diff --git a/Configure b/Configure

index 9c803dc..5a5c2d8 100755

--- a/Configure

+++ b/Configure

@@ -139,8 +139,8 @@ my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes

 my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";

 my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";

 my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";

-my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";

-my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::";

+my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";

+my $ppc32_asm=$ppc64_asm;

 my $no_asm=":::::::::::::::void";

 # As for $BSDthreads. Idea is to maintain "collective" set of flags,

@@ -357,6 +357,7 @@ my %table=(

 ####

 "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 "linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",

+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",

 "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

@@ -462,8 +463,8 @@ my %table=(

 #### IBM's AIX.

 "aix3-cc",  "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",

-"aix-gcc",  "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",

-"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",

+"aix-gcc",  "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:$ppc32_asm:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",

+"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:$ppc64_asm:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",

 # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE

 # at build time. $OBJECT_MODE is respected at ./config stage!

 "aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",

@@ -1525,7 +1526,7 @@ else	{

 	$wp_obj="wp_block.o";

 	}

 $cmll_obj=$cmll_enc	unless ($cmll_obj =~ /.o$/);

-if ($modes_obj =~ /ghash/)

+if ($modes_obj =~ /ghash\-/)

 	{

 	$cflags.=" -DGHASH_ASM";

 	}

diff --git a/config b/config

index 88b9bc6..8b80802 100755

--- a/config

+++ b/config

@@ -587,13 +587,20 @@ case "$GUESSOS" in

 	fi

 	;;

   ppc64-*-linux2)

-	echo "WARNING! If you wish to build 64-bit library, then you have to"

-	echo "         invoke './Configure linux-ppc64' *manually*."

-	if [ "$TEST" = "false" -a -t 1 ]; then

-	    echo "         You have about 5 seconds to press Ctrl-C to abort."

-	    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1

+	if [ -z "$KERNEL_BITS" ]; then

+	    echo "WARNING! If you wish to build 64-bit library, then you have to"

+	    echo "         invoke './Configure linux-ppc64' *manually*."

+	    if [ "$TEST" = "false" -a -t 1 ]; then

+		echo "         You have about 5 seconds to press Ctrl-C to abort."

+		(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1

+	    fi

+	fi

+	if [ "$KERNEL_BITS" = "64" ]; then

+	    OUT="linux-ppc64"

+	else

+	    OUT="linux-ppc"

+	    (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32"

 	fi

-	OUT="linux-ppc"

 	;;

   ppc-*-linux2) OUT="linux-ppc" ;;

   ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;

diff --git a/crypto/aes/Makefile b/crypto/aes/Makefile

index 45ede0a..847f4ee 100644

--- a/crypto/aes/Makefile

+++ b/crypto/aes/Makefile

@@ -71,6 +71,10 @@ aes-sparcv9.s: asm/aes-sparcv9.pl

 aes-ppc.s:	asm/aes-ppc.pl

 	$(PERL) asm/aes-ppc.pl $(PERLASM_SCHEME) $@

+vpaes-ppc.s:	asm/vpaes-ppc.pl

+	$(PERL) asm/vpaes-ppc.pl $(PERLASM_SCHEME) $@

+aesp8-ppc.s:	asm/aesp8-ppc.pl

+	$(PERL) asm/aesp8-ppc.pl $(PERLASM_SCHEME) $@

 aes-parisc.s:	asm/aes-parisc.pl

 	$(PERL) asm/aes-parisc.pl $(PERLASM_SCHEME) $@

diff --git a/crypto/aes/asm/aes-ppc.pl b/crypto/aes/asm/aes-ppc.pl

index 7c52cbe..7a99fc3 100644

--- a/crypto/aes/asm/aes-ppc.pl

+++ b/crypto/aes/asm/aes-ppc.pl

@@ -45,6 +45,8 @@ if ($flavour =~ /64/) {

 	$PUSH	="stw";

 } else { die "nonsense $flavour"; }

+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;

+

 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;

 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or

 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or

@@ -68,7 +70,7 @@ $key="r5";

 $Tbl0="r3";

 $Tbl1="r6";

 $Tbl2="r7";

-$Tbl3="r2";

+$Tbl3=$out;	# stay away from "r2"; $out is offloaded to stack

 $s0="r8";

 $s1="r9";

@@ -76,7 +78,7 @@ $s2="r10";

 $s3="r11";

 $t0="r12";

-$t1="r13";

+$t1="r0";	# stay away from "r13";

 $t2="r14";

 $t3="r15";

@@ -100,9 +102,6 @@ $acc13="r29";

 $acc14="r30";

 $acc15="r31";

-# stay away from TLS pointer

-if ($SIZE_T==8)	{ die if ($t1 ne "r13");  $t1="r0";		}

-else		{ die if ($Tbl3 ne "r2"); $Tbl3=$t0; $t0="r0";	}

 $mask80=$Tbl2;

 $mask1b=$Tbl3;

@@ -337,8 +336,7 @@ $code.=<<___;

 	$STU	$sp,-$FRAME($sp)

 	mflr	r0

-	$PUSH	$toc,`$FRAME-$SIZE_T*20`($sp)

-	$PUSH	r13,`$FRAME-$SIZE_T*19`($sp)

+	$PUSH	$out,`$FRAME-$SIZE_T*19`($sp)

 	$PUSH	r14,`$FRAME-$SIZE_T*18`($sp)

 	$PUSH	r15,`$FRAME-$SIZE_T*17`($sp)

 	$PUSH	r16,`$FRAME-$SIZE_T*16`($sp)

@@ -365,16 +363,61 @@ $code.=<<___;

 	bne	Lenc_unaligned

 Lenc_unaligned_ok:

+___

+$code.=<<___ if (!$LITTLE_ENDIAN);

 	lwz	$s0,0($inp)

 	lwz	$s1,4($inp)

 	lwz	$s2,8($inp)

 	lwz	$s3,12($inp)

+___

+$code.=<<___ if ($LITTLE_ENDIAN);

+	lwz	$t0,0($inp)

+	lwz	$t1,4($inp)

+	lwz	$t2,8($inp)

+	lwz	$t3,12($inp)

+	rotlwi	$s0,$t0,8

+	rotlwi	$s1,$t1,8

+	rotlwi	$s2,$t2,8

+	rotlwi	$s3,$t3,8

+	rlwimi	$s0,$t0,24,0,7

+	rlwimi	$s1,$t1,24,0,7

+	rlwimi	$s2,$t2,24,0,7

+	rlwimi	$s3,$t3,24,0,7

+	rlwimi	$s0,$t0,24,16,23

+	rlwimi	$s1,$t1,24,16,23

+	rlwimi	$s2,$t2,24,16,23

+	rlwimi	$s3,$t3,24,16,23

+___

+$code.=<<___;

 	bl	LAES_Te

 	bl	Lppc_AES_encrypt_compact

+	$POP	$out,`$FRAME-$SIZE_T*19`($sp)

+___

+$code.=<<___ if ($LITTLE_ENDIAN);

+	rotlwi	$t0,$s0,8

+	rotlwi	$t1,$s1,8

+	rotlwi	$t2,$s2,8

+	rotlwi	$t3,$s3,8

+	rlwimi	$t0,$s0,24,0,7

+	rlwimi	$t1,$s1,24,0,7

+	rlwimi	$t2,$s2,24,0,7

+	rlwimi	$t3,$s3,24,0,7

+	rlwimi	$t0,$s0,24,16,23

+	rlwimi	$t1,$s1,24,16,23

+	rlwimi	$t2,$s2,24,16,23

+	rlwimi	$t3,$s3,24,16,23

+	stw	$t0,0($out)

+	stw	$t1,4($out)

+	stw	$t2,8($out)

+	stw	$t3,12($out)

+___

+$code.=<<___ if (!$LITTLE_ENDIAN);

 	stw	$s0,0($out)

 	stw	$s1,4($out)

 	stw	$s2,8($out)

 	stw	$s3,12($out)

+___

+$code.=<<___;

 	b	Lenc_done

 Lenc_unaligned:

@@ -417,6 +460,7 @@ Lenc_xpage:

 	bl	LAES_Te

 	bl	Lppc_AES_encrypt_compact

+	$POP	$out,`$FRAME-$SIZE_T*19`($sp)

 	extrwi	$acc00,$s0,8,0

 	extrwi	$acc01,$s0,8,8

@@ -449,8 +493,6 @@ Lenc_xpage:

 Lenc_done:

 	$POP	r0,`$FRAME+$LRSAVE`($sp)

-	$POP	$toc,`$FRAME-$SIZE_T*20`($sp)

-	$POP	r13,`$FRAME-$SIZE_T*19`($sp)

 	$POP	r14,`$FRAME-$SIZE_T*18`($sp)

 	$POP	r15,`$FRAME-$SIZE_T*17`($sp)

 	$POP	r16,`$FRAME-$SIZE_T*16`($sp)

@@ -764,6 +806,7 @@ Lenc_compact_done:

 	blr

 	.long	0

 	.byte	0,12,0x14,0,0,0,0,0

+.size	.AES_encrypt,.-.AES_encrypt

 .globl	.AES_decrypt

 .align	7

@@ -771,8 +814,7 @@ Lenc_compact_done:

 	$STU	$sp,-$FRAME($sp)

 	mflr	r0

-	$PUSH	$toc,`$FRAME-$SIZE_T*20`($sp)

-	$PUSH	r13,`$FRAME-$SIZE_T*19`($sp)

+	$PUSH	$out,`$FRAME-$SIZE_T*19`($sp)

 	$PUSH	r14,`$FRAME-$SIZE_T*18`($sp)

 	$PUSH	r15,`$FRAME-$SIZE_T*17`($sp)

 	$PUSH	r16,`$FRAME-$SIZE_T*16`($sp)

@@ -799,16 +841,61 @@ Lenc_compact_done:

 	bne	Ldec_unaligned

 Ldec_unaligned_ok:

+___

+$code.=<<___ if (!$LITTLE_ENDIAN);

 	lwz	$s0,0($inp)

 	lwz	$s1,4($inp)

 	lwz	$s2,8($inp)

 	lwz	$s3,12($inp)

+___

+$code.=<<___ if ($LITTLE_ENDIAN);

+	lwz	$t0,0($inp)

+	lwz	$t1,4($inp)

+	lwz	$t2,8($inp)

+	lwz	$t3,12($inp)

+	rotlwi	$s0,$t0,8

+	rotlwi	$s1,$t1,8

+	rotlwi	$s2,$t2,8

+	rotlwi	$s3,$t3,8

+	rlwimi	$s0,$t0,24,0,7

+	rlwimi	$s1,$t1,24,0,7

+	rlwimi	$s2,$t2,24,0,7

+	rlwimi	$s3,$t3,24,0,7

+	rlwimi	$s0,$t0,24,16,23

+	rlwimi	$s1,$t1,24,16,23

+	rlwimi	$s2,$t2,24,16,23

+	rlwimi	$s3,$t3,24,16,23

+___

+$code.=<<___;

 	bl	LAES_Td

 	bl	Lppc_AES_decrypt_compact

+	$POP	$out,`$FRAME-$SIZE_T*19`($sp)

+___

+$code.=<<___ if ($LITTLE_ENDIAN);

+	rotlwi	$t0,$s0,8

+	rotlwi	$t1,$s1,8

+	rotlwi	$t2,$s2,8

+	rotlwi	$t3,$s3,8

+	rlwimi	$t0,$s0,24,0,7

+	rlwimi	$t1,$s1,24,0,7

+	rlwimi	$t2,$s2,24,0,7

+	rlwimi	$t3,$s3,24,0,7

+	rlwimi	$t0,$s0,24,16,23

+	rlwimi	$t1,$s1,24,16,23

+	rlwimi	$t2,$s2,24,16,23

+	rlwimi	$t3,$s3,24,16,23

+	stw	$t0,0($out)

+	stw	$t1,4($out)

+	stw	$t2,8($out)

+	stw	$t3,12($out)

+___

+$code.=<<___ if (!$LITTLE_ENDIAN);

 	stw	$s0,0($out)

 	stw	$s1,4($out)

 	stw	$s2,8($out)

 	stw	$s3,12($out)

+___

+$code.=<<___;

 	b	Ldec_done

 Ldec_unaligned:

@@ -851,6 +938,7 @@ Ldec_xpage:

 	bl	LAES_Td

 	bl	Lppc_AES_decrypt_compact

+	$POP	$out,`$FRAME-$SIZE_T*19`($sp)

 	extrwi	$acc00,$s0,8,0

 	extrwi	$acc01,$s0,8,8

@@ -883,8 +971,6 @@ Ldec_xpage:

 Ldec_done:

 	$POP	r0,`$FRAME+$LRSAVE`($sp)

-	$POP	$toc,`$FRAME-$SIZE_T*20`($sp)

-	$POP	r13,`$FRAME-$SIZE_T*19`($sp)

 	$POP	r14,`$FRAME-$SIZE_T*18`($sp)

 	$POP	r15,`$FRAME-$SIZE_T*17`($sp)

 	$POP	r16,`$FRAME-$SIZE_T*16`($sp)

@@ -1355,6 +1441,7 @@ Ldec_compact_done:

 	blr

 	.long	0

 	.byte	0,12,0x14,0,0,0,0,0

+.size	.AES_decrypt,.-.AES_decrypt

 .asciz	"AES for PPC, CRYPTOGAMS by <appro\@openssl.org>"

 .align	7

diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl

new file mode 100755

index 0000000..3ee8979

--- /dev/null

+++ b/crypto/aes/asm/aesp8-ppc.pl

@@ -0,0 +1,1940 @@

+#!/usr/bin/env perl

+#

+# ====================================================================

+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL

+# project. The module is, however, dual licensed under OpenSSL and

+# CRYPTOGAMS licenses depending on where you obtain it. For further

+# details see http://www.openssl.org/~appro/cryptogams/.

+# ====================================================================

+#

+# This module implements support for AES instructions as per PowerISA

+# specification version 2.07, first implemented by POWER8 processor.

+# The module is endian-agnostic in sense that it supports both big-

+# and little-endian cases. Data alignment in parallelizable modes is

+# handled with VSX loads and stores, which implies MSR.VSX flag being

+# set. It should also be noted that ISA specification doesn't prohibit

+# alignment exceptions for these instructions on page boundaries.

+# Initially alignment was handled in pure AltiVec/VMX way [when data

+# is aligned programmatically, which in turn guarantees exception-

+# free execution], but it turned to hamper performance when vcipher

+# instructions are interleaved. It's reckoned that eventual

+# misalignment penalties at page boundaries are in average lower

+# than additional overhead in pure AltiVec approach.

+

+$flavour = shift;

+

+if ($flavour =~ /64/) {

+	$SIZE_T	=8;

+	$LRSAVE	=2*$SIZE_T;

+	$STU	="stdu";

+	$POP	="ld";

+	$PUSH	="std";

+	$UCMP	="cmpld";

+	$SHL	="sldi";

+} elsif ($flavour =~ /32/) {

+	$SIZE_T	=4;

+	$LRSAVE	=$SIZE_T;

+	$STU	="stwu";

+	$POP	="lwz";

+	$PUSH	="stw";

+	$UCMP	="cmplw";

+	$SHL	="slwi";

+} else { die "nonsense $flavour"; }

+

+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;

+

+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;

+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or

+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or

+die "can't locate ppc-xlate.pl";

+

+open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";

+

+$FRAME=8*$SIZE_T;

+$prefix="aes_p8";

+

+$sp="r1";

+$vrsave="r12";

+

+#########################################################################

+{{{	# Key setup procedures						#

+my ($inp,$bits,$out,$ptr,$cnt,$rounds)=map("r$_",(3..8));

+my ($zero,$in0,$in1,$key,$rcon,$mask,$tmp)=map("v$_",(0..6));

+my ($stage,$outperm,$outmask,$outhead,$outtail)=map("v$_",(7..11));

+

+$code.=<<___;

+.machine	"any"

+

+.text

+

+.align	7

+rcon:

+.long	0x01000000, 0x01000000, 0x01000000, 0x01000000	?rev

+.long	0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000	?rev

+.long	0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c	?rev

+.long	0,0,0,0						?asis

+Lconsts:

+	mflr	r0

+	bcl	20,31,\$+4

+	mflr	$ptr	 #vvvvv "distance between . and rcon

+	addi	$ptr,$ptr,-0x48

+	mtlr	r0

+	blr

+	.long	0

+	.byte	0,12,0x14,0,0,0,0,0

+.asciz	"AES for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"

+

+.globl	.${prefix}_set_encrypt_key

+.align	5

+.${prefix}_set_encrypt_key:

+Lset_encrypt_key:

+	mflr		r11

+	$PUSH		r11,$LRSAVE($sp)

+

+	li		$ptr,-1

+	${UCMP}i	$inp,0

+	beq-		Lenc_key_abort		# if ($inp==0) return -1;

+	${UCMP}i	$out,0

+	beq-		Lenc_key_abort		# if ($out==0) return -1;

+	li		$ptr,-2

+	cmpwi		$bits,128

+	blt-		Lenc_key_abort

+	cmpwi		$bits,256

+	bgt-		Lenc_key_abort

+	andi.		r0,$bits,0x3f

+	bne-		Lenc_key_abort

+

+	lis		r0,0xfff0

+	mfspr		$vrsave,256

+	mtspr		256,r0

+

+	bl		Lconsts

+	mtlr		r11

+

+	neg		r9,$inp

+	lvx		$in0,0,$inp

+	addi		$inp,$inp,15		# 15 is not typo

+	lvsr		$key,0,r9		# borrow $key

+	li		r8,0x20

+	cmpwi		$bits,192

+	lvx		$in1,0,$inp

+	le?vspltisb	$mask,0x0f		# borrow $mask

+	lvx		$rcon,0,$ptr

+	le?vxor		$key,$key,$mask		# adjust for byte swap

+	lvx		$mask,r8,$ptr

+	addi		$ptr,$ptr,0x10

+	vperm		$in0,$in0,$in1,$key	# align [and byte swap in LE]

+	li		$cnt,8

+	vxor		$zero,$zero,$zero

+	mtctr		$cnt

+

+	?lvsr		$outperm,0,$out

+	vspltisb	$outmask,-1

+	lvx		$outhead,0,$out

+	?vperm		$outmask,$zero,$outmask,$outperm

+

+	blt		Loop128

+	addi		$inp,$inp,8

+	beq		L192

+	addi		$inp,$inp,8

+	b		L256

+

+.align	4

+Loop128:

+	vperm		$key,$in0,$in0,$mask	# rotate-n-splat

+	vsldoi		$tmp,$zero,$in0,12	# >>32

+	 vperm		$outtail,$in0,$in0,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	vcipherlast	$key,$key,$rcon

+	 stvx		$stage,0,$out

+	 addi		$out,$out,16

+

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	 vadduwm	$rcon,$rcon,$rcon

+	vxor		$in0,$in0,$key

+	bdnz		Loop128

+

+	lvx		$rcon,0,$ptr		# last two round keys

+

+	vperm		$key,$in0,$in0,$mask	# rotate-n-splat

+	vsldoi		$tmp,$zero,$in0,12	# >>32

+	 vperm		$outtail,$in0,$in0,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	vcipherlast	$key,$key,$rcon

+	 stvx		$stage,0,$out

+	 addi		$out,$out,16

+

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	 vadduwm	$rcon,$rcon,$rcon

+	vxor		$in0,$in0,$key

+

+	vperm		$key,$in0,$in0,$mask	# rotate-n-splat

+	vsldoi		$tmp,$zero,$in0,12	# >>32

+	 vperm		$outtail,$in0,$in0,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	vcipherlast	$key,$key,$rcon

+	 stvx		$stage,0,$out

+	 addi		$out,$out,16

+

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	vxor		$in0,$in0,$key

+	 vperm		$outtail,$in0,$in0,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	 stvx		$stage,0,$out

+

+	addi		$inp,$out,15		# 15 is not typo

+	addi		$out,$out,0x50

+

+	li		$rounds,10

+	b		Ldone

+

+.align	4

+L192:

+	lvx		$tmp,0,$inp

+	li		$cnt,4

+	 vperm		$outtail,$in0,$in0,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	 stvx		$stage,0,$out

+	 addi		$out,$out,16

+	vperm		$in1,$in1,$tmp,$key	# align [and byte swap in LE]

+	vspltisb	$key,8			# borrow $key

+	mtctr		$cnt

+	vsububm		$mask,$mask,$key	# adjust the mask

+

+Loop192:

+	vperm		$key,$in1,$in1,$mask	# roate-n-splat

+	vsldoi		$tmp,$zero,$in0,12	# >>32

+	vcipherlast	$key,$key,$rcon

+

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+

+	 vsldoi		$stage,$zero,$in1,8

+	vspltw		$tmp,$in0,3

+	vxor		$tmp,$tmp,$in1

+	vsldoi		$in1,$zero,$in1,12	# >>32

+	 vadduwm	$rcon,$rcon,$rcon

+	vxor		$in1,$in1,$tmp

+	vxor		$in0,$in0,$key

+	vxor		$in1,$in1,$key

+	 vsldoi		$stage,$stage,$in0,8

+

+	vperm		$key,$in1,$in1,$mask	# rotate-n-splat

+	vsldoi		$tmp,$zero,$in0,12	# >>32

+	 vperm		$outtail,$stage,$stage,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	vcipherlast	$key,$key,$rcon

+	 stvx		$stage,0,$out

+	 addi		$out,$out,16

+

+	 vsldoi		$stage,$in0,$in1,8

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	 vperm		$outtail,$stage,$stage,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	 stvx		$stage,0,$out

+	 addi		$out,$out,16

+

+	vspltw		$tmp,$in0,3

+	vxor		$tmp,$tmp,$in1

+	vsldoi		$in1,$zero,$in1,12	# >>32

+	 vadduwm	$rcon,$rcon,$rcon

+	vxor		$in1,$in1,$tmp

+	vxor		$in0,$in0,$key

+	vxor		$in1,$in1,$key

+	 vperm		$outtail,$in0,$in0,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	 stvx		$stage,0,$out

+	 addi		$inp,$out,15		# 15 is not typo

+	 addi		$out,$out,16

+	bdnz		Loop192

+

+	li		$rounds,12

+	addi		$out,$out,0x20

+	b		Ldone

+

+.align	4

+L256:

+	lvx		$tmp,0,$inp

+	li		$cnt,7

+	li		$rounds,14

+	 vperm		$outtail,$in0,$in0,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	 stvx		$stage,0,$out

+	 addi		$out,$out,16

+	vperm		$in1,$in1,$tmp,$key	# align [and byte swap in LE]

+	mtctr		$cnt

+

+Loop256:

+	vperm		$key,$in1,$in1,$mask	# rotate-n-splat

+	vsldoi		$tmp,$zero,$in0,12	# >>32

+	 vperm		$outtail,$in1,$in1,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	vcipherlast	$key,$key,$rcon

+	 stvx		$stage,0,$out

+	 addi		$out,$out,16

+

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in0,$in0,$tmp

+	 vadduwm	$rcon,$rcon,$rcon

+	vxor		$in0,$in0,$key

+	 vperm		$outtail,$in0,$in0,$outperm	# rotate

+	 vsel		$stage,$outhead,$outtail,$outmask

+	 vmr		$outhead,$outtail

+	 stvx		$stage,0,$out

+	 addi		$inp,$out,15		# 15 is not typo

+	 addi		$out,$out,16

+	bdz		Ldone

+

+	vspltw		$key,$in0,3		# just splat

+	vsldoi		$tmp,$zero,$in1,12	# >>32

+	vsbox		$key,$key

+

+	vxor		$in1,$in1,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in1,$in1,$tmp

+	vsldoi		$tmp,$zero,$tmp,12	# >>32

+	vxor		$in1,$in1,$tmp

+

+	vxor		$in1,$in1,$key

+	b		Loop256

+

+.align	4

+Ldone:

+	lvx		$in1,0,$inp		# redundant in aligned case

+	vsel		$in1,$outhead,$in1,$outmask

+	stvx		$in1,0,$inp

+	li		$ptr,0

+	mtspr		256,$vrsave

+	stw		$rounds,0($out)

+

+Lenc_key_abort:

+	mr		r3,$ptr

+	blr

+	.long		0

+	.byte		0,12,0x14,1,0,0,3,0

+	.long		0

+.size	.${prefix}_set_encrypt_key,.-.${prefix}_set_encrypt_key

+

+.globl	.${prefix}_set_decrypt_key

+.align	5

+.${prefix}_set_decrypt_key:

+	$STU		$sp,-$FRAME($sp)

+	mflr		r10

+	$PUSH		r10,$FRAME+$LRSAVE($sp)

+	bl		Lset_encrypt_key

+	mtlr		r10

+

+	cmpwi		r3,0

+	bne-		Ldec_key_abort

+

+	slwi		$cnt,$rounds,4

+	subi		$inp,$out,240		# first round key

+	srwi		$rounds,$rounds,1

+	add		$out,$inp,$cnt		# last round key

+	mtctr		$rounds

+

+Ldeckey:

+	lwz		r0, 0($inp)

+	lwz		r6, 4($inp)

+	lwz		r7, 8($inp)

+	lwz		r8, 12($inp)

+	addi		$inp,$inp,16

+	lwz		r9, 0($out)

+	lwz		r10,4($out)

+	lwz		r11,8($out)

+	lwz		r12,12($out)

+	stw		r0, 0($out)

+	stw		r6, 4($out)

+	stw		r7, 8($out)

+	stw		r8, 12($out)

+	subi		$out,$out,16

+	stw		r9, -16($inp)

+	stw		r10,-12($inp)

+	stw		r11,-8($inp)

+	stw		r12,-4($inp)

+	bdnz		Ldeckey

+

+	xor		r3,r3,r3		# return value