1 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
2 ; Copyright(c) 2011-2016 Intel Corporation All rights reserved.
4 ; Redistribution and use in source and binary forms, with or without
5 ; modification, are permitted provided that the following conditions
7 ; * Redistributions of source code must retain the above copyright
8 ; notice, this list of conditions and the following disclaimer.
9 ; * Redistributions in binary form must reproduce the above copyright
10 ; notice, this list of conditions and the following disclaimer in
11 ; the documentation and/or other materials provided with the
13 ; * Neither the name of Intel Corporation nor the names of its
14 ; contributors may be used to endorse or promote products derived
15 ; from this software without specific prior written permission.
17 ; THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18 ; "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19 ; LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
20 ; A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
21 ; OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
22 ; SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
23 ; LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 ; DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 ; THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 ; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27 ; OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
38 ; This code was derived and highly optimized from the code described in paper:
39 ; Vinodh Gopal et. al. Optimized Galois-Counter-Mode Implementation on Intel Architecture Processors. August, 2010
41 ; For the shift-based reductions used in this code, we used the method described in paper:
42 ; Shay Gueron, Michael E. Kounavis. Intel Carry-Less Multiplication Instruction and its Usage for Computing the GCM Mode. January, 2010.
53 ; 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
54 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
55 ; | Salt (From the SA) |
56 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
57 ; | Initialization Vector |
58 ; | (This is the sequence number from IPSec header) |
59 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
61 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ; AAD will be padded with 0 to the next 16byte multiple
67 ; for example, assume AAD is a u32 vector
71 ; padded AAD in xmm register = {A1 A0 0 0}
74 ; 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
75 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 ; | 32-bit Sequence Number (A0) |
79 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
81 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
83 ; AAD Format with 32-bit Sequence Number
86 ; AAD[3] = {A0, A1, A2};
87 ; padded AAD in xmm register = {A2 A1 A0 0}
90 ; 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
91 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
93 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
94 ; | 64-bit Extended Sequence Number {A1,A0} |
96 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
98 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
100 ; AAD Format with 64-bit Extended Sequence Number
104 ; Must be a multiple of 4 bytes and from the definition of the spec.
105 ; The code additionally supports any aadLen length.
108 ; from the definition of the spec, TLen can only be 8, 12 or 16 bytes.
110 ; poly = x^128 + x^127 + x^126 + x^121 + 1
111 ; throughout the code, one tab and two tab indentations are used. one tab is for GHASH part, two tabs is for AES part.
114 %include "reg_sizes.asm"
115 %include "gcm_defines.asm"
118 ; need to push 4 registers into stack to maintain
119 %define STACK_OFFSET 8*4
121 %define TMP2 16*0 ; Temporary storage for AES State 2 (State 1 is stored in an XMM register)
122 %define TMP3 16*1 ; Temporary storage for AES State 3
123 %define TMP4 16*2 ; Temporary storage for AES State 4
124 %define TMP5 16*3 ; Temporary storage for AES State 5
125 %define TMP6 16*4 ; Temporary storage for AES State 6
126 %define TMP7 16*5 ; Temporary storage for AES State 7
127 %define TMP8 16*6 ; Temporary storage for AES State 8
129 %define LOCAL_STORAGE 16*7
131 %ifidn __OUTPUT_FORMAT__, win64
132 %define XMM_STORAGE 16*10
134 %define XMM_STORAGE 0
137 %define VARIABLE_OFFSET LOCAL_STORAGE + XMM_STORAGE
139 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
141 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
143 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
144 ; GHASH_MUL MACRO to implement: Data*HashKey mod (128,127,126,121,0)
145 ; Input: A and B (128-bits each, bit-reflected)
146 ; Output: C = A*B*x mod poly, (i.e. >>1 )
147 ; To compute GH = GH*HashKey mod poly, give HK = HashKey<<1 mod poly as input
148 ; GH = GH * HK * x mod poly which is equivalent to GH*HashKey mod poly.
149 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
151 %define %%GH %1 ; 16 Bytes
152 %define %%HK %2 ; 16 Bytes
158 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
160 vpshufd %%T2, %%GH, 01001110b
161 vpshufd %%T3, %%HK, 01001110b
162 vpxor %%T2, %%T2, %%GH ; %%T2 = (a1+a0)
163 vpxor %%T3, %%T3, %%HK ; %%T3 = (b1+b0)
165 vpclmulqdq %%T1, %%GH, %%HK, 0x11 ; %%T1 = a1*b1
166 vpclmulqdq %%GH, %%HK, 0x00 ; %%GH = a0*b0
167 vpclmulqdq %%T2, %%T3, 0x00 ; %%T2 = (a1+a0)*(b1+b0)
168 vpxor %%T2, %%T2, %%GH
169 vpxor %%T2, %%T2, %%T1 ; %%T2 = a0*b1+a1*b0
171 vpslldq %%T3, %%T2, 8 ; shift-L %%T3 2 DWs
172 vpsrldq %%T2, %%T2, 8 ; shift-R %%T2 2 DWs
173 vpxor %%GH, %%GH, %%T3
174 vpxor %%T1, %%T1, %%T2 ; <%%T1:%%GH> = %%GH x %%HK
176 ;first phase of the reduction
177 vpslld %%T2, %%GH, 31 ; packed right shifting << 31
178 vpslld %%T3, %%GH, 30 ; packed right shifting shift << 30
179 vpslld %%T4, %%GH, 25 ; packed right shifting shift << 25
181 vpxor %%T2, %%T2, %%T3 ; xor the shifted versions
182 vpxor %%T2, %%T2, %%T4
184 vpsrldq %%T5, %%T2, 4 ; shift-R %%T5 1 DW
186 vpslldq %%T2, %%T2, 12 ; shift-L %%T2 3 DWs
187 vpxor %%GH, %%GH, %%T2 ; first phase of the reduction complete
188 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
190 ;second phase of the reduction
192 vpsrld %%T2,%%GH,1 ; packed left shifting >> 1
193 vpsrld %%T3,%%GH,2 ; packed left shifting >> 2
194 vpsrld %%T4,%%GH,7 ; packed left shifting >> 7
195 vpxor %%T2, %%T2, %%T3 ; xor the shifted versions
196 vpxor %%T2, %%T2, %%T4
198 vpxor %%T2, %%T2, %%T5
199 vpxor %%GH, %%GH, %%T2
200 vpxor %%GH, %%GH, %%T1 ; the result is in %%GH
216 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
217 ; Haskey_i_k holds XORed values of the low and high parts of the Haskey_i
220 vpshufd %%T1, %%T5, 01001110b
222 vmovdqu [%%GDATA + HashKey_k], %%T1
224 GHASH_MUL %%T5, %%HK, %%T1, %%T3, %%T4, %%T6, %%T2 ; %%T5 = HashKey^2<<1 mod poly
225 vmovdqu [%%GDATA + HashKey_2], %%T5 ; [HashKey_2] = HashKey^2<<1 mod poly
226 vpshufd %%T1, %%T5, 01001110b
228 vmovdqu [%%GDATA + HashKey_2_k], %%T1
230 GHASH_MUL %%T5, %%HK, %%T1, %%T3, %%T4, %%T6, %%T2 ; %%T5 = HashKey^3<<1 mod poly
231 vmovdqu [%%GDATA + HashKey_3], %%T5
232 vpshufd %%T1, %%T5, 01001110b
234 vmovdqu [%%GDATA + HashKey_3_k], %%T1
236 GHASH_MUL %%T5, %%HK, %%T1, %%T3, %%T4, %%T6, %%T2 ; %%T5 = HashKey^4<<1 mod poly
237 vmovdqu [%%GDATA + HashKey_4], %%T5
238 vpshufd %%T1, %%T5, 01001110b
240 vmovdqu [%%GDATA + HashKey_4_k], %%T1
242 GHASH_MUL %%T5, %%HK, %%T1, %%T3, %%T4, %%T6, %%T2 ; %%T5 = HashKey^5<<1 mod poly
243 vmovdqu [%%GDATA + HashKey_5], %%T5
244 vpshufd %%T1, %%T5, 01001110b
246 vmovdqu [%%GDATA + HashKey_5_k], %%T1
248 GHASH_MUL %%T5, %%HK, %%T1, %%T3, %%T4, %%T6, %%T2 ; %%T5 = HashKey^6<<1 mod poly
249 vmovdqu [%%GDATA + HashKey_6], %%T5
250 vpshufd %%T1, %%T5, 01001110b
252 vmovdqu [%%GDATA + HashKey_6_k], %%T1
254 GHASH_MUL %%T5, %%HK, %%T1, %%T3, %%T4, %%T6, %%T2 ; %%T5 = HashKey^7<<1 mod poly
255 vmovdqu [%%GDATA + HashKey_7], %%T5
256 vpshufd %%T1, %%T5, 01001110b
258 vmovdqu [%%GDATA + HashKey_7_k], %%T1
260 GHASH_MUL %%T5, %%HK, %%T1, %%T3, %%T4, %%T6, %%T2 ; %%T5 = HashKey^8<<1 mod poly
261 vmovdqu [%%GDATA + HashKey_8], %%T5
262 vpshufd %%T1, %%T5, 01001110b
264 vmovdqu [%%GDATA + HashKey_8_k], %%T1
268 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
269 ; READ_SMALL_DATA_INPUT: Packs xmm register with data when data input is less than 16 bytes.
270 ; Returns 0 if data has length 0.
271 ; Input: The input data (INPUT), that data's length (LENGTH).
272 ; Output: The packed xmm register (OUTPUT).
273 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
274 %macro READ_SMALL_DATA_INPUT 6
275 %define %%OUTPUT %1 ; %%OUTPUT is an xmm register
278 %define %%END_READ_LOCATION %4 ; All this and the lower inputs are temp registers
282 vpxor %%OUTPUT, %%OUTPUT
283 mov %%COUNTER, %%LENGTH
284 mov %%END_READ_LOCATION, %%INPUT
285 add %%END_READ_LOCATION, %%LENGTH
291 vpinsrq %%OUTPUT, [%%INPUT],0 ;Read in 8 bytes if they exists
296 %%_byte_loop_1: ;Read in data 1 byte at a time while data is left
297 shl %%TMP1, 8 ;This loop handles when 8 bytes were already read in
298 dec %%END_READ_LOCATION
299 mov BYTE(%%TMP1), BYTE [%%END_READ_LOCATION]
302 vpinsrq %%OUTPUT, %%TMP1, 1
305 %%_byte_loop_2: ;Read in data 1 byte at a time while data is left
308 shl %%TMP1, 8 ;This loop handles when no bytes were already read in
309 dec %%END_READ_LOCATION
310 mov BYTE(%%TMP1), BYTE [%%END_READ_LOCATION]
313 vpinsrq %%OUTPUT, %%TMP1, 0
316 %endmacro ; READ_SMALL_DATA_INPUT
319 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
320 ; CALC_AAD_HASH: Calculates the hash of the data which will not be encrypted.
321 ; Input: The input data (A_IN), that data's length (A_LEN), and the hash key (HASH_KEY).
322 ; Output: The hash of the data (AAD_HASH).
323 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
324 %macro CALC_AAD_HASH 14
327 %define %%AAD_HASH %3
328 %define %%HASH_KEY %4
329 %define %%XTMP1 %5 ; xmm temp reg 5
333 %define %%XTMP5 %9 ; xmm temp reg 5
334 %define %%T1 %10 ; temp reg 1
338 %define %%T5 %14 ; temp reg 5
341 mov %%T1, %%A_IN ; T1 = AAD
342 mov %%T2, %%A_LEN ; T2 = aadLen
343 vpxor %%AAD_HASH, %%AAD_HASH
346 jl %%_get_small_AAD_block
350 vmovdqu %%XTMP1, [%%T1]
351 ;byte-reflect the AAD data
352 vpshufb %%XTMP1, [SHUF_MASK]
353 vpxor %%AAD_HASH, %%XTMP1
354 GHASH_MUL %%AAD_HASH, %%HASH_KEY, %%XTMP1, %%XTMP2, %%XTMP3, %%XTMP4, %%XTMP5
361 jge %%_get_AAD_loop16
363 %%_get_small_AAD_block:
364 READ_SMALL_DATA_INPUT %%XTMP1, %%T1, %%T2, %%T3, %%T4, %%T5
365 ;byte-reflect the AAD data
366 vpshufb %%XTMP1, [SHUF_MASK]
367 vpxor %%AAD_HASH, %%XTMP1
368 GHASH_MUL %%AAD_HASH, %%HASH_KEY, %%XTMP1, %%XTMP2, %%XTMP3, %%XTMP4, %%XTMP5
372 %endmacro ; CALC_AAD_HASH
376 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
377 ; PARTIAL_BLOCK: Handles encryption/decryption and the tag partial blocks between update calls.
378 ; Requires the input data be at least 1 byte long.
379 ; Input: gcm_data struct* (GDATA), input text (PLAIN_CYPH_IN), input text length (PLAIN_CYPH_LEN),
380 ; the current data offset (DATA_OFFSET), and whether encoding or decoding (ENC_DEC)
381 ; Output: A cypher of the first partial block (CYPH_PLAIN_OUT), and updated GDATA
382 ; Clobbers rax, r10, r12, r13, r15, xmm0, xmm1, xmm2, xmm3, xmm5, xmm6, xmm9, xmm10, xmm11, xmm13
383 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
384 %macro PARTIAL_BLOCK 7
386 %define %%CYPH_PLAIN_OUT %2
387 %define %%PLAIN_CYPH_IN %3
388 %define %%PLAIN_CYPH_LEN %4
389 %define %%DATA_OFFSET %5
390 %define %%AAD_HASH %6
392 mov r13, [%%GDATA + PBlockLen]
394 je %%_partial_block_done ;Leave Macro if no partial blocks
396 cmp %%PLAIN_CYPH_LEN, 16 ;Read in input data without over reading
397 jl %%_fewer_than_16_bytes
398 VXLDR xmm1, [%%PLAIN_CYPH_IN] ;If more than 16 bytes of data, just fill the xmm register
401 %%_fewer_than_16_bytes:
402 lea r10, [%%PLAIN_CYPH_IN + %%DATA_OFFSET]
403 READ_SMALL_DATA_INPUT xmm1, r10, %%PLAIN_CYPH_LEN, rax, r12, r15
405 %%_data_read: ;Finished reading in data
408 vmovdqu xmm9, [%%GDATA + PBlockEncKey] ;xmm9 = my_ctx_data.partial_block_enc_key
409 vmovdqu xmm13, [%%GDATA + HashKey]
411 lea r12, [SHIFT_MASK]
414 add r12, r13 ; adjust the shuffle mask pointer to be able to shift r13 bytes (16-r13 is the number of bytes in plaintext mod 16)
415 vmovdqu xmm2, [r12] ; get the appropriate shuffle mask
416 vpshufb xmm9, xmm2 ;shift right r13 bytes
418 %ifidn %%ENC_DEC, DEC
420 vpxor xmm9, xmm1 ; Cyphertext XOR E(K, Yn)
422 mov r15, %%PLAIN_CYPH_LEN
424 sub r15, 16 ;Set r15 to be the amount of data left in CYPH_PLAIN_IN after filling the block
425 jge %%_no_extra_mask_1 ;Determine if if partial block is not being filled and shift mask accordingly
429 vmovdqu xmm1, [r12 + ALL_F-SHIFT_MASK] ; get the appropriate mask to mask out bottom r13 bytes of xmm9
430 vpand xmm9, xmm1 ; mask out bottom r13 bytes of xmm9
433 vpshufb xmm3, [SHUF_MASK]
435 vpxor %%AAD_HASH, xmm3
439 jl %%_partial_incomplete_1
441 GHASH_MUL %%AAD_HASH, xmm13, xmm0, xmm10, xmm11, xmm5, xmm6 ;GHASH computation for the last <16 Byte block
443 mov [%%GDATA+PBlockLen], rax
445 %%_partial_incomplete_1:
446 add [%%GDATA+PBlockLen], %%PLAIN_CYPH_LEN
448 vmovdqu [%%GDATA + AadHash], %%AAD_HASH
451 vpxor xmm9, xmm1 ; Plaintext XOR E(K, Yn)
453 mov r15, %%PLAIN_CYPH_LEN
455 sub r15, 16 ;Set r15 to be the amount of data left in CYPH_PLAIN_IN after filling the block
456 jge %%_no_extra_mask_2 ;Determine if if partial block is not being filled and shift mask accordingly
460 vmovdqu xmm1, [r12 + ALL_F-SHIFT_MASK] ; get the appropriate mask to mask out bottom r13 bytes of xmm9
461 vpand xmm9, xmm1 ; mask out bottom r13 bytes of xmm9
463 vpshufb xmm9, [SHUF_MASK]
465 vpxor %%AAD_HASH, xmm9
468 jl %%_partial_incomplete_2
470 GHASH_MUL %%AAD_HASH, xmm13, xmm0, xmm10, xmm11, xmm5, xmm6 ;GHASH computation for the last <16 Byte block
472 mov [%%GDATA+PBlockLen], rax
474 %%_partial_incomplete_2:
475 add [%%GDATA+PBlockLen], %%PLAIN_CYPH_LEN
477 vmovdqu [%%GDATA + AadHash], %%AAD_HASH
479 vpshufb xmm9, [SHUF_MASK] ; shuffle xmm9 back to output as ciphertext
484 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
485 ; output encrypted Bytes
490 sub r13, r12 ; Set r13 to be the number of bytes to write out
493 mov r13, %%PLAIN_CYPH_LEN
497 jle %%_less_than_8_bytes_left
499 mov [%%CYPH_PLAIN_OUT+ %%DATA_OFFSET], rax
501 vpsrldq xmm9, xmm9, 8
504 %%_less_than_8_bytes_left:
505 mov BYTE [%%CYPH_PLAIN_OUT + %%DATA_OFFSET], al
509 jne %%_less_than_8_bytes_left
510 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
511 %%_partial_block_done:
512 %endmacro ; PARTIAL_BLOCK
515 ; if a = number of total plaintext bytes
517 ; %%num_initial_blocks = b mod 8;
518 ; encrypt the initial %%num_initial_blocks blocks and apply ghash on the ciphertext
519 ; %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, r14 are used as a pointer only, not modified.
520 ; Updated AAD_HASH is returned in %%T3
522 %macro INITIAL_BLOCKS 23
524 %define %%CYPH_PLAIN_OUT %2
525 %define %%PLAIN_CYPH_IN %3
527 %define %%DATA_OFFSET %5
528 %define %%num_initial_blocks %6 ; can be 0, 1, 2, 3, 4, 5, 6 or 7
530 %define %%HASH_KEY %8
545 %define %%ENC_DEC %23
547 %assign i (8-%%num_initial_blocks)
548 movdqu reg(i), %%XMM8 ; move AAD_HASH to temp reg
549 ; start AES for %%num_initial_blocks blocks
550 vmovdqu %%CTR, [%%GDATA + CurCount] ; %%CTR = Y0
553 %assign i (9-%%num_initial_blocks)
554 %rep %%num_initial_blocks
555 vpaddd %%CTR, [ONE] ; INCR Y0
556 vmovdqa reg(i), %%CTR
557 vpshufb reg(i), [SHUF_MASK] ; perform a 16Byte swap
561 vmovdqu %%T_key, [%%GDATA+16*0]
562 %assign i (9-%%num_initial_blocks)
563 %rep %%num_initial_blocks
570 vmovdqu %%T_key, [%%GDATA+16*j]
571 %assign i (9-%%num_initial_blocks)
572 %rep %%num_initial_blocks
573 vaesenc reg(i),%%T_key
581 vmovdqu %%T_key, [%%GDATA+16*10]
582 %assign i (9-%%num_initial_blocks)
583 %rep %%num_initial_blocks
584 vaesenclast reg(i),%%T_key
588 %assign i (9-%%num_initial_blocks)
589 %rep %%num_initial_blocks
590 VXLDR %%T1, [%%PLAIN_CYPH_IN + %%DATA_OFFSET]
592 VXSTR [%%CYPH_PLAIN_OUT + %%DATA_OFFSET], reg(i) ; write back ciphertext for %%num_initial_blocks blocks
593 add %%DATA_OFFSET, 16
594 %ifidn %%ENC_DEC, DEC
597 vpshufb reg(i), [SHUF_MASK] ; prepare ciphertext for GHASH computations
602 %assign i (8-%%num_initial_blocks)
603 %assign j (9-%%num_initial_blocks)
605 %rep %%num_initial_blocks
607 GHASH_MUL reg(j), %%HASH_KEY, %%T1, %%T3, %%T4, %%T5, %%T6 ; apply GHASH on %%num_initial_blocks blocks
611 ; %%XMM8 has the current Hash Value
615 jl %%_initial_blocks_done ; no need for precomputed constants
617 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
618 ; Haskey_i_k holds XORed values of the low and high parts of the Haskey_i
619 vpaddd %%CTR, [ONE] ; INCR Y0
620 vmovdqa %%XMM1, %%CTR
621 vpshufb %%XMM1, [SHUF_MASK] ; perform a 16Byte swap
623 vpaddd %%CTR, [ONE] ; INCR Y0
624 vmovdqa %%XMM2, %%CTR
625 vpshufb %%XMM2, [SHUF_MASK] ; perform a 16Byte swap
627 vpaddd %%CTR, [ONE] ; INCR Y0
628 vmovdqa %%XMM3, %%CTR
629 vpshufb %%XMM3, [SHUF_MASK] ; perform a 16Byte swap
631 vpaddd %%CTR, [ONE] ; INCR Y0
632 vmovdqa %%XMM4, %%CTR
633 vpshufb %%XMM4, [SHUF_MASK] ; perform a 16Byte swap
635 vpaddd %%CTR, [ONE] ; INCR Y0
636 vmovdqa %%XMM5, %%CTR
637 vpshufb %%XMM5, [SHUF_MASK] ; perform a 16Byte swap
639 vpaddd %%CTR, [ONE] ; INCR Y0
640 vmovdqa %%XMM6, %%CTR
641 vpshufb %%XMM6, [SHUF_MASK] ; perform a 16Byte swap
643 vpaddd %%CTR, [ONE] ; INCR Y0
644 vmovdqa %%XMM7, %%CTR
645 vpshufb %%XMM7, [SHUF_MASK] ; perform a 16Byte swap
647 vpaddd %%CTR, [ONE] ; INCR Y0
648 vmovdqa %%XMM8, %%CTR
649 vpshufb %%XMM8, [SHUF_MASK] ; perform a 16Byte swap
651 vmovdqu %%T_key, [%%GDATA+16*0]
652 vpxor %%XMM1, %%T_key
653 vpxor %%XMM2, %%T_key
654 vpxor %%XMM3, %%T_key
655 vpxor %%XMM4, %%T_key
656 vpxor %%XMM5, %%T_key
657 vpxor %%XMM6, %%T_key
658 vpxor %%XMM7, %%T_key
659 vpxor %%XMM8, %%T_key
664 vmovdqu %%T_key, [%%GDATA+16*i]
665 vaesenc %%XMM1, %%T_key
666 vaesenc %%XMM2, %%T_key
667 vaesenc %%XMM3, %%T_key
668 vaesenc %%XMM4, %%T_key
669 vaesenc %%XMM5, %%T_key
670 vaesenc %%XMM6, %%T_key
671 vaesenc %%XMM7, %%T_key
672 vaesenc %%XMM8, %%T_key
677 vmovdqu %%T_key, [%%GDATA+16*i]
678 vaesenclast %%XMM1, %%T_key
679 vaesenclast %%XMM2, %%T_key
680 vaesenclast %%XMM3, %%T_key
681 vaesenclast %%XMM4, %%T_key
682 vaesenclast %%XMM5, %%T_key
683 vaesenclast %%XMM6, %%T_key
684 vaesenclast %%XMM7, %%T_key
685 vaesenclast %%XMM8, %%T_key
687 VXLDR %%T1, [%%PLAIN_CYPH_IN + %%DATA_OFFSET + 16*0]
689 VXSTR [%%CYPH_PLAIN_OUT + %%DATA_OFFSET + 16*0], %%XMM1
690 %ifidn %%ENC_DEC, DEC
694 VXLDR %%T1, [%%PLAIN_CYPH_IN + %%DATA_OFFSET + 16*1]
696 VXSTR [%%CYPH_PLAIN_OUT + %%DATA_OFFSET + 16*1], %%XMM2
697 %ifidn %%ENC_DEC, DEC
701 VXLDR %%T1, [%%PLAIN_CYPH_IN + %%DATA_OFFSET + 16*2]
703 VXSTR [%%CYPH_PLAIN_OUT + %%DATA_OFFSET + 16*2], %%XMM3
704 %ifidn %%ENC_DEC, DEC
708 VXLDR %%T1, [%%PLAIN_CYPH_IN + %%DATA_OFFSET + 16*3]
710 VXSTR [%%CYPH_PLAIN_OUT + %%DATA_OFFSET + 16*3], %%XMM4
711 %ifidn %%ENC_DEC, DEC
715 VXLDR %%T1, [%%PLAIN_CYPH_IN + %%DATA_OFFSET + 16*4]
717 VXSTR [%%CYPH_PLAIN_OUT + %%DATA_OFFSET + 16*4], %%XMM5
718 %ifidn %%ENC_DEC, DEC
722 VXLDR %%T1, [%%PLAIN_CYPH_IN + %%DATA_OFFSET + 16*5]
724 VXSTR [%%CYPH_PLAIN_OUT + %%DATA_OFFSET + 16*5], %%XMM6
725 %ifidn %%ENC_DEC, DEC
729 VXLDR %%T1, [%%PLAIN_CYPH_IN + %%DATA_OFFSET + 16*6]
731 VXSTR [%%CYPH_PLAIN_OUT + %%DATA_OFFSET + 16*6], %%XMM7
732 %ifidn %%ENC_DEC, DEC
736 VXLDR %%T1, [%%PLAIN_CYPH_IN + %%DATA_OFFSET + 16*7]
738 VXSTR [%%CYPH_PLAIN_OUT + %%DATA_OFFSET + 16*7], %%XMM8
739 %ifidn %%ENC_DEC, DEC
743 add %%DATA_OFFSET, 128
745 vpshufb %%XMM1, [SHUF_MASK] ; perform a 16Byte swap
746 vpxor %%XMM1, %%T3 ; combine GHASHed value with the corresponding ciphertext
747 vpshufb %%XMM2, [SHUF_MASK] ; perform a 16Byte swap
748 vpshufb %%XMM3, [SHUF_MASK] ; perform a 16Byte swap
749 vpshufb %%XMM4, [SHUF_MASK] ; perform a 16Byte swap
750 vpshufb %%XMM5, [SHUF_MASK] ; perform a 16Byte swap
751 vpshufb %%XMM6, [SHUF_MASK] ; perform a 16Byte swap
752 vpshufb %%XMM7, [SHUF_MASK] ; perform a 16Byte swap
753 vpshufb %%XMM8, [SHUF_MASK] ; perform a 16Byte swap
755 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
757 %%_initial_blocks_done:
763 ; encrypt 8 blocks at a time
764 ; ghash the 8 previously encrypted ciphertext blocks
765 ; %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN are used as pointers only, not modified
766 ; r11 is the data offset value
767 %macro GHASH_8_ENCRYPT_8_PARALLEL 22
769 %define %%CYPH_PLAIN_OUT %2
770 %define %%PLAIN_CYPH_IN %3
771 %define %%DATA_OFFSET %4
788 %define %%loop_idx %21
789 %define %%ENC_DEC %22
792 vmovdqu [rsp + TMP2], %%XMM2
793 vmovdqu [rsp + TMP3], %%XMM3
794 vmovdqu [rsp + TMP4], %%XMM4
795 vmovdqu [rsp + TMP5], %%XMM5
796 vmovdqu [rsp + TMP6], %%XMM6
797 vmovdqu [rsp + TMP7], %%XMM7
798 vmovdqu [rsp + TMP8], %%XMM8
800 %ifidn %%loop_idx, in_order
801 vpaddd %%XMM1, %%CTR, [ONE] ; INCR CNT
802 vpaddd %%XMM2, %%XMM1, [ONE]
803 vpaddd %%XMM3, %%XMM2, [ONE]
804 vpaddd %%XMM4, %%XMM3, [ONE]
805 vpaddd %%XMM5, %%XMM4, [ONE]
806 vpaddd %%XMM6, %%XMM5, [ONE]
807 vpaddd %%XMM7, %%XMM6, [ONE]
808 vpaddd %%XMM8, %%XMM7, [ONE]
809 vmovdqa %%CTR, %%XMM8
811 vpshufb %%XMM1, [SHUF_MASK] ; perform a 16Byte swap
812 vpshufb %%XMM2, [SHUF_MASK] ; perform a 16Byte swap
813 vpshufb %%XMM3, [SHUF_MASK] ; perform a 16Byte swap
814 vpshufb %%XMM4, [SHUF_MASK] ; perform a 16Byte swap
815 vpshufb %%XMM5, [SHUF_MASK] ; perform a 16Byte swap
816 vpshufb %%XMM6, [SHUF_MASK] ; perform a 16Byte swap
817 vpshufb %%XMM7, [SHUF_MASK] ; perform a 16Byte swap
818 vpshufb %%XMM8, [SHUF_MASK] ; perform a 16Byte swap
820 vpaddd %%XMM1, %%CTR, [ONEf] ; INCR CNT
821 vpaddd %%XMM2, %%XMM1, [ONEf]
822 vpaddd %%XMM3, %%XMM2, [ONEf]
823 vpaddd %%XMM4, %%XMM3, [ONEf]
824 vpaddd %%XMM5, %%XMM4, [ONEf]
825 vpaddd %%XMM6, %%XMM5, [ONEf]
826 vpaddd %%XMM7, %%XMM6, [ONEf]
827 vpaddd %%XMM8, %%XMM7, [ONEf]
828 vmovdqa %%CTR, %%XMM8
833 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
835 vmovdqu %%T1, [%%GDATA + 16*0]
845 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
851 vmovdqu %%T1, [%%GDATA + 16*1]
862 vmovdqu %%T1, [%%GDATA + 16*2]
872 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
874 vmovdqu %%T5, [%%GDATA + HashKey_8]
875 vpclmulqdq %%T4, %%T2, %%T5, 0x11 ; %%T4 = a1*b1
876 vpclmulqdq %%T7, %%T2, %%T5, 0x00 ; %%T7 = a0*b0
878 vpshufd %%T6, %%T2, 01001110b
881 vmovdqu %%T5, [%%GDATA + HashKey_8_k]
882 vpclmulqdq %%T6, %%T6, %%T5, 0x00 ;
885 vmovdqu %%T1, [%%GDATA + 16*3]
895 vmovdqu %%T1, [rsp + TMP2]
896 vmovdqu %%T5, [%%GDATA + HashKey_7]
897 vpclmulqdq %%T3, %%T1, %%T5, 0x11
898 vpxor %%T4, %%T4, %%T3
899 vpclmulqdq %%T3, %%T1, %%T5, 0x00
900 vpxor %%T7, %%T7, %%T3
902 vpshufd %%T3, %%T1, 01001110b
904 vmovdqu %%T5, [%%GDATA + HashKey_7_k]
905 vpclmulqdq %%T3, %%T3, %%T5, 0x10
906 vpxor %%T6, %%T6, %%T3
908 vmovdqu %%T1, [%%GDATA + 16*4]
918 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
919 vmovdqu %%T1, [rsp + TMP3]
920 vmovdqu %%T5, [%%GDATA + HashKey_6]
921 vpclmulqdq %%T3, %%T1, %%T5, 0x11
922 vpxor %%T4, %%T4, %%T3
923 vpclmulqdq %%T3, %%T1, %%T5, 0x00
924 vpxor %%T7, %%T7, %%T3
926 vpshufd %%T3, %%T1, 01001110b
928 vmovdqu %%T5, [%%GDATA + HashKey_6_k]
929 vpclmulqdq %%T3, %%T3, %%T5, 0x10
930 vpxor %%T6, %%T6, %%T3
932 vmovdqu %%T1, [%%GDATA + 16*5]
943 vmovdqu %%T1, [rsp + TMP4]
944 vmovdqu %%T5, [%%GDATA + HashKey_5]
945 vpclmulqdq %%T3, %%T1, %%T5, 0x11
946 vpxor %%T4, %%T4, %%T3
947 vpclmulqdq %%T3, %%T1, %%T5, 0x00
948 vpxor %%T7, %%T7, %%T3
950 vpshufd %%T3, %%T1, 01001110b
952 vmovdqu %%T5, [%%GDATA + HashKey_5_k]
953 vpclmulqdq %%T3, %%T3, %%T5, 0x10
954 vpxor %%T6, %%T6, %%T3
956 vmovdqu %%T1, [%%GDATA + 16*6]
966 vmovdqu %%T1, [rsp + TMP5]
967 vmovdqu %%T5, [%%GDATA + HashKey_4]
968 vpclmulqdq %%T3, %%T1, %%T5, 0x11
969 vpxor %%T4, %%T4, %%T3
970 vpclmulqdq %%T3, %%T1, %%T5, 0x00
971 vpxor %%T7, %%T7, %%T3
973 vpshufd %%T3, %%T1, 01001110b
975 vmovdqu %%T5, [%%GDATA + HashKey_4_k]
976 vpclmulqdq %%T3, %%T3, %%T5, 0x10
977 vpxor %%T6, %%T6, %%T3
980 vmovdqu %%T1, [%%GDATA + 16*7]
990 vmovdqu %%T1, [rsp + TMP6]
991 vmovdqu %%T5, [%%GDATA + HashKey_3]
992 vpclmulqdq %%T3, %%T1, %%T5, 0x11
993 vpxor %%T4, %%T4, %%T3
994 vpclmulqdq %%T3, %%T1, %%T5, 0x00
995 vpxor %%T7, %%T7, %%T3
997 vpshufd %%T3, %%T1, 01001110b
999 vmovdqu %%T5, [%%GDATA + HashKey_3_k]
1000 vpclmulqdq %%T3, %%T3, %%T5, 0x10
1001 vpxor %%T6, %%T6, %%T3
1003 vmovdqu %%T1, [%%GDATA + 16*8]
1004 vaesenc %%XMM1, %%T1
1005 vaesenc %%XMM2, %%T1
1006 vaesenc %%XMM3, %%T1
1007 vaesenc %%XMM4, %%T1
1008 vaesenc %%XMM5, %%T1
1009 vaesenc %%XMM6, %%T1
1010 vaesenc %%XMM7, %%T1
1011 vaesenc %%XMM8, %%T1
1013 vmovdqu %%T1, [rsp + TMP7]
1014 vmovdqu %%T5, [%%GDATA + HashKey_2]
1015 vpclmulqdq %%T3, %%T1, %%T5, 0x11
1016 vpxor %%T4, %%T4, %%T3
1017 vpclmulqdq %%T3, %%T1, %%T5, 0x00
1018 vpxor %%T7, %%T7, %%T3
1020 vpshufd %%T3, %%T1, 01001110b
1022 vmovdqu %%T5, [%%GDATA + HashKey_2_k]
1023 vpclmulqdq %%T3, %%T3, %%T5, 0x10
1024 vpxor %%T6, %%T6, %%T3
1025 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1027 vmovdqu %%T5, [%%GDATA + 16*9]
1028 vaesenc %%XMM1, %%T5
1029 vaesenc %%XMM2, %%T5
1030 vaesenc %%XMM3, %%T5
1031 vaesenc %%XMM4, %%T5
1032 vaesenc %%XMM5, %%T5
1033 vaesenc %%XMM6, %%T5
1034 vaesenc %%XMM7, %%T5
1035 vaesenc %%XMM8, %%T5
1037 vmovdqu %%T1, [rsp + TMP8]
1038 vmovdqu %%T5, [%%GDATA + HashKey]
1039 vpclmulqdq %%T3, %%T1, %%T5, 0x11
1040 vpxor %%T4, %%T4, %%T3
1041 vpclmulqdq %%T3, %%T1, %%T5, 0x00
1042 vpxor %%T7, %%T7, %%T3
1044 vpshufd %%T3, %%T1, 01001110b
1046 vmovdqu %%T5, [%%GDATA + HashKey_k]
1047 vpclmulqdq %%T3, %%T3, %%T5, 0x10
1048 vpxor %%T6, %%T6, %%T3
1054 vmovdqu %%T5, [%%GDATA + 16*10]
1059 %ifidn %%ENC_DEC, ENC
1062 VXLDR %%T2, [%%PLAIN_CYPH_IN+%%DATA_OFFSET+16*i]
1063 vpxor %%T2, %%T2, %%T5
1065 vpxor %%T2, %%T5, [%%PLAIN_CYPH_IN+%%DATA_OFFSET+16*i]
1068 vaesenclast reg(j), reg(j), %%T2
1072 VXLDR %%T2, [%%PLAIN_CYPH_IN+%%DATA_OFFSET+16*i]
1073 vpxor %%T2, %%T2, %%T5
1074 vaesenclast %%T3, reg(j), %%T2
1075 vpxor reg(j), %%T2, %%T5
1076 VXSTR [%%CYPH_PLAIN_OUT+%%DATA_OFFSET+16*i], %%T3
1084 vpslldq %%T3, %%T6, 8 ; shift-L %%T3 2 DWs
1085 vpsrldq %%T6, %%T6, 8 ; shift-R %%T2 2 DWs
1087 vpxor %%T6, %%T4 ; accumulate the results in %%T6:%%T7
1090 ;first phase of the reduction
1092 vpslld %%T2, %%T7, 31 ; packed right shifting << 31
1093 vpslld %%T3, %%T7, 30 ; packed right shifting shift << 30
1094 vpslld %%T4, %%T7, 25 ; packed right shifting shift << 25
1096 vpxor %%T2, %%T2, %%T3 ; xor the shifted versions
1097 vpxor %%T2, %%T2, %%T4
1099 vpsrldq %%T1, %%T2, 4 ; shift-R %%T1 1 DW
1101 vpslldq %%T2, %%T2, 12 ; shift-L %%T2 3 DWs
1102 vpxor %%T7, %%T2 ; first phase of the reduction complete
1103 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1104 %ifidn %%ENC_DEC, ENC
1105 VXSTR [%%CYPH_PLAIN_OUT+%%DATA_OFFSET+16*0], %%XMM1 ; Write to the Ciphertext buffer
1106 VXSTR [%%CYPH_PLAIN_OUT+%%DATA_OFFSET+16*1], %%XMM2 ; Write to the Ciphertext buffer
1107 VXSTR [%%CYPH_PLAIN_OUT+%%DATA_OFFSET+16*2], %%XMM3 ; Write to the Ciphertext buffer
1108 VXSTR [%%CYPH_PLAIN_OUT+%%DATA_OFFSET+16*3], %%XMM4 ; Write to the Ciphertext buffer
1109 VXSTR [%%CYPH_PLAIN_OUT+%%DATA_OFFSET+16*4], %%XMM5 ; Write to the Ciphertext buffer
1110 VXSTR [%%CYPH_PLAIN_OUT+%%DATA_OFFSET+16*5], %%XMM6 ; Write to the Ciphertext buffer
1111 VXSTR [%%CYPH_PLAIN_OUT+%%DATA_OFFSET+16*6], %%XMM7 ; Write to the Ciphertext buffer
1112 VXSTR [%%CYPH_PLAIN_OUT+%%DATA_OFFSET+16*7], %%XMM8 ; Write to the Ciphertext buffer
1115 ;second phase of the reduction
1117 vpsrld %%T2,%%T7,1 ; packed left shifting >> 1
1118 vpsrld %%T3,%%T7,2 ; packed left shifting >> 2
1119 vpsrld %%T4,%%T7,7 ; packed left shifting >> 7
1120 vpxor %%T2, %%T2,%%T3 ; xor the shifted versions
1121 vpxor %%T2, %%T2,%%T4
1123 vpxor %%T2, %%T2, %%T1
1124 vpxor %%T7, %%T7, %%T2
1125 vpxor %%T6, %%T6, %%T7 ; the result is in %%T6
1129 vpshufb %%XMM1, [SHUF_MASK] ; perform a 16Byte swap
1130 vpshufb %%XMM2, [SHUF_MASK]
1131 vpshufb %%XMM3, [SHUF_MASK]
1132 vpshufb %%XMM4, [SHUF_MASK]
1133 vpshufb %%XMM5, [SHUF_MASK]
1134 vpshufb %%XMM6, [SHUF_MASK]
1135 vpshufb %%XMM7, [SHUF_MASK]
1136 vpshufb %%XMM8, [SHUF_MASK]
1144 ; GHASH the last 4 ciphertext blocks.
1145 %macro GHASH_LAST_8 16
1165 vpshufd %%T2, %%XMM1, 01001110b
1167 vmovdqu %%T5, [%%GDATA + HashKey_8]
1168 vpclmulqdq %%T6, %%XMM1, %%T5, 0x11
1169 vpclmulqdq %%T7, %%XMM1, %%T5, 0x00
1171 vmovdqu %%T3, [%%GDATA + HashKey_8_k]
1172 vpclmulqdq %%XMM1, %%T2, %%T3, 0x00
1175 ;;;;;;;;;;;;;;;;;;;;;;
1178 vpshufd %%T2, %%XMM2, 01001110b
1180 vmovdqu %%T5, [%%GDATA + HashKey_7]
1181 vpclmulqdq %%T4, %%XMM2, %%T5, 0x11
1182 vpxor %%T6, %%T6, %%T4
1184 vpclmulqdq %%T4, %%XMM2, %%T5, 0x00
1185 vpxor %%T7, %%T7, %%T4
1187 vmovdqu %%T3, [%%GDATA + HashKey_7_k]
1188 vpclmulqdq %%T2, %%T2, %%T3, 0x00
1189 vpxor %%XMM1, %%XMM1, %%T2
1191 ;;;;;;;;;;;;;;;;;;;;;;
1194 vpshufd %%T2, %%XMM3, 01001110b
1196 vmovdqu %%T5, [%%GDATA + HashKey_6]
1197 vpclmulqdq %%T4, %%XMM3, %%T5, 0x11
1198 vpxor %%T6, %%T6, %%T4
1200 vpclmulqdq %%T4, %%XMM3, %%T5, 0x00
1201 vpxor %%T7, %%T7, %%T4
1203 vmovdqu %%T3, [%%GDATA + HashKey_6_k]
1204 vpclmulqdq %%T2, %%T2, %%T3, 0x00
1205 vpxor %%XMM1, %%XMM1, %%T2
1207 ;;;;;;;;;;;;;;;;;;;;;;
1210 vpshufd %%T2, %%XMM4, 01001110b
1212 vmovdqu %%T5, [%%GDATA + HashKey_5]
1213 vpclmulqdq %%T4, %%XMM4, %%T5, 0x11
1214 vpxor %%T6, %%T6, %%T4
1216 vpclmulqdq %%T4, %%XMM4, %%T5, 0x00
1217 vpxor %%T7, %%T7, %%T4
1219 vmovdqu %%T3, [%%GDATA + HashKey_5_k]
1220 vpclmulqdq %%T2, %%T2, %%T3, 0x00
1221 vpxor %%XMM1, %%XMM1, %%T2
1223 ;;;;;;;;;;;;;;;;;;;;;;
1225 vpshufd %%T2, %%XMM5, 01001110b
1227 vmovdqu %%T5, [%%GDATA + HashKey_4]
1228 vpclmulqdq %%T4, %%XMM5, %%T5, 0x11
1229 vpxor %%T6, %%T6, %%T4
1231 vpclmulqdq %%T4, %%XMM5, %%T5, 0x00
1232 vpxor %%T7, %%T7, %%T4
1234 vmovdqu %%T3, [%%GDATA + HashKey_4_k]
1235 vpclmulqdq %%T2, %%T2, %%T3, 0x00
1236 vpxor %%XMM1, %%XMM1, %%T2
1238 ;;;;;;;;;;;;;;;;;;;;;;
1240 vpshufd %%T2, %%XMM6, 01001110b
1242 vmovdqu %%T5, [%%GDATA + HashKey_3]
1244 vpclmulqdq %%T4, %%XMM6, %%T5, 0x11
1245 vpxor %%T6, %%T6, %%T4
1247 vpclmulqdq %%T4, %%XMM6, %%T5, 0x00
1248 vpxor %%T7, %%T7, %%T4
1250 vmovdqu %%T3, [%%GDATA + HashKey_3_k]
1251 vpclmulqdq %%T2, %%T2, %%T3, 0x00
1252 vpxor %%XMM1, %%XMM1, %%T2
1254 ;;;;;;;;;;;;;;;;;;;;;;
1256 vpshufd %%T2, %%XMM7, 01001110b
1258 vmovdqu %%T5, [%%GDATA + HashKey_2]
1259 vpclmulqdq %%T4, %%XMM7, %%T5, 0x11
1260 vpxor %%T6, %%T6, %%T4
1262 vpclmulqdq %%T4, %%XMM7, %%T5, 0x00
1263 vpxor %%T7, %%T7, %%T4
1265 vmovdqu %%T3, [%%GDATA + HashKey_2_k]
1266 vpclmulqdq %%T2, %%T2, %%T3, 0x00
1267 vpxor %%XMM1, %%XMM1, %%T2
1269 ;;;;;;;;;;;;;;;;;;;;;;
1271 vpshufd %%T2, %%XMM8, 01001110b
1273 vmovdqu %%T5, [%%GDATA + HashKey]
1274 vpclmulqdq %%T4, %%XMM8, %%T5, 0x11
1275 vpxor %%T6, %%T6, %%T4
1277 vpclmulqdq %%T4, %%XMM8, %%T5, 0x00
1278 vpxor %%T7, %%T7, %%T4
1280 vmovdqu %%T3, [%%GDATA + HashKey_k]
1281 vpclmulqdq %%T2, %%T2, %%T3, 0x00
1283 vpxor %%XMM1, %%XMM1, %%T2
1284 vpxor %%XMM1, %%XMM1, %%T6
1285 vpxor %%T2, %%XMM1, %%T7
1290 vpslldq %%T4, %%T2, 8
1291 vpsrldq %%T2, %%T2, 8
1294 vpxor %%T6, %%T2 ; <%%T6:%%T7> holds the result of the accumulated carry-less multiplications
1296 ;first phase of the reduction
1298 vpslld %%T2, %%T7, 31 ; packed right shifting << 31
1299 vpslld %%T3, %%T7, 30 ; packed right shifting shift << 30
1300 vpslld %%T4, %%T7, 25 ; packed right shifting shift << 25
1302 vpxor %%T2, %%T2, %%T3 ; xor the shifted versions
1303 vpxor %%T2, %%T2, %%T4
1305 vpsrldq %%T1, %%T2, 4 ; shift-R %%T1 1 DW
1307 vpslldq %%T2, %%T2, 12 ; shift-L %%T2 3 DWs
1308 vpxor %%T7, %%T2 ; first phase of the reduction complete
1309 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1311 ;second phase of the reduction
1313 vpsrld %%T2,%%T7,1 ; packed left shifting >> 1
1314 vpsrld %%T3,%%T7,2 ; packed left shifting >> 2
1315 vpsrld %%T4,%%T7,7 ; packed left shifting >> 7
1316 vpxor %%T2, %%T2,%%T3 ; xor the shifted versions
1317 vpxor %%T2, %%T2,%%T4
1319 vpxor %%T2, %%T2, %%T1
1320 vpxor %%T7, %%T7, %%T2
1321 vpxor %%T6, %%T6, %%T7 ; the result is in %%T6
1327 ; Encryption of a single block
1328 %macro ENCRYPT_SINGLE_BLOCK 2
1332 vpxor %%XMM0, [%%GDATA+16*0]
1335 vaesenc %%XMM0, [%%GDATA+16*i]
1338 vaesenclast %%XMM0, [%%GDATA+16*10]
1342 ;; Start of Stack Setup
1345 ;; Required for Update/GMC_ENC
1346 ;the number of pushes must equal STACK_OFFSET
1353 sub rsp, VARIABLE_OFFSET
1356 %ifidn __OUTPUT_FORMAT__, win64
1357 ; xmm6:xmm15 need to be maintained for Windows
1358 vmovdqu [rsp + LOCAL_STORAGE + 0*16],xmm6
1359 vmovdqu [rsp + LOCAL_STORAGE + 1*16],xmm7
1360 vmovdqu [rsp + LOCAL_STORAGE + 2*16],xmm8
1361 vmovdqu [rsp + LOCAL_STORAGE + 3*16],xmm9
1362 vmovdqu [rsp + LOCAL_STORAGE + 4*16],xmm10
1363 vmovdqu [rsp + LOCAL_STORAGE + 5*16],xmm11
1364 vmovdqu [rsp + LOCAL_STORAGE + 6*16],xmm12
1365 vmovdqu [rsp + LOCAL_STORAGE + 7*16],xmm13
1366 vmovdqu [rsp + LOCAL_STORAGE + 8*16],xmm14
1367 vmovdqu [rsp + LOCAL_STORAGE + 9*16],xmm15
1372 %macro FUNC_RESTORE 0
1374 %ifidn __OUTPUT_FORMAT__, win64
1375 vmovdqu xmm15 , [rsp + LOCAL_STORAGE + 9*16]
1376 vmovdqu xmm14 , [rsp + LOCAL_STORAGE + 8*16]
1377 vmovdqu xmm13 , [rsp + LOCAL_STORAGE + 7*16]
1378 vmovdqu xmm12 , [rsp + LOCAL_STORAGE + 6*16]
1379 vmovdqu xmm11 , [rsp + LOCAL_STORAGE + 5*16]
1380 vmovdqu xmm10 , [rsp + LOCAL_STORAGE + 4*16]
1381 vmovdqu xmm9 , [rsp + LOCAL_STORAGE + 3*16]
1382 vmovdqu xmm8 , [rsp + LOCAL_STORAGE + 2*16]
1383 vmovdqu xmm7 , [rsp + LOCAL_STORAGE + 1*16]
1384 vmovdqu xmm6 , [rsp + LOCAL_STORAGE + 0*16]
1387 ;; Required for Update/GMC_ENC
1396 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1397 ; GCM_INIT initializes a gcm_data struct to prepare for encoding/decoding.
1398 ; Input: gcm_data struct* (GDATA), IV, Additional Authentication data (A_IN), Additional
1399 ; Data length (A_LEN)
1400 ; Output: Updated GDATA with the hash of A_IN (AadHash) and initialized other parts of GDATA.
1401 ; Clobbers rax, r10-r13, and xmm0-xmm6
1402 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1408 %define %%AAD_HASH xmm0
1409 %define %%SUBHASH xmm1
1412 vmovdqu %%SUBHASH, [%%GDATA + HashKey]
1414 CALC_AAD_HASH %%A_IN, %%A_LEN, %%AAD_HASH, %%SUBHASH, xmm2, xmm3, xmm4, xmm5, xmm6, r10, r11, r12, r13, rax
1418 vmovdqu [%%GDATA + AadHash], %%AAD_HASH ; my_ctx_data.aad hash = aad_hash
1419 mov [%%GDATA + AadLen], r10 ; my_ctx_data.aad_length = aad_length
1421 mov [%%GDATA + InLen], r10 ; my_ctx_data.in_length = 0
1422 mov [%%GDATA + PBlockLen], r10 ; my_ctx_data.partial_block_length = 0
1423 vmovdqu [%%GDATA + PBlockEncKey], xmm2 ; my_ctx_data.partial_block_enc_key = 0
1426 vmovdqu [%%GDATA + OrigIV], xmm2 ; my_ctx_data.orig_IV = iv
1428 vpshufb xmm2, [SHUF_MASK]
1430 vmovdqu [%%GDATA + CurCount], xmm2 ; my_ctx_data.current_counter = iv
1434 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1435 ; GCM_ENC_DEC Encodes/Decodes given data. Assumes that the passed gcm_data struct has been
1436 ; initialized by GCM_INIT
1437 ; Requires the input data be at least 1 byte long because of READ_SMALL_INPUT_DATA.
1438 ; Input: gcm_data struct* (GDATA), input text (PLAIN_CYPH_IN), input text length (PLAIN_CYPH_LEN),
1439 ; and whether encoding or decoding (ENC_DEC)
1440 ; Output: A cypher of the given plain text (CYPH_PLAIN_OUT), and updated GDATA
1441 ; Clobbers rax, r10-r15, and xmm0-xmm15
1442 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1443 %macro GCM_ENC_DEC 5
1445 %define %%CYPH_PLAIN_OUT %2
1446 %define %%PLAIN_CYPH_IN %3
1447 %define %%PLAIN_CYPH_LEN %4
1448 %define %%ENC_DEC %5
1449 %define %%DATA_OFFSET r11
1452 ; calculate the number of 16byte blocks in the message
1453 ; process (number of 16byte blocks) mod 8 '%%_initial_num_blocks_is_# .. %%_initial_blocks_encrypted'
1454 ; process 8 16 byte blocks at a time until all are done '%%_encrypt_by_8_new .. %%_eight_cipher_left'
1455 ; if there is a block of less tahn 16 bytes process it '%%_zero_cipher_left .. %%_multiple_of_16_bytes'
1456 cmp %%PLAIN_CYPH_LEN, 0
1457 je %%_multiple_of_16_bytes
1459 xor %%DATA_OFFSET, %%DATA_OFFSET
1460 add [%%GDATA+InLen], %%PLAIN_CYPH_LEN ;Update length of data processed
1461 vmovdqu xmm13, [%%GDATA + HashKey] ; xmm13 = HashKey
1462 vmovdqu xmm8, [%%GDATA + AadHash]
1465 PARTIAL_BLOCK %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, %%PLAIN_CYPH_LEN, %%DATA_OFFSET, xmm8, %%ENC_DEC
1468 mov r13, %%PLAIN_CYPH_LEN
1469 sub r13, %%DATA_OFFSET
1470 mov r10, r13 ; save the amount of data left to process in r10
1471 and r13, -16 ; r13 = r13 - (r13 mod 16)
1477 jz %%_initial_num_blocks_is_0
1480 je %%_initial_num_blocks_is_7
1482 je %%_initial_num_blocks_is_6
1484 je %%_initial_num_blocks_is_5
1486 je %%_initial_num_blocks_is_4
1488 je %%_initial_num_blocks_is_3
1490 je %%_initial_num_blocks_is_2
1492 jmp %%_initial_num_blocks_is_1
1494 %%_initial_num_blocks_is_7:
1495 INITIAL_BLOCKS %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, r13, %%DATA_OFFSET, 7, xmm12, xmm13, xmm14, xmm15, xmm11, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm10, xmm0, %%ENC_DEC
1497 jmp %%_initial_blocks_encrypted
1499 %%_initial_num_blocks_is_6:
1500 INITIAL_BLOCKS %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, r13, %%DATA_OFFSET, 6, xmm12, xmm13, xmm14, xmm15, xmm11, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm10, xmm0, %%ENC_DEC
1502 jmp %%_initial_blocks_encrypted
1504 %%_initial_num_blocks_is_5:
1505 INITIAL_BLOCKS %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, r13, %%DATA_OFFSET, 5, xmm12, xmm13, xmm14, xmm15, xmm11, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm10, xmm0, %%ENC_DEC
1507 jmp %%_initial_blocks_encrypted
1509 %%_initial_num_blocks_is_4:
1510 INITIAL_BLOCKS %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, r13, %%DATA_OFFSET, 4, xmm12, xmm13, xmm14, xmm15, xmm11, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm10, xmm0, %%ENC_DEC
1512 jmp %%_initial_blocks_encrypted
1515 %%_initial_num_blocks_is_3:
1516 INITIAL_BLOCKS %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, r13, %%DATA_OFFSET, 3, xmm12, xmm13, xmm14, xmm15, xmm11, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm10, xmm0, %%ENC_DEC
1518 jmp %%_initial_blocks_encrypted
1519 %%_initial_num_blocks_is_2:
1520 INITIAL_BLOCKS %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, r13, %%DATA_OFFSET, 2, xmm12, xmm13, xmm14, xmm15, xmm11, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm10, xmm0, %%ENC_DEC
1522 jmp %%_initial_blocks_encrypted
1524 %%_initial_num_blocks_is_1:
1525 INITIAL_BLOCKS %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, r13, %%DATA_OFFSET, 1, xmm12, xmm13, xmm14, xmm15, xmm11, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm10, xmm0, %%ENC_DEC
1527 jmp %%_initial_blocks_encrypted
1529 %%_initial_num_blocks_is_0:
1530 INITIAL_BLOCKS %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, r13, %%DATA_OFFSET, 0, xmm12, xmm13, xmm14, xmm15, xmm11, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm10, xmm0, %%ENC_DEC
1533 %%_initial_blocks_encrypted:
1535 je %%_zero_cipher_left
1538 je %%_eight_cipher_left
1545 vpshufb xmm9, [SHUF_MASK]
1548 %%_encrypt_by_8_new:
1555 GHASH_8_ENCRYPT_8_PARALLEL %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN, %%DATA_OFFSET, xmm0, xmm10, xmm11, xmm12, xmm13, xmm14, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm15, out_order, %%ENC_DEC
1556 add %%DATA_OFFSET, 128
1558 jne %%_encrypt_by_8_new
1560 vpshufb xmm9, [SHUF_MASK]
1561 jmp %%_eight_cipher_left
1564 vpshufb xmm9, [SHUF_MASK]
1566 GHASH_8_ENCRYPT_8_PARALLEL %%GDATA, %%CYPH_PLAIN_OUT, %%PLAIN_CYPH_IN,%%DATA_OFFSET, xmm0, xmm10, xmm11, xmm12, xmm13, xmm14, xmm9, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8, xmm15, in_order, %%ENC_DEC
1567 vpshufb xmm9, [SHUF_MASK]
1568 add %%DATA_OFFSET, 128
1570 jne %%_encrypt_by_8_new
1572 vpshufb xmm9, [SHUF_MASK]
1577 %%_eight_cipher_left:
1578 GHASH_LAST_8 %%GDATA, xmm0, xmm10, xmm11, xmm12, xmm13, xmm14, xmm15, xmm1, xmm2, xmm3, xmm4, xmm5, xmm6, xmm7, xmm8
1581 %%_zero_cipher_left:
1582 vmovdqu [%%GDATA + AadHash], xmm14 ; my_ctx_data.aad hash = xmm14
1583 vmovdqu [%%GDATA + CurCount], xmm9 ; my_ctx_data.current_counter = xmm9
1586 and r13, 15 ; r13 = (%%PLAIN_CYPH_LEN mod 16)
1588 je %%_multiple_of_16_bytes
1590 mov [%%GDATA + PBlockLen], r13 ; my_ctx_data.partial_blck_length = r13
1591 ; handle the last <16 Byte block seperately
1593 vpaddd xmm9, [ONE] ; INCR CNT to get Yn
1594 vmovdqu [%%GDATA + CurCount], xmm9 ; my_ctx_data.current_counter = xmm9
1595 vpshufb xmm9, [SHUF_MASK]
1596 ENCRYPT_SINGLE_BLOCK %%GDATA, xmm9 ; E(K, Yn)
1597 vmovdqu [%%GDATA + PBlockEncKey], xmm9 ; my_ctx_data.partial_block_enc_key = xmm9
1599 cmp %%PLAIN_CYPH_LEN, 16
1600 jge %%_large_enough_update
1602 lea r10, [%%PLAIN_CYPH_IN + %%DATA_OFFSET]
1603 READ_SMALL_DATA_INPUT xmm1, r10, r13, r12, r15, rax
1604 lea r12, [SHIFT_MASK + 16]
1608 %%_large_enough_update:
1609 sub %%DATA_OFFSET, 16
1610 add %%DATA_OFFSET, r13
1612 vmovdqu xmm1, [%%PLAIN_CYPH_IN+%%DATA_OFFSET] ; receive the last <16 Byte block
1614 sub %%DATA_OFFSET, r13
1615 add %%DATA_OFFSET, 16
1618 lea r12, [SHIFT_MASK + 16]
1619 sub r12, r13 ; adjust the shuffle mask pointer to be able to shift 16-r13 bytes (r13 is the number of bytes in plaintext mod 16)
1621 vmovdqu xmm2, [r12] ; get the appropriate shuffle mask
1622 vpshufb xmm1, xmm2 ; shift right 16-r13 bytes
1624 %ifidn %%ENC_DEC, DEC
1626 vpxor xmm9, xmm1 ; Plaintext XOR E(K, Yn)
1627 vmovdqu xmm1, [r12 + ALL_F - SHIFT_MASK] ; get the appropriate mask to mask out top 16-r13 bytes of xmm9
1628 vpand xmm9, xmm1 ; mask out top 16-r13 bytes of xmm9
1630 vpshufb xmm2, [SHUF_MASK]
1632 vmovdqu [%%GDATA + AadHash], xmm14
1635 vpxor xmm9, xmm1 ; Plaintext XOR E(K, Yn)
1636 vmovdqu xmm1, [r12 + ALL_F - SHIFT_MASK] ; get the appropriate mask to mask out top 16-r13 bytes of xmm9
1637 vpand xmm9, xmm1 ; mask out top 16-r13 bytes of xmm9
1638 vpshufb xmm9, [SHUF_MASK]
1640 vmovdqu [%%GDATA + AadHash], xmm14
1642 vpshufb xmm9, [SHUF_MASK] ; shuffle xmm9 back to output as ciphertext
1645 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1649 jle %%_less_than_8_bytes_left
1651 mov [%%CYPH_PLAIN_OUT + %%DATA_OFFSET], rax
1652 add %%DATA_OFFSET, 8
1653 vpsrldq xmm9, xmm9, 8
1657 %%_less_than_8_bytes_left:
1658 mov BYTE [%%CYPH_PLAIN_OUT + %%DATA_OFFSET], al
1659 add %%DATA_OFFSET, 1
1662 jne %%_less_than_8_bytes_left
1663 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1665 %%_multiple_of_16_bytes:
1672 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1673 ; GCM_COMPLETE Finishes Encyrption/Decryption of last partial block after GCM_UPDATE finishes.
1674 ; Input: A gcm_data struct* (GDATA) and whether encoding or decoding (ENC_DEC).
1675 ; Output: Authorization Tag (AUTH_TAG) and Authorization Tag length (AUTH_TAG_LEN)
1676 ; Clobbers rax, r10-r12, and xmm0, xmm1, xmm5, xmm6, xmm9, xmm11, xmm14, xmm15
1677 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1678 %macro GCM_COMPLETE 4
1680 %define %%AUTH_TAG %2
1681 %define %%AUTH_TAG_LEN %3
1682 %define %%ENC_DEC %4
1683 %define %%PLAIN_CYPH_LEN rax
1685 mov r12, [%%GDATA + PBlockLen]
1686 vmovdqu xmm14, [%%GDATA+AadHash]
1687 vmovdqu xmm13, [%%GDATA+HashKey]
1693 GHASH_MUL xmm14, xmm13, xmm0, xmm10, xmm11, xmm5, xmm6 ;GHASH computation for the last <16 Byte block
1694 vmovdqu [%%GDATA+AadHash], xmm14
1698 mov r12, [%%GDATA + AadLen] ; r12 = aadLen (number of bytes)
1699 mov %%PLAIN_CYPH_LEN, [%%GDATA+InLen]
1701 shl r12, 3 ; convert into number of bits
1702 vmovd xmm15, r12d ; len(A) in xmm15
1704 shl %%PLAIN_CYPH_LEN, 3 ; len(C) in bits (*128)
1705 vmovq xmm1, %%PLAIN_CYPH_LEN
1706 vpslldq xmm15, xmm15, 8 ; xmm15 = len(A)|| 0x0000000000000000
1707 vpxor xmm15, xmm1 ; xmm15 = len(A)||len(C)
1710 GHASH_MUL xmm14, xmm13, xmm0, xmm10, xmm11, xmm5, xmm6 ; final GHASH computation
1711 vpshufb xmm14, [SHUF_MASK] ; perform a 16Byte swap
1713 vmovdqu xmm9, [%%GDATA+OrigIV] ; xmm9 = Y0
1715 ENCRYPT_SINGLE_BLOCK %%GDATA, xmm9 ; E(K, Y0)
1721 mov r10, %%AUTH_TAG ; r10 = authTag
1722 mov r11, %%AUTH_TAG_LEN ; r11 = auth_tag_len
1733 jmp %%_return_T_done
1737 vpsrldq xmm9, xmm9, 8
1740 jmp %%_return_T_done
1746 %endmacro ; GCM_COMPLETE
1749 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1750 ;void aesni_gcm128_precomp_avx_gen2
1751 ; (gcm_data *my_ctx_data);
1752 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1753 global aesni_gcm128_precomp_avx_gen2
1754 aesni_gcm128_precomp_avx_gen2:
1764 sub rsp, VARIABLE_OFFSET
1765 and rsp, ~63 ; align rsp to 64 bytes
1767 %ifidn __OUTPUT_FORMAT__, win64
1768 ; only xmm6 needs to be maintained
1769 vmovdqu [rsp + LOCAL_STORAGE + 0*16],xmm6
1773 ENCRYPT_SINGLE_BLOCK arg1, xmm6 ; xmm6 = HashKey
1775 vpshufb xmm6, [SHUF_MASK]
1776 ;;;;;;;;;;;;;;; PRECOMPUTATION of HashKey<<1 mod poly from the HashKey;;;;;;;;;;;;;;;
1781 vpslldq xmm2, xmm2, 8
1782 vpsrldq xmm1, xmm1, 8
1785 vpshufd xmm2, xmm1, 00100100b
1786 vpcmpeqd xmm2, [TWOONE]
1788 vpxor xmm6, xmm2 ; xmm6 holds the HashKey<<1 mod poly
1789 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1790 vmovdqu [arg1 + HashKey], xmm6 ; store HashKey<<1 mod poly
1793 PRECOMPUTE arg1, xmm6, xmm0, xmm1, xmm2, xmm3, xmm4, xmm5
1795 %ifidn __OUTPUT_FORMAT__, win64
1796 vmovdqu xmm6, [rsp + LOCAL_STORAGE + 0*16]
1806 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1807 ;void aesni_gcm128_init_avx_gen2(
1808 ; gcm_data *my_ctx_data,
1809 ; u8 *iv, /* Pre-counter block j0: 4 byte salt (from Security Association) concatenated with 8 byte Initialisation Vector (from IPSec ESP Payload) concatenated with 0x00000001. 16-byte pointer. */
1810 ; const u8 *aad, /* Additional Authentication Data (AAD)*/
1811 ; u64 aad_len); /* Length of AAD in bytes (must be a multiple of 4 bytes). */
1812 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1813 global aesni_gcm128_init_avx_gen2
1814 aesni_gcm128_init_avx_gen2:
1819 %ifidn __OUTPUT_FORMAT__, win64
1820 ; xmm6:xmm15 need to be maintained for Windows
1822 vmovdqu [rsp + 0*16],xmm6
1825 GCM_INIT arg1, arg2, arg3, arg4
1827 %ifidn __OUTPUT_FORMAT__, win64
1828 vmovdqu xmm6 , [rsp + 0*16]
1836 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1837 ;void aesni_gcm128_enc_update_avx_gen2(
1838 ; gcm_data *my_ctx_data,
1839 ; u8 *out, /* Ciphertext output. Encrypt in-place is allowed. */
1840 ; const u8 *in, /* Plaintext input */
1841 ; u64 plaintext_len); /* Length of data in Bytes for encryption. must be a multiple of 16 bytes*/
1842 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1843 global aesni_gcm128_enc_update_avx_gen2
1844 aesni_gcm128_enc_update_avx_gen2:
1848 GCM_ENC_DEC arg1, arg2, arg3, arg4, ENC
1855 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1856 ;void aesni_gcm128_dec_update_avx_gen2(
1857 ; gcm_data *my_ctx_data,
1858 ; u8 *out, /* Plaintext output. Encrypt in-place is allowed. */
1859 ; const u8 *in, /* Cyphertext input */
1860 ; u64 plaintext_len); /* Length of data in Bytes for encryption. must be a multiple of 16 bytes*/
1861 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1862 global aesni_gcm128_dec_update_avx_gen2
1863 aesni_gcm128_dec_update_avx_gen2:
1867 GCM_ENC_DEC arg1, arg2, arg3, arg4, DEC
1874 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1875 ;void aesni_gcm128_enc_finalize_avx_gen2(
1876 ; gcm_data *my_ctx_data,
1877 ; u8 *auth_tag, /* Authenticated Tag output. */
1878 ; u64 auth_tag_len); /* Authenticated Tag Length in bytes. Valid values are 16 (most likely), 12 or 8. */
1879 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1880 global aesni_gcm128_enc_finalize_avx_gen2
1881 aesni_gcm128_enc_finalize_avx_gen2:
1885 %ifidn __OUTPUT_FORMAT__, win64
1886 ; xmm6:xmm15 need to be maintained for Windows
1888 vmovdqu [rsp + 0*16],xmm6
1889 vmovdqu [rsp + 1*16],xmm9
1890 vmovdqu [rsp + 2*16],xmm11
1891 vmovdqu [rsp + 3*16],xmm14
1892 vmovdqu [rsp + 4*16],xmm15
1894 GCM_COMPLETE arg1, arg2, arg3, ENC
1896 %ifidn __OUTPUT_FORMAT__, win64
1897 vmovdqu xmm15 , [rsp + 4*16]
1898 vmovdqu xmm14 , [rsp + 3*16]
1899 vmovdqu xmm11 , [rsp + 2*16]
1900 vmovdqu xmm9 , [rsp + 1*16]
1901 vmovdqu xmm6 , [rsp + 0*16]
1909 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1910 ;void aesni_gcm128_dec_finalize_avx_gen2(
1911 ; gcm_data *my_ctx_data,
1912 ; u8 *auth_tag, /* Authenticated Tag output. */
1913 ; u64 auth_tag_len); /* Authenticated Tag Length in bytes. Valid values are 16 (most likely), 12 or 8. */
1914 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1915 global aesni_gcm128_dec_finalize_avx_gen2
1916 aesni_gcm128_dec_finalize_avx_gen2:
1920 %ifidn __OUTPUT_FORMAT__, win64
1921 ; xmm6:xmm15 need to be maintained for Windows
1923 vmovdqu [rsp + 0*16],xmm6
1924 vmovdqu [rsp + 1*16],xmm9
1925 vmovdqu [rsp + 2*16],xmm11
1926 vmovdqu [rsp + 3*16],xmm14
1927 vmovdqu [rsp + 4*16],xmm15
1929 GCM_COMPLETE arg1, arg2, arg3, DEC
1931 %ifidn __OUTPUT_FORMAT__, win64
1932 vmovdqu xmm15 , [rsp + 4*16]
1933 vmovdqu xmm14 , [rsp + 3*16]
1934 vmovdqu xmm11 , [rsp + 2*16]
1935 vmovdqu xmm9 , [rsp + 1*16]
1936 vmovdqu xmm6 , [rsp + 0*16]
1944 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1945 ;void aesni_gcm128_enc_avx_gen2(
1946 ; gcm_data *my_ctx_data,
1947 ; u8 *out, /* Ciphertext output. Encrypt in-place is allowed. */
1948 ; const u8 *in, /* Plaintext input */
1949 ; u64 plaintext_len, /* Length of data in Bytes for encryption. */
1950 ; u8 *iv, /* Pre-counter block j0: 4 byte salt (from Security Association) concatenated with 8 byte Initialisation Vector (from IPSec ESP Payload) concatenated with 0x00000001. 16-byte pointer. */
1951 ; const u8 *aad, /* Additional Authentication Data (AAD)*/
1952 ; u64 aad_len, /* Length of AAD in bytes (must be a multiple of 4 bytes). */
1953 ; u8 *auth_tag, /* Authenticated Tag output. */
1954 ; u64 auth_tag_len); /* Authenticated Tag Length in bytes. Valid values are 16 (most likely), 12 or 8. */
1955 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1956 global aesni_gcm128_enc_avx_gen2
1957 aesni_gcm128_enc_avx_gen2:
1961 GCM_INIT arg1, arg5, arg6, arg7
1963 GCM_ENC_DEC arg1, arg2, arg3, arg4, ENC
1965 GCM_COMPLETE arg1, arg8, arg9, ENC
1971 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1972 ;void aesni_gcm128_dec_avx_gen2(
1973 ; gcm_data *my_ctx_data,
1974 ; u8 *out, /* Plaintext output. Decrypt in-place is allowed. */
1975 ; const u8 *in, /* Ciphertext input */
1976 ; u64 plaintext_len, /* Length of data in Bytes for encryption. */
1977 ; u8 *iv, /* Pre-counter block j0: 4 byte salt (from Security Association) concatenated with 8 byte Initialisation Vector (from IPSec ESP Payload) concatenated with 0x00000001. 16-byte pointer. */
1978 ; const u8 *aad, /* Additional Authentication Data (AAD)*/
1979 ; u64 aad_len, /* Length of AAD in bytes (must be a multiple of 4 bytes). */
1980 ; u8 *auth_tag, /* Authenticated Tag output. */
1981 ; u64 auth_tag_len); /* Authenticated Tag Length in bytes. Valid values are 16 (most likely), 12 or 8. */
1982 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1983 global aesni_gcm128_dec_avx_gen2
1984 aesni_gcm128_dec_avx_gen2:
1988 GCM_INIT arg1, arg5, arg6, arg7
1990 GCM_ENC_DEC arg1, arg2, arg3, arg4, DEC
1992 GCM_COMPLETE arg1, arg8, arg9, DEC