• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#! /usr/bin/env perl
2# Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10# ====================================================================
11# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12# project. The module is, however, dual licensed under OpenSSL and
13# CRYPTOGAMS licenses depending on where you obtain it. For further
14# details see http://www.openssl.org/~appro/cryptogams/.
15# ====================================================================
16#
17# This module implements support for Intel AES-NI extension. In
18# OpenSSL context it's used with Intel engine, but can also be used as
19# drop-in replacement for crypto/aes/asm/aes-586.pl [see below for
20# details].
21#
22# Performance.
23#
24# To start with see corresponding paragraph in aesni-x86_64.pl...
25# Instead of filling table similar to one found there I've chosen to
26# summarize *comparison* results for raw ECB, CTR and CBC benchmarks.
27# The simplified table below represents 32-bit performance relative
28# to 64-bit one in every given point. Ratios vary for different
29# encryption modes, therefore interval values.
30#
31#	16-byte     64-byte     256-byte    1-KB        8-KB
32#	53-67%      67-84%      91-94%      95-98%      97-99.5%
33#
34# Lower ratios for smaller block sizes are perfectly understandable,
35# because function call overhead is higher in 32-bit mode. Largest
36# 8-KB block performance is virtually same: 32-bit code is less than
37# 1% slower for ECB, CBC and CCM, and ~3% slower otherwise.
38
39# January 2011
40#
41# See aesni-x86_64.pl for details. Unlike x86_64 version this module
42# interleaves at most 6 aes[enc|dec] instructions, because there are
43# not enough registers for 8x interleave [which should be optimal for
44# Sandy Bridge]. Actually, performance results for 6x interleave
45# factor presented in aesni-x86_64.pl (except for CTR) are for this
46# module.
47
48# April 2011
49#
50# Add aesni_xts_[en|de]crypt. Westmere spends 1.50 cycles processing
51# one byte out of 8KB with 128-bit key, Sandy Bridge - 1.09.
52
53# November 2015
54#
55# Add aesni_ocb_[en|de]crypt.
56
57######################################################################
58# Current large-block performance in cycles per byte processed with
59# 128-bit key (less is better).
60#
61#		CBC en-/decrypt	CTR	XTS	ECB	OCB
62# Westmere	3.77/1.37	1.37	1.52	1.27
63# * Bridge	5.07/0.98	0.99	1.09	0.91	1.10
64# Haswell	4.44/0.80	0.97	1.03	0.72	0.76
65# Skylake	2.68/0.65	0.65	0.66	0.64	0.66
66# Silvermont	5.77/3.56	3.67	4.03	3.46	4.03
67# Goldmont	3.84/1.39	1.39	1.63	1.31	1.70
68# Bulldozer	5.80/0.98	1.05	1.24	0.93	1.23
69
70$PREFIX="aesni";	# if $PREFIX is set to "AES", the script
71			# generates drop-in replacement for
72			# crypto/aes/asm/aes-586.pl:-)
73$inline=1;		# inline _aesni_[en|de]crypt
74
75$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
76push(@INC,"${dir}","${dir}../../perlasm");
77require "x86asm.pl";
78
79$output = pop and open STDOUT,">$output";
80
81&asm_init($ARGV[0]);
82
83&external_label("OPENSSL_ia32cap_P");
84&static_label("key_const");
85
86if ($PREFIX eq "aesni")	{ $movekey=\&movups; }
87else			{ $movekey=\&movups; }
88
89$len="eax";
90$rounds="ecx";
91$key="edx";
92$inp="esi";
93$out="edi";
94$rounds_="ebx";	# backup copy for $rounds
95$key_="ebp";	# backup copy for $key
96
97$rndkey0="xmm0";
98$rndkey1="xmm1";
99$inout0="xmm2";
100$inout1="xmm3";
101$inout2="xmm4";
102$inout3="xmm5";	$in1="xmm5";
103$inout4="xmm6";	$in0="xmm6";
104$inout5="xmm7";	$ivec="xmm7";
105
106# AESNI extension
107sub aeskeygenassist
108{ my($dst,$src,$imm)=@_;
109    if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
110    {	&data_byte(0x66,0x0f,0x3a,0xdf,0xc0|($1<<3)|$2,$imm);	}
111}
112sub aescommon
113{ my($opcodelet,$dst,$src)=@_;
114    if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
115    {	&data_byte(0x66,0x0f,0x38,$opcodelet,0xc0|($1<<3)|$2);}
116}
117sub aesimc	{ aescommon(0xdb,@_); }
118sub aesenc	{ aescommon(0xdc,@_); }
119sub aesenclast	{ aescommon(0xdd,@_); }
120sub aesdec	{ aescommon(0xde,@_); }
121sub aesdeclast	{ aescommon(0xdf,@_); }
122
123# Inline version of internal aesni_[en|de]crypt1
124{ my $sn;
125sub aesni_inline_generate1
126{ my ($p,$inout,$ivec)=@_; $inout=$inout0 if (!defined($inout));
127  $sn++;
128
129    &$movekey		($rndkey0,&QWP(0,$key));
130    &$movekey		($rndkey1,&QWP(16,$key));
131    &xorps		($ivec,$rndkey0)	if (defined($ivec));
132    &lea		($key,&DWP(32,$key));
133    &xorps		($inout,$ivec)		if (defined($ivec));
134    &xorps		($inout,$rndkey0)	if (!defined($ivec));
135    &set_label("${p}1_loop_$sn");
136	eval"&aes${p}	($inout,$rndkey1)";
137	&dec		($rounds);
138	&$movekey	($rndkey1,&QWP(0,$key));
139	&lea		($key,&DWP(16,$key));
140    &jnz		(&label("${p}1_loop_$sn"));
141    eval"&aes${p}last	($inout,$rndkey1)";
142}}
143
144sub aesni_generate1	# fully unrolled loop
145{ my ($p,$inout)=@_; $inout=$inout0 if (!defined($inout));
146
147    &function_begin_B("_aesni_${p}rypt1");
148	&movups		($rndkey0,&QWP(0,$key));
149	&$movekey	($rndkey1,&QWP(0x10,$key));
150	&xorps		($inout,$rndkey0);
151	&$movekey	($rndkey0,&QWP(0x20,$key));
152	&lea		($key,&DWP(0x30,$key));
153	&cmp		($rounds,11);
154	&jb		(&label("${p}128"));
155	&lea		($key,&DWP(0x20,$key));
156	&je		(&label("${p}192"));
157	&lea		($key,&DWP(0x20,$key));
158	eval"&aes${p}	($inout,$rndkey1)";
159	&$movekey	($rndkey1,&QWP(-0x40,$key));
160	eval"&aes${p}	($inout,$rndkey0)";
161	&$movekey	($rndkey0,&QWP(-0x30,$key));
162    &set_label("${p}192");
163	eval"&aes${p}	($inout,$rndkey1)";
164	&$movekey	($rndkey1,&QWP(-0x20,$key));
165	eval"&aes${p}	($inout,$rndkey0)";
166	&$movekey	($rndkey0,&QWP(-0x10,$key));
167    &set_label("${p}128");
168	eval"&aes${p}	($inout,$rndkey1)";
169	&$movekey	($rndkey1,&QWP(0,$key));
170	eval"&aes${p}	($inout,$rndkey0)";
171	&$movekey	($rndkey0,&QWP(0x10,$key));
172	eval"&aes${p}	($inout,$rndkey1)";
173	&$movekey	($rndkey1,&QWP(0x20,$key));
174	eval"&aes${p}	($inout,$rndkey0)";
175	&$movekey	($rndkey0,&QWP(0x30,$key));
176	eval"&aes${p}	($inout,$rndkey1)";
177	&$movekey	($rndkey1,&QWP(0x40,$key));
178	eval"&aes${p}	($inout,$rndkey0)";
179	&$movekey	($rndkey0,&QWP(0x50,$key));
180	eval"&aes${p}	($inout,$rndkey1)";
181	&$movekey	($rndkey1,&QWP(0x60,$key));
182	eval"&aes${p}	($inout,$rndkey0)";
183	&$movekey	($rndkey0,&QWP(0x70,$key));
184	eval"&aes${p}	($inout,$rndkey1)";
185    eval"&aes${p}last	($inout,$rndkey0)";
186    &ret();
187    &function_end_B("_aesni_${p}rypt1");
188}
189
190# void $PREFIX_encrypt (const void *inp,void *out,const AES_KEY *key);
191&aesni_generate1("enc") if (!$inline);
192&function_begin_B("${PREFIX}_encrypt");
193	&mov	("eax",&wparam(0));
194	&mov	($key,&wparam(2));
195	&movups	($inout0,&QWP(0,"eax"));
196	&mov	($rounds,&DWP(240,$key));
197	&mov	("eax",&wparam(1));
198	if ($inline)
199	{   &aesni_inline_generate1("enc");	}
200	else
201	{   &call	("_aesni_encrypt1");	}
202	&pxor	($rndkey0,$rndkey0);		# clear register bank
203	&pxor	($rndkey1,$rndkey1);
204	&movups	(&QWP(0,"eax"),$inout0);
205	&pxor	($inout0,$inout0);
206	&ret	();
207&function_end_B("${PREFIX}_encrypt");
208
209# void $PREFIX_decrypt (const void *inp,void *out,const AES_KEY *key);
210&aesni_generate1("dec") if(!$inline);
211&function_begin_B("${PREFIX}_decrypt");
212	&mov	("eax",&wparam(0));
213	&mov	($key,&wparam(2));
214	&movups	($inout0,&QWP(0,"eax"));
215	&mov	($rounds,&DWP(240,$key));
216	&mov	("eax",&wparam(1));
217	if ($inline)
218	{   &aesni_inline_generate1("dec");	}
219	else
220	{   &call	("_aesni_decrypt1");	}
221	&pxor	($rndkey0,$rndkey0);		# clear register bank
222	&pxor	($rndkey1,$rndkey1);
223	&movups	(&QWP(0,"eax"),$inout0);
224	&pxor	($inout0,$inout0);
225	&ret	();
226&function_end_B("${PREFIX}_decrypt");
227
228# _aesni_[en|de]cryptN are private interfaces, N denotes interleave
229# factor. Why 3x subroutine were originally used in loops? Even though
230# aes[enc|dec] latency was originally 6, it could be scheduled only
231# every *2nd* cycle. Thus 3x interleave was the one providing optimal
232# utilization, i.e. when subroutine's throughput is virtually same as
233# of non-interleaved subroutine [for number of input blocks up to 3].
234# This is why it originally made no sense to implement 2x subroutine.
235# But times change and it became appropriate to spend extra 192 bytes
236# on 2x subroutine on Atom Silvermont account. For processors that
237# can schedule aes[enc|dec] every cycle optimal interleave factor
238# equals to corresponding instructions latency. 8x is optimal for
239# * Bridge, but it's unfeasible to accommodate such implementation
240# in XMM registers addressable in 32-bit mode and therefore maximum
241# of 6x is used instead...
242
243sub aesni_generate2
244{ my $p=shift;
245
246    &function_begin_B("_aesni_${p}rypt2");
247	&$movekey	($rndkey0,&QWP(0,$key));
248	&shl		($rounds,4);
249	&$movekey	($rndkey1,&QWP(16,$key));
250	&xorps		($inout0,$rndkey0);
251	&pxor		($inout1,$rndkey0);
252	&$movekey	($rndkey0,&QWP(32,$key));
253	&lea		($key,&DWP(32,$key,$rounds));
254	&neg		($rounds);
255	&add		($rounds,16);
256
257    &set_label("${p}2_loop");
258	eval"&aes${p}	($inout0,$rndkey1)";
259	eval"&aes${p}	($inout1,$rndkey1)";
260	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
261	&add		($rounds,32);
262	eval"&aes${p}	($inout0,$rndkey0)";
263	eval"&aes${p}	($inout1,$rndkey0)";
264	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
265	&jnz		(&label("${p}2_loop"));
266    eval"&aes${p}	($inout0,$rndkey1)";
267    eval"&aes${p}	($inout1,$rndkey1)";
268    eval"&aes${p}last	($inout0,$rndkey0)";
269    eval"&aes${p}last	($inout1,$rndkey0)";
270    &ret();
271    &function_end_B("_aesni_${p}rypt2");
272}
273
274sub aesni_generate3
275{ my $p=shift;
276
277    &function_begin_B("_aesni_${p}rypt3");
278	&$movekey	($rndkey0,&QWP(0,$key));
279	&shl		($rounds,4);
280	&$movekey	($rndkey1,&QWP(16,$key));
281	&xorps		($inout0,$rndkey0);
282	&pxor		($inout1,$rndkey0);
283	&pxor		($inout2,$rndkey0);
284	&$movekey	($rndkey0,&QWP(32,$key));
285	&lea		($key,&DWP(32,$key,$rounds));
286	&neg		($rounds);
287	&add		($rounds,16);
288
289    &set_label("${p}3_loop");
290	eval"&aes${p}	($inout0,$rndkey1)";
291	eval"&aes${p}	($inout1,$rndkey1)";
292	eval"&aes${p}	($inout2,$rndkey1)";
293	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
294	&add		($rounds,32);
295	eval"&aes${p}	($inout0,$rndkey0)";
296	eval"&aes${p}	($inout1,$rndkey0)";
297	eval"&aes${p}	($inout2,$rndkey0)";
298	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
299	&jnz		(&label("${p}3_loop"));
300    eval"&aes${p}	($inout0,$rndkey1)";
301    eval"&aes${p}	($inout1,$rndkey1)";
302    eval"&aes${p}	($inout2,$rndkey1)";
303    eval"&aes${p}last	($inout0,$rndkey0)";
304    eval"&aes${p}last	($inout1,$rndkey0)";
305    eval"&aes${p}last	($inout2,$rndkey0)";
306    &ret();
307    &function_end_B("_aesni_${p}rypt3");
308}
309
310# 4x interleave is implemented to improve small block performance,
311# most notably [and naturally] 4 block by ~30%. One can argue that one
312# should have implemented 5x as well, but improvement  would be <20%,
313# so it's not worth it...
314sub aesni_generate4
315{ my $p=shift;
316
317    &function_begin_B("_aesni_${p}rypt4");
318	&$movekey	($rndkey0,&QWP(0,$key));
319	&$movekey	($rndkey1,&QWP(16,$key));
320	&shl		($rounds,4);
321	&xorps		($inout0,$rndkey0);
322	&pxor		($inout1,$rndkey0);
323	&pxor		($inout2,$rndkey0);
324	&pxor		($inout3,$rndkey0);
325	&$movekey	($rndkey0,&QWP(32,$key));
326	&lea		($key,&DWP(32,$key,$rounds));
327	&neg		($rounds);
328	&data_byte	(0x0f,0x1f,0x40,0x00);
329	&add		($rounds,16);
330
331    &set_label("${p}4_loop");
332	eval"&aes${p}	($inout0,$rndkey1)";
333	eval"&aes${p}	($inout1,$rndkey1)";
334	eval"&aes${p}	($inout2,$rndkey1)";
335	eval"&aes${p}	($inout3,$rndkey1)";
336	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
337	&add		($rounds,32);
338	eval"&aes${p}	($inout0,$rndkey0)";
339	eval"&aes${p}	($inout1,$rndkey0)";
340	eval"&aes${p}	($inout2,$rndkey0)";
341	eval"&aes${p}	($inout3,$rndkey0)";
342	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
343    &jnz		(&label("${p}4_loop"));
344
345    eval"&aes${p}	($inout0,$rndkey1)";
346    eval"&aes${p}	($inout1,$rndkey1)";
347    eval"&aes${p}	($inout2,$rndkey1)";
348    eval"&aes${p}	($inout3,$rndkey1)";
349    eval"&aes${p}last	($inout0,$rndkey0)";
350    eval"&aes${p}last	($inout1,$rndkey0)";
351    eval"&aes${p}last	($inout2,$rndkey0)";
352    eval"&aes${p}last	($inout3,$rndkey0)";
353    &ret();
354    &function_end_B("_aesni_${p}rypt4");
355}
356
357sub aesni_generate6
358{ my $p=shift;
359
360    &function_begin_B("_aesni_${p}rypt6");
361    &static_label("_aesni_${p}rypt6_enter");
362	&$movekey	($rndkey0,&QWP(0,$key));
363	&shl		($rounds,4);
364	&$movekey	($rndkey1,&QWP(16,$key));
365	&xorps		($inout0,$rndkey0);
366	&pxor		($inout1,$rndkey0);	# pxor does better here
367	&pxor		($inout2,$rndkey0);
368	eval"&aes${p}	($inout0,$rndkey1)";
369	&pxor		($inout3,$rndkey0);
370	&pxor		($inout4,$rndkey0);
371	eval"&aes${p}	($inout1,$rndkey1)";
372	&lea		($key,&DWP(32,$key,$rounds));
373	&neg		($rounds);
374	eval"&aes${p}	($inout2,$rndkey1)";
375	&pxor		($inout5,$rndkey0);
376	&$movekey	($rndkey0,&QWP(0,$key,$rounds));
377	&add		($rounds,16);
378	&jmp		(&label("_aesni_${p}rypt6_inner"));
379
380    &set_label("${p}6_loop",16);
381	eval"&aes${p}	($inout0,$rndkey1)";
382	eval"&aes${p}	($inout1,$rndkey1)";
383	eval"&aes${p}	($inout2,$rndkey1)";
384    &set_label("_aesni_${p}rypt6_inner");
385	eval"&aes${p}	($inout3,$rndkey1)";
386	eval"&aes${p}	($inout4,$rndkey1)";
387	eval"&aes${p}	($inout5,$rndkey1)";
388    &set_label("_aesni_${p}rypt6_enter");
389	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
390	&add		($rounds,32);
391	eval"&aes${p}	($inout0,$rndkey0)";
392	eval"&aes${p}	($inout1,$rndkey0)";
393	eval"&aes${p}	($inout2,$rndkey0)";
394	eval"&aes${p}	($inout3,$rndkey0)";
395	eval"&aes${p}	($inout4,$rndkey0)";
396	eval"&aes${p}	($inout5,$rndkey0)";
397	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
398    &jnz		(&label("${p}6_loop"));
399
400    eval"&aes${p}	($inout0,$rndkey1)";
401    eval"&aes${p}	($inout1,$rndkey1)";
402    eval"&aes${p}	($inout2,$rndkey1)";
403    eval"&aes${p}	($inout3,$rndkey1)";
404    eval"&aes${p}	($inout4,$rndkey1)";
405    eval"&aes${p}	($inout5,$rndkey1)";
406    eval"&aes${p}last	($inout0,$rndkey0)";
407    eval"&aes${p}last	($inout1,$rndkey0)";
408    eval"&aes${p}last	($inout2,$rndkey0)";
409    eval"&aes${p}last	($inout3,$rndkey0)";
410    eval"&aes${p}last	($inout4,$rndkey0)";
411    eval"&aes${p}last	($inout5,$rndkey0)";
412    &ret();
413    &function_end_B("_aesni_${p}rypt6");
414}
415&aesni_generate2("enc") if ($PREFIX eq "aesni");
416&aesni_generate2("dec");
417&aesni_generate3("enc") if ($PREFIX eq "aesni");
418&aesni_generate3("dec");
419&aesni_generate4("enc") if ($PREFIX eq "aesni");
420&aesni_generate4("dec");
421&aesni_generate6("enc") if ($PREFIX eq "aesni");
422&aesni_generate6("dec");
423
424if ($PREFIX eq "aesni") {
425######################################################################
426# void aesni_ecb_encrypt (const void *in, void *out,
427#                         size_t length, const AES_KEY *key,
428#                         int enc);
429&function_begin("aesni_ecb_encrypt");
430	&mov	($inp,&wparam(0));
431	&mov	($out,&wparam(1));
432	&mov	($len,&wparam(2));
433	&mov	($key,&wparam(3));
434	&mov	($rounds_,&wparam(4));
435	&and	($len,-16);
436	&jz	(&label("ecb_ret"));
437	&mov	($rounds,&DWP(240,$key));
438	&test	($rounds_,$rounds_);
439	&jz	(&label("ecb_decrypt"));
440
441	&mov	($key_,$key);		# backup $key
442	&mov	($rounds_,$rounds);	# backup $rounds
443	&cmp	($len,0x60);
444	&jb	(&label("ecb_enc_tail"));
445
446	&movdqu	($inout0,&QWP(0,$inp));
447	&movdqu	($inout1,&QWP(0x10,$inp));
448	&movdqu	($inout2,&QWP(0x20,$inp));
449	&movdqu	($inout3,&QWP(0x30,$inp));
450	&movdqu	($inout4,&QWP(0x40,$inp));
451	&movdqu	($inout5,&QWP(0x50,$inp));
452	&lea	($inp,&DWP(0x60,$inp));
453	&sub	($len,0x60);
454	&jmp	(&label("ecb_enc_loop6_enter"));
455
456&set_label("ecb_enc_loop6",16);
457	&movups	(&QWP(0,$out),$inout0);
458	&movdqu	($inout0,&QWP(0,$inp));
459	&movups	(&QWP(0x10,$out),$inout1);
460	&movdqu	($inout1,&QWP(0x10,$inp));
461	&movups	(&QWP(0x20,$out),$inout2);
462	&movdqu	($inout2,&QWP(0x20,$inp));
463	&movups	(&QWP(0x30,$out),$inout3);
464	&movdqu	($inout3,&QWP(0x30,$inp));
465	&movups	(&QWP(0x40,$out),$inout4);
466	&movdqu	($inout4,&QWP(0x40,$inp));
467	&movups	(&QWP(0x50,$out),$inout5);
468	&lea	($out,&DWP(0x60,$out));
469	&movdqu	($inout5,&QWP(0x50,$inp));
470	&lea	($inp,&DWP(0x60,$inp));
471&set_label("ecb_enc_loop6_enter");
472
473	&call	("_aesni_encrypt6");
474
475	&mov	($key,$key_);		# restore $key
476	&mov	($rounds,$rounds_);	# restore $rounds
477	&sub	($len,0x60);
478	&jnc	(&label("ecb_enc_loop6"));
479
480	&movups	(&QWP(0,$out),$inout0);
481	&movups	(&QWP(0x10,$out),$inout1);
482	&movups	(&QWP(0x20,$out),$inout2);
483	&movups	(&QWP(0x30,$out),$inout3);
484	&movups	(&QWP(0x40,$out),$inout4);
485	&movups	(&QWP(0x50,$out),$inout5);
486	&lea	($out,&DWP(0x60,$out));
487	&add	($len,0x60);
488	&jz	(&label("ecb_ret"));
489
490&set_label("ecb_enc_tail");
491	&movups	($inout0,&QWP(0,$inp));
492	&cmp	($len,0x20);
493	&jb	(&label("ecb_enc_one"));
494	&movups	($inout1,&QWP(0x10,$inp));
495	&je	(&label("ecb_enc_two"));
496	&movups	($inout2,&QWP(0x20,$inp));
497	&cmp	($len,0x40);
498	&jb	(&label("ecb_enc_three"));
499	&movups	($inout3,&QWP(0x30,$inp));
500	&je	(&label("ecb_enc_four"));
501	&movups	($inout4,&QWP(0x40,$inp));
502	&xorps	($inout5,$inout5);
503	&call	("_aesni_encrypt6");
504	&movups	(&QWP(0,$out),$inout0);
505	&movups	(&QWP(0x10,$out),$inout1);
506	&movups	(&QWP(0x20,$out),$inout2);
507	&movups	(&QWP(0x30,$out),$inout3);
508	&movups	(&QWP(0x40,$out),$inout4);
509	jmp	(&label("ecb_ret"));
510
511&set_label("ecb_enc_one",16);
512	if ($inline)
513	{   &aesni_inline_generate1("enc");	}
514	else
515	{   &call	("_aesni_encrypt1");	}
516	&movups	(&QWP(0,$out),$inout0);
517	&jmp	(&label("ecb_ret"));
518
519&set_label("ecb_enc_two",16);
520	&call	("_aesni_encrypt2");
521	&movups	(&QWP(0,$out),$inout0);
522	&movups	(&QWP(0x10,$out),$inout1);
523	&jmp	(&label("ecb_ret"));
524
525&set_label("ecb_enc_three",16);
526	&call	("_aesni_encrypt3");
527	&movups	(&QWP(0,$out),$inout0);
528	&movups	(&QWP(0x10,$out),$inout1);
529	&movups	(&QWP(0x20,$out),$inout2);
530	&jmp	(&label("ecb_ret"));
531
532&set_label("ecb_enc_four",16);
533	&call	("_aesni_encrypt4");
534	&movups	(&QWP(0,$out),$inout0);
535	&movups	(&QWP(0x10,$out),$inout1);
536	&movups	(&QWP(0x20,$out),$inout2);
537	&movups	(&QWP(0x30,$out),$inout3);
538	&jmp	(&label("ecb_ret"));
539######################################################################
540&set_label("ecb_decrypt",16);
541	&mov	($key_,$key);		# backup $key
542	&mov	($rounds_,$rounds);	# backup $rounds
543	&cmp	($len,0x60);
544	&jb	(&label("ecb_dec_tail"));
545
546	&movdqu	($inout0,&QWP(0,$inp));
547	&movdqu	($inout1,&QWP(0x10,$inp));
548	&movdqu	($inout2,&QWP(0x20,$inp));
549	&movdqu	($inout3,&QWP(0x30,$inp));
550	&movdqu	($inout4,&QWP(0x40,$inp));
551	&movdqu	($inout5,&QWP(0x50,$inp));
552	&lea	($inp,&DWP(0x60,$inp));
553	&sub	($len,0x60);
554	&jmp	(&label("ecb_dec_loop6_enter"));
555
556&set_label("ecb_dec_loop6",16);
557	&movups	(&QWP(0,$out),$inout0);
558	&movdqu	($inout0,&QWP(0,$inp));
559	&movups	(&QWP(0x10,$out),$inout1);
560	&movdqu	($inout1,&QWP(0x10,$inp));
561	&movups	(&QWP(0x20,$out),$inout2);
562	&movdqu	($inout2,&QWP(0x20,$inp));
563	&movups	(&QWP(0x30,$out),$inout3);
564	&movdqu	($inout3,&QWP(0x30,$inp));
565	&movups	(&QWP(0x40,$out),$inout4);
566	&movdqu	($inout4,&QWP(0x40,$inp));
567	&movups	(&QWP(0x50,$out),$inout5);
568	&lea	($out,&DWP(0x60,$out));
569	&movdqu	($inout5,&QWP(0x50,$inp));
570	&lea	($inp,&DWP(0x60,$inp));
571&set_label("ecb_dec_loop6_enter");
572
573	&call	("_aesni_decrypt6");
574
575	&mov	($key,$key_);		# restore $key
576	&mov	($rounds,$rounds_);	# restore $rounds
577	&sub	($len,0x60);
578	&jnc	(&label("ecb_dec_loop6"));
579
580	&movups	(&QWP(0,$out),$inout0);
581	&movups	(&QWP(0x10,$out),$inout1);
582	&movups	(&QWP(0x20,$out),$inout2);
583	&movups	(&QWP(0x30,$out),$inout3);
584	&movups	(&QWP(0x40,$out),$inout4);
585	&movups	(&QWP(0x50,$out),$inout5);
586	&lea	($out,&DWP(0x60,$out));
587	&add	($len,0x60);
588	&jz	(&label("ecb_ret"));
589
590&set_label("ecb_dec_tail");
591	&movups	($inout0,&QWP(0,$inp));
592	&cmp	($len,0x20);
593	&jb	(&label("ecb_dec_one"));
594	&movups	($inout1,&QWP(0x10,$inp));
595	&je	(&label("ecb_dec_two"));
596	&movups	($inout2,&QWP(0x20,$inp));
597	&cmp	($len,0x40);
598	&jb	(&label("ecb_dec_three"));
599	&movups	($inout3,&QWP(0x30,$inp));
600	&je	(&label("ecb_dec_four"));
601	&movups	($inout4,&QWP(0x40,$inp));
602	&xorps	($inout5,$inout5);
603	&call	("_aesni_decrypt6");
604	&movups	(&QWP(0,$out),$inout0);
605	&movups	(&QWP(0x10,$out),$inout1);
606	&movups	(&QWP(0x20,$out),$inout2);
607	&movups	(&QWP(0x30,$out),$inout3);
608	&movups	(&QWP(0x40,$out),$inout4);
609	&jmp	(&label("ecb_ret"));
610
611&set_label("ecb_dec_one",16);
612	if ($inline)
613	{   &aesni_inline_generate1("dec");	}
614	else
615	{   &call	("_aesni_decrypt1");	}
616	&movups	(&QWP(0,$out),$inout0);
617	&jmp	(&label("ecb_ret"));
618
619&set_label("ecb_dec_two",16);
620	&call	("_aesni_decrypt2");
621	&movups	(&QWP(0,$out),$inout0);
622	&movups	(&QWP(0x10,$out),$inout1);
623	&jmp	(&label("ecb_ret"));
624
625&set_label("ecb_dec_three",16);
626	&call	("_aesni_decrypt3");
627	&movups	(&QWP(0,$out),$inout0);
628	&movups	(&QWP(0x10,$out),$inout1);
629	&movups	(&QWP(0x20,$out),$inout2);
630	&jmp	(&label("ecb_ret"));
631
632&set_label("ecb_dec_four",16);
633	&call	("_aesni_decrypt4");
634	&movups	(&QWP(0,$out),$inout0);
635	&movups	(&QWP(0x10,$out),$inout1);
636	&movups	(&QWP(0x20,$out),$inout2);
637	&movups	(&QWP(0x30,$out),$inout3);
638
639&set_label("ecb_ret");
640	&pxor	("xmm0","xmm0");		# clear register bank
641	&pxor	("xmm1","xmm1");
642	&pxor	("xmm2","xmm2");
643	&pxor	("xmm3","xmm3");
644	&pxor	("xmm4","xmm4");
645	&pxor	("xmm5","xmm5");
646	&pxor	("xmm6","xmm6");
647	&pxor	("xmm7","xmm7");
648&function_end("aesni_ecb_encrypt");
649
650######################################################################
651# void aesni_ccm64_[en|de]crypt_blocks (const void *in, void *out,
652#                         size_t blocks, const AES_KEY *key,
653#                         const char *ivec,char *cmac);
654#
655# Handles only complete blocks, operates on 64-bit counter and
656# does not update *ivec! Nor does it finalize CMAC value
657# (see engine/eng_aesni.c for details)
658#
659{ my $cmac=$inout1;
660&function_begin("aesni_ccm64_encrypt_blocks");
661	&mov	($inp,&wparam(0));
662	&mov	($out,&wparam(1));
663	&mov	($len,&wparam(2));
664	&mov	($key,&wparam(3));
665	&mov	($rounds_,&wparam(4));
666	&mov	($rounds,&wparam(5));
667	&mov	($key_,"esp");
668	&sub	("esp",60);
669	&and	("esp",-16);			# align stack
670	&mov	(&DWP(48,"esp"),$key_);
671
672	&movdqu	($ivec,&QWP(0,$rounds_));	# load ivec
673	&movdqu	($cmac,&QWP(0,$rounds));	# load cmac
674	&mov	($rounds,&DWP(240,$key));
675
676	# compose byte-swap control mask for pshufb on stack
677	&mov	(&DWP(0,"esp"),0x0c0d0e0f);
678	&mov	(&DWP(4,"esp"),0x08090a0b);
679	&mov	(&DWP(8,"esp"),0x04050607);
680	&mov	(&DWP(12,"esp"),0x00010203);
681
682	# compose counter increment vector on stack
683	&mov	($rounds_,1);
684	&xor	($key_,$key_);
685	&mov	(&DWP(16,"esp"),$rounds_);
686	&mov	(&DWP(20,"esp"),$key_);
687	&mov	(&DWP(24,"esp"),$key_);
688	&mov	(&DWP(28,"esp"),$key_);
689
690	&shl	($rounds,4);
691	&mov	($rounds_,16);
692	&lea	($key_,&DWP(0,$key));
693	&movdqa	($inout3,&QWP(0,"esp"));
694	&movdqa	($inout0,$ivec);
695	&lea	($key,&DWP(32,$key,$rounds));
696	&sub	($rounds_,$rounds);
697	&pshufb	($ivec,$inout3);
698
699&set_label("ccm64_enc_outer");
700	&$movekey	($rndkey0,&QWP(0,$key_));
701	&mov		($rounds,$rounds_);
702	&movups		($in0,&QWP(0,$inp));
703
704	&xorps		($inout0,$rndkey0);
705	&$movekey	($rndkey1,&QWP(16,$key_));
706	&xorps		($rndkey0,$in0);
707	&xorps		($cmac,$rndkey0);		# cmac^=inp
708	&$movekey	($rndkey0,&QWP(32,$key_));
709
710&set_label("ccm64_enc2_loop");
711	&aesenc		($inout0,$rndkey1);
712	&aesenc		($cmac,$rndkey1);
713	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
714	&add		($rounds,32);
715	&aesenc		($inout0,$rndkey0);
716	&aesenc		($cmac,$rndkey0);
717	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
718	&jnz		(&label("ccm64_enc2_loop"));
719	&aesenc		($inout0,$rndkey1);
720	&aesenc		($cmac,$rndkey1);
721	&paddq		($ivec,&QWP(16,"esp"));
722	&dec		($len);
723	&aesenclast	($inout0,$rndkey0);
724	&aesenclast	($cmac,$rndkey0);
725
726	&lea	($inp,&DWP(16,$inp));
727	&xorps	($in0,$inout0);			# inp^=E(ivec)
728	&movdqa	($inout0,$ivec);
729	&movups	(&QWP(0,$out),$in0);		# save output
730	&pshufb	($inout0,$inout3);
731	&lea	($out,&DWP(16,$out));
732	&jnz	(&label("ccm64_enc_outer"));
733
734	&mov	("esp",&DWP(48,"esp"));
735	&mov	($out,&wparam(5));
736	&movups	(&QWP(0,$out),$cmac);
737
738	&pxor	("xmm0","xmm0");		# clear register bank
739	&pxor	("xmm1","xmm1");
740	&pxor	("xmm2","xmm2");
741	&pxor	("xmm3","xmm3");
742	&pxor	("xmm4","xmm4");
743	&pxor	("xmm5","xmm5");
744	&pxor	("xmm6","xmm6");
745	&pxor	("xmm7","xmm7");
746&function_end("aesni_ccm64_encrypt_blocks");
747
748&function_begin("aesni_ccm64_decrypt_blocks");
749	&mov	($inp,&wparam(0));
750	&mov	($out,&wparam(1));
751	&mov	($len,&wparam(2));
752	&mov	($key,&wparam(3));
753	&mov	($rounds_,&wparam(4));
754	&mov	($rounds,&wparam(5));
755	&mov	($key_,"esp");
756	&sub	("esp",60);
757	&and	("esp",-16);			# align stack
758	&mov	(&DWP(48,"esp"),$key_);
759
760	&movdqu	($ivec,&QWP(0,$rounds_));	# load ivec
761	&movdqu	($cmac,&QWP(0,$rounds));	# load cmac
762	&mov	($rounds,&DWP(240,$key));
763
764	# compose byte-swap control mask for pshufb on stack
765	&mov	(&DWP(0,"esp"),0x0c0d0e0f);
766	&mov	(&DWP(4,"esp"),0x08090a0b);
767	&mov	(&DWP(8,"esp"),0x04050607);
768	&mov	(&DWP(12,"esp"),0x00010203);
769
770	# compose counter increment vector on stack
771	&mov	($rounds_,1);
772	&xor	($key_,$key_);
773	&mov	(&DWP(16,"esp"),$rounds_);
774	&mov	(&DWP(20,"esp"),$key_);
775	&mov	(&DWP(24,"esp"),$key_);
776	&mov	(&DWP(28,"esp"),$key_);
777
778	&movdqa	($inout3,&QWP(0,"esp"));	# bswap mask
779	&movdqa	($inout0,$ivec);
780
781	&mov	($key_,$key);
782	&mov	($rounds_,$rounds);
783
784	&pshufb	($ivec,$inout3);
785	if ($inline)
786	{   &aesni_inline_generate1("enc");	}
787	else
788	{   &call	("_aesni_encrypt1");	}
789	&shl	($rounds_,4);
790	&mov	($rounds,16);
791	&movups	($in0,&QWP(0,$inp));		# load inp
792	&paddq	($ivec,&QWP(16,"esp"));
793	&lea	($inp,&QWP(16,$inp));
794	&sub	($rounds,$rounds_);
795	&lea	($key,&DWP(32,$key_,$rounds_));
796	&mov	($rounds_,$rounds);
797	&jmp	(&label("ccm64_dec_outer"));
798
799&set_label("ccm64_dec_outer",16);
800	&xorps	($in0,$inout0);			# inp ^= E(ivec)
801	&movdqa	($inout0,$ivec);
802	&movups	(&QWP(0,$out),$in0);		# save output
803	&lea	($out,&DWP(16,$out));
804	&pshufb	($inout0,$inout3);
805
806	&sub	($len,1);
807	&jz	(&label("ccm64_dec_break"));
808
809	&$movekey	($rndkey0,&QWP(0,$key_));
810	&mov		($rounds,$rounds_);
811	&$movekey	($rndkey1,&QWP(16,$key_));
812	&xorps		($in0,$rndkey0);
813	&xorps		($inout0,$rndkey0);
814	&xorps		($cmac,$in0);		# cmac^=out
815	&$movekey	($rndkey0,&QWP(32,$key_));
816
817&set_label("ccm64_dec2_loop");
818	&aesenc		($inout0,$rndkey1);
819	&aesenc		($cmac,$rndkey1);
820	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
821	&add		($rounds,32);
822	&aesenc		($inout0,$rndkey0);
823	&aesenc		($cmac,$rndkey0);
824	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
825	&jnz		(&label("ccm64_dec2_loop"));
826	&movups		($in0,&QWP(0,$inp));	# load inp
827	&paddq		($ivec,&QWP(16,"esp"));
828	&aesenc		($inout0,$rndkey1);
829	&aesenc		($cmac,$rndkey1);
830	&aesenclast	($inout0,$rndkey0);
831	&aesenclast	($cmac,$rndkey0);
832	&lea		($inp,&QWP(16,$inp));
833	&jmp	(&label("ccm64_dec_outer"));
834
835&set_label("ccm64_dec_break",16);
836	&mov	($rounds,&DWP(240,$key_));
837	&mov	($key,$key_);
838	if ($inline)
839	{   &aesni_inline_generate1("enc",$cmac,$in0);	}
840	else
841	{   &call	("_aesni_encrypt1",$cmac);	}
842
843	&mov	("esp",&DWP(48,"esp"));
844	&mov	($out,&wparam(5));
845	&movups	(&QWP(0,$out),$cmac);
846
847	&pxor	("xmm0","xmm0");		# clear register bank
848	&pxor	("xmm1","xmm1");
849	&pxor	("xmm2","xmm2");
850	&pxor	("xmm3","xmm3");
851	&pxor	("xmm4","xmm4");
852	&pxor	("xmm5","xmm5");
853	&pxor	("xmm6","xmm6");
854	&pxor	("xmm7","xmm7");
855&function_end("aesni_ccm64_decrypt_blocks");
856}
857
858######################################################################
859# void aesni_ctr32_encrypt_blocks (const void *in, void *out,
860#                         size_t blocks, const AES_KEY *key,
861#                         const char *ivec);
862#
863# Handles only complete blocks, operates on 32-bit counter and
864# does not update *ivec! (see crypto/modes/ctr128.c for details)
865#
866# stack layout:
867#	0	pshufb mask
868#	16	vector addend: 0,6,6,6
869# 	32	counter-less ivec
870#	48	1st triplet of counter vector
871#	64	2nd triplet of counter vector
872#	80	saved %esp
873
874&function_begin("aesni_ctr32_encrypt_blocks");
875	&mov	($inp,&wparam(0));
876	&mov	($out,&wparam(1));
877	&mov	($len,&wparam(2));
878	&mov	($key,&wparam(3));
879	&mov	($rounds_,&wparam(4));
880	&mov	($key_,"esp");
881	&sub	("esp",88);
882	&and	("esp",-16);			# align stack
883	&mov	(&DWP(80,"esp"),$key_);
884
885	&cmp	($len,1);
886	&je	(&label("ctr32_one_shortcut"));
887
888	&movdqu	($inout5,&QWP(0,$rounds_));	# load ivec
889
890	# compose byte-swap control mask for pshufb on stack
891	&mov	(&DWP(0,"esp"),0x0c0d0e0f);
892	&mov	(&DWP(4,"esp"),0x08090a0b);
893	&mov	(&DWP(8,"esp"),0x04050607);
894	&mov	(&DWP(12,"esp"),0x00010203);
895
896	# compose counter increment vector on stack
897	&mov	($rounds,6);
898	&xor	($key_,$key_);
899	&mov	(&DWP(16,"esp"),$rounds);
900	&mov	(&DWP(20,"esp"),$rounds);
901	&mov	(&DWP(24,"esp"),$rounds);
902	&mov	(&DWP(28,"esp"),$key_);
903
904	&pextrd	($rounds_,$inout5,3);		# pull 32-bit counter
905	&pinsrd	($inout5,$key_,3);		# wipe 32-bit counter
906
907	&mov	($rounds,&DWP(240,$key));	# key->rounds
908
909	# compose 2 vectors of 3x32-bit counters
910	&bswap	($rounds_);
911	&pxor	($rndkey0,$rndkey0);
912	&pxor	($rndkey1,$rndkey1);
913	&movdqa	($inout0,&QWP(0,"esp"));	# load byte-swap mask
914	&pinsrd	($rndkey0,$rounds_,0);
915	&lea	($key_,&DWP(3,$rounds_));
916	&pinsrd	($rndkey1,$key_,0);
917	&inc	($rounds_);
918	&pinsrd	($rndkey0,$rounds_,1);
919	&inc	($key_);
920	&pinsrd	($rndkey1,$key_,1);
921	&inc	($rounds_);
922	&pinsrd	($rndkey0,$rounds_,2);
923	&inc	($key_);
924	&pinsrd	($rndkey1,$key_,2);
925	&movdqa	(&QWP(48,"esp"),$rndkey0);	# save 1st triplet
926	&pshufb	($rndkey0,$inout0);		# byte swap
927	&movdqu	($inout4,&QWP(0,$key));		# key[0]
928	&movdqa	(&QWP(64,"esp"),$rndkey1);	# save 2nd triplet
929	&pshufb	($rndkey1,$inout0);		# byte swap
930
931	&pshufd	($inout0,$rndkey0,3<<6);	# place counter to upper dword
932	&pshufd	($inout1,$rndkey0,2<<6);
933	&cmp	($len,6);
934	&jb	(&label("ctr32_tail"));
935	&pxor	($inout5,$inout4);		# counter-less ivec^key[0]
936	&shl	($rounds,4);
937	&mov	($rounds_,16);
938	&movdqa	(&QWP(32,"esp"),$inout5);	# save counter-less ivec^key[0]
939	&mov	($key_,$key);			# backup $key
940	&sub	($rounds_,$rounds);		# backup twisted $rounds
941	&lea	($key,&DWP(32,$key,$rounds));
942	&sub	($len,6);
943	&jmp	(&label("ctr32_loop6"));
944
945&set_label("ctr32_loop6",16);
946	# inlining _aesni_encrypt6's prologue gives ~6% improvement...
947	&pshufd	($inout2,$rndkey0,1<<6);
948	&movdqa	($rndkey0,&QWP(32,"esp"));	# pull counter-less ivec
949	&pshufd	($inout3,$rndkey1,3<<6);
950	&pxor		($inout0,$rndkey0);	# merge counter-less ivec
951	&pshufd	($inout4,$rndkey1,2<<6);
952	&pxor		($inout1,$rndkey0);
953	&pshufd	($inout5,$rndkey1,1<<6);
954	&$movekey	($rndkey1,&QWP(16,$key_));
955	&pxor		($inout2,$rndkey0);
956	&pxor		($inout3,$rndkey0);
957	&aesenc		($inout0,$rndkey1);
958	&pxor		($inout4,$rndkey0);
959	&pxor		($inout5,$rndkey0);
960	&aesenc		($inout1,$rndkey1);
961	&$movekey	($rndkey0,&QWP(32,$key_));
962	&mov		($rounds,$rounds_);
963	&aesenc		($inout2,$rndkey1);
964	&aesenc		($inout3,$rndkey1);
965	&aesenc		($inout4,$rndkey1);
966	&aesenc		($inout5,$rndkey1);
967
968	&call		(&label("_aesni_encrypt6_enter"));
969
970	&movups	($rndkey1,&QWP(0,$inp));
971	&movups	($rndkey0,&QWP(0x10,$inp));
972	&xorps	($inout0,$rndkey1);
973	&movups	($rndkey1,&QWP(0x20,$inp));
974	&xorps	($inout1,$rndkey0);
975	&movups	(&QWP(0,$out),$inout0);
976	&movdqa	($rndkey0,&QWP(16,"esp"));	# load increment
977	&xorps	($inout2,$rndkey1);
978	&movdqa	($rndkey1,&QWP(64,"esp"));	# load 2nd triplet
979	&movups	(&QWP(0x10,$out),$inout1);
980	&movups	(&QWP(0x20,$out),$inout2);
981
982	&paddd	($rndkey1,$rndkey0);		# 2nd triplet increment
983	&paddd	($rndkey0,&QWP(48,"esp"));	# 1st triplet increment
984	&movdqa	($inout0,&QWP(0,"esp"));	# load byte swap mask
985
986	&movups	($inout1,&QWP(0x30,$inp));
987	&movups	($inout2,&QWP(0x40,$inp));
988	&xorps	($inout3,$inout1);
989	&movups	($inout1,&QWP(0x50,$inp));
990	&lea	($inp,&DWP(0x60,$inp));
991	&movdqa	(&QWP(48,"esp"),$rndkey0);	# save 1st triplet
992	&pshufb	($rndkey0,$inout0);		# byte swap
993	&xorps	($inout4,$inout2);
994	&movups	(&QWP(0x30,$out),$inout3);
995	&xorps	($inout5,$inout1);
996	&movdqa	(&QWP(64,"esp"),$rndkey1);	# save 2nd triplet
997	&pshufb	($rndkey1,$inout0);		# byte swap
998	&movups	(&QWP(0x40,$out),$inout4);
999	&pshufd	($inout0,$rndkey0,3<<6);
1000	&movups	(&QWP(0x50,$out),$inout5);
1001	&lea	($out,&DWP(0x60,$out));
1002
1003	&pshufd	($inout1,$rndkey0,2<<6);
1004	&sub	($len,6);
1005	&jnc	(&label("ctr32_loop6"));
1006
1007	&add	($len,6);
1008	&jz	(&label("ctr32_ret"));
1009	&movdqu	($inout5,&QWP(0,$key_));
1010	&mov	($key,$key_);
1011	&pxor	($inout5,&QWP(32,"esp"));	# restore count-less ivec
1012	&mov	($rounds,&DWP(240,$key_));	# restore $rounds
1013
1014&set_label("ctr32_tail");
1015	&por	($inout0,$inout5);
1016	&cmp	($len,2);
1017	&jb	(&label("ctr32_one"));
1018
1019	&pshufd	($inout2,$rndkey0,1<<6);
1020	&por	($inout1,$inout5);
1021	&je	(&label("ctr32_two"));
1022
1023	&pshufd	($inout3,$rndkey1,3<<6);
1024	&por	($inout2,$inout5);
1025	&cmp	($len,4);
1026	&jb	(&label("ctr32_three"));
1027
1028	&pshufd	($inout4,$rndkey1,2<<6);
1029	&por	($inout3,$inout5);
1030	&je	(&label("ctr32_four"));
1031
1032	&por	($inout4,$inout5);
1033	&call	("_aesni_encrypt6");
1034	&movups	($rndkey1,&QWP(0,$inp));
1035	&movups	($rndkey0,&QWP(0x10,$inp));
1036	&xorps	($inout0,$rndkey1);
1037	&movups	($rndkey1,&QWP(0x20,$inp));
1038	&xorps	($inout1,$rndkey0);
1039	&movups	($rndkey0,&QWP(0x30,$inp));
1040	&xorps	($inout2,$rndkey1);
1041	&movups	($rndkey1,&QWP(0x40,$inp));
1042	&xorps	($inout3,$rndkey0);
1043	&movups	(&QWP(0,$out),$inout0);
1044	&xorps	($inout4,$rndkey1);
1045	&movups	(&QWP(0x10,$out),$inout1);
1046	&movups	(&QWP(0x20,$out),$inout2);
1047	&movups	(&QWP(0x30,$out),$inout3);
1048	&movups	(&QWP(0x40,$out),$inout4);
1049	&jmp	(&label("ctr32_ret"));
1050
1051&set_label("ctr32_one_shortcut",16);
1052	&movups	($inout0,&QWP(0,$rounds_));	# load ivec
1053	&mov	($rounds,&DWP(240,$key));
1054
1055&set_label("ctr32_one");
1056	if ($inline)
1057	{   &aesni_inline_generate1("enc");	}
1058	else
1059	{   &call	("_aesni_encrypt1");	}
1060	&movups	($in0,&QWP(0,$inp));
1061	&xorps	($in0,$inout0);
1062	&movups	(&QWP(0,$out),$in0);
1063	&jmp	(&label("ctr32_ret"));
1064
1065&set_label("ctr32_two",16);
1066	&call	("_aesni_encrypt2");
1067	&movups	($inout3,&QWP(0,$inp));
1068	&movups	($inout4,&QWP(0x10,$inp));
1069	&xorps	($inout0,$inout3);
1070	&xorps	($inout1,$inout4);
1071	&movups	(&QWP(0,$out),$inout0);
1072	&movups	(&QWP(0x10,$out),$inout1);
1073	&jmp	(&label("ctr32_ret"));
1074
1075&set_label("ctr32_three",16);
1076	&call	("_aesni_encrypt3");
1077	&movups	($inout3,&QWP(0,$inp));
1078	&movups	($inout4,&QWP(0x10,$inp));
1079	&xorps	($inout0,$inout3);
1080	&movups	($inout5,&QWP(0x20,$inp));
1081	&xorps	($inout1,$inout4);
1082	&movups	(&QWP(0,$out),$inout0);
1083	&xorps	($inout2,$inout5);
1084	&movups	(&QWP(0x10,$out),$inout1);
1085	&movups	(&QWP(0x20,$out),$inout2);
1086	&jmp	(&label("ctr32_ret"));
1087
1088&set_label("ctr32_four",16);
1089	&call	("_aesni_encrypt4");
1090	&movups	($inout4,&QWP(0,$inp));
1091	&movups	($inout5,&QWP(0x10,$inp));
1092	&movups	($rndkey1,&QWP(0x20,$inp));
1093	&xorps	($inout0,$inout4);
1094	&movups	($rndkey0,&QWP(0x30,$inp));
1095	&xorps	($inout1,$inout5);
1096	&movups	(&QWP(0,$out),$inout0);
1097	&xorps	($inout2,$rndkey1);
1098	&movups	(&QWP(0x10,$out),$inout1);
1099	&xorps	($inout3,$rndkey0);
1100	&movups	(&QWP(0x20,$out),$inout2);
1101	&movups	(&QWP(0x30,$out),$inout3);
1102
1103&set_label("ctr32_ret");
1104	&pxor	("xmm0","xmm0");		# clear register bank
1105	&pxor	("xmm1","xmm1");
1106	&pxor	("xmm2","xmm2");
1107	&pxor	("xmm3","xmm3");
1108	&pxor	("xmm4","xmm4");
1109	&movdqa	(&QWP(32,"esp"),"xmm0");	# clear stack
1110	&pxor	("xmm5","xmm5");
1111	&movdqa	(&QWP(48,"esp"),"xmm0");
1112	&pxor	("xmm6","xmm6");
1113	&movdqa	(&QWP(64,"esp"),"xmm0");
1114	&pxor	("xmm7","xmm7");
1115	&mov	("esp",&DWP(80,"esp"));
1116&function_end("aesni_ctr32_encrypt_blocks");
1117
1118######################################################################
1119# void aesni_xts_[en|de]crypt(const char *inp,char *out,size_t len,
1120#	const AES_KEY *key1, const AES_KEY *key2
1121#	const unsigned char iv[16]);
1122#
1123{ my ($tweak,$twtmp,$twres,$twmask)=($rndkey1,$rndkey0,$inout0,$inout1);
1124
1125&function_begin("aesni_xts_encrypt");
1126	&mov	($key,&wparam(4));		# key2
1127	&mov	($inp,&wparam(5));		# clear-text tweak
1128
1129	&mov	($rounds,&DWP(240,$key));	# key2->rounds
1130	&movups	($inout0,&QWP(0,$inp));
1131	if ($inline)
1132	{   &aesni_inline_generate1("enc");	}
1133	else
1134	{   &call	("_aesni_encrypt1");	}
1135
1136	&mov	($inp,&wparam(0));
1137	&mov	($out,&wparam(1));
1138	&mov	($len,&wparam(2));
1139	&mov	($key,&wparam(3));		# key1
1140
1141	&mov	($key_,"esp");
1142	&sub	("esp",16*7+8);
1143	&mov	($rounds,&DWP(240,$key));	# key1->rounds
1144	&and	("esp",-16);			# align stack
1145
1146	&mov	(&DWP(16*6+0,"esp"),0x87);	# compose the magic constant
1147	&mov	(&DWP(16*6+4,"esp"),0);
1148	&mov	(&DWP(16*6+8,"esp"),1);
1149	&mov	(&DWP(16*6+12,"esp"),0);
1150	&mov	(&DWP(16*7+0,"esp"),$len);	# save original $len
1151	&mov	(&DWP(16*7+4,"esp"),$key_);	# save original %esp
1152
1153	&movdqa	($tweak,$inout0);
1154	&pxor	($twtmp,$twtmp);
1155	&movdqa	($twmask,&QWP(6*16,"esp"));	# 0x0...010...87
1156	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1157
1158	&and	($len,-16);
1159	&mov	($key_,$key);			# backup $key
1160	&mov	($rounds_,$rounds);		# backup $rounds
1161	&sub	($len,16*6);
1162	&jc	(&label("xts_enc_short"));
1163
1164	&shl	($rounds,4);
1165	&mov	($rounds_,16);
1166	&sub	($rounds_,$rounds);
1167	&lea	($key,&DWP(32,$key,$rounds));
1168	&jmp	(&label("xts_enc_loop6"));
1169
1170&set_label("xts_enc_loop6",16);
1171	for ($i=0;$i<4;$i++) {
1172	    &pshufd	($twres,$twtmp,0x13);
1173	    &pxor	($twtmp,$twtmp);
1174	    &movdqa	(&QWP(16*$i,"esp"),$tweak);
1175	    &paddq	($tweak,$tweak);	# &psllq($tweak,1);
1176	    &pand	($twres,$twmask);	# isolate carry and residue
1177	    &pcmpgtd	($twtmp,$tweak);	# broadcast upper bits
1178	    &pxor	($tweak,$twres);
1179	}
1180	&pshufd	($inout5,$twtmp,0x13);
1181	&movdqa	(&QWP(16*$i++,"esp"),$tweak);
1182	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1183	 &$movekey	($rndkey0,&QWP(0,$key_));
1184	&pand	($inout5,$twmask);		# isolate carry and residue
1185	 &movups	($inout0,&QWP(0,$inp));	# load input
1186	&pxor	($inout5,$tweak);
1187
1188	# inline _aesni_encrypt6 prologue and flip xor with tweak and key[0]
1189	&mov	($rounds,$rounds_);		# restore $rounds
1190	&movdqu	($inout1,&QWP(16*1,$inp));
1191	 &xorps		($inout0,$rndkey0);	# input^=rndkey[0]
1192	&movdqu	($inout2,&QWP(16*2,$inp));
1193	 &pxor		($inout1,$rndkey0);
1194	&movdqu	($inout3,&QWP(16*3,$inp));
1195	 &pxor		($inout2,$rndkey0);
1196	&movdqu	($inout4,&QWP(16*4,$inp));
1197	 &pxor		($inout3,$rndkey0);
1198	&movdqu	($rndkey1,&QWP(16*5,$inp));
1199	 &pxor		($inout4,$rndkey0);
1200	&lea	($inp,&DWP(16*6,$inp));
1201	&pxor	($inout0,&QWP(16*0,"esp"));	# input^=tweak
1202	&movdqa	(&QWP(16*$i,"esp"),$inout5);	# save last tweak
1203	&pxor	($inout5,$rndkey1);
1204
1205	 &$movekey	($rndkey1,&QWP(16,$key_));
1206	&pxor	($inout1,&QWP(16*1,"esp"));
1207	&pxor	($inout2,&QWP(16*2,"esp"));
1208	 &aesenc	($inout0,$rndkey1);
1209	&pxor	($inout3,&QWP(16*3,"esp"));
1210	&pxor	($inout4,&QWP(16*4,"esp"));
1211	 &aesenc	($inout1,$rndkey1);
1212	&pxor		($inout5,$rndkey0);
1213	 &$movekey	($rndkey0,&QWP(32,$key_));
1214	 &aesenc	($inout2,$rndkey1);
1215	 &aesenc	($inout3,$rndkey1);
1216	 &aesenc	($inout4,$rndkey1);
1217	 &aesenc	($inout5,$rndkey1);
1218	&call		(&label("_aesni_encrypt6_enter"));
1219
1220	&movdqa	($tweak,&QWP(16*5,"esp"));	# last tweak
1221       &pxor	($twtmp,$twtmp);
1222	&xorps	($inout0,&QWP(16*0,"esp"));	# output^=tweak
1223       &pcmpgtd	($twtmp,$tweak);		# broadcast upper bits
1224	&xorps	($inout1,&QWP(16*1,"esp"));
1225	&movups	(&QWP(16*0,$out),$inout0);	# write output
1226	&xorps	($inout2,&QWP(16*2,"esp"));
1227	&movups	(&QWP(16*1,$out),$inout1);
1228	&xorps	($inout3,&QWP(16*3,"esp"));
1229	&movups	(&QWP(16*2,$out),$inout2);
1230	&xorps	($inout4,&QWP(16*4,"esp"));
1231	&movups	(&QWP(16*3,$out),$inout3);
1232	&xorps	($inout5,$tweak);
1233	&movups	(&QWP(16*4,$out),$inout4);
1234       &pshufd	($twres,$twtmp,0x13);
1235	&movups	(&QWP(16*5,$out),$inout5);
1236	&lea	($out,&DWP(16*6,$out));
1237       &movdqa	($twmask,&QWP(16*6,"esp"));	# 0x0...010...87
1238
1239	&pxor	($twtmp,$twtmp);
1240	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1241	&pand	($twres,$twmask);		# isolate carry and residue
1242	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1243	&pxor	($tweak,$twres);
1244
1245	&sub	($len,16*6);
1246	&jnc	(&label("xts_enc_loop6"));
1247
1248	&mov	($rounds,&DWP(240,$key_));	# restore $rounds
1249	&mov	($key,$key_);			# restore $key
1250	&mov	($rounds_,$rounds);
1251
1252&set_label("xts_enc_short");
1253	&add	($len,16*6);
1254	&jz	(&label("xts_enc_done6x"));
1255
1256	&movdqa	($inout3,$tweak);		# put aside previous tweak
1257	&cmp	($len,0x20);
1258	&jb	(&label("xts_enc_one"));
1259
1260	&pshufd	($twres,$twtmp,0x13);
1261	&pxor	($twtmp,$twtmp);
1262	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1263	&pand	($twres,$twmask);		# isolate carry and residue
1264	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1265	&pxor	($tweak,$twres);
1266	&je	(&label("xts_enc_two"));
1267
1268	&pshufd	($twres,$twtmp,0x13);
1269	&pxor	($twtmp,$twtmp);
1270	&movdqa	($inout4,$tweak);		# put aside previous tweak
1271	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1272	&pand	($twres,$twmask);		# isolate carry and residue
1273	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1274	&pxor	($tweak,$twres);
1275	&cmp	($len,0x40);
1276	&jb	(&label("xts_enc_three"));
1277
1278	&pshufd	($twres,$twtmp,0x13);
1279	&pxor	($twtmp,$twtmp);
1280	&movdqa	($inout5,$tweak);		# put aside previous tweak
1281	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1282	&pand	($twres,$twmask);		# isolate carry and residue
1283	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1284	&pxor	($tweak,$twres);
1285	&movdqa	(&QWP(16*0,"esp"),$inout3);
1286	&movdqa	(&QWP(16*1,"esp"),$inout4);
1287	&je	(&label("xts_enc_four"));
1288
1289	&movdqa	(&QWP(16*2,"esp"),$inout5);
1290	&pshufd	($inout5,$twtmp,0x13);
1291	&movdqa	(&QWP(16*3,"esp"),$tweak);
1292	&paddq	($tweak,$tweak);		# &psllq($inout0,1);
1293	&pand	($inout5,$twmask);		# isolate carry and residue
1294	&pxor	($inout5,$tweak);
1295
1296	&movdqu	($inout0,&QWP(16*0,$inp));	# load input
1297	&movdqu	($inout1,&QWP(16*1,$inp));
1298	&movdqu	($inout2,&QWP(16*2,$inp));
1299	&pxor	($inout0,&QWP(16*0,"esp"));	# input^=tweak
1300	&movdqu	($inout3,&QWP(16*3,$inp));
1301	&pxor	($inout1,&QWP(16*1,"esp"));
1302	&movdqu	($inout4,&QWP(16*4,$inp));
1303	&pxor	($inout2,&QWP(16*2,"esp"));
1304	&lea	($inp,&DWP(16*5,$inp));
1305	&pxor	($inout3,&QWP(16*3,"esp"));
1306	&movdqa	(&QWP(16*4,"esp"),$inout5);	# save last tweak
1307	&pxor	($inout4,$inout5);
1308
1309	&call	("_aesni_encrypt6");
1310
1311	&movaps	($tweak,&QWP(16*4,"esp"));	# last tweak
1312	&xorps	($inout0,&QWP(16*0,"esp"));	# output^=tweak
1313	&xorps	($inout1,&QWP(16*1,"esp"));
1314	&xorps	($inout2,&QWP(16*2,"esp"));
1315	&movups	(&QWP(16*0,$out),$inout0);	# write output
1316	&xorps	($inout3,&QWP(16*3,"esp"));
1317	&movups	(&QWP(16*1,$out),$inout1);
1318	&xorps	($inout4,$tweak);
1319	&movups	(&QWP(16*2,$out),$inout2);
1320	&movups	(&QWP(16*3,$out),$inout3);
1321	&movups	(&QWP(16*4,$out),$inout4);
1322	&lea	($out,&DWP(16*5,$out));
1323	&jmp	(&label("xts_enc_done"));
1324
1325&set_label("xts_enc_one",16);
1326	&movups	($inout0,&QWP(16*0,$inp));	# load input
1327	&lea	($inp,&DWP(16*1,$inp));
1328	&xorps	($inout0,$inout3);		# input^=tweak
1329	if ($inline)
1330	{   &aesni_inline_generate1("enc");	}
1331	else
1332	{   &call	("_aesni_encrypt1");	}
1333	&xorps	($inout0,$inout3);		# output^=tweak
1334	&movups	(&QWP(16*0,$out),$inout0);	# write output
1335	&lea	($out,&DWP(16*1,$out));
1336
1337	&movdqa	($tweak,$inout3);		# last tweak
1338	&jmp	(&label("xts_enc_done"));
1339
1340&set_label("xts_enc_two",16);
1341	&movaps	($inout4,$tweak);		# put aside last tweak
1342
1343	&movups	($inout0,&QWP(16*0,$inp));	# load input
1344	&movups	($inout1,&QWP(16*1,$inp));
1345	&lea	($inp,&DWP(16*2,$inp));
1346	&xorps	($inout0,$inout3);		# input^=tweak
1347	&xorps	($inout1,$inout4);
1348
1349	&call	("_aesni_encrypt2");
1350
1351	&xorps	($inout0,$inout3);		# output^=tweak
1352	&xorps	($inout1,$inout4);
1353	&movups	(&QWP(16*0,$out),$inout0);	# write output
1354	&movups	(&QWP(16*1,$out),$inout1);
1355	&lea	($out,&DWP(16*2,$out));
1356
1357	&movdqa	($tweak,$inout4);		# last tweak
1358	&jmp	(&label("xts_enc_done"));
1359
1360&set_label("xts_enc_three",16);
1361	&movaps	($inout5,$tweak);		# put aside last tweak
1362	&movups	($inout0,&QWP(16*0,$inp));	# load input
1363	&movups	($inout1,&QWP(16*1,$inp));
1364	&movups	($inout2,&QWP(16*2,$inp));
1365	&lea	($inp,&DWP(16*3,$inp));
1366	&xorps	($inout0,$inout3);		# input^=tweak
1367	&xorps	($inout1,$inout4);
1368	&xorps	($inout2,$inout5);
1369
1370	&call	("_aesni_encrypt3");
1371
1372	&xorps	($inout0,$inout3);		# output^=tweak
1373	&xorps	($inout1,$inout4);
1374	&xorps	($inout2,$inout5);
1375	&movups	(&QWP(16*0,$out),$inout0);	# write output
1376	&movups	(&QWP(16*1,$out),$inout1);
1377	&movups	(&QWP(16*2,$out),$inout2);
1378	&lea	($out,&DWP(16*3,$out));
1379
1380	&movdqa	($tweak,$inout5);		# last tweak
1381	&jmp	(&label("xts_enc_done"));
1382
1383&set_label("xts_enc_four",16);
1384	&movaps	($inout4,$tweak);		# put aside last tweak
1385
1386	&movups	($inout0,&QWP(16*0,$inp));	# load input
1387	&movups	($inout1,&QWP(16*1,$inp));
1388	&movups	($inout2,&QWP(16*2,$inp));
1389	&xorps	($inout0,&QWP(16*0,"esp"));	# input^=tweak
1390	&movups	($inout3,&QWP(16*3,$inp));
1391	&lea	($inp,&DWP(16*4,$inp));
1392	&xorps	($inout1,&QWP(16*1,"esp"));
1393	&xorps	($inout2,$inout5);
1394	&xorps	($inout3,$inout4);
1395
1396	&call	("_aesni_encrypt4");
1397
1398	&xorps	($inout0,&QWP(16*0,"esp"));	# output^=tweak
1399	&xorps	($inout1,&QWP(16*1,"esp"));
1400	&xorps	($inout2,$inout5);
1401	&movups	(&QWP(16*0,$out),$inout0);	# write output
1402	&xorps	($inout3,$inout4);
1403	&movups	(&QWP(16*1,$out),$inout1);
1404	&movups	(&QWP(16*2,$out),$inout2);
1405	&movups	(&QWP(16*3,$out),$inout3);
1406	&lea	($out,&DWP(16*4,$out));
1407
1408	&movdqa	($tweak,$inout4);		# last tweak
1409	&jmp	(&label("xts_enc_done"));
1410
1411&set_label("xts_enc_done6x",16);		# $tweak is pre-calculated
1412	&mov	($len,&DWP(16*7+0,"esp"));	# restore original $len
1413	&and	($len,15);
1414	&jz	(&label("xts_enc_ret"));
1415	&movdqa	($inout3,$tweak);
1416	&mov	(&DWP(16*7+0,"esp"),$len);	# save $len%16
1417	&jmp	(&label("xts_enc_steal"));
1418
1419&set_label("xts_enc_done",16);
1420	&mov	($len,&DWP(16*7+0,"esp"));	# restore original $len
1421	&pxor	($twtmp,$twtmp);
1422	&and	($len,15);
1423	&jz	(&label("xts_enc_ret"));
1424
1425	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1426	&mov	(&DWP(16*7+0,"esp"),$len);	# save $len%16
1427	&pshufd	($inout3,$twtmp,0x13);
1428	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1429	&pand	($inout3,&QWP(16*6,"esp"));	# isolate carry and residue
1430	&pxor	($inout3,$tweak);
1431
1432&set_label("xts_enc_steal");
1433	&movz	($rounds,&BP(0,$inp));
1434	&movz	($key,&BP(-16,$out));
1435	&lea	($inp,&DWP(1,$inp));
1436	&mov	(&BP(-16,$out),&LB($rounds));
1437	&mov	(&BP(0,$out),&LB($key));
1438	&lea	($out,&DWP(1,$out));
1439	&sub	($len,1);
1440	&jnz	(&label("xts_enc_steal"));
1441
1442	&sub	($out,&DWP(16*7+0,"esp"));	# rewind $out
1443	&mov	($key,$key_);			# restore $key
1444	&mov	($rounds,$rounds_);		# restore $rounds
1445
1446	&movups	($inout0,&QWP(-16,$out));	# load input
1447	&xorps	($inout0,$inout3);		# input^=tweak
1448	if ($inline)
1449	{   &aesni_inline_generate1("enc");	}
1450	else
1451	{   &call	("_aesni_encrypt1");	}
1452	&xorps	($inout0,$inout3);		# output^=tweak
1453	&movups	(&QWP(-16,$out),$inout0);	# write output
1454
1455&set_label("xts_enc_ret");
1456	&pxor	("xmm0","xmm0");		# clear register bank
1457	&pxor	("xmm1","xmm1");
1458	&pxor	("xmm2","xmm2");
1459	&movdqa	(&QWP(16*0,"esp"),"xmm0");	# clear stack
1460	&pxor	("xmm3","xmm3");
1461	&movdqa	(&QWP(16*1,"esp"),"xmm0");
1462	&pxor	("xmm4","xmm4");
1463	&movdqa	(&QWP(16*2,"esp"),"xmm0");
1464	&pxor	("xmm5","xmm5");
1465	&movdqa	(&QWP(16*3,"esp"),"xmm0");
1466	&pxor	("xmm6","xmm6");
1467	&movdqa	(&QWP(16*4,"esp"),"xmm0");
1468	&pxor	("xmm7","xmm7");
1469	&movdqa	(&QWP(16*5,"esp"),"xmm0");
1470	&mov	("esp",&DWP(16*7+4,"esp"));	# restore %esp
1471&function_end("aesni_xts_encrypt");
1472
1473&function_begin("aesni_xts_decrypt");
1474	&mov	($key,&wparam(4));		# key2
1475	&mov	($inp,&wparam(5));		# clear-text tweak
1476
1477	&mov	($rounds,&DWP(240,$key));	# key2->rounds
1478	&movups	($inout0,&QWP(0,$inp));
1479	if ($inline)
1480	{   &aesni_inline_generate1("enc");	}
1481	else
1482	{   &call	("_aesni_encrypt1");	}
1483
1484	&mov	($inp,&wparam(0));
1485	&mov	($out,&wparam(1));
1486	&mov	($len,&wparam(2));
1487	&mov	($key,&wparam(3));		# key1
1488
1489	&mov	($key_,"esp");
1490	&sub	("esp",16*7+8);
1491	&and	("esp",-16);			# align stack
1492
1493	&xor	($rounds_,$rounds_);		# if(len%16) len-=16;
1494	&test	($len,15);
1495	&setnz	(&LB($rounds_));
1496	&shl	($rounds_,4);
1497	&sub	($len,$rounds_);
1498
1499	&mov	(&DWP(16*6+0,"esp"),0x87);	# compose the magic constant
1500	&mov	(&DWP(16*6+4,"esp"),0);
1501	&mov	(&DWP(16*6+8,"esp"),1);
1502	&mov	(&DWP(16*6+12,"esp"),0);
1503	&mov	(&DWP(16*7+0,"esp"),$len);	# save original $len
1504	&mov	(&DWP(16*7+4,"esp"),$key_);	# save original %esp
1505
1506	&mov	($rounds,&DWP(240,$key));	# key1->rounds
1507	&mov	($key_,$key);			# backup $key
1508	&mov	($rounds_,$rounds);		# backup $rounds
1509
1510	&movdqa	($tweak,$inout0);
1511	&pxor	($twtmp,$twtmp);
1512	&movdqa	($twmask,&QWP(6*16,"esp"));	# 0x0...010...87
1513	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1514
1515	&and	($len,-16);
1516	&sub	($len,16*6);
1517	&jc	(&label("xts_dec_short"));
1518
1519	&shl	($rounds,4);
1520	&mov	($rounds_,16);
1521	&sub	($rounds_,$rounds);
1522	&lea	($key,&DWP(32,$key,$rounds));
1523	&jmp	(&label("xts_dec_loop6"));
1524
1525&set_label("xts_dec_loop6",16);
1526	for ($i=0;$i<4;$i++) {
1527	    &pshufd	($twres,$twtmp,0x13);
1528	    &pxor	($twtmp,$twtmp);
1529	    &movdqa	(&QWP(16*$i,"esp"),$tweak);
1530	    &paddq	($tweak,$tweak);	# &psllq($tweak,1);
1531	    &pand	($twres,$twmask);	# isolate carry and residue
1532	    &pcmpgtd	($twtmp,$tweak);	# broadcast upper bits
1533	    &pxor	($tweak,$twres);
1534	}
1535	&pshufd	($inout5,$twtmp,0x13);
1536	&movdqa	(&QWP(16*$i++,"esp"),$tweak);
1537	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1538	 &$movekey	($rndkey0,&QWP(0,$key_));
1539	&pand	($inout5,$twmask);		# isolate carry and residue
1540	 &movups	($inout0,&QWP(0,$inp));	# load input
1541	&pxor	($inout5,$tweak);
1542
1543	# inline _aesni_encrypt6 prologue and flip xor with tweak and key[0]
1544	&mov	($rounds,$rounds_);
1545	&movdqu	($inout1,&QWP(16*1,$inp));
1546	 &xorps		($inout0,$rndkey0);	# input^=rndkey[0]
1547	&movdqu	($inout2,&QWP(16*2,$inp));
1548	 &pxor		($inout1,$rndkey0);
1549	&movdqu	($inout3,&QWP(16*3,$inp));
1550	 &pxor		($inout2,$rndkey0);
1551	&movdqu	($inout4,&QWP(16*4,$inp));
1552	 &pxor		($inout3,$rndkey0);
1553	&movdqu	($rndkey1,&QWP(16*5,$inp));
1554	 &pxor		($inout4,$rndkey0);
1555	&lea	($inp,&DWP(16*6,$inp));
1556	&pxor	($inout0,&QWP(16*0,"esp"));	# input^=tweak
1557	&movdqa	(&QWP(16*$i,"esp"),$inout5);	# save last tweak
1558	&pxor	($inout5,$rndkey1);
1559
1560	 &$movekey	($rndkey1,&QWP(16,$key_));
1561	&pxor	($inout1,&QWP(16*1,"esp"));
1562	&pxor	($inout2,&QWP(16*2,"esp"));
1563	 &aesdec	($inout0,$rndkey1);
1564	&pxor	($inout3,&QWP(16*3,"esp"));
1565	&pxor	($inout4,&QWP(16*4,"esp"));
1566	 &aesdec	($inout1,$rndkey1);
1567	&pxor		($inout5,$rndkey0);
1568	 &$movekey	($rndkey0,&QWP(32,$key_));
1569	 &aesdec	($inout2,$rndkey1);
1570	 &aesdec	($inout3,$rndkey1);
1571	 &aesdec	($inout4,$rndkey1);
1572	 &aesdec	($inout5,$rndkey1);
1573	&call		(&label("_aesni_decrypt6_enter"));
1574
1575	&movdqa	($tweak,&QWP(16*5,"esp"));	# last tweak
1576       &pxor	($twtmp,$twtmp);
1577	&xorps	($inout0,&QWP(16*0,"esp"));	# output^=tweak
1578       &pcmpgtd	($twtmp,$tweak);		# broadcast upper bits
1579	&xorps	($inout1,&QWP(16*1,"esp"));
1580	&movups	(&QWP(16*0,$out),$inout0);	# write output
1581	&xorps	($inout2,&QWP(16*2,"esp"));
1582	&movups	(&QWP(16*1,$out),$inout1);
1583	&xorps	($inout3,&QWP(16*3,"esp"));
1584	&movups	(&QWP(16*2,$out),$inout2);
1585	&xorps	($inout4,&QWP(16*4,"esp"));
1586	&movups	(&QWP(16*3,$out),$inout3);
1587	&xorps	($inout5,$tweak);
1588	&movups	(&QWP(16*4,$out),$inout4);
1589       &pshufd	($twres,$twtmp,0x13);
1590	&movups	(&QWP(16*5,$out),$inout5);
1591	&lea	($out,&DWP(16*6,$out));
1592       &movdqa	($twmask,&QWP(16*6,"esp"));	# 0x0...010...87
1593
1594	&pxor	($twtmp,$twtmp);
1595	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1596	&pand	($twres,$twmask);		# isolate carry and residue
1597	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1598	&pxor	($tweak,$twres);
1599
1600	&sub	($len,16*6);
1601	&jnc	(&label("xts_dec_loop6"));
1602
1603	&mov	($rounds,&DWP(240,$key_));	# restore $rounds
1604	&mov	($key,$key_);			# restore $key
1605	&mov	($rounds_,$rounds);
1606
1607&set_label("xts_dec_short");
1608	&add	($len,16*6);
1609	&jz	(&label("xts_dec_done6x"));
1610
1611	&movdqa	($inout3,$tweak);		# put aside previous tweak
1612	&cmp	($len,0x20);
1613	&jb	(&label("xts_dec_one"));
1614
1615	&pshufd	($twres,$twtmp,0x13);
1616	&pxor	($twtmp,$twtmp);
1617	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1618	&pand	($twres,$twmask);		# isolate carry and residue
1619	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1620	&pxor	($tweak,$twres);
1621	&je	(&label("xts_dec_two"));
1622
1623	&pshufd	($twres,$twtmp,0x13);
1624	&pxor	($twtmp,$twtmp);
1625	&movdqa	($inout4,$tweak);		# put aside previous tweak
1626	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1627	&pand	($twres,$twmask);		# isolate carry and residue
1628	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1629	&pxor	($tweak,$twres);
1630	&cmp	($len,0x40);
1631	&jb	(&label("xts_dec_three"));
1632
1633	&pshufd	($twres,$twtmp,0x13);
1634	&pxor	($twtmp,$twtmp);
1635	&movdqa	($inout5,$tweak);		# put aside previous tweak
1636	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1637	&pand	($twres,$twmask);		# isolate carry and residue
1638	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1639	&pxor	($tweak,$twres);
1640	&movdqa	(&QWP(16*0,"esp"),$inout3);
1641	&movdqa	(&QWP(16*1,"esp"),$inout4);
1642	&je	(&label("xts_dec_four"));
1643
1644	&movdqa	(&QWP(16*2,"esp"),$inout5);
1645	&pshufd	($inout5,$twtmp,0x13);
1646	&movdqa	(&QWP(16*3,"esp"),$tweak);
1647	&paddq	($tweak,$tweak);		# &psllq($inout0,1);
1648	&pand	($inout5,$twmask);		# isolate carry and residue
1649	&pxor	($inout5,$tweak);
1650
1651	&movdqu	($inout0,&QWP(16*0,$inp));	# load input
1652	&movdqu	($inout1,&QWP(16*1,$inp));
1653	&movdqu	($inout2,&QWP(16*2,$inp));
1654	&pxor	($inout0,&QWP(16*0,"esp"));	# input^=tweak
1655	&movdqu	($inout3,&QWP(16*3,$inp));
1656	&pxor	($inout1,&QWP(16*1,"esp"));
1657	&movdqu	($inout4,&QWP(16*4,$inp));
1658	&pxor	($inout2,&QWP(16*2,"esp"));
1659	&lea	($inp,&DWP(16*5,$inp));
1660	&pxor	($inout3,&QWP(16*3,"esp"));
1661	&movdqa	(&QWP(16*4,"esp"),$inout5);	# save last tweak
1662	&pxor	($inout4,$inout5);
1663
1664	&call	("_aesni_decrypt6");
1665
1666	&movaps	($tweak,&QWP(16*4,"esp"));	# last tweak
1667	&xorps	($inout0,&QWP(16*0,"esp"));	# output^=tweak
1668	&xorps	($inout1,&QWP(16*1,"esp"));
1669	&xorps	($inout2,&QWP(16*2,"esp"));
1670	&movups	(&QWP(16*0,$out),$inout0);	# write output
1671	&xorps	($inout3,&QWP(16*3,"esp"));
1672	&movups	(&QWP(16*1,$out),$inout1);
1673	&xorps	($inout4,$tweak);
1674	&movups	(&QWP(16*2,$out),$inout2);
1675	&movups	(&QWP(16*3,$out),$inout3);
1676	&movups	(&QWP(16*4,$out),$inout4);
1677	&lea	($out,&DWP(16*5,$out));
1678	&jmp	(&label("xts_dec_done"));
1679
1680&set_label("xts_dec_one",16);
1681	&movups	($inout0,&QWP(16*0,$inp));	# load input
1682	&lea	($inp,&DWP(16*1,$inp));
1683	&xorps	($inout0,$inout3);		# input^=tweak
1684	if ($inline)
1685	{   &aesni_inline_generate1("dec");	}
1686	else
1687	{   &call	("_aesni_decrypt1");	}
1688	&xorps	($inout0,$inout3);		# output^=tweak
1689	&movups	(&QWP(16*0,$out),$inout0);	# write output
1690	&lea	($out,&DWP(16*1,$out));
1691
1692	&movdqa	($tweak,$inout3);		# last tweak
1693	&jmp	(&label("xts_dec_done"));
1694
1695&set_label("xts_dec_two",16);
1696	&movaps	($inout4,$tweak);		# put aside last tweak
1697
1698	&movups	($inout0,&QWP(16*0,$inp));	# load input
1699	&movups	($inout1,&QWP(16*1,$inp));
1700	&lea	($inp,&DWP(16*2,$inp));
1701	&xorps	($inout0,$inout3);		# input^=tweak
1702	&xorps	($inout1,$inout4);
1703
1704	&call	("_aesni_decrypt2");
1705
1706	&xorps	($inout0,$inout3);		# output^=tweak
1707	&xorps	($inout1,$inout4);
1708	&movups	(&QWP(16*0,$out),$inout0);	# write output
1709	&movups	(&QWP(16*1,$out),$inout1);
1710	&lea	($out,&DWP(16*2,$out));
1711
1712	&movdqa	($tweak,$inout4);		# last tweak
1713	&jmp	(&label("xts_dec_done"));
1714
1715&set_label("xts_dec_three",16);
1716	&movaps	($inout5,$tweak);		# put aside last tweak
1717	&movups	($inout0,&QWP(16*0,$inp));	# load input
1718	&movups	($inout1,&QWP(16*1,$inp));
1719	&movups	($inout2,&QWP(16*2,$inp));
1720	&lea	($inp,&DWP(16*3,$inp));
1721	&xorps	($inout0,$inout3);		# input^=tweak
1722	&xorps	($inout1,$inout4);
1723	&xorps	($inout2,$inout5);
1724
1725	&call	("_aesni_decrypt3");
1726
1727	&xorps	($inout0,$inout3);		# output^=tweak
1728	&xorps	($inout1,$inout4);
1729	&xorps	($inout2,$inout5);
1730	&movups	(&QWP(16*0,$out),$inout0);	# write output
1731	&movups	(&QWP(16*1,$out),$inout1);
1732	&movups	(&QWP(16*2,$out),$inout2);
1733	&lea	($out,&DWP(16*3,$out));
1734
1735	&movdqa	($tweak,$inout5);		# last tweak
1736	&jmp	(&label("xts_dec_done"));
1737
1738&set_label("xts_dec_four",16);
1739	&movaps	($inout4,$tweak);		# put aside last tweak
1740
1741	&movups	($inout0,&QWP(16*0,$inp));	# load input
1742	&movups	($inout1,&QWP(16*1,$inp));
1743	&movups	($inout2,&QWP(16*2,$inp));
1744	&xorps	($inout0,&QWP(16*0,"esp"));	# input^=tweak
1745	&movups	($inout3,&QWP(16*3,$inp));
1746	&lea	($inp,&DWP(16*4,$inp));
1747	&xorps	($inout1,&QWP(16*1,"esp"));
1748	&xorps	($inout2,$inout5);
1749	&xorps	($inout3,$inout4);
1750
1751	&call	("_aesni_decrypt4");
1752
1753	&xorps	($inout0,&QWP(16*0,"esp"));	# output^=tweak
1754	&xorps	($inout1,&QWP(16*1,"esp"));
1755	&xorps	($inout2,$inout5);
1756	&movups	(&QWP(16*0,$out),$inout0);	# write output
1757	&xorps	($inout3,$inout4);
1758	&movups	(&QWP(16*1,$out),$inout1);
1759	&movups	(&QWP(16*2,$out),$inout2);
1760	&movups	(&QWP(16*3,$out),$inout3);
1761	&lea	($out,&DWP(16*4,$out));
1762
1763	&movdqa	($tweak,$inout4);		# last tweak
1764	&jmp	(&label("xts_dec_done"));
1765
1766&set_label("xts_dec_done6x",16);		# $tweak is pre-calculated
1767	&mov	($len,&DWP(16*7+0,"esp"));	# restore original $len
1768	&and	($len,15);
1769	&jz	(&label("xts_dec_ret"));
1770	&mov	(&DWP(16*7+0,"esp"),$len);	# save $len%16
1771	&jmp	(&label("xts_dec_only_one_more"));
1772
1773&set_label("xts_dec_done",16);
1774	&mov	($len,&DWP(16*7+0,"esp"));	# restore original $len
1775	&pxor	($twtmp,$twtmp);
1776	&and	($len,15);
1777	&jz	(&label("xts_dec_ret"));
1778
1779	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1780	&mov	(&DWP(16*7+0,"esp"),$len);	# save $len%16
1781	&pshufd	($twres,$twtmp,0x13);
1782	&pxor	($twtmp,$twtmp);
1783	&movdqa	($twmask,&QWP(16*6,"esp"));
1784	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1785	&pand	($twres,$twmask);		# isolate carry and residue
1786	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
1787	&pxor	($tweak,$twres);
1788
1789&set_label("xts_dec_only_one_more");
1790	&pshufd	($inout3,$twtmp,0x13);
1791	&movdqa	($inout4,$tweak);		# put aside previous tweak
1792	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
1793	&pand	($inout3,$twmask);		# isolate carry and residue
1794	&pxor	($inout3,$tweak);
1795
1796	&mov	($key,$key_);			# restore $key
1797	&mov	($rounds,$rounds_);		# restore $rounds
1798
1799	&movups	($inout0,&QWP(0,$inp));		# load input
1800	&xorps	($inout0,$inout3);		# input^=tweak
1801	if ($inline)
1802	{   &aesni_inline_generate1("dec");	}
1803	else
1804	{   &call	("_aesni_decrypt1");	}
1805	&xorps	($inout0,$inout3);		# output^=tweak
1806	&movups	(&QWP(0,$out),$inout0);		# write output
1807
1808&set_label("xts_dec_steal");
1809	&movz	($rounds,&BP(16,$inp));
1810	&movz	($key,&BP(0,$out));
1811	&lea	($inp,&DWP(1,$inp));
1812	&mov	(&BP(0,$out),&LB($rounds));
1813	&mov	(&BP(16,$out),&LB($key));
1814	&lea	($out,&DWP(1,$out));
1815	&sub	($len,1);
1816	&jnz	(&label("xts_dec_steal"));
1817
1818	&sub	($out,&DWP(16*7+0,"esp"));	# rewind $out
1819	&mov	($key,$key_);			# restore $key
1820	&mov	($rounds,$rounds_);		# restore $rounds
1821
1822	&movups	($inout0,&QWP(0,$out));		# load input
1823	&xorps	($inout0,$inout4);		# input^=tweak
1824	if ($inline)
1825	{   &aesni_inline_generate1("dec");	}
1826	else
1827	{   &call	("_aesni_decrypt1");	}
1828	&xorps	($inout0,$inout4);		# output^=tweak
1829	&movups	(&QWP(0,$out),$inout0);		# write output
1830
1831&set_label("xts_dec_ret");
1832	&pxor	("xmm0","xmm0");		# clear register bank
1833	&pxor	("xmm1","xmm1");
1834	&pxor	("xmm2","xmm2");
1835	&movdqa	(&QWP(16*0,"esp"),"xmm0");	# clear stack
1836	&pxor	("xmm3","xmm3");
1837	&movdqa	(&QWP(16*1,"esp"),"xmm0");
1838	&pxor	("xmm4","xmm4");
1839	&movdqa	(&QWP(16*2,"esp"),"xmm0");
1840	&pxor	("xmm5","xmm5");
1841	&movdqa	(&QWP(16*3,"esp"),"xmm0");
1842	&pxor	("xmm6","xmm6");
1843	&movdqa	(&QWP(16*4,"esp"),"xmm0");
1844	&pxor	("xmm7","xmm7");
1845	&movdqa	(&QWP(16*5,"esp"),"xmm0");
1846	&mov	("esp",&DWP(16*7+4,"esp"));	# restore %esp
1847&function_end("aesni_xts_decrypt");
1848}
1849
1850######################################################################
1851# void aesni_ocb_[en|de]crypt(const char *inp, char *out, size_t blocks,
1852#	const AES_KEY *key, unsigned int start_block_num,
1853#	unsigned char offset_i[16], const unsigned char L_[][16],
1854#	unsigned char checksum[16]);
1855#
1856{
1857# offsets within stack frame
1858my $checksum = 16*6;
1859my ($key_off,$rounds_off,$out_off,$end_off,$esp_off)=map(16*7+4*$_,(0..4));
1860
1861# reassigned registers
1862my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
1863# $l_, $blocks, $inp, $key are permanently allocated in registers;
1864# remaining non-volatile ones are offloaded to stack, which even
1865# stay invariant after written to stack.
1866
1867&function_begin("aesni_ocb_encrypt");
1868	&mov	($rounds,&wparam(5));		# &offset_i
1869	&mov	($rounds_,&wparam(7));		# &checksum
1870
1871	&mov	($inp,&wparam(0));
1872	&mov	($out,&wparam(1));
1873	&mov	($len,&wparam(2));
1874	&mov	($key,&wparam(3));
1875	&movdqu	($rndkey0,&QWP(0,$rounds));	# load offset_i
1876	&mov	($block,&wparam(4));		# start_block_num
1877	&movdqu	($rndkey1,&QWP(0,$rounds_));	# load checksum
1878	&mov	($l_,&wparam(6));		# L_
1879
1880	&mov	($rounds,"esp");
1881	&sub	("esp",$esp_off+4);		# alloca
1882	&and	("esp",-16);			# align stack
1883
1884	&sub	($out,$inp);
1885	&shl	($len,4);
1886	&lea	($len,&DWP(-16*6,$inp,$len));	# end of input - 16*6
1887	&mov	(&DWP($out_off,"esp"),$out);
1888	&mov	(&DWP($end_off,"esp"),$len);
1889	&mov	(&DWP($esp_off,"esp"),$rounds);
1890
1891	&mov	($rounds,&DWP(240,$key));
1892
1893	&test	($block,1);
1894	&jnz	(&label("odd"));
1895
1896	&bsf		($i3,$block);
1897	&add		($block,1);
1898	&shl		($i3,4);
1899	&movdqu		($inout5,&QWP(0,$l_,$i3));
1900	&mov		($i3,$key);			# put aside key
1901
1902	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
1903	&lea		($inp,&DWP(16,$inp));
1904
1905	&pxor		($inout5,$rndkey0);		# ^ last offset_i
1906	&pxor		($rndkey1,$inout0);		# checksum
1907	&pxor		($inout0,$inout5);		# ^ offset_i
1908
1909	&movdqa		($inout4,$rndkey1);
1910	if ($inline)
1911	{   &aesni_inline_generate1("enc");	}
1912	else
1913	{   &call	("_aesni_encrypt1");	}
1914
1915	&xorps		($inout0,$inout5);		# ^ offset_i
1916	&movdqa		($rndkey0,$inout5);		# pass last offset_i
1917	&movdqa		($rndkey1,$inout4);		# pass the checksum
1918
1919	&movups		(&QWP(-16,$out,$inp),$inout0);	# store output
1920
1921	&mov		($rounds,&DWP(240,$i3));
1922	&mov		($key,$i3);			# restore key
1923	&mov		($len,&DWP($end_off,"esp"));
1924
1925&set_label("odd");
1926	&shl		($rounds,4);
1927	&mov		($out,16);
1928	&sub		($out,$rounds);			# twisted rounds
1929	&mov		(&DWP($key_off,"esp"),$key);
1930	&lea		($key,&DWP(32,$key,$rounds));	# end of key schedule
1931	&mov		(&DWP($rounds_off,"esp"),$out);
1932
1933	&cmp		($inp,$len);
1934	&ja		(&label("short"));
1935	&jmp		(&label("grandloop"));
1936
1937&set_label("grandloop",32);
1938	&lea		($i1,&DWP(1,$block));
1939	&lea		($i3,&DWP(3,$block));
1940	&lea		($i5,&DWP(5,$block));
1941	&add		($block,6);
1942	&bsf		($i1,$i1);
1943	&bsf		($i3,$i3);
1944	&bsf		($i5,$i5);
1945	&shl		($i1,4);
1946	&shl		($i3,4);
1947	&shl		($i5,4);
1948	&movdqu		($inout0,&QWP(0,$l_));
1949	&movdqu		($inout1,&QWP(0,$l_,$i1));
1950	&mov		($rounds,&DWP($rounds_off,"esp"));
1951	&movdqa		($inout2,$inout0);
1952	&movdqu		($inout3,&QWP(0,$l_,$i3));
1953	&movdqa		($inout4,$inout0);
1954	&movdqu		($inout5,&QWP(0,$l_,$i5));
1955
1956	&pxor		($inout0,$rndkey0);		# ^ last offset_i
1957	&pxor		($inout1,$inout0);
1958	&movdqa		(&QWP(16*0,"esp"),$inout0);
1959	&pxor		($inout2,$inout1);
1960	&movdqa		(&QWP(16*1,"esp"),$inout1);
1961	&pxor		($inout3,$inout2);
1962	&movdqa		(&QWP(16*2,"esp"),$inout2);
1963	&pxor		($inout4,$inout3);
1964	&movdqa		(&QWP(16*3,"esp"),$inout3);
1965	&pxor		($inout5,$inout4);
1966	&movdqa		(&QWP(16*4,"esp"),$inout4);
1967	&movdqa		(&QWP(16*5,"esp"),$inout5);
1968
1969	&$movekey	($rndkey0,&QWP(-48,$key,$rounds));
1970	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
1971	&movdqu		($inout1,&QWP(16*1,$inp));
1972	&movdqu		($inout2,&QWP(16*2,$inp));
1973	&movdqu		($inout3,&QWP(16*3,$inp));
1974	&movdqu		($inout4,&QWP(16*4,$inp));
1975	&movdqu		($inout5,&QWP(16*5,$inp));
1976	&lea		($inp,&DWP(16*6,$inp));
1977
1978	&pxor		($rndkey1,$inout0);		# checksum
1979	&pxor		($inout0,$rndkey0);		# ^ roundkey[0]
1980	&pxor		($rndkey1,$inout1);
1981	&pxor		($inout1,$rndkey0);
1982	&pxor		($rndkey1,$inout2);
1983	&pxor		($inout2,$rndkey0);
1984	&pxor		($rndkey1,$inout3);
1985	&pxor		($inout3,$rndkey0);
1986	&pxor		($rndkey1,$inout4);
1987	&pxor		($inout4,$rndkey0);
1988	&pxor		($rndkey1,$inout5);
1989	&pxor		($inout5,$rndkey0);
1990	&movdqa		(&QWP($checksum,"esp"),$rndkey1);
1991
1992	&$movekey	($rndkey1,&QWP(-32,$key,$rounds));
1993	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
1994	&pxor		($inout1,&QWP(16*1,"esp"));
1995	&pxor		($inout2,&QWP(16*2,"esp"));
1996	&pxor		($inout3,&QWP(16*3,"esp"));
1997	&pxor		($inout4,&QWP(16*4,"esp"));
1998	&pxor		($inout5,&QWP(16*5,"esp"));
1999
2000	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
2001	&aesenc		($inout0,$rndkey1);
2002	&aesenc		($inout1,$rndkey1);
2003	&aesenc		($inout2,$rndkey1);
2004	&aesenc		($inout3,$rndkey1);
2005	&aesenc		($inout4,$rndkey1);
2006	&aesenc		($inout5,$rndkey1);
2007
2008	&mov		($out,&DWP($out_off,"esp"));
2009	&mov		($len,&DWP($end_off,"esp"));
2010	&call		("_aesni_encrypt6_enter");
2011
2012	&movdqa		($rndkey0,&QWP(16*5,"esp"));	# pass last offset_i
2013	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2014	&pxor		($inout1,&QWP(16*1,"esp"));
2015	&pxor		($inout2,&QWP(16*2,"esp"));
2016	&pxor		($inout3,&QWP(16*3,"esp"));
2017	&pxor		($inout4,&QWP(16*4,"esp"));
2018	&pxor		($inout5,$rndkey0);
2019	&movdqa		($rndkey1,&QWP($checksum,"esp"));# pass the checksum
2020
2021	&movdqu		(&QWP(-16*6,$out,$inp),$inout0);# store output
2022	&movdqu		(&QWP(-16*5,$out,$inp),$inout1);
2023	&movdqu		(&QWP(-16*4,$out,$inp),$inout2);
2024	&movdqu		(&QWP(-16*3,$out,$inp),$inout3);
2025	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
2026	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
2027	&cmp		($inp,$len);			# done yet?
2028	&jbe		(&label("grandloop"));
2029
2030&set_label("short");
2031	&add		($len,16*6);
2032	&sub		($len,$inp);
2033	&jz		(&label("done"));
2034
2035	&cmp		($len,16*2);
2036	&jb		(&label("one"));
2037	&je		(&label("two"));
2038
2039	&cmp		($len,16*4);
2040	&jb		(&label("three"));
2041	&je		(&label("four"));
2042
2043	&lea		($i1,&DWP(1,$block));
2044	&lea		($i3,&DWP(3,$block));
2045	&bsf		($i1,$i1);
2046	&bsf		($i3,$i3);
2047	&shl		($i1,4);
2048	&shl		($i3,4);
2049	&movdqu		($inout0,&QWP(0,$l_));
2050	&movdqu		($inout1,&QWP(0,$l_,$i1));
2051	&mov		($rounds,&DWP($rounds_off,"esp"));
2052	&movdqa		($inout2,$inout0);
2053	&movdqu		($inout3,&QWP(0,$l_,$i3));
2054	&movdqa		($inout4,$inout0);
2055
2056	&pxor		($inout0,$rndkey0);		# ^ last offset_i
2057	&pxor		($inout1,$inout0);
2058	&movdqa		(&QWP(16*0,"esp"),$inout0);
2059	&pxor		($inout2,$inout1);
2060	&movdqa		(&QWP(16*1,"esp"),$inout1);
2061	&pxor		($inout3,$inout2);
2062	&movdqa		(&QWP(16*2,"esp"),$inout2);
2063	&pxor		($inout4,$inout3);
2064	&movdqa		(&QWP(16*3,"esp"),$inout3);
2065	&pxor		($inout5,$inout4);
2066	&movdqa		(&QWP(16*4,"esp"),$inout4);
2067
2068	&$movekey	($rndkey0,&QWP(-48,$key,$rounds));
2069	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2070	&movdqu		($inout1,&QWP(16*1,$inp));
2071	&movdqu		($inout2,&QWP(16*2,$inp));
2072	&movdqu		($inout3,&QWP(16*3,$inp));
2073	&movdqu		($inout4,&QWP(16*4,$inp));
2074	&pxor		($inout5,$inout5);
2075
2076	&pxor		($rndkey1,$inout0);		# checksum
2077	&pxor		($inout0,$rndkey0);		# ^ roundkey[0]
2078	&pxor		($rndkey1,$inout1);
2079	&pxor		($inout1,$rndkey0);
2080	&pxor		($rndkey1,$inout2);
2081	&pxor		($inout2,$rndkey0);
2082	&pxor		($rndkey1,$inout3);
2083	&pxor		($inout3,$rndkey0);
2084	&pxor		($rndkey1,$inout4);
2085	&pxor		($inout4,$rndkey0);
2086	&movdqa		(&QWP($checksum,"esp"),$rndkey1);
2087
2088	&$movekey	($rndkey1,&QWP(-32,$key,$rounds));
2089	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2090	&pxor		($inout1,&QWP(16*1,"esp"));
2091	&pxor		($inout2,&QWP(16*2,"esp"));
2092	&pxor		($inout3,&QWP(16*3,"esp"));
2093	&pxor		($inout4,&QWP(16*4,"esp"));
2094
2095	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
2096	&aesenc		($inout0,$rndkey1);
2097	&aesenc		($inout1,$rndkey1);
2098	&aesenc		($inout2,$rndkey1);
2099	&aesenc		($inout3,$rndkey1);
2100	&aesenc		($inout4,$rndkey1);
2101	&aesenc		($inout5,$rndkey1);
2102
2103	&mov		($out,&DWP($out_off,"esp"));
2104	&call		("_aesni_encrypt6_enter");
2105
2106	&movdqa		($rndkey0,&QWP(16*4,"esp"));	# pass last offset_i
2107	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2108	&pxor		($inout1,&QWP(16*1,"esp"));
2109	&pxor		($inout2,&QWP(16*2,"esp"));
2110	&pxor		($inout3,&QWP(16*3,"esp"));
2111	&pxor		($inout4,$rndkey0);
2112	&movdqa		($rndkey1,&QWP($checksum,"esp"));# pass the checksum
2113
2114	&movdqu		(&QWP(16*0,$out,$inp),$inout0);	# store output
2115	&movdqu		(&QWP(16*1,$out,$inp),$inout1);
2116	&movdqu		(&QWP(16*2,$out,$inp),$inout2);
2117	&movdqu		(&QWP(16*3,$out,$inp),$inout3);
2118	&movdqu		(&QWP(16*4,$out,$inp),$inout4);
2119
2120	&jmp		(&label("done"));
2121
2122&set_label("one",16);
2123	&movdqu		($inout5,&QWP(0,$l_));
2124	&mov		($key,&DWP($key_off,"esp"));	# restore key
2125
2126	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2127	&mov		($rounds,&DWP(240,$key));
2128
2129	&pxor		($inout5,$rndkey0);		# ^ last offset_i
2130	&pxor		($rndkey1,$inout0);		# checksum
2131	&pxor		($inout0,$inout5);		# ^ offset_i
2132
2133	&movdqa		($inout4,$rndkey1);
2134	&mov		($out,&DWP($out_off,"esp"));
2135	if ($inline)
2136	{   &aesni_inline_generate1("enc");	}
2137	else
2138	{   &call	("_aesni_encrypt1");	}
2139
2140	&xorps		($inout0,$inout5);		# ^ offset_i
2141	&movdqa		($rndkey0,$inout5);		# pass last offset_i
2142	&movdqa		($rndkey1,$inout4);		# pass the checksum
2143	&movups		(&QWP(0,$out,$inp),$inout0);
2144
2145	&jmp		(&label("done"));
2146
2147&set_label("two",16);
2148	&lea		($i1,&DWP(1,$block));
2149	&mov		($key,&DWP($key_off,"esp"));	# restore key
2150	&bsf		($i1,$i1);
2151	&shl		($i1,4);
2152	&movdqu		($inout4,&QWP(0,$l_));
2153	&movdqu		($inout5,&QWP(0,$l_,$i1));
2154
2155	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2156	&movdqu		($inout1,&QWP(16*1,$inp));
2157	&mov		($rounds,&DWP(240,$key));
2158
2159	&pxor		($inout4,$rndkey0);		# ^ last offset_i
2160	&pxor		($inout5,$inout4);
2161
2162	&pxor		($rndkey1,$inout0);		# checksum
2163	&pxor		($inout0,$inout4);		# ^ offset_i
2164	&pxor		($rndkey1,$inout1);
2165	&pxor		($inout1,$inout5);
2166
2167	&movdqa		($inout3,$rndkey1)
2168	&mov		($out,&DWP($out_off,"esp"));
2169	&call		("_aesni_encrypt2");
2170
2171	&xorps		($inout0,$inout4);		# ^ offset_i
2172	&xorps		($inout1,$inout5);
2173	&movdqa		($rndkey0,$inout5);		# pass last offset_i
2174	&movdqa		($rndkey1,$inout3);		# pass the checksum
2175	&movups		(&QWP(16*0,$out,$inp),$inout0);	# store output
2176	&movups		(&QWP(16*1,$out,$inp),$inout1);
2177
2178	&jmp		(&label("done"));
2179
2180&set_label("three",16);
2181	&lea		($i1,&DWP(1,$block));
2182	&mov		($key,&DWP($key_off,"esp"));	# restore key
2183	&bsf		($i1,$i1);
2184	&shl		($i1,4);
2185	&movdqu		($inout3,&QWP(0,$l_));
2186	&movdqu		($inout4,&QWP(0,$l_,$i1));
2187	&movdqa		($inout5,$inout3);
2188
2189	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2190	&movdqu		($inout1,&QWP(16*1,$inp));
2191	&movdqu		($inout2,&QWP(16*2,$inp));
2192	&mov		($rounds,&DWP(240,$key));
2193
2194	&pxor		($inout3,$rndkey0);		# ^ last offset_i
2195	&pxor		($inout4,$inout3);
2196	&pxor		($inout5,$inout4);
2197
2198	&pxor		($rndkey1,$inout0);		# checksum
2199	&pxor		($inout0,$inout3);		# ^ offset_i
2200	&pxor		($rndkey1,$inout1);
2201	&pxor		($inout1,$inout4);
2202	&pxor		($rndkey1,$inout2);
2203	&pxor		($inout2,$inout5);
2204
2205	&movdqa		(&QWP($checksum,"esp"),$rndkey1);
2206	&mov		($out,&DWP($out_off,"esp"));
2207	&call		("_aesni_encrypt3");
2208
2209	&xorps		($inout0,$inout3);		# ^ offset_i
2210	&xorps		($inout1,$inout4);
2211	&xorps		($inout2,$inout5);
2212	&movdqa		($rndkey0,$inout5);		# pass last offset_i
2213	&movdqa		($rndkey1,&QWP($checksum,"esp"));# pass the checksum
2214	&movups		(&QWP(16*0,$out,$inp),$inout0);	# store output
2215	&movups		(&QWP(16*1,$out,$inp),$inout1);
2216	&movups		(&QWP(16*2,$out,$inp),$inout2);
2217
2218	&jmp		(&label("done"));
2219
2220&set_label("four",16);
2221	&lea		($i1,&DWP(1,$block));
2222	&lea		($i3,&DWP(3,$block));
2223	&bsf		($i1,$i1);
2224	&bsf		($i3,$i3);
2225	&mov		($key,&DWP($key_off,"esp"));	# restore key
2226	&shl		($i1,4);
2227	&shl		($i3,4);
2228	&movdqu		($inout2,&QWP(0,$l_));
2229	&movdqu		($inout3,&QWP(0,$l_,$i1));
2230	&movdqa		($inout4,$inout2);
2231	&movdqu		($inout5,&QWP(0,$l_,$i3));
2232
2233	&pxor		($inout2,$rndkey0);		# ^ last offset_i
2234	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2235	&pxor		($inout3,$inout2);
2236	&movdqu		($inout1,&QWP(16*1,$inp));
2237	&pxor		($inout4,$inout3);
2238	&movdqa		(&QWP(16*0,"esp"),$inout2);
2239	&pxor		($inout5,$inout4);
2240	&movdqa		(&QWP(16*1,"esp"),$inout3);
2241	&movdqu		($inout2,&QWP(16*2,$inp));
2242	&movdqu		($inout3,&QWP(16*3,$inp));
2243	&mov		($rounds,&DWP(240,$key));
2244
2245	&pxor		($rndkey1,$inout0);		# checksum
2246	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2247	&pxor		($rndkey1,$inout1);
2248	&pxor		($inout1,&QWP(16*1,"esp"));
2249	&pxor		($rndkey1,$inout2);
2250	&pxor		($inout2,$inout4);
2251	&pxor		($rndkey1,$inout3);
2252	&pxor		($inout3,$inout5);
2253
2254	&movdqa		(&QWP($checksum,"esp"),$rndkey1)
2255	&mov		($out,&DWP($out_off,"esp"));
2256	&call		("_aesni_encrypt4");
2257
2258	&xorps		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2259	&xorps		($inout1,&QWP(16*1,"esp"));
2260	&xorps		($inout2,$inout4);
2261	&movups		(&QWP(16*0,$out,$inp),$inout0);	# store output
2262	&xorps		($inout3,$inout5);
2263	&movups		(&QWP(16*1,$out,$inp),$inout1);
2264	&movdqa		($rndkey0,$inout5);		# pass last offset_i
2265	&movups		(&QWP(16*2,$out,$inp),$inout2);
2266	&movdqa		($rndkey1,&QWP($checksum,"esp"));# pass the checksum
2267	&movups		(&QWP(16*3,$out,$inp),$inout3);
2268
2269&set_label("done");
2270	&mov	($key,&DWP($esp_off,"esp"));
2271	&pxor	($inout0,$inout0);		# clear register bank
2272	&pxor	($inout1,$inout1);
2273	&movdqa	(&QWP(16*0,"esp"),$inout0);	# clear stack
2274	&pxor	($inout2,$inout2);
2275	&movdqa	(&QWP(16*1,"esp"),$inout0);
2276	&pxor	($inout3,$inout3);
2277	&movdqa	(&QWP(16*2,"esp"),$inout0);
2278	&pxor	($inout4,$inout4);
2279	&movdqa	(&QWP(16*3,"esp"),$inout0);
2280	&pxor	($inout5,$inout5);
2281	&movdqa	(&QWP(16*4,"esp"),$inout0);
2282	&movdqa	(&QWP(16*5,"esp"),$inout0);
2283	&movdqa	(&QWP(16*6,"esp"),$inout0);
2284
2285	&lea	("esp",&DWP(0,$key));
2286	&mov	($rounds,&wparam(5));		# &offset_i
2287	&mov	($rounds_,&wparam(7));		# &checksum
2288	&movdqu	(&QWP(0,$rounds),$rndkey0);
2289	&pxor	($rndkey0,$rndkey0);
2290	&movdqu	(&QWP(0,$rounds_),$rndkey1);
2291	&pxor	($rndkey1,$rndkey1);
2292&function_end("aesni_ocb_encrypt");
2293
2294&function_begin("aesni_ocb_decrypt");
2295	&mov	($rounds,&wparam(5));		# &offset_i
2296	&mov	($rounds_,&wparam(7));		# &checksum
2297
2298	&mov	($inp,&wparam(0));
2299	&mov	($out,&wparam(1));
2300	&mov	($len,&wparam(2));
2301	&mov	($key,&wparam(3));
2302	&movdqu	($rndkey0,&QWP(0,$rounds));	# load offset_i
2303	&mov	($block,&wparam(4));		# start_block_num
2304	&movdqu	($rndkey1,&QWP(0,$rounds_));	# load checksum
2305	&mov	($l_,&wparam(6));		# L_
2306
2307	&mov	($rounds,"esp");
2308	&sub	("esp",$esp_off+4);		# alloca
2309	&and	("esp",-16);			# align stack
2310
2311	&sub	($out,$inp);
2312	&shl	($len,4);
2313	&lea	($len,&DWP(-16*6,$inp,$len));	# end of input - 16*6
2314	&mov	(&DWP($out_off,"esp"),$out);
2315	&mov	(&DWP($end_off,"esp"),$len);
2316	&mov	(&DWP($esp_off,"esp"),$rounds);
2317
2318	&mov	($rounds,&DWP(240,$key));
2319
2320	&test	($block,1);
2321	&jnz	(&label("odd"));
2322
2323	&bsf		($i3,$block);
2324	&add		($block,1);
2325	&shl		($i3,4);
2326	&movdqu		($inout5,&QWP(0,$l_,$i3));
2327	&mov		($i3,$key);			# put aside key
2328
2329	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2330	&lea		($inp,&DWP(16,$inp));
2331
2332	&pxor		($inout5,$rndkey0);		# ^ last offset_i
2333	&pxor		($inout0,$inout5);		# ^ offset_i
2334
2335	&movdqa		($inout4,$rndkey1);
2336	if ($inline)
2337	{   &aesni_inline_generate1("dec");	}
2338	else
2339	{   &call	("_aesni_decrypt1");	}
2340
2341	&xorps		($inout0,$inout5);		# ^ offset_i
2342	&movaps		($rndkey1,$inout4);		# pass the checksum
2343	&movdqa		($rndkey0,$inout5);		# pass last offset_i
2344	&xorps		($rndkey1,$inout0);		# checksum
2345	&movups		(&QWP(-16,$out,$inp),$inout0);	# store output
2346
2347	&mov		($rounds,&DWP(240,$i3));
2348	&mov		($key,$i3);			# restore key
2349	&mov		($len,&DWP($end_off,"esp"));
2350
2351&set_label("odd");
2352	&shl		($rounds,4);
2353	&mov		($out,16);
2354	&sub		($out,$rounds);			# twisted rounds
2355	&mov		(&DWP($key_off,"esp"),$key);
2356	&lea		($key,&DWP(32,$key,$rounds));	# end of key schedule
2357	&mov		(&DWP($rounds_off,"esp"),$out);
2358
2359	&cmp		($inp,$len);
2360	&ja		(&label("short"));
2361	&jmp		(&label("grandloop"));
2362
2363&set_label("grandloop",32);
2364	&lea		($i1,&DWP(1,$block));
2365	&lea		($i3,&DWP(3,$block));
2366	&lea		($i5,&DWP(5,$block));
2367	&add		($block,6);
2368	&bsf		($i1,$i1);
2369	&bsf		($i3,$i3);
2370	&bsf		($i5,$i5);
2371	&shl		($i1,4);
2372	&shl		($i3,4);
2373	&shl		($i5,4);
2374	&movdqu		($inout0,&QWP(0,$l_));
2375	&movdqu		($inout1,&QWP(0,$l_,$i1));
2376	&mov		($rounds,&DWP($rounds_off,"esp"));
2377	&movdqa		($inout2,$inout0);
2378	&movdqu		($inout3,&QWP(0,$l_,$i3));
2379	&movdqa		($inout4,$inout0);
2380	&movdqu		($inout5,&QWP(0,$l_,$i5));
2381
2382	&pxor		($inout0,$rndkey0);		# ^ last offset_i
2383	&pxor		($inout1,$inout0);
2384	&movdqa		(&QWP(16*0,"esp"),$inout0);
2385	&pxor		($inout2,$inout1);
2386	&movdqa		(&QWP(16*1,"esp"),$inout1);
2387	&pxor		($inout3,$inout2);
2388	&movdqa		(&QWP(16*2,"esp"),$inout2);
2389	&pxor		($inout4,$inout3);
2390	&movdqa		(&QWP(16*3,"esp"),$inout3);
2391	&pxor		($inout5,$inout4);
2392	&movdqa		(&QWP(16*4,"esp"),$inout4);
2393	&movdqa		(&QWP(16*5,"esp"),$inout5);
2394
2395	&$movekey	($rndkey0,&QWP(-48,$key,$rounds));
2396	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2397	&movdqu		($inout1,&QWP(16*1,$inp));
2398	&movdqu		($inout2,&QWP(16*2,$inp));
2399	&movdqu		($inout3,&QWP(16*3,$inp));
2400	&movdqu		($inout4,&QWP(16*4,$inp));
2401	&movdqu		($inout5,&QWP(16*5,$inp));
2402	&lea		($inp,&DWP(16*6,$inp));
2403
2404	&movdqa		(&QWP($checksum,"esp"),$rndkey1);
2405	&pxor		($inout0,$rndkey0);		# ^ roundkey[0]
2406	&pxor		($inout1,$rndkey0);
2407	&pxor		($inout2,$rndkey0);
2408	&pxor		($inout3,$rndkey0);
2409	&pxor		($inout4,$rndkey0);
2410	&pxor		($inout5,$rndkey0);
2411
2412	&$movekey	($rndkey1,&QWP(-32,$key,$rounds));
2413	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2414	&pxor		($inout1,&QWP(16*1,"esp"));
2415	&pxor		($inout2,&QWP(16*2,"esp"));
2416	&pxor		($inout3,&QWP(16*3,"esp"));
2417	&pxor		($inout4,&QWP(16*4,"esp"));
2418	&pxor		($inout5,&QWP(16*5,"esp"));
2419
2420	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
2421	&aesdec		($inout0,$rndkey1);
2422	&aesdec		($inout1,$rndkey1);
2423	&aesdec		($inout2,$rndkey1);
2424	&aesdec		($inout3,$rndkey1);
2425	&aesdec		($inout4,$rndkey1);
2426	&aesdec		($inout5,$rndkey1);
2427
2428	&mov		($out,&DWP($out_off,"esp"));
2429	&mov		($len,&DWP($end_off,"esp"));
2430	&call		("_aesni_decrypt6_enter");
2431
2432	&movdqa		($rndkey0,&QWP(16*5,"esp"));	# pass last offset_i
2433	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2434	&movdqa		($rndkey1,&QWP($checksum,"esp"));
2435	&pxor		($inout1,&QWP(16*1,"esp"));
2436	&pxor		($inout2,&QWP(16*2,"esp"));
2437	&pxor		($inout3,&QWP(16*3,"esp"));
2438	&pxor		($inout4,&QWP(16*4,"esp"));
2439	&pxor		($inout5,$rndkey0);
2440
2441	&pxor		($rndkey1,$inout0);		# checksum
2442	&movdqu		(&QWP(-16*6,$out,$inp),$inout0);# store output
2443	&pxor		($rndkey1,$inout1);
2444	&movdqu		(&QWP(-16*5,$out,$inp),$inout1);
2445	&pxor		($rndkey1,$inout2);
2446	&movdqu		(&QWP(-16*4,$out,$inp),$inout2);
2447	&pxor		($rndkey1,$inout3);
2448	&movdqu		(&QWP(-16*3,$out,$inp),$inout3);
2449	&pxor		($rndkey1,$inout4);
2450	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
2451	&pxor		($rndkey1,$inout5);
2452	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
2453	&cmp		($inp,$len);			# done yet?
2454	&jbe		(&label("grandloop"));
2455
2456&set_label("short");
2457	&add		($len,16*6);
2458	&sub		($len,$inp);
2459	&jz		(&label("done"));
2460
2461	&cmp		($len,16*2);
2462	&jb		(&label("one"));
2463	&je		(&label("two"));
2464
2465	&cmp		($len,16*4);
2466	&jb		(&label("three"));
2467	&je		(&label("four"));
2468
2469	&lea		($i1,&DWP(1,$block));
2470	&lea		($i3,&DWP(3,$block));
2471	&bsf		($i1,$i1);
2472	&bsf		($i3,$i3);
2473	&shl		($i1,4);
2474	&shl		($i3,4);
2475	&movdqu		($inout0,&QWP(0,$l_));
2476	&movdqu		($inout1,&QWP(0,$l_,$i1));
2477	&mov		($rounds,&DWP($rounds_off,"esp"));
2478	&movdqa		($inout2,$inout0);
2479	&movdqu		($inout3,&QWP(0,$l_,$i3));
2480	&movdqa		($inout4,$inout0);
2481
2482	&pxor		($inout0,$rndkey0);		# ^ last offset_i
2483	&pxor		($inout1,$inout0);
2484	&movdqa		(&QWP(16*0,"esp"),$inout0);
2485	&pxor		($inout2,$inout1);
2486	&movdqa		(&QWP(16*1,"esp"),$inout1);
2487	&pxor		($inout3,$inout2);
2488	&movdqa		(&QWP(16*2,"esp"),$inout2);
2489	&pxor		($inout4,$inout3);
2490	&movdqa		(&QWP(16*3,"esp"),$inout3);
2491	&pxor		($inout5,$inout4);
2492	&movdqa		(&QWP(16*4,"esp"),$inout4);
2493
2494	&$movekey	($rndkey0,&QWP(-48,$key,$rounds));
2495	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2496	&movdqu		($inout1,&QWP(16*1,$inp));
2497	&movdqu		($inout2,&QWP(16*2,$inp));
2498	&movdqu		($inout3,&QWP(16*3,$inp));
2499	&movdqu		($inout4,&QWP(16*4,$inp));
2500	&pxor		($inout5,$inout5);
2501
2502	&movdqa		(&QWP($checksum,"esp"),$rndkey1);
2503	&pxor		($inout0,$rndkey0);		# ^ roundkey[0]
2504	&pxor		($inout1,$rndkey0);
2505	&pxor		($inout2,$rndkey0);
2506	&pxor		($inout3,$rndkey0);
2507	&pxor		($inout4,$rndkey0);
2508
2509	&$movekey	($rndkey1,&QWP(-32,$key,$rounds));
2510	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2511	&pxor		($inout1,&QWP(16*1,"esp"));
2512	&pxor		($inout2,&QWP(16*2,"esp"));
2513	&pxor		($inout3,&QWP(16*3,"esp"));
2514	&pxor		($inout4,&QWP(16*4,"esp"));
2515
2516	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
2517	&aesdec		($inout0,$rndkey1);
2518	&aesdec		($inout1,$rndkey1);
2519	&aesdec		($inout2,$rndkey1);
2520	&aesdec		($inout3,$rndkey1);
2521	&aesdec		($inout4,$rndkey1);
2522	&aesdec		($inout5,$rndkey1);
2523
2524	&mov		($out,&DWP($out_off,"esp"));
2525	&call		("_aesni_decrypt6_enter");
2526
2527	&movdqa		($rndkey0,&QWP(16*4,"esp"));	# pass last offset_i
2528	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2529	&movdqa		($rndkey1,&QWP($checksum,"esp"));
2530	&pxor		($inout1,&QWP(16*1,"esp"));
2531	&pxor		($inout2,&QWP(16*2,"esp"));
2532	&pxor		($inout3,&QWP(16*3,"esp"));
2533	&pxor		($inout4,$rndkey0);
2534
2535	&pxor		($rndkey1,$inout0);		# checksum
2536	&movdqu		(&QWP(16*0,$out,$inp),$inout0);	# store output
2537	&pxor		($rndkey1,$inout1);
2538	&movdqu		(&QWP(16*1,$out,$inp),$inout1);
2539	&pxor		($rndkey1,$inout2);
2540	&movdqu		(&QWP(16*2,$out,$inp),$inout2);
2541	&pxor		($rndkey1,$inout3);
2542	&movdqu		(&QWP(16*3,$out,$inp),$inout3);
2543	&pxor		($rndkey1,$inout4);
2544	&movdqu		(&QWP(16*4,$out,$inp),$inout4);
2545
2546	&jmp		(&label("done"));
2547
2548&set_label("one",16);
2549	&movdqu		($inout5,&QWP(0,$l_));
2550	&mov		($key,&DWP($key_off,"esp"));	# restore key
2551
2552	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2553	&mov		($rounds,&DWP(240,$key));
2554
2555	&pxor		($inout5,$rndkey0);		# ^ last offset_i
2556	&pxor		($inout0,$inout5);		# ^ offset_i
2557
2558	&movdqa		($inout4,$rndkey1);
2559	&mov		($out,&DWP($out_off,"esp"));
2560	if ($inline)
2561	{   &aesni_inline_generate1("dec");	}
2562	else
2563	{   &call	("_aesni_decrypt1");	}
2564
2565	&xorps		($inout0,$inout5);		# ^ offset_i
2566	&movaps		($rndkey1,$inout4);		# pass the checksum
2567	&movdqa		($rndkey0,$inout5);		# pass last offset_i
2568	&xorps		($rndkey1,$inout0);		# checksum
2569	&movups		(&QWP(0,$out,$inp),$inout0);
2570
2571	&jmp		(&label("done"));
2572
2573&set_label("two",16);
2574	&lea		($i1,&DWP(1,$block));
2575	&mov		($key,&DWP($key_off,"esp"));	# restore key
2576	&bsf		($i1,$i1);
2577	&shl		($i1,4);
2578	&movdqu		($inout4,&QWP(0,$l_));
2579	&movdqu		($inout5,&QWP(0,$l_,$i1));
2580
2581	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2582	&movdqu		($inout1,&QWP(16*1,$inp));
2583	&mov		($rounds,&DWP(240,$key));
2584
2585	&movdqa		($inout3,$rndkey1);
2586	&pxor		($inout4,$rndkey0);		# ^ last offset_i
2587	&pxor		($inout5,$inout4);
2588
2589	&pxor		($inout0,$inout4);		# ^ offset_i
2590	&pxor		($inout1,$inout5);
2591
2592	&mov		($out,&DWP($out_off,"esp"));
2593	&call		("_aesni_decrypt2");
2594
2595	&xorps		($inout0,$inout4);		# ^ offset_i
2596	&xorps		($inout1,$inout5);
2597	&movdqa		($rndkey0,$inout5);		# pass last offset_i
2598	&xorps		($inout3,$inout0);		# checksum
2599	&movups		(&QWP(16*0,$out,$inp),$inout0);	# store output
2600	&xorps		($inout3,$inout1);
2601	&movups		(&QWP(16*1,$out,$inp),$inout1);
2602	&movaps		($rndkey1,$inout3);		# pass the checksum
2603
2604	&jmp		(&label("done"));
2605
2606&set_label("three",16);
2607	&lea		($i1,&DWP(1,$block));
2608	&mov		($key,&DWP($key_off,"esp"));	# restore key
2609	&bsf		($i1,$i1);
2610	&shl		($i1,4);
2611	&movdqu		($inout3,&QWP(0,$l_));
2612	&movdqu		($inout4,&QWP(0,$l_,$i1));
2613	&movdqa		($inout5,$inout3);
2614
2615	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2616	&movdqu		($inout1,&QWP(16*1,$inp));
2617	&movdqu		($inout2,&QWP(16*2,$inp));
2618	&mov		($rounds,&DWP(240,$key));
2619
2620	&movdqa		(&QWP($checksum,"esp"),$rndkey1);
2621	&pxor		($inout3,$rndkey0);		# ^ last offset_i
2622	&pxor		($inout4,$inout3);
2623	&pxor		($inout5,$inout4);
2624
2625	&pxor		($inout0,$inout3);		# ^ offset_i
2626	&pxor		($inout1,$inout4);
2627	&pxor		($inout2,$inout5);
2628
2629	&mov		($out,&DWP($out_off,"esp"));
2630	&call		("_aesni_decrypt3");
2631
2632	&movdqa		($rndkey1,&QWP($checksum,"esp"));# pass the checksum
2633	&xorps		($inout0,$inout3);		# ^ offset_i
2634	&xorps		($inout1,$inout4);
2635	&xorps		($inout2,$inout5);
2636	&movups		(&QWP(16*0,$out,$inp),$inout0);	# store output
2637	&pxor		($rndkey1,$inout0);		# checksum
2638	&movdqa		($rndkey0,$inout5);		# pass last offset_i
2639	&movups		(&QWP(16*1,$out,$inp),$inout1);
2640	&pxor		($rndkey1,$inout1);
2641	&movups		(&QWP(16*2,$out,$inp),$inout2);
2642	&pxor		($rndkey1,$inout2);
2643
2644	&jmp		(&label("done"));
2645
2646&set_label("four",16);
2647	&lea		($i1,&DWP(1,$block));
2648	&lea		($i3,&DWP(3,$block));
2649	&bsf		($i1,$i1);
2650	&bsf		($i3,$i3);
2651	&mov		($key,&DWP($key_off,"esp"));	# restore key
2652	&shl		($i1,4);
2653	&shl		($i3,4);
2654	&movdqu		($inout2,&QWP(0,$l_));
2655	&movdqu		($inout3,&QWP(0,$l_,$i1));
2656	&movdqa		($inout4,$inout2);
2657	&movdqu		($inout5,&QWP(0,$l_,$i3));
2658
2659	&pxor		($inout2,$rndkey0);		# ^ last offset_i
2660	&movdqu		($inout0,&QWP(16*0,$inp));	# load input
2661	&pxor		($inout3,$inout2);
2662	&movdqu		($inout1,&QWP(16*1,$inp));
2663	&pxor		($inout4,$inout3);
2664	&movdqa		(&QWP(16*0,"esp"),$inout2);
2665	&pxor		($inout5,$inout4);
2666	&movdqa		(&QWP(16*1,"esp"),$inout3);
2667	&movdqu		($inout2,&QWP(16*2,$inp));
2668	&movdqu		($inout3,&QWP(16*3,$inp));
2669	&mov		($rounds,&DWP(240,$key));
2670
2671	&movdqa		(&QWP($checksum,"esp"),$rndkey1);
2672	&pxor		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2673	&pxor		($inout1,&QWP(16*1,"esp"));
2674	&pxor		($inout2,$inout4);
2675	&pxor		($inout3,$inout5);
2676
2677	&mov		($out,&DWP($out_off,"esp"));
2678	&call		("_aesni_decrypt4");
2679
2680	&movdqa		($rndkey1,&QWP($checksum,"esp"));# pass the checksum
2681	&xorps		($inout0,&QWP(16*0,"esp"));	# ^ offset_i
2682	&xorps		($inout1,&QWP(16*1,"esp"));
2683	&xorps		($inout2,$inout4);
2684	&movups		(&QWP(16*0,$out,$inp),$inout0);	# store output
2685	&pxor		($rndkey1,$inout0);		# checksum
2686	&xorps		($inout3,$inout5);
2687	&movups		(&QWP(16*1,$out,$inp),$inout1);
2688	&pxor		($rndkey1,$inout1);
2689	&movdqa		($rndkey0,$inout5);		# pass last offset_i
2690	&movups		(&QWP(16*2,$out,$inp),$inout2);
2691	&pxor		($rndkey1,$inout2);
2692	&movups		(&QWP(16*3,$out,$inp),$inout3);
2693	&pxor		($rndkey1,$inout3);
2694
2695&set_label("done");
2696	&mov	($key,&DWP($esp_off,"esp"));
2697	&pxor	($inout0,$inout0);		# clear register bank
2698	&pxor	($inout1,$inout1);
2699	&movdqa	(&QWP(16*0,"esp"),$inout0);	# clear stack
2700	&pxor	($inout2,$inout2);
2701	&movdqa	(&QWP(16*1,"esp"),$inout0);
2702	&pxor	($inout3,$inout3);
2703	&movdqa	(&QWP(16*2,"esp"),$inout0);
2704	&pxor	($inout4,$inout4);
2705	&movdqa	(&QWP(16*3,"esp"),$inout0);
2706	&pxor	($inout5,$inout5);
2707	&movdqa	(&QWP(16*4,"esp"),$inout0);
2708	&movdqa	(&QWP(16*5,"esp"),$inout0);
2709	&movdqa	(&QWP(16*6,"esp"),$inout0);
2710
2711	&lea	("esp",&DWP(0,$key));
2712	&mov	($rounds,&wparam(5));		# &offset_i
2713	&mov	($rounds_,&wparam(7));		# &checksum
2714	&movdqu	(&QWP(0,$rounds),$rndkey0);
2715	&pxor	($rndkey0,$rndkey0);
2716	&movdqu	(&QWP(0,$rounds_),$rndkey1);
2717	&pxor	($rndkey1,$rndkey1);
2718&function_end("aesni_ocb_decrypt");
2719}
2720}
2721
2722######################################################################
2723# void $PREFIX_cbc_encrypt (const void *inp, void *out,
2724#                           size_t length, const AES_KEY *key,
2725#                           unsigned char *ivp,const int enc);
2726&function_begin("${PREFIX}_cbc_encrypt");
2727	&mov	($inp,&wparam(0));
2728	&mov	($rounds_,"esp");
2729	&mov	($out,&wparam(1));
2730	&sub	($rounds_,24);
2731	&mov	($len,&wparam(2));
2732	&and	($rounds_,-16);
2733	&mov	($key,&wparam(3));
2734	&mov	($key_,&wparam(4));
2735	&test	($len,$len);
2736	&jz	(&label("cbc_abort"));
2737
2738	&cmp	(&wparam(5),0);
2739	&xchg	($rounds_,"esp");		# alloca
2740	&movups	($ivec,&QWP(0,$key_));		# load IV
2741	&mov	($rounds,&DWP(240,$key));
2742	&mov	($key_,$key);			# backup $key
2743	&mov	(&DWP(16,"esp"),$rounds_);	# save original %esp
2744	&mov	($rounds_,$rounds);		# backup $rounds
2745	&je	(&label("cbc_decrypt"));
2746
2747	&movaps	($inout0,$ivec);
2748	&cmp	($len,16);
2749	&jb	(&label("cbc_enc_tail"));
2750	&sub	($len,16);
2751	&jmp	(&label("cbc_enc_loop"));
2752
2753&set_label("cbc_enc_loop",16);
2754	&movups	($ivec,&QWP(0,$inp));		# input actually
2755	&lea	($inp,&DWP(16,$inp));
2756	if ($inline)
2757	{   &aesni_inline_generate1("enc",$inout0,$ivec);	}
2758	else
2759	{   &xorps($inout0,$ivec); &call("_aesni_encrypt1");	}
2760	&mov	($rounds,$rounds_);	# restore $rounds
2761	&mov	($key,$key_);		# restore $key
2762	&movups	(&QWP(0,$out),$inout0);	# store output
2763	&lea	($out,&DWP(16,$out));
2764	&sub	($len,16);
2765	&jnc	(&label("cbc_enc_loop"));
2766	&add	($len,16);
2767	&jnz	(&label("cbc_enc_tail"));
2768	&movaps	($ivec,$inout0);
2769	&pxor	($inout0,$inout0);
2770	&jmp	(&label("cbc_ret"));
2771
2772&set_label("cbc_enc_tail");
2773	&mov	("ecx",$len);		# zaps $rounds
2774	&data_word(0xA4F3F689);		# rep movsb
2775	&mov	("ecx",16);		# zero tail
2776	&sub	("ecx",$len);
2777	&xor	("eax","eax");		# zaps $len
2778	&data_word(0xAAF3F689);		# rep stosb
2779	&lea	($out,&DWP(-16,$out));	# rewind $out by 1 block
2780	&mov	($rounds,$rounds_);	# restore $rounds
2781	&mov	($inp,$out);		# $inp and $out are the same
2782	&mov	($key,$key_);		# restore $key
2783	&jmp	(&label("cbc_enc_loop"));
2784######################################################################
2785&set_label("cbc_decrypt",16);
2786	&cmp	($len,0x50);
2787	&jbe	(&label("cbc_dec_tail"));
2788	&movaps	(&QWP(0,"esp"),$ivec);		# save IV
2789	&sub	($len,0x50);
2790	&jmp	(&label("cbc_dec_loop6_enter"));
2791
2792&set_label("cbc_dec_loop6",16);
2793	&movaps	(&QWP(0,"esp"),$rndkey0);	# save IV
2794	&movups	(&QWP(0,$out),$inout5);
2795	&lea	($out,&DWP(0x10,$out));
2796&set_label("cbc_dec_loop6_enter");
2797	&movdqu	($inout0,&QWP(0,$inp));
2798	&movdqu	($inout1,&QWP(0x10,$inp));
2799	&movdqu	($inout2,&QWP(0x20,$inp));
2800	&movdqu	($inout3,&QWP(0x30,$inp));
2801	&movdqu	($inout4,&QWP(0x40,$inp));
2802	&movdqu	($inout5,&QWP(0x50,$inp));
2803
2804	&call	("_aesni_decrypt6");
2805
2806	&movups	($rndkey1,&QWP(0,$inp));
2807	&movups	($rndkey0,&QWP(0x10,$inp));
2808	&xorps	($inout0,&QWP(0,"esp"));	# ^=IV
2809	&xorps	($inout1,$rndkey1);
2810	&movups	($rndkey1,&QWP(0x20,$inp));
2811	&xorps	($inout2,$rndkey0);
2812	&movups	($rndkey0,&QWP(0x30,$inp));
2813	&xorps	($inout3,$rndkey1);
2814	&movups	($rndkey1,&QWP(0x40,$inp));
2815	&xorps	($inout4,$rndkey0);
2816	&movups	($rndkey0,&QWP(0x50,$inp));	# IV
2817	&xorps	($inout5,$rndkey1);
2818	&movups	(&QWP(0,$out),$inout0);
2819	&movups	(&QWP(0x10,$out),$inout1);
2820	&lea	($inp,&DWP(0x60,$inp));
2821	&movups	(&QWP(0x20,$out),$inout2);
2822	&mov	($rounds,$rounds_);		# restore $rounds
2823	&movups	(&QWP(0x30,$out),$inout3);
2824	&mov	($key,$key_);			# restore $key
2825	&movups	(&QWP(0x40,$out),$inout4);
2826	&lea	($out,&DWP(0x50,$out));
2827	&sub	($len,0x60);
2828	&ja	(&label("cbc_dec_loop6"));
2829
2830	&movaps	($inout0,$inout5);
2831	&movaps	($ivec,$rndkey0);
2832	&add	($len,0x50);
2833	&jle	(&label("cbc_dec_clear_tail_collected"));
2834	&movups	(&QWP(0,$out),$inout0);
2835	&lea	($out,&DWP(0x10,$out));
2836&set_label("cbc_dec_tail");
2837	&movups	($inout0,&QWP(0,$inp));
2838	&movaps	($in0,$inout0);
2839	&cmp	($len,0x10);
2840	&jbe	(&label("cbc_dec_one"));
2841
2842	&movups	($inout1,&QWP(0x10,$inp));
2843	&movaps	($in1,$inout1);
2844	&cmp	($len,0x20);
2845	&jbe	(&label("cbc_dec_two"));
2846
2847	&movups	($inout2,&QWP(0x20,$inp));
2848	&cmp	($len,0x30);
2849	&jbe	(&label("cbc_dec_three"));
2850
2851	&movups	($inout3,&QWP(0x30,$inp));
2852	&cmp	($len,0x40);
2853	&jbe	(&label("cbc_dec_four"));
2854
2855	&movups	($inout4,&QWP(0x40,$inp));
2856	&movaps	(&QWP(0,"esp"),$ivec);		# save IV
2857	&movups	($inout0,&QWP(0,$inp));
2858	&xorps	($inout5,$inout5);
2859	&call	("_aesni_decrypt6");
2860	&movups	($rndkey1,&QWP(0,$inp));
2861	&movups	($rndkey0,&QWP(0x10,$inp));
2862	&xorps	($inout0,&QWP(0,"esp"));	# ^= IV
2863	&xorps	($inout1,$rndkey1);
2864	&movups	($rndkey1,&QWP(0x20,$inp));
2865	&xorps	($inout2,$rndkey0);
2866	&movups	($rndkey0,&QWP(0x30,$inp));
2867	&xorps	($inout3,$rndkey1);
2868	&movups	($ivec,&QWP(0x40,$inp));	# IV
2869	&xorps	($inout4,$rndkey0);
2870	&movups	(&QWP(0,$out),$inout0);
2871	&movups	(&QWP(0x10,$out),$inout1);
2872	&pxor	($inout1,$inout1);
2873	&movups	(&QWP(0x20,$out),$inout2);
2874	&pxor	($inout2,$inout2);
2875	&movups	(&QWP(0x30,$out),$inout3);
2876	&pxor	($inout3,$inout3);
2877	&lea	($out,&DWP(0x40,$out));
2878	&movaps	($inout0,$inout4);
2879	&pxor	($inout4,$inout4);
2880	&sub	($len,0x50);
2881	&jmp	(&label("cbc_dec_tail_collected"));
2882
2883&set_label("cbc_dec_one",16);
2884	if ($inline)
2885	{   &aesni_inline_generate1("dec");	}
2886	else
2887	{   &call	("_aesni_decrypt1");	}
2888	&xorps	($inout0,$ivec);
2889	&movaps	($ivec,$in0);
2890	&sub	($len,0x10);
2891	&jmp	(&label("cbc_dec_tail_collected"));
2892
2893&set_label("cbc_dec_two",16);
2894	&call	("_aesni_decrypt2");
2895	&xorps	($inout0,$ivec);
2896	&xorps	($inout1,$in0);
2897	&movups	(&QWP(0,$out),$inout0);
2898	&movaps	($inout0,$inout1);
2899	&pxor	($inout1,$inout1);
2900	&lea	($out,&DWP(0x10,$out));
2901	&movaps	($ivec,$in1);
2902	&sub	($len,0x20);
2903	&jmp	(&label("cbc_dec_tail_collected"));
2904
2905&set_label("cbc_dec_three",16);
2906	&call	("_aesni_decrypt3");
2907	&xorps	($inout0,$ivec);
2908	&xorps	($inout1,$in0);
2909	&xorps	($inout2,$in1);
2910	&movups	(&QWP(0,$out),$inout0);
2911	&movaps	($inout0,$inout2);
2912	&pxor	($inout2,$inout2);
2913	&movups	(&QWP(0x10,$out),$inout1);
2914	&pxor	($inout1,$inout1);
2915	&lea	($out,&DWP(0x20,$out));
2916	&movups	($ivec,&QWP(0x20,$inp));
2917	&sub	($len,0x30);
2918	&jmp	(&label("cbc_dec_tail_collected"));
2919
2920&set_label("cbc_dec_four",16);
2921	&call	("_aesni_decrypt4");
2922	&movups	($rndkey1,&QWP(0x10,$inp));
2923	&movups	($rndkey0,&QWP(0x20,$inp));
2924	&xorps	($inout0,$ivec);
2925	&movups	($ivec,&QWP(0x30,$inp));
2926	&xorps	($inout1,$in0);
2927	&movups	(&QWP(0,$out),$inout0);
2928	&xorps	($inout2,$rndkey1);
2929	&movups	(&QWP(0x10,$out),$inout1);
2930	&pxor	($inout1,$inout1);
2931	&xorps	($inout3,$rndkey0);
2932	&movups	(&QWP(0x20,$out),$inout2);
2933	&pxor	($inout2,$inout2);
2934	&lea	($out,&DWP(0x30,$out));
2935	&movaps	($inout0,$inout3);
2936	&pxor	($inout3,$inout3);
2937	&sub	($len,0x40);
2938	&jmp	(&label("cbc_dec_tail_collected"));
2939
2940&set_label("cbc_dec_clear_tail_collected",16);
2941	&pxor	($inout1,$inout1);
2942	&pxor	($inout2,$inout2);
2943	&pxor	($inout3,$inout3);
2944	&pxor	($inout4,$inout4);
2945&set_label("cbc_dec_tail_collected");
2946	&and	($len,15);
2947	&jnz	(&label("cbc_dec_tail_partial"));
2948	&movups	(&QWP(0,$out),$inout0);
2949	&pxor	($rndkey0,$rndkey0);
2950	&jmp	(&label("cbc_ret"));
2951
2952&set_label("cbc_dec_tail_partial",16);
2953	&movaps	(&QWP(0,"esp"),$inout0);
2954	&pxor	($rndkey0,$rndkey0);
2955	&mov	("ecx",16);
2956	&mov	($inp,"esp");
2957	&sub	("ecx",$len);
2958	&data_word(0xA4F3F689);		# rep movsb
2959	&movdqa	(&QWP(0,"esp"),$inout0);
2960
2961&set_label("cbc_ret");
2962	&mov	("esp",&DWP(16,"esp"));	# pull original %esp
2963	&mov	($key_,&wparam(4));
2964	&pxor	($inout0,$inout0);
2965	&pxor	($rndkey1,$rndkey1);
2966	&movups	(&QWP(0,$key_),$ivec);	# output IV
2967	&pxor	($ivec,$ivec);
2968&set_label("cbc_abort");
2969&function_end("${PREFIX}_cbc_encrypt");
2970
2971######################################################################
2972# Mechanical port from aesni-x86_64.pl.
2973#
2974# _aesni_set_encrypt_key is private interface,
2975# input:
2976#	"eax"	const unsigned char *userKey
2977#	$rounds	int bits
2978#	$key	AES_KEY *key
2979# output:
2980#	"eax"	return code
2981#	$round	rounds
2982
2983&function_begin_B("_aesni_set_encrypt_key");
2984	&push	("ebp");
2985	&push	("ebx");
2986	&test	("eax","eax");
2987	&jz	(&label("bad_pointer"));
2988	&test	($key,$key);
2989	&jz	(&label("bad_pointer"));
2990
2991	&call	(&label("pic"));
2992&set_label("pic");
2993	&blindpop("ebx");
2994	&lea	("ebx",&DWP(&label("key_const")."-".&label("pic"),"ebx"));
2995
2996	&picmeup("ebp","OPENSSL_ia32cap_P","ebx",&label("key_const"));
2997	&movups	("xmm0",&QWP(0,"eax"));	# pull first 128 bits of *userKey
2998	&xorps	("xmm4","xmm4");	# low dword of xmm4 is assumed 0
2999	&mov	("ebp",&DWP(4,"ebp"));
3000	&lea	($key,&DWP(16,$key));
3001	&and	("ebp",1<<28|1<<11);	# AVX and XOP bits
3002	&cmp	($rounds,256);
3003	&je	(&label("14rounds"));
3004	&cmp	($rounds,192);
3005	&je	(&label("12rounds"));
3006	&cmp	($rounds,128);
3007	&jne	(&label("bad_keybits"));
3008
3009&set_label("10rounds",16);
3010	&cmp		("ebp",1<<28);
3011	&je		(&label("10rounds_alt"));
3012
3013	&mov		($rounds,9);
3014	&$movekey	(&QWP(-16,$key),"xmm0");	# round 0
3015	&aeskeygenassist("xmm1","xmm0",0x01);		# round 1
3016	&call		(&label("key_128_cold"));
3017	&aeskeygenassist("xmm1","xmm0",0x2);		# round 2
3018	&call		(&label("key_128"));
3019	&aeskeygenassist("xmm1","xmm0",0x04);		# round 3
3020	&call		(&label("key_128"));
3021	&aeskeygenassist("xmm1","xmm0",0x08);		# round 4
3022	&call		(&label("key_128"));
3023	&aeskeygenassist("xmm1","xmm0",0x10);		# round 5
3024	&call		(&label("key_128"));
3025	&aeskeygenassist("xmm1","xmm0",0x20);		# round 6
3026	&call		(&label("key_128"));
3027	&aeskeygenassist("xmm1","xmm0",0x40);		# round 7
3028	&call		(&label("key_128"));
3029	&aeskeygenassist("xmm1","xmm0",0x80);		# round 8
3030	&call		(&label("key_128"));
3031	&aeskeygenassist("xmm1","xmm0",0x1b);		# round 9
3032	&call		(&label("key_128"));
3033	&aeskeygenassist("xmm1","xmm0",0x36);		# round 10
3034	&call		(&label("key_128"));
3035	&$movekey	(&QWP(0,$key),"xmm0");
3036	&mov		(&DWP(80,$key),$rounds);
3037
3038	&jmp	(&label("good_key"));
3039
3040&set_label("key_128",16);
3041	&$movekey	(&QWP(0,$key),"xmm0");
3042	&lea		($key,&DWP(16,$key));
3043&set_label("key_128_cold");
3044	&shufps		("xmm4","xmm0",0b00010000);
3045	&xorps		("xmm0","xmm4");
3046	&shufps		("xmm4","xmm0",0b10001100);
3047	&xorps		("xmm0","xmm4");
3048	&shufps		("xmm1","xmm1",0b11111111);	# critical path
3049	&xorps		("xmm0","xmm1");
3050	&ret();
3051
3052&set_label("10rounds_alt",16);
3053	&movdqa		("xmm5",&QWP(0x00,"ebx"));
3054	&mov		($rounds,8);
3055	&movdqa		("xmm4",&QWP(0x20,"ebx"));
3056	&movdqa		("xmm2","xmm0");
3057	&movdqu		(&QWP(-16,$key),"xmm0");
3058
3059&set_label("loop_key128");
3060	&pshufb		("xmm0","xmm5");
3061	&aesenclast	("xmm0","xmm4");
3062	&pslld		("xmm4",1);
3063	&lea		($key,&DWP(16,$key));
3064
3065	&movdqa		("xmm3","xmm2");
3066	&pslldq		("xmm2",4);
3067	&pxor		("xmm3","xmm2");
3068	&pslldq		("xmm2",4);
3069	&pxor		("xmm3","xmm2");
3070	&pslldq		("xmm2",4);
3071	&pxor		("xmm2","xmm3");
3072
3073	&pxor		("xmm0","xmm2");
3074	&movdqu		(&QWP(-16,$key),"xmm0");
3075	&movdqa		("xmm2","xmm0");
3076
3077	&dec		($rounds);
3078	&jnz		(&label("loop_key128"));
3079
3080	&movdqa		("xmm4",&QWP(0x30,"ebx"));
3081
3082	&pshufb		("xmm0","xmm5");
3083	&aesenclast	("xmm0","xmm4");
3084	&pslld		("xmm4",1);
3085
3086	&movdqa		("xmm3","xmm2");
3087	&pslldq		("xmm2",4);
3088	&pxor		("xmm3","xmm2");
3089	&pslldq		("xmm2",4);
3090	&pxor		("xmm3","xmm2");
3091	&pslldq		("xmm2",4);
3092	&pxor		("xmm2","xmm3");
3093
3094	&pxor		("xmm0","xmm2");
3095	&movdqu		(&QWP(0,$key),"xmm0");
3096
3097	&movdqa		("xmm2","xmm0");
3098	&pshufb		("xmm0","xmm5");
3099	&aesenclast	("xmm0","xmm4");
3100
3101	&movdqa		("xmm3","xmm2");
3102	&pslldq		("xmm2",4);
3103	&pxor		("xmm3","xmm2");
3104	&pslldq		("xmm2",4);
3105	&pxor		("xmm3","xmm2");
3106	&pslldq		("xmm2",4);
3107	&pxor		("xmm2","xmm3");
3108
3109	&pxor		("xmm0","xmm2");
3110	&movdqu		(&QWP(16,$key),"xmm0");
3111
3112	&mov		($rounds,9);
3113	&mov		(&DWP(96,$key),$rounds);
3114
3115	&jmp	(&label("good_key"));
3116
3117&set_label("12rounds",16);
3118	&movq		("xmm2",&QWP(16,"eax"));	# remaining 1/3 of *userKey
3119	&cmp		("ebp",1<<28);
3120	&je		(&label("12rounds_alt"));
3121
3122	&mov		($rounds,11);
3123	&$movekey	(&QWP(-16,$key),"xmm0");	# round 0
3124	&aeskeygenassist("xmm1","xmm2",0x01);		# round 1,2
3125	&call		(&label("key_192a_cold"));
3126	&aeskeygenassist("xmm1","xmm2",0x02);		# round 2,3
3127	&call		(&label("key_192b"));
3128	&aeskeygenassist("xmm1","xmm2",0x04);		# round 4,5
3129	&call		(&label("key_192a"));
3130	&aeskeygenassist("xmm1","xmm2",0x08);		# round 5,6
3131	&call		(&label("key_192b"));
3132	&aeskeygenassist("xmm1","xmm2",0x10);		# round 7,8
3133	&call		(&label("key_192a"));
3134	&aeskeygenassist("xmm1","xmm2",0x20);		# round 8,9
3135	&call		(&label("key_192b"));
3136	&aeskeygenassist("xmm1","xmm2",0x40);		# round 10,11
3137	&call		(&label("key_192a"));
3138	&aeskeygenassist("xmm1","xmm2",0x80);		# round 11,12
3139	&call		(&label("key_192b"));
3140	&$movekey	(&QWP(0,$key),"xmm0");
3141	&mov		(&DWP(48,$key),$rounds);
3142
3143	&jmp	(&label("good_key"));
3144
3145&set_label("key_192a",16);
3146	&$movekey	(&QWP(0,$key),"xmm0");
3147	&lea		($key,&DWP(16,$key));
3148&set_label("key_192a_cold",16);
3149	&movaps		("xmm5","xmm2");
3150&set_label("key_192b_warm");
3151	&shufps		("xmm4","xmm0",0b00010000);
3152	&movdqa		("xmm3","xmm2");
3153	&xorps		("xmm0","xmm4");
3154	&shufps		("xmm4","xmm0",0b10001100);
3155	&pslldq		("xmm3",4);
3156	&xorps		("xmm0","xmm4");
3157	&pshufd		("xmm1","xmm1",0b01010101);	# critical path
3158	&pxor		("xmm2","xmm3");
3159	&pxor		("xmm0","xmm1");
3160	&pshufd		("xmm3","xmm0",0b11111111);
3161	&pxor		("xmm2","xmm3");
3162	&ret();
3163
3164&set_label("key_192b",16);
3165	&movaps		("xmm3","xmm0");
3166	&shufps		("xmm5","xmm0",0b01000100);
3167	&$movekey	(&QWP(0,$key),"xmm5");
3168	&shufps		("xmm3","xmm2",0b01001110);
3169	&$movekey	(&QWP(16,$key),"xmm3");
3170	&lea		($key,&DWP(32,$key));
3171	&jmp		(&label("key_192b_warm"));
3172
3173&set_label("12rounds_alt",16);
3174	&movdqa		("xmm5",&QWP(0x10,"ebx"));
3175	&movdqa		("xmm4",&QWP(0x20,"ebx"));
3176	&mov		($rounds,8);
3177	&movdqu		(&QWP(-16,$key),"xmm0");
3178
3179&set_label("loop_key192");
3180	&movq		(&QWP(0,$key),"xmm2");
3181	&movdqa		("xmm1","xmm2");
3182	&pshufb		("xmm2","xmm5");
3183	&aesenclast	("xmm2","xmm4");
3184	&pslld		("xmm4",1);
3185	&lea		($key,&DWP(24,$key));
3186
3187	&movdqa		("xmm3","xmm0");
3188	&pslldq		("xmm0",4);
3189	&pxor		("xmm3","xmm0");
3190	&pslldq		("xmm0",4);
3191	&pxor		("xmm3","xmm0");
3192	&pslldq		("xmm0",4);
3193	&pxor		("xmm0","xmm3");
3194
3195	&pshufd		("xmm3","xmm0",0xff);
3196	&pxor		("xmm3","xmm1");
3197	&pslldq		("xmm1",4);
3198	&pxor		("xmm3","xmm1");
3199
3200	&pxor		("xmm0","xmm2");
3201	&pxor		("xmm2","xmm3");
3202	&movdqu		(&QWP(-16,$key),"xmm0");
3203
3204	&dec		($rounds);
3205	&jnz		(&label("loop_key192"));
3206
3207	&mov	($rounds,11);
3208	&mov	(&DWP(32,$key),$rounds);
3209
3210	&jmp	(&label("good_key"));
3211
3212&set_label("14rounds",16);
3213	&movups		("xmm2",&QWP(16,"eax"));	# remaining half of *userKey
3214	&lea		($key,&DWP(16,$key));
3215	&cmp		("ebp",1<<28);
3216	&je		(&label("14rounds_alt"));
3217
3218	&mov		($rounds,13);
3219	&$movekey	(&QWP(-32,$key),"xmm0");	# round 0
3220	&$movekey	(&QWP(-16,$key),"xmm2");	# round 1
3221	&aeskeygenassist("xmm1","xmm2",0x01);		# round 2
3222	&call		(&label("key_256a_cold"));
3223	&aeskeygenassist("xmm1","xmm0",0x01);		# round 3
3224	&call		(&label("key_256b"));
3225	&aeskeygenassist("xmm1","xmm2",0x02);		# round 4
3226	&call		(&label("key_256a"));
3227	&aeskeygenassist("xmm1","xmm0",0x02);		# round 5
3228	&call		(&label("key_256b"));
3229	&aeskeygenassist("xmm1","xmm2",0x04);		# round 6
3230	&call		(&label("key_256a"));
3231	&aeskeygenassist("xmm1","xmm0",0x04);		# round 7
3232	&call		(&label("key_256b"));
3233	&aeskeygenassist("xmm1","xmm2",0x08);		# round 8
3234	&call		(&label("key_256a"));
3235	&aeskeygenassist("xmm1","xmm0",0x08);		# round 9
3236	&call		(&label("key_256b"));
3237	&aeskeygenassist("xmm1","xmm2",0x10);		# round 10
3238	&call		(&label("key_256a"));
3239	&aeskeygenassist("xmm1","xmm0",0x10);		# round 11
3240	&call		(&label("key_256b"));
3241	&aeskeygenassist("xmm1","xmm2",0x20);		# round 12
3242	&call		(&label("key_256a"));
3243	&aeskeygenassist("xmm1","xmm0",0x20);		# round 13
3244	&call		(&label("key_256b"));
3245	&aeskeygenassist("xmm1","xmm2",0x40);		# round 14
3246	&call		(&label("key_256a"));
3247	&$movekey	(&QWP(0,$key),"xmm0");
3248	&mov		(&DWP(16,$key),$rounds);
3249	&xor		("eax","eax");
3250
3251	&jmp	(&label("good_key"));
3252
3253&set_label("key_256a",16);
3254	&$movekey	(&QWP(0,$key),"xmm2");
3255	&lea		($key,&DWP(16,$key));
3256&set_label("key_256a_cold");
3257	&shufps		("xmm4","xmm0",0b00010000);
3258	&xorps		("xmm0","xmm4");
3259	&shufps		("xmm4","xmm0",0b10001100);
3260	&xorps		("xmm0","xmm4");
3261	&shufps		("xmm1","xmm1",0b11111111);	# critical path
3262	&xorps		("xmm0","xmm1");
3263	&ret();
3264
3265&set_label("key_256b",16);
3266	&$movekey	(&QWP(0,$key),"xmm0");
3267	&lea		($key,&DWP(16,$key));
3268
3269	&shufps		("xmm4","xmm2",0b00010000);
3270	&xorps		("xmm2","xmm4");
3271	&shufps		("xmm4","xmm2",0b10001100);
3272	&xorps		("xmm2","xmm4");
3273	&shufps		("xmm1","xmm1",0b10101010);	# critical path
3274	&xorps		("xmm2","xmm1");
3275	&ret();
3276
3277&set_label("14rounds_alt",16);
3278	&movdqa		("xmm5",&QWP(0x00,"ebx"));
3279	&movdqa		("xmm4",&QWP(0x20,"ebx"));
3280	&mov		($rounds,7);
3281	&movdqu		(&QWP(-32,$key),"xmm0");
3282	&movdqa		("xmm1","xmm2");
3283	&movdqu		(&QWP(-16,$key),"xmm2");
3284
3285&set_label("loop_key256");
3286	&pshufb		("xmm2","xmm5");
3287	&aesenclast	("xmm2","xmm4");
3288
3289	&movdqa		("xmm3","xmm0");
3290	&pslldq		("xmm0",4);
3291	&pxor		("xmm3","xmm0");
3292	&pslldq		("xmm0",4);
3293	&pxor		("xmm3","xmm0");
3294	&pslldq		("xmm0",4);
3295	&pxor		("xmm0","xmm3");
3296	&pslld		("xmm4",1);
3297
3298	&pxor		("xmm0","xmm2");
3299	&movdqu		(&QWP(0,$key),"xmm0");
3300
3301	&dec		($rounds);
3302	&jz		(&label("done_key256"));
3303
3304	&pshufd		("xmm2","xmm0",0xff);
3305	&pxor		("xmm3","xmm3");
3306	&aesenclast	("xmm2","xmm3");
3307
3308	&movdqa		("xmm3","xmm1");
3309	&pslldq		("xmm1",4);
3310	&pxor		("xmm3","xmm1");
3311	&pslldq		("xmm1",4);
3312	&pxor		("xmm3","xmm1");
3313	&pslldq		("xmm1",4);
3314	&pxor		("xmm1","xmm3");
3315
3316	&pxor		("xmm2","xmm1");
3317	&movdqu		(&QWP(16,$key),"xmm2");
3318	&lea		($key,&DWP(32,$key));
3319	&movdqa		("xmm1","xmm2");
3320	&jmp		(&label("loop_key256"));
3321
3322&set_label("done_key256");
3323	&mov		($rounds,13);
3324	&mov		(&DWP(16,$key),$rounds);
3325
3326&set_label("good_key");
3327	&pxor	("xmm0","xmm0");
3328	&pxor	("xmm1","xmm1");
3329	&pxor	("xmm2","xmm2");
3330	&pxor	("xmm3","xmm3");
3331	&pxor	("xmm4","xmm4");
3332	&pxor	("xmm5","xmm5");
3333	&xor	("eax","eax");
3334	&pop	("ebx");
3335	&pop	("ebp");
3336	&ret	();
3337
3338&set_label("bad_pointer",4);
3339	&mov	("eax",-1);
3340	&pop	("ebx");
3341	&pop	("ebp");
3342	&ret	();
3343&set_label("bad_keybits",4);
3344	&pxor	("xmm0","xmm0");
3345	&mov	("eax",-2);
3346	&pop	("ebx");
3347	&pop	("ebp");
3348	&ret	();
3349&function_end_B("_aesni_set_encrypt_key");
3350
3351# int $PREFIX_set_encrypt_key (const unsigned char *userKey, int bits,
3352#                              AES_KEY *key)
3353&function_begin_B("${PREFIX}_set_encrypt_key");
3354	&mov	("eax",&wparam(0));
3355	&mov	($rounds,&wparam(1));
3356	&mov	($key,&wparam(2));
3357	&call	("_aesni_set_encrypt_key");
3358	&ret	();
3359&function_end_B("${PREFIX}_set_encrypt_key");
3360
3361# int $PREFIX_set_decrypt_key (const unsigned char *userKey, int bits,
3362#                              AES_KEY *key)
3363&function_begin_B("${PREFIX}_set_decrypt_key");
3364	&mov	("eax",&wparam(0));
3365	&mov	($rounds,&wparam(1));
3366	&mov	($key,&wparam(2));
3367	&call	("_aesni_set_encrypt_key");
3368	&mov	($key,&wparam(2));
3369	&shl	($rounds,4);	# rounds-1 after _aesni_set_encrypt_key
3370	&test	("eax","eax");
3371	&jnz	(&label("dec_key_ret"));
3372	&lea	("eax",&DWP(16,$key,$rounds));	# end of key schedule
3373
3374	&$movekey	("xmm0",&QWP(0,$key));	# just swap
3375	&$movekey	("xmm1",&QWP(0,"eax"));
3376	&$movekey	(&QWP(0,"eax"),"xmm0");
3377	&$movekey	(&QWP(0,$key),"xmm1");
3378	&lea		($key,&DWP(16,$key));
3379	&lea		("eax",&DWP(-16,"eax"));
3380
3381&set_label("dec_key_inverse");
3382	&$movekey	("xmm0",&QWP(0,$key));	# swap and inverse
3383	&$movekey	("xmm1",&QWP(0,"eax"));
3384	&aesimc		("xmm0","xmm0");
3385	&aesimc		("xmm1","xmm1");
3386	&lea		($key,&DWP(16,$key));
3387	&lea		("eax",&DWP(-16,"eax"));
3388	&$movekey	(&QWP(16,"eax"),"xmm0");
3389	&$movekey	(&QWP(-16,$key),"xmm1");
3390	&cmp		("eax",$key);
3391	&ja		(&label("dec_key_inverse"));
3392
3393	&$movekey	("xmm0",&QWP(0,$key));	# inverse middle
3394	&aesimc		("xmm0","xmm0");
3395	&$movekey	(&QWP(0,$key),"xmm0");
3396
3397	&pxor		("xmm0","xmm0");
3398	&pxor		("xmm1","xmm1");
3399	&xor		("eax","eax");		# return success
3400&set_label("dec_key_ret");
3401	&ret	();
3402&function_end_B("${PREFIX}_set_decrypt_key");
3403
3404&set_label("key_const",64);
3405&data_word(0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d);
3406&data_word(0x04070605,0x04070605,0x04070605,0x04070605);
3407&data_word(1,1,1,1);
3408&data_word(0x1b,0x1b,0x1b,0x1b);
3409&asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>");
3410
3411&asm_finish();
3412
3413close STDOUT or die "error closing STDOUT: $!";
3414