3 # Implemented as a Perl wrapper as we want to support several different
4 # architectures with single file. We pick up the target based on the
5 # file name we are asked to generate.
7 # It should be noted though that this perl code is nothing like
8 # <openssl>/crypto/perlasm/x86*. In this case perl is used pretty much
9 # as pre-processor to cover for platform differences in name decoration,
10 # linker tables, 32-/64-bit instruction sets...
12 # As you might know there're several PowerPC ABI in use. Most notably
13 # Linux and AIX use different 32-bit ABIs. Good news are that these ABIs
14 # are similar enough to implement leaf(!) functions, which would be ABI
15 # neutral. And that's what you find here: ABI neutral leaf functions.
16 # In case you wonder what that is...
20 # MEASUREMENTS WITH cc ON a 200 MhZ PowerPC 604e.
22 # The following is the performance of 32-bit compiler
25 # OpenSSL 0.9.6c 21 dec 2001
26 # built on: Tue Jun 11 11:06:51 EDT 2002
27 # options:bn(64,32) ...
28 #compiler: cc -DTHREADS -DAIX -DB_ENDIAN -DBN_LLONG -O3
29 # sign verify sign/s verify/s
30 #rsa 512 bits 0.0098s 0.0009s 102.0 1170.6
31 #rsa 1024 bits 0.0507s 0.0026s 19.7 387.5
32 #rsa 2048 bits 0.3036s 0.0085s 3.3 117.1
33 #rsa 4096 bits 2.0040s 0.0299s 0.5 33.4
34 #dsa 512 bits 0.0087s 0.0106s 114.3 94.5
35 #dsa 1024 bits 0.0256s 0.0313s 39.0 32.0
37 # Same bechmark with this assembler code:
39 #rsa 512 bits 0.0056s 0.0005s 178.6 2049.2
40 #rsa 1024 bits 0.0283s 0.0015s 35.3 674.1
41 #rsa 2048 bits 0.1744s 0.0050s 5.7 201.2
42 #rsa 4096 bits 1.1644s 0.0179s 0.9 55.7
43 #dsa 512 bits 0.0052s 0.0062s 191.6 162.0
44 #dsa 1024 bits 0.0149s 0.0180s 67.0 55.5
46 # Number of operations increases by at almost 75%
48 # Here are performance numbers for 64-bit compiler
51 # OpenSSL 0.9.6g [engine] 9 Aug 2002
52 # built on: Fri Apr 18 16:59:20 EDT 2003
53 # options:bn(64,64) ...
54 # compiler: cc -DTHREADS -D_REENTRANT -q64 -DB_ENDIAN -O3
55 # sign verify sign/s verify/s
56 #rsa 512 bits 0.0028s 0.0003s 357.1 3844.4
57 #rsa 1024 bits 0.0148s 0.0008s 67.5 1239.7
58 #rsa 2048 bits 0.0963s 0.0028s 10.4 353.0
59 #rsa 4096 bits 0.6538s 0.0102s 1.5 98.1
60 #dsa 512 bits 0.0026s 0.0032s 382.5 313.7
61 #dsa 1024 bits 0.0081s 0.0099s 122.8 100.6
63 # Same benchmark with this assembler code:
65 #rsa 512 bits 0.0020s 0.0002s 510.4 6273.7
66 #rsa 1024 bits 0.0088s 0.0005s 114.1 2128.3
67 #rsa 2048 bits 0.0540s 0.0016s 18.5 622.5
68 #rsa 4096 bits 0.3700s 0.0058s 2.7 171.0
69 #dsa 512 bits 0.0016s 0.0020s 610.7 507.1
70 #dsa 1024 bits 0.0047s 0.0058s 212.5 173.2
72 # Again, performance increases by at about 75%
74 # Mac OS X, Apple G5 1.8GHz (Note this is 32 bit code)
75 # OpenSSL 0.9.7c 30 Sep 2003
79 #rsa 512 bits 0.0011s 0.0001s 906.1 11012.5
80 #rsa 1024 bits 0.0060s 0.0003s 166.6 3363.1
81 #rsa 2048 bits 0.0370s 0.0010s 27.1 982.4
82 #rsa 4096 bits 0.2426s 0.0036s 4.1 280.4
83 #dsa 512 bits 0.0010s 0.0012s 1038.1 841.5
84 #dsa 1024 bits 0.0030s 0.0037s 329.6 269.7
85 #dsa 2048 bits 0.0101s 0.0127s 98.9 78.6
87 # Same benchmark with this assembler code:
89 #rsa 512 bits 0.0007s 0.0001s 1416.2 16645.9
90 #rsa 1024 bits 0.0036s 0.0002s 274.4 5380.6
91 #rsa 2048 bits 0.0222s 0.0006s 45.1 1589.5
92 #rsa 4096 bits 0.1469s 0.0022s 6.8 449.6
93 #dsa 512 bits 0.0006s 0.0007s 1664.2 1376.2
94 #dsa 1024 bits 0.0018s 0.0023s 545.0 442.2
95 #dsa 2048 bits 0.0061s 0.0075s 163.5 132.8
97 # Performance increase of ~60%
99 # If you have comments or suggestions to improve code send
100 # me a note at schari@us.ibm.com
105 if ($opf =~ /32\.s/) {
111 $LDU= "lwzu"; # load and update
113 $STU= "stwu"; # store and update
114 $UMULL= "mullw"; # unsigned multiply low
115 $UMULH= "mulhwu"; # unsigned multiply high
116 $UDIV= "divwu"; # unsigned divide
117 $UCMPI= "cmplwi"; # unsigned compare with immediate
118 $UCMP= "cmplw"; # unsigned compare
119 $CNTLZ= "cntlzw"; # count leading zeros
120 $SHL= "slw"; # shift left
121 $SHR= "srw"; # unsigned shift right
122 $SHRI= "srwi"; # unsigned shift right by immediate
123 $SHLI= "slwi"; # shift left by immediate
124 $CLRU= "clrlwi"; # clear upper bits
125 $INSR= "insrwi"; # insert right
126 $ROTL= "rotlwi"; # rotate left by immediate
127 $TR= "tw"; # conditional trap
128 } elsif ($opf =~ /64\.s/) {
133 # same as above, but 64-bit mnemonics...
135 $LDU= "ldu"; # load and update
137 $STU= "stdu"; # store and update
138 $UMULL= "mulld"; # unsigned multiply low
139 $UMULH= "mulhdu"; # unsigned multiply high
140 $UDIV= "divdu"; # unsigned divide
141 $UCMPI= "cmpldi"; # unsigned compare with immediate
142 $UCMP= "cmpld"; # unsigned compare
143 $CNTLZ= "cntlzd"; # count leading zeros
144 $SHL= "sld"; # shift left
145 $SHR= "srd"; # unsigned shift right
146 $SHRI= "srdi"; # unsigned shift right by immediate
147 $SHLI= "sldi"; # shift left by immediate
148 $CLRU= "clrldi"; # clear upper bits
149 $INSR= "insrdi"; # insert right
150 $ROTL= "rotldi"; # rotate left by immediate
151 $TR= "td"; # conditional trap
152 } else { die "nonsense $opf"; }
154 ( defined shift || open STDOUT,">$opf" ) || die "can't open $opf: $!";
156 # function entry points from the AIX code
158 # There are other, more elegant, ways to handle this. We (IBM) chose
159 # this approach as it plays well with scripts we run to 'namespace'
160 # OpenSSL .i.e. we add a prefix to all the public symbols so we can
161 # co-exist in the same process with other implementations of OpenSSL.
162 # 'cleverer' ways of doing these substitutions tend to hide data we
163 # need to be obvious.
165 my @items = ("bn_sqr_comba4",
176 if ($opf =~ /linux/) { do_linux(); }
177 elsif ($opf =~ /aix/) { do_aix(); }
178 elsif ($opf =~ /osx/) { do_osx(); }
185 foreach $t (@items) {
187 \t.section\t".opd","aw"\
191 \t.quad\t.$t,.TOC.\@tocbase,0\
194 \t.type\t.$t,\@function\
200 foreach $t (@items) {
204 # hide internal labels to avoid pollution of name table...
205 $d=~s/Lppcasm_/.Lppcasm_/gm;
210 # AIX assembler is smart enough to please the linker without
211 # making us do something special...
218 # Change the bn symbol prefix from '.' to '_'
219 foreach $t (@items) {
222 # Change .machine to something OS X asm will accept
223 $d=~s/\.machine.*/.text/g;
224 $d=~s/\#/;/g; # change comment from '#' to ';'
231 foreach $t (@items) {
239 #--------------------------------------------------------------------
246 # Created by: Suresh Chari
247 # IBM Thomas J. Watson Research Library
251 # Description: Optimized assembly routines for OpenSSL crypto
252 # on the 32 bitPowerPC platform.
257 # 2. Fixed bn_add,bn_sub and bn_div_words, added comments,
258 # cleaned up code. Also made a single version which can
259 # be used for both the AIX and Linux compilers. See NOTE
261 # 12/05/03 Suresh Chari
262 # (with lots of help from) Andy Polyakov
264 # 1. Initial version 10/20/02 Suresh Chari
267 # The following file works for the xlc,cc
270 # NOTE: To get the file to link correctly with the gcc compiler
271 # you have to change the names of the routines and remove
272 # the first .(dot) character. This should automatically
273 # be done in the build process.
275 # Hand optimized assembly code for the following routines
288 # NOTE: It is possible to optimize this code more for
289 # specific PowerPC or Power architectures. On the Northstar
290 # architecture the optimizations in this file do
291 # NOT provide much improvement.
293 # If you have comments or suggestions to improve code send
294 # me a note at schari\@us.ibm.com
296 #--------------------------------------------------------------------------
298 # Defines to be used in the assembly code.
300 .set r0,0 # we use it as storage for value of 0
301 .set SP,1 # preserved
302 .set RTOC,2 # preserved
303 .set r3,3 # 1st argument/return value
304 .set r4,4 # 2nd argument/volatile register
305 .set r5,5 # 3rd argument/volatile register
313 .set r13,13 # not used, nor any other "below" it...
317 .set BO_dCTR_NZERO,16
328 # Declare function names to be global
329 # NOTE: For gcc these names MUST be changed to remove
330 # the first . i.e. for example change ".bn_sqr_comba4"
331 # to "bn_sqr_comba4". This should be automatically done
334 .globl .bn_sqr_comba4
335 .globl .bn_sqr_comba8
336 .globl .bn_mul_comba4
337 .globl .bn_mul_comba8
343 .globl .bn_mul_add_words
350 # NOTE: The following label name should be changed to
351 # "bn_sqr_comba4" i.e. remove the first dot
352 # for the gcc compiler. This should be automatically
359 # Optimized version of bn_sqr_comba4.
361 # void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
365 # Freely use registers r5,r6,r7,r8,r9,r10,r11 as follows:
367 # r5,r6 are the two BN_ULONGs being multiplied.
368 # r7,r8 are the results of the 32x32 giving 64 bit multiply.
369 # r9,r10, r11 are the equivalents of c1,c2, c3.
370 # Here's the assembly
373 xor r0,r0,r0 # set r0 = 0. Used in the addze
376 #sqr_add_c(a,0,c1,c2,c3)
379 $UMULH r10,r5,r5 #in first iteration. No need
380 #to add since c1=c2=c3=0.
381 # Note c3(r11) is NOT set to 0
384 $ST r9,`0*$BNSZ`(r3) # r[0]=c1;
385 # sqr_add_c2(a,1,0,c2,c3,c1);
390 addc r7,r7,r7 # compute (r7,r8)=2*(r7,r8)
392 addze r9,r0 # catch carry if any.
393 # r9= r0(=0) and carry
395 addc r10,r7,r10 # now add to temp result.
396 addze r11,r8 # r8 added to r11 which is 0
399 $ST r10,`1*$BNSZ`(r3) #r[1]=c2;
400 #sqr_add_c(a,1,c3,c1,c2)
406 #sqr_add_c2(a,2,0,c3,c1,c2)
418 $ST r11,`2*$BNSZ`(r3) #r[2]=c3
419 #sqr_add_c2(a,3,0,c1,c2,c3);
430 #sqr_add_c2(a,2,1,c1,c2,c3);
442 $ST r9,`3*$BNSZ`(r3) #r[3]=c1
443 #sqr_add_c(a,2,c2,c3,c1);
449 #sqr_add_c2(a,3,1,c2,c3,c1);
460 $ST r10,`4*$BNSZ`(r3) #r[4]=c2
461 #sqr_add_c2(a,3,2,c3,c1,c2);
472 $ST r11,`5*$BNSZ`(r3) #r[5] = c3
473 #sqr_add_c(a,3,c1,c2,c3);
479 $ST r9,`6*$BNSZ`(r3) #r[6]=c1
480 $ST r10,`7*$BNSZ`(r3) #r[7]=c2
481 bclr BO_ALWAYS,CR0_LT
485 # NOTE: The following label name should be changed to
486 # "bn_sqr_comba8" i.e. remove the first dot
487 # for the gcc compiler. This should be automatically
494 # This is an optimized version of the bn_sqr_comba8 routine.
495 # Tightly uses the adde instruction
498 # void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
502 # Freely use registers r5,r6,r7,r8,r9,r10,r11 as follows:
504 # r5,r6 are the two BN_ULONGs being multiplied.
505 # r7,r8 are the results of the 32x32 giving 64 bit multiply.
506 # r9,r10, r11 are the equivalents of c1,c2, c3.
508 # Possible optimization of loading all 8 longs of a into registers
509 # doesnt provide any speedup
512 xor r0,r0,r0 #set r0 = 0.Used in addze
515 #sqr_add_c(a,0,c1,c2,c3);
517 $UMULL r9,r5,r5 #1st iteration: no carries.
519 $ST r9,`0*$BNSZ`(r3) # r[0]=c1;
520 #sqr_add_c2(a,1,0,c2,c3,c1);
525 addc r10,r7,r10 #add the two register number
526 adde r11,r8,r0 # (r8,r7) to the three register
527 addze r9,r0 # number (r9,r11,r10).NOTE:r0=0
529 addc r10,r7,r10 #add the two register number
530 adde r11,r8,r11 # (r8,r7) to the three register
531 addze r9,r9 # number (r9,r11,r10).
533 $ST r10,`1*$BNSZ`(r3) # r[1]=c2
535 #sqr_add_c(a,1,c3,c1,c2);
541 #sqr_add_c2(a,2,0,c3,c1,c2);
554 $ST r11,`2*$BNSZ`(r3) #r[2]=c3
555 #sqr_add_c2(a,3,0,c1,c2,c3);
556 $LD r6,`3*$BNSZ`(r4) #r6 = a[3]. r5 is already a[0].
567 #sqr_add_c2(a,2,1,c1,c2,c3);
581 $ST r9,`3*$BNSZ`(r3) #r[3]=c1;
582 #sqr_add_c(a,2,c2,c3,c1);
589 #sqr_add_c2(a,3,1,c2,c3,c1);
601 #sqr_add_c2(a,4,0,c2,c3,c1);
614 $ST r10,`4*$BNSZ`(r3) #r[4]=c2;
615 #sqr_add_c2(a,5,0,c3,c1,c2);
627 #sqr_add_c2(a,4,1,c3,c1,c2);
640 #sqr_add_c2(a,3,2,c3,c1,c2);
653 $ST r11,`5*$BNSZ`(r3) #r[5]=c3;
654 #sqr_add_c(a,3,c1,c2,c3);
660 #sqr_add_c2(a,4,2,c1,c2,c3);
672 #sqr_add_c2(a,5,1,c1,c2,c3);
685 #sqr_add_c2(a,6,0,c1,c2,c3);
696 $ST r9,`6*$BNSZ`(r3) #r[6]=c1;
697 #sqr_add_c2(a,7,0,c2,c3,c1);
708 #sqr_add_c2(a,6,1,c2,c3,c1);
720 #sqr_add_c2(a,5,2,c2,c3,c1);
731 #sqr_add_c2(a,4,3,c2,c3,c1);
743 $ST r10,`7*$BNSZ`(r3) #r[7]=c2;
744 #sqr_add_c(a,4,c3,c1,c2);
750 #sqr_add_c2(a,5,3,c3,c1,c2);
760 #sqr_add_c2(a,6,2,c3,c1,c2);
772 #sqr_add_c2(a,7,1,c3,c1,c2);
783 $ST r11,`8*$BNSZ`(r3) #r[8]=c3;
784 #sqr_add_c2(a,7,2,c1,c2,c3);
795 #sqr_add_c2(a,6,3,c1,c2,c3);
806 #sqr_add_c2(a,5,4,c1,c2,c3);
817 $ST r9,`9*$BNSZ`(r3) #r[9]=c1;
818 #sqr_add_c(a,5,c2,c3,c1);
824 #sqr_add_c2(a,6,4,c2,c3,c1);
834 #sqr_add_c2(a,7,3,c2,c3,c1);
845 $ST r10,`10*$BNSZ`(r3) #r[10]=c2;
846 #sqr_add_c2(a,7,4,c3,c1,c2);
856 #sqr_add_c2(a,6,5,c3,c1,c2);
867 $ST r11,`11*$BNSZ`(r3) #r[11]=c3;
868 #sqr_add_c(a,6,c1,c2,c3);
874 #sqr_add_c2(a,7,5,c1,c2,c3)
884 $ST r9,`12*$BNSZ`(r3) #r[12]=c1;
886 #sqr_add_c2(a,7,6,c2,c3,c1)
896 $ST r10,`13*$BNSZ`(r3) #r[13]=c2;
897 #sqr_add_c(a,7,c3,c1,c2);
902 $ST r11,`14*$BNSZ`(r3) #r[14]=c3;
903 $ST r9, `15*$BNSZ`(r3) #r[15]=c1;
906 bclr BO_ALWAYS,CR0_LT
911 # NOTE: The following label name should be changed to
912 # "bn_mul_comba4" i.e. remove the first dot
913 # for the gcc compiler. This should be automatically
920 # This is an optimized version of the bn_mul_comba4 routine.
922 # void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
926 # r6, r7 are the 2 BN_ULONGs being multiplied.
927 # r8, r9 are the results of the 32x32 giving 64 multiply.
928 # r10, r11, r12 are the equivalents of c1, c2, and c3.
930 xor r0,r0,r0 #r0=0. Used in addze below.
931 #mul_add_c(a[0],b[0],c1,c2,c3);
936 $ST r10,`0*$BNSZ`(r3) #r[0]=c1
937 #mul_add_c(a[0],b[1],c2,c3,c1);
944 #mul_add_c(a[1],b[0],c2,c3,c1);
945 $LD r6, `1*$BNSZ`(r4)
946 $LD r7, `0*$BNSZ`(r5)
952 $ST r11,`1*$BNSZ`(r3) #r[1]=c2
953 #mul_add_c(a[2],b[0],c3,c1,c2);
960 #mul_add_c(a[1],b[1],c3,c1,c2);
968 #mul_add_c(a[0],b[2],c3,c1,c2);
976 $ST r12,`2*$BNSZ`(r3) #r[2]=c3
977 #mul_add_c(a[0],b[3],c1,c2,c3);
984 #mul_add_c(a[1],b[2],c1,c2,c3);
992 #mul_add_c(a[2],b[1],c1,c2,c3);
1000 #mul_add_c(a[3],b[0],c1,c2,c3);
1001 $LD r6,`3*$BNSZ`(r4)
1002 $LD r7,`0*$BNSZ`(r5)
1008 $ST r10,`3*$BNSZ`(r3) #r[3]=c1
1009 #mul_add_c(a[3],b[1],c2,c3,c1);
1010 $LD r7,`1*$BNSZ`(r5)
1016 #mul_add_c(a[2],b[2],c2,c3,c1);
1017 $LD r6,`2*$BNSZ`(r4)
1018 $LD r7,`2*$BNSZ`(r5)
1024 #mul_add_c(a[1],b[3],c2,c3,c1);
1025 $LD r6,`1*$BNSZ`(r4)
1026 $LD r7,`3*$BNSZ`(r5)
1032 $ST r11,`4*$BNSZ`(r3) #r[4]=c2
1033 #mul_add_c(a[2],b[3],c3,c1,c2);
1034 $LD r6,`2*$BNSZ`(r4)
1040 #mul_add_c(a[3],b[2],c3,c1,c2);
1041 $LD r6,`3*$BNSZ`(r4)
1042 $LD r7,`2*$BNSZ`(r5)
1048 $ST r12,`5*$BNSZ`(r3) #r[5]=c3
1049 #mul_add_c(a[3],b[3],c1,c2,c3);
1050 $LD r7,`3*$BNSZ`(r5)
1056 $ST r10,`6*$BNSZ`(r3) #r[6]=c1
1057 $ST r11,`7*$BNSZ`(r3) #r[7]=c2
1058 bclr BO_ALWAYS,CR0_LT
1062 # NOTE: The following label name should be changed to
1063 # "bn_mul_comba8" i.e. remove the first dot
1064 # for the gcc compiler. This should be automatically
1071 # Optimized version of the bn_mul_comba8 routine.
1073 # void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
1077 # r6, r7 are the 2 BN_ULONGs being multiplied.
1078 # r8, r9 are the results of the 32x32 giving 64 multiply.
1079 # r10, r11, r12 are the equivalents of c1, c2, and c3.
1081 xor r0,r0,r0 #r0=0. Used in addze below.
1083 #mul_add_c(a[0],b[0],c1,c2,c3);
1084 $LD r6,`0*$BNSZ`(r4) #a[0]
1085 $LD r7,`0*$BNSZ`(r5) #b[0]
1088 $ST r10,`0*$BNSZ`(r3) #r[0]=c1;
1089 #mul_add_c(a[0],b[1],c2,c3,c1);
1090 $LD r7,`1*$BNSZ`(r5)
1094 addze r12,r9 # since we didnt set r12 to zero before.
1096 #mul_add_c(a[1],b[0],c2,c3,c1);
1097 $LD r6,`1*$BNSZ`(r4)
1098 $LD r7,`0*$BNSZ`(r5)
1104 $ST r11,`1*$BNSZ`(r3) #r[1]=c2;
1105 #mul_add_c(a[2],b[0],c3,c1,c2);
1106 $LD r6,`2*$BNSZ`(r4)
1112 #mul_add_c(a[1],b[1],c3,c1,c2);
1113 $LD r6,`1*$BNSZ`(r4)
1114 $LD r7,`1*$BNSZ`(r5)
1120 #mul_add_c(a[0],b[2],c3,c1,c2);
1121 $LD r6,`0*$BNSZ`(r4)
1122 $LD r7,`2*$BNSZ`(r5)
1128 $ST r12,`2*$BNSZ`(r3) #r[2]=c3;
1129 #mul_add_c(a[0],b[3],c1,c2,c3);
1130 $LD r7,`3*$BNSZ`(r5)
1136 #mul_add_c(a[1],b[2],c1,c2,c3);
1137 $LD r6,`1*$BNSZ`(r4)
1138 $LD r7,`2*$BNSZ`(r5)
1145 #mul_add_c(a[2],b[1],c1,c2,c3);
1146 $LD r6,`2*$BNSZ`(r4)
1147 $LD r7,`1*$BNSZ`(r5)
1153 #mul_add_c(a[3],b[0],c1,c2,c3);
1154 $LD r6,`3*$BNSZ`(r4)
1155 $LD r7,`0*$BNSZ`(r5)
1161 $ST r10,`3*$BNSZ`(r3) #r[3]=c1;
1162 #mul_add_c(a[4],b[0],c2,c3,c1);
1163 $LD r6,`4*$BNSZ`(r4)
1169 #mul_add_c(a[3],b[1],c2,c3,c1);
1170 $LD r6,`3*$BNSZ`(r4)
1171 $LD r7,`1*$BNSZ`(r5)
1177 #mul_add_c(a[2],b[2],c2,c3,c1);
1178 $LD r6,`2*$BNSZ`(r4)
1179 $LD r7,`2*$BNSZ`(r5)
1185 #mul_add_c(a[1],b[3],c2,c3,c1);
1186 $LD r6,`1*$BNSZ`(r4)
1187 $LD r7,`3*$BNSZ`(r5)
1193 #mul_add_c(a[0],b[4],c2,c3,c1);
1194 $LD r6,`0*$BNSZ`(r4)
1195 $LD r7,`4*$BNSZ`(r5)
1201 $ST r11,`4*$BNSZ`(r3) #r[4]=c2;
1202 #mul_add_c(a[0],b[5],c3,c1,c2);
1203 $LD r7,`5*$BNSZ`(r5)
1209 #mul_add_c(a[1],b[4],c3,c1,c2);
1210 $LD r6,`1*$BNSZ`(r4)
1211 $LD r7,`4*$BNSZ`(r5)
1217 #mul_add_c(a[2],b[3],c3,c1,c2);
1218 $LD r6,`2*$BNSZ`(r4)
1219 $LD r7,`3*$BNSZ`(r5)
1225 #mul_add_c(a[3],b[2],c3,c1,c2);
1226 $LD r6,`3*$BNSZ`(r4)
1227 $LD r7,`2*$BNSZ`(r5)
1233 #mul_add_c(a[4],b[1],c3,c1,c2);
1234 $LD r6,`4*$BNSZ`(r4)
1235 $LD r7,`1*$BNSZ`(r5)
1241 #mul_add_c(a[5],b[0],c3,c1,c2);
1242 $LD r6,`5*$BNSZ`(r4)
1243 $LD r7,`0*$BNSZ`(r5)
1249 $ST r12,`5*$BNSZ`(r3) #r[5]=c3;
1250 #mul_add_c(a[6],b[0],c1,c2,c3);
1251 $LD r6,`6*$BNSZ`(r4)
1257 #mul_add_c(a[5],b[1],c1,c2,c3);
1258 $LD r6,`5*$BNSZ`(r4)
1259 $LD r7,`1*$BNSZ`(r5)
1265 #mul_add_c(a[4],b[2],c1,c2,c3);
1266 $LD r6,`4*$BNSZ`(r4)
1267 $LD r7,`2*$BNSZ`(r5)
1273 #mul_add_c(a[3],b[3],c1,c2,c3);
1274 $LD r6,`3*$BNSZ`(r4)
1275 $LD r7,`3*$BNSZ`(r5)
1281 #mul_add_c(a[2],b[4],c1,c2,c3);
1282 $LD r6,`2*$BNSZ`(r4)
1283 $LD r7,`4*$BNSZ`(r5)
1289 #mul_add_c(a[1],b[5],c1,c2,c3);
1290 $LD r6,`1*$BNSZ`(r4)
1291 $LD r7,`5*$BNSZ`(r5)
1297 #mul_add_c(a[0],b[6],c1,c2,c3);
1298 $LD r6,`0*$BNSZ`(r4)
1299 $LD r7,`6*$BNSZ`(r5)
1305 $ST r10,`6*$BNSZ`(r3) #r[6]=c1;
1306 #mul_add_c(a[0],b[7],c2,c3,c1);
1307 $LD r7,`7*$BNSZ`(r5)
1313 #mul_add_c(a[1],b[6],c2,c3,c1);
1314 $LD r6,`1*$BNSZ`(r4)
1315 $LD r7,`6*$BNSZ`(r5)
1321 #mul_add_c(a[2],b[5],c2,c3,c1);
1322 $LD r6,`2*$BNSZ`(r4)
1323 $LD r7,`5*$BNSZ`(r5)
1329 #mul_add_c(a[3],b[4],c2,c3,c1);
1330 $LD r6,`3*$BNSZ`(r4)
1331 $LD r7,`4*$BNSZ`(r5)
1337 #mul_add_c(a[4],b[3],c2,c3,c1);
1338 $LD r6,`4*$BNSZ`(r4)
1339 $LD r7,`3*$BNSZ`(r5)
1345 #mul_add_c(a[5],b[2],c2,c3,c1);
1346 $LD r6,`5*$BNSZ`(r4)
1347 $LD r7,`2*$BNSZ`(r5)
1353 #mul_add_c(a[6],b[1],c2,c3,c1);
1354 $LD r6,`6*$BNSZ`(r4)
1355 $LD r7,`1*$BNSZ`(r5)
1361 #mul_add_c(a[7],b[0],c2,c3,c1);
1362 $LD r6,`7*$BNSZ`(r4)
1363 $LD r7,`0*$BNSZ`(r5)
1369 $ST r11,`7*$BNSZ`(r3) #r[7]=c2;
1370 #mul_add_c(a[7],b[1],c3,c1,c2);
1371 $LD r7,`1*$BNSZ`(r5)
1377 #mul_add_c(a[6],b[2],c3,c1,c2);
1378 $LD r6,`6*$BNSZ`(r4)
1379 $LD r7,`2*$BNSZ`(r5)
1385 #mul_add_c(a[5],b[3],c3,c1,c2);
1386 $LD r6,`5*$BNSZ`(r4)
1387 $LD r7,`3*$BNSZ`(r5)
1393 #mul_add_c(a[4],b[4],c3,c1,c2);
1394 $LD r6,`4*$BNSZ`(r4)
1395 $LD r7,`4*$BNSZ`(r5)
1401 #mul_add_c(a[3],b[5],c3,c1,c2);
1402 $LD r6,`3*$BNSZ`(r4)
1403 $LD r7,`5*$BNSZ`(r5)
1409 #mul_add_c(a[2],b[6],c3,c1,c2);
1410 $LD r6,`2*$BNSZ`(r4)
1411 $LD r7,`6*$BNSZ`(r5)
1417 #mul_add_c(a[1],b[7],c3,c1,c2);
1418 $LD r6,`1*$BNSZ`(r4)
1419 $LD r7,`7*$BNSZ`(r5)
1425 $ST r12,`8*$BNSZ`(r3) #r[8]=c3;
1426 #mul_add_c(a[2],b[7],c1,c2,c3);
1427 $LD r6,`2*$BNSZ`(r4)
1433 #mul_add_c(a[3],b[6],c1,c2,c3);
1434 $LD r6,`3*$BNSZ`(r4)
1435 $LD r7,`6*$BNSZ`(r5)
1441 #mul_add_c(a[4],b[5],c1,c2,c3);
1442 $LD r6,`4*$BNSZ`(r4)
1443 $LD r7,`5*$BNSZ`(r5)
1449 #mul_add_c(a[5],b[4],c1,c2,c3);
1450 $LD r6,`5*$BNSZ`(r4)
1451 $LD r7,`4*$BNSZ`(r5)
1457 #mul_add_c(a[6],b[3],c1,c2,c3);
1458 $LD r6,`6*$BNSZ`(r4)
1459 $LD r7,`3*$BNSZ`(r5)
1465 #mul_add_c(a[7],b[2],c1,c2,c3);
1466 $LD r6,`7*$BNSZ`(r4)
1467 $LD r7,`2*$BNSZ`(r5)
1473 $ST r10,`9*$BNSZ`(r3) #r[9]=c1;
1474 #mul_add_c(a[7],b[3],c2,c3,c1);
1475 $LD r7,`3*$BNSZ`(r5)
1481 #mul_add_c(a[6],b[4],c2,c3,c1);
1482 $LD r6,`6*$BNSZ`(r4)
1483 $LD r7,`4*$BNSZ`(r5)
1489 #mul_add_c(a[5],b[5],c2,c3,c1);
1490 $LD r6,`5*$BNSZ`(r4)
1491 $LD r7,`5*$BNSZ`(r5)
1497 #mul_add_c(a[4],b[6],c2,c3,c1);
1498 $LD r6,`4*$BNSZ`(r4)
1499 $LD r7,`6*$BNSZ`(r5)
1505 #mul_add_c(a[3],b[7],c2,c3,c1);
1506 $LD r6,`3*$BNSZ`(r4)
1507 $LD r7,`7*$BNSZ`(r5)
1513 $ST r11,`10*$BNSZ`(r3) #r[10]=c2;
1514 #mul_add_c(a[4],b[7],c3,c1,c2);
1515 $LD r6,`4*$BNSZ`(r4)
1521 #mul_add_c(a[5],b[6],c3,c1,c2);
1522 $LD r6,`5*$BNSZ`(r4)
1523 $LD r7,`6*$BNSZ`(r5)
1529 #mul_add_c(a[6],b[5],c3,c1,c2);
1530 $LD r6,`6*$BNSZ`(r4)
1531 $LD r7,`5*$BNSZ`(r5)
1537 #mul_add_c(a[7],b[4],c3,c1,c2);
1538 $LD r6,`7*$BNSZ`(r4)
1539 $LD r7,`4*$BNSZ`(r5)
1545 $ST r12,`11*$BNSZ`(r3) #r[11]=c3;
1546 #mul_add_c(a[7],b[5],c1,c2,c3);
1547 $LD r7,`5*$BNSZ`(r5)
1553 #mul_add_c(a[6],b[6],c1,c2,c3);
1554 $LD r6,`6*$BNSZ`(r4)
1555 $LD r7,`6*$BNSZ`(r5)
1561 #mul_add_c(a[5],b[7],c1,c2,c3);
1562 $LD r6,`5*$BNSZ`(r4)
1563 $LD r7,`7*$BNSZ`(r5)
1569 $ST r10,`12*$BNSZ`(r3) #r[12]=c1;
1570 #mul_add_c(a[6],b[7],c2,c3,c1);
1571 $LD r6,`6*$BNSZ`(r4)
1577 #mul_add_c(a[7],b[6],c2,c3,c1);
1578 $LD r6,`7*$BNSZ`(r4)
1579 $LD r7,`6*$BNSZ`(r5)
1585 $ST r11,`13*$BNSZ`(r3) #r[13]=c2;
1586 #mul_add_c(a[7],b[7],c3,c1,c2);
1587 $LD r7,`7*$BNSZ`(r5)
1592 $ST r12,`14*$BNSZ`(r3) #r[14]=c3;
1593 $ST r10,`15*$BNSZ`(r3) #r[15]=c1;
1594 bclr BO_ALWAYS,CR0_LT
1598 # NOTE: The following label name should be changed to
1599 # "bn_sub_words" i.e. remove the first dot
1600 # for the gcc compiler. This should be automatically
1607 # Handcoded version of bn_sub_words
1609 #BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
1616 # Note: No loop unrolling done since this is not a performance
1619 xor r0,r0,r0 #set r0 = 0
1621 # check for r6 = 0 AND set carry bit.
1623 subfc. r7,r0,r6 # If r6 is 0 then result is 0.
1624 # if r6 > 0 then result !=0
1625 # In either case carry bit is set.
1626 bc BO_IF,CR0_EQ,Lppcasm_sub_adios
1631 Lppcasm_sub_mainloop:
1634 subfe r6,r8,r7 # r6 = r7+carry bit + onescomplement(r8)
1635 # if carry = 1 this is r7-r8. Else it
1636 # is r7-r8 -1 as we need.
1638 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_sub_mainloop
1640 subfze r3,r0 # if carry bit is set then r3 = 0 else -1
1641 andi. r3,r3,1 # keep only last bit.
1642 bclr BO_ALWAYS,CR0_LT
1647 # NOTE: The following label name should be changed to
1648 # "bn_add_words" i.e. remove the first dot
1649 # for the gcc compiler. This should be automatically
1656 # Handcoded version of bn_add_words
1658 #BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
1665 # Note: No loop unrolling done since this is not a performance
1670 # check for r6 = 0. Is this needed?
1672 addic. r6,r6,0 #test r6 and clear carry bit.
1673 bc BO_IF,CR0_EQ,Lppcasm_add_adios
1678 Lppcasm_add_mainloop:
1683 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_add_mainloop
1685 addze r3,r0 #return carry bit.
1686 bclr BO_ALWAYS,CR0_LT
1690 # NOTE: The following label name should be changed to
1691 # "bn_div_words" i.e. remove the first dot
1692 # for the gcc compiler. This should be automatically
1699 # This is a cleaned up version of code generated by
1700 # the AIX compiler. The only optimization is to use
1701 # the PPC instruction to count leading zeros instead
1702 # of call to num_bits_word. Since this was compiled
1703 # only at level -O2 we can possibly squeeze it more?
1709 $UCMPI 0,r5,0 # compare r5 and 0
1710 bc BO_IF_NOT,CR0_EQ,Lppcasm_div1 # proceed if d!=0
1711 li r3,-1 # d=0 return -1
1712 bclr BO_ALWAYS,CR0_LT
1716 $CNTLZ. r7,r5 #r7 = num leading 0s in d.
1717 bc BO_IF,CR0_EQ,Lppcasm_div2 #proceed if no leading zeros
1718 subf r8,r7,r8 #r8 = BN_num_bits_word(d)
1719 $SHR. r9,r3,r8 #are there any bits above r8'th?
1720 $TR 16,r9,r0 #if there're, signal to dump core...
1722 $UCMP 0,r3,r5 #h>=d?
1723 bc BO_IF,CR0_LT,Lppcasm_div3 #goto Lppcasm_div3 if not
1724 subf r3,r5,r3 #h-=d ;
1725 Lppcasm_div3: #r7 = BN_BITS2-i. so r7=i
1726 cmpi 0,0,r7,0 # is (i == 0)?
1727 bc BO_IF,CR0_EQ,Lppcasm_div4
1728 $SHL r3,r3,r7 # h = (h<< i)
1729 $SHR r8,r4,r8 # r8 = (l >> BN_BITS2 -i)
1730 $SHL r5,r5,r7 # d<<=i
1731 or r3,r3,r8 # h = (h<<i)|(l>>(BN_BITS2-i))
1732 $SHL r4,r4,r7 # l <<=i
1734 $SHRI r9,r5,`$BITS/2` # r9 = dh
1735 # dl will be computed when needed
1736 # as it saves registers.
1738 mtctr r6 #counter will be in count.
1739 Lppcasm_divouterloop:
1740 $SHRI r8,r3,`$BITS/2` #r8 = (h>>BN_BITS4)
1741 $SHRI r11,r4,`$BITS/2` #r11= (l&BN_MASK2h)>>BN_BITS4
1742 # compute here for innerloop.
1743 $UCMP 0,r8,r9 # is (h>>BN_BITS4)==dh
1744 bc BO_IF_NOT,CR0_EQ,Lppcasm_div5 # goto Lppcasm_div5 if not
1747 $CLRU r8,r8,`$BITS/2` #q = BN_MASK2l
1750 $UDIV r8,r3,r9 #q = h/dh
1752 $UMULL r12,r9,r8 #th = q*dh
1753 $CLRU r10,r5,`$BITS/2` #r10=dl
1754 $UMULL r6,r8,r10 #tl = q*dl
1756 Lppcasm_divinnerloop:
1757 subf r10,r12,r3 #t = h -th
1758 $SHRI r7,r10,`$BITS/2` #r7= (t &BN_MASK2H), sort of...
1759 addic. r7,r7,0 #test if r7 == 0. used below.
1760 # now want to compute
1761 # r7 = (t<<BN_BITS4)|((l&BN_MASK2h)>>BN_BITS4)
1762 # the following 2 instructions do that
1763 $SHLI r7,r10,`$BITS/2` # r7 = (t<<BN_BITS4)
1764 or r7,r7,r11 # r7|=((l&BN_MASK2h)>>BN_BITS4)
1765 $UCMP 1,r6,r7 # compare (tl <= r7)
1766 bc BO_IF_NOT,CR0_EQ,Lppcasm_divinnerexit
1767 bc BO_IF_NOT,CR1_FEX,Lppcasm_divinnerexit
1769 subf r12,r9,r12 #th -=dh
1770 $CLRU r10,r5,`$BITS/2` #r10=dl. t is no longer needed in loop.
1771 subf r6,r10,r6 #tl -=dl
1772 b Lppcasm_divinnerloop
1773 Lppcasm_divinnerexit:
1774 $SHRI r10,r6,`$BITS/2` #t=(tl>>BN_BITS4)
1775 $SHLI r11,r6,`$BITS/2` #tl=(tl<<BN_BITS4)&BN_MASK2h;
1776 $UCMP 1,r4,r11 # compare l and tl
1777 add r12,r12,r10 # th+=t
1778 bc BO_IF_NOT,CR1_FX,Lppcasm_div7 # if (l>=tl) goto Lppcasm_div7
1779 addi r12,r12,1 # th++
1781 subf r11,r11,r4 #r11=l-tl
1782 $UCMP 1,r3,r12 #compare h and th
1783 bc BO_IF_NOT,CR1_FX,Lppcasm_div8 #if (h>=th) goto Lppcasm_div8
1787 subf r12,r12,r3 #r12 = h-th
1788 $SHLI r4,r11,`$BITS/2` #l=(l&BN_MASK2l)<<BN_BITS4
1790 # h = ((h<<BN_BITS4)|(l>>BN_BITS4))&BN_MASK2
1791 # the following 2 instructions will do this.
1792 $INSR r11,r12,`$BITS/2`,`$BITS/2` # r11 is the value we want rotated $BITS/2.
1793 $ROTL r3,r11,`$BITS/2` # rotate by $BITS/2 and store in r3
1794 bc BO_dCTR_ZERO,CR0_EQ,Lppcasm_div9#if (count==0) break ;
1795 $SHLI r0,r8,`$BITS/2` #ret =q<<BN_BITS4
1796 b Lppcasm_divouterloop
1799 bclr BO_ALWAYS,CR0_LT
1803 # NOTE: The following label name should be changed to
1804 # "bn_sqr_words" i.e. remove the first dot
1805 # for the gcc compiler. This should be automatically
1811 # Optimized version of bn_sqr_words
1813 # void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
1822 # No unrolling done here. Not performance critical.
1824 addic. r5,r5,0 #test r5.
1825 bc BO_IF,CR0_EQ,Lppcasm_sqr_adios
1829 Lppcasm_sqr_mainloop:
1830 #sqr(r[0],r[1],a[0]);
1836 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_sqr_mainloop
1838 bclr BO_ALWAYS,CR0_LT
1843 # NOTE: The following label name should be changed to
1844 # "bn_mul_words" i.e. remove the first dot
1845 # for the gcc compiler. This should be automatically
1852 # BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
1859 xor r12,r12,r12 # used for carry
1860 rlwinm. r7,r5,30,2,31 # num >> 2
1861 bc BO_IF,CR0_EQ,Lppcasm_mw_REM
1864 #mul(rp[0],ap[0],w,c1);
1865 $LD r8,`0*$BNSZ`(r4)
1869 #addze r10,r10 #carry is NOT ignored.
1870 #will be taken care of
1871 #in second spin below
1873 $ST r9,`0*$BNSZ`(r3)
1874 #mul(rp[1],ap[1],w,c1);
1875 $LD r8,`1*$BNSZ`(r4)
1880 $ST r11,`1*$BNSZ`(r3)
1881 #mul(rp[2],ap[2],w,c1);
1882 $LD r8,`2*$BNSZ`(r4)
1887 $ST r9,`2*$BNSZ`(r3)
1888 #mul_add(rp[3],ap[3],w,c1);
1889 $LD r8,`3*$BNSZ`(r4)
1893 addze r12,r12 #this spin we collect carry into
1895 $ST r11,`3*$BNSZ`(r3)
1897 addi r3,r3,`4*$BNSZ`
1898 addi r4,r4,`4*$BNSZ`
1899 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_mw_LOOP
1903 bc BO_IF,CR0_EQ,Lppcasm_mw_OVER
1904 #mul(rp[0],ap[0],w,c1);
1905 $LD r8,`0*$BNSZ`(r4)
1910 $ST r9,`0*$BNSZ`(r3)
1915 bc BO_IF,CR0_EQ,Lppcasm_mw_OVER
1918 #mul(rp[1],ap[1],w,c1);
1919 $LD r8,`1*$BNSZ`(r4)
1924 $ST r9,`1*$BNSZ`(r3)
1929 bc BO_IF,CR0_EQ,Lppcasm_mw_OVER
1931 #mul_add(rp[2],ap[2],w,c1);
1932 $LD r8,`2*$BNSZ`(r4)
1937 $ST r9,`2*$BNSZ`(r3)
1942 bclr BO_ALWAYS,CR0_LT
1946 # NOTE: The following label name should be changed to
1947 # "bn_mul_add_words" i.e. remove the first dot
1948 # for the gcc compiler. This should be automatically
1955 # BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
1962 # empirical evidence suggests that unrolled version performs best!!
1964 xor r0,r0,r0 #r0 = 0
1965 xor r12,r12,r12 #r12 = 0 . used for carry
1966 rlwinm. r7,r5,30,2,31 # num >> 2
1967 bc BO_IF,CR0_EQ,Lppcasm_maw_leftover # if (num < 4) go LPPCASM_maw_leftover
1969 Lppcasm_maw_mainloop:
1970 #mul_add(rp[0],ap[0],w,c1);
1971 $LD r8,`0*$BNSZ`(r4)
1972 $LD r11,`0*$BNSZ`(r3)
1975 addc r9,r9,r12 #r12 is carry.
1979 #the above instruction addze
1980 #is NOT needed. Carry will NOT
1981 #be ignored. It's not affected
1982 #by multiply and will be collected
1984 $ST r9,`0*$BNSZ`(r3)
1986 #mul_add(rp[1],ap[1],w,c1);
1987 $LD r8,`1*$BNSZ`(r4)
1988 $LD r9,`1*$BNSZ`(r3)
1991 adde r11,r11,r10 #r10 is carry.
1995 $ST r11,`1*$BNSZ`(r3)
1997 #mul_add(rp[2],ap[2],w,c1);
1998 $LD r8,`2*$BNSZ`(r4)
2000 $LD r11,`2*$BNSZ`(r3)
2006 $ST r9,`2*$BNSZ`(r3)
2008 #mul_add(rp[3],ap[3],w,c1);
2009 $LD r8,`3*$BNSZ`(r4)
2011 $LD r9,`3*$BNSZ`(r3)
2017 $ST r11,`3*$BNSZ`(r3)
2018 addi r3,r3,`4*$BNSZ`
2019 addi r4,r4,`4*$BNSZ`
2020 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_maw_mainloop
2022 Lppcasm_maw_leftover:
2024 bc BO_IF,CR0_EQ,Lppcasm_maw_adios
2027 #mul_add(rp[0],ap[0],w,c1);
2039 bc BO_dCTR_ZERO,CR0_EQ,Lppcasm_maw_adios
2040 #mul_add(rp[1],ap[1],w,c1);
2051 bc BO_dCTR_ZERO,CR0_EQ,Lppcasm_maw_adios
2052 #mul_add(rp[2],ap[2],w,c1);
2065 bclr BO_ALWAYS,CR0_LT
2069 $data =~ s/\`([^\`]*)\`/eval $1/gem;
2071 # if some assembler chokes on some simplified mnemonic,
2072 # this is the spot to fix it up, e.g.:
2073 # GNU as doesn't seem to accept cmplw, 32-bit unsigned compare
2074 $data =~ s/^(\s*)cmplw(\s+)([^,]+),(.*)/$1cmpl$2$3,0,$4/gm;
2075 # assembler X doesn't accept li, load immediate value
2076 #$data =~ s/^(\s*)li(\s+)([^,]+),(.*)/$1addi$2$3,0,$4/gm;
2077 # assembler Y chokes on apostrophes in comments