2 # Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # Poly1305 hash for MIPS64.
21 # Numbers are cycles per processed byte with poly1305_blocks alone.
24 # R1x000 5.64/+120% (big-endian)
25 # Octeon II 3.80/+280% (little-endian)
27 ######################################################################
28 # There is a number of MIPS ABI in use, O32 and N32/64 are most
29 # widely used. Then there is a new contender: NUBI. It appears that if
30 # one picks the latter, it's possible to arrange code in ABI neutral
31 # manner. Therefore let's stick to NUBI register layout:
33 ($zero,$at,$t0,$t1,$t2)=map("\$$_",(0..2,24,25));
34 ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$$_",(4..11));
35 ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8,$s9,$s10,$s11)=map("\$$_",(12..23));
36 ($gp,$tp,$sp,$fp,$ra)=map("\$$_",(3,28..31));
38 # The return value is placed in $a0. Following coding rules facilitate
41 # - never ever touch $tp, "thread pointer", former $gp [o32 can be
42 # excluded from the rule, because it's specified volatile];
43 # - copy return value to $t0, former $v0 [or to $a0 if you're adapting
45 # - on O32 populate $a4-$a7 with 'lw $aN,4*N($sp)' if necessary;
47 # For reference here is register layout for N32/64 MIPS ABIs:
49 # ($zero,$at,$v0,$v1)=map("\$$_",(0..3));
50 # ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$$_",(4..11));
51 # ($t0,$t1,$t2,$t3,$t8,$t9)=map("\$$_",(12..15,24,25));
52 # ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7)=map("\$$_",(16..23));
53 # ($gp,$sp,$fp,$ra)=map("\$$_",(28..31));
57 ######################################################################
59 # $output is the last argument if it looks like a file (it has an extension)
60 # $flavour is the first argument if it doesn't look like a file
61 $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
62 # supported flavours are o32,n32,64,nubi32,nubi64, default is o32
63 $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : "o32";
65 die "MIPS64 only" unless ($flavour =~ /64|n32/i);
67 $v0 = ($flavour =~ /nubi/i) ? $a0 : $t0;
68 $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0x0003f000" : "0x00030000";
70 ($ctx,$inp,$len,$padbit) = ($a0,$a1,$a2,$a3);
71 ($in0,$in1,$tmp0,$tmp1,$tmp2,$tmp3,$tmp4) = ($a4,$a5,$a6,$a7,$at,$t0,$t1);
74 #include "mips_arch.h"
101 #if defined(_MIPS_ARCH_MIPS64R6)
111 # if defined(_MIPS_ARCH_MIPS64R2)
112 dsbh $in0,$in0 # byte swap
119 or $tmp0,$tmp2 # 0x000000FF000000FF
121 and $tmp1,$in0,$tmp0 # byte swap
129 dsll $tmp0,8 # 0x0000FF000000FF00
156 daddiu $tmp0,-1 # 0ffffffc0fffffff
159 daddiu $tmp0,-3 # 0ffffffc0ffffffc
165 daddu $tmp0,$in1 # s1 = r1 + (r1 >> 2)
174 my ($h0,$h1,$h2,$r0,$r1,$s1,$d0,$d1,$d2) =
175 ($s0,$s1,$s2,$s3,$s4,$s5,$in0,$in1,$t2);
179 .globl poly1305_blocks
183 dsrl $len,4 # number of complete blocks
184 bnez $len,poly1305_blocks_internal
191 .ent poly1305_blocks_internal
192 poly1305_blocks_internal:
194 .mask $SAVED_REGS_MASK,-8
200 $code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi prologue
209 ld $h0,0($ctx) # load hash value
213 ld $r0,24($ctx) # load key
218 #if defined(_MIPS_ARCH_MIPS64R6)
219 ld $in0,0($inp) # load input
222 ldl $in0,0+MSB($inp) # load input
230 # if defined(_MIPS_ARCH_MIPS64R2)
231 dsbh $in0,$in0 # byte swap
238 or $tmp0,$tmp2 # 0x000000FF000000FF
240 and $tmp1,$in0,$tmp0 # byte swap
248 dsll $tmp0,8 # 0x0000FF000000FF00
271 daddu $h0,$in0 # accumulate input
277 dmultu ($r0,$h0) # h0*r0
283 dmultu ($s1,$h1) # h1*5*r1
289 dmultu ($r1,$h0) # h0*r1
297 dmultu ($r0,$h1) # h1*r0
304 dmultu ($s1,$h2) # h2*5*r1
309 dmultu ($r0,$h2) # h2*r0
319 li $tmp0,-4 # final reduction
332 sd $h0,0($ctx) # store hash value
337 ld $s5,40($sp) # epilogue
340 $code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi epilogue
349 .end poly1305_blocks_internal
353 my ($ctx,$mac,$nonce) = ($a0,$a1,$a2);
367 daddiu $in0,$tmp0,5 # compare to modulus
369 daddu $in1,$tmp1,$tmp3
370 sltu $tmp3,$in1,$tmp3
371 daddu $tmp2,$tmp2,$tmp3
373 dsrl $tmp2,2 # see if it carried/borrowed
374 dsubu $tmp2,$zero,$tmp2
375 nor $tmp3,$zero,$tmp2
384 lwu $tmp0,0($nonce) # load nonce
393 daddu $in0,$tmp0 # accumulate nonce
395 sltu $tmp0,$in0,$tmp0
398 dsrl $tmp0,$in0,8 # write mac value
433 .asciiz "Poly1305 for MIPS64, CRYPTOGAMS by <appro\@openssl.org>"
438 $output and open STDOUT,">$output";
440 close STDOUT or die "error closing STDOUT: $!";