2 # Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
19 # The module implements "4-bit" GCM GHASH function and underlying
20 # single multiplication operation in GF(2^128). "4-bit" means that
21 # it uses 256 bytes per-key table [+128 bytes shared table]. GHASH
22 # function features so called "528B" variant utilizing additional
23 # 256+16 bytes of per-key storage [+512 bytes shared table].
24 # Performance results are for this streamed GHASH subroutine and are
25 # expressed in cycles per processed byte, less is better:
27 # gcc 3.4.x(*) assembler
30 # Opteron 19.3 7.7 +150%
31 # Core2 17.8 8.1(**) +120%
33 # VIA Nano 21.8 10.1 +115%
35 # (*) comparison is not completely fair, because C results are
36 # for vanilla "256B" implementation, while assembler results
38 # (**) it's mystery [to me] why Core2 result is not same as for
43 # Add PCLMULQDQ version performing at 2.02 cycles per processed byte.
44 # See ghash-x86.pl for background information and details about coding
47 # Special thanks to David Woodhouse <dwmw2@infradead.org> for
48 # providing access to a Westmere-based system on behalf of Intel
49 # Open Source Technology Centre.
53 # Overhaul: aggregate Karatsuba post-processing, improve ILP in
54 # reduction_alg9, increase reduction aggregate factor to 4x. As for
55 # the latter. ghash-x86.pl discusses that it makes lesser sense to
56 # increase aggregate factor. Then why increase here? Critical path
57 # consists of 3 independent pclmulqdq instructions, Karatsuba post-
58 # processing and reduction. "On top" of this we lay down aggregated
59 # multiplication operations, triplets of independent pclmulqdq's. As
60 # issue rate for pclmulqdq is limited, it makes lesser sense to
61 # aggregate more multiplications than it takes to perform remaining
62 # non-multiplication operations. 2x is near-optimal coefficient for
63 # contemporary Intel CPUs (therefore modest improvement coefficient),
64 # but not for Bulldozer. Latter is because logical SIMD operations
65 # are twice as slow in comparison to Intel, so that critical path is
66 # longer. A CPU with higher pclmulqdq issue rate would also benefit
67 # from higher aggregate factor...
70 # Sandy Bridge 1.80(+8%)
71 # Ivy Bridge 1.80(+7%)
72 # Haswell 0.55(+93%) (if system doesn't support AVX)
73 # Broadwell 0.45(+110%)(if system doesn't support AVX)
74 # Skylake 0.44(+110%)(if system doesn't support AVX)
75 # Bulldozer 1.49(+27%)
76 # Silvermont 2.88(+13%)
81 # ... 8x aggregate factor AVX code path is using reduction algorithm
82 # suggested by Shay Gueron[1]. Even though contemporary AVX-capable
83 # CPUs such as Sandy and Ivy Bridge can execute it, the code performs
84 # sub-optimally in comparison to above mentioned version. But thanks
85 # to Ilya Albrekht and Max Locktyukhin of Intel Corp. we knew that
86 # it performs in 0.41 cycles per byte on Haswell processor, in
87 # 0.29 on Broadwell, and in 0.36 on Skylake.
89 # [1] http://rt.openssl.org/Ticket/Display.html?id=2900&user=guest&pass=guest
93 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
95 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
97 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
98 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
99 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
100 die "can't locate x86_64-xlate.pl";
102 if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
103 =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
104 $avx = ($1>=2.20) + ($1>=2.22);
107 if (!$avx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
108 `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
109 $avx = ($1>=2.09) + ($1>=2.10);
112 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
113 `ml64 2>&1` =~ /Version ([0-9]+)\./) {
114 $avx = ($1>=10) + ($1>=11);
117 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) {
118 $avx = ($2>=3.0) + ($2>3.0);
121 open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
126 # common register layout
137 # per-function register layout
141 sub LB() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1l/ or
142 $r =~ s/%[er]([sd]i)/%\1l/ or
143 $r =~ s/%[er](bp)/%\1l/ or
144 $r =~ s/%(r[0-9]+)[d]?/%\1b/; $r; }
146 sub AUTOLOAD() # thunk [simplified] 32-bit style perlasm
147 { my $opcode = $AUTOLOAD; $opcode =~ s/.*:://;
149 $arg = "\$$arg" if ($arg*1 eq $arg);
150 $code .= "\t$opcode\t".join(',',$arg,reverse @_)."\n";
161 mov `&LB("$Zlo")`,`&LB("$nlo")`
162 mov `&LB("$Zlo")`,`&LB("$nhi")`
163 shl \$4,`&LB("$nlo")`
165 mov 8($Htbl,$nlo),$Zlo
166 mov ($Htbl,$nlo),$Zhi
167 and \$0xf0,`&LB("$nhi")`
176 mov ($inp,$cnt),`&LB("$nlo")`
178 xor 8($Htbl,$nhi),$Zlo
180 xor ($Htbl,$nhi),$Zhi
181 mov `&LB("$nlo")`,`&LB("$nhi")`
182 xor ($rem_4bit,$rem,8),$Zhi
184 shl \$4,`&LB("$nlo")`
193 xor 8($Htbl,$nlo),$Zlo
195 xor ($Htbl,$nlo),$Zhi
196 and \$0xf0,`&LB("$nhi")`
197 xor ($rem_4bit,$rem,8),$Zhi
208 xor 8($Htbl,$nlo),$Zlo
210 xor ($Htbl,$nlo),$Zhi
211 and \$0xf0,`&LB("$nhi")`
212 xor ($rem_4bit,$rem,8),$Zhi
220 xor 8($Htbl,$nhi),$Zlo
222 xor ($Htbl,$nhi),$Zhi
224 xor ($rem_4bit,$rem,8),$Zhi
233 .extern OPENSSL_ia32cap_P
235 .globl gcm_gmult_4bit
236 .type gcm_gmult_4bit,\@function,2
240 push %rbp # %rbp and %r12 are pushed exclusively in
241 push %r12 # order to reuse Win64 exception handler...
245 lea .Lrem_4bit(%rip),$rem_4bit
256 .size gcm_gmult_4bit,.-gcm_gmult_4bit
259 # per-function register layout
265 .globl gcm_ghash_4bit
266 .type gcm_ghash_4bit,\@function,4
277 mov $inp,%r14 # reassign couple of args
283 my @nhi=("%ebx","%ecx");
284 my @rem=("%r12","%r13");
287 &sub ($Htbl,-128); # size optimization
288 &lea ($Hshr4,"16+128(%rsp)");
289 { my @lo =($nlo,$nhi);
293 for ($i=0,$j=-2;$i<18;$i++,$j++) {
294 &mov ("$j(%rsp)",&LB($dat)) if ($i>1);
295 &or ($lo[0],$tmp) if ($i>1);
296 &mov (&LB($dat),&LB($lo[1])) if ($i>0 && $i<17);
297 &shr ($lo[1],4) if ($i>0 && $i<17);
298 &mov ($tmp,$hi[1]) if ($i>0 && $i<17);
299 &shr ($hi[1],4) if ($i>0 && $i<17);
300 &mov ("8*$j($Hshr4)",$hi[0]) if ($i>1);
301 &mov ($hi[0],"16*$i+0-128($Htbl)") if ($i<16);
302 &shl (&LB($dat),4) if ($i>0 && $i<17);
303 &mov ("8*$j-128($Hshr4)",$lo[0]) if ($i>1);
304 &mov ($lo[0],"16*$i+8-128($Htbl)") if ($i<16);
305 &shl ($tmp,60) if ($i>0 && $i<17);
307 push (@lo,shift(@lo));
308 push (@hi,shift(@hi));
312 &mov ($Zlo,"8($Xi)");
313 &mov ($Zhi,"0($Xi)");
314 &add ($len,$inp); # pointer to the end of data
315 &lea ($rem_8bit,".Lrem_8bit(%rip)");
316 &jmp (".Louter_loop");
318 $code.=".align 16\n.Louter_loop:\n";
319 &xor ($Zhi,"($inp)");
320 &mov ("%rdx","8($inp)");
321 &lea ($inp,"16($inp)");
324 &mov ("8($Xi)","%rdx");
329 &mov (&LB($nlo),&LB($dat));
330 &movz ($nhi[0],&LB($dat));
334 for ($j=11,$i=0;$i<15;$i++) {
336 &xor ($Zlo,"8($Htbl,$nlo)") if ($i>0);
337 &xor ($Zhi,"($Htbl,$nlo)") if ($i>0);
338 &mov ($Zlo,"8($Htbl,$nlo)") if ($i==0);
339 &mov ($Zhi,"($Htbl,$nlo)") if ($i==0);
341 &mov (&LB($nlo),&LB($dat));
342 &xor ($Zlo,$tmp) if ($i>0);
343 &movzw ($rem[1],"($rem_8bit,$rem[1],2)") if ($i>0);
345 &movz ($nhi[1],&LB($dat));
347 &movzb ($rem[0],"(%rsp,$nhi[0])");
349 &shr ($nhi[1],4) if ($i<14);
350 &and ($nhi[1],0xf0) if ($i==14);
351 &shl ($rem[1],48) if ($i>0);
355 &xor ($Zhi,$rem[1]) if ($i>0);
358 &movz ($rem[0],&LB($rem[0]));
359 &mov ($dat,"$j($Xi)") if (--$j%4==0);
362 &xor ($Zlo,"-128($Hshr4,$nhi[0],8)");
364 &xor ($Zhi,"($Hshr4,$nhi[0],8)");
366 unshift (@nhi,pop(@nhi)); # "rotate" registers
367 unshift (@rem,pop(@rem));
369 &movzw ($rem[1],"($rem_8bit,$rem[1],2)");
370 &xor ($Zlo,"8($Htbl,$nlo)");
371 &xor ($Zhi,"($Htbl,$nlo)");
377 &movz ($rem[0],&LB($Zlo));
381 &shl (&LB($rem[0]),4);
384 &xor ($Zlo,"8($Htbl,$nhi[0])");
385 &movzw ($rem[0],"($rem_8bit,$rem[0],2)");
388 &xor ($Zhi,"($Htbl,$nhi[0])");
397 &jb (".Louter_loop");
413 .size gcm_ghash_4bit,.-gcm_ghash_4bit
416 ######################################################################
419 @_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
420 ("%rdi","%rsi","%rdx","%rcx"); # Unix order
422 ($Xi,$Xhi)=("%xmm0","%xmm1"); $Hkey="%xmm2";
423 ($T1,$T2,$T3)=("%xmm3","%xmm4","%xmm5");
425 sub clmul64x64_T2 { # minimal register pressure
426 my ($Xhi,$Xi,$Hkey,$HK)=@_;
428 if (!defined($HK)) { $HK = $T2;
431 pshufd \$0b01001110,$Xi,$T1
432 pshufd \$0b01001110,$Hkey,$T2
439 pshufd \$0b01001110,$Xi,$T1
444 pclmulqdq \$0x00,$Hkey,$Xi #######
445 pclmulqdq \$0x11,$Hkey,$Xhi #######
446 pclmulqdq \$0x00,$HK,$T1 #######
458 sub reduction_alg9 { # 17/11 times faster than Intel version
488 { my ($Htbl,$Xip)=@_4args;
492 .globl gcm_init_clmul
493 .type gcm_init_clmul,\@abi-omnipotent
498 $code.=<<___ if ($win64);
499 .LSEH_begin_gcm_init_clmul:
500 # I can't trust assembler to use specific encoding:-(
501 .byte 0x48,0x83,0xec,0x18 #sub $0x18,%rsp
502 .byte 0x0f,0x29,0x34,0x24 #movaps %xmm6,(%rsp)
506 pshufd \$0b01001110,$Hkey,$Hkey # dword swap
509 pshufd \$0b11111111,$Hkey,$T2 # broadcast uppermost dword
514 pcmpgtd $T2,$T3 # broadcast carry bit
516 por $T1,$Hkey # H<<=1
519 pand .L0x1c2_polynomial(%rip),$T3
520 pxor $T3,$Hkey # if(carry) H^=0x1c2_polynomial
523 pshufd \$0b01001110,$Hkey,$HK
527 &clmul64x64_T2 ($Xhi,$Xi,$Hkey,$HK);
528 &reduction_alg9 ($Xhi,$Xi);
530 pshufd \$0b01001110,$Hkey,$T1
531 pshufd \$0b01001110,$Xi,$T2
532 pxor $Hkey,$T1 # Karatsuba pre-processing
533 movdqu $Hkey,0x00($Htbl) # save H
534 pxor $Xi,$T2 # Karatsuba pre-processing
535 movdqu $Xi,0x10($Htbl) # save H^2
536 palignr \$8,$T1,$T2 # low part is H.lo^H.hi...
537 movdqu $T2,0x20($Htbl) # save Karatsuba "salt"
540 &clmul64x64_T2 ($Xhi,$Xi,$Hkey,$HK); # H^3
541 &reduction_alg9 ($Xhi,$Xi);
545 &clmul64x64_T2 ($Xhi,$Xi,$Hkey,$HK); # H^4
546 &reduction_alg9 ($Xhi,$Xi);
548 pshufd \$0b01001110,$T3,$T1
549 pshufd \$0b01001110,$Xi,$T2
550 pxor $T3,$T1 # Karatsuba pre-processing
551 movdqu $T3,0x30($Htbl) # save H^3
552 pxor $Xi,$T2 # Karatsuba pre-processing
553 movdqu $Xi,0x40($Htbl) # save H^4
554 palignr \$8,$T1,$T2 # low part is H^3.lo^H^3.hi...
555 movdqu $T2,0x50($Htbl) # save Karatsuba "salt"
558 $code.=<<___ if ($win64);
561 .LSEH_end_gcm_init_clmul:
565 .size gcm_init_clmul,.-gcm_init_clmul
569 { my ($Xip,$Htbl)=@_4args;
572 .globl gcm_gmult_clmul
573 .type gcm_gmult_clmul,\@abi-omnipotent
578 movdqa .Lbswap_mask(%rip),$T3
580 movdqu 0x20($Htbl),$T2
583 &clmul64x64_T2 ($Xhi,$Xi,$Hkey,$T2);
584 $code.=<<___ if (0 || (&reduction_alg9($Xhi,$Xi)&&0));
585 # experimental alternative. special thing about is that there
586 # no dependency between the two multiplications...
588 mov \$0xA040608020C0E000,%r10 # ((7..0)·0xE0)&0xff
592 movq %r11,$T3 # borrow $T3
594 pshufb $T3,$T2 # ($Xi&7)·0xE0
596 pclmulqdq \$0x00,$Xi,$T1 # ·(0xE1<<1)
599 paddd $T2,$T2 # <<(64+56+1)
601 pclmulqdq \$0x01,$T3,$Xi
602 movdqa .Lbswap_mask(%rip),$T3 # reload $T3
612 .size gcm_gmult_clmul,.-gcm_gmult_clmul
616 { my ($Xip,$Htbl,$inp,$len)=@_4args;
617 my ($Xln,$Xmn,$Xhn,$Hkey2,$HK) = map("%xmm$_",(3..7));
618 my ($T1,$T2,$T3)=map("%xmm$_",(8..10));
621 .globl gcm_ghash_clmul
622 .type gcm_ghash_clmul,\@abi-omnipotent
627 $code.=<<___ if ($win64);
629 .LSEH_begin_gcm_ghash_clmul:
630 # I can't trust assembler to use specific encoding:-(
631 .byte 0x48,0x8d,0x60,0xe0 #lea -0x20(%rax),%rsp
632 .byte 0x0f,0x29,0x70,0xe0 #movaps %xmm6,-0x20(%rax)
633 .byte 0x0f,0x29,0x78,0xf0 #movaps %xmm7,-0x10(%rax)
634 .byte 0x44,0x0f,0x29,0x00 #movaps %xmm8,0(%rax)
635 .byte 0x44,0x0f,0x29,0x48,0x10 #movaps %xmm9,0x10(%rax)
636 .byte 0x44,0x0f,0x29,0x50,0x20 #movaps %xmm10,0x20(%rax)
637 .byte 0x44,0x0f,0x29,0x58,0x30 #movaps %xmm11,0x30(%rax)
638 .byte 0x44,0x0f,0x29,0x60,0x40 #movaps %xmm12,0x40(%rax)
639 .byte 0x44,0x0f,0x29,0x68,0x50 #movaps %xmm13,0x50(%rax)
640 .byte 0x44,0x0f,0x29,0x70,0x60 #movaps %xmm14,0x60(%rax)
641 .byte 0x44,0x0f,0x29,0x78,0x70 #movaps %xmm15,0x70(%rax)
644 movdqa .Lbswap_mask(%rip),$T3
648 movdqu 0x20($Htbl),$HK
654 movdqu 0x10($Htbl),$Hkey2
657 my ($Xl,$Xm,$Xh,$Hkey3,$Hkey4)=map("%xmm$_",(11..15));
660 mov OPENSSL_ia32cap_P+4(%rip),%eax
664 and \$`1<<26|1<<22`,%eax # isolate MOVBE+XSAVE
665 cmp \$`1<<22`,%eax # check for MOVBE without XSAVE
669 mov \$0xA040608020C0E000,%rax # ((7..0)·0xE0)&0xff
670 movdqu 0x30($Htbl),$Hkey3
671 movdqu 0x40($Htbl),$Hkey4
674 # Xi+4 =[(H*Ii+3) + (H^2*Ii+2) + (H^3*Ii+1) + H^4*(Ii+Xi)] mod P
676 movdqu 0x30($inp),$Xln
677 movdqu 0x20($inp),$Xl
681 pshufd \$0b01001110,$Xln,$Xmn
683 pclmulqdq \$0x00,$Hkey,$Xln
684 pclmulqdq \$0x11,$Hkey,$Xhn
685 pclmulqdq \$0x00,$HK,$Xmn
688 pshufd \$0b01001110,$Xl,$Xm
690 pclmulqdq \$0x00,$Hkey2,$Xl
691 pclmulqdq \$0x11,$Hkey2,$Xh
692 pclmulqdq \$0x10,$HK,$Xm
695 movups 0x50($Htbl),$HK
698 movdqu 0x10($inp),$Xl
703 pshufd \$0b01001110,$Xl,$Xm
706 pclmulqdq \$0x00,$Hkey3,$Xl
708 pshufd \$0b01001110,$Xi,$T1
710 pclmulqdq \$0x11,$Hkey3,$Xh
711 pclmulqdq \$0x00,$HK,$Xm
722 pclmulqdq \$0x00,$Hkey4,$Xi
724 movdqu 0x30($inp),$Xl
726 pclmulqdq \$0x11,$Hkey4,$Xhi
728 movdqu 0x20($inp),$Xln
730 pclmulqdq \$0x10,$HK,$T1
731 pshufd \$0b01001110,$Xl,$Xm
735 movups 0x20($Htbl),$HK
737 pclmulqdq \$0x00,$Hkey,$Xl
738 pshufd \$0b01001110,$Xln,$Xmn
740 pxor $Xi,$T1 # aggregated Karatsuba post-processing
745 pclmulqdq \$0x11,$Hkey,$Xh
749 movdqa .L7_mask(%rip),$T1
753 pand $Xi,$T1 # 1st phase
756 pclmulqdq \$0x00,$HK,$Xm
760 pclmulqdq \$0x00,$Hkey2,$Xln
766 movdqa $Xi,$T2 # 2nd phase
768 pclmulqdq \$0x11,$Hkey2,$Xhn
770 movdqu 0x10($inp),$Xl
772 pclmulqdq \$0x10,$HK,$Xmn
774 movups 0x50($Htbl),$HK
782 pshufd \$0b01001110,$Xl,$Xm
786 pclmulqdq \$0x00,$Hkey3,$Xl
790 pclmulqdq \$0x11,$Hkey3,$Xh
792 pshufd \$0b01001110,$Xi,$T1
795 pclmulqdq \$0x00,$HK,$Xm
803 pclmulqdq \$0x00,$Hkey4,$Xi
804 pclmulqdq \$0x11,$Hkey4,$Xhi
805 pclmulqdq \$0x10,$HK,$T1
809 pxor $Xi,$Xhi # aggregated Karatsuba post-processing
821 &reduction_alg9($Xhi,$Xi);
825 movdqu 0x20($Htbl),$HK
833 # Xi+2 =[H*(Ii+1 + Xi+1)] mod P =
834 # [(H*Ii+1) + (H*Xi+1)] mod P =
835 # [(H*Ii+1) + H^2*(Ii+Xi)] mod P
837 movdqu ($inp),$T1 # Ii
838 movdqu 16($inp),$Xln # Ii+1
844 pshufd \$0b01001110,$Xln,$Xmn
846 pclmulqdq \$0x00,$Hkey,$Xln
847 pclmulqdq \$0x11,$Hkey,$Xhn
848 pclmulqdq \$0x00,$HK,$Xmn
850 lea 32($inp),$inp # i+=2
861 pshufd \$0b01001110,$Xi,$Xmn #
864 pclmulqdq \$0x00,$Hkey2,$Xi
865 pclmulqdq \$0x11,$Hkey2,$Xhi
866 pclmulqdq \$0x10,$HK,$Xmn
868 pxor $Xln,$Xi # (H*Ii+1) + H^2*(Ii+Xi)
870 movdqu ($inp),$T2 # Ii
871 pxor $Xi,$T1 # aggregated Karatsuba post-processing
873 movdqu 16($inp),$Xln # Ii+1
876 pxor $T2,$Xhi # "Ii+Xi", consume early
887 movdqa $Xi,$T2 # 1st phase
891 pclmulqdq \$0x00,$Hkey,$Xln #######
899 pshufd \$0b01001110,$Xhn,$Xmn
903 movdqa $Xi,$T2 # 2nd phase
905 pclmulqdq \$0x11,$Hkey,$Xhn #######
912 pclmulqdq \$0x00,$HK,$Xmn #######
921 pshufd \$0b01001110,$Xi,$Xmn #
924 pclmulqdq \$0x00,$Hkey2,$Xi
925 pclmulqdq \$0x11,$Hkey2,$Xhi
926 pclmulqdq \$0x10,$HK,$Xmn
928 pxor $Xln,$Xi # (H*Ii+1) + H^2*(Ii+Xi)
939 &reduction_alg9 ($Xhi,$Xi);
945 movdqu ($inp),$T1 # Ii
949 &clmul64x64_T2 ($Xhi,$Xi,$Hkey,$HK); # H*(Ii+Xi)
950 &reduction_alg9 ($Xhi,$Xi);
956 $code.=<<___ if ($win64);
958 movaps 0x10(%rsp),%xmm7
959 movaps 0x20(%rsp),%xmm8
960 movaps 0x30(%rsp),%xmm9
961 movaps 0x40(%rsp),%xmm10
962 movaps 0x50(%rsp),%xmm11
963 movaps 0x60(%rsp),%xmm12
964 movaps 0x70(%rsp),%xmm13
965 movaps 0x80(%rsp),%xmm14
966 movaps 0x90(%rsp),%xmm15
968 .LSEH_end_gcm_ghash_clmul:
972 .size gcm_ghash_clmul,.-gcm_ghash_clmul
978 .type gcm_init_avx,\@abi-omnipotent
983 my ($Htbl,$Xip)=@_4args;
986 $code.=<<___ if ($win64);
987 .LSEH_begin_gcm_init_avx:
988 # I can't trust assembler to use specific encoding:-(
989 .byte 0x48,0x83,0xec,0x18 #sub $0x18,%rsp
990 .byte 0x0f,0x29,0x34,0x24 #movaps %xmm6,(%rsp)
996 vpshufd \$0b01001110,$Hkey,$Hkey # dword swap
999 vpshufd \$0b11111111,$Hkey,$T2 # broadcast uppermost dword
1000 vpsrlq \$63,$Hkey,$T1
1001 vpsllq \$1,$Hkey,$Hkey
1003 vpcmpgtd $T2,$T3,$T3 # broadcast carry bit
1005 vpor $T1,$Hkey,$Hkey # H<<=1
1008 vpand .L0x1c2_polynomial(%rip),$T3,$T3
1009 vpxor $T3,$Hkey,$Hkey # if(carry) H^=0x1c2_polynomial
1011 vpunpckhqdq $Hkey,$Hkey,$HK
1014 mov \$4,%r10 # up to H^8
1015 jmp .Linit_start_avx
1018 sub clmul64x64_avx {
1019 my ($Xhi,$Xi,$Hkey,$HK)=@_;
1021 if (!defined($HK)) { $HK = $T2;
1023 vpunpckhqdq $Xi,$Xi,$T1
1024 vpunpckhqdq $Hkey,$Hkey,$T2
1030 vpunpckhqdq $Xi,$Xi,$T1
1035 vpclmulqdq \$0x11,$Hkey,$Xi,$Xhi #######
1036 vpclmulqdq \$0x00,$Hkey,$Xi,$Xi #######
1037 vpclmulqdq \$0x00,$HK,$T1,$T1 #######
1038 vpxor $Xi,$Xhi,$T2 #
1041 vpslldq \$8,$T1,$T2 #
1052 vpsllq \$57,$Xi,$T1 # 1st phase
1057 vpslldq \$8,$T2,$T1 #
1062 vpsrlq \$1,$Xi,$T2 # 2nd phase
1067 vpsrlq \$1,$Xi,$Xi #
1068 vpxor $Xhi,$Xi,$Xi #
1075 vpalignr \$8,$T1,$T2,$T3 # low part is H.lo^H.hi...
1076 vmovdqu $T3,-0x10($Htbl) # save Karatsuba "salt"
1078 &clmul64x64_avx ($Xhi,$Xi,$Hkey,$HK); # calculate H^3,5,7
1079 &reduction_avx ($Xhi,$Xi);
1084 &clmul64x64_avx ($Xhi,$Xi,$Hkey,$HK); # calculate H^2,4,6,8
1085 &reduction_avx ($Xhi,$Xi);
1087 vpshufd \$0b01001110,$T3,$T1
1088 vpshufd \$0b01001110,$Xi,$T2
1089 vpxor $T3,$T1,$T1 # Karatsuba pre-processing
1090 vmovdqu $T3,0x00($Htbl) # save H^1,3,5,7
1091 vpxor $Xi,$T2,$T2 # Karatsuba pre-processing
1092 vmovdqu $Xi,0x10($Htbl) # save H^2,4,6,8
1093 lea 0x30($Htbl),$Htbl
1097 vpalignr \$8,$T2,$T1,$T3 # last "salt" is flipped
1098 vmovdqu $T3,-0x10($Htbl)
1102 $code.=<<___ if ($win64);
1105 .LSEH_end_gcm_init_avx:
1109 .size gcm_init_avx,.-gcm_init_avx
1114 .size gcm_init_avx,.-gcm_init_avx
1119 .globl gcm_gmult_avx
1120 .type gcm_gmult_avx,\@abi-omnipotent
1124 .size gcm_gmult_avx,.-gcm_gmult_avx
1128 .globl gcm_ghash_avx
1129 .type gcm_ghash_avx,\@abi-omnipotent
1134 my ($Xip,$Htbl,$inp,$len)=@_4args;
1138 $Xi,$Xo,$Tred,$bswap,$Ii,$Ij) = map("%xmm$_",(0..15));
1140 $code.=<<___ if ($win64);
1141 lea -0x88(%rsp),%rax
1142 .LSEH_begin_gcm_ghash_avx:
1143 # I can't trust assembler to use specific encoding:-(
1144 .byte 0x48,0x8d,0x60,0xe0 #lea -0x20(%rax),%rsp
1145 .byte 0x0f,0x29,0x70,0xe0 #movaps %xmm6,-0x20(%rax)
1146 .byte 0x0f,0x29,0x78,0xf0 #movaps %xmm7,-0x10(%rax)
1147 .byte 0x44,0x0f,0x29,0x00 #movaps %xmm8,0(%rax)
1148 .byte 0x44,0x0f,0x29,0x48,0x10 #movaps %xmm9,0x10(%rax)
1149 .byte 0x44,0x0f,0x29,0x50,0x20 #movaps %xmm10,0x20(%rax)
1150 .byte 0x44,0x0f,0x29,0x58,0x30 #movaps %xmm11,0x30(%rax)
1151 .byte 0x44,0x0f,0x29,0x60,0x40 #movaps %xmm12,0x40(%rax)
1152 .byte 0x44,0x0f,0x29,0x68,0x50 #movaps %xmm13,0x50(%rax)
1153 .byte 0x44,0x0f,0x29,0x70,0x60 #movaps %xmm14,0x60(%rax)
1154 .byte 0x44,0x0f,0x29,0x78,0x70 #movaps %xmm15,0x70(%rax)
1159 vmovdqu ($Xip),$Xi # load $Xi
1160 lea .L0x1c2_polynomial(%rip),%r10
1161 lea 0x40($Htbl),$Htbl # size optimization
1162 vmovdqu .Lbswap_mask(%rip),$bswap
1163 vpshufb $bswap,$Xi,$Xi
1168 vmovdqu 0x70($inp),$Ii # I[7]
1169 vmovdqu 0x00-0x40($Htbl),$Hkey # $Hkey^1
1170 vpshufb $bswap,$Ii,$Ii
1171 vmovdqu 0x20-0x40($Htbl),$HK
1173 vpunpckhqdq $Ii,$Ii,$T2
1174 vmovdqu 0x60($inp),$Ij # I[6]
1175 vpclmulqdq \$0x00,$Hkey,$Ii,$Xlo
1177 vpshufb $bswap,$Ij,$Ij
1178 vpclmulqdq \$0x11,$Hkey,$Ii,$Xhi
1179 vmovdqu 0x10-0x40($Htbl),$Hkey # $Hkey^2
1180 vpunpckhqdq $Ij,$Ij,$T1
1181 vmovdqu 0x50($inp),$Ii # I[5]
1182 vpclmulqdq \$0x00,$HK,$T2,$Xmi
1185 vpshufb $bswap,$Ii,$Ii
1186 vpclmulqdq \$0x00,$Hkey,$Ij,$Zlo
1187 vpunpckhqdq $Ii,$Ii,$T2
1188 vpclmulqdq \$0x11,$Hkey,$Ij,$Zhi
1189 vmovdqu 0x30-0x40($Htbl),$Hkey # $Hkey^3
1191 vmovdqu 0x40($inp),$Ij # I[4]
1192 vpclmulqdq \$0x10,$HK,$T1,$Zmi
1193 vmovdqu 0x50-0x40($Htbl),$HK
1195 vpshufb $bswap,$Ij,$Ij
1196 vpxor $Xlo,$Zlo,$Zlo
1197 vpclmulqdq \$0x00,$Hkey,$Ii,$Xlo
1198 vpxor $Xhi,$Zhi,$Zhi
1199 vpunpckhqdq $Ij,$Ij,$T1
1200 vpclmulqdq \$0x11,$Hkey,$Ii,$Xhi
1201 vmovdqu 0x40-0x40($Htbl),$Hkey # $Hkey^4
1202 vpxor $Xmi,$Zmi,$Zmi
1203 vpclmulqdq \$0x00,$HK,$T2,$Xmi
1206 vmovdqu 0x30($inp),$Ii # I[3]
1207 vpxor $Zlo,$Xlo,$Xlo
1208 vpclmulqdq \$0x00,$Hkey,$Ij,$Zlo
1209 vpxor $Zhi,$Xhi,$Xhi
1210 vpshufb $bswap,$Ii,$Ii
1211 vpclmulqdq \$0x11,$Hkey,$Ij,$Zhi
1212 vmovdqu 0x60-0x40($Htbl),$Hkey # $Hkey^5
1213 vpxor $Zmi,$Xmi,$Xmi
1214 vpunpckhqdq $Ii,$Ii,$T2
1215 vpclmulqdq \$0x10,$HK,$T1,$Zmi
1216 vmovdqu 0x80-0x40($Htbl),$HK
1219 vmovdqu 0x20($inp),$Ij # I[2]
1220 vpxor $Xlo,$Zlo,$Zlo
1221 vpclmulqdq \$0x00,$Hkey,$Ii,$Xlo
1222 vpxor $Xhi,$Zhi,$Zhi
1223 vpshufb $bswap,$Ij,$Ij
1224 vpclmulqdq \$0x11,$Hkey,$Ii,$Xhi
1225 vmovdqu 0x70-0x40($Htbl),$Hkey # $Hkey^6
1226 vpxor $Xmi,$Zmi,$Zmi
1227 vpunpckhqdq $Ij,$Ij,$T1
1228 vpclmulqdq \$0x00,$HK,$T2,$Xmi
1231 vmovdqu 0x10($inp),$Ii # I[1]
1232 vpxor $Zlo,$Xlo,$Xlo
1233 vpclmulqdq \$0x00,$Hkey,$Ij,$Zlo
1234 vpxor $Zhi,$Xhi,$Xhi
1235 vpshufb $bswap,$Ii,$Ii
1236 vpclmulqdq \$0x11,$Hkey,$Ij,$Zhi
1237 vmovdqu 0x90-0x40($Htbl),$Hkey # $Hkey^7
1238 vpxor $Zmi,$Xmi,$Xmi
1239 vpunpckhqdq $Ii,$Ii,$T2
1240 vpclmulqdq \$0x10,$HK,$T1,$Zmi
1241 vmovdqu 0xb0-0x40($Htbl),$HK
1244 vmovdqu ($inp),$Ij # I[0]
1245 vpxor $Xlo,$Zlo,$Zlo
1246 vpclmulqdq \$0x00,$Hkey,$Ii,$Xlo
1247 vpxor $Xhi,$Zhi,$Zhi
1248 vpshufb $bswap,$Ij,$Ij
1249 vpclmulqdq \$0x11,$Hkey,$Ii,$Xhi
1250 vmovdqu 0xa0-0x40($Htbl),$Hkey # $Hkey^8
1251 vpxor $Xmi,$Zmi,$Zmi
1252 vpclmulqdq \$0x10,$HK,$T2,$Xmi
1258 vpxor $Xi,$Ij,$Ij # accumulate $Xi
1264 vpunpckhqdq $Ij,$Ij,$T1
1265 vmovdqu 0x70($inp),$Ii # I[7]
1266 vpxor $Xlo,$Zlo,$Zlo
1268 vpclmulqdq \$0x00,$Hkey,$Ij,$Xi
1269 vpshufb $bswap,$Ii,$Ii
1270 vpxor $Xhi,$Zhi,$Zhi
1271 vpclmulqdq \$0x11,$Hkey,$Ij,$Xo
1272 vmovdqu 0x00-0x40($Htbl),$Hkey # $Hkey^1
1273 vpunpckhqdq $Ii,$Ii,$T2
1274 vpxor $Xmi,$Zmi,$Zmi
1275 vpclmulqdq \$0x00,$HK,$T1,$Tred
1276 vmovdqu 0x20-0x40($Htbl),$HK
1279 vmovdqu 0x60($inp),$Ij # I[6]
1280 vpclmulqdq \$0x00,$Hkey,$Ii,$Xlo
1281 vpxor $Zlo,$Xi,$Xi # collect result
1282 vpshufb $bswap,$Ij,$Ij
1283 vpclmulqdq \$0x11,$Hkey,$Ii,$Xhi
1285 vmovdqu 0x10-0x40($Htbl),$Hkey # $Hkey^2
1286 vpunpckhqdq $Ij,$Ij,$T1
1287 vpclmulqdq \$0x00,$HK, $T2,$Xmi
1288 vpxor $Zmi,$Tred,$Tred
1291 vmovdqu 0x50($inp),$Ii # I[5]
1292 vpxor $Xi,$Tred,$Tred # aggregated Karatsuba post-processing
1293 vpclmulqdq \$0x00,$Hkey,$Ij,$Zlo
1294 vpxor $Xo,$Tred,$Tred
1295 vpslldq \$8,$Tred,$T2
1296 vpxor $Xlo,$Zlo,$Zlo
1297 vpclmulqdq \$0x11,$Hkey,$Ij,$Zhi
1298 vpsrldq \$8,$Tred,$Tred
1300 vmovdqu 0x30-0x40($Htbl),$Hkey # $Hkey^3
1301 vpshufb $bswap,$Ii,$Ii
1302 vxorps $Tred,$Xo, $Xo
1303 vpxor $Xhi,$Zhi,$Zhi
1304 vpunpckhqdq $Ii,$Ii,$T2
1305 vpclmulqdq \$0x10,$HK, $T1,$Zmi
1306 vmovdqu 0x50-0x40($Htbl),$HK
1308 vpxor $Xmi,$Zmi,$Zmi
1310 vmovdqu 0x40($inp),$Ij # I[4]
1311 vpalignr \$8,$Xi,$Xi,$Tred # 1st phase
1312 vpclmulqdq \$0x00,$Hkey,$Ii,$Xlo
1313 vpshufb $bswap,$Ij,$Ij
1314 vpxor $Zlo,$Xlo,$Xlo
1315 vpclmulqdq \$0x11,$Hkey,$Ii,$Xhi
1316 vmovdqu 0x40-0x40($Htbl),$Hkey # $Hkey^4
1317 vpunpckhqdq $Ij,$Ij,$T1
1318 vpxor $Zhi,$Xhi,$Xhi
1319 vpclmulqdq \$0x00,$HK, $T2,$Xmi
1321 vpxor $Zmi,$Xmi,$Xmi
1323 vmovdqu 0x30($inp),$Ii # I[3]
1324 vpclmulqdq \$0x10,(%r10),$Xi,$Xi
1325 vpclmulqdq \$0x00,$Hkey,$Ij,$Zlo
1326 vpshufb $bswap,$Ii,$Ii
1327 vpxor $Xlo,$Zlo,$Zlo
1328 vpclmulqdq \$0x11,$Hkey,$Ij,$Zhi
1329 vmovdqu 0x60-0x40($Htbl),$Hkey # $Hkey^5
1330 vpunpckhqdq $Ii,$Ii,$T2
1331 vpxor $Xhi,$Zhi,$Zhi
1332 vpclmulqdq \$0x10,$HK, $T1,$Zmi
1333 vmovdqu 0x80-0x40($Htbl),$HK
1335 vpxor $Xmi,$Zmi,$Zmi
1337 vmovdqu 0x20($inp),$Ij # I[2]
1338 vpclmulqdq \$0x00,$Hkey,$Ii,$Xlo
1339 vpshufb $bswap,$Ij,$Ij
1340 vpxor $Zlo,$Xlo,$Xlo
1341 vpclmulqdq \$0x11,$Hkey,$Ii,$Xhi
1342 vmovdqu 0x70-0x40($Htbl),$Hkey # $Hkey^6
1343 vpunpckhqdq $Ij,$Ij,$T1
1344 vpxor $Zhi,$Xhi,$Xhi
1345 vpclmulqdq \$0x00,$HK, $T2,$Xmi
1347 vpxor $Zmi,$Xmi,$Xmi
1348 vxorps $Tred,$Xi,$Xi
1350 vmovdqu 0x10($inp),$Ii # I[1]
1351 vpalignr \$8,$Xi,$Xi,$Tred # 2nd phase
1352 vpclmulqdq \$0x00,$Hkey,$Ij,$Zlo
1353 vpshufb $bswap,$Ii,$Ii
1354 vpxor $Xlo,$Zlo,$Zlo
1355 vpclmulqdq \$0x11,$Hkey,$Ij,$Zhi
1356 vmovdqu 0x90-0x40($Htbl),$Hkey # $Hkey^7
1357 vpclmulqdq \$0x10,(%r10),$Xi,$Xi
1358 vxorps $Xo,$Tred,$Tred
1359 vpunpckhqdq $Ii,$Ii,$T2
1360 vpxor $Xhi,$Zhi,$Zhi
1361 vpclmulqdq \$0x10,$HK, $T1,$Zmi
1362 vmovdqu 0xb0-0x40($Htbl),$HK
1364 vpxor $Xmi,$Zmi,$Zmi
1366 vmovdqu ($inp),$Ij # I[0]
1367 vpclmulqdq \$0x00,$Hkey,$Ii,$Xlo
1368 vpshufb $bswap,$Ij,$Ij
1369 vpclmulqdq \$0x11,$Hkey,$Ii,$Xhi
1370 vmovdqu 0xa0-0x40($Htbl),$Hkey # $Hkey^8
1372 vpclmulqdq \$0x10,$HK, $T2,$Xmi
1373 vpxor $Xi,$Ij,$Ij # accumulate $Xi
1380 jmp .Ltail_no_xor_avx
1384 vmovdqu -0x10($inp,$len),$Ii # very last word
1385 lea ($inp,$len),$inp
1386 vmovdqu 0x00-0x40($Htbl),$Hkey # $Hkey^1
1387 vmovdqu 0x20-0x40($Htbl),$HK
1388 vpshufb $bswap,$Ii,$Ij
1390 vmovdqa $Xlo,$Zlo # subtle way to zero $Zlo,
1391 vmovdqa $Xhi,$Zhi # $Zhi and
1392 vmovdqa $Xmi,$Zmi # $Zmi
1396 vpunpckhqdq $Ij,$Ij,$T1
1397 vpxor $Xlo,$Zlo,$Zlo
1398 vpclmulqdq \$0x00,$Hkey,$Ij,$Xlo
1400 vmovdqu -0x20($inp),$Ii
1401 vpxor $Xhi,$Zhi,$Zhi
1402 vpclmulqdq \$0x11,$Hkey,$Ij,$Xhi
1403 vmovdqu 0x10-0x40($Htbl),$Hkey # $Hkey^2
1404 vpshufb $bswap,$Ii,$Ij
1405 vpxor $Xmi,$Zmi,$Zmi
1406 vpclmulqdq \$0x00,$HK,$T1,$Xmi
1411 vpunpckhqdq $Ij,$Ij,$T1
1412 vpxor $Xlo,$Zlo,$Zlo
1413 vpclmulqdq \$0x00,$Hkey,$Ij,$Xlo
1415 vmovdqu -0x30($inp),$Ii
1416 vpxor $Xhi,$Zhi,$Zhi
1417 vpclmulqdq \$0x11,$Hkey,$Ij,$Xhi
1418 vmovdqu 0x30-0x40($Htbl),$Hkey # $Hkey^3
1419 vpshufb $bswap,$Ii,$Ij
1420 vpxor $Xmi,$Zmi,$Zmi
1421 vpclmulqdq \$0x00,$HK,$T1,$Xmi
1422 vmovdqu 0x50-0x40($Htbl),$HK
1426 vpunpckhqdq $Ij,$Ij,$T1
1427 vpxor $Xlo,$Zlo,$Zlo
1428 vpclmulqdq \$0x00,$Hkey,$Ij,$Xlo
1430 vmovdqu -0x40($inp),$Ii
1431 vpxor $Xhi,$Zhi,$Zhi
1432 vpclmulqdq \$0x11,$Hkey,$Ij,$Xhi
1433 vmovdqu 0x40-0x40($Htbl),$Hkey # $Hkey^4
1434 vpshufb $bswap,$Ii,$Ij
1435 vpxor $Xmi,$Zmi,$Zmi
1436 vpclmulqdq \$0x00,$HK,$T1,$Xmi
1441 vpunpckhqdq $Ij,$Ij,$T1
1442 vpxor $Xlo,$Zlo,$Zlo
1443 vpclmulqdq \$0x00,$Hkey,$Ij,$Xlo
1445 vmovdqu -0x50($inp),$Ii
1446 vpxor $Xhi,$Zhi,$Zhi
1447 vpclmulqdq \$0x11,$Hkey,$Ij,$Xhi
1448 vmovdqu 0x60-0x40($Htbl),$Hkey # $Hkey^5
1449 vpshufb $bswap,$Ii,$Ij
1450 vpxor $Xmi,$Zmi,$Zmi
1451 vpclmulqdq \$0x00,$HK,$T1,$Xmi
1452 vmovdqu 0x80-0x40($Htbl),$HK
1456 vpunpckhqdq $Ij,$Ij,$T1
1457 vpxor $Xlo,$Zlo,$Zlo
1458 vpclmulqdq \$0x00,$Hkey,$Ij,$Xlo
1460 vmovdqu -0x60($inp),$Ii
1461 vpxor $Xhi,$Zhi,$Zhi
1462 vpclmulqdq \$0x11,$Hkey,$Ij,$Xhi
1463 vmovdqu 0x70-0x40($Htbl),$Hkey # $Hkey^6
1464 vpshufb $bswap,$Ii,$Ij
1465 vpxor $Xmi,$Zmi,$Zmi
1466 vpclmulqdq \$0x00,$HK,$T1,$Xmi
1471 vpunpckhqdq $Ij,$Ij,$T1
1472 vpxor $Xlo,$Zlo,$Zlo
1473 vpclmulqdq \$0x00,$Hkey,$Ij,$Xlo
1475 vmovdqu -0x70($inp),$Ii
1476 vpxor $Xhi,$Zhi,$Zhi
1477 vpclmulqdq \$0x11,$Hkey,$Ij,$Xhi
1478 vmovdqu 0x90-0x40($Htbl),$Hkey # $Hkey^7
1479 vpshufb $bswap,$Ii,$Ij
1480 vpxor $Xmi,$Zmi,$Zmi
1481 vpclmulqdq \$0x00,$HK,$T1,$Xmi
1482 vmovq 0xb8-0x40($Htbl),$HK
1488 vpxor $Xi,$Ij,$Ij # accumulate $Xi
1490 vpunpckhqdq $Ij,$Ij,$T1
1491 vpxor $Xlo,$Zlo,$Zlo
1492 vpclmulqdq \$0x00,$Hkey,$Ij,$Xlo
1494 vpxor $Xhi,$Zhi,$Zhi
1495 vpclmulqdq \$0x11,$Hkey,$Ij,$Xhi
1496 vpxor $Xmi,$Zmi,$Zmi
1497 vpclmulqdq \$0x00,$HK,$T1,$Xmi
1499 vmovdqu (%r10),$Tred
1503 vpxor $Xmi,$Zmi,$Zmi
1505 vpxor $Xi, $Zmi,$Zmi # aggregated Karatsuba post-processing
1506 vpxor $Xo, $Zmi,$Zmi
1507 vpslldq \$8, $Zmi,$T2
1508 vpsrldq \$8, $Zmi,$Zmi
1512 vpclmulqdq \$0x10,$Tred,$Xi,$T2 # 1st phase
1513 vpalignr \$8,$Xi,$Xi,$Xi
1516 vpclmulqdq \$0x10,$Tred,$Xi,$T2 # 2nd phase
1517 vpalignr \$8,$Xi,$Xi,$Xi
1524 vpshufb $bswap,$Xi,$Xi
1528 $code.=<<___ if ($win64);
1530 movaps 0x10(%rsp),%xmm7
1531 movaps 0x20(%rsp),%xmm8
1532 movaps 0x30(%rsp),%xmm9
1533 movaps 0x40(%rsp),%xmm10
1534 movaps 0x50(%rsp),%xmm11
1535 movaps 0x60(%rsp),%xmm12
1536 movaps 0x70(%rsp),%xmm13
1537 movaps 0x80(%rsp),%xmm14
1538 movaps 0x90(%rsp),%xmm15
1540 .LSEH_end_gcm_ghash_avx:
1544 .size gcm_ghash_avx,.-gcm_ghash_avx
1549 .size gcm_ghash_avx,.-gcm_ghash_avx
1556 .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
1558 .byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xc2
1562 .long 7,0,`0xE1<<1`,0
1564 .type .Lrem_4bit,\@object
1566 .long 0,`0x0000<<16`,0,`0x1C20<<16`,0,`0x3840<<16`,0,`0x2460<<16`
1567 .long 0,`0x7080<<16`,0,`0x6CA0<<16`,0,`0x48C0<<16`,0,`0x54E0<<16`
1568 .long 0,`0xE100<<16`,0,`0xFD20<<16`,0,`0xD940<<16`,0,`0xC560<<16`
1569 .long 0,`0x9180<<16`,0,`0x8DA0<<16`,0,`0xA9C0<<16`,0,`0xB5E0<<16`
1570 .type .Lrem_8bit,\@object
1572 .value 0x0000,0x01C2,0x0384,0x0246,0x0708,0x06CA,0x048C,0x054E
1573 .value 0x0E10,0x0FD2,0x0D94,0x0C56,0x0918,0x08DA,0x0A9C,0x0B5E
1574 .value 0x1C20,0x1DE2,0x1FA4,0x1E66,0x1B28,0x1AEA,0x18AC,0x196E
1575 .value 0x1230,0x13F2,0x11B4,0x1076,0x1538,0x14FA,0x16BC,0x177E
1576 .value 0x3840,0x3982,0x3BC4,0x3A06,0x3F48,0x3E8A,0x3CCC,0x3D0E
1577 .value 0x3650,0x3792,0x35D4,0x3416,0x3158,0x309A,0x32DC,0x331E
1578 .value 0x2460,0x25A2,0x27E4,0x2626,0x2368,0x22AA,0x20EC,0x212E
1579 .value 0x2A70,0x2BB2,0x29F4,0x2836,0x2D78,0x2CBA,0x2EFC,0x2F3E
1580 .value 0x7080,0x7142,0x7304,0x72C6,0x7788,0x764A,0x740C,0x75CE
1581 .value 0x7E90,0x7F52,0x7D14,0x7CD6,0x7998,0x785A,0x7A1C,0x7BDE
1582 .value 0x6CA0,0x6D62,0x6F24,0x6EE6,0x6BA8,0x6A6A,0x682C,0x69EE
1583 .value 0x62B0,0x6372,0x6134,0x60F6,0x65B8,0x647A,0x663C,0x67FE
1584 .value 0x48C0,0x4902,0x4B44,0x4A86,0x4FC8,0x4E0A,0x4C4C,0x4D8E
1585 .value 0x46D0,0x4712,0x4554,0x4496,0x41D8,0x401A,0x425C,0x439E
1586 .value 0x54E0,0x5522,0x5764,0x56A6,0x53E8,0x522A,0x506C,0x51AE
1587 .value 0x5AF0,0x5B32,0x5974,0x58B6,0x5DF8,0x5C3A,0x5E7C,0x5FBE
1588 .value 0xE100,0xE0C2,0xE284,0xE346,0xE608,0xE7CA,0xE58C,0xE44E
1589 .value 0xEF10,0xEED2,0xEC94,0xED56,0xE818,0xE9DA,0xEB9C,0xEA5E
1590 .value 0xFD20,0xFCE2,0xFEA4,0xFF66,0xFA28,0xFBEA,0xF9AC,0xF86E
1591 .value 0xF330,0xF2F2,0xF0B4,0xF176,0xF438,0xF5FA,0xF7BC,0xF67E
1592 .value 0xD940,0xD882,0xDAC4,0xDB06,0xDE48,0xDF8A,0xDDCC,0xDC0E
1593 .value 0xD750,0xD692,0xD4D4,0xD516,0xD058,0xD19A,0xD3DC,0xD21E
1594 .value 0xC560,0xC4A2,0xC6E4,0xC726,0xC268,0xC3AA,0xC1EC,0xC02E
1595 .value 0xCB70,0xCAB2,0xC8F4,0xC936,0xCC78,0xCDBA,0xCFFC,0xCE3E
1596 .value 0x9180,0x9042,0x9204,0x93C6,0x9688,0x974A,0x950C,0x94CE
1597 .value 0x9F90,0x9E52,0x9C14,0x9DD6,0x9898,0x995A,0x9B1C,0x9ADE
1598 .value 0x8DA0,0x8C62,0x8E24,0x8FE6,0x8AA8,0x8B6A,0x892C,0x88EE
1599 .value 0x83B0,0x8272,0x8034,0x81F6,0x84B8,0x857A,0x873C,0x86FE
1600 .value 0xA9C0,0xA802,0xAA44,0xAB86,0xAEC8,0xAF0A,0xAD4C,0xAC8E
1601 .value 0xA7D0,0xA612,0xA454,0xA596,0xA0D8,0xA11A,0xA35C,0xA29E
1602 .value 0xB5E0,0xB422,0xB664,0xB7A6,0xB2E8,0xB32A,0xB16C,0xB0AE
1603 .value 0xBBF0,0xBA32,0xB874,0xB9B6,0xBCF8,0xBD3A,0xBF7C,0xBEBE
1605 .asciz "GHASH for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
1609 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
1610 # CONTEXT *context,DISPATCHER_CONTEXT *disp)
1618 .extern __imp_RtlVirtualUnwind
1619 .type se_handler,\@abi-omnipotent
1633 mov 120($context),%rax # pull context->Rax
1634 mov 248($context),%rbx # pull context->Rip
1636 mov 8($disp),%rsi # disp->ImageBase
1637 mov 56($disp),%r11 # disp->HandlerData
1639 mov 0(%r11),%r10d # HandlerData[0]
1640 lea (%rsi,%r10),%r10 # prologue label
1641 cmp %r10,%rbx # context->Rip<prologue label
1644 mov 152($context),%rax # pull context->Rsp
1646 mov 4(%r11),%r10d # HandlerData[1]
1647 lea (%rsi,%r10),%r10 # epilogue label
1648 cmp %r10,%rbx # context->Rip>=epilogue label
1651 lea 24(%rax),%rax # adjust "rsp"
1656 mov %rbx,144($context) # restore context->Rbx
1657 mov %rbp,160($context) # restore context->Rbp
1658 mov %r12,216($context) # restore context->R12
1663 mov %rax,152($context) # restore context->Rsp
1664 mov %rsi,168($context) # restore context->Rsi
1665 mov %rdi,176($context) # restore context->Rdi
1667 mov 40($disp),%rdi # disp->ContextRecord
1668 mov $context,%rsi # context
1669 mov \$`1232/8`,%ecx # sizeof(CONTEXT)
1670 .long 0xa548f3fc # cld; rep movsq
1673 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
1674 mov 8(%rsi),%rdx # arg2, disp->ImageBase
1675 mov 0(%rsi),%r8 # arg3, disp->ControlPc
1676 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
1677 mov 40(%rsi),%r10 # disp->ContextRecord
1678 lea 56(%rsi),%r11 # &disp->HandlerData
1679 lea 24(%rsi),%r12 # &disp->EstablisherFrame
1680 mov %r10,32(%rsp) # arg5
1681 mov %r11,40(%rsp) # arg6
1682 mov %r12,48(%rsp) # arg7
1683 mov %rcx,56(%rsp) # arg8, (NULL)
1684 call *__imp_RtlVirtualUnwind(%rip)
1686 mov \$1,%eax # ExceptionContinueSearch
1698 .size se_handler,.-se_handler
1702 .rva .LSEH_begin_gcm_gmult_4bit
1703 .rva .LSEH_end_gcm_gmult_4bit
1704 .rva .LSEH_info_gcm_gmult_4bit
1706 .rva .LSEH_begin_gcm_ghash_4bit
1707 .rva .LSEH_end_gcm_ghash_4bit
1708 .rva .LSEH_info_gcm_ghash_4bit
1710 .rva .LSEH_begin_gcm_init_clmul
1711 .rva .LSEH_end_gcm_init_clmul
1712 .rva .LSEH_info_gcm_init_clmul
1714 .rva .LSEH_begin_gcm_ghash_clmul
1715 .rva .LSEH_end_gcm_ghash_clmul
1716 .rva .LSEH_info_gcm_ghash_clmul
1718 $code.=<<___ if ($avx);
1719 .rva .LSEH_begin_gcm_init_avx
1720 .rva .LSEH_end_gcm_init_avx
1721 .rva .LSEH_info_gcm_init_clmul
1723 .rva .LSEH_begin_gcm_ghash_avx
1724 .rva .LSEH_end_gcm_ghash_avx
1725 .rva .LSEH_info_gcm_ghash_clmul
1730 .LSEH_info_gcm_gmult_4bit:
1733 .rva .Lgmult_prologue,.Lgmult_epilogue # HandlerData
1734 .LSEH_info_gcm_ghash_4bit:
1737 .rva .Lghash_prologue,.Lghash_epilogue # HandlerData
1738 .LSEH_info_gcm_init_clmul:
1739 .byte 0x01,0x08,0x03,0x00
1740 .byte 0x08,0x68,0x00,0x00 #movaps 0x00(rsp),xmm6
1741 .byte 0x04,0x22,0x00,0x00 #sub rsp,0x18
1742 .LSEH_info_gcm_ghash_clmul:
1743 .byte 0x01,0x33,0x16,0x00
1744 .byte 0x33,0xf8,0x09,0x00 #movaps 0x90(rsp),xmm15
1745 .byte 0x2e,0xe8,0x08,0x00 #movaps 0x80(rsp),xmm14
1746 .byte 0x29,0xd8,0x07,0x00 #movaps 0x70(rsp),xmm13
1747 .byte 0x24,0xc8,0x06,0x00 #movaps 0x60(rsp),xmm12
1748 .byte 0x1f,0xb8,0x05,0x00 #movaps 0x50(rsp),xmm11
1749 .byte 0x1a,0xa8,0x04,0x00 #movaps 0x40(rsp),xmm10
1750 .byte 0x15,0x98,0x03,0x00 #movaps 0x30(rsp),xmm9
1751 .byte 0x10,0x88,0x02,0x00 #movaps 0x20(rsp),xmm8
1752 .byte 0x0c,0x78,0x01,0x00 #movaps 0x10(rsp),xmm7
1753 .byte 0x08,0x68,0x00,0x00 #movaps 0x00(rsp),xmm6
1754 .byte 0x04,0x01,0x15,0x00 #sub rsp,0xa8
1758 $code =~ s/\`([^\`]*)\`/eval($1)/gem;
projects / cassiopeia.git / blob