rsa: Further optimization of multiplications for Cortex-M0

In RSA, we often need to actually compute (a*b)+c+d: provide some
assembly optimized functions for that.

With -O3, 3072-bit exponent, lower verification time from 104 ms to
88 ms on STM32F072 @48Mhz.

BRANCH=poppy
BUG=b:35647963
BUG=b:77608104
TEST=On staff, flash, verification successful
TEST=make test-rsa, make test-rsa3
TEST=make BOARD=hammer test-utils test-rsa3, test on board

Change-Id: I80e8a7258d091e4f6adea11797729ac657dfd85d
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1071411
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>

1 files changed, 3 insertions, 3 deletions

diff --git a/common/rsa.c b/common/rsa.c
index 3d8518e9ef..8b166e9dfb 100644
--- a/common/rsa.c
+++ b/common/rsa.c
@@ -56,8 +56,8 @@ static void mont_mul_add(const struct rsa_public_key *key,
 	uint32_t i;
 
 	for (i = 1; i < RSANUMWORDS; ++i) {
-		A = (A >> 32) + mula32(a, b[i], c[i]);
-		B = (B >> 32) + mula32(d0, key->n[i], A);
+		A = mulaa32(a, b[i], c[i], A >> 32);
+		B = mulaa32(d0, key->n[i], A, B >> 32);
 		c[i - 1] = (uint32_t)B;
 	}
 
@@ -82,7 +82,7 @@ static void mont_mul_add_0(const struct rsa_public_key *key,
 	uint32_t i;
 
 	for (i = 1; i < RSANUMWORDS; ++i) {
-		B = (B >> 32) + mula32(d0, key->n[i], c[i]);
+		B = mulaa32(d0, key->n[i], c[i], B >> 32);
 		c[i - 1] = (uint32_t)B;
 	}