Upgrade openssl from 1.1.0e to 1.1.1b, with source code. 4.0.78

2025-03-09 15:49:59 +00:00 · 2021-03-01 20:47:57 +08:00 · 2021-03-01 20:47:57 +08:00 · 96dbd7bced
commit 96dbd7bced
parent 8f1c992379
1476 changed files with 616554 additions and 4 deletions
--- a/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-armv4.pl
+++ b/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-armv4.pl
--- a/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-armv8.pl
+++ b/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-armv8.pl
--- a/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-c64xplus.pl
+++ b/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-c64xplus.pl
@ -0,0 +1,926 @@
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
+# project. The module is, however, dual licensed under OpenSSL and
+# CRYPTOGAMS licenses depending on where you obtain it. For further
+# details see http://www.openssl.org/~appro/cryptogams/.
+# ====================================================================
+#
+# ChaCha20 for C64x+.
+#
+# October 2015
+#
+# Performance is 3.54 cycles per processed byte, which is ~4.3 times
+# faster than code generated by TI compiler. Compiler also disables
+# interrupts for some reason, thus making interrupt response time
+# dependent on input length. This module on the other hand is free
+# from such limitation.
+
+$output=pop;
+open STDOUT,">$output";
+
+($OUT,$INP,$LEN,$KEYB,$COUNTERA)=("A4","B4","A6","B6","A8");
+($KEYA,$COUNTERB,$STEP)=("A7","B7","A3");
+
+@X=  ("A16","B16","A17","B17","A18","B18","A19","B19",
+      "A20","B20","A21","B21","A22","B22","A23","B23");
+@Y=  ("A24","B24","A25","B25","A26","B26","A27","B27",
+      "A28","B28","A29","B29","A30","B30","A31","B31");
+@DAT=("A6", "A7", "B6", "B7", "A8", "A9", "B8", "B9",
+      "A10","A11","B10","B11","A12","A13","B12","B13");
+
+# yes, overlaps with @DAT, used only in 2x interleave code path...
+@K2x=("A6", "B6", "A7", "B7", "A8", "B8", "A9", "B9",
+      "A10","B10","A11","B11","A2", "B2", "A13","B13");
+
+$code.=<<___;
+	.text
+
+	.if	.ASSEMBLER_VERSION<7000000
+	.asg	0,__TI_EABI__
+	.endif
+	.if	__TI_EABI__
+	.asg	ChaCha20_ctr32,_ChaCha20_ctr32
+	.endif
+
+	.asg	B3,RA
+	.asg	A15,FP
+	.asg	B15,SP
+
+	.global	_ChaCha20_ctr32
+	.align	32
+_ChaCha20_ctr32:
+	.asmfunc	stack_usage(40+64)
+	MV	$LEN,A0			; reassign
+  [!A0]	BNOP	RA			; no data
+|| [A0]	STW	FP,*SP--(40+64)		; save frame pointer and alloca(40+64)
+|| [A0]	MV	SP,FP
+   [A0]	STDW	B13:B12,*SP[4+8]	; ABI says so
+|| [A0]	MV	$KEYB,$KEYA
+|| [A0]	MV	$COUNTERA,$COUNTERB
+   [A0]	STDW	B11:B10,*SP[3+8]
+|| [A0]	STDW	A13:A12,*FP[-3]
+   [A0]	STDW	A11:A10,*FP[-4]
+|| [A0]	MVK	128,$STEP		; 2 * input block size
+
+   [A0]	LDW	*${KEYA}[0],@Y[4]	; load key
+|| [A0]	LDW	*${KEYB}[1],@Y[5]
+|| [A0]	MVK	0x00007865,@Y[0]	; synthesize sigma
+|| [A0]	MVK	0x0000646e,@Y[1]
+   [A0]	LDW	*${KEYA}[2],@Y[6]
+|| [A0]	LDW	*${KEYB}[3],@Y[7]
+|| [A0]	MVKH	0x61700000,@Y[0]
+|| [A0]	MVKH	0x33200000,@Y[1]
+	LDW	*${KEYA}[4],@Y[8]
+||	LDW	*${KEYB}[5],@Y[9]
+||	MVK	0x00002d32,@Y[2]
+||	MVK	0x00006574,@Y[3]
+	LDW	*${KEYA}[6],@Y[10]
+||	LDW	*${KEYB}[7],@Y[11]
+||	MVKH	0x79620000,@Y[2]
+||	MVKH	0x6b200000,@Y[3]
+	LDW	*${COUNTERA}[0],@Y[12]	; load counter||nonce
+||	LDW	*${COUNTERB}[1],@Y[13]
+||	CMPLTU	A0,$STEP,A1		; is length < 2*blocks?
+	LDW	*${COUNTERA}[2],@Y[14]
+||	LDW	*${COUNTERB}[3],@Y[15]
+|| [A1]	BNOP	top1x?
+   [A1]	MVK	64,$STEP		; input block size
+||	MVK	10,B0			; inner loop counter
+
+	DMV	@Y[2],@Y[0],@X[2]:@X[0]	; copy block
+||	DMV	@Y[3],@Y[1],@X[3]:@X[1]
+||[!A1]	STDW	@Y[2]:@Y[0],*FP[-12]	; offload key material to stack
+||[!A1]	STDW	@Y[3]:@Y[1],*SP[2]
+	DMV	@Y[6],@Y[4],@X[6]:@X[4]
+||	DMV	@Y[7],@Y[5],@X[7]:@X[5]
+||[!A1]	STDW	@Y[6]:@Y[4],*FP[-10]
+||[!A1]	STDW	@Y[7]:@Y[5],*SP[4]
+	DMV	@Y[10],@Y[8],@X[10]:@X[8]
+||	DMV	@Y[11],@Y[9],@X[11]:@X[9]
+||[!A1]	STDW	@Y[10]:@Y[8],*FP[-8]
+||[!A1]	STDW	@Y[11]:@Y[9],*SP[6]
+	DMV	@Y[14],@Y[12],@X[14]:@X[12]
+||	DMV	@Y[15],@Y[13],@X[15]:@X[13]
+||[!A1]	MV	@Y[12],@K2x[12]		; counter
+||[!A1]	MV	@Y[13],@K2x[13]
+||[!A1]	STW	@Y[14],*FP[-6*2]
+||[!A1]	STW	@Y[15],*SP[8*2]
+___
+{	################################################################
+	# 2x interleave gives 50% performance improvement
+	#
+my ($a0,$a1,$a2,$a3) = (0..3);
+my ($b0,$b1,$b2,$b3) = (4..7);
+my ($c0,$c1,$c2,$c3) = (8..11);
+my ($d0,$d1,$d2,$d3) = (12..15);
+
+$code.=<<___;
+outer2x?:
+	ADD	@X[$b1],@X[$a1],@X[$a1]
+||	ADD	@X[$b2],@X[$a2],@X[$a2]
+||	ADD	@X[$b0],@X[$a0],@X[$a0]
+||	ADD	@X[$b3],@X[$a3],@X[$a3]
+||	 DMV	@Y[2],@Y[0],@K2x[2]:@K2x[0]
+||	 DMV	@Y[3],@Y[1],@K2x[3]:@K2x[1]
+	XOR	@X[$a1],@X[$d1],@X[$d1]
+||	XOR	@X[$a2],@X[$d2],@X[$d2]
+||	XOR	@X[$a0],@X[$d0],@X[$d0]
+||	XOR	@X[$a3],@X[$d3],@X[$d3]
+||	 DMV	@Y[6],@Y[4],@K2x[6]:@K2x[4]
+||	 DMV	@Y[7],@Y[5],@K2x[7]:@K2x[5]
+	SWAP2	@X[$d1],@X[$d1]		; rotate by 16
+||	SWAP2	@X[$d2],@X[$d2]
+||	SWAP2	@X[$d0],@X[$d0]
+||	SWAP2	@X[$d3],@X[$d3]
+
+	ADD	@X[$d1],@X[$c1],@X[$c1]
+||	ADD	@X[$d2],@X[$c2],@X[$c2]
+||	ADD	@X[$d0],@X[$c0],@X[$c0]
+||	ADD	@X[$d3],@X[$c3],@X[$c3]
+||	 DMV	@Y[10],@Y[8],@K2x[10]:@K2x[8]
+||	 DMV	@Y[11],@Y[9],@K2x[11]:@K2x[9]
+	XOR	@X[$c1],@X[$b1],@X[$b1]
+||	XOR	@X[$c2],@X[$b2],@X[$b2]
+||	XOR	@X[$c0],@X[$b0],@X[$b0]
+||	XOR	@X[$c3],@X[$b3],@X[$b3]
+||	 ADD	1,@Y[12],@Y[12]		; adjust counter for 2nd block
+	ROTL	@X[$b1],12,@X[$b1]
+||	ROTL	@X[$b2],12,@X[$b2]
+||	 MV	@Y[14],@K2x[14]
+||	 MV	@Y[15],@K2x[15]
+top2x?:
+	ROTL	@X[$b0],12,@X[$b0]
+||	ROTL	@X[$b3],12,@X[$b3]
+||	 ADD	@Y[$b1],@Y[$a1],@Y[$a1]
+||	 ADD	@Y[$b2],@Y[$a2],@Y[$a2]
+	 ADD	@Y[$b0],@Y[$a0],@Y[$a0]
+||	 ADD	@Y[$b3],@Y[$a3],@Y[$a3]
+
+||	ADD	@X[$b1],@X[$a1],@X[$a1]
+||	ADD	@X[$b2],@X[$a2],@X[$a2]
+||	 XOR	@Y[$a1],@Y[$d1],@Y[$d1]
+||	 XOR	@Y[$a2],@Y[$d2],@Y[$d2]
+	 XOR	@Y[$a0],@Y[$d0],@Y[$d0]
+||	 XOR	@Y[$a3],@Y[$d3],@Y[$d3]
+||	ADD	@X[$b0],@X[$a0],@X[$a0]
+||	ADD	@X[$b3],@X[$a3],@X[$a3]
+||	XOR	@X[$a1],@X[$d1],@X[$d1]
+||	XOR	@X[$a2],@X[$d2],@X[$d2]
+	XOR	@X[$a0],@X[$d0],@X[$d0]
+||	XOR	@X[$a3],@X[$d3],@X[$d3]
+||	ROTL	@X[$d1],8,@X[$d1]
+||	ROTL	@X[$d2],8,@X[$d2]
+||	 SWAP2	@Y[$d1],@Y[$d1]		; rotate by 16
+||	 SWAP2	@Y[$d2],@Y[$d2]
+||	 SWAP2	@Y[$d0],@Y[$d0]
+||	 SWAP2	@Y[$d3],@Y[$d3]
+	ROTL	@X[$d0],8,@X[$d0]
+||	ROTL	@X[$d3],8,@X[$d3]
+||	 ADD	@Y[$d1],@Y[$c1],@Y[$c1]
+||	 ADD	@Y[$d2],@Y[$c2],@Y[$c2]
+||	 ADD	@Y[$d0],@Y[$c0],@Y[$c0]
+||	 ADD	@Y[$d3],@Y[$c3],@Y[$c3]
+||	BNOP	middle2x1?		; protect from interrupt
+
+	ADD	@X[$d1],@X[$c1],@X[$c1]
+||	ADD	@X[$d2],@X[$c2],@X[$c2]
+||	 XOR	@Y[$c1],@Y[$b1],@Y[$b1]
+||	 XOR	@Y[$c2],@Y[$b2],@Y[$b2]
+||	 XOR	@Y[$c0],@Y[$b0],@Y[$b0]
+||	 XOR	@Y[$c3],@Y[$b3],@Y[$b3]
+	ADD	@X[$d0],@X[$c0],@X[$c0]
+||	ADD	@X[$d3],@X[$c3],@X[$c3]
+||	XOR	@X[$c1],@X[$b1],@X[$b1]
+||	XOR	@X[$c2],@X[$b2],@X[$b2]
+||	ROTL	@X[$d1],0,@X[$d2]	; moved to avoid cross-path stall
+||	ROTL	@X[$d2],0,@X[$d3]
+	XOR	@X[$c0],@X[$b0],@X[$b0]
+||	XOR	@X[$c3],@X[$b3],@X[$b3]
+||	MV	@X[$d0],@X[$d1]
+||	MV	@X[$d3],@X[$d0]
+||	 ROTL	@Y[$b1],12,@Y[$b1]
+||	 ROTL	@Y[$b2],12,@Y[$b2]
+	ROTL	@X[$b1],7,@X[$b0]	; avoided cross-path stall
+||	ROTL	@X[$b2],7,@X[$b1]
+	ROTL	@X[$b0],7,@X[$b3]
+||	ROTL	@X[$b3],7,@X[$b2]
+middle2x1?:
+
+	 ROTL	@Y[$b0],12,@Y[$b0]
+||	 ROTL	@Y[$b3],12,@Y[$b3]
+||	ADD	@X[$b0],@X[$a0],@X[$a0]
+||	ADD	@X[$b1],@X[$a1],@X[$a1]
+	ADD	@X[$b2],@X[$a2],@X[$a2]
+||	ADD	@X[$b3],@X[$a3],@X[$a3]
+
+||	 ADD	@Y[$b1],@Y[$a1],@Y[$a1]
+||	 ADD	@Y[$b2],@Y[$a2],@Y[$a2]
+||	XOR	@X[$a0],@X[$d0],@X[$d0]
+||	XOR	@X[$a1],@X[$d1],@X[$d1]
+	XOR	@X[$a2],@X[$d2],@X[$d2]
+||	XOR	@X[$a3],@X[$d3],@X[$d3]
+||	 ADD	@Y[$b0],@Y[$a0],@Y[$a0]
+||	 ADD	@Y[$b3],@Y[$a3],@Y[$a3]
+||	 XOR	@Y[$a1],@Y[$d1],@Y[$d1]
+||	 XOR	@Y[$a2],@Y[$d2],@Y[$d2]
+	 XOR	@Y[$a0],@Y[$d0],@Y[$d0]
+||	 XOR	@Y[$a3],@Y[$d3],@Y[$d3]
+||	 ROTL	@Y[$d1],8,@Y[$d1]
+||	 ROTL	@Y[$d2],8,@Y[$d2]
+||	SWAP2	@X[$d0],@X[$d0]		; rotate by 16
+||	SWAP2	@X[$d1],@X[$d1]
+||	SWAP2	@X[$d2],@X[$d2]
+||	SWAP2	@X[$d3],@X[$d3]
+	 ROTL	@Y[$d0],8,@Y[$d0]
+||	 ROTL	@Y[$d3],8,@Y[$d3]
+||	ADD	@X[$d0],@X[$c2],@X[$c2]
+||	ADD	@X[$d1],@X[$c3],@X[$c3]
+||	ADD	@X[$d2],@X[$c0],@X[$c0]
+||	ADD	@X[$d3],@X[$c1],@X[$c1]
+||	BNOP	middle2x2?		; protect from interrupt
+
+	 ADD	@Y[$d1],@Y[$c1],@Y[$c1]
+||	 ADD	@Y[$d2],@Y[$c2],@Y[$c2]
+||	XOR	@X[$c2],@X[$b0],@X[$b0]
+||	XOR	@X[$c3],@X[$b1],@X[$b1]
+||	XOR	@X[$c0],@X[$b2],@X[$b2]
+||	XOR	@X[$c1],@X[$b3],@X[$b3]
+	 ADD	@Y[$d0],@Y[$c0],@Y[$c0]
+||	 ADD	@Y[$d3],@Y[$c3],@Y[$c3]
+||	 XOR	@Y[$c1],@Y[$b1],@Y[$b1]
+||	 XOR	@Y[$c2],@Y[$b2],@Y[$b2]
+||	 ROTL	@Y[$d1],0,@Y[$d2]	; moved to avoid cross-path stall
+||	 ROTL	@Y[$d2],0,@Y[$d3]
+	 XOR	@Y[$c0],@Y[$b0],@Y[$b0]
+||	 XOR	@Y[$c3],@Y[$b3],@Y[$b3]
+||	 MV	@Y[$d0],@Y[$d1]
+||	 MV	@Y[$d3],@Y[$d0]
+||	ROTL	@X[$b0],12,@X[$b0]
+||	ROTL	@X[$b1],12,@X[$b1]
+	 ROTL	@Y[$b1],7,@Y[$b0]	; avoided cross-path stall
+||	 ROTL	@Y[$b2],7,@Y[$b1]
+	 ROTL	@Y[$b0],7,@Y[$b3]
+||	 ROTL	@Y[$b3],7,@Y[$b2]
+middle2x2?:
+
+	ROTL	@X[$b2],12,@X[$b2]
+||	ROTL	@X[$b3],12,@X[$b3]
+||	 ADD	@Y[$b0],@Y[$a0],@Y[$a0]
+||	 ADD	@Y[$b1],@Y[$a1],@Y[$a1]
+	 ADD	@Y[$b2],@Y[$a2],@Y[$a2]
+||	 ADD	@Y[$b3],@Y[$a3],@Y[$a3]
+
+||	ADD	@X[$b0],@X[$a0],@X[$a0]
+||	ADD	@X[$b1],@X[$a1],@X[$a1]
+||	 XOR	@Y[$a0],@Y[$d0],@Y[$d0]
+||	 XOR	@Y[$a1],@Y[$d1],@Y[$d1]
+	 XOR	@Y[$a2],@Y[$d2],@Y[$d2]
+||	 XOR	@Y[$a3],@Y[$d3],@Y[$d3]
+||	ADD	@X[$b2],@X[$a2],@X[$a2]
+||	ADD	@X[$b3],@X[$a3],@X[$a3]
+||	XOR	@X[$a0],@X[$d0],@X[$d0]
+||	XOR	@X[$a1],@X[$d1],@X[$d1]
+	XOR	@X[$a2],@X[$d2],@X[$d2]
+||	XOR	@X[$a3],@X[$d3],@X[$d3]
+||	ROTL	@X[$d0],8,@X[$d0]
+||	ROTL	@X[$d1],8,@X[$d1]
+||	 SWAP2	@Y[$d0],@Y[$d0]		; rotate by 16
+||	 SWAP2	@Y[$d1],@Y[$d1]
+||	 SWAP2	@Y[$d2],@Y[$d2]
+||	 SWAP2	@Y[$d3],@Y[$d3]
+	ROTL	@X[$d2],8,@X[$d2]
+||	ROTL	@X[$d3],8,@X[$d3]
+||	 ADD	@Y[$d0],@Y[$c2],@Y[$c2]
+||	 ADD	@Y[$d1],@Y[$c3],@Y[$c3]
+||	 ADD	@Y[$d2],@Y[$c0],@Y[$c0]
+||	 ADD	@Y[$d3],@Y[$c1],@Y[$c1]
+||	BNOP	bottom2x1?		; protect from interrupt
+
+	ADD	@X[$d0],@X[$c2],@X[$c2]
+||	ADD	@X[$d1],@X[$c3],@X[$c3]
+||	 XOR	@Y[$c2],@Y[$b0],@Y[$b0]
+||	 XOR	@Y[$c3],@Y[$b1],@Y[$b1]
+||	 XOR	@Y[$c0],@Y[$b2],@Y[$b2]
+||	 XOR	@Y[$c1],@Y[$b3],@Y[$b3]
+	ADD	@X[$d2],@X[$c0],@X[$c0]
+||	ADD	@X[$d3],@X[$c1],@X[$c1]
+||	XOR	@X[$c2],@X[$b0],@X[$b0]
+||	XOR	@X[$c3],@X[$b1],@X[$b1]
+||	ROTL	@X[$d0],0,@X[$d3]	; moved to avoid cross-path stall
+||	ROTL	@X[$d1],0,@X[$d0]
+	XOR	@X[$c0],@X[$b2],@X[$b2]
+||	XOR	@X[$c1],@X[$b3],@X[$b3]
+||	MV	@X[$d2],@X[$d1]
+||	MV	@X[$d3],@X[$d2]
+||	 ROTL	@Y[$b0],12,@Y[$b0]
+||	 ROTL	@Y[$b1],12,@Y[$b1]
+	ROTL	@X[$b0],7,@X[$b1]	; avoided cross-path stall
+||	ROTL	@X[$b1],7,@X[$b2]
+	ROTL	@X[$b2],7,@X[$b3]
+||	ROTL	@X[$b3],7,@X[$b0]
+|| [B0]	SUB	B0,1,B0			; decrement inner loop counter
+bottom2x1?:
+
+	 ROTL	@Y[$b2],12,@Y[$b2]
+||	 ROTL	@Y[$b3],12,@Y[$b3]
+|| [B0]	ADD	@X[$b1],@X[$a1],@X[$a1]	; modulo-scheduled
+|| [B0]	ADD	@X[$b2],@X[$a2],@X[$a2]
+   [B0]	ADD	@X[$b0],@X[$a0],@X[$a0]
+|| [B0]	ADD	@X[$b3],@X[$a3],@X[$a3]
+
+||	 ADD	@Y[$b0],@Y[$a0],@Y[$a0]
+||	 ADD	@Y[$b1],@Y[$a1],@Y[$a1]
+|| [B0]	XOR	@X[$a1],@X[$d1],@X[$d1]
+|| [B0]	XOR	@X[$a2],@X[$d2],@X[$d2]
+   [B0]	XOR	@X[$a0],@X[$d0],@X[$d0]
+|| [B0]	XOR	@X[$a3],@X[$d3],@X[$d3]
+||	 ADD	@Y[$b2],@Y[$a2],@Y[$a2]
+||	 ADD	@Y[$b3],@Y[$a3],@Y[$a3]
+||	 XOR	@Y[$a0],@Y[$d0],@Y[$d0]
+||	 XOR	@Y[$a1],@Y[$d1],@Y[$d1]
+	 XOR	@Y[$a2],@Y[$d2],@Y[$d2]
+||	 XOR	@Y[$a3],@Y[$d3],@Y[$d3]
+||	 ROTL	@Y[$d0],8,@Y[$d0]
+||	 ROTL	@Y[$d1],8,@Y[$d1]
+|| [B0]	SWAP2	@X[$d1],@X[$d1]		; rotate by 16
+|| [B0]	SWAP2	@X[$d2],@X[$d2]
+|| [B0]	SWAP2	@X[$d0],@X[$d0]
+|| [B0]	SWAP2	@X[$d3],@X[$d3]
+	 ROTL	@Y[$d2],8,@Y[$d2]
+||	 ROTL	@Y[$d3],8,@Y[$d3]
+|| [B0]	ADD	@X[$d1],@X[$c1],@X[$c1]
+|| [B0]	ADD	@X[$d2],@X[$c2],@X[$c2]
+|| [B0]	ADD	@X[$d0],@X[$c0],@X[$c0]
+|| [B0]	ADD	@X[$d3],@X[$c3],@X[$c3]
+|| [B0]	BNOP	top2x?			; even protects from interrupt
+
+	 ADD	@Y[$d0],@Y[$c2],@Y[$c2]
+||	 ADD	@Y[$d1],@Y[$c3],@Y[$c3]
+|| [B0]	XOR	@X[$c1],@X[$b1],@X[$b1]
+|| [B0]	XOR	@X[$c2],@X[$b2],@X[$b2]
+|| [B0]	XOR	@X[$c0],@X[$b0],@X[$b0]
+|| [B0]	XOR	@X[$c3],@X[$b3],@X[$b3]
+	 ADD	@Y[$d2],@Y[$c0],@Y[$c0]
+||	 ADD	@Y[$d3],@Y[$c1],@Y[$c1]
+||	 XOR	@Y[$c2],@Y[$b0],@Y[$b0]
+||	 XOR	@Y[$c3],@Y[$b1],@Y[$b1]
+||	 ROTL	@Y[$d0],0,@Y[$d3]	; moved to avoid cross-path stall
+||	 ROTL	@Y[$d1],0,@Y[$d0]
+	 XOR	@Y[$c0],@Y[$b2],@Y[$b2]
+||	 XOR	@Y[$c1],@Y[$b3],@Y[$b3]
+||	 MV	@Y[$d2],@Y[$d1]
+||	 MV	@Y[$d3],@Y[$d2]
+|| [B0]	ROTL	@X[$b1],12,@X[$b1]
+|| [B0]	ROTL	@X[$b2],12,@X[$b2]
+	 ROTL	@Y[$b0],7,@Y[$b1]	; avoided cross-path stall
+||	 ROTL	@Y[$b1],7,@Y[$b2]
+	 ROTL	@Y[$b2],7,@Y[$b3]
+||	 ROTL	@Y[$b3],7,@Y[$b0]
+bottom2x2?:
+___
+}
+
+$code.=<<___;
+	ADD	@K2x[0],@X[0],@X[0]	; accumulate key material
+||	ADD	@K2x[1],@X[1],@X[1]
+||	ADD	@K2x[2],@X[2],@X[2]
+||	ADD	@K2x[3],@X[3],@X[3]
+	 ADD	@K2x[0],@Y[0],@Y[0]
+||	 ADD	@K2x[1],@Y[1],@Y[1]
+||	 ADD	@K2x[2],@Y[2],@Y[2]
+||	 ADD	@K2x[3],@Y[3],@Y[3]
+||	LDNDW	*${INP}++[8],@DAT[1]:@DAT[0]
+	ADD	@K2x[4],@X[4],@X[4]
+||	ADD	@K2x[5],@X[5],@X[5]
+||	ADD	@K2x[6],@X[6],@X[6]
+||	ADD	@K2x[7],@X[7],@X[7]
+||	LDNDW	*${INP}[-7],@DAT[3]:@DAT[2]
+	 ADD	@K2x[4],@Y[4],@Y[4]
+||	 ADD	@K2x[5],@Y[5],@Y[5]
+||	 ADD	@K2x[6],@Y[6],@Y[6]
+||	 ADD	@K2x[7],@Y[7],@Y[7]
+||	LDNDW	*${INP}[-6],@DAT[5]:@DAT[4]
+	ADD	@K2x[8],@X[8],@X[8]
+||	ADD	@K2x[9],@X[9],@X[9]
+||	ADD	@K2x[10],@X[10],@X[10]
+||	ADD	@K2x[11],@X[11],@X[11]
+||	LDNDW	*${INP}[-5],@DAT[7]:@DAT[6]
+	 ADD	@K2x[8],@Y[8],@Y[8]
+||	 ADD	@K2x[9],@Y[9],@Y[9]
+||	 ADD	@K2x[10],@Y[10],@Y[10]
+||	 ADD	@K2x[11],@Y[11],@Y[11]
+||	LDNDW	*${INP}[-4],@DAT[9]:@DAT[8]
+	ADD	@K2x[12],@X[12],@X[12]
+||	ADD	@K2x[13],@X[13],@X[13]
+||	ADD	@K2x[14],@X[14],@X[14]
+||	ADD	@K2x[15],@X[15],@X[15]
+||	LDNDW	*${INP}[-3],@DAT[11]:@DAT[10]
+	 ADD	@K2x[12],@Y[12],@Y[12]
+||	 ADD	@K2x[13],@Y[13],@Y[13]
+||	 ADD	@K2x[14],@Y[14],@Y[14]
+||	 ADD	@K2x[15],@Y[15],@Y[15]
+||	LDNDW	*${INP}[-2],@DAT[13]:@DAT[12]
+	 ADD	1,@Y[12],@Y[12]		; adjust counter for 2nd block
+||	ADD	2,@K2x[12],@K2x[12]	; increment counter
+||	LDNDW	*${INP}[-1],@DAT[15]:@DAT[14]
+
+	.if	.BIG_ENDIAN
+	SWAP2	@X[0],@X[0]
+||	SWAP2	@X[1],@X[1]
+||	SWAP2	@X[2],@X[2]
+||	SWAP2	@X[3],@X[3]
+	SWAP2	@X[4],@X[4]
+||	SWAP2	@X[5],@X[5]
+||	SWAP2	@X[6],@X[6]
+||	SWAP2	@X[7],@X[7]
+	SWAP2	@X[8],@X[8]
+||	SWAP2	@X[9],@X[9]
+||	SWAP4	@X[0],@X[1]
+||	SWAP4	@X[1],@X[0]
+	SWAP2	@X[10],@X[10]
+||	SWAP2	@X[11],@X[11]
+||	SWAP4	@X[2],@X[3]
+||	SWAP4	@X[3],@X[2]
+	SWAP2	@X[12],@X[12]
+||	SWAP2	@X[13],@X[13]
+||	SWAP4	@X[4],@X[5]
+||	SWAP4	@X[5],@X[4]
+	SWAP2	@X[14],@X[14]
+||	SWAP2	@X[15],@X[15]
+||	SWAP4	@X[6],@X[7]
+||	SWAP4	@X[7],@X[6]
+	SWAP4	@X[8],@X[9]
+||	SWAP4	@X[9],@X[8]
+||	 SWAP2	@Y[0],@Y[0]
+||	 SWAP2	@Y[1],@Y[1]
+	SWAP4	@X[10],@X[11]
+||	SWAP4	@X[11],@X[10]
+||	 SWAP2	@Y[2],@Y[2]
+||	 SWAP2	@Y[3],@Y[3]
+	SWAP4	@X[12],@X[13]
+||	SWAP4	@X[13],@X[12]
+||	 SWAP2	@Y[4],@Y[4]
+||	 SWAP2	@Y[5],@Y[5]
+	SWAP4	@X[14],@X[15]
+||	SWAP4	@X[15],@X[14]
+||	 SWAP2	@Y[6],@Y[6]
+||	 SWAP2	@Y[7],@Y[7]
+	 SWAP2	@Y[8],@Y[8]
+||	 SWAP2	@Y[9],@Y[9]
+||	 SWAP4	@Y[0],@Y[1]
+||	 SWAP4	@Y[1],@Y[0]
+	 SWAP2	@Y[10],@Y[10]
+||	 SWAP2	@Y[11],@Y[11]
+||	 SWAP4	@Y[2],@Y[3]
+||	 SWAP4	@Y[3],@Y[2]
+	 SWAP2	@Y[12],@Y[12]
+||	 SWAP2	@Y[13],@Y[13]
+||	 SWAP4	@Y[4],@Y[5]
+||	 SWAP4	@Y[5],@Y[4]
+	 SWAP2	@Y[14],@Y[14]
+||	 SWAP2	@Y[15],@Y[15]
+||	 SWAP4	@Y[6],@Y[7]
+||	 SWAP4	@Y[7],@Y[6]
+	 SWAP4	@Y[8],@Y[9]
+||	 SWAP4	@Y[9],@Y[8]
+	 SWAP4	@Y[10],@Y[11]
+||	 SWAP4	@Y[11],@Y[10]
+	 SWAP4	@Y[12],@Y[13]
+||	 SWAP4	@Y[13],@Y[12]
+	 SWAP4	@Y[14],@Y[15]
+||	 SWAP4	@Y[15],@Y[14]
+	.endif
+
+	XOR	@DAT[0],@X[0],@X[0]	; xor 1st block
+||	XOR	@DAT[3],@X[3],@X[3]
+||	XOR	@DAT[2],@X[2],@X[1]
+||	XOR	@DAT[1],@X[1],@X[2]
+||	LDNDW	*${INP}++[8],@DAT[1]:@DAT[0]
+	XOR	@DAT[4],@X[4],@X[4]
+||	XOR	@DAT[7],@X[7],@X[7]
+||	LDNDW	*${INP}[-7],@DAT[3]:@DAT[2]
+	XOR	@DAT[6],@X[6],@X[5]
+||	XOR	@DAT[5],@X[5],@X[6]
+||	LDNDW	*${INP}[-6],@DAT[5]:@DAT[4]
+	XOR	@DAT[8],@X[8],@X[8]
+||	XOR	@DAT[11],@X[11],@X[11]
+||	LDNDW	*${INP}[-5],@DAT[7]:@DAT[6]
+	XOR	@DAT[10],@X[10],@X[9]
+||	XOR	@DAT[9],@X[9],@X[10]
+||	LDNDW	*${INP}[-4],@DAT[9]:@DAT[8]
+	XOR	@DAT[12],@X[12],@X[12]
+||	XOR	@DAT[15],@X[15],@X[15]
+||	LDNDW	*${INP}[-3],@DAT[11]:@DAT[10]
+	XOR	@DAT[14],@X[14],@X[13]
+||	XOR	@DAT[13],@X[13],@X[14]
+||	LDNDW	*${INP}[-2],@DAT[13]:@DAT[12]
+   [A0]	SUB	A0,$STEP,A0		; SUB	A0,128,A0
+||	LDNDW	*${INP}[-1],@DAT[15]:@DAT[14]
+
+	XOR	@Y[0],@DAT[0],@DAT[0]	; xor 2nd block
+||	XOR	@Y[1],@DAT[1],@DAT[1]
+||	STNDW	@X[2]:@X[0],*${OUT}++[8]
+	XOR	@Y[2],@DAT[2],@DAT[2]
+||	XOR	@Y[3],@DAT[3],@DAT[3]
+||	STNDW	@X[3]:@X[1],*${OUT}[-7]
+	XOR	@Y[4],@DAT[4],@DAT[4]
+|| [A0]	LDDW	*FP[-12],@X[2]:@X[0]	; re-load key material from stack
+|| [A0]	LDDW	*SP[2],  @X[3]:@X[1]
+	XOR	@Y[5],@DAT[5],@DAT[5]
+||	STNDW	@X[6]:@X[4],*${OUT}[-6]
+	XOR	@Y[6],@DAT[6],@DAT[6]
+||	XOR	@Y[7],@DAT[7],@DAT[7]
+||	STNDW	@X[7]:@X[5],*${OUT}[-5]
+	XOR	@Y[8],@DAT[8],@DAT[8]
+|| [A0]	LDDW	*FP[-10],@X[6]:@X[4]
+|| [A0]	LDDW	*SP[4],  @X[7]:@X[5]
+	XOR	@Y[9],@DAT[9],@DAT[9]
+||	STNDW	@X[10]:@X[8],*${OUT}[-4]
+	XOR	@Y[10],@DAT[10],@DAT[10]
+||	XOR	@Y[11],@DAT[11],@DAT[11]
+||	STNDW	@X[11]:@X[9],*${OUT}[-3]
+	XOR	@Y[12],@DAT[12],@DAT[12]
+|| [A0]	LDDW	*FP[-8], @X[10]:@X[8]
+|| [A0]	LDDW	*SP[6],  @X[11]:@X[9]
+	XOR	@Y[13],@DAT[13],@DAT[13]
+||	STNDW	@X[14]:@X[12],*${OUT}[-2]
+	XOR	@Y[14],@DAT[14],@DAT[14]
+||	XOR	@Y[15],@DAT[15],@DAT[15]
+||	STNDW	@X[15]:@X[13],*${OUT}[-1]
+
+   [A0]	MV	@K2x[12],@X[12]
+|| [A0]	MV	@K2x[13],@X[13]
+|| [A0]	LDW	*FP[-6*2], @X[14]
+|| [A0]	LDW	*SP[8*2],  @X[15]
+
+   [A0]	DMV	@X[2],@X[0],@Y[2]:@Y[0]	; duplicate key material
+||	STNDW	@DAT[1]:@DAT[0],*${OUT}++[8]
+   [A0]	DMV	@X[3],@X[1],@Y[3]:@Y[1]
+||	STNDW	@DAT[3]:@DAT[2],*${OUT}[-7]
+   [A0]	DMV	@X[6],@X[4],@Y[6]:@Y[4]
+||	STNDW	@DAT[5]:@DAT[4],*${OUT}[-6]
+||	CMPLTU	A0,$STEP,A1		; is remaining length < 2*blocks?
+||[!A0]	BNOP	epilogue?
+   [A0]	DMV	@X[7],@X[5],@Y[7]:@Y[5]
+||	STNDW	@DAT[7]:@DAT[6],*${OUT}[-5]
+||[!A1]	BNOP	outer2x?
+   [A0]	DMV	@X[10],@X[8],@Y[10]:@Y[8]
+||	STNDW	@DAT[9]:@DAT[8],*${OUT}[-4]
+   [A0]	DMV	@X[11],@X[9],@Y[11]:@Y[9]
+||	STNDW	@DAT[11]:@DAT[10],*${OUT}[-3]
+   [A0]	DMV	@X[14],@X[12],@Y[14]:@Y[12]
+||	STNDW	@DAT[13]:@DAT[12],*${OUT}[-2]
+   [A0]	DMV	@X[15],@X[13],@Y[15]:@Y[13]
+||	STNDW	@DAT[15]:@DAT[14],*${OUT}[-1]
+;;===== branch to epilogue? is taken here
+   [A1]	MVK	64,$STEP
+|| [A0]	MVK	10,B0			; inner loop counter
+;;===== branch to outer2x? is taken here
+___
+{
+my ($a0,$a1,$a2,$a3) = (0..3);
+my ($b0,$b1,$b2,$b3) = (4..7);
+my ($c0,$c1,$c2,$c3) = (8..11);
+my ($d0,$d1,$d2,$d3) = (12..15);
+
+$code.=<<___;
+top1x?:
+	ADD	@X[$b1],@X[$a1],@X[$a1]
+||	ADD	@X[$b2],@X[$a2],@X[$a2]
+	ADD	@X[$b0],@X[$a0],@X[$a0]
+||	ADD	@X[$b3],@X[$a3],@X[$a3]
+||	XOR	@X[$a1],@X[$d1],@X[$d1]
+||	XOR	@X[$a2],@X[$d2],@X[$d2]
+	XOR	@X[$a0],@X[$d0],@X[$d0]
+||	XOR	@X[$a3],@X[$d3],@X[$d3]
+||	SWAP2	@X[$d1],@X[$d1]		; rotate by 16
+||	SWAP2	@X[$d2],@X[$d2]
+	SWAP2	@X[$d0],@X[$d0]
+||	SWAP2	@X[$d3],@X[$d3]
+
+||	ADD	@X[$d1],@X[$c1],@X[$c1]
+||	ADD	@X[$d2],@X[$c2],@X[$c2]
+	ADD	@X[$d0],@X[$c0],@X[$c0]
+||	ADD	@X[$d3],@X[$c3],@X[$c3]
+||	XOR	@X[$c1],@X[$b1],@X[$b1]
+||	XOR	@X[$c2],@X[$b2],@X[$b2]
+	XOR	@X[$c0],@X[$b0],@X[$b0]
+||	XOR	@X[$c3],@X[$b3],@X[$b3]
+||	ROTL	@X[$b1],12,@X[$b1]
+||	ROTL	@X[$b2],12,@X[$b2]
+	ROTL	@X[$b0],12,@X[$b0]
+||	ROTL	@X[$b3],12,@X[$b3]
+
+	ADD	@X[$b1],@X[$a1],@X[$a1]
+||	ADD	@X[$b2],@X[$a2],@X[$a2]
+	ADD	@X[$b0],@X[$a0],@X[$a0]
+||	ADD	@X[$b3],@X[$a3],@X[$a3]
+||	XOR	@X[$a1],@X[$d1],@X[$d1]
+||	XOR	@X[$a2],@X[$d2],@X[$d2]
+	XOR	@X[$a0],@X[$d0],@X[$d0]
+||	XOR	@X[$a3],@X[$d3],@X[$d3]
+||	ROTL	@X[$d1],8,@X[$d1]
+||	ROTL	@X[$d2],8,@X[$d2]
+	ROTL	@X[$d0],8,@X[$d0]
+||	ROTL	@X[$d3],8,@X[$d3]
+||	BNOP	middle1x?		; protect from interrupt
+
+	ADD	@X[$d1],@X[$c1],@X[$c1]
+||	ADD	@X[$d2],@X[$c2],@X[$c2]
+	ADD	@X[$d0],@X[$c0],@X[$c0]
+||	ADD	@X[$d3],@X[$c3],@X[$c3]
+||	XOR	@X[$c1],@X[$b1],@X[$b1]
+||	XOR	@X[$c2],@X[$b2],@X[$b2]
+||	ROTL	@X[$d1],0,@X[$d2]	; moved to avoid cross-path stall
+||	ROTL	@X[$d2],0,@X[$d3]
+	XOR	@X[$c0],@X[$b0],@X[$b0]
+||	XOR	@X[$c3],@X[$b3],@X[$b3]
+||	ROTL	@X[$d0],0,@X[$d1]
+||	ROTL	@X[$d3],0,@X[$d0]
+	ROTL	@X[$b1],7,@X[$b0]	; avoided cross-path stall
+||	ROTL	@X[$b2],7,@X[$b1]
+	ROTL	@X[$b0],7,@X[$b3]
+||	ROTL	@X[$b3],7,@X[$b2]
+middle1x?:
+
+	ADD	@X[$b0],@X[$a0],@X[$a0]
+||	ADD	@X[$b1],@X[$a1],@X[$a1]
+	ADD	@X[$b2],@X[$a2],@X[$a2]
+||	ADD	@X[$b3],@X[$a3],@X[$a3]
+||	XOR	@X[$a0],@X[$d0],@X[$d0]
+||	XOR	@X[$a1],@X[$d1],@X[$d1]
+	XOR	@X[$a2],@X[$d2],@X[$d2]
+||	XOR	@X[$a3],@X[$d3],@X[$d3]
+||	SWAP2	@X[$d0],@X[$d0]		; rotate by 16
+||	SWAP2	@X[$d1],@X[$d1]
+	SWAP2	@X[$d2],@X[$d2]
+||	SWAP2	@X[$d3],@X[$d3]
+
+||	ADD	@X[$d0],@X[$c2],@X[$c2]
+||	ADD	@X[$d1],@X[$c3],@X[$c3]
+	ADD	@X[$d2],@X[$c0],@X[$c0]
+||	ADD	@X[$d3],@X[$c1],@X[$c1]
+||	XOR	@X[$c2],@X[$b0],@X[$b0]
+||	XOR	@X[$c3],@X[$b1],@X[$b1]
+	XOR	@X[$c0],@X[$b2],@X[$b2]
+||	XOR	@X[$c1],@X[$b3],@X[$b3]
+||	ROTL	@X[$b0],12,@X[$b0]
+||	ROTL	@X[$b1],12,@X[$b1]
+	ROTL	@X[$b2],12,@X[$b2]
+||	ROTL	@X[$b3],12,@X[$b3]
+
+	ADD	@X[$b0],@X[$a0],@X[$a0]
+||	ADD	@X[$b1],@X[$a1],@X[$a1]
+|| [B0]	SUB	B0,1,B0			; decrement inner loop counter
+	ADD	@X[$b2],@X[$a2],@X[$a2]
+||	ADD	@X[$b3],@X[$a3],@X[$a3]
+||	XOR	@X[$a0],@X[$d0],@X[$d0]
+||	XOR	@X[$a1],@X[$d1],@X[$d1]
+	XOR	@X[$a2],@X[$d2],@X[$d2]
+||	XOR	@X[$a3],@X[$d3],@X[$d3]
+||	ROTL	@X[$d0],8,@X[$d0]
+||	ROTL	@X[$d1],8,@X[$d1]
+	ROTL	@X[$d2],8,@X[$d2]
+||	ROTL	@X[$d3],8,@X[$d3]
+|| [B0]	BNOP	top1x?			; even protects from interrupt
+
+	ADD	@X[$d0],@X[$c2],@X[$c2]
+||	ADD	@X[$d1],@X[$c3],@X[$c3]
+	ADD	@X[$d2],@X[$c0],@X[$c0]
+||	ADD	@X[$d3],@X[$c1],@X[$c1]
+||	XOR	@X[$c2],@X[$b0],@X[$b0]
+||	XOR	@X[$c3],@X[$b1],@X[$b1]
+||	ROTL	@X[$d0],0,@X[$d3]	; moved to avoid cross-path stall
+||	ROTL	@X[$d1],0,@X[$d0]
+	XOR	@X[$c0],@X[$b2],@X[$b2]
+||	XOR	@X[$c1],@X[$b3],@X[$b3]
+||	ROTL	@X[$d2],0,@X[$d1]
+||	ROTL	@X[$d3],0,@X[$d2]
+	ROTL	@X[$b0],7,@X[$b1]	; avoided cross-path stall
+||	ROTL	@X[$b1],7,@X[$b2]
+	ROTL	@X[$b2],7,@X[$b3]
+||	ROTL	@X[$b3],7,@X[$b0]
+||[!B0]	CMPLTU	A0,$STEP,A1		; less than 64 bytes left?
+bottom1x?:
+___
+}
+
+$code.=<<___;
+	ADD	@Y[0],@X[0],@X[0]	; accumulate key material
+||	ADD	@Y[1],@X[1],@X[1]
+||	ADD	@Y[2],@X[2],@X[2]
+||	ADD	@Y[3],@X[3],@X[3]
+||[!A1]	LDNDW	*${INP}++[8],@DAT[1]:@DAT[0]
+|| [A1]	BNOP	tail?
+	ADD	@Y[4],@X[4],@X[4]
+||	ADD	@Y[5],@X[5],@X[5]
+||	ADD	@Y[6],@X[6],@X[6]
+||	ADD	@Y[7],@X[7],@X[7]
+||[!A1]	LDNDW	*${INP}[-7],@DAT[3]:@DAT[2]
+	ADD	@Y[8],@X[8],@X[8]
+||	ADD	@Y[9],@X[9],@X[9]
+||	ADD	@Y[10],@X[10],@X[10]
+||	ADD	@Y[11],@X[11],@X[11]
+||[!A1]	LDNDW	*${INP}[-6],@DAT[5]:@DAT[4]
+	ADD	@Y[12],@X[12],@X[12]
+||	ADD	@Y[13],@X[13],@X[13]
+||	ADD	@Y[14],@X[14],@X[14]
+||	ADD	@Y[15],@X[15],@X[15]
+||[!A1]	LDNDW	*${INP}[-5],@DAT[7]:@DAT[6]
+  [!A1]	LDNDW	*${INP}[-4],@DAT[9]:@DAT[8]
+  [!A1]	LDNDW	*${INP}[-3],@DAT[11]:@DAT[10]
+	LDNDW	*${INP}[-2],@DAT[13]:@DAT[12]
+	LDNDW	*${INP}[-1],@DAT[15]:@DAT[14]
+
+	.if	.BIG_ENDIAN
+	SWAP2	@X[0],@X[0]
+||	SWAP2	@X[1],@X[1]
+||	SWAP2	@X[2],@X[2]
+||	SWAP2	@X[3],@X[3]
+	SWAP2	@X[4],@X[4]
+||	SWAP2	@X[5],@X[5]
+||	SWAP2	@X[6],@X[6]
+||	SWAP2	@X[7],@X[7]
+	SWAP2	@X[8],@X[8]
+||	SWAP2	@X[9],@X[9]
+||	SWAP4	@X[0],@X[1]
+||	SWAP4	@X[1],@X[0]
+	SWAP2	@X[10],@X[10]
+||	SWAP2	@X[11],@X[11]
+||	SWAP4	@X[2],@X[3]
+||	SWAP4	@X[3],@X[2]
+	SWAP2	@X[12],@X[12]
+||	SWAP2	@X[13],@X[13]
+||	SWAP4	@X[4],@X[5]
+||	SWAP4	@X[5],@X[4]
+	SWAP2	@X[14],@X[14]
+||	SWAP2	@X[15],@X[15]
+||	SWAP4	@X[6],@X[7]
+||	SWAP4	@X[7],@X[6]
+	SWAP4	@X[8],@X[9]
+||	SWAP4	@X[9],@X[8]
+	SWAP4	@X[10],@X[11]
+||	SWAP4	@X[11],@X[10]
+	SWAP4	@X[12],@X[13]
+||	SWAP4	@X[13],@X[12]
+	SWAP4	@X[14],@X[15]
+||	SWAP4	@X[15],@X[14]
+	.else
+	NOP	1
+	.endif
+
+	XOR	@X[0],@DAT[0],@DAT[0]	; xor with input
+||	XOR	@X[1],@DAT[1],@DAT[1]
+||	XOR	@X[2],@DAT[2],@DAT[2]
+||	XOR	@X[3],@DAT[3],@DAT[3]
+|| [A0]	SUB	A0,$STEP,A0		; SUB	A0,64,A0
+	XOR	@X[4],@DAT[4],@DAT[4]
+||	XOR	@X[5],@DAT[5],@DAT[5]
+||	XOR	@X[6],@DAT[6],@DAT[6]
+||	XOR	@X[7],@DAT[7],@DAT[7]
+||	STNDW	@DAT[1]:@DAT[0],*${OUT}++[8]
+	XOR	@X[8],@DAT[8],@DAT[8]
+||	XOR	@X[9],@DAT[9],@DAT[9]
+||	XOR	@X[10],@DAT[10],@DAT[10]
+||	XOR	@X[11],@DAT[11],@DAT[11]
+||	STNDW	@DAT[3]:@DAT[2],*${OUT}[-7]
+	XOR	@X[12],@DAT[12],@DAT[12]
+||	XOR	@X[13],@DAT[13],@DAT[13]
+||	XOR	@X[14],@DAT[14],@DAT[14]
+||	XOR	@X[15],@DAT[15],@DAT[15]
+||	STNDW	@DAT[5]:@DAT[4],*${OUT}[-6]
+|| [A0]	BNOP	top1x?
+   [A0]	DMV	@Y[2],@Y[0],@X[2]:@X[0]	; duplicate key material
+|| [A0]	DMV	@Y[3],@Y[1],@X[3]:@X[1]
+||	STNDW	@DAT[7]:@DAT[6],*${OUT}[-5]
+   [A0]	DMV	@Y[6],@Y[4],@X[6]:@X[4]
+|| [A0]	DMV	@Y[7],@Y[5],@X[7]:@X[5]
+||	STNDW	@DAT[9]:@DAT[8],*${OUT}[-4]
+   [A0]	DMV	@Y[10],@Y[8],@X[10]:@X[8]
+|| [A0]	DMV	@Y[11],@Y[9],@X[11]:@X[9]
+|| [A0]	ADD	1,@Y[12],@Y[12]		; increment counter
+||	STNDW	@DAT[11]:@DAT[10],*${OUT}[-3]
+   [A0]	DMV	@Y[14],@Y[12],@X[14]:@X[12]
+|| [A0]	DMV	@Y[15],@Y[13],@X[15]:@X[13]
+||	STNDW	@DAT[13]:@DAT[12],*${OUT}[-2]
+   [A0]	MVK	10,B0			; inner loop counter
+||	STNDW	@DAT[15]:@DAT[14],*${OUT}[-1]
+;;===== branch to top1x? is taken here
+
+epilogue?:
+	LDDW	*FP[-4],A11:A10		; ABI says so
+	LDDW	*FP[-3],A13:A12
+||	LDDW	*SP[3+8],B11:B10
+	LDDW	*SP[4+8],B13:B12
+||	BNOP	RA
+	LDW	*++SP(40+64),FP		; restore frame pointer
+	NOP	4
+
+tail?:
+	LDBU	*${INP}++[1],B24	; load byte by byte
+||	SUB	A0,1,A0
+||	SUB	A0,1,B1
+  [!B1]	BNOP	epilogue?		; interrupts are disabled for whole time
+|| [A0] LDBU	*${INP}++[1],B24
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+  [!B1]	BNOP	epilogue?
+|| [A0] LDBU	*${INP}++[1],B24
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+  [!B1]	BNOP	epilogue?
+||	ROTL	@X[0],0,A24
+|| [A0] LDBU	*${INP}++[1],B24
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+  [!B1]	BNOP	epilogue?
+||	ROTL	@X[0],24,A24
+|| [A0] LDBU	*${INP}++[1],A24
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+  [!B1]	BNOP	epilogue?
+||	ROTL	@X[0],16,A24
+|| [A0] LDBU	*${INP}++[1],A24
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+||	XOR	A24,B24,B25
+	STB	B25,*${OUT}++[1]	; store byte by byte
+||[!B1]	BNOP	epilogue?
+||	ROTL	@X[0],8,A24
+|| [A0] LDBU	*${INP}++[1],A24
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+||	XOR	A24,B24,B25
+	STB	B25,*${OUT}++[1]
+___
+sub TAIL_STEP {
+my $Xi= shift;
+my $T = ($Xi=~/^B/?"B24":"A24");	# match @X[i] to avoid cross path
+my $D = $T; $D=~tr/AB/BA/;
+my $O = $D; $O=~s/24/25/;
+
+$code.=<<___;
+||[!B1]	BNOP	epilogue?
+||	ROTL	$Xi,0,$T
+|| [A0] LDBU	*${INP}++[1],$D
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+||	XOR	A24,B24,$O
+	STB	$O,*${OUT}++[1]
+||[!B1]	BNOP	epilogue?
+||	ROTL	$Xi,24,$T
+|| [A0] LDBU	*${INP}++[1],$T
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+||	XOR	A24,B24,$O
+	STB	$O,*${OUT}++[1]
+||[!B1]	BNOP	epilogue?
+||	ROTL	$Xi,16,$T
+|| [A0] LDBU	*${INP}++[1],$T
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+||	XOR	A24,B24,$O
+	STB	$O,*${OUT}++[1]
+||[!B1]	BNOP	epilogue?
+||	ROTL	$Xi,8,$T
+|| [A0] LDBU	*${INP}++[1],$T
+|| [A0]	SUB	A0,1,A0
+||	SUB	B1,1,B1
+||	XOR	A24,B24,$O
+	STB	$O,*${OUT}++[1]
+___
+}
+	foreach (1..14) { TAIL_STEP(@X[$_]); }
+$code.=<<___;
+||[!B1]	BNOP	epilogue?
+||	ROTL	@X[15],0,B24
+||	XOR	A24,B24,A25
+	STB	A25,*${OUT}++[1]
+||	ROTL	@X[15],24,B24
+||	XOR	A24,B24,A25
+	STB	A25,*${OUT}++[1]
+||	ROTL	@X[15],16,B24
+||	XOR	A24,B24,A25
+	STB	A25,*${OUT}++[1]
+||	XOR	A24,B24,A25
+	STB	A25,*${OUT}++[1]
+||	XOR	A24,B24,B25
+	STB	B25,*${OUT}++[1]
+	.endasmfunc
+
+	.sect	.const
+	.cstring "ChaCha20 for C64x+, CRYPTOGAMS by <appro\@openssl.org>"
+	.align	4
+___
+
+print $code;
+close STDOUT;
--- a/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-ppc.pl
+++ b/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-ppc.pl
--- a/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-s390x.pl
+++ b/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-s390x.pl
@ -0,0 +1,326 @@
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
+# project. The module is, however, dual licensed under OpenSSL and
+# CRYPTOGAMS licenses depending on where you obtain it. For further
+# details see http://www.openssl.org/~appro/cryptogams/.
+# ====================================================================
+#
+# December 2015
+#
+# ChaCha20 for s390x.
+#
+# 3 times faster than compiler-generated code.
+
+$flavour = shift;
+
+if ($flavour =~ /3[12]/) {
+	$SIZE_T=4;
+	$g="";
+} else {
+	$SIZE_T=8;
+	$g="g";
+}
+
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+open STDOUT,">$output";
+
+sub AUTOLOAD()		# thunk [simplified] x86-style perlasm
+{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://;
+    $code .= "\t$opcode\t".join(',',@_)."\n";
+}
+
+my $sp="%r15";
+
+my $stdframe=16*$SIZE_T+4*8;
+my $frame=$stdframe+4*20;
+
+my ($out,$inp,$len,$key,$counter)=map("%r$_",(2..6));
+
+my @x=map("%r$_",(0..7,"x","x","x","x",(10..13)));
+my @t=map("%r$_",(8,9));
+
+sub ROUND {
+my ($a0,$b0,$c0,$d0)=@_;
+my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
+my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
+my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
+my ($xc,$xc_)=map("\"$_\"",@t);
+my @x=map("\"$_\"",@x);
+
+	# Consider order in which variables are addressed by their
+	# index:
+	#
+	#	a   b   c   d
+	#
+	#	0   4   8  12 < even round
+	#	1   5   9  13
+	#	2   6  10  14
+	#	3   7  11  15
+	#	0   5  10  15 < odd round
+	#	1   6  11  12
+	#	2   7   8  13
+	#	3   4   9  14
+	#
+	# 'a', 'b' and 'd's are permanently allocated in registers,
+	# @x[0..7,12..15], while 'c's are maintained in memory. If
+	# you observe 'c' column, you'll notice that pair of 'c's is
+	# invariant between rounds. This means that we have to reload
+	# them once per round, in the middle. This is why you'll see
+	# 'c' stores and loads in the middle, but none in the beginning
+	# or end.
+
+	(
+	"&alr	(@x[$a0],@x[$b0])",	# Q1
+	 "&alr	(@x[$a1],@x[$b1])",	# Q2
+	"&xr	(@x[$d0],@x[$a0])",
+	 "&xr	(@x[$d1],@x[$a1])",
+	"&rll	(@x[$d0],@x[$d0],16)",
+	 "&rll	(@x[$d1],@x[$d1],16)",
+
+	"&alr	($xc,@x[$d0])",
+	 "&alr	($xc_,@x[$d1])",
+	"&xr	(@x[$b0],$xc)",
+	 "&xr	(@x[$b1],$xc_)",
+	"&rll	(@x[$b0],@x[$b0],12)",
+	 "&rll	(@x[$b1],@x[$b1],12)",
+
+	"&alr	(@x[$a0],@x[$b0])",
+	 "&alr	(@x[$a1],@x[$b1])",
+	"&xr	(@x[$d0],@x[$a0])",
+	 "&xr	(@x[$d1],@x[$a1])",
+	"&rll	(@x[$d0],@x[$d0],8)",
+	 "&rll	(@x[$d1],@x[$d1],8)",
+
+	"&alr	($xc,@x[$d0])",
+	 "&alr	($xc_,@x[$d1])",
+	"&xr	(@x[$b0],$xc)",
+	 "&xr	(@x[$b1],$xc_)",
+	"&rll	(@x[$b0],@x[$b0],7)",
+	 "&rll	(@x[$b1],@x[$b1],7)",
+
+	"&stm	($xc,$xc_,'$stdframe+4*8+4*$c0($sp)')",	# reload pair of 'c's
+	"&lm	($xc,$xc_,'$stdframe+4*8+4*$c2($sp)')",
+
+	"&alr	(@x[$a2],@x[$b2])",	# Q3
+	 "&alr	(@x[$a3],@x[$b3])",	# Q4
+	"&xr	(@x[$d2],@x[$a2])",
+	 "&xr	(@x[$d3],@x[$a3])",
+	"&rll	(@x[$d2],@x[$d2],16)",
+	 "&rll	(@x[$d3],@x[$d3],16)",
+
+	"&alr	($xc,@x[$d2])",
+	 "&alr	($xc_,@x[$d3])",
+	"&xr	(@x[$b2],$xc)",
+	 "&xr	(@x[$b3],$xc_)",
+	"&rll	(@x[$b2],@x[$b2],12)",
+	 "&rll	(@x[$b3],@x[$b3],12)",
+
+	"&alr	(@x[$a2],@x[$b2])",
+	 "&alr	(@x[$a3],@x[$b3])",
+	"&xr	(@x[$d2],@x[$a2])",
+	 "&xr	(@x[$d3],@x[$a3])",
+	"&rll	(@x[$d2],@x[$d2],8)",
+	 "&rll	(@x[$d3],@x[$d3],8)",
+
+	"&alr	($xc,@x[$d2])",
+	 "&alr	($xc_,@x[$d3])",
+	"&xr	(@x[$b2],$xc)",
+	 "&xr	(@x[$b3],$xc_)",
+	"&rll	(@x[$b2],@x[$b2],7)",
+	 "&rll	(@x[$b3],@x[$b3],7)"
+	);
+}
+
+$code.=<<___;
+.text
+
+.globl	ChaCha20_ctr32
+.type	ChaCha20_ctr32,\@function
+.align	32
+ChaCha20_ctr32:
+	lt${g}r	$len,$len			# $len==0?
+	bzr	%r14
+	a${g}hi	$len,-64
+	l${g}hi	%r1,-$frame
+	stm${g}	%r6,%r15,`6*$SIZE_T`($sp)
+	sl${g}r	$out,$inp			# difference
+	la	$len,0($inp,$len)		# end of input minus 64
+	larl	%r7,.Lsigma
+	lgr	%r0,$sp
+	la	$sp,0(%r1,$sp)
+	st${g}	%r0,0($sp)
+
+	lmg	%r8,%r11,0($key)		# load key
+	lmg	%r12,%r13,0($counter)		# load counter
+	lmg	%r6,%r7,0(%r7)			# load sigma constant
+
+	la	%r14,0($inp)
+	st${g}	$out,$frame+3*$SIZE_T($sp)
+	st${g}	$len,$frame+4*$SIZE_T($sp)
+	stmg	%r6,%r13,$stdframe($sp)		# copy key schedule to stack
+	srlg	@x[12],%r12,32			# 32-bit counter value
+	j	.Loop_outer
+
+.align	16
+.Loop_outer:
+	lm	@x[0],@x[7],$stdframe+4*0($sp)		# load x[0]-x[7]
+	lm	@t[0],@t[1],$stdframe+4*10($sp)		# load x[10]-x[11]
+	lm	@x[13],@x[15],$stdframe+4*13($sp)	# load x[13]-x[15]
+	stm	@t[0],@t[1],$stdframe+4*8+4*10($sp)	# offload x[10]-x[11]
+	lm	@t[0],@t[1],$stdframe+4*8($sp)		# load x[8]-x[9]
+	st	@x[12],$stdframe+4*12($sp)		# save counter
+	st${g}	%r14,$frame+2*$SIZE_T($sp)		# save input pointer
+	lhi	%r14,10
+	j	.Loop
+
+.align	4
+.Loop:
+___
+	foreach (&ROUND(0, 4, 8,12)) { eval; }
+	foreach (&ROUND(0, 5,10,15)) { eval; }
+$code.=<<___;
+	brct	%r14,.Loop
+
+	l${g}	%r14,$frame+2*$SIZE_T($sp)		# pull input pointer
+	stm	@t[0],@t[1],$stdframe+4*8+4*8($sp)	# offload x[8]-x[9]
+	lm${g}	@t[0],@t[1],$frame+3*$SIZE_T($sp)
+
+	al	@x[0],$stdframe+4*0($sp)	# accumulate key schedule
+	al	@x[1],$stdframe+4*1($sp)
+	al	@x[2],$stdframe+4*2($sp)
+	al	@x[3],$stdframe+4*3($sp)
+	al	@x[4],$stdframe+4*4($sp)
+	al	@x[5],$stdframe+4*5($sp)
+	al	@x[6],$stdframe+4*6($sp)
+	al	@x[7],$stdframe+4*7($sp)
+	lrvr	@x[0],@x[0]
+	lrvr	@x[1],@x[1]
+	lrvr	@x[2],@x[2]
+	lrvr	@x[3],@x[3]
+	lrvr	@x[4],@x[4]
+	lrvr	@x[5],@x[5]
+	lrvr	@x[6],@x[6]
+	lrvr	@x[7],@x[7]
+	al	@x[12],$stdframe+4*12($sp)
+	al	@x[13],$stdframe+4*13($sp)
+	al	@x[14],$stdframe+4*14($sp)
+	al	@x[15],$stdframe+4*15($sp)
+	lrvr	@x[12],@x[12]
+	lrvr	@x[13],@x[13]
+	lrvr	@x[14],@x[14]
+	lrvr	@x[15],@x[15]
+
+	la	@t[0],0(@t[0],%r14)		# reconstruct output pointer
+	cl${g}r	%r14,@t[1]
+	jh	.Ltail
+
+	x	@x[0],4*0(%r14)			# xor with input
+	x	@x[1],4*1(%r14)
+	st	@x[0],4*0(@t[0])		# store output
+	x	@x[2],4*2(%r14)
+	st	@x[1],4*1(@t[0])
+	x	@x[3],4*3(%r14)
+	st	@x[2],4*2(@t[0])
+	x	@x[4],4*4(%r14)
+	st	@x[3],4*3(@t[0])
+	 lm	@x[0],@x[3],$stdframe+4*8+4*8($sp)	# load x[8]-x[11]
+	x	@x[5],4*5(%r14)
+	st	@x[4],4*4(@t[0])
+	x	@x[6],4*6(%r14)
+	 al	@x[0],$stdframe+4*8($sp)
+	st	@x[5],4*5(@t[0])
+	x	@x[7],4*7(%r14)
+	 al	@x[1],$stdframe+4*9($sp)
+	st	@x[6],4*6(@t[0])
+	x	@x[12],4*12(%r14)
+	 al	@x[2],$stdframe+4*10($sp)
+	st	@x[7],4*7(@t[0])
+	x	@x[13],4*13(%r14)
+	 al	@x[3],$stdframe+4*11($sp)
+	st	@x[12],4*12(@t[0])
+	x	@x[14],4*14(%r14)
+	st	@x[13],4*13(@t[0])
+	x	@x[15],4*15(%r14)
+	st	@x[14],4*14(@t[0])
+	 lrvr	@x[0],@x[0]
+	st	@x[15],4*15(@t[0])
+	 lrvr	@x[1],@x[1]
+	 lrvr	@x[2],@x[2]
+	 lrvr	@x[3],@x[3]
+	lhi	@x[12],1
+	 x	@x[0],4*8(%r14)
+	al	@x[12],$stdframe+4*12($sp)	# increment counter
+	 x	@x[1],4*9(%r14)
+	 st	@x[0],4*8(@t[0])
+	 x	@x[2],4*10(%r14)
+	 st	@x[1],4*9(@t[0])
+	 x	@x[3],4*11(%r14)
+	 st	@x[2],4*10(@t[0])
+	 st	@x[3],4*11(@t[0])
+
+	cl${g}r	%r14,@t[1]			# done yet?
+	la	%r14,64(%r14)
+	jl	.Loop_outer
+
+.Ldone:
+	xgr	%r0,%r0
+	xgr	%r1,%r1
+	xgr	%r2,%r2
+	xgr	%r3,%r3
+	stmg	%r0,%r3,$stdframe+4*4($sp)	# wipe key copy
+	stmg	%r0,%r3,$stdframe+4*12($sp)
+
+	lm${g}	%r6,%r15,`$frame+6*$SIZE_T`($sp)
+	br	%r14
+
+.align	16
+.Ltail:
+	la	@t[1],64($t[1])
+	stm	@x[0],@x[7],$stdframe+4*0($sp)
+	sl${g}r	@t[1],%r14
+	lm	@x[0],@x[3],$stdframe+4*8+4*8($sp)
+	l${g}hi	@x[6],0
+	stm	@x[12],@x[15],$stdframe+4*12($sp)
+	al	@x[0],$stdframe+4*8($sp)
+	al	@x[1],$stdframe+4*9($sp)
+	al	@x[2],$stdframe+4*10($sp)
+	al	@x[3],$stdframe+4*11($sp)
+	lrvr	@x[0],@x[0]
+	lrvr	@x[1],@x[1]
+	lrvr	@x[2],@x[2]
+	lrvr	@x[3],@x[3]
+	stm	@x[0],@x[3],$stdframe+4*8($sp)
+
+.Loop_tail:
+	llgc	@x[4],0(@x[6],%r14)
+	llgc	@x[5],$stdframe(@x[6],$sp)
+	xr	@x[5],@x[4]
+	stc	@x[5],0(@x[6],@t[0])
+	la	@x[6],1(@x[6])
+	brct	@t[1],.Loop_tail
+
+	j	.Ldone
+.size	ChaCha20_ctr32,.-ChaCha20_ctr32
+
+.align	32
+.Lsigma:
+.long	0x61707865,0x3320646e,0x79622d32,0x6b206574	# endian-neutral
+.asciz	"ChaCha20 for s390x, CRYPTOGAMS by <appro\@openssl.org>"
+.align	4
+___
+
+foreach (split("\n",$code)) {
+	s/\`([^\`]*)\`/eval $1/ge;
+
+	print $_,"\n";
+}
+close STDOUT;
--- a/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-x86.pl
+++ b/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-x86.pl
--- a/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-x86_64.pl
+++ b/trunk/3rdparty/openssl-1.1-fit/crypto/chacha/asm/chacha-x86_64.pl