openssl/crypto/aes/asm/aes-s390x.pl

#! /usr/bin/env perl
# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


# ====================================================================
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
# ====================================================================

# AES for s390x.

# April 2007.
#
# Software performance improvement over gcc-generated code is ~70% and
# in absolute terms is ~73 cycles per byte processed with 128-bit key.
# You're likely to exclaim "why so slow?" Keep in mind that z-CPUs are
# *strictly* in-order execution and issued instruction [in this case
# load value from memory is critical] has to complete before execution
# flow proceeds. S-boxes are compressed to 2KB[+256B].
#
# As for hardware acceleration support. It's basically a "teaser," as
# it can and should be improved in several ways. Most notably support
# for CBC is not utilized, nor multiple blocks are ever processed.
# Then software key schedule can be postponed till hardware support
# detection... Performance improvement over assembler is reportedly
# ~2.5x, but can reach >8x [naturally on larger chunks] if proper
# support is implemented.

# May 2007.
#
# Implement AES_set_[en|de]crypt_key. Key schedule setup is avoided
# for 128-bit keys, if hardware support is detected.

# Januray 2009.
#
# Add support for hardware AES192/256 and reschedule instructions to
# minimize/avoid Address Generation Interlock hazard and to favour
# dual-issue z10 pipeline. This gave ~25% improvement on z10 and
# almost 50% on z9. The gain is smaller on z10, because being dual-
# issue z10 makes it impossible to eliminate the interlock condition:
# critial path is not long enough. Yet it spends ~24 cycles per byte
# processed with 128-bit key.
#
# Unlike previous version hardware support detection takes place only
# at the moment of key schedule setup, which is denoted in key->rounds.
# This is done, because deferred key setup can't be made MT-safe, not
# for keys longer than 128 bits.
#
# Add AES_cbc_encrypt, which gives incredible performance improvement,
# it was measured to be ~6.6x. It's less than previously mentioned 8x,
# because software implementation was optimized.

# May 2010.
#
# Add AES_ctr32_encrypt. If hardware-assisted, it provides up to 4.3x
# performance improvement over "generic" counter mode routine relying
# on single-block, also hardware-assisted, AES_encrypt. "Up to" refers
# to the fact that exact throughput value depends on current stack
# frame alignment within 4KB page. In worst case you get ~75% of the
# maximum, but *on average* it would be as much as ~98%. Meaning that
# worst case is unlike, it's like hitting ravine on plateau.

# November 2010.
#
# Adapt for -m31 build. If kernel supports what's called "highgprs"
# feature on Linux [see /proc/cpuinfo], it's possible to use 64-bit
# instructions and achieve "64-bit" performance even in 31-bit legacy
# application context. The feature is not specific to any particular
# processor, as long as it's "z-CPU". Latter implies that the code
# remains z/Architecture specific. On z990 it was measured to perform
# 2x better than code generated by gcc 4.3.

# December 2010.
#
# Add support for z196 "cipher message with counter" instruction.
# Note however that it's disengaged, because it was measured to
# perform ~12% worse than vanilla km-based code...

# February 2011.
#
# Add AES_xts_[en|de]crypt. This includes support for z196 km-xts-aes
# instructions, which deliver ~70% improvement at 8KB block size over
# vanilla km-based code, 37% - at most like 512-bytes block size.

$flavour = shift;

if ($flavour =~ /3[12]/) {
	$SIZE_T=4;
	$g="";
} else {
	$SIZE_T=8;
	$g="g";
}

while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
open STDOUT,">$output";

$softonly=0;	# allow hardware support

$t0="%r0";	$mask="%r0";
$t1="%r1";
$t2="%r2";	$inp="%r2";
$t3="%r3";	$out="%r3";	$bits="%r3";
$key="%r4";
$i1="%r5";
$i2="%r6";
$i3="%r7";
$s0="%r8";
$s1="%r9";
$s2="%r10";
$s3="%r11";
$tbl="%r12";
$rounds="%r13";
$ra="%r14";
$sp="%r15";

$stdframe=16*$SIZE_T+4*8;

sub _data_word()
{ my $i;
    while(defined($i=shift)) { $code.=sprintf".long\t0x%08x,0x%08x\n",$i,$i; }
}

$code=<<___;
#include "s390x_arch.h"

.text

.type	AES_Te,\@object
.align	256
AES_Te:
___
&_data_word(
	0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d,
	0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554,
	0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d,
	0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a,
	0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87,
	0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b,
	0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea,
	0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b,
	0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a,
	0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f,
	0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108,
	0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f,
	0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e,
	0x30181828, 0x379696a1, 0x0a05050f, 0x2f9a9ab5,
	0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d,
	0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f,
	0x1209091b, 0x1d83839e, 0x582c2c74, 0x341a1a2e,
	0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb,
	0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce,
	0x5229297b, 0xdde3e33e, 0x5e2f2f71, 0x13848497,
	0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c,
	0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed,
	0xd46a6abe, 0x8dcbcb46, 0x67bebed9, 0x7239394b,
	0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a,
	0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16,
	0x864343c5, 0x9a4d4dd7, 0x66333355, 0x11858594,
	0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81,
	0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3,
	0xa25151f3, 0x5da3a3fe, 0x804040c0, 0x058f8f8a,
	0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504,
	0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163,
	0x20101030, 0xe5ffff1a, 0xfdf3f30e, 0xbfd2d26d,
	0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f,
	0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739,
	0x93c4c457, 0x55a7a7f2, 0xfc7e7e82, 0x7a3d3d47,
	0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395,
	0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f,
	0x44222266, 0x542a2a7e, 0x3b9090ab, 0x0b888883,
	0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c,
	0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76,
	0xdbe0e03b, 0x64323256, 0x743a3a4e, 0x140a0a1e,
	0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4,
	0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6,
	0x399191a8, 0x319595a4, 0xd3e4e437, 0xf279798b,
	0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7,
	0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0,
	0xd86c6cb4, 0xac5656fa, 0xf3f4f407, 0xcfeaea25,
	0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818,
	0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72,
	0x381c1c24, 0x57a6a6f1, 0x73b4b4c7, 0x97c6c651,
	0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21,
	0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85,
	0xe0707090, 0x7c3e3e42, 0x71b5b5c4, 0xcc6666aa,
	0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12,
	0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0,
	0x17868691, 0x99c1c158, 0x3a1d1d27, 0x279e9eb9,
	0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133,
	0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7,
	0x2d9b9bb6, 0x3c1e1e22, 0x15878792, 0xc9e9e920,
	0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a,
	0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17,
	0x65bfbfda, 0xd7e6e631, 0x844242c6, 0xd06868b8,
	0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11,
	0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a);
$code.=<<___;
# Te4[256]
.byte	0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5
.byte	0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76
.byte	0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0
.byte	0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0
.byte	0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc
.byte	0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15
.byte	0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a
.byte	0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75
.byte	0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0
.byte	0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84
.byte	0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b
.byte	0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf
.byte	0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85
.byte	0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8
.byte	0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5
.byte	0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2
.byte	0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17
.byte	0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73
.byte	0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88
.byte	0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb
.byte	0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c
.byte	0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79
.byte	0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9
.byte	0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08
.byte	0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6
.byte	0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a
.byte	0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e
.byte	0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e
.byte	0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94
.byte	0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf
.byte	0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68
.byte	0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
# rcon[]
.long	0x01000000, 0x02000000, 0x04000000, 0x08000000
.long	0x10000000, 0x20000000, 0x40000000, 0x80000000
.long	0x1B000000, 0x36000000, 0, 0, 0, 0, 0, 0
.align	256
.size	AES_Te,.-AES_Te

# void AES_encrypt(const unsigned char *inp, unsigned char *out,
# 		 const AES_KEY *key) {
.globl	AES_encrypt
.type	AES_encrypt,\@function
AES_encrypt:
___
$code.=<<___ if (!$softonly);
	l	%r0,240($key)
	lhi	%r1,16
	clr	%r0,%r1
	jl	.Lesoft

	la	%r1,0($key)
	#la	%r2,0($inp)
	la	%r4,0($out)
	lghi	%r3,16		# single block length
	.long	0xb92e0042	# km %r4,%r2
	brc	1,.-4		# can this happen?
	br	%r14
.align	64
.Lesoft:
___
$code.=<<___;
	stm${g}	%r3,$ra,3*$SIZE_T($sp)

	llgf	$s0,0($inp)
	llgf	$s1,4($inp)
	llgf	$s2,8($inp)
	llgf	$s3,12($inp)

	larl	$tbl,AES_Te
	bras	$ra,_s390x_AES_encrypt

	l${g}	$out,3*$SIZE_T($sp)
	st	$s0,0($out)
	st	$s1,4($out)
	st	$s2,8($out)
	st	$s3,12($out)

	lm${g}	%r6,$ra,6*$SIZE_T($sp)
	br	$ra
.size	AES_encrypt,.-AES_encrypt

.type   _s390x_AES_encrypt,\@function
.align	16
_s390x_AES_encrypt:
	st${g}	$ra,15*$SIZE_T($sp)
	x	$s0,0($key)
	x	$s1,4($key)
	x	$s2,8($key)
	x	$s3,12($key)
	l	$rounds,240($key)
	llill	$mask,`0xff<<3`
	aghi	$rounds,-1
	j	.Lenc_loop
.align	16
.Lenc_loop:
	sllg	$t1,$s0,`0+3`
	srlg	$t2,$s0,`8-3`
	srlg	$t3,$s0,`16-3`
	srl	$s0,`24-3`
	nr	$s0,$mask
	ngr	$t1,$mask
	nr	$t2,$mask
	nr	$t3,$mask

	srlg	$i1,$s1,`16-3`	# i0
	sllg	$i2,$s1,`0+3`
	srlg	$i3,$s1,`8-3`
	srl	$s1,`24-3`
	nr	$i1,$mask
	nr	$s1,$mask
	ngr	$i2,$mask
	nr	$i3,$mask

	l	$s0,0($s0,$tbl)	# Te0[s0>>24]
	l	$t1,1($t1,$tbl)	# Te3[s0>>0]
	l	$t2,2($t2,$tbl) # Te2[s0>>8]
	l	$t3,3($t3,$tbl)	# Te1[s0>>16]

	x	$s0,3($i1,$tbl)	# Te1[s1>>16]
	l	$s1,0($s1,$tbl)	# Te0[s1>>24]
	x	$t2,1($i2,$tbl)	# Te3[s1>>0]
	x	$t3,2($i3,$tbl)	# Te2[s1>>8]

	srlg	$i1,$s2,`8-3`	# i0
	srlg	$i2,$s2,`16-3`	# i1
	nr	$i1,$mask
	nr	$i2,$mask
	sllg	$i3,$s2,`0+3`
	srl	$s2,`24-3`
	nr	$s2,$mask
	ngr	$i3,$mask

	xr	$s1,$t1
	srlg	$ra,$s3,`8-3`	# i1
	sllg	$t1,$s3,`0+3`	# i0
	nr	$ra,$mask
	la	$key,16($key)
	ngr	$t1,$mask

	x	$s0,2($i1,$tbl)	# Te2[s2>>8]
	x	$s1,3($i2,$tbl)	# Te1[s2>>16]
	l	$s2,0($s2,$tbl)	# Te0[s2>>24]
	x	$t3,1($i3,$tbl)	# Te3[s2>>0]

	srlg	$i3,$s3,`16-3`	# i2
	xr	$s2,$t2
	srl	$s3,`24-3`
	nr	$i3,$mask
	nr	$s3,$mask

	x	$s0,0($key)
	x	$s1,4($key)
	x	$s2,8($key)
	x	$t3,12($key)

	x	$s0,1($t1,$tbl)	# Te3[s3>>0]
	x	$s1,2($ra,$tbl)	# Te2[s3>>8]
	x	$s2,3($i3,$tbl)	# Te1[s3>>16]
	l	$s3,0($s3,$tbl)	# Te0[s3>>24]
	xr	$s3,$t3

	brct	$rounds,.Lenc_loop
	.align	16

	sllg	$t1,$s0,`0+3`
	srlg	$t2,$s0,`8-3`
	ngr	$t1,$mask
	srlg	$t3,$s0,`16-3`
	srl	$s0,`24-3`
	nr	$s0,$mask
	nr	$t2,$mask
	nr	$t3,$mask

	srlg	$i1,$s1,`16-3`	# i0
	sllg	$i2,$s1,`0+3`
	ngr	$i2,$mask
	srlg	$i3,$s1,`8-3`
	srl	$s1,`24-3`
	nr	$i1,$mask
	nr	$s1,$mask
	nr	$i3,$mask

	llgc	$s0,2($s0,$tbl)	# Te4[s0>>24]
	llgc	$t1,2($t1,$tbl)	# Te4[s0>>0]
	sll	$s0,24
	llgc	$t2,2($t2,$tbl)	# Te4[s0>>8]
	llgc	$t3,2($t3,$tbl)	# Te4[s0>>16]
	sll	$t2,8
	sll	$t3,16

	llgc	$i1,2($i1,$tbl)	# Te4[s1>>16]
	llgc	$s1,2($s1,$tbl)	# Te4[s1>>24]
	llgc	$i2,2($i2,$tbl)	# Te4[s1>>0]
	llgc	$i3,2($i3,$tbl)	# Te4[s1>>8]
	sll	$i1,16
	sll	$s1,24
	sll	$i3,8
	or	$s0,$i1
	or	$s1,$t1
	or	$t2,$i2
	or	$t3,$i3

	srlg	$i1,$s2,`8-3`	# i0
	srlg	$i2,$s2,`16-3`	# i1
	nr	$i1,$mask
	nr	$i2,$mask
	sllg	$i3,$s2,`0+3`
	srl	$s2,`24-3`
	ngr	$i3,$mask
	nr	$s2,$mask

	sllg	$t1,$s3,`0+3`	# i0
	srlg	$ra,$s3,`8-3`	# i1
	ngr	$t1,$mask

	llgc	$i1,2($i1,$tbl)	# Te4[s2>>8]
	llgc	$i2,2($i2,$tbl)	# Te4[s2>>16]
	sll	$i1,8
	llgc	$s2,2($s2,$tbl)	# Te4[s2>>24]
	llgc	$i3,2($i3,$tbl)	# Te4[s2>>0]
	sll	$i2,16
	nr	$ra,$mask
	sll	$s2,24
	or	$s0,$i1
	or	$s1,$i2
	or	$s2,$t2
	or	$t3,$i3

	srlg	$i3,$s3,`16-3`	# i2
	srl	$s3,`24-3`
	nr	$i3,$mask
	nr	$s3,$mask

	l	$t0,16($key)
	l	$t2,20($key)

	llgc	$i1,2($t1,$tbl)	# Te4[s3>>0]
	llgc	$i2,2($ra,$tbl)	# Te4[s3>>8]
	llgc	$i3,2($i3,$tbl)	# Te4[s3>>16]
	llgc	$s3,2($s3,$tbl)	# Te4[s3>>24]
	sll	$i2,8
	sll	$i3,16
	sll	$s3,24
	or	$s0,$i1
	or	$s1,$i2
	or	$s2,$i3
	or	$s3,$t3

	l${g}	$ra,15*$SIZE_T($sp)
	xr	$s0,$t0
	xr	$s1,$t2
	x	$s2,24($key)
	x	$s3,28($key)

	br	$ra
.size	_s390x_AES_encrypt,.-_s390x_AES_encrypt
___

$code.=<<___;
.type	AES_Td,\@object
.align	256
AES_Td:
___
&_data_word(
	0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96,
	0x3bab6bcb, 0x1f9d45f1, 0xacfa58ab, 0x4be30393,
	0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25,
	0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f,
	0xdeb15a49, 0x25ba1b67, 0x45ea0e98, 0x5dfec0e1,
	0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6,
	0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da,
	0xd4be832d, 0x587421d3, 0x49e06929, 0x8ec9c844,
	0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd,
	0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4,
	0x63df4a18, 0xe51a3182, 0x97513360, 0x62537f45,
	0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94,
	0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7,
	0xab73d323, 0x724b02e2, 0xe31f8f57, 0x6655ab2a,
	0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5,
	0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c,
	0x8acf1c2b, 0xa779b492, 0xf307f2f0, 0x4e69e2a1,
	0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a,
	0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75,
	0x0b83ec39, 0x4060efaa, 0x5e719f06, 0xbd6e1051,
	0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46,
	0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff,
	0x1998fb24, 0xd6bde997, 0x894043cc, 0x67d99e77,
	0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb,
	0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000,
	0x09808683, 0x322bed48, 0x1e1170ac, 0x6c5a724e,
	0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927,
	0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a,
	0x0c0a67b1, 0x9357e70f, 0xb4ee96d2, 0x1b9b919e,
	0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16,
	0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d,
	0x0e090d0b, 0xf28bc7ad, 0x2db6a8b9, 0x141ea9c8,
	0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd,
	0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34,
	0x8b432976, 0xcb23c6dc, 0xb6edfc68, 0xb8e4f163,
	0xd731dcca, 0x42638510, 0x13972240, 0x84c61120,
	0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d,
	0x1d9e2f4b, 0xdcb230f3, 0x0d8652ec, 0x77c1e3d0,
	0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422,
	0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef,
	0x87494ec7, 0xd938d1c1, 0x8ccaa2fe, 0x98d40b36,
	0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4,
	0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662,
	0xf68d13c2, 0x90d8b8e8, 0x2e39f75e, 0x82c3aff5,
	0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3,
	0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b,
	0xcd267809, 0x6e5918f4, 0xec9ab701, 0x834f9aa8,
	0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6,
	0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6,
	0x31a4b2af, 0x2a3f2331, 0xc6a59430, 0x35a266c0,
	0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815,
	0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f,
	0x764dd68d, 0x43efb04d, 0xccaa4d54, 0xe49604df,
	0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f,
	0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e,
	0xb3671d5a, 0x92dbd252, 0xe9105633, 0x6dd64713,
	0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89,
	0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c,
	0x9cd2df59, 0x55f2733f, 0x1814ce79, 0x73c737bf,
	0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86,
	0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f,
	0x161dc372, 0xbce2250c, 0x283c498b, 0xff0d9541,
	0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190,
	0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742);
$code.=<<___;
# Td4[256]
.byte	0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38
.byte	0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb
.byte	0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87
.byte	0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb
.byte	0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d
.byte	0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e
.byte	0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2
.byte	0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25
.byte	0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16
.byte	0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92
.byte	0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda
.byte	0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84
.byte	0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a
.byte	0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06
.byte	0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02
.byte	0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b
.byte	0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea
.byte	0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73
.byte	0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85
.byte	0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e
.byte	0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89
.byte	0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b
.byte	0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20
.byte	0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4
.byte	0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31
.byte	0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f
.byte	0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d
.byte	0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef
.byte	0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0
.byte	0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61
.byte	0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26
.byte	0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
.size	AES_Td,.-AES_Td

# void AES_decrypt(const unsigned char *inp, unsigned char *out,
# 		 const AES_KEY *key) {
.globl	AES_decrypt
.type	AES_decrypt,\@function
AES_decrypt:
___
$code.=<<___ if (!$softonly);
	l	%r0,240($key)
	lhi	%r1,16
	clr	%r0,%r1
	jl	.Ldsoft

	la	%r1,0($key)
	#la	%r2,0($inp)
	la	%r4,0($out)
	lghi	%r3,16		# single block length
	.long	0xb92e0042	# km %r4,%r2
	brc	1,.-4		# can this happen?
	br	%r14
.align	64
.Ldsoft:
___
$code.=<<___;
	stm${g}	%r3,$ra,3*$SIZE_T($sp)

	llgf	$s0,0($inp)
	llgf	$s1,4($inp)
	llgf	$s2,8($inp)
	llgf	$s3,12($inp)

	larl	$tbl,AES_Td
	bras	$ra,_s390x_AES_decrypt

	l${g}	$out,3*$SIZE_T($sp)
	st	$s0,0($out)
	st	$s1,4($out)
	st	$s2,8($out)
	st	$s3,12($out)

	lm${g}	%r6,$ra,6*$SIZE_T($sp)
	br	$ra
.size	AES_decrypt,.-AES_decrypt

.type   _s390x_AES_decrypt,\@function
.align	16
_s390x_AES_decrypt:
	st${g}	$ra,15*$SIZE_T($sp)
	x	$s0,0($key)
	x	$s1,4($key)
	x	$s2,8($key)
	x	$s3,12($key)
	l	$rounds,240($key)
	llill	$mask,`0xff<<3`
	aghi	$rounds,-1
	j	.Ldec_loop
.align	16
.Ldec_loop:
	srlg	$t1,$s0,`16-3`
	srlg	$t2,$s0,`8-3`
	sllg	$t3,$s0,`0+3`
	srl	$s0,`24-3`
	nr	$s0,$mask
	nr	$t1,$mask
	nr	$t2,$mask
	ngr	$t3,$mask

	sllg	$i1,$s1,`0+3`	# i0
	srlg	$i2,$s1,`16-3`
	srlg	$i3,$s1,`8-3`
	srl	$s1,`24-3`
	ngr	$i1,$mask
	nr	$s1,$mask
	nr	$i2,$mask
	nr	$i3,$mask

	l	$s0,0($s0,$tbl)	# Td0[s0>>24]
	l	$t1,3($t1,$tbl)	# Td1[s0>>16]
	l	$t2,2($t2,$tbl)	# Td2[s0>>8]
	l	$t3,1($t3,$tbl)	# Td3[s0>>0]

	x	$s0,1($i1,$tbl)	# Td3[s1>>0]
	l	$s1,0($s1,$tbl)	# Td0[s1>>24]
	x	$t2,3($i2,$tbl)	# Td1[s1>>16]
	x	$t3,2($i3,$tbl)	# Td2[s1>>8]

	srlg	$i1,$s2,`8-3`	# i0
	sllg	$i2,$s2,`0+3`	# i1
	srlg	$i3,$s2,`16-3`
	srl	$s2,`24-3`
	nr	$i1,$mask
	ngr	$i2,$mask
	nr	$s2,$mask
	nr	$i3,$mask

	xr	$s1,$t1
	srlg	$ra,$s3,`8-3`	# i1
	srlg	$t1,$s3,`16-3`	# i0
	nr	$ra,$mask
	la	$key,16($key)
	nr	$t1,$mask

	x	$s0,2($i1,$tbl)	# Td2[s2>>8]
	x	$s1,1($i2,$tbl)	# Td3[s2>>0]
	l	$s2,0($s2,$tbl)	# Td0[s2>>24]
	x	$t3,3($i3,$tbl)	# Td1[s2>>16]

	sllg	$i3,$s3,`0+3`	# i2
	srl	$s3,`24-3`
	ngr	$i3,$mask
	nr	$s3,$mask

	xr	$s2,$t2
	x	$s0,0($key)
	x	$s1,4($key)
	x	$s2,8($key)
	x	$t3,12($key)

	x	$s0,3($t1,$tbl)	# Td1[s3>>16]
	x	$s1,2($ra,$tbl)	# Td2[s3>>8]
	x	$s2,1($i3,$tbl)	# Td3[s3>>0]
	l	$s3,0($s3,$tbl)	# Td0[s3>>24]
	xr	$s3,$t3

	brct	$rounds,.Ldec_loop
	.align	16

	l	$t1,`2048+0`($tbl)	# prefetch Td4
	l	$t2,`2048+64`($tbl)
	l	$t3,`2048+128`($tbl)
	l	$i1,`2048+192`($tbl)
	llill	$mask,0xff

	srlg	$i3,$s0,24	# i0
	srlg	$t1,$s0,16
	srlg	$t2,$s0,8
	nr	$s0,$mask	# i3
	nr	$t1,$mask

	srlg	$i1,$s1,24
	nr	$t2,$mask
	srlg	$i2,$s1,16
	srlg	$ra,$s1,8
	nr	$s1,$mask	# i0
	nr	$i2,$mask
	nr	$ra,$mask

	llgc	$i3,2048($i3,$tbl)	# Td4[s0>>24]
	llgc	$t1,2048($t1,$tbl)	# Td4[s0>>16]
	llgc	$t2,2048($t2,$tbl)	# Td4[s0>>8]
	sll	$t1,16
	llgc	$t3,2048($s0,$tbl)	# Td4[s0>>0]
	sllg	$s0,$i3,24
	sll	$t2,8

	llgc	$s1,2048($s1,$tbl)	# Td4[s1>>0]
	llgc	$i1,2048($i1,$tbl)	# Td4[s1>>24]
	llgc	$i2,2048($i2,$tbl)	# Td4[s1>>16]
	sll	$i1,24
	llgc	$i3,2048($ra,$tbl)	# Td4[s1>>8]
	sll	$i2,16
	sll	$i3,8
	or	$s0,$s1
	or	$t1,$i1
	or	$t2,$i2
	or	$t3,$i3

	srlg	$i1,$s2,8	# i0
	srlg	$i2,$s2,24
	srlg	$i3,$s2,16
	nr	$s2,$mask	# i1
	nr	$i1,$mask
	nr	$i3,$mask
	llgc	$i1,2048($i1,$tbl)	# Td4[s2>>8]
	llgc	$s1,2048($s2,$tbl)	# Td4[s2>>0]
	llgc	$i2,2048($i2,$tbl)	# Td4[s2>>24]
	llgc	$i3,2048($i3,$tbl)	# Td4[s2>>16]
	sll	$i1,8
	sll	$i2,24
	or	$s0,$i1
	sll	$i3,16
	or	$t2,$i2
	or	$t3,$i3

	srlg	$i1,$s3,16	# i0
	srlg	$i2,$s3,8	# i1
	srlg	$i3,$s3,24
	nr	$s3,$mask	# i2
	nr	$i1,$mask
	nr	$i2,$mask

	l${g}	$ra,15*$SIZE_T($sp)
	or	$s1,$t1
	l	$t0,16($key)
	l	$t1,20($key)

	llgc	$i1,2048($i1,$tbl)	# Td4[s3>>16]
	llgc	$i2,2048($i2,$tbl)	# Td4[s3>>8]
	sll	$i1,16
	llgc	$s2,2048($s3,$tbl)	# Td4[s3>>0]
	llgc	$s3,2048($i3,$tbl)	# Td4[s3>>24]
	sll	$i2,8
	sll	$s3,24
	or	$s0,$i1
	or	$s1,$i2
	or	$s2,$t2
	or	$s3,$t3

	xr	$s0,$t0
	xr	$s1,$t1
	x	$s2,24($key)
	x	$s3,28($key)

	br	$ra
.size	_s390x_AES_decrypt,.-_s390x_AES_decrypt
___

$code.=<<___;
# void AES_set_encrypt_key(const unsigned char *in, int bits,
# 		 AES_KEY *key) {
.globl	AES_set_encrypt_key
.type	AES_set_encrypt_key,\@function
.align	16
AES_set_encrypt_key:
_s390x_AES_set_encrypt_key:
	lghi	$t0,0
	cl${g}r	$inp,$t0
	je	.Lminus1
	cl${g}r	$key,$t0
	je	.Lminus1

	lghi	$t0,128
	clr	$bits,$t0
	je	.Lproceed
	lghi	$t0,192
	clr	$bits,$t0
	je	.Lproceed
	lghi	$t0,256
	clr	$bits,$t0
	je	.Lproceed
	lghi	%r2,-2
	br	%r14

.align	16
.Lproceed:
___
$code.=<<___ if (!$softonly);
	# convert bits to km(c) code, [128,192,256]->[18,19,20]
	lhi	%r5,-128
	lhi	%r0,18
	ar	%r5,$bits
	srl	%r5,6
	ar	%r5,%r0

	larl	%r1,OPENSSL_s390xcap_P
	llihh	%r0,0x8000
	srlg	%r0,%r0,0(%r5)
	ng	%r0,S390X_KM(%r1)  # check availability of both km...
	ng	%r0,S390X_KMC(%r1) # ...and kmc support for given key length
	jz	.Lekey_internal

	lmg	%r0,%r1,0($inp)	# just copy 128 bits...
	stmg	%r0,%r1,0($key)
	lhi	%r0,192
	cr	$bits,%r0
	jl	1f
	lg	%r1,16($inp)
	stg	%r1,16($key)
	je	1f
	lg	%r1,24($inp)
	stg	%r1,24($key)
1:	st	$bits,236($key)	# save bits [for debugging purposes]
	lgr	$t0,%r5
	st	%r5,240($key)	# save km(c) code
	lghi	%r2,0
	br	%r14
___
$code.=<<___;
.align	16
.Lekey_internal:
	stm${g}	%r4,%r13,4*$SIZE_T($sp)	# all non-volatile regs and $key

	larl	$tbl,AES_Te+2048

	llgf	$s0,0($inp)
	llgf	$s1,4($inp)
	llgf	$s2,8($inp)
	llgf	$s3,12($inp)
	st	$s0,0($key)
	st	$s1,4($key)
	st	$s2,8($key)
	st	$s3,12($key)
	lghi	$t0,128
	cr	$bits,$t0
	jne	.Lnot128

	llill	$mask,0xff
	lghi	$t3,0			# i=0
	lghi	$rounds,10
	st	$rounds,240($key)

	llgfr	$t2,$s3			# temp=rk[3]
	srlg	$i1,$s3,8
	srlg	$i2,$s3,16
	srlg	$i3,$s3,24
	nr	$t2,$mask
	nr	$i1,$mask
	nr	$i2,$mask

.align	16
.L128_loop:
	la	$t2,0($t2,$tbl)
	la	$i1,0($i1,$tbl)
	la	$i2,0($i2,$tbl)
	la	$i3,0($i3,$tbl)
	icm	$t2,2,0($t2)		# Te4[rk[3]>>0]<<8
	icm	$t2,4,0($i1)		# Te4[rk[3]>>8]<<16
	icm	$t2,8,0($i2)		# Te4[rk[3]>>16]<<24
	icm	$t2,1,0($i3)		# Te4[rk[3]>>24]
	x	$t2,256($t3,$tbl)	# rcon[i]
	xr	$s0,$t2			# rk[4]=rk[0]^...
	xr	$s1,$s0			# rk[5]=rk[1]^rk[4]
	xr	$s2,$s1			# rk[6]=rk[2]^rk[5]
	xr	$s3,$s2			# rk[7]=rk[3]^rk[6]

	llgfr	$t2,$s3			# temp=rk[3]
	srlg	$i1,$s3,8
	srlg	$i2,$s3,16
	nr	$t2,$mask
	nr	$i1,$mask
	srlg	$i3,$s3,24
	nr	$i2,$mask

	st	$s0,16($key)
	st	$s1,20($key)
	st	$s2,24($key)
	st	$s3,28($key)
	la	$key,16($key)		# key+=4
	la	$t3,4($t3)		# i++
	brct	$rounds,.L128_loop
	lghi	$t0,10
	lghi	%r2,0
	lm${g}	%r4,%r13,4*$SIZE_T($sp)
	br	$ra

.align	16
.Lnot128:
	llgf	$t0,16($inp)
	llgf	$t1,20($inp)
	st	$t0,16($key)
	st	$t1,20($key)
	lghi	$t0,192
	cr	$bits,$t0
	jne	.Lnot192

	llill	$mask,0xff
	lghi	$t3,0			# i=0
	lghi	$rounds,12
	st	$rounds,240($key)
	lghi	$rounds,8

	srlg	$i1,$t1,8
	srlg	$i2,$t1,16
	srlg	$i3,$t1,24
	nr	$t1,$mask
	nr	$i1,$mask
	nr	$i2,$mask

.align	16
.L192_loop:
	la	$t1,0($t1,$tbl)
	la	$i1,0($i1,$tbl)
	la	$i2,0($i2,$tbl)
	la	$i3,0($i3,$tbl)
	icm	$t1,2,0($t1)		# Te4[rk[5]>>0]<<8
	icm	$t1,4,0($i1)		# Te4[rk[5]>>8]<<16
	icm	$t1,8,0($i2)		# Te4[rk[5]>>16]<<24
	icm	$t1,1,0($i3)		# Te4[rk[5]>>24]
	x	$t1,256($t3,$tbl)	# rcon[i]
	xr	$s0,$t1			# rk[6]=rk[0]^...
	xr	$s1,$s0			# rk[7]=rk[1]^rk[6]
	xr	$s2,$s1			# rk[8]=rk[2]^rk[7]
	xr	$s3,$s2			# rk[9]=rk[3]^rk[8]

	st	$s0,24($key)
	st	$s1,28($key)
	st	$s2,32($key)
	st	$s3,36($key)
	brct	$rounds,.L192_continue
	lghi	$t0,12
	lghi	%r2,0
	lm${g}	%r4,%r13,4*$SIZE_T($sp)
	br	$ra

.align	16
.L192_continue:
	lgr	$t1,$s3
	x	$t1,16($key)		# rk[10]=rk[4]^rk[9]
	st	$t1,40($key)
	x	$t1,20($key)		# rk[11]=rk[5]^rk[10]
	st	$t1,44($key)

	srlg	$i1,$t1,8
	srlg	$i2,$t1,16
	srlg	$i3,$t1,24
	nr	$t1,$mask
	nr	$i1,$mask
	nr	$i2,$mask

	la	$key,24($key)		# key+=6
	la	$t3,4($t3)		# i++
	j	.L192_loop

.align	16
.Lnot192:
	llgf	$t0,24($inp)
	llgf	$t1,28($inp)
	st	$t0,24($key)
	st	$t1,28($key)
	llill	$mask,0xff
	lghi	$t3,0			# i=0
	lghi	$rounds,14
	st	$rounds,240($key)
	lghi	$rounds,7

	srlg	$i1,$t1,8
	srlg	$i2,$t1,16
	srlg	$i3,$t1,24
	nr	$t1,$mask
	nr	$i1,$mask
	nr	$i2,$mask

.align	16
.L256_loop:
	la	$t1,0($t1,$tbl)
	la	$i1,0($i1,$tbl)
	la	$i2,0($i2,$tbl)
	la	$i3,0($i3,$tbl)
	icm	$t1,2,0($t1)		# Te4[rk[7]>>0]<<8
	icm	$t1,4,0($i1)		# Te4[rk[7]>>8]<<16
	icm	$t1,8,0($i2)		# Te4[rk[7]>>16]<<24
	icm	$t1,1,0($i3)		# Te4[rk[7]>>24]
	x	$t1,256($t3,$tbl)	# rcon[i]
	xr	$s0,$t1			# rk[8]=rk[0]^...
	xr	$s1,$s0			# rk[9]=rk[1]^rk[8]
	xr	$s2,$s1			# rk[10]=rk[2]^rk[9]
	xr	$s3,$s2			# rk[11]=rk[3]^rk[10]
	st	$s0,32($key)
	st	$s1,36($key)
	st	$s2,40($key)
	st	$s3,44($key)
	brct	$rounds,.L256_continue
	lghi	$t0,14
	lghi	%r2,0
	lm${g}	%r4,%r13,4*$SIZE_T($sp)
	br	$ra

.align	16
.L256_continue:
	lgr	$t1,$s3			# temp=rk[11]
	srlg	$i1,$s3,8
	srlg	$i2,$s3,16
	srlg	$i3,$s3,24
	nr	$t1,$mask
	nr	$i1,$mask
	nr	$i2,$mask
	la	$t1,0($t1,$tbl)
	la	$i1,0($i1,$tbl)
	la	$i2,0($i2,$tbl)
	la	$i3,0($i3,$tbl)
	llgc	$t1,0($t1)		# Te4[rk[11]>>0]
	icm	$t1,2,0($i1)		# Te4[rk[11]>>8]<<8
	icm	$t1,4,0($i2)		# Te4[rk[11]>>16]<<16
	icm	$t1,8,0($i3)		# Te4[rk[11]>>24]<<24
	x	$t1,16($key)		# rk[12]=rk[4]^...
	st	$t1,48($key)
	x	$t1,20($key)		# rk[13]=rk[5]^rk[12]
	st	$t1,52($key)
	x	$t1,24($key)		# rk[14]=rk[6]^rk[13]
	st	$t1,56($key)
	x	$t1,28($key)		# rk[15]=rk[7]^rk[14]
	st	$t1,60($key)

	srlg	$i1,$t1,8
	srlg	$i2,$t1,16
	srlg	$i3,$t1,24
	nr	$t1,$mask
	nr	$i1,$mask
	nr	$i2,$mask

	la	$key,32($key)		# key+=8
	la	$t3,4($t3)		# i++
	j	.L256_loop

.Lminus1:
	lghi	%r2,-1
	br	$ra
.size	AES_set_encrypt_key,.-AES_set_encrypt_key

# void AES_set_decrypt_key(const unsigned char *in, int bits,
# 		 AES_KEY *key) {
.globl	AES_set_decrypt_key
.type	AES_set_decrypt_key,\@function
.align	16
AES_set_decrypt_key:
	#st${g}	$key,4*$SIZE_T($sp)	# I rely on AES_set_encrypt_key to
	st${g}	$ra,14*$SIZE_T($sp)	# save non-volatile registers and $key!
	bras	$ra,_s390x_AES_set_encrypt_key
	#l${g}	$key,4*$SIZE_T($sp)
	l${g}	$ra,14*$SIZE_T($sp)
	ltgr	%r2,%r2
	bnzr	$ra
___
$code.=<<___ if (!$softonly);
	#l	$t0,240($key)
	lhi	$t1,16
	cr	$t0,$t1
	jl	.Lgo
	oill	$t0,S390X_DECRYPT	# set "decrypt" bit
	st	$t0,240($key)
	br	$ra
___
$code.=<<___;
.align	16
.Lgo:	lgr	$rounds,$t0	#llgf	$rounds,240($key)
	la	$i1,0($key)
	sllg	$i2,$rounds,4
	la	$i2,0($i2,$key)
	srl	$rounds,1
	lghi	$t1,-16

.align	16
.Linv:	lmg	$s0,$s1,0($i1)
	lmg	$s2,$s3,0($i2)
	stmg	$s0,$s1,0($i2)
	stmg	$s2,$s3,0($i1)
	la	$i1,16($i1)
	la	$i2,0($t1,$i2)
	brct	$rounds,.Linv
___
$mask80=$i1;
$mask1b=$i2;
$maskfe=$i3;
$code.=<<___;
	llgf	$rounds,240($key)
	aghi	$rounds,-1
	sll	$rounds,2	# (rounds-1)*4
	llilh	$mask80,0x8080
	llilh	$mask1b,0x1b1b
	llilh	$maskfe,0xfefe
	oill	$mask80,0x8080
	oill	$mask1b,0x1b1b
	oill	$maskfe,0xfefe

.align	16
.Lmix:	l	$s0,16($key)	# tp1
	lr	$s1,$s0
	ngr	$s1,$mask80
	srlg	$t1,$s1,7
	slr	$s1,$t1
	nr	$s1,$mask1b
	sllg	$t1,$s0,1
	nr	$t1,$maskfe
	xr	$s1,$t1		# tp2

	lr	$s2,$s1
	ngr	$s2,$mask80
	srlg	$t1,$s2,7
	slr	$s2,$t1
	nr	$s2,$mask1b
	sllg	$t1,$s1,1
	nr	$t1,$maskfe
	xr	$s2,$t1		# tp4

	lr	$s3,$s2
	ngr	$s3,$mask80
	srlg	$t1,$s3,7
	slr	$s3,$t1
	nr	$s3,$mask1b
	sllg	$t1,$s2,1
	nr	$t1,$maskfe
	xr	$s3,$t1		# tp8

	xr	$s1,$s0		# tp2^tp1
	xr	$s2,$s0		# tp4^tp1
	rll	$s0,$s0,24	# = ROTATE(tp1,8)
	xr	$s2,$s3		# ^=tp8
	xr	$s0,$s1		# ^=tp2^tp1
	xr	$s1,$s3		# tp2^tp1^tp8
	xr	$s0,$s2		# ^=tp4^tp1^tp8
	rll	$s1,$s1,8
	rll	$s2,$s2,16
	xr	$s0,$s1		# ^= ROTATE(tp8^tp2^tp1,24)
	rll	$s3,$s3,24
	xr	$s0,$s2    	# ^= ROTATE(tp8^tp4^tp1,16)
	xr	$s0,$s3		# ^= ROTATE(tp8,8)

	st	$s0,16($key)
	la	$key,4($key)
	brct	$rounds,.Lmix

	lm${g}	%r6,%r13,6*$SIZE_T($sp)# as was saved by AES_set_encrypt_key!
	lghi	%r2,0
	br	$ra
.size	AES_set_decrypt_key,.-AES_set_decrypt_key
___

########################################################################
# void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
#                     size_t length, const AES_KEY *key,
#                     unsigned char *ivec, const int enc)
{
my $inp="%r2";
my $out="%r4";	# length and out are swapped
my $len="%r3";
my $key="%r5";
my $ivp="%r6";

$code.=<<___;
.globl	AES_cbc_encrypt
.type	AES_cbc_encrypt,\@function
.align	16
AES_cbc_encrypt:
	xgr	%r3,%r4		# flip %r3 and %r4, out and len
	xgr	%r4,%r3
	xgr	%r3,%r4
___
$code.=<<___ if (!$softonly);
	lhi	%r0,16
	cl	%r0,240($key)
	jh	.Lcbc_software

	lg	%r0,0($ivp)	# copy ivec
	lg	%r1,8($ivp)
	stmg	%r0,%r1,16($sp)
	lmg	%r0,%r1,0($key)	# copy key, cover 256 bit
	stmg	%r0,%r1,32($sp)
	lmg	%r0,%r1,16($key)
	stmg	%r0,%r1,48($sp)
	l	%r0,240($key)	# load kmc code
	lghi	$key,15		# res=len%16, len-=res;
	ngr	$key,$len
	sl${g}r	$len,$key
	la	%r1,16($sp)	# parameter block - ivec || key
	jz	.Lkmc_truncated
	.long	0xb92f0042	# kmc %r4,%r2
	brc	1,.-4		# pay attention to "partial completion"
	ltr	$key,$key
	jnz	.Lkmc_truncated
.Lkmc_done:
	lmg	%r0,%r1,16($sp)	# copy ivec to caller
	stg	%r0,0($ivp)
	stg	%r1,8($ivp)
	br	$ra
.align	16
.Lkmc_truncated:
	ahi	$key,-1		# it's the way it's encoded in mvc
	tmll	%r0,S390X_DECRYPT
	jnz	.Lkmc_truncated_dec
	lghi	%r1,0
	stg	%r1,16*$SIZE_T($sp)
	stg	%r1,16*$SIZE_T+8($sp)
	bras	%r1,1f
	mvc	16*$SIZE_T(1,$sp),0($inp)
1:	ex	$key,0(%r1)
	la	%r1,16($sp)	# restore parameter block
	la	$inp,16*$SIZE_T($sp)
	lghi	$len,16
	.long	0xb92f0042	# kmc %r4,%r2
	j	.Lkmc_done
.align	16
.Lkmc_truncated_dec:
	st${g}	$out,4*$SIZE_T($sp)
	la	$out,16*$SIZE_T($sp)
	lghi	$len,16
	.long	0xb92f0042	# kmc %r4,%r2
	l${g}	$out,4*$SIZE_T($sp)
	bras	%r1,2f
	mvc	0(1,$out),16*$SIZE_T($sp)
2:	ex	$key,0(%r1)
	j	.Lkmc_done
.align	16
.Lcbc_software:
___
$code.=<<___;
	stm${g}	$key,$ra,5*$SIZE_T($sp)
	lhi	%r0,0
	cl	%r0,`$stdframe+$SIZE_T-4`($sp)
	je	.Lcbc_decrypt

	larl	$tbl,AES_Te

	llgf	$s0,0($ivp)
	llgf	$s1,4($ivp)
	llgf	$s2,8($ivp)
	llgf	$s3,12($ivp)

	lghi	$t0,16
	sl${g}r	$len,$t0
	brc	4,.Lcbc_enc_tail	# if borrow
.Lcbc_enc_loop:
	stm${g}	$inp,$out,2*$SIZE_T($sp)
	x	$s0,0($inp)
	x	$s1,4($inp)
	x	$s2,8($inp)
	x	$s3,12($inp)
	lgr	%r4,$key

	bras	$ra,_s390x_AES_encrypt

	lm${g}	$inp,$key,2*$SIZE_T($sp)
	st	$s0,0($out)
	st	$s1,4($out)
	st	$s2,8($out)
	st	$s3,12($out)

	la	$inp,16($inp)
	la	$out,16($out)
	lghi	$t0,16
	lt${g}r	$len,$len
	jz	.Lcbc_enc_done
	sl${g}r	$len,$t0
	brc	4,.Lcbc_enc_tail	# if borrow
	j	.Lcbc_enc_loop
.align	16
.Lcbc_enc_done:
	l${g}	$ivp,6*$SIZE_T($sp)
	st	$s0,0($ivp)
	st	$s1,4($ivp)
	st	$s2,8($ivp)
	st	$s3,12($ivp)

	lm${g}	%r7,$ra,7*$SIZE_T($sp)
	br	$ra

.align	16
.Lcbc_enc_tail:
	aghi	$len,15
	lghi	$t0,0
	stg	$t0,16*$SIZE_T($sp)
	stg	$t0,16*$SIZE_T+8($sp)
	bras	$t1,3f
	mvc	16*$SIZE_T(1,$sp),0($inp)
3:	ex	$len,0($t1)
	lghi	$len,0
	la	$inp,16*$SIZE_T($sp)
	j	.Lcbc_enc_loop

.align	16
.Lcbc_decrypt:
	larl	$tbl,AES_Td

	lg	$t0,0($ivp)
	lg	$t1,8($ivp)
	stmg	$t0,$t1,16*$SIZE_T($sp)

.Lcbc_dec_loop:
	stm${g}	$inp,$out,2*$SIZE_T($sp)
	llgf	$s0,0($inp)
	llgf	$s1,4($inp)
	llgf	$s2,8($inp)
	llgf	$s3,12($inp)
	lgr	%r4,$key

	bras	$ra,_s390x_AES_decrypt

	lm${g}	$inp,$key,2*$SIZE_T($sp)
	sllg	$s0,$s0,32
	sllg	$s2,$s2,32
	lr	$s0,$s1
	lr	$s2,$s3

	lg	$t0,0($inp)
	lg	$t1,8($inp)
	xg	$s0,16*$SIZE_T($sp)
	xg	$s2,16*$SIZE_T+8($sp)
	lghi	$s1,16
	sl${g}r	$len,$s1
	brc	4,.Lcbc_dec_tail	# if borrow
	brc	2,.Lcbc_dec_done	# if zero
	stg	$s0,0($out)
	stg	$s2,8($out)
	stmg	$t0,$t1,16*$SIZE_T($sp)

	la	$inp,16($inp)
	la	$out,16($out)
	j	.Lcbc_dec_loop

.Lcbc_dec_done:
	stg	$s0,0($out)
	stg	$s2,8($out)
.Lcbc_dec_exit:
	lm${g}	%r6,$ra,6*$SIZE_T($sp)
	stmg	$t0,$t1,0($ivp)

	br	$ra

.align	16
.Lcbc_dec_tail:
	aghi	$len,15
	stg	$s0,16*$SIZE_T($sp)
	stg	$s2,16*$SIZE_T+8($sp)
	bras	$s1,4f
	mvc	0(1,$out),16*$SIZE_T($sp)
4:	ex	$len,0($s1)
	j	.Lcbc_dec_exit
.size	AES_cbc_encrypt,.-AES_cbc_encrypt
___
}
########################################################################
# void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
#                     size_t blocks, const AES_KEY *key,
#                     const unsigned char *ivec)
{
my $inp="%r2";
my $out="%r4";	# blocks and out are swapped
my $len="%r3";
my $key="%r5";	my $iv0="%r5";
my $ivp="%r6";
my $fp ="%r7";

$code.=<<___;
.globl	AES_ctr32_encrypt
.type	AES_ctr32_encrypt,\@function
.align	16
AES_ctr32_encrypt:
	xgr	%r3,%r4		# flip %r3 and %r4, $out and $len
	xgr	%r4,%r3
	xgr	%r3,%r4
	llgfr	$len,$len	# safe in ctr32 subroutine even in 64-bit case
___
$code.=<<___ if (!$softonly);
	l	%r0,240($key)
	lhi	%r1,16
	clr	%r0,%r1
	jl	.Lctr32_software

	st${g}	$s2,10*$SIZE_T($sp)
	st${g}	$s3,11*$SIZE_T($sp)

	clr	$len,%r1		# does work even in 64-bit mode
	jle	.Lctr32_nokma		# kma is slower for <= 16 blocks

	larl	%r1,OPENSSL_s390xcap_P
	lr	$s2,%r0
	llihh	$s3,0x8000
	srlg	$s3,$s3,0($s2)
	ng	$s3,S390X_KMA(%r1)		# check kma capability vector
	jz	.Lctr32_nokma

	l${g}hi	%r1,-$stdframe-112
	l${g}r	$s3,$sp
	la	$sp,0(%r1,$sp)			# prepare parameter block

	lhi	%r1,0x0600
	sllg	$len,$len,4
	or	%r0,%r1				# set HS and LAAD flags

	st${g}	$s3,0($sp)			# backchain
	la	%r1,$stdframe($sp)

	lmg	$s2,$s3,0($key)			# copy key
	stg	$s2,$stdframe+80($sp)
	stg	$s3,$stdframe+88($sp)
	lmg	$s2,$s3,16($key)
	stg	$s2,$stdframe+96($sp)
	stg	$s3,$stdframe+104($sp)

	lmg	$s2,$s3,0($ivp)			# copy iv
	stg	$s2,$stdframe+64($sp)
	ahi	$s3,-1				# kma requires counter-1
	stg	$s3,$stdframe+72($sp)
	st	$s3,$stdframe+12($sp)		# copy counter

	lghi	$s2,0				# no AAD
	lghi	$s3,0

	.long	0xb929a042	# kma $out,$s2,$inp
	brc	1,.-4		# pay attention to "partial completion"

	stg	%r0,$stdframe+80($sp)		# wipe key
	stg	%r0,$stdframe+88($sp)
	stg	%r0,$stdframe+96($sp)
	stg	%r0,$stdframe+104($sp)
	la	$sp,$stdframe+112($sp)

	lm${g}	$s2,$s3,10*$SIZE_T($sp)
	br	$ra

.align	16
.Lctr32_nokma:
	stm${g}	%r6,$s1,6*$SIZE_T($sp)

	slgr	$out,$inp
	la	%r1,0($key)	# %r1 is permanent copy of $key
	lg	$iv0,0($ivp)	# load ivec
	lg	$ivp,8($ivp)

	# prepare and allocate stack frame at the top of 4K page
	# with 1K reserved for eventual signal handling
	lghi	$s0,-1024-256-16# guarantee at least 256-bytes buffer
	lghi	$s1,-4096
	algr	$s0,$sp
	lgr	$fp,$sp
	ngr	$s0,$s1		# align at page boundary
	slgr	$fp,$s0		# total buffer size
	lgr	$s2,$sp
	lghi	$s1,1024+16	# sl[g]fi is extended-immediate facility
	slgr	$fp,$s1		# deduct reservation to get usable buffer size
	# buffer size is at lest 256 and at most 3072+256-16

	la	$sp,1024($s0)	# alloca
	srlg	$fp,$fp,4	# convert bytes to blocks, minimum 16
	st${g}	$s2,0($sp)	# back-chain
	st${g}	$fp,$SIZE_T($sp)

	slgr	$len,$fp
	brc	1,.Lctr32_hw_switch	# not zero, no borrow
	algr	$fp,$len	# input is shorter than allocated buffer
	lghi	$len,0
	st${g}	$fp,$SIZE_T($sp)

.Lctr32_hw_switch:
___
$code.=<<___ if (!$softonly && 0);# kmctr code was measured to be ~12% slower
	llgfr	$s0,%r0
	lgr	$s1,%r1
	larl	%r1,OPENSSL_s390xcap_P
	llihh	%r0,0x8000	# check if kmctr supports the function code
	srlg	%r0,%r0,0($s0)
	ng	%r0,S390X_KMCTR(%r1)	# check kmctr capability vector
	lgr	%r0,$s0
	lgr	%r1,$s1
	jz	.Lctr32_km_loop

####### kmctr code
	algr	$out,$inp	# restore $out
	lgr	$s1,$len	# $s1 undertakes $len
	j	.Lctr32_kmctr_loop
.align	16
.Lctr32_kmctr_loop:
	la	$s2,16($sp)
	lgr	$s3,$fp
.Lctr32_kmctr_prepare:
	stg	$iv0,0($s2)
	stg	$ivp,8($s2)
	la	$s2,16($s2)
	ahi	$ivp,1		# 32-bit increment, preserves upper half
	brct	$s3,.Lctr32_kmctr_prepare

	#la	$inp,0($inp)	# inp
	sllg	$len,$fp,4	# len
	#la	$out,0($out)	# out
	la	$s2,16($sp)	# iv
	.long	0xb92da042	# kmctr $out,$s2,$inp
	brc	1,.-4		# pay attention to "partial completion"

	slgr	$s1,$fp
	brc	1,.Lctr32_kmctr_loop	# not zero, no borrow
	algr	$fp,$s1
	lghi	$s1,0
	brc	4+1,.Lctr32_kmctr_loop	# not zero

	l${g}	$sp,0($sp)
	lm${g}	%r6,$s3,6*$SIZE_T($sp)
	br	$ra
.align	16
___
$code.=<<___ if (!$softonly);
.Lctr32_km_loop:
	la	$s2,16($sp)
	lgr	$s3,$fp
.Lctr32_km_prepare:
	stg	$iv0,0($s2)
	stg	$ivp,8($s2)
	la	$s2,16($s2)
	ahi	$ivp,1		# 32-bit increment, preserves upper half
	brct	$s3,.Lctr32_km_prepare

	la	$s0,16($sp)	# inp
	sllg	$s1,$fp,4	# len
	la	$s2,16($sp)	# out
	.long	0xb92e00a8	# km %r10,%r8
	brc	1,.-4		# pay attention to "partial completion"

	la	$s2,16($sp)
	lgr	$s3,$fp
	slgr	$s2,$inp
.Lctr32_km_xor:
	lg	$s0,0($inp)
	lg	$s1,8($inp)
	xg	$s0,0($s2,$inp)
	xg	$s1,8($s2,$inp)
	stg	$s0,0($out,$inp)
	stg	$s1,8($out,$inp)
	la	$inp,16($inp)
	brct	$s3,.Lctr32_km_xor

	slgr	$len,$fp
	brc	1,.Lctr32_km_loop	# not zero, no borrow
	algr	$fp,$len
	lghi	$len,0
	brc	4+1,.Lctr32_km_loop	# not zero

	l${g}	$s0,0($sp)
	l${g}	$s1,$SIZE_T($sp)
	la	$s2,16($sp)
.Lctr32_km_zap:
	stg	$s0,0($s2)
	stg	$s0,8($s2)
	la	$s2,16($s2)
	brct	$s1,.Lctr32_km_zap

	la	$sp,0($s0)
	lm${g}	%r6,$s3,6*$SIZE_T($sp)
	br	$ra
.align	16
.Lctr32_software:
___
$code.=<<___;
	stm${g}	$key,$ra,5*$SIZE_T($sp)
	sl${g}r	$inp,$out
	larl	$tbl,AES_Te
	llgf	$t1,12($ivp)

.Lctr32_loop:
	stm${g}	$inp,$out,2*$SIZE_T($sp)
	llgf	$s0,0($ivp)
	llgf	$s1,4($ivp)
	llgf	$s2,8($ivp)
	lgr	$s3,$t1
	st	$t1,16*$SIZE_T($sp)
	lgr	%r4,$key

	bras	$ra,_s390x_AES_encrypt

	lm${g}	$inp,$ivp,2*$SIZE_T($sp)
	llgf	$t1,16*$SIZE_T($sp)
	x	$s0,0($inp,$out)
	x	$s1,4($inp,$out)
	x	$s2,8($inp,$out)
	x	$s3,12($inp,$out)
	stm	$s0,$s3,0($out)

	la	$out,16($out)
	ahi	$t1,1		# 32-bit increment
	brct	$len,.Lctr32_loop

	lm${g}	%r6,$ra,6*$SIZE_T($sp)
	br	$ra
.size	AES_ctr32_encrypt,.-AES_ctr32_encrypt
___
}

########################################################################
# void AES_xts_encrypt(const unsigned char *inp, unsigned char *out,
#	size_t len, const AES_KEY *key1, const AES_KEY *key2,
#	const unsigned char iv[16]);
#
{
my $inp="%r2";
my $out="%r4";	# len and out are swapped
my $len="%r3";
my $key1="%r5";	# $i1
my $key2="%r6";	# $i2
my $fp="%r7";	# $i3
my $tweak=16*$SIZE_T+16;	# or $stdframe-16, bottom of the frame...

$code.=<<___;
.type	_s390x_xts_km,\@function
.align	16
_s390x_xts_km:
___
$code.=<<___ if(1);
	llgfr	$s0,%r0			# put aside the function code
	lghi	$s1,0x7f
	nr	$s1,%r0
	larl	%r1,OPENSSL_s390xcap_P
	llihh	%r0,0x8000
	srlg	%r0,%r0,32($s1)		# check for 32+function code
	ng	%r0,S390X_KM(%r1)	# check km capability vector
	lgr	%r0,$s0			# restore the function code
	la	%r1,0($key1)		# restore $key1
	jz	.Lxts_km_vanilla

	lmg	$i2,$i3,$tweak($sp)	# put aside the tweak value
	algr	$out,$inp

	oill	%r0,32			# switch to xts function code
	aghi	$s1,-18			#
	sllg	$s1,$s1,3		# (function code - 18)*8, 0 or 16
	la	%r1,$tweak-16($sp)
	slgr	%r1,$s1			# parameter block position
	lmg	$s0,$s3,0($key1)	# load 256 bits of key material,
	stmg	$s0,$s3,0(%r1)		# and copy it to parameter block.
					# yes, it contains junk and overlaps
					# with the tweak in 128-bit case.
					# it's done to avoid conditional
					# branch.
	stmg	$i2,$i3,$tweak($sp)	# "re-seat" the tweak value

	.long	0xb92e0042		# km %r4,%r2
	brc	1,.-4			# pay attention to "partial completion"

	lrvg	$s0,$tweak+0($sp)	# load the last tweak
	lrvg	$s1,$tweak+8($sp)
	stmg	%r0,%r3,$tweak-32($sp)	# wipe copy of the key

	nill	%r0,0xffdf		# switch back to original function code
	la	%r1,0($key1)		# restore pointer to $key1
	slgr	$out,$inp

	llgc	$len,2*$SIZE_T-1($sp)
	nill	$len,0x0f		# $len%=16
	br	$ra

.align	16
.Lxts_km_vanilla:
___
$code.=<<___;
	# prepare and allocate stack frame at the top of 4K page
	# with 1K reserved for eventual signal handling
	lghi	$s0,-1024-256-16# guarantee at least 256-bytes buffer
	lghi	$s1,-4096
	algr	$s0,$sp
	lgr	$fp,$sp
	ngr	$s0,$s1		# align at page boundary
	slgr	$fp,$s0		# total buffer size
	lgr	$s2,$sp
	lghi	$s1,1024+16	# sl[g]fi is extended-immediate facility
	slgr	$fp,$s1		# deduct reservation to get usable buffer size
	# buffer size is at lest 256 and at most 3072+256-16

	la	$sp,1024($s0)	# alloca
	nill	$fp,0xfff0	# round to 16*n
	st${g}	$s2,0($sp)	# back-chain
	nill	$len,0xfff0	# redundant
	st${g}	$fp,$SIZE_T($sp)

	slgr	$len,$fp
	brc	1,.Lxts_km_go	# not zero, no borrow
	algr	$fp,$len	# input is shorter than allocated buffer
	lghi	$len,0
	st${g}	$fp,$SIZE_T($sp)

.Lxts_km_go:
	lrvg	$s0,$tweak+0($s2)	# load the tweak value in little-endian
	lrvg	$s1,$tweak+8($s2)

	la	$s2,16($sp)		# vector of ascending tweak values
	slgr	$s2,$inp
	srlg	$s3,$fp,4
	j	.Lxts_km_start

.Lxts_km_loop:
	la	$s2,16($sp)
	slgr	$s2,$inp
	srlg	$s3,$fp,4
.Lxts_km_prepare:
	lghi	$i1,0x87
	srag	$i2,$s1,63		# broadcast upper bit
	ngr	$i1,$i2			# rem
	algr	$s0,$s0
	alcgr	$s1,$s1
	xgr	$s0,$i1
.Lxts_km_start:
	lrvgr	$i1,$s0			# flip byte order
	lrvgr	$i2,$s1
	stg	$i1,0($s2,$inp)
	stg	$i2,8($s2,$inp)
	xg	$i1,0($inp)
	xg	$i2,8($inp)
	stg	$i1,0($out,$inp)
	stg	$i2,8($out,$inp)
	la	$inp,16($inp)
	brct	$s3,.Lxts_km_prepare

	slgr	$inp,$fp		# rewind $inp
	la	$s2,0($out,$inp)
	lgr	$s3,$fp
	.long	0xb92e00aa		# km $s2,$s2
	brc	1,.-4			# pay attention to "partial completion"

	la	$s2,16($sp)
	slgr	$s2,$inp
	srlg	$s3,$fp,4
.Lxts_km_xor:
	lg	$i1,0($out,$inp)
	lg	$i2,8($out,$inp)
	xg	$i1,0($s2,$inp)
	xg	$i2,8($s2,$inp)
	stg	$i1,0($out,$inp)
	stg	$i2,8($out,$inp)
	la	$inp,16($inp)
	brct	$s3,.Lxts_km_xor

	slgr	$len,$fp
	brc	1,.Lxts_km_loop		# not zero, no borrow
	algr	$fp,$len
	lghi	$len,0
	brc	4+1,.Lxts_km_loop	# not zero

	l${g}	$i1,0($sp)		# back-chain
	llgf	$fp,`2*$SIZE_T-4`($sp)	# bytes used
	la	$i2,16($sp)
	srlg	$fp,$fp,4
.Lxts_km_zap:
	stg	$i1,0($i2)
	stg	$i1,8($i2)
	la	$i2,16($i2)
	brct	$fp,.Lxts_km_zap

	la	$sp,0($i1)
	llgc	$len,2*$SIZE_T-1($i1)
	nill	$len,0x0f		# $len%=16
	bzr	$ra

	# generate one more tweak...
	lghi	$i1,0x87
	srag	$i2,$s1,63		# broadcast upper bit
	ngr	$i1,$i2			# rem
	algr	$s0,$s0
	alcgr	$s1,$s1
	xgr	$s0,$i1

	ltr	$len,$len		# clear zero flag
	br	$ra
.size	_s390x_xts_km,.-_s390x_xts_km

.globl	AES_xts_encrypt
.type	AES_xts_encrypt,\@function
.align	16
AES_xts_encrypt:
	xgr	%r3,%r4			# flip %r3 and %r4, $out and $len
	xgr	%r4,%r3
	xgr	%r3,%r4
___
$code.=<<___ if ($SIZE_T==4);
	llgfr	$len,$len
___
$code.=<<___;
	st${g}	$len,1*$SIZE_T($sp)	# save copy of $len
	srag	$len,$len,4		# formally wrong, because it expands
					# sign byte, but who can afford asking
					# to process more than 2^63-1 bytes?
					# I use it, because it sets condition
					# code...
	bcr	8,$ra			# abort if zero (i.e. less than 16)
___
$code.=<<___ if (!$softonly);
	llgf	%r0,240($key2)
	lhi	%r1,16
	clr	%r0,%r1
	jl	.Lxts_enc_software

	st${g}	$ra,5*$SIZE_T($sp)
	stm${g}	%r6,$s3,6*$SIZE_T($sp)

	sllg	$len,$len,4		# $len&=~15
	slgr	$out,$inp

	# generate the tweak value
	l${g}	$s3,$stdframe($sp)	# pointer to iv
	la	$s2,$tweak($sp)
	lmg	$s0,$s1,0($s3)
	lghi	$s3,16
	stmg	$s0,$s1,0($s2)
	la	%r1,0($key2)		# $key2 is not needed anymore
	.long	0xb92e00aa		# km $s2,$s2, generate the tweak
	brc	1,.-4			# can this happen?

	l	%r0,240($key1)
	la	%r1,0($key1)		# $key1 is not needed anymore
	bras	$ra,_s390x_xts_km
	jz	.Lxts_enc_km_done

	aghi	$inp,-16		# take one step back
	la	$i3,0($out,$inp)	# put aside real $out
.Lxts_enc_km_steal:
	llgc	$i1,16($inp)
	llgc	$i2,0($out,$inp)
	stc	$i1,0($out,$inp)
	stc	$i2,16($out,$inp)
	la	$inp,1($inp)
	brct	$len,.Lxts_enc_km_steal

	la	$s2,0($i3)
	lghi	$s3,16
	lrvgr	$i1,$s0			# flip byte order
	lrvgr	$i2,$s1
	xg	$i1,0($s2)
	xg	$i2,8($s2)
	stg	$i1,0($s2)
	stg	$i2,8($s2)
	.long	0xb92e00aa		# km $s2,$s2
	brc	1,.-4			# can this happen?
	lrvgr	$i1,$s0			# flip byte order
	lrvgr	$i2,$s1
	xg	$i1,0($i3)
	xg	$i2,8($i3)
	stg	$i1,0($i3)
	stg	$i2,8($i3)

.Lxts_enc_km_done:
	stg	$sp,$tweak+0($sp)	# wipe tweak
	stg	$sp,$tweak+8($sp)
	l${g}	$ra,5*$SIZE_T($sp)
	lm${g}	%r6,$s3,6*$SIZE_T($sp)
	br	$ra
.align	16
.Lxts_enc_software:
___
$code.=<<___;
	stm${g}	%r6,$ra,6*$SIZE_T($sp)

	slgr	$out,$inp

	l${g}	$s3,$stdframe($sp)	# ivp
	llgf	$s0,0($s3)		# load iv
	llgf	$s1,4($s3)
	llgf	$s2,8($s3)
	llgf	$s3,12($s3)
	stm${g}	%r2,%r5,2*$SIZE_T($sp)
	la	$key,0($key2)
	larl	$tbl,AES_Te
	bras	$ra,_s390x_AES_encrypt	# generate the tweak
	lm${g}	%r2,%r5,2*$SIZE_T($sp)
	stm	$s0,$s3,$tweak($sp)	# save the tweak
	j	.Lxts_enc_enter

.align	16
.Lxts_enc_loop:
	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
	lrvg	$s3,$tweak+8($sp)
	lghi	%r1,0x87
	srag	%r0,$s3,63		# broadcast upper bit
	ngr	%r1,%r0			# rem
	algr	$s1,$s1
	alcgr	$s3,$s3
	xgr	$s1,%r1
	lrvgr	$s1,$s1			# flip byte order
	lrvgr	$s3,$s3
	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
	stg	$s1,$tweak+0($sp)	# save the tweak
	llgfr	$s1,$s1
	srlg	$s2,$s3,32
	stg	$s3,$tweak+8($sp)
	llgfr	$s3,$s3
	la	$inp,16($inp)		# $inp+=16
.Lxts_enc_enter:
	x	$s0,0($inp)		# ^=*($inp)
	x	$s1,4($inp)
	x	$s2,8($inp)
	x	$s3,12($inp)
	stm${g}	%r2,%r3,2*$SIZE_T($sp)	# only two registers are changing
	la	$key,0($key1)
	bras	$ra,_s390x_AES_encrypt
	lm${g}	%r2,%r5,2*$SIZE_T($sp)
	x	$s0,$tweak+0($sp)	# ^=tweak
	x	$s1,$tweak+4($sp)
	x	$s2,$tweak+8($sp)
	x	$s3,$tweak+12($sp)
	st	$s0,0($out,$inp)
	st	$s1,4($out,$inp)
	st	$s2,8($out,$inp)
	st	$s3,12($out,$inp)
	brct${g}	$len,.Lxts_enc_loop

	llgc	$len,`2*$SIZE_T-1`($sp)
	nill	$len,0x0f		# $len%16
	jz	.Lxts_enc_done

	la	$i3,0($inp,$out)	# put aside real $out
.Lxts_enc_steal:
	llgc	%r0,16($inp)
	llgc	%r1,0($out,$inp)
	stc	%r0,0($out,$inp)
	stc	%r1,16($out,$inp)
	la	$inp,1($inp)
	brct	$len,.Lxts_enc_steal
	la	$out,0($i3)		# restore real $out

	# generate last tweak...
	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
	lrvg	$s3,$tweak+8($sp)
	lghi	%r1,0x87
	srag	%r0,$s3,63		# broadcast upper bit
	ngr	%r1,%r0			# rem
	algr	$s1,$s1
	alcgr	$s3,$s3
	xgr	$s1,%r1
	lrvgr	$s1,$s1			# flip byte order
	lrvgr	$s3,$s3
	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
	stg	$s1,$tweak+0($sp)	# save the tweak
	llgfr	$s1,$s1
	srlg	$s2,$s3,32
	stg	$s3,$tweak+8($sp)
	llgfr	$s3,$s3

	x	$s0,0($out)		# ^=*(inp)|stolen cipther-text
	x	$s1,4($out)
	x	$s2,8($out)
	x	$s3,12($out)
	st${g}	$out,4*$SIZE_T($sp)
	la	$key,0($key1)
	bras	$ra,_s390x_AES_encrypt
	l${g}	$out,4*$SIZE_T($sp)
	x	$s0,`$tweak+0`($sp)	# ^=tweak
	x	$s1,`$tweak+4`($sp)
	x	$s2,`$tweak+8`($sp)
	x	$s3,`$tweak+12`($sp)
	st	$s0,0($out)
	st	$s1,4($out)
	st	$s2,8($out)
	st	$s3,12($out)

.Lxts_enc_done:
	stg	$sp,$tweak+0($sp)	# wipe tweak
	stg	$sp,$twesk+8($sp)
	lm${g}	%r6,$ra,6*$SIZE_T($sp)
	br	$ra
.size	AES_xts_encrypt,.-AES_xts_encrypt
___
# void AES_xts_decrypt(const unsigned char *inp, unsigned char *out,
#	size_t len, const AES_KEY *key1, const AES_KEY *key2,
#	const unsigned char iv[16]);
#
$code.=<<___;
.globl	AES_xts_decrypt
.type	AES_xts_decrypt,\@function
.align	16
AES_xts_decrypt:
	xgr	%r3,%r4			# flip %r3 and %r4, $out and $len
	xgr	%r4,%r3
	xgr	%r3,%r4
___
$code.=<<___ if ($SIZE_T==4);
	llgfr	$len,$len
___
$code.=<<___;
	st${g}	$len,1*$SIZE_T($sp)	# save copy of $len
	aghi	$len,-16
	bcr	4,$ra			# abort if less than zero. formally
					# wrong, because $len is unsigned,
					# but who can afford asking to
					# process more than 2^63-1 bytes?
	tmll	$len,0x0f
	jnz	.Lxts_dec_proceed
	aghi	$len,16
.Lxts_dec_proceed:
___
$code.=<<___ if (!$softonly);
	llgf	%r0,240($key2)
	lhi	%r1,16
	clr	%r0,%r1
	jl	.Lxts_dec_software

	st${g}	$ra,5*$SIZE_T($sp)
	stm${g}	%r6,$s3,6*$SIZE_T($sp)

	nill	$len,0xfff0		# $len&=~15
	slgr	$out,$inp

	# generate the tweak value
	l${g}	$s3,$stdframe($sp)	# pointer to iv
	la	$s2,$tweak($sp)
	lmg	$s0,$s1,0($s3)
	lghi	$s3,16
	stmg	$s0,$s1,0($s2)
	la	%r1,0($key2)		# $key2 is not needed past this point
	.long	0xb92e00aa		# km $s2,$s2, generate the tweak
	brc	1,.-4			# can this happen?

	l	%r0,240($key1)
	la	%r1,0($key1)		# $key1 is not needed anymore

	ltgr	$len,$len
	jz	.Lxts_dec_km_short
	bras	$ra,_s390x_xts_km
	jz	.Lxts_dec_km_done

	lrvgr	$s2,$s0			# make copy in reverse byte order
	lrvgr	$s3,$s1
	j	.Lxts_dec_km_2ndtweak

.Lxts_dec_km_short:
	llgc	$len,`2*$SIZE_T-1`($sp)
	nill	$len,0x0f		# $len%=16
	lrvg	$s0,$tweak+0($sp)	# load the tweak
	lrvg	$s1,$tweak+8($sp)
	lrvgr	$s2,$s0			# make copy in reverse byte order
	lrvgr	$s3,$s1

.Lxts_dec_km_2ndtweak:
	lghi	$i1,0x87
	srag	$i2,$s1,63		# broadcast upper bit
	ngr	$i1,$i2			# rem
	algr	$s0,$s0
	alcgr	$s1,$s1
	xgr	$s0,$i1
	lrvgr	$i1,$s0			# flip byte order
	lrvgr	$i2,$s1

	xg	$i1,0($inp)
	xg	$i2,8($inp)
	stg	$i1,0($out,$inp)
	stg	$i2,8($out,$inp)
	la	$i2,0($out,$inp)
	lghi	$i3,16
	.long	0xb92e0066		# km $i2,$i2
	brc	1,.-4			# can this happen?
	lrvgr	$i1,$s0
	lrvgr	$i2,$s1
	xg	$i1,0($out,$inp)
	xg	$i2,8($out,$inp)
	stg	$i1,0($out,$inp)
	stg	$i2,8($out,$inp)

	la	$i3,0($out,$inp)	# put aside real $out
.Lxts_dec_km_steal:
	llgc	$i1,16($inp)
	llgc	$i2,0($out,$inp)
	stc	$i1,0($out,$inp)
	stc	$i2,16($out,$inp)
	la	$inp,1($inp)
	brct	$len,.Lxts_dec_km_steal

	lgr	$s0,$s2
	lgr	$s1,$s3
	xg	$s0,0($i3)
	xg	$s1,8($i3)
	stg	$s0,0($i3)
	stg	$s1,8($i3)
	la	$s0,0($i3)
	lghi	$s1,16
	.long	0xb92e0088		# km $s0,$s0
	brc	1,.-4			# can this happen?
	xg	$s2,0($i3)
	xg	$s3,8($i3)
	stg	$s2,0($i3)
	stg	$s3,8($i3)
.Lxts_dec_km_done:
	stg	$sp,$tweak+0($sp)	# wipe tweak
	stg	$sp,$tweak+8($sp)
	l${g}	$ra,5*$SIZE_T($sp)
	lm${g}	%r6,$s3,6*$SIZE_T($sp)
	br	$ra
.align	16
.Lxts_dec_software:
___
$code.=<<___;
	stm${g}	%r6,$ra,6*$SIZE_T($sp)

	srlg	$len,$len,4
	slgr	$out,$inp

	l${g}	$s3,$stdframe($sp)	# ivp
	llgf	$s0,0($s3)		# load iv
	llgf	$s1,4($s3)
	llgf	$s2,8($s3)
	llgf	$s3,12($s3)
	stm${g}	%r2,%r5,2*$SIZE_T($sp)
	la	$key,0($key2)
	larl	$tbl,AES_Te
	bras	$ra,_s390x_AES_encrypt	# generate the tweak
	lm${g}	%r2,%r5,2*$SIZE_T($sp)
	larl	$tbl,AES_Td
	lt${g}r	$len,$len
	stm	$s0,$s3,$tweak($sp)	# save the tweak
	jz	.Lxts_dec_short
	j	.Lxts_dec_enter

.align	16
.Lxts_dec_loop:
	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
	lrvg	$s3,$tweak+8($sp)
	lghi	%r1,0x87
	srag	%r0,$s3,63		# broadcast upper bit
	ngr	%r1,%r0			# rem
	algr	$s1,$s1
	alcgr	$s3,$s3
	xgr	$s1,%r1
	lrvgr	$s1,$s1			# flip byte order
	lrvgr	$s3,$s3
	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
	stg	$s1,$tweak+0($sp)	# save the tweak
	llgfr	$s1,$s1
	srlg	$s2,$s3,32
	stg	$s3,$tweak+8($sp)
	llgfr	$s3,$s3
.Lxts_dec_enter:
	x	$s0,0($inp)		# tweak^=*(inp)
	x	$s1,4($inp)
	x	$s2,8($inp)
	x	$s3,12($inp)
	stm${g}	%r2,%r3,2*$SIZE_T($sp)	# only two registers are changing
	la	$key,0($key1)
	bras	$ra,_s390x_AES_decrypt
	lm${g}	%r2,%r5,2*$SIZE_T($sp)
	x	$s0,$tweak+0($sp)	# ^=tweak
	x	$s1,$tweak+4($sp)
	x	$s2,$tweak+8($sp)
	x	$s3,$tweak+12($sp)
	st	$s0,0($out,$inp)
	st	$s1,4($out,$inp)
	st	$s2,8($out,$inp)
	st	$s3,12($out,$inp)
	la	$inp,16($inp)
	brct${g}	$len,.Lxts_dec_loop

	llgc	$len,`2*$SIZE_T-1`($sp)
	nill	$len,0x0f		# $len%16
	jz	.Lxts_dec_done

	# generate pair of tweaks...
	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
	lrvg	$s3,$tweak+8($sp)
	lghi	%r1,0x87
	srag	%r0,$s3,63		# broadcast upper bit
	ngr	%r1,%r0			# rem
	algr	$s1,$s1
	alcgr	$s3,$s3
	xgr	$s1,%r1
	lrvgr	$i2,$s1			# flip byte order
	lrvgr	$i3,$s3
	stmg	$i2,$i3,$tweak($sp)	# save the 1st tweak
	j	.Lxts_dec_2ndtweak

.align	16
.Lxts_dec_short:
	llgc	$len,`2*$SIZE_T-1`($sp)
	nill	$len,0x0f		# $len%16
	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
	lrvg	$s3,$tweak+8($sp)
.Lxts_dec_2ndtweak:
	lghi	%r1,0x87
	srag	%r0,$s3,63		# broadcast upper bit
	ngr	%r1,%r0			# rem
	algr	$s1,$s1
	alcgr	$s3,$s3
	xgr	$s1,%r1
	lrvgr	$s1,$s1			# flip byte order
	lrvgr	$s3,$s3
	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
	stg	$s1,$tweak-16+0($sp)	# save the 2nd tweak
	llgfr	$s1,$s1
	srlg	$s2,$s3,32
	stg	$s3,$tweak-16+8($sp)
	llgfr	$s3,$s3

	x	$s0,0($inp)		# tweak_the_2nd^=*(inp)
	x	$s1,4($inp)
	x	$s2,8($inp)
	x	$s3,12($inp)
	stm${g}	%r2,%r3,2*$SIZE_T($sp)
	la	$key,0($key1)
	bras	$ra,_s390x_AES_decrypt
	lm${g}	%r2,%r5,2*$SIZE_T($sp)
	x	$s0,$tweak-16+0($sp)	# ^=tweak_the_2nd
	x	$s1,$tweak-16+4($sp)
	x	$s2,$tweak-16+8($sp)
	x	$s3,$tweak-16+12($sp)
	st	$s0,0($out,$inp)
	st	$s1,4($out,$inp)
	st	$s2,8($out,$inp)
	st	$s3,12($out,$inp)

	la	$i3,0($out,$inp)	# put aside real $out
.Lxts_dec_steal:
	llgc	%r0,16($inp)
	llgc	%r1,0($out,$inp)
	stc	%r0,0($out,$inp)
	stc	%r1,16($out,$inp)
	la	$inp,1($inp)
	brct	$len,.Lxts_dec_steal
	la	$out,0($i3)		# restore real $out

	lm	$s0,$s3,$tweak($sp)	# load the 1st tweak
	x	$s0,0($out)		# tweak^=*(inp)|stolen cipher-text
	x	$s1,4($out)
	x	$s2,8($out)
	x	$s3,12($out)
	st${g}	$out,4*$SIZE_T($sp)
	la	$key,0($key1)
	bras	$ra,_s390x_AES_decrypt
	l${g}	$out,4*$SIZE_T($sp)
	x	$s0,$tweak+0($sp)	# ^=tweak
	x	$s1,$tweak+4($sp)
	x	$s2,$tweak+8($sp)
	x	$s3,$tweak+12($sp)
	st	$s0,0($out)
	st	$s1,4($out)
	st	$s2,8($out)
	st	$s3,12($out)
	stg	$sp,$tweak-16+0($sp)	# wipe 2nd tweak
	stg	$sp,$tweak-16+8($sp)
.Lxts_dec_done:
	stg	$sp,$tweak+0($sp)	# wipe tweak
	stg	$sp,$twesk+8($sp)
	lm${g}	%r6,$ra,6*$SIZE_T($sp)
	br	$ra
.size	AES_xts_decrypt,.-AES_xts_decrypt
___
}
$code.=<<___;
.string	"AES for s390x, CRYPTOGAMS by <appro\@openssl.org>"
___

$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT;	# force flush