From owner-freebsd-ports-bugs@FreeBSD.ORG  Mon May 19 12:50:00 2014
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
Delivered-To: freebsd-ports-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id C31C0427
 for <freebsd-ports-bugs@smarthost.ysv.freebsd.org>;
 Mon, 19 May 2014 12:50:00 +0000 (UTC)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 951A027CC
 for <freebsd-ports-bugs@smarthost.ysv.freebsd.org>;
 Mon, 19 May 2014 12:50:00 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s4JCo08t007562
 for <freebsd-ports-bugs@freefall.freebsd.org>; Mon, 19 May 2014 12:50:00 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s4JCo03l007561;
 Mon, 19 May 2014 12:50:00 GMT (envelope-from gnats)
Resent-Date: Mon, 19 May 2014 12:50:00 GMT
Resent-Message-Id: <201405191250.s4JCo03l007561@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, freebsd@nagilum.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 0F76D313
 for <FreeBSD-gnats-submit@freebsd.org>; Mon, 19 May 2014 12:47:31 +0000 (UTC)
Received: from mo6-p05-ob.smtp.rzone.de (mo6-p05-ob.smtp.rzone.de
 [IPv6:2a01:238:20a:202:5305::6])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.smtp.rzone.de", Issuer "TeleSec ServerPass DE-2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id B357F27AE
 for <FreeBSD-gnats-submit@freebsd.org>; Mon, 19 May 2014 12:47:26 +0000 (UTC)
Received: from cakebox.homeunix.net (188-015-186-093.fttx.vsenet.de
 [93.186.15.188]) by smtp.strato.de (RZmta 34.2 AUTH)
 with ESMTPSA id z049f5q4JCl8AJo
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "cakebox.mooo.com",
 Issuer "CA Cert Signing Authority" (verification FAILED - unable to verify the
 first certificate)) (Client hostname not verified);
 Mon, 19 May 2014 14:47:08 +0200 (CEST)
Received: from cakebox.homeunix.net (localhost [127.0.0.1])
 by cakebox.homeunix.net (Postfix) with ESMTP id 34AAF2D5B22;
 Mon, 19 May 2014 14:47:05 +0200 (CEST)
Received: by cakebox.homeunix.net (Postfix, from userid 0)
 id F0C1B2D5B06; Mon, 19 May 2014 14:47:04 +0200 (CEST)
Message-Id: <20140519124704.F0C1B2D5B06@cakebox.homeunix.net>
Date: Mon, 19 May 2014 14:47:04 +0200 (CEST)
From: freebsd@nagilum.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.114
Subject: ports/189945: add optional chacha20 & poly1305 support to
 security/openssl
Cc: dinoex@FreeBSD.org
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs/>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 19 May 2014 12:50:00 -0000


>Number:         189945
>Category:       ports
>Synopsis:       add optional chacha20 & poly1305 support to security/openssl
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 19 12:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     freebsd@nagilum.org
>Release:        FreeBSD 9.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD cakebox.tis 9.2-STABLE FreeBSD 9.2-STABLE #0 r264294M: Fri Apr 11 10:19:25 CEST 2014 root@cakebox.tis:/usr/obj/export/src/sys/net5501 i386


>Description:
	This adds the option to have chacha20 & poly1305 support in
	openssl. This patch is based on googles work and the updated
	version of their patchset from http://sven.soup.io/.

>How-To-Repeat:
	Apply patch, enable the option, build openssl.

>Fix:
	Apply attached patch


--- openssl.patch begins here ---
diff -Naur openssl.orig/Makefile openssl/Makefile
--- openssl.orig/Makefile	2014-05-03 18:36:42.000000000 +0200
+++ openssl/Makefile	2014-05-19 14:25:54.000000000 +0200
@@ -19,7 +19,7 @@
 .error You have `USE_OPENSSL' variable defined either in environment or in make(1) arguments. Please undefine and try again.
 .endif
 
-OPTIONS_DEFINE=	SHARED THREADS I386 SSE2 ASM PADLOCK ZLIB SCTP MD2 RC5 RFC3779 GMP
+OPTIONS_DEFINE=	SHARED THREADS I386 SSE2 ASM PADLOCK ZLIB SCTP MD2 RC5 RFC3779 GMP CHAPOLY
 OPTIONS_DEFAULT=SHARED THREADS SSE2 ASM ZLIB SCTP MD2
 .for a in amd64 ia64
 OPTIONS_DEFINE_${a}=	EC
@@ -44,6 +44,7 @@
 RFC3779_DESC?=	RFC3779 support
 GMP_DESC?=	gmp support (LGPLv3)
 EC_DESC?=	Optimize NIST elliptic curves
+CHAPOLY_DESC?=	chacha20 & poly1305 support
 
 GMP_LIB_DEPENDS=	libgmp.so:${PORTSDIR}/math/gmp
 
@@ -80,6 +81,10 @@
 
 .include <bsd.port.pre.mk>
 
+.if ${PORT_OPTIONS:MCHAPOLY}
+EXTRA_PATCHES+=        ${FILESDIR}/extra-patch-chapoly
+.endif
+
 .if ${PREFIX} == /usr
 IGNORE=	OpenSSL can not be installed over the base version
 .endif
diff -Naur openssl.orig/files/extra-patch-chapoly openssl/files/extra-patch-chapoly
--- openssl.orig/files/extra-patch-chapoly	1970-01-01 01:00:00.000000000 +0100
+++ openssl/files/extra-patch-chapoly	2014-05-19 13:57:30.000000000 +0200
@@ -0,0 +1,7296 @@
+--- ./crypto/evp/evp_aead.c.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/evp/evp_aead.c	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,192 @@
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ * 
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to.  The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ * 
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ * 
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ *    must display the following acknowledgement:
++ *    "This product includes cryptographic software written by
++ *     Eric Young (eay@cryptsoft.com)"
++ *    The word 'cryptographic' can be left out if the rouines from the library
++ *    being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from 
++ *    the apps directory (application code) you must include an acknowledgement:
++ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ * 
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ * 
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed.  i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <limits.h>
++#include <string.h>
++
++#include <openssl/evp.h>
++#include <openssl/err.h>
++
++#include "evp_locl.h"
++
++size_t EVP_AEAD_key_length(const EVP_AEAD *aead)
++	{
++	return aead->key_len;
++	}
++
++size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead)
++	{
++	return aead->nonce_len;
++	}
++
++size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead)
++	{
++	return aead->overhead;
++	}
++
++size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead)
++	{
++	return aead->max_tag_len;
++	}
++
++int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
++		      const unsigned char *key, size_t key_len,
++		      size_t tag_len, ENGINE *impl)
++	{
++	ctx->aead = aead;
++	if (key_len != aead->key_len)
++		{
++		EVPerr(EVP_F_EVP_AEAD_CTX_INIT,EVP_R_UNSUPPORTED_KEY_SIZE);
++		return 0;
++		}
++	return aead->init(ctx, key, key_len, tag_len);
++	}
++
++void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
++	{
++	if (ctx->aead == NULL)
++		return;
++	ctx->aead->cleanup(ctx);
++	ctx->aead = NULL;
++	}
++
++/* check_alias returns 0 if |out| points within the buffer determined by |in|
++ * and |in_len| and 1 otherwise.
++ *
++ * When processing, there's only an issue if |out| points within in[:in_len]
++ * and isn't equal to |in|. If that's the case then writing the output will
++ * stomp input that hasn't been read yet.
++ *
++ * This function checks for that case. */
++static int check_alias(const unsigned char *in, size_t in_len,
++		       const unsigned char *out)
++	{
++	if (out <= in)
++		return 1;
++	if (in + in_len <= out)
++		return 1;
++	return 0;
++	}
++
++ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
++			  unsigned char *out, size_t max_out_len,
++			  const unsigned char *nonce, size_t nonce_len,
++			  const unsigned char *in, size_t in_len,
++			  const unsigned char *ad, size_t ad_len)
++	{
++	size_t possible_out_len = in_len + ctx->aead->overhead;
++	ssize_t r;
++
++	if (possible_out_len < in_len /* overflow */ ||
++	    possible_out_len > SSIZE_MAX /* return value cannot be
++					    represented */)
++		{
++		EVPerr(EVP_F_AEAD_CTX_SEAL, EVP_R_TOO_LARGE);
++		goto error;
++		}
++
++	if (!check_alias(in, in_len, out))
++		{
++		EVPerr(EVP_F_AEAD_CTX_SEAL, EVP_R_OUTPUT_ALIASES_INPUT);
++		goto error;
++		}
++
++	r = ctx->aead->seal(ctx, out, max_out_len, nonce, nonce_len,
++			    in, in_len, ad, ad_len);
++	if (r >= 0)
++		return r;
++
++error:
++	/* In the event of an error, clear the output buffer so that a caller
++	 * that doesn't check the return value doesn't send raw data. */
++	memset(out, 0, max_out_len);
++	return -1;
++	}
++
++ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx,
++			 unsigned char *out, size_t max_out_len,
++			 const unsigned char *nonce, size_t nonce_len,
++			 const unsigned char *in, size_t in_len,
++			 const unsigned char *ad, size_t ad_len)
++	{
++	ssize_t r;
++
++	if (in_len > SSIZE_MAX)
++		{
++		EVPerr(EVP_F_AEAD_CTX_OPEN, EVP_R_TOO_LARGE);
++		goto error;  /* may not be able to represent return value. */
++		}
++
++	if (!check_alias(in, in_len, out))
++		{
++		EVPerr(EVP_F_AEAD_CTX_OPEN, EVP_R_OUTPUT_ALIASES_INPUT);
++		goto error;
++		}
++
++	r = ctx->aead->open(ctx, out, max_out_len, nonce, nonce_len,
++			    in, in_len, ad, ad_len);
++
++	if (r >= 0)
++		return r;
++
++error:
++	/* In the event of an error, clear the output buffer so that a caller
++	 * that doesn't check the return value doesn't try and process bad
++	 * data. */
++	memset(out, 0, max_out_len);
++	return -1;
++	}
+--- ./crypto/evp/e_aes.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./crypto/evp/e_aes.c	2014-05-19 10:46:17.000000000 +0200
+@@ -814,47 +814,48 @@
+ 		}
+ 	}
+ 
+-static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+-                        const unsigned char *iv, int enc)
++static ctr128_f aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
++				const unsigned char *key, size_t key_len)
+ 	{
+-	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
+-	if (!iv && !key)
+-		return 1;
+-	if (key)
+-		{ do {
+ #ifdef BSAES_CAPABLE
+ 		if (BSAES_CAPABLE)
+ 			{
+-			AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
+-			CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
++			AES_set_encrypt_key(key,key_len*8,aes_key);
++			CRYPTO_gcm128_init(gcm_ctx,aes_key,
+ 					(block128_f)AES_encrypt);
+-			gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
+-			break;
++			return (ctr128_f)bsaes_ctr32_encrypt_blocks;
+ 			}
+-		else
+ #endif
+ #ifdef VPAES_CAPABLE
+ 		if (VPAES_CAPABLE)
+ 			{
+-			vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
+-			CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
++			vpaes_set_encrypt_key(key,key_len*8,aes_key);
++			CRYPTO_gcm128_init(gcm_ctx,aes_key,
+ 					(block128_f)vpaes_encrypt);
+-			gctx->ctr = NULL;
+-			break;
++			return NULL;
+ 			}
+ 		else
+ #endif
+ 		(void)0;	/* terminate potentially open 'else' */
+ 
+-		AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
+-		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
++		AES_set_encrypt_key(key, key_len*8, aes_key);
++		CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+ #ifdef AES_CTR_ASM
+-		gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
++		return (ctr128_f)AES_ctr32_encrypt;
+ #else
+-		gctx->ctr = NULL;
++		return NULL;
+ #endif
+-		} while (0);
++	}
+ 
++static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++                        const unsigned char *iv, int enc)
++	{
++	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
++	if (!iv && !key)
++		return 1;
++	if (key)
++		{
++		gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, key, ctx->key_len);
+ 		/* If we have an iv can set it directly, otherwise use
+ 		 * saved IV.
+ 		 */
+@@ -1316,5 +1317,176 @@
+ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
+ BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
+ 
++#define EVP_AEAD_AES_128_GCM_TAG_LEN 16
++
++struct aead_aes_128_gcm_ctx {
++	union { double align; AES_KEY ks; } ks;
++	GCM128_CONTEXT gcm;
++	ctr128_f ctr;
++	unsigned char tag_len;
++};
++
++static int aead_aes_128_gcm_init(EVP_AEAD_CTX *ctx,
++	const unsigned char *key, size_t key_len, size_t tag_len)
++	{
++	struct aead_aes_128_gcm_ctx *gcm_ctx;
++
++	if (key_len*8 != 128)
++		{
++		EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_BAD_KEY_LENGTH);
++		return 0;  /* EVP_AEAD_CTX_init should catch this. */
++		}
++
++	if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH)
++		tag_len = EVP_AEAD_AES_128_GCM_TAG_LEN;
++
++	if (tag_len > EVP_AEAD_AES_128_GCM_TAG_LEN)
++		{
++		EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_TAG_TOO_LARGE);
++		return 0;
++		}
++
++	gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_128_gcm_ctx));
++	if (gcm_ctx == NULL)
++		return 0;
++
++#ifdef AESNI_CAPABLE
++	if (AESNI_CAPABLE)
++		{
++		aesni_set_encrypt_key(key, key_len * 8, &gcm_ctx->ks.ks);
++		CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
++				   (block128_f)aesni_encrypt);
++		gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
++		}
++	else
++#endif
++		{
++		gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
++					       key, key_len);
++		}
++	gcm_ctx->tag_len = tag_len;
++	ctx->aead_state = gcm_ctx;
++
++	return 1;
++	}
++
++static void aead_aes_128_gcm_cleanup(EVP_AEAD_CTX *ctx)
++	{
++	struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state;
++	OPENSSL_free(gcm_ctx);
++	}
++
++static ssize_t aead_aes_128_gcm_seal(const EVP_AEAD_CTX *ctx,
++	unsigned char *out, size_t max_out_len,
++	const unsigned char *nonce, size_t nonce_len,
++	const unsigned char *in, size_t in_len,
++	const unsigned char *ad, size_t ad_len)
++	{
++	size_t bulk = 0;
++	const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state;
++	GCM128_CONTEXT gcm;
++
++	if (max_out_len < in_len + gcm_ctx->tag_len)
++		{
++		EVPerr(EVP_F_AEAD_AES_128_GCM_SEAL, EVP_R_BUFFER_TOO_SMALL);
++		return -1;
++		}
++
++	memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
++	CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
++
++	if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
++		return -1;
++
++	if (gcm_ctx->ctr)
++		{
++		if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
++						in_len - bulk, gcm_ctx->ctr))
++			return -1;
++		}
++	else
++		{
++		if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
++					  in_len - bulk))
++			return -1;
++		}
++
++	CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
++	return in_len + gcm_ctx->tag_len;
++	}
++
++static ssize_t aead_aes_128_gcm_open(const EVP_AEAD_CTX *ctx,
++	unsigned char *out, size_t max_out_len,
++	const unsigned char *nonce, size_t nonce_len,
++	const unsigned char *in, size_t in_len,
++	const unsigned char *ad, size_t ad_len)
++	{
++	size_t bulk = 0;
++	const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state;
++	unsigned char tag[EVP_AEAD_AES_128_GCM_TAG_LEN];
++	size_t out_len;
++	GCM128_CONTEXT gcm;
++
++	if (in_len < gcm_ctx->tag_len)
++		{
++		EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT);
++		return -1;
++		}
++
++	out_len = in_len - gcm_ctx->tag_len;
++
++	if (max_out_len < out_len)
++		{
++		EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BUFFER_TOO_SMALL);
++		return -1;
++		}
++
++	memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
++	CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
++
++	if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
++		return -1;
++
++	if (gcm_ctx->ctr)
++		{
++		if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
++						in_len-bulk-gcm_ctx->tag_len,
++						gcm_ctx->ctr))
++			return -1;
++		}
++	else
++		{
++		if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
++					  in_len - bulk - gcm_ctx->tag_len))
++			return -1;
++		}
++
++	CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
++	if (CRYPTO_memcmp(tag, in + out_len, gcm_ctx->tag_len) != 0)
++		{
++		EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT);
++		return -1;
++		}
++
++	return out_len;
++	}
++
++static const EVP_AEAD aead_aes_128_gcm = {
++	16,  /* key len */
++	12,  /* nonce len */
++	EVP_AEAD_AES_128_GCM_TAG_LEN,  /* overhead */
++	EVP_AEAD_AES_128_GCM_TAG_LEN,  /* max tag length */
++
++	aead_aes_128_gcm_init,
++	aead_aes_128_gcm_cleanup,
++	aead_aes_128_gcm_seal,
++	aead_aes_128_gcm_open,
++};
++
++const EVP_AEAD *EVP_aead_aes_128_gcm()
++	{
++	return &aead_aes_128_gcm;
++	}
++
+ #endif
+ #endif
+--- ./crypto/evp/e_chacha20poly1305.c.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/evp/e_chacha20poly1305.c	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,261 @@
++/* ====================================================================
++ * Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#include <stdint.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
++
++#include <openssl/chacha.h>
++#include <openssl/poly1305.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include "evp_locl.h"
++
++#define POLY1305_TAG_LEN 16
++#define CHACHA20_NONCE_LEN 8
++
++struct aead_chacha20_poly1305_ctx
++	{
++	unsigned char key[32];
++	unsigned char tag_len;
++	};
++
++static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, size_t tag_len)
++	{
++	struct aead_chacha20_poly1305_ctx *c20_ctx;
++
++	if (tag_len == 0)
++		tag_len = POLY1305_TAG_LEN;
++
++	if (tag_len > POLY1305_TAG_LEN)
++		{
++		EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_INIT, EVP_R_TOO_LARGE);
++		return 0;
++		}
++
++	if (key_len != sizeof(c20_ctx->key))
++		return 0;  /* internal error - EVP_AEAD_CTX_init should catch this. */
++
++	c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
++	if (c20_ctx == NULL)
++		return 0;
++
++	memcpy(&c20_ctx->key[0], key, key_len);
++	c20_ctx->tag_len = tag_len;
++	ctx->aead_state = c20_ctx;
++
++	return 1;
++	}
++
++static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx)
++	{
++	struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
++	OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
++	OPENSSL_free(c20_ctx);
++	}
++
++static void poly1305_update_with_length(poly1305_state *poly1305,
++	const unsigned char *data, size_t data_len)
++	{
++	size_t j = data_len;
++	unsigned char length_bytes[8];
++	unsigned i;
++
++	for (i = 0; i < sizeof(length_bytes); i++)
++		{
++		length_bytes[i] = j;
++		j >>= 8;
++		}
++
++	CRYPTO_poly1305_update(poly1305, data, data_len);
++	CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
++}
++
++static ssize_t aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx,
++	unsigned char *out, size_t max_out_len,
++	const unsigned char *nonce, size_t nonce_len,
++	const unsigned char *in, size_t in_len,
++	const unsigned char *ad, size_t ad_len)
++	{
++	const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
++	unsigned char poly1305_key[32];
++	poly1305_state poly1305;
++	const uint64_t in_len_64 = in_len;
++
++	/* The underlying ChaCha implementation may not overflow the block
++	 * counter into the second counter word. Therefore we disallow
++	 * individual operations that work on more than 2TB at a time.
++	 * |in_len_64| is needed because, on 32-bit platforms, size_t is only
++	 * 32-bits and this produces a warning because it's always false.
++	 * Casting to uint64_t inside the conditional is not sufficient to stop
++	 * the warning. */
++	if (in_len_64 >= (1ull << 32)*64-64)
++		{
++		EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_TOO_LARGE);
++		return -1;
++		}
++
++	if (max_out_len < in_len + c20_ctx->tag_len)
++		{
++		EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_BUFFER_TOO_SMALL);
++		return -1;
++		}
++
++	if (nonce_len != CHACHA20_NONCE_LEN)
++		{
++		EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_IV_TOO_LARGE);
++		return -1;
++		}
++
++	memset(poly1305_key, 0, sizeof(poly1305_key));
++	CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), c20_ctx->key, nonce, 0);
++
++	CRYPTO_poly1305_init(&poly1305, poly1305_key);
++	poly1305_update_with_length(&poly1305, ad, ad_len);
++	CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
++	poly1305_update_with_length(&poly1305, out, in_len);
++
++	if (c20_ctx->tag_len != POLY1305_TAG_LEN)
++		{
++		unsigned char tag[POLY1305_TAG_LEN];
++		CRYPTO_poly1305_finish(&poly1305, tag);
++		memcpy(out + in_len, tag, c20_ctx->tag_len);
++		return in_len + c20_ctx->tag_len;
++		}
++
++	CRYPTO_poly1305_finish(&poly1305, out + in_len);
++	return in_len + POLY1305_TAG_LEN;
++	}
++
++static ssize_t aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx,
++	unsigned char *out, size_t max_out_len,
++	const unsigned char *nonce, size_t nonce_len,
++	const unsigned char *in, size_t in_len,
++	const unsigned char *ad, size_t ad_len)
++	{
++	const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
++	unsigned char mac[POLY1305_TAG_LEN];
++	unsigned char poly1305_key[32];
++	size_t out_len;
++	poly1305_state poly1305;
++	const uint64_t in_len_64 = in_len;
++
++	if (in_len < c20_ctx->tag_len)
++		{
++		EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_BAD_DECRYPT);
++		return -1;
++		}
++
++	/* The underlying ChaCha implementation may not overflow the block
++	 * counter into the second counter word. Therefore we disallow
++	 * individual operations that work on more than 2TB at a time.
++	 * |in_len_64| is needed because, on 32-bit platforms, size_t is only
++	 * 32-bits and this produces a warning because it's always false.
++	 * Casting to uint64_t inside the conditional is not sufficient to stop
++	 * the warning. */
++	if (in_len_64 >= (1ull << 32)*64-64)
++		{
++		EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_TOO_LARGE);
++		return -1;
++		}
++
++	if (nonce_len != CHACHA20_NONCE_LEN)
++		{
++		EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_IV_TOO_LARGE);
++		return -1;
++		}
++
++	out_len = in_len - c20_ctx->tag_len;
++
++	if (max_out_len < out_len)
++		{
++		EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_BUFFER_TOO_SMALL);
++		return -1;
++		}
++
++	memset(poly1305_key, 0, sizeof(poly1305_key));
++	CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), c20_ctx->key, nonce, 0);
++
++	CRYPTO_poly1305_init(&poly1305, poly1305_key);
++	poly1305_update_with_length(&poly1305, ad, ad_len);
++	poly1305_update_with_length(&poly1305, in, out_len);
++	CRYPTO_poly1305_finish(&poly1305, mac);
++
++	if (CRYPTO_memcmp(mac, in + out_len, c20_ctx->tag_len) != 0)
++		{
++		EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_BAD_DECRYPT);
++		return -1;
++		}
++
++	CRYPTO_chacha_20(out, in, out_len, c20_ctx->key, nonce, 1);
++	return out_len;
++	}
++
++static const EVP_AEAD aead_chacha20_poly1305 =
++	{
++	32,  /* key len */
++	CHACHA20_NONCE_LEN,   /* nonce len */
++	POLY1305_TAG_LEN,  /* overhead */
++	POLY1305_TAG_LEN,  /* max tag length */
++
++	aead_chacha20_poly1305_init,
++	aead_chacha20_poly1305_cleanup,
++	aead_chacha20_poly1305_seal,
++	aead_chacha20_poly1305_open,
++	};
++
++const EVP_AEAD *EVP_aead_chacha20_poly1305()
++	{
++	return &aead_chacha20_poly1305;
++	}
++
++#endif  /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
+--- ./crypto/evp/evp_err.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./crypto/evp/evp_err.c	2014-05-19 10:46:17.000000000 +0200
+@@ -70,6 +70,14 @@
+ 
+ static ERR_STRING_DATA EVP_str_functs[]=
+ 	{
++{ERR_FUNC(EVP_F_AEAD_AES_128_GCM_INIT),	"AEAD_AES_128_GCM_INIT"},
++{ERR_FUNC(EVP_F_AEAD_AES_128_GCM_OPEN),	"AEAD_AES_128_GCM_OPEN"},
++{ERR_FUNC(EVP_F_AEAD_AES_128_GCM_SEAL),	"AEAD_AES_128_GCM_SEAL"},
++{ERR_FUNC(EVP_F_AEAD_CHACHA20_POLY1305_INIT),	"AEAD_CHACHA20_POLY1305_INIT"},
++{ERR_FUNC(EVP_F_AEAD_CHACHA20_POLY1305_OPEN),	"AEAD_CHACHA20_POLY1305_OPEN"},
++{ERR_FUNC(EVP_F_AEAD_CHACHA20_POLY1305_SEAL),	"AEAD_CHACHA20_POLY1305_SEAL"},
++{ERR_FUNC(EVP_F_AEAD_CTX_OPEN),	"AEAD_CTX_OPEN"},
++{ERR_FUNC(EVP_F_AEAD_CTX_SEAL),	"AEAD_CTX_SEAL"},
+ {ERR_FUNC(EVP_F_AESNI_INIT_KEY),	"AESNI_INIT_KEY"},
+ {ERR_FUNC(EVP_F_AESNI_XTS_CIPHER),	"AESNI_XTS_CIPHER"},
+ {ERR_FUNC(EVP_F_AES_INIT_KEY),	"AES_INIT_KEY"},
+@@ -84,6 +92,7 @@
+ {ERR_FUNC(EVP_F_DSA_PKEY2PKCS8),	"DSA_PKEY2PKCS8"},
+ {ERR_FUNC(EVP_F_ECDSA_PKEY2PKCS8),	"ECDSA_PKEY2PKCS8"},
+ {ERR_FUNC(EVP_F_ECKEY_PKEY2PKCS8),	"ECKEY_PKEY2PKCS8"},
++{ERR_FUNC(EVP_F_EVP_AEAD_CTX_INIT),	"EVP_AEAD_CTX_init"},
+ {ERR_FUNC(EVP_F_EVP_CIPHERINIT_EX),	"EVP_CipherInit_ex"},
+ {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_COPY),	"EVP_CIPHER_CTX_copy"},
+ {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_CTRL),	"EVP_CIPHER_CTX_ctrl"},
+@@ -202,10 +211,12 @@
+ {ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no verify function configured"},
+ {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
+ {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED),"operaton not initialized"},
++{ERR_REASON(EVP_R_OUTPUT_ALIASES_INPUT)  ,"output aliases input"},
+ {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8 unknown broken type"},
+ {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"},
+ {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"},
+ {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
++{ERR_REASON(EVP_R_TAG_TOO_LARGE)         ,"tag too large"},
+ {ERR_REASON(EVP_R_TOO_LARGE)             ,"too large"},
+ {ERR_REASON(EVP_R_UNKNOWN_CIPHER)        ,"unknown cipher"},
+ {ERR_REASON(EVP_R_UNKNOWN_DIGEST)        ,"unknown digest"},
+--- ./crypto/evp/evp.h.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./crypto/evp/evp.h	2014-05-19 10:46:17.000000000 +0200
+@@ -1242,6 +1242,114 @@
+ 	int (*ctrl_str)(EVP_PKEY_CTX *ctx,
+ 					const char *type, const char *value));
+ 
++/* Authenticated Encryption with Additional Data.
++ *
++ * AEAD couples confidentiality and integrity in a single primtive. AEAD
++ * algorithms take a key and then can seal and open individual messages. Each
++ * message has a unique, per-message nonce and, optionally, additional data
++ * which is authenticated but not included in the output. */
++
++struct evp_aead_st;
++typedef struct evp_aead_st EVP_AEAD;
++
++#ifndef OPENSSL_NO_AES
++/* EVP_aes_128_gcm is AES-128 in Galois Counter Mode. */
++const EVP_AEAD *EVP_aead_aes_128_gcm(void);
++#endif
++
++#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
++/* EVP_aead_chacha20_poly1305 is ChaCha20 with a Poly1305 authenticator. */
++const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
++#endif
++
++/* EVP_AEAD_key_length returns the length, in bytes, of the keys used by
++ * |aead|. */
++size_t EVP_AEAD_key_length(const EVP_AEAD *aead);
++
++/* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce
++ * for |aead|. */
++size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);
++
++/* EVP_AEAD_max_overhead returns the maximum number of additional bytes added
++ * by the act of sealing data with |aead|. */
++size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);
++
++/* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This
++ * is the largest value that can be passed as |tag_len| to
++ * |EVP_AEAD_CTX_init|. */
++size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);
++
++/* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
++ * and message-independent IV. */
++typedef struct evp_aead_ctx_st {
++	const EVP_AEAD *aead;
++	/* aead_state is an opaque pointer to whatever state the AEAD needs to
++	 * maintain. */
++	void *aead_state;
++} EVP_AEAD_CTX;
++
++#define EVP_AEAD_DEFAULT_TAG_LENGTH 0
++
++/* EVP_AEAD_init initializes |ctx| for the given AEAD algorithm from |impl|.
++ * The |impl| argument may be NULL to choose the default implementation.
++ * Authentication tags may be truncated by passing a size as |tag_len|. A
++ * |tag_len| of zero indicates the default tag length and this is defined as
++ * EVP_AEAD_DEFAULT_TAG_LENGTH for readability.
++ * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. */
++int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
++		      const unsigned char *key, size_t key_len,
++		      size_t tag_len, ENGINE *impl);
++
++/* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. */
++void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
++
++/* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
++ * authenticates |ad_len| bytes from |ad| and writes the result to |out|,
++ * returning the number of bytes written, or -1 on error.
++ *
++ * This function may be called (with the same EVP_AEAD_CTX) concurrently with
++ * itself or EVP_AEAD_CTX_open.
++ *
++ * At most |max_out_len| bytes are written to |out| and, in order to ensure
++ * success, |max_out_len| should be |in_len| plus the result of
++ * EVP_AEAD_overhead.
++ *
++ * The length of |nonce|, |nonce_len|, must be equal to the result of
++ * EVP_AEAD_nonce_length for this AEAD.
++ *
++ * EVP_AEAD_CTX_seal never results in a partial output. If |max_out_len| is
++ * insufficient, -1 will be returned.
++ *
++ * If |in| and |out| alias then |out| must be <= |in|. */
++ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
++			  unsigned char *out, size_t max_out_len,
++			  const unsigned char *nonce, size_t nonce_len,
++			  const unsigned char *in, size_t in_len,
++			  const unsigned char *ad, size_t ad_len);
++
++/* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes
++ * from |ad| and decrypts at most |in_len| bytes into |out|. It returns the
++ * number of bytes written, or -1 on error.
++ *
++ * This function may be called (with the same EVP_AEAD_CTX) concurrently with
++ * itself or EVP_AEAD_CTX_seal.
++ *
++ * At most |in_len| bytes are written to |out|. In order to ensure success,
++ * |max_out_len| should be at least |in_len|.
++ *
++ * The length of |nonce|, |nonce_len|, must be equal to the result of
++ * EVP_AEAD_nonce_length for this AEAD.
++ *
++ * EVP_AEAD_CTX_open never results in a partial output. If |max_out_len| is
++ * insufficient, -1 will be returned.
++ *
++ * If |in| and |out| alias then |out| must be <= |in|. */
++ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx,
++			  unsigned char *out, size_t max_out_len,
++			  const unsigned char *nonce, size_t nonce_len,
++			  const unsigned char *in, size_t in_len,
++			  const unsigned char *ad, size_t ad_len);
++
+ void EVP_add_alg_module(void);
+ 
+ /* BEGIN ERROR CODES */
+@@ -1253,6 +1361,14 @@
+ /* Error codes for the EVP functions. */
+ 
+ /* Function codes. */
++#define EVP_F_AEAD_AES_128_GCM_INIT			 183
++#define EVP_F_AEAD_AES_128_GCM_OPEN			 181
++#define EVP_F_AEAD_AES_128_GCM_SEAL			 182
++#define EVP_F_AEAD_CHACHA20_POLY1305_INIT		 187
++#define EVP_F_AEAD_CHACHA20_POLY1305_OPEN		 184
++#define EVP_F_AEAD_CHACHA20_POLY1305_SEAL		 183
++#define EVP_F_AEAD_CTX_OPEN				 185
++#define EVP_F_AEAD_CTX_SEAL				 186
+ #define EVP_F_AESNI_INIT_KEY				 165
+ #define EVP_F_AESNI_XTS_CIPHER				 176
+ #define EVP_F_AES_INIT_KEY				 133
+@@ -1267,6 +1383,7 @@
+ #define EVP_F_DSA_PKEY2PKCS8				 135
+ #define EVP_F_ECDSA_PKEY2PKCS8				 129
+ #define EVP_F_ECKEY_PKEY2PKCS8				 132
++#define EVP_F_EVP_AEAD_CTX_INIT				 180
+ #define EVP_F_EVP_CIPHERINIT_EX				 123
+ #define EVP_F_EVP_CIPHER_CTX_COPY			 163
+ #define EVP_F_EVP_CIPHER_CTX_CTRL			 124
+@@ -1382,10 +1499,12 @@
+ #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED		 105
+ #define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE	 150
+ #define EVP_R_OPERATON_NOT_INITIALIZED			 151
++#define EVP_R_OUTPUT_ALIASES_INPUT			 170
+ #define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE			 117
+ #define EVP_R_PRIVATE_KEY_DECODE_ERROR			 145
+ #define EVP_R_PRIVATE_KEY_ENCODE_ERROR			 146
+ #define EVP_R_PUBLIC_KEY_NOT_RSA			 106
++#define EVP_R_TAG_TOO_LARGE				 171
+ #define EVP_R_TOO_LARGE					 164
+ #define EVP_R_UNKNOWN_CIPHER				 160
+ #define EVP_R_UNKNOWN_DIGEST				 161
+--- ./crypto/evp/evp_locl.h.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./crypto/evp/evp_locl.h	2014-05-19 10:46:17.000000000 +0200
+@@ -348,6 +348,30 @@
+ 			     ASN1_TYPE *param,
+ 			     const EVP_CIPHER *c, const EVP_MD *md, int en_de);
+ 
++/* EVP_AEAD represents a specific AEAD algorithm. */
++struct evp_aead_st {
++	unsigned char key_len;
++	unsigned char nonce_len;
++	unsigned char overhead;
++	unsigned char max_tag_len;
++
++	int (*init) (struct evp_aead_ctx_st*, const unsigned char *key,
++		     size_t key_len, size_t tag_len);
++	void (*cleanup) (struct evp_aead_ctx_st*);
++
++	ssize_t (*seal) (const struct evp_aead_ctx_st *ctx,
++			 unsigned char *out, size_t max_out_len,
++			 const unsigned char *nonce, size_t nonce_len,
++			 const unsigned char *in, size_t in_len,
++			 const unsigned char *ad, size_t ad_len);
++
++	ssize_t (*open) (const struct evp_aead_ctx_st *ctx,
++			 unsigned char *out, size_t max_out_len,
++			 const unsigned char *nonce, size_t nonce_len,
++			 const unsigned char *in, size_t in_len,
++			 const unsigned char *ad, size_t ad_len);
++};
++
+ #ifdef OPENSSL_FIPS
+ 
+ #ifdef OPENSSL_DOING_MAKEDEPEND
+--- ./crypto/evp/Makefile.orig	2014-04-07 18:55:33.000000000 +0200
++++ ./crypto/evp/Makefile	2014-05-19 10:46:17.000000000 +0200
+@@ -29,7 +29,8 @@
+ 	c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
+ 	evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
+ 	e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c	\
+-	e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
++	e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c evp_aead.c \
++	e_chacha20poly1305.c
+ 
+ LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
+ 	e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\
+@@ -42,7 +43,7 @@
+ 	c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
+ 	evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
+ 	e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
+-	e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
++	e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o evp_aead.o e_chacha20poly1305.o
+ 
+ SRC= $(LIBSRC)
+ 
+@@ -239,6 +240,21 @@
+ e_cast.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ e_cast.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ e_cast.o: ../../include/openssl/symhacks.h ../cryptlib.h e_cast.c evp_locl.h
++e_chacha20poly1305.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++e_chacha20poly1305.o: ../../include/openssl/chacha.h
++e_chacha20poly1305.o: ../../include/openssl/crypto.h
++e_chacha20poly1305.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++e_chacha20poly1305.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
++e_chacha20poly1305.o: ../../include/openssl/obj_mac.h
++e_chacha20poly1305.o: ../../include/openssl/objects.h
++e_chacha20poly1305.o: ../../include/openssl/opensslconf.h
++e_chacha20poly1305.o: ../../include/openssl/opensslv.h
++e_chacha20poly1305.o: ../../include/openssl/ossl_typ.h
++e_chacha20poly1305.o: ../../include/openssl/poly1305.h
++e_chacha20poly1305.o: ../../include/openssl/safestack.h
++e_chacha20poly1305.o: ../../include/openssl/stack.h
++e_chacha20poly1305.o: ../../include/openssl/symhacks.h e_chacha20poly1305.c
++e_chacha20poly1305.o: evp_locl.h
+ e_des.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ e_des.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ e_des.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+@@ -258,9 +274,10 @@
+ e_des3.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ e_des3.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ e_des3.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+-e_des3.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+-e_des3.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+-e_des3.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des3.c evp_locl.h
++e_des3.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
++e_des3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++e_des3.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
++e_des3.o: ../cryptlib.h e_des3.c evp_locl.h
+ e_idea.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ e_idea.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ e_idea.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+@@ -356,6 +373,14 @@
+ evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ evp_acnf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_acnf.c
++evp_aead.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++evp_aead.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++evp_aead.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++evp_aead.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
++evp_aead.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
++evp_aead.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++evp_aead.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++evp_aead.o: ../../include/openssl/symhacks.h evp_aead.c
+ evp_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
+ evp_cnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+ evp_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+--- ./crypto/chacha/chacha_enc.c.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/chacha/chacha_enc.c	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,167 @@
++/*
++ *  Chacha stream algorithm.
++ *
++ *  Created on: Jun, 2013
++ *  Author: Elie Bursztein (elieb@google.com)
++ *
++ *  Adapted from the estream code by D. Bernstein.
++ */
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdint.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_CHACHA)
++
++#include <openssl/chacha.h>
++
++/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
++static const char sigma[16] = "expand 32-byte k";
++
++#define ROTATE(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
++#define XOR(v, w) ((v) ^ (w))
++#define PLUS(x, y) ((x) + (y))
++#define PLUSONE(v) (PLUS((v), 1))
++
++#define U32TO8_LITTLE(p, v) \
++	{ (p)[0] = (v >>  0) & 0xff; (p)[1] = (v >>  8) & 0xff; \
++	  (p)[2] = (v >> 16) & 0xff; (p)[3] = (v >> 24) & 0xff; }
++#define U8TO32_LITTLE(p)   \
++	(((uint32_t)((p)[0])      ) | ((uint32_t)((p)[1]) <<  8) | \
++	 ((uint32_t)((p)[2]) << 16) | ((uint32_t)((p)[3]) << 24)   )
++
++/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
++#define QUARTERROUND(a,b,c,d) \
++  x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]),16); \
++  x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]),12); \
++  x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]), 8); \
++  x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]), 7);
++
++typedef unsigned int uint32_t;
++
++/* chacha_core performs |num_rounds| rounds of ChaCha20 on the input words in
++ * |input| and writes the 64 output bytes to |output|. */
++static void chacha_core(unsigned char output[64], const uint32_t input[16],
++			int num_rounds)
++	{
++	uint32_t x[16];
++	int i;
++
++	memcpy(x, input, sizeof(uint32_t) * 16);
++	for (i = 20; i > 0; i -= 2)
++		{
++		QUARTERROUND( 0, 4, 8,12)
++		QUARTERROUND( 1, 5, 9,13)
++		QUARTERROUND( 2, 6,10,14)
++		QUARTERROUND( 3, 7,11,15)
++		QUARTERROUND( 0, 5,10,15)
++		QUARTERROUND( 1, 6,11,12)
++		QUARTERROUND( 2, 7, 8,13)
++		QUARTERROUND( 3, 4, 9,14)
++		}
++
++	for (i = 0; i < 16; ++i)
++		x[i] = PLUS(x[i], input[i]);
++	for (i = 0; i < 16; ++i)
++		U32TO8_LITTLE(output + 4 * i, x[i]);
++	}
++
++void CRYPTO_chacha_20(unsigned char *out,
++		      const unsigned char *in, size_t in_len,
++		      const unsigned char key[32],
++		      const unsigned char nonce[8],
++		      size_t counter)
++	{
++	uint32_t input[16];
++	unsigned char buf[64];
++	size_t todo, i;
++
++	input[0] = U8TO32_LITTLE(sigma + 0);
++	input[1] = U8TO32_LITTLE(sigma + 4);
++	input[2] = U8TO32_LITTLE(sigma + 8);
++	input[3] = U8TO32_LITTLE(sigma + 12);
++
++	input[4] = U8TO32_LITTLE(key + 0);
++	input[5] = U8TO32_LITTLE(key + 4);
++	input[6] = U8TO32_LITTLE(key + 8);
++	input[7] = U8TO32_LITTLE(key + 12);
++
++	input[8] = U8TO32_LITTLE(key + 16);
++	input[9] = U8TO32_LITTLE(key + 20);
++	input[10] = U8TO32_LITTLE(key + 24);
++	input[11] = U8TO32_LITTLE(key + 28);
++
++	input[12] = counter;
++	input[13] = ((uint64_t) counter) >> 32;
++	input[14] = U8TO32_LITTLE(nonce + 0);
++	input[15] = U8TO32_LITTLE(nonce + 4);
++
++	while (in_len > 0)
++		{
++		todo = sizeof(buf);
++		if (in_len < todo)
++			todo = in_len;
++
++		chacha_core(buf, input, 20);
++		for (i = 0; i < todo; i++)
++			out[i] = in[i] ^ buf[i];
++
++		out += todo;
++		in += todo;
++		in_len -= todo;
++
++		input[12]++;
++		if (input[12] == 0)
++			input[13]++;
++		}
++	}
++
++#endif  /* !OPENSSL_NO_CHACHA */
+--- ./crypto/chacha/chacha.h.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/chacha/chacha.h	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,85 @@
++/*
++ *  Chacha stream algorithm.
++ *
++ *  Created on: Jun, 2013
++ *  Author: Elie Bursztein (elieb@google.com)
++ *
++ *  Adapted from the estream code by D. Bernstein.
++ */
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++#ifndef HEADER_CHACHA_H
++#define HEADER_CHACHA_H
++
++#include <openssl/opensslconf.h>
++
++#if defined(OPENSSL_NO_CHACHA)
++#error ChaCha support is disabled.
++#endif
++
++#include <stddef.h>
++
++#ifdef  __cplusplus
++extern "C" {
++#endif
++
++/* CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
++ * nonce and writes the result to |out|, which may be equal to |in|. The
++ * initial block counter is specified by |counter|. */
++void CRYPTO_chacha_20(unsigned char *out,
++		      const unsigned char *in, size_t in_len,
++		      const unsigned char key[32],
++		      const unsigned char nonce[8],
++		      size_t counter);
++
++#ifdef  __cplusplus
++}
++#endif
++
++#endif
+--- ./crypto/chacha/chachatest.c.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/chacha/chachatest.c	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,211 @@
++/*
++ *  Chacha stream algorithm.
++ *
++ *  Created on: Jun, 2013
++ *  Author: Elie Bursztein (elieb@google.com)
++ *
++ *  Adapted from the estream code by D. Bernstein.
++ */
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <stdint.h>
++
++#include <openssl/chacha.h>
++
++struct chacha_test {
++	const char *keyhex;
++	const char *noncehex;
++	const char *outhex;
++};
++
++static const struct chacha_test chacha_tests[] = {
++	{
++		"0000000000000000000000000000000000000000000000000000000000000000",
++		"0000000000000000",
++		"76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586",
++	},
++	{
++		"0000000000000000000000000000000000000000000000000000000000000001",
++		"0000000000000000",
++		"4540f05a9f1fb296d7736e7b208e3c96eb4fe1834688d2604f450952ed432d41bbe2a0b6ea7566d2a5d1e7e20d42af2c53d792b1c43fea817e9ad275ae546963",
++	},
++	{
++		"0000000000000000000000000000000000000000000000000000000000000000",
++		"0000000000000001",
++		"de9cba7bf3d69ef5e786dc63973f653a0b49e015adbff7134fcb7df137821031e85a050278a7084527214f73efc7fa5b5277062eb7a0433e445f41e31afab757",
++	},
++	{
++		"0000000000000000000000000000000000000000000000000000000000000000",
++		"0100000000000000",
++		"ef3fdfd6c61578fbf5cf35bd3dd33b8009631634d21e42ac33960bd138e50d32111e4caf237ee53ca8ad6426194a88545ddc497a0b466e7d6bbdb0041b2f586b",
++	},
++	{
++		"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
++		"0001020304050607",
++		"f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb",
++	},
++};
++
++static unsigned char hex_digit(char h)
++	{
++	if (h >= '0' && h <= '9')
++		return h - '0';
++	else if (h >= 'a' && h <= 'f')
++		return h - 'a' + 10;
++	else if (h >= 'A' && h <= 'F')
++		return h - 'A' + 10;
++	else
++		abort();
++	}
++
++static void hex_decode(unsigned char *out, const char* hex)
++	{
++	size_t j = 0;
++
++	while (*hex != 0)
++		{
++		unsigned char v = hex_digit(*hex++);
++		v <<= 4;
++		v |= hex_digit(*hex++);
++		out[j++] = v;
++		}
++	}
++
++static void hexdump(unsigned char *a, size_t len)
++	{
++	size_t i;
++
++	for (i = 0; i < len; i++)
++		printf("%02x", a[i]);
++	}
++
++/* misalign returns a pointer that points 0 to 15 bytes into |in| such that the
++ * returned pointer has alignment 1 mod 16. */
++static void* misalign(void* in)
++	{
++	intptr_t x = (intptr_t) in;
++	x += (17 - (x % 16)) % 16;
++	return (void*) x;
++	}
++
++int main()
++	{
++	static const unsigned num_tests =
++		sizeof(chacha_tests) / sizeof(struct chacha_test);
++	unsigned i;
++	unsigned char key_bytes[32 + 16];
++	unsigned char nonce_bytes[8 + 16] = {0};
++
++	unsigned char *key = misalign(key_bytes);
++	unsigned char *nonce = misalign(nonce_bytes);
++
++	for (i = 0; i < num_tests; i++)
++		{
++		const struct chacha_test *test = &chacha_tests[i];
++		unsigned char *expected, *out_bytes, *zero_bytes, *out, *zeros;
++		size_t len = strlen(test->outhex);
++
++		if (strlen(test->keyhex) != 32*2 ||
++		    strlen(test->noncehex) != 8*2 ||
++		    (len & 1) == 1)
++			return 1;
++
++		len /= 2;
++
++		hex_decode(key, test->keyhex);
++		hex_decode(nonce, test->noncehex);
++
++		expected = malloc(len);
++		out_bytes = malloc(len+16);
++		zero_bytes = malloc(len+16);
++		/* Attempt to test unaligned inputs. */
++		out = misalign(out_bytes);
++		zeros = misalign(zero_bytes);
++		memset(zeros, 0, len);
++
++		hex_decode(expected, test->outhex);
++		CRYPTO_chacha_20(out, zeros, len, key, nonce, 0);
++
++		if (memcmp(out, expected, len) != 0)
++			{
++			printf("ChaCha20 test #%d failed.\n", i);
++			printf("got:      ");
++			hexdump(out, len);
++			printf("\nexpected: ");
++			hexdump(expected, len);
++			printf("\n");
++			return 1;
++			}
++
++		/* The last test has a large output. We test whether the
++		 * counter works as expected by skipping the first 64 bytes of
++		 * it. */
++		if (i == num_tests - 1)
++			{
++			CRYPTO_chacha_20(out, zeros, len - 64, key, nonce, 1);
++			if (memcmp(out, expected + 64, len - 64) != 0)
++				{
++				printf("ChaCha20 skip test failed.\n");
++				return 1;
++				}
++			}
++
++		free(expected);
++		free(zero_bytes);
++		free(out_bytes);
++		}
++
++
++	printf("PASS\n");
++	return 0;
++	}
+--- ./crypto/chacha/chacha_vec.c.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/chacha/chacha_vec.c	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,345 @@
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++/* This implementation is by Ted Krovetz and was submitted to SUPERCOP and
++ * marked as public domain. It was been altered to allow for non-aligned inputs
++ * and to allow the block counter to be passed in specifically. */
++
++#include <string.h>
++#include <stdint.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_CHACHA)
++
++#include <openssl/chacha.h>
++
++#ifndef CHACHA_RNDS
++#define CHACHA_RNDS 20    /* 8 (high speed), 20 (conservative), 12 (middle) */
++#endif
++
++/* Architecture-neutral way to specify 16-byte vector of ints              */
++typedef unsigned vec __attribute__ ((vector_size (16)));
++
++/* This implementation is designed for Neon, SSE and AltiVec machines. The
++ * following specify how to do certain vector operations efficiently on
++ * each architecture, using intrinsics.
++ * This implementation supports parallel processing of multiple blocks,
++ * including potentially using general-purpose registers.
++ */
++#if __ARM_NEON__
++#include <arm_neon.h>
++#define GPR_TOO   1
++#define VBPI      2
++#define ONE       (vec)vsetq_lane_u32(1,vdupq_n_u32(0),0)
++#define LOAD(m)   (vec)(*((vec*)(m)))
++#define STORE(m,r) (*((vec*)(m))) = (r)
++#define ROTV1(x)  (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,1)
++#define ROTV2(x)  (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,2)
++#define ROTV3(x)  (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,3)
++#define ROTW16(x) (vec)vrev32q_u16((uint16x8_t)x)
++#if __clang__
++#define ROTW7(x)  (x << ((vec){ 7, 7, 7, 7})) ^ (x >> ((vec){25,25,25,25}))
++#define ROTW8(x)  (x << ((vec){ 8, 8, 8, 8})) ^ (x >> ((vec){24,24,24,24}))
++#define ROTW12(x) (x << ((vec){12,12,12,12})) ^ (x >> ((vec){20,20,20,20}))
++#else
++#define ROTW7(x)  (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,7),(uint32x4_t)x,25)
++#define ROTW8(x)  (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,8),(uint32x4_t)x,24)
++#define ROTW12(x) (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,12),(uint32x4_t)x,20)
++#endif
++#elif __SSE2__
++#include <emmintrin.h>
++#define GPR_TOO   0
++#if __clang__
++#define VBPI      4
++#else
++#define VBPI      3
++#endif
++#define ONE       (vec)_mm_set_epi32(0,0,0,1)
++#define LOAD(m)   (vec)_mm_loadu_si128((__m128i*)(m))
++#define STORE(m,r) _mm_storeu_si128((__m128i*)(m), (__m128i) (r))
++#define ROTV1(x)  (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(0,3,2,1))
++#define ROTV2(x)  (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(1,0,3,2))
++#define ROTV3(x)  (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(2,1,0,3))
++#define ROTW7(x)  (vec)(_mm_slli_epi32((__m128i)x, 7) ^ _mm_srli_epi32((__m128i)x,25))
++#define ROTW12(x) (vec)(_mm_slli_epi32((__m128i)x,12) ^ _mm_srli_epi32((__m128i)x,20))
++#if __SSSE3__
++#include <tmmintrin.h>
++#define ROTW8(x)  (vec)_mm_shuffle_epi8((__m128i)x,_mm_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))
++#define ROTW16(x) (vec)_mm_shuffle_epi8((__m128i)x,_mm_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))
++#else
++#define ROTW8(x)  (vec)(_mm_slli_epi32((__m128i)x, 8) ^ _mm_srli_epi32((__m128i)x,24))
++#define ROTW16(x) (vec)(_mm_slli_epi32((__m128i)x,16) ^ _mm_srli_epi32((__m128i)x,16))
++#endif
++#else
++#error -- Implementation supports only machines with neon or SSE2
++#endif
++
++#ifndef REVV_BE
++#define REVV_BE(x)  (x)
++#endif
++
++#ifndef REVW_BE
++#define REVW_BE(x)  (x)
++#endif
++
++#define BPI      (VBPI + GPR_TOO)  /* Blocks computed per loop iteration   */
++
++#define DQROUND_VECTORS(a,b,c,d)                \
++    a += b; d ^= a; d = ROTW16(d);              \
++    c += d; b ^= c; b = ROTW12(b);              \
++    a += b; d ^= a; d = ROTW8(d);               \
++    c += d; b ^= c; b = ROTW7(b);               \
++    b = ROTV1(b); c = ROTV2(c);  d = ROTV3(d);  \
++    a += b; d ^= a; d = ROTW16(d);              \
++    c += d; b ^= c; b = ROTW12(b);              \
++    a += b; d ^= a; d = ROTW8(d);               \
++    c += d; b ^= c; b = ROTW7(b);               \
++    b = ROTV3(b); c = ROTV2(c); d = ROTV1(d);
++
++#define QROUND_WORDS(a,b,c,d) \
++  a = a+b; d ^= a; d = d<<16 | d>>16; \
++  c = c+d; b ^= c; b = b<<12 | b>>20; \
++  a = a+b; d ^= a; d = d<< 8 | d>>24; \
++  c = c+d; b ^= c; b = b<< 7 | b>>25;
++
++#define WRITE_XOR(in, op, d, v0, v1, v2, v3)                   \
++	STORE(op + d + 0, LOAD(in + d + 0) ^ REVV_BE(v0));      \
++	STORE(op + d + 4, LOAD(in + d + 4) ^ REVV_BE(v1));      \
++	STORE(op + d + 8, LOAD(in + d + 8) ^ REVV_BE(v2));      \
++	STORE(op + d +12, LOAD(in + d +12) ^ REVV_BE(v3));
++
++void CRYPTO_chacha_20(
++	unsigned char *out,
++	const unsigned char *in,
++	size_t inlen,
++	const unsigned char key[32],
++	const unsigned char nonce[8],
++	size_t counter)
++	{
++	unsigned iters, i, *op=(unsigned *)out, *ip=(unsigned *)in, *kp;
++#if defined(__ARM_NEON__)
++	unsigned *np;
++#endif
++	vec s0, s1, s2, s3;
++#if !defined(__ARM_NEON__) && !defined(__SSE2__)
++	__attribute__ ((aligned (16))) unsigned key[8], nonce[4];
++#endif
++	__attribute__ ((aligned (16))) unsigned chacha_const[] =
++		{0x61707865,0x3320646E,0x79622D32,0x6B206574};
++#if defined(__ARM_NEON__) || defined(__SSE2__)
++	kp = (unsigned *)key;
++#else
++	((vec *)key)[0] = REVV_BE(((vec *)key)[0]);
++	((vec *)key)[1] = REVV_BE(((vec *)key)[1]);
++	nonce[0] = REVW_BE(((unsigned *)nonce)[0]);
++	nonce[1] = REVW_BE(((unsigned *)nonce)[1]);
++	nonce[2] = REVW_BE(((unsigned *)nonce)[2]);
++	nonce[3] = REVW_BE(((unsigned *)nonce)[3]);
++	kp = (unsigned *)key;
++	np = (unsigned *)nonce;
++#endif
++#if defined(__ARM_NEON__)
++	np = (unsigned*) nonce;
++#endif
++	s0 = LOAD(chacha_const);
++	s1 = LOAD(&((vec*)kp)[0]);
++	s2 = LOAD(&((vec*)kp)[1]);
++	s3 = (vec){
++		counter & 0xffffffff,
++#if __ARM_NEON__
++		0,  /* can't right-shift 32 bits on a 32-bit system. */
++#else
++		counter >> 32,
++#endif
++		((uint32_t*)nonce)[0],
++		((uint32_t*)nonce)[1]
++	};
++
++	for (iters = 0; iters < inlen/(BPI*64); iters++)
++		{
++#if GPR_TOO
++		register unsigned x0, x1, x2, x3, x4, x5, x6, x7, x8,
++				  x9, x10, x11, x12, x13, x14, x15;
++#endif
++#if VBPI > 2
++		vec v8,v9,v10,v11;
++#endif
++#if VBPI > 3
++		vec v12,v13,v14,v15;
++#endif
++
++		vec v0,v1,v2,v3,v4,v5,v6,v7;
++		v4 = v0 = s0; v5 = v1 = s1; v6 = v2 = s2; v3 = s3;
++		v7 = v3 + ONE;
++#if VBPI > 2
++		v8 = v4; v9 = v5; v10 = v6;
++		v11 =  v7 + ONE;
++#endif
++#if VBPI > 3
++		v12 = v8; v13 = v9; v14 = v10;
++		v15 = v11 + ONE;
++#endif
++#if GPR_TOO
++		x0 = chacha_const[0]; x1 = chacha_const[1];
++		x2 = chacha_const[2]; x3 = chacha_const[3];
++		x4 = kp[0]; x5 = kp[1]; x6  = kp[2]; x7  = kp[3];
++		x8 = kp[4]; x9 = kp[5]; x10 = kp[6]; x11 = kp[7];
++		x12 = counter+BPI*iters+(BPI-1); x13 = 0;
++		x14 = np[0]; x15 = np[1];
++#endif
++		for (i = CHACHA_RNDS/2; i; i--)
++			{
++			DQROUND_VECTORS(v0,v1,v2,v3)
++			DQROUND_VECTORS(v4,v5,v6,v7)
++#if VBPI > 2
++			DQROUND_VECTORS(v8,v9,v10,v11)
++#endif
++#if VBPI > 3
++			DQROUND_VECTORS(v12,v13,v14,v15)
++#endif
++#if GPR_TOO
++			QROUND_WORDS( x0, x4, x8,x12)
++			QROUND_WORDS( x1, x5, x9,x13)
++			QROUND_WORDS( x2, x6,x10,x14)
++			QROUND_WORDS( x3, x7,x11,x15)
++			QROUND_WORDS( x0, x5,x10,x15)
++			QROUND_WORDS( x1, x6,x11,x12)
++			QROUND_WORDS( x2, x7, x8,x13)
++			QROUND_WORDS( x3, x4, x9,x14)
++#endif
++			}
++
++		WRITE_XOR(ip, op, 0, v0+s0, v1+s1, v2+s2, v3+s3)
++		s3 += ONE;
++		WRITE_XOR(ip, op, 16, v4+s0, v5+s1, v6+s2, v7+s3)
++		s3 += ONE;
++#if VBPI > 2
++		WRITE_XOR(ip, op, 32, v8+s0, v9+s1, v10+s2, v11+s3)
++		s3 += ONE;
++#endif
++#if VBPI > 3
++		WRITE_XOR(ip, op, 48, v12+s0, v13+s1, v14+s2, v15+s3)
++		s3 += ONE;
++#endif
++		ip += VBPI*16;
++		op += VBPI*16;
++#if GPR_TOO
++		op[0]  = REVW_BE(REVW_BE(ip[0])  ^ (x0  + chacha_const[0]));
++		op[1]  = REVW_BE(REVW_BE(ip[1])  ^ (x1  + chacha_const[1]));
++		op[2]  = REVW_BE(REVW_BE(ip[2])  ^ (x2  + chacha_const[2]));
++		op[3]  = REVW_BE(REVW_BE(ip[3])  ^ (x3  + chacha_const[3]));
++		op[4]  = REVW_BE(REVW_BE(ip[4])  ^ (x4  + kp[0]));
++		op[5]  = REVW_BE(REVW_BE(ip[5])  ^ (x5  + kp[1]));
++		op[6]  = REVW_BE(REVW_BE(ip[6])  ^ (x6  + kp[2]));
++		op[7]  = REVW_BE(REVW_BE(ip[7])  ^ (x7  + kp[3]));
++		op[8]  = REVW_BE(REVW_BE(ip[8])  ^ (x8  + kp[4]));
++		op[9]  = REVW_BE(REVW_BE(ip[9])  ^ (x9  + kp[5]));
++		op[10] = REVW_BE(REVW_BE(ip[10]) ^ (x10 + kp[6]));
++		op[11] = REVW_BE(REVW_BE(ip[11]) ^ (x11 + kp[7]));
++		op[12] = REVW_BE(REVW_BE(ip[12]) ^ (x12 + BPI*iters+(BPI-1)));
++		op[13] = REVW_BE(REVW_BE(ip[13]) ^ (x13));
++		op[14] = REVW_BE(REVW_BE(ip[14]) ^ (x14 + np[0]));
++		op[15] = REVW_BE(REVW_BE(ip[15]) ^ (x15 + np[1]));
++		s3 += ONE;
++		ip += 16;
++		op += 16;
++#endif
++		}
++
++	for (iters = inlen%(BPI*64)/64; iters != 0; iters--)
++		{
++		vec v0 = s0, v1 = s1, v2 = s2, v3 = s3;
++		for (i = CHACHA_RNDS/2; i; i--)
++			{
++			DQROUND_VECTORS(v0,v1,v2,v3);
++			}
++		WRITE_XOR(ip, op, 0, v0+s0, v1+s1, v2+s2, v3+s3)
++		s3 += ONE;
++		ip += 16;
++		op += 16;
++		}
++
++	inlen = inlen % 64;
++	if (inlen)
++		{
++		__attribute__ ((aligned (16))) vec buf[4];
++		vec v0,v1,v2,v3;
++		v0 = s0; v1 = s1; v2 = s2; v3 = s3;
++		for (i = CHACHA_RNDS/2; i; i--)
++			{
++			DQROUND_VECTORS(v0,v1,v2,v3);
++			}
++
++		if (inlen >= 16)
++			{
++			STORE(op + 0, LOAD(ip + 0) ^ REVV_BE(v0 + s0));
++			if (inlen >= 32)
++				{
++				STORE(op + 4, LOAD(ip + 4) ^ REVV_BE(v1 + s1));
++				if (inlen >= 48)
++					{
++					STORE(op + 8, LOAD(ip +  8) ^
++						      REVV_BE(v2 + s2));
++					buf[3] = REVV_BE(v3 + s3);
++					}
++				else
++					buf[2] = REVV_BE(v2 + s2);
++				}
++			else
++				buf[1] = REVV_BE(v1 + s1);
++			}
++		else
++			buf[0] = REVV_BE(v0 + s0);
++
++		for (i=inlen & ~15; i<inlen; i++)
++			((char *)op)[i] = ((char *)ip)[i] ^ ((char *)buf)[i];
++		}
++	}
++
++#endif  /* !OPENSSL_NO_CHACHA */
+--- ./crypto/chacha/Makefile.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/chacha/Makefile	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,80 @@
++#
++# OpenSSL/crypto/chacha/Makefile
++#
++
++DIR=	chacha
++TOP=	../..
++CC=	cc
++CPP=    $(CC) -E
++INCLUDES=
++CFLAG=-g
++AR=		ar r
++
++CFLAGS= $(INCLUDES) $(CFLAG)
++ASFLAGS= $(INCLUDES) $(ASFLAG)
++AFLAGS= $(ASFLAGS)
++
++CHACHA_ENC=chacha_enc.o
++
++GENERAL=Makefile
++TEST=chachatest.o
++APPS=
++
++LIB=$(TOP)/libcrypto.a
++LIBSRC=chacha_vec.c
++LIBOBJ=$(CHACHA_ENC)
++
++SRC= $(LIBSRC)
++
++EXHEADER=chacha.h
++HEADER=	$(EXHEADER)
++
++ALL=    $(GENERAL) $(SRC) $(HEADER)
++
++top:
++	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
++
++all:	lib
++
++lib:	$(LIBOBJ)
++	$(AR) $(LIB) $(LIBOBJ)
++	$(RANLIB) $(LIB) || echo Never mind.
++	@touch lib
++
++files:
++	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
++
++links:
++	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
++	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
++	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
++
++install:
++	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
++	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
++	do  \
++	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
++	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
++	done;
++
++tags:
++	ctags $(SRC)
++
++tests:
++
++lint:
++	lint -DLINT $(INCLUDES) $(SRC)>fluff
++
++depend:
++	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
++	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
++
++dclean:
++	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
++	mv -f Makefile.new $(MAKEFILE)
++
++clean:
++	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
++
++# DO NOT DELETE THIS LINE -- make depend depends on it.
++
+--- ./crypto/poly1305/Makefile.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/poly1305/Makefile	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,81 @@
++#
++# OpenSSL/crypto/poly1305/Makefile
++#
++
++DIR=	poly1305
++TOP=	../..
++CC=	cc
++CPP=    $(CC) -E
++INCLUDES=
++CFLAG=-g
++AR=		ar r
++
++POLY1305=poly1305_vec.o
++
++CFLAGS= $(INCLUDES) $(CFLAG)
++ASFLAGS= $(INCLUDES) $(ASFLAG)
++AFLAGS= $(ASFLAGS)
++
++GENERAL=Makefile
++TEST=
++APPS=
++
++LIB=$(TOP)/libcrypto.a
++LIBSRC=poly1305_vec.c
++LIBOBJ=$(POLY1305)
++
++SRC= $(LIBSRC)
++
++EXHEADER=poly1305.h
++HEADER=	$(EXHEADER)
++
++ALL=    $(GENERAL) $(SRC) $(HEADER)
++
++top:
++	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
++
++all:	lib
++
++lib:	$(LIBOBJ)
++	$(AR) $(LIB) $(LIBOBJ)
++	$(RANLIB) $(LIB) || echo Never mind.
++	@touch lib
++
++files:
++	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
++
++links:
++	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
++	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
++	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
++
++install:
++	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
++	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
++	do  \
++	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
++	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
++	done;
++
++tags:
++	ctags $(SRC)
++
++tests:
++
++lint:
++	lint -DLINT $(INCLUDES) $(SRC)>fluff
++
++depend:
++	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
++	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
++
++dclean:
++	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
++	mv -f Makefile.new $(MAKEFILE)
++
++clean:
++	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
++
++# DO NOT DELETE THIS LINE -- make depend depends on it.
++
++poly1305_vec.o: ../../include/openssl/poly1305.h poly1305_vec.c
+--- ./crypto/poly1305/poly1305_arm_asm.s.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/poly1305/poly1305_arm_asm.s	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,2009 @@
++# This implementation was taken from the public domain, neon2 version in
++# SUPERCOP by D. J. Bernstein and Peter Schwabe.
++
++# qhasm: int32 input_0
++
++# qhasm: int32 input_1
++
++# qhasm: int32 input_2
++
++# qhasm: int32 input_3
++
++# qhasm: stack32 input_4
++
++# qhasm: stack32 input_5
++
++# qhasm: stack32 input_6
++
++# qhasm: stack32 input_7
++
++# qhasm: int32 caller_r4
++
++# qhasm: int32 caller_r5
++
++# qhasm: int32 caller_r6
++
++# qhasm: int32 caller_r7
++
++# qhasm: int32 caller_r8
++
++# qhasm: int32 caller_r9
++
++# qhasm: int32 caller_r10
++
++# qhasm: int32 caller_r11
++
++# qhasm: int32 caller_r12
++
++# qhasm: int32 caller_r14
++
++# qhasm: reg128 caller_q4
++
++# qhasm: reg128 caller_q5
++
++# qhasm: reg128 caller_q6
++
++# qhasm: reg128 caller_q7
++
++# qhasm: startcode
++.fpu neon
++.text
++
++# qhasm: reg128 r0
++
++# qhasm: reg128 r1
++
++# qhasm: reg128 r2
++
++# qhasm: reg128 r3
++
++# qhasm: reg128 r4
++
++# qhasm: reg128 x01
++
++# qhasm: reg128 x23
++
++# qhasm: reg128 x4
++
++# qhasm: reg128 y0
++
++# qhasm: reg128 y12
++
++# qhasm: reg128 y34
++
++# qhasm: reg128 5y12
++
++# qhasm: reg128 5y34
++
++# qhasm: stack128 y0_stack
++
++# qhasm: stack128 y12_stack
++
++# qhasm: stack128 y34_stack
++
++# qhasm: stack128 5y12_stack
++
++# qhasm: stack128 5y34_stack
++
++# qhasm: reg128 z0
++
++# qhasm: reg128 z12
++
++# qhasm: reg128 z34
++
++# qhasm: reg128 5z12
++
++# qhasm: reg128 5z34
++
++# qhasm: stack128 z0_stack
++
++# qhasm: stack128 z12_stack
++
++# qhasm: stack128 z34_stack
++
++# qhasm: stack128 5z12_stack
++
++# qhasm: stack128 5z34_stack
++
++# qhasm: stack128 two24
++
++# qhasm: int32 ptr
++
++# qhasm: reg128 c01
++
++# qhasm: reg128 c23
++
++# qhasm: reg128 d01
++
++# qhasm: reg128 d23
++
++# qhasm: reg128 t0
++
++# qhasm: reg128 t1
++
++# qhasm: reg128 t2
++
++# qhasm: reg128 t3
++
++# qhasm: reg128 t4
++
++# qhasm: reg128 mask
++
++# qhasm: reg128 u0
++
++# qhasm: reg128 u1
++
++# qhasm: reg128 u2
++
++# qhasm: reg128 u3
++
++# qhasm: reg128 u4
++
++# qhasm: reg128 v01
++
++# qhasm: reg128 mid
++
++# qhasm: reg128 v23
++
++# qhasm: reg128 v4
++
++# qhasm: int32 len
++
++# qhasm: qpushenter crypto_onetimeauth_poly1305_neon2_blocks
++.align 4
++.global openssl_poly1305_neon2_blocks
++.type openssl_poly1305_neon2_blocks STT_FUNC
++openssl_poly1305_neon2_blocks:
++vpush {q4,q5,q6,q7}
++mov r12,sp
++sub sp,sp,#192
++and sp,sp,#0xffffffe0
++
++# qhasm: len = input_3
++# asm 1: mov >len=int32#4,<input_3=int32#4
++# asm 2: mov >len=r3,<input_3=r3
++mov r3,r3
++
++# qhasm: new y0
++
++# qhasm: y0  = mem64[input_1]y0[1]; input_1 += 8
++# asm 1: vld1.8 {<y0=reg128#1%bot},[<input_1=int32#2]!
++# asm 2: vld1.8 {<y0=d0},[<input_1=r1]!
++vld1.8 {d0},[r1]!
++
++# qhasm: y12 = mem128[input_1]; input_1 += 16
++# asm 1: vld1.8 {>y12=reg128#2%bot->y12=reg128#2%top},[<input_1=int32#2]!
++# asm 2: vld1.8 {>y12=d2->y12=d3},[<input_1=r1]!
++vld1.8 {d2-d3},[r1]!
++
++# qhasm: y34 = mem128[input_1]; input_1 += 16
++# asm 1: vld1.8 {>y34=reg128#3%bot->y34=reg128#3%top},[<input_1=int32#2]!
++# asm 2: vld1.8 {>y34=d4->y34=d5},[<input_1=r1]!
++vld1.8 {d4-d5},[r1]!
++
++# qhasm: input_1 += 8
++# asm 1: add >input_1=int32#2,<input_1=int32#2,#8
++# asm 2: add >input_1=r1,<input_1=r1,#8
++add r1,r1,#8
++
++# qhasm: new z0
++
++# qhasm: z0  = mem64[input_1]z0[1]; input_1 += 8
++# asm 1: vld1.8 {<z0=reg128#4%bot},[<input_1=int32#2]!
++# asm 2: vld1.8 {<z0=d6},[<input_1=r1]!
++vld1.8 {d6},[r1]!
++
++# qhasm: z12 = mem128[input_1]; input_1 += 16
++# asm 1: vld1.8 {>z12=reg128#5%bot->z12=reg128#5%top},[<input_1=int32#2]!
++# asm 2: vld1.8 {>z12=d8->z12=d9},[<input_1=r1]!
++vld1.8 {d8-d9},[r1]!
++
++# qhasm: z34 = mem128[input_1]; input_1 += 16
++# asm 1: vld1.8 {>z34=reg128#6%bot->z34=reg128#6%top},[<input_1=int32#2]!
++# asm 2: vld1.8 {>z34=d10->z34=d11},[<input_1=r1]!
++vld1.8 {d10-d11},[r1]!
++
++# qhasm: 2x mask = 0xffffffff
++# asm 1: vmov.i64 >mask=reg128#7,#0xffffffff
++# asm 2: vmov.i64 >mask=q6,#0xffffffff
++vmov.i64 q6,#0xffffffff
++
++# qhasm: 2x u4 = 0xff
++# asm 1: vmov.i64 >u4=reg128#8,#0xff
++# asm 2: vmov.i64 >u4=q7,#0xff
++vmov.i64 q7,#0xff
++
++# qhasm: x01 aligned= mem128[input_0];input_0+=16
++# asm 1: vld1.8 {>x01=reg128#9%bot->x01=reg128#9%top},[<input_0=int32#1,: 128]!
++# asm 2: vld1.8 {>x01=d16->x01=d17},[<input_0=r0,: 128]!
++vld1.8 {d16-d17},[r0,: 128]!
++
++# qhasm: x23 aligned= mem128[input_0];input_0+=16
++# asm 1: vld1.8 {>x23=reg128#10%bot->x23=reg128#10%top},[<input_0=int32#1,: 128]!
++# asm 2: vld1.8 {>x23=d18->x23=d19},[<input_0=r0,: 128]!
++vld1.8 {d18-d19},[r0,: 128]!
++
++# qhasm: x4  aligned= mem64[input_0]x4[1]
++# asm 1: vld1.8 {<x4=reg128#11%bot},[<input_0=int32#1,: 64]
++# asm 2: vld1.8 {<x4=d20},[<input_0=r0,: 64]
++vld1.8 {d20},[r0,: 64]
++
++# qhasm: input_0 -= 32
++# asm 1: sub >input_0=int32#1,<input_0=int32#1,#32
++# asm 2: sub >input_0=r0,<input_0=r0,#32
++sub r0,r0,#32
++
++# qhasm: 2x mask unsigned>>=6
++# asm 1: vshr.u64 >mask=reg128#7,<mask=reg128#7,#6
++# asm 2: vshr.u64 >mask=q6,<mask=q6,#6
++vshr.u64 q6,q6,#6
++
++# qhasm: 2x u4 unsigned>>= 7
++# asm 1: vshr.u64 >u4=reg128#8,<u4=reg128#8,#7
++# asm 2: vshr.u64 >u4=q7,<u4=q7,#7
++vshr.u64 q7,q7,#7
++
++# qhasm: 4x 5y12 = y12 << 2
++# asm 1: vshl.i32 >5y12=reg128#12,<y12=reg128#2,#2
++# asm 2: vshl.i32 >5y12=q11,<y12=q1,#2
++vshl.i32 q11,q1,#2
++
++# qhasm: 4x 5y34 = y34 << 2
++# asm 1: vshl.i32 >5y34=reg128#13,<y34=reg128#3,#2
++# asm 2: vshl.i32 >5y34=q12,<y34=q2,#2
++vshl.i32 q12,q2,#2
++
++# qhasm: 4x 5y12 += y12
++# asm 1: vadd.i32 >5y12=reg128#12,<5y12=reg128#12,<y12=reg128#2
++# asm 2: vadd.i32 >5y12=q11,<5y12=q11,<y12=q1
++vadd.i32 q11,q11,q1
++
++# qhasm: 4x 5y34 += y34
++# asm 1: vadd.i32 >5y34=reg128#13,<5y34=reg128#13,<y34=reg128#3
++# asm 2: vadd.i32 >5y34=q12,<5y34=q12,<y34=q2
++vadd.i32 q12,q12,q2
++
++# qhasm: 2x u4 <<= 24
++# asm 1: vshl.i64 >u4=reg128#8,<u4=reg128#8,#24
++# asm 2: vshl.i64 >u4=q7,<u4=q7,#24
++vshl.i64 q7,q7,#24
++
++# qhasm: 4x 5z12 = z12 << 2
++# asm 1: vshl.i32 >5z12=reg128#14,<z12=reg128#5,#2
++# asm 2: vshl.i32 >5z12=q13,<z12=q4,#2
++vshl.i32 q13,q4,#2
++
++# qhasm: 4x 5z34 = z34 << 2
++# asm 1: vshl.i32 >5z34=reg128#15,<z34=reg128#6,#2
++# asm 2: vshl.i32 >5z34=q14,<z34=q5,#2
++vshl.i32 q14,q5,#2
++
++# qhasm: 4x 5z12 += z12
++# asm 1: vadd.i32 >5z12=reg128#14,<5z12=reg128#14,<z12=reg128#5
++# asm 2: vadd.i32 >5z12=q13,<5z12=q13,<z12=q4
++vadd.i32 q13,q13,q4
++
++# qhasm: 4x 5z34 += z34
++# asm 1: vadd.i32 >5z34=reg128#15,<5z34=reg128#15,<z34=reg128#6
++# asm 2: vadd.i32 >5z34=q14,<5z34=q14,<z34=q5
++vadd.i32 q14,q14,q5
++
++# qhasm: new two24
++
++# qhasm: new y0_stack
++
++# qhasm: new y12_stack
++
++# qhasm: new y34_stack
++
++# qhasm: new 5y12_stack
++
++# qhasm: new 5y34_stack
++
++# qhasm: new z0_stack
++
++# qhasm: new z12_stack
++
++# qhasm: new z34_stack
++
++# qhasm: new 5z12_stack
++
++# qhasm: new 5z34_stack
++
++# qhasm: ptr = &two24
++# asm 1: lea >ptr=int32#2,<two24=stack128#1
++# asm 2: lea >ptr=r1,<two24=[sp,#0]
++add r1,sp,#0
++
++# qhasm: mem128[ptr] aligned= u4
++# asm 1: vst1.8 {<u4=reg128#8%bot-<u4=reg128#8%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<u4=d14-<u4=d15},[<ptr=r1,: 128]
++vst1.8 {d14-d15},[r1,: 128]
++
++# qhasm: r4 = u4
++# asm 1: vmov >r4=reg128#16,<u4=reg128#8
++# asm 2: vmov >r4=q15,<u4=q7
++vmov q15,q7
++
++# qhasm: r0 = u4
++# asm 1: vmov >r0=reg128#8,<u4=reg128#8
++# asm 2: vmov >r0=q7,<u4=q7
++vmov q7,q7
++
++# qhasm: ptr = &y0_stack
++# asm 1: lea >ptr=int32#2,<y0_stack=stack128#2
++# asm 2: lea >ptr=r1,<y0_stack=[sp,#16]
++add r1,sp,#16
++
++# qhasm: mem128[ptr] aligned= y0
++# asm 1: vst1.8 {<y0=reg128#1%bot-<y0=reg128#1%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<y0=d0-<y0=d1},[<ptr=r1,: 128]
++vst1.8 {d0-d1},[r1,: 128]
++
++# qhasm: ptr = &y12_stack
++# asm 1: lea >ptr=int32#2,<y12_stack=stack128#3
++# asm 2: lea >ptr=r1,<y12_stack=[sp,#32]
++add r1,sp,#32
++
++# qhasm: mem128[ptr] aligned= y12
++# asm 1: vst1.8 {<y12=reg128#2%bot-<y12=reg128#2%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<y12=d2-<y12=d3},[<ptr=r1,: 128]
++vst1.8 {d2-d3},[r1,: 128]
++
++# qhasm: ptr = &y34_stack
++# asm 1: lea >ptr=int32#2,<y34_stack=stack128#4
++# asm 2: lea >ptr=r1,<y34_stack=[sp,#48]
++add r1,sp,#48
++
++# qhasm: mem128[ptr] aligned= y34
++# asm 1: vst1.8 {<y34=reg128#3%bot-<y34=reg128#3%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<y34=d4-<y34=d5},[<ptr=r1,: 128]
++vst1.8 {d4-d5},[r1,: 128]
++
++# qhasm: ptr = &z0_stack
++# asm 1: lea >ptr=int32#2,<z0_stack=stack128#7
++# asm 2: lea >ptr=r1,<z0_stack=[sp,#96]
++add r1,sp,#96
++
++# qhasm: mem128[ptr] aligned= z0
++# asm 1: vst1.8 {<z0=reg128#4%bot-<z0=reg128#4%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<z0=d6-<z0=d7},[<ptr=r1,: 128]
++vst1.8 {d6-d7},[r1,: 128]
++
++# qhasm: ptr = &z12_stack
++# asm 1: lea >ptr=int32#2,<z12_stack=stack128#8
++# asm 2: lea >ptr=r1,<z12_stack=[sp,#112]
++add r1,sp,#112
++
++# qhasm: mem128[ptr] aligned= z12
++# asm 1: vst1.8 {<z12=reg128#5%bot-<z12=reg128#5%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<z12=d8-<z12=d9},[<ptr=r1,: 128]
++vst1.8 {d8-d9},[r1,: 128]
++
++# qhasm: ptr = &z34_stack
++# asm 1: lea >ptr=int32#2,<z34_stack=stack128#9
++# asm 2: lea >ptr=r1,<z34_stack=[sp,#128]
++add r1,sp,#128
++
++# qhasm: mem128[ptr] aligned= z34
++# asm 1: vst1.8 {<z34=reg128#6%bot-<z34=reg128#6%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<z34=d10-<z34=d11},[<ptr=r1,: 128]
++vst1.8 {d10-d11},[r1,: 128]
++
++# qhasm: ptr = &5y12_stack
++# asm 1: lea >ptr=int32#2,<5y12_stack=stack128#5
++# asm 2: lea >ptr=r1,<5y12_stack=[sp,#64]
++add r1,sp,#64
++
++# qhasm: mem128[ptr] aligned= 5y12
++# asm 1: vst1.8 {<5y12=reg128#12%bot-<5y12=reg128#12%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<5y12=d22-<5y12=d23},[<ptr=r1,: 128]
++vst1.8 {d22-d23},[r1,: 128]
++
++# qhasm: ptr = &5y34_stack
++# asm 1: lea >ptr=int32#2,<5y34_stack=stack128#6
++# asm 2: lea >ptr=r1,<5y34_stack=[sp,#80]
++add r1,sp,#80
++
++# qhasm: mem128[ptr] aligned= 5y34
++# asm 1: vst1.8 {<5y34=reg128#13%bot-<5y34=reg128#13%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<5y34=d24-<5y34=d25},[<ptr=r1,: 128]
++vst1.8 {d24-d25},[r1,: 128]
++
++# qhasm: ptr = &5z12_stack
++# asm 1: lea >ptr=int32#2,<5z12_stack=stack128#10
++# asm 2: lea >ptr=r1,<5z12_stack=[sp,#144]
++add r1,sp,#144
++
++# qhasm: mem128[ptr] aligned= 5z12
++# asm 1: vst1.8 {<5z12=reg128#14%bot-<5z12=reg128#14%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<5z12=d26-<5z12=d27},[<ptr=r1,: 128]
++vst1.8 {d26-d27},[r1,: 128]
++
++# qhasm: ptr = &5z34_stack
++# asm 1: lea >ptr=int32#2,<5z34_stack=stack128#11
++# asm 2: lea >ptr=r1,<5z34_stack=[sp,#160]
++add r1,sp,#160
++
++# qhasm: mem128[ptr] aligned= 5z34
++# asm 1: vst1.8 {<5z34=reg128#15%bot-<5z34=reg128#15%top},[<ptr=int32#2,: 128]
++# asm 2: vst1.8 {<5z34=d28-<5z34=d29},[<ptr=r1,: 128]
++vst1.8 {d28-d29},[r1,: 128]
++
++# qhasm:                       unsigned>? len - 64
++# asm 1: cmp <len=int32#4,#64
++# asm 2: cmp <len=r3,#64
++cmp r3,#64
++
++# qhasm: goto below64bytes if !unsigned>
++bls ._below64bytes
++
++# qhasm: input_2 += 32
++# asm 1: add >input_2=int32#2,<input_2=int32#3,#32
++# asm 2: add >input_2=r1,<input_2=r2,#32
++add r1,r2,#32
++
++# qhasm: mainloop2:
++._mainloop2:
++
++# qhasm:   c01 = mem128[input_2];input_2+=16 
++# asm 1: vld1.8 {>c01=reg128#1%bot->c01=reg128#1%top},[<input_2=int32#2]!
++# asm 2: vld1.8 {>c01=d0->c01=d1},[<input_2=r1]!
++vld1.8 {d0-d1},[r1]!
++
++# qhasm:   c23 = mem128[input_2];input_2+=16 
++# asm 1: vld1.8 {>c23=reg128#2%bot->c23=reg128#2%top},[<input_2=int32#2]!
++# asm 2: vld1.8 {>c23=d2->c23=d3},[<input_2=r1]!
++vld1.8 {d2-d3},[r1]!
++
++# qhasm: r4[0,1] += x01[0] unsigned*  z34[2];  r4[2,3] += x01[1] unsigned*  z34[3]
++# asm 1: vmlal.u32 <r4=reg128#16,<x01=reg128#9%bot,<z34=reg128#6%top
++# asm 2: vmlal.u32 <r4=q15,<x01=d16,<z34=d11
++vmlal.u32 q15,d16,d11
++
++# qhasm:   ptr = &z12_stack
++# asm 1: lea >ptr=int32#3,<z12_stack=stack128#8
++# asm 2: lea >ptr=r2,<z12_stack=[sp,#112]
++add r2,sp,#112
++
++# qhasm:   z12 aligned= mem128[ptr]
++# asm 1: vld1.8 {>z12=reg128#3%bot->z12=reg128#3%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>z12=d4->z12=d5},[<ptr=r2,: 128]
++vld1.8 {d4-d5},[r2,: 128]
++
++# qhasm: r4[0,1] += x01[2] unsigned* z34[0];  r4[2,3] += x01[3] unsigned* z34[1]
++# asm 1: vmlal.u32 <r4=reg128#16,<x01=reg128#9%top,<z34=reg128#6%bot
++# asm 2: vmlal.u32 <r4=q15,<x01=d17,<z34=d10
++vmlal.u32 q15,d17,d10
++
++# qhasm:   ptr = &z0_stack
++# asm 1: lea >ptr=int32#3,<z0_stack=stack128#7
++# asm 2: lea >ptr=r2,<z0_stack=[sp,#96]
++add r2,sp,#96
++
++# qhasm:   z0 aligned= mem128[ptr]
++# asm 1: vld1.8 {>z0=reg128#4%bot->z0=reg128#4%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>z0=d6->z0=d7},[<ptr=r2,: 128]
++vld1.8 {d6-d7},[r2,: 128]
++
++# qhasm: r4[0,1] += x23[0] unsigned* z12[2];  r4[2,3] += x23[1] unsigned* z12[3]
++# asm 1: vmlal.u32 <r4=reg128#16,<x23=reg128#10%bot,<z12=reg128#3%top
++# asm 2: vmlal.u32 <r4=q15,<x23=d18,<z12=d5
++vmlal.u32 q15,d18,d5
++
++# qhasm:   c01 c23 = c01[0]c01[1]c01[2]c23[2]c23[0]c23[1]c01[3]c23[3]
++# asm 1: vtrn.32 <c01=reg128#1%top,<c23=reg128#2%top
++# asm 2: vtrn.32 <c01=d1,<c23=d3
++vtrn.32 d1,d3
++
++# qhasm: r4[0,1] += x23[2] unsigned* z12[0];  r4[2,3] += x23[3] unsigned* z12[1]
++# asm 1: vmlal.u32 <r4=reg128#16,<x23=reg128#10%top,<z12=reg128#3%bot
++# asm 2: vmlal.u32 <r4=q15,<x23=d19,<z12=d4
++vmlal.u32 q15,d19,d4
++
++# qhasm: r4[0,1] +=  x4[0] unsigned* z0[0];  r4[2,3] +=  x4[1] unsigned* z0[1]
++# asm 1: vmlal.u32 <r4=reg128#16,<x4=reg128#11%bot,<z0=reg128#4%bot
++# asm 2: vmlal.u32 <r4=q15,<x4=d20,<z0=d6
++vmlal.u32 q15,d20,d6
++
++# qhasm: r3[0,1] = c23[2]<<18; r3[2,3] = c23[3]<<18 
++# asm 1: vshll.u32 >r3=reg128#5,<c23=reg128#2%top,#18
++# asm 2: vshll.u32 >r3=q4,<c23=d3,#18
++vshll.u32 q4,d3,#18
++
++# qhasm:   c01 c23 = c01[0]c23[0]c01[2]c01[3]c01[1]c23[1]c23[2]c23[3]
++# asm 1: vtrn.32 <c01=reg128#1%bot,<c23=reg128#2%bot
++# asm 2: vtrn.32 <c01=d0,<c23=d2
++vtrn.32 d0,d2
++
++# qhasm: r3[0,1] += x01[0] unsigned* z34[0];   r3[2,3] += x01[1] unsigned* z34[1]
++# asm 1: vmlal.u32 <r3=reg128#5,<x01=reg128#9%bot,<z34=reg128#6%bot
++# asm 2: vmlal.u32 <r3=q4,<x01=d16,<z34=d10
++vmlal.u32 q4,d16,d10
++
++# qhasm: r3[0,1] += x01[2] unsigned* z12[2];   r3[2,3] += x01[3] unsigned* z12[3]
++# asm 1: vmlal.u32 <r3=reg128#5,<x01=reg128#9%top,<z12=reg128#3%top
++# asm 2: vmlal.u32 <r3=q4,<x01=d17,<z12=d5
++vmlal.u32 q4,d17,d5
++
++# qhasm:   r0 = r0[1]c01[0]r0[2,3] 
++# asm 1: vext.32 <r0=reg128#8%bot,<r0=reg128#8%bot,<c01=reg128#1%bot,#1
++# asm 2: vext.32 <r0=d14,<r0=d14,<c01=d0,#1
++vext.32 d14,d14,d0,#1
++
++# qhasm: r3[0,1] += x23[0] unsigned* z12[0];   r3[2,3] += x23[1] unsigned* z12[1]
++# asm 1: vmlal.u32 <r3=reg128#5,<x23=reg128#10%bot,<z12=reg128#3%bot
++# asm 2: vmlal.u32 <r3=q4,<x23=d18,<z12=d4
++vmlal.u32 q4,d18,d4
++
++# qhasm: 								input_2 -= 64
++# asm 1: sub >input_2=int32#2,<input_2=int32#2,#64
++# asm 2: sub >input_2=r1,<input_2=r1,#64
++sub r1,r1,#64
++
++# qhasm: r3[0,1] += x23[2] unsigned* z0[0];   r3[2,3] += x23[3] unsigned* z0[1]
++# asm 1: vmlal.u32 <r3=reg128#5,<x23=reg128#10%top,<z0=reg128#4%bot
++# asm 2: vmlal.u32 <r3=q4,<x23=d19,<z0=d6
++vmlal.u32 q4,d19,d6
++
++# qhasm:   ptr = &5z34_stack
++# asm 1: lea >ptr=int32#3,<5z34_stack=stack128#11
++# asm 2: lea >ptr=r2,<5z34_stack=[sp,#160]
++add r2,sp,#160
++
++# qhasm:   5z34 aligned= mem128[ptr]
++# asm 1: vld1.8 {>5z34=reg128#6%bot->5z34=reg128#6%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>5z34=d10->5z34=d11},[<ptr=r2,: 128]
++vld1.8 {d10-d11},[r2,: 128]
++
++# qhasm: r3[0,1] +=  x4[0] unsigned*  5z34[2]; r3[2,3] +=  x4[1] unsigned*  5z34[3]
++# asm 1: vmlal.u32 <r3=reg128#5,<x4=reg128#11%bot,<5z34=reg128#6%top
++# asm 2: vmlal.u32 <r3=q4,<x4=d20,<5z34=d11
++vmlal.u32 q4,d20,d11
++
++# qhasm:   r0 = r0[1]r0[0]r0[3]r0[2] 
++# asm 1: vrev64.i32 >r0=reg128#8,<r0=reg128#8
++# asm 2: vrev64.i32 >r0=q7,<r0=q7
++vrev64.i32 q7,q7
++
++# qhasm:   r2[0,1] = c01[2]<<12; r2[2,3] = c01[3]<<12 
++# asm 1: vshll.u32 >r2=reg128#14,<c01=reg128#1%top,#12
++# asm 2: vshll.u32 >r2=q13,<c01=d1,#12
++vshll.u32 q13,d1,#12
++
++# qhasm:   		d01 = mem128[input_2];input_2+=16 
++# asm 1: vld1.8 {>d01=reg128#12%bot->d01=reg128#12%top},[<input_2=int32#2]!
++# asm 2: vld1.8 {>d01=d22->d01=d23},[<input_2=r1]!
++vld1.8 {d22-d23},[r1]!
++
++# qhasm: r2[0,1] += x01[0] unsigned* z12[2];   r2[2,3] += x01[1] unsigned* z12[3]
++# asm 1: vmlal.u32 <r2=reg128#14,<x01=reg128#9%bot,<z12=reg128#3%top
++# asm 2: vmlal.u32 <r2=q13,<x01=d16,<z12=d5
++vmlal.u32 q13,d16,d5
++
++# qhasm: r2[0,1] += x01[2] unsigned* z12[0];   r2[2,3] += x01[3] unsigned* z12[1]
++# asm 1: vmlal.u32 <r2=reg128#14,<x01=reg128#9%top,<z12=reg128#3%bot
++# asm 2: vmlal.u32 <r2=q13,<x01=d17,<z12=d4
++vmlal.u32 q13,d17,d4
++
++# qhasm: r2[0,1] += x23[0] unsigned* z0[0];   r2[2,3] += x23[1] unsigned* z0[1]
++# asm 1: vmlal.u32 <r2=reg128#14,<x23=reg128#10%bot,<z0=reg128#4%bot
++# asm 2: vmlal.u32 <r2=q13,<x23=d18,<z0=d6
++vmlal.u32 q13,d18,d6
++
++# qhasm: r2[0,1] += x23[2] unsigned*  5z34[2]; r2[2,3] += x23[3] unsigned*  5z34[3]
++# asm 1: vmlal.u32 <r2=reg128#14,<x23=reg128#10%top,<5z34=reg128#6%top
++# asm 2: vmlal.u32 <r2=q13,<x23=d19,<5z34=d11
++vmlal.u32 q13,d19,d11
++
++# qhasm: r2[0,1] +=  x4[0] unsigned* 5z34[0]; r2[2,3] +=  x4[1] unsigned* 5z34[1]
++# asm 1: vmlal.u32 <r2=reg128#14,<x4=reg128#11%bot,<5z34=reg128#6%bot
++# asm 2: vmlal.u32 <r2=q13,<x4=d20,<5z34=d10
++vmlal.u32 q13,d20,d10
++
++# qhasm:   r0 = r0[0,1]c01[1]r0[2] 
++# asm 1: vext.32 <r0=reg128#8%top,<c01=reg128#1%bot,<r0=reg128#8%top,#1
++# asm 2: vext.32 <r0=d15,<c01=d0,<r0=d15,#1
++vext.32 d15,d0,d15,#1
++
++# qhasm:   r1[0,1] = c23[0]<<6; r1[2,3] = c23[1]<<6 
++# asm 1: vshll.u32 >r1=reg128#15,<c23=reg128#2%bot,#6
++# asm 2: vshll.u32 >r1=q14,<c23=d2,#6
++vshll.u32 q14,d2,#6
++
++# qhasm: r1[0,1] += x01[0] unsigned* z12[0];   r1[2,3] += x01[1] unsigned* z12[1]
++# asm 1: vmlal.u32 <r1=reg128#15,<x01=reg128#9%bot,<z12=reg128#3%bot
++# asm 2: vmlal.u32 <r1=q14,<x01=d16,<z12=d4
++vmlal.u32 q14,d16,d4
++
++# qhasm: r1[0,1] += x01[2] unsigned* z0[0];   r1[2,3] += x01[3] unsigned* z0[1]
++# asm 1: vmlal.u32 <r1=reg128#15,<x01=reg128#9%top,<z0=reg128#4%bot
++# asm 2: vmlal.u32 <r1=q14,<x01=d17,<z0=d6
++vmlal.u32 q14,d17,d6
++
++# qhasm: r1[0,1] += x23[0] unsigned*  5z34[2]; r1[2,3] += x23[1] unsigned*  5z34[3]
++# asm 1: vmlal.u32 <r1=reg128#15,<x23=reg128#10%bot,<5z34=reg128#6%top
++# asm 2: vmlal.u32 <r1=q14,<x23=d18,<5z34=d11
++vmlal.u32 q14,d18,d11
++
++# qhasm: r1[0,1] += x23[2] unsigned* 5z34[0]; r1[2,3] += x23[3] unsigned* 5z34[1]
++# asm 1: vmlal.u32 <r1=reg128#15,<x23=reg128#10%top,<5z34=reg128#6%bot
++# asm 2: vmlal.u32 <r1=q14,<x23=d19,<5z34=d10
++vmlal.u32 q14,d19,d10
++
++# qhasm: ptr = &5z12_stack
++# asm 1: lea >ptr=int32#3,<5z12_stack=stack128#10
++# asm 2: lea >ptr=r2,<5z12_stack=[sp,#144]
++add r2,sp,#144
++
++# qhasm: 5z12 aligned= mem128[ptr]
++# asm 1: vld1.8 {>5z12=reg128#1%bot->5z12=reg128#1%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>5z12=d0->5z12=d1},[<ptr=r2,: 128]
++vld1.8 {d0-d1},[r2,: 128]
++
++# qhasm: r1[0,1] +=  x4[0] unsigned* 5z12[2]; r1[2,3] +=  x4[1] unsigned* 5z12[3]
++# asm 1: vmlal.u32 <r1=reg128#15,<x4=reg128#11%bot,<5z12=reg128#1%top
++# asm 2: vmlal.u32 <r1=q14,<x4=d20,<5z12=d1
++vmlal.u32 q14,d20,d1
++
++# qhasm:   		d23 = mem128[input_2];input_2+=16 
++# asm 1: vld1.8 {>d23=reg128#2%bot->d23=reg128#2%top},[<input_2=int32#2]!
++# asm 2: vld1.8 {>d23=d2->d23=d3},[<input_2=r1]!
++vld1.8 {d2-d3},[r1]!
++
++# qhasm:   		input_2 += 32
++# asm 1: add >input_2=int32#2,<input_2=int32#2,#32
++# asm 2: add >input_2=r1,<input_2=r1,#32
++add r1,r1,#32
++
++# qhasm: r0[0,1] +=  x4[0] unsigned* 5z12[0]; r0[2,3] +=  x4[1] unsigned* 5z12[1]
++# asm 1: vmlal.u32 <r0=reg128#8,<x4=reg128#11%bot,<5z12=reg128#1%bot
++# asm 2: vmlal.u32 <r0=q7,<x4=d20,<5z12=d0
++vmlal.u32 q7,d20,d0
++
++# qhasm: r0[0,1] += x23[0] unsigned* 5z34[0]; r0[2,3] += x23[1] unsigned* 5z34[1]
++# asm 1: vmlal.u32 <r0=reg128#8,<x23=reg128#10%bot,<5z34=reg128#6%bot
++# asm 2: vmlal.u32 <r0=q7,<x23=d18,<5z34=d10
++vmlal.u32 q7,d18,d10
++
++# qhasm:   		d01 d23 = d01[0] d23[0] d01[1] d23[1] 
++# asm 1: vswp <d23=reg128#2%bot,<d01=reg128#12%top
++# asm 2: vswp <d23=d2,<d01=d23
++vswp d2,d23
++
++# qhasm: r0[0,1] += x23[2] unsigned* 5z12[2]; r0[2,3] += x23[3] unsigned* 5z12[3]
++# asm 1: vmlal.u32 <r0=reg128#8,<x23=reg128#10%top,<5z12=reg128#1%top
++# asm 2: vmlal.u32 <r0=q7,<x23=d19,<5z12=d1
++vmlal.u32 q7,d19,d1
++
++# qhasm: r0[0,1] += x01[0] unsigned* z0[0];   r0[2,3] += x01[1] unsigned* z0[1]
++# asm 1: vmlal.u32 <r0=reg128#8,<x01=reg128#9%bot,<z0=reg128#4%bot
++# asm 2: vmlal.u32 <r0=q7,<x01=d16,<z0=d6
++vmlal.u32 q7,d16,d6
++
++# qhasm:   		new mid
++
++# qhasm:   		2x v4 = d23 unsigned>> 40  
++# asm 1: vshr.u64 >v4=reg128#4,<d23=reg128#2,#40
++# asm 2: vshr.u64 >v4=q3,<d23=q1,#40
++vshr.u64 q3,q1,#40
++
++# qhasm:   		mid = d01[1]d23[0] mid[2,3] 
++# asm 1: vext.32 <mid=reg128#1%bot,<d01=reg128#12%bot,<d23=reg128#2%bot,#1
++# asm 2: vext.32 <mid=d0,<d01=d22,<d23=d2,#1
++vext.32 d0,d22,d2,#1
++
++# qhasm:   		new v23
++
++# qhasm:   		v23[2] = d23[0,1] unsigned>> 14; v23[3] = d23[2,3] unsigned>> 14
++# asm 1: vshrn.u64 <v23=reg128#10%top,<d23=reg128#2,#14
++# asm 2: vshrn.u64 <v23=d19,<d23=q1,#14
++vshrn.u64 d19,q1,#14
++
++# qhasm:   		mid = mid[0,1] d01[3]d23[2] 
++# asm 1: vext.32 <mid=reg128#1%top,<d01=reg128#12%top,<d23=reg128#2%top,#1
++# asm 2: vext.32 <mid=d1,<d01=d23,<d23=d3,#1
++vext.32 d1,d23,d3,#1
++
++# qhasm:   		new v01
++
++# qhasm:   		v01[2] = d01[0,1] unsigned>> 26; v01[3] = d01[2,3] unsigned>> 26
++# asm 1: vshrn.u64 <v01=reg128#11%top,<d01=reg128#12,#26
++# asm 2: vshrn.u64 <v01=d21,<d01=q11,#26
++vshrn.u64 d21,q11,#26
++
++# qhasm:   		v01 = d01[1]d01[0] v01[2,3] 
++# asm 1: vext.32 <v01=reg128#11%bot,<d01=reg128#12%bot,<d01=reg128#12%bot,#1
++# asm 2: vext.32 <v01=d20,<d01=d22,<d01=d22,#1
++vext.32 d20,d22,d22,#1
++
++# qhasm: r0[0,1] += x01[2] unsigned*  5z34[2]; r0[2,3] += x01[3] unsigned*  5z34[3]
++# asm 1: vmlal.u32 <r0=reg128#8,<x01=reg128#9%top,<5z34=reg128#6%top
++# asm 2: vmlal.u32 <r0=q7,<x01=d17,<5z34=d11
++vmlal.u32 q7,d17,d11
++
++# qhasm:   		v01 = v01[1]d01[2] v01[2,3] 
++# asm 1: vext.32 <v01=reg128#11%bot,<v01=reg128#11%bot,<d01=reg128#12%top,#1
++# asm 2: vext.32 <v01=d20,<v01=d20,<d01=d23,#1
++vext.32 d20,d20,d23,#1
++
++# qhasm:   		v23[0] = mid[0,1] unsigned>> 20; v23[1] = mid[2,3] unsigned>> 20
++# asm 1: vshrn.u64 <v23=reg128#10%bot,<mid=reg128#1,#20
++# asm 2: vshrn.u64 <v23=d18,<mid=q0,#20
++vshrn.u64 d18,q0,#20
++
++# qhasm:   		v4 = v4[0]v4[2]v4[1]v4[3]  
++# asm 1: vtrn.32 <v4=reg128#4%bot,<v4=reg128#4%top
++# asm 2: vtrn.32 <v4=d6,<v4=d7
++vtrn.32 d6,d7
++
++# qhasm:   		4x v01 &= 0x03ffffff
++# asm 1: vand.i32 <v01=reg128#11,#0x03ffffff
++# asm 2: vand.i32 <v01=q10,#0x03ffffff
++vand.i32 q10,#0x03ffffff
++
++# qhasm: ptr = &y34_stack
++# asm 1: lea >ptr=int32#3,<y34_stack=stack128#4
++# asm 2: lea >ptr=r2,<y34_stack=[sp,#48]
++add r2,sp,#48
++
++# qhasm: y34 aligned= mem128[ptr]
++# asm 1: vld1.8 {>y34=reg128#3%bot->y34=reg128#3%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>y34=d4->y34=d5},[<ptr=r2,: 128]
++vld1.8 {d4-d5},[r2,: 128]
++
++# qhasm:   		4x v23 &= 0x03ffffff
++# asm 1: vand.i32 <v23=reg128#10,#0x03ffffff
++# asm 2: vand.i32 <v23=q9,#0x03ffffff
++vand.i32 q9,#0x03ffffff
++
++# qhasm: ptr = &y12_stack
++# asm 1: lea >ptr=int32#3,<y12_stack=stack128#3
++# asm 2: lea >ptr=r2,<y12_stack=[sp,#32]
++add r2,sp,#32
++
++# qhasm: y12 aligned= mem128[ptr]
++# asm 1: vld1.8 {>y12=reg128#2%bot->y12=reg128#2%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>y12=d2->y12=d3},[<ptr=r2,: 128]
++vld1.8 {d2-d3},[r2,: 128]
++
++# qhasm:   		4x v4 |= 0x01000000
++# asm 1: vorr.i32 <v4=reg128#4,#0x01000000
++# asm 2: vorr.i32 <v4=q3,#0x01000000
++vorr.i32 q3,#0x01000000
++
++# qhasm: ptr = &y0_stack
++# asm 1: lea >ptr=int32#3,<y0_stack=stack128#2
++# asm 2: lea >ptr=r2,<y0_stack=[sp,#16]
++add r2,sp,#16
++
++# qhasm: y0 aligned= mem128[ptr]
++# asm 1: vld1.8 {>y0=reg128#1%bot->y0=reg128#1%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>y0=d0->y0=d1},[<ptr=r2,: 128]
++vld1.8 {d0-d1},[r2,: 128]
++
++# qhasm: r4[0,1] += v01[0] unsigned*  y34[2];  r4[2,3] += v01[1] unsigned*  y34[3]
++# asm 1: vmlal.u32 <r4=reg128#16,<v01=reg128#11%bot,<y34=reg128#3%top
++# asm 2: vmlal.u32 <r4=q15,<v01=d20,<y34=d5
++vmlal.u32 q15,d20,d5
++
++# qhasm: r4[0,1] += v01[2] unsigned* y34[0];  r4[2,3] += v01[3] unsigned* y34[1]
++# asm 1: vmlal.u32 <r4=reg128#16,<v01=reg128#11%top,<y34=reg128#3%bot
++# asm 2: vmlal.u32 <r4=q15,<v01=d21,<y34=d4
++vmlal.u32 q15,d21,d4
++
++# qhasm: r4[0,1] += v23[0] unsigned* y12[2];  r4[2,3] += v23[1] unsigned* y12[3]
++# asm 1: vmlal.u32 <r4=reg128#16,<v23=reg128#10%bot,<y12=reg128#2%top
++# asm 2: vmlal.u32 <r4=q15,<v23=d18,<y12=d3
++vmlal.u32 q15,d18,d3
++
++# qhasm: r4[0,1] += v23[2] unsigned* y12[0];  r4[2,3] += v23[3] unsigned* y12[1]
++# asm 1: vmlal.u32 <r4=reg128#16,<v23=reg128#10%top,<y12=reg128#2%bot
++# asm 2: vmlal.u32 <r4=q15,<v23=d19,<y12=d2
++vmlal.u32 q15,d19,d2
++
++# qhasm: r4[0,1] +=  v4[0] unsigned* y0[0];  r4[2,3] +=  v4[1] unsigned* y0[1]
++# asm 1: vmlal.u32 <r4=reg128#16,<v4=reg128#4%bot,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r4=q15,<v4=d6,<y0=d0
++vmlal.u32 q15,d6,d0
++
++# qhasm: ptr = &5y34_stack
++# asm 1: lea >ptr=int32#3,<5y34_stack=stack128#6
++# asm 2: lea >ptr=r2,<5y34_stack=[sp,#80]
++add r2,sp,#80
++
++# qhasm: 5y34 aligned= mem128[ptr]
++# asm 1: vld1.8 {>5y34=reg128#13%bot->5y34=reg128#13%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>5y34=d24->5y34=d25},[<ptr=r2,: 128]
++vld1.8 {d24-d25},[r2,: 128]
++
++# qhasm: r3[0,1] += v01[0] unsigned* y34[0];   r3[2,3] += v01[1] unsigned* y34[1]
++# asm 1: vmlal.u32 <r3=reg128#5,<v01=reg128#11%bot,<y34=reg128#3%bot
++# asm 2: vmlal.u32 <r3=q4,<v01=d20,<y34=d4
++vmlal.u32 q4,d20,d4
++
++# qhasm: r3[0,1] += v01[2] unsigned* y12[2];   r3[2,3] += v01[3] unsigned* y12[3]
++# asm 1: vmlal.u32 <r3=reg128#5,<v01=reg128#11%top,<y12=reg128#2%top
++# asm 2: vmlal.u32 <r3=q4,<v01=d21,<y12=d3
++vmlal.u32 q4,d21,d3
++
++# qhasm: r3[0,1] += v23[0] unsigned* y12[0];   r3[2,3] += v23[1] unsigned* y12[1]
++# asm 1: vmlal.u32 <r3=reg128#5,<v23=reg128#10%bot,<y12=reg128#2%bot
++# asm 2: vmlal.u32 <r3=q4,<v23=d18,<y12=d2
++vmlal.u32 q4,d18,d2
++
++# qhasm: r3[0,1] += v23[2] unsigned* y0[0];   r3[2,3] += v23[3] unsigned* y0[1]
++# asm 1: vmlal.u32 <r3=reg128#5,<v23=reg128#10%top,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r3=q4,<v23=d19,<y0=d0
++vmlal.u32 q4,d19,d0
++
++# qhasm: r3[0,1] +=  v4[0] unsigned*  5y34[2]; r3[2,3] +=  v4[1] unsigned*  5y34[3]
++# asm 1: vmlal.u32 <r3=reg128#5,<v4=reg128#4%bot,<5y34=reg128#13%top
++# asm 2: vmlal.u32 <r3=q4,<v4=d6,<5y34=d25
++vmlal.u32 q4,d6,d25
++
++# qhasm: ptr = &5y12_stack
++# asm 1: lea >ptr=int32#3,<5y12_stack=stack128#5
++# asm 2: lea >ptr=r2,<5y12_stack=[sp,#64]
++add r2,sp,#64
++
++# qhasm: 5y12 aligned= mem128[ptr]
++# asm 1: vld1.8 {>5y12=reg128#12%bot->5y12=reg128#12%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>5y12=d22->5y12=d23},[<ptr=r2,: 128]
++vld1.8 {d22-d23},[r2,: 128]
++
++# qhasm: r0[0,1] +=  v4[0] unsigned* 5y12[0]; r0[2,3] +=  v4[1] unsigned* 5y12[1]
++# asm 1: vmlal.u32 <r0=reg128#8,<v4=reg128#4%bot,<5y12=reg128#12%bot
++# asm 2: vmlal.u32 <r0=q7,<v4=d6,<5y12=d22
++vmlal.u32 q7,d6,d22
++
++# qhasm: r0[0,1] += v23[0] unsigned* 5y34[0]; r0[2,3] += v23[1] unsigned* 5y34[1]
++# asm 1: vmlal.u32 <r0=reg128#8,<v23=reg128#10%bot,<5y34=reg128#13%bot
++# asm 2: vmlal.u32 <r0=q7,<v23=d18,<5y34=d24
++vmlal.u32 q7,d18,d24
++
++# qhasm: r0[0,1] += v23[2] unsigned* 5y12[2]; r0[2,3] += v23[3] unsigned* 5y12[3]
++# asm 1: vmlal.u32 <r0=reg128#8,<v23=reg128#10%top,<5y12=reg128#12%top
++# asm 2: vmlal.u32 <r0=q7,<v23=d19,<5y12=d23
++vmlal.u32 q7,d19,d23
++
++# qhasm: r0[0,1] += v01[0] unsigned* y0[0];   r0[2,3] += v01[1] unsigned* y0[1]
++# asm 1: vmlal.u32 <r0=reg128#8,<v01=reg128#11%bot,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r0=q7,<v01=d20,<y0=d0
++vmlal.u32 q7,d20,d0
++
++# qhasm: r0[0,1] += v01[2] unsigned*  5y34[2]; r0[2,3] += v01[3] unsigned*  5y34[3]
++# asm 1: vmlal.u32 <r0=reg128#8,<v01=reg128#11%top,<5y34=reg128#13%top
++# asm 2: vmlal.u32 <r0=q7,<v01=d21,<5y34=d25
++vmlal.u32 q7,d21,d25
++
++# qhasm: r1[0,1] += v01[0] unsigned* y12[0];   r1[2,3] += v01[1] unsigned* y12[1]
++# asm 1: vmlal.u32 <r1=reg128#15,<v01=reg128#11%bot,<y12=reg128#2%bot
++# asm 2: vmlal.u32 <r1=q14,<v01=d20,<y12=d2
++vmlal.u32 q14,d20,d2
++
++# qhasm: r1[0,1] += v01[2] unsigned* y0[0];   r1[2,3] += v01[3] unsigned* y0[1]
++# asm 1: vmlal.u32 <r1=reg128#15,<v01=reg128#11%top,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r1=q14,<v01=d21,<y0=d0
++vmlal.u32 q14,d21,d0
++
++# qhasm: r1[0,1] += v23[0] unsigned*  5y34[2]; r1[2,3] += v23[1] unsigned*  5y34[3]
++# asm 1: vmlal.u32 <r1=reg128#15,<v23=reg128#10%bot,<5y34=reg128#13%top
++# asm 2: vmlal.u32 <r1=q14,<v23=d18,<5y34=d25
++vmlal.u32 q14,d18,d25
++
++# qhasm: r1[0,1] += v23[2] unsigned* 5y34[0]; r1[2,3] += v23[3] unsigned* 5y34[1]
++# asm 1: vmlal.u32 <r1=reg128#15,<v23=reg128#10%top,<5y34=reg128#13%bot
++# asm 2: vmlal.u32 <r1=q14,<v23=d19,<5y34=d24
++vmlal.u32 q14,d19,d24
++
++# qhasm: r1[0,1] +=  v4[0] unsigned* 5y12[2]; r1[2,3] +=  v4[1] unsigned* 5y12[3]
++# asm 1: vmlal.u32 <r1=reg128#15,<v4=reg128#4%bot,<5y12=reg128#12%top
++# asm 2: vmlal.u32 <r1=q14,<v4=d6,<5y12=d23
++vmlal.u32 q14,d6,d23
++
++# qhasm: r2[0,1] += v01[0] unsigned* y12[2];   r2[2,3] += v01[1] unsigned* y12[3]
++# asm 1: vmlal.u32 <r2=reg128#14,<v01=reg128#11%bot,<y12=reg128#2%top
++# asm 2: vmlal.u32 <r2=q13,<v01=d20,<y12=d3
++vmlal.u32 q13,d20,d3
++
++# qhasm: r2[0,1] += v01[2] unsigned* y12[0];   r2[2,3] += v01[3] unsigned* y12[1]
++# asm 1: vmlal.u32 <r2=reg128#14,<v01=reg128#11%top,<y12=reg128#2%bot
++# asm 2: vmlal.u32 <r2=q13,<v01=d21,<y12=d2
++vmlal.u32 q13,d21,d2
++
++# qhasm: r2[0,1] += v23[0] unsigned* y0[0];   r2[2,3] += v23[1] unsigned* y0[1]
++# asm 1: vmlal.u32 <r2=reg128#14,<v23=reg128#10%bot,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r2=q13,<v23=d18,<y0=d0
++vmlal.u32 q13,d18,d0
++
++# qhasm: r2[0,1] += v23[2] unsigned*  5y34[2]; r2[2,3] += v23[3] unsigned*  5y34[3]
++# asm 1: vmlal.u32 <r2=reg128#14,<v23=reg128#10%top,<5y34=reg128#13%top
++# asm 2: vmlal.u32 <r2=q13,<v23=d19,<5y34=d25
++vmlal.u32 q13,d19,d25
++
++# qhasm: r2[0,1] +=  v4[0] unsigned* 5y34[0]; r2[2,3] +=  v4[1] unsigned* 5y34[1]
++# asm 1: vmlal.u32 <r2=reg128#14,<v4=reg128#4%bot,<5y34=reg128#13%bot
++# asm 2: vmlal.u32 <r2=q13,<v4=d6,<5y34=d24
++vmlal.u32 q13,d6,d24
++
++# qhasm: 				ptr = &two24
++# asm 1: lea >ptr=int32#3,<two24=stack128#1
++# asm 2: lea >ptr=r2,<two24=[sp,#0]
++add r2,sp,#0
++
++# qhasm: 2x t1 = r0 unsigned>> 26
++# asm 1: vshr.u64 >t1=reg128#4,<r0=reg128#8,#26
++# asm 2: vshr.u64 >t1=q3,<r0=q7,#26
++vshr.u64 q3,q7,#26
++
++# qhasm:   				len -= 64
++# asm 1: sub >len=int32#4,<len=int32#4,#64
++# asm 2: sub >len=r3,<len=r3,#64
++sub r3,r3,#64
++
++# qhasm:    r0 &= mask
++# asm 1: vand >r0=reg128#6,<r0=reg128#8,<mask=reg128#7
++# asm 2: vand >r0=q5,<r0=q7,<mask=q6
++vand q5,q7,q6
++
++# qhasm: 2x r1 += t1
++# asm 1: vadd.i64 >r1=reg128#4,<r1=reg128#15,<t1=reg128#4
++# asm 2: vadd.i64 >r1=q3,<r1=q14,<t1=q3
++vadd.i64 q3,q14,q3
++
++# qhasm: 		2x t4 = r3 unsigned>> 26
++# asm 1: vshr.u64 >t4=reg128#8,<r3=reg128#5,#26
++# asm 2: vshr.u64 >t4=q7,<r3=q4,#26
++vshr.u64 q7,q4,#26
++
++# qhasm: 		   r3 &= mask
++# asm 1: vand >r3=reg128#5,<r3=reg128#5,<mask=reg128#7
++# asm 2: vand >r3=q4,<r3=q4,<mask=q6
++vand q4,q4,q6
++
++# qhasm: 		2x x4 = r4 + t4
++# asm 1: vadd.i64 >x4=reg128#8,<r4=reg128#16,<t4=reg128#8
++# asm 2: vadd.i64 >x4=q7,<r4=q15,<t4=q7
++vadd.i64 q7,q15,q7
++
++# qhasm: 				r4 aligned= mem128[ptr]
++# asm 1: vld1.8 {>r4=reg128#16%bot->r4=reg128#16%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>r4=d30->r4=d31},[<ptr=r2,: 128]
++vld1.8 {d30-d31},[r2,: 128]
++
++# qhasm: 2x t2 = r1 unsigned>> 26
++# asm 1: vshr.u64 >t2=reg128#9,<r1=reg128#4,#26
++# asm 2: vshr.u64 >t2=q8,<r1=q3,#26
++vshr.u64 q8,q3,#26
++
++# qhasm:    r1 &= mask
++# asm 1: vand >r1=reg128#4,<r1=reg128#4,<mask=reg128#7
++# asm 2: vand >r1=q3,<r1=q3,<mask=q6
++vand q3,q3,q6
++
++# qhasm: 		2x t0 = x4 unsigned>> 26
++# asm 1: vshr.u64 >t0=reg128#10,<x4=reg128#8,#26
++# asm 2: vshr.u64 >t0=q9,<x4=q7,#26
++vshr.u64 q9,q7,#26
++
++# qhasm: 2x r2 += t2
++# asm 1: vadd.i64 >r2=reg128#9,<r2=reg128#14,<t2=reg128#9
++# asm 2: vadd.i64 >r2=q8,<r2=q13,<t2=q8
++vadd.i64 q8,q13,q8
++
++# qhasm: 		   x4 &= mask
++# asm 1: vand >x4=reg128#11,<x4=reg128#8,<mask=reg128#7
++# asm 2: vand >x4=q10,<x4=q7,<mask=q6
++vand q10,q7,q6
++
++# qhasm: 		2x x01 = r0 + t0
++# asm 1: vadd.i64 >x01=reg128#6,<r0=reg128#6,<t0=reg128#10
++# asm 2: vadd.i64 >x01=q5,<r0=q5,<t0=q9
++vadd.i64 q5,q5,q9
++
++# qhasm: 				r0 aligned= mem128[ptr]
++# asm 1: vld1.8 {>r0=reg128#8%bot->r0=reg128#8%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>r0=d14->r0=d15},[<ptr=r2,: 128]
++vld1.8 {d14-d15},[r2,: 128]
++
++# qhasm: 				ptr = &z34_stack
++# asm 1: lea >ptr=int32#3,<z34_stack=stack128#9
++# asm 2: lea >ptr=r2,<z34_stack=[sp,#128]
++add r2,sp,#128
++
++# qhasm: 		2x t0 <<= 2
++# asm 1: vshl.i64 >t0=reg128#10,<t0=reg128#10,#2
++# asm 2: vshl.i64 >t0=q9,<t0=q9,#2
++vshl.i64 q9,q9,#2
++
++# qhasm: 2x t3 = r2 unsigned>> 26
++# asm 1: vshr.u64 >t3=reg128#14,<r2=reg128#9,#26
++# asm 2: vshr.u64 >t3=q13,<r2=q8,#26
++vshr.u64 q13,q8,#26
++
++# qhasm: 		2x x01 += t0
++# asm 1: vadd.i64 >x01=reg128#15,<x01=reg128#6,<t0=reg128#10
++# asm 2: vadd.i64 >x01=q14,<x01=q5,<t0=q9
++vadd.i64 q14,q5,q9
++
++# qhasm: 				z34 aligned= mem128[ptr]
++# asm 1: vld1.8 {>z34=reg128#6%bot->z34=reg128#6%top},[<ptr=int32#3,: 128]
++# asm 2: vld1.8 {>z34=d10->z34=d11},[<ptr=r2,: 128]
++vld1.8 {d10-d11},[r2,: 128]
++
++# qhasm:    x23 = r2 & mask
++# asm 1: vand >x23=reg128#10,<r2=reg128#9,<mask=reg128#7
++# asm 2: vand >x23=q9,<r2=q8,<mask=q6
++vand q9,q8,q6
++
++# qhasm: 2x r3 += t3
++# asm 1: vadd.i64 >r3=reg128#5,<r3=reg128#5,<t3=reg128#14
++# asm 2: vadd.i64 >r3=q4,<r3=q4,<t3=q13
++vadd.i64 q4,q4,q13
++
++# qhasm: 								input_2 += 32
++# asm 1: add >input_2=int32#2,<input_2=int32#2,#32
++# asm 2: add >input_2=r1,<input_2=r1,#32
++add r1,r1,#32
++
++# qhasm: 		2x t1 = x01 unsigned>> 26
++# asm 1: vshr.u64 >t1=reg128#14,<x01=reg128#15,#26
++# asm 2: vshr.u64 >t1=q13,<x01=q14,#26
++vshr.u64 q13,q14,#26
++
++# qhasm: 						x23 = x23[0,2,1,3]
++# asm 1: vtrn.32 <x23=reg128#10%bot,<x23=reg128#10%top
++# asm 2: vtrn.32 <x23=d18,<x23=d19
++vtrn.32 d18,d19
++
++# qhasm: 		   x01 = x01 & mask
++# asm 1: vand >x01=reg128#9,<x01=reg128#15,<mask=reg128#7
++# asm 2: vand >x01=q8,<x01=q14,<mask=q6
++vand q8,q14,q6
++
++# qhasm: 		2x r1 += t1
++# asm 1: vadd.i64 >r1=reg128#4,<r1=reg128#4,<t1=reg128#14
++# asm 2: vadd.i64 >r1=q3,<r1=q3,<t1=q13
++vadd.i64 q3,q3,q13
++
++# qhasm: 2x t4 = r3 unsigned>> 26
++# asm 1: vshr.u64 >t4=reg128#14,<r3=reg128#5,#26
++# asm 2: vshr.u64 >t4=q13,<r3=q4,#26
++vshr.u64 q13,q4,#26
++
++# qhasm: 						x01 = x01[0,2,1,3]
++# asm 1: vtrn.32 <x01=reg128#9%bot,<x01=reg128#9%top
++# asm 2: vtrn.32 <x01=d16,<x01=d17
++vtrn.32 d16,d17
++
++# qhasm:    r3 &= mask
++# asm 1: vand >r3=reg128#5,<r3=reg128#5,<mask=reg128#7
++# asm 2: vand >r3=q4,<r3=q4,<mask=q6
++vand q4,q4,q6
++
++# qhasm: 						r1 = r1[0,2,1,3]
++# asm 1: vtrn.32 <r1=reg128#4%bot,<r1=reg128#4%top
++# asm 2: vtrn.32 <r1=d6,<r1=d7
++vtrn.32 d6,d7
++
++# qhasm: 2x x4 += t4
++# asm 1: vadd.i64 >x4=reg128#11,<x4=reg128#11,<t4=reg128#14
++# asm 2: vadd.i64 >x4=q10,<x4=q10,<t4=q13
++vadd.i64 q10,q10,q13
++
++# qhasm: 						r3 = r3[0,2,1,3]
++# asm 1: vtrn.32 <r3=reg128#5%bot,<r3=reg128#5%top
++# asm 2: vtrn.32 <r3=d8,<r3=d9
++vtrn.32 d8,d9
++
++# qhasm: 						x01 = x01[0,1] r1[0,1]
++# asm 1: vext.32 <x01=reg128#9%top,<r1=reg128#4%bot,<r1=reg128#4%bot,#0
++# asm 2: vext.32 <x01=d17,<r1=d6,<r1=d6,#0
++vext.32 d17,d6,d6,#0
++
++# qhasm: 						x23 = x23[0,1] r3[0,1]
++# asm 1: vext.32 <x23=reg128#10%top,<r3=reg128#5%bot,<r3=reg128#5%bot,#0
++# asm 2: vext.32 <x23=d19,<r3=d8,<r3=d8,#0
++vext.32 d19,d8,d8,#0
++
++# qhasm: 						x4 = x4[0,2,1,3]
++# asm 1: vtrn.32 <x4=reg128#11%bot,<x4=reg128#11%top
++# asm 2: vtrn.32 <x4=d20,<x4=d21
++vtrn.32 d20,d21
++
++# qhasm:                   unsigned>? len - 64
++# asm 1: cmp <len=int32#4,#64
++# asm 2: cmp <len=r3,#64
++cmp r3,#64
++
++# qhasm: goto mainloop2 if unsigned>
++bhi ._mainloop2
++
++# qhasm: input_2 -= 32
++# asm 1: sub >input_2=int32#3,<input_2=int32#2,#32
++# asm 2: sub >input_2=r2,<input_2=r1,#32
++sub r2,r1,#32
++
++# qhasm: below64bytes:
++._below64bytes:
++
++# qhasm:              unsigned>? len - 32
++# asm 1: cmp <len=int32#4,#32
++# asm 2: cmp <len=r3,#32
++cmp r3,#32
++
++# qhasm: goto end if !unsigned>
++bls ._end
++
++# qhasm: mainloop:
++._mainloop:
++
++# qhasm:   new r0
++
++# qhasm: ptr = &two24
++# asm 1: lea >ptr=int32#2,<two24=stack128#1
++# asm 2: lea >ptr=r1,<two24=[sp,#0]
++add r1,sp,#0
++
++# qhasm: r4 aligned= mem128[ptr]
++# asm 1: vld1.8 {>r4=reg128#5%bot->r4=reg128#5%top},[<ptr=int32#2,: 128]
++# asm 2: vld1.8 {>r4=d8->r4=d9},[<ptr=r1,: 128]
++vld1.8 {d8-d9},[r1,: 128]
++
++# qhasm: u4 aligned= mem128[ptr]
++# asm 1: vld1.8 {>u4=reg128#6%bot->u4=reg128#6%top},[<ptr=int32#2,: 128]
++# asm 2: vld1.8 {>u4=d10->u4=d11},[<ptr=r1,: 128]
++vld1.8 {d10-d11},[r1,: 128]
++
++# qhasm:   c01 = mem128[input_2];input_2+=16 
++# asm 1: vld1.8 {>c01=reg128#8%bot->c01=reg128#8%top},[<input_2=int32#3]!
++# asm 2: vld1.8 {>c01=d14->c01=d15},[<input_2=r2]!
++vld1.8 {d14-d15},[r2]!
++
++# qhasm: r4[0,1] += x01[0] unsigned*  y34[2];  r4[2,3] += x01[1] unsigned*  y34[3]
++# asm 1: vmlal.u32 <r4=reg128#5,<x01=reg128#9%bot,<y34=reg128#3%top
++# asm 2: vmlal.u32 <r4=q4,<x01=d16,<y34=d5
++vmlal.u32 q4,d16,d5
++
++# qhasm:   c23 = mem128[input_2];input_2+=16 
++# asm 1: vld1.8 {>c23=reg128#14%bot->c23=reg128#14%top},[<input_2=int32#3]!
++# asm 2: vld1.8 {>c23=d26->c23=d27},[<input_2=r2]!
++vld1.8 {d26-d27},[r2]!
++
++# qhasm: r4[0,1] += x01[2] unsigned* y34[0];  r4[2,3] += x01[3] unsigned* y34[1]
++# asm 1: vmlal.u32 <r4=reg128#5,<x01=reg128#9%top,<y34=reg128#3%bot
++# asm 2: vmlal.u32 <r4=q4,<x01=d17,<y34=d4
++vmlal.u32 q4,d17,d4
++
++# qhasm:   r0 = u4[1]c01[0]r0[2,3] 
++# asm 1: vext.32 <r0=reg128#4%bot,<u4=reg128#6%bot,<c01=reg128#8%bot,#1
++# asm 2: vext.32 <r0=d6,<u4=d10,<c01=d14,#1
++vext.32 d6,d10,d14,#1
++
++# qhasm: r4[0,1] += x23[0] unsigned* y12[2];  r4[2,3] += x23[1] unsigned* y12[3]
++# asm 1: vmlal.u32 <r4=reg128#5,<x23=reg128#10%bot,<y12=reg128#2%top
++# asm 2: vmlal.u32 <r4=q4,<x23=d18,<y12=d3
++vmlal.u32 q4,d18,d3
++
++# qhasm:   r0 = r0[0,1]u4[1]c23[0] 
++# asm 1: vext.32 <r0=reg128#4%top,<u4=reg128#6%bot,<c23=reg128#14%bot,#1
++# asm 2: vext.32 <r0=d7,<u4=d10,<c23=d26,#1
++vext.32 d7,d10,d26,#1
++
++# qhasm: r4[0,1] += x23[2] unsigned* y12[0];  r4[2,3] += x23[3] unsigned* y12[1]
++# asm 1: vmlal.u32 <r4=reg128#5,<x23=reg128#10%top,<y12=reg128#2%bot
++# asm 2: vmlal.u32 <r4=q4,<x23=d19,<y12=d2
++vmlal.u32 q4,d19,d2
++
++# qhasm:   r0 = r0[1]r0[0]r0[3]r0[2] 
++# asm 1: vrev64.i32 >r0=reg128#4,<r0=reg128#4
++# asm 2: vrev64.i32 >r0=q3,<r0=q3
++vrev64.i32 q3,q3
++
++# qhasm: r4[0,1] +=  x4[0] unsigned* y0[0];  r4[2,3] +=  x4[1] unsigned* y0[1]
++# asm 1: vmlal.u32 <r4=reg128#5,<x4=reg128#11%bot,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r4=q4,<x4=d20,<y0=d0
++vmlal.u32 q4,d20,d0
++
++# qhasm: r0[0,1] +=  x4[0] unsigned* 5y12[0]; r0[2,3] +=  x4[1] unsigned* 5y12[1]
++# asm 1: vmlal.u32 <r0=reg128#4,<x4=reg128#11%bot,<5y12=reg128#12%bot
++# asm 2: vmlal.u32 <r0=q3,<x4=d20,<5y12=d22
++vmlal.u32 q3,d20,d22
++
++# qhasm: r0[0,1] += x23[0] unsigned* 5y34[0]; r0[2,3] += x23[1] unsigned* 5y34[1]
++# asm 1: vmlal.u32 <r0=reg128#4,<x23=reg128#10%bot,<5y34=reg128#13%bot
++# asm 2: vmlal.u32 <r0=q3,<x23=d18,<5y34=d24
++vmlal.u32 q3,d18,d24
++
++# qhasm: r0[0,1] += x23[2] unsigned* 5y12[2]; r0[2,3] += x23[3] unsigned* 5y12[3]
++# asm 1: vmlal.u32 <r0=reg128#4,<x23=reg128#10%top,<5y12=reg128#12%top
++# asm 2: vmlal.u32 <r0=q3,<x23=d19,<5y12=d23
++vmlal.u32 q3,d19,d23
++
++# qhasm:   c01 c23 = c01[0]c23[0]c01[2]c23[2]c01[1]c23[1]c01[3]c23[3] 
++# asm 1: vtrn.32 <c01=reg128#8,<c23=reg128#14
++# asm 2: vtrn.32 <c01=q7,<c23=q13
++vtrn.32 q7,q13
++
++# qhasm: r0[0,1] += x01[0] unsigned* y0[0];   r0[2,3] += x01[1] unsigned* y0[1]
++# asm 1: vmlal.u32 <r0=reg128#4,<x01=reg128#9%bot,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r0=q3,<x01=d16,<y0=d0
++vmlal.u32 q3,d16,d0
++
++# qhasm:   r3[0,1] = c23[2]<<18; r3[2,3] = c23[3]<<18 
++# asm 1: vshll.u32 >r3=reg128#6,<c23=reg128#14%top,#18
++# asm 2: vshll.u32 >r3=q5,<c23=d27,#18
++vshll.u32 q5,d27,#18
++
++# qhasm: r0[0,1] += x01[2] unsigned*  5y34[2]; r0[2,3] += x01[3] unsigned*  5y34[3]
++# asm 1: vmlal.u32 <r0=reg128#4,<x01=reg128#9%top,<5y34=reg128#13%top
++# asm 2: vmlal.u32 <r0=q3,<x01=d17,<5y34=d25
++vmlal.u32 q3,d17,d25
++
++# qhasm: r3[0,1] += x01[0] unsigned* y34[0];   r3[2,3] += x01[1] unsigned* y34[1]
++# asm 1: vmlal.u32 <r3=reg128#6,<x01=reg128#9%bot,<y34=reg128#3%bot
++# asm 2: vmlal.u32 <r3=q5,<x01=d16,<y34=d4
++vmlal.u32 q5,d16,d4
++
++# qhasm: r3[0,1] += x01[2] unsigned* y12[2];   r3[2,3] += x01[3] unsigned* y12[3]
++# asm 1: vmlal.u32 <r3=reg128#6,<x01=reg128#9%top,<y12=reg128#2%top
++# asm 2: vmlal.u32 <r3=q5,<x01=d17,<y12=d3
++vmlal.u32 q5,d17,d3
++
++# qhasm: r3[0,1] += x23[0] unsigned* y12[0];   r3[2,3] += x23[1] unsigned* y12[1]
++# asm 1: vmlal.u32 <r3=reg128#6,<x23=reg128#10%bot,<y12=reg128#2%bot
++# asm 2: vmlal.u32 <r3=q5,<x23=d18,<y12=d2
++vmlal.u32 q5,d18,d2
++
++# qhasm: r3[0,1] += x23[2] unsigned* y0[0];   r3[2,3] += x23[3] unsigned* y0[1]
++# asm 1: vmlal.u32 <r3=reg128#6,<x23=reg128#10%top,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r3=q5,<x23=d19,<y0=d0
++vmlal.u32 q5,d19,d0
++
++# qhasm:   r1[0,1] = c23[0]<<6; r1[2,3] = c23[1]<<6 
++# asm 1: vshll.u32 >r1=reg128#14,<c23=reg128#14%bot,#6
++# asm 2: vshll.u32 >r1=q13,<c23=d26,#6
++vshll.u32 q13,d26,#6
++
++# qhasm: r3[0,1] +=  x4[0] unsigned*  5y34[2]; r3[2,3] +=  x4[1] unsigned*  5y34[3]
++# asm 1: vmlal.u32 <r3=reg128#6,<x4=reg128#11%bot,<5y34=reg128#13%top
++# asm 2: vmlal.u32 <r3=q5,<x4=d20,<5y34=d25
++vmlal.u32 q5,d20,d25
++
++# qhasm: r1[0,1] += x01[0] unsigned* y12[0];   r1[2,3] += x01[1] unsigned* y12[1]
++# asm 1: vmlal.u32 <r1=reg128#14,<x01=reg128#9%bot,<y12=reg128#2%bot
++# asm 2: vmlal.u32 <r1=q13,<x01=d16,<y12=d2
++vmlal.u32 q13,d16,d2
++
++# qhasm: r1[0,1] += x01[2] unsigned* y0[0];   r1[2,3] += x01[3] unsigned* y0[1]
++# asm 1: vmlal.u32 <r1=reg128#14,<x01=reg128#9%top,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r1=q13,<x01=d17,<y0=d0
++vmlal.u32 q13,d17,d0
++
++# qhasm: r1[0,1] += x23[0] unsigned*  5y34[2]; r1[2,3] += x23[1] unsigned*  5y34[3]
++# asm 1: vmlal.u32 <r1=reg128#14,<x23=reg128#10%bot,<5y34=reg128#13%top
++# asm 2: vmlal.u32 <r1=q13,<x23=d18,<5y34=d25
++vmlal.u32 q13,d18,d25
++
++# qhasm: r1[0,1] += x23[2] unsigned* 5y34[0]; r1[2,3] += x23[3] unsigned* 5y34[1]
++# asm 1: vmlal.u32 <r1=reg128#14,<x23=reg128#10%top,<5y34=reg128#13%bot
++# asm 2: vmlal.u32 <r1=q13,<x23=d19,<5y34=d24
++vmlal.u32 q13,d19,d24
++
++# qhasm:   r2[0,1] = c01[2]<<12; r2[2,3] = c01[3]<<12 
++# asm 1: vshll.u32 >r2=reg128#8,<c01=reg128#8%top,#12
++# asm 2: vshll.u32 >r2=q7,<c01=d15,#12
++vshll.u32 q7,d15,#12
++
++# qhasm: r1[0,1] +=  x4[0] unsigned* 5y12[2]; r1[2,3] +=  x4[1] unsigned* 5y12[3]
++# asm 1: vmlal.u32 <r1=reg128#14,<x4=reg128#11%bot,<5y12=reg128#12%top
++# asm 2: vmlal.u32 <r1=q13,<x4=d20,<5y12=d23
++vmlal.u32 q13,d20,d23
++
++# qhasm: r2[0,1] += x01[0] unsigned* y12[2];   r2[2,3] += x01[1] unsigned* y12[3]
++# asm 1: vmlal.u32 <r2=reg128#8,<x01=reg128#9%bot,<y12=reg128#2%top
++# asm 2: vmlal.u32 <r2=q7,<x01=d16,<y12=d3
++vmlal.u32 q7,d16,d3
++
++# qhasm: r2[0,1] += x01[2] unsigned* y12[0];   r2[2,3] += x01[3] unsigned* y12[1]
++# asm 1: vmlal.u32 <r2=reg128#8,<x01=reg128#9%top,<y12=reg128#2%bot
++# asm 2: vmlal.u32 <r2=q7,<x01=d17,<y12=d2
++vmlal.u32 q7,d17,d2
++
++# qhasm: r2[0,1] += x23[0] unsigned* y0[0];   r2[2,3] += x23[1] unsigned* y0[1]
++# asm 1: vmlal.u32 <r2=reg128#8,<x23=reg128#10%bot,<y0=reg128#1%bot
++# asm 2: vmlal.u32 <r2=q7,<x23=d18,<y0=d0
++vmlal.u32 q7,d18,d0
++
++# qhasm: r2[0,1] += x23[2] unsigned*  5y34[2]; r2[2,3] += x23[3] unsigned*  5y34[3]
++# asm 1: vmlal.u32 <r2=reg128#8,<x23=reg128#10%top,<5y34=reg128#13%top
++# asm 2: vmlal.u32 <r2=q7,<x23=d19,<5y34=d25
++vmlal.u32 q7,d19,d25
++
++# qhasm: r2[0,1] +=  x4[0] unsigned* 5y34[0]; r2[2,3] +=  x4[1] unsigned* 5y34[1]
++# asm 1: vmlal.u32 <r2=reg128#8,<x4=reg128#11%bot,<5y34=reg128#13%bot
++# asm 2: vmlal.u32 <r2=q7,<x4=d20,<5y34=d24
++vmlal.u32 q7,d20,d24
++
++# qhasm: 2x t1 = r0 unsigned>> 26
++# asm 1: vshr.u64 >t1=reg128#9,<r0=reg128#4,#26
++# asm 2: vshr.u64 >t1=q8,<r0=q3,#26
++vshr.u64 q8,q3,#26
++
++# qhasm:    r0 &= mask
++# asm 1: vand >r0=reg128#4,<r0=reg128#4,<mask=reg128#7
++# asm 2: vand >r0=q3,<r0=q3,<mask=q6
++vand q3,q3,q6
++
++# qhasm: 2x r1 += t1
++# asm 1: vadd.i64 >r1=reg128#9,<r1=reg128#14,<t1=reg128#9
++# asm 2: vadd.i64 >r1=q8,<r1=q13,<t1=q8
++vadd.i64 q8,q13,q8
++
++# qhasm: 		2x t4 = r3 unsigned>> 26
++# asm 1: vshr.u64 >t4=reg128#10,<r3=reg128#6,#26
++# asm 2: vshr.u64 >t4=q9,<r3=q5,#26
++vshr.u64 q9,q5,#26
++
++# qhasm: 		   r3 &= mask
++# asm 1: vand >r3=reg128#6,<r3=reg128#6,<mask=reg128#7
++# asm 2: vand >r3=q5,<r3=q5,<mask=q6
++vand q5,q5,q6
++
++# qhasm: 		2x r4 += t4
++# asm 1: vadd.i64 >r4=reg128#5,<r4=reg128#5,<t4=reg128#10
++# asm 2: vadd.i64 >r4=q4,<r4=q4,<t4=q9
++vadd.i64 q4,q4,q9
++
++# qhasm: 2x t2 = r1 unsigned>> 26
++# asm 1: vshr.u64 >t2=reg128#10,<r1=reg128#9,#26
++# asm 2: vshr.u64 >t2=q9,<r1=q8,#26
++vshr.u64 q9,q8,#26
++
++# qhasm:    r1 &= mask
++# asm 1: vand >r1=reg128#11,<r1=reg128#9,<mask=reg128#7
++# asm 2: vand >r1=q10,<r1=q8,<mask=q6
++vand q10,q8,q6
++
++# qhasm: 		2x t0 = r4 unsigned>> 26
++# asm 1: vshr.u64 >t0=reg128#9,<r4=reg128#5,#26
++# asm 2: vshr.u64 >t0=q8,<r4=q4,#26
++vshr.u64 q8,q4,#26
++
++# qhasm: 2x r2 += t2
++# asm 1: vadd.i64 >r2=reg128#8,<r2=reg128#8,<t2=reg128#10
++# asm 2: vadd.i64 >r2=q7,<r2=q7,<t2=q9
++vadd.i64 q7,q7,q9
++
++# qhasm: 		   r4 &= mask
++# asm 1: vand >r4=reg128#5,<r4=reg128#5,<mask=reg128#7
++# asm 2: vand >r4=q4,<r4=q4,<mask=q6
++vand q4,q4,q6
++
++# qhasm: 		2x r0 += t0
++# asm 1: vadd.i64 >r0=reg128#4,<r0=reg128#4,<t0=reg128#9
++# asm 2: vadd.i64 >r0=q3,<r0=q3,<t0=q8
++vadd.i64 q3,q3,q8
++
++# qhasm: 		2x t0 <<= 2
++# asm 1: vshl.i64 >t0=reg128#9,<t0=reg128#9,#2
++# asm 2: vshl.i64 >t0=q8,<t0=q8,#2
++vshl.i64 q8,q8,#2
++
++# qhasm: 2x t3 = r2 unsigned>> 26
++# asm 1: vshr.u64 >t3=reg128#14,<r2=reg128#8,#26
++# asm 2: vshr.u64 >t3=q13,<r2=q7,#26
++vshr.u64 q13,q7,#26
++
++# qhasm: 		2x r0 += t0
++# asm 1: vadd.i64 >r0=reg128#4,<r0=reg128#4,<t0=reg128#9
++# asm 2: vadd.i64 >r0=q3,<r0=q3,<t0=q8
++vadd.i64 q3,q3,q8
++
++# qhasm:    x23 = r2 & mask
++# asm 1: vand >x23=reg128#10,<r2=reg128#8,<mask=reg128#7
++# asm 2: vand >x23=q9,<r2=q7,<mask=q6
++vand q9,q7,q6
++
++# qhasm: 2x r3 += t3
++# asm 1: vadd.i64 >r3=reg128#6,<r3=reg128#6,<t3=reg128#14
++# asm 2: vadd.i64 >r3=q5,<r3=q5,<t3=q13
++vadd.i64 q5,q5,q13
++
++# qhasm: 		2x t1 = r0 unsigned>> 26
++# asm 1: vshr.u64 >t1=reg128#8,<r0=reg128#4,#26
++# asm 2: vshr.u64 >t1=q7,<r0=q3,#26
++vshr.u64 q7,q3,#26
++
++# qhasm: 		   x01 = r0 & mask
++# asm 1: vand >x01=reg128#9,<r0=reg128#4,<mask=reg128#7
++# asm 2: vand >x01=q8,<r0=q3,<mask=q6
++vand q8,q3,q6
++
++# qhasm: 		2x r1 += t1
++# asm 1: vadd.i64 >r1=reg128#4,<r1=reg128#11,<t1=reg128#8
++# asm 2: vadd.i64 >r1=q3,<r1=q10,<t1=q7
++vadd.i64 q3,q10,q7
++
++# qhasm: 2x t4 = r3 unsigned>> 26
++# asm 1: vshr.u64 >t4=reg128#8,<r3=reg128#6,#26
++# asm 2: vshr.u64 >t4=q7,<r3=q5,#26
++vshr.u64 q7,q5,#26
++
++# qhasm:    r3 &= mask
++# asm 1: vand >r3=reg128#6,<r3=reg128#6,<mask=reg128#7
++# asm 2: vand >r3=q5,<r3=q5,<mask=q6
++vand q5,q5,q6
++
++# qhasm: 2x x4 = r4 + t4
++# asm 1: vadd.i64 >x4=reg128#11,<r4=reg128#5,<t4=reg128#8
++# asm 2: vadd.i64 >x4=q10,<r4=q4,<t4=q7
++vadd.i64 q10,q4,q7
++
++# qhasm:   len -= 32
++# asm 1: sub >len=int32#4,<len=int32#4,#32
++# asm 2: sub >len=r3,<len=r3,#32
++sub r3,r3,#32
++
++# qhasm: x01 = x01[0,2,1,3]
++# asm 1: vtrn.32 <x01=reg128#9%bot,<x01=reg128#9%top
++# asm 2: vtrn.32 <x01=d16,<x01=d17
++vtrn.32 d16,d17
++
++# qhasm: x23 = x23[0,2,1,3]
++# asm 1: vtrn.32 <x23=reg128#10%bot,<x23=reg128#10%top
++# asm 2: vtrn.32 <x23=d18,<x23=d19
++vtrn.32 d18,d19
++
++# qhasm: r1 = r1[0,2,1,3]
++# asm 1: vtrn.32 <r1=reg128#4%bot,<r1=reg128#4%top
++# asm 2: vtrn.32 <r1=d6,<r1=d7
++vtrn.32 d6,d7
++
++# qhasm: r3 = r3[0,2,1,3]
++# asm 1: vtrn.32 <r3=reg128#6%bot,<r3=reg128#6%top
++# asm 2: vtrn.32 <r3=d10,<r3=d11
++vtrn.32 d10,d11
++
++# qhasm: x4 = x4[0,2,1,3]
++# asm 1: vtrn.32 <x4=reg128#11%bot,<x4=reg128#11%top
++# asm 2: vtrn.32 <x4=d20,<x4=d21
++vtrn.32 d20,d21
++
++# qhasm: x01 = x01[0,1] r1[0,1]
++# asm 1: vext.32 <x01=reg128#9%top,<r1=reg128#4%bot,<r1=reg128#4%bot,#0
++# asm 2: vext.32 <x01=d17,<r1=d6,<r1=d6,#0
++vext.32 d17,d6,d6,#0
++
++# qhasm: x23 = x23[0,1] r3[0,1]
++# asm 1: vext.32 <x23=reg128#10%top,<r3=reg128#6%bot,<r3=reg128#6%bot,#0
++# asm 2: vext.32 <x23=d19,<r3=d10,<r3=d10,#0
++vext.32 d19,d10,d10,#0
++
++# qhasm: unsigned>? len - 32
++# asm 1: cmp <len=int32#4,#32
++# asm 2: cmp <len=r3,#32
++cmp r3,#32
++
++# qhasm: goto mainloop if unsigned>
++bhi ._mainloop
++
++# qhasm: end:
++._end:
++
++# qhasm: mem128[input_0] = x01;input_0+=16
++# asm 1: vst1.8 {<x01=reg128#9%bot-<x01=reg128#9%top},[<input_0=int32#1]!
++# asm 2: vst1.8 {<x01=d16-<x01=d17},[<input_0=r0]!
++vst1.8 {d16-d17},[r0]!
++
++# qhasm: mem128[input_0] = x23;input_0+=16
++# asm 1: vst1.8 {<x23=reg128#10%bot-<x23=reg128#10%top},[<input_0=int32#1]!
++# asm 2: vst1.8 {<x23=d18-<x23=d19},[<input_0=r0]!
++vst1.8 {d18-d19},[r0]!
++
++# qhasm: mem64[input_0] = x4[0]
++# asm 1: vst1.8 <x4=reg128#11%bot,[<input_0=int32#1]
++# asm 2: vst1.8 <x4=d20,[<input_0=r0]
++vst1.8 d20,[r0]
++
++# qhasm: len = len
++# asm 1: mov >len=int32#1,<len=int32#4
++# asm 2: mov >len=r0,<len=r3
++mov r0,r3
++
++# qhasm: qpopreturn len
++mov sp,r12
++vpop {q4,q5,q6,q7}
++bx lr
++
++# qhasm: int32 input_0
++
++# qhasm: int32 input_1
++
++# qhasm: int32 input_2
++
++# qhasm: int32 input_3
++
++# qhasm: stack32 input_4
++
++# qhasm: stack32 input_5
++
++# qhasm: stack32 input_6
++
++# qhasm: stack32 input_7
++
++# qhasm: int32 caller_r4
++
++# qhasm: int32 caller_r5
++
++# qhasm: int32 caller_r6
++
++# qhasm: int32 caller_r7
++
++# qhasm: int32 caller_r8
++
++# qhasm: int32 caller_r9
++
++# qhasm: int32 caller_r10
++
++# qhasm: int32 caller_r11
++
++# qhasm: int32 caller_r12
++
++# qhasm: int32 caller_r14
++
++# qhasm: reg128 caller_q4
++
++# qhasm: reg128 caller_q5
++
++# qhasm: reg128 caller_q6
++
++# qhasm: reg128 caller_q7
++
++# qhasm: reg128 r0
++
++# qhasm: reg128 r1
++
++# qhasm: reg128 r2
++
++# qhasm: reg128 r3
++
++# qhasm: reg128 r4
++
++# qhasm: reg128 x01
++
++# qhasm: reg128 x23
++
++# qhasm: reg128 x4
++
++# qhasm: reg128 y01
++
++# qhasm: reg128 y23
++
++# qhasm: reg128 y4
++
++# qhasm: reg128 _5y01
++
++# qhasm: reg128 _5y23
++
++# qhasm: reg128 _5y4
++
++# qhasm: reg128 c01
++
++# qhasm: reg128 c23
++
++# qhasm: reg128 c4
++
++# qhasm: reg128 t0
++
++# qhasm: reg128 t1
++
++# qhasm: reg128 t2
++
++# qhasm: reg128 t3
++
++# qhasm: reg128 t4
++
++# qhasm: reg128 mask
++
++# qhasm: enter crypto_onetimeauth_poly1305_neon2_addmulmod
++.align 2
++.global openssl_poly1305_neon2_addmulmod
++.type openssl_poly1305_neon2_addmulmod STT_FUNC
++openssl_poly1305_neon2_addmulmod:
++sub sp,sp,#0
++
++# qhasm: 				2x mask = 0xffffffff
++# asm 1: vmov.i64 >mask=reg128#1,#0xffffffff
++# asm 2: vmov.i64 >mask=q0,#0xffffffff
++vmov.i64 q0,#0xffffffff
++
++# qhasm:   y01 aligned= mem128[input_2];input_2+=16
++# asm 1: vld1.8 {>y01=reg128#2%bot->y01=reg128#2%top},[<input_2=int32#3,: 128]!
++# asm 2: vld1.8 {>y01=d2->y01=d3},[<input_2=r2,: 128]!
++vld1.8 {d2-d3},[r2,: 128]!
++
++# qhasm: 4x _5y01 = y01 << 2
++# asm 1: vshl.i32 >_5y01=reg128#3,<y01=reg128#2,#2
++# asm 2: vshl.i32 >_5y01=q2,<y01=q1,#2
++vshl.i32 q2,q1,#2
++
++# qhasm:   y23 aligned= mem128[input_2];input_2+=16
++# asm 1: vld1.8 {>y23=reg128#4%bot->y23=reg128#4%top},[<input_2=int32#3,: 128]!
++# asm 2: vld1.8 {>y23=d6->y23=d7},[<input_2=r2,: 128]!
++vld1.8 {d6-d7},[r2,: 128]!
++
++# qhasm: 4x _5y23 = y23 << 2
++# asm 1: vshl.i32 >_5y23=reg128#9,<y23=reg128#4,#2
++# asm 2: vshl.i32 >_5y23=q8,<y23=q3,#2
++vshl.i32 q8,q3,#2
++
++# qhasm:   y4  aligned= mem64[input_2]y4[1]
++# asm 1: vld1.8 {<y4=reg128#10%bot},[<input_2=int32#3,: 64]
++# asm 2: vld1.8 {<y4=d18},[<input_2=r2,: 64]
++vld1.8 {d18},[r2,: 64]
++
++# qhasm: 4x _5y4 = y4 << 2
++# asm 1: vshl.i32 >_5y4=reg128#11,<y4=reg128#10,#2
++# asm 2: vshl.i32 >_5y4=q10,<y4=q9,#2
++vshl.i32 q10,q9,#2
++
++# qhasm:   x01 aligned= mem128[input_1];input_1+=16
++# asm 1: vld1.8 {>x01=reg128#12%bot->x01=reg128#12%top},[<input_1=int32#2,: 128]!
++# asm 2: vld1.8 {>x01=d22->x01=d23},[<input_1=r1,: 128]!
++vld1.8 {d22-d23},[r1,: 128]!
++
++# qhasm: 4x _5y01 += y01
++# asm 1: vadd.i32 >_5y01=reg128#3,<_5y01=reg128#3,<y01=reg128#2
++# asm 2: vadd.i32 >_5y01=q2,<_5y01=q2,<y01=q1
++vadd.i32 q2,q2,q1
++
++# qhasm:   x23 aligned= mem128[input_1];input_1+=16
++# asm 1: vld1.8 {>x23=reg128#13%bot->x23=reg128#13%top},[<input_1=int32#2,: 128]!
++# asm 2: vld1.8 {>x23=d24->x23=d25},[<input_1=r1,: 128]!
++vld1.8 {d24-d25},[r1,: 128]!
++
++# qhasm: 4x _5y23 += y23
++# asm 1: vadd.i32 >_5y23=reg128#9,<_5y23=reg128#9,<y23=reg128#4
++# asm 2: vadd.i32 >_5y23=q8,<_5y23=q8,<y23=q3
++vadd.i32 q8,q8,q3
++
++# qhasm: 4x _5y4 += y4
++# asm 1: vadd.i32 >_5y4=reg128#11,<_5y4=reg128#11,<y4=reg128#10
++# asm 2: vadd.i32 >_5y4=q10,<_5y4=q10,<y4=q9
++vadd.i32 q10,q10,q9
++
++# qhasm:   c01 aligned= mem128[input_3];input_3+=16
++# asm 1: vld1.8 {>c01=reg128#14%bot->c01=reg128#14%top},[<input_3=int32#4,: 128]!
++# asm 2: vld1.8 {>c01=d26->c01=d27},[<input_3=r3,: 128]!
++vld1.8 {d26-d27},[r3,: 128]!
++
++# qhasm: 4x x01 += c01
++# asm 1: vadd.i32 >x01=reg128#12,<x01=reg128#12,<c01=reg128#14
++# asm 2: vadd.i32 >x01=q11,<x01=q11,<c01=q13
++vadd.i32 q11,q11,q13
++
++# qhasm:   c23 aligned= mem128[input_3];input_3+=16
++# asm 1: vld1.8 {>c23=reg128#14%bot->c23=reg128#14%top},[<input_3=int32#4,: 128]!
++# asm 2: vld1.8 {>c23=d26->c23=d27},[<input_3=r3,: 128]!
++vld1.8 {d26-d27},[r3,: 128]!
++
++# qhasm: 4x x23 += c23
++# asm 1: vadd.i32 >x23=reg128#13,<x23=reg128#13,<c23=reg128#14
++# asm 2: vadd.i32 >x23=q12,<x23=q12,<c23=q13
++vadd.i32 q12,q12,q13
++
++# qhasm:   x4  aligned= mem64[input_1]x4[1]
++# asm 1: vld1.8 {<x4=reg128#14%bot},[<input_1=int32#2,: 64]
++# asm 2: vld1.8 {<x4=d26},[<input_1=r1,: 64]
++vld1.8 {d26},[r1,: 64]
++
++# qhasm: 				2x mask unsigned>>=6
++# asm 1: vshr.u64 >mask=reg128#1,<mask=reg128#1,#6
++# asm 2: vshr.u64 >mask=q0,<mask=q0,#6
++vshr.u64 q0,q0,#6
++
++# qhasm:   c4  aligned= mem64[input_3]c4[1]
++# asm 1: vld1.8 {<c4=reg128#15%bot},[<input_3=int32#4,: 64]
++# asm 2: vld1.8 {<c4=d28},[<input_3=r3,: 64]
++vld1.8 {d28},[r3,: 64]
++
++# qhasm: 4x x4 += c4
++# asm 1: vadd.i32 >x4=reg128#14,<x4=reg128#14,<c4=reg128#15
++# asm 2: vadd.i32 >x4=q13,<x4=q13,<c4=q14
++vadd.i32 q13,q13,q14
++
++# qhasm: r0[0,1]  = x01[0] unsigned* y01[0];   r0[2,3]  = x01[1] unsigned* y01[1]
++# asm 1: vmull.u32 >r0=reg128#15,<x01=reg128#12%bot,<y01=reg128#2%bot
++# asm 2: vmull.u32 >r0=q14,<x01=d22,<y01=d2
++vmull.u32 q14,d22,d2
++
++# qhasm: r0[0,1] += x01[2] unsigned*  _5y4[0]; r0[2,3] += x01[3] unsigned*  _5y4[1]
++# asm 1: vmlal.u32 <r0=reg128#15,<x01=reg128#12%top,<_5y4=reg128#11%bot
++# asm 2: vmlal.u32 <r0=q14,<x01=d23,<_5y4=d20
++vmlal.u32 q14,d23,d20
++
++# qhasm: r0[0,1] += x23[0] unsigned* _5y23[2]; r0[2,3] += x23[1] unsigned* _5y23[3]
++# asm 1: vmlal.u32 <r0=reg128#15,<x23=reg128#13%bot,<_5y23=reg128#9%top
++# asm 2: vmlal.u32 <r0=q14,<x23=d24,<_5y23=d17
++vmlal.u32 q14,d24,d17
++
++# qhasm: r0[0,1] += x23[2] unsigned* _5y23[0]; r0[2,3] += x23[3] unsigned* _5y23[1]
++# asm 1: vmlal.u32 <r0=reg128#15,<x23=reg128#13%top,<_5y23=reg128#9%bot
++# asm 2: vmlal.u32 <r0=q14,<x23=d25,<_5y23=d16
++vmlal.u32 q14,d25,d16
++
++# qhasm: r0[0,1] +=  x4[0] unsigned* _5y01[2]; r0[2,3] +=  x4[1] unsigned* _5y01[3]
++# asm 1: vmlal.u32 <r0=reg128#15,<x4=reg128#14%bot,<_5y01=reg128#3%top
++# asm 2: vmlal.u32 <r0=q14,<x4=d26,<_5y01=d5
++vmlal.u32 q14,d26,d5
++
++# qhasm: r1[0,1]  = x01[0] unsigned* y01[2];   r1[2,3]  = x01[1] unsigned* y01[3]
++# asm 1: vmull.u32 >r1=reg128#3,<x01=reg128#12%bot,<y01=reg128#2%top
++# asm 2: vmull.u32 >r1=q2,<x01=d22,<y01=d3
++vmull.u32 q2,d22,d3
++
++# qhasm: r1[0,1] += x01[2] unsigned* y01[0];   r1[2,3] += x01[3] unsigned* y01[1]
++# asm 1: vmlal.u32 <r1=reg128#3,<x01=reg128#12%top,<y01=reg128#2%bot
++# asm 2: vmlal.u32 <r1=q2,<x01=d23,<y01=d2
++vmlal.u32 q2,d23,d2
++
++# qhasm: r1[0,1] += x23[0] unsigned*  _5y4[0]; r1[2,3] += x23[1] unsigned*  _5y4[1]
++# asm 1: vmlal.u32 <r1=reg128#3,<x23=reg128#13%bot,<_5y4=reg128#11%bot
++# asm 2: vmlal.u32 <r1=q2,<x23=d24,<_5y4=d20
++vmlal.u32 q2,d24,d20
++
++# qhasm: r1[0,1] += x23[2] unsigned* _5y23[2]; r1[2,3] += x23[3] unsigned* _5y23[3]
++# asm 1: vmlal.u32 <r1=reg128#3,<x23=reg128#13%top,<_5y23=reg128#9%top
++# asm 2: vmlal.u32 <r1=q2,<x23=d25,<_5y23=d17
++vmlal.u32 q2,d25,d17
++
++# qhasm: r1[0,1] +=  x4[0] unsigned* _5y23[0]; r1[2,3] +=  x4[1] unsigned* _5y23[1]
++# asm 1: vmlal.u32 <r1=reg128#3,<x4=reg128#14%bot,<_5y23=reg128#9%bot
++# asm 2: vmlal.u32 <r1=q2,<x4=d26,<_5y23=d16
++vmlal.u32 q2,d26,d16
++
++# qhasm: r2[0,1]  = x01[0] unsigned* y23[0];   r2[2,3]  = x01[1] unsigned* y23[1]
++# asm 1: vmull.u32 >r2=reg128#16,<x01=reg128#12%bot,<y23=reg128#4%bot
++# asm 2: vmull.u32 >r2=q15,<x01=d22,<y23=d6
++vmull.u32 q15,d22,d6
++
++# qhasm: r2[0,1] += x01[2] unsigned* y01[2];   r2[2,3] += x01[3] unsigned* y01[3]
++# asm 1: vmlal.u32 <r2=reg128#16,<x01=reg128#12%top,<y01=reg128#2%top
++# asm 2: vmlal.u32 <r2=q15,<x01=d23,<y01=d3
++vmlal.u32 q15,d23,d3
++
++# qhasm: r2[0,1] += x23[0] unsigned* y01[0];   r2[2,3] += x23[1] unsigned* y01[1]
++# asm 1: vmlal.u32 <r2=reg128#16,<x23=reg128#13%bot,<y01=reg128#2%bot
++# asm 2: vmlal.u32 <r2=q15,<x23=d24,<y01=d2
++vmlal.u32 q15,d24,d2
++
++# qhasm: r2[0,1] += x23[2] unsigned*  _5y4[0]; r2[2,3] += x23[3] unsigned*  _5y4[1]
++# asm 1: vmlal.u32 <r2=reg128#16,<x23=reg128#13%top,<_5y4=reg128#11%bot
++# asm 2: vmlal.u32 <r2=q15,<x23=d25,<_5y4=d20
++vmlal.u32 q15,d25,d20
++
++# qhasm: r2[0,1] +=  x4[0] unsigned* _5y23[2]; r2[2,3] +=  x4[1] unsigned* _5y23[3]
++# asm 1: vmlal.u32 <r2=reg128#16,<x4=reg128#14%bot,<_5y23=reg128#9%top
++# asm 2: vmlal.u32 <r2=q15,<x4=d26,<_5y23=d17
++vmlal.u32 q15,d26,d17
++
++# qhasm: r3[0,1]  = x01[0] unsigned* y23[2];   r3[2,3]  = x01[1] unsigned* y23[3]
++# asm 1: vmull.u32 >r3=reg128#9,<x01=reg128#12%bot,<y23=reg128#4%top
++# asm 2: vmull.u32 >r3=q8,<x01=d22,<y23=d7
++vmull.u32 q8,d22,d7
++
++# qhasm: r3[0,1] += x01[2] unsigned* y23[0];   r3[2,3] += x01[3] unsigned* y23[1]
++# asm 1: vmlal.u32 <r3=reg128#9,<x01=reg128#12%top,<y23=reg128#4%bot
++# asm 2: vmlal.u32 <r3=q8,<x01=d23,<y23=d6
++vmlal.u32 q8,d23,d6
++
++# qhasm: r3[0,1] += x23[0] unsigned* y01[2];   r3[2,3] += x23[1] unsigned* y01[3]
++# asm 1: vmlal.u32 <r3=reg128#9,<x23=reg128#13%bot,<y01=reg128#2%top
++# asm 2: vmlal.u32 <r3=q8,<x23=d24,<y01=d3
++vmlal.u32 q8,d24,d3
++
++# qhasm: r3[0,1] += x23[2] unsigned* y01[0];   r3[2,3] += x23[3] unsigned* y01[1]
++# asm 1: vmlal.u32 <r3=reg128#9,<x23=reg128#13%top,<y01=reg128#2%bot
++# asm 2: vmlal.u32 <r3=q8,<x23=d25,<y01=d2
++vmlal.u32 q8,d25,d2
++
++# qhasm: r3[0,1] +=  x4[0] unsigned*  _5y4[0]; r3[2,3] +=  x4[1] unsigned*  _5y4[1]
++# asm 1: vmlal.u32 <r3=reg128#9,<x4=reg128#14%bot,<_5y4=reg128#11%bot
++# asm 2: vmlal.u32 <r3=q8,<x4=d26,<_5y4=d20
++vmlal.u32 q8,d26,d20
++
++# qhasm: r4[0,1]  = x01[0] unsigned*  y4[0];  r4[2,3]  = x01[1] unsigned*  y4[1]
++# asm 1: vmull.u32 >r4=reg128#10,<x01=reg128#12%bot,<y4=reg128#10%bot
++# asm 2: vmull.u32 >r4=q9,<x01=d22,<y4=d18
++vmull.u32 q9,d22,d18
++
++# qhasm: r4[0,1] += x01[2] unsigned* y23[2];  r4[2,3] += x01[3] unsigned* y23[3]
++# asm 1: vmlal.u32 <r4=reg128#10,<x01=reg128#12%top,<y23=reg128#4%top
++# asm 2: vmlal.u32 <r4=q9,<x01=d23,<y23=d7
++vmlal.u32 q9,d23,d7
++
++# qhasm: r4[0,1] += x23[0] unsigned* y23[0];  r4[2,3] += x23[1] unsigned* y23[1]
++# asm 1: vmlal.u32 <r4=reg128#10,<x23=reg128#13%bot,<y23=reg128#4%bot
++# asm 2: vmlal.u32 <r4=q9,<x23=d24,<y23=d6
++vmlal.u32 q9,d24,d6
++
++# qhasm: r4[0,1] += x23[2] unsigned* y01[2];  r4[2,3] += x23[3] unsigned* y01[3]
++# asm 1: vmlal.u32 <r4=reg128#10,<x23=reg128#13%top,<y01=reg128#2%top
++# asm 2: vmlal.u32 <r4=q9,<x23=d25,<y01=d3
++vmlal.u32 q9,d25,d3
++
++# qhasm: r4[0,1] +=  x4[0] unsigned* y01[0];  r4[2,3] +=  x4[1] unsigned* y01[1]
++# asm 1: vmlal.u32 <r4=reg128#10,<x4=reg128#14%bot,<y01=reg128#2%bot
++# asm 2: vmlal.u32 <r4=q9,<x4=d26,<y01=d2
++vmlal.u32 q9,d26,d2
++
++# qhasm: 2x t1 = r0 unsigned>> 26
++# asm 1: vshr.u64 >t1=reg128#2,<r0=reg128#15,#26
++# asm 2: vshr.u64 >t1=q1,<r0=q14,#26
++vshr.u64 q1,q14,#26
++
++# qhasm:    r0 &= mask
++# asm 1: vand >r0=reg128#4,<r0=reg128#15,<mask=reg128#1
++# asm 2: vand >r0=q3,<r0=q14,<mask=q0
++vand q3,q14,q0
++
++# qhasm: 2x r1 += t1
++# asm 1: vadd.i64 >r1=reg128#2,<r1=reg128#3,<t1=reg128#2
++# asm 2: vadd.i64 >r1=q1,<r1=q2,<t1=q1
++vadd.i64 q1,q2,q1
++
++# qhasm:                 2x t4 = r3 unsigned>> 26
++# asm 1: vshr.u64 >t4=reg128#3,<r3=reg128#9,#26
++# asm 2: vshr.u64 >t4=q2,<r3=q8,#26
++vshr.u64 q2,q8,#26
++
++# qhasm:                    r3 &= mask
++# asm 1: vand >r3=reg128#9,<r3=reg128#9,<mask=reg128#1
++# asm 2: vand >r3=q8,<r3=q8,<mask=q0
++vand q8,q8,q0
++
++# qhasm:                 2x r4 += t4
++# asm 1: vadd.i64 >r4=reg128#3,<r4=reg128#10,<t4=reg128#3
++# asm 2: vadd.i64 >r4=q2,<r4=q9,<t4=q2
++vadd.i64 q2,q9,q2
++
++# qhasm: 2x t2 = r1 unsigned>> 26
++# asm 1: vshr.u64 >t2=reg128#10,<r1=reg128#2,#26
++# asm 2: vshr.u64 >t2=q9,<r1=q1,#26
++vshr.u64 q9,q1,#26
++
++# qhasm:    r1 &= mask
++# asm 1: vand >r1=reg128#2,<r1=reg128#2,<mask=reg128#1
++# asm 2: vand >r1=q1,<r1=q1,<mask=q0
++vand q1,q1,q0
++
++# qhasm:                 2x t0 = r4 unsigned>> 26
++# asm 1: vshr.u64 >t0=reg128#11,<r4=reg128#3,#26
++# asm 2: vshr.u64 >t0=q10,<r4=q2,#26
++vshr.u64 q10,q2,#26
++
++# qhasm: 2x r2 += t2
++# asm 1: vadd.i64 >r2=reg128#10,<r2=reg128#16,<t2=reg128#10
++# asm 2: vadd.i64 >r2=q9,<r2=q15,<t2=q9
++vadd.i64 q9,q15,q9
++
++# qhasm:                    r4 &= mask
++# asm 1: vand >r4=reg128#3,<r4=reg128#3,<mask=reg128#1
++# asm 2: vand >r4=q2,<r4=q2,<mask=q0
++vand q2,q2,q0
++
++# qhasm:                 2x r0 += t0
++# asm 1: vadd.i64 >r0=reg128#4,<r0=reg128#4,<t0=reg128#11
++# asm 2: vadd.i64 >r0=q3,<r0=q3,<t0=q10
++vadd.i64 q3,q3,q10
++
++# qhasm:                 2x t0 <<= 2
++# asm 1: vshl.i64 >t0=reg128#11,<t0=reg128#11,#2
++# asm 2: vshl.i64 >t0=q10,<t0=q10,#2
++vshl.i64 q10,q10,#2
++
++# qhasm: 2x t3 = r2 unsigned>> 26
++# asm 1: vshr.u64 >t3=reg128#12,<r2=reg128#10,#26
++# asm 2: vshr.u64 >t3=q11,<r2=q9,#26
++vshr.u64 q11,q9,#26
++
++# qhasm:                 2x r0 += t0
++# asm 1: vadd.i64 >r0=reg128#4,<r0=reg128#4,<t0=reg128#11
++# asm 2: vadd.i64 >r0=q3,<r0=q3,<t0=q10
++vadd.i64 q3,q3,q10
++
++# qhasm:    x23 = r2 & mask
++# asm 1: vand >x23=reg128#10,<r2=reg128#10,<mask=reg128#1
++# asm 2: vand >x23=q9,<r2=q9,<mask=q0
++vand q9,q9,q0
++
++# qhasm: 2x r3 += t3
++# asm 1: vadd.i64 >r3=reg128#9,<r3=reg128#9,<t3=reg128#12
++# asm 2: vadd.i64 >r3=q8,<r3=q8,<t3=q11
++vadd.i64 q8,q8,q11
++
++# qhasm:                 2x t1 = r0 unsigned>> 26
++# asm 1: vshr.u64 >t1=reg128#11,<r0=reg128#4,#26
++# asm 2: vshr.u64 >t1=q10,<r0=q3,#26
++vshr.u64 q10,q3,#26
++
++# qhasm: 				x23 = x23[0,2,1,3]
++# asm 1: vtrn.32 <x23=reg128#10%bot,<x23=reg128#10%top
++# asm 2: vtrn.32 <x23=d18,<x23=d19
++vtrn.32 d18,d19
++
++# qhasm:                    x01 = r0 & mask
++# asm 1: vand >x01=reg128#4,<r0=reg128#4,<mask=reg128#1
++# asm 2: vand >x01=q3,<r0=q3,<mask=q0
++vand q3,q3,q0
++
++# qhasm:                 2x r1 += t1
++# asm 1: vadd.i64 >r1=reg128#2,<r1=reg128#2,<t1=reg128#11
++# asm 2: vadd.i64 >r1=q1,<r1=q1,<t1=q10
++vadd.i64 q1,q1,q10
++
++# qhasm: 2x t4 = r3 unsigned>> 26
++# asm 1: vshr.u64 >t4=reg128#11,<r3=reg128#9,#26
++# asm 2: vshr.u64 >t4=q10,<r3=q8,#26
++vshr.u64 q10,q8,#26
++
++# qhasm: 				x01 = x01[0,2,1,3]
++# asm 1: vtrn.32 <x01=reg128#4%bot,<x01=reg128#4%top
++# asm 2: vtrn.32 <x01=d6,<x01=d7
++vtrn.32 d6,d7
++
++# qhasm:    r3 &= mask
++# asm 1: vand >r3=reg128#1,<r3=reg128#9,<mask=reg128#1
++# asm 2: vand >r3=q0,<r3=q8,<mask=q0
++vand q0,q8,q0
++
++# qhasm: 				r1 = r1[0,2,1,3]
++# asm 1: vtrn.32 <r1=reg128#2%bot,<r1=reg128#2%top
++# asm 2: vtrn.32 <r1=d2,<r1=d3
++vtrn.32 d2,d3
++
++# qhasm: 2x x4 = r4 + t4
++# asm 1: vadd.i64 >x4=reg128#3,<r4=reg128#3,<t4=reg128#11
++# asm 2: vadd.i64 >x4=q2,<r4=q2,<t4=q10
++vadd.i64 q2,q2,q10
++
++# qhasm: 				r3 = r3[0,2,1,3]
++# asm 1: vtrn.32 <r3=reg128#1%bot,<r3=reg128#1%top
++# asm 2: vtrn.32 <r3=d0,<r3=d1
++vtrn.32 d0,d1
++
++# qhasm: 				x01 = x01[0,1] r1[0,1]
++# asm 1: vext.32 <x01=reg128#4%top,<r1=reg128#2%bot,<r1=reg128#2%bot,#0
++# asm 2: vext.32 <x01=d7,<r1=d2,<r1=d2,#0
++vext.32 d7,d2,d2,#0
++
++# qhasm: 				x23 = x23[0,1] r3[0,1]
++# asm 1: vext.32 <x23=reg128#10%top,<r3=reg128#1%bot,<r3=reg128#1%bot,#0
++# asm 2: vext.32 <x23=d19,<r3=d0,<r3=d0,#0
++vext.32 d19,d0,d0,#0
++
++# qhasm: 				x4 = x4[0,2,1,3]
++# asm 1: vtrn.32 <x4=reg128#3%bot,<x4=reg128#3%top
++# asm 2: vtrn.32 <x4=d4,<x4=d5
++vtrn.32 d4,d5
++
++# qhasm: mem128[input_0] aligned= x01;input_0+=16
++# asm 1: vst1.8 {<x01=reg128#4%bot-<x01=reg128#4%top},[<input_0=int32#1,: 128]!
++# asm 2: vst1.8 {<x01=d6-<x01=d7},[<input_0=r0,: 128]!
++vst1.8 {d6-d7},[r0,: 128]!
++
++# qhasm: mem128[input_0] aligned= x23;input_0+=16
++# asm 1: vst1.8 {<x23=reg128#10%bot-<x23=reg128#10%top},[<input_0=int32#1,: 128]!
++# asm 2: vst1.8 {<x23=d18-<x23=d19},[<input_0=r0,: 128]!
++vst1.8 {d18-d19},[r0,: 128]!
++
++# qhasm: mem64[input_0] aligned= x4[0]
++# asm 1: vst1.8 <x4=reg128#3%bot,[<input_0=int32#1,: 64]
++# asm 2: vst1.8 <x4=d4,[<input_0=r0,: 64]
++vst1.8 d4,[r0,: 64]
++
++# qhasm: return
++add sp,sp,#0
++bx lr
+--- ./crypto/poly1305/poly1305_arm.c.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/poly1305/poly1305_arm.c	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,335 @@
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++/* This implementation was taken from the public domain, neon2 version in
++ * SUPERCOP by D. J. Bernstein and Peter Schwabe. */
++
++#include <stdint.h>
++
++#include <openssl/poly1305.h>
++
++#if !defined(OPENSSL_NO_POLY1305)
++
++typedef struct {
++  uint32_t v[12]; /* for alignment; only using 10 */
++} fe1305x2;
++
++#define addmulmod openssl_poly1305_neon2_addmulmod
++#define blocks openssl_poly1305_neon2_blocks
++
++extern void addmulmod(fe1305x2 *r, const fe1305x2 *x, const fe1305x2 *y, const fe1305x2 *c);
++
++extern int blocks(fe1305x2 *h, const fe1305x2 *precomp, const unsigned char *in, unsigned int inlen);
++
++static void freeze(fe1305x2 *r)
++	{
++	int i;
++
++	uint32_t x0 = r->v[0];
++	uint32_t x1 = r->v[2];
++	uint32_t x2 = r->v[4];
++	uint32_t x3 = r->v[6];
++	uint32_t x4 = r->v[8];
++	uint32_t y0;
++	uint32_t y1;
++	uint32_t y2;
++	uint32_t y3;
++	uint32_t y4;
++	uint32_t swap;
++
++	for (i = 0;i < 3;++i)
++		{
++		x1 += x0 >> 26; x0 &= 0x3ffffff;
++		x2 += x1 >> 26; x1 &= 0x3ffffff;
++		x3 += x2 >> 26; x2 &= 0x3ffffff;
++		x4 += x3 >> 26; x3 &= 0x3ffffff;
++		x0 += 5*(x4 >> 26); x4 &= 0x3ffffff;
++		}
++
++	y0 = x0 + 5;
++	y1 = x1 + (y0 >> 26); y0 &= 0x3ffffff;
++	y2 = x2 + (y1 >> 26); y1 &= 0x3ffffff;
++	y3 = x3 + (y2 >> 26); y2 &= 0x3ffffff;
++	y4 = x4 + (y3 >> 26); y3 &= 0x3ffffff;
++	swap = -(y4 >> 26); y4 &= 0x3ffffff;
++
++	y0 ^= x0;
++	y1 ^= x1;
++	y2 ^= x2;
++	y3 ^= x3;
++	y4 ^= x4;
++
++	y0 &= swap;
++	y1 &= swap;
++	y2 &= swap;
++	y3 &= swap;
++	y4 &= swap;
++
++	y0 ^= x0;
++	y1 ^= x1;
++	y2 ^= x2;
++	y3 ^= x3;
++	y4 ^= x4;
++
++	r->v[0] = y0;
++	r->v[2] = y1;
++	r->v[4] = y2;
++	r->v[6] = y3;
++	r->v[8] = y4;
++	}
++
++static void fe1305x2_tobytearray(unsigned char *r, fe1305x2 *x)
++	{
++	uint32_t x0 = x->v[0];
++	uint32_t x1 = x->v[2];
++	uint32_t x2 = x->v[4];
++	uint32_t x3 = x->v[6];
++	uint32_t x4 = x->v[8];
++
++	x1 += x0 >> 26;
++	x0 &= 0x3ffffff;
++	x2 += x1 >> 26;
++	x1 &= 0x3ffffff;
++	x3 += x2 >> 26;
++	x2 &= 0x3ffffff;
++	x4 += x3 >> 26;
++	x3 &= 0x3ffffff;
++
++	*(uint32_t *) r = x0 + (x1 << 26);
++	*(uint32_t *) (r + 4) = (x1 >> 6) + (x2 << 20);
++	*(uint32_t *) (r + 8) = (x2 >> 12) + (x3 << 14);
++	*(uint32_t *) (r + 12) = (x3 >> 18) + (x4 << 8);
++	}
++
++/* load32 exists to avoid breaking strict aliasing rules in
++ * fe1305x2_frombytearray. */
++static uint32_t load32(unsigned char *t)
++	{
++	uint32_t tmp;
++	memcpy(&tmp, t, sizeof(tmp));
++	return tmp;
++	}
++
++static void fe1305x2_frombytearray(fe1305x2 *r, const unsigned char *x, unsigned long long xlen)
++	{
++	int i;
++	unsigned char t[17];
++
++	for (i = 0; (i < 16) && (i < xlen); i++)
++		t[i] = x[i];
++	xlen -= i;
++	x += i;
++	t[i++] = 1;
++	for (; i<17; i++)
++		t[i] = 0;
++
++	r->v[0] = 0x3ffffff & load32(t);
++	r->v[2] = 0x3ffffff & (load32(t + 3) >> 2);
++	r->v[4] = 0x3ffffff & (load32(t + 6) >> 4);
++	r->v[6] = 0x3ffffff & (load32(t + 9) >> 6);
++	r->v[8] = load32(t + 13);
++
++	if (xlen)
++		{
++		for (i = 0; (i < 16) && (i < xlen); i++)
++			t[i] = x[i];
++		t[i++] = 1;
++		for (; i<17; i++)
++			t[i] = 0;
++
++		r->v[1] = 0x3ffffff & load32(t);
++		r->v[3] = 0x3ffffff & (load32(t + 3) >> 2);
++		r->v[5] = 0x3ffffff & (load32(t + 6) >> 4);
++		r->v[7] = 0x3ffffff & (load32(t + 9) >> 6);
++		r->v[9] = load32(t + 13);
++		}
++	else
++		r->v[1] = r->v[3] = r->v[5] = r->v[7] = r->v[9] = 0;
++	}
++
++static const fe1305x2 zero __attribute__ ((aligned (16)));
++
++struct poly1305_state_st {
++	unsigned char data[sizeof(fe1305x2[5]) + 128];
++	unsigned char buf[32];
++	unsigned int buf_used;
++	unsigned char key[16];
++};
++
++void CRYPTO_poly1305_init(poly1305_state *state, const unsigned char key[32])
++	{
++	struct poly1305_state_st *st = (struct poly1305_state_st*) (state);
++	fe1305x2 *const r = (fe1305x2 *) (st->data + (15 & (-(int) st->data)));
++	fe1305x2 *const h = r + 1;
++	fe1305x2 *const c = h + 1;
++	fe1305x2 *const precomp = c + 1;
++	unsigned int j;
++
++	r->v[1] = r->v[0] = 0x3ffffff & *(uint32_t *) key;
++	r->v[3] = r->v[2] = 0x3ffff03 & ((*(uint32_t *) (key + 3)) >> 2);
++	r->v[5] = r->v[4] = 0x3ffc0ff & ((*(uint32_t *) (key + 6)) >> 4);
++	r->v[7] = r->v[6] = 0x3f03fff & ((*(uint32_t *) (key + 9)) >> 6);
++	r->v[9] = r->v[8] = 0x00fffff & ((*(uint32_t *) (key + 12)) >> 8);
++
++	for (j = 0; j < 10; j++)
++		h->v[j] = 0; /* XXX: should fast-forward a bit */
++
++	addmulmod(precomp,r,r,&zero);                 /* precompute r^2 */
++	addmulmod(precomp + 1,precomp,precomp,&zero); /* precompute r^4 */
++
++	memcpy(st->key, key + 16, 16);
++	st->buf_used = 0;
++	}
++
++void CRYPTO_poly1305_update(poly1305_state *state, const unsigned char *in, size_t in_len)
++	{
++	struct poly1305_state_st *st = (struct poly1305_state_st*) (state);
++	fe1305x2 *const r = (fe1305x2 *) (st->data + (15 & (-(int) st->data)));
++	fe1305x2 *const h = r + 1;
++	fe1305x2 *const c = h + 1;
++	fe1305x2 *const precomp = c + 1;
++	unsigned int i;
++	unsigned char data[sizeof(fe1305x2) + 16];
++	fe1305x2 *const r2r = (fe1305x2 *) (data + (15 & (-(int) data)));
++
++	if (st->buf_used)
++		{
++		unsigned int todo = 32 - st->buf_used;
++		if (todo > in_len)
++			todo = in_len;
++		for (i = 0; i < todo; i++)
++			st->buf[st->buf_used + i] = in[i];
++		st->buf_used += todo;
++		in_len -= todo;
++		in += todo;
++
++		if (st->buf_used == sizeof(st->buf))
++			{
++			fe1305x2_frombytearray(c, st->buf, sizeof(st->buf));
++			r2r->v[0] = precomp->v[0];
++			r2r->v[2] = precomp->v[2];
++			r2r->v[4] = precomp->v[4];
++			r2r->v[6] = precomp->v[6];
++			r2r->v[8] = precomp->v[8];
++			r2r->v[1] = r->v[1];
++			r2r->v[3] = r->v[3];
++			r2r->v[5] = r->v[5];
++			r2r->v[7] = r->v[7];
++			r2r->v[9] = r->v[9];
++			addmulmod(h,h,r2r,c);
++			st->buf_used = 0;
++			}
++		}
++
++	while (in_len > 32)
++		{
++		unsigned int tlen = 1048576;
++		if (in_len < 1048576)
++			tlen = in_len;
++		tlen -= blocks(h, precomp, in, tlen);
++		in_len -= tlen;
++		in += tlen;
++		}
++
++	if (in_len)
++		{
++		for (i = 0; i < in_len; i++)
++			st->buf[i] = in[i];
++		st->buf_used = in_len;
++		}
++	}
++
++void CRYPTO_poly1305_finish(poly1305_state* state, unsigned char mac[16])
++	{
++	struct poly1305_state_st *st = (struct poly1305_state_st*) (state);
++	fe1305x2 *const r = (fe1305x2 *) (st->data + (15 & (-(int) st->data)));
++	fe1305x2 *const h = r + 1;
++	fe1305x2 *const c = h + 1;
++	fe1305x2 *const precomp = c + 1;
++
++	if (st->buf_used > 16)
++		{
++		fe1305x2_frombytearray(c, st->buf, st->buf_used);
++		precomp->v[1] = r->v[1];
++		precomp->v[3] = r->v[3];
++		precomp->v[5] = r->v[5];
++		precomp->v[7] = r->v[7];
++		precomp->v[9] = r->v[9];
++		addmulmod(h,h,precomp,c);
++		}
++	else if (st->buf_used > 0)
++		{
++		fe1305x2_frombytearray(c, st->buf, st->buf_used);
++		r->v[1] = 1;
++		r->v[3] = 0;
++		r->v[5] = 0;
++		r->v[7] = 0;
++		r->v[9] = 0;
++		addmulmod(h,h,r,c);
++		}
++
++	h->v[0] += h->v[1];
++	h->v[2] += h->v[3];
++	h->v[4] += h->v[5];
++	h->v[6] += h->v[7];
++	h->v[8] += h->v[9];
++	freeze(h);
++
++	fe1305x2_frombytearray(c, st->key, 16);
++	c->v[8] ^= (1 << 24);
++
++	h->v[0] += c->v[0];
++	h->v[2] += c->v[2];
++	h->v[4] += c->v[4];
++	h->v[6] += c->v[6];
++	h->v[8] += c->v[8];
++	fe1305x2_tobytearray(mac, h);
++	}
++
++#endif  /* !OPENSSL_NO_POLY1305 */
+--- ./crypto/poly1305/poly1305.c.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/poly1305/poly1305.c	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,320 @@
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++/* This implementation of poly1305 is by Andrew Moon
++ * (https://github.com/floodyberry/poly1305-donna) and released as public
++ * domain. */
++
++#include <string.h>
++#include <stdint.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_POLY1305)
++
++#include <openssl/poly1305.h>
++
++#if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
++/* We can assume little-endian. */
++static uint32_t U8TO32_LE(const unsigned char *m)
++	{
++	uint32_t r;
++	memcpy(&r, m, sizeof(r));
++	return r;
++	}
++
++static void U32TO8_LE(unsigned char *m, uint32_t v)
++	{
++	memcpy(m, &v, sizeof(v));
++	}
++#else
++static uint32_t U8TO32_LE(const unsigned char *m)
++	{
++	return (uint32_t)m[0] |
++	       (uint32_t)m[1] << 8 |
++	       (uint32_t)m[2] << 16 |
++	       (uint32_t)m[3] << 24;
++	}
++
++static void U32TO8_LE(unsigned char *m, uint32_t v)
++	{
++	m[0] = v;
++	m[1] = v >> 8;
++	m[2] = v >> 16;
++	m[3] = v >> 24;
++	}
++#endif
++
++static uint64_t
++mul32x32_64(uint32_t a, uint32_t b)
++	{
++	return (uint64_t)a * b;
++	}
++
++
++struct poly1305_state_st
++	{
++	uint32_t r0,r1,r2,r3,r4;
++	uint32_t s1,s2,s3,s4;
++	uint32_t h0,h1,h2,h3,h4;
++	unsigned char buf[16];
++	unsigned int buf_used;
++	unsigned char key[16];
++	};
++
++/* poly1305_blocks updates |state| given some amount of input data. This
++ * function may only be called with a |len| that is not a multiple of 16 at the
++ * end of the data. Otherwise the input must be buffered into 16 byte blocks.
++ * */
++static void poly1305_update(struct poly1305_state_st *state,
++			    const unsigned char *in, size_t len)
++	{
++	uint32_t t0,t1,t2,t3;
++	uint64_t t[5];
++	uint32_t b;
++	uint64_t c;
++	size_t j;
++	unsigned char mp[16];
++
++	if (len < 16)
++		goto poly1305_donna_atmost15bytes;
++
++poly1305_donna_16bytes:
++	t0 = U8TO32_LE(in);
++	t1 = U8TO32_LE(in+4);
++	t2 = U8TO32_LE(in+8);
++	t3 = U8TO32_LE(in+12);
++
++	in += 16;
++	len -= 16;
++
++	state->h0 += t0 & 0x3ffffff;
++	state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
++	state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
++	state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
++	state->h4 += (t3 >> 8) | (1 << 24);
++
++poly1305_donna_mul:
++	t[0] = mul32x32_64(state->h0,state->r0) +
++	       mul32x32_64(state->h1,state->s4) +
++	       mul32x32_64(state->h2,state->s3) +
++	       mul32x32_64(state->h3,state->s2) +
++	       mul32x32_64(state->h4,state->s1);
++	t[1] = mul32x32_64(state->h0,state->r1) +
++	       mul32x32_64(state->h1,state->r0) +
++	       mul32x32_64(state->h2,state->s4) +
++	       mul32x32_64(state->h3,state->s3) +
++	       mul32x32_64(state->h4,state->s2);
++	t[2] = mul32x32_64(state->h0,state->r2) +
++	       mul32x32_64(state->h1,state->r1) +
++	       mul32x32_64(state->h2,state->r0) +
++	       mul32x32_64(state->h3,state->s4) +
++	       mul32x32_64(state->h4,state->s3);
++	t[3] = mul32x32_64(state->h0,state->r3) +
++	       mul32x32_64(state->h1,state->r2) +
++	       mul32x32_64(state->h2,state->r1) +
++	       mul32x32_64(state->h3,state->r0) +
++	       mul32x32_64(state->h4,state->s4);
++	t[4] = mul32x32_64(state->h0,state->r4) +
++	       mul32x32_64(state->h1,state->r3) +
++	       mul32x32_64(state->h2,state->r2) +
++	       mul32x32_64(state->h3,state->r1) +
++	       mul32x32_64(state->h4,state->r0);
++
++	           state->h0 = (uint32_t)t[0] & 0x3ffffff; c =           (t[0] >> 26);
++	t[1] += c; state->h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26);
++	t[2] += b; state->h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26);
++	t[3] += b; state->h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26);
++	t[4] += b; state->h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26);
++	state->h0 += b * 5;
++
++	if (len >= 16)
++		goto poly1305_donna_16bytes;
++
++	/* final bytes */
++poly1305_donna_atmost15bytes:
++	if (!len)
++		return;
++
++	for (j = 0; j < len; j++)
++		mp[j] = in[j];
++	mp[j++] = 1;
++	for (; j < 16; j++)
++		mp[j] = 0;
++	len = 0;
++
++	t0 = U8TO32_LE(mp+0);
++	t1 = U8TO32_LE(mp+4);
++	t2 = U8TO32_LE(mp+8);
++	t3 = U8TO32_LE(mp+12);
++
++	state->h0 += t0 & 0x3ffffff;
++	state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
++	state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
++	state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
++	state->h4 += (t3 >> 8);
++
++	goto poly1305_donna_mul;
++	}
++
++void CRYPTO_poly1305_init(poly1305_state *statep, const unsigned char key[32])
++	{
++	struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
++	uint32_t t0,t1,t2,t3;
++
++	t0 = U8TO32_LE(key+0);
++	t1 = U8TO32_LE(key+4);
++	t2 = U8TO32_LE(key+8);
++	t3 = U8TO32_LE(key+12);
++
++	/* precompute multipliers */
++	state->r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6;
++	state->r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12;
++	state->r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18;
++	state->r3 = t2 & 0x3f03fff; t3 >>= 8;
++	state->r4 = t3 & 0x00fffff;
++
++	state->s1 = state->r1 * 5;
++	state->s2 = state->r2 * 5;
++	state->s3 = state->r3 * 5;
++	state->s4 = state->r4 * 5;
++
++	/* init state */
++	state->h0 = 0;
++	state->h1 = 0;
++	state->h2 = 0;
++	state->h3 = 0;
++	state->h4 = 0;
++
++	state->buf_used = 0;
++	memcpy(state->key, key + 16, sizeof(state->key));
++	}
++
++void CRYPTO_poly1305_update(poly1305_state *statep, const unsigned char *in,
++		     size_t in_len)
++	{
++	unsigned int i;
++	struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
++
++	if (state->buf_used)
++		{
++		unsigned int todo = 16 - state->buf_used;
++		if (todo > in_len)
++			todo = in_len;
++		for (i = 0; i < todo; i++)
++			state->buf[state->buf_used + i] = in[i];
++		state->buf_used += todo;
++		in_len -= todo;
++		in += todo;
++
++		if (state->buf_used == 16)
++			{
++			poly1305_update(state, state->buf, 16);
++			state->buf_used = 0;
++			}
++		}
++
++	if (in_len >= 16)
++		{
++		size_t todo = in_len & ~0xf;
++		poly1305_update(state, in, todo);
++		in += todo;
++		in_len &= 0xf;
++		}
++
++	if (in_len)
++		{
++		for (i = 0; i < in_len; i++)
++			state->buf[i] = in[i];
++		state->buf_used = in_len;
++		}
++	}
++
++void CRYPTO_poly1305_finish(poly1305_state *statep, unsigned char mac[16])
++	{
++	struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
++	uint64_t f0,f1,f2,f3;
++	uint32_t g0,g1,g2,g3,g4;
++	uint32_t b, nb;
++
++	if (state->buf_used)
++		poly1305_update(state, state->buf, state->buf_used);
++
++	                    b = state->h0 >> 26; state->h0 = state->h0 & 0x3ffffff;
++	state->h1 +=     b; b = state->h1 >> 26; state->h1 = state->h1 & 0x3ffffff;
++	state->h2 +=     b; b = state->h2 >> 26; state->h2 = state->h2 & 0x3ffffff;
++	state->h3 +=     b; b = state->h3 >> 26; state->h3 = state->h3 & 0x3ffffff;
++	state->h4 +=     b; b = state->h4 >> 26; state->h4 = state->h4 & 0x3ffffff;
++	state->h0 += b * 5;
++
++	g0 = state->h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
++	g1 = state->h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
++	g2 = state->h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
++	g3 = state->h3 + b; b = g3 >> 26; g3 &= 0x3ffffff;
++	g4 = state->h4 + b - (1 << 26);
++
++	b = (g4 >> 31) - 1;
++	nb = ~b;
++	state->h0 = (state->h0 & nb) | (g0 & b);
++	state->h1 = (state->h1 & nb) | (g1 & b);
++	state->h2 = (state->h2 & nb) | (g2 & b);
++	state->h3 = (state->h3 & nb) | (g3 & b);
++	state->h4 = (state->h4 & nb) | (g4 & b);
++
++	f0 = ((state->h0      ) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
++	f1 = ((state->h1 >>  6) | (state->h2 << 20)) + (uint64_t)U8TO32_LE(&state->key[4]);
++	f2 = ((state->h2 >> 12) | (state->h3 << 14)) + (uint64_t)U8TO32_LE(&state->key[8]);
++	f3 = ((state->h3 >> 18) | (state->h4 <<  8)) + (uint64_t)U8TO32_LE(&state->key[12]);
++
++	U32TO8_LE(&mac[ 0], f0); f1 += (f0 >> 32);
++	U32TO8_LE(&mac[ 4], f1); f2 += (f1 >> 32);
++	U32TO8_LE(&mac[ 8], f2); f3 += (f2 >> 32);
++	U32TO8_LE(&mac[12], f3);
++	}
++
++#endif  /* !OPENSSL_NO_POLY1305 */
+--- ./crypto/poly1305/poly1305.h.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/poly1305/poly1305.h	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,88 @@
++/*
++ *  Poly1305
++ *
++ *  Created on: Jun, 2013
++ *  Author: Elie Bursztein (elieb@google.com)
++ *
++ *  Adapted from the estream code by D. Bernstein.
++ */
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#ifndef HEADER_POLY1305_H_
++#define HEADER_POLY1305_H_
++
++#include <stdint.h>
++#include <openssl/opensslconf.h>
++
++#if defined(OPENSSL_NO_POLY1305)
++#error Poly1305 support is disabled.
++#endif
++
++typedef unsigned char poly1305_state[512];
++
++/* poly1305_init sets up |state| so that it can be used to calculate an
++ * authentication tag with the one-time key |key|. Note that |key| is a
++ * one-time key and therefore there is no `reset' method because that would
++ * enable several messages to be authenticated with the same key. */
++extern void CRYPTO_poly1305_init(poly1305_state* state,
++				 const unsigned char key[32]);
++
++/* poly1305_update processes |in_len| bytes from |in|. It can be called zero or
++ * more times after poly1305_init. */
++extern void CRYPTO_poly1305_update(poly1305_state* state,
++				   const unsigned char *in,
++				   size_t in_len);
++
++/* poly1305_finish completes the poly1305 calculation and writes a 16 byte
++ * authentication tag to |mac|. */
++extern void CRYPTO_poly1305_finish(poly1305_state* state,
++				   unsigned char mac[16]);
++
++#endif  /* HEADER_POLY1305_H_ */
+--- ./crypto/poly1305/poly1305test.c.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/poly1305/poly1305test.c	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,166 @@
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include <openssl/poly1305.h>
++
++struct poly1305_test
++	{
++	const char *inputhex;
++	const char *keyhex;
++	const char *outhex;
++	};
++
++static const struct poly1305_test poly1305_tests[] = {
++	{
++		"",
++		"c8afaac331ee372cd6082de134943b174710130e9f6fea8d72293850a667d86c",
++		"4710130e9f6fea8d72293850a667d86c",
++	},
++	{
++		"48656c6c6f20776f726c6421",
++		"746869732069732033322d62797465206b657920666f7220506f6c7931333035",
++		"a6f745008f81c916a20dcc74eef2b2f0",
++	},
++	{
++		"0000000000000000000000000000000000000000000000000000000000000000",
++		"746869732069732033322d62797465206b657920666f7220506f6c7931333035",
++		"49ec78090e481ec6c26b33b91ccc0307",
++	},
++	{
++		"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 000000000000000000000000000000",
++		"746869732069732033322d62797465206b657920666f7220506f6c7931333035",
++		"da84bcab02676c38cdb015604274c2aa",
++	},
++};
++
++static unsigned char hex_digit(char h)
++	{
++	if (h >= '0' && h <= '9')
++		return h - '0';
++	else if (h >= 'a' && h <= 'f')
++		return h - 'a' + 10;
++	else if (h >= 'A' && h <= 'F')
++		return h - 'A' + 10;
++	else
++		abort();
++	}
++
++static void hex_decode(unsigned char *out, const char* hex)
++	{
++	size_t j = 0;
++
++	while (*hex != 0)
++		{
++		unsigned char v = hex_digit(*hex++);
++		v <<= 4;
++		v |= hex_digit(*hex++);
++		out[j++] = v;
++		}
++	}
++
++static void hexdump(unsigned char *a, size_t len)
++	{
++	size_t i;
++
++	for (i = 0; i < len; i++)
++		printf("%02x", a[i]);
++	}
++
++int main()
++	{
++	static const unsigned num_tests =
++		sizeof(poly1305_tests) / sizeof(struct poly1305_test);
++	unsigned i;
++	unsigned char key[32], out[16], expected[16];
++	poly1305_state poly1305;
++
++	for (i = 0; i < num_tests; i++)
++		{
++		const struct poly1305_test *test = &poly1305_tests[i];
++		unsigned char *in;
++		size_t inlen = strlen(test->inputhex);
++
++		if (strlen(test->keyhex) != sizeof(key)*2 ||
++		    strlen(test->outhex) != sizeof(out)*2 ||
++		    (inlen & 1) == 1)
++			return 1;
++
++		inlen /= 2;
++
++		hex_decode(key, test->keyhex);
++		hex_decode(expected, test->outhex);
++
++		in = malloc(inlen);
++
++		hex_decode(in, test->inputhex);
++		CRYPTO_poly1305_init(&poly1305, key);
++		CRYPTO_poly1305_update(&poly1305, in, inlen);
++		CRYPTO_poly1305_finish(&poly1305, out);
++
++		if (memcmp(out, expected, sizeof(expected)) != 0)
++			{
++			printf("Poly1305 test #%d failed.\n", i);
++			printf("got:      ");
++			hexdump(out, sizeof(out));
++			printf("\nexpected: ");
++			hexdump(expected, sizeof(expected));
++			printf("\n");
++			return 1;
++			}
++
++		free(in);
++		}
++
++	printf("PASS\n");
++	return 0;
++	}
+--- ./crypto/poly1305/poly1305_vec.c.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./crypto/poly1305/poly1305_vec.c	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,733 @@
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++/* This implementation of poly1305 is by Andrew Moon
++ * (https://github.com/floodyberry/poly1305-donna) and released as public
++ * domain. It implements SIMD vectorization based on the algorithm described in
++ * http://cr.yp.to/papers.html#neoncrypto. Unrolled to 2 powers, i.e. 64 byte
++ * block size
++*/
++
++#include <emmintrin.h>
++#include <stdint.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_POLY1305)
++
++#include <openssl/poly1305.h>
++
++#define ALIGN(x) __attribute__((aligned(x)))
++#define INLINE inline
++#define U8TO64_LE(m) (*(uint64_t*)(m))
++#define U8TO32_LE(m) (*(uint32_t*)(m))
++#define U64TO8_LE(m,v) (*(uint64_t*)(m)) = v
++
++typedef __m128i xmmi;
++typedef __uint128_t uint128_t;
++
++static const uint32_t ALIGN(16) poly1305_x64_sse2_message_mask[4] =
++	{(1 << 26) - 1, 0, (1 << 26) - 1, 0};
++static const uint32_t ALIGN(16) poly1305_x64_sse2_5[4] = {5, 0, 5, 0};
++static const uint32_t ALIGN(16) poly1305_x64_sse2_1shl128[4] =
++	{(1 << 24), 0, (1 << 24), 0};
++
++static uint128_t INLINE
++add128(uint128_t a, uint128_t b)
++	{
++	return a + b;
++	}
++
++static uint128_t INLINE
++add128_64(uint128_t a, uint64_t b)
++	{
++	return a + b;
++	}
++
++static uint128_t INLINE
++mul64x64_128(uint64_t a, uint64_t b)
++	{
++	return (uint128_t)a * b;
++	}
++
++static uint64_t INLINE
++lo128(uint128_t a)
++	{
++	return (uint64_t)a;
++	}
++
++static uint64_t INLINE
++shr128(uint128_t v, const int shift)
++	{
++	return (uint64_t)(v >> shift);
++	}
++
++static uint64_t INLINE
++shr128_pair(uint64_t hi, uint64_t lo, const int shift)
++	{
++	return (uint64_t)((((uint128_t)hi << 64) | lo) >> shift);
++	}
++
++typedef struct poly1305_power_t
++	{
++	union
++		{
++		xmmi v;
++		uint64_t u[2];
++		uint32_t d[4];
++		} R20,R21,R22,R23,R24,S21,S22,S23,S24;
++	} poly1305_power;
++
++typedef struct poly1305_state_internal_t
++	{
++	poly1305_power P[2];     /* 288 bytes, top 32 bit halves unused = 144
++				    bytes of free storage */
++	union
++		{
++		xmmi H[5];           /*  80 bytes  */
++		uint64_t HH[10];
++		};
++	/* uint64_t r0,r1,r2;       [24 bytes] */
++	/* uint64_t pad0,pad1;      [16 bytes] */
++	uint64_t started;        /*   8 bytes  */
++	uint64_t leftover;       /*   8 bytes  */
++	uint8_t buffer[64];      /*  64 bytes  */
++	} poly1305_state_internal;   /* 448 bytes total + 63 bytes for
++					alignment = 511 bytes raw */
++
++static poly1305_state_internal INLINE
++*poly1305_aligned_state(poly1305_state *state)
++	{
++	return (poly1305_state_internal *)(((uint64_t)state + 63) & ~63);
++	}
++
++/* copy 0-63 bytes */
++static void INLINE
++poly1305_block_copy(uint8_t *dst, const uint8_t *src, size_t bytes)
++	{
++	size_t offset = src - dst;
++	if (bytes & 32)
++		{
++		_mm_storeu_si128((xmmi *)(dst + 0), _mm_loadu_si128((xmmi *)(dst + offset + 0)));
++		_mm_storeu_si128((xmmi *)(dst + 16), _mm_loadu_si128((xmmi *)(dst + offset + 16)));
++		dst += 32;
++		}
++	if (bytes & 16)
++		{
++		_mm_storeu_si128((xmmi *)dst,
++				 _mm_loadu_si128((xmmi *)(dst + offset)));
++		dst += 16;
++		}
++	if (bytes &  8)
++		{
++		*(uint64_t *)dst = *(uint64_t *)(dst + offset);
++		dst += 8;
++		}
++	if (bytes &  4)
++		{
++		*(uint32_t *)dst = *(uint32_t *)(dst + offset);
++		dst += 4;
++		}
++	if (bytes &  2)
++		{
++		*(uint16_t *)dst = *(uint16_t *)(dst + offset);
++		dst += 2;
++		}
++	if (bytes &  1)
++		{
++		*( uint8_t *)dst = *( uint8_t *)(dst + offset);
++		}
++	}
++
++/* zero 0-15 bytes */
++static void INLINE
++poly1305_block_zero(uint8_t *dst, size_t bytes)
++	{
++	if (bytes &  8) { *(uint64_t *)dst = 0; dst += 8; }
++	if (bytes &  4) { *(uint32_t *)dst = 0; dst += 4; }
++	if (bytes &  2) { *(uint16_t *)dst = 0; dst += 2; }
++	if (bytes &  1) { *( uint8_t *)dst = 0; }
++	}
++
++static size_t INLINE
++poly1305_min(size_t a, size_t b)
++	{
++	return (a < b) ? a : b;
++	}
++
++void
++CRYPTO_poly1305_init(poly1305_state *state, const unsigned char key[32])
++	{
++	poly1305_state_internal *st = poly1305_aligned_state(state);
++	poly1305_power *p;
++	uint64_t r0,r1,r2;
++	uint64_t t0,t1;
++
++	/* clamp key */
++	t0 = U8TO64_LE(key + 0);
++	t1 = U8TO64_LE(key + 8);
++	r0 = t0 & 0xffc0fffffff; t0 >>= 44; t0 |= t1 << 20;
++	r1 = t0 & 0xfffffc0ffff; t1 >>= 24;
++	r2 = t1 & 0x00ffffffc0f;
++
++	/* store r in un-used space of st->P[1] */
++	p = &st->P[1];
++	p->R20.d[1] = (uint32_t)(r0      );
++	p->R20.d[3] = (uint32_t)(r0 >> 32);
++	p->R21.d[1] = (uint32_t)(r1      );
++	p->R21.d[3] = (uint32_t)(r1 >> 32);
++	p->R22.d[1] = (uint32_t)(r2      );
++	p->R22.d[3] = (uint32_t)(r2 >> 32);
++
++	/* store pad */
++	p->R23.d[1] = U8TO32_LE(key + 16);
++	p->R23.d[3] = U8TO32_LE(key + 20);
++	p->R24.d[1] = U8TO32_LE(key + 24);
++	p->R24.d[3] = U8TO32_LE(key + 28);
++
++	/* H = 0 */
++	st->H[0] = _mm_setzero_si128();
++	st->H[1] = _mm_setzero_si128();
++	st->H[2] = _mm_setzero_si128();
++	st->H[3] = _mm_setzero_si128();
++	st->H[4] = _mm_setzero_si128();
++
++	st->started = 0;
++	st->leftover = 0;
++	}
++
++static void
++poly1305_first_block(poly1305_state_internal *st, const uint8_t *m)
++	{
++	const xmmi MMASK =
++		_mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
++	const xmmi FIVE = _mm_load_si128((xmmi*)poly1305_x64_sse2_5);
++	const xmmi HIBIT = _mm_load_si128((xmmi*)poly1305_x64_sse2_1shl128);
++	xmmi T5,T6;
++	poly1305_power *p;
++	uint128_t d[3];
++	uint64_t r0,r1,r2;
++	uint64_t r20,r21,r22,s22;
++	uint64_t pad0,pad1;
++	uint64_t c;
++	uint64_t i;
++
++	/* pull out stored info */
++	p = &st->P[1];
++
++	r0   = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
++	r1   = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
++	r2   = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
++	pad0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
++	pad1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
++
++	/* compute powers r^2,r^4 */
++	r20 = r0;
++	r21 = r1;
++	r22 = r2;
++	for (i = 0; i < 2; i++)
++		{
++		s22 = r22 * (5 << 2);
++
++		d[0] = add128(mul64x64_128(r20, r20), mul64x64_128(r21 * 2, s22));
++		d[1] = add128(mul64x64_128(r22, s22), mul64x64_128(r20 * 2, r21));
++		d[2] = add128(mul64x64_128(r21, r21), mul64x64_128(r22 * 2, r20));
++
++		                           r20 = lo128(d[0]) & 0xfffffffffff; c = shr128(d[0], 44);
++		d[1] = add128_64(d[1], c); r21 = lo128(d[1]) & 0xfffffffffff; c = shr128(d[1], 44);
++		d[2] = add128_64(d[2], c); r22 = lo128(d[2]) & 0x3ffffffffff; c = shr128(d[2], 42);
++		r20 += c * 5; c = (r20 >> 44); r20 = r20 & 0xfffffffffff;
++		r21 += c;
++
++		p->R20.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)( r20                     ) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
++		p->R21.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r20 >> 26) | (r21 << 18)) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
++		p->R22.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r21 >> 8)               ) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
++		p->R23.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r21 >> 34) | (r22 << 10)) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
++		p->R24.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r22 >> 16)              )            ), _MM_SHUFFLE(1,0,1,0));
++		p->S21.v = _mm_mul_epu32(p->R21.v, FIVE);
++		p->S22.v = _mm_mul_epu32(p->R22.v, FIVE);
++		p->S23.v = _mm_mul_epu32(p->R23.v, FIVE);
++		p->S24.v = _mm_mul_epu32(p->R24.v, FIVE);
++		p--;
++		}
++
++	/* put saved info back */
++	p = &st->P[1];
++	p->R20.d[1] = (uint32_t)(r0        );
++	p->R20.d[3] = (uint32_t)(r0   >> 32);
++	p->R21.d[1] = (uint32_t)(r1        );
++	p->R21.d[3] = (uint32_t)(r1   >> 32);
++	p->R22.d[1] = (uint32_t)(r2        );
++	p->R22.d[3] = (uint32_t)(r2   >> 32);
++	p->R23.d[1] = (uint32_t)(pad0      );
++	p->R23.d[3] = (uint32_t)(pad0 >> 32);
++	p->R24.d[1] = (uint32_t)(pad1      );
++	p->R24.d[3] = (uint32_t)(pad1 >> 32);
++
++	/* H = [Mx,My] */
++	T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
++	T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
++	st->H[0] = _mm_and_si128(MMASK, T5);
++	st->H[1] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
++	T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
++	st->H[2] = _mm_and_si128(MMASK, T5);
++	st->H[3] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
++	st->H[4] = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
++	}
++
++static void
++poly1305_blocks(poly1305_state_internal *st, const uint8_t *m, size_t bytes)
++	{
++	const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
++	const xmmi FIVE = _mm_load_si128((xmmi*)poly1305_x64_sse2_5);
++	const xmmi HIBIT = _mm_load_si128((xmmi*)poly1305_x64_sse2_1shl128);
++
++	poly1305_power *p;
++	xmmi H0,H1,H2,H3,H4;
++	xmmi T0,T1,T2,T3,T4,T5,T6;
++	xmmi M0,M1,M2,M3,M4;
++	xmmi C1,C2;
++
++	H0 = st->H[0];
++	H1 = st->H[1];
++	H2 = st->H[2];
++	H3 = st->H[3];
++	H4 = st->H[4];
++
++	while (bytes >= 64)
++		{
++		/* H *= [r^4,r^4] */
++		p = &st->P[0];
++		T0 = _mm_mul_epu32(H0, p->R20.v);
++		T1 = _mm_mul_epu32(H0, p->R21.v);
++		T2 = _mm_mul_epu32(H0, p->R22.v);
++		T3 = _mm_mul_epu32(H0, p->R23.v);
++		T4 = _mm_mul_epu32(H0, p->R24.v);
++		T5 = _mm_mul_epu32(H1, p->S24.v); T6 = _mm_mul_epu32(H1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(H2, p->S23.v); T6 = _mm_mul_epu32(H2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(H3, p->S22.v); T6 = _mm_mul_epu32(H3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(H4, p->S21.v); T6 = _mm_mul_epu32(H4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(H1, p->R21.v); T6 = _mm_mul_epu32(H1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(H2, p->R20.v); T6 = _mm_mul_epu32(H2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(H3, p->S24.v); T6 = _mm_mul_epu32(H3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(H4, p->S23.v); T6 = _mm_mul_epu32(H4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(H1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(H2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(H3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(H4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
++
++		/* H += [Mx,My]*[r^2,r^2] */
++		T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
++		T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
++		M0 = _mm_and_si128(MMASK, T5);
++		M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
++		T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
++		M2 = _mm_and_si128(MMASK, T5);
++		M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
++		M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
++
++		p = &st->P[1];
++		T5 = _mm_mul_epu32(M0, p->R20.v); T6 = _mm_mul_epu32(M0, p->R21.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(M1, p->S24.v); T6 = _mm_mul_epu32(M1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(M2, p->S23.v); T6 = _mm_mul_epu32(M2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(M3, p->S22.v); T6 = _mm_mul_epu32(M3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(M4, p->S21.v); T6 = _mm_mul_epu32(M4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(M0, p->R22.v); T6 = _mm_mul_epu32(M0, p->R23.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(M1, p->R21.v); T6 = _mm_mul_epu32(M1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(M2, p->R20.v); T6 = _mm_mul_epu32(M2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(M3, p->S24.v); T6 = _mm_mul_epu32(M3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(M4, p->S23.v); T6 = _mm_mul_epu32(M4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(M0, p->R24.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(M1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(M2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(M3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(M4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
++
++		/* H += [Mx,My] */
++		T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 32)), _mm_loadl_epi64((xmmi *)(m + 48)));
++		T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 40)), _mm_loadl_epi64((xmmi *)(m + 56)));
++		M0 = _mm_and_si128(MMASK, T5);
++		M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
++		T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
++		M2 = _mm_and_si128(MMASK, T5);
++		M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
++		M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
++
++		T0 = _mm_add_epi64(T0, M0);
++		T1 = _mm_add_epi64(T1, M1);
++		T2 = _mm_add_epi64(T2, M2);
++		T3 = _mm_add_epi64(T3, M3);
++		T4 = _mm_add_epi64(T4, M4);
++
++		/* reduce */
++		C1 = _mm_srli_epi64(T0, 26); C2 = _mm_srli_epi64(T3, 26); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_and_si128(T3, MMASK); T1 = _mm_add_epi64(T1, C1); T4 = _mm_add_epi64(T4, C2);
++		C1 = _mm_srli_epi64(T1, 26); C2 = _mm_srli_epi64(T4, 26); T1 = _mm_and_si128(T1, MMASK); T4 = _mm_and_si128(T4, MMASK); T2 = _mm_add_epi64(T2, C1); T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
++		C1 = _mm_srli_epi64(T2, 26); C2 = _mm_srli_epi64(T0, 26); T2 = _mm_and_si128(T2, MMASK); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_add_epi64(T3, C1); T1 = _mm_add_epi64(T1, C2);
++		C1 = _mm_srli_epi64(T3, 26);                              T3 = _mm_and_si128(T3, MMASK);                                T4 = _mm_add_epi64(T4, C1);
++
++		/* H = (H*[r^4,r^4] + [Mx,My]*[r^2,r^2] + [Mx,My]) */
++		H0 = T0;
++		H1 = T1;
++		H2 = T2;
++		H3 = T3;
++		H4 = T4;
++
++		m += 64;
++		bytes -= 64;
++		}
++
++	st->H[0] = H0;
++	st->H[1] = H1;
++	st->H[2] = H2;
++	st->H[3] = H3;
++	st->H[4] = H4;
++	}
++
++static size_t
++poly1305_combine(poly1305_state_internal *st, const uint8_t *m, size_t bytes)
++	{
++	const xmmi MMASK =
++		_mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
++	const xmmi HIBIT = _mm_load_si128((xmmi*)poly1305_x64_sse2_1shl128);
++	const xmmi FIVE = _mm_load_si128((xmmi*)poly1305_x64_sse2_5);
++
++	poly1305_power *p;
++	xmmi H0,H1,H2,H3,H4;
++	xmmi M0,M1,M2,M3,M4;
++	xmmi T0,T1,T2,T3,T4,T5,T6;
++	xmmi C1,C2;
++
++	uint64_t r0,r1,r2;
++	uint64_t t0,t1,t2,t3,t4;
++	uint64_t c;
++	size_t consumed = 0;
++
++	H0 = st->H[0];
++	H1 = st->H[1];
++	H2 = st->H[2];
++	H3 = st->H[3];
++	H4 = st->H[4];
++
++	/* p = [r^2,r^2] */
++	p = &st->P[1];
++
++	if (bytes >= 32)
++		{
++		/* H *= [r^2,r^2] */
++		T0 = _mm_mul_epu32(H0, p->R20.v);
++		T1 = _mm_mul_epu32(H0, p->R21.v);
++		T2 = _mm_mul_epu32(H0, p->R22.v);
++		T3 = _mm_mul_epu32(H0, p->R23.v);
++		T4 = _mm_mul_epu32(H0, p->R24.v);
++		T5 = _mm_mul_epu32(H1, p->S24.v); T6 = _mm_mul_epu32(H1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(H2, p->S23.v); T6 = _mm_mul_epu32(H2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(H3, p->S22.v); T6 = _mm_mul_epu32(H3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(H4, p->S21.v); T6 = _mm_mul_epu32(H4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++		T5 = _mm_mul_epu32(H1, p->R21.v); T6 = _mm_mul_epu32(H1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(H2, p->R20.v); T6 = _mm_mul_epu32(H2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(H3, p->S24.v); T6 = _mm_mul_epu32(H3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(H4, p->S23.v); T6 = _mm_mul_epu32(H4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++		T5 = _mm_mul_epu32(H1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(H2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(H3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
++		T5 = _mm_mul_epu32(H4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
++
++		/* H += [Mx,My] */
++		T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
++		T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
++		M0 = _mm_and_si128(MMASK, T5);
++		M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
++		T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
++		M2 = _mm_and_si128(MMASK, T5);
++		M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
++		M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
++
++		T0 = _mm_add_epi64(T0, M0);
++		T1 = _mm_add_epi64(T1, M1);
++		T2 = _mm_add_epi64(T2, M2);
++		T3 = _mm_add_epi64(T3, M3);
++		T4 = _mm_add_epi64(T4, M4);
++
++		/* reduce */
++		C1 = _mm_srli_epi64(T0, 26); C2 = _mm_srli_epi64(T3, 26); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_and_si128(T3, MMASK); T1 = _mm_add_epi64(T1, C1); T4 = _mm_add_epi64(T4, C2);
++		C1 = _mm_srli_epi64(T1, 26); C2 = _mm_srli_epi64(T4, 26); T1 = _mm_and_si128(T1, MMASK); T4 = _mm_and_si128(T4, MMASK); T2 = _mm_add_epi64(T2, C1); T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
++		C1 = _mm_srli_epi64(T2, 26); C2 = _mm_srli_epi64(T0, 26); T2 = _mm_and_si128(T2, MMASK); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_add_epi64(T3, C1); T1 = _mm_add_epi64(T1, C2);
++		C1 = _mm_srli_epi64(T3, 26);                              T3 = _mm_and_si128(T3, MMASK);                                T4 = _mm_add_epi64(T4, C1);
++
++		/* H = (H*[r^2,r^2] + [Mx,My]) */
++		H0 = T0;
++		H1 = T1;
++		H2 = T2;
++		H3 = T3;
++		H4 = T4;
++
++		consumed = 32;
++		}
++
++	/* finalize, H *= [r^2,r] */
++	r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
++	r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
++	r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
++
++	p->R20.d[2] = (uint32_t)( r0                    ) & 0x3ffffff;
++	p->R21.d[2] = (uint32_t)((r0 >> 26) | (r1 << 18)) & 0x3ffffff;
++	p->R22.d[2] = (uint32_t)((r1 >> 8)              ) & 0x3ffffff;
++	p->R23.d[2] = (uint32_t)((r1 >> 34) | (r2 << 10)) & 0x3ffffff;
++	p->R24.d[2] = (uint32_t)((r2 >> 16)             )            ;
++	p->S21.d[2] = p->R21.d[2] * 5;
++	p->S22.d[2] = p->R22.d[2] * 5;
++	p->S23.d[2] = p->R23.d[2] * 5;
++	p->S24.d[2] = p->R24.d[2] * 5;
++
++	/* H *= [r^2,r] */
++	T0 = _mm_mul_epu32(H0, p->R20.v);
++	T1 = _mm_mul_epu32(H0, p->R21.v);
++	T2 = _mm_mul_epu32(H0, p->R22.v);
++	T3 = _mm_mul_epu32(H0, p->R23.v);
++	T4 = _mm_mul_epu32(H0, p->R24.v);
++	T5 = _mm_mul_epu32(H1, p->S24.v); T6 = _mm_mul_epu32(H1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++	T5 = _mm_mul_epu32(H2, p->S23.v); T6 = _mm_mul_epu32(H2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++	T5 = _mm_mul_epu32(H3, p->S22.v); T6 = _mm_mul_epu32(H3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++	T5 = _mm_mul_epu32(H4, p->S21.v); T6 = _mm_mul_epu32(H4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
++	T5 = _mm_mul_epu32(H1, p->R21.v); T6 = _mm_mul_epu32(H1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++	T5 = _mm_mul_epu32(H2, p->R20.v); T6 = _mm_mul_epu32(H2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++	T5 = _mm_mul_epu32(H3, p->S24.v); T6 = _mm_mul_epu32(H3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++	T5 = _mm_mul_epu32(H4, p->S23.v); T6 = _mm_mul_epu32(H4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
++	T5 = _mm_mul_epu32(H1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
++	T5 = _mm_mul_epu32(H2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
++	T5 = _mm_mul_epu32(H3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
++	T5 = _mm_mul_epu32(H4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
++
++	C1 = _mm_srli_epi64(T0, 26); C2 = _mm_srli_epi64(T3, 26); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_and_si128(T3, MMASK); T1 = _mm_add_epi64(T1, C1); T4 = _mm_add_epi64(T4, C2);
++	C1 = _mm_srli_epi64(T1, 26); C2 = _mm_srli_epi64(T4, 26); T1 = _mm_and_si128(T1, MMASK); T4 = _mm_and_si128(T4, MMASK); T2 = _mm_add_epi64(T2, C1); T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
++	C1 = _mm_srli_epi64(T2, 26); C2 = _mm_srli_epi64(T0, 26); T2 = _mm_and_si128(T2, MMASK); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_add_epi64(T3, C1); T1 = _mm_add_epi64(T1, C2);
++	C1 = _mm_srli_epi64(T3, 26);                              T3 = _mm_and_si128(T3, MMASK);                                T4 = _mm_add_epi64(T4, C1);
++
++	/* H = H[0]+H[1] */
++	H0 = _mm_add_epi64(T0, _mm_srli_si128(T0, 8));
++	H1 = _mm_add_epi64(T1, _mm_srli_si128(T1, 8));
++	H2 = _mm_add_epi64(T2, _mm_srli_si128(T2, 8));
++	H3 = _mm_add_epi64(T3, _mm_srli_si128(T3, 8));
++	H4 = _mm_add_epi64(T4, _mm_srli_si128(T4, 8));
++
++	t0 = _mm_cvtsi128_si32(H0)    ; c = (t0 >> 26); t0 &= 0x3ffffff;
++	t1 = _mm_cvtsi128_si32(H1) + c; c = (t1 >> 26); t1 &= 0x3ffffff;
++	t2 = _mm_cvtsi128_si32(H2) + c; c = (t2 >> 26); t2 &= 0x3ffffff;
++	t3 = _mm_cvtsi128_si32(H3) + c; c = (t3 >> 26); t3 &= 0x3ffffff;
++	t4 = _mm_cvtsi128_si32(H4) + c; c = (t4 >> 26); t4 &= 0x3ffffff;
++	t0 =              t0 + (c * 5); c = (t0 >> 26); t0 &= 0x3ffffff;
++	t1 =              t1 + c;
++
++	st->HH[0] =  ((t0      ) | (t1 << 26)             ) & 0xfffffffffffull;
++	st->HH[1] =  ((t1 >> 18) | (t2 <<  8) | (t3 << 34)) & 0xfffffffffffull;
++	st->HH[2] =  ((t3 >> 10) | (t4 << 16)             ) & 0x3ffffffffffull;
++
++	return consumed;
++	}
++
++void
++CRYPTO_poly1305_update(poly1305_state *state, const unsigned char *m,
++		       size_t bytes)
++	{
++	poly1305_state_internal *st = poly1305_aligned_state(state);
++	size_t want;
++
++	/* need at least 32 initial bytes to start the accelerated branch */
++	if (!st->started)
++		{
++		if ((st->leftover == 0) && (bytes > 32))
++			{
++			poly1305_first_block(st, m);
++			m += 32;
++			bytes -= 32;
++			}
++		else
++			{
++			want = poly1305_min(32 - st->leftover, bytes);
++			poly1305_block_copy(st->buffer + st->leftover, m, want);
++			bytes -= want;
++			m += want;
++			st->leftover += want;
++			if ((st->leftover < 32) || (bytes == 0))
++				return;
++			poly1305_first_block(st, st->buffer);
++			st->leftover = 0;
++			}
++		st->started = 1;
++		}
++
++	/* handle leftover */
++	if (st->leftover)
++		{
++		want = poly1305_min(64 - st->leftover, bytes);
++		poly1305_block_copy(st->buffer + st->leftover, m, want);
++		bytes -= want;
++		m += want;
++		st->leftover += want;
++		if (st->leftover < 64)
++			return;
++		poly1305_blocks(st, st->buffer, 64);
++		st->leftover = 0;
++		}
++
++	/* process 64 byte blocks */
++	if (bytes >= 64)
++		{
++		want = (bytes & ~63);
++		poly1305_blocks(st, m, want);
++		m += want;
++		bytes -= want;
++		}
++
++	if (bytes)
++		{
++		poly1305_block_copy(st->buffer + st->leftover, m, bytes);
++		st->leftover += bytes;
++		}
++	}
++
++void
++CRYPTO_poly1305_finish(poly1305_state *state, unsigned char mac[16])
++	{
++	poly1305_state_internal *st = poly1305_aligned_state(state);
++	size_t leftover = st->leftover;
++	uint8_t *m = st->buffer;
++	uint128_t d[3];
++	uint64_t h0,h1,h2;
++	uint64_t t0,t1;
++	uint64_t g0,g1,g2,c,nc;
++	uint64_t r0,r1,r2,s1,s2;
++	poly1305_power *p;
++
++	if (st->started)
++		{
++		size_t consumed = poly1305_combine(st, m, leftover);
++		leftover -= consumed;
++		m += consumed;
++		}
++
++	/* st->HH will either be 0 or have the combined result */
++	h0 = st->HH[0];
++	h1 = st->HH[1];
++	h2 = st->HH[2];
++
++	p = &st->P[1];
++	r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
++	r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
++	r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
++	s1 = r1 * (5 << 2);
++	s2 = r2 * (5 << 2);
++
++	if (leftover < 16)
++		goto poly1305_donna_atmost15bytes;
++
++poly1305_donna_atleast16bytes:
++	t0 = U8TO64_LE(m + 0);
++	t1 = U8TO64_LE(m + 8);
++	h0 += t0 & 0xfffffffffff;
++	t0 = shr128_pair(t1, t0, 44);
++	h1 += t0 & 0xfffffffffff;
++	h2 += (t1 >> 24) | ((uint64_t)1 << 40);
++
++poly1305_donna_mul:
++	d[0] = add128(add128(mul64x64_128(h0, r0), mul64x64_128(h1, s2)), mul64x64_128(h2, s1));
++	d[1] = add128(add128(mul64x64_128(h0, r1), mul64x64_128(h1, r0)), mul64x64_128(h2, s2));
++	d[2] = add128(add128(mul64x64_128(h0, r2), mul64x64_128(h1, r1)), mul64x64_128(h2, r0));
++	                           h0 = lo128(d[0]) & 0xfffffffffff; c = shr128(d[0], 44);
++	d[1] = add128_64(d[1], c); h1 = lo128(d[1]) & 0xfffffffffff; c = shr128(d[1], 44);
++	d[2] = add128_64(d[2], c); h2 = lo128(d[2]) & 0x3ffffffffff; c = shr128(d[2], 42);
++	h0   += c * 5;
++
++	m += 16;
++	leftover -= 16;
++	if (leftover >= 16) goto poly1305_donna_atleast16bytes;
++
++	/* final bytes */
++poly1305_donna_atmost15bytes:
++	if (!leftover) goto poly1305_donna_finish;
++
++	m[leftover++] = 1;
++	poly1305_block_zero(m + leftover, 16 - leftover);
++	leftover = 16;
++
++	t0 = U8TO64_LE(m+0);
++	t1 = U8TO64_LE(m+8);
++	h0 += t0 & 0xfffffffffff; t0 = shr128_pair(t1, t0, 44);
++	h1 += t0 & 0xfffffffffff;
++	h2 += (t1 >> 24);
++
++	goto poly1305_donna_mul;
++
++poly1305_donna_finish:
++	             c = (h0 >> 44); h0 &= 0xfffffffffff;
++	h1 += c;     c = (h1 >> 44); h1 &= 0xfffffffffff;
++	h2 += c;     c = (h2 >> 42); h2 &= 0x3ffffffffff;
++	h0 += c * 5;
++
++	g0 = h0 + 5; c = (g0 >> 44); g0 &= 0xfffffffffff;
++	g1 = h1 + c; c = (g1 >> 44); g1 &= 0xfffffffffff;
++	g2 = h2 + c - ((uint64_t)1 << 42);
++
++	c = (g2 >> 63) - 1;
++	nc = ~c;
++	h0 = (h0 & nc) | (g0 & c);
++	h1 = (h1 & nc) | (g1 & c);
++	h2 = (h2 & nc) | (g2 & c);
++
++	/* pad */
++	t0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
++	t1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
++	h0 += (t0 & 0xfffffffffff)    ; c = (h0 >> 44); h0 &= 0xfffffffffff; t0 = shr128_pair(t1, t0, 44);
++	h1 += (t0 & 0xfffffffffff) + c; c = (h1 >> 44); h1 &= 0xfffffffffff; t1 = (t1 >> 24);
++	h2 += (t1                ) + c;
++
++	U64TO8_LE(mac + 0, ((h0      ) | (h1 << 44)));
++	U64TO8_LE(mac + 8, ((h1 >> 20) | (h2 << 24)));
++	}
++
++#endif  /* !OPENSSL_NO_POLY1305 */
+--- ./doc/crypto/EVP_AEAD_CTX_init.pod.orig	2014-05-19 10:46:17.000000000 +0200
++++ ./doc/crypto/EVP_AEAD_CTX_init.pod	2014-05-19 10:46:17.000000000 +0200
+@@ -0,0 +1,96 @@
++=pod
++
++=head1 NAME
++
++EVP_AEAD_CTX_init, EVP_AEAD_CTX_cleanup, EVP_AEAD_CTX_seal, EVP_AEAD_CTX_open - authenticated encryption functions.
++
++=head1 SYNOPSIS
++
++ #include <openssl/evp.h>
++
++ int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
++                       const unsigned char *key, size_t key_len,
++                       size_t tag_len, ENGINE *impl);
++ void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
++ ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
++                           unsigned char *out, size_t max_out_len,
++                           const unsigned char *nonce, size_t nonce_len,
++                           const unsigned char *in, size_t in_len,
++                           const unsigned char *ad, size_t ad_len);
++ ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx,
++                           unsigned char *out, size_t max_out_len,
++                           const unsigned char *nonce, size_t nonce_len,
++                           const unsigned char *in, size_t in_len,
++                           const unsigned char *ad, size_t ad_len);
++
++=head1 DESCRIPTION
++
++The EVP_AEAD_CTX_init() function initialises an B<EVP_AEAD_CTX> structure and
++performs any precomputation needed to use B<aead> with B<key>. The length of
++the key, B<key_len>, is given in bytes.
++
++The B<tag_len> argument contains the length of the tags, in bytes, and allows
++for the processing of truncated authenticators. A zero value indicates that the
++default tag length should be used and this is defined as
++C<EVP_AEAD_DEFAULT_TAG_LENGTH> in order to make the code clear. Using truncated
++tags increases an attacker's chance of creating a valid forgery. Be aware that
++the attacker's chance may increase more than exponentially as would naively be
++expected.
++
++When no longer needed, the initialised B<EVP_AEAD_CTX> structure must be passed
++to EVP_AEAD_CTX_cleanup(), which will deallocate any memory used.
++
++With an B<EVP_AEAD_CTX> in hand, one can seal and open messages. These
++operations are intended to meet the standard notions of privacy and
++authenticity for authenticated encryption. For formal definitions see I<Bellare
++and Namprempre>, "Authenticated encryption: relations among notions and
++analysis of the generic composition paradigm," Lecture Notes in Computer
++Science B<1976> (2000), 531-545,
++L<http://www-cse.ucsd.edu/~mihir/papers/oem.html>.
++
++When sealing messages, a nonce must be given. The length of the nonce is fixed
++by the AEAD in use and is returned by EVP_AEAD_nonce_length(). I<The nonce must
++be unique for all messages with the same key>. This is critically important -
++nonce reuse may completely undermine the security of the AEAD. Nonces may be
++predictable and public, so long as they are unique. Uniqueness may be achieved
++with a simple counter or, if long enough, may be generated randomly. The nonce
++must be passed into the "open" operation by the receiver so must either be
++implicit (e.g. a counter), or must be transmitted along with the sealed message.
++
++The "seal" and "open" operations are atomic - an entire message must be
++encrypted or decrypted in a single call. Large messages may have to be split up
++in order to accomodate this. When doing so, be mindful of the need not to
++repeat nonces and the possibility that an attacker could duplicate, reorder or
++drop message chunks. For example, using a single key for a given (large)
++message and sealing chunks with nonces counting from zero would be secure as
++long as the number of chunks was securely transmitted. (Otherwise an attacker
++could truncate the message by dropping chunks from the end.)
++
++The number of chunks could be transmitted by prefixing it to the plaintext, for
++example. This also assumes that no other message would ever use the same key
++otherwise the rule that nonces must be unique for a given key would be
++violated.
++
++The "seal" and "open" operations also permit additional data to be
++authenticated via the B<ad> parameter. This data is not included in the
++ciphertext and must be identical for both the "seal" and "open" call. This
++permits implicit context to be authenticated but may be C<NULL> if not needed.
++
++The "seal" and "open" operations may work inplace if the B<out> and B<in>
++arguments are equal. They may also be used to shift the data left inside the
++same buffer if B<out> is less than B<in>. However, B<out> may not point inside
++the input data otherwise the input may be overwritten before it has been read.
++This case will cause an error.
++
++=head1 RETURN VALUES
++
++The "seal" and "open" operations return an C<ssize_t> with value -1 on error,
++otherwise they return the number of output bytes written. An error will be
++returned if the input length is large enough that the output size exceeds the
++range of a C<ssize_t>.
++
++=head1 HISTORY
++
++These functions were first added to OpenSSL 1.0.2.
++
++=cut
+--- ./ssl/ssl_lib.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/ssl_lib.c	2014-05-19 10:46:18.000000000 +0200
+@@ -2777,6 +2777,18 @@
+ 		OPENSSL_free(s->enc_write_ctx);
+ 		s->enc_write_ctx=NULL;
+ 		}
++	if (s->aead_read_ctx != NULL)
++		{
++		EVP_AEAD_CTX_cleanup(&s->aead_read_ctx->ctx);
++		OPENSSL_free(s->aead_read_ctx);
++		s->aead_read_ctx = NULL;
++		}
++	if (s->aead_write_ctx != NULL)
++		{
++		EVP_AEAD_CTX_cleanup(&s->aead_write_ctx->ctx);
++		OPENSSL_free(s->aead_write_ctx);
++		s->aead_write_ctx = NULL;
++		}
+ #ifndef OPENSSL_NO_COMP
+ 	if (s->expand != NULL)
+ 		{
+--- ./ssl/s2_clnt.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/s2_clnt.c	2014-05-19 10:46:18.000000000 +0200
+@@ -623,7 +623,7 @@
+ 	if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
+ 		{
+ 
+-		if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
++		if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL))
+ 			{
+ 			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ 			SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+--- ./ssl/s2_enc.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/s2_enc.c	2014-05-19 10:46:18.000000000 +0200
+@@ -68,7 +68,7 @@
+ 	const EVP_MD *md;
+ 	int num;
+ 
+-	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
++	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL))
+ 		{
+ 		ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ 		SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+--- ./ssl/s2_srvr.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/s2_srvr.c	2014-05-19 10:46:18.000000000 +0200
+@@ -452,7 +452,7 @@
+ 
+ 	is_export=SSL_C_IS_EXPORT(s->session->cipher);
+ 	
+-	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
++	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL))
+ 		{
+ 		ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+--- ./ssl/s3_enc.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/s3_enc.c	2014-05-19 10:46:18.000000000 +0200
+@@ -397,7 +397,13 @@
+ 	if (s->s3->tmp.key_block_length != 0)
+ 		return(1);
+ 
+-	if (!ssl_cipher_get_evp(s->session,&c,&hash,NULL,NULL,&comp))
++	if (!ssl_cipher_get_comp(s->session, &comp))
++		{
++		SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
++		return(0);
++		}
++
++	if (!ssl_cipher_get_evp(s->session,&c,&hash,NULL,NULL))
+ 		{
+ 		SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+ 		return(0);
+--- ./ssl/s3_lib.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/s3_lib.c	2014-05-19 10:46:18.000000000 +0200
+@@ -166,6 +166,11 @@
+ 
+ #define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
+ 
++/* FIXED_NONCE_LEN is a macro that results in the correct value to set the
++ * fixed nonce length in SSL_CIPHER.algorithms2. It's the inverse of
++ * SSL_CIPHER_AEAD_FIXED_NONCE_LEN. */
++#define FIXED_NONCE_LEN(x) ((x/2)<<24)
++
+ /* list of available SSLv3 ciphers (sorted by id) */
+ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 
+@@ -1836,7 +1841,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -1868,7 +1874,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -1900,7 +1907,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -1932,7 +1940,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -1964,7 +1973,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -1996,7 +2006,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -2709,7 +2720,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -2741,7 +2753,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -2773,7 +2786,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -2805,7 +2819,8 @@
+ 	SSL_AEAD,
+ 	SSL_TLSV1_2,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+-	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
++		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 	128,
+ 	128,
+ 	},
+@@ -2889,6 +2904,51 @@
+ 	},
+ #endif
+ 
++	{
++	1,
++	TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
++	TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
++	SSL_kEECDH,
++	SSL_aRSA,
++	SSL_CHACHA20POLY1305,
++	SSL_AEAD,
++	SSL_TLSV1_2,
++	SSL_NOT_EXP|SSL_HIGH,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
++	256,
++	0,
++	},
++
++	{
++	1,
++	TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
++	TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
++	SSL_kEECDH,
++	SSL_aECDSA,
++	SSL_CHACHA20POLY1305,
++	SSL_AEAD,
++	SSL_TLSV1_2,
++	SSL_NOT_EXP|SSL_HIGH,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
++	256,
++	0,
++	},
++
++	{
++	1,
++	TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
++	TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
++	SSL_kEDH,
++	SSL_aRSA,
++	SSL_CHACHA20POLY1305,
++	SSL_AEAD,
++	SSL_TLSV1_2,
++	SSL_NOT_EXP|SSL_HIGH,
++	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
++	256,
++	0,
++	},
++
+ /* end of list */
+ 	};
+ 
+--- ./ssl/s3_pkt.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/s3_pkt.c	2014-05-19 10:46:18.000000000 +0200
+@@ -773,6 +773,11 @@
+ 		else
+ 			eivlen = 0;
+ 		}
++	else if (s->aead_write_ctx != NULL &&
++		 s->aead_write_ctx->variable_nonce_included_in_record)
++		{
++		eivlen = s->aead_write_ctx->variable_nonce_len;
++		}
+ 	else 
+ 		eivlen = 0;
+ 
+--- ./ssl/ssl3.h.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/ssl3.h	2014-05-19 10:46:18.000000000 +0200
+@@ -517,6 +517,7 @@
+ 		unsigned char *key_block;
+ 
+ 		const EVP_CIPHER *new_sym_enc;
++		const EVP_AEAD *new_aead;
+ 		const EVP_MD *new_hash;
+ 		int new_mac_pkey_type;
+ 		int new_mac_secret_size;
+--- ./ssl/ssl_ciph.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/ssl_ciph.c	2014-05-19 10:46:18.000000000 +0200
+@@ -298,6 +298,7 @@
+ 	{0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},
+ 	{0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},
+ 	{0,SSL_TXT_CAMELLIA   ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0},
++	{0,SSL_TXT_CHACHA20   ,0,0,0,SSL_CHACHA20POLY1305,0,0,0,0,0,0},
+ 
+ 	/* MAC aliases */	
+ 	{0,SSL_TXT_MD5,0,     0,0,0,SSL_MD5,   0,0,0,0,0},
+@@ -484,16 +485,12 @@
+ 	}
+ #endif
+ 
+-int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+-	     const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
++/* ssl_cipher_get_comp sets |comp| to the correct SSL_COMP for the given
++ * session and returns 1. On error it returns 0. */
++int ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp)
+ 	{
+ 	int i;
+-	const SSL_CIPHER *c;
+ 
+-	c=s->cipher;
+-	if (c == NULL) return(0);
+-	if (comp != NULL)
+-		{
+ 		SSL_COMP ctmp;
+ #ifndef OPENSSL_NO_COMP
+ 		load_builtin_compressions();
+@@ -509,8 +506,52 @@
+ 			else
+ 				*comp=NULL;
+ 			}
++
++	return 1;
++	}
++
++/* ssl_cipher_get_evp_aead sets |*aead| to point to the correct EVP_AEAD object
++ * for |s->cipher|. It returns 1 on success and 0 on error. */
++int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
++	{
++	const SSL_CIPHER *c = s->cipher;
++
++	*aead = NULL;
++
++	if (c == NULL)
++		return 0;
++	if ((c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) == 0)
++		return 0;
++
++#ifndef OPENSSL_NO_AES
++	switch (c->algorithm_enc)
++		{
++	case SSL_AES128GCM:
++		*aead = EVP_aead_aes_128_gcm();
++		return 1;
++	case SSL_CHACHA20POLY1305:
++		*aead = EVP_aead_chacha20_poly1305();
++		return 1;
++		}
++#endif
++
++	return 0;
+ 		}
+ 
++int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
++	     const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
++	{
++	int i;
++	const SSL_CIPHER *c;
++
++	c=s->cipher;
++	if (c == NULL) return(0);
++
++	/* This function doesn't deal with EVP_AEAD. See
++	 * |ssl_cipher_get_aead_evp|. */
++	if (c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)
++		return(0);
++
+ 	if ((enc == NULL) || (md == NULL)) return(0);
+ 
+ 	switch (c->algorithm_enc)
+@@ -1401,7 +1442,9 @@
+ 	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+ 	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
+ 
+-	/* AES is our preferred symmetric cipher */
++	/* CHACHA20 is fast and safe on all hardware and is thus our preferred
++	 * symmetric cipher, with AES second. */
++	ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+ 	ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+ 
+ 	/* Temporarily enable everything else for sorting */
+@@ -1675,6 +1718,9 @@
+ 	case SSL_SEED:
+ 		enc="SEED(128)";
+ 		break;
++	case SSL_CHACHA20POLY1305:
++		enc="ChaCha20-Poly1305";
++		break;
+ 	default:
+ 		enc="unknown";
+ 		break;
+--- ./ssl/ssl_err.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/ssl_err.c	2014-05-19 10:46:18.000000000 +0200
+@@ -278,7 +278,10 @@
+ {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN),	"SSL_VERIFY_CERT_CHAIN"},
+ {ERR_FUNC(SSL_F_SSL_WRITE),	"SSL_write"},
+ {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC),	"tls1_cert_verify_mac"},
+-{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE),	"TLS1_CHANGE_CIPHER_STATE"},
++{ERR_FUNC(SSL_F_TLS1_AEAD_CTX_INIT),	"TLS1_AEAD_CTX_INIT"},
++{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE),	"tls1_change_cipher_state"},
++{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD),	"TLS1_CHANGE_CIPHER_STATE_AEAD"},
++{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER),	"TLS1_CHANGE_CIPHER_STATE_CIPHER"},
+ {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT),	"TLS1_CHECK_SERVERHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_TLS1_ENC),	"TLS1_ENC"},
+ {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL),	"TLS1_EXPORT_KEYING_MATERIAL"},
+--- ./ssl/ssl.h.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/ssl.h	2014-05-19 10:46:18.000000000 +0200
+@@ -291,6 +291,7 @@
+ #define SSL_TXT_CAMELLIA128	"CAMELLIA128"
+ #define SSL_TXT_CAMELLIA256	"CAMELLIA256"
+ #define SSL_TXT_CAMELLIA	"CAMELLIA"
++#define SSL_TXT_CHACHA20	"CHACHA20"
+ 
+ #define SSL_TXT_MD5		"MD5"
+ #define SSL_TXT_SHA1		"SHA1"
+@@ -399,7 +400,9 @@
+ 	unsigned long algorithm_ssl;	/* (major) protocol version */
+ 
+ 	unsigned long algo_strength;	/* strength and export flags */
+-	unsigned long algorithm2;	/* Extra flags */
++	unsigned long algorithm2;	/* Extra flags. See SSL2_CF_* in ssl2.h
++					   and algorithm2 section in
++					   ssl_locl.h */
+ 	int strength_bits;		/* Number of bits really used */
+ 	int alg_bits;			/* Number of bits for algorithm */
+ 	};
+@@ -733,6 +736,9 @@
+ 
+ #endif
+ 
++struct ssl_aead_ctx_st;
++typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
++
+ #if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
+ #define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
+ #else
+@@ -1201,6 +1207,9 @@
+ 	/* These are the ones being used, the ones in SSL_SESSION are
+ 	 * the ones to be 'copied' into these ones */
+ 	int mac_flags; 
++	SSL_AEAD_CTX *aead_read_ctx;	/* AEAD context. If non-NULL, then
++					   |enc_read_ctx| and |read_hash| are
++					   ignored. */
+ 	EVP_CIPHER_CTX *enc_read_ctx;		/* cryptographic state */
+ 	EVP_MD_CTX *read_hash;		/* used for mac generation */
+ #ifndef OPENSSL_NO_COMP
+@@ -1209,6 +1218,9 @@
+ 	char *expand;
+ #endif
+ 
++	SSL_AEAD_CTX *aead_write_ctx;	/* AEAD context. If non-NULL, then
++					   |enc_write_ctx| and |write_hash| are
++					   ignored. */
+ 	EVP_CIPHER_CTX *enc_write_ctx;		/* cryptographic state */
+ 	EVP_MD_CTX *write_hash;		/* used for mac generation */
+ #ifndef OPENSSL_NO_COMP
+@@ -2269,8 +2281,11 @@
+ #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE		 206
+ #define SSL_F_SSL_VERIFY_CERT_CHAIN			 207
+ #define SSL_F_SSL_WRITE					 208
++#define SSL_F_TLS1_AEAD_CTX_INIT			 339
+ #define SSL_F_TLS1_CERT_VERIFY_MAC			 286
+ #define SSL_F_TLS1_CHANGE_CIPHER_STATE			 209
++#define SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD		 340
++#define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER		 338
+ #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT		 274
+ #define SSL_F_TLS1_ENC					 210
+ #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL		 314
+--- ./ssl/ssl_locl.h.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/ssl_locl.h	2014-05-19 10:46:18.000000000 +0200
+@@ -328,6 +328,7 @@
+ #define SSL_SEED		0x00000800L
+ #define SSL_AES128GCM		0x00001000L
+ #define SSL_AES256GCM		0x00002000L
++#define SSL_CHACHA20POLY1305	0x00004000L
+ 
+ #define SSL_AES        		(SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
+ #define SSL_CAMELLIA		(SSL_CAMELLIA128|SSL_CAMELLIA256)
+@@ -379,6 +380,20 @@
+ #define TLS1_STREAM_MAC 0x04
+ 
+ 
++/* SSL_CIPHER_ALGORITHM2_AEAD is a flag in SSL_CIPHER.algorithm2 which
++ * indicates that the cipher is implemented via an EVP_AEAD. */
++#define SSL_CIPHER_ALGORITHM2_AEAD (1<<23)
++
++/* SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce
++ * for an SSL_CIPHER* with the SSL_CIPHER_ALGORITHM2_AEAD flag. */
++#define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \
++	(((ssl_cipher->algorithm2 >> 24) & 0xf)*2)
++
++/* SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD is a flag in
++ * SSL_CIPHER.algorithm2 which indicates that the variable part of the nonce is
++ * included as a prefix of the record. (AES-GCM, for example, does with with an
++ * 8-byte variable nonce.) */
++#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD (1<<22)
+ 
+ /*
+  * Export and cipher strength information. For each cipher we have to decide
+@@ -586,6 +601,20 @@
+ 				      int use_context);
+ 	} SSL3_ENC_METHOD;
+ 
++/* ssl_aead_ctx_st contains information about an AEAD that is being used to
++ * encrypt an SSL connection. */
++struct ssl_aead_ctx_st
++	{
++	EVP_AEAD_CTX ctx;
++	/* fixed_nonce contains any bytes of the nonce that are fixed for all
++	 * records. */
++	unsigned char fixed_nonce[8];
++	unsigned char fixed_nonce_len, variable_nonce_len, tag_len;
++	/* variable_nonce_included_in_record is non-zero if the variable nonce
++	 * for a record is included as a prefix before the ciphertext. */
++	char variable_nonce_included_in_record;
++	};
++
+ #ifndef OPENSSL_NO_COMP
+ /* Used for holding the relevant compression methods loaded into SSL_CTX */
+ typedef struct ssl3_comp_st
+@@ -834,8 +863,10 @@
+ 					     STACK_OF(SSL_CIPHER) **sorted,
+ 					     const char *rule_str);
+ void ssl_update_cache(SSL *s, int mode);
++int ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp);
++int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead);
+ int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
+-		       const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
++		       const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size);
+ int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);			   
+ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
+ int ssl_undefined_function(SSL *s);
+--- ./ssl/ssl_txt.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/ssl_txt.c	2014-05-19 10:46:18.000000000 +0200
+@@ -216,7 +216,7 @@
+ 		{
+ 		SSL_COMP *comp = NULL;
+ 
+-		ssl_cipher_get_evp(x,NULL,NULL,NULL,NULL,&comp);
++		ssl_cipher_get_comp(x, &comp);
+ 		if (comp == NULL)
+ 			{
+ 			if (BIO_printf(bp,"\n    Compression: %d",x->compress_meth) <= 0) goto err;
+--- ./ssl/t1_enc.c.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./ssl/t1_enc.c	2014-05-19 10:46:18.000000000 +0200
+@@ -316,56 +316,92 @@
+ 	return ret;
+ 	}
+ 
+-int tls1_change_cipher_state(SSL *s, int which)
++/* tls1_aead_ctx_init allocates |*aead_ctx|, if needed and returns 1. It
++ * returns 0 on malloc error. */
++static int tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx)
+ 	{
+-	static const unsigned char empty[]="";
+-	unsigned char *p,*mac_secret;
+-	unsigned char *exp_label;
+-	unsigned char tmp1[EVP_MAX_KEY_LENGTH];
+-	unsigned char tmp2[EVP_MAX_KEY_LENGTH];
+-	unsigned char iv1[EVP_MAX_IV_LENGTH*2];
+-	unsigned char iv2[EVP_MAX_IV_LENGTH*2];
+-	unsigned char *ms,*key,*iv;
+-	int client_write;
+-	EVP_CIPHER_CTX *dd;
+-	const EVP_CIPHER *c;
+-#ifndef OPENSSL_NO_COMP
+-	const SSL_COMP *comp;
+-#endif
+-	const EVP_MD *m;
+-	int mac_type;
+-	int *mac_secret_size;
+-	EVP_MD_CTX *mac_ctx;
+-	EVP_PKEY *mac_key;
+-	int is_export,n,i,j,k,exp_label_len,cl;
+-	int reuse_dd = 0;
+-
+-	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
+-	c=s->s3->tmp.new_sym_enc;
+-	m=s->s3->tmp.new_hash;
+-	mac_type = s->s3->tmp.new_mac_pkey_type;
+-#ifndef OPENSSL_NO_COMP
+-	comp=s->s3->tmp.new_compression;
+-#endif
++	if (*aead_ctx != NULL)
++		EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx);
++	else
++		{
++		*aead_ctx = (SSL_AEAD_CTX*) OPENSSL_malloc(sizeof(SSL_AEAD_CTX));
++		if (*aead_ctx == NULL)
++			{
++			SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE);
++			return 0;
++			}
++		}
+ 
+-#ifdef KSSL_DEBUG
+-	printf("tls1_change_cipher_state(which= %d) w/\n", which);
+-	printf("\talg= %ld/%ld, comp= %p\n",
+-	       s->s3->tmp.new_cipher->algorithm_mkey,
+-	       s->s3->tmp.new_cipher->algorithm_auth,
+-	       comp);
+-	printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
+-	printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
+-                c->nid,c->block_size,c->key_len,c->iv_len);
+-	printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
+-	{
+-        int i;
+-        for (i=0; i<s->s3->tmp.key_block_length; i++)
+-		printf("%02x", s->s3->tmp.key_block[i]);  printf("\n");
++	return 1;
++	}
++
++static int tls1_change_cipher_state_aead(SSL *s, char is_read,
++	const unsigned char *key, unsigned key_len,
++	const unsigned char *iv, unsigned iv_len)
++	{
++	const EVP_AEAD *aead = s->s3->tmp.new_aead;
++	SSL_AEAD_CTX *aead_ctx;
++
++	if (is_read)
++		{
++		if (!tls1_aead_ctx_init(&s->aead_read_ctx))
++			return 0;
++		aead_ctx = s->aead_read_ctx;
++		}
++	else
++		{
++		if (!tls1_aead_ctx_init(&s->aead_write_ctx))
++			return 0;
++		aead_ctx = s->aead_write_ctx;
+         }
+-#endif	/* KSSL_DEBUG */
+ 
+-	if (which & SSL3_CC_READ)
++	if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len,
++			       EVP_AEAD_DEFAULT_TAG_LENGTH, NULL /* engine */))
++		return 0;
++	if (iv_len > sizeof(aead_ctx->fixed_nonce))
++		{
++		SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR);
++		return 0;
++		}
++	memcpy(aead_ctx->fixed_nonce, iv, iv_len);
++	aead_ctx->fixed_nonce_len = iv_len;
++	aead_ctx->variable_nonce_len = 8;  /* always the case, currently. */
++	aead_ctx->variable_nonce_included_in_record =
++		(s->s3->tmp.new_cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD) != 0;
++	if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead))
++		{
++		SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR);
++		return 0;
++		}
++	aead_ctx->tag_len = EVP_AEAD_max_overhead(aead);
++
++	return 1;
++	}
++
++/* tls1_change_cipher_state_cipher performs the work needed to switch cipher
++ * states when using EVP_CIPHER. The argument |is_read| is true iff this
++ * function is being called due to reading, as opposed to writing, a
++ * ChangeCipherSpec message. In order to support export ciphersuites,
++ * use_client_keys indicates whether the key material provided is in the
++ * "client write" direction. */
++static int tls1_change_cipher_state_cipher(
++	SSL *s, char is_read, char use_client_keys,
++	const unsigned char *mac_secret, unsigned mac_secret_len,
++	const unsigned char *key, unsigned key_len,
++	const unsigned char *iv, unsigned iv_len)
++	{
++	const EVP_CIPHER *cipher = s->s3->tmp.new_sym_enc;
++	const char is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) != 0;
++	EVP_CIPHER_CTX *cipher_ctx;
++	EVP_MD_CTX *mac_ctx;
++	char is_aead_cipher;
++
++	unsigned char export_tmp1[EVP_MAX_KEY_LENGTH];
++	unsigned char export_tmp2[EVP_MAX_KEY_LENGTH];
++	unsigned char export_iv1[EVP_MAX_IV_LENGTH * 2];
++	unsigned char export_iv2[EVP_MAX_IV_LENGTH * 2];
++
++	if (is_read)
+ 		{
+ 		if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
+ 			s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
+@@ -373,15 +409,159 @@
+ 			s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
+ 
+ 		if (s->enc_read_ctx != NULL)
+-			reuse_dd = 1;
++			EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
+ 		else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
+ 			goto err;
+ 		else
+ 			/* make sure it's intialized in case we exit later with an error */
+ 			EVP_CIPHER_CTX_init(s->enc_read_ctx);
+-		dd= s->enc_read_ctx;
++
++		cipher_ctx = s->enc_read_ctx;
+ 		mac_ctx=ssl_replace_hash(&s->read_hash,NULL);
++
++		memcpy(s->s3->read_mac_secret, mac_secret, mac_secret_len);
++		s->s3->read_mac_secret_size = mac_secret_len;
++		}
++	else
++		{
++		if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
++			s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
++		else
++			s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
++		if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
++			EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
++		else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
++			goto err;
++		cipher_ctx = s->enc_write_ctx;
++		mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
++
++		memcpy(s->s3->write_mac_secret, mac_secret, mac_secret_len);
++		s->s3->write_mac_secret_size = mac_secret_len;
++		}
++
++	if (is_export)
++		{
++		/* In here I set both the read and write key/iv to the
++		 * same value since only the correct one will be used :-).
++		 */
++		const unsigned char *label;
++		unsigned label_len;
++
++		if (use_client_keys)
++			{
++			label = (const unsigned char*) TLS_MD_CLIENT_WRITE_KEY_CONST;
++			label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
++			}
++		else
++			{
++			label = (const unsigned char*) TLS_MD_SERVER_WRITE_KEY_CONST;
++			label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
++			}
++
++		if (!tls1_PRF(ssl_get_algorithm2(s),
++				label, label_len,
++				s->s3->client_random, SSL3_RANDOM_SIZE,
++				s->s3->server_random, SSL3_RANDOM_SIZE,
++				NULL, 0, NULL, 0,
++				key /* secret */, key_len /* secret length */,
++				export_tmp1 /* output */,
++				export_tmp2 /* scratch space */,
++				EVP_CIPHER_key_length(s->s3->tmp.new_sym_enc) /* output length */))
++			return 0;
++		key = export_tmp1;
++
++		if (iv_len > 0)
++			{
++			static const unsigned char empty[] = "";
++
++			if (!tls1_PRF(ssl_get_algorithm2(s),
++					TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE,
++					s->s3->client_random, SSL3_RANDOM_SIZE,
++					s->s3->server_random, SSL3_RANDOM_SIZE,
++					NULL, 0, NULL, 0,
++					empty /* secret */ ,0 /* secret length */,
++					export_iv1 /* output */,
++					export_iv2 /* scratch space */,
++					iv_len * 2 /* output length */))
++				return 0;
++
++			if (use_client_keys)
++				iv = export_iv1;
++			else
++				iv = &export_iv1[iv_len];
++			}
++		}
++
++	/* is_aead_cipher indicates whether the EVP_CIPHER implements an AEAD
++	 * interface. This is different from the newer EVP_AEAD interface. */
++	is_aead_cipher = (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0;
++
++	if (!is_aead_cipher)
++		{
++		EVP_PKEY *mac_key =
++			EVP_PKEY_new_mac_key(s->s3->tmp.new_mac_pkey_type,
++					     NULL, mac_secret, mac_secret_len);
++		if (!mac_key)
++			return 0;
++		EVP_DigestSignInit(mac_ctx, NULL, s->s3->tmp.new_hash, NULL, mac_key);
++		EVP_PKEY_free(mac_key);
++		}
++
++	if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
++		{
++		EVP_CipherInit_ex(cipher_ctx, cipher, NULL /* engine */, key,
++				  NULL /* iv */, !is_read);
++		EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED, iv_len, (void*) iv);
++		}
++	else
++		EVP_CipherInit_ex(cipher_ctx, cipher, NULL /* engine */, key, iv, !is_read);
++
++	/* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
++	if (is_aead_cipher && mac_secret_len > 0)
++		EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
++				    mac_secret_len, (void*) mac_secret);
++
++	if (is_export)
++		{
++		OPENSSL_cleanse(export_tmp1, sizeof(export_tmp1));
++		OPENSSL_cleanse(export_tmp2, sizeof(export_tmp1));
++		OPENSSL_cleanse(export_iv1, sizeof(export_iv1));
++		OPENSSL_cleanse(export_iv2, sizeof(export_iv2));
++		}
++
++	return 1;
++
++err:
++	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER, ERR_R_MALLOC_FAILURE);
++	return 0;
++	}
++
++int tls1_change_cipher_state(SSL *s, int which)
++	{
++	/* is_read is true if we have just read a ChangeCipherSpec message -
++	 * i.e. we need to update the read cipherspec. Otherwise we have just
++	 * written one. */
++	const char is_read = (which & SSL3_CC_READ) != 0;
++	/* use_client_keys is true if we wish to use the keys for the "client
++	 * write" direction. This is the case if we're a client sending a
++	 * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. */
++	const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE ||
++				     which == SSL3_CHANGE_CIPHER_SERVER_READ;
++	const unsigned char *client_write_mac_secret, *server_write_mac_secret, *mac_secret;
++	const unsigned char *client_write_key, *server_write_key, *key;
++	const unsigned char *client_write_iv, *server_write_iv, *iv;
++	const EVP_CIPHER *cipher = s->s3->tmp.new_sym_enc;
++	const EVP_AEAD *aead = s->s3->tmp.new_aead;
++	unsigned key_len, iv_len, mac_secret_len;
++	const unsigned char *key_data;
++	const char is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) != 0;
++
++	/* Update compression contexts. */
+ #ifndef OPENSSL_NO_COMP
++	const SSL_COMP *comp = s->s3->tmp.new_compression;
++
++	if (is_read)
++		{
+ 		if (s->expand != NULL)
+ 			{
+ 			COMP_CTX_free(s->expand);
+@@ -393,42 +573,17 @@
+ 			if (s->expand == NULL)
+ 				{
+ 				SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+-				goto err2;
++				return 0;
+ 				}
+ 			if (s->s3->rrec.comp == NULL)
+-				s->s3->rrec.comp=(unsigned char *)
+-					OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
++				s->s3->rrec.comp =
++					(unsigned char *)OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
+ 			if (s->s3->rrec.comp == NULL)
+ 				goto err;
+ 			}
+-#endif
+-		/* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
+- 		if (s->version != DTLS1_VERSION)
+-			memset(&(s->s3->read_sequence[0]),0,8);
+-		mac_secret= &(s->s3->read_mac_secret[0]);
+-		mac_secret_size=&(s->s3->read_mac_secret_size);
+ 		}
+ 	else
+ 		{
+-		if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
+-			s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
+-			else
+-			s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
+-		if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
+-			reuse_dd = 1;
+-		else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
+-			goto err;
+-		dd= s->enc_write_ctx;
+-		if (SSL_IS_DTLS(s))
+-			{
+-			mac_ctx = EVP_MD_CTX_create();
+-			if (!mac_ctx)
+-				goto err;
+-			s->write_hash = mac_ctx;
+-			}
+-		else
+-			mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
+-#ifndef OPENSSL_NO_COMP
+ 		if (s->compress != NULL)
+ 			{
+ 			COMP_CTX_free(s->compress);
+@@ -440,155 +595,96 @@
+ 			if (s->compress == NULL)
+ 				{
+ 				SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+-				goto err2;
++				return 0;
+ 				}
+ 			}
+-#endif
+-		/* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
+- 		if (s->version != DTLS1_VERSION)
+-			memset(&(s->s3->write_sequence[0]),0,8);
+-		mac_secret= &(s->s3->write_mac_secret[0]);
+-		mac_secret_size = &(s->s3->write_mac_secret_size);
+-		}
+-
+-	if (reuse_dd)
+-		EVP_CIPHER_CTX_cleanup(dd);
+-
+-	p=s->s3->tmp.key_block;
+-	i=*mac_secret_size=s->s3->tmp.new_mac_secret_size;
+-
+-	cl=EVP_CIPHER_key_length(c);
+-	j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+-	               cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+-	/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
+-	/* If GCM mode only part of IV comes from PRF */
+-	if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
+-		k = EVP_GCM_TLS_FIXED_IV_LEN;
+-	else
+-		k=EVP_CIPHER_iv_length(c);
+-	if (	(which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
+-		(which == SSL3_CHANGE_CIPHER_SERVER_READ))
+-		{
+-		ms=  &(p[ 0]); n=i+i;
+-		key= &(p[ n]); n+=j+j;
+-		iv=  &(p[ n]); n+=k+k;
+-		exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
+-		exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
+-		client_write=1;
+-		}
+-	else
+-		{
+-		n=i;
+-		ms=  &(p[ n]); n+=i+j;
+-		key= &(p[ n]); n+=j+k;
+-		iv=  &(p[ n]); n+=k;
+-		exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
+-		exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
+-		client_write=0;
+ 		}
++#endif  /* OPENSSL_NO_COMP */
+ 
+-	if (n > s->s3->tmp.key_block_length)
+-		{
+-		SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
+-		goto err2;
+-		}
++	/* Reset sequence number to zero. */
++	memset(is_read ? s->s3->read_sequence : s->s3->write_sequence, 0, 8);
++
++	/* key_arg is used for SSLv2. We don't need it for TLS. */
++	s->session->key_arg_length = 0;
+ 
+-	memcpy(mac_secret,ms,i);
++	mac_secret_len = s->s3->tmp.new_mac_secret_size;
+ 
+-	if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER))
++	if (aead != NULL)
+ 		{
+-		mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
+-				mac_secret,*mac_secret_size);
+-		EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key);
+-		EVP_PKEY_free(mac_key);
++		key_len = EVP_AEAD_key_length(aead);
++		iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher);
+ 		}
+-#ifdef TLS_DEBUG
+-printf("which = %04X\nmac key=",which);
+-{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
+-#endif
+-	if (is_export)
++	else
+ 		{
+-		/* In here I set both the read and write key/iv to the
+-		 * same value since only the correct one will be used :-).
+-		 */
+-		if (!tls1_PRF(ssl_get_algorithm2(s),
+-				exp_label,exp_label_len,
+-				s->s3->client_random,SSL3_RANDOM_SIZE,
+-				s->s3->server_random,SSL3_RANDOM_SIZE,
+-				NULL,0,NULL,0,
+-				key,j,tmp1,tmp2,EVP_CIPHER_key_length(c)))
+-			goto err2;
+-		key=tmp1;
++		key_len = EVP_CIPHER_key_length(cipher);
++		if (is_export && key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher))
++			key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher);
+ 
+-		if (k > 0)
+-			{
+-			if (!tls1_PRF(ssl_get_algorithm2(s),
+-					TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE,
+-					s->s3->client_random,SSL3_RANDOM_SIZE,
+-					s->s3->server_random,SSL3_RANDOM_SIZE,
+-					NULL,0,NULL,0,
+-					empty,0,iv1,iv2,k*2))
+-				goto err2;
+-			if (client_write)
+-				iv=iv1;
++		if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
++			iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
++		else
++			iv_len = EVP_CIPHER_iv_length(cipher);
++		}
++
++	key_data = s->s3->tmp.key_block;
++	client_write_mac_secret = key_data; key_data += mac_secret_len;
++	server_write_mac_secret = key_data; key_data += mac_secret_len;
++	client_write_key =        key_data; key_data += key_len;
++	server_write_key =        key_data; key_data += key_len;
++	client_write_iv  =        key_data; key_data += iv_len;
++	server_write_iv  =        key_data; key_data += iv_len;
++
++	if (use_client_keys)
++		{
++		mac_secret = client_write_mac_secret;
++		key = client_write_key;
++		iv = client_write_iv;
++		}
+ 			else
+-				iv= &(iv1[k]);
+-			}
++		{
++		mac_secret = server_write_mac_secret;
++		key = server_write_key;
++		iv = server_write_iv;
+ 		}
+ 
+-	s->session->key_arg_length=0;
+-#ifdef KSSL_DEBUG
++	if (key_data - s->s3->tmp.key_block != s->s3->tmp.key_block_length)
+ 	{
+-        int i;
+-	printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
+-	printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
+-	printf("\n");
+-	printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
+-	printf("\n");
++		SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
++		return 0;
+ 	}
+-#endif	/* KSSL_DEBUG */
+ 
+-	if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
++	if (aead != NULL)
+ 		{
+-		EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE));
+-		EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv);
++		if (!tls1_change_cipher_state_aead(s, is_read,
++						   key, key_len, iv, iv_len))
++			return 0;
+ 		}
+ 	else	
+-		EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
+-
+-	/* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
+-	if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size)
+-		EVP_CIPHER_CTX_ctrl(dd,EVP_CTRL_AEAD_SET_MAC_KEY,
+-				*mac_secret_size,mac_secret);
+-
+-#ifdef TLS_DEBUG
+-printf("which = %04X\nkey=",which);
+-{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
+-printf("\niv=");
+-{ int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
+-printf("\n");
+-#endif
++		{
++		if (!tls1_change_cipher_state_cipher(s, is_read, use_client_keys,
++						     mac_secret, mac_secret_len,
++						     key, key_len,
++						     iv, iv_len))
++			return 0;
++		}
+ 
+-	OPENSSL_cleanse(tmp1,sizeof(tmp1));
+-	OPENSSL_cleanse(tmp2,sizeof(tmp1));
+-	OPENSSL_cleanse(iv1,sizeof(iv1));
+-	OPENSSL_cleanse(iv2,sizeof(iv2));
+-	return(1);
++	return 1;
+ err:
+ 	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
+-err2:
+-	return(0);
++	return 0;
+ 	}
+ 
+ int tls1_setup_key_block(SSL *s)
+ 	{
+ 	unsigned char *p1,*p2=NULL;
+-	const EVP_CIPHER *c;
+-	const EVP_MD *hash;
++	const EVP_CIPHER *c = NULL;
++	const EVP_MD *hash = NULL;
++	const EVP_AEAD *aead = NULL;
+ 	int num;
+ 	SSL_COMP *comp;
+ 	int mac_type= NID_undef,mac_secret_size=0;
+ 	int ret=0;
++	unsigned key_len, iv_len;
+ 
+ #ifdef KSSL_DEBUG
+ 	printf ("tls1_setup_key_block()\n");
+@@ -597,17 +693,36 @@
+ 	if (s->s3->tmp.key_block_length != 0)
+ 		return(1);
+ 
+-	if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&comp))
++	if (!ssl_cipher_get_comp(s->session, &comp))
++		goto cipher_unavailable_err;
++
++	if (s->session->cipher &&
++	    (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD))
+ 		{
+-		SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+-		return(0);
++		if (!ssl_cipher_get_evp_aead(s->session, &aead))
++			goto cipher_unavailable_err;
++		key_len = EVP_AEAD_key_length(aead);
++		iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher);
++		}
++	else
++		{
++		if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size))
++			goto cipher_unavailable_err;
++		key_len = EVP_CIPHER_key_length(c);
++
++		if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
++			iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
++		else
++			iv_len = EVP_CIPHER_iv_length(c);
+ 		}
+ 
++	s->s3->tmp.new_aead=aead;
+ 	s->s3->tmp.new_sym_enc=c;
+ 	s->s3->tmp.new_hash=hash;
+ 	s->s3->tmp.new_mac_pkey_type = mac_type;
+ 	s->s3->tmp.new_mac_secret_size = mac_secret_size;
+-	num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c);
++
++	num=key_len+mac_secret_size+iv_len;
+ 	num*=2;
+ 
+ 	ssl3_cleanup_key_block(s);
+@@ -670,6 +785,10 @@
+ 		OPENSSL_free(p2);
+ 		}
+ 	return(ret);
++
++cipher_unavailable_err:
++	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
++	return 0;
+ 	}
+ 
+ /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+@@ -688,6 +807,134 @@
+ 	unsigned long l;
+ 	int bs,i,j,k,pad=0,ret,mac_size=0;
+ 	const EVP_CIPHER *enc;
++	const SSL_AEAD_CTX *aead;
++
++	if (send)
++		rec = &s->s3->wrec;
++	else
++		rec = &s->s3->rrec;
++
++	if (send)
++		aead = s->aead_write_ctx;
++	else
++		aead = s->aead_read_ctx;
++
++	if (aead)
++		{
++		unsigned char ad[13], *seq, *in, *out, nonce[16];
++		unsigned nonce_used;
++		ssize_t n;
++
++		seq = send ? s->s3->write_sequence : s->s3->read_sequence;
++
++		if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
++			{
++			unsigned char dtlsseq[9], *p = dtlsseq;
++
++			s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p);
++			memcpy(p, &seq[2], 6);
++			memcpy(ad, dtlsseq, 8);
++			}
++		else
++			{
++			memcpy(ad, seq, 8);
++			for (i=7; i>=0; i--)	/* increment */
++				{
++				++seq[i];
++				if (seq[i] != 0)
++					break;
++				}
++			}
++
++		ad[8]  = rec->type;
++		ad[9]  = (unsigned char)(s->version>>8);
++		ad[10] = (unsigned char)(s->version);
++
++		if (aead->fixed_nonce_len + aead->variable_nonce_len > sizeof(nonce) ||
++		    aead->variable_nonce_len > 8)
++			return -1;  /* internal error - should never happen. */
++
++		memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len);
++		nonce_used = aead->fixed_nonce_len;
++
++		if (send)
++			{
++			size_t len = rec->length;
++			size_t eivlen = 0;
++			in = rec->input;
++			out = rec->data;
++
++			/* When sending we use the sequence number as the
++			 * variable part of the nonce. */
++			if (aead->variable_nonce_len > 8)
++				return -1;
++			memcpy(nonce + nonce_used, ad, aead->variable_nonce_len);
++			nonce_used += aead->variable_nonce_len;
++
++			/* in do_ssl3_write, rec->input is moved forward by
++			 * variable_nonce_len in order to leave space for the
++			 * variable nonce. Thus we can copy the sequence number
++			 * bytes into place without overwriting any of the
++			 * plaintext. */
++			if (aead->variable_nonce_included_in_record)
++				{
++				memcpy(out, ad, aead->variable_nonce_len);
++				len -= aead->variable_nonce_len;
++				eivlen = aead->variable_nonce_len;
++				}
++
++			ad[11] = len >> 8;
++			ad[12] = len & 0xff;
++
++			n = EVP_AEAD_CTX_seal(&aead->ctx,
++					      out + eivlen, len + aead->tag_len,
++					      nonce, nonce_used,
++					      in + eivlen, len,
++					      ad, sizeof(ad));
++			if (n >= 0 && aead->variable_nonce_included_in_record)
++				n += aead->variable_nonce_len;
++			}
++		else
++			{
++			/* receive */
++			size_t len = rec->length;
++
++			if (rec->data != rec->input)
++				return -1;  /* internal error - should never happen. */
++			out = in = rec->input;
++
++			if (len < aead->variable_nonce_len)
++				return 0;
++			memcpy(nonce + nonce_used,
++			       aead->variable_nonce_included_in_record ? in : ad,
++			       aead->variable_nonce_len);
++			nonce_used += aead->variable_nonce_len;
++
++			if (aead->variable_nonce_included_in_record)
++				{
++				in += aead->variable_nonce_len;
++				len -= aead->variable_nonce_len;
++				out += aead->variable_nonce_len;
++				}
++
++			if (len < aead->tag_len)
++				return 0;
++			len -= aead->tag_len;
++
++			ad[11] = len >> 8;
++			ad[12] = len & 0xff;
++
++			n = EVP_AEAD_CTX_open(&aead->ctx, out, len, nonce, nonce_used,
++					      in, len + aead->tag_len, ad, sizeof(ad));
++
++			rec->data = rec->input = out;
++			}
++
++		if (n == -1)
++			return -1;
++		rec->length = n;
++		return 1;
++		}
+ 
+ 	if (send)
+ 		{
+--- ./ssl/tls1.h.orig	2014-04-06 04:45:34.000000000 +0200
++++ ./ssl/tls1.h	2014-05-19 10:46:18.000000000 +0200
+@@ -525,6 +525,10 @@
+ #define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256        0x0300C031
+ #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384        0x0300C032
+ 
++#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305		0x0300CC13
++#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305		0x0300CC14
++#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305		0x0300CC15
++
+ /* XXX
+  * Inconsistency alert:
+  * The OpenSSL names of ciphers with ephemeral DH here include the string
+@@ -676,6 +680,10 @@
+ #define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256       "ECDH-RSA-AES128-GCM-SHA256"
+ #define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384       "ECDH-RSA-AES256-GCM-SHA384"
+ 
++#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305	"ECDHE-RSA-CHACHA20-POLY1305"
++#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305	"ECDHE-ECDSA-CHACHA20-POLY1305"
++#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305		"DHE-RSA-CHACHA20-POLY1305"
++
+ #define TLS_CT_RSA_SIGN			1
+ #define TLS_CT_DSS_SIGN			2
+ #define TLS_CT_RSA_FIXED_DH		3
+--- ./test/Makefile.orig	2014-04-07 18:55:44.000000000 +0200
++++ ./test/Makefile	2014-05-19 10:46:18.000000000 +0200
+@@ -63,6 +63,8 @@
+ JPAKETEST=	jpaketest
+ SRPTEST=	srptest
+ ASN1TEST=	asn1test
++CHACHATEST=	chachatest
++POLY1305TEST=	poly1305test
+ 
+ TESTS=		alltests
+ 
+@@ -86,7 +88,9 @@
+ 	$(MDC2TEST).o $(RMDTEST).o \
+ 	$(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \
+ 	$(BFTEST).o  $(SSLTEST).o  $(DSATEST).o  $(EXPTEST).o $(RSATEST).o \
+-	$(EVPTEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o
++	$(EVPTEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(CHACHATEST).o \
++	$(POLY1305TEST).o
++
+ SRC=	$(BNTEST).c $(ECTEST).c  $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
+ 	$(MD2TEST).c  $(MD4TEST).c $(MD5TEST).c \
+ 	$(HMACTEST).c $(WPTEST).c \
+@@ -94,7 +98,8 @@
+ 	$(DESTEST).c $(SHATEST).c $(SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \
+ 	$(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \
+ 	$(BFTEST).c  $(SSLTEST).c $(DSATEST).c   $(EXPTEST).c $(RSATEST).c \
+-	$(EVPTEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c
++	$(EVPTEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \
++	$(CHACHATEST).c $(POLY1305TEST).c
+ 
+ EXHEADER= 
+ HEADER=	$(EXHEADER)
+@@ -137,7 +142,7 @@
+ 	test_enc test_x509 test_rsa test_crl test_sid \
+ 	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
+ 	test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \
+-	test_jpake test_srp test_cms
++	test_jpake test_srp test_cms # test_chacha test_poly1305
+ 
+ test_evp:
+ 	../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt
+@@ -318,6 +323,14 @@
+ 	@echo "Test SRP"
+ 	../util/shlib_wrap.sh ./srptest
+ 
++#test_chacha: $(CHACHATEST)$(EXE_EXT)
++#	@echo "Test ChaCha"
++#	../util/shlib_wrap.sh ./$(CHACHATEST)
++#
++#test_poly1305: $(POLY1305TEST)$(EXE_EXT)
++#	@echo "Test Poly1305"
++#	../util/shlib_wrap.sh ./$(POLY1305TEST)
++
+ lint:
+ 	lint -DLINT $(INCLUDES) $(SRC)>fluff
+ 
+@@ -394,6 +407,12 @@
+ $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
+ 	@target=$(SHA512TEST); $(BUILD_CMD)
+ 
++$(CHACHATEST)$(EXE_EXT): $(CHACHATEST).o $(DLIBCRYPTO)
++	@target=$(CHACHATEST); $(BUILD_CMD)
++
++$(POLY1305TEST)$(EXE_EXT): $(POLY1305TEST).o $(DLIBCRYPTO)
++	@target=$(CHACHATEST); $(BUILD_CMD)
++
+ $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
+ 	@target=$(RMDTEST); $(BUILD_CMD)
+ 
+--- ./Configure.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./Configure	2014-05-19 10:46:17.000000000 +0200
+@@ -124,24 +124,24 @@
+ my $bits1="THIRTY_TWO_BIT ";
+ my $bits2="SIXTY_FOUR_BIT ";
+ 
+-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o:des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
++my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o:des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:::";
+ 
+ my $x86_elf_asm="$x86_asm:elf";
+ 
+-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o:";
+-my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
+-my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::ghash-sparcv9.o::void";
+-my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::::void";
+-my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o:::::sha1-alpha.o:::::::ghash-alpha.o::void";
+-my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
+-my $mips64_asm=":bn-mips.o mips-mont.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
+-my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
+-my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";
+-my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
+-my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
+-my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";
+-my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::";
+-my $no_asm=":::::::::::::::void";
++my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o::chacha_vec.o:poly1305_vec.o";
++my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::::void";
++my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::ghash-sparcv9.o::::void";
++my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::::::void";
++my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o:::::sha1-alpha.o:::::::ghash-alpha.o::::void";
++my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::::";
++my $mips64_asm=":bn-mips.o mips-mont.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::::";
++my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::::ghash-s390x.o:";
++my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::chacha_vec.o:poly1305_arm.o poly1305_arm_asm.o:void";
++my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::::32";
++my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::::64";
++my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::::";
++my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::::";
++my $no_asm=":::::::::::::::::void";
+ 
+ # As for $BSDthreads. Idea is to maintain "collective" set of flags,
+ # which would cover all BSD flavors. -pthread applies to them all, 
+@@ -152,7 +152,7 @@
+ # seems to be sufficient?
+ my $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
+ 
+-#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
++#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $chacha_obj : $poly1305_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib :
+ 
+ my %table=(
+ # File 'TABLE' (created by 'make TABLE') contains the data from this list,
+@@ -647,6 +647,8 @@
+ my $idx_cmll_obj = $idx++;
+ my $idx_modes_obj = $idx++;
+ my $idx_engines_obj = $idx++;
++my $idx_chacha_obj = $idx++;
++my $idx_poly1305_obj = $idx++;
+ my $idx_perlasm_scheme = $idx++;
+ my $idx_dso_scheme = $idx++;
+ my $idx_shared_target = $idx++;
+@@ -692,6 +694,8 @@
+ my $bf_enc	="bf_enc.o";
+ my $cast_enc="c_enc.o";
+ my $rc4_enc="rc4_enc.o rc4_skey.o";
++my $chacha_enc="chacha_enc.o";
++my $poly1305 ="poly1305.o";
+ my $rc5_enc="rc5_enc.o";
+ my $md5_obj="";
+ my $sha1_obj="";
+@@ -1144,7 +1148,7 @@
+ 
+ print "IsMK1MF=$IsMK1MF\n";
+ 
+-my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
++my @fields = split(/\s*:\s*/,$table{$target} . ":" x 31 , -1);
+ my $cc = $fields[$idx_cc];
+ # Allow environment CC to override compiler...
+ if($ENV{CC}) {
+@@ -1181,6 +1185,8 @@
+ my $ar = $ENV{'AR'} || "ar";
+ my $arflags = $fields[$idx_arflags];
+ my $multilib = $fields[$idx_multilib];
++my $chacha_obj = $fields[$idx_chacha_obj];
++my $poly1305_obj = $fields[$idx_poly1305_obj];
+ 
+ # if $prefix/lib$multilib is not an existing directory, then
+ # assume that it's not searched by linker automatically, in
+@@ -1477,6 +1483,8 @@
+ $bf_obj=$bf_enc		unless ($bf_obj =~ /\.o$/);
+ $cast_obj=$cast_enc	unless ($cast_obj =~ /\.o$/);
+ $rc4_obj=$rc4_enc	unless ($rc4_obj =~ /\.o$/);
++$chacha_obj=$chacha_enc	unless ($chacha_obj =~ /\.o$/);
++$poly1305_obj=$poly1305	unless ($poly1305_obj =~ /\.o$/);
+ $rc5_obj=$rc5_enc	unless ($rc5_obj =~ /\.o$/);
+ if ($sha1_obj =~ /\.o$/)
+ 	{
+@@ -1637,6 +1645,8 @@
+ 	s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
+ 	s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/;
+ 	s/^RC4_ENC=.*$/RC4_ENC= $rc4_obj/;
++	s/^CHACHA_ENC=.*$/CHACHA_ENC= $chacha_obj/;
++	s/^POLY1305=.*$/POLY1305= $poly1305_obj/;
+ 	s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/;
+ 	s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/;
+ 	s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/;
+@@ -1698,6 +1708,8 @@
+ print "BF_ENC        =$bf_obj\n";
+ print "CAST_ENC      =$cast_obj\n";
+ print "RC4_ENC       =$rc4_obj\n";
++print "CHACHA_ENC    =$chacha_obj\n";
++print "POLY1305      =$poly1305_obj\n";
+ print "RC5_ENC       =$rc5_obj\n";
+ print "MD5_OBJ_ASM   =$md5_obj\n";
+ print "SHA1_OBJ_ASM  =$sha1_obj\n";
+@@ -2096,11 +2108,11 @@
+ 
+ 	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags,
+ 	my $bn_ops,my $cpuid_obj,my $bn_obj,my $des_obj,my $aes_obj, my $bf_obj,
+-	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
+-	my $rc5_obj,my $wp_obj,my $cmll_obj,my $modes_obj, my $engines_obj,
++	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $chacha_obj,my $poly1305_obj,
++	my $rmd160_obj, my $rc5_obj,my $wp_obj,my $cmll_obj,my $modes_obj, my $engines_obj,
+ 	my $perlasm_scheme,my $dso_scheme,my $shared_target,my $shared_cflag,
+ 	my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags,my $multilib)=
+-	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
++	split(/\s*:\s*/,$table{$target} . ":" x 31 , -1);
+ 			
+ 	print <<EOF
+ 
+@@ -2121,6 +2133,8 @@
+ \$sha1_obj     = $sha1_obj
+ \$cast_obj     = $cast_obj
+ \$rc4_obj      = $rc4_obj
++\$chacha_obj    = $chacha_obj
++\$poly1305_obj = $poly1305_obj
+ \$rmd160_obj   = $rmd160_obj
+ \$rc5_obj      = $rc5_obj
+ \$wp_obj       = $wp_obj
+@@ -2150,7 +2164,7 @@
+ 
+ 	foreach $target (sort keys %table)
+ 		{
+-		@fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
++		@fields = split(/\s*:\s*/,$table{$target} . ":" x 31 , -1);
+ 
+ 		if ($fields[$idx_dso_scheme-1] =~ /^(beos|dl|dlfcn|win32|vms)$/)
+ 			{
+--- ./Makefile.org.orig	2014-03-17 17:14:20.000000000 +0100
++++ ./Makefile.org	2014-05-19 10:46:18.000000000 +0200
+@@ -94,6 +94,8 @@
+ CAST_ENC= c_enc.o
+ RC4_ENC= rc4_enc.o
+ RC5_ENC= rc5_enc.o
++CHACHA_ENC= chacha_enc.o
++POLY1305= poly1305.o
+ MD5_ASM_OBJ= 
+ SHA1_ASM_OBJ= 
+ RMD160_ASM_OBJ= 
+@@ -147,7 +149,7 @@
+ 	bn ec rsa dsa ecdsa dh ecdh dso engine \
+ 	buffer bio stack lhash rand err \
+ 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+-	cms pqueue ts jpake srp store cmac
++	cms pqueue ts jpake srp store cmac poly1305 chacha
+ # keep in mind that the above list is adjusted by ./Configure
+ # according to no-xxx arguments...
+ 
+@@ -232,6 +234,8 @@
+ 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
+ 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
+ 		ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)'		\
++		CHACHA_ENC='$(CHACHA_ENC)'			\
++		POLY1305='$(POLY1305)'				\
+ 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
+ 		FIPSLIBDIR='${FIPSLIBDIR}'			\
+ 		FIPSDIR='${FIPSDIR}'				\
--- openssl.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: