Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
OWEALs
/
openssl
-ын хуулбар git://git.openssl.org/openssl.git
2
0
Салаа 0
Файлууд Асуудлууд 1 Мэдлэгийн сан
Мод: 3a561b06d9
Салаанууд Тагууд
openssl
/
crypto
/
sha
/
asm
/
sha256-armv4.pl

sha256-armv4.pl 18 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740 
  1. #! /usr/bin/env perl
    2. 

  2. # Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3. #
    4. 

  4. # Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5. # this file except in compliance with the License.  You can obtain a copy
    6. 

  6. # in the file LICENSE in the source distribution or at
    7. 

  7. # https://www.openssl.org/source/license.html
    8. 

  8. 

  9. 

  10. # ====================================================================
    11. 

  11. # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
    12. 

  12. # project. The module is, however, dual licensed under OpenSSL and
    13. 

  13. # CRYPTOGAMS licenses depending on where you obtain it. For further
    14. 

  14. # details see http://www.openssl.org/~appro/cryptogams/.
    15. 

  15. #
    16. 

  16. # Permission to use under GPL terms is granted.
    17. 

  17. # ====================================================================
    18. 

  18. 

  19. # SHA256 block procedure for ARMv4. May 2007.
    20. 

  20. 

  21. # Performance is ~2x better than gcc 3.4 generated code and in "abso-
    22. 

  22. # lute" terms is ~2250 cycles per 64-byte block or ~35 cycles per
    23. 

  23. # byte [on single-issue Xscale PXA250 core].
    24. 

  24. 

  25. # July 2010.
    26. 

  26. #
    27. 

  27. # Rescheduling for dual-issue pipeline resulted in 22% improvement on
    28. 

  28. # Cortex A8 core and ~20 cycles per processed byte.
    29. 

  29. 

  30. # February 2011.
    31. 

  31. #
    32. 

  32. # Profiler-assisted and platform-specific optimization resulted in 16%
    33. 

  33. # improvement on Cortex A8 core and ~15.4 cycles per processed byte.
    34. 

  34. 

  35. # September 2013.
    36. 

  36. #
    37. 

  37. # Add NEON implementation. On Cortex A8 it was measured to process one
    38. 

  38. # byte in 12.5 cycles or 23% faster than integer-only code. Snapdragon
    39. 

  39. # S4 does it in 12.5 cycles too, but it's 50% faster than integer-only
    40. 

  40. # code (meaning that latter performs sub-optimally, nothing was done
    41. 

  41. # about it).
    42. 

  42. 

  43. # May 2014.
    44. 

  44. #
    45. 

  45. # Add ARMv8 code path performing at 2.0 cpb on Apple A7.
    46. 

  46. 

  47. $flavour = shift;
    48. 

  48. if ($flavour=~/\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
    49. 

  49. else { while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} }
    50. 

  50. 

  51. if ($flavour && $flavour ne "void") {
    52. 

  52.     $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
    53. 

  53.     ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
    54. 

  54.     ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
    55. 

  55.     die "can't locate arm-xlate.pl";
    56. 

  56. 

  57.     open STDOUT,"| \"$^X\" $xlate $flavour $output";
    58. 

  58. } else {
    59. 

  59.     open STDOUT,">$output";
    60. 

  60. }
    61. 

  61. 

  62. $ctx="r0";	$t0="r0";
    63. 

  63. $inp="r1";	$t4="r1";
    64. 

  64. $len="r2";	$t1="r2";
    65. 

  65. $T1="r3";	$t3="r3";
    66. 

  66. $A="r4";
    67. 

  67. $B="r5";
    68. 

  68. $C="r6";
    69. 

  69. $D="r7";
    70. 

  70. $E="r8";
    71. 

  71. $F="r9";
    72. 

  72. $G="r10";
    73. 

  73. $H="r11";
    74. 

  74. @V=($A,$B,$C,$D,$E,$F,$G,$H);
    75. 

  75. $t2="r12";
    76. 

  76. $Ktbl="r14";
    77. 

  77. 

  78. @Sigma0=( 2,13,22);
    79. 

  79. @Sigma1=( 6,11,25);
    80. 

  80. @sigma0=( 7,18, 3);
    81. 

  81. @sigma1=(17,19,10);
    82. 

  82. 

  83. sub BODY_00_15 {
    84. 

  84. my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_;
    85. 

  85. 

  86. $code.=<<___ if ($i<16);
    87. 

  87. #if __ARM_ARCH__>=7
    88. 

  88. 	@ ldr	$t1,[$inp],#4			@ $i
    89. 

  89. # if $i==15
    90. 

  90. 	str	$inp,[sp,#17*4]			@ make room for $t4
    91. 

  91. # endif
    92. 

  92. 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`
    93. 

  93. 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
    94. 

  94. 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
    95. 

  95. # ifndef __ARMEB__
    96. 

  96. 	rev	$t1,$t1
    97. 

  97. # endif
    98. 

  98. #else
    99. 

  99. 	@ ldrb	$t1,[$inp,#3]			@ $i
    100. 

  100. 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
    101. 

  101. 	ldrb	$t2,[$inp,#2]
    102. 

  102. 	ldrb	$t0,[$inp,#1]
    103. 

  103. 	orr	$t1,$t1,$t2,lsl#8
    104. 

  104. 	ldrb	$t2,[$inp],#4
    105. 

  105. 	orr	$t1,$t1,$t0,lsl#16
    106. 

  106. # if $i==15
    107. 

  107. 	str	$inp,[sp,#17*4]			@ make room for $t4
    108. 

  108. # endif
    109. 

  109. 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`
    110. 

  110. 	orr	$t1,$t1,$t2,lsl#24
    111. 

  111. 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
    112. 

  112. #endif
    113. 

  113. ___
    114. 

  114. $code.=<<___;
    115. 

  115. 	ldr	$t2,[$Ktbl],#4			@ *K256++
    116. 

  116. 	add	$h,$h,$t1			@ h+=X[i]
    117. 

  117. 	str	$t1,[sp,#`$i%16`*4]
    118. 

  118. 	eor	$t1,$f,$g
    119. 

  119. 	add	$h,$h,$t0,ror#$Sigma1[0]	@ h+=Sigma1(e)
    120. 

  120. 	and	$t1,$t1,$e
    121. 

  121. 	add	$h,$h,$t2			@ h+=K256[i]
    122. 

  122. 	eor	$t1,$t1,$g			@ Ch(e,f,g)
    123. 

  123. 	eor	$t0,$a,$a,ror#`$Sigma0[1]-$Sigma0[0]`
    124. 

  124. 	add	$h,$h,$t1			@ h+=Ch(e,f,g)
    125. 

  125. #if $i==31
    126. 

  126. 	and	$t2,$t2,#0xff
    127. 

  127. 	cmp	$t2,#0xf2			@ done?
    128. 

  128. #endif
    129. 

  129. #if $i<15
    130. 

  130. # if __ARM_ARCH__>=7
    131. 

  131. 	ldr	$t1,[$inp],#4			@ prefetch
    132. 

  132. # else
    133. 

  133. 	ldrb	$t1,[$inp,#3]
    134. 

  134. # endif
    135. 

  135. 	eor	$t2,$a,$b			@ a^b, b^c in next round
    136. 

  136. #else
    137. 

  137. 	ldr	$t1,[sp,#`($i+2)%16`*4]		@ from future BODY_16_xx
    138. 

  138. 	eor	$t2,$a,$b			@ a^b, b^c in next round
    139. 

  139. 	ldr	$t4,[sp,#`($i+15)%16`*4]	@ from future BODY_16_xx
    140. 

  140. #endif
    141. 

  141. 	eor	$t0,$t0,$a,ror#`$Sigma0[2]-$Sigma0[0]`	@ Sigma0(a)
    142. 

  142. 	and	$t3,$t3,$t2			@ (b^c)&=(a^b)
    143. 

  143. 	add	$d,$d,$h			@ d+=h
    144. 

  144. 	eor	$t3,$t3,$b			@ Maj(a,b,c)
    145. 

  145. 	add	$h,$h,$t0,ror#$Sigma0[0]	@ h+=Sigma0(a)
    146. 

  146. 	@ add	$h,$h,$t3			@ h+=Maj(a,b,c)
    147. 

  147. ___
    148. 

  148. 	($t2,$t3)=($t3,$t2);
    149. 

  149. }
    150. 

  150. 

  151. sub BODY_16_XX {
    152. 

  152. my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_;
    153. 

  153. 

  154. $code.=<<___;
    155. 

  155. 	@ ldr	$t1,[sp,#`($i+1)%16`*4]		@ $i
    156. 

  156. 	@ ldr	$t4,[sp,#`($i+14)%16`*4]
    157. 

  157. 	mov	$t0,$t1,ror#$sigma0[0]
    158. 

  158. 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
    159. 

  159. 	mov	$t2,$t4,ror#$sigma1[0]
    160. 

  160. 	eor	$t0,$t0,$t1,ror#$sigma0[1]
    161. 

  161. 	eor	$t2,$t2,$t4,ror#$sigma1[1]
    162. 

  162. 	eor	$t0,$t0,$t1,lsr#$sigma0[2]	@ sigma0(X[i+1])
    163. 

  163. 	ldr	$t1,[sp,#`($i+0)%16`*4]
    164. 

  164. 	eor	$t2,$t2,$t4,lsr#$sigma1[2]	@ sigma1(X[i+14])
    165. 

  165. 	ldr	$t4,[sp,#`($i+9)%16`*4]
    166. 

  166. 

  167. 	add	$t2,$t2,$t0
    168. 

  168. 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`	@ from BODY_00_15
    169. 

  169. 	add	$t1,$t1,$t2
    170. 

  170. 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
    171. 

  171. 	add	$t1,$t1,$t4			@ X[i]
    172. 

  172. ___
    173. 

  173. 	&BODY_00_15(@_);
    174. 

  174. }
    175. 

  175. 

  176. $code=<<___;
    177. 

  177. #ifndef __KERNEL__
    178. 

  178. # include "arm_arch.h"
    179. 

  179. #else
    180. 

  180. # define __ARM_ARCH__ __LINUX_ARM_ARCH__
    181. 

  181. # define __ARM_MAX_ARCH__ 7
    182. 

  182. #endif
    183. 

  183. 

  184. #if defined(__thumb2__)
    185. 

  185. .syntax unified
    186. 

  186. .thumb
    187. 

  187. #else
    188. 

  188. .code   32
    189. 

  189. #endif
    190. 

  190. 

  191. .text
    192. 

  192. 

  193. .type	K256,%object
    194. 

  194. .align	5
    195. 

  195. K256:
    196. 

  196. .word	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
    197. 

  197. .word	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
    198. 

  198. .word	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
    199. 

  199. .word	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
    200. 

  200. .word	0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc
    201. 

  201. .word	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
    202. 

  202. .word	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
    203. 

  203. .word	0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967
    204. 

  204. .word	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
    205. 

  205. .word	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
    206. 

  206. .word	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
    207. 

  207. .word	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
    208. 

  208. .word	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
    209. 

  209. .word	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
    210. 

  210. .word	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
    211. 

  211. .word	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
    212. 

  212. .size	K256,.-K256
    213. 

  213. .word	0				@ terminator
    214. 

  214. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    215. 

  215. .LOPENSSL_armcap:
    216. 

  216. # ifdef	_WIN32
    217. 

  217. .word	OPENSSL_armcap_P
    218. 

  218. # else
    219. 

  219. .word	OPENSSL_armcap_P-.Lsha256_block_data_order
    220. 

  220. # endif
    221. 

  221. #endif
    222. 

  222. .align	5
    223. 

  223. 

  224. .global	sha256_block_data_order
    225. 

  225. .type	sha256_block_data_order,%function
    226. 

  226. sha256_block_data_order:
    227. 

  227. .Lsha256_block_data_order:
    228. 

  228. #if __ARM_ARCH__<7 && !defined(__thumb2__)
    229. 

  229. 	sub	r3,pc,#8		@ sha256_block_data_order
    230. 

  230. #else
    231. 

  231. 	adr	r3,.Lsha256_block_data_order
    232. 

  232. #endif
    233. 

  233. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    234. 

  234. 	ldr	r12,.LOPENSSL_armcap
    235. 

  235. # if !defined(_WIN32)
    236. 

  236. 	ldr	r12,[r3,r12]		@ OPENSSL_armcap_P
    237. 

  237. # endif
    238. 

  238. # if defined(__APPLE__) || defined(_WIN32)
    239. 

  239. 	ldr	r12,[r12]
    240. 

  240. # endif
    241. 

  241. 	tst	r12,#ARMV8_SHA256
    242. 

  242. 	bne	.LARMv8
    243. 

  243. 	tst	r12,#ARMV7_NEON
    244. 

  244. 	bne	.LNEON
    245. 

  245. #endif
    246. 

  246. 	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
    247. 

  247. 	stmdb	sp!,{$ctx,$inp,$len,r4-r11,lr}
    248. 

  248. 	ldmia	$ctx,{$A,$B,$C,$D,$E,$F,$G,$H}
    249. 

  249. 	sub	$Ktbl,r3,#256+32	@ K256
    250. 

  250. 	sub	sp,sp,#16*4		@ alloca(X[16])
    251. 

  251. .Loop:
    252. 

  252. # if __ARM_ARCH__>=7
    253. 

  253. 	ldr	$t1,[$inp],#4
    254. 

  254. # else
    255. 

  255. 	ldrb	$t1,[$inp,#3]
    256. 

  256. # endif
    257. 

  257. 	eor	$t3,$B,$C		@ magic
    258. 

  258. 	eor	$t2,$t2,$t2
    259. 

  259. ___
    260. 

  260. for($i=0;$i<16;$i++)	{ &BODY_00_15($i,@V); unshift(@V,pop(@V)); }
    261. 

  261. $code.=".Lrounds_16_xx:\n";
    262. 

  262. for (;$i<32;$i++)	{ &BODY_16_XX($i,@V); unshift(@V,pop(@V)); }
    263. 

  263. $code.=<<___;
    264. 

  264. #ifdef	__thumb2__
    265. 

  265. 	ite	eq			@ Thumb2 thing, sanity check in ARM
    266. 

  266. #endif
    267. 

  267. 	ldreq	$t3,[sp,#16*4]		@ pull ctx
    268. 

  268. 	bne	.Lrounds_16_xx
    269. 

  269. 

  270. 	add	$A,$A,$t2		@ h+=Maj(a,b,c) from the past
    271. 

  271. 	ldr	$t0,[$t3,#0]
    272. 

  272. 	ldr	$t1,[$t3,#4]
    273. 

  273. 	ldr	$t2,[$t3,#8]
    274. 

  274. 	add	$A,$A,$t0
    275. 

  275. 	ldr	$t0,[$t3,#12]
    276. 

  276. 	add	$B,$B,$t1
    277. 

  277. 	ldr	$t1,[$t3,#16]
    278. 

  278. 	add	$C,$C,$t2
    279. 

  279. 	ldr	$t2,[$t3,#20]
    280. 

  280. 	add	$D,$D,$t0
    281. 

  281. 	ldr	$t0,[$t3,#24]
    282. 

  282. 	add	$E,$E,$t1
    283. 

  283. 	ldr	$t1,[$t3,#28]
    284. 

  284. 	add	$F,$F,$t2
    285. 

  285. 	ldr	$inp,[sp,#17*4]		@ pull inp
    286. 

  286. 	ldr	$t2,[sp,#18*4]		@ pull inp+len
    287. 

  287. 	add	$G,$G,$t0
    288. 

  288. 	add	$H,$H,$t1
    289. 

  289. 	stmia	$t3,{$A,$B,$C,$D,$E,$F,$G,$H}
    290. 

  290. 	cmp	$inp,$t2
    291. 

  291. 	sub	$Ktbl,$Ktbl,#256	@ rewind Ktbl
    292. 

  292. 	bne	.Loop
    293. 

  293. 

  294. 	add	sp,sp,#`16+3`*4	@ destroy frame
    295. 

  295. #if __ARM_ARCH__>=5
    296. 

  296. 	ldmia	sp!,{r4-r11,pc}
    297. 

  297. #else
    298. 

  298. 	ldmia	sp!,{r4-r11,lr}
    299. 

  299. 	tst	lr,#1
    300. 

  300. 	moveq	pc,lr			@ be binary compatible with V4, yet
    301. 

  301. 	bx	lr			@ interoperable with Thumb ISA:-)
    302. 

  302. #endif
    303. 

  303. .size	sha256_block_data_order,.-sha256_block_data_order
    304. 

  304. ___
    305. 

  305. ######################################################################
    306. 

  306. # NEON stuff
    307. 

  307. #
    308. 

  308. {{{
    309. 

  309. my @X=map("q$_",(0..3));
    310. 

  310. my ($T0,$T1,$T2,$T3,$T4,$T5)=("q8","q9","q10","q11","d24","d25");
    311. 

  311. my $Xfer=$t4;
    312. 

  312. my $j=0;
    313. 

  313. 

  314. sub Dlo()   { shift=~m|q([1]?[0-9])|?"d".($1*2):"";     }
    315. 

  315. sub Dhi()   { shift=~m|q([1]?[0-9])|?"d".($1*2+1):"";   }
    316. 

  316. 

  317. sub AUTOLOAD()          # thunk [simplified] x86-style perlasm
    318. 

  318. { my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./;
    319. 

  319.   my $arg = pop;
    320. 

  320.     $arg = "#$arg" if ($arg*1 eq $arg);
    321. 

  321.     $code .= "\t$opcode\t".join(',',@_,$arg)."\n";
    322. 

  322. }
    323. 

  323. 

  324. sub Xupdate()
    325. 

  325. { use integer;
    326. 

  326.   my $body = shift;
    327. 

  327.   my @insns = (&$body,&$body,&$body,&$body);
    328. 

  328.   my ($a,$b,$c,$d,$e,$f,$g,$h);
    329. 

  329. 

  330. 	&vext_8		($T0,@X[0],@X[1],4);	# X[1..4]
    331. 

  331. 	 eval(shift(@insns));
    332. 

  332. 	 eval(shift(@insns));
    333. 

  333. 	 eval(shift(@insns));
    334. 

  334. 	&vext_8		($T1,@X[2],@X[3],4);	# X[9..12]
    335. 

  335. 	 eval(shift(@insns));
    336. 

  336. 	 eval(shift(@insns));
    337. 

  337. 	 eval(shift(@insns));
    338. 

  338. 	&vshr_u32	($T2,$T0,$sigma0[0]);
    339. 

  339. 	 eval(shift(@insns));
    340. 

  340. 	 eval(shift(@insns));
    341. 

  341. 	&vadd_i32	(@X[0],@X[0],$T1);	# X[0..3] += X[9..12]
    342. 

  342. 	 eval(shift(@insns));
    343. 

  343. 	 eval(shift(@insns));
    344. 

  344. 	&vshr_u32	($T1,$T0,$sigma0[2]);
    345. 

  345. 	 eval(shift(@insns));
    346. 

  346. 	 eval(shift(@insns));
    347. 

  347. 	&vsli_32	($T2,$T0,32-$sigma0[0]);
    348. 

  348. 	 eval(shift(@insns));
    349. 

  349. 	 eval(shift(@insns));
    350. 

  350. 	&vshr_u32	($T3,$T0,$sigma0[1]);
    351. 

  351. 	 eval(shift(@insns));
    352. 

  352. 	 eval(shift(@insns));
    353. 

  353. 	&veor		($T1,$T1,$T2);
    354. 

  354. 	 eval(shift(@insns));
    355. 

  355. 	 eval(shift(@insns));
    356. 

  356. 	&vsli_32	($T3,$T0,32-$sigma0[1]);
    357. 

  357. 	 eval(shift(@insns));
    358. 

  358. 	 eval(shift(@insns));
    359. 

  359. 	  &vshr_u32	($T4,&Dhi(@X[3]),$sigma1[0]);
    360. 

  360. 	 eval(shift(@insns));
    361. 

  361. 	 eval(shift(@insns));
    362. 

  362. 	&veor		($T1,$T1,$T3);		# sigma0(X[1..4])
    363. 

  363. 	 eval(shift(@insns));
    364. 

  364. 	 eval(shift(@insns));
    365. 

  365. 	  &vsli_32	($T4,&Dhi(@X[3]),32-$sigma1[0]);
    366. 

  366. 	 eval(shift(@insns));
    367. 

  367. 	 eval(shift(@insns));
    368. 

  368. 	  &vshr_u32	($T5,&Dhi(@X[3]),$sigma1[2]);
    369. 

  369. 	 eval(shift(@insns));
    370. 

  370. 	 eval(shift(@insns));
    371. 

  371. 	&vadd_i32	(@X[0],@X[0],$T1);	# X[0..3] += sigma0(X[1..4])
    372. 

  372. 	 eval(shift(@insns));
    373. 

  373. 	 eval(shift(@insns));
    374. 

  374. 	  &veor		($T5,$T5,$T4);
    375. 

  375. 	 eval(shift(@insns));
    376. 

  376. 	 eval(shift(@insns));
    377. 

  377. 	  &vshr_u32	($T4,&Dhi(@X[3]),$sigma1[1]);
    378. 

  378. 	 eval(shift(@insns));
    379. 

  379. 	 eval(shift(@insns));
    380. 

  380. 	  &vsli_32	($T4,&Dhi(@X[3]),32-$sigma1[1]);
    381. 

  381. 	 eval(shift(@insns));
    382. 

  382. 	 eval(shift(@insns));
    383. 

  383. 	  &veor		($T5,$T5,$T4);		# sigma1(X[14..15])
    384. 

  384. 	 eval(shift(@insns));
    385. 

  385. 	 eval(shift(@insns));
    386. 

  386. 	&vadd_i32	(&Dlo(@X[0]),&Dlo(@X[0]),$T5);# X[0..1] += sigma1(X[14..15])
    387. 

  387. 	 eval(shift(@insns));
    388. 

  388. 	 eval(shift(@insns));
    389. 

  389. 	  &vshr_u32	($T4,&Dlo(@X[0]),$sigma1[0]);
    390. 

  390. 	 eval(shift(@insns));
    391. 

  391. 	 eval(shift(@insns));
    392. 

  392. 	  &vsli_32	($T4,&Dlo(@X[0]),32-$sigma1[0]);
    393. 

  393. 	 eval(shift(@insns));
    394. 

  394. 	 eval(shift(@insns));
    395. 

  395. 	  &vshr_u32	($T5,&Dlo(@X[0]),$sigma1[2]);
    396. 

  396. 	 eval(shift(@insns));
    397. 

  397. 	 eval(shift(@insns));
    398. 

  398. 	  &veor		($T5,$T5,$T4);
    399. 

  399. 	 eval(shift(@insns));
    400. 

  400. 	 eval(shift(@insns));
    401. 

  401. 	  &vshr_u32	($T4,&Dlo(@X[0]),$sigma1[1]);
    402. 

  402. 	 eval(shift(@insns));
    403. 

  403. 	 eval(shift(@insns));
    404. 

  404. 	&vld1_32	("{$T0}","[$Ktbl,:128]!");
    405. 

  405. 	 eval(shift(@insns));
    406. 

  406. 	 eval(shift(@insns));
    407. 

  407. 	  &vsli_32	($T4,&Dlo(@X[0]),32-$sigma1[1]);
    408. 

  408. 	 eval(shift(@insns));
    409. 

  409. 	 eval(shift(@insns));
    410. 

  410. 	  &veor		($T5,$T5,$T4);		# sigma1(X[16..17])
    411. 

  411. 	 eval(shift(@insns));
    412. 

  412. 	 eval(shift(@insns));
    413. 

  413. 	&vadd_i32	(&Dhi(@X[0]),&Dhi(@X[0]),$T5);# X[2..3] += sigma1(X[16..17])
    414. 

  414. 	 eval(shift(@insns));
    415. 

  415. 	 eval(shift(@insns));
    416. 

  416. 	&vadd_i32	($T0,$T0,@X[0]);
    417. 

  417. 	 while($#insns>=2) { eval(shift(@insns)); }
    418. 

  418. 	&vst1_32	("{$T0}","[$Xfer,:128]!");
    419. 

  419. 	 eval(shift(@insns));
    420. 

  420. 	 eval(shift(@insns));
    421. 

  421. 

  422. 	push(@X,shift(@X));		# "rotate" X[]
    423. 

  423. }
    424. 

  424. 

  425. sub Xpreload()
    426. 

  426. { use integer;
    427. 

  427.   my $body = shift;
    428. 

  428.   my @insns = (&$body,&$body,&$body,&$body);
    429. 

  429.   my ($a,$b,$c,$d,$e,$f,$g,$h);
    430. 

  430. 

  431. 	 eval(shift(@insns));
    432. 

  432. 	 eval(shift(@insns));
    433. 

  433. 	 eval(shift(@insns));
    434. 

  434. 	 eval(shift(@insns));
    435. 

  435. 	&vld1_32	("{$T0}","[$Ktbl,:128]!");
    436. 

  436. 	 eval(shift(@insns));
    437. 

  437. 	 eval(shift(@insns));
    438. 

  438. 	 eval(shift(@insns));
    439. 

  439. 	 eval(shift(@insns));
    440. 

  440. 	&vrev32_8	(@X[0],@X[0]);
    441. 

  441. 	 eval(shift(@insns));
    442. 

  442. 	 eval(shift(@insns));
    443. 

  443. 	 eval(shift(@insns));
    444. 

  444. 	 eval(shift(@insns));
    445. 

  445. 	&vadd_i32	($T0,$T0,@X[0]);
    446. 

  446. 	 foreach (@insns) { eval; }	# remaining instructions
    447. 

  447. 	&vst1_32	("{$T0}","[$Xfer,:128]!");
    448. 

  448. 

  449. 	push(@X,shift(@X));		# "rotate" X[]
    450. 

  450. }
    451. 

  451. 

  452. sub body_00_15 () {
    453. 

  453. 	(
    454. 

  454. 	'($a,$b,$c,$d,$e,$f,$g,$h)=@V;'.
    455. 

  455. 	'&add	($h,$h,$t1)',			# h+=X[i]+K[i]
    456. 

  456. 	'&eor	($t1,$f,$g)',
    457. 

  457. 	'&eor	($t0,$e,$e,"ror#".($Sigma1[1]-$Sigma1[0]))',
    458. 

  458. 	'&add	($a,$a,$t2)',			# h+=Maj(a,b,c) from the past
    459. 

  459. 	'&and	($t1,$t1,$e)',
    460. 

  460. 	'&eor	($t2,$t0,$e,"ror#".($Sigma1[2]-$Sigma1[0]))',	# Sigma1(e)
    461. 

  461. 	'&eor	($t0,$a,$a,"ror#".($Sigma0[1]-$Sigma0[0]))',
    462. 

  462. 	'&eor	($t1,$t1,$g)',			# Ch(e,f,g)
    463. 

  463. 	'&add	($h,$h,$t2,"ror#$Sigma1[0]")',	# h+=Sigma1(e)
    464. 

  464. 	'&eor	($t2,$a,$b)',			# a^b, b^c in next round
    465. 

  465. 	'&eor	($t0,$t0,$a,"ror#".($Sigma0[2]-$Sigma0[0]))',	# Sigma0(a)
    466. 

  466. 	'&add	($h,$h,$t1)',			# h+=Ch(e,f,g)
    467. 

  467. 	'&ldr	($t1,sprintf "[sp,#%d]",4*(($j+1)&15))	if (($j&15)!=15);'.
    468. 

  468. 	'&ldr	($t1,"[$Ktbl]")				if ($j==15);'.
    469. 

  469. 	'&ldr	($t1,"[sp,#64]")			if ($j==31)',
    470. 

  470. 	'&and	($t3,$t3,$t2)',			# (b^c)&=(a^b)
    471. 

  471. 	'&add	($d,$d,$h)',			# d+=h
    472. 

  472. 	'&add	($h,$h,$t0,"ror#$Sigma0[0]");'.	# h+=Sigma0(a)
    473. 

  473. 	'&eor	($t3,$t3,$b)',			# Maj(a,b,c)
    474. 

  474. 	'$j++;	unshift(@V,pop(@V)); ($t2,$t3)=($t3,$t2);'
    475. 

  475. 	)
    476. 

  476. }
    477. 

  477. 

  478. $code.=<<___;
    479. 

  479. #if __ARM_MAX_ARCH__>=7
    480. 

  480. .arch	armv7-a
    481. 

  481. .fpu	neon
    482. 

  482. 

  483. .global	sha256_block_data_order_neon
    484. 

  484. .type	sha256_block_data_order_neon,%function
    485. 

  485. .align	5
    486. 

  486. .skip	16
    487. 

  487. sha256_block_data_order_neon:
    488. 

  488. .LNEON:
    489. 

  489. 	stmdb	sp!,{r4-r12,lr}
    490. 

  490. 

  491. 	sub	$H,sp,#16*4+16
    492. 

  492. 	adr	$Ktbl,K256
    493. 

  493. 	bic	$H,$H,#15		@ align for 128-bit stores
    494. 

  494. 	mov	$t2,sp
    495. 

  495. 	mov	sp,$H			@ alloca
    496. 

  496. 	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
    497. 

  497. 

  498. 	vld1.8		{@X[0]},[$inp]!
    499. 

  499. 	vld1.8		{@X[1]},[$inp]!
    500. 

  500. 	vld1.8		{@X[2]},[$inp]!
    501. 

  501. 	vld1.8		{@X[3]},[$inp]!
    502. 

  502. 	vld1.32		{$T0},[$Ktbl,:128]!
    503. 

  503. 	vld1.32		{$T1},[$Ktbl,:128]!
    504. 

  504. 	vld1.32		{$T2},[$Ktbl,:128]!
    505. 

  505. 	vld1.32		{$T3},[$Ktbl,:128]!
    506. 

  506. 	vrev32.8	@X[0],@X[0]		@ yes, even on
    507. 

  507. 	str		$ctx,[sp,#64]
    508. 

  508. 	vrev32.8	@X[1],@X[1]		@ big-endian
    509. 

  509. 	str		$inp,[sp,#68]
    510. 

  510. 	mov		$Xfer,sp
    511. 

  511. 	vrev32.8	@X[2],@X[2]
    512. 

  512. 	str		$len,[sp,#72]
    513. 

  513. 	vrev32.8	@X[3],@X[3]
    514. 

  514. 	str		$t2,[sp,#76]		@ save original sp
    515. 

  515. 	vadd.i32	$T0,$T0,@X[0]
    516. 

  516. 	vadd.i32	$T1,$T1,@X[1]
    517. 

  517. 	vst1.32		{$T0},[$Xfer,:128]!
    518. 

  518. 	vadd.i32	$T2,$T2,@X[2]
    519. 

  519. 	vst1.32		{$T1},[$Xfer,:128]!
    520. 

  520. 	vadd.i32	$T3,$T3,@X[3]
    521. 

  521. 	vst1.32		{$T2},[$Xfer,:128]!
    522. 

  522. 	vst1.32		{$T3},[$Xfer,:128]!
    523. 

  523. 

  524. 	ldmia		$ctx,{$A-$H}
    525. 

  525. 	sub		$Xfer,$Xfer,#64
    526. 

  526. 	ldr		$t1,[sp,#0]
    527. 

  527. 	eor		$t2,$t2,$t2
    528. 

  528. 	eor		$t3,$B,$C
    529. 

  529. 	b		.L_00_48
    530. 

  530. 

  531. .align	4
    532. 

  532. .L_00_48:
    533. 

  533. ___
    534. 

  534. 	&Xupdate(\&body_00_15);
    535. 

  535. 	&Xupdate(\&body_00_15);
    536. 

  536. 	&Xupdate(\&body_00_15);
    537. 

  537. 	&Xupdate(\&body_00_15);
    538. 

  538. $code.=<<___;
    539. 

  539. 	teq	$t1,#0				@ check for K256 terminator
    540. 

  540. 	ldr	$t1,[sp,#0]
    541. 

  541. 	sub	$Xfer,$Xfer,#64
    542. 

  542. 	bne	.L_00_48
    543. 

  543. 

  544. 	ldr		$inp,[sp,#68]
    545. 

  545. 	ldr		$t0,[sp,#72]
    546. 

  546. 	sub		$Ktbl,$Ktbl,#256	@ rewind $Ktbl
    547. 

  547. 	teq		$inp,$t0
    548. 

  548. 	it		eq
    549. 

  549. 	subeq		$inp,$inp,#64		@ avoid SEGV
    550. 

  550. 	vld1.8		{@X[0]},[$inp]!		@ load next input block
    551. 

  551. 	vld1.8		{@X[1]},[$inp]!
    552. 

  552. 	vld1.8		{@X[2]},[$inp]!
    553. 

  553. 	vld1.8		{@X[3]},[$inp]!
    554. 

  554. 	it		ne
    555. 

  555. 	strne		$inp,[sp,#68]
    556. 

  556. 	mov		$Xfer,sp
    557. 

  557. ___
    558. 

  558. 	&Xpreload(\&body_00_15);
    559. 

  559. 	&Xpreload(\&body_00_15);
    560. 

  560. 	&Xpreload(\&body_00_15);
    561. 

  561. 	&Xpreload(\&body_00_15);
    562. 

  562. $code.=<<___;
    563. 

  563. 	ldr	$t0,[$t1,#0]
    564. 

  564. 	add	$A,$A,$t2			@ h+=Maj(a,b,c) from the past
    565. 

  565. 	ldr	$t2,[$t1,#4]
    566. 

  566. 	ldr	$t3,[$t1,#8]
    567. 

  567. 	ldr	$t4,[$t1,#12]
    568. 

  568. 	add	$A,$A,$t0			@ accumulate
    569. 

  569. 	ldr	$t0,[$t1,#16]
    570. 

  570. 	add	$B,$B,$t2
    571. 

  571. 	ldr	$t2,[$t1,#20]
    572. 

  572. 	add	$C,$C,$t3
    573. 

  573. 	ldr	$t3,[$t1,#24]
    574. 

  574. 	add	$D,$D,$t4
    575. 

  575. 	ldr	$t4,[$t1,#28]
    576. 

  576. 	add	$E,$E,$t0
    577. 

  577. 	str	$A,[$t1],#4
    578. 

  578. 	add	$F,$F,$t2
    579. 

  579. 	str	$B,[$t1],#4
    580. 

  580. 	add	$G,$G,$t3
    581. 

  581. 	str	$C,[$t1],#4
    582. 

  582. 	add	$H,$H,$t4
    583. 

  583. 	str	$D,[$t1],#4
    584. 

  584. 	stmia	$t1,{$E-$H}
    585. 

  585. 

  586. 	ittte	ne
    587. 

  587. 	movne	$Xfer,sp
    588. 

  588. 	ldrne	$t1,[sp,#0]
    589. 

  589. 	eorne	$t2,$t2,$t2
    590. 

  590. 	ldreq	sp,[sp,#76]			@ restore original sp
    591. 

  591. 	itt	ne
    592. 

  592. 	eorne	$t3,$B,$C
    593. 

  593. 	bne	.L_00_48
    594. 

  594. 

  595. 	ldmia	sp!,{r4-r12,pc}
    596. 

  596. .size	sha256_block_data_order_neon,.-sha256_block_data_order_neon
    597. 

  597. #endif
    598. 

  598. ___
    599. 

  599. }}}
    600. 

  600. ######################################################################
    601. 

  601. # ARMv8 stuff
    602. 

  602. #
    603. 

  603. {{{
    604. 

  604. my ($ABCD,$EFGH,$abcd)=map("q$_",(0..2));
    605. 

  605. my @MSG=map("q$_",(8..11));
    606. 

  606. my ($W0,$W1,$ABCD_SAVE,$EFGH_SAVE)=map("q$_",(12..15));
    607. 

  607. my $Ktbl="r3";
    608. 

  608. my $_byte = ($flavour =~ /win/ ? "DCB" : ".byte");
    609. 

  609. 

  610. $code.=<<___;
    611. 

  611. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    612. 

  612. 

  613. # if defined(__thumb2__)
    614. 

  614. #  define INST(a,b,c,d)	$_byte	c,d|0xc,a,b
    615. 

  615. # else
    616. 

  616. #  define INST(a,b,c,d)	$_byte	a,b,c,d
    617. 

  617. # endif
    618. 

  618. 

  619. .type	sha256_block_data_order_armv8,%function
    620. 

  620. .align	5
    621. 

  621. sha256_block_data_order_armv8:
    622. 

  622. .LARMv8:
    623. 

  623. 	vld1.32	{$ABCD,$EFGH},[$ctx]
    624. 

  624. 	sub	$Ktbl,$Ktbl,#256+32
    625. 

  625. 	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
    626. 

  626. 	b	.Loop_v8
    627. 

  627. 

  628. .align	4
    629. 

  629. .Loop_v8:
    630. 

  630. 	vld1.8		{@MSG[0]-@MSG[1]},[$inp]!
    631. 

  631. 	vld1.8		{@MSG[2]-@MSG[3]},[$inp]!
    632. 

  632. 	vld1.32		{$W0},[$Ktbl]!
    633. 

  633. 	vrev32.8	@MSG[0],@MSG[0]
    634. 

  634. 	vrev32.8	@MSG[1],@MSG[1]
    635. 

  635. 	vrev32.8	@MSG[2],@MSG[2]
    636. 

  636. 	vrev32.8	@MSG[3],@MSG[3]
    637. 

  637. 	vmov		$ABCD_SAVE,$ABCD	@ offload
    638. 

  638. 	vmov		$EFGH_SAVE,$EFGH
    639. 

  639. 	teq		$inp,$len
    640. 

  640. ___
    641. 

  641. for($i=0;$i<12;$i++) {
    642. 

  642. $code.=<<___;
    643. 

  643. 	vld1.32		{$W1},[$Ktbl]!
    644. 

  644. 	vadd.i32	$W0,$W0,@MSG[0]
    645. 

  645. 	sha256su0	@MSG[0],@MSG[1]
    646. 

  646. 	vmov		$abcd,$ABCD
    647. 

  647. 	sha256h		$ABCD,$EFGH,$W0
    648. 

  648. 	sha256h2	$EFGH,$abcd,$W0
    649. 

  649. 	sha256su1	@MSG[0],@MSG[2],@MSG[3]
    650. 

  650. ___
    651. 

  651. 	($W0,$W1)=($W1,$W0);	push(@MSG,shift(@MSG));
    652. 

  652. }
    653. 

  653. $code.=<<___;
    654. 

  654. 	vld1.32		{$W1},[$Ktbl]!
    655. 

  655. 	vadd.i32	$W0,$W0,@MSG[0]
    656. 

  656. 	vmov		$abcd,$ABCD
    657. 

  657. 	sha256h		$ABCD,$EFGH,$W0
    658. 

  658. 	sha256h2	$EFGH,$abcd,$W0
    659. 

  659. 

  660. 	vld1.32		{$W0},[$Ktbl]!
    661. 

  661. 	vadd.i32	$W1,$W1,@MSG[1]
    662. 

  662. 	vmov		$abcd,$ABCD
    663. 

  663. 	sha256h		$ABCD,$EFGH,$W1
    664. 

  664. 	sha256h2	$EFGH,$abcd,$W1
    665. 

  665. 

  666. 	vld1.32		{$W1},[$Ktbl]
    667. 

  667. 	vadd.i32	$W0,$W0,@MSG[2]
    668. 

  668. 	sub		$Ktbl,$Ktbl,#256-16	@ rewind
    669. 

  669. 	vmov		$abcd,$ABCD
    670. 

  670. 	sha256h		$ABCD,$EFGH,$W0
    671. 

  671. 	sha256h2	$EFGH,$abcd,$W0
    672. 

  672. 

  673. 	vadd.i32	$W1,$W1,@MSG[3]
    674. 

  674. 	vmov		$abcd,$ABCD
    675. 

  675. 	sha256h		$ABCD,$EFGH,$W1
    676. 

  676. 	sha256h2	$EFGH,$abcd,$W1
    677. 

  677. 

  678. 	vadd.i32	$ABCD,$ABCD,$ABCD_SAVE
    679. 

  679. 	vadd.i32	$EFGH,$EFGH,$EFGH_SAVE
    680. 

  680. 	it		ne
    681. 

  681. 	bne		.Loop_v8
    682. 

  682. 

  683. 	vst1.32		{$ABCD,$EFGH},[$ctx]
    684. 

  684. 

  685. 	ret		@ bx lr
    686. 

  686. .size	sha256_block_data_order_armv8,.-sha256_block_data_order_armv8
    687. 

  687. #endif
    688. 

  688. ___
    689. 

  689. }}}
    690. 

  690. $code.=<<___;
    691. 

  691. .asciz  "SHA256 block transform for ARMv4/NEON/ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
    692. 

  692. .align	2
    693. 

  693. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    694. 

  694. .comm   OPENSSL_armcap_P,4,4
    695. 

  695. #endif
    696. 

  696. ___
    697. 

  697. 

  698. open SELF,$0;
    699. 

  699. while(<SELF>) {
    700. 

  700. 	next if (/^#!/);
    701. 

  701. 	last if (!s/^#/@/ and !/^$/);
    702. 

  702. 	print;
    703. 

  703. }
    704. 

  704. close SELF;
    705. 

  705. 

  706. {   my  %opcode = (
    707. 

  707. 	"sha256h"	=> 0xf3000c40,	"sha256h2"	=> 0xf3100c40,
    708. 

  708. 	"sha256su0"	=> 0xf3ba03c0,	"sha256su1"	=> 0xf3200c40	);
    709. 

  709. 

  710.     sub unsha256 {
    711. 

  711. 	my ($mnemonic,$arg)=@_;
    712. 

  712. 

  713. 	if ($arg =~ m/q([0-9]+)(?:,\s*q([0-9]+))?,\s*q([0-9]+)/o) {
    714. 

  714. 	    my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
    715. 

  715. 					 |(($2&7)<<17)|(($2&8)<<4)
    716. 

  716. 					 |(($3&7)<<1) |(($3&8)<<2);
    717. 

  717. 	    # since ARMv7 instructions are always encoded little-endian.
    718. 

  718. 	    # correct solution is to use .inst directive, but older
    719. 

  719. 	    # assemblers don't implement it:-(
    720. 

  720. 	    sprintf "INST(0x%02x,0x%02x,0x%02x,0x%02x)\t@ %s %s",
    721. 

  721. 			$word&0xff,($word>>8)&0xff,
    722. 

  722. 			($word>>16)&0xff,($word>>24)&0xff,
    723. 

  723. 			$mnemonic,$arg;
    724. 

  724. 	}
    725. 

  725.     }
    726. 

  726. }
    727. 

  727. 

  728. foreach (split($/,$code)) {
    729. 

  729. 

  730. 	s/\`([^\`]*)\`/eval $1/geo;
    731. 

  731. 

  732. 	s/\b(sha256\w+)\s+(q.*)/unsha256($1,$2)/geo;
    733. 

  733. 

  734. 	s/\bret\b/bx	lr/go		or
    735. 

  735. 	s/\bbx\s+lr\b/.word\t0xe12fff1e/go;	# make it possible to compile with -march=armv4
    736. 

  736. 

  737. 	print $_,"\n";
    738. 

  738. }
    739. 

  739. 

  740. close STDOUT; # enforce flush
    741.