/* Optimized SSE2 implementation of ChaCha20 cipher. Copyright (C) 2022 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ /* chacha20-amd64-ssse3.S - SSSE3 implementation of ChaCha20 cipher Copyright (C) 2017-2019 Jussi Kivilinna This file is part of Libgcrypt. Libgcrypt is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. Libgcrypt is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this program; if not, see . */ /* Based on D. J. Bernstein reference implementation at http://cr.yp.to/chacha.html: chacha-regs.c version 20080118 D. J. Bernstein Public domain. */ #include #include #if MINIMUM_X86_ISA_LEVEL <= 2 #ifdef PIC # define rRIP (%rip) #else # define rRIP #endif /* 'ret' instruction replacement for straight-line speculation mitigation */ #define ret_spec_stop \ ret; int3; /* register macros */ #define INPUT %rdi #define DST %rsi #define SRC %rdx #define NBLKS %rcx #define ROUND %eax /* stack structure */ #define STACK_VEC_X12 (16) #define STACK_VEC_X13 (16 + STACK_VEC_X12) #define STACK_TMP (16 + STACK_VEC_X13) #define STACK_TMP1 (16 + STACK_TMP) #define STACK_TMP2 (16 + STACK_TMP1) #define STACK_MAX (16 + STACK_TMP2) /* vector registers */ #define X0 %xmm0 #define X1 %xmm1 #define X2 %xmm2 #define X3 %xmm3 #define X4 %xmm4 #define X5 %xmm5 #define X6 %xmm6 #define X7 %xmm7 #define X8 %xmm8 #define X9 %xmm9 #define X10 %xmm10 #define X11 %xmm11 #define X12 %xmm12 #define X13 %xmm13 #define X14 %xmm14 #define X15 %xmm15 /********************************************************************** helper macros **********************************************************************/ /* 4x4 32-bit integer matrix transpose */ #define TRANSPOSE_4x4(x0, x1, x2, x3, t1, t2, t3) \ movdqa x0, t2; \ punpckhdq x1, t2; \ punpckldq x1, x0; \ \ movdqa x2, t1; \ punpckldq x3, t1; \ punpckhdq x3, x2; \ \ movdqa x0, x1; \ punpckhqdq t1, x1; \ punpcklqdq t1, x0; \ \ movdqa t2, x3; \ punpckhqdq x2, x3; \ punpcklqdq x2, t2; \ movdqa t2, x2; /* fill xmm register with 32-bit value from memory */ #define PBROADCASTD(mem32, xreg) \ movd mem32, xreg; \ pshufd $0, xreg, xreg; /********************************************************************** 4-way chacha20 **********************************************************************/ #define ROTATE2(v1,v2,c,tmp1,tmp2) \ movdqa v1, tmp1; \ movdqa v2, tmp2; \ psrld $(32 - (c)), v1; \ pslld $(c), tmp1; \ paddb tmp1, v1; \ psrld $(32 - (c)), v2; \ pslld $(c), tmp2; \ paddb tmp2, v2; #define XOR(ds,s) \ pxor s, ds; #define PLUS(ds,s) \ paddd s, ds; #define QUARTERROUND2(a1,b1,c1,d1,a2,b2,c2,d2,ign,tmp1,tmp2) \ PLUS(a1,b1); PLUS(a2,b2); XOR(d1,a1); XOR(d2,a2); \ ROTATE2(d1, d2, 16, tmp1, tmp2); \ PLUS(c1,d1); PLUS(c2,d2); XOR(b1,c1); XOR(b2,c2); \ ROTATE2(b1, b2, 12, tmp1, tmp2); \ PLUS(a1,b1); PLUS(a2,b2); XOR(d1,a1); XOR(d2,a2); \ ROTATE2(d1, d2, 8, tmp1, tmp2); \ PLUS(c1,d1); PLUS(c2,d2); XOR(b1,c1); XOR(b2,c2); \ ROTATE2(b1, b2, 7, tmp1, tmp2); .section .text.sse2,"ax",@progbits chacha20_data: .align 16 L(counter1): .long 1,0,0,0 L(inc_counter): .long 0,1,2,3 L(unsigned_cmp): .long 0x80000000,0x80000000,0x80000000,0x80000000 .hidden __chacha20_sse2_blocks4 ENTRY (__chacha20_sse2_blocks4) /* input: * %rdi: input * %rsi: dst * %rdx: src * %rcx: nblks (multiple of 4) */ pushq %rbp; cfi_adjust_cfa_offset(8); cfi_rel_offset(rbp, 0) movq %rsp, %rbp; cfi_def_cfa_register(%rbp); subq $STACK_MAX, %rsp; andq $~15, %rsp; L(loop4): mov $20, ROUND; /* Construct counter vectors X12 and X13 */ movdqa L(inc_counter) rRIP, X0; movdqa L(unsigned_cmp) rRIP, X2; PBROADCASTD((12 * 4)(INPUT), X12); PBROADCASTD((13 * 4)(INPUT), X13); paddd X0, X12; movdqa X12, X1; pxor X2, X0; pxor X2, X1; pcmpgtd X1, X0; psubd X0, X13; movdqa X12, (STACK_VEC_X12)(%rsp); movdqa X13, (STACK_VEC_X13)(%rsp); /* Load vectors */ PBROADCASTD((0 * 4)(INPUT), X0); PBROADCASTD((1 * 4)(INPUT), X1); PBROADCASTD((2 * 4)(INPUT), X2); PBROADCASTD((3 * 4)(INPUT), X3); PBROADCASTD((4 * 4)(INPUT), X4); PBROADCASTD((5 * 4)(INPUT), X5); PBROADCASTD((6 * 4)(INPUT), X6); PBROADCASTD((7 * 4)(INPUT), X7); PBROADCASTD((8 * 4)(INPUT), X8); PBROADCASTD((9 * 4)(INPUT), X9); PBROADCASTD((10 * 4)(INPUT), X10); PBROADCASTD((11 * 4)(INPUT), X11); PBROADCASTD((14 * 4)(INPUT), X14); PBROADCASTD((15 * 4)(INPUT), X15); movdqa X11, (STACK_TMP)(%rsp); movdqa X15, (STACK_TMP1)(%rsp); L(round2_4): QUARTERROUND2(X0, X4, X8, X12, X1, X5, X9, X13, tmp:=,X11,X15) movdqa (STACK_TMP)(%rsp), X11; movdqa (STACK_TMP1)(%rsp), X15; movdqa X8, (STACK_TMP)(%rsp); movdqa X9, (STACK_TMP1)(%rsp); QUARTERROUND2(X2, X6, X10, X14, X3, X7, X11, X15, tmp:=,X8,X9) QUARTERROUND2(X0, X5, X10, X15, X1, X6, X11, X12, tmp:=,X8,X9) movdqa (STACK_TMP)(%rsp), X8; movdqa (STACK_TMP1)(%rsp), X9; movdqa X11, (STACK_TMP)(%rsp); movdqa X15, (STACK_TMP1)(%rsp); QUARTERROUND2(X2, X7, X8, X13, X3, X4, X9, X14, tmp:=,X11,X15) sub $2, ROUND; jnz L(round2_4); /* tmp := X15 */ movdqa (STACK_TMP)(%rsp), X11; PBROADCASTD((0 * 4)(INPUT), X15); PLUS(X0, X15); PBROADCASTD((1 * 4)(INPUT), X15); PLUS(X1, X15); PBROADCASTD((2 * 4)(INPUT), X15); PLUS(X2, X15); PBROADCASTD((3 * 4)(INPUT), X15); PLUS(X3, X15); PBROADCASTD((4 * 4)(INPUT), X15); PLUS(X4, X15); PBROADCASTD((5 * 4)(INPUT), X15); PLUS(X5, X15); PBROADCASTD((6 * 4)(INPUT), X15); PLUS(X6, X15); PBROADCASTD((7 * 4)(INPUT), X15); PLUS(X7, X15); PBROADCASTD((8 * 4)(INPUT), X15); PLUS(X8, X15); PBROADCASTD((9 * 4)(INPUT), X15); PLUS(X9, X15); PBROADCASTD((10 * 4)(INPUT), X15); PLUS(X10, X15); PBROADCASTD((11 * 4)(INPUT), X15); PLUS(X11, X15); movdqa (STACK_VEC_X12)(%rsp), X15; PLUS(X12, X15); movdqa (STACK_VEC_X13)(%rsp), X15; PLUS(X13, X15); movdqa X13, (STACK_TMP)(%rsp); PBROADCASTD((14 * 4)(INPUT), X15); PLUS(X14, X15); movdqa (STACK_TMP1)(%rsp), X15; movdqa X14, (STACK_TMP1)(%rsp); PBROADCASTD((15 * 4)(INPUT), X13); PLUS(X15, X13); movdqa X15, (STACK_TMP2)(%rsp); /* Update counter */ addq $4, (12 * 4)(INPUT); TRANSPOSE_4x4(X0, X1, X2, X3, X13, X14, X15); movdqu X0, (64 * 0 + 16 * 0)(DST) movdqu X1, (64 * 1 + 16 * 0)(DST) movdqu X2, (64 * 2 + 16 * 0)(DST) movdqu X3, (64 * 3 + 16 * 0)(DST) TRANSPOSE_4x4(X4, X5, X6, X7, X0, X1, X2); movdqa (STACK_TMP)(%rsp), X13; movdqa (STACK_TMP1)(%rsp), X14; movdqa (STACK_TMP2)(%rsp), X15; movdqu X4, (64 * 0 + 16 * 1)(DST) movdqu X5, (64 * 1 + 16 * 1)(DST) movdqu X6, (64 * 2 + 16 * 1)(DST) movdqu X7, (64 * 3 + 16 * 1)(DST) TRANSPOSE_4x4(X8, X9, X10, X11, X0, X1, X2); movdqu X8, (64 * 0 + 16 * 2)(DST) movdqu X9, (64 * 1 + 16 * 2)(DST) movdqu X10, (64 * 2 + 16 * 2)(DST) movdqu X11, (64 * 3 + 16 * 2)(DST) TRANSPOSE_4x4(X12, X13, X14, X15, X0, X1, X2); movdqu X12, (64 * 0 + 16 * 3)(DST) movdqu X13, (64 * 1 + 16 * 3)(DST) movdqu X14, (64 * 2 + 16 * 3)(DST) movdqu X15, (64 * 3 + 16 * 3)(DST) sub $4, NBLKS; lea (4 * 64)(DST), DST; lea (4 * 64)(SRC), SRC; jnz L(loop4); /* eax zeroed by round loop. */ leave; cfi_adjust_cfa_offset(-8) cfi_def_cfa_register(%rsp); ret_spec_stop; END (__chacha20_sse2_blocks4) #endif /* if MINIMUM_X86_ISA_LEVEL <= 2 */