roll up chi loop for gcc -Os

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

library/sha3.c

@@ -10,6 +10,8 @@
  *  https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf
  */
 
+#include "common.h"
+
 /*
  * These macros select manually unrolled implementations of parts of the main permutation function.
  *
@@ -23,9 +25,13 @@
 #undef   MBEDTLS_SHA3_THETA_UNROLL //no-check-names
 #define  MBEDTLS_SHA3_RHO_UNROLL   //no-check-names
 #define  MBEDTLS_SHA3_PI_UNROLL    //no-check-names
+#if !defined(MBEDTLS_COMPILER_IS_GCC) || defined(__OPTIMIZE_SIZE__)
+/* GCC doesn't perform well with the rolled-up version, especially at -O2, so only enable on gcc
+ * if optimising for size. Always enable for other compilers. */
 #undef   MBEDTLS_SHA3_CHI_UNROLL    //no-check-names
-
-#include "common.h"
+#else
+#define  MBEDTLS_SHA3_CHI_UNROLL    //no-check-names
+#endif
 
 #if defined(MBEDTLS_SHA3_C)
 
@@ -156,8 +162,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx)
 #endif
 
         /* Chi */
-#if !defined(MBEDTLS_SHA3_CHI_UNROLL) && !defined(MBEDTLS_COMPILER_IS_GCC) //no-check-names
-        /* GCC doesn't perform well with the rolled-up version, especially at -O2. */
+#if !defined(MBEDTLS_SHA3_CHI_UNROLL) //no-check-names
         for (i = 0; i <= 20; i += 5) {
             lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2]; lane[3] = s[i + 3]; lane[4] = s[i + 4];
             s[i + 0] ^= (~lane[1]) & lane[2];