Add sha/asm/keccak1600-mmx.pl, x86 MMX module.

[openssl.git] / crypto / sha / asm / keccak1600-ppc64.pl

#!/usr/bin/env perl
# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
#
# ====================================================================
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
# ====================================================================
#
# Keccak-1600 for PPC64.
#
# June 2017.
#
# This is straightforward KECCAK_1X_ALT implementation that works on
# *any* PPC64. Then PowerISA 2.07 adds 2x64-bit vector rotate, and
# it's possible to achieve performance better than below, but that is
# naturally option only for POWER8 and successors...
#
######################################################################
# Numbers are cycles per processed byte.
#
#               r=1088(*)
#
# PPC970/G5     14.6/+120%
# POWER7        10.3/+100%
# POWER8        11.5/+85%
#
# (*)   Corresponds to SHA3-256. Percentage after slash is improvement
#       over gcc-4.x-generated KECCAK_1X_ALT code. Newer compilers do
#       much better (but watch out for them generating code specific
#       to processor they execute on).

$flavour = shift;

if ($flavour =~ /64/) {
        $SIZE_T =8;
        $LRSAVE =2*$SIZE_T;
        $UCMP   ="cmpld";
        $STU    ="stdu";
        $POP    ="ld";
        $PUSH   ="std";
} else { die "nonsense $flavour"; }

$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
die "can't locate ppc-xlate.pl";

open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";

$FRAME=24*$SIZE_T+6*$SIZE_T+32;
$LOCALS=6*$SIZE_T;
$TEMP=$LOCALS+6*$SIZE_T;

my $sp ="r1";

my @A = map([ "r$_", "r".($_+1), "r".($_+2), "r".($_+3), "r".($_+4) ],
            (7, 12, 17, 22, 27));
   $A[1][1] = "r6"; # r13 is reserved

my @C = map("r$_", (0,3,4,5));

my @rhotates = ([  0,  1, 62, 28, 27 ],
                [ 36, 44,  6, 55, 20 ],
                [  3, 10, 43, 25, 39 ],
                [ 41, 45, 15, 21,  8 ],
                [ 18,  2, 61, 56, 14 ]);

$code.=<<___;
.text

.type   KeccakF1600_int,\@function
.align  5
KeccakF1600_int:
        li      r0,24
        mtctr   r0
        b       .Loop
.align  4
.Loop:
        xor     $C[0],$A[0][0],$A[1][0]         ; Theta
        std     $A[0][4],`$TEMP+0`($sp)
        xor     $C[1],$A[0][1],$A[1][1]
        std     $A[1][4],`$TEMP+8`($sp)
        xor     $C[2],$A[0][2],$A[1][2]
        std     $A[2][4],`$TEMP+16`($sp)
        xor     $C[3],$A[0][3],$A[1][3]
        std     $A[3][4],`$TEMP+24`($sp)
___
        $C[4]=$A[0][4];
        $C[5]=$A[1][4];
        $C[6]=$A[2][4];
        $C[7]=$A[3][4];
$code.=<<___;
        xor     $C[4],$A[0][4],$A[1][4]
        xor     $C[0],$C[0],$A[2][0]
        xor     $C[1],$C[1],$A[2][1]
        xor     $C[2],$C[2],$A[2][2]
        xor     $C[3],$C[3],$A[2][3]
        xor     $C[4],$C[4],$A[2][4]
        xor     $C[0],$C[0],$A[3][0]
        xor     $C[1],$C[1],$A[3][1]
        xor     $C[2],$C[2],$A[3][2]
        xor     $C[3],$C[3],$A[3][3]
        xor     $C[4],$C[4],$A[3][4]
        xor     $C[0],$C[0],$A[4][0]
        xor     $C[2],$C[2],$A[4][2]
        xor     $C[1],$C[1],$A[4][1]
        xor     $C[3],$C[3],$A[4][3]
        rotldi  $C[5],$C[2],1
        xor     $C[4],$C[4],$A[4][4]
        rotldi  $C[6],$C[3],1
        xor     $C[5],$C[5],$C[0]
        rotldi  $C[7],$C[4],1

        xor     $A[0][1],$A[0][1],$C[5]
        xor     $A[1][1],$A[1][1],$C[5]
        xor     $A[2][1],$A[2][1],$C[5]
        xor     $A[3][1],$A[3][1],$C[5]
        xor     $A[4][1],$A[4][1],$C[5]

        rotldi  $C[5],$C[0],1
        xor     $C[6],$C[6],$C[1]
        xor     $C[2],$C[2],$C[7]
        rotldi  $C[7],$C[1],1
        xor     $C[3],$C[3],$C[5]
        xor     $C[4],$C[4],$C[7]

        xor     $C[1],   $A[0][2],$C[6]                 ;mr     $C[1],$A[0][2]
        xor     $A[1][2],$A[1][2],$C[6]
        xor     $A[2][2],$A[2][2],$C[6]
        xor     $A[3][2],$A[3][2],$C[6]
        xor     $A[4][2],$A[4][2],$C[6]

        xor     $A[0][0],$A[0][0],$C[4]
        xor     $A[1][0],$A[1][0],$C[4]
        xor     $A[2][0],$A[2][0],$C[4]
        xor     $A[3][0],$A[3][0],$C[4]
        xor     $A[4][0],$A[4][0],$C[4]
___
        $C[4]=undef;
        $C[5]=undef;
        $C[6]=undef;
        $C[7]=undef;
$code.=<<___;
        ld      $A[0][4],`$TEMP+0`($sp)
        xor     $C[0],   $A[0][3],$C[2]                 ;mr     $C[0],$A[0][3]
        ld      $A[1][4],`$TEMP+8`($sp)
        xor     $A[1][3],$A[1][3],$C[2]
        ld      $A[2][4],`$TEMP+16`($sp)
        xor     $A[2][3],$A[2][3],$C[2]
        ld      $A[3][4],`$TEMP+24`($sp)
        xor     $A[3][3],$A[3][3],$C[2]
        xor     $A[4][3],$A[4][3],$C[2]

        xor     $C[2],   $A[0][4],$C[3]                 ;mr     $C[2],$A[0][4]
        xor     $A[1][4],$A[1][4],$C[3]
        xor     $A[2][4],$A[2][4],$C[3]
        xor     $A[3][4],$A[3][4],$C[3]
        xor     $A[4][4],$A[4][4],$C[3]

        mr      $C[3],$A[0][1]                          ; Rho+Pi
        rotldi  $A[0][1],$A[1][1],$rhotates[1][1]
        ;mr     $C[1],$A[0][2]
        rotldi  $A[0][2],$A[2][2],$rhotates[2][2]
        ;mr     $C[0],$A[0][3]
        rotldi  $A[0][3],$A[3][3],$rhotates[3][3]
        ;mr     $C[2],$A[0][4]
        rotldi  $A[0][4],$A[4][4],$rhotates[4][4]

        rotldi  $A[1][1],$A[1][4],$rhotates[1][4]
        rotldi  $A[2][2],$A[2][3],$rhotates[2][3]
        rotldi  $A[3][3],$A[3][2],$rhotates[3][2]
        rotldi  $A[4][4],$A[4][1],$rhotates[4][1]

        rotldi  $A[1][4],$A[4][2],$rhotates[4][2]
        rotldi  $A[2][3],$A[3][4],$rhotates[3][4]
        rotldi  $A[3][2],$A[2][1],$rhotates[2][1]
        rotldi  $A[4][1],$A[1][3],$rhotates[1][3]

        rotldi  $A[4][2],$A[2][4],$rhotates[2][4]
        rotldi  $A[3][4],$A[4][3],$rhotates[4][3]
        rotldi  $A[2][1],$A[1][2],$rhotates[1][2]
        rotldi  $A[1][3],$A[3][1],$rhotates[3][1]

        rotldi  $A[2][4],$A[4][0],$rhotates[4][0]
        rotldi  $A[4][3],$A[3][0],$rhotates[3][0]
        rotldi  $A[1][2],$A[2][0],$rhotates[2][0]
        rotldi  $A[3][1],$A[1][0],$rhotates[1][0]

        rotldi  $A[1][0],$C[0],$rhotates[0][3]
        rotldi  $A[2][0],$C[3],$rhotates[0][1]
        rotldi  $A[3][0],$C[2],$rhotates[0][4]
        rotldi  $A[4][0],$C[1],$rhotates[0][2]

        andc    $C[0],$A[0][2],$A[0][1]                 ; Chi+Iota
        andc    $C[1],$A[0][3],$A[0][2]
        andc    $C[2],$A[0][0],$A[0][4]
        andc    $C[3],$A[0][1],$A[0][0]
        xor     $A[0][0],$A[0][0],$C[0]
        andc    $C[0],$A[0][4],$A[0][3]
        xor     $A[0][1],$A[0][1],$C[1]
         ld     $C[1],`$LOCALS+4*$SIZE_T`($sp)
        xor     $A[0][3],$A[0][3],$C[2]
        xor     $A[0][4],$A[0][4],$C[3]
        xor     $A[0][2],$A[0][2],$C[0]
         ldu    $C[3],8($C[1])                          ; Iota[i++]

        andc    $C[0],$A[1][2],$A[1][1]
         std    $C[1],`$LOCALS+4*$SIZE_T`($sp)
        andc    $C[1],$A[1][3],$A[1][2]
        andc    $C[2],$A[1][0],$A[1][4]
         xor    $A[0][0],$A[0][0],$C[3]                 ; A[0][0] ^= Iota
        andc    $C[3],$A[1][1],$A[1][0]
        xor     $A[1][0],$A[1][0],$C[0]
        andc    $C[0],$A[1][4],$A[1][3]
        xor     $A[1][1],$A[1][1],$C[1]
        xor     $A[1][3],$A[1][3],$C[2]
        xor     $A[1][4],$A[1][4],$C[3]
        xor     $A[1][2],$A[1][2],$C[0]

        andc    $C[0],$A[2][2],$A[2][1]
        andc    $C[1],$A[2][3],$A[2][2]
        andc    $C[2],$A[2][0],$A[2][4]
        andc    $C[3],$A[2][1],$A[2][0]
        xor     $A[2][0],$A[2][0],$C[0]
        andc    $C[0],$A[2][4],$A[2][3]
        xor     $A[2][1],$A[2][1],$C[1]
        xor     $A[2][3],$A[2][3],$C[2]
        xor     $A[2][4],$A[2][4],$C[3]
        xor     $A[2][2],$A[2][2],$C[0]

        andc    $C[0],$A[3][2],$A[3][1]
        andc    $C[1],$A[3][3],$A[3][2]
        andc    $C[2],$A[3][0],$A[3][4]
        andc    $C[3],$A[3][1],$A[3][0]
        xor     $A[3][0],$A[3][0],$C[0]
        andc    $C[0],$A[3][4],$A[3][3]
        xor     $A[3][1],$A[3][1],$C[1]
        xor     $A[3][3],$A[3][3],$C[2]
        xor     $A[3][4],$A[3][4],$C[3]
        xor     $A[3][2],$A[3][2],$C[0]

        andc    $C[0],$A[4][2],$A[4][1]
        andc    $C[1],$A[4][3],$A[4][2]
        andc    $C[2],$A[4][0],$A[4][4]
        andc    $C[3],$A[4][1],$A[4][0]
        xor     $A[4][0],$A[4][0],$C[0]
        andc    $C[0],$A[4][4],$A[4][3]
        xor     $A[4][1],$A[4][1],$C[1]
        xor     $A[4][3],$A[4][3],$C[2]
        xor     $A[4][4],$A[4][4],$C[3]
        xor     $A[4][2],$A[4][2],$C[0]

        bdnz    .Loop

        blr
        .long   0
        .byte   0,12,0x14,0,0,0,0,0
.size   KeccakF1600_int,.-KeccakF1600_int

.type   KeccakF1600,\@function
.align  5
KeccakF1600:
        $STU    $sp,-$FRAME($sp)
        mflr    r0
        $PUSH   r14,`$FRAME-$SIZE_T*18`($sp)
        $PUSH   r15,`$FRAME-$SIZE_T*17`($sp)
        $PUSH   r16,`$FRAME-$SIZE_T*16`($sp)
        $PUSH   r17,`$FRAME-$SIZE_T*15`($sp)
        $PUSH   r18,`$FRAME-$SIZE_T*14`($sp)
        $PUSH   r19,`$FRAME-$SIZE_T*13`($sp)
        $PUSH   r20,`$FRAME-$SIZE_T*12`($sp)
        $PUSH   r21,`$FRAME-$SIZE_T*11`($sp)
        $PUSH   r22,`$FRAME-$SIZE_T*10`($sp)
        $PUSH   r23,`$FRAME-$SIZE_T*9`($sp)
        $PUSH   r24,`$FRAME-$SIZE_T*8`($sp)
        $PUSH   r25,`$FRAME-$SIZE_T*7`($sp)
        $PUSH   r26,`$FRAME-$SIZE_T*6`($sp)
        $PUSH   r27,`$FRAME-$SIZE_T*5`($sp)
        $PUSH   r28,`$FRAME-$SIZE_T*4`($sp)
        $PUSH   r29,`$FRAME-$SIZE_T*3`($sp)
        $PUSH   r30,`$FRAME-$SIZE_T*2`($sp)
        $PUSH   r31,`$FRAME-$SIZE_T*1`($sp)
        $PUSH   r0,`$FRAME+$LRSAVE`($sp)

        bl      PICmeup
        subi    r12,r12,8                       ; prepare for ldu

        $PUSH   r3,`$LOCALS+0*$SIZE_T`($sp)
        ;$PUSH  r4,`$LOCALS+1*$SIZE_T`($sp)
        ;$PUSH  r5,`$LOCALS+2*$SIZE_T`($sp)
        ;$PUSH  r6,`$LOCALS+3*$SIZE_T`($sp)
        $PUSH   r12,`$LOCALS+4*$SIZE_T`($sp)

        ld      $A[0][0],`8*0`(r3)              ; load A[5][5]
        ld      $A[0][1],`8*1`(r3)
        ld      $A[0][2],`8*2`(r3)
        ld      $A[0][3],`8*3`(r3)
        ld      $A[0][4],`8*4`(r3)
        ld      $A[1][0],`8*5`(r3)
        ld      $A[1][1],`8*6`(r3)
        ld      $A[1][2],`8*7`(r3)
        ld      $A[1][3],`8*8`(r3)
        ld      $A[1][4],`8*9`(r3)
        ld      $A[2][0],`8*10`(r3)
        ld      $A[2][1],`8*11`(r3)
        ld      $A[2][2],`8*12`(r3)
        ld      $A[2][3],`8*13`(r3)
        ld      $A[2][4],`8*14`(r3)
        ld      $A[3][0],`8*15`(r3)
        ld      $A[3][1],`8*16`(r3)
        ld      $A[3][2],`8*17`(r3)
        ld      $A[3][3],`8*18`(r3)
        ld      $A[3][4],`8*19`(r3)
        ld      $A[4][0],`8*20`(r3)
        ld      $A[4][1],`8*21`(r3)
        ld      $A[4][2],`8*22`(r3)
        ld      $A[4][3],`8*23`(r3)
        ld      $A[4][4],`8*24`(r3)

        bl      KeccakF1600_int

        $POP    r3,`$LOCALS+0*$SIZE_T`($sp)
        std     $A[0][0],`8*0`(r3)              ; return A[5][5]
        std     $A[0][1],`8*1`(r3)
        std     $A[0][2],`8*2`(r3)
        std     $A[0][3],`8*3`(r3)
        std     $A[0][4],`8*4`(r3)
        std     $A[1][0],`8*5`(r3)
        std     $A[1][1],`8*6`(r3)
        std     $A[1][2],`8*7`(r3)
        std     $A[1][3],`8*8`(r3)
        std     $A[1][4],`8*9`(r3)
        std     $A[2][0],`8*10`(r3)
        std     $A[2][1],`8*11`(r3)
        std     $A[2][2],`8*12`(r3)
        std     $A[2][3],`8*13`(r3)
        std     $A[2][4],`8*14`(r3)
        std     $A[3][0],`8*15`(r3)
        std     $A[3][1],`8*16`(r3)
        std     $A[3][2],`8*17`(r3)
        std     $A[3][3],`8*18`(r3)
        std     $A[3][4],`8*19`(r3)
        std     $A[4][0],`8*20`(r3)
        std     $A[4][1],`8*21`(r3)
        std     $A[4][2],`8*22`(r3)
        std     $A[4][3],`8*23`(r3)
        std     $A[4][4],`8*24`(r3)

        $POP    r0,`$FRAME+$LRSAVE`($sp)
        $POP    r14,`$FRAME-$SIZE_T*18`($sp)
        $POP    r15,`$FRAME-$SIZE_T*17`($sp)
        $POP    r16,`$FRAME-$SIZE_T*16`($sp)
        $POP    r17,`$FRAME-$SIZE_T*15`($sp)
        $POP    r18,`$FRAME-$SIZE_T*14`($sp)
        $POP    r19,`$FRAME-$SIZE_T*13`($sp)
        $POP    r20,`$FRAME-$SIZE_T*12`($sp)
        $POP    r21,`$FRAME-$SIZE_T*11`($sp)
        $POP    r22,`$FRAME-$SIZE_T*10`($sp)
        $POP    r23,`$FRAME-$SIZE_T*9`($sp)
        $POP    r24,`$FRAME-$SIZE_T*8`($sp)
        $POP    r25,`$FRAME-$SIZE_T*7`($sp)
        $POP    r26,`$FRAME-$SIZE_T*6`($sp)
        $POP    r27,`$FRAME-$SIZE_T*5`($sp)
        $POP    r28,`$FRAME-$SIZE_T*4`($sp)
        $POP    r29,`$FRAME-$SIZE_T*3`($sp)
        $POP    r30,`$FRAME-$SIZE_T*2`($sp)
        $POP    r31,`$FRAME-$SIZE_T*1`($sp)
        mtlr    r0
        addi    $sp,$sp,$FRAME
        blr
        .long   0
        .byte   0,12,4,1,0x80,18,1,0
        .long   0
.size   KeccakF1600,.-KeccakF1600

.type   dword_le_load,\@function
.align  5
dword_le_load:
        lbzu    r0,1(r3)
        lbzu    r4,1(r3)
        lbzu    r5,1(r3)
        insrdi  r0,r4,8,48
        lbzu    r4,1(r3)
        insrdi  r0,r5,8,40
        lbzu    r5,1(r3)
        insrdi  r0,r4,8,32
        lbzu    r4,1(r3)
        insrdi  r0,r5,8,24
        lbzu    r5,1(r3)
        insrdi  r0,r4,8,16
        lbzu    r4,1(r3)
        insrdi  r0,r5,8,8
        insrdi  r0,r4,8,0
        blr
        .long   0
        .byte   0,12,0x14,0,0,0,1,0
        .long   0
.size   dword_le_load,.-dword_le_load

.globl  SHA3_absorb
.type   SHA3_absorb,\@function
.align  5
SHA3_absorb:
        $STU    $sp,-$FRAME($sp)
        mflr    r0
        $PUSH   r14,`$FRAME-$SIZE_T*18`($sp)
        $PUSH   r15,`$FRAME-$SIZE_T*17`($sp)
        $PUSH   r16,`$FRAME-$SIZE_T*16`($sp)
        $PUSH   r17,`$FRAME-$SIZE_T*15`($sp)
        $PUSH   r18,`$FRAME-$SIZE_T*14`($sp)
        $PUSH   r19,`$FRAME-$SIZE_T*13`($sp)
        $PUSH   r20,`$FRAME-$SIZE_T*12`($sp)
        $PUSH   r21,`$FRAME-$SIZE_T*11`($sp)
        $PUSH   r22,`$FRAME-$SIZE_T*10`($sp)
        $PUSH   r23,`$FRAME-$SIZE_T*9`($sp)
        $PUSH   r24,`$FRAME-$SIZE_T*8`($sp)
        $PUSH   r25,`$FRAME-$SIZE_T*7`($sp)
        $PUSH   r26,`$FRAME-$SIZE_T*6`($sp)
        $PUSH   r27,`$FRAME-$SIZE_T*5`($sp)
        $PUSH   r28,`$FRAME-$SIZE_T*4`($sp)
        $PUSH   r29,`$FRAME-$SIZE_T*3`($sp)
        $PUSH   r30,`$FRAME-$SIZE_T*2`($sp)
        $PUSH   r31,`$FRAME-$SIZE_T*1`($sp)
        $PUSH   r0,`$FRAME+$LRSAVE`($sp)

        bl      PICmeup
        subi    r4,r4,1                         ; prepare for lbzu
        subi    r12,r12,8                       ; prepare for ldu

        $PUSH   r3,`$LOCALS+0*$SIZE_T`($sp)     ; save A[][]
        $PUSH   r4,`$LOCALS+1*$SIZE_T`($sp)     ; save inp
        $PUSH   r5,`$LOCALS+2*$SIZE_T`($sp)     ; save len
        $PUSH   r6,`$LOCALS+3*$SIZE_T`($sp)     ; save bsz
        mr      r0,r6
        $PUSH   r12,`$LOCALS+4*$SIZE_T`($sp)

        ld      $A[0][0],`8*0`(r3)              ; load A[5][5]
        ld      $A[0][1],`8*1`(r3)
        ld      $A[0][2],`8*2`(r3)
        ld      $A[0][3],`8*3`(r3)
        ld      $A[0][4],`8*4`(r3)
        ld      $A[1][0],`8*5`(r3)
        ld      $A[1][1],`8*6`(r3)
        ld      $A[1][2],`8*7`(r3)
        ld      $A[1][3],`8*8`(r3)
        ld      $A[1][4],`8*9`(r3)
        ld      $A[2][0],`8*10`(r3)
        ld      $A[2][1],`8*11`(r3)
        ld      $A[2][2],`8*12`(r3)
        ld      $A[2][3],`8*13`(r3)
        ld      $A[2][4],`8*14`(r3)
        ld      $A[3][0],`8*15`(r3)
        ld      $A[3][1],`8*16`(r3)
        ld      $A[3][2],`8*17`(r3)
        ld      $A[3][3],`8*18`(r3)
        ld      $A[3][4],`8*19`(r3)
        ld      $A[4][0],`8*20`(r3)
        ld      $A[4][1],`8*21`(r3)
        ld      $A[4][2],`8*22`(r3)
        ld      $A[4][3],`8*23`(r3)
        ld      $A[4][4],`8*24`(r3)

        mr      r3,r4
        mr      r4,r5
        mr      r5,r0

        b       .Loop_absorb

.align  4
.Loop_absorb:
        $UCMP   r4,r5                           ; len < bsz?
        blt     .Labsorbed

        sub     r4,r4,r5                        ; len -= bsz
        srwi    r5,r5,3
        $PUSH   r4,`$LOCALS+2*$SIZE_T`($sp)     ; save len
        mtctr   r5
        bl      dword_le_load                   ; *inp++
        xor     $A[0][0],$A[0][0],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[0][1],$A[0][1],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[0][2],$A[0][2],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[0][3],$A[0][3],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[0][4],$A[0][4],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[1][0],$A[1][0],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[1][1],$A[1][1],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[1][2],$A[1][2],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[1][3],$A[1][3],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[1][4],$A[1][4],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[2][0],$A[2][0],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[2][1],$A[2][1],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[2][2],$A[2][2],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[2][3],$A[2][3],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[2][4],$A[2][4],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[3][0],$A[3][0],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[3][1],$A[3][1],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[3][2],$A[3][2],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[3][3],$A[3][3],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[3][4],$A[3][4],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[4][0],$A[4][0],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[4][1],$A[4][1],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[4][2],$A[4][2],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[4][3],$A[4][3],r0
        bdz     .Lprocess_block
        bl      dword_le_load                   ; *inp++
        xor     $A[4][4],$A[4][4],r0

.Lprocess_block:
        $PUSH   r3,`$LOCALS+1*$SIZE_T`($sp)     ; save inp

        bl      KeccakF1600_int

        $POP    r0,`$LOCALS+4*$SIZE_T`($sp)     ; pull iotas[24]
        $POP    r5,`$LOCALS+3*$SIZE_T`($sp)     ; restore bsz
        $POP    r4,`$LOCALS+2*$SIZE_T`($sp)     ; restore len
        $POP    r3,`$LOCALS+1*$SIZE_T`($sp)     ; restore inp
        addic   r0,r0,`-8*24`                   ; rewind iotas
        $PUSH   r0,`$LOCALS+4*$SIZE_T`($sp)

        b       .Loop_absorb

.align  4
.Labsorbed:
        $POP    r3,`$LOCALS+0*$SIZE_T`($sp)
        std     $A[0][0],`8*0`(r3)              ; return A[5][5]
        std     $A[0][1],`8*1`(r3)
        std     $A[0][2],`8*2`(r3)
        std     $A[0][3],`8*3`(r3)
        std     $A[0][4],`8*4`(r3)
        std     $A[1][0],`8*5`(r3)
        std     $A[1][1],`8*6`(r3)
        std     $A[1][2],`8*7`(r3)
        std     $A[1][3],`8*8`(r3)
        std     $A[1][4],`8*9`(r3)
        std     $A[2][0],`8*10`(r3)
        std     $A[2][1],`8*11`(r3)
        std     $A[2][2],`8*12`(r3)
        std     $A[2][3],`8*13`(r3)
        std     $A[2][4],`8*14`(r3)
        std     $A[3][0],`8*15`(r3)
        std     $A[3][1],`8*16`(r3)
        std     $A[3][2],`8*17`(r3)
        std     $A[3][3],`8*18`(r3)
        std     $A[3][4],`8*19`(r3)
        std     $A[4][0],`8*20`(r3)
        std     $A[4][1],`8*21`(r3)
        std     $A[4][2],`8*22`(r3)
        std     $A[4][3],`8*23`(r3)
        std     $A[4][4],`8*24`(r3)

        mr      r3,r4                           ; return value
        $POP    r0,`$FRAME+$LRSAVE`($sp)
        $POP    r14,`$FRAME-$SIZE_T*18`($sp)
        $POP    r15,`$FRAME-$SIZE_T*17`($sp)
        $POP    r16,`$FRAME-$SIZE_T*16`($sp)
        $POP    r17,`$FRAME-$SIZE_T*15`($sp)
        $POP    r18,`$FRAME-$SIZE_T*14`($sp)
        $POP    r19,`$FRAME-$SIZE_T*13`($sp)
        $POP    r20,`$FRAME-$SIZE_T*12`($sp)
        $POP    r21,`$FRAME-$SIZE_T*11`($sp)
        $POP    r22,`$FRAME-$SIZE_T*10`($sp)
        $POP    r23,`$FRAME-$SIZE_T*9`($sp)
        $POP    r24,`$FRAME-$SIZE_T*8`($sp)
        $POP    r25,`$FRAME-$SIZE_T*7`($sp)
        $POP    r26,`$FRAME-$SIZE_T*6`($sp)
        $POP    r27,`$FRAME-$SIZE_T*5`($sp)
        $POP    r28,`$FRAME-$SIZE_T*4`($sp)
        $POP    r29,`$FRAME-$SIZE_T*3`($sp)
        $POP    r30,`$FRAME-$SIZE_T*2`($sp)
        $POP    r31,`$FRAME-$SIZE_T*1`($sp)
        mtlr    r0
        addi    $sp,$sp,$FRAME
        blr
        .long   0
        .byte   0,12,4,1,0x80,18,4,0
        .long   0
.size   SHA3_absorb,.-SHA3_absorb
___
{
my ($A_flat,$out,$len,$bsz) = map("r$_",(28..31));
$code.=<<___;
.globl  SHA3_squeeze
.type   SHA3_squeeze,\@function
.align  5
SHA3_squeeze:
        $STU    $sp,`-10*$SIZE_T`($sp)
        mflr    r0
        $PUSH   r28,`6*$SIZE_T`($sp)
        $PUSH   r29,`7*$SIZE_T`($sp)
        $PUSH   r30,`8*$SIZE_T`($sp)
        $PUSH   r31,`9*$SIZE_T`($sp)
        $PUSH   r0,`10*$SIZE_T+$LRSAVE`($sp)

        mr      $A_flat,r3
        subi    r3,r3,8                 ; prepare for ldu
        subi    $out,r4,1               ; prepare for stbu
        mr      $len,r5
        mr      $bsz,r6
        b       .Loop_squeeze

.align  4
.Loop_squeeze:
        ldu     r0,8(r3)
        ${UCMP}i $len,8
        blt     .Lsqueeze_tail

        stbu    r0,1($out)
        srdi    r0,r0,8
        stbu    r0,1($out)
        srdi    r0,r0,8
        stbu    r0,1($out)
        srdi    r0,r0,8
        stbu    r0,1($out)
        srdi    r0,r0,8
        stbu    r0,1($out)
        srdi    r0,r0,8
        stbu    r0,1($out)
        srdi    r0,r0,8
        stbu    r0,1($out)
        srdi    r0,r0,8
        stbu    r0,1($out)

        subic.  $len,$len,8
        beq     .Lsqueeze_done

        subic.  r6,r6,8
        bgt     .Loop_squeeze

        mr      r3,$A_flat
        bl      KeccakF1600
        subi    r3,$A_flat,8            ; prepare for ldu
        mr      r6,$bsz
        b       .Loop_squeeze

.align  4
.Lsqueeze_tail:
        mtctr   $len
.Loop_tail:
        stbu    r0,1($out)
        srdi    r0,r0,8
        bdnz    .Loop_tail

.Lsqueeze_done:
        $POP    r0,`10*$SIZE_T+$LRSAVE`($sp)
        $POP    r28,`6*$SIZE_T`($sp)
        $POP    r29,`7*$SIZE_T`($sp)
        $POP    r30,`8*$SIZE_T`($sp)
        $POP    r31,`9*$SIZE_T`($sp)
        mtlr    r0
        addi    $sp,$sp,`10*$SIZE_T`
        blr
        .long   0
        .byte   0,12,4,1,0x80,4,4,0
        .long   0
.size   SHA3_squeeze,.-SHA3_squeeze
___
}

# Ugly hack here, because PPC assembler syntax seem to vary too
# much from platforms to platform...
$code.=<<___;
.align  6
PICmeup:
        mflr    r0
        bcl     20,31,\$+4
        mflr    r12   ; vvvvvv "distance" between . and 1st data entry
        addi    r12,r12,`64-8`
        mtlr    r0
        blr
        .long   0
        .byte   0,12,0x14,0,0,0,0,0
        .space  `64-9*4`
.type   iotas,\@object
iotas:
        .quad   0x0000000000000001
        .quad   0x0000000000008082
        .quad   0x800000000000808a
        .quad   0x8000000080008000
        .quad   0x000000000000808b
        .quad   0x0000000080000001
        .quad   0x8000000080008081
        .quad   0x8000000000008009
        .quad   0x000000000000008a
        .quad   0x0000000000000088
        .quad   0x0000000080008009
        .quad   0x000000008000000a
        .quad   0x000000008000808b
        .quad   0x800000000000008b
        .quad   0x8000000000008089
        .quad   0x8000000000008003
        .quad   0x8000000000008002
        .quad   0x8000000000000080
        .quad   0x000000000000800a
        .quad   0x800000008000000a
        .quad   0x8000000080008081
        .quad   0x8000000000008080
        .quad   0x0000000080000001
        .quad   0x8000000080008008
.size   iotas,.-iotas
.asciz  "Keccak-1600 absorb and squeeze for PPC64, CRYPTOGAMS by <appro\@openssl.org>"
___

$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT;