2 # Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # IALU(*)/gcc-4.4 NEON
19 # ARM11xx(ARMv6) 7.78/+100% -
20 # Cortex-A5 6.35/+130% 3.00
21 # Cortex-A8 6.25/+115% 2.36
22 # Cortex-A9 5.10/+95% 2.55
23 # Cortex-A15 3.85/+85% 1.25(**)
24 # Snapdragon S4 5.70/+100% 1.48(**)
26 # (*) this is for -march=armv6, i.e. with bunch of ldrb loading data;
27 # (**) these are trade-off results, they can be improved by ~8% but at
28 # the cost of 15/12% regression on Cortex-A5/A7, it's even possible
29 # to improve Cortex-A9 result, but then A5/A7 loose more than 20%;
32 if ($flavour=~/\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
33 else { while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} }
35 if ($flavour && $flavour ne "void") {
36 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
37 ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
38 ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
39 die "can't locate arm-xlate.pl";
41 open STDOUT,"| \"$^X\" $xlate $flavour $output";
43 open STDOUT,">$output";
46 ($ctx,$inp,$len,$padbit)=map("r$_",(0..3));
52 #if defined(__thumb2__)
60 .globl poly1305_blocks
62 .type poly1305_init,%function
70 str r3,[$ctx,#0] @ zero hash value
75 str r3,[$ctx,#36] @ is_base2_26
84 #if __ARM_MAX_ARCH__>=7
85 adr r11,.Lpoly1305_init
86 ldr r12,.LOPENSSL_armcap
91 and r3,r10,#-4 @ 0x0ffffffc
102 #if __ARM_MAX_ARCH__>=7
103 ldr r12,[r11,r12] @ OPENSSL_armcap_P
117 #if __ARM_MAX_ARCH__>=7
118 tst r12,#ARMV7_NEON @ check for NEON
120 adr r9,poly1305_blocks_neon
121 adr r11,poly1305_blocks
126 adr r12,poly1305_emit
127 adr r10,poly1305_emit_neon
136 addeq r12,r11,#(.Lpoly1305_emit-.Lpoly1305_init)
137 addne r12,r11,#(.Lpoly1305_emit_neon-.Lpoly1305_init)
138 addeq r11,r11,#(.Lpoly1305_blocks-.Lpoly1305_init)
139 addne r11,r11,#(.Lpoly1305_blocks_neon-.Lpoly1305_init)
142 orr r12,r12,#1 @ thumb-ify address
164 #if __ARM_MAX_ARCH__>=7
165 stmia r2,{r11,r12} @ fill functions table
176 moveq pc,lr @ be binary compatible with V4, yet
177 bx lr @ interoperable with Thumb ISA:-)
179 .size poly1305_init,.-poly1305_init
182 my ($h0,$h1,$h2,$h3,$h4,$r0,$r1,$r2,$r3)=map("r$_",(4..12));
183 my ($s1,$s2,$s3)=($r1,$r2,$r3);
186 .type poly1305_blocks,%function
190 stmdb sp!,{r3-r11,lr}
196 add $len,$len,$inp @ end pointer
199 ldmia $ctx,{$h0-$r3} @ load context
201 str $ctx,[sp,#12] @ offload stuff
211 ldrb r0,[lr],#16 @ load input
215 addhi $h4,$h4,#1 @ 1<<128
225 adds $h0,$h0,r3 @ accumulate input
247 str lr,[sp,#8] @ offload input pointer
249 add $s1,$r1,$r1,lsr#2
252 ldr r0,[lr],#16 @ load input
256 addhi $h4,$h4,#1 @ padbit
266 adds $h0,$h0,r0 @ accumulate input
267 str lr,[sp,#8] @ offload input pointer
269 add $s1,$r1,$r1,lsr#2
272 add $s2,$r2,$r2,lsr#2
274 add $s3,$r3,$r3,lsr#2
281 ldr $r1,[sp,#20] @ reload $r1
287 str r0,[sp,#0] @ future $h0
289 ldr $r2,[sp,#24] @ reload $r2
290 adds r2,r2,r1 @ d1+=d0>>32
292 adc lr,r3,#0 @ future $h2
293 str r2,[sp,#4] @ future $h1
298 ldr $r3,[sp,#28] @ reload $r3
310 adds $h2,lr,r0 @ d2+=d1>>32
311 ldr lr,[sp,#8] @ reload input pointer
313 adds $h3,r2,r1 @ d3+=d2>>32
314 ldr r0,[sp,#16] @ reload end pointer
316 add $h4,$h4,r3 @ h4+=d3>>32
320 add r1,r1,r1,lsr#2 @ *=5
327 cmp r0,lr @ done yet?
332 stmia $ctx,{$h0-$h4} @ store the result
336 ldmia sp!,{r3-r11,pc}
338 ldmia sp!,{r3-r11,lr}
340 moveq pc,lr @ be binary compatible with V4, yet
341 bx lr @ interoperable with Thumb ISA:-)
343 .size poly1305_blocks,.-poly1305_blocks
347 my ($ctx,$mac,$nonce)=map("r$_",(0..2));
348 my ($h0,$h1,$h2,$h3,$h4,$g0,$g1,$g2,$g3)=map("r$_",(3..11));
352 .type poly1305_emit,%function
357 .Lpoly1305_emit_enter:
360 adds $g0,$h0,#5 @ compare to modulus
365 tst $g4,#4 @ did it carry/borrow?
442 moveq pc,lr @ be binary compatible with V4, yet
443 bx lr @ interoperable with Thumb ISA:-)
445 .size poly1305_emit,.-poly1305_emit
448 my ($R0,$R1,$S1,$R2,$S2,$R3,$S3,$R4,$S4) = map("d$_",(0..9));
449 my ($D0,$D1,$D2,$D3,$D4, $H0,$H1,$H2,$H3,$H4) = map("q$_",(5..14));
450 my ($T0,$T1,$MASK) = map("q$_",(15,4,0));
452 my ($in2,$zeros,$tbl0,$tbl1) = map("r$_",(4..7));
455 #if __ARM_MAX_ARCH__>=7
458 .type poly1305_init_neon,%function
461 ldr r4,[$ctx,#20] @ load key base 2^32
466 and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
474 and r3,r3,#0x03ffffff
475 and r4,r4,#0x03ffffff
476 and r5,r5,#0x03ffffff
478 vdup.32 $R0,r2 @ r^1 in both lanes
479 add r2,r3,r3,lsl#2 @ *5
492 mov $zeros,#2 @ counter
495 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
496 @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
497 @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
498 @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
499 @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
500 @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
502 vmull.u32 $D0,$R0,${R0}[1]
503 vmull.u32 $D1,$R1,${R0}[1]
504 vmull.u32 $D2,$R2,${R0}[1]
505 vmull.u32 $D3,$R3,${R0}[1]
506 vmull.u32 $D4,$R4,${R0}[1]
508 vmlal.u32 $D0,$R4,${S1}[1]
509 vmlal.u32 $D1,$R0,${R1}[1]
510 vmlal.u32 $D2,$R1,${R1}[1]
511 vmlal.u32 $D3,$R2,${R1}[1]
512 vmlal.u32 $D4,$R3,${R1}[1]
514 vmlal.u32 $D0,$R3,${S2}[1]
515 vmlal.u32 $D1,$R4,${S2}[1]
516 vmlal.u32 $D3,$R1,${R2}[1]
517 vmlal.u32 $D2,$R0,${R2}[1]
518 vmlal.u32 $D4,$R2,${R2}[1]
520 vmlal.u32 $D0,$R2,${S3}[1]
521 vmlal.u32 $D3,$R0,${R3}[1]
522 vmlal.u32 $D1,$R3,${S3}[1]
523 vmlal.u32 $D2,$R4,${S3}[1]
524 vmlal.u32 $D4,$R1,${R3}[1]
526 vmlal.u32 $D3,$R4,${S4}[1]
527 vmlal.u32 $D0,$R1,${S4}[1]
528 vmlal.u32 $D1,$R2,${S4}[1]
529 vmlal.u32 $D2,$R3,${S4}[1]
530 vmlal.u32 $D4,$R0,${R4}[1]
532 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
533 @ lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
536 @ H0>>+H1>>+H2>>+H3>>+H4
537 @ H3>>+H4>>*5+H0>>+H1
541 @ Result of multiplication of n-bit number by m-bit number is
542 @ n+m bits wide. However! Even though 2^n is a n+1-bit number,
543 @ m-bit number multiplied by 2^n is still n+m bits wide.
545 @ Sum of two n-bit numbers is n+1 bits wide, sum of three - n+2,
546 @ and so is sum of four. Sum of 2^m n-m-bit numbers and n-bit
547 @ one is n+1 bits wide.
549 @ >>+ denotes Hnext += Hn>>26, Hn &= 0x3ffffff. This means that
550 @ H0, H2, H3 are guaranteed to be 26 bits wide, while H1 and H4
551 @ can be 27. However! In cases when their width exceeds 26 bits
552 @ they are limited by 2^26+2^6. This in turn means that *sum*
553 @ of the products with these values can still be viewed as sum
554 @ of 52-bit numbers as long as the amount of addends is not a
555 @ power of 2. For example,
557 @ H4 = H4*R0 + H3*R1 + H2*R2 + H1*R3 + H0 * R4,
559 @ which can't be larger than 5 * (2^26 + 2^6) * (2^26 + 2^6), or
560 @ 5 * (2^52 + 2*2^32 + 2^12), which in turn is smaller than
561 @ 8 * (2^52) or 2^55. However, the value is then multiplied by
562 @ by 5, so we should be looking at 5 * 5 * (2^52 + 2^33 + 2^12),
563 @ which is less than 32 * (2^52) or 2^57. And when processing
564 @ data we are looking at triple as many addends...
566 @ In key setup procedure pre-reduced H0 is limited by 5*4+1 and
567 @ 5*H4 - by 5*5 52-bit addends, or 57 bits. But when hashing the
568 @ input H0 is limited by (5*4+1)*3 addends, or 58 bits, while
569 @ 5*H4 by 5*5*3, or 59[!] bits. How is this relevant? vmlal.u32
570 @ instruction accepts 2x32-bit input and writes 2x64-bit result.
571 @ This means that result of reduction have to be compressed upon
572 @ loop wrap-around. This can be done in the process of reduction
573 @ to minimize amount of instructions [as well as amount of
574 @ 128-bit instructions, which benefits low-end processors], but
575 @ one has to watch for H2 (which is narrower than H0) and 5*H4
576 @ not being wider than 58 bits, so that result of right shift
577 @ by 26 bits fits in 32 bits. This is also useful on x86,
578 @ because it allows to use paddd in place for paddq, which
579 @ benefits Atom, where paddq is ridiculously slow.
585 vadd.i64 $D4,$D4,$T0 @ h3 -> h4
586 vbic.i32 $D3#lo,#0xfc000000 @ &=0x03ffffff
587 vadd.i64 $D1,$D1,$T1 @ h0 -> h1
588 vbic.i32 $D0#lo,#0xfc000000
590 vshrn.u64 $T0#lo,$D4,#26
594 vadd.i64 $D2,$D2,$T1 @ h1 -> h2
595 vbic.i32 $D4#lo,#0xfc000000
596 vbic.i32 $D1#lo,#0xfc000000
598 vadd.i32 $D0#lo,$D0#lo,$T0#lo
599 vshl.u32 $T0#lo,$T0#lo,#2
600 vshrn.u64 $T1#lo,$D2,#26
602 vadd.i32 $D0#lo,$D0#lo,$T0#lo @ h4 -> h0
603 vadd.i32 $D3#lo,$D3#lo,$T1#lo @ h2 -> h3
604 vbic.i32 $D2#lo,#0xfc000000
606 vshr.u32 $T0#lo,$D0#lo,#26
607 vbic.i32 $D0#lo,#0xfc000000
608 vshr.u32 $T1#lo,$D3#lo,#26
609 vbic.i32 $D3#lo,#0xfc000000
610 vadd.i32 $D1#lo,$D1#lo,$T0#lo @ h0 -> h1
611 vadd.i32 $D4#lo,$D4#lo,$T1#lo @ h3 -> h4
613 subs $zeros,$zeros,#1
614 beq .Lsquare_break_neon
616 add $tbl0,$ctx,#(48+0*9*4)
617 add $tbl1,$ctx,#(48+1*9*4)
619 vtrn.32 $R0,$D0#lo @ r^2:r^1
625 vshl.u32 $S2,$R2,#2 @ *5
634 vst4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]!
635 vst4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]!
636 vst4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
637 vst4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
638 vst1.32 {${S4}[0]},[$tbl0,:32]
639 vst1.32 {${S4}[1]},[$tbl1,:32]
645 add $tbl0,$ctx,#(48+2*4*9)
646 add $tbl1,$ctx,#(48+3*4*9)
648 vmov $R0,$D0#lo @ r^4:r^3
649 vshl.u32 $S1,$D1#lo,#2 @ *5
651 vshl.u32 $S2,$D2#lo,#2
653 vshl.u32 $S3,$D3#lo,#2
655 vshl.u32 $S4,$D4#lo,#2
657 vadd.i32 $S1,$S1,$D1#lo
658 vadd.i32 $S2,$S2,$D2#lo
659 vadd.i32 $S3,$S3,$D3#lo
660 vadd.i32 $S4,$S4,$D4#lo
662 vst4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]!
663 vst4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]!
664 vst4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
665 vst4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
666 vst1.32 {${S4}[0]},[$tbl0]
667 vst1.32 {${S4}[1]},[$tbl1]
670 .size poly1305_init_neon,.-poly1305_init_neon
672 .type poly1305_blocks_neon,%function
674 poly1305_blocks_neon:
675 .Lpoly1305_blocks_neon:
676 ldr ip,[$ctx,#36] @ is_base2_26
682 tst ip,ip @ is_base2_26?
683 beq .Lpoly1305_blocks
687 vstmdb sp!,{d8-d15} @ ABI specification says so
689 tst ip,ip @ is_base2_26?
693 bl poly1305_init_neon
695 ldr r4,[$ctx,#0] @ load hash value base 2^32
701 and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
703 veor $D0#lo,$D0#lo,$D0#lo
706 veor $D1#lo,$D1#lo,$D1#lo
709 veor $D2#lo,$D2#lo,$D2#lo
712 veor $D3#lo,$D3#lo,$D3#lo
713 and r3,r3,#0x03ffffff
715 veor $D4#lo,$D4#lo,$D4#lo
716 and r4,r4,#0x03ffffff
718 and r5,r5,#0x03ffffff
719 str r1,[$ctx,#36] @ is_base2_26
733 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
736 veor $D0#lo,$D0#lo,$D0#lo
737 veor $D1#lo,$D1#lo,$D1#lo
738 veor $D2#lo,$D2#lo,$D2#lo
739 veor $D3#lo,$D3#lo,$D3#lo
740 veor $D4#lo,$D4#lo,$D4#lo
741 vld4.32 {$D0#lo[0],$D1#lo[0],$D2#lo[0],$D3#lo[0]},[$ctx]!
743 vld1.32 {$D4#lo[0]},[$ctx]
744 sub $ctx,$ctx,#16 @ rewind
748 mov $padbit,$padbit,lsl#24
752 vld4.32 {$H0#lo[0],$H1#lo[0],$H2#lo[0],$H3#lo[0]},[$inp]!
753 vmov.32 $H4#lo[0],$padbit
763 vsri.u32 $H4#lo,$H3#lo,#8 @ base 2^32 -> base 2^26
764 vshl.u32 $H3#lo,$H3#lo,#18
766 vsri.u32 $H3#lo,$H2#lo,#14
767 vshl.u32 $H2#lo,$H2#lo,#12
768 vadd.i32 $H4#hi,$H4#lo,$D4#lo @ add hash value and move to #hi
770 vbic.i32 $H3#lo,#0xfc000000
771 vsri.u32 $H2#lo,$H1#lo,#20
772 vshl.u32 $H1#lo,$H1#lo,#6
774 vbic.i32 $H2#lo,#0xfc000000
775 vsri.u32 $H1#lo,$H0#lo,#26
776 vadd.i32 $H3#hi,$H3#lo,$D3#lo
778 vbic.i32 $H0#lo,#0xfc000000
779 vbic.i32 $H1#lo,#0xfc000000
780 vadd.i32 $H2#hi,$H2#lo,$D2#lo
782 vadd.i32 $H0#hi,$H0#lo,$D0#lo
783 vadd.i32 $H1#hi,$H1#lo,$D1#lo
797 vmov.i32 $H4,#1<<24 @ padbit, yes, always
798 vld4.32 {$H0#lo,$H1#lo,$H2#lo,$H3#lo},[$inp] @ inp[0:1]
800 vld4.32 {$H0#hi,$H1#hi,$H2#hi,$H3#hi},[$in2] @ inp[2:3] (or 0)
803 addhi $tbl1,$ctx,#(48+1*9*4)
804 addhi $tbl0,$ctx,#(48+3*9*4)
812 vsri.u32 $H4,$H3,#8 @ base 2^32 -> base 2^26
818 vbic.i32 $H3,#0xfc000000
822 vbic.i32 $H2,#0xfc000000
825 vbic.i32 $H0,#0xfc000000
826 vbic.i32 $H1,#0xfc000000
830 vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^2
831 vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^4
832 vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
833 vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
838 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
839 @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
840 @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
841 @ \___________________/
842 @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
843 @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
844 @ \___________________/ \____________________/
846 @ Note that we start with inp[2:3]*r^2. This is because it
847 @ doesn't depend on reduction in previous iteration.
848 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
849 @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
850 @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
851 @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
852 @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
853 @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
855 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
858 vadd.i32 $H2#lo,$H2#lo,$D2#lo @ accumulate inp[0:1]
859 vmull.u32 $D2,$H2#hi,${R0}[1]
860 vadd.i32 $H0#lo,$H0#lo,$D0#lo
861 vmull.u32 $D0,$H0#hi,${R0}[1]
862 vadd.i32 $H3#lo,$H3#lo,$D3#lo
863 vmull.u32 $D3,$H3#hi,${R0}[1]
864 vmlal.u32 $D2,$H1#hi,${R1}[1]
865 vadd.i32 $H1#lo,$H1#lo,$D1#lo
866 vmull.u32 $D1,$H1#hi,${R0}[1]
868 vadd.i32 $H4#lo,$H4#lo,$D4#lo
869 vmull.u32 $D4,$H4#hi,${R0}[1]
871 vmlal.u32 $D0,$H4#hi,${S1}[1]
874 vmlal.u32 $D3,$H2#hi,${R1}[1]
875 vld1.32 ${S4}[1],[$tbl1,:32]
876 vmlal.u32 $D1,$H0#hi,${R1}[1]
877 vmlal.u32 $D4,$H3#hi,${R1}[1]
879 vmlal.u32 $D0,$H3#hi,${S2}[1]
880 vmlal.u32 $D3,$H1#hi,${R2}[1]
881 vmlal.u32 $D4,$H2#hi,${R2}[1]
882 vmlal.u32 $D1,$H4#hi,${S2}[1]
883 vmlal.u32 $D2,$H0#hi,${R2}[1]
885 vmlal.u32 $D3,$H0#hi,${R3}[1]
886 vmlal.u32 $D0,$H2#hi,${S3}[1]
887 vmlal.u32 $D4,$H1#hi,${R3}[1]
888 vmlal.u32 $D1,$H3#hi,${S3}[1]
889 vmlal.u32 $D2,$H4#hi,${S3}[1]
891 vmlal.u32 $D3,$H4#hi,${S4}[1]
892 vmlal.u32 $D0,$H1#hi,${S4}[1]
893 vmlal.u32 $D4,$H0#hi,${R4}[1]
894 vmlal.u32 $D1,$H2#hi,${S4}[1]
895 vmlal.u32 $D2,$H3#hi,${S4}[1]
897 vld4.32 {$H0#hi,$H1#hi,$H2#hi,$H3#hi},[$in2] @ inp[2:3] (or 0)
900 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
901 @ (hash+inp[0:1])*r^4 and accumulate
903 vmlal.u32 $D3,$H3#lo,${R0}[0]
904 vmlal.u32 $D0,$H0#lo,${R0}[0]
905 vmlal.u32 $D4,$H4#lo,${R0}[0]
906 vmlal.u32 $D1,$H1#lo,${R0}[0]
907 vmlal.u32 $D2,$H2#lo,${R0}[0]
908 vld1.32 ${S4}[0],[$tbl0,:32]
910 vmlal.u32 $D3,$H2#lo,${R1}[0]
911 vmlal.u32 $D0,$H4#lo,${S1}[0]
912 vmlal.u32 $D4,$H3#lo,${R1}[0]
913 vmlal.u32 $D1,$H0#lo,${R1}[0]
914 vmlal.u32 $D2,$H1#lo,${R1}[0]
916 vmlal.u32 $D3,$H1#lo,${R2}[0]
917 vmlal.u32 $D0,$H3#lo,${S2}[0]
918 vmlal.u32 $D4,$H2#lo,${R2}[0]
919 vmlal.u32 $D1,$H4#lo,${S2}[0]
920 vmlal.u32 $D2,$H0#lo,${R2}[0]
922 vmlal.u32 $D3,$H0#lo,${R3}[0]
923 vmlal.u32 $D0,$H2#lo,${S3}[0]
924 vmlal.u32 $D4,$H1#lo,${R3}[0]
925 vmlal.u32 $D1,$H3#lo,${S3}[0]
926 vmlal.u32 $D3,$H4#lo,${S4}[0]
928 vmlal.u32 $D2,$H4#lo,${S3}[0]
929 vmlal.u32 $D0,$H1#lo,${S4}[0]
930 vmlal.u32 $D4,$H0#lo,${R4}[0]
931 vmov.i32 $H4,#1<<24 @ padbit, yes, always
932 vmlal.u32 $D1,$H2#lo,${S4}[0]
933 vmlal.u32 $D2,$H3#lo,${S4}[0]
935 vld4.32 {$H0#lo,$H1#lo,$H2#lo,$H3#lo},[$inp] @ inp[0:1]
944 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
945 @ lazy reduction interleaved with base 2^32 -> base 2^26 of
946 @ inp[0:3] previously loaded to $H0-$H3 and smashed to $H0-$H4.
952 vadd.i64 $D4,$D4,$T0 @ h3 -> h4
953 vbic.i32 $D3#lo,#0xfc000000
954 vsri.u32 $H4,$H3,#8 @ base 2^32 -> base 2^26
955 vadd.i64 $D1,$D1,$T1 @ h0 -> h1
957 vbic.i32 $D0#lo,#0xfc000000
959 vshrn.u64 $T0#lo,$D4,#26
963 vadd.i64 $D2,$D2,$T1 @ h1 -> h2
965 vbic.i32 $D4#lo,#0xfc000000
967 vbic.i32 $D1#lo,#0xfc000000
969 vadd.i32 $D0#lo,$D0#lo,$T0#lo
970 vshl.u32 $T0#lo,$T0#lo,#2
971 vbic.i32 $H3,#0xfc000000
972 vshrn.u64 $T1#lo,$D2,#26
974 vaddl.u32 $D0,$D0#lo,$T0#lo @ h4 -> h0 [widen for a sec]
976 vadd.i32 $D3#lo,$D3#lo,$T1#lo @ h2 -> h3
978 vbic.i32 $D2#lo,#0xfc000000
979 vbic.i32 $H2,#0xfc000000
981 vshrn.u64 $T0#lo,$D0,#26 @ re-narrow
984 vbic.i32 $H0,#0xfc000000
985 vshr.u32 $T1#lo,$D3#lo,#26
986 vbic.i32 $D3#lo,#0xfc000000
987 vbic.i32 $D0#lo,#0xfc000000
988 vadd.i32 $D1#lo,$D1#lo,$T0#lo @ h0 -> h1
989 vadd.i32 $D4#lo,$D4#lo,$T1#lo @ h3 -> h4
990 vbic.i32 $H1,#0xfc000000
995 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
996 @ multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
998 add $tbl1,$ctx,#(48+0*9*4)
999 add $tbl0,$ctx,#(48+1*9*4)
1005 vadd.i32 $H2#hi,$H2#lo,$D2#lo @ add hash value and move to #hi
1006 vadd.i32 $H0#hi,$H0#lo,$D0#lo
1007 vadd.i32 $H3#hi,$H3#lo,$D3#lo
1008 vadd.i32 $H1#hi,$H1#lo,$D1#lo
1009 vadd.i32 $H4#hi,$H4#lo,$D4#lo
1012 vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^1
1013 vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^2
1015 vadd.i32 $H2#lo,$H2#lo,$D2#lo @ can be redundant
1016 vmull.u32 $D2,$H2#hi,$R0
1017 vadd.i32 $H0#lo,$H0#lo,$D0#lo
1018 vmull.u32 $D0,$H0#hi,$R0
1019 vadd.i32 $H3#lo,$H3#lo,$D3#lo
1020 vmull.u32 $D3,$H3#hi,$R0
1021 vadd.i32 $H1#lo,$H1#lo,$D1#lo
1022 vmull.u32 $D1,$H1#hi,$R0
1023 vadd.i32 $H4#lo,$H4#lo,$D4#lo
1024 vmull.u32 $D4,$H4#hi,$R0
1026 vmlal.u32 $D0,$H4#hi,$S1
1027 vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
1028 vmlal.u32 $D3,$H2#hi,$R1
1029 vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
1030 vmlal.u32 $D1,$H0#hi,$R1
1031 vmlal.u32 $D4,$H3#hi,$R1
1032 vmlal.u32 $D2,$H1#hi,$R1
1034 vmlal.u32 $D3,$H1#hi,$R2
1035 vld1.32 ${S4}[1],[$tbl1,:32]
1036 vmlal.u32 $D0,$H3#hi,$S2
1037 vld1.32 ${S4}[0],[$tbl0,:32]
1038 vmlal.u32 $D4,$H2#hi,$R2
1039 vmlal.u32 $D1,$H4#hi,$S2
1040 vmlal.u32 $D2,$H0#hi,$R2
1042 vmlal.u32 $D3,$H0#hi,$R3
1044 addne $tbl1,$ctx,#(48+2*9*4)
1045 vmlal.u32 $D0,$H2#hi,$S3
1047 addne $tbl0,$ctx,#(48+3*9*4)
1048 vmlal.u32 $D4,$H1#hi,$R3
1049 vmlal.u32 $D1,$H3#hi,$S3
1050 vmlal.u32 $D2,$H4#hi,$S3
1052 vmlal.u32 $D3,$H4#hi,$S4
1053 vorn $MASK,$MASK,$MASK @ all-ones, can be redundant
1054 vmlal.u32 $D0,$H1#hi,$S4
1055 vshr.u64 $MASK,$MASK,#38
1056 vmlal.u32 $D4,$H0#hi,$R4
1057 vmlal.u32 $D1,$H2#hi,$S4
1058 vmlal.u32 $D2,$H3#hi,$S4
1062 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1063 @ (hash+inp[0:1])*r^4:r^3 and accumulate
1065 vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^3
1066 vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^4
1068 vmlal.u32 $D2,$H2#lo,$R0
1069 vmlal.u32 $D0,$H0#lo,$R0
1070 vmlal.u32 $D3,$H3#lo,$R0
1071 vmlal.u32 $D1,$H1#lo,$R0
1072 vmlal.u32 $D4,$H4#lo,$R0
1074 vmlal.u32 $D0,$H4#lo,$S1
1075 vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
1076 vmlal.u32 $D3,$H2#lo,$R1
1077 vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
1078 vmlal.u32 $D1,$H0#lo,$R1
1079 vmlal.u32 $D4,$H3#lo,$R1
1080 vmlal.u32 $D2,$H1#lo,$R1
1082 vmlal.u32 $D3,$H1#lo,$R2
1083 vld1.32 ${S4}[1],[$tbl1,:32]
1084 vmlal.u32 $D0,$H3#lo,$S2
1085 vld1.32 ${S4}[0],[$tbl0,:32]
1086 vmlal.u32 $D4,$H2#lo,$R2
1087 vmlal.u32 $D1,$H4#lo,$S2
1088 vmlal.u32 $D2,$H0#lo,$R2
1090 vmlal.u32 $D3,$H0#lo,$R3
1091 vmlal.u32 $D0,$H2#lo,$S3
1092 vmlal.u32 $D4,$H1#lo,$R3
1093 vmlal.u32 $D1,$H3#lo,$S3
1094 vmlal.u32 $D2,$H4#lo,$S3
1096 vmlal.u32 $D3,$H4#lo,$S4
1097 vorn $MASK,$MASK,$MASK @ all-ones
1098 vmlal.u32 $D0,$H1#lo,$S4
1099 vshr.u64 $MASK,$MASK,#38
1100 vmlal.u32 $D4,$H0#lo,$R4
1101 vmlal.u32 $D1,$H2#lo,$S4
1102 vmlal.u32 $D2,$H3#lo,$S4
1105 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1106 @ horizontal addition
1108 vadd.i64 $D3#lo,$D3#lo,$D3#hi
1109 vadd.i64 $D0#lo,$D0#lo,$D0#hi
1110 vadd.i64 $D4#lo,$D4#lo,$D4#hi
1111 vadd.i64 $D1#lo,$D1#lo,$D1#hi
1112 vadd.i64 $D2#lo,$D2#lo,$D2#hi
1114 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1115 @ lazy reduction, but without narrowing
1117 vshr.u64 $T0,$D3,#26
1118 vand.i64 $D3,$D3,$MASK
1119 vshr.u64 $T1,$D0,#26
1120 vand.i64 $D0,$D0,$MASK
1121 vadd.i64 $D4,$D4,$T0 @ h3 -> h4
1122 vadd.i64 $D1,$D1,$T1 @ h0 -> h1
1124 vshr.u64 $T0,$D4,#26
1125 vand.i64 $D4,$D4,$MASK
1126 vshr.u64 $T1,$D1,#26
1127 vand.i64 $D1,$D1,$MASK
1128 vadd.i64 $D2,$D2,$T1 @ h1 -> h2
1130 vadd.i64 $D0,$D0,$T0
1132 vshr.u64 $T1,$D2,#26
1133 vand.i64 $D2,$D2,$MASK
1134 vadd.i64 $D0,$D0,$T0 @ h4 -> h0
1135 vadd.i64 $D3,$D3,$T1 @ h2 -> h3
1137 vshr.u64 $T0,$D0,#26
1138 vand.i64 $D0,$D0,$MASK
1139 vshr.u64 $T1,$D3,#26
1140 vand.i64 $D3,$D3,$MASK
1141 vadd.i64 $D1,$D1,$T0 @ h0 -> h1
1142 vadd.i64 $D4,$D4,$T1 @ h3 -> h4
1147 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1150 vst4.32 {$D0#lo[0],$D1#lo[0],$D2#lo[0],$D3#lo[0]},[$ctx]!
1151 vst1.32 {$D4#lo[0]},[$ctx]
1153 vldmia sp!,{d8-d15} @ epilogue
1157 .size poly1305_blocks_neon,.-poly1305_blocks_neon
1159 .type poly1305_emit_neon,%function
1162 .Lpoly1305_emit_neon:
1163 ldr ip,[$ctx,#36] @ is_base2_26
1168 beq .Lpoly1305_emit_enter
1170 ldmia $ctx,{$h0-$h4}
1173 adds $h0,$h0,$h1,lsl#26 @ base 2^26 -> base 2^32
1175 adcs $h1,$h1,$h2,lsl#20
1177 adcs $h2,$h2,$h3,lsl#14
1179 adcs $h3,$h3,$h4,lsl#8
1180 adc $h4,$g0,$h4,lsr#24 @ can be partially reduced ...
1182 and $g0,$h4,#-4 @ ... so reduce
1184 add $g0,$g0,$g0,lsr#2 @ *= 5
1191 adds $g0,$h0,#5 @ compare to modulus
1196 tst $g4,#4 @ did it carry/borrow?
1209 ldr $g3,[$nonce,#12]
1211 adds $h0,$h0,$g0 @ accumulate nonce
1222 str $h0,[$mac,#0] @ store the result
1229 .size poly1305_emit_neon,.-poly1305_emit_neon
1233 .long 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
1235 .word OPENSSL_armcap_P-.Lpoly1305_init
1240 .asciz "Poly1305 for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
1242 #if __ARM_MAX_ARCH__>=7
1243 .comm OPENSSL_armcap_P,4,4
1247 foreach (split("\n",$code)) {
1248 s/\`([^\`]*)\`/eval $1/geo;
1250 s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo or
1251 s/\bret\b/bx lr/go or
1252 s/\bbx\s+lr\b/.word\t0xe12fff1e/go; # make it possible to compile with -march=armv4
1256 close STDOUT or die "error closing STDOUT: $!"; # enforce flush
projects / FreeBSD / FreeBSD.git / blob