2019-07-09 00:08:04 +03:00
|
|
|
/* rijndael-armv8-aarch64-ce.S - ARMv8/CE accelerated AES
|
|
|
|
* Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
|
|
*
|
|
|
|
* This file is part of Libgcrypt.
|
|
|
|
*
|
|
|
|
* Libgcrypt is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU Lesser General Public License as
|
|
|
|
* published by the Free Software Foundation; either version 2.1 of
|
|
|
|
* the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* Libgcrypt is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#if defined(__AARCH64EL__) && \
|
|
|
|
defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
|
|
|
|
defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
|
|
|
|
|
|
|
|
.cpu generic+simd+crypto
|
|
|
|
|
|
|
|
.text
|
|
|
|
|
|
|
|
|
|
|
|
#define GET_DATA_POINTER(reg, name) \
|
|
|
|
adrp reg, :got:name ; \
|
|
|
|
ldr reg, [reg, #:got_lo12:name] ;
|
|
|
|
|
|
|
|
|
|
|
|
/* Register macros */
|
|
|
|
|
|
|
|
#define vk0 v17
|
|
|
|
#define vk1 v18
|
|
|
|
#define vk2 v19
|
|
|
|
#define vk3 v20
|
|
|
|
#define vk4 v21
|
|
|
|
#define vk5 v22
|
|
|
|
#define vk6 v23
|
|
|
|
#define vk7 v24
|
|
|
|
#define vk8 v25
|
|
|
|
#define vk9 v26
|
|
|
|
#define vk10 v27
|
|
|
|
#define vk11 v28
|
|
|
|
#define vk12 v29
|
|
|
|
#define vk13 v30
|
|
|
|
#define vk14 v31
|
|
|
|
|
|
|
|
|
|
|
|
/* AES macros */
|
|
|
|
|
|
|
|
#define aes_preload_keys(keysched, nrounds) \
|
|
|
|
cmp nrounds, #12; \
|
|
|
|
ld1 {vk0.16b-vk3.16b}, [keysched], #64; \
|
|
|
|
ld1 {vk4.16b-vk7.16b}, [keysched], #64; \
|
|
|
|
ld1 {vk8.16b-vk10.16b}, [keysched], #48; \
|
|
|
|
b.lo 1f; \
|
|
|
|
ld1 {vk11.16b-vk12.16b}, [keysched], #32; \
|
|
|
|
b.eq 1f; \
|
|
|
|
ld1 {vk13.16b-vk14.16b}, [keysched]; \
|
|
|
|
1: ;
|
|
|
|
|
|
|
|
#define do_aes_one128(ed, mcimc, vo, vb) \
|
|
|
|
aes##ed vb.16b, vk0.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk1.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk2.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk3.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk4.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk5.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk6.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk7.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk8.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk9.16b; \
|
|
|
|
eor vo.16b, vb.16b, vk10.16b;
|
|
|
|
|
|
|
|
#define do_aes_one192(ed, mcimc, vo, vb) \
|
|
|
|
aes##ed vb.16b, vk0.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk1.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk2.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk3.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk4.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk5.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk6.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk7.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk8.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk9.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk10.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk11.16b; \
|
|
|
|
eor vo.16b, vb.16b, vk12.16b;
|
|
|
|
|
|
|
|
#define do_aes_one256(ed, mcimc, vo, vb) \
|
|
|
|
aes##ed vb.16b, vk0.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk1.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk2.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk3.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk4.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk5.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk6.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk7.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk8.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk9.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk10.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk11.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk12.16b; \
|
|
|
|
aes##mcimc vb.16b, vb.16b; \
|
|
|
|
aes##ed vb.16b, vk13.16b; \
|
|
|
|
eor vo.16b, vb.16b, vk14.16b;
|
|
|
|
|
|
|
|
#define aes_round_4(ed, mcimc, b0, b1, b2, b3, key) \
|
|
|
|
aes##ed b0.16b, key.16b; \
|
|
|
|
aes##mcimc b0.16b, b0.16b; \
|
|
|
|
aes##ed b1.16b, key.16b; \
|
|
|
|
aes##mcimc b1.16b, b1.16b; \
|
|
|
|
aes##ed b2.16b, key.16b; \
|
|
|
|
aes##mcimc b2.16b, b2.16b; \
|
|
|
|
aes##ed b3.16b, key.16b; \
|
|
|
|
aes##mcimc b3.16b, b3.16b;
|
|
|
|
|
|
|
|
#define aes_lastround_4(ed, b0, b1, b2, b3, key1, key2) \
|
|
|
|
aes##ed b0.16b, key1.16b; \
|
|
|
|
eor b0.16b, b0.16b, key2.16b; \
|
|
|
|
aes##ed b1.16b, key1.16b; \
|
|
|
|
eor b1.16b, b1.16b, key2.16b; \
|
|
|
|
aes##ed b2.16b, key1.16b; \
|
|
|
|
eor b2.16b, b2.16b, key2.16b; \
|
|
|
|
aes##ed b3.16b, key1.16b; \
|
|
|
|
eor b3.16b, b3.16b, key2.16b;
|
|
|
|
|
|
|
|
#define do_aes_4_128(ed, mcimc, b0, b1, b2, b3) \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk0); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk1); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk2); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk3); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk4); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk5); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk6); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk7); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk8); \
|
|
|
|
aes_lastround_4(ed, b0, b1, b2, b3, vk9, vk10);
|
|
|
|
|
|
|
|
#define do_aes_4_192(ed, mcimc, b0, b1, b2, b3) \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk0); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk1); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk2); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk3); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk4); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk5); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk6); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk7); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk8); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk9); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk10); \
|
|
|
|
aes_lastround_4(ed, b0, b1, b2, b3, vk11, vk12);
|
|
|
|
|
|
|
|
#define do_aes_4_256(ed, mcimc, b0, b1, b2, b3) \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk0); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk1); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk2); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk3); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk4); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk5); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk6); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk7); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk8); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk9); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk10); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk11); \
|
|
|
|
aes_round_4(ed, mcimc, b0, b1, b2, b3, vk12); \
|
|
|
|
aes_lastround_4(ed, b0, b1, b2, b3, vk13, vk14);
|
|
|
|
|
|
|
|
|
|
|
|
/* Other functional macros */
|
|
|
|
|
|
|
|
#define CLEAR_REG(reg) eor reg.16b, reg.16b, reg.16b;
|
|
|
|
|
|
|
|
#define aes_clear_keys(nrounds) \
|
|
|
|
cmp nrounds, #12; \
|
|
|
|
CLEAR_REG(vk0); \
|
|
|
|
CLEAR_REG(vk1); \
|
|
|
|
CLEAR_REG(vk2); \
|
|
|
|
CLEAR_REG(vk3); \
|
|
|
|
CLEAR_REG(vk4); \
|
|
|
|
CLEAR_REG(vk5); \
|
|
|
|
CLEAR_REG(vk6); \
|
|
|
|
CLEAR_REG(vk7); \
|
|
|
|
CLEAR_REG(vk9); \
|
|
|
|
CLEAR_REG(vk8); \
|
|
|
|
CLEAR_REG(vk10); \
|
|
|
|
b.lo 1f; \
|
|
|
|
CLEAR_REG(vk11); \
|
|
|
|
CLEAR_REG(vk12); \
|
|
|
|
b.eq 1f; \
|
|
|
|
CLEAR_REG(vk13); \
|
|
|
|
CLEAR_REG(vk14); \
|
|
|
|
1: ;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* unsigned int _gcry_aes_enc_armv8_ce(void *keysched, byte *dst,
|
|
|
|
* const byte *src,
|
|
|
|
* unsigned int nrounds);
|
|
|
|
*/
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_enc_armv8_ce
|
|
|
|
.type _gcry_aes_enc_armv8_ce,%function;
|
|
|
|
_gcry_aes_enc_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* x0: keysched
|
|
|
|
* x1: dst
|
|
|
|
* x2: src
|
|
|
|
* w3: nrounds
|
|
|
|
*/
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w3);
|
|
|
|
|
|
|
|
ld1 {v0.16b}, [x2]
|
|
|
|
|
|
|
|
b.hi .Lenc1_256
|
|
|
|
b.eq .Lenc1_192
|
|
|
|
|
|
|
|
.Lenc1_128:
|
|
|
|
do_aes_one128(e, mc, v0, v0);
|
|
|
|
|
|
|
|
.Lenc1_tail:
|
|
|
|
CLEAR_REG(vk0)
|
|
|
|
CLEAR_REG(vk1)
|
|
|
|
CLEAR_REG(vk2)
|
|
|
|
CLEAR_REG(vk3)
|
|
|
|
CLEAR_REG(vk4)
|
|
|
|
CLEAR_REG(vk5)
|
|
|
|
CLEAR_REG(vk6)
|
|
|
|
CLEAR_REG(vk7)
|
|
|
|
CLEAR_REG(vk8)
|
|
|
|
CLEAR_REG(vk9)
|
|
|
|
CLEAR_REG(vk10)
|
|
|
|
st1 {v0.16b}, [x1]
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
|
|
|
|
mov x0, #0
|
|
|
|
ret
|
|
|
|
|
|
|
|
.Lenc1_192:
|
|
|
|
do_aes_one192(e, mc, v0, v0);
|
|
|
|
|
|
|
|
CLEAR_REG(vk11)
|
|
|
|
CLEAR_REG(vk12)
|
|
|
|
b .Lenc1_tail
|
|
|
|
|
|
|
|
.Lenc1_256:
|
|
|
|
do_aes_one256(e, mc, v0, v0);
|
|
|
|
|
|
|
|
CLEAR_REG(vk11)
|
|
|
|
CLEAR_REG(vk12)
|
|
|
|
CLEAR_REG(vk13)
|
|
|
|
CLEAR_REG(vk14)
|
|
|
|
b .Lenc1_tail
|
|
|
|
.size _gcry_aes_enc_armv8_ce,.-_gcry_aes_enc_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* unsigned int _gcry_aes_dec_armv8_ce(void *keysched, byte *dst,
|
|
|
|
* const byte *src,
|
|
|
|
* unsigned int nrounds);
|
|
|
|
*/
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_dec_armv8_ce
|
|
|
|
.type _gcry_aes_dec_armv8_ce,%function;
|
|
|
|
_gcry_aes_dec_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* x0: keysched
|
|
|
|
* x1: dst
|
|
|
|
* x2: src
|
|
|
|
* w3: nrounds
|
|
|
|
*/
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w3);
|
|
|
|
|
|
|
|
ld1 {v0.16b}, [x2]
|
|
|
|
|
|
|
|
b.hi .Ldec1_256
|
|
|
|
b.eq .Ldec1_192
|
|
|
|
|
|
|
|
.Ldec1_128:
|
|
|
|
do_aes_one128(d, imc, v0, v0);
|
|
|
|
|
|
|
|
.Ldec1_tail:
|
|
|
|
CLEAR_REG(vk0)
|
|
|
|
CLEAR_REG(vk1)
|
|
|
|
CLEAR_REG(vk2)
|
|
|
|
CLEAR_REG(vk3)
|
|
|
|
CLEAR_REG(vk4)
|
|
|
|
CLEAR_REG(vk5)
|
|
|
|
CLEAR_REG(vk6)
|
|
|
|
CLEAR_REG(vk7)
|
|
|
|
CLEAR_REG(vk8)
|
|
|
|
CLEAR_REG(vk9)
|
|
|
|
CLEAR_REG(vk10)
|
|
|
|
st1 {v0.16b}, [x1]
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
|
|
|
|
mov x0, #0
|
|
|
|
ret
|
|
|
|
|
|
|
|
.Ldec1_192:
|
|
|
|
do_aes_one192(d, imc, v0, v0);
|
|
|
|
|
|
|
|
CLEAR_REG(vk11)
|
|
|
|
CLEAR_REG(vk12)
|
|
|
|
b .Ldec1_tail
|
|
|
|
|
|
|
|
.Ldec1_256:
|
|
|
|
do_aes_one256(d, imc, v0, v0);
|
|
|
|
|
|
|
|
CLEAR_REG(vk11)
|
|
|
|
CLEAR_REG(vk12)
|
|
|
|
CLEAR_REG(vk13)
|
|
|
|
CLEAR_REG(vk14)
|
|
|
|
b .Ldec1_tail
|
|
|
|
.size _gcry_aes_dec_armv8_ce,.-_gcry_aes_dec_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* void _gcry_aes_cbc_enc_armv8_ce (const void *keysched,
|
|
|
|
* unsigned char *outbuf,
|
|
|
|
* const unsigned char *inbuf,
|
|
|
|
* unsigned char *iv, size_t nblocks,
|
|
|
|
* int cbc_mac, unsigned int nrounds);
|
|
|
|
*/
|
|
|
|
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_cbc_enc_armv8_ce
|
|
|
|
.type _gcry_aes_cbc_enc_armv8_ce,%function;
|
|
|
|
_gcry_aes_cbc_enc_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* x0: keysched
|
|
|
|
* x1: outbuf
|
|
|
|
* x2: inbuf
|
|
|
|
* x3: iv
|
|
|
|
* x4: nblocks
|
|
|
|
* w5: cbc_mac
|
|
|
|
* w6: nrounds
|
|
|
|
*/
|
|
|
|
|
|
|
|
cbz x4, .Lcbc_enc_skip
|
|
|
|
|
|
|
|
cmp w5, #0
|
|
|
|
ld1 {v1.16b}, [x3] /* load IV */
|
|
|
|
cset x5, eq
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w6);
|
|
|
|
lsl x5, x5, #4
|
|
|
|
|
|
|
|
b.eq .Lcbc_enc_loop192
|
|
|
|
b.hi .Lcbc_enc_loop256
|
|
|
|
|
|
|
|
#define CBC_ENC(bits) \
|
|
|
|
.Lcbc_enc_loop##bits: \
|
|
|
|
ld1 {v0.16b}, [x2], #16; /* load plaintext */ \
|
|
|
|
eor v1.16b, v0.16b, v1.16b; \
|
|
|
|
sub x4, x4, #1; \
|
|
|
|
\
|
|
|
|
do_aes_one##bits(e, mc, v1, v1); \
|
|
|
|
\
|
|
|
|
st1 {v1.16b}, [x1], x5; /* store ciphertext */ \
|
|
|
|
\
|
|
|
|
cbnz x4, .Lcbc_enc_loop##bits; \
|
|
|
|
b .Lcbc_enc_done;
|
|
|
|
|
|
|
|
CBC_ENC(128)
|
|
|
|
CBC_ENC(192)
|
|
|
|
CBC_ENC(256)
|
|
|
|
|
|
|
|
#undef CBC_ENC
|
|
|
|
|
|
|
|
.Lcbc_enc_done:
|
|
|
|
aes_clear_keys(w6)
|
|
|
|
|
|
|
|
st1 {v1.16b}, [x3] /* store IV */
|
|
|
|
|
|
|
|
CLEAR_REG(v1)
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
|
|
|
|
.Lcbc_enc_skip:
|
|
|
|
ret
|
|
|
|
.size _gcry_aes_cbc_enc_armv8_ce,.-_gcry_aes_cbc_enc_armv8_ce;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* void _gcry_aes_cbc_dec_armv8_ce (const void *keysched,
|
|
|
|
* unsigned char *outbuf,
|
|
|
|
* const unsigned char *inbuf,
|
|
|
|
* unsigned char *iv, unsigned int nrounds);
|
|
|
|
*/
|
|
|
|
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_cbc_dec_armv8_ce
|
|
|
|
.type _gcry_aes_cbc_dec_armv8_ce,%function;
|
|
|
|
_gcry_aes_cbc_dec_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* x0: keysched
|
|
|
|
* x1: outbuf
|
|
|
|
* x2: inbuf
|
|
|
|
* x3: iv
|
|
|
|
* x4: nblocks
|
|
|
|
* w5: nrounds
|
|
|
|
*/
|
|
|
|
|
|
|
|
cbz x4, .Lcbc_dec_skip
|
|
|
|
|
|
|
|
ld1 {v0.16b}, [x3] /* load IV */
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w5);
|
|
|
|
|
|
|
|
b.eq .Lcbc_dec_entry_192
|
|
|
|
b.hi .Lcbc_dec_entry_256
|
|
|
|
|
|
|
|
#define CBC_DEC(bits) \
|
|
|
|
.Lcbc_dec_entry_##bits: \
|
|
|
|
cmp x4, #4; \
|
|
|
|
b.lo .Lcbc_dec_loop_##bits; \
|
|
|
|
\
|
|
|
|
.Lcbc_dec_loop4_##bits: \
|
|
|
|
\
|
|
|
|
ld1 {v1.16b-v4.16b}, [x2], #64; /* load ciphertext */ \
|
|
|
|
sub x4, x4, #4; \
|
|
|
|
mov v5.16b, v1.16b; \
|
|
|
|
mov v6.16b, v2.16b; \
|
|
|
|
mov v7.16b, v3.16b; \
|
|
|
|
mov v16.16b, v4.16b; \
|
|
|
|
cmp x4, #4; \
|
|
|
|
\
|
|
|
|
do_aes_4_##bits(d, imc, v1, v2, v3, v4); \
|
|
|
|
\
|
|
|
|
eor v1.16b, v1.16b, v0.16b; \
|
|
|
|
eor v2.16b, v2.16b, v5.16b; \
|
|
|
|
st1 {v1.16b-v2.16b}, [x1], #32; /* store plaintext */ \
|
|
|
|
eor v3.16b, v3.16b, v6.16b; \
|
|
|
|
eor v4.16b, v4.16b, v7.16b; \
|
|
|
|
mov v0.16b, v16.16b; /* next IV */ \
|
|
|
|
st1 {v3.16b-v4.16b}, [x1], #32; /* store plaintext */ \
|
|
|
|
\
|
|
|
|
b.hs .Lcbc_dec_loop4_##bits; \
|
|
|
|
CLEAR_REG(v3); \
|
|
|
|
CLEAR_REG(v4); \
|
|
|
|
CLEAR_REG(v5); \
|
|
|
|
CLEAR_REG(v6); \
|
|
|
|
CLEAR_REG(v7); \
|
|
|
|
CLEAR_REG(v16); \
|
|
|
|
cbz x4, .Lcbc_dec_done; \
|
|
|
|
\
|
|
|
|
.Lcbc_dec_loop_##bits: \
|
|
|
|
ld1 {v1.16b}, [x2], #16; /* load ciphertext */ \
|
|
|
|
sub x4, x4, #1; \
|
|
|
|
mov v2.16b, v1.16b; \
|
|
|
|
\
|
|
|
|
do_aes_one##bits(d, imc, v1, v1); \
|
|
|
|
\
|
|
|
|
eor v1.16b, v1.16b, v0.16b; \
|
|
|
|
mov v0.16b, v2.16b; \
|
|
|
|
st1 {v1.16b}, [x1], #16; /* store plaintext */ \
|
|
|
|
\
|
|
|
|
cbnz x4, .Lcbc_dec_loop_##bits; \
|
|
|
|
b .Lcbc_dec_done;
|
|
|
|
|
|
|
|
CBC_DEC(128)
|
|
|
|
CBC_DEC(192)
|
|
|
|
CBC_DEC(256)
|
|
|
|
|
|
|
|
#undef CBC_DEC
|
|
|
|
|
|
|
|
.Lcbc_dec_done:
|
|
|
|
aes_clear_keys(w5)
|
|
|
|
|
|
|
|
st1 {v0.16b}, [x3] /* store IV */
|
|
|
|
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
CLEAR_REG(v1)
|
|
|
|
CLEAR_REG(v2)
|
|
|
|
|
|
|
|
.Lcbc_dec_skip:
|
|
|
|
ret
|
|
|
|
.size _gcry_aes_cbc_dec_armv8_ce,.-_gcry_aes_cbc_dec_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* void _gcry_aes_ctr_enc_armv8_ce (const void *keysched,
|
|
|
|
* unsigned char *outbuf,
|
|
|
|
* const unsigned char *inbuf,
|
|
|
|
* unsigned char *iv, unsigned int nrounds);
|
|
|
|
*/
|
|
|
|
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_ctr_enc_armv8_ce
|
|
|
|
.type _gcry_aes_ctr_enc_armv8_ce,%function;
|
|
|
|
_gcry_aes_ctr_enc_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* r0: keysched
|
|
|
|
* r1: outbuf
|
|
|
|
* r2: inbuf
|
|
|
|
* r3: iv
|
|
|
|
* x4: nblocks
|
|
|
|
* w5: nrounds
|
|
|
|
*/
|
|
|
|
|
|
|
|
cbz x4, .Lctr_enc_skip
|
|
|
|
|
|
|
|
mov x6, #1
|
|
|
|
movi v16.16b, #0
|
|
|
|
mov v16.D[1], x6
|
|
|
|
|
|
|
|
/* load IV */
|
|
|
|
ldp x9, x10, [x3]
|
|
|
|
ld1 {v0.16b}, [x3]
|
|
|
|
rev x9, x9
|
|
|
|
rev x10, x10
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w5);
|
|
|
|
|
|
|
|
b.eq .Lctr_enc_entry_192
|
|
|
|
b.hi .Lctr_enc_entry_256
|
|
|
|
|
|
|
|
#define CTR_ENC(bits) \
|
|
|
|
.Lctr_enc_entry_##bits: \
|
|
|
|
cmp x4, #4; \
|
|
|
|
b.lo .Lctr_enc_loop_##bits; \
|
|
|
|
\
|
|
|
|
.Lctr_enc_loop4_##bits: \
|
|
|
|
cmp x10, #0xfffffffffffffffc; \
|
|
|
|
sub x4, x4, #4; \
|
|
|
|
b.lo .Lctr_enc_loop4_##bits##_nocarry; \
|
|
|
|
\
|
|
|
|
adds x10, x10, #1; \
|
|
|
|
mov v1.16b, v0.16b; \
|
|
|
|
adc x9, x9, xzr; \
|
|
|
|
mov v2.D[1], x10; \
|
|
|
|
mov v2.D[0], x9; \
|
|
|
|
\
|
|
|
|
adds x10, x10, #1; \
|
|
|
|
rev64 v2.16b, v2.16b; \
|
|
|
|
adc x9, x9, xzr; \
|
|
|
|
mov v3.D[1], x10; \
|
|
|
|
mov v3.D[0], x9; \
|
|
|
|
\
|
|
|
|
adds x10, x10, #1; \
|
|
|
|
rev64 v3.16b, v3.16b; \
|
|
|
|
adc x9, x9, xzr; \
|
|
|
|
mov v4.D[1], x10; \
|
|
|
|
mov v4.D[0], x9; \
|
|
|
|
\
|
|
|
|
adds x10, x10, #1; \
|
|
|
|
rev64 v4.16b, v4.16b; \
|
|
|
|
adc x9, x9, xzr; \
|
|
|
|
mov v0.D[1], x10; \
|
|
|
|
mov v0.D[0], x9; \
|
|
|
|
rev64 v0.16b, v0.16b; \
|
|
|
|
\
|
|
|
|
b .Lctr_enc_loop4_##bits##_store_ctr; \
|
|
|
|
\
|
|
|
|
.Lctr_enc_loop4_##bits##_nocarry: \
|
|
|
|
\
|
|
|
|
add v3.2d, v16.2d, v16.2d; /* 2 */ \
|
|
|
|
rev64 v6.16b, v0.16b; \
|
|
|
|
add x10, x10, #4; \
|
|
|
|
add v4.2d, v3.2d, v16.2d; /* 3 */ \
|
|
|
|
add v0.2d, v3.2d, v3.2d; /* 4 */ \
|
|
|
|
rev64 v1.16b, v6.16b; \
|
|
|
|
add v2.2d, v6.2d, v16.2d; \
|
|
|
|
add v3.2d, v6.2d, v3.2d; \
|
|
|
|
add v4.2d, v6.2d, v4.2d; \
|
|
|
|
add v0.2d, v6.2d, v0.2d; \
|
|
|
|
rev64 v2.16b, v2.16b; \
|
|
|
|
rev64 v3.16b, v3.16b; \
|
|
|
|
rev64 v0.16b, v0.16b; \
|
|
|
|
rev64 v4.16b, v4.16b; \
|
|
|
|
\
|
|
|
|
.Lctr_enc_loop4_##bits##_store_ctr: \
|
|
|
|
\
|
|
|
|
st1 {v0.16b}, [x3]; \
|
|
|
|
cmp x4, #4; \
|
|
|
|
ld1 {v5.16b-v7.16b}, [x2], #48; /* preload ciphertext */ \
|
|
|
|
\
|
|
|
|
do_aes_4_##bits(e, mc, v1, v2, v3, v4); \
|
|
|
|
\
|
|
|
|
eor v1.16b, v1.16b, v5.16b; \
|
|
|
|
ld1 {v5.16b}, [x2], #16; /* load ciphertext */ \
|
|
|
|
eor v2.16b, v2.16b, v6.16b; \
|
|
|
|
eor v3.16b, v3.16b, v7.16b; \
|
|
|
|
eor v4.16b, v4.16b, v5.16b; \
|
|
|
|
st1 {v1.16b-v4.16b}, [x1], #64; /* store plaintext */ \
|
|
|
|
\
|
|
|
|
b.hs .Lctr_enc_loop4_##bits; \
|
|
|
|
CLEAR_REG(v3); \
|
|
|
|
CLEAR_REG(v4); \
|
|
|
|
CLEAR_REG(v5); \
|
|
|
|
CLEAR_REG(v6); \
|
|
|
|
CLEAR_REG(v7); \
|
|
|
|
cbz x4, .Lctr_enc_done; \
|
|
|
|
\
|
|
|
|
.Lctr_enc_loop_##bits: \
|
|
|
|
\
|
|
|
|
adds x10, x10, #1; \
|
|
|
|
mov v1.16b, v0.16b; \
|
|
|
|
adc x9, x9, xzr; \
|
|
|
|
mov v0.D[1], x10; \
|
|
|
|
mov v0.D[0], x9; \
|
|
|
|
sub x4, x4, #1; \
|
|
|
|
ld1 {v2.16b}, [x2], #16; /* load ciphertext */ \
|
|
|
|
rev64 v0.16b, v0.16b; \
|
|
|
|
\
|
|
|
|
do_aes_one##bits(e, mc, v1, v1); \
|
|
|
|
\
|
|
|
|
eor v1.16b, v2.16b, v1.16b; \
|
|
|
|
st1 {v1.16b}, [x1], #16; /* store plaintext */ \
|
|
|
|
\
|
|
|
|
cbnz x4, .Lctr_enc_loop_##bits; \
|
|
|
|
b .Lctr_enc_done;
|
|
|
|
|
|
|
|
CTR_ENC(128)
|
|
|
|
CTR_ENC(192)
|
|
|
|
CTR_ENC(256)
|
|
|
|
|
|
|
|
#undef CTR_ENC
|
|
|
|
|
|
|
|
.Lctr_enc_done:
|
|
|
|
aes_clear_keys(w5)
|
|
|
|
|
|
|
|
st1 {v0.16b}, [x3] /* store IV */
|
|
|
|
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
CLEAR_REG(v1)
|
|
|
|
CLEAR_REG(v2)
|
|
|
|
|
|
|
|
.Lctr_enc_skip:
|
|
|
|
ret
|
|
|
|
|
|
|
|
.size _gcry_aes_ctr_enc_armv8_ce,.-_gcry_aes_ctr_enc_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* void _gcry_aes_cfb_enc_armv8_ce (const void *keysched,
|
|
|
|
* unsigned char *outbuf,
|
|
|
|
* const unsigned char *inbuf,
|
|
|
|
* unsigned char *iv, unsigned int nrounds);
|
|
|
|
*/
|
|
|
|
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_cfb_enc_armv8_ce
|
|
|
|
.type _gcry_aes_cfb_enc_armv8_ce,%function;
|
|
|
|
_gcry_aes_cfb_enc_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* r0: keysched
|
|
|
|
* r1: outbuf
|
|
|
|
* r2: inbuf
|
|
|
|
* r3: iv
|
|
|
|
* x4: nblocks
|
|
|
|
* w5: nrounds
|
|
|
|
*/
|
|
|
|
|
|
|
|
cbz x4, .Lcfb_enc_skip
|
|
|
|
|
|
|
|
/* load IV */
|
|
|
|
ld1 {v0.16b}, [x3]
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w5);
|
|
|
|
|
|
|
|
b.eq .Lcfb_enc_entry_192
|
|
|
|
b.hi .Lcfb_enc_entry_256
|
|
|
|
|
|
|
|
#define CFB_ENC(bits) \
|
|
|
|
.Lcfb_enc_entry_##bits: \
|
|
|
|
.Lcfb_enc_loop_##bits: \
|
|
|
|
ld1 {v1.16b}, [x2], #16; /* load plaintext */ \
|
|
|
|
sub x4, x4, #1; \
|
|
|
|
\
|
|
|
|
do_aes_one##bits(e, mc, v0, v0); \
|
|
|
|
\
|
|
|
|
eor v0.16b, v1.16b, v0.16b; \
|
|
|
|
st1 {v0.16b}, [x1], #16; /* store ciphertext */ \
|
|
|
|
\
|
|
|
|
cbnz x4, .Lcfb_enc_loop_##bits; \
|
|
|
|
b .Lcfb_enc_done;
|
|
|
|
|
|
|
|
CFB_ENC(128)
|
|
|
|
CFB_ENC(192)
|
|
|
|
CFB_ENC(256)
|
|
|
|
|
|
|
|
#undef CFB_ENC
|
|
|
|
|
|
|
|
.Lcfb_enc_done:
|
|
|
|
aes_clear_keys(w5)
|
|
|
|
|
|
|
|
st1 {v0.16b}, [x3] /* store IV */
|
|
|
|
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
CLEAR_REG(v1)
|
|
|
|
|
|
|
|
.Lcfb_enc_skip:
|
|
|
|
ret
|
|
|
|
.size _gcry_aes_cfb_enc_armv8_ce,.-_gcry_aes_cfb_enc_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* void _gcry_aes_cfb_dec_armv8_ce (const void *keysched,
|
|
|
|
* unsigned char *outbuf,
|
|
|
|
* const unsigned char *inbuf,
|
|
|
|
* unsigned char *iv, unsigned int nrounds);
|
|
|
|
*/
|
|
|
|
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_cfb_dec_armv8_ce
|
|
|
|
.type _gcry_aes_cfb_dec_armv8_ce,%function;
|
|
|
|
_gcry_aes_cfb_dec_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* r0: keysched
|
|
|
|
* r1: outbuf
|
|
|
|
* r2: inbuf
|
|
|
|
* r3: iv
|
|
|
|
* x4: nblocks
|
|
|
|
* w5: nrounds
|
|
|
|
*/
|
|
|
|
|
|
|
|
cbz x4, .Lcfb_dec_skip
|
|
|
|
|
|
|
|
/* load IV */
|
|
|
|
ld1 {v0.16b}, [x3]
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w5);
|
|
|
|
|
|
|
|
b.eq .Lcfb_dec_entry_192
|
|
|
|
b.hi .Lcfb_dec_entry_256
|
|
|
|
|
|
|
|
#define CFB_DEC(bits) \
|
|
|
|
.Lcfb_dec_entry_##bits: \
|
|
|
|
cmp x4, #4; \
|
|
|
|
b.lo .Lcfb_dec_loop_##bits; \
|
|
|
|
\
|
|
|
|
.Lcfb_dec_loop4_##bits: \
|
|
|
|
\
|
|
|
|
ld1 {v2.16b-v4.16b}, [x2], #48; /* load ciphertext */ \
|
|
|
|
mov v1.16b, v0.16b; \
|
|
|
|
sub x4, x4, #4; \
|
|
|
|
cmp x4, #4; \
|
|
|
|
mov v5.16b, v2.16b; \
|
|
|
|
mov v6.16b, v3.16b; \
|
|
|
|
mov v7.16b, v4.16b; \
|
|
|
|
ld1 {v0.16b}, [x2], #16; /* load next IV / ciphertext */ \
|
|
|
|
\
|
|
|
|
do_aes_4_##bits(e, mc, v1, v2, v3, v4); \
|
|
|
|
\
|
|
|
|
eor v1.16b, v1.16b, v5.16b; \
|
|
|
|
eor v2.16b, v2.16b, v6.16b; \
|
|
|
|
eor v3.16b, v3.16b, v7.16b; \
|
|
|
|
eor v4.16b, v4.16b, v0.16b; \
|
|
|
|
st1 {v1.16b-v4.16b}, [x1], #64; /* store plaintext */ \
|
|
|
|
\
|
|
|
|
b.hs .Lcfb_dec_loop4_##bits; \
|
|
|
|
CLEAR_REG(v3); \
|
|
|
|
CLEAR_REG(v4); \
|
|
|
|
CLEAR_REG(v5); \
|
|
|
|
CLEAR_REG(v6); \
|
|
|
|
CLEAR_REG(v7); \
|
|
|
|
cbz x4, .Lcfb_dec_done; \
|
|
|
|
\
|
|
|
|
.Lcfb_dec_loop_##bits: \
|
|
|
|
\
|
|
|
|
ld1 {v1.16b}, [x2], #16; /* load ciphertext */ \
|
|
|
|
\
|
|
|
|
sub x4, x4, #1; \
|
|
|
|
\
|
|
|
|
do_aes_one##bits(e, mc, v0, v0); \
|
|
|
|
\
|
|
|
|
eor v2.16b, v1.16b, v0.16b; \
|
|
|
|
mov v0.16b, v1.16b; \
|
|
|
|
st1 {v2.16b}, [x1], #16; /* store plaintext */ \
|
|
|
|
\
|
|
|
|
cbnz x4, .Lcfb_dec_loop_##bits; \
|
|
|
|
b .Lcfb_dec_done;
|
|
|
|
|
|
|
|
CFB_DEC(128)
|
|
|
|
CFB_DEC(192)
|
|
|
|
CFB_DEC(256)
|
|
|
|
|
|
|
|
#undef CFB_DEC
|
|
|
|
|
|
|
|
.Lcfb_dec_done:
|
|
|
|
aes_clear_keys(w5)
|
|
|
|
|
|
|
|
st1 {v0.16b}, [x3] /* store IV */
|
|
|
|
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
CLEAR_REG(v1)
|
|
|
|
CLEAR_REG(v2)
|
|
|
|
|
|
|
|
.Lcfb_dec_skip:
|
|
|
|
ret
|
|
|
|
.size _gcry_aes_cfb_dec_armv8_ce,.-_gcry_aes_cfb_dec_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* void _gcry_aes_ocb_enc_armv8_ce (const void *keysched,
|
|
|
|
* unsigned char *outbuf,
|
|
|
|
* const unsigned char *inbuf,
|
|
|
|
* unsigned char *offset,
|
|
|
|
* unsigned char *checksum,
|
|
|
|
* unsigned char *L_table,
|
|
|
|
* size_t nblocks,
|
|
|
|
* unsigned int nrounds,
|
|
|
|
* unsigned int blkn);
|
|
|
|
*/
|
|
|
|
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_ocb_enc_armv8_ce
|
|
|
|
.type _gcry_aes_ocb_enc_armv8_ce,%function;
|
|
|
|
_gcry_aes_ocb_enc_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* x0: keysched
|
|
|
|
* x1: outbuf
|
|
|
|
* x2: inbuf
|
|
|
|
* x3: offset
|
|
|
|
* x4: checksum
|
|
|
|
* x5: Ltable
|
|
|
|
* x6: nblocks (0 < nblocks <= 32)
|
|
|
|
* w7: nrounds
|
|
|
|
* %st+0: blkn => w12
|
|
|
|
*/
|
|
|
|
|
|
|
|
ldr w12, [sp]
|
|
|
|
ld1 {v0.16b}, [x3] /* load offset */
|
|
|
|
ld1 {v16.16b}, [x4] /* load checksum */
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w7);
|
|
|
|
|
|
|
|
b.eq .Locb_enc_entry_192
|
|
|
|
b.hi .Locb_enc_entry_256
|
|
|
|
|
|
|
|
#define OCB_ENC(bits, ...) \
|
|
|
|
.Locb_enc_entry_##bits: \
|
|
|
|
cmp x6, #4; \
|
|
|
|
add x12, x12, #1; \
|
|
|
|
b.lo .Locb_enc_loop_##bits; \
|
|
|
|
\
|
|
|
|
.Locb_enc_loop4_##bits: \
|
|
|
|
\
|
|
|
|
/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
|
|
|
|
/* Checksum_i = Checksum_{i-1} xor P_i */ \
|
|
|
|
/* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \
|
|
|
|
\
|
|
|
|
add w9, w12, #1; \
|
|
|
|
add w10, w12, #2; \
|
|
|
|
add w11, w12, #3; \
|
|
|
|
rbit w8, w12; \
|
|
|
|
add w12, w12, #4; \
|
|
|
|
rbit w9, w9; \
|
|
|
|
rbit w10, w10; \
|
|
|
|
rbit w11, w11; \
|
|
|
|
clz w8, w8; /* ntz(i+0) */ \
|
|
|
|
clz w9, w9; /* ntz(i+1) */ \
|
|
|
|
clz w10, w10; /* ntz(i+2) */ \
|
|
|
|
clz w11, w11; /* ntz(i+3) */ \
|
|
|
|
add x8, x5, x8, lsl #4; \
|
|
|
|
ld1 {v1.16b-v4.16b}, [x2], #64; /* load P_i+<0-3> */ \
|
|
|
|
add x9, x5, x9, lsl #4; \
|
|
|
|
add x10, x5, x10, lsl #4; \
|
|
|
|
add x11, x5, x11, lsl #4; \
|
|
|
|
\
|
|
|
|
sub x6, x6, #4; \
|
|
|
|
\
|
|
|
|
ld1 {v5.16b}, [x8]; /* load L_{ntz(i+0)} */ \
|
|
|
|
eor v16.16b, v16.16b, v1.16b; /* Checksum_i+0 */ \
|
|
|
|
ld1 {v6.16b}, [x9]; /* load L_{ntz(i+1)} */ \
|
|
|
|
eor v16.16b, v16.16b, v2.16b; /* Checksum_i+1 */ \
|
|
|
|
ld1 {v7.16b}, [x10]; /* load L_{ntz(i+2)} */ \
|
|
|
|
eor v16.16b, v16.16b, v3.16b; /* Checksum_i+2 */ \
|
|
|
|
eor v5.16b, v5.16b, v0.16b; /* Offset_i+0 */ \
|
|
|
|
ld1 {v0.16b}, [x11]; /* load L_{ntz(i+3)} */ \
|
|
|
|
eor v16.16b, v16.16b, v4.16b; /* Checksum_i+3 */ \
|
|
|
|
eor v6.16b, v6.16b, v5.16b; /* Offset_i+1 */ \
|
|
|
|
eor v1.16b, v1.16b, v5.16b; /* P_i+0 xor Offset_i+0 */ \
|
|
|
|
eor v7.16b, v7.16b, v6.16b; /* Offset_i+2 */ \
|
|
|
|
eor v2.16b, v2.16b, v6.16b; /* P_i+1 xor Offset_i+1 */ \
|
|
|
|
eor v0.16b, v0.16b, v7.16b; /* Offset_i+3 */ \
|
|
|
|
cmp x6, #4; \
|
|
|
|
eor v3.16b, v3.16b, v7.16b; /* P_i+2 xor Offset_i+2 */ \
|
|
|
|
eor v4.16b, v4.16b, v0.16b; /* P_i+3 xor Offset_i+3 */ \
|
|
|
|
\
|
|
|
|
do_aes_4_##bits(e, mc, v1, v2, v3, v4); \
|
|
|
|
\
|
|
|
|
eor v1.16b, v1.16b, v5.16b; /* xor Offset_i+0 */ \
|
|
|
|
eor v2.16b, v2.16b, v6.16b; /* xor Offset_i+1 */ \
|
|
|
|
eor v3.16b, v3.16b, v7.16b; /* xor Offset_i+2 */ \
|
|
|
|
eor v4.16b, v4.16b, v0.16b; /* xor Offset_i+3 */ \
|
|
|
|
st1 {v1.16b-v4.16b}, [x1], #64; \
|
|
|
|
\
|
|
|
|
b.hs .Locb_enc_loop4_##bits; \
|
|
|
|
CLEAR_REG(v3); \
|
|
|
|
CLEAR_REG(v4); \
|
|
|
|
CLEAR_REG(v5); \
|
|
|
|
CLEAR_REG(v6); \
|
|
|
|
CLEAR_REG(v7); \
|
|
|
|
cbz x6, .Locb_enc_done; \
|
|
|
|
\
|
|
|
|
.Locb_enc_loop_##bits: \
|
|
|
|
\
|
|
|
|
/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
|
|
|
|
/* Checksum_i = Checksum_{i-1} xor P_i */ \
|
|
|
|
/* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \
|
|
|
|
\
|
|
|
|
rbit x8, x12; \
|
|
|
|
add x12, x12, #1; \
|
|
|
|
clz x8, x8; /* ntz(i) */ \
|
|
|
|
add x8, x5, x8, lsl #4; \
|
|
|
|
\
|
|
|
|
ld1 {v1.16b}, [x2], #16; /* load plaintext */ \
|
|
|
|
ld1 {v2.16b}, [x8]; /* load L_{ntz(i)} */ \
|
|
|
|
sub x6, x6, #1; \
|
|
|
|
eor v0.16b, v0.16b, v2.16b; \
|
|
|
|
eor v16.16b, v16.16b, v1.16b; \
|
|
|
|
eor v1.16b, v1.16b, v0.16b; \
|
|
|
|
\
|
|
|
|
do_aes_one##bits(e, mc, v1, v1); \
|
|
|
|
\
|
|
|
|
eor v1.16b, v1.16b, v0.16b; \
|
|
|
|
st1 {v1.16b}, [x1], #16; /* store ciphertext */ \
|
|
|
|
\
|
|
|
|
cbnz x6, .Locb_enc_loop_##bits; \
|
|
|
|
b .Locb_enc_done;
|
|
|
|
|
|
|
|
OCB_ENC(128)
|
|
|
|
OCB_ENC(192)
|
|
|
|
OCB_ENC(256)
|
|
|
|
|
|
|
|
#undef OCB_ENC
|
|
|
|
|
|
|
|
.Locb_enc_done:
|
|
|
|
aes_clear_keys(w7)
|
|
|
|
|
|
|
|
st1 {v16.16b}, [x4] /* store checksum */
|
|
|
|
st1 {v0.16b}, [x3] /* store offset */
|
|
|
|
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
CLEAR_REG(v1)
|
|
|
|
CLEAR_REG(v2)
|
|
|
|
CLEAR_REG(v16)
|
|
|
|
|
|
|
|
ret
|
|
|
|
.size _gcry_aes_ocb_enc_armv8_ce,.-_gcry_aes_ocb_enc_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* void _gcry_aes_ocb_dec_armv8_ce (const void *keysched,
|
|
|
|
* unsigned char *outbuf,
|
|
|
|
* const unsigned char *inbuf,
|
|
|
|
* unsigned char *offset,
|
|
|
|
* unsigned char *checksum,
|
|
|
|
* unsigned char *L_table,
|
|
|
|
* size_t nblocks,
|
|
|
|
* unsigned int nrounds,
|
|
|
|
* unsigned int blkn);
|
|
|
|
*/
|
|
|
|
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_ocb_dec_armv8_ce
|
|
|
|
.type _gcry_aes_ocb_dec_armv8_ce,%function;
|
|
|
|
_gcry_aes_ocb_dec_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* x0: keysched
|
|
|
|
* x1: outbuf
|
|
|
|
* x2: inbuf
|
|
|
|
* x3: offset
|
|
|
|
* x4: checksum
|
|
|
|
* x5: Ltable
|
|
|
|
* x6: nblocks (0 < nblocks <= 32)
|
|
|
|
* w7: nrounds
|
|
|
|
* %st+0: blkn => w12
|
|
|
|
*/
|
|
|
|
|
|
|
|
ldr w12, [sp]
|
|
|
|
ld1 {v0.16b}, [x3] /* load offset */
|
|
|
|
ld1 {v16.16b}, [x4] /* load checksum */
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w7);
|
|
|
|
|
|
|
|
b.eq .Locb_dec_entry_192
|
|
|
|
b.hi .Locb_dec_entry_256
|
|
|
|
|
|
|
|
#define OCB_DEC(bits) \
|
|
|
|
.Locb_dec_entry_##bits: \
|
|
|
|
cmp x6, #4; \
|
|
|
|
add w12, w12, #1; \
|
|
|
|
b.lo .Locb_dec_loop_##bits; \
|
|
|
|
\
|
|
|
|
.Locb_dec_loop4_##bits: \
|
|
|
|
\
|
|
|
|
/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
|
|
|
|
/* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \
|
|
|
|
/* Checksum_i = Checksum_{i-1} xor P_i */ \
|
|
|
|
\
|
|
|
|
add w9, w12, #1; \
|
|
|
|
add w10, w12, #2; \
|
|
|
|
add w11, w12, #3; \
|
|
|
|
rbit w8, w12; \
|
|
|
|
add w12, w12, #4; \
|
|
|
|
rbit w9, w9; \
|
|
|
|
rbit w10, w10; \
|
|
|
|
rbit w11, w11; \
|
|
|
|
clz w8, w8; /* ntz(i+0) */ \
|
|
|
|
clz w9, w9; /* ntz(i+1) */ \
|
|
|
|
clz w10, w10; /* ntz(i+2) */ \
|
|
|
|
clz w11, w11; /* ntz(i+3) */ \
|
|
|
|
add x8, x5, x8, lsl #4; \
|
|
|
|
ld1 {v1.16b-v4.16b}, [x2], #64; /* load C_i+<0-3> */ \
|
|
|
|
add x9, x5, x9, lsl #4; \
|
|
|
|
add x10, x5, x10, lsl #4; \
|
|
|
|
add x11, x5, x11, lsl #4; \
|
|
|
|
\
|
|
|
|
sub x6, x6, #4; \
|
|
|
|
\
|
|
|
|
ld1 {v5.16b}, [x8]; /* load L_{ntz(i+0)} */ \
|
|
|
|
ld1 {v6.16b}, [x9]; /* load L_{ntz(i+1)} */ \
|
|
|
|
ld1 {v7.16b}, [x10]; /* load L_{ntz(i+2)} */ \
|
|
|
|
eor v5.16b, v5.16b, v0.16b; /* Offset_i+0 */ \
|
|
|
|
ld1 {v0.16b}, [x11]; /* load L_{ntz(i+3)} */ \
|
|
|
|
eor v6.16b, v6.16b, v5.16b; /* Offset_i+1 */ \
|
|
|
|
eor v1.16b, v1.16b, v5.16b; /* C_i+0 xor Offset_i+0 */ \
|
|
|
|
eor v7.16b, v7.16b, v6.16b; /* Offset_i+2 */ \
|
|
|
|
eor v2.16b, v2.16b, v6.16b; /* C_i+1 xor Offset_i+1 */ \
|
|
|
|
eor v0.16b, v0.16b, v7.16b; /* Offset_i+3 */ \
|
|
|
|
cmp x6, #4; \
|
|
|
|
eor v3.16b, v3.16b, v7.16b; /* C_i+2 xor Offset_i+2 */ \
|
|
|
|
eor v4.16b, v4.16b, v0.16b; /* C_i+3 xor Offset_i+3 */ \
|
|
|
|
\
|
|
|
|
do_aes_4_##bits(d, imc, v1, v2, v3, v4); \
|
|
|
|
\
|
|
|
|
eor v1.16b, v1.16b, v5.16b; /* xor Offset_i+0 */ \
|
|
|
|
eor v2.16b, v2.16b, v6.16b; /* xor Offset_i+1 */ \
|
|
|
|
eor v16.16b, v16.16b, v1.16b; /* Checksum_i+0 */ \
|
|
|
|
eor v3.16b, v3.16b, v7.16b; /* xor Offset_i+2 */ \
|
|
|
|
eor v16.16b, v16.16b, v2.16b; /* Checksum_i+1 */ \
|
|
|
|
eor v4.16b, v4.16b, v0.16b; /* xor Offset_i+3 */ \
|
|
|
|
eor v16.16b, v16.16b, v3.16b; /* Checksum_i+2 */ \
|
|
|
|
eor v16.16b, v16.16b, v4.16b; /* Checksum_i+3 */ \
|
|
|
|
st1 {v1.16b-v4.16b}, [x1], #64; \
|
|
|
|
\
|
|
|
|
b.hs .Locb_dec_loop4_##bits; \
|
|
|
|
CLEAR_REG(v3); \
|
|
|
|
CLEAR_REG(v4); \
|
|
|
|
CLEAR_REG(v5); \
|
|
|
|
CLEAR_REG(v6); \
|
|
|
|
CLEAR_REG(v7); \
|
|
|
|
cbz x6, .Locb_dec_done; \
|
|
|
|
\
|
|
|
|
.Locb_dec_loop_##bits: \
|
|
|
|
\
|
|
|
|
/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
|
|
|
|
/* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \
|
|
|
|
/* Checksum_i = Checksum_{i-1} xor P_i */ \
|
|
|
|
\
|
|
|
|
rbit w8, w12; \
|
|
|
|
add w12, w12, #1; \
|
|
|
|
clz w8, w8; /* ntz(i) */ \
|
|
|
|
add x8, x5, x8, lsl #4; \
|
|
|
|
\
|
|
|
|
ld1 {v1.16b}, [x2], #16; /* load ciphertext */ \
|
|
|
|
ld1 {v2.16b}, [x8]; /* load L_{ntz(i)} */ \
|
|
|
|
sub x6, x6, #1; \
|
|
|
|
eor v0.16b, v0.16b, v2.16b; \
|
|
|
|
eor v1.16b, v1.16b, v0.16b; \
|
|
|
|
\
|
|
|
|
do_aes_one##bits(d, imc, v1, v1) \
|
|
|
|
\
|
|
|
|
eor v1.16b, v1.16b, v0.16b; \
|
|
|
|
st1 {v1.16b}, [x1], #16; /* store plaintext */ \
|
|
|
|
eor v16.16b, v16.16b, v1.16b; \
|
|
|
|
\
|
|
|
|
cbnz x6, .Locb_dec_loop_##bits; \
|
|
|
|
b .Locb_dec_done;
|
|
|
|
|
|
|
|
OCB_DEC(128)
|
|
|
|
OCB_DEC(192)
|
|
|
|
OCB_DEC(256)
|
|
|
|
|
|
|
|
#undef OCB_DEC
|
|
|
|
|
|
|
|
.Locb_dec_done:
|
|
|
|
aes_clear_keys(w7)
|
|
|
|
|
|
|
|
st1 {v16.16b}, [x4] /* store checksum */
|
|
|
|
st1 {v0.16b}, [x3] /* store offset */
|
|
|
|
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
CLEAR_REG(v1)
|
|
|
|
CLEAR_REG(v2)
|
|
|
|
CLEAR_REG(v16)
|
|
|
|
|
|
|
|
ret
|
|
|
|
.size _gcry_aes_ocb_dec_armv8_ce,.-_gcry_aes_ocb_dec_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* void _gcry_aes_ocb_auth_armv8_ce (const void *keysched,
|
|
|
|
* const unsigned char *abuf,
|
|
|
|
* unsigned char *offset,
|
|
|
|
* unsigned char *checksum,
|
|
|
|
* unsigned char *L_table,
|
|
|
|
* size_t nblocks,
|
|
|
|
* unsigned int nrounds,
|
|
|
|
* unsigned int blkn);
|
|
|
|
*/
|
|
|
|
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_ocb_auth_armv8_ce
|
|
|
|
.type _gcry_aes_ocb_auth_armv8_ce,%function;
|
|
|
|
_gcry_aes_ocb_auth_armv8_ce:
|
|
|
|
/* input:
|
|
|
|
* x0: keysched
|
|
|
|
* x1: abuf
|
|
|
|
* x2: offset => x3
|
|
|
|
* x3: checksum => x4
|
|
|
|
* x4: Ltable => x5
|
|
|
|
* x5: nblocks => x6 (0 < nblocks <= 32)
|
|
|
|
* w6: nrounds => w7
|
|
|
|
* w7: blkn => w12
|
|
|
|
*/
|
|
|
|
mov x12, x7
|
|
|
|
mov x7, x6
|
|
|
|
mov x6, x5
|
|
|
|
mov x5, x4
|
|
|
|
mov x4, x3
|
|
|
|
mov x3, x2
|
|
|
|
|
|
|
|
aes_preload_keys(x0, w7);
|
|
|
|
|
|
|
|
ld1 {v0.16b}, [x3] /* load offset */
|
|
|
|
ld1 {v16.16b}, [x4] /* load checksum */
|
|
|
|
|
|
|
|
beq .Locb_auth_entry_192
|
|
|
|
bhi .Locb_auth_entry_256
|
|
|
|
|
|
|
|
#define OCB_AUTH(bits) \
|
|
|
|
.Locb_auth_entry_##bits: \
|
|
|
|
cmp x6, #4; \
|
|
|
|
add w12, w12, #1; \
|
|
|
|
b.lo .Locb_auth_loop_##bits; \
|
|
|
|
\
|
|
|
|
.Locb_auth_loop4_##bits: \
|
|
|
|
\
|
|
|
|
/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
|
|
|
|
/* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \
|
|
|
|
\
|
|
|
|
add w9, w12, #1; \
|
|
|
|
add w10, w12, #2; \
|
|
|
|
add w11, w12, #3; \
|
|
|
|
rbit w8, w12; \
|
|
|
|
add w12, w12, #4; \
|
|
|
|
rbit w9, w9; \
|
|
|
|
rbit w10, w10; \
|
|
|
|
rbit w11, w11; \
|
|
|
|
clz w8, w8; /* ntz(i+0) */ \
|
|
|
|
clz w9, w9; /* ntz(i+1) */ \
|
|
|
|
clz w10, w10; /* ntz(i+2) */ \
|
|
|
|
clz w11, w11; /* ntz(i+3) */ \
|
|
|
|
add x8, x5, x8, lsl #4; \
|
|
|
|
ld1 {v1.16b-v4.16b}, [x1], #64; /* load A_i+<0-3> */ \
|
|
|
|
add x9, x5, x9, lsl #4; \
|
|
|
|
add x10, x5, x10, lsl #4; \
|
|
|
|
add x11, x5, x11, lsl #4; \
|
|
|
|
\
|
|
|
|
sub x6, x6, #4; \
|
|
|
|
\
|
|
|
|
ld1 {v5.16b}, [x8]; /* load L_{ntz(i+0)} */ \
|
|
|
|
ld1 {v6.16b}, [x9]; /* load L_{ntz(i+1)} */ \
|
|
|
|
ld1 {v7.16b}, [x10]; /* load L_{ntz(i+2)} */ \
|
|
|
|
eor v5.16b, v5.16b, v0.16b; /* Offset_i+0 */ \
|
|
|
|
ld1 {v0.16b}, [x11]; /* load L_{ntz(i+3)} */ \
|
|
|
|
eor v6.16b, v6.16b, v5.16b; /* Offset_i+1 */ \
|
|
|
|
eor v1.16b, v1.16b, v5.16b; /* A_i+0 xor Offset_i+0 */ \
|
|
|
|
eor v7.16b, v7.16b, v6.16b; /* Offset_i+2 */ \
|
|
|
|
eor v2.16b, v2.16b, v6.16b; /* A_i+1 xor Offset_i+1 */ \
|
|
|
|
eor v0.16b, v0.16b, v7.16b; /* Offset_i+3 */ \
|
|
|
|
cmp x6, #4; \
|
|
|
|
eor v3.16b, v3.16b, v7.16b; /* A_i+2 xor Offset_i+2 */ \
|
|
|
|
eor v4.16b, v4.16b, v0.16b; /* A_i+3 xor Offset_i+3 */ \
|
|
|
|
\
|
|
|
|
do_aes_4_##bits(e, mc, v1, v2, v3, v4); \
|
|
|
|
\
|
|
|
|
eor v1.16b, v1.16b, v2.16b; \
|
|
|
|
eor v16.16b, v16.16b, v3.16b; \
|
|
|
|
eor v1.16b, v1.16b, v4.16b; \
|
|
|
|
eor v16.16b, v16.16b, v1.16b; \
|
|
|
|
\
|
|
|
|
b.hs .Locb_auth_loop4_##bits; \
|
|
|
|
CLEAR_REG(v3); \
|
|
|
|
CLEAR_REG(v4); \
|
|
|
|
CLEAR_REG(v5); \
|
|
|
|
CLEAR_REG(v6); \
|
|
|
|
CLEAR_REG(v7); \
|
|
|
|
cbz x6, .Locb_auth_done; \
|
|
|
|
\
|
|
|
|
.Locb_auth_loop_##bits: \
|
|
|
|
\
|
|
|
|
/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
|
|
|
|
/* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \
|
|
|
|
\
|
|
|
|
rbit w8, w12; \
|
|
|
|
add w12, w12, #1; \
|
|
|
|
clz w8, w8; /* ntz(i) */ \
|
|
|
|
add x8, x5, x8, lsl #4; \
|
|
|
|
\
|
|
|
|
ld1 {v1.16b}, [x1], #16; /* load aadtext */ \
|
|
|
|
ld1 {v2.16b}, [x8]; /* load L_{ntz(i)} */ \
|
|
|
|
sub x6, x6, #1; \
|
|
|
|
eor v0.16b, v0.16b, v2.16b; \
|
|
|
|
eor v1.16b, v1.16b, v0.16b; \
|
|
|
|
\
|
|
|
|
do_aes_one##bits(e, mc, v1, v1) \
|
|
|
|
\
|
|
|
|
eor v16.16b, v16.16b, v1.16b; \
|
|
|
|
\
|
|
|
|
cbnz x6, .Locb_auth_loop_##bits; \
|
|
|
|
b .Locb_auth_done;
|
|
|
|
|
|
|
|
OCB_AUTH(128)
|
|
|
|
OCB_AUTH(192)
|
|
|
|
OCB_AUTH(256)
|
|
|
|
|
|
|
|
#undef OCB_AUTH
|
|
|
|
|
|
|
|
.Locb_auth_done:
|
|
|
|
aes_clear_keys(w7)
|
|
|
|
|
|
|
|
st1 {v16.16b}, [x4] /* store checksum */
|
|
|
|
st1 {v0.16b}, [x3] /* store offset */
|
|
|
|
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
CLEAR_REG(v1)
|
|
|
|
CLEAR_REG(v2)
|
|
|
|
CLEAR_REG(v16)
|
|
|
|
|
|
|
|
ret
|
|
|
|
.size _gcry_aes_ocb_auth_armv8_ce,.-_gcry_aes_ocb_auth_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* u32 _gcry_aes_sbox4_armv8_ce(u32 in4b);
|
|
|
|
*/
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_sbox4_armv8_ce
|
|
|
|
.type _gcry_aes_sbox4_armv8_ce,%function;
|
|
|
|
_gcry_aes_sbox4_armv8_ce:
|
2019-08-30 12:47:23 +03:00
|
|
|
/* See "Gouvêa, C. P. L. & López, J. Implementing GCM on ARMv8. Topics in
|
|
|
|
* Cryptology — CT-RSA 2015" for details.
|
2019-07-09 00:08:04 +03:00
|
|
|
*/
|
|
|
|
movi v0.16b, #0x52
|
|
|
|
movi v1.16b, #0
|
|
|
|
mov v0.S[0], w0
|
|
|
|
aese v0.16b, v1.16b
|
|
|
|
addv s0, v0.4s
|
|
|
|
mov w0, v0.S[0]
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
ret
|
|
|
|
.size _gcry_aes_sbox4_armv8_ce,.-_gcry_aes_sbox4_armv8_ce;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* void _gcry_aes_invmixcol_armv8_ce(void *dst, const void *src);
|
|
|
|
*/
|
|
|
|
.align 3
|
|
|
|
.globl _gcry_aes_invmixcol_armv8_ce
|
|
|
|
.type _gcry_aes_invmixcol_armv8_ce,%function;
|
|
|
|
_gcry_aes_invmixcol_armv8_ce:
|
|
|
|
ld1 {v0.16b}, [x1]
|
|
|
|
aesimc v0.16b, v0.16b
|
|
|
|
st1 {v0.16b}, [x0]
|
|
|
|
CLEAR_REG(v0)
|
|
|
|
ret
|
|
|
|
.size _gcry_aes_invmixcol_armv8_ce,.-_gcry_aes_invmixcol_armv8_ce;
|
|
|
|
|
|
|
|
#endif
|