aws-crt 0.1.9 → 0.2.0

Files changed (581)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +5 -0
  3. data/VERSION +1 -1
  4. data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/auth.h +1 -0
  5. data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/aws_imds_client.h +5 -0
  6. data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/credentials.h +5 -0
  7. data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/private/aws_signing.h +1 -0
  8. data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/private/credentials_utils.h +2 -0
  9. data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/signing_config.h +1 -0
  10. data/aws-crt-ffi/crt/aws-c-auth/source/auth.c +3 -1
  11. data/aws-crt-ffi/crt/aws-c-auth/source/aws_imds_client.c +146 -63
  12. data/aws-crt-ffi/crt/aws-c-auth/source/aws_signing.c +41 -19
  13. data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_imds.c +1 -0
  14. data/aws-crt-ffi/crt/aws-c-auth/source/credentials_utils.c +1 -0
  15. data/aws-crt-ffi/crt/aws-c-auth/source/signable_http_request.c +2 -1
  16. data/aws-crt-ffi/crt/aws-c-auth/source/signing_config.c +25 -0
  17. data/aws-crt-ffi/crt/aws-c-auth/tests/CMakeLists.txt +3 -0
  18. data/aws-crt-ffi/crt/aws-c-auth/tests/aws_imds_client_test.c +197 -31
  19. data/aws-crt-ffi/crt/aws-c-auth/tests/credentials_provider_imds_tests.c +16 -18
  20. data/aws-crt-ffi/crt/aws-c-auth/tests/sigv4_signing_tests.c +3 -1
  21. data/aws-crt-ffi/crt/aws-c-cal/include/aws/cal/private/opensslcrypto_common.h +22 -0
  22. data/aws-crt-ffi/crt/aws-c-cal/source/darwin/commoncrypto_aes.c +46 -17
  23. data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_aes.c +1 -0
  24. data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_platform_init.c +7 -0
  25. data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_rsa.c +59 -2
  26. data/aws-crt-ffi/crt/aws-c-cal/source/unix/opensslcrypto_ecc.c +1 -0
  27. data/aws-crt-ffi/crt/aws-c-common/CMakeLists.txt +13 -1
  28. data/aws-crt-ffi/crt/aws-c-common/THIRD-PARTY-LICENSES.txt +28 -7
  29. data/aws-crt-ffi/crt/aws-c-common/bin/system_info/CMakeLists.txt +18 -0
  30. data/aws-crt-ffi/crt/aws-c-common/bin/system_info/print_system_info.c +48 -0
  31. data/aws-crt-ffi/crt/aws-c-common/include/aws/common/allocator.h +23 -0
  32. data/aws-crt-ffi/crt/aws-c-common/include/aws/common/byte_buf.h +12 -0
  33. data/aws-crt-ffi/crt/aws-c-common/include/aws/common/cross_process_lock.h +35 -0
  34. data/aws-crt-ffi/crt/aws-c-common/include/aws/common/hash_table.h +1 -0
  35. data/aws-crt-ffi/crt/aws-c-common/include/aws/common/priority_queue.h +24 -0
  36. data/aws-crt-ffi/crt/aws-c-common/include/aws/common/private/system_info_priv.h +37 -0
  37. data/aws-crt-ffi/crt/aws-c-common/include/aws/common/system_info.h +47 -0
  38. data/aws-crt-ffi/crt/aws-c-common/include/aws/common/system_resource_util.h +30 -0
  39. data/aws-crt-ffi/crt/aws-c-common/include/aws/testing/aws_test_harness.h +3 -2
  40. data/aws-crt-ffi/crt/aws-c-common/source/allocator.c +64 -13
  41. data/aws-crt-ffi/crt/aws-c-common/source/android/logging.c +14 -0
  42. data/aws-crt-ffi/crt/aws-c-common/source/common.c +3 -3
  43. data/aws-crt-ffi/crt/aws-c-common/source/file.c +96 -35
  44. data/aws-crt-ffi/crt/aws-c-common/source/linux/system_info.c +24 -0
  45. data/aws-crt-ffi/crt/aws-c-common/source/memtrace.c +10 -3
  46. data/aws-crt-ffi/crt/aws-c-common/source/platform_fallback_stubs/system_info.c +21 -0
  47. data/aws-crt-ffi/crt/aws-c-common/source/posix/cross_process_lock.c +141 -0
  48. data/aws-crt-ffi/crt/aws-c-common/source/posix/system_info.c +1 -1
  49. data/aws-crt-ffi/crt/aws-c-common/source/posix/system_resource_utils.c +32 -0
  50. data/aws-crt-ffi/crt/aws-c-common/source/priority_queue.c +24 -0
  51. data/aws-crt-ffi/crt/aws-c-common/source/system_info.c +80 -0
  52. data/aws-crt-ffi/crt/aws-c-common/source/task_scheduler.c +2 -2
  53. data/aws-crt-ffi/crt/aws-c-common/source/windows/cross_process_lock.c +93 -0
  54. data/aws-crt-ffi/crt/aws-c-common/source/windows/system_resource_utils.c +31 -0
  55. data/aws-crt-ffi/crt/aws-c-common/tests/CMakeLists.txt +16 -0
  56. data/aws-crt-ffi/crt/aws-c-common/tests/alloc_test.c +83 -22
  57. data/aws-crt-ffi/crt/aws-c-common/tests/cross_process_lock_tests.c +116 -0
  58. data/aws-crt-ffi/crt/aws-c-common/tests/file_test.c +103 -0
  59. data/aws-crt-ffi/crt/aws-c-common/tests/priority_queue_test.c +36 -0
  60. data/aws-crt-ffi/crt/aws-c-common/tests/system_info_tests.c +19 -0
  61. data/aws-crt-ffi/crt/aws-c-common/tests/system_resource_util_test.c +37 -0
  62. data/aws-crt-ffi/crt/aws-c-http/include/aws/http/connection.h +9 -0
  63. data/aws-crt-ffi/crt/aws-c-http/include/aws/http/http.h +1 -0
  64. data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/connection_impl.h +5 -4
  65. data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/connection_manager_system_vtable.h +10 -18
  66. data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/proxy_impl.h +5 -1
  67. data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/request_response_impl.h +5 -0
  68. data/aws-crt-ffi/crt/aws-c-http/include/aws/http/request_response.h +10 -0
  69. data/aws-crt-ffi/crt/aws-c-http/source/connection.c +5 -2
  70. data/aws-crt-ffi/crt/aws-c-http/source/connection_manager.c +22 -21
  71. data/aws-crt-ffi/crt/aws-c-http/source/h1_connection.c +102 -17
  72. data/aws-crt-ffi/crt/aws-c-http/source/h1_stream.c +1 -0
  73. data/aws-crt-ffi/crt/aws-c-http/source/http.c +3 -0
  74. data/aws-crt-ffi/crt/aws-c-http/source/proxy_connection.c +2 -2
  75. data/aws-crt-ffi/crt/aws-c-http/tests/CMakeLists.txt +2 -0
  76. data/aws-crt-ffi/crt/aws-c-http/tests/test_connection_manager.c +18 -18
  77. data/aws-crt-ffi/crt/aws-c-http/tests/test_h1_client.c +111 -1
  78. data/aws-crt-ffi/crt/aws-c-http/tests/test_proxy.c +2 -2
  79. data/aws-crt-ffi/crt/aws-c-http/tests/test_stream_manager.c +2 -2
  80. data/aws-crt-ffi/crt/aws-c-io/include/aws/io/retry_strategy.h +1 -1
  81. data/aws-crt-ffi/crt/aws-c-io/source/exponential_backoff_retry_strategy.c +1 -1
  82. data/aws-crt-ffi/crt/aws-c-io/source/pkcs11_tls_op_handler.c +2 -4
  83. data/aws-crt-ffi/crt/aws-lc/CMakeLists.txt +16 -8
  84. data/aws-crt-ffi/crt/aws-lc/cmake/go.cmake +6 -0
  85. data/aws-crt-ffi/crt/aws-lc/crypto/CMakeLists.txt +6 -9
  86. data/aws-crt-ffi/crt/aws-lc/crypto/asn1/a_time.c +34 -1
  87. data/aws-crt-ffi/crt/aws-lc/crypto/asn1/a_utctm.c +4 -1
  88. data/aws-crt-ffi/crt/aws-lc/crypto/asn1/asn1_test.cc +41 -0
  89. data/aws-crt-ffi/crt/aws-lc/crypto/bio/bio_mem.c +6 -7
  90. data/aws-crt-ffi/crt/aws-lc/crypto/bio/bio_test.cc +152 -16
  91. data/aws-crt-ffi/crt/aws-lc/crypto/bio/connect.c +6 -12
  92. data/aws-crt-ffi/crt/aws-lc/crypto/bio/fd.c +2 -2
  93. data/aws-crt-ffi/crt/aws-lc/crypto/bio/file.c +20 -8
  94. data/aws-crt-ffi/crt/aws-lc/crypto/bio/socket.c +2 -2
  95. data/aws-crt-ffi/crt/aws-lc/crypto/bio/socket_helper.c +2 -2
  96. data/aws-crt-ffi/crt/aws-lc/crypto/blake2/blake2.c +11 -1
  97. data/aws-crt-ffi/crt/aws-lc/crypto/bytestring/cbb.c +13 -3
  98. data/aws-crt-ffi/crt/aws-lc/crypto/bytestring/cbs.c +9 -0
  99. data/aws-crt-ffi/crt/aws-lc/crypto/chacha/asm/chacha-armv8.pl +1 -1
  100. data/aws-crt-ffi/crt/aws-lc/crypto/chacha/chacha.c +49 -8
  101. data/aws-crt-ffi/crt/aws-lc/crypto/chacha/chacha_test.cc +110 -0
  102. data/aws-crt-ffi/crt/aws-lc/crypto/chacha/internal.h +8 -1
  103. data/aws-crt-ffi/crt/aws-lc/crypto/compiler_test.cc +4 -1
  104. data/aws-crt-ffi/crt/aws-lc/crypto/conf/conf_test.cc +1 -0
  105. data/aws-crt-ffi/crt/aws-lc/crypto/crypto_test.cc +9 -0
  106. data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/curve25519.c +189 -108
  107. data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/curve25519_nohw.c +78 -6
  108. data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/ed25519_test.cc +9 -0
  109. data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/internal.h +24 -10
  110. data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/spake25519.c +4 -4
  111. data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/x25519_test.cc +80 -11
  112. data/aws-crt-ffi/crt/aws-lc/crypto/decrepit/evp/evp_do_all.c +2 -0
  113. data/aws-crt-ffi/crt/aws-lc/crypto/digest_extra/digest_extra.c +8 -0
  114. data/aws-crt-ffi/crt/aws-lc/crypto/digest_extra/digest_test.cc +110 -45
  115. data/aws-crt-ffi/crt/aws-lc/crypto/dsa/dsa_test.cc +8 -2
  116. data/aws-crt-ffi/crt/aws-lc/crypto/dsa/internal.h +18 -0
  117. data/aws-crt-ffi/crt/aws-lc/crypto/dynamic_loading_test.c +8 -5
  118. data/aws-crt-ffi/crt/aws-lc/crypto/ec_extra/ec_derive.c +4 -3
  119. data/aws-crt-ffi/crt/aws-lc/crypto/ec_extra/hash_to_curve.c +6 -18
  120. data/aws-crt-ffi/crt/aws-lc/crypto/endian_test.cc +308 -0
  121. data/aws-crt-ffi/crt/aws-lc/crypto/err/ssl.errordata +2 -0
  122. data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_extra_test.cc +2 -0
  123. data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_test.cc +11 -1
  124. data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_tests.txt +25 -0
  125. data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_ec_asn1.c +1 -1
  126. data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_kem.c +2 -2
  127. data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_rsa_asn1.c +1 -0
  128. data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/print.c +7 -6
  129. data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/scrypt.c +13 -1
  130. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/CMakeLists.txt +13 -4
  131. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/aes/aes_nohw.c +18 -6
  132. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bcm.c +12 -4
  133. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bn_assert_test.cc +77 -0
  134. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bn_test.cc +30 -0
  135. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bytes.c +112 -22
  136. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/div.c +12 -5
  137. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/exponentiation.c +54 -1
  138. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/gcd.c +5 -6
  139. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/internal.h +37 -15
  140. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/montgomery.c +4 -11
  141. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/montgomery_inv.c +51 -15
  142. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/cipher/aead.c +2 -2
  143. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/digest.c +29 -6
  144. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/digests.c +89 -0
  145. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/internal.h +4 -0
  146. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec.c +19 -36
  147. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_key.c +3 -3
  148. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_montgomery.c +9 -7
  149. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_test.cc +33 -9
  150. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/internal.h +17 -12
  151. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p224-64.c +5 -8
  152. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p256-nistz.c +8 -8
  153. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p256.c +9 -8
  154. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p384.c +33 -16
  155. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p521.c +14 -6
  156. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/scalar.c +26 -24
  157. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/simple_mul.c +8 -5
  158. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/wnaf.c +3 -3
  159. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ecdsa/ecdsa.c +9 -3
  160. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/evp/evp.c +43 -12
  161. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/evp/p_ec.c +4 -3
  162. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/hmac/hmac.c +3 -1
  163. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/modes/xts.c +26 -3
  164. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/cpu_jitter_test.cc +1 -1
  165. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/internal.h +20 -11
  166. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/rand.c +10 -10
  167. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/urandom.c +2 -2
  168. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/internal.h +59 -0
  169. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/padding.c +9 -3
  170. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/rsa.c +7 -0
  171. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/rsa_impl.c +51 -60
  172. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/service_indicator/service_indicator.c +5 -2
  173. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/service_indicator/service_indicator_test.cc +205 -5
  174. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/asm/sha1-armv8.pl +1 -1
  175. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/asm/sha512-armv8.pl +1 -1
  176. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/internal.h +8 -0
  177. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha3.c +37 -15
  178. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha3_test.cc +115 -110
  179. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha512.c +55 -1
  180. data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sshkdf/sshkdf.c +2 -2
  181. data/aws-crt-ffi/crt/aws-lc/crypto/hmac_extra/hmac_test.cc +12 -0
  182. data/aws-crt-ffi/crt/aws-lc/crypto/hmac_extra/hmac_tests.txt +10 -0
  183. data/aws-crt-ffi/crt/aws-lc/crypto/hrss/asm/poly_rq_mul.S +2 -6
  184. data/aws-crt-ffi/crt/aws-lc/crypto/impl_dispatch_test.cc +9 -1
  185. data/aws-crt-ffi/crt/aws-lc/crypto/internal.h +90 -8
  186. data/aws-crt-ffi/crt/aws-lc/crypto/kem/kem.c +28 -27
  187. data/aws-crt-ffi/crt/aws-lc/crypto/kyber/kem_kyber.h +14 -0
  188. data/aws-crt-ffi/crt/aws-lc/crypto/obj/obj_dat.h +52 -2
  189. data/aws-crt-ffi/crt/aws-lc/crypto/obj/obj_mac.num +5 -0
  190. data/aws-crt-ffi/crt/aws-lc/crypto/obj/objects.txt +7 -0
  191. data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/arm-xlate.pl +3 -14
  192. data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/ppc-xlate.pl +1 -5
  193. data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/x86_64-xlate.pl +4 -15
  194. data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/x86asm.pl +4 -13
  195. data/aws-crt-ffi/crt/aws-lc/crypto/poly1305/poly1305_arm_asm.S +3 -13
  196. data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/deterministic.c +4 -3
  197. data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/fuchsia.c +4 -4
  198. data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/rand_test.cc +0 -63
  199. data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/windows.c +41 -19
  200. data/aws-crt-ffi/crt/aws-lc/crypto/rsa_extra/rsa_test.cc +3 -3
  201. data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash.c +12 -5
  202. data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash_test.cc +5 -5
  203. data/aws-crt-ffi/crt/aws-lc/crypto/stack/stack.c +68 -46
  204. data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/pmbtoken.c +4 -4
  205. data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/voprf.c +2 -2
  206. data/aws-crt-ffi/crt/aws-lc/crypto/x509/by_dir.c +0 -6
  207. data/aws-crt-ffi/crt/aws-lc/crypto/x509/internal.h +4 -1
  208. data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_lu.c +33 -9
  209. data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_test.cc +87 -0
  210. data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_trs.c +1 -1
  211. data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_vfy.c +35 -13
  212. data/aws-crt-ffi/crt/aws-lc/crypto/x509v3/v3_lib.c +2 -0
  213. data/aws-crt-ffi/crt/aws-lc/crypto/x509v3/v3_purp.c +4 -6
  214. data/aws-crt-ffi/crt/aws-lc/generated-src/crypto_test_data.cc +179 -151
  215. data/aws-crt-ffi/crt/aws-lc/generated-src/err_data.c +353 -349
  216. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/chacha/chacha-armv8.S +4 -14
  217. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
  218. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
  219. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
  220. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
  221. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
  222. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/bn-armv8.S +4 -14
  223. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +4 -14
  224. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
  225. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
  226. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
  227. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
  228. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
  229. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
  230. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
  231. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
  232. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
  233. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/test/trampoline-armv8.S +4 -14
  234. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/chacha/chacha-armv4.S +3 -13
  235. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/aesv8-armx.S +3 -13
  236. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/armv4-mont.S +3 -13
  237. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/bsaes-armv7.S +3 -13
  238. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/ghash-armv4.S +3 -13
  239. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/ghashv8-armx.S +3 -13
  240. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha1-armv4-large.S +3 -13
  241. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha256-armv4.S +3 -13
  242. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha512-armv4.S +3 -13
  243. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/vpaes-armv7.S +3 -13
  244. data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/test/trampoline-armv4.S +3 -13
  245. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/chacha/chacha-armv8.S +4 -14
  246. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
  247. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
  248. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
  249. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
  250. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
  251. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/bn-armv8.S +3 -13
  252. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +3 -13
  253. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
  254. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
  255. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
  256. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
  257. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
  258. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
  259. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
  260. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
  261. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
  262. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/test/trampoline-armv8.S +3 -13
  263. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/chacha/chacha-armv4.S +3 -13
  264. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/aesv8-armx.S +3 -13
  265. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/armv4-mont.S +3 -13
  266. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/bsaes-armv7.S +3 -13
  267. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/ghash-armv4.S +3 -13
  268. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/ghashv8-armx.S +3 -13
  269. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha1-armv4-large.S +3 -13
  270. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha256-armv4.S +3 -13
  271. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha512-armv4.S +3 -13
  272. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/vpaes-armv7.S +3 -13
  273. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/test/trampoline-armv4.S +3 -13
  274. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/fipsmodule/aesp8-ppc.S +1 -5
  275. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/fipsmodule/ghashp8-ppc.S +1 -5
  276. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/test/trampoline-ppc.S +1 -5
  277. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/chacha/chacha-x86.S +3 -12
  278. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/aesni-x86.S +3 -12
  279. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/bn-586.S +4 -13
  280. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/co-586.S +4 -13
  281. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/ghash-ssse3-x86.S +3 -12
  282. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/ghash-x86.S +3 -12
  283. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/md5-586.S +4 -13
  284. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha1-586.S +4 -13
  285. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha256-586.S +3 -12
  286. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha512-586.S +3 -12
  287. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/vpaes-x86.S +3 -12
  288. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/x86-mont.S +3 -12
  289. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/test/trampoline-x86.S +3 -12
  290. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/chacha/chacha-x86_64.S +2 -11
  291. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S +2 -11
  292. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aesni-sha1-x86_64.S +2 -11
  293. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aesni-sha256-x86_64.S +2 -11
  294. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S +2 -11
  295. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-gcm-avx512.S +2 -11
  296. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S +2 -11
  297. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-x86_64.S +2 -11
  298. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +2 -11
  299. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S +2 -11
  300. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/ghash-x86_64.S +2 -11
  301. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/md5-x86_64.S +2 -11
  302. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm.S +2 -11
  303. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S +2 -11
  304. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/rdrand-x86_64.S +2 -11
  305. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/rsaz-avx2.S +2 -11
  306. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha1-x86_64.S +2 -11
  307. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha256-x86_64.S +2 -11
  308. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha512-x86_64.S +2 -11
  309. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/vpaes-x86_64.S +2 -11
  310. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/x86_64-mont.S +2 -11
  311. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S +2 -11
  312. data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/test/trampoline-x86_64.S +2 -11
  313. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/chacha/chacha-x86.S +3 -12
  314. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/aesni-x86.S +3 -12
  315. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/bn-586.S +3 -12
  316. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/co-586.S +3 -12
  317. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/ghash-ssse3-x86.S +3 -12
  318. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/ghash-x86.S +3 -12
  319. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/md5-586.S +3 -12
  320. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha1-586.S +3 -12
  321. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha256-586.S +3 -12
  322. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha512-586.S +3 -12
  323. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/vpaes-x86.S +3 -12
  324. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/x86-mont.S +3 -12
  325. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/test/trampoline-x86.S +3 -12
  326. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/chacha/chacha-x86_64.S +2 -11
  327. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S +2 -11
  328. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aesni-sha1-x86_64.S +2 -11
  329. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aesni-sha256-x86_64.S +2 -11
  330. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S +2 -11
  331. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-gcm-avx512.S +2 -11
  332. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S +2 -11
  333. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-x86_64.S +2 -11
  334. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +2 -11
  335. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S +2 -11
  336. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/ghash-x86_64.S +2 -11
  337. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/md5-x86_64.S +2 -11
  338. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/p256-x86_64-asm.S +2 -11
  339. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S +2 -11
  340. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/rdrand-x86_64.S +2 -11
  341. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/rsaz-avx2.S +2 -11
  342. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha1-x86_64.S +2 -11
  343. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha256-x86_64.S +2 -11
  344. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha512-x86_64.S +2 -11
  345. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/vpaes-x86_64.S +2 -11
  346. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/x86_64-mont.S +2 -11
  347. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/x86_64-mont5.S +2 -11
  348. data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/test/trampoline-x86_64.S +2 -11
  349. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/chacha/chacha-armv8.S +4 -14
  350. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
  351. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
  352. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
  353. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
  354. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
  355. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/bn-armv8.S +4 -14
  356. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +4 -14
  357. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
  358. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
  359. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
  360. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
  361. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
  362. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
  363. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
  364. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
  365. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
  366. data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/test/trampoline-armv8.S +4 -14
  367. data/aws-crt-ffi/crt/aws-lc/go.mod +4 -4
  368. data/aws-crt-ffi/crt/aws-lc/go.sum +8 -10
  369. data/aws-crt-ffi/crt/aws-lc/include/openssl/aead.h +2 -2
  370. data/aws-crt-ffi/crt/aws-lc/include/openssl/arm_arch.h +4 -119
  371. data/aws-crt-ffi/crt/aws-lc/include/openssl/asm_base.h +185 -0
  372. data/aws-crt-ffi/crt/aws-lc/include/openssl/asn1.h +5 -0
  373. data/aws-crt-ffi/crt/aws-lc/include/openssl/base.h +31 -134
  374. data/aws-crt-ffi/crt/aws-lc/include/openssl/bio.h +30 -18
  375. data/aws-crt-ffi/crt/aws-lc/include/openssl/bn.h +0 -2
  376. data/aws-crt-ffi/crt/aws-lc/include/openssl/chacha.h +6 -0
  377. data/aws-crt-ffi/crt/aws-lc/include/openssl/cipher.h +2 -2
  378. data/aws-crt-ffi/crt/aws-lc/include/openssl/digest.h +9 -6
  379. data/aws-crt-ffi/crt/aws-lc/include/openssl/dsa.h +0 -21
  380. data/aws-crt-ffi/crt/aws-lc/include/openssl/ec.h +1 -1
  381. data/aws-crt-ffi/crt/aws-lc/include/openssl/err.h +1 -1
  382. data/aws-crt-ffi/crt/aws-lc/include/openssl/evp.h +8 -5
  383. data/aws-crt-ffi/crt/aws-lc/include/openssl/nid.h +21 -0
  384. data/aws-crt-ffi/crt/aws-lc/include/openssl/rsa.h +1 -65
  385. data/aws-crt-ffi/crt/aws-lc/include/openssl/sha.h +22 -1
  386. data/aws-crt-ffi/crt/aws-lc/include/openssl/ssl.h +121 -13
  387. data/aws-crt-ffi/crt/aws-lc/include/openssl/stack.h +229 -208
  388. data/aws-crt-ffi/crt/aws-lc/include/openssl/target.h +166 -0
  389. data/aws-crt-ffi/crt/aws-lc/include/openssl/x509.h +30 -10
  390. data/aws-crt-ffi/crt/aws-lc/include/openssl/x509v3.h +6 -4
  391. data/aws-crt-ffi/crt/aws-lc/sources.cmake +2 -0
  392. data/aws-crt-ffi/crt/aws-lc/ssl/extensions.cc +12 -7
  393. data/aws-crt-ffi/crt/aws-lc/ssl/handshake_server.cc +28 -18
  394. data/aws-crt-ffi/crt/aws-lc/ssl/internal.h +41 -6
  395. data/aws-crt-ffi/crt/aws-lc/ssl/s3_both.cc +9 -17
  396. data/aws-crt-ffi/crt/aws-lc/ssl/ssl_cipher.cc +13 -5
  397. data/aws-crt-ffi/crt/aws-lc/ssl/ssl_key_share.cc +542 -2
  398. data/aws-crt-ffi/crt/aws-lc/ssl/ssl_lib.cc +35 -0
  399. data/aws-crt-ffi/crt/aws-lc/ssl/ssl_test.cc +1847 -14
  400. data/aws-crt-ffi/crt/aws-lc/ssl/ssl_x509.cc +128 -0
  401. data/aws-crt-ffi/crt/aws-lc/ssl/test/PORTING.md +10 -7
  402. data/aws-crt-ffi/crt/aws-lc/ssl/test/bssl_shim.cc +133 -77
  403. data/aws-crt-ffi/crt/aws-lc/ssl/test/handshake_util.cc +3 -3
  404. data/aws-crt-ffi/crt/aws-lc/ssl/test/handshaker.cc +4 -0
  405. data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_client.go +6 -2
  406. data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_messages.go +894 -1042
  407. data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_server.go +24 -23
  408. data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/prf.go +6 -5
  409. data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/runner.go +56 -55
  410. data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/shim_dispatcher.go +188 -0
  411. data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/ticket.go +37 -39
  412. data/aws-crt-ffi/crt/aws-lc/ssl/test/test_config.cc +59 -24
  413. data/aws-crt-ffi/crt/aws-lc/ssl/test/test_config.h +3 -2
  414. data/aws-crt-ffi/crt/aws-lc/ssl/tls13_server.cc +10 -11
  415. data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/app.py +4 -4
  416. data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/{aws_lc_mac_arm_ci_stack.py → aws_lc_ec2_test_framework_ci_stack.py} +13 -29
  417. data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml +43 -0
  418. data/aws-crt-ffi/crt/aws-lc/tests/ci/common_posix_setup.sh +10 -0
  419. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-aarch/amazonlinux-2023_base/Dockerfile +5 -1
  420. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-aarch/ubuntu-22.04_base/Dockerfile +19 -3
  421. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/amazonlinux-2_gcc-7x-intel-sde/Dockerfile +5 -4
  422. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/build_images.sh +1 -0
  423. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/push_images.sh +2 -1
  424. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-20.04_clang-10x_formal-verification/create_image.sh +1 -1
  425. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-22.04_base/Dockerfile +1 -0
  426. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-22.04_clang-14x-sde/Dockerfile +42 -0
  427. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/windows/vs2017/Dockerfile +14 -0
  428. data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/windows/windows_base/Dockerfile +3 -0
  429. data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/README.md +12 -0
  430. data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/nginx_patch/aws-lc-nginx.patch +68 -23
  431. data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_crt_integration.sh +27 -0
  432. data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_monit_integration.sh +56 -0
  433. data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/sslproxy_patch/aws-lc-sslproxy.patch +2 -2
  434. data/aws-crt-ffi/crt/aws-lc/tests/ci/run_ec2_test_framework.sh +135 -0
  435. data/aws-crt-ffi/crt/aws-lc/tests/ci/run_fips_tests.sh +14 -2
  436. data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde.sh +4 -1
  437. data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde_asan.sh +14 -0
  438. data/aws-crt-ffi/crt/aws-lc/tests/ci/run_windows_tests.bat +39 -3
  439. data/aws-crt-ffi/crt/aws-lc/third_party/fiat/README.md +21 -6
  440. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_madd_n25519.S +284 -0
  441. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_madd_n25519_alt.S +210 -0
  442. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_mod_n25519.S +186 -0
  443. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_neg_p25519.S +65 -0
  444. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519.S +1043 -352
  445. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_alt.S +1043 -352
  446. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_byte.S +1043 -352
  447. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_byte_alt.S +1043 -352
  448. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base.S +1042 -352
  449. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_alt.S +1042 -352
  450. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_byte.S +1042 -352
  451. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_byte_alt.S +1043 -354
  452. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_decode.S +700 -0
  453. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_decode_alt.S +563 -0
  454. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_encode.S +131 -0
  455. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmulbase.S +9626 -0
  456. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmulbase_alt.S +9468 -0
  457. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmuldouble.S +3157 -0
  458. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmuldouble_alt.S +2941 -0
  459. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/p384/Makefile +1 -1
  460. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/p521/Makefile +1 -1
  461. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/include/s2n-bignum_aws-lc.h +34 -0
  462. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_madd_n25519.S +219 -0
  463. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_madd_n25519_alt.S +245 -0
  464. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_mod_n25519.S +228 -0
  465. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_neg_p25519.S +86 -0
  466. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519.S +1350 -407
  467. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519_alt.S +1350 -407
  468. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519base.S +1344 -400
  469. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519base_alt.S +1348 -402
  470. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_decode.S +670 -0
  471. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_decode_alt.S +751 -0
  472. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_encode.S +81 -0
  473. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmulbase.S +9910 -0
  474. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmulbase_alt.S +9986 -0
  475. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmuldouble.S +3619 -0
  476. data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmuldouble_alt.S +3736 -0
  477. data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_224_test.json +1978 -0
  478. data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_224_test.txt +1403 -0
  479. data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_256_test.json +1993 -0
  480. data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_256_test.txt +1416 -0
  481. data/aws-crt-ffi/crt/aws-lc/tool/digest.cc +4 -0
  482. data/aws-crt-ffi/crt/aws-lc/tool/internal.h +1 -0
  483. data/aws-crt-ffi/crt/aws-lc/tool/speed.cc +53 -6
  484. data/aws-crt-ffi/crt/aws-lc/util/all_tests.go +43 -12
  485. data/aws-crt-ffi/crt/aws-lc/util/all_tests.json +13 -5
  486. data/aws-crt-ffi/crt/aws-lc/util/bot/DEPS +4 -4
  487. data/aws-crt-ffi/crt/aws-lc/util/bot/update_clang.py +8 -2
  488. data/aws-crt-ffi/crt/aws-lc/util/codecov-ci.sh +82 -0
  489. data/aws-crt-ffi/crt/aws-lc/util/convert_wycheproof/convert_wycheproof.go +7 -5
  490. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/ACVP.md +7 -0
  491. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/hash.go +24 -9
  492. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/rsa.go +3 -4
  493. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/subprocess.go +15 -10
  494. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-224.bz2 +0 -0
  495. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHA2-512-224.bz2 +0 -0
  496. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHAKE-128.bz2 +0 -0
  497. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHAKE-256.bz2 +0 -0
  498. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/sha512-224-tests.json +1 -0
  499. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/shake-128-tests.json +1 -0
  500. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/shake-256-tests.json +1 -0
  501. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/tests.json +1 -0
  502. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-224.bz2 +0 -0
  503. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHA2-512-224.bz2 +0 -0
  504. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHAKE-128.bz2 +0 -0
  505. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHAKE-256.bz2 +0 -0
  506. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/modulewrapper/main.cc +4 -0
  507. data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/modulewrapper/modulewrapper.cc +144 -1
  508. data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/delocate.go +9 -3
  509. data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/testdata/aarch64-Basic/in.s +4 -0
  510. data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/testdata/aarch64-Basic/out.s +11 -0
  511. data/aws-crt-ffi/crt/aws-lc/util/fipstools/inject_hash/inject_hash.go +13 -4
  512. data/aws-crt-ffi/crt/aws-lc/util/fipstools/test-break-kat.sh +2 -0
  513. data/aws-crt-ffi/crt/aws-lc/util/testconfig/testconfig.go +2 -1
  514. data/aws-crt-ffi/crt/s2n/api/s2n.h +9 -5
  515. data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/handshake.rs +9 -6
  516. data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/resumption.rs +14 -14
  517. data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/throughput.rs +9 -6
  518. data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/harness.rs +106 -102
  519. data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/openssl.rs +24 -20
  520. data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/rustls.rs +28 -24
  521. data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/s2n_tls.rs +52 -50
  522. data/aws-crt-ffi/crt/s2n/bindings/rust/generate/Cargo.toml +1 -0
  523. data/aws-crt-ffi/crt/s2n/bindings/rust/integration/Cargo.toml +3 -0
  524. data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/Cargo.toml +2 -2
  525. data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/src/connection.rs +9 -0
  526. data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-sys/templates/Cargo.template +2 -1
  527. data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/Cargo.toml +2 -2
  528. data/aws-crt-ffi/crt/s2n/tests/cbmc/sources/make_common_datastructures.c +9 -2
  529. data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_client_cert_verify_recv_test.c +1 -1
  530. data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c +1 -1
  531. data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_tls13_cert_verify_recv_test.c +1 -1
  532. data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_version_negotiation.py +4 -4
  533. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_auth_selection_test.c +19 -9
  534. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_auth_handshake_test.c +3 -3
  535. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_cert_verify_test.c +1 -1
  536. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_hello_recv_test.c +1 -1
  537. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_hello_test.c +4 -4
  538. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_signature_algorithms_extension_test.c +4 -5
  539. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_connection_protocol_versions_test.c +390 -0
  540. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_connection_test.c +8 -4
  541. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_handshake_test.c +2 -1
  542. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_quic_support_io_test.c +106 -0
  543. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_security_policies_test.c +6 -2
  544. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_self_talk_offload_signing_test.c +3 -3
  545. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_self_talk_session_resumption_test.c +135 -0
  546. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_server_new_session_ticket_test.c +32 -0
  547. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_server_signature_algorithms_extension_test.c +1 -1
  548. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_signature_algorithms_test.c +307 -283
  549. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_cert_request_test.c +1 -1
  550. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_cert_verify_test.c +18 -17
  551. data/aws-crt-ffi/crt/s2n/tests/unit/s2n_x509_validator_test.c +125 -0
  552. data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_signature_algorithms.c +8 -1
  553. data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_supported_versions.c +43 -11
  554. data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_supported_versions.h +3 -0
  555. data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_server_signature_algorithms.c +8 -1
  556. data/aws-crt-ffi/crt/s2n/tls/s2n_auth_selection.c +4 -2
  557. data/aws-crt-ffi/crt/s2n/tls/s2n_client_cert_verify.c +7 -10
  558. data/aws-crt-ffi/crt/s2n/tls/s2n_client_hello.c +2 -2
  559. data/aws-crt-ffi/crt/s2n/tls/s2n_connection.c +75 -14
  560. data/aws-crt-ffi/crt/s2n/tls/s2n_handshake.h +2 -2
  561. data/aws-crt-ffi/crt/s2n/tls/s2n_post_handshake.c +1 -1
  562. data/aws-crt-ffi/crt/s2n/tls/s2n_post_handshake.h +1 -0
  563. data/aws-crt-ffi/crt/s2n/tls/s2n_quic_support.c +29 -0
  564. data/aws-crt-ffi/crt/s2n/tls/s2n_quic_support.h +5 -0
  565. data/aws-crt-ffi/crt/s2n/tls/s2n_security_policies.c +40 -0
  566. data/aws-crt-ffi/crt/s2n/tls/s2n_security_policies.h +4 -0
  567. data/aws-crt-ffi/crt/s2n/tls/s2n_server_cert_request.c +1 -1
  568. data/aws-crt-ffi/crt/s2n/tls/s2n_server_hello.c +0 -3
  569. data/aws-crt-ffi/crt/s2n/tls/s2n_server_key_exchange.c +8 -9
  570. data/aws-crt-ffi/crt/s2n/tls/s2n_server_new_session_ticket.c +8 -0
  571. data/aws-crt-ffi/crt/s2n/tls/s2n_signature_algorithms.c +111 -72
  572. data/aws-crt-ffi/crt/s2n/tls/s2n_signature_algorithms.h +11 -9
  573. data/aws-crt-ffi/crt/s2n/tls/s2n_signature_scheme.c +9 -0
  574. data/aws-crt-ffi/crt/s2n/tls/s2n_signature_scheme.h +2 -0
  575. data/aws-crt-ffi/crt/s2n/tls/s2n_tls13_certificate_verify.c +12 -18
  576. data/aws-crt-ffi/crt/s2n/tls/s2n_x509_validator.c +7 -7
  577. data/aws-crt-ffi/src/api.h +1 -0
  578. data/lib/aws-crt/native.rb +1 -1
  579. metadata +68 -5
  580. data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/ssm/m1_tests_ssm_document.yaml +0 -34
  581. data/aws-crt-ffi/crt/aws-lc/tests/ci/run_m1_ec2_instance.sh +0 -96
@@ -0,0 +1,3157 @@
1
+ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2
+ // SPDX-License-Identifier: Apache-2.0 OR ISC
3
+
4
+ // ----------------------------------------------------------------------------
5
+ // Double scalar multiplication for edwards25519, fresh and base point
6
+ // Input scalar[4], point[8], bscalar[4]; output res[8]
7
+ //
8
+ // extern void edwards25519_scalarmuldouble
9
+ // (uint64_t res[static 8],uint64_t scalar[static 4],
10
+ // uint64_t point[static 8],uint64_t bscalar[static 4]);
11
+ //
12
+ // Given scalar = n, point = P and bscalar = m, returns in res
13
+ // the point (X,Y) = n * P + m * B where B = (...,4/5) is
14
+ // the standard basepoint for the edwards25519 (Ed25519) curve.
15
+ //
16
+ // Both 256-bit coordinates of the input point P are implicitly
17
+ // reduced modulo 2^255-19 if they are not already in reduced form,
18
+ // but the conventional usage is that they *are* already reduced.
19
+ // The scalars can be arbitrary 256-bit numbers but may also be
20
+ // considered as implicitly reduced modulo the group order.
21
+ //
22
+ // Standard ARM ABI: X0 = res, X1 = scalar, X2 = point, X3 = bscalar
23
+ // ----------------------------------------------------------------------------
24
+ #include "_internal_s2n_bignum.h"
25
+
26
+ S2N_BN_SYM_VISIBILITY_DIRECTIVE(edwards25519_scalarmuldouble)
27
+ S2N_BN_SYM_PRIVACY_DIRECTIVE(edwards25519_scalarmuldouble)
28
+
29
+ .text
30
+ .balign 4
31
+
32
+ // Size of individual field elements
33
+
34
+ #define NUMSIZE 32
35
+
36
+ // Stable home for the input result argument during the whole body
37
+
38
+ #define res x25
39
+
40
+ // Additional pointer variables for local subroutines
41
+
42
+ #define p0 x22
43
+ #define p1 x23
44
+ #define p2 x24
45
+
46
+ // Other variables that are only needed prior to the modular inverse.
47
+
48
+ #define i x19
49
+ #define bf x20
50
+ #define cf x21
51
+
52
+ // Pointer-offset pairs for result and temporaries on stack with some aliasing.
53
+
54
+ #define resx res, #(0*NUMSIZE)
55
+ #define resy res, #(1*NUMSIZE)
56
+
57
+ #define scalar sp, #(0*NUMSIZE)
58
+ #define bscalar sp, #(1*NUMSIZE)
59
+
60
+ #define btabent sp, #(2*NUMSIZE)
61
+ #define acc sp, #(5*NUMSIZE)
62
+ #define acc_x sp, #(5*NUMSIZE)
63
+ #define acc_y sp, #(6*NUMSIZE)
64
+ #define acc_z sp, #(7*NUMSIZE)
65
+ #define acc_w sp, #(8*NUMSIZE)
66
+
67
+ #define tabent sp, #(9*NUMSIZE)
68
+
69
+ #define tab sp, #(13*NUMSIZE)
70
+
71
+ // Total size to reserve on the stack (excluding local subroutines)
72
+
73
+ #define NSPACE (45*NUMSIZE)
74
+
75
+ // Sub-references used in local subroutines with local stack
76
+
77
+ #define x_0 p0, #0
78
+ #define y_0 p0, #NUMSIZE
79
+ #define z_0 p0, #(2*NUMSIZE)
80
+ #define w_0 p0, #(3*NUMSIZE)
81
+
82
+ #define x_1 p1, #0
83
+ #define y_1 p1, #NUMSIZE
84
+ #define z_1 p1, #(2*NUMSIZE)
85
+ #define w_1 p1, #(3*NUMSIZE)
86
+
87
+ #define x_2 p2, #0
88
+ #define y_2 p2, #NUMSIZE
89
+ #define z_2 p2, #(2*NUMSIZE)
90
+ #define w_2 p2, #(3*NUMSIZE)
91
+
92
+ #define t0 sp, #(0*NUMSIZE)
93
+ #define t1 sp, #(1*NUMSIZE)
94
+ #define t2 sp, #(2*NUMSIZE)
95
+ #define t3 sp, #(3*NUMSIZE)
96
+ #define t4 sp, #(4*NUMSIZE)
97
+ #define t5 sp, #(5*NUMSIZE)
98
+
99
+ // Load 64-bit immediate into a register
100
+
101
+ #define movbig(nn,n3,n2,n1,n0) \
102
+ movz nn, n0; \
103
+ movk nn, n1, lsl #16; \
104
+ movk nn, n2, lsl #32; \
105
+ movk nn, n3, lsl #48
106
+
107
+ // Macro wrapping up the basic field operation bignum_mul_p25519, only
108
+ // trivially different from a pure function call to that subroutine.
109
+
110
+ #define mul_p25519(P0,P1,P2) \
111
+ ldp x3, x4, [P1]; \
112
+ ldp x5, x6, [P2]; \
113
+ umull x7, w3, w5; \
114
+ lsr x0, x3, #32; \
115
+ umull x15, w0, w5; \
116
+ lsr x16, x5, #32; \
117
+ umull x8, w16, w0; \
118
+ umull x16, w3, w16; \
119
+ adds x7, x7, x15, lsl #32; \
120
+ lsr x15, x15, #32; \
121
+ adc x8, x8, x15; \
122
+ adds x7, x7, x16, lsl #32; \
123
+ lsr x16, x16, #32; \
124
+ adc x8, x8, x16; \
125
+ mul x9, x4, x6; \
126
+ umulh x10, x4, x6; \
127
+ subs x4, x4, x3; \
128
+ cneg x4, x4, cc; \
129
+ csetm x16, cc; \
130
+ adds x9, x9, x8; \
131
+ adc x10, x10, xzr; \
132
+ subs x3, x5, x6; \
133
+ cneg x3, x3, cc; \
134
+ cinv x16, x16, cc; \
135
+ mul x15, x4, x3; \
136
+ umulh x3, x4, x3; \
137
+ adds x8, x7, x9; \
138
+ adcs x9, x9, x10; \
139
+ adc x10, x10, xzr; \
140
+ cmn x16, #0x1; \
141
+ eor x15, x15, x16; \
142
+ adcs x8, x15, x8; \
143
+ eor x3, x3, x16; \
144
+ adcs x9, x3, x9; \
145
+ adc x10, x10, x16; \
146
+ ldp x3, x4, [P1+16]; \
147
+ ldp x5, x6, [P2+16]; \
148
+ umull x11, w3, w5; \
149
+ lsr x0, x3, #32; \
150
+ umull x15, w0, w5; \
151
+ lsr x16, x5, #32; \
152
+ umull x12, w16, w0; \
153
+ umull x16, w3, w16; \
154
+ adds x11, x11, x15, lsl #32; \
155
+ lsr x15, x15, #32; \
156
+ adc x12, x12, x15; \
157
+ adds x11, x11, x16, lsl #32; \
158
+ lsr x16, x16, #32; \
159
+ adc x12, x12, x16; \
160
+ mul x13, x4, x6; \
161
+ umulh x14, x4, x6; \
162
+ subs x4, x4, x3; \
163
+ cneg x4, x4, cc; \
164
+ csetm x16, cc; \
165
+ adds x13, x13, x12; \
166
+ adc x14, x14, xzr; \
167
+ subs x3, x5, x6; \
168
+ cneg x3, x3, cc; \
169
+ cinv x16, x16, cc; \
170
+ mul x15, x4, x3; \
171
+ umulh x3, x4, x3; \
172
+ adds x12, x11, x13; \
173
+ adcs x13, x13, x14; \
174
+ adc x14, x14, xzr; \
175
+ cmn x16, #0x1; \
176
+ eor x15, x15, x16; \
177
+ adcs x12, x15, x12; \
178
+ eor x3, x3, x16; \
179
+ adcs x13, x3, x13; \
180
+ adc x14, x14, x16; \
181
+ ldp x3, x4, [P1+16]; \
182
+ ldp x15, x16, [P1]; \
183
+ subs x3, x3, x15; \
184
+ sbcs x4, x4, x16; \
185
+ csetm x16, cc; \
186
+ ldp x15, x0, [P2]; \
187
+ subs x5, x15, x5; \
188
+ sbcs x6, x0, x6; \
189
+ csetm x0, cc; \
190
+ eor x3, x3, x16; \
191
+ subs x3, x3, x16; \
192
+ eor x4, x4, x16; \
193
+ sbc x4, x4, x16; \
194
+ eor x5, x5, x0; \
195
+ subs x5, x5, x0; \
196
+ eor x6, x6, x0; \
197
+ sbc x6, x6, x0; \
198
+ eor x16, x0, x16; \
199
+ adds x11, x11, x9; \
200
+ adcs x12, x12, x10; \
201
+ adcs x13, x13, xzr; \
202
+ adc x14, x14, xzr; \
203
+ mul x2, x3, x5; \
204
+ umulh x0, x3, x5; \
205
+ mul x15, x4, x6; \
206
+ umulh x1, x4, x6; \
207
+ subs x4, x4, x3; \
208
+ cneg x4, x4, cc; \
209
+ csetm x9, cc; \
210
+ adds x15, x15, x0; \
211
+ adc x1, x1, xzr; \
212
+ subs x6, x5, x6; \
213
+ cneg x6, x6, cc; \
214
+ cinv x9, x9, cc; \
215
+ mul x5, x4, x6; \
216
+ umulh x6, x4, x6; \
217
+ adds x0, x2, x15; \
218
+ adcs x15, x15, x1; \
219
+ adc x1, x1, xzr; \
220
+ cmn x9, #0x1; \
221
+ eor x5, x5, x9; \
222
+ adcs x0, x5, x0; \
223
+ eor x6, x6, x9; \
224
+ adcs x15, x6, x15; \
225
+ adc x1, x1, x9; \
226
+ adds x9, x11, x7; \
227
+ adcs x10, x12, x8; \
228
+ adcs x11, x13, x11; \
229
+ adcs x12, x14, x12; \
230
+ adcs x13, x13, xzr; \
231
+ adc x14, x14, xzr; \
232
+ cmn x16, #0x1; \
233
+ eor x2, x2, x16; \
234
+ adcs x9, x2, x9; \
235
+ eor x0, x0, x16; \
236
+ adcs x10, x0, x10; \
237
+ eor x15, x15, x16; \
238
+ adcs x11, x15, x11; \
239
+ eor x1, x1, x16; \
240
+ adcs x12, x1, x12; \
241
+ adcs x13, x13, x16; \
242
+ adc x14, x14, x16; \
243
+ mov x3, #0x26; \
244
+ umull x4, w11, w3; \
245
+ add x4, x4, w7, uxtw; \
246
+ lsr x7, x7, #32; \
247
+ lsr x11, x11, #32; \
248
+ umaddl x11, w11, w3, x7; \
249
+ mov x7, x4; \
250
+ umull x4, w12, w3; \
251
+ add x4, x4, w8, uxtw; \
252
+ lsr x8, x8, #32; \
253
+ lsr x12, x12, #32; \
254
+ umaddl x12, w12, w3, x8; \
255
+ mov x8, x4; \
256
+ umull x4, w13, w3; \
257
+ add x4, x4, w9, uxtw; \
258
+ lsr x9, x9, #32; \
259
+ lsr x13, x13, #32; \
260
+ umaddl x13, w13, w3, x9; \
261
+ mov x9, x4; \
262
+ umull x4, w14, w3; \
263
+ add x4, x4, w10, uxtw; \
264
+ lsr x10, x10, #32; \
265
+ lsr x14, x14, #32; \
266
+ umaddl x14, w14, w3, x10; \
267
+ mov x10, x4; \
268
+ lsr x0, x14, #31; \
269
+ mov x5, #0x13; \
270
+ umaddl x5, w5, w0, x5; \
271
+ add x7, x7, x5; \
272
+ adds x7, x7, x11, lsl #32; \
273
+ extr x3, x12, x11, #32; \
274
+ adcs x8, x8, x3; \
275
+ extr x3, x13, x12, #32; \
276
+ adcs x9, x9, x3; \
277
+ extr x3, x14, x13, #32; \
278
+ lsl x5, x0, #63; \
279
+ eor x10, x10, x5; \
280
+ adc x10, x10, x3; \
281
+ mov x3, #0x13; \
282
+ tst x10, #0x8000000000000000; \
283
+ csel x3, x3, xzr, pl; \
284
+ subs x7, x7, x3; \
285
+ sbcs x8, x8, xzr; \
286
+ sbcs x9, x9, xzr; \
287
+ sbc x10, x10, xzr; \
288
+ and x10, x10, #0x7fffffffffffffff; \
289
+ stp x7, x8, [P0]; \
290
+ stp x9, x10, [P0+16]
291
+
292
+ // A version of multiplication that only guarantees output < 2 * p_25519.
293
+ // This basically skips the +1 and final correction in quotient estimation.
294
+
295
+ #define mul_4(P0,P1,P2) \
296
+ ldp x3, x4, [P1]; \
297
+ ldp x5, x6, [P2]; \
298
+ umull x7, w3, w5; \
299
+ lsr x0, x3, #32; \
300
+ umull x15, w0, w5; \
301
+ lsr x16, x5, #32; \
302
+ umull x8, w16, w0; \
303
+ umull x16, w3, w16; \
304
+ adds x7, x7, x15, lsl #32; \
305
+ lsr x15, x15, #32; \
306
+ adc x8, x8, x15; \
307
+ adds x7, x7, x16, lsl #32; \
308
+ lsr x16, x16, #32; \
309
+ adc x8, x8, x16; \
310
+ mul x9, x4, x6; \
311
+ umulh x10, x4, x6; \
312
+ subs x4, x4, x3; \
313
+ cneg x4, x4, cc; \
314
+ csetm x16, cc; \
315
+ adds x9, x9, x8; \
316
+ adc x10, x10, xzr; \
317
+ subs x3, x5, x6; \
318
+ cneg x3, x3, cc; \
319
+ cinv x16, x16, cc; \
320
+ mul x15, x4, x3; \
321
+ umulh x3, x4, x3; \
322
+ adds x8, x7, x9; \
323
+ adcs x9, x9, x10; \
324
+ adc x10, x10, xzr; \
325
+ cmn x16, #0x1; \
326
+ eor x15, x15, x16; \
327
+ adcs x8, x15, x8; \
328
+ eor x3, x3, x16; \
329
+ adcs x9, x3, x9; \
330
+ adc x10, x10, x16; \
331
+ ldp x3, x4, [P1+16]; \
332
+ ldp x5, x6, [P2+16]; \
333
+ umull x11, w3, w5; \
334
+ lsr x0, x3, #32; \
335
+ umull x15, w0, w5; \
336
+ lsr x16, x5, #32; \
337
+ umull x12, w16, w0; \
338
+ umull x16, w3, w16; \
339
+ adds x11, x11, x15, lsl #32; \
340
+ lsr x15, x15, #32; \
341
+ adc x12, x12, x15; \
342
+ adds x11, x11, x16, lsl #32; \
343
+ lsr x16, x16, #32; \
344
+ adc x12, x12, x16; \
345
+ mul x13, x4, x6; \
346
+ umulh x14, x4, x6; \
347
+ subs x4, x4, x3; \
348
+ cneg x4, x4, cc; \
349
+ csetm x16, cc; \
350
+ adds x13, x13, x12; \
351
+ adc x14, x14, xzr; \
352
+ subs x3, x5, x6; \
353
+ cneg x3, x3, cc; \
354
+ cinv x16, x16, cc; \
355
+ mul x15, x4, x3; \
356
+ umulh x3, x4, x3; \
357
+ adds x12, x11, x13; \
358
+ adcs x13, x13, x14; \
359
+ adc x14, x14, xzr; \
360
+ cmn x16, #0x1; \
361
+ eor x15, x15, x16; \
362
+ adcs x12, x15, x12; \
363
+ eor x3, x3, x16; \
364
+ adcs x13, x3, x13; \
365
+ adc x14, x14, x16; \
366
+ ldp x3, x4, [P1+16]; \
367
+ ldp x15, x16, [P1]; \
368
+ subs x3, x3, x15; \
369
+ sbcs x4, x4, x16; \
370
+ csetm x16, cc; \
371
+ ldp x15, x0, [P2]; \
372
+ subs x5, x15, x5; \
373
+ sbcs x6, x0, x6; \
374
+ csetm x0, cc; \
375
+ eor x3, x3, x16; \
376
+ subs x3, x3, x16; \
377
+ eor x4, x4, x16; \
378
+ sbc x4, x4, x16; \
379
+ eor x5, x5, x0; \
380
+ subs x5, x5, x0; \
381
+ eor x6, x6, x0; \
382
+ sbc x6, x6, x0; \
383
+ eor x16, x0, x16; \
384
+ adds x11, x11, x9; \
385
+ adcs x12, x12, x10; \
386
+ adcs x13, x13, xzr; \
387
+ adc x14, x14, xzr; \
388
+ mul x2, x3, x5; \
389
+ umulh x0, x3, x5; \
390
+ mul x15, x4, x6; \
391
+ umulh x1, x4, x6; \
392
+ subs x4, x4, x3; \
393
+ cneg x4, x4, cc; \
394
+ csetm x9, cc; \
395
+ adds x15, x15, x0; \
396
+ adc x1, x1, xzr; \
397
+ subs x6, x5, x6; \
398
+ cneg x6, x6, cc; \
399
+ cinv x9, x9, cc; \
400
+ mul x5, x4, x6; \
401
+ umulh x6, x4, x6; \
402
+ adds x0, x2, x15; \
403
+ adcs x15, x15, x1; \
404
+ adc x1, x1, xzr; \
405
+ cmn x9, #0x1; \
406
+ eor x5, x5, x9; \
407
+ adcs x0, x5, x0; \
408
+ eor x6, x6, x9; \
409
+ adcs x15, x6, x15; \
410
+ adc x1, x1, x9; \
411
+ adds x9, x11, x7; \
412
+ adcs x10, x12, x8; \
413
+ adcs x11, x13, x11; \
414
+ adcs x12, x14, x12; \
415
+ adcs x13, x13, xzr; \
416
+ adc x14, x14, xzr; \
417
+ cmn x16, #0x1; \
418
+ eor x2, x2, x16; \
419
+ adcs x9, x2, x9; \
420
+ eor x0, x0, x16; \
421
+ adcs x10, x0, x10; \
422
+ eor x15, x15, x16; \
423
+ adcs x11, x15, x11; \
424
+ eor x1, x1, x16; \
425
+ adcs x12, x1, x12; \
426
+ adcs x13, x13, x16; \
427
+ adc x14, x14, x16; \
428
+ mov x3, #0x26; \
429
+ umull x4, w11, w3; \
430
+ add x4, x4, w7, uxtw; \
431
+ lsr x7, x7, #32; \
432
+ lsr x11, x11, #32; \
433
+ umaddl x11, w11, w3, x7; \
434
+ mov x7, x4; \
435
+ umull x4, w12, w3; \
436
+ add x4, x4, w8, uxtw; \
437
+ lsr x8, x8, #32; \
438
+ lsr x12, x12, #32; \
439
+ umaddl x12, w12, w3, x8; \
440
+ mov x8, x4; \
441
+ umull x4, w13, w3; \
442
+ add x4, x4, w9, uxtw; \
443
+ lsr x9, x9, #32; \
444
+ lsr x13, x13, #32; \
445
+ umaddl x13, w13, w3, x9; \
446
+ mov x9, x4; \
447
+ umull x4, w14, w3; \
448
+ add x4, x4, w10, uxtw; \
449
+ lsr x10, x10, #32; \
450
+ lsr x14, x14, #32; \
451
+ umaddl x14, w14, w3, x10; \
452
+ mov x10, x4; \
453
+ lsr x0, x14, #31; \
454
+ mov x5, #0x13; \
455
+ umull x5, w5, w0; \
456
+ add x7, x7, x5; \
457
+ adds x7, x7, x11, lsl #32; \
458
+ extr x3, x12, x11, #32; \
459
+ adcs x8, x8, x3; \
460
+ extr x3, x13, x12, #32; \
461
+ adcs x9, x9, x3; \
462
+ extr x3, x14, x13, #32; \
463
+ lsl x5, x0, #63; \
464
+ eor x10, x10, x5; \
465
+ adc x10, x10, x3; \
466
+ stp x7, x8, [P0]; \
467
+ stp x9, x10, [P0+16]
468
+
469
+ // Squaring just giving a result < 2 * p_25519, which is done by
470
+ // basically skipping the +1 in the quotient estimate and the final
471
+ // optional correction.
472
+
473
+ #define sqr_4(P0,P1) \
474
+ ldp x10, x11, [P1]; \
475
+ ldp x12, x13, [P1+16]; \
476
+ umull x2, w10, w10; \
477
+ lsr x14, x10, #32; \
478
+ umull x3, w14, w14; \
479
+ umull x14, w10, w14; \
480
+ adds x2, x2, x14, lsl #33; \
481
+ lsr x14, x14, #31; \
482
+ adc x3, x3, x14; \
483
+ umull x4, w11, w11; \
484
+ lsr x14, x11, #32; \
485
+ umull x5, w14, w14; \
486
+ umull x14, w11, w14; \
487
+ mul x15, x10, x11; \
488
+ umulh x16, x10, x11; \
489
+ adds x4, x4, x14, lsl #33; \
490
+ lsr x14, x14, #31; \
491
+ adc x5, x5, x14; \
492
+ adds x15, x15, x15; \
493
+ adcs x16, x16, x16; \
494
+ adc x5, x5, xzr; \
495
+ adds x3, x3, x15; \
496
+ adcs x4, x4, x16; \
497
+ adc x5, x5, xzr; \
498
+ umull x6, w12, w12; \
499
+ lsr x14, x12, #32; \
500
+ umull x7, w14, w14; \
501
+ umull x14, w12, w14; \
502
+ adds x6, x6, x14, lsl #33; \
503
+ lsr x14, x14, #31; \
504
+ adc x7, x7, x14; \
505
+ umull x8, w13, w13; \
506
+ lsr x14, x13, #32; \
507
+ umull x9, w14, w14; \
508
+ umull x14, w13, w14; \
509
+ mul x15, x12, x13; \
510
+ umulh x16, x12, x13; \
511
+ adds x8, x8, x14, lsl #33; \
512
+ lsr x14, x14, #31; \
513
+ adc x9, x9, x14; \
514
+ adds x15, x15, x15; \
515
+ adcs x16, x16, x16; \
516
+ adc x9, x9, xzr; \
517
+ adds x7, x7, x15; \
518
+ adcs x8, x8, x16; \
519
+ adc x9, x9, xzr; \
520
+ subs x10, x10, x12; \
521
+ sbcs x11, x11, x13; \
522
+ csetm x16, cc; \
523
+ eor x10, x10, x16; \
524
+ subs x10, x10, x16; \
525
+ eor x11, x11, x16; \
526
+ sbc x11, x11, x16; \
527
+ adds x6, x6, x4; \
528
+ adcs x7, x7, x5; \
529
+ adcs x8, x8, xzr; \
530
+ adc x9, x9, xzr; \
531
+ umull x12, w10, w10; \
532
+ lsr x5, x10, #32; \
533
+ umull x13, w5, w5; \
534
+ umull x5, w10, w5; \
535
+ adds x12, x12, x5, lsl #33; \
536
+ lsr x5, x5, #31; \
537
+ adc x13, x13, x5; \
538
+ umull x15, w11, w11; \
539
+ lsr x5, x11, #32; \
540
+ umull x14, w5, w5; \
541
+ umull x5, w11, w5; \
542
+ mul x4, x10, x11; \
543
+ umulh x16, x10, x11; \
544
+ adds x15, x15, x5, lsl #33; \
545
+ lsr x5, x5, #31; \
546
+ adc x14, x14, x5; \
547
+ adds x4, x4, x4; \
548
+ adcs x16, x16, x16; \
549
+ adc x14, x14, xzr; \
550
+ adds x13, x13, x4; \
551
+ adcs x15, x15, x16; \
552
+ adc x14, x14, xzr; \
553
+ adds x4, x2, x6; \
554
+ adcs x5, x3, x7; \
555
+ adcs x6, x6, x8; \
556
+ adcs x7, x7, x9; \
557
+ csetm x16, cc; \
558
+ subs x4, x4, x12; \
559
+ sbcs x5, x5, x13; \
560
+ sbcs x6, x6, x15; \
561
+ sbcs x7, x7, x14; \
562
+ adcs x8, x8, x16; \
563
+ adc x9, x9, x16; \
564
+ mov x10, #0x26; \
565
+ umull x12, w6, w10; \
566
+ add x12, x12, w2, uxtw; \
567
+ lsr x2, x2, #32; \
568
+ lsr x6, x6, #32; \
569
+ umaddl x6, w6, w10, x2; \
570
+ mov x2, x12; \
571
+ umull x12, w7, w10; \
572
+ add x12, x12, w3, uxtw; \
573
+ lsr x3, x3, #32; \
574
+ lsr x7, x7, #32; \
575
+ umaddl x7, w7, w10, x3; \
576
+ mov x3, x12; \
577
+ umull x12, w8, w10; \
578
+ add x12, x12, w4, uxtw; \
579
+ lsr x4, x4, #32; \
580
+ lsr x8, x8, #32; \
581
+ umaddl x8, w8, w10, x4; \
582
+ mov x4, x12; \
583
+ umull x12, w9, w10; \
584
+ add x12, x12, w5, uxtw; \
585
+ lsr x5, x5, #32; \
586
+ lsr x9, x9, #32; \
587
+ umaddl x9, w9, w10, x5; \
588
+ mov x5, x12; \
589
+ lsr x13, x9, #31; \
590
+ mov x11, #0x13; \
591
+ umull x11, w11, w13; \
592
+ add x2, x2, x11; \
593
+ adds x2, x2, x6, lsl #32; \
594
+ extr x10, x7, x6, #32; \
595
+ adcs x3, x3, x10; \
596
+ extr x10, x8, x7, #32; \
597
+ adcs x4, x4, x10; \
598
+ extr x10, x9, x8, #32; \
599
+ lsl x11, x13, #63; \
600
+ eor x5, x5, x11; \
601
+ adc x5, x5, x10; \
602
+ stp x2, x3, [P0]; \
603
+ stp x4, x5, [P0+16]
604
+
605
+ // Modular subtraction with double modulus 2 * p_25519 = 2^256 - 38
606
+
607
+ #define sub_twice4(P0,P1,P2) \
608
+ ldp x5, x6, [P1]; \
609
+ ldp x4, x3, [P2]; \
610
+ subs x5, x5, x4; \
611
+ sbcs x6, x6, x3; \
612
+ ldp x7, x8, [P1+16]; \
613
+ ldp x4, x3, [P2+16]; \
614
+ sbcs x7, x7, x4; \
615
+ sbcs x8, x8, x3; \
616
+ mov x4, #38; \
617
+ csel x3, x4, xzr, lo; \
618
+ subs x5, x5, x3; \
619
+ sbcs x6, x6, xzr; \
620
+ sbcs x7, x7, xzr; \
621
+ sbc x8, x8, xzr; \
622
+ stp x5, x6, [P0]; \
623
+ stp x7, x8, [P0+16]
624
+
625
+ // Modular addition and doubling with double modulus 2 * p_25519 = 2^256 - 38.
626
+ // This only ensures that the result fits in 4 digits, not that it is reduced
627
+ // even w.r.t. double modulus. The result is always correct modulo provided
628
+ // the sum of the inputs is < 2^256 + 2^256 - 38, so in particular provided
629
+ // at least one of them is reduced double modulo.
630
+
631
+ #define add_twice4(P0,P1,P2) \
632
+ ldp x3, x4, [P1]; \
633
+ ldp x7, x8, [P2]; \
634
+ adds x3, x3, x7; \
635
+ adcs x4, x4, x8; \
636
+ ldp x5, x6, [P1+16]; \
637
+ ldp x7, x8, [P2+16]; \
638
+ adcs x5, x5, x7; \
639
+ adcs x6, x6, x8; \
640
+ mov x9, #38; \
641
+ csel x9, x9, xzr, cs; \
642
+ adds x3, x3, x9; \
643
+ adcs x4, x4, xzr; \
644
+ adcs x5, x5, xzr; \
645
+ adc x6, x6, xzr; \
646
+ stp x3, x4, [P0]; \
647
+ stp x5, x6, [P0+16]
648
+
649
+ #define double_twice4(P0,P1) \
650
+ ldp x3, x4, [P1]; \
651
+ adds x3, x3, x3; \
652
+ adcs x4, x4, x4; \
653
+ ldp x5, x6, [P1+16]; \
654
+ adcs x5, x5, x5; \
655
+ adcs x6, x6, x6; \
656
+ mov x9, #38; \
657
+ csel x9, x9, xzr, cs; \
658
+ adds x3, x3, x9; \
659
+ adcs x4, x4, xzr; \
660
+ adcs x5, x5, xzr; \
661
+ adc x6, x6, xzr; \
662
+ stp x3, x4, [P0]; \
663
+ stp x5, x6, [P0+16]
664
+
665
+ // Load the constant k_25519 = 2 * d_25519 using immediate operations
666
+
667
+ #define load_k25519(P0) \
668
+ movz x0, #0xf159; \
669
+ movz x1, #0xb156; \
670
+ movz x2, #0xd130; \
671
+ movz x3, #0xfce7; \
672
+ movk x0, #0x26b2, lsl #16; \
673
+ movk x1, #0x8283, lsl #16; \
674
+ movk x2, #0xeef3, lsl #16; \
675
+ movk x3, #0x56df, lsl #16; \
676
+ movk x0, #0x9b94, lsl #32; \
677
+ movk x1, #0x149a, lsl #32; \
678
+ movk x2, #0x80f2, lsl #32; \
679
+ movk x3, #0xd9dc, lsl #32; \
680
+ movk x0, #0xebd6, lsl #48; \
681
+ movk x1, #0x00e0, lsl #48; \
682
+ movk x2, #0x198e, lsl #48; \
683
+ movk x3, #0x2406, lsl #48; \
684
+ stp x0, x1, [P0]; \
685
+ stp x2, x3, [P0+16]
686
+
687
+ S2N_BN_SYMBOL(edwards25519_scalarmuldouble):
688
+
689
+ // Save regs and make room for temporaries
690
+
691
+ stp x19, x20, [sp, -16]!
692
+ stp x21, x22, [sp, -16]!
693
+ stp x23, x24, [sp, -16]!
694
+ stp x25, x30, [sp, -16]!
695
+ sub sp, sp, #NSPACE
696
+
697
+ // Move the output pointer to a stable place
698
+
699
+ mov res, x0
700
+
701
+ // Copy scalars while recoding all 4-bit nybbles except the top
702
+ // one (bits 252..255) into signed 4-bit digits. This is essentially
703
+ // done just by adding the recoding constant 0x0888..888, after
704
+ // which all digits except the first have an implicit bias of -8,
705
+ // so 0 -> -8, 1 -> -7, ... 7 -> -1, 8 -> 0, 9 -> 1, ... 15 -> 7.
706
+ // (We could literally create 2s complement signed nybbles by
707
+ // XORing with the same constant 0x0888..888 afterwards, but it
708
+ // doesn't seem to make the end usage any simpler.)
709
+ //
710
+ // In order to ensure that the unrecoded top nybble (bits 252..255)
711
+ // does not become > 8 as a result of carries lower down from the
712
+ // recoding, we first (conceptually) subtract the group order iff
713
+ // the top digit of the scalar is > 2^63. In the implementation the
714
+ // reduction and recoding are combined by optionally using the
715
+ // modified recoding constant 0x0888...888 + (2^256 - group_order).
716
+
717
+ movbig(x4,#0xc7f5, #0x6fb5, #0xa0d9, #0xe920)
718
+ movbig(x5,#0xe190, #0xb993, #0x70cb, #0xa1d5)
719
+ mov x7, #0x8888888888888888
720
+ sub x6, x7, #1
721
+ bic x8, x7, #0xF000000000000000
722
+
723
+ ldp x10, x11, [x3]
724
+ ldp x12, x13, [x3, #16]
725
+ mov x3, 0x8000000000000000
726
+ cmp x3, x13
727
+ csel x14, x7, x4, cs
728
+ csel x15, x7, x5, cs
729
+ csel x16, x7, x6, cs
730
+ csel x17, x8, x7, cs
731
+ adds x10, x10, x14
732
+ adcs x11, x11, x15
733
+ adcs x12, x12, x16
734
+ adc x13, x13, x17
735
+ stp x10, x11, [bscalar]
736
+ stp x12, x13, [bscalar+16]
737
+
738
+ ldp x10, x11, [x1]
739
+ ldp x12, x13, [x1, #16]
740
+ mov x3, 0x8000000000000000
741
+ cmp x3, x13
742
+ csel x14, x7, x4, cs
743
+ csel x15, x7, x5, cs
744
+ csel x16, x7, x6, cs
745
+ csel x17, x8, x7, cs
746
+ adds x10, x10, x14
747
+ adcs x11, x11, x15
748
+ adcs x12, x12, x16
749
+ adc x13, x13, x17
750
+ stp x10, x11, [scalar]
751
+ stp x12, x13, [scalar+16]
752
+
753
+ // Create table of multiples 1..8 of the general input point at "tab".
754
+ // Reduce the input coordinates x and y modulo 2^256 - 38 first, for the
755
+ // sake of definiteness; this is the reduction that will be maintained.
756
+ // We could slightly optimize the additions because we know the input
757
+ // point is affine (so Z = 1), but it doesn't seem worth the complication.
758
+
759
+ ldp x10, x11, [x2]
760
+ ldp x12, x13, [x2, #16]
761
+ adds x14, x10, #38
762
+ adcs x15, x11, xzr
763
+ adcs x16, x12, xzr
764
+ adcs x17, x13, xzr
765
+ csel x10, x14, x10, cs
766
+ csel x11, x15, x11, cs
767
+ csel x12, x16, x12, cs
768
+ csel x13, x17, x13, cs
769
+ stp x10, x11, [tab]
770
+ stp x12, x13, [tab+16]
771
+
772
+ ldp x10, x11, [x2, #32]
773
+ ldp x12, x13, [x2, #48]
774
+ adds x14, x10, #38
775
+ adcs x15, x11, xzr
776
+ adcs x16, x12, xzr
777
+ adcs x17, x13, xzr
778
+ csel x10, x14, x10, cs
779
+ csel x11, x15, x11, cs
780
+ csel x12, x16, x12, cs
781
+ csel x13, x17, x13, cs
782
+ stp x10, x11, [tab+32]
783
+ stp x12, x13, [tab+48]
784
+
785
+ mov x1, #1
786
+ stp x1, xzr, [tab+64]
787
+ stp xzr, xzr, [tab+80]
788
+
789
+ add p0, tab+96
790
+ add p1, tab
791
+ add p2, tab+32
792
+ mul_4(x_0,x_1,x_2)
793
+
794
+ // Multiple 2
795
+
796
+ add p0, tab+1*128
797
+ add p1, tab
798
+ bl edwards25519_scalarmuldouble_epdouble
799
+
800
+ // Multiple 3
801
+
802
+ add p0, tab+2*128
803
+ add p1, tab
804
+ add p2, tab+1*128
805
+ bl edwards25519_scalarmuldouble_epadd
806
+
807
+ // Multiple 4
808
+
809
+ add p0, tab+3*128
810
+ add p1, tab+1*128
811
+ bl edwards25519_scalarmuldouble_epdouble
812
+
813
+ // Multiple 5
814
+
815
+ add p0, tab+4*128
816
+ add p1, tab
817
+ add p2, tab+3*128
818
+ bl edwards25519_scalarmuldouble_epadd
819
+
820
+ // Multiple 6
821
+
822
+ add p0, tab+5*128
823
+ add p1, tab+2*128
824
+ bl edwards25519_scalarmuldouble_epdouble
825
+
826
+ // Multiple 7
827
+
828
+ add p0, tab+6*128
829
+ add p1, tab
830
+ add p2, tab+5*128
831
+ bl edwards25519_scalarmuldouble_epadd
832
+
833
+ // Multiple 8
834
+
835
+ add p0, tab+7*128
836
+ add p1, tab+3*128
837
+ bl edwards25519_scalarmuldouble_epdouble
838
+
839
+ // Handle the initialization, starting the loop counter at i = 252
840
+ // and initializing acc to the sum of the table entries for the
841
+ // top nybbles of the scalars (the ones with no implicit -8 bias).
842
+
843
+ mov i, #252
844
+
845
+ // Index for btable entry...
846
+
847
+ ldr x0, [bscalar+24]
848
+ lsr bf, x0, #60
849
+
850
+ // ...and constant-time indexing based on that index
851
+
852
+ adr x14, edwards25519_scalarmuldouble_table
853
+
854
+ mov x0, #1
855
+ mov x1, xzr
856
+ mov x2, xzr
857
+ mov x3, xzr
858
+ mov x4, #1
859
+ mov x5, xzr
860
+ mov x6, xzr
861
+ mov x7, xzr
862
+ mov x8, xzr
863
+ mov x9, xzr
864
+ mov x10, xzr
865
+ mov x11, xzr
866
+
867
+ cmp bf, #1
868
+ ldp x12, x13, [x14]
869
+ csel x0, x0, x12, ne
870
+ csel x1, x1, x13, ne
871
+ ldp x12, x13, [x14, #16]
872
+ csel x2, x2, x12, ne
873
+ csel x3, x3, x13, ne
874
+ ldp x12, x13, [x14, #32]
875
+ csel x4, x4, x12, ne
876
+ csel x5, x5, x13, ne
877
+ ldp x12, x13, [x14, #48]
878
+ csel x6, x6, x12, ne
879
+ csel x7, x7, x13, ne
880
+ ldp x12, x13, [x14, #64]
881
+ csel x8, x8, x12, ne
882
+ csel x9, x9, x13, ne
883
+ ldp x12, x13, [x14, #80]
884
+ csel x10, x10, x12, ne
885
+ csel x11, x11, x13, ne
886
+ add x14, x14, #96
887
+
888
+ cmp bf, #2
889
+ ldp x12, x13, [x14]
890
+ csel x0, x0, x12, ne
891
+ csel x1, x1, x13, ne
892
+ ldp x12, x13, [x14, #16]
893
+ csel x2, x2, x12, ne
894
+ csel x3, x3, x13, ne
895
+ ldp x12, x13, [x14, #32]
896
+ csel x4, x4, x12, ne
897
+ csel x5, x5, x13, ne
898
+ ldp x12, x13, [x14, #48]
899
+ csel x6, x6, x12, ne
900
+ csel x7, x7, x13, ne
901
+ ldp x12, x13, [x14, #64]
902
+ csel x8, x8, x12, ne
903
+ csel x9, x9, x13, ne
904
+ ldp x12, x13, [x14, #80]
905
+ csel x10, x10, x12, ne
906
+ csel x11, x11, x13, ne
907
+ add x14, x14, #96
908
+
909
+ cmp bf, #3
910
+ ldp x12, x13, [x14]
911
+ csel x0, x0, x12, ne
912
+ csel x1, x1, x13, ne
913
+ ldp x12, x13, [x14, #16]
914
+ csel x2, x2, x12, ne
915
+ csel x3, x3, x13, ne
916
+ ldp x12, x13, [x14, #32]
917
+ csel x4, x4, x12, ne
918
+ csel x5, x5, x13, ne
919
+ ldp x12, x13, [x14, #48]
920
+ csel x6, x6, x12, ne
921
+ csel x7, x7, x13, ne
922
+ ldp x12, x13, [x14, #64]
923
+ csel x8, x8, x12, ne
924
+ csel x9, x9, x13, ne
925
+ ldp x12, x13, [x14, #80]
926
+ csel x10, x10, x12, ne
927
+ csel x11, x11, x13, ne
928
+ add x14, x14, #96
929
+
930
+ cmp bf, #4
931
+ ldp x12, x13, [x14]
932
+ csel x0, x0, x12, ne
933
+ csel x1, x1, x13, ne
934
+ ldp x12, x13, [x14, #16]
935
+ csel x2, x2, x12, ne
936
+ csel x3, x3, x13, ne
937
+ ldp x12, x13, [x14, #32]
938
+ csel x4, x4, x12, ne
939
+ csel x5, x5, x13, ne
940
+ ldp x12, x13, [x14, #48]
941
+ csel x6, x6, x12, ne
942
+ csel x7, x7, x13, ne
943
+ ldp x12, x13, [x14, #64]
944
+ csel x8, x8, x12, ne
945
+ csel x9, x9, x13, ne
946
+ ldp x12, x13, [x14, #80]
947
+ csel x10, x10, x12, ne
948
+ csel x11, x11, x13, ne
949
+ add x14, x14, #96
950
+
951
+ cmp bf, #5
952
+ ldp x12, x13, [x14]
953
+ csel x0, x0, x12, ne
954
+ csel x1, x1, x13, ne
955
+ ldp x12, x13, [x14, #16]
956
+ csel x2, x2, x12, ne
957
+ csel x3, x3, x13, ne
958
+ ldp x12, x13, [x14, #32]
959
+ csel x4, x4, x12, ne
960
+ csel x5, x5, x13, ne
961
+ ldp x12, x13, [x14, #48]
962
+ csel x6, x6, x12, ne
963
+ csel x7, x7, x13, ne
964
+ ldp x12, x13, [x14, #64]
965
+ csel x8, x8, x12, ne
966
+ csel x9, x9, x13, ne
967
+ ldp x12, x13, [x14, #80]
968
+ csel x10, x10, x12, ne
969
+ csel x11, x11, x13, ne
970
+ add x14, x14, #96
971
+
972
+ cmp bf, #6
973
+ ldp x12, x13, [x14]
974
+ csel x0, x0, x12, ne
975
+ csel x1, x1, x13, ne
976
+ ldp x12, x13, [x14, #16]
977
+ csel x2, x2, x12, ne
978
+ csel x3, x3, x13, ne
979
+ ldp x12, x13, [x14, #32]
980
+ csel x4, x4, x12, ne
981
+ csel x5, x5, x13, ne
982
+ ldp x12, x13, [x14, #48]
983
+ csel x6, x6, x12, ne
984
+ csel x7, x7, x13, ne
985
+ ldp x12, x13, [x14, #64]
986
+ csel x8, x8, x12, ne
987
+ csel x9, x9, x13, ne
988
+ ldp x12, x13, [x14, #80]
989
+ csel x10, x10, x12, ne
990
+ csel x11, x11, x13, ne
991
+ add x14, x14, #96
992
+
993
+ cmp bf, #7
994
+ ldp x12, x13, [x14]
995
+ csel x0, x0, x12, ne
996
+ csel x1, x1, x13, ne
997
+ ldp x12, x13, [x14, #16]
998
+ csel x2, x2, x12, ne
999
+ csel x3, x3, x13, ne
1000
+ ldp x12, x13, [x14, #32]
1001
+ csel x4, x4, x12, ne
1002
+ csel x5, x5, x13, ne
1003
+ ldp x12, x13, [x14, #48]
1004
+ csel x6, x6, x12, ne
1005
+ csel x7, x7, x13, ne
1006
+ ldp x12, x13, [x14, #64]
1007
+ csel x8, x8, x12, ne
1008
+ csel x9, x9, x13, ne
1009
+ ldp x12, x13, [x14, #80]
1010
+ csel x10, x10, x12, ne
1011
+ csel x11, x11, x13, ne
1012
+ add x14, x14, #96
1013
+
1014
+ cmp bf, #8
1015
+ ldp x12, x13, [x14]
1016
+ csel x0, x0, x12, ne
1017
+ csel x1, x1, x13, ne
1018
+ ldp x12, x13, [x14, #16]
1019
+ csel x2, x2, x12, ne
1020
+ csel x3, x3, x13, ne
1021
+ ldp x12, x13, [x14, #32]
1022
+ csel x4, x4, x12, ne
1023
+ csel x5, x5, x13, ne
1024
+ ldp x12, x13, [x14, #48]
1025
+ csel x6, x6, x12, ne
1026
+ csel x7, x7, x13, ne
1027
+ ldp x12, x13, [x14, #64]
1028
+ csel x8, x8, x12, ne
1029
+ csel x9, x9, x13, ne
1030
+ ldp x12, x13, [x14, #80]
1031
+ csel x10, x10, x12, ne
1032
+ csel x11, x11, x13, ne
1033
+
1034
+ stp x0, x1, [btabent]
1035
+ stp x2, x3, [btabent+16]
1036
+ stp x4, x5, [btabent+32]
1037
+ stp x6, x7, [btabent+48]
1038
+ stp x8, x9, [btabent+64]
1039
+ stp x10, x11, [btabent+80]
1040
+
1041
+ // Index for table entry...
1042
+
1043
+ ldr x0, [scalar+24]
1044
+ lsr bf, x0, #60
1045
+
1046
+ // ...and constant-time indexing based on that index
1047
+
1048
+ add p0, tab
1049
+
1050
+ mov x0, xzr
1051
+ mov x1, xzr
1052
+ mov x2, xzr
1053
+ mov x3, xzr
1054
+ mov x4, #1
1055
+ mov x5, xzr
1056
+ mov x6, xzr
1057
+ mov x7, xzr
1058
+ mov x8, #1
1059
+ mov x9, xzr
1060
+ mov x10, xzr
1061
+ mov x11, xzr
1062
+ mov x12, xzr
1063
+ mov x13, xzr
1064
+ mov x14, xzr
1065
+ mov x15, xzr
1066
+
1067
+ cmp bf, #1
1068
+ ldp x16, x17, [p0]
1069
+ csel x0, x0, x16, ne
1070
+ csel x1, x1, x17, ne
1071
+ ldp x16, x17, [p0, #16]
1072
+ csel x2, x2, x16, ne
1073
+ csel x3, x3, x17, ne
1074
+ ldp x16, x17, [p0, #32]
1075
+ csel x4, x4, x16, ne
1076
+ csel x5, x5, x17, ne
1077
+ ldp x16, x17, [p0, #48]
1078
+ csel x6, x6, x16, ne
1079
+ csel x7, x7, x17, ne
1080
+ ldp x16, x17, [p0, #64]
1081
+ csel x8, x8, x16, ne
1082
+ csel x9, x9, x17, ne
1083
+ ldp x16, x17, [p0, #80]
1084
+ csel x10, x10, x16, ne
1085
+ csel x11, x11, x17, ne
1086
+ ldp x16, x17, [p0, #96]
1087
+ csel x12, x12, x16, ne
1088
+ csel x13, x13, x17, ne
1089
+ ldp x16, x17, [p0, #112]
1090
+ csel x14, x14, x16, ne
1091
+ csel x15, x15, x17, ne
1092
+ add p0, p0, #128
1093
+
1094
+ cmp bf, #2
1095
+ ldp x16, x17, [p0]
1096
+ csel x0, x0, x16, ne
1097
+ csel x1, x1, x17, ne
1098
+ ldp x16, x17, [p0, #16]
1099
+ csel x2, x2, x16, ne
1100
+ csel x3, x3, x17, ne
1101
+ ldp x16, x17, [p0, #32]
1102
+ csel x4, x4, x16, ne
1103
+ csel x5, x5, x17, ne
1104
+ ldp x16, x17, [p0, #48]
1105
+ csel x6, x6, x16, ne
1106
+ csel x7, x7, x17, ne
1107
+ ldp x16, x17, [p0, #64]
1108
+ csel x8, x8, x16, ne
1109
+ csel x9, x9, x17, ne
1110
+ ldp x16, x17, [p0, #80]
1111
+ csel x10, x10, x16, ne
1112
+ csel x11, x11, x17, ne
1113
+ ldp x16, x17, [p0, #96]
1114
+ csel x12, x12, x16, ne
1115
+ csel x13, x13, x17, ne
1116
+ ldp x16, x17, [p0, #112]
1117
+ csel x14, x14, x16, ne
1118
+ csel x15, x15, x17, ne
1119
+ add p0, p0, #128
1120
+
1121
+ cmp bf, #3
1122
+ ldp x16, x17, [p0]
1123
+ csel x0, x0, x16, ne
1124
+ csel x1, x1, x17, ne
1125
+ ldp x16, x17, [p0, #16]
1126
+ csel x2, x2, x16, ne
1127
+ csel x3, x3, x17, ne
1128
+ ldp x16, x17, [p0, #32]
1129
+ csel x4, x4, x16, ne
1130
+ csel x5, x5, x17, ne
1131
+ ldp x16, x17, [p0, #48]
1132
+ csel x6, x6, x16, ne
1133
+ csel x7, x7, x17, ne
1134
+ ldp x16, x17, [p0, #64]
1135
+ csel x8, x8, x16, ne
1136
+ csel x9, x9, x17, ne
1137
+ ldp x16, x17, [p0, #80]
1138
+ csel x10, x10, x16, ne
1139
+ csel x11, x11, x17, ne
1140
+ ldp x16, x17, [p0, #96]
1141
+ csel x12, x12, x16, ne
1142
+ csel x13, x13, x17, ne
1143
+ ldp x16, x17, [p0, #112]
1144
+ csel x14, x14, x16, ne
1145
+ csel x15, x15, x17, ne
1146
+ add p0, p0, #128
1147
+
1148
+ cmp bf, #4
1149
+ ldp x16, x17, [p0]
1150
+ csel x0, x0, x16, ne
1151
+ csel x1, x1, x17, ne
1152
+ ldp x16, x17, [p0, #16]
1153
+ csel x2, x2, x16, ne
1154
+ csel x3, x3, x17, ne
1155
+ ldp x16, x17, [p0, #32]
1156
+ csel x4, x4, x16, ne
1157
+ csel x5, x5, x17, ne
1158
+ ldp x16, x17, [p0, #48]
1159
+ csel x6, x6, x16, ne
1160
+ csel x7, x7, x17, ne
1161
+ ldp x16, x17, [p0, #64]
1162
+ csel x8, x8, x16, ne
1163
+ csel x9, x9, x17, ne
1164
+ ldp x16, x17, [p0, #80]
1165
+ csel x10, x10, x16, ne
1166
+ csel x11, x11, x17, ne
1167
+ ldp x16, x17, [p0, #96]
1168
+ csel x12, x12, x16, ne
1169
+ csel x13, x13, x17, ne
1170
+ ldp x16, x17, [p0, #112]
1171
+ csel x14, x14, x16, ne
1172
+ csel x15, x15, x17, ne
1173
+ add p0, p0, #128
1174
+
1175
+ cmp bf, #5
1176
+ ldp x16, x17, [p0]
1177
+ csel x0, x0, x16, ne
1178
+ csel x1, x1, x17, ne
1179
+ ldp x16, x17, [p0, #16]
1180
+ csel x2, x2, x16, ne
1181
+ csel x3, x3, x17, ne
1182
+ ldp x16, x17, [p0, #32]
1183
+ csel x4, x4, x16, ne
1184
+ csel x5, x5, x17, ne
1185
+ ldp x16, x17, [p0, #48]
1186
+ csel x6, x6, x16, ne
1187
+ csel x7, x7, x17, ne
1188
+ ldp x16, x17, [p0, #64]
1189
+ csel x8, x8, x16, ne
1190
+ csel x9, x9, x17, ne
1191
+ ldp x16, x17, [p0, #80]
1192
+ csel x10, x10, x16, ne
1193
+ csel x11, x11, x17, ne
1194
+ ldp x16, x17, [p0, #96]
1195
+ csel x12, x12, x16, ne
1196
+ csel x13, x13, x17, ne
1197
+ ldp x16, x17, [p0, #112]
1198
+ csel x14, x14, x16, ne
1199
+ csel x15, x15, x17, ne
1200
+ add p0, p0, #128
1201
+
1202
+ cmp bf, #6
1203
+ ldp x16, x17, [p0]
1204
+ csel x0, x0, x16, ne
1205
+ csel x1, x1, x17, ne
1206
+ ldp x16, x17, [p0, #16]
1207
+ csel x2, x2, x16, ne
1208
+ csel x3, x3, x17, ne
1209
+ ldp x16, x17, [p0, #32]
1210
+ csel x4, x4, x16, ne
1211
+ csel x5, x5, x17, ne
1212
+ ldp x16, x17, [p0, #48]
1213
+ csel x6, x6, x16, ne
1214
+ csel x7, x7, x17, ne
1215
+ ldp x16, x17, [p0, #64]
1216
+ csel x8, x8, x16, ne
1217
+ csel x9, x9, x17, ne
1218
+ ldp x16, x17, [p0, #80]
1219
+ csel x10, x10, x16, ne
1220
+ csel x11, x11, x17, ne
1221
+ ldp x16, x17, [p0, #96]
1222
+ csel x12, x12, x16, ne
1223
+ csel x13, x13, x17, ne
1224
+ ldp x16, x17, [p0, #112]
1225
+ csel x14, x14, x16, ne
1226
+ csel x15, x15, x17, ne
1227
+ add p0, p0, #128
1228
+
1229
+ cmp bf, #7
1230
+ ldp x16, x17, [p0]
1231
+ csel x0, x0, x16, ne
1232
+ csel x1, x1, x17, ne
1233
+ ldp x16, x17, [p0, #16]
1234
+ csel x2, x2, x16, ne
1235
+ csel x3, x3, x17, ne
1236
+ ldp x16, x17, [p0, #32]
1237
+ csel x4, x4, x16, ne
1238
+ csel x5, x5, x17, ne
1239
+ ldp x16, x17, [p0, #48]
1240
+ csel x6, x6, x16, ne
1241
+ csel x7, x7, x17, ne
1242
+ ldp x16, x17, [p0, #64]
1243
+ csel x8, x8, x16, ne
1244
+ csel x9, x9, x17, ne
1245
+ ldp x16, x17, [p0, #80]
1246
+ csel x10, x10, x16, ne
1247
+ csel x11, x11, x17, ne
1248
+ ldp x16, x17, [p0, #96]
1249
+ csel x12, x12, x16, ne
1250
+ csel x13, x13, x17, ne
1251
+ ldp x16, x17, [p0, #112]
1252
+ csel x14, x14, x16, ne
1253
+ csel x15, x15, x17, ne
1254
+ add p0, p0, #128
1255
+
1256
+ cmp bf, #8
1257
+ ldp x16, x17, [p0]
1258
+ csel x0, x0, x16, ne
1259
+ csel x1, x1, x17, ne
1260
+ ldp x16, x17, [p0, #16]
1261
+ csel x2, x2, x16, ne
1262
+ csel x3, x3, x17, ne
1263
+ ldp x16, x17, [p0, #32]
1264
+ csel x4, x4, x16, ne
1265
+ csel x5, x5, x17, ne
1266
+ ldp x16, x17, [p0, #48]
1267
+ csel x6, x6, x16, ne
1268
+ csel x7, x7, x17, ne
1269
+ ldp x16, x17, [p0, #64]
1270
+ csel x8, x8, x16, ne
1271
+ csel x9, x9, x17, ne
1272
+ ldp x16, x17, [p0, #80]
1273
+ csel x10, x10, x16, ne
1274
+ csel x11, x11, x17, ne
1275
+ ldp x16, x17, [p0, #96]
1276
+ csel x12, x12, x16, ne
1277
+ csel x13, x13, x17, ne
1278
+ ldp x16, x17, [p0, #112]
1279
+ csel x14, x14, x16, ne
1280
+ csel x15, x15, x17, ne
1281
+
1282
+ stp x0, x1, [tabent]
1283
+ stp x2, x3, [tabent+16]
1284
+ stp x4, x5, [tabent+32]
1285
+ stp x6, x7, [tabent+48]
1286
+ stp x8, x9, [tabent+64]
1287
+ stp x10, x11, [tabent+80]
1288
+ stp x12, x13, [tabent+96]
1289
+ stp x14, x15, [tabent+112]
1290
+
1291
+ // Add those elements to initialize the accumulator for bit position 252
1292
+
1293
+ add p0, acc
1294
+ add p1, tabent
1295
+ add p2, btabent
1296
+ bl edwards25519_scalarmuldouble_pepadd
1297
+
1298
+ // Main loop with acc = [scalar/2^i] * point + [bscalar/2^i] * basepoint
1299
+ // Start with i = 252 for bits 248..251 and go down four at a time to 3..0
1300
+
1301
+ edwards25519_scalarmuldouble_loop:
1302
+
1303
+ sub i, i, #4
1304
+
1305
+ // Double to acc' = 2 * acc
1306
+
1307
+ add p0, acc
1308
+ add p1, acc
1309
+ bl edwards25519_scalarmuldouble_pdouble
1310
+
1311
+ // Get btable entry, first getting the adjusted bitfield...
1312
+
1313
+ lsr x0, i, #6
1314
+ add x1, bscalar
1315
+ ldr x2, [x1, x0, lsl #3]
1316
+ lsr x3, x2, i
1317
+ and x0, x3, #15
1318
+ subs bf, x0, #8
1319
+ cneg bf, bf, cc
1320
+ csetm cf, cc
1321
+
1322
+ // ... then doing constant-time lookup with the appropriate index...
1323
+
1324
+ adr x14, edwards25519_scalarmuldouble_table
1325
+
1326
+ mov x0, #1
1327
+ mov x1, xzr
1328
+ mov x2, xzr
1329
+ mov x3, xzr
1330
+ mov x4, #1
1331
+ mov x5, xzr
1332
+ mov x6, xzr
1333
+ mov x7, xzr
1334
+ mov x8, xzr
1335
+ mov x9, xzr
1336
+ mov x10, xzr
1337
+ mov x11, xzr
1338
+
1339
+ cmp bf, #1
1340
+ ldp x12, x13, [x14]
1341
+ csel x0, x0, x12, ne
1342
+ csel x1, x1, x13, ne
1343
+ ldp x12, x13, [x14, #16]
1344
+ csel x2, x2, x12, ne
1345
+ csel x3, x3, x13, ne
1346
+ ldp x12, x13, [x14, #32]
1347
+ csel x4, x4, x12, ne
1348
+ csel x5, x5, x13, ne
1349
+ ldp x12, x13, [x14, #48]
1350
+ csel x6, x6, x12, ne
1351
+ csel x7, x7, x13, ne
1352
+ ldp x12, x13, [x14, #64]
1353
+ csel x8, x8, x12, ne
1354
+ csel x9, x9, x13, ne
1355
+ ldp x12, x13, [x14, #80]
1356
+ csel x10, x10, x12, ne
1357
+ csel x11, x11, x13, ne
1358
+ add x14, x14, #96
1359
+
1360
+ cmp bf, #2
1361
+ ldp x12, x13, [x14]
1362
+ csel x0, x0, x12, ne
1363
+ csel x1, x1, x13, ne
1364
+ ldp x12, x13, [x14, #16]
1365
+ csel x2, x2, x12, ne
1366
+ csel x3, x3, x13, ne
1367
+ ldp x12, x13, [x14, #32]
1368
+ csel x4, x4, x12, ne
1369
+ csel x5, x5, x13, ne
1370
+ ldp x12, x13, [x14, #48]
1371
+ csel x6, x6, x12, ne
1372
+ csel x7, x7, x13, ne
1373
+ ldp x12, x13, [x14, #64]
1374
+ csel x8, x8, x12, ne
1375
+ csel x9, x9, x13, ne
1376
+ ldp x12, x13, [x14, #80]
1377
+ csel x10, x10, x12, ne
1378
+ csel x11, x11, x13, ne
1379
+ add x14, x14, #96
1380
+
1381
+ cmp bf, #3
1382
+ ldp x12, x13, [x14]
1383
+ csel x0, x0, x12, ne
1384
+ csel x1, x1, x13, ne
1385
+ ldp x12, x13, [x14, #16]
1386
+ csel x2, x2, x12, ne
1387
+ csel x3, x3, x13, ne
1388
+ ldp x12, x13, [x14, #32]
1389
+ csel x4, x4, x12, ne
1390
+ csel x5, x5, x13, ne
1391
+ ldp x12, x13, [x14, #48]
1392
+ csel x6, x6, x12, ne
1393
+ csel x7, x7, x13, ne
1394
+ ldp x12, x13, [x14, #64]
1395
+ csel x8, x8, x12, ne
1396
+ csel x9, x9, x13, ne
1397
+ ldp x12, x13, [x14, #80]
1398
+ csel x10, x10, x12, ne
1399
+ csel x11, x11, x13, ne
1400
+ add x14, x14, #96
1401
+
1402
+ cmp bf, #4
1403
+ ldp x12, x13, [x14]
1404
+ csel x0, x0, x12, ne
1405
+ csel x1, x1, x13, ne
1406
+ ldp x12, x13, [x14, #16]
1407
+ csel x2, x2, x12, ne
1408
+ csel x3, x3, x13, ne
1409
+ ldp x12, x13, [x14, #32]
1410
+ csel x4, x4, x12, ne
1411
+ csel x5, x5, x13, ne
1412
+ ldp x12, x13, [x14, #48]
1413
+ csel x6, x6, x12, ne
1414
+ csel x7, x7, x13, ne
1415
+ ldp x12, x13, [x14, #64]
1416
+ csel x8, x8, x12, ne
1417
+ csel x9, x9, x13, ne
1418
+ ldp x12, x13, [x14, #80]
1419
+ csel x10, x10, x12, ne
1420
+ csel x11, x11, x13, ne
1421
+ add x14, x14, #96
1422
+
1423
+ cmp bf, #5
1424
+ ldp x12, x13, [x14]
1425
+ csel x0, x0, x12, ne
1426
+ csel x1, x1, x13, ne
1427
+ ldp x12, x13, [x14, #16]
1428
+ csel x2, x2, x12, ne
1429
+ csel x3, x3, x13, ne
1430
+ ldp x12, x13, [x14, #32]
1431
+ csel x4, x4, x12, ne
1432
+ csel x5, x5, x13, ne
1433
+ ldp x12, x13, [x14, #48]
1434
+ csel x6, x6, x12, ne
1435
+ csel x7, x7, x13, ne
1436
+ ldp x12, x13, [x14, #64]
1437
+ csel x8, x8, x12, ne
1438
+ csel x9, x9, x13, ne
1439
+ ldp x12, x13, [x14, #80]
1440
+ csel x10, x10, x12, ne
1441
+ csel x11, x11, x13, ne
1442
+ add x14, x14, #96
1443
+
1444
+ cmp bf, #6
1445
+ ldp x12, x13, [x14]
1446
+ csel x0, x0, x12, ne
1447
+ csel x1, x1, x13, ne
1448
+ ldp x12, x13, [x14, #16]
1449
+ csel x2, x2, x12, ne
1450
+ csel x3, x3, x13, ne
1451
+ ldp x12, x13, [x14, #32]
1452
+ csel x4, x4, x12, ne
1453
+ csel x5, x5, x13, ne
1454
+ ldp x12, x13, [x14, #48]
1455
+ csel x6, x6, x12, ne
1456
+ csel x7, x7, x13, ne
1457
+ ldp x12, x13, [x14, #64]
1458
+ csel x8, x8, x12, ne
1459
+ csel x9, x9, x13, ne
1460
+ ldp x12, x13, [x14, #80]
1461
+ csel x10, x10, x12, ne
1462
+ csel x11, x11, x13, ne
1463
+ add x14, x14, #96
1464
+
1465
+ cmp bf, #7
1466
+ ldp x12, x13, [x14]
1467
+ csel x0, x0, x12, ne
1468
+ csel x1, x1, x13, ne
1469
+ ldp x12, x13, [x14, #16]
1470
+ csel x2, x2, x12, ne
1471
+ csel x3, x3, x13, ne
1472
+ ldp x12, x13, [x14, #32]
1473
+ csel x4, x4, x12, ne
1474
+ csel x5, x5, x13, ne
1475
+ ldp x12, x13, [x14, #48]
1476
+ csel x6, x6, x12, ne
1477
+ csel x7, x7, x13, ne
1478
+ ldp x12, x13, [x14, #64]
1479
+ csel x8, x8, x12, ne
1480
+ csel x9, x9, x13, ne
1481
+ ldp x12, x13, [x14, #80]
1482
+ csel x10, x10, x12, ne
1483
+ csel x11, x11, x13, ne
1484
+ add x14, x14, #96
1485
+
1486
+ cmp bf, #8
1487
+ ldp x12, x13, [x14]
1488
+ csel x0, x0, x12, ne
1489
+ csel x1, x1, x13, ne
1490
+ ldp x12, x13, [x14, #16]
1491
+ csel x2, x2, x12, ne
1492
+ csel x3, x3, x13, ne
1493
+ ldp x12, x13, [x14, #32]
1494
+ csel x4, x4, x12, ne
1495
+ csel x5, x5, x13, ne
1496
+ ldp x12, x13, [x14, #48]
1497
+ csel x6, x6, x12, ne
1498
+ csel x7, x7, x13, ne
1499
+ ldp x12, x13, [x14, #64]
1500
+ csel x8, x8, x12, ne
1501
+ csel x9, x9, x13, ne
1502
+ ldp x12, x13, [x14, #80]
1503
+ csel x10, x10, x12, ne
1504
+ csel x11, x11, x13, ne
1505
+
1506
+ // ... then optionally negating before storing. The table entry
1507
+ // is in precomputed form and we currently have
1508
+ //
1509
+ // [x3;x2;x1;x0] = y - x
1510
+ // [x7;x6;x5;x4] = x + y
1511
+ // [x11;x10;x9;x8] = 2 * d * x * y
1512
+ //
1513
+ // Negation for Edwards curves is -(x,y) = (-x,y), which in this modified
1514
+ // form amounts to swapping the first two fields and negating the third.
1515
+ // The negation does not always fully reduce even mod 2^256-38 in the zero
1516
+ // case, instead giving -0 = 2^256-38. But that is fine since the result is
1517
+ // always fed to a multiplication inside the "pepadd" function below that
1518
+ // handles any 256-bit input.
1519
+
1520
+ cmp cf, xzr
1521
+
1522
+ csel x12, x0, x4, eq
1523
+ csel x4, x0, x4, ne
1524
+ csel x13, x1, x5, eq
1525
+ csel x5, x1, x5, ne
1526
+ csel x14, x2, x6, eq
1527
+ csel x6, x2, x6, ne
1528
+ csel x15, x3, x7, eq
1529
+ csel x7, x3, x7, ne
1530
+
1531
+ eor x8, x8, cf
1532
+ eor x9, x9, cf
1533
+ eor x10, x10, cf
1534
+ eor x11, x11, cf
1535
+ mov x0, #37
1536
+ and x0, x0, cf
1537
+ subs x8, x8, x0
1538
+ sbcs x9, x9, xzr
1539
+ sbcs x10, x10, xzr
1540
+ sbc x11, x11, xzr
1541
+
1542
+ stp x12, x13, [btabent]
1543
+ stp x14, x15, [btabent+16]
1544
+ stp x4, x5, [btabent+32]
1545
+ stp x6, x7, [btabent+48]
1546
+ stp x8, x9, [btabent+64]
1547
+ stp x10, x11, [btabent+80]
1548
+
1549
+ // Get table entry, first getting the adjusted bitfield...
1550
+
1551
+ lsr x0, i, #6
1552
+ ldr x1, [sp, x0, lsl #3]
1553
+ lsr x2, x1, i
1554
+ and x0, x2, #15
1555
+ subs bf, x0, #8
1556
+ cneg bf, bf, cc
1557
+ csetm cf, cc
1558
+
1559
+ // ... then getting the unadjusted table entry
1560
+
1561
+ add p0, tab
1562
+
1563
+ mov x0, xzr
1564
+ mov x1, xzr
1565
+ mov x2, xzr
1566
+ mov x3, xzr
1567
+ mov x4, #1
1568
+ mov x5, xzr
1569
+ mov x6, xzr
1570
+ mov x7, xzr
1571
+ mov x8, #1
1572
+ mov x9, xzr
1573
+ mov x10, xzr
1574
+ mov x11, xzr
1575
+ mov x12, xzr
1576
+ mov x13, xzr
1577
+ mov x14, xzr
1578
+ mov x15, xzr
1579
+
1580
+ cmp bf, #1
1581
+ ldp x16, x17, [p0]
1582
+ csel x0, x0, x16, ne
1583
+ csel x1, x1, x17, ne
1584
+ ldp x16, x17, [p0, #16]
1585
+ csel x2, x2, x16, ne
1586
+ csel x3, x3, x17, ne
1587
+ ldp x16, x17, [p0, #32]
1588
+ csel x4, x4, x16, ne
1589
+ csel x5, x5, x17, ne
1590
+ ldp x16, x17, [p0, #48]
1591
+ csel x6, x6, x16, ne
1592
+ csel x7, x7, x17, ne
1593
+ ldp x16, x17, [p0, #64]
1594
+ csel x8, x8, x16, ne
1595
+ csel x9, x9, x17, ne
1596
+ ldp x16, x17, [p0, #80]
1597
+ csel x10, x10, x16, ne
1598
+ csel x11, x11, x17, ne
1599
+ ldp x16, x17, [p0, #96]
1600
+ csel x12, x12, x16, ne
1601
+ csel x13, x13, x17, ne
1602
+ ldp x16, x17, [p0, #112]
1603
+ csel x14, x14, x16, ne
1604
+ csel x15, x15, x17, ne
1605
+ add p0, p0, #128
1606
+
1607
+ cmp bf, #2
1608
+ ldp x16, x17, [p0]
1609
+ csel x0, x0, x16, ne
1610
+ csel x1, x1, x17, ne
1611
+ ldp x16, x17, [p0, #16]
1612
+ csel x2, x2, x16, ne
1613
+ csel x3, x3, x17, ne
1614
+ ldp x16, x17, [p0, #32]
1615
+ csel x4, x4, x16, ne
1616
+ csel x5, x5, x17, ne
1617
+ ldp x16, x17, [p0, #48]
1618
+ csel x6, x6, x16, ne
1619
+ csel x7, x7, x17, ne
1620
+ ldp x16, x17, [p0, #64]
1621
+ csel x8, x8, x16, ne
1622
+ csel x9, x9, x17, ne
1623
+ ldp x16, x17, [p0, #80]
1624
+ csel x10, x10, x16, ne
1625
+ csel x11, x11, x17, ne
1626
+ ldp x16, x17, [p0, #96]
1627
+ csel x12, x12, x16, ne
1628
+ csel x13, x13, x17, ne
1629
+ ldp x16, x17, [p0, #112]
1630
+ csel x14, x14, x16, ne
1631
+ csel x15, x15, x17, ne
1632
+ add p0, p0, #128
1633
+
1634
+ cmp bf, #3
1635
+ ldp x16, x17, [p0]
1636
+ csel x0, x0, x16, ne
1637
+ csel x1, x1, x17, ne
1638
+ ldp x16, x17, [p0, #16]
1639
+ csel x2, x2, x16, ne
1640
+ csel x3, x3, x17, ne
1641
+ ldp x16, x17, [p0, #32]
1642
+ csel x4, x4, x16, ne
1643
+ csel x5, x5, x17, ne
1644
+ ldp x16, x17, [p0, #48]
1645
+ csel x6, x6, x16, ne
1646
+ csel x7, x7, x17, ne
1647
+ ldp x16, x17, [p0, #64]
1648
+ csel x8, x8, x16, ne
1649
+ csel x9, x9, x17, ne
1650
+ ldp x16, x17, [p0, #80]
1651
+ csel x10, x10, x16, ne
1652
+ csel x11, x11, x17, ne
1653
+ ldp x16, x17, [p0, #96]
1654
+ csel x12, x12, x16, ne
1655
+ csel x13, x13, x17, ne
1656
+ ldp x16, x17, [p0, #112]
1657
+ csel x14, x14, x16, ne
1658
+ csel x15, x15, x17, ne
1659
+ add p0, p0, #128
1660
+
1661
+ cmp bf, #4
1662
+ ldp x16, x17, [p0]
1663
+ csel x0, x0, x16, ne
1664
+ csel x1, x1, x17, ne
1665
+ ldp x16, x17, [p0, #16]
1666
+ csel x2, x2, x16, ne
1667
+ csel x3, x3, x17, ne
1668
+ ldp x16, x17, [p0, #32]
1669
+ csel x4, x4, x16, ne
1670
+ csel x5, x5, x17, ne
1671
+ ldp x16, x17, [p0, #48]
1672
+ csel x6, x6, x16, ne
1673
+ csel x7, x7, x17, ne
1674
+ ldp x16, x17, [p0, #64]
1675
+ csel x8, x8, x16, ne
1676
+ csel x9, x9, x17, ne
1677
+ ldp x16, x17, [p0, #80]
1678
+ csel x10, x10, x16, ne
1679
+ csel x11, x11, x17, ne
1680
+ ldp x16, x17, [p0, #96]
1681
+ csel x12, x12, x16, ne
1682
+ csel x13, x13, x17, ne
1683
+ ldp x16, x17, [p0, #112]
1684
+ csel x14, x14, x16, ne
1685
+ csel x15, x15, x17, ne
1686
+ add p0, p0, #128
1687
+
1688
+ cmp bf, #5
1689
+ ldp x16, x17, [p0]
1690
+ csel x0, x0, x16, ne
1691
+ csel x1, x1, x17, ne
1692
+ ldp x16, x17, [p0, #16]
1693
+ csel x2, x2, x16, ne
1694
+ csel x3, x3, x17, ne
1695
+ ldp x16, x17, [p0, #32]
1696
+ csel x4, x4, x16, ne
1697
+ csel x5, x5, x17, ne
1698
+ ldp x16, x17, [p0, #48]
1699
+ csel x6, x6, x16, ne
1700
+ csel x7, x7, x17, ne
1701
+ ldp x16, x17, [p0, #64]
1702
+ csel x8, x8, x16, ne
1703
+ csel x9, x9, x17, ne
1704
+ ldp x16, x17, [p0, #80]
1705
+ csel x10, x10, x16, ne
1706
+ csel x11, x11, x17, ne
1707
+ ldp x16, x17, [p0, #96]
1708
+ csel x12, x12, x16, ne
1709
+ csel x13, x13, x17, ne
1710
+ ldp x16, x17, [p0, #112]
1711
+ csel x14, x14, x16, ne
1712
+ csel x15, x15, x17, ne
1713
+ add p0, p0, #128
1714
+
1715
+ cmp bf, #6
1716
+ ldp x16, x17, [p0]
1717
+ csel x0, x0, x16, ne
1718
+ csel x1, x1, x17, ne
1719
+ ldp x16, x17, [p0, #16]
1720
+ csel x2, x2, x16, ne
1721
+ csel x3, x3, x17, ne
1722
+ ldp x16, x17, [p0, #32]
1723
+ csel x4, x4, x16, ne
1724
+ csel x5, x5, x17, ne
1725
+ ldp x16, x17, [p0, #48]
1726
+ csel x6, x6, x16, ne
1727
+ csel x7, x7, x17, ne
1728
+ ldp x16, x17, [p0, #64]
1729
+ csel x8, x8, x16, ne
1730
+ csel x9, x9, x17, ne
1731
+ ldp x16, x17, [p0, #80]
1732
+ csel x10, x10, x16, ne
1733
+ csel x11, x11, x17, ne
1734
+ ldp x16, x17, [p0, #96]
1735
+ csel x12, x12, x16, ne
1736
+ csel x13, x13, x17, ne
1737
+ ldp x16, x17, [p0, #112]
1738
+ csel x14, x14, x16, ne
1739
+ csel x15, x15, x17, ne
1740
+ add p0, p0, #128
1741
+
1742
+ cmp bf, #7
1743
+ ldp x16, x17, [p0]
1744
+ csel x0, x0, x16, ne
1745
+ csel x1, x1, x17, ne
1746
+ ldp x16, x17, [p0, #16]
1747
+ csel x2, x2, x16, ne
1748
+ csel x3, x3, x17, ne
1749
+ ldp x16, x17, [p0, #32]
1750
+ csel x4, x4, x16, ne
1751
+ csel x5, x5, x17, ne
1752
+ ldp x16, x17, [p0, #48]
1753
+ csel x6, x6, x16, ne
1754
+ csel x7, x7, x17, ne
1755
+ ldp x16, x17, [p0, #64]
1756
+ csel x8, x8, x16, ne
1757
+ csel x9, x9, x17, ne
1758
+ ldp x16, x17, [p0, #80]
1759
+ csel x10, x10, x16, ne
1760
+ csel x11, x11, x17, ne
1761
+ ldp x16, x17, [p0, #96]
1762
+ csel x12, x12, x16, ne
1763
+ csel x13, x13, x17, ne
1764
+ ldp x16, x17, [p0, #112]
1765
+ csel x14, x14, x16, ne
1766
+ csel x15, x15, x17, ne
1767
+ add p0, p0, #128
1768
+
1769
+ cmp bf, #8
1770
+ ldp x16, x17, [p0]
1771
+ csel x0, x0, x16, ne
1772
+ csel x1, x1, x17, ne
1773
+ ldp x16, x17, [p0, #16]
1774
+ csel x2, x2, x16, ne
1775
+ csel x3, x3, x17, ne
1776
+ ldp x16, x17, [p0, #32]
1777
+ csel x4, x4, x16, ne
1778
+ csel x5, x5, x17, ne
1779
+ ldp x16, x17, [p0, #48]
1780
+ csel x6, x6, x16, ne
1781
+ csel x7, x7, x17, ne
1782
+ ldp x16, x17, [p0, #64]
1783
+ csel x8, x8, x16, ne
1784
+ csel x9, x9, x17, ne
1785
+ ldp x16, x17, [p0, #80]
1786
+ csel x10, x10, x16, ne
1787
+ csel x11, x11, x17, ne
1788
+ ldp x16, x17, [p0, #96]
1789
+ csel x12, x12, x16, ne
1790
+ csel x13, x13, x17, ne
1791
+ ldp x16, x17, [p0, #112]
1792
+ csel x14, x14, x16, ne
1793
+ csel x15, x15, x17, ne
1794
+
1795
+ // ... then optionally negating before storing. This time the table
1796
+ // entry is extended-projective, and is in registers thus:
1797
+ //
1798
+ // [x3;x2;x1;x0] = X
1799
+ // [x7;x6;x5;x4] = Y
1800
+ // [x11;x10;x9;x8] = Z
1801
+ // [x15;x14;x13;x12] = W
1802
+ //
1803
+ // This time we just need to negate the X and the W fields.
1804
+ // The crude way negation is done can result in values of X or W
1805
+ // (when initially zero before negation) being exactly equal to
1806
+ // 2^256-38, but the "pepadd" function handles that correctly.
1807
+
1808
+ eor x0, x0, cf
1809
+ eor x1, x1, cf
1810
+ eor x2, x2, cf
1811
+ eor x3, x3, cf
1812
+ mov x16, #37
1813
+ and x16, x16, cf
1814
+ subs x0, x0, x16
1815
+ sbcs x1, x1, xzr
1816
+ sbcs x2, x2, xzr
1817
+ sbc x3, x3, xzr
1818
+
1819
+ eor x12, x12, cf
1820
+ eor x13, x13, cf
1821
+ eor x14, x14, cf
1822
+ eor x15, x15, cf
1823
+ subs x12, x12, x16
1824
+ sbcs x13, x13, xzr
1825
+ sbcs x14, x14, xzr
1826
+ sbc x15, x15, xzr
1827
+
1828
+ stp x0, x1, [tabent]
1829
+ stp x2, x3, [tabent+16]
1830
+ stp x4, x5, [tabent+32]
1831
+ stp x6, x7, [tabent+48]
1832
+ stp x8, x9, [tabent+64]
1833
+ stp x10, x11, [tabent+80]
1834
+ stp x12, x13, [tabent+96]
1835
+ stp x14, x15, [tabent+112]
1836
+
1837
+ // Double to acc' = 4 * acc
1838
+
1839
+ add p0, acc
1840
+ add p1, acc
1841
+ bl edwards25519_scalarmuldouble_pdouble
1842
+
1843
+ // Add tabent := tabent + btabent
1844
+
1845
+ add p0, tabent
1846
+ add p1, tabent
1847
+ add p2, btabent
1848
+ bl edwards25519_scalarmuldouble_pepadd
1849
+
1850
+ // Double to acc' = 8 * acc
1851
+
1852
+ add p0, acc
1853
+ add p1, acc
1854
+ bl edwards25519_scalarmuldouble_pdouble
1855
+
1856
+ // Double to acc' = 16 * acc
1857
+
1858
+ add p0, acc
1859
+ add p1, acc
1860
+ bl edwards25519_scalarmuldouble_epdouble
1861
+
1862
+ // Add table entry, acc := acc + tabent
1863
+
1864
+ add p0, acc
1865
+ add p1, acc
1866
+ add p2, tabent
1867
+ bl edwards25519_scalarmuldouble_epadd
1868
+
1869
+ // Loop down
1870
+
1871
+ cbnz i, edwards25519_scalarmuldouble_loop
1872
+
1873
+ // Modular inverse setup
1874
+
1875
+ add x0, tabent
1876
+ add x1, acc+64
1877
+
1878
+ // Inline copy of bignum_inv_p25519, identical except for stripping out
1879
+ // the prologue and epilogue saving and restoring registers and making
1880
+ // and reclaiming room on the stack. For more details and explanations see
1881
+ // "arm/curve25519/bignum_inv_p25519.S". Note that the stack it uses for
1882
+ // its own temporaries is 128 bytes, so it has no effect on variables
1883
+ // that are needed in the rest of our computation here: res, acc, tabent.
1884
+
1885
+ mov x20, x0
1886
+ mov x10, #0xffffffffffffffed
1887
+ mov x11, #0xffffffffffffffff
1888
+ stp x10, x11, [sp]
1889
+ mov x12, #0x7fffffffffffffff
1890
+ stp x11, x12, [sp, #16]
1891
+ ldp x2, x3, [x1]
1892
+ ldp x4, x5, [x1, #16]
1893
+ mov x7, #0x13
1894
+ lsr x6, x5, #63
1895
+ madd x6, x7, x6, x7
1896
+ adds x2, x2, x6
1897
+ adcs x3, x3, xzr
1898
+ adcs x4, x4, xzr
1899
+ orr x5, x5, #0x8000000000000000
1900
+ adcs x5, x5, xzr
1901
+ csel x6, x7, xzr, cc
1902
+ subs x2, x2, x6
1903
+ sbcs x3, x3, xzr
1904
+ sbcs x4, x4, xzr
1905
+ sbc x5, x5, xzr
1906
+ and x5, x5, #0x7fffffffffffffff
1907
+ stp x2, x3, [sp, #32]
1908
+ stp x4, x5, [sp, #48]
1909
+ stp xzr, xzr, [sp, #64]
1910
+ stp xzr, xzr, [sp, #80]
1911
+ mov x10, #0x2099
1912
+ movk x10, #0x7502, lsl #16
1913
+ movk x10, #0x9e23, lsl #32
1914
+ movk x10, #0xa0f9, lsl #48
1915
+ mov x11, #0x2595
1916
+ movk x11, #0x1d13, lsl #16
1917
+ movk x11, #0x8f3f, lsl #32
1918
+ movk x11, #0xa8c6, lsl #48
1919
+ mov x12, #0x5242
1920
+ movk x12, #0x5ac, lsl #16
1921
+ movk x12, #0x8938, lsl #32
1922
+ movk x12, #0x6c6c, lsl #48
1923
+ mov x13, #0x615
1924
+ movk x13, #0x4177, lsl #16
1925
+ movk x13, #0x8b2, lsl #32
1926
+ movk x13, #0x2765, lsl #48
1927
+ stp x10, x11, [sp, #96]
1928
+ stp x12, x13, [sp, #112]
1929
+ mov x21, #0xa
1930
+ mov x22, #0x1
1931
+ b edwards25519_scalarmuldouble_invmidloop
1932
+ edwards25519_scalarmuldouble_invloop:
1933
+ cmp x10, xzr
1934
+ csetm x14, mi
1935
+ cneg x10, x10, mi
1936
+ cmp x11, xzr
1937
+ csetm x15, mi
1938
+ cneg x11, x11, mi
1939
+ cmp x12, xzr
1940
+ csetm x16, mi
1941
+ cneg x12, x12, mi
1942
+ cmp x13, xzr
1943
+ csetm x17, mi
1944
+ cneg x13, x13, mi
1945
+ and x0, x10, x14
1946
+ and x1, x11, x15
1947
+ add x9, x0, x1
1948
+ and x0, x12, x16
1949
+ and x1, x13, x17
1950
+ add x19, x0, x1
1951
+ ldr x7, [sp]
1952
+ eor x1, x7, x14
1953
+ mul x0, x1, x10
1954
+ umulh x1, x1, x10
1955
+ adds x4, x9, x0
1956
+ adc x2, xzr, x1
1957
+ ldr x8, [sp, #32]
1958
+ eor x1, x8, x15
1959
+ mul x0, x1, x11
1960
+ umulh x1, x1, x11
1961
+ adds x4, x4, x0
1962
+ adc x2, x2, x1
1963
+ eor x1, x7, x16
1964
+ mul x0, x1, x12
1965
+ umulh x1, x1, x12
1966
+ adds x5, x19, x0
1967
+ adc x3, xzr, x1
1968
+ eor x1, x8, x17
1969
+ mul x0, x1, x13
1970
+ umulh x1, x1, x13
1971
+ adds x5, x5, x0
1972
+ adc x3, x3, x1
1973
+ ldr x7, [sp, #8]
1974
+ eor x1, x7, x14
1975
+ mul x0, x1, x10
1976
+ umulh x1, x1, x10
1977
+ adds x2, x2, x0
1978
+ adc x6, xzr, x1
1979
+ ldr x8, [sp, #40]
1980
+ eor x1, x8, x15
1981
+ mul x0, x1, x11
1982
+ umulh x1, x1, x11
1983
+ adds x2, x2, x0
1984
+ adc x6, x6, x1
1985
+ extr x4, x2, x4, #59
1986
+ str x4, [sp]
1987
+ eor x1, x7, x16
1988
+ mul x0, x1, x12
1989
+ umulh x1, x1, x12
1990
+ adds x3, x3, x0
1991
+ adc x4, xzr, x1
1992
+ eor x1, x8, x17
1993
+ mul x0, x1, x13
1994
+ umulh x1, x1, x13
1995
+ adds x3, x3, x0
1996
+ adc x4, x4, x1
1997
+ extr x5, x3, x5, #59
1998
+ str x5, [sp, #32]
1999
+ ldr x7, [sp, #16]
2000
+ eor x1, x7, x14
2001
+ mul x0, x1, x10
2002
+ umulh x1, x1, x10
2003
+ adds x6, x6, x0
2004
+ adc x5, xzr, x1
2005
+ ldr x8, [sp, #48]
2006
+ eor x1, x8, x15
2007
+ mul x0, x1, x11
2008
+ umulh x1, x1, x11
2009
+ adds x6, x6, x0
2010
+ adc x5, x5, x1
2011
+ extr x2, x6, x2, #59
2012
+ str x2, [sp, #8]
2013
+ eor x1, x7, x16
2014
+ mul x0, x1, x12
2015
+ umulh x1, x1, x12
2016
+ adds x4, x4, x0
2017
+ adc x2, xzr, x1
2018
+ eor x1, x8, x17
2019
+ mul x0, x1, x13
2020
+ umulh x1, x1, x13
2021
+ adds x4, x4, x0
2022
+ adc x2, x2, x1
2023
+ extr x3, x4, x3, #59
2024
+ str x3, [sp, #40]
2025
+ ldr x7, [sp, #24]
2026
+ eor x1, x7, x14
2027
+ asr x3, x1, #63
2028
+ and x3, x3, x10
2029
+ neg x3, x3
2030
+ mul x0, x1, x10
2031
+ umulh x1, x1, x10
2032
+ adds x5, x5, x0
2033
+ adc x3, x3, x1
2034
+ ldr x8, [sp, #56]
2035
+ eor x1, x8, x15
2036
+ asr x0, x1, #63
2037
+ and x0, x0, x11
2038
+ sub x3, x3, x0
2039
+ mul x0, x1, x11
2040
+ umulh x1, x1, x11
2041
+ adds x5, x5, x0
2042
+ adc x3, x3, x1
2043
+ extr x6, x5, x6, #59
2044
+ str x6, [sp, #16]
2045
+ extr x5, x3, x5, #59
2046
+ str x5, [sp, #24]
2047
+ eor x1, x7, x16
2048
+ asr x5, x1, #63
2049
+ and x5, x5, x12
2050
+ neg x5, x5
2051
+ mul x0, x1, x12
2052
+ umulh x1, x1, x12
2053
+ adds x2, x2, x0
2054
+ adc x5, x5, x1
2055
+ eor x1, x8, x17
2056
+ asr x0, x1, #63
2057
+ and x0, x0, x13
2058
+ sub x5, x5, x0
2059
+ mul x0, x1, x13
2060
+ umulh x1, x1, x13
2061
+ adds x2, x2, x0
2062
+ adc x5, x5, x1
2063
+ extr x4, x2, x4, #59
2064
+ str x4, [sp, #48]
2065
+ extr x2, x5, x2, #59
2066
+ str x2, [sp, #56]
2067
+ ldr x7, [sp, #64]
2068
+ eor x1, x7, x14
2069
+ mul x0, x1, x10
2070
+ umulh x1, x1, x10
2071
+ adds x4, x9, x0
2072
+ adc x2, xzr, x1
2073
+ ldr x8, [sp, #96]
2074
+ eor x1, x8, x15
2075
+ mul x0, x1, x11
2076
+ umulh x1, x1, x11
2077
+ adds x4, x4, x0
2078
+ str x4, [sp, #64]
2079
+ adc x2, x2, x1
2080
+ eor x1, x7, x16
2081
+ mul x0, x1, x12
2082
+ umulh x1, x1, x12
2083
+ adds x5, x19, x0
2084
+ adc x3, xzr, x1
2085
+ eor x1, x8, x17
2086
+ mul x0, x1, x13
2087
+ umulh x1, x1, x13
2088
+ adds x5, x5, x0
2089
+ str x5, [sp, #96]
2090
+ adc x3, x3, x1
2091
+ ldr x7, [sp, #72]
2092
+ eor x1, x7, x14
2093
+ mul x0, x1, x10
2094
+ umulh x1, x1, x10
2095
+ adds x2, x2, x0
2096
+ adc x6, xzr, x1
2097
+ ldr x8, [sp, #104]
2098
+ eor x1, x8, x15
2099
+ mul x0, x1, x11
2100
+ umulh x1, x1, x11
2101
+ adds x2, x2, x0
2102
+ str x2, [sp, #72]
2103
+ adc x6, x6, x1
2104
+ eor x1, x7, x16
2105
+ mul x0, x1, x12
2106
+ umulh x1, x1, x12
2107
+ adds x3, x3, x0
2108
+ adc x4, xzr, x1
2109
+ eor x1, x8, x17
2110
+ mul x0, x1, x13
2111
+ umulh x1, x1, x13
2112
+ adds x3, x3, x0
2113
+ str x3, [sp, #104]
2114
+ adc x4, x4, x1
2115
+ ldr x7, [sp, #80]
2116
+ eor x1, x7, x14
2117
+ mul x0, x1, x10
2118
+ umulh x1, x1, x10
2119
+ adds x6, x6, x0
2120
+ adc x5, xzr, x1
2121
+ ldr x8, [sp, #112]
2122
+ eor x1, x8, x15
2123
+ mul x0, x1, x11
2124
+ umulh x1, x1, x11
2125
+ adds x6, x6, x0
2126
+ str x6, [sp, #80]
2127
+ adc x5, x5, x1
2128
+ eor x1, x7, x16
2129
+ mul x0, x1, x12
2130
+ umulh x1, x1, x12
2131
+ adds x4, x4, x0
2132
+ adc x2, xzr, x1
2133
+ eor x1, x8, x17
2134
+ mul x0, x1, x13
2135
+ umulh x1, x1, x13
2136
+ adds x4, x4, x0
2137
+ str x4, [sp, #112]
2138
+ adc x2, x2, x1
2139
+ ldr x7, [sp, #88]
2140
+ eor x1, x7, x14
2141
+ and x3, x14, x10
2142
+ neg x3, x3
2143
+ mul x0, x1, x10
2144
+ umulh x1, x1, x10
2145
+ adds x5, x5, x0
2146
+ adc x3, x3, x1
2147
+ ldr x8, [sp, #120]
2148
+ eor x1, x8, x15
2149
+ and x0, x15, x11
2150
+ sub x3, x3, x0
2151
+ mul x0, x1, x11
2152
+ umulh x1, x1, x11
2153
+ adds x5, x5, x0
2154
+ adc x3, x3, x1
2155
+ extr x6, x3, x5, #63
2156
+ ldp x0, x1, [sp, #64]
2157
+ add x6, x6, x3, asr #63
2158
+ mov x3, #0x13
2159
+ mul x4, x6, x3
2160
+ add x5, x5, x6, lsl #63
2161
+ smulh x3, x6, x3
2162
+ ldr x6, [sp, #80]
2163
+ adds x0, x0, x4
2164
+ adcs x1, x1, x3
2165
+ asr x3, x3, #63
2166
+ adcs x6, x6, x3
2167
+ adc x5, x5, x3
2168
+ stp x0, x1, [sp, #64]
2169
+ stp x6, x5, [sp, #80]
2170
+ eor x1, x7, x16
2171
+ and x5, x16, x12
2172
+ neg x5, x5
2173
+ mul x0, x1, x12
2174
+ umulh x1, x1, x12
2175
+ adds x2, x2, x0
2176
+ adc x5, x5, x1
2177
+ eor x1, x8, x17
2178
+ and x0, x17, x13
2179
+ sub x5, x5, x0
2180
+ mul x0, x1, x13
2181
+ umulh x1, x1, x13
2182
+ adds x2, x2, x0
2183
+ adc x5, x5, x1
2184
+ extr x6, x5, x2, #63
2185
+ ldp x0, x1, [sp, #96]
2186
+ add x6, x6, x5, asr #63
2187
+ mov x5, #0x13
2188
+ mul x4, x6, x5
2189
+ add x2, x2, x6, lsl #63
2190
+ smulh x5, x6, x5
2191
+ ldr x3, [sp, #112]
2192
+ adds x0, x0, x4
2193
+ adcs x1, x1, x5
2194
+ asr x5, x5, #63
2195
+ adcs x3, x3, x5
2196
+ adc x2, x2, x5
2197
+ stp x0, x1, [sp, #96]
2198
+ stp x3, x2, [sp, #112]
2199
+ edwards25519_scalarmuldouble_invmidloop:
2200
+ mov x1, x22
2201
+ ldr x2, [sp]
2202
+ ldr x3, [sp, #32]
2203
+ and x4, x2, #0xfffff
2204
+ orr x4, x4, #0xfffffe0000000000
2205
+ and x5, x3, #0xfffff
2206
+ orr x5, x5, #0xc000000000000000
2207
+ tst x5, #0x1
2208
+ csel x6, x4, xzr, ne
2209
+ ccmp x1, xzr, #0x8, ne
2210
+ cneg x1, x1, ge
2211
+ cneg x6, x6, ge
2212
+ csel x4, x5, x4, ge
2213
+ add x5, x5, x6
2214
+ add x1, x1, #0x2
2215
+ tst x5, #0x2
2216
+ asr x5, x5, #1
2217
+ csel x6, x4, xzr, ne
2218
+ ccmp x1, xzr, #0x8, ne
2219
+ cneg x1, x1, ge
2220
+ cneg x6, x6, ge
2221
+ csel x4, x5, x4, ge
2222
+ add x5, x5, x6
2223
+ add x1, x1, #0x2
2224
+ tst x5, #0x2
2225
+ asr x5, x5, #1
2226
+ csel x6, x4, xzr, ne
2227
+ ccmp x1, xzr, #0x8, ne
2228
+ cneg x1, x1, ge
2229
+ cneg x6, x6, ge
2230
+ csel x4, x5, x4, ge
2231
+ add x5, x5, x6
2232
+ add x1, x1, #0x2
2233
+ tst x5, #0x2
2234
+ asr x5, x5, #1
2235
+ csel x6, x4, xzr, ne
2236
+ ccmp x1, xzr, #0x8, ne
2237
+ cneg x1, x1, ge
2238
+ cneg x6, x6, ge
2239
+ csel x4, x5, x4, ge
2240
+ add x5, x5, x6
2241
+ add x1, x1, #0x2
2242
+ tst x5, #0x2
2243
+ asr x5, x5, #1
2244
+ csel x6, x4, xzr, ne
2245
+ ccmp x1, xzr, #0x8, ne
2246
+ cneg x1, x1, ge
2247
+ cneg x6, x6, ge
2248
+ csel x4, x5, x4, ge
2249
+ add x5, x5, x6
2250
+ add x1, x1, #0x2
2251
+ tst x5, #0x2
2252
+ asr x5, x5, #1
2253
+ csel x6, x4, xzr, ne
2254
+ ccmp x1, xzr, #0x8, ne
2255
+ cneg x1, x1, ge
2256
+ cneg x6, x6, ge
2257
+ csel x4, x5, x4, ge
2258
+ add x5, x5, x6
2259
+ add x1, x1, #0x2
2260
+ tst x5, #0x2
2261
+ asr x5, x5, #1
2262
+ csel x6, x4, xzr, ne
2263
+ ccmp x1, xzr, #0x8, ne
2264
+ cneg x1, x1, ge
2265
+ cneg x6, x6, ge
2266
+ csel x4, x5, x4, ge
2267
+ add x5, x5, x6
2268
+ add x1, x1, #0x2
2269
+ tst x5, #0x2
2270
+ asr x5, x5, #1
2271
+ csel x6, x4, xzr, ne
2272
+ ccmp x1, xzr, #0x8, ne
2273
+ cneg x1, x1, ge
2274
+ cneg x6, x6, ge
2275
+ csel x4, x5, x4, ge
2276
+ add x5, x5, x6
2277
+ add x1, x1, #0x2
2278
+ tst x5, #0x2
2279
+ asr x5, x5, #1
2280
+ csel x6, x4, xzr, ne
2281
+ ccmp x1, xzr, #0x8, ne
2282
+ cneg x1, x1, ge
2283
+ cneg x6, x6, ge
2284
+ csel x4, x5, x4, ge
2285
+ add x5, x5, x6
2286
+ add x1, x1, #0x2
2287
+ tst x5, #0x2
2288
+ asr x5, x5, #1
2289
+ csel x6, x4, xzr, ne
2290
+ ccmp x1, xzr, #0x8, ne
2291
+ cneg x1, x1, ge
2292
+ cneg x6, x6, ge
2293
+ csel x4, x5, x4, ge
2294
+ add x5, x5, x6
2295
+ add x1, x1, #0x2
2296
+ tst x5, #0x2
2297
+ asr x5, x5, #1
2298
+ csel x6, x4, xzr, ne
2299
+ ccmp x1, xzr, #0x8, ne
2300
+ cneg x1, x1, ge
2301
+ cneg x6, x6, ge
2302
+ csel x4, x5, x4, ge
2303
+ add x5, x5, x6
2304
+ add x1, x1, #0x2
2305
+ tst x5, #0x2
2306
+ asr x5, x5, #1
2307
+ csel x6, x4, xzr, ne
2308
+ ccmp x1, xzr, #0x8, ne
2309
+ cneg x1, x1, ge
2310
+ cneg x6, x6, ge
2311
+ csel x4, x5, x4, ge
2312
+ add x5, x5, x6
2313
+ add x1, x1, #0x2
2314
+ tst x5, #0x2
2315
+ asr x5, x5, #1
2316
+ csel x6, x4, xzr, ne
2317
+ ccmp x1, xzr, #0x8, ne
2318
+ cneg x1, x1, ge
2319
+ cneg x6, x6, ge
2320
+ csel x4, x5, x4, ge
2321
+ add x5, x5, x6
2322
+ add x1, x1, #0x2
2323
+ tst x5, #0x2
2324
+ asr x5, x5, #1
2325
+ csel x6, x4, xzr, ne
2326
+ ccmp x1, xzr, #0x8, ne
2327
+ cneg x1, x1, ge
2328
+ cneg x6, x6, ge
2329
+ csel x4, x5, x4, ge
2330
+ add x5, x5, x6
2331
+ add x1, x1, #0x2
2332
+ tst x5, #0x2
2333
+ asr x5, x5, #1
2334
+ csel x6, x4, xzr, ne
2335
+ ccmp x1, xzr, #0x8, ne
2336
+ cneg x1, x1, ge
2337
+ cneg x6, x6, ge
2338
+ csel x4, x5, x4, ge
2339
+ add x5, x5, x6
2340
+ add x1, x1, #0x2
2341
+ tst x5, #0x2
2342
+ asr x5, x5, #1
2343
+ csel x6, x4, xzr, ne
2344
+ ccmp x1, xzr, #0x8, ne
2345
+ cneg x1, x1, ge
2346
+ cneg x6, x6, ge
2347
+ csel x4, x5, x4, ge
2348
+ add x5, x5, x6
2349
+ add x1, x1, #0x2
2350
+ tst x5, #0x2
2351
+ asr x5, x5, #1
2352
+ csel x6, x4, xzr, ne
2353
+ ccmp x1, xzr, #0x8, ne
2354
+ cneg x1, x1, ge
2355
+ cneg x6, x6, ge
2356
+ csel x4, x5, x4, ge
2357
+ add x5, x5, x6
2358
+ add x1, x1, #0x2
2359
+ tst x5, #0x2
2360
+ asr x5, x5, #1
2361
+ csel x6, x4, xzr, ne
2362
+ ccmp x1, xzr, #0x8, ne
2363
+ cneg x1, x1, ge
2364
+ cneg x6, x6, ge
2365
+ csel x4, x5, x4, ge
2366
+ add x5, x5, x6
2367
+ add x1, x1, #0x2
2368
+ tst x5, #0x2
2369
+ asr x5, x5, #1
2370
+ csel x6, x4, xzr, ne
2371
+ ccmp x1, xzr, #0x8, ne
2372
+ cneg x1, x1, ge
2373
+ cneg x6, x6, ge
2374
+ csel x4, x5, x4, ge
2375
+ add x5, x5, x6
2376
+ add x1, x1, #0x2
2377
+ tst x5, #0x2
2378
+ asr x5, x5, #1
2379
+ csel x6, x4, xzr, ne
2380
+ ccmp x1, xzr, #0x8, ne
2381
+ cneg x1, x1, ge
2382
+ cneg x6, x6, ge
2383
+ csel x4, x5, x4, ge
2384
+ add x5, x5, x6
2385
+ add x1, x1, #0x2
2386
+ asr x5, x5, #1
2387
+ add x8, x4, #0x100, lsl #12
2388
+ sbfx x8, x8, #21, #21
2389
+ mov x11, #0x100000
2390
+ add x11, x11, x11, lsl #21
2391
+ add x9, x4, x11
2392
+ asr x9, x9, #42
2393
+ add x10, x5, #0x100, lsl #12
2394
+ sbfx x10, x10, #21, #21
2395
+ add x11, x5, x11
2396
+ asr x11, x11, #42
2397
+ mul x6, x8, x2
2398
+ mul x7, x9, x3
2399
+ mul x2, x10, x2
2400
+ mul x3, x11, x3
2401
+ add x4, x6, x7
2402
+ add x5, x2, x3
2403
+ asr x2, x4, #20
2404
+ asr x3, x5, #20
2405
+ and x4, x2, #0xfffff
2406
+ orr x4, x4, #0xfffffe0000000000
2407
+ and x5, x3, #0xfffff
2408
+ orr x5, x5, #0xc000000000000000
2409
+ tst x5, #0x1
2410
+ csel x6, x4, xzr, ne
2411
+ ccmp x1, xzr, #0x8, ne
2412
+ cneg x1, x1, ge
2413
+ cneg x6, x6, ge
2414
+ csel x4, x5, x4, ge
2415
+ add x5, x5, x6
2416
+ add x1, x1, #0x2
2417
+ tst x5, #0x2
2418
+ asr x5, x5, #1
2419
+ csel x6, x4, xzr, ne
2420
+ ccmp x1, xzr, #0x8, ne
2421
+ cneg x1, x1, ge
2422
+ cneg x6, x6, ge
2423
+ csel x4, x5, x4, ge
2424
+ add x5, x5, x6
2425
+ add x1, x1, #0x2
2426
+ tst x5, #0x2
2427
+ asr x5, x5, #1
2428
+ csel x6, x4, xzr, ne
2429
+ ccmp x1, xzr, #0x8, ne
2430
+ cneg x1, x1, ge
2431
+ cneg x6, x6, ge
2432
+ csel x4, x5, x4, ge
2433
+ add x5, x5, x6
2434
+ add x1, x1, #0x2
2435
+ tst x5, #0x2
2436
+ asr x5, x5, #1
2437
+ csel x6, x4, xzr, ne
2438
+ ccmp x1, xzr, #0x8, ne
2439
+ cneg x1, x1, ge
2440
+ cneg x6, x6, ge
2441
+ csel x4, x5, x4, ge
2442
+ add x5, x5, x6
2443
+ add x1, x1, #0x2
2444
+ tst x5, #0x2
2445
+ asr x5, x5, #1
2446
+ csel x6, x4, xzr, ne
2447
+ ccmp x1, xzr, #0x8, ne
2448
+ cneg x1, x1, ge
2449
+ cneg x6, x6, ge
2450
+ csel x4, x5, x4, ge
2451
+ add x5, x5, x6
2452
+ add x1, x1, #0x2
2453
+ tst x5, #0x2
2454
+ asr x5, x5, #1
2455
+ csel x6, x4, xzr, ne
2456
+ ccmp x1, xzr, #0x8, ne
2457
+ cneg x1, x1, ge
2458
+ cneg x6, x6, ge
2459
+ csel x4, x5, x4, ge
2460
+ add x5, x5, x6
2461
+ add x1, x1, #0x2
2462
+ tst x5, #0x2
2463
+ asr x5, x5, #1
2464
+ csel x6, x4, xzr, ne
2465
+ ccmp x1, xzr, #0x8, ne
2466
+ cneg x1, x1, ge
2467
+ cneg x6, x6, ge
2468
+ csel x4, x5, x4, ge
2469
+ add x5, x5, x6
2470
+ add x1, x1, #0x2
2471
+ tst x5, #0x2
2472
+ asr x5, x5, #1
2473
+ csel x6, x4, xzr, ne
2474
+ ccmp x1, xzr, #0x8, ne
2475
+ cneg x1, x1, ge
2476
+ cneg x6, x6, ge
2477
+ csel x4, x5, x4, ge
2478
+ add x5, x5, x6
2479
+ add x1, x1, #0x2
2480
+ tst x5, #0x2
2481
+ asr x5, x5, #1
2482
+ csel x6, x4, xzr, ne
2483
+ ccmp x1, xzr, #0x8, ne
2484
+ cneg x1, x1, ge
2485
+ cneg x6, x6, ge
2486
+ csel x4, x5, x4, ge
2487
+ add x5, x5, x6
2488
+ add x1, x1, #0x2
2489
+ tst x5, #0x2
2490
+ asr x5, x5, #1
2491
+ csel x6, x4, xzr, ne
2492
+ ccmp x1, xzr, #0x8, ne
2493
+ cneg x1, x1, ge
2494
+ cneg x6, x6, ge
2495
+ csel x4, x5, x4, ge
2496
+ add x5, x5, x6
2497
+ add x1, x1, #0x2
2498
+ tst x5, #0x2
2499
+ asr x5, x5, #1
2500
+ csel x6, x4, xzr, ne
2501
+ ccmp x1, xzr, #0x8, ne
2502
+ cneg x1, x1, ge
2503
+ cneg x6, x6, ge
2504
+ csel x4, x5, x4, ge
2505
+ add x5, x5, x6
2506
+ add x1, x1, #0x2
2507
+ tst x5, #0x2
2508
+ asr x5, x5, #1
2509
+ csel x6, x4, xzr, ne
2510
+ ccmp x1, xzr, #0x8, ne
2511
+ cneg x1, x1, ge
2512
+ cneg x6, x6, ge
2513
+ csel x4, x5, x4, ge
2514
+ add x5, x5, x6
2515
+ add x1, x1, #0x2
2516
+ tst x5, #0x2
2517
+ asr x5, x5, #1
2518
+ csel x6, x4, xzr, ne
2519
+ ccmp x1, xzr, #0x8, ne
2520
+ cneg x1, x1, ge
2521
+ cneg x6, x6, ge
2522
+ csel x4, x5, x4, ge
2523
+ add x5, x5, x6
2524
+ add x1, x1, #0x2
2525
+ tst x5, #0x2
2526
+ asr x5, x5, #1
2527
+ csel x6, x4, xzr, ne
2528
+ ccmp x1, xzr, #0x8, ne
2529
+ cneg x1, x1, ge
2530
+ cneg x6, x6, ge
2531
+ csel x4, x5, x4, ge
2532
+ add x5, x5, x6
2533
+ add x1, x1, #0x2
2534
+ tst x5, #0x2
2535
+ asr x5, x5, #1
2536
+ csel x6, x4, xzr, ne
2537
+ ccmp x1, xzr, #0x8, ne
2538
+ cneg x1, x1, ge
2539
+ cneg x6, x6, ge
2540
+ csel x4, x5, x4, ge
2541
+ add x5, x5, x6
2542
+ add x1, x1, #0x2
2543
+ tst x5, #0x2
2544
+ asr x5, x5, #1
2545
+ csel x6, x4, xzr, ne
2546
+ ccmp x1, xzr, #0x8, ne
2547
+ cneg x1, x1, ge
2548
+ cneg x6, x6, ge
2549
+ csel x4, x5, x4, ge
2550
+ add x5, x5, x6
2551
+ add x1, x1, #0x2
2552
+ tst x5, #0x2
2553
+ asr x5, x5, #1
2554
+ csel x6, x4, xzr, ne
2555
+ ccmp x1, xzr, #0x8, ne
2556
+ cneg x1, x1, ge
2557
+ cneg x6, x6, ge
2558
+ csel x4, x5, x4, ge
2559
+ add x5, x5, x6
2560
+ add x1, x1, #0x2
2561
+ tst x5, #0x2
2562
+ asr x5, x5, #1
2563
+ csel x6, x4, xzr, ne
2564
+ ccmp x1, xzr, #0x8, ne
2565
+ cneg x1, x1, ge
2566
+ cneg x6, x6, ge
2567
+ csel x4, x5, x4, ge
2568
+ add x5, x5, x6
2569
+ add x1, x1, #0x2
2570
+ tst x5, #0x2
2571
+ asr x5, x5, #1
2572
+ csel x6, x4, xzr, ne
2573
+ ccmp x1, xzr, #0x8, ne
2574
+ cneg x1, x1, ge
2575
+ cneg x6, x6, ge
2576
+ csel x4, x5, x4, ge
2577
+ add x5, x5, x6
2578
+ add x1, x1, #0x2
2579
+ tst x5, #0x2
2580
+ asr x5, x5, #1
2581
+ csel x6, x4, xzr, ne
2582
+ ccmp x1, xzr, #0x8, ne
2583
+ cneg x1, x1, ge
2584
+ cneg x6, x6, ge
2585
+ csel x4, x5, x4, ge
2586
+ add x5, x5, x6
2587
+ add x1, x1, #0x2
2588
+ asr x5, x5, #1
2589
+ add x12, x4, #0x100, lsl #12
2590
+ sbfx x12, x12, #21, #21
2591
+ mov x15, #0x100000
2592
+ add x15, x15, x15, lsl #21
2593
+ add x13, x4, x15
2594
+ asr x13, x13, #42
2595
+ add x14, x5, #0x100, lsl #12
2596
+ sbfx x14, x14, #21, #21
2597
+ add x15, x5, x15
2598
+ asr x15, x15, #42
2599
+ mul x6, x12, x2
2600
+ mul x7, x13, x3
2601
+ mul x2, x14, x2
2602
+ mul x3, x15, x3
2603
+ add x4, x6, x7
2604
+ add x5, x2, x3
2605
+ asr x2, x4, #20
2606
+ asr x3, x5, #20
2607
+ and x4, x2, #0xfffff
2608
+ orr x4, x4, #0xfffffe0000000000
2609
+ and x5, x3, #0xfffff
2610
+ orr x5, x5, #0xc000000000000000
2611
+ tst x5, #0x1
2612
+ csel x6, x4, xzr, ne
2613
+ ccmp x1, xzr, #0x8, ne
2614
+ cneg x1, x1, ge
2615
+ cneg x6, x6, ge
2616
+ csel x4, x5, x4, ge
2617
+ add x5, x5, x6
2618
+ add x1, x1, #0x2
2619
+ tst x5, #0x2
2620
+ asr x5, x5, #1
2621
+ csel x6, x4, xzr, ne
2622
+ ccmp x1, xzr, #0x8, ne
2623
+ cneg x1, x1, ge
2624
+ cneg x6, x6, ge
2625
+ csel x4, x5, x4, ge
2626
+ add x5, x5, x6
2627
+ add x1, x1, #0x2
2628
+ tst x5, #0x2
2629
+ asr x5, x5, #1
2630
+ csel x6, x4, xzr, ne
2631
+ ccmp x1, xzr, #0x8, ne
2632
+ cneg x1, x1, ge
2633
+ cneg x6, x6, ge
2634
+ csel x4, x5, x4, ge
2635
+ add x5, x5, x6
2636
+ add x1, x1, #0x2
2637
+ tst x5, #0x2
2638
+ asr x5, x5, #1
2639
+ csel x6, x4, xzr, ne
2640
+ ccmp x1, xzr, #0x8, ne
2641
+ cneg x1, x1, ge
2642
+ cneg x6, x6, ge
2643
+ csel x4, x5, x4, ge
2644
+ add x5, x5, x6
2645
+ add x1, x1, #0x2
2646
+ tst x5, #0x2
2647
+ asr x5, x5, #1
2648
+ csel x6, x4, xzr, ne
2649
+ ccmp x1, xzr, #0x8, ne
2650
+ cneg x1, x1, ge
2651
+ cneg x6, x6, ge
2652
+ csel x4, x5, x4, ge
2653
+ add x5, x5, x6
2654
+ add x1, x1, #0x2
2655
+ tst x5, #0x2
2656
+ asr x5, x5, #1
2657
+ csel x6, x4, xzr, ne
2658
+ ccmp x1, xzr, #0x8, ne
2659
+ cneg x1, x1, ge
2660
+ cneg x6, x6, ge
2661
+ csel x4, x5, x4, ge
2662
+ add x5, x5, x6
2663
+ add x1, x1, #0x2
2664
+ tst x5, #0x2
2665
+ asr x5, x5, #1
2666
+ csel x6, x4, xzr, ne
2667
+ ccmp x1, xzr, #0x8, ne
2668
+ cneg x1, x1, ge
2669
+ cneg x6, x6, ge
2670
+ csel x4, x5, x4, ge
2671
+ add x5, x5, x6
2672
+ add x1, x1, #0x2
2673
+ tst x5, #0x2
2674
+ asr x5, x5, #1
2675
+ csel x6, x4, xzr, ne
2676
+ ccmp x1, xzr, #0x8, ne
2677
+ cneg x1, x1, ge
2678
+ cneg x6, x6, ge
2679
+ csel x4, x5, x4, ge
2680
+ add x5, x5, x6
2681
+ add x1, x1, #0x2
2682
+ tst x5, #0x2
2683
+ asr x5, x5, #1
2684
+ csel x6, x4, xzr, ne
2685
+ ccmp x1, xzr, #0x8, ne
2686
+ cneg x1, x1, ge
2687
+ cneg x6, x6, ge
2688
+ csel x4, x5, x4, ge
2689
+ add x5, x5, x6
2690
+ add x1, x1, #0x2
2691
+ tst x5, #0x2
2692
+ asr x5, x5, #1
2693
+ csel x6, x4, xzr, ne
2694
+ ccmp x1, xzr, #0x8, ne
2695
+ cneg x1, x1, ge
2696
+ cneg x6, x6, ge
2697
+ csel x4, x5, x4, ge
2698
+ add x5, x5, x6
2699
+ add x1, x1, #0x2
2700
+ tst x5, #0x2
2701
+ asr x5, x5, #1
2702
+ mul x2, x12, x8
2703
+ mul x3, x12, x9
2704
+ mul x6, x14, x8
2705
+ mul x7, x14, x9
2706
+ madd x8, x13, x10, x2
2707
+ madd x9, x13, x11, x3
2708
+ madd x16, x15, x10, x6
2709
+ madd x17, x15, x11, x7
2710
+ csel x6, x4, xzr, ne
2711
+ ccmp x1, xzr, #0x8, ne
2712
+ cneg x1, x1, ge
2713
+ cneg x6, x6, ge
2714
+ csel x4, x5, x4, ge
2715
+ add x5, x5, x6
2716
+ add x1, x1, #0x2
2717
+ tst x5, #0x2
2718
+ asr x5, x5, #1
2719
+ csel x6, x4, xzr, ne
2720
+ ccmp x1, xzr, #0x8, ne
2721
+ cneg x1, x1, ge
2722
+ cneg x6, x6, ge
2723
+ csel x4, x5, x4, ge
2724
+ add x5, x5, x6
2725
+ add x1, x1, #0x2
2726
+ tst x5, #0x2
2727
+ asr x5, x5, #1
2728
+ csel x6, x4, xzr, ne
2729
+ ccmp x1, xzr, #0x8, ne
2730
+ cneg x1, x1, ge
2731
+ cneg x6, x6, ge
2732
+ csel x4, x5, x4, ge
2733
+ add x5, x5, x6
2734
+ add x1, x1, #0x2
2735
+ tst x5, #0x2
2736
+ asr x5, x5, #1
2737
+ csel x6, x4, xzr, ne
2738
+ ccmp x1, xzr, #0x8, ne
2739
+ cneg x1, x1, ge
2740
+ cneg x6, x6, ge
2741
+ csel x4, x5, x4, ge
2742
+ add x5, x5, x6
2743
+ add x1, x1, #0x2
2744
+ tst x5, #0x2
2745
+ asr x5, x5, #1
2746
+ csel x6, x4, xzr, ne
2747
+ ccmp x1, xzr, #0x8, ne
2748
+ cneg x1, x1, ge
2749
+ cneg x6, x6, ge
2750
+ csel x4, x5, x4, ge
2751
+ add x5, x5, x6
2752
+ add x1, x1, #0x2
2753
+ tst x5, #0x2
2754
+ asr x5, x5, #1
2755
+ csel x6, x4, xzr, ne
2756
+ ccmp x1, xzr, #0x8, ne
2757
+ cneg x1, x1, ge
2758
+ cneg x6, x6, ge
2759
+ csel x4, x5, x4, ge
2760
+ add x5, x5, x6
2761
+ add x1, x1, #0x2
2762
+ tst x5, #0x2
2763
+ asr x5, x5, #1
2764
+ csel x6, x4, xzr, ne
2765
+ ccmp x1, xzr, #0x8, ne
2766
+ cneg x1, x1, ge
2767
+ cneg x6, x6, ge
2768
+ csel x4, x5, x4, ge
2769
+ add x5, x5, x6
2770
+ add x1, x1, #0x2
2771
+ tst x5, #0x2
2772
+ asr x5, x5, #1
2773
+ csel x6, x4, xzr, ne
2774
+ ccmp x1, xzr, #0x8, ne
2775
+ cneg x1, x1, ge
2776
+ cneg x6, x6, ge
2777
+ csel x4, x5, x4, ge
2778
+ add x5, x5, x6
2779
+ add x1, x1, #0x2
2780
+ tst x5, #0x2
2781
+ asr x5, x5, #1
2782
+ csel x6, x4, xzr, ne
2783
+ ccmp x1, xzr, #0x8, ne
2784
+ cneg x1, x1, ge
2785
+ cneg x6, x6, ge
2786
+ csel x4, x5, x4, ge
2787
+ add x5, x5, x6
2788
+ add x1, x1, #0x2
2789
+ asr x5, x5, #1
2790
+ add x12, x4, #0x100, lsl #12
2791
+ sbfx x12, x12, #22, #21
2792
+ mov x15, #0x100000
2793
+ add x15, x15, x15, lsl #21
2794
+ add x13, x4, x15
2795
+ asr x13, x13, #43
2796
+ add x14, x5, #0x100, lsl #12
2797
+ sbfx x14, x14, #22, #21
2798
+ add x15, x5, x15
2799
+ asr x15, x15, #43
2800
+ mneg x2, x12, x8
2801
+ mneg x3, x12, x9
2802
+ mneg x4, x14, x8
2803
+ mneg x5, x14, x9
2804
+ msub x10, x13, x16, x2
2805
+ msub x11, x13, x17, x3
2806
+ msub x12, x15, x16, x4
2807
+ msub x13, x15, x17, x5
2808
+ mov x22, x1
2809
+ subs x21, x21, #0x1
2810
+ b.ne edwards25519_scalarmuldouble_invloop
2811
+ ldr x0, [sp]
2812
+ ldr x1, [sp, #32]
2813
+ mul x0, x0, x10
2814
+ madd x1, x1, x11, x0
2815
+ asr x0, x1, #63
2816
+ cmp x10, xzr
2817
+ csetm x14, mi
2818
+ cneg x10, x10, mi
2819
+ eor x14, x14, x0
2820
+ cmp x11, xzr
2821
+ csetm x15, mi
2822
+ cneg x11, x11, mi
2823
+ eor x15, x15, x0
2824
+ cmp x12, xzr
2825
+ csetm x16, mi
2826
+ cneg x12, x12, mi
2827
+ eor x16, x16, x0
2828
+ cmp x13, xzr
2829
+ csetm x17, mi
2830
+ cneg x13, x13, mi
2831
+ eor x17, x17, x0
2832
+ and x0, x10, x14
2833
+ and x1, x11, x15
2834
+ add x9, x0, x1
2835
+ ldr x7, [sp, #64]
2836
+ eor x1, x7, x14
2837
+ mul x0, x1, x10
2838
+ umulh x1, x1, x10
2839
+ adds x4, x9, x0
2840
+ adc x2, xzr, x1
2841
+ ldr x8, [sp, #96]
2842
+ eor x1, x8, x15
2843
+ mul x0, x1, x11
2844
+ umulh x1, x1, x11
2845
+ adds x4, x4, x0
2846
+ str x4, [sp, #64]
2847
+ adc x2, x2, x1
2848
+ ldr x7, [sp, #72]
2849
+ eor x1, x7, x14
2850
+ mul x0, x1, x10
2851
+ umulh x1, x1, x10
2852
+ adds x2, x2, x0
2853
+ adc x6, xzr, x1
2854
+ ldr x8, [sp, #104]
2855
+ eor x1, x8, x15
2856
+ mul x0, x1, x11
2857
+ umulh x1, x1, x11
2858
+ adds x2, x2, x0
2859
+ str x2, [sp, #72]
2860
+ adc x6, x6, x1
2861
+ ldr x7, [sp, #80]
2862
+ eor x1, x7, x14
2863
+ mul x0, x1, x10
2864
+ umulh x1, x1, x10
2865
+ adds x6, x6, x0
2866
+ adc x5, xzr, x1
2867
+ ldr x8, [sp, #112]
2868
+ eor x1, x8, x15
2869
+ mul x0, x1, x11
2870
+ umulh x1, x1, x11
2871
+ adds x6, x6, x0
2872
+ str x6, [sp, #80]
2873
+ adc x5, x5, x1
2874
+ ldr x7, [sp, #88]
2875
+ eor x1, x7, x14
2876
+ and x3, x14, x10
2877
+ neg x3, x3
2878
+ mul x0, x1, x10
2879
+ umulh x1, x1, x10
2880
+ adds x5, x5, x0
2881
+ adc x3, x3, x1
2882
+ ldr x8, [sp, #120]
2883
+ eor x1, x8, x15
2884
+ and x0, x15, x11
2885
+ sub x3, x3, x0
2886
+ mul x0, x1, x11
2887
+ umulh x1, x1, x11
2888
+ adds x5, x5, x0
2889
+ adc x3, x3, x1
2890
+ extr x6, x3, x5, #63
2891
+ ldp x0, x1, [sp, #64]
2892
+ tst x3, x3
2893
+ cinc x6, x6, pl
2894
+ mov x3, #0x13
2895
+ mul x4, x6, x3
2896
+ add x5, x5, x6, lsl #63
2897
+ smulh x6, x6, x3
2898
+ ldr x2, [sp, #80]
2899
+ adds x0, x0, x4
2900
+ adcs x1, x1, x6
2901
+ asr x6, x6, #63
2902
+ adcs x2, x2, x6
2903
+ adcs x5, x5, x6
2904
+ csel x3, x3, xzr, mi
2905
+ subs x0, x0, x3
2906
+ sbcs x1, x1, xzr
2907
+ sbcs x2, x2, xzr
2908
+ sbc x5, x5, xzr
2909
+ and x5, x5, #0x7fffffffffffffff
2910
+ mov x4, x20
2911
+ stp x0, x1, [x4]
2912
+ stp x2, x5, [x4, #16]
2913
+
2914
+ // Store result. Note that these are the only reductions mod 2^255-19
2915
+
2916
+ mov p0, res
2917
+ add p1, acc
2918
+ add p2, tabent
2919
+ mul_p25519(x_0,x_1,x_2)
2920
+
2921
+ add p0, res, #32
2922
+ add p1, acc+32
2923
+ add p2, tabent
2924
+ mul_p25519(x_0,x_1,x_2)
2925
+
2926
+ // Restore stack and registers
2927
+
2928
+ add sp, sp, #NSPACE
2929
+ ldp x25, x30, [sp], 16
2930
+ ldp x23, x24, [sp], 16
2931
+ ldp x21, x22, [sp], 16
2932
+ ldp x19, x20, [sp], 16
2933
+
2934
+ ret
2935
+
2936
+ // ****************************************************************************
2937
+ // Localized versions of subroutines.
2938
+ // These are close to the standalone functions "edwards25519_epdouble" etc.,
2939
+ // but are only maintaining reduction modulo 2^256 - 38, not 2^255 - 19.
2940
+ // ****************************************************************************
2941
+
2942
+ edwards25519_scalarmuldouble_epdouble:
2943
+ sub sp, sp, #(5*NUMSIZE)
2944
+ add_twice4(t0,x_1,y_1)
2945
+ sqr_4(t1,z_1)
2946
+ sqr_4(t2,x_1)
2947
+ sqr_4(t3,y_1)
2948
+ double_twice4(t1,t1)
2949
+ sqr_4(t0,t0)
2950
+ add_twice4(t4,t2,t3)
2951
+ sub_twice4(t2,t2,t3)
2952
+ add_twice4(t3,t1,t2)
2953
+ sub_twice4(t1,t4,t0)
2954
+ mul_4(y_0,t2,t4)
2955
+ mul_4(z_0,t3,t2)
2956
+ mul_4(w_0,t1,t4)
2957
+ mul_4(x_0,t1,t3)
2958
+ add sp, sp, #(5*NUMSIZE)
2959
+ ret
2960
+
2961
+ edwards25519_scalarmuldouble_pdouble:
2962
+ sub sp, sp, #(5*NUMSIZE)
2963
+ add_twice4(t0,x_1,y_1)
2964
+ sqr_4(t1,z_1)
2965
+ sqr_4(t2,x_1)
2966
+ sqr_4(t3,y_1)
2967
+ double_twice4(t1,t1)
2968
+ sqr_4(t0,t0)
2969
+ add_twice4(t4,t2,t3)
2970
+ sub_twice4(t2,t2,t3)
2971
+ add_twice4(t3,t1,t2)
2972
+ sub_twice4(t1,t4,t0)
2973
+ mul_4(y_0,t2,t4)
2974
+ mul_4(z_0,t3,t2)
2975
+ mul_4(x_0,t1,t3)
2976
+ add sp, sp, #(5*NUMSIZE)
2977
+ ret
2978
+
2979
+ edwards25519_scalarmuldouble_epadd:
2980
+ sub sp, sp, #(6*NUMSIZE)
2981
+ mul_4(t0,w_1,w_2)
2982
+ sub_twice4(t1,y_1,x_1)
2983
+ sub_twice4(t2,y_2,x_2)
2984
+ add_twice4(t3,y_1,x_1)
2985
+ add_twice4(t4,y_2,x_2)
2986
+ double_twice4(t5,z_2)
2987
+ mul_4(t1,t1,t2)
2988
+ mul_4(t3,t3,t4)
2989
+ load_k25519(t2)
2990
+ mul_4(t2,t2,t0)
2991
+ mul_4(t4,z_1,t5)
2992
+ sub_twice4(t0,t3,t1)
2993
+ add_twice4(t5,t3,t1)
2994
+ sub_twice4(t1,t4,t2)
2995
+ add_twice4(t3,t4,t2)
2996
+ mul_4(w_0,t0,t5)
2997
+ mul_4(x_0,t0,t1)
2998
+ mul_4(y_0,t3,t5)
2999
+ mul_4(z_0,t1,t3)
3000
+ add sp, sp, #(6*NUMSIZE)
3001
+ ret
3002
+
3003
+ edwards25519_scalarmuldouble_pepadd:
3004
+ sub sp, sp, #(6*NUMSIZE)
3005
+ double_twice4(t0,z_1);
3006
+ sub_twice4(t1,y_1,x_1);
3007
+ add_twice4(t2,y_1,x_1);
3008
+ mul_4(t3,w_1,z_2);
3009
+ mul_4(t1,t1,x_2);
3010
+ mul_4(t2,t2,y_2);
3011
+ sub_twice4(t4,t0,t3);
3012
+ add_twice4(t0,t0,t3);
3013
+ sub_twice4(t5,t2,t1);
3014
+ add_twice4(t1,t2,t1);
3015
+ mul_4(z_0,t4,t0);
3016
+ mul_4(x_0,t5,t4);
3017
+ mul_4(y_0,t0,t1);
3018
+ mul_4(w_0,t5,t1);
3019
+ add sp, sp, #(6*NUMSIZE)
3020
+ ret
3021
+
3022
+ // ****************************************************************************
3023
+ // The precomputed data (all read-only). This is currently part of the same
3024
+ // text section, which gives position-independent code with simple PC-relative
3025
+ // addressing. However it could be put in a separate section via something like
3026
+ //
3027
+ // .section .rodata
3028
+ // ****************************************************************************
3029
+
3030
+ // Precomputed table of multiples of generator for edwards25519
3031
+ // all in precomputed extended-projective (y-x,x+y,2*d*x*y) triples.
3032
+
3033
+ edwards25519_scalarmuldouble_table:
3034
+
3035
+ // 1 * G
3036
+
3037
+ .quad 0x9d103905d740913e
3038
+ .quad 0xfd399f05d140beb3
3039
+ .quad 0xa5c18434688f8a09
3040
+ .quad 0x44fd2f9298f81267
3041
+ .quad 0x2fbc93c6f58c3b85
3042
+ .quad 0xcf932dc6fb8c0e19
3043
+ .quad 0x270b4898643d42c2
3044
+ .quad 0x07cf9d3a33d4ba65
3045
+ .quad 0xabc91205877aaa68
3046
+ .quad 0x26d9e823ccaac49e
3047
+ .quad 0x5a1b7dcbdd43598c
3048
+ .quad 0x6f117b689f0c65a8
3049
+
3050
+ // 2 * G
3051
+
3052
+ .quad 0x8a99a56042b4d5a8
3053
+ .quad 0x8f2b810c4e60acf6
3054
+ .quad 0xe09e236bb16e37aa
3055
+ .quad 0x6bb595a669c92555
3056
+ .quad 0x9224e7fc933c71d7
3057
+ .quad 0x9f469d967a0ff5b5
3058
+ .quad 0x5aa69a65e1d60702
3059
+ .quad 0x590c063fa87d2e2e
3060
+ .quad 0x43faa8b3a59b7a5f
3061
+ .quad 0x36c16bdd5d9acf78
3062
+ .quad 0x500fa0840b3d6a31
3063
+ .quad 0x701af5b13ea50b73
3064
+
3065
+ // 3 * G
3066
+
3067
+ .quad 0x56611fe8a4fcd265
3068
+ .quad 0x3bd353fde5c1ba7d
3069
+ .quad 0x8131f31a214bd6bd
3070
+ .quad 0x2ab91587555bda62
3071
+ .quad 0xaf25b0a84cee9730
3072
+ .quad 0x025a8430e8864b8a
3073
+ .quad 0xc11b50029f016732
3074
+ .quad 0x7a164e1b9a80f8f4
3075
+ .quad 0x14ae933f0dd0d889
3076
+ .quad 0x589423221c35da62
3077
+ .quad 0xd170e5458cf2db4c
3078
+ .quad 0x5a2826af12b9b4c6
3079
+
3080
+ // 4 * G
3081
+
3082
+ .quad 0x95fe050a056818bf
3083
+ .quad 0x327e89715660faa9
3084
+ .quad 0xc3e8e3cd06a05073
3085
+ .quad 0x27933f4c7445a49a
3086
+ .quad 0x287351b98efc099f
3087
+ .quad 0x6765c6f47dfd2538
3088
+ .quad 0xca348d3dfb0a9265
3089
+ .quad 0x680e910321e58727
3090
+ .quad 0x5a13fbe9c476ff09
3091
+ .quad 0x6e9e39457b5cc172
3092
+ .quad 0x5ddbdcf9102b4494
3093
+ .quad 0x7f9d0cbf63553e2b
3094
+
3095
+ // 5 * G
3096
+
3097
+ .quad 0x7f9182c3a447d6ba
3098
+ .quad 0xd50014d14b2729b7
3099
+ .quad 0xe33cf11cb864a087
3100
+ .quad 0x154a7e73eb1b55f3
3101
+ .quad 0xa212bc4408a5bb33
3102
+ .quad 0x8d5048c3c75eed02
3103
+ .quad 0xdd1beb0c5abfec44
3104
+ .quad 0x2945ccf146e206eb
3105
+ .quad 0xbcbbdbf1812a8285
3106
+ .quad 0x270e0807d0bdd1fc
3107
+ .quad 0xb41b670b1bbda72d
3108
+ .quad 0x43aabe696b3bb69a
3109
+
3110
+ // 6 * G
3111
+
3112
+ .quad 0x499806b67b7d8ca4
3113
+ .quad 0x575be28427d22739
3114
+ .quad 0xbb085ce7204553b9
3115
+ .quad 0x38b64c41ae417884
3116
+ .quad 0x3a0ceeeb77157131
3117
+ .quad 0x9b27158900c8af88
3118
+ .quad 0x8065b668da59a736
3119
+ .quad 0x51e57bb6a2cc38bd
3120
+ .quad 0x85ac326702ea4b71
3121
+ .quad 0xbe70e00341a1bb01
3122
+ .quad 0x53e4a24b083bc144
3123
+ .quad 0x10b8e91a9f0d61e3
3124
+
3125
+ // 7 * G
3126
+
3127
+ .quad 0xba6f2c9aaa3221b1
3128
+ .quad 0x6ca021533bba23a7
3129
+ .quad 0x9dea764f92192c3a
3130
+ .quad 0x1d6edd5d2e5317e0
3131
+ .quad 0x6b1a5cd0944ea3bf
3132
+ .quad 0x7470353ab39dc0d2
3133
+ .quad 0x71b2528228542e49
3134
+ .quad 0x461bea69283c927e
3135
+ .quad 0xf1836dc801b8b3a2
3136
+ .quad 0xb3035f47053ea49a
3137
+ .quad 0x529c41ba5877adf3
3138
+ .quad 0x7a9fbb1c6a0f90a7
3139
+
3140
+ // 8 * G
3141
+
3142
+ .quad 0xe2a75dedf39234d9
3143
+ .quad 0x963d7680e1b558f9
3144
+ .quad 0x2c2741ac6e3c23fb
3145
+ .quad 0x3a9024a1320e01c3
3146
+ .quad 0x59b7596604dd3e8f
3147
+ .quad 0x6cb30377e288702c
3148
+ .quad 0xb1339c665ed9c323
3149
+ .quad 0x0915e76061bce52f
3150
+ .quad 0xe7c1f5d9c9a2911a
3151
+ .quad 0xb8a371788bcca7d7
3152
+ .quad 0x636412190eb62a32
3153
+ .quad 0x26907c5c2ecc4e95
3154
+
3155
+ #if defined(__linux__) && defined(__ELF__)
3156
+ .section .note.GNU-stack, "", %progbits
3157
+ #endif