Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: 506cb0f632
Branches Tags
openssl
/
crypto
/
sha
/
asm
/
sha256-armv4.pl

sha256-armv4.pl 19 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742 
  1. #! /usr/bin/env perl
    2. 

  2. # Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3. #
    4. 

  4. # Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5. # this file except in compliance with the License.  You can obtain a copy
    6. 

  6. # in the file LICENSE in the source distribution or at
    7. 

  7. # https://www.openssl.org/source/license.html
    8. 

  8. 

  9. 

  10. # ====================================================================
    11. 

  11. # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
    12. 

  12. # project. The module is, however, dual licensed under OpenSSL and
    13. 

  13. # CRYPTOGAMS licenses depending on where you obtain it. For further
    14. 

  14. # details see http://www.openssl.org/~appro/cryptogams/.
    15. 

  15. #
    16. 

  16. # Permission to use under GPL terms is granted.
    17. 

  17. # ====================================================================
    18. 

  18. 

  19. # SHA256 block procedure for ARMv4. May 2007.
    20. 

  20. 

  21. # Performance is ~2x better than gcc 3.4 generated code and in "abso-
    22. 

  22. # lute" terms is ~2250 cycles per 64-byte block or ~35 cycles per
    23. 

  23. # byte [on single-issue Xscale PXA250 core].
    24. 

  24. 

  25. # July 2010.
    26. 

  26. #
    27. 

  27. # Rescheduling for dual-issue pipeline resulted in 22% improvement on
    28. 

  28. # Cortex A8 core and ~20 cycles per processed byte.
    29. 

  29. 

  30. # February 2011.
    31. 

  31. #
    32. 

  32. # Profiler-assisted and platform-specific optimization resulted in 16%
    33. 

  33. # improvement on Cortex A8 core and ~15.4 cycles per processed byte.
    34. 

  34. 

  35. # September 2013.
    36. 

  36. #
    37. 

  37. # Add NEON implementation. On Cortex A8 it was measured to process one
    38. 

  38. # byte in 12.5 cycles or 23% faster than integer-only code. Snapdragon
    39. 

  39. # S4 does it in 12.5 cycles too, but it's 50% faster than integer-only
    40. 

  40. # code (meaning that latter performs sub-optimally, nothing was done
    41. 

  41. # about it).
    42. 

  42. 

  43. # May 2014.
    44. 

  44. #
    45. 

  45. # Add ARMv8 code path performing at 2.0 cpb on Apple A7.
    46. 

  46. 

  47. # $output is the last argument if it looks like a file (it has an extension)
    48. 

  48. # $flavour is the first argument if it doesn't look like a file
    49. 

  49. $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
    50. 

  50. $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
    51. 

  51. 

  52. if ($flavour && $flavour ne "void") {
    53. 

  53.     $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
    54. 

  54.     ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
    55. 

  55.     ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
    56. 

  56.     die "can't locate arm-xlate.pl";
    57. 

  57. 

  58.     open STDOUT,"| \"$^X\" $xlate $flavour \"$output\""
    59. 

  59.         or die "can't call $xlate: $!";
    60. 

  60. } else {
    61. 

  61.     $output and open STDOUT,">$output";
    62. 

  62. }
    63. 

  63. 

  64. $ctx="r0";	$t0="r0";
    65. 

  65. $inp="r1";	$t4="r1";
    66. 

  66. $len="r2";	$t1="r2";
    67. 

  67. $T1="r3";	$t3="r3";
    68. 

  68. $A="r4";
    69. 

  69. $B="r5";
    70. 

  70. $C="r6";
    71. 

  71. $D="r7";
    72. 

  72. $E="r8";
    73. 

  73. $F="r9";
    74. 

  74. $G="r10";
    75. 

  75. $H="r11";
    76. 

  76. @V=($A,$B,$C,$D,$E,$F,$G,$H);
    77. 

  77. $t2="r12";
    78. 

  78. $Ktbl="r14";
    79. 

  79. 

  80. @Sigma0=( 2,13,22);
    81. 

  81. @Sigma1=( 6,11,25);
    82. 

  82. @sigma0=( 7,18, 3);
    83. 

  83. @sigma1=(17,19,10);
    84. 

  84. 

  85. sub BODY_00_15 {
    86. 

  86. my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_;
    87. 

  87. 

  88. $code.=<<___ if ($i<16);
    89. 

  89. #if __ARM_ARCH__>=7
    90. 

  90. 	@ ldr	$t1,[$inp],#4			@ $i
    91. 

  91. # if $i==15
    92. 

  92. 	str	$inp,[sp,#17*4]			@ make room for $t4
    93. 

  93. # endif
    94. 

  94. 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`
    95. 

  95. 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
    96. 

  96. 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
    97. 

  97. # ifndef __ARMEB__
    98. 

  98. 	rev	$t1,$t1
    99. 

  99. # endif
    100. 

  100. #else
    101. 

  101. 	@ ldrb	$t1,[$inp,#3]			@ $i
    102. 

  102. 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
    103. 

  103. 	ldrb	$t2,[$inp,#2]
    104. 

  104. 	ldrb	$t0,[$inp,#1]
    105. 

  105. 	orr	$t1,$t1,$t2,lsl#8
    106. 

  106. 	ldrb	$t2,[$inp],#4
    107. 

  107. 	orr	$t1,$t1,$t0,lsl#16
    108. 

  108. # if $i==15
    109. 

  109. 	str	$inp,[sp,#17*4]			@ make room for $t4
    110. 

  110. # endif
    111. 

  111. 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`
    112. 

  112. 	orr	$t1,$t1,$t2,lsl#24
    113. 

  113. 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
    114. 

  114. #endif
    115. 

  115. ___
    116. 

  116. $code.=<<___;
    117. 

  117. 	ldr	$t2,[$Ktbl],#4			@ *K256++
    118. 

  118. 	add	$h,$h,$t1			@ h+=X[i]
    119. 

  119. 	str	$t1,[sp,#`$i%16`*4]
    120. 

  120. 	eor	$t1,$f,$g
    121. 

  121. 	add	$h,$h,$t0,ror#$Sigma1[0]	@ h+=Sigma1(e)
    122. 

  122. 	and	$t1,$t1,$e
    123. 

  123. 	add	$h,$h,$t2			@ h+=K256[i]
    124. 

  124. 	eor	$t1,$t1,$g			@ Ch(e,f,g)
    125. 

  125. 	eor	$t0,$a,$a,ror#`$Sigma0[1]-$Sigma0[0]`
    126. 

  126. 	add	$h,$h,$t1			@ h+=Ch(e,f,g)
    127. 

  127. #if $i==31
    128. 

  128. 	and	$t2,$t2,#0xff
    129. 

  129. 	cmp	$t2,#0xf2			@ done?
    130. 

  130. #endif
    131. 

  131. #if $i<15
    132. 

  132. # if __ARM_ARCH__>=7
    133. 

  133. 	ldr	$t1,[$inp],#4			@ prefetch
    134. 

  134. # else
    135. 

  135. 	ldrb	$t1,[$inp,#3]
    136. 

  136. # endif
    137. 

  137. 	eor	$t2,$a,$b			@ a^b, b^c in next round
    138. 

  138. #else
    139. 

  139. 	ldr	$t1,[sp,#`($i+2)%16`*4]		@ from future BODY_16_xx
    140. 

  140. 	eor	$t2,$a,$b			@ a^b, b^c in next round
    141. 

  141. 	ldr	$t4,[sp,#`($i+15)%16`*4]	@ from future BODY_16_xx
    142. 

  142. #endif
    143. 

  143. 	eor	$t0,$t0,$a,ror#`$Sigma0[2]-$Sigma0[0]`	@ Sigma0(a)
    144. 

  144. 	and	$t3,$t3,$t2			@ (b^c)&=(a^b)
    145. 

  145. 	add	$d,$d,$h			@ d+=h
    146. 

  146. 	eor	$t3,$t3,$b			@ Maj(a,b,c)
    147. 

  147. 	add	$h,$h,$t0,ror#$Sigma0[0]	@ h+=Sigma0(a)
    148. 

  148. 	@ add	$h,$h,$t3			@ h+=Maj(a,b,c)
    149. 

  149. ___
    150. 

  150. 	($t2,$t3)=($t3,$t2);
    151. 

  151. }
    152. 

  152. 

  153. sub BODY_16_XX {
    154. 

  154. my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_;
    155. 

  155. 

  156. $code.=<<___;
    157. 

  157. 	@ ldr	$t1,[sp,#`($i+1)%16`*4]		@ $i
    158. 

  158. 	@ ldr	$t4,[sp,#`($i+14)%16`*4]
    159. 

  159. 	mov	$t0,$t1,ror#$sigma0[0]
    160. 

  160. 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
    161. 

  161. 	mov	$t2,$t4,ror#$sigma1[0]
    162. 

  162. 	eor	$t0,$t0,$t1,ror#$sigma0[1]
    163. 

  163. 	eor	$t2,$t2,$t4,ror#$sigma1[1]
    164. 

  164. 	eor	$t0,$t0,$t1,lsr#$sigma0[2]	@ sigma0(X[i+1])
    165. 

  165. 	ldr	$t1,[sp,#`($i+0)%16`*4]
    166. 

  166. 	eor	$t2,$t2,$t4,lsr#$sigma1[2]	@ sigma1(X[i+14])
    167. 

  167. 	ldr	$t4,[sp,#`($i+9)%16`*4]
    168. 

  168. 

  169. 	add	$t2,$t2,$t0
    170. 

  170. 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`	@ from BODY_00_15
    171. 

  171. 	add	$t1,$t1,$t2
    172. 

  172. 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
    173. 

  173. 	add	$t1,$t1,$t4			@ X[i]
    174. 

  174. ___
    175. 

  175. 	&BODY_00_15(@_);
    176. 

  176. }
    177. 

  177. 

  178. $code=<<___;
    179. 

  179. #ifndef __KERNEL__
    180. 

  180. # include "arm_arch.h"
    181. 

  181. #else
    182. 

  182. # define __ARM_ARCH__ __LINUX_ARM_ARCH__
    183. 

  183. # define __ARM_MAX_ARCH__ 7
    184. 

  184. #endif
    185. 

  185. 

  186. #if defined(__thumb2__)
    187. 

  187. .syntax unified
    188. 

  188. .thumb
    189. 

  189. #else
    190. 

  190. .code   32
    191. 

  191. #endif
    192. 

  192. 

  193. .text
    194. 

  194. 

  195. .type	K256,%object
    196. 

  196. .align	5
    197. 

  197. K256:
    198. 

  198. .word	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
    199. 

  199. .word	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
    200. 

  200. .word	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
    201. 

  201. .word	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
    202. 

  202. .word	0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc
    203. 

  203. .word	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
    204. 

  204. .word	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
    205. 

  205. .word	0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967
    206. 

  206. .word	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
    207. 

  207. .word	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
    208. 

  208. .word	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
    209. 

  209. .word	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
    210. 

  210. .word	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
    211. 

  211. .word	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
    212. 

  212. .word	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
    213. 

  213. .word	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
    214. 

  214. .size	K256,.-K256
    215. 

  215. .word	0				@ terminator
    216. 

  216. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    217. 

  217. .LOPENSSL_armcap:
    218. 

  218. # ifdef	_WIN32
    219. 

  219. .word	OPENSSL_armcap_P
    220. 

  220. # else
    221. 

  221. .word	OPENSSL_armcap_P-.Lsha256_block_data_order
    222. 

  222. # endif
    223. 

  223. #endif
    224. 

  224. .align	5
    225. 

  225. 

  226. .global	sha256_block_data_order
    227. 

  227. .type	sha256_block_data_order,%function
    228. 

  228. sha256_block_data_order:
    229. 

  229. .Lsha256_block_data_order:
    230. 

  230. #if __ARM_ARCH__<7 && !defined(__thumb2__)
    231. 

  231. 	sub	r3,pc,#8		@ sha256_block_data_order
    232. 

  232. #else
    233. 

  233. 	adr	r3,.Lsha256_block_data_order
    234. 

  234. #endif
    235. 

  235. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    236. 

  236. 	ldr	r12,.LOPENSSL_armcap
    237. 

  237. # if !defined(_WIN32)
    238. 

  238. 	ldr	r12,[r3,r12]		@ OPENSSL_armcap_P
    239. 

  239. # endif
    240. 

  240. # if defined(__APPLE__) || defined(_WIN32)
    241. 

  241. 	ldr	r12,[r12]
    242. 

  242. # endif
    243. 

  243. 	tst	r12,#ARMV8_SHA256
    244. 

  244. 	bne	.LARMv8
    245. 

  245. 	tst	r12,#ARMV7_NEON
    246. 

  246. 	bne	.LNEON
    247. 

  247. #endif
    248. 

  248. 	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
    249. 

  249. 	stmdb	sp!,{$ctx,$inp,$len,r4-r11,lr}
    250. 

  250. 	ldmia	$ctx,{$A,$B,$C,$D,$E,$F,$G,$H}
    251. 

  251. 	sub	$Ktbl,r3,#256+32	@ K256
    252. 

  252. 	sub	sp,sp,#16*4		@ alloca(X[16])
    253. 

  253. .Loop:
    254. 

  254. # if __ARM_ARCH__>=7
    255. 

  255. 	ldr	$t1,[$inp],#4
    256. 

  256. # else
    257. 

  257. 	ldrb	$t1,[$inp,#3]
    258. 

  258. # endif
    259. 

  259. 	eor	$t3,$B,$C		@ magic
    260. 

  260. 	eor	$t2,$t2,$t2
    261. 

  261. ___
    262. 

  262. for($i=0;$i<16;$i++)	{ &BODY_00_15($i,@V); unshift(@V,pop(@V)); }
    263. 

  263. $code.=".Lrounds_16_xx:\n";
    264. 

  264. for (;$i<32;$i++)	{ &BODY_16_XX($i,@V); unshift(@V,pop(@V)); }
    265. 

  265. $code.=<<___;
    266. 

  266. #ifdef	__thumb2__
    267. 

  267. 	ite	eq			@ Thumb2 thing, sanity check in ARM
    268. 

  268. #endif
    269. 

  269. 	ldreq	$t3,[sp,#16*4]		@ pull ctx
    270. 

  270. 	bne	.Lrounds_16_xx
    271. 

  271. 

  272. 	add	$A,$A,$t2		@ h+=Maj(a,b,c) from the past
    273. 

  273. 	ldr	$t0,[$t3,#0]
    274. 

  274. 	ldr	$t1,[$t3,#4]
    275. 

  275. 	ldr	$t2,[$t3,#8]
    276. 

  276. 	add	$A,$A,$t0
    277. 

  277. 	ldr	$t0,[$t3,#12]
    278. 

  278. 	add	$B,$B,$t1
    279. 

  279. 	ldr	$t1,[$t3,#16]
    280. 

  280. 	add	$C,$C,$t2
    281. 

  281. 	ldr	$t2,[$t3,#20]
    282. 

  282. 	add	$D,$D,$t0
    283. 

  283. 	ldr	$t0,[$t3,#24]
    284. 

  284. 	add	$E,$E,$t1
    285. 

  285. 	ldr	$t1,[$t3,#28]
    286. 

  286. 	add	$F,$F,$t2
    287. 

  287. 	ldr	$inp,[sp,#17*4]		@ pull inp
    288. 

  288. 	ldr	$t2,[sp,#18*4]		@ pull inp+len
    289. 

  289. 	add	$G,$G,$t0
    290. 

  290. 	add	$H,$H,$t1
    291. 

  291. 	stmia	$t3,{$A,$B,$C,$D,$E,$F,$G,$H}
    292. 

  292. 	cmp	$inp,$t2
    293. 

  293. 	sub	$Ktbl,$Ktbl,#256	@ rewind Ktbl
    294. 

  294. 	bne	.Loop
    295. 

  295. 

  296. 	add	sp,sp,#`16+3`*4	@ destroy frame
    297. 

  297. #if __ARM_ARCH__>=5
    298. 

  298. 	ldmia	sp!,{r4-r11,pc}
    299. 

  299. #else
    300. 

  300. 	ldmia	sp!,{r4-r11,lr}
    301. 

  301. 	tst	lr,#1
    302. 

  302. 	moveq	pc,lr			@ be binary compatible with V4, yet
    303. 

  303. 	bx	lr			@ interoperable with Thumb ISA:-)
    304. 

  304. #endif
    305. 

  305. .size	sha256_block_data_order,.-sha256_block_data_order
    306. 

  306. ___
    307. 

  307. ######################################################################
    308. 

  308. # NEON stuff
    309. 

  309. #
    310. 

  310. {{{
    311. 

  311. my @X=map("q$_",(0..3));
    312. 

  312. my ($T0,$T1,$T2,$T3,$T4,$T5)=("q8","q9","q10","q11","d24","d25");
    313. 

  313. my $Xfer=$t4;
    314. 

  314. my $j=0;
    315. 

  315. 

  316. sub Dlo()   { shift=~m|q([1]?[0-9])|?"d".($1*2):"";     }
    317. 

  317. sub Dhi()   { shift=~m|q([1]?[0-9])|?"d".($1*2+1):"";   }
    318. 

  318. 

  319. sub AUTOLOAD()          # thunk [simplified] x86-style perlasm
    320. 

  320. { my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./;
    321. 

  321.   my $arg = pop;
    322. 

  322.     $arg = "#$arg" if ($arg*1 eq $arg);
    323. 

  323.     $code .= "\t$opcode\t".join(',',@_,$arg)."\n";
    324. 

  324. }
    325. 

  325. 

  326. sub Xupdate()
    327. 

  327. { use integer;
    328. 

  328.   my $body = shift;
    329. 

  329.   my @insns = (&$body,&$body,&$body,&$body);
    330. 

  330.   my ($a,$b,$c,$d,$e,$f,$g,$h);
    331. 

  331. 

  332. 	&vext_8		($T0,@X[0],@X[1],4);	# X[1..4]
    333. 

  333. 	 eval(shift(@insns));
    334. 

  334. 	 eval(shift(@insns));
    335. 

  335. 	 eval(shift(@insns));
    336. 

  336. 	&vext_8		($T1,@X[2],@X[3],4);	# X[9..12]
    337. 

  337. 	 eval(shift(@insns));
    338. 

  338. 	 eval(shift(@insns));
    339. 

  339. 	 eval(shift(@insns));
    340. 

  340. 	&vshr_u32	($T2,$T0,$sigma0[0]);
    341. 

  341. 	 eval(shift(@insns));
    342. 

  342. 	 eval(shift(@insns));
    343. 

  343. 	&vadd_i32	(@X[0],@X[0],$T1);	# X[0..3] += X[9..12]
    344. 

  344. 	 eval(shift(@insns));
    345. 

  345. 	 eval(shift(@insns));
    346. 

  346. 	&vshr_u32	($T1,$T0,$sigma0[2]);
    347. 

  347. 	 eval(shift(@insns));
    348. 

  348. 	 eval(shift(@insns));
    349. 

  349. 	&vsli_32	($T2,$T0,32-$sigma0[0]);
    350. 

  350. 	 eval(shift(@insns));
    351. 

  351. 	 eval(shift(@insns));
    352. 

  352. 	&vshr_u32	($T3,$T0,$sigma0[1]);
    353. 

  353. 	 eval(shift(@insns));
    354. 

  354. 	 eval(shift(@insns));
    355. 

  355. 	&veor		($T1,$T1,$T2);
    356. 

  356. 	 eval(shift(@insns));
    357. 

  357. 	 eval(shift(@insns));
    358. 

  358. 	&vsli_32	($T3,$T0,32-$sigma0[1]);
    359. 

  359. 	 eval(shift(@insns));
    360. 

  360. 	 eval(shift(@insns));
    361. 

  361. 	  &vshr_u32	($T4,&Dhi(@X[3]),$sigma1[0]);
    362. 

  362. 	 eval(shift(@insns));
    363. 

  363. 	 eval(shift(@insns));
    364. 

  364. 	&veor		($T1,$T1,$T3);		# sigma0(X[1..4])
    365. 

  365. 	 eval(shift(@insns));
    366. 

  366. 	 eval(shift(@insns));
    367. 

  367. 	  &vsli_32	($T4,&Dhi(@X[3]),32-$sigma1[0]);
    368. 

  368. 	 eval(shift(@insns));
    369. 

  369. 	 eval(shift(@insns));
    370. 

  370. 	  &vshr_u32	($T5,&Dhi(@X[3]),$sigma1[2]);
    371. 

  371. 	 eval(shift(@insns));
    372. 

  372. 	 eval(shift(@insns));
    373. 

  373. 	&vadd_i32	(@X[0],@X[0],$T1);	# X[0..3] += sigma0(X[1..4])
    374. 

  374. 	 eval(shift(@insns));
    375. 

  375. 	 eval(shift(@insns));
    376. 

  376. 	  &veor		($T5,$T5,$T4);
    377. 

  377. 	 eval(shift(@insns));
    378. 

  378. 	 eval(shift(@insns));
    379. 

  379. 	  &vshr_u32	($T4,&Dhi(@X[3]),$sigma1[1]);
    380. 

  380. 	 eval(shift(@insns));
    381. 

  381. 	 eval(shift(@insns));
    382. 

  382. 	  &vsli_32	($T4,&Dhi(@X[3]),32-$sigma1[1]);
    383. 

  383. 	 eval(shift(@insns));
    384. 

  384. 	 eval(shift(@insns));
    385. 

  385. 	  &veor		($T5,$T5,$T4);		# sigma1(X[14..15])
    386. 

  386. 	 eval(shift(@insns));
    387. 

  387. 	 eval(shift(@insns));
    388. 

  388. 	&vadd_i32	(&Dlo(@X[0]),&Dlo(@X[0]),$T5);# X[0..1] += sigma1(X[14..15])
    389. 

  389. 	 eval(shift(@insns));
    390. 

  390. 	 eval(shift(@insns));
    391. 

  391. 	  &vshr_u32	($T4,&Dlo(@X[0]),$sigma1[0]);
    392. 

  392. 	 eval(shift(@insns));
    393. 

  393. 	 eval(shift(@insns));
    394. 

  394. 	  &vsli_32	($T4,&Dlo(@X[0]),32-$sigma1[0]);
    395. 

  395. 	 eval(shift(@insns));
    396. 

  396. 	 eval(shift(@insns));
    397. 

  397. 	  &vshr_u32	($T5,&Dlo(@X[0]),$sigma1[2]);
    398. 

  398. 	 eval(shift(@insns));
    399. 

  399. 	 eval(shift(@insns));
    400. 

  400. 	  &veor		($T5,$T5,$T4);
    401. 

  401. 	 eval(shift(@insns));
    402. 

  402. 	 eval(shift(@insns));
    403. 

  403. 	  &vshr_u32	($T4,&Dlo(@X[0]),$sigma1[1]);
    404. 

  404. 	 eval(shift(@insns));
    405. 

  405. 	 eval(shift(@insns));
    406. 

  406. 	&vld1_32	("{$T0}","[$Ktbl,:128]!");
    407. 

  407. 	 eval(shift(@insns));
    408. 

  408. 	 eval(shift(@insns));
    409. 

  409. 	  &vsli_32	($T4,&Dlo(@X[0]),32-$sigma1[1]);
    410. 

  410. 	 eval(shift(@insns));
    411. 

  411. 	 eval(shift(@insns));
    412. 

  412. 	  &veor		($T5,$T5,$T4);		# sigma1(X[16..17])
    413. 

  413. 	 eval(shift(@insns));
    414. 

  414. 	 eval(shift(@insns));
    415. 

  415. 	&vadd_i32	(&Dhi(@X[0]),&Dhi(@X[0]),$T5);# X[2..3] += sigma1(X[16..17])
    416. 

  416. 	 eval(shift(@insns));
    417. 

  417. 	 eval(shift(@insns));
    418. 

  418. 	&vadd_i32	($T0,$T0,@X[0]);
    419. 

  419. 	 while($#insns>=2) { eval(shift(@insns)); }
    420. 

  420. 	&vst1_32	("{$T0}","[$Xfer,:128]!");
    421. 

  421. 	 eval(shift(@insns));
    422. 

  422. 	 eval(shift(@insns));
    423. 

  423. 

  424. 	push(@X,shift(@X));		# "rotate" X[]
    425. 

  425. }
    426. 

  426. 

  427. sub Xpreload()
    428. 

  428. { use integer;
    429. 

  429.   my $body = shift;
    430. 

  430.   my @insns = (&$body,&$body,&$body,&$body);
    431. 

  431.   my ($a,$b,$c,$d,$e,$f,$g,$h);
    432. 

  432. 

  433. 	 eval(shift(@insns));
    434. 

  434. 	 eval(shift(@insns));
    435. 

  435. 	 eval(shift(@insns));
    436. 

  436. 	 eval(shift(@insns));
    437. 

  437. 	&vld1_32	("{$T0}","[$Ktbl,:128]!");
    438. 

  438. 	 eval(shift(@insns));
    439. 

  439. 	 eval(shift(@insns));
    440. 

  440. 	 eval(shift(@insns));
    441. 

  441. 	 eval(shift(@insns));
    442. 

  442. 	&vrev32_8	(@X[0],@X[0]);
    443. 

  443. 	 eval(shift(@insns));
    444. 

  444. 	 eval(shift(@insns));
    445. 

  445. 	 eval(shift(@insns));
    446. 

  446. 	 eval(shift(@insns));
    447. 

  447. 	&vadd_i32	($T0,$T0,@X[0]);
    448. 

  448. 	 foreach (@insns) { eval; }	# remaining instructions
    449. 

  449. 	&vst1_32	("{$T0}","[$Xfer,:128]!");
    450. 

  450. 

  451. 	push(@X,shift(@X));		# "rotate" X[]
    452. 

  452. }
    453. 

  453. 

  454. sub body_00_15 () {
    455. 

  455. 	(
    456. 

  456. 	'($a,$b,$c,$d,$e,$f,$g,$h)=@V;'.
    457. 

  457. 	'&add	($h,$h,$t1)',			# h+=X[i]+K[i]
    458. 

  458. 	'&eor	($t1,$f,$g)',
    459. 

  459. 	'&eor	($t0,$e,$e,"ror#".($Sigma1[1]-$Sigma1[0]))',
    460. 

  460. 	'&add	($a,$a,$t2)',			# h+=Maj(a,b,c) from the past
    461. 

  461. 	'&and	($t1,$t1,$e)',
    462. 

  462. 	'&eor	($t2,$t0,$e,"ror#".($Sigma1[2]-$Sigma1[0]))',	# Sigma1(e)
    463. 

  463. 	'&eor	($t0,$a,$a,"ror#".($Sigma0[1]-$Sigma0[0]))',
    464. 

  464. 	'&eor	($t1,$t1,$g)',			# Ch(e,f,g)
    465. 

  465. 	'&add	($h,$h,$t2,"ror#$Sigma1[0]")',	# h+=Sigma1(e)
    466. 

  466. 	'&eor	($t2,$a,$b)',			# a^b, b^c in next round
    467. 

  467. 	'&eor	($t0,$t0,$a,"ror#".($Sigma0[2]-$Sigma0[0]))',	# Sigma0(a)
    468. 

  468. 	'&add	($h,$h,$t1)',			# h+=Ch(e,f,g)
    469. 

  469. 	'&ldr	($t1,sprintf "[sp,#%d]",4*(($j+1)&15))	if (($j&15)!=15);'.
    470. 

  470. 	'&ldr	($t1,"[$Ktbl]")				if ($j==15);'.
    471. 

  471. 	'&ldr	($t1,"[sp,#64]")			if ($j==31)',
    472. 

  472. 	'&and	($t3,$t3,$t2)',			# (b^c)&=(a^b)
    473. 

  473. 	'&add	($d,$d,$h)',			# d+=h
    474. 

  474. 	'&add	($h,$h,$t0,"ror#$Sigma0[0]");'.	# h+=Sigma0(a)
    475. 

  475. 	'&eor	($t3,$t3,$b)',			# Maj(a,b,c)
    476. 

  476. 	'$j++;	unshift(@V,pop(@V)); ($t2,$t3)=($t3,$t2);'
    477. 

  477. 	)
    478. 

  478. }
    479. 

  479. 

  480. $code.=<<___;
    481. 

  481. #if __ARM_MAX_ARCH__>=7
    482. 

  482. .arch	armv7-a
    483. 

  483. .fpu	neon
    484. 

  484. 

  485. .global	sha256_block_data_order_neon
    486. 

  486. .type	sha256_block_data_order_neon,%function
    487. 

  487. .align	5
    488. 

  488. .skip	16
    489. 

  489. sha256_block_data_order_neon:
    490. 

  490. .LNEON:
    491. 

  491. 	stmdb	sp!,{r4-r12,lr}
    492. 

  492. 

  493. 	sub	$H,sp,#16*4+16
    494. 

  494. 	adr	$Ktbl,K256
    495. 

  495. 	bic	$H,$H,#15		@ align for 128-bit stores
    496. 

  496. 	mov	$t2,sp
    497. 

  497. 	mov	sp,$H			@ alloca
    498. 

  498. 	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
    499. 

  499. 

  500. 	vld1.8		{@X[0]},[$inp]!
    501. 

  501. 	vld1.8		{@X[1]},[$inp]!
    502. 

  502. 	vld1.8		{@X[2]},[$inp]!
    503. 

  503. 	vld1.8		{@X[3]},[$inp]!
    504. 

  504. 	vld1.32		{$T0},[$Ktbl,:128]!
    505. 

  505. 	vld1.32		{$T1},[$Ktbl,:128]!
    506. 

  506. 	vld1.32		{$T2},[$Ktbl,:128]!
    507. 

  507. 	vld1.32		{$T3},[$Ktbl,:128]!
    508. 

  508. 	vrev32.8	@X[0],@X[0]		@ yes, even on
    509. 

  509. 	str		$ctx,[sp,#64]
    510. 

  510. 	vrev32.8	@X[1],@X[1]		@ big-endian
    511. 

  511. 	str		$inp,[sp,#68]
    512. 

  512. 	mov		$Xfer,sp
    513. 

  513. 	vrev32.8	@X[2],@X[2]
    514. 

  514. 	str		$len,[sp,#72]
    515. 

  515. 	vrev32.8	@X[3],@X[3]
    516. 

  516. 	str		$t2,[sp,#76]		@ save original sp
    517. 

  517. 	vadd.i32	$T0,$T0,@X[0]
    518. 

  518. 	vadd.i32	$T1,$T1,@X[1]
    519. 

  519. 	vst1.32		{$T0},[$Xfer,:128]!
    520. 

  520. 	vadd.i32	$T2,$T2,@X[2]
    521. 

  521. 	vst1.32		{$T1},[$Xfer,:128]!
    522. 

  522. 	vadd.i32	$T3,$T3,@X[3]
    523. 

  523. 	vst1.32		{$T2},[$Xfer,:128]!
    524. 

  524. 	vst1.32		{$T3},[$Xfer,:128]!
    525. 

  525. 

  526. 	ldmia		$ctx,{$A-$H}
    527. 

  527. 	sub		$Xfer,$Xfer,#64
    528. 

  528. 	ldr		$t1,[sp,#0]
    529. 

  529. 	eor		$t2,$t2,$t2
    530. 

  530. 	eor		$t3,$B,$C
    531. 

  531. 	b		.L_00_48
    532. 

  532. 

  533. .align	4
    534. 

  534. .L_00_48:
    535. 

  535. ___
    536. 

  536. 	&Xupdate(\&body_00_15);
    537. 

  537. 	&Xupdate(\&body_00_15);
    538. 

  538. 	&Xupdate(\&body_00_15);
    539. 

  539. 	&Xupdate(\&body_00_15);
    540. 

  540. $code.=<<___;
    541. 

  541. 	teq	$t1,#0				@ check for K256 terminator
    542. 

  542. 	ldr	$t1,[sp,#0]
    543. 

  543. 	sub	$Xfer,$Xfer,#64
    544. 

  544. 	bne	.L_00_48
    545. 

  545. 

  546. 	ldr		$inp,[sp,#68]
    547. 

  547. 	ldr		$t0,[sp,#72]
    548. 

  548. 	sub		$Ktbl,$Ktbl,#256	@ rewind $Ktbl
    549. 

  549. 	teq		$inp,$t0
    550. 

  550. 	it		eq
    551. 

  551. 	subeq		$inp,$inp,#64		@ avoid SEGV
    552. 

  552. 	vld1.8		{@X[0]},[$inp]!		@ load next input block
    553. 

  553. 	vld1.8		{@X[1]},[$inp]!
    554. 

  554. 	vld1.8		{@X[2]},[$inp]!
    555. 

  555. 	vld1.8		{@X[3]},[$inp]!
    556. 

  556. 	it		ne
    557. 

  557. 	strne		$inp,[sp,#68]
    558. 

  558. 	mov		$Xfer,sp
    559. 

  559. ___
    560. 

  560. 	&Xpreload(\&body_00_15);
    561. 

  561. 	&Xpreload(\&body_00_15);
    562. 

  562. 	&Xpreload(\&body_00_15);
    563. 

  563. 	&Xpreload(\&body_00_15);
    564. 

  564. $code.=<<___;
    565. 

  565. 	ldr	$t0,[$t1,#0]
    566. 

  566. 	add	$A,$A,$t2			@ h+=Maj(a,b,c) from the past
    567. 

  567. 	ldr	$t2,[$t1,#4]
    568. 

  568. 	ldr	$t3,[$t1,#8]
    569. 

  569. 	ldr	$t4,[$t1,#12]
    570. 

  570. 	add	$A,$A,$t0			@ accumulate
    571. 

  571. 	ldr	$t0,[$t1,#16]
    572. 

  572. 	add	$B,$B,$t2
    573. 

  573. 	ldr	$t2,[$t1,#20]
    574. 

  574. 	add	$C,$C,$t3
    575. 

  575. 	ldr	$t3,[$t1,#24]
    576. 

  576. 	add	$D,$D,$t4
    577. 

  577. 	ldr	$t4,[$t1,#28]
    578. 

  578. 	add	$E,$E,$t0
    579. 

  579. 	str	$A,[$t1],#4
    580. 

  580. 	add	$F,$F,$t2
    581. 

  581. 	str	$B,[$t1],#4
    582. 

  582. 	add	$G,$G,$t3
    583. 

  583. 	str	$C,[$t1],#4
    584. 

  584. 	add	$H,$H,$t4
    585. 

  585. 	str	$D,[$t1],#4
    586. 

  586. 	stmia	$t1,{$E-$H}
    587. 

  587. 

  588. 	ittte	ne
    589. 

  589. 	movne	$Xfer,sp
    590. 

  590. 	ldrne	$t1,[sp,#0]
    591. 

  591. 	eorne	$t2,$t2,$t2
    592. 

  592. 	ldreq	sp,[sp,#76]			@ restore original sp
    593. 

  593. 	itt	ne
    594. 

  594. 	eorne	$t3,$B,$C
    595. 

  595. 	bne	.L_00_48
    596. 

  596. 

  597. 	ldmia	sp!,{r4-r12,pc}
    598. 

  598. .size	sha256_block_data_order_neon,.-sha256_block_data_order_neon
    599. 

  599. #endif
    600. 

  600. ___
    601. 

  601. }}}
    602. 

  602. ######################################################################
    603. 

  603. # ARMv8 stuff
    604. 

  604. #
    605. 

  605. {{{
    606. 

  606. my ($ABCD,$EFGH,$abcd)=map("q$_",(0..2));
    607. 

  607. my @MSG=map("q$_",(8..11));
    608. 

  608. my ($W0,$W1,$ABCD_SAVE,$EFGH_SAVE)=map("q$_",(12..15));
    609. 

  609. my $Ktbl="r3";
    610. 

  610. my $_byte = ($flavour =~ /win/ ? "DCB" : ".byte");
    611. 

  611. 

  612. $code.=<<___;
    613. 

  613. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    614. 

  614. 

  615. # if defined(__thumb2__)
    616. 

  616. #  define INST(a,b,c,d)	$_byte	c,d|0xc,a,b
    617. 

  617. # else
    618. 

  618. #  define INST(a,b,c,d)	$_byte	a,b,c,d
    619. 

  619. # endif
    620. 

  620. 

  621. .type	sha256_block_data_order_armv8,%function
    622. 

  622. .align	5
    623. 

  623. sha256_block_data_order_armv8:
    624. 

  624. .LARMv8:
    625. 

  625. 	vld1.32	{$ABCD,$EFGH},[$ctx]
    626. 

  626. 	sub	$Ktbl,$Ktbl,#256+32
    627. 

  627. 	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
    628. 

  628. 	b	.Loop_v8
    629. 

  629. 

  630. .align	4
    631. 

  631. .Loop_v8:
    632. 

  632. 	vld1.8		{@MSG[0]-@MSG[1]},[$inp]!
    633. 

  633. 	vld1.8		{@MSG[2]-@MSG[3]},[$inp]!
    634. 

  634. 	vld1.32		{$W0},[$Ktbl]!
    635. 

  635. 	vrev32.8	@MSG[0],@MSG[0]
    636. 

  636. 	vrev32.8	@MSG[1],@MSG[1]
    637. 

  637. 	vrev32.8	@MSG[2],@MSG[2]
    638. 

  638. 	vrev32.8	@MSG[3],@MSG[3]
    639. 

  639. 	vmov		$ABCD_SAVE,$ABCD	@ offload
    640. 

  640. 	vmov		$EFGH_SAVE,$EFGH
    641. 

  641. 	teq		$inp,$len
    642. 

  642. ___
    643. 

  643. for($i=0;$i<12;$i++) {
    644. 

  644. $code.=<<___;
    645. 

  645. 	vld1.32		{$W1},[$Ktbl]!
    646. 

  646. 	vadd.i32	$W0,$W0,@MSG[0]
    647. 

  647. 	sha256su0	@MSG[0],@MSG[1]
    648. 

  648. 	vmov		$abcd,$ABCD
    649. 

  649. 	sha256h		$ABCD,$EFGH,$W0
    650. 

  650. 	sha256h2	$EFGH,$abcd,$W0
    651. 

  651. 	sha256su1	@MSG[0],@MSG[2],@MSG[3]
    652. 

  652. ___
    653. 

  653. 	($W0,$W1)=($W1,$W0);	push(@MSG,shift(@MSG));
    654. 

  654. }
    655. 

  655. $code.=<<___;
    656. 

  656. 	vld1.32		{$W1},[$Ktbl]!
    657. 

  657. 	vadd.i32	$W0,$W0,@MSG[0]
    658. 

  658. 	vmov		$abcd,$ABCD
    659. 

  659. 	sha256h		$ABCD,$EFGH,$W0
    660. 

  660. 	sha256h2	$EFGH,$abcd,$W0
    661. 

  661. 

  662. 	vld1.32		{$W0},[$Ktbl]!
    663. 

  663. 	vadd.i32	$W1,$W1,@MSG[1]
    664. 

  664. 	vmov		$abcd,$ABCD
    665. 

  665. 	sha256h		$ABCD,$EFGH,$W1
    666. 

  666. 	sha256h2	$EFGH,$abcd,$W1
    667. 

  667. 

  668. 	vld1.32		{$W1},[$Ktbl]
    669. 

  669. 	vadd.i32	$W0,$W0,@MSG[2]
    670. 

  670. 	sub		$Ktbl,$Ktbl,#256-16	@ rewind
    671. 

  671. 	vmov		$abcd,$ABCD
    672. 

  672. 	sha256h		$ABCD,$EFGH,$W0
    673. 

  673. 	sha256h2	$EFGH,$abcd,$W0
    674. 

  674. 

  675. 	vadd.i32	$W1,$W1,@MSG[3]
    676. 

  676. 	vmov		$abcd,$ABCD
    677. 

  677. 	sha256h		$ABCD,$EFGH,$W1
    678. 

  678. 	sha256h2	$EFGH,$abcd,$W1
    679. 

  679. 

  680. 	vadd.i32	$ABCD,$ABCD,$ABCD_SAVE
    681. 

  681. 	vadd.i32	$EFGH,$EFGH,$EFGH_SAVE
    682. 

  682. 	it		ne
    683. 

  683. 	bne		.Loop_v8
    684. 

  684. 

  685. 	vst1.32		{$ABCD,$EFGH},[$ctx]
    686. 

  686. 

  687. 	ret		@ bx lr
    688. 

  688. .size	sha256_block_data_order_armv8,.-sha256_block_data_order_armv8
    689. 

  689. #endif
    690. 

  690. ___
    691. 

  691. }}}
    692. 

  692. $code.=<<___;
    693. 

  693. .asciz  "SHA256 block transform for ARMv4/NEON/ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
    694. 

  694. .align	2
    695. 

  695. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    696. 

  696. .comm   OPENSSL_armcap_P,4,4
    697. 

  697. #endif
    698. 

  698. ___
    699. 

  699. 

  700. open SELF,$0;
    701. 

  701. while(<SELF>) {
    702. 

  702. 	next if (/^#!/);
    703. 

  703. 	last if (!s/^#/@/ and !/^$/);
    704. 

  704. 	print;
    705. 

  705. }
    706. 

  706. close SELF;
    707. 

  707. 

  708. {   my  %opcode = (
    709. 

  709. 	"sha256h"	=> 0xf3000c40,	"sha256h2"	=> 0xf3100c40,
    710. 

  710. 	"sha256su0"	=> 0xf3ba03c0,	"sha256su1"	=> 0xf3200c40	);
    711. 

  711. 

  712.     sub unsha256 {
    713. 

  713. 	my ($mnemonic,$arg)=@_;
    714. 

  714. 

  715. 	if ($arg =~ m/q([0-9]+)(?:,\s*q([0-9]+))?,\s*q([0-9]+)/o) {
    716. 

  716. 	    my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
    717. 

  717. 					 |(($2&7)<<17)|(($2&8)<<4)
    718. 

  718. 					 |(($3&7)<<1) |(($3&8)<<2);
    719. 

  719. 	    # since ARMv7 instructions are always encoded little-endian.
    720. 

  720. 	    # correct solution is to use .inst directive, but older
    721. 

  721. 	    # assemblers don't implement it:-(
    722. 

  722. 	    sprintf "INST(0x%02x,0x%02x,0x%02x,0x%02x)\t@ %s %s",
    723. 

  723. 			$word&0xff,($word>>8)&0xff,
    724. 

  724. 			($word>>16)&0xff,($word>>24)&0xff,
    725. 

  725. 			$mnemonic,$arg;
    726. 

  726. 	}
    727. 

  727.     }
    728. 

  728. }
    729. 

  729. 

  730. foreach (split($/,$code)) {
    731. 

  731. 

  732. 	s/\`([^\`]*)\`/eval $1/geo;
    733. 

  733. 

  734. 	s/\b(sha256\w+)\s+(q.*)/unsha256($1,$2)/geo;
    735. 

  735. 

  736. 	s/\bret\b/bx	lr/go		or
    737. 

  737. 	s/\bbx\s+lr\b/.word\t0xe12fff1e/go;	# make it possible to compile with -march=armv4
    738. 

  738. 

  739. 	print $_,"\n";
    740. 

  740. }
    741. 

  741. 

  742. close STDOUT; # enforce flush
    743.