Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: b9e084f139
Branches Tags
openssl
/
crypto
/
chacha
/
asm
/
chacha-c64xplus.pl

chacha-c64xplus.pl 25 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925 
  1. #! /usr/bin/env perl
    2. 

  2. # Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3. #
    4. 

  4. # Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5. # this file except in compliance with the License.  You can obtain a copy
    6. 

  6. # in the file LICENSE in the source distribution or at
    7. 

  7. # https://www.openssl.org/source/license.html
    8. 

  8. 

  9. #
    10. 

  10. # ====================================================================
    11. 

  11. # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
    12. 

  12. # project. The module is, however, dual licensed under OpenSSL and
    13. 

  13. # CRYPTOGAMS licenses depending on where you obtain it. For further
    14. 

  14. # details see http://www.openssl.org/~appro/cryptogams/.
    15. 

  15. # ====================================================================
    16. 

  16. #
    17. 

  17. # ChaCha20 for C64x+.
    18. 

  18. #
    19. 

  19. # October 2015
    20. 

  20. #
    21. 

  21. # Performance is 3.54 cycles per processed byte, which is ~4.3 times
    22. 

  22. # faster than code generated by TI compiler. Compiler also disables
    23. 

  23. # interrupts for some reason, thus making interrupt response time
    24. 

  24. # dependent on input length. This module on the other hand is free
    25. 

  25. # from such limitation.
    26. 

  26. 

  27. $output=pop and open STDOUT,">$output";
    28. 

  28. 

  29. ($OUT,$INP,$LEN,$KEYB,$COUNTERA)=("A4","B4","A6","B6","A8");
    30. 

  30. ($KEYA,$COUNTERB,$STEP)=("A7","B7","A3");
    31. 

  31. 

  32. @X=  ("A16","B16","A17","B17","A18","B18","A19","B19",
    33. 

  33.       "A20","B20","A21","B21","A22","B22","A23","B23");
    34. 

  34. @Y=  ("A24","B24","A25","B25","A26","B26","A27","B27",
    35. 

  35.       "A28","B28","A29","B29","A30","B30","A31","B31");
    36. 

  36. @DAT=("A6", "A7", "B6", "B7", "A8", "A9", "B8", "B9",
    37. 

  37.       "A10","A11","B10","B11","A12","A13","B12","B13");
    38. 

  38. 

  39. # yes, overlaps with @DAT, used only in 2x interleave code path...
    40. 

  40. @K2x=("A6", "B6", "A7", "B7", "A8", "B8", "A9", "B9",
    41. 

  41.       "A10","B10","A11","B11","A2", "B2", "A13","B13");
    42. 

  42. 

  43. $code.=<<___;
    44. 

  44. 	.text
    45. 

  45. 

  46. 	.if	.ASSEMBLER_VERSION<7000000
    47. 

  47. 	.asg	0,__TI_EABI__
    48. 

  48. 	.endif
    49. 

  49. 	.if	__TI_EABI__
    50. 

  50. 	.asg	ChaCha20_ctr32,_ChaCha20_ctr32
    51. 

  51. 	.endif
    52. 

  52. 

  53. 	.asg	B3,RA
    54. 

  54. 	.asg	A15,FP
    55. 

  55. 	.asg	B15,SP
    56. 

  56. 

  57. 	.global	_ChaCha20_ctr32
    58. 

  58. 	.align	32
    59. 

  59. _ChaCha20_ctr32:
    60. 

  60. 	.asmfunc	stack_usage(40+64)
    61. 

  61. 	MV	$LEN,A0			; reassign
    62. 

  62.   [!A0]	BNOP	RA			; no data
    63. 

  63. || [A0]	STW	FP,*SP--(40+64)		; save frame pointer and alloca(40+64)
    64. 

  64. || [A0]	MV	SP,FP
    65. 

  65.    [A0]	STDW	B13:B12,*SP[4+8]	; ABI says so
    66. 

  66. || [A0]	MV	$KEYB,$KEYA
    67. 

  67. || [A0]	MV	$COUNTERA,$COUNTERB
    68. 

  68.    [A0]	STDW	B11:B10,*SP[3+8]
    69. 

  69. || [A0]	STDW	A13:A12,*FP[-3]
    70. 

  70.    [A0]	STDW	A11:A10,*FP[-4]
    71. 

  71. || [A0]	MVK	128,$STEP		; 2 * input block size
    72. 

  72. 

  73.    [A0]	LDW	*${KEYA}[0],@Y[4]	; load key
    74. 

  74. || [A0]	LDW	*${KEYB}[1],@Y[5]
    75. 

  75. || [A0]	MVK	0x00007865,@Y[0]	; synthesize sigma
    76. 

  76. || [A0]	MVK	0x0000646e,@Y[1]
    77. 

  77.    [A0]	LDW	*${KEYA}[2],@Y[6]
    78. 

  78. || [A0]	LDW	*${KEYB}[3],@Y[7]
    79. 

  79. || [A0]	MVKH	0x61700000,@Y[0]
    80. 

  80. || [A0]	MVKH	0x33200000,@Y[1]
    81. 

  81. 	LDW	*${KEYA}[4],@Y[8]
    82. 

  82. ||	LDW	*${KEYB}[5],@Y[9]
    83. 

  83. ||	MVK	0x00002d32,@Y[2]
    84. 

  84. ||	MVK	0x00006574,@Y[3]
    85. 

  85. 	LDW	*${KEYA}[6],@Y[10]
    86. 

  86. ||	LDW	*${KEYB}[7],@Y[11]
    87. 

  87. ||	MVKH	0x79620000,@Y[2]
    88. 

  88. ||	MVKH	0x6b200000,@Y[3]
    89. 

  89. 	LDW	*${COUNTERA}[0],@Y[12]	; load counter||nonce
    90. 

  90. ||	LDW	*${COUNTERB}[1],@Y[13]
    91. 

  91. ||	CMPLTU	A0,$STEP,A1		; is length < 2*blocks?
    92. 

  92. 	LDW	*${COUNTERA}[2],@Y[14]
    93. 

  93. ||	LDW	*${COUNTERB}[3],@Y[15]
    94. 

  94. || [A1]	BNOP	top1x?
    95. 

  95.    [A1]	MVK	64,$STEP		; input block size
    96. 

  96. ||	MVK	10,B0			; inner loop counter
    97. 

  97. 

  98. 	DMV	@Y[2],@Y[0],@X[2]:@X[0]	; copy block
    99. 

  99. ||	DMV	@Y[3],@Y[1],@X[3]:@X[1]
    100. 

  100. ||[!A1]	STDW	@Y[2]:@Y[0],*FP[-12]	; offload key material to stack
    101. 

  101. ||[!A1]	STDW	@Y[3]:@Y[1],*SP[2]
    102. 

  102. 	DMV	@Y[6],@Y[4],@X[6]:@X[4]
    103. 

  103. ||	DMV	@Y[7],@Y[5],@X[7]:@X[5]
    104. 

  104. ||[!A1]	STDW	@Y[6]:@Y[4],*FP[-10]
    105. 

  105. ||[!A1]	STDW	@Y[7]:@Y[5],*SP[4]
    106. 

  106. 	DMV	@Y[10],@Y[8],@X[10]:@X[8]
    107. 

  107. ||	DMV	@Y[11],@Y[9],@X[11]:@X[9]
    108. 

  108. ||[!A1]	STDW	@Y[10]:@Y[8],*FP[-8]
    109. 

  109. ||[!A1]	STDW	@Y[11]:@Y[9],*SP[6]
    110. 

  110. 	DMV	@Y[14],@Y[12],@X[14]:@X[12]
    111. 

  111. ||	DMV	@Y[15],@Y[13],@X[15]:@X[13]
    112. 

  112. ||[!A1]	MV	@Y[12],@K2x[12]		; counter
    113. 

  113. ||[!A1]	MV	@Y[13],@K2x[13]
    114. 

  114. ||[!A1]	STW	@Y[14],*FP[-6*2]
    115. 

  115. ||[!A1]	STW	@Y[15],*SP[8*2]
    116. 

  116. ___
    117. 

  117. {	################################################################
    118. 

  118. 	# 2x interleave gives 50% performance improvement
    119. 

  119. 	#
    120. 

  120. my ($a0,$a1,$a2,$a3) = (0..3);
    121. 

  121. my ($b0,$b1,$b2,$b3) = (4..7);
    122. 

  122. my ($c0,$c1,$c2,$c3) = (8..11);
    123. 

  123. my ($d0,$d1,$d2,$d3) = (12..15);
    124. 

  124. 

  125. $code.=<<___;
    126. 

  126. outer2x?:
    127. 

  127. 	ADD	@X[$b1],@X[$a1],@X[$a1]
    128. 

  128. ||	ADD	@X[$b2],@X[$a2],@X[$a2]
    129. 

  129. ||	ADD	@X[$b0],@X[$a0],@X[$a0]
    130. 

  130. ||	ADD	@X[$b3],@X[$a3],@X[$a3]
    131. 

  131. ||	 DMV	@Y[2],@Y[0],@K2x[2]:@K2x[0]
    132. 

  132. ||	 DMV	@Y[3],@Y[1],@K2x[3]:@K2x[1]
    133. 

  133. 	XOR	@X[$a1],@X[$d1],@X[$d1]
    134. 

  134. ||	XOR	@X[$a2],@X[$d2],@X[$d2]
    135. 

  135. ||	XOR	@X[$a0],@X[$d0],@X[$d0]
    136. 

  136. ||	XOR	@X[$a3],@X[$d3],@X[$d3]
    137. 

  137. ||	 DMV	@Y[6],@Y[4],@K2x[6]:@K2x[4]
    138. 

  138. ||	 DMV	@Y[7],@Y[5],@K2x[7]:@K2x[5]
    139. 

  139. 	SWAP2	@X[$d1],@X[$d1]		; rotate by 16
    140. 

  140. ||	SWAP2	@X[$d2],@X[$d2]
    141. 

  141. ||	SWAP2	@X[$d0],@X[$d0]
    142. 

  142. ||	SWAP2	@X[$d3],@X[$d3]
    143. 

  143. 

  144. 	ADD	@X[$d1],@X[$c1],@X[$c1]
    145. 

  145. ||	ADD	@X[$d2],@X[$c2],@X[$c2]
    146. 

  146. ||	ADD	@X[$d0],@X[$c0],@X[$c0]
    147. 

  147. ||	ADD	@X[$d3],@X[$c3],@X[$c3]
    148. 

  148. ||	 DMV	@Y[10],@Y[8],@K2x[10]:@K2x[8]
    149. 

  149. ||	 DMV	@Y[11],@Y[9],@K2x[11]:@K2x[9]
    150. 

  150. 	XOR	@X[$c1],@X[$b1],@X[$b1]
    151. 

  151. ||	XOR	@X[$c2],@X[$b2],@X[$b2]
    152. 

  152. ||	XOR	@X[$c0],@X[$b0],@X[$b0]
    153. 

  153. ||	XOR	@X[$c3],@X[$b3],@X[$b3]
    154. 

  154. ||	 ADD	1,@Y[12],@Y[12]		; adjust counter for 2nd block
    155. 

  155. 	ROTL	@X[$b1],12,@X[$b1]
    156. 

  156. ||	ROTL	@X[$b2],12,@X[$b2]
    157. 

  157. ||	 MV	@Y[14],@K2x[14]
    158. 

  158. ||	 MV	@Y[15],@K2x[15]
    159. 

  159. top2x?:
    160. 

  160. 	ROTL	@X[$b0],12,@X[$b0]
    161. 

  161. ||	ROTL	@X[$b3],12,@X[$b3]
    162. 

  162. ||	 ADD	@Y[$b1],@Y[$a1],@Y[$a1]
    163. 

  163. ||	 ADD	@Y[$b2],@Y[$a2],@Y[$a2]
    164. 

  164. 	 ADD	@Y[$b0],@Y[$a0],@Y[$a0]
    165. 

  165. ||	 ADD	@Y[$b3],@Y[$a3],@Y[$a3]
    166. 

  166. 

  167. ||	ADD	@X[$b1],@X[$a1],@X[$a1]
    168. 

  168. ||	ADD	@X[$b2],@X[$a2],@X[$a2]
    169. 

  169. ||	 XOR	@Y[$a1],@Y[$d1],@Y[$d1]
    170. 

  170. ||	 XOR	@Y[$a2],@Y[$d2],@Y[$d2]
    171. 

  171. 	 XOR	@Y[$a0],@Y[$d0],@Y[$d0]
    172. 

  172. ||	 XOR	@Y[$a3],@Y[$d3],@Y[$d3]
    173. 

  173. ||	ADD	@X[$b0],@X[$a0],@X[$a0]
    174. 

  174. ||	ADD	@X[$b3],@X[$a3],@X[$a3]
    175. 

  175. ||	XOR	@X[$a1],@X[$d1],@X[$d1]
    176. 

  176. ||	XOR	@X[$a2],@X[$d2],@X[$d2]
    177. 

  177. 	XOR	@X[$a0],@X[$d0],@X[$d0]
    178. 

  178. ||	XOR	@X[$a3],@X[$d3],@X[$d3]
    179. 

  179. ||	ROTL	@X[$d1],8,@X[$d1]
    180. 

  180. ||	ROTL	@X[$d2],8,@X[$d2]
    181. 

  181. ||	 SWAP2	@Y[$d1],@Y[$d1]		; rotate by 16
    182. 

  182. ||	 SWAP2	@Y[$d2],@Y[$d2]
    183. 

  183. ||	 SWAP2	@Y[$d0],@Y[$d0]
    184. 

  184. ||	 SWAP2	@Y[$d3],@Y[$d3]
    185. 

  185. 	ROTL	@X[$d0],8,@X[$d0]
    186. 

  186. ||	ROTL	@X[$d3],8,@X[$d3]
    187. 

  187. ||	 ADD	@Y[$d1],@Y[$c1],@Y[$c1]
    188. 

  188. ||	 ADD	@Y[$d2],@Y[$c2],@Y[$c2]
    189. 

  189. ||	 ADD	@Y[$d0],@Y[$c0],@Y[$c0]
    190. 

  190. ||	 ADD	@Y[$d3],@Y[$c3],@Y[$c3]
    191. 

  191. ||	BNOP	middle2x1?		; protect from interrupt
    192. 

  192. 

  193. 	ADD	@X[$d1],@X[$c1],@X[$c1]
    194. 

  194. ||	ADD	@X[$d2],@X[$c2],@X[$c2]
    195. 

  195. ||	 XOR	@Y[$c1],@Y[$b1],@Y[$b1]
    196. 

  196. ||	 XOR	@Y[$c2],@Y[$b2],@Y[$b2]
    197. 

  197. ||	 XOR	@Y[$c0],@Y[$b0],@Y[$b0]
    198. 

  198. ||	 XOR	@Y[$c3],@Y[$b3],@Y[$b3]
    199. 

  199. 	ADD	@X[$d0],@X[$c0],@X[$c0]
    200. 

  200. ||	ADD	@X[$d3],@X[$c3],@X[$c3]
    201. 

  201. ||	XOR	@X[$c1],@X[$b1],@X[$b1]
    202. 

  202. ||	XOR	@X[$c2],@X[$b2],@X[$b2]
    203. 

  203. ||	ROTL	@X[$d1],0,@X[$d2]	; moved to avoid cross-path stall
    204. 

  204. ||	ROTL	@X[$d2],0,@X[$d3]
    205. 

  205. 	XOR	@X[$c0],@X[$b0],@X[$b0]
    206. 

  206. ||	XOR	@X[$c3],@X[$b3],@X[$b3]
    207. 

  207. ||	MV	@X[$d0],@X[$d1]
    208. 

  208. ||	MV	@X[$d3],@X[$d0]
    209. 

  209. ||	 ROTL	@Y[$b1],12,@Y[$b1]
    210. 

  210. ||	 ROTL	@Y[$b2],12,@Y[$b2]
    211. 

  211. 	ROTL	@X[$b1],7,@X[$b0]	; avoided cross-path stall
    212. 

  212. ||	ROTL	@X[$b2],7,@X[$b1]
    213. 

  213. 	ROTL	@X[$b0],7,@X[$b3]
    214. 

  214. ||	ROTL	@X[$b3],7,@X[$b2]
    215. 

  215. middle2x1?:
    216. 

  216. 

  217. 	 ROTL	@Y[$b0],12,@Y[$b0]
    218. 

  218. ||	 ROTL	@Y[$b3],12,@Y[$b3]
    219. 

  219. ||	ADD	@X[$b0],@X[$a0],@X[$a0]
    220. 

  220. ||	ADD	@X[$b1],@X[$a1],@X[$a1]
    221. 

  221. 	ADD	@X[$b2],@X[$a2],@X[$a2]
    222. 

  222. ||	ADD	@X[$b3],@X[$a3],@X[$a3]
    223. 

  223. 

  224. ||	 ADD	@Y[$b1],@Y[$a1],@Y[$a1]
    225. 

  225. ||	 ADD	@Y[$b2],@Y[$a2],@Y[$a2]
    226. 

  226. ||	XOR	@X[$a0],@X[$d0],@X[$d0]
    227. 

  227. ||	XOR	@X[$a1],@X[$d1],@X[$d1]
    228. 

  228. 	XOR	@X[$a2],@X[$d2],@X[$d2]
    229. 

  229. ||	XOR	@X[$a3],@X[$d3],@X[$d3]
    230. 

  230. ||	 ADD	@Y[$b0],@Y[$a0],@Y[$a0]
    231. 

  231. ||	 ADD	@Y[$b3],@Y[$a3],@Y[$a3]
    232. 

  232. ||	 XOR	@Y[$a1],@Y[$d1],@Y[$d1]
    233. 

  233. ||	 XOR	@Y[$a2],@Y[$d2],@Y[$d2]
    234. 

  234. 	 XOR	@Y[$a0],@Y[$d0],@Y[$d0]
    235. 

  235. ||	 XOR	@Y[$a3],@Y[$d3],@Y[$d3]
    236. 

  236. ||	 ROTL	@Y[$d1],8,@Y[$d1]
    237. 

  237. ||	 ROTL	@Y[$d2],8,@Y[$d2]
    238. 

  238. ||	SWAP2	@X[$d0],@X[$d0]		; rotate by 16
    239. 

  239. ||	SWAP2	@X[$d1],@X[$d1]
    240. 

  240. ||	SWAP2	@X[$d2],@X[$d2]
    241. 

  241. ||	SWAP2	@X[$d3],@X[$d3]
    242. 

  242. 	 ROTL	@Y[$d0],8,@Y[$d0]
    243. 

  243. ||	 ROTL	@Y[$d3],8,@Y[$d3]
    244. 

  244. ||	ADD	@X[$d0],@X[$c2],@X[$c2]
    245. 

  245. ||	ADD	@X[$d1],@X[$c3],@X[$c3]
    246. 

  246. ||	ADD	@X[$d2],@X[$c0],@X[$c0]
    247. 

  247. ||	ADD	@X[$d3],@X[$c1],@X[$c1]
    248. 

  248. ||	BNOP	middle2x2?		; protect from interrupt
    249. 

  249. 

  250. 	 ADD	@Y[$d1],@Y[$c1],@Y[$c1]
    251. 

  251. ||	 ADD	@Y[$d2],@Y[$c2],@Y[$c2]
    252. 

  252. ||	XOR	@X[$c2],@X[$b0],@X[$b0]
    253. 

  253. ||	XOR	@X[$c3],@X[$b1],@X[$b1]
    254. 

  254. ||	XOR	@X[$c0],@X[$b2],@X[$b2]
    255. 

  255. ||	XOR	@X[$c1],@X[$b3],@X[$b3]
    256. 

  256. 	 ADD	@Y[$d0],@Y[$c0],@Y[$c0]
    257. 

  257. ||	 ADD	@Y[$d3],@Y[$c3],@Y[$c3]
    258. 

  258. ||	 XOR	@Y[$c1],@Y[$b1],@Y[$b1]
    259. 

  259. ||	 XOR	@Y[$c2],@Y[$b2],@Y[$b2]
    260. 

  260. ||	 ROTL	@Y[$d1],0,@Y[$d2]	; moved to avoid cross-path stall
    261. 

  261. ||	 ROTL	@Y[$d2],0,@Y[$d3]
    262. 

  262. 	 XOR	@Y[$c0],@Y[$b0],@Y[$b0]
    263. 

  263. ||	 XOR	@Y[$c3],@Y[$b3],@Y[$b3]
    264. 

  264. ||	 MV	@Y[$d0],@Y[$d1]
    265. 

  265. ||	 MV	@Y[$d3],@Y[$d0]
    266. 

  266. ||	ROTL	@X[$b0],12,@X[$b0]
    267. 

  267. ||	ROTL	@X[$b1],12,@X[$b1]
    268. 

  268. 	 ROTL	@Y[$b1],7,@Y[$b0]	; avoided cross-path stall
    269. 

  269. ||	 ROTL	@Y[$b2],7,@Y[$b1]
    270. 

  270. 	 ROTL	@Y[$b0],7,@Y[$b3]
    271. 

  271. ||	 ROTL	@Y[$b3],7,@Y[$b2]
    272. 

  272. middle2x2?:
    273. 

  273. 

  274. 	ROTL	@X[$b2],12,@X[$b2]
    275. 

  275. ||	ROTL	@X[$b3],12,@X[$b3]
    276. 

  276. ||	 ADD	@Y[$b0],@Y[$a0],@Y[$a0]
    277. 

  277. ||	 ADD	@Y[$b1],@Y[$a1],@Y[$a1]
    278. 

  278. 	 ADD	@Y[$b2],@Y[$a2],@Y[$a2]
    279. 

  279. ||	 ADD	@Y[$b3],@Y[$a3],@Y[$a3]
    280. 

  280. 

  281. ||	ADD	@X[$b0],@X[$a0],@X[$a0]
    282. 

  282. ||	ADD	@X[$b1],@X[$a1],@X[$a1]
    283. 

  283. ||	 XOR	@Y[$a0],@Y[$d0],@Y[$d0]
    284. 

  284. ||	 XOR	@Y[$a1],@Y[$d1],@Y[$d1]
    285. 

  285. 	 XOR	@Y[$a2],@Y[$d2],@Y[$d2]
    286. 

  286. ||	 XOR	@Y[$a3],@Y[$d3],@Y[$d3]
    287. 

  287. ||	ADD	@X[$b2],@X[$a2],@X[$a2]
    288. 

  288. ||	ADD	@X[$b3],@X[$a3],@X[$a3]
    289. 

  289. ||	XOR	@X[$a0],@X[$d0],@X[$d0]
    290. 

  290. ||	XOR	@X[$a1],@X[$d1],@X[$d1]
    291. 

  291. 	XOR	@X[$a2],@X[$d2],@X[$d2]
    292. 

  292. ||	XOR	@X[$a3],@X[$d3],@X[$d3]
    293. 

  293. ||	ROTL	@X[$d0],8,@X[$d0]
    294. 

  294. ||	ROTL	@X[$d1],8,@X[$d1]
    295. 

  295. ||	 SWAP2	@Y[$d0],@Y[$d0]		; rotate by 16
    296. 

  296. ||	 SWAP2	@Y[$d1],@Y[$d1]
    297. 

  297. ||	 SWAP2	@Y[$d2],@Y[$d2]
    298. 

  298. ||	 SWAP2	@Y[$d3],@Y[$d3]
    299. 

  299. 	ROTL	@X[$d2],8,@X[$d2]
    300. 

  300. ||	ROTL	@X[$d3],8,@X[$d3]
    301. 

  301. ||	 ADD	@Y[$d0],@Y[$c2],@Y[$c2]
    302. 

  302. ||	 ADD	@Y[$d1],@Y[$c3],@Y[$c3]
    303. 

  303. ||	 ADD	@Y[$d2],@Y[$c0],@Y[$c0]
    304. 

  304. ||	 ADD	@Y[$d3],@Y[$c1],@Y[$c1]
    305. 

  305. ||	BNOP	bottom2x1?		; protect from interrupt
    306. 

  306. 

  307. 	ADD	@X[$d0],@X[$c2],@X[$c2]
    308. 

  308. ||	ADD	@X[$d1],@X[$c3],@X[$c3]
    309. 

  309. ||	 XOR	@Y[$c2],@Y[$b0],@Y[$b0]
    310. 

  310. ||	 XOR	@Y[$c3],@Y[$b1],@Y[$b1]
    311. 

  311. ||	 XOR	@Y[$c0],@Y[$b2],@Y[$b2]
    312. 

  312. ||	 XOR	@Y[$c1],@Y[$b3],@Y[$b3]
    313. 

  313. 	ADD	@X[$d2],@X[$c0],@X[$c0]
    314. 

  314. ||	ADD	@X[$d3],@X[$c1],@X[$c1]
    315. 

  315. ||	XOR	@X[$c2],@X[$b0],@X[$b0]
    316. 

  316. ||	XOR	@X[$c3],@X[$b1],@X[$b1]
    317. 

  317. ||	ROTL	@X[$d0],0,@X[$d3]	; moved to avoid cross-path stall
    318. 

  318. ||	ROTL	@X[$d1],0,@X[$d0]
    319. 

  319. 	XOR	@X[$c0],@X[$b2],@X[$b2]
    320. 

  320. ||	XOR	@X[$c1],@X[$b3],@X[$b3]
    321. 

  321. ||	MV	@X[$d2],@X[$d1]
    322. 

  322. ||	MV	@X[$d3],@X[$d2]
    323. 

  323. ||	 ROTL	@Y[$b0],12,@Y[$b0]
    324. 

  324. ||	 ROTL	@Y[$b1],12,@Y[$b1]
    325. 

  325. 	ROTL	@X[$b0],7,@X[$b1]	; avoided cross-path stall
    326. 

  326. ||	ROTL	@X[$b1],7,@X[$b2]
    327. 

  327. 	ROTL	@X[$b2],7,@X[$b3]
    328. 

  328. ||	ROTL	@X[$b3],7,@X[$b0]
    329. 

  329. || [B0]	SUB	B0,1,B0			; decrement inner loop counter
    330. 

  330. bottom2x1?:
    331. 

  331. 

  332. 	 ROTL	@Y[$b2],12,@Y[$b2]
    333. 

  333. ||	 ROTL	@Y[$b3],12,@Y[$b3]
    334. 

  334. || [B0]	ADD	@X[$b1],@X[$a1],@X[$a1]	; modulo-scheduled
    335. 

  335. || [B0]	ADD	@X[$b2],@X[$a2],@X[$a2]
    336. 

  336.    [B0]	ADD	@X[$b0],@X[$a0],@X[$a0]
    337. 

  337. || [B0]	ADD	@X[$b3],@X[$a3],@X[$a3]
    338. 

  338. 

  339. ||	 ADD	@Y[$b0],@Y[$a0],@Y[$a0]
    340. 

  340. ||	 ADD	@Y[$b1],@Y[$a1],@Y[$a1]
    341. 

  341. || [B0]	XOR	@X[$a1],@X[$d1],@X[$d1]
    342. 

  342. || [B0]	XOR	@X[$a2],@X[$d2],@X[$d2]
    343. 

  343.    [B0]	XOR	@X[$a0],@X[$d0],@X[$d0]
    344. 

  344. || [B0]	XOR	@X[$a3],@X[$d3],@X[$d3]
    345. 

  345. ||	 ADD	@Y[$b2],@Y[$a2],@Y[$a2]
    346. 

  346. ||	 ADD	@Y[$b3],@Y[$a3],@Y[$a3]
    347. 

  347. ||	 XOR	@Y[$a0],@Y[$d0],@Y[$d0]
    348. 

  348. ||	 XOR	@Y[$a1],@Y[$d1],@Y[$d1]
    349. 

  349. 	 XOR	@Y[$a2],@Y[$d2],@Y[$d2]
    350. 

  350. ||	 XOR	@Y[$a3],@Y[$d3],@Y[$d3]
    351. 

  351. ||	 ROTL	@Y[$d0],8,@Y[$d0]
    352. 

  352. ||	 ROTL	@Y[$d1],8,@Y[$d1]
    353. 

  353. || [B0]	SWAP2	@X[$d1],@X[$d1]		; rotate by 16
    354. 

  354. || [B0]	SWAP2	@X[$d2],@X[$d2]
    355. 

  355. || [B0]	SWAP2	@X[$d0],@X[$d0]
    356. 

  356. || [B0]	SWAP2	@X[$d3],@X[$d3]
    357. 

  357. 	 ROTL	@Y[$d2],8,@Y[$d2]
    358. 

  358. ||	 ROTL	@Y[$d3],8,@Y[$d3]
    359. 

  359. || [B0]	ADD	@X[$d1],@X[$c1],@X[$c1]
    360. 

  360. || [B0]	ADD	@X[$d2],@X[$c2],@X[$c2]
    361. 

  361. || [B0]	ADD	@X[$d0],@X[$c0],@X[$c0]
    362. 

  362. || [B0]	ADD	@X[$d3],@X[$c3],@X[$c3]
    363. 

  363. || [B0]	BNOP	top2x?			; even protects from interrupt
    364. 

  364. 

  365. 	 ADD	@Y[$d0],@Y[$c2],@Y[$c2]
    366. 

  366. ||	 ADD	@Y[$d1],@Y[$c3],@Y[$c3]
    367. 

  367. || [B0]	XOR	@X[$c1],@X[$b1],@X[$b1]
    368. 

  368. || [B0]	XOR	@X[$c2],@X[$b2],@X[$b2]
    369. 

  369. || [B0]	XOR	@X[$c0],@X[$b0],@X[$b0]
    370. 

  370. || [B0]	XOR	@X[$c3],@X[$b3],@X[$b3]
    371. 

  371. 	 ADD	@Y[$d2],@Y[$c0],@Y[$c0]
    372. 

  372. ||	 ADD	@Y[$d3],@Y[$c1],@Y[$c1]
    373. 

  373. ||	 XOR	@Y[$c2],@Y[$b0],@Y[$b0]
    374. 

  374. ||	 XOR	@Y[$c3],@Y[$b1],@Y[$b1]
    375. 

  375. ||	 ROTL	@Y[$d0],0,@Y[$d3]	; moved to avoid cross-path stall
    376. 

  376. ||	 ROTL	@Y[$d1],0,@Y[$d0]
    377. 

  377. 	 XOR	@Y[$c0],@Y[$b2],@Y[$b2]
    378. 

  378. ||	 XOR	@Y[$c1],@Y[$b3],@Y[$b3]
    379. 

  379. ||	 MV	@Y[$d2],@Y[$d1]
    380. 

  380. ||	 MV	@Y[$d3],@Y[$d2]
    381. 

  381. || [B0]	ROTL	@X[$b1],12,@X[$b1]
    382. 

  382. || [B0]	ROTL	@X[$b2],12,@X[$b2]
    383. 

  383. 	 ROTL	@Y[$b0],7,@Y[$b1]	; avoided cross-path stall
    384. 

  384. ||	 ROTL	@Y[$b1],7,@Y[$b2]
    385. 

  385. 	 ROTL	@Y[$b2],7,@Y[$b3]
    386. 

  386. ||	 ROTL	@Y[$b3],7,@Y[$b0]
    387. 

  387. bottom2x2?:
    388. 

  388. ___
    389. 

  389. }
    390. 

  390. 

  391. $code.=<<___;
    392. 

  392. 	ADD	@K2x[0],@X[0],@X[0]	; accumulate key material
    393. 

  393. ||	ADD	@K2x[1],@X[1],@X[1]
    394. 

  394. ||	ADD	@K2x[2],@X[2],@X[2]
    395. 

  395. ||	ADD	@K2x[3],@X[3],@X[3]
    396. 

  396. 	 ADD	@K2x[0],@Y[0],@Y[0]
    397. 

  397. ||	 ADD	@K2x[1],@Y[1],@Y[1]
    398. 

  398. ||	 ADD	@K2x[2],@Y[2],@Y[2]
    399. 

  399. ||	 ADD	@K2x[3],@Y[3],@Y[3]
    400. 

  400. ||	LDNDW	*${INP}++[8],@DAT[1]:@DAT[0]
    401. 

  401. 	ADD	@K2x[4],@X[4],@X[4]
    402. 

  402. ||	ADD	@K2x[5],@X[5],@X[5]
    403. 

  403. ||	ADD	@K2x[6],@X[6],@X[6]
    404. 

  404. ||	ADD	@K2x[7],@X[7],@X[7]
    405. 

  405. ||	LDNDW	*${INP}[-7],@DAT[3]:@DAT[2]
    406. 

  406. 	 ADD	@K2x[4],@Y[4],@Y[4]
    407. 

  407. ||	 ADD	@K2x[5],@Y[5],@Y[5]
    408. 

  408. ||	 ADD	@K2x[6],@Y[6],@Y[6]
    409. 

  409. ||	 ADD	@K2x[7],@Y[7],@Y[7]
    410. 

  410. ||	LDNDW	*${INP}[-6],@DAT[5]:@DAT[4]
    411. 

  411. 	ADD	@K2x[8],@X[8],@X[8]
    412. 

  412. ||	ADD	@K2x[9],@X[9],@X[9]
    413. 

  413. ||	ADD	@K2x[10],@X[10],@X[10]
    414. 

  414. ||	ADD	@K2x[11],@X[11],@X[11]
    415. 

  415. ||	LDNDW	*${INP}[-5],@DAT[7]:@DAT[6]
    416. 

  416. 	 ADD	@K2x[8],@Y[8],@Y[8]
    417. 

  417. ||	 ADD	@K2x[9],@Y[9],@Y[9]
    418. 

  418. ||	 ADD	@K2x[10],@Y[10],@Y[10]
    419. 

  419. ||	 ADD	@K2x[11],@Y[11],@Y[11]
    420. 

  420. ||	LDNDW	*${INP}[-4],@DAT[9]:@DAT[8]
    421. 

  421. 	ADD	@K2x[12],@X[12],@X[12]
    422. 

  422. ||	ADD	@K2x[13],@X[13],@X[13]
    423. 

  423. ||	ADD	@K2x[14],@X[14],@X[14]
    424. 

  424. ||	ADD	@K2x[15],@X[15],@X[15]
    425. 

  425. ||	LDNDW	*${INP}[-3],@DAT[11]:@DAT[10]
    426. 

  426. 	 ADD	@K2x[12],@Y[12],@Y[12]
    427. 

  427. ||	 ADD	@K2x[13],@Y[13],@Y[13]
    428. 

  428. ||	 ADD	@K2x[14],@Y[14],@Y[14]
    429. 

  429. ||	 ADD	@K2x[15],@Y[15],@Y[15]
    430. 

  430. ||	LDNDW	*${INP}[-2],@DAT[13]:@DAT[12]
    431. 

  431. 	 ADD	1,@Y[12],@Y[12]		; adjust counter for 2nd block
    432. 

  432. ||	ADD	2,@K2x[12],@K2x[12]	; increment counter
    433. 

  433. ||	LDNDW	*${INP}[-1],@DAT[15]:@DAT[14]
    434. 

  434. 

  435. 	.if	.BIG_ENDIAN
    436. 

  436. 	SWAP2	@X[0],@X[0]
    437. 

  437. ||	SWAP2	@X[1],@X[1]
    438. 

  438. ||	SWAP2	@X[2],@X[2]
    439. 

  439. ||	SWAP2	@X[3],@X[3]
    440. 

  440. 	SWAP2	@X[4],@X[4]
    441. 

  441. ||	SWAP2	@X[5],@X[5]
    442. 

  442. ||	SWAP2	@X[6],@X[6]
    443. 

  443. ||	SWAP2	@X[7],@X[7]
    444. 

  444. 	SWAP2	@X[8],@X[8]
    445. 

  445. ||	SWAP2	@X[9],@X[9]
    446. 

  446. ||	SWAP4	@X[0],@X[1]
    447. 

  447. ||	SWAP4	@X[1],@X[0]
    448. 

  448. 	SWAP2	@X[10],@X[10]
    449. 

  449. ||	SWAP2	@X[11],@X[11]
    450. 

  450. ||	SWAP4	@X[2],@X[3]
    451. 

  451. ||	SWAP4	@X[3],@X[2]
    452. 

  452. 	SWAP2	@X[12],@X[12]
    453. 

  453. ||	SWAP2	@X[13],@X[13]
    454. 

  454. ||	SWAP4	@X[4],@X[5]
    455. 

  455. ||	SWAP4	@X[5],@X[4]
    456. 

  456. 	SWAP2	@X[14],@X[14]
    457. 

  457. ||	SWAP2	@X[15],@X[15]
    458. 

  458. ||	SWAP4	@X[6],@X[7]
    459. 

  459. ||	SWAP4	@X[7],@X[6]
    460. 

  460. 	SWAP4	@X[8],@X[9]
    461. 

  461. ||	SWAP4	@X[9],@X[8]
    462. 

  462. ||	 SWAP2	@Y[0],@Y[0]
    463. 

  463. ||	 SWAP2	@Y[1],@Y[1]
    464. 

  464. 	SWAP4	@X[10],@X[11]
    465. 

  465. ||	SWAP4	@X[11],@X[10]
    466. 

  466. ||	 SWAP2	@Y[2],@Y[2]
    467. 

  467. ||	 SWAP2	@Y[3],@Y[3]
    468. 

  468. 	SWAP4	@X[12],@X[13]
    469. 

  469. ||	SWAP4	@X[13],@X[12]
    470. 

  470. ||	 SWAP2	@Y[4],@Y[4]
    471. 

  471. ||	 SWAP2	@Y[5],@Y[5]
    472. 

  472. 	SWAP4	@X[14],@X[15]
    473. 

  473. ||	SWAP4	@X[15],@X[14]
    474. 

  474. ||	 SWAP2	@Y[6],@Y[6]
    475. 

  475. ||	 SWAP2	@Y[7],@Y[7]
    476. 

  476. 	 SWAP2	@Y[8],@Y[8]
    477. 

  477. ||	 SWAP2	@Y[9],@Y[9]
    478. 

  478. ||	 SWAP4	@Y[0],@Y[1]
    479. 

  479. ||	 SWAP4	@Y[1],@Y[0]
    480. 

  480. 	 SWAP2	@Y[10],@Y[10]
    481. 

  481. ||	 SWAP2	@Y[11],@Y[11]
    482. 

  482. ||	 SWAP4	@Y[2],@Y[3]
    483. 

  483. ||	 SWAP4	@Y[3],@Y[2]
    484. 

  484. 	 SWAP2	@Y[12],@Y[12]
    485. 

  485. ||	 SWAP2	@Y[13],@Y[13]
    486. 

  486. ||	 SWAP4	@Y[4],@Y[5]
    487. 

  487. ||	 SWAP4	@Y[5],@Y[4]
    488. 

  488. 	 SWAP2	@Y[14],@Y[14]
    489. 

  489. ||	 SWAP2	@Y[15],@Y[15]
    490. 

  490. ||	 SWAP4	@Y[6],@Y[7]
    491. 

  491. ||	 SWAP4	@Y[7],@Y[6]
    492. 

  492. 	 SWAP4	@Y[8],@Y[9]
    493. 

  493. ||	 SWAP4	@Y[9],@Y[8]
    494. 

  494. 	 SWAP4	@Y[10],@Y[11]
    495. 

  495. ||	 SWAP4	@Y[11],@Y[10]
    496. 

  496. 	 SWAP4	@Y[12],@Y[13]
    497. 

  497. ||	 SWAP4	@Y[13],@Y[12]
    498. 

  498. 	 SWAP4	@Y[14],@Y[15]
    499. 

  499. ||	 SWAP4	@Y[15],@Y[14]
    500. 

  500. 	.endif
    501. 

  501. 

  502. 	XOR	@DAT[0],@X[0],@X[0]	; xor 1st block
    503. 

  503. ||	XOR	@DAT[3],@X[3],@X[3]
    504. 

  504. ||	XOR	@DAT[2],@X[2],@X[1]
    505. 

  505. ||	XOR	@DAT[1],@X[1],@X[2]
    506. 

  506. ||	LDNDW	*${INP}++[8],@DAT[1]:@DAT[0]
    507. 

  507. 	XOR	@DAT[4],@X[4],@X[4]
    508. 

  508. ||	XOR	@DAT[7],@X[7],@X[7]
    509. 

  509. ||	LDNDW	*${INP}[-7],@DAT[3]:@DAT[2]
    510. 

  510. 	XOR	@DAT[6],@X[6],@X[5]
    511. 

  511. ||	XOR	@DAT[5],@X[5],@X[6]
    512. 

  512. ||	LDNDW	*${INP}[-6],@DAT[5]:@DAT[4]
    513. 

  513. 	XOR	@DAT[8],@X[8],@X[8]
    514. 

  514. ||	XOR	@DAT[11],@X[11],@X[11]
    515. 

  515. ||	LDNDW	*${INP}[-5],@DAT[7]:@DAT[6]
    516. 

  516. 	XOR	@DAT[10],@X[10],@X[9]
    517. 

  517. ||	XOR	@DAT[9],@X[9],@X[10]
    518. 

  518. ||	LDNDW	*${INP}[-4],@DAT[9]:@DAT[8]
    519. 

  519. 	XOR	@DAT[12],@X[12],@X[12]
    520. 

  520. ||	XOR	@DAT[15],@X[15],@X[15]
    521. 

  521. ||	LDNDW	*${INP}[-3],@DAT[11]:@DAT[10]
    522. 

  522. 	XOR	@DAT[14],@X[14],@X[13]
    523. 

  523. ||	XOR	@DAT[13],@X[13],@X[14]
    524. 

  524. ||	LDNDW	*${INP}[-2],@DAT[13]:@DAT[12]
    525. 

  525.    [A0]	SUB	A0,$STEP,A0		; SUB	A0,128,A0
    526. 

  526. ||	LDNDW	*${INP}[-1],@DAT[15]:@DAT[14]
    527. 

  527. 

  528. 	XOR	@Y[0],@DAT[0],@DAT[0]	; xor 2nd block
    529. 

  529. ||	XOR	@Y[1],@DAT[1],@DAT[1]
    530. 

  530. ||	STNDW	@X[2]:@X[0],*${OUT}++[8]
    531. 

  531. 	XOR	@Y[2],@DAT[2],@DAT[2]
    532. 

  532. ||	XOR	@Y[3],@DAT[3],@DAT[3]
    533. 

  533. ||	STNDW	@X[3]:@X[1],*${OUT}[-7]
    534. 

  534. 	XOR	@Y[4],@DAT[4],@DAT[4]
    535. 

  535. || [A0]	LDDW	*FP[-12],@X[2]:@X[0]	; re-load key material from stack
    536. 

  536. || [A0]	LDDW	*SP[2],  @X[3]:@X[1]
    537. 

  537. 	XOR	@Y[5],@DAT[5],@DAT[5]
    538. 

  538. ||	STNDW	@X[6]:@X[4],*${OUT}[-6]
    539. 

  539. 	XOR	@Y[6],@DAT[6],@DAT[6]
    540. 

  540. ||	XOR	@Y[7],@DAT[7],@DAT[7]
    541. 

  541. ||	STNDW	@X[7]:@X[5],*${OUT}[-5]
    542. 

  542. 	XOR	@Y[8],@DAT[8],@DAT[8]
    543. 

  543. || [A0]	LDDW	*FP[-10],@X[6]:@X[4]
    544. 

  544. || [A0]	LDDW	*SP[4],  @X[7]:@X[5]
    545. 

  545. 	XOR	@Y[9],@DAT[9],@DAT[9]
    546. 

  546. ||	STNDW	@X[10]:@X[8],*${OUT}[-4]
    547. 

  547. 	XOR	@Y[10],@DAT[10],@DAT[10]
    548. 

  548. ||	XOR	@Y[11],@DAT[11],@DAT[11]
    549. 

  549. ||	STNDW	@X[11]:@X[9],*${OUT}[-3]
    550. 

  550. 	XOR	@Y[12],@DAT[12],@DAT[12]
    551. 

  551. || [A0]	LDDW	*FP[-8], @X[10]:@X[8]
    552. 

  552. || [A0]	LDDW	*SP[6],  @X[11]:@X[9]
    553. 

  553. 	XOR	@Y[13],@DAT[13],@DAT[13]
    554. 

  554. ||	STNDW	@X[14]:@X[12],*${OUT}[-2]
    555. 

  555. 	XOR	@Y[14],@DAT[14],@DAT[14]
    556. 

  556. ||	XOR	@Y[15],@DAT[15],@DAT[15]
    557. 

  557. ||	STNDW	@X[15]:@X[13],*${OUT}[-1]
    558. 

  558. 

  559.    [A0]	MV	@K2x[12],@X[12]
    560. 

  560. || [A0]	MV	@K2x[13],@X[13]
    561. 

  561. || [A0]	LDW	*FP[-6*2], @X[14]
    562. 

  562. || [A0]	LDW	*SP[8*2],  @X[15]
    563. 

  563. 

  564.    [A0]	DMV	@X[2],@X[0],@Y[2]:@Y[0]	; duplicate key material
    565. 

  565. ||	STNDW	@DAT[1]:@DAT[0],*${OUT}++[8]
    566. 

  566.    [A0]	DMV	@X[3],@X[1],@Y[3]:@Y[1]
    567. 

  567. ||	STNDW	@DAT[3]:@DAT[2],*${OUT}[-7]
    568. 

  568.    [A0]	DMV	@X[6],@X[4],@Y[6]:@Y[4]
    569. 

  569. ||	STNDW	@DAT[5]:@DAT[4],*${OUT}[-6]
    570. 

  570. ||	CMPLTU	A0,$STEP,A1		; is remaining length < 2*blocks?
    571. 

  571. ||[!A0]	BNOP	epilogue?
    572. 

  572.    [A0]	DMV	@X[7],@X[5],@Y[7]:@Y[5]
    573. 

  573. ||	STNDW	@DAT[7]:@DAT[6],*${OUT}[-5]
    574. 

  574. ||[!A1]	BNOP	outer2x?
    575. 

  575.    [A0]	DMV	@X[10],@X[8],@Y[10]:@Y[8]
    576. 

  576. ||	STNDW	@DAT[9]:@DAT[8],*${OUT}[-4]
    577. 

  577.    [A0]	DMV	@X[11],@X[9],@Y[11]:@Y[9]
    578. 

  578. ||	STNDW	@DAT[11]:@DAT[10],*${OUT}[-3]
    579. 

  579.    [A0]	DMV	@X[14],@X[12],@Y[14]:@Y[12]
    580. 

  580. ||	STNDW	@DAT[13]:@DAT[12],*${OUT}[-2]
    581. 

  581.    [A0]	DMV	@X[15],@X[13],@Y[15]:@Y[13]
    582. 

  582. ||	STNDW	@DAT[15]:@DAT[14],*${OUT}[-1]
    583. 

  583. ;;===== branch to epilogue? is taken here
    584. 

  584.    [A1]	MVK	64,$STEP
    585. 

  585. || [A0]	MVK	10,B0			; inner loop counter
    586. 

  586. ;;===== branch to outer2x? is taken here
    587. 

  587. ___
    588. 

  588. {
    589. 

  589. my ($a0,$a1,$a2,$a3) = (0..3);
    590. 

  590. my ($b0,$b1,$b2,$b3) = (4..7);
    591. 

  591. my ($c0,$c1,$c2,$c3) = (8..11);
    592. 

  592. my ($d0,$d1,$d2,$d3) = (12..15);
    593. 

  593. 

  594. $code.=<<___;
    595. 

  595. top1x?:
    596. 

  596. 	ADD	@X[$b1],@X[$a1],@X[$a1]
    597. 

  597. ||	ADD	@X[$b2],@X[$a2],@X[$a2]
    598. 

  598. 	ADD	@X[$b0],@X[$a0],@X[$a0]
    599. 

  599. ||	ADD	@X[$b3],@X[$a3],@X[$a3]
    600. 

  600. ||	XOR	@X[$a1],@X[$d1],@X[$d1]
    601. 

  601. ||	XOR	@X[$a2],@X[$d2],@X[$d2]
    602. 

  602. 	XOR	@X[$a0],@X[$d0],@X[$d0]
    603. 

  603. ||	XOR	@X[$a3],@X[$d3],@X[$d3]
    604. 

  604. ||	SWAP2	@X[$d1],@X[$d1]		; rotate by 16
    605. 

  605. ||	SWAP2	@X[$d2],@X[$d2]
    606. 

  606. 	SWAP2	@X[$d0],@X[$d0]
    607. 

  607. ||	SWAP2	@X[$d3],@X[$d3]
    608. 

  608. 

  609. ||	ADD	@X[$d1],@X[$c1],@X[$c1]
    610. 

  610. ||	ADD	@X[$d2],@X[$c2],@X[$c2]
    611. 

  611. 	ADD	@X[$d0],@X[$c0],@X[$c0]
    612. 

  612. ||	ADD	@X[$d3],@X[$c3],@X[$c3]
    613. 

  613. ||	XOR	@X[$c1],@X[$b1],@X[$b1]
    614. 

  614. ||	XOR	@X[$c2],@X[$b2],@X[$b2]
    615. 

  615. 	XOR	@X[$c0],@X[$b0],@X[$b0]
    616. 

  616. ||	XOR	@X[$c3],@X[$b3],@X[$b3]
    617. 

  617. ||	ROTL	@X[$b1],12,@X[$b1]
    618. 

  618. ||	ROTL	@X[$b2],12,@X[$b2]
    619. 

  619. 	ROTL	@X[$b0],12,@X[$b0]
    620. 

  620. ||	ROTL	@X[$b3],12,@X[$b3]
    621. 

  621. 

  622. 	ADD	@X[$b1],@X[$a1],@X[$a1]
    623. 

  623. ||	ADD	@X[$b2],@X[$a2],@X[$a2]
    624. 

  624. 	ADD	@X[$b0],@X[$a0],@X[$a0]
    625. 

  625. ||	ADD	@X[$b3],@X[$a3],@X[$a3]
    626. 

  626. ||	XOR	@X[$a1],@X[$d1],@X[$d1]
    627. 

  627. ||	XOR	@X[$a2],@X[$d2],@X[$d2]
    628. 

  628. 	XOR	@X[$a0],@X[$d0],@X[$d0]
    629. 

  629. ||	XOR	@X[$a3],@X[$d3],@X[$d3]
    630. 

  630. ||	ROTL	@X[$d1],8,@X[$d1]
    631. 

  631. ||	ROTL	@X[$d2],8,@X[$d2]
    632. 

  632. 	ROTL	@X[$d0],8,@X[$d0]
    633. 

  633. ||	ROTL	@X[$d3],8,@X[$d3]
    634. 

  634. ||	BNOP	middle1x?		; protect from interrupt
    635. 

  635. 

  636. 	ADD	@X[$d1],@X[$c1],@X[$c1]
    637. 

  637. ||	ADD	@X[$d2],@X[$c2],@X[$c2]
    638. 

  638. 	ADD	@X[$d0],@X[$c0],@X[$c0]
    639. 

  639. ||	ADD	@X[$d3],@X[$c3],@X[$c3]
    640. 

  640. ||	XOR	@X[$c1],@X[$b1],@X[$b1]
    641. 

  641. ||	XOR	@X[$c2],@X[$b2],@X[$b2]
    642. 

  642. ||	ROTL	@X[$d1],0,@X[$d2]	; moved to avoid cross-path stall
    643. 

  643. ||	ROTL	@X[$d2],0,@X[$d3]
    644. 

  644. 	XOR	@X[$c0],@X[$b0],@X[$b0]
    645. 

  645. ||	XOR	@X[$c3],@X[$b3],@X[$b3]
    646. 

  646. ||	ROTL	@X[$d0],0,@X[$d1]
    647. 

  647. ||	ROTL	@X[$d3],0,@X[$d0]
    648. 

  648. 	ROTL	@X[$b1],7,@X[$b0]	; avoided cross-path stall
    649. 

  649. ||	ROTL	@X[$b2],7,@X[$b1]
    650. 

  650. 	ROTL	@X[$b0],7,@X[$b3]
    651. 

  651. ||	ROTL	@X[$b3],7,@X[$b2]
    652. 

  652. middle1x?:
    653. 

  653. 

  654. 	ADD	@X[$b0],@X[$a0],@X[$a0]
    655. 

  655. ||	ADD	@X[$b1],@X[$a1],@X[$a1]
    656. 

  656. 	ADD	@X[$b2],@X[$a2],@X[$a2]
    657. 

  657. ||	ADD	@X[$b3],@X[$a3],@X[$a3]
    658. 

  658. ||	XOR	@X[$a0],@X[$d0],@X[$d0]
    659. 

  659. ||	XOR	@X[$a1],@X[$d1],@X[$d1]
    660. 

  660. 	XOR	@X[$a2],@X[$d2],@X[$d2]
    661. 

  661. ||	XOR	@X[$a3],@X[$d3],@X[$d3]
    662. 

  662. ||	SWAP2	@X[$d0],@X[$d0]		; rotate by 16
    663. 

  663. ||	SWAP2	@X[$d1],@X[$d1]
    664. 

  664. 	SWAP2	@X[$d2],@X[$d2]
    665. 

  665. ||	SWAP2	@X[$d3],@X[$d3]
    666. 

  666. 

  667. ||	ADD	@X[$d0],@X[$c2],@X[$c2]
    668. 

  668. ||	ADD	@X[$d1],@X[$c3],@X[$c3]
    669. 

  669. 	ADD	@X[$d2],@X[$c0],@X[$c0]
    670. 

  670. ||	ADD	@X[$d3],@X[$c1],@X[$c1]
    671. 

  671. ||	XOR	@X[$c2],@X[$b0],@X[$b0]
    672. 

  672. ||	XOR	@X[$c3],@X[$b1],@X[$b1]
    673. 

  673. 	XOR	@X[$c0],@X[$b2],@X[$b2]
    674. 

  674. ||	XOR	@X[$c1],@X[$b3],@X[$b3]
    675. 

  675. ||	ROTL	@X[$b0],12,@X[$b0]
    676. 

  676. ||	ROTL	@X[$b1],12,@X[$b1]
    677. 

  677. 	ROTL	@X[$b2],12,@X[$b2]
    678. 

  678. ||	ROTL	@X[$b3],12,@X[$b3]
    679. 

  679. 

  680. 	ADD	@X[$b0],@X[$a0],@X[$a0]
    681. 

  681. ||	ADD	@X[$b1],@X[$a1],@X[$a1]
    682. 

  682. || [B0]	SUB	B0,1,B0			; decrement inner loop counter
    683. 

  683. 	ADD	@X[$b2],@X[$a2],@X[$a2]
    684. 

  684. ||	ADD	@X[$b3],@X[$a3],@X[$a3]
    685. 

  685. ||	XOR	@X[$a0],@X[$d0],@X[$d0]
    686. 

  686. ||	XOR	@X[$a1],@X[$d1],@X[$d1]
    687. 

  687. 	XOR	@X[$a2],@X[$d2],@X[$d2]
    688. 

  688. ||	XOR	@X[$a3],@X[$d3],@X[$d3]
    689. 

  689. ||	ROTL	@X[$d0],8,@X[$d0]
    690. 

  690. ||	ROTL	@X[$d1],8,@X[$d1]
    691. 

  691. 	ROTL	@X[$d2],8,@X[$d2]
    692. 

  692. ||	ROTL	@X[$d3],8,@X[$d3]
    693. 

  693. || [B0]	BNOP	top1x?			; even protects from interrupt
    694. 

  694. 

  695. 	ADD	@X[$d0],@X[$c2],@X[$c2]
    696. 

  696. ||	ADD	@X[$d1],@X[$c3],@X[$c3]
    697. 

  697. 	ADD	@X[$d2],@X[$c0],@X[$c0]
    698. 

  698. ||	ADD	@X[$d3],@X[$c1],@X[$c1]
    699. 

  699. ||	XOR	@X[$c2],@X[$b0],@X[$b0]
    700. 

  700. ||	XOR	@X[$c3],@X[$b1],@X[$b1]
    701. 

  701. ||	ROTL	@X[$d0],0,@X[$d3]	; moved to avoid cross-path stall
    702. 

  702. ||	ROTL	@X[$d1],0,@X[$d0]
    703. 

  703. 	XOR	@X[$c0],@X[$b2],@X[$b2]
    704. 

  704. ||	XOR	@X[$c1],@X[$b3],@X[$b3]
    705. 

  705. ||	ROTL	@X[$d2],0,@X[$d1]
    706. 

  706. ||	ROTL	@X[$d3],0,@X[$d2]
    707. 

  707. 	ROTL	@X[$b0],7,@X[$b1]	; avoided cross-path stall
    708. 

  708. ||	ROTL	@X[$b1],7,@X[$b2]
    709. 

  709. 	ROTL	@X[$b2],7,@X[$b3]
    710. 

  710. ||	ROTL	@X[$b3],7,@X[$b0]
    711. 

  711. ||[!B0]	CMPLTU	A0,$STEP,A1		; less than 64 bytes left?
    712. 

  712. bottom1x?:
    713. 

  713. ___
    714. 

  714. }
    715. 

  715. 

  716. $code.=<<___;
    717. 

  717. 	ADD	@Y[0],@X[0],@X[0]	; accumulate key material
    718. 

  718. ||	ADD	@Y[1],@X[1],@X[1]
    719. 

  719. ||	ADD	@Y[2],@X[2],@X[2]
    720. 

  720. ||	ADD	@Y[3],@X[3],@X[3]
    721. 

  721. ||[!A1]	LDNDW	*${INP}++[8],@DAT[1]:@DAT[0]
    722. 

  722. || [A1]	BNOP	tail?
    723. 

  723. 	ADD	@Y[4],@X[4],@X[4]
    724. 

  724. ||	ADD	@Y[5],@X[5],@X[5]
    725. 

  725. ||	ADD	@Y[6],@X[6],@X[6]
    726. 

  726. ||	ADD	@Y[7],@X[7],@X[7]
    727. 

  727. ||[!A1]	LDNDW	*${INP}[-7],@DAT[3]:@DAT[2]
    728. 

  728. 	ADD	@Y[8],@X[8],@X[8]
    729. 

  729. ||	ADD	@Y[9],@X[9],@X[9]
    730. 

  730. ||	ADD	@Y[10],@X[10],@X[10]
    731. 

  731. ||	ADD	@Y[11],@X[11],@X[11]
    732. 

  732. ||[!A1]	LDNDW	*${INP}[-6],@DAT[5]:@DAT[4]
    733. 

  733. 	ADD	@Y[12],@X[12],@X[12]
    734. 

  734. ||	ADD	@Y[13],@X[13],@X[13]
    735. 

  735. ||	ADD	@Y[14],@X[14],@X[14]
    736. 

  736. ||	ADD	@Y[15],@X[15],@X[15]
    737. 

  737. ||[!A1]	LDNDW	*${INP}[-5],@DAT[7]:@DAT[6]
    738. 

  738.   [!A1]	LDNDW	*${INP}[-4],@DAT[9]:@DAT[8]
    739. 

  739.   [!A1]	LDNDW	*${INP}[-3],@DAT[11]:@DAT[10]
    740. 

  740. 	LDNDW	*${INP}[-2],@DAT[13]:@DAT[12]
    741. 

  741. 	LDNDW	*${INP}[-1],@DAT[15]:@DAT[14]
    742. 

  742. 

  743. 	.if	.BIG_ENDIAN
    744. 

  744. 	SWAP2	@X[0],@X[0]
    745. 

  745. ||	SWAP2	@X[1],@X[1]
    746. 

  746. ||	SWAP2	@X[2],@X[2]
    747. 

  747. ||	SWAP2	@X[3],@X[3]
    748. 

  748. 	SWAP2	@X[4],@X[4]
    749. 

  749. ||	SWAP2	@X[5],@X[5]
    750. 

  750. ||	SWAP2	@X[6],@X[6]
    751. 

  751. ||	SWAP2	@X[7],@X[7]
    752. 

  752. 	SWAP2	@X[8],@X[8]
    753. 

  753. ||	SWAP2	@X[9],@X[9]
    754. 

  754. ||	SWAP4	@X[0],@X[1]
    755. 

  755. ||	SWAP4	@X[1],@X[0]
    756. 

  756. 	SWAP2	@X[10],@X[10]
    757. 

  757. ||	SWAP2	@X[11],@X[11]
    758. 

  758. ||	SWAP4	@X[2],@X[3]
    759. 

  759. ||	SWAP4	@X[3],@X[2]
    760. 

  760. 	SWAP2	@X[12],@X[12]
    761. 

  761. ||	SWAP2	@X[13],@X[13]
    762. 

  762. ||	SWAP4	@X[4],@X[5]
    763. 

  763. ||	SWAP4	@X[5],@X[4]
    764. 

  764. 	SWAP2	@X[14],@X[14]
    765. 

  765. ||	SWAP2	@X[15],@X[15]
    766. 

  766. ||	SWAP4	@X[6],@X[7]
    767. 

  767. ||	SWAP4	@X[7],@X[6]
    768. 

  768. 	SWAP4	@X[8],@X[9]
    769. 

  769. ||	SWAP4	@X[9],@X[8]
    770. 

  770. 	SWAP4	@X[10],@X[11]
    771. 

  771. ||	SWAP4	@X[11],@X[10]
    772. 

  772. 	SWAP4	@X[12],@X[13]
    773. 

  773. ||	SWAP4	@X[13],@X[12]
    774. 

  774. 	SWAP4	@X[14],@X[15]
    775. 

  775. ||	SWAP4	@X[15],@X[14]
    776. 

  776. 	.else
    777. 

  777. 	NOP	1
    778. 

  778. 	.endif
    779. 

  779. 

  780. 	XOR	@X[0],@DAT[0],@DAT[0]	; xor with input
    781. 

  781. ||	XOR	@X[1],@DAT[1],@DAT[1]
    782. 

  782. ||	XOR	@X[2],@DAT[2],@DAT[2]
    783. 

  783. ||	XOR	@X[3],@DAT[3],@DAT[3]
    784. 

  784. || [A0]	SUB	A0,$STEP,A0		; SUB	A0,64,A0
    785. 

  785. 	XOR	@X[4],@DAT[4],@DAT[4]
    786. 

  786. ||	XOR	@X[5],@DAT[5],@DAT[5]
    787. 

  787. ||	XOR	@X[6],@DAT[6],@DAT[6]
    788. 

  788. ||	XOR	@X[7],@DAT[7],@DAT[7]
    789. 

  789. ||	STNDW	@DAT[1]:@DAT[0],*${OUT}++[8]
    790. 

  790. 	XOR	@X[8],@DAT[8],@DAT[8]
    791. 

  791. ||	XOR	@X[9],@DAT[9],@DAT[9]
    792. 

  792. ||	XOR	@X[10],@DAT[10],@DAT[10]
    793. 

  793. ||	XOR	@X[11],@DAT[11],@DAT[11]
    794. 

  794. ||	STNDW	@DAT[3]:@DAT[2],*${OUT}[-7]
    795. 

  795. 	XOR	@X[12],@DAT[12],@DAT[12]
    796. 

  796. ||	XOR	@X[13],@DAT[13],@DAT[13]
    797. 

  797. ||	XOR	@X[14],@DAT[14],@DAT[14]
    798. 

  798. ||	XOR	@X[15],@DAT[15],@DAT[15]
    799. 

  799. ||	STNDW	@DAT[5]:@DAT[4],*${OUT}[-6]
    800. 

  800. || [A0]	BNOP	top1x?
    801. 

  801.    [A0]	DMV	@Y[2],@Y[0],@X[2]:@X[0]	; duplicate key material
    802. 

  802. || [A0]	DMV	@Y[3],@Y[1],@X[3]:@X[1]
    803. 

  803. ||	STNDW	@DAT[7]:@DAT[6],*${OUT}[-5]
    804. 

  804.    [A0]	DMV	@Y[6],@Y[4],@X[6]:@X[4]
    805. 

  805. || [A0]	DMV	@Y[7],@Y[5],@X[7]:@X[5]
    806. 

  806. ||	STNDW	@DAT[9]:@DAT[8],*${OUT}[-4]
    807. 

  807.    [A0]	DMV	@Y[10],@Y[8],@X[10]:@X[8]
    808. 

  808. || [A0]	DMV	@Y[11],@Y[9],@X[11]:@X[9]
    809. 

  809. || [A0]	ADD	1,@Y[12],@Y[12]		; increment counter
    810. 

  810. ||	STNDW	@DAT[11]:@DAT[10],*${OUT}[-3]
    811. 

  811.    [A0]	DMV	@Y[14],@Y[12],@X[14]:@X[12]
    812. 

  812. || [A0]	DMV	@Y[15],@Y[13],@X[15]:@X[13]
    813. 

  813. ||	STNDW	@DAT[13]:@DAT[12],*${OUT}[-2]
    814. 

  814.    [A0]	MVK	10,B0			; inner loop counter
    815. 

  815. ||	STNDW	@DAT[15]:@DAT[14],*${OUT}[-1]
    816. 

  816. ;;===== branch to top1x? is taken here
    817. 

  817. 

  818. epilogue?:
    819. 

  819. 	LDDW	*FP[-4],A11:A10		; ABI says so
    820. 

  820. 	LDDW	*FP[-3],A13:A12
    821. 

  821. ||	LDDW	*SP[3+8],B11:B10
    822. 

  822. 	LDDW	*SP[4+8],B13:B12
    823. 

  823. ||	BNOP	RA
    824. 

  824. 	LDW	*++SP(40+64),FP		; restore frame pointer
    825. 

  825. 	NOP	4
    826. 

  826. 

  827. tail?:
    828. 

  828. 	LDBU	*${INP}++[1],B24	; load byte by byte
    829. 

  829. ||	SUB	A0,1,A0
    830. 

  830. ||	SUB	A0,1,B1
    831. 

  831.   [!B1]	BNOP	epilogue?		; interrupts are disabled for whole time
    832. 

  832. || [A0] LDBU	*${INP}++[1],B24
    833. 

  833. || [A0]	SUB	A0,1,A0
    834. 

  834. ||	SUB	B1,1,B1
    835. 

  835.   [!B1]	BNOP	epilogue?
    836. 

  836. || [A0] LDBU	*${INP}++[1],B24
    837. 

  837. || [A0]	SUB	A0,1,A0
    838. 

  838. ||	SUB	B1,1,B1
    839. 

  839.   [!B1]	BNOP	epilogue?
    840. 

  840. ||	ROTL	@X[0],0,A24
    841. 

  841. || [A0] LDBU	*${INP}++[1],B24
    842. 

  842. || [A0]	SUB	A0,1,A0
    843. 

  843. ||	SUB	B1,1,B1
    844. 

  844.   [!B1]	BNOP	epilogue?
    845. 

  845. ||	ROTL	@X[0],24,A24
    846. 

  846. || [A0] LDBU	*${INP}++[1],A24
    847. 

  847. || [A0]	SUB	A0,1,A0
    848. 

  848. ||	SUB	B1,1,B1
    849. 

  849.   [!B1]	BNOP	epilogue?
    850. 

  850. ||	ROTL	@X[0],16,A24
    851. 

  851. || [A0] LDBU	*${INP}++[1],A24
    852. 

  852. || [A0]	SUB	A0,1,A0
    853. 

  853. ||	SUB	B1,1,B1
    854. 

  854. ||	XOR	A24,B24,B25
    855. 

  855. 	STB	B25,*${OUT}++[1]	; store byte by byte
    856. 

  856. ||[!B1]	BNOP	epilogue?
    857. 

  857. ||	ROTL	@X[0],8,A24
    858. 

  858. || [A0] LDBU	*${INP}++[1],A24
    859. 

  859. || [A0]	SUB	A0,1,A0
    860. 

  860. ||	SUB	B1,1,B1
    861. 

  861. ||	XOR	A24,B24,B25
    862. 

  862. 	STB	B25,*${OUT}++[1]
    863. 

  863. ___
    864. 

  864. sub TAIL_STEP {
    865. 

  865. my $Xi= shift;
    866. 

  866. my $T = ($Xi=~/^B/?"B24":"A24");	# match @X[i] to avoid cross path
    867. 

  867. my $D = $T; $D=~tr/AB/BA/;
    868. 

  868. my $O = $D; $O=~s/24/25/;
    869. 

  869. 

  870. $code.=<<___;
    871. 

  871. ||[!B1]	BNOP	epilogue?
    872. 

  872. ||	ROTL	$Xi,0,$T
    873. 

  873. || [A0] LDBU	*${INP}++[1],$D
    874. 

  874. || [A0]	SUB	A0,1,A0
    875. 

  875. ||	SUB	B1,1,B1
    876. 

  876. ||	XOR	A24,B24,$O
    877. 

  877. 	STB	$O,*${OUT}++[1]
    878. 

  878. ||[!B1]	BNOP	epilogue?
    879. 

  879. ||	ROTL	$Xi,24,$T
    880. 

  880. || [A0] LDBU	*${INP}++[1],$T
    881. 

  881. || [A0]	SUB	A0,1,A0
    882. 

  882. ||	SUB	B1,1,B1
    883. 

  883. ||	XOR	A24,B24,$O
    884. 

  884. 	STB	$O,*${OUT}++[1]
    885. 

  885. ||[!B1]	BNOP	epilogue?
    886. 

  886. ||	ROTL	$Xi,16,$T
    887. 

  887. || [A0] LDBU	*${INP}++[1],$T
    888. 

  888. || [A0]	SUB	A0,1,A0
    889. 

  889. ||	SUB	B1,1,B1
    890. 

  890. ||	XOR	A24,B24,$O
    891. 

  891. 	STB	$O,*${OUT}++[1]
    892. 

  892. ||[!B1]	BNOP	epilogue?
    893. 

  893. ||	ROTL	$Xi,8,$T
    894. 

  894. || [A0] LDBU	*${INP}++[1],$T
    895. 

  895. || [A0]	SUB	A0,1,A0
    896. 

  896. ||	SUB	B1,1,B1
    897. 

  897. ||	XOR	A24,B24,$O
    898. 

  898. 	STB	$O,*${OUT}++[1]
    899. 

  899. ___
    900. 

  900. }
    901. 

  901. 	foreach (1..14) { TAIL_STEP(@X[$_]); }
    902. 

  902. $code.=<<___;
    903. 

  903. ||[!B1]	BNOP	epilogue?
    904. 

  904. ||	ROTL	@X[15],0,B24
    905. 

  905. ||	XOR	A24,B24,A25
    906. 

  906. 	STB	A25,*${OUT}++[1]
    907. 

  907. ||	ROTL	@X[15],24,B24
    908. 

  908. ||	XOR	A24,B24,A25
    909. 

  909. 	STB	A25,*${OUT}++[1]
    910. 

  910. ||	ROTL	@X[15],16,B24
    911. 

  911. ||	XOR	A24,B24,A25
    912. 

  912. 	STB	A25,*${OUT}++[1]
    913. 

  913. ||	XOR	A24,B24,A25
    914. 

  914. 	STB	A25,*${OUT}++[1]
    915. 

  915. ||	XOR	A24,B24,B25
    916. 

  916. 	STB	B25,*${OUT}++[1]
    917. 

  917. 	.endasmfunc
    918. 

  918. 

  919. 	.sect	.const
    920. 

  920. 	.cstring "ChaCha20 for C64x+, CRYPTOGAMS by <appro\@openssl.org>"
    921. 

  921. 	.align	4
    922. 

  922. ___
    923. 

  923. 

  924. print $code;
    925. 

  925. close STDOUT or die "error closing STDOUT: $!";
    926.