Provide a replacement assembly implementation for SHA-256 on amd64.

Replace the perlasm generated SHA-256 assembly implementation with one that
is actually readable. Call the assembly implementation from a C wrapper
that can, in the future, dispatch to alternate implementations. Performance
is similar (or even better) on modern CPUs, while somewhat slower on older
CPUs (this is in part due to the wrapper, the impact of which is more
noticable with small block sizes).

Thanks to gkoehler@ and tb@ for testing.

ok tb@

3 files changed, 330 insertions, 6 deletions

diff --git a/src/lib/libcrypto/arch/amd64/Makefile.inc b/src/lib/libcrypto/arch/amd64/Makefile.inc
index 2f41f44381..07fcf46ed5 100644
--- a/src/lib/libcrypto/arch/amd64/Makefile.inc
+++ b/src/lib/libcrypto/arch/amd64/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.30 2024/10/18 13:36:24 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.31 2024/11/08 15:09:48 jsing Exp $
 
 # amd64-specific libcrypto build rules
 
@@ -51,11 +51,8 @@ SSLASM+= rc4 rc4-x86_64
 CFLAGS+= -DSHA1_ASM
 SSLASM+= sha sha1-x86_64
 CFLAGS+= -DSHA256_ASM
-SRCS+= sha256-x86_64.S
-GENERATED+= sha256-x86_64.S
-sha256-x86_64.S: ${LCRYPTO_SRC}/sha/asm/sha512-x86_64.pl ${EXTRA_PL}
-        cd ${LCRYPTO_SRC}/sha/asm ; \
-                /usr/bin/perl ./sha512-x86_64.pl ${.OBJDIR}/${.TARGET}
+SRCS+= sha256_amd64.c
+SRCS+= sha256_amd64_generic.S
 CFLAGS+= -DSHA512_ASM
 SRCS+= sha512-x86_64.S
 GENERATED+= sha512-x86_64.S
diff --git a/src/lib/libcrypto/sha/sha256_amd64.c b/src/lib/libcrypto/sha/sha256_amd64.c
new file mode 100644
index 0000000000..f7531b340f
--- /dev/null
+++ b/src/lib/libcrypto/sha/sha256_amd64.c
@@ -0,0 +1,26 @@
+/* $OpenBSD: sha256_amd64.c,v 1.1 2024/11/08 15:09:48 jsing Exp $ */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/sha.h>
+
+void sha256_block_generic(SHA256_CTX *ctx, const void *in, size_t num);
+
+void
+sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num)
+{
+        sha256_block_generic(ctx, in, num);
+}
diff --git a/src/lib/libcrypto/sha/sha256_amd64_generic.S b/src/lib/libcrypto/sha/sha256_amd64_generic.S
new file mode 100644
index 0000000000..07078fb0d5
--- /dev/null
+++ b/src/lib/libcrypto/sha/sha256_amd64_generic.S
@@ -0,0 +1,301 @@
+/* $OpenBSD: sha256_amd64_generic.S,v 1.1 2024/11/08 15:09:48 jsing Exp $ */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifdef __CET__
+#include <cet.h>
+#else
+#define _CET_ENDBR
+#endif
+
+#define ctx             %rdi
+#define in              %rsi
+#define num             %rdx
+
+#define round           %rdi
+
+#define hs0             %r8d
+#define hs1             %r9d
+#define hs2             %r10d
+#define hs3             %r11d
+#define hs4             %r12d
+#define hs5             %r13d
+#define hs6             %r14d
+#define hs7             %r15d
+
+#define k256            %rbp
+
+#define tmp0            %eax
+#define tmp1            %ebx
+#define tmp2            %ecx
+#define tmp3            %edx
+
+/*
+ * Load message into wt, storing a copy in the message schedule:
+ *
+ *  Wt = Mt
+ */
+#define sha256_message_schedule_load(idx, m, w, wt) \
+        movl    (m, round, 4), wt;                              \
+        bswapl  wt;                                             \
+        movl    wt, ((idx&0xf)*4)(w);
+
+/*
+ * Update message schedule and return current value in wt:
+ *
+ *  Wt = sigma1(W(t-2)) + W(t-7) + sigma0(W(t-15)) + W(t-16)
+ *
+ *  sigma0(x) = ror(x, 7) ^ ror(x, 18) ^ (x >> 3)
+ *  sigma1(x) = ror(x, 17) ^ ror(x, 19) ^ (x >> 10)
+ */
+#define sha256_message_schedule_update(idx, w, wt) \
+        movl    (((idx-2)&0xf)*4)(w), wt;       /* sigma1 */    \
+        movl    wt, tmp1;                       /* sigma1 */    \
+        rorl    $(19-17), tmp1;                 /* sigma1 */    \
+        xorl    wt, tmp1;                       /* sigma1 */    \
+        rorl    $17, tmp1;                      /* sigma1 */    \
+        shrl    $10, wt;                        /* sigma1 */    \
+        xorl    tmp1, wt;                       /* sigma1 */    \
+        \
+        addl    (((idx-7)&0xf)*4)(w), wt;       /* Wt-7 */      \
+        addl    (((idx-16)&0xf)*4)(w), wt;      /* Wt-16 */     \
+        \
+        movl    (((idx-15)&0xf)*4)(w), tmp2;    /* sigma0 */    \
+        movl    tmp2, tmp3;                     /* sigma0 */    \
+        rorl    $(18-7), tmp2;                  /* sigma0 */    \
+        xorl    tmp3, tmp2;                     /* sigma0 */    \
+        rorl    $7, tmp2;                       /* sigma0 */    \
+        shrl    $3, tmp3;                       /* sigma0 */    \
+        xorl    tmp3, tmp2;                     /* sigma0 */    \
+        addl    tmp2, wt;                       /* sigma0 */    \
+        \
+        movl    wt, ((idx&0xf)*4)(w);
+
+/*
+ * Compute a SHA-256 round:
+ *
+ *  T1 = h + Sigma1(e) + Ch(e, f, g) + Kt + Wt
+ *  T2 = Sigma0(a) + Maj(a, b, c)
+ *
+ *  Sigma0(x) = ror(x, 2) ^ ror(x, 13) ^ ror(x, 22)
+ *  Sigma1(x) = ror(x, 6) ^ ror(x, 11) ^ ror(x, 25)
+ *  Ch(x, y, z) = (x & y) ^ (~x & z) = ((y ^ z) & x) ^ z
+ *  Maj(x, y, z) = (x & y) ^ (x & z) ^ (y & z) = ((y ^ z) & x) ^ (y & z)
+ *
+ * Upon completion d = d + T1, h = T1 + T2, pending rotation.
+ */
+#define sha256_round(idx, a, b, c, d, e, f, g, h, k, w, wt) \
+        addl    wt, h;                          /* T1 Wt */     \
+        addl    (k256, round, 4), h;            /* T1 Kt */     \
+        \
+        movl    e, tmp1;                        /* T1 Sigma1 */ \
+        rorl    $(25-11), tmp1;                 /* T1 Sigma1 */ \
+        xorl    e, tmp1;                        /* T1 Sigma1 */ \
+        rorl    $(11-6), tmp1;                  /* T1 Sigma1 */ \
+        xorl    e, tmp1;                        /* T1 Sigma1 */ \
+        rorl    $6, tmp1;                       /* T1 Sigma1 */ \
+        addl    tmp1, h;                        /* T1 Sigma1 */ \
+        \
+        movl    f, tmp2;                        /* T1 Ch */     \
+        xorl    g, tmp2;                        /* T1 Ch */     \
+        andl    e, tmp2;                        /* T1 Ch */     \
+        xorl    g, tmp2;                        /* T1 Ch */     \
+        addl    tmp2, h;                        /* T1 Ch */     \
+        \
+        addl    h, d;                           /* d += T1 */   \
+        \
+        movl    a, tmp1;                        /* T2 Sigma0 */ \
+        rorl    $(22-13), tmp1;                 /* T2 Sigma0 */ \
+        xorl    a, tmp1;                        /* T2 Sigma0 */ \
+        rorl    $(13-2), tmp1;                  /* T2 Sigma0 */ \
+        xorl    a, tmp1;                        /* T2 Sigma0 */ \
+        rorl    $2, tmp1;                       /* T2 Sigma0 */ \
+        addl    tmp1, h;                        /* T2 Sigma0 */ \
+        \
+        movl    b, tmp2;                        /* T2 Maj */    \
+        xorl    c, tmp2;                        /* T2 Maj */    \
+        andl    a, tmp2;                        /* T2 Maj */    \
+        movl    b, tmp3;                        /* T2 Maj */    \
+        andl    c, tmp3;                        /* T2 Maj */    \
+        xorl    tmp2, tmp3;                     /* T2 Maj */    \
+        addl    tmp3, h;                        /* T2 Maj */    \
+        \
+        addq    $1, round;
+
+#define sha256_round_load(idx, a, b, c, d, e, f, g, h) \
+        sha256_message_schedule_load(idx, in, %rsp, tmp0) \
+        sha256_round(idx, a, b, c, d, e, f, g, h, k256, %rsp, tmp0)
+
+#define sha256_round_update(idx, a, b, c, d, e, f, g, h) \
+        sha256_message_schedule_update(idx, %rsp, tmp0) \
+        sha256_round(idx, a, b, c, d, e, f, g, h, k256, %rsp, tmp0)
+
+.text
+
+/*
+ * void sha256_block_generic(SHA256_CTX *ctx, const void *in, size_t num);
+ *
+ * Standard x86-64 ABI: rdi = ctx, rsi = in, rdx = num
+ */
+.align 16
+.globl  sha256_block_generic
+.type   sha256_block_generic,@function
+sha256_block_generic:
+        _CET_ENDBR
+
+        /* Save callee save registers. */
+        pushq   %rbx
+        pushq   %rbp
+        pushq   %r12
+        pushq   %r13
+        pushq   %r14
+        pushq   %r15
+
+        /* Allocate space for message schedule and context pointer. */
+        movq    %rsp, %rax
+        subq    $(64+32), %rsp
+        andq    $~63, %rsp
+        movq    %rax, (64+16)(%rsp)
+        movq    ctx, (64+8)(%rsp)
+
+        /* Compute and store end of message. */
+        shlq    $6, num
+        leaq    (in, num, 1), %rbx
+        movq    %rbx, (64+0)(%rsp)
+
+        /* Address of SHA-256 constants. */
+        leaq    K256(%rip), k256
+
+        /* Load current hash state from context. */
+        movl    (0*4)(ctx), hs0
+        movl    (1*4)(ctx), hs1
+        movl    (2*4)(ctx), hs2
+        movl    (3*4)(ctx), hs3
+        movl    (4*4)(ctx), hs4
+        movl    (5*4)(ctx), hs5
+        movl    (6*4)(ctx), hs6
+        movl    (7*4)(ctx), hs7
+
+        jmp     .Lblock_loop0
+
+.align 16
+.Lblock_loop0:
+        mov     $0, round
+
+        /* Round 0 through 15. */
+        sha256_round_load(0, hs0, hs1, hs2, hs3, hs4, hs5, hs6, hs7)
+        sha256_round_load(1, hs7, hs0, hs1, hs2, hs3, hs4, hs5, hs6)
+        sha256_round_load(2, hs6, hs7, hs0, hs1, hs2, hs3, hs4, hs5)
+        sha256_round_load(3, hs5, hs6, hs7, hs0, hs1, hs2, hs3, hs4)
+        sha256_round_load(4, hs4, hs5, hs6, hs7, hs0, hs1, hs2, hs3)
+        sha256_round_load(5, hs3, hs4, hs5, hs6, hs7, hs0, hs1, hs2)
+        sha256_round_load(6, hs2, hs3, hs4, hs5, hs6, hs7, hs0, hs1)
+        sha256_round_load(7, hs1, hs2, hs3, hs4, hs5, hs6, hs7, hs0)
+        sha256_round_load(8, hs0, hs1, hs2, hs3, hs4, hs5, hs6, hs7)
+        sha256_round_load(9, hs7, hs0, hs1, hs2, hs3, hs4, hs5, hs6)
+        sha256_round_load(10, hs6, hs7, hs0, hs1, hs2, hs3, hs4, hs5)
+        sha256_round_load(11, hs5, hs6, hs7, hs0, hs1, hs2, hs3, hs4)
+        sha256_round_load(12, hs4, hs5, hs6, hs7, hs0, hs1, hs2, hs3)
+        sha256_round_load(13, hs3, hs4, hs5, hs6, hs7, hs0, hs1, hs2)
+        sha256_round_load(14, hs2, hs3, hs4, hs5, hs6, hs7, hs0, hs1)
+        sha256_round_load(15, hs1, hs2, hs3, hs4, hs5, hs6, hs7, hs0)
+
+        jmp     .Lblock_loop16
+
+.align 16
+.Lblock_loop16:
+        /* Round 16 through 63. */
+        sha256_round_update(16, hs0, hs1, hs2, hs3, hs4, hs5, hs6, hs7)
+        sha256_round_update(17, hs7, hs0, hs1, hs2, hs3, hs4, hs5, hs6)
+        sha256_round_update(18, hs6, hs7, hs0, hs1, hs2, hs3, hs4, hs5)
+        sha256_round_update(19, hs5, hs6, hs7, hs0, hs1, hs2, hs3, hs4)
+        sha256_round_update(20, hs4, hs5, hs6, hs7, hs0, hs1, hs2, hs3)
+        sha256_round_update(21, hs3, hs4, hs5, hs6, hs7, hs0, hs1, hs2)
+        sha256_round_update(22, hs2, hs3, hs4, hs5, hs6, hs7, hs0, hs1)
+        sha256_round_update(23, hs1, hs2, hs3, hs4, hs5, hs6, hs7, hs0)
+        sha256_round_update(24, hs0, hs1, hs2, hs3, hs4, hs5, hs6, hs7)
+        sha256_round_update(25, hs7, hs0, hs1, hs2, hs3, hs4, hs5, hs6)
+        sha256_round_update(26, hs6, hs7, hs0, hs1, hs2, hs3, hs4, hs5)
+        sha256_round_update(27, hs5, hs6, hs7, hs0, hs1, hs2, hs3, hs4)
+        sha256_round_update(28, hs4, hs5, hs6, hs7, hs0, hs1, hs2, hs3)
+        sha256_round_update(29, hs3, hs4, hs5, hs6, hs7, hs0, hs1, hs2)
+        sha256_round_update(30, hs2, hs3, hs4, hs5, hs6, hs7, hs0, hs1)
+        sha256_round_update(31, hs1, hs2, hs3, hs4, hs5, hs6, hs7, hs0)
+
+        cmp     $64, round
+        jb      .Lblock_loop16
+
+        movq    (64+8)(%rsp), ctx
+
+        /* Add intermediate state to hash state. */
+        addl    (0*4)(ctx), hs0
+        addl    (1*4)(ctx), hs1
+        addl    (2*4)(ctx), hs2
+        addl    (3*4)(ctx), hs3
+        addl    (4*4)(ctx), hs4
+        addl    (5*4)(ctx), hs5
+        addl    (6*4)(ctx), hs6
+        addl    (7*4)(ctx), hs7
+
+        /* Store new hash state to context. */
+        movl    hs0, (0*4)(ctx)
+        movl    hs1, (1*4)(ctx)
+        movl    hs2, (2*4)(ctx)
+        movl    hs3, (3*4)(ctx)
+        movl    hs4, (4*4)(ctx)
+        movl    hs5, (5*4)(ctx)
+        movl    hs6, (6*4)(ctx)
+        movl    hs7, (7*4)(ctx)
+
+        addq    $64, in
+        cmpq    (64+0)(%rsp), in
+        jb      .Lblock_loop0
+
+        movq    (64+16)(%rsp), %rsp
+
+        /* Restore callee save registers. */
+        popq    %r15
+        popq    %r14
+        popq    %r13
+        popq    %r12
+        popq    %rbp
+        popq    %rbx
+
+        ret
+
+/*
+ * SHA-256 constants - see FIPS 180-4 section 4.2.2.
+ */
+.rodata
+.align  64
+.type   K256,@object
+K256:
+.long   0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5
+.long   0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5
+.long   0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3
+.long   0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174
+.long   0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc
+.long   0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da
+.long   0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7
+.long   0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967
+.long   0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13
+.long   0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85
+.long   0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3
+.long   0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070
+.long   0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5
+.long   0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3
+.long   0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208
+.long   0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2