Text file src/crypto/internal/fips140/sha512/sha512block_riscv64.s

     1  // Copyright 2023 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build !purego
     6  
     7  #include "textflag.h"
     8  
     9  // SHA512 block routine. See sha512block.go for Go equivalent.
    10  //
    11  // The algorithm is detailed in FIPS 180-4:
    12  //
    13  //  https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
    14  //
    15  // Wt = Mt; for 0 <= t <= 15
    16  // Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 79
    17  //
    18  // a = H0
    19  // b = H1
    20  // c = H2
    21  // d = H3
    22  // e = H4
    23  // f = H5
    24  // g = H6
    25  // h = H7
    26  //
    27  // for t = 0 to 79 {
    28  //    T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt
    29  //    T2 = BIGSIGMA0(a) + Maj(a,b,c)
    30  //    h = g
    31  //    g = f
    32  //    f = e
    33  //    e = d + T1
    34  //    d = c
    35  //    c = b
    36  //    b = a
    37  //    a = T1 + T2
    38  // }
    39  //
    40  // H0 = a + H0
    41  // H1 = b + H1
    42  // H2 = c + H2
    43  // H3 = d + H3
    44  // H4 = e + H4
    45  // H5 = f + H5
    46  // H6 = g + H6
    47  // H7 = h + H7
    48  
    49  // Wt = Mt; for 0 <= t <= 15
    50  #define MSGSCHEDULE0(index) \
    51  	MOVBU	((index*8)+0)(X29), X5; \
    52  	MOVBU	((index*8)+1)(X29), X6; \
    53  	MOVBU	((index*8)+2)(X29), X7; \
    54  	MOVBU	((index*8)+3)(X29), X8; \
    55  	SLL	$56, X5; \
    56  	SLL	$48, X6; \
    57  	OR	X5, X6, X5; \
    58  	SLL	$40, X7; \
    59  	OR	X5, X7, X5; \
    60  	SLL	$32, X8; \
    61  	OR	X5, X8, X5; \
    62  	MOVBU	((index*8)+4)(X29), X9; \
    63  	MOVBU	((index*8)+5)(X29), X6; \
    64  	MOVBU	((index*8)+6)(X29), X7; \
    65  	MOVBU	((index*8)+7)(X29), X8; \
    66  	SLL	$24, X9; \
    67  	OR	X5, X9, X5; \
    68  	SLL	$16, X6; \
    69  	OR	X5, X6, X5; \
    70  	SLL	$8, X7; \
    71  	OR	X5, X7, X5; \
    72  	OR	X5, X8, X5; \
    73  	MOV	X5, (index*8)(X19)
    74  
    75  // Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 79
    76  //   SIGMA0(x) = ROTR(1,x) XOR ROTR(8,x) XOR SHR(7,x)
    77  //   SIGMA1(x) = ROTR(19,x) XOR ROTR(61,x) XOR SHR(6,x)
    78  #define MSGSCHEDULE1(index) \
    79  	MOV	(((index-2)&0xf)*8)(X19), X5; \
    80  	MOV	(((index-15)&0xf)*8)(X19), X6; \
    81  	MOV	(((index-7)&0xf)*8)(X19), X9; \
    82  	MOV	(((index-16)&0xf)*8)(X19), X21; \
    83  	ROR	$19, X5, X7; \
    84  	ROR	$61, X5, X8; \
    85  	SRL	$6, X5; \
    86  	XOR	X7, X5; \
    87  	XOR	X8, X5; \
    88  	ADD	X9, X5; \
    89  	ROR	$1, X6, X7; \
    90  	ROR	$8, X6, X8; \
    91  	SRL	$7, X6; \
    92  	XOR	X7, X6; \
    93  	XOR	X8, X6; \
    94  	ADD	X6, X5; \
    95  	ADD	X21, X5; \
    96  	MOV	X5, ((index&0xf)*8)(X19)
    97  
    98  // Calculate T1 in X5.
    99  // h is also used as an accumulator. Wt is passed in X5.
   100  //   T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + Kt + Wt
   101  //     BIGSIGMA1(x) = ROTR(14,x) XOR ROTR(18,x) XOR ROTR(41,x)
   102  //     Ch(x, y, z) = (x AND y) XOR (NOT x AND z)
   103  //                 = ((y XOR z) AND x) XOR z
   104  #define SHA512T1(index, e, f, g, h) \
   105  	MOV	(index*8)(X18), X8; \
   106  	ADD	X5, h; \
   107  	ROR	$14, e, X6; \
   108  	ADD	X8, h; \
   109  	ROR	$18, e, X7; \
   110  	ROR	$41, e, X8; \
   111  	XOR	X7, X6; \
   112  	XOR	f, g, X5; \
   113  	XOR	X8, X6; \
   114  	AND	e, X5; \
   115  	ADD	X6, h; \
   116  	XOR	g, X5; \
   117  	ADD	h, X5
   118  
   119  // Calculate T2 in X6.
   120  //   T2 = BIGSIGMA0(a) + Maj(a, b, c)
   121  //     BIGSIGMA0(x) = ROTR(28,x) XOR ROTR(34,x) XOR ROTR(39,x)
   122  //     Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
   123  //                  = ((y XOR z) AND x) XOR (y AND z)
   124  #define SHA512T2(a, b, c) \
   125  	ROR	$28, a, X6; \
   126  	ROR	$34, a, X7; \
   127  	ROR	$39, a, X8; \
   128  	XOR	X7, X6; \
   129  	XOR	b, c, X9; \
   130  	AND	b, c, X7; \
   131  	AND	a, X9; \
   132  	XOR	X8, X6; \
   133  	XOR	X7, X9; \
   134  	ADD	X9, X6
   135  
   136  // Calculate T1 and T2, then e = d + T1 and a = T1 + T2.
   137  // The values for e and a are stored in d and h, ready for rotation.
   138  #define SHA512ROUND(index, a, b, c, d, e, f, g, h) \
   139  	SHA512T1(index, e, f, g, h); \
   140  	SHA512T2(a, b, c); \
   141  	MOV	X6, h; \
   142  	ADD	X5, d; \
   143  	ADD	X5, h
   144  
   145  #define SHA512ROUND0(index, a, b, c, d, e, f, g, h) \
   146  	MSGSCHEDULE0(index); \
   147  	SHA512ROUND(index, a, b, c, d, e, f, g, h)
   148  
   149  #define SHA512ROUND1(index, a, b, c, d, e, f, g, h) \
   150  	MSGSCHEDULE1(index); \
   151  	SHA512ROUND(index, a, b, c, d, e, f, g, h)
   152  
   153  // func block(dig *Digest, p []byte)
   154  TEXT ·block(SB),0,$128-32
   155  	MOV	p_base+8(FP), X29
   156  	MOV	p_len+16(FP), X30
   157  	SRL	$7, X30
   158  	SLL	$7, X30
   159  
   160  	ADD	X29, X30, X28
   161  	BEQ	X28, X29, end
   162  
   163  	MOV	$·_K(SB), X18		// const table
   164  	ADD	$8, X2, X19		// message schedule
   165  
   166  	MOV	dig+0(FP), X20
   167  	MOV	(0*8)(X20), X10		// a = H0
   168  	MOV	(1*8)(X20), X11		// b = H1
   169  	MOV	(2*8)(X20), X12		// c = H2
   170  	MOV	(3*8)(X20), X13		// d = H3
   171  	MOV	(4*8)(X20), X14		// e = H4
   172  	MOV	(5*8)(X20), X15		// f = H5
   173  	MOV	(6*8)(X20), X16		// g = H6
   174  	MOV	(7*8)(X20), X17		// h = H7
   175  
   176  loop:
   177  	SHA512ROUND0(0, X10, X11, X12, X13, X14, X15, X16, X17)
   178  	SHA512ROUND0(1, X17, X10, X11, X12, X13, X14, X15, X16)
   179  	SHA512ROUND0(2, X16, X17, X10, X11, X12, X13, X14, X15)
   180  	SHA512ROUND0(3, X15, X16, X17, X10, X11, X12, X13, X14)
   181  	SHA512ROUND0(4, X14, X15, X16, X17, X10, X11, X12, X13)
   182  	SHA512ROUND0(5, X13, X14, X15, X16, X17, X10, X11, X12)
   183  	SHA512ROUND0(6, X12, X13, X14, X15, X16, X17, X10, X11)
   184  	SHA512ROUND0(7, X11, X12, X13, X14, X15, X16, X17, X10)
   185  	SHA512ROUND0(8, X10, X11, X12, X13, X14, X15, X16, X17)
   186  	SHA512ROUND0(9, X17, X10, X11, X12, X13, X14, X15, X16)
   187  	SHA512ROUND0(10, X16, X17, X10, X11, X12, X13, X14, X15)
   188  	SHA512ROUND0(11, X15, X16, X17, X10, X11, X12, X13, X14)
   189  	SHA512ROUND0(12, X14, X15, X16, X17, X10, X11, X12, X13)
   190  	SHA512ROUND0(13, X13, X14, X15, X16, X17, X10, X11, X12)
   191  	SHA512ROUND0(14, X12, X13, X14, X15, X16, X17, X10, X11)
   192  	SHA512ROUND0(15, X11, X12, X13, X14, X15, X16, X17, X10)
   193  
   194  	SHA512ROUND1(16, X10, X11, X12, X13, X14, X15, X16, X17)
   195  	SHA512ROUND1(17, X17, X10, X11, X12, X13, X14, X15, X16)
   196  	SHA512ROUND1(18, X16, X17, X10, X11, X12, X13, X14, X15)
   197  	SHA512ROUND1(19, X15, X16, X17, X10, X11, X12, X13, X14)
   198  	SHA512ROUND1(20, X14, X15, X16, X17, X10, X11, X12, X13)
   199  	SHA512ROUND1(21, X13, X14, X15, X16, X17, X10, X11, X12)
   200  	SHA512ROUND1(22, X12, X13, X14, X15, X16, X17, X10, X11)
   201  	SHA512ROUND1(23, X11, X12, X13, X14, X15, X16, X17, X10)
   202  	SHA512ROUND1(24, X10, X11, X12, X13, X14, X15, X16, X17)
   203  	SHA512ROUND1(25, X17, X10, X11, X12, X13, X14, X15, X16)
   204  	SHA512ROUND1(26, X16, X17, X10, X11, X12, X13, X14, X15)
   205  	SHA512ROUND1(27, X15, X16, X17, X10, X11, X12, X13, X14)
   206  	SHA512ROUND1(28, X14, X15, X16, X17, X10, X11, X12, X13)
   207  	SHA512ROUND1(29, X13, X14, X15, X16, X17, X10, X11, X12)
   208  	SHA512ROUND1(30, X12, X13, X14, X15, X16, X17, X10, X11)
   209  	SHA512ROUND1(31, X11, X12, X13, X14, X15, X16, X17, X10)
   210  	SHA512ROUND1(32, X10, X11, X12, X13, X14, X15, X16, X17)
   211  	SHA512ROUND1(33, X17, X10, X11, X12, X13, X14, X15, X16)
   212  	SHA512ROUND1(34, X16, X17, X10, X11, X12, X13, X14, X15)
   213  	SHA512ROUND1(35, X15, X16, X17, X10, X11, X12, X13, X14)
   214  	SHA512ROUND1(36, X14, X15, X16, X17, X10, X11, X12, X13)
   215  	SHA512ROUND1(37, X13, X14, X15, X16, X17, X10, X11, X12)
   216  	SHA512ROUND1(38, X12, X13, X14, X15, X16, X17, X10, X11)
   217  	SHA512ROUND1(39, X11, X12, X13, X14, X15, X16, X17, X10)
   218  	SHA512ROUND1(40, X10, X11, X12, X13, X14, X15, X16, X17)
   219  	SHA512ROUND1(41, X17, X10, X11, X12, X13, X14, X15, X16)
   220  	SHA512ROUND1(42, X16, X17, X10, X11, X12, X13, X14, X15)
   221  	SHA512ROUND1(43, X15, X16, X17, X10, X11, X12, X13, X14)
   222  	SHA512ROUND1(44, X14, X15, X16, X17, X10, X11, X12, X13)
   223  	SHA512ROUND1(45, X13, X14, X15, X16, X17, X10, X11, X12)
   224  	SHA512ROUND1(46, X12, X13, X14, X15, X16, X17, X10, X11)
   225  	SHA512ROUND1(47, X11, X12, X13, X14, X15, X16, X17, X10)
   226  	SHA512ROUND1(48, X10, X11, X12, X13, X14, X15, X16, X17)
   227  	SHA512ROUND1(49, X17, X10, X11, X12, X13, X14, X15, X16)
   228  	SHA512ROUND1(50, X16, X17, X10, X11, X12, X13, X14, X15)
   229  	SHA512ROUND1(51, X15, X16, X17, X10, X11, X12, X13, X14)
   230  	SHA512ROUND1(52, X14, X15, X16, X17, X10, X11, X12, X13)
   231  	SHA512ROUND1(53, X13, X14, X15, X16, X17, X10, X11, X12)
   232  	SHA512ROUND1(54, X12, X13, X14, X15, X16, X17, X10, X11)
   233  	SHA512ROUND1(55, X11, X12, X13, X14, X15, X16, X17, X10)
   234  	SHA512ROUND1(56, X10, X11, X12, X13, X14, X15, X16, X17)
   235  	SHA512ROUND1(57, X17, X10, X11, X12, X13, X14, X15, X16)
   236  	SHA512ROUND1(58, X16, X17, X10, X11, X12, X13, X14, X15)
   237  	SHA512ROUND1(59, X15, X16, X17, X10, X11, X12, X13, X14)
   238  	SHA512ROUND1(60, X14, X15, X16, X17, X10, X11, X12, X13)
   239  	SHA512ROUND1(61, X13, X14, X15, X16, X17, X10, X11, X12)
   240  	SHA512ROUND1(62, X12, X13, X14, X15, X16, X17, X10, X11)
   241  	SHA512ROUND1(63, X11, X12, X13, X14, X15, X16, X17, X10)
   242  	SHA512ROUND1(64, X10, X11, X12, X13, X14, X15, X16, X17)
   243  	SHA512ROUND1(65, X17, X10, X11, X12, X13, X14, X15, X16)
   244  	SHA512ROUND1(66, X16, X17, X10, X11, X12, X13, X14, X15)
   245  	SHA512ROUND1(67, X15, X16, X17, X10, X11, X12, X13, X14)
   246  	SHA512ROUND1(68, X14, X15, X16, X17, X10, X11, X12, X13)
   247  	SHA512ROUND1(69, X13, X14, X15, X16, X17, X10, X11, X12)
   248  	SHA512ROUND1(70, X12, X13, X14, X15, X16, X17, X10, X11)
   249  	SHA512ROUND1(71, X11, X12, X13, X14, X15, X16, X17, X10)
   250  	SHA512ROUND1(72, X10, X11, X12, X13, X14, X15, X16, X17)
   251  	SHA512ROUND1(73, X17, X10, X11, X12, X13, X14, X15, X16)
   252  	SHA512ROUND1(74, X16, X17, X10, X11, X12, X13, X14, X15)
   253  	SHA512ROUND1(75, X15, X16, X17, X10, X11, X12, X13, X14)
   254  	SHA512ROUND1(76, X14, X15, X16, X17, X10, X11, X12, X13)
   255  	SHA512ROUND1(77, X13, X14, X15, X16, X17, X10, X11, X12)
   256  	SHA512ROUND1(78, X12, X13, X14, X15, X16, X17, X10, X11)
   257  	SHA512ROUND1(79, X11, X12, X13, X14, X15, X16, X17, X10)
   258  
   259  	MOV	(0*8)(X20), X5
   260  	MOV	(1*8)(X20), X6
   261  	MOV	(2*8)(X20), X7
   262  	MOV	(3*8)(X20), X8
   263  	ADD	X5, X10		// H0 = a + H0
   264  	ADD	X6, X11		// H1 = b + H1
   265  	ADD	X7, X12		// H2 = c + H2
   266  	ADD	X8, X13		// H3 = d + H3
   267  	MOV	X10, (0*8)(X20)
   268  	MOV	X11, (1*8)(X20)
   269  	MOV	X12, (2*8)(X20)
   270  	MOV	X13, (3*8)(X20)
   271  	MOV	(4*8)(X20), X5
   272  	MOV	(5*8)(X20), X6
   273  	MOV	(6*8)(X20), X7
   274  	MOV	(7*8)(X20), X8
   275  	ADD	X5, X14		// H4 = e + H4
   276  	ADD	X6, X15		// H5 = f + H5
   277  	ADD	X7, X16		// H6 = g + H6
   278  	ADD	X8, X17		// H7 = h + H7
   279  	MOV	X14, (4*8)(X20)
   280  	MOV	X15, (5*8)(X20)
   281  	MOV	X16, (6*8)(X20)
   282  	MOV	X17, (7*8)(X20)
   283  
   284  	ADD	$128, X29
   285  	BNE	X28, X29, loop
   286  
   287  end:
   288  	RET
   289  

View as plain text