3 ##############################################################################
5 # Copyright 2014 Intel Corporation #
7 # Licensed under the Apache License, Version 2.0 (the "License"); #
8 # you may not use this file except in compliance with the License. #
9 # You may obtain a copy of the License at #
11 # http://www.apache.org/licenses/LICENSE-2.0 #
13 # Unless required by applicable law or agreed to in writing, software #
14 # distributed under the License is distributed on an "AS IS" BASIS, #
15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
16 # See the License for the specific language governing permissions and #
17 # limitations under the License. #
19 ##############################################################################
21 # Developers and authors: #
22 # Shay Gueron (1, 2), and Vlad Krasnov (1) #
23 # (1) Intel Corporation, Israel Development Center #
24 # (2) University of Haifa #
26 # S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with#
29 ##############################################################################
31 # Further optimization by <appro@openssl.org>:
44 # Ranges denote minimum and maximum improvement coefficients depending
45 # on benchmark. Lower coefficients are for ECDSA sign, relatively
46 # fastest server-side operation.
50 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
52 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
54 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
55 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
56 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
57 die "can't locate x86_64-xlate.pl";
59 open OUT,"| \"$^X\" $xlate $flavour $output";
62 if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
63 =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
64 $avx = ($1>=2.19) + ($1>=2.22);
68 if (!$addx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
69 `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
70 $avx = ($1>=2.09) + ($1>=2.10);
74 if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
75 `ml64 2>&1` =~ /Version ([0-9]+)\./) {
76 $avx = ($1>=10) + ($1>=11);
80 if (!$addx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
81 my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
82 $avx = ($ver>=3.0) + ($ver>=3.01);
88 .extern OPENSSL_ia32cap_P
93 .quad 0xffffffffffffffff, 0x00000000ffffffff, 0x0000000000000000, 0xffffffff00000001
95 # 2^512 mod P precomputed for NIST P256 polynomial
97 .quad 0x0000000000000003, 0xfffffffbffffffff, 0xfffffffffffffffe, 0x00000004fffffffd
100 .long 1,1,1,1,1,1,1,1
102 .long 2,2,2,2,2,2,2,2
104 .long 3,3,3,3,3,3,3,3
106 .quad 0x0000000000000001, 0xffffffff00000000, 0xffffffffffffffff, 0x00000000fffffffe
110 ################################################################################
111 # void ecp_nistz256_mul_by_2(uint64_t res[4], uint64_t a[4]);
113 my ($a0,$a1,$a2,$a3)=map("%r$_",(8..11));
114 my ($t0,$t1,$t2,$t3,$t4)=("%rax","%rdx","%rcx","%r12","%r13");
115 my ($r_ptr,$a_ptr,$b_ptr)=("%rdi","%rsi","%rdx");
119 .globl ecp_nistz256_mul_by_2
120 .type ecp_nistz256_mul_by_2,\@function,2
122 ecp_nistz256_mul_by_2:
128 add $a0, $a0 # a0:a3+a0:a3
132 lea .Lpoly(%rip), $a_ptr
159 .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
161 ################################################################################
162 # void ecp_nistz256_div_by_2(uint64_t res[4], uint64_t a[4]);
163 .globl ecp_nistz256_div_by_2
164 .type ecp_nistz256_div_by_2,\@function,2
166 ecp_nistz256_div_by_2:
175 lea .Lpoly(%rip), $a_ptr
186 xor $a_ptr, $a_ptr # borrow $a_ptr
195 mov $a1, $t0 # a0:a3>>1
219 .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
221 ################################################################################
222 # void ecp_nistz256_mul_by_3(uint64_t res[4], uint64_t a[4]);
223 .globl ecp_nistz256_mul_by_3
224 .type ecp_nistz256_mul_by_3,\@function,2
226 ecp_nistz256_mul_by_3:
233 add $a0, $a0 # a0:a3+a0:a3
245 sbb .Lpoly+8*1(%rip), $a1
248 sbb .Lpoly+8*3(%rip), $a3
257 add 8*0($a_ptr), $a0 # a0:a3+=a_ptr[0:3]
267 sbb .Lpoly+8*1(%rip), $a1
270 sbb .Lpoly+8*3(%rip), $a3
285 .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
287 ################################################################################
288 # void ecp_nistz256_add(uint64_t res[4], uint64_t a[4], uint64_t b[4]);
289 .globl ecp_nistz256_add
290 .type ecp_nistz256_add,\@function,3
301 lea .Lpoly(%rip), $a_ptr
331 .size ecp_nistz256_add,.-ecp_nistz256_add
333 ################################################################################
334 # void ecp_nistz256_sub(uint64_t res[4], uint64_t a[4], uint64_t b[4]);
335 .globl ecp_nistz256_sub
336 .type ecp_nistz256_sub,\@function,3
347 lea .Lpoly(%rip), $a_ptr
377 .size ecp_nistz256_sub,.-ecp_nistz256_sub
379 ################################################################################
380 # void ecp_nistz256_neg(uint64_t res[4], uint64_t a[4]);
381 .globl ecp_nistz256_neg
382 .type ecp_nistz256_neg,\@function,2
399 lea .Lpoly(%rip), $a_ptr
423 .size ecp_nistz256_neg,.-ecp_nistz256_neg
427 my ($r_ptr,$a_ptr,$b_org,$b_ptr)=("%rdi","%rsi","%rdx","%rbx");
428 my ($acc0,$acc1,$acc2,$acc3,$acc4,$acc5,$acc6,$acc7)=map("%r$_",(8..15));
429 my ($t0,$t1,$t2,$t3,$t4)=("%rcx","%rbp","%rbx","%rdx","%rax");
430 my ($poly1,$poly3)=($acc6,$acc7);
433 ################################################################################
434 # void ecp_nistz256_to_mont(
437 .globl ecp_nistz256_to_mont
438 .type ecp_nistz256_to_mont,\@function,2
440 ecp_nistz256_to_mont:
442 $code.=<<___ if ($addx);
444 and OPENSSL_ia32cap_P+8(%rip), %ecx
447 lea .LRR(%rip), $b_org
449 .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
451 ################################################################################
452 # void ecp_nistz256_mul_mont(
457 .globl ecp_nistz256_mul_mont
458 .type ecp_nistz256_mul_mont,\@function,3
460 ecp_nistz256_mul_mont:
462 $code.=<<___ if ($addx);
464 and OPENSSL_ia32cap_P+8(%rip), %ecx
475 $code.=<<___ if ($addx);
481 mov 8*0($b_org), %rax
482 mov 8*0($a_ptr), $acc1
483 mov 8*1($a_ptr), $acc2
484 mov 8*2($a_ptr), $acc3
485 mov 8*3($a_ptr), $acc4
487 call __ecp_nistz256_mul_montq
489 $code.=<<___ if ($addx);
495 mov 8*0($b_org), %rdx
496 mov 8*0($a_ptr), $acc1
497 mov 8*1($a_ptr), $acc2
498 mov 8*2($a_ptr), $acc3
499 mov 8*3($a_ptr), $acc4
500 lea -128($a_ptr), $a_ptr # control u-op density
502 call __ecp_nistz256_mul_montx
513 .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
515 .type __ecp_nistz256_mul_montq,\@abi-omnipotent
517 __ecp_nistz256_mul_montq:
518 ########################################################################
522 mov .Lpoly+8*1(%rip),$poly1
528 mov .Lpoly+8*3(%rip),$poly3
547 ########################################################################
548 # First reduction step
549 # Basically now we want to multiply acc[0] by p256,
550 # and add the result to the acc.
551 # Due to the special form of p256 we do some optimizations
553 # acc[0] x p256[0] = acc[0] x 2^64 - acc[0]
554 # then we add acc[0] and get acc[0] x 2^64
558 add $acc0, $acc1 # +=acc[0]*2^64
563 # acc[0] x p256[2] = 0
572 mov 8*1($b_ptr), %rax
576 ########################################################################
609 ########################################################################
610 # Second reduction step
625 mov 8*2($b_ptr), %rax
629 ########################################################################
662 ########################################################################
663 # Third reduction step
678 mov 8*3($b_ptr), %rax
682 ########################################################################
715 ########################################################################
716 # Final reduction step
724 #adc \$0, $t0 # doesn't overflow
735 ########################################################################
736 # Branch-less conditional subtraction of P
737 sub \$-1, $acc4 # .Lpoly[0]
739 sbb $poly1, $acc5 # .Lpoly[1]
740 sbb \$0, $acc0 # .Lpoly[2]
742 sbb $poly3, $acc1 # .Lpoly[3]
747 mov $acc4, 8*0($r_ptr)
749 mov $acc5, 8*1($r_ptr)
751 mov $acc0, 8*2($r_ptr)
752 mov $acc1, 8*3($r_ptr)
755 .size __ecp_nistz256_mul_montq,.-__ecp_nistz256_mul_montq
757 ################################################################################
758 # void ecp_nistz256_sqr_mont(
762 # we optimize the square according to S.Gueron and V.Krasnov,
763 # "Speeding up Big-Number Squaring"
764 .globl ecp_nistz256_sqr_mont
765 .type ecp_nistz256_sqr_mont,\@function,2
767 ecp_nistz256_sqr_mont:
769 $code.=<<___ if ($addx);
771 and OPENSSL_ia32cap_P+8(%rip), %ecx
781 $code.=<<___ if ($addx);
786 mov 8*0($a_ptr), %rax
787 mov 8*1($a_ptr), $acc6
788 mov 8*2($a_ptr), $acc7
789 mov 8*3($a_ptr), $acc0
791 call __ecp_nistz256_sqr_montq
793 $code.=<<___ if ($addx);
798 mov 8*0($a_ptr), %rdx
799 mov 8*1($a_ptr), $acc6
800 mov 8*2($a_ptr), $acc7
801 mov 8*3($a_ptr), $acc0
802 lea -128($a_ptr), $a_ptr # control u-op density
804 call __ecp_nistz256_sqr_montx
815 .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
817 .type __ecp_nistz256_sqr_montq,\@abi-omnipotent
819 __ecp_nistz256_sqr_montq:
821 mulq $acc6 # a[1]*a[0]
826 mulq $acc5 # a[0]*a[2]
832 mulq $acc5 # a[0]*a[3]
838 #################################
839 mulq $acc6 # a[1]*a[2]
845 mulq $acc6 # a[1]*a[3]
853 #################################
854 mulq $acc7 # a[2]*a[3]
857 mov 8*0($a_ptr), %rax
861 add $acc1, $acc1 # acc1:6<<1
871 mov 8*1($a_ptr), %rax
877 mov 8*2($a_ptr), %rax
884 mov 8*3($a_ptr), %rax
894 mov .Lpoly+8*1(%rip), $a_ptr
895 mov .Lpoly+8*3(%rip), $t1
897 ##########################################
906 adc %rdx, $acc2 # doesn't overflow
918 ##########################################
926 adc %rdx, $acc3 # doesn't overflow
938 ##########################################
946 adc %rdx, $acc4 # doesn't overflow
958 ###########################################
966 adc %rdx, $acc0 # doesn't overflow
977 ############################################
978 # Add the rest of the acc
986 sub \$-1, $acc4 # .Lpoly[0]
988 sbb $a_ptr, $acc5 # .Lpoly[1]
989 sbb \$0, $acc6 # .Lpoly[2]
991 sbb $t1, $acc7 # .Lpoly[3]
996 mov $acc4, 8*0($r_ptr)
998 mov $acc5, 8*1($r_ptr)
1000 mov $acc6, 8*2($r_ptr)
1001 mov $acc7, 8*3($r_ptr)
1004 .size __ecp_nistz256_sqr_montq,.-__ecp_nistz256_sqr_montq
1009 .type __ecp_nistz256_mul_montx,\@abi-omnipotent
1011 __ecp_nistz256_mul_montx:
1012 ########################################################################
1014 mulx $acc1, $acc0, $acc1
1015 mulx $acc2, $t0, $acc2
1017 xor $acc5, $acc5 # cf=0
1018 mulx $acc3, $t1, $acc3
1019 mov .Lpoly+8*3(%rip), $poly3
1021 mulx $acc4, $t0, $acc4
1024 shlx $poly1,$acc0,$t1
1026 shrx $poly1,$acc0,$t0
1029 ########################################################################
1030 # First reduction step
1031 xor $acc0, $acc0 # $acc0=0,cf=0,of=0
1035 mulx $poly3, $t0, $t1
1036 mov 8*1($b_ptr), %rdx
1041 adcx $acc0, $acc5 # cf=0
1042 adox $acc0, $acc5 # of=0
1044 ########################################################################
1046 mulx 8*0+128($a_ptr), $t0, $t1
1050 mulx 8*1+128($a_ptr), $t0, $t1
1054 mulx 8*2+128($a_ptr), $t0, $t1
1058 mulx 8*3+128($a_ptr), $t0, $t1
1061 shlx $poly1, $acc1, $t0
1063 shrx $poly1, $acc1, $t1
1069 ########################################################################
1070 # Second reduction step
1071 xor $acc1 ,$acc1 # $acc1=0,cf=0,of=0
1075 mulx $poly3, $t0, $t1
1076 mov 8*2($b_ptr), %rdx
1081 adcx $acc1, $acc0 # cf=0
1082 adox $acc1, $acc0 # of=0
1084 ########################################################################
1086 mulx 8*0+128($a_ptr), $t0, $t1
1090 mulx 8*1+128($a_ptr), $t0, $t1
1094 mulx 8*2+128($a_ptr), $t0, $t1
1098 mulx 8*3+128($a_ptr), $t0, $t1
1101 shlx $poly1, $acc2, $t0
1103 shrx $poly1, $acc2, $t1
1109 ########################################################################
1110 # Third reduction step
1111 xor $acc2, $acc2 # $acc2=0,cf=0,of=0
1115 mulx $poly3, $t0, $t1
1116 mov 8*3($b_ptr), %rdx
1121 adcx $acc2, $acc1 # cf=0
1122 adox $acc2, $acc1 # of=0
1124 ########################################################################
1126 mulx 8*0+128($a_ptr), $t0, $t1
1130 mulx 8*1+128($a_ptr), $t0, $t1
1134 mulx 8*2+128($a_ptr), $t0, $t1
1138 mulx 8*3+128($a_ptr), $t0, $t1
1141 shlx $poly1, $acc3, $t0
1143 shrx $poly1, $acc3, $t1
1149 ########################################################################
1150 # Fourth reduction step
1151 xor $acc3, $acc3 # $acc3=0,cf=0,of=0
1155 mulx $poly3, $t0, $t1
1157 mov .Lpoly+8*1(%rip), $poly1
1167 ########################################################################
1168 # Branch-less conditional subtraction of P
1170 sbb \$-1, $acc4 # .Lpoly[0]
1171 sbb $poly1, $acc5 # .Lpoly[1]
1172 sbb \$0, $acc0 # .Lpoly[2]
1174 sbb $poly3, $acc1 # .Lpoly[3]
1179 mov $acc4, 8*0($r_ptr)
1181 mov $acc5, 8*1($r_ptr)
1183 mov $acc0, 8*2($r_ptr)
1184 mov $acc1, 8*3($r_ptr)
1187 .size __ecp_nistz256_mul_montx,.-__ecp_nistz256_mul_montx
1189 .type __ecp_nistz256_sqr_montx,\@abi-omnipotent
1191 __ecp_nistz256_sqr_montx:
1192 mulx $acc6, $acc1, $acc2 # a[0]*a[1]
1193 mulx $acc7, $t0, $acc3 # a[0]*a[2]
1196 mulx $acc0, $t1, $acc4 # a[0]*a[3]
1200 xor $acc5, $acc5 # $acc5=0,cf=0,of=0
1202 #################################
1203 mulx $acc7, $t0, $t1 # a[1]*a[2]
1207 mulx $acc0, $t0, $t1 # a[1]*a[3]
1213 #################################
1214 mulx $acc0, $t0, $acc6 # a[2]*a[3]
1215 mov 8*0+128($a_ptr), %rdx
1216 xor $acc7, $acc7 # $acc7=0,cf=0,of=0
1217 adcx $acc1, $acc1 # acc1:6<<1
1220 adox $acc7, $acc6 # of=0
1222 mulx %rdx, $acc0, $t1
1223 mov 8*1+128($a_ptr), %rdx
1228 mov 8*2+128($a_ptr), %rdx
1234 mov 8*3+128($a_ptr), %rdx
1244 shlx $a_ptr, $acc0, $t0
1246 shrx $a_ptr, $acc0, $t4
1247 mov .Lpoly+8*3(%rip), $t1
1257 shlx $a_ptr, $acc1, $t0
1259 shrx $a_ptr, $acc1, $t4
1270 shlx $a_ptr, $acc2, $t0
1272 shrx $a_ptr, $acc2, $t4
1283 shlx $a_ptr, $acc3, $t0
1285 shrx $a_ptr, $acc3, $t4
1299 adc $acc0, $acc4 # accumulate upper half
1300 mov .Lpoly+8*1(%rip), $a_ptr
1308 xor %eax, %eax # cf=0
1309 sbb \$-1, $acc4 # .Lpoly[0]
1311 sbb $a_ptr, $acc5 # .Lpoly[1]
1312 sbb \$0, $acc6 # .Lpoly[2]
1314 sbb $t1, $acc7 # .Lpoly[3]
1319 mov $acc4, 8*0($r_ptr)
1321 mov $acc5, 8*1($r_ptr)
1323 mov $acc6, 8*2($r_ptr)
1324 mov $acc7, 8*3($r_ptr)
1327 .size __ecp_nistz256_sqr_montx,.-__ecp_nistz256_sqr_montx
1332 my ($r_ptr,$in_ptr)=("%rdi","%rsi");
1333 my ($acc0,$acc1,$acc2,$acc3,$acc4)=map("%r$_",(8..12));
1334 my ($t0,$t1)=("%rcx","%rsi");
1337 ################################################################################
1338 # void ecp_nistz256_from_mont(
1341 # This one performs Montgomery multiplication by 1, so we only need the reduction
1343 .globl ecp_nistz256_from_mont
1344 .type ecp_nistz256_from_mont,\@function,2
1346 ecp_nistz256_from_mont:
1350 mov 8*0($in_ptr), %rax
1351 mov 8*1($in_ptr), $acc1
1352 mov 8*2($in_ptr), $acc2
1353 mov 8*3($in_ptr), $acc3
1354 lea .Lpoly(%rip), $in_ptr
1358 #########################################
1378 #########################################
1398 ##########################################
1418 ###########################################
1436 mov 0*8($in_ptr), %rax
1437 mov 1*8($in_ptr), %rdx
1438 mov 2*8($in_ptr), $t0
1439 mov 3*8($in_ptr), $t1
1448 mov $acc4, 8*0($r_ptr)
1450 mov $acc0, 8*1($r_ptr)
1452 mov $acc1, 8*2($r_ptr)
1453 mov $acc2, 8*3($r_ptr)
1458 .size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
1462 my ($val,$in_t,$index)=$win64?("%rcx","%rdx","%r8d"):("%rdi","%rsi","%edx");
1463 my ($ONE,$INDEX,$Ra,$Rb,$Rc,$Rd,$Re,$Rf)=map("%xmm$_",(0..7));
1464 my ($M0,$T0a,$T0b,$T0c,$T0d,$T0e,$T0f,$TMP0)=map("%xmm$_",(8..15));
1465 my ($M1,$T2a,$T2b,$TMP2,$M2,$T2a,$T2b,$TMP2)=map("%xmm$_",(8..15));
1468 ################################################################################
1469 # void ecp_nistz256_scatter_w5(uint64_t *val, uint64_t *in_t, int index);
1470 .globl ecp_nistz256_scatter_w5
1471 .type ecp_nistz256_scatter_w5,\@abi-omnipotent
1473 ecp_nistz256_scatter_w5:
1474 lea -3($index,$index,2), $index
1475 movdqa 0x00($in_t), %xmm0
1477 movdqa 0x10($in_t), %xmm1
1478 movdqa 0x20($in_t), %xmm2
1479 movdqa 0x30($in_t), %xmm3
1480 movdqa 0x40($in_t), %xmm4
1481 movdqa 0x50($in_t), %xmm5
1482 movdqa %xmm0, 0x00($val,$index)
1483 movdqa %xmm1, 0x10($val,$index)
1484 movdqa %xmm2, 0x20($val,$index)
1485 movdqa %xmm3, 0x30($val,$index)
1486 movdqa %xmm4, 0x40($val,$index)
1487 movdqa %xmm5, 0x50($val,$index)
1490 .size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5
1492 ################################################################################
1493 # void ecp_nistz256_gather_w5(uint64_t *val, uint64_t *in_t, int index);
1494 .globl ecp_nistz256_gather_w5
1495 .type ecp_nistz256_gather_w5,\@abi-omnipotent
1497 ecp_nistz256_gather_w5:
1499 $code.=<<___ if ($avx>1);
1500 mov OPENSSL_ia32cap_P+8(%rip), %eax
1502 jnz .Lavx2_gather_w5
1504 $code.=<<___ if ($win64);
1505 lea -0x88(%rsp), %rax
1506 .LSEH_begin_ecp_nistz256_gather_w5:
1507 .byte 0x48,0x8d,0x60,0xe0 #lea -0x20(%rax), %rsp
1508 .byte 0x0f,0x29,0x70,0xe0 #movaps %xmm6, -0x20(%rax)
1509 .byte 0x0f,0x29,0x78,0xf0 #movaps %xmm7, -0x10(%rax)
1510 .byte 0x44,0x0f,0x29,0x00 #movaps %xmm8, 0(%rax)
1511 .byte 0x44,0x0f,0x29,0x48,0x10 #movaps %xmm9, 0x10(%rax)
1512 .byte 0x44,0x0f,0x29,0x50,0x20 #movaps %xmm10, 0x20(%rax)
1513 .byte 0x44,0x0f,0x29,0x58,0x30 #movaps %xmm11, 0x30(%rax)
1514 .byte 0x44,0x0f,0x29,0x60,0x40 #movaps %xmm12, 0x40(%rax)
1515 .byte 0x44,0x0f,0x29,0x68,0x50 #movaps %xmm13, 0x50(%rax)
1516 .byte 0x44,0x0f,0x29,0x70,0x60 #movaps %xmm14, 0x60(%rax)
1517 .byte 0x44,0x0f,0x29,0x78,0x70 #movaps %xmm15, 0x70(%rax)
1520 movdqa .LOne(%rip), $ONE
1531 pshufd \$0, $INDEX, $INDEX
1534 .Lselect_loop_sse_w5:
1538 pcmpeqd $INDEX, $TMP0
1540 movdqa 16*0($in_t), $T0a
1541 movdqa 16*1($in_t), $T0b
1542 movdqa 16*2($in_t), $T0c
1543 movdqa 16*3($in_t), $T0d
1544 movdqa 16*4($in_t), $T0e
1545 movdqa 16*5($in_t), $T0f
1546 lea 16*6($in_t), $in_t
1562 jnz .Lselect_loop_sse_w5
1564 movdqu $Ra, 16*0($val)
1565 movdqu $Rb, 16*1($val)
1566 movdqu $Rc, 16*2($val)
1567 movdqu $Rd, 16*3($val)
1568 movdqu $Re, 16*4($val)
1569 movdqu $Rf, 16*5($val)
1571 $code.=<<___ if ($win64);
1572 movaps (%rsp), %xmm6
1573 movaps 0x10(%rsp), %xmm7
1574 movaps 0x20(%rsp), %xmm8
1575 movaps 0x30(%rsp), %xmm9
1576 movaps 0x40(%rsp), %xmm10
1577 movaps 0x50(%rsp), %xmm11
1578 movaps 0x60(%rsp), %xmm12
1579 movaps 0x70(%rsp), %xmm13
1580 movaps 0x80(%rsp), %xmm14
1581 movaps 0x90(%rsp), %xmm15
1582 lea 0xa8(%rsp), %rsp
1583 .LSEH_end_ecp_nistz256_gather_w5:
1587 .size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5
1589 ################################################################################
1590 # void ecp_nistz256_scatter_w7(uint64_t *val, uint64_t *in_t, int index);
1591 .globl ecp_nistz256_scatter_w7
1592 .type ecp_nistz256_scatter_w7,\@abi-omnipotent
1594 ecp_nistz256_scatter_w7:
1595 movdqu 0x00($in_t), %xmm0
1597 movdqu 0x10($in_t), %xmm1
1598 movdqu 0x20($in_t), %xmm2
1599 movdqu 0x30($in_t), %xmm3
1600 movdqa %xmm0, 0x00($val,$index)
1601 movdqa %xmm1, 0x10($val,$index)
1602 movdqa %xmm2, 0x20($val,$index)
1603 movdqa %xmm3, 0x30($val,$index)
1606 .size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7
1608 ################################################################################
1609 # void ecp_nistz256_gather_w7(uint64_t *val, uint64_t *in_t, int index);
1610 .globl ecp_nistz256_gather_w7
1611 .type ecp_nistz256_gather_w7,\@abi-omnipotent
1613 ecp_nistz256_gather_w7:
1615 $code.=<<___ if ($avx>1);
1616 mov OPENSSL_ia32cap_P+8(%rip), %eax
1618 jnz .Lavx2_gather_w7
1620 $code.=<<___ if ($win64);
1621 lea -0x88(%rsp), %rax
1622 .LSEH_begin_ecp_nistz256_gather_w7:
1623 .byte 0x48,0x8d,0x60,0xe0 #lea -0x20(%rax), %rsp
1624 .byte 0x0f,0x29,0x70,0xe0 #movaps %xmm6, -0x20(%rax)
1625 .byte 0x0f,0x29,0x78,0xf0 #movaps %xmm7, -0x10(%rax)
1626 .byte 0x44,0x0f,0x29,0x00 #movaps %xmm8, 0(%rax)
1627 .byte 0x44,0x0f,0x29,0x48,0x10 #movaps %xmm9, 0x10(%rax)
1628 .byte 0x44,0x0f,0x29,0x50,0x20 #movaps %xmm10, 0x20(%rax)
1629 .byte 0x44,0x0f,0x29,0x58,0x30 #movaps %xmm11, 0x30(%rax)
1630 .byte 0x44,0x0f,0x29,0x60,0x40 #movaps %xmm12, 0x40(%rax)
1631 .byte 0x44,0x0f,0x29,0x68,0x50 #movaps %xmm13, 0x50(%rax)
1632 .byte 0x44,0x0f,0x29,0x70,0x60 #movaps %xmm14, 0x60(%rax)
1633 .byte 0x44,0x0f,0x29,0x78,0x70 #movaps %xmm15, 0x70(%rax)
1636 movdqa .LOne(%rip), $M0
1645 pshufd \$0, $INDEX, $INDEX
1648 .Lselect_loop_sse_w7:
1651 movdqa 16*0($in_t), $T0a
1652 movdqa 16*1($in_t), $T0b
1653 pcmpeqd $INDEX, $TMP0
1654 movdqa 16*2($in_t), $T0c
1655 movdqa 16*3($in_t), $T0d
1656 lea 16*4($in_t), $in_t
1665 prefetcht0 255($in_t)
1669 jnz .Lselect_loop_sse_w7
1671 movdqu $Ra, 16*0($val)
1672 movdqu $Rb, 16*1($val)
1673 movdqu $Rc, 16*2($val)
1674 movdqu $Rd, 16*3($val)
1676 $code.=<<___ if ($win64);
1677 movaps (%rsp), %xmm6
1678 movaps 0x10(%rsp), %xmm7
1679 movaps 0x20(%rsp), %xmm8
1680 movaps 0x30(%rsp), %xmm9
1681 movaps 0x40(%rsp), %xmm10
1682 movaps 0x50(%rsp), %xmm11
1683 movaps 0x60(%rsp), %xmm12
1684 movaps 0x70(%rsp), %xmm13
1685 movaps 0x80(%rsp), %xmm14
1686 movaps 0x90(%rsp), %xmm15
1687 lea 0xa8(%rsp), %rsp
1688 .LSEH_end_ecp_nistz256_gather_w7:
1692 .size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7
1696 my ($val,$in_t,$index)=$win64?("%rcx","%rdx","%r8d"):("%rdi","%rsi","%edx");
1697 my ($TWO,$INDEX,$Ra,$Rb,$Rc)=map("%ymm$_",(0..4));
1698 my ($M0,$T0a,$T0b,$T0c,$TMP0)=map("%ymm$_",(5..9));
1699 my ($M1,$T1a,$T1b,$T1c,$TMP1)=map("%ymm$_",(10..14));
1702 ################################################################################
1703 # void ecp_nistz256_avx2_gather_w5(uint64_t *val, uint64_t *in_t, int index);
1704 .type ecp_nistz256_avx2_gather_w5,\@abi-omnipotent
1706 ecp_nistz256_avx2_gather_w5:
1710 $code.=<<___ if ($win64);
1711 lea -0x88(%rsp), %rax
1712 .LSEH_begin_ecp_nistz256_avx2_gather_w5:
1713 .byte 0x48,0x8d,0x60,0xe0 #lea -0x20(%rax), %rsp
1714 .byte 0xc5,0xf8,0x29,0x70,0xe0 #vmovaps %xmm6, -0x20(%rax)
1715 .byte 0xc5,0xf8,0x29,0x78,0xf0 #vmovaps %xmm7, -0x10(%rax)
1716 .byte 0xc5,0x78,0x29,0x40,0x00 #vmovaps %xmm8, 8(%rax)
1717 .byte 0xc5,0x78,0x29,0x48,0x10 #vmovaps %xmm9, 0x10(%rax)
1718 .byte 0xc5,0x78,0x29,0x50,0x20 #vmovaps %xmm10, 0x20(%rax)
1719 .byte 0xc5,0x78,0x29,0x58,0x30 #vmovaps %xmm11, 0x30(%rax)
1720 .byte 0xc5,0x78,0x29,0x60,0x40 #vmovaps %xmm12, 0x40(%rax)
1721 .byte 0xc5,0x78,0x29,0x68,0x50 #vmovaps %xmm13, 0x50(%rax)
1722 .byte 0xc5,0x78,0x29,0x70,0x60 #vmovaps %xmm14, 0x60(%rax)
1723 .byte 0xc5,0x78,0x29,0x78,0x70 #vmovaps %xmm15, 0x70(%rax)
1726 vmovdqa .LTwo(%rip), $TWO
1732 vmovdqa .LOne(%rip), $M0
1733 vmovdqa .LTwo(%rip), $M1
1736 vpermd $INDEX, $Ra, $INDEX
1739 .Lselect_loop_avx2_w5:
1741 vmovdqa 32*0($in_t), $T0a
1742 vmovdqa 32*1($in_t), $T0b
1743 vmovdqa 32*2($in_t), $T0c
1745 vmovdqa 32*3($in_t), $T1a
1746 vmovdqa 32*4($in_t), $T1b
1747 vmovdqa 32*5($in_t), $T1c
1749 vpcmpeqd $INDEX, $M0, $TMP0
1750 vpcmpeqd $INDEX, $M1, $TMP1
1752 vpaddd $TWO, $M0, $M0
1753 vpaddd $TWO, $M1, $M1
1754 lea 32*6($in_t), $in_t
1756 vpand $TMP0, $T0a, $T0a
1757 vpand $TMP0, $T0b, $T0b
1758 vpand $TMP0, $T0c, $T0c
1759 vpand $TMP1, $T1a, $T1a
1760 vpand $TMP1, $T1b, $T1b
1761 vpand $TMP1, $T1c, $T1c
1763 vpxor $T0a, $Ra, $Ra
1764 vpxor $T0b, $Rb, $Rb
1765 vpxor $T0c, $Rc, $Rc
1766 vpxor $T1a, $Ra, $Ra
1767 vpxor $T1b, $Rb, $Rb
1768 vpxor $T1c, $Rc, $Rc
1771 jnz .Lselect_loop_avx2_w5
1773 vmovdqu $Ra, 32*0($val)
1774 vmovdqu $Rb, 32*1($val)
1775 vmovdqu $Rc, 32*2($val)
1778 $code.=<<___ if ($win64);
1779 movaps (%rsp), %xmm6
1780 movaps 0x10(%rsp), %xmm7
1781 movaps 0x20(%rsp), %xmm8
1782 movaps 0x30(%rsp), %xmm9
1783 movaps 0x40(%rsp), %xmm10
1784 movaps 0x50(%rsp), %xmm11
1785 movaps 0x60(%rsp), %xmm12
1786 movaps 0x70(%rsp), %xmm13
1787 movaps 0x80(%rsp), %xmm14
1788 movaps 0x90(%rsp), %xmm15
1789 lea 0xa8(%rsp), %rsp
1790 .LSEH_end_ecp_nistz256_avx2_gather_w5:
1794 .size ecp_nistz256_avx2_gather_w5,.-ecp_nistz256_avx2_gather_w5
1798 my ($val,$in_t,$index)=$win64?("%rcx","%rdx","%r8d"):("%rdi","%rsi","%edx");
1799 my ($THREE,$INDEX,$Ra,$Rb)=map("%ymm$_",(0..3));
1800 my ($M0,$T0a,$T0b,$TMP0)=map("%ymm$_",(4..7));
1801 my ($M1,$T1a,$T1b,$TMP1)=map("%ymm$_",(8..11));
1802 my ($M2,$T2a,$T2b,$TMP2)=map("%ymm$_",(12..15));
1806 ################################################################################
1807 # void ecp_nistz256_avx2_gather_w7(uint64_t *val, uint64_t *in_t, int index);
1808 .globl ecp_nistz256_avx2_gather_w7
1809 .type ecp_nistz256_avx2_gather_w7,\@abi-omnipotent
1811 ecp_nistz256_avx2_gather_w7:
1815 $code.=<<___ if ($win64);
1816 lea -0x88(%rsp), %rax
1817 .LSEH_begin_ecp_nistz256_avx2_gather_w7:
1818 .byte 0x48,0x8d,0x60,0xe0 #lea -0x20(%rax), %rsp
1819 .byte 0xc5,0xf8,0x29,0x70,0xe0 #vmovaps %xmm6, -0x20(%rax)
1820 .byte 0xc5,0xf8,0x29,0x78,0xf0 #vmovaps %xmm7, -0x10(%rax)
1821 .byte 0xc5,0x78,0x29,0x40,0x00 #vmovaps %xmm8, 8(%rax)
1822 .byte 0xc5,0x78,0x29,0x48,0x10 #vmovaps %xmm9, 0x10(%rax)
1823 .byte 0xc5,0x78,0x29,0x50,0x20 #vmovaps %xmm10, 0x20(%rax)
1824 .byte 0xc5,0x78,0x29,0x58,0x30 #vmovaps %xmm11, 0x30(%rax)
1825 .byte 0xc5,0x78,0x29,0x60,0x40 #vmovaps %xmm12, 0x40(%rax)
1826 .byte 0xc5,0x78,0x29,0x68,0x50 #vmovaps %xmm13, 0x50(%rax)
1827 .byte 0xc5,0x78,0x29,0x70,0x60 #vmovaps %xmm14, 0x60(%rax)
1828 .byte 0xc5,0x78,0x29,0x78,0x70 #vmovaps %xmm15, 0x70(%rax)
1831 vmovdqa .LThree(%rip), $THREE
1836 vmovdqa .LOne(%rip), $M0
1837 vmovdqa .LTwo(%rip), $M1
1838 vmovdqa .LThree(%rip), $M2
1841 vpermd $INDEX, $Ra, $INDEX
1842 # Skip index = 0, because it is implicitly the point at infinity
1845 .Lselect_loop_avx2_w7:
1847 vmovdqa 32*0($in_t), $T0a
1848 vmovdqa 32*1($in_t), $T0b
1850 vmovdqa 32*2($in_t), $T1a
1851 vmovdqa 32*3($in_t), $T1b
1853 vmovdqa 32*4($in_t), $T2a
1854 vmovdqa 32*5($in_t), $T2b
1856 vpcmpeqd $INDEX, $M0, $TMP0
1857 vpcmpeqd $INDEX, $M1, $TMP1
1858 vpcmpeqd $INDEX, $M2, $TMP2
1860 vpaddd $THREE, $M0, $M0
1861 vpaddd $THREE, $M1, $M1
1862 vpaddd $THREE, $M2, $M2
1863 lea 32*6($in_t), $in_t
1865 vpand $TMP0, $T0a, $T0a
1866 vpand $TMP0, $T0b, $T0b
1867 vpand $TMP1, $T1a, $T1a
1868 vpand $TMP1, $T1b, $T1b
1869 vpand $TMP2, $T2a, $T2a
1870 vpand $TMP2, $T2b, $T2b
1872 vpxor $T0a, $Ra, $Ra
1873 vpxor $T0b, $Rb, $Rb
1874 vpxor $T1a, $Ra, $Ra
1875 vpxor $T1b, $Rb, $Rb
1876 vpxor $T2a, $Ra, $Ra
1877 vpxor $T2b, $Rb, $Rb
1880 jnz .Lselect_loop_avx2_w7
1883 vmovdqa 32*0($in_t), $T0a
1884 vmovdqa 32*1($in_t), $T0b
1886 vpcmpeqd $INDEX, $M0, $TMP0
1888 vpand $TMP0, $T0a, $T0a
1889 vpand $TMP0, $T0b, $T0b
1891 vpxor $T0a, $Ra, $Ra
1892 vpxor $T0b, $Rb, $Rb
1894 vmovdqu $Ra, 32*0($val)
1895 vmovdqu $Rb, 32*1($val)
1898 $code.=<<___ if ($win64);
1899 movaps (%rsp), %xmm6
1900 movaps 0x10(%rsp), %xmm7
1901 movaps 0x20(%rsp), %xmm8
1902 movaps 0x30(%rsp), %xmm9
1903 movaps 0x40(%rsp), %xmm10
1904 movaps 0x50(%rsp), %xmm11
1905 movaps 0x60(%rsp), %xmm12
1906 movaps 0x70(%rsp), %xmm13
1907 movaps 0x80(%rsp), %xmm14
1908 movaps 0x90(%rsp), %xmm15
1909 lea 0xa8(%rsp), %rsp
1910 .LSEH_end_ecp_nistz256_avx2_gather_w7:
1914 .size ecp_nistz256_avx2_gather_w7,.-ecp_nistz256_avx2_gather_w7
1918 .globl ecp_nistz256_avx2_gather_w7
1919 .type ecp_nistz256_avx2_gather_w7,\@function,3
1921 ecp_nistz256_avx2_gather_w7:
1922 .byte 0x0f,0x0b # ud2
1924 .size ecp_nistz256_avx2_gather_w7,.-ecp_nistz256_avx2_gather_w7
1928 ########################################################################
1929 # This block implements higher level point_double, point_add and
1930 # point_add_affine. The key to performance in this case is to allow
1931 # out-of-order execution logic to overlap computations from next step
1932 # with tail processing from current step. By using tailored calling
1933 # sequence we minimize inter-step overhead to give processor better
1934 # shot at overlapping operations...
1936 # You will notice that input data is copied to stack. Trouble is that
1937 # there are no registers to spare for holding original pointers and
1938 # reloading them, pointers, would create undesired dependencies on
1939 # effective addresses calculation paths. In other words it's too done
1940 # to favour out-of-order execution logic.
1941 # <appro@openssl.org>
1943 my ($r_ptr,$a_ptr,$b_org,$b_ptr)=("%rdi","%rsi","%rdx","%rbx");
1944 my ($acc0,$acc1,$acc2,$acc3,$acc4,$acc5,$acc6,$acc7)=map("%r$_",(8..15));
1945 my ($t0,$t1,$t2,$t3,$t4)=("%rax","%rbp","%rcx",$acc4,$acc4);
1946 my ($poly1,$poly3)=($acc6,$acc7);
1948 sub load_for_mul () {
1949 my ($a,$b,$src0) = @_;
1950 my $bias = $src0 eq "%rax" ? 0 : -128;
1956 lea $bias+$a, $a_ptr
1961 sub load_for_sqr () {
1963 my $bias = $src0 eq "%rax" ? 0 : -128;
1967 lea $bias+$a, $a_ptr
1973 ########################################################################
1974 # operate in 4-5-0-1 "name space" that matches multiplication output
1976 my ($a0,$a1,$a2,$a3,$t3,$t4)=($acc4,$acc5,$acc0,$acc1,$acc2,$acc3);
1979 .type __ecp_nistz256_add_toq,\@abi-omnipotent
1981 __ecp_nistz256_add_toq:
1982 add 8*0($b_ptr), $a0
1983 adc 8*1($b_ptr), $a1
1985 adc 8*2($b_ptr), $a2
1986 adc 8*3($b_ptr), $a3
2000 mov $a0, 8*0($r_ptr)
2002 mov $a1, 8*1($r_ptr)
2004 mov $a2, 8*2($r_ptr)
2005 mov $a3, 8*3($r_ptr)
2008 .size __ecp_nistz256_add_toq,.-__ecp_nistz256_add_toq
2010 .type __ecp_nistz256_sub_fromq,\@abi-omnipotent
2012 __ecp_nistz256_sub_fromq:
2013 sub 8*0($b_ptr), $a0
2014 sbb 8*1($b_ptr), $a1
2016 sbb 8*2($b_ptr), $a2
2017 sbb 8*3($b_ptr), $a3
2031 mov $a0, 8*0($r_ptr)
2033 mov $a1, 8*1($r_ptr)
2035 mov $a2, 8*2($r_ptr)
2036 mov $a3, 8*3($r_ptr)
2039 .size __ecp_nistz256_sub_fromq,.-__ecp_nistz256_sub_fromq
2041 .type __ecp_nistz256_subq,\@abi-omnipotent
2043 __ecp_nistz256_subq:
2066 .size __ecp_nistz256_subq,.-__ecp_nistz256_subq
2068 .type __ecp_nistz256_mul_by_2q,\@abi-omnipotent
2070 __ecp_nistz256_mul_by_2q:
2071 add $a0, $a0 # a0:a3+a0:a3
2089 mov $a0, 8*0($r_ptr)
2091 mov $a1, 8*1($r_ptr)
2093 mov $a2, 8*2($r_ptr)
2094 mov $a3, 8*3($r_ptr)
2097 .size __ecp_nistz256_mul_by_2q,.-__ecp_nistz256_mul_by_2q
2102 my ($src0,$sfx,$bias);
2103 my ($S,$M,$Zsqr,$in_x,$tmp0)=map(32*$_,(0..4));
2111 .globl ecp_nistz256_point_double
2112 .type ecp_nistz256_point_double,\@function,2
2114 ecp_nistz256_point_double:
2116 $code.=<<___ if ($addx);
2118 and OPENSSL_ia32cap_P+8(%rip), %ecx
2128 .type ecp_nistz256_point_doublex,\@function,2
2130 ecp_nistz256_point_doublex:
2143 movdqu 0x00($a_ptr), %xmm0 # copy *(P256_POINT *)$a_ptr.x
2144 mov $a_ptr, $b_ptr # backup copy
2145 movdqu 0x10($a_ptr), %xmm1
2146 mov 0x20+8*0($a_ptr), $acc4 # load in_y in "5-4-0-1" order
2147 mov 0x20+8*1($a_ptr), $acc5
2148 mov 0x20+8*2($a_ptr), $acc0
2149 mov 0x20+8*3($a_ptr), $acc1
2150 mov .Lpoly+8*1(%rip), $poly1
2151 mov .Lpoly+8*3(%rip), $poly3
2152 movdqa %xmm0, $in_x(%rsp)
2153 movdqa %xmm1, $in_x+0x10(%rsp)
2154 lea 0x20($r_ptr), $acc2
2155 lea 0x40($r_ptr), $acc3
2160 lea $S(%rsp), $r_ptr
2161 call __ecp_nistz256_mul_by_2$x # p256_mul_by_2(S, in_y);
2163 mov 0x40+8*0($a_ptr), $src0
2164 mov 0x40+8*1($a_ptr), $acc6
2165 mov 0x40+8*2($a_ptr), $acc7
2166 mov 0x40+8*3($a_ptr), $acc0
2167 lea 0x40-$bias($a_ptr), $a_ptr
2168 lea $Zsqr(%rsp), $r_ptr
2169 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(Zsqr, in_z);
2171 `&load_for_sqr("$S(%rsp)", "$src0")`
2172 lea $S(%rsp), $r_ptr
2173 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(S, S);
2175 mov 0x20($b_ptr), $src0 # $b_ptr is still valid
2176 mov 0x40+8*0($b_ptr), $acc1
2177 mov 0x40+8*1($b_ptr), $acc2
2178 mov 0x40+8*2($b_ptr), $acc3
2179 mov 0x40+8*3($b_ptr), $acc4
2180 lea 0x40-$bias($b_ptr), $a_ptr
2181 lea 0x20($b_ptr), $b_ptr
2183 call __ecp_nistz256_mul_mont$x # p256_mul_mont(res_z, in_z, in_y);
2184 call __ecp_nistz256_mul_by_2$x # p256_mul_by_2(res_z, res_z);
2186 mov $in_x+8*0(%rsp), $acc4 # "5-4-0-1" order
2187 mov $in_x+8*1(%rsp), $acc5
2188 lea $Zsqr(%rsp), $b_ptr
2189 mov $in_x+8*2(%rsp), $acc0
2190 mov $in_x+8*3(%rsp), $acc1
2191 lea $M(%rsp), $r_ptr
2192 call __ecp_nistz256_add_to$x # p256_add(M, in_x, Zsqr);
2194 mov $in_x+8*0(%rsp), $acc4 # "5-4-0-1" order
2195 mov $in_x+8*1(%rsp), $acc5
2196 lea $Zsqr(%rsp), $b_ptr
2197 mov $in_x+8*2(%rsp), $acc0
2198 mov $in_x+8*3(%rsp), $acc1
2199 lea $Zsqr(%rsp), $r_ptr
2200 call __ecp_nistz256_sub_from$x # p256_sub(Zsqr, in_x, Zsqr);
2202 `&load_for_sqr("$S(%rsp)", "$src0")`
2204 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(res_y, S);
2207 ######## ecp_nistz256_div_by_2(res_y, res_y); ##########################
2208 # operate in 4-5-6-7 "name space" that matches squaring output
2210 my ($poly1,$poly3)=($a_ptr,$t1);
2211 my ($a0,$a1,$a2,$a3,$t3,$t4,$t1)=($acc4,$acc5,$acc6,$acc7,$acc0,$acc1,$acc2);
2224 xor $a_ptr, $a_ptr # borrow $a_ptr
2233 mov $a1, $t0 # a0:a3>>1
2244 mov $a0, 8*0($r_ptr)
2246 mov $a1, 8*1($r_ptr)
2250 mov $a2, 8*2($r_ptr)
2251 mov $a3, 8*3($r_ptr)
2255 `&load_for_mul("$M(%rsp)", "$Zsqr(%rsp)", "$src0")`
2256 lea $M(%rsp), $r_ptr
2257 call __ecp_nistz256_mul_mont$x # p256_mul_mont(M, M, Zsqr);
2259 lea $tmp0(%rsp), $r_ptr
2260 call __ecp_nistz256_mul_by_2$x
2262 lea $M(%rsp), $b_ptr
2263 lea $M(%rsp), $r_ptr
2264 call __ecp_nistz256_add_to$x # p256_mul_by_3(M, M);
2266 `&load_for_mul("$S(%rsp)", "$in_x(%rsp)", "$src0")`
2267 lea $S(%rsp), $r_ptr
2268 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S, S, in_x);
2270 lea $tmp0(%rsp), $r_ptr
2271 call __ecp_nistz256_mul_by_2$x # p256_mul_by_2(tmp0, S);
2273 `&load_for_sqr("$M(%rsp)", "$src0")`
2275 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(res_x, M);
2277 lea $tmp0(%rsp), $b_ptr
2278 mov $acc6, $acc0 # harmonize sqr output and sub input
2282 call __ecp_nistz256_sub_from$x # p256_sub(res_x, res_x, tmp0);
2284 mov $S+8*0(%rsp), $t0
2285 mov $S+8*1(%rsp), $t1
2286 mov $S+8*2(%rsp), $t2
2287 mov $S+8*3(%rsp), $acc2 # "4-5-0-1" order
2288 lea $S(%rsp), $r_ptr
2289 call __ecp_nistz256_sub$x # p256_sub(S, S, res_x);
2292 lea $M(%rsp), $b_ptr
2293 mov $acc4, $acc6 # harmonize sub output and mul input
2295 mov $acc4, $S+8*0(%rsp) # have to save:-(
2297 mov $acc5, $S+8*1(%rsp)
2299 mov $acc0, $S+8*2(%rsp)
2300 lea $S-$bias(%rsp), $a_ptr
2302 mov $acc1, $S+8*3(%rsp)
2304 lea $S(%rsp), $r_ptr
2305 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S, S, M);
2309 call __ecp_nistz256_sub_from$x # p256_sub(res_y, S, res_y);
2319 .size ecp_nistz256_point_double$sfx,.-ecp_nistz256_point_double$sfx
2326 my ($src0,$sfx,$bias);
2327 my ($H,$Hsqr,$R,$Rsqr,$Hcub,
2329 $res_x,$res_y,$res_z,
2330 $in1_x,$in1_y,$in1_z,
2331 $in2_x,$in2_y,$in2_z)=map(32*$_,(0..17));
2332 my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
2340 .globl ecp_nistz256_point_add
2341 .type ecp_nistz256_point_add,\@function,3
2343 ecp_nistz256_point_add:
2345 $code.=<<___ if ($addx);
2347 and OPENSSL_ia32cap_P+8(%rip), %ecx
2357 .type ecp_nistz256_point_addx,\@function,3
2359 ecp_nistz256_point_addx:
2372 movdqu 0x00($a_ptr), %xmm0 # copy *(P256_POINT *)$a_ptr
2373 movdqu 0x10($a_ptr), %xmm1
2374 movdqu 0x20($a_ptr), %xmm2
2375 movdqu 0x30($a_ptr), %xmm3
2376 movdqu 0x40($a_ptr), %xmm4
2377 movdqu 0x50($a_ptr), %xmm5
2378 mov $a_ptr, $b_ptr # reassign
2379 mov $b_org, $a_ptr # reassign
2380 movdqa %xmm0, $in1_x(%rsp)
2381 movdqa %xmm1, $in1_x+0x10(%rsp)
2383 movdqa %xmm2, $in1_y(%rsp)
2384 movdqa %xmm3, $in1_y+0x10(%rsp)
2386 movdqa %xmm4, $in1_z(%rsp)
2387 movdqa %xmm5, $in1_z+0x10(%rsp)
2390 movdqu 0x00($a_ptr), %xmm0 # copy *(P256_POINT *)$b_ptr
2391 pshufd \$0xb1, %xmm3, %xmm5
2392 movdqu 0x10($a_ptr), %xmm1
2393 movdqu 0x20($a_ptr), %xmm2
2395 movdqu 0x30($a_ptr), %xmm3
2396 mov 0x40+8*0($a_ptr), $src0 # load original in2_z
2397 mov 0x40+8*1($a_ptr), $acc6
2398 mov 0x40+8*2($a_ptr), $acc7
2399 mov 0x40+8*3($a_ptr), $acc0
2400 movdqa %xmm0, $in2_x(%rsp)
2401 pshufd \$0x1e, %xmm5, %xmm4
2402 movdqa %xmm1, $in2_x+0x10(%rsp)
2404 movq $r_ptr, %xmm0 # save $r_ptr
2405 movdqa %xmm2, $in2_y(%rsp)
2406 movdqa %xmm3, $in2_y+0x10(%rsp)
2412 lea 0x40-$bias($a_ptr), $a_ptr # $a_ptr is still valid
2413 mov $src0, $in2_z+8*0(%rsp) # make in2_z copy
2414 mov $acc6, $in2_z+8*1(%rsp)
2415 mov $acc7, $in2_z+8*2(%rsp)
2416 mov $acc0, $in2_z+8*3(%rsp)
2417 lea $Z2sqr(%rsp), $r_ptr # Z2^2
2418 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(Z2sqr, in2_z);
2420 pcmpeqd %xmm4, %xmm5
2421 pshufd \$0xb1, %xmm3, %xmm4
2423 pshufd \$0, %xmm5, %xmm5 # in1infty
2424 pshufd \$0x1e, %xmm4, %xmm3
2427 pcmpeqd %xmm3, %xmm4
2428 pshufd \$0, %xmm4, %xmm4 # in2infty
2429 mov 0x40+8*0($b_ptr), $src0 # load original in1_z
2430 mov 0x40+8*1($b_ptr), $acc6
2431 mov 0x40+8*2($b_ptr), $acc7
2432 mov 0x40+8*3($b_ptr), $acc0
2434 lea 0x40-$bias($b_ptr), $a_ptr
2435 lea $Z1sqr(%rsp), $r_ptr # Z1^2
2436 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(Z1sqr, in1_z);
2438 `&load_for_mul("$Z2sqr(%rsp)", "$in2_z(%rsp)", "$src0")`
2439 lea $S1(%rsp), $r_ptr # S1 = Z2^3
2440 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S1, Z2sqr, in2_z);
2442 `&load_for_mul("$Z1sqr(%rsp)", "$in1_z(%rsp)", "$src0")`
2443 lea $S2(%rsp), $r_ptr # S2 = Z1^3
2444 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S2, Z1sqr, in1_z);
2446 `&load_for_mul("$S1(%rsp)", "$in1_y(%rsp)", "$src0")`
2447 lea $S1(%rsp), $r_ptr # S1 = Y1*Z2^3
2448 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S1, S1, in1_y);
2450 `&load_for_mul("$S2(%rsp)", "$in2_y(%rsp)", "$src0")`
2451 lea $S2(%rsp), $r_ptr # S2 = Y2*Z1^3
2452 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S2, S2, in2_y);
2454 lea $S1(%rsp), $b_ptr
2455 lea $R(%rsp), $r_ptr # R = S2 - S1
2456 call __ecp_nistz256_sub_from$x # p256_sub(R, S2, S1);
2458 or $acc5, $acc4 # see if result is zero
2462 por %xmm5, %xmm2 # in1infty || in2infty
2465 `&load_for_mul("$Z2sqr(%rsp)", "$in1_x(%rsp)", "$src0")`
2466 lea $U1(%rsp), $r_ptr # U1 = X1*Z2^2
2467 call __ecp_nistz256_mul_mont$x # p256_mul_mont(U1, in1_x, Z2sqr);
2469 `&load_for_mul("$Z1sqr(%rsp)", "$in2_x(%rsp)", "$src0")`
2470 lea $U2(%rsp), $r_ptr # U2 = X2*Z1^2
2471 call __ecp_nistz256_mul_mont$x # p256_mul_mont(U2, in2_x, Z1sqr);
2473 lea $U1(%rsp), $b_ptr
2474 lea $H(%rsp), $r_ptr # H = U2 - U1
2475 call __ecp_nistz256_sub_from$x # p256_sub(H, U2, U1);
2477 or $acc5, $acc4 # see if result is zero
2481 .byte 0x3e # predict taken
2482 jnz .Ladd_proceed$x # is_equal(U1,U2)?
2486 jnz .Ladd_proceed$x # (in1infty || in2infty)?
2488 jz .Ladd_proceed$x # is_equal(S1,S2)?
2490 movq %xmm0, $r_ptr # restore $r_ptr
2492 movdqu %xmm0, 0x00($r_ptr)
2493 movdqu %xmm0, 0x10($r_ptr)
2494 movdqu %xmm0, 0x20($r_ptr)
2495 movdqu %xmm0, 0x30($r_ptr)
2496 movdqu %xmm0, 0x40($r_ptr)
2497 movdqu %xmm0, 0x50($r_ptr)
2502 `&load_for_sqr("$R(%rsp)", "$src0")`
2503 lea $Rsqr(%rsp), $r_ptr # R^2
2504 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(Rsqr, R);
2506 `&load_for_mul("$H(%rsp)", "$in1_z(%rsp)", "$src0")`
2507 lea $res_z(%rsp), $r_ptr # Z3 = H*Z1*Z2
2508 call __ecp_nistz256_mul_mont$x # p256_mul_mont(res_z, H, in1_z);
2510 `&load_for_sqr("$H(%rsp)", "$src0")`
2511 lea $Hsqr(%rsp), $r_ptr # H^2
2512 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(Hsqr, H);
2514 `&load_for_mul("$res_z(%rsp)", "$in2_z(%rsp)", "$src0")`
2515 lea $res_z(%rsp), $r_ptr # Z3 = H*Z1*Z2
2516 call __ecp_nistz256_mul_mont$x # p256_mul_mont(res_z, res_z, in2_z);
2518 `&load_for_mul("$Hsqr(%rsp)", "$H(%rsp)", "$src0")`
2519 lea $Hcub(%rsp), $r_ptr # H^3
2520 call __ecp_nistz256_mul_mont$x # p256_mul_mont(Hcub, Hsqr, H);
2522 `&load_for_mul("$Hsqr(%rsp)", "$U1(%rsp)", "$src0")`
2523 lea $U2(%rsp), $r_ptr # U1*H^2
2524 call __ecp_nistz256_mul_mont$x # p256_mul_mont(U2, U1, Hsqr);
2527 #######################################################################
2528 # operate in 4-5-0-1 "name space" that matches multiplication output
2530 my ($acc0,$acc1,$acc2,$acc3,$t3,$t4)=($acc4,$acc5,$acc0,$acc1,$acc2,$acc3);
2531 my ($poly1, $poly3)=($acc6,$acc7);
2534 #lea $U2(%rsp), $a_ptr
2535 #lea $Hsqr(%rsp), $r_ptr # 2*U1*H^2
2536 #call __ecp_nistz256_mul_by_2 # ecp_nistz256_mul_by_2(Hsqr, U2);
2538 add $acc0, $acc0 # a0:a3+a0:a3
2539 lea $Rsqr(%rsp), $a_ptr
2556 mov 8*0($a_ptr), $t0
2558 mov 8*1($a_ptr), $t1
2560 mov 8*2($a_ptr), $t2
2562 mov 8*3($a_ptr), $t3
2564 call __ecp_nistz256_sub$x # p256_sub(res_x, Rsqr, Hsqr);
2566 lea $Hcub(%rsp), $b_ptr
2567 lea $res_x(%rsp), $r_ptr
2568 call __ecp_nistz256_sub_from$x # p256_sub(res_x, res_x, Hcub);
2570 mov $U2+8*0(%rsp), $t0
2571 mov $U2+8*1(%rsp), $t1
2572 mov $U2+8*2(%rsp), $t2
2573 mov $U2+8*3(%rsp), $t3
2574 lea $res_y(%rsp), $r_ptr
2576 call __ecp_nistz256_sub$x # p256_sub(res_y, U2, res_x);
2578 mov $acc0, 8*0($r_ptr) # save the result, as
2579 mov $acc1, 8*1($r_ptr) # __ecp_nistz256_sub doesn't
2580 mov $acc2, 8*2($r_ptr)
2581 mov $acc3, 8*3($r_ptr)
2585 `&load_for_mul("$S1(%rsp)", "$Hcub(%rsp)", "$src0")`
2586 lea $S2(%rsp), $r_ptr
2587 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S2, S1, Hcub);
2589 `&load_for_mul("$R(%rsp)", "$res_y(%rsp)", "$src0")`
2590 lea $res_y(%rsp), $r_ptr
2591 call __ecp_nistz256_mul_mont$x # p256_mul_mont(res_y, R, res_y);
2593 lea $S2(%rsp), $b_ptr
2594 lea $res_y(%rsp), $r_ptr
2595 call __ecp_nistz256_sub_from$x # p256_sub(res_y, res_y, S2);
2597 movq %xmm0, $r_ptr # restore $r_ptr
2599 movdqa %xmm5, %xmm0 # copy_conditional(res_z, in2_z, in1infty);
2601 pandn $res_z(%rsp), %xmm0
2603 pandn $res_z+0x10(%rsp), %xmm1
2605 pand $in2_z(%rsp), %xmm2
2606 pand $in2_z+0x10(%rsp), %xmm3
2610 movdqa %xmm4, %xmm0 # copy_conditional(res_z, in1_z, in2infty);
2616 pand $in1_z(%rsp), %xmm2
2617 pand $in1_z+0x10(%rsp), %xmm3
2620 movdqu %xmm2, 0x40($r_ptr)
2621 movdqu %xmm3, 0x50($r_ptr)
2623 movdqa %xmm5, %xmm0 # copy_conditional(res_x, in2_x, in1infty);
2625 pandn $res_x(%rsp), %xmm0
2627 pandn $res_x+0x10(%rsp), %xmm1
2629 pand $in2_x(%rsp), %xmm2
2630 pand $in2_x+0x10(%rsp), %xmm3
2634 movdqa %xmm4, %xmm0 # copy_conditional(res_x, in1_x, in2infty);
2640 pand $in1_x(%rsp), %xmm2
2641 pand $in1_x+0x10(%rsp), %xmm3
2644 movdqu %xmm2, 0x00($r_ptr)
2645 movdqu %xmm3, 0x10($r_ptr)
2647 movdqa %xmm5, %xmm0 # copy_conditional(res_y, in2_y, in1infty);
2649 pandn $res_y(%rsp), %xmm0
2651 pandn $res_y+0x10(%rsp), %xmm1
2653 pand $in2_y(%rsp), %xmm2
2654 pand $in2_y+0x10(%rsp), %xmm3
2658 movdqa %xmm4, %xmm0 # copy_conditional(res_y, in1_y, in2infty);
2664 pand $in1_y(%rsp), %xmm2
2665 pand $in1_y+0x10(%rsp), %xmm3
2668 movdqu %xmm2, 0x20($r_ptr)
2669 movdqu %xmm3, 0x30($r_ptr)
2680 .size ecp_nistz256_point_add$sfx,.-ecp_nistz256_point_add$sfx
2685 sub gen_add_affine () {
2687 my ($src0,$sfx,$bias);
2688 my ($U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr,
2689 $res_x,$res_y,$res_z,
2690 $in1_x,$in1_y,$in1_z,
2691 $in2_x,$in2_y)=map(32*$_,(0..14));
2700 .globl ecp_nistz256_point_add_affine
2701 .type ecp_nistz256_point_add_affine,\@function,3
2703 ecp_nistz256_point_add_affine:
2705 $code.=<<___ if ($addx);
2707 and OPENSSL_ia32cap_P+8(%rip), %ecx
2709 je .Lpoint_add_affinex
2717 .type ecp_nistz256_point_add_affinex,\@function,3
2719 ecp_nistz256_point_add_affinex:
2720 .Lpoint_add_affinex:
2732 movdqu 0x00($a_ptr), %xmm0 # copy *(P256_POINT *)$a_ptr
2733 mov $b_org, $b_ptr # reassign
2734 movdqu 0x10($a_ptr), %xmm1
2735 movdqu 0x20($a_ptr), %xmm2
2736 movdqu 0x30($a_ptr), %xmm3
2737 movdqu 0x40($a_ptr), %xmm4
2738 movdqu 0x50($a_ptr), %xmm5
2739 mov 0x40+8*0($a_ptr), $src0 # load original in1_z
2740 mov 0x40+8*1($a_ptr), $acc6
2741 mov 0x40+8*2($a_ptr), $acc7
2742 mov 0x40+8*3($a_ptr), $acc0
2743 movdqa %xmm0, $in1_x(%rsp)
2744 movdqa %xmm1, $in1_x+0x10(%rsp)
2746 movdqa %xmm2, $in1_y(%rsp)
2747 movdqa %xmm3, $in1_y+0x10(%rsp)
2749 movdqa %xmm4, $in1_z(%rsp)
2750 movdqa %xmm5, $in1_z+0x10(%rsp)
2753 movdqu 0x00($b_ptr), %xmm0 # copy *(P256_POINT_AFFINE *)$b_ptr
2754 pshufd \$0xb1, %xmm3, %xmm5
2755 movdqu 0x10($b_ptr), %xmm1
2756 movdqu 0x20($b_ptr), %xmm2
2758 movdqu 0x30($b_ptr), %xmm3
2759 movdqa %xmm0, $in2_x(%rsp)
2760 pshufd \$0x1e, %xmm5, %xmm4
2761 movdqa %xmm1, $in2_x+0x10(%rsp)
2763 movq $r_ptr, %xmm0 # save $r_ptr
2764 movdqa %xmm2, $in2_y(%rsp)
2765 movdqa %xmm3, $in2_y+0x10(%rsp)
2771 lea 0x40-$bias($a_ptr), $a_ptr # $a_ptr is still valid
2772 lea $Z1sqr(%rsp), $r_ptr # Z1^2
2773 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(Z1sqr, in1_z);
2775 pcmpeqd %xmm4, %xmm5
2776 pshufd \$0xb1, %xmm3, %xmm4
2777 mov 0x00($b_ptr), $src0 # $b_ptr is still valid
2778 #lea 0x00($b_ptr), $b_ptr
2779 mov $acc4, $acc1 # harmonize sqr output and mul input
2781 pshufd \$0, %xmm5, %xmm5 # in1infty
2782 pshufd \$0x1e, %xmm4, %xmm3
2787 pcmpeqd %xmm3, %xmm4
2788 pshufd \$0, %xmm4, %xmm4 # in2infty
2790 lea $Z1sqr-$bias(%rsp), $a_ptr
2792 lea $U2(%rsp), $r_ptr # U2 = X2*Z1^2
2793 call __ecp_nistz256_mul_mont$x # p256_mul_mont(U2, Z1sqr, in2_x);
2795 lea $in1_x(%rsp), $b_ptr
2796 lea $H(%rsp), $r_ptr # H = U2 - U1
2797 call __ecp_nistz256_sub_from$x # p256_sub(H, U2, in1_x);
2799 `&load_for_mul("$Z1sqr(%rsp)", "$in1_z(%rsp)", "$src0")`
2800 lea $S2(%rsp), $r_ptr # S2 = Z1^3
2801 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S2, Z1sqr, in1_z);
2803 `&load_for_mul("$H(%rsp)", "$in1_z(%rsp)", "$src0")`
2804 lea $res_z(%rsp), $r_ptr # Z3 = H*Z1*Z2
2805 call __ecp_nistz256_mul_mont$x # p256_mul_mont(res_z, H, in1_z);
2807 `&load_for_mul("$S2(%rsp)", "$in2_y(%rsp)", "$src0")`
2808 lea $S2(%rsp), $r_ptr # S2 = Y2*Z1^3
2809 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S2, S2, in2_y);
2811 lea $in1_y(%rsp), $b_ptr
2812 lea $R(%rsp), $r_ptr # R = S2 - S1
2813 call __ecp_nistz256_sub_from$x # p256_sub(R, S2, in1_y);
2815 `&load_for_sqr("$H(%rsp)", "$src0")`
2816 lea $Hsqr(%rsp), $r_ptr # H^2
2817 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(Hsqr, H);
2819 `&load_for_sqr("$R(%rsp)", "$src0")`
2820 lea $Rsqr(%rsp), $r_ptr # R^2
2821 call __ecp_nistz256_sqr_mont$x # p256_sqr_mont(Rsqr, R);
2823 `&load_for_mul("$H(%rsp)", "$Hsqr(%rsp)", "$src0")`
2824 lea $Hcub(%rsp), $r_ptr # H^3
2825 call __ecp_nistz256_mul_mont$x # p256_mul_mont(Hcub, Hsqr, H);
2827 `&load_for_mul("$Hsqr(%rsp)", "$in1_x(%rsp)", "$src0")`
2828 lea $U2(%rsp), $r_ptr # U1*H^2
2829 call __ecp_nistz256_mul_mont$x # p256_mul_mont(U2, in1_x, Hsqr);
2832 #######################################################################
2833 # operate in 4-5-0-1 "name space" that matches multiplication output
2835 my ($acc0,$acc1,$acc2,$acc3,$t3,$t4)=($acc4,$acc5,$acc0,$acc1,$acc2,$acc3);
2836 my ($poly1, $poly3)=($acc6,$acc7);
2839 #lea $U2(%rsp), $a_ptr
2840 #lea $Hsqr(%rsp), $r_ptr # 2*U1*H^2
2841 #call __ecp_nistz256_mul_by_2 # ecp_nistz256_mul_by_2(Hsqr, U2);
2843 add $acc0, $acc0 # a0:a3+a0:a3
2844 lea $Rsqr(%rsp), $a_ptr
2861 mov 8*0($a_ptr), $t0
2863 mov 8*1($a_ptr), $t1
2865 mov 8*2($a_ptr), $t2
2867 mov 8*3($a_ptr), $t3
2869 call __ecp_nistz256_sub$x # p256_sub(res_x, Rsqr, Hsqr);
2871 lea $Hcub(%rsp), $b_ptr
2872 lea $res_x(%rsp), $r_ptr
2873 call __ecp_nistz256_sub_from$x # p256_sub(res_x, res_x, Hcub);
2875 mov $U2+8*0(%rsp), $t0
2876 mov $U2+8*1(%rsp), $t1
2877 mov $U2+8*2(%rsp), $t2
2878 mov $U2+8*3(%rsp), $t3
2879 lea $H(%rsp), $r_ptr
2881 call __ecp_nistz256_sub$x # p256_sub(H, U2, res_x);
2883 mov $acc0, 8*0($r_ptr) # save the result, as
2884 mov $acc1, 8*1($r_ptr) # __ecp_nistz256_sub doesn't
2885 mov $acc2, 8*2($r_ptr)
2886 mov $acc3, 8*3($r_ptr)
2890 `&load_for_mul("$Hcub(%rsp)", "$in1_y(%rsp)", "$src0")`
2891 lea $S2(%rsp), $r_ptr
2892 call __ecp_nistz256_mul_mont$x # p256_mul_mont(S2, Hcub, in1_y);
2894 `&load_for_mul("$H(%rsp)", "$R(%rsp)", "$src0")`
2895 lea $H(%rsp), $r_ptr
2896 call __ecp_nistz256_mul_mont$x # p256_mul_mont(H, H, R);
2898 lea $S2(%rsp), $b_ptr
2899 lea $res_y(%rsp), $r_ptr
2900 call __ecp_nistz256_sub_from$x # p256_sub(res_y, H, S2);
2902 movq %xmm0, $r_ptr # restore $r_ptr
2904 movdqa %xmm5, %xmm0 # copy_conditional(res_z, ONE, in1infty);
2906 pandn $res_z(%rsp), %xmm0
2908 pandn $res_z+0x10(%rsp), %xmm1
2910 pand .LONE_mont(%rip), %xmm2
2911 pand .LONE_mont+0x10(%rip), %xmm3
2915 movdqa %xmm4, %xmm0 # copy_conditional(res_z, in1_z, in2infty);
2921 pand $in1_z(%rsp), %xmm2
2922 pand $in1_z+0x10(%rsp), %xmm3
2925 movdqu %xmm2, 0x40($r_ptr)
2926 movdqu %xmm3, 0x50($r_ptr)
2928 movdqa %xmm5, %xmm0 # copy_conditional(res_x, in2_x, in1infty);
2930 pandn $res_x(%rsp), %xmm0
2932 pandn $res_x+0x10(%rsp), %xmm1
2934 pand $in2_x(%rsp), %xmm2
2935 pand $in2_x+0x10(%rsp), %xmm3
2939 movdqa %xmm4, %xmm0 # copy_conditional(res_x, in1_x, in2infty);
2945 pand $in1_x(%rsp), %xmm2
2946 pand $in1_x+0x10(%rsp), %xmm3
2949 movdqu %xmm2, 0x00($r_ptr)
2950 movdqu %xmm3, 0x10($r_ptr)
2952 movdqa %xmm5, %xmm0 # copy_conditional(res_y, in2_y, in1infty);
2954 pandn $res_y(%rsp), %xmm0
2956 pandn $res_y+0x10(%rsp), %xmm1
2958 pand $in2_y(%rsp), %xmm2
2959 pand $in2_y+0x10(%rsp), %xmm3
2963 movdqa %xmm4, %xmm0 # copy_conditional(res_y, in1_y, in2infty);
2969 pand $in1_y(%rsp), %xmm2
2970 pand $in1_y+0x10(%rsp), %xmm3
2973 movdqu %xmm2, 0x20($r_ptr)
2974 movdqu %xmm3, 0x30($r_ptr)
2984 .size ecp_nistz256_point_add_affine$sfx,.-ecp_nistz256_point_add_affine$sfx
2987 &gen_add_affine("q");
2989 ########################################################################
2993 ########################################################################
2994 # operate in 4-5-0-1 "name space" that matches multiplication output
2996 my ($a0,$a1,$a2,$a3,$t3,$t4)=($acc4,$acc5,$acc0,$acc1,$acc2,$acc3);
2999 .type __ecp_nistz256_add_tox,\@abi-omnipotent
3001 __ecp_nistz256_add_tox:
3003 adc 8*0($b_ptr), $a0
3004 adc 8*1($b_ptr), $a1
3006 adc 8*2($b_ptr), $a2
3007 adc 8*3($b_ptr), $a3
3022 mov $a0, 8*0($r_ptr)
3024 mov $a1, 8*1($r_ptr)
3026 mov $a2, 8*2($r_ptr)
3027 mov $a3, 8*3($r_ptr)
3030 .size __ecp_nistz256_add_tox,.-__ecp_nistz256_add_tox
3032 .type __ecp_nistz256_sub_fromx,\@abi-omnipotent
3034 __ecp_nistz256_sub_fromx:
3036 sbb 8*0($b_ptr), $a0
3037 sbb 8*1($b_ptr), $a1
3039 sbb 8*2($b_ptr), $a2
3040 sbb 8*3($b_ptr), $a3
3055 mov $a0, 8*0($r_ptr)
3057 mov $a1, 8*1($r_ptr)
3059 mov $a2, 8*2($r_ptr)
3060 mov $a3, 8*3($r_ptr)
3063 .size __ecp_nistz256_sub_fromx,.-__ecp_nistz256_sub_fromx
3065 .type __ecp_nistz256_subx,\@abi-omnipotent
3067 __ecp_nistz256_subx:
3092 .size __ecp_nistz256_subx,.-__ecp_nistz256_subx
3094 .type __ecp_nistz256_mul_by_2x,\@abi-omnipotent
3096 __ecp_nistz256_mul_by_2x:
3098 adc $a0, $a0 # a0:a3+a0:a3
3117 mov $a0, 8*0($r_ptr)
3119 mov $a1, 8*1($r_ptr)
3121 mov $a2, 8*2($r_ptr)
3122 mov $a3, 8*3($r_ptr)
3125 .size __ecp_nistz256_mul_by_2x,.-__ecp_nistz256_mul_by_2x
3130 &gen_add_affine("x");
3134 ########################################################################
3135 # Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7
3137 open TABLE,"<ecp_nistz256_table.c" or
3138 open TABLE,"<${dir}../ecp_nistz256_table.c" or
3139 die "failed to open ecp_nistz256_table.c:",$!;
3144 s/TOBN\(\s*(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\s*\)/push @arr,hex($2),hex($1)/geo;
3148 die "insane number of elements" if ($#arr != 64*16*37-1);
3152 .globl ecp_nistz256_precomputed
3153 .type ecp_nistz256_precomputed,\@object
3155 ecp_nistz256_precomputed:
3157 while (@line=splice(@arr,0,16)) {
3158 print ".long\t",join(',',map { sprintf "0x%08x",$_} @line),"\n";
3161 .size ecp_nistz256_precomputed,.-ecp_nistz256_precomputed
3164 $code =~ s/\`([^\`]*)\`/eval $1/gem;
projects / openssl.git / blob