1#! /usr/bin/env perl
2# Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the OpenSSL license (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9#
10# ====================================================================
11# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12# project. The module is, however, dual licensed under OpenSSL and
13# CRYPTOGAMS licenses depending on where you obtain it. For further
14# details see http://www.openssl.org/~appro/cryptogams/.
15# ====================================================================
16#
17#
18# AES-NI-CTR+GHASH stitch.
19#
20# February 2013
21#
22# OpenSSL GCM implementation is organized in such way that its
23# performance is rather close to the sum of its streamed components,
24# in the context parallelized AES-NI CTR and modulo-scheduled
25# PCLMULQDQ-enabled GHASH. Unfortunately, as no stitch implementation
26# was observed to perform significantly better than the sum of the
27# components on contemporary CPUs, the effort was deemed impossible to
28# justify. This module is based on combination of Intel submissions,
29# [1] and [2], with MOVBE twist suggested by Ilya Albrekht and Max
30# Locktyukhin of Intel Corp. who verified that it reduces shuffles
31# pressure with notable relative improvement, achieving 1.0 cycle per
32# byte processed with 128-bit key on Haswell processor, 0.74 - on
33# Broadwell, 0.63 - on Skylake... [Mentioned results are raw profiled
34# measurements for favourable packet size, one divisible by 96.
35# Applications using the EVP interface will observe a few percent
36# worse performance.]
37#
38# Knights Landing processes 1 byte in 1.25 cycles (measured with EVP).
39#
40# [1] http://rt.openssl.org/Ticket/Display.html?id=2900&user=guest&pass=guest
41# [2] http://www.intel.com/content/dam/www/public/us/en/documents/software-support/enabling-high-performance-gcm.pdf
42
43$flavour = shift;
44$output  = shift;
45if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
46
47$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
48
49$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
50( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
51( $xlate="${dir}../../../perlasm/x86_64-xlate.pl" and -f $xlate) or
52die "can't locate x86_64-xlate.pl";
53
54# |$avx| in ghash-x86_64.pl must be set to at least 1; otherwise tags will
55# be computed incorrectly.
56#
57# In upstream, this is controlled by shelling out to the compiler to check
58# versions, but BoringSSL is intended to be used with pre-generated perlasm
59# output, so this isn't useful anyway.
60#
61# The upstream code uses the condition |$avx>1| even though no AVX2
62# instructions are used, because it assumes MOVBE is supported by the assembler
63# if and only if AVX2 is also supported by the assembler; see
64# https://marc.info/?l=openssl-dev&m=146567589526984&w=2.
65$avx = 2;
66
67open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
68*STDOUT=*OUT;
69
70# See the comment above regarding why the condition is ($avx>1) when there are
71# no AVX2 instructions being used.
72if ($avx>1) {{{
73
74($inp,$out,$len,$key,$ivp,$Xip)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9");
75
76($Ii,$T1,$T2,$Hkey,
77 $Z0,$Z1,$Z2,$Z3,$Xi) = map("%xmm$_",(0..8));
78
79($inout0,$inout1,$inout2,$inout3,$inout4,$inout5,$rndkey) = map("%xmm$_",(9..15));
80
81($counter,$rounds,$ret,$const,$in0,$end0)=("%ebx","%ebp","%r10","%r11","%r14","%r15");
82
83$code=<<___;
84.text
85
86.type	_aesni_ctr32_ghash_6x,\@abi-omnipotent
87.align	32
88_aesni_ctr32_ghash_6x:
89.cfi_startproc
90	vmovdqu		0x20($const),$T2	# borrow $T2, .Lone_msb
91	sub		\$6,$len
92	vpxor		$Z0,$Z0,$Z0		# $Z0   = 0
93	vmovdqu		0x00-0x80($key),$rndkey
94	vpaddb		$T2,$T1,$inout1
95	vpaddb		$T2,$inout1,$inout2
96	vpaddb		$T2,$inout2,$inout3
97	vpaddb		$T2,$inout3,$inout4
98	vpaddb		$T2,$inout4,$inout5
99	vpxor		$rndkey,$T1,$inout0
100	vmovdqu		$Z0,16+8(%rsp)		# "$Z3" = 0
101	jmp		.Loop6x
102
103.align	32
104.Loop6x:
105	add		\$`6<<24`,$counter
106	jc		.Lhandle_ctr32		# discard $inout[1-5]?
107	vmovdqu		0x00-0x20($Xip),$Hkey	# $Hkey^1
108	  vpaddb	$T2,$inout5,$T1		# next counter value
109	  vpxor		$rndkey,$inout1,$inout1
110	  vpxor		$rndkey,$inout2,$inout2
111
112.Lresume_ctr32:
113	vmovdqu		$T1,($ivp)		# save next counter value
114	vpclmulqdq	\$0x10,$Hkey,$Z3,$Z1
115	  vpxor		$rndkey,$inout3,$inout3
116	  vmovups	0x10-0x80($key),$T2	# borrow $T2 for $rndkey
117	vpclmulqdq	\$0x01,$Hkey,$Z3,$Z2
118
119	# At this point, the current block of 96 (0x60) bytes has already been
120	# loaded into registers. Concurrently with processing it, we want to
121	# load the next 96 bytes of input for the next round. Obviously, we can
122	# only do this if there are at least 96 more bytes of input beyond the
123	# input we're currently processing, or else we'd read past the end of
124	# the input buffer. Here, we set |%r12| to 96 if there are at least 96
125	# bytes of input beyond the 96 bytes we're already processing, and we
126	# set |%r12| to 0 otherwise. In the case where we set |%r12| to 96,
127	# we'll read in the next block so that it is in registers for the next
128	# loop iteration. In the case where we set |%r12| to 0, we'll re-read
129	# the current block and then ignore what we re-read.
130	#
131	# At this point, |$in0| points to the current (already read into
132	# registers) block, and |$end0| points to 2*96 bytes before the end of
133	# the input. Thus, |$in0| > |$end0| means that we do not have the next
134	# 96-byte block to read in, and |$in0| <= |$end0| means we do.
135	xor		%r12,%r12
136	cmp		$in0,$end0
137
138	  vaesenc	$T2,$inout0,$inout0
139	vmovdqu		0x30+8(%rsp),$Ii	# I[4]
140	  vpxor		$rndkey,$inout4,$inout4
141	vpclmulqdq	\$0x00,$Hkey,$Z3,$T1
142	  vaesenc	$T2,$inout1,$inout1
143	  vpxor		$rndkey,$inout5,$inout5
144	setnc		%r12b
145	vpclmulqdq	\$0x11,$Hkey,$Z3,$Z3
146	  vaesenc	$T2,$inout2,$inout2
147	vmovdqu		0x10-0x20($Xip),$Hkey	# $Hkey^2
148	neg		%r12
149	  vaesenc	$T2,$inout3,$inout3
150	 vpxor		$Z1,$Z2,$Z2
151	vpclmulqdq	\$0x00,$Hkey,$Ii,$Z1
152	 vpxor		$Z0,$Xi,$Xi		# modulo-scheduled
153	  vaesenc	$T2,$inout4,$inout4
154	 vpxor		$Z1,$T1,$Z0
155	and		\$0x60,%r12
156	  vmovups	0x20-0x80($key),$rndkey
157	vpclmulqdq	\$0x10,$Hkey,$Ii,$T1
158	  vaesenc	$T2,$inout5,$inout5
159
160	vpclmulqdq	\$0x01,$Hkey,$Ii,$T2
161	lea		($in0,%r12),$in0
162	  vaesenc	$rndkey,$inout0,$inout0
163	 vpxor		16+8(%rsp),$Xi,$Xi	# modulo-scheduled [vpxor $Z3,$Xi,$Xi]
164	vpclmulqdq	\$0x11,$Hkey,$Ii,$Hkey
165	 vmovdqu	0x40+8(%rsp),$Ii	# I[3]
166	  vaesenc	$rndkey,$inout1,$inout1
167	movbe		0x58($in0),%r13
168	  vaesenc	$rndkey,$inout2,$inout2
169	movbe		0x50($in0),%r12
170	  vaesenc	$rndkey,$inout3,$inout3
171	mov		%r13,0x20+8(%rsp)
172	  vaesenc	$rndkey,$inout4,$inout4
173	mov		%r12,0x28+8(%rsp)
174	vmovdqu		0x30-0x20($Xip),$Z1	# borrow $Z1 for $Hkey^3
175	  vaesenc	$rndkey,$inout5,$inout5
176
177	  vmovups	0x30-0x80($key),$rndkey
178	 vpxor		$T1,$Z2,$Z2
179	vpclmulqdq	\$0x00,$Z1,$Ii,$T1
180	  vaesenc	$rndkey,$inout0,$inout0
181	 vpxor		$T2,$Z2,$Z2
182	vpclmulqdq	\$0x10,$Z1,$Ii,$T2
183	  vaesenc	$rndkey,$inout1,$inout1
184	 vpxor		$Hkey,$Z3,$Z3
185	vpclmulqdq	\$0x01,$Z1,$Ii,$Hkey
186	  vaesenc	$rndkey,$inout2,$inout2
187	vpclmulqdq	\$0x11,$Z1,$Ii,$Z1
188	 vmovdqu	0x50+8(%rsp),$Ii	# I[2]
189	  vaesenc	$rndkey,$inout3,$inout3
190	  vaesenc	$rndkey,$inout4,$inout4
191	 vpxor		$T1,$Z0,$Z0
192	vmovdqu		0x40-0x20($Xip),$T1	# borrow $T1 for $Hkey^4
193	  vaesenc	$rndkey,$inout5,$inout5
194
195	  vmovups	0x40-0x80($key),$rndkey
196	 vpxor		$T2,$Z2,$Z2
197	vpclmulqdq	\$0x00,$T1,$Ii,$T2
198	  vaesenc	$rndkey,$inout0,$inout0
199	 vpxor		$Hkey,$Z2,$Z2
200	vpclmulqdq	\$0x10,$T1,$Ii,$Hkey
201	  vaesenc	$rndkey,$inout1,$inout1
202	movbe		0x48($in0),%r13
203	 vpxor		$Z1,$Z3,$Z3
204	vpclmulqdq	\$0x01,$T1,$Ii,$Z1
205	  vaesenc	$rndkey,$inout2,$inout2
206	movbe		0x40($in0),%r12
207	vpclmulqdq	\$0x11,$T1,$Ii,$T1
208	 vmovdqu	0x60+8(%rsp),$Ii	# I[1]
209	  vaesenc	$rndkey,$inout3,$inout3
210	mov		%r13,0x30+8(%rsp)
211	  vaesenc	$rndkey,$inout4,$inout4
212	mov		%r12,0x38+8(%rsp)
213	 vpxor		$T2,$Z0,$Z0
214	vmovdqu		0x60-0x20($Xip),$T2	# borrow $T2 for $Hkey^5
215	  vaesenc	$rndkey,$inout5,$inout5
216
217	  vmovups	0x50-0x80($key),$rndkey
218	 vpxor		$Hkey,$Z2,$Z2
219	vpclmulqdq	\$0x00,$T2,$Ii,$Hkey
220	  vaesenc	$rndkey,$inout0,$inout0
221	 vpxor		$Z1,$Z2,$Z2
222	vpclmulqdq	\$0x10,$T2,$Ii,$Z1
223	  vaesenc	$rndkey,$inout1,$inout1
224	movbe		0x38($in0),%r13
225	 vpxor		$T1,$Z3,$Z3
226	vpclmulqdq	\$0x01,$T2,$Ii,$T1
227	 vpxor		0x70+8(%rsp),$Xi,$Xi	# accumulate I[0]
228	  vaesenc	$rndkey,$inout2,$inout2
229	movbe		0x30($in0),%r12
230	vpclmulqdq	\$0x11,$T2,$Ii,$T2
231	  vaesenc	$rndkey,$inout3,$inout3
232	mov		%r13,0x40+8(%rsp)
233	  vaesenc	$rndkey,$inout4,$inout4
234	mov		%r12,0x48+8(%rsp)
235	 vpxor		$Hkey,$Z0,$Z0
236	 vmovdqu	0x70-0x20($Xip),$Hkey	# $Hkey^6
237	  vaesenc	$rndkey,$inout5,$inout5
238
239	  vmovups	0x60-0x80($key),$rndkey
240	 vpxor		$Z1,$Z2,$Z2
241	vpclmulqdq	\$0x10,$Hkey,$Xi,$Z1
242	  vaesenc	$rndkey,$inout0,$inout0
243	 vpxor		$T1,$Z2,$Z2
244	vpclmulqdq	\$0x01,$Hkey,$Xi,$T1
245	  vaesenc	$rndkey,$inout1,$inout1
246	movbe		0x28($in0),%r13
247	 vpxor		$T2,$Z3,$Z3
248	vpclmulqdq	\$0x00,$Hkey,$Xi,$T2
249	  vaesenc	$rndkey,$inout2,$inout2
250	movbe		0x20($in0),%r12
251	vpclmulqdq	\$0x11,$Hkey,$Xi,$Xi
252	  vaesenc	$rndkey,$inout3,$inout3
253	mov		%r13,0x50+8(%rsp)
254	  vaesenc	$rndkey,$inout4,$inout4
255	mov		%r12,0x58+8(%rsp)
256	vpxor		$Z1,$Z2,$Z2
257	  vaesenc	$rndkey,$inout5,$inout5
258	vpxor		$T1,$Z2,$Z2
259
260	  vmovups	0x70-0x80($key),$rndkey
261	vpslldq		\$8,$Z2,$Z1
262	vpxor		$T2,$Z0,$Z0
263	vmovdqu		0x10($const),$Hkey	# .Lpoly
264
265	  vaesenc	$rndkey,$inout0,$inout0
266	vpxor		$Xi,$Z3,$Z3
267	  vaesenc	$rndkey,$inout1,$inout1
268	vpxor		$Z1,$Z0,$Z0
269	movbe		0x18($in0),%r13
270	  vaesenc	$rndkey,$inout2,$inout2
271	movbe		0x10($in0),%r12
272	vpalignr	\$8,$Z0,$Z0,$Ii		# 1st phase
273	vpclmulqdq	\$0x10,$Hkey,$Z0,$Z0
274	mov		%r13,0x60+8(%rsp)
275	  vaesenc	$rndkey,$inout3,$inout3
276	mov		%r12,0x68+8(%rsp)
277	  vaesenc	$rndkey,$inout4,$inout4
278	  vmovups	0x80-0x80($key),$T1	# borrow $T1 for $rndkey
279	  vaesenc	$rndkey,$inout5,$inout5
280
281	  vaesenc	$T1,$inout0,$inout0
282	  vmovups	0x90-0x80($key),$rndkey
283	  vaesenc	$T1,$inout1,$inout1
284	vpsrldq		\$8,$Z2,$Z2
285	  vaesenc	$T1,$inout2,$inout2
286	vpxor		$Z2,$Z3,$Z3
287	  vaesenc	$T1,$inout3,$inout3
288	vpxor		$Ii,$Z0,$Z0
289	movbe		0x08($in0),%r13
290	  vaesenc	$T1,$inout4,$inout4
291	movbe		0x00($in0),%r12
292	  vaesenc	$T1,$inout5,$inout5
293	  vmovups	0xa0-0x80($key),$T1
294	  cmp		\$11,$rounds
295	  jb		.Lenc_tail		# 128-bit key
296
297	  vaesenc	$rndkey,$inout0,$inout0
298	  vaesenc	$rndkey,$inout1,$inout1
299	  vaesenc	$rndkey,$inout2,$inout2
300	  vaesenc	$rndkey,$inout3,$inout3
301	  vaesenc	$rndkey,$inout4,$inout4
302	  vaesenc	$rndkey,$inout5,$inout5
303
304	  vaesenc	$T1,$inout0,$inout0
305	  vaesenc	$T1,$inout1,$inout1
306	  vaesenc	$T1,$inout2,$inout2
307	  vaesenc	$T1,$inout3,$inout3
308	  vaesenc	$T1,$inout4,$inout4
309	  vmovups	0xb0-0x80($key),$rndkey
310	  vaesenc	$T1,$inout5,$inout5
311	  vmovups	0xc0-0x80($key),$T1
312	  je		.Lenc_tail		# 192-bit key
313
314	  vaesenc	$rndkey,$inout0,$inout0
315	  vaesenc	$rndkey,$inout1,$inout1
316	  vaesenc	$rndkey,$inout2,$inout2
317	  vaesenc	$rndkey,$inout3,$inout3
318	  vaesenc	$rndkey,$inout4,$inout4
319	  vaesenc	$rndkey,$inout5,$inout5
320
321	  vaesenc	$T1,$inout0,$inout0
322	  vaesenc	$T1,$inout1,$inout1
323	  vaesenc	$T1,$inout2,$inout2
324	  vaesenc	$T1,$inout3,$inout3
325	  vaesenc	$T1,$inout4,$inout4
326	  vmovups	0xd0-0x80($key),$rndkey
327	  vaesenc	$T1,$inout5,$inout5
328	  vmovups	0xe0-0x80($key),$T1
329	  jmp		.Lenc_tail		# 256-bit key
330
331.align	32
332.Lhandle_ctr32:
333	vmovdqu		($const),$Ii		# borrow $Ii for .Lbswap_mask
334	  vpshufb	$Ii,$T1,$Z2		# byte-swap counter
335	  vmovdqu	0x30($const),$Z1	# borrow $Z1, .Ltwo_lsb
336	  vpaddd	0x40($const),$Z2,$inout1	# .Lone_lsb
337	  vpaddd	$Z1,$Z2,$inout2
338	vmovdqu		0x00-0x20($Xip),$Hkey	# $Hkey^1
339	  vpaddd	$Z1,$inout1,$inout3
340	  vpshufb	$Ii,$inout1,$inout1
341	  vpaddd	$Z1,$inout2,$inout4
342	  vpshufb	$Ii,$inout2,$inout2
343	  vpxor		$rndkey,$inout1,$inout1
344	  vpaddd	$Z1,$inout3,$inout5
345	  vpshufb	$Ii,$inout3,$inout3
346	  vpxor		$rndkey,$inout2,$inout2
347	  vpaddd	$Z1,$inout4,$T1		# byte-swapped next counter value
348	  vpshufb	$Ii,$inout4,$inout4
349	  vpshufb	$Ii,$inout5,$inout5
350	  vpshufb	$Ii,$T1,$T1		# next counter value
351	jmp		.Lresume_ctr32
352
353.align	32
354.Lenc_tail:
355	  vaesenc	$rndkey,$inout0,$inout0
356	vmovdqu		$Z3,16+8(%rsp)		# postpone vpxor $Z3,$Xi,$Xi
357	vpalignr	\$8,$Z0,$Z0,$Xi		# 2nd phase
358	  vaesenc	$rndkey,$inout1,$inout1
359	vpclmulqdq	\$0x10,$Hkey,$Z0,$Z0
360	  vpxor		0x00($inp),$T1,$T2
361	  vaesenc	$rndkey,$inout2,$inout2
362	  vpxor		0x10($inp),$T1,$Ii
363	  vaesenc	$rndkey,$inout3,$inout3
364	  vpxor		0x20($inp),$T1,$Z1
365	  vaesenc	$rndkey,$inout4,$inout4
366	  vpxor		0x30($inp),$T1,$Z2
367	  vaesenc	$rndkey,$inout5,$inout5
368	  vpxor		0x40($inp),$T1,$Z3
369	  vpxor		0x50($inp),$T1,$Hkey
370	  vmovdqu	($ivp),$T1		# load next counter value
371
372	  vaesenclast	$T2,$inout0,$inout0
373	  vmovdqu	0x20($const),$T2	# borrow $T2, .Lone_msb
374	  vaesenclast	$Ii,$inout1,$inout1
375	 vpaddb		$T2,$T1,$Ii
376	mov		%r13,0x70+8(%rsp)
377	lea		0x60($inp),$inp
378	  vaesenclast	$Z1,$inout2,$inout2
379	 vpaddb		$T2,$Ii,$Z1
380	mov		%r12,0x78+8(%rsp)
381	lea		0x60($out),$out
382	  vmovdqu	0x00-0x80($key),$rndkey
383	  vaesenclast	$Z2,$inout3,$inout3
384	 vpaddb		$T2,$Z1,$Z2
385	  vaesenclast	$Z3, $inout4,$inout4
386	 vpaddb		$T2,$Z2,$Z3
387	  vaesenclast	$Hkey,$inout5,$inout5
388	 vpaddb		$T2,$Z3,$Hkey
389
390	add		\$0x60,$ret
391	sub		\$0x6,$len
392	jc		.L6x_done
393
394	  vmovups	$inout0,-0x60($out)	# save output
395	 vpxor		$rndkey,$T1,$inout0
396	  vmovups	$inout1,-0x50($out)
397	 vmovdqa	$Ii,$inout1		# 0 latency
398	  vmovups	$inout2,-0x40($out)
399	 vmovdqa	$Z1,$inout2		# 0 latency
400	  vmovups	$inout3,-0x30($out)
401	 vmovdqa	$Z2,$inout3		# 0 latency
402	  vmovups	$inout4,-0x20($out)
403	 vmovdqa	$Z3,$inout4		# 0 latency
404	  vmovups	$inout5,-0x10($out)
405	 vmovdqa	$Hkey,$inout5		# 0 latency
406	vmovdqu		0x20+8(%rsp),$Z3	# I[5]
407	jmp		.Loop6x
408
409.L6x_done:
410	vpxor		16+8(%rsp),$Xi,$Xi	# modulo-scheduled
411	vpxor		$Z0,$Xi,$Xi		# modulo-scheduled
412
413	ret
414.cfi_endproc
415.size	_aesni_ctr32_ghash_6x,.-_aesni_ctr32_ghash_6x
416___
417######################################################################
418#
419# size_t aesni_gcm_[en|de]crypt(const void *inp, void *out, size_t len,
420#		const AES_KEY *key, unsigned char iv[16],
421#		struct { u128 Xi,H,Htbl[9]; } *Xip);
422$code.=<<___;
423.globl	aesni_gcm_decrypt
424.type	aesni_gcm_decrypt,\@function,6
425.align	32
426aesni_gcm_decrypt:
427.cfi_startproc
428	xor	$ret,$ret
429
430	# We call |_aesni_ctr32_ghash_6x|, which requires at least 96 (0x60)
431	# bytes of input.
432	cmp	\$0x60,$len			# minimal accepted length
433	jb	.Lgcm_dec_abort
434
435	lea	(%rsp),%rax			# save stack pointer
436.cfi_def_cfa_register	%rax
437	push	%rbx
438.cfi_push	%rbx
439	push	%rbp
440.cfi_push	%rbp
441	push	%r12
442.cfi_push	%r12
443	push	%r13
444.cfi_push	%r13
445	push	%r14
446.cfi_push	%r14
447	push	%r15
448.cfi_push	%r15
449___
450$code.=<<___ if ($win64);
451	lea	-0xa8(%rsp),%rsp
452	movaps	%xmm6,-0xd8(%rax)
453	movaps	%xmm7,-0xc8(%rax)
454	movaps	%xmm8,-0xb8(%rax)
455	movaps	%xmm9,-0xa8(%rax)
456	movaps	%xmm10,-0x98(%rax)
457	movaps	%xmm11,-0x88(%rax)
458	movaps	%xmm12,-0x78(%rax)
459	movaps	%xmm13,-0x68(%rax)
460	movaps	%xmm14,-0x58(%rax)
461	movaps	%xmm15,-0x48(%rax)
462.Lgcm_dec_body:
463___
464$code.=<<___;
465	vzeroupper
466
467	vmovdqu		($ivp),$T1		# input counter value
468	add		\$-128,%rsp
469	mov		12($ivp),$counter
470	lea		.Lbswap_mask(%rip),$const
471	lea		-0x80($key),$in0	# borrow $in0
472	mov		\$0xf80,$end0		# borrow $end0
473	vmovdqu		($Xip),$Xi		# load Xi
474	and		\$-128,%rsp		# ensure stack alignment
475	vmovdqu		($const),$Ii		# borrow $Ii for .Lbswap_mask
476	lea		0x80($key),$key		# size optimization
477	lea		0x20+0x20($Xip),$Xip	# size optimization
478	mov		0xf0-0x80($key),$rounds
479	vpshufb		$Ii,$Xi,$Xi
480
481	and		$end0,$in0
482	and		%rsp,$end0
483	sub		$in0,$end0
484	jc		.Ldec_no_key_aliasing
485	cmp		\$768,$end0
486	jnc		.Ldec_no_key_aliasing
487	sub		$end0,%rsp		# avoid aliasing with key
488.Ldec_no_key_aliasing:
489
490	vmovdqu		0x50($inp),$Z3		# I[5]
491	lea		($inp),$in0
492	vmovdqu		0x40($inp),$Z0
493
494	# |_aesni_ctr32_ghash_6x| requires |$end0| to point to 2*96 (0xc0)
495	# bytes before the end of the input. Note, in particular, that this is
496	# correct even if |$len| is not an even multiple of 96 or 16. XXX: This
497	# seems to require that |$inp| + |$len| >= 2*96 (0xc0); i.e. |$inp| must
498	# not be near the very beginning of the address space when |$len| < 2*96
499	# (0xc0).
500	lea		-0xc0($inp,$len),$end0
501
502	vmovdqu		0x30($inp),$Z1
503	shr		\$4,$len
504	xor		$ret,$ret
505	vmovdqu		0x20($inp),$Z2
506	 vpshufb	$Ii,$Z3,$Z3		# passed to _aesni_ctr32_ghash_6x
507	vmovdqu		0x10($inp),$T2
508	 vpshufb	$Ii,$Z0,$Z0
509	vmovdqu		($inp),$Hkey
510	 vpshufb	$Ii,$Z1,$Z1
511	vmovdqu		$Z0,0x30(%rsp)
512	 vpshufb	$Ii,$Z2,$Z2
513	vmovdqu		$Z1,0x40(%rsp)
514	 vpshufb	$Ii,$T2,$T2
515	vmovdqu		$Z2,0x50(%rsp)
516	 vpshufb	$Ii,$Hkey,$Hkey
517	vmovdqu		$T2,0x60(%rsp)
518	vmovdqu		$Hkey,0x70(%rsp)
519
520	call		_aesni_ctr32_ghash_6x
521
522	vmovups		$inout0,-0x60($out)	# save output
523	vmovups		$inout1,-0x50($out)
524	vmovups		$inout2,-0x40($out)
525	vmovups		$inout3,-0x30($out)
526	vmovups		$inout4,-0x20($out)
527	vmovups		$inout5,-0x10($out)
528
529	vpshufb		($const),$Xi,$Xi	# .Lbswap_mask
530	vmovdqu		$Xi,-0x40($Xip)		# output Xi
531
532	vzeroupper
533___
534$code.=<<___ if ($win64);
535	movaps	-0xd8(%rax),%xmm6
536	movaps	-0xc8(%rax),%xmm7
537	movaps	-0xb8(%rax),%xmm8
538	movaps	-0xa8(%rax),%xmm9
539	movaps	-0x98(%rax),%xmm10
540	movaps	-0x88(%rax),%xmm11
541	movaps	-0x78(%rax),%xmm12
542	movaps	-0x68(%rax),%xmm13
543	movaps	-0x58(%rax),%xmm14
544	movaps	-0x48(%rax),%xmm15
545___
546$code.=<<___;
547	mov	-48(%rax),%r15
548.cfi_restore	%r15
549	mov	-40(%rax),%r14
550.cfi_restore	%r14
551	mov	-32(%rax),%r13
552.cfi_restore	%r13
553	mov	-24(%rax),%r12
554.cfi_restore	%r12
555	mov	-16(%rax),%rbp
556.cfi_restore	%rbp
557	mov	-8(%rax),%rbx
558.cfi_restore	%rbx
559	lea	(%rax),%rsp		# restore %rsp
560.cfi_def_cfa_register	%rsp
561.Lgcm_dec_abort:
562	mov	$ret,%rax		# return value
563	ret
564.cfi_endproc
565.size	aesni_gcm_decrypt,.-aesni_gcm_decrypt
566___
567
568$code.=<<___;
569.type	_aesni_ctr32_6x,\@abi-omnipotent
570.align	32
571_aesni_ctr32_6x:
572.cfi_startproc
573	vmovdqu		0x00-0x80($key),$Z0	# borrow $Z0 for $rndkey
574	vmovdqu		0x20($const),$T2	# borrow $T2, .Lone_msb
575	lea		-1($rounds),%r13
576	vmovups		0x10-0x80($key),$rndkey
577	lea		0x20-0x80($key),%r12
578	vpxor		$Z0,$T1,$inout0
579	add		\$`6<<24`,$counter
580	jc		.Lhandle_ctr32_2
581	vpaddb		$T2,$T1,$inout1
582	vpaddb		$T2,$inout1,$inout2
583	vpxor		$Z0,$inout1,$inout1
584	vpaddb		$T2,$inout2,$inout3
585	vpxor		$Z0,$inout2,$inout2
586	vpaddb		$T2,$inout3,$inout4
587	vpxor		$Z0,$inout3,$inout3
588	vpaddb		$T2,$inout4,$inout5
589	vpxor		$Z0,$inout4,$inout4
590	vpaddb		$T2,$inout5,$T1
591	vpxor		$Z0,$inout5,$inout5
592	jmp		.Loop_ctr32
593
594.align	16
595.Loop_ctr32:
596	vaesenc		$rndkey,$inout0,$inout0
597	vaesenc		$rndkey,$inout1,$inout1
598	vaesenc		$rndkey,$inout2,$inout2
599	vaesenc		$rndkey,$inout3,$inout3
600	vaesenc		$rndkey,$inout4,$inout4
601	vaesenc		$rndkey,$inout5,$inout5
602	vmovups		(%r12),$rndkey
603	lea		0x10(%r12),%r12
604	dec		%r13d
605	jnz		.Loop_ctr32
606
607	vmovdqu		(%r12),$Hkey		# last round key
608	vaesenc		$rndkey,$inout0,$inout0
609	vpxor		0x00($inp),$Hkey,$Z0
610	vaesenc		$rndkey,$inout1,$inout1
611	vpxor		0x10($inp),$Hkey,$Z1
612	vaesenc		$rndkey,$inout2,$inout2
613	vpxor		0x20($inp),$Hkey,$Z2
614	vaesenc		$rndkey,$inout3,$inout3
615	vpxor		0x30($inp),$Hkey,$Xi
616	vaesenc		$rndkey,$inout4,$inout4
617	vpxor		0x40($inp),$Hkey,$T2
618	vaesenc		$rndkey,$inout5,$inout5
619	vpxor		0x50($inp),$Hkey,$Hkey
620	lea		0x60($inp),$inp
621
622	vaesenclast	$Z0,$inout0,$inout0
623	vaesenclast	$Z1,$inout1,$inout1
624	vaesenclast	$Z2,$inout2,$inout2
625	vaesenclast	$Xi,$inout3,$inout3
626	vaesenclast	$T2,$inout4,$inout4
627	vaesenclast	$Hkey,$inout5,$inout5
628	vmovups		$inout0,0x00($out)
629	vmovups		$inout1,0x10($out)
630	vmovups		$inout2,0x20($out)
631	vmovups		$inout3,0x30($out)
632	vmovups		$inout4,0x40($out)
633	vmovups		$inout5,0x50($out)
634	lea		0x60($out),$out
635
636	ret
637.align	32
638.Lhandle_ctr32_2:
639	vpshufb		$Ii,$T1,$Z2		# byte-swap counter
640	vmovdqu		0x30($const),$Z1	# borrow $Z1, .Ltwo_lsb
641	vpaddd		0x40($const),$Z2,$inout1	# .Lone_lsb
642	vpaddd		$Z1,$Z2,$inout2
643	vpaddd		$Z1,$inout1,$inout3
644	vpshufb		$Ii,$inout1,$inout1
645	vpaddd		$Z1,$inout2,$inout4
646	vpshufb		$Ii,$inout2,$inout2
647	vpxor		$Z0,$inout1,$inout1
648	vpaddd		$Z1,$inout3,$inout5
649	vpshufb		$Ii,$inout3,$inout3
650	vpxor		$Z0,$inout2,$inout2
651	vpaddd		$Z1,$inout4,$T1		# byte-swapped next counter value
652	vpshufb		$Ii,$inout4,$inout4
653	vpxor		$Z0,$inout3,$inout3
654	vpshufb		$Ii,$inout5,$inout5
655	vpxor		$Z0,$inout4,$inout4
656	vpshufb		$Ii,$T1,$T1		# next counter value
657	vpxor		$Z0,$inout5,$inout5
658	jmp	.Loop_ctr32
659.cfi_endproc
660.size	_aesni_ctr32_6x,.-_aesni_ctr32_6x
661
662.globl	aesni_gcm_encrypt
663.type	aesni_gcm_encrypt,\@function,6
664.align	32
665aesni_gcm_encrypt:
666.cfi_startproc
667#ifndef NDEBUG
668#ifndef BORINGSSL_FIPS
669.extern	BORINGSSL_function_hit
670	movb \$1,BORINGSSL_function_hit+2(%rip)
671#endif
672#endif
673	xor	$ret,$ret
674
675	# We call |_aesni_ctr32_6x| twice, each call consuming 96 bytes of
676	# input. Then we call |_aesni_ctr32_ghash_6x|, which requires at
677	# least 96 more bytes of input.
678	cmp	\$0x60*3,$len			# minimal accepted length
679	jb	.Lgcm_enc_abort
680
681	lea	(%rsp),%rax			# save stack pointer
682.cfi_def_cfa_register	%rax
683	push	%rbx
684.cfi_push	%rbx
685	push	%rbp
686.cfi_push	%rbp
687	push	%r12
688.cfi_push	%r12
689	push	%r13
690.cfi_push	%r13
691	push	%r14
692.cfi_push	%r14
693	push	%r15
694.cfi_push	%r15
695___
696$code.=<<___ if ($win64);
697	lea	-0xa8(%rsp),%rsp
698	movaps	%xmm6,-0xd8(%rax)
699	movaps	%xmm7,-0xc8(%rax)
700	movaps	%xmm8,-0xb8(%rax)
701	movaps	%xmm9,-0xa8(%rax)
702	movaps	%xmm10,-0x98(%rax)
703	movaps	%xmm11,-0x88(%rax)
704	movaps	%xmm12,-0x78(%rax)
705	movaps	%xmm13,-0x68(%rax)
706	movaps	%xmm14,-0x58(%rax)
707	movaps	%xmm15,-0x48(%rax)
708.Lgcm_enc_body:
709___
710$code.=<<___;
711	vzeroupper
712
713	vmovdqu		($ivp),$T1		# input counter value
714	add		\$-128,%rsp
715	mov		12($ivp),$counter
716	lea		.Lbswap_mask(%rip),$const
717	lea		-0x80($key),$in0	# borrow $in0
718	mov		\$0xf80,$end0		# borrow $end0
719	lea		0x80($key),$key		# size optimization
720	vmovdqu		($const),$Ii		# borrow $Ii for .Lbswap_mask
721	and		\$-128,%rsp		# ensure stack alignment
722	mov		0xf0-0x80($key),$rounds
723
724	and		$end0,$in0
725	and		%rsp,$end0
726	sub		$in0,$end0
727	jc		.Lenc_no_key_aliasing
728	cmp		\$768,$end0
729	jnc		.Lenc_no_key_aliasing
730	sub		$end0,%rsp		# avoid aliasing with key
731.Lenc_no_key_aliasing:
732
733	lea		($out),$in0
734
735	# |_aesni_ctr32_ghash_6x| requires |$end0| to point to 2*96 (0xc0)
736	# bytes before the end of the input. Note, in particular, that this is
737	# correct even if |$len| is not an even multiple of 96 or 16. Unlike in
738	# the decryption case, there's no caveat that |$out| must not be near
739	# the very beginning of the address space, because we know that
740	# |$len| >= 3*96 from the check above, and so we know
741	# |$out| + |$len| >= 2*96 (0xc0).
742	lea		-0xc0($out,$len),$end0
743
744	shr		\$4,$len
745
746	call		_aesni_ctr32_6x
747	vpshufb		$Ii,$inout0,$Xi		# save bswapped output on stack
748	vpshufb		$Ii,$inout1,$T2
749	vmovdqu		$Xi,0x70(%rsp)
750	vpshufb		$Ii,$inout2,$Z0
751	vmovdqu		$T2,0x60(%rsp)
752	vpshufb		$Ii,$inout3,$Z1
753	vmovdqu		$Z0,0x50(%rsp)
754	vpshufb		$Ii,$inout4,$Z2
755	vmovdqu		$Z1,0x40(%rsp)
756	vpshufb		$Ii,$inout5,$Z3		# passed to _aesni_ctr32_ghash_6x
757	vmovdqu		$Z2,0x30(%rsp)
758
759	call		_aesni_ctr32_6x
760
761	vmovdqu		($Xip),$Xi		# load Xi
762	lea		0x20+0x20($Xip),$Xip	# size optimization
763	sub		\$12,$len
764	mov		\$0x60*2,$ret
765	vpshufb		$Ii,$Xi,$Xi
766
767	call		_aesni_ctr32_ghash_6x
768	vmovdqu		0x20(%rsp),$Z3		# I[5]
769	 vmovdqu	($const),$Ii		# borrow $Ii for .Lbswap_mask
770	vmovdqu		0x00-0x20($Xip),$Hkey	# $Hkey^1
771	vpunpckhqdq	$Z3,$Z3,$T1
772	vmovdqu		0x20-0x20($Xip),$rndkey	# borrow $rndkey for $HK
773	 vmovups	$inout0,-0x60($out)	# save output
774	 vpshufb	$Ii,$inout0,$inout0	# but keep bswapped copy
775	vpxor		$Z3,$T1,$T1
776	 vmovups	$inout1,-0x50($out)
777	 vpshufb	$Ii,$inout1,$inout1
778	 vmovups	$inout2,-0x40($out)
779	 vpshufb	$Ii,$inout2,$inout2
780	 vmovups	$inout3,-0x30($out)
781	 vpshufb	$Ii,$inout3,$inout3
782	 vmovups	$inout4,-0x20($out)
783	 vpshufb	$Ii,$inout4,$inout4
784	 vmovups	$inout5,-0x10($out)
785	 vpshufb	$Ii,$inout5,$inout5
786	 vmovdqu	$inout0,0x10(%rsp)	# free $inout0
787___
788{ my ($HK,$T3)=($rndkey,$inout0);
789
790$code.=<<___;
791	 vmovdqu	0x30(%rsp),$Z2		# I[4]
792	 vmovdqu	0x10-0x20($Xip),$Ii	# borrow $Ii for $Hkey^2
793	 vpunpckhqdq	$Z2,$Z2,$T2
794	vpclmulqdq	\$0x00,$Hkey,$Z3,$Z1
795	 vpxor		$Z2,$T2,$T2
796	vpclmulqdq	\$0x11,$Hkey,$Z3,$Z3
797	vpclmulqdq	\$0x00,$HK,$T1,$T1
798
799	 vmovdqu	0x40(%rsp),$T3		# I[3]
800	vpclmulqdq	\$0x00,$Ii,$Z2,$Z0
801	 vmovdqu	0x30-0x20($Xip),$Hkey	# $Hkey^3
802	vpxor		$Z1,$Z0,$Z0
803	 vpunpckhqdq	$T3,$T3,$Z1
804	vpclmulqdq	\$0x11,$Ii,$Z2,$Z2
805	 vpxor		$T3,$Z1,$Z1
806	vpxor		$Z3,$Z2,$Z2
807	vpclmulqdq	\$0x10,$HK,$T2,$T2
808	 vmovdqu	0x50-0x20($Xip),$HK
809	vpxor		$T1,$T2,$T2
810
811	 vmovdqu	0x50(%rsp),$T1		# I[2]
812	vpclmulqdq	\$0x00,$Hkey,$T3,$Z3
813	 vmovdqu	0x40-0x20($Xip),$Ii	# borrow $Ii for $Hkey^4
814	vpxor		$Z0,$Z3,$Z3
815	 vpunpckhqdq	$T1,$T1,$Z0
816	vpclmulqdq	\$0x11,$Hkey,$T3,$T3
817	 vpxor		$T1,$Z0,$Z0
818	vpxor		$Z2,$T3,$T3
819	vpclmulqdq	\$0x00,$HK,$Z1,$Z1
820	vpxor		$T2,$Z1,$Z1
821
822	 vmovdqu	0x60(%rsp),$T2		# I[1]
823	vpclmulqdq	\$0x00,$Ii,$T1,$Z2
824	 vmovdqu	0x60-0x20($Xip),$Hkey	# $Hkey^5
825	vpxor		$Z3,$Z2,$Z2
826	 vpunpckhqdq	$T2,$T2,$Z3
827	vpclmulqdq	\$0x11,$Ii,$T1,$T1
828	 vpxor		$T2,$Z3,$Z3
829	vpxor		$T3,$T1,$T1
830	vpclmulqdq	\$0x10,$HK,$Z0,$Z0
831	 vmovdqu	0x80-0x20($Xip),$HK
832	vpxor		$Z1,$Z0,$Z0
833
834	 vpxor		0x70(%rsp),$Xi,$Xi	# accumulate I[0]
835	vpclmulqdq	\$0x00,$Hkey,$T2,$Z1
836	 vmovdqu	0x70-0x20($Xip),$Ii	# borrow $Ii for $Hkey^6
837	 vpunpckhqdq	$Xi,$Xi,$T3
838	vpxor		$Z2,$Z1,$Z1
839	vpclmulqdq	\$0x11,$Hkey,$T2,$T2
840	 vpxor		$Xi,$T3,$T3
841	vpxor		$T1,$T2,$T2
842	vpclmulqdq	\$0x00,$HK,$Z3,$Z3
843	vpxor		$Z0,$Z3,$Z0
844
845	vpclmulqdq	\$0x00,$Ii,$Xi,$Z2
846	 vmovdqu	0x00-0x20($Xip),$Hkey	# $Hkey^1
847	 vpunpckhqdq	$inout5,$inout5,$T1
848	vpclmulqdq	\$0x11,$Ii,$Xi,$Xi
849	 vpxor		$inout5,$T1,$T1
850	vpxor		$Z1,$Z2,$Z1
851	vpclmulqdq	\$0x10,$HK,$T3,$T3
852	 vmovdqu	0x20-0x20($Xip),$HK
853	vpxor		$T2,$Xi,$Z3
854	vpxor		$Z0,$T3,$Z2
855
856	 vmovdqu	0x10-0x20($Xip),$Ii	# borrow $Ii for $Hkey^2
857	  vpxor		$Z1,$Z3,$T3		# aggregated Karatsuba post-processing
858	vpclmulqdq	\$0x00,$Hkey,$inout5,$Z0
859	  vpxor		$T3,$Z2,$Z2
860	 vpunpckhqdq	$inout4,$inout4,$T2
861	vpclmulqdq	\$0x11,$Hkey,$inout5,$inout5
862	 vpxor		$inout4,$T2,$T2
863	  vpslldq	\$8,$Z2,$T3
864	vpclmulqdq	\$0x00,$HK,$T1,$T1
865	  vpxor		$T3,$Z1,$Xi
866	  vpsrldq	\$8,$Z2,$Z2
867	  vpxor		$Z2,$Z3,$Z3
868
869	vpclmulqdq	\$0x00,$Ii,$inout4,$Z1
870	 vmovdqu	0x30-0x20($Xip),$Hkey	# $Hkey^3
871	vpxor		$Z0,$Z1,$Z1
872	 vpunpckhqdq	$inout3,$inout3,$T3
873	vpclmulqdq	\$0x11,$Ii,$inout4,$inout4
874	 vpxor		$inout3,$T3,$T3
875	vpxor		$inout5,$inout4,$inout4
876	  vpalignr	\$8,$Xi,$Xi,$inout5	# 1st phase
877	vpclmulqdq	\$0x10,$HK,$T2,$T2
878	 vmovdqu	0x50-0x20($Xip),$HK
879	vpxor		$T1,$T2,$T2
880
881	vpclmulqdq	\$0x00,$Hkey,$inout3,$Z0
882	 vmovdqu	0x40-0x20($Xip),$Ii	# borrow $Ii for $Hkey^4
883	vpxor		$Z1,$Z0,$Z0
884	 vpunpckhqdq	$inout2,$inout2,$T1
885	vpclmulqdq	\$0x11,$Hkey,$inout3,$inout3
886	 vpxor		$inout2,$T1,$T1
887	vpxor		$inout4,$inout3,$inout3
888	  vxorps	0x10(%rsp),$Z3,$Z3	# accumulate $inout0
889	vpclmulqdq	\$0x00,$HK,$T3,$T3
890	vpxor		$T2,$T3,$T3
891
892	  vpclmulqdq	\$0x10,0x10($const),$Xi,$Xi
893	  vxorps	$inout5,$Xi,$Xi
894
895	vpclmulqdq	\$0x00,$Ii,$inout2,$Z1
896	 vmovdqu	0x60-0x20($Xip),$Hkey	# $Hkey^5
897	vpxor		$Z0,$Z1,$Z1
898	 vpunpckhqdq	$inout1,$inout1,$T2
899	vpclmulqdq	\$0x11,$Ii,$inout2,$inout2
900	 vpxor		$inout1,$T2,$T2
901	  vpalignr	\$8,$Xi,$Xi,$inout5	# 2nd phase
902	vpxor		$inout3,$inout2,$inout2
903	vpclmulqdq	\$0x10,$HK,$T1,$T1
904	 vmovdqu	0x80-0x20($Xip),$HK
905	vpxor		$T3,$T1,$T1
906
907	  vxorps	$Z3,$inout5,$inout5
908	  vpclmulqdq	\$0x10,0x10($const),$Xi,$Xi
909	  vxorps	$inout5,$Xi,$Xi
910
911	vpclmulqdq	\$0x00,$Hkey,$inout1,$Z0
912	 vmovdqu	0x70-0x20($Xip),$Ii	# borrow $Ii for $Hkey^6
913	vpxor		$Z1,$Z0,$Z0
914	 vpunpckhqdq	$Xi,$Xi,$T3
915	vpclmulqdq	\$0x11,$Hkey,$inout1,$inout1
916	 vpxor		$Xi,$T3,$T3
917	vpxor		$inout2,$inout1,$inout1
918	vpclmulqdq	\$0x00,$HK,$T2,$T2
919	vpxor		$T1,$T2,$T2
920
921	vpclmulqdq	\$0x00,$Ii,$Xi,$Z1
922	vpclmulqdq	\$0x11,$Ii,$Xi,$Z3
923	vpxor		$Z0,$Z1,$Z1
924	vpclmulqdq	\$0x10,$HK,$T3,$Z2
925	vpxor		$inout1,$Z3,$Z3
926	vpxor		$T2,$Z2,$Z2
927
928	vpxor		$Z1,$Z3,$Z0		# aggregated Karatsuba post-processing
929	vpxor		$Z0,$Z2,$Z2
930	vpslldq		\$8,$Z2,$T1
931	vmovdqu		0x10($const),$Hkey	# .Lpoly
932	vpsrldq		\$8,$Z2,$Z2
933	vpxor		$T1,$Z1,$Xi
934	vpxor		$Z2,$Z3,$Z3
935
936	vpalignr	\$8,$Xi,$Xi,$T2		# 1st phase
937	vpclmulqdq	\$0x10,$Hkey,$Xi,$Xi
938	vpxor		$T2,$Xi,$Xi
939
940	vpalignr	\$8,$Xi,$Xi,$T2		# 2nd phase
941	vpclmulqdq	\$0x10,$Hkey,$Xi,$Xi
942	vpxor		$Z3,$T2,$T2
943	vpxor		$T2,$Xi,$Xi
944___
945}
946$code.=<<___;
947	vpshufb		($const),$Xi,$Xi	# .Lbswap_mask
948	vmovdqu		$Xi,-0x40($Xip)		# output Xi
949
950	vzeroupper
951___
952$code.=<<___ if ($win64);
953	movaps	-0xd8(%rax),%xmm6
954	movaps	-0xc8(%rax),%xmm7
955	movaps	-0xb8(%rax),%xmm8
956	movaps	-0xa8(%rax),%xmm9
957	movaps	-0x98(%rax),%xmm10
958	movaps	-0x88(%rax),%xmm11
959	movaps	-0x78(%rax),%xmm12
960	movaps	-0x68(%rax),%xmm13
961	movaps	-0x58(%rax),%xmm14
962	movaps	-0x48(%rax),%xmm15
963___
964$code.=<<___;
965	mov	-48(%rax),%r15
966.cfi_restore	%r15
967	mov	-40(%rax),%r14
968.cfi_restore	%r14
969	mov	-32(%rax),%r13
970.cfi_restore	%r13
971	mov	-24(%rax),%r12
972.cfi_restore	%r12
973	mov	-16(%rax),%rbp
974.cfi_restore	%rbp
975	mov	-8(%rax),%rbx
976.cfi_restore	%rbx
977	lea	(%rax),%rsp		# restore %rsp
978.cfi_def_cfa_register	%rsp
979.Lgcm_enc_abort:
980	mov	$ret,%rax		# return value
981	ret
982.cfi_endproc
983.size	aesni_gcm_encrypt,.-aesni_gcm_encrypt
984___
985
986$code.=<<___;
987.align	64
988.Lbswap_mask:
989	.byte	15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
990.Lpoly:
991	.byte	0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xc2
992.Lone_msb:
993	.byte	0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1
994.Ltwo_lsb:
995	.byte	2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
996.Lone_lsb:
997	.byte	1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
998.asciz	"AES-NI GCM module for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
999.align	64
1000___
1001if ($win64) {
1002$rec="%rcx";
1003$frame="%rdx";
1004$context="%r8";
1005$disp="%r9";
1006
1007$code.=<<___
1008.extern	__imp_RtlVirtualUnwind
1009.type	gcm_se_handler,\@abi-omnipotent
1010.align	16
1011gcm_se_handler:
1012	push	%rsi
1013	push	%rdi
1014	push	%rbx
1015	push	%rbp
1016	push	%r12
1017	push	%r13
1018	push	%r14
1019	push	%r15
1020	pushfq
1021	sub	\$64,%rsp
1022
1023	mov	120($context),%rax	# pull context->Rax
1024	mov	248($context),%rbx	# pull context->Rip
1025
1026	mov	8($disp),%rsi		# disp->ImageBase
1027	mov	56($disp),%r11		# disp->HandlerData
1028
1029	mov	0(%r11),%r10d		# HandlerData[0]
1030	lea	(%rsi,%r10),%r10	# prologue label
1031	cmp	%r10,%rbx		# context->Rip<prologue label
1032	jb	.Lcommon_seh_tail
1033
1034	mov	152($context),%rax	# pull context->Rsp
1035
1036	mov	4(%r11),%r10d		# HandlerData[1]
1037	lea	(%rsi,%r10),%r10	# epilogue label
1038	cmp	%r10,%rbx		# context->Rip>=epilogue label
1039	jae	.Lcommon_seh_tail
1040
1041	mov	120($context),%rax	# pull context->Rax
1042
1043	mov	-48(%rax),%r15
1044	mov	-40(%rax),%r14
1045	mov	-32(%rax),%r13
1046	mov	-24(%rax),%r12
1047	mov	-16(%rax),%rbp
1048	mov	-8(%rax),%rbx
1049	mov	%r15,240($context)
1050	mov	%r14,232($context)
1051	mov	%r13,224($context)
1052	mov	%r12,216($context)
1053	mov	%rbp,160($context)
1054	mov	%rbx,144($context)
1055
1056	lea	-0xd8(%rax),%rsi	# %xmm save area
1057	lea	512($context),%rdi	# & context.Xmm6
1058	mov	\$20,%ecx		# 10*sizeof(%xmm0)/sizeof(%rax)
1059	.long	0xa548f3fc		# cld; rep movsq
1060
1061.Lcommon_seh_tail:
1062	mov	8(%rax),%rdi
1063	mov	16(%rax),%rsi
1064	mov	%rax,152($context)	# restore context->Rsp
1065	mov	%rsi,168($context)	# restore context->Rsi
1066	mov	%rdi,176($context)	# restore context->Rdi
1067
1068	mov	40($disp),%rdi		# disp->ContextRecord
1069	mov	$context,%rsi		# context
1070	mov	\$154,%ecx		# sizeof(CONTEXT)
1071	.long	0xa548f3fc		# cld; rep movsq
1072
1073	mov	$disp,%rsi
1074	xor	%rcx,%rcx		# arg1, UNW_FLAG_NHANDLER
1075	mov	8(%rsi),%rdx		# arg2, disp->ImageBase
1076	mov	0(%rsi),%r8		# arg3, disp->ControlPc
1077	mov	16(%rsi),%r9		# arg4, disp->FunctionEntry
1078	mov	40(%rsi),%r10		# disp->ContextRecord
1079	lea	56(%rsi),%r11		# &disp->HandlerData
1080	lea	24(%rsi),%r12		# &disp->EstablisherFrame
1081	mov	%r10,32(%rsp)		# arg5
1082	mov	%r11,40(%rsp)		# arg6
1083	mov	%r12,48(%rsp)		# arg7
1084	mov	%rcx,56(%rsp)		# arg8, (NULL)
1085	call	*__imp_RtlVirtualUnwind(%rip)
1086
1087	mov	\$1,%eax		# ExceptionContinueSearch
1088	add	\$64,%rsp
1089	popfq
1090	pop	%r15
1091	pop	%r14
1092	pop	%r13
1093	pop	%r12
1094	pop	%rbp
1095	pop	%rbx
1096	pop	%rdi
1097	pop	%rsi
1098	ret
1099.size	gcm_se_handler,.-gcm_se_handler
1100
1101.section	.pdata
1102.align	4
1103	.rva	.LSEH_begin_aesni_gcm_decrypt
1104	.rva	.LSEH_end_aesni_gcm_decrypt
1105	.rva	.LSEH_gcm_dec_info
1106
1107	.rva	.LSEH_begin_aesni_gcm_encrypt
1108	.rva	.LSEH_end_aesni_gcm_encrypt
1109	.rva	.LSEH_gcm_enc_info
1110.section	.xdata
1111.align	8
1112.LSEH_gcm_dec_info:
1113	.byte	9,0,0,0
1114	.rva	gcm_se_handler
1115	.rva	.Lgcm_dec_body,.Lgcm_dec_abort
1116.LSEH_gcm_enc_info:
1117	.byte	9,0,0,0
1118	.rva	gcm_se_handler
1119	.rva	.Lgcm_enc_body,.Lgcm_enc_abort
1120___
1121}
1122}}} else {{{
1123$code=<<___;	# assembler is too old
1124.text
1125
1126.globl	aesni_gcm_encrypt
1127.type	aesni_gcm_encrypt,\@abi-omnipotent
1128aesni_gcm_encrypt:
1129	xor	%eax,%eax
1130	ret
1131.size	aesni_gcm_encrypt,.-aesni_gcm_encrypt
1132
1133.globl	aesni_gcm_decrypt
1134.type	aesni_gcm_decrypt,\@abi-omnipotent
1135aesni_gcm_decrypt:
1136	xor	%eax,%eax
1137	ret
1138.size	aesni_gcm_decrypt,.-aesni_gcm_decrypt
1139___
1140}}}
1141
1142$code =~ s/\`([^\`]*)\`/eval($1)/gem;
1143
1144print $code;
1145
1146close STDOUT;
1147