root/arch/x86/crypto/chacha-ssse3-x86_64.S

/* [<][>][^][v][top][bottom][index][help] */ 
   1 /* SPDX-License-Identifier: GPL-2.0-or-later */
   2 /*
   3  * ChaCha 256-bit cipher algorithm, x64 SSSE3 functions
   4  *
   5  * Copyright (C) 2015 Martin Willi
   6  */
   7 
   8 #include <linux/linkage.h>
   9 #include <asm/frame.h>
  10 
  11 .section        .rodata.cst16.ROT8, "aM", @progbits, 16
  12 .align 16
  13 ROT8:   .octa 0x0e0d0c0f0a09080b0605040702010003
  14 .section        .rodata.cst16.ROT16, "aM", @progbits, 16
  15 .align 16
  16 ROT16:  .octa 0x0d0c0f0e09080b0a0504070601000302
  17 .section        .rodata.cst16.CTRINC, "aM", @progbits, 16
  18 .align 16
  19 CTRINC: .octa 0x00000003000000020000000100000000
  20 
  21 .text
  22 
  23 /*
  24  * chacha_permute - permute one block
  25  *
  26  * Permute one 64-byte block where the state matrix is in %xmm0-%xmm3.  This
  27  * function performs matrix operations on four words in parallel, but requires
  28  * shuffling to rearrange the words after each round.  8/16-bit word rotation is
  29  * done with the slightly better performing SSSE3 byte shuffling, 7/12-bit word
  30  * rotation uses traditional shift+OR.
  31  *
  32  * The round count is given in %r8d.
  33  *
  34  * Clobbers: %r8d, %xmm4-%xmm7
  35  */
  36 chacha_permute:
  37 
  38         movdqa          ROT8(%rip),%xmm4
  39         movdqa          ROT16(%rip),%xmm5
  40 
  41 .Ldoubleround:
  42         # x0 += x1, x3 = rotl32(x3 ^ x0, 16)
  43         paddd           %xmm1,%xmm0
  44         pxor            %xmm0,%xmm3
  45         pshufb          %xmm5,%xmm3
  46 
  47         # x2 += x3, x1 = rotl32(x1 ^ x2, 12)
  48         paddd           %xmm3,%xmm2
  49         pxor            %xmm2,%xmm1
  50         movdqa          %xmm1,%xmm6
  51         pslld           $12,%xmm6
  52         psrld           $20,%xmm1
  53         por             %xmm6,%xmm1
  54 
  55         # x0 += x1, x3 = rotl32(x3 ^ x0, 8)
  56         paddd           %xmm1,%xmm0
  57         pxor            %xmm0,%xmm3
  58         pshufb          %xmm4,%xmm3
  59 
  60         # x2 += x3, x1 = rotl32(x1 ^ x2, 7)
  61         paddd           %xmm3,%xmm2
  62         pxor            %xmm2,%xmm1
  63         movdqa          %xmm1,%xmm7
  64         pslld           $7,%xmm7
  65         psrld           $25,%xmm1
  66         por             %xmm7,%xmm1
  67 
  68         # x1 = shuffle32(x1, MASK(0, 3, 2, 1))
  69         pshufd          $0x39,%xmm1,%xmm1
  70         # x2 = shuffle32(x2, MASK(1, 0, 3, 2))
  71         pshufd          $0x4e,%xmm2,%xmm2
  72         # x3 = shuffle32(x3, MASK(2, 1, 0, 3))
  73         pshufd          $0x93,%xmm3,%xmm3
  74 
  75         # x0 += x1, x3 = rotl32(x3 ^ x0, 16)
  76         paddd           %xmm1,%xmm0
  77         pxor            %xmm0,%xmm3
  78         pshufb          %xmm5,%xmm3
  79 
  80         # x2 += x3, x1 = rotl32(x1 ^ x2, 12)
  81         paddd           %xmm3,%xmm2
  82         pxor            %xmm2,%xmm1
  83         movdqa          %xmm1,%xmm6
  84         pslld           $12,%xmm6
  85         psrld           $20,%xmm1
  86         por             %xmm6,%xmm1
  87 
  88         # x0 += x1, x3 = rotl32(x3 ^ x0, 8)
  89         paddd           %xmm1,%xmm0
  90         pxor            %xmm0,%xmm3
  91         pshufb          %xmm4,%xmm3
  92 
  93         # x2 += x3, x1 = rotl32(x1 ^ x2, 7)
  94         paddd           %xmm3,%xmm2
  95         pxor            %xmm2,%xmm1
  96         movdqa          %xmm1,%xmm7
  97         pslld           $7,%xmm7
  98         psrld           $25,%xmm1
  99         por             %xmm7,%xmm1
 100 
 101         # x1 = shuffle32(x1, MASK(2, 1, 0, 3))
 102         pshufd          $0x93,%xmm1,%xmm1
 103         # x2 = shuffle32(x2, MASK(1, 0, 3, 2))
 104         pshufd          $0x4e,%xmm2,%xmm2
 105         # x3 = shuffle32(x3, MASK(0, 3, 2, 1))
 106         pshufd          $0x39,%xmm3,%xmm3
 107 
 108         sub             $2,%r8d
 109         jnz             .Ldoubleround
 110 
 111         ret
 112 ENDPROC(chacha_permute)
 113 
 114 ENTRY(chacha_block_xor_ssse3)
 115         # %rdi: Input state matrix, s
 116         # %rsi: up to 1 data block output, o
 117         # %rdx: up to 1 data block input, i
 118         # %rcx: input/output length in bytes
 119         # %r8d: nrounds
 120         FRAME_BEGIN
 121 
 122         # x0..3 = s0..3
 123         movdqa          0x00(%rdi),%xmm0
 124         movdqa          0x10(%rdi),%xmm1
 125         movdqa          0x20(%rdi),%xmm2
 126         movdqa          0x30(%rdi),%xmm3
 127         movdqa          %xmm0,%xmm8
 128         movdqa          %xmm1,%xmm9
 129         movdqa          %xmm2,%xmm10
 130         movdqa          %xmm3,%xmm11
 131 
 132         mov             %rcx,%rax
 133         call            chacha_permute
 134 
 135         # o0 = i0 ^ (x0 + s0)
 136         paddd           %xmm8,%xmm0
 137         cmp             $0x10,%rax
 138         jl              .Lxorpart
 139         movdqu          0x00(%rdx),%xmm4
 140         pxor            %xmm4,%xmm0
 141         movdqu          %xmm0,0x00(%rsi)
 142         # o1 = i1 ^ (x1 + s1)
 143         paddd           %xmm9,%xmm1
 144         movdqa          %xmm1,%xmm0
 145         cmp             $0x20,%rax
 146         jl              .Lxorpart
 147         movdqu          0x10(%rdx),%xmm0
 148         pxor            %xmm1,%xmm0
 149         movdqu          %xmm0,0x10(%rsi)
 150         # o2 = i2 ^ (x2 + s2)
 151         paddd           %xmm10,%xmm2
 152         movdqa          %xmm2,%xmm0
 153         cmp             $0x30,%rax
 154         jl              .Lxorpart
 155         movdqu          0x20(%rdx),%xmm0
 156         pxor            %xmm2,%xmm0
 157         movdqu          %xmm0,0x20(%rsi)
 158         # o3 = i3 ^ (x3 + s3)
 159         paddd           %xmm11,%xmm3
 160         movdqa          %xmm3,%xmm0
 161         cmp             $0x40,%rax
 162         jl              .Lxorpart
 163         movdqu          0x30(%rdx),%xmm0
 164         pxor            %xmm3,%xmm0
 165         movdqu          %xmm0,0x30(%rsi)
 166 
 167 .Ldone:
 168         FRAME_END
 169         ret
 170 
 171 .Lxorpart:
 172         # xor remaining bytes from partial register into output
 173         mov             %rax,%r9
 174         and             $0x0f,%r9
 175         jz              .Ldone
 176         and             $~0x0f,%rax
 177 
 178         mov             %rsi,%r11
 179 
 180         lea             8(%rsp),%r10
 181         sub             $0x10,%rsp
 182         and             $~31,%rsp
 183 
 184         lea             (%rdx,%rax),%rsi
 185         mov             %rsp,%rdi
 186         mov             %r9,%rcx
 187         rep movsb
 188 
 189         pxor            0x00(%rsp),%xmm0
 190         movdqa          %xmm0,0x00(%rsp)
 191 
 192         mov             %rsp,%rsi
 193         lea             (%r11,%rax),%rdi
 194         mov             %r9,%rcx
 195         rep movsb
 196 
 197         lea             -8(%r10),%rsp
 198         jmp             .Ldone
 199 
 200 ENDPROC(chacha_block_xor_ssse3)
 201 
 202 ENTRY(hchacha_block_ssse3)
 203         # %rdi: Input state matrix, s
 204         # %rsi: output (8 32-bit words)
 205         # %edx: nrounds
 206         FRAME_BEGIN
 207 
 208         movdqa          0x00(%rdi),%xmm0
 209         movdqa          0x10(%rdi),%xmm1
 210         movdqa          0x20(%rdi),%xmm2
 211         movdqa          0x30(%rdi),%xmm3
 212 
 213         mov             %edx,%r8d
 214         call            chacha_permute
 215 
 216         movdqu          %xmm0,0x00(%rsi)
 217         movdqu          %xmm3,0x10(%rsi)
 218 
 219         FRAME_END
 220         ret
 221 ENDPROC(hchacha_block_ssse3)
 222 
 223 ENTRY(chacha_4block_xor_ssse3)
 224         # %rdi: Input state matrix, s
 225         # %rsi: up to 4 data blocks output, o
 226         # %rdx: up to 4 data blocks input, i
 227         # %rcx: input/output length in bytes
 228         # %r8d: nrounds
 229 
 230         # This function encrypts four consecutive ChaCha blocks by loading the
 231         # the state matrix in SSE registers four times. As we need some scratch
 232         # registers, we save the first four registers on the stack. The
 233         # algorithm performs each operation on the corresponding word of each
 234         # state matrix, hence requires no word shuffling. For final XORing step
 235         # we transpose the matrix by interleaving 32- and then 64-bit words,
 236         # which allows us to do XOR in SSE registers. 8/16-bit word rotation is
 237         # done with the slightly better performing SSSE3 byte shuffling,
 238         # 7/12-bit word rotation uses traditional shift+OR.
 239 
 240         lea             8(%rsp),%r10
 241         sub             $0x80,%rsp
 242         and             $~63,%rsp
 243         mov             %rcx,%rax
 244 
 245         # x0..15[0-3] = s0..3[0..3]
 246         movq            0x00(%rdi),%xmm1
 247         pshufd          $0x00,%xmm1,%xmm0
 248         pshufd          $0x55,%xmm1,%xmm1
 249         movq            0x08(%rdi),%xmm3
 250         pshufd          $0x00,%xmm3,%xmm2
 251         pshufd          $0x55,%xmm3,%xmm3
 252         movq            0x10(%rdi),%xmm5
 253         pshufd          $0x00,%xmm5,%xmm4
 254         pshufd          $0x55,%xmm5,%xmm5
 255         movq            0x18(%rdi),%xmm7
 256         pshufd          $0x00,%xmm7,%xmm6
 257         pshufd          $0x55,%xmm7,%xmm7
 258         movq            0x20(%rdi),%xmm9
 259         pshufd          $0x00,%xmm9,%xmm8
 260         pshufd          $0x55,%xmm9,%xmm9
 261         movq            0x28(%rdi),%xmm11
 262         pshufd          $0x00,%xmm11,%xmm10
 263         pshufd          $0x55,%xmm11,%xmm11
 264         movq            0x30(%rdi),%xmm13
 265         pshufd          $0x00,%xmm13,%xmm12
 266         pshufd          $0x55,%xmm13,%xmm13
 267         movq            0x38(%rdi),%xmm15
 268         pshufd          $0x00,%xmm15,%xmm14
 269         pshufd          $0x55,%xmm15,%xmm15
 270         # x0..3 on stack
 271         movdqa          %xmm0,0x00(%rsp)
 272         movdqa          %xmm1,0x10(%rsp)
 273         movdqa          %xmm2,0x20(%rsp)
 274         movdqa          %xmm3,0x30(%rsp)
 275 
 276         movdqa          CTRINC(%rip),%xmm1
 277         movdqa          ROT8(%rip),%xmm2
 278         movdqa          ROT16(%rip),%xmm3
 279 
 280         # x12 += counter values 0-3
 281         paddd           %xmm1,%xmm12
 282 
 283 .Ldoubleround4:
 284         # x0 += x4, x12 = rotl32(x12 ^ x0, 16)
 285         movdqa          0x00(%rsp),%xmm0
 286         paddd           %xmm4,%xmm0
 287         movdqa          %xmm0,0x00(%rsp)
 288         pxor            %xmm0,%xmm12
 289         pshufb          %xmm3,%xmm12
 290         # x1 += x5, x13 = rotl32(x13 ^ x1, 16)
 291         movdqa          0x10(%rsp),%xmm0
 292         paddd           %xmm5,%xmm0
 293         movdqa          %xmm0,0x10(%rsp)
 294         pxor            %xmm0,%xmm13
 295         pshufb          %xmm3,%xmm13
 296         # x2 += x6, x14 = rotl32(x14 ^ x2, 16)
 297         movdqa          0x20(%rsp),%xmm0
 298         paddd           %xmm6,%xmm0
 299         movdqa          %xmm0,0x20(%rsp)
 300         pxor            %xmm0,%xmm14
 301         pshufb          %xmm3,%xmm14
 302         # x3 += x7, x15 = rotl32(x15 ^ x3, 16)
 303         movdqa          0x30(%rsp),%xmm0
 304         paddd           %xmm7,%xmm0
 305         movdqa          %xmm0,0x30(%rsp)
 306         pxor            %xmm0,%xmm15
 307         pshufb          %xmm3,%xmm15
 308 
 309         # x8 += x12, x4 = rotl32(x4 ^ x8, 12)
 310         paddd           %xmm12,%xmm8
 311         pxor            %xmm8,%xmm4
 312         movdqa          %xmm4,%xmm0
 313         pslld           $12,%xmm0
 314         psrld           $20,%xmm4
 315         por             %xmm0,%xmm4
 316         # x9 += x13, x5 = rotl32(x5 ^ x9, 12)
 317         paddd           %xmm13,%xmm9
 318         pxor            %xmm9,%xmm5
 319         movdqa          %xmm5,%xmm0
 320         pslld           $12,%xmm0
 321         psrld           $20,%xmm5
 322         por             %xmm0,%xmm5
 323         # x10 += x14, x6 = rotl32(x6 ^ x10, 12)
 324         paddd           %xmm14,%xmm10
 325         pxor            %xmm10,%xmm6
 326         movdqa          %xmm6,%xmm0
 327         pslld           $12,%xmm0
 328         psrld           $20,%xmm6
 329         por             %xmm0,%xmm6
 330         # x11 += x15, x7 = rotl32(x7 ^ x11, 12)
 331         paddd           %xmm15,%xmm11
 332         pxor            %xmm11,%xmm7
 333         movdqa          %xmm7,%xmm0
 334         pslld           $12,%xmm0
 335         psrld           $20,%xmm7
 336         por             %xmm0,%xmm7
 337 
 338         # x0 += x4, x12 = rotl32(x12 ^ x0, 8)
 339         movdqa          0x00(%rsp),%xmm0
 340         paddd           %xmm4,%xmm0
 341         movdqa          %xmm0,0x00(%rsp)
 342         pxor            %xmm0,%xmm12
 343         pshufb          %xmm2,%xmm12
 344         # x1 += x5, x13 = rotl32(x13 ^ x1, 8)
 345         movdqa          0x10(%rsp),%xmm0
 346         paddd           %xmm5,%xmm0
 347         movdqa          %xmm0,0x10(%rsp)
 348         pxor            %xmm0,%xmm13
 349         pshufb          %xmm2,%xmm13
 350         # x2 += x6, x14 = rotl32(x14 ^ x2, 8)
 351         movdqa          0x20(%rsp),%xmm0
 352         paddd           %xmm6,%xmm0
 353         movdqa          %xmm0,0x20(%rsp)
 354         pxor            %xmm0,%xmm14
 355         pshufb          %xmm2,%xmm14
 356         # x3 += x7, x15 = rotl32(x15 ^ x3, 8)
 357         movdqa          0x30(%rsp),%xmm0
 358         paddd           %xmm7,%xmm0
 359         movdqa          %xmm0,0x30(%rsp)
 360         pxor            %xmm0,%xmm15
 361         pshufb          %xmm2,%xmm15
 362 
 363         # x8 += x12, x4 = rotl32(x4 ^ x8, 7)
 364         paddd           %xmm12,%xmm8
 365         pxor            %xmm8,%xmm4
 366         movdqa          %xmm4,%xmm0
 367         pslld           $7,%xmm0
 368         psrld           $25,%xmm4
 369         por             %xmm0,%xmm4
 370         # x9 += x13, x5 = rotl32(x5 ^ x9, 7)
 371         paddd           %xmm13,%xmm9
 372         pxor            %xmm9,%xmm5
 373         movdqa          %xmm5,%xmm0
 374         pslld           $7,%xmm0
 375         psrld           $25,%xmm5
 376         por             %xmm0,%xmm5
 377         # x10 += x14, x6 = rotl32(x6 ^ x10, 7)
 378         paddd           %xmm14,%xmm10
 379         pxor            %xmm10,%xmm6
 380         movdqa          %xmm6,%xmm0
 381         pslld           $7,%xmm0
 382         psrld           $25,%xmm6
 383         por             %xmm0,%xmm6
 384         # x11 += x15, x7 = rotl32(x7 ^ x11, 7)
 385         paddd           %xmm15,%xmm11
 386         pxor            %xmm11,%xmm7
 387         movdqa          %xmm7,%xmm0
 388         pslld           $7,%xmm0
 389         psrld           $25,%xmm7
 390         por             %xmm0,%xmm7
 391 
 392         # x0 += x5, x15 = rotl32(x15 ^ x0, 16)
 393         movdqa          0x00(%rsp),%xmm0
 394         paddd           %xmm5,%xmm0
 395         movdqa          %xmm0,0x00(%rsp)
 396         pxor            %xmm0,%xmm15
 397         pshufb          %xmm3,%xmm15
 398         # x1 += x6, x12 = rotl32(x12 ^ x1, 16)
 399         movdqa          0x10(%rsp),%xmm0
 400         paddd           %xmm6,%xmm0
 401         movdqa          %xmm0,0x10(%rsp)
 402         pxor            %xmm0,%xmm12
 403         pshufb          %xmm3,%xmm12
 404         # x2 += x7, x13 = rotl32(x13 ^ x2, 16)
 405         movdqa          0x20(%rsp),%xmm0
 406         paddd           %xmm7,%xmm0
 407         movdqa          %xmm0,0x20(%rsp)
 408         pxor            %xmm0,%xmm13
 409         pshufb          %xmm3,%xmm13
 410         # x3 += x4, x14 = rotl32(x14 ^ x3, 16)
 411         movdqa          0x30(%rsp),%xmm0
 412         paddd           %xmm4,%xmm0
 413         movdqa          %xmm0,0x30(%rsp)
 414         pxor            %xmm0,%xmm14
 415         pshufb          %xmm3,%xmm14
 416 
 417         # x10 += x15, x5 = rotl32(x5 ^ x10, 12)
 418         paddd           %xmm15,%xmm10
 419         pxor            %xmm10,%xmm5
 420         movdqa          %xmm5,%xmm0
 421         pslld           $12,%xmm0
 422         psrld           $20,%xmm5
 423         por             %xmm0,%xmm5
 424         # x11 += x12, x6 = rotl32(x6 ^ x11, 12)
 425         paddd           %xmm12,%xmm11
 426         pxor            %xmm11,%xmm6
 427         movdqa          %xmm6,%xmm0
 428         pslld           $12,%xmm0
 429         psrld           $20,%xmm6
 430         por             %xmm0,%xmm6
 431         # x8 += x13, x7 = rotl32(x7 ^ x8, 12)
 432         paddd           %xmm13,%xmm8
 433         pxor            %xmm8,%xmm7
 434         movdqa          %xmm7,%xmm0
 435         pslld           $12,%xmm0
 436         psrld           $20,%xmm7
 437         por             %xmm0,%xmm7
 438         # x9 += x14, x4 = rotl32(x4 ^ x9, 12)
 439         paddd           %xmm14,%xmm9
 440         pxor            %xmm9,%xmm4
 441         movdqa          %xmm4,%xmm0
 442         pslld           $12,%xmm0
 443         psrld           $20,%xmm4
 444         por             %xmm0,%xmm4
 445 
 446         # x0 += x5, x15 = rotl32(x15 ^ x0, 8)
 447         movdqa          0x00(%rsp),%xmm0
 448         paddd           %xmm5,%xmm0
 449         movdqa          %xmm0,0x00(%rsp)
 450         pxor            %xmm0,%xmm15
 451         pshufb          %xmm2,%xmm15
 452         # x1 += x6, x12 = rotl32(x12 ^ x1, 8)
 453         movdqa          0x10(%rsp),%xmm0
 454         paddd           %xmm6,%xmm0
 455         movdqa          %xmm0,0x10(%rsp)
 456         pxor            %xmm0,%xmm12
 457         pshufb          %xmm2,%xmm12
 458         # x2 += x7, x13 = rotl32(x13 ^ x2, 8)
 459         movdqa          0x20(%rsp),%xmm0
 460         paddd           %xmm7,%xmm0
 461         movdqa          %xmm0,0x20(%rsp)
 462         pxor            %xmm0,%xmm13
 463         pshufb          %xmm2,%xmm13
 464         # x3 += x4, x14 = rotl32(x14 ^ x3, 8)
 465         movdqa          0x30(%rsp),%xmm0
 466         paddd           %xmm4,%xmm0
 467         movdqa          %xmm0,0x30(%rsp)
 468         pxor            %xmm0,%xmm14
 469         pshufb          %xmm2,%xmm14
 470 
 471         # x10 += x15, x5 = rotl32(x5 ^ x10, 7)
 472         paddd           %xmm15,%xmm10
 473         pxor            %xmm10,%xmm5
 474         movdqa          %xmm5,%xmm0
 475         pslld           $7,%xmm0
 476         psrld           $25,%xmm5
 477         por             %xmm0,%xmm5
 478         # x11 += x12, x6 = rotl32(x6 ^ x11, 7)
 479         paddd           %xmm12,%xmm11
 480         pxor            %xmm11,%xmm6
 481         movdqa          %xmm6,%xmm0
 482         pslld           $7,%xmm0
 483         psrld           $25,%xmm6
 484         por             %xmm0,%xmm6
 485         # x8 += x13, x7 = rotl32(x7 ^ x8, 7)
 486         paddd           %xmm13,%xmm8
 487         pxor            %xmm8,%xmm7
 488         movdqa          %xmm7,%xmm0
 489         pslld           $7,%xmm0
 490         psrld           $25,%xmm7
 491         por             %xmm0,%xmm7
 492         # x9 += x14, x4 = rotl32(x4 ^ x9, 7)
 493         paddd           %xmm14,%xmm9
 494         pxor            %xmm9,%xmm4
 495         movdqa          %xmm4,%xmm0
 496         pslld           $7,%xmm0
 497         psrld           $25,%xmm4
 498         por             %xmm0,%xmm4
 499 
 500         sub             $2,%r8d
 501         jnz             .Ldoubleround4
 502 
 503         # x0[0-3] += s0[0]
 504         # x1[0-3] += s0[1]
 505         movq            0x00(%rdi),%xmm3
 506         pshufd          $0x00,%xmm3,%xmm2
 507         pshufd          $0x55,%xmm3,%xmm3
 508         paddd           0x00(%rsp),%xmm2
 509         movdqa          %xmm2,0x00(%rsp)
 510         paddd           0x10(%rsp),%xmm3
 511         movdqa          %xmm3,0x10(%rsp)
 512         # x2[0-3] += s0[2]
 513         # x3[0-3] += s0[3]
 514         movq            0x08(%rdi),%xmm3
 515         pshufd          $0x00,%xmm3,%xmm2
 516         pshufd          $0x55,%xmm3,%xmm3
 517         paddd           0x20(%rsp),%xmm2
 518         movdqa          %xmm2,0x20(%rsp)
 519         paddd           0x30(%rsp),%xmm3
 520         movdqa          %xmm3,0x30(%rsp)
 521 
 522         # x4[0-3] += s1[0]
 523         # x5[0-3] += s1[1]
 524         movq            0x10(%rdi),%xmm3
 525         pshufd          $0x00,%xmm3,%xmm2
 526         pshufd          $0x55,%xmm3,%xmm3
 527         paddd           %xmm2,%xmm4
 528         paddd           %xmm3,%xmm5
 529         # x6[0-3] += s1[2]
 530         # x7[0-3] += s1[3]
 531         movq            0x18(%rdi),%xmm3
 532         pshufd          $0x00,%xmm3,%xmm2
 533         pshufd          $0x55,%xmm3,%xmm3
 534         paddd           %xmm2,%xmm6
 535         paddd           %xmm3,%xmm7
 536 
 537         # x8[0-3] += s2[0]
 538         # x9[0-3] += s2[1]
 539         movq            0x20(%rdi),%xmm3
 540         pshufd          $0x00,%xmm3,%xmm2
 541         pshufd          $0x55,%xmm3,%xmm3
 542         paddd           %xmm2,%xmm8
 543         paddd           %xmm3,%xmm9
 544         # x10[0-3] += s2[2]
 545         # x11[0-3] += s2[3]
 546         movq            0x28(%rdi),%xmm3
 547         pshufd          $0x00,%xmm3,%xmm2
 548         pshufd          $0x55,%xmm3,%xmm3
 549         paddd           %xmm2,%xmm10
 550         paddd           %xmm3,%xmm11
 551 
 552         # x12[0-3] += s3[0]
 553         # x13[0-3] += s3[1]
 554         movq            0x30(%rdi),%xmm3
 555         pshufd          $0x00,%xmm3,%xmm2
 556         pshufd          $0x55,%xmm3,%xmm3
 557         paddd           %xmm2,%xmm12
 558         paddd           %xmm3,%xmm13
 559         # x14[0-3] += s3[2]
 560         # x15[0-3] += s3[3]
 561         movq            0x38(%rdi),%xmm3
 562         pshufd          $0x00,%xmm3,%xmm2
 563         pshufd          $0x55,%xmm3,%xmm3
 564         paddd           %xmm2,%xmm14
 565         paddd           %xmm3,%xmm15
 566 
 567         # x12 += counter values 0-3
 568         paddd           %xmm1,%xmm12
 569 
 570         # interleave 32-bit words in state n, n+1
 571         movdqa          0x00(%rsp),%xmm0
 572         movdqa          0x10(%rsp),%xmm1
 573         movdqa          %xmm0,%xmm2
 574         punpckldq       %xmm1,%xmm2
 575         punpckhdq       %xmm1,%xmm0
 576         movdqa          %xmm2,0x00(%rsp)
 577         movdqa          %xmm0,0x10(%rsp)
 578         movdqa          0x20(%rsp),%xmm0
 579         movdqa          0x30(%rsp),%xmm1
 580         movdqa          %xmm0,%xmm2
 581         punpckldq       %xmm1,%xmm2
 582         punpckhdq       %xmm1,%xmm0
 583         movdqa          %xmm2,0x20(%rsp)
 584         movdqa          %xmm0,0x30(%rsp)
 585         movdqa          %xmm4,%xmm0
 586         punpckldq       %xmm5,%xmm4
 587         punpckhdq       %xmm5,%xmm0
 588         movdqa          %xmm0,%xmm5
 589         movdqa          %xmm6,%xmm0
 590         punpckldq       %xmm7,%xmm6
 591         punpckhdq       %xmm7,%xmm0
 592         movdqa          %xmm0,%xmm7
 593         movdqa          %xmm8,%xmm0
 594         punpckldq       %xmm9,%xmm8
 595         punpckhdq       %xmm9,%xmm0
 596         movdqa          %xmm0,%xmm9
 597         movdqa          %xmm10,%xmm0
 598         punpckldq       %xmm11,%xmm10
 599         punpckhdq       %xmm11,%xmm0
 600         movdqa          %xmm0,%xmm11
 601         movdqa          %xmm12,%xmm0
 602         punpckldq       %xmm13,%xmm12
 603         punpckhdq       %xmm13,%xmm0
 604         movdqa          %xmm0,%xmm13
 605         movdqa          %xmm14,%xmm0
 606         punpckldq       %xmm15,%xmm14
 607         punpckhdq       %xmm15,%xmm0
 608         movdqa          %xmm0,%xmm15
 609 
 610         # interleave 64-bit words in state n, n+2
 611         movdqa          0x00(%rsp),%xmm0
 612         movdqa          0x20(%rsp),%xmm1
 613         movdqa          %xmm0,%xmm2
 614         punpcklqdq      %xmm1,%xmm2
 615         punpckhqdq      %xmm1,%xmm0
 616         movdqa          %xmm2,0x00(%rsp)
 617         movdqa          %xmm0,0x20(%rsp)
 618         movdqa          0x10(%rsp),%xmm0
 619         movdqa          0x30(%rsp),%xmm1
 620         movdqa          %xmm0,%xmm2
 621         punpcklqdq      %xmm1,%xmm2
 622         punpckhqdq      %xmm1,%xmm0
 623         movdqa          %xmm2,0x10(%rsp)
 624         movdqa          %xmm0,0x30(%rsp)
 625         movdqa          %xmm4,%xmm0
 626         punpcklqdq      %xmm6,%xmm4
 627         punpckhqdq      %xmm6,%xmm0
 628         movdqa          %xmm0,%xmm6
 629         movdqa          %xmm5,%xmm0
 630         punpcklqdq      %xmm7,%xmm5
 631         punpckhqdq      %xmm7,%xmm0
 632         movdqa          %xmm0,%xmm7
 633         movdqa          %xmm8,%xmm0
 634         punpcklqdq      %xmm10,%xmm8
 635         punpckhqdq      %xmm10,%xmm0
 636         movdqa          %xmm0,%xmm10
 637         movdqa          %xmm9,%xmm0
 638         punpcklqdq      %xmm11,%xmm9
 639         punpckhqdq      %xmm11,%xmm0
 640         movdqa          %xmm0,%xmm11
 641         movdqa          %xmm12,%xmm0
 642         punpcklqdq      %xmm14,%xmm12
 643         punpckhqdq      %xmm14,%xmm0
 644         movdqa          %xmm0,%xmm14
 645         movdqa          %xmm13,%xmm0
 646         punpcklqdq      %xmm15,%xmm13
 647         punpckhqdq      %xmm15,%xmm0
 648         movdqa          %xmm0,%xmm15
 649 
 650         # xor with corresponding input, write to output
 651         movdqa          0x00(%rsp),%xmm0
 652         cmp             $0x10,%rax
 653         jl              .Lxorpart4
 654         movdqu          0x00(%rdx),%xmm1
 655         pxor            %xmm1,%xmm0
 656         movdqu          %xmm0,0x00(%rsi)
 657 
 658         movdqu          %xmm4,%xmm0
 659         cmp             $0x20,%rax
 660         jl              .Lxorpart4
 661         movdqu          0x10(%rdx),%xmm1
 662         pxor            %xmm1,%xmm0
 663         movdqu          %xmm0,0x10(%rsi)
 664 
 665         movdqu          %xmm8,%xmm0
 666         cmp             $0x30,%rax
 667         jl              .Lxorpart4
 668         movdqu          0x20(%rdx),%xmm1
 669         pxor            %xmm1,%xmm0
 670         movdqu          %xmm0,0x20(%rsi)
 671 
 672         movdqu          %xmm12,%xmm0
 673         cmp             $0x40,%rax
 674         jl              .Lxorpart4
 675         movdqu          0x30(%rdx),%xmm1
 676         pxor            %xmm1,%xmm0
 677         movdqu          %xmm0,0x30(%rsi)
 678 
 679         movdqa          0x20(%rsp),%xmm0
 680         cmp             $0x50,%rax
 681         jl              .Lxorpart4
 682         movdqu          0x40(%rdx),%xmm1
 683         pxor            %xmm1,%xmm0
 684         movdqu          %xmm0,0x40(%rsi)
 685 
 686         movdqu          %xmm6,%xmm0
 687         cmp             $0x60,%rax
 688         jl              .Lxorpart4
 689         movdqu          0x50(%rdx),%xmm1
 690         pxor            %xmm1,%xmm0
 691         movdqu          %xmm0,0x50(%rsi)
 692 
 693         movdqu          %xmm10,%xmm0
 694         cmp             $0x70,%rax
 695         jl              .Lxorpart4
 696         movdqu          0x60(%rdx),%xmm1
 697         pxor            %xmm1,%xmm0
 698         movdqu          %xmm0,0x60(%rsi)
 699 
 700         movdqu          %xmm14,%xmm0
 701         cmp             $0x80,%rax
 702         jl              .Lxorpart4
 703         movdqu          0x70(%rdx),%xmm1
 704         pxor            %xmm1,%xmm0
 705         movdqu          %xmm0,0x70(%rsi)
 706 
 707         movdqa          0x10(%rsp),%xmm0
 708         cmp             $0x90,%rax
 709         jl              .Lxorpart4
 710         movdqu          0x80(%rdx),%xmm1
 711         pxor            %xmm1,%xmm0
 712         movdqu          %xmm0,0x80(%rsi)
 713 
 714         movdqu          %xmm5,%xmm0
 715         cmp             $0xa0,%rax
 716         jl              .Lxorpart4
 717         movdqu          0x90(%rdx),%xmm1
 718         pxor            %xmm1,%xmm0
 719         movdqu          %xmm0,0x90(%rsi)
 720 
 721         movdqu          %xmm9,%xmm0
 722         cmp             $0xb0,%rax
 723         jl              .Lxorpart4
 724         movdqu          0xa0(%rdx),%xmm1
 725         pxor            %xmm1,%xmm0
 726         movdqu          %xmm0,0xa0(%rsi)
 727 
 728         movdqu          %xmm13,%xmm0
 729         cmp             $0xc0,%rax
 730         jl              .Lxorpart4
 731         movdqu          0xb0(%rdx),%xmm1
 732         pxor            %xmm1,%xmm0
 733         movdqu          %xmm0,0xb0(%rsi)
 734 
 735         movdqa          0x30(%rsp),%xmm0
 736         cmp             $0xd0,%rax
 737         jl              .Lxorpart4
 738         movdqu          0xc0(%rdx),%xmm1
 739         pxor            %xmm1,%xmm0
 740         movdqu          %xmm0,0xc0(%rsi)
 741 
 742         movdqu          %xmm7,%xmm0
 743         cmp             $0xe0,%rax
 744         jl              .Lxorpart4
 745         movdqu          0xd0(%rdx),%xmm1
 746         pxor            %xmm1,%xmm0
 747         movdqu          %xmm0,0xd0(%rsi)
 748 
 749         movdqu          %xmm11,%xmm0
 750         cmp             $0xf0,%rax
 751         jl              .Lxorpart4
 752         movdqu          0xe0(%rdx),%xmm1
 753         pxor            %xmm1,%xmm0
 754         movdqu          %xmm0,0xe0(%rsi)
 755 
 756         movdqu          %xmm15,%xmm0
 757         cmp             $0x100,%rax
 758         jl              .Lxorpart4
 759         movdqu          0xf0(%rdx),%xmm1
 760         pxor            %xmm1,%xmm0
 761         movdqu          %xmm0,0xf0(%rsi)
 762 
 763 .Ldone4:
 764         lea             -8(%r10),%rsp
 765         ret
 766 
 767 .Lxorpart4:
 768         # xor remaining bytes from partial register into output
 769         mov             %rax,%r9
 770         and             $0x0f,%r9
 771         jz              .Ldone4
 772         and             $~0x0f,%rax
 773 
 774         mov             %rsi,%r11
 775 
 776         lea             (%rdx,%rax),%rsi
 777         mov             %rsp,%rdi
 778         mov             %r9,%rcx
 779         rep movsb
 780 
 781         pxor            0x00(%rsp),%xmm0
 782         movdqa          %xmm0,0x00(%rsp)
 783 
 784         mov             %rsp,%rsi
 785         lea             (%r11,%rax),%rdi
 786         mov             %r9,%rcx
 787         rep movsb
 788 
 789         jmp             .Ldone4
 790 
 791 ENDPROC(chacha_4block_xor_ssse3)
/* [<][>][^][v][top][bottom][index][help] */