arch/aarch64/bsaes-armv8.S

1.1  christos // Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
1.1  christos //
1.1  christos // Licensed under the OpenSSL license (the "License").  You may not use
1.1  christos // this file except in compliance with the License.  You can obtain a copy
1.1  christos // in the file LICENSE in the source distribution or at
1.1  christos // https://www.openssl.org/source/license.html
1.1  christos //
1.1  christos // ====================================================================
1.1  christos // Written by Ben Avison <bavison (at) riscosopen.org> for the OpenSSL
1.1  christos // project. Rights for redistribution and usage in source and binary
1.1  christos // forms are granted according to the OpenSSL license.
1.1  christos // ====================================================================
1.1  christos //
1.1  christos // This implementation is a translation of bsaes-armv7 for AArch64.
1.1  christos // No attempt has been made to carry across the build switches for
1.1  christos // kernel targets, since the Linux kernel crypto support has moved on
1.1  christos // from when it was based on OpenSSL.
1.1  christos
1.1  christos // A lot of hand-scheduling has been performed. Consequently, this code
1.1  christos // doesn't factor out neatly into macros in the same way that the
1.1  christos // AArch32 version did, and there is little to be gained by wrapping it
1.1  christos // up in Perl, and it is presented as pure assembly.
1.1  christos
1.1  christos
1.1  christos #include "crypto/arm_arch.h"
1.1  christos
1.1  christos .text
1.1  christos
1.1  christos
1.1  christos
1.1  christos
1.1  christos
1.1  christos .type	_bsaes_decrypt8,%function
1.1  christos .align	4
1.1  christos // On entry:
1.1  christos //   x9 -> key (previously expanded using _bsaes_key_convert)
1.1  christos //   x10 = number of rounds
1.1  christos //   v0-v7 input data
1.1  christos // On exit:
1.1  christos //   x9-x11 corrupted
1.1  christos //   other general-purpose registers preserved
1.1  christos //   v0-v7 output data
1.1  christos //   v11-v15 preserved
1.1  christos //   other SIMD registers corrupted
1.1  christos _bsaes_decrypt8:
1.1  christos 	ldr	q8, [x9], #16
1.1  christos 	adrp	x11, .LM0ISR
1.1  christos 	add	x11, x11, #:lo12:.LM0ISR
1.1  christos 	movi	v9.16b, #0x55
1.1  christos 	ldr	q10, [x11], #16
1.1  christos 	movi	v16.16b, #0x33
1.1  christos 	movi	v17.16b, #0x0f
1.1  christos 	sub	x10, x10, #1
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	eor	v1.16b, v1.16b, v8.16b
1.1  christos 	eor	v2.16b, v2.16b, v8.16b
1.1  christos 	eor	v4.16b, v4.16b, v8.16b
1.1  christos 	eor	v3.16b, v3.16b, v8.16b
1.1  christos 	eor	v5.16b, v5.16b, v8.16b
1.1  christos 	tbl	v0.16b, {v0.16b}, v10.16b
1.1  christos 	tbl	v1.16b, {v1.16b}, v10.16b
1.1  christos 	tbl	v2.16b, {v2.16b}, v10.16b
1.1  christos 	tbl	v4.16b, {v4.16b}, v10.16b
1.1  christos 	eor	v6.16b, v6.16b, v8.16b
1.1  christos 	eor	v7.16b, v7.16b, v8.16b
1.1  christos 	tbl	v3.16b, {v3.16b}, v10.16b
1.1  christos 	tbl	v5.16b, {v5.16b}, v10.16b
1.1  christos 	tbl	v6.16b, {v6.16b}, v10.16b
1.1  christos 	ushr	v8.2d, v0.2d, #1
1.1  christos 	tbl	v7.16b, {v7.16b}, v10.16b
1.1  christos 	ushr	v10.2d, v4.2d, #1
1.1  christos 	ushr	v18.2d, v2.2d, #1
1.1  christos 	eor	v8.16b, v8.16b, v1.16b
1.1  christos 	ushr	v19.2d, v6.2d, #1
1.1  christos 	eor	v10.16b, v10.16b, v5.16b
1.1  christos 	eor	v18.16b, v18.16b, v3.16b
1.1  christos 	and	v8.16b, v8.16b, v9.16b
1.1  christos 	eor	v19.16b, v19.16b, v7.16b
1.1  christos 	and	v10.16b, v10.16b, v9.16b
1.1  christos 	and	v18.16b, v18.16b, v9.16b
1.1  christos 	eor	v1.16b, v1.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #1
1.1  christos 	and	v9.16b, v19.16b, v9.16b
1.1  christos 	eor	v5.16b, v5.16b, v10.16b
1.1  christos 	shl	v10.2d, v10.2d, #1
1.1  christos 	eor	v3.16b, v3.16b, v18.16b
1.1  christos 	shl	v18.2d, v18.2d, #1
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	shl	v8.2d, v9.2d, #1
1.1  christos 	eor	v7.16b, v7.16b, v9.16b
1.1  christos 	eor	v4.16b, v4.16b, v10.16b
1.1  christos 	eor	v2.16b, v2.16b, v18.16b
1.1  christos 	ushr	v9.2d, v1.2d, #2
1.1  christos 	eor	v6.16b, v6.16b, v8.16b
1.1  christos 	ushr	v8.2d, v0.2d, #2
1.1  christos 	ushr	v10.2d, v5.2d, #2
1.1  christos 	ushr	v18.2d, v4.2d, #2
1.1  christos 	eor	v9.16b, v9.16b, v3.16b
1.1  christos 	eor	v8.16b, v8.16b, v2.16b
1.1  christos 	eor	v10.16b, v10.16b, v7.16b
1.1  christos 	eor	v18.16b, v18.16b, v6.16b
1.1  christos 	and	v9.16b, v9.16b, v16.16b
1.1  christos 	and	v8.16b, v8.16b, v16.16b
1.1  christos 	and	v10.16b, v10.16b, v16.16b
1.1  christos 	and	v16.16b, v18.16b, v16.16b
1.1  christos 	eor	v3.16b, v3.16b, v9.16b
1.1  christos 	shl	v9.2d, v9.2d, #2
1.1  christos 	eor	v2.16b, v2.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #2
1.1  christos 	eor	v7.16b, v7.16b, v10.16b
1.1  christos 	shl	v10.2d, v10.2d, #2
1.1  christos 	eor	v6.16b, v6.16b, v16.16b
1.1  christos 	shl	v16.2d, v16.2d, #2
1.1  christos 	eor	v1.16b, v1.16b, v9.16b
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	eor	v5.16b, v5.16b, v10.16b
1.1  christos 	eor	v4.16b, v4.16b, v16.16b
1.1  christos 	ushr	v8.2d, v3.2d, #4
1.1  christos 	ushr	v9.2d, v2.2d, #4
1.1  christos 	ushr	v10.2d, v1.2d, #4
1.1  christos 	ushr	v16.2d, v0.2d, #4
1.1  christos 	eor	v8.16b, v8.16b, v7.16b
1.1  christos 	eor	v9.16b, v9.16b, v6.16b
1.1  christos 	eor	v10.16b, v10.16b, v5.16b
1.1  christos 	eor	v16.16b, v16.16b, v4.16b
1.1  christos 	and	v8.16b, v8.16b, v17.16b
1.1  christos 	and	v9.16b, v9.16b, v17.16b
1.1  christos 	and	v10.16b, v10.16b, v17.16b
1.1  christos 	and	v16.16b, v16.16b, v17.16b
1.1  christos 	eor	v7.16b, v7.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #4
1.1  christos 	eor	v6.16b, v6.16b, v9.16b
1.1  christos 	shl	v9.2d, v9.2d, #4
1.1  christos 	eor	v5.16b, v5.16b, v10.16b
1.1  christos 	shl	v10.2d, v10.2d, #4
1.1  christos 	eor	v4.16b, v4.16b, v16.16b
1.1  christos 	shl	v16.2d, v16.2d, #4
1.1  christos 	eor	v3.16b, v3.16b, v8.16b
1.1  christos 	eor	v2.16b, v2.16b, v9.16b
1.1  christos 	eor	v1.16b, v1.16b, v10.16b
1.1  christos 	eor	v0.16b, v0.16b, v16.16b
1.1  christos 	b	.Ldec_sbox
1.1  christos .align	4
1.1  christos .Ldec_loop:
1.1  christos 	ld1	{v16.16b, v17.16b, v18.16b, v19.16b}, [x9], #64
1.1  christos 	ldp	q8, q9, [x9], #32
1.1  christos 	eor	v0.16b, v16.16b, v0.16b
1.1  christos 	ldr	q10, [x9], #16
1.1  christos 	eor	v1.16b, v17.16b, v1.16b
1.1  christos 	ldr	q16, [x9], #16
1.1  christos 	eor	v2.16b, v18.16b, v2.16b
1.1  christos 	eor	v3.16b, v19.16b, v3.16b
1.1  christos 	eor	v4.16b, v8.16b, v4.16b
1.1  christos 	eor	v5.16b, v9.16b, v5.16b
1.1  christos 	eor	v6.16b, v10.16b, v6.16b
1.1  christos 	eor	v7.16b, v16.16b, v7.16b
1.1  christos 	tbl	v0.16b, {v0.16b}, v28.16b
1.1  christos 	tbl	v1.16b, {v1.16b}, v28.16b
1.1  christos 	tbl	v2.16b, {v2.16b}, v28.16b
1.1  christos 	tbl	v3.16b, {v3.16b}, v28.16b
1.1  christos 	tbl	v4.16b, {v4.16b}, v28.16b
1.1  christos 	tbl	v5.16b, {v5.16b}, v28.16b
1.1  christos 	tbl	v6.16b, {v6.16b}, v28.16b
1.1  christos 	tbl	v7.16b, {v7.16b}, v28.16b
1.1  christos .Ldec_sbox:
1.1  christos 	eor	v1.16b, v1.16b, v4.16b
1.1  christos 	eor	v3.16b, v3.16b, v4.16b
1.1  christos 	subs	x10, x10, #1
1.1  christos 	eor	v4.16b, v4.16b, v7.16b
1.1  christos 	eor	v2.16b, v2.16b, v7.16b
1.1  christos 	eor	v1.16b, v1.16b, v6.16b
1.1  christos 	eor	v6.16b, v6.16b, v4.16b
1.1  christos 	eor	v2.16b, v2.16b, v5.16b
1.1  christos 	eor	v0.16b, v0.16b, v1.16b
1.1  christos 	eor	v7.16b, v7.16b, v6.16b
1.1  christos 	eor	v8.16b, v6.16b, v2.16b
1.1  christos 	and	v9.16b, v4.16b, v6.16b
1.1  christos 	eor	v10.16b, v2.16b, v6.16b
1.1  christos 	eor	v3.16b, v3.16b, v0.16b
1.1  christos 	eor	v5.16b, v5.16b, v0.16b
1.1  christos 	eor	v16.16b, v7.16b, v4.16b
1.1  christos 	eor	v17.16b, v4.16b, v0.16b
1.1  christos 	and	v18.16b, v0.16b, v2.16b
1.1  christos 	eor	v19.16b, v7.16b, v4.16b
1.1  christos 	eor	v1.16b, v1.16b, v3.16b
1.1  christos 	eor	v20.16b, v3.16b, v0.16b
1.1  christos 	eor	v21.16b, v5.16b, v2.16b
1.1  christos 	eor	v22.16b, v3.16b, v7.16b
1.1  christos 	and	v8.16b, v17.16b, v8.16b
1.1  christos 	orr	v17.16b, v3.16b, v5.16b
1.1  christos 	eor	v23.16b, v1.16b, v6.16b
1.1  christos 	eor	v24.16b, v20.16b, v16.16b
1.1  christos 	eor	v25.16b, v1.16b, v5.16b
1.1  christos 	orr	v26.16b, v20.16b, v21.16b
1.1  christos 	and	v20.16b, v20.16b, v21.16b
1.1  christos 	and	v27.16b, v7.16b, v1.16b
1.1  christos 	eor	v21.16b, v21.16b, v23.16b
1.1  christos 	orr	v28.16b, v16.16b, v23.16b
1.1  christos 	orr	v29.16b, v22.16b, v25.16b
1.1  christos 	eor	v26.16b, v26.16b, v8.16b
1.1  christos 	and	v16.16b, v16.16b, v23.16b
1.1  christos 	and	v22.16b, v22.16b, v25.16b
1.1  christos 	and	v21.16b, v24.16b, v21.16b
1.1  christos 	eor	v8.16b, v28.16b, v8.16b
1.1  christos 	eor	v23.16b, v5.16b, v2.16b
1.1  christos 	eor	v24.16b, v1.16b, v6.16b
1.1  christos 	eor	v16.16b, v16.16b, v22.16b
1.1  christos 	eor	v22.16b, v3.16b, v0.16b
1.1  christos 	eor	v25.16b, v29.16b, v21.16b
1.1  christos 	eor	v21.16b, v26.16b, v21.16b
1.1  christos 	eor	v8.16b, v8.16b, v20.16b
1.1  christos 	eor	v26.16b, v23.16b, v24.16b
1.1  christos 	eor	v16.16b, v16.16b, v20.16b
1.1  christos 	eor	v28.16b, v22.16b, v19.16b
1.1  christos 	eor	v20.16b, v25.16b, v20.16b
1.1  christos 	eor	v9.16b, v21.16b, v9.16b
1.1  christos 	eor	v8.16b, v8.16b, v18.16b
1.1  christos 	eor	v18.16b, v5.16b, v1.16b
1.1  christos 	eor	v21.16b, v16.16b, v17.16b
1.1  christos 	eor	v16.16b, v16.16b, v17.16b
1.1  christos 	eor	v17.16b, v20.16b, v27.16b
1.1  christos 	eor	v20.16b, v3.16b, v7.16b
1.1  christos 	eor	v25.16b, v9.16b, v8.16b
1.1  christos 	eor	v27.16b, v0.16b, v4.16b
1.1  christos 	and	v29.16b, v9.16b, v17.16b
1.1  christos 	eor	v30.16b, v8.16b, v29.16b
1.1  christos 	eor	v31.16b, v21.16b, v29.16b
1.1  christos 	eor	v29.16b, v21.16b, v29.16b
1.1  christos 	bsl	v30.16b, v17.16b, v21.16b
1.1  christos 	bsl	v31.16b, v9.16b, v8.16b
1.1  christos 	bsl	v16.16b, v30.16b, v29.16b
1.1  christos 	bsl	v21.16b, v29.16b, v30.16b
1.1  christos 	eor	v8.16b, v31.16b, v30.16b
1.1  christos 	and	v1.16b, v1.16b, v31.16b
1.1  christos 	and	v9.16b, v16.16b, v31.16b
1.1  christos 	and	v6.16b, v6.16b, v30.16b
1.1  christos 	eor	v16.16b, v17.16b, v21.16b
1.1  christos 	and	v4.16b, v4.16b, v30.16b
1.1  christos 	eor	v17.16b, v8.16b, v30.16b
1.1  christos 	and	v21.16b, v24.16b, v8.16b
1.1  christos 	eor	v9.16b, v9.16b, v25.16b
1.1  christos 	and	v19.16b, v19.16b, v8.16b
1.1  christos 	eor	v24.16b, v30.16b, v16.16b
1.1  christos 	eor	v25.16b, v30.16b, v16.16b
1.1  christos 	and	v7.16b, v7.16b, v17.16b
1.1  christos 	and	v10.16b, v10.16b, v16.16b
1.1  christos 	eor	v29.16b, v9.16b, v16.16b
1.1  christos 	eor	v30.16b, v31.16b, v9.16b
1.1  christos 	and	v0.16b, v24.16b, v0.16b
1.1  christos 	and	v9.16b, v18.16b, v9.16b
1.1  christos 	and	v2.16b, v25.16b, v2.16b
1.1  christos 	eor	v10.16b, v10.16b, v6.16b
1.1  christos 	eor	v18.16b, v29.16b, v16.16b
1.1  christos 	and	v5.16b, v30.16b, v5.16b
1.1  christos 	eor	v24.16b, v8.16b, v29.16b
1.1  christos 	and	v25.16b, v26.16b, v29.16b
1.1  christos 	and	v26.16b, v28.16b, v29.16b
1.1  christos 	eor	v8.16b, v8.16b, v29.16b
1.1  christos 	eor	v17.16b, v17.16b, v18.16b
1.1  christos 	eor	v5.16b, v1.16b, v5.16b
1.1  christos 	and	v23.16b, v24.16b, v23.16b
1.1  christos 	eor	v21.16b, v21.16b, v25.16b
1.1  christos 	eor	v19.16b, v19.16b, v26.16b
1.1  christos 	eor	v0.16b, v4.16b, v0.16b
1.1  christos 	and	v3.16b, v17.16b, v3.16b
1.1  christos 	eor	v1.16b, v9.16b, v1.16b
1.1  christos 	eor	v9.16b, v25.16b, v23.16b
1.1  christos 	eor	v5.16b, v5.16b, v21.16b
1.1  christos 	eor	v2.16b, v6.16b, v2.16b
1.1  christos 	and	v6.16b, v8.16b, v22.16b
1.1  christos 	eor	v3.16b, v7.16b, v3.16b
1.1  christos 	and	v8.16b, v20.16b, v18.16b
1.1  christos 	eor	v10.16b, v10.16b, v9.16b
1.1  christos 	eor	v0.16b, v0.16b, v19.16b
1.1  christos 	eor	v9.16b, v1.16b, v9.16b
1.1  christos 	eor	v1.16b, v2.16b, v21.16b
1.1  christos 	eor	v3.16b, v3.16b, v19.16b
1.1  christos 	and	v16.16b, v27.16b, v16.16b
1.1  christos 	eor	v17.16b, v26.16b, v6.16b
1.1  christos 	eor	v6.16b, v8.16b, v7.16b
1.1  christos 	eor	v7.16b, v1.16b, v9.16b
1.1  christos 	eor	v1.16b, v5.16b, v3.16b
1.1  christos 	eor	v2.16b, v10.16b, v3.16b
1.1  christos 	eor	v4.16b, v16.16b, v4.16b
1.1  christos 	eor	v8.16b, v6.16b, v17.16b
1.1  christos 	eor	v5.16b, v9.16b, v3.16b
1.1  christos 	eor	v9.16b, v0.16b, v1.16b
1.1  christos 	eor	v6.16b, v7.16b, v1.16b
1.1  christos 	eor	v0.16b, v4.16b, v17.16b
1.1  christos 	eor	v4.16b, v8.16b, v7.16b
1.1  christos 	eor	v7.16b, v9.16b, v2.16b
1.1  christos 	eor	v8.16b, v3.16b, v0.16b
1.1  christos 	eor	v7.16b, v7.16b, v5.16b
1.1  christos 	eor	v3.16b, v4.16b, v7.16b
1.1  christos 	eor	v4.16b, v7.16b, v0.16b
1.1  christos 	eor	v7.16b, v8.16b, v3.16b
1.1  christos 	bcc	.Ldec_done
1.1  christos 	ext	v8.16b, v0.16b, v0.16b, #8
1.1  christos 	ext	v9.16b, v1.16b, v1.16b, #8
1.1  christos 	ldr	q28, [x11]                  // load from .LISR in common case (x10 > 0)
1.1  christos 	ext	v10.16b, v6.16b, v6.16b, #8
1.1  christos 	ext	v16.16b, v3.16b, v3.16b, #8
1.1  christos 	ext	v17.16b, v5.16b, v5.16b, #8
1.1  christos 	ext	v18.16b, v4.16b, v4.16b, #8
1.1  christos 	eor	v8.16b, v8.16b, v0.16b
1.1  christos 	eor	v9.16b, v9.16b, v1.16b
1.1  christos 	eor	v10.16b, v10.16b, v6.16b
1.1  christos 	eor	v16.16b, v16.16b, v3.16b
1.1  christos 	eor	v17.16b, v17.16b, v5.16b
1.1  christos 	ext	v19.16b, v2.16b, v2.16b, #8
1.1  christos 	ext	v20.16b, v7.16b, v7.16b, #8
1.1  christos 	eor	v18.16b, v18.16b, v4.16b
1.1  christos 	eor	v6.16b, v6.16b, v8.16b
1.1  christos 	eor	v8.16b, v2.16b, v10.16b
1.1  christos 	eor	v4.16b, v4.16b, v9.16b
1.1  christos 	eor	v2.16b, v19.16b, v2.16b
1.1  christos 	eor	v9.16b, v20.16b, v7.16b
1.1  christos 	eor	v0.16b, v0.16b, v16.16b
1.1  christos 	eor	v1.16b, v1.16b, v16.16b
1.1  christos 	eor	v6.16b, v6.16b, v17.16b
1.1  christos 	eor	v8.16b, v8.16b, v16.16b
1.1  christos 	eor	v7.16b, v7.16b, v18.16b
1.1  christos 	eor	v4.16b, v4.16b, v16.16b
1.1  christos 	eor	v2.16b, v3.16b, v2.16b
1.1  christos 	eor	v1.16b, v1.16b, v17.16b
1.1  christos 	eor	v3.16b, v5.16b, v9.16b
1.1  christos 	eor	v5.16b, v8.16b, v17.16b
1.1  christos 	eor	v7.16b, v7.16b, v17.16b
1.1  christos 	ext	v8.16b, v0.16b, v0.16b, #12
1.1  christos 	ext	v9.16b, v6.16b, v6.16b, #12
1.1  christos 	ext	v10.16b, v4.16b, v4.16b, #12
1.1  christos 	ext	v16.16b, v1.16b, v1.16b, #12
1.1  christos 	ext	v17.16b, v5.16b, v5.16b, #12
1.1  christos 	ext	v18.16b, v7.16b, v7.16b, #12
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	eor	v6.16b, v6.16b, v9.16b
1.1  christos 	eor	v4.16b, v4.16b, v10.16b
1.1  christos 	ext	v19.16b, v2.16b, v2.16b, #12
1.1  christos 	ext	v20.16b, v3.16b, v3.16b, #12
1.1  christos 	eor	v1.16b, v1.16b, v16.16b
1.1  christos 	eor	v5.16b, v5.16b, v17.16b
1.1  christos 	eor	v7.16b, v7.16b, v18.16b
1.1  christos 	eor	v2.16b, v2.16b, v19.16b
1.1  christos 	eor	v16.16b, v16.16b, v0.16b
1.1  christos 	eor	v3.16b, v3.16b, v20.16b
1.1  christos 	eor	v17.16b, v17.16b, v4.16b
1.1  christos 	eor	v10.16b, v10.16b, v6.16b
1.1  christos 	ext	v0.16b, v0.16b, v0.16b, #8
1.1  christos 	eor	v9.16b, v9.16b, v1.16b
1.1  christos 	ext	v1.16b, v1.16b, v1.16b, #8
1.1  christos 	eor	v8.16b, v8.16b, v3.16b
1.1  christos 	eor	v16.16b, v16.16b, v3.16b
1.1  christos 	eor	v18.16b, v18.16b, v5.16b
1.1  christos 	eor	v19.16b, v19.16b, v7.16b
1.1  christos 	ext	v21.16b, v5.16b, v5.16b, #8
1.1  christos 	ext	v5.16b, v7.16b, v7.16b, #8
1.1  christos 	eor	v7.16b, v20.16b, v2.16b
1.1  christos 	ext	v4.16b, v4.16b, v4.16b, #8
1.1  christos 	ext	v20.16b, v3.16b, v3.16b, #8
1.1  christos 	eor	v17.16b, v17.16b, v3.16b
1.1  christos 	ext	v2.16b, v2.16b, v2.16b, #8
1.1  christos 	eor	v3.16b, v10.16b, v3.16b
1.1  christos 	ext	v10.16b, v6.16b, v6.16b, #8
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	eor	v1.16b, v1.16b, v16.16b
1.1  christos 	eor	v5.16b, v5.16b, v18.16b
1.1  christos 	eor	v3.16b, v3.16b, v4.16b
1.1  christos 	eor	v7.16b, v20.16b, v7.16b
1.1  christos 	eor	v6.16b, v2.16b, v19.16b
1.1  christos 	eor	v4.16b, v21.16b, v17.16b
1.1  christos 	eor	v2.16b, v10.16b, v9.16b
1.1  christos 	bne	.Ldec_loop
1.1  christos 	ldr	q28, [x11, #16]!            // load from .LISRM0 on last round (x10 == 0)
1.1  christos 	b	.Ldec_loop
1.1  christos .align	4
1.1  christos .Ldec_done:
1.1  christos 	ushr	v8.2d, v0.2d, #1
1.1  christos 	movi	v9.16b, #0x55
1.1  christos 	ldr	q10, [x9]
1.1  christos 	ushr	v16.2d, v2.2d, #1
1.1  christos 	movi	v17.16b, #0x33
1.1  christos 	ushr	v18.2d, v6.2d, #1
1.1  christos 	movi	v19.16b, #0x0f
1.1  christos 	eor	v8.16b, v8.16b, v1.16b
1.1  christos 	ushr	v20.2d, v3.2d, #1
1.1  christos 	eor	v16.16b, v16.16b, v7.16b
1.1  christos 	eor	v18.16b, v18.16b, v4.16b
1.1  christos 	and	v8.16b, v8.16b, v9.16b
1.1  christos 	eor	v20.16b, v20.16b, v5.16b
1.1  christos 	and	v16.16b, v16.16b, v9.16b
1.1  christos 	and	v18.16b, v18.16b, v9.16b
1.1  christos 	shl	v21.2d, v8.2d, #1
1.1  christos 	eor	v1.16b, v1.16b, v8.16b
1.1  christos 	and	v8.16b, v20.16b, v9.16b
1.1  christos 	eor	v7.16b, v7.16b, v16.16b
1.1  christos 	shl	v9.2d, v16.2d, #1
1.1  christos 	eor	v4.16b, v4.16b, v18.16b
1.1  christos 	shl	v16.2d, v18.2d, #1
1.1  christos 	eor	v0.16b, v0.16b, v21.16b
1.1  christos 	shl	v18.2d, v8.2d, #1
1.1  christos 	eor	v5.16b, v5.16b, v8.16b
1.1  christos 	eor	v2.16b, v2.16b, v9.16b
1.1  christos 	eor	v6.16b, v6.16b, v16.16b
1.1  christos 	ushr	v8.2d, v1.2d, #2
1.1  christos 	eor	v3.16b, v3.16b, v18.16b
1.1  christos 	ushr	v9.2d, v0.2d, #2
1.1  christos 	ushr	v16.2d, v7.2d, #2
1.1  christos 	ushr	v18.2d, v2.2d, #2
1.1  christos 	eor	v8.16b, v8.16b, v4.16b
1.1  christos 	eor	v9.16b, v9.16b, v6.16b
1.1  christos 	eor	v16.16b, v16.16b, v5.16b
1.1  christos 	eor	v18.16b, v18.16b, v3.16b
1.1  christos 	and	v8.16b, v8.16b, v17.16b
1.1  christos 	and	v9.16b, v9.16b, v17.16b
1.1  christos 	and	v16.16b, v16.16b, v17.16b
1.1  christos 	and	v17.16b, v18.16b, v17.16b
1.1  christos 	eor	v4.16b, v4.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #2
1.1  christos 	eor	v6.16b, v6.16b, v9.16b
1.1  christos 	shl	v9.2d, v9.2d, #2
1.1  christos 	eor	v5.16b, v5.16b, v16.16b
1.1  christos 	shl	v16.2d, v16.2d, #2
1.1  christos 	eor	v3.16b, v3.16b, v17.16b
1.1  christos 	shl	v17.2d, v17.2d, #2
1.1  christos 	eor	v1.16b, v1.16b, v8.16b
1.1  christos 	eor	v0.16b, v0.16b, v9.16b
1.1  christos 	eor	v7.16b, v7.16b, v16.16b
1.1  christos 	eor	v2.16b, v2.16b, v17.16b
1.1  christos 	ushr	v8.2d, v4.2d, #4
1.1  christos 	ushr	v9.2d, v6.2d, #4
1.1  christos 	ushr	v16.2d, v1.2d, #4
1.1  christos 	ushr	v17.2d, v0.2d, #4
1.1  christos 	eor	v8.16b, v8.16b, v5.16b
1.1  christos 	eor	v9.16b, v9.16b, v3.16b
1.1  christos 	eor	v16.16b, v16.16b, v7.16b
1.1  christos 	eor	v17.16b, v17.16b, v2.16b
1.1  christos 	and	v8.16b, v8.16b, v19.16b
1.1  christos 	and	v9.16b, v9.16b, v19.16b
1.1  christos 	and	v16.16b, v16.16b, v19.16b
1.1  christos 	and	v17.16b, v17.16b, v19.16b
1.1  christos 	eor	v5.16b, v5.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #4
1.1  christos 	eor	v3.16b, v3.16b, v9.16b
1.1  christos 	shl	v9.2d, v9.2d, #4
1.1  christos 	eor	v7.16b, v7.16b, v16.16b
1.1  christos 	shl	v16.2d, v16.2d, #4
1.1  christos 	eor	v2.16b, v2.16b, v17.16b
1.1  christos 	shl	v17.2d, v17.2d, #4
1.1  christos 	eor	v4.16b, v4.16b, v8.16b
1.1  christos 	eor	v6.16b, v6.16b, v9.16b
1.1  christos 	eor	v7.16b, v7.16b, v10.16b
1.1  christos 	eor	v1.16b, v1.16b, v16.16b
1.1  christos 	eor	v2.16b, v2.16b, v10.16b
1.1  christos 	eor	v0.16b, v0.16b, v17.16b
1.1  christos 	eor	v4.16b, v4.16b, v10.16b
1.1  christos 	eor	v6.16b, v6.16b, v10.16b
1.1  christos 	eor	v3.16b, v3.16b, v10.16b
1.1  christos 	eor	v5.16b, v5.16b, v10.16b
1.1  christos 	eor	v1.16b, v1.16b, v10.16b
1.1  christos 	eor	v0.16b, v0.16b, v10.16b
1.1  christos 	ret
1.1  christos .size	_bsaes_decrypt8,.-_bsaes_decrypt8
1.1  christos
1.1  christos .section	.rodata
1.1  christos .type	_bsaes_consts,%object
1.1  christos .align	6
1.1  christos _bsaes_consts:
1.1  christos // InvShiftRows constants
1.1  christos // Used in _bsaes_decrypt8, which assumes contiguity
1.1  christos // .LM0ISR used with round 0 key
1.1  christos // .LISR   used with middle round keys
1.1  christos // .LISRM0 used with final round key
1.1  christos .LM0ISR:
1.1  christos .quad	0x0a0e0206070b0f03, 0x0004080c0d010509
1.1  christos .LISR:
1.1  christos .quad	0x0504070602010003, 0x0f0e0d0c080b0a09
1.1  christos .LISRM0:
1.1  christos .quad	0x01040b0e0205080f, 0x0306090c00070a0d
1.1  christos
1.1  christos // ShiftRows constants
1.1  christos // Used in _bsaes_encrypt8, which assumes contiguity
1.1  christos // .LM0SR used with round 0 key
1.1  christos // .LSR   used with middle round keys
1.1  christos // .LSRM0 used with final round key
1.1  christos .LM0SR:
1.1  christos .quad	0x0a0e02060f03070b, 0x0004080c05090d01
1.1  christos .LSR:
1.1  christos .quad	0x0504070600030201, 0x0f0e0d0c0a09080b
1.1  christos .LSRM0:
1.1  christos .quad	0x0304090e00050a0f, 0x01060b0c0207080d
1.1  christos
1.1  christos .LM0_bigendian:
1.1  christos .quad	0x02060a0e03070b0f, 0x0004080c0105090d
1.1  christos .LM0_littleendian:
1.1  christos .quad	0x0105090d0004080c, 0x03070b0f02060a0e
1.1  christos
1.1  christos // Used in ossl_bsaes_ctr32_encrypt_blocks, prior to dropping into
1.1  christos // _bsaes_encrypt8_alt, for round 0 key in place of .LM0SR
1.1  christos .LREVM0SR:
1.1  christos .quad	0x090d01050c000408, 0x03070b0f060a0e02
1.1  christos
1.1  christos .align	6
1.1  christos .size	_bsaes_consts,.-_bsaes_consts
1.1  christos
1.1  christos .previous
1.1  christos
1.1  christos .type	_bsaes_encrypt8,%function
1.1  christos .align	4
1.1  christos // On entry:
1.1  christos //   x9 -> key (previously expanded using _bsaes_key_convert)
1.1  christos //   x10 = number of rounds
1.1  christos //   v0-v7 input data
1.1  christos // On exit:
1.1  christos //   x9-x11 corrupted
1.1  christos //   other general-purpose registers preserved
1.1  christos //   v0-v7 output data
1.1  christos //   v11-v15 preserved
1.1  christos //   other SIMD registers corrupted
1.1  christos _bsaes_encrypt8:
1.1  christos 	ldr	q8, [x9], #16
1.1  christos 	adrp	x11, .LM0SR
1.1  christos 	add	x11, x11, #:lo12:.LM0SR
1.1  christos 	ldr	q9, [x11], #16
1.1  christos _bsaes_encrypt8_alt:
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	eor	v1.16b, v1.16b, v8.16b
1.1  christos 	sub	x10, x10, #1
1.1  christos 	eor	v2.16b, v2.16b, v8.16b
1.1  christos 	eor	v4.16b, v4.16b, v8.16b
1.1  christos 	eor	v3.16b, v3.16b, v8.16b
1.1  christos 	eor	v5.16b, v5.16b, v8.16b
1.1  christos 	tbl	v0.16b, {v0.16b}, v9.16b
1.1  christos 	tbl	v1.16b, {v1.16b}, v9.16b
1.1  christos 	tbl	v2.16b, {v2.16b}, v9.16b
1.1  christos 	tbl	v4.16b, {v4.16b}, v9.16b
1.1  christos 	eor	v6.16b, v6.16b, v8.16b
1.1  christos 	eor	v7.16b, v7.16b, v8.16b
1.1  christos 	tbl	v3.16b, {v3.16b}, v9.16b
1.1  christos 	tbl	v5.16b, {v5.16b}, v9.16b
1.1  christos 	tbl	v6.16b, {v6.16b}, v9.16b
1.1  christos 	ushr	v8.2d, v0.2d, #1
1.1  christos 	movi	v10.16b, #0x55
1.1  christos 	tbl	v7.16b, {v7.16b}, v9.16b
1.1  christos 	ushr	v9.2d, v4.2d, #1
1.1  christos 	movi	v16.16b, #0x33
1.1  christos 	ushr	v17.2d, v2.2d, #1
1.1  christos 	eor	v8.16b, v8.16b, v1.16b
1.1  christos 	movi	v18.16b, #0x0f
1.1  christos 	ushr	v19.2d, v6.2d, #1
1.1  christos 	eor	v9.16b, v9.16b, v5.16b
1.1  christos 	eor	v17.16b, v17.16b, v3.16b
1.1  christos 	and	v8.16b, v8.16b, v10.16b
1.1  christos 	eor	v19.16b, v19.16b, v7.16b
1.1  christos 	and	v9.16b, v9.16b, v10.16b
1.1  christos 	and	v17.16b, v17.16b, v10.16b
1.1  christos 	eor	v1.16b, v1.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #1
1.1  christos 	and	v10.16b, v19.16b, v10.16b
1.1  christos 	eor	v5.16b, v5.16b, v9.16b
1.1  christos 	shl	v9.2d, v9.2d, #1
1.1  christos 	eor	v3.16b, v3.16b, v17.16b
1.1  christos 	shl	v17.2d, v17.2d, #1
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	shl	v8.2d, v10.2d, #1
1.1  christos 	eor	v7.16b, v7.16b, v10.16b
1.1  christos 	eor	v4.16b, v4.16b, v9.16b
1.1  christos 	eor	v2.16b, v2.16b, v17.16b
1.1  christos 	ushr	v9.2d, v1.2d, #2
1.1  christos 	eor	v6.16b, v6.16b, v8.16b
1.1  christos 	ushr	v8.2d, v0.2d, #2
1.1  christos 	ushr	v10.2d, v5.2d, #2
1.1  christos 	ushr	v17.2d, v4.2d, #2
1.1  christos 	eor	v9.16b, v9.16b, v3.16b
1.1  christos 	eor	v8.16b, v8.16b, v2.16b
1.1  christos 	eor	v10.16b, v10.16b, v7.16b
1.1  christos 	eor	v17.16b, v17.16b, v6.16b
1.1  christos 	and	v9.16b, v9.16b, v16.16b
1.1  christos 	and	v8.16b, v8.16b, v16.16b
1.1  christos 	and	v10.16b, v10.16b, v16.16b
1.1  christos 	and	v16.16b, v17.16b, v16.16b
1.1  christos 	eor	v3.16b, v3.16b, v9.16b
1.1  christos 	shl	v9.2d, v9.2d, #2
1.1  christos 	eor	v2.16b, v2.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #2
1.1  christos 	eor	v7.16b, v7.16b, v10.16b
1.1  christos 	shl	v10.2d, v10.2d, #2
1.1  christos 	eor	v6.16b, v6.16b, v16.16b
1.1  christos 	shl	v16.2d, v16.2d, #2
1.1  christos 	eor	v1.16b, v1.16b, v9.16b
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	eor	v5.16b, v5.16b, v10.16b
1.1  christos 	eor	v4.16b, v4.16b, v16.16b
1.1  christos 	ushr	v8.2d, v3.2d, #4
1.1  christos 	ushr	v9.2d, v2.2d, #4
1.1  christos 	ushr	v10.2d, v1.2d, #4
1.1  christos 	ushr	v16.2d, v0.2d, #4
1.1  christos 	eor	v8.16b, v8.16b, v7.16b
1.1  christos 	eor	v9.16b, v9.16b, v6.16b
1.1  christos 	eor	v10.16b, v10.16b, v5.16b
1.1  christos 	eor	v16.16b, v16.16b, v4.16b
1.1  christos 	and	v8.16b, v8.16b, v18.16b
1.1  christos 	and	v9.16b, v9.16b, v18.16b
1.1  christos 	and	v10.16b, v10.16b, v18.16b
1.1  christos 	and	v16.16b, v16.16b, v18.16b
1.1  christos 	eor	v7.16b, v7.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #4
1.1  christos 	eor	v6.16b, v6.16b, v9.16b
1.1  christos 	shl	v9.2d, v9.2d, #4
1.1  christos 	eor	v5.16b, v5.16b, v10.16b
1.1  christos 	shl	v10.2d, v10.2d, #4
1.1  christos 	eor	v4.16b, v4.16b, v16.16b
1.1  christos 	shl	v16.2d, v16.2d, #4
1.1  christos 	eor	v3.16b, v3.16b, v8.16b
1.1  christos 	eor	v2.16b, v2.16b, v9.16b
1.1  christos 	eor	v1.16b, v1.16b, v10.16b
1.1  christos 	eor	v0.16b, v0.16b, v16.16b
1.1  christos 	b	.Lenc_sbox
1.1  christos .align	4
1.1  christos .Lenc_loop:
1.1  christos 	ld1	{v16.16b, v17.16b, v18.16b, v19.16b}, [x9], #64
1.1  christos 	ldp	q8, q9, [x9], #32
1.1  christos 	eor	v0.16b, v16.16b, v0.16b
1.1  christos 	ldr	q10, [x9], #16
1.1  christos 	eor	v1.16b, v17.16b, v1.16b
1.1  christos 	ldr	q16, [x9], #16
1.1  christos 	eor	v2.16b, v18.16b, v2.16b
1.1  christos 	eor	v3.16b, v19.16b, v3.16b
1.1  christos 	eor	v4.16b, v8.16b, v4.16b
1.1  christos 	eor	v5.16b, v9.16b, v5.16b
1.1  christos 	eor	v6.16b, v10.16b, v6.16b
1.1  christos 	eor	v7.16b, v16.16b, v7.16b
1.1  christos 	tbl	v0.16b, {v0.16b}, v28.16b
1.1  christos 	tbl	v1.16b, {v1.16b}, v28.16b
1.1  christos 	tbl	v2.16b, {v2.16b}, v28.16b
1.1  christos 	tbl	v3.16b, {v3.16b}, v28.16b
1.1  christos 	tbl	v4.16b, {v4.16b}, v28.16b
1.1  christos 	tbl	v5.16b, {v5.16b}, v28.16b
1.1  christos 	tbl	v6.16b, {v6.16b}, v28.16b
1.1  christos 	tbl	v7.16b, {v7.16b}, v28.16b
1.1  christos .Lenc_sbox:
1.1  christos 	eor	v5.16b, v5.16b, v6.16b
1.1  christos 	eor	v3.16b, v3.16b, v0.16b
1.1  christos 	subs	x10, x10, #1
1.1  christos 	eor	v2.16b, v2.16b, v1.16b
1.1  christos 	eor	v5.16b, v5.16b, v0.16b
1.1  christos 	eor	v8.16b, v3.16b, v7.16b
1.1  christos 	eor	v6.16b, v6.16b, v2.16b
1.1  christos 	eor	v7.16b, v7.16b, v5.16b
1.1  christos 	eor	v8.16b, v8.16b, v4.16b
1.1  christos 	eor	v3.16b, v6.16b, v3.16b
1.1  christos 	eor	v4.16b, v4.16b, v5.16b
1.1  christos 	eor	v6.16b, v1.16b, v5.16b
1.1  christos 	eor	v2.16b, v2.16b, v7.16b
1.1  christos 	eor	v1.16b, v8.16b, v1.16b
1.1  christos 	eor	v8.16b, v7.16b, v4.16b
1.1  christos 	eor	v9.16b, v3.16b, v0.16b
1.1  christos 	eor	v10.16b, v7.16b, v6.16b
1.1  christos 	eor	v16.16b, v5.16b, v3.16b
1.1  christos 	eor	v17.16b, v6.16b, v2.16b
1.1  christos 	eor	v18.16b, v5.16b, v1.16b
1.1  christos 	eor	v19.16b, v2.16b, v4.16b
1.1  christos 	eor	v20.16b, v1.16b, v0.16b
1.1  christos 	orr	v21.16b, v8.16b, v9.16b
1.1  christos 	orr	v22.16b, v10.16b, v16.16b
1.1  christos 	eor	v23.16b, v8.16b, v17.16b
1.1  christos 	eor	v24.16b, v9.16b, v18.16b
1.1  christos 	and	v19.16b, v19.16b, v20.16b
1.1  christos 	orr	v20.16b, v17.16b, v18.16b
1.1  christos 	and	v8.16b, v8.16b, v9.16b
1.1  christos 	and	v9.16b, v17.16b, v18.16b
1.1  christos 	and	v17.16b, v23.16b, v24.16b
1.1  christos 	and	v10.16b, v10.16b, v16.16b
1.1  christos 	eor	v16.16b, v21.16b, v19.16b
1.1  christos 	eor	v18.16b, v20.16b, v19.16b
1.1  christos 	and	v19.16b, v2.16b, v1.16b
1.1  christos 	and	v20.16b, v6.16b, v5.16b
1.1  christos 	eor	v21.16b, v22.16b, v17.16b
1.1  christos 	eor	v9.16b, v9.16b, v10.16b
1.1  christos 	eor	v10.16b, v16.16b, v17.16b
1.1  christos 	eor	v16.16b, v18.16b, v8.16b
1.1  christos 	and	v17.16b, v4.16b, v0.16b
1.1  christos 	orr	v18.16b, v7.16b, v3.16b
1.1  christos 	eor	v21.16b, v21.16b, v8.16b
1.1  christos 	eor	v8.16b, v9.16b, v8.16b
1.1  christos 	eor	v9.16b, v10.16b, v19.16b
1.1  christos 	eor	v10.16b, v3.16b, v0.16b
1.1  christos 	eor	v16.16b, v16.16b, v17.16b
1.1  christos 	eor	v17.16b, v5.16b, v1.16b
1.1  christos 	eor	v19.16b, v21.16b, v20.16b
1.1  christos 	eor	v20.16b, v8.16b, v18.16b
1.1  christos 	eor	v8.16b, v8.16b, v18.16b
1.1  christos 	eor	v18.16b, v7.16b, v4.16b
1.1  christos 	eor	v21.16b, v9.16b, v16.16b
1.1  christos 	eor	v22.16b, v6.16b, v2.16b
1.1  christos 	and	v23.16b, v9.16b, v19.16b
1.1  christos 	eor	v24.16b, v10.16b, v17.16b
1.1  christos 	eor	v25.16b, v0.16b, v1.16b
1.1  christos 	eor	v26.16b, v7.16b, v6.16b
1.1  christos 	eor	v27.16b, v18.16b, v22.16b
1.1  christos 	eor	v28.16b, v3.16b, v5.16b
1.1  christos 	eor	v29.16b, v16.16b, v23.16b
1.1  christos 	eor	v30.16b, v20.16b, v23.16b
1.1  christos 	eor	v23.16b, v20.16b, v23.16b
1.1  christos 	eor	v31.16b, v4.16b, v2.16b
1.1  christos 	bsl	v29.16b, v19.16b, v20.16b
1.1  christos 	bsl	v30.16b, v9.16b, v16.16b
1.1  christos 	bsl	v8.16b, v29.16b, v23.16b
1.1  christos 	bsl	v20.16b, v23.16b, v29.16b
1.1  christos 	eor	v9.16b, v30.16b, v29.16b
1.1  christos 	and	v5.16b, v5.16b, v30.16b
1.1  christos 	and	v8.16b, v8.16b, v30.16b
1.1  christos 	and	v1.16b, v1.16b, v29.16b
1.1  christos 	eor	v16.16b, v19.16b, v20.16b
1.1  christos 	and	v2.16b, v2.16b, v29.16b
1.1  christos 	eor	v19.16b, v9.16b, v29.16b
1.1  christos 	and	v17.16b, v17.16b, v9.16b
1.1  christos 	eor	v8.16b, v8.16b, v21.16b
1.1  christos 	and	v20.16b, v22.16b, v9.16b
1.1  christos 	eor	v21.16b, v29.16b, v16.16b
1.1  christos 	eor	v22.16b, v29.16b, v16.16b
1.1  christos 	and	v23.16b, v25.16b, v16.16b
1.1  christos 	and	v6.16b, v6.16b, v19.16b
1.1  christos 	eor	v25.16b, v8.16b, v16.16b
1.1  christos 	eor	v29.16b, v30.16b, v8.16b
1.1  christos 	and	v4.16b, v21.16b, v4.16b
1.1  christos 	and	v8.16b, v28.16b, v8.16b
1.1  christos 	and	v0.16b, v22.16b, v0.16b
1.1  christos 	eor	v21.16b, v23.16b, v1.16b
1.1  christos 	eor	v22.16b, v9.16b, v25.16b
1.1  christos 	eor	v9.16b, v9.16b, v25.16b
1.1  christos 	eor	v23.16b, v25.16b, v16.16b
1.1  christos 	and	v3.16b, v29.16b, v3.16b
1.1  christos 	and	v24.16b, v24.16b, v25.16b
1.1  christos 	and	v25.16b, v27.16b, v25.16b
1.1  christos 	and	v10.16b, v22.16b, v10.16b
1.1  christos 	and	v9.16b, v9.16b, v18.16b
1.1  christos 	eor	v18.16b, v19.16b, v23.16b
1.1  christos 	and	v19.16b, v26.16b, v23.16b
1.1  christos 	eor	v3.16b, v5.16b, v3.16b
1.1  christos 	eor	v17.16b, v17.16b, v24.16b
1.1  christos 	eor	v10.16b, v24.16b, v10.16b
1.1  christos 	and	v16.16b, v31.16b, v16.16b
1.1  christos 	eor	v20.16b, v20.16b, v25.16b
1.1  christos 	eor	v9.16b, v25.16b, v9.16b
1.1  christos 	eor	v4.16b, v2.16b, v4.16b
1.1  christos 	and	v7.16b, v18.16b, v7.16b
1.1  christos 	eor	v18.16b, v19.16b, v6.16b
1.1  christos 	eor	v5.16b, v8.16b, v5.16b
1.1  christos 	eor	v0.16b, v1.16b, v0.16b
1.1  christos 	eor	v1.16b, v21.16b, v10.16b
1.1  christos 	eor	v8.16b, v3.16b, v17.16b
1.1  christos 	eor	v2.16b, v16.16b, v2.16b
1.1  christos 	eor	v3.16b, v6.16b, v7.16b
1.1  christos 	eor	v6.16b, v18.16b, v9.16b
1.1  christos 	eor	v4.16b, v4.16b, v20.16b
1.1  christos 	eor	v10.16b, v5.16b, v10.16b
1.1  christos 	eor	v0.16b, v0.16b, v17.16b
1.1  christos 	eor	v9.16b, v2.16b, v9.16b
1.1  christos 	eor	v3.16b, v3.16b, v20.16b
1.1  christos 	eor	v7.16b, v6.16b, v1.16b
1.1  christos 	eor	v5.16b, v8.16b, v4.16b
1.1  christos 	eor	v6.16b, v10.16b, v1.16b
1.1  christos 	eor	v2.16b, v4.16b, v0.16b
1.1  christos 	eor	v4.16b, v3.16b, v10.16b
1.1  christos 	eor	v9.16b, v9.16b, v7.16b
1.1  christos 	eor	v3.16b, v0.16b, v5.16b
1.1  christos 	eor	v0.16b, v1.16b, v4.16b
1.1  christos 	eor	v1.16b, v4.16b, v8.16b
1.1  christos 	eor	v4.16b, v9.16b, v5.16b
1.1  christos 	eor	v6.16b, v6.16b, v3.16b
1.1  christos 	bcc	.Lenc_done
1.1  christos 	ext	v8.16b, v0.16b, v0.16b, #12
1.1  christos 	ext	v9.16b, v4.16b, v4.16b, #12
1.1  christos 	ldr	q28, [x11]
1.1  christos 	ext	v10.16b, v6.16b, v6.16b, #12
1.1  christos 	ext	v16.16b, v1.16b, v1.16b, #12
1.1  christos 	ext	v17.16b, v3.16b, v3.16b, #12
1.1  christos 	ext	v18.16b, v7.16b, v7.16b, #12
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	eor	v4.16b, v4.16b, v9.16b
1.1  christos 	eor	v6.16b, v6.16b, v10.16b
1.1  christos 	ext	v19.16b, v2.16b, v2.16b, #12
1.1  christos 	ext	v20.16b, v5.16b, v5.16b, #12
1.1  christos 	eor	v1.16b, v1.16b, v16.16b
1.1  christos 	eor	v3.16b, v3.16b, v17.16b
1.1  christos 	eor	v7.16b, v7.16b, v18.16b
1.1  christos 	eor	v2.16b, v2.16b, v19.16b
1.1  christos 	eor	v16.16b, v16.16b, v0.16b
1.1  christos 	eor	v5.16b, v5.16b, v20.16b
1.1  christos 	eor	v17.16b, v17.16b, v6.16b
1.1  christos 	eor	v10.16b, v10.16b, v4.16b
1.1  christos 	ext	v0.16b, v0.16b, v0.16b, #8
1.1  christos 	eor	v9.16b, v9.16b, v1.16b
1.1  christos 	ext	v1.16b, v1.16b, v1.16b, #8
1.1  christos 	eor	v8.16b, v8.16b, v5.16b
1.1  christos 	eor	v16.16b, v16.16b, v5.16b
1.1  christos 	eor	v18.16b, v18.16b, v3.16b
1.1  christos 	eor	v19.16b, v19.16b, v7.16b
1.1  christos 	ext	v3.16b, v3.16b, v3.16b, #8
1.1  christos 	ext	v7.16b, v7.16b, v7.16b, #8
1.1  christos 	eor	v20.16b, v20.16b, v2.16b
1.1  christos 	ext	v6.16b, v6.16b, v6.16b, #8
1.1  christos 	ext	v21.16b, v5.16b, v5.16b, #8
1.1  christos 	eor	v17.16b, v17.16b, v5.16b
1.1  christos 	ext	v2.16b, v2.16b, v2.16b, #8
1.1  christos 	eor	v10.16b, v10.16b, v5.16b
1.1  christos 	ext	v22.16b, v4.16b, v4.16b, #8
1.1  christos 	eor	v0.16b, v0.16b, v8.16b
1.1  christos 	eor	v1.16b, v1.16b, v16.16b
1.1  christos 	eor	v5.16b, v7.16b, v18.16b
1.1  christos 	eor	v4.16b, v3.16b, v17.16b
1.1  christos 	eor	v3.16b, v6.16b, v10.16b
1.1  christos 	eor	v7.16b, v21.16b, v20.16b
1.1  christos 	eor	v6.16b, v2.16b, v19.16b
1.1  christos 	eor	v2.16b, v22.16b, v9.16b
1.1  christos 	bne	.Lenc_loop
1.1  christos 	ldr	q28, [x11, #16]!            // load from .LSRM0 on last round (x10 == 0)
1.1  christos 	b	.Lenc_loop
1.1  christos .align	4
1.1  christos .Lenc_done:
1.1  christos 	ushr	v8.2d, v0.2d, #1
1.1  christos 	movi	v9.16b, #0x55
1.1  christos 	ldr	q10, [x9]
1.1  christos 	ushr	v16.2d, v3.2d, #1
1.1  christos 	movi	v17.16b, #0x33
1.1  christos 	ushr	v18.2d, v4.2d, #1
1.1  christos 	movi	v19.16b, #0x0f
1.1  christos 	eor	v8.16b, v8.16b, v1.16b
1.1  christos 	ushr	v20.2d, v2.2d, #1
1.1  christos 	eor	v16.16b, v16.16b, v7.16b
1.1  christos 	eor	v18.16b, v18.16b, v6.16b
1.1  christos 	and	v8.16b, v8.16b, v9.16b
1.1  christos 	eor	v20.16b, v20.16b, v5.16b
1.1  christos 	and	v16.16b, v16.16b, v9.16b
1.1  christos 	and	v18.16b, v18.16b, v9.16b
1.1  christos 	shl	v21.2d, v8.2d, #1
1.1  christos 	eor	v1.16b, v1.16b, v8.16b
1.1  christos 	and	v8.16b, v20.16b, v9.16b
1.1  christos 	eor	v7.16b, v7.16b, v16.16b
1.1  christos 	shl	v9.2d, v16.2d, #1
1.1  christos 	eor	v6.16b, v6.16b, v18.16b
1.1  christos 	shl	v16.2d, v18.2d, #1
1.1  christos 	eor	v0.16b, v0.16b, v21.16b
1.1  christos 	shl	v18.2d, v8.2d, #1
1.1  christos 	eor	v5.16b, v5.16b, v8.16b
1.1  christos 	eor	v3.16b, v3.16b, v9.16b
1.1  christos 	eor	v4.16b, v4.16b, v16.16b
1.1  christos 	ushr	v8.2d, v1.2d, #2
1.1  christos 	eor	v2.16b, v2.16b, v18.16b
1.1  christos 	ushr	v9.2d, v0.2d, #2
1.1  christos 	ushr	v16.2d, v7.2d, #2
1.1  christos 	ushr	v18.2d, v3.2d, #2
1.1  christos 	eor	v8.16b, v8.16b, v6.16b
1.1  christos 	eor	v9.16b, v9.16b, v4.16b
1.1  christos 	eor	v16.16b, v16.16b, v5.16b
1.1  christos 	eor	v18.16b, v18.16b, v2.16b
1.1  christos 	and	v8.16b, v8.16b, v17.16b
1.1  christos 	and	v9.16b, v9.16b, v17.16b
1.1  christos 	and	v16.16b, v16.16b, v17.16b
1.1  christos 	and	v17.16b, v18.16b, v17.16b
1.1  christos 	eor	v6.16b, v6.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #2
1.1  christos 	eor	v4.16b, v4.16b, v9.16b
1.1  christos 	shl	v9.2d, v9.2d, #2
1.1  christos 	eor	v5.16b, v5.16b, v16.16b
1.1  christos 	shl	v16.2d, v16.2d, #2
1.1  christos 	eor	v2.16b, v2.16b, v17.16b
1.1  christos 	shl	v17.2d, v17.2d, #2
1.1  christos 	eor	v1.16b, v1.16b, v8.16b
1.1  christos 	eor	v0.16b, v0.16b, v9.16b
1.1  christos 	eor	v7.16b, v7.16b, v16.16b
1.1  christos 	eor	v3.16b, v3.16b, v17.16b
1.1  christos 	ushr	v8.2d, v6.2d, #4
1.1  christos 	ushr	v9.2d, v4.2d, #4
1.1  christos 	ushr	v16.2d, v1.2d, #4
1.1  christos 	ushr	v17.2d, v0.2d, #4
1.1  christos 	eor	v8.16b, v8.16b, v5.16b
1.1  christos 	eor	v9.16b, v9.16b, v2.16b
1.1  christos 	eor	v16.16b, v16.16b, v7.16b
1.1  christos 	eor	v17.16b, v17.16b, v3.16b
1.1  christos 	and	v8.16b, v8.16b, v19.16b
1.1  christos 	and	v9.16b, v9.16b, v19.16b
1.1  christos 	and	v16.16b, v16.16b, v19.16b
1.1  christos 	and	v17.16b, v17.16b, v19.16b
1.1  christos 	eor	v5.16b, v5.16b, v8.16b
1.1  christos 	shl	v8.2d, v8.2d, #4
1.1  christos 	eor	v2.16b, v2.16b, v9.16b
1.1  christos 	shl	v9.2d, v9.2d, #4
1.1  christos 	eor	v7.16b, v7.16b, v16.16b
1.1  christos 	shl	v16.2d, v16.2d, #4
1.1  christos 	eor	v3.16b, v3.16b, v17.16b
1.1  christos 	shl	v17.2d, v17.2d, #4
1.1  christos 	eor	v6.16b, v6.16b, v8.16b
1.1  christos 	eor	v4.16b, v4.16b, v9.16b
1.1  christos 	eor	v7.16b, v7.16b, v10.16b
1.1  christos 	eor	v1.16b, v1.16b, v16.16b
1.1  christos 	eor	v3.16b, v3.16b, v10.16b
1.1  christos 	eor	v0.16b, v0.16b, v17.16b
1.1  christos 	eor	v6.16b, v6.16b, v10.16b
1.1  christos 	eor	v4.16b, v4.16b, v10.16b
1.1  christos 	eor	v2.16b, v2.16b, v10.16b
1.1  christos 	eor	v5.16b, v5.16b, v10.16b
1.1  christos 	eor	v1.16b, v1.16b, v10.16b
1.1  christos 	eor	v0.16b, v0.16b, v10.16b
1.1  christos 	ret
1.1  christos .size	_bsaes_encrypt8,.-_bsaes_encrypt8
1.1  christos
1.1  christos .type	_bsaes_key_convert,%function
1.1  christos .align	4
1.1  christos // On entry:
1.1  christos //   x9 -> input key (big-endian)
1.1  christos //   x10 = number of rounds
1.1  christos //   x17 -> output key (native endianness)
1.1  christos // On exit:
1.1  christos //   x9, x10 corrupted
1.1  christos //   x11 -> .LM0_bigendian
1.1  christos //   x17 -> last quadword of output key
1.1  christos //   other general-purpose registers preserved
1.1  christos //   v2-v6 preserved
1.1  christos //   v7.16b[] = 0x63
1.1  christos //   v8-v14 preserved
1.1  christos //   v15 = last round key (converted to native endianness)
1.1  christos //   other SIMD registers corrupted
1.1  christos _bsaes_key_convert:
1.1  christos #ifdef __AARCH64EL__
1.1  christos 	adrp	x11, .LM0_littleendian
1.1  christos 	add	x11, x11, #:lo12:.LM0_littleendian
1.1  christos #else
1.1  christos 	adrp	x11, .LM0_bigendian
1.1  christos 	add	x11, x11, #:lo12:.LM0_bigendian
1.1  christos #endif
1.1  christos 	ldr	q0, [x9], #16               // load round 0 key
1.1  christos 	ldr	q1, [x11]                   // .LM0
1.1  christos 	ldr	q15, [x9], #16              // load round 1 key
1.1  christos
1.1  christos 	movi	v7.16b, #0x63               // compose .L63
1.1  christos 	movi	v16.16b, #0x01              // bit masks
1.1  christos 	movi	v17.16b, #0x02
1.1  christos 	movi	v18.16b, #0x04
1.1  christos 	movi	v19.16b, #0x08
1.1  christos 	movi	v20.16b, #0x10
1.1  christos 	movi	v21.16b, #0x20
1.1  christos 	movi	v22.16b, #0x40
1.1  christos 	movi	v23.16b, #0x80
1.1  christos
1.1  christos #ifdef __AARCH64EL__
1.1  christos 	rev32	v0.16b, v0.16b
1.1  christos #endif
1.1  christos 	sub	x10, x10, #1
1.1  christos 	str	q0, [x17], #16              // save round 0 key
1.1  christos
1.1  christos .align	4
1.1  christos .Lkey_loop:
1.1  christos 	tbl	v0.16b, {v15.16b}, v1.16b
1.1  christos 	ldr	q15, [x9], #16              // load next round key
1.1  christos
1.1  christos 	eor	v0.16b, v0.16b, v7.16b
1.1  christos 	cmtst	v24.16b, v0.16b, v16.16b
1.1  christos 	cmtst	v25.16b, v0.16b, v17.16b
1.1  christos 	cmtst	v26.16b, v0.16b, v18.16b
1.1  christos 	cmtst	v27.16b, v0.16b, v19.16b
1.1  christos 	cmtst	v28.16b, v0.16b, v20.16b
1.1  christos 	cmtst	v29.16b, v0.16b, v21.16b
1.1  christos 	cmtst	v30.16b, v0.16b, v22.16b
1.1  christos 	cmtst	v31.16b, v0.16b, v23.16b
1.1  christos 	sub	x10, x10, #1
1.1  christos 	st1	{v24.16b,v25.16b,v26.16b,v27.16b}, [x17], #64 // write bit-sliced round key
1.1  christos 	st1	{v28.16b,v29.16b,v30.16b,v31.16b}, [x17], #64
1.1  christos 	cbnz	x10, .Lkey_loop
1.1  christos
1.1  christos         // don't save last round key
1.1  christos #ifdef __AARCH64EL__
1.1  christos 	rev32	v15.16b, v15.16b
1.1  christos 	adrp	x11, .LM0_bigendian
1.1  christos 	add	x11, x11, #:lo12:.LM0_bigendian
1.1  christos #endif
1.1  christos 	ret
1.1  christos .size	_bsaes_key_convert,.-_bsaes_key_convert
1.1  christos
1.1  christos .globl	ossl_bsaes_cbc_encrypt
1.1  christos .type	ossl_bsaes_cbc_encrypt,%function
1.1  christos .align	4
1.1  christos // On entry:
1.1  christos //   x0 -> input ciphertext
1.1  christos //   x1 -> output plaintext
1.1  christos //   x2 = size of ciphertext and plaintext in bytes (assumed a multiple of 16)
1.1  christos //   x3 -> key
1.1  christos //   x4 -> 128-bit initialisation vector (or preceding 128-bit block of ciphertext if continuing after an earlier call)
1.1  christos //   w5 must be == 0
1.1  christos // On exit:
1.1  christos //   Output plaintext filled in
1.1  christos //   Initialisation vector overwritten with last quadword of ciphertext
1.1  christos //   No output registers, usual AAPCS64 register preservation
1.1  christos ossl_bsaes_cbc_encrypt:
1.1  christos 	AARCH64_VALID_CALL_TARGET
1.1  christos 	cmp	x2, #128
1.1  christos 	bhs	.Lcbc_do_bsaes
1.1  christos 	b	AES_cbc_encrypt
1.1  christos .Lcbc_do_bsaes:
1.1  christos
1.1  christos         // it is up to the caller to make sure we are called with enc == 0
1.1  christos
1.1  christos 	stp	x29, x30, [sp, #-48]!
1.1  christos 	stp	d8, d9, [sp, #16]
1.1  christos 	stp	d10, d15, [sp, #32]
1.1  christos 	lsr	x2, x2, #4                  // len in 16 byte blocks
1.1  christos
1.1  christos 	ldr	w15, [x3, #240]             // get # of rounds
1.1  christos 	mov	x14, sp
1.1  christos
1.1  christos         // allocate the key schedule on the stack
1.1  christos 	add	x17, sp, #96
1.1  christos 	sub	x17, x17, x15, lsl #7       // 128 bytes per inner round key, less 96 bytes
1.1  christos
1.1  christos         // populate the key schedule
1.1  christos 	mov	x9, x3                      // pass key
1.1  christos 	mov	x10, x15                    // pass # of rounds
1.1  christos 	mov	sp, x17                     // sp is sp
1.1  christos 	bl	_bsaes_key_convert
1.1  christos 	ldr	q6,  [sp]
1.1  christos 	str	q15, [x17]                  // save last round key
1.1  christos 	eor	v6.16b, v6.16b, v7.16b      // fix up round 0 key (by XORing with 0x63)
1.1  christos 	str	q6, [sp]
1.1  christos
1.1  christos 	ldr	q15, [x4]                   // load IV
1.1  christos 	b	.Lcbc_dec_loop
1.1  christos
1.1  christos .align	4
1.1  christos .Lcbc_dec_loop:
1.1  christos 	subs	x2, x2, #0x8
1.1  christos 	bmi	.Lcbc_dec_loop_finish
1.1  christos
1.1  christos 	ldr	q0, [x0], #16               // load input
1.1  christos 	mov	x9, sp                      // pass the key
1.1  christos 	ldr	q1, [x0], #16
1.1  christos 	mov	x10, x15
1.1  christos 	ldr	q2, [x0], #16
1.1  christos 	ldr	q3, [x0], #16
1.1  christos 	ldr	q4, [x0], #16
1.1  christos 	ldr	q5, [x0], #16
1.1  christos 	ldr	q6, [x0], #16
1.1  christos 	ldr	q7, [x0], #-7*16
1.1  christos
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos
1.1  christos 	ldr	q16, [x0], #16              // reload input
1.1  christos 	eor	v0.16b, v0.16b, v15.16b     // ^= IV
1.1  christos 	eor	v1.16b, v1.16b, v16.16b
1.1  christos 	str	q0, [x1], #16               // write output
1.1  christos 	ldr	q0, [x0], #16
1.1  christos 	str	q1, [x1], #16
1.1  christos 	ldr	q1, [x0], #16
1.1  christos 	eor	v1.16b, v4.16b, v1.16b
1.1  christos 	ldr	q4, [x0], #16
1.1  christos 	eor	v2.16b, v2.16b, v4.16b
1.1  christos 	eor	v0.16b, v6.16b, v0.16b
1.1  christos 	ldr	q4, [x0], #16
1.1  christos 	str	q0, [x1], #16
1.1  christos 	str	q1, [x1], #16
1.1  christos 	eor	v0.16b, v7.16b, v4.16b
1.1  christos 	ldr	q1, [x0], #16
1.1  christos 	str	q2, [x1], #16
1.1  christos 	ldr	q2, [x0], #16
1.1  christos 	ldr	q15, [x0], #16
1.1  christos 	str	q0, [x1], #16
1.1  christos 	eor	v0.16b, v5.16b, v2.16b
1.1  christos 	eor	v1.16b, v3.16b, v1.16b
1.1  christos 	str	q1, [x1], #16
1.1  christos 	str	q0, [x1], #16
1.1  christos
1.1  christos 	b	.Lcbc_dec_loop
1.1  christos
1.1  christos .Lcbc_dec_loop_finish:
1.1  christos 	adds	x2, x2, #8
1.1  christos 	beq	.Lcbc_dec_done
1.1  christos
1.1  christos 	ldr	q0, [x0], #16               // load input
1.1  christos 	cmp	x2, #2
1.1  christos 	blo	.Lcbc_dec_one
1.1  christos 	ldr	q1, [x0], #16
1.1  christos 	mov	x9, sp                      // pass the key
1.1  christos 	mov	x10, x15
1.1  christos 	beq	.Lcbc_dec_two
1.1  christos 	ldr	q2, [x0], #16
1.1  christos 	cmp	x2, #4
1.1  christos 	blo	.Lcbc_dec_three
1.1  christos 	ldr	q3, [x0], #16
1.1  christos 	beq	.Lcbc_dec_four
1.1  christos 	ldr	q4, [x0], #16
1.1  christos 	cmp	x2, #6
1.1  christos 	blo	.Lcbc_dec_five
1.1  christos 	ldr	q5, [x0], #16
1.1  christos 	beq	.Lcbc_dec_six
1.1  christos 	ldr	q6, [x0], #-6*16
1.1  christos
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos
1.1  christos 	ldr	q5, [x0], #16               // reload input
1.1  christos 	eor	v0.16b, v0.16b, v15.16b     // ^= IV
1.1  christos 	ldr	q8, [x0], #16
1.1  christos 	ldr	q9, [x0], #16
1.1  christos 	ldr	q10, [x0], #16
1.1  christos 	str	q0, [x1], #16               // write output
1.1  christos 	ldr	q0, [x0], #16
1.1  christos 	eor	v1.16b, v1.16b, v5.16b
1.1  christos 	ldr	q5, [x0], #16
1.1  christos 	eor	v6.16b, v6.16b, v8.16b
1.1  christos 	ldr	q15, [x0]
1.1  christos 	eor	v4.16b, v4.16b, v9.16b
1.1  christos 	eor	v2.16b, v2.16b, v10.16b
1.1  christos 	str	q1, [x1], #16
1.1  christos 	eor	v0.16b, v7.16b, v0.16b
1.1  christos 	str	q6, [x1], #16
1.1  christos 	eor	v1.16b, v3.16b, v5.16b
1.1  christos 	str	q4, [x1], #16
1.1  christos 	str	q2, [x1], #16
1.1  christos 	str	q0, [x1], #16
1.1  christos 	str	q1, [x1]
1.1  christos 	b	.Lcbc_dec_done
1.1  christos .align	4
1.1  christos .Lcbc_dec_six:
1.1  christos 	sub	x0, x0, #0x60
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos 	ldr	q3, [x0], #16               // reload input
1.1  christos 	eor	v0.16b, v0.16b, v15.16b     // ^= IV
1.1  christos 	ldr	q5, [x0], #16
1.1  christos 	ldr	q8, [x0], #16
1.1  christos 	ldr	q9, [x0], #16
1.1  christos 	str	q0, [x1], #16               // write output
1.1  christos 	ldr	q0, [x0], #16
1.1  christos 	eor	v1.16b, v1.16b, v3.16b
1.1  christos 	ldr	q15, [x0]
1.1  christos 	eor	v3.16b, v6.16b, v5.16b
1.1  christos 	eor	v4.16b, v4.16b, v8.16b
1.1  christos 	eor	v2.16b, v2.16b, v9.16b
1.1  christos 	str	q1, [x1], #16
1.1  christos 	eor	v0.16b, v7.16b, v0.16b
1.1  christos 	str	q3, [x1], #16
1.1  christos 	str	q4, [x1], #16
1.1  christos 	str	q2, [x1], #16
1.1  christos 	str	q0, [x1]
1.1  christos 	b	.Lcbc_dec_done
1.1  christos .align	4
1.1  christos .Lcbc_dec_five:
1.1  christos 	sub	x0, x0, #0x50
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos 	ldr	q3, [x0], #16               // reload input
1.1  christos 	eor	v0.16b, v0.16b, v15.16b     // ^= IV
1.1  christos 	ldr	q5, [x0], #16
1.1  christos 	ldr	q7, [x0], #16
1.1  christos 	ldr	q8, [x0], #16
1.1  christos 	str	q0, [x1], #16               // write output
1.1  christos 	ldr	q15, [x0]
1.1  christos 	eor	v0.16b, v1.16b, v3.16b
1.1  christos 	eor	v1.16b, v6.16b, v5.16b
1.1  christos 	eor	v3.16b, v4.16b, v7.16b
1.1  christos 	str	q0, [x1], #16
1.1  christos 	eor	v0.16b, v2.16b, v8.16b
1.1  christos 	str	q1, [x1], #16
1.1  christos 	str	q3, [x1], #16
1.1  christos 	str	q0, [x1]
1.1  christos 	b	.Lcbc_dec_done
1.1  christos .align	4
1.1  christos .Lcbc_dec_four:
1.1  christos 	sub	x0, x0, #0x40
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos 	ldr	q2, [x0], #16               // reload input
1.1  christos 	eor	v0.16b, v0.16b, v15.16b     // ^= IV
1.1  christos 	ldr	q3, [x0], #16
1.1  christos 	ldr	q5, [x0], #16
1.1  christos 	str	q0, [x1], #16               // write output
1.1  christos 	ldr	q15, [x0]
1.1  christos 	eor	v0.16b, v1.16b, v2.16b
1.1  christos 	eor	v1.16b, v6.16b, v3.16b
1.1  christos 	eor	v2.16b, v4.16b, v5.16b
1.1  christos 	str	q0, [x1], #16
1.1  christos 	str	q1, [x1], #16
1.1  christos 	str	q2, [x1]
1.1  christos 	b	.Lcbc_dec_done
1.1  christos .align	4
1.1  christos .Lcbc_dec_three:
1.1  christos 	sub	x0, x0, #0x30
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos 	ldr	q2, [x0], #16               // reload input
1.1  christos 	eor	v0.16b, v0.16b, v15.16b     // ^= IV
1.1  christos 	ldr	q3, [x0], #16
1.1  christos 	ldr	q15, [x0]
1.1  christos 	str	q0, [x1], #16               // write output
1.1  christos 	eor	v0.16b, v1.16b, v2.16b
1.1  christos 	eor	v1.16b, v6.16b, v3.16b
1.1  christos 	str	q0, [x1], #16
1.1  christos 	str	q1, [x1]
1.1  christos 	b	.Lcbc_dec_done
1.1  christos .align	4
1.1  christos .Lcbc_dec_two:
1.1  christos 	sub	x0, x0, #0x20
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos 	ldr	q2, [x0], #16               // reload input
1.1  christos 	eor	v0.16b, v0.16b, v15.16b     // ^= IV
1.1  christos 	ldr	q15, [x0]
1.1  christos 	str	q0, [x1], #16               // write output
1.1  christos 	eor	v0.16b, v1.16b, v2.16b
1.1  christos 	str	q0, [x1]
1.1  christos 	b	.Lcbc_dec_done
1.1  christos .align	4
1.1  christos .Lcbc_dec_one:
1.1  christos 	sub	x0, x0, #0x10
1.1  christos 	stp	x1, x4, [sp, #-32]!
1.1  christos 	str	x14, [sp, #16]
1.1  christos 	mov	v8.16b, v15.16b
1.1  christos 	mov	v15.16b, v0.16b
1.1  christos 	mov	x2, x3
1.1  christos 	bl	AES_decrypt
1.1  christos 	ldr	x14, [sp, #16]
1.1  christos 	ldp	x1, x4, [sp], #32
1.1  christos 	ldr	q0, [x1]                    // load result
1.1  christos 	eor	v0.16b, v0.16b, v8.16b      // ^= IV
1.1  christos 	str	q0, [x1]                    // write output
1.1  christos
1.1  christos .align	4
1.1  christos .Lcbc_dec_done:
1.1  christos 	movi	v0.16b, #0
1.1  christos 	movi	v1.16b, #0
1.1  christos .Lcbc_dec_bzero:	//	wipe key schedule [if any]
1.1  christos 	stp	q0, q1, [sp], #32
1.1  christos 	cmp	sp, x14
1.1  christos 	bne	.Lcbc_dec_bzero
1.1  christos 	str	q15, [x4]                   // return IV
1.1  christos 	ldp	d8, d9, [sp, #16]
1.1  christos 	ldp	d10, d15, [sp, #32]
1.1  christos 	ldp	x29, x30, [sp], #48
1.1  christos 	ret
1.1  christos .size	ossl_bsaes_cbc_encrypt,.-ossl_bsaes_cbc_encrypt
1.1  christos
1.1  christos .globl	ossl_bsaes_ctr32_encrypt_blocks
1.1  christos .type	ossl_bsaes_ctr32_encrypt_blocks,%function
1.1  christos .align	4
1.1  christos // On entry:
1.1  christos //   x0 -> input text (whole 16-byte blocks)
1.1  christos //   x1 -> output text (whole 16-byte blocks)
1.1  christos //   x2 = number of 16-byte blocks to encrypt/decrypt (> 0)
1.1  christos //   x3 -> key
1.1  christos //   x4 -> initial value of 128-bit counter (stored big-endian) which increments, modulo 2^32, for each block
1.1  christos // On exit:
1.1  christos //   Output text filled in
1.1  christos //   No output registers, usual AAPCS64 register preservation
1.1  christos ossl_bsaes_ctr32_encrypt_blocks:
1.1  christos 	AARCH64_VALID_CALL_TARGET
1.1  christos 	cmp	x2, #8                      // use plain AES for
1.1  christos 	blo	.Lctr_enc_short             // small sizes
1.1  christos
1.1  christos 	stp	x29, x30, [sp, #-80]!
1.1  christos 	stp	d8, d9, [sp, #16]
1.1  christos 	stp	d10, d11, [sp, #32]
1.1  christos 	stp	d12, d13, [sp, #48]
1.1  christos 	stp	d14, d15, [sp, #64]
1.1  christos
1.1  christos 	ldr	w15, [x3, #240]             // get # of rounds
1.1  christos 	mov	x14, sp
1.1  christos
1.1  christos         // allocate the key schedule on the stack
1.1  christos 	add	x17, sp, #96
1.1  christos 	sub	x17, x17, x15, lsl #7       // 128 bytes per inner round key, less 96 bytes
1.1  christos
1.1  christos         // populate the key schedule
1.1  christos 	mov	x9, x3                      // pass key
1.1  christos 	mov	x10, x15                    // pass # of rounds
1.1  christos 	mov	sp, x17                     // sp is sp
1.1  christos 	bl	_bsaes_key_convert
1.1  christos 	eor	v7.16b, v7.16b, v15.16b     // fix up last round key
1.1  christos 	str	q7, [x17]                   // save last round key
1.1  christos
1.1  christos 	ldr	q0, [x4]                    // load counter
1.1  christos 	add	x13, x11, #.LREVM0SR-.LM0_bigendian
1.1  christos 	ldr	q4, [sp]                    // load round0 key
1.1  christos
1.1  christos 	movi	v8.4s, #1                   // compose 1<<96
1.1  christos 	movi	v9.16b, #0
1.1  christos 	rev32	v15.16b, v0.16b
1.1  christos 	rev32	v0.16b, v0.16b
1.1  christos 	ext	v11.16b, v9.16b, v8.16b, #4
1.1  christos 	rev32	v4.16b, v4.16b
1.1  christos 	add	v12.4s, v11.4s, v11.4s      // compose 2<<96
1.1  christos 	str	q4, [sp]                    // save adjusted round0 key
1.1  christos 	add	v13.4s, v11.4s, v12.4s      // compose 3<<96
1.1  christos 	add	v14.4s, v12.4s, v12.4s      // compose 4<<96
1.1  christos 	b	.Lctr_enc_loop
1.1  christos
1.1  christos .align	4
1.1  christos .Lctr_enc_loop:
1.1  christos         // Intermix prologue from _bsaes_encrypt8 to use the opportunity
1.1  christos         // to flip byte order in 32-bit counter
1.1  christos
1.1  christos 	add	v1.4s, v15.4s, v11.4s       // +1
1.1  christos 	add	x9, sp, #0x10               // pass next round key
1.1  christos 	add	v2.4s, v15.4s, v12.4s       // +2
1.1  christos 	ldr	q9, [x13]                   // .LREVM0SR
1.1  christos 	ldr	q8, [sp]                    // load round0 key
1.1  christos 	add	v3.4s, v15.4s, v13.4s       // +3
1.1  christos 	mov	x10, x15                    // pass rounds
1.1  christos 	sub	x11, x13, #.LREVM0SR-.LSR   // pass constants
1.1  christos 	add	v6.4s, v2.4s, v14.4s
1.1  christos 	add	v4.4s, v15.4s, v14.4s       // +4
1.1  christos 	add	v7.4s, v3.4s, v14.4s
1.1  christos 	add	v15.4s, v4.4s, v14.4s       // next counter
1.1  christos 	add	v5.4s, v1.4s, v14.4s
1.1  christos
1.1  christos 	bl	_bsaes_encrypt8_alt
1.1  christos
1.1  christos 	subs	x2, x2, #8
1.1  christos 	blo	.Lctr_enc_loop_done
1.1  christos
1.1  christos 	ldr	q16, [x0], #16
1.1  christos 	ldr	q17, [x0], #16
1.1  christos 	eor	v1.16b, v1.16b, v17.16b
1.1  christos 	ldr	q17, [x0], #16
1.1  christos 	eor	v0.16b, v0.16b, v16.16b
1.1  christos 	eor	v4.16b, v4.16b, v17.16b
1.1  christos 	str	q0, [x1], #16
1.1  christos 	ldr	q16, [x0], #16
1.1  christos 	str	q1, [x1], #16
1.1  christos 	mov	v0.16b, v15.16b
1.1  christos 	str	q4, [x1], #16
1.1  christos 	ldr	q1, [x0], #16
1.1  christos 	eor	v4.16b, v6.16b, v16.16b
1.1  christos 	eor	v1.16b, v3.16b, v1.16b
1.1  christos 	ldr	q3, [x0], #16
1.1  christos 	eor	v3.16b, v7.16b, v3.16b
1.1  christos 	ldr	q6, [x0], #16
1.1  christos 	eor	v2.16b, v2.16b, v6.16b
1.1  christos 	ldr	q6, [x0], #16
1.1  christos 	eor	v5.16b, v5.16b, v6.16b
1.1  christos 	str	q4, [x1], #16
1.1  christos 	str	q1, [x1], #16
1.1  christos 	str	q3, [x1], #16
1.1  christos 	str	q2, [x1], #16
1.1  christos 	str	q5, [x1], #16
1.1  christos
1.1  christos 	bne	.Lctr_enc_loop
1.1  christos 	b	.Lctr_enc_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lctr_enc_loop_done:
1.1  christos 	add	x2, x2, #8
1.1  christos 	ldr	q16, [x0], #16              // load input
1.1  christos 	eor	v0.16b, v0.16b, v16.16b
1.1  christos 	str	q0, [x1], #16               // write output
1.1  christos 	cmp	x2, #2
1.1  christos 	blo	.Lctr_enc_done
1.1  christos 	ldr	q17, [x0], #16
1.1  christos 	eor	v1.16b, v1.16b, v17.16b
1.1  christos 	str	q1, [x1], #16
1.1  christos 	beq	.Lctr_enc_done
1.1  christos 	ldr	q18, [x0], #16
1.1  christos 	eor	v4.16b, v4.16b, v18.16b
1.1  christos 	str	q4, [x1], #16
1.1  christos 	cmp	x2, #4
1.1  christos 	blo	.Lctr_enc_done
1.1  christos 	ldr	q19, [x0], #16
1.1  christos 	eor	v6.16b, v6.16b, v19.16b
1.1  christos 	str	q6, [x1], #16
1.1  christos 	beq	.Lctr_enc_done
1.1  christos 	ldr	q20, [x0], #16
1.1  christos 	eor	v3.16b, v3.16b, v20.16b
1.1  christos 	str	q3, [x1], #16
1.1  christos 	cmp	x2, #6
1.1  christos 	blo	.Lctr_enc_done
1.1  christos 	ldr	q21, [x0], #16
1.1  christos 	eor	v7.16b, v7.16b, v21.16b
1.1  christos 	str	q7, [x1], #16
1.1  christos 	beq	.Lctr_enc_done
1.1  christos 	ldr	q22, [x0]
1.1  christos 	eor	v2.16b, v2.16b, v22.16b
1.1  christos 	str	q2, [x1], #16
1.1  christos
1.1  christos .Lctr_enc_done:
1.1  christos 	movi	v0.16b, #0
1.1  christos 	movi	v1.16b, #0
1.1  christos .Lctr_enc_bzero:	//	wipe key schedule [if any]
1.1  christos 	stp	q0, q1, [sp], #32
1.1  christos 	cmp	sp, x14
1.1  christos 	bne	.Lctr_enc_bzero
1.1  christos
1.1  christos 	ldp	d8, d9, [sp, #16]
1.1  christos 	ldp	d10, d11, [sp, #32]
1.1  christos 	ldp	d12, d13, [sp, #48]
1.1  christos 	ldp	d14, d15, [sp, #64]
1.1  christos 	ldp	x29, x30, [sp], #80
1.1  christos 	ret
1.1  christos
1.1  christos .Lctr_enc_short:
1.1  christos 	stp	x29, x30, [sp, #-96]!
1.1  christos 	stp	x19, x20, [sp, #16]
1.1  christos 	stp	x21, x22, [sp, #32]
1.1  christos 	str	x23, [sp, #48]
1.1  christos
1.1  christos 	mov	x19, x0                     // copy arguments
1.1  christos 	mov	x20, x1
1.1  christos 	mov	x21, x2
1.1  christos 	mov	x22, x3
1.1  christos 	ldr	w23, [x4, #12]              // load counter .LSW
1.1  christos 	ldr	q1, [x4]                    // load whole counter value
1.1  christos #ifdef __AARCH64EL__
1.1  christos 	rev	w23, w23
1.1  christos #endif
1.1  christos 	str	q1, [sp, #80]               // copy counter value
1.1  christos
1.1  christos .Lctr_enc_short_loop:
1.1  christos 	add	x0, sp, #80                 // input counter value
1.1  christos 	add	x1, sp, #64                 // output on the stack
1.1  christos 	mov	x2, x22                     // key
1.1  christos
1.1  christos 	bl	AES_encrypt
1.1  christos
1.1  christos 	ldr	q0, [x19], #16              // load input
1.1  christos 	ldr	q1, [sp, #64]               // load encrypted counter
1.1  christos 	add	x23, x23, #1
1.1  christos #ifdef __AARCH64EL__
1.1  christos 	rev	w0, w23
1.1  christos 	str	w0, [sp, #80+12]            // next counter value
1.1  christos #else
1.1  christos 	str	w23, [sp, #80+12]           // next counter value
1.1  christos #endif
1.1  christos 	eor	v0.16b, v0.16b, v1.16b
1.1  christos 	str	q0, [x20], #16              // store output
1.1  christos 	subs	x21, x21, #1
1.1  christos 	bne	.Lctr_enc_short_loop
1.1  christos
1.1  christos 	movi	v0.16b, #0
1.1  christos 	movi	v1.16b, #0
1.1  christos 	stp	q0, q1, [sp, #64]
1.1  christos
1.1  christos 	ldr	x23, [sp, #48]
1.1  christos 	ldp	x21, x22, [sp, #32]
1.1  christos 	ldp	x19, x20, [sp, #16]
1.1  christos 	ldp	x29, x30, [sp], #96
1.1  christos 	ret
1.1  christos .size	ossl_bsaes_ctr32_encrypt_blocks,.-ossl_bsaes_ctr32_encrypt_blocks
1.1  christos
1.1  christos .globl	ossl_bsaes_xts_encrypt
1.1  christos .type	ossl_bsaes_xts_encrypt,%function
1.1  christos .align	4
1.1  christos // On entry:
1.1  christos //   x0 -> input plaintext
1.1  christos //   x1 -> output ciphertext
1.1  christos //   x2 -> length of text in bytes (must be at least 16)
1.1  christos //   x3 -> key1 (used to encrypt the XORed plaintext blocks)
1.1  christos //   x4 -> key2 (used to encrypt the initial vector to yield the initial tweak)
1.1  christos //   x5 -> 16-byte initial vector (typically, sector number)
1.1  christos // On exit:
1.1  christos //   Output ciphertext filled in
1.1  christos //   No output registers, usual AAPCS64 register preservation
1.1  christos ossl_bsaes_xts_encrypt:
1.1  christos 	AARCH64_VALID_CALL_TARGET
1.1  christos         // Stack layout:
1.1  christos         // sp ->
1.1  christos         //        nrounds*128-96 bytes: key schedule
1.1  christos         // x19 ->
1.1  christos         //        16 bytes: frame record
1.1  christos         //        4*16 bytes: tweak storage across _bsaes_encrypt8
1.1  christos         //        6*8 bytes: storage for 5 callee-saved general-purpose registers
1.1  christos         //        8*8 bytes: storage for 8 callee-saved SIMD registers
1.1  christos 	stp	x29, x30, [sp, #-192]!
1.1  christos 	stp	x19, x20, [sp, #80]
1.1  christos 	stp	x21, x22, [sp, #96]
1.1  christos 	str	x23, [sp, #112]
1.1  christos 	stp	d8, d9, [sp, #128]
1.1  christos 	stp	d10, d11, [sp, #144]
1.1  christos 	stp	d12, d13, [sp, #160]
1.1  christos 	stp	d14, d15, [sp, #176]
1.1  christos
1.1  christos 	mov	x19, sp
1.1  christos 	mov	x20, x0
1.1  christos 	mov	x21, x1
1.1  christos 	mov	x22, x2
1.1  christos 	mov	x23, x3
1.1  christos
1.1  christos         // generate initial tweak
1.1  christos 	sub	sp, sp, #16
1.1  christos 	mov	x0, x5                      // iv[]
1.1  christos 	mov	x1, sp
1.1  christos 	mov	x2, x4                      // key2
1.1  christos 	bl	AES_encrypt
1.1  christos 	ldr	q11, [sp], #16
1.1  christos
1.1  christos 	ldr	w1, [x23, #240]             // get # of rounds
1.1  christos         // allocate the key schedule on the stack
1.1  christos 	add	x17, sp, #96
1.1  christos 	sub	x17, x17, x1, lsl #7        // 128 bytes per inner round key, less 96 bytes
1.1  christos
1.1  christos         // populate the key schedule
1.1  christos 	mov	x9, x23                     // pass key
1.1  christos 	mov	x10, x1                     // pass # of rounds
1.1  christos 	mov	sp, x17
1.1  christos 	bl	_bsaes_key_convert
1.1  christos 	eor	v15.16b, v15.16b, v7.16b    // fix up last round key
1.1  christos 	str	q15, [x17]                  // save last round key
1.1  christos
1.1  christos 	subs	x22, x22, #0x80
1.1  christos 	blo	.Lxts_enc_short
1.1  christos 	b	.Lxts_enc_loop
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_enc_loop:
1.1  christos 	ldr	q8, .Lxts_magic
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x2, x19, #16
1.1  christos 	ldr	q0, [x20], #16
1.1  christos 	sshr	v1.2d, v11.2d, #63
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	ldr	q6, .Lxts_magic+16
1.1  christos 	add	v2.2d, v11.2d, v11.2d
1.1  christos 	cmtst	v3.2d, v11.2d, v6.2d
1.1  christos 	and	v1.16b, v1.16b, v8.16b
1.1  christos 	ext	v1.16b, v1.16b, v1.16b, #8
1.1  christos 	and	v3.16b, v3.16b, v8.16b
1.1  christos 	ldr	q4, [x20], #16
1.1  christos 	eor	v12.16b, v2.16b, v1.16b
1.1  christos 	eor	v1.16b, v4.16b, v12.16b
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	cmtst	v2.2d, v12.2d, v6.2d
1.1  christos 	add	v4.2d, v12.2d, v12.2d
1.1  christos 	add	x0, x19, #16
1.1  christos 	ext	v3.16b, v3.16b, v3.16b, #8
1.1  christos 	and	v2.16b, v2.16b, v8.16b
1.1  christos 	eor	v13.16b, v4.16b, v3.16b
1.1  christos 	ldr	q3, [x20], #16
1.1  christos 	ext	v4.16b, v2.16b, v2.16b, #8
1.1  christos 	eor	v2.16b, v3.16b, v13.16b
1.1  christos 	ldr	q3, [x20], #16
1.1  christos 	add	v5.2d, v13.2d, v13.2d
1.1  christos 	cmtst	v7.2d, v13.2d, v6.2d
1.1  christos 	and	v7.16b, v7.16b, v8.16b
1.1  christos 	ldr	q9, [x20], #16
1.1  christos 	ext	v7.16b, v7.16b, v7.16b, #8
1.1  christos 	ldr	q10, [x20], #16
1.1  christos 	eor	v14.16b, v5.16b, v4.16b
1.1  christos 	ldr	q16, [x20], #16
1.1  christos 	add	v4.2d, v14.2d, v14.2d
1.1  christos 	eor	v3.16b, v3.16b, v14.16b
1.1  christos 	eor	v15.16b, v4.16b, v7.16b
1.1  christos 	add	v5.2d, v15.2d, v15.2d
1.1  christos 	ldr	q7, [x20], #16
1.1  christos 	cmtst	v4.2d, v14.2d, v6.2d
1.1  christos 	and	v17.16b, v4.16b, v8.16b
1.1  christos 	cmtst	v18.2d, v15.2d, v6.2d
1.1  christos 	eor	v4.16b, v9.16b, v15.16b
1.1  christos 	ext	v9.16b, v17.16b, v17.16b, #8
1.1  christos 	eor	v9.16b, v5.16b, v9.16b
1.1  christos 	add	v17.2d, v9.2d, v9.2d
1.1  christos 	and	v18.16b, v18.16b, v8.16b
1.1  christos 	eor	v5.16b, v10.16b, v9.16b
1.1  christos 	str	q9, [x2], #16
1.1  christos 	ext	v10.16b, v18.16b, v18.16b, #8
1.1  christos 	cmtst	v9.2d, v9.2d, v6.2d
1.1  christos 	and	v9.16b, v9.16b, v8.16b
1.1  christos 	eor	v10.16b, v17.16b, v10.16b
1.1  christos 	cmtst	v17.2d, v10.2d, v6.2d
1.1  christos 	eor	v6.16b, v16.16b, v10.16b
1.1  christos 	str	q10, [x2], #16
1.1  christos 	ext	v9.16b, v9.16b, v9.16b, #8
1.1  christos 	add	v10.2d, v10.2d, v10.2d
1.1  christos 	eor	v9.16b, v10.16b, v9.16b
1.1  christos 	str	q9, [x2], #16
1.1  christos 	eor	v7.16b, v7.16b, v9.16b
1.1  christos 	add	v9.2d, v9.2d, v9.2d
1.1  christos 	and	v8.16b, v17.16b, v8.16b
1.1  christos 	ext	v8.16b, v8.16b, v8.16b, #8
1.1  christos 	eor	v8.16b, v9.16b, v8.16b
1.1  christos 	str	q8, [x2]                    // next round tweak
1.1  christos
1.1  christos 	bl	_bsaes_encrypt8
1.1  christos
1.1  christos 	ldr	q8, [x0], #16
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	ldr	q9, [x0], #16
1.1  christos 	eor	v4.16b, v4.16b, v13.16b
1.1  christos 	eor	v6.16b, v6.16b, v14.16b
1.1  christos 	ldr	q10, [x0], #16
1.1  christos 	eor	v3.16b, v3.16b, v15.16b
1.1  christos 	subs	x22, x22, #0x80
1.1  christos 	str	q0, [x21], #16
1.1  christos 	ldr	q11, [x0]                   // next round tweak
1.1  christos 	str	q1, [x21], #16
1.1  christos 	eor	v0.16b, v7.16b, v8.16b
1.1  christos 	eor	v1.16b, v2.16b, v9.16b
1.1  christos 	str	q4, [x21], #16
1.1  christos 	eor	v2.16b, v5.16b, v10.16b
1.1  christos 	str	q6, [x21], #16
1.1  christos 	str	q3, [x21], #16
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	str	q2, [x21], #16
1.1  christos 	bpl	.Lxts_enc_loop
1.1  christos
1.1  christos .Lxts_enc_short:
1.1  christos 	adds	x22, x22, #0x70
1.1  christos 	bmi	.Lxts_enc_done
1.1  christos
1.1  christos 	ldr	q8, .Lxts_magic
1.1  christos 	sshr	v1.2d, v11.2d, #63
1.1  christos 	add	v2.2d, v11.2d, v11.2d
1.1  christos 	ldr	q9, .Lxts_magic+16
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	ldr	q0, [x20], #16
1.1  christos 	and	v1.16b, v1.16b, v8.16b
1.1  christos 	cmtst	v3.2d, v11.2d, v9.2d
1.1  christos 	ext	v1.16b, v1.16b, v1.16b, #8
1.1  christos 	and	v3.16b, v3.16b, v8.16b
1.1  christos 	eor	v12.16b, v2.16b, v1.16b
1.1  christos 	ext	v1.16b, v3.16b, v3.16b, #8
1.1  christos 	add	v2.2d, v12.2d, v12.2d
1.1  christos 	cmtst	v3.2d, v12.2d, v9.2d
1.1  christos 	eor	v13.16b, v2.16b, v1.16b
1.1  christos 	and	v22.16b, v3.16b, v8.16b
1.1  christos 	bmi	.Lxts_enc_1
1.1  christos
1.1  christos 	ext	v2.16b, v22.16b, v22.16b, #8
1.1  christos 	add	v3.2d, v13.2d, v13.2d
1.1  christos 	ldr	q1, [x20], #16
1.1  christos 	cmtst	v4.2d, v13.2d, v9.2d
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v14.16b, v3.16b, v2.16b
1.1  christos 	and	v23.16b, v4.16b, v8.16b
1.1  christos 	bmi	.Lxts_enc_2
1.1  christos
1.1  christos 	ext	v3.16b, v23.16b, v23.16b, #8
1.1  christos 	add	v4.2d, v14.2d, v14.2d
1.1  christos 	ldr	q2, [x20], #16
1.1  christos 	cmtst	v5.2d, v14.2d, v9.2d
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v15.16b, v4.16b, v3.16b
1.1  christos 	and	v24.16b, v5.16b, v8.16b
1.1  christos 	bmi	.Lxts_enc_3
1.1  christos
1.1  christos 	ext	v4.16b, v24.16b, v24.16b, #8
1.1  christos 	add	v5.2d, v15.2d, v15.2d
1.1  christos 	ldr	q3, [x20], #16
1.1  christos 	cmtst	v6.2d, v15.2d, v9.2d
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v16.16b, v5.16b, v4.16b
1.1  christos 	and	v25.16b, v6.16b, v8.16b
1.1  christos 	bmi	.Lxts_enc_4
1.1  christos
1.1  christos 	ext	v5.16b, v25.16b, v25.16b, #8
1.1  christos 	add	v6.2d, v16.2d, v16.2d
1.1  christos 	add	x0, x19, #16
1.1  christos 	cmtst	v7.2d, v16.2d, v9.2d
1.1  christos 	ldr	q4, [x20], #16
1.1  christos 	eor	v2.16b, v2.16b, v13.16b
1.1  christos 	str	q16, [x0], #16
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v17.16b, v6.16b, v5.16b
1.1  christos 	and	v26.16b, v7.16b, v8.16b
1.1  christos 	bmi	.Lxts_enc_5
1.1  christos
1.1  christos 	ext	v7.16b, v26.16b, v26.16b, #8
1.1  christos 	add	v18.2d, v17.2d, v17.2d
1.1  christos 	ldr	q5, [x20], #16
1.1  christos 	eor	v3.16b, v3.16b, v14.16b
1.1  christos 	str	q17, [x0], #16
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v18.16b, v18.16b, v7.16b
1.1  christos 	bmi	.Lxts_enc_6
1.1  christos
1.1  christos 	ldr	q6, [x20], #16
1.1  christos 	eor	v4.16b, v4.16b, v15.16b
1.1  christos 	eor	v5.16b, v5.16b, v16.16b
1.1  christos 	str	q18, [x0]                   // next round tweak
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1
1.1  christos 	add	x0, x19, #16
1.1  christos 	sub	x22, x22, #0x10
1.1  christos 	eor	v6.16b, v6.16b, v17.16b
1.1  christos
1.1  christos 	bl	_bsaes_encrypt8
1.1  christos
1.1  christos 	ldr	q16, [x0], #16
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	ldr	q17, [x0], #16
1.1  christos 	eor	v4.16b, v4.16b, v13.16b
1.1  christos 	eor	v6.16b, v6.16b, v14.16b
1.1  christos 	eor	v3.16b, v3.16b, v15.16b
1.1  christos 	ldr	q11, [x0]                   // next round tweak
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	eor	v0.16b, v7.16b, v16.16b
1.1  christos 	eor	v1.16b, v2.16b, v17.16b
1.1  christos 	str	q4, [x21], #16
1.1  christos 	str	q6, [x21], #16
1.1  christos 	str	q3, [x21], #16
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	b	.Lxts_enc_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_enc_6:
1.1  christos 	eor	v4.16b, v4.16b, v15.16b
1.1  christos 	eor	v5.16b, v5.16b, v16.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_encrypt8
1.1  christos
1.1  christos 	ldr	q16, [x0], #16
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	eor	v4.16b, v4.16b, v13.16b
1.1  christos 	eor	v6.16b, v6.16b, v14.16b
1.1  christos 	ldr	q11, [x0]                   // next round tweak
1.1  christos 	eor	v3.16b, v3.16b, v15.16b
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	eor	v0.16b, v7.16b, v16.16b
1.1  christos 	str	q4, [x21], #16
1.1  christos 	str	q6, [x21], #16
1.1  christos 	str	q3, [x21], #16
1.1  christos 	str	q0, [x21], #16
1.1  christos 	b	.Lxts_enc_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_enc_5:
1.1  christos 	eor	v3.16b, v3.16b, v14.16b
1.1  christos 	eor	v4.16b, v4.16b, v15.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_encrypt8
1.1  christos
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	ldr	q11, [x0]                   // next round tweak
1.1  christos 	eor	v4.16b, v4.16b, v13.16b
1.1  christos 	eor	v6.16b, v6.16b, v14.16b
1.1  christos 	eor	v3.16b, v3.16b, v15.16b
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	str	q4, [x21], #16
1.1  christos 	str	q6, [x21], #16
1.1  christos 	str	q3, [x21], #16
1.1  christos 	b	.Lxts_enc_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_enc_4:
1.1  christos 	eor	v2.16b, v2.16b, v13.16b
1.1  christos 	eor	v3.16b, v3.16b, v14.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_encrypt8
1.1  christos
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	eor	v4.16b, v4.16b, v13.16b
1.1  christos 	eor	v6.16b, v6.16b, v14.16b
1.1  christos 	mov	v11.16b, v15.16b            // next round tweak
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	str	q4, [x21], #16
1.1  christos 	str	q6, [x21], #16
1.1  christos 	b	.Lxts_enc_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_enc_3:
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	eor	v2.16b, v2.16b, v13.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_encrypt8
1.1  christos
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	eor	v4.16b, v4.16b, v13.16b
1.1  christos 	mov	v11.16b, v14.16b            // next round tweak
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	str	q4, [x21], #16
1.1  christos 	b	.Lxts_enc_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_enc_2:
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_encrypt8
1.1  christos
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	mov	v11.16b, v13.16b            // next round tweak
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	b	.Lxts_enc_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_enc_1:
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	sub	x0, sp, #16
1.1  christos 	sub	x1, sp, #16
1.1  christos 	mov	x2, x23
1.1  christos 	mov	v13.d[0], v11.d[1]          // just in case AES_encrypt corrupts top half of callee-saved SIMD registers
1.1  christos 	mov	v14.d[0], v12.d[1]
1.1  christos 	str	q0, [sp, #-16]!
1.1  christos
1.1  christos 	bl	AES_encrypt
1.1  christos
1.1  christos 	ldr	q0, [sp], #16
1.1  christos 	trn1	v13.2d, v11.2d, v13.2d
1.1  christos 	trn1	v11.2d, v12.2d, v14.2d      // next round tweak
1.1  christos 	eor	v0.16b, v0.16b, v13.16b
1.1  christos 	str	q0, [x21], #16
1.1  christos
1.1  christos .Lxts_enc_done:
1.1  christos 	adds	x22, x22, #0x10
1.1  christos 	beq	.Lxts_enc_ret
1.1  christos
1.1  christos 	sub	x6, x21, #0x10
1.1  christos         // Penultimate plaintext block produces final ciphertext part-block
1.1  christos         // plus remaining part of final plaintext block. Move ciphertext part
1.1  christos         // to final position and reuse penultimate ciphertext block buffer to
1.1  christos         // construct final plaintext block
1.1  christos .Lxts_enc_steal:
1.1  christos 	ldrb	w0, [x20], #1
1.1  christos 	ldrb	w1, [x21, #-0x10]
1.1  christos 	strb	w0, [x21, #-0x10]
1.1  christos 	strb	w1, [x21], #1
1.1  christos
1.1  christos 	subs	x22, x22, #1
1.1  christos 	bhi	.Lxts_enc_steal
1.1  christos
1.1  christos         // Finally encrypt the penultimate ciphertext block using the
1.1  christos         // last tweak
1.1  christos 	ldr	q0, [x6]
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	str	q0, [sp, #-16]!
1.1  christos 	mov	x0, sp
1.1  christos 	mov	x1, sp
1.1  christos 	mov	x2, x23
1.1  christos 	mov	x21, x6
1.1  christos 	mov	v13.d[0], v11.d[1]          // just in case AES_encrypt corrupts top half of callee-saved SIMD registers
1.1  christos
1.1  christos 	bl	AES_encrypt
1.1  christos
1.1  christos 	trn1	v11.2d, v11.2d, v13.2d
1.1  christos 	ldr	q0, [sp], #16
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	str	q0, [x21]
1.1  christos
1.1  christos .Lxts_enc_ret:
1.1  christos
1.1  christos 	movi	v0.16b, #0
1.1  christos 	movi	v1.16b, #0
1.1  christos .Lxts_enc_bzero:	//	wipe key schedule
1.1  christos 	stp	q0, q1, [sp], #32
1.1  christos 	cmp	sp, x19
1.1  christos 	bne	.Lxts_enc_bzero
1.1  christos
1.1  christos 	ldp	x19, x20, [sp, #80]
1.1  christos 	ldp	x21, x22, [sp, #96]
1.1  christos 	ldr	x23, [sp, #112]
1.1  christos 	ldp	d8, d9, [sp, #128]
1.1  christos 	ldp	d10, d11, [sp, #144]
1.1  christos 	ldp	d12, d13, [sp, #160]
1.1  christos 	ldp	d14, d15, [sp, #176]
1.1  christos 	ldp	x29, x30, [sp], #192
1.1  christos 	ret
1.1  christos .size	ossl_bsaes_xts_encrypt,.-ossl_bsaes_xts_encrypt
1.1  christos
1.1  christos // The assembler doesn't seem capable of de-duplicating these when expressed
1.1  christos // using `ldr qd,=` syntax, so assign a symbolic address
1.1  christos .align	5
1.1  christos .Lxts_magic:
1.1  christos .quad	1, 0x87, 0x4000000000000000, 0x4000000000000000
1.1  christos
1.1  christos .globl	ossl_bsaes_xts_decrypt
1.1  christos .type	ossl_bsaes_xts_decrypt,%function
1.1  christos .align	4
1.1  christos // On entry:
1.1  christos //   x0 -> input ciphertext
1.1  christos //   x1 -> output plaintext
1.1  christos //   x2 -> length of text in bytes (must be at least 16)
1.1  christos //   x3 -> key1 (used to decrypt the XORed ciphertext blocks)
1.1  christos //   x4 -> key2 (used to encrypt the initial vector to yield the initial tweak)
1.1  christos //   x5 -> 16-byte initial vector (typically, sector number)
1.1  christos // On exit:
1.1  christos //   Output plaintext filled in
1.1  christos //   No output registers, usual AAPCS64 register preservation
1.1  christos ossl_bsaes_xts_decrypt:
1.1  christos 	AARCH64_VALID_CALL_TARGET
1.1  christos         // Stack layout:
1.1  christos         // sp ->
1.1  christos         //        nrounds*128-96 bytes: key schedule
1.1  christos         // x19 ->
1.1  christos         //        16 bytes: frame record
1.1  christos         //        4*16 bytes: tweak storage across _bsaes_decrypt8
1.1  christos         //        6*8 bytes: storage for 5 callee-saved general-purpose registers
1.1  christos         //        8*8 bytes: storage for 8 callee-saved SIMD registers
1.1  christos 	stp	x29, x30, [sp, #-192]!
1.1  christos 	stp	x19, x20, [sp, #80]
1.1  christos 	stp	x21, x22, [sp, #96]
1.1  christos 	str	x23, [sp, #112]
1.1  christos 	stp	d8, d9, [sp, #128]
1.1  christos 	stp	d10, d11, [sp, #144]
1.1  christos 	stp	d12, d13, [sp, #160]
1.1  christos 	stp	d14, d15, [sp, #176]
1.1  christos
1.1  christos 	mov	x19, sp
1.1  christos 	mov	x20, x0
1.1  christos 	mov	x21, x1
1.1  christos 	mov	x22, x2
1.1  christos 	mov	x23, x3
1.1  christos
1.1  christos         // generate initial tweak
1.1  christos 	sub	sp, sp, #16
1.1  christos 	mov	x0, x5                      // iv[]
1.1  christos 	mov	x1, sp
1.1  christos 	mov	x2, x4                      // key2
1.1  christos 	bl	AES_encrypt
1.1  christos 	ldr	q11, [sp], #16
1.1  christos
1.1  christos 	ldr	w1, [x23, #240]             // get # of rounds
1.1  christos         // allocate the key schedule on the stack
1.1  christos 	add	x17, sp, #96
1.1  christos 	sub	x17, x17, x1, lsl #7        // 128 bytes per inner round key, less 96 bytes
1.1  christos
1.1  christos         // populate the key schedule
1.1  christos 	mov	x9, x23                     // pass key
1.1  christos 	mov	x10, x1                     // pass # of rounds
1.1  christos 	mov	sp, x17
1.1  christos 	bl	_bsaes_key_convert
1.1  christos 	ldr	q6,  [sp]
1.1  christos 	str	q15, [x17]                  // save last round key
1.1  christos 	eor	v6.16b, v6.16b, v7.16b      // fix up round 0 key (by XORing with 0x63)
1.1  christos 	str	q6, [sp]
1.1  christos
1.1  christos 	sub	x30, x22, #0x10
1.1  christos 	tst	x22, #0xf                   // if not multiple of 16
1.1  christos 	csel	x22, x30, x22, ne           // subtract another 16 bytes
1.1  christos 	subs	x22, x22, #0x80
1.1  christos
1.1  christos 	blo	.Lxts_dec_short
1.1  christos 	b	.Lxts_dec_loop
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_dec_loop:
1.1  christos 	ldr	q8, .Lxts_magic
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x2, x19, #16
1.1  christos 	ldr	q0, [x20], #16
1.1  christos 	sshr	v1.2d, v11.2d, #63
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	ldr	q6, .Lxts_magic+16
1.1  christos 	add	v2.2d, v11.2d, v11.2d
1.1  christos 	cmtst	v3.2d, v11.2d, v6.2d
1.1  christos 	and	v1.16b, v1.16b, v8.16b
1.1  christos 	ext	v1.16b, v1.16b, v1.16b, #8
1.1  christos 	and	v3.16b, v3.16b, v8.16b
1.1  christos 	ldr	q4, [x20], #16
1.1  christos 	eor	v12.16b, v2.16b, v1.16b
1.1  christos 	eor	v1.16b, v4.16b, v12.16b
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	cmtst	v2.2d, v12.2d, v6.2d
1.1  christos 	add	v4.2d, v12.2d, v12.2d
1.1  christos 	add	x0, x19, #16
1.1  christos 	ext	v3.16b, v3.16b, v3.16b, #8
1.1  christos 	and	v2.16b, v2.16b, v8.16b
1.1  christos 	eor	v13.16b, v4.16b, v3.16b
1.1  christos 	ldr	q3, [x20], #16
1.1  christos 	ext	v4.16b, v2.16b, v2.16b, #8
1.1  christos 	eor	v2.16b, v3.16b, v13.16b
1.1  christos 	ldr	q3, [x20], #16
1.1  christos 	add	v5.2d, v13.2d, v13.2d
1.1  christos 	cmtst	v7.2d, v13.2d, v6.2d
1.1  christos 	and	v7.16b, v7.16b, v8.16b
1.1  christos 	ldr	q9, [x20], #16
1.1  christos 	ext	v7.16b, v7.16b, v7.16b, #8
1.1  christos 	ldr	q10, [x20], #16
1.1  christos 	eor	v14.16b, v5.16b, v4.16b
1.1  christos 	ldr	q16, [x20], #16
1.1  christos 	add	v4.2d, v14.2d, v14.2d
1.1  christos 	eor	v3.16b, v3.16b, v14.16b
1.1  christos 	eor	v15.16b, v4.16b, v7.16b
1.1  christos 	add	v5.2d, v15.2d, v15.2d
1.1  christos 	ldr	q7, [x20], #16
1.1  christos 	cmtst	v4.2d, v14.2d, v6.2d
1.1  christos 	and	v17.16b, v4.16b, v8.16b
1.1  christos 	cmtst	v18.2d, v15.2d, v6.2d
1.1  christos 	eor	v4.16b, v9.16b, v15.16b
1.1  christos 	ext	v9.16b, v17.16b, v17.16b, #8
1.1  christos 	eor	v9.16b, v5.16b, v9.16b
1.1  christos 	add	v17.2d, v9.2d, v9.2d
1.1  christos 	and	v18.16b, v18.16b, v8.16b
1.1  christos 	eor	v5.16b, v10.16b, v9.16b
1.1  christos 	str	q9, [x2], #16
1.1  christos 	ext	v10.16b, v18.16b, v18.16b, #8
1.1  christos 	cmtst	v9.2d, v9.2d, v6.2d
1.1  christos 	and	v9.16b, v9.16b, v8.16b
1.1  christos 	eor	v10.16b, v17.16b, v10.16b
1.1  christos 	cmtst	v17.2d, v10.2d, v6.2d
1.1  christos 	eor	v6.16b, v16.16b, v10.16b
1.1  christos 	str	q10, [x2], #16
1.1  christos 	ext	v9.16b, v9.16b, v9.16b, #8
1.1  christos 	add	v10.2d, v10.2d, v10.2d
1.1  christos 	eor	v9.16b, v10.16b, v9.16b
1.1  christos 	str	q9, [x2], #16
1.1  christos 	eor	v7.16b, v7.16b, v9.16b
1.1  christos 	add	v9.2d, v9.2d, v9.2d
1.1  christos 	and	v8.16b, v17.16b, v8.16b
1.1  christos 	ext	v8.16b, v8.16b, v8.16b, #8
1.1  christos 	eor	v8.16b, v9.16b, v8.16b
1.1  christos 	str	q8, [x2]                    // next round tweak
1.1  christos
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos
1.1  christos 	eor	v6.16b, v6.16b, v13.16b
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	ldr	q8, [x0], #16
1.1  christos 	eor	v7.16b, v7.16b, v8.16b
1.1  christos 	str	q0, [x21], #16
1.1  christos 	eor	v0.16b, v1.16b, v12.16b
1.1  christos 	ldr	q1, [x0], #16
1.1  christos 	eor	v1.16b, v3.16b, v1.16b
1.1  christos 	subs	x22, x22, #0x80
1.1  christos 	eor	v2.16b, v2.16b, v15.16b
1.1  christos 	eor	v3.16b, v4.16b, v14.16b
1.1  christos 	ldr	q4, [x0], #16
1.1  christos 	str	q0, [x21], #16
1.1  christos 	ldr	q11, [x0]                   // next round tweak
1.1  christos 	eor	v0.16b, v5.16b, v4.16b
1.1  christos 	str	q6, [x21], #16
1.1  christos 	str	q3, [x21], #16
1.1  christos 	str	q2, [x21], #16
1.1  christos 	str	q7, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	str	q0, [x21], #16
1.1  christos 	bpl	.Lxts_dec_loop
1.1  christos
1.1  christos .Lxts_dec_short:
1.1  christos 	adds	x22, x22, #0x70
1.1  christos 	bmi	.Lxts_dec_done
1.1  christos
1.1  christos 	ldr	q8, .Lxts_magic
1.1  christos 	sshr	v1.2d, v11.2d, #63
1.1  christos 	add	v2.2d, v11.2d, v11.2d
1.1  christos 	ldr	q9, .Lxts_magic+16
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	ldr	q0, [x20], #16
1.1  christos 	and	v1.16b, v1.16b, v8.16b
1.1  christos 	cmtst	v3.2d, v11.2d, v9.2d
1.1  christos 	ext	v1.16b, v1.16b, v1.16b, #8
1.1  christos 	and	v3.16b, v3.16b, v8.16b
1.1  christos 	eor	v12.16b, v2.16b, v1.16b
1.1  christos 	ext	v1.16b, v3.16b, v3.16b, #8
1.1  christos 	add	v2.2d, v12.2d, v12.2d
1.1  christos 	cmtst	v3.2d, v12.2d, v9.2d
1.1  christos 	eor	v13.16b, v2.16b, v1.16b
1.1  christos 	and	v22.16b, v3.16b, v8.16b
1.1  christos 	bmi	.Lxts_dec_1
1.1  christos
1.1  christos 	ext	v2.16b, v22.16b, v22.16b, #8
1.1  christos 	add	v3.2d, v13.2d, v13.2d
1.1  christos 	ldr	q1, [x20], #16
1.1  christos 	cmtst	v4.2d, v13.2d, v9.2d
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v14.16b, v3.16b, v2.16b
1.1  christos 	and	v23.16b, v4.16b, v8.16b
1.1  christos 	bmi	.Lxts_dec_2
1.1  christos
1.1  christos 	ext	v3.16b, v23.16b, v23.16b, #8
1.1  christos 	add	v4.2d, v14.2d, v14.2d
1.1  christos 	ldr	q2, [x20], #16
1.1  christos 	cmtst	v5.2d, v14.2d, v9.2d
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v15.16b, v4.16b, v3.16b
1.1  christos 	and	v24.16b, v5.16b, v8.16b
1.1  christos 	bmi	.Lxts_dec_3
1.1  christos
1.1  christos 	ext	v4.16b, v24.16b, v24.16b, #8
1.1  christos 	add	v5.2d, v15.2d, v15.2d
1.1  christos 	ldr	q3, [x20], #16
1.1  christos 	cmtst	v6.2d, v15.2d, v9.2d
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v16.16b, v5.16b, v4.16b
1.1  christos 	and	v25.16b, v6.16b, v8.16b
1.1  christos 	bmi	.Lxts_dec_4
1.1  christos
1.1  christos 	ext	v5.16b, v25.16b, v25.16b, #8
1.1  christos 	add	v6.2d, v16.2d, v16.2d
1.1  christos 	add	x0, x19, #16
1.1  christos 	cmtst	v7.2d, v16.2d, v9.2d
1.1  christos 	ldr	q4, [x20], #16
1.1  christos 	eor	v2.16b, v2.16b, v13.16b
1.1  christos 	str	q16, [x0], #16
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v17.16b, v6.16b, v5.16b
1.1  christos 	and	v26.16b, v7.16b, v8.16b
1.1  christos 	bmi	.Lxts_dec_5
1.1  christos
1.1  christos 	ext	v7.16b, v26.16b, v26.16b, #8
1.1  christos 	add	v18.2d, v17.2d, v17.2d
1.1  christos 	ldr	q5, [x20], #16
1.1  christos 	eor	v3.16b, v3.16b, v14.16b
1.1  christos 	str	q17, [x0], #16
1.1  christos 	subs	x22, x22, #0x10
1.1  christos 	eor	v18.16b, v18.16b, v7.16b
1.1  christos 	bmi	.Lxts_dec_6
1.1  christos
1.1  christos 	ldr	q6, [x20], #16
1.1  christos 	eor	v4.16b, v4.16b, v15.16b
1.1  christos 	eor	v5.16b, v5.16b, v16.16b
1.1  christos 	str	q18, [x0]                   // next round tweak
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1
1.1  christos 	add	x0, x19, #16
1.1  christos 	sub	x22, x22, #0x10
1.1  christos 	eor	v6.16b, v6.16b, v17.16b
1.1  christos
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos
1.1  christos 	ldr	q16, [x0], #16
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	ldr	q17, [x0], #16
1.1  christos 	eor	v6.16b, v6.16b, v13.16b
1.1  christos 	eor	v4.16b, v4.16b, v14.16b
1.1  christos 	eor	v2.16b, v2.16b, v15.16b
1.1  christos 	ldr	q11, [x0]                   // next round tweak
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	eor	v0.16b, v7.16b, v16.16b
1.1  christos 	eor	v1.16b, v3.16b, v17.16b
1.1  christos 	str	q6, [x21], #16
1.1  christos 	str	q4, [x21], #16
1.1  christos 	str	q2, [x21], #16
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	b	.Lxts_dec_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_dec_6:
1.1  christos 	eor	v4.16b, v4.16b, v15.16b
1.1  christos 	eor	v5.16b, v5.16b, v16.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos
1.1  christos 	ldr	q16, [x0], #16
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	eor	v6.16b, v6.16b, v13.16b
1.1  christos 	eor	v4.16b, v4.16b, v14.16b
1.1  christos 	ldr	q11, [x0]                   // next round tweak
1.1  christos 	eor	v2.16b, v2.16b, v15.16b
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	eor	v0.16b, v7.16b, v16.16b
1.1  christos 	str	q6, [x21], #16
1.1  christos 	str	q4, [x21], #16
1.1  christos 	str	q2, [x21], #16
1.1  christos 	str	q0, [x21], #16
1.1  christos 	b	.Lxts_dec_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_dec_5:
1.1  christos 	eor	v3.16b, v3.16b, v14.16b
1.1  christos 	eor	v4.16b, v4.16b, v15.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	ldr	q11, [x0]                   // next round tweak
1.1  christos 	eor	v6.16b, v6.16b, v13.16b
1.1  christos 	eor	v4.16b, v4.16b, v14.16b
1.1  christos 	eor	v2.16b, v2.16b, v15.16b
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	str	q6, [x21], #16
1.1  christos 	str	q4, [x21], #16
1.1  christos 	str	q2, [x21], #16
1.1  christos 	b	.Lxts_dec_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_dec_4:
1.1  christos 	eor	v2.16b, v2.16b, v13.16b
1.1  christos 	eor	v3.16b, v3.16b, v14.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	eor	v6.16b, v6.16b, v13.16b
1.1  christos 	eor	v4.16b, v4.16b, v14.16b
1.1  christos 	mov	v11.16b, v15.16b            // next round tweak
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	str	q6, [x21], #16
1.1  christos 	str	q4, [x21], #16
1.1  christos 	b	.Lxts_dec_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_dec_3:
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	eor	v2.16b, v2.16b, v13.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	eor	v6.16b, v6.16b, v13.16b
1.1  christos 	mov	v11.16b, v14.16b            // next round tweak
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	str	q6, [x21], #16
1.1  christos 	b	.Lxts_dec_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_dec_2:
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	mov	x9, sp                      // pass key schedule
1.1  christos 	mov	x10, x1                     // pass rounds
1.1  christos 	add	x0, x19, #16
1.1  christos
1.1  christos 	bl	_bsaes_decrypt8
1.1  christos
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	eor	v1.16b, v1.16b, v12.16b
1.1  christos 	mov	v11.16b, v13.16b            // next round tweak
1.1  christos 	str	q0, [x21], #16
1.1  christos 	str	q1, [x21], #16
1.1  christos 	b	.Lxts_dec_done
1.1  christos
1.1  christos .align	4
1.1  christos .Lxts_dec_1:
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	sub	x0, sp, #16
1.1  christos 	sub	x1, sp, #16
1.1  christos 	mov	x2, x23
1.1  christos 	mov	v13.d[0], v11.d[1]          // just in case AES_decrypt corrupts top half of callee-saved SIMD registers
1.1  christos 	mov	v14.d[0], v12.d[1]
1.1  christos 	str	q0, [sp, #-16]!
1.1  christos
1.1  christos 	bl	AES_decrypt
1.1  christos
1.1  christos 	ldr	q0, [sp], #16
1.1  christos 	trn1	v13.2d, v11.2d, v13.2d
1.1  christos 	trn1	v11.2d, v12.2d, v14.2d      // next round tweak
1.1  christos 	eor	v0.16b, v0.16b, v13.16b
1.1  christos 	str	q0, [x21], #16
1.1  christos
1.1  christos .Lxts_dec_done:
1.1  christos 	adds	x22, x22, #0x10
1.1  christos 	beq	.Lxts_dec_ret
1.1  christos
1.1  christos         // calculate one round of extra tweak for the stolen ciphertext
1.1  christos 	ldr	q8, .Lxts_magic
1.1  christos 	sshr	v6.2d, v11.2d, #63
1.1  christos 	and	v6.16b, v6.16b, v8.16b
1.1  christos 	add	v12.2d, v11.2d, v11.2d
1.1  christos 	ext	v6.16b, v6.16b, v6.16b, #8
1.1  christos 	eor	v12.16b, v12.16b, v6.16b
1.1  christos
1.1  christos         // perform the final decryption with the last tweak value
1.1  christos 	ldr	q0, [x20], #16
1.1  christos 	eor	v0.16b, v0.16b, v12.16b
1.1  christos 	str	q0, [sp, #-16]!
1.1  christos 	mov	x0, sp
1.1  christos 	mov	x1, sp
1.1  christos 	mov	x2, x23
1.1  christos 	mov	v13.d[0], v11.d[1]          // just in case AES_decrypt corrupts top half of callee-saved SIMD registers
1.1  christos 	mov	v14.d[0], v12.d[1]
1.1  christos
1.1  christos 	bl	AES_decrypt
1.1  christos
1.1  christos 	trn1	v12.2d, v12.2d, v14.2d
1.1  christos 	trn1	v11.2d, v11.2d, v13.2d
1.1  christos 	ldr	q0, [sp], #16
1.1  christos 	eor	v0.16b, v0.16b, v12.16b
1.1  christos 	str	q0, [x21]
1.1  christos
1.1  christos 	mov	x6, x21
1.1  christos         // Penultimate ciphertext block produces final plaintext part-block
1.1  christos         // plus remaining part of final ciphertext block. Move plaintext part
1.1  christos         // to final position and reuse penultimate plaintext block buffer to
1.1  christos         // construct final ciphertext block
1.1  christos .Lxts_dec_steal:
1.1  christos 	ldrb	w1, [x21]
1.1  christos 	ldrb	w0, [x20], #1
1.1  christos 	strb	w1, [x21, #0x10]
1.1  christos 	strb	w0, [x21], #1
1.1  christos
1.1  christos 	subs	x22, x22, #1
1.1  christos 	bhi	.Lxts_dec_steal
1.1  christos
1.1  christos         // Finally decrypt the penultimate plaintext block using the
1.1  christos         // penultimate tweak
1.1  christos 	ldr	q0, [x6]
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	str	q0, [sp, #-16]!
1.1  christos 	mov	x0, sp
1.1  christos 	mov	x1, sp
1.1  christos 	mov	x2, x23
1.1  christos 	mov	x21, x6
1.1  christos
1.1  christos 	bl	AES_decrypt
1.1  christos
1.1  christos 	trn1	v11.2d, v11.2d, v13.2d
1.1  christos 	ldr	q0, [sp], #16
1.1  christos 	eor	v0.16b, v0.16b, v11.16b
1.1  christos 	str	q0, [x21]
1.1  christos
1.1  christos .Lxts_dec_ret:
1.1  christos
1.1  christos 	movi	v0.16b, #0
1.1  christos 	movi	v1.16b, #0
1.1  christos .Lxts_dec_bzero:	//	wipe key schedule
1.1  christos 	stp	q0, q1, [sp], #32
1.1  christos 	cmp	sp, x19
1.1  christos 	bne	.Lxts_dec_bzero
1.1  christos
1.1  christos 	ldp	x19, x20, [sp, #80]
1.1  christos 	ldp	x21, x22, [sp, #96]
1.1  christos 	ldr	x23, [sp, #112]
1.1  christos 	ldp	d8, d9, [sp, #128]
1.1  christos 	ldp	d10, d11, [sp, #144]
1.1  christos 	ldp	d12, d13, [sp, #160]
1.1  christos 	ldp	d14, d15, [sp, #176]
1.1  christos 	ldp	x29, x30, [sp], #192
1.1  christos 	ret
1.1  christos .size	ossl_bsaes_xts_decrypt,.-ossl_bsaes_xts_decrypt