From 6cc91c8f9b2cebc95da8d663a448263f8be3222f Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Tue, 12 Apr 2022 11:45:14 +1000
Subject: [PATCH] Wycheproof testing of Aarch64 ASM
Fix which bytes are incremented for AES-GCM - only 4 bytes are counter.
Fix Curve25519 to reduce to below modulus at end.
---
 wolfcrypt/src/port/arm/armv8-aes.c | 18 +++++++++---------
 wolfcrypt/src/port/arm/armv8-curve25519.S | 11 +++++++++++
 wolfcrypt/src/port/arm/armv8-curve25519_c.c | 11 +++++++++++
 3 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/wolfcrypt/src/port/arm/armv8-aes.c b/wolfcrypt/src/port/arm/armv8-aes.c
index 63f0a731a..e1ea701de 100644
--- a/wolfcrypt/src/port/arm/armv8-aes.c
+++ b/wolfcrypt/src/port/arm/armv8-aes.c
@@ -1611,7 +1611,7 @@ static int Aes128GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 "REV64 v13.16b, v13.16b \n" /* network order */
 "LD1 {v1.2d-v4.2d}, [%[Key]], #64 \n"
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
- "ADD v13.2d, v13.2d, v14.2d \n" /* add 1 to counter */
+ "ADD v13.4s, v13.4s, v14.4s \n" /* add 1 to counter */
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
 "REV64 v13.16b, v13.16b \n" /* revert from network order */
 "LD1 {v5.2d-v8.2d}, [%[Key]], #64 \n"
@@ -1659,7 +1659,7 @@ static int Aes128GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 "REV64 v13.16b, v13.16b \n" /* network order */
 "EOR v15.16b, v17.16b, v15.16b \n"
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
- "ADD v13.2d, v13.2d, v14.2d \n" /* add 1 to counter */
+ "ADD v13.4s, v13.4s, v14.4s \n" /* add 1 to counter */
 "RBIT v15.16b, v15.16b \n" /* v15 is encrypted out block (c) */
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
 "REV64 v13.16b, v13.16b \n" /* revert from network order */
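Review bot: The corrected `"ADD v13.4s, v13.4s, v14.4s \n"` keeps the old comment `/* add 1 to counter */`, which does not say why the 32-bit lane form is required rather than the 64-bit one it replaces; suggest `/* inc32: only the low 32-bit lane is the GCM counter, wrap there without carrying into the nonce */`. The lane choice also relies on v14 holding the increment in the lane that, after the REV64/EXT #8 shuffle, maps to the last four bytes of the counter block; v14's setup is outside this hunk, so it is worth confirming it is `1` in lane 0 only. The same change and comment apply to the hunks at 1659, 1929, 1981, 2262, 2318, 2684, 2750 and 2821 (the decrypt ones use v12/v14/v17 for the counter and v14/v16/v18 for the increment). Aes128GcmEncrypt's body starts and continues outside the hunk.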
@@ -1929,7 +1929,7 @@ static int Aes192GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 "REV64 v13.16b, v13.16b \n" /* network order */
 "LD1 {v1.2d-v4.2d}, [%[Key]], #64 \n"
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
- "ADD v13.2d, v13.2d, v14.2d \n" /* add 1 to counter */
+ "ADD v13.4s, v13.4s, v14.4s \n" /* add 1 to counter */
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
 "REV64 v13.16b, v13.16b \n" /* revert from network order */
 "LD1 {v5.2d-v8.2d}, [%[Key]], #64 \n"
@@ -1981,7 +1981,7 @@ static int Aes192GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 "REV64 v13.16b, v13.16b \n" /* network order */
 "EOR v15.16b, v17.16b, v15.16b \n"
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
- "ADD v13.2d, v13.2d, v14.2d \n" /* add 1 to counter */
+ "ADD v13.4s, v13.4s, v14.4s \n" /* add 1 to counter */
 "RBIT v15.16b, v15.16b \n" /* v15 is encrypted out block (c) */
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
 "REV64 v13.16b, v13.16b \n" /* revert from network order */
@@ -2262,7 +2262,7 @@ static int Aes256GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 "REV64 v13.16b, v13.16b \n" /* network order */
 "LD1 {v1.2d-v4.2d}, [%[Key]], #64 \n"
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
- "ADD v13.2d, v13.2d, v14.2d \n" /* add 1 to counter */
+ "ADD v13.4s, v13.4s, v14.4s \n" /* add 1 to counter */
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
 "REV64 v13.16b, v13.16b \n" /* revert from network order */
 "LD1 {v5.2d-v8.2d}, [%[Key]], #64 \n"
@@ -2318,7 +2318,7 @@ static int Aes256GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 "REV64 v13.16b, v13.16b \n" /* network order */
 "EOR v15.16b, v17.16b, v15.16b \n"
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
- "ADD v13.2d, v13.2d, v14.2d \n" /* add 1 to counter */
+ "ADD v13.4s, v13.4s, v14.4s \n" /* add 1 to counter */
 "RBIT v15.16b, v15.16b \n" /* v15 is encrypted out block (c) */
 "EXT v13.16b, v13.16b, v13.16b, #8 \n"
 "REV64 v13.16b, v13.16b \n" /* revert from network order */
@@ -2684,7 +2684,7 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 "1: \n"
 "REV64 v12.16b, v12.16b \n" /* network order */
 "EXT v12.16b, v12.16b, v12.16b, #8 \n"
- "ADD v12.2d, v12.2d, v14.2d \n" /* add 1 to counter */
+ "ADD v12.4s, v12.4s, v14.4s \n" /* add 1 to counter */
 "EXT v12.16b, v12.16b, v12.16b, #8 \n"
 "REV64 v12.16b, v12.16b \n" /* revert from network order */
 "MOV v0.16b, v12.16b \n"
@@ -2750,7 +2750,7 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 "1: \n"
 "REV64 v14.16b, v14.16b \n" /* network order */
 "EXT v14.16b, v14.16b, v14.16b, #8 \n"
- "ADD v14.2d, v14.2d, v16.2d \n" /* add 1 to counter */
+ "ADD v14.4s, v14.4s, v16.4s \n" /* add 1 to counter */
 "EXT v14.16b, v14.16b, v14.16b, #8 \n"
 "REV64 v14.16b, v14.16b \n" /* revert from network order */
 "MOV v0.16b, v14.16b \n"
@@ -2821,7 +2821,7 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 "1: \n"
 "REV64 v17.16b, v17.16b \n" /* network order */
 "EXT v17.16b, v17.16b, v17.16b, #8 \n"
- "ADD v17.2d, v17.2d, v18.2d \n" /* add 1 to counter */
+ "ADD v17.4s, v17.4s, v18.4s \n" /* add 1 to counter */
 "EXT v17.16b, v17.16b, v17.16b, #8 \n"
 "REV64 v17.16b, v17.16b \n" /* revert from network order */
 "MOV v0.16b, v17.16b \n"
diff --git a/wolfcrypt/src/port/arm/armv8-curve25519.S b/wolfcrypt/src/port/arm/armv8-curve25519.S
index 218658a0a..432493bc0 100644
--- a/wolfcrypt/src/port/arm/armv8-curve25519.S
+++ b/wolfcrypt/src/port/arm/armv8-curve25519.S
@@ -2907,6 +2907,17 @@ L_curve25519_inv_8:
 adcs x15, x15, xzr
 adcs x16, x16, xzr
 adc x17, x17, xzr
+ adds x4, x14, x3
+ adcs x4, x15, xzr
+ adcs x4, x16, xzr
+ adc x4, x17, xzr
+ and x4, x3, x4, asr 63
+ adds x14, x14, x4
+ adcs x15, x15, xzr
+ mov x4, #0x7fffffffffffffff
+ adcs x16, x16, xzr
+ adc x17, x17, xzr
+ and x17, x17, x4
 # Store
 stp x14, x15, [x0]
 stp x16, x17, [x0, #16]
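Review bot: The eleven added instructions before `# Store` carry no comment, and their correctness hinges on `x3` still holding 19 from the earlier reduction and on bit 255 of `x14..x17` already being clear, neither of which is visible in this hunk; a comment above `adds x4, x14, x3` should pin those preconditions, e.g. `# Final reduce: if a + 19 >= 2^255 then a >= p, so add 19 and clear bit 255 (a - p); x4 mask from asr 63 keeps it branch-free, x3 == 19`. The `mov x4, #0x7fffffffffffffff` sitting inside the adcs chain also deserves `# mov does not write NZCV, carry chain intact`, since a reader will otherwise suspect the carry is lost between `adcs x15` and `adcs x16`. Without this step a result in [p, 2^255) is a non-canonical encoding of the same field element, so the shared-secret bytes would disagree with other implementations, which is what the Wycheproof vectors catch. The identical sequence added to armv8-curve25519_c.c (hunk at 2782) needs the same comments, and the function containing L_curve25519_inv_8 starts and ends outside the hunk.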
diff --git a/wolfcrypt/src/port/arm/armv8-curve25519_c.c b/wolfcrypt/src/port/arm/armv8-curve25519_c.c
index 0401813e5..6477225e5 100644
--- a/wolfcrypt/src/port/arm/armv8-curve25519_c.c
+++ b/wolfcrypt/src/port/arm/armv8-curve25519_c.c
@@ -2782,6 +2782,17 @@ int curve25519(byte* r, const byte* n, const byte* a)
 "adcs x15, x15, xzr\n\t"
 "adcs x16, x16, xzr\n\t"
 "adc x17, x17, xzr\n\t"
+ "adds x4, x14, x3\n\t"
+ "adcs x4, x15, xzr\n\t"
+ "adcs x4, x16, xzr\n\t"
+ "adc x4, x17, xzr\n\t"
+ "and x4, x3, x4, asr 63\n\t"
+ "adds x14, x14, x4\n\t"
+ "adcs x15, x15, xzr\n\t"
+ "mov x4, #0x7fffffffffffffff\n\t"
+ "adcs x16, x16, xzr\n\t"
+ "adc x17, x17, xzr\n\t"
+ "and x17, x17, x4\n\t"
 /* Store */
 "stp x14, x15, [%x[r]]\n\t"
 "stp x16, x17, [%x[r], #16]\n\t"