mirror of
https://github.com/oxen-io/session-android.git
synced 2025-01-07 17:38:06 +00:00
d83a3d71bc
Merge in RedPhone // FREEBIE
981 lines
20 KiB
Perl
981 lines
20 KiB
Perl
#!/usr/bin/env perl
|
|
#
|
|
# ====================================================================
|
|
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
|
|
# project. The module is, however, dual licensed under OpenSSL and
|
|
# CRYPTOGAMS licenses depending on where you obtain it. For further
|
|
# details see http://www.openssl.org/~appro/cryptogams/.
|
|
# ====================================================================
|
|
#
|
|
# This module implements support for ARMv8 AES instructions. The
|
|
# module is endian-agnostic in sense that it supports both big- and
|
|
# little-endian cases. As does it support both 32- and 64-bit modes
|
|
# of operation. Latter is achieved by limiting amount of utilized
|
|
# registers to 16, which implies additional instructions. This has
|
|
# no effect on mighty Apple A7, as results are literally equal to
|
|
# the theoretical estimates based on instruction latencies and issue
|
|
# rate. It remains to be seen how does it affect other platforms...
|
|
#
|
|
# Performance in cycles per byte processed with 128-bit key:
|
|
#
|
|
# CBC enc CBC dec CTR
|
|
# Apple A7 2.39 1.20 1.20
|
|
# Cortex-A5x n/a n/a n/a
|
|
|
|
$flavour = shift;
|
|
open STDOUT,">".shift;
|
|
|
|
$prefix="aes_v8";
|
|
|
|
$code=<<___;
|
|
#include "arm_arch.h"
|
|
|
|
#if __ARM_ARCH__>=7
|
|
.text
|
|
___
|
|
$code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/);
|
|
$code.=".fpu neon\n.code 32\n" if ($flavour !~ /64/);
|
|
|
|
# Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
|
|
# NEON is mostly 32-bit mnemonics, integer - mostly 64. Goal is to
|
|
# maintain both 32- and 64-bit codes within single module and
|
|
# transliterate common code to either flavour with regex vodoo.
|
|
#
|
|
{{{
|
|
my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
|
|
my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
|
|
$flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));
|
|
|
|
|
|
$code.=<<___;
|
|
.align 5
|
|
rcon:
|
|
.long 0x01,0x01,0x01,0x01
|
|
.long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat
|
|
.long 0x1b,0x1b,0x1b,0x1b
|
|
|
|
.globl ${prefix}_set_encrypt_key
|
|
.type ${prefix}_set_encrypt_key,%function
|
|
.align 5
|
|
${prefix}_set_encrypt_key:
|
|
.Lenc_key:
|
|
___
|
|
$code.=<<___ if ($flavour =~ /64/);
|
|
stp x29,x30,[sp,#-16]!
|
|
add x29,sp,#0
|
|
___
|
|
$code.=<<___;
|
|
adr $ptr,rcon
|
|
cmp $bits,#192
|
|
|
|
veor $zero,$zero,$zero
|
|
vld1.8 {$in0},[$inp],#16
|
|
mov $bits,#8 // reuse $bits
|
|
vld1.32 {$rcon,$mask},[$ptr],#32
|
|
|
|
b.lt .Loop128
|
|
b.eq .L192
|
|
b .L256
|
|
|
|
.align 4
|
|
.Loop128:
|
|
vtbl.8 $key,{$in0},$mask
|
|
vext.8 $tmp,$zero,$in0,#12
|
|
vst1.32 {$in0},[$out],#16
|
|
aese $key,$zero
|
|
subs $bits,$bits,#1
|
|
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $key,$key,$rcon
|
|
veor $in0,$in0,$tmp
|
|
vshl.u8 $rcon,$rcon,#1
|
|
veor $in0,$in0,$key
|
|
b.ne .Loop128
|
|
|
|
vld1.32 {$rcon},[$ptr]
|
|
|
|
vtbl.8 $key,{$in0},$mask
|
|
vext.8 $tmp,$zero,$in0,#12
|
|
vst1.32 {$in0},[$out],#16
|
|
aese $key,$zero
|
|
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $key,$key,$rcon
|
|
veor $in0,$in0,$tmp
|
|
vshl.u8 $rcon,$rcon,#1
|
|
veor $in0,$in0,$key
|
|
|
|
vtbl.8 $key,{$in0},$mask
|
|
vext.8 $tmp,$zero,$in0,#12
|
|
vst1.32 {$in0},[$out],#16
|
|
aese $key,$zero
|
|
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $key,$key,$rcon
|
|
veor $in0,$in0,$tmp
|
|
veor $in0,$in0,$key
|
|
vst1.32 {$in0},[$out]
|
|
add $out,$out,#0x50
|
|
|
|
mov $rounds,#10
|
|
b .Ldone
|
|
|
|
.align 4
|
|
.L192:
|
|
vld1.8 {$in1},[$inp],#8
|
|
vmov.i8 $key,#8 // borrow $key
|
|
vst1.32 {$in0},[$out],#16
|
|
vsub.i8 $mask,$mask,$key // adjust the mask
|
|
|
|
.Loop192:
|
|
vtbl.8 $key,{$in1},$mask
|
|
vext.8 $tmp,$zero,$in0,#12
|
|
vst1.32 {$in1},[$out],#8
|
|
aese $key,$zero
|
|
subs $bits,$bits,#1
|
|
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $in0,$in0,$tmp
|
|
|
|
vdup.32 $tmp,${in0}[3]
|
|
veor $tmp,$tmp,$in1
|
|
veor $key,$key,$rcon
|
|
vext.8 $in1,$zero,$in1,#12
|
|
vshl.u8 $rcon,$rcon,#1
|
|
veor $in1,$in1,$tmp
|
|
veor $in0,$in0,$key
|
|
veor $in1,$in1,$key
|
|
vst1.32 {$in0},[$out],#16
|
|
b.ne .Loop192
|
|
|
|
mov $rounds,#12
|
|
add $out,$out,#0x20
|
|
b .Ldone
|
|
|
|
.align 4
|
|
.L256:
|
|
vld1.8 {$in1},[$inp]
|
|
mov $bits,#7
|
|
mov $rounds,#14
|
|
vst1.32 {$in0},[$out],#16
|
|
|
|
.Loop256:
|
|
vtbl.8 $key,{$in1},$mask
|
|
vext.8 $tmp,$zero,$in0,#12
|
|
vst1.32 {$in1},[$out],#16
|
|
aese $key,$zero
|
|
subs $bits,$bits,#1
|
|
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $in0,$in0,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $key,$key,$rcon
|
|
veor $in0,$in0,$tmp
|
|
vshl.u8 $rcon,$rcon,#1
|
|
veor $in0,$in0,$key
|
|
vst1.32 {$in0},[$out],#16
|
|
b.eq .Ldone
|
|
|
|
vdup.32 $key,${in0}[3] // just splat
|
|
vext.8 $tmp,$zero,$in1,#12
|
|
aese $key,$zero
|
|
|
|
veor $in1,$in1,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $in1,$in1,$tmp
|
|
vext.8 $tmp,$zero,$tmp,#12
|
|
veor $in1,$in1,$tmp
|
|
|
|
veor $in1,$in1,$key
|
|
b .Loop256
|
|
|
|
.Ldone:
|
|
str $rounds,[$out]
|
|
|
|
eor x0,x0,x0 // return value
|
|
`"ldr x29,[sp],#16" if ($flavour =~ /64/)`
|
|
ret
|
|
.size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
|
|
|
|
.globl ${prefix}_set_decrypt_key
|
|
.type ${prefix}_set_decrypt_key,%function
|
|
.align 5
|
|
${prefix}_set_decrypt_key:
|
|
___
|
|
$code.=<<___ if ($flavour =~ /64/);
|
|
stp x29,x30,[sp,#-16]!
|
|
add x29,sp,#0
|
|
___
|
|
$code.=<<___ if ($flavour !~ /64/);
|
|
stmdb sp!,{r4,lr}
|
|
___
|
|
$code.=<<___;
|
|
bl .Lenc_key
|
|
|
|
sub $out,$out,#240 // restore original $out
|
|
mov x4,#-16
|
|
add $inp,$out,x12,lsl#4 // end of key schedule
|
|
|
|
vld1.32 {v0.16b},[$out]
|
|
vld1.32 {v1.16b},[$inp]
|
|
vst1.32 {v0.16b},[$inp],x4
|
|
vst1.32 {v1.16b},[$out],#16
|
|
|
|
.Loop_imc:
|
|
vld1.32 {v0.16b},[$out]
|
|
vld1.32 {v1.16b},[$inp]
|
|
aesimc v0.16b,v0.16b
|
|
aesimc v1.16b,v1.16b
|
|
vst1.32 {v0.16b},[$inp],x4
|
|
vst1.32 {v1.16b},[$out],#16
|
|
cmp $inp,$out
|
|
b.hi .Loop_imc
|
|
|
|
vld1.32 {v0.16b},[$out]
|
|
aesimc v0.16b,v0.16b
|
|
vst1.32 {v0.16b},[$inp]
|
|
|
|
eor x0,x0,x0 // return value
|
|
___
|
|
$code.=<<___ if ($flavour !~ /64/);
|
|
ldmia sp!,{r4,pc}
|
|
___
|
|
$code.=<<___ if ($flavour =~ /64/);
|
|
ldp x29,x30,[sp],#16
|
|
ret
|
|
___
|
|
$code.=<<___;
|
|
.size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
|
|
___
|
|
}}}
|
|
{{{
|
|
sub gen_block () {
|
|
my $dir = shift;
|
|
my ($e,$mc) = $dir eq "en" ? ("e","mc") : ("d","imc");
|
|
my ($inp,$out,$key)=map("x$_",(0..2));
|
|
my $rounds="w3";
|
|
my ($rndkey0,$rndkey1,$inout)=map("q$_",(0..3));
|
|
|
|
$code.=<<___;
|
|
.globl ${prefix}_${dir}crypt
|
|
.type ${prefix}_${dir}crypt,%function
|
|
.align 5
|
|
${prefix}_${dir}crypt:
|
|
ldr $rounds,[$key,#240]
|
|
vld1.32 {$rndkey0},[$key],#16
|
|
vld1.8 {$inout},[$inp]
|
|
sub $rounds,$rounds,#2
|
|
vld1.32 {$rndkey1},[$key],#16
|
|
|
|
.Loop_${dir}c:
|
|
aes$e $inout,$rndkey0
|
|
vld1.32 {$rndkey0},[$key],#16
|
|
aes$mc $inout,$inout
|
|
subs $rounds,$rounds,#2
|
|
aes$e $inout,$rndkey1
|
|
vld1.32 {$rndkey1},[$key],#16
|
|
aes$mc $inout,$inout
|
|
b.gt .Loop_${dir}c
|
|
|
|
aes$e $inout,$rndkey0
|
|
vld1.32 {$rndkey0},[$key]
|
|
aes$mc $inout,$inout
|
|
aes$e $inout,$rndkey1
|
|
veor $inout,$inout,$rndkey0
|
|
|
|
vst1.8 {$inout},[$out]
|
|
ret
|
|
.size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
|
|
___
|
|
}
|
|
&gen_block("en");
|
|
&gen_block("de");
|
|
}}}
|
|
{{{
|
|
my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5";
|
|
my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
|
|
my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
|
|
|
|
my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
|
|
|
|
### q8-q15 preloaded key schedule
|
|
|
|
$code.=<<___;
|
|
.globl ${prefix}_cbc_encrypt
|
|
.type ${prefix}_cbc_encrypt,%function
|
|
.align 5
|
|
${prefix}_cbc_encrypt:
|
|
___
|
|
$code.=<<___ if ($flavour =~ /64/);
|
|
stp x29,x30,[sp,#-16]!
|
|
add x29,sp,#0
|
|
___
|
|
$code.=<<___ if ($flavour !~ /64/);
|
|
mov ip,sp
|
|
stmdb sp!,{r4-r8,lr}
|
|
vstmdb sp!,{d8-d15} @ ABI specification says so
|
|
ldmia ip,{r4-r5} @ load remaining args
|
|
___
|
|
$code.=<<___;
|
|
subs $len,$len,#16
|
|
mov $step,#16
|
|
b.lo .Lcbc_abort
|
|
cclr $step,eq
|
|
|
|
cmp $enc,#0 // en- or decrypting?
|
|
ldr $rounds,[$key,#240]
|
|
and $len,$len,#-16
|
|
vld1.8 {$ivec},[$ivp]
|
|
vld1.8 {$dat},[$inp],$step
|
|
|
|
vld1.32 {q8-q9},[$key] // load key schedule...
|
|
sub $rounds,$rounds,#6
|
|
add $key_,$key,x5,lsl#4 // pointer to last 7 round keys
|
|
sub $rounds,$rounds,#2
|
|
vld1.32 {q10-q11},[$key_],#32
|
|
vld1.32 {q12-q13},[$key_],#32
|
|
vld1.32 {q14-q15},[$key_],#32
|
|
vld1.32 {$rndlast},[$key_]
|
|
|
|
add $key_,$key,#32
|
|
mov $cnt,$rounds
|
|
b.eq .Lcbc_dec
|
|
|
|
cmp $rounds,#2
|
|
veor $dat,$dat,$ivec
|
|
veor $rndzero_n_last,q8,$rndlast
|
|
b.eq .Lcbc_enc128
|
|
|
|
.Loop_cbc_enc:
|
|
aese $dat,q8
|
|
vld1.32 {q8},[$key_],#16
|
|
aesmc $dat,$dat
|
|
subs $cnt,$cnt,#2
|
|
aese $dat,q9
|
|
vld1.32 {q9},[$key_],#16
|
|
aesmc $dat,$dat
|
|
b.gt .Loop_cbc_enc
|
|
|
|
aese $dat,q8
|
|
aesmc $dat,$dat
|
|
subs $len,$len,#16
|
|
aese $dat,q9
|
|
aesmc $dat,$dat
|
|
cclr $step,eq
|
|
aese $dat,q10
|
|
aesmc $dat,$dat
|
|
add $key_,$key,#16
|
|
aese $dat,q11
|
|
aesmc $dat,$dat
|
|
vld1.8 {q8},[$inp],$step
|
|
aese $dat,q12
|
|
aesmc $dat,$dat
|
|
veor q8,q8,$rndzero_n_last
|
|
aese $dat,q13
|
|
aesmc $dat,$dat
|
|
vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
|
|
aese $dat,q14
|
|
aesmc $dat,$dat
|
|
aese $dat,q15
|
|
|
|
mov $cnt,$rounds
|
|
veor $ivec,$dat,$rndlast
|
|
vst1.8 {$ivec},[$out],#16
|
|
b.hs .Loop_cbc_enc
|
|
|
|
b .Lcbc_done
|
|
|
|
.align 5
|
|
.Lcbc_enc128:
|
|
vld1.32 {$in0-$in1},[$key_]
|
|
aese $dat,q8
|
|
aesmc $dat,$dat
|
|
b .Lenter_cbc_enc128
|
|
.Loop_cbc_enc128:
|
|
aese $dat,q8
|
|
aesmc $dat,$dat
|
|
vst1.8 {$ivec},[$out],#16
|
|
.Lenter_cbc_enc128:
|
|
aese $dat,q9
|
|
aesmc $dat,$dat
|
|
subs $len,$len,#16
|
|
aese $dat,$in0
|
|
aesmc $dat,$dat
|
|
cclr $step,eq
|
|
aese $dat,$in1
|
|
aesmc $dat,$dat
|
|
aese $dat,q10
|
|
aesmc $dat,$dat
|
|
aese $dat,q11
|
|
aesmc $dat,$dat
|
|
vld1.8 {q8},[$inp],$step
|
|
aese $dat,q12
|
|
aesmc $dat,$dat
|
|
aese $dat,q13
|
|
aesmc $dat,$dat
|
|
aese $dat,q14
|
|
aesmc $dat,$dat
|
|
veor q8,q8,$rndzero_n_last
|
|
aese $dat,q15
|
|
veor $ivec,$dat,$rndlast
|
|
b.hs .Loop_cbc_enc128
|
|
|
|
vst1.8 {$ivec},[$out],#16
|
|
b .Lcbc_done
|
|
|
|
.align 5
|
|
.Lcbc_dec128:
|
|
vld1.32 {$tmp0-$tmp1},[$key_]
|
|
veor $ivec,$ivec,$rndlast
|
|
veor $in0,$dat0,$rndlast
|
|
mov $step1,$step
|
|
|
|
.Loop2x_cbc_dec128:
|
|
aesd $dat0,q8
|
|
aesd $dat1,q8
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
subs $len,$len,#32
|
|
aesd $dat0,q9
|
|
aesd $dat1,q9
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
cclr $step,lo
|
|
aesd $dat0,$tmp0
|
|
aesd $dat1,$tmp0
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
cclr $step1,ls
|
|
aesd $dat0,$tmp1
|
|
aesd $dat1,$tmp1
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
aesd $dat0,q10
|
|
aesd $dat1,q10
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
aesd $dat0,q11
|
|
aesd $dat1,q11
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
aesd $dat0,q12
|
|
aesd $dat1,q12
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
aesd $dat0,q13
|
|
aesd $dat1,q13
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
aesd $dat0,q14
|
|
aesd $dat1,q14
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
aesd $dat0,q15
|
|
aesd $dat1,q15
|
|
|
|
veor $ivec,$ivec,$dat0
|
|
vld1.8 {$dat0},[$inp],$step
|
|
veor $in0,$in0,$dat1
|
|
vld1.8 {$dat1},[$inp],$step1
|
|
vst1.8 {$ivec},[$out],#16
|
|
veor $ivec,$in1,$rndlast
|
|
vst1.8 {$in0},[$out],#16
|
|
veor $in0,$dat0,$rndlast
|
|
vorr $in1,$dat1,$dat1
|
|
b.hs .Loop2x_cbc_dec128
|
|
|
|
adds $len,$len,#32
|
|
veor $ivec,$ivec,$rndlast
|
|
b.eq .Lcbc_done
|
|
veor $in0,$in0,$rndlast
|
|
b .Lcbc_dec_tail
|
|
|
|
.align 5
|
|
.Lcbc_dec:
|
|
subs $len,$len,#16
|
|
vorr $in0,$dat,$dat
|
|
b.lo .Lcbc_dec_tail
|
|
|
|
cclr $step,eq
|
|
cmp $rounds,#2
|
|
vld1.8 {$dat1},[$inp],$step
|
|
vorr $in1,$dat1,$dat1
|
|
b.eq .Lcbc_dec128
|
|
|
|
.Loop2x_cbc_dec:
|
|
aesd $dat0,q8
|
|
aesd $dat1,q8
|
|
vld1.32 {q8},[$key_],#16
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
subs $cnt,$cnt,#2
|
|
aesd $dat0,q9
|
|
aesd $dat1,q9
|
|
vld1.32 {q9},[$key_],#16
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
b.gt .Loop2x_cbc_dec
|
|
|
|
aesd $dat0,q8
|
|
aesd $dat1,q8
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
veor $tmp0,$ivec,$rndlast
|
|
veor $tmp1,$in0,$rndlast
|
|
aesd $dat0,q9
|
|
aesd $dat1,q9
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
vorr $ivec,$in1,$in1
|
|
subs $len,$len,#32
|
|
aesd $dat0,q10
|
|
aesd $dat1,q10
|
|
aesimc $dat0,$dat0
|
|
cclr $step,lo
|
|
aesimc $dat1,$dat1
|
|
mov $key_,$key
|
|
aesd $dat0,q11
|
|
aesd $dat1,q11
|
|
aesimc $dat0,$dat0
|
|
vld1.8 {$in0},[$inp],$step
|
|
aesimc $dat1,$dat1
|
|
cclr $step,ls
|
|
aesd $dat0,q12
|
|
aesd $dat1,q12
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
vld1.8 {$in1},[$inp],$step
|
|
aesd $dat0,q13
|
|
aesd $dat1,q13
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
|
|
aesd $dat0,q14
|
|
aesd $dat1,q14
|
|
aesimc $dat0,$dat0
|
|
aesimc $dat1,$dat1
|
|
vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
|
|
aesd $dat0,q15
|
|
aesd $dat1,q15
|
|
|
|
mov $cnt,$rounds
|
|
veor $tmp0,$tmp0,$dat0
|
|
veor $tmp1,$tmp1,$dat1
|
|
vorr $dat0,$in0,$in0
|
|
vst1.8 {$tmp0},[$out],#16
|
|
vorr $dat1,$in1,$in1
|
|
vst1.8 {$tmp1},[$out],#16
|
|
b.hs .Loop2x_cbc_dec
|
|
|
|
adds $len,$len,#32
|
|
b.eq .Lcbc_done
|
|
|
|
.Lcbc_dec_tail:
|
|
aesd $dat,q8
|
|
vld1.32 {q8},[$key_],#16
|
|
aesimc $dat,$dat
|
|
subs $cnt,$cnt,#2
|
|
aesd $dat,q9
|
|
vld1.32 {q9},[$key_],#16
|
|
aesimc $dat,$dat
|
|
b.gt .Lcbc_dec_tail
|
|
|
|
aesd $dat,q8
|
|
aesimc $dat,$dat
|
|
aesd $dat,q9
|
|
aesimc $dat,$dat
|
|
veor $tmp,$ivec,$rndlast
|
|
aesd $dat,q10
|
|
aesimc $dat,$dat
|
|
vorr $ivec,$in0,$in0
|
|
aesd $dat,q11
|
|
aesimc $dat,$dat
|
|
aesd $dat,q12
|
|
aesimc $dat,$dat
|
|
aesd $dat,q13
|
|
aesimc $dat,$dat
|
|
aesd $dat,q14
|
|
aesimc $dat,$dat
|
|
aesd $dat,q15
|
|
|
|
veor $tmp,$tmp,$dat
|
|
vst1.8 {$tmp},[$out],#16
|
|
|
|
.Lcbc_done:
|
|
vst1.8 {$ivec},[$ivp]
|
|
.Lcbc_abort:
|
|
___
|
|
$code.=<<___ if ($flavour !~ /64/);
|
|
vldmia sp!,{d8-d15}
|
|
ldmia sp!,{r4-r8,pc}
|
|
___
|
|
$code.=<<___ if ($flavour =~ /64/);
|
|
ldr x29,[sp],#16
|
|
ret
|
|
___
|
|
$code.=<<___;
|
|
.size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
|
|
___
|
|
}}}
|
|
{{{
|
|
my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4));
|
|
my ($rounds,$cnt,$key_,$ctr,$tctr,$tctr1)=("w5","w6","x7","w8","w9","w10");
|
|
my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
|
|
|
|
my ($dat,$tmp)=($dat0,$tmp0);
|
|
|
|
### q8-q15 preloaded key schedule
|
|
|
|
$code.=<<___;
|
|
.globl ${prefix}_ctr32_encrypt_blocks
|
|
.type ${prefix}_ctr32_encrypt_blocks,%function
|
|
.align 5
|
|
${prefix}_ctr32_encrypt_blocks:
|
|
___
|
|
$code.=<<___ if ($flavour =~ /64/);
|
|
stp x29,x30,[sp,#-16]!
|
|
add x29,sp,#0
|
|
___
|
|
$code.=<<___ if ($flavour !~ /64/);
|
|
mov ip,sp
|
|
stmdb sp!,{r4-r10,lr}
|
|
vstmdb sp!,{d8-d15} @ ABI specification says so
|
|
ldr r4, [ip] @ load remaining arg
|
|
___
|
|
$code.=<<___;
|
|
ldr $rounds,[$key,#240]
|
|
|
|
ldr $ctr, [$ivp, #12]
|
|
vld1.32 {$dat0},[$ivp]
|
|
|
|
vld1.32 {q8-q9},[$key] // load key schedule...
|
|
sub $rounds,$rounds,#6
|
|
add $key_,$key,x5,lsl#4 // pointer to last 7 round keys
|
|
sub $rounds,$rounds,#2
|
|
vld1.32 {q10-q11},[$key_],#32
|
|
vld1.32 {q12-q13},[$key_],#32
|
|
vld1.32 {q14-q15},[$key_],#32
|
|
vld1.32 {$rndlast},[$key_]
|
|
|
|
add $key_,$key,#32
|
|
mov $cnt,$rounds
|
|
|
|
subs $len,$len,#2
|
|
b.lo .Lctr32_tail
|
|
|
|
#ifndef __ARMEB__
|
|
rev $ctr, $ctr
|
|
#endif
|
|
vorr $dat1,$dat0,$dat0
|
|
add $ctr, $ctr, #1
|
|
vorr $ivec,$dat0,$dat0
|
|
rev $tctr1, $ctr
|
|
cmp $rounds,#2
|
|
vmov.32 ${dat1}[3],$tctr1
|
|
b.eq .Lctr32_128
|
|
|
|
.Loop2x_ctr32:
|
|
aese $dat0,q8
|
|
aese $dat1,q8
|
|
vld1.32 {q8},[$key_],#16
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
subs $cnt,$cnt,#2
|
|
aese $dat0,q9
|
|
aese $dat1,q9
|
|
vld1.32 {q9},[$key_],#16
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
b.gt .Loop2x_ctr32
|
|
|
|
aese $dat0,q8
|
|
aese $dat1,q8
|
|
aesmc $tmp0,$dat0
|
|
vorr $dat0,$ivec,$ivec
|
|
aesmc $tmp1,$dat1
|
|
vorr $dat1,$ivec,$ivec
|
|
aese $tmp0,q9
|
|
aese $tmp1,q9
|
|
vld1.8 {$in0},[$inp],#16
|
|
aesmc $tmp0,$tmp0
|
|
vld1.8 {$in1},[$inp],#16
|
|
aesmc $tmp1,$tmp1
|
|
add $ctr,$ctr,#1
|
|
aese $tmp0,q10
|
|
aese $tmp1,q10
|
|
rev $tctr,$ctr
|
|
aesmc $tmp0,$tmp0
|
|
aesmc $tmp1,$tmp1
|
|
add $ctr,$ctr,#1
|
|
aese $tmp0,q11
|
|
aese $tmp1,q11
|
|
veor $in0,$in0,$rndlast
|
|
rev $tctr1,$ctr
|
|
aesmc $tmp0,$tmp0
|
|
aesmc $tmp1,$tmp1
|
|
veor $in1,$in1,$rndlast
|
|
mov $key_,$key
|
|
aese $tmp0,q12
|
|
aese $tmp1,q12
|
|
subs $len,$len,#2
|
|
aesmc $tmp0,$tmp0
|
|
aesmc $tmp1,$tmp1
|
|
vld1.32 {q8-q9},[$key_],#32 // re-pre-load rndkey[0-1]
|
|
aese $tmp0,q13
|
|
aese $tmp1,q13
|
|
aesmc $tmp0,$tmp0
|
|
aesmc $tmp1,$tmp1
|
|
aese $tmp0,q14
|
|
aese $tmp1,q14
|
|
vmov.32 ${dat0}[3], $tctr
|
|
aesmc $tmp0,$tmp0
|
|
vmov.32 ${dat1}[3], $tctr1
|
|
aesmc $tmp1,$tmp1
|
|
aese $tmp0,q15
|
|
aese $tmp1,q15
|
|
|
|
mov $cnt,$rounds
|
|
veor $in0,$in0,$tmp0
|
|
veor $in1,$in1,$tmp1
|
|
vst1.8 {$in0},[$out],#16
|
|
vst1.8 {$in1},[$out],#16
|
|
b.hs .Loop2x_ctr32
|
|
|
|
adds $len,$len,#2
|
|
b.eq .Lctr32_done
|
|
b .Lctr32_tail
|
|
|
|
.Lctr32_128:
|
|
vld1.32 {$tmp0-$tmp1},[$key_]
|
|
|
|
.Loop2x_ctr32_128:
|
|
aese $dat0,q8
|
|
aese $dat1,q8
|
|
aesmc $dat0,$dat0
|
|
vld1.8 {$in0},[$inp],#16
|
|
aesmc $dat1,$dat1
|
|
vld1.8 {$in1},[$inp],#16
|
|
aese $dat0,q9
|
|
aese $dat1,q9
|
|
add $ctr,$ctr,#1
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
rev $tctr,$ctr
|
|
aese $dat0,$tmp0
|
|
aese $dat1,$tmp0
|
|
add $ctr,$ctr,#1
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
rev $tctr1,$ctr
|
|
aese $dat0,$tmp1
|
|
aese $dat1,$tmp1
|
|
subs $len,$len,#2
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
aese $dat0,q10
|
|
aese $dat1,q10
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
aese $dat0,q11
|
|
aese $dat1,q11
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
aese $dat0,q12
|
|
aese $dat1,q12
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
aese $dat0,q13
|
|
aese $dat1,q13
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
aese $dat0,q14
|
|
aese $dat1,q14
|
|
aesmc $dat0,$dat0
|
|
aesmc $dat1,$dat1
|
|
veor $in0,$in0,$rndlast
|
|
aese $dat0,q15
|
|
veor $in1,$in1,$rndlast
|
|
aese $dat1,q15
|
|
|
|
veor $in0,$in0,$dat0
|
|
vorr $dat0,$ivec,$ivec
|
|
veor $in1,$in1,$dat1
|
|
vorr $dat1,$ivec,$ivec
|
|
vst1.8 {$in0},[$out],#16
|
|
vmov.32 ${dat0}[3], $tctr
|
|
vst1.8 {$in1},[$out],#16
|
|
vmov.32 ${dat1}[3], $tctr1
|
|
b.hs .Loop2x_ctr32_128
|
|
|
|
adds $len,$len,#2
|
|
b.eq .Lctr32_done
|
|
|
|
.Lctr32_tail:
|
|
aese $dat,q8
|
|
vld1.32 {q8},[$key_],#16
|
|
aesmc $dat,$dat
|
|
subs $cnt,$cnt,#2
|
|
aese $dat,q9
|
|
vld1.32 {q9},[$key_],#16
|
|
aesmc $dat,$dat
|
|
b.gt .Lctr32_tail
|
|
|
|
aese $dat,q8
|
|
aesmc $dat,$dat
|
|
aese $dat,q9
|
|
aesmc $dat,$dat
|
|
vld1.8 {$in0},[$inp]
|
|
aese $dat,q10
|
|
aesmc $dat,$dat
|
|
aese $dat,q11
|
|
aesmc $dat,$dat
|
|
aese $dat,q12
|
|
aesmc $dat,$dat
|
|
aese $dat,q13
|
|
aesmc $dat,$dat
|
|
aese $dat,q14
|
|
aesmc $dat,$dat
|
|
veor $in0,$in0,$rndlast
|
|
aese $dat,q15
|
|
|
|
veor $in0,$in0,$dat
|
|
vst1.8 {$in0},[$out]
|
|
|
|
.Lctr32_done:
|
|
___
|
|
$code.=<<___ if ($flavour !~ /64/);
|
|
vldmia sp!,{d8-d15}
|
|
ldmia sp!,{r4-r10,pc}
|
|
___
|
|
$code.=<<___ if ($flavour =~ /64/);
|
|
ldr x29,[sp],#16
|
|
ret
|
|
___
|
|
$code.=<<___;
|
|
.size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
|
|
___
|
|
}}}
|
|
$code.=<<___;
|
|
#endif
|
|
___
|
|
########################################
|
|
if ($flavour =~ /64/) { ######## 64-bit code
|
|
my %opcode = (
|
|
"aesd" => 0x4e285800, "aese" => 0x4e284800,
|
|
"aesimc"=> 0x4e287800, "aesmc" => 0x4e286800 );
|
|
|
|
local *unaes = sub {
|
|
my ($mnemonic,$arg)=@_;
|
|
|
|
$arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o &&
|
|
sprintf ".inst\t0x%08x\t//%s %s",
|
|
$opcode{$mnemonic}|$1|($2<<5),
|
|
$mnemonic,$arg;
|
|
};
|
|
|
|
foreach(split("\n",$code)) {
|
|
s/\`([^\`]*)\`/eval($1)/geo;
|
|
|
|
s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo; # old->new registers
|
|
s/@\s/\/\//o; # old->new style commentary
|
|
|
|
#s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
|
|
s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel $1$2,$1zr,$1$2,$3/o or
|
|
s/vmov\.i8/movi/o or # fix up legacy mnemonics
|
|
s/vext\.8/ext/o or
|
|
s/vrev32\.8/rev32/o or
|
|
s/vtst\.8/cmtst/o or
|
|
s/vshr/ushr/o or
|
|
s/^(\s+)v/$1/o or # strip off v prefix
|
|
s/\bbx\s+lr\b/ret/o;
|
|
|
|
# fix up remainig legacy suffixes
|
|
s/\.[ui]?8//o;
|
|
m/\],#8/o and s/\.16b/\.8b/go;
|
|
s/\.[ui]?32//o and s/\.16b/\.4s/go;
|
|
s/\.[ui]?64//o and s/\.16b/\.2d/go;
|
|
s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
|
|
|
|
print $_,"\n";
|
|
}
|
|
} else { ######## 32-bit code
|
|
my %opcode = (
|
|
"aesd" => 0xf3b00340, "aese" => 0xf3b00300,
|
|
"aesimc"=> 0xf3b003c0, "aesmc" => 0xf3b00380 );
|
|
|
|
local *unaes = sub {
|
|
my ($mnemonic,$arg)=@_;
|
|
|
|
if ($arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o) {
|
|
my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
|
|
|(($2&7)<<1) |(($2&8)<<2);
|
|
# since ARMv7 instructions are always encoded little-endian.
|
|
# correct solution is to use .inst directive, but older
|
|
# assemblers don't implement it:-(
|
|
sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
|
|
$word&0xff,($word>>8)&0xff,
|
|
($word>>16)&0xff,($word>>24)&0xff,
|
|
$mnemonic,$arg;
|
|
}
|
|
};
|
|
|
|
sub unvtbl {
|
|
my $arg=shift;
|
|
|
|
$arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
|
|
sprintf "vtbl.8 d%d,{q%d},d%d\n\t".
|
|
"vtbl.8 d%d,{q%d},d%d", 2*$1,$2,2*$3, 2*$1+1,$2,2*$3+1;
|
|
}
|
|
|
|
sub unvdup32 {
|
|
my $arg=shift;
|
|
|
|
$arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
|
|
sprintf "vdup.32 q%d,d%d[%d]",$1,2*$2+($3>>1),$3&1;
|
|
}
|
|
|
|
sub unvmov32 {
|
|
my $arg=shift;
|
|
|
|
$arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
|
|
sprintf "vmov.32 d%d[%d],%s",2*$1+($2>>1),$2&1,$3;
|
|
}
|
|
|
|
foreach(split("\n",$code)) {
|
|
s/\`([^\`]*)\`/eval($1)/geo;
|
|
|
|
s/\b[wx]([0-9]+)\b/r$1/go; # new->old registers
|
|
s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go; # new->old registers
|
|
s/\/\/\s?/@ /o; # new->old style commentary
|
|
|
|
# fix up remainig new-style suffixes
|
|
s/\{q([0-9]+)\},\s*\[(.+)\],#8/sprintf "{d%d},[$2]!",2*$1/eo or
|
|
s/\],#[0-9]+/]!/o;
|
|
|
|
s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
|
|
s/cclr\s+([^,]+),\s*([a-z]+)/mov$2 $1,#0/o or
|
|
s/vtbl\.8\s+(.*)/unvtbl($1)/geo or
|
|
s/vdup\.32\s+(.*)/unvdup32($1)/geo or
|
|
s/vmov\.32\s+(.*)/unvmov32($1)/geo or
|
|
s/^(\s+)b\./$1b/o or
|
|
s/^(\s+)ret/$1bx\tlr/o;
|
|
|
|
print $_,"\n";
|
|
}
|
|
}
|
|
|
|
close STDOUT;
|