• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* AesOpt.c -- AES optimized code for x86 AES hardware instructions
2 2021-04-01 : Igor Pavlov : Public domain */
3 
4 #include "Precomp.h"
5 
6 #include "CpuArch.h"
7 
8 #ifdef MY_CPU_X86_OR_AMD64
9 
10   #if defined(__clang__)
11     #if __clang_major__ > 3 || (__clang_major__ == 3 && __clang_minor__ >= 8)
12       #define USE_INTEL_AES
13         #define ATTRIB_AES __attribute__((__target__("aes")))
14       #if (__clang_major__ >= 8)
15         #define USE_INTEL_VAES
16         #define ATTRIB_VAES __attribute__((__target__("aes,vaes,avx2")))
17       #endif
18     #endif
19   #elif defined(__GNUC__)
20     #if (__GNUC__ > 4) || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4)
21       #define USE_INTEL_AES
22       #ifndef __AES__
23         #define ATTRIB_AES __attribute__((__target__("aes")))
24       #endif
25       #if (__GNUC__ >= 8)
26         #define USE_INTEL_VAES
27         #define ATTRIB_VAES __attribute__((__target__("aes,vaes,avx2")))
28       #endif
29     #endif
30   #elif defined(__INTEL_COMPILER)
31     #if (__INTEL_COMPILER >= 1110)
32       #define USE_INTEL_AES
33       #if (__INTEL_COMPILER >= 1900)
34         #define USE_INTEL_VAES
35       #endif
36     #endif
37   #elif defined(_MSC_VER)
38     #if (_MSC_VER > 1500) || (_MSC_FULL_VER >= 150030729)
39       #define USE_INTEL_AES
40       #if (_MSC_VER >= 1910)
41         #define USE_INTEL_VAES
42       #endif
43     #endif
44   #endif
45 
46 #ifndef ATTRIB_AES
47   #define ATTRIB_AES
48 #endif
49 #ifndef ATTRIB_VAES
50   #define ATTRIB_VAES
51 #endif
52 
53 
54 #ifdef USE_INTEL_AES
55 
56 #include <wmmintrin.h>
57 
58 #ifndef USE_INTEL_VAES
59 #define AES_TYPE_keys __m128i
60 #define AES_TYPE_data __m128i
61 #endif
62 
63 #define AES_FUNC_START(name) \
64     void MY_FAST_CALL name(__m128i *p, __m128i *data, size_t numBlocks)
65 
66 #define AES_FUNC_START2(name) \
67 AES_FUNC_START (name); \
68 ATTRIB_AES \
69 AES_FUNC_START (name)
70 
71 #define MM_OP(op, dest, src)  dest = op(dest, src);
72 #define MM_OP_m(op, src)      MM_OP(op, m, src);
73 
74 #define MM_XOR( dest, src)    MM_OP(_mm_xor_si128,    dest, src);
75 #define AVX_XOR(dest, src)    MM_OP(_mm256_xor_si256, dest, src);
76 
77 
AES_FUNC_START2(AesCbc_Encode_HW)78 AES_FUNC_START2 (AesCbc_Encode_HW)
79 {
80   __m128i m = *p;
81   const __m128i k0 = p[2];
82   const __m128i k1 = p[3];
83   const UInt32 numRounds2 = *(const UInt32 *)(p + 1) - 1;
84   for (; numBlocks != 0; numBlocks--, data++)
85   {
86     UInt32 r = numRounds2;
87     const __m128i *w = p + 4;
88     __m128i temp = *data;
89     MM_XOR (temp, k0);
90     MM_XOR (m, temp);
91     MM_OP_m (_mm_aesenc_si128, k1);
92     do
93     {
94       MM_OP_m (_mm_aesenc_si128, w[0]);
95       MM_OP_m (_mm_aesenc_si128, w[1]);
96       w += 2;
97     }
98     while (--r);
99     MM_OP_m (_mm_aesenclast_si128, w[0]);
100     *data = m;
101   }
102   *p = m;
103 }
104 
105 
106 #define WOP_1(op)
107 #define WOP_2(op)   WOP_1 (op)  op (m1, 1);
108 #define WOP_3(op)   WOP_2 (op)  op (m2, 2);
109 #define WOP_4(op)   WOP_3 (op)  op (m3, 3);
110 #ifdef MY_CPU_AMD64
111 #define WOP_5(op)   WOP_4 (op)  op (m4, 4);
112 #define WOP_6(op)   WOP_5 (op)  op (m5, 5);
113 #define WOP_7(op)   WOP_6 (op)  op (m6, 6);
114 #define WOP_8(op)   WOP_7 (op)  op (m7, 7);
115 #endif
116 /*
117 #define WOP_9(op)   WOP_8 (op)  op (m8, 8);
118 #define WOP_10(op)  WOP_9 (op)  op (m9, 9);
119 #define WOP_11(op)  WOP_10(op)  op (m10, 10);
120 #define WOP_12(op)  WOP_11(op)  op (m11, 11);
121 #define WOP_13(op)  WOP_12(op)  op (m12, 12);
122 #define WOP_14(op)  WOP_13(op)  op (m13, 13);
123 */
124 
125 #ifdef MY_CPU_AMD64
126   #define NUM_WAYS      8
127   #define WOP_M1    WOP_8
128 #else
129   #define NUM_WAYS      4
130   #define WOP_M1    WOP_4
131 #endif
132 
133 #define WOP(op)  op (m0, 0);  WOP_M1(op)
134 
135 
136 #define DECLARE_VAR(reg, ii)  __m128i reg
137 #define LOAD_data(  reg, ii)  reg = data[ii];
138 #define STORE_data( reg, ii)  data[ii] = reg;
139 #if (NUM_WAYS > 1)
140 #define XOR_data_M1(reg, ii)  MM_XOR (reg, data[ii- 1]);
141 #endif
142 
143 #define AVX__DECLARE_VAR(reg, ii)  __m256i reg
144 #define AVX__LOAD_data(  reg, ii)  reg = ((const __m256i *)(const void *)data)[ii];
145 #define AVX__STORE_data( reg, ii)  ((__m256i *)(void *)data)[ii] = reg;
146 #define AVX__XOR_data_M1(reg, ii)  AVX_XOR (reg, (((const __m256i *)(const void *)(data - 1))[ii]));
147 
148 #define MM_OP_key(op, reg)  MM_OP(op, reg, key);
149 
150 #define AES_DEC(      reg, ii)   MM_OP_key (_mm_aesdec_si128,     reg)
151 #define AES_DEC_LAST( reg, ii)   MM_OP_key (_mm_aesdeclast_si128, reg)
152 #define AES_ENC(      reg, ii)   MM_OP_key (_mm_aesenc_si128,     reg)
153 #define AES_ENC_LAST( reg, ii)   MM_OP_key (_mm_aesenclast_si128, reg)
154 #define AES_XOR(      reg, ii)   MM_OP_key (_mm_xor_si128,        reg)
155 
156 
157 #define AVX__AES_DEC(      reg, ii)   MM_OP_key (_mm256_aesdec_epi128,     reg)
158 #define AVX__AES_DEC_LAST( reg, ii)   MM_OP_key (_mm256_aesdeclast_epi128, reg)
159 #define AVX__AES_ENC(      reg, ii)   MM_OP_key (_mm256_aesenc_epi128,     reg)
160 #define AVX__AES_ENC_LAST( reg, ii)   MM_OP_key (_mm256_aesenclast_epi128, reg)
161 #define AVX__AES_XOR(      reg, ii)   MM_OP_key (_mm256_xor_si256,         reg)
162 
163 #define CTR_START(reg, ii)  MM_OP (_mm_add_epi64, ctr, one); reg = ctr;
164 #define CTR_END(  reg, ii)  MM_XOR (data[ii], reg);
165 
166 #define AVX__CTR_START(reg, ii)  MM_OP (_mm256_add_epi64, ctr2, two); reg = _mm256_xor_si256(ctr2, key);
167 #define AVX__CTR_END(  reg, ii)  AVX_XOR (((__m256i *)(void *)data)[ii], reg);
168 
169 #define WOP_KEY(op, n) { \
170     const __m128i key = w[n]; \
171     WOP(op); }
172 
173 #define AVX__WOP_KEY(op, n) { \
174     const __m256i key = w[n]; \
175     WOP(op); }
176 
177 
178 #define WIDE_LOOP_START  \
179     dataEnd = data + numBlocks;  \
180     if (numBlocks >= NUM_WAYS)  \
181     { dataEnd -= NUM_WAYS; do {  \
182 
183 
184 #define WIDE_LOOP_END  \
185     data += NUM_WAYS;  \
186     } while (data <= dataEnd);  \
187     dataEnd += NUM_WAYS; }  \
188 
189 
190 #define SINGLE_LOOP  \
191     for (; data < dataEnd; data++)
192 
193 
194 #define NUM_AES_KEYS_MAX 15
195 
196 #define WIDE_LOOP_START_AVX(OP)  \
197     dataEnd = data + numBlocks;  \
198     if (numBlocks >= NUM_WAYS * 2)  \
199     { __m256i keys[NUM_AES_KEYS_MAX]; \
200     UInt32 ii; \
201     OP \
202     for (ii = 0; ii < numRounds; ii++) \
203       keys[ii] = _mm256_broadcastsi128_si256(p[ii]); \
204     dataEnd -= NUM_WAYS * 2; do {  \
205 
206 
207 #define WIDE_LOOP_END_AVX(OP)  \
208     data += NUM_WAYS * 2;  \
209     } while (data <= dataEnd);  \
210     dataEnd += NUM_WAYS * 2;  \
211     OP  \
212     _mm256_zeroupper();  \
213     }  \
214 
215 /* MSVC for x86: If we don't call _mm256_zeroupper(), and -arch:IA32 is not specified,
216    MSVC still can insert vzeroupper instruction. */
217 
218 
AES_FUNC_START2(AesCbc_Decode_HW)219 AES_FUNC_START2 (AesCbc_Decode_HW)
220 {
221   __m128i iv = *p;
222   const __m128i *wStart = p + *(const UInt32 *)(p + 1) * 2 + 2 - 1;
223   const __m128i *dataEnd;
224   p += 2;
225 
226   WIDE_LOOP_START
227   {
228     const __m128i *w = wStart;
229 
230     WOP (DECLARE_VAR)
231     WOP (LOAD_data);
232     WOP_KEY (AES_XOR, 1)
233 
234     do
235     {
236       WOP_KEY (AES_DEC, 0)
237       w--;
238     }
239     while (w != p);
240     WOP_KEY (AES_DEC_LAST, 0)
241 
242     MM_XOR (m0, iv);
243     WOP_M1 (XOR_data_M1)
244     iv = data[NUM_WAYS - 1];
245     WOP (STORE_data);
246   }
247   WIDE_LOOP_END
248 
249   SINGLE_LOOP
250   {
251     const __m128i *w = wStart - 1;
252     __m128i m = _mm_xor_si128 (w[2], *data);
253     do
254     {
255       MM_OP_m (_mm_aesdec_si128, w[1]);
256       MM_OP_m (_mm_aesdec_si128, w[0]);
257       w -= 2;
258     }
259     while (w != p);
260     MM_OP_m (_mm_aesdec_si128,     w[1]);
261     MM_OP_m (_mm_aesdeclast_si128, w[0]);
262 
263     MM_XOR (m, iv);
264     iv = *data;
265     *data = m;
266   }
267 
268   p[-2] = iv;
269 }
270 
271 
AES_FUNC_START2(AesCtr_Code_HW)272 AES_FUNC_START2 (AesCtr_Code_HW)
273 {
274   __m128i ctr = *p;
275   UInt32 numRoundsMinus2 = *(const UInt32 *)(p + 1) * 2 - 1;
276   const __m128i *dataEnd;
277   __m128i one = _mm_cvtsi32_si128(1);
278 
279   p += 2;
280 
281   WIDE_LOOP_START
282   {
283     const __m128i *w = p;
284     UInt32 r = numRoundsMinus2;
285     WOP (DECLARE_VAR)
286     WOP (CTR_START);
287     WOP_KEY (AES_XOR, 0)
288     w += 1;
289     do
290     {
291       WOP_KEY (AES_ENC, 0)
292       w += 1;
293     }
294     while (--r);
295     WOP_KEY (AES_ENC_LAST, 0)
296 
297     WOP (CTR_END);
298   }
299   WIDE_LOOP_END
300 
301   SINGLE_LOOP
302   {
303     UInt32 numRounds2 = *(const UInt32 *)(p - 2 + 1) - 1;
304     const __m128i *w = p;
305     __m128i m;
306     MM_OP (_mm_add_epi64, ctr, one);
307     m = _mm_xor_si128 (ctr, p[0]);
308     w += 1;
309     do
310     {
311       MM_OP_m (_mm_aesenc_si128, w[0]);
312       MM_OP_m (_mm_aesenc_si128, w[1]);
313       w += 2;
314     }
315     while (--numRounds2);
316     MM_OP_m (_mm_aesenc_si128,     w[0]);
317     MM_OP_m (_mm_aesenclast_si128, w[1]);
318     MM_XOR (*data, m);
319   }
320 
321   p[-2] = ctr;
322 }
323 
324 
325 
326 #ifdef USE_INTEL_VAES
327 
328 #if defined(__clang__) && defined(_MSC_VER)
329 #define __SSE4_2__
330 #define __AES__
331 #define __AVX__
332 #define __AVX2__
333 #define __VAES__
334 #define __AVX512F__
335 #define __AVX512VL__
336 #endif
337 
338 #include <immintrin.h>
339 
340 #define VAES_FUNC_START2(name) \
341 AES_FUNC_START (name); \
342 ATTRIB_VAES \
343 AES_FUNC_START (name)
344 
VAES_FUNC_START2(AesCbc_Decode_HW_256)345 VAES_FUNC_START2 (AesCbc_Decode_HW_256)
346 {
347   __m128i iv = *p;
348   const __m128i *dataEnd;
349   UInt32 numRounds = *(const UInt32 *)(p + 1) * 2 + 1;
350   p += 2;
351 
352   WIDE_LOOP_START_AVX(;)
353   {
354     const __m256i *w = keys + numRounds - 2;
355 
356     WOP (AVX__DECLARE_VAR)
357     WOP (AVX__LOAD_data);
358     AVX__WOP_KEY (AVX__AES_XOR, 1)
359 
360     do
361     {
362       AVX__WOP_KEY (AVX__AES_DEC, 0)
363       w--;
364     }
365     while (w != keys);
366     AVX__WOP_KEY (AVX__AES_DEC_LAST, 0)
367 
368     AVX_XOR (m0, _mm256_setr_m128i(iv, data[0]));
369     WOP_M1 (AVX__XOR_data_M1)
370     iv = data[NUM_WAYS * 2 - 1];
371     WOP (AVX__STORE_data);
372   }
373   WIDE_LOOP_END_AVX(;)
374 
375   SINGLE_LOOP
376   {
377     const __m128i *w = p + *(const UInt32 *)(p + 1 - 2) * 2 + 1 - 3;
378     __m128i m = _mm_xor_si128 (w[2], *data);
379     do
380     {
381       MM_OP_m (_mm_aesdec_si128, w[1]);
382       MM_OP_m (_mm_aesdec_si128, w[0]);
383       w -= 2;
384     }
385     while (w != p);
386     MM_OP_m (_mm_aesdec_si128,     w[1]);
387     MM_OP_m (_mm_aesdeclast_si128, w[0]);
388 
389     MM_XOR (m, iv);
390     iv = *data;
391     *data = m;
392   }
393 
394   p[-2] = iv;
395 }
396 
397 
398 /*
399 SSE2: _mm_cvtsi32_si128 : movd
400 AVX:  _mm256_setr_m128i            : vinsertf128
401 AVX2: _mm256_add_epi64             : vpaddq ymm, ymm, ymm
402       _mm256_extracti128_si256     : vextracti128
403       _mm256_broadcastsi128_si256  : vbroadcasti128
404 */
405 
406 #define AVX__CTR_LOOP_START  \
407     ctr2 = _mm256_setr_m128i(_mm_sub_epi64(ctr, one), ctr); \
408     two = _mm256_setr_m128i(one, one); \
409     two = _mm256_add_epi64(two, two); \
410 
411 // two = _mm256_setr_epi64x(2, 0, 2, 0);
412 
413 #define AVX__CTR_LOOP_ENC  \
414     ctr = _mm256_extracti128_si256 (ctr2, 1); \
415 
VAES_FUNC_START2(AesCtr_Code_HW_256)416 VAES_FUNC_START2 (AesCtr_Code_HW_256)
417 {
418   __m128i ctr = *p;
419   UInt32 numRounds = *(const UInt32 *)(p + 1) * 2 + 1;
420   const __m128i *dataEnd;
421   __m128i one = _mm_cvtsi32_si128(1);
422   __m256i ctr2, two;
423   p += 2;
424 
425   WIDE_LOOP_START_AVX (AVX__CTR_LOOP_START)
426   {
427     const __m256i *w = keys;
428     UInt32 r = numRounds - 2;
429     WOP (AVX__DECLARE_VAR)
430     AVX__WOP_KEY (AVX__CTR_START, 0);
431 
432     w += 1;
433     do
434     {
435       AVX__WOP_KEY (AVX__AES_ENC, 0)
436       w += 1;
437     }
438     while (--r);
439     AVX__WOP_KEY (AVX__AES_ENC_LAST, 0)
440 
441     WOP (AVX__CTR_END);
442   }
443   WIDE_LOOP_END_AVX (AVX__CTR_LOOP_ENC)
444 
445   SINGLE_LOOP
446   {
447     UInt32 numRounds2 = *(const UInt32 *)(p - 2 + 1) - 1;
448     const __m128i *w = p;
449     __m128i m;
450     MM_OP (_mm_add_epi64, ctr, one);
451     m = _mm_xor_si128 (ctr, p[0]);
452     w += 1;
453     do
454     {
455       MM_OP_m (_mm_aesenc_si128, w[0]);
456       MM_OP_m (_mm_aesenc_si128, w[1]);
457       w += 2;
458     }
459     while (--numRounds2);
460     MM_OP_m (_mm_aesenc_si128,     w[0]);
461     MM_OP_m (_mm_aesenclast_si128, w[1]);
462     MM_XOR (*data, m);
463   }
464 
465   p[-2] = ctr;
466 }
467 
468 #endif // USE_INTEL_VAES
469 
470 #else // USE_INTEL_AES
471 
472 /* no USE_INTEL_AES */
473 
474 #pragma message("AES  HW_SW stub was used")
475 
476 #define AES_TYPE_keys UInt32
477 #define AES_TYPE_data Byte
478 
479 #define AES_FUNC_START(name) \
480     void MY_FAST_CALL name(UInt32 *p, Byte *data, size_t numBlocks) \
481 
482 #define AES_COMPAT_STUB(name) \
483     AES_FUNC_START(name); \
484     AES_FUNC_START(name ## _HW) \
485     { name(p, data, numBlocks); }
486 
487 AES_COMPAT_STUB (AesCbc_Encode)
488 AES_COMPAT_STUB (AesCbc_Decode)
489 AES_COMPAT_STUB (AesCtr_Code)
490 
491 #endif // USE_INTEL_AES
492 
493 
494 #ifndef USE_INTEL_VAES
495 
496 #pragma message("VAES HW_SW stub was used")
497 
498 #define VAES_COMPAT_STUB(name) \
499     void MY_FAST_CALL name ## _256(UInt32 *p, Byte *data, size_t numBlocks); \
500     void MY_FAST_CALL name ## _256(UInt32 *p, Byte *data, size_t numBlocks) \
501     { name((AES_TYPE_keys *)(void *)p, (AES_TYPE_data *)(void *)data, numBlocks); }
502 
503 VAES_COMPAT_STUB (AesCbc_Decode_HW)
504 VAES_COMPAT_STUB (AesCtr_Code_HW)
505 
506 #endif // ! USE_INTEL_VAES
507 
508 
509 #elif defined(MY_CPU_ARM_OR_ARM64) && defined(MY_CPU_LE)
510 
511   #if defined(__clang__)
512     #if (__clang_major__ >= 16) // fix that check
513       #define USE_HW_AES
514     #endif
515   #elif defined(__GNUC__)
516     #if (__GNUC__ >= 6) // fix that check
517       #define USE_HW_AES
518     #endif
519   #elif defined(_MSC_VER)
520     #if _MSC_VER >= 1910
521       #define USE_HW_AES
522     #endif
523   #endif
524 
525 #ifdef USE_HW_AES
526 
527 // #pragma message("=== AES HW === ")
528 
529 #if defined(__clang__) || defined(__GNUC__)
530   #ifdef MY_CPU_ARM64
531     #define ATTRIB_AES __attribute__((__target__("+crypto")))
532   #else
533     #define ATTRIB_AES __attribute__((__target__("fpu=crypto-neon-fp-armv8")))
534   #endif
535 #else
536   // _MSC_VER
537   // for arm32
538   #define _ARM_USE_NEW_NEON_INTRINSICS
539 #endif
540 
541 #ifndef ATTRIB_AES
542   #define ATTRIB_AES
543 #endif
544 
545 #if defined(_MSC_VER) && defined(MY_CPU_ARM64)
546 #include <arm64_neon.h>
547 #else
548 #include <arm_neon.h>
549 #endif
550 
551 typedef uint8x16_t v128;
552 
553 #define AES_FUNC_START(name) \
554     void MY_FAST_CALL name(v128 *p, v128 *data, size_t numBlocks)
555 
556 #define AES_FUNC_START2(name) \
557 AES_FUNC_START (name); \
558 ATTRIB_AES \
559 AES_FUNC_START (name)
560 
561 #define MM_OP(op, dest, src)  dest = op(dest, src);
562 #define MM_OP_m(op, src)      MM_OP(op, m, src);
563 #define MM_OP1_m(op)          m = op(m);
564 
565 #define MM_XOR( dest, src)    MM_OP(veorq_u8, dest, src);
566 #define MM_XOR_m( src)        MM_XOR(m, src);
567 
568 #define AES_E_m(k)     MM_OP_m (vaeseq_u8, k);
569 #define AES_E_MC_m(k)  AES_E_m (k);  MM_OP1_m(vaesmcq_u8);
570 
571 
572 AES_FUNC_START2 (AesCbc_Encode_HW)
573 {
574   v128 m = *p;
575   const v128 k0 = p[2];
576   const v128 k1 = p[3];
577   const v128 k2 = p[4];
578   const v128 k3 = p[5];
579   const v128 k4 = p[6];
580   const v128 k5 = p[7];
581   const v128 k6 = p[8];
582   const v128 k7 = p[9];
583   const v128 k8 = p[10];
584   const v128 k9 = p[11];
585   const UInt32 numRounds2 = *(const UInt32 *)(p + 1);
586   const v128 *w = p + ((size_t)numRounds2 * 2);
587   const v128 k_z1 = w[1];
588   const v128 k_z0 = w[2];
589   for (; numBlocks != 0; numBlocks--, data++)
590   {
591     MM_XOR_m (*data);
592     AES_E_MC_m (k0)
593     AES_E_MC_m (k1)
594     AES_E_MC_m (k2)
595     AES_E_MC_m (k3)
596     AES_E_MC_m (k4)
597     AES_E_MC_m (k5)
598     AES_E_MC_m (k6)
599     AES_E_MC_m (k7)
600     AES_E_MC_m (k8)
601     if (numRounds2 >= 6)
602     {
603       AES_E_MC_m (k9)
604       AES_E_MC_m (p[12])
605       if (numRounds2 != 6)
606       {
607         AES_E_MC_m (p[13])
608         AES_E_MC_m (p[14])
609       }
610     }
611     AES_E_m  (k_z1);
612     MM_XOR_m (k_z0);
613     *data = m;
614   }
615   *p = m;
616 }
617 
618 
619 #define WOP_1(op)
620 #define WOP_2(op)   WOP_1 (op)  op (m1, 1);
621 #define WOP_3(op)   WOP_2 (op)  op (m2, 2);
622 #define WOP_4(op)   WOP_3 (op)  op (m3, 3);
623 #define WOP_5(op)   WOP_4 (op)  op (m4, 4);
624 #define WOP_6(op)   WOP_5 (op)  op (m5, 5);
625 #define WOP_7(op)   WOP_6 (op)  op (m6, 6);
626 #define WOP_8(op)   WOP_7 (op)  op (m7, 7);
627 
628   #define NUM_WAYS      8
629   #define WOP_M1    WOP_8
630 
631 #define WOP(op)  op (m0, 0);  WOP_M1(op)
632 
633 #define DECLARE_VAR(reg, ii)  v128 reg
634 #define LOAD_data(  reg, ii)  reg = data[ii];
635 #define STORE_data( reg, ii)  data[ii] = reg;
636 #if (NUM_WAYS > 1)
637 #define XOR_data_M1(reg, ii)  MM_XOR (reg, data[ii- 1]);
638 #endif
639 
640 #define MM_OP_key(op, reg)  MM_OP (op, reg, key);
641 
642 #define AES_D_m(k)      MM_OP_m (vaesdq_u8, k);
643 #define AES_D_IMC_m(k)  AES_D_m (k);  MM_OP1_m (vaesimcq_u8);
644 
645 #define AES_XOR(   reg, ii)  MM_OP_key (veorq_u8,  reg)
646 #define AES_D(     reg, ii)  MM_OP_key (vaesdq_u8, reg)
647 #define AES_E(     reg, ii)  MM_OP_key (vaeseq_u8, reg)
648 
649 #define AES_D_IMC( reg, ii)  AES_D (reg, ii);  reg = vaesimcq_u8(reg)
650 #define AES_E_MC(  reg, ii)  AES_E (reg, ii);  reg = vaesmcq_u8(reg)
651 
652 #define CTR_START(reg, ii)  MM_OP (vaddq_u64, ctr, one);  reg = vreinterpretq_u8_u64(ctr);
653 #define CTR_END(  reg, ii)  MM_XOR (data[ii], reg);
654 
655 #define WOP_KEY(op, n) { \
656     const v128 key = w[n]; \
657     WOP(op); }
658 
659 #define WIDE_LOOP_START  \
660     dataEnd = data + numBlocks;  \
661     if (numBlocks >= NUM_WAYS)  \
662     { dataEnd -= NUM_WAYS; do {  \
663 
664 #define WIDE_LOOP_END  \
665     data += NUM_WAYS;  \
666     } while (data <= dataEnd);  \
667     dataEnd += NUM_WAYS; }  \
668 
669 #define SINGLE_LOOP  \
670     for (; data < dataEnd; data++)
671 
672 
673 AES_FUNC_START2 (AesCbc_Decode_HW)
674 {
675   v128 iv = *p;
676   const v128 *wStart = p + ((size_t)*(const UInt32 *)(p + 1)) * 2;
677   const v128 *dataEnd;
678   p += 2;
679 
680   WIDE_LOOP_START
681   {
682     const v128 *w = wStart;
683     WOP (DECLARE_VAR)
684     WOP (LOAD_data);
685     WOP_KEY (AES_D_IMC, 2)
686     do
687     {
688       WOP_KEY (AES_D_IMC, 1)
689       WOP_KEY (AES_D_IMC, 0)
690       w -= 2;
691     }
692     while (w != p);
693     WOP_KEY (AES_D,   1)
694     WOP_KEY (AES_XOR, 0)
695     MM_XOR (m0, iv);
696     WOP_M1 (XOR_data_M1)
697     iv = data[NUM_WAYS - 1];
698     WOP (STORE_data);
699   }
700   WIDE_LOOP_END
701 
702   SINGLE_LOOP
703   {
704     const v128 *w = wStart;
705     v128 m = *data;
706     AES_D_IMC_m (w[2])
707     do
708     {
709       AES_D_IMC_m (w[1]);
710       AES_D_IMC_m (w[0]);
711       w -= 2;
712     }
713     while (w != p);
714     AES_D_m  (w[1]);
715     MM_XOR_m (w[0]);
716     MM_XOR_m (iv);
717     iv = *data;
718     *data = m;
719   }
720 
721   p[-2] = iv;
722 }
723 
724 
725 AES_FUNC_START2 (AesCtr_Code_HW)
726 {
727   uint64x2_t ctr = vreinterpretq_u64_u8(*p);
728   const v128 *wEnd = p + ((size_t)*(const UInt32 *)(p + 1)) * 2;
729   const v128 *dataEnd;
730   uint64x2_t one = vdupq_n_u64(0);
731   one = vsetq_lane_u64(1, one, 0);
732   p += 2;
733 
734   WIDE_LOOP_START
735   {
736     const v128 *w = p;
737     WOP (DECLARE_VAR)
738     WOP (CTR_START);
739     do
740     {
741       WOP_KEY (AES_E_MC, 0)
742       WOP_KEY (AES_E_MC, 1)
743       w += 2;
744     }
745     while (w != wEnd);
746     WOP_KEY (AES_E_MC, 0)
747     WOP_KEY (AES_E,    1)
748     WOP_KEY (AES_XOR,  2)
749     WOP (CTR_END);
750   }
751   WIDE_LOOP_END
752 
753   SINGLE_LOOP
754   {
755     const v128 *w = p;
756     v128 m;
757     CTR_START (m, 0);
758     do
759     {
760       AES_E_MC_m (w[0]);
761       AES_E_MC_m (w[1]);
762       w += 2;
763     }
764     while (w != wEnd);
765     AES_E_MC_m (w[0]);
766     AES_E_m    (w[1]);
767     MM_XOR_m   (w[2]);
768     CTR_END (m, 0);
769   }
770 
771   p[-2] = vreinterpretq_u8_u64(ctr);
772 }
773 
774 #endif // USE_HW_AES
775 
776 #endif // MY_CPU_ARM_OR_ARM64
777