xref: /minix3/crypto/external/bsd/openssl/lib/libcrypto/arch/arm/ghash-armv4.S (revision 0a6a1f1d05b60e214de2f05a7310ddd1f0e590e7) 
1#include "arm_arch.h"
2#include "arm_asm.h"
3
4.syntax	unified
5.text
6.code	32
7
8.type	rem_4bit,%object
9.align	5
10rem_4bit:
11.short	0x0000,0x1C20,0x3840,0x2460
12.short	0x7080,0x6CA0,0x48C0,0x54E0
13.short	0xE100,0xFD20,0xD940,0xC560
14.short	0x9180,0x8DA0,0xA9C0,0xB5E0
15.size	rem_4bit,.-rem_4bit
16
17.type	rem_4bit_get,%function
18rem_4bit_get:
19	sub	r2,pc,#8
20	sub	r2,r2,#32	@ &rem_4bit
21	b	.Lrem_4bit_got
22	nop
23.size	rem_4bit_get,.-rem_4bit_get
24
25.global	gcm_ghash_4bit
26.type	gcm_ghash_4bit,%function
27gcm_ghash_4bit:
28	sub	r12,pc,#8
29	add	r3,r2,r3		@ r3 to point at the end
30	stmdb	sp!,{r3-r11,lr}		@ save r3/end too
31	sub	r12,r12,#48		@ &rem_4bit
32
33	ldmia	r12,{r4-r11}		@ copy rem_4bit ...
34	stmdb	sp!,{r4-r11}		@ ... to stack
35
36	ldrb	r12,[r2,#15]
37	ldrb	r14,[r0,#15]
38.Louter:
39	eor	r12,r12,r14
40	and	r14,r12,#0xf0
41	and	r12,r12,#0x0f
42	mov	r3,#14
43
44	add	r7,r1,r12,lsl#4
45	ldmia	r7,{r4-r7}	@ load Htbl[nlo]
46	add	r11,r1,r14
47	ldrb	r12,[r2,#14]
48
49	and	r14,r4,#0xf		@ rem
50	ldmia	r11,{r8-r11}	@ load Htbl[nhi]
51	add	r14,r14,r14
52	eor	r4,r8,r4,lsr#4
53	ldrh	r8,[sp,r14]		@ rem_4bit[rem]
54	eor	r4,r4,r5,lsl#28
55	ldrb	r14,[r0,#14]
56	eor	r5,r9,r5,lsr#4
57	eor	r5,r5,r6,lsl#28
58	eor	r6,r10,r6,lsr#4
59	eor	r6,r6,r7,lsl#28
60	eor	r7,r11,r7,lsr#4
61	eor	r12,r12,r14
62	and	r14,r12,#0xf0
63	and	r12,r12,#0x0f
64	eor	r7,r7,r8,lsl#16
65
66.Linner:
67	add	r11,r1,r12,lsl#4
68	and	r12,r4,#0xf		@ rem
69	subs	r3,r3,#1
70	add	r12,r12,r12
71	ldmia	r11,{r8-r11}	@ load Htbl[nlo]
72	eor	r4,r8,r4,lsr#4
73	eor	r4,r4,r5,lsl#28
74	eor	r5,r9,r5,lsr#4
75	eor	r5,r5,r6,lsl#28
76	ldrh	r8,[sp,r12]		@ rem_4bit[rem]
77	eor	r6,r10,r6,lsr#4
78	ldrbpl	r12,[r2,r3]
79	eor	r6,r6,r7,lsl#28
80	eor	r7,r11,r7,lsr#4
81
82	add	r11,r1,r14
83	and	r14,r4,#0xf		@ rem
84	eor	r7,r7,r8,lsl#16	@ ^= rem_4bit[rem]
85	add	r14,r14,r14
86	ldmia	r11,{r8-r11}	@ load Htbl[nhi]
87	eor	r4,r8,r4,lsr#4
88	ldrbpl	r8,[r0,r3]
89	eor	r4,r4,r5,lsl#28
90	eor	r5,r9,r5,lsr#4
91	ldrh	r9,[sp,r14]
92	eor	r5,r5,r6,lsl#28
93	eor	r6,r10,r6,lsr#4
94	eor	r6,r6,r7,lsl#28
95	eorpl	r12,r12,r8
96	eor	r7,r11,r7,lsr#4
97	andpl	r14,r12,#0xf0
98	andpl	r12,r12,#0x0f
99	eor	r7,r7,r9,lsl#16	@ ^= rem_4bit[rem]
100	bpl	.Linner
101
102	ldr	r3,[sp,#32]		@ re-load r3/end
103	add	r2,r2,#16
104	mov	r14,r4
105#if __ARM_ARCH__>=7 && defined(__ARMEL__)
106	rev	r4,r4
107	str	r4,[r0,#12]
108#elif defined(__ARMEB__)
109	str	r4,[r0,#12]
110#else
111	mov	r9,r4,lsr#8
112	strb	r4,[r0,#12+3]
113	mov	r10,r4,lsr#16
114	strb	r9,[r0,#12+2]
115	mov	r11,r4,lsr#24
116	strb	r10,[r0,#12+1]
117	strb	r11,[r0,#12]
118#endif
119	cmp	r2,r3
120#if __ARM_ARCH__>=7 && defined(__ARMEL__)
121	rev	r5,r5
122	str	r5,[r0,#8]
123#elif defined(__ARMEB__)
124	str	r5,[r0,#8]
125#else
126	mov	r9,r5,lsr#8
127	strb	r5,[r0,#8+3]
128	mov	r10,r5,lsr#16
129	strb	r9,[r0,#8+2]
130	mov	r11,r5,lsr#24
131	strb	r10,[r0,#8+1]
132	strb	r11,[r0,#8]
133#endif
134	ldrbne	r12,[r2,#15]
135#if __ARM_ARCH__>=7 && defined(__ARMEL__)
136	rev	r6,r6
137	str	r6,[r0,#4]
138#elif defined(__ARMEB__)
139	str	r6,[r0,#4]
140#else
141	mov	r9,r6,lsr#8
142	strb	r6,[r0,#4+3]
143	mov	r10,r6,lsr#16
144	strb	r9,[r0,#4+2]
145	mov	r11,r6,lsr#24
146	strb	r10,[r0,#4+1]
147	strb	r11,[r0,#4]
148#endif
149
150#if __ARM_ARCH__>=7 && defined(__ARMEL__)
151	rev	r7,r7
152	str	r7,[r0,#0]
153#elif defined(__ARMEB__)
154	str	r7,[r0,#0]
155#else
156	mov	r9,r7,lsr#8
157	strb	r7,[r0,#0+3]
158	mov	r10,r7,lsr#16
159	strb	r9,[r0,#0+2]
160	mov	r11,r7,lsr#24
161	strb	r10,[r0,#0+1]
162	strb	r11,[r0,#0]
163#endif
164
165	bne	.Louter
166
167	add	sp,sp,#36
168#if __ARM_ARCH__>=5
169	ldmia	sp!,{r4-r11,pc}
170#else
171	ldmia	sp!,{r4-r11,lr}
172	tst	lr,#1
173	moveq	pc,lr			@ be binary compatible with V4, yet
174	.word	0xe12fff1e			@ interoperable with Thumb ISA:-)
175#endif
176.size	gcm_ghash_4bit,.-gcm_ghash_4bit
177
178.global	gcm_gmult_4bit
179.type	gcm_gmult_4bit,%function
180gcm_gmult_4bit:
181	stmdb	sp!,{r4-r11,lr}
182	ldrb	r12,[r0,#15]
183	b	rem_4bit_get
184.Lrem_4bit_got:
185	and	r14,r12,#0xf0
186	and	r12,r12,#0x0f
187	mov	r3,#14
188
189	add	r7,r1,r12,lsl#4
190	ldmia	r7,{r4-r7}	@ load Htbl[nlo]
191	ldrb	r12,[r0,#14]
192
193	add	r11,r1,r14
194	and	r14,r4,#0xf		@ rem
195	ldmia	r11,{r8-r11}	@ load Htbl[nhi]
196	add	r14,r14,r14
197	eor	r4,r8,r4,lsr#4
198	ldrh	r8,[r2,r14]	@ rem_4bit[rem]
199	eor	r4,r4,r5,lsl#28
200	eor	r5,r9,r5,lsr#4
201	eor	r5,r5,r6,lsl#28
202	eor	r6,r10,r6,lsr#4
203	eor	r6,r6,r7,lsl#28
204	eor	r7,r11,r7,lsr#4
205	and	r14,r12,#0xf0
206	eor	r7,r7,r8,lsl#16
207	and	r12,r12,#0x0f
208
209.Loop:
210	add	r11,r1,r12,lsl#4
211	and	r12,r4,#0xf		@ rem
212	subs	r3,r3,#1
213	add	r12,r12,r12
214	ldmia	r11,{r8-r11}	@ load Htbl[nlo]
215	eor	r4,r8,r4,lsr#4
216	eor	r4,r4,r5,lsl#28
217	eor	r5,r9,r5,lsr#4
218	eor	r5,r5,r6,lsl#28
219	ldrh	r8,[r2,r12]	@ rem_4bit[rem]
220	eor	r6,r10,r6,lsr#4
221	ldrbpl	r12,[r0,r3]
222	eor	r6,r6,r7,lsl#28
223	eor	r7,r11,r7,lsr#4
224
225	add	r11,r1,r14
226	and	r14,r4,#0xf		@ rem
227	eor	r7,r7,r8,lsl#16	@ ^= rem_4bit[rem]
228	add	r14,r14,r14
229	ldmia	r11,{r8-r11}	@ load Htbl[nhi]
230	eor	r4,r8,r4,lsr#4
231	eor	r4,r4,r5,lsl#28
232	eor	r5,r9,r5,lsr#4
233	ldrh	r8,[r2,r14]	@ rem_4bit[rem]
234	eor	r5,r5,r6,lsl#28
235	eor	r6,r10,r6,lsr#4
236	eor	r6,r6,r7,lsl#28
237	eor	r7,r11,r7,lsr#4
238	andpl	r14,r12,#0xf0
239	andpl	r12,r12,#0x0f
240	eor	r7,r7,r8,lsl#16	@ ^= rem_4bit[rem]
241	bpl	.Loop
242#if __ARM_ARCH__>=7 && defined(__ARMEL__)
243	rev	r4,r4
244	str	r4,[r0,#12]
245#elif defined(__ARMEB__)
246	str	r4,[r0,#12]
247#else
248	mov	r9,r4,lsr#8
249	strb	r4,[r0,#12+3]
250	mov	r10,r4,lsr#16
251	strb	r9,[r0,#12+2]
252	mov	r11,r4,lsr#24
253	strb	r10,[r0,#12+1]
254	strb	r11,[r0,#12]
255#endif
256
257#if __ARM_ARCH__>=7 && defined(__ARMEL__)
258	rev	r5,r5
259	str	r5,[r0,#8]
260#elif defined(__ARMEB__)
261	str	r5,[r0,#8]
262#else
263	mov	r9,r5,lsr#8
264	strb	r5,[r0,#8+3]
265	mov	r10,r5,lsr#16
266	strb	r9,[r0,#8+2]
267	mov	r11,r5,lsr#24
268	strb	r10,[r0,#8+1]
269	strb	r11,[r0,#8]
270#endif
271
272#if __ARM_ARCH__>=7 && defined(__ARMEL__)
273	rev	r6,r6
274	str	r6,[r0,#4]
275#elif defined(__ARMEB__)
276	str	r6,[r0,#4]
277#else
278	mov	r9,r6,lsr#8
279	strb	r6,[r0,#4+3]
280	mov	r10,r6,lsr#16
281	strb	r9,[r0,#4+2]
282	mov	r11,r6,lsr#24
283	strb	r10,[r0,#4+1]
284	strb	r11,[r0,#4]
285#endif
286
287#if __ARM_ARCH__>=7 && defined(__ARMEL__)
288	rev	r7,r7
289	str	r7,[r0,#0]
290#elif defined(__ARMEB__)
291	str	r7,[r0,#0]
292#else
293	mov	r9,r7,lsr#8
294	strb	r7,[r0,#0+3]
295	mov	r10,r7,lsr#16
296	strb	r9,[r0,#0+2]
297	mov	r11,r7,lsr#24
298	strb	r10,[r0,#0+1]
299	strb	r11,[r0,#0]
300#endif
301
302#if __ARM_ARCH__>=5
303	ldmia	sp!,{r4-r11,pc}
304#else
305	ldmia	sp!,{r4-r11,lr}
306	tst	lr,#1
307	moveq	pc,lr			@ be binary compatible with V4, yet
308	.word	0xe12fff1e			@ interoperable with Thumb ISA:-)
309#endif
310.size	gcm_gmult_4bit,.-gcm_gmult_4bit
311#if __ARM_MAX_ARCH__>=7
312.arch	armv7-a
313.fpu	neon
314
315.global	gcm_init_neon
316.type	gcm_init_neon,%function
317.align	4
318gcm_init_neon:
319	vld1.64		d7,[r1,:64]!	@ load H
320	vmov.i8		q8,#0xe1
321	vld1.64		d6,[r1,:64]
322	vshl.i64	d17,#57
323	vshr.u64	d16,#63		@ t0=0xc2....01
324	vdup.8		q9,d7[7]
325	vshr.u64	d26,d6,#63
326	vshr.s8		q9,#7			@ broadcast carry bit
327	vshl.i64	q3,q3,#1
328	vand		q8,q8,q9
329	vorr		d7,d26		@ H<<<=1
330	veor		q3,q3,q8		@ twisted H
331	vstmia		r0,{q3}
332
333	RET					@ bx lr
334.size	gcm_init_neon,.-gcm_init_neon
335
336.global	gcm_gmult_neon
337.type	gcm_gmult_neon,%function
338.align	4
339gcm_gmult_neon:
340	vld1.64		d7,[r0,:64]!	@ load Xi
341	vld1.64		d6,[r0,:64]!
342	vmov.i64	d29,#0x0000ffffffffffff
343	vldmia		r1,{d26-d27}	@ load twisted H
344	vmov.i64	d30,#0x00000000ffffffff
345#ifdef __ARMEL__
346	vrev64.8	q3,q3
347#endif
348	vmov.i64	d31,#0x000000000000ffff
349	veor		d28,d26,d27		@ Karatsuba pre-processing
350	mov		r3,#16
351	b		.Lgmult_neon
352.size	gcm_gmult_neon,.-gcm_gmult_neon
353
354.global	gcm_ghash_neon
355.type	gcm_ghash_neon,%function
356.align	4
357gcm_ghash_neon:
358	vld1.64		d1,[r0,:64]!	@ load Xi
359	vld1.64		d0,[r0,:64]!
360	vmov.i64	d29,#0x0000ffffffffffff
361	vldmia		r1,{d26-d27}	@ load twisted H
362	vmov.i64	d30,#0x00000000ffffffff
363#ifdef __ARMEL__
364	vrev64.8	q0,q0
365#endif
366	vmov.i64	d31,#0x000000000000ffff
367	veor		d28,d26,d27		@ Karatsuba pre-processing
368
369.Loop_neon:
370	vld1.64		d7,[r2]!		@ load inp
371	vld1.64		d6,[r2]!
372#ifdef __ARMEL__
373	vrev64.8	q3,q3
374#endif
375	veor		q3,q0			@ inp^=Xi
376.Lgmult_neon:
377	vext.8		d16, d26, d26, #1	@ A1
378	vmull.p8	q8, d16, d6		@ F = A1*B
379	vext.8		d0, d6, d6, #1	@ B1
380	vmull.p8	q0, d26, d0		@ E = A*B1
381	vext.8		d18, d26, d26, #2	@ A2
382	vmull.p8	q9, d18, d6		@ H = A2*B
383	vext.8		d22, d6, d6, #2	@ B2
384	vmull.p8	q11, d26, d22		@ G = A*B2
385	vext.8		d20, d26, d26, #3	@ A3
386	veor		q8, q8, q0		@ L = E + F
387	vmull.p8	q10, d20, d6		@ J = A3*B
388	vext.8		d0, d6, d6, #3	@ B3
389	veor		q9, q9, q11		@ M = G + H
390	vmull.p8	q0, d26, d0		@ I = A*B3
391	veor		d16, d16, d17	@ t0 = (L) (P0 + P1) << 8
392	vand		d17, d17, d29
393	vext.8		d22, d6, d6, #4	@ B4
394	veor		d18, d18, d19	@ t1 = (M) (P2 + P3) << 16
395	vand		d19, d19, d30
396	vmull.p8	q11, d26, d22		@ K = A*B4
397	veor		q10, q10, q0		@ N = I + J
398	veor		d16, d16, d17
399	veor		d18, d18, d19
400	veor		d20, d20, d21	@ t2 = (N) (P4 + P5) << 24
401	vand		d21, d21, d31
402	vext.8		q8, q8, q8, #15
403	veor		d22, d22, d23	@ t3 = (K) (P6 + P7) << 32
404	vmov.i64	d23, #0
405	vext.8		q9, q9, q9, #14
406	veor		d20, d20, d21
407	vmull.p8	q0, d26, d6		@ D = A*B
408	vext.8		q11, q11, q11, #12
409	vext.8		q10, q10, q10, #13
410	veor		q8, q8, q9
411	veor		q10, q10, q11
412	veor		q0, q0, q8
413	veor		q0, q0, q10
414	veor		d6,d6,d7	@ Karatsuba pre-processing
415	vext.8		d16, d28, d28, #1	@ A1
416	vmull.p8	q8, d16, d6		@ F = A1*B
417	vext.8		d2, d6, d6, #1	@ B1
418	vmull.p8	q1, d28, d2		@ E = A*B1
419	vext.8		d18, d28, d28, #2	@ A2
420	vmull.p8	q9, d18, d6		@ H = A2*B
421	vext.8		d22, d6, d6, #2	@ B2
422	vmull.p8	q11, d28, d22		@ G = A*B2
423	vext.8		d20, d28, d28, #3	@ A3
424	veor		q8, q8, q1		@ L = E + F
425	vmull.p8	q10, d20, d6		@ J = A3*B
426	vext.8		d2, d6, d6, #3	@ B3
427	veor		q9, q9, q11		@ M = G + H
428	vmull.p8	q1, d28, d2		@ I = A*B3
429	veor		d16, d16, d17	@ t0 = (L) (P0 + P1) << 8
430	vand		d17, d17, d29
431	vext.8		d22, d6, d6, #4	@ B4
432	veor		d18, d18, d19	@ t1 = (M) (P2 + P3) << 16
433	vand		d19, d19, d30
434	vmull.p8	q11, d28, d22		@ K = A*B4
435	veor		q10, q10, q1		@ N = I + J
436	veor		d16, d16, d17
437	veor		d18, d18, d19
438	veor		d20, d20, d21	@ t2 = (N) (P4 + P5) << 24
439	vand		d21, d21, d31
440	vext.8		q8, q8, q8, #15
441	veor		d22, d22, d23	@ t3 = (K) (P6 + P7) << 32
442	vmov.i64	d23, #0
443	vext.8		q9, q9, q9, #14
444	veor		d20, d20, d21
445	vmull.p8	q1, d28, d6		@ D = A*B
446	vext.8		q11, q11, q11, #12
447	vext.8		q10, q10, q10, #13
448	veor		q8, q8, q9
449	veor		q10, q10, q11
450	veor		q1, q1, q8
451	veor		q1, q1, q10
452	vext.8		d16, d27, d27, #1	@ A1
453	vmull.p8	q8, d16, d7		@ F = A1*B
454	vext.8		d4, d7, d7, #1	@ B1
455	vmull.p8	q2, d27, d4		@ E = A*B1
456	vext.8		d18, d27, d27, #2	@ A2
457	vmull.p8	q9, d18, d7		@ H = A2*B
458	vext.8		d22, d7, d7, #2	@ B2
459	vmull.p8	q11, d27, d22		@ G = A*B2
460	vext.8		d20, d27, d27, #3	@ A3
461	veor		q8, q8, q2		@ L = E + F
462	vmull.p8	q10, d20, d7		@ J = A3*B
463	vext.8		d4, d7, d7, #3	@ B3
464	veor		q9, q9, q11		@ M = G + H
465	vmull.p8	q2, d27, d4		@ I = A*B3
466	veor		d16, d16, d17	@ t0 = (L) (P0 + P1) << 8
467	vand		d17, d17, d29
468	vext.8		d22, d7, d7, #4	@ B4
469	veor		d18, d18, d19	@ t1 = (M) (P2 + P3) << 16
470	vand		d19, d19, d30
471	vmull.p8	q11, d27, d22		@ K = A*B4
472	veor		q10, q10, q2		@ N = I + J
473	veor		d16, d16, d17
474	veor		d18, d18, d19
475	veor		d20, d20, d21	@ t2 = (N) (P4 + P5) << 24
476	vand		d21, d21, d31
477	vext.8		q8, q8, q8, #15
478	veor		d22, d22, d23	@ t3 = (K) (P6 + P7) << 32
479	vmov.i64	d23, #0
480	vext.8		q9, q9, q9, #14
481	veor		d20, d20, d21
482	vmull.p8	q2, d27, d7		@ D = A*B
483	vext.8		q11, q11, q11, #12
484	vext.8		q10, q10, q10, #13
485	veor		q8, q8, q9
486	veor		q10, q10, q11
487	veor		q2, q2, q8
488	veor		q2, q2, q10
489	veor		q1,q1,q0		@ Karatsuba post-processing
490	veor		q1,q1,q2
491	veor		d1,d1,d2
492	veor		d4,d4,d3	@ Xh|Xl - 256-bit result
493
494	@ equivalent of reduction_avx from ghash-x86_64.pl
495	vshl.i64	q9,q0,#57		@ 1st phase
496	vshl.i64	q10,q0,#62
497	veor		q10,q10,q9		@
498	vshl.i64	q9,q0,#63
499	veor		q10, q10, q9		@
500 	veor		d1,d1,d20	@
501	veor		d4,d4,d21
502
503	vshr.u64	q10,q0,#1		@ 2nd phase
504	veor		q2,q2,q0
505	veor		q0,q0,q10		@
506	vshr.u64	q10,q10,#6
507	vshr.u64	q0,q0,#1		@
508	veor		q0,q0,q2		@
509	veor		q0,q0,q10		@
510
511	subs		r3,#16
512	bne		.Loop_neon
513
514#ifdef __ARMEL__
515	vrev64.8	q0,q0
516#endif
517	sub		r0,#16
518	vst1.64		d1,[r0,:64]!	@ write out Xi
519	vst1.64		d0,[r0,:64]
520
521	RET					@ bx lr
522.size	gcm_ghash_neon,.-gcm_ghash_neon
523#endif
524.asciz  "GHASH for ARMv4/NEON, CRYPTOGAMS by <appro@openssl.org>"
525.align  2
526