[openssl-commits] [openssl] master update

Andy Polyakov appro at openssl.org
Thu Jun 15 19:54:02 UTC 2017 

The branch master has been updated
       via  5eb2dd88b3b97a0bdd1929924463b339ef3e141b (commit)
      from  0c3d0d4a01d71f7de4e340f045cb9fd16b3bf4d2 (commit)


- Log -----------------------------------------------------------------
commit 5eb2dd88b3b97a0bdd1929924463b339ef3e141b
Author: Andy Polyakov <appro at openssl.org>
Date:   Wed Jun 14 13:35:17 2017 +0200

    Add sha/asm/keccak1600-armv8.pl.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/sha/asm/keccak1600-armv8.pl | 653 +++++++++++++++++++++++++++++++++++++
 1 file changed, 653 insertions(+)
 create mode 100755 crypto/sha/asm/keccak1600-armv8.pl

diff --git a/crypto/sha/asm/keccak1600-armv8.pl b/crypto/sha/asm/keccak1600-armv8.pl
new file mode 100755
index 0000000..b67fb63
--- /dev/null
+++ b/crypto/sha/asm/keccak1600-armv8.pl
@@ -0,0 +1,653 @@
+#!/usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# ====================================================================
+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
+# project. The module is, however, dual licensed under OpenSSL and
+# CRYPTOGAMS licenses depending on where you obtain it. For further
+# details see http://www.openssl.org/~appro/cryptogams/.
+# ====================================================================
+#
+# Keccak-1600 for ARMv8.
+#
+# June 2017.
+#
+# This is straightforward KECCAK_1X_ALT implementation. It makes no
+# sense to attempt SIMD/NEON implementation for following reason.
+# 64-bit lanes of vector registers can't be addressed as easily as in
+# 32-bit mode. This means that 64-bit NEON is bound to be slower than
+# 32-bit NEON, and this implementation is faster than 32-bit NEON on
+# same processor. Even though it takes more scalar xor's and andn's,
+# it gets compensated by availability of rotate. Not to forget that
+# most processors achieve higher issue rate with scalar instructions.
+#
+######################################################################
+# Numbers are cycles per processed byte.
+#
+#		r=1088(*)
+#
+# Cortex-A53	13
+# Cortex-A57	12
+# X-Gene	14
+# Mongoose	10
+# Denver	7.8
+# Apple A7	7.2
+#
+# (*)	Corresponds to SHA3-256. No improvement coefficients are listed
+#	because they vary too much from compiler to compiler. Newer
+#	compiler does much better and improvement varies from 5% on
+#	Cortex-A57 to 25% on Cortex-A53. While in comparison to older
+#	compiler this code is at least 2x faster...
+
+$flavour = shift;
+$output  = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+my @A = map([ "x$_", "x".($_+1), "x".($_+2), "x".($_+3), "x".($_+4) ],
+            (0, 5, 10, 15, 20));
+   $A[3][3] = "x25"; # x18 is reserved
+
+my @C = map("x$_", (26,27,28,30));
+
+my @rhotates = ([  0,  1, 62, 28, 27 ],
+                [ 36, 44,  6, 55, 20 ],
+                [  3, 10, 43, 25, 39 ],
+                [ 41, 45, 15, 21,  8 ],
+                [ 18,  2, 61, 56, 14 ]);
+
+$code.=<<___;
+.text
+
+.align 8	// strategic alignment and padding that allows to use
+		// address value as loop termination condition...
+	.quad	0,0,0,0,0,0,0,0
+.type	iotas,%object
+iotas:
+	.quad	0x0000000000000001
+	.quad	0x0000000000008082
+	.quad	0x800000000000808a
+	.quad	0x8000000080008000
+	.quad	0x000000000000808b
+	.quad	0x0000000080000001
+	.quad	0x8000000080008081
+	.quad	0x8000000000008009
+	.quad	0x000000000000008a
+	.quad	0x0000000000000088
+	.quad	0x0000000080008009
+	.quad	0x000000008000000a
+	.quad	0x000000008000808b
+	.quad	0x800000000000008b
+	.quad	0x8000000000008089
+	.quad	0x8000000000008003
+	.quad	0x8000000000008002
+	.quad	0x8000000000000080
+	.quad	0x000000000000800a
+	.quad	0x800000008000000a
+	.quad	0x8000000080008081
+	.quad	0x8000000000008080
+	.quad	0x0000000080000001
+	.quad	0x8000000080008008
+.size	iotas,.-iotas
+
+.type	KeccakF1600_int,%function
+.align	5
+KeccakF1600_int:
+	adr	$C[2],iotas
+	stp	$C[2],x30,[sp,#16]		// 32 bytes on top are mine
+	b	.Loop
+.align	4
+.Loop:
+	////////////////////////////////////////// Theta
+	eor	$C[0],$A[0][0],$A[1][0]
+	stp	$A[0][4],$A[1][4],[sp,#0]	// offload pair...
+	eor	$C[1],$A[0][1],$A[1][1]
+	eor	$C[2],$A[0][2],$A[1][2]
+	eor	$C[3],$A[0][3],$A[1][3]
+___
+	$C[4]=$A[0][4];
+	$C[5]=$A[1][4];
+$code.=<<___;
+	eor	$C[4],$A[0][4],$A[1][4]
+	eor	$C[0],$C[0],$A[2][0]
+	eor	$C[1],$C[1],$A[2][1]
+	eor	$C[2],$C[2],$A[2][2]
+	eor	$C[3],$C[3],$A[2][3]
+	eor	$C[4],$C[4],$A[2][4]
+	eor	$C[0],$C[0],$A[3][0]
+	eor	$C[1],$C[1],$A[3][1]
+	eor	$C[2],$C[2],$A[3][2]
+	eor	$C[3],$C[3],$A[3][3]
+	eor	$C[4],$C[4],$A[3][4]
+	eor	$C[0],$C[0],$A[4][0]
+	eor	$C[2],$C[2],$A[4][2]
+	eor	$C[1],$C[1],$A[4][1]
+	eor	$C[3],$C[3],$A[4][3]
+	eor	$C[4],$C[4],$A[4][4]
+
+	eor	$C[5],$C[0],$C[2],ror#63
+
+	eor	$A[0][1],$A[0][1],$C[5]
+	eor	$A[1][1],$A[1][1],$C[5]
+	eor	$A[2][1],$A[2][1],$C[5]
+	eor	$A[3][1],$A[3][1],$C[5]
+	eor	$A[4][1],$A[4][1],$C[5]
+
+	eor	$C[5],$C[1],$C[3],ror#63
+	eor	$C[2],$C[2],$C[4],ror#63
+	eor	$C[3],$C[3],$C[0],ror#63
+	eor	$C[4],$C[4],$C[1],ror#63
+
+	eor	$C[1],   $A[0][2],$C[5]		// mov	$C[1],$A[0][2]
+	eor	$A[1][2],$A[1][2],$C[5]
+	eor	$A[2][2],$A[2][2],$C[5]
+	eor	$A[3][2],$A[3][2],$C[5]
+	eor	$A[4][2],$A[4][2],$C[5]
+
+	eor	$A[0][0],$A[0][0],$C[4]
+	eor	$A[1][0],$A[1][0],$C[4]
+	eor	$A[2][0],$A[2][0],$C[4]
+	eor	$A[3][0],$A[3][0],$C[4]
+	eor	$A[4][0],$A[4][0],$C[4]
+___
+	$C[4]=undef;
+	$C[5]=undef;
+$code.=<<___;
+	ldp	$A[0][4],$A[1][4],[sp,#0]	// re-load offloaded data
+	eor	$C[0],   $A[0][3],$C[2]		// mov	$C[0],$A[0][3]
+	eor	$A[1][3],$A[1][3],$C[2]
+	eor	$A[2][3],$A[2][3],$C[2]
+	eor	$A[3][3],$A[3][3],$C[2]
+	eor	$A[4][3],$A[4][3],$C[2]
+
+	eor	$C[2],   $A[0][4],$C[3]		// mov	$C[2],$A[0][4]
+	eor	$A[1][4],$A[1][4],$C[3]
+	eor	$A[2][4],$A[2][4],$C[3]
+	eor	$A[3][4],$A[3][4],$C[3]
+	eor	$A[4][4],$A[4][4],$C[3]
+
+	////////////////////////////////////////// Rho+Pi
+	mov	$C[3],$A[0][1]
+	ror	$A[0][1],$A[1][1],#64-$rhotates[1][1]
+	//mov	$C[1],$A[0][2]
+	ror	$A[0][2],$A[2][2],#64-$rhotates[2][2]
+	//mov	$C[0],$A[0][3]
+	ror	$A[0][3],$A[3][3],#64-$rhotates[3][3]
+	//mov	$C[2],$A[0][4]
+	ror	$A[0][4],$A[4][4],#64-$rhotates[4][4]
+
+	ror	$A[1][1],$A[1][4],#64-$rhotates[1][4]
+	ror	$A[2][2],$A[2][3],#64-$rhotates[2][3]
+	ror	$A[3][3],$A[3][2],#64-$rhotates[3][2]
+	ror	$A[4][4],$A[4][1],#64-$rhotates[4][1]
+
+	ror	$A[1][4],$A[4][2],#64-$rhotates[4][2]
+	ror	$A[2][3],$A[3][4],#64-$rhotates[3][4]
+	ror	$A[3][2],$A[2][1],#64-$rhotates[2][1]
+	ror	$A[4][1],$A[1][3],#64-$rhotates[1][3]
+
+	ror	$A[4][2],$A[2][4],#64-$rhotates[2][4]
+	ror	$A[3][4],$A[4][3],#64-$rhotates[4][3]
+	ror	$A[2][1],$A[1][2],#64-$rhotates[1][2]
+	ror	$A[1][3],$A[3][1],#64-$rhotates[3][1]
+
+	ror	$A[2][4],$A[4][0],#64-$rhotates[4][0]
+	ror	$A[4][3],$A[3][0],#64-$rhotates[3][0]
+	ror	$A[1][2],$A[2][0],#64-$rhotates[2][0]
+	ror	$A[3][1],$A[1][0],#64-$rhotates[1][0]
+
+	ror	$A[1][0],$C[0],#64-$rhotates[0][3]
+	ror	$A[2][0],$C[3],#64-$rhotates[0][1]
+	ror	$A[3][0],$C[2],#64-$rhotates[0][4]
+	ror	$A[4][0],$C[1],#64-$rhotates[0][2]
+
+	////////////////////////////////////////// Chi+Iota
+	bic	$C[0],$A[0][2],$A[0][1]
+	bic	$C[1],$A[0][3],$A[0][2]
+	bic	$C[2],$A[0][0],$A[0][4]
+	bic	$C[3],$A[0][1],$A[0][0]
+	eor	$A[0][0],$A[0][0],$C[0]
+	bic	$C[0],$A[0][4],$A[0][3]
+	eor	$A[0][1],$A[0][1],$C[1]
+	 ldr	$C[1],[sp,#16]
+	eor	$A[0][3],$A[0][3],$C[2]
+	eor	$A[0][4],$A[0][4],$C[3]
+	eor	$A[0][2],$A[0][2],$C[0]
+	 ldr	$C[3],[$C[1]],#8		// Iota[i++]
+
+	bic	$C[0],$A[1][2],$A[1][1]
+	 tst	$C[1],#255			// are we done?
+	 str	$C[1],[sp,#16]
+	bic	$C[1],$A[1][3],$A[1][2]
+	bic	$C[2],$A[1][0],$A[1][4]
+	 eor	$A[0][0],$A[0][0],$C[3]		// A[0][0] ^= Iota
+	bic	$C[3],$A[1][1],$A[1][0]
+	eor	$A[1][0],$A[1][0],$C[0]
+	bic	$C[0],$A[1][4],$A[1][3]
+	eor	$A[1][1],$A[1][1],$C[1]
+	eor	$A[1][3],$A[1][3],$C[2]
+	eor	$A[1][4],$A[1][4],$C[3]
+	eor	$A[1][2],$A[1][2],$C[0]
+
+	bic	$C[0],$A[2][2],$A[2][1]
+	bic	$C[1],$A[2][3],$A[2][2]
+	bic	$C[2],$A[2][0],$A[2][4]
+	bic	$C[3],$A[2][1],$A[2][0]
+	eor	$A[2][0],$A[2][0],$C[0]
+	bic	$C[0],$A[2][4],$A[2][3]
+	eor	$A[2][1],$A[2][1],$C[1]
+	eor	$A[2][3],$A[2][3],$C[2]
+	eor	$A[2][4],$A[2][4],$C[3]
+	eor	$A[2][2],$A[2][2],$C[0]
+
+	bic	$C[0],$A[3][2],$A[3][1]
+	bic	$C[1],$A[3][3],$A[3][2]
+	bic	$C[2],$A[3][0],$A[3][4]
+	bic	$C[3],$A[3][1],$A[3][0]
+	eor	$A[3][0],$A[3][0],$C[0]
+	bic	$C[0],$A[3][4],$A[3][3]
+	eor	$A[3][1],$A[3][1],$C[1]
+	eor	$A[3][3],$A[3][3],$C[2]
+	eor	$A[3][4],$A[3][4],$C[3]
+	eor	$A[3][2],$A[3][2],$C[0]
+
+	bic	$C[0],$A[4][2],$A[4][1]
+	bic	$C[1],$A[4][3],$A[4][2]
+	bic	$C[2],$A[4][0],$A[4][4]
+	bic	$C[3],$A[4][1],$A[4][0]
+	eor	$A[4][0],$A[4][0],$C[0]
+	bic	$C[0],$A[4][4],$A[4][3]
+	eor	$A[4][1],$A[4][1],$C[1]
+	eor	$A[4][3],$A[4][3],$C[2]
+	eor	$A[4][4],$A[4][4],$C[3]
+	eor	$A[4][2],$A[4][2],$C[0]
+
+	bne	.Loop
+
+	ldr	x30,[sp,#24]
+	ret
+.size	KeccakF1600_int,.-KeccakF1600_int
+
+.type	KeccakF1600,%function
+.align	5
+KeccakF1600:
+	stp	x29,x30,[sp,#-128]!
+	add	x29,sp,#0
+	stp	x19,x20,[sp,#16]
+	stp	x21,x22,[sp,#32]
+	stp	x23,x24,[sp,#48]
+	stp	x25,x26,[sp,#64]
+	stp	x27,x28,[sp,#80]
+	sub	sp,sp,#48
+
+	str	x0,[sp,#32]			// offload argument
+	mov	$C[0],x0
+	ldp	$A[0][0],$A[0][1],[x0,#16*0]
+	ldp	$A[0][2],$A[0][3],[$C[0],#16*1]
+	ldp	$A[0][4],$A[1][0],[$C[0],#16*2]
+	ldp	$A[1][1],$A[1][2],[$C[0],#16*3]
+	ldp	$A[1][3],$A[1][4],[$C[0],#16*4]
+	ldp	$A[2][0],$A[2][1],[$C[0],#16*5]
+	ldp	$A[2][2],$A[2][3],[$C[0],#16*6]
+	ldp	$A[2][4],$A[3][0],[$C[0],#16*7]
+	ldp	$A[3][1],$A[3][2],[$C[0],#16*8]
+	ldp	$A[3][3],$A[3][4],[$C[0],#16*9]
+	ldp	$A[4][0],$A[4][1],[$C[0],#16*10]
+	ldp	$A[4][2],$A[4][3],[$C[0],#16*11]
+	ldr	$A[4][4],[$C[0],#16*12]
+
+	bl	KeccakF1600_int
+
+	ldr	$C[0],[sp,#32]
+	stp	$A[0][0],$A[0][1],[$C[0],#16*0]
+	stp	$A[0][2],$A[0][3],[$C[0],#16*1]
+	stp	$A[0][4],$A[1][0],[$C[0],#16*2]
+	stp	$A[1][1],$A[1][2],[$C[0],#16*3]
+	stp	$A[1][3],$A[1][4],[$C[0],#16*4]
+	stp	$A[2][0],$A[2][1],[$C[0],#16*5]
+	stp	$A[2][2],$A[2][3],[$C[0],#16*6]
+	stp	$A[2][4],$A[3][0],[$C[0],#16*7]
+	stp	$A[3][1],$A[3][2],[$C[0],#16*8]
+	stp	$A[3][3],$A[3][4],[$C[0],#16*9]
+	stp	$A[4][0],$A[4][1],[$C[0],#16*10]
+	stp	$A[4][2],$A[4][3],[$C[0],#16*11]
+	str	$A[4][4],[$C[0],#16*12]
+
+	ldp	x19,x20,[x29,#16]
+	add	sp,sp,#48
+	ldp	x21,x22,[x29,#32]
+	ldp	x23,x24,[x29,#48]
+	ldp	x25,x26,[x29,#64]
+	ldp	x27,x28,[x29,#80]
+	ldp	x29,x30,[sp],#128
+	ret
+.size	KeccakF1600,.-KeccakF1600
+
+.globl	SHA3_absorb
+.type	SHA3_absorb,%function
+.align	5
+SHA3_absorb:
+	stp	x29,x30,[sp,#-128]!
+	add	x29,sp,#0
+	stp	x19,x20,[sp,#16]
+	stp	x21,x22,[sp,#32]
+	stp	x23,x24,[sp,#48]
+	stp	x25,x26,[sp,#64]
+	stp	x27,x28,[sp,#80]
+	sub	sp,sp,#64
+
+	stp	x0,x1,[sp,#32]			// offload arguments
+	stp	x2,x3,[sp,#48]
+
+	mov	$C[0],x0			// uint64_t A[5][5]
+	mov	$C[1],x1			// const void *inp
+	mov	$C[2],x2			// size_t len
+	mov	$C[3],x3			// size_t bsz
+	ldp	$A[0][0],$A[0][1],[$C[0],#16*0]
+	ldp	$A[0][2],$A[0][3],[$C[0],#16*1]
+	ldp	$A[0][4],$A[1][0],[$C[0],#16*2]
+	ldp	$A[1][1],$A[1][2],[$C[0],#16*3]
+	ldp	$A[1][3],$A[1][4],[$C[0],#16*4]
+	ldp	$A[2][0],$A[2][1],[$C[0],#16*5]
+	ldp	$A[2][2],$A[2][3],[$C[0],#16*6]
+	ldp	$A[2][4],$A[3][0],[$C[0],#16*7]
+	ldp	$A[3][1],$A[3][2],[$C[0],#16*8]
+	ldp	$A[3][3],$A[3][4],[$C[0],#16*9]
+	ldp	$A[4][0],$A[4][1],[$C[0],#16*10]
+	ldp	$A[4][2],$A[4][3],[$C[0],#16*11]
+	ldr	$A[4][4],[$C[0],#16*12]
+	b	.Loop_absorb
+
+.align	4
+.Loop_absorb:
+	subs	$C[0],$C[2],$C[3]		// len - bsz
+	blo	.Labsorbed
+
+	str	$C[0],[sp,#48]			// save len - bsz
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[0][0],$A[0][0],$C[0]
+	cmp	$C[3],#8*2
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[0][1],$A[0][1],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[0][2],$A[0][2],$C[0]
+	cmp	$C[3],#8*4
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[0][3],$A[0][3],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[0][4],$A[0][4],$C[0]
+	cmp	$C[3],#8*6
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[1][0],$A[1][0],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[1][1],$A[1][1],$C[0]
+	cmp	$C[3],#8*8
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[1][2],$A[1][2],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[1][3],$A[1][3],$C[0]
+	cmp	$C[3],#8*10
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[1][4],$A[1][4],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[2][0],$A[2][0],$C[0]
+	cmp	$C[3],#8*12
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[2][1],$A[2][1],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[2][2],$A[2][2],$C[0]
+	cmp	$C[3],#8*14
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[2][3],$A[2][3],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[2][4],$A[2][4],$C[0]
+	cmp	$C[3],#8*16
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[3][0],$A[3][0],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[3][1],$A[3][1],$C[0]
+	cmp	$C[3],#8*18
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[3][2],$A[3][2],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[3][3],$A[3][3],$C[0]
+	cmp	$C[3],#8*20
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[3][4],$A[3][4],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[4][0],$A[4][0],$C[0]
+	cmp	$C[3],#8*22
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[4][1],$A[4][1],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[4][2],$A[4][2],$C[0]
+	cmp	$C[3],#8*24
+	blo	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[4][3],$A[4][3],$C[0]
+	beq	.Lprocess_block
+	ldr	$C[0],[$C[1]],#8		// *inp++
+#ifdef	__AARCH64EB__
+	rev	$C[0],$C[0]
+#endif
+	eor	$A[4][4],$A[4][4],$C[0]
+
+.Lprocess_block:
+	str	$C[1],[sp,#40]			// save inp
+
+	bl	KeccakF1600_int
+
+	ldr	$C[1],[sp,#40]			// restore arguments
+	ldp	$C[2],$C[3],[sp,#48]
+	b	.Loop_absorb
+
+.align	4
+.Labsorbed:
+	ldr	$C[1],[sp,#32]
+	stp	$A[0][0],$A[0][1],[$C[1],#16*0]
+	stp	$A[0][2],$A[0][3],[$C[1],#16*1]
+	stp	$A[0][4],$A[1][0],[$C[1],#16*2]
+	stp	$A[1][1],$A[1][2],[$C[1],#16*3]
+	stp	$A[1][3],$A[1][4],[$C[1],#16*4]
+	stp	$A[2][0],$A[2][1],[$C[1],#16*5]
+	stp	$A[2][2],$A[2][3],[$C[1],#16*6]
+	stp	$A[2][4],$A[3][0],[$C[1],#16*7]
+	stp	$A[3][1],$A[3][2],[$C[1],#16*8]
+	stp	$A[3][3],$A[3][4],[$C[1],#16*9]
+	stp	$A[4][0],$A[4][1],[$C[1],#16*10]
+	stp	$A[4][2],$A[4][3],[$C[1],#16*11]
+	str	$A[4][4],[$C[1],#16*12]
+
+	mov	x0,$C[0]			// return value
+	ldp	x19,x20,[x29,#16]
+	add	sp,sp,#64
+	ldp	x21,x22,[x29,#32]
+	ldp	x23,x24,[x29,#48]
+	ldp	x25,x26,[x29,#64]
+	ldp	x27,x28,[x29,#80]
+	ldp	x29,x30,[sp],#128
+	ret
+.size	SHA3_absorb,.-SHA3_absorb
+___
+{
+my ($A_flat,$out,$len,$bsz) = map("x$_",(19..22));
+$code.=<<___;
+.globl	SHA3_squeeze
+.type	SHA3_squeeze,%function
+.align	5
+SHA3_squeeze:
+	stp	x29,x30,[sp,#-48]!
+	add	x29,sp,#0
+	stp	x19,x20,[sp,#16]
+	stp	x21,x22,[sp,#32]
+
+	mov	$A_flat,x0			// put aside arguments
+	mov	$out,x1
+	mov	$len,x2
+	mov	$bsz,x3
+
+.Loop_squeeze:
+	ldr	x4,[x0],#8
+	cmp	$len,#8
+	blo	.Lsqueeze_tail
+#ifdef	__AARCH64EB__
+	rev	x4,x4
+#endif
+	str	x4,[$out],#8
+	subs	$len,$len,#8
+	beq	.Lsqueeze_done
+
+	subs	x3,x3,#8
+	bhi	.Loop_squeeze
+
+	mov	x0,$A_flat
+	bl	KeccakF1600
+	mov	x0,$A_flat
+	mov	x3,$bsz
+	b	.Loop_squeeze
+
+.align	4
+.Lsqueeze_tail:
+	strb	w4,[$out],#1
+	lsr	x4,x4,#8
+	subs	$len,$len,#1
+	beq	.Lsqueeze_done
+	strb	w4,[$out],#1
+	lsr	x4,x4,#8
+	subs	$len,$len,#1
+	beq	.Lsqueeze_done
+	strb	w4,[$out],#1
+	lsr	x4,x4,#8
+	subs	$len,$len,#1
+	beq	.Lsqueeze_done
+	strb	w4,[$out],#1
+	lsr	x4,x4,#8
+	subs	$len,$len,#1
+	beq	.Lsqueeze_done
+	strb	w4,[$out],#1
+	lsr	x4,x4,#8
+	subs	$len,$len,#1
+	beq	.Lsqueeze_done
+	strb	w4,[$out],#1
+	lsr	x4,x4,#8
+	subs	$len,$len,#1
+	beq	.Lsqueeze_done
+	strb	w4,[$out],#1
+
+.Lsqueeze_done:
+	ldp	x19,x20,[sp,#16]
+	ldp	x21,x22,[sp,#32]
+	ldp	x29,x30,[sp],#48
+	ret
+.size	SHA3_squeeze,.-SHA3_squeeze
+.asciz	"Keccak-1600 absorb and squeeze for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
+___
+}
+
+print $code;
+close STDOUT;

More information about the openssl-commits mailing list