.ctags.d is previous, include it in our tarballs

[openssl.git] / crypto / chacha / asm / chacha-ppc.pl

#! /usr/bin/env perl
# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

#
# ====================================================================
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
# ====================================================================
#
# October 2015
#
# ChaCha20 for PowerPC/AltiVec.
#
# June 2018
#
# Add VSX 2.07 code path. Original 3xAltiVec+1xIALU is well-suited for
# processors that can't issue more than one vector instruction per
# cycle. But POWER8 (and POWER9) can issue a pair, and vector-only 4x
# interleave would perform better. Incidentally PowerISA 2.07 (first
# implemented by POWER8) defined new usable instructions, hence 4xVSX
# code path...
#
# Performance in cycles per byte out of large buffer.
#
#                       IALU/gcc-4.x    3xAltiVec+1xIALU        4xVSX
#
# Freescale e300        13.6/+115%      -                       -
# PPC74x0/G4e           6.81/+310%      3.81                    -
# PPC970/G5             9.29/+160%      ?                       -
# POWER7                8.62/+61%       3.35                    -
# POWER8                8.70/+51%       2.91                    2.09
# POWER9                8.80/+29%       4.44(*)                 2.45(**)
#
# (*)   this is trade-off result, it's possible to improve it, but
#       then it would negatively affect all others;
# (**)  POWER9 seems to be "allergic" to mixing vector and integer
#       instructions, which is why switch to vector-only code pays
#       off that much;

# $output is the last argument if it looks like a file (it has an extension)
# $flavour is the first argument if it doesn't look like a file
$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;

if ($flavour =~ /64/) {
        $SIZE_T =8;
        $LRSAVE =2*$SIZE_T;
        $STU    ="stdu";
        $POP    ="ld";
        $PUSH   ="std";
        $UCMP   ="cmpld";
} elsif ($flavour =~ /32/) {
        $SIZE_T =4;
        $LRSAVE =$SIZE_T;
        $STU    ="stwu";
        $POP    ="lwz";
        $PUSH   ="stw";
        $UCMP   ="cmplw";
} else { die "nonsense $flavour"; }

$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0;

$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
die "can't locate ppc-xlate.pl";

open STDOUT,"| $^X $xlate $flavour \"$output\""
    or die "can't call $xlate: $!";

$LOCALS=6*$SIZE_T;
$FRAME=$LOCALS+64+18*$SIZE_T;   # 64 is for local variables

sub AUTOLOAD()          # thunk [simplified] x86-style perlasm
{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./;
    $code .= "\t$opcode\t".join(',',@_)."\n";
}

my $sp = "r1";

my ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7));

my @x=map("r$_",(16..31));
my @d=map("r$_",(11,12,14,15));
my @t=map("r$_",(7..10));

sub ROUND {
my ($a0,$b0,$c0,$d0)=@_;
my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));

    (
        "&add           (@x[$a0],@x[$a0],@x[$b0])",
         "&add          (@x[$a1],@x[$a1],@x[$b1])",
          "&add         (@x[$a2],@x[$a2],@x[$b2])",
           "&add        (@x[$a3],@x[$a3],@x[$b3])",
        "&xor           (@x[$d0],@x[$d0],@x[$a0])",
         "&xor          (@x[$d1],@x[$d1],@x[$a1])",
          "&xor         (@x[$d2],@x[$d2],@x[$a2])",
           "&xor        (@x[$d3],@x[$d3],@x[$a3])",
        "&rotlwi        (@x[$d0],@x[$d0],16)",
         "&rotlwi       (@x[$d1],@x[$d1],16)",
          "&rotlwi      (@x[$d2],@x[$d2],16)",
           "&rotlwi     (@x[$d3],@x[$d3],16)",

        "&add           (@x[$c0],@x[$c0],@x[$d0])",
         "&add          (@x[$c1],@x[$c1],@x[$d1])",
          "&add         (@x[$c2],@x[$c2],@x[$d2])",
           "&add        (@x[$c3],@x[$c3],@x[$d3])",
        "&xor           (@x[$b0],@x[$b0],@x[$c0])",
         "&xor          (@x[$b1],@x[$b1],@x[$c1])",
          "&xor         (@x[$b2],@x[$b2],@x[$c2])",
           "&xor        (@x[$b3],@x[$b3],@x[$c3])",
        "&rotlwi        (@x[$b0],@x[$b0],12)",
         "&rotlwi       (@x[$b1],@x[$b1],12)",
          "&rotlwi      (@x[$b2],@x[$b2],12)",
           "&rotlwi     (@x[$b3],@x[$b3],12)",

        "&add           (@x[$a0],@x[$a0],@x[$b0])",
         "&add          (@x[$a1],@x[$a1],@x[$b1])",
          "&add         (@x[$a2],@x[$a2],@x[$b2])",
           "&add        (@x[$a3],@x[$a3],@x[$b3])",
        "&xor           (@x[$d0],@x[$d0],@x[$a0])",
         "&xor          (@x[$d1],@x[$d1],@x[$a1])",
          "&xor         (@x[$d2],@x[$d2],@x[$a2])",
           "&xor        (@x[$d3],@x[$d3],@x[$a3])",
        "&rotlwi        (@x[$d0],@x[$d0],8)",
         "&rotlwi       (@x[$d1],@x[$d1],8)",
          "&rotlwi      (@x[$d2],@x[$d2],8)",
           "&rotlwi     (@x[$d3],@x[$d3],8)",

        "&add           (@x[$c0],@x[$c0],@x[$d0])",
         "&add          (@x[$c1],@x[$c1],@x[$d1])",
          "&add         (@x[$c2],@x[$c2],@x[$d2])",
           "&add        (@x[$c3],@x[$c3],@x[$d3])",
        "&xor           (@x[$b0],@x[$b0],@x[$c0])",
         "&xor          (@x[$b1],@x[$b1],@x[$c1])",
          "&xor         (@x[$b2],@x[$b2],@x[$c2])",
           "&xor        (@x[$b3],@x[$b3],@x[$c3])",
        "&rotlwi        (@x[$b0],@x[$b0],7)",
         "&rotlwi       (@x[$b1],@x[$b1],7)",
          "&rotlwi      (@x[$b2],@x[$b2],7)",
           "&rotlwi     (@x[$b3],@x[$b3],7)"
    );
}

$code.=<<___;
.machine        "any"
.text

.globl  .ChaCha20_ctr32_int
.align  5
.ChaCha20_ctr32_int:
__ChaCha20_ctr32_int:
        ${UCMP}i $len,0
        beqlr-

        $STU    $sp,-$FRAME($sp)
        mflr    r0

        $PUSH   r14,`$FRAME-$SIZE_T*18`($sp)
        $PUSH   r15,`$FRAME-$SIZE_T*17`($sp)
        $PUSH   r16,`$FRAME-$SIZE_T*16`($sp)
        $PUSH   r17,`$FRAME-$SIZE_T*15`($sp)
        $PUSH   r18,`$FRAME-$SIZE_T*14`($sp)
        $PUSH   r19,`$FRAME-$SIZE_T*13`($sp)
        $PUSH   r20,`$FRAME-$SIZE_T*12`($sp)
        $PUSH   r21,`$FRAME-$SIZE_T*11`($sp)
        $PUSH   r22,`$FRAME-$SIZE_T*10`($sp)
        $PUSH   r23,`$FRAME-$SIZE_T*9`($sp)
        $PUSH   r24,`$FRAME-$SIZE_T*8`($sp)
        $PUSH   r25,`$FRAME-$SIZE_T*7`($sp)
        $PUSH   r26,`$FRAME-$SIZE_T*6`($sp)
        $PUSH   r27,`$FRAME-$SIZE_T*5`($sp)
        $PUSH   r28,`$FRAME-$SIZE_T*4`($sp)
        $PUSH   r29,`$FRAME-$SIZE_T*3`($sp)
        $PUSH   r30,`$FRAME-$SIZE_T*2`($sp)
        $PUSH   r31,`$FRAME-$SIZE_T*1`($sp)
        $PUSH   r0,`$FRAME+$LRSAVE`($sp)

        lwz     @d[0],0($ctr)                   # load counter
        lwz     @d[1],4($ctr)
        lwz     @d[2],8($ctr)
        lwz     @d[3],12($ctr)

        bl      __ChaCha20_1x

        $POP    r0,`$FRAME+$LRSAVE`($sp)
        $POP    r14,`$FRAME-$SIZE_T*18`($sp)
        $POP    r15,`$FRAME-$SIZE_T*17`($sp)
        $POP    r16,`$FRAME-$SIZE_T*16`($sp)
        $POP    r17,`$FRAME-$SIZE_T*15`($sp)
        $POP    r18,`$FRAME-$SIZE_T*14`($sp)
        $POP    r19,`$FRAME-$SIZE_T*13`($sp)
        $POP    r20,`$FRAME-$SIZE_T*12`($sp)
        $POP    r21,`$FRAME-$SIZE_T*11`($sp)
        $POP    r22,`$FRAME-$SIZE_T*10`($sp)
        $POP    r23,`$FRAME-$SIZE_T*9`($sp)
        $POP    r24,`$FRAME-$SIZE_T*8`($sp)
        $POP    r25,`$FRAME-$SIZE_T*7`($sp)
        $POP    r26,`$FRAME-$SIZE_T*6`($sp)
        $POP    r27,`$FRAME-$SIZE_T*5`($sp)
        $POP    r28,`$FRAME-$SIZE_T*4`($sp)
        $POP    r29,`$FRAME-$SIZE_T*3`($sp)
        $POP    r30,`$FRAME-$SIZE_T*2`($sp)
        $POP    r31,`$FRAME-$SIZE_T*1`($sp)
        mtlr    r0
        addi    $sp,$sp,$FRAME
        blr
        .long   0
        .byte   0,12,4,1,0x80,18,5,0
        .long   0
.size   .ChaCha20_ctr32_int,.-.ChaCha20_ctr32_int

.align  5
__ChaCha20_1x:
Loop_outer:
        lis     @x[0],0x6170                    # synthesize sigma
        lis     @x[1],0x3320
        lis     @x[2],0x7962
        lis     @x[3],0x6b20
        ori     @x[0],@x[0],0x7865
        ori     @x[1],@x[1],0x646e
        ori     @x[2],@x[2],0x2d32
        ori     @x[3],@x[3],0x6574

        li      r0,10                           # inner loop counter
        lwz     @x[4],0($key)                   # load key
        lwz     @x[5],4($key)
        lwz     @x[6],8($key)
        lwz     @x[7],12($key)
        lwz     @x[8],16($key)
        mr      @x[12],@d[0]                    # copy counter
        lwz     @x[9],20($key)
        mr      @x[13],@d[1]
        lwz     @x[10],24($key)
        mr      @x[14],@d[2]
        lwz     @x[11],28($key)
        mr      @x[15],@d[3]

        mr      @t[0],@x[4]
        mr      @t[1],@x[5]
        mr      @t[2],@x[6]
        mr      @t[3],@x[7]

        mtctr   r0
Loop:
___
        foreach (&ROUND(0, 4, 8,12)) { eval; }
        foreach (&ROUND(0, 5,10,15)) { eval; }
$code.=<<___;
        bdnz    Loop

        subic   $len,$len,64                    # $len-=64
        addi    @x[0],@x[0],0x7865              # accumulate key block
        addi    @x[1],@x[1],0x646e
        addi    @x[2],@x[2],0x2d32
        addi    @x[3],@x[3],0x6574
        addis   @x[0],@x[0],0x6170
        addis   @x[1],@x[1],0x3320
        addis   @x[2],@x[2],0x7962
        addis   @x[3],@x[3],0x6b20

        subfe.  r0,r0,r0                        # borrow?-1:0
        add     @x[4],@x[4],@t[0]
        lwz     @t[0],16($key)
        add     @x[5],@x[5],@t[1]
        lwz     @t[1],20($key)
        add     @x[6],@x[6],@t[2]
        lwz     @t[2],24($key)
        add     @x[7],@x[7],@t[3]
        lwz     @t[3],28($key)
        add     @x[8],@x[8],@t[0]
        add     @x[9],@x[9],@t[1]
        add     @x[10],@x[10],@t[2]
        add     @x[11],@x[11],@t[3]

        add     @x[12],@x[12],@d[0]
        add     @x[13],@x[13],@d[1]
        add     @x[14],@x[14],@d[2]
        add     @x[15],@x[15],@d[3]
        addi    @d[0],@d[0],1                   # increment counter
___
if (!$LITTLE_ENDIAN) { for($i=0;$i<16;$i++) {   # flip byte order
$code.=<<___;
        mr      @t[$i&3],@x[$i]
        rotlwi  @x[$i],@x[$i],8
        rlwimi  @x[$i],@t[$i&3],24,0,7
        rlwimi  @x[$i],@t[$i&3],24,16,23
___
} }
$code.=<<___;
        bne     Ltail                           # $len-=64 borrowed

        lwz     @t[0],0($inp)                   # load input, aligned or not
        lwz     @t[1],4($inp)
        ${UCMP}i $len,0                         # done already?
        lwz     @t[2],8($inp)
        lwz     @t[3],12($inp)
        xor     @x[0],@x[0],@t[0]               # xor with input
        lwz     @t[0],16($inp)
        xor     @x[1],@x[1],@t[1]
        lwz     @t[1],20($inp)
        xor     @x[2],@x[2],@t[2]
        lwz     @t[2],24($inp)
        xor     @x[3],@x[3],@t[3]
        lwz     @t[3],28($inp)
        xor     @x[4],@x[4],@t[0]
        lwz     @t[0],32($inp)
        xor     @x[5],@x[5],@t[1]
        lwz     @t[1],36($inp)
        xor     @x[6],@x[6],@t[2]
        lwz     @t[2],40($inp)
        xor     @x[7],@x[7],@t[3]
        lwz     @t[3],44($inp)
        xor     @x[8],@x[8],@t[0]
        lwz     @t[0],48($inp)
        xor     @x[9],@x[9],@t[1]
        lwz     @t[1],52($inp)
        xor     @x[10],@x[10],@t[2]
        lwz     @t[2],56($inp)
        xor     @x[11],@x[11],@t[3]
        lwz     @t[3],60($inp)
        xor     @x[12],@x[12],@t[0]
        stw     @x[0],0($out)                   # store output, aligned or not
        xor     @x[13],@x[13],@t[1]
        stw     @x[1],4($out)
        xor     @x[14],@x[14],@t[2]
        stw     @x[2],8($out)
        xor     @x[15],@x[15],@t[3]
        stw     @x[3],12($out)
        stw     @x[4],16($out)
        stw     @x[5],20($out)
        stw     @x[6],24($out)
        stw     @x[7],28($out)
        stw     @x[8],32($out)
        stw     @x[9],36($out)
        stw     @x[10],40($out)
        stw     @x[11],44($out)
        stw     @x[12],48($out)
        stw     @x[13],52($out)
        stw     @x[14],56($out)
        addi    $inp,$inp,64
        stw     @x[15],60($out)
        addi    $out,$out,64

        bne     Loop_outer

        blr

.align  4
Ltail:
        addi    $len,$len,64                    # restore tail length
        subi    $inp,$inp,1                     # prepare for *++ptr
        subi    $out,$out,1
        addi    @t[0],$sp,$LOCALS-1
        mtctr   $len

        stw     @x[0],`$LOCALS+0`($sp)          # save whole block to stack
        stw     @x[1],`$LOCALS+4`($sp)
        stw     @x[2],`$LOCALS+8`($sp)
        stw     @x[3],`$LOCALS+12`($sp)
        stw     @x[4],`$LOCALS+16`($sp)
        stw     @x[5],`$LOCALS+20`($sp)
        stw     @x[6],`$LOCALS+24`($sp)
        stw     @x[7],`$LOCALS+28`($sp)
        stw     @x[8],`$LOCALS+32`($sp)
        stw     @x[9],`$LOCALS+36`($sp)
        stw     @x[10],`$LOCALS+40`($sp)
        stw     @x[11],`$LOCALS+44`($sp)
        stw     @x[12],`$LOCALS+48`($sp)
        stw     @x[13],`$LOCALS+52`($sp)
        stw     @x[14],`$LOCALS+56`($sp)
        stw     @x[15],`$LOCALS+60`($sp)

Loop_tail:                                      # byte-by-byte loop
        lbzu    @d[0],1($inp)
        lbzu    @x[0],1(@t[0])
        xor     @d[1],@d[0],@x[0]
        stbu    @d[1],1($out)
        bdnz    Loop_tail

        stw     $sp,`$LOCALS+0`($sp)            # wipe block on stack
        stw     $sp,`$LOCALS+4`($sp)
        stw     $sp,`$LOCALS+8`($sp)
        stw     $sp,`$LOCALS+12`($sp)
        stw     $sp,`$LOCALS+16`($sp)
        stw     $sp,`$LOCALS+20`($sp)
        stw     $sp,`$LOCALS+24`($sp)
        stw     $sp,`$LOCALS+28`($sp)
        stw     $sp,`$LOCALS+32`($sp)
        stw     $sp,`$LOCALS+36`($sp)
        stw     $sp,`$LOCALS+40`($sp)
        stw     $sp,`$LOCALS+44`($sp)
        stw     $sp,`$LOCALS+48`($sp)
        stw     $sp,`$LOCALS+52`($sp)
        stw     $sp,`$LOCALS+56`($sp)
        stw     $sp,`$LOCALS+60`($sp)

        blr
        .long   0
        .byte   0,12,0x14,0,0,0,0,0
___

{{{
my ($A0,$B0,$C0,$D0,$A1,$B1,$C1,$D1,$A2,$B2,$C2,$D2)
                                = map("v$_",(0..11));
my @K                           = map("v$_",(12..17));
my ($FOUR,$sixteen,$twenty4)    = map("v$_",(18..19,23));
my ($inpperm,$outperm,$outmask) = map("v$_",(24..26));
my @D                           = map("v$_",(27..31));
my ($twelve,$seven,$T0,$T1) = @D;

my $FRAME=$LOCALS+64+10*16+18*$SIZE_T;  # 10*16 is for v23-v31 offload

sub VMXROUND {
my $odd = pop;
my ($a,$b,$c,$d)=@_;

        (
        "&vadduwm       ('$a','$a','$b')",
        "&vxor          ('$d','$d','$a')",
        "&vperm         ('$d','$d','$d','$sixteen')",

        "&vadduwm       ('$c','$c','$d')",
        "&vxor          ('$b','$b','$c')",
        "&vrlw          ('$b','$b','$twelve')",

        "&vadduwm       ('$a','$a','$b')",
        "&vxor          ('$d','$d','$a')",
        "&vperm         ('$d','$d','$d','$twenty4')",

        "&vadduwm       ('$c','$c','$d')",
        "&vxor          ('$b','$b','$c')",
        "&vrlw          ('$b','$b','$seven')",

        "&vrldoi        ('$c','$c',8)",
        "&vrldoi        ('$b','$b',$odd?4:12)",
        "&vrldoi        ('$d','$d',$odd?12:4)"
        );
}

$code.=<<___;

.globl  .ChaCha20_ctr32_vmx
.align  5
.ChaCha20_ctr32_vmx:
        ${UCMP}i $len,256
        blt     __ChaCha20_ctr32_int

        $STU    $sp,-$FRAME($sp)
        mflr    r0
        li      r10,`15+$LOCALS+64`
        li      r11,`31+$LOCALS+64`
        mfspr   r12,256
        stvx    v23,r10,$sp
        addi    r10,r10,32
        stvx    v24,r11,$sp
        addi    r11,r11,32
        stvx    v25,r10,$sp
        addi    r10,r10,32
        stvx    v26,r11,$sp
        addi    r11,r11,32
        stvx    v27,r10,$sp
        addi    r10,r10,32
        stvx    v28,r11,$sp
        addi    r11,r11,32
        stvx    v29,r10,$sp
        addi    r10,r10,32
        stvx    v30,r11,$sp
        stvx    v31,r10,$sp
        stw     r12,`$FRAME-$SIZE_T*18-4`($sp)  # save vrsave
        $PUSH   r14,`$FRAME-$SIZE_T*18`($sp)
        $PUSH   r15,`$FRAME-$SIZE_T*17`($sp)
        $PUSH   r16,`$FRAME-$SIZE_T*16`($sp)
        $PUSH   r17,`$FRAME-$SIZE_T*15`($sp)
        $PUSH   r18,`$FRAME-$SIZE_T*14`($sp)
        $PUSH   r19,`$FRAME-$SIZE_T*13`($sp)
        $PUSH   r20,`$FRAME-$SIZE_T*12`($sp)
        $PUSH   r21,`$FRAME-$SIZE_T*11`($sp)
        $PUSH   r22,`$FRAME-$SIZE_T*10`($sp)
        $PUSH   r23,`$FRAME-$SIZE_T*9`($sp)
        $PUSH   r24,`$FRAME-$SIZE_T*8`($sp)
        $PUSH   r25,`$FRAME-$SIZE_T*7`($sp)
        $PUSH   r26,`$FRAME-$SIZE_T*6`($sp)
        $PUSH   r27,`$FRAME-$SIZE_T*5`($sp)
        $PUSH   r28,`$FRAME-$SIZE_T*4`($sp)
        $PUSH   r29,`$FRAME-$SIZE_T*3`($sp)
        $PUSH   r30,`$FRAME-$SIZE_T*2`($sp)
        $PUSH   r31,`$FRAME-$SIZE_T*1`($sp)
        li      r12,-4096+511
        $PUSH   r0, `$FRAME+$LRSAVE`($sp)
        mtspr   256,r12                         # preserve 29 AltiVec registers

        bl      Lconsts                         # returns pointer Lsigma in r12
        li      @x[0],16
        li      @x[1],32
        li      @x[2],48
        li      @x[3],64
        li      @x[4],31                        # 31 is not a typo
        li      @x[5],15                        # nor is 15

        lvx     @K[1],0,$key                    # load key
        ?lvsr   $T0,0,$key                      # prepare unaligned load
        lvx     @K[2],@x[0],$key
        lvx     @D[0],@x[4],$key

        lvx     @K[3],0,$ctr                    # load counter
        ?lvsr   $T1,0,$ctr                      # prepare unaligned load
        lvx     @D[1],@x[5],$ctr

        lvx     @K[0],0,r12                     # load constants
        lvx     @K[5],@x[0],r12                 # one
        lvx     $FOUR,@x[1],r12
        lvx     $sixteen,@x[2],r12
        lvx     $twenty4,@x[3],r12

        ?vperm  @K[1],@K[2],@K[1],$T0           # align key
        ?vperm  @K[2],@D[0],@K[2],$T0
        ?vperm  @K[3],@D[1],@K[3],$T1           # align counter

        lwz     @d[0],0($ctr)                   # load counter to GPR
        lwz     @d[1],4($ctr)
        vadduwm @K[3],@K[3],@K[5]               # adjust AltiVec counter
        lwz     @d[2],8($ctr)
        vadduwm @K[4],@K[3],@K[5]
        lwz     @d[3],12($ctr)
        vadduwm @K[5],@K[4],@K[5]

        vxor    $T0,$T0,$T0                     # 0x00..00
        vspltisw $outmask,-1                    # 0xff..ff
        ?lvsr   $inpperm,0,$inp                 # prepare for unaligned load
        ?lvsl   $outperm,0,$out                 # prepare for unaligned store
        ?vperm  $outmask,$outmask,$T0,$outperm

        be?lvsl $T0,0,@x[0]                     # 0x00..0f
        be?vspltisb $T1,3                       # 0x03..03
        be?vxor $T0,$T0,$T1                     # swap bytes within words
        be?vxor $outperm,$outperm,$T1
        be?vperm $inpperm,$inpperm,$inpperm,$T0

        li      r0,10                           # inner loop counter
        b       Loop_outer_vmx

.align  4
Loop_outer_vmx:
        lis     @x[0],0x6170                    # synthesize sigma
        lis     @x[1],0x3320
         vmr    $A0,@K[0]
        lis     @x[2],0x7962
        lis     @x[3],0x6b20
         vmr    $A1,@K[0]
        ori     @x[0],@x[0],0x7865
        ori     @x[1],@x[1],0x646e
         vmr    $A2,@K[0]
        ori     @x[2],@x[2],0x2d32
        ori     @x[3],@x[3],0x6574
         vmr    $B0,@K[1]

        lwz     @x[4],0($key)                   # load key to GPR
         vmr    $B1,@K[1]
        lwz     @x[5],4($key)
         vmr    $B2,@K[1]
        lwz     @x[6],8($key)
         vmr    $C0,@K[2]
        lwz     @x[7],12($key)
         vmr    $C1,@K[2]
        lwz     @x[8],16($key)
         vmr    $C2,@K[2]
        mr      @x[12],@d[0]                    # copy GPR counter
        lwz     @x[9],20($key)
         vmr    $D0,@K[3]
        mr      @x[13],@d[1]
        lwz     @x[10],24($key)
         vmr    $D1,@K[4]
        mr      @x[14],@d[2]
        lwz     @x[11],28($key)
         vmr    $D2,@K[5]
        mr      @x[15],@d[3]

        mr      @t[0],@x[4]
        mr      @t[1],@x[5]
        mr      @t[2],@x[6]
        mr      @t[3],@x[7]

        vspltisw $twelve,12                     # synthesize constants
        vspltisw $seven,7

        mtctr   r0
        nop
Loop_vmx:
___
        my @thread0=&VMXROUND($A0,$B0,$C0,$D0,0);
        my @thread1=&VMXROUND($A1,$B1,$C1,$D1,0);
        my @thread2=&VMXROUND($A2,$B2,$C2,$D2,0);
        my @thread3=&ROUND(0,4,8,12);

        foreach (@thread0) {
                eval;
                eval(shift(@thread1));
                eval(shift(@thread2));

                eval(shift(@thread3));
                eval(shift(@thread3));
                eval(shift(@thread3));
        }
        foreach (@thread3) { eval; }

        @thread0=&VMXROUND($A0,$B0,$C0,$D0,1);
        @thread1=&VMXROUND($A1,$B1,$C1,$D1,1);
        @thread2=&VMXROUND($A2,$B2,$C2,$D2,1);
        @thread3=&ROUND(0,5,10,15);

        foreach (@thread0) {
                eval;
                eval(shift(@thread1));
                eval(shift(@thread2));

                eval(shift(@thread3));
                eval(shift(@thread3));
                eval(shift(@thread3));
        }
        foreach (@thread3) { eval; }
$code.=<<___;
        bdnz    Loop_vmx

        subi    $len,$len,256                   # $len-=256
        addi    @x[0],@x[0],0x7865              # accumulate key block
        addi    @x[1],@x[1],0x646e
        addi    @x[2],@x[2],0x2d32
        addi    @x[3],@x[3],0x6574
        addis   @x[0],@x[0],0x6170
        addis   @x[1],@x[1],0x3320
        addis   @x[2],@x[2],0x7962
        addis   @x[3],@x[3],0x6b20
        add     @x[4],@x[4],@t[0]
        lwz     @t[0],16($key)
        add     @x[5],@x[5],@t[1]
        lwz     @t[1],20($key)
        add     @x[6],@x[6],@t[2]
        lwz     @t[2],24($key)
        add     @x[7],@x[7],@t[3]
        lwz     @t[3],28($key)
        add     @x[8],@x[8],@t[0]
        add     @x[9],@x[9],@t[1]
        add     @x[10],@x[10],@t[2]
        add     @x[11],@x[11],@t[3]
        add     @x[12],@x[12],@d[0]
        add     @x[13],@x[13],@d[1]
        add     @x[14],@x[14],@d[2]
        add     @x[15],@x[15],@d[3]

        vadduwm $A0,$A0,@K[0]                   # accumulate key block
        vadduwm $A1,$A1,@K[0]
        vadduwm $A2,$A2,@K[0]
        vadduwm $B0,$B0,@K[1]
        vadduwm $B1,$B1,@K[1]
        vadduwm $B2,$B2,@K[1]
        vadduwm $C0,$C0,@K[2]
        vadduwm $C1,$C1,@K[2]
        vadduwm $C2,$C2,@K[2]
        vadduwm $D0,$D0,@K[3]
        vadduwm $D1,$D1,@K[4]
        vadduwm $D2,$D2,@K[5]

        addi    @d[0],@d[0],4                   # increment counter
        vadduwm @K[3],@K[3],$FOUR
        vadduwm @K[4],@K[4],$FOUR
        vadduwm @K[5],@K[5],$FOUR

___
if (!$LITTLE_ENDIAN) { for($i=0;$i<16;$i++) {   # flip byte order
$code.=<<___;
        mr      @t[$i&3],@x[$i]
        rotlwi  @x[$i],@x[$i],8
        rlwimi  @x[$i],@t[$i&3],24,0,7
        rlwimi  @x[$i],@t[$i&3],24,16,23
___
} }
$code.=<<___;
        lwz     @t[0],0($inp)                   # load input, aligned or not
        lwz     @t[1],4($inp)
        lwz     @t[2],8($inp)
        lwz     @t[3],12($inp)
        xor     @x[0],@x[0],@t[0]               # xor with input
        lwz     @t[0],16($inp)
        xor     @x[1],@x[1],@t[1]
        lwz     @t[1],20($inp)
        xor     @x[2],@x[2],@t[2]
        lwz     @t[2],24($inp)
        xor     @x[3],@x[3],@t[3]
        lwz     @t[3],28($inp)
        xor     @x[4],@x[4],@t[0]
        lwz     @t[0],32($inp)
        xor     @x[5],@x[5],@t[1]
        lwz     @t[1],36($inp)
        xor     @x[6],@x[6],@t[2]
        lwz     @t[2],40($inp)
        xor     @x[7],@x[7],@t[3]
        lwz     @t[3],44($inp)
        xor     @x[8],@x[8],@t[0]
        lwz     @t[0],48($inp)
        xor     @x[9],@x[9],@t[1]
        lwz     @t[1],52($inp)
        xor     @x[10],@x[10],@t[2]
        lwz     @t[2],56($inp)
        xor     @x[11],@x[11],@t[3]
        lwz     @t[3],60($inp)
        xor     @x[12],@x[12],@t[0]
        stw     @x[0],0($out)                   # store output, aligned or not
        xor     @x[13],@x[13],@t[1]
        stw     @x[1],4($out)
        xor     @x[14],@x[14],@t[2]
        stw     @x[2],8($out)
        xor     @x[15],@x[15],@t[3]
        stw     @x[3],12($out)
        addi    $inp,$inp,64
        stw     @x[4],16($out)
        li      @t[0],16
        stw     @x[5],20($out)
        li      @t[1],32
        stw     @x[6],24($out)
        li      @t[2],48
        stw     @x[7],28($out)
        li      @t[3],64
        stw     @x[8],32($out)
        stw     @x[9],36($out)
        stw     @x[10],40($out)
        stw     @x[11],44($out)
        stw     @x[12],48($out)
        stw     @x[13],52($out)
        stw     @x[14],56($out)
        stw     @x[15],60($out)
        addi    $out,$out,64

        lvx     @D[0],0,$inp                    # load input
        lvx     @D[1],@t[0],$inp
        lvx     @D[2],@t[1],$inp
        lvx     @D[3],@t[2],$inp
        lvx     @D[4],@t[3],$inp
        addi    $inp,$inp,64

        ?vperm  @D[0],@D[1],@D[0],$inpperm      # align input
        ?vperm  @D[1],@D[2],@D[1],$inpperm
        ?vperm  @D[2],@D[3],@D[2],$inpperm
        ?vperm  @D[3],@D[4],@D[3],$inpperm
        vxor    $A0,$A0,@D[0]                   # xor with input
        vxor    $B0,$B0,@D[1]
        lvx     @D[1],@t[0],$inp                # keep loading input
        vxor    $C0,$C0,@D[2]
        lvx     @D[2],@t[1],$inp
        vxor    $D0,$D0,@D[3]
        lvx     @D[3],@t[2],$inp
        lvx     @D[0],@t[3],$inp
        addi    $inp,$inp,64
        li      @t[3],63                        # 63 is not a typo
        vperm   $A0,$A0,$A0,$outperm            # pre-misalign output
        vperm   $B0,$B0,$B0,$outperm
        vperm   $C0,$C0,$C0,$outperm
        vperm   $D0,$D0,$D0,$outperm

        ?vperm  @D[4],@D[1],@D[4],$inpperm      # align input
        ?vperm  @D[1],@D[2],@D[1],$inpperm
        ?vperm  @D[2],@D[3],@D[2],$inpperm
        ?vperm  @D[3],@D[0],@D[3],$inpperm
        vxor    $A1,$A1,@D[4]
        vxor    $B1,$B1,@D[1]
        lvx     @D[1],@t[0],$inp                # keep loading input
        vxor    $C1,$C1,@D[2]
        lvx     @D[2],@t[1],$inp
        vxor    $D1,$D1,@D[3]
        lvx     @D[3],@t[2],$inp
        lvx     @D[4],@t[3],$inp                # redundant in aligned case
        addi    $inp,$inp,64
        vperm   $A1,$A1,$A1,$outperm            # pre-misalign output
        vperm   $B1,$B1,$B1,$outperm
        vperm   $C1,$C1,$C1,$outperm
        vperm   $D1,$D1,$D1,$outperm

        ?vperm  @D[0],@D[1],@D[0],$inpperm      # align input
        ?vperm  @D[1],@D[2],@D[1],$inpperm
        ?vperm  @D[2],@D[3],@D[2],$inpperm
        ?vperm  @D[3],@D[4],@D[3],$inpperm
        vxor    $A2,$A2,@D[0]
        vxor    $B2,$B2,@D[1]
        vxor    $C2,$C2,@D[2]
        vxor    $D2,$D2,@D[3]
        vperm   $A2,$A2,$A2,$outperm            # pre-misalign output
        vperm   $B2,$B2,$B2,$outperm
        vperm   $C2,$C2,$C2,$outperm
        vperm   $D2,$D2,$D2,$outperm

        andi.   @x[1],$out,15                   # is $out aligned?
        mr      @x[0],$out

        vsel    @D[0],$A0,$B0,$outmask          # collect pre-misaligned output
        vsel    @D[1],$B0,$C0,$outmask
        vsel    @D[2],$C0,$D0,$outmask
        vsel    @D[3],$D0,$A1,$outmask
        vsel    $B0,$A1,$B1,$outmask
        vsel    $C0,$B1,$C1,$outmask
        vsel    $D0,$C1,$D1,$outmask
        vsel    $A1,$D1,$A2,$outmask
        vsel    $B1,$A2,$B2,$outmask
        vsel    $C1,$B2,$C2,$outmask
        vsel    $D1,$C2,$D2,$outmask

        #stvx   $A0,0,$out                      # take it easy on the edges
        stvx    @D[0],@t[0],$out                # store output
        stvx    @D[1],@t[1],$out
        stvx    @D[2],@t[2],$out
        addi    $out,$out,64
        stvx    @D[3],0,$out
        stvx    $B0,@t[0],$out
        stvx    $C0,@t[1],$out
        stvx    $D0,@t[2],$out
        addi    $out,$out,64
        stvx    $A1,0,$out
        stvx    $B1,@t[0],$out
        stvx    $C1,@t[1],$out
        stvx    $D1,@t[2],$out
        addi    $out,$out,64

        beq     Laligned_vmx

        sub     @x[2],$out,@x[1]                # in misaligned case edges
        li      @x[3],0                         # are written byte-by-byte
Lunaligned_tail_vmx:
        stvebx  $D2,@x[3],@x[2]
        addi    @x[3],@x[3],1
        cmpw    @x[3],@x[1]
        bne     Lunaligned_tail_vmx

        sub     @x[2],@x[0],@x[1]
Lunaligned_head_vmx:
        stvebx  $A0,@x[1],@x[2]
        cmpwi   @x[1],15
        addi    @x[1],@x[1],1
        bne     Lunaligned_head_vmx

        ${UCMP}i $len,255                       # done with 256-byte blocks yet?
        bgt     Loop_outer_vmx

        b       Ldone_vmx

.align  4
Laligned_vmx:
        stvx    $A0,0,@x[0]                     # head hexaword was not stored

        ${UCMP}i $len,255                       # done with 256-byte blocks yet?
        bgt     Loop_outer_vmx
        nop

Ldone_vmx:
        ${UCMP}i $len,0                         # done yet?
        bnel    __ChaCha20_1x

        lwz     r12,`$FRAME-$SIZE_T*18-4`($sp)  # pull vrsave
        li      r10,`15+$LOCALS+64`
        li      r11,`31+$LOCALS+64`
        mtspr   256,r12                         # restore vrsave
        lvx     v23,r10,$sp
        addi    r10,r10,32
        lvx     v24,r11,$sp
        addi    r11,r11,32
        lvx     v25,r10,$sp
        addi    r10,r10,32
        lvx     v26,r11,$sp
        addi    r11,r11,32
        lvx     v27,r10,$sp
        addi    r10,r10,32
        lvx     v28,r11,$sp
        addi    r11,r11,32
        lvx     v29,r10,$sp
        addi    r10,r10,32
        lvx     v30,r11,$sp
        lvx     v31,r10,$sp
        $POP    r0, `$FRAME+$LRSAVE`($sp)
        $POP    r14,`$FRAME-$SIZE_T*18`($sp)
        $POP    r15,`$FRAME-$SIZE_T*17`($sp)
        $POP    r16,`$FRAME-$SIZE_T*16`($sp)
        $POP    r17,`$FRAME-$SIZE_T*15`($sp)
        $POP    r18,`$FRAME-$SIZE_T*14`($sp)
        $POP    r19,`$FRAME-$SIZE_T*13`($sp)
        $POP    r20,`$FRAME-$SIZE_T*12`($sp)
        $POP    r21,`$FRAME-$SIZE_T*11`($sp)
        $POP    r22,`$FRAME-$SIZE_T*10`($sp)
        $POP    r23,`$FRAME-$SIZE_T*9`($sp)
        $POP    r24,`$FRAME-$SIZE_T*8`($sp)
        $POP    r25,`$FRAME-$SIZE_T*7`($sp)
        $POP    r26,`$FRAME-$SIZE_T*6`($sp)
        $POP    r27,`$FRAME-$SIZE_T*5`($sp)
        $POP    r28,`$FRAME-$SIZE_T*4`($sp)
        $POP    r29,`$FRAME-$SIZE_T*3`($sp)
        $POP    r30,`$FRAME-$SIZE_T*2`($sp)
        $POP    r31,`$FRAME-$SIZE_T*1`($sp)
        mtlr    r0
        addi    $sp,$sp,$FRAME
        blr
        .long   0
        .byte   0,12,0x04,1,0x80,18,5,0
        .long   0
.size   .ChaCha20_ctr32_vmx,.-.ChaCha20_ctr32_vmx
___
}}}
{{{
my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3,
    $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = map("v$_",(0..15));
my @K = map("v$_",(16..19));
my $CTR = "v26";
my ($xt0,$xt1,$xt2,$xt3) = map("v$_",(27..30));
my ($sixteen,$twelve,$eight,$seven) = ($xt0,$xt1,$xt2,$xt3);
my $beperm = "v31";

my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10)));

my $FRAME=$LOCALS+64+7*16;      # 7*16 is for v26-v31 offload

sub VSX_lane_ROUND {
my ($a0,$b0,$c0,$d0)=@_;
my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
my @x=map("\"v$_\"",(0..15));

        (
        "&vadduwm       (@x[$a0],@x[$a0],@x[$b0])",     # Q1
         "&vadduwm      (@x[$a1],@x[$a1],@x[$b1])",     # Q2
          "&vadduwm     (@x[$a2],@x[$a2],@x[$b2])",     # Q3
           "&vadduwm    (@x[$a3],@x[$a3],@x[$b3])",     # Q4
        "&vxor          (@x[$d0],@x[$d0],@x[$a0])",
         "&vxor         (@x[$d1],@x[$d1],@x[$a1])",
          "&vxor        (@x[$d2],@x[$d2],@x[$a2])",
           "&vxor       (@x[$d3],@x[$d3],@x[$a3])",
        "&vrlw          (@x[$d0],@x[$d0],'$sixteen')",
         "&vrlw         (@x[$d1],@x[$d1],'$sixteen')",
          "&vrlw        (@x[$d2],@x[$d2],'$sixteen')",
           "&vrlw       (@x[$d3],@x[$d3],'$sixteen')",

        "&vadduwm       (@x[$c0],@x[$c0],@x[$d0])",
         "&vadduwm      (@x[$c1],@x[$c1],@x[$d1])",
          "&vadduwm     (@x[$c2],@x[$c2],@x[$d2])",
           "&vadduwm    (@x[$c3],@x[$c3],@x[$d3])",
        "&vxor          (@x[$b0],@x[$b0],@x[$c0])",
         "&vxor         (@x[$b1],@x[$b1],@x[$c1])",
          "&vxor        (@x[$b2],@x[$b2],@x[$c2])",
           "&vxor       (@x[$b3],@x[$b3],@x[$c3])",
        "&vrlw          (@x[$b0],@x[$b0],'$twelve')",
         "&vrlw         (@x[$b1],@x[$b1],'$twelve')",
          "&vrlw        (@x[$b2],@x[$b2],'$twelve')",
           "&vrlw       (@x[$b3],@x[$b3],'$twelve')",

        "&vadduwm       (@x[$a0],@x[$a0],@x[$b0])",
         "&vadduwm      (@x[$a1],@x[$a1],@x[$b1])",
          "&vadduwm     (@x[$a2],@x[$a2],@x[$b2])",
           "&vadduwm    (@x[$a3],@x[$a3],@x[$b3])",
        "&vxor          (@x[$d0],@x[$d0],@x[$a0])",
         "&vxor         (@x[$d1],@x[$d1],@x[$a1])",
          "&vxor        (@x[$d2],@x[$d2],@x[$a2])",
           "&vxor       (@x[$d3],@x[$d3],@x[$a3])",
        "&vrlw          (@x[$d0],@x[$d0],'$eight')",
         "&vrlw         (@x[$d1],@x[$d1],'$eight')",
          "&vrlw        (@x[$d2],@x[$d2],'$eight')",
           "&vrlw       (@x[$d3],@x[$d3],'$eight')",

        "&vadduwm       (@x[$c0],@x[$c0],@x[$d0])",
         "&vadduwm      (@x[$c1],@x[$c1],@x[$d1])",
          "&vadduwm     (@x[$c2],@x[$c2],@x[$d2])",
           "&vadduwm    (@x[$c3],@x[$c3],@x[$d3])",
        "&vxor          (@x[$b0],@x[$b0],@x[$c0])",
         "&vxor         (@x[$b1],@x[$b1],@x[$c1])",
          "&vxor        (@x[$b2],@x[$b2],@x[$c2])",
           "&vxor       (@x[$b3],@x[$b3],@x[$c3])",
        "&vrlw          (@x[$b0],@x[$b0],'$seven')",
         "&vrlw         (@x[$b1],@x[$b1],'$seven')",
          "&vrlw        (@x[$b2],@x[$b2],'$seven')",
           "&vrlw       (@x[$b3],@x[$b3],'$seven')"
        );
}

$code.=<<___;

.globl  .ChaCha20_ctr32_vsx
.align  5
.ChaCha20_ctr32_vsx:
        $STU    $sp,-$FRAME($sp)
        mflr    r0
        li      r10,`15+$LOCALS+64`
        li      r11,`31+$LOCALS+64`
        mfspr   r12,256
        stvx    v26,r10,$sp
        addi    r10,r10,32
        stvx    v27,r11,$sp
        addi    r11,r11,32
        stvx    v28,r10,$sp
        addi    r10,r10,32
        stvx    v29,r11,$sp
        addi    r11,r11,32
        stvx    v30,r10,$sp
        stvx    v31,r11,$sp
        stw     r12,`$FRAME-4`($sp)             # save vrsave
        li      r12,-4096+63
        $PUSH   r0, `$FRAME+$LRSAVE`($sp)
        mtspr   256,r12                         # preserve 29 AltiVec registers

        bl      Lconsts                         # returns pointer Lsigma in r12
        lvx_4w  @K[0],0,r12                     # load sigma
        addi    r12,r12,0x50
        li      $x10,16
        li      $x20,32
        li      $x30,48
        li      r11,64

        lvx_4w  @K[1],0,$key                    # load key
        lvx_4w  @K[2],$x10,$key
        lvx_4w  @K[3],0,$ctr                    # load counter

        vxor    $xt0,$xt0,$xt0
        lvx_4w  $xt1,r11,r12
        vspltw  $CTR,@K[3],0
        vsldoi  @K[3],@K[3],$xt0,4
        vsldoi  @K[3],$xt0,@K[3],12             # clear @K[3].word[0]
        vadduwm $CTR,$CTR,$xt1

        be?lvsl $beperm,0,$x10                  # 0x00..0f
        be?vspltisb $xt0,3                      # 0x03..03
        be?vxor $beperm,$beperm,$xt0            # swap bytes within words

        li      r0,10                           # inner loop counter
        mtctr   r0
        b       Loop_outer_vsx

.align  5
Loop_outer_vsx:
        lvx     $xa0,$x00,r12                   # load [smashed] sigma
        lvx     $xa1,$x10,r12
        lvx     $xa2,$x20,r12
        lvx     $xa3,$x30,r12

        vspltw  $xb0,@K[1],0                    # smash the key
        vspltw  $xb1,@K[1],1
        vspltw  $xb2,@K[1],2
        vspltw  $xb3,@K[1],3

        vspltw  $xc0,@K[2],0
        vspltw  $xc1,@K[2],1
        vspltw  $xc2,@K[2],2
        vspltw  $xc3,@K[2],3

        vmr     $xd0,$CTR                       # smash the counter
        vspltw  $xd1,@K[3],1
        vspltw  $xd2,@K[3],2
        vspltw  $xd3,@K[3],3

        vspltisw $sixteen,-16                   # synthesize constants
        vspltisw $twelve,12
        vspltisw $eight,8
        vspltisw $seven,7

Loop_vsx:
___
        foreach (&VSX_lane_ROUND(0, 4, 8,12)) { eval; }
        foreach (&VSX_lane_ROUND(0, 5,10,15)) { eval; }
$code.=<<___;
        bdnz    Loop_vsx

        vadduwm $xd0,$xd0,$CTR

        vmrgew  $xt0,$xa0,$xa1                  # transpose data
        vmrgew  $xt1,$xa2,$xa3
        vmrgow  $xa0,$xa0,$xa1
        vmrgow  $xa2,$xa2,$xa3
         vmrgew $xt2,$xb0,$xb1
         vmrgew $xt3,$xb2,$xb3
        vpermdi $xa1,$xa0,$xa2,0b00
        vpermdi $xa3,$xa0,$xa2,0b11
        vpermdi $xa0,$xt0,$xt1,0b00
        vpermdi $xa2,$xt0,$xt1,0b11

        vmrgow  $xb0,$xb0,$xb1
        vmrgow  $xb2,$xb2,$xb3
         vmrgew $xt0,$xc0,$xc1
         vmrgew $xt1,$xc2,$xc3
        vpermdi $xb1,$xb0,$xb2,0b00
        vpermdi $xb3,$xb0,$xb2,0b11
        vpermdi $xb0,$xt2,$xt3,0b00
        vpermdi $xb2,$xt2,$xt3,0b11

        vmrgow  $xc0,$xc0,$xc1
        vmrgow  $xc2,$xc2,$xc3
         vmrgew $xt2,$xd0,$xd1
         vmrgew $xt3,$xd2,$xd3
        vpermdi $xc1,$xc0,$xc2,0b00
        vpermdi $xc3,$xc0,$xc2,0b11
        vpermdi $xc0,$xt0,$xt1,0b00
        vpermdi $xc2,$xt0,$xt1,0b11

        vmrgow  $xd0,$xd0,$xd1
        vmrgow  $xd2,$xd2,$xd3
         vspltisw $xt0,4
         vadduwm  $CTR,$CTR,$xt0                # next counter value
        vpermdi $xd1,$xd0,$xd2,0b00
        vpermdi $xd3,$xd0,$xd2,0b11
        vpermdi $xd0,$xt2,$xt3,0b00
        vpermdi $xd2,$xt2,$xt3,0b11

        vadduwm $xa0,$xa0,@K[0]
        vadduwm $xb0,$xb0,@K[1]
        vadduwm $xc0,$xc0,@K[2]
        vadduwm $xd0,$xd0,@K[3]

        be?vperm $xa0,$xa0,$xa0,$beperm
        be?vperm $xb0,$xb0,$xb0,$beperm
        be?vperm $xc0,$xc0,$xc0,$beperm
        be?vperm $xd0,$xd0,$xd0,$beperm

        ${UCMP}i $len,0x40
        blt     Ltail_vsx

        lvx_4w  $xt0,$x00,$inp
        lvx_4w  $xt1,$x10,$inp
        lvx_4w  $xt2,$x20,$inp
        lvx_4w  $xt3,$x30,$inp

        vxor    $xt0,$xt0,$xa0
        vxor    $xt1,$xt1,$xb0
        vxor    $xt2,$xt2,$xc0
        vxor    $xt3,$xt3,$xd0

        stvx_4w $xt0,$x00,$out
        stvx_4w $xt1,$x10,$out
        addi    $inp,$inp,0x40
        stvx_4w $xt2,$x20,$out
        subi    $len,$len,0x40
        stvx_4w $xt3,$x30,$out
        addi    $out,$out,0x40
        beq     Ldone_vsx

        vadduwm $xa0,$xa1,@K[0]
        vadduwm $xb0,$xb1,@K[1]
        vadduwm $xc0,$xc1,@K[2]
        vadduwm $xd0,$xd1,@K[3]

        be?vperm $xa0,$xa0,$xa0,$beperm
        be?vperm $xb0,$xb0,$xb0,$beperm
        be?vperm $xc0,$xc0,$xc0,$beperm
        be?vperm $xd0,$xd0,$xd0,$beperm

        ${UCMP}i $len,0x40
        blt     Ltail_vsx

        lvx_4w  $xt0,$x00,$inp
        lvx_4w  $xt1,$x10,$inp
        lvx_4w  $xt2,$x20,$inp
        lvx_4w  $xt3,$x30,$inp

        vxor    $xt0,$xt0,$xa0
        vxor    $xt1,$xt1,$xb0
        vxor    $xt2,$xt2,$xc0
        vxor    $xt3,$xt3,$xd0

        stvx_4w $xt0,$x00,$out
        stvx_4w $xt1,$x10,$out
        addi    $inp,$inp,0x40
        stvx_4w $xt2,$x20,$out
        subi    $len,$len,0x40
        stvx_4w $xt3,$x30,$out
        addi    $out,$out,0x40
        beq     Ldone_vsx

        vadduwm $xa0,$xa2,@K[0]
        vadduwm $xb0,$xb2,@K[1]
        vadduwm $xc0,$xc2,@K[2]
        vadduwm $xd0,$xd2,@K[3]

        be?vperm $xa0,$xa0,$xa0,$beperm
        be?vperm $xb0,$xb0,$xb0,$beperm
        be?vperm $xc0,$xc0,$xc0,$beperm
        be?vperm $xd0,$xd0,$xd0,$beperm

        ${UCMP}i $len,0x40
        blt     Ltail_vsx

        lvx_4w  $xt0,$x00,$inp
        lvx_4w  $xt1,$x10,$inp
        lvx_4w  $xt2,$x20,$inp
        lvx_4w  $xt3,$x30,$inp

        vxor    $xt0,$xt0,$xa0
        vxor    $xt1,$xt1,$xb0
        vxor    $xt2,$xt2,$xc0
        vxor    $xt3,$xt3,$xd0

        stvx_4w $xt0,$x00,$out
        stvx_4w $xt1,$x10,$out
        addi    $inp,$inp,0x40
        stvx_4w $xt2,$x20,$out
        subi    $len,$len,0x40
        stvx_4w $xt3,$x30,$out
        addi    $out,$out,0x40
        beq     Ldone_vsx

        vadduwm $xa0,$xa3,@K[0]
        vadduwm $xb0,$xb3,@K[1]
        vadduwm $xc0,$xc3,@K[2]
        vadduwm $xd0,$xd3,@K[3]

        be?vperm $xa0,$xa0,$xa0,$beperm
        be?vperm $xb0,$xb0,$xb0,$beperm
        be?vperm $xc0,$xc0,$xc0,$beperm
        be?vperm $xd0,$xd0,$xd0,$beperm

        ${UCMP}i $len,0x40
        blt     Ltail_vsx

        lvx_4w  $xt0,$x00,$inp
        lvx_4w  $xt1,$x10,$inp
        lvx_4w  $xt2,$x20,$inp
        lvx_4w  $xt3,$x30,$inp

        vxor    $xt0,$xt0,$xa0
        vxor    $xt1,$xt1,$xb0
        vxor    $xt2,$xt2,$xc0
        vxor    $xt3,$xt3,$xd0

        stvx_4w $xt0,$x00,$out
        stvx_4w $xt1,$x10,$out
        addi    $inp,$inp,0x40
        stvx_4w $xt2,$x20,$out
        subi    $len,$len,0x40
        stvx_4w $xt3,$x30,$out
        addi    $out,$out,0x40
        mtctr   r0
        bne     Loop_outer_vsx

Ldone_vsx:
        lwz     r12,`$FRAME-4`($sp)             # pull vrsave
        li      r10,`15+$LOCALS+64`
        li      r11,`31+$LOCALS+64`
        $POP    r0, `$FRAME+$LRSAVE`($sp)
        mtspr   256,r12                         # restore vrsave
        lvx     v26,r10,$sp
        addi    r10,r10,32
        lvx     v27,r11,$sp
        addi    r11,r11,32
        lvx     v28,r10,$sp
        addi    r10,r10,32
        lvx     v29,r11,$sp
        addi    r11,r11,32
        lvx     v30,r10,$sp
        lvx     v31,r11,$sp
        mtlr    r0
        addi    $sp,$sp,$FRAME
        blr

.align  4
Ltail_vsx:
        addi    r11,$sp,$LOCALS
        mtctr   $len
        stvx_4w $xa0,$x00,r11                   # offload block to stack
        stvx_4w $xb0,$x10,r11
        stvx_4w $xc0,$x20,r11
        stvx_4w $xd0,$x30,r11
        subi    r12,r11,1                       # prepare for *++ptr
        subi    $inp,$inp,1
        subi    $out,$out,1

Loop_tail_vsx:
        lbzu    r6,1(r12)
        lbzu    r7,1($inp)
        xor     r6,r6,r7
        stbu    r6,1($out)
        bdnz    Loop_tail_vsx

        stvx_4w $K[0],$x00,r11                  # wipe copy of the block
        stvx_4w $K[0],$x10,r11
        stvx_4w $K[0],$x20,r11
        stvx_4w $K[0],$x30,r11

        b       Ldone_vsx
        .long   0
        .byte   0,12,0x04,1,0x80,0,5,0
        .long   0
.size   .ChaCha20_ctr32_vsx,.-.ChaCha20_ctr32_vsx
___
}}}
$code.=<<___;
.align  5
Lconsts:
        mflr    r0
        bcl     20,31,\$+4
        mflr    r12     #vvvvv "distance between . and Lsigma
        addi    r12,r12,`64-8`
        mtlr    r0
        blr
        .long   0
        .byte   0,12,0x14,0,0,0,0,0
        .space  `64-9*4`
Lsigma:
        .long   0x61707865,0x3320646e,0x79622d32,0x6b206574
        .long   1,0,0,0
        .long   4,0,0,0
___
$code.=<<___    if ($LITTLE_ENDIAN);
        .long   0x0e0f0c0d,0x0a0b0809,0x06070405,0x02030001
        .long   0x0d0e0f0c,0x090a0b08,0x05060704,0x01020300
___
$code.=<<___    if (!$LITTLE_ENDIAN);   # flipped words
        .long   0x02030001,0x06070405,0x0a0b0809,0x0e0f0c0d
        .long   0x01020300,0x05060704,0x090a0b08,0x0d0e0f0c
___
$code.=<<___;
        .long   0x61707865,0x61707865,0x61707865,0x61707865
        .long   0x3320646e,0x3320646e,0x3320646e,0x3320646e
        .long   0x79622d32,0x79622d32,0x79622d32,0x79622d32
        .long   0x6b206574,0x6b206574,0x6b206574,0x6b206574
        .long   0,1,2,3
.asciz  "ChaCha20 for PowerPC/AltiVec, CRYPTOGAMS by <appro\@openssl.org>"
.align  2
___

foreach (split("\n",$code)) {
        s/\`([^\`]*)\`/eval $1/ge;

        # instructions prefixed with '?' are endian-specific and need
        # to be adjusted accordingly...
        if ($flavour !~ /le$/) {        # big-endian
            s/be\?//            or
            s/le\?/#le#/        or
            s/\?lvsr/lvsl/      or
            s/\?lvsl/lvsr/      or
            s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/ or
            s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 16-$3/;
        } else {                        # little-endian
            s/le\?//            or
            s/be\?/#be#/        or
            s/\?([a-z]+)/$1/    or
            s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 $3/;
        }

        print $_,"\n";
}

close STDOUT or die "error closing STDOUT: $!";