
1252 | &xor ($out,$tmp); | ||
1253 | |||
1254 | if ($i==3) { $tmp=$s[3]; &$Fn ($s[2],$__s1); } | ||
1255 | else { &mov ($tmp,$s[3]); } | ||
1256 | &shr ($tmp,24); | ||
1257 | &movz ($tmp,&BP(-128,$td,$tmp,1)); | ||
1258 | &shl ($tmp,24); | ||
1259 | &xor ($out,$tmp); | ||
1260 | if ($i<2) { &mov (&DWP(4+4*$i,"esp"),$out); } | ||
1261 | if ($i==3) { &$Fn ($s[3],$__s0); } | ||
1262 | } | ||
1263 | |||
1264 | # must be called with 2,3,0,1 as argument sequence!!! | ||
1265 | sub dectransform() | ||
1266 | { my @s = ($s0,$s1,$s2,$s3); | ||
1267 | my $i = shift; | ||
1268 | my $tmp = $key; | ||
1269 | my $tp2 = @s[($i+2)%4]; $tp2 = @s[2] if ($i==1); | ||
1270 | my $tp4 = @s[($i+3)%4]; $tp4 = @s[3] if ($i==1); | ||
1271 | my $tp8 = $tbl; | ||
1272 | |||
1273 | &mov ($acc,$s[$i]); | ||
1274 | &and ($acc,0x80808080); | ||
1275 | &mov ($tmp,$acc); | ||
1276 | &shr ($tmp,7); | ||
1277 | &lea ($tp2,&DWP(0,$s[$i],$s[$i])); | ||
1278 | &sub ($acc,$tmp); | ||
1279 | &and ($tp2,0xfefefefe); | ||
1280 | &and ($acc,0x1b1b1b1b); | ||
1281 | &xor ($acc,$tp2); | ||
1282 | &mov ($tp2,$acc); | ||
1283 | |||
1284 | &and ($acc,0x80808080); | ||
1285 | &mov ($tmp,$acc); | ||
1286 | &shr ($tmp,7); | ||
1287 | &lea ($tp4,&DWP(0,$tp2,$tp2)); | ||
1288 | &sub ($acc,$tmp); | ||
1289 | &and ($tp4,0xfefefefe); | ||
1290 | &and ($acc,0x1b1b1b1b); | ||
1291 | &xor ($tp2,$s[$i]); # tp2^tp1 | ||
1292 | &xor ($acc,$tp4); | ||
1293 | &mov ($tp4,$acc); | ||
1294 | |||
1295 | &and ($acc,0x80808080); | ||
1296 | &mov ($tmp,$acc); | ||
1297 | &shr ($tmp,7); | ||
1298 | &lea ($tp8,&DWP(0,$tp4,$tp4)); | ||
1299 | &sub ($acc,$tmp); | ||
1300 | &and ($tp8,0xfefefefe); | ||
1301 | &and ($acc,0x1b1b1b1b); | ||
1302 | &xor ($tp4,$s[$i]); # tp4^tp1 | ||
1303 | &rotl ($s[$i],8); # = ROTATE(tp1,8) | ||
1304 | &xor ($tp8,$acc); | ||
1305 | |||
1306 | &xor ($s[$i],$tp2); | ||
1307 | &xor ($tp2,$tp8); | ||
1308 | &rotl ($tp2,24); | ||
1309 | &xor ($s[$i],$tp4); | ||
1310 | &xor ($tp4,$tp8); | ||
1311 | &rotl ($tp4,16); | ||
1312 | &xor ($s[$i],$tp8); # ^= tp8^(tp4^tp1)^(tp2^tp1) | ||
1313 | &rotl ($tp8,8); | ||
1314 | &xor ($s[$i],$tp2); # ^= ROTATE(tp8^tp2^tp1,24) | ||
1315 | &xor ($s[$i],$tp4); # ^= ROTATE(tp8^tp4^tp1,16) | ||
1316 | &mov ($s[0],$__s0) if($i==2); #prefetch $s0 | ||
1317 | &mov ($s[1],$__s1) if($i==3); #prefetch $s1 | ||
1318 | &mov ($s[2],$__s2) if($i==1); | ||
1319 | &xor ($s[$i],$tp8); # ^= ROTATE(tp8,8) | ||
1320 | |||
1321 | &mov ($s[3],$__s3) if($i==1); | ||
1322 | &mov (&DWP(4+4*$i,"esp"),$s[$i]) if($i>=2); | ||
1323 | } | ||
1324 | |||
1325 | &function_begin_B("_x86_AES_decrypt_compact"); | ||
1326 | # note that caller is expected to allocate stack frame for me! | ||
1327 | &mov ($__key,$key); # save key | ||
1328 | |||
1329 | &xor ($s0,&DWP(0,$key)); # xor with key | ||
1330 | &xor ($s1,&DWP(4,$key)); | ||
1331 | &xor ($s2,&DWP(8,$key)); | ||
1332 | &xor ($s3,&DWP(12,$key)); | ||
1333 | |||
1334 | &mov ($acc,&DWP(240,$key)); # load key->rounds | ||
1335 | |||
1336 | &lea ($acc,&DWP(-2,$acc,$acc)); | ||
1337 | &lea ($acc,&DWP(0,$key,$acc,8)); | ||
1338 | &mov ($__end,$acc); # end of key schedule | ||
1339 | |||
1340 | # prefetch Td4 | ||
1341 | &mov ($key,&DWP(0-128,$tbl)); | ||
1342 | &mov ($acc,&DWP(32-128,$tbl)); | ||
1343 | &mov ($key,&DWP(64-128,$tbl)); | ||
1344 | &mov ($acc,&DWP(96-128,$tbl)); | ||
1345 | &mov ($key,&DWP(128-128,$tbl)); | ||
1346 | &mov ($acc,&DWP(160-128,$tbl)); | ||
1347 | &mov ($key,&DWP(192-128,$tbl)); | ||
1348 | &mov ($acc,&DWP(224-128,$tbl)); | ||
1349 | |||
1350 | &set_label("loop",16); | ||
1351 | |||
1352 | &deccompact(0,$tbl,$s0,$s3,$s2,$s1,1); | ||
1353 | &deccompact(1,$tbl,$s1,$s0,$s3,$s2,1); | ||
1354 | &deccompact(2,$tbl,$s2,$s1,$s0,$s3,1); | ||
1355 | &deccompact(3,$tbl,$s3,$s2,$s1,$s0,1); | ||
1356 | &dectransform(2); | ||
1357 | &dectransform(3); | ||
1358 | &dectransform(0); | ||
1359 | &dectransform(1); | ||
1360 | &mov ($key,$__key); | ||
1361 | &mov ($tbl,$__tbl); | ||
1362 | &add ($key,16); # advance rd_key | ||
1363 | &xor ($s0,&DWP(0,$key)); | ||
1364 | &xor ($s1,&DWP(4,$key)); | ||
1365 | &xor ($s2,&DWP(8,$key)); | ||
1366 | &xor ($s3,&DWP(12,$key)); | ||
1367 | |||
1368 | &cmp ($key,$__end); | ||
1369 | &mov ($__key,$key); | ||
1370 | &jb (&label("loop")); | ||
1371 | |||
1372 | &deccompact(0,$tbl,$s0,$s3,$s2,$s1); | ||
1373 | &deccompact(1,$tbl,$s1,$s0,$s3,$s2); | ||
1374 | &deccompact(2,$tbl,$s2,$s1,$s0,$s3); | ||
1375 | &deccompact(3,$tbl,$s3,$s2,$s1,$s0); | ||
1376 | |||
1377 | &xor ($s0,&DWP(16,$key)); | ||
1378 | &xor ($s1,&DWP(20,$key)); | ||
1379 | &xor ($s2,&DWP(24,$key)); | ||
1380 | &xor ($s3,&DWP(28,$key)); | ||
1381 | |||
1382 | &ret (); | ||
1383 | &function_end_B("_x86_AES_decrypt_compact"); | ||
1384 | |||
1385 | ###################################################################### | ||
1386 | # "Compact" SSE block function. | ||
1387 | ###################################################################### | ||
1388 | |||
1389 | sub sse_deccompact() | ||
1390 | { | ||
1391 | &pshufw ("mm1","mm0",0x0c); # 7, 6, 1, 0 | ||
1392 | &movd ("eax","mm1"); # 7, 6, 1, 0 | ||
1393 | |||
1394 | &pshufw ("mm5","mm4",0x09); # 13,12,11,10 | ||
1395 | &movz ($acc,&LB("eax")); # 0 | ||
1396 | &movz ("ecx",&BP(-128,$tbl,$acc,1)); # 0 | ||
1397 | &movd ("ebx","mm5"); # 13,12,11,10 | ||
1398 | &movz ("edx",&HB("eax")); # 1 | ||
1399 | &movz ("edx",&BP(-128,$tbl,"edx",1)); # 1 | ||
1400 | &shl ("edx",8); # 1 | ||
1401 | |||
1402 | &pshufw ("mm2","mm0",0x06); # 3, 2, 5, 4 | ||
1403 | &movz ($acc,&LB("ebx")); # 10 | ||
1404 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 10 | ||
1405 | &shl ($acc,16); # 10 | ||
1406 | &or ("ecx",$acc); # 10 | ||
1407 | &shr ("eax",16); # 7, 6 | ||
1408 | &movz ($acc,&HB("ebx")); # 11 | ||
1409 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 11 | ||
1410 | &shl ($acc,24); # 11 | ||
1411 | &or ("edx",$acc); # 11 | ||
1412 | &shr ("ebx",16); # 13,12 | ||
1413 | |||
1414 | &pshufw ("mm6","mm4",0x03); # 9, 8,15,14 | ||
1415 | &movz ($acc,&HB("eax")); # 7 | ||
1416 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 7 | ||
1417 | &shl ($acc,24); # 7 | ||
1418 | &or ("ecx",$acc); # 7 | ||
1419 | &movz ($acc,&HB("ebx")); # 13 | ||
1420 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 13 | ||
1421 | &shl ($acc,8); # 13 | ||
1422 | &or ("ecx",$acc); # 13 | ||
1423 | &movd ("mm0","ecx"); # t[0] collected | ||
1424 | |||
1425 | &movz ($acc,&LB("eax")); # 6 | ||
1426 | &movd ("eax","mm2"); # 3, 2, 5, 4 | ||
1427 | &movz ("ecx",&BP(-128,$tbl,$acc,1)); # 6 | ||
1428 | &shl ("ecx",16); # 6 | ||
1429 | &movz ($acc,&LB("ebx")); # 12 | ||
1430 | &movd ("ebx","mm6"); # 9, 8,15,14 | ||
1431 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 12 | ||
1432 | &or ("ecx",$acc); # 12 | ||
1433 | |||
1434 | &movz ($acc,&LB("eax")); # 4 | ||
1435 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 4 | ||
1436 | &or ("edx",$acc); # 4 | ||
1437 | &movz ($acc,&LB("ebx")); # 14 | ||
1438 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 14 | ||
1439 | &shl ($acc,16); # 14 | ||
1440 | &or ("edx",$acc); # 14 | ||
1441 | &movd ("mm1","edx"); # t[1] collected | ||
1442 | |||
1443 | &movz ($acc,&HB("eax")); # 5 | ||
1444 | &movz ("edx",&BP(-128,$tbl,$acc,1)); # 5 | ||
1445 | &shl ("edx",8); # 5 | ||
1446 | &movz ($acc,&HB("ebx")); # 15 | ||
1447 | &shr ("eax",16); # 3, 2 | ||
1448 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 15 | ||
1449 | &shl ($acc,24); # 15 | ||
1450 | &or ("edx",$acc); # 15 | ||
1451 | &shr ("ebx",16); # 9, 8 | ||
1452 | |||
1453 | &punpckldq ("mm0","mm1"); # t[0,1] collected | ||
1454 | |||
1455 | &movz ($acc,&HB("ebx")); # 9 | ||
1456 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 9 | ||
1457 | &shl ($acc,8); # 9 | ||
1458 | &or ("ecx",$acc); # 9 | ||
1459 | &and ("ebx",0xff); # 8 | ||
1460 | &movz ("ebx",&BP(-128,$tbl,"ebx",1)); # 8 | ||
1461 | &or ("edx","ebx"); # 8 | ||
1462 | &movz ($acc,&LB("eax")); # 2 | ||
1463 | &movz ($acc,&BP(-128,$tbl,$acc,1)); # 2 | ||
1464 | &shl ($acc,16); # 2 | ||
1465 | &or ("edx",$acc); # 2 | ||
1466 | &movd ("mm4","edx"); # t[2] collected | ||
1467 | &movz ("eax",&HB("eax")); # 3 | ||
1468 | &movz ("eax",&BP(-128,$tbl,"eax",1)); # 3 | ||
1469 | &shl ("eax",24); # 3 | ||
1470 | &or ("ecx","eax"); # 3 | ||
1471 | &movd ("mm5","ecx"); # t[3] collected | ||
1472 | |||
1473 | &punpckldq ("mm4","mm5"); # t[2,3] collected | ||
1474 | } | ||
1475 | |||
1476 | if (!$x86only) { | ||
1477 | &function_begin_B("_sse_AES_decrypt_compact"); | ||
1478 | &pxor ("mm0",&QWP(0,$key)); # 7, 6, 5, 4, 3, 2, 1, 0 | ||
1479 | &pxor ("mm4",&QWP(8,$key)); # 15,14,13,12,11,10, 9, 8 | ||
1480 | |||
1481 | # note that caller is expected to allocate stack frame for me! | ||
1482 | &mov ($acc,&DWP(240,$key)); # load key->rounds | ||
1483 | &lea ($acc,&DWP(-2,$acc,$acc)); | ||
1484 | &lea ($acc,&DWP(0,$key,$acc,8)); | ||
1485 | &mov ($__end,$acc); # end of key schedule | ||
1486 | |||
1487 | &mov ($s0,0x1b1b1b1b); # magic constant | ||
1488 | &mov (&DWP(8,"esp"),$s0); | ||
1489 | &mov (&DWP(12,"esp"),$s0); | ||
1490 | |||
1491 | # prefetch Td4 | ||
1492 | &mov ($s0,&DWP(0-128,$tbl)); | ||
1493 | &mov ($s1,&DWP(32-128,$tbl)); | ||
1494 | &mov ($s2,&DWP(64-128,$tbl)); | ||
1495 | &mov ($s3,&DWP(96-128,$tbl)); | ||
1496 | &mov ($s0,&DWP(128-128,$tbl)); | ||
1497 | &mov ($s1,&DWP(160-128,$tbl)); | ||
1498 | &mov ($s2,&DWP(192-128,$tbl)); | ||
1499 | &mov ($s3,&DWP(224-128,$tbl)); | ||
1500 | |||
1501 | &set_label("loop",16); | ||
1502 | &sse_deccompact(); | ||
1503 | &add ($key,16); | ||
1504 | &cmp ($key,$__end); | ||
1505 | &ja (&label("out")); | ||
1506 | |||
1507 | # ROTATE(x^y,N) == ROTATE(x,N)^ROTATE(y,N) | ||
1508 | &movq ("mm3","mm0"); &movq ("mm7","mm4"); | ||
1509 | &movq ("mm2","mm0",1); &movq ("mm6","mm4",1); | ||
1510 | &movq ("mm1","mm0"); &movq ("mm5","mm4"); | ||
1511 | &pshufw ("mm0","mm0",0xb1); &pshufw ("mm4","mm4",0xb1);# = ROTATE(tp0,16) | ||
1512 | &pslld ("mm2",8); &pslld ("mm6",8); | ||
1513 | &psrld ("mm3",8); &psrld ("mm7",8); | ||
1514 | &pxor ("mm0","mm2"); &pxor ("mm4","mm6"); # ^= tp0<<8 | ||
1515 | &pxor ("mm0","mm3"); &pxor ("mm4","mm7"); # ^= tp0>>8 | ||
1516 | &pslld ("mm2",16); &pslld ("mm6",16); | ||
1517 | &psrld ("mm3",16); &psrld ("mm7",16); | ||
1518 | &pxor ("mm0","mm2"); &pxor ("mm4","mm6"); # ^= tp0<<24 | ||
1519 | &pxor ("mm0","mm3"); &pxor ("mm4","mm7"); # ^= tp0>>24 | ||
1520 | |||
1521 | &movq ("mm3",&QWP(8,"esp")); | ||
1522 | &pxor ("mm2","mm2"); &pxor ("mm6","mm6"); | ||
1523 | &pcmpgtb("mm2","mm1"); &pcmpgtb("mm6","mm5"); | ||
1524 | &pand ("mm2","mm3"); &pand ("mm6","mm3"); | ||
1525 | &paddb ("mm1","mm1"); &paddb ("mm5","mm5"); | ||
1526 | &pxor ("mm1","mm2"); &pxor ("mm5","mm6"); # tp2 | ||
1527 | &movq ("mm3","mm1"); &movq ("mm7","mm5"); | ||
1528 | &movq ("mm2","mm1"); &movq ("mm6","mm5"); | ||
1529 | &pxor ("mm0","mm1"); &pxor ("mm4","mm5"); # ^= tp2 | ||
1530 | &pslld ("mm3",24); &pslld ("mm7",24); | ||
1531 | &psrld ("mm2",8); &psrld ("mm6",8); | ||
1532 | &pxor ("mm0","mm3"); &pxor ("mm4","mm7"); # ^= tp2<<24 | ||
1533 | &pxor ("mm0","mm2"); &pxor ("mm4","mm6"); # ^= tp2>>8 | ||
1534 | |||
1535 | &movq ("mm2",&QWP(8,"esp")); | ||
1536 | &pxor ("mm3","mm3"); &pxor ("mm7","mm7"); | ||
1537 | &pcmpgtb("mm3","mm1"); &pcmpgtb("mm7","mm5"); | ||
1538 | &pand ("mm3","mm2"); &pand ("mm7","mm2"); | ||
1539 | &paddb ("mm1","mm1"); &paddb ("mm5","mm5"); | ||
1540 | &pxor ("mm1","mm3"); &pxor ("mm5","mm7"); # tp4 | ||
1541 | &pshufw ("mm3","mm1",0xb1); &pshufw ("mm7","mm5",0xb1); | ||
1542 | &pxor ("mm0","mm1"); &pxor ("mm4","mm5"); # ^= tp4 | ||
1543 | &pxor ("mm0","mm3"); &pxor ("mm4","mm7"); # ^= ROTATE(tp4,16) | ||
1544 | |||
1545 | &pxor ("mm3","mm3"); &pxor ("mm7","mm7"); | ||
1546 | &pcmpgtb("mm3","mm1"); &pcmpgtb("mm7","mm5"); | ||
1547 | &pand ("mm3","mm2"); &pand ("mm7","mm2"); | ||
1548 | &paddb ("mm1","mm1"); &paddb ("mm5","mm5"); | ||
1549 | &pxor ("mm1","mm3"); &pxor ("mm5","mm7"); # tp8 | ||
1550 | &pxor ("mm0","mm1"); &pxor ("mm4","mm5"); # ^= tp8 | ||
1551 | &movq ("mm3","mm1"); &movq ("mm7","mm5"); | ||
1552 | &pshufw ("mm2","mm1",0xb1); &pshufw ("mm6","mm5",0xb1); | ||
1553 | &pxor ("mm0","mm2"); &pxor ("mm4","mm6"); # ^= ROTATE(tp8,16) | ||
1554 | &pslld ("mm1",8); &pslld ("mm5",8); | ||
1555 | &psrld ("mm3",8); &psrld ("mm7",8); | ||
1556 | &movq ("mm2",&QWP(0,$key)); &movq ("mm6",&QWP(8,$key)); | ||
1557 | &pxor ("mm0","mm1"); &pxor ("mm4","mm5"); # ^= tp8<<8 | ||
1558 | &pxor ("mm0","mm3"); &pxor ("mm4","mm7"); # ^= tp8>>8 | ||
1559 | &mov ($s0,&DWP(0-128,$tbl)); | ||
1560 | &pslld ("mm1",16); &pslld ("mm5",16); | ||
1561 | &mov ($s1,&DWP(64-128,$tbl)); | ||
1562 | &psrld ("mm3",16); &psrld ("mm7",16); | ||
1563 | &mov ($s2,&DWP(128-128,$tbl)); | ||
1564 | &pxor ("mm0","mm1"); &pxor ("mm4","mm5"); # ^= tp8<<24 | ||
1565 | &mov ($s3,&DWP(192-128,$tbl)); | ||
1566 | &pxor ("mm0","mm3"); &pxor ("mm4","mm7"); # ^= tp8>>24 | ||
1567 | |||
1568 | &pxor ("mm0","mm2"); &pxor ("mm4","mm6"); | ||
1569 | &jmp (&label("loop")); | ||
1570 | |||
1571 | &set_label("out",16); | ||
1572 | &pxor ("mm0",&QWP(0,$key)); | ||
1573 | &pxor ("mm4",&QWP(8,$key)); | ||
1574 | |||
1575 | &ret (); | ||
1576 | &function_end_B("_sse_AES_decrypt_compact"); | ||
1577 | } | ||
1578 | |||
1579 | ###################################################################### | ||
1580 | # Vanilla block function. | ||
1581 | ###################################################################### | ||
1582 | |||
1583 | sub decstep() | ||
1584 | { my ($i,$td,@s) = @_; | ||
1585 | my $tmp = $key; | ||
1586 | my $out = $i==3?$s[0]:$acc; | ||
1587 | |||
1588 | # no instructions are reordered, as performance appears | ||
1589 | # optimal... or rather that all attempts to reorder didn't | ||
1590 | # result in better performance [which by the way is not a | ||
1591 | # bit lower than ecryption]. | ||
1592 | if($i==3) { &mov ($key,$__key); } | ||
1593 | else { &mov ($out,$s[0]); } | ||
1594 | &and ($out,0xFF); | ||
1595 | &mov ($out,&DWP(0,$td,$out,8)); | ||
1596 | |||
1597 | if ($i==3) { $tmp=$s[1]; } | ||
1598 | &movz ($tmp,&HB($s[1])); | ||
1599 | &xor ($out,&DWP(3,$td,$tmp,8)); | ||
1600 | |||
1601 | if ($i==3) { $tmp=$s[2]; &mov ($s[1],$acc); } | ||
1602 | else { &mov ($tmp,$s[2]); } | ||
1603 | &shr ($tmp,16); | ||
1604 | &and ($tmp,0xFF); | ||
1605 | &xor ($out,&DWP(2,$td,$tmp,8)); | ||
1606 | |||
1607 | if ($i==3) { $tmp=$s[3]; &mov ($s[2],$__s1); } | ||
1608 | else { &mov ($tmp,$s[3]); } | ||
1609 | &shr ($tmp,24); | ||
1610 | &xor ($out,&DWP(1,$td,$tmp,8)); | ||
1611 | if ($i<2) { &mov (&DWP(4+4*$i,"esp"),$out); } | ||
1612 | if ($i==3) { &mov ($s[3],$__s0); } | ||
1613 | &comment(); | ||
1614 | } | ||
1615 | |||
1616 | sub declast() | ||
1617 | { my ($i,$td,@s)=@_; | ||
1618 | my $tmp = $key; | ||
1619 | my $out = $i==3?$s[0]:$acc; | ||
1620 | |||
1621 | if($i==0) { &lea ($td,&DWP(2048+128,$td)); | ||
1622 | &mov ($tmp,&DWP(0-128,$td)); | ||
1623 | &mov ($acc,&DWP(32-128,$td)); | ||
1624 | &mov ($tmp,&DWP(64-128,$td)); | ||
1625 | &mov ($acc,&DWP(96-128,$td)); | ||
1626 | &mov ($tmp,&DWP(128-128,$td)); | ||
1627 | &mov ($acc,&DWP(160-128,$td)); | ||
1628 | &mov ($tmp,&DWP(192-128,$td)); | ||
1629 | &mov ($acc,&DWP(224-128,$td)); | ||
1630 | &lea ($td,&DWP(-128,$td)); } | ||
1631 | if($i==3) { &mov ($key,$__key); } | ||
1632 | else { &mov ($out,$s[0]); } | ||
1633 | &and ($out,0xFF); | ||
1634 | &movz ($out,&BP(0,$td,$out,1)); | ||
1635 | |||
1636 | if ($i==3) { $tmp=$s[1]; } | ||
1637 | &movz ($tmp,&HB($s[1])); | ||
1638 | &movz ($tmp,&BP(0,$td,$tmp,1)); | ||
1639 | &shl ($tmp,8); | ||
1640 | &xor ($out,$tmp); | ||
1641 | |||
1642 | if ($i==3) { $tmp=$s[2]; &mov ($s[1],$acc); } | ||
1643 | else { mov ($tmp,$s[2]); } | ||
1644 | &shr ($tmp,16); | ||
1645 | &and ($tmp,0xFF); | ||
1646 | &movz ($tmp,&BP(0,$td,$tmp,1)); | ||
1647 | &shl ($tmp,16); | ||
1648 | &xor ($out,$tmp); | ||
1649 | |||
1650 | if ($i==3) { $tmp=$s[3]; &mov ($s[2],$__s1); } | ||
1651 | else { &mov ($tmp,$s[3]); } | ||
1652 | &shr ($tmp,24); | ||
1653 | &movz ($tmp,&BP(0,$td,$tmp,1)); | ||
1654 | &shl ($tmp,24); | ||
1655 | &xor ($out,$tmp); | ||
1656 | if ($i<2) { &mov (&DWP(4+4*$i,"esp"),$out); } | ||
1657 | if ($i==3) { &mov ($s[3],$__s0); | ||
1658 | &lea ($td,&DWP(-2048,$td)); } | ||
1659 | } | ||
1660 | |||
1661 | &function_begin_B("_x86_AES_decrypt"); | ||
1662 | # note that caller is expected to allocate stack frame for me! | ||
1663 | &mov ($__key,$key); # save key | ||
1664 | |||
1665 | &xor ($s0,&DWP(0,$key)); # xor with key | ||
1666 | &xor ($s1,&DWP(4,$key)); | ||
1667 | &xor ($s2,&DWP(8,$key)); | ||
1668 | &xor ($s3,&DWP(12,$key)); | ||
1669 | |||
1670 | &mov ($acc,&DWP(240,$key)); # load key->rounds | ||
1671 | |||
1672 | if ($small_footprint) { | ||
1673 | &lea ($acc,&DWP(-2,$acc,$acc)); | ||
1674 | &lea ($acc,&DWP(0,$key,$acc,8)); | ||
1675 | &mov ($__end,$acc); # end of key schedule | ||
1676 | &set_label("loop",16); | ||
1677 | &decstep(0,$tbl,$s0,$s3,$s2,$s1); | ||
1678 | &decstep(1,$tbl,$s1,$s0,$s3,$s2); | ||
1679 | &decstep(2,$tbl,$s2,$s1,$s0,$s3); | ||
1680 | &decstep(3,$tbl,$s3,$s2,$s1,$s0); | ||
1681 | &add ($key,16); # advance rd_key | ||
1682 | &xor ($s0,&DWP(0,$key)); | ||
1683 | &xor ($s1,&DWP(4,$key)); | ||
1684 | &xor ($s2,&DWP(8,$key)); | ||
1685 | &xor ($s3,&DWP(12,$key)); | ||
1686 | &cmp ($key,$__end); | ||
1687 | &mov ($__key,$key); | ||
1688 | &jb (&label("loop")); | ||
1689 | } | ||
1690 | else { | ||
1691 | &cmp ($acc,10); | ||
1692 | &jle (&label("10rounds")); | ||
1693 | &cmp ($acc,12); | ||
1694 | &jle (&label("12rounds")); | ||
1695 | |||
1696 | &set_label("14rounds",4); | ||
1697 | for ($i=1;$i<3;$i++) { | ||
1698 | &decstep(0,$tbl,$s0,$s3,$s2,$s1); | ||
1699 | &decstep(1,$tbl,$s1,$s0,$s3,$s2); | ||
1700 | &decstep(2,$tbl,$s2,$s1,$s0,$s3); | ||
1701 | &decstep(3,$tbl,$s3,$s2,$s1,$s0); | ||
1702 | &xor ($s0,&DWP(16*$i+0,$key)); | ||
1703 | &xor ($s1,&DWP(16*$i+4,$key)); | ||
1704 | &xor ($s2,&DWP(16*$i+8,$key)); | ||
1705 | &xor ($s3,&DWP(16*$i+12,$key)); | ||
1706 | } | ||
1707 | &add ($key,32); | ||
1708 | &mov ($__key,$key); # advance rd_key | ||
1709 | &set_label("12rounds",4); | ||
1710 | for ($i=1;$i<3;$i++) { | ||
1711 | &decstep(0,$tbl,$s0,$s3,$s2,$s1); | ||
1712 | &decstep(1,$tbl,$s1,$s0,$s3,$s2); | ||
1713 | &decstep(2,$tbl,$s2,$s1,$s0,$s3); | ||
1714 | &decstep(3,$tbl,$s3,$s2,$s1,$s0); | ||
1715 | &xor ($s0,&DWP(16*$i+0,$key)); | ||
1716 | &xor ($s1,&DWP(16*$i+4,$key)); | ||
1717 | &xor ($s2,&DWP(16*$i+8,$key)); | ||
1718 | &xor ($s3,&DWP(16*$i+12,$key)); | ||
1719 | } | ||
1720 | &add ($key,32); | ||
1721 | &mov ($__key,$key); # advance rd_key | ||
1722 | &set_label("10rounds",4); | ||
1723 | for ($i=1;$i<10;$i++) { | ||
1724 | &decstep(0,$tbl,$s0,$s3,$s2,$s1); | ||
1725 | &decstep(1,$tbl,$s1,$s0,$s3,$s2); | ||
1726 | &decstep(2,$tbl,$s2,$s1,$s0,$s3); | ||
1727 | &decstep(3,$tbl,$s3,$s2,$s1,$s0); | ||
1728 | &xor ($s0,&DWP(16*$i+0,$key)); | ||
1729 | &xor ($s1,&DWP(16*$i+4,$key)); | ||
1730 | &xor ($s2,&DWP(16*$i+8,$key)); | ||
1731 | &xor ($s3,&DWP(16*$i+12,$key)); | ||
1732 | } | ||
1733 | } | ||
1734 | |||
1735 | &declast(0,$tbl,$s0,$s3,$s2,$s1); | ||
1736 | &declast(1,$tbl,$s1,$s0,$s3,$s2); | ||
1737 | &declast(2,$tbl,$s2,$s1,$s0,$s3); | ||
1738 | &declast(3,$tbl,$s3,$s2,$s1,$s0); | ||
1739 | |||
1740 | &add ($key,$small_footprint?16:160); | ||
1741 | &xor ($s0,&DWP(0,$key)); | ||
1742 | &xor ($s1,&DWP(4,$key)); | ||
1743 | &xor ($s2,&DWP(8,$key)); | ||
1744 | &xor ($s3,&DWP(12,$key)); | ||
1745 | |||
1746 | &ret (); | ||
1747 | &function_end_B("_x86_AES_decrypt"); | ||
1748 | |||
1749 | &rodataseg(); | ||
1750 | &set_label("AES_Td",64); | ||
1751 | &_data_word(0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a); | ||
1752 | &_data_word(0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b); | ||
1753 | &_data_word(0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5); | ||
1754 | &_data_word(0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5); | ||
1755 | &_data_word(0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d); | ||
1756 | &_data_word(0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b); | ||
1757 | &_data_word(0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295); | ||
1758 | &_data_word(0x2d83bed4, 0xd3217458, 0x2969e049, 0x44c8c98e); | ||
1759 | &_data_word(0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927); | ||
1760 | &_data_word(0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d); | ||
1761 | &_data_word(0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362); | ||
1762 | &_data_word(0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9); | ||
1763 | &_data_word(0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52); | ||
1764 | &_data_word(0x23d373ab, 0xe2024b72, 0x578f1fe3, 0x2aab5566); | ||
1765 | &_data_word(0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3); | ||
1766 | &_data_word(0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed); | ||
1767 | &_data_word(0x2b1ccf8a, 0x92b479a7, 0xf0f207f3, 0xa1e2694e); | ||
1768 | &_data_word(0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4); | ||
1769 | &_data_word(0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4); | ||
1770 | &_data_word(0x39ec830b, 0xaaef6040, 0x069f715e, 0x51106ebd); | ||
1771 | &_data_word(0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d); | ||
1772 | &_data_word(0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060); | ||
1773 | &_data_word(0x24fb9819, 0x97e9bdd6, 0xcc434089, 0x779ed967); | ||
1774 | &_data_word(0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879); | ||
1775 | &_data_word(0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000); | ||
1776 | &_data_word(0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c); | ||
1777 | &_data_word(0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36); | ||
1778 | &_data_word(0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624); | ||
1779 | &_data_word(0xb1670a0c, 0x0fe75793, 0xd296eeb4, 0x9e919b1b); | ||
1780 | &_data_word(0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c); | ||
1781 | &_data_word(0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12); | ||
1782 | &_data_word(0x0b0d090e, 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14); | ||
1783 | &_data_word(0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3); | ||
1784 | &_data_word(0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b); | ||
1785 | &_data_word(0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8); | ||
1786 | &_data_word(0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684); | ||
1787 | &_data_word(0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7); | ||
1788 | &_data_word(0x4b2f9e1d, 0xf330b2dc, 0xec52860d, 0xd0e3c177); | ||
1789 | &_data_word(0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947); | ||
1790 | &_data_word(0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322); | ||
1791 | &_data_word(0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498); | ||
1792 | &_data_word(0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f); | ||
1793 | &_data_word(0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54); | ||
1794 | &_data_word(0xc2138df6, 0xe8b8d890, 0x5ef7392e, 0xf5afc382); | ||
1795 | &_data_word(0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf); | ||
1796 | &_data_word(0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb); | ||
1797 | &_data_word(0x097826cd, 0xf418596e, 0x01b79aec, 0xa89a4f83); | ||
1798 | &_data_word(0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef); | ||
1799 | &_data_word(0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029); | ||
1800 | &_data_word(0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235); | ||
1801 | &_data_word(0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733); | ||
1802 | &_data_word(0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117); | ||
1803 | &_data_word(0x8dd64d76, 0x4db0ef43, 0x544daacc, 0xdf0496e4); | ||
1804 | &_data_word(0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546); | ||
1805 | &_data_word(0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb); | ||
1806 | &_data_word(0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d); | ||
1807 | &_data_word(0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb); | ||
1808 | &_data_word(0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a); | ||
1809 | &_data_word(0x59dfd29c, 0x3f73f255, 0x79ce1418, 0xbf37c773); | ||
1810 | &_data_word(0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478); | ||
1811 | &_data_word(0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2); | ||
1812 | &_data_word(0x72c31d16, 0x0c25e2bc, 0x8b493c28, 0x41950dff); | ||
1813 | &_data_word(0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664); | ||
1814 | &_data_word(0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0); | ||
1815 | |||
1816 | #Td4: # four copies of Td4 to choose from to avoid L1 aliasing | ||
1817 | &data_byte(0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38); | ||
1818 | &data_byte(0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb); | ||
1819 | &data_byte(0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87); | ||
1820 | &data_byte(0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb); | ||
1821 | &data_byte(0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d); | ||
1822 | &data_byte(0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e); | ||
1823 | &data_byte(0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2); | ||
1824 | &data_byte(0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25); | ||
1825 | &data_byte(0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16); | ||
1826 | &data_byte(0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92); | ||
1827 | &data_byte(0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda); | ||
1828 | &data_byte(0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84); | ||
1829 | &data_byte(0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a); | ||
1830 | &data_byte(0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06); | ||
1831 | &data_byte(0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02); | ||
1832 | &data_byte(0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b); | ||
1833 | &data_byte(0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea); | ||
1834 | &data_byte(0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73); | ||
1835 | &data_byte(0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85); | ||
1836 | &data_byte(0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e); | ||
1837 | &data_byte(0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89); | ||
1838 | &data_byte(0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b); | ||
1839 | &data_byte(0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20); | ||
1840 | &data_byte(0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4); | ||
1841 | &data_byte(0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31); | ||
1842 | &data_byte(0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f); | ||
1843 | &data_byte(0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d); | ||
1844 | &data_byte(0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef); | ||
1845 | &data_byte(0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0); | ||
1846 | &data_byte(0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61); | ||
1847 | &data_byte(0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26); | ||
1848 | &data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d); | ||
1849 | |||
1850 | &data_byte(0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38); | ||
1851 | &data_byte(0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb); | ||
1852 | &data_byte(0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87); | ||
1853 | &data_byte(0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb); | ||
1854 | &data_byte(0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d); | ||
1855 | &data_byte(0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e); | ||
1856 | &data_byte(0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2); | ||
1857 | &data_byte(0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25); | ||
1858 | &data_byte(0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16); | ||
1859 | &data_byte(0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92); | ||
1860 | &data_byte(0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda); | ||
1861 | &data_byte(0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84); | ||
1862 | &data_byte(0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a); | ||
1863 | &data_byte(0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06); | ||
1864 | &data_byte(0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02); | ||
1865 | &data_byte(0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b); | ||
1866 | &data_byte(0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea); | ||
1867 | &data_byte(0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73); | ||
1868 | &data_byte(0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85); | ||
1869 | &data_byte(0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e); | ||
1870 | &data_byte(0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89); | ||
1871 | &data_byte(0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b); | ||
1872 | &data_byte(0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20); | ||
1873 | &data_byte(0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4); | ||
1874 | &data_byte(0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31); | ||
1875 | &data_byte(0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f); | ||
1876 | &data_byte(0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d); | ||
1877 | &data_byte(0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef); | ||
1878 | &data_byte(0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0); | ||
1879 | &data_byte(0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61); | ||
1880 | &data_byte(0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26); | ||
1881 | &data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d); | ||
1882 | |||
1883 | &data_byte(0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38); | ||
1884 | &data_byte(0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb); | ||
1885 | &data_byte(0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87); | ||
1886 | &data_byte(0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb); | ||
1887 | &data_byte(0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d); | ||
1888 | &data_byte(0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e); | ||
1889 | &data_byte(0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2); | ||
1890 | &data_byte(0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25); | ||
1891 | &data_byte(0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16); | ||
1892 | &data_byte(0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92); | ||
1893 | &data_byte(0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda); | ||
1894 | &data_byte(0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84); | ||
1895 | &data_byte(0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a); | ||
1896 | &data_byte(0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06); | ||
1897 | &data_byte(0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02); | ||
1898 | &data_byte(0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b); | ||
1899 | &data_byte(0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea); | ||
1900 | &data_byte(0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73); | ||
1901 | &data_byte(0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85); | ||
1902 | &data_byte(0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e); | ||
1903 | &data_byte(0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89); | ||
1904 | &data_byte(0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b); | ||
1905 | &data_byte(0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20); | ||
1906 | &data_byte(0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4); | ||
1907 | &data_byte(0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31); | ||
1908 | &data_byte(0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f); | ||
1909 | &data_byte(0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d); | ||
1910 | &data_byte(0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef); | ||
1911 | &data_byte(0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0); | ||
1912 | &data_byte(0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61); | ||
1913 | &data_byte(0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26); | ||
1914 | &data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d); | ||
1915 | |||
1916 | &data_byte(0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38); | ||
1917 | &data_byte(0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb); | ||
1918 | &data_byte(0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87); | ||
1919 | &data_byte(0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb); | ||
1920 | &data_byte(0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d); | ||
1921 | &data_byte(0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e); | ||
1922 | &data_byte(0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2); | ||
1923 | &data_byte(0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25); | ||
1924 | &data_byte(0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16); | ||
1925 | &data_byte(0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92); | ||
1926 | &data_byte(0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda); | ||
1927 | &data_byte(0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84); | ||
1928 | &data_byte(0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a); | ||
1929 | &data_byte(0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06); | ||
1930 | &data_byte(0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02); | ||
1931 | &data_byte(0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b); | ||
1932 | &data_byte(0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea); | ||
1933 | &data_byte(0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73); | ||
1934 | &data_byte(0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85); | ||
1935 | &data_byte(0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e); | ||
1936 | &data_byte(0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89); | ||
1937 | &data_byte(0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b); | ||
1938 | &data_byte(0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20); | ||
1939 | &data_byte(0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4); | ||
1940 | &data_byte(0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31); | ||
1941 | &data_byte(0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f); | ||
1942 | &data_byte(0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d); | ||
1943 | &data_byte(0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef); | ||
1944 | &data_byte(0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0); | ||
1945 | &data_byte(0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61); | ||
1946 | &data_byte(0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26); | ||
1947 | &data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d); | ||
1948 | &previous(); | ||
1949 | |||
1950 | # void aes_decrypt_internal(const void *inp, void *out, const AES_KEY *key); | ||
1951 | &function_begin("aes_decrypt_internal"); | ||
1952 | &mov ($acc,&wparam(0)); # load inp | ||
1953 | &mov ($key,&wparam(2)); # load key | ||
1954 | |||
1955 | &mov ($s0,"esp"); | ||
1956 | &sub ("esp",36); | ||
1957 | &and ("esp",-64); # align to cache-line | ||
1958 | |||
1959 | # place stack frame just "above" the key schedule | ||
1960 | &lea ($s1,&DWP(-64-63,$key)); | ||
1961 | &sub ($s1,"esp"); | ||
1962 | &neg ($s1); | ||
1963 | &and ($s1,0x3C0); # modulo 1024, but aligned to cache-line | ||
1964 | &sub ("esp",$s1); | ||
1965 | &add ("esp",4); # 4 is reserved for caller's return address | ||
1966 | &mov ($_esp,$s0); # save stack pointer | ||
1967 | |||
1968 | &picsetup($tbl); | ||
1969 | &picsymbol($s0, "OPENSSL_ia32cap_P", $tbl); | ||
1970 | &picsymbol($tbl, &label("AES_Td"), $tbl); | ||
1971 | |||
1972 | # pick Td4 copy which can't "overlap" with stack frame or key schedule | ||
1973 | &lea ($s1,&DWP(768-4,"esp")); | ||
1974 | &sub ($s1,$tbl); | ||
1975 | &and ($s1,0x300); | ||
1976 | &lea ($tbl,&DWP(2048+128,$tbl,$s1)); | ||
1977 | |||
1978 | if (!$x86only) { | ||
1979 | &bt (&DWP(0,$s0),"\$IA32CAP_BIT0_SSE"); # check for SSE bit | ||
1980 | &jnc (&label("x86")); | ||
1981 | |||
1982 | &movq ("mm0",&QWP(0,$acc)); | ||
1983 | &movq ("mm4",&QWP(8,$acc)); | ||
1984 | &call ("_sse_AES_decrypt_compact"); | ||
1985 | &mov ("esp",$_esp); # restore stack pointer | ||
1986 | &mov ($acc,&wparam(1)); # load out | ||
1987 | &movq (&QWP(0,$acc),"mm0"); # write output data | ||
1988 | &movq (&QWP(8,$acc),"mm4"); | ||
1989 | &emms (); | ||
1990 | &function_end_A(); | ||
1991 | } | ||
1992 | &set_label("x86",16); | ||
1993 | &mov ($_tbl,$tbl); | ||
1994 | &mov ($s0,&DWP(0,$acc)); # load input data | ||
1995 | &mov ($s1,&DWP(4,$acc)); | ||
1996 | &mov ($s2,&DWP(8,$acc)); | ||
1997 | &mov ($s3,&DWP(12,$acc)); | ||
1998 | &call ("_x86_AES_decrypt_compact"); | ||
1999 | &mov ("esp",$_esp); # restore stack pointer | ||
2000 | &mov ($acc,&wparam(1)); # load out | ||
2001 | &mov (&DWP(0,$acc),$s0); # write output data | ||
2002 | &mov (&DWP(4,$acc),$s1); | ||
2003 | &mov (&DWP(8,$acc),$s2); | ||
2004 | &mov (&DWP(12,$acc),$s3); | ||
2005 | &function_end("aes_decrypt_internal"); | ||
2006 | |||
2007 | # void aes_cbc_encrypt_internal(const void char *inp, unsigned char *out, | ||
2008 | # size_t length, const AES_KEY *key, unsigned char *ivp,const int enc); | ||
2009 | { | ||
2010 | # stack frame layout | ||
2011 | # -4(%esp) # return address 0(%esp) | ||
2012 | # 0(%esp) # s0 backing store 4(%esp) | ||
2013 | # 4(%esp) # s1 backing store 8(%esp) | ||
2014 | # 8(%esp) # s2 backing store 12(%esp) | ||
2015 | # 12(%esp) # s3 backing store 16(%esp) | ||
2016 | # 16(%esp) # key backup 20(%esp) | ||
2017 | # 20(%esp) # end of key schedule 24(%esp) | ||
2018 | # 24(%esp) # %ebp backup 28(%esp) | ||
2019 | # 28(%esp) # %esp backup | ||
2020 | my $_inp=&DWP(32,"esp"); # copy of wparam(0) | ||
2021 | my $_out=&DWP(36,"esp"); # copy of wparam(1) | ||
2022 | my $_len=&DWP(40,"esp"); # copy of wparam(2) | ||
2023 | my $_key=&DWP(44,"esp"); # copy of wparam(3) | ||
2024 | my $_ivp=&DWP(48,"esp"); # copy of wparam(4) | ||
2025 | my $_tmp=&DWP(52,"esp"); # volatile variable | ||
2026 | # | ||
2027 | my $ivec=&DWP(60,"esp"); # ivec[16] | ||
2028 | my $aes_key=&DWP(76,"esp"); # copy of aes_key | ||
2029 | my $mark=&DWP(76+240,"esp"); # copy of aes_key->rounds | ||
2030 | |||
2031 | &function_begin("aes_cbc_encrypt_internal"); | ||
2032 | &mov ($s2 eq "ecx"? $s2 : "",&wparam(2)); # load len | ||
2033 | &cmp ($s2,0); | ||
2034 | &je (&label("drop_out")); | ||
2035 | |||
2036 | &picsetup($tbl); | ||
2037 | &picsymbol($s0, "OPENSSL_ia32cap_P", $tbl); | ||
2038 | &picsymbol($tbl, &label("AES_Te"), $tbl); | ||
2039 | &cmp (&wparam(5),0); | ||
2040 | &jne (&label("picked_te")); | ||
2041 | &lea ($tbl,&DWP(&label("AES_Td")."-".&label("AES_Te"),$tbl)); | ||
2042 | &set_label("picked_te"); | ||
2043 | |||
2044 | # one can argue if this is required | ||
2045 | &pushf (); | ||
2046 | &cld (); | ||
2047 | |||
2048 | &cmp ($s2,$speed_limit); | ||
2049 | &jb (&label("slow_way")); | ||
2050 | &test ($s2,15); | ||
2051 | &jnz (&label("slow_way")); | ||
2052 | if (!$x86only) { | ||
2053 | &bt (&DWP(0,$s0),"\$IA32CAP_BIT0_HT"); # check for hyper-threading bit | ||
2054 | &jc (&label("slow_way")); | ||
2055 | } | ||
2056 | # pre-allocate aligned stack frame... | ||
2057 | &lea ($acc,&DWP(-80-244,"esp")); | ||
2058 | &and ($acc,-64); | ||
2059 | |||
2060 | # ... and make sure it doesn't alias with $tbl modulo 4096 | ||
2061 | &mov ($s0,$tbl); | ||
2062 | &lea ($s1,&DWP(2048+256,$tbl)); | ||
2063 | &mov ($s3,$acc); | ||
2064 | &and ($s0,0xfff); # s = %ebp&0xfff | ||
2065 | &and ($s1,0xfff); # e = (%ebp+2048+256)&0xfff | ||
2066 | &and ($s3,0xfff); # p = %esp&0xfff | ||
2067 | |||
2068 | &cmp ($s3,$s1); # if (p>=e) %esp =- (p-e); | ||
2069 | &jb (&label("tbl_break_out")); | ||
2070 | &sub ($s3,$s1); | ||
2071 | &sub ($acc,$s3); | ||
2072 | &jmp (&label("tbl_ok")); | ||
2073 | &set_label("tbl_break_out",4); # else %esp -= (p-s)&0xfff + framesz; | ||
2074 | &sub ($s3,$s0); | ||
2075 | &and ($s3,0xfff); | ||
2076 | &add ($s3,384); | ||
2077 | &sub ($acc,$s3); | ||
2078 | &set_label("tbl_ok",4); | ||
2079 | |||
2080 | &lea ($s3,&wparam(0)); # obtain pointer to parameter block | ||
2081 | &exch ("esp",$acc); # allocate stack frame | ||
2082 | &add ("esp",4); # reserve for return address! | ||
2083 | &mov ($_tbl,$tbl); # save %ebp | ||
2084 | &mov ($_esp,$acc); # save %esp | ||
2085 | |||
2086 | &mov ($s0,&DWP(0,$s3)); # load inp | ||
2087 | &mov ($s1,&DWP(4,$s3)); # load out | ||
2088 | #&mov ($s2,&DWP(8,$s3)); # load len | ||
2089 | &mov ($key,&DWP(12,$s3)); # load key | ||
2090 | &mov ($acc,&DWP(16,$s3)); # load ivp | ||
2091 | &mov ($s3,&DWP(20,$s3)); # load enc flag | ||
2092 | |||
2093 | &mov ($_inp,$s0); # save copy of inp | ||
2094 | &mov ($_out,$s1); # save copy of out | ||
2095 | &mov ($_len,$s2); # save copy of len | ||
2096 | &mov ($_key,$key); # save copy of key | ||
2097 | &mov ($_ivp,$acc); # save copy of ivp | ||
2098 | |||
2099 | &mov ($mark,0); # copy of aes_key->rounds = 0; | ||
2100 | # do we copy key schedule to stack? | ||
2101 | &mov ($s1 eq "ebx" ? $s1 : "",$key); | ||
2102 | &mov ($s2 eq "ecx" ? $s2 : "",244/4); | ||
2103 | &sub ($s1,$tbl); | ||
2104 | &mov ("esi",$key); | ||
2105 | &and ($s1,0xfff); | ||
2106 | &lea ("edi",$aes_key); | ||
2107 | &cmp ($s1,2048+256); | ||
2108 | &jb (&label("do_copy")); | ||
2109 | &cmp ($s1,4096-244); | ||
2110 | &jb (&label("skip_copy")); | ||
2111 | &set_label("do_copy",4); | ||
2112 | &mov ($_key,"edi"); | ||
2113 | &data_word(0xA5F3F689); # rep movsd | ||
2114 | &set_label("skip_copy"); | ||
2115 | |||
2116 | &mov ($key,16); | ||
2117 | &set_label("prefetch_tbl",4); | ||
2118 | &mov ($s0,&DWP(0,$tbl)); | ||
2119 | &mov ($s1,&DWP(32,$tbl)); | ||
2120 | &mov ($s2,&DWP(64,$tbl)); | ||
2121 | &mov ($acc,&DWP(96,$tbl)); | ||
2122 | &lea ($tbl,&DWP(128,$tbl)); | ||
2123 | &sub ($key,1); | ||
2124 | &jnz (&label("prefetch_tbl")); | ||
2125 | &sub ($tbl,2048); | ||
2126 | |||
2127 | &mov ($acc,$_inp); | ||
2128 | &mov ($key,$_ivp); | ||
2129 | |||
2130 | &cmp ($s3,0); | ||
2131 | &je (&label("fast_decrypt")); | ||
2132 | |||
2133 | #----------------------------- ENCRYPT -----------------------------# | ||
2134 | &mov ($s0,&DWP(0,$key)); # load iv | ||
2135 | &mov ($s1,&DWP(4,$key)); | ||
2136 | |||
2137 | &set_label("fast_enc_loop",16); | ||
2138 | &mov ($s2,&DWP(8,$key)); | ||
2139 | &mov ($s3,&DWP(12,$key)); | ||
2140 | |||
2141 | &xor ($s0,&DWP(0,$acc)); # xor input data | ||
2142 | &xor ($s1,&DWP(4,$acc)); | ||
2143 | &xor ($s2,&DWP(8,$acc)); | ||
2144 | &xor ($s3,&DWP(12,$acc)); | ||
2145 | |||
2146 | &mov ($key,$_key); # load key | ||
2147 | &call ("_x86_AES_encrypt"); | ||
2148 | |||
2149 | &mov ($acc,$_inp); # load inp | ||
2150 | &mov ($key,$_out); # load out | ||
2151 | |||
2152 | &mov (&DWP(0,$key),$s0); # save output data | ||
2153 | &mov (&DWP(4,$key),$s1); | ||
2154 | &mov (&DWP(8,$key),$s2); | ||
2155 | &mov (&DWP(12,$key),$s3); | ||
2156 | |||
2157 | &lea ($acc,&DWP(16,$acc)); # advance inp | ||
2158 | &mov ($s2,$_len); # load len | ||
2159 | &mov ($_inp,$acc); # save inp | ||
2160 | &lea ($s3,&DWP(16,$key)); # advance out | ||
2161 | &mov ($_out,$s3); # save out | ||
2162 | &sub ($s2,16); # decrease len | ||
2163 | &mov ($_len,$s2); # save len | ||
2164 | &jnz (&label("fast_enc_loop")); | ||
2165 | &mov ($acc,$_ivp); # load ivp | ||
2166 | &mov ($s2,&DWP(8,$key)); # restore last 2 dwords | ||
2167 | &mov ($s3,&DWP(12,$key)); | ||
2168 | &mov (&DWP(0,$acc),$s0); # save ivec | ||
2169 | &mov (&DWP(4,$acc),$s1); | ||
2170 | &mov (&DWP(8,$acc),$s2); | ||
2171 | &mov (&DWP(12,$acc),$s3); | ||
2172 | |||
2173 | &cmp ($mark,0); # was the key schedule copied? | ||
2174 | &mov ("edi",$_key); | ||
2175 | &je (&label("skip_ezero")); | ||
2176 | # zero copy of key schedule | ||
2177 | &mov ("ecx",240/4); | ||
2178 | &xor ("eax","eax"); | ||
2179 | &align (4); | ||
2180 | &data_word(0xABF3F689); # rep stosd | ||
2181 | &set_label("skip_ezero") | ||
2182 | &mov ("esp",$_esp); | ||
2183 | &popf (); | ||
2184 | &set_label("drop_out"); | ||
2185 | &function_end_A(); | ||
2186 | &pushf (); # kludge, never executed | ||
2187 | |||
2188 | #----------------------------- DECRYPT -----------------------------# | ||
2189 | &set_label("fast_decrypt",16); | ||
2190 | |||
2191 | &cmp ($acc,$_out); | ||
2192 | &je (&label("fast_dec_in_place")); # in-place processing... | ||
2193 | |||
2194 | &mov ($_tmp,$key); | ||
2195 | |||
2196 | &align (4); | ||
2197 | &set_label("fast_dec_loop",16); | ||
2198 | &mov ($s0,&DWP(0,$acc)); # read input | ||
2199 | &mov ($s1,&DWP(4,$acc)); | ||
2200 | &mov ($s2,&DWP(8,$acc)); | ||
2201 | &mov ($s3,&DWP(12,$acc)); | ||
2202 | |||
2203 | &mov ($key,$_key); # load key | ||
2204 | &call ("_x86_AES_decrypt"); | ||
2205 | |||
2206 | &mov ($key,$_tmp); # load ivp | ||
2207 | &mov ($acc,$_len); # load len | ||
2208 | &xor ($s0,&DWP(0,$key)); # xor iv | ||
2209 | &xor ($s1,&DWP(4,$key)); | ||
2210 | &xor ($s2,&DWP(8,$key)); | ||
2211 | &xor ($s3,&DWP(12,$key)); | ||
2212 | |||
2213 | &mov ($key,$_out); # load out | ||
2214 | &mov ($acc,$_inp); # load inp | ||
2215 | |||
2216 | &mov (&DWP(0,$key),$s0); # write output | ||
2217 | &mov (&DWP(4,$key),$s1); | ||
2218 | &mov (&DWP(8,$key),$s2); | ||
2219 | &mov (&DWP(12,$key),$s3); | ||
2220 | |||
2221 | &mov ($s2,$_len); # load len | ||
2222 | &mov ($_tmp,$acc); # save ivp | ||
2223 | &lea ($acc,&DWP(16,$acc)); # advance inp | ||
2224 | &mov ($_inp,$acc); # save inp | ||
2225 | &lea ($key,&DWP(16,$key)); # advance out | ||
2226 | &mov ($_out,$key); # save out | ||
2227 | &sub ($s2,16); # decrease len | ||
2228 | &mov ($_len,$s2); # save len | ||
2229 | &jnz (&label("fast_dec_loop")); | ||
2230 | &mov ($key,$_tmp); # load temp ivp | ||
2231 | &mov ($acc,$_ivp); # load user ivp | ||
2232 | &mov ($s0,&DWP(0,$key)); # load iv | ||
2233 | &mov ($s1,&DWP(4,$key)); | ||
2234 | &mov ($s2,&DWP(8,$key)); | ||
2235 | &mov ($s3,&DWP(12,$key)); | ||
2236 | &mov (&DWP(0,$acc),$s0); # copy back to user | ||
2237 | &mov (&DWP(4,$acc),$s1); | ||
2238 | &mov (&DWP(8,$acc),$s2); | ||
2239 | &mov (&DWP(12,$acc),$s3); | ||
2240 | &jmp (&label("fast_dec_out")); | ||
2241 | |||
2242 | &set_label("fast_dec_in_place",16); | ||
2243 | &set_label("fast_dec_in_place_loop"); | ||
2244 | &mov ($s0,&DWP(0,$acc)); # read input | ||
2245 | &mov ($s1,&DWP(4,$acc)); | ||
2246 | &mov ($s2,&DWP(8,$acc)); | ||
2247 | &mov ($s3,&DWP(12,$acc)); | ||
2248 | |||
2249 | &lea ($key,$ivec); | ||
2250 | &mov (&DWP(0,$key),$s0); # copy to temp | ||
2251 | &mov (&DWP(4,$key),$s1); | ||
2252 | &mov (&DWP(8,$key),$s2); | ||
2253 | &mov (&DWP(12,$key),$s3); | ||
2254 | |||
2255 | &mov ($key,$_key); # load key | ||
2256 | &call ("_x86_AES_decrypt"); | ||
2257 | |||
2258 | &mov ($key,$_ivp); # load ivp | ||
2259 | &mov ($acc,$_out); # load out | ||
2260 | &xor ($s0,&DWP(0,$key)); # xor iv | ||
2261 | &xor ($s1,&DWP(4,$key)); | ||
2262 | &xor ($s2,&DWP(8,$key)); | ||
2263 | &xor ($s3,&DWP(12,$key)); | ||
2264 | |||
2265 | &mov (&DWP(0,$acc),$s0); # write output | ||
2266 | &mov (&DWP(4,$acc),$s1); | ||
2267 | &mov (&DWP(8,$acc),$s2); | ||
2268 | &mov (&DWP(12,$acc),$s3); | ||
2269 | |||
2270 | &lea ($acc,&DWP(16,$acc)); # advance out | ||
2271 | &mov ($_out,$acc); # save out | ||
2272 | |||
2273 | &lea ($acc,$ivec); | ||
2274 | &mov ($s0,&DWP(0,$acc)); # read temp | ||
2275 | &mov ($s1,&DWP(4,$acc)); | ||
2276 | &mov ($s2,&DWP(8,$acc)); | ||
2277 | &mov ($s3,&DWP(12,$acc)); | ||
2278 | |||
2279 | &mov (&DWP(0,$key),$s0); # copy iv | ||
2280 | &mov (&DWP(4,$key),$s1); | ||
2281 | &mov (&DWP(8,$key),$s2); | ||
2282 | &mov (&DWP(12,$key),$s3); | ||
2283 | |||
2284 | &mov ($acc,$_inp); # load inp | ||
2285 | &mov ($s2,$_len); # load len | ||
2286 | &lea ($acc,&DWP(16,$acc)); # advance inp | ||
2287 | &mov ($_inp,$acc); # save inp | ||
2288 | &sub ($s2,16); # decrease len | ||
2289 | &mov ($_len,$s2); # save len | ||
2290 | &jnz (&label("fast_dec_in_place_loop")); | ||
2291 | |||
2292 | &set_label("fast_dec_out",4); | ||
2293 | &cmp ($mark,0); # was the key schedule copied? | ||
2294 | &mov ("edi",$_key); | ||
2295 | &je (&label("skip_dzero")); | ||
2296 | # zero copy of key schedule | ||
2297 | &mov ("ecx",240/4); | ||
2298 | &xor ("eax","eax"); | ||
2299 | &align (4); | ||
2300 | &data_word(0xABF3F689); # rep stosd | ||
2301 | &set_label("skip_dzero") | ||
2302 | &mov ("esp",$_esp); | ||
2303 | &popf (); | ||
2304 | &function_end_A(); | ||
2305 | &pushf (); # kludge, never executed | ||
2306 | |||
2307 | #--------------------------- SLOW ROUTINE ---------------------------# | ||
2308 | &set_label("slow_way",16); | ||
2309 | |||
2310 | &mov ($s0,&DWP(0,$s0)) if (!$x86only);# load OPENSSL_ia32cap | ||
2311 | &mov ($key,&wparam(3)); # load key | ||
2312 | |||
2313 | # pre-allocate aligned stack frame... | ||
2314 | &lea ($acc,&DWP(-80,"esp")); | ||
2315 | &and ($acc,-64); | ||
2316 | |||
2317 | # ... and make sure it doesn't alias with $key modulo 1024 | ||
2318 | &lea ($s1,&DWP(-80-63,$key)); | ||
2319 | &sub ($s1,$acc); | ||
2320 | &neg ($s1); | ||
2321 | &and ($s1,0x3C0); # modulo 1024, but aligned to cache-line | ||
2322 | &sub ($acc,$s1); | ||
2323 | |||
2324 | # pick S-box copy which can't overlap with stack frame or $key | ||
2325 | &lea ($s1,&DWP(768,$acc)); | ||
2326 | &sub ($s1,$tbl); | ||
2327 | &and ($s1,0x300); | ||
2328 | &lea ($tbl,&DWP(2048+128,$tbl,$s1)); | ||
2329 | |||
2330 | &lea ($s3,&wparam(0)); # pointer to parameter block | ||
2331 | |||
2332 | &exch ("esp",$acc); | ||
2333 | &add ("esp",4); # reserve for return address! | ||
2334 | &mov ($_tbl,$tbl); # save %ebp | ||
2335 | &mov ($_esp,$acc); # save %esp | ||
2336 | &mov ($_tmp,$s0); # save OPENSSL_ia32cap | ||
2337 | |||
2338 | &mov ($s0,&DWP(0,$s3)); # load inp | ||
2339 | &mov ($s1,&DWP(4,$s3)); # load out | ||
2340 | #&mov ($s2,&DWP(8,$s3)); # load len | ||
2341 | #&mov ($key,&DWP(12,$s3)); # load key | ||
2342 | &mov ($acc,&DWP(16,$s3)); # load ivp | ||
2343 | &mov ($s3,&DWP(20,$s3)); # load enc flag | ||
2344 | |||
2345 | &mov ($_inp,$s0); # save copy of inp | ||
2346 | &mov ($_out,$s1); # save copy of out | ||
2347 | &mov ($_len,$s2); # save copy of len | ||
2348 | &mov ($_key,$key); # save copy of key | ||
2349 | &mov ($_ivp,$acc); # save copy of ivp | ||
2350 | |||
2351 | &mov ($key,$acc); | ||
2352 | &mov ($acc,$s0); | ||
2353 | |||
2354 | &cmp ($s3,0); | ||
2355 | &je (&label("slow_decrypt")); | ||
2356 | |||
2357 | #--------------------------- SLOW ENCRYPT ---------------------------# | ||
2358 | &cmp ($s2,16); | ||
2359 | &mov ($s3,$s1); | ||
2360 | &jb (&label("slow_enc_tail")); | ||
2361 | |||
2362 | if (!$x86only) { | ||
2363 | &bt ($_tmp,"\$IA32CAP_BIT0_SSE"); # check for SSE bit | ||
2364 | &jnc (&label("slow_enc_x86")); | ||
2365 | |||
2366 | &movq ("mm0",&QWP(0,$key)); # load iv | ||
2367 | &movq ("mm4",&QWP(8,$key)); | ||
2368 | |||
2369 | &set_label("slow_enc_loop_sse",16); | ||
2370 | &pxor ("mm0",&QWP(0,$acc)); # xor input data | ||
2371 | &pxor ("mm4",&QWP(8,$acc)); | ||
2372 | |||
2373 | &mov ($key,$_key); | ||
2374 | &call ("_sse_AES_encrypt_compact"); | ||
2375 | |||
2376 | &mov ($acc,$_inp); # load inp | ||
2377 | &mov ($key,$_out); # load out | ||
2378 | &mov ($s2,$_len); # load len | ||
2379 | |||
2380 | &movq (&QWP(0,$key),"mm0"); # save output data | ||
2381 | &movq (&QWP(8,$key),"mm4"); | ||
2382 | |||
2383 | &lea ($acc,&DWP(16,$acc)); # advance inp | ||
2384 | &mov ($_inp,$acc); # save inp | ||
2385 | &lea ($s3,&DWP(16,$key)); # advance out | ||
2386 | &mov ($_out,$s3); # save out | ||
2387 | &sub ($s2,16); # decrease len | ||
2388 | &cmp ($s2,16); | ||
2389 | &mov ($_len,$s2); # save len | ||
2390 | &jae (&label("slow_enc_loop_sse")); | ||
2391 | &test ($s2,15); | ||
2392 | &jnz (&label("slow_enc_tail")); | ||
2393 | &mov ($acc,$_ivp); # load ivp | ||
2394 | &movq (&QWP(0,$acc),"mm0"); # save ivec | ||
2395 | &movq (&QWP(8,$acc),"mm4"); | ||
2396 | &emms (); | ||
2397 | &mov ("esp",$_esp); | ||
2398 | &popf (); | ||
2399 | &function_end_A(); | ||
2400 | &pushf (); # kludge, never executed | ||
2401 | } | ||
2402 | &set_label("slow_enc_x86",16); | ||
2403 | &mov ($s0,&DWP(0,$key)); # load iv | ||
2404 | &mov ($s1,&DWP(4,$key)); | ||
2405 | |||
2406 | &set_label("slow_enc_loop_x86",4); | ||
2407 | &mov ($s2,&DWP(8,$key)); | ||
2408 | &mov ($s3,&DWP(12,$key)); | ||
2409 | |||
2410 | &xor ($s0,&DWP(0,$acc)); # xor input data | ||
2411 | &xor ($s1,&DWP(4,$acc)); | ||
2412 | &xor ($s2,&DWP(8,$acc)); | ||
2413 | &xor ($s3,&DWP(12,$acc)); | ||
2414 | |||
2415 | &mov ($key,$_key); # load key | ||
2416 | &call ("_x86_AES_encrypt_compact"); | ||
2417 | |||
2418 | &mov ($acc,$_inp); # load inp | ||
2419 | &mov ($key,$_out); # load out | ||
2420 | |||
2421 | &mov (&DWP(0,$key),$s0); # save output data | ||
2422 | &mov (&DWP(4,$key),$s1); | ||
2423 | &mov (&DWP(8,$key),$s2); | ||
2424 | &mov (&DWP(12,$key),$s3); | ||
2425 | |||
2426 | &mov ($s2,$_len); # load len | ||
2427 | &lea ($acc,&DWP(16,$acc)); # advance inp | ||
2428 | &mov ($_inp,$acc); # save inp | ||
2429 | &lea ($s3,&DWP(16,$key)); # advance out | ||
2430 | &mov ($_out,$s3); # save out | ||
2431 | &sub ($s2,16); # decrease len | ||
2432 | &cmp ($s2,16); | ||
2433 | &mov ($_len,$s2); # save len | ||
2434 | &jae (&label("slow_enc_loop_x86")); | ||
2435 | &test ($s2,15); | ||
2436 | &jnz (&label("slow_enc_tail")); | ||
2437 | &mov ($acc,$_ivp); # load ivp | ||
2438 | &mov ($s2,&DWP(8,$key)); # restore last dwords | ||
2439 | &mov ($s3,&DWP(12,$key)); | ||
2440 | &mov (&DWP(0,$acc),$s0); # save ivec | ||
2441 | &mov (&DWP(4,$acc),$s1); | ||
2442 | &mov (&DWP(8,$acc),$s2); | ||
2443 | &mov (&DWP(12,$acc),$s3); | ||
2444 | |||
2445 | &mov ("esp",$_esp); | ||
2446 | &popf (); | ||
2447 | &function_end_A(); | ||
2448 | &pushf (); # kludge, never executed | ||
2449 | |||
2450 | &set_label("slow_enc_tail",16); | ||
2451 | &emms () if (!$x86only); | ||
2452 | &mov ($key eq "edi"? $key:"",$s3); # load out to edi | ||
2453 | &mov ($s1,16); | ||
2454 | &sub ($s1,$s2); | ||
2455 | &cmp ($key,$acc eq "esi"? $acc:""); # compare with inp | ||
2456 | &je (&label("enc_in_place")); | ||
2457 | &align (4); | ||
2458 | &data_word(0xA4F3F689); # rep movsb # copy input | ||
2459 | &jmp (&label("enc_skip_in_place")); | ||
2460 | &set_label("enc_in_place"); | ||
2461 | &lea ($key,&DWP(0,$key,$s2)); | ||
2462 | &set_label("enc_skip_in_place"); | ||
2463 | &mov ($s2,$s1); | ||
2464 | &xor ($s0,$s0); | ||
2465 | &align (4); | ||
2466 | &data_word(0xAAF3F689); # rep stosb # zero tail | ||
2467 | |||
2468 | &mov ($key,$_ivp); # restore ivp | ||
2469 | &mov ($acc,$s3); # output as input | ||
2470 | &mov ($s0,&DWP(0,$key)); | ||
2471 | &mov ($s1,&DWP(4,$key)); | ||
2472 | &mov ($_len,16); # len=16 | ||
2473 | &jmp (&label("slow_enc_loop_x86")); # one more spin... | ||
2474 | |||
2475 | #--------------------------- SLOW DECRYPT ---------------------------# | ||
2476 | &set_label("slow_decrypt",16); | ||
2477 | if (!$x86only) { | ||
2478 | &bt ($_tmp,"\$IA32CAP_BIT0_SSE"); # check for SSE bit | ||
2479 | &jnc (&label("slow_dec_loop_x86")); | ||
2480 | |||
2481 | &set_label("slow_dec_loop_sse",4); | ||
2482 | &movq ("mm0",&QWP(0,$acc)); # read input | ||
2483 | &movq ("mm4",&QWP(8,$acc)); | ||
2484 | |||
2485 | &mov ($key,$_key); | ||
2486 | &call ("_sse_AES_decrypt_compact"); | ||
2487 | |||
2488 | &mov ($acc,$_inp); # load inp | ||
2489 | &lea ($s0,$ivec); | ||
2490 | &mov ($s1,$_out); # load out | ||
2491 | &mov ($s2,$_len); # load len | ||
2492 | &mov ($key,$_ivp); # load ivp | ||
2493 | |||
2494 | &movq ("mm1",&QWP(0,$acc)); # re-read input | ||
2495 | &movq ("mm5",&QWP(8,$acc)); | ||
2496 | |||
2497 | &pxor ("mm0",&QWP(0,$key)); # xor iv | ||
2498 | &pxor ("mm4",&QWP(8,$key)); | ||
2499 | |||
2500 | &movq (&QWP(0,$key),"mm1"); # copy input to iv | ||
2501 | &movq (&QWP(8,$key),"mm5"); | ||
2502 | |||
2503 | &sub ($s2,16); # decrease len | ||
2504 | &jc (&label("slow_dec_partial_sse")); | ||
2505 | |||
2506 | &movq (&QWP(0,$s1),"mm0"); # write output | ||
2507 | &movq (&QWP(8,$s1),"mm4"); | ||
2508 | |||
2509 | &lea ($s1,&DWP(16,$s1)); # advance out | ||
2510 | &mov ($_out,$s1); # save out | ||
2511 | &lea ($acc,&DWP(16,$acc)); # advance inp | ||
2512 | &mov ($_inp,$acc); # save inp | ||
2513 | &mov ($_len,$s2); # save len | ||
2514 | &jnz (&label("slow_dec_loop_sse")); | ||
2515 | &emms (); | ||
2516 | &mov ("esp",$_esp); | ||
2517 | &popf (); | ||
2518 | &function_end_A(); | ||
2519 | &pushf (); # kludge, never executed | ||
2520 | |||
2521 | &set_label("slow_dec_partial_sse",16); | ||
2522 | &movq (&QWP(0,$s0),"mm0"); # save output to temp | ||
2523 | &movq (&QWP(8,$s0),"mm4"); | ||
2524 | &emms (); | ||
2525 | |||
2526 | &add ($s2 eq "ecx" ? "ecx":"",16); | ||
2527 | &mov ("edi",$s1); # out | ||
2528 | &mov ("esi",$s0); # temp | ||
2529 | &align (4); | ||
2530 | &data_word(0xA4F3F689); # rep movsb # copy partial output | ||
2531 | |||
2532 | &mov ("esp",$_esp); | ||
2533 | &popf (); | ||
2534 | &function_end_A(); | ||
2535 | &pushf (); # kludge, never executed | ||
2536 | } | ||
2537 | &set_label("slow_dec_loop_x86",16); | ||
2538 | &mov ($s0,&DWP(0,$acc)); # read input | ||
2539 | &mov ($s1,&DWP(4,$acc)); | ||
2540 | &mov ($s2,&DWP(8,$acc)); | ||
2541 | &mov ($s3,&DWP(12,$acc)); | ||
2542 | |||
2543 | &lea ($key,$ivec); | ||
2544 | &mov (&DWP(0,$key),$s0); # copy to temp | ||
2545 | &mov (&DWP(4,$key),$s1); | ||
2546 | &mov (&DWP(8,$key),$s2); | ||
2547 | &mov (&DWP(12,$key),$s3); | ||
2548 | |||
2549 | &mov ($key,$_key); # load key | ||
2550 | &call ("_x86_AES_decrypt_compact"); | ||
2551 | |||
2552 | &mov ($key,$_ivp); # load ivp | ||
2553 | &mov ($acc,$_len); # load len | ||
2554 | &xor ($s0,&DWP(0,$key)); # xor iv | ||
2555 | &xor ($s1,&DWP(4,$key)); | ||
2556 | &xor ($s2,&DWP(8,$key)); | ||
2557 | &xor ($s3,&DWP(12,$key)); | ||
2558 | |||
2559 | &sub ($acc,16); | ||
2560 | &jc (&label("slow_dec_partial_x86")); | ||
2561 | |||
2562 | &mov ($_len,$acc); # save len | ||
2563 | &mov ($acc,$_out); # load out | ||
2564 | |||
2565 | &mov (&DWP(0,$acc),$s0); # write output | ||
2566 | &mov (&DWP(4,$acc),$s1); | ||
2567 | &mov (&DWP(8,$acc),$s2); | ||
2568 | &mov (&DWP(12,$acc),$s3); | ||
2569 | |||
2570 | &lea ($acc,&DWP(16,$acc)); # advance out | ||
2571 | &mov ($_out,$acc); # save out | ||
2572 | |||
2573 | &lea ($acc,$ivec); | ||
2574 | &mov ($s0,&DWP(0,$acc)); # read temp | ||
2575 | &mov ($s1,&DWP(4,$acc)); | ||
2576 | &mov ($s2,&DWP(8,$acc)); | ||
2577 | &mov ($s3,&DWP(12,$acc)); | ||
2578 | |||
2579 | &mov (&DWP(0,$key),$s0); # copy it to iv | ||
2580 | &mov (&DWP(4,$key),$s1); | ||
2581 | &mov (&DWP(8,$key),$s2); | ||
2582 | &mov (&DWP(12,$key),$s3); | ||
2583 | |||
2584 | &mov ($acc,$_inp); # load inp | ||
2585 | &lea ($acc,&DWP(16,$acc)); # advance inp | ||
2586 | &mov ($_inp,$acc); # save inp | ||
2587 | &jnz (&label("slow_dec_loop_x86")); | ||
2588 | &mov ("esp",$_esp); | ||
2589 | &popf (); | ||
2590 | &function_end_A(); | ||
2591 | &pushf (); # kludge, never executed | ||
2592 | |||
2593 | &set_label("slow_dec_partial_x86",16); | ||
2594 | &lea ($acc,$ivec); | ||
2595 | &mov (&DWP(0,$acc),$s0); # save output to temp | ||
2596 | &mov (&DWP(4,$acc),$s1); | ||
2597 | &mov (&DWP(8,$acc),$s2); | ||
2598 | &mov (&DWP(12,$acc),$s3); | ||
2599 | |||
2600 | &mov ($acc,$_inp); | ||
2601 | &mov ($s0,&DWP(0,$acc)); # re-read input | ||
2602 | &mov ($s1,&DWP(4,$acc)); | ||
2603 | &mov ($s2,&DWP(8,$acc)); | ||
2604 | &mov ($s3,&DWP(12,$acc)); | ||
2605 | |||
2606 | &mov (&DWP(0,$key),$s0); # copy it to iv | ||
2607 | &mov (&DWP(4,$key),$s1); | ||
2608 | &mov (&DWP(8,$key),$s2); | ||
2609 | &mov (&DWP(12,$key),$s3); | ||
2610 | |||
2611 | &mov ("ecx",$_len); | ||
2612 | &mov ("edi",$_out); | ||
2613 | &lea ("esi",$ivec); | ||
2614 | &align (4); | ||
2615 | &data_word(0xA4F3F689); # rep movsb # copy partial output | ||
2616 | |||
2617 | &mov ("esp",$_esp); | ||
2618 | &popf (); | ||
2619 | &function_end("aes_cbc_encrypt_internal"); | ||
2620 | } | ||
2621 | |||
2622 | #------------------------------------------------------------------# | ||
2623 | |||
2624 | sub enckey() | ||
2625 | { | ||
2626 | &movz ("esi",&LB("edx")); # rk[i]>>0 | ||
2627 | &movz ("ebx",&BP(-128,$tbl,"esi",1)); | ||
2628 | &movz ("esi",&HB("edx")); # rk[i]>>8 | ||
2629 | &shl ("ebx",24); | ||
2630 | &xor ("eax","ebx"); | ||
2631 | |||
2632 | &movz ("ebx",&BP(-128,$tbl,"esi",1)); | ||
2633 | &shr ("edx",16); | ||
2634 | &movz ("esi",&LB("edx")); # rk[i]>>16 | ||
2635 | &xor ("eax","ebx"); | ||
2636 | |||
2637 | &movz ("ebx",&BP(-128,$tbl,"esi",1)); | ||
2638 | &movz ("esi",&HB("edx")); # rk[i]>>24 | ||
2639 | &shl ("ebx",8); | ||
2640 | &xor ("eax","ebx"); | ||
2641 | |||
2642 | &movz ("ebx",&BP(-128,$tbl,"esi",1)); | ||
2643 | &shl ("ebx",16); | ||
2644 | &xor ("eax","ebx"); | ||
2645 | |||
2646 | &xor ("eax",&DWP(1024-128,$tbl,"ecx",4)); # rcon | ||
2647 | } | ||
2648 | |||
2649 | &function_begin("_x86_AES_set_encrypt_key"); | ||
2650 | &mov ("esi",&wparam(1)); # user supplied key | ||
2651 | &mov ("edi",&wparam(3)); # private key schedule | ||
2652 | |||
2653 | &test ("esi",-1); | ||
2654 | &jz (&label("badpointer")); | ||
2655 | &test ("edi",-1); | ||
2656 | &jz (&label("badpointer")); | ||
2657 | |||
2658 | &picsetup($tbl); | ||
2659 | &picsymbol($tbl, &label("AES_Te"), $tbl); | ||
2660 | |||
2661 | &lea ($tbl,&DWP(2048+128,$tbl)); | ||
2662 | |||
2663 | # prefetch Te4 | ||
2664 | &mov ("eax",&DWP(0-128,$tbl)); | ||
2665 | &mov ("ebx",&DWP(32-128,$tbl)); | ||
2666 | &mov ("ecx",&DWP(64-128,$tbl)); | ||
2667 | &mov ("edx",&DWP(96-128,$tbl)); | ||
2668 | &mov ("eax",&DWP(128-128,$tbl)); | ||
2669 | &mov ("ebx",&DWP(160-128,$tbl)); | ||
2670 | &mov ("ecx",&DWP(192-128,$tbl)); | ||
2671 | &mov ("edx",&DWP(224-128,$tbl)); | ||
2672 | |||
2673 | &mov ("ecx",&wparam(2)); # number of bits in key | ||
2674 | &cmp ("ecx",128); | ||
2675 | &je (&label("10rounds")); | ||
2676 | &cmp ("ecx",192); | ||
2677 | &je (&label("12rounds")); | ||
2678 | &cmp ("ecx",256); | ||
2679 | &je (&label("14rounds")); | ||
2680 | &mov ("eax",-2); # invalid number of bits | ||
2681 | &jmp (&label("exit")); | ||
2682 | |||
2683 | &set_label("10rounds"); | ||
2684 | &mov ("eax",&DWP(0,"esi")); # copy first 4 dwords | ||
2685 | &mov ("ebx",&DWP(4,"esi")); | ||
2686 | &mov ("ecx",&DWP(8,"esi")); | ||
2687 | &mov ("edx",&DWP(12,"esi")); | ||
2688 | &mov (&DWP(0,"edi"),"eax"); | ||
2689 | &mov (&DWP(4,"edi"),"ebx"); | ||
2690 | &mov (&DWP(8,"edi"),"ecx"); | ||
2691 | &mov (&DWP(12,"edi"),"edx"); | ||
2692 | |||
2693 | &xor ("ecx","ecx"); | ||
2694 | &jmp (&label("10shortcut")); | ||
2695 | |||
2696 | &align (4); | ||
2697 | &set_label("10loop"); | ||
2698 | &mov ("eax",&DWP(0,"edi")); # rk[0] | ||
2699 | &mov ("edx",&DWP(12,"edi")); # rk[3] | ||
2700 | &set_label("10shortcut"); | ||
2701 | &enckey (); | ||
2702 | |||
2703 | &mov (&DWP(16,"edi"),"eax"); # rk[4] | ||
2704 | &xor ("eax",&DWP(4,"edi")); | ||
2705 | &mov (&DWP(20,"edi"),"eax"); # rk[5] | ||
2706 | &xor ("eax",&DWP(8,"edi")); | ||
2707 | &mov (&DWP(24,"edi"),"eax"); # rk[6] | ||
2708 | &xor ("eax",&DWP(12,"edi")); | ||
2709 | &mov (&DWP(28,"edi"),"eax"); # rk[7] | ||
2710 | &inc ("ecx"); | ||
2711 | &add ("edi",16); | ||
2712 | &cmp ("ecx",10); | ||
2713 | &jl (&label("10loop")); | ||
2714 | |||
2715 | &mov (&DWP(80,"edi"),10); # setup number of rounds | ||
2716 | &xor ("eax","eax"); | ||
2717 | &jmp (&label("exit")); | ||
2718 | |||
2719 | &set_label("12rounds"); | ||
2720 | &mov ("eax",&DWP(0,"esi")); # copy first 6 dwords | ||
2721 | &mov ("ebx",&DWP(4,"esi")); | ||
2722 | &mov ("ecx",&DWP(8,"esi")); | ||
2723 | &mov ("edx",&DWP(12,"esi")); | ||
2724 | &mov (&DWP(0,"edi"),"eax"); | ||
2725 | &mov (&DWP(4,"edi"),"ebx"); | ||
2726 | &mov (&DWP(8,"edi"),"ecx"); | ||
2727 | &mov (&DWP(12,"edi"),"edx"); | ||
2728 | &mov ("ecx",&DWP(16,"esi")); | ||
2729 | &mov ("edx",&DWP(20,"esi")); | ||
2730 | &mov (&DWP(16,"edi"),"ecx"); | ||
2731 | &mov (&DWP(20,"edi"),"edx"); | ||
2732 | |||
2733 | &xor ("ecx","ecx"); | ||
2734 | &jmp (&label("12shortcut")); | ||
2735 | |||
2736 | &align (4); | ||
2737 | &set_label("12loop"); | ||
2738 | &mov ("eax",&DWP(0,"edi")); # rk[0] | ||
2739 | &mov ("edx",&DWP(20,"edi")); # rk[5] | ||
2740 | &set_label("12shortcut"); | ||
2741 | &enckey (); | ||
2742 | |||
2743 | &mov (&DWP(24,"edi"),"eax"); # rk[6] | ||
2744 | &xor ("eax",&DWP(4,"edi")); | ||
2745 | &mov (&DWP(28,"edi"),"eax"); # rk[7] | ||
2746 | &xor ("eax",&DWP(8,"edi")); | ||
2747 | &mov (&DWP(32,"edi"),"eax"); # rk[8] | ||
2748 | &xor ("eax",&DWP(12,"edi")); | ||
2749 | &mov (&DWP(36,"edi"),"eax"); # rk[9] | ||
2750 | |||
2751 | &cmp ("ecx",7); | ||
2752 | &je (&label("12break")); | ||
2753 | &inc ("ecx"); | ||
2754 | |||
2755 | &xor ("eax",&DWP(16,"edi")); | ||
2756 | &mov (&DWP(40,"edi"),"eax"); # rk[10] | ||
2757 | &xor ("eax",&DWP(20,"edi")); | ||
2758 | &mov (&DWP(44,"edi"),"eax"); # rk[11] | ||
2759 | |||
2760 | &add ("edi",24); | ||
2761 | &jmp (&label("12loop")); | ||
2762 | |||
2763 | &set_label("12break"); | ||
2764 | &mov (&DWP(72,"edi"),12); # setup number of rounds | ||
2765 | &xor ("eax","eax"); | ||
2766 | &jmp (&label("exit")); | ||
2767 | |||
2768 | &set_label("14rounds"); | ||
2769 | &mov ("eax",&DWP(0,"esi")); # copy first 8 dwords | ||
2770 | &mov ("ebx",&DWP(4,"esi")); | ||
2771 | &mov ("ecx",&DWP(8,"esi")); | ||
2772 | &mov ("edx",&DWP(12,"esi")); | ||
2773 | &mov (&DWP(0,"edi"),"eax"); | ||
2774 | &mov (&DWP(4,"edi"),"ebx"); | ||
2775 | &mov (&DWP(8,"edi"),"ecx"); | ||
2776 | &mov (&DWP(12,"edi"),"edx"); | ||
2777 | &mov ("eax",&DWP(16,"esi")); | ||
2778 | &mov ("ebx",&DWP(20,"esi")); | ||
2779 | &mov ("ecx",&DWP(24,"esi")); | ||
2780 | &mov ("edx",&DWP(28,"esi")); | ||
2781 | &mov (&DWP(16,"edi"),"eax"); | ||
2782 | &mov (&DWP(20,"edi"),"ebx"); | ||
2783 | &mov (&DWP(24,"edi"),"ecx"); | ||
2784 | &mov (&DWP(28,"edi"),"edx"); | ||
2785 | |||
2786 | &xor ("ecx","ecx"); | ||
2787 | &jmp (&label("14shortcut")); | ||
2788 | |||
2789 | &align (4); | ||
2790 | &set_label("14loop"); | ||
2791 | &mov ("edx",&DWP(28,"edi")); # rk[7] | ||
2792 | &set_label("14shortcut"); | ||
2793 | &mov ("eax",&DWP(0,"edi")); # rk[0] | ||
2794 | |||
2795 | &enckey (); | ||
2796 | |||
2797 | &mov (&DWP(32,"edi"),"eax"); # rk[8] | ||
2798 | &xor ("eax",&DWP(4,"edi")); | ||
2799 | &mov (&DWP(36,"edi"),"eax"); # rk[9] | ||
2800 | &xor ("eax",&DWP(8,"edi")); | ||
2801 | &mov (&DWP(40,"edi"),"eax"); # rk[10] | ||
2802 | &xor ("eax",&DWP(12,"edi")); | ||
2803 | &mov (&DWP(44,"edi"),"eax"); # rk[11] | ||
2804 | |||
2805 | &cmp ("ecx",6); | ||
2806 | &je (&label("14break")); | ||
2807 | &inc ("ecx"); | ||
2808 | |||
2809 | &mov ("edx","eax"); | ||
2810 | &mov ("eax",&DWP(16,"edi")); # rk[4] | ||
2811 | &movz ("esi",&LB("edx")); # rk[11]>>0 | ||
2812 | &movz ("ebx",&BP(-128,$tbl,"esi",1)); | ||
2813 | &movz ("esi",&HB("edx")); # rk[11]>>8 | ||
2814 | &xor ("eax","ebx"); | ||
2815 | |||
2816 | &movz ("ebx",&BP(-128,$tbl,"esi",1)); | ||
2817 | &shr ("edx",16); | ||
2818 | &shl ("ebx",8); | ||
2819 | &movz ("esi",&LB("edx")); # rk[11]>>16 | ||
2820 | &xor ("eax","ebx"); | ||
2821 | |||
2822 | &movz ("ebx",&BP(-128,$tbl,"esi",1)); | ||
2823 | &movz ("esi",&HB("edx")); # rk[11]>>24 | ||
2824 | &shl ("ebx",16); | ||
2825 | &xor ("eax","ebx"); | ||
2826 | |||
2827 | &movz ("ebx",&BP(-128,$tbl,"esi",1)); | ||
2828 | &shl ("ebx",24); | ||
2829 | &xor ("eax","ebx"); | ||
2830 | |||
2831 | &mov (&DWP(48,"edi"),"eax"); # rk[12] | ||
2832 | &xor ("eax",&DWP(20,"edi")); | ||
2833 | &mov (&DWP(52,"edi"),"eax"); # rk[13] | ||
2834 | &xor ("eax",&DWP(24,"edi")); | ||
2835 | &mov (&DWP(56,"edi"),"eax"); # rk[14] | ||
2836 | &xor ("eax",&DWP(28,"edi")); | ||
2837 | &mov (&DWP(60,"edi"),"eax"); # rk[15] | ||
2838 | |||
2839 | &add ("edi",32); | ||
2840 | &jmp (&label("14loop")); | ||
2841 | |||
2842 | &set_label("14break"); | ||
2843 | &mov (&DWP(48,"edi"),14); # setup number of rounds | ||
2844 | &xor ("eax","eax"); | ||
2845 | &jmp (&label("exit")); | ||
2846 | |||
2847 | &set_label("badpointer"); | ||
2848 | &mov ("eax",-1); | ||
2849 | &set_label("exit"); | ||
2850 | &function_end("_x86_AES_set_encrypt_key"); | ||
2851 | |||
2852 | # int aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits, | ||
2853 | # AES_KEY *key) | ||
2854 | &function_begin_B("aes_set_encrypt_key_internal"); | ||
2855 | &call ("_x86_AES_set_encrypt_key"); | ||
2856 | &ret (); | ||
2857 | &function_end_B("aes_set_encrypt_key_internal"); | ||
2858 | |||
2859 | sub deckey() | ||
2860 | { my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_; | ||
2861 | my $tmp = $tbl; | ||
2862 | |||
2863 | &mov ($acc,$tp1); | ||
2864 | &and ($acc,0x80808080); | ||
2865 | &mov ($tmp,$acc); | ||
2866 | &shr ($tmp,7); | ||
2867 | &lea ($tp2,&DWP(0,$tp1,$tp1)); | ||
2868 | &sub ($acc,$tmp); | ||
2869 | &and ($tp2,0xfefefefe); | ||
2870 | &and ($acc,0x1b1b1b1b); | ||
2871 | &xor ($acc,$tp2); | ||
2872 | &mov ($tp2,$acc); | ||
2873 | |||
2874 | &and ($acc,0x80808080); | ||
2875 | &mov ($tmp,$acc); | ||
2876 | &shr ($tmp,7); | ||
2877 | &lea ($tp4,&DWP(0,$tp2,$tp2)); | ||
2878 | &sub ($acc,$tmp); | ||
2879 | &and ($tp4,0xfefefefe); | ||
2880 | &and ($acc,0x1b1b1b1b); | ||
2881 | &xor ($tp2,$tp1); # tp2^tp1 | ||
2882 | &xor ($acc,$tp4); | ||
2883 | &mov ($tp4,$acc); | ||
2884 | |||
2885 | &and ($acc,0x80808080); | ||
2886 | &mov ($tmp,$acc); | ||
2887 | &shr ($tmp,7); | ||
2888 | &lea ($tp8,&DWP(0,$tp4,$tp4)); | ||
2889 | &xor ($tp4,$tp1); # tp4^tp1 | ||
2890 | &sub ($acc,$tmp); | ||
2891 | &and ($tp8,0xfefefefe); | ||
2892 | &and ($acc,0x1b1b1b1b); | ||
2893 | &rotl ($tp1,8); # = ROTATE(tp1,8) | ||
2894 | &xor ($tp8,$acc); | ||
2895 | |||
2896 | &mov ($tmp,&DWP(4*($i+1),$key)); # modulo-scheduled load | ||
2897 | |||
2898 | &xor ($tp1,$tp2); | ||
2899 | &xor ($tp2,$tp8); | ||
2900 | &xor ($tp1,$tp4); | ||
2901 | &rotl ($tp2,24); | ||
2902 | &xor ($tp4,$tp8); | ||
2903 | &xor ($tp1,$tp8); # ^= tp8^(tp4^tp1)^(tp2^tp1) | ||
2904 | &rotl ($tp4,16); | ||
2905 | &xor ($tp1,$tp2); # ^= ROTATE(tp8^tp2^tp1,24) | ||
2906 | &rotl ($tp8,8); | ||
2907 | &xor ($tp1,$tp4); # ^= ROTATE(tp8^tp4^tp1,16) | ||
2908 | &mov ($tp2,$tmp); | ||
2909 | &xor ($tp1,$tp8); # ^= ROTATE(tp8,8) | ||
2910 | |||
2911 | &mov (&DWP(4*$i,$key),$tp1); | ||
2912 | } | ||
2913 | |||
2914 | # int aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits, | ||
2915 | # AES_KEY *key) | ||
2916 | &function_begin_B("aes_set_decrypt_key_internal"); | ||
2917 | &call ("_x86_AES_set_encrypt_key"); | ||
2918 | &cmp ("eax",0); | ||
2919 | &je (&label("proceed")); | ||
2920 | &ret (); | ||
2921 | |||
2922 | &set_label("proceed"); | ||
2923 | &push ("ebp"); | ||
2924 | &push ("ebx"); | ||
2925 | &push ("esi"); | ||
2926 | &push ("edi"); | ||
2927 | |||
2928 | &mov ("esi",&wparam(2)); | ||
2929 | &mov ("ecx",&DWP(240,"esi")); # pull number of rounds | ||
2930 | &lea ("ecx",&DWP(0,"","ecx",4)); | ||
2931 | &lea ("edi",&DWP(0,"esi","ecx",4)); # pointer to last chunk | ||
2932 | |||
2933 | &set_label("invert",4); # invert order of chunks | ||
2934 | &mov ("eax",&DWP(0,"esi")); | ||
2935 | &mov ("ebx",&DWP(4,"esi")); | ||
2936 | &mov ("ecx",&DWP(0,"edi")); | ||
2937 | &mov ("edx",&DWP(4,"edi")); | ||
2938 | &mov (&DWP(0,"edi"),"eax"); | ||
2939 | &mov (&DWP(4,"edi"),"ebx"); | ||
2940 | &mov (&DWP(0,"esi"),"ecx"); | ||
2941 | &mov (&DWP(4,"esi"),"edx"); | ||
2942 | &mov ("eax",&DWP(8,"esi")); | ||
2943 | &mov ("ebx",&DWP(12,"esi")); | ||
2944 | &mov ("ecx",&DWP(8,"edi")); | ||
2945 | &mov ("edx",&DWP(12,"edi")); | ||
2946 | &mov (&DWP(8,"edi"),"eax"); | ||
2947 | &mov (&DWP(12,"edi"),"ebx"); | ||
2948 | &mov (&DWP(8,"esi"),"ecx"); | ||
2949 | &mov (&DWP(12,"esi"),"edx"); | ||
2950 | &add ("esi",16); | ||
2951 | &sub ("edi",16); | ||
2952 | &cmp ("esi","edi"); | ||
2953 | &jne (&label("invert")); | ||
2954 | |||
2955 | &mov ($key,&wparam(2)); | ||
2956 | &mov ($acc,&DWP(240,$key)); # pull number of rounds | ||
2957 | &lea ($acc,&DWP(-2,$acc,$acc)); | ||
2958 | &lea ($acc,&DWP(0,$key,$acc,8)); | ||
2959 | &mov (&wparam(2),$acc); | ||
2960 | |||
2961 | &mov ($s0,&DWP(16,$key)); # modulo-scheduled load | ||
2962 | &set_label("permute",4); # permute the key schedule | ||
2963 | &add ($key,16); | ||
2964 | &deckey (0,$key,$s0,$s1,$s2,$s3); | ||
2965 | &deckey (1,$key,$s1,$s2,$s3,$s0); | ||
2966 | &deckey (2,$key,$s2,$s3,$s0,$s1); | ||
2967 | &deckey (3,$key,$s3,$s0,$s1,$s2); | ||
2968 | &cmp ($key,&wparam(2)); | ||
2969 | &jb (&label("permute")); | ||
2970 | |||
2971 | &xor ("eax","eax"); # return success | ||
2972 | &function_end("aes_set_decrypt_key_internal"); | ||
2973 | |||
2974 | &asm_finish(); | ||