release/src/router/openssl/crypto/camellia/asm/cmll-x86_64.pl

   1 #!/usr/bin/env perl
   2
   3 # ====================================================================
   4 # Copyright (c) 2008 Andy Polyakov <appro@openssl.org>
   5 #
   6 # This module may be used under the terms of either the GNU General
   7 # Public License version 2 or later, the GNU Lesser General Public
   8 # License version 2.1 or later, the Mozilla Public License version
   9 # 1.1 or the BSD License. The exact terms of either license are
  10 # distributed along with this module. For further details see
  11 # http://www.openssl.org/~appro/camellia/.
  12 # ====================================================================
  13
  14 # Performance in cycles per processed byte (less is better) in
  15 # 'openssl speed ...' benchmark:
  16 #
  17 #                       AMD64   Core2   EM64T
  18 # -evp camellia-128-ecb 16.7    21.0    22.7
  19 # + over gcc 3.4.6      +25%    +5%     0%
  20 #
  21 # camellia-128-cbc      15.7    20.4    21.1
  22 #
  23 # 128-bit key setup     128     216     205     cycles/key
  24 # + over gcc 3.4.6      +54%    +39%    +15%
  25 #
  26 # Numbers in "+" rows represent performance improvement over compiler
  27 # generated code. Key setup timings are impressive on AMD and Core2
  28 # thanks to 64-bit operations being covertly deployed. Improvement on
  29 # EM64T, pre-Core2 Intel x86_64 CPU, is not as impressive, because it
  30 # apparently emulates some of 64-bit operations in [32-bit] microcode.
  31
  32 $flavour = shift;
  33 $output  = shift;
  34 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
  35
  36 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
  37
  38 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
  39 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
  40 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
  41 die "can't locate x86_64-xlate.pl";
  42
  43 open OUT,"| \"$^X\" $xlate $flavour $output";
  44 *STDOUT=*OUT;
  45
  46 sub hi() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1h/;    $r; }
  47 sub lo() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1l/;
  48                         $r =~ s/%[er]([sd]i)/%\1l/;
  49                         $r =~ s/%(r[0-9]+)[d]?/%\1b/;   $r; }
  50
  51 $t0="%eax";$t1="%ebx";$t2="%ecx";$t3="%edx";
  52 @S=("%r8d","%r9d","%r10d","%r11d");
  53 $i0="%esi";
  54 $i1="%edi";
  55 $Tbl="%rbp";    # size optimization
  56 $inp="%r12";
  57 $out="%r13";
  58 $key="%r14";
  59 $keyend="%r15";
  60 $arg0d=$win64?"%ecx":"%edi";
  61
  62 # const unsigned int Camellia_SBOX[4][256];
  63 # Well, sort of... Camellia_SBOX[0][] is interleaved with [1][],
  64 # and [2][] - with [3][]. This is done to minimize code size.
  65 $SBOX1_1110=0;          # Camellia_SBOX[0]
  66 $SBOX4_4404=4;          # Camellia_SBOX[1]
  67 $SBOX2_0222=2048;       # Camellia_SBOX[2]
  68 $SBOX3_3033=2052;       # Camellia_SBOX[3]
  69
  70 sub Camellia_Feistel {
  71 my $i=@_[0];
  72 my $seed=defined(@_[1])?@_[1]:0;
  73 my $scale=$seed<0?-8:8;
  74 my $j=($i&1)*2;
  75 my $s0=@S[($j)%4],$s1=@S[($j+1)%4],$s2=@S[($j+2)%4],$s3=@S[($j+3)%4];
  76
  77 $code.=<<___;
  78         xor     $s0,$t0                         # t0^=key[0]
  79         xor     $s1,$t1                         # t1^=key[1]
  80         movz    `&hi("$t0")`,$i0                # (t0>>8)&0xff
  81         movz    `&lo("$t1")`,$i1                # (t1>>0)&0xff
  82         mov     $SBOX3_3033($Tbl,$i0,8),$t3     # t3=SBOX3_3033[0]
  83         mov     $SBOX1_1110($Tbl,$i1,8),$t2     # t2=SBOX1_1110[1]
  84         movz    `&lo("$t0")`,$i0                # (t0>>0)&0xff
  85         shr     \$16,$t0
  86         movz    `&hi("$t1")`,$i1                # (t1>>8)&0xff
  87         xor     $SBOX4_4404($Tbl,$i0,8),$t3     # t3^=SBOX4_4404[0]
  88         shr     \$16,$t1
  89         xor     $SBOX4_4404($Tbl,$i1,8),$t2     # t2^=SBOX4_4404[1]
  90         movz    `&hi("$t0")`,$i0                # (t0>>24)&0xff
  91         movz    `&lo("$t1")`,$i1                # (t1>>16)&0xff
  92         xor     $SBOX1_1110($Tbl,$i0,8),$t3     # t3^=SBOX1_1110[0]
  93         xor     $SBOX3_3033($Tbl,$i1,8),$t2     # t2^=SBOX3_3033[1]
  94         movz    `&lo("$t0")`,$i0                # (t0>>16)&0xff
  95         movz    `&hi("$t1")`,$i1                # (t1>>24)&0xff
  96         xor     $SBOX2_0222($Tbl,$i0,8),$t3     # t3^=SBOX2_0222[0]
  97         xor     $SBOX2_0222($Tbl,$i1,8),$t2     # t2^=SBOX2_0222[1]
  98         mov     `$seed+($i+1)*$scale`($key),$t1 # prefetch key[i+1]
  99         mov     `$seed+($i+1)*$scale+4`($key),$t0
 100         xor     $t3,$t2                         # t2^=t3
 101         ror     \$8,$t3                         # t3=RightRotate(t3,8)
 102         xor     $t2,$s2
 103         xor     $t2,$s3
 104         xor     $t3,$s3
 105 ___
 106 }
 107
 108 # void Camellia_EncryptBlock_Rounds(
 109 #               int grandRounds,
 110 #               const Byte plaintext[],
 111 #               const KEY_TABLE_TYPE keyTable,
 112 #               Byte ciphertext[])
 113 $code=<<___;
 114 .text
 115
 116 # V1.x API
 117 .globl  Camellia_EncryptBlock
 118 .type   Camellia_EncryptBlock,\@abi-omnipotent
 119 .align  16
 120 Camellia_EncryptBlock:
 121         movl    \$128,%eax
 122         subl    $arg0d,%eax
 123         movl    \$3,$arg0d
 124         adcl    \$0,$arg0d      # keyBitLength==128?3:4
 125         jmp     .Lenc_rounds
 126 .size   Camellia_EncryptBlock,.-Camellia_EncryptBlock
 127 # V2
 128 .globl  Camellia_EncryptBlock_Rounds
 129 .type   Camellia_EncryptBlock_Rounds,\@function,4
 130 .align  16
 131 .Lenc_rounds:
 132 Camellia_EncryptBlock_Rounds:
 133         push    %rbx
 134         push    %rbp
 135         push    %r13
 136         push    %r14
 137         push    %r15
 138 .Lenc_prologue:
 139
 140         #mov    %rsi,$inp               # put away arguments
 141         mov     %rcx,$out
 142         mov     %rdx,$key
 143
 144         shl     \$6,%edi                # process grandRounds
 145         lea     .LCamellia_SBOX(%rip),$Tbl
 146         lea     ($key,%rdi),$keyend
 147
 148         mov     0(%rsi),@S[0]           # load plaintext
 149         mov     4(%rsi),@S[1]
 150         mov     8(%rsi),@S[2]
 151         bswap   @S[0]
 152         mov     12(%rsi),@S[3]
 153         bswap   @S[1]
 154         bswap   @S[2]
 155         bswap   @S[3]
 156
 157         call    _x86_64_Camellia_encrypt
 158
 159         bswap   @S[0]
 160         bswap   @S[1]
 161         bswap   @S[2]
 162         mov     @S[0],0($out)
 163         bswap   @S[3]
 164         mov     @S[1],4($out)
 165         mov     @S[2],8($out)
 166         mov     @S[3],12($out)
 167
 168         mov     0(%rsp),%r15
 169         mov     8(%rsp),%r14
 170         mov     16(%rsp),%r13
 171         mov     24(%rsp),%rbp
 172         mov     32(%rsp),%rbx
 173         lea     40(%rsp),%rsp
 174 .Lenc_epilogue:
 175         ret
 176 .size   Camellia_EncryptBlock_Rounds,.-Camellia_EncryptBlock_Rounds
 177
 178 .type   _x86_64_Camellia_encrypt,\@abi-omnipotent
 179 .align  16
 180 _x86_64_Camellia_encrypt:
 181         xor     0($key),@S[1]
 182         xor     4($key),@S[0]           # ^=key[0-3]
 183         xor     8($key),@S[3]
 184         xor     12($key),@S[2]
 185 .align  16
 186 .Leloop:
 187         mov     16($key),$t1            # prefetch key[4-5]
 188         mov     20($key),$t0
 189
 190 ___
 191         for ($i=0;$i<6;$i++) { Camellia_Feistel($i,16); }
 192 $code.=<<___;
 193         lea     16*4($key),$key
 194         cmp     $keyend,$key
 195         mov     8($key),$t3             # prefetch key[2-3]
 196         mov     12($key),$t2
 197         je      .Ledone
 198
 199         and     @S[0],$t0
 200         or      @S[3],$t3
 201         rol     \$1,$t0
 202         xor     $t3,@S[2]               # s2^=s3|key[3];
 203         xor     $t0,@S[1]               # s1^=LeftRotate(s0&key[0],1);
 204         and     @S[2],$t2
 205         or      @S[1],$t1
 206         rol     \$1,$t2
 207         xor     $t1,@S[0]               # s0^=s1|key[1];
 208         xor     $t2,@S[3]               # s3^=LeftRotate(s2&key[2],1);
 209         jmp     .Leloop
 210
 211 .align  16
 212 .Ledone:
 213         xor     @S[2],$t0               # SwapHalf
 214         xor     @S[3],$t1
 215         xor     @S[0],$t2
 216         xor     @S[1],$t3
 217
 218         mov     $t0,@S[0]
 219         mov     $t1,@S[1]
 220         mov     $t2,@S[2]
 221         mov     $t3,@S[3]
 222
 223         .byte   0xf3,0xc3               # rep ret
 224 .size   _x86_64_Camellia_encrypt,.-_x86_64_Camellia_encrypt
 225
 226 # V1.x API
 227 .globl  Camellia_DecryptBlock
 228 .type   Camellia_DecryptBlock,\@abi-omnipotent
 229 .align  16
 230 Camellia_DecryptBlock:
 231         movl    \$128,%eax
 232         subl    $arg0d,%eax
 233         movl    \$3,$arg0d
 234         adcl    \$0,$arg0d      # keyBitLength==128?3:4
 235         jmp     .Ldec_rounds
 236 .size   Camellia_DecryptBlock,.-Camellia_DecryptBlock
 237 # V2
 238 .globl  Camellia_DecryptBlock_Rounds
 239 .type   Camellia_DecryptBlock_Rounds,\@function,4
 240 .align  16
 241 .Ldec_rounds:
 242 Camellia_DecryptBlock_Rounds:
 243         push    %rbx
 244         push    %rbp
 245         push    %r13
 246         push    %r14
 247         push    %r15
 248 .Ldec_prologue:
 249
 250         #mov    %rsi,$inp               # put away arguments
 251         mov     %rcx,$out
 252         mov     %rdx,$keyend
 253
 254         shl     \$6,%edi                # process grandRounds
 255         lea     .LCamellia_SBOX(%rip),$Tbl
 256         lea     ($keyend,%rdi),$key
 257
 258         mov     0(%rsi),@S[0]           # load plaintext
 259         mov     4(%rsi),@S[1]
 260         mov     8(%rsi),@S[2]
 261         bswap   @S[0]
 262         mov     12(%rsi),@S[3]
 263         bswap   @S[1]
 264         bswap   @S[2]
 265         bswap   @S[3]
 266
 267         call    _x86_64_Camellia_decrypt
 268
 269         bswap   @S[0]
 270         bswap   @S[1]
 271         bswap   @S[2]
 272         mov     @S[0],0($out)
 273         bswap   @S[3]
 274         mov     @S[1],4($out)
 275         mov     @S[2],8($out)
 276         mov     @S[3],12($out)
 277
 278         mov     0(%rsp),%r15
 279         mov     8(%rsp),%r14
 280         mov     16(%rsp),%r13
 281         mov     24(%rsp),%rbp
 282         mov     32(%rsp),%rbx
 283         lea     40(%rsp),%rsp
 284 .Ldec_epilogue:
 285         ret
 286 .size   Camellia_DecryptBlock_Rounds,.-Camellia_DecryptBlock_Rounds
 287
 288 .type   _x86_64_Camellia_decrypt,\@abi-omnipotent
 289 .align  16
 290 _x86_64_Camellia_decrypt:
 291         xor     0($key),@S[1]
 292         xor     4($key),@S[0]           # ^=key[0-3]
 293         xor     8($key),@S[3]
 294         xor     12($key),@S[2]
 295 .align  16
 296 .Ldloop:
 297         mov     -8($key),$t1            # prefetch key[4-5]
 298         mov     -4($key),$t0
 299
 300 ___
 301         for ($i=0;$i<6;$i++) { Camellia_Feistel($i,-8); }
 302 $code.=<<___;
 303         lea     -16*4($key),$key
 304         cmp     $keyend,$key
 305         mov     0($key),$t3             # prefetch key[2-3]
 306         mov     4($key),$t2
 307         je      .Lddone
 308
 309         and     @S[0],$t0
 310         or      @S[3],$t3
 311         rol     \$1,$t0
 312         xor     $t3,@S[2]               # s2^=s3|key[3];
 313         xor     $t0,@S[1]               # s1^=LeftRotate(s0&key[0],1);
 314         and     @S[2],$t2
 315         or      @S[1],$t1
 316         rol     \$1,$t2
 317         xor     $t1,@S[0]               # s0^=s1|key[1];
 318         xor     $t2,@S[3]               # s3^=LeftRotate(s2&key[2],1);
 319
 320         jmp     .Ldloop
 321
 322 .align  16
 323 .Lddone:
 324         xor     @S[2],$t2
 325         xor     @S[3],$t3
 326         xor     @S[0],$t0
 327         xor     @S[1],$t1
 328
 329         mov     $t2,@S[0]               # SwapHalf
 330         mov     $t3,@S[1]
 331         mov     $t0,@S[2]
 332         mov     $t1,@S[3]
 333
 334         .byte   0xf3,0xc3               # rep ret
 335 .size   _x86_64_Camellia_decrypt,.-_x86_64_Camellia_decrypt
 336 ___
 337
 338 sub _saveround {
 339 my ($rnd,$key,@T)=@_;
 340 my $bias=int(@T[0])?shift(@T):0;
 341
 342     if ($#T==3) {
 343         $code.=<<___;
 344         mov     @T[1],`$bias+$rnd*8+0`($key)
 345         mov     @T[0],`$bias+$rnd*8+4`($key)
 346         mov     @T[3],`$bias+$rnd*8+8`($key)
 347         mov     @T[2],`$bias+$rnd*8+12`($key)
 348 ___
 349     } else {
 350         $code.="        mov     @T[0],`$bias+$rnd*8+0`($key)\n";
 351         $code.="        mov     @T[1],`$bias+$rnd*8+8`($key)\n" if ($#T>=1);
 352     }
 353 }
 354
 355 sub _loadround {
 356 my ($rnd,$key,@T)=@_;
 357 my $bias=int(@T[0])?shift(@T):0;
 358
 359 $code.="        mov     `$bias+$rnd*8+0`($key),@T[0]\n";
 360 $code.="        mov     `$bias+$rnd*8+8`($key),@T[1]\n" if ($#T>=1);
 361 }
 362
 363 # shld is very slow on Intel EM64T family. Even on AMD it limits
 364 # instruction decode rate [because it's VectorPath] and consequently
 365 # performance...
 366 sub __rotl128 {
 367 my ($i0,$i1,$rot)=@_;
 368
 369     if ($rot) {
 370         $code.=<<___;
 371         mov     $i0,%r11
 372         shld    \$$rot,$i1,$i0
 373         shld    \$$rot,%r11,$i1
 374 ___
 375     }
 376 }
 377
 378 # ... Implementing 128-bit rotate without shld gives 80% better
 379 # performance EM64T, +15% on AMD64 and only ~7% degradation on
 380 # Core2. This is therefore preferred.
 381 sub _rotl128 {
 382 my ($i0,$i1,$rot)=@_;
 383
 384     if ($rot) {
 385         $code.=<<___;
 386         mov     $i0,%r11
 387         shl     \$$rot,$i0
 388         mov     $i1,%r9
 389         shr     \$`64-$rot`,%r9
 390         shr     \$`64-$rot`,%r11
 391         or      %r9,$i0
 392         shl     \$$rot,$i1
 393         or      %r11,$i1
 394 ___
 395     }
 396 }
 397
 398 { my $step=0;
 399
 400 $code.=<<___;
 401 .globl  Camellia_Ekeygen
 402 .type   Camellia_Ekeygen,\@function,3
 403 .align  16
 404 Camellia_Ekeygen:
 405         push    %rbx
 406         push    %rbp
 407         push    %r13
 408         push    %r14
 409         push    %r15
 410 .Lkey_prologue:
 411
 412         mov     %rdi,$keyend            # put away arguments, keyBitLength
 413         mov     %rdx,$out               # keyTable
 414
 415         mov     0(%rsi),@S[0]           # load 0-127 bits
 416         mov     4(%rsi),@S[1]
 417         mov     8(%rsi),@S[2]
 418         mov     12(%rsi),@S[3]
 419
 420         bswap   @S[0]
 421         bswap   @S[1]
 422         bswap   @S[2]
 423         bswap   @S[3]
 424 ___
 425         &_saveround     (0,$out,@S);    # KL<<<0
 426 $code.=<<___;
 427         cmp     \$128,$keyend           # check keyBitLength
 428         je      .L1st128
 429
 430         mov     16(%rsi),@S[0]          # load 128-191 bits
 431         mov     20(%rsi),@S[1]
 432         cmp     \$192,$keyend
 433         je      .L1st192
 434         mov     24(%rsi),@S[2]          # load 192-255 bits
 435         mov     28(%rsi),@S[3]
 436         jmp     .L1st256
 437 .L1st192:
 438         mov     @S[0],@S[2]
 439         mov     @S[1],@S[3]
 440         not     @S[2]
 441         not     @S[3]
 442 .L1st256:
 443         bswap   @S[0]
 444         bswap   @S[1]
 445         bswap   @S[2]
 446         bswap   @S[3]
 447 ___
 448         &_saveround     (4,$out,@S);    # temp storage for KR!
 449 $code.=<<___;
 450         xor     0($out),@S[1]           # KR^KL
 451         xor     4($out),@S[0]
 452         xor     8($out),@S[3]
 453         xor     12($out),@S[2]
 454
 455 .L1st128:
 456         lea     .LCamellia_SIGMA(%rip),$key
 457         lea     .LCamellia_SBOX(%rip),$Tbl
 458
 459         mov     0($key),$t1
 460         mov     4($key),$t0
 461 ___
 462         &Camellia_Feistel($step++);
 463         &Camellia_Feistel($step++);
 464 $code.=<<___;
 465         xor     0($out),@S[1]           # ^KL
 466         xor     4($out),@S[0]
 467         xor     8($out),@S[3]
 468         xor     12($out),@S[2]
 469 ___
 470         &Camellia_Feistel($step++);
 471         &Camellia_Feistel($step++);
 472 $code.=<<___;
 473         cmp     \$128,$keyend
 474         jne     .L2nd256
 475
 476         lea     128($out),$out          # size optimization
 477         shl     \$32,%r8                # @S[0]||
 478         shl     \$32,%r10               # @S[2]||
 479         or      %r9,%r8                 # ||@S[1]
 480         or      %r11,%r10               # ||@S[3]
 481 ___
 482         &_loadround     (0,$out,-128,"%rax","%rbx");    # KL
 483         &_saveround     (2,$out,-128,"%r8","%r10");     # KA<<<0
 484         &_rotl128       ("%rax","%rbx",15);
 485         &_saveround     (4,$out,-128,"%rax","%rbx");    # KL<<<15
 486         &_rotl128       ("%r8","%r10",15);
 487         &_saveround     (6,$out,-128,"%r8","%r10");     # KA<<<15
 488         &_rotl128       ("%r8","%r10",15);              # 15+15=30
 489         &_saveround     (8,$out,-128,"%r8","%r10");     # KA<<<30
 490         &_rotl128       ("%rax","%rbx",30);             # 15+30=45
 491         &_saveround     (10,$out,-128,"%rax","%rbx");   # KL<<<45
 492         &_rotl128       ("%r8","%r10",15);              # 30+15=45
 493         &_saveround     (12,$out,-128,"%r8");           # KA<<<45
 494         &_rotl128       ("%rax","%rbx",15);             # 45+15=60
 495         &_saveround     (13,$out,-128,"%rbx");          # KL<<<60
 496         &_rotl128       ("%r8","%r10",15);              # 45+15=60
 497         &_saveround     (14,$out,-128,"%r8","%r10");    # KA<<<60
 498         &_rotl128       ("%rax","%rbx",17);             # 60+17=77
 499         &_saveround     (16,$out,-128,"%rax","%rbx");   # KL<<<77
 500         &_rotl128       ("%rax","%rbx",17);             # 77+17=94
 501         &_saveround     (18,$out,-128,"%rax","%rbx");   # KL<<<94
 502         &_rotl128       ("%r8","%r10",34);              # 60+34=94
 503         &_saveround     (20,$out,-128,"%r8","%r10");    # KA<<<94
 504         &_rotl128       ("%rax","%rbx",17);             # 94+17=111
 505         &_saveround     (22,$out,-128,"%rax","%rbx");   # KL<<<111
 506         &_rotl128       ("%r8","%r10",17);              # 94+17=111
 507         &_saveround     (24,$out,-128,"%r8","%r10");    # KA<<<111
 508 $code.=<<___;
 509         mov     \$3,%eax
 510         jmp     .Ldone
 511 .align  16
 512 .L2nd256:
 513 ___
 514         &_saveround     (6,$out,@S);    # temp storage for KA!
 515 $code.=<<___;
 516         xor     `4*8+0`($out),@S[1]     # KA^KR
 517         xor     `4*8+4`($out),@S[0]
 518         xor     `5*8+0`($out),@S[3]
 519         xor     `5*8+4`($out),@S[2]
 520 ___
 521         &Camellia_Feistel($step++);
 522         &Camellia_Feistel($step++);
 523
 524         &_loadround     (0,$out,"%rax","%rbx"); # KL
 525         &_loadround     (4,$out,"%rcx","%rdx"); # KR
 526         &_loadround     (6,$out,"%r14","%r15"); # KA
 527 $code.=<<___;
 528         lea     128($out),$out          # size optimization
 529         shl     \$32,%r8                # @S[0]||
 530         shl     \$32,%r10               # @S[2]||
 531         or      %r9,%r8                 # ||@S[1]
 532         or      %r11,%r10               # ||@S[3]
 533 ___
 534         &_saveround     (2,$out,-128,"%r8","%r10");     # KB<<<0
 535         &_rotl128       ("%rcx","%rdx",15);
 536         &_saveround     (4,$out,-128,"%rcx","%rdx");    # KR<<<15
 537         &_rotl128       ("%r14","%r15",15);
 538         &_saveround     (6,$out,-128,"%r14","%r15");    # KA<<<15
 539         &_rotl128       ("%rcx","%rdx",15);             # 15+15=30
 540         &_saveround     (8,$out,-128,"%rcx","%rdx");    # KR<<<30
 541         &_rotl128       ("%r8","%r10",30);
 542         &_saveround     (10,$out,-128,"%r8","%r10");    # KB<<<30
 543         &_rotl128       ("%rax","%rbx",45);
 544         &_saveround     (12,$out,-128,"%rax","%rbx");   # KL<<<45
 545         &_rotl128       ("%r14","%r15",30);             # 15+30=45
 546         &_saveround     (14,$out,-128,"%r14","%r15");   # KA<<<45
 547         &_rotl128       ("%rax","%rbx",15);             # 45+15=60
 548         &_saveround     (16,$out,-128,"%rax","%rbx");   # KL<<<60
 549         &_rotl128       ("%rcx","%rdx",30);             # 30+30=60
 550         &_saveround     (18,$out,-128,"%rcx","%rdx");   # KR<<<60
 551         &_rotl128       ("%r8","%r10",30);              # 30+30=60
 552         &_saveround     (20,$out,-128,"%r8","%r10");    # KB<<<60
 553         &_rotl128       ("%rax","%rbx",17);             # 60+17=77
 554         &_saveround     (22,$out,-128,"%rax","%rbx");   # KL<<<77
 555         &_rotl128       ("%r14","%r15",32);             # 45+32=77
 556         &_saveround     (24,$out,-128,"%r14","%r15");   # KA<<<77
 557         &_rotl128       ("%rcx","%rdx",34);             # 60+34=94
 558         &_saveround     (26,$out,-128,"%rcx","%rdx");   # KR<<<94
 559         &_rotl128       ("%r14","%r15",17);             # 77+17=94
 560         &_saveround     (28,$out,-128,"%r14","%r15");   # KA<<<77
 561         &_rotl128       ("%rax","%rbx",34);             # 77+34=111
 562         &_saveround     (30,$out,-128,"%rax","%rbx");   # KL<<<111
 563         &_rotl128       ("%r8","%r10",51);              # 60+51=111
 564         &_saveround     (32,$out,-128,"%r8","%r10");    # KB<<<111
 565 $code.=<<___;
 566         mov     \$4,%eax
 567 .Ldone:
 568         mov     0(%rsp),%r15
 569         mov     8(%rsp),%r14
 570         mov     16(%rsp),%r13
 571         mov     24(%rsp),%rbp
 572         mov     32(%rsp),%rbx
 573         lea     40(%rsp),%rsp
 574 .Lkey_epilogue:
 575         ret
 576 .size   Camellia_Ekeygen,.-Camellia_Ekeygen
 577 ___
 578 }
 579
 580 @SBOX=(
 581 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
 582  35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
 583 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
 584 166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
 585 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
 586 223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
 587  20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
 588 254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
 589 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
 590  16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
 591 135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
 592  82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
 593 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
 594 120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
 595 114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
 596  64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158);
 597
 598 sub S1110 { my $i=shift; $i=@SBOX[$i]; $i=$i<<24|$i<<16|$i<<8; sprintf("0x%08x",$i); }
 599 sub S4404 { my $i=shift; $i=($i<<1|$i>>7)&0xff; $i=@SBOX[$i]; $i=$i<<24|$i<<16|$i; sprintf("0x%08x",$i); }
 600 sub S0222 { my $i=shift; $i=@SBOX[$i]; $i=($i<<1|$i>>7)&0xff; $i=$i<<16|$i<<8|$i; sprintf("0x%08x",$i); }
 601 sub S3033 { my $i=shift; $i=@SBOX[$i]; $i=($i>>1|$i<<7)&0xff; $i=$i<<24|$i<<8|$i; sprintf("0x%08x",$i); }
 602
 603 $code.=<<___;
 604 .align  64
 605 .LCamellia_SIGMA:
 606 .long   0x3bcc908b, 0xa09e667f, 0x4caa73b2, 0xb67ae858
 607 .long   0xe94f82be, 0xc6ef372f, 0xf1d36f1c, 0x54ff53a5
 608 .long   0xde682d1d, 0x10e527fa, 0xb3e6c1fd, 0xb05688c2
 609 .long   0,          0,          0,          0
 610 .LCamellia_SBOX:
 611 ___
 612 # tables are interleaved, remember?
 613 sub data_word { $code.=".long\t".join(',',@_)."\n"; }
 614 for ($i=0;$i<256;$i++) { &data_word(&S1110($i),&S4404($i)); }
 615 for ($i=0;$i<256;$i++) { &data_word(&S0222($i),&S3033($i)); }
 616
 617 # void Camellia_cbc_encrypt (const void char *inp, unsigned char *out,
 618 #                       size_t length, const CAMELLIA_KEY *key,
 619 #                       unsigned char *ivp,const int enc);
 620 {
 621 $_key="0(%rsp)";
 622 $_end="8(%rsp)";        # inp+len&~15
 623 $_res="16(%rsp)";       # len&15
 624 $ivec="24(%rsp)";
 625 $_ivp="40(%rsp)";
 626 $_rsp="48(%rsp)";
 627
 628 $code.=<<___;
 629 .globl  Camellia_cbc_encrypt
 630 .type   Camellia_cbc_encrypt,\@function,6
 631 .align  16
 632 Camellia_cbc_encrypt:
 633         cmp     \$0,%rdx
 634         je      .Lcbc_abort
 635         push    %rbx
 636         push    %rbp
 637         push    %r12
 638         push    %r13
 639         push    %r14
 640         push    %r15
 641 .Lcbc_prologue:
 642
 643         mov     %rsp,%rbp
 644         sub     \$64,%rsp
 645         and     \$-64,%rsp
 646
 647         # place stack frame just "above mod 1024" the key schedule,
 648         # this ensures that cache associativity suffices
 649         lea     -64-63(%rcx),%r10
 650         sub     %rsp,%r10
 651         neg     %r10
 652         and     \$0x3C0,%r10
 653         sub     %r10,%rsp
 654         #add    \$8,%rsp                # 8 is reserved for callee's ra
 655
 656         mov     %rdi,$inp               # inp argument
 657         mov     %rsi,$out               # out argument
 658         mov     %r8,%rbx                # ivp argument
 659         mov     %rcx,$key               # key argument
 660         mov     272(%rcx),${keyend}d    # grandRounds
 661
 662         mov     %r8,$_ivp
 663         mov     %rbp,$_rsp
 664
 665 .Lcbc_body:
 666         lea     .LCamellia_SBOX(%rip),$Tbl
 667
 668         mov     \$32,%ecx
 669 .align  4
 670 .Lcbc_prefetch_sbox:
 671         mov     0($Tbl),%rax
 672         mov     32($Tbl),%rsi
 673         mov     64($Tbl),%rdi
 674         mov     96($Tbl),%r11
 675         lea     128($Tbl),$Tbl
 676         loop    .Lcbc_prefetch_sbox
 677         sub     \$4096,$Tbl
 678         shl     \$6,$keyend
 679         mov     %rdx,%rcx               # len argument
 680         lea     ($key,$keyend),$keyend
 681
 682         cmp     \$0,%r9d                # enc argument
 683         je      .LCBC_DECRYPT
 684
 685         and     \$-16,%rdx
 686         and     \$15,%rcx               # length residue
 687         lea     ($inp,%rdx),%rdx
 688         mov     $key,$_key
 689         mov     %rdx,$_end
 690         mov     %rcx,$_res
 691
 692         cmp     $inp,%rdx
 693         mov     0(%rbx),@S[0]           # load IV
 694         mov     4(%rbx),@S[1]
 695         mov     8(%rbx),@S[2]
 696         mov     12(%rbx),@S[3]
 697         je      .Lcbc_enc_tail
 698         jmp     .Lcbc_eloop
 699
 700 .align  16
 701 .Lcbc_eloop:
 702         xor     0($inp),@S[0]
 703         xor     4($inp),@S[1]
 704         xor     8($inp),@S[2]
 705         bswap   @S[0]
 706         xor     12($inp),@S[3]
 707         bswap   @S[1]
 708         bswap   @S[2]
 709         bswap   @S[3]
 710
 711         call    _x86_64_Camellia_encrypt
 712
 713         mov     $_key,$key              # "rewind" the key
 714         bswap   @S[0]
 715         mov     $_end,%rdx
 716         bswap   @S[1]
 717         mov     $_res,%rcx
 718         bswap   @S[2]
 719         mov     @S[0],0($out)
 720         bswap   @S[3]
 721         mov     @S[1],4($out)
 722         mov     @S[2],8($out)
 723         lea     16($inp),$inp
 724         mov     @S[3],12($out)
 725         cmp     %rdx,$inp
 726         lea     16($out),$out
 727         jne     .Lcbc_eloop
 728
 729         cmp     \$0,%rcx
 730         jne     .Lcbc_enc_tail
 731
 732         mov     $_ivp,$out
 733         mov     @S[0],0($out)           # write out IV residue
 734         mov     @S[1],4($out)
 735         mov     @S[2],8($out)
 736         mov     @S[3],12($out)
 737         jmp     .Lcbc_done
 738
 739 .align  16
 740 .Lcbc_enc_tail:
 741         xor     %rax,%rax
 742         mov     %rax,0+$ivec
 743         mov     %rax,8+$ivec
 744         mov     %rax,$_res
 745
 746 .Lcbc_enc_pushf:
 747         pushfq
 748         cld
 749         mov     $inp,%rsi
 750         lea     8+$ivec,%rdi
 751         .long   0x9066A4F3              # rep movsb
 752         popfq
 753 .Lcbc_enc_popf:
 754
 755         lea     $ivec,$inp
 756         lea     16+$ivec,%rax
 757         mov     %rax,$_end
 758         jmp     .Lcbc_eloop             # one more time
 759
 760 .align  16
 761 .LCBC_DECRYPT:
 762         xchg    $key,$keyend
 763         add     \$15,%rdx
 764         and     \$15,%rcx               # length residue
 765         and     \$-16,%rdx
 766         mov     $key,$_key
 767         lea     ($inp,%rdx),%rdx
 768         mov     %rdx,$_end
 769         mov     %rcx,$_res
 770
 771         mov     (%rbx),%rax             # load IV
 772         mov     8(%rbx),%rbx
 773         jmp     .Lcbc_dloop
 774 .align  16
 775 .Lcbc_dloop:
 776         mov     0($inp),@S[0]
 777         mov     4($inp),@S[1]
 778         mov     8($inp),@S[2]
 779         bswap   @S[0]
 780         mov     12($inp),@S[3]
 781         bswap   @S[1]
 782         mov     %rax,0+$ivec            # save IV to temporary storage
 783         bswap   @S[2]
 784         mov     %rbx,8+$ivec
 785         bswap   @S[3]
 786
 787         call    _x86_64_Camellia_decrypt
 788
 789         mov     $_key,$key              # "rewind" the key
 790         mov     $_end,%rdx
 791         mov     $_res,%rcx
 792
 793         bswap   @S[0]
 794         mov     ($inp),%rax             # load IV for next iteration
 795         bswap   @S[1]
 796         mov     8($inp),%rbx
 797         bswap   @S[2]
 798         xor     0+$ivec,@S[0]
 799         bswap   @S[3]
 800         xor     4+$ivec,@S[1]
 801         xor     8+$ivec,@S[2]
 802         lea     16($inp),$inp
 803         xor     12+$ivec,@S[3]
 804         cmp     %rdx,$inp
 805         je      .Lcbc_ddone
 806
 807         mov     @S[0],0($out)
 808         mov     @S[1],4($out)
 809         mov     @S[2],8($out)
 810         mov     @S[3],12($out)
 811
 812         lea     16($out),$out
 813         jmp     .Lcbc_dloop
 814
 815 .align  16
 816 .Lcbc_ddone:
 817         mov     $_ivp,%rdx
 818         cmp     \$0,%rcx
 819         jne     .Lcbc_dec_tail
 820
 821         mov     @S[0],0($out)
 822         mov     @S[1],4($out)
 823         mov     @S[2],8($out)
 824         mov     @S[3],12($out)
 825
 826         mov     %rax,(%rdx)             # write out IV residue
 827         mov     %rbx,8(%rdx)
 828         jmp     .Lcbc_done
 829 .align  16
 830 .Lcbc_dec_tail:
 831         mov     @S[0],0+$ivec
 832         mov     @S[1],4+$ivec
 833         mov     @S[2],8+$ivec
 834         mov     @S[3],12+$ivec
 835
 836 .Lcbc_dec_pushf:
 837         pushfq
 838         cld
 839         lea     8+$ivec,%rsi
 840         lea     ($out),%rdi
 841         .long   0x9066A4F3              # rep movsb
 842         popfq
 843 .Lcbc_dec_popf:
 844
 845         mov     %rax,(%rdx)             # write out IV residue
 846         mov     %rbx,8(%rdx)
 847         jmp     .Lcbc_done
 848
 849 .align  16
 850 .Lcbc_done:
 851         mov     $_rsp,%rcx
 852         mov     0(%rcx),%r15
 853         mov     8(%rcx),%r14
 854         mov     16(%rcx),%r13
 855         mov     24(%rcx),%r12
 856         mov     32(%rcx),%rbp
 857         mov     40(%rcx),%rbx
 858         lea     48(%rcx),%rsp
 859 .Lcbc_abort:
 860         ret
 861 .size   Camellia_cbc_encrypt,.-Camellia_cbc_encrypt
 862
 863 .asciz  "Camellia for x86_64 by <appro\@openssl.org>"
 864 ___
 865 }
 866
 867 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
 868 #               CONTEXT *context,DISPATCHER_CONTEXT *disp)
 869 if ($win64) {
 870 $rec="%rcx";
 871 $frame="%rdx";
 872 $context="%r8";
 873 $disp="%r9";
 874
 875 $code.=<<___;
 876 .extern __imp_RtlVirtualUnwind
 877 .type   common_se_handler,\@abi-omnipotent
 878 .align  16
 879 common_se_handler:
 880         push    %rsi
 881         push    %rdi
 882         push    %rbx
 883         push    %rbp
 884         push    %r12
 885         push    %r13
 886         push    %r14
 887         push    %r15
 888         pushfq
 889         lea     -64(%rsp),%rsp
 890
 891         mov     120($context),%rax      # pull context->Rax
 892         mov     248($context),%rbx      # pull context->Rip
 893
 894         mov     8($disp),%rsi           # disp->ImageBase
 895         mov     56($disp),%r11          # disp->HandlerData
 896
 897         mov     0(%r11),%r10d           # HandlerData[0]
 898         lea     (%rsi,%r10),%r10        # prologue label
 899         cmp     %r10,%rbx               # context->Rip<prologue label
 900         jb      .Lin_prologue
 901
 902         mov     152($context),%rax      # pull context->Rsp
 903
 904         mov     4(%r11),%r10d           # HandlerData[1]
 905         lea     (%rsi,%r10),%r10        # epilogue label
 906         cmp     %r10,%rbx               # context->Rip>=epilogue label
 907         jae     .Lin_prologue
 908
 909         lea     40(%rax),%rax
 910         mov     -8(%rax),%rbx
 911         mov     -16(%rax),%rbp
 912         mov     -24(%rax),%r13
 913         mov     -32(%rax),%r14
 914         mov     -40(%rax),%r15
 915         mov     %rbx,144($context)      # restore context->Rbx
 916         mov     %rbp,160($context)      # restore context->Rbp
 917         mov     %r13,224($context)      # restore context->R13
 918         mov     %r14,232($context)      # restore context->R14
 919         mov     %r15,240($context)      # restore context->R15
 920
 921 .Lin_prologue:
 922         mov     8(%rax),%rdi
 923         mov     16(%rax),%rsi
 924         mov     %rax,152($context)      # restore context->Rsp
 925         mov     %rsi,168($context)      # restore context->Rsi
 926         mov     %rdi,176($context)      # restore context->Rdi
 927
 928         jmp     .Lcommon_seh_exit
 929 .size   common_se_handler,.-common_se_handler
 930
 931 .type   cbc_se_handler,\@abi-omnipotent
 932 .align  16
 933 cbc_se_handler:
 934         push    %rsi
 935         push    %rdi
 936         push    %rbx
 937         push    %rbp
 938         push    %r12
 939         push    %r13
 940         push    %r14
 941         push    %r15
 942         pushfq
 943         lea     -64(%rsp),%rsp
 944
 945         mov     120($context),%rax      # pull context->Rax
 946         mov     248($context),%rbx      # pull context->Rip
 947
 948         lea     .Lcbc_prologue(%rip),%r10
 949         cmp     %r10,%rbx               # context->Rip<.Lcbc_prologue
 950         jb      .Lin_cbc_prologue
 951
 952         lea     .Lcbc_body(%rip),%r10
 953         cmp     %r10,%rbx               # context->Rip<.Lcbc_body
 954         jb      .Lin_cbc_frame_setup
 955
 956         mov     152($context),%rax      # pull context->Rsp
 957
 958         lea     .Lcbc_abort(%rip),%r10
 959         cmp     %r10,%rbx               # context->Rip>=.Lcbc_abort
 960         jae     .Lin_cbc_prologue
 961
 962         # handle pushf/popf in Camellia_cbc_encrypt
 963         lea     .Lcbc_enc_pushf(%rip),%r10
 964         cmp     %r10,%rbx               # context->Rip<=.Lcbc_enc_pushf
 965         jbe     .Lin_cbc_no_flag
 966         lea     8(%rax),%rax
 967         lea     .Lcbc_enc_popf(%rip),%r10
 968         cmp     %r10,%rbx               # context->Rip<.Lcbc_enc_popf
 969         jb      .Lin_cbc_no_flag
 970         lea     -8(%rax),%rax
 971         lea     .Lcbc_dec_pushf(%rip),%r10
 972         cmp     %r10,%rbx               # context->Rip<=.Lcbc_dec_pushf
 973         jbe     .Lin_cbc_no_flag
 974         lea     8(%rax),%rax
 975         lea     .Lcbc_dec_popf(%rip),%r10
 976         cmp     %r10,%rbx               # context->Rip<.Lcbc_dec_popf
 977         jb      .Lin_cbc_no_flag
 978         lea     -8(%rax),%rax
 979
 980 .Lin_cbc_no_flag:
 981         mov     48(%rax),%rax           # $_rsp
 982         lea     48(%rax),%rax
 983
 984 .Lin_cbc_frame_setup:
 985         mov     -8(%rax),%rbx
 986         mov     -16(%rax),%rbp
 987         mov     -24(%rax),%r12
 988         mov     -32(%rax),%r13
 989         mov     -40(%rax),%r14
 990         mov     -48(%rax),%r15
 991         mov     %rbx,144($context)      # restore context->Rbx
 992         mov     %rbp,160($context)      # restore context->Rbp
 993         mov     %r12,216($context)      # restore context->R12
 994         mov     %r13,224($context)      # restore context->R13
 995         mov     %r14,232($context)      # restore context->R14
 996         mov     %r15,240($context)      # restore context->R15
 997
 998 .Lin_cbc_prologue:
 999         mov     8(%rax),%rdi
1000         mov     16(%rax),%rsi
1001         mov     %rax,152($context)      # restore context->Rsp
1002         mov     %rsi,168($context)      # restore context->Rsi
1003         mov     %rdi,176($context)      # restore context->Rdi
1004
1005 .align  4
1006 .Lcommon_seh_exit:
1007
1008         mov     40($disp),%rdi          # disp->ContextRecord
1009         mov     $context,%rsi           # context
1010         mov     \$`1232/8`,%ecx         # sizeof(CONTEXT)
1011         .long   0xa548f3fc              # cld; rep movsq
1012
1013         mov     $disp,%rsi
1014         xor     %rcx,%rcx               # arg1, UNW_FLAG_NHANDLER
1015         mov     8(%rsi),%rdx            # arg2, disp->ImageBase
1016         mov     0(%rsi),%r8             # arg3, disp->ControlPc
1017         mov     16(%rsi),%r9            # arg4, disp->FunctionEntry
1018         mov     40(%rsi),%r10           # disp->ContextRecord
1019         lea     56(%rsi),%r11           # &disp->HandlerData
1020         lea     24(%rsi),%r12           # &disp->EstablisherFrame
1021         mov     %r10,32(%rsp)           # arg5
1022         mov     %r11,40(%rsp)           # arg6
1023         mov     %r12,48(%rsp)           # arg7
1024         mov     %rcx,56(%rsp)           # arg8, (NULL)
1025         call    *__imp_RtlVirtualUnwind(%rip)
1026
1027         mov     \$1,%eax                # ExceptionContinueSearch
1028         lea     64(%rsp),%rsp
1029         popfq
1030         pop     %r15
1031         pop     %r14
1032         pop     %r13
1033         pop     %r12
1034         pop     %rbp
1035         pop     %rbx
1036         pop     %rdi
1037         pop     %rsi
1038         ret
1039 .size   cbc_se_handler,.-cbc_se_handler
1040
1041 .section        .pdata
1042 .align  4
1043         .rva    .LSEH_begin_Camellia_EncryptBlock_Rounds
1044         .rva    .LSEH_end_Camellia_EncryptBlock_Rounds
1045         .rva    .LSEH_info_Camellia_EncryptBlock_Rounds
1046
1047         .rva    .LSEH_begin_Camellia_DecryptBlock_Rounds
1048         .rva    .LSEH_end_Camellia_DecryptBlock_Rounds
1049         .rva    .LSEH_info_Camellia_DecryptBlock_Rounds
1050
1051         .rva    .LSEH_begin_Camellia_Ekeygen
1052         .rva    .LSEH_end_Camellia_Ekeygen
1053         .rva    .LSEH_info_Camellia_Ekeygen
1054
1055         .rva    .LSEH_begin_Camellia_cbc_encrypt
1056         .rva    .LSEH_end_Camellia_cbc_encrypt
1057         .rva    .LSEH_info_Camellia_cbc_encrypt
1058
1059 .section        .xdata
1060 .align  8
1061 .LSEH_info_Camellia_EncryptBlock_Rounds:
1062         .byte   9,0,0,0
1063         .rva    common_se_handler
1064         .rva    .Lenc_prologue,.Lenc_epilogue   # HandlerData[]
1065 .LSEH_info_Camellia_DecryptBlock_Rounds:
1066         .byte   9,0,0,0
1067         .rva    common_se_handler
1068         .rva    .Ldec_prologue,.Ldec_epilogue   # HandlerData[]
1069 .LSEH_info_Camellia_Ekeygen:
1070         .byte   9,0,0,0
1071         .rva    common_se_handler
1072         .rva    .Lkey_prologue,.Lkey_epilogue   # HandlerData[]
1073 .LSEH_info_Camellia_cbc_encrypt:
1074         .byte   9,0,0,0
1075         .rva    cbc_se_handler
1076 ___
1077 }
1078
1079 $code =~ s/\`([^\`]*)\`/eval $1/gem;
1080 print $code;
1081 close STDOUT;