Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / rust / crates / ring / refs/heads/int/12/fp4 / . / pregenerated / vpaes-armv7-ios32.S
blob: 10ca84ec566913e7d0beca596c73e945c4502e51 [file] [log] [blame]
Jeff Vander Stoep39e02b12020-12-04 13:57:34 +0100[diff] [blame]1// This file is generated from a similarly-named Perl script in the BoringSSL
2// source tree. Do not edit by hand.
3
4#if !defined(__has_feature)
5#define __has_feature(x) 0
6#endif
7#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
8#define OPENSSL_NO_ASM
9#endif
10
11#if !defined(OPENSSL_NO_ASM)
12.syntax unified
13
14
15
16
17#if defined(__thumb2__)
18.thumb
19#else
20.code 32
21#endif
22
23.text
24
25
26.align 7 @ totally strategic alignment
27_vpaes_consts:
28Lk_mc_forward:@ mc_forward
29.quad 0x0407060500030201, 0x0C0F0E0D080B0A09
30.quad 0x080B0A0904070605, 0x000302010C0F0E0D
31.quad 0x0C0F0E0D080B0A09, 0x0407060500030201
32.quad 0x000302010C0F0E0D, 0x080B0A0904070605
33Lk_mc_backward:@ mc_backward
34.quad 0x0605040702010003, 0x0E0D0C0F0A09080B
35.quad 0x020100030E0D0C0F, 0x0A09080B06050407
36.quad 0x0E0D0C0F0A09080B, 0x0605040702010003
37.quad 0x0A09080B06050407, 0x020100030E0D0C0F
38Lk_sr:@ sr
39.quad 0x0706050403020100, 0x0F0E0D0C0B0A0908
40.quad 0x030E09040F0A0500, 0x0B06010C07020D08
41.quad 0x0F060D040B020900, 0x070E050C030A0108
42.quad 0x0B0E0104070A0D00, 0x0306090C0F020508
43
44@
45@ "Hot" constants
46@
47Lk_inv:@ inv, inva
48.quad 0x0E05060F0D080180, 0x040703090A0B0C02
49.quad 0x01040A060F0B0780, 0x030D0E0C02050809
50Lk_ipt:@ input transform (lo, hi)
51.quad 0xC2B2E8985A2A7000, 0xCABAE09052227808
52.quad 0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81
53Lk_sbo:@ sbou, sbot
54.quad 0xD0D26D176FBDC700, 0x15AABF7AC502A878
55.quad 0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA
56Lk_sb1:@ sb1u, sb1t
57.quad 0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF
58.quad 0xB19BE18FCB503E00, 0xA5DF7A6E142AF544
59Lk_sb2:@ sb2u, sb2t
60.quad 0x69EB88400AE12900, 0xC2A163C8AB82234A
61.quad 0xE27A93C60B712400, 0x5EB7E955BC982FCD
62
63.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,65,82,77,118,55,32,78,69,79,78,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0
64.align 2
65
66.align 6
67@@
68@@ _aes_preheat
69@@
70@@ Fills q9-q15 as specified below.
71@@
72#ifdef __thumb2__
73.thumb_func _vpaes_preheat
74#endif
75.align 4
76_vpaes_preheat:
77 adr r10, Lk_inv
78 vmov.i8 q9, #0x0f @ Lk_s0F
79 vld1.64 {q10,q11}, [r10]! @ Lk_inv
80 add r10, r10, #64 @ Skip Lk_ipt, Lk_sbo
81 vld1.64 {q12,q13}, [r10]! @ Lk_sb1
82 vld1.64 {q14,q15}, [r10] @ Lk_sb2
83 bx lr
84
85@@
86@@ _aes_encrypt_core
87@@
88@@ AES-encrypt q0.
89@@
90@@ Inputs:
91@@ q0 = input
92@@ q9-q15 as in _vpaes_preheat
93@@ [r2] = scheduled keys
94@@
95@@ Output in q0
96@@ Clobbers q1-q5, r8-r11
97@@ Preserves q6-q8 so you get some local vectors
98@@
99@@
100#ifdef __thumb2__
101.thumb_func _vpaes_encrypt_core
102#endif
103.align 4
104_vpaes_encrypt_core:
105 mov r9, r2
106 ldr r8, [r2,#240] @ pull rounds
107 adr r11, Lk_ipt
108 @ vmovdqa .Lk_ipt(%rip), %xmm2 # iptlo
109 @ vmovdqa .Lk_ipt+16(%rip), %xmm3 # ipthi
110 vld1.64 {q2, q3}, [r11]
111 adr r11, Lk_mc_forward+16
112 vld1.64 {q5}, [r9]! @ vmovdqu (%r9), %xmm5 # round0 key
113 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1
114 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0
115 vtbl.8 d2, {q2}, d2 @ vpshufb %xmm1, %xmm2, %xmm1
116 vtbl.8 d3, {q2}, d3
117 vtbl.8 d4, {q3}, d0 @ vpshufb %xmm0, %xmm3, %xmm2
118 vtbl.8 d5, {q3}, d1
119 veor q0, q1, q5 @ vpxor %xmm5, %xmm1, %xmm0
120 veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0
121
122 @ .Lenc_entry ends with a bnz instruction which is normally paired with
123 @ subs in .Lenc_loop.
124 tst r8, r8
125 b Lenc_entry
126
127.align 4
128Lenc_loop:
129 @ middle of middle round
130 add r10, r11, #0x40
131 vtbl.8 d8, {q13}, d4 @ vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u
132 vtbl.8 d9, {q13}, d5
133 vld1.64 {q1}, [r11]! @ vmovdqa -0x40(%r11,%r10), %xmm1 # Lk_mc_forward[]
134 vtbl.8 d0, {q12}, d6 @ vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t
135 vtbl.8 d1, {q12}, d7
136 veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
137 vtbl.8 d10, {q15}, d4 @ vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u
138 vtbl.8 d11, {q15}, d5
139 veor q0, q0, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = A
140 vtbl.8 d4, {q14}, d6 @ vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t
141 vtbl.8 d5, {q14}, d7
142 vld1.64 {q4}, [r10] @ vmovdqa (%r11,%r10), %xmm4 # Lk_mc_backward[]
143 vtbl.8 d6, {q0}, d2 @ vpshufb %xmm1, %xmm0, %xmm3 # 0 = B
144 vtbl.8 d7, {q0}, d3
145 veor q2, q2, q5 @ vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A
146 @ Write to q5 instead of q0, so the table and destination registers do
147 @ not overlap.
148 vtbl.8 d10, {q0}, d8 @ vpshufb %xmm4, %xmm0, %xmm0 # 3 = D
149 vtbl.8 d11, {q0}, d9
150 veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B
151 vtbl.8 d8, {q3}, d2 @ vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C
152 vtbl.8 d9, {q3}, d3
153 @ Here we restore the original q0/q5 usage.
154 veor q0, q5, q3 @ vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D
155 and r11, r11, #~(1<<6) @ and $0x30, %r11 # ... mod 4
156 veor q0, q0, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D
157 subs r8, r8, #1 @ nr--
158
159Lenc_entry:
160 @ top of round
161 vand q1, q0, q9 @ vpand %xmm0, %xmm9, %xmm1 # 0 = k
162 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i
163 vtbl.8 d10, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k
164 vtbl.8 d11, {q11}, d3
165 veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j
166 vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
167 vtbl.8 d7, {q10}, d1
168 vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
169 vtbl.8 d9, {q10}, d3
170 veor q3, q3, q5 @ vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
171 veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
172 vtbl.8 d4, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
173 vtbl.8 d5, {q10}, d7
174 vtbl.8 d6, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
175 vtbl.8 d7, {q10}, d9
176 veor q2, q2, q1 @ vpxor %xmm1, %xmm2, %xmm2 # 2 = io
177 veor q3, q3, q0 @ vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
178 vld1.64 {q5}, [r9]! @ vmovdqu (%r9), %xmm5
179 bne Lenc_loop
180
181 @ middle of last round
182 add r10, r11, #0x80
183
184 adr r11, Lk_sbo
185 @ Read to q1 instead of q4, so the vtbl.8 instruction below does not
186 @ overlap table and destination registers.
187 vld1.64 {q1}, [r11]! @ vmovdqa -0x60(%r10), %xmm4 # 3 : sbou
188 vld1.64 {q0}, [r11] @ vmovdqa -0x50(%r10), %xmm0 # 0 : sbot Lk_sbo+16
189 vtbl.8 d8, {q1}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
190 vtbl.8 d9, {q1}, d5
191 vld1.64 {q1}, [r10] @ vmovdqa 0x40(%r11,%r10), %xmm1 # Lk_sr[]
192 @ Write to q2 instead of q0 below, to avoid overlapping table and
193 @ destination registers.
194 vtbl.8 d4, {q0}, d6 @ vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t
195 vtbl.8 d5, {q0}, d7
196 veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
197 veor q2, q2, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = A
198 @ Here we restore the original q0/q2 usage.
199 vtbl.8 d0, {q2}, d2 @ vpshufb %xmm1, %xmm0, %xmm0
200 vtbl.8 d1, {q2}, d3
201 bx lr
202
203
204.globl _GFp_vpaes_encrypt
205.private_extern _GFp_vpaes_encrypt
206#ifdef __thumb2__
207.thumb_func _GFp_vpaes_encrypt
208#endif
209.align 4
210_GFp_vpaes_encrypt:
211 @ _vpaes_encrypt_core uses r8-r11. Round up to r7-r11 to maintain stack
212 @ alignment.
213 stmdb sp!, {r7,r8,r9,r10,r11,lr}
214 @ _vpaes_encrypt_core uses q4-q5 (d8-d11), which are callee-saved.
215 vstmdb sp!, {d8,d9,d10,d11}
216
217 vld1.64 {q0}, [r0]
218 bl _vpaes_preheat
219 bl _vpaes_encrypt_core
220 vst1.64 {q0}, [r1]
221
222 vldmia sp!, {d8,d9,d10,d11}
223 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return
224
225@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
226@@ @@
227@@ AES key schedule @@
228@@ @@
229@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
230
231@ This function diverges from both x86_64 and armv7 in which constants are
232@ pinned. x86_64 has a common preheat function for all operations. aarch64
233@ separates them because it has enough registers to pin nearly all constants.
234@ armv7 does not have enough registers, but needing explicit loads and stores
235@ also complicates using x86_64's register allocation directly.
236@
237@ We pin some constants for convenience and leave q14 and q15 free to load
238@ others on demand.
239
240@
241@ Key schedule constants
242@
243
244.align 4
245_vpaes_key_consts:
246Lk_rcon:@ rcon
247.quad 0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81
248
249Lk_opt:@ output transform
250.quad 0xFF9F4929D6B66000, 0xF7974121DEBE6808
251.quad 0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0
252Lk_deskew:@ deskew tables: inverts the sbox's "skew"
253.quad 0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A
254.quad 0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77
255
256
257#ifdef __thumb2__
258.thumb_func _vpaes_key_preheat
259#endif
260.align 4
261_vpaes_key_preheat:
262 adr r11, Lk_rcon
263 vmov.i8 q12, #0x5b @ Lk_s63
264 adr r10, Lk_inv @ Must be aligned to 8 mod 16.
265 vmov.i8 q9, #0x0f @ Lk_s0F
266 vld1.64 {q10,q11}, [r10] @ Lk_inv
267 vld1.64 {q8}, [r11] @ Lk_rcon
268 bx lr
269
270
271#ifdef __thumb2__
272.thumb_func _vpaes_schedule_core
273#endif
274.align 4
275_vpaes_schedule_core:
276 @ We only need to save lr, but ARM requires an 8-byte stack alignment,
277 @ so save an extra register.
278 stmdb sp!, {r3,lr}
279
280 bl _vpaes_key_preheat @ load the tables
281
282 adr r11, Lk_ipt @ Must be aligned to 8 mod 16.
283 vld1.64 {q0}, [r0]! @ vmovdqu (%rdi), %xmm0 # load key (unaligned)
284
285 @ input transform
286 @ Use q4 here rather than q3 so .Lschedule_am_decrypting does not
287 @ overlap table and destination.
288 vmov q4, q0 @ vmovdqa %xmm0, %xmm3
289 bl _vpaes_schedule_transform
290 adr r10, Lk_sr @ Must be aligned to 8 mod 16.
291 vmov q7, q0 @ vmovdqa %xmm0, %xmm7
292
293 add r8, r8, r10
294
295 @ encrypting, output zeroth round key after transform
296 vst1.64 {q0}, [r2] @ vmovdqu %xmm0, (%rdx)
297
298 @ *ring*: Decryption removed.
299
300Lschedule_go:
301 cmp r1, #192 @ cmp $192, %esi
302 bhi Lschedule_256
303 @ 128: fall though
304
305@@
306@@ .schedule_128
307@@
308@@ 128-bit specific part of key schedule.
309@@
310@@ This schedule is really simple, because all its parts
311@@ are accomplished by the subroutines.
312@@
313Lschedule_128:
314 mov r0, #10 @ mov $10, %esi
315
316Loop_schedule_128:
317 bl _vpaes_schedule_round
318 subs r0, r0, #1 @ dec %esi
319 beq Lschedule_mangle_last
320 bl _vpaes_schedule_mangle @ write output
321 b Loop_schedule_128
322
323@@
324@@ .aes_schedule_256
325@@
326@@ 256-bit specific part of key schedule.
327@@
328@@ The structure here is very similar to the 128-bit
329@@ schedule, but with an additional "low side" in
330@@ q6. The low side's rounds are the same as the
331@@ high side's, except no rcon and no rotation.
332@@
333.align 4
334Lschedule_256:
335 vld1.64 {q0}, [r0] @ vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned)
336 bl _vpaes_schedule_transform @ input transform
337 mov r0, #7 @ mov $7, %esi
338
339Loop_schedule_256:
340 bl _vpaes_schedule_mangle @ output low result
341 vmov q6, q0 @ vmovdqa %xmm0, %xmm6 # save cur_lo in xmm6
342
343 @ high round
344 bl _vpaes_schedule_round
345 subs r0, r0, #1 @ dec %esi
346 beq Lschedule_mangle_last
347 bl _vpaes_schedule_mangle
348
349 @ low round. swap xmm7 and xmm6
350 vdup.32 q0, d1[1] @ vpshufd $0xFF, %xmm0, %xmm0
351 vmov.i8 q4, #0
352 vmov q5, q7 @ vmovdqa %xmm7, %xmm5
353 vmov q7, q6 @ vmovdqa %xmm6, %xmm7
354 bl _vpaes_schedule_low_round
355 vmov q7, q5 @ vmovdqa %xmm5, %xmm7
356
357 b Loop_schedule_256
358
359@@
360@@ .aes_schedule_mangle_last
361@@
362@@ Mangler for last round of key schedule
363@@ Mangles q0
364@@ when encrypting, outputs out(q0) ^ 63
365@@ when decrypting, outputs unskew(q0)
366@@
367@@ Always called right before return... jumps to cleanup and exits
368@@
369.align 4
370Lschedule_mangle_last:
371 @ schedule last round key from xmm0
372 adr r11, Lk_deskew @ lea Lk_deskew(%rip),%r11 # prepare to deskew
373
374 @ encrypting
375 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10),%xmm1
376 adr r11, Lk_opt @ lea Lk_opt(%rip), %r11 # prepare to output transform
377 add r2, r2, #32 @ add $32, %rdx
378 vmov q2, q0
379 vtbl.8 d0, {q2}, d2 @ vpshufb %xmm1, %xmm0, %xmm0 # output permute
380 vtbl.8 d1, {q2}, d3
381
382Lschedule_mangle_last_dec:
383 sub r2, r2, #16 @ add $-16, %rdx
384 veor q0, q0, q12 @ vpxor Lk_s63(%rip), %xmm0, %xmm0
385 bl _vpaes_schedule_transform @ output transform
386 vst1.64 {q0}, [r2] @ vmovdqu %xmm0, (%rdx) # save last key
387
388 @ cleanup
389 veor q0, q0, q0 @ vpxor %xmm0, %xmm0, %xmm0
390 veor q1, q1, q1 @ vpxor %xmm1, %xmm1, %xmm1
391 veor q2, q2, q2 @ vpxor %xmm2, %xmm2, %xmm2
392 veor q3, q3, q3 @ vpxor %xmm3, %xmm3, %xmm3
393 veor q4, q4, q4 @ vpxor %xmm4, %xmm4, %xmm4
394 veor q5, q5, q5 @ vpxor %xmm5, %xmm5, %xmm5
395 veor q6, q6, q6 @ vpxor %xmm6, %xmm6, %xmm6
396 veor q7, q7, q7 @ vpxor %xmm7, %xmm7, %xmm7
397 ldmia sp!, {r3,pc} @ return
398
399
400@@
401@@ .aes_schedule_round
402@@
403@@ Runs one main round of the key schedule on q0, q7
404@@
405@@ Specifically, runs subbytes on the high dword of q0
406@@ then rotates it by one byte and xors into the low dword of
407@@ q7.
408@@
409@@ Adds rcon from low byte of q8, then rotates q8 for
410@@ next rcon.
411@@
412@@ Smears the dwords of q7 by xoring the low into the
413@@ second low, result into third, result into highest.
414@@
415@@ Returns results in q7 = q0.
416@@ Clobbers q1-q4, r11.
417@@
418#ifdef __thumb2__
419.thumb_func _vpaes_schedule_round
420#endif
421.align 4
422_vpaes_schedule_round:
423 @ extract rcon from xmm8
424 vmov.i8 q4, #0 @ vpxor %xmm4, %xmm4, %xmm4
425 vext.8 q1, q8, q4, #15 @ vpalignr $15, %xmm8, %xmm4, %xmm1
426 vext.8 q8, q8, q8, #15 @ vpalignr $15, %xmm8, %xmm8, %xmm8
427 veor q7, q7, q1 @ vpxor %xmm1, %xmm7, %xmm7
428
429 @ rotate
430 vdup.32 q0, d1[1] @ vpshufd $0xFF, %xmm0, %xmm0
431 vext.8 q0, q0, q0, #1 @ vpalignr $1, %xmm0, %xmm0, %xmm0
432
433 @ fall through...
434
435 @ low round: same as high round, but no rotation and no rcon.
436_vpaes_schedule_low_round:
437 @ The x86_64 version pins .Lk_sb1 in %xmm13 and .Lk_sb1+16 in %xmm12.
438 @ We pin other values in _vpaes_key_preheat, so load them now.
439 adr r11, Lk_sb1
440 vld1.64 {q14,q15}, [r11]
441
442 @ smear xmm7
443 vext.8 q1, q4, q7, #12 @ vpslldq $4, %xmm7, %xmm1
444 veor q7, q7, q1 @ vpxor %xmm1, %xmm7, %xmm7
445 vext.8 q4, q4, q7, #8 @ vpslldq $8, %xmm7, %xmm4
446
447 @ subbytes
448 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 # 0 = k
449 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i
450 veor q7, q7, q4 @ vpxor %xmm4, %xmm7, %xmm7
451 vtbl.8 d4, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
452 vtbl.8 d5, {q11}, d3
453 veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j
454 vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
455 vtbl.8 d7, {q10}, d1
456 veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
457 vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
458 vtbl.8 d9, {q10}, d3
459 veor q7, q7, q12 @ vpxor Lk_s63(%rip), %xmm7, %xmm7
460 vtbl.8 d6, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm3 # 2 = 1/iak
461 vtbl.8 d7, {q10}, d7
462 veor q4, q4, q2 @ vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
463 vtbl.8 d4, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm2 # 3 = 1/jak
464 vtbl.8 d5, {q10}, d9
465 veor q3, q3, q1 @ vpxor %xmm1, %xmm3, %xmm3 # 2 = io
466 veor q2, q2, q0 @ vpxor %xmm0, %xmm2, %xmm2 # 3 = jo
467 vtbl.8 d8, {q15}, d6 @ vpshufb %xmm3, %xmm13, %xmm4 # 4 = sbou
468 vtbl.8 d9, {q15}, d7
469 vtbl.8 d2, {q14}, d4 @ vpshufb %xmm2, %xmm12, %xmm1 # 0 = sb1t
470 vtbl.8 d3, {q14}, d5
471 veor q1, q1, q4 @ vpxor %xmm4, %xmm1, %xmm1 # 0 = sbox output
472
473 @ add in smeared stuff
474 veor q0, q1, q7 @ vpxor %xmm7, %xmm1, %xmm0
475 veor q7, q1, q7 @ vmovdqa %xmm0, %xmm7
476 bx lr
477
478
479@@
480@@ .aes_schedule_transform
481@@
482@@ Linear-transform q0 according to tables at [r11]
483@@
484@@ Requires that q9 = 0x0F0F... as in preheat
485@@ Output in q0
486@@ Clobbers q1, q2, q14, q15
487@@
488#ifdef __thumb2__
489.thumb_func _vpaes_schedule_transform
490#endif
491.align 4
492_vpaes_schedule_transform:
493 vld1.64 {q14,q15}, [r11] @ vmovdqa (%r11), %xmm2 # lo
494 @ vmovdqa 16(%r11), %xmm1 # hi
495 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1
496 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0
497 vtbl.8 d4, {q14}, d2 @ vpshufb %xmm1, %xmm2, %xmm2
498 vtbl.8 d5, {q14}, d3
499 vtbl.8 d0, {q15}, d0 @ vpshufb %xmm0, %xmm1, %xmm0
500 vtbl.8 d1, {q15}, d1
501 veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0
502 bx lr
503
504
505@@
506@@ .aes_schedule_mangle
507@@
508@@ Mangles q0 from (basis-transformed) standard version
509@@ to our version.
510@@
511@@ On encrypt,
512@@ xor with 0x63
513@@ multiply by circulant 0,1,1,1
514@@ apply shiftrows transform
515@@
516@@ On decrypt,
517@@ xor with 0x63
518@@ multiply by "inverse mixcolumns" circulant E,B,D,9
519@@ deskew
520@@ apply shiftrows transform
521@@
522@@
523@@ Writes out to [r2], and increments or decrements it
524@@ Keeps track of round number mod 4 in r8
525@@ Preserves q0
526@@ Clobbers q1-q5
527@@
528#ifdef __thumb2__
529.thumb_func _vpaes_schedule_mangle
530#endif
531.align 4
532_vpaes_schedule_mangle:
533 tst r3, r3
534 vmov q4, q0 @ vmovdqa %xmm0, %xmm4 # save xmm0 for later
535 adr r11, Lk_mc_forward @ Must be aligned to 8 mod 16.
536 vld1.64 {q5}, [r11] @ vmovdqa Lk_mc_forward(%rip),%xmm5
537
538 @ encrypting
539 @ Write to q2 so we do not overlap table and destination below.
540 veor q2, q0, q12 @ vpxor Lk_s63(%rip), %xmm0, %xmm4
541 add r2, r2, #16 @ add $16, %rdx
542 vtbl.8 d8, {q2}, d10 @ vpshufb %xmm5, %xmm4, %xmm4
543 vtbl.8 d9, {q2}, d11
544 vtbl.8 d2, {q4}, d10 @ vpshufb %xmm5, %xmm4, %xmm1
545 vtbl.8 d3, {q4}, d11
546 vtbl.8 d6, {q1}, d10 @ vpshufb %xmm5, %xmm1, %xmm3
547 vtbl.8 d7, {q1}, d11
548 veor q4, q4, q1 @ vpxor %xmm1, %xmm4, %xmm4
549 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1
550 veor q3, q3, q4 @ vpxor %xmm4, %xmm3, %xmm3
551
552Lschedule_mangle_both:
553 @ Write to q2 so table and destination do not overlap.
554 vtbl.8 d4, {q3}, d2 @ vpshufb %xmm1, %xmm3, %xmm3
555 vtbl.8 d5, {q3}, d3
556 add r8, r8, #64-16 @ add $-16, %r8
557 and r8, r8, #~(1<<6) @ and $0x30, %r8
558 vst1.64 {q2}, [r2] @ vmovdqu %xmm3, (%rdx)
559 bx lr
560
561
562.globl _GFp_vpaes_set_encrypt_key
563.private_extern _GFp_vpaes_set_encrypt_key
564#ifdef __thumb2__
565.thumb_func _GFp_vpaes_set_encrypt_key
566#endif
567.align 4
568_GFp_vpaes_set_encrypt_key:
569 stmdb sp!, {r7,r8,r9,r10,r11, lr}
570 vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15}
571
572 lsr r9, r1, #5 @ shr $5,%eax
573 add r9, r9, #5 @ $5,%eax
574 str r9, [r2,#240] @ mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5;
575
576 mov r3, #0 @ mov $0,%ecx
577 mov r8, #0x30 @ mov $0x30,%r8d
578 bl _vpaes_schedule_core
579 eor r0, r0, r0
580
581 vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15}
582 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return
583
584
585@ Additional constants for converting to bsaes.
586
587.align 4
588_vpaes_convert_consts:
589@ .Lk_opt_then_skew applies skew(opt(x)) XOR 0x63, where skew is the linear
590@ transform in the AES S-box. 0x63 is incorporated into the low half of the
591@ table. This was computed with the following script:
592@
593@ def u64s_to_u128(x, y):
594@ return x | (y << 64)
595@ def u128_to_u64s(w):
596@ return w & ((1<<64)-1), w >> 64
597@ def get_byte(w, i):
598@ return (w >> (i*8)) & 0xff
599@ def apply_table(table, b):
600@ lo = b & 0xf
601@ hi = b >> 4
602@ return get_byte(table[0], lo) ^ get_byte(table[1], hi)
603@ def opt(b):
604@ table = [
605@ u64s_to_u128(0xFF9F4929D6B66000, 0xF7974121DEBE6808),
606@ u64s_to_u128(0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0),
607@ ]
608@ return apply_table(table, b)
609@ def rot_byte(b, n):
610@ return 0xff & ((b << n) | (b >> (8-n)))
611@ def skew(x):
612@ return (x ^ rot_byte(x, 1) ^ rot_byte(x, 2) ^ rot_byte(x, 3) ^
613@ rot_byte(x, 4))
614@ table = [0, 0]
615@ for i in range(16):
616@ table[0] |= (skew(opt(i)) ^ 0x63) << (i*8)
617@ table[1] |= skew(opt(i<<4)) << (i*8)
618@ print(" .quad 0x%016x, 0x%016x" % u128_to_u64s(table[0]))
619@ print(" .quad 0x%016x, 0x%016x" % u128_to_u64s(table[1]))
620Lk_opt_then_skew:
621.quad 0x9cb8436798bc4763, 0x6440bb9f6044bf9b
622.quad 0x1f30062936192f00, 0xb49bad829db284ab
623
624@ void GFp_vpaes_encrypt_key_to_bsaes(AES_KEY *bsaes, const AES_KEY *vpaes);
625.globl _GFp_vpaes_encrypt_key_to_bsaes
626.private_extern _GFp_vpaes_encrypt_key_to_bsaes
627#ifdef __thumb2__
628.thumb_func _GFp_vpaes_encrypt_key_to_bsaes
629#endif
630.align 4
631_GFp_vpaes_encrypt_key_to_bsaes:
632 stmdb sp!, {r11, lr}
633
634 @ See _vpaes_schedule_core for the key schedule logic. In particular,
635 @ _vpaes_schedule_transform(.Lk_ipt) (section 2.2 of the paper),
636 @ _vpaes_schedule_mangle (section 4.3), and .Lschedule_mangle_last
637 @ contain the transformations not in the bsaes representation. This
638 @ function inverts those transforms.
639 @
640 @ Note also that bsaes-armv7.pl expects aes-armv4.pl's key
641 @ representation, which does not match the other aes_nohw_*
642 @ implementations. The ARM aes_nohw_* stores each 32-bit word
643 @ byteswapped, as a convenience for (unsupported) big-endian ARM, at the
644 @ cost of extra REV and VREV32 operations in little-endian ARM.
645
646 vmov.i8 q9, #0x0f @ Required by _vpaes_schedule_transform
647 adr r2, Lk_mc_forward @ Must be aligned to 8 mod 16.
648 add r3, r2, 0x90 @ Lk_sr+0x10-Lk_mc_forward = 0x90 (Apple's toolchain doesn't support the expression)
649
650 vld1.64 {q12}, [r2]
651 vmov.i8 q10, #0x5b @ Lk_s63 from vpaes-x86_64
652 adr r11, Lk_opt @ Must be aligned to 8 mod 16.
653 vmov.i8 q11, #0x63 @ LK_s63 without Lk_ipt applied
654
655 @ vpaes stores one fewer round count than bsaes, but the number of keys
656 @ is the same.
657 ldr r2, [r1,#240]
658 add r2, r2, #1
659 str r2, [r0,#240]
660
661 @ The first key is transformed with _vpaes_schedule_transform(.Lk_ipt).
662 @ Invert this with .Lk_opt.
663 vld1.64 {q0}, [r1]!
664 bl _vpaes_schedule_transform
665 vrev32.8 q0, q0
666 vst1.64 {q0}, [r0]!
667
668 @ The middle keys have _vpaes_schedule_transform(.Lk_ipt) applied,
669 @ followed by _vpaes_schedule_mangle. _vpaes_schedule_mangle XORs 0x63,
670 @ multiplies by the circulant 0,1,1,1, then applies ShiftRows.
671Loop_enc_key_to_bsaes:
672 vld1.64 {q0}, [r1]!
673
674 @ Invert the ShiftRows step (see .Lschedule_mangle_both). Note we cycle
675 @ r3 in the opposite direction and start at .Lk_sr+0x10 instead of 0x30.
676 @ We use r3 rather than r8 to avoid a callee-saved register.
677 vld1.64 {q1}, [r3]
678 vtbl.8 d4, {q0}, d2
679 vtbl.8 d5, {q0}, d3
680 add r3, r3, #16
681 and r3, r3, #~(1<<6)
682 vmov q0, q2
683
684 @ Handle the last key differently.
685 subs r2, r2, #1
686 beq Loop_enc_key_to_bsaes_last
687
688 @ Multiply by the circulant. This is its own inverse.
689 vtbl.8 d2, {q0}, d24
690 vtbl.8 d3, {q0}, d25
691 vmov q0, q1
692 vtbl.8 d4, {q1}, d24
693 vtbl.8 d5, {q1}, d25
694 veor q0, q0, q2
695 vtbl.8 d2, {q2}, d24
696 vtbl.8 d3, {q2}, d25
697 veor q0, q0, q1
698
699 @ XOR and finish.
700 veor q0, q0, q10
701 bl _vpaes_schedule_transform
702 vrev32.8 q0, q0
703 vst1.64 {q0}, [r0]!
704 b Loop_enc_key_to_bsaes
705
706Loop_enc_key_to_bsaes_last:
707 @ The final key does not have a basis transform (note
708 @ .Lschedule_mangle_last inverts the original transform). It only XORs
709 @ 0x63 and applies ShiftRows. The latter was already inverted in the
710 @ loop. Note that, because we act on the original representation, we use
711 @ q11, not q10.
712 veor q0, q0, q11
713 vrev32.8 q0, q0
714 vst1.64 {q0}, [r0]
715
716 @ Wipe registers which contained key material.
717 veor q0, q0, q0
718 veor q1, q1, q1
719 veor q2, q2, q2
720
721 ldmia sp!, {r11, pc} @ return
722
723.globl _GFp_vpaes_ctr32_encrypt_blocks
724.private_extern _GFp_vpaes_ctr32_encrypt_blocks
725#ifdef __thumb2__
726.thumb_func _GFp_vpaes_ctr32_encrypt_blocks
727#endif
728.align 4
729_GFp_vpaes_ctr32_encrypt_blocks:
730 mov ip, sp
731 stmdb sp!, {r7,r8,r9,r10,r11, lr}
732 @ This function uses q4-q7 (d8-d15), which are callee-saved.
733 vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15}
734
735 cmp r2, #0
736 @ r8 is passed on the stack.
737 ldr r8, [ip]
738 beq Lctr32_done
739
740 @ _vpaes_encrypt_core expects the key in r2, so swap r2 and r3.
741 mov r9, r3
742 mov r3, r2
743 mov r2, r9
744
745 @ Load the IV and counter portion.
746 ldr r7, [r8, #12]
747 vld1.8 {q7}, [r8]
748
749 bl _vpaes_preheat
750 rev r7, r7 @ The counter is big-endian.
751
752Lctr32_loop:
753 vmov q0, q7
754 vld1.8 {q6}, [r0]! @ Load input ahead of time
755 bl _vpaes_encrypt_core
756 veor q0, q0, q6 @ XOR input and result
757 vst1.8 {q0}, [r1]!
758 subs r3, r3, #1
759 @ Update the counter.
760 add r7, r7, #1
761 rev r9, r7
762 vmov.32 d15[1], r9
763 bne Lctr32_loop
764
765Lctr32_done:
766 vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15}
767 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return
768
769#endif // !OPENSSL_NO_ASM