C nettle, low-level cryptographics library
C 
C Copyright (C) 2013 Niels Möller
C  
C The nettle library is free software; you can redistribute it and/or modify
C it under the terms of the GNU Lesser General Public License as published by
C the Free Software Foundation; either version 2.1 of the License, or (at your
C option) any later version.
C 
C The nettle library is distributed in the hope that it will be useful, but
C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
C or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
C License for more details.
C 
C You should have received a copy of the GNU Lesser General Public License
C along with the nettle library; see the file COPYING.LIB.  If not, write to
C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
C MA 02111-1301, USA.

	.file "sha256-compress.asm"

define(<STATE>, <r0>)
define(<INPUT>, <r1>)
define(<K>, <r2>)
define(<SA>, <r3>)
define(<SB>, <r4>)
define(<SC>, <r5>)
define(<SD>, <r6>)
define(<SE>, <r7>)
define(<SF>, <r8>)
define(<SG>, <r10>)
define(<SH>, <r11>)
define(<T0>, <r12>)
define(<T1>, <r1>)	C Overlap INPUT
define(<COUNT>, <r0>)	C Overlap STATE
define(<W>, <r14>)

C Used for data load
define(<I0>, <r3>)
define(<I1>, <r4>)
define(<I2>, <r5>)
define(<I3>, <r6>)
define(<I4>, <r7>)
define(<DST>, <r8>)
define(<SHIFT>, <r10>)
define(<ILEFT>, <r11>)

define(<EXPN>, <
	ldr	W, [sp, #+eval(4*$1)]
	ldr	T0, [sp, #+eval(4*(($1 + 14) % 16))]
	ror	T1, T0, #17
	eor	T1, T1, T0, ror #19
	eor	T1, T1, T0, lsr #10
	add	W, W, T1
	ldr	T0, [sp, #+eval(4*(($1 + 9) % 16))]
	add	W, W, T0
	ldr	T0, [sp, #+eval(4*(($1 + 1) % 16))]
	ror	T1, T0, #7
	eor	T1, T1, T0, ror #18
	eor	T1, T1, T0, lsr #3
	add	W, W, T1
	str	W, [sp, #+eval(4*$1)]
>)

C ROUND(A,B,C,D,E,F,G,H)
C
C H += S1(E) + Choice(E,F,G) + K + W
C D += H
C H += S0(A) + Majority(A,B,C)
C
C Where
C
C S1(E) = E<<<26 ^ E<<<21 ^ E<<<7
C S0(A) = A<<<30 ^ A<<<19 ^ A<<<10
C Choice (E, F, G) = G^(E&(F^G))
C Majority (A,B,C) = (A&B) + (C&(A^B))
	
define(<ROUND>, <
	ror	T0, $5, #6
	eor	T0, T0, $5, ror #11
	eor	T0, T0, $5, ror #25
	add	$8, $8, T0
	eor	T0, $6, $7
	and	T0, T0, $5
	eor	T0, T0, $7
	add	$8,$8, T0
	ldr	T0, [K], #+4
	add	$8, $8, W
	add	$8, $8, T0
	add	$4, $4, $8
	ror	T0, $1, #2
	eor	T0, T0, $1, ror #13
	eor	T0, T0, $1, ror #22
	add	$8, $8, T0
	and	T0, $1, $2
	add	$8, $8, T0
	eor	T0, $1, $2
	and	T0, T0, $3
	add	$8, $8, T0
>)

define(<NOEXPN>, <
	ldr	W, [sp, + $1]
	add	$1, $1, #4
>)
	C void
	C _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k)

	.text
	.align 2

PROLOGUE(_nettle_sha256_compress)
	push	{r4,r5,r6,r7,r8,r10,r11,r14}
	sub	sp, sp, #68
	str	STATE, [sp, +#64]

	C Load data up front, since we don't have enough registers
	C to load and shift on-the-fly
	ands	SHIFT, INPUT, #3
	and	INPUT, INPUT, $-4
	ldr	I0, [INPUT]
	addne	INPUT, INPUT, #4
	lsl	SHIFT, SHIFT, #3
	mov	T0, #0
	movne	T0, #-1
	lsl	I1, T0, SHIFT
	uadd8	T0, T0, I1		C Sets APSR.GE bits

	mov	DST, sp
	mov	ILEFT, #4
.Lcopy:
	ldm	INPUT!, {I1,I2,I3,I4}
	sel	I0, I0, I1
	ror	I0, I0, SHIFT
	rev	I0, I0
	sel	I1, I1, I2
	ror	I1, I1, SHIFT
	rev	I1, I1
	sel	I2, I2, I3
	ror	I2, I2, SHIFT
	rev	I2, I2
	sel	I3, I3, I4
	ror	I3, I3, SHIFT
	rev	I3, I3
	subs	ILEFT, ILEFT, #1
	stm	DST!, {I0,I1,I2,I3}
	mov	I0, I4	
	bne	.Lcopy
	
	ldm	STATE, {SA,SB,SC,SD,SE,SF,SG,SH}

	mov	COUNT,#0

.Loop1:
	NOEXPN(COUNT) ROUND(SA,SB,SC,SD,SE,SF,SG,SH)
	NOEXPN(COUNT) ROUND(SH,SA,SB,SC,SD,SE,SF,SG)
	NOEXPN(COUNT) ROUND(SG,SH,SA,SB,SC,SD,SE,SF)
	NOEXPN(COUNT) ROUND(SF,SG,SH,SA,SB,SC,SD,SE)
	NOEXPN(COUNT) ROUND(SE,SF,SG,SH,SA,SB,SC,SD)
	NOEXPN(COUNT) ROUND(SD,SE,SF,SG,SH,SA,SB,SC)
	NOEXPN(COUNT) ROUND(SC,SD,SE,SF,SG,SH,SA,SB)
	NOEXPN(COUNT) ROUND(SB,SC,SD,SE,SF,SG,SH,SA)
	cmp	COUNT,#64
	bne	.Loop1

	mov	COUNT, #3
.Loop2:
	
	EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH)
	EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG)
	EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF)
	EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE)
	EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD)
	EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC)
	EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB)
	EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA)
	EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH)
	EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG)
	EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF)
	EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE)
	EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD)
	EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC)
	EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB)
	subs	COUNT, COUNT, #1
	EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA)
	bne	.Loop2

	ldr	STATE, [sp, +#64]
	C No longer needed registers
	ldm	STATE, {r1,r2,r12,r14}
	add	SA, SA, r1
	add	SB, SB, r2
	add	SC, SC, r12
	add	SD, SD, r14
	stm	STATE!, {SA,SB,SC,SD}
	ldm	STATE, {r1,r2,r12,r14}
	add	SE, SE, r1
	add	SF, SF, r2
	add	SG, SG, r12
	add	SH, SH, r14
	stm	STATE!, {SE,SF,SG,SH}
	add	sp, sp, #68
	pop	{r4,r5,r6,r7,r8,r10,r11,pc}
EPILOGUE(_nettle_sha256_compress)