CoCalc -- camellia-aesni-avx-asm

GitHub Repository: torvalds/linux
Path: blob/master/arch/x86/crypto/camellia-aesni-avx-asm_64.S
²⁶⁴⁵¹ views
1
/*
2
 * x86_64/AVX/AES-NI assembler implementation of Camellia
3
 *
4
 * Copyright © 2012-2013 Jussi Kivilinna <[email protected]>
5
 *
6
 * This program is free software; you can redistribute it and/or modify
7
 * it under the terms of the GNU General Public License as published by
8
 * the Free Software Foundation; either version 2 of the License, or
9
 * (at your option) any later version.
10
 *
11
 */
12

13
/*
14
 * Version licensed under 2-clause BSD License is available at:
15
 *	http://koti.mbnet.fi/axh/crypto/camellia-BSD-1.2.0-aesni1.tar.xz
16
 */
17

18
#include <linux/linkage.h>
19
#include <linux/cfi_types.h>
20
#include <asm/frame.h>
21

22
#define CAMELLIA_TABLE_BYTE_LEN 272
23

24
/* struct camellia_ctx: */
25
#define key_table 0
26
#define key_length CAMELLIA_TABLE_BYTE_LEN
27

28
/* register macros */
29
#define CTX %rdi
30

31
/**********************************************************************
32
  16-way camellia
33
 **********************************************************************/
34
#define filter_8bit(x, lo_t, hi_t, mask4bit, tmp0) \
35
	vpand x, mask4bit, tmp0; \
36
	vpandn x, mask4bit, x; \
37
	vpsrld $4, x, x; \
38
	\
39
	vpshufb tmp0, lo_t, tmp0; \
40
	vpshufb x, hi_t, x; \
41
	vpxor tmp0, x, x;
42

43
/*
44
 * IN:
45
 *   x0..x7: byte-sliced AB state
46
 *   mem_cd: register pointer storing CD state
47
 *   key: index for key material
48
 * OUT:
49
 *   x0..x7: new byte-sliced CD state
50
 */
51
#define roundsm16(x0, x1, x2, x3, x4, x5, x6, x7, t0, t1, t2, t3, t4, t5, t6, \
52
		  t7, mem_cd, key) \
53
	/* \
54
	 * S-function with AES subbytes \
55
	 */ \
56
	vmovdqa .Linv_shift_row(%rip), t4; \
57
	vbroadcastss .L0f0f0f0f(%rip), t7; \
58
	vmovdqa .Lpre_tf_lo_s1(%rip), t0; \
59
	vmovdqa .Lpre_tf_hi_s1(%rip), t1; \
60
	\
61
	/* AES inverse shift rows */ \
62
	vpshufb t4, x0, x0; \
63
	vpshufb t4, x7, x7; \
64
	vpshufb t4, x1, x1; \
65
	vpshufb t4, x4, x4; \
66
	vpshufb t4, x2, x2; \
67
	vpshufb t4, x5, x5; \
68
	vpshufb t4, x3, x3; \
69
	vpshufb t4, x6, x6; \
70
	\
71
	/* prefilter sboxes 1, 2 and 3 */ \
72
	vmovdqa .Lpre_tf_lo_s4(%rip), t2; \
73
	vmovdqa .Lpre_tf_hi_s4(%rip), t3; \
74
	filter_8bit(x0, t0, t1, t7, t6); \
75
	filter_8bit(x7, t0, t1, t7, t6); \
76
	filter_8bit(x1, t0, t1, t7, t6); \
77
	filter_8bit(x4, t0, t1, t7, t6); \
78
	filter_8bit(x2, t0, t1, t7, t6); \
79
	filter_8bit(x5, t0, t1, t7, t6); \
80
	\
81
	/* prefilter sbox 4 */ \
82
	vpxor t4, t4, t4; \
83
	filter_8bit(x3, t2, t3, t7, t6); \
84
	filter_8bit(x6, t2, t3, t7, t6); \
85
	\
86
	/* AES subbytes + AES shift rows */ \
87
	vmovdqa .Lpost_tf_lo_s1(%rip), t0; \
88
	vmovdqa .Lpost_tf_hi_s1(%rip), t1; \
89
	vaesenclast t4, x0, x0; \
90
	vaesenclast t4, x7, x7; \
91
	vaesenclast t4, x1, x1; \
92
	vaesenclast t4, x4, x4; \
93
	vaesenclast t4, x2, x2; \
94
	vaesenclast t4, x5, x5; \
95
	vaesenclast t4, x3, x3; \
96
	vaesenclast t4, x6, x6; \
97
	\
98
	/* postfilter sboxes 1 and 4 */ \
99
	vmovdqa .Lpost_tf_lo_s3(%rip), t2; \
100
	vmovdqa .Lpost_tf_hi_s3(%rip), t3; \
101
	filter_8bit(x0, t0, t1, t7, t6); \
102
	filter_8bit(x7, t0, t1, t7, t6); \
103
	filter_8bit(x3, t0, t1, t7, t6); \
104
	filter_8bit(x6, t0, t1, t7, t6); \
105
	\
106
	/* postfilter sbox 3 */ \
107
	vmovdqa .Lpost_tf_lo_s2(%rip), t4; \
108
	vmovdqa .Lpost_tf_hi_s2(%rip), t5; \
109
	filter_8bit(x2, t2, t3, t7, t6); \
110
	filter_8bit(x5, t2, t3, t7, t6); \
111
	\
112
	vpxor t6, t6, t6; \
113
	vmovq key, t0; \
114
	\
115
	/* postfilter sbox 2 */ \
116
	filter_8bit(x1, t4, t5, t7, t2); \
117
	filter_8bit(x4, t4, t5, t7, t2); \
118
	\
119
	vpsrldq $5, t0, t5; \
120
	vpsrldq $1, t0, t1; \
121
	vpsrldq $2, t0, t2; \
122
	vpsrldq $3, t0, t3; \
123
	vpsrldq $4, t0, t4; \
124
	vpshufb t6, t0, t0; \
125
	vpshufb t6, t1, t1; \
126
	vpshufb t6, t2, t2; \
127
	vpshufb t6, t3, t3; \
128
	vpshufb t6, t4, t4; \
129
	vpsrldq $2, t5, t7; \
130
	vpshufb t6, t7, t7; \
131
	\
132
	/* \
133
	 * P-function \
134
	 */ \
135
	vpxor x5, x0, x0; \
136
	vpxor x6, x1, x1; \
137
	vpxor x7, x2, x2; \
138
	vpxor x4, x3, x3; \
139
	\
140
	vpxor x2, x4, x4; \
141
	vpxor x3, x5, x5; \
142
	vpxor x0, x6, x6; \
143
	vpxor x1, x7, x7; \
144
	\
145
	vpxor x7, x0, x0; \
146
	vpxor x4, x1, x1; \
147
	vpxor x5, x2, x2; \
148
	vpxor x6, x3, x3; \
149
	\
150
	vpxor x3, x4, x4; \
151
	vpxor x0, x5, x5; \
152
	vpxor x1, x6, x6; \
153
	vpxor x2, x7, x7; /* note: high and low parts swapped */ \
154
	\
155
	/* \
156
	 * Add key material and result to CD (x becomes new CD) \
157
	 */ \
158
	\
159
	vpxor t3, x4, x4; \
160
	vpxor 0 * 16(mem_cd), x4, x4; \
161
	\
162
	vpxor t2, x5, x5; \
163
	vpxor 1 * 16(mem_cd), x5, x5; \
164
	\
165
	vpsrldq $1, t5, t3; \
166
	vpshufb t6, t5, t5; \
167
	vpshufb t6, t3, t6; \
168
	\
169
	vpxor t1, x6, x6; \
170
	vpxor 2 * 16(mem_cd), x6, x6; \
171
	\
172
	vpxor t0, x7, x7; \
173
	vpxor 3 * 16(mem_cd), x7, x7; \
174
	\
175
	vpxor t7, x0, x0; \
176
	vpxor 4 * 16(mem_cd), x0, x0; \
177
	\
178
	vpxor t6, x1, x1; \
179
	vpxor 5 * 16(mem_cd), x1, x1; \
180
	\
181
	vpxor t5, x2, x2; \
182
	vpxor 6 * 16(mem_cd), x2, x2; \
183
	\
184
	vpxor t4, x3, x3; \
185
	vpxor 7 * 16(mem_cd), x3, x3;
186

187
/*
188
 * Size optimization... with inlined roundsm16, binary would be over 5 times
189
 * larger and would only be 0.5% faster (on sandy-bridge).
190
 */
191
.align 8
192
SYM_FUNC_START_LOCAL(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
193
	roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
194
		  %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15,
195
		  %rcx, (%r9));
196
	RET;
197
SYM_FUNC_END(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
198

199
.align 8
200
SYM_FUNC_START_LOCAL(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
201
	roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3,
202
		  %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11,
203
		  %rax, (%r9));
204
	RET;
205
SYM_FUNC_END(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
206

207
/*
208
 * IN/OUT:
209
 *  x0..x7: byte-sliced AB state preloaded
210
 *  mem_ab: byte-sliced AB state in memory
211
 *  mem_cb: byte-sliced CD state in memory
212
 */
213
#define two_roundsm16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
214
		      y6, y7, mem_ab, mem_cd, i, dir, store_ab) \
215
	leaq (key_table + (i) * 8)(CTX), %r9; \
216
	call roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd; \
217
	\
218
	vmovdqu x4, 0 * 16(mem_cd); \
219
	vmovdqu x5, 1 * 16(mem_cd); \
220
	vmovdqu x6, 2 * 16(mem_cd); \
221
	vmovdqu x7, 3 * 16(mem_cd); \
222
	vmovdqu x0, 4 * 16(mem_cd); \
223
	vmovdqu x1, 5 * 16(mem_cd); \
224
	vmovdqu x2, 6 * 16(mem_cd); \
225
	vmovdqu x3, 7 * 16(mem_cd); \
226
	\
227
	leaq (key_table + ((i) + (dir)) * 8)(CTX), %r9; \
228
	call roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab; \
229
	\
230
	store_ab(x0, x1, x2, x3, x4, x5, x6, x7, mem_ab);
231

232
#define dummy_store(x0, x1, x2, x3, x4, x5, x6, x7, mem_ab) /* do nothing */
233

234
#define store_ab_state(x0, x1, x2, x3, x4, x5, x6, x7, mem_ab) \
235
	/* Store new AB state */ \
236
	vmovdqu x0, 0 * 16(mem_ab); \
237
	vmovdqu x1, 1 * 16(mem_ab); \
238
	vmovdqu x2, 2 * 16(mem_ab); \
239
	vmovdqu x3, 3 * 16(mem_ab); \
240
	vmovdqu x4, 4 * 16(mem_ab); \
241
	vmovdqu x5, 5 * 16(mem_ab); \
242
	vmovdqu x6, 6 * 16(mem_ab); \
243
	vmovdqu x7, 7 * 16(mem_ab);
244

245
#define enc_rounds16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
246
		      y6, y7, mem_ab, mem_cd, i) \
247
	two_roundsm16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
248
		      y6, y7, mem_ab, mem_cd, (i) + 2, 1, store_ab_state); \
249
	two_roundsm16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
250
		      y6, y7, mem_ab, mem_cd, (i) + 4, 1, store_ab_state); \
251
	two_roundsm16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
252
		      y6, y7, mem_ab, mem_cd, (i) + 6, 1, dummy_store);
253

254
#define dec_rounds16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
255
		      y6, y7, mem_ab, mem_cd, i) \
256
	two_roundsm16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
257
		      y6, y7, mem_ab, mem_cd, (i) + 7, -1, store_ab_state); \
258
	two_roundsm16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
259
		      y6, y7, mem_ab, mem_cd, (i) + 5, -1, store_ab_state); \
260
	two_roundsm16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
261
		      y6, y7, mem_ab, mem_cd, (i) + 3, -1, dummy_store);
262

263
/*
264
 * IN:
265
 *  v0..3: byte-sliced 32-bit integers
266
 * OUT:
267
 *  v0..3: (IN <<< 1)
268
 */
269
#define rol32_1_16(v0, v1, v2, v3, t0, t1, t2, zero) \
270
	vpcmpgtb v0, zero, t0; \
271
	vpaddb v0, v0, v0; \
272
	vpabsb t0, t0; \
273
	\
274
	vpcmpgtb v1, zero, t1; \
275
	vpaddb v1, v1, v1; \
276
	vpabsb t1, t1; \
277
	\
278
	vpcmpgtb v2, zero, t2; \
279
	vpaddb v2, v2, v2; \
280
	vpabsb t2, t2; \
281
	\
282
	vpor t0, v1, v1; \
283
	\
284
	vpcmpgtb v3, zero, t0; \
285
	vpaddb v3, v3, v3; \
286
	vpabsb t0, t0; \
287
	\
288
	vpor t1, v2, v2; \
289
	vpor t2, v3, v3; \
290
	vpor t0, v0, v0;
291

292
/*
293
 * IN:
294
 *   r: byte-sliced AB state in memory
295
 *   l: byte-sliced CD state in memory
296
 * OUT:
297
 *   x0..x7: new byte-sliced CD state
298
 */
299
#define fls16(l, l0, l1, l2, l3, l4, l5, l6, l7, r, t0, t1, t2, t3, tt0, \
300
	      tt1, tt2, tt3, kll, klr, krl, krr) \
301
	/* \
302
	 * t0 = kll; \
303
	 * t0 &= ll; \
304
	 * lr ^= rol32(t0, 1); \
305
	 */ \
306
	vpxor tt0, tt0, tt0; \
307
	vmovd kll, t0; \
308
	vpshufb tt0, t0, t3; \
309
	vpsrldq $1, t0, t0; \
310
	vpshufb tt0, t0, t2; \
311
	vpsrldq $1, t0, t0; \
312
	vpshufb tt0, t0, t1; \
313
	vpsrldq $1, t0, t0; \
314
	vpshufb tt0, t0, t0; \
315
	\
316
	vpand l0, t0, t0; \
317
	vpand l1, t1, t1; \
318
	vpand l2, t2, t2; \
319
	vpand l3, t3, t3; \
320
	\
321
	rol32_1_16(t3, t2, t1, t0, tt1, tt2, tt3, tt0); \
322
	\
323
	vpxor l4, t0, l4; \
324
	vmovdqu l4, 4 * 16(l); \
325
	vpxor l5, t1, l5; \
326
	vmovdqu l5, 5 * 16(l); \
327
	vpxor l6, t2, l6; \
328
	vmovdqu l6, 6 * 16(l); \
329
	vpxor l7, t3, l7; \
330
	vmovdqu l7, 7 * 16(l); \
331
	\
332
	/* \
333
	 * t2 = krr; \
334
	 * t2 |= rr; \
335
	 * rl ^= t2; \
336
	 */ \
337
	\
338
	vmovd krr, t0; \
339
	vpshufb tt0, t0, t3; \
340
	vpsrldq $1, t0, t0; \
341
	vpshufb tt0, t0, t2; \
342
	vpsrldq $1, t0, t0; \
343
	vpshufb tt0, t0, t1; \
344
	vpsrldq $1, t0, t0; \
345
	vpshufb tt0, t0, t0; \
346
	\
347
	vpor 4 * 16(r), t0, t0; \
348
	vpor 5 * 16(r), t1, t1; \
349
	vpor 6 * 16(r), t2, t2; \
350
	vpor 7 * 16(r), t3, t3; \
351
	\
352
	vpxor 0 * 16(r), t0, t0; \
353
	vpxor 1 * 16(r), t1, t1; \
354
	vpxor 2 * 16(r), t2, t2; \
355
	vpxor 3 * 16(r), t3, t3; \
356
	vmovdqu t0, 0 * 16(r); \
357
	vmovdqu t1, 1 * 16(r); \
358
	vmovdqu t2, 2 * 16(r); \
359
	vmovdqu t3, 3 * 16(r); \
360
	\
361
	/* \
362
	 * t2 = krl; \
363
	 * t2 &= rl; \
364
	 * rr ^= rol32(t2, 1); \
365
	 */ \
366
	vmovd krl, t0; \
367
	vpshufb tt0, t0, t3; \
368
	vpsrldq $1, t0, t0; \
369
	vpshufb tt0, t0, t2; \
370
	vpsrldq $1, t0, t0; \
371
	vpshufb tt0, t0, t1; \
372
	vpsrldq $1, t0, t0; \
373
	vpshufb tt0, t0, t0; \
374
	\
375
	vpand 0 * 16(r), t0, t0; \
376
	vpand 1 * 16(r), t1, t1; \
377
	vpand 2 * 16(r), t2, t2; \
378
	vpand 3 * 16(r), t3, t3; \
379
	\
380
	rol32_1_16(t3, t2, t1, t0, tt1, tt2, tt3, tt0); \
381
	\
382
	vpxor 4 * 16(r), t0, t0; \
383
	vpxor 5 * 16(r), t1, t1; \
384
	vpxor 6 * 16(r), t2, t2; \
385
	vpxor 7 * 16(r), t3, t3; \
386
	vmovdqu t0, 4 * 16(r); \
387
	vmovdqu t1, 5 * 16(r); \
388
	vmovdqu t2, 6 * 16(r); \
389
	vmovdqu t3, 7 * 16(r); \
390
	\
391
	/* \
392
	 * t0 = klr; \
393
	 * t0 |= lr; \
394
	 * ll ^= t0; \
395
	 */ \
396
	\
397
	vmovd klr, t0; \
398
	vpshufb tt0, t0, t3; \
399
	vpsrldq $1, t0, t0; \
400
	vpshufb tt0, t0, t2; \
401
	vpsrldq $1, t0, t0; \
402
	vpshufb tt0, t0, t1; \
403
	vpsrldq $1, t0, t0; \
404
	vpshufb tt0, t0, t0; \
405
	\
406
	vpor l4, t0, t0; \
407
	vpor l5, t1, t1; \
408
	vpor l6, t2, t2; \
409
	vpor l7, t3, t3; \
410
	\
411
	vpxor l0, t0, l0; \
412
	vmovdqu l0, 0 * 16(l); \
413
	vpxor l1, t1, l1; \
414
	vmovdqu l1, 1 * 16(l); \
415
	vpxor l2, t2, l2; \
416
	vmovdqu l2, 2 * 16(l); \
417
	vpxor l3, t3, l3; \
418
	vmovdqu l3, 3 * 16(l);
419

420
#define transpose_4x4(x0, x1, x2, x3, t1, t2) \
421
	vpunpckhdq x1, x0, t2; \
422
	vpunpckldq x1, x0, x0; \
423
	\
424
	vpunpckldq x3, x2, t1; \
425
	vpunpckhdq x3, x2, x2; \
426
	\
427
	vpunpckhqdq t1, x0, x1; \
428
	vpunpcklqdq t1, x0, x0; \
429
	\
430
	vpunpckhqdq x2, t2, x3; \
431
	vpunpcklqdq x2, t2, x2;
432

433
#define byteslice_16x16b(a0, b0, c0, d0, a1, b1, c1, d1, a2, b2, c2, d2, a3, \
434
			 b3, c3, d3, st0, st1) \
435
	vmovdqu d2, st0; \
436
	vmovdqu d3, st1; \
437
	transpose_4x4(a0, a1, a2, a3, d2, d3); \
438
	transpose_4x4(b0, b1, b2, b3, d2, d3); \
439
	vmovdqu st0, d2; \
440
	vmovdqu st1, d3; \
441
	\
442
	vmovdqu a0, st0; \
443
	vmovdqu a1, st1; \
444
	transpose_4x4(c0, c1, c2, c3, a0, a1); \
445
	transpose_4x4(d0, d1, d2, d3, a0, a1); \
446
	\
447
	vmovdqu .Lshufb_16x16b(%rip), a0; \
448
	vmovdqu st1, a1; \
449
	vpshufb a0, a2, a2; \
450
	vpshufb a0, a3, a3; \
451
	vpshufb a0, b0, b0; \
452
	vpshufb a0, b1, b1; \
453
	vpshufb a0, b2, b2; \
454
	vpshufb a0, b3, b3; \
455
	vpshufb a0, a1, a1; \
456
	vpshufb a0, c0, c0; \
457
	vpshufb a0, c1, c1; \
458
	vpshufb a0, c2, c2; \
459
	vpshufb a0, c3, c3; \
460
	vpshufb a0, d0, d0; \
461
	vpshufb a0, d1, d1; \
462
	vpshufb a0, d2, d2; \
463
	vpshufb a0, d3, d3; \
464
	vmovdqu d3, st1; \
465
	vmovdqu st0, d3; \
466
	vpshufb a0, d3, a0; \
467
	vmovdqu d2, st0; \
468
	\
469
	transpose_4x4(a0, b0, c0, d0, d2, d3); \
470
	transpose_4x4(a1, b1, c1, d1, d2, d3); \
471
	vmovdqu st0, d2; \
472
	vmovdqu st1, d3; \
473
	\
474
	vmovdqu b0, st0; \
475
	vmovdqu b1, st1; \
476
	transpose_4x4(a2, b2, c2, d2, b0, b1); \
477
	transpose_4x4(a3, b3, c3, d3, b0, b1); \
478
	vmovdqu st0, b0; \
479
	vmovdqu st1, b1; \
480
	/* does not adjust output bytes inside vectors */
481

482
/* load blocks to registers and apply pre-whitening */
483
#define inpack16_pre(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
484
		     y6, y7, rio, key) \
485
	vmovq key, x0; \
486
	vpshufb .Lpack_bswap(%rip), x0, x0; \
487
	\
488
	vpxor 0 * 16(rio), x0, y7; \
489
	vpxor 1 * 16(rio), x0, y6; \
490
	vpxor 2 * 16(rio), x0, y5; \
491
	vpxor 3 * 16(rio), x0, y4; \
492
	vpxor 4 * 16(rio), x0, y3; \
493
	vpxor 5 * 16(rio), x0, y2; \
494
	vpxor 6 * 16(rio), x0, y1; \
495
	vpxor 7 * 16(rio), x0, y0; \
496
	vpxor 8 * 16(rio), x0, x7; \
497
	vpxor 9 * 16(rio), x0, x6; \
498
	vpxor 10 * 16(rio), x0, x5; \
499
	vpxor 11 * 16(rio), x0, x4; \
500
	vpxor 12 * 16(rio), x0, x3; \
501
	vpxor 13 * 16(rio), x0, x2; \
502
	vpxor 14 * 16(rio), x0, x1; \
503
	vpxor 15 * 16(rio), x0, x0;
504

505
/* byteslice pre-whitened blocks and store to temporary memory */
506
#define inpack16_post(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
507
		      y6, y7, mem_ab, mem_cd) \
508
	byteslice_16x16b(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, \
509
			 y5, y6, y7, (mem_ab), (mem_cd)); \
510
	\
511
	vmovdqu x0, 0 * 16(mem_ab); \
512
	vmovdqu x1, 1 * 16(mem_ab); \
513
	vmovdqu x2, 2 * 16(mem_ab); \
514
	vmovdqu x3, 3 * 16(mem_ab); \
515
	vmovdqu x4, 4 * 16(mem_ab); \
516
	vmovdqu x5, 5 * 16(mem_ab); \
517
	vmovdqu x6, 6 * 16(mem_ab); \
518
	vmovdqu x7, 7 * 16(mem_ab); \
519
	vmovdqu y0, 0 * 16(mem_cd); \
520
	vmovdqu y1, 1 * 16(mem_cd); \
521
	vmovdqu y2, 2 * 16(mem_cd); \
522
	vmovdqu y3, 3 * 16(mem_cd); \
523
	vmovdqu y4, 4 * 16(mem_cd); \
524
	vmovdqu y5, 5 * 16(mem_cd); \
525
	vmovdqu y6, 6 * 16(mem_cd); \
526
	vmovdqu y7, 7 * 16(mem_cd);
527

528
/* de-byteslice, apply post-whitening and store blocks */
529
#define outunpack16(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, \
530
		    y5, y6, y7, key, stack_tmp0, stack_tmp1) \
531
	byteslice_16x16b(y0, y4, x0, x4, y1, y5, x1, x5, y2, y6, x2, x6, y3, \
532
			 y7, x3, x7, stack_tmp0, stack_tmp1); \
533
	\
534
	vmovdqu x0, stack_tmp0; \
535
	\
536
	vmovq key, x0; \
537
	vpshufb .Lpack_bswap(%rip), x0, x0; \
538
	\
539
	vpxor x0, y7, y7; \
540
	vpxor x0, y6, y6; \
541
	vpxor x0, y5, y5; \
542
	vpxor x0, y4, y4; \
543
	vpxor x0, y3, y3; \
544
	vpxor x0, y2, y2; \
545
	vpxor x0, y1, y1; \
546
	vpxor x0, y0, y0; \
547
	vpxor x0, x7, x7; \
548
	vpxor x0, x6, x6; \
549
	vpxor x0, x5, x5; \
550
	vpxor x0, x4, x4; \
551
	vpxor x0, x3, x3; \
552
	vpxor x0, x2, x2; \
553
	vpxor x0, x1, x1; \
554
	vpxor stack_tmp0, x0, x0;
555

556
#define write_output(x0, x1, x2, x3, x4, x5, x6, x7, y0, y1, y2, y3, y4, y5, \
557
		     y6, y7, rio) \
558
	vmovdqu x0, 0 * 16(rio); \
559
	vmovdqu x1, 1 * 16(rio); \
560
	vmovdqu x2, 2 * 16(rio); \
561
	vmovdqu x3, 3 * 16(rio); \
562
	vmovdqu x4, 4 * 16(rio); \
563
	vmovdqu x5, 5 * 16(rio); \
564
	vmovdqu x6, 6 * 16(rio); \
565
	vmovdqu x7, 7 * 16(rio); \
566
	vmovdqu y0, 8 * 16(rio); \
567
	vmovdqu y1, 9 * 16(rio); \
568
	vmovdqu y2, 10 * 16(rio); \
569
	vmovdqu y3, 11 * 16(rio); \
570
	vmovdqu y4, 12 * 16(rio); \
571
	vmovdqu y5, 13 * 16(rio); \
572
	vmovdqu y6, 14 * 16(rio); \
573
	vmovdqu y7, 15 * 16(rio);
574

575

576
/* NB: section is mergeable, all elements must be aligned 16-byte blocks */
577
.section	.rodata.cst16, "aM", @progbits, 16
578
.align 16
579

580
#define SHUFB_BYTES(idx) \
581
	0 + (idx), 4 + (idx), 8 + (idx), 12 + (idx)
582

583
.Lshufb_16x16b:
584
	.byte SHUFB_BYTES(0), SHUFB_BYTES(1), SHUFB_BYTES(2), SHUFB_BYTES(3);
585

586
.Lpack_bswap:
587
	.long 0x00010203
588
	.long 0x04050607
589
	.long 0x80808080
590
	.long 0x80808080
591

592
/*
593
 * pre-SubByte transform
594
 *
595
 * pre-lookup for sbox1, sbox2, sbox3:
596
 *   swap_bitendianness(
597
 *       isom_map_camellia_to_aes(
598
 *           camellia_f(
599
 *               swap_bitendianess(in)
600
 *           )
601
 *       )
602
 *   )
603
 *
604
 * (note: '⊕ 0xc5' inside camellia_f())
605
 */
606
.Lpre_tf_lo_s1:
607
	.byte 0x45, 0xe8, 0x40, 0xed, 0x2e, 0x83, 0x2b, 0x86
608
	.byte 0x4b, 0xe6, 0x4e, 0xe3, 0x20, 0x8d, 0x25, 0x88
609
.Lpre_tf_hi_s1:
610
	.byte 0x00, 0x51, 0xf1, 0xa0, 0x8a, 0xdb, 0x7b, 0x2a
611
	.byte 0x09, 0x58, 0xf8, 0xa9, 0x83, 0xd2, 0x72, 0x23
612

613
/*
614
 * pre-SubByte transform
615
 *
616
 * pre-lookup for sbox4:
617
 *   swap_bitendianness(
618
 *       isom_map_camellia_to_aes(
619
 *           camellia_f(
620
 *               swap_bitendianess(in <<< 1)
621
 *           )
622
 *       )
623
 *   )
624
 *
625
 * (note: '⊕ 0xc5' inside camellia_f())
626
 */
627
.Lpre_tf_lo_s4:
628
	.byte 0x45, 0x40, 0x2e, 0x2b, 0x4b, 0x4e, 0x20, 0x25
629
	.byte 0x14, 0x11, 0x7f, 0x7a, 0x1a, 0x1f, 0x71, 0x74
630
.Lpre_tf_hi_s4:
631
	.byte 0x00, 0xf1, 0x8a, 0x7b, 0x09, 0xf8, 0x83, 0x72
632
	.byte 0xad, 0x5c, 0x27, 0xd6, 0xa4, 0x55, 0x2e, 0xdf
633

634
/*
635
 * post-SubByte transform
636
 *
637
 * post-lookup for sbox1, sbox4:
638
 *  swap_bitendianness(
639
 *      camellia_h(
640
 *          isom_map_aes_to_camellia(
641
 *              swap_bitendianness(
642
 *                  aes_inverse_affine_transform(in)
643
 *              )
644
 *          )
645
 *      )
646
 *  )
647
 *
648
 * (note: '⊕ 0x6e' inside camellia_h())
649
 */
650
.Lpost_tf_lo_s1:
651
	.byte 0x3c, 0xcc, 0xcf, 0x3f, 0x32, 0xc2, 0xc1, 0x31
652
	.byte 0xdc, 0x2c, 0x2f, 0xdf, 0xd2, 0x22, 0x21, 0xd1
653
.Lpost_tf_hi_s1:
654
	.byte 0x00, 0xf9, 0x86, 0x7f, 0xd7, 0x2e, 0x51, 0xa8
655
	.byte 0xa4, 0x5d, 0x22, 0xdb, 0x73, 0x8a, 0xf5, 0x0c
656

657
/*
658
 * post-SubByte transform
659
 *
660
 * post-lookup for sbox2:
661
 *  swap_bitendianness(
662
 *      camellia_h(
663
 *          isom_map_aes_to_camellia(
664
 *              swap_bitendianness(
665
 *                  aes_inverse_affine_transform(in)
666
 *              )
667
 *          )
668
 *      )
669
 *  ) <<< 1
670
 *
671
 * (note: '⊕ 0x6e' inside camellia_h())
672
 */
673
.Lpost_tf_lo_s2:
674
	.byte 0x78, 0x99, 0x9f, 0x7e, 0x64, 0x85, 0x83, 0x62
675
	.byte 0xb9, 0x58, 0x5e, 0xbf, 0xa5, 0x44, 0x42, 0xa3
676
.Lpost_tf_hi_s2:
677
	.byte 0x00, 0xf3, 0x0d, 0xfe, 0xaf, 0x5c, 0xa2, 0x51
678
	.byte 0x49, 0xba, 0x44, 0xb7, 0xe6, 0x15, 0xeb, 0x18
679

680
/*
681
 * post-SubByte transform
682
 *
683
 * post-lookup for sbox3:
684
 *  swap_bitendianness(
685
 *      camellia_h(
686
 *          isom_map_aes_to_camellia(
687
 *              swap_bitendianness(
688
 *                  aes_inverse_affine_transform(in)
689
 *              )
690
 *          )
691
 *      )
692
 *  ) >>> 1
693
 *
694
 * (note: '⊕ 0x6e' inside camellia_h())
695
 */
696
.Lpost_tf_lo_s3:
697
	.byte 0x1e, 0x66, 0xe7, 0x9f, 0x19, 0x61, 0xe0, 0x98
698
	.byte 0x6e, 0x16, 0x97, 0xef, 0x69, 0x11, 0x90, 0xe8
699
.Lpost_tf_hi_s3:
700
	.byte 0x00, 0xfc, 0x43, 0xbf, 0xeb, 0x17, 0xa8, 0x54
701
	.byte 0x52, 0xae, 0x11, 0xed, 0xb9, 0x45, 0xfa, 0x06
702

703
/* For isolating SubBytes from AESENCLAST, inverse shift row */
704
.Linv_shift_row:
705
	.byte 0x00, 0x0d, 0x0a, 0x07, 0x04, 0x01, 0x0e, 0x0b
706
	.byte 0x08, 0x05, 0x02, 0x0f, 0x0c, 0x09, 0x06, 0x03
707

708
/* 4-bit mask */
709
.section	.rodata.cst4.L0f0f0f0f, "aM", @progbits, 4
710
.align 4
711
.L0f0f0f0f:
712
	.long 0x0f0f0f0f
713

714
.text
715

716
SYM_FUNC_START_LOCAL(__camellia_enc_blk16)
717
	/* input:
718
	 *	%rdi: ctx, CTX
719
	 *	%rax: temporary storage, 256 bytes
720
	 *	%xmm0..%xmm15: 16 plaintext blocks
721
	 * output:
722
	 *	%xmm0..%xmm15: 16 encrypted blocks, order swapped:
723
	 *       7, 8, 6, 5, 4, 3, 2, 1, 0, 15, 14, 13, 12, 11, 10, 9, 8
724
	 */
725
	FRAME_BEGIN
726

727
	leaq 8 * 16(%rax), %rcx;
728

729
	inpack16_post(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
730
		      %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
731
		      %xmm15, %rax, %rcx);
732

733
	enc_rounds16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
734
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
735
		     %xmm15, %rax, %rcx, 0);
736

737
	fls16(%rax, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
738
	      %rcx, %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
739
	      %xmm15,
740
	      ((key_table + (8) * 8) + 0)(CTX),
741
	      ((key_table + (8) * 8) + 4)(CTX),
742
	      ((key_table + (8) * 8) + 8)(CTX),
743
	      ((key_table + (8) * 8) + 12)(CTX));
744

745
	enc_rounds16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
746
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
747
		     %xmm15, %rax, %rcx, 8);
748

749
	fls16(%rax, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
750
	      %rcx, %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
751
	      %xmm15,
752
	      ((key_table + (16) * 8) + 0)(CTX),
753
	      ((key_table + (16) * 8) + 4)(CTX),
754
	      ((key_table + (16) * 8) + 8)(CTX),
755
	      ((key_table + (16) * 8) + 12)(CTX));
756

757
	enc_rounds16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
758
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
759
		     %xmm15, %rax, %rcx, 16);
760

761
	movl $24, %r8d;
762
	cmpl $16, key_length(CTX);
763
	jne .Lenc_max32;
764

765
.Lenc_done:
766
	/* load CD for output */
767
	vmovdqu 0 * 16(%rcx), %xmm8;
768
	vmovdqu 1 * 16(%rcx), %xmm9;
769
	vmovdqu 2 * 16(%rcx), %xmm10;
770
	vmovdqu 3 * 16(%rcx), %xmm11;
771
	vmovdqu 4 * 16(%rcx), %xmm12;
772
	vmovdqu 5 * 16(%rcx), %xmm13;
773
	vmovdqu 6 * 16(%rcx), %xmm14;
774
	vmovdqu 7 * 16(%rcx), %xmm15;
775

776
	outunpack16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
777
		    %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
778
		    %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax));
779

780
	FRAME_END
781
	RET;
782

783
.align 8
784
.Lenc_max32:
785
	movl $32, %r8d;
786

787
	fls16(%rax, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
788
	      %rcx, %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
789
	      %xmm15,
790
	      ((key_table + (24) * 8) + 0)(CTX),
791
	      ((key_table + (24) * 8) + 4)(CTX),
792
	      ((key_table + (24) * 8) + 8)(CTX),
793
	      ((key_table + (24) * 8) + 12)(CTX));
794

795
	enc_rounds16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
796
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
797
		     %xmm15, %rax, %rcx, 24);
798

799
	jmp .Lenc_done;
800
SYM_FUNC_END(__camellia_enc_blk16)
801

802
SYM_FUNC_START_LOCAL(__camellia_dec_blk16)
803
	/* input:
804
	 *	%rdi: ctx, CTX
805
	 *	%rax: temporary storage, 256 bytes
806
	 *	%r8d: 24 for 16 byte key, 32 for larger
807
	 *	%xmm0..%xmm15: 16 encrypted blocks
808
	 * output:
809
	 *	%xmm0..%xmm15: 16 plaintext blocks, order swapped:
810
	 *       7, 8, 6, 5, 4, 3, 2, 1, 0, 15, 14, 13, 12, 11, 10, 9, 8
811
	 */
812
	FRAME_BEGIN
813

814
	leaq 8 * 16(%rax), %rcx;
815

816
	inpack16_post(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
817
		      %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
818
		      %xmm15, %rax, %rcx);
819

820
	cmpl $32, %r8d;
821
	je .Ldec_max32;
822

823
.Ldec_max24:
824
	dec_rounds16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
825
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
826
		     %xmm15, %rax, %rcx, 16);
827

828
	fls16(%rax, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
829
	      %rcx, %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
830
	      %xmm15,
831
	      ((key_table + (16) * 8) + 8)(CTX),
832
	      ((key_table + (16) * 8) + 12)(CTX),
833
	      ((key_table + (16) * 8) + 0)(CTX),
834
	      ((key_table + (16) * 8) + 4)(CTX));
835

836
	dec_rounds16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
837
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
838
		     %xmm15, %rax, %rcx, 8);
839

840
	fls16(%rax, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
841
	      %rcx, %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
842
	      %xmm15,
843
	      ((key_table + (8) * 8) + 8)(CTX),
844
	      ((key_table + (8) * 8) + 12)(CTX),
845
	      ((key_table + (8) * 8) + 0)(CTX),
846
	      ((key_table + (8) * 8) + 4)(CTX));
847

848
	dec_rounds16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
849
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
850
		     %xmm15, %rax, %rcx, 0);
851

852
	/* load CD for output */
853
	vmovdqu 0 * 16(%rcx), %xmm8;
854
	vmovdqu 1 * 16(%rcx), %xmm9;
855
	vmovdqu 2 * 16(%rcx), %xmm10;
856
	vmovdqu 3 * 16(%rcx), %xmm11;
857
	vmovdqu 4 * 16(%rcx), %xmm12;
858
	vmovdqu 5 * 16(%rcx), %xmm13;
859
	vmovdqu 6 * 16(%rcx), %xmm14;
860
	vmovdqu 7 * 16(%rcx), %xmm15;
861

862
	outunpack16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
863
		    %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
864
		    %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax));
865

866
	FRAME_END
867
	RET;
868

869
.align 8
870
.Ldec_max32:
871
	dec_rounds16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
872
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
873
		     %xmm15, %rax, %rcx, 24);
874

875
	fls16(%rax, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
876
	      %rcx, %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
877
	      %xmm15,
878
	      ((key_table + (24) * 8) + 8)(CTX),
879
	      ((key_table + (24) * 8) + 12)(CTX),
880
	      ((key_table + (24) * 8) + 0)(CTX),
881
	      ((key_table + (24) * 8) + 4)(CTX));
882

883
	jmp .Ldec_max24;
884
SYM_FUNC_END(__camellia_dec_blk16)
885

886
SYM_TYPED_FUNC_START(camellia_ecb_enc_16way)
887
	/* input:
888
	 *	%rdi: ctx, CTX
889
	 *	%rsi: dst (16 blocks)
890
	 *	%rdx: src (16 blocks)
891
	 */
892
	 FRAME_BEGIN
893

894
	inpack16_pre(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
895
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
896
		     %xmm15, %rdx, (key_table)(CTX));
897

898
	/* now dst can be used as temporary buffer (even in src == dst case) */
899
	movq	%rsi, %rax;
900

901
	call __camellia_enc_blk16;
902

903
	write_output(%xmm7, %xmm6, %xmm5, %xmm4, %xmm3, %xmm2, %xmm1, %xmm0,
904
		     %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
905
		     %xmm8, %rsi);
906

907
	FRAME_END
908
	RET;
909
SYM_FUNC_END(camellia_ecb_enc_16way)
910

911
SYM_TYPED_FUNC_START(camellia_ecb_dec_16way)
912
	/* input:
913
	 *	%rdi: ctx, CTX
914
	 *	%rsi: dst (16 blocks)
915
	 *	%rdx: src (16 blocks)
916
	 */
917
	 FRAME_BEGIN
918

919
	cmpl $16, key_length(CTX);
920
	movl $32, %r8d;
921
	movl $24, %eax;
922
	cmovel %eax, %r8d; /* max */
923

924
	inpack16_pre(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
925
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
926
		     %xmm15, %rdx, (key_table)(CTX, %r8, 8));
927

928
	/* now dst can be used as temporary buffer (even in src == dst case) */
929
	movq	%rsi, %rax;
930

931
	call __camellia_dec_blk16;
932

933
	write_output(%xmm7, %xmm6, %xmm5, %xmm4, %xmm3, %xmm2, %xmm1, %xmm0,
934
		     %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
935
		     %xmm8, %rsi);
936

937
	FRAME_END
938
	RET;
939
SYM_FUNC_END(camellia_ecb_dec_16way)
940

941
SYM_TYPED_FUNC_START(camellia_cbc_dec_16way)
942
	/* input:
943
	 *	%rdi: ctx, CTX
944
	 *	%rsi: dst (16 blocks)
945
	 *	%rdx: src (16 blocks)
946
	 */
947
	FRAME_BEGIN
948

949
	cmpl $16, key_length(CTX);
950
	movl $32, %r8d;
951
	movl $24, %eax;
952
	cmovel %eax, %r8d; /* max */
953

954
	inpack16_pre(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
955
		     %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
956
		     %xmm15, %rdx, (key_table)(CTX, %r8, 8));
957

958
	/*
959
	 * dst might still be in-use (in case dst == src), so use stack for
960
	 * temporary storage.
961
	 */
962
	subq $(16 * 16), %rsp;
963
	movq %rsp, %rax;
964

965
	call __camellia_dec_blk16;
966

967
	addq $(16 * 16), %rsp;
968

969
	vpxor (0 * 16)(%rdx), %xmm6, %xmm6;
970
	vpxor (1 * 16)(%rdx), %xmm5, %xmm5;
971
	vpxor (2 * 16)(%rdx), %xmm4, %xmm4;
972
	vpxor (3 * 16)(%rdx), %xmm3, %xmm3;
973
	vpxor (4 * 16)(%rdx), %xmm2, %xmm2;
974
	vpxor (5 * 16)(%rdx), %xmm1, %xmm1;
975
	vpxor (6 * 16)(%rdx), %xmm0, %xmm0;
976
	vpxor (7 * 16)(%rdx), %xmm15, %xmm15;
977
	vpxor (8 * 16)(%rdx), %xmm14, %xmm14;
978
	vpxor (9 * 16)(%rdx), %xmm13, %xmm13;
979
	vpxor (10 * 16)(%rdx), %xmm12, %xmm12;
980
	vpxor (11 * 16)(%rdx), %xmm11, %xmm11;
981
	vpxor (12 * 16)(%rdx), %xmm10, %xmm10;
982
	vpxor (13 * 16)(%rdx), %xmm9, %xmm9;
983
	vpxor (14 * 16)(%rdx), %xmm8, %xmm8;
984
	write_output(%xmm7, %xmm6, %xmm5, %xmm4, %xmm3, %xmm2, %xmm1, %xmm0,
985
		     %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
986
		     %xmm8, %rsi);
987

988
	FRAME_END
989
	RET;
990
SYM_FUNC_END(camellia_cbc_dec_16way)
991

992
Product

Resources

Company
