RubyGems - ring-native - Versions diffs - 0.0.0 - Mend

ring-native 0.0.0

Files changed (261) hide show

checksums.yaml +7 -0
data/.gitignore +9 -0
data/Gemfile +3 -0
data/README.md +22 -0
data/Rakefile +1 -0
data/ext/ring/extconf.rb +29 -0
data/lib/ring/native.rb +8 -0
data/lib/ring/native/version.rb +5 -0
data/ring-native.gemspec +25 -0
data/vendor/ring/BUILDING.md +40 -0
data/vendor/ring/Cargo.toml +43 -0
data/vendor/ring/LICENSE +185 -0
data/vendor/ring/Makefile +35 -0
data/vendor/ring/PORTING.md +163 -0
data/vendor/ring/README.md +113 -0
data/vendor/ring/STYLE.md +197 -0
data/vendor/ring/appveyor.yml +27 -0
data/vendor/ring/build.rs +108 -0
data/vendor/ring/crypto/aes/aes.c +1142 -0
data/vendor/ring/crypto/aes/aes_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/aes/aes_test.cc +93 -0
data/vendor/ring/crypto/aes/asm/aes-586.pl +2368 -0
data/vendor/ring/crypto/aes/asm/aes-armv4.pl +1249 -0
data/vendor/ring/crypto/aes/asm/aes-x86_64.pl +2246 -0
data/vendor/ring/crypto/aes/asm/aesni-x86.pl +1318 -0
data/vendor/ring/crypto/aes/asm/aesni-x86_64.pl +2084 -0
data/vendor/ring/crypto/aes/asm/aesv8-armx.pl +675 -0
data/vendor/ring/crypto/aes/asm/bsaes-armv7.pl +1364 -0
data/vendor/ring/crypto/aes/asm/bsaes-x86_64.pl +1565 -0
data/vendor/ring/crypto/aes/asm/vpaes-x86.pl +841 -0
data/vendor/ring/crypto/aes/asm/vpaes-x86_64.pl +1116 -0
data/vendor/ring/crypto/aes/internal.h +87 -0
data/vendor/ring/crypto/aes/mode_wrappers.c +61 -0
data/vendor/ring/crypto/bn/add.c +394 -0
data/vendor/ring/crypto/bn/asm/armv4-mont.pl +694 -0
data/vendor/ring/crypto/bn/asm/armv8-mont.pl +1503 -0
data/vendor/ring/crypto/bn/asm/bn-586.pl +774 -0
data/vendor/ring/crypto/bn/asm/co-586.pl +287 -0
data/vendor/ring/crypto/bn/asm/rsaz-avx2.pl +1882 -0
data/vendor/ring/crypto/bn/asm/x86-mont.pl +592 -0
data/vendor/ring/crypto/bn/asm/x86_64-gcc.c +599 -0
data/vendor/ring/crypto/bn/asm/x86_64-mont.pl +1393 -0
data/vendor/ring/crypto/bn/asm/x86_64-mont5.pl +3507 -0
data/vendor/ring/crypto/bn/bn.c +352 -0
data/vendor/ring/crypto/bn/bn_asn1.c +74 -0
data/vendor/ring/crypto/bn/bn_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/bn/bn_test.cc +1696 -0
data/vendor/ring/crypto/bn/cmp.c +200 -0
data/vendor/ring/crypto/bn/convert.c +433 -0
data/vendor/ring/crypto/bn/ctx.c +311 -0
data/vendor/ring/crypto/bn/div.c +594 -0
data/vendor/ring/crypto/bn/exponentiation.c +1335 -0
data/vendor/ring/crypto/bn/gcd.c +711 -0
data/vendor/ring/crypto/bn/generic.c +1019 -0
data/vendor/ring/crypto/bn/internal.h +316 -0
data/vendor/ring/crypto/bn/montgomery.c +516 -0
data/vendor/ring/crypto/bn/mul.c +888 -0
data/vendor/ring/crypto/bn/prime.c +829 -0
data/vendor/ring/crypto/bn/random.c +334 -0
data/vendor/ring/crypto/bn/rsaz_exp.c +262 -0
data/vendor/ring/crypto/bn/rsaz_exp.h +53 -0
data/vendor/ring/crypto/bn/shift.c +276 -0
data/vendor/ring/crypto/bytestring/bytestring_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/bytestring/bytestring_test.cc +421 -0
data/vendor/ring/crypto/bytestring/cbb.c +399 -0
data/vendor/ring/crypto/bytestring/cbs.c +227 -0
data/vendor/ring/crypto/bytestring/internal.h +46 -0
data/vendor/ring/crypto/chacha/chacha_generic.c +140 -0
data/vendor/ring/crypto/chacha/chacha_vec.c +323 -0
data/vendor/ring/crypto/chacha/chacha_vec_arm.S +1447 -0
data/vendor/ring/crypto/chacha/chacha_vec_arm_generate.go +153 -0
data/vendor/ring/crypto/cipher/cipher_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/cipher/e_aes.c +390 -0
data/vendor/ring/crypto/cipher/e_chacha20poly1305.c +208 -0
data/vendor/ring/crypto/cipher/internal.h +173 -0
data/vendor/ring/crypto/cipher/test/aes_128_gcm_tests.txt +543 -0
data/vendor/ring/crypto/cipher/test/aes_128_key_wrap_tests.txt +9 -0
data/vendor/ring/crypto/cipher/test/aes_256_gcm_tests.txt +475 -0
data/vendor/ring/crypto/cipher/test/aes_256_key_wrap_tests.txt +23 -0
data/vendor/ring/crypto/cipher/test/chacha20_poly1305_old_tests.txt +422 -0
data/vendor/ring/crypto/cipher/test/chacha20_poly1305_tests.txt +484 -0
data/vendor/ring/crypto/cipher/test/cipher_test.txt +100 -0
data/vendor/ring/crypto/constant_time_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/constant_time_test.c +304 -0
data/vendor/ring/crypto/cpu-arm-asm.S +32 -0
data/vendor/ring/crypto/cpu-arm.c +199 -0
data/vendor/ring/crypto/cpu-intel.c +261 -0
data/vendor/ring/crypto/crypto.c +151 -0
data/vendor/ring/crypto/curve25519/asm/x25519-arm.S +2118 -0
data/vendor/ring/crypto/curve25519/curve25519.c +4888 -0
data/vendor/ring/crypto/curve25519/x25519_test.cc +128 -0
data/vendor/ring/crypto/digest/md32_common.h +181 -0
data/vendor/ring/crypto/ec/asm/p256-x86_64-asm.pl +2725 -0
data/vendor/ring/crypto/ec/ec.c +193 -0
data/vendor/ring/crypto/ec/ec_curves.c +61 -0
data/vendor/ring/crypto/ec/ec_key.c +228 -0
data/vendor/ring/crypto/ec/ec_montgomery.c +114 -0
data/vendor/ring/crypto/ec/example_mul.Windows.vcxproj +25 -0
data/vendor/ring/crypto/ec/internal.h +243 -0
data/vendor/ring/crypto/ec/oct.c +253 -0
data/vendor/ring/crypto/ec/p256-64.c +1794 -0
data/vendor/ring/crypto/ec/p256-x86_64-table.h +9548 -0
data/vendor/ring/crypto/ec/p256-x86_64.c +509 -0
data/vendor/ring/crypto/ec/simple.c +1007 -0
data/vendor/ring/crypto/ec/util-64.c +183 -0
data/vendor/ring/crypto/ec/wnaf.c +508 -0
data/vendor/ring/crypto/ecdh/ecdh.c +155 -0
data/vendor/ring/crypto/ecdsa/ecdsa.c +304 -0
data/vendor/ring/crypto/ecdsa/ecdsa_asn1.c +193 -0
data/vendor/ring/crypto/ecdsa/ecdsa_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/ecdsa/ecdsa_test.cc +327 -0
data/vendor/ring/crypto/header_removed.h +17 -0
data/vendor/ring/crypto/internal.h +495 -0
data/vendor/ring/crypto/libring.Windows.vcxproj +101 -0
data/vendor/ring/crypto/mem.c +98 -0
data/vendor/ring/crypto/modes/asm/aesni-gcm-x86_64.pl +1045 -0
data/vendor/ring/crypto/modes/asm/ghash-armv4.pl +517 -0
data/vendor/ring/crypto/modes/asm/ghash-x86.pl +1393 -0
data/vendor/ring/crypto/modes/asm/ghash-x86_64.pl +1741 -0
data/vendor/ring/crypto/modes/asm/ghashv8-armx.pl +422 -0
data/vendor/ring/crypto/modes/ctr.c +226 -0
data/vendor/ring/crypto/modes/gcm.c +1206 -0
data/vendor/ring/crypto/modes/gcm_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/modes/gcm_test.c +348 -0
data/vendor/ring/crypto/modes/internal.h +299 -0
data/vendor/ring/crypto/perlasm/arm-xlate.pl +170 -0
data/vendor/ring/crypto/perlasm/readme +100 -0
data/vendor/ring/crypto/perlasm/x86_64-xlate.pl +1164 -0
data/vendor/ring/crypto/perlasm/x86asm.pl +292 -0
data/vendor/ring/crypto/perlasm/x86gas.pl +263 -0
data/vendor/ring/crypto/perlasm/x86masm.pl +200 -0
data/vendor/ring/crypto/perlasm/x86nasm.pl +187 -0
data/vendor/ring/crypto/poly1305/poly1305.c +331 -0
data/vendor/ring/crypto/poly1305/poly1305_arm.c +301 -0
data/vendor/ring/crypto/poly1305/poly1305_arm_asm.S +2015 -0
data/vendor/ring/crypto/poly1305/poly1305_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/poly1305/poly1305_test.cc +80 -0
data/vendor/ring/crypto/poly1305/poly1305_test.txt +52 -0
data/vendor/ring/crypto/poly1305/poly1305_vec.c +892 -0
data/vendor/ring/crypto/rand/asm/rdrand-x86_64.pl +75 -0
data/vendor/ring/crypto/rand/internal.h +32 -0
data/vendor/ring/crypto/rand/rand.c +189 -0
data/vendor/ring/crypto/rand/urandom.c +219 -0
data/vendor/ring/crypto/rand/windows.c +56 -0
data/vendor/ring/crypto/refcount_c11.c +66 -0
data/vendor/ring/crypto/refcount_lock.c +53 -0
data/vendor/ring/crypto/refcount_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/refcount_test.c +58 -0
data/vendor/ring/crypto/rsa/blinding.c +462 -0
data/vendor/ring/crypto/rsa/internal.h +108 -0
data/vendor/ring/crypto/rsa/padding.c +300 -0
data/vendor/ring/crypto/rsa/rsa.c +450 -0
data/vendor/ring/crypto/rsa/rsa_asn1.c +261 -0
data/vendor/ring/crypto/rsa/rsa_impl.c +944 -0
data/vendor/ring/crypto/rsa/rsa_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/rsa/rsa_test.cc +437 -0
data/vendor/ring/crypto/sha/asm/sha-armv8.pl +436 -0
data/vendor/ring/crypto/sha/asm/sha-x86_64.pl +2390 -0
data/vendor/ring/crypto/sha/asm/sha256-586.pl +1275 -0
data/vendor/ring/crypto/sha/asm/sha256-armv4.pl +735 -0
data/vendor/ring/crypto/sha/asm/sha256-armv8.pl +14 -0
data/vendor/ring/crypto/sha/asm/sha256-x86_64.pl +14 -0
data/vendor/ring/crypto/sha/asm/sha512-586.pl +911 -0
data/vendor/ring/crypto/sha/asm/sha512-armv4.pl +666 -0
data/vendor/ring/crypto/sha/asm/sha512-armv8.pl +14 -0
data/vendor/ring/crypto/sha/asm/sha512-x86_64.pl +14 -0
data/vendor/ring/crypto/sha/sha1.c +271 -0
data/vendor/ring/crypto/sha/sha256.c +204 -0
data/vendor/ring/crypto/sha/sha512.c +355 -0
data/vendor/ring/crypto/test/file_test.cc +326 -0
data/vendor/ring/crypto/test/file_test.h +181 -0
data/vendor/ring/crypto/test/malloc.cc +150 -0
data/vendor/ring/crypto/test/scoped_types.h +95 -0
data/vendor/ring/crypto/test/test.Windows.vcxproj +35 -0
data/vendor/ring/crypto/test/test_util.cc +46 -0
data/vendor/ring/crypto/test/test_util.h +41 -0
data/vendor/ring/crypto/thread_none.c +55 -0
data/vendor/ring/crypto/thread_pthread.c +165 -0
data/vendor/ring/crypto/thread_test.Windows.vcxproj +25 -0
data/vendor/ring/crypto/thread_test.c +200 -0
data/vendor/ring/crypto/thread_win.c +282 -0
data/vendor/ring/examples/checkdigest.rs +103 -0
data/vendor/ring/include/openssl/aes.h +121 -0
data/vendor/ring/include/openssl/arm_arch.h +129 -0
data/vendor/ring/include/openssl/base.h +156 -0
data/vendor/ring/include/openssl/bn.h +794 -0
data/vendor/ring/include/openssl/buffer.h +18 -0
data/vendor/ring/include/openssl/bytestring.h +235 -0
data/vendor/ring/include/openssl/chacha.h +37 -0
data/vendor/ring/include/openssl/cmac.h +76 -0
data/vendor/ring/include/openssl/cpu.h +184 -0
data/vendor/ring/include/openssl/crypto.h +43 -0
data/vendor/ring/include/openssl/curve25519.h +88 -0
data/vendor/ring/include/openssl/ec.h +225 -0
data/vendor/ring/include/openssl/ec_key.h +129 -0
data/vendor/ring/include/openssl/ecdh.h +110 -0
data/vendor/ring/include/openssl/ecdsa.h +156 -0
data/vendor/ring/include/openssl/err.h +201 -0
data/vendor/ring/include/openssl/mem.h +101 -0
data/vendor/ring/include/openssl/obj_mac.h +71 -0
data/vendor/ring/include/openssl/opensslfeatures.h +68 -0
data/vendor/ring/include/openssl/opensslv.h +18 -0
data/vendor/ring/include/openssl/ossl_typ.h +18 -0
data/vendor/ring/include/openssl/poly1305.h +51 -0
data/vendor/ring/include/openssl/rand.h +70 -0
data/vendor/ring/include/openssl/rsa.h +399 -0
data/vendor/ring/include/openssl/thread.h +133 -0
data/vendor/ring/include/openssl/type_check.h +71 -0
data/vendor/ring/mk/Common.props +63 -0
data/vendor/ring/mk/Windows.props +42 -0
data/vendor/ring/mk/WindowsTest.props +18 -0
data/vendor/ring/mk/appveyor.bat +62 -0
data/vendor/ring/mk/bottom_of_makefile.mk +54 -0
data/vendor/ring/mk/ring.mk +266 -0
data/vendor/ring/mk/top_of_makefile.mk +214 -0
data/vendor/ring/mk/travis.sh +40 -0
data/vendor/ring/mk/update-travis-yml.py +229 -0
data/vendor/ring/ring.sln +153 -0
data/vendor/ring/src/aead.rs +682 -0
data/vendor/ring/src/agreement.rs +248 -0
data/vendor/ring/src/c.rs +129 -0
data/vendor/ring/src/constant_time.rs +37 -0
data/vendor/ring/src/der.rs +96 -0
data/vendor/ring/src/digest.rs +690 -0
data/vendor/ring/src/digest_tests.txt +57 -0
data/vendor/ring/src/ecc.rs +28 -0
data/vendor/ring/src/ecc_build.rs +279 -0
data/vendor/ring/src/ecc_curves.rs +117 -0
data/vendor/ring/src/ed25519_tests.txt +2579 -0
data/vendor/ring/src/exe_tests.rs +46 -0
data/vendor/ring/src/ffi.rs +29 -0
data/vendor/ring/src/file_test.rs +187 -0
data/vendor/ring/src/hkdf.rs +153 -0
data/vendor/ring/src/hkdf_tests.txt +59 -0
data/vendor/ring/src/hmac.rs +414 -0
data/vendor/ring/src/hmac_tests.txt +97 -0
data/vendor/ring/src/input.rs +312 -0
data/vendor/ring/src/lib.rs +41 -0
data/vendor/ring/src/pbkdf2.rs +265 -0
data/vendor/ring/src/pbkdf2_tests.txt +113 -0
data/vendor/ring/src/polyfill.rs +57 -0
data/vendor/ring/src/rand.rs +28 -0
data/vendor/ring/src/signature.rs +314 -0
data/vendor/ring/third-party/NIST/README.md +9 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA1LongMsg.rsp +263 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA1Monte.rsp +309 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA1ShortMsg.rsp +267 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA224LongMsg.rsp +263 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA224Monte.rsp +309 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA224ShortMsg.rsp +267 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA256LongMsg.rsp +263 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA256Monte.rsp +309 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA256ShortMsg.rsp +267 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA384LongMsg.rsp +519 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA384Monte.rsp +309 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA384ShortMsg.rsp +523 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA512LongMsg.rsp +519 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA512Monte.rsp +309 -0
data/vendor/ring/third-party/NIST/SHAVS/SHA512ShortMsg.rsp +523 -0
data/vendor/ring/third-party/NIST/sha256sums.txt +1 -0
metadata +333 -0

data/vendor/ring/crypto/aes/asm/aesv8-armx.pl ADDED

@@ -0,0 +1,675 @@
+#!/usr/bin/env perl
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
+# project. The module is, however, dual licensed under OpenSSL and
+# CRYPTOGAMS licenses depending on where you obtain it. For further
+# details see http://www.openssl.org/~appro/cryptogams/.
+# ====================================================================
+#
+# This module implements support for ARMv8 AES instructions. The
+# module is endian-agnostic in sense that it supports both big- and
+# little-endian cases. As does it support both 32- and 64-bit modes
+# of operation. Latter is achieved by limiting amount of utilized
+# registers to 16, which implies additional NEON load and integer
+# instructions. This has no effect on mighty Apple A7, where results
+# are literally equal to the theoretical estimates based on AES
+# instruction latencies and issue rates. On Cortex-A53, an in-order
+# execution core, this costs up to 10-15%, which is partially
+# compensated by implementing dedicated code path for 128-bit
+# CBC encrypt case. On Cortex-A57 parallelizable mode performance
+# seems to be limited by sheer amount of NEON instructions...
+#
+# Performance in cycles per byte processed with 128-bit key:
+#
+#		CBC enc		CBC dec		CTR
+# Apple A7	2.39		1.20		1.20
+# Cortex-A53	1.32		1.29		1.46
+# Cortex-A57(*)	1.95		0.85		0.93
+# Denver	1.96		0.86		0.80
+#
+# (*)	original 3.64/1.34/1.32 results were for r0p0 revision
+#	and are still same even for updated module;
+$flavour = shift;
+$output  = shift;
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+$prefix="aes_v8";
+$code=<<___;
+#include <openssl/arm_arch.h>
+#if __ARM_MAX_ARCH__>=7
+.text
+___
+$code.=<<___ if ($flavour =~ /64/);
+#if !defined(__clang__)
+.arch  armv8-a+crypto
+#endif
+___
+$code.=".arch	armv7-a\n.fpu	neon\n.code	32\n"	if ($flavour !~ /64/);
+		#^^^^^^ this is done to simplify adoption by not depending
+		#	on latest binutils.
+# Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
+# NEON is mostly 32-bit mnemonics, integer - mostly 64. Goal is to
+# maintain both 32- and 64-bit codes within single module and
+# transliterate common code to either flavour with regex vodoo.
+#
+{{{
+my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
+my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
+	$flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));
+$code.=<<___;
+.align	5
+.Lrcon:
+.long	0x01,0x01,0x01,0x01
+.long	0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d	// rotate-n-splat
+.long	0x1b,0x1b,0x1b,0x1b
+.globl	${prefix}_set_encrypt_key
+.type	${prefix}_set_encrypt_key,%function
+.align	5
+${prefix}_set_encrypt_key:
+.Lenc_key:
+___
+$code.=<<___	if ($flavour =~ /64/);
+	stp	x29,x30,[sp,#-16]!
+	add	x29,sp,#0
+___
+$code.=<<___;
+	mov	$ptr,#-1
+	cmp	$inp,#0
+	b.eq	.Lenc_key_abort
+	cmp	$out,#0
+	b.eq	.Lenc_key_abort
+	mov	$ptr,#-2
+	cmp	$bits,#128
+	b.lt	.Lenc_key_abort
+	cmp	$bits,#256
+	b.gt	.Lenc_key_abort
+	tst	$bits,#0x3f
+	b.ne	.Lenc_key_abort
+	adr	$ptr,.Lrcon
+	cmp	$bits,#192
+	veor	$zero,$zero,$zero
+	vld1.8	{$in0},[$inp],#16
+	mov	$bits,#8		// reuse $bits
+	vld1.32	{$rcon,$mask},[$ptr],#32
+	b.lt	.Loop128
+	b.eq	.L192
+	b	.L256
+.align	4
+.Loop128:
+	vtbl.8	$key,{$in0},$mask
+	vext.8	$tmp,$zero,$in0,#12
+	vst1.32	{$in0},[$out],#16
+	aese	$key,$zero
+	subs	$bits,$bits,#1
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	 veor	$key,$key,$rcon
+	veor	$in0,$in0,$tmp
+	vshl.u8	$rcon,$rcon,#1
+	veor	$in0,$in0,$key
+	b.ne	.Loop128
+	vld1.32	{$rcon},[$ptr]
+	vtbl.8	$key,{$in0},$mask
+	vext.8	$tmp,$zero,$in0,#12
+	vst1.32	{$in0},[$out],#16
+	aese	$key,$zero
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	 veor	$key,$key,$rcon
+	veor	$in0,$in0,$tmp
+	vshl.u8	$rcon,$rcon,#1
+	veor	$in0,$in0,$key
+	vtbl.8	$key,{$in0},$mask
+	vext.8	$tmp,$zero,$in0,#12
+	vst1.32	{$in0},[$out],#16
+	aese	$key,$zero
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	 veor	$key,$key,$rcon
+	veor	$in0,$in0,$tmp
+	veor	$in0,$in0,$key
+	vst1.32	{$in0},[$out]
+	add	$out,$out,#0x50
+	mov	$rounds,#10
+	b	.Ldone
+.align	4
+.L192:
+	vld1.8	{$in1},[$inp],#8
+	vmov.i8	$key,#8			// borrow $key
+	vst1.32	{$in0},[$out],#16
+	vsub.i8	$mask,$mask,$key	// adjust the mask
+.Loop192:
+	vtbl.8	$key,{$in1},$mask
+	vext.8	$tmp,$zero,$in0,#12
+	vst1.32	{$in1},[$out],#8
+	aese	$key,$zero
+	subs	$bits,$bits,#1
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	veor	$in0,$in0,$tmp
+	vdup.32	$tmp,${in0}[3]
+	veor	$tmp,$tmp,$in1
+	 veor	$key,$key,$rcon
+	vext.8	$in1,$zero,$in1,#12
+	vshl.u8	$rcon,$rcon,#1
+	veor	$in1,$in1,$tmp
+	veor	$in0,$in0,$key
+	veor	$in1,$in1,$key
+	vst1.32	{$in0},[$out],#16
+	b.ne	.Loop192
+	mov	$rounds,#12
+	add	$out,$out,#0x20
+	b	.Ldone
+.align	4
+.L256:
+	vld1.8	{$in1},[$inp]
+	mov	$bits,#7
+	mov	$rounds,#14
+	vst1.32	{$in0},[$out],#16
+.Loop256:
+	vtbl.8	$key,{$in1},$mask
+	vext.8	$tmp,$zero,$in0,#12
+	vst1.32	{$in1},[$out],#16
+	aese	$key,$zero
+	subs	$bits,$bits,#1
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	veor	$in0,$in0,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	 veor	$key,$key,$rcon
+	veor	$in0,$in0,$tmp
+	vshl.u8	$rcon,$rcon,#1
+	veor	$in0,$in0,$key
+	vst1.32	{$in0},[$out],#16
+	b.eq	.Ldone
+	vdup.32	$key,${in0}[3]		// just splat
+	vext.8	$tmp,$zero,$in1,#12
+	aese	$key,$zero
+	veor	$in1,$in1,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	veor	$in1,$in1,$tmp
+	vext.8	$tmp,$zero,$tmp,#12
+	veor	$in1,$in1,$tmp
+	veor	$in1,$in1,$key
+	b	.Loop256
+.Ldone:
+	str	$rounds,[$out]
+	mov	$ptr,#0
+.Lenc_key_abort:
+	mov	x0,$ptr			// return value
+	`"ldr	x29,[sp],#16"		if ($flavour =~ /64/)`
+	ret
+.size	${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
+.globl	${prefix}_set_decrypt_key
+.type	${prefix}_set_decrypt_key,%function
+.align	5
+${prefix}_set_decrypt_key:
+___
+$code.=<<___	if ($flavour =~ /64/);
+	stp	x29,x30,[sp,#-16]!
+	add	x29,sp,#0
+___
+$code.=<<___	if ($flavour !~ /64/);
+	stmdb	sp!,{r4,lr}
+___
+$code.=<<___;
+	bl	.Lenc_key
+	cmp	x0,#0
+	b.ne	.Ldec_key_abort
+	sub	$out,$out,#240		// restore original $out
+	mov	x4,#-16
+	add	$inp,$out,x12,lsl#4	// end of key schedule
+	vld1.32	{v0.16b},[$out]
+	vld1.32	{v1.16b},[$inp]
+	vst1.32	{v0.16b},[$inp],x4
+	vst1.32	{v1.16b},[$out],#16
+.Loop_imc:
+	vld1.32	{v0.16b},[$out]
+	vld1.32	{v1.16b},[$inp]
+	aesimc	v0.16b,v0.16b
+	aesimc	v1.16b,v1.16b
+	vst1.32	{v0.16b},[$inp],x4
+	vst1.32	{v1.16b},[$out],#16
+	cmp	$inp,$out
+	b.hi	.Loop_imc
+	vld1.32	{v0.16b},[$out]
+	aesimc	v0.16b,v0.16b
+	vst1.32	{v0.16b},[$inp]
+	eor	x0,x0,x0		// return value
+.Ldec_key_abort:
+___
+$code.=<<___	if ($flavour !~ /64/);
+	ldmia	sp!,{r4,pc}
+___
+$code.=<<___	if ($flavour =~ /64/);
+	ldp	x29,x30,[sp],#16
+	ret
+___
+$code.=<<___;
+.size	${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
+___
+}}}
+{{{
+sub gen_block () {
+my $dir = shift;
+my ($e,$mc) = $dir eq "en" ? ("e","mc") : ("d","imc");
+my ($inp,$out,$key)=map("x$_",(0..2));
+my $rounds="w3";
+my ($rndkey0,$rndkey1,$inout)=map("q$_",(0..3));
+$code.=<<___;
+.globl	${prefix}_${dir}crypt
+.type	${prefix}_${dir}crypt,%function
+.align	5
+${prefix}_${dir}crypt:
+	ldr	$rounds,[$key,#240]
+	vld1.32	{$rndkey0},[$key],#16
+	vld1.8	{$inout},[$inp]
+	sub	$rounds,$rounds,#2
+	vld1.32	{$rndkey1},[$key],#16
+.Loop_${dir}c:
+	aes$e	$inout,$rndkey0
+	aes$mc	$inout,$inout
+	vld1.32	{$rndkey0},[$key],#16
+	subs	$rounds,$rounds,#2
+	aes$e	$inout,$rndkey1
+	aes$mc	$inout,$inout
+	vld1.32	{$rndkey1},[$key],#16
+	b.gt	.Loop_${dir}c
+	aes$e	$inout,$rndkey0
+	aes$mc	$inout,$inout
+	vld1.32	{$rndkey0},[$key]
+	aes$e	$inout,$rndkey1
+	veor	$inout,$inout,$rndkey0
+	vst1.8	{$inout},[$out]
+	ret
+.size	${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
+___
+}
+&gen_block("en");
+&gen_block("de");
+}}}
+{{{
+my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4));
+my ($rounds,$cnt,$key_)=("w5","w6","x7");
+my ($ctr,$tctr0,$tctr1,$tctr2)=map("w$_",(8..10,12));
+my $step="x12";		# aliases with $tctr2
+my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
+my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
+my ($dat,$tmp)=($dat0,$tmp0);
+### q8-q15	preloaded key schedule
+$code.=<<___;
+.globl	${prefix}_ctr32_encrypt_blocks
+.type	${prefix}_ctr32_encrypt_blocks,%function
+.align	5
+${prefix}_ctr32_encrypt_blocks:
+___
+$code.=<<___	if ($flavour =~ /64/);
+	stp		x29,x30,[sp,#-16]!
+	add		x29,sp,#0
+___
+$code.=<<___	if ($flavour !~ /64/);
+	mov		ip,sp
+	stmdb		sp!,{r4-r10,lr}
+	vstmdb		sp!,{d8-d15}            @ ABI specification says so
+	ldr		r4, [ip]		@ load remaining arg
+___
+$code.=<<___;
+	ldr		$rounds,[$key,#240]
+	ldr		$ctr, [$ivp, #12]
+	vld1.32		{$dat0},[$ivp]
+	vld1.32		{q8-q9},[$key]		// load key schedule...
+	sub		$rounds,$rounds,#4
+	mov		$step,#16
+	cmp		$len,#2
+	add		$key_,$key,x5,lsl#4	// pointer to last 5 round keys
+	sub		$rounds,$rounds,#2
+	vld1.32		{q12-q13},[$key_],#32
+	vld1.32		{q14-q15},[$key_],#32
+	vld1.32		{$rndlast},[$key_]
+	add		$key_,$key,#32
+	mov		$cnt,$rounds
+	cclr		$step,lo
+#ifndef __ARMEB__
+	rev		$ctr, $ctr
+#endif
+	vorr		$dat1,$dat0,$dat0
+	add		$tctr1, $ctr, #1
+	vorr		$dat2,$dat0,$dat0
+	add		$ctr, $ctr, #2
+	vorr		$ivec,$dat0,$dat0
+	rev		$tctr1, $tctr1
+	vmov.32		${dat1}[3],$tctr1
+	b.ls		.Lctr32_tail
+	rev		$tctr2, $ctr
+	sub		$len,$len,#3		// bias
+	vmov.32		${dat2}[3],$tctr2
+	b		.Loop3x_ctr32
+.align	4
+.Loop3x_ctr32:
+	aese		$dat0,q8
+	aesmc		$dat0,$dat0
+	aese		$dat1,q8
+	aesmc		$dat1,$dat1
+	aese		$dat2,q8
+	aesmc		$dat2,$dat2
+	vld1.32		{q8},[$key_],#16
+	subs		$cnt,$cnt,#2
+	aese		$dat0,q9
+	aesmc		$dat0,$dat0
+	aese		$dat1,q9
+	aesmc		$dat1,$dat1
+	aese		$dat2,q9
+	aesmc		$dat2,$dat2
+	vld1.32		{q9},[$key_],#16
+	b.gt		.Loop3x_ctr32
+	aese		$dat0,q8
+	aesmc		$tmp0,$dat0
+	aese		$dat1,q8
+	aesmc		$tmp1,$dat1
+	 vld1.8		{$in0},[$inp],#16
+	 vorr		$dat0,$ivec,$ivec
+	aese		$dat2,q8
+	aesmc		$dat2,$dat2
+	 vld1.8		{$in1},[$inp],#16
+	 vorr		$dat1,$ivec,$ivec
+	aese		$tmp0,q9
+	aesmc		$tmp0,$tmp0
+	aese		$tmp1,q9
+	aesmc		$tmp1,$tmp1
+	 vld1.8		{$in2},[$inp],#16
+	 mov		$key_,$key
+	aese		$dat2,q9
+	aesmc		$tmp2,$dat2
+	 vorr		$dat2,$ivec,$ivec
+	 add		$tctr0,$ctr,#1
+	aese		$tmp0,q12
+	aesmc		$tmp0,$tmp0
+	aese		$tmp1,q12
+	aesmc		$tmp1,$tmp1
+	 veor		$in0,$in0,$rndlast
+	 add		$tctr1,$ctr,#2
+	aese		$tmp2,q12
+	aesmc		$tmp2,$tmp2
+	 veor		$in1,$in1,$rndlast
+	 add		$ctr,$ctr,#3
+	aese		$tmp0,q13
+	aesmc		$tmp0,$tmp0
+	aese		$tmp1,q13
+	aesmc		$tmp1,$tmp1
+	 veor		$in2,$in2,$rndlast
+	 rev		$tctr0,$tctr0
+	aese		$tmp2,q13
+	aesmc		$tmp2,$tmp2
+	 vmov.32	${dat0}[3], $tctr0
+	 rev		$tctr1,$tctr1
+	aese		$tmp0,q14
+	aesmc		$tmp0,$tmp0
+	aese		$tmp1,q14
+	aesmc		$tmp1,$tmp1
+	 vmov.32	${dat1}[3], $tctr1
+	 rev		$tctr2,$ctr
+	aese		$tmp2,q14
+	aesmc		$tmp2,$tmp2
+	 vmov.32	${dat2}[3], $tctr2
+	 subs		$len,$len,#3
+	aese		$tmp0,q15
+	aese		$tmp1,q15
+	aese		$tmp2,q15
+	veor		$in0,$in0,$tmp0
+	 vld1.32	 {q8},[$key_],#16	// re-pre-load rndkey[0]
+	vst1.8		{$in0},[$out],#16
+	veor		$in1,$in1,$tmp1
+	 mov		$cnt,$rounds
+	vst1.8		{$in1},[$out],#16
+	veor		$in2,$in2,$tmp2
+	 vld1.32	 {q9},[$key_],#16	// re-pre-load rndkey[1]
+	vst1.8		{$in2},[$out],#16
+	b.hs		.Loop3x_ctr32
+	adds		$len,$len,#3
+	b.eq		.Lctr32_done
+	cmp		$len,#1
+	mov		$step,#16
+	cclr		$step,eq
+.Lctr32_tail:
+	aese		$dat0,q8
+	aesmc		$dat0,$dat0
+	aese		$dat1,q8
+	aesmc		$dat1,$dat1
+	vld1.32		{q8},[$key_],#16
+	subs		$cnt,$cnt,#2
+	aese		$dat0,q9
+	aesmc		$dat0,$dat0
+	aese		$dat1,q9
+	aesmc		$dat1,$dat1
+	vld1.32		{q9},[$key_],#16
+	b.gt		.Lctr32_tail
+	aese		$dat0,q8
+	aesmc		$dat0,$dat0
+	aese		$dat1,q8
+	aesmc		$dat1,$dat1
+	aese		$dat0,q9
+	aesmc		$dat0,$dat0
+	aese		$dat1,q9
+	aesmc		$dat1,$dat1
+	 vld1.8		{$in0},[$inp],$step
+	aese		$dat0,q12
+	aesmc		$dat0,$dat0
+	aese		$dat1,q12
+	aesmc		$dat1,$dat1
+	 vld1.8		{$in1},[$inp]
+	aese		$dat0,q13
+	aesmc		$dat0,$dat0
+	aese		$dat1,q13
+	aesmc		$dat1,$dat1
+	 veor		$in0,$in0,$rndlast
+	aese		$dat0,q14
+	aesmc		$dat0,$dat0
+	aese		$dat1,q14
+	aesmc		$dat1,$dat1
+	 veor		$in1,$in1,$rndlast
+	aese		$dat0,q15
+	aese		$dat1,q15
+	cmp		$len,#1
+	veor		$in0,$in0,$dat0
+	veor		$in1,$in1,$dat1
+	vst1.8		{$in0},[$out],#16
+	b.eq		.Lctr32_done
+	vst1.8		{$in1},[$out]
+.Lctr32_done:
+___
+$code.=<<___	if ($flavour !~ /64/);
+	vldmia		sp!,{d8-d15}
+	ldmia		sp!,{r4-r10,pc}
+___
+$code.=<<___	if ($flavour =~ /64/);
+	ldr		x29,[sp],#16
+	ret
+___
+$code.=<<___;
+.size	${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
+___
+}}}
+$code.=<<___;
+#endif
+___
+########################################
+if ($flavour =~ /64/) {			######## 64-bit code
+    my %opcode = (
+	"aesd"	=>	0x4e285800,	"aese"	=>	0x4e284800,
+	"aesimc"=>	0x4e287800,	"aesmc"	=>	0x4e286800	);
+    local *unaes = sub {
+	my ($mnemonic,$arg)=@_;
+	$arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o	&&
+	sprintf ".inst\t0x%08x\t//%s %s",
+			$opcode{$mnemonic}|$1|($2<<5),
+			$mnemonic,$arg;
+    };
+    foreach(split("\n",$code)) {
+	s/\`([^\`]*)\`/eval($1)/geo;
+	s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo;	# old->new registers
+	s/@\s/\/\//o;			# old->new style commentary
+	#s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo	or
+	s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel	$1$2,$1zr,$1$2,$3/o	or
+	s/mov\.([a-z]+)\s+([wx][0-9]+),\s*([wx][0-9]+)/csel	$2,$3,$2,$1/o	or
+	s/vmov\.i8/movi/o	or	# fix up legacy mnemonics
+	s/vext\.8/ext/o		or
+	s/vrev32\.8/rev32/o	or
+	s/vtst\.8/cmtst/o	or
+	s/vshr/ushr/o		or
+	s/^(\s+)v/$1/o		or	# strip off v prefix
+	s/\bbx\s+lr\b/ret/o;
+	# fix up remainig legacy suffixes
+	s/\.[ui]?8//o;
+	m/\],#8/o and s/\.16b/\.8b/go;
+	s/\.[ui]?32//o and s/\.16b/\.4s/go;
+	s/\.[ui]?64//o and s/\.16b/\.2d/go;
+	s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
+	print $_,"\n";
+    }
+} else {				######## 32-bit code
+    my %opcode = (
+	"aesd"	=>	0xf3b00340,	"aese"	=>	0xf3b00300,
+	"aesimc"=>	0xf3b003c0,	"aesmc"	=>	0xf3b00380	);
+    local *unaes = sub {
+	my ($mnemonic,$arg)=@_;
+	if ($arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o) {
+	    my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
+					 |(($2&7)<<1) |(($2&8)<<2);
+	    # since ARMv7 instructions are always encoded little-endian.
+	    # correct solution is to use .inst directive, but older
+	    # assemblers don't implement it:-(
+	    sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
+			$word&0xff,($word>>8)&0xff,
+			($word>>16)&0xff,($word>>24)&0xff,
+			$mnemonic,$arg;
+	}
+    };
+    sub unvtbl {
+	my $arg=shift;
+	$arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
+	sprintf	"vtbl.8	d%d,{q%d},d%d\n\t".
+		"vtbl.8	d%d,{q%d},d%d", 2*$1,$2,2*$3, 2*$1+1,$2,2*$3+1;
+    }
+    sub unvdup32 {
+	my $arg=shift;
+	$arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
+	sprintf	"vdup.32	q%d,d%d[%d]",$1,2*$2+($3>>1),$3&1;
+    }
+    sub unvmov32 {
+	my $arg=shift;
+	$arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
+	sprintf	"vmov.32	d%d[%d],%s",2*$1+($2>>1),$2&1,$3;
+    }
+    foreach(split("\n",$code)) {
+	s/\`([^\`]*)\`/eval($1)/geo;
+	s/\b[wx]([0-9]+)\b/r$1/go;		# new->old registers
+	s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go;	# new->old registers
+	s/\/\/\s?/@ /o;				# new->old style commentary
+	# fix up remainig new-style suffixes
+	s/\{q([0-9]+)\},\s*\[(.+)\],#8/sprintf "{d%d},[$2]!",2*$1/eo	or
+	s/\],#[0-9]+/]!/o;
+	s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo	or
+	s/cclr\s+([^,]+),\s*([a-z]+)/mov$2	$1,#0/o	or
+	s/vtbl\.8\s+(.*)/unvtbl($1)/geo			or
+	s/vdup\.32\s+(.*)/unvdup32($1)/geo		or
+	s/vmov\.32\s+(.*)/unvmov32($1)/geo		or
+	s/^(\s+)b\./$1b/o				or
+	s/^(\s+)mov\./$1mov/o				or
+	s/^(\s+)ret/$1bx\tlr/o;
+	print $_,"\n";
+    }
+}
+close STDOUT;