Changeset 19087

Timestamp:

04/23/12 04:19:49 (14 months ago)

Author:

BrainSlayer

Message:

mips asm

Location:

src/router/openssl/crypto/sha

Files:

• Makefile (modified) (1 diff)
• asm/sha1-armv4-large.pl (modified) (5 diffs)
• asm/sha1-mips.pl (added)
• asm/sha256-armv4.pl (modified) (7 diffs)
• asm/sha512-armv4.pl (modified) (16 diffs)
• asm/sha512-mips.pl (added)

src/router/openssl/crypto/sha/Makefile

@@ -65 +65 @@
 sha1-armv4-large.s: asm/sha1-armv4-large.pl
         $(PERL) $< $@
+
+sha256-mips.s: asm/sha512-mips.pl
+        $(PERL) $< > $@
+
+sha512-mips.s: asm/sha512-mips.pl
+        $(PERL) $< > $@
+
+sha1-mips.s: asm/sha1-mips.pl
+        $(PERL) $< > $@
+
 
 sha1-ppc.s:     asm/sha1-ppc.pl;        $(PERL) asm/sha1-ppc.pl linux32 $@

src/router/openssl/crypto/sha/asm/sha1-armv4-large.pl

@@ -38 +38 @@
 #       the same job in Thumb, therefore the code is never twice as
 #       small and always slower.
-# [***] which is also ~35% better than compiler generated code.
-
-$output=shift;
+# [***] which is also ~35% better than compiler generated code. Dual-
+#       issue Cortex A8 core was measured to process input block in
+#       ~990 cycles.
+
+# August 2010.
+#
+# Rescheduling for dual-issue pipeline resulted in 13% improvement on
+# Cortex A8 core and in absolute terms ~870 cycles per input block
+# [or 13.6 cycles per byte].
+
+# February 2011.
+#
+# Profiler-assisted and platform-specific optimization resulted in 10%
+# improvement on Cortex A8 core and 12.2 cycles per byte.
+
+while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
 open STDOUT,">$output";
 
@@ -59 +72 @@
 @V=($a,$b,$c,$d,$e);
 
-# One can optimize this for aligned access on big-endian architecture,
-# but code's endian neutrality makes it too pretty:-)
-sub Xload {
-my ($a,$b,$c,$d,$e)=@_;
-$code.=<<___;
-        ldrb    $t0,[$inp],#4
-        ldrb    $t1,[$inp,#-3]
-        ldrb    $t2,[$inp,#-2]
-        ldrb    $t3,[$inp,#-1]
-        add     $e,$K,$e,ror#2                  @ E+=K_00_19
-        orr     $t0,$t1,$t0,lsl#8
-        add     $e,$e,$a,ror#27                 @ E+=ROR(A,27)
-        orr     $t0,$t2,$t0,lsl#8
-        eor     $t1,$c,$d                       @ F_xx_xx
-        orr     $t0,$t3,$t0,lsl#8
-        add     $e,$e,$t0                       @ E+=X[i]
-        str     $t0,[$Xi,#-4]!
-___
-}
 sub Xupdate {
-my ($a,$b,$c,$d,$e,$flag)=@_;
+my ($a,$b,$c,$d,$e,$opt1,$opt2)=@_;
 $code.=<<___;
         ldr     $t0,[$Xi,#15*4]
         ldr     $t1,[$Xi,#13*4]
         ldr     $t2,[$Xi,#7*4]
+        add     $e,$K,$e,ror#2                  @ E+=K_xx_xx
         ldr     $t3,[$Xi,#2*4]
-        add     $e,$K,$e,ror#2                  @ E+=K_xx_xx
         eor     $t0,$t0,$t1
-        eor     $t0,$t0,$t2
-        eor     $t0,$t0,$t3
+        eor     $t2,$t2,$t3                     @ 1 cycle stall
+        eor     $t1,$c,$d                       @ F_xx_xx
+        mov     $t0,$t0,ror#31
         add     $e,$e,$a,ror#27                 @ E+=ROR(A,27)
-___
-$code.=<<___ if (!defined($flag));
-        eor     $t1,$c,$d                       @ F_xx_xx, but not in 40_59
-___
-$code.=<<___;
-        mov     $t0,$t0,ror#31
+        eor     $t0,$t0,$t2,ror#31
+        str     $t0,[$Xi,#-4]!
+        $opt1                                   @ F_xx_xx
+        $opt2                                   @ F_xx_xx
         add     $e,$e,$t0                       @ E+=X[i]
+___
+}
+
+sub BODY_00_15 {
+my ($a,$b,$c,$d,$e)=@_;
+$code.=<<___;
+#if __ARM_ARCH__<7
+        ldrb    $t1,[$inp,#2]
+        ldrb    $t0,[$inp,#3]
+        ldrb    $t2,[$inp,#1]
+        add     $e,$K,$e,ror#2                  @ E+=K_00_19
+        ldrb    $t3,[$inp],#4
+        orr     $t0,$t0,$t1,lsl#8
+        eor     $t1,$c,$d                       @ F_xx_xx
+        orr     $t0,$t0,$t2,lsl#16
+        add     $e,$e,$a,ror#27                 @ E+=ROR(A,27)
+        orr     $t0,$t0,$t3,lsl#24
+#else
+        ldr     $t0,[$inp],#4                   @ handles unaligned
+        add     $e,$K,$e,ror#2                  @ E+=K_00_19
+        eor     $t1,$c,$d                       @ F_xx_xx
+        add     $e,$e,$a,ror#27                 @ E+=ROR(A,27)
+#ifdef __ARMEL__
+        rev     $t0,$t0                         @ byte swap
+#endif
+#endif
+        and     $t1,$b,$t1,ror#2
+        add     $e,$e,$t0                       @ E+=X[i]
+        eor     $t1,$t1,$d,ror#2                @ F_00_19(B,C,D)
         str     $t0,[$Xi,#-4]!
-___
-}
-
-sub BODY_00_15 {
-my ($a,$b,$c,$d,$e)=@_;
-        &Xload(@_);
-$code.=<<___;
-        and     $t1,$b,$t1,ror#2
+        add     $e,$e,$t1                       @ E+=F_00_19(B,C,D)
+___
+}
+
+sub BODY_16_19 {
+my ($a,$b,$c,$d,$e)=@_;
+        &Xupdate(@_,"and $t1,$b,$t1,ror#2");
+$code.=<<___;
         eor     $t1,$t1,$d,ror#2                @ F_00_19(B,C,D)
         add     $e,$e,$t1                       @ E+=F_00_19(B,C,D)
@@ -111 +133 @@
 }
 
-sub BODY_16_19 {
-my ($a,$b,$c,$d,$e)=@_;
-        &Xupdate(@_);
-$code.=<<___;
-        and     $t1,$b,$t1,ror#2
-        eor     $t1,$t1,$d,ror#2                @ F_00_19(B,C,D)
-        add     $e,$e,$t1                       @ E+=F_00_19(B,C,D)
-___
-}
-
 sub BODY_20_39 {
 my ($a,$b,$c,$d,$e)=@_;
-        &Xupdate(@_);
-$code.=<<___;
-        eor     $t1,$b,$t1,ror#2                @ F_20_39(B,C,D)
+        &Xupdate(@_,"eor $t1,$b,$t1,ror#2");
+$code.=<<___;
         add     $e,$e,$t1                       @ E+=F_20_39(B,C,D)
 ___
@@ -132 +143 @@
 sub BODY_40_59 {
 my ($a,$b,$c,$d,$e)=@_;
-        &Xupdate(@_,1);
-$code.=<<___;
-        and     $t1,$b,$c,ror#2
-        orr     $t2,$b,$c,ror#2
-        and     $t2,$t2,$d,ror#2
-        orr     $t1,$t1,$t2                     @ F_40_59(B,C,D)
+        &Xupdate(@_,"and $t1,$b,$t1,ror#2","and $t2,$c,$d");
+$code.=<<___;
         add     $e,$e,$t1                       @ E+=F_40_59(B,C,D)
+        add     $e,$e,$t2,ror#2
 ___
 }
 
 $code=<<___;
+#include "arm_arch.h"
+
 .text
 
@@ -216 +226 @@
         bne     .Lloop                  @ [+18], total 1307
 
+#if __ARM_ARCH__>=5
+        ldmia   sp!,{r4-r12,pc}
+#else
         ldmia   sp!,{r4-r12,lr}
         tst     lr,#1
         moveq   pc,lr                   @ be binary compatible with V4, yet
         bx      lr                      @ interoperable with Thumb ISA:-)
+#endif
 .align  2
 .LK_00_19:      .word   0x5a827999

src/router/openssl/crypto/sha/asm/sha256-armv4.pl

@@ -12 +12 @@
 # Performance is ~2x better than gcc 3.4 generated code and in "abso-
 # lute" terms is ~2250 cycles per 64-byte block or ~35 cycles per
-# byte.
-
-$output=shift;
+# byte [on single-issue Xscale PXA250 core].
+
+# July 2010.
+#
+# Rescheduling for dual-issue pipeline resulted in 22% improvement on
+# Cortex A8 core and ~20 cycles per processed byte.
+
+# February 2011.
+#
+# Profiler-assisted and platform-specific optimization resulted in 16%
+# improvement on Cortex A8 core and ~17 cycles per processed byte.
+
+while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
 open STDOUT,">$output";
 
 $ctx="r0";      $t0="r0";
-$inp="r1";
+$inp="r1";      $t3="r1";
 $len="r2";      $t1="r2";
 $T1="r3";
@@ -42 +52 @@
 
 $code.=<<___ if ($i<16);
+#if __ARM_ARCH__>=7
+        ldr     $T1,[$inp],#4
+#else
         ldrb    $T1,[$inp,#3]                   @ $i
         ldrb    $t2,[$inp,#2]
@@ -49 +62 @@
         orr     $T1,$T1,$t1,lsl#16
         orr     $T1,$T1,$t0,lsl#24
-        `"str   $inp,[sp,#17*4]"        if ($i==15)`
+#endif
 ___
 $code.=<<___;
+        mov     $t0,$e,ror#$Sigma1[0]
         ldr     $t2,[$Ktbl],#4                  @ *K256++
+        eor     $t0,$t0,$e,ror#$Sigma1[1]
+        eor     $t1,$f,$g
+#if $i>=16
+        add     $T1,$T1,$t3                     @ from BODY_16_xx
+#elif __ARM_ARCH__>=7 && defined(__ARMEL__)
+        rev     $T1,$T1
+#endif
+#if $i==15
+        str     $inp,[sp,#17*4]                 @ leave room for $t3
+#endif
+        eor     $t0,$t0,$e,ror#$Sigma1[2]       @ Sigma1(e)
+        and     $t1,$t1,$e
         str     $T1,[sp,#`$i%16`*4]
-        mov     $t0,$e,ror#$Sigma1[0]
-        eor     $t0,$t0,$e,ror#$Sigma1[1]
-        eor     $t0,$t0,$e,ror#$Sigma1[2]       @ Sigma1(e)
         add     $T1,$T1,$t0
-        eor     $t1,$f,$g
-        and     $t1,$t1,$e
         eor     $t1,$t1,$g                      @ Ch(e,f,g)
+        add     $T1,$T1,$h
+        mov     $h,$a,ror#$Sigma0[0]
         add     $T1,$T1,$t1
-        add     $T1,$T1,$h
+        eor     $h,$h,$a,ror#$Sigma0[1]
         add     $T1,$T1,$t2
-        mov     $h,$a,ror#$Sigma0[0]
-        eor     $h,$h,$a,ror#$Sigma0[1]
         eor     $h,$h,$a,ror#$Sigma0[2]         @ Sigma0(a)
+#if $i>=15
+        ldr     $t3,[sp,#`($i+2)%16`*4]         @ from BODY_16_xx
+#endif
         orr     $t0,$a,$b
+        and     $t1,$a,$b
         and     $t0,$t0,$c
-        and     $t1,$a,$b
+        add     $h,$h,$T1
         orr     $t0,$t0,$t1                     @ Maj(a,b,c)
+        add     $d,$d,$T1
         add     $h,$h,$t0
-        add     $d,$d,$T1
-        add     $h,$h,$T1
 ___
 }
@@ -81 +105 @@
 
 $code.=<<___;
-        ldr     $t1,[sp,#`($i+1)%16`*4] @ $i
+        @ ldr   $t3,[sp,#`($i+1)%16`*4]         @ $i
         ldr     $t2,[sp,#`($i+14)%16`*4]
+        mov     $t0,$t3,ror#$sigma0[0]
         ldr     $T1,[sp,#`($i+0)%16`*4]
-        ldr     $inp,[sp,#`($i+9)%16`*4]
-        mov     $t0,$t1,ror#$sigma0[0]
-        eor     $t0,$t0,$t1,ror#$sigma0[1]
-        eor     $t0,$t0,$t1,lsr#$sigma0[2]      @ sigma0(X[i+1])
-        mov     $t1,$t2,ror#$sigma1[0]
-        eor     $t1,$t1,$t2,ror#$sigma1[1]
-        eor     $t1,$t1,$t2,lsr#$sigma1[2]      @ sigma1(X[i+14])
+        eor     $t0,$t0,$t3,ror#$sigma0[1]
+        ldr     $t1,[sp,#`($i+9)%16`*4]
+        eor     $t0,$t0,$t3,lsr#$sigma0[2]      @ sigma0(X[i+1])
+        mov     $t3,$t2,ror#$sigma1[0]
         add     $T1,$T1,$t0
+        eor     $t3,$t3,$t2,ror#$sigma1[1]
         add     $T1,$T1,$t1
-        add     $T1,$T1,$inp
+        eor     $t3,$t3,$t2,lsr#$sigma1[2]      @ sigma1(X[i+14])
+        @ add   $T1,$T1,$t3
 ___
         &BODY_00_15(@_);
@@ -99 +123 @@
 
 $code=<<___;
+#include "arm_arch.h"
+
 .text
 .code   32
@@ -128 +154 @@
         sub     r3,pc,#8                @ sha256_block_data_order
         add     $len,$inp,$len,lsl#6    @ len to point at the end of inp
-        stmdb   sp!,{$ctx,$inp,$len,r4-r12,lr}
+        stmdb   sp!,{$ctx,$inp,$len,r4-r11,lr}
         ldmia   $ctx,{$A,$B,$C,$D,$E,$F,$G,$H}
         sub     $Ktbl,r3,#256           @ K256
@@ -167 +193 @@
 
         add     sp,sp,#`16+3`*4 @ destroy frame
-        ldmia   sp!,{r4-r12,lr}
+#if __ARM_ARCH__>=5
+        ldmia   sp!,{r4-r11,pc}
+#else
+        ldmia   sp!,{r4-r11,lr}
         tst     lr,#1
         moveq   pc,lr                   @ be binary compatible with V4, yet
         bx      lr                      @ interoperable with Thumb ISA:-)
+#endif
 .size   sha256_block_data_order,.-sha256_block_data_order
 .asciz  "SHA256 block transform for ARMv4, CRYPTOGAMS by <appro\@openssl.org>"

src/router/openssl/crypto/sha/asm/sha512-armv4.pl

@@ -11 +11 @@
 
 # This code is ~4.5 (four and a half) times faster than code generated
-# by gcc 3.4 and it spends ~72 clock cycles per byte. 
+# by gcc 3.4 and it spends ~72 clock cycles per byte [on single-issue
+# Xscale PXA250 core].
+#
+# July 2010.
+#
+# Rescheduling for dual-issue pipeline resulted in 6% improvement on
+# Cortex A8 core and ~40 cycles per processed byte.
+
+# February 2011.
+#
+# Profiler-assisted and platform-specific optimization resulted in 7%
+# improvement on Coxtex A8 core and ~38 cycles per byte.
+
+# March 2011.
+#
+# Add NEON implementation. On Cortex A8 it was measured to process
+# one byte in 25.5 cycles or 47% faster than integer-only code.
 
 # Byte order [in]dependence. =========================================
 #
-# Caller is expected to maintain specific *dword* order in h[0-7],
-# namely with most significant dword at *lower* address, which is
-# reflected in below two parameters. *Byte* order within these dwords
-# in turn is whatever *native* byte order on current platform.
-$hi=0;
-$lo=4;
+# Originally caller was expected to maintain specific *dword* order in
+# h[0-7], namely with most significant dword at *lower* address, which
+# was reflected in below two parameters as 0 and 4. Now caller is
+# expected to maintain native byte order for whole 64-bit values.
+$hi="HI";
+$lo="LO";
 # ====================================================================
 
-$output=shift;
+while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
 open STDOUT,">$output";
 
-$ctx="r0";
+$ctx="r0";      # parameter block
 $inp="r1";
 $len="r2";
+
 $Tlo="r3";
 $Thi="r4";
@@ -56 +73 @@
 my $magic = shift;
 $code.=<<___;
-        ldr     $t2,[sp,#$Hoff+0]       @ h.lo
-        ldr     $t3,[sp,#$Hoff+4]       @ h.hi
         @ Sigma1(x)     (ROTR((x),14) ^ ROTR((x),18)  ^ ROTR((x),41))
         @ LO            lo>>14^hi<<18 ^ lo>>18^hi<<14 ^ hi>>9^lo<<23
         @ HI            hi>>14^lo<<18 ^ hi>>18^lo<<14 ^ lo>>9^hi<<23
         mov     $t0,$Elo,lsr#14
+        str     $Tlo,[sp,#$Xoff+0]
         mov     $t1,$Ehi,lsr#14
+        str     $Thi,[sp,#$Xoff+4]
         eor     $t0,$t0,$Ehi,lsl#18
+        ldr     $t2,[sp,#$Hoff+0]       @ h.lo
         eor     $t1,$t1,$Elo,lsl#18
+        ldr     $t3,[sp,#$Hoff+4]       @ h.hi
         eor     $t0,$t0,$Elo,lsr#18
         eor     $t1,$t1,$Ehi,lsr#18
@@ -74 +93 @@
         eor     $t1,$t1,$Ehi,lsl#23     @ Sigma1(e)
         adds    $Tlo,$Tlo,$t0
+        ldr     $t0,[sp,#$Foff+0]       @ f.lo
         adc     $Thi,$Thi,$t1           @ T += Sigma1(e)
+        ldr     $t1,[sp,#$Foff+4]       @ f.hi
         adds    $Tlo,$Tlo,$t2
+        ldr     $t2,[sp,#$Goff+0]       @ g.lo
         adc     $Thi,$Thi,$t3           @ T += h
-
-        ldr     $t0,[sp,#$Foff+0]       @ f.lo
-        ldr     $t1,[sp,#$Foff+4]       @ f.hi
-        ldr     $t2,[sp,#$Goff+0]       @ g.lo
         ldr     $t3,[sp,#$Goff+4]       @ g.hi
+
+        eor     $t0,$t0,$t2
         str     $Elo,[sp,#$Eoff+0]
+        eor     $t1,$t1,$t3
         str     $Ehi,[sp,#$Eoff+4]
+        and     $t0,$t0,$Elo
         str     $Alo,[sp,#$Aoff+0]
+        and     $t1,$t1,$Ehi
         str     $Ahi,[sp,#$Aoff+4]
-
         eor     $t0,$t0,$t2
-        eor     $t1,$t1,$t3
-        and     $t0,$t0,$Elo
-        and     $t1,$t1,$Ehi
-        eor     $t0,$t0,$t2
+        ldr     $t2,[$Ktbl,#$lo]        @ K[i].lo
         eor     $t1,$t1,$t3             @ Ch(e,f,g)
-
-        ldr     $t2,[$Ktbl,#4]          @ K[i].lo
-        ldr     $t3,[$Ktbl,#0]          @ K[i].hi
+        ldr     $t3,[$Ktbl,#$hi]        @ K[i].hi
+
+        adds    $Tlo,$Tlo,$t0
         ldr     $Elo,[sp,#$Doff+0]      @ d.lo
+        adc     $Thi,$Thi,$t1           @ T += Ch(e,f,g)
         ldr     $Ehi,[sp,#$Doff+4]      @ d.hi
-
-        adds    $Tlo,$Tlo,$t0
-        adc     $Thi,$Thi,$t1           @ T += Ch(e,f,g)
         adds    $Tlo,$Tlo,$t2
+        and     $t0,$t2,#0xff
         adc     $Thi,$Thi,$t3           @ T += K[i]
         adds    $Elo,$Elo,$Tlo
+        ldr     $t2,[sp,#$Boff+0]       @ b.lo
         adc     $Ehi,$Ehi,$Thi          @ d += T
-
-        and     $t0,$t2,#0xff
         teq     $t0,#$magic
+
+        ldr     $t3,[sp,#$Coff+0]       @ c.lo
         orreq   $Ktbl,$Ktbl,#1
-
-        ldr     $t2,[sp,#$Boff+0]       @ b.lo
-        ldr     $t3,[sp,#$Coff+0]       @ c.lo
         @ Sigma0(x)     (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
         @ LO            lo>>28^hi<<4  ^ hi>>2^lo<<30 ^ hi>>7^lo<<25
@@ -128 +144 @@
         eor     $t1,$t1,$Ahi,lsl#25     @ Sigma0(a)
         adds    $Tlo,$Tlo,$t0
+        and     $t0,$Alo,$t2
         adc     $Thi,$Thi,$t1           @ T += Sigma0(a)
 
-        and     $t0,$Alo,$t2
+        ldr     $t1,[sp,#$Boff+4]       @ b.hi
         orr     $Alo,$Alo,$t2
-        ldr     $t1,[sp,#$Boff+4]       @ b.hi
         ldr     $t2,[sp,#$Coff+4]       @ c.hi
         and     $Alo,$Alo,$t3
-        orr     $Alo,$Alo,$t0           @ Maj(a,b,c).lo
         and     $t3,$Ahi,$t1
         orr     $Ahi,$Ahi,$t1
+        orr     $Alo,$Alo,$t0           @ Maj(a,b,c).lo
         and     $Ahi,$Ahi,$t2
+        adds    $Alo,$Alo,$Tlo
         orr     $Ahi,$Ahi,$t3           @ Maj(a,b,c).hi
-        adds    $Alo,$Alo,$Tlo
+        sub     sp,sp,#8
         adc     $Ahi,$Ahi,$Thi          @ h += T
-
-        sub     sp,sp,#8
+        tst     $Ktbl,#1
         add     $Ktbl,$Ktbl,#8
 ___
 }
 $code=<<___;
+#include "arm_arch.h"
+#ifdef __ARMEL__
+# define LO 0
+# define HI 4
+# define WORD64(hi0,lo0,hi1,lo1)        .word   lo0,hi0, lo1,hi1
+#else
+# define HI 0
+# define LO 4
+# define WORD64(hi0,lo0,hi1,lo1)        .word   hi0,lo0, hi1,lo1
+#endif
+
 .text
 .code   32
@@ -153 +180 @@
 .align  5
 K512:
-.word   0x428a2f98,0xd728ae22, 0x71374491,0x23ef65cd
-.word   0xb5c0fbcf,0xec4d3b2f, 0xe9b5dba5,0x8189dbbc
-.word   0x3956c25b,0xf348b538, 0x59f111f1,0xb605d019
-.word   0x923f82a4,0xaf194f9b, 0xab1c5ed5,0xda6d8118
-.word   0xd807aa98,0xa3030242, 0x12835b01,0x45706fbe
-.word   0x243185be,0x4ee4b28c, 0x550c7dc3,0xd5ffb4e2
-.word   0x72be5d74,0xf27b896f, 0x80deb1fe,0x3b1696b1
-.word   0x9bdc06a7,0x25c71235, 0xc19bf174,0xcf692694
-.word   0xe49b69c1,0x9ef14ad2, 0xefbe4786,0x384f25e3
-.word   0x0fc19dc6,0x8b8cd5b5, 0x240ca1cc,0x77ac9c65
-.word   0x2de92c6f,0x592b0275, 0x4a7484aa,0x6ea6e483
-.word   0x5cb0a9dc,0xbd41fbd4, 0x76f988da,0x831153b5
-.word   0x983e5152,0xee66dfab, 0xa831c66d,0x2db43210
-.word   0xb00327c8,0x98fb213f, 0xbf597fc7,0xbeef0ee4
-.word   0xc6e00bf3,0x3da88fc2, 0xd5a79147,0x930aa725
-.word   0x06ca6351,0xe003826f, 0x14292967,0x0a0e6e70
-.word   0x27b70a85,0x46d22ffc, 0x2e1b2138,0x5c26c926
-.word   0x4d2c6dfc,0x5ac42aed, 0x53380d13,0x9d95b3df
-.word   0x650a7354,0x8baf63de, 0x766a0abb,0x3c77b2a8
-.word   0x81c2c92e,0x47edaee6, 0x92722c85,0x1482353b
-.word   0xa2bfe8a1,0x4cf10364, 0xa81a664b,0xbc423001
-.word   0xc24b8b70,0xd0f89791, 0xc76c51a3,0x0654be30
-.word   0xd192e819,0xd6ef5218, 0xd6990624,0x5565a910
-.word   0xf40e3585,0x5771202a, 0x106aa070,0x32bbd1b8
-.word   0x19a4c116,0xb8d2d0c8, 0x1e376c08,0x5141ab53
-.word   0x2748774c,0xdf8eeb99, 0x34b0bcb5,0xe19b48a8
-.word   0x391c0cb3,0xc5c95a63, 0x4ed8aa4a,0xe3418acb
-.word   0x5b9cca4f,0x7763e373, 0x682e6ff3,0xd6b2b8a3
-.word   0x748f82ee,0x5defb2fc, 0x78a5636f,0x43172f60
-.word   0x84c87814,0xa1f0ab72, 0x8cc70208,0x1a6439ec
-.word   0x90befffa,0x23631e28, 0xa4506ceb,0xde82bde9
-.word   0xbef9a3f7,0xb2c67915, 0xc67178f2,0xe372532b
-.word   0xca273ece,0xea26619c, 0xd186b8c7,0x21c0c207
-.word   0xeada7dd6,0xcde0eb1e, 0xf57d4f7f,0xee6ed178
-.word   0x06f067aa,0x72176fba, 0x0a637dc5,0xa2c898a6
-.word   0x113f9804,0xbef90dae, 0x1b710b35,0x131c471b
-.word   0x28db77f5,0x23047d84, 0x32caab7b,0x40c72493
-.word   0x3c9ebe0a,0x15c9bebc, 0x431d67c4,0x9c100d4c
-.word   0x4cc5d4be,0xcb3e42b6, 0x597f299c,0xfc657e2a
-.word   0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817
+WORD64(0x428a2f98,0xd728ae22, 0x71374491,0x23ef65cd)
+WORD64(0xb5c0fbcf,0xec4d3b2f, 0xe9b5dba5,0x8189dbbc)
+WORD64(0x3956c25b,0xf348b538, 0x59f111f1,0xb605d019)
+WORD64(0x923f82a4,0xaf194f9b, 0xab1c5ed5,0xda6d8118)
+WORD64(0xd807aa98,0xa3030242, 0x12835b01,0x45706fbe)
+WORD64(0x243185be,0x4ee4b28c, 0x550c7dc3,0xd5ffb4e2)
+WORD64(0x72be5d74,0xf27b896f, 0x80deb1fe,0x3b1696b1)
+WORD64(0x9bdc06a7,0x25c71235, 0xc19bf174,0xcf692694)
+WORD64(0xe49b69c1,0x9ef14ad2, 0xefbe4786,0x384f25e3)
+WORD64(0x0fc19dc6,0x8b8cd5b5, 0x240ca1cc,0x77ac9c65)
+WORD64(0x2de92c6f,0x592b0275, 0x4a7484aa,0x6ea6e483)
+WORD64(0x5cb0a9dc,0xbd41fbd4, 0x76f988da,0x831153b5)
+WORD64(0x983e5152,0xee66dfab, 0xa831c66d,0x2db43210)
+WORD64(0xb00327c8,0x98fb213f, 0xbf597fc7,0xbeef0ee4)
+WORD64(0xc6e00bf3,0x3da88fc2, 0xd5a79147,0x930aa725)
+WORD64(0x06ca6351,0xe003826f, 0x14292967,0x0a0e6e70)
+WORD64(0x27b70a85,0x46d22ffc, 0x2e1b2138,0x5c26c926)
+WORD64(0x4d2c6dfc,0x5ac42aed, 0x53380d13,0x9d95b3df)
+WORD64(0x650a7354,0x8baf63de, 0x766a0abb,0x3c77b2a8)
+WORD64(0x81c2c92e,0x47edaee6, 0x92722c85,0x1482353b)
+WORD64(0xa2bfe8a1,0x4cf10364, 0xa81a664b,0xbc423001)
+WORD64(0xc24b8b70,0xd0f89791, 0xc76c51a3,0x0654be30)
+WORD64(0xd192e819,0xd6ef5218, 0xd6990624,0x5565a910)
+WORD64(0xf40e3585,0x5771202a, 0x106aa070,0x32bbd1b8)
+WORD64(0x19a4c116,0xb8d2d0c8, 0x1e376c08,0x5141ab53)
+WORD64(0x2748774c,0xdf8eeb99, 0x34b0bcb5,0xe19b48a8)
+WORD64(0x391c0cb3,0xc5c95a63, 0x4ed8aa4a,0xe3418acb)
+WORD64(0x5b9cca4f,0x7763e373, 0x682e6ff3,0xd6b2b8a3)
+WORD64(0x748f82ee,0x5defb2fc, 0x78a5636f,0x43172f60)
+WORD64(0x84c87814,0xa1f0ab72, 0x8cc70208,0x1a6439ec)
+WORD64(0x90befffa,0x23631e28, 0xa4506ceb,0xde82bde9)
+WORD64(0xbef9a3f7,0xb2c67915, 0xc67178f2,0xe372532b)
+WORD64(0xca273ece,0xea26619c, 0xd186b8c7,0x21c0c207)
+WORD64(0xeada7dd6,0xcde0eb1e, 0xf57d4f7f,0xee6ed178)
+WORD64(0x06f067aa,0x72176fba, 0x0a637dc5,0xa2c898a6)
+WORD64(0x113f9804,0xbef90dae, 0x1b710b35,0x131c471b)
+WORD64(0x28db77f5,0x23047d84, 0x32caab7b,0x40c72493)
+WORD64(0x3c9ebe0a,0x15c9bebc, 0x431d67c4,0x9c100d4c)
+WORD64(0x4cc5d4be,0xcb3e42b6, 0x597f299c,0xfc657e2a)
+WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
 .size   K512,.-K512
+.LOPENSSL_armcap:
+.word   OPENSSL_armcap_P-sha512_block_data_order
+.skip   32-4
 
 .global sha512_block_data_order
@@ -200 +230 @@
         sub     r3,pc,#8                @ sha512_block_data_order
         add     $len,$inp,$len,lsl#7    @ len to point at the end of inp
+#if __ARM_ARCH__>=7
+        ldr     r12,.LOPENSSL_armcap
+        ldr     r12,[r3,r12]            @ OPENSSL_armcap_P
+        tst     r12,#1
+        bne     .LNEON
+#endif
         stmdb   sp!,{r4-r12,lr}
-        sub     $Ktbl,r3,#640           @ K512
+        sub     $Ktbl,r3,#672           @ K512
         sub     sp,sp,#9*8
 
@@ -235 +271 @@
 
 .L00_15:
+#if __ARM_ARCH__<7
         ldrb    $Tlo,[$inp,#7]
         ldrb    $t0, [$inp,#6]
@@ -249 +286 @@
         orr     $Thi,$Thi,$t0,lsl#16
         orr     $Thi,$Thi,$t1,lsl#24
-        str     $Tlo,[sp,#$Xoff+0]
-        str     $Thi,[sp,#$Xoff+4]
+#else
+        ldr     $Tlo,[$inp,#4]
+        ldr     $Thi,[$inp],#8
+#ifdef __ARMEL__
+        rev     $Tlo,$Tlo
+        rev     $Thi,$Thi
+#endif
+#endif
 ___
         &BODY_00_15(0x94);
@@ -256 +299 @@
         tst     $Ktbl,#1
         beq     .L00_15
-        bic     $Ktbl,$Ktbl,#1
-
-.L16_79:
         ldr     $t0,[sp,#`$Xoff+8*(16-1)`+0]
         ldr     $t1,[sp,#`$Xoff+8*(16-1)`+4]
-        ldr     $t2,[sp,#`$Xoff+8*(16-14)`+0]
-        ldr     $t3,[sp,#`$Xoff+8*(16-14)`+4]
-
+        bic     $Ktbl,$Ktbl,#1
+.L16_79:
         @ sigma0(x)     (ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
         @ LO            lo>>1^hi<<31  ^ lo>>8^hi<<24 ^ lo>>7^hi<<25
         @ HI            hi>>1^lo<<31  ^ hi>>8^lo<<24 ^ hi>>7
         mov     $Tlo,$t0,lsr#1
+        ldr     $t2,[sp,#`$Xoff+8*(16-14)`+0]
         mov     $Thi,$t1,lsr#1
+        ldr     $t3,[sp,#`$Xoff+8*(16-14)`+4]
         eor     $Tlo,$Tlo,$t1,lsl#31
         eor     $Thi,$Thi,$t0,lsl#31
@@ -292 +333 @@
         eor     $t0,$t0,$t2,lsr#6
         eor     $t1,$t1,$t3,lsr#6
+        ldr     $t2,[sp,#`$Xoff+8*(16-9)`+0]
         eor     $t0,$t0,$t3,lsl#26
 
-        ldr     $t2,[sp,#`$Xoff+8*(16-9)`+0]
         ldr     $t3,[sp,#`$Xoff+8*(16-9)`+4]
         adds    $Tlo,$Tlo,$t0
+        ldr     $t0,[sp,#`$Xoff+8*16`+0]
         adc     $Thi,$Thi,$t1
 
-        ldr     $t0,[sp,#`$Xoff+8*16`+0]
         ldr     $t1,[sp,#`$Xoff+8*16`+4]
         adds    $Tlo,$Tlo,$t2
@@ -305 +346 @@
         adds    $Tlo,$Tlo,$t0
         adc     $Thi,$Thi,$t1
-        str     $Tlo,[sp,#$Xoff+0]
-        str     $Thi,[sp,#$Xoff+4]
 ___
         &BODY_00_15(0x17);
 $code.=<<___;
-        tst     $Ktbl,#1
+        ldreq   $t0,[sp,#`$Xoff+8*(16-1)`+0]
+        ldreq   $t1,[sp,#`$Xoff+8*(16-1)`+4]
         beq     .L16_79
         bic     $Ktbl,$Ktbl,#1
@@ -321 +361 @@
         ldr     $t3, [$ctx,#$Boff+$hi]
         adds    $t0,$Alo,$t0
+        str     $t0, [$ctx,#$Aoff+$lo]
         adc     $t1,$Ahi,$t1
+        str     $t1, [$ctx,#$Aoff+$hi]
         adds    $t2,$Tlo,$t2
+        str     $t2, [$ctx,#$Boff+$lo]
         adc     $t3,$Thi,$t3
-        str     $t0, [$ctx,#$Aoff+$lo]
-        str     $t1, [$ctx,#$Aoff+$hi]
-        str     $t2, [$ctx,#$Boff+$lo]
         str     $t3, [$ctx,#$Boff+$hi]
 
@@ -338 +378 @@
         ldr     $t3, [$ctx,#$Doff+$hi]
         adds    $t0,$Alo,$t0
+        str     $t0, [$ctx,#$Coff+$lo]
         adc     $t1,$Ahi,$t1
+        str     $t1, [$ctx,#$Coff+$hi]
         adds    $t2,$Tlo,$t2
+        str     $t2, [$ctx,#$Doff+$lo]
         adc     $t3,$Thi,$t3
-        str     $t0, [$ctx,#$Coff+$lo]
-        str     $t1, [$ctx,#$Coff+$hi]
-        str     $t2, [$ctx,#$Doff+$lo]
         str     $t3, [$ctx,#$Doff+$hi]
 
@@ -353 +393 @@
         ldr     $t3, [$ctx,#$Foff+$hi]
         adds    $Elo,$Elo,$t0
+        str     $Elo,[$ctx,#$Eoff+$lo]
         adc     $Ehi,$Ehi,$t1
+        str     $Ehi,[$ctx,#$Eoff+$hi]
         adds    $t2,$Tlo,$t2
+        str     $t2, [$ctx,#$Foff+$lo]
         adc     $t3,$Thi,$t3
-        str     $Elo,[$ctx,#$Eoff+$lo]
-        str     $Ehi,[$ctx,#$Eoff+$hi]
-        str     $t2, [$ctx,#$Foff+$lo]
         str     $t3, [$ctx,#$Foff+$hi]
 
@@ -370 +410 @@
         ldr     $t3, [$ctx,#$Hoff+$hi]
         adds    $t0,$Alo,$t0
+        str     $t0, [$ctx,#$Goff+$lo]
         adc     $t1,$Ahi,$t1
+        str     $t1, [$ctx,#$Goff+$hi]
         adds    $t2,$Tlo,$t2
+        str     $t2, [$ctx,#$Hoff+$lo]
         adc     $t3,$Thi,$t3
-        str     $t0, [$ctx,#$Goff+$lo]
-        str     $t1, [$ctx,#$Goff+$hi]
-        str     $t2, [$ctx,#$Hoff+$lo]
         str     $t3, [$ctx,#$Hoff+$hi]
 
@@ -385 +425 @@
 
         add     sp,sp,#8*9              @ destroy frame
+#if __ARM_ARCH__>=5
+        ldmia   sp!,{r4-r12,pc}
+#else
         ldmia   sp!,{r4-r12,lr}
         tst     lr,#1
         moveq   pc,lr                   @ be binary compatible with V4, yet
         bx      lr                      @ interoperable with Thumb ISA:-)
-.size   sha512_block_data_order,.-sha512_block_data_order
-.asciz  "SHA512 block transform for ARMv4, CRYPTOGAMS by <appro\@openssl.org>"
+#endif
+___
+
+{
+my @Sigma0=(28,34,39);
+my @Sigma1=(14,18,41);
+my @sigma0=(1, 8, 7);
+my @sigma1=(19,61,6);
+
+my $Ktbl="r3";
+my $cnt="r12";  # volatile register known as ip, intra-procedure-call scratch
+
+my @X=map("d$_",(0..15));
+my @V=($A,$B,$C,$D,$E,$F,$G,$H)=map("d$_",(16..23));
+
+sub NEON_00_15() {
+my $i=shift;
+my ($a,$b,$c,$d,$e,$f,$g,$h)=@_;
+my ($t0,$t1,$t2,$T1,$K,$Ch,$Maj)=map("d$_",(24..31));   # temps
+
+$code.=<<___ if ($i<16 || $i&1);
+        vshr.u64        $t0,$e,#@Sigma1[0]      @ $i
+#if $i<16
+        vld1.64         {@X[$i%16]},[$inp]!     @ handles unaligned
+#endif
+        vshr.u64        $t1,$e,#@Sigma1[1]
+        vshr.u64        $t2,$e,#@Sigma1[2]
+___
+$code.=<<___;
+        vld1.64         {$K},[$Ktbl,:64]!       @ K[i++]
+        vsli.64         $t0,$e,#`64-@Sigma1[0]`
+        vsli.64         $t1,$e,#`64-@Sigma1[1]`
+        vsli.64         $t2,$e,#`64-@Sigma1[2]`
+#if $i<16 && defined(__ARMEL__)
+        vrev64.8        @X[$i],@X[$i]
+#endif
+        vadd.i64        $T1,$K,$h
+        veor            $Ch,$f,$g
+        veor            $t0,$t1
+        vand            $Ch,$e
+        veor            $t0,$t2                 @ Sigma1(e)
+        veor            $Ch,$g                  @ Ch(e,f,g)
+        vadd.i64        $T1,$t0
+        vshr.u64        $t0,$a,#@Sigma0[0]
+        vadd.i64        $T1,$Ch
+        vshr.u64        $t1,$a,#@Sigma0[1]
+        vshr.u64        $t2,$a,#@Sigma0[2]
+        vsli.64         $t0,$a,#`64-@Sigma0[0]`
+        vsli.64         $t1,$a,#`64-@Sigma0[1]`
+        vsli.64         $t2,$a,#`64-@Sigma0[2]`
+        vadd.i64        $T1,@X[$i%16]
+        vorr            $Maj,$a,$c
+        vand            $Ch,$a,$c
+        veor            $h,$t0,$t1
+        vand            $Maj,$b
+        veor            $h,$t2                  @ Sigma0(a)
+        vorr            $Maj,$Ch                @ Maj(a,b,c)
+        vadd.i64        $h,$T1
+        vadd.i64        $d,$T1
+        vadd.i64        $h,$Maj
+___
+}
+
+sub NEON_16_79() {
+my $i=shift;
+
+if ($i&1)       { &NEON_00_15($i,@_); return; }
+
+# 2x-vectorized, therefore runs every 2nd round
+my @X=map("q$_",(0..7));                        # view @X as 128-bit vector
+my ($t0,$t1,$s0,$s1) = map("q$_",(12..15));     # temps
+my ($d0,$d1,$d2) = map("d$_",(24..26));         # temps from NEON_00_15
+my $e=@_[4];                                    # $e from NEON_00_15
+$i /= 2;
+$code.=<<___;
+        vshr.u64        $t0,@X[($i+7)%8],#@sigma1[0]
+        vshr.u64        $t1,@X[($i+7)%8],#@sigma1[1]
+        vshr.u64        $s1,@X[($i+7)%8],#@sigma1[2]
+        vsli.64         $t0,@X[($i+7)%8],#`64-@sigma1[0]`
+        vext.8          $s0,@X[$i%8],@X[($i+1)%8],#8    @ X[i+1]
+        vsli.64         $t1,@X[($i+7)%8],#`64-@sigma1[1]`
+        veor            $s1,$t0
+        vshr.u64        $t0,$s0,#@sigma0[0]
+        veor            $s1,$t1                         @ sigma1(X[i+14])
+        vshr.u64        $t1,$s0,#@sigma0[1]
+        vadd.i64        @X[$i%8],$s1
+        vshr.u64        $s1,$s0,#@sigma0[2]
+        vsli.64         $t0,$s0,#`64-@sigma0[0]`
+        vsli.64         $t1,$s0,#`64-@sigma0[1]`
+        vext.8          $s0,@X[($i+4)%8],@X[($i+5)%8],#8        @ X[i+9]
+        veor            $s1,$t0
+        vshr.u64        $d0,$e,#@Sigma1[0]              @ from NEON_00_15
+        vadd.i64        @X[$i%8],$s0
+        vshr.u64        $d1,$e,#@Sigma1[1]              @ from NEON_00_15
+        veor            $s1,$t1                         @ sigma0(X[i+1])
+        vshr.u64        $d2,$e,#@Sigma1[2]              @ from NEON_00_15
+        vadd.i64        @X[$i%8],$s1
+___
+        &NEON_00_15(2*$i,@_);
+}
+
+$code.=<<___;
+#if __ARM_ARCH__>=7
+.fpu    neon
+
+.align  4
+.LNEON:
+        dmb                             @ errata #451034 on early Cortex A8
+        vstmdb  sp!,{d8-d15}            @ ABI specification says so
+        sub     $Ktbl,r3,#672           @ K512
+        vldmia  $ctx,{$A-$H}            @ load context
+.Loop_neon:
+___
+for($i=0;$i<16;$i++)    { &NEON_00_15($i,@V); unshift(@V,pop(@V)); }
+$code.=<<___;
+        mov             $cnt,#4
+.L16_79_neon:
+        subs            $cnt,#1
+___
+for(;$i<32;$i++)        { &NEON_16_79($i,@V); unshift(@V,pop(@V)); }
+$code.=<<___;
+        bne             .L16_79_neon
+
+        vldmia          $ctx,{d24-d31}  @ load context to temp
+        vadd.i64        q8,q12          @ vectorized accumulate
+        vadd.i64        q9,q13
+        vadd.i64        q10,q14
+        vadd.i64        q11,q15
+        vstmia          $ctx,{$A-$H}    @ save context
+        teq             $inp,$len
+        sub             $Ktbl,#640      @ rewind K512
+        bne             .Loop_neon
+
+        vldmia  sp!,{d8-d15}            @ epilogue
+        bx      lr
+#endif
+___
+}
+$code.=<<___;
+.size   sha512_block_data_order,.-sha512_block_data_order
+.asciz  "SHA512 block transform for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
 .align  2
+.comm   OPENSSL_armcap_P,4,4
 ___