OLD | NEW |
| (Empty) |
1 #!/usr/bin/env perl | |
2 | |
3 ###################################################################### | |
4 ## Constant-time SSSE3 AES core implementation. | |
5 ## version 0.1 | |
6 ## | |
7 ## By Mike Hamburg (Stanford University), 2009 | |
8 ## Public domain. | |
9 ## | |
10 ## For details see http://shiftleft.org/papers/vector_aes/ and | |
11 ## http://crypto.stanford.edu/vpaes/. | |
12 | |
13 ###################################################################### | |
14 # September 2011. | |
15 # | |
16 # Interface to OpenSSL as "almost" drop-in replacement for | |
17 # aes-x86_64.pl. "Almost" refers to the fact that AES_cbc_encrypt | |
18 # doesn't handle partial vectors (doesn't have to if called from | |
19 # EVP only). "Drop-in" implies that this module doesn't share key | |
20 # schedule structure with the original nor does it make assumption | |
21 # about its alignment... | |
22 # | |
23 # Performance summary. aes-x86_64.pl column lists large-block CBC | |
24 # encrypt/decrypt/with-hyper-threading-off(*) results in cycles per | |
25 # byte processed with 128-bit key, and vpaes-x86_64.pl column - | |
26 # [also large-block CBC] encrypt/decrypt. | |
27 # | |
28 # aes-x86_64.pl vpaes-x86_64.pl | |
29 # | |
30 # Core 2(**) 30.5/43.7/14.3 21.8/25.7(***) | |
31 # Nehalem 30.5/42.2/14.6 9.8/11.8 | |
32 # Atom 63.9/79.0/32.1 64.0/84.8(***) | |
33 # | |
34 # (*) "Hyper-threading" in the context refers rather to cache shared | |
35 # among multiple cores, than to specifically Intel HTT. As vast | |
36 # majority of contemporary cores share cache, slower code path | |
37 # is common place. In other words "with-hyper-threading-off" | |
38 # results are presented mostly for reference purposes. | |
39 # | |
40 # (**) "Core 2" refers to initial 65nm design, a.k.a. Conroe. | |
41 # | |
42 # (***) Less impressive improvement on Core 2 and Atom is due to slow | |
43 # pshufb, yet it's respectable +40%/78% improvement on Core 2 | |
44 # (as implied, over "hyper-threading-safe" code path). | |
45 # | |
46 # <appro@openssl.org> | |
47 | |
48 $flavour = shift; | |
49 $output = shift; | |
50 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } | |
51 | |
52 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); | |
53 | |
54 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; | |
55 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or | |
56 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or | |
57 die "can't locate x86_64-xlate.pl"; | |
58 | |
59 open OUT,"| \"$^X\" $xlate $flavour $output"; | |
60 *STDOUT=*OUT; | |
61 | |
62 $PREFIX="vpaes"; | |
63 | |
64 $code.=<<___; | |
65 .text | |
66 | |
67 ## | |
68 ## _aes_encrypt_core | |
69 ## | |
70 ## AES-encrypt %xmm0. | |
71 ## | |
72 ## Inputs: | |
73 ## %xmm0 = input | |
74 ## %xmm9-%xmm15 as in _vpaes_preheat | |
75 ## (%rdx) = scheduled keys | |
76 ## | |
77 ## Output in %xmm0 | |
78 ## Clobbers %xmm1-%xmm5, %r9, %r10, %r11, %rax | |
79 ## Preserves %xmm6 - %xmm8 so you get some local vectors | |
80 ## | |
81 ## | |
82 .type _vpaes_encrypt_core,\@abi-omnipotent | |
83 .align 16 | |
84 _vpaes_encrypt_core: | |
85 mov %rdx, %r9 | |
86 mov \$16, %r11 | |
87 mov 240(%rdx),%eax | |
88 movdqa %xmm9, %xmm1 | |
89 movdqa .Lk_ipt(%rip), %xmm2 # iptlo | |
90 pandn %xmm0, %xmm1 | |
91 movdqu (%r9), %xmm5 # round0 key | |
92 psrld \$4, %xmm1 | |
93 pand %xmm9, %xmm0 | |
94 pshufb %xmm0, %xmm2 | |
95 movdqa .Lk_ipt+16(%rip), %xmm0 # ipthi | |
96 pshufb %xmm1, %xmm0 | |
97 pxor %xmm5, %xmm2 | |
98 pxor %xmm2, %xmm0 | |
99 add \$16, %r9 | |
100 lea .Lk_mc_backward(%rip),%r10 | |
101 jmp .Lenc_entry | |
102 | |
103 .align 16 | |
104 .Lenc_loop: | |
105 # middle of middle round | |
106 movdqa %xmm13, %xmm4 # 4 : sb1u | |
107 pshufb %xmm2, %xmm4 # 4 = sb1u | |
108 pxor %xmm5, %xmm4 # 4 = sb1u + k | |
109 movdqa %xmm12, %xmm0 # 0 : sb1t | |
110 pshufb %xmm3, %xmm0 # 0 = sb1t | |
111 pxor %xmm4, %xmm0 # 0 = A | |
112 movdqa %xmm15, %xmm5 # 4 : sb2u | |
113 pshufb %xmm2, %xmm5 # 4 = sb2u | |
114 movdqa -0x40(%r11,%r10), %xmm1 # .Lk_mc_forward[] | |
115 movdqa %xmm14, %xmm2 # 2 : sb2t | |
116 pshufb %xmm3, %xmm2 # 2 = sb2t | |
117 pxor %xmm5, %xmm2 # 2 = 2A | |
118 movdqa (%r11,%r10), %xmm4 # .Lk_mc_backward[] | |
119 movdqa %xmm0, %xmm3 # 3 = A | |
120 pshufb %xmm1, %xmm0 # 0 = B | |
121 add \$16, %r9 # next key | |
122 pxor %xmm2, %xmm0 # 0 = 2A+B | |
123 pshufb %xmm4, %xmm3 # 3 = D | |
124 add \$16, %r11 # next mc | |
125 pxor %xmm0, %xmm3 # 3 = 2A+B+D | |
126 pshufb %xmm1, %xmm0 # 0 = 2B+C | |
127 and \$0x30, %r11 # ... mod 4 | |
128 pxor %xmm3, %xmm0 # 0 = 2A+3B+C+D | |
129 sub \$1,%rax # nr-- | |
130 | |
131 .Lenc_entry: | |
132 # top of round | |
133 movdqa %xmm9, %xmm1 # 1 : i | |
134 pandn %xmm0, %xmm1 # 1 = i<<4 | |
135 psrld \$4, %xmm1 # 1 = i | |
136 pand %xmm9, %xmm0 # 0 = k | |
137 movdqa %xmm11, %xmm5 # 2 : a/k | |
138 pshufb %xmm0, %xmm5 # 2 = a/k | |
139 pxor %xmm1, %xmm0 # 0 = j | |
140 movdqa %xmm10, %xmm3 # 3 : 1/i | |
141 pshufb %xmm1, %xmm3 # 3 = 1/i | |
142 pxor %xmm5, %xmm3 # 3 = iak = 1/i + a/k | |
143 movdqa %xmm10, %xmm4 # 4 : 1/j | |
144 pshufb %xmm0, %xmm4 # 4 = 1/j | |
145 pxor %xmm5, %xmm4 # 4 = jak = 1/j + a/k | |
146 movdqa %xmm10, %xmm2 # 2 : 1/iak | |
147 pshufb %xmm3, %xmm2 # 2 = 1/iak | |
148 pxor %xmm0, %xmm2 # 2 = io | |
149 movdqa %xmm10, %xmm3 # 3 : 1/jak | |
150 movdqu (%r9), %xmm5 | |
151 pshufb %xmm4, %xmm3 # 3 = 1/jak | |
152 pxor %xmm1, %xmm3 # 3 = jo | |
153 jnz .Lenc_loop | |
154 | |
155 # middle of last round | |
156 movdqa -0x60(%r10), %xmm4 # 3 : sbou .Lk_sbo | |
157 movdqa -0x50(%r10), %xmm0 # 0 : sbot .Lk_sbo+16 | |
158 pshufb %xmm2, %xmm4 # 4 = sbou | |
159 pxor %xmm5, %xmm4 # 4 = sb1u + k | |
160 pshufb %xmm3, %xmm0 # 0 = sb1t | |
161 movdqa 0x40(%r11,%r10), %xmm1 # .Lk_sr[] | |
162 pxor %xmm4, %xmm0 # 0 = A | |
163 pshufb %xmm1, %xmm0 | |
164 ret | |
165 .size _vpaes_encrypt_core,.-_vpaes_encrypt_core | |
166 | |
167 ## | |
168 ## Decryption core | |
169 ## | |
170 ## Same API as encryption core. | |
171 ## | |
172 .type _vpaes_decrypt_core,\@abi-omnipotent | |
173 .align 16 | |
174 _vpaes_decrypt_core: | |
175 mov %rdx, %r9 # load key | |
176 mov 240(%rdx),%eax | |
177 movdqa %xmm9, %xmm1 | |
178 movdqa .Lk_dipt(%rip), %xmm2 # iptlo | |
179 pandn %xmm0, %xmm1 | |
180 mov %rax, %r11 | |
181 psrld \$4, %xmm1 | |
182 movdqu (%r9), %xmm5 # round0 key | |
183 shl \$4, %r11 | |
184 pand %xmm9, %xmm0 | |
185 pshufb %xmm0, %xmm2 | |
186 movdqa .Lk_dipt+16(%rip), %xmm0 # ipthi | |
187 xor \$0x30, %r11 | |
188 lea .Lk_dsbd(%rip),%r10 | |
189 pshufb %xmm1, %xmm0 | |
190 and \$0x30, %r11 | |
191 pxor %xmm5, %xmm2 | |
192 movdqa .Lk_mc_forward+48(%rip), %xmm5 | |
193 pxor %xmm2, %xmm0 | |
194 add \$16, %r9 | |
195 add %r10, %r11 | |
196 jmp .Ldec_entry | |
197 | |
198 .align 16 | |
199 .Ldec_loop: | |
200 ## | |
201 ## Inverse mix columns | |
202 ## | |
203 movdqa -0x20(%r10),%xmm4 # 4 : sb9u | |
204 pshufb %xmm2, %xmm4 # 4 = sb9u | |
205 pxor %xmm0, %xmm4 | |
206 movdqa -0x10(%r10),%xmm0 # 0 : sb9t | |
207 pshufb %xmm3, %xmm0 # 0 = sb9t | |
208 pxor %xmm4, %xmm0 # 0 = ch | |
209 add \$16, %r9 # next round key | |
210 | |
211 pshufb %xmm5, %xmm0 # MC ch | |
212 movdqa 0x00(%r10),%xmm4 # 4 : sbdu | |
213 pshufb %xmm2, %xmm4 # 4 = sbdu | |
214 pxor %xmm0, %xmm4 # 4 = ch | |
215 movdqa 0x10(%r10),%xmm0 # 0 : sbdt | |
216 pshufb %xmm3, %xmm0 # 0 = sbdt | |
217 pxor %xmm4, %xmm0 # 0 = ch | |
218 sub \$1,%rax # nr-- | |
219 | |
220 pshufb %xmm5, %xmm0 # MC ch | |
221 movdqa 0x20(%r10),%xmm4 # 4 : sbbu | |
222 pshufb %xmm2, %xmm4 # 4 = sbbu | |
223 pxor %xmm0, %xmm4 # 4 = ch | |
224 movdqa 0x30(%r10),%xmm0 # 0 : sbbt | |
225 pshufb %xmm3, %xmm0 # 0 = sbbt | |
226 pxor %xmm4, %xmm0 # 0 = ch | |
227 | |
228 pshufb %xmm5, %xmm0 # MC ch | |
229 movdqa 0x40(%r10),%xmm4 # 4 : sbeu | |
230 pshufb %xmm2, %xmm4 # 4 = sbeu | |
231 pxor %xmm0, %xmm4 # 4 = ch | |
232 movdqa 0x50(%r10),%xmm0 # 0 : sbet | |
233 pshufb %xmm3, %xmm0 # 0 = sbet | |
234 pxor %xmm4, %xmm0 # 0 = ch | |
235 | |
236 palignr \$12, %xmm5, %xmm5 | |
237 | |
238 .Ldec_entry: | |
239 # top of round | |
240 movdqa %xmm9, %xmm1 # 1 : i | |
241 pandn %xmm0, %xmm1 # 1 = i<<4 | |
242 psrld \$4, %xmm1 # 1 = i | |
243 pand %xmm9, %xmm0 # 0 = k | |
244 movdqa %xmm11, %xmm2 # 2 : a/k | |
245 pshufb %xmm0, %xmm2 # 2 = a/k | |
246 pxor %xmm1, %xmm0 # 0 = j | |
247 movdqa %xmm10, %xmm3 # 3 : 1/i | |
248 pshufb %xmm1, %xmm3 # 3 = 1/i | |
249 pxor %xmm2, %xmm3 # 3 = iak = 1/i + a/k | |
250 movdqa %xmm10, %xmm4 # 4 : 1/j | |
251 pshufb %xmm0, %xmm4 # 4 = 1/j | |
252 pxor %xmm2, %xmm4 # 4 = jak = 1/j + a/k | |
253 movdqa %xmm10, %xmm2 # 2 : 1/iak | |
254 pshufb %xmm3, %xmm2 # 2 = 1/iak | |
255 pxor %xmm0, %xmm2 # 2 = io | |
256 movdqa %xmm10, %xmm3 # 3 : 1/jak | |
257 pshufb %xmm4, %xmm3 # 3 = 1/jak | |
258 pxor %xmm1, %xmm3 # 3 = jo | |
259 movdqu (%r9), %xmm0 | |
260 jnz .Ldec_loop | |
261 | |
262 # middle of last round | |
263 movdqa 0x60(%r10), %xmm4 # 3 : sbou | |
264 pshufb %xmm2, %xmm4 # 4 = sbou | |
265 pxor %xmm0, %xmm4 # 4 = sb1u + k | |
266 movdqa 0x70(%r10), %xmm0 # 0 : sbot | |
267 movdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160 | |
268 pshufb %xmm3, %xmm0 # 0 = sb1t | |
269 pxor %xmm4, %xmm0 # 0 = A | |
270 pshufb %xmm2, %xmm0 | |
271 ret | |
272 .size _vpaes_decrypt_core,.-_vpaes_decrypt_core | |
273 | |
274 ######################################################## | |
275 ## ## | |
276 ## AES key schedule ## | |
277 ## ## | |
278 ######################################################## | |
279 .type _vpaes_schedule_core,\@abi-omnipotent | |
280 .align 16 | |
281 _vpaes_schedule_core: | |
282 # rdi = key | |
283 # rsi = size in bits | |
284 # rdx = buffer | |
285 # rcx = direction. 0=encrypt, 1=decrypt | |
286 | |
287 call _vpaes_preheat # load the tables | |
288 movdqa .Lk_rcon(%rip), %xmm8 # load rcon | |
289 movdqu (%rdi), %xmm0 # load key (unaligned) | |
290 | |
291 # input transform | |
292 movdqa %xmm0, %xmm3 | |
293 lea .Lk_ipt(%rip), %r11 | |
294 call _vpaes_schedule_transform | |
295 movdqa %xmm0, %xmm7 | |
296 | |
297 lea .Lk_sr(%rip),%r10 | |
298 test %rcx, %rcx | |
299 jnz .Lschedule_am_decrypting | |
300 | |
301 # encrypting, output zeroth round key after transform | |
302 movdqu %xmm0, (%rdx) | |
303 jmp .Lschedule_go | |
304 | |
305 .Lschedule_am_decrypting: | |
306 # decrypting, output zeroth round key after shiftrows | |
307 movdqa (%r8,%r10),%xmm1 | |
308 pshufb %xmm1, %xmm3 | |
309 movdqu %xmm3, (%rdx) | |
310 xor \$0x30, %r8 | |
311 | |
312 .Lschedule_go: | |
313 cmp \$192, %esi | |
314 ja .Lschedule_256 | |
315 je .Lschedule_192 | |
316 # 128: fall though | |
317 | |
318 ## | |
319 ## .schedule_128 | |
320 ## | |
321 ## 128-bit specific part of key schedule. | |
322 ## | |
323 ## This schedule is really simple, because all its parts | |
324 ## are accomplished by the subroutines. | |
325 ## | |
326 .Lschedule_128: | |
327 mov \$10, %esi | |
328 | |
329 .Loop_schedule_128: | |
330 call _vpaes_schedule_round | |
331 dec %rsi | |
332 jz .Lschedule_mangle_last | |
333 call _vpaes_schedule_mangle # write output | |
334 jmp .Loop_schedule_128 | |
335 | |
336 ## | |
337 ## .aes_schedule_192 | |
338 ## | |
339 ## 192-bit specific part of key schedule. | |
340 ## | |
341 ## The main body of this schedule is the same as the 128-bit | |
342 ## schedule, but with more smearing. The long, high side is | |
343 ## stored in %xmm7 as before, and the short, low side is in | |
344 ## the high bits of %xmm6. | |
345 ## | |
346 ## This schedule is somewhat nastier, however, because each | |
347 ## round produces 192 bits of key material, or 1.5 round keys. | |
348 ## Therefore, on each cycle we do 2 rounds and produce 3 round | |
349 ## keys. | |
350 ## | |
351 .align 16 | |
352 .Lschedule_192: | |
353 movdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned) | |
354 call _vpaes_schedule_transform # input transform | |
355 movdqa %xmm0, %xmm6 # save short part | |
356 pxor %xmm4, %xmm4 # clear 4 | |
357 movhlps %xmm4, %xmm6 # clobber low side with zeros | |
358 mov \$4, %esi | |
359 | |
360 .Loop_schedule_192: | |
361 call _vpaes_schedule_round | |
362 palignr \$8,%xmm6,%xmm0 | |
363 call _vpaes_schedule_mangle # save key n | |
364 call _vpaes_schedule_192_smear | |
365 call _vpaes_schedule_mangle # save key n+1 | |
366 call _vpaes_schedule_round | |
367 dec %rsi | |
368 jz .Lschedule_mangle_last | |
369 call _vpaes_schedule_mangle # save key n+2 | |
370 call _vpaes_schedule_192_smear | |
371 jmp .Loop_schedule_192 | |
372 | |
373 ## | |
374 ## .aes_schedule_256 | |
375 ## | |
376 ## 256-bit specific part of key schedule. | |
377 ## | |
378 ## The structure here is very similar to the 128-bit | |
379 ## schedule, but with an additional "low side" in | |
380 ## %xmm6. The low side's rounds are the same as the | |
381 ## high side's, except no rcon and no rotation. | |
382 ## | |
383 .align 16 | |
384 .Lschedule_256: | |
385 movdqu 16(%rdi),%xmm0 # load key part 2 (unaligned) | |
386 call _vpaes_schedule_transform # input transform | |
387 mov \$7, %esi | |
388 | |
389 .Loop_schedule_256: | |
390 call _vpaes_schedule_mangle # output low result | |
391 movdqa %xmm0, %xmm6 # save cur_lo in xmm6 | |
392 | |
393 # high round | |
394 call _vpaes_schedule_round | |
395 dec %rsi | |
396 jz .Lschedule_mangle_last | |
397 call _vpaes_schedule_mangle | |
398 | |
399 # low round. swap xmm7 and xmm6 | |
400 pshufd \$0xFF, %xmm0, %xmm0 | |
401 movdqa %xmm7, %xmm5 | |
402 movdqa %xmm6, %xmm7 | |
403 call _vpaes_schedule_low_round | |
404 movdqa %xmm5, %xmm7 | |
405 | |
406 jmp .Loop_schedule_256 | |
407 | |
408 | |
409 ## | |
410 ## .aes_schedule_mangle_last | |
411 ## | |
412 ## Mangler for last round of key schedule | |
413 ## Mangles %xmm0 | |
414 ## when encrypting, outputs out(%xmm0) ^ 63 | |
415 ## when decrypting, outputs unskew(%xmm0) | |
416 ## | |
417 ## Always called right before return... jumps to cleanup and exits | |
418 ## | |
419 .align 16 | |
420 .Lschedule_mangle_last: | |
421 # schedule last round key from xmm0 | |
422 lea .Lk_deskew(%rip),%r11 # prepare to deskew | |
423 test %rcx, %rcx | |
424 jnz .Lschedule_mangle_last_dec | |
425 | |
426 # encrypting | |
427 movdqa (%r8,%r10),%xmm1 | |
428 pshufb %xmm1, %xmm0 # output permute | |
429 lea .Lk_opt(%rip), %r11 # prepare to output transform | |
430 add \$32, %rdx | |
431 | |
432 .Lschedule_mangle_last_dec: | |
433 add \$-16, %rdx | |
434 pxor .Lk_s63(%rip), %xmm0 | |
435 call _vpaes_schedule_transform # output transform | |
436 movdqu %xmm0, (%rdx) # save last key | |
437 | |
438 # cleanup | |
439 pxor %xmm0, %xmm0 | |
440 pxor %xmm1, %xmm1 | |
441 pxor %xmm2, %xmm2 | |
442 pxor %xmm3, %xmm3 | |
443 pxor %xmm4, %xmm4 | |
444 pxor %xmm5, %xmm5 | |
445 pxor %xmm6, %xmm6 | |
446 pxor %xmm7, %xmm7 | |
447 ret | |
448 .size _vpaes_schedule_core,.-_vpaes_schedule_core | |
449 | |
450 ## | |
451 ## .aes_schedule_192_smear | |
452 ## | |
453 ## Smear the short, low side in the 192-bit key schedule. | |
454 ## | |
455 ## Inputs: | |
456 ## %xmm7: high side, b a x y | |
457 ## %xmm6: low side, d c 0 0 | |
458 ## %xmm13: 0 | |
459 ## | |
460 ## Outputs: | |
461 ## %xmm6: b+c+d b+c 0 0 | |
462 ## %xmm0: b+c+d b+c b a | |
463 ## | |
464 .type _vpaes_schedule_192_smear,\@abi-omnipotent | |
465 .align 16 | |
466 _vpaes_schedule_192_smear: | |
467 pshufd \$0x80, %xmm6, %xmm0 # d c 0 0 -> c 0 0 0 | |
468 pxor %xmm0, %xmm6 # -> c+d c 0 0 | |
469 pshufd \$0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a | |
470 pxor %xmm0, %xmm6 # -> b+c+d b+c b a | |
471 movdqa %xmm6, %xmm0 | |
472 pxor %xmm1, %xmm1 | |
473 movhlps %xmm1, %xmm6 # clobber low side with zeros | |
474 ret | |
475 .size _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear | |
476 | |
477 ## | |
478 ## .aes_schedule_round | |
479 ## | |
480 ## Runs one main round of the key schedule on %xmm0, %xmm7 | |
481 ## | |
482 ## Specifically, runs subbytes on the high dword of %xmm0 | |
483 ## then rotates it by one byte and xors into the low dword of | |
484 ## %xmm7. | |
485 ## | |
486 ## Adds rcon from low byte of %xmm8, then rotates %xmm8 for | |
487 ## next rcon. | |
488 ## | |
489 ## Smears the dwords of %xmm7 by xoring the low into the | |
490 ## second low, result into third, result into highest. | |
491 ## | |
492 ## Returns results in %xmm7 = %xmm0. | |
493 ## Clobbers %xmm1-%xmm4, %r11. | |
494 ## | |
495 .type _vpaes_schedule_round,\@abi-omnipotent | |
496 .align 16 | |
497 _vpaes_schedule_round: | |
498 # extract rcon from xmm8 | |
499 pxor %xmm1, %xmm1 | |
500 palignr \$15, %xmm8, %xmm1 | |
501 palignr \$15, %xmm8, %xmm8 | |
502 pxor %xmm1, %xmm7 | |
503 | |
504 # rotate | |
505 pshufd \$0xFF, %xmm0, %xmm0 | |
506 palignr \$1, %xmm0, %xmm0 | |
507 | |
508 # fall through... | |
509 | |
510 # low round: same as high round, but no rotation and no rcon. | |
511 _vpaes_schedule_low_round: | |
512 # smear xmm7 | |
513 movdqa %xmm7, %xmm1 | |
514 pslldq \$4, %xmm7 | |
515 pxor %xmm1, %xmm7 | |
516 movdqa %xmm7, %xmm1 | |
517 pslldq \$8, %xmm7 | |
518 pxor %xmm1, %xmm7 | |
519 pxor .Lk_s63(%rip), %xmm7 | |
520 | |
521 # subbytes | |
522 movdqa %xmm9, %xmm1 | |
523 pandn %xmm0, %xmm1 | |
524 psrld \$4, %xmm1 # 1 = i | |
525 pand %xmm9, %xmm0 # 0 = k | |
526 movdqa %xmm11, %xmm2 # 2 : a/k | |
527 pshufb %xmm0, %xmm2 # 2 = a/k | |
528 pxor %xmm1, %xmm0 # 0 = j | |
529 movdqa %xmm10, %xmm3 # 3 : 1/i | |
530 pshufb %xmm1, %xmm3 # 3 = 1/i | |
531 pxor %xmm2, %xmm3 # 3 = iak = 1/i + a/k | |
532 movdqa %xmm10, %xmm4 # 4 : 1/j | |
533 pshufb %xmm0, %xmm4 # 4 = 1/j | |
534 pxor %xmm2, %xmm4 # 4 = jak = 1/j + a/k | |
535 movdqa %xmm10, %xmm2 # 2 : 1/iak | |
536 pshufb %xmm3, %xmm2 # 2 = 1/iak | |
537 pxor %xmm0, %xmm2 # 2 = io | |
538 movdqa %xmm10, %xmm3 # 3 : 1/jak | |
539 pshufb %xmm4, %xmm3 # 3 = 1/jak | |
540 pxor %xmm1, %xmm3 # 3 = jo | |
541 movdqa %xmm13, %xmm4 # 4 : sbou | |
542 pshufb %xmm2, %xmm4 # 4 = sbou | |
543 movdqa %xmm12, %xmm0 # 0 : sbot | |
544 pshufb %xmm3, %xmm0 # 0 = sb1t | |
545 pxor %xmm4, %xmm0 # 0 = sbox output | |
546 | |
547 # add in smeared stuff | |
548 pxor %xmm7, %xmm0 | |
549 movdqa %xmm0, %xmm7 | |
550 ret | |
551 .size _vpaes_schedule_round,.-_vpaes_schedule_round | |
552 | |
553 ## | |
554 ## .aes_schedule_transform | |
555 ## | |
556 ## Linear-transform %xmm0 according to tables at (%r11) | |
557 ## | |
558 ## Requires that %xmm9 = 0x0F0F... as in preheat | |
559 ## Output in %xmm0 | |
560 ## Clobbers %xmm1, %xmm2 | |
561 ## | |
562 .type _vpaes_schedule_transform,\@abi-omnipotent | |
563 .align 16 | |
564 _vpaes_schedule_transform: | |
565 movdqa %xmm9, %xmm1 | |
566 pandn %xmm0, %xmm1 | |
567 psrld \$4, %xmm1 | |
568 pand %xmm9, %xmm0 | |
569 movdqa (%r11), %xmm2 # lo | |
570 pshufb %xmm0, %xmm2 | |
571 movdqa 16(%r11), %xmm0 # hi | |
572 pshufb %xmm1, %xmm0 | |
573 pxor %xmm2, %xmm0 | |
574 ret | |
575 .size _vpaes_schedule_transform,.-_vpaes_schedule_transform | |
576 | |
577 ## | |
578 ## .aes_schedule_mangle | |
579 ## | |
580 ## Mangle xmm0 from (basis-transformed) standard version | |
581 ## to our version. | |
582 ## | |
583 ## On encrypt, | |
584 ## xor with 0x63 | |
585 ## multiply by circulant 0,1,1,1 | |
586 ## apply shiftrows transform | |
587 ## | |
588 ## On decrypt, | |
589 ## xor with 0x63 | |
590 ## multiply by "inverse mixcolumns" circulant E,B,D,9 | |
591 ## deskew | |
592 ## apply shiftrows transform | |
593 ## | |
594 ## | |
595 ## Writes out to (%rdx), and increments or decrements it | |
596 ## Keeps track of round number mod 4 in %r8 | |
597 ## Preserves xmm0 | |
598 ## Clobbers xmm1-xmm5 | |
599 ## | |
600 .type _vpaes_schedule_mangle,\@abi-omnipotent | |
601 .align 16 | |
602 _vpaes_schedule_mangle: | |
603 movdqa %xmm0, %xmm4 # save xmm0 for later | |
604 movdqa .Lk_mc_forward(%rip),%xmm5 | |
605 test %rcx, %rcx | |
606 jnz .Lschedule_mangle_dec | |
607 | |
608 # encrypting | |
609 add \$16, %rdx | |
610 pxor .Lk_s63(%rip),%xmm4 | |
611 pshufb %xmm5, %xmm4 | |
612 movdqa %xmm4, %xmm3 | |
613 pshufb %xmm5, %xmm4 | |
614 pxor %xmm4, %xmm3 | |
615 pshufb %xmm5, %xmm4 | |
616 pxor %xmm4, %xmm3 | |
617 | |
618 jmp .Lschedule_mangle_both | |
619 .align 16 | |
620 .Lschedule_mangle_dec: | |
621 # inverse mix columns | |
622 lea .Lk_dksd(%rip),%r11 | |
623 movdqa %xmm9, %xmm1 | |
624 pandn %xmm4, %xmm1 | |
625 psrld \$4, %xmm1 # 1 = hi | |
626 pand %xmm9, %xmm4 # 4 = lo | |
627 | |
628 movdqa 0x00(%r11), %xmm2 | |
629 pshufb %xmm4, %xmm2 | |
630 movdqa 0x10(%r11), %xmm3 | |
631 pshufb %xmm1, %xmm3 | |
632 pxor %xmm2, %xmm3 | |
633 pshufb %xmm5, %xmm3 | |
634 | |
635 movdqa 0x20(%r11), %xmm2 | |
636 pshufb %xmm4, %xmm2 | |
637 pxor %xmm3, %xmm2 | |
638 movdqa 0x30(%r11), %xmm3 | |
639 pshufb %xmm1, %xmm3 | |
640 pxor %xmm2, %xmm3 | |
641 pshufb %xmm5, %xmm3 | |
642 | |
643 movdqa 0x40(%r11), %xmm2 | |
644 pshufb %xmm4, %xmm2 | |
645 pxor %xmm3, %xmm2 | |
646 movdqa 0x50(%r11), %xmm3 | |
647 pshufb %xmm1, %xmm3 | |
648 pxor %xmm2, %xmm3 | |
649 pshufb %xmm5, %xmm3 | |
650 | |
651 movdqa 0x60(%r11), %xmm2 | |
652 pshufb %xmm4, %xmm2 | |
653 pxor %xmm3, %xmm2 | |
654 movdqa 0x70(%r11), %xmm3 | |
655 pshufb %xmm1, %xmm3 | |
656 pxor %xmm2, %xmm3 | |
657 | |
658 add \$-16, %rdx | |
659 | |
660 .Lschedule_mangle_both: | |
661 movdqa (%r8,%r10),%xmm1 | |
662 pshufb %xmm1,%xmm3 | |
663 add \$-16, %r8 | |
664 and \$0x30, %r8 | |
665 movdqu %xmm3, (%rdx) | |
666 ret | |
667 .size _vpaes_schedule_mangle,.-_vpaes_schedule_mangle | |
668 | |
669 # | |
670 # Interface to OpenSSL | |
671 # | |
672 .globl ${PREFIX}_set_encrypt_key | |
673 .type ${PREFIX}_set_encrypt_key,\@function,3 | |
674 .align 16 | |
675 ${PREFIX}_set_encrypt_key: | |
676 ___ | |
677 $code.=<<___ if ($win64); | |
678 lea -0xb8(%rsp),%rsp | |
679 movaps %xmm6,0x10(%rsp) | |
680 movaps %xmm7,0x20(%rsp) | |
681 movaps %xmm8,0x30(%rsp) | |
682 movaps %xmm9,0x40(%rsp) | |
683 movaps %xmm10,0x50(%rsp) | |
684 movaps %xmm11,0x60(%rsp) | |
685 movaps %xmm12,0x70(%rsp) | |
686 movaps %xmm13,0x80(%rsp) | |
687 movaps %xmm14,0x90(%rsp) | |
688 movaps %xmm15,0xa0(%rsp) | |
689 .Lenc_key_body: | |
690 ___ | |
691 $code.=<<___; | |
692 mov %esi,%eax | |
693 shr \$5,%eax | |
694 add \$5,%eax | |
695 mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; | |
696 | |
697 mov \$0,%ecx | |
698 mov \$0x30,%r8d | |
699 call _vpaes_schedule_core | |
700 ___ | |
701 $code.=<<___ if ($win64); | |
702 movaps 0x10(%rsp),%xmm6 | |
703 movaps 0x20(%rsp),%xmm7 | |
704 movaps 0x30(%rsp),%xmm8 | |
705 movaps 0x40(%rsp),%xmm9 | |
706 movaps 0x50(%rsp),%xmm10 | |
707 movaps 0x60(%rsp),%xmm11 | |
708 movaps 0x70(%rsp),%xmm12 | |
709 movaps 0x80(%rsp),%xmm13 | |
710 movaps 0x90(%rsp),%xmm14 | |
711 movaps 0xa0(%rsp),%xmm15 | |
712 lea 0xb8(%rsp),%rsp | |
713 .Lenc_key_epilogue: | |
714 ___ | |
715 $code.=<<___; | |
716 xor %eax,%eax | |
717 ret | |
718 .size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key | |
719 | |
720 .globl ${PREFIX}_set_decrypt_key | |
721 .type ${PREFIX}_set_decrypt_key,\@function,3 | |
722 .align 16 | |
723 ${PREFIX}_set_decrypt_key: | |
724 ___ | |
725 $code.=<<___ if ($win64); | |
726 lea -0xb8(%rsp),%rsp | |
727 movaps %xmm6,0x10(%rsp) | |
728 movaps %xmm7,0x20(%rsp) | |
729 movaps %xmm8,0x30(%rsp) | |
730 movaps %xmm9,0x40(%rsp) | |
731 movaps %xmm10,0x50(%rsp) | |
732 movaps %xmm11,0x60(%rsp) | |
733 movaps %xmm12,0x70(%rsp) | |
734 movaps %xmm13,0x80(%rsp) | |
735 movaps %xmm14,0x90(%rsp) | |
736 movaps %xmm15,0xa0(%rsp) | |
737 .Ldec_key_body: | |
738 ___ | |
739 $code.=<<___; | |
740 mov %esi,%eax | |
741 shr \$5,%eax | |
742 add \$5,%eax | |
743 mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; | |
744 shl \$4,%eax | |
745 lea 16(%rdx,%rax),%rdx | |
746 | |
747 mov \$1,%ecx | |
748 mov %esi,%r8d | |
749 shr \$1,%r8d | |
750 and \$32,%r8d | |
751 xor \$32,%r8d # nbits==192?0:32 | |
752 call _vpaes_schedule_core | |
753 ___ | |
754 $code.=<<___ if ($win64); | |
755 movaps 0x10(%rsp),%xmm6 | |
756 movaps 0x20(%rsp),%xmm7 | |
757 movaps 0x30(%rsp),%xmm8 | |
758 movaps 0x40(%rsp),%xmm9 | |
759 movaps 0x50(%rsp),%xmm10 | |
760 movaps 0x60(%rsp),%xmm11 | |
761 movaps 0x70(%rsp),%xmm12 | |
762 movaps 0x80(%rsp),%xmm13 | |
763 movaps 0x90(%rsp),%xmm14 | |
764 movaps 0xa0(%rsp),%xmm15 | |
765 lea 0xb8(%rsp),%rsp | |
766 .Ldec_key_epilogue: | |
767 ___ | |
768 $code.=<<___; | |
769 xor %eax,%eax | |
770 ret | |
771 .size ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key | |
772 | |
773 .globl ${PREFIX}_encrypt | |
774 .type ${PREFIX}_encrypt,\@function,3 | |
775 .align 16 | |
776 ${PREFIX}_encrypt: | |
777 ___ | |
778 $code.=<<___ if ($win64); | |
779 lea -0xb8(%rsp),%rsp | |
780 movaps %xmm6,0x10(%rsp) | |
781 movaps %xmm7,0x20(%rsp) | |
782 movaps %xmm8,0x30(%rsp) | |
783 movaps %xmm9,0x40(%rsp) | |
784 movaps %xmm10,0x50(%rsp) | |
785 movaps %xmm11,0x60(%rsp) | |
786 movaps %xmm12,0x70(%rsp) | |
787 movaps %xmm13,0x80(%rsp) | |
788 movaps %xmm14,0x90(%rsp) | |
789 movaps %xmm15,0xa0(%rsp) | |
790 .Lenc_body: | |
791 ___ | |
792 $code.=<<___; | |
793 movdqu (%rdi),%xmm0 | |
794 call _vpaes_preheat | |
795 call _vpaes_encrypt_core | |
796 movdqu %xmm0,(%rsi) | |
797 ___ | |
798 $code.=<<___ if ($win64); | |
799 movaps 0x10(%rsp),%xmm6 | |
800 movaps 0x20(%rsp),%xmm7 | |
801 movaps 0x30(%rsp),%xmm8 | |
802 movaps 0x40(%rsp),%xmm9 | |
803 movaps 0x50(%rsp),%xmm10 | |
804 movaps 0x60(%rsp),%xmm11 | |
805 movaps 0x70(%rsp),%xmm12 | |
806 movaps 0x80(%rsp),%xmm13 | |
807 movaps 0x90(%rsp),%xmm14 | |
808 movaps 0xa0(%rsp),%xmm15 | |
809 lea 0xb8(%rsp),%rsp | |
810 .Lenc_epilogue: | |
811 ___ | |
812 $code.=<<___; | |
813 ret | |
814 .size ${PREFIX}_encrypt,.-${PREFIX}_encrypt | |
815 | |
816 .globl ${PREFIX}_decrypt | |
817 .type ${PREFIX}_decrypt,\@function,3 | |
818 .align 16 | |
819 ${PREFIX}_decrypt: | |
820 ___ | |
821 $code.=<<___ if ($win64); | |
822 lea -0xb8(%rsp),%rsp | |
823 movaps %xmm6,0x10(%rsp) | |
824 movaps %xmm7,0x20(%rsp) | |
825 movaps %xmm8,0x30(%rsp) | |
826 movaps %xmm9,0x40(%rsp) | |
827 movaps %xmm10,0x50(%rsp) | |
828 movaps %xmm11,0x60(%rsp) | |
829 movaps %xmm12,0x70(%rsp) | |
830 movaps %xmm13,0x80(%rsp) | |
831 movaps %xmm14,0x90(%rsp) | |
832 movaps %xmm15,0xa0(%rsp) | |
833 .Ldec_body: | |
834 ___ | |
835 $code.=<<___; | |
836 movdqu (%rdi),%xmm0 | |
837 call _vpaes_preheat | |
838 call _vpaes_decrypt_core | |
839 movdqu %xmm0,(%rsi) | |
840 ___ | |
841 $code.=<<___ if ($win64); | |
842 movaps 0x10(%rsp),%xmm6 | |
843 movaps 0x20(%rsp),%xmm7 | |
844 movaps 0x30(%rsp),%xmm8 | |
845 movaps 0x40(%rsp),%xmm9 | |
846 movaps 0x50(%rsp),%xmm10 | |
847 movaps 0x60(%rsp),%xmm11 | |
848 movaps 0x70(%rsp),%xmm12 | |
849 movaps 0x80(%rsp),%xmm13 | |
850 movaps 0x90(%rsp),%xmm14 | |
851 movaps 0xa0(%rsp),%xmm15 | |
852 lea 0xb8(%rsp),%rsp | |
853 .Ldec_epilogue: | |
854 ___ | |
855 $code.=<<___; | |
856 ret | |
857 .size ${PREFIX}_decrypt,.-${PREFIX}_decrypt | |
858 ___ | |
859 { | |
860 my ($inp,$out,$len,$key,$ivp,$enc)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9"); | |
861 # void AES_cbc_encrypt (const void char *inp, unsigned char *out, | |
862 # size_t length, const AES_KEY *key, | |
863 # unsigned char *ivp,const int enc); | |
864 $code.=<<___; | |
865 .globl ${PREFIX}_cbc_encrypt | |
866 .type ${PREFIX}_cbc_encrypt,\@function,6 | |
867 .align 16 | |
868 ${PREFIX}_cbc_encrypt: | |
869 xchg $key,$len | |
870 ___ | |
871 ($len,$key)=($key,$len); | |
872 $code.=<<___; | |
873 sub \$16,$len | |
874 jc .Lcbc_abort | |
875 ___ | |
876 $code.=<<___ if ($win64); | |
877 lea -0xb8(%rsp),%rsp | |
878 movaps %xmm6,0x10(%rsp) | |
879 movaps %xmm7,0x20(%rsp) | |
880 movaps %xmm8,0x30(%rsp) | |
881 movaps %xmm9,0x40(%rsp) | |
882 movaps %xmm10,0x50(%rsp) | |
883 movaps %xmm11,0x60(%rsp) | |
884 movaps %xmm12,0x70(%rsp) | |
885 movaps %xmm13,0x80(%rsp) | |
886 movaps %xmm14,0x90(%rsp) | |
887 movaps %xmm15,0xa0(%rsp) | |
888 .Lcbc_body: | |
889 ___ | |
890 $code.=<<___; | |
891 movdqu ($ivp),%xmm6 # load IV | |
892 sub $inp,$out | |
893 call _vpaes_preheat | |
894 cmp \$0,${enc}d | |
895 je .Lcbc_dec_loop | |
896 jmp .Lcbc_enc_loop | |
897 .align 16 | |
898 .Lcbc_enc_loop: | |
899 movdqu ($inp),%xmm0 | |
900 pxor %xmm6,%xmm0 | |
901 call _vpaes_encrypt_core | |
902 movdqa %xmm0,%xmm6 | |
903 movdqu %xmm0,($out,$inp) | |
904 lea 16($inp),$inp | |
905 sub \$16,$len | |
906 jnc .Lcbc_enc_loop | |
907 jmp .Lcbc_done | |
908 .align 16 | |
909 .Lcbc_dec_loop: | |
910 movdqu ($inp),%xmm0 | |
911 movdqa %xmm0,%xmm7 | |
912 call _vpaes_decrypt_core | |
913 pxor %xmm6,%xmm0 | |
914 movdqa %xmm7,%xmm6 | |
915 movdqu %xmm0,($out,$inp) | |
916 lea 16($inp),$inp | |
917 sub \$16,$len | |
918 jnc .Lcbc_dec_loop | |
919 .Lcbc_done: | |
920 movdqu %xmm6,($ivp) # save IV | |
921 ___ | |
922 $code.=<<___ if ($win64); | |
923 movaps 0x10(%rsp),%xmm6 | |
924 movaps 0x20(%rsp),%xmm7 | |
925 movaps 0x30(%rsp),%xmm8 | |
926 movaps 0x40(%rsp),%xmm9 | |
927 movaps 0x50(%rsp),%xmm10 | |
928 movaps 0x60(%rsp),%xmm11 | |
929 movaps 0x70(%rsp),%xmm12 | |
930 movaps 0x80(%rsp),%xmm13 | |
931 movaps 0x90(%rsp),%xmm14 | |
932 movaps 0xa0(%rsp),%xmm15 | |
933 lea 0xb8(%rsp),%rsp | |
934 .Lcbc_epilogue: | |
935 ___ | |
936 $code.=<<___; | |
937 .Lcbc_abort: | |
938 ret | |
939 .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt | |
940 ___ | |
941 } | |
942 $code.=<<___; | |
943 ## | |
944 ## _aes_preheat | |
945 ## | |
946 ## Fills register %r10 -> .aes_consts (so you can -fPIC) | |
947 ## and %xmm9-%xmm15 as specified below. | |
948 ## | |
949 .type _vpaes_preheat,\@abi-omnipotent | |
950 .align 16 | |
951 _vpaes_preheat: | |
952 lea .Lk_s0F(%rip), %r10 | |
953 movdqa -0x20(%r10), %xmm10 # .Lk_inv | |
954 movdqa -0x10(%r10), %xmm11 # .Lk_inv+16 | |
955 movdqa 0x00(%r10), %xmm9 # .Lk_s0F | |
956 movdqa 0x30(%r10), %xmm13 # .Lk_sb1 | |
957 movdqa 0x40(%r10), %xmm12 # .Lk_sb1+16 | |
958 movdqa 0x50(%r10), %xmm15 # .Lk_sb2 | |
959 movdqa 0x60(%r10), %xmm14 # .Lk_sb2+16 | |
960 ret | |
961 .size _vpaes_preheat,.-_vpaes_preheat | |
962 ######################################################## | |
963 ## ## | |
964 ## Constants ## | |
965 ## ## | |
966 ######################################################## | |
967 .type _vpaes_consts,\@object | |
968 .align 64 | |
969 _vpaes_consts: | |
970 .Lk_inv: # inv, inva | |
971 .quad 0x0E05060F0D080180, 0x040703090A0B0C02 | |
972 .quad 0x01040A060F0B0780, 0x030D0E0C02050809 | |
973 | |
974 .Lk_s0F: # s0F | |
975 .quad 0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F | |
976 | |
977 .Lk_ipt: # input transform (lo, hi) | |
978 .quad 0xC2B2E8985A2A7000, 0xCABAE09052227808 | |
979 .quad 0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81 | |
980 | |
981 .Lk_sb1: # sb1u, sb1t | |
982 .quad 0xB19BE18FCB503E00, 0xA5DF7A6E142AF544 | |
983 .quad 0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF | |
984 .Lk_sb2: # sb2u, sb2t | |
985 .quad 0xE27A93C60B712400, 0x5EB7E955BC982FCD | |
986 .quad 0x69EB88400AE12900, 0xC2A163C8AB82234A | |
987 .Lk_sbo: # sbou, sbot | |
988 .quad 0xD0D26D176FBDC700, 0x15AABF7AC502A878 | |
989 .quad 0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA | |
990 | |
991 .Lk_mc_forward: # mc_forward | |
992 .quad 0x0407060500030201, 0x0C0F0E0D080B0A09 | |
993 .quad 0x080B0A0904070605, 0x000302010C0F0E0D | |
994 .quad 0x0C0F0E0D080B0A09, 0x0407060500030201 | |
995 .quad 0x000302010C0F0E0D, 0x080B0A0904070605 | |
996 | |
997 .Lk_mc_backward:# mc_backward | |
998 .quad 0x0605040702010003, 0x0E0D0C0F0A09080B | |
999 .quad 0x020100030E0D0C0F, 0x0A09080B06050407 | |
1000 .quad 0x0E0D0C0F0A09080B, 0x0605040702010003 | |
1001 .quad 0x0A09080B06050407, 0x020100030E0D0C0F | |
1002 | |
1003 .Lk_sr: # sr | |
1004 .quad 0x0706050403020100, 0x0F0E0D0C0B0A0908 | |
1005 .quad 0x030E09040F0A0500, 0x0B06010C07020D08 | |
1006 .quad 0x0F060D040B020900, 0x070E050C030A0108 | |
1007 .quad 0x0B0E0104070A0D00, 0x0306090C0F020508 | |
1008 | |
1009 .Lk_rcon: # rcon | |
1010 .quad 0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81 | |
1011 | |
1012 .Lk_s63: # s63: all equal to 0x63 transformed | |
1013 .quad 0x5B5B5B5B5B5B5B5B, 0x5B5B5B5B5B5B5B5B | |
1014 | |
1015 .Lk_opt: # output transform | |
1016 .quad 0xFF9F4929D6B66000, 0xF7974121DEBE6808 | |
1017 .quad 0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0 | |
1018 | |
1019 .Lk_deskew: # deskew tables: inverts the sbox's "skew" | |
1020 .quad 0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A | |
1021 .quad 0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77 | |
1022 | |
1023 ## | |
1024 ## Decryption stuff | |
1025 ## Key schedule constants | |
1026 ## | |
1027 .Lk_dksd: # decryption key schedule: invskew x*D | |
1028 .quad 0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9 | |
1029 .quad 0x41C277F4B5368300, 0x5FDC69EAAB289D1E | |
1030 .Lk_dksb: # decryption key schedule: invskew x*B | |
1031 .quad 0x9A4FCA1F8550D500, 0x03D653861CC94C99 | |
1032 .quad 0x115BEDA7B6FC4A00, 0xD993256F7E3482C8 | |
1033 .Lk_dkse: # decryption key schedule: invskew x*E + 0x63 | |
1034 .quad 0xD5031CCA1FC9D600, 0x53859A4C994F5086 | |
1035 .quad 0xA23196054FDC7BE8, 0xCD5EF96A20B31487 | |
1036 .Lk_dks9: # decryption key schedule: invskew x*9 | |
1037 .quad 0xB6116FC87ED9A700, 0x4AED933482255BFC | |
1038 .quad 0x4576516227143300, 0x8BB89FACE9DAFDCE | |
1039 | |
1040 ## | |
1041 ## Decryption stuff | |
1042 ## Round function constants | |
1043 ## | |
1044 .Lk_dipt: # decryption input transform | |
1045 .quad 0x0F505B040B545F00, 0x154A411E114E451A | |
1046 .quad 0x86E383E660056500, 0x12771772F491F194 | |
1047 | |
1048 .Lk_dsb9: # decryption sbox output *9*u, *9*t | |
1049 .quad 0x851C03539A86D600, 0xCAD51F504F994CC9 | |
1050 .quad 0xC03B1789ECD74900, 0x725E2C9EB2FBA565 | |
1051 .Lk_dsbd: # decryption sbox output *D*u, *D*t | |
1052 .quad 0x7D57CCDFE6B1A200, 0xF56E9B13882A4439 | |
1053 .quad 0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3 | |
1054 .Lk_dsbb: # decryption sbox output *B*u, *B*t | |
1055 .quad 0xD022649296B44200, 0x602646F6B0F2D404 | |
1056 .quad 0xC19498A6CD596700, 0xF3FF0C3E3255AA6B | |
1057 .Lk_dsbe: # decryption sbox output *E*u, *E*t | |
1058 .quad 0x46F2929626D4D000, 0x2242600464B4F6B0 | |
1059 .quad 0x0C55A6CDFFAAC100, 0x9467F36B98593E32 | |
1060 .Lk_dsbo: # decryption sbox final output | |
1061 .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D | |
1062 .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C | |
1063 .asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford Universi
ty)" | |
1064 .align 64 | |
1065 .size _vpaes_consts,.-_vpaes_consts | |
1066 ___ | |
1067 | |
1068 if ($win64) { | |
1069 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame, | |
1070 # CONTEXT *context,DISPATCHER_CONTEXT *disp) | |
1071 $rec="%rcx"; | |
1072 $frame="%rdx"; | |
1073 $context="%r8"; | |
1074 $disp="%r9"; | |
1075 | |
1076 $code.=<<___; | |
1077 .extern __imp_RtlVirtualUnwind | |
1078 .type se_handler,\@abi-omnipotent | |
1079 .align 16 | |
1080 se_handler: | |
1081 push %rsi | |
1082 push %rdi | |
1083 push %rbx | |
1084 push %rbp | |
1085 push %r12 | |
1086 push %r13 | |
1087 push %r14 | |
1088 push %r15 | |
1089 pushfq | |
1090 sub \$64,%rsp | |
1091 | |
1092 mov 120($context),%rax # pull context->Rax | |
1093 mov 248($context),%rbx # pull context->Rip | |
1094 | |
1095 mov 8($disp),%rsi # disp->ImageBase | |
1096 mov 56($disp),%r11 # disp->HandlerData | |
1097 | |
1098 mov 0(%r11),%r10d # HandlerData[0] | |
1099 lea (%rsi,%r10),%r10 # prologue label | |
1100 cmp %r10,%rbx # context->Rip<prologue label | |
1101 jb .Lin_prologue | |
1102 | |
1103 mov 152($context),%rax # pull context->Rsp | |
1104 | |
1105 mov 4(%r11),%r10d # HandlerData[1] | |
1106 lea (%rsi,%r10),%r10 # epilogue label | |
1107 cmp %r10,%rbx # context->Rip>=epilogue label | |
1108 jae .Lin_prologue | |
1109 | |
1110 lea 16(%rax),%rsi # %xmm save area | |
1111 lea 512($context),%rdi # &context.Xmm6 | |
1112 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax) | |
1113 .long 0xa548f3fc # cld; rep movsq | |
1114 lea 0xb8(%rax),%rax # adjust stack pointer | |
1115 | |
1116 .Lin_prologue: | |
1117 mov 8(%rax),%rdi | |
1118 mov 16(%rax),%rsi | |
1119 mov %rax,152($context) # restore context->Rsp | |
1120 mov %rsi,168($context) # restore context->Rsi | |
1121 mov %rdi,176($context) # restore context->Rdi | |
1122 | |
1123 mov 40($disp),%rdi # disp->ContextRecord | |
1124 mov $context,%rsi # context | |
1125 mov \$`1232/8`,%ecx # sizeof(CONTEXT) | |
1126 .long 0xa548f3fc # cld; rep movsq | |
1127 | |
1128 mov $disp,%rsi | |
1129 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER | |
1130 mov 8(%rsi),%rdx # arg2, disp->ImageBase | |
1131 mov 0(%rsi),%r8 # arg3, disp->ControlPc | |
1132 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry | |
1133 mov 40(%rsi),%r10 # disp->ContextRecord | |
1134 lea 56(%rsi),%r11 # &disp->HandlerData | |
1135 lea 24(%rsi),%r12 # &disp->EstablisherFrame | |
1136 mov %r10,32(%rsp) # arg5 | |
1137 mov %r11,40(%rsp) # arg6 | |
1138 mov %r12,48(%rsp) # arg7 | |
1139 mov %rcx,56(%rsp) # arg8, (NULL) | |
1140 call *__imp_RtlVirtualUnwind(%rip) | |
1141 | |
1142 mov \$1,%eax # ExceptionContinueSearch | |
1143 add \$64,%rsp | |
1144 popfq | |
1145 pop %r15 | |
1146 pop %r14 | |
1147 pop %r13 | |
1148 pop %r12 | |
1149 pop %rbp | |
1150 pop %rbx | |
1151 pop %rdi | |
1152 pop %rsi | |
1153 ret | |
1154 .size se_handler,.-se_handler | |
1155 | |
1156 .section .pdata | |
1157 .align 4 | |
1158 .rva .LSEH_begin_${PREFIX}_set_encrypt_key | |
1159 .rva .LSEH_end_${PREFIX}_set_encrypt_key | |
1160 .rva .LSEH_info_${PREFIX}_set_encrypt_key | |
1161 | |
1162 .rva .LSEH_begin_${PREFIX}_set_decrypt_key | |
1163 .rva .LSEH_end_${PREFIX}_set_decrypt_key | |
1164 .rva .LSEH_info_${PREFIX}_set_decrypt_key | |
1165 | |
1166 .rva .LSEH_begin_${PREFIX}_encrypt | |
1167 .rva .LSEH_end_${PREFIX}_encrypt | |
1168 .rva .LSEH_info_${PREFIX}_encrypt | |
1169 | |
1170 .rva .LSEH_begin_${PREFIX}_decrypt | |
1171 .rva .LSEH_end_${PREFIX}_decrypt | |
1172 .rva .LSEH_info_${PREFIX}_decrypt | |
1173 | |
1174 .rva .LSEH_begin_${PREFIX}_cbc_encrypt | |
1175 .rva .LSEH_end_${PREFIX}_cbc_encrypt | |
1176 .rva .LSEH_info_${PREFIX}_cbc_encrypt | |
1177 | |
1178 .section .xdata | |
1179 .align 8 | |
1180 .LSEH_info_${PREFIX}_set_encrypt_key: | |
1181 .byte 9,0,0,0 | |
1182 .rva se_handler | |
1183 .rva .Lenc_key_body,.Lenc_key_epilogue # HandlerData[] | |
1184 .LSEH_info_${PREFIX}_set_decrypt_key: | |
1185 .byte 9,0,0,0 | |
1186 .rva se_handler | |
1187 .rva .Ldec_key_body,.Ldec_key_epilogue # HandlerData[] | |
1188 .LSEH_info_${PREFIX}_encrypt: | |
1189 .byte 9,0,0,0 | |
1190 .rva se_handler | |
1191 .rva .Lenc_body,.Lenc_epilogue # HandlerData[] | |
1192 .LSEH_info_${PREFIX}_decrypt: | |
1193 .byte 9,0,0,0 | |
1194 .rva se_handler | |
1195 .rva .Ldec_body,.Ldec_epilogue # HandlerData[] | |
1196 .LSEH_info_${PREFIX}_cbc_encrypt: | |
1197 .byte 9,0,0,0 | |
1198 .rva se_handler | |
1199 .rva .Lcbc_body,.Lcbc_epilogue # HandlerData[] | |
1200 ___ | |
1201 } | |
1202 | |
1203 $code =~ s/\`([^\`]*)\`/eval($1)/gem; | |
1204 | |
1205 print $code; | |
1206 | |
1207 close STDOUT; | |
OLD | NEW |