--- /dev/null
+#! /usr/bin/env perl
+# Author: Min Zhou <zhoumin@loongson.cn>
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+
+my $code;
+
+# Here is the scalar register layout for LoongArch.
+my ($zero,$ra,$tp,$sp,$fp)=map("\$r$_",(0..3,22));
+my ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$r$_",(4..11));
+my ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$x)=map("\$r$_",(12..21));
+my ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8)=map("\$r$_",(23..31));
+
+# Here is the 128-bit vector register layout for LSX extension.
+my ($vr0,$vr1,$vr2,$vr3,$vr4,$vr5,$vr6,$vr7,$vr8,$vr9,$vr10,
+ $vr11,$vr12,$vr13,$vr14,$vr15,$vr16,$vr17,$vr18,$vr19,
+ $vr20,$vr21,$vr22,$vr23,$vr24,$vr25,$vr26,$vr27,$vr28,
+ $vr29,$vr30,$vr31)=map("\$vr$_",(0..31));
+
+# Here is the 256-bit vector register layout for LASX extension.
+my ($xr0,$xr1,$xr2,$xr3,$xr4,$xr5,$xr6,$xr7,$xr8,$xr9,$xr10,
+ $xr11,$xr12,$xr13,$xr14,$xr15,$xr16,$xr17,$xr18,$xr19,
+ $xr20,$xr21,$xr22,$xr23,$xr24,$xr25,$xr26,$xr27,$xr28,
+ $xr29,$xr30,$xr31)=map("\$xr$_",(0..31));
+
+my $output;
+for (@ARGV) { $output=$_ if (/\w[\w\-]*\.\w+$/); }
+open STDOUT,">$output";
+
+# Input parameter block
+my ($out, $inp, $len, $key, $counter) = ($a0, $a1, $a2, $a3, $a4);
+
+$code .= <<EOF;
+#include "loongarch_arch.h"
+
+.text
+
+.extern OPENSSL_loongarch_hwcap_P
+
+.align 6
+.Lsigma:
+.ascii "expand 32-byte k"
+.Linc8x:
+.long 0,1,2,3,4,5,6,7
+.Linc4x:
+.long 0,1,2,3
+
+.globl ChaCha20_ctr32
+.type ChaCha20_ctr32 function
+
+.align 6
+ChaCha20_ctr32:
+ # $a0 = arg #1 (out pointer)
+ # $a1 = arg #2 (inp pointer)
+ # $a2 = arg #3 (len)
+ # $a3 = arg #4 (key array)
+ # $a4 = arg #5 (counter array)
+
+ beqz $len,.Lno_data
+ la.pcrel $t0,OPENSSL_loongarch_hwcap_P
+ ld.w $t0,$t0,0
+
+ andi $t1,$t0,LOONGARCH_HWCAP_LASX
+ bnez $t1,.LChaCha20_8x
+
+ andi $t2,$t0,LOONGARCH_HWCAP_LSX
+ bnez $t2,.LChaCha20_4x
+
+ b .LChaCha20_1x
+
+EOF
+
+########################################################################
+# Scalar code path that handles all lengths.
+{
+# Load the initial states in array @x[*] and update directly
+my @x = ($t0, $t1, $t2, $t3, $t4, $t5, $t6, $t7,
+ $s0, $s1, $s2, $s3, $s4, $s5, $s6, $s7);
+
+sub ROUND {
+ my ($a0,$b0,$c0,$d0) = @_;
+ my ($a1,$b1,$c1,$d1) = map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
+ my ($a2,$b2,$c2,$d2) = map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
+ my ($a3,$b3,$c3,$d3) = map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
+
+$code .= <<EOF;
+ add.w @x[$a0],@x[$a0],@x[$b0]
+ xor @x[$d0],@x[$d0],@x[$a0]
+ rotri.w @x[$d0],@x[$d0],16 # rotate left 16 bits
+ add.w @x[$a1],@x[$a1],@x[$b1]
+ xor @x[$d1],@x[$d1],@x[$a1]
+ rotri.w @x[$d1],@x[$d1],16
+
+ add.w @x[$c0],@x[$c0],@x[$d0]
+ xor @x[$b0],@x[$b0],@x[$c0]
+ rotri.w @x[$b0],@x[$b0],20 # rotate left 12 bits
+ add.w @x[$c1],@x[$c1],@x[$d1]
+ xor @x[$b1],@x[$b1],@x[$c1]
+ rotri.w @x[$b1],@x[$b1],20
+
+ add.w @x[$a0],@x[$a0],@x[$b0]
+ xor @x[$d0],@x[$d0],@x[$a0]
+ rotri.w @x[$d0],@x[$d0],24 # rotate left 8 bits
+ add.w @x[$a1],@x[$a1],@x[$b1]
+ xor @x[$d1],@x[$d1],@x[$a1]
+ rotri.w @x[$d1],@x[$d1],24
+
+ add.w @x[$c0],@x[$c0],@x[$d0]
+ xor @x[$b0],@x[$b0],@x[$c0]
+ rotri.w @x[$b0],@x[$b0],25 # rotate left 7 bits
+ add.w @x[$c1],@x[$c1],@x[$d1]
+ xor @x[$b1],@x[$b1],@x[$c1]
+ rotri.w @x[$b1],@x[$b1],25
+
+ add.w @x[$a2],@x[$a2],@x[$b2]
+ xor @x[$d2],@x[$d2],@x[$a2]
+ rotri.w @x[$d2],@x[$d2],16
+ add.w @x[$a3],@x[$a3],@x[$b3]
+ xor @x[$d3],@x[$d3],@x[$a3]
+ rotri.w @x[$d3],@x[$d3],16
+
+ add.w @x[$c2],@x[$c2],@x[$d2]
+ xor @x[$b2],@x[$b2],@x[$c2]
+ rotri.w @x[$b2],@x[$b2],20
+ add.w @x[$c3],@x[$c3],@x[$d3]
+ xor @x[$b3],@x[$b3],@x[$c3]
+ rotri.w @x[$b3],@x[$b3],20
+
+ add.w @x[$a2],@x[$a2],@x[$b2]
+ xor @x[$d2],@x[$d2],@x[$a2]
+ rotri.w @x[$d2],@x[$d2],24
+ add.w @x[$a3],@x[$a3],@x[$b3]
+ xor @x[$d3],@x[$d3],@x[$a3]
+ rotri.w @x[$d3],@x[$d3],24
+
+ add.w @x[$c2],@x[$c2],@x[$d2]
+ xor @x[$b2],@x[$b2],@x[$c2]
+ rotri.w @x[$b2],@x[$b2],25
+ add.w @x[$c3],@x[$c3],@x[$d3]
+ xor @x[$b3],@x[$b3],@x[$c3]
+ rotri.w @x[$b3],@x[$b3],25
+
+EOF
+}
+
+$code .= <<EOF;
+.align 6
+.LChaCha20_1x:
+ addi.d $sp,$sp,-256
+ st.d $s0,$sp,0
+ st.d $s1,$sp,8
+ st.d $s2,$sp,16
+ st.d $s3,$sp,24
+ st.d $s4,$sp,32
+ st.d $s5,$sp,40
+ st.d $s6,$sp,48
+ st.d $s7,$sp,56
+ st.d $s8,$sp,64
+
+ # Save the initial block counter in $s8
+ ld.w $s8,$counter,0
+ b .Loop_outer_1x
+
+.align 5
+.Loop_outer_1x:
+ # Load constants
+ la.local $t8,.Lsigma
+ ld.w @x[0],$t8,0 # 'expa'
+ ld.w @x[1],$t8,4 # 'nd 3'
+ ld.w @x[2],$t8,8 # '2-by'
+ ld.w @x[3],$t8,12 # 'te k'
+
+ # Load key
+ ld.w @x[4],$key,4*0
+ ld.w @x[5],$key,4*1
+ ld.w @x[6],$key,4*2
+ ld.w @x[7],$key,4*3
+ ld.w @x[8],$key,4*4
+ ld.w @x[9],$key,4*5
+ ld.w @x[10],$key,4*6
+ ld.w @x[11],$key,4*7
+
+ # Load block counter
+ move @x[12],$s8
+
+ # Load nonce
+ ld.w @x[13],$counter,4*1
+ ld.w @x[14],$counter,4*2
+ ld.w @x[15],$counter,4*3
+
+ # Update states in \@x[*] for 20 rounds
+ ori $t8,$zero,10
+ b .Loop_1x
+
+.align 5
+.Loop_1x:
+EOF
+
+&ROUND (0, 4, 8, 12);
+&ROUND (0, 5, 10, 15);
+
+$code .= <<EOF;
+ addi.w $t8,$t8,-1
+ bnez $t8,.Loop_1x
+
+ # Get the final states by adding the initial states
+ la.local $t8,.Lsigma
+ ld.w $a7,$t8,4*0
+ ld.w $a6,$t8,4*1
+ ld.w $a5,$t8,4*2
+ add.w @x[0],@x[0],$a7
+ add.w @x[1],@x[1],$a6
+ add.w @x[2],@x[2],$a5
+ ld.w $a7,$t8,4*3
+ add.w @x[3],@x[3],$a7
+
+ ld.w $t8,$key,4*0
+ ld.w $a7,$key,4*1
+ ld.w $a6,$key,4*2
+ ld.w $a5,$key,4*3
+ add.w @x[4],@x[4],$t8
+ add.w @x[5],@x[5],$a7
+ add.w @x[6],@x[6],$a6
+ add.w @x[7],@x[7],$a5
+
+ ld.w $t8,$key,4*4
+ ld.w $a7,$key,4*5
+ ld.w $a6,$key,4*6
+ ld.w $a5,$key,4*7
+ add.w @x[8],@x[8],$t8
+ add.w @x[9],@x[9],$a7
+ add.w @x[10],@x[10],$a6
+ add.w @x[11],@x[11],$a5
+
+ add.w @x[12],@x[12],$s8
+
+ ld.w $t8,$counter,4*1
+ ld.w $a7,$counter,4*2
+ ld.w $a6,$counter,4*3
+ add.w @x[13],@x[13],$t8
+ add.w @x[14],@x[14],$a7
+ add.w @x[15],@x[15],$a6
+
+ ori $t8,$zero,64
+ bltu $len,$t8,.Ltail_1x
+
+ # Get the encrypted message by xor states with plaintext
+ ld.w $t8,$inp,4*0
+ ld.w $a7,$inp,4*1
+ ld.w $a6,$inp,4*2
+ ld.w $a5,$inp,4*3
+ xor $t8,$t8,@x[0]
+ xor $a7,$a7,@x[1]
+ xor $a6,$a6,@x[2]
+ xor $a5,$a5,@x[3]
+ st.w $t8,$out,4*0
+ st.w $a7,$out,4*1
+ st.w $a6,$out,4*2
+ st.w $a5,$out,4*3
+
+ ld.w $t8,$inp,4*4
+ ld.w $a7,$inp,4*5
+ ld.w $a6,$inp,4*6
+ ld.w $a5,$inp,4*7
+ xor $t8,$t8,@x[4]
+ xor $a7,$a7,@x[5]
+ xor $a6,$a6,@x[6]
+ xor $a5,$a5,@x[7]
+ st.w $t8,$out,4*4
+ st.w $a7,$out,4*5
+ st.w $a6,$out,4*6
+ st.w $a5,$out,4*7
+
+ ld.w $t8,$inp,4*8
+ ld.w $a7,$inp,4*9
+ ld.w $a6,$inp,4*10
+ ld.w $a5,$inp,4*11
+ xor $t8,$t8,@x[8]
+ xor $a7,$a7,@x[9]
+ xor $a6,$a6,@x[10]
+ xor $a5,$a5,@x[11]
+ st.w $t8,$out,4*8
+ st.w $a7,$out,4*9
+ st.w $a6,$out,4*10
+ st.w $a5,$out,4*11
+
+ ld.w $t8,$inp,4*12
+ ld.w $a7,$inp,4*13
+ ld.w $a6,$inp,4*14
+ ld.w $a5,$inp,4*15
+ xor $t8,$t8,@x[12]
+ xor $a7,$a7,@x[13]
+ xor $a6,$a6,@x[14]
+ xor $a5,$a5,@x[15]
+ st.w $t8,$out,4*12
+ st.w $a7,$out,4*13
+ st.w $a6,$out,4*14
+ st.w $a5,$out,4*15
+
+ addi.d $len,$len,-64
+ beqz $len,.Ldone_1x
+ addi.d $inp,$inp,64
+ addi.d $out,$out,64
+ addi.w $s8,$s8,1
+ b .Loop_outer_1x
+
+.align 4
+.Ltail_1x:
+ # Handle the tail for 1x (1 <= tail_len <= 63)
+ addi.d $a7,$sp,72
+ st.w @x[0],$a7,4*0
+ st.w @x[1],$a7,4*1
+ st.w @x[2],$a7,4*2
+ st.w @x[3],$a7,4*3
+ st.w @x[4],$a7,4*4
+ st.w @x[5],$a7,4*5
+ st.w @x[6],$a7,4*6
+ st.w @x[7],$a7,4*7
+ st.w @x[8],$a7,4*8
+ st.w @x[9],$a7,4*9
+ st.w @x[10],$a7,4*10
+ st.w @x[11],$a7,4*11
+ st.w @x[12],$a7,4*12
+ st.w @x[13],$a7,4*13
+ st.w @x[14],$a7,4*14
+ st.w @x[15],$a7,4*15
+
+ move $t8,$zero
+
+.Loop_tail_1x:
+ # Xor input with states byte by byte
+ ldx.bu $a6,$inp,$t8
+ ldx.bu $a5,$a7,$t8
+ xor $a6,$a6,$a5
+ stx.b $a6,$out,$t8
+ addi.w $t8,$t8,1
+ addi.d $len,$len,-1
+ bnez $len,.Loop_tail_1x
+ b .Ldone_1x
+
+.Ldone_1x:
+ ld.d $s0,$sp,0
+ ld.d $s1,$sp,8
+ ld.d $s2,$sp,16
+ ld.d $s3,$sp,24
+ ld.d $s4,$sp,32
+ ld.d $s5,$sp,40
+ ld.d $s6,$sp,48
+ ld.d $s7,$sp,56
+ ld.d $s8,$sp,64
+ addi.d $sp,$sp,256
+
+ b .Lend
+
+EOF
+}
+
+########################################################################
+# 128-bit LSX code path that handles all lengths.
+{
+# Load the initial states in array @x[*] and update directly.
+my @x = ($vr0, $vr1, $vr2, $vr3, $vr4, $vr5, $vr6, $vr7,
+ $vr8, $vr9, $vr10, $vr11, $vr12, $vr13, $vr14, $vr15);
+
+# Save the initial states in array @y[*]
+my @y = ($vr16, $vr17, $vr18, $vr19, $vr20, $vr21, $vr22, $vr23,
+ $vr24, $vr25, $vr26, $vr27, $vr28, $vr29, $vr30, $vr31);
+
+sub ROUND_4x {
+ my ($a0,$b0,$c0,$d0) = @_;
+ my ($a1,$b1,$c1,$d1) = map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
+ my ($a2,$b2,$c2,$d2) = map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
+ my ($a3,$b3,$c3,$d3) = map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
+
+$code .= <<EOF;
+ vadd.w @x[$a0],@x[$a0],@x[$b0]
+ vxor.v @x[$d0],@x[$d0],@x[$a0]
+ vrotri.w @x[$d0],@x[$d0],16 # rotate left 16 bits
+ vadd.w @x[$a1],@x[$a1],@x[$b1]
+ vxor.v @x[$d1],@x[$d1],@x[$a1]
+ vrotri.w @x[$d1],@x[$d1],16
+
+ vadd.w @x[$c0],@x[$c0],@x[$d0]
+ vxor.v @x[$b0],@x[$b0],@x[$c0]
+ vrotri.w @x[$b0],@x[$b0],20 # rotate left 12 bits
+ vadd.w @x[$c1],@x[$c1],@x[$d1]
+ vxor.v @x[$b1],@x[$b1],@x[$c1]
+ vrotri.w @x[$b1],@x[$b1],20
+
+ vadd.w @x[$a0],@x[$a0],@x[$b0]
+ vxor.v @x[$d0],@x[$d0],@x[$a0]
+ vrotri.w @x[$d0],@x[$d0],24 # rotate left 8 bits
+ vadd.w @x[$a1],@x[$a1],@x[$b1]
+ vxor.v @x[$d1],@x[$d1],@x[$a1]
+ vrotri.w @x[$d1],@x[$d1],24
+
+ vadd.w @x[$c0],@x[$c0],@x[$d0]
+ vxor.v @x[$b0],@x[$b0],@x[$c0]
+ vrotri.w @x[$b0],@x[$b0],25 # rotate left 7 bits
+ vadd.w @x[$c1],@x[$c1],@x[$d1]
+ vxor.v @x[$b1],@x[$b1],@x[$c1]
+ vrotri.w @x[$b1],@x[$b1],25
+
+ vadd.w @x[$a2],@x[$a2],@x[$b2]
+ vxor.v @x[$d2],@x[$d2],@x[$a2]
+ vrotri.w @x[$d2],@x[$d2],16
+ vadd.w @x[$a3],@x[$a3],@x[$b3]
+ vxor.v @x[$d3],@x[$d3],@x[$a3]
+ vrotri.w @x[$d3],@x[$d3],16
+
+ vadd.w @x[$c2],@x[$c2],@x[$d2]
+ vxor.v @x[$b2],@x[$b2],@x[$c2]
+ vrotri.w @x[$b2],@x[$b2],20
+ vadd.w @x[$c3],@x[$c3],@x[$d3]
+ vxor.v @x[$b3],@x[$b3],@x[$c3]
+ vrotri.w @x[$b3],@x[$b3],20
+
+ vadd.w @x[$a2],@x[$a2],@x[$b2]
+ vxor.v @x[$d2],@x[$d2],@x[$a2]
+ vrotri.w @x[$d2],@x[$d2],24
+ vadd.w @x[$a3],@x[$a3],@x[$b3]
+ vxor.v @x[$d3],@x[$d3],@x[$a3]
+ vrotri.w @x[$d3],@x[$d3],24
+
+ vadd.w @x[$c2],@x[$c2],@x[$d2]
+ vxor.v @x[$b2],@x[$b2],@x[$c2]
+ vrotri.w @x[$b2],@x[$b2],25
+ vadd.w @x[$c3],@x[$c3],@x[$d3]
+ vxor.v @x[$b3],@x[$b3],@x[$c3]
+ vrotri.w @x[$b3],@x[$b3],25
+
+EOF
+}
+
+$code .= <<EOF;
+.align 6
+.LChaCha20_4x:
+ ori $t3,$zero,64
+ bleu $len,$t3,.LChaCha20_1x # goto 1x when len <= 64
+
+ addi.d $sp,$sp,-128
+
+ # Save the initial block counter in $t4
+ ld.w $t4,$counter,0
+ b .Loop_outer_4x
+
+.align 5
+.Loop_outer_4x:
+ # Load constant
+ la.local $t8,.Lsigma
+ vldrepl.w @x[0],$t8,4*0 # 'expa'
+ vldrepl.w @x[1],$t8,4*1 # 'nd 3'
+ vldrepl.w @x[2],$t8,4*2 # '2-by'
+ vldrepl.w @x[3],$t8,4*3 # 'te k'
+
+ # Load key
+ vldrepl.w @x[4],$key,4*0
+ vldrepl.w @x[5],$key,4*1
+ vldrepl.w @x[6],$key,4*2
+ vldrepl.w @x[7],$key,4*3
+ vldrepl.w @x[8],$key,4*4
+ vldrepl.w @x[9],$key,4*5
+ vldrepl.w @x[10],$key,4*6
+ vldrepl.w @x[11],$key,4*7
+
+ # Load block counter
+ vreplgr2vr.w @x[12],$t4
+
+ # Load nonce
+ vldrepl.w @x[13],$counter,4*1
+ vldrepl.w @x[14],$counter,4*2
+ vldrepl.w @x[15],$counter,4*3
+
+ # Get the correct block counter for each block
+ la.local $t8,.Linc4x
+ vld @y[0],$t8,0
+ vadd.w @x[12],@x[12],@y[0]
+
+ # Copy the initial states from \@x[*] to \@y[*]
+ vori.b @y[0],@x[0],0
+ vori.b @y[1],@x[1],0
+ vori.b @y[2],@x[2],0
+ vori.b @y[3],@x[3],0
+ vori.b @y[4],@x[4],0
+ vori.b @y[5],@x[5],0
+ vori.b @y[6],@x[6],0
+ vori.b @y[7],@x[7],0
+ vori.b @y[8],@x[8],0
+ vori.b @y[9],@x[9],0
+ vori.b @y[10],@x[10],0
+ vori.b @y[11],@x[11],0
+ vori.b @y[12],@x[12],0
+ vori.b @y[13],@x[13],0
+ vori.b @y[14],@x[14],0
+ vori.b @y[15],@x[15],0
+
+ # Update states in \@x[*] for 20 rounds
+ ori $t8,$zero,10
+ b .Loop_4x
+
+.align 5
+.Loop_4x:
+EOF
+
+&ROUND_4x (0, 4, 8, 12);
+&ROUND_4x (0, 5, 10, 15);
+
+$code .= <<EOF;
+ addi.w $t8,$t8,-1
+ bnez $t8,.Loop_4x
+
+ # Get the final states by adding the initial states
+ vadd.w @x[0],@x[0],@y[0]
+ vadd.w @x[1],@x[1],@y[1]
+ vadd.w @x[2],@x[2],@y[2]
+ vadd.w @x[3],@x[3],@y[3]
+ vadd.w @x[4],@x[4],@y[4]
+ vadd.w @x[5],@x[5],@y[5]
+ vadd.w @x[6],@x[6],@y[6]
+ vadd.w @x[7],@x[7],@y[7]
+ vadd.w @x[8],@x[8],@y[8]
+ vadd.w @x[9],@x[9],@y[9]
+ vadd.w @x[10],@x[10],@y[10]
+ vadd.w @x[11],@x[11],@y[11]
+ vadd.w @x[12],@x[12],@y[12]
+ vadd.w @x[13],@x[13],@y[13]
+ vadd.w @x[14],@x[14],@y[14]
+ vadd.w @x[15],@x[15],@y[15]
+
+ # Get the transpose of \@x[*] and save them in \@x[*]
+ vilvl.w @y[0],@x[1],@x[0]
+ vilvh.w @y[1],@x[1],@x[0]
+ vilvl.w @y[2],@x[3],@x[2]
+ vilvh.w @y[3],@x[3],@x[2]
+ vilvl.w @y[4],@x[5],@x[4]
+ vilvh.w @y[5],@x[5],@x[4]
+ vilvl.w @y[6],@x[7],@x[6]
+ vilvh.w @y[7],@x[7],@x[6]
+ vilvl.w @y[8],@x[9],@x[8]
+ vilvh.w @y[9],@x[9],@x[8]
+ vilvl.w @y[10],@x[11],@x[10]
+ vilvh.w @y[11],@x[11],@x[10]
+ vilvl.w @y[12],@x[13],@x[12]
+ vilvh.w @y[13],@x[13],@x[12]
+ vilvl.w @y[14],@x[15],@x[14]
+ vilvh.w @y[15],@x[15],@x[14]
+
+ vilvl.d @x[0],@y[2],@y[0]
+ vilvh.d @x[1],@y[2],@y[0]
+ vilvl.d @x[2],@y[3],@y[1]
+ vilvh.d @x[3],@y[3],@y[1]
+ vilvl.d @x[4],@y[6],@y[4]
+ vilvh.d @x[5],@y[6],@y[4]
+ vilvl.d @x[6],@y[7],@y[5]
+ vilvh.d @x[7],@y[7],@y[5]
+ vilvl.d @x[8],@y[10],@y[8]
+ vilvh.d @x[9],@y[10],@y[8]
+ vilvl.d @x[10],@y[11],@y[9]
+ vilvh.d @x[11],@y[11],@y[9]
+ vilvl.d @x[12],@y[14],@y[12]
+ vilvh.d @x[13],@y[14],@y[12]
+ vilvl.d @x[14],@y[15],@y[13]
+ vilvh.d @x[15],@y[15],@y[13]
+EOF
+
+# Adjust the order of elements in @x[*] for ease of use.
+@x = (@x[0],@x[4],@x[8],@x[12],@x[1],@x[5],@x[9],@x[13],
+ @x[2],@x[6],@x[10],@x[14],@x[3],@x[7],@x[11],@x[15]);
+
+$code .= <<EOF;
+ ori $t8,$zero,64*4
+ bltu $len,$t8,.Ltail_4x
+
+ # Get the encrypted message by xor states with plaintext
+ vld @y[0],$inp,16*0
+ vld @y[1],$inp,16*1
+ vld @y[2],$inp,16*2
+ vld @y[3],$inp,16*3
+ vxor.v @y[0],@y[0],@x[0]
+ vxor.v @y[1],@y[1],@x[1]
+ vxor.v @y[2],@y[2],@x[2]
+ vxor.v @y[3],@y[3],@x[3]
+ vst @y[0],$out,16*0
+ vst @y[1],$out,16*1
+ vst @y[2],$out,16*2
+ vst @y[3],$out,16*3
+
+ vld @y[0],$inp,16*4
+ vld @y[1],$inp,16*5
+ vld @y[2],$inp,16*6
+ vld @y[3],$inp,16*7
+ vxor.v @y[0],@y[0],@x[4]
+ vxor.v @y[1],@y[1],@x[5]
+ vxor.v @y[2],@y[2],@x[6]
+ vxor.v @y[3],@y[3],@x[7]
+ vst @y[0],$out,16*4
+ vst @y[1],$out,16*5
+ vst @y[2],$out,16*6
+ vst @y[3],$out,16*7
+
+ vld @y[0],$inp,16*8
+ vld @y[1],$inp,16*9
+ vld @y[2],$inp,16*10
+ vld @y[3],$inp,16*11
+ vxor.v @y[0],@y[0],@x[8]
+ vxor.v @y[1],@y[1],@x[9]
+ vxor.v @y[2],@y[2],@x[10]
+ vxor.v @y[3],@y[3],@x[11]
+ vst @y[0],$out,16*8
+ vst @y[1],$out,16*9
+ vst @y[2],$out,16*10
+ vst @y[3],$out,16*11
+
+ vld @y[0],$inp,16*12
+ vld @y[1],$inp,16*13
+ vld @y[2],$inp,16*14
+ vld @y[3],$inp,16*15
+ vxor.v @y[0],@y[0],@x[12]
+ vxor.v @y[1],@y[1],@x[13]
+ vxor.v @y[2],@y[2],@x[14]
+ vxor.v @y[3],@y[3],@x[15]
+ vst @y[0],$out,16*12
+ vst @y[1],$out,16*13
+ vst @y[2],$out,16*14
+ vst @y[3],$out,16*15
+
+ addi.d $len,$len,-64*4
+ beqz $len,.Ldone_4x
+ addi.d $inp,$inp,64*4
+ addi.d $out,$out,64*4
+ addi.w $t4,$t4,4
+ b .Loop_outer_4x
+
+.Ltail_4x:
+ # Handle the tail for 4x (1 <= tail_len <= 255)
+ ori $t8,$zero,192
+ bgeu $len,$t8,.L192_or_more4x
+ ori $t8,$zero,128
+ bgeu $len,$t8,.L128_or_more4x
+ ori $t8,$zero,64
+ bgeu $len,$t8,.L64_or_more4x
+
+ vst @x[0],$sp,16*0
+ vst @x[1],$sp,16*1
+ vst @x[2],$sp,16*2
+ vst @x[3],$sp,16*3
+ move $t8,$zero
+ b .Loop_tail_4x
+
+.align 5
+.L64_or_more4x:
+ vld @y[0],$inp,16*0
+ vld @y[1],$inp,16*1
+ vld @y[2],$inp,16*2
+ vld @y[3],$inp,16*3
+ vxor.v @y[0],@y[0],@x[0]
+ vxor.v @y[1],@y[1],@x[1]
+ vxor.v @y[2],@y[2],@x[2]
+ vxor.v @y[3],@y[3],@x[3]
+ vst @y[0],$out,16*0
+ vst @y[1],$out,16*1
+ vst @y[2],$out,16*2
+ vst @y[3],$out,16*3
+
+ addi.d $len,$len,-64
+ beqz $len,.Ldone_4x
+ addi.d $inp,$inp,64
+ addi.d $out,$out,64
+ vst @x[4],$sp,16*0
+ vst @x[5],$sp,16*1
+ vst @x[6],$sp,16*2
+ vst @x[7],$sp,16*3
+ move $t8,$zero
+ b .Loop_tail_4x
+
+.align 5
+.L128_or_more4x:
+ vld @y[0],$inp,16*0
+ vld @y[1],$inp,16*1
+ vld @y[2],$inp,16*2
+ vld @y[3],$inp,16*3
+ vxor.v @y[0],@y[0],@x[0]
+ vxor.v @y[1],@y[1],@x[1]
+ vxor.v @y[2],@y[2],@x[2]
+ vxor.v @y[3],@y[3],@x[3]
+ vst @y[0],$out,16*0
+ vst @y[1],$out,16*1
+ vst @y[2],$out,16*2
+ vst @y[3],$out,16*3
+
+ vld @y[0],$inp,16*4
+ vld @y[1],$inp,16*5
+ vld @y[2],$inp,16*6
+ vld @y[3],$inp,16*7
+ vxor.v @y[0],@y[0],@x[4]
+ vxor.v @y[1],@y[1],@x[5]
+ vxor.v @y[2],@y[2],@x[6]
+ vxor.v @y[3],@y[3],@x[7]
+ vst @y[0],$out,16*4
+ vst @y[1],$out,16*5
+ vst @y[2],$out,16*6
+ vst @y[3],$out,16*7
+
+ addi.d $len,$len,-128
+ beqz $len,.Ldone_4x
+ addi.d $inp,$inp,128
+ addi.d $out,$out,128
+ vst @x[8],$sp,16*0
+ vst @x[9],$sp,16*1
+ vst @x[10],$sp,16*2
+ vst @x[11],$sp,16*3
+ move $t8,$zero
+ b .Loop_tail_4x
+
+.align 5
+.L192_or_more4x:
+ vld @y[0],$inp,16*0
+ vld @y[1],$inp,16*1
+ vld @y[2],$inp,16*2
+ vld @y[3],$inp,16*3
+ vxor.v @y[0],@y[0],@x[0]
+ vxor.v @y[1],@y[1],@x[1]
+ vxor.v @y[2],@y[2],@x[2]
+ vxor.v @y[3],@y[3],@x[3]
+ vst @y[0],$out,16*0
+ vst @y[1],$out,16*1
+ vst @y[2],$out,16*2
+ vst @y[3],$out,16*3
+
+ vld @y[0],$inp,16*4
+ vld @y[1],$inp,16*5
+ vld @y[2],$inp,16*6
+ vld @y[3],$inp,16*7
+ vxor.v @y[0],@y[0],@x[4]
+ vxor.v @y[1],@y[1],@x[5]
+ vxor.v @y[2],@y[2],@x[6]
+ vxor.v @y[3],@y[3],@x[7]
+ vst @y[0],$out,16*4
+ vst @y[1],$out,16*5
+ vst @y[2],$out,16*6
+ vst @y[3],$out,16*7
+
+ vld @y[0],$inp,16*8
+ vld @y[1],$inp,16*9
+ vld @y[2],$inp,16*10
+ vld @y[3],$inp,16*11
+ vxor.v @y[0],@y[0],@x[8]
+ vxor.v @y[1],@y[1],@x[9]
+ vxor.v @y[2],@y[2],@x[10]
+ vxor.v @y[3],@y[3],@x[11]
+ vst @y[0],$out,16*8
+ vst @y[1],$out,16*9
+ vst @y[2],$out,16*10
+ vst @y[3],$out,16*11
+
+ addi.d $len,$len,-192
+ beqz $len,.Ldone_4x
+ addi.d $inp,$inp,192
+ addi.d $out,$out,192
+ vst @x[12],$sp,16*0
+ vst @x[13],$sp,16*1
+ vst @x[14],$sp,16*2
+ vst @x[15],$sp,16*3
+ move $t8,$zero
+ b .Loop_tail_4x
+
+.Loop_tail_4x:
+ # Xor input with states byte by byte
+ ldx.bu $t5,$inp,$t8
+ ldx.bu $t6,$sp,$t8
+ xor $t5,$t5,$t6
+ stx.b $t5,$out,$t8
+ addi.w $t8,$t8,1
+ addi.d $len,$len,-1
+ bnez $len,.Loop_tail_4x
+ b .Ldone_4x
+
+.Ldone_4x:
+ addi.d $sp,$sp,128
+ b .Lend
+
+EOF
+}
+
+########################################################################
+# 256-bit LASX code path that handles all lengths.
+{
+# Load the initial states in array @x[*] and update directly.
+my @x = ($xr0, $xr1, $xr2, $xr3, $xr4, $xr5, $xr6, $xr7,
+ $xr8, $xr9, $xr10, $xr11, $xr12, $xr13, $xr14, $xr15);
+
+# Save the initial states in array @y[*]
+my @y = ($xr16, $xr17, $xr18, $xr19, $xr20, $xr21, $xr22, $xr23,
+ $xr24, $xr25, $xr26, $xr27, $xr28, $xr29, $xr30, $xr31);
+
+sub ROUND_8x {
+ my ($a0,$b0,$c0,$d0) = @_;
+ my ($a1,$b1,$c1,$d1) = map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
+ my ($a2,$b2,$c2,$d2) = map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
+ my ($a3,$b3,$c3,$d3) = map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
+
+$code .= <<EOF;
+ xvadd.w @x[$a0],@x[$a0],@x[$b0]
+ xvxor.v @x[$d0],@x[$d0],@x[$a0]
+ xvrotri.w @x[$d0],@x[$d0],16 # rotate left 16 bits
+ xvadd.w @x[$a1],@x[$a1],@x[$b1]
+ xvxor.v @x[$d1],@x[$d1],@x[$a1]
+ xvrotri.w @x[$d1],@x[$d1],16
+
+ xvadd.w @x[$c0],@x[$c0],@x[$d0]
+ xvxor.v @x[$b0],@x[$b0],@x[$c0]
+ xvrotri.w @x[$b0],@x[$b0],20 # rotate left 12 bits
+ xvadd.w @x[$c1],@x[$c1],@x[$d1]
+ xvxor.v @x[$b1],@x[$b1],@x[$c1]
+ xvrotri.w @x[$b1],@x[$b1],20
+
+ xvadd.w @x[$a0],@x[$a0],@x[$b0]
+ xvxor.v @x[$d0],@x[$d0],@x[$a0]
+ xvrotri.w @x[$d0],@x[$d0],24 # rotate left 8 bits
+ xvadd.w @x[$a1],@x[$a1],@x[$b1]
+ xvxor.v @x[$d1],@x[$d1],@x[$a1]
+ xvrotri.w @x[$d1],@x[$d1],24
+
+ xvadd.w @x[$c0],@x[$c0],@x[$d0]
+ xvxor.v @x[$b0],@x[$b0],@x[$c0]
+ xvrotri.w @x[$b0],@x[$b0],25 # rotate left 7 bits
+ xvadd.w @x[$c1],@x[$c1],@x[$d1]
+ xvxor.v @x[$b1],@x[$b1],@x[$c1]
+ xvrotri.w @x[$b1],@x[$b1],25
+
+ xvadd.w @x[$a2],@x[$a2],@x[$b2]
+ xvxor.v @x[$d2],@x[$d2],@x[$a2]
+ xvrotri.w @x[$d2],@x[$d2],16
+ xvadd.w @x[$a3],@x[$a3],@x[$b3]
+ xvxor.v @x[$d3],@x[$d3],@x[$a3]
+ xvrotri.w @x[$d3],@x[$d3],16
+
+ xvadd.w @x[$c2],@x[$c2],@x[$d2]
+ xvxor.v @x[$b2],@x[$b2],@x[$c2]
+ xvrotri.w @x[$b2],@x[$b2],20
+ xvadd.w @x[$c3],@x[$c3],@x[$d3]
+ xvxor.v @x[$b3],@x[$b3],@x[$c3]
+ xvrotri.w @x[$b3],@x[$b3],20
+
+ xvadd.w @x[$a2],@x[$a2],@x[$b2]
+ xvxor.v @x[$d2],@x[$d2],@x[$a2]
+ xvrotri.w @x[$d2],@x[$d2],24
+ xvadd.w @x[$a3],@x[$a3],@x[$b3]
+ xvxor.v @x[$d3],@x[$d3],@x[$a3]
+ xvrotri.w @x[$d3],@x[$d3],24
+
+ xvadd.w @x[$c2],@x[$c2],@x[$d2]
+ xvxor.v @x[$b2],@x[$b2],@x[$c2]
+ xvrotri.w @x[$b2],@x[$b2],25
+ xvadd.w @x[$c3],@x[$c3],@x[$d3]
+ xvxor.v @x[$b3],@x[$b3],@x[$c3]
+ xvrotri.w @x[$b3],@x[$b3],25
+
+EOF
+}
+
+$code .= <<EOF;
+.align 6
+.LChaCha20_8x:
+ ori $t3,$zero,64
+ bleu $len,$t3,.LChaCha20_1x # goto 1x when len <= 64
+
+ addi.d $sp,$sp,-128
+
+ # Save the initial block counter in $t4
+ ld.w $t4,$counter,0
+ b .Loop_outer_8x
+
+.align 5
+.Loop_outer_8x:
+ # Load constant
+ la.local $t8,.Lsigma
+ xvldrepl.w @x[0],$t8,4*0 # 'expa'
+ xvldrepl.w @x[1],$t8,4*1 # 'nd 3'
+ xvldrepl.w @x[2],$t8,4*2 # '2-by'
+ xvldrepl.w @x[3],$t8,4*3 # 'te k'
+
+ # Load key
+ xvldrepl.w @x[4],$key,4*0
+ xvldrepl.w @x[5],$key,4*1
+ xvldrepl.w @x[6],$key,4*2
+ xvldrepl.w @x[7],$key,4*3
+ xvldrepl.w @x[8],$key,4*4
+ xvldrepl.w @x[9],$key,4*5
+ xvldrepl.w @x[10],$key,4*6
+ xvldrepl.w @x[11],$key,4*7
+
+ # Load block counter
+ xvreplgr2vr.w @x[12],$t4
+
+ # Load nonce
+ xvldrepl.w @x[13],$counter,4*1
+ xvldrepl.w @x[14],$counter,4*2
+ xvldrepl.w @x[15],$counter,4*3
+
+ # Get the correct block counter for each block
+ la.local $t8,.Linc8x
+ xvld @y[0],$t8,0
+ xvadd.w @x[12],@x[12],@y[0]
+
+ # Copy the initial states from \@x[*] to \@y[*]
+ xvori.b @y[0],@x[0],0
+ xvori.b @y[1],@x[1],0
+ xvori.b @y[2],@x[2],0
+ xvori.b @y[3],@x[3],0
+ xvori.b @y[4],@x[4],0
+ xvori.b @y[5],@x[5],0
+ xvori.b @y[6],@x[6],0
+ xvori.b @y[7],@x[7],0
+ xvori.b @y[8],@x[8],0
+ xvori.b @y[9],@x[9],0
+ xvori.b @y[10],@x[10],0
+ xvori.b @y[11],@x[11],0
+ xvori.b @y[12],@x[12],0
+ xvori.b @y[13],@x[13],0
+ xvori.b @y[14],@x[14],0
+ xvori.b @y[15],@x[15],0
+
+ # Update states in \@x[*] for 20 rounds
+ ori $t8,$zero,10
+ b .Loop_8x
+
+.align 5
+.Loop_8x:
+EOF
+
+&ROUND_8x (0, 4, 8, 12);
+&ROUND_8x (0, 5, 10, 15);
+
+$code .= <<EOF;
+ addi.w $t8,$t8,-1
+ bnez $t8,.Loop_8x
+
+ # Get the final states by adding the initial states
+ xvadd.w @x[0],@x[0],@y[0]
+ xvadd.w @x[1],@x[1],@y[1]
+ xvadd.w @x[2],@x[2],@y[2]
+ xvadd.w @x[3],@x[3],@y[3]
+ xvadd.w @x[4],@x[4],@y[4]
+ xvadd.w @x[5],@x[5],@y[5]
+ xvadd.w @x[6],@x[6],@y[6]
+ xvadd.w @x[7],@x[7],@y[7]
+ xvadd.w @x[8],@x[8],@y[8]
+ xvadd.w @x[9],@x[9],@y[9]
+ xvadd.w @x[10],@x[10],@y[10]
+ xvadd.w @x[11],@x[11],@y[11]
+ xvadd.w @x[12],@x[12],@y[12]
+ xvadd.w @x[13],@x[13],@y[13]
+ xvadd.w @x[14],@x[14],@y[14]
+ xvadd.w @x[15],@x[15],@y[15]
+
+ # Get the transpose of \@x[*] and save them in \@y[*]
+ xvilvl.w @y[0],@x[1],@x[0]
+ xvilvh.w @y[1],@x[1],@x[0]
+ xvilvl.w @y[2],@x[3],@x[2]
+ xvilvh.w @y[3],@x[3],@x[2]
+ xvilvl.w @y[4],@x[5],@x[4]
+ xvilvh.w @y[5],@x[5],@x[4]
+ xvilvl.w @y[6],@x[7],@x[6]
+ xvilvh.w @y[7],@x[7],@x[6]
+ xvilvl.w @y[8],@x[9],@x[8]
+ xvilvh.w @y[9],@x[9],@x[8]
+ xvilvl.w @y[10],@x[11],@x[10]
+ xvilvh.w @y[11],@x[11],@x[10]
+ xvilvl.w @y[12],@x[13],@x[12]
+ xvilvh.w @y[13],@x[13],@x[12]
+ xvilvl.w @y[14],@x[15],@x[14]
+ xvilvh.w @y[15],@x[15],@x[14]
+
+ xvilvl.d @x[0],@y[2],@y[0]
+ xvilvh.d @x[1],@y[2],@y[0]
+ xvilvl.d @x[2],@y[3],@y[1]
+ xvilvh.d @x[3],@y[3],@y[1]
+ xvilvl.d @x[4],@y[6],@y[4]
+ xvilvh.d @x[5],@y[6],@y[4]
+ xvilvl.d @x[6],@y[7],@y[5]
+ xvilvh.d @x[7],@y[7],@y[5]
+ xvilvl.d @x[8],@y[10],@y[8]
+ xvilvh.d @x[9],@y[10],@y[8]
+ xvilvl.d @x[10],@y[11],@y[9]
+ xvilvh.d @x[11],@y[11],@y[9]
+ xvilvl.d @x[12],@y[14],@y[12]
+ xvilvh.d @x[13],@y[14],@y[12]
+ xvilvl.d @x[14],@y[15],@y[13]
+ xvilvh.d @x[15],@y[15],@y[13]
+
+ xvori.b @y[0],@x[4],0
+ xvpermi.q @y[0],@x[0],0x20
+ xvori.b @y[1],@x[5],0
+ xvpermi.q @y[1],@x[1],0x20
+ xvori.b @y[2],@x[6],0
+ xvpermi.q @y[2],@x[2],0x20
+ xvori.b @y[3],@x[7],0
+ xvpermi.q @y[3],@x[3],0x20
+ xvori.b @y[4],@x[4],0
+ xvpermi.q @y[4],@x[0],0x31
+ xvori.b @y[5],@x[5],0
+ xvpermi.q @y[5],@x[1],0x31
+ xvori.b @y[6],@x[6],0
+ xvpermi.q @y[6],@x[2],0x31
+ xvori.b @y[7],@x[7],0
+ xvpermi.q @y[7],@x[3],0x31
+ xvori.b @y[8],@x[12],0
+ xvpermi.q @y[8],@x[8],0x20
+ xvori.b @y[9],@x[13],0
+ xvpermi.q @y[9],@x[9],0x20
+ xvori.b @y[10],@x[14],0
+ xvpermi.q @y[10],@x[10],0x20
+ xvori.b @y[11],@x[15],0
+ xvpermi.q @y[11],@x[11],0x20
+ xvori.b @y[12],@x[12],0
+ xvpermi.q @y[12],@x[8],0x31
+ xvori.b @y[13],@x[13],0
+ xvpermi.q @y[13],@x[9],0x31
+ xvori.b @y[14],@x[14],0
+ xvpermi.q @y[14],@x[10],0x31
+ xvori.b @y[15],@x[15],0
+ xvpermi.q @y[15],@x[11],0x31
+
+EOF
+
+# Adjust the order of elements in @y[*] for ease of use.
+@y = (@y[0],@y[8],@y[1],@y[9],@y[2],@y[10],@y[3],@y[11],
+ @y[4],@y[12],@y[5],@y[13],@y[6],@y[14],@y[7],@y[15]);
+
+$code .= <<EOF;
+ ori $t8,$zero,64*8
+ bltu $len,$t8,.Ltail_8x
+
+ # Get the encrypted message by xor states with plaintext
+ xvld @x[0],$inp,32*0
+ xvld @x[1],$inp,32*1
+ xvld @x[2],$inp,32*2
+ xvld @x[3],$inp,32*3
+ xvxor.v @x[0],@x[0],@y[0]
+ xvxor.v @x[1],@x[1],@y[1]
+ xvxor.v @x[2],@x[2],@y[2]
+ xvxor.v @x[3],@x[3],@y[3]
+ xvst @x[0],$out,32*0
+ xvst @x[1],$out,32*1
+ xvst @x[2],$out,32*2
+ xvst @x[3],$out,32*3
+
+ xvld @x[0],$inp,32*4
+ xvld @x[1],$inp,32*5
+ xvld @x[2],$inp,32*6
+ xvld @x[3],$inp,32*7
+ xvxor.v @x[0],@x[0],@y[4]
+ xvxor.v @x[1],@x[1],@y[5]
+ xvxor.v @x[2],@x[2],@y[6]
+ xvxor.v @x[3],@x[3],@y[7]
+ xvst @x[0],$out,32*4
+ xvst @x[1],$out,32*5
+ xvst @x[2],$out,32*6
+ xvst @x[3],$out,32*7
+
+ xvld @x[0],$inp,32*8
+ xvld @x[1],$inp,32*9
+ xvld @x[2],$inp,32*10
+ xvld @x[3],$inp,32*11
+ xvxor.v @x[0],@x[0],@y[8]
+ xvxor.v @x[1],@x[1],@y[9]
+ xvxor.v @x[2],@x[2],@y[10]
+ xvxor.v @x[3],@x[3],@y[11]
+ xvst @x[0],$out,32*8
+ xvst @x[1],$out,32*9
+ xvst @x[2],$out,32*10
+ xvst @x[3],$out,32*11
+
+ xvld @x[0],$inp,32*12
+ xvld @x[1],$inp,32*13
+ xvld @x[2],$inp,32*14
+ xvld @x[3],$inp,32*15
+ xvxor.v @x[0],@x[0],@y[12]
+ xvxor.v @x[1],@x[1],@y[13]
+ xvxor.v @x[2],@x[2],@y[14]
+ xvxor.v @x[3],@x[3],@y[15]
+ xvst @x[0],$out,32*12
+ xvst @x[1],$out,32*13
+ xvst @x[2],$out,32*14
+ xvst @x[3],$out,32*15
+
+ addi.d $len,$len,-64*8
+ beqz $len,.Ldone_8x
+ addi.d $inp,$inp,64*8
+ addi.d $out,$out,64*8
+ addi.w $t4,$t4,8
+ b .Loop_outer_8x
+
+.Ltail_8x:
+ # Handle the tail for 8x (1 <= tail_len <= 511)
+ ori $t8,$zero,448
+ bgeu $len,$t8,.L448_or_more8x
+ ori $t8,$zero,384
+ bgeu $len,$t8,.L384_or_more8x
+ ori $t8,$zero,320
+ bgeu $len,$t8,.L320_or_more8x
+ ori $t8,$zero,256
+ bgeu $len,$t8,.L256_or_more8x
+ ori $t8,$zero,192
+ bgeu $len,$t8,.L192_or_more8x
+ ori $t8,$zero,128
+ bgeu $len,$t8,.L128_or_more8x
+ ori $t8,$zero,64
+ bgeu $len,$t8,.L64_or_more8x
+
+ xvst @y[0],$sp,32*0
+ xvst @y[1],$sp,32*1
+ move $t8,$zero
+ b .Loop_tail_8x
+
+.align 5
+.L64_or_more8x:
+ xvld @x[0],$inp,32*0
+ xvld @x[1],$inp,32*1
+ xvxor.v @x[0],@x[0],@y[0]
+ xvxor.v @x[1],@x[1],@y[1]
+ xvst @x[0],$out,32*0
+ xvst @x[1],$out,32*1
+
+ addi.d $len,$len,-64
+ beqz $len,.Ldone_8x
+ addi.d $inp,$inp,64
+ addi.d $out,$out,64
+ xvst @y[2],$sp,32*0
+ xvst @y[3],$sp,32*1
+ move $t8,$zero
+ b .Loop_tail_8x
+
+.align 5
+.L128_or_more8x:
+ xvld @x[0],$inp,32*0
+ xvld @x[1],$inp,32*1
+ xvld @x[2],$inp,32*2
+ xvld @x[3],$inp,32*3
+ xvxor.v @x[0],@x[0],@y[0]
+ xvxor.v @x[1],@x[1],@y[1]
+ xvxor.v @x[2],@x[2],@y[2]
+ xvxor.v @x[3],@x[3],@y[3]
+ xvst @x[0],$out,32*0
+ xvst @x[1],$out,32*1
+ xvst @x[2],$out,32*2
+ xvst @x[3],$out,32*3
+
+ addi.d $len,$len,-128
+ beqz $len,.Ldone_8x
+ addi.d $inp,$inp,128
+ addi.d $out,$out,128
+ xvst @y[4],$sp,32*0
+ xvst @y[5],$sp,32*1
+ move $t8,$zero
+ b .Loop_tail_8x
+
+.align 5
+.L192_or_more8x:
+ xvld @x[0],$inp,32*0
+ xvld @x[1],$inp,32*1
+ xvld @x[2],$inp,32*2
+ xvld @x[3],$inp,32*3
+ xvxor.v @x[0],@x[0],@y[0]
+ xvxor.v @x[1],@x[1],@y[1]
+ xvxor.v @x[2],@x[2],@y[2]
+ xvxor.v @x[3],@x[3],@y[3]
+ xvst @x[0],$out,32*0
+ xvst @x[1],$out,32*1
+ xvst @x[2],$out,32*2
+ xvst @x[3],$out,32*3
+
+ xvld @x[0],$inp,32*4
+ xvld @x[1],$inp,32*5
+ xvxor.v @x[0],@x[0],@y[4]
+ xvxor.v @x[1],@x[1],@y[5]
+ xvst @x[0],$out,32*4
+ xvst @x[1],$out,32*5
+
+ addi.d $len,$len,-192
+ beqz $len,.Ldone_8x
+ addi.d $inp,$inp,192
+ addi.d $out,$out,192
+ xvst @y[6],$sp,32*0
+ xvst @y[7],$sp,32*1
+ move $t8,$zero
+ b .Loop_tail_8x
+
+.align 5
+.L256_or_more8x:
+ xvld @x[0],$inp,32*0
+ xvld @x[1],$inp,32*1
+ xvld @x[2],$inp,32*2
+ xvld @x[3],$inp,32*3
+ xvxor.v @x[0],@x[0],@y[0]
+ xvxor.v @x[1],@x[1],@y[1]
+ xvxor.v @x[2],@x[2],@y[2]
+ xvxor.v @x[3],@x[3],@y[3]
+ xvst @x[0],$out,32*0
+ xvst @x[1],$out,32*1
+ xvst @x[2],$out,32*2
+ xvst @x[3],$out,32*3
+
+ xvld @x[0],$inp,32*4
+ xvld @x[1],$inp,32*5
+ xvld @x[2],$inp,32*6
+ xvld @x[3],$inp,32*7
+ xvxor.v @x[0],@x[0],@y[4]
+ xvxor.v @x[1],@x[1],@y[5]
+ xvxor.v @x[2],@x[2],@y[6]
+ xvxor.v @x[3],@x[3],@y[7]
+ xvst @x[0],$out,32*4
+ xvst @x[1],$out,32*5
+ xvst @x[2],$out,32*6
+ xvst @x[3],$out,32*7
+
+ addi.d $len,$len,-256
+ beqz $len,.Ldone_8x
+ addi.d $inp,$inp,256
+ addi.d $out,$out,256
+ xvst @y[8],$sp,32*0
+ xvst @y[9],$sp,32*1
+ move $t8,$zero
+ b .Loop_tail_8x
+
+.align 5
+.L320_or_more8x:
+ xvld @x[0],$inp,32*0
+ xvld @x[1],$inp,32*1
+ xvld @x[2],$inp,32*2
+ xvld @x[3],$inp,32*3
+ xvxor.v @x[0],@x[0],@y[0]
+ xvxor.v @x[1],@x[1],@y[1]
+ xvxor.v @x[2],@x[2],@y[2]
+ xvxor.v @x[3],@x[3],@y[3]
+ xvst @x[0],$out,32*0
+ xvst @x[1],$out,32*1
+ xvst @x[2],$out,32*2
+ xvst @x[3],$out,32*3
+
+ xvld @x[0],$inp,32*4
+ xvld @x[1],$inp,32*5
+ xvld @x[2],$inp,32*6
+ xvld @x[3],$inp,32*7
+ xvxor.v @x[0],@x[0],@y[4]
+ xvxor.v @x[1],@x[1],@y[5]
+ xvxor.v @x[2],@x[2],@y[6]
+ xvxor.v @x[3],@x[3],@y[7]
+ xvst @x[0],$out,32*4
+ xvst @x[1],$out,32*5
+ xvst @x[2],$out,32*6
+ xvst @x[3],$out,32*7
+
+ xvld @x[0],$inp,32*8
+ xvld @x[1],$inp,32*9
+ xvxor.v @x[0],@x[0],@y[8]
+ xvxor.v @x[1],@x[1],@y[9]
+ xvst @x[0],$out,32*8
+ xvst @x[1],$out,32*9
+
+ addi.d $len,$len,-320
+ beqz $len,.Ldone_8x
+ addi.d $inp,$inp,320
+ addi.d $out,$out,320
+ xvst @y[10],$sp,32*0
+ xvst @y[11],$sp,32*1
+ move $t8,$zero
+ b .Loop_tail_8x
+
+.align 5
+.L384_or_more8x:
+ xvld @x[0],$inp,32*0
+ xvld @x[1],$inp,32*1
+ xvld @x[2],$inp,32*2
+ xvld @x[3],$inp,32*3
+ xvxor.v @x[0],@x[0],@y[0]
+ xvxor.v @x[1],@x[1],@y[1]
+ xvxor.v @x[2],@x[2],@y[2]
+ xvxor.v @x[3],@x[3],@y[3]
+ xvst @x[0],$out,32*0
+ xvst @x[1],$out,32*1
+ xvst @x[2],$out,32*2
+ xvst @x[3],$out,32*3
+
+ xvld @x[0],$inp,32*4
+ xvld @x[1],$inp,32*5
+ xvld @x[2],$inp,32*6
+ xvld @x[3],$inp,32*7
+ xvxor.v @x[0],@x[0],@y[4]
+ xvxor.v @x[1],@x[1],@y[5]
+ xvxor.v @x[2],@x[2],@y[6]
+ xvxor.v @x[3],@x[3],@y[7]
+ xvst @x[0],$out,32*4
+ xvst @x[1],$out,32*5
+ xvst @x[2],$out,32*6
+ xvst @x[3],$out,32*7
+
+ xvld @x[0],$inp,32*8
+ xvld @x[1],$inp,32*9
+ xvld @x[2],$inp,32*10
+ xvld @x[3],$inp,32*11
+ xvxor.v @x[0],@x[0],@y[8]
+ xvxor.v @x[1],@x[1],@y[9]
+ xvxor.v @x[2],@x[2],@y[10]
+ xvxor.v @x[3],@x[3],@y[11]
+ xvst @x[0],$out,32*8
+ xvst @x[1],$out,32*9
+ xvst @x[2],$out,32*10
+ xvst @x[3],$out,32*11
+
+ addi.d $len,$len,-384
+ beqz $len,.Ldone_8x
+ addi.d $inp,$inp,384
+ addi.d $out,$out,384
+ xvst @y[12],$sp,32*0
+ xvst @y[13],$sp,32*1
+ move $t8,$zero
+ b .Loop_tail_8x
+
+.align 5
+.L448_or_more8x:
+ xvld @x[0],$inp,32*0
+ xvld @x[1],$inp,32*1
+ xvld @x[2],$inp,32*2
+ xvld @x[3],$inp,32*3
+ xvxor.v @x[0],@x[0],@y[0]
+ xvxor.v @x[1],@x[1],@y[1]
+ xvxor.v @x[2],@x[2],@y[2]
+ xvxor.v @x[3],@x[3],@y[3]
+ xvst @x[0],$out,32*0
+ xvst @x[1],$out,32*1
+ xvst @x[2],$out,32*2
+ xvst @x[3],$out,32*3
+
+ xvld @x[0],$inp,32*4
+ xvld @x[1],$inp,32*5
+ xvld @x[2],$inp,32*6
+ xvld @x[3],$inp,32*7
+ xvxor.v @x[0],@x[0],@y[4]
+ xvxor.v @x[1],@x[1],@y[5]
+ xvxor.v @x[2],@x[2],@y[6]
+ xvxor.v @x[3],@x[3],@y[7]
+ xvst @x[0],$out,32*4
+ xvst @x[1],$out,32*5
+ xvst @x[2],$out,32*6
+ xvst @x[3],$out,32*7
+
+ xvld @x[0],$inp,32*8
+ xvld @x[1],$inp,32*9
+ xvld @x[2],$inp,32*10
+ xvld @x[3],$inp,32*11
+ xvxor.v @x[0],@x[0],@y[8]
+ xvxor.v @x[1],@x[1],@y[9]
+ xvxor.v @x[2],@x[2],@y[10]
+ xvxor.v @x[3],@x[3],@y[11]
+ xvst @x[0],$out,32*8
+ xvst @x[1],$out,32*9
+ xvst @x[2],$out,32*10
+ xvst @x[3],$out,32*11
+
+ xvld @x[0],$inp,32*12
+ xvld @x[1],$inp,32*13
+ xvxor.v @x[0],@x[0],@y[12]
+ xvxor.v @x[1],@x[1],@y[13]
+ xvst @x[0],$out,32*12
+ xvst @x[1],$out,32*13
+
+ addi.d $len,$len,-448
+ beqz $len,.Ldone_8x
+ addi.d $inp,$inp,448
+ addi.d $out,$out,448
+ xvst @y[14],$sp,32*0
+ xvst @y[15],$sp,32*1
+ move $t8,$zero
+ b .Loop_tail_8x
+
+.Loop_tail_8x:
+ # Xor input with states byte by byte
+ ldx.bu $t5,$inp,$t8
+ ldx.bu $t6,$sp,$t8
+ xor $t5,$t5,$t6
+ stx.b $t5,$out,$t8
+ addi.w $t8,$t8,1
+ addi.d $len,$len,-1
+ bnez $len,.Loop_tail_8x
+ b .Ldone_8x
+
+.Ldone_8x:
+ addi.d $sp,$sp,128
+ b .Lend
+
+EOF
+}
+
+$code .= <<EOF;
+.Lno_data:
+.Lend:
+ jr $ra
+.size ChaCha20_ctr32,.-ChaCha20_ctr32
+EOF
+
+$code =~ s/\`([^\`]*)\`/eval($1)/gem;
+
+print $code;
+
+close STDOUT;
projects / thirdparty / openssl.git / commitdiff
