
crypto/internal/fips140/nistec: redundant code in p256PointAddAffineAsm #76376

@emmansun

Description

In the p256PointAddAffineAsm function for ARM64 and AMD64, when handling "Negate y2in", there are some unreasonable assumptions that lead to some redundant code. Of course, the current implementation also does not produce incorrect results.

In fact, y2in will be in (0, P), so we do not need to handle the '> p256' case here.

ARM64:

	// Negate y2in based on sign
	LDP	2*16(b_ptr), (y0, y1)
	LDP	3*16(b_ptr), (y2, y3)
	MOVD	$-1, acc0

	SUBS	y0, acc0, acc0
	SBCS	y1, const0, acc1
	SBCS	y2, ZR, acc2
	SBCS	y3, const1, acc3
	SBC	$0, ZR, t0

	ADDS	$-1, acc0, acc4
	ADCS	const0, acc1, acc5
	ADCS	$0, acc2, acc6
	ADCS	const1, acc3, acc7
	ADC	$0, t0, t0

	CMP	$0, t0
	CSEL	EQ, acc4, acc0, acc0
	CSEL	EQ, acc5, acc1, acc1
	CSEL	EQ, acc6, acc2, acc2
	CSEL	EQ, acc7, acc3, acc3

AMD64:

	// Negate y2in based on sign
	MOVQ 32(CX), R10
	MOVQ 40(CX), R11
	MOVQ 48(CX), R12
	MOVQ 56(CX), R13
	MOVQ $-1, BX
	MOVQ p256const0<>+0(SB), CX
	MOVQ $0x00000000, R8
	MOVQ p256const1<>+0(SB), R9
	XORQ AX, AX

	// Speculatively subtract
	SUBQ R10, BX
	SBBQ R11, CX
	SBBQ R12, R8
	SBBQ R13, R9
	SBBQ $0x00, AX
	MOVQ BX, R14
	MOVQ CX, R15
	MOVQ R8, DI
	MOVQ R9, SI

	// Add in case the operand was > p256
	ADDQ    $-1, BX
	ADCQ    p256const0<>+0(SB), CX
	ADCQ    $0x00, R8
	ADCQ    p256const1<>+0(SB), R9
	ADCQ    $0x00, AX
	CMOVQNE R14, BX
	CMOVQNE R15, CX
	CMOVQNE DI, R8
	CMOVQNE SI, R9
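To make the argument above concrete, the following is an added Go example (written for this page, not code from the Go project) that models the speculative subtraction p - y2in as a four-limb borrow chain with math/bits.Sub64 and the P-256 limb constants the assembly uses ($-1, const0, 0, const1). It then checks, for constructed inputs inside and outside (0, P), whether the final borrow that the "Add in case the operand was > p256" step is keyed on ever appears. The function names (negate, negateCheck, toLimbs, fromLimbs) are mine.

```go
package main

import (
	"fmt"
	"math/big"
	"math/bits"
)

// Little-endian 64-bit limbs of the P-256 prime
// p = 2^256 - 2^224 + 2^192 + 2^96 - 1. These are the four values the
// assembly subtracts y2in from: the immediate $-1, const0/p256const0,
// zero (ZR / $0) and const1/p256const1.
var p256 = [4]uint64{
	0xffffffffffffffff, // $-1
	0x00000000ffffffff, // const0
	0x0000000000000000, // ZR
	0xffffffff00000001, // const1
}

// negate mirrors the speculative subtraction: out = p - y limb by limb
// through a borrow chain (SUBS/SBCS on ARM64, SUBQ/SBBQ on AMD64). The
// final borrow is the value the assembly folds into t0 (ARM64) / AX (AMD64)
// and later tests to decide whether to add p back.
func negate(y [4]uint64) (out [4]uint64, borrow uint64) {
	out[0], borrow = bits.Sub64(p256[0], y[0], 0)
	out[1], borrow = bits.Sub64(p256[1], y[1], borrow)
	out[2], borrow = bits.Sub64(p256[2], y[2], borrow)
	out[3], borrow = bits.Sub64(p256[3], y[3], borrow)
	return out, borrow
}

var mask64 = new(big.Int).SetUint64(^uint64(0))

// toLimbs splits a non-negative x < 2^256 into four little-endian limbs.
func toLimbs(x *big.Int) [4]uint64 {
	var l [4]uint64
	for i := range l {
		limb := new(big.Int).Rsh(x, uint(64*i))
		l[i] = limb.And(limb, mask64).Uint64()
	}
	return l
}

// fromLimbs is the inverse of toLimbs.
func fromLimbs(l [4]uint64) *big.Int {
	x := new(big.Int)
	for i := len(l) - 1; i >= 0; i-- {
		x.Lsh(x, 64)
		x.Or(x, new(big.Int).SetUint64(l[i]))
	}
	return x
}

// negateCheck runs negate on y and reports the final borrow together with
// whether the limb result already equals p - y as an integer, i.e. whether
// the subtraction alone produced the reduced negation.
func negateCheck(y *big.Int) (borrow uint64, reduced bool) {
	out, b := negate(toLimbs(y))
	want := new(big.Int).Sub(fromLimbs(p256), y)
	return b, fromLimbs(out).Cmp(want) == 0
}

func main() {
	p := fromLimbs(p256)
	// Constructed sample inputs: three inside (0, p), one deliberately
	// above p to show the only situation in which the borrow appears.
	samples := []struct {
		name string
		y    *big.Int
	}{
		{"y = 1", big.NewInt(1)},
		{"y = 2^255", new(big.Int).Lsh(big.NewInt(1), 255)},
		{"y = p - 1", new(big.Int).Sub(p, big.NewInt(1))},
		{"y = p + 1", new(big.Int).Add(p, big.NewInt(1))},
	}
	for _, s := range samples {
		borrow, reduced := negateCheck(s.y)
		fmt.Printf("%-9s  borrow=%d  result == p-y: %v\n", s.name, borrow, reduced)
	}
}
```

For every y2in in (0, P) the borrow is 0 and the subtraction result is already p - y2in, so the conditional add-back that follows in both assembly listings is never selected for a reduced affine coordinate; the borrow only occurs when the input exceeds p, which is the case the issue says cannot arise here.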

Labels: Implementation (issues describing a semantics-preserving change to the Go implementation), NeedsInvestigation (someone must examine and confirm this is a valid issue and not a duplicate of an existing one).