3 # ====================================================================
4 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
10 # ECP_NISTZ256 module for SPARCv9.
14 # Original ECP_NISTZ256 submission targeting x86_64 is detailed in
15 # http://eprint.iacr.org/2013/816. In the process of adaptation
16 # original .c module was made 32-bit savvy in order to make this
17 # implementation possible.
19 # with/without -DECP_NISTZ256_ASM
20 # UltraSPARC III +12-18%
21 # SPARC T4 +99-550% (+66-150% on 32-bit Solaris)
23 # Ranges denote minimum and maximum improvement coefficients depending
24 # on benchmark. Lower coefficients are for ECDSA sign, server-side
25 # operation. Keep in mind that +200% means 3x improvement.
28 #include "sparc_arch.h"
30 #define LOCALS (STACK_BIAS+STACK_FRAME)
32 .register %g2,#scratch
33 .register %g3,#scratch
34 # define STACK64_FRAME STACK_FRAME
35 # define LOCALS64 LOCALS
37 # define STACK64_FRAME (2047+192)
38 # define LOCALS64 STACK64_FRAME
41 .section ".text",#alloc,#execinstr
43 ########################################################################
44 # Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7
46 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
47 open TABLE,"<ecp_nistz256_table.c" or
48 open TABLE,"<${dir}../ecp_nistz256_table.c" or
49 die "failed to open ecp_nistz256_table.c:",$!;
54 s/TOBN\(\s*(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\s*\)/push @arr,hex($2),hex($1)/geo;
58 # See ecp_nistz256_table.c for explanation for why it's 64*16*37.
59 # 64*16*37-1 is because $#arr returns last valid index or @arr, not
61 die "insane number of elements" if ($#arr != 64*16*37-1);
64 .globl ecp_nistz256_precomputed
66 ecp_nistz256_precomputed:
68 ########################################################################
69 # this conversion smashes P256_POINT_AFFINE by individual bytes with
70 # 64 byte interval, similar to
74 @tbl = splice(@arr,0,64*16);
75 for($i=0;$i<64;$i++) {
77 for($j=0;$j<64;$j++) {
78 push @line,(@tbl[$j*16+$i/4]>>(($i%4)*8))&0xff;
81 $code.=join(',',map { sprintf "0x%02x",$_} @line);
87 my ($rp,$ap,$bp)=map("%i$_",(0..2));
88 my @acc=map("%l$_",(0..7));
89 my ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7)=(map("%o$_",(0..5)),"%g4","%g5");
90 my ($bi,$a0,$mask,$carry)=(map("%i$_",(3..5)),"%g1");
91 my ($rp_real,$ap_real)=("%g2","%g3");
94 .size ecp_nistz256_precomputed,.-ecp_nistz256_precomputed
96 .LRR: ! 2^512 mod P precomputed for NIST P256 polynomial
97 .long 0x00000003, 0x00000000, 0xffffffff, 0xfffffffb
98 .long 0xfffffffe, 0xffffffff, 0xfffffffd, 0x00000004
100 .long 1,0,0,0,0,0,0,0
101 .asciz "ECP_NISTZ256 for SPARCv9, CRYPTOGAMS by <appro\@openssl.org>"
103 ! void ecp_nistz256_to_mont(BN_ULONG %i0[8],const BN_ULONG %i1[8]);
104 .globl ecp_nistz256_to_mont
106 ecp_nistz256_to_mont:
107 save %sp,-STACK_FRAME,%sp
111 call __ecp_nistz256_mul_mont
115 .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
117 ! void ecp_nistz256_from_mont(BN_ULONG %i0[8],const BN_ULONG %i1[8]);
118 .globl ecp_nistz256_from_mont
120 ecp_nistz256_from_mont:
121 save %sp,-STACK_FRAME,%sp
125 call __ecp_nistz256_mul_mont
129 .size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
131 ! void ecp_nistz256_mul_mont(BN_ULONG %i0[8],const BN_ULONG %i1[8],
132 ! const BN_ULONG %i2[8]);
133 .globl ecp_nistz256_mul_mont
135 ecp_nistz256_mul_mont:
136 save %sp,-STACK_FRAME,%sp
138 call __ecp_nistz256_mul_mont
142 .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
144 ! void ecp_nistz256_sqr_mont(BN_ULONG %i0[8],const BN_ULONG %i2[8]);
145 .globl ecp_nistz256_sqr_mont
147 ecp_nistz256_sqr_mont:
148 save %sp,-STACK_FRAME,%sp
150 call __ecp_nistz256_mul_mont
154 .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
157 ########################################################################
158 # Special thing to keep in mind is that $t0-$t7 hold 64-bit values,
159 # while all others are meant to keep 32. "Meant to" means that additions
160 # to @acc[0-7] do "contaminate" upper bits, but they are cleared before
161 # they can affect outcome (follow 'and' with $mask). Also keep in mind
162 # that addition with carry is addition with 32-bit carry, even though
163 # CPU is 64-bit. [Addition with 64-bit carry was introduced in T3, see
164 # below for VIS3 code paths.]
168 __ecp_nistz256_mul_mont:
169 ld [$bp+0],$bi ! b[0]
172 srl $mask,0,$mask ! 0xffffffff
180 mulx $a0,$bi,$t0 ! a[0-7]*b[0], 64-bit results
188 srlx $t0,32,@acc[1] ! extract high parts
195 srlx $t7,32,@acc[0] ! "@acc[8]"
198 for($i=1;$i<8;$i++) {
200 addcc @acc[1],$t1,@acc[1] ! accumulate high parts
201 ld [$bp+4*$i],$bi ! b[$i]
202 ld [$ap+4],$t1 ! re-load a[1-7]
203 addccc @acc[2],$t2,@acc[2]
204 addccc @acc[3],$t3,@acc[3]
207 addccc @acc[4],$t4,@acc[4]
208 addccc @acc[5],$t5,@acc[5]
211 addccc @acc[6],$t6,@acc[6]
212 addccc @acc[7],$t7,@acc[7]
215 addccc @acc[0],$carry,@acc[0] ! "@acc[8]"
218 # Reduction iteration is normally performed by accumulating
219 # result of multiplication of modulus by "magic" digit [and
220 # omitting least significant word, which is guaranteed to
221 # be 0], but thanks to special form of modulus and "magic"
222 # digit being equal to least significant word, it can be
223 # performed with additions and subtractions alone. Indeed:
225 # ffff.0001.0000.0000.0000.ffff.ffff.ffff
227 # + xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.abcd
229 # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
232 # xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.abcd
233 # + abcd.0000.abcd.0000.0000.abcd.0000.0000.0000
234 # - abcd.0000.0000.0000.0000.0000.0000.abcd
236 # or marking redundant operations:
238 # xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.----
239 # + abcd.0000.abcd.0000.0000.abcd.----.----.----
240 # - abcd.----.----.----.----.----.----.----
243 ! multiplication-less reduction
244 addcc @acc[3],$t0,@acc[3] ! r[3]+=r[0]
245 addccc @acc[4],%g0,@acc[4] ! r[4]+=0
246 and @acc[1],$mask,@acc[1]
247 and @acc[2],$mask,@acc[2]
248 addccc @acc[5],%g0,@acc[5] ! r[5]+=0
249 addccc @acc[6],$t0,@acc[6] ! r[6]+=r[0]
250 and @acc[3],$mask,@acc[3]
251 and @acc[4],$mask,@acc[4]
252 addccc @acc[7],%g0,@acc[7] ! r[7]+=0
253 addccc @acc[0],$t0,@acc[0] ! r[8]+=r[0] "@acc[8]"
254 and @acc[5],$mask,@acc[5]
255 and @acc[6],$mask,@acc[6]
256 addc $carry,%g0,$carry ! top-most carry
257 subcc @acc[7],$t0,@acc[7] ! r[7]-=r[0]
258 subccc @acc[0],%g0,@acc[0] ! r[8]-=0 "@acc[8]"
259 subc $carry,%g0,$carry ! top-most carry
260 and @acc[7],$mask,@acc[7]
261 and @acc[0],$mask,@acc[0] ! "@acc[8]"
263 push(@acc,shift(@acc)); # rotate registers to "omit" acc[0]
265 mulx $a0,$bi,$t0 ! a[0-7]*b[$i], 64-bit results
273 add @acc[0],$t0,$t0 ! accumulate low parts, can't overflow
275 srlx $t0,32,@acc[1] ! extract high parts
288 srlx $t7,32,@acc[0] ! "@acc[8]"
292 addcc @acc[1],$t1,@acc[1] ! accumulate high parts
293 addccc @acc[2],$t2,@acc[2]
294 addccc @acc[3],$t3,@acc[3]
295 addccc @acc[4],$t4,@acc[4]
296 addccc @acc[5],$t5,@acc[5]
297 addccc @acc[6],$t6,@acc[6]
298 addccc @acc[7],$t7,@acc[7]
299 addccc @acc[0],$carry,@acc[0] ! "@acc[8]"
302 addcc @acc[3],$t0,@acc[3] ! multiplication-less reduction
303 addccc @acc[4],%g0,@acc[4]
304 addccc @acc[5],%g0,@acc[5]
305 addccc @acc[6],$t0,@acc[6]
306 addccc @acc[7],%g0,@acc[7]
307 addccc @acc[0],$t0,@acc[0] ! "@acc[8]"
308 addc $carry,%g0,$carry
309 subcc @acc[7],$t0,@acc[7]
310 subccc @acc[0],%g0,@acc[0] ! "@acc[8]"
311 subc $carry,%g0,$carry ! top-most carry
313 push(@acc,shift(@acc)); # rotate registers to omit acc[0]
315 ! Final step is "if result > mod, subtract mod", but we do it
316 ! "other way around", namely subtract modulus from result
317 ! and if it borrowed, add modulus back.
319 subcc @acc[0],-1,@acc[0] ! subtract modulus
320 subccc @acc[1],-1,@acc[1]
321 subccc @acc[2],-1,@acc[2]
322 subccc @acc[3],0,@acc[3]
323 subccc @acc[4],0,@acc[4]
324 subccc @acc[5],0,@acc[5]
325 subccc @acc[6],1,@acc[6]
326 subccc @acc[7],-1,@acc[7]
327 subc $carry,0,$carry ! broadcast borrow bit
329 ! Note that because mod has special form, i.e. consists of
330 ! 0xffffffff, 1 and 0s, we can conditionally synthesize it by
331 ! using value of broadcasted borrow and the borrow bit itself.
332 ! To minimize dependency chain we first broadcast and then
333 ! extract the bit by negating (follow $bi).
335 addcc @acc[0],$carry,@acc[0] ! add modulus or zero
336 addccc @acc[1],$carry,@acc[1]
339 addccc @acc[2],$carry,@acc[2]
341 addccc @acc[3],0,@acc[3]
343 addccc @acc[4],0,@acc[4]
345 addccc @acc[5],0,@acc[5]
347 addccc @acc[6],$bi,@acc[6]
349 addc @acc[7],$carry,@acc[7]
353 .size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont
355 ! void ecp_nistz256_add(BN_ULONG %i0[8],const BN_ULONG %i1[8],
356 ! const BN_ULONG %i2[8]);
357 .globl ecp_nistz256_add
360 save %sp,-STACK_FRAME,%sp
368 call __ecp_nistz256_add
372 .size ecp_nistz256_add,.-ecp_nistz256_add
376 ld [$bp+0],$t0 ! b[0]
380 addcc @acc[0],$t0,@acc[0]
383 addccc @acc[1],$t1,@acc[1]
386 addccc @acc[2],$t2,@acc[2]
387 addccc @acc[3],$t3,@acc[3]
388 addccc @acc[4],$t4,@acc[4]
389 addccc @acc[5],$t5,@acc[5]
390 addccc @acc[6],$t6,@acc[6]
391 addccc @acc[7],$t7,@acc[7]
392 subc %g0,%g0,$carry ! broadcast carry bit
396 ! if a+b carries, subtract modulus.
398 ! Note that because mod has special form, i.e. consists of
399 ! 0xffffffff, 1 and 0s, we can conditionally synthesize it by
400 ! using value of broadcasted borrow and the borrow bit itself.
401 ! To minimize dependency chain we first broadcast and then
402 ! extract the bit by negating (follow $bi).
404 subcc @acc[0],$carry,@acc[0] ! subtract synthesized modulus
405 subccc @acc[1],$carry,@acc[1]
408 subccc @acc[2],$carry,@acc[2]
410 subccc @acc[3],0,@acc[3]
412 subccc @acc[4],0,@acc[4]
414 subccc @acc[5],0,@acc[5]
416 subccc @acc[6],$bi,@acc[6]
418 subc @acc[7],$carry,@acc[7]
422 .size __ecp_nistz256_add,.-__ecp_nistz256_add
424 ! void ecp_nistz256_mul_by_2(BN_ULONG %i0[8],const BN_ULONG %i1[8]);
425 .globl ecp_nistz256_mul_by_2
427 ecp_nistz256_mul_by_2:
428 save %sp,-STACK_FRAME,%sp
436 call __ecp_nistz256_mul_by_2
440 .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
443 __ecp_nistz256_mul_by_2:
444 addcc @acc[0],@acc[0],@acc[0] ! a+a=2*a
445 addccc @acc[1],@acc[1],@acc[1]
446 addccc @acc[2],@acc[2],@acc[2]
447 addccc @acc[3],@acc[3],@acc[3]
448 addccc @acc[4],@acc[4],@acc[4]
449 addccc @acc[5],@acc[5],@acc[5]
450 addccc @acc[6],@acc[6],@acc[6]
451 addccc @acc[7],@acc[7],@acc[7]
453 subc %g0,%g0,$carry ! broadcast carry bit
454 .size __ecp_nistz256_mul_by_2,.-__ecp_nistz256_mul_by_2
456 ! void ecp_nistz256_mul_by_3(BN_ULONG %i0[8],const BN_ULONG %i1[8]);
457 .globl ecp_nistz256_mul_by_3
459 ecp_nistz256_mul_by_3:
460 save %sp,-STACK_FRAME,%sp
468 call __ecp_nistz256_mul_by_3
472 .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
475 __ecp_nistz256_mul_by_3:
476 addcc @acc[0],@acc[0],$t0 ! a+a=2*a
477 addccc @acc[1],@acc[1],$t1
478 addccc @acc[2],@acc[2],$t2
479 addccc @acc[3],@acc[3],$t3
480 addccc @acc[4],@acc[4],$t4
481 addccc @acc[5],@acc[5],$t5
482 addccc @acc[6],@acc[6],$t6
483 addccc @acc[7],@acc[7],$t7
484 subc %g0,%g0,$carry ! broadcast carry bit
486 subcc $t0,$carry,$t0 ! .Lreduce_by_sub but without stores
488 subccc $t1,$carry,$t1
489 subccc $t2,$carry,$t2
496 addcc $t0,@acc[0],@acc[0] ! 2*a+a=3*a
497 addccc $t1,@acc[1],@acc[1]
498 addccc $t2,@acc[2],@acc[2]
499 addccc $t3,@acc[3],@acc[3]
500 addccc $t4,@acc[4],@acc[4]
501 addccc $t5,@acc[5],@acc[5]
502 addccc $t6,@acc[6],@acc[6]
503 addccc $t7,@acc[7],@acc[7]
505 subc %g0,%g0,$carry ! broadcast carry bit
506 .size __ecp_nistz256_mul_by_3,.-__ecp_nistz256_mul_by_3
508 ! void ecp_nistz256_sub(BN_ULONG %i0[8],const BN_ULONG %i1[8],
509 ! const BN_ULONG %i2[8]);
510 .globl ecp_nistz256_sub
513 save %sp,-STACK_FRAME,%sp
521 call __ecp_nistz256_sub_from
525 .size ecp_nistz256_sub,.-ecp_nistz256_sub
527 ! void ecp_nistz256_neg(BN_ULONG %i0[8],const BN_ULONG %i1[8]);
528 .globl ecp_nistz256_neg
531 save %sp,-STACK_FRAME,%sp
540 call __ecp_nistz256_sub_from
544 .size ecp_nistz256_neg,.-ecp_nistz256_neg
547 __ecp_nistz256_sub_from:
548 ld [$bp+0],$t0 ! b[0]
552 subcc @acc[0],$t0,@acc[0]
555 subccc @acc[1],$t1,@acc[1]
556 subccc @acc[2],$t2,@acc[2]
559 subccc @acc[3],$t3,@acc[3]
560 subccc @acc[4],$t4,@acc[4]
561 subccc @acc[5],$t5,@acc[5]
562 subccc @acc[6],$t6,@acc[6]
563 subccc @acc[7],$t7,@acc[7]
564 subc %g0,%g0,$carry ! broadcast borrow bit
568 ! if a-b borrows, add modulus.
570 ! Note that because mod has special form, i.e. consists of
571 ! 0xffffffff, 1 and 0s, we can conditionally synthesize it by
572 ! using value of broadcasted borrow and the borrow bit itself.
573 ! To minimize dependency chain we first broadcast and then
574 ! extract the bit by negating (follow $bi).
576 addcc @acc[0],$carry,@acc[0] ! add synthesized modulus
577 addccc @acc[1],$carry,@acc[1]
580 addccc @acc[2],$carry,@acc[2]
582 addccc @acc[3],0,@acc[3]
584 addccc @acc[4],0,@acc[4]
586 addccc @acc[5],0,@acc[5]
588 addccc @acc[6],$bi,@acc[6]
590 addc @acc[7],$carry,@acc[7]
594 .size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from
597 __ecp_nistz256_sub_morf:
598 ld [$bp+0],$t0 ! b[0]
602 subcc $t0,@acc[0],@acc[0]
605 subccc $t1,@acc[1],@acc[1]
606 subccc $t2,@acc[2],@acc[2]
609 subccc $t3,@acc[3],@acc[3]
610 subccc $t4,@acc[4],@acc[4]
611 subccc $t5,@acc[5],@acc[5]
612 subccc $t6,@acc[6],@acc[6]
613 subccc $t7,@acc[7],@acc[7]
615 subc %g0,%g0,$carry ! broadcast borrow bit
616 .size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf
618 ! void ecp_nistz256_div_by_2(BN_ULONG %i0[8],const BN_ULONG %i1[8]);
619 .globl ecp_nistz256_div_by_2
621 ecp_nistz256_div_by_2:
622 save %sp,-STACK_FRAME,%sp
630 call __ecp_nistz256_div_by_2
634 .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
637 __ecp_nistz256_div_by_2:
638 ! ret = (a is odd ? a+mod : a) >> 1
642 addcc @acc[0],$carry,@acc[0]
643 addccc @acc[1],$carry,@acc[1]
644 addccc @acc[2],$carry,@acc[2]
645 addccc @acc[3],0,@acc[3]
646 addccc @acc[4],0,@acc[4]
647 addccc @acc[5],0,@acc[5]
648 addccc @acc[6],$bi,@acc[6]
649 addccc @acc[7],$carry,@acc[7]
654 srl @acc[0],1,@acc[0]
656 srl @acc[1],1,@acc[1]
657 or @acc[0],$t0,@acc[0]
659 srl @acc[2],1,@acc[2]
660 or @acc[1],$t1,@acc[1]
663 srl @acc[3],1,@acc[3]
664 or @acc[2],$t2,@acc[2]
667 srl @acc[4],1,@acc[4]
668 or @acc[3],$t3,@acc[3]
671 srl @acc[5],1,@acc[5]
672 or @acc[4],$t4,@acc[4]
675 srl @acc[6],1,@acc[6]
676 or @acc[5],$t5,@acc[5]
679 srl @acc[7],1,@acc[7]
680 or @acc[6],$t6,@acc[6]
683 or @acc[7],$t7,@acc[7]
687 .size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2
690 ########################################################################
691 # following subroutines are "literal" implemetation of those found in
694 ########################################################################
695 # void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp);
698 my ($S,$M,$Zsqr,$tmp0)=map(32*$_,(0..3));
699 # above map() describes stack layout with 4 temporary
700 # 256-bit vectors on top.
707 .globl ecp_nistz256_point_double
709 ecp_nistz256_point_double:
710 SPARC_LOAD_ADDRESS_LEAF(OPENSSL_sparcv9cap_P,%g1,%g5)
711 ld [%g1],%g1 ! OPENSSL_sparcv9cap_P[0]
712 and %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK),%g1
713 cmp %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK)
714 be ecp_nistz256_point_double_vis3
717 save %sp,-STACK_FRAME-32*4,%sp
723 ld [$ap+32+4],@acc[1]
724 ld [$ap+32+8],@acc[2]
725 ld [$ap+32+12],@acc[3]
726 ld [$ap+32+16],@acc[4]
727 ld [$ap+32+20],@acc[5]
728 ld [$ap+32+24],@acc[6]
729 ld [$ap+32+28],@acc[7]
730 call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(S, in_y);
731 add %sp,LOCALS+$S,$rp
735 call __ecp_nistz256_mul_mont ! p256_sqr_mont(Zsqr, in_z);
736 add %sp,LOCALS+$Zsqr,$rp
739 call __ecp_nistz256_add ! p256_add(M, Zsqr, in_x);
740 add %sp,LOCALS+$M,$rp
742 add %sp,LOCALS+$S,$bp
743 add %sp,LOCALS+$S,$ap
744 call __ecp_nistz256_mul_mont ! p256_sqr_mont(S, S);
745 add %sp,LOCALS+$S,$rp
747 ld [$ap_real],@acc[0]
748 add %sp,LOCALS+$Zsqr,$bp
749 ld [$ap_real+4],@acc[1]
750 ld [$ap_real+8],@acc[2]
751 ld [$ap_real+12],@acc[3]
752 ld [$ap_real+16],@acc[4]
753 ld [$ap_real+20],@acc[5]
754 ld [$ap_real+24],@acc[6]
755 ld [$ap_real+28],@acc[7]
756 call __ecp_nistz256_sub_from ! p256_sub(Zsqr, in_x, Zsqr);
757 add %sp,LOCALS+$Zsqr,$rp
761 call __ecp_nistz256_mul_mont ! p256_mul_mont(tmp0, in_z, in_y);
762 add %sp,LOCALS+$tmp0,$rp
764 call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(res_z, tmp0);
767 add %sp,LOCALS+$Zsqr,$bp
768 add %sp,LOCALS+$M,$ap
769 call __ecp_nistz256_mul_mont ! p256_mul_mont(M, M, Zsqr);
770 add %sp,LOCALS+$M,$rp
772 call __ecp_nistz256_mul_by_3 ! p256_mul_by_3(M, M);
773 add %sp,LOCALS+$M,$rp
775 add %sp,LOCALS+$S,$bp
776 add %sp,LOCALS+$S,$ap
777 call __ecp_nistz256_mul_mont ! p256_sqr_mont(tmp0, S);
778 add %sp,LOCALS+$tmp0,$rp
780 call __ecp_nistz256_div_by_2 ! p256_div_by_2(res_y, tmp0);
784 add %sp,LOCALS+$S,$ap
785 call __ecp_nistz256_mul_mont ! p256_mul_mont(S, S, in_x);
786 add %sp,LOCALS+$S,$rp
788 call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(tmp0, S);
789 add %sp,LOCALS+$tmp0,$rp
791 add %sp,LOCALS+$M,$bp
792 add %sp,LOCALS+$M,$ap
793 call __ecp_nistz256_mul_mont ! p256_sqr_mont(res_x, M);
796 add %sp,LOCALS+$tmp0,$bp
797 call __ecp_nistz256_sub_from ! p256_sub(res_x, res_x, tmp0);
800 add %sp,LOCALS+$S,$bp
801 call __ecp_nistz256_sub_morf ! p256_sub(S, S, res_x);
802 add %sp,LOCALS+$S,$rp
804 add %sp,LOCALS+$M,$bp
805 add %sp,LOCALS+$S,$ap
806 call __ecp_nistz256_mul_mont ! p256_mul_mont(S, S, M);
807 add %sp,LOCALS+$S,$rp
810 call __ecp_nistz256_sub_from ! p256_sub(res_y, S, res_y);
815 .size ecp_nistz256_point_double,.-ecp_nistz256_point_double
819 ########################################################################
820 # void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1,
821 # const P256_POINT *in2);
823 my ($res_x,$res_y,$res_z,
824 $H,$Hsqr,$R,$Rsqr,$Hcub,
825 $U1,$U2,$S1,$S2)=map(32*$_,(0..11));
826 my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
828 # above map() describes stack layout with 12 temporary
829 # 256-bit vectors on top. Then we reserve some space for
830 # !in1infty, !in2infty, result of check for zero and return pointer.
832 my $bp_real=$rp_real;
835 .globl ecp_nistz256_point_add
837 ecp_nistz256_point_add:
838 SPARC_LOAD_ADDRESS_LEAF(OPENSSL_sparcv9cap_P,%g1,%g5)
839 ld [%g1],%g1 ! OPENSSL_sparcv9cap_P[0]
840 and %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK),%g1
841 cmp %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK)
842 be ecp_nistz256_point_add_vis3
845 save %sp,-STACK_FRAME-32*12-32,%sp
847 stx $rp,[%fp+STACK_BIAS-8] ! off-load $rp
851 ld [$bp],@acc[0] ! in2_x
859 ld [$bp+32],$t0 ! in2_y
867 or @acc[1],@acc[0],@acc[0]
868 or @acc[3],@acc[2],@acc[2]
869 or @acc[5],@acc[4],@acc[4]
870 or @acc[7],@acc[6],@acc[6]
871 or @acc[2],@acc[0],@acc[0]
872 or @acc[6],@acc[4],@acc[4]
873 or @acc[4],@acc[0],@acc[0]
881 or @acc[0],$t0,$t0 ! !in2infty
883 st $t0,[%fp+STACK_BIAS-12]
885 ld [$ap],@acc[0] ! in1_x
893 ld [$ap+32],$t0 ! in1_y
901 or @acc[1],@acc[0],@acc[0]
902 or @acc[3],@acc[2],@acc[2]
903 or @acc[5],@acc[4],@acc[4]
904 or @acc[7],@acc[6],@acc[6]
905 or @acc[2],@acc[0],@acc[0]
906 or @acc[6],@acc[4],@acc[4]
907 or @acc[4],@acc[0],@acc[0]
915 or @acc[0],$t0,$t0 ! !in1infty
917 st $t0,[%fp+STACK_BIAS-16]
921 call __ecp_nistz256_mul_mont ! p256_sqr_mont(Z2sqr, in2_z);
922 add %sp,LOCALS+$Z2sqr,$rp
926 call __ecp_nistz256_mul_mont ! p256_sqr_mont(Z1sqr, in1_z);
927 add %sp,LOCALS+$Z1sqr,$rp
930 add %sp,LOCALS+$Z2sqr,$ap
931 call __ecp_nistz256_mul_mont ! p256_mul_mont(S1, Z2sqr, in2_z);
932 add %sp,LOCALS+$S1,$rp
935 add %sp,LOCALS+$Z1sqr,$ap
936 call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, Z1sqr, in1_z);
937 add %sp,LOCALS+$S2,$rp
940 add %sp,LOCALS+$S1,$ap
941 call __ecp_nistz256_mul_mont ! p256_mul_mont(S1, S1, in1_y);
942 add %sp,LOCALS+$S1,$rp
945 add %sp,LOCALS+$S2,$ap
946 call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, S2, in2_y);
947 add %sp,LOCALS+$S2,$rp
949 add %sp,LOCALS+$S1,$bp
950 call __ecp_nistz256_sub_from ! p256_sub(R, S2, S1);
951 add %sp,LOCALS+$R,$rp
953 or @acc[1],@acc[0],@acc[0] ! see if result is zero
954 or @acc[3],@acc[2],@acc[2]
955 or @acc[5],@acc[4],@acc[4]
956 or @acc[7],@acc[6],@acc[6]
957 or @acc[2],@acc[0],@acc[0]
958 or @acc[6],@acc[4],@acc[4]
959 or @acc[4],@acc[0],@acc[0]
960 st @acc[0],[%fp+STACK_BIAS-20]
963 add %sp,LOCALS+$Z2sqr,$ap
964 call __ecp_nistz256_mul_mont ! p256_mul_mont(U1, in1_x, Z2sqr);
965 add %sp,LOCALS+$U1,$rp
968 add %sp,LOCALS+$Z1sqr,$ap
969 call __ecp_nistz256_mul_mont ! p256_mul_mont(U2, in2_x, Z1sqr);
970 add %sp,LOCALS+$U2,$rp
972 add %sp,LOCALS+$U1,$bp
973 call __ecp_nistz256_sub_from ! p256_sub(H, U2, U1);
974 add %sp,LOCALS+$H,$rp
976 or @acc[1],@acc[0],@acc[0] ! see if result is zero
977 or @acc[3],@acc[2],@acc[2]
978 or @acc[5],@acc[4],@acc[4]
979 or @acc[7],@acc[6],@acc[6]
980 or @acc[2],@acc[0],@acc[0]
981 or @acc[6],@acc[4],@acc[4]
982 orcc @acc[4],@acc[0],@acc[0]
984 bne,pt %icc,.Ladd_proceed ! is_equal(U1,U2)?
987 ld [%fp+STACK_BIAS-12],$t0
988 ld [%fp+STACK_BIAS-16],$t1
989 ld [%fp+STACK_BIAS-20],$t2
991 be,pt %icc,.Ladd_proceed ! (in1infty || in2infty)?
994 be,pt %icc,.Ladd_proceed ! is_equal(S1,S2)?
997 ldx [%fp+STACK_BIAS-8],$rp
1027 add %sp,LOCALS+$R,$bp
1028 add %sp,LOCALS+$R,$ap
1029 call __ecp_nistz256_mul_mont ! p256_sqr_mont(Rsqr, R);
1030 add %sp,LOCALS+$Rsqr,$rp
1033 add %sp,LOCALS+$H,$ap
1034 call __ecp_nistz256_mul_mont ! p256_mul_mont(res_z, H, in1_z);
1035 add %sp,LOCALS+$res_z,$rp
1037 add %sp,LOCALS+$H,$bp
1038 add %sp,LOCALS+$H,$ap
1039 call __ecp_nistz256_mul_mont ! p256_sqr_mont(Hsqr, H);
1040 add %sp,LOCALS+$Hsqr,$rp
1043 add %sp,LOCALS+$res_z,$ap
1044 call __ecp_nistz256_mul_mont ! p256_mul_mont(res_z, res_z, in2_z);
1045 add %sp,LOCALS+$res_z,$rp
1047 add %sp,LOCALS+$H,$bp
1048 add %sp,LOCALS+$Hsqr,$ap
1049 call __ecp_nistz256_mul_mont ! p256_mul_mont(Hcub, Hsqr, H);
1050 add %sp,LOCALS+$Hcub,$rp
1052 add %sp,LOCALS+$U1,$bp
1053 add %sp,LOCALS+$Hsqr,$ap
1054 call __ecp_nistz256_mul_mont ! p256_mul_mont(U2, U1, Hsqr);
1055 add %sp,LOCALS+$U2,$rp
1057 call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(Hsqr, U2);
1058 add %sp,LOCALS+$Hsqr,$rp
1060 add %sp,LOCALS+$Rsqr,$bp
1061 call __ecp_nistz256_sub_morf ! p256_sub(res_x, Rsqr, Hsqr);
1062 add %sp,LOCALS+$res_x,$rp
1064 add %sp,LOCALS+$Hcub,$bp
1065 call __ecp_nistz256_sub_from ! p256_sub(res_x, res_x, Hcub);
1066 add %sp,LOCALS+$res_x,$rp
1068 add %sp,LOCALS+$U2,$bp
1069 call __ecp_nistz256_sub_morf ! p256_sub(res_y, U2, res_x);
1070 add %sp,LOCALS+$res_y,$rp
1072 add %sp,LOCALS+$Hcub,$bp
1073 add %sp,LOCALS+$S1,$ap
1074 call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, S1, Hcub);
1075 add %sp,LOCALS+$S2,$rp
1077 add %sp,LOCALS+$R,$bp
1078 add %sp,LOCALS+$res_y,$ap
1079 call __ecp_nistz256_mul_mont ! p256_mul_mont(res_y, res_y, R);
1080 add %sp,LOCALS+$res_y,$rp
1082 add %sp,LOCALS+$S2,$bp
1083 call __ecp_nistz256_sub_from ! p256_sub(res_y, res_y, S2);
1084 add %sp,LOCALS+$res_y,$rp
1086 ld [%fp+STACK_BIAS-16],$t1 ! !in1infty
1087 ld [%fp+STACK_BIAS-12],$t2 ! !in2infty
1088 ldx [%fp+STACK_BIAS-8],$rp
1090 for($i=0;$i<96;$i+=8) { # conditional moves
1092 ld [%sp+LOCALS+$i],@acc[0] ! res
1093 ld [%sp+LOCALS+$i+4],@acc[1]
1094 ld [$bp_real+$i],@acc[2] ! in2
1095 ld [$bp_real+$i+4],@acc[3]
1096 ld [$ap_real+$i],@acc[4] ! in1
1097 ld [$ap_real+$i+4],@acc[5]
1098 movrz $t1,@acc[2],@acc[0]
1099 movrz $t1,@acc[3],@acc[1]
1100 movrz $t2,@acc[4],@acc[0]
1101 movrz $t2,@acc[5],@acc[1]
1103 st @acc[1],[$rp+$i+4]
1110 .size ecp_nistz256_point_add,.-ecp_nistz256_point_add
1114 ########################################################################
1115 # void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1,
1116 # const P256_POINT_AFFINE *in2);
1118 my ($res_x,$res_y,$res_z,
1119 $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(32*$_,(0..9));
1121 # above map() describes stack layout with 10 temporary
1122 # 256-bit vectors on top. Then we reserve some space for
1123 # !in1infty, !in2infty, result of check for zero and return pointer.
1125 my @ONE_mont=(1,0,0,-1,-1,-1,-2,0);
1126 my $bp_real=$rp_real;
1129 .globl ecp_nistz256_point_add_affine
1131 ecp_nistz256_point_add_affine:
1132 SPARC_LOAD_ADDRESS_LEAF(OPENSSL_sparcv9cap_P,%g1,%g5)
1133 ld [%g1],%g1 ! OPENSSL_sparcv9cap_P[0]
1134 and %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK),%g1
1135 cmp %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK)
1136 be ecp_nistz256_point_add_affine_vis3
1139 save %sp,-STACK_FRAME-32*10-32,%sp
1141 stx $rp,[%fp+STACK_BIAS-8] ! off-load $rp
1145 ld [$ap],@acc[0] ! in1_x
1153 ld [$ap+32],$t0 ! in1_y
1161 or @acc[1],@acc[0],@acc[0]
1162 or @acc[3],@acc[2],@acc[2]
1163 or @acc[5],@acc[4],@acc[4]
1164 or @acc[7],@acc[6],@acc[6]
1165 or @acc[2],@acc[0],@acc[0]
1166 or @acc[6],@acc[4],@acc[4]
1167 or @acc[4],@acc[0],@acc[0]
1175 or @acc[0],$t0,$t0 ! !in1infty
1177 st $t0,[%fp+STACK_BIAS-16]
1179 ld [$bp],@acc[0] ! in2_x
1187 ld [$bp+32],$t0 ! in2_y
1195 or @acc[1],@acc[0],@acc[0]
1196 or @acc[3],@acc[2],@acc[2]
1197 or @acc[5],@acc[4],@acc[4]
1198 or @acc[7],@acc[6],@acc[6]
1199 or @acc[2],@acc[0],@acc[0]
1200 or @acc[6],@acc[4],@acc[4]
1201 or @acc[4],@acc[0],@acc[0]
1209 or @acc[0],$t0,$t0 ! !in2infty
1211 st $t0,[%fp+STACK_BIAS-12]
1215 call __ecp_nistz256_mul_mont ! p256_sqr_mont(Z1sqr, in1_z);
1216 add %sp,LOCALS+$Z1sqr,$rp
1219 add %sp,LOCALS+$Z1sqr,$ap
1220 call __ecp_nistz256_mul_mont ! p256_mul_mont(U2, Z1sqr, in2_x);
1221 add %sp,LOCALS+$U2,$rp
1224 call __ecp_nistz256_sub_from ! p256_sub(H, U2, in1_x);
1225 add %sp,LOCALS+$H,$rp
1228 add %sp,LOCALS+$Z1sqr,$ap
1229 call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, Z1sqr, in1_z);
1230 add %sp,LOCALS+$S2,$rp
1233 add %sp,LOCALS+$H,$ap
1234 call __ecp_nistz256_mul_mont ! p256_mul_mont(res_z, H, in1_z);
1235 add %sp,LOCALS+$res_z,$rp
1238 add %sp,LOCALS+$S2,$ap
1239 call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, S2, in2_y);
1240 add %sp,LOCALS+$S2,$rp
1243 call __ecp_nistz256_sub_from ! p256_sub(R, S2, in1_y);
1244 add %sp,LOCALS+$R,$rp
1246 add %sp,LOCALS+$H,$bp
1247 add %sp,LOCALS+$H,$ap
1248 call __ecp_nistz256_mul_mont ! p256_sqr_mont(Hsqr, H);
1249 add %sp,LOCALS+$Hsqr,$rp
1251 add %sp,LOCALS+$R,$bp
1252 add %sp,LOCALS+$R,$ap
1253 call __ecp_nistz256_mul_mont ! p256_sqr_mont(Rsqr, R);
1254 add %sp,LOCALS+$Rsqr,$rp
1256 add %sp,LOCALS+$H,$bp
1257 add %sp,LOCALS+$Hsqr,$ap
1258 call __ecp_nistz256_mul_mont ! p256_mul_mont(Hcub, Hsqr, H);
1259 add %sp,LOCALS+$Hcub,$rp
1262 add %sp,LOCALS+$Hsqr,$ap
1263 call __ecp_nistz256_mul_mont ! p256_mul_mont(U2, in1_x, Hsqr);
1264 add %sp,LOCALS+$U2,$rp
1266 call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(Hsqr, U2);
1267 add %sp,LOCALS+$Hsqr,$rp
1269 add %sp,LOCALS+$Rsqr,$bp
1270 call __ecp_nistz256_sub_morf ! p256_sub(res_x, Rsqr, Hsqr);
1271 add %sp,LOCALS+$res_x,$rp
1273 add %sp,LOCALS+$Hcub,$bp
1274 call __ecp_nistz256_sub_from ! p256_sub(res_x, res_x, Hcub);
1275 add %sp,LOCALS+$res_x,$rp
1277 add %sp,LOCALS+$U2,$bp
1278 call __ecp_nistz256_sub_morf ! p256_sub(res_y, U2, res_x);
1279 add %sp,LOCALS+$res_y,$rp
1282 add %sp,LOCALS+$Hcub,$ap
1283 call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, in1_y, Hcub);
1284 add %sp,LOCALS+$S2,$rp
1286 add %sp,LOCALS+$R,$bp
1287 add %sp,LOCALS+$res_y,$ap
1288 call __ecp_nistz256_mul_mont ! p256_mul_mont(res_y, res_y, R);
1289 add %sp,LOCALS+$res_y,$rp
1291 add %sp,LOCALS+$S2,$bp
1292 call __ecp_nistz256_sub_from ! p256_sub(res_y, res_y, S2);
1293 add %sp,LOCALS+$res_y,$rp
1295 ld [%fp+STACK_BIAS-16],$t1 ! !in1infty
1296 ld [%fp+STACK_BIAS-12],$t2 ! !in2infty
1297 ldx [%fp+STACK_BIAS-8],$rp
1299 for($i=0;$i<64;$i+=8) { # conditional moves
1301 ld [%sp+LOCALS+$i],@acc[0] ! res
1302 ld [%sp+LOCALS+$i+4],@acc[1]
1303 ld [$bp_real+$i],@acc[2] ! in2
1304 ld [$bp_real+$i+4],@acc[3]
1305 ld [$ap_real+$i],@acc[4] ! in1
1306 ld [$ap_real+$i+4],@acc[5]
1307 movrz $t1,@acc[2],@acc[0]
1308 movrz $t1,@acc[3],@acc[1]
1309 movrz $t2,@acc[4],@acc[0]
1310 movrz $t2,@acc[5],@acc[1]
1312 st @acc[1],[$rp+$i+4]
1318 ld [%sp+LOCALS+$i],@acc[0] ! res
1319 ld [%sp+LOCALS+$i+4],@acc[1]
1320 ld [$ap_real+$i],@acc[4] ! in1
1321 ld [$ap_real+$i+4],@acc[5]
1322 movrz $t1,@ONE_mont[$j],@acc[0]
1323 movrz $t1,@ONE_mont[$j+1],@acc[1]
1324 movrz $t2,@acc[4],@acc[0]
1325 movrz $t2,@acc[5],@acc[1]
1327 st @acc[1],[$rp+$i+4]
1333 .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
1337 my ($out,$inp,$index)=map("%i$_",(0..2));
1341 ! void ecp_nistz256_scatter_w5(void *%i0,const P256_POINT *%i1,
1343 .globl ecp_nistz256_scatter_w5
1345 ecp_nistz256_scatter_w5:
1346 save %sp,-STACK_FRAME,%sp
1349 add $out,$index,$out
1360 st %l0,[$out+64*0-4]
1361 st %l1,[$out+64*1-4]
1362 st %l2,[$out+64*2-4]
1363 st %l3,[$out+64*3-4]
1364 st %l4,[$out+64*4-4]
1365 st %l5,[$out+64*5-4]
1366 st %l6,[$out+64*6-4]
1367 st %l7,[$out+64*7-4]
1379 st %l0,[$out+64*0-4]
1380 st %l1,[$out+64*1-4]
1381 st %l2,[$out+64*2-4]
1382 st %l3,[$out+64*3-4]
1383 st %l4,[$out+64*4-4]
1384 st %l5,[$out+64*5-4]
1385 st %l6,[$out+64*6-4]
1386 st %l7,[$out+64*7-4]
1397 st %l0,[$out+64*0-4]
1398 st %l1,[$out+64*1-4]
1399 st %l2,[$out+64*2-4]
1400 st %l3,[$out+64*3-4]
1401 st %l4,[$out+64*4-4]
1402 st %l5,[$out+64*5-4]
1403 st %l6,[$out+64*6-4]
1404 st %l7,[$out+64*7-4]
1408 .size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5
1410 ! void ecp_nistz256_gather_w5(P256_POINT *%i0,const void *%i1,
1412 .globl ecp_nistz256_gather_w5
1414 ecp_nistz256_gather_w5:
1415 save %sp,-STACK_FRAME,%sp
1420 add $index,$mask,$index
1422 add $inp,$index,$inp
1505 .size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5
1507 ! void ecp_nistz256_scatter_w7(void *%i0,const P256_POINT_AFFINE *%i1,
1509 .globl ecp_nistz256_scatter_w7
1511 ecp_nistz256_scatter_w7:
1512 save %sp,-STACK_FRAME,%sp
1514 add $out,$index,$out
1519 subcc $index,1,$index
1520 stb %l0,[$out+64*0-1]
1522 stb %l1,[$out+64*1-1]
1524 stb %l2,[$out+64*2-1]
1526 stb %l3,[$out+64*3-1]
1527 bne .Loop_scatter_w7
1532 .size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7
1534 ! void ecp_nistz256_gather_w7(P256_POINT_AFFINE *%i0,const void *%i1,
1536 .globl ecp_nistz256_gather_w7
1538 ecp_nistz256_gather_w7:
1539 save %sp,-STACK_FRAME,%sp
1544 add $index,$mask,$index
1545 add $inp,$index,$inp
1549 ldub [$inp+64*0],%l0
1550 prefetch [$inp+3840+64*0],1
1551 subcc $index,1,$index
1552 ldub [$inp+64*1],%l1
1553 prefetch [$inp+3840+64*1],1
1554 ldub [$inp+64*2],%l2
1555 prefetch [$inp+3840+64*2],1
1556 ldub [$inp+64*3],%l3
1557 prefetch [$inp+3840+64*3],1
1572 .size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7
1576 ########################################################################
1577 # Following subroutines are VIS3 counterparts of those above that
1578 # implement ones found in ecp_nistz256.c. Key difference is that they
1579 # use 128-bit muliplication and addition with 64-bit carry, and in order
1580 # to do that they perform conversion from uin32_t[8] to uint64_t[4] upon
1581 # entry and vice versa on return.
1583 my ($rp,$ap,$bp)=map("%i$_",(0..2));
1584 my ($t0,$t1,$t2,$t3,$a0,$a1,$a2,$a3)=map("%l$_",(0..7));
1585 my ($acc0,$acc1,$acc2,$acc3,$acc4,$acc5)=map("%o$_",(0..5));
1586 my ($bi,$poly1,$poly3,$minus1)=(map("%i$_",(3..5)),"%g1");
1587 my ($rp_real,$ap_real)=("%g2","%g3");
1588 my ($acc6,$acc7)=($bp,$bi); # used in squaring
1592 __ecp_nistz256_mul_by_2_vis3:
1593 addcc $acc0,$acc0,$acc0
1594 addxccc $acc1,$acc1,$acc1
1595 addxccc $acc2,$acc2,$acc2
1596 addxccc $acc3,$acc3,$acc3
1597 b .Lreduce_by_sub_vis3
1598 addxc %g0,%g0,$acc4 ! did it carry?
1599 .size __ecp_nistz256_mul_by_2_vis3,.-__ecp_nistz256_mul_by_2_vis3
1602 __ecp_nistz256_add_vis3:
1608 __ecp_nistz256_add_noload_vis3:
1610 addcc $t0,$acc0,$acc0
1611 addxccc $t1,$acc1,$acc1
1612 addxccc $t2,$acc2,$acc2
1613 addxccc $t3,$acc3,$acc3
1614 addxc %g0,%g0,$acc4 ! did it carry?
1616 .Lreduce_by_sub_vis3:
1618 addcc $acc0,1,$t0 ! add -modulus, i.e. subtract
1619 addxccc $acc1,$poly1,$t1
1620 addxccc $acc2,$minus1,$t2
1621 addxc $acc3,$poly3,$t3
1623 movrnz $acc4,$t0,$acc0 ! if a+b carried, ret = ret-mod
1624 movrnz $acc4,$t1,$acc1
1626 movrnz $acc4,$t2,$acc2
1628 movrnz $acc4,$t3,$acc3
1632 .size __ecp_nistz256_add_vis3,.-__ecp_nistz256_add_vis3
1634 ! Trouble with subtraction is that there is no subtraction with 64-bit
1635 ! borrow, only with 32-bit one. For this reason we "decompose" 64-bit
1636 ! $acc0-$acc3 to 32-bit values and pick b[4] in 32-bit pieces. But
1637 ! recall that SPARC is big-endian, which is why you'll observe that
1638 ! b[4] is accessed as 4-0-12-8-20-16-28-24. And prior reduction we
1639 ! "collect" result back to 64-bit $acc0-$acc3.
1641 __ecp_nistz256_sub_from_vis3:
1650 subcc $acc0,$t0,$acc0
1652 subccc $acc4,$t1,$acc4
1654 subccc $acc1,$t2,$acc1
1656 and $acc0,$poly1,$acc0
1657 subccc $acc5,$t3,$acc5
1660 and $acc1,$poly1,$acc1
1662 or $acc0,$acc4,$acc0
1664 or $acc1,$acc5,$acc1
1666 subccc $acc2,$t0,$acc2
1667 subccc $acc4,$t1,$acc4
1668 subccc $acc3,$t2,$acc3
1669 and $acc2,$poly1,$acc2
1670 subccc $acc5,$t3,$acc5
1672 and $acc3,$poly1,$acc3
1674 or $acc2,$acc4,$acc2
1675 subc %g0,%g0,$acc4 ! did it borrow?
1676 b .Lreduce_by_add_vis3
1677 or $acc3,$acc5,$acc3
1678 .size __ecp_nistz256_sub_from_vis3,.-__ecp_nistz256_sub_from_vis3
1681 __ecp_nistz256_sub_morf_vis3:
1690 subcc $t0,$acc0,$acc0
1692 subccc $t1,$acc4,$acc4
1694 subccc $t2,$acc1,$acc1
1696 and $acc0,$poly1,$acc0
1697 subccc $t3,$acc5,$acc5
1700 and $acc1,$poly1,$acc1
1702 or $acc0,$acc4,$acc0
1704 or $acc1,$acc5,$acc1
1706 subccc $t0,$acc2,$acc2
1707 subccc $t1,$acc4,$acc4
1708 subccc $t2,$acc3,$acc3
1709 and $acc2,$poly1,$acc2
1710 subccc $t3,$acc5,$acc5
1712 and $acc3,$poly1,$acc3
1714 or $acc2,$acc4,$acc2
1715 subc %g0,%g0,$acc4 ! did it borrow?
1716 or $acc3,$acc5,$acc3
1718 .Lreduce_by_add_vis3:
1720 addcc $acc0,-1,$t0 ! add modulus
1722 addxccc $acc1,$poly1,$t1
1723 not $poly1,$poly1 ! restore $poly1
1724 addxccc $acc2,%g0,$t2
1727 movrnz $acc4,$t0,$acc0 ! if a-b borrowed, ret = ret+mod
1728 movrnz $acc4,$t1,$acc1
1730 movrnz $acc4,$t2,$acc2
1732 movrnz $acc4,$t3,$acc3
1736 .size __ecp_nistz256_sub_morf_vis3,.-__ecp_nistz256_sub_morf_vis3
1739 __ecp_nistz256_div_by_2_vis3:
1740 ! ret = (a is odd ? a+mod : a) >> 1
1745 addcc $acc0,-1,$t0 ! add modulus
1746 addxccc $acc1,$t1,$t1
1747 addxccc $acc2,%g0,$t2
1748 addxccc $acc3,$t3,$t3
1749 addxc %g0,%g0,$acc4 ! carry bit
1751 movrnz $acc5,$t0,$acc0
1752 movrnz $acc5,$t1,$acc1
1753 movrnz $acc5,$t2,$acc2
1754 movrnz $acc5,$t3,$acc3
1755 movrz $acc5,%g0,$acc4
1770 sllx $acc4,63,$t3 ! don't forget carry bit
1776 .size __ecp_nistz256_div_by_2_vis3,.-__ecp_nistz256_div_by_2_vis3
1778 ! compared to __ecp_nistz256_mul_mont it's almost 4x smaller and
1779 ! 4x faster [on T4]...
1781 __ecp_nistz256_mul_mont_vis3:
1783 not $poly3,$poly3 ! 0xFFFFFFFF00000001
1791 ldx [$bp+8],$bi ! b[1]
1793 addcc $acc1,$t0,$acc1 ! accumulate high parts of multiplication
1795 addxccc $acc2,$t1,$acc2
1797 addxccc $acc3,$t2,$acc3
1801 for($i=1;$i<4;$i++) {
1802 # Reduction iteration is normally performed by accumulating
1803 # result of multiplication of modulus by "magic" digit [and
1804 # omitting least significant word, which is guaranteed to
1805 # be 0], but thanks to special form of modulus and "magic"
1806 # digit being equal to least significant word, it can be
1807 # performed with additions and subtractions alone. Indeed:
1809 # ffff0001.00000000.0000ffff.ffffffff
1811 # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
1813 # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
1816 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
1817 # + abcdefgh.abcdefgh.0000abcd.efgh0000.00000000
1818 # - 0000abcd.efgh0000.00000000.00000000.abcdefgh
1820 # or marking redundant operations:
1822 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.--------
1823 # + abcdefgh.abcdefgh.0000abcd.efgh0000.--------
1824 # - 0000abcd.efgh0000.--------.--------.--------
1825 # ^^^^^^^^ but this word is calculated with umulxhi, because
1826 # there is no subtract with 64-bit borrow:-(
1829 sub $acc0,$t0,$t2 ! acc0*0xFFFFFFFF00000001, low part
1830 umulxhi $acc0,$poly3,$t3 ! acc0*0xFFFFFFFF00000001, high part
1831 addcc $acc1,$t0,$acc0 ! +=acc[0]<<96 and omit acc[0]
1833 addxccc $acc2,$t1,$acc1
1835 addxccc $acc3,$t2,$acc2 ! +=acc[0]*0xFFFFFFFF00000001
1837 addxccc $acc4,$t3,$acc3
1839 addxc $acc5,%g0,$acc4
1841 addcc $acc0,$t0,$acc0 ! accumulate low parts of multiplication
1843 addxccc $acc1,$t1,$acc1
1845 addxccc $acc2,$t2,$acc2
1847 addxccc $acc3,$t3,$acc3
1849 addxc $acc4,%g0,$acc4
1851 $code.=<<___ if ($i<3);
1852 ldx [$bp+8*($i+1)],$bi ! bp[$i+1]
1855 addcc $acc1,$t0,$acc1 ! accumulate high parts of multiplication
1857 addxccc $acc2,$t1,$acc2
1859 addxccc $acc3,$t2,$acc3
1860 addxccc $acc4,$t3,$acc4
1865 sub $acc0,$t0,$t2 ! acc0*0xFFFFFFFF00000001, low part
1866 umulxhi $acc0,$poly3,$t3 ! acc0*0xFFFFFFFF00000001, high part
1867 addcc $acc1,$t0,$acc0 ! +=acc[0]<<96 and omit acc[0]
1868 addxccc $acc2,$t1,$acc1
1869 addxccc $acc3,$t2,$acc2 ! +=acc[0]*0xFFFFFFFF00000001
1870 addxccc $acc4,$t3,$acc3
1871 b .Lmul_final_vis3 ! see below
1872 addxc $acc5,%g0,$acc4
1873 .size __ecp_nistz256_mul_mont_vis3,.-__ecp_nistz256_mul_mont_vis3
1875 ! compared to above __ecp_nistz256_mul_mont_vis3 it's 21% less
1876 ! instructions, but only 14% faster [on T4]...
1878 __ecp_nistz256_sqr_mont_vis3:
1879 ! | | | | | |a1*a0| |
1880 ! | | | | |a2*a0| | |
1881 ! | |a3*a2|a3*a0| | | |
1882 ! | | | |a2*a1| | | |
1883 ! | | |a3*a1| | | | |
1884 ! *| | | | | | | | 2|
1885 ! +|a3*a3|a2*a2|a1*a1|a0*a0|
1886 ! |--+--+--+--+--+--+--+--|
1887 ! |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
1889 ! "can't overflow" below mark carrying into high part of
1890 ! multiplication result, which can't overflow, because it
1891 ! can never be all ones.
1893 mulx $a1,$a0,$acc1 ! a[1]*a[0]
1895 mulx $a2,$a0,$acc2 ! a[2]*a[0]
1897 mulx $a3,$a0,$acc3 ! a[3]*a[0]
1898 umulxhi $a3,$a0,$acc4
1900 addcc $acc2,$t1,$acc2 ! accumulate high parts of multiplication
1901 mulx $a2,$a1,$t0 ! a[2]*a[1]
1903 addxccc $acc3,$t2,$acc3
1904 mulx $a3,$a1,$t2 ! a[3]*a[1]
1906 addxc $acc4,%g0,$acc4 ! can't overflow
1908 mulx $a3,$a2,$acc5 ! a[3]*a[2]
1909 not $poly3,$poly3 ! 0xFFFFFFFF00000001
1910 umulxhi $a3,$a2,$acc6
1912 addcc $t2,$t1,$t1 ! accumulate high parts of multiplication
1913 mulx $a0,$a0,$acc0 ! a[0]*a[0]
1914 addxc $t3,%g0,$t2 ! can't overflow
1916 addcc $acc3,$t0,$acc3 ! accumulate low parts of multiplication
1918 addxccc $acc4,$t1,$acc4
1919 mulx $a1,$a1,$t1 ! a[1]*a[1]
1920 addxccc $acc5,$t2,$acc5
1922 addxc $acc6,%g0,$acc6 ! can't overflow
1924 addcc $acc1,$acc1,$acc1 ! acc[1-6]*=2
1925 mulx $a2,$a2,$t2 ! a[2]*a[2]
1926 addxccc $acc2,$acc2,$acc2
1928 addxccc $acc3,$acc3,$acc3
1929 mulx $a3,$a3,$t3 ! a[3]*a[3]
1930 addxccc $acc4,$acc4,$acc4
1932 addxccc $acc5,$acc5,$acc5
1933 addxccc $acc6,$acc6,$acc6
1936 addcc $acc1,$a0,$acc1 ! +a[i]*a[i]
1937 addxccc $acc2,$t1,$acc2
1938 addxccc $acc3,$a1,$acc3
1939 addxccc $acc4,$t2,$acc4
1941 addxccc $acc5,$a2,$acc5
1943 addxccc $acc6,$t3,$acc6
1944 sub $acc0,$t0,$t2 ! acc0*0xFFFFFFFF00000001, low part
1945 addxc $acc7,$a3,$acc7
1947 for($i=0;$i<3;$i++) { # reductions, see commentary
1948 # in multiplication for details
1950 umulxhi $acc0,$poly3,$t3 ! acc0*0xFFFFFFFF00000001, high part
1951 addcc $acc1,$t0,$acc0 ! +=acc[0]<<96 and omit acc[0]
1953 addxccc $acc2,$t1,$acc1
1955 addxccc $acc3,$t2,$acc2 ! +=acc[0]*0xFFFFFFFF00000001
1956 sub $acc0,$t0,$t2 ! acc0*0xFFFFFFFF00000001, low part
1957 addxc %g0,$t3,$acc3 ! cant't overflow
1961 umulxhi $acc0,$poly3,$t3 ! acc0*0xFFFFFFFF00000001, high part
1962 addcc $acc1,$t0,$acc0 ! +=acc[0]<<96 and omit acc[0]
1963 addxccc $acc2,$t1,$acc1
1964 addxccc $acc3,$t2,$acc2 ! +=acc[0]*0xFFFFFFFF00000001
1965 addxc %g0,$t3,$acc3 ! can't overflow
1967 addcc $acc0,$acc4,$acc0 ! accumulate upper half
1968 addxccc $acc1,$acc5,$acc1
1969 addxccc $acc2,$acc6,$acc2
1970 addxccc $acc3,$acc7,$acc3
1975 ! Final step is "if result > mod, subtract mod", but as comparison
1976 ! means subtraction, we do the subtraction and then copy outcome
1977 ! if it didn't borrow. But note that as we [have to] replace
1978 ! subtraction with addition with negative, carry/borrow logic is
1981 addcc $acc0,1,$t0 ! add -modulus, i.e. subtract
1982 not $poly3,$poly3 ! restore 0x00000000FFFFFFFE
1983 addxccc $acc1,$poly1,$t1
1984 addxccc $acc2,$minus1,$t2
1985 addxccc $acc3,$poly3,$t3
1986 addxccc $acc4,$minus1,%g0 ! did it carry?
1988 movcs %xcc,$t0,$acc0
1989 movcs %xcc,$t1,$acc1
1991 movcs %xcc,$t2,$acc2
1993 movcs %xcc,$t3,$acc3
1997 .size __ecp_nistz256_sqr_mont_vis3,.-__ecp_nistz256_sqr_mont_vis3
2000 ########################################################################
2001 # void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp);
2004 my ($res_x,$res_y,$res_z,
2006 $S,$M,$Zsqr,$tmp0)=map(32*$_,(0..9));
2007 # above map() describes stack layout with 10 temporary
2008 # 256-bit vectors on top.
2012 ecp_nistz256_point_double_vis3:
2013 save %sp,-STACK64_FRAME-32*10,%sp
2018 sllx $minus1,32,$poly1 ! 0xFFFFFFFF00000000
2019 srl $poly3,0,$poly3 ! 0x00000000FFFFFFFE
2021 ! convert input to uint64_t[4]
2032 ld [$ap+32],$acc0 ! in_y
2040 ld [$ap+32+16],$acc2
2044 ld [$ap+32+24],$acc3
2048 stx $a0,[%sp+LOCALS64+$in_x]
2050 stx $a1,[%sp+LOCALS64+$in_x+8]
2052 stx $a2,[%sp+LOCALS64+$in_x+16]
2054 stx $a3,[%sp+LOCALS64+$in_x+24]
2056 stx $acc0,[%sp+LOCALS64+$in_y]
2058 stx $acc1,[%sp+LOCALS64+$in_y+8]
2060 stx $acc2,[%sp+LOCALS64+$in_y+16]
2061 stx $acc3,[%sp+LOCALS64+$in_y+24]
2063 ld [$ap+64],$a0 ! in_z
2081 stx $a0,[%sp+LOCALS64+$in_z]
2083 stx $a1,[%sp+LOCALS64+$in_z+8]
2085 stx $a2,[%sp+LOCALS64+$in_z+16]
2086 stx $a3,[%sp+LOCALS64+$in_z+24]
2088 ! in_y is still in $acc0-$acc3
2089 call __ecp_nistz256_mul_by_2_vis3 ! p256_mul_by_2(S, in_y);
2090 add %sp,LOCALS64+$S,$rp
2092 ! in_z is still in $a0-$a3
2093 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Zsqr, in_z);
2094 add %sp,LOCALS64+$Zsqr,$rp
2096 mov $acc0,$a0 ! put Zsqr aside
2101 add %sp,LOCALS64+$in_x,$bp
2102 call __ecp_nistz256_add_vis3 ! p256_add(M, Zsqr, in_x);
2103 add %sp,LOCALS64+$M,$rp
2105 mov $a0,$acc0 ! restore Zsqr
2106 ldx [%sp+LOCALS64+$S],$a0 ! forward load
2108 ldx [%sp+LOCALS64+$S+8],$a1
2110 ldx [%sp+LOCALS64+$S+16],$a2
2112 ldx [%sp+LOCALS64+$S+24],$a3
2114 add %sp,LOCALS64+$in_x,$bp
2115 call __ecp_nistz256_sub_morf_vis3 ! p256_sub(Zsqr, in_x, Zsqr);
2116 add %sp,LOCALS64+$Zsqr,$rp
2118 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(S, S);
2119 add %sp,LOCALS64+$S,$rp
2121 ldx [%sp+LOCALS64+$in_z],$bi
2122 ldx [%sp+LOCALS64+$in_y],$a0
2123 ldx [%sp+LOCALS64+$in_y+8],$a1
2124 ldx [%sp+LOCALS64+$in_y+16],$a2
2125 ldx [%sp+LOCALS64+$in_y+24],$a3
2126 add %sp,LOCALS64+$in_z,$bp
2127 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(tmp0, in_z, in_y);
2128 add %sp,LOCALS64+$tmp0,$rp
2130 ldx [%sp+LOCALS64+$M],$bi ! forward load
2131 ldx [%sp+LOCALS64+$Zsqr],$a0
2132 ldx [%sp+LOCALS64+$Zsqr+8],$a1
2133 ldx [%sp+LOCALS64+$Zsqr+16],$a2
2134 ldx [%sp+LOCALS64+$Zsqr+24],$a3
2136 call __ecp_nistz256_mul_by_2_vis3 ! p256_mul_by_2(res_z, tmp0);
2137 add %sp,LOCALS64+$res_z,$rp
2139 add %sp,LOCALS64+$M,$bp
2140 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(M, M, Zsqr);
2141 add %sp,LOCALS64+$M,$rp
2143 mov $acc0,$a0 ! put aside M
2147 call __ecp_nistz256_mul_by_2_vis3
2148 add %sp,LOCALS64+$M,$rp
2149 mov $a0,$t0 ! copy M
2150 ldx [%sp+LOCALS64+$S],$a0 ! forward load
2152 ldx [%sp+LOCALS64+$S+8],$a1
2154 ldx [%sp+LOCALS64+$S+16],$a2
2156 ldx [%sp+LOCALS64+$S+24],$a3
2157 call __ecp_nistz256_add_noload_vis3 ! p256_mul_by_3(M, M);
2158 add %sp,LOCALS64+$M,$rp
2160 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(tmp0, S);
2161 add %sp,LOCALS64+$tmp0,$rp
2163 ldx [%sp+LOCALS64+$S],$bi ! forward load
2164 ldx [%sp+LOCALS64+$in_x],$a0
2165 ldx [%sp+LOCALS64+$in_x+8],$a1
2166 ldx [%sp+LOCALS64+$in_x+16],$a2
2167 ldx [%sp+LOCALS64+$in_x+24],$a3
2169 call __ecp_nistz256_div_by_2_vis3 ! p256_div_by_2(res_y, tmp0);
2170 add %sp,LOCALS64+$res_y,$rp
2172 add %sp,LOCALS64+$S,$bp
2173 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S, S, in_x);
2174 add %sp,LOCALS64+$S,$rp
2176 ldx [%sp+LOCALS64+$M],$a0 ! forward load
2177 ldx [%sp+LOCALS64+$M+8],$a1
2178 ldx [%sp+LOCALS64+$M+16],$a2
2179 ldx [%sp+LOCALS64+$M+24],$a3
2181 call __ecp_nistz256_mul_by_2_vis3 ! p256_mul_by_2(tmp0, S);
2182 add %sp,LOCALS64+$tmp0,$rp
2184 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(res_x, M);
2185 add %sp,LOCALS64+$res_x,$rp
2187 add %sp,LOCALS64+$tmp0,$bp
2188 call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_x, res_x, tmp0);
2189 add %sp,LOCALS64+$res_x,$rp
2191 ldx [%sp+LOCALS64+$M],$a0 ! forward load
2192 ldx [%sp+LOCALS64+$M+8],$a1
2193 ldx [%sp+LOCALS64+$M+16],$a2
2194 ldx [%sp+LOCALS64+$M+24],$a3
2196 add %sp,LOCALS64+$S,$bp
2197 call __ecp_nistz256_sub_morf_vis3 ! p256_sub(S, S, res_x);
2198 add %sp,LOCALS64+$S,$rp
2201 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S, S, M);
2202 add %sp,LOCALS64+$S,$rp
2204 ldx [%sp+LOCALS64+$res_x],$a0 ! forward load
2205 ldx [%sp+LOCALS64+$res_x+8],$a1
2206 ldx [%sp+LOCALS64+$res_x+16],$a2
2207 ldx [%sp+LOCALS64+$res_x+24],$a3
2209 add %sp,LOCALS64+$res_y,$bp
2210 call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_y, S, res_y);
2211 add %sp,LOCALS64+$res_y,$bp
2213 ! convert output to uint_32[8]
2216 st $a0,[$rp_real] ! res_x
2221 st $t1,[$rp_real+12]
2222 st $a2,[$rp_real+16]
2223 st $t2,[$rp_real+20]
2224 st $a3,[$rp_real+24]
2225 st $t3,[$rp_real+28]
2227 ldx [%sp+LOCALS64+$res_z],$a0 ! forward load
2229 ldx [%sp+LOCALS64+$res_z+8],$a1
2231 ldx [%sp+LOCALS64+$res_z+16],$a2
2233 ldx [%sp+LOCALS64+$res_z+24],$a3
2235 st $acc0,[$rp_real+32] ! res_y
2236 st $t0, [$rp_real+32+4]
2237 st $acc1,[$rp_real+32+8]
2238 st $t1, [$rp_real+32+12]
2239 st $acc2,[$rp_real+32+16]
2240 st $t2, [$rp_real+32+20]
2241 st $acc3,[$rp_real+32+24]
2242 st $t3, [$rp_real+32+28]
2246 st $a0,[$rp_real+64] ! res_z
2248 st $t0,[$rp_real+64+4]
2250 st $a1,[$rp_real+64+8]
2251 st $t1,[$rp_real+64+12]
2252 st $a2,[$rp_real+64+16]
2253 st $t2,[$rp_real+64+20]
2254 st $a3,[$rp_real+64+24]
2255 st $t3,[$rp_real+64+28]
2259 .size ecp_nistz256_point_double_vis3,.-ecp_nistz256_point_double_vis3
2262 ########################################################################
2263 # void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1,
2264 # const P256_POINT *in2);
2266 my ($res_x,$res_y,$res_z,
2267 $in1_x,$in1_y,$in1_z,
2268 $in2_x,$in2_y,$in2_z,
2269 $H,$Hsqr,$R,$Rsqr,$Hcub,
2270 $U1,$U2,$S1,$S2)=map(32*$_,(0..17));
2271 my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
2273 # above map() describes stack layout with 18 temporary
2274 # 256-bit vectors on top. Then we reserve some space for
2275 # !in1infty, !in2infty and result of check for zero.
2278 .globl ecp_nistz256_point_add_vis3
2280 ecp_nistz256_point_add_vis3:
2281 save %sp,-STACK64_FRAME-32*18-32,%sp
2286 sllx $minus1,32,$poly1 ! 0xFFFFFFFF00000000
2287 srl $poly3,0,$poly3 ! 0x00000000FFFFFFFE
2289 ! convert input to uint64_t[4]
2290 ld [$bp],$a0 ! in2_x
2300 ld [$bp+32],$acc0 ! in2_y
2308 ld [$bp+32+16],$acc2
2312 ld [$bp+32+24],$acc3
2316 stx $a0,[%sp+LOCALS64+$in2_x]
2318 stx $a1,[%sp+LOCALS64+$in2_x+8]
2320 stx $a2,[%sp+LOCALS64+$in2_x+16]
2322 stx $a3,[%sp+LOCALS64+$in2_x+24]
2324 stx $acc0,[%sp+LOCALS64+$in2_y]
2326 stx $acc1,[%sp+LOCALS64+$in2_y+8]
2328 stx $acc2,[%sp+LOCALS64+$in2_y+16]
2329 stx $acc3,[%sp+LOCALS64+$in2_y+24]
2333 or $acc1,$acc0,$acc0
2334 or $acc3,$acc2,$acc2
2336 or $acc2,$acc0,$acc0
2338 movrnz $a0,-1,$a0 ! !in2infty
2339 stx $a0,[%fp+STACK_BIAS-8]
2341 ld [$bp+64],$acc0 ! in2_z
2345 ld [$bp+64+16],$acc2
2347 ld [$bp+64+24],$acc3
2351 ld [$ap],$a0 ! in1_x
2367 stx $acc0,[%sp+LOCALS64+$in2_z]
2369 stx $acc1,[%sp+LOCALS64+$in2_z+8]
2371 stx $acc2,[%sp+LOCALS64+$in2_z+16]
2372 stx $acc3,[%sp+LOCALS64+$in2_z+24]
2375 ld [$ap+32],$acc0 ! in1_y
2382 ld [$ap+32+16],$acc2
2384 ld [$ap+32+24],$acc3
2388 stx $a0,[%sp+LOCALS64+$in1_x]
2390 stx $a1,[%sp+LOCALS64+$in1_x+8]
2392 stx $a2,[%sp+LOCALS64+$in1_x+16]
2394 stx $a3,[%sp+LOCALS64+$in1_x+24]
2396 stx $acc0,[%sp+LOCALS64+$in1_y]
2398 stx $acc1,[%sp+LOCALS64+$in1_y+8]
2400 stx $acc2,[%sp+LOCALS64+$in1_y+16]
2401 stx $acc3,[%sp+LOCALS64+$in1_y+24]
2405 or $acc1,$acc0,$acc0
2406 or $acc3,$acc2,$acc2
2408 or $acc2,$acc0,$acc0
2410 movrnz $a0,-1,$a0 ! !in1infty
2411 stx $a0,[%fp+STACK_BIAS-16]
2413 ldx [%sp+LOCALS64+$in2_z],$a0 ! forward load
2414 ldx [%sp+LOCALS64+$in2_z+8],$a1
2415 ldx [%sp+LOCALS64+$in2_z+16],$a2
2416 ldx [%sp+LOCALS64+$in2_z+24],$a3
2418 ld [$ap+64],$acc0 ! in1_z
2422 ld [$ap+64+16],$acc2
2424 ld [$ap+64+24],$acc3
2432 stx $acc0,[%sp+LOCALS64+$in1_z]
2434 stx $acc1,[%sp+LOCALS64+$in1_z+8]
2436 stx $acc2,[%sp+LOCALS64+$in1_z+16]
2437 stx $acc3,[%sp+LOCALS64+$in1_z+24]
2439 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Z2sqr, in2_z);
2440 add %sp,LOCALS64+$Z2sqr,$rp
2442 ldx [%sp+LOCALS64+$in1_z],$a0
2443 ldx [%sp+LOCALS64+$in1_z+8],$a1
2444 ldx [%sp+LOCALS64+$in1_z+16],$a2
2445 ldx [%sp+LOCALS64+$in1_z+24],$a3
2446 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Z1sqr, in1_z);
2447 add %sp,LOCALS64+$Z1sqr,$rp
2449 ldx [%sp+LOCALS64+$Z2sqr],$bi
2450 ldx [%sp+LOCALS64+$in2_z],$a0
2451 ldx [%sp+LOCALS64+$in2_z+8],$a1
2452 ldx [%sp+LOCALS64+$in2_z+16],$a2
2453 ldx [%sp+LOCALS64+$in2_z+24],$a3
2454 add %sp,LOCALS64+$Z2sqr,$bp
2455 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S1, Z2sqr, in2_z);
2456 add %sp,LOCALS64+$S1,$rp
2458 ldx [%sp+LOCALS64+$Z1sqr],$bi
2459 ldx [%sp+LOCALS64+$in1_z],$a0
2460 ldx [%sp+LOCALS64+$in1_z+8],$a1
2461 ldx [%sp+LOCALS64+$in1_z+16],$a2
2462 ldx [%sp+LOCALS64+$in1_z+24],$a3
2463 add %sp,LOCALS64+$Z1sqr,$bp
2464 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, Z1sqr, in1_z);
2465 add %sp,LOCALS64+$S2,$rp
2467 ldx [%sp+LOCALS64+$S1],$bi
2468 ldx [%sp+LOCALS64+$in1_y],$a0
2469 ldx [%sp+LOCALS64+$in1_y+8],$a1
2470 ldx [%sp+LOCALS64+$in1_y+16],$a2
2471 ldx [%sp+LOCALS64+$in1_y+24],$a3
2472 add %sp,LOCALS64+$S1,$bp
2473 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S1, S1, in1_y);
2474 add %sp,LOCALS64+$S1,$rp
2476 ldx [%sp+LOCALS64+$S2],$bi
2477 ldx [%sp+LOCALS64+$in2_y],$a0
2478 ldx [%sp+LOCALS64+$in2_y+8],$a1
2479 ldx [%sp+LOCALS64+$in2_y+16],$a2
2480 ldx [%sp+LOCALS64+$in2_y+24],$a3
2481 add %sp,LOCALS64+$S2,$bp
2482 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, S2, in2_y);
2483 add %sp,LOCALS64+$S2,$rp
2485 ldx [%sp+LOCALS64+$Z2sqr],$bi ! forward load
2486 ldx [%sp+LOCALS64+$in1_x],$a0
2487 ldx [%sp+LOCALS64+$in1_x+8],$a1
2488 ldx [%sp+LOCALS64+$in1_x+16],$a2
2489 ldx [%sp+LOCALS64+$in1_x+24],$a3
2491 add %sp,LOCALS64+$S1,$bp
2492 call __ecp_nistz256_sub_from_vis3 ! p256_sub(R, S2, S1);
2493 add %sp,LOCALS64+$R,$rp
2495 or $acc1,$acc0,$acc0 ! see if result is zero
2496 or $acc3,$acc2,$acc2
2497 or $acc2,$acc0,$acc0
2498 stx $acc0,[%fp+STACK_BIAS-24]
2500 add %sp,LOCALS64+$Z2sqr,$bp
2501 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U1, in1_x, Z2sqr);
2502 add %sp,LOCALS64+$U1,$rp
2504 ldx [%sp+LOCALS64+$Z1sqr],$bi
2505 ldx [%sp+LOCALS64+$in2_x],$a0
2506 ldx [%sp+LOCALS64+$in2_x+8],$a1
2507 ldx [%sp+LOCALS64+$in2_x+16],$a2
2508 ldx [%sp+LOCALS64+$in2_x+24],$a3
2509 add %sp,LOCALS64+$Z1sqr,$bp
2510 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U2, in2_x, Z1sqr);
2511 add %sp,LOCALS64+$U2,$rp
2513 ldx [%sp+LOCALS64+$R],$a0 ! forward load
2514 ldx [%sp+LOCALS64+$R+8],$a1
2515 ldx [%sp+LOCALS64+$R+16],$a2
2516 ldx [%sp+LOCALS64+$R+24],$a3
2518 add %sp,LOCALS64+$U1,$bp
2519 call __ecp_nistz256_sub_from_vis3 ! p256_sub(H, U2, U1);
2520 add %sp,LOCALS64+$H,$rp
2522 or $acc1,$acc0,$acc0 ! see if result is zero
2523 or $acc3,$acc2,$acc2
2524 orcc $acc2,$acc0,$acc0
2526 bne,pt %xcc,.Ladd_proceed_vis3 ! is_equal(U1,U2)?
2529 ldx [%fp+STACK_BIAS-8],$t0
2530 ldx [%fp+STACK_BIAS-16],$t1
2531 ldx [%fp+STACK_BIAS-24],$t2
2533 be,pt %xcc,.Ladd_proceed_vis3 ! (in1infty || in2infty)?
2536 be,pt %xcc,.Ladd_proceed_vis3 ! is_equal(S1,S2)?
2542 st %g0,[$rp_real+12]
2543 st %g0,[$rp_real+16]
2544 st %g0,[$rp_real+20]
2545 st %g0,[$rp_real+24]
2546 st %g0,[$rp_real+28]
2547 st %g0,[$rp_real+32]
2548 st %g0,[$rp_real+32+4]
2549 st %g0,[$rp_real+32+8]
2550 st %g0,[$rp_real+32+12]
2551 st %g0,[$rp_real+32+16]
2552 st %g0,[$rp_real+32+20]
2553 st %g0,[$rp_real+32+24]
2554 st %g0,[$rp_real+32+28]
2555 st %g0,[$rp_real+64]
2556 st %g0,[$rp_real+64+4]
2557 st %g0,[$rp_real+64+8]
2558 st %g0,[$rp_real+64+12]
2559 st %g0,[$rp_real+64+16]
2560 st %g0,[$rp_real+64+20]
2561 st %g0,[$rp_real+64+24]
2562 st %g0,[$rp_real+64+28]
2568 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Rsqr, R);
2569 add %sp,LOCALS64+$Rsqr,$rp
2571 ldx [%sp+LOCALS64+$H],$bi
2572 ldx [%sp+LOCALS64+$in1_z],$a0
2573 ldx [%sp+LOCALS64+$in1_z+8],$a1
2574 ldx [%sp+LOCALS64+$in1_z+16],$a2
2575 ldx [%sp+LOCALS64+$in1_z+24],$a3
2576 add %sp,LOCALS64+$H,$bp
2577 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_z, H, in1_z);
2578 add %sp,LOCALS64+$res_z,$rp
2580 ldx [%sp+LOCALS64+$H],$a0
2581 ldx [%sp+LOCALS64+$H+8],$a1
2582 ldx [%sp+LOCALS64+$H+16],$a2
2583 ldx [%sp+LOCALS64+$H+24],$a3
2584 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Hsqr, H);
2585 add %sp,LOCALS64+$Hsqr,$rp
2587 ldx [%sp+LOCALS64+$res_z],$bi
2588 ldx [%sp+LOCALS64+$in2_z],$a0
2589 ldx [%sp+LOCALS64+$in2_z+8],$a1
2590 ldx [%sp+LOCALS64+$in2_z+16],$a2
2591 ldx [%sp+LOCALS64+$in2_z+24],$a3
2592 add %sp,LOCALS64+$res_z,$bp
2593 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_z, res_z, in2_z);
2594 add %sp,LOCALS64+$res_z,$rp
2596 ldx [%sp+LOCALS64+$H],$bi
2597 ldx [%sp+LOCALS64+$Hsqr],$a0
2598 ldx [%sp+LOCALS64+$Hsqr+8],$a1
2599 ldx [%sp+LOCALS64+$Hsqr+16],$a2
2600 ldx [%sp+LOCALS64+$Hsqr+24],$a3
2601 add %sp,LOCALS64+$H,$bp
2602 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(Hcub, Hsqr, H);
2603 add %sp,LOCALS64+$Hcub,$rp
2605 ldx [%sp+LOCALS64+$U1],$bi
2606 ldx [%sp+LOCALS64+$Hsqr],$a0
2607 ldx [%sp+LOCALS64+$Hsqr+8],$a1
2608 ldx [%sp+LOCALS64+$Hsqr+16],$a2
2609 ldx [%sp+LOCALS64+$Hsqr+24],$a3
2610 add %sp,LOCALS64+$U1,$bp
2611 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U2, U1, Hsqr);
2612 add %sp,LOCALS64+$U2,$rp
2614 call __ecp_nistz256_mul_by_2_vis3 ! p256_mul_by_2(Hsqr, U2);
2615 add %sp,LOCALS64+$Hsqr,$rp
2617 add %sp,LOCALS64+$Rsqr,$bp
2618 call __ecp_nistz256_sub_morf_vis3 ! p256_sub(res_x, Rsqr, Hsqr);
2619 add %sp,LOCALS64+$res_x,$rp
2621 add %sp,LOCALS64+$Hcub,$bp
2622 call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_x, res_x, Hcub);
2623 add %sp,LOCALS64+$res_x,$rp
2625 ldx [%sp+LOCALS64+$S1],$bi ! forward load
2626 ldx [%sp+LOCALS64+$Hcub],$a0
2627 ldx [%sp+LOCALS64+$Hcub+8],$a1
2628 ldx [%sp+LOCALS64+$Hcub+16],$a2
2629 ldx [%sp+LOCALS64+$Hcub+24],$a3
2631 add %sp,LOCALS64+$U2,$bp
2632 call __ecp_nistz256_sub_morf_vis3 ! p256_sub(res_y, U2, res_x);
2633 add %sp,LOCALS64+$res_y,$rp
2635 add %sp,LOCALS64+$S1,$bp
2636 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, S1, Hcub);
2637 add %sp,LOCALS64+$S2,$rp
2639 ldx [%sp+LOCALS64+$R],$bi
2640 ldx [%sp+LOCALS64+$res_y],$a0
2641 ldx [%sp+LOCALS64+$res_y+8],$a1
2642 ldx [%sp+LOCALS64+$res_y+16],$a2
2643 ldx [%sp+LOCALS64+$res_y+24],$a3
2644 add %sp,LOCALS64+$R,$bp
2645 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_y, res_y, R);
2646 add %sp,LOCALS64+$res_y,$rp
2648 add %sp,LOCALS64+$S2,$bp
2649 call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_y, res_y, S2);
2650 add %sp,LOCALS64+$res_y,$rp
2652 ldx [%fp+STACK_BIAS-16],$t1 ! !in1infty
2653 ldx [%fp+STACK_BIAS-8],$t2 ! !in2infty
2655 for($i=0;$i<96;$i+=16) { # conditional moves
2657 ldx [%sp+LOCALS64+$res_x+$i],$acc0 ! res
2658 ldx [%sp+LOCALS64+$res_x+$i+8],$acc1
2659 ldx [%sp+LOCALS64+$in2_x+$i],$acc2 ! in2
2660 ldx [%sp+LOCALS64+$in2_x+$i+8],$acc3
2661 ldx [%sp+LOCALS64+$in1_x+$i],$acc4 ! in1
2662 ldx [%sp+LOCALS64+$in1_x+$i+8],$acc5
2663 movrz $t1,$acc2,$acc0
2664 movrz $t1,$acc3,$acc1
2665 movrz $t2,$acc4,$acc0
2666 movrz $t2,$acc5,$acc1
2669 st $acc0,[$rp_real+$i]
2670 st $acc2,[$rp_real+$i+4]
2671 st $acc1,[$rp_real+$i+8]
2672 st $acc3,[$rp_real+$i+12]
2679 .size ecp_nistz256_point_add_vis3,.-ecp_nistz256_point_add_vis3
2682 ########################################################################
2683 # void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1,
2684 # const P256_POINT_AFFINE *in2);
2686 my ($res_x,$res_y,$res_z,
2687 $in1_x,$in1_y,$in1_z,
2689 $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(32*$_,(0..14));
2691 # above map() describes stack layout with 15 temporary
2692 # 256-bit vectors on top. Then we reserve some space for
2693 # !in1infty and !in2infty.
2697 ecp_nistz256_point_add_affine_vis3:
2698 save %sp,-STACK64_FRAME-32*15-32,%sp
2703 sllx $minus1,32,$poly1 ! 0xFFFFFFFF00000000
2704 srl $poly3,0,$poly3 ! 0x00000000FFFFFFFE
2706 ! convert input to uint64_t[4]
2707 ld [$bp],$a0 ! in2_x
2717 ld [$bp+32],$acc0 ! in2_y
2725 ld [$bp+32+16],$acc2
2729 ld [$bp+32+24],$acc3
2733 stx $a0,[%sp+LOCALS64+$in2_x]
2735 stx $a1,[%sp+LOCALS64+$in2_x+8]
2737 stx $a2,[%sp+LOCALS64+$in2_x+16]
2739 stx $a3,[%sp+LOCALS64+$in2_x+24]
2741 stx $acc0,[%sp+LOCALS64+$in2_y]
2743 stx $acc1,[%sp+LOCALS64+$in2_y+8]
2745 stx $acc2,[%sp+LOCALS64+$in2_y+16]
2746 stx $acc3,[%sp+LOCALS64+$in2_y+24]
2750 or $acc1,$acc0,$acc0
2751 or $acc3,$acc2,$acc2
2753 or $acc2,$acc0,$acc0
2755 movrnz $a0,-1,$a0 ! !in2infty
2756 stx $a0,[%fp+STACK_BIAS-8]
2758 ld [$ap],$a0 ! in1_x
2768 ld [$ap+32],$acc0 ! in1_y
2776 ld [$ap+32+16],$acc2
2780 ld [$ap+32+24],$acc3
2784 stx $a0,[%sp+LOCALS64+$in1_x]
2786 stx $a1,[%sp+LOCALS64+$in1_x+8]
2788 stx $a2,[%sp+LOCALS64+$in1_x+16]
2790 stx $a3,[%sp+LOCALS64+$in1_x+24]
2792 stx $acc0,[%sp+LOCALS64+$in1_y]
2794 stx $acc1,[%sp+LOCALS64+$in1_y+8]
2796 stx $acc2,[%sp+LOCALS64+$in1_y+16]
2797 stx $acc3,[%sp+LOCALS64+$in1_y+24]
2801 or $acc1,$acc0,$acc0
2802 or $acc3,$acc2,$acc2
2804 or $acc2,$acc0,$acc0
2806 movrnz $a0,-1,$a0 ! !in1infty
2807 stx $a0,[%fp+STACK_BIAS-16]
2809 ld [$ap+64],$a0 ! in1_z
2823 stx $a0,[%sp+LOCALS64+$in1_z]
2825 stx $a1,[%sp+LOCALS64+$in1_z+8]
2827 stx $a2,[%sp+LOCALS64+$in1_z+16]
2828 stx $a3,[%sp+LOCALS64+$in1_z+24]
2830 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Z1sqr, in1_z);
2831 add %sp,LOCALS64+$Z1sqr,$rp
2833 ldx [%sp+LOCALS64+$in2_x],$bi
2838 add %sp,LOCALS64+$in2_x,$bp
2839 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U2, Z1sqr, in2_x);
2840 add %sp,LOCALS64+$U2,$rp
2842 ldx [%sp+LOCALS64+$Z1sqr],$bi ! forward load
2843 ldx [%sp+LOCALS64+$in1_z],$a0
2844 ldx [%sp+LOCALS64+$in1_z+8],$a1
2845 ldx [%sp+LOCALS64+$in1_z+16],$a2
2846 ldx [%sp+LOCALS64+$in1_z+24],$a3
2848 add %sp,LOCALS64+$in1_x,$bp
2849 call __ecp_nistz256_sub_from_vis3 ! p256_sub(H, U2, in1_x);
2850 add %sp,LOCALS64+$H,$rp
2852 add %sp,LOCALS64+$Z1sqr,$bp
2853 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, Z1sqr, in1_z);
2854 add %sp,LOCALS64+$S2,$rp
2856 ldx [%sp+LOCALS64+$H],$bi
2857 ldx [%sp+LOCALS64+$in1_z],$a0
2858 ldx [%sp+LOCALS64+$in1_z+8],$a1
2859 ldx [%sp+LOCALS64+$in1_z+16],$a2
2860 ldx [%sp+LOCALS64+$in1_z+24],$a3
2861 add %sp,LOCALS64+$H,$bp
2862 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_z, H, in1_z);
2863 add %sp,LOCALS64+$res_z,$rp
2865 ldx [%sp+LOCALS64+$S2],$bi
2866 ldx [%sp+LOCALS64+$in2_y],$a0
2867 ldx [%sp+LOCALS64+$in2_y+8],$a1
2868 ldx [%sp+LOCALS64+$in2_y+16],$a2
2869 ldx [%sp+LOCALS64+$in2_y+24],$a3
2870 add %sp,LOCALS64+$S2,$bp
2871 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, S2, in2_y);
2872 add %sp,LOCALS64+$S2,$rp
2874 ldx [%sp+LOCALS64+$H],$a0 ! forward load
2875 ldx [%sp+LOCALS64+$H+8],$a1
2876 ldx [%sp+LOCALS64+$H+16],$a2
2877 ldx [%sp+LOCALS64+$H+24],$a3
2879 add %sp,LOCALS64+$in1_y,$bp
2880 call __ecp_nistz256_sub_from_vis3 ! p256_sub(R, S2, in1_y);
2881 add %sp,LOCALS64+$R,$rp
2883 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Hsqr, H);
2884 add %sp,LOCALS64+$Hsqr,$rp
2886 ldx [%sp+LOCALS64+$R],$a0
2887 ldx [%sp+LOCALS64+$R+8],$a1
2888 ldx [%sp+LOCALS64+$R+16],$a2
2889 ldx [%sp+LOCALS64+$R+24],$a3
2890 call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Rsqr, R);
2891 add %sp,LOCALS64+$Rsqr,$rp
2893 ldx [%sp+LOCALS64+$H],$bi
2894 ldx [%sp+LOCALS64+$Hsqr],$a0
2895 ldx [%sp+LOCALS64+$Hsqr+8],$a1
2896 ldx [%sp+LOCALS64+$Hsqr+16],$a2
2897 ldx [%sp+LOCALS64+$Hsqr+24],$a3
2898 add %sp,LOCALS64+$H,$bp
2899 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(Hcub, Hsqr, H);
2900 add %sp,LOCALS64+$Hcub,$rp
2902 ldx [%sp+LOCALS64+$Hsqr],$bi
2903 ldx [%sp+LOCALS64+$in1_x],$a0
2904 ldx [%sp+LOCALS64+$in1_x+8],$a1
2905 ldx [%sp+LOCALS64+$in1_x+16],$a2
2906 ldx [%sp+LOCALS64+$in1_x+24],$a3
2907 add %sp,LOCALS64+$Hsqr,$bp
2908 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U2, in1_x, Hsqr);
2909 add %sp,LOCALS64+$U2,$rp
2911 call __ecp_nistz256_mul_by_2_vis3 ! p256_mul_by_2(Hsqr, U2);
2912 add %sp,LOCALS64+$Hsqr,$rp
2914 add %sp,LOCALS64+$Rsqr,$bp
2915 call __ecp_nistz256_sub_morf_vis3 ! p256_sub(res_x, Rsqr, Hsqr);
2916 add %sp,LOCALS64+$res_x,$rp
2918 add %sp,LOCALS64+$Hcub,$bp
2919 call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_x, res_x, Hcub);
2920 add %sp,LOCALS64+$res_x,$rp
2922 ldx [%sp+LOCALS64+$Hcub],$bi ! forward load
2923 ldx [%sp+LOCALS64+$in1_y],$a0
2924 ldx [%sp+LOCALS64+$in1_y+8],$a1
2925 ldx [%sp+LOCALS64+$in1_y+16],$a2
2926 ldx [%sp+LOCALS64+$in1_y+24],$a3
2928 add %sp,LOCALS64+$U2,$bp
2929 call __ecp_nistz256_sub_morf_vis3 ! p256_sub(res_y, U2, res_x);
2930 add %sp,LOCALS64+$res_y,$rp
2932 add %sp,LOCALS64+$Hcub,$bp
2933 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, in1_y, Hcub);
2934 add %sp,LOCALS64+$S2,$rp
2936 ldx [%sp+LOCALS64+$R],$bi
2937 ldx [%sp+LOCALS64+$res_y],$a0
2938 ldx [%sp+LOCALS64+$res_y+8],$a1
2939 ldx [%sp+LOCALS64+$res_y+16],$a2
2940 ldx [%sp+LOCALS64+$res_y+24],$a3
2941 add %sp,LOCALS64+$R,$bp
2942 call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_y, res_y, R);
2943 add %sp,LOCALS64+$res_y,$rp
2945 add %sp,LOCALS64+$S2,$bp
2946 call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_y, res_y, S2);
2947 add %sp,LOCALS64+$res_y,$rp
2949 ldx [%fp+STACK_BIAS-16],$t1 ! !in1infty
2950 ldx [%fp+STACK_BIAS-8],$t2 ! !in2infty
2952 add %o7,.Lone_mont_vis3-1b,$bp
2954 for($i=0;$i<64;$i+=16) { # conditional moves
2956 ldx [%sp+LOCALS64+$res_x+$i],$acc0 ! res
2957 ldx [%sp+LOCALS64+$res_x+$i+8],$acc1
2958 ldx [%sp+LOCALS64+$in2_x+$i],$acc2 ! in2
2959 ldx [%sp+LOCALS64+$in2_x+$i+8],$acc3
2960 ldx [%sp+LOCALS64+$in1_x+$i],$acc4 ! in1
2961 ldx [%sp+LOCALS64+$in1_x+$i+8],$acc5
2962 movrz $t1,$acc2,$acc0
2963 movrz $t1,$acc3,$acc1
2964 movrz $t2,$acc4,$acc0
2965 movrz $t2,$acc5,$acc1
2968 st $acc0,[$rp_real+$i]
2969 st $acc2,[$rp_real+$i+4]
2970 st $acc1,[$rp_real+$i+8]
2971 st $acc3,[$rp_real+$i+12]
2974 for(;$i<96;$i+=16) {
2976 ldx [%sp+LOCALS64+$res_x+$i],$acc0 ! res
2977 ldx [%sp+LOCALS64+$res_x+$i+8],$acc1
2978 ldx [$bp+$i-64],$acc2 ! "in2"
2979 ldx [$bp+$i-64+8],$acc3
2980 ldx [%sp+LOCALS64+$in1_x+$i],$acc4 ! in1
2981 ldx [%sp+LOCALS64+$in1_x+$i+8],$acc5
2982 movrz $t1,$acc2,$acc0
2983 movrz $t1,$acc3,$acc1
2984 movrz $t2,$acc4,$acc0
2985 movrz $t2,$acc5,$acc1
2988 st $acc0,[$rp_real+$i]
2989 st $acc2,[$rp_real+$i+4]
2990 st $acc1,[$rp_real+$i+8]
2991 st $acc3,[$rp_real+$i+12]
2997 .size ecp_nistz256_point_add_affine_vis3,.-ecp_nistz256_point_add_affine_vis3
3000 .long 0x00000000,0x00000001, 0xffffffff,0x00000000
3001 .long 0xffffffff,0xffffffff, 0x00000000,0xfffffffe
3006 # Purpose of these subroutines is to explicitly encode VIS instructions,
3007 # so that one can compile the module without having to specify VIS
3008 # extensions on compiler command line, e.g. -xarch=v9 vs. -xarch=v9a.
3009 # Idea is to reserve for option to produce "universal" binary and let
3010 # programmer detect if current CPU is VIS capable at run-time.
3012 my ($mnemonic,$rs1,$rs2,$rd)=@_;
3013 my %bias = ( "g" => 0, "o" => 8, "l" => 16, "i" => 24 );
3015 my %visopf = ( "addxc" => 0x011,
3017 "umulxhi" => 0x016 );
3019 $ref = "$mnemonic\t$rs1,$rs2,$rd";
3021 if ($opf=$visopf{$mnemonic}) {
3022 foreach ($rs1,$rs2,$rd) {
3023 return $ref if (!/%([goli])([0-9])/);
3027 return sprintf ".word\t0x%08x !%s",
3028 0x81b00000|$rd<<25|$rs1<<14|$opf<<5|$rs2,
3035 foreach (split("\n",$code)) {
3036 s/\`([^\`]*)\`/eval $1/ge;
3038 s/\b(umulxhi|addxc[c]{0,2})\s+(%[goli][0-7]),\s*(%[goli][0-7]),\s*(%[goli][0-7])/
3039 &unvis3($1,$2,$3,$4)
projects / openssl.git / blob