Imported Upstream version 1.1.1i

[platform/upstream/openssl1.1.git] / crypto / ec / asm / x25519-x86_64.pl

#!/usr/bin/env perl
# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
#
# ====================================================================
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
# ====================================================================
#
# X25519 lower-level primitives for x86_64.
#
# February 2018.
#
# This module implements radix 2^51 multiplication and squaring, and
# radix 2^64 multiplication, squaring, addition, subtraction and final
# reduction. Latter radix is used on ADCX/ADOX-capable processors such
# as Broadwell. On related note one should mention that there are
# vector implementations that provide significantly better performance
# on some processors(*), but they are large and overly complex. Which
# in combination with them being effectively processor-specific makes
# the undertaking hard to justify. The goal for this implementation
# is rather versatility and simplicity [and ultimately formal
# verification].
#
# (*)   For example sandy2x should provide ~30% improvement on Sandy
#       Bridge, but only nominal ~5% on Haswell [and big loss on
#       Broadwell and successors].
#
######################################################################
# Improvement coefficients:
#
#                       amd64-51(*)     gcc-5.x(**)
#
# P4                    +22%            +40%
# Sandy Bridge          -3%             +11%
# Haswell               -1%             +13%
# Broadwell(***)        +30%            +35%
# Skylake(***)          +33%            +47%
# Silvermont            +20%            +26%
# Goldmont              +40%            +50%
# Bulldozer             +20%            +9%
# Ryzen(***)            +43%            +40%
# VIA                   +170%           +120%
#
# (*)   amd64-51 is popular assembly implementation with 2^51 radix,
#       only multiplication and squaring subroutines were linked
#       for comparison, but not complete ladder step; gain on most
#       processors is because this module refrains from shld, and
#       minor regression on others is because this does result in
#       higher instruction count;
# (**)  compiler is free to inline functions, in assembly one would
#       need to implement ladder step to do that, and it will improve
#       performance by several percent;
# (***) ADCX/ADOX result for 2^64 radix, there is no corresponding
#       C implementation, so that comparison is always against
#       2^51 radix;

$flavour = shift;
$output  = shift;
if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }

$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);

$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";

open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
*STDOUT=*OUT;

if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
                =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
        $addx = ($1>=2.23);
}

if (!$addx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
            `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
        $addx = ($1>=2.10);
}

if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
            `ml64 2>&1` =~ /Version ([0-9]+)\./) {
        $addx = ($1>=12);
}

if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
        my $ver = $2 + $3/100.0;        # 3.1->3.01, 3.10->3.10
        $addx = ($ver>=3.03);
}

$code.=<<___;
.text

.globl  x25519_fe51_mul
.type   x25519_fe51_mul,\@function,3
.align  32
x25519_fe51_mul:
.cfi_startproc
        push    %rbp
.cfi_push       %rbp
        push    %rbx
.cfi_push       %rbx
        push    %r12
.cfi_push       %r12
        push    %r13
.cfi_push       %r13
        push    %r14
.cfi_push       %r14
        push    %r15
.cfi_push       %r15
        lea     -8*5(%rsp),%rsp
.cfi_adjust_cfa_offset  40
.Lfe51_mul_body:

        mov     8*0(%rsi),%rax          # f[0]
        mov     8*0(%rdx),%r11          # load g[0-4]
        mov     8*1(%rdx),%r12
        mov     8*2(%rdx),%r13
        mov     8*3(%rdx),%rbp
        mov     8*4(%rdx),%r14

        mov     %rdi,8*4(%rsp)          # offload 1st argument
        mov     %rax,%rdi
        mulq    %r11                    # f[0]*g[0]
        mov     %r11,8*0(%rsp)          # offload g[0]
        mov     %rax,%rbx               # %rbx:%rcx = h0
        mov     %rdi,%rax
        mov     %rdx,%rcx
        mulq    %r12                    # f[0]*g[1]
        mov     %r12,8*1(%rsp)          # offload g[1]
        mov     %rax,%r8                # %r8:%r9 = h1
        mov     %rdi,%rax
        lea     (%r14,%r14,8),%r15
        mov     %rdx,%r9
        mulq    %r13                    # f[0]*g[2]
        mov     %r13,8*2(%rsp)          # offload g[2]
        mov     %rax,%r10               # %r10:%r11 = h2
        mov     %rdi,%rax
        lea     (%r14,%r15,2),%rdi      # g[4]*19
        mov     %rdx,%r11
        mulq    %rbp                    # f[0]*g[3]
        mov     %rax,%r12               # %r12:%r13 = h3
        mov     8*0(%rsi),%rax          # f[0]
        mov     %rdx,%r13
        mulq    %r14                    # f[0]*g[4]
        mov     %rax,%r14               # %r14:%r15 = h4
        mov     8*1(%rsi),%rax          # f[1]
        mov     %rdx,%r15

        mulq    %rdi                    # f[1]*g[4]*19
        add     %rax,%rbx
        mov     8*2(%rsi),%rax          # f[2]
        adc     %rdx,%rcx
        mulq    %rdi                    # f[2]*g[4]*19
        add     %rax,%r8
        mov     8*3(%rsi),%rax          # f[3]
        adc     %rdx,%r9
        mulq    %rdi                    # f[3]*g[4]*19
        add     %rax,%r10
        mov     8*4(%rsi),%rax          # f[4]
        adc     %rdx,%r11
        mulq    %rdi                    # f[4]*g[4]*19
        imulq   \$19,%rbp,%rdi          # g[3]*19
        add     %rax,%r12
        mov     8*1(%rsi),%rax          # f[1]
        adc     %rdx,%r13
        mulq    %rbp                    # f[1]*g[3]
        mov     8*2(%rsp),%rbp          # g[2]
        add     %rax,%r14
        mov     8*2(%rsi),%rax          # f[2]
        adc     %rdx,%r15

        mulq    %rdi                    # f[2]*g[3]*19
        add     %rax,%rbx
        mov     8*3(%rsi),%rax          # f[3]
        adc     %rdx,%rcx
        mulq    %rdi                    # f[3]*g[3]*19
        add     %rax,%r8
        mov     8*4(%rsi),%rax          # f[4]
        adc     %rdx,%r9
        mulq    %rdi                    # f[4]*g[3]*19
        imulq   \$19,%rbp,%rdi          # g[2]*19
        add     %rax,%r10
        mov     8*1(%rsi),%rax          # f[1]
        adc     %rdx,%r11
        mulq    %rbp                    # f[1]*g[2]
        add     %rax,%r12
        mov     8*2(%rsi),%rax          # f[2]
        adc     %rdx,%r13
        mulq    %rbp                    # f[2]*g[2]
        mov     8*1(%rsp),%rbp          # g[1]
        add     %rax,%r14
        mov     8*3(%rsi),%rax          # f[3]
        adc     %rdx,%r15

        mulq    %rdi                    # f[3]*g[2]*19
        add     %rax,%rbx
        mov     8*4(%rsi),%rax          # f[3]
        adc     %rdx,%rcx
        mulq    %rdi                    # f[4]*g[2]*19
        add     %rax,%r8
        mov     8*1(%rsi),%rax          # f[1]
        adc     %rdx,%r9
        mulq    %rbp                    # f[1]*g[1]
        imulq   \$19,%rbp,%rdi
        add     %rax,%r10
        mov     8*2(%rsi),%rax          # f[2]
        adc     %rdx,%r11
        mulq    %rbp                    # f[2]*g[1]
        add     %rax,%r12
        mov     8*3(%rsi),%rax          # f[3]
        adc     %rdx,%r13
        mulq    %rbp                    # f[3]*g[1]
        mov     8*0(%rsp),%rbp          # g[0]
        add     %rax,%r14
        mov     8*4(%rsi),%rax          # f[4]
        adc     %rdx,%r15

        mulq    %rdi                    # f[4]*g[1]*19
        add     %rax,%rbx
        mov     8*1(%rsi),%rax          # f[1]
        adc     %rdx,%rcx
        mul     %rbp                    # f[1]*g[0]
        add     %rax,%r8
        mov     8*2(%rsi),%rax          # f[2]
        adc     %rdx,%r9
        mul     %rbp                    # f[2]*g[0]
        add     %rax,%r10
        mov     8*3(%rsi),%rax          # f[3]
        adc     %rdx,%r11
        mul     %rbp                    # f[3]*g[0]
        add     %rax,%r12
        mov     8*4(%rsi),%rax          # f[4]
        adc     %rdx,%r13
        mulq    %rbp                    # f[4]*g[0]
        add     %rax,%r14
        adc     %rdx,%r15

        mov     8*4(%rsp),%rdi          # restore 1st argument
        jmp     .Lreduce51
.Lfe51_mul_epilogue:
.cfi_endproc
.size   x25519_fe51_mul,.-x25519_fe51_mul

.globl  x25519_fe51_sqr
.type   x25519_fe51_sqr,\@function,2
.align  32
x25519_fe51_sqr:
.cfi_startproc
        push    %rbp
.cfi_push       %rbp
        push    %rbx
.cfi_push       %rbx
        push    %r12
.cfi_push       %r12
        push    %r13
.cfi_push       %r13
        push    %r14
.cfi_push       %r14
        push    %r15
.cfi_push       %r15
        lea     -8*5(%rsp),%rsp
.cfi_adjust_cfa_offset  40
.Lfe51_sqr_body:

        mov     8*0(%rsi),%rax          # g[0]
        mov     8*2(%rsi),%r15          # g[2]
        mov     8*4(%rsi),%rbp          # g[4]

        mov     %rdi,8*4(%rsp)          # offload 1st argument
        lea     (%rax,%rax),%r14
        mulq    %rax                    # g[0]*g[0]
        mov     %rax,%rbx
        mov     8*1(%rsi),%rax          # g[1]
        mov     %rdx,%rcx
        mulq    %r14                    # 2*g[0]*g[1]
        mov     %rax,%r8
        mov     %r15,%rax
        mov     %r15,8*0(%rsp)          # offload g[2]
        mov     %rdx,%r9
        mulq    %r14                    # 2*g[0]*g[2]
        mov     %rax,%r10
        mov     8*3(%rsi),%rax
        mov     %rdx,%r11
        imulq   \$19,%rbp,%rdi          # g[4]*19
        mulq    %r14                    # 2*g[0]*g[3]
        mov     %rax,%r12
        mov     %rbp,%rax
        mov     %rdx,%r13
        mulq    %r14                    # 2*g[0]*g[4]
        mov     %rax,%r14
        mov     %rbp,%rax
        mov     %rdx,%r15

        mulq    %rdi                    # g[4]*g[4]*19
        add     %rax,%r12
        mov     8*1(%rsi),%rax          # g[1]
        adc     %rdx,%r13

        mov     8*3(%rsi),%rsi          # g[3]
        lea     (%rax,%rax),%rbp
        mulq    %rax                    # g[1]*g[1]
        add     %rax,%r10
        mov     8*0(%rsp),%rax          # g[2]
        adc     %rdx,%r11
        mulq    %rbp                    # 2*g[1]*g[2]
        add     %rax,%r12
        mov     %rbp,%rax
        adc     %rdx,%r13
        mulq    %rsi                    # 2*g[1]*g[3]
        add     %rax,%r14
        mov     %rbp,%rax
        adc     %rdx,%r15
        imulq   \$19,%rsi,%rbp          # g[3]*19
        mulq    %rdi                    # 2*g[1]*g[4]*19
        add     %rax,%rbx
        lea     (%rsi,%rsi),%rax
        adc     %rdx,%rcx

        mulq    %rdi                    # 2*g[3]*g[4]*19
        add     %rax,%r10
        mov     %rsi,%rax
        adc     %rdx,%r11
        mulq    %rbp                    # g[3]*g[3]*19
        add     %rax,%r8
        mov     8*0(%rsp),%rax          # g[2]
        adc     %rdx,%r9

        lea     (%rax,%rax),%rsi
        mulq    %rax                    # g[2]*g[2]
        add     %rax,%r14
        mov     %rbp,%rax
        adc     %rdx,%r15
        mulq    %rsi                    # 2*g[2]*g[3]*19
        add     %rax,%rbx
        mov     %rsi,%rax
        adc     %rdx,%rcx
        mulq    %rdi                    # 2*g[2]*g[4]*19
        add     %rax,%r8
        adc     %rdx,%r9

        mov     8*4(%rsp),%rdi          # restore 1st argument
        jmp     .Lreduce51

.align  32
.Lreduce51:
        mov     \$0x7ffffffffffff,%rbp

        mov     %r10,%rdx
        shr     \$51,%r10
        shl     \$13,%r11
        and     %rbp,%rdx               # %rdx = g2 = h2 & mask
        or      %r10,%r11               # h2>>51
        add     %r11,%r12
        adc     \$0,%r13                # h3 += h2>>51

        mov     %rbx,%rax
        shr     \$51,%rbx
        shl     \$13,%rcx
        and     %rbp,%rax               # %rax = g0 = h0 & mask
        or      %rbx,%rcx               # h0>>51
        add     %rcx,%r8                # h1 += h0>>51
        adc     \$0,%r9

        mov     %r12,%rbx
        shr     \$51,%r12
        shl     \$13,%r13
        and     %rbp,%rbx               # %rbx = g3 = h3 & mask
        or      %r12,%r13               # h3>>51
        add     %r13,%r14               # h4 += h3>>51
        adc     \$0,%r15

        mov     %r8,%rcx
        shr     \$51,%r8
        shl     \$13,%r9
        and     %rbp,%rcx               # %rcx = g1 = h1 & mask
        or      %r8,%r9
        add     %r9,%rdx                # g2 += h1>>51

        mov     %r14,%r10
        shr     \$51,%r14
        shl     \$13,%r15
        and     %rbp,%r10               # %r10 = g4 = h0 & mask
        or      %r14,%r15               # h0>>51

        lea     (%r15,%r15,8),%r14
        lea     (%r15,%r14,2),%r15
        add     %r15,%rax               # g0 += (h0>>51)*19

        mov     %rdx,%r8
        and     %rbp,%rdx               # g2 &= mask
        shr     \$51,%r8
        add     %r8,%rbx                # g3 += g2>>51

        mov     %rax,%r9
        and     %rbp,%rax               # g0 &= mask
        shr     \$51,%r9
        add     %r9,%rcx                # g1 += g0>>51

        mov     %rax,8*0(%rdi)          # save the result
        mov     %rcx,8*1(%rdi)
        mov     %rdx,8*2(%rdi)
        mov     %rbx,8*3(%rdi)
        mov     %r10,8*4(%rdi)

        mov     8*5(%rsp),%r15
.cfi_restore    %r15
        mov     8*6(%rsp),%r14
.cfi_restore    %r14
        mov     8*7(%rsp),%r13
.cfi_restore    %r13
        mov     8*8(%rsp),%r12
.cfi_restore    %r12
        mov     8*9(%rsp),%rbx
.cfi_restore    %rbx
        mov     8*10(%rsp),%rbp
.cfi_restore    %rbp
        lea     8*11(%rsp),%rsp
.cfi_adjust_cfa_offset  88
.Lfe51_sqr_epilogue:
        ret
.cfi_endproc
.size   x25519_fe51_sqr,.-x25519_fe51_sqr

.globl  x25519_fe51_mul121666
.type   x25519_fe51_mul121666,\@function,2
.align  32
x25519_fe51_mul121666:
.cfi_startproc
        push    %rbp
.cfi_push       %rbp
        push    %rbx
.cfi_push       %rbx
        push    %r12
.cfi_push       %r12
        push    %r13
.cfi_push       %r13
        push    %r14
.cfi_push       %r14
        push    %r15
.cfi_push       %r15
        lea     -8*5(%rsp),%rsp
.cfi_adjust_cfa_offset  40
.Lfe51_mul121666_body:
        mov     \$121666,%eax

        mulq    8*0(%rsi)
        mov     %rax,%rbx               # %rbx:%rcx = h0
        mov     \$121666,%eax
        mov     %rdx,%rcx
        mulq    8*1(%rsi)
        mov     %rax,%r8                # %r8:%r9 = h1
        mov     \$121666,%eax
        mov     %rdx,%r9
        mulq    8*2(%rsi)
        mov     %rax,%r10               # %r10:%r11 = h2
        mov     \$121666,%eax
        mov     %rdx,%r11
        mulq    8*3(%rsi)
        mov     %rax,%r12               # %r12:%r13 = h3
        mov     \$121666,%eax           # f[0]
        mov     %rdx,%r13
        mulq    8*4(%rsi)
        mov     %rax,%r14               # %r14:%r15 = h4
        mov     %rdx,%r15

        jmp     .Lreduce51
.Lfe51_mul121666_epilogue:
.cfi_endproc
.size   x25519_fe51_mul121666,.-x25519_fe51_mul121666
___
########################################################################
# Base 2^64 subroutines modulo 2*(2^255-19)
#
if ($addx) {
my ($acc0,$acc1,$acc2,$acc3,$acc4,$acc5,$acc6,$acc7) = map("%r$_",(8..15));

$code.=<<___;
.extern OPENSSL_ia32cap_P
.globl  x25519_fe64_eligible
.type   x25519_fe64_eligible,\@abi-omnipotent
.align  32
x25519_fe64_eligible:
.cfi_startproc
        mov     OPENSSL_ia32cap_P+8(%rip),%ecx
        xor     %eax,%eax
        and     \$0x80100,%ecx
        cmp     \$0x80100,%ecx
        cmove   %ecx,%eax
        ret
.cfi_endproc
.size   x25519_fe64_eligible,.-x25519_fe64_eligible

.globl  x25519_fe64_mul
.type   x25519_fe64_mul,\@function,3
.align  32
x25519_fe64_mul:
.cfi_startproc
        push    %rbp
.cfi_push       %rbp
        push    %rbx
.cfi_push       %rbx
        push    %r12
.cfi_push       %r12
        push    %r13
.cfi_push       %r13
        push    %r14
.cfi_push       %r14
        push    %r15
.cfi_push       %r15
        push    %rdi                    # offload dst
.cfi_push       %rdi
        lea     -8*2(%rsp),%rsp
.cfi_adjust_cfa_offset  16
.Lfe64_mul_body:

        mov     %rdx,%rax
        mov     8*0(%rdx),%rbp          # b[0]
        mov     8*0(%rsi),%rdx          # a[0]
        mov     8*1(%rax),%rcx          # b[1]
        mov     8*2(%rax),$acc6         # b[2]
        mov     8*3(%rax),$acc7         # b[3]

        mulx    %rbp,$acc0,%rax         # a[0]*b[0]
        xor     %edi,%edi               # cf=0,of=0
        mulx    %rcx,$acc1,%rbx         # a[0]*b[1]
        adcx    %rax,$acc1
        mulx    $acc6,$acc2,%rax        # a[0]*b[2]
        adcx    %rbx,$acc2
        mulx    $acc7,$acc3,$acc4       # a[0]*b[3]
         mov    8*1(%rsi),%rdx          # a[1]
        adcx    %rax,$acc3
        mov     $acc6,(%rsp)            # offload b[2]
        adcx    %rdi,$acc4              # cf=0

        mulx    %rbp,%rax,%rbx          # a[1]*b[0]
        adox    %rax,$acc1
        adcx    %rbx,$acc2
        mulx    %rcx,%rax,%rbx          # a[1]*b[1]
        adox    %rax,$acc2
        adcx    %rbx,$acc3
        mulx    $acc6,%rax,%rbx         # a[1]*b[2]
        adox    %rax,$acc3
        adcx    %rbx,$acc4
        mulx    $acc7,%rax,$acc5        # a[1]*b[3]
         mov    8*2(%rsi),%rdx          # a[2]
        adox    %rax,$acc4
        adcx    %rdi,$acc5              # cf=0
        adox    %rdi,$acc5              # of=0

        mulx    %rbp,%rax,%rbx          # a[2]*b[0]
        adcx    %rax,$acc2
        adox    %rbx,$acc3
        mulx    %rcx,%rax,%rbx          # a[2]*b[1]
        adcx    %rax,$acc3
        adox    %rbx,$acc4
        mulx    $acc6,%rax,%rbx         # a[2]*b[2]
        adcx    %rax,$acc4
        adox    %rbx,$acc5
        mulx    $acc7,%rax,$acc6        # a[2]*b[3]
         mov    8*3(%rsi),%rdx          # a[3]
        adcx    %rax,$acc5
        adox    %rdi,$acc6              # of=0
        adcx    %rdi,$acc6              # cf=0

        mulx    %rbp,%rax,%rbx          # a[3]*b[0]
        adox    %rax,$acc3
        adcx    %rbx,$acc4
        mulx    %rcx,%rax,%rbx          # a[3]*b[1]
        adox    %rax,$acc4
        adcx    %rbx,$acc5
        mulx    (%rsp),%rax,%rbx        # a[3]*b[2]
        adox    %rax,$acc5
        adcx    %rbx,$acc6
        mulx    $acc7,%rax,$acc7        # a[3]*b[3]
         mov    \$38,%edx
        adox    %rax,$acc6
        adcx    %rdi,$acc7              # cf=0
        adox    %rdi,$acc7              # of=0

        jmp     .Lreduce64
.Lfe64_mul_epilogue:
.cfi_endproc
.size   x25519_fe64_mul,.-x25519_fe64_mul

.globl  x25519_fe64_sqr
.type   x25519_fe64_sqr,\@function,2
.align  32
x25519_fe64_sqr:
.cfi_startproc
        push    %rbp
.cfi_push       %rbp
        push    %rbx
.cfi_push       %rbx
        push    %r12
.cfi_push       %r12
        push    %r13
.cfi_push       %r13
        push    %r14
.cfi_push       %r14
        push    %r15
.cfi_push       %r15
        push    %rdi                    # offload dst
.cfi_push       %rdi
        lea     -8*2(%rsp),%rsp
.cfi_adjust_cfa_offset  16
.Lfe64_sqr_body:

        mov     8*0(%rsi),%rdx          # a[0]
        mov     8*1(%rsi),%rcx          # a[1]
        mov     8*2(%rsi),%rbp          # a[2]
        mov     8*3(%rsi),%rsi          # a[3]

        ################################################################
        mulx    %rdx,$acc0,$acc7        # a[0]*a[0]
        mulx    %rcx,$acc1,%rax         # a[0]*a[1]
        xor     %edi,%edi               # cf=0,of=0
        mulx    %rbp,$acc2,%rbx         # a[0]*a[2]
        adcx    %rax,$acc2
        mulx    %rsi,$acc3,$acc4        # a[0]*a[3]
         mov    %rcx,%rdx               # a[1]
        adcx    %rbx,$acc3
        adcx    %rdi,$acc4              # cf=0

        ################################################################
        mulx    %rbp,%rax,%rbx          # a[1]*a[2]
        adox    %rax,$acc3
        adcx    %rbx,$acc4
        mulx    %rsi,%rax,$acc5         # a[1]*a[3]
         mov    %rbp,%rdx               # a[2]
        adox    %rax,$acc4
        adcx    %rdi,$acc5

        ################################################################
        mulx    %rsi,%rax,$acc6         # a[2]*a[3]
         mov    %rcx,%rdx               # a[1]
        adox    %rax,$acc5
        adcx    %rdi,$acc6              # cf=0
        adox    %rdi,$acc6              # of=0

         adcx   $acc1,$acc1             # acc1:6<<1
        adox    $acc7,$acc1
         adcx   $acc2,$acc2
        mulx    %rdx,%rax,%rbx          # a[1]*a[1]
         mov    %rbp,%rdx               # a[2]
         adcx   $acc3,$acc3
        adox    %rax,$acc2
         adcx   $acc4,$acc4
        adox    %rbx,$acc3
        mulx    %rdx,%rax,%rbx          # a[2]*a[2]
         mov    %rsi,%rdx               # a[3]
         adcx   $acc5,$acc5
        adox    %rax,$acc4
         adcx   $acc6,$acc6
        adox    %rbx,$acc5
        mulx    %rdx,%rax,$acc7         # a[3]*a[3]
         mov    \$38,%edx
        adox    %rax,$acc6
        adcx    %rdi,$acc7              # cf=0
        adox    %rdi,$acc7              # of=0
        jmp     .Lreduce64

.align  32
.Lreduce64:
        mulx    $acc4,%rax,%rbx
        adcx    %rax,$acc0
        adox    %rbx,$acc1
        mulx    $acc5,%rax,%rbx
        adcx    %rax,$acc1
        adox    %rbx,$acc2
        mulx    $acc6,%rax,%rbx
        adcx    %rax,$acc2
        adox    %rbx,$acc3
        mulx    $acc7,%rax,$acc4
        adcx    %rax,$acc3
        adox    %rdi,$acc4
        adcx    %rdi,$acc4

        mov     8*2(%rsp),%rdi          # restore dst
        imulq   %rdx,$acc4

        add     $acc4,$acc0
        adc     \$0,$acc1
        adc     \$0,$acc2
        adc     \$0,$acc3

        sbb     %rax,%rax               # cf -> mask
        and     \$38,%rax

        add     %rax,$acc0
        mov     $acc1,8*1(%rdi)
        mov     $acc2,8*2(%rdi)
        mov     $acc3,8*3(%rdi)
        mov     $acc0,8*0(%rdi)

        mov     8*3(%rsp),%r15
.cfi_restore    %r15
        mov     8*4(%rsp),%r14
.cfi_restore    %r14
        mov     8*5(%rsp),%r13
.cfi_restore    %r13
        mov     8*6(%rsp),%r12
.cfi_restore    %r12
        mov     8*7(%rsp),%rbx
.cfi_restore    %rbx
        mov     8*8(%rsp),%rbp
.cfi_restore    %rbp
        lea     8*9(%rsp),%rsp
.cfi_adjust_cfa_offset  88
.Lfe64_sqr_epilogue:
        ret
.cfi_endproc
.size   x25519_fe64_sqr,.-x25519_fe64_sqr

.globl  x25519_fe64_mul121666
.type   x25519_fe64_mul121666,\@function,2
.align  32
x25519_fe64_mul121666:
.Lfe64_mul121666_body:
.cfi_startproc
        mov     \$121666,%edx
        mulx    8*0(%rsi),$acc0,%rcx
        mulx    8*1(%rsi),$acc1,%rax
        add     %rcx,$acc1
        mulx    8*2(%rsi),$acc2,%rcx
        adc     %rax,$acc2
        mulx    8*3(%rsi),$acc3,%rax
        adc     %rcx,$acc3
        adc     \$0,%rax

        imulq   \$38,%rax,%rax

        add     %rax,$acc0
        adc     \$0,$acc1
        adc     \$0,$acc2
        adc     \$0,$acc3

        sbb     %rax,%rax               # cf -> mask
        and     \$38,%rax

        add     %rax,$acc0
        mov     $acc1,8*1(%rdi)
        mov     $acc2,8*2(%rdi)
        mov     $acc3,8*3(%rdi)
        mov     $acc0,8*0(%rdi)

.Lfe64_mul121666_epilogue:
        ret
.cfi_endproc
.size   x25519_fe64_mul121666,.-x25519_fe64_mul121666

.globl  x25519_fe64_add
.type   x25519_fe64_add,\@function,3
.align  32
x25519_fe64_add:
.Lfe64_add_body:
.cfi_startproc
        mov     8*0(%rsi),$acc0
        mov     8*1(%rsi),$acc1
        mov     8*2(%rsi),$acc2
        mov     8*3(%rsi),$acc3

        add     8*0(%rdx),$acc0
        adc     8*1(%rdx),$acc1
        adc     8*2(%rdx),$acc2
        adc     8*3(%rdx),$acc3

        sbb     %rax,%rax               # cf -> mask
        and     \$38,%rax

        add     %rax,$acc0
        adc     \$0,$acc1
        adc     \$0,$acc2
        mov     $acc1,8*1(%rdi)
        adc     \$0,$acc3
        mov     $acc2,8*2(%rdi)
        sbb     %rax,%rax               # cf -> mask
        mov     $acc3,8*3(%rdi)
        and     \$38,%rax

        add     %rax,$acc0
        mov     $acc0,8*0(%rdi)

.Lfe64_add_epilogue:
        ret
.cfi_endproc
.size   x25519_fe64_add,.-x25519_fe64_add

.globl  x25519_fe64_sub
.type   x25519_fe64_sub,\@function,3
.align  32
x25519_fe64_sub:
.Lfe64_sub_body:
.cfi_startproc
        mov     8*0(%rsi),$acc0
        mov     8*1(%rsi),$acc1
        mov     8*2(%rsi),$acc2
        mov     8*3(%rsi),$acc3

        sub     8*0(%rdx),$acc0
        sbb     8*1(%rdx),$acc1
        sbb     8*2(%rdx),$acc2
        sbb     8*3(%rdx),$acc3

        sbb     %rax,%rax               # cf -> mask
        and     \$38,%rax

        sub     %rax,$acc0
        sbb     \$0,$acc1
        sbb     \$0,$acc2
        mov     $acc1,8*1(%rdi)
        sbb     \$0,$acc3
        mov     $acc2,8*2(%rdi)
        sbb     %rax,%rax               # cf -> mask
        mov     $acc3,8*3(%rdi)
        and     \$38,%rax

        sub     %rax,$acc0
        mov     $acc0,8*0(%rdi)

.Lfe64_sub_epilogue:
        ret
.cfi_endproc
.size   x25519_fe64_sub,.-x25519_fe64_sub

.globl  x25519_fe64_tobytes
.type   x25519_fe64_tobytes,\@function,2
.align  32
x25519_fe64_tobytes:
.Lfe64_to_body:
.cfi_startproc
        mov     8*0(%rsi),$acc0
        mov     8*1(%rsi),$acc1
        mov     8*2(%rsi),$acc2
        mov     8*3(%rsi),$acc3

        ################################# reduction modulo 2^255-19
        lea     ($acc3,$acc3),%rax
        sar     \$63,$acc3              # most significant bit -> mask
        shr     \$1,%rax                # most significant bit cleared
        and     \$19,$acc3
        add     \$19,$acc3              # compare to modulus in the same go

        add     $acc3,$acc0
        adc     \$0,$acc1
        adc     \$0,$acc2
        adc     \$0,%rax

        lea     (%rax,%rax),$acc3
        sar     \$63,%rax               # most significant bit -> mask
        shr     \$1,$acc3               # most significant bit cleared
        not     %rax
        and     \$19,%rax

        sub     %rax,$acc0
        sbb     \$0,$acc1
        sbb     \$0,$acc2
        sbb     \$0,$acc3

        mov     $acc0,8*0(%rdi)
        mov     $acc1,8*1(%rdi)
        mov     $acc2,8*2(%rdi)
        mov     $acc3,8*3(%rdi)

.Lfe64_to_epilogue:
        ret
.cfi_endproc
.size   x25519_fe64_tobytes,.-x25519_fe64_tobytes
___
} else {
$code.=<<___;
.globl  x25519_fe64_eligible
.type   x25519_fe64_eligible,\@abi-omnipotent
.align  32
x25519_fe64_eligible:
.cfi_startproc
        xor     %eax,%eax
        ret
.cfi_endproc
.size   x25519_fe64_eligible,.-x25519_fe64_eligible

.globl  x25519_fe64_mul
.type   x25519_fe64_mul,\@abi-omnipotent
.globl  x25519_fe64_sqr
.globl  x25519_fe64_mul121666
.globl  x25519_fe64_add
.globl  x25519_fe64_sub
.globl  x25519_fe64_tobytes
x25519_fe64_mul:
x25519_fe64_sqr:
x25519_fe64_mul121666:
x25519_fe64_add:
x25519_fe64_sub:
x25519_fe64_tobytes:
.cfi_startproc
        .byte   0x0f,0x0b       # ud2
        ret
.cfi_endproc
.size   x25519_fe64_mul,.-x25519_fe64_mul
___
}
$code.=<<___;
.asciz  "X25519 primitives for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
___

# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
#               CONTEXT *context,DISPATCHER_CONTEXT *disp)
if ($win64) {
$rec="%rcx";
$frame="%rdx";
$context="%r8";
$disp="%r9";

$code.=<<___;
.extern __imp_RtlVirtualUnwind

.type   short_handler,\@abi-omnipotent
.align  16
short_handler:
        push    %rsi
        push    %rdi
        push    %rbx
        push    %rbp
        push    %r12
        push    %r13
        push    %r14
        push    %r15
        pushfq
        sub     \$64,%rsp

        mov     120($context),%rax      # pull context->Rax
        mov     248($context),%rbx      # pull context->Rip

        mov     8($disp),%rsi           # disp->ImageBase
        mov     56($disp),%r11          # disp->HandlerData

        mov     0(%r11),%r10d           # HandlerData[0]
        lea     (%rsi,%r10),%r10        # end of prologue label
        cmp     %r10,%rbx               # context->Rip<end of prologue label
        jb      .Lcommon_seh_tail

        mov     152($context),%rax      # pull context->Rsp
        jmp     .Lcommon_seh_tail
.size   short_handler,.-short_handler

.type   full_handler,\@abi-omnipotent
.align  16
full_handler:
        push    %rsi
        push    %rdi
        push    %rbx
        push    %rbp
        push    %r12
        push    %r13
        push    %r14
        push    %r15
        pushfq
        sub     \$64,%rsp

        mov     120($context),%rax      # pull context->Rax
        mov     248($context),%rbx      # pull context->Rip

        mov     8($disp),%rsi           # disp->ImageBase
        mov     56($disp),%r11          # disp->HandlerData

        mov     0(%r11),%r10d           # HandlerData[0]
        lea     (%rsi,%r10),%r10        # end of prologue label
        cmp     %r10,%rbx               # context->Rip<end of prologue label
        jb      .Lcommon_seh_tail

        mov     152($context),%rax      # pull context->Rsp

        mov     4(%r11),%r10d           # HandlerData[1]
        lea     (%rsi,%r10),%r10        # epilogue label
        cmp     %r10,%rbx               # context->Rip>=epilogue label
        jae     .Lcommon_seh_tail

        mov     8(%r11),%r10d           # HandlerData[2]
        lea     (%rax,%r10),%rax

        mov     -8(%rax),%rbp
        mov     -16(%rax),%rbx
        mov     -24(%rax),%r12
        mov     -32(%rax),%r13
        mov     -40(%rax),%r14
        mov     -48(%rax),%r15
        mov     %rbx,144($context)      # restore context->Rbx
        mov     %rbp,160($context)      # restore context->Rbp
        mov     %r12,216($context)      # restore context->R12
        mov     %r13,224($context)      # restore context->R13
        mov     %r14,232($context)      # restore context->R14
        mov     %r15,240($context)      # restore context->R15

.Lcommon_seh_tail:
        mov     8(%rax),%rdi
        mov     16(%rax),%rsi
        mov     %rax,152($context)      # restore context->Rsp
        mov     %rsi,168($context)      # restore context->Rsi
        mov     %rdi,176($context)      # restore context->Rdi

        mov     40($disp),%rdi          # disp->ContextRecord
        mov     $context,%rsi           # context
        mov     \$154,%ecx              # sizeof(CONTEXT)
        .long   0xa548f3fc              # cld; rep movsq

        mov     $disp,%rsi
        xor     %rcx,%rcx               # arg1, UNW_FLAG_NHANDLER
        mov     8(%rsi),%rdx            # arg2, disp->ImageBase
        mov     0(%rsi),%r8             # arg3, disp->ControlPc
        mov     16(%rsi),%r9            # arg4, disp->FunctionEntry
        mov     40(%rsi),%r10           # disp->ContextRecord
        lea     56(%rsi),%r11           # &disp->HandlerData
        lea     24(%rsi),%r12           # &disp->EstablisherFrame
        mov     %r10,32(%rsp)           # arg5
        mov     %r11,40(%rsp)           # arg6
        mov     %r12,48(%rsp)           # arg7
        mov     %rcx,56(%rsp)           # arg8, (NULL)
        call    *__imp_RtlVirtualUnwind(%rip)

        mov     \$1,%eax                # ExceptionContinueSearch
        add     \$64,%rsp
        popfq
        pop     %r15
        pop     %r14
        pop     %r13
        pop     %r12
        pop     %rbp
        pop     %rbx
        pop     %rdi
        pop     %rsi
        ret
.size   full_handler,.-full_handler

.section        .pdata
.align  4
        .rva    .LSEH_begin_x25519_fe51_mul
        .rva    .LSEH_end_x25519_fe51_mul
        .rva    .LSEH_info_x25519_fe51_mul

        .rva    .LSEH_begin_x25519_fe51_sqr
        .rva    .LSEH_end_x25519_fe51_sqr
        .rva    .LSEH_info_x25519_fe51_sqr

        .rva    .LSEH_begin_x25519_fe51_mul121666
        .rva    .LSEH_end_x25519_fe51_mul121666
        .rva    .LSEH_info_x25519_fe51_mul121666
___
$code.=<<___    if ($addx);
        .rva    .LSEH_begin_x25519_fe64_mul
        .rva    .LSEH_end_x25519_fe64_mul
        .rva    .LSEH_info_x25519_fe64_mul

        .rva    .LSEH_begin_x25519_fe64_sqr
        .rva    .LSEH_end_x25519_fe64_sqr
        .rva    .LSEH_info_x25519_fe64_sqr

        .rva    .LSEH_begin_x25519_fe64_mul121666
        .rva    .LSEH_end_x25519_fe64_mul121666
        .rva    .LSEH_info_x25519_fe64_mul121666

        .rva    .LSEH_begin_x25519_fe64_add
        .rva    .LSEH_end_x25519_fe64_add
        .rva    .LSEH_info_x25519_fe64_add

        .rva    .LSEH_begin_x25519_fe64_sub
        .rva    .LSEH_end_x25519_fe64_sub
        .rva    .LSEH_info_x25519_fe64_sub

        .rva    .LSEH_begin_x25519_fe64_tobytes
        .rva    .LSEH_end_x25519_fe64_tobytes
        .rva    .LSEH_info_x25519_fe64_tobytes
___
$code.=<<___;
.section        .xdata
.align  8
.LSEH_info_x25519_fe51_mul:
        .byte   9,0,0,0
        .rva    full_handler
        .rva    .Lfe51_mul_body,.Lfe51_mul_epilogue     # HandlerData[]
        .long   88,0
.LSEH_info_x25519_fe51_sqr:
        .byte   9,0,0,0
        .rva    full_handler
        .rva    .Lfe51_sqr_body,.Lfe51_sqr_epilogue     # HandlerData[]
        .long   88,0
.LSEH_info_x25519_fe51_mul121666:
        .byte   9,0,0,0
        .rva    full_handler
        .rva    .Lfe51_mul121666_body,.Lfe51_mul121666_epilogue # HandlerData[]
        .long   88,0
___
$code.=<<___    if ($addx);
.LSEH_info_x25519_fe64_mul:
        .byte   9,0,0,0
        .rva    full_handler
        .rva    .Lfe64_mul_body,.Lfe64_mul_epilogue     # HandlerData[]
        .long   72,0
.LSEH_info_x25519_fe64_sqr:
        .byte   9,0,0,0
        .rva    full_handler
        .rva    .Lfe64_sqr_body,.Lfe64_sqr_epilogue     # HandlerData[]
        .long   72,0
.LSEH_info_x25519_fe64_mul121666:
        .byte   9,0,0,0
        .rva    short_handler
        .rva    .Lfe64_mul121666_body,.Lfe64_mul121666_epilogue # HandlerData[]
.LSEH_info_x25519_fe64_add:
        .byte   9,0,0,0
        .rva    short_handler
        .rva    .Lfe64_add_body,.Lfe64_add_epilogue     # HandlerData[]
.LSEH_info_x25519_fe64_sub:
        .byte   9,0,0,0
        .rva    short_handler
        .rva    .Lfe64_sub_body,.Lfe64_sub_epilogue     # HandlerData[]
.LSEH_info_x25519_fe64_tobytes:
        .byte   9,0,0,0
        .rva    short_handler
        .rva    .Lfe64_to_body,.Lfe64_to_epilogue       # HandlerData[]
___
}

$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT or die "error closing STDOUT: $!";