2 # Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # IALU(*)/gcc-4.4 NEON
19 # ARM11xx(ARMv6) 7.78/+100% -
20 # Cortex-A5 6.35/+130% 3.00
21 # Cortex-A8 6.25/+115% 2.36
22 # Cortex-A9 5.10/+95% 2.55
23 # Cortex-A15 3.85/+85% 1.25(**)
24 # Snapdragon S4 5.70/+100% 1.48(**)
26 # (*) this is for -march=armv6, i.e. with bunch of ldrb loading data;
27 # (**) these are trade-off results, they can be improved by ~8% but at
28 # the cost of 15/12% regression on Cortex-A5/A7, it's even possible
29 # to improve Cortex-A9 result, but then A5/A7 loose more than 20%;
31 # $output is the last argument if it looks like a file (it has an extension)
32 # $flavour is the first argument if it doesn't look like a file
33 $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
34 $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
36 if ($flavour && $flavour ne "void") {
37 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
38 ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
39 ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
40 die "can't locate arm-xlate.pl";
42 open STDOUT,"| \"$^X\" $xlate $flavour \"$output\""
43 or die "can't call $xlate: $!";
45 $output and open STDOUT,">$output";
48 ($ctx,$inp,$len,$padbit)=map("r$_",(0..3));
53 #if defined(__thumb2__)
63 .globl poly1305_blocks
65 .type poly1305_init,%function
73 str r3,[$ctx,#0] @ zero hash value
78 str r3,[$ctx,#36] @ is_base2_26
87 #if __ARM_MAX_ARCH__>=7
88 adr r11,.Lpoly1305_init
89 ldr r12,.LOPENSSL_armcap
94 and r3,r10,#-4 @ 0x0ffffffc
105 #if __ARM_MAX_ARCH__>=7
106 # if !defined(_WIN32)
107 ldr r12,[r11,r12] @ OPENSSL_armcap_P
109 # if defined(__APPLE__) || defined(_WIN32)
122 #if __ARM_MAX_ARCH__>=7
123 tst r12,#ARMV7_NEON @ check for NEON
125 adr r9,.Lpoly1305_blocks_neon
126 adr r11,.Lpoly1305_blocks
127 adr r12,.Lpoly1305_emit
128 adr r10,.Lpoly1305_emit_neon
132 orr r11,r11,#1 @ thumb-ify address
135 addeq r12,r11,#(.Lpoly1305_emit-.Lpoly1305_init)
136 addne r12,r11,#(.Lpoly1305_emit_neon-.Lpoly1305_init)
137 addeq r11,r11,#(.Lpoly1305_blocks-.Lpoly1305_init)
138 addne r11,r11,#(.Lpoly1305_blocks_neon-.Lpoly1305_init)
159 #if __ARM_MAX_ARCH__>=7
160 stmia r2,{r11,r12} @ fill functions table
171 moveq pc,lr @ be binary compatible with V4, yet
172 bx lr @ interoperable with Thumb ISA:-)
174 .size poly1305_init,.-poly1305_init
177 my ($h0,$h1,$h2,$h3,$h4,$r0,$r1,$r2,$r3)=map("r$_",(4..12));
178 my ($s1,$s2,$s3)=($r1,$r2,$r3);
181 .type poly1305_blocks,%function
185 stmdb sp!,{r3-r11,lr}
191 add $len,$len,$inp @ end pointer
194 ldmia $ctx,{$h0-$r3} @ load context
196 str $ctx,[sp,#12] @ offload stuff
206 ldrb r0,[lr],#16 @ load input
210 addhi $h4,$h4,#1 @ 1<<128
220 adds $h0,$h0,r3 @ accumulate input
242 str lr,[sp,#8] @ offload input pointer
244 add $s1,$r1,$r1,lsr#2
247 ldr r0,[lr],#16 @ load input
251 addhi $h4,$h4,#1 @ padbit
261 adds $h0,$h0,r0 @ accumulate input
262 str lr,[sp,#8] @ offload input pointer
264 add $s1,$r1,$r1,lsr#2
267 add $s2,$r2,$r2,lsr#2
269 add $s3,$r3,$r3,lsr#2
276 ldr $r1,[sp,#20] @ reload $r1
282 str r0,[sp,#0] @ future $h0
284 ldr $r2,[sp,#24] @ reload $r2
285 adds r2,r2,r1 @ d1+=d0>>32
287 adc lr,r3,#0 @ future $h2
288 str r2,[sp,#4] @ future $h1
293 ldr $r3,[sp,#28] @ reload $r3
305 adds $h2,lr,r0 @ d2+=d1>>32
306 ldr lr,[sp,#8] @ reload input pointer
308 adds $h3,r2,r1 @ d3+=d2>>32
309 ldr r0,[sp,#16] @ reload end pointer
311 add $h4,$h4,r3 @ h4+=d3>>32
315 add r1,r1,r1,lsr#2 @ *=5
322 cmp r0,lr @ done yet?
327 stmia $ctx,{$h0-$h4} @ store the result
331 ldmia sp!,{r3-r11,pc}
333 ldmia sp!,{r3-r11,lr}
335 moveq pc,lr @ be binary compatible with V4, yet
336 bx lr @ interoperable with Thumb ISA:-)
338 .size poly1305_blocks,.-poly1305_blocks
342 my ($ctx,$mac,$nonce)=map("r$_",(0..2));
343 my ($h0,$h1,$h2,$h3,$h4,$g0,$g1,$g2,$g3)=map("r$_",(3..11));
347 .type poly1305_emit,%function
352 .Lpoly1305_emit_enter:
355 adds $g0,$h0,#5 @ compare to modulus
360 tst $g4,#4 @ did it carry/borrow?
437 moveq pc,lr @ be binary compatible with V4, yet
438 bx lr @ interoperable with Thumb ISA:-)
440 .size poly1305_emit,.-poly1305_emit
443 my ($R0,$R1,$S1,$R2,$S2,$R3,$S3,$R4,$S4) = map("d$_",(0..9));
444 my ($D0,$D1,$D2,$D3,$D4, $H0,$H1,$H2,$H3,$H4) = map("q$_",(5..14));
445 my ($T0,$T1,$MASK) = map("q$_",(15,4,0));
447 my ($in2,$zeros,$tbl0,$tbl1) = map("r$_",(4..7));
450 #if __ARM_MAX_ARCH__>=7
453 .type poly1305_init_neon,%function
456 ldr r4,[$ctx,#20] @ load key base 2^32
461 and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
469 and r3,r3,#0x03ffffff
470 and r4,r4,#0x03ffffff
471 and r5,r5,#0x03ffffff
473 vdup.32 $R0,r2 @ r^1 in both lanes
474 add r2,r3,r3,lsl#2 @ *5
487 mov $zeros,#2 @ counter
490 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
491 @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
492 @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
493 @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
494 @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
495 @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
497 vmull.u32 $D0,$R0,${R0}[1]
498 vmull.u32 $D1,$R1,${R0}[1]
499 vmull.u32 $D2,$R2,${R0}[1]
500 vmull.u32 $D3,$R3,${R0}[1]
501 vmull.u32 $D4,$R4,${R0}[1]
503 vmlal.u32 $D0,$R4,${S1}[1]
504 vmlal.u32 $D1,$R0,${R1}[1]
505 vmlal.u32 $D2,$R1,${R1}[1]
506 vmlal.u32 $D3,$R2,${R1}[1]
507 vmlal.u32 $D4,$R3,${R1}[1]
509 vmlal.u32 $D0,$R3,${S2}[1]
510 vmlal.u32 $D1,$R4,${S2}[1]
511 vmlal.u32 $D3,$R1,${R2}[1]
512 vmlal.u32 $D2,$R0,${R2}[1]
513 vmlal.u32 $D4,$R2,${R2}[1]
515 vmlal.u32 $D0,$R2,${S3}[1]
516 vmlal.u32 $D3,$R0,${R3}[1]
517 vmlal.u32 $D1,$R3,${S3}[1]
518 vmlal.u32 $D2,$R4,${S3}[1]
519 vmlal.u32 $D4,$R1,${R3}[1]
521 vmlal.u32 $D3,$R4,${S4}[1]
522 vmlal.u32 $D0,$R1,${S4}[1]
523 vmlal.u32 $D1,$R2,${S4}[1]
524 vmlal.u32 $D2,$R3,${S4}[1]
525 vmlal.u32 $D4,$R0,${R4}[1]
527 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
528 @ lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
531 @ H0>>+H1>>+H2>>+H3>>+H4
532 @ H3>>+H4>>*5+H0>>+H1
536 @ Result of multiplication of n-bit number by m-bit number is
537 @ n+m bits wide. However! Even though 2^n is a n+1-bit number,
538 @ m-bit number multiplied by 2^n is still n+m bits wide.
540 @ Sum of two n-bit numbers is n+1 bits wide, sum of three - n+2,
541 @ and so is sum of four. Sum of 2^m n-m-bit numbers and n-bit
542 @ one is n+1 bits wide.
544 @ >>+ denotes Hnext += Hn>>26, Hn &= 0x3ffffff. This means that
545 @ H0, H2, H3 are guaranteed to be 26 bits wide, while H1 and H4
546 @ can be 27. However! In cases when their width exceeds 26 bits
547 @ they are limited by 2^26+2^6. This in turn means that *sum*
548 @ of the products with these values can still be viewed as sum
549 @ of 52-bit numbers as long as the amount of addends is not a
550 @ power of 2. For example,
552 @ H4 = H4*R0 + H3*R1 + H2*R2 + H1*R3 + H0 * R4,
554 @ which can't be larger than 5 * (2^26 + 2^6) * (2^26 + 2^6), or
555 @ 5 * (2^52 + 2*2^32 + 2^12), which in turn is smaller than
556 @ 8 * (2^52) or 2^55. However, the value is then multiplied by
557 @ by 5, so we should be looking at 5 * 5 * (2^52 + 2^33 + 2^12),
558 @ which is less than 32 * (2^52) or 2^57. And when processing
559 @ data we are looking at triple as many addends...
561 @ In key setup procedure pre-reduced H0 is limited by 5*4+1 and
562 @ 5*H4 - by 5*5 52-bit addends, or 57 bits. But when hashing the
563 @ input H0 is limited by (5*4+1)*3 addends, or 58 bits, while
564 @ 5*H4 by 5*5*3, or 59[!] bits. How is this relevant? vmlal.u32
565 @ instruction accepts 2x32-bit input and writes 2x64-bit result.
566 @ This means that result of reduction have to be compressed upon
567 @ loop wrap-around. This can be done in the process of reduction
568 @ to minimize amount of instructions [as well as amount of
569 @ 128-bit instructions, which benefits low-end processors], but
570 @ one has to watch for H2 (which is narrower than H0) and 5*H4
571 @ not being wider than 58 bits, so that result of right shift
572 @ by 26 bits fits in 32 bits. This is also useful on x86,
573 @ because it allows to use paddd in place for paddq, which
574 @ benefits Atom, where paddq is ridiculously slow.
580 vadd.i64 $D4,$D4,$T0 @ h3 -> h4
581 vbic.i32 $D3#lo,#0xfc000000 @ &=0x03ffffff
582 vadd.i64 $D1,$D1,$T1 @ h0 -> h1
583 vbic.i32 $D0#lo,#0xfc000000
585 vshrn.u64 $T0#lo,$D4,#26
589 vadd.i64 $D2,$D2,$T1 @ h1 -> h2
590 vbic.i32 $D4#lo,#0xfc000000
591 vbic.i32 $D1#lo,#0xfc000000
593 vadd.i32 $D0#lo,$D0#lo,$T0#lo
594 vshl.u32 $T0#lo,$T0#lo,#2
595 vshrn.u64 $T1#lo,$D2,#26
597 vadd.i32 $D0#lo,$D0#lo,$T0#lo @ h4 -> h0
598 vadd.i32 $D3#lo,$D3#lo,$T1#lo @ h2 -> h3
599 vbic.i32 $D2#lo,#0xfc000000
601 vshr.u32 $T0#lo,$D0#lo,#26
602 vbic.i32 $D0#lo,#0xfc000000
603 vshr.u32 $T1#lo,$D3#lo,#26
604 vbic.i32 $D3#lo,#0xfc000000
605 vadd.i32 $D1#lo,$D1#lo,$T0#lo @ h0 -> h1
606 vadd.i32 $D4#lo,$D4#lo,$T1#lo @ h3 -> h4
608 subs $zeros,$zeros,#1
609 beq .Lsquare_break_neon
611 add $tbl0,$ctx,#(48+0*9*4)
612 add $tbl1,$ctx,#(48+1*9*4)
614 vtrn.32 $R0,$D0#lo @ r^2:r^1
620 vshl.u32 $S2,$R2,#2 @ *5
629 vst4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]!
630 vst4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]!
631 vst4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
632 vst4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
633 vst1.32 {${S4}[0]},[$tbl0,:32]
634 vst1.32 {${S4}[1]},[$tbl1,:32]
640 add $tbl0,$ctx,#(48+2*4*9)
641 add $tbl1,$ctx,#(48+3*4*9)
643 vmov $R0,$D0#lo @ r^4:r^3
644 vshl.u32 $S1,$D1#lo,#2 @ *5
646 vshl.u32 $S2,$D2#lo,#2
648 vshl.u32 $S3,$D3#lo,#2
650 vshl.u32 $S4,$D4#lo,#2
652 vadd.i32 $S1,$S1,$D1#lo
653 vadd.i32 $S2,$S2,$D2#lo
654 vadd.i32 $S3,$S3,$D3#lo
655 vadd.i32 $S4,$S4,$D4#lo
657 vst4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]!
658 vst4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]!
659 vst4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
660 vst4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
661 vst1.32 {${S4}[0]},[$tbl0]
662 vst1.32 {${S4}[1]},[$tbl1]
665 .size poly1305_init_neon,.-poly1305_init_neon
667 .type poly1305_blocks_neon,%function
669 poly1305_blocks_neon:
670 .Lpoly1305_blocks_neon:
671 ldr ip,[$ctx,#36] @ is_base2_26
677 tst ip,ip @ is_base2_26?
678 beq .Lpoly1305_blocks
682 vstmdb sp!,{d8-d15} @ ABI specification says so
684 tst ip,ip @ is_base2_26?
688 bl poly1305_init_neon
690 ldr r4,[$ctx,#0] @ load hash value base 2^32
696 and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
698 veor $D0#lo,$D0#lo,$D0#lo
701 veor $D1#lo,$D1#lo,$D1#lo
704 veor $D2#lo,$D2#lo,$D2#lo
707 veor $D3#lo,$D3#lo,$D3#lo
708 and r3,r3,#0x03ffffff
710 veor $D4#lo,$D4#lo,$D4#lo
711 and r4,r4,#0x03ffffff
713 and r5,r5,#0x03ffffff
714 str r1,[$ctx,#36] @ is_base2_26
728 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
731 veor $D0#lo,$D0#lo,$D0#lo
732 veor $D1#lo,$D1#lo,$D1#lo
733 veor $D2#lo,$D2#lo,$D2#lo
734 veor $D3#lo,$D3#lo,$D3#lo
735 veor $D4#lo,$D4#lo,$D4#lo
736 vld4.32 {$D0#lo[0],$D1#lo[0],$D2#lo[0],$D3#lo[0]},[$ctx]!
738 vld1.32 {$D4#lo[0]},[$ctx]
739 sub $ctx,$ctx,#16 @ rewind
743 mov $padbit,$padbit,lsl#24
747 vld4.32 {$H0#lo[0],$H1#lo[0],$H2#lo[0],$H3#lo[0]},[$inp]!
748 vmov.32 $H4#lo[0],$padbit
758 vsri.u32 $H4#lo,$H3#lo,#8 @ base 2^32 -> base 2^26
759 vshl.u32 $H3#lo,$H3#lo,#18
761 vsri.u32 $H3#lo,$H2#lo,#14
762 vshl.u32 $H2#lo,$H2#lo,#12
763 vadd.i32 $H4#hi,$H4#lo,$D4#lo @ add hash value and move to #hi
765 vbic.i32 $H3#lo,#0xfc000000
766 vsri.u32 $H2#lo,$H1#lo,#20
767 vshl.u32 $H1#lo,$H1#lo,#6
769 vbic.i32 $H2#lo,#0xfc000000
770 vsri.u32 $H1#lo,$H0#lo,#26
771 vadd.i32 $H3#hi,$H3#lo,$D3#lo
773 vbic.i32 $H0#lo,#0xfc000000
774 vbic.i32 $H1#lo,#0xfc000000
775 vadd.i32 $H2#hi,$H2#lo,$D2#lo
777 vadd.i32 $H0#hi,$H0#lo,$D0#lo
778 vadd.i32 $H1#hi,$H1#lo,$D1#lo
792 vmov.i32 $H4,#1<<24 @ padbit, yes, always
793 vld4.32 {$H0#lo,$H1#lo,$H2#lo,$H3#lo},[$inp] @ inp[0:1]
795 vld4.32 {$H0#hi,$H1#hi,$H2#hi,$H3#hi},[$in2] @ inp[2:3] (or 0)
798 addhi $tbl1,$ctx,#(48+1*9*4)
799 addhi $tbl0,$ctx,#(48+3*9*4)
807 vsri.u32 $H4,$H3,#8 @ base 2^32 -> base 2^26
813 vbic.i32 $H3,#0xfc000000
817 vbic.i32 $H2,#0xfc000000
820 vbic.i32 $H0,#0xfc000000
821 vbic.i32 $H1,#0xfc000000
825 vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^2
826 vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^4
827 vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
828 vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
833 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
834 @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
835 @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
836 @ \___________________/
837 @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
838 @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
839 @ \___________________/ \____________________/
841 @ Note that we start with inp[2:3]*r^2. This is because it
842 @ doesn't depend on reduction in previous iteration.
843 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
844 @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
845 @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
846 @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
847 @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
848 @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
850 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
853 vadd.i32 $H2#lo,$H2#lo,$D2#lo @ accumulate inp[0:1]
854 vmull.u32 $D2,$H2#hi,${R0}[1]
855 vadd.i32 $H0#lo,$H0#lo,$D0#lo
856 vmull.u32 $D0,$H0#hi,${R0}[1]
857 vadd.i32 $H3#lo,$H3#lo,$D3#lo
858 vmull.u32 $D3,$H3#hi,${R0}[1]
859 vmlal.u32 $D2,$H1#hi,${R1}[1]
860 vadd.i32 $H1#lo,$H1#lo,$D1#lo
861 vmull.u32 $D1,$H1#hi,${R0}[1]
863 vadd.i32 $H4#lo,$H4#lo,$D4#lo
864 vmull.u32 $D4,$H4#hi,${R0}[1]
866 vmlal.u32 $D0,$H4#hi,${S1}[1]
869 vmlal.u32 $D3,$H2#hi,${R1}[1]
870 vld1.32 ${S4}[1],[$tbl1,:32]
871 vmlal.u32 $D1,$H0#hi,${R1}[1]
872 vmlal.u32 $D4,$H3#hi,${R1}[1]
874 vmlal.u32 $D0,$H3#hi,${S2}[1]
875 vmlal.u32 $D3,$H1#hi,${R2}[1]
876 vmlal.u32 $D4,$H2#hi,${R2}[1]
877 vmlal.u32 $D1,$H4#hi,${S2}[1]
878 vmlal.u32 $D2,$H0#hi,${R2}[1]
880 vmlal.u32 $D3,$H0#hi,${R3}[1]
881 vmlal.u32 $D0,$H2#hi,${S3}[1]
882 vmlal.u32 $D4,$H1#hi,${R3}[1]
883 vmlal.u32 $D1,$H3#hi,${S3}[1]
884 vmlal.u32 $D2,$H4#hi,${S3}[1]
886 vmlal.u32 $D3,$H4#hi,${S4}[1]
887 vmlal.u32 $D0,$H1#hi,${S4}[1]
888 vmlal.u32 $D4,$H0#hi,${R4}[1]
889 vmlal.u32 $D1,$H2#hi,${S4}[1]
890 vmlal.u32 $D2,$H3#hi,${S4}[1]
892 vld4.32 {$H0#hi,$H1#hi,$H2#hi,$H3#hi},[$in2] @ inp[2:3] (or 0)
895 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
896 @ (hash+inp[0:1])*r^4 and accumulate
898 vmlal.u32 $D3,$H3#lo,${R0}[0]
899 vmlal.u32 $D0,$H0#lo,${R0}[0]
900 vmlal.u32 $D4,$H4#lo,${R0}[0]
901 vmlal.u32 $D1,$H1#lo,${R0}[0]
902 vmlal.u32 $D2,$H2#lo,${R0}[0]
903 vld1.32 ${S4}[0],[$tbl0,:32]
905 vmlal.u32 $D3,$H2#lo,${R1}[0]
906 vmlal.u32 $D0,$H4#lo,${S1}[0]
907 vmlal.u32 $D4,$H3#lo,${R1}[0]
908 vmlal.u32 $D1,$H0#lo,${R1}[0]
909 vmlal.u32 $D2,$H1#lo,${R1}[0]
911 vmlal.u32 $D3,$H1#lo,${R2}[0]
912 vmlal.u32 $D0,$H3#lo,${S2}[0]
913 vmlal.u32 $D4,$H2#lo,${R2}[0]
914 vmlal.u32 $D1,$H4#lo,${S2}[0]
915 vmlal.u32 $D2,$H0#lo,${R2}[0]
917 vmlal.u32 $D3,$H0#lo,${R3}[0]
918 vmlal.u32 $D0,$H2#lo,${S3}[0]
919 vmlal.u32 $D4,$H1#lo,${R3}[0]
920 vmlal.u32 $D1,$H3#lo,${S3}[0]
921 vmlal.u32 $D3,$H4#lo,${S4}[0]
923 vmlal.u32 $D2,$H4#lo,${S3}[0]
924 vmlal.u32 $D0,$H1#lo,${S4}[0]
925 vmlal.u32 $D4,$H0#lo,${R4}[0]
926 vmov.i32 $H4,#1<<24 @ padbit, yes, always
927 vmlal.u32 $D1,$H2#lo,${S4}[0]
928 vmlal.u32 $D2,$H3#lo,${S4}[0]
930 vld4.32 {$H0#lo,$H1#lo,$H2#lo,$H3#lo},[$inp] @ inp[0:1]
939 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
940 @ lazy reduction interleaved with base 2^32 -> base 2^26 of
941 @ inp[0:3] previously loaded to $H0-$H3 and smashed to $H0-$H4.
947 vadd.i64 $D4,$D4,$T0 @ h3 -> h4
948 vbic.i32 $D3#lo,#0xfc000000
949 vsri.u32 $H4,$H3,#8 @ base 2^32 -> base 2^26
950 vadd.i64 $D1,$D1,$T1 @ h0 -> h1
952 vbic.i32 $D0#lo,#0xfc000000
954 vshrn.u64 $T0#lo,$D4,#26
958 vadd.i64 $D2,$D2,$T1 @ h1 -> h2
960 vbic.i32 $D4#lo,#0xfc000000
962 vbic.i32 $D1#lo,#0xfc000000
964 vadd.i32 $D0#lo,$D0#lo,$T0#lo
965 vshl.u32 $T0#lo,$T0#lo,#2
966 vbic.i32 $H3,#0xfc000000
967 vshrn.u64 $T1#lo,$D2,#26
969 vaddl.u32 $D0,$D0#lo,$T0#lo @ h4 -> h0 [widen for a sec]
971 vadd.i32 $D3#lo,$D3#lo,$T1#lo @ h2 -> h3
973 vbic.i32 $D2#lo,#0xfc000000
974 vbic.i32 $H2,#0xfc000000
976 vshrn.u64 $T0#lo,$D0,#26 @ re-narrow
979 vbic.i32 $H0,#0xfc000000
980 vshr.u32 $T1#lo,$D3#lo,#26
981 vbic.i32 $D3#lo,#0xfc000000
982 vbic.i32 $D0#lo,#0xfc000000
983 vadd.i32 $D1#lo,$D1#lo,$T0#lo @ h0 -> h1
984 vadd.i32 $D4#lo,$D4#lo,$T1#lo @ h3 -> h4
985 vbic.i32 $H1,#0xfc000000
990 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
991 @ multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
993 add $tbl1,$ctx,#(48+0*9*4)
994 add $tbl0,$ctx,#(48+1*9*4)
1000 vadd.i32 $H2#hi,$H2#lo,$D2#lo @ add hash value and move to #hi
1001 vadd.i32 $H0#hi,$H0#lo,$D0#lo
1002 vadd.i32 $H3#hi,$H3#lo,$D3#lo
1003 vadd.i32 $H1#hi,$H1#lo,$D1#lo
1004 vadd.i32 $H4#hi,$H4#lo,$D4#lo
1007 vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^1
1008 vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^2
1010 vadd.i32 $H2#lo,$H2#lo,$D2#lo @ can be redundant
1011 vmull.u32 $D2,$H2#hi,$R0
1012 vadd.i32 $H0#lo,$H0#lo,$D0#lo
1013 vmull.u32 $D0,$H0#hi,$R0
1014 vadd.i32 $H3#lo,$H3#lo,$D3#lo
1015 vmull.u32 $D3,$H3#hi,$R0
1016 vadd.i32 $H1#lo,$H1#lo,$D1#lo
1017 vmull.u32 $D1,$H1#hi,$R0
1018 vadd.i32 $H4#lo,$H4#lo,$D4#lo
1019 vmull.u32 $D4,$H4#hi,$R0
1021 vmlal.u32 $D0,$H4#hi,$S1
1022 vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
1023 vmlal.u32 $D3,$H2#hi,$R1
1024 vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
1025 vmlal.u32 $D1,$H0#hi,$R1
1026 vmlal.u32 $D4,$H3#hi,$R1
1027 vmlal.u32 $D2,$H1#hi,$R1
1029 vmlal.u32 $D3,$H1#hi,$R2
1030 vld1.32 ${S4}[1],[$tbl1,:32]
1031 vmlal.u32 $D0,$H3#hi,$S2
1032 vld1.32 ${S4}[0],[$tbl0,:32]
1033 vmlal.u32 $D4,$H2#hi,$R2
1034 vmlal.u32 $D1,$H4#hi,$S2
1035 vmlal.u32 $D2,$H0#hi,$R2
1037 vmlal.u32 $D3,$H0#hi,$R3
1039 addne $tbl1,$ctx,#(48+2*9*4)
1040 vmlal.u32 $D0,$H2#hi,$S3
1042 addne $tbl0,$ctx,#(48+3*9*4)
1043 vmlal.u32 $D4,$H1#hi,$R3
1044 vmlal.u32 $D1,$H3#hi,$S3
1045 vmlal.u32 $D2,$H4#hi,$S3
1047 vmlal.u32 $D3,$H4#hi,$S4
1048 vorn $MASK,$MASK,$MASK @ all-ones, can be redundant
1049 vmlal.u32 $D0,$H1#hi,$S4
1050 vshr.u64 $MASK,$MASK,#38
1051 vmlal.u32 $D4,$H0#hi,$R4
1052 vmlal.u32 $D1,$H2#hi,$S4
1053 vmlal.u32 $D2,$H3#hi,$S4
1057 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1058 @ (hash+inp[0:1])*r^4:r^3 and accumulate
1060 vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^3
1061 vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^4
1063 vmlal.u32 $D2,$H2#lo,$R0
1064 vmlal.u32 $D0,$H0#lo,$R0
1065 vmlal.u32 $D3,$H3#lo,$R0
1066 vmlal.u32 $D1,$H1#lo,$R0
1067 vmlal.u32 $D4,$H4#lo,$R0
1069 vmlal.u32 $D0,$H4#lo,$S1
1070 vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
1071 vmlal.u32 $D3,$H2#lo,$R1
1072 vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
1073 vmlal.u32 $D1,$H0#lo,$R1
1074 vmlal.u32 $D4,$H3#lo,$R1
1075 vmlal.u32 $D2,$H1#lo,$R1
1077 vmlal.u32 $D3,$H1#lo,$R2
1078 vld1.32 ${S4}[1],[$tbl1,:32]
1079 vmlal.u32 $D0,$H3#lo,$S2
1080 vld1.32 ${S4}[0],[$tbl0,:32]
1081 vmlal.u32 $D4,$H2#lo,$R2
1082 vmlal.u32 $D1,$H4#lo,$S2
1083 vmlal.u32 $D2,$H0#lo,$R2
1085 vmlal.u32 $D3,$H0#lo,$R3
1086 vmlal.u32 $D0,$H2#lo,$S3
1087 vmlal.u32 $D4,$H1#lo,$R3
1088 vmlal.u32 $D1,$H3#lo,$S3
1089 vmlal.u32 $D2,$H4#lo,$S3
1091 vmlal.u32 $D3,$H4#lo,$S4
1092 vorn $MASK,$MASK,$MASK @ all-ones
1093 vmlal.u32 $D0,$H1#lo,$S4
1094 vshr.u64 $MASK,$MASK,#38
1095 vmlal.u32 $D4,$H0#lo,$R4
1096 vmlal.u32 $D1,$H2#lo,$S4
1097 vmlal.u32 $D2,$H3#lo,$S4
1100 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1101 @ horizontal addition
1103 vadd.i64 $D3#lo,$D3#lo,$D3#hi
1104 vadd.i64 $D0#lo,$D0#lo,$D0#hi
1105 vadd.i64 $D4#lo,$D4#lo,$D4#hi
1106 vadd.i64 $D1#lo,$D1#lo,$D1#hi
1107 vadd.i64 $D2#lo,$D2#lo,$D2#hi
1109 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1110 @ lazy reduction, but without narrowing
1112 vshr.u64 $T0,$D3,#26
1113 vand.i64 $D3,$D3,$MASK
1114 vshr.u64 $T1,$D0,#26
1115 vand.i64 $D0,$D0,$MASK
1116 vadd.i64 $D4,$D4,$T0 @ h3 -> h4
1117 vadd.i64 $D1,$D1,$T1 @ h0 -> h1
1119 vshr.u64 $T0,$D4,#26
1120 vand.i64 $D4,$D4,$MASK
1121 vshr.u64 $T1,$D1,#26
1122 vand.i64 $D1,$D1,$MASK
1123 vadd.i64 $D2,$D2,$T1 @ h1 -> h2
1125 vadd.i64 $D0,$D0,$T0
1127 vshr.u64 $T1,$D2,#26
1128 vand.i64 $D2,$D2,$MASK
1129 vadd.i64 $D0,$D0,$T0 @ h4 -> h0
1130 vadd.i64 $D3,$D3,$T1 @ h2 -> h3
1132 vshr.u64 $T0,$D0,#26
1133 vand.i64 $D0,$D0,$MASK
1134 vshr.u64 $T1,$D3,#26
1135 vand.i64 $D3,$D3,$MASK
1136 vadd.i64 $D1,$D1,$T0 @ h0 -> h1
1137 vadd.i64 $D4,$D4,$T1 @ h3 -> h4
1142 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1145 vst4.32 {$D0#lo[0],$D1#lo[0],$D2#lo[0],$D3#lo[0]},[$ctx]!
1146 vst1.32 {$D4#lo[0]},[$ctx]
1148 vldmia sp!,{d8-d15} @ epilogue
1152 .size poly1305_blocks_neon,.-poly1305_blocks_neon
1154 .type poly1305_emit_neon,%function
1157 .Lpoly1305_emit_neon:
1158 ldr ip,[$ctx,#36] @ is_base2_26
1163 beq .Lpoly1305_emit_enter
1165 ldmia $ctx,{$h0-$h4}
1168 adds $h0,$h0,$h1,lsl#26 @ base 2^26 -> base 2^32
1170 adcs $h1,$h1,$h2,lsl#20
1172 adcs $h2,$h2,$h3,lsl#14
1174 adcs $h3,$h3,$h4,lsl#8
1175 adc $h4,$g0,$h4,lsr#24 @ can be partially reduced ...
1177 and $g0,$h4,#-4 @ ... so reduce
1179 add $g0,$g0,$g0,lsr#2 @ *= 5
1186 adds $g0,$h0,#5 @ compare to modulus
1191 tst $g4,#4 @ did it carry/borrow?
1204 ldr $g3,[$nonce,#12]
1206 adds $h0,$h0,$g0 @ accumulate nonce
1217 str $h0,[$mac,#0] @ store the result
1224 .size poly1305_emit_neon,.-poly1305_emit_neon
1228 .long 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
1231 .word OPENSSL_armcap_P
1233 .word OPENSSL_armcap_P-.Lpoly1305_init
1239 .asciz "Poly1305 for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
1241 #if __ARM_MAX_ARCH__>=7
1242 .comm OPENSSL_armcap_P,4,4
1246 foreach (split("\n",$code)) {
1247 s/\`([^\`]*)\`/eval $1/geo;
1249 s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo or
1250 s/\bret\b/bx lr/go or
1251 s/\bbx\s+lr\b/.word\t0xe12fff1e/go; # make it possible to compile with -march=armv4
1255 close STDOUT or die "error closing STDOUT: $!"; # enforce flush
projects / openssl.git / blob