Acasă Explorează Ajutor
Autentificare
SoftwareDesign
/
csu3_am335x
8
0
Bifurcare 0
Fisiere Probleme 0 Trageți solicitările 0 Wiki
Arbore: b27aba80f5
Ramuri Etichete
csu3_am335x
/
EVSE
/
GPL
/
openssl-1.0.2g
/
crypto
/
sha
/
asm
/
sha256-armv4.pl

sha256-armv4.pl 17 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713 
  1. #!/usr/bin/env perl
    2. 

  2. 

  3. # ====================================================================
    4. 

  4. # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
    5. 

  5. # project. The module is, however, dual licensed under OpenSSL and
    6. 

  6. # CRYPTOGAMS licenses depending on where you obtain it. For further
    7. 

  7. # details see http://www.openssl.org/~appro/cryptogams/.
    8. 

  8. #
    9. 

  9. # Permission to use under GPL terms is granted.
    10. 

  10. # ====================================================================
    11. 

  11. 

  12. # SHA256 block procedure for ARMv4. May 2007.
    13. 

  13. 

  14. # Performance is ~2x better than gcc 3.4 generated code and in "abso-
    15. 

  15. # lute" terms is ~2250 cycles per 64-byte block or ~35 cycles per
    16. 

  16. # byte [on single-issue Xscale PXA250 core].
    17. 

  17. 

  18. # July 2010.
    19. 

  19. #
    20. 

  20. # Rescheduling for dual-issue pipeline resulted in 22% improvement on
    21. 

  21. # Cortex A8 core and ~20 cycles per processed byte.
    22. 

  22. 

  23. # February 2011.
    24. 

  24. #
    25. 

  25. # Profiler-assisted and platform-specific optimization resulted in 16%
    26. 

  26. # improvement on Cortex A8 core and ~15.4 cycles per processed byte.
    27. 

  27. 

  28. # September 2013.
    29. 

  29. #
    30. 

  30. # Add NEON implementation. On Cortex A8 it was measured to process one
    31. 

  31. # byte in 12.5 cycles or 23% faster than integer-only code. Snapdragon
    32. 

  32. # S4 does it in 12.5 cycles too, but it's 50% faster than integer-only
    33. 

  33. # code (meaning that latter performs sub-optimally, nothing was done
    34. 

  34. # about it).
    35. 

  35. 

  36. # May 2014.
    37. 

  37. #
    38. 

  38. # Add ARMv8 code path performing at 2.0 cpb on Apple A7.
    39. 

  39. 

  40. while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
    41. 

  41. open STDOUT,">$output";
    42. 

  42. 

  43. $ctx="r0";	$t0="r0";
    44. 

  44. $inp="r1";	$t4="r1";
    45. 

  45. $len="r2";	$t1="r2";
    46. 

  46. $T1="r3";	$t3="r3";
    47. 

  47. $A="r4";
    48. 

  48. $B="r5";
    49. 

  49. $C="r6";
    50. 

  50. $D="r7";
    51. 

  51. $E="r8";
    52. 

  52. $F="r9";
    53. 

  53. $G="r10";
    54. 

  54. $H="r11";
    55. 

  55. @V=($A,$B,$C,$D,$E,$F,$G,$H);
    56. 

  56. $t2="r12";
    57. 

  57. $Ktbl="r14";
    58. 

  58. 

  59. @Sigma0=( 2,13,22);
    60. 

  60. @Sigma1=( 6,11,25);
    61. 

  61. @sigma0=( 7,18, 3);
    62. 

  62. @sigma1=(17,19,10);
    63. 

  63. 

  64. sub BODY_00_15 {
    65. 

  65. my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_;
    66. 

  66. 

  67. $code.=<<___ if ($i<16);
    68. 

  68. #if __ARM_ARCH__>=7
    69. 

  69. 	@ ldr	$t1,[$inp],#4			@ $i
    70. 

  70. # if $i==15
    71. 

  71. 	str	$inp,[sp,#17*4]			@ make room for $t4
    72. 

  72. # endif
    73. 

  73. 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`
    74. 

  74. 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
    75. 

  75. 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
    76. 

  76. 	rev	$t1,$t1
    77. 

  77. #else
    78. 

  78. 	@ ldrb	$t1,[$inp,#3]			@ $i
    79. 

  79. 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
    80. 

  80. 	ldrb	$t2,[$inp,#2]
    81. 

  81. 	ldrb	$t0,[$inp,#1]
    82. 

  82. 	orr	$t1,$t1,$t2,lsl#8
    83. 

  83. 	ldrb	$t2,[$inp],#4
    84. 

  84. 	orr	$t1,$t1,$t0,lsl#16
    85. 

  85. # if $i==15
    86. 

  86. 	str	$inp,[sp,#17*4]			@ make room for $t4
    87. 

  87. # endif
    88. 

  88. 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`
    89. 

  89. 	orr	$t1,$t1,$t2,lsl#24
    90. 

  90. 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
    91. 

  91. #endif
    92. 

  92. ___
    93. 

  93. $code.=<<___;
    94. 

  94. 	ldr	$t2,[$Ktbl],#4			@ *K256++
    95. 

  95. 	add	$h,$h,$t1			@ h+=X[i]
    96. 

  96. 	str	$t1,[sp,#`$i%16`*4]
    97. 

  97. 	eor	$t1,$f,$g
    98. 

  98. 	add	$h,$h,$t0,ror#$Sigma1[0]	@ h+=Sigma1(e)
    99. 

  99. 	and	$t1,$t1,$e
    100. 

  100. 	add	$h,$h,$t2			@ h+=K256[i]
    101. 

  101. 	eor	$t1,$t1,$g			@ Ch(e,f,g)
    102. 

  102. 	eor	$t0,$a,$a,ror#`$Sigma0[1]-$Sigma0[0]`
    103. 

  103. 	add	$h,$h,$t1			@ h+=Ch(e,f,g)
    104. 

  104. #if $i==31
    105. 

  105. 	and	$t2,$t2,#0xff
    106. 

  106. 	cmp	$t2,#0xf2			@ done?
    107. 

  107. #endif
    108. 

  108. #if $i<15
    109. 

  109. # if __ARM_ARCH__>=7
    110. 

  110. 	ldr	$t1,[$inp],#4			@ prefetch
    111. 

  111. # else
    112. 

  112. 	ldrb	$t1,[$inp,#3]
    113. 

  113. # endif
    114. 

  114. 	eor	$t2,$a,$b			@ a^b, b^c in next round
    115. 

  115. #else
    116. 

  116. 	ldr	$t1,[sp,#`($i+2)%16`*4]		@ from future BODY_16_xx
    117. 

  117. 	eor	$t2,$a,$b			@ a^b, b^c in next round
    118. 

  118. 	ldr	$t4,[sp,#`($i+15)%16`*4]	@ from future BODY_16_xx
    119. 

  119. #endif
    120. 

  120. 	eor	$t0,$t0,$a,ror#`$Sigma0[2]-$Sigma0[0]`	@ Sigma0(a)
    121. 

  121. 	and	$t3,$t3,$t2			@ (b^c)&=(a^b)
    122. 

  122. 	add	$d,$d,$h			@ d+=h
    123. 

  123. 	eor	$t3,$t3,$b			@ Maj(a,b,c)
    124. 

  124. 	add	$h,$h,$t0,ror#$Sigma0[0]	@ h+=Sigma0(a)
    125. 

  125. 	@ add	$h,$h,$t3			@ h+=Maj(a,b,c)
    126. 

  126. ___
    127. 

  127. 	($t2,$t3)=($t3,$t2);
    128. 

  128. }
    129. 

  129. 

  130. sub BODY_16_XX {
    131. 

  131. my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_;
    132. 

  132. 

  133. $code.=<<___;
    134. 

  134. 	@ ldr	$t1,[sp,#`($i+1)%16`*4]		@ $i
    135. 

  135. 	@ ldr	$t4,[sp,#`($i+14)%16`*4]
    136. 

  136. 	mov	$t0,$t1,ror#$sigma0[0]
    137. 

  137. 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
    138. 

  138. 	mov	$t2,$t4,ror#$sigma1[0]
    139. 

  139. 	eor	$t0,$t0,$t1,ror#$sigma0[1]
    140. 

  140. 	eor	$t2,$t2,$t4,ror#$sigma1[1]
    141. 

  141. 	eor	$t0,$t0,$t1,lsr#$sigma0[2]	@ sigma0(X[i+1])
    142. 

  142. 	ldr	$t1,[sp,#`($i+0)%16`*4]
    143. 

  143. 	eor	$t2,$t2,$t4,lsr#$sigma1[2]	@ sigma1(X[i+14])
    144. 

  144. 	ldr	$t4,[sp,#`($i+9)%16`*4]
    145. 

  145. 

  146. 	add	$t2,$t2,$t0
    147. 

  147. 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`	@ from BODY_00_15
    148. 

  148. 	add	$t1,$t1,$t2
    149. 

  149. 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
    150. 

  150. 	add	$t1,$t1,$t4			@ X[i]
    151. 

  151. ___
    152. 

  152. 	&BODY_00_15(@_);
    153. 

  153. }
    154. 

  154. 

  155. $code=<<___;
    156. 

  156. #ifndef __KERNEL__
    157. 

  157. # include "arm_arch.h"
    158. 

  158. #else
    159. 

  159. # define __ARM_ARCH__ __LINUX_ARM_ARCH__
    160. 

  160. # define __ARM_MAX_ARCH__ 7
    161. 

  161. #endif
    162. 

  162. 

  163. .text
    164. 

  164. #if __ARM_ARCH__<7
    165. 

  165. .code	32
    166. 

  166. #else
    167. 

  167. .syntax unified
    168. 

  168. # ifdef __thumb2__
    169. 

  169. .thumb
    170. 

  170. # else
    171. 

  171. .code   32
    172. 

  172. # endif
    173. 

  173. #endif
    174. 

  174. 

  175. .type	K256,%object
    176. 

  176. .align	5
    177. 

  177. K256:
    178. 

  178. .word	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
    179. 

  179. .word	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
    180. 

  180. .word	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
    181. 

  181. .word	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
    182. 

  182. .word	0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc
    183. 

  183. .word	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
    184. 

  184. .word	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
    185. 

  185. .word	0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967
    186. 

  186. .word	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
    187. 

  187. .word	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
    188. 

  188. .word	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
    189. 

  189. .word	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
    190. 

  190. .word	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
    191. 

  191. .word	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
    192. 

  192. .word	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
    193. 

  193. .word	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
    194. 

  194. .size	K256,.-K256
    195. 

  195. .word	0				@ terminator
    196. 

  196. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    197. 

  197. .LOPENSSL_armcap:
    198. 

  198. .word	OPENSSL_armcap_P-sha256_block_data_order
    199. 

  199. #endif
    200. 

  200. .align	5
    201. 

  201. 

  202. .global	sha256_block_data_order
    203. 

  203. .type	sha256_block_data_order,%function
    204. 

  204. sha256_block_data_order:
    205. 

  205. #if __ARM_ARCH__<7
    206. 

  206. 	sub	r3,pc,#8		@ sha256_block_data_order
    207. 

  207. #else
    208. 

  208. 	adr	r3,sha256_block_data_order
    209. 

  209. #endif
    210. 

  210. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    211. 

  211. 	ldr	r12,.LOPENSSL_armcap
    212. 

  212. 	ldr	r12,[r3,r12]		@ OPENSSL_armcap_P
    213. 

  213. 	tst	r12,#ARMV8_SHA256
    214. 

  214. 	bne	.LARMv8
    215. 

  215. 	tst	r12,#ARMV7_NEON
    216. 

  216. 	bne	.LNEON
    217. 

  217. #endif
    218. 

  218. 	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
    219. 

  219. 	stmdb	sp!,{$ctx,$inp,$len,r4-r11,lr}
    220. 

  220. 	ldmia	$ctx,{$A,$B,$C,$D,$E,$F,$G,$H}
    221. 

  221. 	sub	$Ktbl,r3,#256+32	@ K256
    222. 

  222. 	sub	sp,sp,#16*4		@ alloca(X[16])
    223. 

  223. .Loop:
    224. 

  224. # if __ARM_ARCH__>=7
    225. 

  225. 	ldr	$t1,[$inp],#4
    226. 

  226. # else
    227. 

  227. 	ldrb	$t1,[$inp,#3]
    228. 

  228. # endif
    229. 

  229. 	eor	$t3,$B,$C		@ magic
    230. 

  230. 	eor	$t2,$t2,$t2
    231. 

  231. ___
    232. 

  232. for($i=0;$i<16;$i++)	{ &BODY_00_15($i,@V); unshift(@V,pop(@V)); }
    233. 

  233. $code.=".Lrounds_16_xx:\n";
    234. 

  234. for (;$i<32;$i++)	{ &BODY_16_XX($i,@V); unshift(@V,pop(@V)); }
    235. 

  235. $code.=<<___;
    236. 

  236. #if __ARM_ARCH__>=7
    237. 

  237. 	ite	eq			@ Thumb2 thing, sanity check in ARM
    238. 

  238. #endif
    239. 

  239. 	ldreq	$t3,[sp,#16*4]		@ pull ctx
    240. 

  240. 	bne	.Lrounds_16_xx
    241. 

  241. 

  242. 	add	$A,$A,$t2		@ h+=Maj(a,b,c) from the past
    243. 

  243. 	ldr	$t0,[$t3,#0]
    244. 

  244. 	ldr	$t1,[$t3,#4]
    245. 

  245. 	ldr	$t2,[$t3,#8]
    246. 

  246. 	add	$A,$A,$t0
    247. 

  247. 	ldr	$t0,[$t3,#12]
    248. 

  248. 	add	$B,$B,$t1
    249. 

  249. 	ldr	$t1,[$t3,#16]
    250. 

  250. 	add	$C,$C,$t2
    251. 

  251. 	ldr	$t2,[$t3,#20]
    252. 

  252. 	add	$D,$D,$t0
    253. 

  253. 	ldr	$t0,[$t3,#24]
    254. 

  254. 	add	$E,$E,$t1
    255. 

  255. 	ldr	$t1,[$t3,#28]
    256. 

  256. 	add	$F,$F,$t2
    257. 

  257. 	ldr	$inp,[sp,#17*4]		@ pull inp
    258. 

  258. 	ldr	$t2,[sp,#18*4]		@ pull inp+len
    259. 

  259. 	add	$G,$G,$t0
    260. 

  260. 	add	$H,$H,$t1
    261. 

  261. 	stmia	$t3,{$A,$B,$C,$D,$E,$F,$G,$H}
    262. 

  262. 	cmp	$inp,$t2
    263. 

  263. 	sub	$Ktbl,$Ktbl,#256	@ rewind Ktbl
    264. 

  264. 	bne	.Loop
    265. 

  265. 

  266. 	add	sp,sp,#`16+3`*4	@ destroy frame
    267. 

  267. #if __ARM_ARCH__>=5
    268. 

  268. 	ldmia	sp!,{r4-r11,pc}
    269. 

  269. #else
    270. 

  270. 	ldmia	sp!,{r4-r11,lr}
    271. 

  271. 	tst	lr,#1
    272. 

  272. 	moveq	pc,lr			@ be binary compatible with V4, yet
    273. 

  273. 	bx	lr			@ interoperable with Thumb ISA:-)
    274. 

  274. #endif
    275. 

  275. .size	sha256_block_data_order,.-sha256_block_data_order
    276. 

  276. ___
    277. 

  277. ######################################################################
    278. 

  278. # NEON stuff
    279. 

  279. #
    280. 

  280. {{{
    281. 

  281. my @X=map("q$_",(0..3));
    282. 

  282. my ($T0,$T1,$T2,$T3,$T4,$T5)=("q8","q9","q10","q11","d24","d25");
    283. 

  283. my $Xfer=$t4;
    284. 

  284. my $j=0;
    285. 

  285. 

  286. sub Dlo()   { shift=~m|q([1]?[0-9])|?"d".($1*2):"";     }
    287. 

  287. sub Dhi()   { shift=~m|q([1]?[0-9])|?"d".($1*2+1):"";   }
    288. 

  288. 

  289. sub AUTOLOAD()          # thunk [simplified] x86-style perlasm
    290. 

  290. { my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./;
    291. 

  291.   my $arg = pop;
    292. 

  292.     $arg = "#$arg" if ($arg*1 eq $arg);
    293. 

  293.     $code .= "\t$opcode\t".join(',',@_,$arg)."\n";
    294. 

  294. }
    295. 

  295. 

  296. sub Xupdate()
    297. 

  297. { use integer;
    298. 

  298.   my $body = shift;
    299. 

  299.   my @insns = (&$body,&$body,&$body,&$body);
    300. 

  300.   my ($a,$b,$c,$d,$e,$f,$g,$h);
    301. 

  301. 

  302. 	&vext_8		($T0,@X[0],@X[1],4);	# X[1..4]
    303. 

  303. 	 eval(shift(@insns));
    304. 

  304. 	 eval(shift(@insns));
    305. 

  305. 	 eval(shift(@insns));
    306. 

  306. 	&vext_8		($T1,@X[2],@X[3],4);	# X[9..12]
    307. 

  307. 	 eval(shift(@insns));
    308. 

  308. 	 eval(shift(@insns));
    309. 

  309. 	 eval(shift(@insns));
    310. 

  310. 	&vshr_u32	($T2,$T0,$sigma0[0]);
    311. 

  311. 	 eval(shift(@insns));
    312. 

  312. 	 eval(shift(@insns));
    313. 

  313. 	&vadd_i32	(@X[0],@X[0],$T1);	# X[0..3] += X[9..12]
    314. 

  314. 	 eval(shift(@insns));
    315. 

  315. 	 eval(shift(@insns));
    316. 

  316. 	&vshr_u32	($T1,$T0,$sigma0[2]);
    317. 

  317. 	 eval(shift(@insns));
    318. 

  318. 	 eval(shift(@insns));
    319. 

  319. 	&vsli_32	($T2,$T0,32-$sigma0[0]);
    320. 

  320. 	 eval(shift(@insns));
    321. 

  321. 	 eval(shift(@insns));
    322. 

  322. 	&vshr_u32	($T3,$T0,$sigma0[1]);
    323. 

  323. 	 eval(shift(@insns));
    324. 

  324. 	 eval(shift(@insns));
    325. 

  325. 	&veor		($T1,$T1,$T2);
    326. 

  326. 	 eval(shift(@insns));
    327. 

  327. 	 eval(shift(@insns));
    328. 

  328. 	&vsli_32	($T3,$T0,32-$sigma0[1]);
    329. 

  329. 	 eval(shift(@insns));
    330. 

  330. 	 eval(shift(@insns));
    331. 

  331. 	  &vshr_u32	($T4,&Dhi(@X[3]),$sigma1[0]);
    332. 

  332. 	 eval(shift(@insns));
    333. 

  333. 	 eval(shift(@insns));
    334. 

  334. 	&veor		($T1,$T1,$T3);		# sigma0(X[1..4])
    335. 

  335. 	 eval(shift(@insns));
    336. 

  336. 	 eval(shift(@insns));
    337. 

  337. 	  &vsli_32	($T4,&Dhi(@X[3]),32-$sigma1[0]);
    338. 

  338. 	 eval(shift(@insns));
    339. 

  339. 	 eval(shift(@insns));
    340. 

  340. 	  &vshr_u32	($T5,&Dhi(@X[3]),$sigma1[2]);
    341. 

  341. 	 eval(shift(@insns));
    342. 

  342. 	 eval(shift(@insns));
    343. 

  343. 	&vadd_i32	(@X[0],@X[0],$T1);	# X[0..3] += sigma0(X[1..4])
    344. 

  344. 	 eval(shift(@insns));
    345. 

  345. 	 eval(shift(@insns));
    346. 

  346. 	  &veor		($T5,$T5,$T4);
    347. 

  347. 	 eval(shift(@insns));
    348. 

  348. 	 eval(shift(@insns));
    349. 

  349. 	  &vshr_u32	($T4,&Dhi(@X[3]),$sigma1[1]);
    350. 

  350. 	 eval(shift(@insns));
    351. 

  351. 	 eval(shift(@insns));
    352. 

  352. 	  &vsli_32	($T4,&Dhi(@X[3]),32-$sigma1[1]);
    353. 

  353. 	 eval(shift(@insns));
    354. 

  354. 	 eval(shift(@insns));
    355. 

  355. 	  &veor		($T5,$T5,$T4);		# sigma1(X[14..15])
    356. 

  356. 	 eval(shift(@insns));
    357. 

  357. 	 eval(shift(@insns));
    358. 

  358. 	&vadd_i32	(&Dlo(@X[0]),&Dlo(@X[0]),$T5);# X[0..1] += sigma1(X[14..15])
    359. 

  359. 	 eval(shift(@insns));
    360. 

  360. 	 eval(shift(@insns));
    361. 

  361. 	  &vshr_u32	($T4,&Dlo(@X[0]),$sigma1[0]);
    362. 

  362. 	 eval(shift(@insns));
    363. 

  363. 	 eval(shift(@insns));
    364. 

  364. 	  &vsli_32	($T4,&Dlo(@X[0]),32-$sigma1[0]);
    365. 

  365. 	 eval(shift(@insns));
    366. 

  366. 	 eval(shift(@insns));
    367. 

  367. 	  &vshr_u32	($T5,&Dlo(@X[0]),$sigma1[2]);
    368. 

  368. 	 eval(shift(@insns));
    369. 

  369. 	 eval(shift(@insns));
    370. 

  370. 	  &veor		($T5,$T5,$T4);
    371. 

  371. 	 eval(shift(@insns));
    372. 

  372. 	 eval(shift(@insns));
    373. 

  373. 	  &vshr_u32	($T4,&Dlo(@X[0]),$sigma1[1]);
    374. 

  374. 	 eval(shift(@insns));
    375. 

  375. 	 eval(shift(@insns));
    376. 

  376. 	&vld1_32	("{$T0}","[$Ktbl,:128]!");
    377. 

  377. 	 eval(shift(@insns));
    378. 

  378. 	 eval(shift(@insns));
    379. 

  379. 	  &vsli_32	($T4,&Dlo(@X[0]),32-$sigma1[1]);
    380. 

  380. 	 eval(shift(@insns));
    381. 

  381. 	 eval(shift(@insns));
    382. 

  382. 	  &veor		($T5,$T5,$T4);		# sigma1(X[16..17])
    383. 

  383. 	 eval(shift(@insns));
    384. 

  384. 	 eval(shift(@insns));
    385. 

  385. 	&vadd_i32	(&Dhi(@X[0]),&Dhi(@X[0]),$T5);# X[2..3] += sigma1(X[16..17])
    386. 

  386. 	 eval(shift(@insns));
    387. 

  387. 	 eval(shift(@insns));
    388. 

  388. 	&vadd_i32	($T0,$T0,@X[0]);
    389. 

  389. 	 while($#insns>=2) { eval(shift(@insns)); }
    390. 

  390. 	&vst1_32	("{$T0}","[$Xfer,:128]!");
    391. 

  391. 	 eval(shift(@insns));
    392. 

  392. 	 eval(shift(@insns));
    393. 

  393. 

  394. 	push(@X,shift(@X));		# "rotate" X[]
    395. 

  395. }
    396. 

  396. 

  397. sub Xpreload()
    398. 

  398. { use integer;
    399. 

  399.   my $body = shift;
    400. 

  400.   my @insns = (&$body,&$body,&$body,&$body);
    401. 

  401.   my ($a,$b,$c,$d,$e,$f,$g,$h);
    402. 

  402. 

  403. 	 eval(shift(@insns));
    404. 

  404. 	 eval(shift(@insns));
    405. 

  405. 	 eval(shift(@insns));
    406. 

  406. 	 eval(shift(@insns));
    407. 

  407. 	&vld1_32	("{$T0}","[$Ktbl,:128]!");
    408. 

  408. 	 eval(shift(@insns));
    409. 

  409. 	 eval(shift(@insns));
    410. 

  410. 	 eval(shift(@insns));
    411. 

  411. 	 eval(shift(@insns));
    412. 

  412. 	&vrev32_8	(@X[0],@X[0]);
    413. 

  413. 	 eval(shift(@insns));
    414. 

  414. 	 eval(shift(@insns));
    415. 

  415. 	 eval(shift(@insns));
    416. 

  416. 	 eval(shift(@insns));
    417. 

  417. 	&vadd_i32	($T0,$T0,@X[0]);
    418. 

  418. 	 foreach (@insns) { eval; }	# remaining instructions
    419. 

  419. 	&vst1_32	("{$T0}","[$Xfer,:128]!");
    420. 

  420. 

  421. 	push(@X,shift(@X));		# "rotate" X[]
    422. 

  422. }
    423. 

  423. 

  424. sub body_00_15 () {
    425. 

  425. 	(
    426. 

  426. 	'($a,$b,$c,$d,$e,$f,$g,$h)=@V;'.
    427. 

  427. 	'&add	($h,$h,$t1)',			# h+=X[i]+K[i]
    428. 

  428. 	'&eor	($t1,$f,$g)',
    429. 

  429. 	'&eor	($t0,$e,$e,"ror#".($Sigma1[1]-$Sigma1[0]))',
    430. 

  430. 	'&add	($a,$a,$t2)',			# h+=Maj(a,b,c) from the past
    431. 

  431. 	'&and	($t1,$t1,$e)',
    432. 

  432. 	'&eor	($t2,$t0,$e,"ror#".($Sigma1[2]-$Sigma1[0]))',	# Sigma1(e)
    433. 

  433. 	'&eor	($t0,$a,$a,"ror#".($Sigma0[1]-$Sigma0[0]))',
    434. 

  434. 	'&eor	($t1,$t1,$g)',			# Ch(e,f,g)
    435. 

  435. 	'&add	($h,$h,$t2,"ror#$Sigma1[0]")',	# h+=Sigma1(e)
    436. 

  436. 	'&eor	($t2,$a,$b)',			# a^b, b^c in next round
    437. 

  437. 	'&eor	($t0,$t0,$a,"ror#".($Sigma0[2]-$Sigma0[0]))',	# Sigma0(a)
    438. 

  438. 	'&add	($h,$h,$t1)',			# h+=Ch(e,f,g)
    439. 

  439. 	'&ldr	($t1,sprintf "[sp,#%d]",4*(($j+1)&15))	if (($j&15)!=15);'.
    440. 

  440. 	'&ldr	($t1,"[$Ktbl]")				if ($j==15);'.
    441. 

  441. 	'&ldr	($t1,"[sp,#64]")			if ($j==31)',
    442. 

  442. 	'&and	($t3,$t3,$t2)',			# (b^c)&=(a^b)
    443. 

  443. 	'&add	($d,$d,$h)',			# d+=h
    444. 

  444. 	'&add	($h,$h,$t0,"ror#$Sigma0[0]");'.	# h+=Sigma0(a)
    445. 

  445. 	'&eor	($t3,$t3,$b)',			# Maj(a,b,c)
    446. 

  446. 	'$j++;	unshift(@V,pop(@V)); ($t2,$t3)=($t3,$t2);'
    447. 

  447. 	)
    448. 

  448. }
    449. 

  449. 

  450. $code.=<<___;
    451. 

  451. #if __ARM_MAX_ARCH__>=7
    452. 

  452. .arch	armv7-a
    453. 

  453. .fpu	neon
    454. 

  454. 

  455. .global	sha256_block_data_order_neon
    456. 

  456. .type	sha256_block_data_order_neon,%function
    457. 

  457. .align	4
    458. 

  458. sha256_block_data_order_neon:
    459. 

  459. .LNEON:
    460. 

  460. 	stmdb	sp!,{r4-r12,lr}
    461. 

  461. 

  462. 	sub	$H,sp,#16*4+16
    463. 

  463. 	adr	$Ktbl,K256
    464. 

  464. 	bic	$H,$H,#15		@ align for 128-bit stores
    465. 

  465. 	mov	$t2,sp
    466. 

  466. 	mov	sp,$H			@ alloca
    467. 

  467. 	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
    468. 

  468. 

  469. 	vld1.8		{@X[0]},[$inp]!
    470. 

  470. 	vld1.8		{@X[1]},[$inp]!
    471. 

  471. 	vld1.8		{@X[2]},[$inp]!
    472. 

  472. 	vld1.8		{@X[3]},[$inp]!
    473. 

  473. 	vld1.32		{$T0},[$Ktbl,:128]!
    474. 

  474. 	vld1.32		{$T1},[$Ktbl,:128]!
    475. 

  475. 	vld1.32		{$T2},[$Ktbl,:128]!
    476. 

  476. 	vld1.32		{$T3},[$Ktbl,:128]!
    477. 

  477. 	vrev32.8	@X[0],@X[0]		@ yes, even on
    478. 

  478. 	str		$ctx,[sp,#64]
    479. 

  479. 	vrev32.8	@X[1],@X[1]		@ big-endian
    480. 

  480. 	str		$inp,[sp,#68]
    481. 

  481. 	mov		$Xfer,sp
    482. 

  482. 	vrev32.8	@X[2],@X[2]
    483. 

  483. 	str		$len,[sp,#72]
    484. 

  484. 	vrev32.8	@X[3],@X[3]
    485. 

  485. 	str		$t2,[sp,#76]		@ save original sp
    486. 

  486. 	vadd.i32	$T0,$T0,@X[0]
    487. 

  487. 	vadd.i32	$T1,$T1,@X[1]
    488. 

  488. 	vst1.32		{$T0},[$Xfer,:128]!
    489. 

  489. 	vadd.i32	$T2,$T2,@X[2]
    490. 

  490. 	vst1.32		{$T1},[$Xfer,:128]!
    491. 

  491. 	vadd.i32	$T3,$T3,@X[3]
    492. 

  492. 	vst1.32		{$T2},[$Xfer,:128]!
    493. 

  493. 	vst1.32		{$T3},[$Xfer,:128]!
    494. 

  494. 

  495. 	ldmia		$ctx,{$A-$H}
    496. 

  496. 	sub		$Xfer,$Xfer,#64
    497. 

  497. 	ldr		$t1,[sp,#0]
    498. 

  498. 	eor		$t2,$t2,$t2
    499. 

  499. 	eor		$t3,$B,$C
    500. 

  500. 	b		.L_00_48
    501. 

  501. 

  502. .align	4
    503. 

  503. .L_00_48:
    504. 

  504. ___
    505. 

  505. 	&Xupdate(\&body_00_15);
    506. 

  506. 	&Xupdate(\&body_00_15);
    507. 

  507. 	&Xupdate(\&body_00_15);
    508. 

  508. 	&Xupdate(\&body_00_15);
    509. 

  509. $code.=<<___;
    510. 

  510. 	teq	$t1,#0				@ check for K256 terminator
    511. 

  511. 	ldr	$t1,[sp,#0]
    512. 

  512. 	sub	$Xfer,$Xfer,#64
    513. 

  513. 	bne	.L_00_48
    514. 

  514. 

  515. 	ldr		$inp,[sp,#68]
    516. 

  516. 	ldr		$t0,[sp,#72]
    517. 

  517. 	sub		$Ktbl,$Ktbl,#256	@ rewind $Ktbl
    518. 

  518. 	teq		$inp,$t0
    519. 

  519. 	it		eq
    520. 

  520. 	subeq		$inp,$inp,#64		@ avoid SEGV
    521. 

  521. 	vld1.8		{@X[0]},[$inp]!		@ load next input block
    522. 

  522. 	vld1.8		{@X[1]},[$inp]!
    523. 

  523. 	vld1.8		{@X[2]},[$inp]!
    524. 

  524. 	vld1.8		{@X[3]},[$inp]!
    525. 

  525. 	it		ne
    526. 

  526. 	strne		$inp,[sp,#68]
    527. 

  527. 	mov		$Xfer,sp
    528. 

  528. ___
    529. 

  529. 	&Xpreload(\&body_00_15);
    530. 

  530. 	&Xpreload(\&body_00_15);
    531. 

  531. 	&Xpreload(\&body_00_15);
    532. 

  532. 	&Xpreload(\&body_00_15);
    533. 

  533. $code.=<<___;
    534. 

  534. 	ldr	$t0,[$t1,#0]
    535. 

  535. 	add	$A,$A,$t2			@ h+=Maj(a,b,c) from the past
    536. 

  536. 	ldr	$t2,[$t1,#4]
    537. 

  537. 	ldr	$t3,[$t1,#8]
    538. 

  538. 	ldr	$t4,[$t1,#12]
    539. 

  539. 	add	$A,$A,$t0			@ accumulate
    540. 

  540. 	ldr	$t0,[$t1,#16]
    541. 

  541. 	add	$B,$B,$t2
    542. 

  542. 	ldr	$t2,[$t1,#20]
    543. 

  543. 	add	$C,$C,$t3
    544. 

  544. 	ldr	$t3,[$t1,#24]
    545. 

  545. 	add	$D,$D,$t4
    546. 

  546. 	ldr	$t4,[$t1,#28]
    547. 

  547. 	add	$E,$E,$t0
    548. 

  548. 	str	$A,[$t1],#4
    549. 

  549. 	add	$F,$F,$t2
    550. 

  550. 	str	$B,[$t1],#4
    551. 

  551. 	add	$G,$G,$t3
    552. 

  552. 	str	$C,[$t1],#4
    553. 

  553. 	add	$H,$H,$t4
    554. 

  554. 	str	$D,[$t1],#4
    555. 

  555. 	stmia	$t1,{$E-$H}
    556. 

  556. 

  557. 	ittte	ne
    558. 

  558. 	movne	$Xfer,sp
    559. 

  559. 	ldrne	$t1,[sp,#0]
    560. 

  560. 	eorne	$t2,$t2,$t2
    561. 

  561. 	ldreq	sp,[sp,#76]			@ restore original sp
    562. 

  562. 	itt	ne
    563. 

  563. 	eorne	$t3,$B,$C
    564. 

  564. 	bne	.L_00_48
    565. 

  565. 

  566. 	ldmia	sp!,{r4-r12,pc}
    567. 

  567. .size	sha256_block_data_order_neon,.-sha256_block_data_order_neon
    568. 

  568. #endif
    569. 

  569. ___
    570. 

  570. }}}
    571. 

  571. ######################################################################
    572. 

  572. # ARMv8 stuff
    573. 

  573. #
    574. 

  574. {{{
    575. 

  575. my ($ABCD,$EFGH,$abcd)=map("q$_",(0..2));
    576. 

  576. my @MSG=map("q$_",(8..11));
    577. 

  577. my ($W0,$W1,$ABCD_SAVE,$EFGH_SAVE)=map("q$_",(12..15));
    578. 

  578. my $Ktbl="r3";
    579. 

  579. 

  580. $code.=<<___;
    581. 

  581. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    582. 

  582. 

  583. # ifdef __thumb2__
    584. 

  584. #  define INST(a,b,c,d)	.byte	c,d|0xc,a,b
    585. 

  585. # else
    586. 

  586. #  define INST(a,b,c,d)	.byte	a,b,c,d
    587. 

  587. # endif
    588. 

  588. 

  589. .type	sha256_block_data_order_armv8,%function
    590. 

  590. .align	5
    591. 

  591. sha256_block_data_order_armv8:
    592. 

  592. .LARMv8:
    593. 

  593. 	vld1.32	{$ABCD,$EFGH},[$ctx]
    594. 

  594. # ifdef __thumb2__
    595. 

  595. 	adr	$Ktbl,.LARMv8
    596. 

  596. 	sub	$Ktbl,$Ktbl,#.LARMv8-K256
    597. 

  597. # else
    598. 

  598. 	adrl	$Ktbl,K256
    599. 

  599. # endif
    600. 

  600. 	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
    601. 

  601. 

  602. .Loop_v8:
    603. 

  603. 	vld1.8		{@MSG[0]-@MSG[1]},[$inp]!
    604. 

  604. 	vld1.8		{@MSG[2]-@MSG[3]},[$inp]!
    605. 

  605. 	vld1.32		{$W0},[$Ktbl]!
    606. 

  606. 	vrev32.8	@MSG[0],@MSG[0]
    607. 

  607. 	vrev32.8	@MSG[1],@MSG[1]
    608. 

  608. 	vrev32.8	@MSG[2],@MSG[2]
    609. 

  609. 	vrev32.8	@MSG[3],@MSG[3]
    610. 

  610. 	vmov		$ABCD_SAVE,$ABCD	@ offload
    611. 

  611. 	vmov		$EFGH_SAVE,$EFGH
    612. 

  612. 	teq		$inp,$len
    613. 

  613. ___
    614. 

  614. for($i=0;$i<12;$i++) {
    615. 

  615. $code.=<<___;
    616. 

  616. 	vld1.32		{$W1},[$Ktbl]!
    617. 

  617. 	vadd.i32	$W0,$W0,@MSG[0]
    618. 

  618. 	sha256su0	@MSG[0],@MSG[1]
    619. 

  619. 	vmov		$abcd,$ABCD
    620. 

  620. 	sha256h		$ABCD,$EFGH,$W0
    621. 

  621. 	sha256h2	$EFGH,$abcd,$W0
    622. 

  622. 	sha256su1	@MSG[0],@MSG[2],@MSG[3]
    623. 

  623. ___
    624. 

  624. 	($W0,$W1)=($W1,$W0);	push(@MSG,shift(@MSG));
    625. 

  625. }
    626. 

  626. $code.=<<___;
    627. 

  627. 	vld1.32		{$W1},[$Ktbl]!
    628. 

  628. 	vadd.i32	$W0,$W0,@MSG[0]
    629. 

  629. 	vmov		$abcd,$ABCD
    630. 

  630. 	sha256h		$ABCD,$EFGH,$W0
    631. 

  631. 	sha256h2	$EFGH,$abcd,$W0
    632. 

  632. 

  633. 	vld1.32		{$W0},[$Ktbl]!
    634. 

  634. 	vadd.i32	$W1,$W1,@MSG[1]
    635. 

  635. 	vmov		$abcd,$ABCD
    636. 

  636. 	sha256h		$ABCD,$EFGH,$W1
    637. 

  637. 	sha256h2	$EFGH,$abcd,$W1
    638. 

  638. 

  639. 	vld1.32		{$W1},[$Ktbl]
    640. 

  640. 	vadd.i32	$W0,$W0,@MSG[2]
    641. 

  641. 	sub		$Ktbl,$Ktbl,#256-16	@ rewind
    642. 

  642. 	vmov		$abcd,$ABCD
    643. 

  643. 	sha256h		$ABCD,$EFGH,$W0
    644. 

  644. 	sha256h2	$EFGH,$abcd,$W0
    645. 

  645. 

  646. 	vadd.i32	$W1,$W1,@MSG[3]
    647. 

  647. 	vmov		$abcd,$ABCD
    648. 

  648. 	sha256h		$ABCD,$EFGH,$W1
    649. 

  649. 	sha256h2	$EFGH,$abcd,$W1
    650. 

  650. 

  651. 	vadd.i32	$ABCD,$ABCD,$ABCD_SAVE
    652. 

  652. 	vadd.i32	$EFGH,$EFGH,$EFGH_SAVE
    653. 

  653. 	it		ne
    654. 

  654. 	bne		.Loop_v8
    655. 

  655. 

  656. 	vst1.32		{$ABCD,$EFGH},[$ctx]
    657. 

  657. 

  658. 	ret		@ bx lr
    659. 

  659. .size	sha256_block_data_order_armv8,.-sha256_block_data_order_armv8
    660. 

  660. #endif
    661. 

  661. ___
    662. 

  662. }}}
    663. 

  663. $code.=<<___;
    664. 

  664. .asciz  "SHA256 block transform for ARMv4/NEON/ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
    665. 

  665. .align	2
    666. 

  666. #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
    667. 

  667. .comm   OPENSSL_armcap_P,4,4
    668. 

  668. #endif
    669. 

  669. ___
    670. 

  670. 

  671. open SELF,$0;
    672. 

  672. while(<SELF>) {
    673. 

  673. 	next if (/^#!/);
    674. 

  674. 	last if (!s/^#/@/ and !/^$/);
    675. 

  675. 	print;
    676. 

  676. }
    677. 

  677. close SELF;
    678. 

  678. 

  679. {   my  %opcode = (
    680. 

  680. 	"sha256h"	=> 0xf3000c40,	"sha256h2"	=> 0xf3100c40,
    681. 

  681. 	"sha256su0"	=> 0xf3ba03c0,	"sha256su1"	=> 0xf3200c40	);
    682. 

  682. 

  683.     sub unsha256 {
    684. 

  684. 	my ($mnemonic,$arg)=@_;
    685. 

  685. 

  686. 	if ($arg =~ m/q([0-9]+)(?:,\s*q([0-9]+))?,\s*q([0-9]+)/o) {
    687. 

  687. 	    my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
    688. 

  688. 					 |(($2&7)<<17)|(($2&8)<<4)
    689. 

  689. 					 |(($3&7)<<1) |(($3&8)<<2);
    690. 

  690. 	    # since ARMv7 instructions are always encoded little-endian.
    691. 

  691. 	    # correct solution is to use .inst directive, but older
    692. 

  692. 	    # assemblers don't implement it:-(
    693. 

  693. 	    sprintf "INST(0x%02x,0x%02x,0x%02x,0x%02x)\t@ %s %s",
    694. 

  694. 			$word&0xff,($word>>8)&0xff,
    695. 

  695. 			($word>>16)&0xff,($word>>24)&0xff,
    696. 

  696. 			$mnemonic,$arg;
    697. 

  697. 	}
    698. 

  698.     }
    699. 

  699. }
    700. 

  700. 

  701. foreach (split($/,$code)) {
    702. 

  702. 

  703. 	s/\`([^\`]*)\`/eval $1/geo;
    704. 

  704. 

  705. 	s/\b(sha256\w+)\s+(q.*)/unsha256($1,$2)/geo;
    706. 

  706. 

  707. 	s/\bret\b/bx	lr/go		or
    708. 

  708. 	s/\bbx\s+lr\b/.word\t0xe12fff1e/go;	# make it possible to compile with -march=armv4
    709. 

  709. 

  710. 	print $_,"\n";
    711. 

  711. }
    712. 

  712. 

  713. close STDOUT; # enforce flush
    714.