Home Verkennen Help
Registreren Inloggen
Apq
/
winscp
spiegel van https://github.com/winscp/winscp.git
1
0
Vork 0
Bestanden Issues 0 Wiki
Boom: efa8db8eec
Aftakkingen Labels
winscp
/
libs
/
openssl
/
crypto
/
aes
/
asm
/
aes-s390x.pl

aes-s390x.pl 54 KB
Geschiedenis Ruwe

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287 
  1. #! /usr/bin/env perl
    2. 

  2. # Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3. #
    4. 

  4. # Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5. # this file except in compliance with the License.  You can obtain a copy
    6. 

  6. # in the file LICENSE in the source distribution or at
    7. 

  7. # https://www.openssl.org/source/license.html
    8. 

  8. 

  9. 

  10. # ====================================================================
    11. 

  11. # Written by Andy Polyakov <[email protected]> for the OpenSSL
    12. 

  12. # project. The module is, however, dual licensed under OpenSSL and
    13. 

  13. # CRYPTOGAMS licenses depending on where you obtain it. For further
    14. 

  14. # details see http://www.openssl.org/~appro/cryptogams/.
    15. 

  15. # ====================================================================
    16. 

  16. 

  17. # AES for s390x.
    18. 

  18. 

  19. # April 2007.
    20. 

  20. #
    21. 

  21. # Software performance improvement over gcc-generated code is ~70% and
    22. 

  22. # in absolute terms is ~73 cycles per byte processed with 128-bit key.
    23. 

  23. # You're likely to exclaim "why so slow?" Keep in mind that z-CPUs are
    24. 

  24. # *strictly* in-order execution and issued instruction [in this case
    25. 

  25. # load value from memory is critical] has to complete before execution
    26. 

  26. # flow proceeds. S-boxes are compressed to 2KB[+256B].
    27. 

  27. #
    28. 

  28. # As for hardware acceleration support. It's basically a "teaser," as
    29. 

  29. # it can and should be improved in several ways. Most notably support
    30. 

  30. # for CBC is not utilized, nor multiple blocks are ever processed.
    31. 

  31. # Then software key schedule can be postponed till hardware support
    32. 

  32. # detection... Performance improvement over assembler is reportedly
    33. 

  33. # ~2.5x, but can reach >8x [naturally on larger chunks] if proper
    34. 

  34. # support is implemented.
    35. 

  35. 

  36. # May 2007.
    37. 

  37. #
    38. 

  38. # Implement AES_set_[en|de]crypt_key. Key schedule setup is avoided
    39. 

  39. # for 128-bit keys, if hardware support is detected.
    40. 

  40. 

  41. # January 2009.
    42. 

  42. #
    43. 

  43. # Add support for hardware AES192/256 and reschedule instructions to
    44. 

  44. # minimize/avoid Address Generation Interlock hazard and to favour
    45. 

  45. # dual-issue z10 pipeline. This gave ~25% improvement on z10 and
    46. 

  46. # almost 50% on z9. The gain is smaller on z10, because being dual-
    47. 

  47. # issue z10 makes it impossible to eliminate the interlock condition:
    48. 

  48. # critical path is not long enough. Yet it spends ~24 cycles per byte
    49. 

  49. # processed with 128-bit key.
    50. 

  50. #
    51. 

  51. # Unlike previous version hardware support detection takes place only
    52. 

  52. # at the moment of key schedule setup, which is denoted in key->rounds.
    53. 

  53. # This is done, because deferred key setup can't be made MT-safe, not
    54. 

  54. # for keys longer than 128 bits.
    55. 

  55. #
    56. 

  56. # Add AES_cbc_encrypt, which gives incredible performance improvement,
    57. 

  57. # it was measured to be ~6.6x. It's less than previously mentioned 8x,
    58. 

  58. # because software implementation was optimized.
    59. 

  59. 

  60. # May 2010.
    61. 

  61. #
    62. 

  62. # Add AES_ctr32_encrypt. If hardware-assisted, it provides up to 4.3x
    63. 

  63. # performance improvement over "generic" counter mode routine relying
    64. 

  64. # on single-block, also hardware-assisted, AES_encrypt. "Up to" refers
    65. 

  65. # to the fact that exact throughput value depends on current stack
    66. 

  66. # frame alignment within 4KB page. In worst case you get ~75% of the
    67. 

  67. # maximum, but *on average* it would be as much as ~98%. Meaning that
    68. 

  68. # worst case is unlike, it's like hitting ravine on plateau.
    69. 

  69. 

  70. # November 2010.
    71. 

  71. #
    72. 

  72. # Adapt for -m31 build. If kernel supports what's called "highgprs"
    73. 

  73. # feature on Linux [see /proc/cpuinfo], it's possible to use 64-bit
    74. 

  74. # instructions and achieve "64-bit" performance even in 31-bit legacy
    75. 

  75. # application context. The feature is not specific to any particular
    76. 

  76. # processor, as long as it's "z-CPU". Latter implies that the code
    77. 

  77. # remains z/Architecture specific. On z990 it was measured to perform
    78. 

  78. # 2x better than code generated by gcc 4.3.
    79. 

  79. 

  80. # December 2010.
    81. 

  81. #
    82. 

  82. # Add support for z196 "cipher message with counter" instruction.
    83. 

  83. # Note however that it's disengaged, because it was measured to
    84. 

  84. # perform ~12% worse than vanilla km-based code...
    85. 

  85. 

  86. # February 2011.
    87. 

  87. #
    88. 

  88. # Add AES_xts_[en|de]crypt. This includes support for z196 km-xts-aes
    89. 

  89. # instructions, which deliver ~70% improvement at 8KB block size over
    90. 

  90. # vanilla km-based code, 37% - at most like 512-bytes block size.
    91. 

  91. 

  92. # $output is the last argument if it looks like a file (it has an extension)
    93. 

  93. # $flavour is the first argument if it doesn't look like a file
    94. 

  94. $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
    95. 

  95. $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
    96. 

  96. 

  97. if ($flavour =~ /3[12]/) {
    98. 

  98. 	$SIZE_T=4;
    99. 

  99. 	$g="";
    100. 

  100. } else {
    101. 

  101. 	$SIZE_T=8;
    102. 

  102. 	$g="g";
    103. 

  103. }
    104. 

  104. 

  105. $output and open STDOUT,">$output";
    106. 

  106. 

  107. $softonly=0;	# allow hardware support
    108. 

  108. 

  109. $t0="%r0";	$mask="%r0";
    110. 

  110. $t1="%r1";
    111. 

  111. $t2="%r2";	$inp="%r2";
    112. 

  112. $t3="%r3";	$out="%r3";	$bits="%r3";
    113. 

  113. $key="%r4";
    114. 

  114. $i1="%r5";
    115. 

  115. $i2="%r6";
    116. 

  116. $i3="%r7";
    117. 

  117. $s0="%r8";
    118. 

  118. $s1="%r9";
    119. 

  119. $s2="%r10";
    120. 

  120. $s3="%r11";
    121. 

  121. $tbl="%r12";
    122. 

  122. $rounds="%r13";
    123. 

  123. $ra="%r14";
    124. 

  124. $sp="%r15";
    125. 

  125. 

  126. $stdframe=16*$SIZE_T+4*8;
    127. 

  127. 

  128. sub _data_word()
    129. 

  129. { my $i;
    130. 

  130.     while(defined($i=shift)) { $code.=sprintf".long\t0x%08x,0x%08x\n",$i,$i; }
    131. 

  131. }
    132. 

  132. 

  133. $code=<<___;
    134. 

  134. #include "s390x_arch.h"
    135. 

  135. 

  136. .text
    137. 

  137. 

  138. .type	AES_Te,\@object
    139. 

  139. .align	256
    140. 

  140. AES_Te:
    141. 

  141. ___
    142. 

  142. &_data_word(
    143. 

  143. 	0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d,
    144. 

  144. 	0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554,
    145. 

  145. 	0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d,
    146. 

  146. 	0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a,
    147. 

  147. 	0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87,
    148. 

  148. 	0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b,
    149. 

  149. 	0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea,
    150. 

  150. 	0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b,
    151. 

  151. 	0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a,
    152. 

  152. 	0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f,
    153. 

  153. 	0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108,
    154. 

  154. 	0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f,
    155. 

  155. 	0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e,
    156. 

  156. 	0x30181828, 0x379696a1, 0x0a05050f, 0x2f9a9ab5,
    157. 

  157. 	0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d,
    158. 

  158. 	0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f,
    159. 

  159. 	0x1209091b, 0x1d83839e, 0x582c2c74, 0x341a1a2e,
    160. 

  160. 	0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb,
    161. 

  161. 	0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce,
    162. 

  162. 	0x5229297b, 0xdde3e33e, 0x5e2f2f71, 0x13848497,
    163. 

  163. 	0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c,
    164. 

  164. 	0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed,
    165. 

  165. 	0xd46a6abe, 0x8dcbcb46, 0x67bebed9, 0x7239394b,
    166. 

  166. 	0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a,
    167. 

  167. 	0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16,
    168. 

  168. 	0x864343c5, 0x9a4d4dd7, 0x66333355, 0x11858594,
    169. 

  169. 	0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81,
    170. 

  170. 	0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3,
    171. 

  171. 	0xa25151f3, 0x5da3a3fe, 0x804040c0, 0x058f8f8a,
    172. 

  172. 	0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504,
    173. 

  173. 	0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163,
    174. 

  174. 	0x20101030, 0xe5ffff1a, 0xfdf3f30e, 0xbfd2d26d,
    175. 

  175. 	0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f,
    176. 

  176. 	0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739,
    177. 

  177. 	0x93c4c457, 0x55a7a7f2, 0xfc7e7e82, 0x7a3d3d47,
    178. 

  178. 	0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395,
    179. 

  179. 	0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f,
    180. 

  180. 	0x44222266, 0x542a2a7e, 0x3b9090ab, 0x0b888883,
    181. 

  181. 	0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c,
    182. 

  182. 	0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76,
    183. 

  183. 	0xdbe0e03b, 0x64323256, 0x743a3a4e, 0x140a0a1e,
    184. 

  184. 	0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4,
    185. 

  185. 	0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6,
    186. 

  186. 	0x399191a8, 0x319595a4, 0xd3e4e437, 0xf279798b,
    187. 

  187. 	0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7,
    188. 

  188. 	0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0,
    189. 

  189. 	0xd86c6cb4, 0xac5656fa, 0xf3f4f407, 0xcfeaea25,
    190. 

  190. 	0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818,
    191. 

  191. 	0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72,
    192. 

  192. 	0x381c1c24, 0x57a6a6f1, 0x73b4b4c7, 0x97c6c651,
    193. 

  193. 	0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21,
    194. 

  194. 	0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85,
    195. 

  195. 	0xe0707090, 0x7c3e3e42, 0x71b5b5c4, 0xcc6666aa,
    196. 

  196. 	0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12,
    197. 

  197. 	0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0,
    198. 

  198. 	0x17868691, 0x99c1c158, 0x3a1d1d27, 0x279e9eb9,
    199. 

  199. 	0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133,
    200. 

  200. 	0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7,
    201. 

  201. 	0x2d9b9bb6, 0x3c1e1e22, 0x15878792, 0xc9e9e920,
    202. 

  202. 	0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a,
    203. 

  203. 	0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17,
    204. 

  204. 	0x65bfbfda, 0xd7e6e631, 0x844242c6, 0xd06868b8,
    205. 

  205. 	0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11,
    206. 

  206. 	0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a);
    207. 

  207. $code.=<<___;
    208. 

  208. # Te4[256]
    209. 

  209. .byte	0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5
    210. 

  210. .byte	0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76
    211. 

  211. .byte	0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0
    212. 

  212. .byte	0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0
    213. 

  213. .byte	0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc
    214. 

  214. .byte	0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15
    215. 

  215. .byte	0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a
    216. 

  216. .byte	0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75
    217. 

  217. .byte	0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0
    218. 

  218. .byte	0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84
    219. 

  219. .byte	0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b
    220. 

  220. .byte	0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf
    221. 

  221. .byte	0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85
    222. 

  222. .byte	0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8
    223. 

  223. .byte	0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5
    224. 

  224. .byte	0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2
    225. 

  225. .byte	0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17
    226. 

  226. .byte	0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73
    227. 

  227. .byte	0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88
    228. 

  228. .byte	0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb
    229. 

  229. .byte	0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c
    230. 

  230. .byte	0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79
    231. 

  231. .byte	0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9
    232. 

  232. .byte	0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08
    233. 

  233. .byte	0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6
    234. 

  234. .byte	0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a
    235. 

  235. .byte	0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e
    236. 

  236. .byte	0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e
    237. 

  237. .byte	0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94
    238. 

  238. .byte	0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf
    239. 

  239. .byte	0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68
    240. 

  240. .byte	0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
    241. 

  241. # rcon[]
    242. 

  242. .long	0x01000000, 0x02000000, 0x04000000, 0x08000000
    243. 

  243. .long	0x10000000, 0x20000000, 0x40000000, 0x80000000
    244. 

  244. .long	0x1B000000, 0x36000000, 0, 0, 0, 0, 0, 0
    245. 

  245. .align	256
    246. 

  246. .size	AES_Te,.-AES_Te
    247. 

  247. 

  248. # void AES_encrypt(const unsigned char *inp, unsigned char *out,
    249. 

  249. # 		 const AES_KEY *key) {
    250. 

  250. .globl	AES_encrypt
    251. 

  251. .type	AES_encrypt,\@function
    252. 

  252. AES_encrypt:
    253. 

  253. ___
    254. 

  254. $code.=<<___ if (!$softonly);
    255. 

  255. 	l	%r0,240($key)
    256. 

  256. 	lhi	%r1,16
    257. 

  257. 	clr	%r0,%r1
    258. 

  258. 	jl	.Lesoft
    259. 

  259. 

  260. 	la	%r1,0($key)
    261. 

  261. 	#la	%r2,0($inp)
    262. 

  262. 	la	%r4,0($out)
    263. 

  263. 	lghi	%r3,16		# single block length
    264. 

  264. 	.long	0xb92e0042	# km %r4,%r2
    265. 

  265. 	brc	1,.-4		# can this happen?
    266. 

  266. 	br	%r14
    267. 

  267. .align	64
    268. 

  268. .Lesoft:
    269. 

  269. ___
    270. 

  270. $code.=<<___;
    271. 

  271. 	stm${g}	%r3,$ra,3*$SIZE_T($sp)
    272. 

  272. 

  273. 	llgf	$s0,0($inp)
    274. 

  274. 	llgf	$s1,4($inp)
    275. 

  275. 	llgf	$s2,8($inp)
    276. 

  276. 	llgf	$s3,12($inp)
    277. 

  277. 

  278. 	larl	$tbl,AES_Te
    279. 

  279. 	bras	$ra,_s390x_AES_encrypt
    280. 

  280. 

  281. 	l${g}	$out,3*$SIZE_T($sp)
    282. 

  282. 	st	$s0,0($out)
    283. 

  283. 	st	$s1,4($out)
    284. 

  284. 	st	$s2,8($out)
    285. 

  285. 	st	$s3,12($out)
    286. 

  286. 

  287. 	lm${g}	%r6,$ra,6*$SIZE_T($sp)
    288. 

  288. 	br	$ra
    289. 

  289. .size	AES_encrypt,.-AES_encrypt
    290. 

  290. 

  291. .type   _s390x_AES_encrypt,\@function
    292. 

  292. .align	16
    293. 

  293. _s390x_AES_encrypt:
    294. 

  294. 	st${g}	$ra,15*$SIZE_T($sp)
    295. 

  295. 	x	$s0,0($key)
    296. 

  296. 	x	$s1,4($key)
    297. 

  297. 	x	$s2,8($key)
    298. 

  298. 	x	$s3,12($key)
    299. 

  299. 	l	$rounds,240($key)
    300. 

  300. 	llill	$mask,`0xff<<3`
    301. 

  301. 	aghi	$rounds,-1
    302. 

  302. 	j	.Lenc_loop
    303. 

  303. .align	16
    304. 

  304. .Lenc_loop:
    305. 

  305. 	sllg	$t1,$s0,`0+3`
    306. 

  306. 	srlg	$t2,$s0,`8-3`
    307. 

  307. 	srlg	$t3,$s0,`16-3`
    308. 

  308. 	srl	$s0,`24-3`
    309. 

  309. 	nr	$s0,$mask
    310. 

  310. 	ngr	$t1,$mask
    311. 

  311. 	nr	$t2,$mask
    312. 

  312. 	nr	$t3,$mask
    313. 

  313. 

  314. 	srlg	$i1,$s1,`16-3`	# i0
    315. 

  315. 	sllg	$i2,$s1,`0+3`
    316. 

  316. 	srlg	$i3,$s1,`8-3`
    317. 

  317. 	srl	$s1,`24-3`
    318. 

  318. 	nr	$i1,$mask
    319. 

  319. 	nr	$s1,$mask
    320. 

  320. 	ngr	$i2,$mask
    321. 

  321. 	nr	$i3,$mask
    322. 

  322. 

  323. 	l	$s0,0($s0,$tbl)	# Te0[s0>>24]
    324. 

  324. 	l	$t1,1($t1,$tbl)	# Te3[s0>>0]
    325. 

  325. 	l	$t2,2($t2,$tbl) # Te2[s0>>8]
    326. 

  326. 	l	$t3,3($t3,$tbl)	# Te1[s0>>16]
    327. 

  327. 

  328. 	x	$s0,3($i1,$tbl)	# Te1[s1>>16]
    329. 

  329. 	l	$s1,0($s1,$tbl)	# Te0[s1>>24]
    330. 

  330. 	x	$t2,1($i2,$tbl)	# Te3[s1>>0]
    331. 

  331. 	x	$t3,2($i3,$tbl)	# Te2[s1>>8]
    332. 

  332. 

  333. 	srlg	$i1,$s2,`8-3`	# i0
    334. 

  334. 	srlg	$i2,$s2,`16-3`	# i1
    335. 

  335. 	nr	$i1,$mask
    336. 

  336. 	nr	$i2,$mask
    337. 

  337. 	sllg	$i3,$s2,`0+3`
    338. 

  338. 	srl	$s2,`24-3`
    339. 

  339. 	nr	$s2,$mask
    340. 

  340. 	ngr	$i3,$mask
    341. 

  341. 

  342. 	xr	$s1,$t1
    343. 

  343. 	srlg	$ra,$s3,`8-3`	# i1
    344. 

  344. 	sllg	$t1,$s3,`0+3`	# i0
    345. 

  345. 	nr	$ra,$mask
    346. 

  346. 	la	$key,16($key)
    347. 

  347. 	ngr	$t1,$mask
    348. 

  348. 

  349. 	x	$s0,2($i1,$tbl)	# Te2[s2>>8]
    350. 

  350. 	x	$s1,3($i2,$tbl)	# Te1[s2>>16]
    351. 

  351. 	l	$s2,0($s2,$tbl)	# Te0[s2>>24]
    352. 

  352. 	x	$t3,1($i3,$tbl)	# Te3[s2>>0]
    353. 

  353. 

  354. 	srlg	$i3,$s3,`16-3`	# i2
    355. 

  355. 	xr	$s2,$t2
    356. 

  356. 	srl	$s3,`24-3`
    357. 

  357. 	nr	$i3,$mask
    358. 

  358. 	nr	$s3,$mask
    359. 

  359. 

  360. 	x	$s0,0($key)
    361. 

  361. 	x	$s1,4($key)
    362. 

  362. 	x	$s2,8($key)
    363. 

  363. 	x	$t3,12($key)
    364. 

  364. 

  365. 	x	$s0,1($t1,$tbl)	# Te3[s3>>0]
    366. 

  366. 	x	$s1,2($ra,$tbl)	# Te2[s3>>8]
    367. 

  367. 	x	$s2,3($i3,$tbl)	# Te1[s3>>16]
    368. 

  368. 	l	$s3,0($s3,$tbl)	# Te0[s3>>24]
    369. 

  369. 	xr	$s3,$t3
    370. 

  370. 

  371. 	brct	$rounds,.Lenc_loop
    372. 

  372. 	.align	16
    373. 

  373. 

  374. 	sllg	$t1,$s0,`0+3`
    375. 

  375. 	srlg	$t2,$s0,`8-3`
    376. 

  376. 	ngr	$t1,$mask
    377. 

  377. 	srlg	$t3,$s0,`16-3`
    378. 

  378. 	srl	$s0,`24-3`
    379. 

  379. 	nr	$s0,$mask
    380. 

  380. 	nr	$t2,$mask
    381. 

  381. 	nr	$t3,$mask
    382. 

  382. 

  383. 	srlg	$i1,$s1,`16-3`	# i0
    384. 

  384. 	sllg	$i2,$s1,`0+3`
    385. 

  385. 	ngr	$i2,$mask
    386. 

  386. 	srlg	$i3,$s1,`8-3`
    387. 

  387. 	srl	$s1,`24-3`
    388. 

  388. 	nr	$i1,$mask
    389. 

  389. 	nr	$s1,$mask
    390. 

  390. 	nr	$i3,$mask
    391. 

  391. 

  392. 	llgc	$s0,2($s0,$tbl)	# Te4[s0>>24]
    393. 

  393. 	llgc	$t1,2($t1,$tbl)	# Te4[s0>>0]
    394. 

  394. 	sll	$s0,24
    395. 

  395. 	llgc	$t2,2($t2,$tbl)	# Te4[s0>>8]
    396. 

  396. 	llgc	$t3,2($t3,$tbl)	# Te4[s0>>16]
    397. 

  397. 	sll	$t2,8
    398. 

  398. 	sll	$t3,16
    399. 

  399. 

  400. 	llgc	$i1,2($i1,$tbl)	# Te4[s1>>16]
    401. 

  401. 	llgc	$s1,2($s1,$tbl)	# Te4[s1>>24]
    402. 

  402. 	llgc	$i2,2($i2,$tbl)	# Te4[s1>>0]
    403. 

  403. 	llgc	$i3,2($i3,$tbl)	# Te4[s1>>8]
    404. 

  404. 	sll	$i1,16
    405. 

  405. 	sll	$s1,24
    406. 

  406. 	sll	$i3,8
    407. 

  407. 	or	$s0,$i1
    408. 

  408. 	or	$s1,$t1
    409. 

  409. 	or	$t2,$i2
    410. 

  410. 	or	$t3,$i3
    411. 

  411. 

  412. 	srlg	$i1,$s2,`8-3`	# i0
    413. 

  413. 	srlg	$i2,$s2,`16-3`	# i1
    414. 

  414. 	nr	$i1,$mask
    415. 

  415. 	nr	$i2,$mask
    416. 

  416. 	sllg	$i3,$s2,`0+3`
    417. 

  417. 	srl	$s2,`24-3`
    418. 

  418. 	ngr	$i3,$mask
    419. 

  419. 	nr	$s2,$mask
    420. 

  420. 

  421. 	sllg	$t1,$s3,`0+3`	# i0
    422. 

  422. 	srlg	$ra,$s3,`8-3`	# i1
    423. 

  423. 	ngr	$t1,$mask
    424. 

  424. 

  425. 	llgc	$i1,2($i1,$tbl)	# Te4[s2>>8]
    426. 

  426. 	llgc	$i2,2($i2,$tbl)	# Te4[s2>>16]
    427. 

  427. 	sll	$i1,8
    428. 

  428. 	llgc	$s2,2($s2,$tbl)	# Te4[s2>>24]
    429. 

  429. 	llgc	$i3,2($i3,$tbl)	# Te4[s2>>0]
    430. 

  430. 	sll	$i2,16
    431. 

  431. 	nr	$ra,$mask
    432. 

  432. 	sll	$s2,24
    433. 

  433. 	or	$s0,$i1
    434. 

  434. 	or	$s1,$i2
    435. 

  435. 	or	$s2,$t2
    436. 

  436. 	or	$t3,$i3
    437. 

  437. 

  438. 	srlg	$i3,$s3,`16-3`	# i2
    439. 

  439. 	srl	$s3,`24-3`
    440. 

  440. 	nr	$i3,$mask
    441. 

  441. 	nr	$s3,$mask
    442. 

  442. 

  443. 	l	$t0,16($key)
    444. 

  444. 	l	$t2,20($key)
    445. 

  445. 

  446. 	llgc	$i1,2($t1,$tbl)	# Te4[s3>>0]
    447. 

  447. 	llgc	$i2,2($ra,$tbl)	# Te4[s3>>8]
    448. 

  448. 	llgc	$i3,2($i3,$tbl)	# Te4[s3>>16]
    449. 

  449. 	llgc	$s3,2($s3,$tbl)	# Te4[s3>>24]
    450. 

  450. 	sll	$i2,8
    451. 

  451. 	sll	$i3,16
    452. 

  452. 	sll	$s3,24
    453. 

  453. 	or	$s0,$i1
    454. 

  454. 	or	$s1,$i2
    455. 

  455. 	or	$s2,$i3
    456. 

  456. 	or	$s3,$t3
    457. 

  457. 

  458. 	l${g}	$ra,15*$SIZE_T($sp)
    459. 

  459. 	xr	$s0,$t0
    460. 

  460. 	xr	$s1,$t2
    461. 

  461. 	x	$s2,24($key)
    462. 

  462. 	x	$s3,28($key)
    463. 

  463. 

  464. 	br	$ra
    465. 

  465. .size	_s390x_AES_encrypt,.-_s390x_AES_encrypt
    466. 

  466. ___
    467. 

  467. 

  468. $code.=<<___;
    469. 

  469. .type	AES_Td,\@object
    470. 

  470. .align	256
    471. 

  471. AES_Td:
    472. 

  472. ___
    473. 

  473. &_data_word(
    474. 

  474. 	0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96,
    475. 

  475. 	0x3bab6bcb, 0x1f9d45f1, 0xacfa58ab, 0x4be30393,
    476. 

  476. 	0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25,
    477. 

  477. 	0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f,
    478. 

  478. 	0xdeb15a49, 0x25ba1b67, 0x45ea0e98, 0x5dfec0e1,
    479. 

  479. 	0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6,
    480. 

  480. 	0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da,
    481. 

  481. 	0xd4be832d, 0x587421d3, 0x49e06929, 0x8ec9c844,
    482. 

  482. 	0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd,
    483. 

  483. 	0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4,
    484. 

  484. 	0x63df4a18, 0xe51a3182, 0x97513360, 0x62537f45,
    485. 

  485. 	0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94,
    486. 

  486. 	0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7,
    487. 

  487. 	0xab73d323, 0x724b02e2, 0xe31f8f57, 0x6655ab2a,
    488. 

  488. 	0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5,
    489. 

  489. 	0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c,
    490. 

  490. 	0x8acf1c2b, 0xa779b492, 0xf307f2f0, 0x4e69e2a1,
    491. 

  491. 	0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a,
    492. 

  492. 	0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75,
    493. 

  493. 	0x0b83ec39, 0x4060efaa, 0x5e719f06, 0xbd6e1051,
    494. 

  494. 	0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46,
    495. 

  495. 	0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff,
    496. 

  496. 	0x1998fb24, 0xd6bde997, 0x894043cc, 0x67d99e77,
    497. 

  497. 	0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb,
    498. 

  498. 	0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000,
    499. 

  499. 	0x09808683, 0x322bed48, 0x1e1170ac, 0x6c5a724e,
    500. 

  500. 	0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927,
    501. 

  501. 	0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a,
    502. 

  502. 	0x0c0a67b1, 0x9357e70f, 0xb4ee96d2, 0x1b9b919e,
    503. 

  503. 	0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16,
    504. 

  504. 	0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d,
    505. 

  505. 	0x0e090d0b, 0xf28bc7ad, 0x2db6a8b9, 0x141ea9c8,
    506. 

  506. 	0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd,
    507. 

  507. 	0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34,
    508. 

  508. 	0x8b432976, 0xcb23c6dc, 0xb6edfc68, 0xb8e4f163,
    509. 

  509. 	0xd731dcca, 0x42638510, 0x13972240, 0x84c61120,
    510. 

  510. 	0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d,
    511. 

  511. 	0x1d9e2f4b, 0xdcb230f3, 0x0d8652ec, 0x77c1e3d0,
    512. 

  512. 	0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422,
    513. 

  513. 	0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef,
    514. 

  514. 	0x87494ec7, 0xd938d1c1, 0x8ccaa2fe, 0x98d40b36,
    515. 

  515. 	0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4,
    516. 

  516. 	0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662,
    517. 

  517. 	0xf68d13c2, 0x90d8b8e8, 0x2e39f75e, 0x82c3aff5,
    518. 

  518. 	0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3,
    519. 

  519. 	0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b,
    520. 

  520. 	0xcd267809, 0x6e5918f4, 0xec9ab701, 0x834f9aa8,
    521. 

  521. 	0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6,
    522. 

  522. 	0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6,
    523. 

  523. 	0x31a4b2af, 0x2a3f2331, 0xc6a59430, 0x35a266c0,
    524. 

  524. 	0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815,
    525. 

  525. 	0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f,
    526. 

  526. 	0x764dd68d, 0x43efb04d, 0xccaa4d54, 0xe49604df,
    527. 

  527. 	0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f,
    528. 

  528. 	0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e,
    529. 

  529. 	0xb3671d5a, 0x92dbd252, 0xe9105633, 0x6dd64713,
    530. 

  530. 	0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89,
    531. 

  531. 	0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c,
    532. 

  532. 	0x9cd2df59, 0x55f2733f, 0x1814ce79, 0x73c737bf,
    533. 

  533. 	0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86,
    534. 

  534. 	0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f,
    535. 

  535. 	0x161dc372, 0xbce2250c, 0x283c498b, 0xff0d9541,
    536. 

  536. 	0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190,
    537. 

  537. 	0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742);
    538. 

  538. $code.=<<___;
    539. 

  539. # Td4[256]
    540. 

  540. .byte	0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38
    541. 

  541. .byte	0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb
    542. 

  542. .byte	0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87
    543. 

  543. .byte	0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb
    544. 

  544. .byte	0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d
    545. 

  545. .byte	0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e
    546. 

  546. .byte	0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2
    547. 

  547. .byte	0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25
    548. 

  548. .byte	0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16
    549. 

  549. .byte	0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92
    550. 

  550. .byte	0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda
    551. 

  551. .byte	0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84
    552. 

  552. .byte	0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a
    553. 

  553. .byte	0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06
    554. 

  554. .byte	0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02
    555. 

  555. .byte	0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b
    556. 

  556. .byte	0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea
    557. 

  557. .byte	0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73
    558. 

  558. .byte	0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85
    559. 

  559. .byte	0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e
    560. 

  560. .byte	0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89
    561. 

  561. .byte	0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b
    562. 

  562. .byte	0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20
    563. 

  563. .byte	0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4
    564. 

  564. .byte	0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31
    565. 

  565. .byte	0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f
    566. 

  566. .byte	0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d
    567. 

  567. .byte	0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef
    568. 

  568. .byte	0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0
    569. 

  569. .byte	0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61
    570. 

  570. .byte	0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26
    571. 

  571. .byte	0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
    572. 

  572. .size	AES_Td,.-AES_Td
    573. 

  573. 

  574. # void AES_decrypt(const unsigned char *inp, unsigned char *out,
    575. 

  575. # 		 const AES_KEY *key) {
    576. 

  576. .globl	AES_decrypt
    577. 

  577. .type	AES_decrypt,\@function
    578. 

  578. AES_decrypt:
    579. 

  579. ___
    580. 

  580. $code.=<<___ if (!$softonly);
    581. 

  581. 	l	%r0,240($key)
    582. 

  582. 	lhi	%r1,16
    583. 

  583. 	clr	%r0,%r1
    584. 

  584. 	jl	.Ldsoft
    585. 

  585. 

  586. 	la	%r1,0($key)
    587. 

  587. 	#la	%r2,0($inp)
    588. 

  588. 	la	%r4,0($out)
    589. 

  589. 	lghi	%r3,16		# single block length
    590. 

  590. 	.long	0xb92e0042	# km %r4,%r2
    591. 

  591. 	brc	1,.-4		# can this happen?
    592. 

  592. 	br	%r14
    593. 

  593. .align	64
    594. 

  594. .Ldsoft:
    595. 

  595. ___
    596. 

  596. $code.=<<___;
    597. 

  597. 	stm${g}	%r3,$ra,3*$SIZE_T($sp)
    598. 

  598. 

  599. 	llgf	$s0,0($inp)
    600. 

  600. 	llgf	$s1,4($inp)
    601. 

  601. 	llgf	$s2,8($inp)
    602. 

  602. 	llgf	$s3,12($inp)
    603. 

  603. 

  604. 	larl	$tbl,AES_Td
    605. 

  605. 	bras	$ra,_s390x_AES_decrypt
    606. 

  606. 

  607. 	l${g}	$out,3*$SIZE_T($sp)
    608. 

  608. 	st	$s0,0($out)
    609. 

  609. 	st	$s1,4($out)
    610. 

  610. 	st	$s2,8($out)
    611. 

  611. 	st	$s3,12($out)
    612. 

  612. 

  613. 	lm${g}	%r6,$ra,6*$SIZE_T($sp)
    614. 

  614. 	br	$ra
    615. 

  615. .size	AES_decrypt,.-AES_decrypt
    616. 

  616. 

  617. .type   _s390x_AES_decrypt,\@function
    618. 

  618. .align	16
    619. 

  619. _s390x_AES_decrypt:
    620. 

  620. 	st${g}	$ra,15*$SIZE_T($sp)
    621. 

  621. 	x	$s0,0($key)
    622. 

  622. 	x	$s1,4($key)
    623. 

  623. 	x	$s2,8($key)
    624. 

  624. 	x	$s3,12($key)
    625. 

  625. 	l	$rounds,240($key)
    626. 

  626. 	llill	$mask,`0xff<<3`
    627. 

  627. 	aghi	$rounds,-1
    628. 

  628. 	j	.Ldec_loop
    629. 

  629. .align	16
    630. 

  630. .Ldec_loop:
    631. 

  631. 	srlg	$t1,$s0,`16-3`
    632. 

  632. 	srlg	$t2,$s0,`8-3`
    633. 

  633. 	sllg	$t3,$s0,`0+3`
    634. 

  634. 	srl	$s0,`24-3`
    635. 

  635. 	nr	$s0,$mask
    636. 

  636. 	nr	$t1,$mask
    637. 

  637. 	nr	$t2,$mask
    638. 

  638. 	ngr	$t3,$mask
    639. 

  639. 

  640. 	sllg	$i1,$s1,`0+3`	# i0
    641. 

  641. 	srlg	$i2,$s1,`16-3`
    642. 

  642. 	srlg	$i3,$s1,`8-3`
    643. 

  643. 	srl	$s1,`24-3`
    644. 

  644. 	ngr	$i1,$mask
    645. 

  645. 	nr	$s1,$mask
    646. 

  646. 	nr	$i2,$mask
    647. 

  647. 	nr	$i3,$mask
    648. 

  648. 

  649. 	l	$s0,0($s0,$tbl)	# Td0[s0>>24]
    650. 

  650. 	l	$t1,3($t1,$tbl)	# Td1[s0>>16]
    651. 

  651. 	l	$t2,2($t2,$tbl)	# Td2[s0>>8]
    652. 

  652. 	l	$t3,1($t3,$tbl)	# Td3[s0>>0]
    653. 

  653. 

  654. 	x	$s0,1($i1,$tbl)	# Td3[s1>>0]
    655. 

  655. 	l	$s1,0($s1,$tbl)	# Td0[s1>>24]
    656. 

  656. 	x	$t2,3($i2,$tbl)	# Td1[s1>>16]
    657. 

  657. 	x	$t3,2($i3,$tbl)	# Td2[s1>>8]
    658. 

  658. 

  659. 	srlg	$i1,$s2,`8-3`	# i0
    660. 

  660. 	sllg	$i2,$s2,`0+3`	# i1
    661. 

  661. 	srlg	$i3,$s2,`16-3`
    662. 

  662. 	srl	$s2,`24-3`
    663. 

  663. 	nr	$i1,$mask
    664. 

  664. 	ngr	$i2,$mask
    665. 

  665. 	nr	$s2,$mask
    666. 

  666. 	nr	$i3,$mask
    667. 

  667. 

  668. 	xr	$s1,$t1
    669. 

  669. 	srlg	$ra,$s3,`8-3`	# i1
    670. 

  670. 	srlg	$t1,$s3,`16-3`	# i0
    671. 

  671. 	nr	$ra,$mask
    672. 

  672. 	la	$key,16($key)
    673. 

  673. 	nr	$t1,$mask
    674. 

  674. 

  675. 	x	$s0,2($i1,$tbl)	# Td2[s2>>8]
    676. 

  676. 	x	$s1,1($i2,$tbl)	# Td3[s2>>0]
    677. 

  677. 	l	$s2,0($s2,$tbl)	# Td0[s2>>24]
    678. 

  678. 	x	$t3,3($i3,$tbl)	# Td1[s2>>16]
    679. 

  679. 

  680. 	sllg	$i3,$s3,`0+3`	# i2
    681. 

  681. 	srl	$s3,`24-3`
    682. 

  682. 	ngr	$i3,$mask
    683. 

  683. 	nr	$s3,$mask
    684. 

  684. 

  685. 	xr	$s2,$t2
    686. 

  686. 	x	$s0,0($key)
    687. 

  687. 	x	$s1,4($key)
    688. 

  688. 	x	$s2,8($key)
    689. 

  689. 	x	$t3,12($key)
    690. 

  690. 

  691. 	x	$s0,3($t1,$tbl)	# Td1[s3>>16]
    692. 

  692. 	x	$s1,2($ra,$tbl)	# Td2[s3>>8]
    693. 

  693. 	x	$s2,1($i3,$tbl)	# Td3[s3>>0]
    694. 

  694. 	l	$s3,0($s3,$tbl)	# Td0[s3>>24]
    695. 

  695. 	xr	$s3,$t3
    696. 

  696. 

  697. 	brct	$rounds,.Ldec_loop
    698. 

  698. 	.align	16
    699. 

  699. 

  700. 	l	$t1,`2048+0`($tbl)	# prefetch Td4
    701. 

  701. 	l	$t2,`2048+64`($tbl)
    702. 

  702. 	l	$t3,`2048+128`($tbl)
    703. 

  703. 	l	$i1,`2048+192`($tbl)
    704. 

  704. 	llill	$mask,0xff
    705. 

  705. 

  706. 	srlg	$i3,$s0,24	# i0
    707. 

  707. 	srlg	$t1,$s0,16
    708. 

  708. 	srlg	$t2,$s0,8
    709. 

  709. 	nr	$s0,$mask	# i3
    710. 

  710. 	nr	$t1,$mask
    711. 

  711. 

  712. 	srlg	$i1,$s1,24
    713. 

  713. 	nr	$t2,$mask
    714. 

  714. 	srlg	$i2,$s1,16
    715. 

  715. 	srlg	$ra,$s1,8
    716. 

  716. 	nr	$s1,$mask	# i0
    717. 

  717. 	nr	$i2,$mask
    718. 

  718. 	nr	$ra,$mask
    719. 

  719. 

  720. 	llgc	$i3,2048($i3,$tbl)	# Td4[s0>>24]
    721. 

  721. 	llgc	$t1,2048($t1,$tbl)	# Td4[s0>>16]
    722. 

  722. 	llgc	$t2,2048($t2,$tbl)	# Td4[s0>>8]
    723. 

  723. 	sll	$t1,16
    724. 

  724. 	llgc	$t3,2048($s0,$tbl)	# Td4[s0>>0]
    725. 

  725. 	sllg	$s0,$i3,24
    726. 

  726. 	sll	$t2,8
    727. 

  727. 

  728. 	llgc	$s1,2048($s1,$tbl)	# Td4[s1>>0]
    729. 

  729. 	llgc	$i1,2048($i1,$tbl)	# Td4[s1>>24]
    730. 

  730. 	llgc	$i2,2048($i2,$tbl)	# Td4[s1>>16]
    731. 

  731. 	sll	$i1,24
    732. 

  732. 	llgc	$i3,2048($ra,$tbl)	# Td4[s1>>8]
    733. 

  733. 	sll	$i2,16
    734. 

  734. 	sll	$i3,8
    735. 

  735. 	or	$s0,$s1
    736. 

  736. 	or	$t1,$i1
    737. 

  737. 	or	$t2,$i2
    738. 

  738. 	or	$t3,$i3
    739. 

  739. 

  740. 	srlg	$i1,$s2,8	# i0
    741. 

  741. 	srlg	$i2,$s2,24
    742. 

  742. 	srlg	$i3,$s2,16
    743. 

  743. 	nr	$s2,$mask	# i1
    744. 

  744. 	nr	$i1,$mask
    745. 

  745. 	nr	$i3,$mask
    746. 

  746. 	llgc	$i1,2048($i1,$tbl)	# Td4[s2>>8]
    747. 

  747. 	llgc	$s1,2048($s2,$tbl)	# Td4[s2>>0]
    748. 

  748. 	llgc	$i2,2048($i2,$tbl)	# Td4[s2>>24]
    749. 

  749. 	llgc	$i3,2048($i3,$tbl)	# Td4[s2>>16]
    750. 

  750. 	sll	$i1,8
    751. 

  751. 	sll	$i2,24
    752. 

  752. 	or	$s0,$i1
    753. 

  753. 	sll	$i3,16
    754. 

  754. 	or	$t2,$i2
    755. 

  755. 	or	$t3,$i3
    756. 

  756. 

  757. 	srlg	$i1,$s3,16	# i0
    758. 

  758. 	srlg	$i2,$s3,8	# i1
    759. 

  759. 	srlg	$i3,$s3,24
    760. 

  760. 	nr	$s3,$mask	# i2
    761. 

  761. 	nr	$i1,$mask
    762. 

  762. 	nr	$i2,$mask
    763. 

  763. 

  764. 	l${g}	$ra,15*$SIZE_T($sp)
    765. 

  765. 	or	$s1,$t1
    766. 

  766. 	l	$t0,16($key)
    767. 

  767. 	l	$t1,20($key)
    768. 

  768. 

  769. 	llgc	$i1,2048($i1,$tbl)	# Td4[s3>>16]
    770. 

  770. 	llgc	$i2,2048($i2,$tbl)	# Td4[s3>>8]
    771. 

  771. 	sll	$i1,16
    772. 

  772. 	llgc	$s2,2048($s3,$tbl)	# Td4[s3>>0]
    773. 

  773. 	llgc	$s3,2048($i3,$tbl)	# Td4[s3>>24]
    774. 

  774. 	sll	$i2,8
    775. 

  775. 	sll	$s3,24
    776. 

  776. 	or	$s0,$i1
    777. 

  777. 	or	$s1,$i2
    778. 

  778. 	or	$s2,$t2
    779. 

  779. 	or	$s3,$t3
    780. 

  780. 

  781. 	xr	$s0,$t0
    782. 

  782. 	xr	$s1,$t1
    783. 

  783. 	x	$s2,24($key)
    784. 

  784. 	x	$s3,28($key)
    785. 

  785. 

  786. 	br	$ra
    787. 

  787. .size	_s390x_AES_decrypt,.-_s390x_AES_decrypt
    788. 

  788. ___
    789. 

  789. 

  790. $code.=<<___;
    791. 

  791. # void AES_set_encrypt_key(const unsigned char *in, int bits,
    792. 

  792. # 		 AES_KEY *key) {
    793. 

  793. .globl	AES_set_encrypt_key
    794. 

  794. .type	AES_set_encrypt_key,\@function
    795. 

  795. .align	16
    796. 

  796. AES_set_encrypt_key:
    797. 

  797. _s390x_AES_set_encrypt_key:
    798. 

  798. 	lghi	$t0,0
    799. 

  799. 	cl${g}r	$inp,$t0
    800. 

  800. 	je	.Lminus1
    801. 

  801. 	cl${g}r	$key,$t0
    802. 

  802. 	je	.Lminus1
    803. 

  803. 

  804. 	lghi	$t0,128
    805. 

  805. 	clr	$bits,$t0
    806. 

  806. 	je	.Lproceed
    807. 

  807. 	lghi	$t0,192
    808. 

  808. 	clr	$bits,$t0
    809. 

  809. 	je	.Lproceed
    810. 

  810. 	lghi	$t0,256
    811. 

  811. 	clr	$bits,$t0
    812. 

  812. 	je	.Lproceed
    813. 

  813. 	lghi	%r2,-2
    814. 

  814. 	br	%r14
    815. 

  815. 

  816. .align	16
    817. 

  817. .Lproceed:
    818. 

  818. ___
    819. 

  819. $code.=<<___ if (!$softonly);
    820. 

  820. 	# convert bits to km(c) code, [128,192,256]->[18,19,20]
    821. 

  821. 	lhi	%r5,-128
    822. 

  822. 	lhi	%r0,18
    823. 

  823. 	ar	%r5,$bits
    824. 

  824. 	srl	%r5,6
    825. 

  825. 	ar	%r5,%r0
    826. 

  826. 

  827. 	larl	%r1,OPENSSL_s390xcap_P
    828. 

  828. 	llihh	%r0,0x8000
    829. 

  829. 	srlg	%r0,%r0,0(%r5)
    830. 

  830. 	ng	%r0,S390X_KM(%r1)  # check availability of both km...
    831. 

  831. 	ng	%r0,S390X_KMC(%r1) # ...and kmc support for given key length
    832. 

  832. 	jz	.Lekey_internal
    833. 

  833. 

  834. 	lmg	%r0,%r1,0($inp)	# just copy 128 bits...
    835. 

  835. 	stmg	%r0,%r1,0($key)
    836. 

  836. 	lhi	%r0,192
    837. 

  837. 	cr	$bits,%r0
    838. 

  838. 	jl	1f
    839. 

  839. 	lg	%r1,16($inp)
    840. 

  840. 	stg	%r1,16($key)
    841. 

  841. 	je	1f
    842. 

  842. 	lg	%r1,24($inp)
    843. 

  843. 	stg	%r1,24($key)
    844. 

  844. 1:	st	$bits,236($key)	# save bits [for debugging purposes]
    845. 

  845. 	lgr	$t0,%r5
    846. 

  846. 	st	%r5,240($key)	# save km(c) code
    847. 

  847. 	lghi	%r2,0
    848. 

  848. 	br	%r14
    849. 

  849. ___
    850. 

  850. $code.=<<___;
    851. 

  851. .align	16
    852. 

  852. .Lekey_internal:
    853. 

  853. 	stm${g}	%r4,%r13,4*$SIZE_T($sp)	# all non-volatile regs and $key
    854. 

  854. 

  855. 	larl	$tbl,AES_Te+2048
    856. 

  856. 

  857. 	llgf	$s0,0($inp)
    858. 

  858. 	llgf	$s1,4($inp)
    859. 

  859. 	llgf	$s2,8($inp)
    860. 

  860. 	llgf	$s3,12($inp)
    861. 

  861. 	st	$s0,0($key)
    862. 

  862. 	st	$s1,4($key)
    863. 

  863. 	st	$s2,8($key)
    864. 

  864. 	st	$s3,12($key)
    865. 

  865. 	lghi	$t0,128
    866. 

  866. 	cr	$bits,$t0
    867. 

  867. 	jne	.Lnot128
    868. 

  868. 

  869. 	llill	$mask,0xff
    870. 

  870. 	lghi	$t3,0			# i=0
    871. 

  871. 	lghi	$rounds,10
    872. 

  872. 	st	$rounds,240($key)
    873. 

  873. 

  874. 	llgfr	$t2,$s3			# temp=rk[3]
    875. 

  875. 	srlg	$i1,$s3,8
    876. 

  876. 	srlg	$i2,$s3,16
    877. 

  877. 	srlg	$i3,$s3,24
    878. 

  878. 	nr	$t2,$mask
    879. 

  879. 	nr	$i1,$mask
    880. 

  880. 	nr	$i2,$mask
    881. 

  881. 

  882. .align	16
    883. 

  883. .L128_loop:
    884. 

  884. 	la	$t2,0($t2,$tbl)
    885. 

  885. 	la	$i1,0($i1,$tbl)
    886. 

  886. 	la	$i2,0($i2,$tbl)
    887. 

  887. 	la	$i3,0($i3,$tbl)
    888. 

  888. 	icm	$t2,2,0($t2)		# Te4[rk[3]>>0]<<8
    889. 

  889. 	icm	$t2,4,0($i1)		# Te4[rk[3]>>8]<<16
    890. 

  890. 	icm	$t2,8,0($i2)		# Te4[rk[3]>>16]<<24
    891. 

  891. 	icm	$t2,1,0($i3)		# Te4[rk[3]>>24]
    892. 

  892. 	x	$t2,256($t3,$tbl)	# rcon[i]
    893. 

  893. 	xr	$s0,$t2			# rk[4]=rk[0]^...
    894. 

  894. 	xr	$s1,$s0			# rk[5]=rk[1]^rk[4]
    895. 

  895. 	xr	$s2,$s1			# rk[6]=rk[2]^rk[5]
    896. 

  896. 	xr	$s3,$s2			# rk[7]=rk[3]^rk[6]
    897. 

  897. 

  898. 	llgfr	$t2,$s3			# temp=rk[3]
    899. 

  899. 	srlg	$i1,$s3,8
    900. 

  900. 	srlg	$i2,$s3,16
    901. 

  901. 	nr	$t2,$mask
    902. 

  902. 	nr	$i1,$mask
    903. 

  903. 	srlg	$i3,$s3,24
    904. 

  904. 	nr	$i2,$mask
    905. 

  905. 

  906. 	st	$s0,16($key)
    907. 

  907. 	st	$s1,20($key)
    908. 

  908. 	st	$s2,24($key)
    909. 

  909. 	st	$s3,28($key)
    910. 

  910. 	la	$key,16($key)		# key+=4
    911. 

  911. 	la	$t3,4($t3)		# i++
    912. 

  912. 	brct	$rounds,.L128_loop
    913. 

  913. 	lghi	$t0,10
    914. 

  914. 	lghi	%r2,0
    915. 

  915. 	lm${g}	%r4,%r13,4*$SIZE_T($sp)
    916. 

  916. 	br	$ra
    917. 

  917. 

  918. .align	16
    919. 

  919. .Lnot128:
    920. 

  920. 	llgf	$t0,16($inp)
    921. 

  921. 	llgf	$t1,20($inp)
    922. 

  922. 	st	$t0,16($key)
    923. 

  923. 	st	$t1,20($key)
    924. 

  924. 	lghi	$t0,192
    925. 

  925. 	cr	$bits,$t0
    926. 

  926. 	jne	.Lnot192
    927. 

  927. 

  928. 	llill	$mask,0xff
    929. 

  929. 	lghi	$t3,0			# i=0
    930. 

  930. 	lghi	$rounds,12
    931. 

  931. 	st	$rounds,240($key)
    932. 

  932. 	lghi	$rounds,8
    933. 

  933. 

  934. 	srlg	$i1,$t1,8
    935. 

  935. 	srlg	$i2,$t1,16
    936. 

  936. 	srlg	$i3,$t1,24
    937. 

  937. 	nr	$t1,$mask
    938. 

  938. 	nr	$i1,$mask
    939. 

  939. 	nr	$i2,$mask
    940. 

  940. 

  941. .align	16
    942. 

  942. .L192_loop:
    943. 

  943. 	la	$t1,0($t1,$tbl)
    944. 

  944. 	la	$i1,0($i1,$tbl)
    945. 

  945. 	la	$i2,0($i2,$tbl)
    946. 

  946. 	la	$i3,0($i3,$tbl)
    947. 

  947. 	icm	$t1,2,0($t1)		# Te4[rk[5]>>0]<<8
    948. 

  948. 	icm	$t1,4,0($i1)		# Te4[rk[5]>>8]<<16
    949. 

  949. 	icm	$t1,8,0($i2)		# Te4[rk[5]>>16]<<24
    950. 

  950. 	icm	$t1,1,0($i3)		# Te4[rk[5]>>24]
    951. 

  951. 	x	$t1,256($t3,$tbl)	# rcon[i]
    952. 

  952. 	xr	$s0,$t1			# rk[6]=rk[0]^...
    953. 

  953. 	xr	$s1,$s0			# rk[7]=rk[1]^rk[6]
    954. 

  954. 	xr	$s2,$s1			# rk[8]=rk[2]^rk[7]
    955. 

  955. 	xr	$s3,$s2			# rk[9]=rk[3]^rk[8]
    956. 

  956. 

  957. 	st	$s0,24($key)
    958. 

  958. 	st	$s1,28($key)
    959. 

  959. 	st	$s2,32($key)
    960. 

  960. 	st	$s3,36($key)
    961. 

  961. 	brct	$rounds,.L192_continue
    962. 

  962. 	lghi	$t0,12
    963. 

  963. 	lghi	%r2,0
    964. 

  964. 	lm${g}	%r4,%r13,4*$SIZE_T($sp)
    965. 

  965. 	br	$ra
    966. 

  966. 

  967. .align	16
    968. 

  968. .L192_continue:
    969. 

  969. 	lgr	$t1,$s3
    970. 

  970. 	x	$t1,16($key)		# rk[10]=rk[4]^rk[9]
    971. 

  971. 	st	$t1,40($key)
    972. 

  972. 	x	$t1,20($key)		# rk[11]=rk[5]^rk[10]
    973. 

  973. 	st	$t1,44($key)
    974. 

  974. 

  975. 	srlg	$i1,$t1,8
    976. 

  976. 	srlg	$i2,$t1,16
    977. 

  977. 	srlg	$i3,$t1,24
    978. 

  978. 	nr	$t1,$mask
    979. 

  979. 	nr	$i1,$mask
    980. 

  980. 	nr	$i2,$mask
    981. 

  981. 

  982. 	la	$key,24($key)		# key+=6
    983. 

  983. 	la	$t3,4($t3)		# i++
    984. 

  984. 	j	.L192_loop
    985. 

  985. 

  986. .align	16
    987. 

  987. .Lnot192:
    988. 

  988. 	llgf	$t0,24($inp)
    989. 

  989. 	llgf	$t1,28($inp)
    990. 

  990. 	st	$t0,24($key)
    991. 

  991. 	st	$t1,28($key)
    992. 

  992. 	llill	$mask,0xff
    993. 

  993. 	lghi	$t3,0			# i=0
    994. 

  994. 	lghi	$rounds,14
    995. 

  995. 	st	$rounds,240($key)
    996. 

  996. 	lghi	$rounds,7
    997. 

  997. 

  998. 	srlg	$i1,$t1,8
    999. 

  999. 	srlg	$i2,$t1,16
    1000. 

  1000. 	srlg	$i3,$t1,24
    1001. 

  1001. 	nr	$t1,$mask
    1002. 

  1002. 	nr	$i1,$mask
    1003. 

  1003. 	nr	$i2,$mask
    1004. 

  1004. 

  1005. .align	16
    1006. 

  1006. .L256_loop:
    1007. 

  1007. 	la	$t1,0($t1,$tbl)
    1008. 

  1008. 	la	$i1,0($i1,$tbl)
    1009. 

  1009. 	la	$i2,0($i2,$tbl)
    1010. 

  1010. 	la	$i3,0($i3,$tbl)
    1011. 

  1011. 	icm	$t1,2,0($t1)		# Te4[rk[7]>>0]<<8
    1012. 

  1012. 	icm	$t1,4,0($i1)		# Te4[rk[7]>>8]<<16
    1013. 

  1013. 	icm	$t1,8,0($i2)		# Te4[rk[7]>>16]<<24
    1014. 

  1014. 	icm	$t1,1,0($i3)		# Te4[rk[7]>>24]
    1015. 

  1015. 	x	$t1,256($t3,$tbl)	# rcon[i]
    1016. 

  1016. 	xr	$s0,$t1			# rk[8]=rk[0]^...
    1017. 

  1017. 	xr	$s1,$s0			# rk[9]=rk[1]^rk[8]
    1018. 

  1018. 	xr	$s2,$s1			# rk[10]=rk[2]^rk[9]
    1019. 

  1019. 	xr	$s3,$s2			# rk[11]=rk[3]^rk[10]
    1020. 

  1020. 	st	$s0,32($key)
    1021. 

  1021. 	st	$s1,36($key)
    1022. 

  1022. 	st	$s2,40($key)
    1023. 

  1023. 	st	$s3,44($key)
    1024. 

  1024. 	brct	$rounds,.L256_continue
    1025. 

  1025. 	lghi	$t0,14
    1026. 

  1026. 	lghi	%r2,0
    1027. 

  1027. 	lm${g}	%r4,%r13,4*$SIZE_T($sp)
    1028. 

  1028. 	br	$ra
    1029. 

  1029. 

  1030. .align	16
    1031. 

  1031. .L256_continue:
    1032. 

  1032. 	lgr	$t1,$s3			# temp=rk[11]
    1033. 

  1033. 	srlg	$i1,$s3,8
    1034. 

  1034. 	srlg	$i2,$s3,16
    1035. 

  1035. 	srlg	$i3,$s3,24
    1036. 

  1036. 	nr	$t1,$mask
    1037. 

  1037. 	nr	$i1,$mask
    1038. 

  1038. 	nr	$i2,$mask
    1039. 

  1039. 	la	$t1,0($t1,$tbl)
    1040. 

  1040. 	la	$i1,0($i1,$tbl)
    1041. 

  1041. 	la	$i2,0($i2,$tbl)
    1042. 

  1042. 	la	$i3,0($i3,$tbl)
    1043. 

  1043. 	llgc	$t1,0($t1)		# Te4[rk[11]>>0]
    1044. 

  1044. 	icm	$t1,2,0($i1)		# Te4[rk[11]>>8]<<8
    1045. 

  1045. 	icm	$t1,4,0($i2)		# Te4[rk[11]>>16]<<16
    1046. 

  1046. 	icm	$t1,8,0($i3)		# Te4[rk[11]>>24]<<24
    1047. 

  1047. 	x	$t1,16($key)		# rk[12]=rk[4]^...
    1048. 

  1048. 	st	$t1,48($key)
    1049. 

  1049. 	x	$t1,20($key)		# rk[13]=rk[5]^rk[12]
    1050. 

  1050. 	st	$t1,52($key)
    1051. 

  1051. 	x	$t1,24($key)		# rk[14]=rk[6]^rk[13]
    1052. 

  1052. 	st	$t1,56($key)
    1053. 

  1053. 	x	$t1,28($key)		# rk[15]=rk[7]^rk[14]
    1054. 

  1054. 	st	$t1,60($key)
    1055. 

  1055. 

  1056. 	srlg	$i1,$t1,8
    1057. 

  1057. 	srlg	$i2,$t1,16
    1058. 

  1058. 	srlg	$i3,$t1,24
    1059. 

  1059. 	nr	$t1,$mask
    1060. 

  1060. 	nr	$i1,$mask
    1061. 

  1061. 	nr	$i2,$mask
    1062. 

  1062. 

  1063. 	la	$key,32($key)		# key+=8
    1064. 

  1064. 	la	$t3,4($t3)		# i++
    1065. 

  1065. 	j	.L256_loop
    1066. 

  1066. 

  1067. .Lminus1:
    1068. 

  1068. 	lghi	%r2,-1
    1069. 

  1069. 	br	$ra
    1070. 

  1070. .size	AES_set_encrypt_key,.-AES_set_encrypt_key
    1071. 

  1071. 

  1072. # void AES_set_decrypt_key(const unsigned char *in, int bits,
    1073. 

  1073. # 		 AES_KEY *key) {
    1074. 

  1074. .globl	AES_set_decrypt_key
    1075. 

  1075. .type	AES_set_decrypt_key,\@function
    1076. 

  1076. .align	16
    1077. 

  1077. AES_set_decrypt_key:
    1078. 

  1078. 	#st${g}	$key,4*$SIZE_T($sp)	# I rely on AES_set_encrypt_key to
    1079. 

  1079. 	st${g}	$ra,14*$SIZE_T($sp)	# save non-volatile registers and $key!
    1080. 

  1080. 	bras	$ra,_s390x_AES_set_encrypt_key
    1081. 

  1081. 	#l${g}	$key,4*$SIZE_T($sp)
    1082. 

  1082. 	l${g}	$ra,14*$SIZE_T($sp)
    1083. 

  1083. 	ltgr	%r2,%r2
    1084. 

  1084. 	bnzr	$ra
    1085. 

  1085. ___
    1086. 

  1086. $code.=<<___ if (!$softonly);
    1087. 

  1087. 	#l	$t0,240($key)
    1088. 

  1088. 	lhi	$t1,16
    1089. 

  1089. 	cr	$t0,$t1
    1090. 

  1090. 	jl	.Lgo
    1091. 

  1091. 	oill	$t0,S390X_DECRYPT	# set "decrypt" bit
    1092. 

  1092. 	st	$t0,240($key)
    1093. 

  1093. 	br	$ra
    1094. 

  1094. ___
    1095. 

  1095. $code.=<<___;
    1096. 

  1096. .align	16
    1097. 

  1097. .Lgo:	lgr	$rounds,$t0	#llgf	$rounds,240($key)
    1098. 

  1098. 	la	$i1,0($key)
    1099. 

  1099. 	sllg	$i2,$rounds,4
    1100. 

  1100. 	la	$i2,0($i2,$key)
    1101. 

  1101. 	srl	$rounds,1
    1102. 

  1102. 	lghi	$t1,-16
    1103. 

  1103. 

  1104. .align	16
    1105. 

  1105. .Linv:	lmg	$s0,$s1,0($i1)
    1106. 

  1106. 	lmg	$s2,$s3,0($i2)
    1107. 

  1107. 	stmg	$s0,$s1,0($i2)
    1108. 

  1108. 	stmg	$s2,$s3,0($i1)
    1109. 

  1109. 	la	$i1,16($i1)
    1110. 

  1110. 	la	$i2,0($t1,$i2)
    1111. 

  1111. 	brct	$rounds,.Linv
    1112. 

  1112. ___
    1113. 

  1113. $mask80=$i1;
    1114. 

  1114. $mask1b=$i2;
    1115. 

  1115. $maskfe=$i3;
    1116. 

  1116. $code.=<<___;
    1117. 

  1117. 	llgf	$rounds,240($key)
    1118. 

  1118. 	aghi	$rounds,-1
    1119. 

  1119. 	sll	$rounds,2	# (rounds-1)*4
    1120. 

  1120. 	llilh	$mask80,0x8080
    1121. 

  1121. 	llilh	$mask1b,0x1b1b
    1122. 

  1122. 	llilh	$maskfe,0xfefe
    1123. 

  1123. 	oill	$mask80,0x8080
    1124. 

  1124. 	oill	$mask1b,0x1b1b
    1125. 

  1125. 	oill	$maskfe,0xfefe
    1126. 

  1126. 

  1127. .align	16
    1128. 

  1128. .Lmix:	l	$s0,16($key)	# tp1
    1129. 

  1129. 	lr	$s1,$s0
    1130. 

  1130. 	ngr	$s1,$mask80
    1131. 

  1131. 	srlg	$t1,$s1,7
    1132. 

  1132. 	slr	$s1,$t1
    1133. 

  1133. 	nr	$s1,$mask1b
    1134. 

  1134. 	sllg	$t1,$s0,1
    1135. 

  1135. 	nr	$t1,$maskfe
    1136. 

  1136. 	xr	$s1,$t1		# tp2
    1137. 

  1137. 

  1138. 	lr	$s2,$s1
    1139. 

  1139. 	ngr	$s2,$mask80
    1140. 

  1140. 	srlg	$t1,$s2,7
    1141. 

  1141. 	slr	$s2,$t1
    1142. 

  1142. 	nr	$s2,$mask1b
    1143. 

  1143. 	sllg	$t1,$s1,1
    1144. 

  1144. 	nr	$t1,$maskfe
    1145. 

  1145. 	xr	$s2,$t1		# tp4
    1146. 

  1146. 

  1147. 	lr	$s3,$s2
    1148. 

  1148. 	ngr	$s3,$mask80
    1149. 

  1149. 	srlg	$t1,$s3,7
    1150. 

  1150. 	slr	$s3,$t1
    1151. 

  1151. 	nr	$s3,$mask1b
    1152. 

  1152. 	sllg	$t1,$s2,1
    1153. 

  1153. 	nr	$t1,$maskfe
    1154. 

  1154. 	xr	$s3,$t1		# tp8
    1155. 

  1155. 

  1156. 	xr	$s1,$s0		# tp2^tp1
    1157. 

  1157. 	xr	$s2,$s0		# tp4^tp1
    1158. 

  1158. 	rll	$s0,$s0,24	# = ROTATE(tp1,8)
    1159. 

  1159. 	xr	$s2,$s3		# ^=tp8
    1160. 

  1160. 	xr	$s0,$s1		# ^=tp2^tp1
    1161. 

  1161. 	xr	$s1,$s3		# tp2^tp1^tp8
    1162. 

  1162. 	xr	$s0,$s2		# ^=tp4^tp1^tp8
    1163. 

  1163. 	rll	$s1,$s1,8
    1164. 

  1164. 	rll	$s2,$s2,16
    1165. 

  1165. 	xr	$s0,$s1		# ^= ROTATE(tp8^tp2^tp1,24)
    1166. 

  1166. 	rll	$s3,$s3,24
    1167. 

  1167. 	xr	$s0,$s2    	# ^= ROTATE(tp8^tp4^tp1,16)
    1168. 

  1168. 	xr	$s0,$s3		# ^= ROTATE(tp8,8)
    1169. 

  1169. 

  1170. 	st	$s0,16($key)
    1171. 

  1171. 	la	$key,4($key)
    1172. 

  1172. 	brct	$rounds,.Lmix
    1173. 

  1173. 

  1174. 	lm${g}	%r6,%r13,6*$SIZE_T($sp)# as was saved by AES_set_encrypt_key!
    1175. 

  1175. 	lghi	%r2,0
    1176. 

  1176. 	br	$ra
    1177. 

  1177. .size	AES_set_decrypt_key,.-AES_set_decrypt_key
    1178. 

  1178. ___
    1179. 

  1179. 

  1180. ########################################################################
    1181. 

  1181. # void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
    1182. 

  1182. #                     size_t length, const AES_KEY *key,
    1183. 

  1183. #                     unsigned char *ivec, const int enc)
    1184. 

  1184. {
    1185. 

  1185. my $inp="%r2";
    1186. 

  1186. my $out="%r4";	# length and out are swapped
    1187. 

  1187. my $len="%r3";
    1188. 

  1188. my $key="%r5";
    1189. 

  1189. my $ivp="%r6";
    1190. 

  1190. 

  1191. $code.=<<___;
    1192. 

  1192. .globl	AES_cbc_encrypt
    1193. 

  1193. .type	AES_cbc_encrypt,\@function
    1194. 

  1194. .align	16
    1195. 

  1195. AES_cbc_encrypt:
    1196. 

  1196. 	xgr	%r3,%r4		# flip %r3 and %r4, out and len
    1197. 

  1197. 	xgr	%r4,%r3
    1198. 

  1198. 	xgr	%r3,%r4
    1199. 

  1199. ___
    1200. 

  1200. $code.=<<___ if (!$softonly);
    1201. 

  1201. 	lhi	%r0,16
    1202. 

  1202. 	cl	%r0,240($key)
    1203. 

  1203. 	jh	.Lcbc_software
    1204. 

  1204. 

  1205. 	lg	%r0,0($ivp)	# copy ivec
    1206. 

  1206. 	lg	%r1,8($ivp)
    1207. 

  1207. 	stmg	%r0,%r1,16($sp)
    1208. 

  1208. 	lmg	%r0,%r1,0($key)	# copy key, cover 256 bit
    1209. 

  1209. 	stmg	%r0,%r1,32($sp)
    1210. 

  1210. 	lmg	%r0,%r1,16($key)
    1211. 

  1211. 	stmg	%r0,%r1,48($sp)
    1212. 

  1212. 	l	%r0,240($key)	# load kmc code
    1213. 

  1213. 	lghi	$key,15		# res=len%16, len-=res;
    1214. 

  1214. 	ngr	$key,$len
    1215. 

  1215. 	sl${g}r	$len,$key
    1216. 

  1216. 	la	%r1,16($sp)	# parameter block - ivec || key
    1217. 

  1217. 	jz	.Lkmc_truncated
    1218. 

  1218. 	.long	0xb92f0042	# kmc %r4,%r2
    1219. 

  1219. 	brc	1,.-4		# pay attention to "partial completion"
    1220. 

  1220. 	ltr	$key,$key
    1221. 

  1221. 	jnz	.Lkmc_truncated
    1222. 

  1222. .Lkmc_done:
    1223. 

  1223. 	lmg	%r0,%r1,16($sp)	# copy ivec to caller
    1224. 

  1224. 	stg	%r0,0($ivp)
    1225. 

  1225. 	stg	%r1,8($ivp)
    1226. 

  1226. 	br	$ra
    1227. 

  1227. .align	16
    1228. 

  1228. .Lkmc_truncated:
    1229. 

  1229. 	ahi	$key,-1		# it's the way it's encoded in mvc
    1230. 

  1230. 	tmll	%r0,S390X_DECRYPT
    1231. 

  1231. 	jnz	.Lkmc_truncated_dec
    1232. 

  1232. 	lghi	%r1,0
    1233. 

  1233. 	stg	%r1,16*$SIZE_T($sp)
    1234. 

  1234. 	stg	%r1,16*$SIZE_T+8($sp)
    1235. 

  1235. 	bras	%r1,1f
    1236. 

  1236. 	mvc	16*$SIZE_T(1,$sp),0($inp)
    1237. 

  1237. 1:	ex	$key,0(%r1)
    1238. 

  1238. 	la	%r1,16($sp)	# restore parameter block
    1239. 

  1239. 	la	$inp,16*$SIZE_T($sp)
    1240. 

  1240. 	lghi	$len,16
    1241. 

  1241. 	.long	0xb92f0042	# kmc %r4,%r2
    1242. 

  1242. 	j	.Lkmc_done
    1243. 

  1243. .align	16
    1244. 

  1244. .Lkmc_truncated_dec:
    1245. 

  1245. 	st${g}	$out,4*$SIZE_T($sp)
    1246. 

  1246. 	la	$out,16*$SIZE_T($sp)
    1247. 

  1247. 	lghi	$len,16
    1248. 

  1248. 	.long	0xb92f0042	# kmc %r4,%r2
    1249. 

  1249. 	l${g}	$out,4*$SIZE_T($sp)
    1250. 

  1250. 	bras	%r1,2f
    1251. 

  1251. 	mvc	0(1,$out),16*$SIZE_T($sp)
    1252. 

  1252. 2:	ex	$key,0(%r1)
    1253. 

  1253. 	j	.Lkmc_done
    1254. 

  1254. .align	16
    1255. 

  1255. .Lcbc_software:
    1256. 

  1256. ___
    1257. 

  1257. $code.=<<___;
    1258. 

  1258. 	stm${g}	$key,$ra,5*$SIZE_T($sp)
    1259. 

  1259. 	lhi	%r0,0
    1260. 

  1260. 	cl	%r0,`$stdframe+$SIZE_T-4`($sp)
    1261. 

  1261. 	je	.Lcbc_decrypt
    1262. 

  1262. 

  1263. 	larl	$tbl,AES_Te
    1264. 

  1264. 

  1265. 	llgf	$s0,0($ivp)
    1266. 

  1266. 	llgf	$s1,4($ivp)
    1267. 

  1267. 	llgf	$s2,8($ivp)
    1268. 

  1268. 	llgf	$s3,12($ivp)
    1269. 

  1269. 

  1270. 	lghi	$t0,16
    1271. 

  1271. 	sl${g}r	$len,$t0
    1272. 

  1272. 	brc	4,.Lcbc_enc_tail	# if borrow
    1273. 

  1273. .Lcbc_enc_loop:
    1274. 

  1274. 	stm${g}	$inp,$out,2*$SIZE_T($sp)
    1275. 

  1275. 	x	$s0,0($inp)
    1276. 

  1276. 	x	$s1,4($inp)
    1277. 

  1277. 	x	$s2,8($inp)
    1278. 

  1278. 	x	$s3,12($inp)
    1279. 

  1279. 	lgr	%r4,$key
    1280. 

  1280. 

  1281. 	bras	$ra,_s390x_AES_encrypt
    1282. 

  1282. 

  1283. 	lm${g}	$inp,$key,2*$SIZE_T($sp)
    1284. 

  1284. 	st	$s0,0($out)
    1285. 

  1285. 	st	$s1,4($out)
    1286. 

  1286. 	st	$s2,8($out)
    1287. 

  1287. 	st	$s3,12($out)
    1288. 

  1288. 

  1289. 	la	$inp,16($inp)
    1290. 

  1290. 	la	$out,16($out)
    1291. 

  1291. 	lghi	$t0,16
    1292. 

  1292. 	lt${g}r	$len,$len
    1293. 

  1293. 	jz	.Lcbc_enc_done
    1294. 

  1294. 	sl${g}r	$len,$t0
    1295. 

  1295. 	brc	4,.Lcbc_enc_tail	# if borrow
    1296. 

  1296. 	j	.Lcbc_enc_loop
    1297. 

  1297. .align	16
    1298. 

  1298. .Lcbc_enc_done:
    1299. 

  1299. 	l${g}	$ivp,6*$SIZE_T($sp)
    1300. 

  1300. 	st	$s0,0($ivp)
    1301. 

  1301. 	st	$s1,4($ivp)
    1302. 

  1302. 	st	$s2,8($ivp)
    1303. 

  1303. 	st	$s3,12($ivp)
    1304. 

  1304. 

  1305. 	lm${g}	%r7,$ra,7*$SIZE_T($sp)
    1306. 

  1306. 	br	$ra
    1307. 

  1307. 

  1308. .align	16
    1309. 

  1309. .Lcbc_enc_tail:
    1310. 

  1310. 	aghi	$len,15
    1311. 

  1311. 	lghi	$t0,0
    1312. 

  1312. 	stg	$t0,16*$SIZE_T($sp)
    1313. 

  1313. 	stg	$t0,16*$SIZE_T+8($sp)
    1314. 

  1314. 	bras	$t1,3f
    1315. 

  1315. 	mvc	16*$SIZE_T(1,$sp),0($inp)
    1316. 

  1316. 3:	ex	$len,0($t1)
    1317. 

  1317. 	lghi	$len,0
    1318. 

  1318. 	la	$inp,16*$SIZE_T($sp)
    1319. 

  1319. 	j	.Lcbc_enc_loop
    1320. 

  1320. 

  1321. .align	16
    1322. 

  1322. .Lcbc_decrypt:
    1323. 

  1323. 	larl	$tbl,AES_Td
    1324. 

  1324. 

  1325. 	lg	$t0,0($ivp)
    1326. 

  1326. 	lg	$t1,8($ivp)
    1327. 

  1327. 	stmg	$t0,$t1,16*$SIZE_T($sp)
    1328. 

  1328. 

  1329. .Lcbc_dec_loop:
    1330. 

  1330. 	stm${g}	$inp,$out,2*$SIZE_T($sp)
    1331. 

  1331. 	llgf	$s0,0($inp)
    1332. 

  1332. 	llgf	$s1,4($inp)
    1333. 

  1333. 	llgf	$s2,8($inp)
    1334. 

  1334. 	llgf	$s3,12($inp)
    1335. 

  1335. 	lgr	%r4,$key
    1336. 

  1336. 

  1337. 	bras	$ra,_s390x_AES_decrypt
    1338. 

  1338. 

  1339. 	lm${g}	$inp,$key,2*$SIZE_T($sp)
    1340. 

  1340. 	sllg	$s0,$s0,32
    1341. 

  1341. 	sllg	$s2,$s2,32
    1342. 

  1342. 	lr	$s0,$s1
    1343. 

  1343. 	lr	$s2,$s3
    1344. 

  1344. 

  1345. 	lg	$t0,0($inp)
    1346. 

  1346. 	lg	$t1,8($inp)
    1347. 

  1347. 	xg	$s0,16*$SIZE_T($sp)
    1348. 

  1348. 	xg	$s2,16*$SIZE_T+8($sp)
    1349. 

  1349. 	lghi	$s1,16
    1350. 

  1350. 	sl${g}r	$len,$s1
    1351. 

  1351. 	brc	4,.Lcbc_dec_tail	# if borrow
    1352. 

  1352. 	brc	2,.Lcbc_dec_done	# if zero
    1353. 

  1353. 	stg	$s0,0($out)
    1354. 

  1354. 	stg	$s2,8($out)
    1355. 

  1355. 	stmg	$t0,$t1,16*$SIZE_T($sp)
    1356. 

  1356. 

  1357. 	la	$inp,16($inp)
    1358. 

  1358. 	la	$out,16($out)
    1359. 

  1359. 	j	.Lcbc_dec_loop
    1360. 

  1360. 

  1361. .Lcbc_dec_done:
    1362. 

  1362. 	stg	$s0,0($out)
    1363. 

  1363. 	stg	$s2,8($out)
    1364. 

  1364. .Lcbc_dec_exit:
    1365. 

  1365. 	lm${g}	%r6,$ra,6*$SIZE_T($sp)
    1366. 

  1366. 	stmg	$t0,$t1,0($ivp)
    1367. 

  1367. 

  1368. 	br	$ra
    1369. 

  1369. 

  1370. .align	16
    1371. 

  1371. .Lcbc_dec_tail:
    1372. 

  1372. 	aghi	$len,15
    1373. 

  1373. 	stg	$s0,16*$SIZE_T($sp)
    1374. 

  1374. 	stg	$s2,16*$SIZE_T+8($sp)
    1375. 

  1375. 	bras	$s1,4f
    1376. 

  1376. 	mvc	0(1,$out),16*$SIZE_T($sp)
    1377. 

  1377. 4:	ex	$len,0($s1)
    1378. 

  1378. 	j	.Lcbc_dec_exit
    1379. 

  1379. .size	AES_cbc_encrypt,.-AES_cbc_encrypt
    1380. 

  1380. ___
    1381. 

  1381. }
    1382. 

  1382. ########################################################################
    1383. 

  1383. # void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
    1384. 

  1384. #                     size_t blocks, const AES_KEY *key,
    1385. 

  1385. #                     const unsigned char *ivec)
    1386. 

  1386. {
    1387. 

  1387. my $inp="%r2";
    1388. 

  1388. my $out="%r4";	# blocks and out are swapped
    1389. 

  1389. my $len="%r3";
    1390. 

  1390. my $key="%r5";	my $iv0="%r5";
    1391. 

  1391. my $ivp="%r6";
    1392. 

  1392. my $fp ="%r7";
    1393. 

  1393. 

  1394. $code.=<<___;
    1395. 

  1395. .globl	AES_ctr32_encrypt
    1396. 

  1396. .type	AES_ctr32_encrypt,\@function
    1397. 

  1397. .align	16
    1398. 

  1398. AES_ctr32_encrypt:
    1399. 

  1399. 	xgr	%r3,%r4		# flip %r3 and %r4, $out and $len
    1400. 

  1400. 	xgr	%r4,%r3
    1401. 

  1401. 	xgr	%r3,%r4
    1402. 

  1402. 	llgfr	$len,$len	# safe in ctr32 subroutine even in 64-bit case
    1403. 

  1403. ___
    1404. 

  1404. $code.=<<___ if (!$softonly);
    1405. 

  1405. 	l	%r0,240($key)
    1406. 

  1406. 	lhi	%r1,16
    1407. 

  1407. 	clr	%r0,%r1
    1408. 

  1408. 	jl	.Lctr32_software
    1409. 

  1409. 

  1410. 	st${g}	$s2,10*$SIZE_T($sp)
    1411. 

  1411. 	st${g}	$s3,11*$SIZE_T($sp)
    1412. 

  1412. 

  1413. 	clr	$len,%r1		# does work even in 64-bit mode
    1414. 

  1414. 	jle	.Lctr32_nokma		# kma is slower for <= 16 blocks
    1415. 

  1415. 

  1416. 	larl	%r1,OPENSSL_s390xcap_P
    1417. 

  1417. 	lr	$s2,%r0
    1418. 

  1418. 	llihh	$s3,0x8000
    1419. 

  1419. 	srlg	$s3,$s3,0($s2)
    1420. 

  1420. 	ng	$s3,S390X_KMA(%r1)		# check kma capability vector
    1421. 

  1421. 	jz	.Lctr32_nokma
    1422. 

  1422. 

  1423. 	l${g}hi	%r1,-$stdframe-112
    1424. 

  1424. 	l${g}r	$s3,$sp
    1425. 

  1425. 	la	$sp,0(%r1,$sp)			# prepare parameter block
    1426. 

  1426. 

  1427. 	lhi	%r1,0x0600
    1428. 

  1428. 	sllg	$len,$len,4
    1429. 

  1429. 	or	%r0,%r1				# set HS and LAAD flags
    1430. 

  1430. 

  1431. 	st${g}	$s3,0($sp)			# backchain
    1432. 

  1432. 	la	%r1,$stdframe($sp)
    1433. 

  1433. 

  1434. 	xc	$stdframe+0(64,$sp),$stdframe+0($sp)	# clear reserved/unused
    1435. 

  1435. 							# in parameter block
    1436. 

  1436. 

  1437. 	lmg	$s2,$s3,0($key)			# copy key
    1438. 

  1438. 	stg	$s2,$stdframe+80($sp)
    1439. 

  1439. 	stg	$s3,$stdframe+88($sp)
    1440. 

  1440. 	lmg	$s2,$s3,16($key)
    1441. 

  1441. 	stg	$s2,$stdframe+96($sp)
    1442. 

  1442. 	stg	$s3,$stdframe+104($sp)
    1443. 

  1443. 

  1444. 	lmg	$s2,$s3,0($ivp)			# copy iv
    1445. 

  1445. 	stg	$s2,$stdframe+64($sp)
    1446. 

  1446. 	ahi	$s3,-1				# kma requires counter-1
    1447. 

  1447. 	stg	$s3,$stdframe+72($sp)
    1448. 

  1448. 	st	$s3,$stdframe+12($sp)		# copy counter
    1449. 

  1449. 

  1450. 	lghi	$s2,0				# no AAD
    1451. 

  1451. 	lghi	$s3,0
    1452. 

  1452. 

  1453. 	.long	0xb929a042	# kma $out,$s2,$inp
    1454. 

  1454. 	brc	1,.-4		# pay attention to "partial completion"
    1455. 

  1455. 

  1456. 	stg	%r0,$stdframe+80($sp)		# wipe key
    1457. 

  1457. 	stg	%r0,$stdframe+88($sp)
    1458. 

  1458. 	stg	%r0,$stdframe+96($sp)
    1459. 

  1459. 	stg	%r0,$stdframe+104($sp)
    1460. 

  1460. 	la	$sp,$stdframe+112($sp)
    1461. 

  1461. 

  1462. 	lm${g}	$s2,$s3,10*$SIZE_T($sp)
    1463. 

  1463. 	br	$ra
    1464. 

  1464. 

  1465. .align	16
    1466. 

  1466. .Lctr32_nokma:
    1467. 

  1467. 	stm${g}	%r6,$s1,6*$SIZE_T($sp)
    1468. 

  1468. 

  1469. 	slgr	$out,$inp
    1470. 

  1470. 	la	%r1,0($key)	# %r1 is permanent copy of $key
    1471. 

  1471. 	lg	$iv0,0($ivp)	# load ivec
    1472. 

  1472. 	lg	$ivp,8($ivp)
    1473. 

  1473. 

  1474. 	# prepare and allocate stack frame at the top of 4K page
    1475. 

  1475. 	# with 1K reserved for eventual signal handling
    1476. 

  1476. 	lghi	$s0,-1024-256-16# guarantee at least 256-bytes buffer
    1477. 

  1477. 	lghi	$s1,-4096
    1478. 

  1478. 	algr	$s0,$sp
    1479. 

  1479. 	lgr	$fp,$sp
    1480. 

  1480. 	ngr	$s0,$s1		# align at page boundary
    1481. 

  1481. 	slgr	$fp,$s0		# total buffer size
    1482. 

  1482. 	lgr	$s2,$sp
    1483. 

  1483. 	lghi	$s1,1024+16	# sl[g]fi is extended-immediate facility
    1484. 

  1484. 	slgr	$fp,$s1		# deduct reservation to get usable buffer size
    1485. 

  1485. 	# buffer size is at lest 256 and at most 3072+256-16
    1486. 

  1486. 

  1487. 	la	$sp,1024($s0)	# alloca
    1488. 

  1488. 	srlg	$fp,$fp,4	# convert bytes to blocks, minimum 16
    1489. 

  1489. 	st${g}	$s2,0($sp)	# back-chain
    1490. 

  1490. 	st${g}	$fp,$SIZE_T($sp)
    1491. 

  1491. 

  1492. 	slgr	$len,$fp
    1493. 

  1493. 	brc	1,.Lctr32_hw_switch	# not zero, no borrow
    1494. 

  1494. 	algr	$fp,$len	# input is shorter than allocated buffer
    1495. 

  1495. 	lghi	$len,0
    1496. 

  1496. 	st${g}	$fp,$SIZE_T($sp)
    1497. 

  1497. 

  1498. .Lctr32_hw_switch:
    1499. 

  1499. ___
    1500. 

  1500. $code.=<<___ if (!$softonly && 0);# kmctr code was measured to be ~12% slower
    1501. 

  1501. 	llgfr	$s0,%r0
    1502. 

  1502. 	lgr	$s1,%r1
    1503. 

  1503. 	larl	%r1,OPENSSL_s390xcap_P
    1504. 

  1504. 	llihh	%r0,0x8000	# check if kmctr supports the function code
    1505. 

  1505. 	srlg	%r0,%r0,0($s0)
    1506. 

  1506. 	ng	%r0,S390X_KMCTR(%r1)	# check kmctr capability vector
    1507. 

  1507. 	lgr	%r0,$s0
    1508. 

  1508. 	lgr	%r1,$s1
    1509. 

  1509. 	jz	.Lctr32_km_loop
    1510. 

  1510. 

  1511. ####### kmctr code
    1512. 

  1512. 	algr	$out,$inp	# restore $out
    1513. 

  1513. 	lgr	$s1,$len	# $s1 undertakes $len
    1514. 

  1514. 	j	.Lctr32_kmctr_loop
    1515. 

  1515. .align	16
    1516. 

  1516. .Lctr32_kmctr_loop:
    1517. 

  1517. 	la	$s2,16($sp)
    1518. 

  1518. 	lgr	$s3,$fp
    1519. 

  1519. .Lctr32_kmctr_prepare:
    1520. 

  1520. 	stg	$iv0,0($s2)
    1521. 

  1521. 	stg	$ivp,8($s2)
    1522. 

  1522. 	la	$s2,16($s2)
    1523. 

  1523. 	ahi	$ivp,1		# 32-bit increment, preserves upper half
    1524. 

  1524. 	brct	$s3,.Lctr32_kmctr_prepare
    1525. 

  1525. 

  1526. 	#la	$inp,0($inp)	# inp
    1527. 

  1527. 	sllg	$len,$fp,4	# len
    1528. 

  1528. 	#la	$out,0($out)	# out
    1529. 

  1529. 	la	$s2,16($sp)	# iv
    1530. 

  1530. 	.long	0xb92da042	# kmctr $out,$s2,$inp
    1531. 

  1531. 	brc	1,.-4		# pay attention to "partial completion"
    1532. 

  1532. 

  1533. 	slgr	$s1,$fp
    1534. 

  1534. 	brc	1,.Lctr32_kmctr_loop	# not zero, no borrow
    1535. 

  1535. 	algr	$fp,$s1
    1536. 

  1536. 	lghi	$s1,0
    1537. 

  1537. 	brc	4+1,.Lctr32_kmctr_loop	# not zero
    1538. 

  1538. 

  1539. 	l${g}	$sp,0($sp)
    1540. 

  1540. 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
    1541. 

  1541. 	br	$ra
    1542. 

  1542. .align	16
    1543. 

  1543. ___
    1544. 

  1544. $code.=<<___ if (!$softonly);
    1545. 

  1545. .Lctr32_km_loop:
    1546. 

  1546. 	la	$s2,16($sp)
    1547. 

  1547. 	lgr	$s3,$fp
    1548. 

  1548. .Lctr32_km_prepare:
    1549. 

  1549. 	stg	$iv0,0($s2)
    1550. 

  1550. 	stg	$ivp,8($s2)
    1551. 

  1551. 	la	$s2,16($s2)
    1552. 

  1552. 	ahi	$ivp,1		# 32-bit increment, preserves upper half
    1553. 

  1553. 	brct	$s3,.Lctr32_km_prepare
    1554. 

  1554. 

  1555. 	la	$s0,16($sp)	# inp
    1556. 

  1556. 	sllg	$s1,$fp,4	# len
    1557. 

  1557. 	la	$s2,16($sp)	# out
    1558. 

  1558. 	.long	0xb92e00a8	# km %r10,%r8
    1559. 

  1559. 	brc	1,.-4		# pay attention to "partial completion"
    1560. 

  1560. 

  1561. 	la	$s2,16($sp)
    1562. 

  1562. 	lgr	$s3,$fp
    1563. 

  1563. 	slgr	$s2,$inp
    1564. 

  1564. .Lctr32_km_xor:
    1565. 

  1565. 	lg	$s0,0($inp)
    1566. 

  1566. 	lg	$s1,8($inp)
    1567. 

  1567. 	xg	$s0,0($s2,$inp)
    1568. 

  1568. 	xg	$s1,8($s2,$inp)
    1569. 

  1569. 	stg	$s0,0($out,$inp)
    1570. 

  1570. 	stg	$s1,8($out,$inp)
    1571. 

  1571. 	la	$inp,16($inp)
    1572. 

  1572. 	brct	$s3,.Lctr32_km_xor
    1573. 

  1573. 

  1574. 	slgr	$len,$fp
    1575. 

  1575. 	brc	1,.Lctr32_km_loop	# not zero, no borrow
    1576. 

  1576. 	algr	$fp,$len
    1577. 

  1577. 	lghi	$len,0
    1578. 

  1578. 	brc	4+1,.Lctr32_km_loop	# not zero
    1579. 

  1579. 

  1580. 	l${g}	$s0,0($sp)
    1581. 

  1581. 	l${g}	$s1,$SIZE_T($sp)
    1582. 

  1582. 	la	$s2,16($sp)
    1583. 

  1583. .Lctr32_km_zap:
    1584. 

  1584. 	stg	$s0,0($s2)
    1585. 

  1585. 	stg	$s0,8($s2)
    1586. 

  1586. 	la	$s2,16($s2)
    1587. 

  1587. 	brct	$s1,.Lctr32_km_zap
    1588. 

  1588. 

  1589. 	la	$sp,0($s0)
    1590. 

  1590. 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
    1591. 

  1591. 	br	$ra
    1592. 

  1592. .align	16
    1593. 

  1593. .Lctr32_software:
    1594. 

  1594. ___
    1595. 

  1595. $code.=<<___;
    1596. 

  1596. 	stm${g}	$key,$ra,5*$SIZE_T($sp)
    1597. 

  1597. 	sl${g}r	$inp,$out
    1598. 

  1598. 	larl	$tbl,AES_Te
    1599. 

  1599. 	llgf	$t1,12($ivp)
    1600. 

  1600. 

  1601. .Lctr32_loop:
    1602. 

  1602. 	stm${g}	$inp,$out,2*$SIZE_T($sp)
    1603. 

  1603. 	llgf	$s0,0($ivp)
    1604. 

  1604. 	llgf	$s1,4($ivp)
    1605. 

  1605. 	llgf	$s2,8($ivp)
    1606. 

  1606. 	lgr	$s3,$t1
    1607. 

  1607. 	st	$t1,16*$SIZE_T($sp)
    1608. 

  1608. 	lgr	%r4,$key
    1609. 

  1609. 

  1610. 	bras	$ra,_s390x_AES_encrypt
    1611. 

  1611. 

  1612. 	lm${g}	$inp,$ivp,2*$SIZE_T($sp)
    1613. 

  1613. 	llgf	$t1,16*$SIZE_T($sp)
    1614. 

  1614. 	x	$s0,0($inp,$out)
    1615. 

  1615. 	x	$s1,4($inp,$out)
    1616. 

  1616. 	x	$s2,8($inp,$out)
    1617. 

  1617. 	x	$s3,12($inp,$out)
    1618. 

  1618. 	stm	$s0,$s3,0($out)
    1619. 

  1619. 

  1620. 	la	$out,16($out)
    1621. 

  1621. 	ahi	$t1,1		# 32-bit increment
    1622. 

  1622. 	brct	$len,.Lctr32_loop
    1623. 

  1623. 

  1624. 	lm${g}	%r6,$ra,6*$SIZE_T($sp)
    1625. 

  1625. 	br	$ra
    1626. 

  1626. .size	AES_ctr32_encrypt,.-AES_ctr32_encrypt
    1627. 

  1627. ___
    1628. 

  1628. }
    1629. 

  1629. 

  1630. ########################################################################
    1631. 

  1631. # void AES_xts_encrypt(const unsigned char *inp, unsigned char *out,
    1632. 

  1632. #	size_t len, const AES_KEY *key1, const AES_KEY *key2,
    1633. 

  1633. #	const unsigned char iv[16]);
    1634. 

  1634. #
    1635. 

  1635. {
    1636. 

  1636. my $inp="%r2";
    1637. 

  1637. my $out="%r4";	# len and out are swapped
    1638. 

  1638. my $len="%r3";
    1639. 

  1639. my $key1="%r5";	# $i1
    1640. 

  1640. my $key2="%r6";	# $i2
    1641. 

  1641. my $fp="%r7";	# $i3
    1642. 

  1642. my $tweak=16*$SIZE_T+16;	# or $stdframe-16, bottom of the frame...
    1643. 

  1643. 

  1644. $code.=<<___;
    1645. 

  1645. .type	_s390x_xts_km,\@function
    1646. 

  1646. .align	16
    1647. 

  1647. _s390x_xts_km:
    1648. 

  1648. ___
    1649. 

  1649. $code.=<<___ if(1);
    1650. 

  1650. 	llgfr	$s0,%r0			# put aside the function code
    1651. 

  1651. 	lghi	$s1,0x7f
    1652. 

  1652. 	nr	$s1,%r0
    1653. 

  1653. 	larl	%r1,OPENSSL_s390xcap_P
    1654. 

  1654. 	llihh	%r0,0x8000
    1655. 

  1655. 	srlg	%r0,%r0,32($s1)		# check for 32+function code
    1656. 

  1656. 	ng	%r0,S390X_KM(%r1)	# check km capability vector
    1657. 

  1657. 	lgr	%r0,$s0			# restore the function code
    1658. 

  1658. 	la	%r1,0($key1)		# restore $key1
    1659. 

  1659. 	jz	.Lxts_km_vanilla
    1660. 

  1660. 

  1661. 	lmg	$i2,$i3,$tweak($sp)	# put aside the tweak value
    1662. 

  1662. 	algr	$out,$inp
    1663. 

  1663. 

  1664. 	oill	%r0,32			# switch to xts function code
    1665. 

  1665. 	aghi	$s1,-18			#
    1666. 

  1666. 	sllg	$s1,$s1,3		# (function code - 18)*8, 0 or 16
    1667. 

  1667. 	la	%r1,$tweak-16($sp)
    1668. 

  1668. 	slgr	%r1,$s1			# parameter block position
    1669. 

  1669. 	lmg	$s0,$s3,0($key1)	# load 256 bits of key material,
    1670. 

  1670. 	stmg	$s0,$s3,0(%r1)		# and copy it to parameter block.
    1671. 

  1671. 					# yes, it contains junk and overlaps
    1672. 

  1672. 					# with the tweak in 128-bit case.
    1673. 

  1673. 					# it's done to avoid conditional
    1674. 

  1674. 					# branch.
    1675. 

  1675. 	stmg	$i2,$i3,$tweak($sp)	# "re-seat" the tweak value
    1676. 

  1676. 

  1677. 	.long	0xb92e0042		# km %r4,%r2
    1678. 

  1678. 	brc	1,.-4			# pay attention to "partial completion"
    1679. 

  1679. 

  1680. 	lrvg	$s0,$tweak+0($sp)	# load the last tweak
    1681. 

  1681. 	lrvg	$s1,$tweak+8($sp)
    1682. 

  1682. 	stmg	%r0,%r3,$tweak-32($sp)	# wipe copy of the key
    1683. 

  1683. 

  1684. 	nill	%r0,0xffdf		# switch back to original function code
    1685. 

  1685. 	la	%r1,0($key1)		# restore pointer to $key1
    1686. 

  1686. 	slgr	$out,$inp
    1687. 

  1687. 

  1688. 	llgc	$len,2*$SIZE_T-1($sp)
    1689. 

  1689. 	nill	$len,0x0f		# $len%=16
    1690. 

  1690. 	br	$ra
    1691. 

  1691. 

  1692. .align	16
    1693. 

  1693. .Lxts_km_vanilla:
    1694. 

  1694. ___
    1695. 

  1695. $code.=<<___;
    1696. 

  1696. 	# prepare and allocate stack frame at the top of 4K page
    1697. 

  1697. 	# with 1K reserved for eventual signal handling
    1698. 

  1698. 	lghi	$s0,-1024-256-16# guarantee at least 256-bytes buffer
    1699. 

  1699. 	lghi	$s1,-4096
    1700. 

  1700. 	algr	$s0,$sp
    1701. 

  1701. 	lgr	$fp,$sp
    1702. 

  1702. 	ngr	$s0,$s1		# align at page boundary
    1703. 

  1703. 	slgr	$fp,$s0		# total buffer size
    1704. 

  1704. 	lgr	$s2,$sp
    1705. 

  1705. 	lghi	$s1,1024+16	# sl[g]fi is extended-immediate facility
    1706. 

  1706. 	slgr	$fp,$s1		# deduct reservation to get usable buffer size
    1707. 

  1707. 	# buffer size is at lest 256 and at most 3072+256-16
    1708. 

  1708. 

  1709. 	la	$sp,1024($s0)	# alloca
    1710. 

  1710. 	nill	$fp,0xfff0	# round to 16*n
    1711. 

  1711. 	st${g}	$s2,0($sp)	# back-chain
    1712. 

  1712. 	nill	$len,0xfff0	# redundant
    1713. 

  1713. 	st${g}	$fp,$SIZE_T($sp)
    1714. 

  1714. 

  1715. 	slgr	$len,$fp
    1716. 

  1716. 	brc	1,.Lxts_km_go	# not zero, no borrow
    1717. 

  1717. 	algr	$fp,$len	# input is shorter than allocated buffer
    1718. 

  1718. 	lghi	$len,0
    1719. 

  1719. 	st${g}	$fp,$SIZE_T($sp)
    1720. 

  1720. 

  1721. .Lxts_km_go:
    1722. 

  1722. 	lrvg	$s0,$tweak+0($s2)	# load the tweak value in little-endian
    1723. 

  1723. 	lrvg	$s1,$tweak+8($s2)
    1724. 

  1724. 

  1725. 	la	$s2,16($sp)		# vector of ascending tweak values
    1726. 

  1726. 	slgr	$s2,$inp
    1727. 

  1727. 	srlg	$s3,$fp,4
    1728. 

  1728. 	j	.Lxts_km_start
    1729. 

  1729. 

  1730. .Lxts_km_loop:
    1731. 

  1731. 	la	$s2,16($sp)
    1732. 

  1732. 	slgr	$s2,$inp
    1733. 

  1733. 	srlg	$s3,$fp,4
    1734. 

  1734. .Lxts_km_prepare:
    1735. 

  1735. 	lghi	$i1,0x87
    1736. 

  1736. 	srag	$i2,$s1,63		# broadcast upper bit
    1737. 

  1737. 	ngr	$i1,$i2			# rem
    1738. 

  1738. 	algr	$s0,$s0
    1739. 

  1739. 	alcgr	$s1,$s1
    1740. 

  1740. 	xgr	$s0,$i1
    1741. 

  1741. .Lxts_km_start:
    1742. 

  1742. 	lrvgr	$i1,$s0			# flip byte order
    1743. 

  1743. 	lrvgr	$i2,$s1
    1744. 

  1744. 	stg	$i1,0($s2,$inp)
    1745. 

  1745. 	stg	$i2,8($s2,$inp)
    1746. 

  1746. 	xg	$i1,0($inp)
    1747. 

  1747. 	xg	$i2,8($inp)
    1748. 

  1748. 	stg	$i1,0($out,$inp)
    1749. 

  1749. 	stg	$i2,8($out,$inp)
    1750. 

  1750. 	la	$inp,16($inp)
    1751. 

  1751. 	brct	$s3,.Lxts_km_prepare
    1752. 

  1752. 

  1753. 	slgr	$inp,$fp		# rewind $inp
    1754. 

  1754. 	la	$s2,0($out,$inp)
    1755. 

  1755. 	lgr	$s3,$fp
    1756. 

  1756. 	.long	0xb92e00aa		# km $s2,$s2
    1757. 

  1757. 	brc	1,.-4			# pay attention to "partial completion"
    1758. 

  1758. 

  1759. 	la	$s2,16($sp)
    1760. 

  1760. 	slgr	$s2,$inp
    1761. 

  1761. 	srlg	$s3,$fp,4
    1762. 

  1762. .Lxts_km_xor:
    1763. 

  1763. 	lg	$i1,0($out,$inp)
    1764. 

  1764. 	lg	$i2,8($out,$inp)
    1765. 

  1765. 	xg	$i1,0($s2,$inp)
    1766. 

  1766. 	xg	$i2,8($s2,$inp)
    1767. 

  1767. 	stg	$i1,0($out,$inp)
    1768. 

  1768. 	stg	$i2,8($out,$inp)
    1769. 

  1769. 	la	$inp,16($inp)
    1770. 

  1770. 	brct	$s3,.Lxts_km_xor
    1771. 

  1771. 

  1772. 	slgr	$len,$fp
    1773. 

  1773. 	brc	1,.Lxts_km_loop		# not zero, no borrow
    1774. 

  1774. 	algr	$fp,$len
    1775. 

  1775. 	lghi	$len,0
    1776. 

  1776. 	brc	4+1,.Lxts_km_loop	# not zero
    1777. 

  1777. 

  1778. 	l${g}	$i1,0($sp)		# back-chain
    1779. 

  1779. 	llgf	$fp,`2*$SIZE_T-4`($sp)	# bytes used
    1780. 

  1780. 	la	$i2,16($sp)
    1781. 

  1781. 	srlg	$fp,$fp,4
    1782. 

  1782. .Lxts_km_zap:
    1783. 

  1783. 	stg	$i1,0($i2)
    1784. 

  1784. 	stg	$i1,8($i2)
    1785. 

  1785. 	la	$i2,16($i2)
    1786. 

  1786. 	brct	$fp,.Lxts_km_zap
    1787. 

  1787. 

  1788. 	la	$sp,0($i1)
    1789. 

  1789. 	llgc	$len,2*$SIZE_T-1($i1)
    1790. 

  1790. 	nill	$len,0x0f		# $len%=16
    1791. 

  1791. 	bzr	$ra
    1792. 

  1792. 

  1793. 	# generate one more tweak...
    1794. 

  1794. 	lghi	$i1,0x87
    1795. 

  1795. 	srag	$i2,$s1,63		# broadcast upper bit
    1796. 

  1796. 	ngr	$i1,$i2			# rem
    1797. 

  1797. 	algr	$s0,$s0
    1798. 

  1798. 	alcgr	$s1,$s1
    1799. 

  1799. 	xgr	$s0,$i1
    1800. 

  1800. 

  1801. 	ltr	$len,$len		# clear zero flag
    1802. 

  1802. 	br	$ra
    1803. 

  1803. .size	_s390x_xts_km,.-_s390x_xts_km
    1804. 

  1804. 

  1805. .globl	AES_xts_encrypt
    1806. 

  1806. .type	AES_xts_encrypt,\@function
    1807. 

  1807. .align	16
    1808. 

  1808. AES_xts_encrypt:
    1809. 

  1809. 	xgr	%r3,%r4			# flip %r3 and %r4, $out and $len
    1810. 

  1810. 	xgr	%r4,%r3
    1811. 

  1811. 	xgr	%r3,%r4
    1812. 

  1812. ___
    1813. 

  1813. $code.=<<___ if ($SIZE_T==4);
    1814. 

  1814. 	llgfr	$len,$len
    1815. 

  1815. ___
    1816. 

  1816. $code.=<<___;
    1817. 

  1817. 	st${g}	$len,1*$SIZE_T($sp)	# save copy of $len
    1818. 

  1818. 	srag	$len,$len,4		# formally wrong, because it expands
    1819. 

  1819. 					# sign byte, but who can afford asking
    1820. 

  1820. 					# to process more than 2^63-1 bytes?
    1821. 

  1821. 					# I use it, because it sets condition
    1822. 

  1822. 					# code...
    1823. 

  1823. 	bcr	8,$ra			# abort if zero (i.e. less than 16)
    1824. 

  1824. ___
    1825. 

  1825. $code.=<<___ if (!$softonly);
    1826. 

  1826. 	llgf	%r0,240($key2)
    1827. 

  1827. 	lhi	%r1,16
    1828. 

  1828. 	clr	%r0,%r1
    1829. 

  1829. 	jl	.Lxts_enc_software
    1830. 

  1830. 

  1831. 	st${g}	$ra,5*$SIZE_T($sp)
    1832. 

  1832. 	stm${g}	%r6,$s3,6*$SIZE_T($sp)
    1833. 

  1833. 

  1834. 	sllg	$len,$len,4		# $len&=~15
    1835. 

  1835. 	slgr	$out,$inp
    1836. 

  1836. 

  1837. 	# generate the tweak value
    1838. 

  1838. 	l${g}	$s3,$stdframe($sp)	# pointer to iv
    1839. 

  1839. 	la	$s2,$tweak($sp)
    1840. 

  1840. 	lmg	$s0,$s1,0($s3)
    1841. 

  1841. 	lghi	$s3,16
    1842. 

  1842. 	stmg	$s0,$s1,0($s2)
    1843. 

  1843. 	la	%r1,0($key2)		# $key2 is not needed anymore
    1844. 

  1844. 	.long	0xb92e00aa		# km $s2,$s2, generate the tweak
    1845. 

  1845. 	brc	1,.-4			# can this happen?
    1846. 

  1846. 

  1847. 	l	%r0,240($key1)
    1848. 

  1848. 	la	%r1,0($key1)		# $key1 is not needed anymore
    1849. 

  1849. 	bras	$ra,_s390x_xts_km
    1850. 

  1850. 	jz	.Lxts_enc_km_done
    1851. 

  1851. 

  1852. 	aghi	$inp,-16		# take one step back
    1853. 

  1853. 	la	$i3,0($out,$inp)	# put aside real $out
    1854. 

  1854. .Lxts_enc_km_steal:
    1855. 

  1855. 	llgc	$i1,16($inp)
    1856. 

  1856. 	llgc	$i2,0($out,$inp)
    1857. 

  1857. 	stc	$i1,0($out,$inp)
    1858. 

  1858. 	stc	$i2,16($out,$inp)
    1859. 

  1859. 	la	$inp,1($inp)
    1860. 

  1860. 	brct	$len,.Lxts_enc_km_steal
    1861. 

  1861. 

  1862. 	la	$s2,0($i3)
    1863. 

  1863. 	lghi	$s3,16
    1864. 

  1864. 	lrvgr	$i1,$s0			# flip byte order
    1865. 

  1865. 	lrvgr	$i2,$s1
    1866. 

  1866. 	xg	$i1,0($s2)
    1867. 

  1867. 	xg	$i2,8($s2)
    1868. 

  1868. 	stg	$i1,0($s2)
    1869. 

  1869. 	stg	$i2,8($s2)
    1870. 

  1870. 	.long	0xb92e00aa		# km $s2,$s2
    1871. 

  1871. 	brc	1,.-4			# can this happen?
    1872. 

  1872. 	lrvgr	$i1,$s0			# flip byte order
    1873. 

  1873. 	lrvgr	$i2,$s1
    1874. 

  1874. 	xg	$i1,0($i3)
    1875. 

  1875. 	xg	$i2,8($i3)
    1876. 

  1876. 	stg	$i1,0($i3)
    1877. 

  1877. 	stg	$i2,8($i3)
    1878. 

  1878. 

  1879. .Lxts_enc_km_done:
    1880. 

  1880. 	stg	$sp,$tweak+0($sp)	# wipe tweak
    1881. 

  1881. 	stg	$sp,$tweak+8($sp)
    1882. 

  1882. 	l${g}	$ra,5*$SIZE_T($sp)
    1883. 

  1883. 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
    1884. 

  1884. 	br	$ra
    1885. 

  1885. .align	16
    1886. 

  1886. .Lxts_enc_software:
    1887. 

  1887. ___
    1888. 

  1888. $code.=<<___;
    1889. 

  1889. 	stm${g}	%r6,$ra,6*$SIZE_T($sp)
    1890. 

  1890. 

  1891. 	slgr	$out,$inp
    1892. 

  1892. 

  1893. 	l${g}	$s3,$stdframe($sp)	# ivp
    1894. 

  1894. 	llgf	$s0,0($s3)		# load iv
    1895. 

  1895. 	llgf	$s1,4($s3)
    1896. 

  1896. 	llgf	$s2,8($s3)
    1897. 

  1897. 	llgf	$s3,12($s3)
    1898. 

  1898. 	stm${g}	%r2,%r5,2*$SIZE_T($sp)
    1899. 

  1899. 	la	$key,0($key2)
    1900. 

  1900. 	larl	$tbl,AES_Te
    1901. 

  1901. 	bras	$ra,_s390x_AES_encrypt	# generate the tweak
    1902. 

  1902. 	lm${g}	%r2,%r5,2*$SIZE_T($sp)
    1903. 

  1903. 	stm	$s0,$s3,$tweak($sp)	# save the tweak
    1904. 

  1904. 	j	.Lxts_enc_enter
    1905. 

  1905. 

  1906. .align	16
    1907. 

  1907. .Lxts_enc_loop:
    1908. 

  1908. 	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
    1909. 

  1909. 	lrvg	$s3,$tweak+8($sp)
    1910. 

  1910. 	lghi	%r1,0x87
    1911. 

  1911. 	srag	%r0,$s3,63		# broadcast upper bit
    1912. 

  1912. 	ngr	%r1,%r0			# rem
    1913. 

  1913. 	algr	$s1,$s1
    1914. 

  1914. 	alcgr	$s3,$s3
    1915. 

  1915. 	xgr	$s1,%r1
    1916. 

  1916. 	lrvgr	$s1,$s1			# flip byte order
    1917. 

  1917. 	lrvgr	$s3,$s3
    1918. 

  1918. 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
    1919. 

  1919. 	stg	$s1,$tweak+0($sp)	# save the tweak
    1920. 

  1920. 	llgfr	$s1,$s1
    1921. 

  1921. 	srlg	$s2,$s3,32
    1922. 

  1922. 	stg	$s3,$tweak+8($sp)
    1923. 

  1923. 	llgfr	$s3,$s3
    1924. 

  1924. 	la	$inp,16($inp)		# $inp+=16
    1925. 

  1925. .Lxts_enc_enter:
    1926. 

  1926. 	x	$s0,0($inp)		# ^=*($inp)
    1927. 

  1927. 	x	$s1,4($inp)
    1928. 

  1928. 	x	$s2,8($inp)
    1929. 

  1929. 	x	$s3,12($inp)
    1930. 

  1930. 	stm${g}	%r2,%r3,2*$SIZE_T($sp)	# only two registers are changing
    1931. 

  1931. 	la	$key,0($key1)
    1932. 

  1932. 	bras	$ra,_s390x_AES_encrypt
    1933. 

  1933. 	lm${g}	%r2,%r5,2*$SIZE_T($sp)
    1934. 

  1934. 	x	$s0,$tweak+0($sp)	# ^=tweak
    1935. 

  1935. 	x	$s1,$tweak+4($sp)
    1936. 

  1936. 	x	$s2,$tweak+8($sp)
    1937. 

  1937. 	x	$s3,$tweak+12($sp)
    1938. 

  1938. 	st	$s0,0($out,$inp)
    1939. 

  1939. 	st	$s1,4($out,$inp)
    1940. 

  1940. 	st	$s2,8($out,$inp)
    1941. 

  1941. 	st	$s3,12($out,$inp)
    1942. 

  1942. 	brct${g}	$len,.Lxts_enc_loop
    1943. 

  1943. 

  1944. 	llgc	$len,`2*$SIZE_T-1`($sp)
    1945. 

  1945. 	nill	$len,0x0f		# $len%16
    1946. 

  1946. 	jz	.Lxts_enc_done
    1947. 

  1947. 

  1948. 	la	$i3,0($inp,$out)	# put aside real $out
    1949. 

  1949. .Lxts_enc_steal:
    1950. 

  1950. 	llgc	%r0,16($inp)
    1951. 

  1951. 	llgc	%r1,0($out,$inp)
    1952. 

  1952. 	stc	%r0,0($out,$inp)
    1953. 

  1953. 	stc	%r1,16($out,$inp)
    1954. 

  1954. 	la	$inp,1($inp)
    1955. 

  1955. 	brct	$len,.Lxts_enc_steal
    1956. 

  1956. 	la	$out,0($i3)		# restore real $out
    1957. 

  1957. 

  1958. 	# generate last tweak...
    1959. 

  1959. 	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
    1960. 

  1960. 	lrvg	$s3,$tweak+8($sp)
    1961. 

  1961. 	lghi	%r1,0x87
    1962. 

  1962. 	srag	%r0,$s3,63		# broadcast upper bit
    1963. 

  1963. 	ngr	%r1,%r0			# rem
    1964. 

  1964. 	algr	$s1,$s1
    1965. 

  1965. 	alcgr	$s3,$s3
    1966. 

  1966. 	xgr	$s1,%r1
    1967. 

  1967. 	lrvgr	$s1,$s1			# flip byte order
    1968. 

  1968. 	lrvgr	$s3,$s3
    1969. 

  1969. 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
    1970. 

  1970. 	stg	$s1,$tweak+0($sp)	# save the tweak
    1971. 

  1971. 	llgfr	$s1,$s1
    1972. 

  1972. 	srlg	$s2,$s3,32
    1973. 

  1973. 	stg	$s3,$tweak+8($sp)
    1974. 

  1974. 	llgfr	$s3,$s3
    1975. 

  1975. 

  1976. 	x	$s0,0($out)		# ^=*(inp)|stolen cipther-text
    1977. 

  1977. 	x	$s1,4($out)
    1978. 

  1978. 	x	$s2,8($out)
    1979. 

  1979. 	x	$s3,12($out)
    1980. 

  1980. 	st${g}	$out,4*$SIZE_T($sp)
    1981. 

  1981. 	la	$key,0($key1)
    1982. 

  1982. 	bras	$ra,_s390x_AES_encrypt
    1983. 

  1983. 	l${g}	$out,4*$SIZE_T($sp)
    1984. 

  1984. 	x	$s0,`$tweak+0`($sp)	# ^=tweak
    1985. 

  1985. 	x	$s1,`$tweak+4`($sp)
    1986. 

  1986. 	x	$s2,`$tweak+8`($sp)
    1987. 

  1987. 	x	$s3,`$tweak+12`($sp)
    1988. 

  1988. 	st	$s0,0($out)
    1989. 

  1989. 	st	$s1,4($out)
    1990. 

  1990. 	st	$s2,8($out)
    1991. 

  1991. 	st	$s3,12($out)
    1992. 

  1992. 

  1993. .Lxts_enc_done:
    1994. 

  1994. 	stg	$sp,$tweak+0($sp)	# wipe tweak
    1995. 

  1995. 	stg	$sp,$tweak+8($sp)
    1996. 

  1996. 	lm${g}	%r6,$ra,6*$SIZE_T($sp)
    1997. 

  1997. 	br	$ra
    1998. 

  1998. .size	AES_xts_encrypt,.-AES_xts_encrypt
    1999. 

  1999. ___
    2000. 

  2000. # void AES_xts_decrypt(const unsigned char *inp, unsigned char *out,
    2001. 

  2001. #	size_t len, const AES_KEY *key1, const AES_KEY *key2,
    2002. 

  2002. #	const unsigned char iv[16]);
    2003. 

  2003. #
    2004. 

  2004. $code.=<<___;
    2005. 

  2005. .globl	AES_xts_decrypt
    2006. 

  2006. .type	AES_xts_decrypt,\@function
    2007. 

  2007. .align	16
    2008. 

  2008. AES_xts_decrypt:
    2009. 

  2009. 	xgr	%r3,%r4			# flip %r3 and %r4, $out and $len
    2010. 

  2010. 	xgr	%r4,%r3
    2011. 

  2011. 	xgr	%r3,%r4
    2012. 

  2012. ___
    2013. 

  2013. $code.=<<___ if ($SIZE_T==4);
    2014. 

  2014. 	llgfr	$len,$len
    2015. 

  2015. ___
    2016. 

  2016. $code.=<<___;
    2017. 

  2017. 	st${g}	$len,1*$SIZE_T($sp)	# save copy of $len
    2018. 

  2018. 	aghi	$len,-16
    2019. 

  2019. 	bcr	4,$ra			# abort if less than zero. formally
    2020. 

  2020. 					# wrong, because $len is unsigned,
    2021. 

  2021. 					# but who can afford asking to
    2022. 

  2022. 					# process more than 2^63-1 bytes?
    2023. 

  2023. 	tmll	$len,0x0f
    2024. 

  2024. 	jnz	.Lxts_dec_proceed
    2025. 

  2025. 	aghi	$len,16
    2026. 

  2026. .Lxts_dec_proceed:
    2027. 

  2027. ___
    2028. 

  2028. $code.=<<___ if (!$softonly);
    2029. 

  2029. 	llgf	%r0,240($key2)
    2030. 

  2030. 	lhi	%r1,16
    2031. 

  2031. 	clr	%r0,%r1
    2032. 

  2032. 	jl	.Lxts_dec_software
    2033. 

  2033. 

  2034. 	st${g}	$ra,5*$SIZE_T($sp)
    2035. 

  2035. 	stm${g}	%r6,$s3,6*$SIZE_T($sp)
    2036. 

  2036. 

  2037. 	nill	$len,0xfff0		# $len&=~15
    2038. 

  2038. 	slgr	$out,$inp
    2039. 

  2039. 

  2040. 	# generate the tweak value
    2041. 

  2041. 	l${g}	$s3,$stdframe($sp)	# pointer to iv
    2042. 

  2042. 	la	$s2,$tweak($sp)
    2043. 

  2043. 	lmg	$s0,$s1,0($s3)
    2044. 

  2044. 	lghi	$s3,16
    2045. 

  2045. 	stmg	$s0,$s1,0($s2)
    2046. 

  2046. 	la	%r1,0($key2)		# $key2 is not needed past this point
    2047. 

  2047. 	.long	0xb92e00aa		# km $s2,$s2, generate the tweak
    2048. 

  2048. 	brc	1,.-4			# can this happen?
    2049. 

  2049. 

  2050. 	l	%r0,240($key1)
    2051. 

  2051. 	la	%r1,0($key1)		# $key1 is not needed anymore
    2052. 

  2052. 

  2053. 	ltgr	$len,$len
    2054. 

  2054. 	jz	.Lxts_dec_km_short
    2055. 

  2055. 	bras	$ra,_s390x_xts_km
    2056. 

  2056. 	jz	.Lxts_dec_km_done
    2057. 

  2057. 

  2058. 	lrvgr	$s2,$s0			# make copy in reverse byte order
    2059. 

  2059. 	lrvgr	$s3,$s1
    2060. 

  2060. 	j	.Lxts_dec_km_2ndtweak
    2061. 

  2061. 

  2062. .Lxts_dec_km_short:
    2063. 

  2063. 	llgc	$len,`2*$SIZE_T-1`($sp)
    2064. 

  2064. 	nill	$len,0x0f		# $len%=16
    2065. 

  2065. 	lrvg	$s0,$tweak+0($sp)	# load the tweak
    2066. 

  2066. 	lrvg	$s1,$tweak+8($sp)
    2067. 

  2067. 	lrvgr	$s2,$s0			# make copy in reverse byte order
    2068. 

  2068. 	lrvgr	$s3,$s1
    2069. 

  2069. 

  2070. .Lxts_dec_km_2ndtweak:
    2071. 

  2071. 	lghi	$i1,0x87
    2072. 

  2072. 	srag	$i2,$s1,63		# broadcast upper bit
    2073. 

  2073. 	ngr	$i1,$i2			# rem
    2074. 

  2074. 	algr	$s0,$s0
    2075. 

  2075. 	alcgr	$s1,$s1
    2076. 

  2076. 	xgr	$s0,$i1
    2077. 

  2077. 	lrvgr	$i1,$s0			# flip byte order
    2078. 

  2078. 	lrvgr	$i2,$s1
    2079. 

  2079. 

  2080. 	xg	$i1,0($inp)
    2081. 

  2081. 	xg	$i2,8($inp)
    2082. 

  2082. 	stg	$i1,0($out,$inp)
    2083. 

  2083. 	stg	$i2,8($out,$inp)
    2084. 

  2084. 	la	$i2,0($out,$inp)
    2085. 

  2085. 	lghi	$i3,16
    2086. 

  2086. 	.long	0xb92e0066		# km $i2,$i2
    2087. 

  2087. 	brc	1,.-4			# can this happen?
    2088. 

  2088. 	lrvgr	$i1,$s0
    2089. 

  2089. 	lrvgr	$i2,$s1
    2090. 

  2090. 	xg	$i1,0($out,$inp)
    2091. 

  2091. 	xg	$i2,8($out,$inp)
    2092. 

  2092. 	stg	$i1,0($out,$inp)
    2093. 

  2093. 	stg	$i2,8($out,$inp)
    2094. 

  2094. 

  2095. 	la	$i3,0($out,$inp)	# put aside real $out
    2096. 

  2096. .Lxts_dec_km_steal:
    2097. 

  2097. 	llgc	$i1,16($inp)
    2098. 

  2098. 	llgc	$i2,0($out,$inp)
    2099. 

  2099. 	stc	$i1,0($out,$inp)
    2100. 

  2100. 	stc	$i2,16($out,$inp)
    2101. 

  2101. 	la	$inp,1($inp)
    2102. 

  2102. 	brct	$len,.Lxts_dec_km_steal
    2103. 

  2103. 

  2104. 	lgr	$s0,$s2
    2105. 

  2105. 	lgr	$s1,$s3
    2106. 

  2106. 	xg	$s0,0($i3)
    2107. 

  2107. 	xg	$s1,8($i3)
    2108. 

  2108. 	stg	$s0,0($i3)
    2109. 

  2109. 	stg	$s1,8($i3)
    2110. 

  2110. 	la	$s0,0($i3)
    2111. 

  2111. 	lghi	$s1,16
    2112. 

  2112. 	.long	0xb92e0088		# km $s0,$s0
    2113. 

  2113. 	brc	1,.-4			# can this happen?
    2114. 

  2114. 	xg	$s2,0($i3)
    2115. 

  2115. 	xg	$s3,8($i3)
    2116. 

  2116. 	stg	$s2,0($i3)
    2117. 

  2117. 	stg	$s3,8($i3)
    2118. 

  2118. .Lxts_dec_km_done:
    2119. 

  2119. 	stg	$sp,$tweak+0($sp)	# wipe tweak
    2120. 

  2120. 	stg	$sp,$tweak+8($sp)
    2121. 

  2121. 	l${g}	$ra,5*$SIZE_T($sp)
    2122. 

  2122. 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
    2123. 

  2123. 	br	$ra
    2124. 

  2124. .align	16
    2125. 

  2125. .Lxts_dec_software:
    2126. 

  2126. ___
    2127. 

  2127. $code.=<<___;
    2128. 

  2128. 	stm${g}	%r6,$ra,6*$SIZE_T($sp)
    2129. 

  2129. 

  2130. 	srlg	$len,$len,4
    2131. 

  2131. 	slgr	$out,$inp
    2132. 

  2132. 

  2133. 	l${g}	$s3,$stdframe($sp)	# ivp
    2134. 

  2134. 	llgf	$s0,0($s3)		# load iv
    2135. 

  2135. 	llgf	$s1,4($s3)
    2136. 

  2136. 	llgf	$s2,8($s3)
    2137. 

  2137. 	llgf	$s3,12($s3)
    2138. 

  2138. 	stm${g}	%r2,%r5,2*$SIZE_T($sp)
    2139. 

  2139. 	la	$key,0($key2)
    2140. 

  2140. 	larl	$tbl,AES_Te
    2141. 

  2141. 	bras	$ra,_s390x_AES_encrypt	# generate the tweak
    2142. 

  2142. 	lm${g}	%r2,%r5,2*$SIZE_T($sp)
    2143. 

  2143. 	larl	$tbl,AES_Td
    2144. 

  2144. 	lt${g}r	$len,$len
    2145. 

  2145. 	stm	$s0,$s3,$tweak($sp)	# save the tweak
    2146. 

  2146. 	jz	.Lxts_dec_short
    2147. 

  2147. 	j	.Lxts_dec_enter
    2148. 

  2148. 

  2149. .align	16
    2150. 

  2150. .Lxts_dec_loop:
    2151. 

  2151. 	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
    2152. 

  2152. 	lrvg	$s3,$tweak+8($sp)
    2153. 

  2153. 	lghi	%r1,0x87
    2154. 

  2154. 	srag	%r0,$s3,63		# broadcast upper bit
    2155. 

  2155. 	ngr	%r1,%r0			# rem
    2156. 

  2156. 	algr	$s1,$s1
    2157. 

  2157. 	alcgr	$s3,$s3
    2158. 

  2158. 	xgr	$s1,%r1
    2159. 

  2159. 	lrvgr	$s1,$s1			# flip byte order
    2160. 

  2160. 	lrvgr	$s3,$s3
    2161. 

  2161. 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
    2162. 

  2162. 	stg	$s1,$tweak+0($sp)	# save the tweak
    2163. 

  2163. 	llgfr	$s1,$s1
    2164. 

  2164. 	srlg	$s2,$s3,32
    2165. 

  2165. 	stg	$s3,$tweak+8($sp)
    2166. 

  2166. 	llgfr	$s3,$s3
    2167. 

  2167. .Lxts_dec_enter:
    2168. 

  2168. 	x	$s0,0($inp)		# tweak^=*(inp)
    2169. 

  2169. 	x	$s1,4($inp)
    2170. 

  2170. 	x	$s2,8($inp)
    2171. 

  2171. 	x	$s3,12($inp)
    2172. 

  2172. 	stm${g}	%r2,%r3,2*$SIZE_T($sp)	# only two registers are changing
    2173. 

  2173. 	la	$key,0($key1)
    2174. 

  2174. 	bras	$ra,_s390x_AES_decrypt
    2175. 

  2175. 	lm${g}	%r2,%r5,2*$SIZE_T($sp)
    2176. 

  2176. 	x	$s0,$tweak+0($sp)	# ^=tweak
    2177. 

  2177. 	x	$s1,$tweak+4($sp)
    2178. 

  2178. 	x	$s2,$tweak+8($sp)
    2179. 

  2179. 	x	$s3,$tweak+12($sp)
    2180. 

  2180. 	st	$s0,0($out,$inp)
    2181. 

  2181. 	st	$s1,4($out,$inp)
    2182. 

  2182. 	st	$s2,8($out,$inp)
    2183. 

  2183. 	st	$s3,12($out,$inp)
    2184. 

  2184. 	la	$inp,16($inp)
    2185. 

  2185. 	brct${g}	$len,.Lxts_dec_loop
    2186. 

  2186. 

  2187. 	llgc	$len,`2*$SIZE_T-1`($sp)
    2188. 

  2188. 	nill	$len,0x0f		# $len%16
    2189. 

  2189. 	jz	.Lxts_dec_done
    2190. 

  2190. 

  2191. 	# generate pair of tweaks...
    2192. 

  2192. 	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
    2193. 

  2193. 	lrvg	$s3,$tweak+8($sp)
    2194. 

  2194. 	lghi	%r1,0x87
    2195. 

  2195. 	srag	%r0,$s3,63		# broadcast upper bit
    2196. 

  2196. 	ngr	%r1,%r0			# rem
    2197. 

  2197. 	algr	$s1,$s1
    2198. 

  2198. 	alcgr	$s3,$s3
    2199. 

  2199. 	xgr	$s1,%r1
    2200. 

  2200. 	lrvgr	$i2,$s1			# flip byte order
    2201. 

  2201. 	lrvgr	$i3,$s3
    2202. 

  2202. 	stmg	$i2,$i3,$tweak($sp)	# save the 1st tweak
    2203. 

  2203. 	j	.Lxts_dec_2ndtweak
    2204. 

  2204. 

  2205. .align	16
    2206. 

  2206. .Lxts_dec_short:
    2207. 

  2207. 	llgc	$len,`2*$SIZE_T-1`($sp)
    2208. 

  2208. 	nill	$len,0x0f		# $len%16
    2209. 

  2209. 	lrvg	$s1,$tweak+0($sp)	# load the tweak in little-endian
    2210. 

  2210. 	lrvg	$s3,$tweak+8($sp)
    2211. 

  2211. .Lxts_dec_2ndtweak:
    2212. 

  2212. 	lghi	%r1,0x87
    2213. 

  2213. 	srag	%r0,$s3,63		# broadcast upper bit
    2214. 

  2214. 	ngr	%r1,%r0			# rem
    2215. 

  2215. 	algr	$s1,$s1
    2216. 

  2216. 	alcgr	$s3,$s3
    2217. 

  2217. 	xgr	$s1,%r1
    2218. 

  2218. 	lrvgr	$s1,$s1			# flip byte order
    2219. 

  2219. 	lrvgr	$s3,$s3
    2220. 

  2220. 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
    2221. 

  2221. 	stg	$s1,$tweak-16+0($sp)	# save the 2nd tweak
    2222. 

  2222. 	llgfr	$s1,$s1
    2223. 

  2223. 	srlg	$s2,$s3,32
    2224. 

  2224. 	stg	$s3,$tweak-16+8($sp)
    2225. 

  2225. 	llgfr	$s3,$s3
    2226. 

  2226. 

  2227. 	x	$s0,0($inp)		# tweak_the_2nd^=*(inp)
    2228. 

  2228. 	x	$s1,4($inp)
    2229. 

  2229. 	x	$s2,8($inp)
    2230. 

  2230. 	x	$s3,12($inp)
    2231. 

  2231. 	stm${g}	%r2,%r3,2*$SIZE_T($sp)
    2232. 

  2232. 	la	$key,0($key1)
    2233. 

  2233. 	bras	$ra,_s390x_AES_decrypt
    2234. 

  2234. 	lm${g}	%r2,%r5,2*$SIZE_T($sp)
    2235. 

  2235. 	x	$s0,$tweak-16+0($sp)	# ^=tweak_the_2nd
    2236. 

  2236. 	x	$s1,$tweak-16+4($sp)
    2237. 

  2237. 	x	$s2,$tweak-16+8($sp)
    2238. 

  2238. 	x	$s3,$tweak-16+12($sp)
    2239. 

  2239. 	st	$s0,0($out,$inp)
    2240. 

  2240. 	st	$s1,4($out,$inp)
    2241. 

  2241. 	st	$s2,8($out,$inp)
    2242. 

  2242. 	st	$s3,12($out,$inp)
    2243. 

  2243. 

  2244. 	la	$i3,0($out,$inp)	# put aside real $out
    2245. 

  2245. .Lxts_dec_steal:
    2246. 

  2246. 	llgc	%r0,16($inp)
    2247. 

  2247. 	llgc	%r1,0($out,$inp)
    2248. 

  2248. 	stc	%r0,0($out,$inp)
    2249. 

  2249. 	stc	%r1,16($out,$inp)
    2250. 

  2250. 	la	$inp,1($inp)
    2251. 

  2251. 	brct	$len,.Lxts_dec_steal
    2252. 

  2252. 	la	$out,0($i3)		# restore real $out
    2253. 

  2253. 

  2254. 	lm	$s0,$s3,$tweak($sp)	# load the 1st tweak
    2255. 

  2255. 	x	$s0,0($out)		# tweak^=*(inp)|stolen cipher-text
    2256. 

  2256. 	x	$s1,4($out)
    2257. 

  2257. 	x	$s2,8($out)
    2258. 

  2258. 	x	$s3,12($out)
    2259. 

  2259. 	st${g}	$out,4*$SIZE_T($sp)
    2260. 

  2260. 	la	$key,0($key1)
    2261. 

  2261. 	bras	$ra,_s390x_AES_decrypt
    2262. 

  2262. 	l${g}	$out,4*$SIZE_T($sp)
    2263. 

  2263. 	x	$s0,$tweak+0($sp)	# ^=tweak
    2264. 

  2264. 	x	$s1,$tweak+4($sp)
    2265. 

  2265. 	x	$s2,$tweak+8($sp)
    2266. 

  2266. 	x	$s3,$tweak+12($sp)
    2267. 

  2267. 	st	$s0,0($out)
    2268. 

  2268. 	st	$s1,4($out)
    2269. 

  2269. 	st	$s2,8($out)
    2270. 

  2270. 	st	$s3,12($out)
    2271. 

  2271. 	stg	$sp,$tweak-16+0($sp)	# wipe 2nd tweak
    2272. 

  2272. 	stg	$sp,$tweak-16+8($sp)
    2273. 

  2273. .Lxts_dec_done:
    2274. 

  2274. 	stg	$sp,$tweak+0($sp)	# wipe tweak
    2275. 

  2275. 	stg	$sp,$tweak+8($sp)
    2276. 

  2276. 	lm${g}	%r6,$ra,6*$SIZE_T($sp)
    2277. 

  2277. 	br	$ra
    2278. 

  2278. .size	AES_xts_decrypt,.-AES_xts_decrypt
    2279. 

  2279. ___
    2280. 

  2280. }
    2281. 

  2281. $code.=<<___;
    2282. 

  2282. .string	"AES for s390x, CRYPTOGAMS by <appro\@openssl.org>"
    2283. 

  2283. ___
    2284. 

  2284. 

  2285. $code =~ s/\`([^\`]*)\`/eval $1/gem;
    2286. 

  2286. print $code;
    2287. 

  2287. close STDOUT or die "error closing STDOUT: $!";	# force flush
    2288.