Patch out the XTS implementation in bsaes.
We don't call it, so ship less code and reduce the number of places
where we must think about the bsaes -> aes_nohw fallback.
Bug: 256
Change-Id: I10ac2d70e18ec81e679631a9532c36d9edab1c6e
Reviewed-on: https://boringssl-review.googlesource.com/c/33586
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/aes/asm/bsaes-x86_64.pl b/crypto/fipsmodule/aes/asm/bsaes-x86_64.pl
index 11b7a9d..c0ade37 100644
--- a/crypto/fipsmodule/aes/asm/bsaes-x86_64.pl
+++ b/crypto/fipsmodule/aes/asm/bsaes-x86_64.pl
@@ -114,6 +114,7 @@
my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx");
my @XMM=map("%xmm$_",(15,0..14)); # best on Atom, +10% over (0..15)
my $ecb=0; # suppress unreferenced ECB subroutines, spare some space...
+my $xts=0; # Also patch out the XTS subroutines.
{
my ($key,$rounds,$const)=("%rax","%r10d","%r11");
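Review bot: The new `$xts` switch is documented only as patching out the XTS subroutines, but the same flag also gates the Win64 `.pdata` entries and `.xdata` unwind records further down in this file (the hunks at `.rva .Lxts_enc_prologue` and `.Lxts_enc_info:`), and anyone re-enabling it needs to know all three sites move together. Suggest widening the comment to `my $xts=0; # Also patch out the XTS subroutines and their Win64 unwind entries (.pdata/.xdata), gated on $xts below.` so the flag's full reach is visible where it is declared, next to the analogous `$ecb` switch.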
@@ -2163,6 +2164,8 @@
# const AES_KEY *key1, const AES_KEY *key2,
# const unsigned char iv[16]);
#
+# We patch out the XTS implementation in BoringSSL.
+if ($xts) {
my ($twmask,$twres,$twtmp)=@XMM[13..15];
$arg6=~s/d$//;
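Review bot: `$arg6=~s/d$//;` on the last line of the hunk is an in-place edit of a variable defined outside this block, and it now runs only when `$xts` is true; with the new default the trailing `d` is no longer stripped from `$arg6`. I cannot see a later reader of `$arg6` from this hunk, so this is probably harmless, but it should be confirmed, since any code after the XTS block that still interpolates `$arg6` would now emit a different register name depending on the flag. If nothing downstream depends on it, a one-line comment such as `# $arg6 is only rewritten for the XTS entry points; nothing after this block reads it.` would record that. The block opened here (`if ($xts) {` and the inner `{`) is closed outside this hunk, in the hunk at `.size bsaes_xts_decrypt`.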
@@ -2991,6 +2994,7 @@
.size bsaes_xts_decrypt,.-bsaes_xts_decrypt
___
}
+} # $xts
$code.=<<___;
.type _bsaes_const,\@object
.align 64
@@ -3172,7 +3176,8 @@
.rva .Lctr_enc_prologue
.rva .Lctr_enc_epilogue
.rva .Lctr_enc_info
-
+___
+$code.=<<___ if ($xts);
.rva .Lxts_enc_prologue
.rva .Lxts_enc_epilogue
.rva .Lxts_enc_info
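Review bot: The XTS `.pdata` entries gated by `$code.=<<___ if ($xts);` reference `.Lxts_enc_info` and `.Lxts_dec_info`, whose `.xdata` records are gated separately in the later hunk at `.Lxts_enc_info:`; the two gates must stay paired or the Win64 build fails to assemble on an undefined label, and nothing at this site says so. Suggest a comment on the gating line, `$code.=<<___ if ($xts); # XTS unwind entries; the matching .xdata records below are gated the same way.` The same pairing applies to the `.Lxts_dec_prologue` triplet in the next hunk.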
@@ -3180,6 +3185,8 @@
.rva .Lxts_dec_prologue
.rva .Lxts_dec_epilogue
.rva .Lxts_dec_info
+___
+$code.=<<___;
.section .xdata
.align 8
@@ -3211,6 +3218,8 @@
.rva .Lctr_enc_body,.Lctr_enc_epilogue # HandlerData[]
.rva .Lctr_enc_tail
.long 0
+___
+$code.=<<___ if ($xts);
.Lxts_enc_info:
.byte 9,0,0,0
.rva se_handler