2 # Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
19 # Montgomery multiplication routine for x86_64. While it gives modest
20 # 9% improvement of rsa4096 sign on Opteron, rsa512 sign runs more
21 # than twice, >2x, as fast. Most common rsa1024 sign is improved by
22 # respectful 50%. It remains to be seen if loop unrolling and
23 # dedicated squaring routine can provide further improvement...
27 # Add dedicated squaring procedure. Performance improvement varies
28 # from platform to platform, but in average it's ~5%/15%/25%/33%
29 # for 512-/1024-/2048-/4096-bit RSA *sign* benchmarks respectively.
33 # Unroll and modulo-schedule inner loops in such manner that they
34 # are "fallen through" for input lengths of 8, which is critical for
35 # 1024-bit RSA *sign*. Average performance improvement in comparison
36 # to *initial* version of this module from 2005 is ~0%/30%/40%/45%
37 # for 512-/1024-/2048-/4096-bit RSA *sign* benchmarks respectively.
41 # Optimize reduction in squaring procedure and improve 1024+-bit RSA
42 # sign performance by 10-16% on Intel Sandy Bridge and later
43 # (virtually same on non-Intel processors).
47 # Add MULX/ADOX/ADCX code path.
49 # $output is the last argument if it looks like a file (it has an extension)
50 # $flavour is the first argument if it doesn't look like a file
51 $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
52 $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
54 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
56 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
57 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
58 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
59 die "can't locate x86_64-xlate.pl";
61 open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""
62 or die "can't call $xlate: $!";
65 if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
66 =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
70 if (!$addx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
71 `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
75 if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
76 `ml64 2>&1` =~ /Version ([0-9]+)\./) {
80 if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
81 my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
86 $rp="%rdi"; # BN_ULONG *rp,
87 $ap="%rsi"; # const BN_ULONG *ap,
88 $bp="%rdx"; # const BN_ULONG *bp,
89 $np="%rcx"; # const BN_ULONG *np,
90 $n0="%r8"; # const BN_ULONG *n0,
91 $num="%r9"; # int num);
103 .extern OPENSSL_ia32cap_P
106 .type bn_mul_mont,\@function,6
112 .cfi_def_cfa_register %rax
118 $code.=<<___ if ($addx);
119 mov OPENSSL_ia32cap_P+8(%rip),%r11d
145 lea -16(%rsp,$num,8),%r10 # future alloca(8*(num+2))
146 neg $num # restore $num
147 and \$-1024,%r10 # minimize TLB usage
149 # An OS-agnostic version of __chkstk.
151 # Some OSes (Windows) insist on stack being "wired" to
152 # physical memory in strictly sequential manner, i.e. if stack
153 # allocation spans two pages, then reference to farmost one can
154 # be punishable by SEGV. But page walking can do good even on
155 # other OSes, because it guarantees that villain thread hits
156 # the guard page before it can make damage to innocent one...
163 jmp .Lmul_page_walk_done
171 .Lmul_page_walk_done:
173 mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp
174 .cfi_cfa_expression %rsp+8,$num,8,mul,plus,deref,+8
176 mov $bp,%r12 # reassign $bp
180 mov ($n0),$n0 # pull n0[0] value
181 mov ($bp),$m0 # m0=bp[0]
188 mulq $m0 # ap[0]*bp[0]
192 imulq $lo0,$m1 # "tp[0]"*n0
196 add %rax,$lo0 # discarded
209 add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0]
212 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
216 mulq $m0 # ap[j]*bp[0]
228 mov ($ap),%rax # ap[0]
230 add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0]
232 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
239 mov $hi1,-8(%rsp,$num,8)
240 mov %rdx,(%rsp,$num,8) # store upmost overflow bit
246 mov ($bp,$i,8),$m0 # m0=bp[i]
250 mulq $m0 # ap[0]*bp[i]
251 add %rax,$lo0 # ap[0]*bp[i]+tp[0]
255 imulq $lo0,$m1 # tp[0]*n0
259 add %rax,$lo0 # discarded
262 mov 8(%rsp),$lo0 # tp[1]
273 add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j]
276 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
280 mulq $m0 # ap[j]*bp[i]
284 add $hi0,$lo0 # ap[j]*bp[i]+tp[j]
294 mov ($ap),%rax # ap[0]
296 add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j]
299 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
305 add $lo0,$hi1 # pull upmost overflow bit
307 mov $hi1,-8(%rsp,$num,8)
308 mov %rdx,(%rsp,$num,8) # store upmost overflow bit
314 xor $i,$i # i=0 and clear CF!
315 mov (%rsp),%rax # tp[0]
319 .Lsub: sbb ($np,$i,8),%rax
320 mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i]
321 mov 8(%rsp,$i,8),%rax # tp[i+1]
323 dec $j # doesn't affect CF!
326 sbb \$0,%rax # handle upmost overflow bit
328 xor %rax,%rbx # not %rax
332 .Lcopy: # conditional copy
337 mov $num,(%rsp,$i,8) # zap temporary vector
339 mov %rdx,($rp,$i,8) # rp[i]=tp[i]
344 mov 8(%rsp,$num,8),%rsi # restore %rsp
360 .cfi_def_cfa_register %rsp
364 .size bn_mul_mont,.-bn_mul_mont
367 my @A=("%r10","%r11");
368 my @N=("%r13","%rdi");
370 .type bn_mul4x_mont,\@function,6
376 .cfi_def_cfa_register %rax
379 $code.=<<___ if ($addx);
400 lea -32(%rsp,$num,8),%r10 # future alloca(8*(num+4))
402 and \$-1024,%r10 # minimize TLB usage
410 jmp .Lmul4x_page_walk_done
417 .Lmul4x_page_walk_done:
419 mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp
420 .cfi_cfa_expression %rsp+8,$num,8,mul,plus,deref,+8
422 mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp
423 mov %rdx,%r12 # reassign $bp
427 mov ($n0),$n0 # pull n0[0] value
428 mov ($bp),$m0 # m0=bp[0]
435 mulq $m0 # ap[0]*bp[0]
439 imulq $A[0],$m1 # "tp[0]"*n0
443 add %rax,$A[0] # discarded
466 mulq $m0 # ap[j]*bp[0]
468 mov -16($np,$j,8),%rax
474 mov -8($ap,$j,8),%rax
476 add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0]
478 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
481 mulq $m0 # ap[j]*bp[0]
483 mov -8($np,$j,8),%rax
491 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0]
493 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
496 mulq $m0 # ap[j]*bp[0]
506 add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0]
508 mov $N[0],-8(%rsp,$j,8) # tp[j-1]
511 mulq $m0 # ap[j]*bp[0]
520 mov -16($ap,$j,8),%rax
522 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0]
524 mov $N[1],-32(%rsp,$j,8) # tp[j-1]
529 mulq $m0 # ap[j]*bp[0]
531 mov -16($np,$j,8),%rax
537 mov -8($ap,$j,8),%rax
539 add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0]
541 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
544 mulq $m0 # ap[j]*bp[0]
546 mov -8($np,$j,8),%rax
552 mov ($ap),%rax # ap[0]
554 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0]
556 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
562 mov $N[0],-8(%rsp,$j,8)
563 mov $N[1],(%rsp,$j,8) # store upmost overflow bit
568 mov ($bp,$i,8),$m0 # m0=bp[i]
572 mulq $m0 # ap[0]*bp[i]
573 add %rax,$A[0] # ap[0]*bp[i]+tp[0]
577 imulq $A[0],$m1 # tp[0]*n0
581 add %rax,$A[0] # "$N[0]", discarded
586 mulq $m0 # ap[j]*bp[i]
590 add 8(%rsp),$A[1] # +tp[1]
598 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[i]+tp[j]
601 mov $N[1],(%rsp) # tp[j-1]
606 mulq $m0 # ap[j]*bp[i]
608 mov -16($np,$j,8),%rax
610 add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j]
616 mov -8($ap,$j,8),%rax
620 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
623 mulq $m0 # ap[j]*bp[i]
625 mov -8($np,$j,8),%rax
627 add -8(%rsp,$j,8),$A[1]
637 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
640 mulq $m0 # ap[j]*bp[i]
644 add (%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j]
654 mov $N[0],-8(%rsp,$j,8) # tp[j-1]
657 mulq $m0 # ap[j]*bp[i]
661 add 8(%rsp,$j,8),$A[1]
668 mov -16($ap,$j,8),%rax
672 mov $N[1],-32(%rsp,$j,8) # tp[j-1]
677 mulq $m0 # ap[j]*bp[i]
679 mov -16($np,$j,8),%rax
681 add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j]
687 mov -8($ap,$j,8),%rax
691 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
694 mulq $m0 # ap[j]*bp[i]
696 mov -8($np,$j,8),%rax
698 add -8(%rsp,$j,8),$A[1]
705 mov ($ap),%rax # ap[0]
709 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
715 add (%rsp,$num,8),$N[0] # pull upmost overflow bit
717 mov $N[0],-8(%rsp,$j,8)
718 mov $N[1],(%rsp,$j,8) # store upmost overflow bit
724 my @ri=("%rax","%rdx",$m0,$m1);
726 mov 16(%rsp,$num,8),$rp # restore $rp
728 mov 0(%rsp),@ri[0] # tp[0]
729 mov 8(%rsp),@ri[1] # tp[1]
730 shr \$2,$j # j=num/4-1
731 lea (%rsp),$ap # borrow ap for tp
732 xor $i,$i # i=0 and clear CF!
735 mov 16($ap),@ri[2] # tp[2]
736 mov 24($ap),@ri[3] # tp[3]
740 mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i]
741 mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i]
742 sbb 16($np,$i,8),@ri[2]
743 mov 32($ap,$i,8),@ri[0] # tp[i+1]
744 mov 40($ap,$i,8),@ri[1]
745 sbb 24($np,$i,8),@ri[3]
746 mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i]
747 mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i]
748 sbb 32($np,$i,8),@ri[0]
749 mov 48($ap,$i,8),@ri[2]
750 mov 56($ap,$i,8),@ri[3]
751 sbb 40($np,$i,8),@ri[1]
753 dec $j # doesn't affect CF!
756 mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i]
757 mov 32($ap,$i,8),@ri[0] # load overflow bit
758 sbb 16($np,$i,8),@ri[2]
759 mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i]
760 sbb 24($np,$i,8),@ri[3]
761 mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i]
763 sbb \$0,@ri[0] # handle upmost overflow bit
764 mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i]
768 pshufd \$0,%xmm4,%xmm4
776 .Lcopy4x: # conditional copy
777 movdqa (%rsp,%rax),%xmm1
778 movdqu ($rp,%rax),%xmm2
781 movdqa 16(%rsp,%rax),%xmm3
782 movdqa %xmm0,(%rsp,%rax)
784 movdqu 16($rp,%rax),%xmm2
785 movdqu %xmm1,($rp,%rax)
788 movdqa %xmm0,16(%rsp,%rax)
790 movdqu %xmm3,16($rp,%rax)
797 mov 8(%rsp,$num,8),%rsi # restore %rsp
813 .cfi_def_cfa_register %rsp
817 .size bn_mul4x_mont,.-bn_mul4x_mont
821 ######################################################################
822 # void bn_sqr8x_mont(
823 my $rptr="%rdi"; # const BN_ULONG *rptr,
824 my $aptr="%rsi"; # const BN_ULONG *aptr,
825 my $bptr="%rdx"; # not used
826 my $nptr="%rcx"; # const BN_ULONG *nptr,
827 my $n0 ="%r8"; # const BN_ULONG *n0);
828 my $num ="%r9"; # int num, has to be divisible by 8
830 my ($i,$j,$tptr)=("%rbp","%rcx",$rptr);
831 my @A0=("%r10","%r11");
832 my @A1=("%r12","%r13");
833 my ($a0,$a1,$ai)=("%r14","%r15","%rbx");
835 $code.=<<___ if ($addx);
836 .extern bn_sqrx8x_internal # see x86_64-mont5 module
839 .extern bn_sqr8x_internal # see x86_64-mont5 module
841 .type bn_sqr8x_mont,\@function,6
846 .cfi_def_cfa_register %rax
863 shl \$3,${num}d # convert $num to bytes
864 shl \$3+2,%r10 # 4*$num
867 ##############################################################
868 # ensure that stack frame doesn't alias with $aptr modulo
869 # 4096. this is done to allow memory disambiguation logic
872 lea -64(%rsp,$num,2),%r11
879 sub %r11,%rbp # align with $aptr
880 lea -64(%rbp,$num,2),%rbp # future alloca(frame+2*$num)
885 lea 4096-64(,$num,2),%r10 # 4096-frame-2*$num
886 lea -64(%rbp,$num,2),%rbp # future alloca(frame+2*$num)
900 jmp .Lsqr8x_page_walk_done
908 .Lsqr8x_page_walk_done:
914 mov %rax, 40(%rsp) # save original %rsp
915 .cfi_cfa_expression %rsp+40,deref,+8
918 movq $nptr, %xmm2 # save pointer to modulus
920 movq $rptr,%xmm1 # save $rptr
921 movq %r10, %xmm3 # -$num
923 $code.=<<___ if ($addx);
924 mov OPENSSL_ia32cap_P+8(%rip),%eax
929 call bn_sqrx8x_internal # see x86_64-mont5 module
930 # %rax top-most carry
933 # %r8 end of tp[2*num]
938 sar \$3+2,%rcx # %cf=0
945 call bn_sqr8x_internal # see x86_64-mont5 module
946 # %rax top-most carry
949 # %rdi end of tp[2*num]
954 sar \$3+2,%rcx # %cf=0
974 inc %rcx # preserves %cf
977 sbb \$0,%rax # top-most carry
978 lea (%rbx,$num),%rbx # rewind
979 lea ($rptr,$num),$rptr # rewind
983 pshufd \$0,%xmm1,%xmm1
984 mov 40(%rsp),%rsi # restore %rsp
986 jmp .Lsqr8x_cond_copy
990 movdqa 16*0(%rbx),%xmm2
991 movdqa 16*1(%rbx),%xmm3
993 movdqu 16*0($rptr),%xmm4
994 movdqu 16*1($rptr),%xmm5
995 lea 16*2($rptr),$rptr
996 movdqa %xmm0,-16*2(%rbx) # zero tp
997 movdqa %xmm0,-16*1(%rbx)
998 movdqa %xmm0,-16*2(%rbx,%rdx)
999 movdqa %xmm0,-16*1(%rbx,%rdx)
1008 movdqu %xmm4,-16*2($rptr)
1009 movdqu %xmm5,-16*1($rptr)
1011 jnz .Lsqr8x_cond_copy
1027 .cfi_def_cfa_register %rsp
1031 .size bn_sqr8x_mont,.-bn_sqr8x_mont
1036 my $bp="%rdx"; # original value
1039 .type bn_mulx4x_mont,\@function,6
1044 .cfi_def_cfa_register %rax
1060 shl \$3,${num}d # convert $num to bytes
1062 sub $num,%r10 # -$num
1064 lea -72(%rsp,%r10),%rbp # future alloca(frame+$num+8)
1069 lea (%rbp,%r11),%rsp
1072 ja .Lmulx4x_page_walk
1073 jmp .Lmulx4x_page_walk_done
1077 lea -4096(%rsp),%rsp
1080 ja .Lmulx4x_page_walk
1081 .Lmulx4x_page_walk_done:
1084 ##############################################################
1087 # +8 off-loaded &b[i]
1096 mov $num,0(%rsp) # save $num
1098 mov %r10,16(%rsp) # end of b[num]
1100 mov $n0, 24(%rsp) # save *n0
1101 mov $rp, 32(%rsp) # save $rp
1102 mov %rax,40(%rsp) # save original %rsp
1103 .cfi_cfa_expression %rsp+40,deref,+8
1104 mov $num,48(%rsp) # inner counter
1110 my ($aptr, $bptr, $nptr, $tptr, $mi, $bi, $zero, $num)=
1111 ("%rsi","%rdi","%rcx","%rbx","%r8","%r9","%rbp","%rax");
1115 mov ($bp),%rdx # b[0], $bp==%rdx actually
1116 lea 64+32(%rsp),$tptr
1119 mulx 0*8($aptr),$mi,%rax # a[0]*b[0]
1120 mulx 1*8($aptr),%r11,%r14 # a[1]*b[0]
1122 mov $bptr,8(%rsp) # off-load &b[i]
1123 mulx 2*8($aptr),%r12,%r13 # ...
1127 mov $mi,$bptr # borrow $bptr
1128 imulq 24(%rsp),$mi # "t[0]"*n0
1129 xor $zero,$zero # cf=0, of=0
1131 mulx 3*8($aptr),%rax,%r14
1133 lea 4*8($aptr),$aptr
1135 adcx $zero,%r14 # cf=0
1137 mulx 0*8($nptr),%rax,%r10
1138 adcx %rax,$bptr # discarded
1140 mulx 1*8($nptr),%rax,%r11
1143 .byte 0xc4,0x62,0xfb,0xf6,0xa1,0x10,0x00,0x00,0x00 # mulx 2*8($nptr),%rax,%r12
1144 mov 48(%rsp),$bptr # counter value
1145 mov %r10,-4*8($tptr)
1148 mulx 3*8($nptr),%rax,%r15
1150 mov %r11,-3*8($tptr)
1152 adox $zero,%r15 # of=0
1153 lea 4*8($nptr),$nptr
1154 mov %r12,-2*8($tptr)
1160 adcx $zero,%r15 # cf=0, modulo-scheduled
1161 mulx 0*8($aptr),%r10,%rax # a[4]*b[0]
1163 mulx 1*8($aptr),%r11,%r14 # a[5]*b[0]
1165 mulx 2*8($aptr),%r12,%rax # ...
1167 mulx 3*8($aptr),%r13,%r14
1171 adcx $zero,%r14 # cf=0
1172 lea 4*8($aptr),$aptr
1173 lea 4*8($tptr),$tptr
1176 mulx 0*8($nptr),%rax,%r15
1179 mulx 1*8($nptr),%rax,%r15
1182 mulx 2*8($nptr),%rax,%r15
1183 mov %r10,-5*8($tptr)
1185 mov %r11,-4*8($tptr)
1187 mulx 3*8($nptr),%rax,%r15
1189 mov %r12,-3*8($tptr)
1192 lea 4*8($nptr),$nptr
1193 mov %r13,-2*8($tptr)
1195 dec $bptr # of=0, pass cf
1198 mov 0(%rsp),$num # load num
1199 mov 8(%rsp),$bptr # re-load &b[i]
1200 adc $zero,%r15 # modulo-scheduled
1202 sbb %r15,%r15 # top-most carry
1203 mov %r14,-1*8($tptr)
1208 mov ($bptr),%rdx # b[i]
1209 lea 8($bptr),$bptr # b++
1210 sub $num,$aptr # rewind $aptr
1211 mov %r15,($tptr) # save top-most carry
1212 lea 64+4*8(%rsp),$tptr
1213 sub $num,$nptr # rewind $nptr
1215 mulx 0*8($aptr),$mi,%r11 # a[0]*b[i]
1216 xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0
1218 mulx 1*8($aptr),%r14,%r12 # a[1]*b[i]
1219 adox -4*8($tptr),$mi
1221 mulx 2*8($aptr),%r15,%r13 # ...
1222 adox -3*8($tptr),%r11
1224 adox -2*8($tptr),%r12
1228 mov $bptr,8(%rsp) # off-load &b[i]
1230 imulq 24(%rsp),$mi # "t[0]"*n0
1231 xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0
1233 mulx 3*8($aptr),%rax,%r14
1236 adox -1*8($tptr),%r13
1238 lea 4*8($aptr),$aptr
1241 mulx 0*8($nptr),%rax,%r10
1242 adcx %rax,%r15 # discarded
1244 mulx 1*8($nptr),%rax,%r11
1247 mulx 2*8($nptr),%rax,%r12
1248 mov %r10,-4*8($tptr)
1251 mulx 3*8($nptr),%rax,%r15
1253 mov %r11,-3*8($tptr)
1254 lea 4*8($nptr),$nptr
1256 adox $zero,%r15 # of=0
1257 mov 48(%rsp),$bptr # counter value
1258 mov %r12,-2*8($tptr)
1264 mulx 0*8($aptr),%r10,%rax # a[4]*b[i]
1265 adcx $zero,%r15 # cf=0, modulo-scheduled
1267 mulx 1*8($aptr),%r11,%r14 # a[5]*b[i]
1268 adcx 0*8($tptr),%r10
1270 mulx 2*8($aptr),%r12,%rax # ...
1271 adcx 1*8($tptr),%r11
1273 mulx 3*8($aptr),%r13,%r14
1275 adcx 2*8($tptr),%r12
1277 adcx 3*8($tptr),%r13
1278 adox $zero,%r14 # of=0
1279 lea 4*8($aptr),$aptr
1280 lea 4*8($tptr),$tptr
1281 adcx $zero,%r14 # cf=0
1284 mulx 0*8($nptr),%rax,%r15
1287 mulx 1*8($nptr),%rax,%r15
1290 mulx 2*8($nptr),%rax,%r15
1291 mov %r10,-5*8($tptr)
1294 mulx 3*8($nptr),%rax,%r15
1296 mov %r11,-4*8($tptr)
1297 mov %r12,-3*8($tptr)
1300 lea 4*8($nptr),$nptr
1301 mov %r13,-2*8($tptr)
1303 dec $bptr # of=0, pass cf
1306 mov 0(%rsp),$num # load num
1307 mov 8(%rsp),$bptr # re-load &b[i]
1308 adc $zero,%r15 # modulo-scheduled
1309 sub 0*8($tptr),$zero # pull top-most carry
1311 sbb %r15,%r15 # top-most carry
1312 mov %r14,-1*8($tptr)
1318 sub $num,$nptr # rewind $nptr
1321 shr \$3+2,$num # %cf=0
1322 mov 32(%rsp),$rptr # restore rp
1331 lea 8*4($tptr),$tptr
1336 lea 8*4($nptr),$nptr
1341 lea 8*4($rptr),$rptr
1342 dec $num # preserves %cf
1345 sbb \$0,%r15 # top-most carry
1347 sub %rdx,$rptr # rewind
1351 pshufd \$0,%xmm1,%xmm1
1352 mov 40(%rsp),%rsi # restore %rsp
1354 jmp .Lmulx4x_cond_copy
1358 movdqa 16*0($tptr),%xmm2
1359 movdqa 16*1($tptr),%xmm3
1360 lea 16*2($tptr),$tptr
1361 movdqu 16*0($rptr),%xmm4
1362 movdqu 16*1($rptr),%xmm5
1363 lea 16*2($rptr),$rptr
1364 movdqa %xmm0,-16*2($tptr) # zero tp
1365 movdqa %xmm0,-16*1($tptr)
1374 movdqu %xmm4,-16*2($rptr)
1375 movdqu %xmm5,-16*1($rptr)
1377 jnz .Lmulx4x_cond_copy
1395 .cfi_def_cfa_register %rsp
1399 .size bn_mulx4x_mont,.-bn_mulx4x_mont
1403 .asciz "Montgomery Multiplication for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
1407 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
1408 # CONTEXT *context,DISPATCHER_CONTEXT *disp)
1416 .extern __imp_RtlVirtualUnwind
1417 .type mul_handler,\@abi-omnipotent
1431 mov 120($context),%rax # pull context->Rax
1432 mov 248($context),%rbx # pull context->Rip
1434 mov 8($disp),%rsi # disp->ImageBase
1435 mov 56($disp),%r11 # disp->HandlerData
1437 mov 0(%r11),%r10d # HandlerData[0]
1438 lea (%rsi,%r10),%r10 # end of prologue label
1439 cmp %r10,%rbx # context->Rip<end of prologue label
1440 jb .Lcommon_seh_tail
1442 mov 152($context),%rax # pull context->Rsp
1444 mov 4(%r11),%r10d # HandlerData[1]
1445 lea (%rsi,%r10),%r10 # epilogue label
1446 cmp %r10,%rbx # context->Rip>=epilogue label
1447 jae .Lcommon_seh_tail
1449 mov 192($context),%r10 # pull $num
1450 mov 8(%rax,%r10,8),%rax # pull saved stack pointer
1452 jmp .Lcommon_pop_regs
1453 .size mul_handler,.-mul_handler
1455 .type sqr_handler,\@abi-omnipotent
1469 mov 120($context),%rax # pull context->Rax
1470 mov 248($context),%rbx # pull context->Rip
1472 mov 8($disp),%rsi # disp->ImageBase
1473 mov 56($disp),%r11 # disp->HandlerData
1475 mov 0(%r11),%r10d # HandlerData[0]
1476 lea (%rsi,%r10),%r10 # end of prologue label
1477 cmp %r10,%rbx # context->Rip<.Lsqr_prologue
1478 jb .Lcommon_seh_tail
1480 mov 4(%r11),%r10d # HandlerData[1]
1481 lea (%rsi,%r10),%r10 # body label
1482 cmp %r10,%rbx # context->Rip<.Lsqr_body
1483 jb .Lcommon_pop_regs
1485 mov 152($context),%rax # pull context->Rsp
1487 mov 8(%r11),%r10d # HandlerData[2]
1488 lea (%rsi,%r10),%r10 # epilogue label
1489 cmp %r10,%rbx # context->Rip>=.Lsqr_epilogue
1490 jae .Lcommon_seh_tail
1492 mov 40(%rax),%rax # pull saved stack pointer
1501 mov %rbx,144($context) # restore context->Rbx
1502 mov %rbp,160($context) # restore context->Rbp
1503 mov %r12,216($context) # restore context->R12
1504 mov %r13,224($context) # restore context->R13
1505 mov %r14,232($context) # restore context->R14
1506 mov %r15,240($context) # restore context->R15
1511 mov %rax,152($context) # restore context->Rsp
1512 mov %rsi,168($context) # restore context->Rsi
1513 mov %rdi,176($context) # restore context->Rdi
1515 mov 40($disp),%rdi # disp->ContextRecord
1516 mov $context,%rsi # context
1517 mov \$154,%ecx # sizeof(CONTEXT)
1518 .long 0xa548f3fc # cld; rep movsq
1521 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
1522 mov 8(%rsi),%rdx # arg2, disp->ImageBase
1523 mov 0(%rsi),%r8 # arg3, disp->ControlPc
1524 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
1525 mov 40(%rsi),%r10 # disp->ContextRecord
1526 lea 56(%rsi),%r11 # &disp->HandlerData
1527 lea 24(%rsi),%r12 # &disp->EstablisherFrame
1528 mov %r10,32(%rsp) # arg5
1529 mov %r11,40(%rsp) # arg6
1530 mov %r12,48(%rsp) # arg7
1531 mov %rcx,56(%rsp) # arg8, (NULL)
1532 call *__imp_RtlVirtualUnwind(%rip)
1534 mov \$1,%eax # ExceptionContinueSearch
1546 .size sqr_handler,.-sqr_handler
1550 .rva .LSEH_begin_bn_mul_mont
1551 .rva .LSEH_end_bn_mul_mont
1552 .rva .LSEH_info_bn_mul_mont
1554 .rva .LSEH_begin_bn_mul4x_mont
1555 .rva .LSEH_end_bn_mul4x_mont
1556 .rva .LSEH_info_bn_mul4x_mont
1558 .rva .LSEH_begin_bn_sqr8x_mont
1559 .rva .LSEH_end_bn_sqr8x_mont
1560 .rva .LSEH_info_bn_sqr8x_mont
1562 $code.=<<___ if ($addx);
1563 .rva .LSEH_begin_bn_mulx4x_mont
1564 .rva .LSEH_end_bn_mulx4x_mont
1565 .rva .LSEH_info_bn_mulx4x_mont
1570 .LSEH_info_bn_mul_mont:
1573 .rva .Lmul_body,.Lmul_epilogue # HandlerData[]
1574 .LSEH_info_bn_mul4x_mont:
1577 .rva .Lmul4x_body,.Lmul4x_epilogue # HandlerData[]
1578 .LSEH_info_bn_sqr8x_mont:
1581 .rva .Lsqr8x_prologue,.Lsqr8x_body,.Lsqr8x_epilogue # HandlerData[]
1584 $code.=<<___ if ($addx);
1585 .LSEH_info_bn_mulx4x_mont:
1588 .rva .Lmulx4x_prologue,.Lmulx4x_body,.Lmulx4x_epilogue # HandlerData[]
1594 close STDOUT or die "error closing STDOUT: $!";
projects / openssl.git / blob