1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284 |
- #! /usr/bin/env perl
- # Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
- #
- # Licensed under the Apache License 2.0 (the "License"). You may not use
- # this file except in compliance with the License. You can obtain a copy
- # in the file LICENSE in the source distribution or at
- # https://www.openssl.org/source/license.html
- # ====================================================================
- # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
- # project. The module is, however, dual licensed under OpenSSL and
- # CRYPTOGAMS licenses depending on where you obtain it. For further
- # details see http://www.openssl.org/~appro/cryptogams/.
- # ====================================================================
- # AES for s390x.
- # April 2007.
- #
- # Software performance improvement over gcc-generated code is ~70% and
- # in absolute terms is ~73 cycles per byte processed with 128-bit key.
- # You're likely to exclaim "why so slow?" Keep in mind that z-CPUs are
- # *strictly* in-order execution and issued instruction [in this case
- # load value from memory is critical] has to complete before execution
- # flow proceeds. S-boxes are compressed to 2KB[+256B].
- #
- # As for hardware acceleration support. It's basically a "teaser," as
- # it can and should be improved in several ways. Most notably support
- # for CBC is not utilized, nor multiple blocks are ever processed.
- # Then software key schedule can be postponed till hardware support
- # detection... Performance improvement over assembler is reportedly
- # ~2.5x, but can reach >8x [naturally on larger chunks] if proper
- # support is implemented.
- # May 2007.
- #
- # Implement AES_set_[en|de]crypt_key. Key schedule setup is avoided
- # for 128-bit keys, if hardware support is detected.
- # January 2009.
- #
- # Add support for hardware AES192/256 and reschedule instructions to
- # minimize/avoid Address Generation Interlock hazard and to favour
- # dual-issue z10 pipeline. This gave ~25% improvement on z10 and
- # almost 50% on z9. The gain is smaller on z10, because being dual-
- # issue z10 makes it impossible to eliminate the interlock condition:
- # critical path is not long enough. Yet it spends ~24 cycles per byte
- # processed with 128-bit key.
- #
- # Unlike previous version hardware support detection takes place only
- # at the moment of key schedule setup, which is denoted in key->rounds.
- # This is done, because deferred key setup can't be made MT-safe, not
- # for keys longer than 128 bits.
- #
- # Add AES_cbc_encrypt, which gives incredible performance improvement,
- # it was measured to be ~6.6x. It's less than previously mentioned 8x,
- # because software implementation was optimized.
- # May 2010.
- #
- # Add AES_ctr32_encrypt. If hardware-assisted, it provides up to 4.3x
- # performance improvement over "generic" counter mode routine relying
- # on single-block, also hardware-assisted, AES_encrypt. "Up to" refers
- # to the fact that exact throughput value depends on current stack
- # frame alignment within 4KB page. In worst case you get ~75% of the
- # maximum, but *on average* it would be as much as ~98%. Meaning that
- # worst case is unlike, it's like hitting ravine on plateau.
- # November 2010.
- #
- # Adapt for -m31 build. If kernel supports what's called "highgprs"
- # feature on Linux [see /proc/cpuinfo], it's possible to use 64-bit
- # instructions and achieve "64-bit" performance even in 31-bit legacy
- # application context. The feature is not specific to any particular
- # processor, as long as it's "z-CPU". Latter implies that the code
- # remains z/Architecture specific. On z990 it was measured to perform
- # 2x better than code generated by gcc 4.3.
- # December 2010.
- #
- # Add support for z196 "cipher message with counter" instruction.
- # Note however that it's disengaged, because it was measured to
- # perform ~12% worse than vanilla km-based code...
- # February 2011.
- #
- # Add AES_xts_[en|de]crypt. This includes support for z196 km-xts-aes
- # instructions, which deliver ~70% improvement at 8KB block size over
- # vanilla km-based code, 37% - at most like 512-bytes block size.
- # $output is the last argument if it looks like a file (it has an extension)
- # $flavour is the first argument if it doesn't look like a file
- $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
- $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
- if ($flavour =~ /3[12]/) {
- $SIZE_T=4;
- $g="";
- } else {
- $SIZE_T=8;
- $g="g";
- }
- $output and open STDOUT,">$output";
- $softonly=0; # allow hardware support
- $t0="%r0"; $mask="%r0";
- $t1="%r1";
- $t2="%r2"; $inp="%r2";
- $t3="%r3"; $out="%r3"; $bits="%r3";
- $key="%r4";
- $i1="%r5";
- $i2="%r6";
- $i3="%r7";
- $s0="%r8";
- $s1="%r9";
- $s2="%r10";
- $s3="%r11";
- $tbl="%r12";
- $rounds="%r13";
- $ra="%r14";
- $sp="%r15";
- $stdframe=16*$SIZE_T+4*8;
- sub _data_word()
- { my $i;
- while(defined($i=shift)) { $code.=sprintf".long\t0x%08x,0x%08x\n",$i,$i; }
- }
- $code=<<___;
- #include "s390x_arch.h"
- .text
- .type AES_Te,\@object
- .align 256
- AES_Te:
- ___
- &_data_word(
- 0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d,
- 0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554,
- 0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d,
- 0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a,
- 0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87,
- 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b,
- 0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea,
- 0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b,
- 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a,
- 0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f,
- 0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108,
- 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f,
- 0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e,
- 0x30181828, 0x379696a1, 0x0a05050f, 0x2f9a9ab5,
- 0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d,
- 0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f,
- 0x1209091b, 0x1d83839e, 0x582c2c74, 0x341a1a2e,
- 0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb,
- 0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce,
- 0x5229297b, 0xdde3e33e, 0x5e2f2f71, 0x13848497,
- 0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c,
- 0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed,
- 0xd46a6abe, 0x8dcbcb46, 0x67bebed9, 0x7239394b,
- 0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a,
- 0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16,
- 0x864343c5, 0x9a4d4dd7, 0x66333355, 0x11858594,
- 0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81,
- 0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3,
- 0xa25151f3, 0x5da3a3fe, 0x804040c0, 0x058f8f8a,
- 0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504,
- 0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163,
- 0x20101030, 0xe5ffff1a, 0xfdf3f30e, 0xbfd2d26d,
- 0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f,
- 0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739,
- 0x93c4c457, 0x55a7a7f2, 0xfc7e7e82, 0x7a3d3d47,
- 0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395,
- 0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f,
- 0x44222266, 0x542a2a7e, 0x3b9090ab, 0x0b888883,
- 0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c,
- 0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76,
- 0xdbe0e03b, 0x64323256, 0x743a3a4e, 0x140a0a1e,
- 0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4,
- 0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6,
- 0x399191a8, 0x319595a4, 0xd3e4e437, 0xf279798b,
- 0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7,
- 0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0,
- 0xd86c6cb4, 0xac5656fa, 0xf3f4f407, 0xcfeaea25,
- 0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818,
- 0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72,
- 0x381c1c24, 0x57a6a6f1, 0x73b4b4c7, 0x97c6c651,
- 0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21,
- 0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85,
- 0xe0707090, 0x7c3e3e42, 0x71b5b5c4, 0xcc6666aa,
- 0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12,
- 0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0,
- 0x17868691, 0x99c1c158, 0x3a1d1d27, 0x279e9eb9,
- 0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133,
- 0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7,
- 0x2d9b9bb6, 0x3c1e1e22, 0x15878792, 0xc9e9e920,
- 0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a,
- 0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17,
- 0x65bfbfda, 0xd7e6e631, 0x844242c6, 0xd06868b8,
- 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11,
- 0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a);
- $code.=<<___;
- # Te4[256]
- .byte 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5
- .byte 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76
- .byte 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0
- .byte 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0
- .byte 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc
- .byte 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15
- .byte 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a
- .byte 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75
- .byte 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0
- .byte 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84
- .byte 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b
- .byte 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf
- .byte 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85
- .byte 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8
- .byte 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5
- .byte 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2
- .byte 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17
- .byte 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73
- .byte 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88
- .byte 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb
- .byte 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c
- .byte 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79
- .byte 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9
- .byte 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08
- .byte 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6
- .byte 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a
- .byte 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e
- .byte 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e
- .byte 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94
- .byte 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf
- .byte 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68
- .byte 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
- # rcon[]
- .long 0x01000000, 0x02000000, 0x04000000, 0x08000000
- .long 0x10000000, 0x20000000, 0x40000000, 0x80000000
- .long 0x1B000000, 0x36000000, 0, 0, 0, 0, 0, 0
- .align 256
- .size AES_Te,.-AES_Te
- # void AES_encrypt(const unsigned char *inp, unsigned char *out,
- # const AES_KEY *key) {
- .globl AES_encrypt
- .type AES_encrypt,\@function
- AES_encrypt:
- ___
- $code.=<<___ if (!$softonly);
- l %r0,240($key)
- lhi %r1,16
- clr %r0,%r1
- jl .Lesoft
- la %r1,0($key)
- #la %r2,0($inp)
- la %r4,0($out)
- lghi %r3,16 # single block length
- .long 0xb92e0042 # km %r4,%r2
- brc 1,.-4 # can this happen?
- br %r14
- .align 64
- .Lesoft:
- ___
- $code.=<<___;
- stm${g} %r3,$ra,3*$SIZE_T($sp)
- llgf $s0,0($inp)
- llgf $s1,4($inp)
- llgf $s2,8($inp)
- llgf $s3,12($inp)
- larl $tbl,AES_Te
- bras $ra,_s390x_AES_encrypt
- l${g} $out,3*$SIZE_T($sp)
- st $s0,0($out)
- st $s1,4($out)
- st $s2,8($out)
- st $s3,12($out)
- lm${g} %r6,$ra,6*$SIZE_T($sp)
- br $ra
- .size AES_encrypt,.-AES_encrypt
- .type _s390x_AES_encrypt,\@function
- .align 16
- _s390x_AES_encrypt:
- st${g} $ra,15*$SIZE_T($sp)
- x $s0,0($key)
- x $s1,4($key)
- x $s2,8($key)
- x $s3,12($key)
- l $rounds,240($key)
- llill $mask,`0xff<<3`
- aghi $rounds,-1
- j .Lenc_loop
- .align 16
- .Lenc_loop:
- sllg $t1,$s0,`0+3`
- srlg $t2,$s0,`8-3`
- srlg $t3,$s0,`16-3`
- srl $s0,`24-3`
- nr $s0,$mask
- ngr $t1,$mask
- nr $t2,$mask
- nr $t3,$mask
- srlg $i1,$s1,`16-3` # i0
- sllg $i2,$s1,`0+3`
- srlg $i3,$s1,`8-3`
- srl $s1,`24-3`
- nr $i1,$mask
- nr $s1,$mask
- ngr $i2,$mask
- nr $i3,$mask
- l $s0,0($s0,$tbl) # Te0[s0>>24]
- l $t1,1($t1,$tbl) # Te3[s0>>0]
- l $t2,2($t2,$tbl) # Te2[s0>>8]
- l $t3,3($t3,$tbl) # Te1[s0>>16]
- x $s0,3($i1,$tbl) # Te1[s1>>16]
- l $s1,0($s1,$tbl) # Te0[s1>>24]
- x $t2,1($i2,$tbl) # Te3[s1>>0]
- x $t3,2($i3,$tbl) # Te2[s1>>8]
- srlg $i1,$s2,`8-3` # i0
- srlg $i2,$s2,`16-3` # i1
- nr $i1,$mask
- nr $i2,$mask
- sllg $i3,$s2,`0+3`
- srl $s2,`24-3`
- nr $s2,$mask
- ngr $i3,$mask
- xr $s1,$t1
- srlg $ra,$s3,`8-3` # i1
- sllg $t1,$s3,`0+3` # i0
- nr $ra,$mask
- la $key,16($key)
- ngr $t1,$mask
- x $s0,2($i1,$tbl) # Te2[s2>>8]
- x $s1,3($i2,$tbl) # Te1[s2>>16]
- l $s2,0($s2,$tbl) # Te0[s2>>24]
- x $t3,1($i3,$tbl) # Te3[s2>>0]
- srlg $i3,$s3,`16-3` # i2
- xr $s2,$t2
- srl $s3,`24-3`
- nr $i3,$mask
- nr $s3,$mask
- x $s0,0($key)
- x $s1,4($key)
- x $s2,8($key)
- x $t3,12($key)
- x $s0,1($t1,$tbl) # Te3[s3>>0]
- x $s1,2($ra,$tbl) # Te2[s3>>8]
- x $s2,3($i3,$tbl) # Te1[s3>>16]
- l $s3,0($s3,$tbl) # Te0[s3>>24]
- xr $s3,$t3
- brct $rounds,.Lenc_loop
- .align 16
- sllg $t1,$s0,`0+3`
- srlg $t2,$s0,`8-3`
- ngr $t1,$mask
- srlg $t3,$s0,`16-3`
- srl $s0,`24-3`
- nr $s0,$mask
- nr $t2,$mask
- nr $t3,$mask
- srlg $i1,$s1,`16-3` # i0
- sllg $i2,$s1,`0+3`
- ngr $i2,$mask
- srlg $i3,$s1,`8-3`
- srl $s1,`24-3`
- nr $i1,$mask
- nr $s1,$mask
- nr $i3,$mask
- llgc $s0,2($s0,$tbl) # Te4[s0>>24]
- llgc $t1,2($t1,$tbl) # Te4[s0>>0]
- sll $s0,24
- llgc $t2,2($t2,$tbl) # Te4[s0>>8]
- llgc $t3,2($t3,$tbl) # Te4[s0>>16]
- sll $t2,8
- sll $t3,16
- llgc $i1,2($i1,$tbl) # Te4[s1>>16]
- llgc $s1,2($s1,$tbl) # Te4[s1>>24]
- llgc $i2,2($i2,$tbl) # Te4[s1>>0]
- llgc $i3,2($i3,$tbl) # Te4[s1>>8]
- sll $i1,16
- sll $s1,24
- sll $i3,8
- or $s0,$i1
- or $s1,$t1
- or $t2,$i2
- or $t3,$i3
- srlg $i1,$s2,`8-3` # i0
- srlg $i2,$s2,`16-3` # i1
- nr $i1,$mask
- nr $i2,$mask
- sllg $i3,$s2,`0+3`
- srl $s2,`24-3`
- ngr $i3,$mask
- nr $s2,$mask
- sllg $t1,$s3,`0+3` # i0
- srlg $ra,$s3,`8-3` # i1
- ngr $t1,$mask
- llgc $i1,2($i1,$tbl) # Te4[s2>>8]
- llgc $i2,2($i2,$tbl) # Te4[s2>>16]
- sll $i1,8
- llgc $s2,2($s2,$tbl) # Te4[s2>>24]
- llgc $i3,2($i3,$tbl) # Te4[s2>>0]
- sll $i2,16
- nr $ra,$mask
- sll $s2,24
- or $s0,$i1
- or $s1,$i2
- or $s2,$t2
- or $t3,$i3
- srlg $i3,$s3,`16-3` # i2
- srl $s3,`24-3`
- nr $i3,$mask
- nr $s3,$mask
- l $t0,16($key)
- l $t2,20($key)
- llgc $i1,2($t1,$tbl) # Te4[s3>>0]
- llgc $i2,2($ra,$tbl) # Te4[s3>>8]
- llgc $i3,2($i3,$tbl) # Te4[s3>>16]
- llgc $s3,2($s3,$tbl) # Te4[s3>>24]
- sll $i2,8
- sll $i3,16
- sll $s3,24
- or $s0,$i1
- or $s1,$i2
- or $s2,$i3
- or $s3,$t3
- l${g} $ra,15*$SIZE_T($sp)
- xr $s0,$t0
- xr $s1,$t2
- x $s2,24($key)
- x $s3,28($key)
- br $ra
- .size _s390x_AES_encrypt,.-_s390x_AES_encrypt
- ___
- $code.=<<___;
- .type AES_Td,\@object
- .align 256
- AES_Td:
- ___
- &_data_word(
- 0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96,
- 0x3bab6bcb, 0x1f9d45f1, 0xacfa58ab, 0x4be30393,
- 0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25,
- 0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f,
- 0xdeb15a49, 0x25ba1b67, 0x45ea0e98, 0x5dfec0e1,
- 0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6,
- 0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da,
- 0xd4be832d, 0x587421d3, 0x49e06929, 0x8ec9c844,
- 0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd,
- 0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4,
- 0x63df4a18, 0xe51a3182, 0x97513360, 0x62537f45,
- 0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94,
- 0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7,
- 0xab73d323, 0x724b02e2, 0xe31f8f57, 0x6655ab2a,
- 0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5,
- 0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c,
- 0x8acf1c2b, 0xa779b492, 0xf307f2f0, 0x4e69e2a1,
- 0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a,
- 0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75,
- 0x0b83ec39, 0x4060efaa, 0x5e719f06, 0xbd6e1051,
- 0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46,
- 0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff,
- 0x1998fb24, 0xd6bde997, 0x894043cc, 0x67d99e77,
- 0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb,
- 0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000,
- 0x09808683, 0x322bed48, 0x1e1170ac, 0x6c5a724e,
- 0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927,
- 0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a,
- 0x0c0a67b1, 0x9357e70f, 0xb4ee96d2, 0x1b9b919e,
- 0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16,
- 0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d,
- 0x0e090d0b, 0xf28bc7ad, 0x2db6a8b9, 0x141ea9c8,
- 0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd,
- 0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34,
- 0x8b432976, 0xcb23c6dc, 0xb6edfc68, 0xb8e4f163,
- 0xd731dcca, 0x42638510, 0x13972240, 0x84c61120,
- 0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d,
- 0x1d9e2f4b, 0xdcb230f3, 0x0d8652ec, 0x77c1e3d0,
- 0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422,
- 0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef,
- 0x87494ec7, 0xd938d1c1, 0x8ccaa2fe, 0x98d40b36,
- 0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4,
- 0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662,
- 0xf68d13c2, 0x90d8b8e8, 0x2e39f75e, 0x82c3aff5,
- 0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3,
- 0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b,
- 0xcd267809, 0x6e5918f4, 0xec9ab701, 0x834f9aa8,
- 0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6,
- 0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6,
- 0x31a4b2af, 0x2a3f2331, 0xc6a59430, 0x35a266c0,
- 0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815,
- 0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f,
- 0x764dd68d, 0x43efb04d, 0xccaa4d54, 0xe49604df,
- 0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f,
- 0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e,
- 0xb3671d5a, 0x92dbd252, 0xe9105633, 0x6dd64713,
- 0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89,
- 0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c,
- 0x9cd2df59, 0x55f2733f, 0x1814ce79, 0x73c737bf,
- 0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86,
- 0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f,
- 0x161dc372, 0xbce2250c, 0x283c498b, 0xff0d9541,
- 0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190,
- 0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742);
- $code.=<<___;
- # Td4[256]
- .byte 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38
- .byte 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb
- .byte 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87
- .byte 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb
- .byte 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d
- .byte 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e
- .byte 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2
- .byte 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25
- .byte 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16
- .byte 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92
- .byte 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda
- .byte 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84
- .byte 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a
- .byte 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06
- .byte 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02
- .byte 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b
- .byte 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea
- .byte 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73
- .byte 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85
- .byte 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e
- .byte 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89
- .byte 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b
- .byte 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20
- .byte 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4
- .byte 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31
- .byte 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f
- .byte 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d
- .byte 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef
- .byte 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0
- .byte 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61
- .byte 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26
- .byte 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
- .size AES_Td,.-AES_Td
- # void AES_decrypt(const unsigned char *inp, unsigned char *out,
- # const AES_KEY *key) {
- .globl AES_decrypt
- .type AES_decrypt,\@function
- AES_decrypt:
- ___
- $code.=<<___ if (!$softonly);
- l %r0,240($key)
- lhi %r1,16
- clr %r0,%r1
- jl .Ldsoft
- la %r1,0($key)
- #la %r2,0($inp)
- la %r4,0($out)
- lghi %r3,16 # single block length
- .long 0xb92e0042 # km %r4,%r2
- brc 1,.-4 # can this happen?
- br %r14
- .align 64
- .Ldsoft:
- ___
- $code.=<<___;
- stm${g} %r3,$ra,3*$SIZE_T($sp)
- llgf $s0,0($inp)
- llgf $s1,4($inp)
- llgf $s2,8($inp)
- llgf $s3,12($inp)
- larl $tbl,AES_Td
- bras $ra,_s390x_AES_decrypt
- l${g} $out,3*$SIZE_T($sp)
- st $s0,0($out)
- st $s1,4($out)
- st $s2,8($out)
- st $s3,12($out)
- lm${g} %r6,$ra,6*$SIZE_T($sp)
- br $ra
- .size AES_decrypt,.-AES_decrypt
- .type _s390x_AES_decrypt,\@function
- .align 16
- _s390x_AES_decrypt:
- st${g} $ra,15*$SIZE_T($sp)
- x $s0,0($key)
- x $s1,4($key)
- x $s2,8($key)
- x $s3,12($key)
- l $rounds,240($key)
- llill $mask,`0xff<<3`
- aghi $rounds,-1
- j .Ldec_loop
- .align 16
- .Ldec_loop:
- srlg $t1,$s0,`16-3`
- srlg $t2,$s0,`8-3`
- sllg $t3,$s0,`0+3`
- srl $s0,`24-3`
- nr $s0,$mask
- nr $t1,$mask
- nr $t2,$mask
- ngr $t3,$mask
- sllg $i1,$s1,`0+3` # i0
- srlg $i2,$s1,`16-3`
- srlg $i3,$s1,`8-3`
- srl $s1,`24-3`
- ngr $i1,$mask
- nr $s1,$mask
- nr $i2,$mask
- nr $i3,$mask
- l $s0,0($s0,$tbl) # Td0[s0>>24]
- l $t1,3($t1,$tbl) # Td1[s0>>16]
- l $t2,2($t2,$tbl) # Td2[s0>>8]
- l $t3,1($t3,$tbl) # Td3[s0>>0]
- x $s0,1($i1,$tbl) # Td3[s1>>0]
- l $s1,0($s1,$tbl) # Td0[s1>>24]
- x $t2,3($i2,$tbl) # Td1[s1>>16]
- x $t3,2($i3,$tbl) # Td2[s1>>8]
- srlg $i1,$s2,`8-3` # i0
- sllg $i2,$s2,`0+3` # i1
- srlg $i3,$s2,`16-3`
- srl $s2,`24-3`
- nr $i1,$mask
- ngr $i2,$mask
- nr $s2,$mask
- nr $i3,$mask
- xr $s1,$t1
- srlg $ra,$s3,`8-3` # i1
- srlg $t1,$s3,`16-3` # i0
- nr $ra,$mask
- la $key,16($key)
- nr $t1,$mask
- x $s0,2($i1,$tbl) # Td2[s2>>8]
- x $s1,1($i2,$tbl) # Td3[s2>>0]
- l $s2,0($s2,$tbl) # Td0[s2>>24]
- x $t3,3($i3,$tbl) # Td1[s2>>16]
- sllg $i3,$s3,`0+3` # i2
- srl $s3,`24-3`
- ngr $i3,$mask
- nr $s3,$mask
- xr $s2,$t2
- x $s0,0($key)
- x $s1,4($key)
- x $s2,8($key)
- x $t3,12($key)
- x $s0,3($t1,$tbl) # Td1[s3>>16]
- x $s1,2($ra,$tbl) # Td2[s3>>8]
- x $s2,1($i3,$tbl) # Td3[s3>>0]
- l $s3,0($s3,$tbl) # Td0[s3>>24]
- xr $s3,$t3
- brct $rounds,.Ldec_loop
- .align 16
- l $t1,`2048+0`($tbl) # prefetch Td4
- l $t2,`2048+64`($tbl)
- l $t3,`2048+128`($tbl)
- l $i1,`2048+192`($tbl)
- llill $mask,0xff
- srlg $i3,$s0,24 # i0
- srlg $t1,$s0,16
- srlg $t2,$s0,8
- nr $s0,$mask # i3
- nr $t1,$mask
- srlg $i1,$s1,24
- nr $t2,$mask
- srlg $i2,$s1,16
- srlg $ra,$s1,8
- nr $s1,$mask # i0
- nr $i2,$mask
- nr $ra,$mask
- llgc $i3,2048($i3,$tbl) # Td4[s0>>24]
- llgc $t1,2048($t1,$tbl) # Td4[s0>>16]
- llgc $t2,2048($t2,$tbl) # Td4[s0>>8]
- sll $t1,16
- llgc $t3,2048($s0,$tbl) # Td4[s0>>0]
- sllg $s0,$i3,24
- sll $t2,8
- llgc $s1,2048($s1,$tbl) # Td4[s1>>0]
- llgc $i1,2048($i1,$tbl) # Td4[s1>>24]
- llgc $i2,2048($i2,$tbl) # Td4[s1>>16]
- sll $i1,24
- llgc $i3,2048($ra,$tbl) # Td4[s1>>8]
- sll $i2,16
- sll $i3,8
- or $s0,$s1
- or $t1,$i1
- or $t2,$i2
- or $t3,$i3
- srlg $i1,$s2,8 # i0
- srlg $i2,$s2,24
- srlg $i3,$s2,16
- nr $s2,$mask # i1
- nr $i1,$mask
- nr $i3,$mask
- llgc $i1,2048($i1,$tbl) # Td4[s2>>8]
- llgc $s1,2048($s2,$tbl) # Td4[s2>>0]
- llgc $i2,2048($i2,$tbl) # Td4[s2>>24]
- llgc $i3,2048($i3,$tbl) # Td4[s2>>16]
- sll $i1,8
- sll $i2,24
- or $s0,$i1
- sll $i3,16
- or $t2,$i2
- or $t3,$i3
- srlg $i1,$s3,16 # i0
- srlg $i2,$s3,8 # i1
- srlg $i3,$s3,24
- nr $s3,$mask # i2
- nr $i1,$mask
- nr $i2,$mask
- l${g} $ra,15*$SIZE_T($sp)
- or $s1,$t1
- l $t0,16($key)
- l $t1,20($key)
- llgc $i1,2048($i1,$tbl) # Td4[s3>>16]
- llgc $i2,2048($i2,$tbl) # Td4[s3>>8]
- sll $i1,16
- llgc $s2,2048($s3,$tbl) # Td4[s3>>0]
- llgc $s3,2048($i3,$tbl) # Td4[s3>>24]
- sll $i2,8
- sll $s3,24
- or $s0,$i1
- or $s1,$i2
- or $s2,$t2
- or $s3,$t3
- xr $s0,$t0
- xr $s1,$t1
- x $s2,24($key)
- x $s3,28($key)
- br $ra
- .size _s390x_AES_decrypt,.-_s390x_AES_decrypt
- ___
- $code.=<<___;
- # void AES_set_encrypt_key(const unsigned char *in, int bits,
- # AES_KEY *key) {
- .globl AES_set_encrypt_key
- .type AES_set_encrypt_key,\@function
- .align 16
- AES_set_encrypt_key:
- _s390x_AES_set_encrypt_key:
- lghi $t0,0
- cl${g}r $inp,$t0
- je .Lminus1
- cl${g}r $key,$t0
- je .Lminus1
- lghi $t0,128
- clr $bits,$t0
- je .Lproceed
- lghi $t0,192
- clr $bits,$t0
- je .Lproceed
- lghi $t0,256
- clr $bits,$t0
- je .Lproceed
- lghi %r2,-2
- br %r14
- .align 16
- .Lproceed:
- ___
- $code.=<<___ if (!$softonly);
- # convert bits to km(c) code, [128,192,256]->[18,19,20]
- lhi %r5,-128
- lhi %r0,18
- ar %r5,$bits
- srl %r5,6
- ar %r5,%r0
- larl %r1,OPENSSL_s390xcap_P
- llihh %r0,0x8000
- srlg %r0,%r0,0(%r5)
- ng %r0,S390X_KM(%r1) # check availability of both km...
- ng %r0,S390X_KMC(%r1) # ...and kmc support for given key length
- jz .Lekey_internal
- lmg %r0,%r1,0($inp) # just copy 128 bits...
- stmg %r0,%r1,0($key)
- lhi %r0,192
- cr $bits,%r0
- jl 1f
- lg %r1,16($inp)
- stg %r1,16($key)
- je 1f
- lg %r1,24($inp)
- stg %r1,24($key)
- 1: st $bits,236($key) # save bits [for debugging purposes]
- lgr $t0,%r5
- st %r5,240($key) # save km(c) code
- lghi %r2,0
- br %r14
- ___
- $code.=<<___;
- .align 16
- .Lekey_internal:
- stm${g} %r4,%r13,4*$SIZE_T($sp) # all non-volatile regs and $key
- larl $tbl,AES_Te+2048
- llgf $s0,0($inp)
- llgf $s1,4($inp)
- llgf $s2,8($inp)
- llgf $s3,12($inp)
- st $s0,0($key)
- st $s1,4($key)
- st $s2,8($key)
- st $s3,12($key)
- lghi $t0,128
- cr $bits,$t0
- jne .Lnot128
- llill $mask,0xff
- lghi $t3,0 # i=0
- lghi $rounds,10
- st $rounds,240($key)
- llgfr $t2,$s3 # temp=rk[3]
- srlg $i1,$s3,8
- srlg $i2,$s3,16
- srlg $i3,$s3,24
- nr $t2,$mask
- nr $i1,$mask
- nr $i2,$mask
- .align 16
- .L128_loop:
- la $t2,0($t2,$tbl)
- la $i1,0($i1,$tbl)
- la $i2,0($i2,$tbl)
- la $i3,0($i3,$tbl)
- icm $t2,2,0($t2) # Te4[rk[3]>>0]<<8
- icm $t2,4,0($i1) # Te4[rk[3]>>8]<<16
- icm $t2,8,0($i2) # Te4[rk[3]>>16]<<24
- icm $t2,1,0($i3) # Te4[rk[3]>>24]
- x $t2,256($t3,$tbl) # rcon[i]
- xr $s0,$t2 # rk[4]=rk[0]^...
- xr $s1,$s0 # rk[5]=rk[1]^rk[4]
- xr $s2,$s1 # rk[6]=rk[2]^rk[5]
- xr $s3,$s2 # rk[7]=rk[3]^rk[6]
- llgfr $t2,$s3 # temp=rk[3]
- srlg $i1,$s3,8
- srlg $i2,$s3,16
- nr $t2,$mask
- nr $i1,$mask
- srlg $i3,$s3,24
- nr $i2,$mask
- st $s0,16($key)
- st $s1,20($key)
- st $s2,24($key)
- st $s3,28($key)
- la $key,16($key) # key+=4
- la $t3,4($t3) # i++
- brct $rounds,.L128_loop
- lghi $t0,10
- lghi %r2,0
- lm${g} %r4,%r13,4*$SIZE_T($sp)
- br $ra
- .align 16
- .Lnot128:
- llgf $t0,16($inp)
- llgf $t1,20($inp)
- st $t0,16($key)
- st $t1,20($key)
- lghi $t0,192
- cr $bits,$t0
- jne .Lnot192
- llill $mask,0xff
- lghi $t3,0 # i=0
- lghi $rounds,12
- st $rounds,240($key)
- lghi $rounds,8
- srlg $i1,$t1,8
- srlg $i2,$t1,16
- srlg $i3,$t1,24
- nr $t1,$mask
- nr $i1,$mask
- nr $i2,$mask
- .align 16
- .L192_loop:
- la $t1,0($t1,$tbl)
- la $i1,0($i1,$tbl)
- la $i2,0($i2,$tbl)
- la $i3,0($i3,$tbl)
- icm $t1,2,0($t1) # Te4[rk[5]>>0]<<8
- icm $t1,4,0($i1) # Te4[rk[5]>>8]<<16
- icm $t1,8,0($i2) # Te4[rk[5]>>16]<<24
- icm $t1,1,0($i3) # Te4[rk[5]>>24]
- x $t1,256($t3,$tbl) # rcon[i]
- xr $s0,$t1 # rk[6]=rk[0]^...
- xr $s1,$s0 # rk[7]=rk[1]^rk[6]
- xr $s2,$s1 # rk[8]=rk[2]^rk[7]
- xr $s3,$s2 # rk[9]=rk[3]^rk[8]
- st $s0,24($key)
- st $s1,28($key)
- st $s2,32($key)
- st $s3,36($key)
- brct $rounds,.L192_continue
- lghi $t0,12
- lghi %r2,0
- lm${g} %r4,%r13,4*$SIZE_T($sp)
- br $ra
- .align 16
- .L192_continue:
- lgr $t1,$s3
- x $t1,16($key) # rk[10]=rk[4]^rk[9]
- st $t1,40($key)
- x $t1,20($key) # rk[11]=rk[5]^rk[10]
- st $t1,44($key)
- srlg $i1,$t1,8
- srlg $i2,$t1,16
- srlg $i3,$t1,24
- nr $t1,$mask
- nr $i1,$mask
- nr $i2,$mask
- la $key,24($key) # key+=6
- la $t3,4($t3) # i++
- j .L192_loop
- .align 16
- .Lnot192:
- llgf $t0,24($inp)
- llgf $t1,28($inp)
- st $t0,24($key)
- st $t1,28($key)
- llill $mask,0xff
- lghi $t3,0 # i=0
- lghi $rounds,14
- st $rounds,240($key)
- lghi $rounds,7
- srlg $i1,$t1,8
- srlg $i2,$t1,16
- srlg $i3,$t1,24
- nr $t1,$mask
- nr $i1,$mask
- nr $i2,$mask
- .align 16
- .L256_loop:
- la $t1,0($t1,$tbl)
- la $i1,0($i1,$tbl)
- la $i2,0($i2,$tbl)
- la $i3,0($i3,$tbl)
- icm $t1,2,0($t1) # Te4[rk[7]>>0]<<8
- icm $t1,4,0($i1) # Te4[rk[7]>>8]<<16
- icm $t1,8,0($i2) # Te4[rk[7]>>16]<<24
- icm $t1,1,0($i3) # Te4[rk[7]>>24]
- x $t1,256($t3,$tbl) # rcon[i]
- xr $s0,$t1 # rk[8]=rk[0]^...
- xr $s1,$s0 # rk[9]=rk[1]^rk[8]
- xr $s2,$s1 # rk[10]=rk[2]^rk[9]
- xr $s3,$s2 # rk[11]=rk[3]^rk[10]
- st $s0,32($key)
- st $s1,36($key)
- st $s2,40($key)
- st $s3,44($key)
- brct $rounds,.L256_continue
- lghi $t0,14
- lghi %r2,0
- lm${g} %r4,%r13,4*$SIZE_T($sp)
- br $ra
- .align 16
- .L256_continue:
- lgr $t1,$s3 # temp=rk[11]
- srlg $i1,$s3,8
- srlg $i2,$s3,16
- srlg $i3,$s3,24
- nr $t1,$mask
- nr $i1,$mask
- nr $i2,$mask
- la $t1,0($t1,$tbl)
- la $i1,0($i1,$tbl)
- la $i2,0($i2,$tbl)
- la $i3,0($i3,$tbl)
- llgc $t1,0($t1) # Te4[rk[11]>>0]
- icm $t1,2,0($i1) # Te4[rk[11]>>8]<<8
- icm $t1,4,0($i2) # Te4[rk[11]>>16]<<16
- icm $t1,8,0($i3) # Te4[rk[11]>>24]<<24
- x $t1,16($key) # rk[12]=rk[4]^...
- st $t1,48($key)
- x $t1,20($key) # rk[13]=rk[5]^rk[12]
- st $t1,52($key)
- x $t1,24($key) # rk[14]=rk[6]^rk[13]
- st $t1,56($key)
- x $t1,28($key) # rk[15]=rk[7]^rk[14]
- st $t1,60($key)
- srlg $i1,$t1,8
- srlg $i2,$t1,16
- srlg $i3,$t1,24
- nr $t1,$mask
- nr $i1,$mask
- nr $i2,$mask
- la $key,32($key) # key+=8
- la $t3,4($t3) # i++
- j .L256_loop
- .Lminus1:
- lghi %r2,-1
- br $ra
- .size AES_set_encrypt_key,.-AES_set_encrypt_key
- # void AES_set_decrypt_key(const unsigned char *in, int bits,
- # AES_KEY *key) {
- .globl AES_set_decrypt_key
- .type AES_set_decrypt_key,\@function
- .align 16
- AES_set_decrypt_key:
- #st${g} $key,4*$SIZE_T($sp) # I rely on AES_set_encrypt_key to
- st${g} $ra,14*$SIZE_T($sp) # save non-volatile registers and $key!
- bras $ra,_s390x_AES_set_encrypt_key
- #l${g} $key,4*$SIZE_T($sp)
- l${g} $ra,14*$SIZE_T($sp)
- ltgr %r2,%r2
- bnzr $ra
- ___
- $code.=<<___ if (!$softonly);
- #l $t0,240($key)
- lhi $t1,16
- cr $t0,$t1
- jl .Lgo
- oill $t0,S390X_DECRYPT # set "decrypt" bit
- st $t0,240($key)
- br $ra
- ___
- $code.=<<___;
- .align 16
- .Lgo: lgr $rounds,$t0 #llgf $rounds,240($key)
- la $i1,0($key)
- sllg $i2,$rounds,4
- la $i2,0($i2,$key)
- srl $rounds,1
- lghi $t1,-16
- .align 16
- .Linv: lmg $s0,$s1,0($i1)
- lmg $s2,$s3,0($i2)
- stmg $s0,$s1,0($i2)
- stmg $s2,$s3,0($i1)
- la $i1,16($i1)
- la $i2,0($t1,$i2)
- brct $rounds,.Linv
- ___
- $mask80=$i1;
- $mask1b=$i2;
- $maskfe=$i3;
- $code.=<<___;
- llgf $rounds,240($key)
- aghi $rounds,-1
- sll $rounds,2 # (rounds-1)*4
- llilh $mask80,0x8080
- llilh $mask1b,0x1b1b
- llilh $maskfe,0xfefe
- oill $mask80,0x8080
- oill $mask1b,0x1b1b
- oill $maskfe,0xfefe
- .align 16
- .Lmix: l $s0,16($key) # tp1
- lr $s1,$s0
- ngr $s1,$mask80
- srlg $t1,$s1,7
- slr $s1,$t1
- nr $s1,$mask1b
- sllg $t1,$s0,1
- nr $t1,$maskfe
- xr $s1,$t1 # tp2
- lr $s2,$s1
- ngr $s2,$mask80
- srlg $t1,$s2,7
- slr $s2,$t1
- nr $s2,$mask1b
- sllg $t1,$s1,1
- nr $t1,$maskfe
- xr $s2,$t1 # tp4
- lr $s3,$s2
- ngr $s3,$mask80
- srlg $t1,$s3,7
- slr $s3,$t1
- nr $s3,$mask1b
- sllg $t1,$s2,1
- nr $t1,$maskfe
- xr $s3,$t1 # tp8
- xr $s1,$s0 # tp2^tp1
- xr $s2,$s0 # tp4^tp1
- rll $s0,$s0,24 # = ROTATE(tp1,8)
- xr $s2,$s3 # ^=tp8
- xr $s0,$s1 # ^=tp2^tp1
- xr $s1,$s3 # tp2^tp1^tp8
- xr $s0,$s2 # ^=tp4^tp1^tp8
- rll $s1,$s1,8
- rll $s2,$s2,16
- xr $s0,$s1 # ^= ROTATE(tp8^tp2^tp1,24)
- rll $s3,$s3,24
- xr $s0,$s2 # ^= ROTATE(tp8^tp4^tp1,16)
- xr $s0,$s3 # ^= ROTATE(tp8,8)
- st $s0,16($key)
- la $key,4($key)
- brct $rounds,.Lmix
- lm${g} %r6,%r13,6*$SIZE_T($sp)# as was saved by AES_set_encrypt_key!
- lghi %r2,0
- br $ra
- .size AES_set_decrypt_key,.-AES_set_decrypt_key
- ___
- ########################################################################
- # void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
- # size_t length, const AES_KEY *key,
- # unsigned char *ivec, const int enc)
- {
- my $inp="%r2";
- my $out="%r4"; # length and out are swapped
- my $len="%r3";
- my $key="%r5";
- my $ivp="%r6";
- $code.=<<___;
- .globl AES_cbc_encrypt
- .type AES_cbc_encrypt,\@function
- .align 16
- AES_cbc_encrypt:
- xgr %r3,%r4 # flip %r3 and %r4, out and len
- xgr %r4,%r3
- xgr %r3,%r4
- ___
- $code.=<<___ if (!$softonly);
- lhi %r0,16
- cl %r0,240($key)
- jh .Lcbc_software
- lg %r0,0($ivp) # copy ivec
- lg %r1,8($ivp)
- stmg %r0,%r1,16($sp)
- lmg %r0,%r1,0($key) # copy key, cover 256 bit
- stmg %r0,%r1,32($sp)
- lmg %r0,%r1,16($key)
- stmg %r0,%r1,48($sp)
- l %r0,240($key) # load kmc code
- lghi $key,15 # res=len%16, len-=res;
- ngr $key,$len
- sl${g}r $len,$key
- la %r1,16($sp) # parameter block - ivec || key
- jz .Lkmc_truncated
- .long 0xb92f0042 # kmc %r4,%r2
- brc 1,.-4 # pay attention to "partial completion"
- ltr $key,$key
- jnz .Lkmc_truncated
- .Lkmc_done:
- lmg %r0,%r1,16($sp) # copy ivec to caller
- stg %r0,0($ivp)
- stg %r1,8($ivp)
- br $ra
- .align 16
- .Lkmc_truncated:
- ahi $key,-1 # it's the way it's encoded in mvc
- tmll %r0,S390X_DECRYPT
- jnz .Lkmc_truncated_dec
- lghi %r1,0
- stg %r1,16*$SIZE_T($sp)
- stg %r1,16*$SIZE_T+8($sp)
- bras %r1,1f
- mvc 16*$SIZE_T(1,$sp),0($inp)
- 1: ex $key,0(%r1)
- la %r1,16($sp) # restore parameter block
- la $inp,16*$SIZE_T($sp)
- lghi $len,16
- .long 0xb92f0042 # kmc %r4,%r2
- j .Lkmc_done
- .align 16
- .Lkmc_truncated_dec:
- st${g} $out,4*$SIZE_T($sp)
- la $out,16*$SIZE_T($sp)
- lghi $len,16
- .long 0xb92f0042 # kmc %r4,%r2
- l${g} $out,4*$SIZE_T($sp)
- bras %r1,2f
- mvc 0(1,$out),16*$SIZE_T($sp)
- 2: ex $key,0(%r1)
- j .Lkmc_done
- .align 16
- .Lcbc_software:
- ___
- $code.=<<___;
- stm${g} $key,$ra,5*$SIZE_T($sp)
- lhi %r0,0
- cl %r0,`$stdframe+$SIZE_T-4`($sp)
- je .Lcbc_decrypt
- larl $tbl,AES_Te
- llgf $s0,0($ivp)
- llgf $s1,4($ivp)
- llgf $s2,8($ivp)
- llgf $s3,12($ivp)
- lghi $t0,16
- sl${g}r $len,$t0
- brc 4,.Lcbc_enc_tail # if borrow
- .Lcbc_enc_loop:
- stm${g} $inp,$out,2*$SIZE_T($sp)
- x $s0,0($inp)
- x $s1,4($inp)
- x $s2,8($inp)
- x $s3,12($inp)
- lgr %r4,$key
- bras $ra,_s390x_AES_encrypt
- lm${g} $inp,$key,2*$SIZE_T($sp)
- st $s0,0($out)
- st $s1,4($out)
- st $s2,8($out)
- st $s3,12($out)
- la $inp,16($inp)
- la $out,16($out)
- lghi $t0,16
- lt${g}r $len,$len
- jz .Lcbc_enc_done
- sl${g}r $len,$t0
- brc 4,.Lcbc_enc_tail # if borrow
- j .Lcbc_enc_loop
- .align 16
- .Lcbc_enc_done:
- l${g} $ivp,6*$SIZE_T($sp)
- st $s0,0($ivp)
- st $s1,4($ivp)
- st $s2,8($ivp)
- st $s3,12($ivp)
- lm${g} %r7,$ra,7*$SIZE_T($sp)
- br $ra
- .align 16
- .Lcbc_enc_tail:
- aghi $len,15
- lghi $t0,0
- stg $t0,16*$SIZE_T($sp)
- stg $t0,16*$SIZE_T+8($sp)
- bras $t1,3f
- mvc 16*$SIZE_T(1,$sp),0($inp)
- 3: ex $len,0($t1)
- lghi $len,0
- la $inp,16*$SIZE_T($sp)
- j .Lcbc_enc_loop
- .align 16
- .Lcbc_decrypt:
- larl $tbl,AES_Td
- lg $t0,0($ivp)
- lg $t1,8($ivp)
- stmg $t0,$t1,16*$SIZE_T($sp)
- .Lcbc_dec_loop:
- stm${g} $inp,$out,2*$SIZE_T($sp)
- llgf $s0,0($inp)
- llgf $s1,4($inp)
- llgf $s2,8($inp)
- llgf $s3,12($inp)
- lgr %r4,$key
- bras $ra,_s390x_AES_decrypt
- lm${g} $inp,$key,2*$SIZE_T($sp)
- sllg $s0,$s0,32
- sllg $s2,$s2,32
- lr $s0,$s1
- lr $s2,$s3
- lg $t0,0($inp)
- lg $t1,8($inp)
- xg $s0,16*$SIZE_T($sp)
- xg $s2,16*$SIZE_T+8($sp)
- lghi $s1,16
- sl${g}r $len,$s1
- brc 4,.Lcbc_dec_tail # if borrow
- brc 2,.Lcbc_dec_done # if zero
- stg $s0,0($out)
- stg $s2,8($out)
- stmg $t0,$t1,16*$SIZE_T($sp)
- la $inp,16($inp)
- la $out,16($out)
- j .Lcbc_dec_loop
- .Lcbc_dec_done:
- stg $s0,0($out)
- stg $s2,8($out)
- .Lcbc_dec_exit:
- lm${g} %r6,$ra,6*$SIZE_T($sp)
- stmg $t0,$t1,0($ivp)
- br $ra
- .align 16
- .Lcbc_dec_tail:
- aghi $len,15
- stg $s0,16*$SIZE_T($sp)
- stg $s2,16*$SIZE_T+8($sp)
- bras $s1,4f
- mvc 0(1,$out),16*$SIZE_T($sp)
- 4: ex $len,0($s1)
- j .Lcbc_dec_exit
- .size AES_cbc_encrypt,.-AES_cbc_encrypt
- ___
- }
- ########################################################################
- # void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
- # size_t blocks, const AES_KEY *key,
- # const unsigned char *ivec)
- {
- my $inp="%r2";
- my $out="%r4"; # blocks and out are swapped
- my $len="%r3";
- my $key="%r5"; my $iv0="%r5";
- my $ivp="%r6";
- my $fp ="%r7";
- $code.=<<___;
- .globl AES_ctr32_encrypt
- .type AES_ctr32_encrypt,\@function
- .align 16
- AES_ctr32_encrypt:
- xgr %r3,%r4 # flip %r3 and %r4, $out and $len
- xgr %r4,%r3
- xgr %r3,%r4
- llgfr $len,$len # safe in ctr32 subroutine even in 64-bit case
- ___
- $code.=<<___ if (!$softonly);
- l %r0,240($key)
- lhi %r1,16
- clr %r0,%r1
- jl .Lctr32_software
- st${g} $s2,10*$SIZE_T($sp)
- st${g} $s3,11*$SIZE_T($sp)
- clr $len,%r1 # does work even in 64-bit mode
- jle .Lctr32_nokma # kma is slower for <= 16 blocks
- larl %r1,OPENSSL_s390xcap_P
- lr $s2,%r0
- llihh $s3,0x8000
- srlg $s3,$s3,0($s2)
- ng $s3,S390X_KMA(%r1) # check kma capability vector
- jz .Lctr32_nokma
- l${g}hi %r1,-$stdframe-112
- l${g}r $s3,$sp
- la $sp,0(%r1,$sp) # prepare parameter block
- lhi %r1,0x0600
- sllg $len,$len,4
- or %r0,%r1 # set HS and LAAD flags
- st${g} $s3,0($sp) # backchain
- la %r1,$stdframe($sp)
- lmg $s2,$s3,0($key) # copy key
- stg $s2,$stdframe+80($sp)
- stg $s3,$stdframe+88($sp)
- lmg $s2,$s3,16($key)
- stg $s2,$stdframe+96($sp)
- stg $s3,$stdframe+104($sp)
- lmg $s2,$s3,0($ivp) # copy iv
- stg $s2,$stdframe+64($sp)
- ahi $s3,-1 # kma requires counter-1
- stg $s3,$stdframe+72($sp)
- st $s3,$stdframe+12($sp) # copy counter
- lghi $s2,0 # no AAD
- lghi $s3,0
- .long 0xb929a042 # kma $out,$s2,$inp
- brc 1,.-4 # pay attention to "partial completion"
- stg %r0,$stdframe+80($sp) # wipe key
- stg %r0,$stdframe+88($sp)
- stg %r0,$stdframe+96($sp)
- stg %r0,$stdframe+104($sp)
- la $sp,$stdframe+112($sp)
- lm${g} $s2,$s3,10*$SIZE_T($sp)
- br $ra
- .align 16
- .Lctr32_nokma:
- stm${g} %r6,$s1,6*$SIZE_T($sp)
- slgr $out,$inp
- la %r1,0($key) # %r1 is permanent copy of $key
- lg $iv0,0($ivp) # load ivec
- lg $ivp,8($ivp)
- # prepare and allocate stack frame at the top of 4K page
- # with 1K reserved for eventual signal handling
- lghi $s0,-1024-256-16# guarantee at least 256-bytes buffer
- lghi $s1,-4096
- algr $s0,$sp
- lgr $fp,$sp
- ngr $s0,$s1 # align at page boundary
- slgr $fp,$s0 # total buffer size
- lgr $s2,$sp
- lghi $s1,1024+16 # sl[g]fi is extended-immediate facility
- slgr $fp,$s1 # deduct reservation to get usable buffer size
- # buffer size is at lest 256 and at most 3072+256-16
- la $sp,1024($s0) # alloca
- srlg $fp,$fp,4 # convert bytes to blocks, minimum 16
- st${g} $s2,0($sp) # back-chain
- st${g} $fp,$SIZE_T($sp)
- slgr $len,$fp
- brc 1,.Lctr32_hw_switch # not zero, no borrow
- algr $fp,$len # input is shorter than allocated buffer
- lghi $len,0
- st${g} $fp,$SIZE_T($sp)
- .Lctr32_hw_switch:
- ___
- $code.=<<___ if (!$softonly && 0);# kmctr code was measured to be ~12% slower
- llgfr $s0,%r0
- lgr $s1,%r1
- larl %r1,OPENSSL_s390xcap_P
- llihh %r0,0x8000 # check if kmctr supports the function code
- srlg %r0,%r0,0($s0)
- ng %r0,S390X_KMCTR(%r1) # check kmctr capability vector
- lgr %r0,$s0
- lgr %r1,$s1
- jz .Lctr32_km_loop
- ####### kmctr code
- algr $out,$inp # restore $out
- lgr $s1,$len # $s1 undertakes $len
- j .Lctr32_kmctr_loop
- .align 16
- .Lctr32_kmctr_loop:
- la $s2,16($sp)
- lgr $s3,$fp
- .Lctr32_kmctr_prepare:
- stg $iv0,0($s2)
- stg $ivp,8($s2)
- la $s2,16($s2)
- ahi $ivp,1 # 32-bit increment, preserves upper half
- brct $s3,.Lctr32_kmctr_prepare
- #la $inp,0($inp) # inp
- sllg $len,$fp,4 # len
- #la $out,0($out) # out
- la $s2,16($sp) # iv
- .long 0xb92da042 # kmctr $out,$s2,$inp
- brc 1,.-4 # pay attention to "partial completion"
- slgr $s1,$fp
- brc 1,.Lctr32_kmctr_loop # not zero, no borrow
- algr $fp,$s1
- lghi $s1,0
- brc 4+1,.Lctr32_kmctr_loop # not zero
- l${g} $sp,0($sp)
- lm${g} %r6,$s3,6*$SIZE_T($sp)
- br $ra
- .align 16
- ___
- $code.=<<___ if (!$softonly);
- .Lctr32_km_loop:
- la $s2,16($sp)
- lgr $s3,$fp
- .Lctr32_km_prepare:
- stg $iv0,0($s2)
- stg $ivp,8($s2)
- la $s2,16($s2)
- ahi $ivp,1 # 32-bit increment, preserves upper half
- brct $s3,.Lctr32_km_prepare
- la $s0,16($sp) # inp
- sllg $s1,$fp,4 # len
- la $s2,16($sp) # out
- .long 0xb92e00a8 # km %r10,%r8
- brc 1,.-4 # pay attention to "partial completion"
- la $s2,16($sp)
- lgr $s3,$fp
- slgr $s2,$inp
- .Lctr32_km_xor:
- lg $s0,0($inp)
- lg $s1,8($inp)
- xg $s0,0($s2,$inp)
- xg $s1,8($s2,$inp)
- stg $s0,0($out,$inp)
- stg $s1,8($out,$inp)
- la $inp,16($inp)
- brct $s3,.Lctr32_km_xor
- slgr $len,$fp
- brc 1,.Lctr32_km_loop # not zero, no borrow
- algr $fp,$len
- lghi $len,0
- brc 4+1,.Lctr32_km_loop # not zero
- l${g} $s0,0($sp)
- l${g} $s1,$SIZE_T($sp)
- la $s2,16($sp)
- .Lctr32_km_zap:
- stg $s0,0($s2)
- stg $s0,8($s2)
- la $s2,16($s2)
- brct $s1,.Lctr32_km_zap
- la $sp,0($s0)
- lm${g} %r6,$s3,6*$SIZE_T($sp)
- br $ra
- .align 16
- .Lctr32_software:
- ___
- $code.=<<___;
- stm${g} $key,$ra,5*$SIZE_T($sp)
- sl${g}r $inp,$out
- larl $tbl,AES_Te
- llgf $t1,12($ivp)
- .Lctr32_loop:
- stm${g} $inp,$out,2*$SIZE_T($sp)
- llgf $s0,0($ivp)
- llgf $s1,4($ivp)
- llgf $s2,8($ivp)
- lgr $s3,$t1
- st $t1,16*$SIZE_T($sp)
- lgr %r4,$key
- bras $ra,_s390x_AES_encrypt
- lm${g} $inp,$ivp,2*$SIZE_T($sp)
- llgf $t1,16*$SIZE_T($sp)
- x $s0,0($inp,$out)
- x $s1,4($inp,$out)
- x $s2,8($inp,$out)
- x $s3,12($inp,$out)
- stm $s0,$s3,0($out)
- la $out,16($out)
- ahi $t1,1 # 32-bit increment
- brct $len,.Lctr32_loop
- lm${g} %r6,$ra,6*$SIZE_T($sp)
- br $ra
- .size AES_ctr32_encrypt,.-AES_ctr32_encrypt
- ___
- }
- ########################################################################
- # void AES_xts_encrypt(const unsigned char *inp, unsigned char *out,
- # size_t len, const AES_KEY *key1, const AES_KEY *key2,
- # const unsigned char iv[16]);
- #
- {
- my $inp="%r2";
- my $out="%r4"; # len and out are swapped
- my $len="%r3";
- my $key1="%r5"; # $i1
- my $key2="%r6"; # $i2
- my $fp="%r7"; # $i3
- my $tweak=16*$SIZE_T+16; # or $stdframe-16, bottom of the frame...
- $code.=<<___;
- .type _s390x_xts_km,\@function
- .align 16
- _s390x_xts_km:
- ___
- $code.=<<___ if(1);
- llgfr $s0,%r0 # put aside the function code
- lghi $s1,0x7f
- nr $s1,%r0
- larl %r1,OPENSSL_s390xcap_P
- llihh %r0,0x8000
- srlg %r0,%r0,32($s1) # check for 32+function code
- ng %r0,S390X_KM(%r1) # check km capability vector
- lgr %r0,$s0 # restore the function code
- la %r1,0($key1) # restore $key1
- jz .Lxts_km_vanilla
- lmg $i2,$i3,$tweak($sp) # put aside the tweak value
- algr $out,$inp
- oill %r0,32 # switch to xts function code
- aghi $s1,-18 #
- sllg $s1,$s1,3 # (function code - 18)*8, 0 or 16
- la %r1,$tweak-16($sp)
- slgr %r1,$s1 # parameter block position
- lmg $s0,$s3,0($key1) # load 256 bits of key material,
- stmg $s0,$s3,0(%r1) # and copy it to parameter block.
- # yes, it contains junk and overlaps
- # with the tweak in 128-bit case.
- # it's done to avoid conditional
- # branch.
- stmg $i2,$i3,$tweak($sp) # "re-seat" the tweak value
- .long 0xb92e0042 # km %r4,%r2
- brc 1,.-4 # pay attention to "partial completion"
- lrvg $s0,$tweak+0($sp) # load the last tweak
- lrvg $s1,$tweak+8($sp)
- stmg %r0,%r3,$tweak-32($sp) # wipe copy of the key
- nill %r0,0xffdf # switch back to original function code
- la %r1,0($key1) # restore pointer to $key1
- slgr $out,$inp
- llgc $len,2*$SIZE_T-1($sp)
- nill $len,0x0f # $len%=16
- br $ra
- .align 16
- .Lxts_km_vanilla:
- ___
- $code.=<<___;
- # prepare and allocate stack frame at the top of 4K page
- # with 1K reserved for eventual signal handling
- lghi $s0,-1024-256-16# guarantee at least 256-bytes buffer
- lghi $s1,-4096
- algr $s0,$sp
- lgr $fp,$sp
- ngr $s0,$s1 # align at page boundary
- slgr $fp,$s0 # total buffer size
- lgr $s2,$sp
- lghi $s1,1024+16 # sl[g]fi is extended-immediate facility
- slgr $fp,$s1 # deduct reservation to get usable buffer size
- # buffer size is at lest 256 and at most 3072+256-16
- la $sp,1024($s0) # alloca
- nill $fp,0xfff0 # round to 16*n
- st${g} $s2,0($sp) # back-chain
- nill $len,0xfff0 # redundant
- st${g} $fp,$SIZE_T($sp)
- slgr $len,$fp
- brc 1,.Lxts_km_go # not zero, no borrow
- algr $fp,$len # input is shorter than allocated buffer
- lghi $len,0
- st${g} $fp,$SIZE_T($sp)
- .Lxts_km_go:
- lrvg $s0,$tweak+0($s2) # load the tweak value in little-endian
- lrvg $s1,$tweak+8($s2)
- la $s2,16($sp) # vector of ascending tweak values
- slgr $s2,$inp
- srlg $s3,$fp,4
- j .Lxts_km_start
- .Lxts_km_loop:
- la $s2,16($sp)
- slgr $s2,$inp
- srlg $s3,$fp,4
- .Lxts_km_prepare:
- lghi $i1,0x87
- srag $i2,$s1,63 # broadcast upper bit
- ngr $i1,$i2 # rem
- algr $s0,$s0
- alcgr $s1,$s1
- xgr $s0,$i1
- .Lxts_km_start:
- lrvgr $i1,$s0 # flip byte order
- lrvgr $i2,$s1
- stg $i1,0($s2,$inp)
- stg $i2,8($s2,$inp)
- xg $i1,0($inp)
- xg $i2,8($inp)
- stg $i1,0($out,$inp)
- stg $i2,8($out,$inp)
- la $inp,16($inp)
- brct $s3,.Lxts_km_prepare
- slgr $inp,$fp # rewind $inp
- la $s2,0($out,$inp)
- lgr $s3,$fp
- .long 0xb92e00aa # km $s2,$s2
- brc 1,.-4 # pay attention to "partial completion"
- la $s2,16($sp)
- slgr $s2,$inp
- srlg $s3,$fp,4
- .Lxts_km_xor:
- lg $i1,0($out,$inp)
- lg $i2,8($out,$inp)
- xg $i1,0($s2,$inp)
- xg $i2,8($s2,$inp)
- stg $i1,0($out,$inp)
- stg $i2,8($out,$inp)
- la $inp,16($inp)
- brct $s3,.Lxts_km_xor
- slgr $len,$fp
- brc 1,.Lxts_km_loop # not zero, no borrow
- algr $fp,$len
- lghi $len,0
- brc 4+1,.Lxts_km_loop # not zero
- l${g} $i1,0($sp) # back-chain
- llgf $fp,`2*$SIZE_T-4`($sp) # bytes used
- la $i2,16($sp)
- srlg $fp,$fp,4
- .Lxts_km_zap:
- stg $i1,0($i2)
- stg $i1,8($i2)
- la $i2,16($i2)
- brct $fp,.Lxts_km_zap
- la $sp,0($i1)
- llgc $len,2*$SIZE_T-1($i1)
- nill $len,0x0f # $len%=16
- bzr $ra
- # generate one more tweak...
- lghi $i1,0x87
- srag $i2,$s1,63 # broadcast upper bit
- ngr $i1,$i2 # rem
- algr $s0,$s0
- alcgr $s1,$s1
- xgr $s0,$i1
- ltr $len,$len # clear zero flag
- br $ra
- .size _s390x_xts_km,.-_s390x_xts_km
- .globl AES_xts_encrypt
- .type AES_xts_encrypt,\@function
- .align 16
- AES_xts_encrypt:
- xgr %r3,%r4 # flip %r3 and %r4, $out and $len
- xgr %r4,%r3
- xgr %r3,%r4
- ___
- $code.=<<___ if ($SIZE_T==4);
- llgfr $len,$len
- ___
- $code.=<<___;
- st${g} $len,1*$SIZE_T($sp) # save copy of $len
- srag $len,$len,4 # formally wrong, because it expands
- # sign byte, but who can afford asking
- # to process more than 2^63-1 bytes?
- # I use it, because it sets condition
- # code...
- bcr 8,$ra # abort if zero (i.e. less than 16)
- ___
- $code.=<<___ if (!$softonly);
- llgf %r0,240($key2)
- lhi %r1,16
- clr %r0,%r1
- jl .Lxts_enc_software
- st${g} $ra,5*$SIZE_T($sp)
- stm${g} %r6,$s3,6*$SIZE_T($sp)
- sllg $len,$len,4 # $len&=~15
- slgr $out,$inp
- # generate the tweak value
- l${g} $s3,$stdframe($sp) # pointer to iv
- la $s2,$tweak($sp)
- lmg $s0,$s1,0($s3)
- lghi $s3,16
- stmg $s0,$s1,0($s2)
- la %r1,0($key2) # $key2 is not needed anymore
- .long 0xb92e00aa # km $s2,$s2, generate the tweak
- brc 1,.-4 # can this happen?
- l %r0,240($key1)
- la %r1,0($key1) # $key1 is not needed anymore
- bras $ra,_s390x_xts_km
- jz .Lxts_enc_km_done
- aghi $inp,-16 # take one step back
- la $i3,0($out,$inp) # put aside real $out
- .Lxts_enc_km_steal:
- llgc $i1,16($inp)
- llgc $i2,0($out,$inp)
- stc $i1,0($out,$inp)
- stc $i2,16($out,$inp)
- la $inp,1($inp)
- brct $len,.Lxts_enc_km_steal
- la $s2,0($i3)
- lghi $s3,16
- lrvgr $i1,$s0 # flip byte order
- lrvgr $i2,$s1
- xg $i1,0($s2)
- xg $i2,8($s2)
- stg $i1,0($s2)
- stg $i2,8($s2)
- .long 0xb92e00aa # km $s2,$s2
- brc 1,.-4 # can this happen?
- lrvgr $i1,$s0 # flip byte order
- lrvgr $i2,$s1
- xg $i1,0($i3)
- xg $i2,8($i3)
- stg $i1,0($i3)
- stg $i2,8($i3)
- .Lxts_enc_km_done:
- stg $sp,$tweak+0($sp) # wipe tweak
- stg $sp,$tweak+8($sp)
- l${g} $ra,5*$SIZE_T($sp)
- lm${g} %r6,$s3,6*$SIZE_T($sp)
- br $ra
- .align 16
- .Lxts_enc_software:
- ___
- $code.=<<___;
- stm${g} %r6,$ra,6*$SIZE_T($sp)
- slgr $out,$inp
- l${g} $s3,$stdframe($sp) # ivp
- llgf $s0,0($s3) # load iv
- llgf $s1,4($s3)
- llgf $s2,8($s3)
- llgf $s3,12($s3)
- stm${g} %r2,%r5,2*$SIZE_T($sp)
- la $key,0($key2)
- larl $tbl,AES_Te
- bras $ra,_s390x_AES_encrypt # generate the tweak
- lm${g} %r2,%r5,2*$SIZE_T($sp)
- stm $s0,$s3,$tweak($sp) # save the tweak
- j .Lxts_enc_enter
- .align 16
- .Lxts_enc_loop:
- lrvg $s1,$tweak+0($sp) # load the tweak in little-endian
- lrvg $s3,$tweak+8($sp)
- lghi %r1,0x87
- srag %r0,$s3,63 # broadcast upper bit
- ngr %r1,%r0 # rem
- algr $s1,$s1
- alcgr $s3,$s3
- xgr $s1,%r1
- lrvgr $s1,$s1 # flip byte order
- lrvgr $s3,$s3
- srlg $s0,$s1,32 # smash the tweak to 4x32-bits
- stg $s1,$tweak+0($sp) # save the tweak
- llgfr $s1,$s1
- srlg $s2,$s3,32
- stg $s3,$tweak+8($sp)
- llgfr $s3,$s3
- la $inp,16($inp) # $inp+=16
- .Lxts_enc_enter:
- x $s0,0($inp) # ^=*($inp)
- x $s1,4($inp)
- x $s2,8($inp)
- x $s3,12($inp)
- stm${g} %r2,%r3,2*$SIZE_T($sp) # only two registers are changing
- la $key,0($key1)
- bras $ra,_s390x_AES_encrypt
- lm${g} %r2,%r5,2*$SIZE_T($sp)
- x $s0,$tweak+0($sp) # ^=tweak
- x $s1,$tweak+4($sp)
- x $s2,$tweak+8($sp)
- x $s3,$tweak+12($sp)
- st $s0,0($out,$inp)
- st $s1,4($out,$inp)
- st $s2,8($out,$inp)
- st $s3,12($out,$inp)
- brct${g} $len,.Lxts_enc_loop
- llgc $len,`2*$SIZE_T-1`($sp)
- nill $len,0x0f # $len%16
- jz .Lxts_enc_done
- la $i3,0($inp,$out) # put aside real $out
- .Lxts_enc_steal:
- llgc %r0,16($inp)
- llgc %r1,0($out,$inp)
- stc %r0,0($out,$inp)
- stc %r1,16($out,$inp)
- la $inp,1($inp)
- brct $len,.Lxts_enc_steal
- la $out,0($i3) # restore real $out
- # generate last tweak...
- lrvg $s1,$tweak+0($sp) # load the tweak in little-endian
- lrvg $s3,$tweak+8($sp)
- lghi %r1,0x87
- srag %r0,$s3,63 # broadcast upper bit
- ngr %r1,%r0 # rem
- algr $s1,$s1
- alcgr $s3,$s3
- xgr $s1,%r1
- lrvgr $s1,$s1 # flip byte order
- lrvgr $s3,$s3
- srlg $s0,$s1,32 # smash the tweak to 4x32-bits
- stg $s1,$tweak+0($sp) # save the tweak
- llgfr $s1,$s1
- srlg $s2,$s3,32
- stg $s3,$tweak+8($sp)
- llgfr $s3,$s3
- x $s0,0($out) # ^=*(inp)|stolen cipther-text
- x $s1,4($out)
- x $s2,8($out)
- x $s3,12($out)
- st${g} $out,4*$SIZE_T($sp)
- la $key,0($key1)
- bras $ra,_s390x_AES_encrypt
- l${g} $out,4*$SIZE_T($sp)
- x $s0,`$tweak+0`($sp) # ^=tweak
- x $s1,`$tweak+4`($sp)
- x $s2,`$tweak+8`($sp)
- x $s3,`$tweak+12`($sp)
- st $s0,0($out)
- st $s1,4($out)
- st $s2,8($out)
- st $s3,12($out)
- .Lxts_enc_done:
- stg $sp,$tweak+0($sp) # wipe tweak
- stg $sp,$tweak+8($sp)
- lm${g} %r6,$ra,6*$SIZE_T($sp)
- br $ra
- .size AES_xts_encrypt,.-AES_xts_encrypt
- ___
- # void AES_xts_decrypt(const unsigned char *inp, unsigned char *out,
- # size_t len, const AES_KEY *key1, const AES_KEY *key2,
- # const unsigned char iv[16]);
- #
- $code.=<<___;
- .globl AES_xts_decrypt
- .type AES_xts_decrypt,\@function
- .align 16
- AES_xts_decrypt:
- xgr %r3,%r4 # flip %r3 and %r4, $out and $len
- xgr %r4,%r3
- xgr %r3,%r4
- ___
- $code.=<<___ if ($SIZE_T==4);
- llgfr $len,$len
- ___
- $code.=<<___;
- st${g} $len,1*$SIZE_T($sp) # save copy of $len
- aghi $len,-16
- bcr 4,$ra # abort if less than zero. formally
- # wrong, because $len is unsigned,
- # but who can afford asking to
- # process more than 2^63-1 bytes?
- tmll $len,0x0f
- jnz .Lxts_dec_proceed
- aghi $len,16
- .Lxts_dec_proceed:
- ___
- $code.=<<___ if (!$softonly);
- llgf %r0,240($key2)
- lhi %r1,16
- clr %r0,%r1
- jl .Lxts_dec_software
- st${g} $ra,5*$SIZE_T($sp)
- stm${g} %r6,$s3,6*$SIZE_T($sp)
- nill $len,0xfff0 # $len&=~15
- slgr $out,$inp
- # generate the tweak value
- l${g} $s3,$stdframe($sp) # pointer to iv
- la $s2,$tweak($sp)
- lmg $s0,$s1,0($s3)
- lghi $s3,16
- stmg $s0,$s1,0($s2)
- la %r1,0($key2) # $key2 is not needed past this point
- .long 0xb92e00aa # km $s2,$s2, generate the tweak
- brc 1,.-4 # can this happen?
- l %r0,240($key1)
- la %r1,0($key1) # $key1 is not needed anymore
- ltgr $len,$len
- jz .Lxts_dec_km_short
- bras $ra,_s390x_xts_km
- jz .Lxts_dec_km_done
- lrvgr $s2,$s0 # make copy in reverse byte order
- lrvgr $s3,$s1
- j .Lxts_dec_km_2ndtweak
- .Lxts_dec_km_short:
- llgc $len,`2*$SIZE_T-1`($sp)
- nill $len,0x0f # $len%=16
- lrvg $s0,$tweak+0($sp) # load the tweak
- lrvg $s1,$tweak+8($sp)
- lrvgr $s2,$s0 # make copy in reverse byte order
- lrvgr $s3,$s1
- .Lxts_dec_km_2ndtweak:
- lghi $i1,0x87
- srag $i2,$s1,63 # broadcast upper bit
- ngr $i1,$i2 # rem
- algr $s0,$s0
- alcgr $s1,$s1
- xgr $s0,$i1
- lrvgr $i1,$s0 # flip byte order
- lrvgr $i2,$s1
- xg $i1,0($inp)
- xg $i2,8($inp)
- stg $i1,0($out,$inp)
- stg $i2,8($out,$inp)
- la $i2,0($out,$inp)
- lghi $i3,16
- .long 0xb92e0066 # km $i2,$i2
- brc 1,.-4 # can this happen?
- lrvgr $i1,$s0
- lrvgr $i2,$s1
- xg $i1,0($out,$inp)
- xg $i2,8($out,$inp)
- stg $i1,0($out,$inp)
- stg $i2,8($out,$inp)
- la $i3,0($out,$inp) # put aside real $out
- .Lxts_dec_km_steal:
- llgc $i1,16($inp)
- llgc $i2,0($out,$inp)
- stc $i1,0($out,$inp)
- stc $i2,16($out,$inp)
- la $inp,1($inp)
- brct $len,.Lxts_dec_km_steal
- lgr $s0,$s2
- lgr $s1,$s3
- xg $s0,0($i3)
- xg $s1,8($i3)
- stg $s0,0($i3)
- stg $s1,8($i3)
- la $s0,0($i3)
- lghi $s1,16
- .long 0xb92e0088 # km $s0,$s0
- brc 1,.-4 # can this happen?
- xg $s2,0($i3)
- xg $s3,8($i3)
- stg $s2,0($i3)
- stg $s3,8($i3)
- .Lxts_dec_km_done:
- stg $sp,$tweak+0($sp) # wipe tweak
- stg $sp,$tweak+8($sp)
- l${g} $ra,5*$SIZE_T($sp)
- lm${g} %r6,$s3,6*$SIZE_T($sp)
- br $ra
- .align 16
- .Lxts_dec_software:
- ___
- $code.=<<___;
- stm${g} %r6,$ra,6*$SIZE_T($sp)
- srlg $len,$len,4
- slgr $out,$inp
- l${g} $s3,$stdframe($sp) # ivp
- llgf $s0,0($s3) # load iv
- llgf $s1,4($s3)
- llgf $s2,8($s3)
- llgf $s3,12($s3)
- stm${g} %r2,%r5,2*$SIZE_T($sp)
- la $key,0($key2)
- larl $tbl,AES_Te
- bras $ra,_s390x_AES_encrypt # generate the tweak
- lm${g} %r2,%r5,2*$SIZE_T($sp)
- larl $tbl,AES_Td
- lt${g}r $len,$len
- stm $s0,$s3,$tweak($sp) # save the tweak
- jz .Lxts_dec_short
- j .Lxts_dec_enter
- .align 16
- .Lxts_dec_loop:
- lrvg $s1,$tweak+0($sp) # load the tweak in little-endian
- lrvg $s3,$tweak+8($sp)
- lghi %r1,0x87
- srag %r0,$s3,63 # broadcast upper bit
- ngr %r1,%r0 # rem
- algr $s1,$s1
- alcgr $s3,$s3
- xgr $s1,%r1
- lrvgr $s1,$s1 # flip byte order
- lrvgr $s3,$s3
- srlg $s0,$s1,32 # smash the tweak to 4x32-bits
- stg $s1,$tweak+0($sp) # save the tweak
- llgfr $s1,$s1
- srlg $s2,$s3,32
- stg $s3,$tweak+8($sp)
- llgfr $s3,$s3
- .Lxts_dec_enter:
- x $s0,0($inp) # tweak^=*(inp)
- x $s1,4($inp)
- x $s2,8($inp)
- x $s3,12($inp)
- stm${g} %r2,%r3,2*$SIZE_T($sp) # only two registers are changing
- la $key,0($key1)
- bras $ra,_s390x_AES_decrypt
- lm${g} %r2,%r5,2*$SIZE_T($sp)
- x $s0,$tweak+0($sp) # ^=tweak
- x $s1,$tweak+4($sp)
- x $s2,$tweak+8($sp)
- x $s3,$tweak+12($sp)
- st $s0,0($out,$inp)
- st $s1,4($out,$inp)
- st $s2,8($out,$inp)
- st $s3,12($out,$inp)
- la $inp,16($inp)
- brct${g} $len,.Lxts_dec_loop
- llgc $len,`2*$SIZE_T-1`($sp)
- nill $len,0x0f # $len%16
- jz .Lxts_dec_done
- # generate pair of tweaks...
- lrvg $s1,$tweak+0($sp) # load the tweak in little-endian
- lrvg $s3,$tweak+8($sp)
- lghi %r1,0x87
- srag %r0,$s3,63 # broadcast upper bit
- ngr %r1,%r0 # rem
- algr $s1,$s1
- alcgr $s3,$s3
- xgr $s1,%r1
- lrvgr $i2,$s1 # flip byte order
- lrvgr $i3,$s3
- stmg $i2,$i3,$tweak($sp) # save the 1st tweak
- j .Lxts_dec_2ndtweak
- .align 16
- .Lxts_dec_short:
- llgc $len,`2*$SIZE_T-1`($sp)
- nill $len,0x0f # $len%16
- lrvg $s1,$tweak+0($sp) # load the tweak in little-endian
- lrvg $s3,$tweak+8($sp)
- .Lxts_dec_2ndtweak:
- lghi %r1,0x87
- srag %r0,$s3,63 # broadcast upper bit
- ngr %r1,%r0 # rem
- algr $s1,$s1
- alcgr $s3,$s3
- xgr $s1,%r1
- lrvgr $s1,$s1 # flip byte order
- lrvgr $s3,$s3
- srlg $s0,$s1,32 # smash the tweak to 4x32-bits
- stg $s1,$tweak-16+0($sp) # save the 2nd tweak
- llgfr $s1,$s1
- srlg $s2,$s3,32
- stg $s3,$tweak-16+8($sp)
- llgfr $s3,$s3
- x $s0,0($inp) # tweak_the_2nd^=*(inp)
- x $s1,4($inp)
- x $s2,8($inp)
- x $s3,12($inp)
- stm${g} %r2,%r3,2*$SIZE_T($sp)
- la $key,0($key1)
- bras $ra,_s390x_AES_decrypt
- lm${g} %r2,%r5,2*$SIZE_T($sp)
- x $s0,$tweak-16+0($sp) # ^=tweak_the_2nd
- x $s1,$tweak-16+4($sp)
- x $s2,$tweak-16+8($sp)
- x $s3,$tweak-16+12($sp)
- st $s0,0($out,$inp)
- st $s1,4($out,$inp)
- st $s2,8($out,$inp)
- st $s3,12($out,$inp)
- la $i3,0($out,$inp) # put aside real $out
- .Lxts_dec_steal:
- llgc %r0,16($inp)
- llgc %r1,0($out,$inp)
- stc %r0,0($out,$inp)
- stc %r1,16($out,$inp)
- la $inp,1($inp)
- brct $len,.Lxts_dec_steal
- la $out,0($i3) # restore real $out
- lm $s0,$s3,$tweak($sp) # load the 1st tweak
- x $s0,0($out) # tweak^=*(inp)|stolen cipher-text
- x $s1,4($out)
- x $s2,8($out)
- x $s3,12($out)
- st${g} $out,4*$SIZE_T($sp)
- la $key,0($key1)
- bras $ra,_s390x_AES_decrypt
- l${g} $out,4*$SIZE_T($sp)
- x $s0,$tweak+0($sp) # ^=tweak
- x $s1,$tweak+4($sp)
- x $s2,$tweak+8($sp)
- x $s3,$tweak+12($sp)
- st $s0,0($out)
- st $s1,4($out)
- st $s2,8($out)
- st $s3,12($out)
- stg $sp,$tweak-16+0($sp) # wipe 2nd tweak
- stg $sp,$tweak-16+8($sp)
- .Lxts_dec_done:
- stg $sp,$tweak+0($sp) # wipe tweak
- stg $sp,$tweak+8($sp)
- lm${g} %r6,$ra,6*$SIZE_T($sp)
- br $ra
- .size AES_xts_decrypt,.-AES_xts_decrypt
- ___
- }
- $code.=<<___;
- .string "AES for s390x, CRYPTOGAMS by <appro\@openssl.org>"
- ___
- $code =~ s/\`([^\`]*)\`/eval $1/gem;
- print $code;
- close STDOUT or die "error closing STDOUT: $!"; # force flush
|