26 	uint8x16_t v[5];  member
44 	vst1q_u8(state, st.v[0]);  in aegis128_save_state_neon()
45 	vst1q_u8(state + 16, st.v[1]);  in aegis128_save_state_neon()
46 	vst1q_u8(state + 32, st.v[2]);  in aegis128_save_state_neon()
47 	vst1q_u8(state + 48, st.v[3]);  in aegis128_save_state_neon()
48 	vst1q_u8(state + 64, st.v[4]);  in aegis128_save_state_neon()
59 			0x0, 0x5, 0xa, 0xf, 0x4, 0x9, 0xe, 0x3,  in aegis_aes_round()
60 			0x8, 0xd, 0x2, 0x7, 0xc, 0x1, 0x6, 0xb,  in aegis_aes_round()
63 			0x1, 0x2, 0x3, 0x0, 0x5, 0x6, 0x7, 0x4,  in aegis_aes_round()
64 			0x9, 0xa, 0xb, 0x8, 0xd, 0xe, 0xf, 0xc,  in aegis_aes_round()
66 		uint8x16_t v;  in aegis_aes_round()  local
73 		v = vqtbl4q_u8(vld1q_u8_x4(crypto_aes_sbox), w);  in aegis_aes_round()
74 		v = vqtbx4q_u8(v, vld1q_u8_x4(crypto_aes_sbox + 0x40), w - 0x40);  in aegis_aes_round()
75 		v = vqtbx4q_u8(v, vld1q_u8_x4(crypto_aes_sbox + 0x80), w - 0x80);  in aegis_aes_round()
76 		v = vqtbx4q_u8(v, vld1q_u8_x4(crypto_aes_sbox + 0xc0), w - 0xc0);  in aegis_aes_round()
78 		asm("tbl %0.16b, {v16.16b-v19.16b}, %1.16b" : "=w"(v) : "w"(w));  in aegis_aes_round()
79 		w -= 0x40;  in aegis_aes_round()
80 		asm("tbx %0.16b, {v20.16b-v23.16b}, %1.16b" : "+w"(v) : "w"(w));  in aegis_aes_round()
81 		w -= 0x40;  in aegis_aes_round()
82 		asm("tbx %0.16b, {v24.16b-v27.16b}, %1.16b" : "+w"(v) : "w"(w));  in aegis_aes_round()
83 		w -= 0x40;  in aegis_aes_round()
84 		asm("tbx %0.16b, {v28.16b-v31.16b}, %1.16b" : "+w"(v) : "w"(w));  in aegis_aes_round()
88 		w = (v << 1) ^ (uint8x16_t)(((int8x16_t)v >> 7) & 0x1b);  in aegis_aes_round()
89 		w ^= (uint8x16_t)vrev32q_u16((uint16x8_t)v);  in aegis_aes_round()
90 		w ^= vqtbl1q_u8(v ^ w, vld1q_u8(ror32by8));  in aegis_aes_round()
110 	m       ^= aegis_aes_round(st.v[4]);  in aegis128_update_neon()
111 	st.v[4] ^= aegis_aes_round(st.v[3]);  in aegis128_update_neon()
112 	st.v[3] ^= aegis_aes_round(st.v[2]);  in aegis128_update_neon()
113 	st.v[2] ^= aegis_aes_round(st.v[1]);  in aegis128_update_neon()
114 	st.v[1] ^= aegis_aes_round(st.v[0]);  in aegis128_update_neon()
115 	st.v[0] ^= m;  in aegis128_update_neon()
128 	asm("ld1	{v16.16b-v19.16b}, [%0], #64	\n\t"  in preload_sbox()
129 	    "ld1	{v20.16b-v23.16b}, [%0], #64	\n\t"  in preload_sbox()
130 	    "ld1	{v24.16b-v27.16b}, [%0], #64	\n\t"  in preload_sbox()
131 	    "ld1	{v28.16b-v31.16b}, [%0]		\n\t"  in preload_sbox()
138 		0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d,  in crypto_aegis128_init_neon()
139 		0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62,  in crypto_aegis128_init_neon()
142 		0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1,  in crypto_aegis128_init_neon()
143 		0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd,  in crypto_aegis128_init_neon()
158 	for (i = 0; i < 5; i++) {  in crypto_aegis128_init_neon()
185 		uint8x16_t s = st.v[1] ^ (st.v[2] & st.v[3]) ^ st.v[4];  in crypto_aegis128_encrypt_chunk_neon()
196 	if (size > 0) {  in crypto_aegis128_encrypt_chunk_neon()
197 		uint8x16_t s = st.v[1] ^ (st.v[2] & st.v[3]) ^ st.v[4];  in crypto_aegis128_encrypt_chunk_neon()
219 		msg = vld1q_u8(src) ^ st.v[1] ^ (st.v[2] & st.v[3]) ^ st.v[4];  in crypto_aegis128_decrypt_chunk_neon()
228 	if (size > 0) {  in crypto_aegis128_decrypt_chunk_neon()
229 		uint8x16_t s = st.v[1] ^ (st.v[2] & st.v[3]) ^ st.v[4];  in crypto_aegis128_decrypt_chunk_neon()
248 	uint8x16_t v;  in crypto_aegis128_final_neon()  local
253 	v = st.v[3] ^ (uint8x16_t)vcombine_u64(vmov_n_u64(8 * assoclen),  in crypto_aegis128_final_neon()
256 	for (i = 0; i < 7; i++)  in crypto_aegis128_final_neon()
257 		st = aegis128_update_neon(st, v);  in crypto_aegis128_final_neon()
259 	v = vld1q_u8(tag_xor);  in crypto_aegis128_final_neon()
260 	v ^= st.v[0] ^ st.v[1] ^ st.v[2] ^ st.v[3] ^ st.v[4];  in crypto_aegis128_final_neon()
261 	vst1q_u8(tag_xor, v);  in crypto_aegis128_final_neon()