diff options
Diffstat (limited to 'lib/libcrypto/bn')
-rw-r--r-- | lib/libcrypto/bn/asm/ia64.S | 217 | ||||
-rw-r--r-- | lib/libcrypto/bn/bn_mont.c | 2 | ||||
-rw-r--r-- | lib/libcrypto/bn/bntest.c | 2 |
3 files changed, 88 insertions, 133 deletions
diff --git a/lib/libcrypto/bn/asm/ia64.S b/lib/libcrypto/bn/asm/ia64.S index 7dfda855660..7b82b820e62 100644 --- a/lib/libcrypto/bn/asm/ia64.S +++ b/lib/libcrypto/bn/asm/ia64.S @@ -1,6 +1,6 @@ .explicit .text -.ident "ia64.S, Version 2.0" +.ident "ia64.S, Version 2.1" .ident "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>" // @@ -35,7 +35,7 @@ // What does it mean? You might ratiocinate that the original code // should run just faster... Because sum of latencies is smaller... // Wrong! Note that getf latency increased. This means that if a loop is -// scheduled for lower latency (and they are), then it will suffer from +// scheduled for lower latency (as they were), then it will suffer from // stall condition and the code will therefore turn anti-scalable, e.g. // original bn_mul_words spun at 5*n or 2.5 times slower than expected // on Itanium2! What to do? Reschedule loops for Itanium2? But then @@ -145,6 +145,12 @@ // -Drum=nop.m in command line. // +#if defined(_HPUX_SOURCE) && !defined(_LP64) +#define ADDP addp4 +#else +#define ADDP add +#endif + #if 1 // // bn_[add|sub]_words routines. @@ -178,27 +184,12 @@ bn_add_words: brp.loop.imp .L_bn_add_words_ctop,.L_bn_add_words_cend-16 } .body -{ .mib; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r14=0,r32 // rp -#else - mov r14=r32 // rp -#endif +{ .mib; ADDP r14=0,r32 // rp mov r9=pr };; -{ .mii; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r15=0,r33 // ap -#else - mov r15=r33 // ap -#endif +{ .mii; ADDP r15=0,r33 // ap mov ar.lc=r10 mov ar.ec=6 } -{ .mib; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r16=0,r34 // bp -#else - mov r16=r34 // bp -#endif +{ .mib; ADDP r16=0,r34 // bp mov pr.rot=1<<16 };; .L_bn_add_words_ctop: @@ -246,27 +237,12 @@ bn_sub_words: brp.loop.imp .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16 } .body -{ .mib; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r14=0,r32 // rp -#else - mov r14=r32 // rp -#endif +{ .mib; ADDP r14=0,r32 // rp mov r9=pr };; -{ .mii; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r15=0,r33 // ap -#else - mov r15=r33 // ap -#endif +{ .mii; ADDP r15=0,r33 // ap mov ar.lc=r10 mov ar.ec=6 } -{ .mib; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r16=0,r34 // bp -#else - mov r16=r34 // bp -#endif +{ .mib; ADDP r16=0,r34 // bp mov pr.rot=1<<16 };; .L_bn_sub_words_ctop: @@ -332,16 +308,10 @@ bn_mul_words: #ifndef XMA_TEMPTATION -{ .mii; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r14=0,r32 // rp - addp4 r15=0,r33 // ap -#else - mov r14=r32 // rp - mov r15=r33 // ap -#endif +{ .mmi; ADDP r14=0,r32 // rp + ADDP r15=0,r33 // ap mov ar.lc=r10 } -{ .mii; mov r40=0 // serves as r35 at first (p27) +{ .mmi; mov r40=0 // serves as r35 at first (p27) mov ar.ec=13 };; // This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium @@ -424,89 +394,64 @@ bn_mul_words: .global bn_mul_add_words# .proc bn_mul_add_words# .align 64 -//.skip 0 // makes the loop split at 64-byte boundary +.skip 48 // makes the loop body aligned at 64-byte boundary bn_mul_add_words: .prologue .fframe 0 .save ar.pfs,r2 -{ .mii; alloc r2=ar.pfs,4,12,0,16 - cmp4.le p6,p0=r34,r0 };; -{ .mfb; mov r8=r0 // return value -(p6) br.ret.spnt.many b0 };; - .save ar.lc,r3 -{ .mii; sub r10=r34,r0,1 - mov r3=ar.lc - mov r9=pr };; + .save pr,r9 +{ .mmi; alloc r2=ar.pfs,4,4,0,8 + cmp4.le p6,p0=r34,r0 + mov r3=ar.lc };; +{ .mib; mov r8=r0 // return value + sub r10=r34,r0,1 +(p6) br.ret.spnt.many b0 };; .body -{ .mib; setf.sig f8=r35 // w - mov pr.rot=0x800001<<16 - // ------^----- serves as (p50) at first (p27) +{ .mib; setf.sig f8=r35 // w + mov r9=pr brp.loop.imp .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16 } -{ .mii; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r14=0,r32 // rp - addp4 r15=0,r33 // ap -#else - mov r14=r32 // rp - mov r15=r33 // ap -#endif +{ .mmi; ADDP r14=0,r32 // rp + ADDP r15=0,r33 // ap mov ar.lc=r10 } -{ .mii; mov r40=0 // serves as r35 at first (p27) -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r18=0,r32 // rp copy -#else - mov r18=r32 // rp copy -#endif - mov ar.ec=15 };; - -// This loop spins in 3*(n+14) ticks on Itanium and should spin in -// 2*(n+14) on "wider" IA-64 implementations (to be verified with new -// µ-architecture manuals as they become available). As usual it's -// possible to compress the epilogue, down to 10 in this case, at the -// cost of scalability. Compressed (and therefore non-scalable) loop -// running at 3*(n+11) would buy you ~10% on Itanium but take ~35% -// from "wider" IA-64 so let it be scalable! Special attention was -// paid for having the loop body split at 64-byte boundary. ld8 is -// scheduled for L1 cache as the data is more than likely there. -// Indeed, bn_mul_words has put it there a moment ago:-) +{ .mii; ADDP r16=0,r32 // rp copy + mov pr.rot=0x2001<<16 + // ------^----- serves as (p40) at first (p27) + mov ar.ec=11 };; + +// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on +// Itanium 2. Yes, unlike previous versions it scales:-) Previous +// version was peforming *all* additions in IALU and was starving +// for those even on Itanium 2. In this version one addition is +// moved to FPU and is folded with multiplication. This is at cost +// of propogating the result from previous call to this subroutine +// to L2 cache... In other words negligible even for shorter keys. +// *Overall* performance improvement [over previous version] varies +// from 11 to 22 percent depending on key length. .L_bn_mul_add_words_ctop: -{ .mfi; (p25) getf.sig r36=f52 // low - (p21) xmpy.lu f48=f37,f8 - (p28) cmp.ltu p54,p50=r41,r39 } -{ .mfi; (p16) ldf8 f32=[r15],8 - (p21) xmpy.hu f40=f37,f8 - (p28) add r45=r45,r41 };; -{ .mii; (p25) getf.sig r32=f44 // high - .pred.rel "mutex",p50,p54 - (p50) add r40=r38,r35 // (p27) - (p54) add r40=r38,r35,1 } // (p27) -{ .mfb; (p28) cmp.ltu.unc p60,p0=r45,r41 - (p0) nop.f 0x0 - (p0) nop.b 0x0 } -{ .mii; (p27) ld8 r44=[r18],8 - (p62) cmp.eq.or p61,p0=-1,r46 - (p62) add r46=1,r46 } -{ .mfb; (p30) st8 [r14]=r47,8 - (p0) nop.f 0x0 +.pred.rel "mutex",p40,p42 +{ .mfi; (p23) getf.sig r36=f45 // low + (p20) xma.lu f42=f36,f8,f50 // low + (p40) add r39=r39,r35 } // (p27) +{ .mfi; (p16) ldf8 f32=[r15],8 // *(ap++) + (p20) xma.hu f36=f36,f8,f50 // high + (p42) add r39=r39,r35,1 };; // (p27) +{ .mmi; (p24) getf.sig r32=f40 // high + (p16) ldf8 f46=[r16],8 // *(rp1++) + (p40) cmp.ltu p41,p39=r39,r35 } // (p27) +{ .mib; (p26) st8 [r14]=r39,8 // *(rp2++) + (p42) cmp.leu p41,p39=r39,r35 // (p27) br.ctop.sptk .L_bn_mul_add_words_ctop};; .L_bn_mul_add_words_cend: -{ .mii; nop.m 0x0 -.pred.rel "mutex",p53,p57 -(p53) add r8=r38,r0 -(p57) add r8=r38,r0,1 } -{ .mfb; nop.m 0x0 - nop.f 0x0 - nop.b 0x0 };; -{ .mii; -(p63) add r8=1,r8 - mov pr=r9,0x1ffff - mov ar.lc=r3 } -{ .mfb; rum 1<<5 // clear um.mfh - nop.f 0x0 +{ .mmi; .pred.rel "mutex",p40,p42 +(p40) add r8=r35,r0 +(p42) add r8=r35,r0,1 + mov pr=r9,0x1ffff } +{ .mib; rum 1<<5 // clear um.mfh + mov ar.lc=r3 br.ret.sptk.many b0 };; .endp bn_mul_add_words# #endif @@ -527,7 +472,8 @@ bn_sqr_words: sxt4 r34=r34 };; { .mii; cmp.le p6,p0=r34,r0 mov r8=r0 } // return value -{ .mfb; nop.f 0x0 +{ .mfb; ADDP r32=0,r32 + nop.f 0x0 (p6) br.ret.spnt.many b0 };; .save ar.lc,r3 @@ -536,11 +482,7 @@ bn_sqr_words: mov r9=pr };; .body -#if defined(_HPUX_SOURCE) && defined(_ILP32) -{ .mii; addp4 r32=0,r32 - addp4 r33=0,r33 };; -#endif -{ .mib; +{ .mib; ADDP r33=0,r33 mov pr.rot=1<<16 brp.loop.imp .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16 } @@ -605,7 +547,7 @@ bn_sqr_comba8: .prologue .fframe 0 .save ar.pfs,r2 -#if defined(_HPUX_SOURCE) && defined(_ILP32) +#if defined(_HPUX_SOURCE) && !defined(_LP64) { .mii; alloc r2=ar.pfs,2,1,0,0 addp4 r33=0,r33 addp4 r32=0,r32 };; @@ -631,6 +573,10 @@ bn_sqr_comba8: // clause in Itanium µ-architecture manual? Comments are welcomed and // highly appreciated. // +// On Itanium 2 it takes ~190 ticks. This is because of stalls on +// result from getf.sig. I do nothing about it at this point for +// reasons depicted below. +// // However! It should be noted that even 160 ticks is darn good result // as it's over 10 (yes, ten, spelled as t-e-n) times faster than the // C version (compiled with gcc with inline assembler). I really @@ -673,7 +619,7 @@ bn_mul_comba8: .prologue .fframe 0 .save ar.pfs,r2 -#if defined(_HPUX_SOURCE) && defined(_ILP32) +#if defined(_HPUX_SOURCE) && !defined(_LP64) { .mii; alloc r2=ar.pfs,3,0,0,0 addp4 r33=0,r33 addp4 r34=0,r34 };; @@ -1231,7 +1177,7 @@ bn_sqr_comba4: .prologue .fframe 0 .save ar.pfs,r2 -#if defined(_HPUX_SOURCE) && defined(_ILP32) +#if defined(_HPUX_SOURCE) && !defined(_LP64) { .mii; alloc r2=ar.pfs,2,1,0,0 addp4 r32=0,r32 addp4 r33=0,r33 };; @@ -1264,7 +1210,7 @@ bn_mul_comba4: .prologue .fframe 0 .save ar.pfs,r2 -#if defined(_HPUX_SOURCE) && defined(_ILP32) +#if defined(_HPUX_SOURCE) && !defined(_LP64) { .mii; alloc r2=ar.pfs,3,0,0,0 addp4 r33=0,r33 addp4 r34=0,r34 };; @@ -1448,8 +1394,8 @@ bn_mul_comba4: #define I r21 #if 0 -// Some preprocessors (most notably HP-UX) apper to be allergic to -// macros enclosed to parenthesis as these three will be. +// Some preprocessors (most notably HP-UX) appear to be allergic to +// macros enclosed to parenthesis [as these three were]. #define cont p16 #define break p0 // p20 #define equ p24 @@ -1581,9 +1527,18 @@ bn_div_words: // output: f8 = (int)(a/b) // clobbered: f8,f9,f10,f11,pred pred=p15 -// This procedure is essentially Intel code and therefore is -// copyrighted to Intel Corporation (I suppose...). It's sligtly -// modified for specific needs. +// One can argue that this snippet is copyrighted to Intel +// Corporation, as it's essentially identical to one of those +// found in "Divide, Square Root and Remainder" section at +// http://www.intel.com/software/products/opensource/libraries/num.htm. +// Yes, I admit that the referred code was used as template, +// but after I realized that there hardly is any other instruction +// sequence which would perform this operation. I mean I figure that +// any independent attempt to implement high-performance division +// will result in code virtually identical to the Intel code. It +// should be noted though that below division kernel is 1 cycle +// faster than Intel one (note commented splits:-), not to mention +// original prologue (rather lack of one) and epilogue. .align 32 .skip 16 .L_udiv64_32_b6: diff --git a/lib/libcrypto/bn/bn_mont.c b/lib/libcrypto/bn/bn_mont.c index c9ebdbaabeb..b79b1b60da0 100644 --- a/lib/libcrypto/bn/bn_mont.c +++ b/lib/libcrypto/bn/bn_mont.c @@ -273,7 +273,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) BN_init(&Ri); R= &(mont->RR); /* grab RR as a temp */ - BN_copy(&(mont->N),mod); /* Set N */ + if (!BN_copy(&(mont->N),mod)) goto err; /* Set N */ mont->N.neg = 0; #ifdef MONT_WORD diff --git a/lib/libcrypto/bn/bntest.c b/lib/libcrypto/bn/bntest.c index 8ef733013d6..79d813d85e1 100644 --- a/lib/libcrypto/bn/bntest.c +++ b/lib/libcrypto/bn/bntest.c @@ -232,7 +232,7 @@ int main(int argc, char *argv[]) EXIT(0); err: BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices - * the failure, see test_bn in test/Makefile.ssl*/ + * the failure, see test_bn in test/Makefile */ BIO_flush(out); ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); |