aes-s390x.pl

著名的开源密码源代码

	icm	$t1,1,0($i3)		# Te4[rk[5]>>24]
	x	$t1,256($t3,$tbl)	# rcon[i]
	xr	$s0,$t1			# rk[6]=rk[0]^...
	xr	$s1,$s0			# rk[7]=rk[1]^rk[6]
	xr	$s2,$s1			# rk[8]=rk[2]^rk[7]
	xr	$s3,$s2			# rk[9]=rk[3]^rk[8]

	st	$s0,24($key)
	st	$s1,28($key)
	st	$s2,32($key)
	st	$s3,36($key)
	brct	$rounds,.L192_continue
	lghi	%r2,0
	lmg	%r6,%r13,48($sp)
	br	$ra

.align	16
.L192_continue:
	lgr	$t1,$s3
	x	$t1,16($key)		# rk[10]=rk[4]^rk[9]
	st	$t1,40($key)
	x	$t1,20($key)		# rk[11]=rk[5]^rk[10]
	st	$t1,44($key)

	srlg	$i1,$t1,8
	srlg	$i2,$t1,16
	srlg	$i3,$t1,24
	nr	$t1,$mask
	nr	$i1,$mask
	nr	$i2,$mask

	la	$key,24($key)		# key+=6
	la	$t3,4($t3)		# i++
	j	.L192_loop

.align	16
.Lnot192:
	llgf	$t0,24($inp)
	llgf	$t1,28($inp)
	st	$t0,24($key)
	st	$t1,28($key)
	llill	$mask,0xff
	lghi	$t3,0			# i=0
	lghi	$rounds,14
	st	$rounds,240($key)
	lghi	$rounds,7

	srlg	$i1,$t1,8
	srlg	$i2,$t1,16
	srlg	$i3,$t1,24
	nr	$t1,$mask
	nr	$i1,$mask
	nr	$i2,$mask

.align	16
.L256_loop:
	la	$t1,0($t1,$tbl)
	la	$i1,0($i1,$tbl)
	la	$i2,0($i2,$tbl)
	la	$i3,0($i3,$tbl)
	icm	$t1,2,0($t1)		# Te4[rk[7]>>0]<<8
	icm	$t1,4,0($i1)		# Te4[rk[7]>>8]<<16
	icm	$t1,8,0($i2)		# Te4[rk[7]>>16]<<24
	icm	$t1,1,0($i3)		# Te4[rk[7]>>24]
	x	$t1,256($t3,$tbl)	# rcon[i]
	xr	$s0,$t1			# rk[8]=rk[0]^...
	xr	$s1,$s0			# rk[9]=rk[1]^rk[8]
	xr	$s2,$s1			# rk[10]=rk[2]^rk[9]
	xr	$s3,$s2			# rk[11]=rk[3]^rk[10]
	st	$s0,32($key)
	st	$s1,36($key)
	st	$s2,40($key)
	st	$s3,44($key)
	brct	$rounds,.L256_continue
	lghi	%r2,0
	lmg	%r6,%r13,48($sp)
	br	$ra

.align	16
.L256_continue:
	lgr	$t1,$s3			# temp=rk[11]
	srlg	$i1,$s3,8
	srlg	$i2,$s3,16
	srlg	$i3,$s3,24
	nr	$t1,$mask
	nr	$i1,$mask
	nr	$i2,$mask
	la	$t1,0($t1,$tbl)
	la	$i1,0($i1,$tbl)
	la	$i2,0($i2,$tbl)
	la	$i3,0($i3,$tbl)
	llgc	$t1,0($t1)		# Te4[rk[11]>>0]
	icm	$t1,2,0($i1)		# Te4[rk[11]>>8]<<8
	icm	$t1,4,0($i2)		# Te4[rk[11]>>16]<<16
	icm	$t1,8,0($i3)		# Te4[rk[11]>>24]<<24
	x	$t1,16($key)		# rk[12]=rk[4]^...
	st	$t1,48($key)
	x	$t1,20($key)		# rk[13]=rk[5]^rk[12]
	st	$t1,52($key)
	x	$t1,24($key)		# rk[14]=rk[6]^rk[13]
	st	$t1,56($key)
	x	$t1,28($key)		# rk[15]=rk[7]^rk[14]
	st	$t1,60($key)

	srlg	$i1,$t1,8
	srlg	$i2,$t1,16
	srlg	$i3,$t1,24
	nr	$t1,$mask
	nr	$i1,$mask
	nr	$i2,$mask

	la	$key,32($key)		# key+=8
	la	$t3,4($t3)		# i++
	j	.L256_loop

.Lminus1:
	lghi	%r2,-1
	br	$ra
.size	AES_set_encrypt_key,.-AES_set_encrypt_key

# void AES_set_decrypt_key(const unsigned char *in, int bits,
# 		 AES_KEY *key) {
.globl	AES_set_decrypt_key
.type	AES_set_decrypt_key,\@function
.align	16
AES_set_decrypt_key:
	stg	$key,32($sp)		# I rely on AES_set_encrypt_key to
	stg	$ra,112($sp)		# save non-volatile registers!
	bras	$ra,AES_set_encrypt_key
	lg	$key,32($sp)
	lg	$ra,112($sp)
	ltgr	%r2,%r2
	bnzr	$ra
___
$code.=<<___ if (!$softonly);
	l	$t0,240($key)
	lhi	$t1,16
	cr	$t0,$t1
	jl	.Lgo
	oill	$t0,0x80	# set "decrypt" bit
	st	$t0,240($key)
	br	$ra

.align	16
.Ldkey_internal:
	stg	$key,32($sp)
	stg	$ra,40($sp)
	bras	$ra,.Lekey_internal
	lg	$key,32($sp)
	lg	$ra,40($sp)
___
$code.=<<___;

.Lgo:	llgf	$rounds,240($key)
	la	$i1,0($key)
	sllg	$i2,$rounds,4
	la	$i2,0($i2,$key)
	srl	$rounds,1
	lghi	$t1,-16

.align	16
.Linv:	lmg	$s0,$s1,0($i1)
	lmg	$s2,$s3,0($i2)
	stmg	$s0,$s1,0($i2)
	stmg	$s2,$s3,0($i1)
	la	$i1,16($i1)
	la	$i2,0($t1,$i2)
	brct	$rounds,.Linv
___
$mask80=$i1;
$mask1b=$i2;
$maskfe=$i3;
$code.=<<___;
	llgf	$rounds,240($key)
	aghi	$rounds,-1
	sll	$rounds,2	# (rounds-1)*4
	llilh	$mask80,0x8080
	llilh	$mask1b,0x1b1b
	llilh	$maskfe,0xfefe
	oill	$mask80,0x8080
	oill	$mask1b,0x1b1b
	oill	$maskfe,0xfefe

.align	16
.Lmix:	l	$s0,16($key)	# tp1
	lr	$s1,$s0
	ngr	$s1,$mask80
	srlg	$t1,$s1,7
	slr	$s1,$t1
	nr	$s1,$mask1b
	sllg	$t1,$s0,1
	nr	$t1,$maskfe
	xr	$s1,$t1		# tp2

	lr	$s2,$s1
	ngr	$s2,$mask80
	srlg	$t1,$s2,7
	slr	$s2,$t1
	nr	$s2,$mask1b
	sllg	$t1,$s1,1
	nr	$t1,$maskfe
	xr	$s2,$t1		# tp4

	lr	$s3,$s2
	ngr	$s3,$mask80
	srlg	$t1,$s3,7
	slr	$s3,$t1
	nr	$s3,$mask1b
	sllg	$t1,$s2,1
	nr	$t1,$maskfe
	xr	$s3,$t1		# tp8

	xr	$s1,$s0		# tp2^tp1
	xr	$s2,$s0		# tp4^tp1
	rll	$s0,$s0,24	# = ROTATE(tp1,8)
	xr	$s2,$s3		# ^=tp8
	xr	$s0,$s1		# ^=tp2^tp1
	xr	$s1,$s3		# tp2^tp1^tp8
	xr	$s0,$s2		# ^=tp4^tp1^tp8
	rll	$s1,$s1,8
	rll	$s2,$s2,16
	xr	$s0,$s1		# ^= ROTATE(tp8^tp2^tp1,24)
	rll	$s3,$s3,24
	xr	$s0,$s2    	# ^= ROTATE(tp8^tp4^tp1,16)
	xr	$s0,$s3		# ^= ROTATE(tp8,8)

	st	$s0,16($key)
	la	$key,4($key)
	brct	$rounds,.Lmix

	lmg	%r6,%r13,48($sp)# as was saved by AES_set_encrypt_key!
	lghi	%r2,0
	br	$ra
.size	AES_set_decrypt_key,.-AES_set_decrypt_key
___

#void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
#                     size_t length, const AES_KEY *key,
#                     unsigned char *ivec, const int enc)
{
my $inp="%r2";
my $out="%r4";	# length and out are swapped
my $len="%r3";
my $key="%r5";
my $ivp="%r6";

$code.=<<___;
.globl	AES_cbc_encrypt
.type	AES_cbc_encrypt,\@function
.align	16
AES_cbc_encrypt:
	xgr	%r3,%r4		# flip %r3 and %r4, out and len
	xgr	%r4,%r3
	xgr	%r3,%r4
___
$code.=<<___ if (!$softonly);
	lhi	%r0,16
	cl	%r0,240($key)
	jh	.Lcbc_software

	lg	%r0,0($ivp)	# copy ivec
	lg	%r1,8($ivp)
	stmg	%r0,%r1,16($sp)
	lmg	%r0,%r1,0($key)	# copy key, cover 256 bit
	stmg	%r0,%r1,32($sp)
	lmg	%r0,%r1,16($key)
	stmg	%r0,%r1,48($sp)
	l	%r0,240($key)	# load kmc code
	lghi	$key,15		# res=len%16, len-=res;
	ngr	$key,$len
	slgr	$len,$key
	la	%r1,16($sp)	# parameter block - ivec || key
	jz	.Lkmc_truncated
	.long	0xb92f0042	# kmc %r4,%r2
	brc	1,.-4		# pay attention to "partial completion"
	ltr	$key,$key
	jnz	.Lkmc_truncated
.Lkmc_done:
	lmg	%r0,%r1,16($sp)	# copy ivec to caller
	stg	%r0,0($ivp)
	stg	%r1,8($ivp)
	br	$ra
.align	16
.Lkmc_truncated:
	ahi	$key,-1		# it's the way it's encoded in mvc
	tmll	%r0,0x80
	jnz	.Lkmc_truncated_dec
	lghi	%r1,0
	stg	%r1,128($sp)
	stg	%r1,136($sp)
	bras	%r1,1f
	mvc	128(1,$sp),0($inp)
1:	ex	$key,0(%r1)
	la	%r1,16($sp)	# restore parameter block
	la	$inp,128($sp)
	lghi	$len,16
	.long	0xb92f0042	# kmc %r4,%r2
	j	.Lkmc_done
.align	16
.Lkmc_truncated_dec:
	stg	$out,64($sp)
	la	$out,128($sp)
	lghi	$len,16
	.long	0xb92f0042	# kmc %r4,%r2
	lg	$out,64($sp)
	bras	%r1,2f
	mvc	0(1,$out),128($sp)
2:	ex	$key,0(%r1)
	j	.Lkmc_done
.align	16
.Lcbc_software:
___
$code.=<<___;
	stmg	$key,$ra,40($sp)
	lhi	%r0,0
	cl	%r0,164($sp)
	je	.Lcbc_decrypt

	larl	$tbl,AES_Te

	llgf	$s0,0($ivp)
	llgf	$s1,4($ivp)
	llgf	$s2,8($ivp)
	llgf	$s3,12($ivp)

	lghi	$t0,16
	slgr	$len,$t0
	brc	4,.Lcbc_enc_tail	# if borrow
.Lcbc_enc_loop:
	stmg	$inp,$out,16($sp)
	x	$s0,0($inp)
	x	$s1,4($inp)
	x	$s2,8($inp)
	x	$s3,12($inp)
	lgr	%r4,$key

	bras	$ra,_s390x_AES_encrypt

	lmg	$inp,$key,16($sp)
	st	$s0,0($out)
	st	$s1,4($out)
	st	$s2,8($out)
	st	$s3,12($out)

	la	$inp,16($inp)
	la	$out,16($out)
	lghi	$t0,16
	ltgr	$len,$len
	jz	.Lcbc_enc_done
	slgr	$len,$t0
	brc	4,.Lcbc_enc_tail	# if borrow
	j	.Lcbc_enc_loop
.align	16
.Lcbc_enc_done:
	lg	$ivp,48($sp)
	st	$s0,0($ivp)
	st	$s1,4($ivp)	
	st	$s2,8($ivp)
	st	$s3,12($ivp)

	lmg	%r7,$ra,56($sp)
	br	$ra

.align	16
.Lcbc_enc_tail:
	aghi	$len,15
	lghi	$t0,0
	stg	$t0,128($sp)
	stg	$t0,136($sp)
	bras	$t1,3f
	mvc	128(1,$sp),0($inp)
3:	ex	$len,0($t1)
	lghi	$len,0
	la	$inp,128($sp)
	j	.Lcbc_enc_loop

.align	16
.Lcbc_decrypt:
	larl	$tbl,AES_Td

	lg	$t0,0($ivp)
	lg	$t1,8($ivp)
	stmg	$t0,$t1,128($sp)

.Lcbc_dec_loop:
	stmg	$inp,$out,16($sp)
	llgf	$s0,0($inp)
	llgf	$s1,4($inp)
	llgf	$s2,8($inp)
	llgf	$s3,12($inp)
	lgr	%r4,$key

	bras	$ra,_s390x_AES_decrypt

	lmg	$inp,$key,16($sp)
	sllg	$s0,$s0,32
	sllg	$s2,$s2,32
	lr	$s0,$s1
	lr	$s2,$s3

	lg	$t0,0($inp)
	lg	$t1,8($inp)
	xg	$s0,128($sp)
	xg	$s2,136($sp)
	lghi	$s1,16
	slgr	$len,$s1
	brc	4,.Lcbc_dec_tail	# if borrow
	brc	2,.Lcbc_dec_done	# if zero
	stg	$s0,0($out)
	stg	$s2,8($out)
	stmg	$t0,$t1,128($sp)

	la	$inp,16($inp)
	la	$out,16($out)
	j	.Lcbc_dec_loop

.Lcbc_dec_done:
	stg	$s0,0($out)
	stg	$s2,8($out)
.Lcbc_dec_exit:
	lmg	$ivp,$ra,48($sp)
	stmg	$t0,$t1,0($ivp)

	br	$ra

.align	16
.Lcbc_dec_tail:
	aghi	$len,15
	stg	$s0,128($sp)
	stg	$s2,136($sp)
	bras	$s1,4f
	mvc	0(1,$out),128($sp)
4:	ex	$len,0($s1)
	j	.Lcbc_dec_exit
.size	AES_cbc_encrypt,.-AES_cbc_encrypt
___
}
$code.=<<___;
.string	"AES for s390x, CRYPTOGAMS by <appro\@openssl.org>"
___

$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;