Merge branch 'busybox' into merge

41 files changed, 3129 insertions, 627 deletions

diff --git a/Makefile b/Makefile
index 3109e4fcf..52a2cff87 100644
--- a/Makefile
+++ b/Makefile
@@ -551,6 +551,7 @@ libs-y		:= \
                 findutils/ \
                 init/ \
                 libbb/ \
+                libbb/yescrypt/ \
                 libpwdgrp/ \
                 loginutils/ \
                 mailutils/ \
diff --git a/include/libbb.h b/include/libbb.h
index 4cacdacba..7a375f4d2 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -1210,6 +1210,16 @@ char *bin2hex(char *dst, const char *src, int count) FAST_FUNC;
 /* Reverse */
 char* hex2bin(char *dst, const char *src, int count) FAST_FUNC;
 
+void FAST_FUNC xorbuf_3(void *dst, const void *src1, const void *src2, unsigned count);
+void FAST_FUNC xorbuf(void* buf, const void* mask, unsigned count);
+void FAST_FUNC xorbuf16_aligned_long(void* buf, const void* mask);
+void FAST_FUNC xorbuf64_3_aligned64(void *dst, const void *src1, const void *src2);
+#if BB_UNALIGNED_MEMACCESS_OK
+# define xorbuf16(buf,mask) xorbuf16_aligned_long(buf,mask)
+#else
+void FAST_FUNC xorbuf16(void* buf, const void* mask);
+#endif
+
 /* Generate a UUID */
 void generate_uuid(uint8_t *buf) FAST_FUNC;
 
@@ -1924,18 +1934,25 @@ extern char *pw_encrypt(const char *clear, const char *salt, int cleanup) FAST_F
 extern int obscure(const char *old, const char *newval, const struct passwd *pwdp) FAST_FUNC;
 /*
  * rnd is additional random input. New one is returned.
- * Useful if you call crypt_make_salt many times in a row:
- * rnd = crypt_make_salt(buf1, 4, 0);
- * rnd = crypt_make_salt(buf2, 4, rnd);
- * rnd = crypt_make_salt(buf3, 4, rnd);
+ * Useful if you call crypt_make_rand64encoded many times in a row:
+ * rnd = crypt_make_rand64encoded(buf1, 4, 0);
+ * rnd = crypt_make_rand64encoded(buf2, 4, rnd);
+ * rnd = crypt_make_rand64encoded(buf3, 4, rnd);
  * (otherwise we risk having same salt generated)
  */
-extern int crypt_make_salt(char *p, int cnt /*, int rnd*/) FAST_FUNC;
-/* "$N$" + sha_salt_16_bytes + NUL */
-#define MAX_PW_SALT_LEN (3 + 16 + 1)
+extern int crypt_make_rand64encoded(char *p, int cnt /*, int rnd*/) FAST_FUNC;
+/* Size of char salt[] to hold randomly-generated salt string
+ * sha256/512:
+ * "$5$" ["rounds=999999999$"] "<sha_salt_16_chars><NUL>"
+ * "$6$" ["rounds=999999999$"] "<sha_salt_16_chars><NUL>"
+ * #define MAX_PW_SALT_LEN (3 + sizeof("rounds=999999999$")-1 + 16 + 1)
+ * yescrypt:
+ * "$y$" <up to 8 params of up to 6 chars each> "$" <up to 86 chars salt><NUL>
+ * (86 chars are ascii64-encoded 64 binary bytes)
+ */
+#define MAX_PW_SALT_LEN (3 + 8*6 + 1 + 86 + 1)
 extern char* crypt_make_pw_salt(char p[MAX_PW_SALT_LEN], const char *algo) FAST_FUNC;
 
-
 /* Returns number of lines changed, or -1 on error */
 #if !(ENABLE_FEATURE_ADDUSER_TO_GROUP || ENABLE_FEATURE_DEL_USER_FROM_GROUP)
 #define update_passwd(filename, username, data, member) \
@@ -2335,6 +2352,21 @@ char *decode_base64(char *dst, const char **pp_src) FAST_FUNC;
 char *decode_base32(char *dst, const char **pp_src) FAST_FUNC;
 void read_base64(FILE *src_stream, FILE *dst_stream, int flags) FAST_FUNC;
 
+int FAST_FUNC i2a64(int i);
+int FAST_FUNC a2i64(char c);
+char* FAST_FUNC num2str64_lsb_first(char *s, unsigned v, int n);
+
+enum {
+        /* how many bytes XYZ_end() fills */
+        MD5_OUTSIZE    = 16,
+        SHA1_OUTSIZE   = 20,
+        SHA256_OUTSIZE = 32,
+        SHA512_OUTSIZE = 64,
+        SHA3_OUTSIZE   = 28,
+        /* size of input block */
+        SHA2_INSIZE     = 64,
+};
+
 #if defined CONFIG_FEATURE_USE_CNG_API
 struct bcrypt_hash_ctx_t {
         void *handle;
@@ -2399,6 +2431,7 @@ unsigned sha512_end(sha512_ctx_t *ctx, void *resbuf) FAST_FUNC;
 void sha3_begin(sha3_ctx_t *ctx) FAST_FUNC;
 void sha3_hash(sha3_ctx_t *ctx, const void *buffer, size_t len) FAST_FUNC;
 unsigned sha3_end(sha3_ctx_t *ctx, void *resbuf) FAST_FUNC;
+void FAST_FUNC sha256_block(const void *in, size_t len, uint8_t hash[32]);
 /* TLS benefits from knowing that sha1 and sha256 share these. Give them "agnostic" names too */
 #if defined CONFIG_FEATURE_USE_CNG_API
 typedef struct bcrypt_hash_ctx_t md5sha_ctx_t;
@@ -2409,13 +2442,35 @@ typedef struct md5_ctx_t md5sha_ctx_t;
 #define md5sha_hash md5_hash
 #define sha_end sha1_end
 #endif
-enum {
-        MD5_OUTSIZE    = 16,
-        SHA1_OUTSIZE   = 20,
-        SHA256_OUTSIZE = 32,
-        SHA512_OUTSIZE = 64,
-        SHA3_OUTSIZE   = 28,
-};
+
+/* RFC 2104 HMAC (hash-based message authentication code) */
+typedef struct hmac_ctx {
+        md5sha_ctx_t hashed_key_xor_ipad;
+        md5sha_ctx_t hashed_key_xor_opad;
+} hmac_ctx_t;
+#define HMAC_ONLY_SHA256 (!ENABLE_FEATURE_TLS_SHA1)
+typedef void md5sha_begin_func(md5sha_ctx_t *ctx) FAST_FUNC;
+#if HMAC_ONLY_SHA256
+#define hmac_begin(ctx,key,key_size,begin) \
+        hmac_begin(ctx,key,key_size)
+#endif
+void FAST_FUNC hmac_begin(hmac_ctx_t *ctx, const uint8_t *key, unsigned key_size, md5sha_begin_func *begin);
+static ALWAYS_INLINE void hmac_hash(hmac_ctx_t *ctx, const void *in, size_t len)
+{
+        md5sha_hash(&ctx->hashed_key_xor_ipad, in, len);
+}
+unsigned FAST_FUNC hmac_end(hmac_ctx_t *ctx, uint8_t *out);
+#if HMAC_ONLY_SHA256
+#define hmac_block(key,key_size,begin,in,sz,out) \
+        hmac_block(key,key_size,in,sz,out)
+#endif
+unsigned FAST_FUNC hmac_block(const uint8_t *key, unsigned key_size,
+                md5sha_begin_func *begin,
+                const void *in, unsigned sz,
+                uint8_t *out);
+/* HMAC helpers for TLS: */
+void FAST_FUNC hmac_hash_v(hmac_ctx_t *ctx, va_list va);
+unsigned FAST_FUNC hmac_peek_hash(hmac_ctx_t *ctx, uint8_t *out, ...);
 
 extern uint32_t *global_crc32_table;
 uint32_t *crc32_filltable(uint32_t *tbl256, int endian) FAST_FUNC;
diff --git a/include/usage.src.h b/include/usage.src.h
index 5d2038834..0881337f8 100644
--- a/include/usage.src.h
+++ b/include/usage.src.h
@@ -17,11 +17,11 @@
 #define scripted_trivial_usage NOUSAGE_STR
 #define scripted_full_usage ""
 
-#if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_SHA
-# define CRYPT_METHODS_HELP_STR "des,md5,sha256/512" \
+#if !ENABLE_USE_BB_CRYPT
+# define CRYPT_METHODS_HELP_STR "des,md5,sha256/512,yescrypt" \
         " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
 #else
-# define CRYPT_METHODS_HELP_STR "des,md5" \
+# define CRYPT_METHODS_HELP_STR "des,md5"IF_USE_BB_CRYPT_SHA(",sha256/512")IF_USE_BB_CRYPT_YES(",yescrypt") \
         " (default "CONFIG_FEATURE_DEFAULT_PASSWD_ALGO")"
 #endif
 
diff --git a/init/bootchartd.c b/init/bootchartd.c
index 0929890a3..a5447c6ad 100644
--- a/init/bootchartd.c
+++ b/init/bootchartd.c
@@ -133,7 +133,7 @@ static void dump_file(FILE *fp, const char *filename)
 static int dump_procs(FILE *fp, int look_for_login_process)
 {
         struct dirent *entry;
-        DIR *dir = opendir("/proc");
+        DIR *dir = xopendir("/proc");
         int found_login_process = 0;
 
         fputs(G.jiffy_line, fp);
diff --git a/libbb/bitops.c b/libbb/bitops.c
new file mode 100644
index 000000000..467e1a2d9
--- /dev/null
+++ b/libbb/bitops.c
@@ -0,0 +1,128 @@
+/*
+ * Utility routines.
+ *
+ * Copyright (C) 2025 by Denys Vlasenko <vda.linux@googlemail.com>
+ *
+ * Licensed under GPLv2, see file LICENSE in this source tree.
+ */
+//kbuild:lib-y += bitops.o
+
+#include "libbb.h"
+
+void FAST_FUNC xorbuf_3(void *dst, const void *src1, const void *src2, unsigned count)
+{
+        uint8_t *d = dst;
+        const uint8_t *s1 = src1;
+        const uint8_t *s2 = src2;
+#if BB_UNALIGNED_MEMACCESS_OK
+        while (count >= sizeof(long)) {
+                *(long*)d = *(long*)s1 ^ *(long*)s2;
+                count -= sizeof(long);
+                d += sizeof(long);
+                s1 += sizeof(long);
+                s2 += sizeof(long);
+        }
+#endif
+        while (count--)
+                *d++ = *s1++ ^ *s2++;
+}
+
+void FAST_FUNC xorbuf(void *dst, const void *src, unsigned count)
+{
+        xorbuf_3(dst, dst, src, count);
+}
+
+void FAST_FUNC xorbuf16_aligned_long(void *dst, const void *src)
+{
+#if defined(__SSE__) /* any x86_64 has it */
+        asm volatile(
+"\n             movups  (%0),%%xmm0"
+"\n             movups  (%1),%%xmm1"   // can't just xorps(%1),%%xmm0:
+"\n             xorps   %%xmm1,%%xmm0" // SSE requires 16-byte alignment
+"\n             movups  %%xmm0,(%0)"
+"\n"
+                : "=r" (dst), "=r" (src)
+                : "0" (dst), "1" (src)
+                : "xmm0", "xmm1", "memory"
+        );
+#else
+        unsigned long *d = dst;
+        const unsigned long *s = src;
+        d[0] ^= s[0];
+# if LONG_MAX <= 0x7fffffffffffffff
+        d[1] ^= s[1];
+#  if LONG_MAX == 0x7fffffff
+        d[2] ^= s[2];
+        d[3] ^= s[3];
+#  endif
+# endif
+#endif
+}
+// The above can be inlined in libbb.h, in a way where compiler
+// is even free to use better addressing modes than (%reg), and
+// to keep the result in a register
+// (to not store it to memory after each XOR):
+//#if defined(__SSE__)
+//#include <xmmintrin.h>
+//^^^ or just: typedef float __m128_u attribute((__vector_size__(16),__may_alias__,__aligned__(1)));
+//static ALWAYS_INLINE void xorbuf16_aligned_long(void *dst, const void *src)
+//{
+//      __m128_u xmm0, xmm1;
+//      asm volatile(
+//"\n           xorps   %1,%0"
+//              : "=x" (xmm0), "=x" (xmm1)
+//              : "0" (*(__m128_u*)dst), "1" (*(__m128_u*)src)
+//      );
+//      *(__m128_u*)dst = xmm0; // this store may be optimized out!
+//}
+//#endif
+// but I don't trust gcc optimizer enough to not generate some monstrosity.
+// See GMULT() function in TLS code as an example.
+
+void FAST_FUNC xorbuf64_3_aligned64(void *dst, const void *src1, const void *src2)
+{
+#if defined(__SSE__) /* any x86_64 has it */
+        asm volatile(
+"\n             movups  0*16(%1),%%xmm0"
+"\n             movups  0*16(%2),%%xmm1" // can't just xorps(%2),%%xmm0:
+"\n             xorps   %%xmm1,%%xmm0"   // SSE requires 16-byte alignment, we have only 8-byte
+"\n             movups  %%xmm0,0*16(%0)"
+"\n             movups  1*16(%1),%%xmm0"
+"\n             movups  1*16(%2),%%xmm1"
+"\n             xorps   %%xmm1,%%xmm0"
+"\n             movups  %%xmm0,1*16(%0)"
+"\n             movups  2*16(%1),%%xmm0"
+"\n             movups  2*16(%2),%%xmm1"
+"\n             xorps   %%xmm1,%%xmm0"
+"\n             movups  %%xmm0,2*16(%0)"
+"\n             movups  3*16(%1),%%xmm0"
+"\n             movups  3*16(%2),%%xmm1"
+"\n             xorps   %%xmm1,%%xmm0"
+"\n             movups  %%xmm0,3*16(%0)"
+"\n"
+                : "=r" (dst), "=r" (src1), "=r" (src2)
+                : "0" (dst), "1" (src1), "2" (src2)
+                : "xmm0", "xmm1", "memory"
+        );
+#else
+        long *d = dst;
+        const long *s1 = src1;
+        const long *s2 = src2;
+        unsigned count = 64 / sizeof(long);
+        do {
+                *d++ = *s1++ ^ *s2++;
+        } while (--count != 0);
+#endif
+}
+
+#if !BB_UNALIGNED_MEMACCESS_OK
+void FAST_FUNC xorbuf16(void *dst, const void *src)
+{
+#define p_aligned(a) (((uintptr_t)(a) & (sizeof(long)-1)) == 0)
+        if (p_aligned(src) && p_aligned(dst)) {
+                xorbuf16_aligned_long(dst, src);
+                return;
+        }
+        xorbuf_3(dst, dst, src, 16);
+}
+#endif
diff --git a/libbb/hash_hmac.c b/libbb/hash_hmac.c
new file mode 100644
index 000000000..9e48e0f51
--- /dev/null
+++ b/libbb/hash_hmac.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2025 Denys Vlasenko
+ *
+ * Licensed under GPLv2, see file LICENSE in this source tree.
+ */
+//kbuild:lib-$(CONFIG_TLS) += hash_hmac.o
+//kbuild:lib-$(CONFIG_USE_BB_CRYPT_YES) += hash_hmac.o
+
+#include "libbb.h"
+
+// RFC 2104:
+// HMAC(key, text) based on a hash H (say, sha256) is:
+// ipad = [0x36 x INSIZE]
+// opad = [0x5c x INSIZE]
+// HMAC(key, text) = H((key XOR opad) + H((key XOR ipad) + text))
+//
+// H(key XOR opad) and H(key XOR ipad) can be precomputed
+// if we often need HMAC hmac with the same key.
+//
+// text is often given in disjoint pieces.
+void FAST_FUNC hmac_begin(hmac_ctx_t *ctx, const uint8_t *key, unsigned key_size, md5sha_begin_func *begin)
+{
+#if HMAC_ONLY_SHA256
+#define begin sha256_begin
+#endif
+        uint8_t key_xor_ipad[SHA2_INSIZE];
+        uint8_t key_xor_opad[SHA2_INSIZE];
+        unsigned i;
+
+        // "The authentication key can be of any length up to INSIZE, the
+        // block length of the hash function.  Applications that use keys longer
+        // than INSIZE bytes will first hash the key using H and then use the
+        // resultant OUTSIZE byte string as the actual key to HMAC."
+        if (key_size > SHA2_INSIZE) {
+                uint8_t tempkey[SHA1_OUTSIZE < SHA256_OUTSIZE ? SHA256_OUTSIZE : SHA1_OUTSIZE];
+                /* use ctx->hashed_key_xor_ipad as scratch ctx */
+                begin(&ctx->hashed_key_xor_ipad);
+                md5sha_hash(&ctx->hashed_key_xor_ipad, key, key_size);
+                key_size = sha_end(&ctx->hashed_key_xor_ipad, tempkey);
+                key = tempkey;
+        }
+
+        for (i = 0; i < key_size; i++) {
+                key_xor_ipad[i] = key[i] ^ 0x36;
+                key_xor_opad[i] = key[i] ^ 0x5c;
+        }
+        for (; i < SHA2_INSIZE; i++) {
+                key_xor_ipad[i] = 0x36;
+                key_xor_opad[i] = 0x5c;
+        }
+
+        begin(&ctx->hashed_key_xor_ipad);
+        begin(&ctx->hashed_key_xor_opad);
+        md5sha_hash(&ctx->hashed_key_xor_ipad, key_xor_ipad, SHA2_INSIZE);
+        md5sha_hash(&ctx->hashed_key_xor_opad, key_xor_opad, SHA2_INSIZE);
+}
+#undef begin
+
+unsigned FAST_FUNC hmac_end(hmac_ctx_t *ctx, uint8_t *out)
+{
+        unsigned len = sha_end(&ctx->hashed_key_xor_ipad, out);
+        /* out = H((key XOR opad) + out) */
+        md5sha_hash(&ctx->hashed_key_xor_opad, out, len);
+        return sha_end(&ctx->hashed_key_xor_opad, out);
+}
+
+unsigned FAST_FUNC hmac_block(const uint8_t *key, unsigned key_size, md5sha_begin_func *begin, const void *in, unsigned sz, uint8_t *out)
+{
+        hmac_ctx_t ctx;
+        hmac_begin(&ctx, key, key_size, begin);
+        hmac_hash(&ctx, in, sz);
+        return hmac_end(&ctx, out);
+}
+
+/* TLS helpers */
+
+void FAST_FUNC hmac_hash_v(
+                hmac_ctx_t *ctx,
+                va_list va)
+{
+        uint8_t *in;
+
+        /* ctx->hashed_key_xor_ipad contains unclosed "H((key XOR ipad) +" state */
+        /* ctx->hashed_key_xor_opad contains unclosed "H((key XOR opad) +" state */
+
+        /* calculate out = H((key XOR ipad) + text) */
+        while ((in = va_arg(va, uint8_t*)) != NULL) {
+                unsigned size = va_arg(va, unsigned);
+                md5sha_hash(&ctx->hashed_key_xor_ipad, in, size);
+        }
+}
+
+/* Using HMAC state, make a copy of it (IOW: without affecting this state!)
+ * hash in the list of (ptr,size) blocks, and finish the HMAC to out[] buffer.
+ * This function is useful for TLS PRF.
+ */
+unsigned FAST_FUNC hmac_peek_hash(hmac_ctx_t *ctx, uint8_t *out, ...)
+{
+        hmac_ctx_t tmpctx = *ctx; /* struct copy */
+        va_list va;
+
+        va_start(va, out);
+        hmac_hash_v(&tmpctx, va);
+        va_end(va);
+
+        return hmac_end(&tmpctx, out);
+}
diff --git a/libbb/hash_sha256_block.c b/libbb/hash_sha256_block.c
new file mode 100644
index 000000000..3c4366321
--- /dev/null
+++ b/libbb/hash_sha256_block.c
@@ -0,0 +1,19 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * Utility routines.
+ *
+ * Copyright (C) 2025 Denys Vlasenko
+ *
+ * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+ */
+//kbuild:lib-y += hash_sha256_block.o
+#include "libbb.h"
+
+void FAST_FUNC
+sha256_block(const void *in, size_t len, uint8_t hash[32])
+{
+        sha256_ctx_t ctx;
+        sha256_begin(&ctx);
+        sha256_hash(&ctx, in, len);
+        sha256_end(&ctx, hash);
+}
diff --git a/libbb/hash_sha256_hwaccel_x86-32.S b/libbb/hash_sha256_hwaccel_x86-32.S
index a0e4a571a..8d84055e8 100644
--- a/libbb/hash_sha256_hwaccel_x86-32.S
+++ b/libbb/hash_sha256_hwaccel_x86-32.S
@@ -34,21 +34,21 @@
 #define MSG             %xmm0
 #define STATE0          %xmm1
 #define STATE1          %xmm2
-#define MSGTMP0         %xmm3
-#define MSGTMP1         %xmm4
-#define MSGTMP2         %xmm5
-#define MSGTMP3         %xmm6
+#define MSG0            %xmm3
+#define MSG1            %xmm4
+#define MSG2            %xmm5
+#define MSG3            %xmm6
 
 #define XMMTMP          %xmm7
 
-#define SHUF(a,b,c,d) $(a+(b<<2)+(c<<4)+(d<<6))
+#define SHUF(a,b,c,d) $((a)+((b)<<2)+((c)<<4)+((d)<<6))
 
         .balign 8       # allow decoders to fetch at least 2 first insns
 sha256_process_block64_shaNI:
 
-        movu128         76+0*16(%eax), XMMTMP /* ABCD (little-endian dword order) */
+        movu128         76+0*16(%eax), XMMTMP /* ABCD (shown least-significant-dword-first) */
         movu128         76+1*16(%eax), STATE1 /* EFGH */
-/* shufps takes dwords 0,1 from *2nd* operand, and dwords 2,3 from 1st one */
+/* shufps: dwords 0,1 of the result are selected from *2nd* operand, and dwords 2,3 from 1st operand */
         mova128         STATE1, STATE0
         /* ---          -------------- ABCD -- EFGH */
         shufps          SHUF(1,0,1,0), XMMTMP, STATE0 /* FEBA */
@@ -58,190 +58,208 @@ sha256_process_block64_shaNI:
         mova128         PSHUFFLE_BSWAP32_FLIP_MASK, XMMTMP
         movl            $K256+8*16, SHA256CONSTANTS
 
+// sha256rnds2 instruction uses only lower 64 bits of MSG.
+// The code below needs to move upper 64 bits to lower 64 bits
+// for the second sha256rnds2 invocation
+// (what remains in upper bits does not matter).
+// There are several ways to do it:
+// movhlps    MSG, MSG                // abcd -> cdcd (3 bytes of code)
+// shuf128_32 SHUF(2,3,n,n), MSG, MSG // abcd -> cdXX (4 bytes)
+// punpckhqdq MSG, MSG                // abcd -> cdcd (4 bytes)
+// unpckhpd   MSG, MSG                // abcd -> cdcd (4 bytes)
+// psrldq     $8, MSG                 // abcd -> cd00 (5 bytes)
+// palignr    $8, MSG, MSG            // abcd -> cdab (6 bytes, SSSE3 insn)
+#define MOVE_UPPER64_DOWN(reg) movhlps reg, reg
+//#define MOVE_UPPER64_DOWN(reg) shuf128_32 SHUF(2,3,0,0), reg, reg
+//#define MOVE_UPPER64_DOWN(reg) punpckhqdq reg, reg
+//#define MOVE_UPPER64_DOWN(reg) unpckhpd reg, reg
+//#define MOVE_UPPER64_DOWN(reg) psrldq $8, reg
+//#define MOVE_UPPER64_DOWN(reg) palignr $8, reg, reg
+
         /* Rounds 0-3 */
         movu128         0*16(DATA_PTR), MSG
         pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP0
+        mova128         MSG, MSG0
                 paddd           0*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
 
         /* Rounds 4-7 */
         movu128         1*16(DATA_PTR), MSG
         pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP1
+        mova128         MSG, MSG1
                 paddd           1*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
 
         /* Rounds 8-11 */
         movu128         2*16(DATA_PTR), MSG
         pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP2
+        mova128         MSG, MSG2
                 paddd           2*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
 
         /* Rounds 12-15 */
         movu128         3*16(DATA_PTR), MSG
         pshufb          XMMTMP, MSG
 /* ...to here */
-        mova128         MSG, MSGTMP3
+        mova128         MSG, MSG3
                 paddd           3*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
-        sha256msg2      MSGTMP3, MSGTMP0
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG3, XMMTMP
+        palignr         $4, MSG2, XMMTMP
+        paddd           XMMTMP, MSG0
+        sha256msg2      MSG3, MSG0
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
 
         /* Rounds 16-19 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                 paddd           4*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
-        sha256msg2      MSGTMP0, MSGTMP1
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG0, XMMTMP
+        palignr         $4, MSG3, XMMTMP
+        paddd           XMMTMP, MSG1
+        sha256msg2      MSG0, MSG1
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
 
         /* Rounds 20-23 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                 paddd           5*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
-        sha256msg2      MSGTMP1, MSGTMP2
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG1, XMMTMP
+        palignr         $4, MSG0, XMMTMP
+        paddd           XMMTMP, MSG2
+        sha256msg2      MSG1, MSG2
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
 
         /* Rounds 24-27 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                 paddd           6*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
-        sha256msg2      MSGTMP2, MSGTMP3
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG2, XMMTMP
+        palignr         $4, MSG1, XMMTMP
+        paddd           XMMTMP, MSG3
+        sha256msg2      MSG2, MSG3
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
 
         /* Rounds 28-31 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                 paddd           7*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
-        sha256msg2      MSGTMP3, MSGTMP0
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG3, XMMTMP
+        palignr         $4, MSG2, XMMTMP
+        paddd           XMMTMP, MSG0
+        sha256msg2      MSG3, MSG0
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
 
         /* Rounds 32-35 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                 paddd           8*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
-        sha256msg2      MSGTMP0, MSGTMP1
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG0, XMMTMP
+        palignr         $4, MSG3, XMMTMP
+        paddd           XMMTMP, MSG1
+        sha256msg2      MSG0, MSG1
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
 
         /* Rounds 36-39 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                 paddd           9*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
-        sha256msg2      MSGTMP1, MSGTMP2
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG1, XMMTMP
+        palignr         $4, MSG0, XMMTMP
+        paddd           XMMTMP, MSG2
+        sha256msg2      MSG1, MSG2
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
 
         /* Rounds 40-43 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                 paddd           10*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
-        sha256msg2      MSGTMP2, MSGTMP3
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG2, XMMTMP
+        palignr         $4, MSG1, XMMTMP
+        paddd           XMMTMP, MSG3
+        sha256msg2      MSG2, MSG3
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
 
         /* Rounds 44-47 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                 paddd           11*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
-        sha256msg2      MSGTMP3, MSGTMP0
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG3, XMMTMP
+        palignr         $4, MSG2, XMMTMP
+        paddd           XMMTMP, MSG0
+        sha256msg2      MSG3, MSG0
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
 
         /* Rounds 48-51 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                 paddd           12*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
-        sha256msg2      MSGTMP0, MSGTMP1
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG0, XMMTMP
+        palignr         $4, MSG3, XMMTMP
+        paddd           XMMTMP, MSG1
+        sha256msg2      MSG0, MSG1
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
 
         /* Rounds 52-55 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                 paddd           13*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
-        sha256msg2      MSGTMP1, MSGTMP2
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG1, XMMTMP
+        palignr         $4, MSG0, XMMTMP
+        paddd           XMMTMP, MSG2
+        sha256msg2      MSG1, MSG2
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
 
         /* Rounds 56-59 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                 paddd           14*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
-        sha256msg2      MSGTMP2, MSGTMP3
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG2, XMMTMP
+        palignr         $4, MSG1, XMMTMP
+        paddd           XMMTMP, MSG3
+        sha256msg2      MSG2, MSG3
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
 
         /* Rounds 60-63 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                 paddd           15*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
 
         /* Write hash values back in the correct order */
         mova128         STATE0, XMMTMP
-/* shufps takes dwords 0,1 from *2nd* operand, and dwords 2,3 from 1st one */
+/* shufps: dwords 0,1 of the result are selected from *2nd* operand, and dwords 2,3 from 1st operand */
         /* ---          -------------- HGDC -- FEBA */
         shufps          SHUF(3,2,3,2), STATE1, STATE0 /* ABCD */
         shufps          SHUF(1,0,1,0), STATE1, XMMTMP /* EFGH */
diff --git a/libbb/hash_sha256_hwaccel_x86-64.S b/libbb/hash_sha256_hwaccel_x86-64.S
index 172c2eae2..ee3abbd1f 100644
--- a/libbb/hash_sha256_hwaccel_x86-64.S
+++ b/libbb/hash_sha256_hwaccel_x86-64.S
@@ -34,24 +34,24 @@
 #define MSG             %xmm0
 #define STATE0          %xmm1
 #define STATE1          %xmm2
-#define MSGTMP0         %xmm3
-#define MSGTMP1         %xmm4
-#define MSGTMP2         %xmm5
-#define MSGTMP3         %xmm6
+#define MSG0            %xmm3
+#define MSG1            %xmm4
+#define MSG2            %xmm5
+#define MSG3            %xmm6
 
 #define XMMTMP          %xmm7
 
 #define SAVE0           %xmm8
 #define SAVE1           %xmm9
 
-#define SHUF(a,b,c,d) $(a+(b<<2)+(c<<4)+(d<<6))
+#define SHUF(a,b,c,d) $((a)+((b)<<2)+((c)<<4)+((d)<<6))
 
         .balign 8       # allow decoders to fetch at least 2 first insns
 sha256_process_block64_shaNI:
 
-        movu128         80+0*16(%rdi), XMMTMP /* ABCD (little-endian dword order) */
+        movu128         80+0*16(%rdi), XMMTMP /* ABCD (shown least-significant-dword-first) */
         movu128         80+1*16(%rdi), STATE1 /* EFGH */
-/* shufps takes dwords 0,1 from *2nd* operand, and dwords 2,3 from 1st one */
+/* shufps: dwords 0,1 of the result are selected from *2nd* operand, and dwords 2,3 from 1st operand */
         mova128         STATE1, STATE0
         /* ---          -------------- ABCD -- EFGH */
         shufps          SHUF(1,0,1,0), XMMTMP, STATE0 /* FEBA */
@@ -65,185 +65,203 @@ sha256_process_block64_shaNI:
         mova128         STATE0, SAVE0
         mova128         STATE1, SAVE1
 
+// sha256rnds2 instruction uses only lower 64 bits of MSG.
+// The code below needs to move upper 64 bits to lower 64 bits
+// for the second sha256rnds2 invocation
+// (what remains in upper bits does not matter).
+// There are several ways to do it:
+// movhlps    MSG, MSG                // abcd -> cdcd (3 bytes of code)
+// shuf128_32 SHUF(2,3,n,n), MSG, MSG // abcd -> cdXX (4 bytes)
+// punpckhqdq MSG, MSG                // abcd -> cdcd (4 bytes)
+// unpckhpd   MSG, MSG                // abcd -> cdcd (4 bytes)
+// psrldq     $8, MSG                 // abcd -> cd00 (5 bytes)
+// palignr    $8, MSG, MSG            // abcd -> cdab (6 bytes, SSSE3 insn)
+#define MOVE_UPPER64_DOWN(reg) movhlps reg, reg
+//#define MOVE_UPPER64_DOWN(reg) shuf128_32 SHUF(2,3,0,0), reg, reg
+//#define MOVE_UPPER64_DOWN(reg) punpckhqdq reg, reg
+//#define MOVE_UPPER64_DOWN(reg) unpckhpd reg, reg
+//#define MOVE_UPPER64_DOWN(reg) psrldq $8, reg
+//#define MOVE_UPPER64_DOWN(reg) palignr $8, reg, reg
+
         /* Rounds 0-3 */
         movu128         0*16(DATA_PTR), MSG
         pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP0
+        mova128         MSG, MSG0
                 paddd           0*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
 
         /* Rounds 4-7 */
         movu128         1*16(DATA_PTR), MSG
         pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP1
+        mova128         MSG, MSG1
                 paddd           1*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
 
         /* Rounds 8-11 */
         movu128         2*16(DATA_PTR), MSG
         pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP2
+        mova128         MSG, MSG2
                 paddd           2*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
 
         /* Rounds 12-15 */
         movu128         3*16(DATA_PTR), MSG
         pshufb          XMMTMP, MSG
 /* ...to here */
-        mova128         MSG, MSGTMP3
+        mova128         MSG, MSG3
                 paddd           3*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
-        sha256msg2      MSGTMP3, MSGTMP0
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG3, XMMTMP
+        palignr         $4, MSG2, XMMTMP
+        paddd           XMMTMP, MSG0
+        sha256msg2      MSG3, MSG0
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
 
         /* Rounds 16-19 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                 paddd           4*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
-        sha256msg2      MSGTMP0, MSGTMP1
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG0, XMMTMP
+        palignr         $4, MSG3, XMMTMP
+        paddd           XMMTMP, MSG1
+        sha256msg2      MSG0, MSG1
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
 
         /* Rounds 20-23 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                 paddd           5*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
-        sha256msg2      MSGTMP1, MSGTMP2
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG1, XMMTMP
+        palignr         $4, MSG0, XMMTMP
+        paddd           XMMTMP, MSG2
+        sha256msg2      MSG1, MSG2
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
 
         /* Rounds 24-27 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                 paddd           6*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
-        sha256msg2      MSGTMP2, MSGTMP3
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG2, XMMTMP
+        palignr         $4, MSG1, XMMTMP
+        paddd           XMMTMP, MSG3
+        sha256msg2      MSG2, MSG3
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
 
         /* Rounds 28-31 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                 paddd           7*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
-        sha256msg2      MSGTMP3, MSGTMP0
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG3, XMMTMP
+        palignr         $4, MSG2, XMMTMP
+        paddd           XMMTMP, MSG0
+        sha256msg2      MSG3, MSG0
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
 
         /* Rounds 32-35 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                 paddd           8*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
-        sha256msg2      MSGTMP0, MSGTMP1
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG0, XMMTMP
+        palignr         $4, MSG3, XMMTMP
+        paddd           XMMTMP, MSG1
+        sha256msg2      MSG0, MSG1
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
 
         /* Rounds 36-39 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                 paddd           9*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
-        sha256msg2      MSGTMP1, MSGTMP2
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG1, XMMTMP
+        palignr         $4, MSG0, XMMTMP
+        paddd           XMMTMP, MSG2
+        sha256msg2      MSG1, MSG2
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
 
         /* Rounds 40-43 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                 paddd           10*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
-        sha256msg2      MSGTMP2, MSGTMP3
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG2, XMMTMP
+        palignr         $4, MSG1, XMMTMP
+        paddd           XMMTMP, MSG3
+        sha256msg2      MSG2, MSG3
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
 
         /* Rounds 44-47 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                 paddd           11*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
-        sha256msg2      MSGTMP3, MSGTMP0
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG3, XMMTMP
+        palignr         $4, MSG2, XMMTMP
+        paddd           XMMTMP, MSG0
+        sha256msg2      MSG3, MSG0
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
 
         /* Rounds 48-51 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                 paddd           12*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
-        sha256msg2      MSGTMP0, MSGTMP1
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG0, XMMTMP
+        palignr         $4, MSG3, XMMTMP
+        paddd           XMMTMP, MSG1
+        sha256msg2      MSG0, MSG1
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
 
         /* Rounds 52-55 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                 paddd           13*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
-        sha256msg2      MSGTMP1, MSGTMP2
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG1, XMMTMP
+        palignr         $4, MSG0, XMMTMP
+        paddd           XMMTMP, MSG2
+        sha256msg2      MSG1, MSG2
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
 
         /* Rounds 56-59 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                 paddd           14*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
-        sha256msg2      MSGTMP2, MSGTMP3
-                shuf128_32      $0x0E, MSG, MSG
+        mova128         MSG2, XMMTMP
+        palignr         $4, MSG1, XMMTMP
+        paddd           XMMTMP, MSG3
+        sha256msg2      MSG2, MSG3
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
 
         /* Rounds 60-63 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                 paddd           15*16-8*16(SHA256CONSTANTS), MSG
                 sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                 sha256rnds2     MSG, STATE1, STATE0
 
         /* Add current hash values with previously saved */
@@ -252,7 +270,7 @@ sha256_process_block64_shaNI:
 
         /* Write hash values back in the correct order */
         mova128         STATE0, XMMTMP
-/* shufps takes dwords 0,1 from *2nd* operand, and dwords 2,3 from 1st one */
+/* shufps: dwords 0,1 of the result are selected from *2nd* operand, and dwords 2,3 from 1st operand */
         /* ---          -------------- HGDC -- FEBA */
         shufps          SHUF(3,2,3,2), STATE1, STATE0 /* ABCD */
         shufps          SHUF(1,0,1,0), STATE1, XMMTMP /* EFGH */
diff --git a/libbb/pw_ascii64.c b/libbb/pw_ascii64.c
new file mode 100644
index 000000000..3993932ca
--- /dev/null
+++ b/libbb/pw_ascii64.c
@@ -0,0 +1,91 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * Utility routines.
+ *
+ * Copyright (C) 1999-2004 by Erik Andersen <andersen@codepoet.org>
+ *
+ * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+ */
+
+/* Returns >=64 for invalid chars */
+int FAST_FUNC a2i64(char c)
+{
+        unsigned char ch = c;
+        if (ch >= 'a')
+                /* "a..z" to 38..63 */
+                /* anything after "z": positive int >= 64 */
+                return (ch - 'a' + 38);
+
+        if (ch > 'Z')
+                /* after "Z" but before "a": positive byte >= 64 */
+                return ch;
+
+        if (ch >= 'A')
+                /* "A..Z" to 12..37 */
+                return (ch - 'A' + 12);
+
+        if (ch > '9')
+                return 64;
+
+        /* "./0123456789" to 0,1,2..11 */
+        /* anything before "." becomes positive byte >= 64 */
+        return (unsigned char)(ch - '.');
+}
+
+/* 0..63 ->
+ * "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+ */
+int FAST_FUNC i2a64(int i)
+{
+        i &= 0x3f;
+
+        i += '.';
+        /* the above maps 0..11 to "./0123456789":
+         * ACSII codes of "./" are ('0'-2) and ('0'-1) */
+
+        if (i > '9')
+                i += ('A' - '9' - 1);
+        if (i > 'Z')
+                i += ('a' - 'Z' - 1);
+        return i;
+}
+
+char* FAST_FUNC
+num2str64_lsb_first(char *s, unsigned v, int n)
+{
+        while (--n >= 0) {
+                *s++ = i2a64(v);
+                v >>= 6;
+        }
+        return s;
+}
+
+static void
+num2str64_4chars_msb_first(char *s, unsigned v)
+{
+        *s++ = i2a64(v >> 18); /* bits 23..18 */
+        *s++ = i2a64(v >> 12); /* bits 17..12 */
+        *s++ = i2a64(v >> 6); /* bits 11..6 */
+        *s   = i2a64(v); /* bits 5..0 */
+}
+
+int FAST_FUNC crypt_make_rand64encoded(char *p, int cnt /*, int x */)
+{
+        /* was: x += ... */
+        unsigned x = getpid() + monotonic_us();
+        do {
+                /* x = (x*1664525 + 1013904223) % 2^32 generator is lame
+                 * (low-order bit is not "random", etc...),
+                 * but for our purposes it is good enough */
+                x = x*1664525 + 1013904223;
+                /* BTW, Park and Miller's "minimal standard generator" is
+                 * x = x*16807 % ((2^31)-1)
+                 * It has no problem with visibly alternating lowest bit
+                 * but is also weak in cryptographic sense + needs div,
+                 * which needs more code (and slower) on many CPUs */
+                *p++ = i2a64(x >> 16);
+                *p++ = i2a64(x >> 22);
+        } while (--cnt);
+        *p = '\0';
+        return x;
+}
diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c
index 3463fd95b..93653de9f 100644
--- a/libbb/pw_encrypt.c
+++ b/libbb/pw_encrypt.c
@@ -13,48 +13,11 @@
 #endif
 #include "libbb.h"
 
-/* static const uint8_t ascii64[] ALIGN1 =
- * "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
- */
-
-static int i64c(int i)
-{
-        i &= 0x3f;
-        if (i == 0)
-                return '.';
-        if (i == 1)
-                return '/';
-        if (i < 12)
-                return ('0' - 2 + i);
-        if (i < 38)
-                return ('A' - 12 + i);
-        return ('a' - 38 + i);
-}
-
-int FAST_FUNC crypt_make_salt(char *p, int cnt /*, int x */)
-{
-        /* was: x += ... */
-        unsigned x = getpid() + monotonic_us();
-        do {
-                /* x = (x*1664525 + 1013904223) % 2^32 generator is lame
-                 * (low-order bit is not "random", etc...),
-                 * but for our purposes it is good enough */
-                x = x*1664525 + 1013904223;
-                /* BTW, Park and Miller's "minimal standard generator" is
-                 * x = x*16807 % ((2^31)-1)
-                 * It has no problem with visibly alternating lowest bit
-                 * but is also weak in cryptographic sense + needs div,
-                 * which needs more code (and slower) on many CPUs */
-                *p++ = i64c(x >> 16);
-                *p++ = i64c(x >> 22);
-        } while (--cnt);
-        *p = '\0';
-        return x;
-}
+#include "pw_ascii64.c"
 
 char* FAST_FUNC crypt_make_pw_salt(char salt[MAX_PW_SALT_LEN], const char *algo)
 {
-        int len = 2/2;
+        int len = 2 / 2;
         char *salt_ptr = salt;
 
         /* Standard chpasswd uses uppercase algos ("MD5", not "md5").
@@ -67,28 +30,61 @@ char* FAST_FUNC crypt_make_pw_salt(char salt[MAX_PW_SALT_LEN], const char *algo)
                 *salt_ptr++ = '$';
 #if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_SHA
                 if ((algo[0]|0x20) == 's') { /* sha */
-                        salt[1] = '5' + (strcasecmp(algo, "sha512") == 0);
-                        len = 16/2;
+                        salt[1] = '5' + (strncasecmp(algo, "sha512", 6) == 0);
+                        len = 16 / 2;
+                }
+#endif
+#if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_YES
+                if ((algo[0]|0x20) == 'y') { /* yescrypt */
+                        int rnd;
+                        salt[1] = 'y';
+// The "j9T$" below is the default "yescrypt parameters" encoded by yescrypt_encode_params_r():
+//shadow-4.17.4/src/passwd.c
+//      salt = crypt_make_salt(NULL, NULL);
+//shadow-4.17.4/lib/salt.c
+//const char *crypt_make_salt(const char *meth, void *arg)
+//      if (streq(method, "YESCRYPT")) {
+//              MAGNUM(result, 'y');
+//              salt_len = YESCRYPT_SALT_SIZE; // 24
+//              rounds = YESCRYPT_get_salt_cost(arg);  // always Y_COST_DEFAULT == 5 for NULL arg
+//              YESCRYPT_salt_cost_to_buf(result, rounds); // always "j9T$"
+//      char *retval = crypt_gensalt(result, rounds, NULL, 0);
+//libxcrypt-4.4.38/lib/crypt-yescrypt.c
+//void gensalt_yescrypt_rn (unsigned long count,
+//                     const uint8_t *rbytes, size_t nrbytes,
+//                     uint8_t *output, size_t o_size)
+//  yescrypt_params_t params = {
+//    .flags = YESCRYPT_DEFAULTS,
+//    .p = 1,
+//  };
+//  if (count < 3) ... else
+//      params.r = 32;                  // N in 4KiB
+//      params.N = 1ULL << (count + 7); // 3 -> 1024, 4 -> 2048, ... 11 -> 262144
+//  yescrypt_encode_params_r(&params, rbytes, nrbytes, outbuf, o_size) // always "$y$j9T$<random>"
+                        len = 22 / 2;
+                        salt_ptr = stpcpy(salt_ptr, "j9T$");
+                        /* append 2*len random chars */
+                        rnd = crypt_make_rand64encoded(salt_ptr, len);
+                        /* fix up last char: it must be in 0..3 range (encoded as one of "./01").
+                         * IOW: salt_ptr[20..21] encode 16th random byte, must not be > 0xff.
+                         * Without this, we can generate salts which are rejected
+                         * by implementations with more strict salt length check.
+                         */
+                        salt_ptr[21] = i2a64(rnd & 3);
+                        /* For "mkpasswd -m yescrypt PASS j9T$<salt>" use case,
+                         * "j9T$" is considered part of salt,
+                         * need to return pointer to 'j'. Without -4,
+                         * we'd end up using "j9T$j9T$<salt>" as salt.
+                         */
+                        return salt_ptr - 4;
                 }
 #endif
         }
-        crypt_make_salt(salt_ptr, len);
+        crypt_make_rand64encoded(salt_ptr, len); /* appends 2*len random chars */
         return salt_ptr;
 }
 
 #if ENABLE_USE_BB_CRYPT
-
-static char*
-to64(char *s, unsigned v, int n)
-{
-        while (--n >= 0) {
-                /* *s++ = ascii64[v & 0x3f]; */
-                *s++ = i64c(v);
-                v >>= 6;
-        }
-        return s;
-}
-
 /*
  * DES and MD5 crypt implementations are taken from uclibc.
  * They were modified to not use static buffers.
@@ -99,6 +95,9 @@ to64(char *s, unsigned v, int n)
 #if ENABLE_USE_BB_CRYPT_SHA
 #include "pw_encrypt_sha.c"
 #endif
+#if ENABLE_USE_BB_CRYPT_YES
+#include "pw_encrypt_yes.c"
+#endif
 
 /* Other advanced crypt ids (TODO?): */
 /* $2$ or $2a$: Blowfish */
@@ -109,7 +108,7 @@ static struct des_ctx *des_ctx;
 /* my_crypt returns malloc'ed data */
 static char *my_crypt(const char *key, const char *salt)
 {
-        /* MD5 or SHA? */
+        /* "$x$...." string? */
         if (salt[0] == '$' && salt[1] && salt[2] == '$') {
                 if (salt[1] == '1')
                         return md5_crypt(xzalloc(MD5_OUT_BUFSIZE), (unsigned char*)key, (unsigned char*)salt);
@@ -117,6 +116,10 @@ static char *my_crypt(const char *key, const char *salt)
                 if (salt[1] == '5' || salt[1] == '6')
                         return sha_crypt((char*)key, (char*)salt);
 #endif
+#if ENABLE_USE_BB_CRYPT_YES
+                if (salt[1] == 'y')
+                        return yes_crypt(key, salt);
+#endif
         }
 
         if (!des_cctx)
diff --git a/libbb/pw_encrypt_des.c b/libbb/pw_encrypt_des.c
index fe8237cfe..ca8aa9bcc 100644
--- a/libbb/pw_encrypt_des.c
+++ b/libbb/pw_encrypt_des.c
@@ -186,39 +186,9 @@ static const uint8_t pbox[32] ALIGN1 = {
          2,  8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25
 };
 
-static const uint32_t bits32[32] ALIGN4 = {
-        0x80000000, 0x40000000, 0x20000000, 0x10000000,
-        0x08000000, 0x04000000, 0x02000000, 0x01000000,
-        0x00800000, 0x00400000, 0x00200000, 0x00100000,
-        0x00080000, 0x00040000, 0x00020000, 0x00010000,
-        0x00008000, 0x00004000, 0x00002000, 0x00001000,
-        0x00000800, 0x00000400, 0x00000200, 0x00000100,
-        0x00000080, 0x00000040, 0x00000020, 0x00000010,
-        0x00000008, 0x00000004, 0x00000002, 0x00000001
-};
-
 static const uint8_t bits8[8] ALIGN1 = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
 
 
-static int
-ascii_to_bin(char ch)
-{
-        if (ch > 'z')
-                return 0;
-        if (ch >= 'a')
-                return (ch - 'a' + 38);
-        if (ch > 'Z')
-                return 0;
-        if (ch >= 'A')
-                return (ch - 'A' + 12);
-        if (ch > '9')
-                return 0;
-        if (ch >= '.')
-                return (ch - '.');
-        return 0;
-}
-
-
 /* Static stuff that stays resident and doesn't change after
  * being initialized, and therefore doesn't need to be made
  * reentrant. */
@@ -354,11 +324,18 @@ des_init(struct des_ctx *ctx, const struct const_des_ctx *cctx)
         int i, j, b, k, inbit, obit;
         uint32_t p;
         const uint32_t *bits28, *bits24;
+        uint32_t bits32[32];
 
         if (!ctx)
                 ctx = xmalloc(sizeof(*ctx));
         const_ctx = cctx;
 
+        p = 0x80000000U;
+        for (i = 0; p; i++) {
+                bits32[i] = p;
+                p >>= 1;
+        }
+
 #if USE_REPETITIVE_SPEEDUP
         old_rawkey0 = old_rawkey1 = 0;
         old_salt = 0;
@@ -694,21 +671,6 @@ do_des(struct des_ctx *ctx, /*uint32_t l_in, uint32_t r_in,*/ uint32_t *l_out, u
 
 #define DES_OUT_BUFSIZE 21
 
-static void
-to64_msb_first(char *s, unsigned v)
-{
-#if 0
-        *s++ = ascii64[(v >> 18) & 0x3f]; /* bits 23..18 */
-        *s++ = ascii64[(v >> 12) & 0x3f]; /* bits 17..12 */
-        *s++ = ascii64[(v >> 6) & 0x3f]; /* bits 11..6 */
-        *s   = ascii64[v & 0x3f]; /* bits 5..0 */
-#endif
-        *s++ = i64c(v >> 18); /* bits 23..18 */
-        *s++ = i64c(v >> 12); /* bits 17..12 */
-        *s++ = i64c(v >> 6); /* bits 11..6 */
-        *s   = i64c(v); /* bits 5..0 */
-}
-
 static char *
 NOINLINE
 des_crypt(struct des_ctx *ctx, char output[DES_OUT_BUFSIZE],
@@ -740,44 +702,28 @@ des_crypt(struct des_ctx *ctx, char output[DES_OUT_BUFSIZE],
          */
         output[0] = salt_str[0];
         output[1] = salt_str[1];
-        salt = (ascii_to_bin(salt_str[1]) << 6)
-             |  ascii_to_bin(salt_str[0]);
+
+        salt = a2i64(salt_str[0]);
+        if (salt >= 64)
+                return NULL; /* bad salt char */
+        salt |= (a2i64(salt_str[1]) << 6);
+        if (salt >= (64 << 6))
+                return NULL; /* bad salt char */
         setup_salt(ctx, salt); /* set ctx->saltbits for do_des() */
 
         /* Do it. */
         do_des(ctx, /*0, 0,*/ &r0, &r1, 25 /* count */);
 
         /* Now encode the result. */
-#if 0
-{
-        uint32_t l = (r0 >> 8);
-        q = (uint8_t *)output + 2;
-        *q++ = ascii64[(l >> 18) & 0x3f]; /* bits 31..26 of r0 */
-        *q++ = ascii64[(l >> 12) & 0x3f]; /* bits 25..20 of r0 */
-        *q++ = ascii64[(l >> 6) & 0x3f]; /* bits 19..14 of r0 */
-        *q++ = ascii64[l & 0x3f]; /* bits 13..8 of r0 */
-        l = ((r0 << 16) | (r1 >> 16));
-        *q++ = ascii64[(l >> 18) & 0x3f]; /* bits 7..2 of r0 */
-        *q++ = ascii64[(l >> 12) & 0x3f]; /* bits 1..2 of r0 and 31..28 of r1 */
-        *q++ = ascii64[(l >> 6) & 0x3f]; /* bits 27..22 of r1 */
-        *q++ = ascii64[l & 0x3f]; /* bits 21..16 of r1 */
-        l = r1 << 2;
-        *q++ = ascii64[(l >> 12) & 0x3f]; /* bits 15..10 of r1 */
-        *q++ = ascii64[(l >> 6) & 0x3f]; /* bits 9..4 of r1 */
-        *q++ = ascii64[l & 0x3f]; /* bits 3..0 of r1 + 00 */
-        *q = 0;
-}
-#else
         /* Each call takes low-order 24 bits and stores 4 chars */
         /* bits 31..8 of r0 */
-        to64_msb_first(output + 2, (r0 >> 8));
+        num2str64_4chars_msb_first(output + 2, (r0 >> 8));
         /* bits 7..0 of r0 and 31..16 of r1 */
-        to64_msb_first(output + 6, (r0 << 16) | (r1 >> 16));
+        num2str64_4chars_msb_first(output + 6, (r0 << 16) | (r1 >> 16));
         /* bits 15..0 of r1 and two zero bits (plus extra zero byte) */
-        to64_msb_first(output + 10, (r1 << 8));
+        num2str64_4chars_msb_first(output + 10, (r1 << 8));
         /* extra zero byte is encoded as '.', fixing it */
         output[13] = '\0';
-#endif
 
         return output;
 }
diff --git a/libbb/pw_encrypt_md5.c b/libbb/pw_encrypt_md5.c
index 1e52ecaea..92d039f96 100644
--- a/libbb/pw_encrypt_md5.c
+++ b/libbb/pw_encrypt_md5.c
@@ -149,9 +149,9 @@ md5_crypt(char result[MD5_OUT_BUFSIZE], const unsigned char *pw, const unsigned
         final[16] = final[5];
         for (i = 0; i < 5; i++) {
                 unsigned l = (final[i] << 16) | (final[i+6] << 8) | final[i+12];
-                p = to64(p, l, 4);
+                p = num2str64_lsb_first(p, l, 4);
         }
-        p = to64(p, final[11], 2);
+        p = num2str64_lsb_first(p, final[11], 2);
         *p = '\0';
 
         /* Don't leave anything around in vm they could use. */
diff --git a/libbb/pw_encrypt_sha.c b/libbb/pw_encrypt_sha.c
index 5457d7ab6..695a5c07f 100644
--- a/libbb/pw_encrypt_sha.c
+++ b/libbb/pw_encrypt_sha.c
@@ -84,8 +84,7 @@ sha_crypt(/*const*/ char *key_data, /*const*/ char *salt_data)
            as a scratch space later. */
         salt_data = xstrndup(salt_data, salt_len);
         /* add "salt$" to result */
-        strcpy(resptr, salt_data);
-        resptr += salt_len;
+        resptr = stpcpy(resptr, salt_data);
         *resptr++ = '$';
         /* key data doesn't need much processing */
         key_len = strlen(key_data);
@@ -198,7 +197,7 @@ sha_crypt(/*const*/ char *key_data, /*const*/ char *salt_data)
 #define b64_from_24bit(B2, B1, B0, N) \
 do { \
         unsigned w = ((B2) << 16) | ((B1) << 8) | (B0); \
-        resptr = to64(resptr, w, N); \
+        resptr = num2str64_lsb_first(resptr, w, N); \
 } while (0)
         if (_32or64 == 32) { /* sha256 */
                 unsigned i = 0;
diff --git a/libbb/pw_encrypt_yes.c b/libbb/pw_encrypt_yes.c
new file mode 100644
index 000000000..50bd06418
--- /dev/null
+++ b/libbb/pw_encrypt_yes.c
@@ -0,0 +1,24 @@
+/*
+ * Utility routines.
+ *
+ * Copyright (C) 2025 by Denys Vlasenko <vda.linux@googlemail.com>
+ *
+ * Licensed under GPLv2, see file LICENSE in this source tree.
+ */
+#include "yescrypt/alg-yescrypt.h"
+
+static char *
+yes_crypt(const char *passwd, const char *salt_data)
+{
+        /* prefix, '$', hash, NUL */
+        char buf[YESCRYPT_PREFIX_LEN + 1 + YESCRYPT_HASH_LEN + 1];
+        char *retval;
+
+        retval = yescrypt_r(
+                        (const uint8_t *)passwd, strlen(passwd),
+                        (const uint8_t *)salt_data,
+                        buf, sizeof(buf));
+        /* The returned value is either buf[], or NULL on error */
+
+        return xstrdup(retval);
+}
diff --git a/libbb/yescrypt/Kbuild.src b/libbb/yescrypt/Kbuild.src
new file mode 100644
index 000000000..a61211a29
--- /dev/null
+++ b/libbb/yescrypt/Kbuild.src
@@ -0,0 +1,9 @@
+# Makefile for busybox
+#
+# Copyright (C) 2025 by Denys Vlasenko <vda.linux@googlemail.com>
+#
+# Licensed under GPLv2, see file LICENSE in this source tree.
+
+lib-y:=
+
+INSERT
diff --git a/libbb/yescrypt/PARAMETERS b/libbb/yescrypt/PARAMETERS
new file mode 100644
index 000000000..d9f5d24e6
--- /dev/null
+++ b/libbb/yescrypt/PARAMETERS
@@ -0,0 +1,196 @@
+        Optimal yescrypt configuration.
+
+yescrypt is very flexible, but configuring it optimally is complicated.
+Here are some guidelines to simplify near-optimal configuration.  We
+start by listing the parameters and their typical values, and then give
+currently recommended parameter sets by use case.
+
+
+        Parameters and their typical values.
+
+Set flags (yescrypt flavor) to YESCRYPT_DEFAULTS to use the currently
+recommended flavor.  (Other flags values exist for compatibility and for
+specialized cases where you think you know what you're doing.)
+
+Set N (block count) based on target memory usage and running time, as
+well as on the value of r (block size in 128 byte units).  N must be a
+power of two.
+
+Set r (block size) to 8 (so that N is in KiB, which is convenient) or to
+another small value (if more optimal or for fine-tuning of the total
+size and/or running time).  Reasonable values for r are from 8 to 96.
+
+Set p (parallelism) to 1 meaning no thread-level parallelism within one
+computation of yescrypt.  (Use of thread-level parallelism within
+yescrypt makes sense for ROM initialization and for key derivation at
+high memory usage, but usually not for password hashing where
+parallelism is available through concurrent authentication attempts.
+Don't use p > 1 unnecessarily.)
+
+Set t (time) to 0 to use the optimal running time for a given memory
+usage.  This will allow you to maximize the memory usage (the value of
+N*r) while staying within your running time constraints.  (Non-zero t
+makes sense in specialized cases where you can't afford higher memory
+usage but can afford more time.)
+
+Set g (upgrades) to 0 because there have been no hash upgrades yet.
+
+Set NROM (block count of ROM) to 0 unless you use a ROM (see below).
+NROM must be a power of two.
+
+
+        Password hashing for user authentication, no ROM.
+
+Small and fast (memory usage 2 MiB, performance like bcrypt cost 2^5 -
+latency 2-3 ms and throughput 10,000+ per second on a 16-core server):
+
+flags = YESCRYPT_DEFAULTS, N = 2048, r = 8, p = 1, t = 0, g = 0, NROM = 0
+
+Large and slow (memory usage 16 MiB, performance like bcrypt cost 2^8 -
+latency 10-30 ms and throughput 1000+ per second on a 16-core server):
+
+flags = YESCRYPT_DEFAULTS, N = 4096, r = 32, p = 1, t = 0, g = 0, NROM = 0
+
+Of course, even heavier and slower settings are possible, if affordable.
+Simply double the value of N as many times as needed.  Since N must be a
+power of two, you may use r (in the range of 8 to 32) or/and t (in the
+range of 0 to 2) for fine-tuning the running time, but first bring N to
+the maximum you can afford.  If this feels too complicated, just use one
+of the two parameter sets given above (preferably the second) as-is.
+
+
+        Password hashing for user authentication, with ROM.
+
+It's similar to the above, except that you need to adjust r, set NROM,
+and initialize the ROM.
+
+First decide on a ROM size, such as making it a large portion of your
+dedicated authentication servers' RAM sizes.  Since NROM (block count)
+must be a power of two, you might need to choose r (block size) based on
+how your desired ROM size corresponds to a power of two.  Also tuning
+for performance on current hardware, you'll likely end up with r in the
+range from slightly below 16 to 32.  For example, to use 15/16 of a
+server's 256 GiB RAM as ROM (thus, making it 240 GiB), you could use
+r=15 or r=30.  To use 23/24 of a server's 384 GiB RAM as ROM (thus,
+making it 368 GiB), you'd use r=23.  Then set NROM to your desired ROM
+size in KiB divided by 128*r.  Note that these examples might (or might
+not) be too extreme, leaving little memory for the rest of the system.
+You could as well opt for 7/8 with r=14 or 11/12 with r=11 or r=22.
+
+Note that higher r may make placing of ROM in e.g. NVMe flash memory
+instead of in RAM more reasonable (or less unreasonable) than it would
+have been with a lower r.  If this is a concern as it relates to
+possible attacks and you do not intend to ever do it defensively, you
+might want to keep r lower (e.g., prefer r=15 over r=30 in the example
+above, even if 30 performs slightly faster).
+
+Your adjustments to r, if you deviate from powers of two, will also
+result in weirder memory usage per hash.  Like 1.75 MiB at r=14 instead
+of 2 MiB at r=8 that you would have used without a ROM.  That's OK.
+
+For ROM initialization, which you do with yescrypt_init_shared(), use
+the same r and NROM that you'd later use for password hashing, choose p
+based on your servers' physical and/or logical CPU count (maybe
+considering eventual upgrades as you won't be able to change this later,
+but without going unnecessarily high - e.g., p=28, p=56, or p=112 make
+sense on servers that currently have 28 physical / 56 logical CPUs), and
+set the rest of the parameters to:
+
+flags = YESCRYPT_DEFAULTS, N = 0, t = 0, g = 0
+
+N is set to 0 because it isn't relevant during ROM initialization (you
+can use different values of N for hashing passwords with the same ROM).
+
+To keep the ROM in e.g. SysV shared memory and reuse it across your
+authentication service restarts, you'd need to allocate the memory and
+set the flags to "YESCRYPT_DEFAULTS | YESCRYPT_SHARED_PREALLOCATED".
+
+For actual password hashing, you'd use your chosen values for N, r,
+NROM, and set the rest of the parameters to:
+
+flags = YESCRYPT_DEFAULTS, p = 1, t = 0, g = 0
+
+Note that although you'd use a large p for ROM initialization, you
+should use p=1 for actual password hashing like you would without a ROM.
+
+Do not forget to pass the ROM into the actual password hashing (and keep
+r and NROM set accordingly).
+
+Since N must be a power of two and r is dependent on ROM size, you may
+use t (in the range of 0 to 2) for fine-tuning the running time, but
+first bring N to the maximum you can afford.
+
+If this feels too complicated, or even if it doesn't, please consider
+engaging Openwall for your yescrypt deployment.  We'd be happy to help.
+
+
+        Password-based key derivation.
+
+(Or rather passphrase-based.)
+
+Use settings similar to those for password hashing without a ROM, but
+adjusted for higher memory usage and running time, and optionally with
+thread-level parallelism.
+
+Small and fast (memory usage 128 MiB, running time under 100 ms on a
+fast desktop):
+
+flags = YESCRYPT_DEFAULTS, N = 32768, r = 32, p = 1, t = 0, g = 0, NROM = 0
+
+Large and fast (memory usage 1 GiB, running time under 200 ms on a fast
+quad-core desktop not including memory allocation overhead, under 250 ms
+with the overhead included), but requires build with OpenMP support (or
+otherwise will run as slow as yet be weaker than its p=1 alternative):
+
+flags = YESCRYPT_DEFAULTS, N = 262144, r = 32, p = 4, t = 0, g = 0, NROM = 0
+
+Large and slower (memory usage 1 GiB, running time under 300 ms on a
+fast quad-core desktop not including memory allocation overhead, under
+350 ms with the overhead included), also requires build with OpenMP
+support (or otherwise will run slower than the p=1 alternative below):
+
+flags = YESCRYPT_DEFAULTS, N = 262144, r = 32, p = 4, t = 2, g = 0, NROM = 0
+
+Large and slow (memory usage 1 GiB, running time under 600 ms on a fast
+desktop not including memory allocation overhead, under 650 ms with the
+overhead included):
+
+flags = YESCRYPT_DEFAULTS, N = 262144, r = 32, p = 1, t = 0, g = 0, NROM = 0
+
+Just like with password hashing, even heavier and slower settings are
+possible, if affordable, and you achieve them by adjusting N, r, t in
+the same way and in the same preferred ranges (please see the section on
+password hashing without a ROM, above).  Unlike with password hashing,
+it makes some sense to go above t=2 if you expect that your users might
+not be able to afford more memory but can afford more time.  However,
+increasing the memory usage provides better protection, and we don't
+recommend forcing your users to wait for more than 1 second as they
+could as well type more characters in that time.  If this feels too
+complicated, just use one of the above parameter sets as-is.
+
+
+        Amortization of memory allocation overhead.
+
+It takes a significant fraction of yescrypt's total running time to
+allocate memory from the operating system, especially considering that
+the kernel zeroizes the memory before handing it over to your program.
+
+Unless you naturally need to compute yescrypt just once per process, you
+may achieve greater efficiency by fully using advanced yescrypt APIs
+that let you preserve and reuse the memory allocation across yescrypt
+invocations.  This is done by reusing the structure pointed to by the
+"yescrypt_local_t *local" argument of yescrypt_r() or yescrypt_kdf()
+without calling yescrypt_free_local() inbetween the repeated invocations
+of yescrypt.
+
+
+        YESCRYPT_DEFAULTS macro.
+
+Please note that the value of the YESCRYPT_DEFAULTS macro might change
+later, so if you use the macro like it's recommended here then for
+results reproducible across versions you might need to store its value
+somewhere along with the hashes or the encrypted data.
+
+If you use yescrypt's standard hash string encoding, then yescrypt
+already encodes and decodes this value for you, so you don't need to
+worry about this.
diff --git a/libbb/yescrypt/README b/libbb/yescrypt/README
new file mode 100644
index 000000000..c1011c56a
--- /dev/null
+++ b/libbb/yescrypt/README
@@ -0,0 +1,4 @@
+The yescrypt code in this directory is adapted from libxcrypt-4.4.38
+with minimal edits, hopefully making it easier to track
+backports by resetting the tree to the commit which created this file,
+then comparing changes in upstream libxcrypt to the tree.
diff --git a/libbb/yescrypt/alg-sha256.c b/libbb/yescrypt/alg-sha256.c
new file mode 100644
index 000000000..20e8d1ee4
--- /dev/null
+++ b/libbb/yescrypt/alg-sha256.c
@@ -0,0 +1,86 @@
+/*-
+ * Copyright 2005-2016 Colin Percival
+ * Copyright 2016-2018,2021 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/**
+ * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
+ * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
+ * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
+ */
+static void
+PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen,
+                const uint8_t *salt, size_t saltlen,
+                uint64_t c, uint8_t *buf, size_t dkLen)
+{
+        hmac_ctx_t Phctx, PShctx;
+        uint32_t i;
+
+        /* Compute HMAC state after processing P. */
+        hmac_begin(&Phctx, passwd, passwdlen, sha256_begin);
+
+        /* Compute HMAC state after processing P and S. */
+        PShctx = Phctx;
+        hmac_hash(&PShctx, salt, saltlen);
+
+        /* Iterate through the blocks. */
+        for (i = 0; dkLen != 0; ) {
+                uint64_t U[32 / 8];
+                uint64_t T[32 / 8];
+                uint64_t j;
+                uint32_t ivec;
+                size_t clen;
+                int k;
+
+                /* Generate INT(i). */
+                i++;
+                ivec = SWAP_BE32(i);
+
+                /* Compute U_1 = PRF(P, S || INT(i)). */
+                hmac_peek_hash(&PShctx, (void*)T, &ivec, 4, NULL);
+//TODO: the above is a vararg function, might incur some ABI pain
+//does libbb need a non-vararg version with just one (buf,len)?
+
+                if (c > 1) {
+                        /* T_i = U_1 ... */
+                        memcpy(U, T, 32);
+                        for (j = 2; j <= c; j++) {
+                                /* Compute U_j. */
+                                hmac_peek_hash(&Phctx, (void*)U, U, 32, NULL);
+                                /* ... xor U_j ... */
+                                for (k = 0; k < 32 / 8; k++)
+                                        T[k] ^= U[k];
+                                //TODO: xorbuf32_aligned_long(T, U);
+                        }
+                }
+
+                /* Copy as many bytes as necessary into buf. */
+                clen = dkLen;
+                if (clen > 32)
+                        clen = 32;
+                buf = mempcpy(buf, T, clen);
+                dkLen -= clen;
+        }
+}
diff --git a/libbb/yescrypt/alg-yescrypt-common.c b/libbb/yescrypt/alg-yescrypt-common.c
new file mode 100644
index 000000000..c51823787
--- /dev/null
+++ b/libbb/yescrypt/alg-yescrypt-common.c
@@ -0,0 +1,408 @@
+/*-
+ * Copyright 2013-2018 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if RESTRICTED_PARAMS
+
+#define decode64_uint32(dst, src, min) \
+({ \
+        uint32_t d32 = a2i64(*(src)); \
+        if (d32 > 47) \
+                goto fail; \
+        *(dst) = d32 + (min); \
+        ++src; \
+})
+#define test_decode64_uint32() ((void)0)
+#define FULL_PARAMS(...)
+
+#else
+
+#define FULL_PARAMS(...) __VA_ARGS__
+
+/* Not inlining:
+ * de/encode64 functions are only used to read
+ * yescrypt_params_t field, and convert salt to binary -
+ * both of these are negligible compared to main hashing operation
+ */
+static NOINLINE const uint8_t *decode64_uint32(
+                uint32_t *dst,
+                const uint8_t *src, uint32_t val)
+{
+        uint32_t start = 0, end = 47, bits = 0;
+        uint32_t c;
+
+        if (!src) /* previous decode failed already? */
+                goto fail;
+
+        c = a2i64(*src++);
+        if (c > 63)
+                goto fail;
+
+// The encoding of number N:
+// start = 0 end = 47
+// If N < 48, it is encoded verbatim, else
+// N -= 48
+// start = end+1 = 48
+// end += (64-end)/2 = 55
+// If N < (end+1-start)<<6 = 8<<6, it is encoded as 48+(N>>6)|low6bits (that is, 48...55|<6bit>), else
+// N -= 8<<6
+// start = end+1 = 56
+// end += (64-end)/2 = 59
+// If N < (end+1-start)<<2*6 = 4<<12, it is encoded as 56+(N>>2*6)|low12bits (that is, 56...59|<6bit>|<6bit>), else
+// ...same for 60..61|<6bit>|<6bit>|<6bit>
+// .......same for 62|<6bit>|<6bit>|<6bit>|<6bit>
+// .......same for 63|<6bit>|<6bit>|<6bit>|<6bit>|<6bit>
+        dbg_dec64("c:%d val:0x%08x", (int)c, (unsigned)val);
+        while (c > end) {
+                dbg_dec64("c:%d > end:%d", (int)c, (int)end);
+                val += (end + 1 - start) << bits;
+                dbg_dec64("val+=0x%08x", (int)((end + 1 - start) << bits));
+                dbg_dec64(" val:0x%08x", (unsigned)val);
+                start = end + 1;
+                end += (64 - end) / 2;
+                bits += 6;
+                dbg_dec64("start=%d", (int)start);
+                dbg_dec64("end=%d", (int)end);
+                dbg_dec64("bits=%d", (int)bits);
+        }
+
+        val += (c - start) << bits;
+        dbg_dec64("final val+=0x%08x", (int)((c - start) << bits));
+        dbg_dec64("       val:0x%08x", (unsigned)val);
+
+        while (bits != 0) {
+                c = a2i64(*src++);
+                if (c > 63)
+                        goto fail;
+                bits -= 6;
+                val += c << bits;
+                dbg_dec64("low bits val+=0x%08x", (int)(c << bits));
+                dbg_dec64("          val:0x%08x", (unsigned)val);
+        }
+ ret:
+        *dst = val;
+        return src;
+ fail:
+        val = 0;
+        src = NULL;
+        goto ret;
+}
+
+#if TEST_DECODE64
+static void test_decode64_uint32(void)
+{
+        const uint8_t *src, *end;
+        uint32_t u32;
+        int a = 48;
+        int b = 8<<6;  // 0x0200
+        int c = 4<<12; // 0x04000
+        int d = 2<<18; // 0x080000
+        int e = 1<<24; // 0x1000000
+
+        src = (void*)"wzzz";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x0003ffff+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 4) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+        src = (void*)"xzzz";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x0007ffff+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 4) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+        // Note how the last representable "x---" encoding, 0x7ffff, is exactly d-1!
+        // And if we now increment it, we get:
+        src = (void*)"y....";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x00000000+d+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 5) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+        src = (void*)"yzzzz";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x00ffffff+d+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 5) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+
+        src = (void*)"zzzzzz";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x3fffffff+e+d+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 6) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+
+        bb_error_msg("test_decode64_uint32() OK");
+}
+#else
+# define test_decode64_uint32() ((void)0)
+#endif
+
+#endif /* !RESTRICTED_PARAMS */
+
+#if 1
+static const uint8_t *decode64(
+                uint8_t *dst, size_t *dstlen,
+                const uint8_t *src)
+{
+        unsigned dstpos = 0;
+
+        dbg_dec64("src:'%s'", src);
+        for (;;) {
+                uint32_t c, value = 0;
+                int bits = 0;
+                while (*src != '\0' && *src != '$') {
+                        c = a2i64(*src);
+                        if (c > 63) { /* bad ascii64 char, stop decoding at it */
+                                break;
+                        }
+                        src++;
+                        value |= c << bits;
+                        bits += 6;
+                        if (bits == 24) /* got 4 chars */
+                                goto store;
+                }
+                /* we read entire src, or met a non-ascii64 char (such as "$") */
+                if (bits == 0)
+                        break;
+                /* else: we got last, partial bit block - store it */
+ store:
+                dbg_dec64(" storing bits:%d dstpos:%u v:%08x", bits, dstpos, (int)SWAP_BE32(value)); //BE to see lsb first
+                for (;;) {
+                        if ((*src == '\0' || *src == '$')
+                         && value == 0 && bits < 8
+                        ) {
+                                /* Example: mkpasswd PWD '$y$j9T$123':
+                                 * the "123" is bits:18 value:03,51,00
+                                 * is considered to be 2 bytes, not 3!
+                                 *
+                                 * '$y$j9T$zzz' in upstream fails outright (3rd byte isn't zero).
+                                 * IOW: for upstream, validity of salt depends on VALUE,
+                                 * not just size of salt. Which is a bug.
+                                 * The '$y$j9T$zzz.' salt is the same
+                                 * (it adds 6 zero msbits) but upstream works with it,
+                                 * thus '$y$j9T$zzz' should work too and give the same result.
+                                 */
+                                goto end;
+                        }
+                        if (dstpos >= *dstlen) {
+                                dbg_dec64(" ERR: bits:%d dstpos:%u dst[] is too small", bits, dstpos);
+                                goto fail;
+                        }
+                        *dst++ = value;
+                        dstpos++;
+                        value >>= 8;
+                        bits -= 8;
+                        if (bits <= 0) /* can get negative, if we e.g. had 6 bits */
+                                break;
+                }
+                if (*src == '\0' || *src == '$')
+                        break;
+        }
+ end:
+        *dstlen = dstpos;
+        dbg_dec64("dec64: OK, dst[%d]", (int)dstpos);
+        return src;
+ fail:
+        /* *dstlen = 0; - not needed, caller detects error by seeing NULL */
+        return NULL;
+}
+#else
+/* Buggy (and larger) original code */
+static const uint8_t *decode64(
+                uint8_t *dst, size_t *dstlen,
+                const uint8_t *src, size_t srclen)
+{
+        size_t dstpos = 0;
+
+        while (dstpos <= *dstlen && srclen) {
+                uint32_t value = 0, bits = 0;
+                while (srclen--) {
+                        uint32_t c = a2i64(*src);
+                        if (c > 63) {
+                                srclen = 0;
+                                break;
+                        }
+                        src++;
+                        value |= c << bits;
+                        bits += 6;
+                        if (bits >= 24)
+                                break;
+                }
+                if (!bits)
+                        break;
+                if (bits < 12) /* must have at least one full byte */
+                        goto fail;
+                dbg_dec64(" storing bits:%d v:%08x", (int)bits, (int)SWAP_BE32(value)); //BE to see lsb first
+                while (dstpos++ < *dstlen) {
+                        *dst++ = value;
+                        value >>= 8;
+                        bits -= 8;
+                        if (bits < 8) { /* 2 or 4 */
+                                if (value) /* must be 0 */
+                                        goto fail;
+                                bits = 0;
+                                break;
+                        }
+                }
+                if (bits)
+                        goto fail;
+        }
+
+        if (!srclen && dstpos <= *dstlen) {
+                *dstlen = dstpos;
+                dbg_dec64("dec64: OK, dst[%d]", (int)dstpos);
+                return src;
+        }
+ fail:
+        /* *dstlen = 0; - not needed, caller detects error by seeing NULL */
+        return NULL;
+}
+#endif
+
+static char *encode64(
+                char *dst, size_t dstlen,
+                const uint8_t *src, size_t srclen)
+{
+        while (srclen) {
+                uint32_t value = 0, b = 0;
+                do {
+                        value |= (uint32_t)(*src++ << b);
+                        b += 8;
+                        srclen--;
+                } while (srclen && b < 24);
+
+                b >>= 3; /* number of bits to number of bytes */
+                b++; /* 1, 2 or 3 bytes will become 2, 3 or 4 ascii64 chars */
+                dstlen -= b;
+                if ((ssize_t)dstlen <= 0)
+                        return NULL;
+                dst = num2str64_lsb_first(dst, value, b);
+        }
+        *dst = '\0';
+        return dst;
+}
+
+char *yescrypt_r(
+                const uint8_t *passwd, size_t passwdlen,
+                const uint8_t *setting,
+                char *buf, size_t buflen)
+{
+        struct {
+                yescrypt_ctx_t yctx[1];
+                unsigned char hashbin32[32];
+        } u;
+#define yctx      u.yctx
+#define hashbin32 u.hashbin32
+        char *dst;
+        const uint8_t *src, *saltend;
+        size_t need, prefixlen;
+        uint32_t u32;
+
+        test_decode64_uint32();
+
+        memset(yctx, 0, sizeof(yctx));
+        FULL_PARAMS(yctx->param.p = 1;)
+
+        /* we assume setting starts with "$y$" (caller must ensure this) */
+        src = setting + 3;
+
+        src = decode64_uint32(&yctx->param.flags, src, 0);
+        /* "j9T" returns: 0x2f */
+        //if (!src)
+        //      goto fail;
+
+        if (yctx->param.flags < YESCRYPT_RW) {
+                dbg("yctx->param.flags=0x%x", (unsigned)yctx->param.flags);
+                goto fail; // bbox: we don't support scrypt - only yescrypt
+        } else if (yctx->param.flags <= YESCRYPT_RW + (YESCRYPT_RW_FLAVOR_MASK >> 2)) {
+                /* "j9T" sets flags to 0xb6 */
+                yctx->param.flags = YESCRYPT_RW + ((yctx->param.flags - YESCRYPT_RW) << 2);
+                dbg("yctx->param.flags=0x%x", (unsigned)yctx->param.flags);
+                dbg(" YESCRYPT_RW:%u", !!(yctx->param.flags & YESCRYPT_RW));
+                dbg((yctx->param.flags & YESCRYPT_RW_FLAVOR_MASK) ==
+                       (YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 | YESCRYPT_SIMPLE_2 | YESCRYPT_SBOX_12K)
+                    ? " YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 | YESCRYPT_SIMPLE_2 | YESCRYPT_SBOX_12K"
+                    : " flags are not standard"
+                );
+        } else {
+                goto fail;
+        }
+
+        src = decode64_uint32(&u32, src, 1);
+        if (/*!src ||*/ u32 > 63)
+                goto fail;
+        yctx->param.N = (uint64_t)1 << u32;
+        /* "j9T" sets to 4096 (1<<12) */
+        dbg("yctx->param.N=%llu (1<<%u)", (unsigned long long)yctx->param.N, (unsigned)u32);
+
+        src = decode64_uint32(&yctx->param.r, src, 1);
+        /* "j9T" sets to 32 */
+        dbg("yctx->param.r=%u", yctx->param.r);
+
+        if (!src)
+                goto fail;
+        if (*src != '$') {
+#if RESTRICTED_PARAMS
+                goto fail;
+#else
+                src = decode64_uint32(&u32, src, 1);
+                dbg("yescrypt has extended params:0x%x", (unsigned)u32);
+                if (u32 & 1)
+                        src = decode64_uint32(&yctx->param.p, src, 2);
+                if (u32 & 2)
+                        src = decode64_uint32(&yctx->param.t, src, 1);
+                if (u32 & 4)
+                        src = decode64_uint32(&yctx->param.g, src, 1);
+                if (u32 & 8) {
+                        src = decode64_uint32(&u32, src, 1);
+                        if (/*!src ||*/ u32 > 63)
+                                goto fail;
+                        yctx->param.NROM = (uint64_t)1 << u32;
+                }
+                if (!src)
+                        goto fail;
+                if (*src != '$')
+                        goto fail;
+#endif
+        }
+
+        yctx->saltlen = sizeof(yctx->salt);
+        src++; /* now points to salt */
+        saltend = decode64(yctx->salt, &yctx->saltlen, src);
+        if (!saltend || (*saltend != '\0' && *saltend != '$'))
+                goto fail; /* salt[] is too small, or bad char during decode */
+        dbg_dec64("salt is %d ascii64 chars -> %d bytes (in binary)", (int)(saltend - src), (int)yctx->saltlen);
+
+        prefixlen = saltend - setting;
+        need = prefixlen + 1 + YESCRYPT_HASH_LEN + 1;
+        if (need > buflen /*overflow is quite unlikely: || need < prefixlen*/)
+                goto fail;
+
+        if (yescrypt_kdf32(yctx, passwd, passwdlen, hashbin32)) {
+                dbg("error in yescrypt_kdf32");
+                goto fail;
+        }
+
+        dst = mempcpy(buf, setting, prefixlen);
+        *dst++ = '$';
+        dst = encode64(dst, buflen - (dst - buf), hashbin32, sizeof(hashbin32));
+        if (!dst)
+                goto fail;
+ ret:
+        free_region(yctx->local);
+        explicit_bzero(&u, sizeof(u));
+        return buf;
+ fail:
+        buf = NULL;
+        goto ret;
+#undef yctx
+#undef hashbin32
+}
diff --git a/libbb/yescrypt/alg-yescrypt-kdf.c b/libbb/yescrypt/alg-yescrypt-kdf.c
new file mode 100644
index 000000000..a9a1bd591
--- /dev/null
+++ b/libbb/yescrypt/alg-yescrypt-kdf.c
@@ -0,0 +1,1212 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * Copyright 2012-2018 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+
+#if __STDC_VERSION__ >= 199901L
+/* Have restrict */
+#elif defined(__GNUC__)
+#define restrict __restrict
+#else
+#define restrict
+#endif
+
+#ifdef __GNUC__
+#define unlikely(exp) __builtin_expect(exp, 0)
+#else
+#define unlikely(exp) (exp)
+#endif
+
+typedef union {
+        uint32_t w[16];
+        uint64_t d[8];
+} salsa20_blk_t;
+
+static void salsa20_simd_shuffle(
+                const salsa20_blk_t *Bin,
+                salsa20_blk_t *Bout)
+{
+#define COMBINE(out, in1, in2) \
+do { \
+        Bout->d[out] = Bin->w[in1 * 2] | ((uint64_t)Bin->w[in2 * 2 + 1] << 32); \
+} while (0)
+        COMBINE(0, 0, 2);
+        COMBINE(1, 5, 7);
+        COMBINE(2, 2, 4);
+        COMBINE(3, 7, 1);
+        COMBINE(4, 4, 6);
+        COMBINE(5, 1, 3);
+        COMBINE(6, 6, 0);
+        COMBINE(7, 3, 5);
+#undef COMBINE
+}
+
+static void salsa20_simd_unshuffle(
+                const salsa20_blk_t *Bin,
+                salsa20_blk_t *Bout)
+{
+#define UNCOMBINE(out, in1, in2) \
+do { \
+        Bout->w[out * 2] = Bin->d[in1]; \
+        Bout->w[out * 2 + 1] = Bin->d[in2] >> 32; \
+} while (0)
+        UNCOMBINE(0, 0, 6);
+        UNCOMBINE(1, 5, 3);
+        UNCOMBINE(2, 2, 0);
+        UNCOMBINE(3, 7, 5);
+        UNCOMBINE(4, 4, 2);
+        UNCOMBINE(5, 1, 7);
+        UNCOMBINE(6, 6, 4);
+        UNCOMBINE(7, 3, 1);
+#undef UNCOMBINE
+}
+
+#define DECL_X \
+        salsa20_blk_t X
+#define DECL_Y \
+        salsa20_blk_t Y
+
+#if KDF_UNROLL_COPY
+#define COPY(out, in) \
+do { \
+        (out).d[0] = (in).d[0]; \
+        (out).d[1] = (in).d[1]; \
+        (out).d[2] = (in).d[2]; \
+        (out).d[3] = (in).d[3]; \
+        (out).d[4] = (in).d[4]; \
+        (out).d[5] = (in).d[5]; \
+        (out).d[6] = (in).d[6]; \
+        (out).d[7] = (in).d[7]; \
+} while (0)
+#else
+#define COPY(out, in) \
+do { \
+        memcpy((out).d, (in).d, sizeof((in).d)); \
+} while (0)
+#endif
+
+#define READ_X(in)   COPY(X, in)
+#define WRITE_X(out) COPY(out, X)
+
+/**
+ * salsa20(B):
+ * Apply the Salsa20 core to the provided block.
+ */
+static void salsa20(salsa20_blk_t *restrict B,
+                salsa20_blk_t *restrict Bout,
+                uint32_t doublerounds)
+{
+        salsa20_blk_t X;
+#define x X.w
+
+        salsa20_simd_unshuffle(B, &X);
+
+        do {
+#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
+                /* Operate on columns */
+#if KDF_UNROLL_SALSA20
+                x[ 4] ^= R(x[ 0]+x[12], 7); // x[j] ^= R(x[k]+x[l], CONST)
+                x[ 8] ^= R(x[ 4]+x[ 0], 9);
+                x[12] ^= R(x[ 8]+x[ 4],13);
+                x[ 0] ^= R(x[12]+x[ 8],18);
+
+                x[ 9] ^= R(x[ 5]+x[ 1], 7);
+                x[13] ^= R(x[ 9]+x[ 5], 9);
+                x[ 1] ^= R(x[13]+x[ 9],13);
+                x[ 5] ^= R(x[ 1]+x[13],18);
+
+                x[14] ^= R(x[10]+x[ 6], 7);
+                x[ 2] ^= R(x[14]+x[10], 9);
+                x[ 6] ^= R(x[ 2]+x[14],13);
+                x[10] ^= R(x[ 6]+x[ 2],18);
+
+                x[ 3] ^= R(x[15]+x[11], 7);
+                x[ 7] ^= R(x[ 3]+x[15], 9);
+                x[11] ^= R(x[ 7]+x[ 3],13);
+                x[15] ^= R(x[11]+x[ 7],18);
+#else
+                {
+                        unsigned j, k, l;
+                        j = 4; k = 0; l = 12;
+                        for (;;) {
+                                uint32_t t;
+                                x[j] ^= ({ t = x[k] + x[l]; R(t, 7); }); l = k; k = j; j = (j+4) & 0xf;
+                                x[j] ^= ({ t = x[k] + x[l]; R(t, 9); }); l = k; k = j; j = (j+4) & 0xf;
+                                x[j] ^= ({ t = x[k] + x[l]; R(t,13); }); l = k; k = j; j = (j+4) & 0xf;
+                                x[j] ^= ({ t = x[k] + x[l]; R(t,18); });
+                                if (j == 15) break;
+                                l = j + 1; k = j + 5; j = (j+9) & 0xf;
+                        }
+                }
+#endif
+                /* Operate on rows */
+#if KDF_UNROLL_SALSA20
+// i=0 n=0
+                x[ 1] ^= R(x[ 0]+x[ 3], 7); // [i + (n+1)&3] [i + (n+0)&3] [i + (n+3)&3]
+                x[ 2] ^= R(x[ 1]+x[ 0], 9); // [i + (n+2)&3] [i + (n+1)&3] [i + (n+0)&3]
+                x[ 3] ^= R(x[ 2]+x[ 1],13); // [i + (n+3)&3] [i + (n+2)&3] [i + (n+1)&3]
+                x[ 0] ^= R(x[ 3]+x[ 2],18); // [i + (n+0)&3] [i + (n+3)&3] [i + (n+2)&3]
+// i=4 n=1                                          ^^^j^^^       ^^^k^^^       ^^^l^^^
+                x[ 6] ^= R(x[ 5]+x[ 4], 7); // [i + (n+1)&3] [i + (n+0)&3] [i + (n+3)&3]
+                x[ 7] ^= R(x[ 6]+x[ 5], 9); // [i + (n+2)&3] [i + (n+1)&3] [i + (n+0)&3]
+                x[ 4] ^= R(x[ 7]+x[ 6],13); // [i + (n+3)&3] [i + (n+2)&3] [i + (n+1)&3]
+                x[ 5] ^= R(x[ 4]+x[ 7],18); // [i + (n+0)&3] [i + (n+3)&3] [i + (n+2)&3]
+// i=8 n=2
+                x[11] ^= R(x[10]+x[ 9], 7); // [i + (n+1)&3] [i + (n+0)&3] [i + (n+3)&3]
+                x[ 8] ^= R(x[11]+x[10], 9); // [i + (n+2)&3] [i + (n+1)&3] [i + (n+0)&3]
+                x[ 9] ^= R(x[ 8]+x[11],13); // [i + (n+3)&3] [i + (n+2)&3] [i + (n+1)&3]
+                x[10] ^= R(x[ 9]+x[ 8],18); // [i + (n+0)&3] [i + (n+3)&3] [i + (n+2)&3]
+// i=12 n=3
+                x[12] ^= R(x[15]+x[14], 7); // [i + (n+1)&3] [i + (n+0)&3] [i + (n+3)&3]
+                x[13] ^= R(x[12]+x[15], 9); // [i + (n+2)&3] [i + (n+1)&3] [i + (n+0)&3]
+                x[14] ^= R(x[13]+x[12],13); // [i + (n+3)&3] [i + (n+2)&3] [i + (n+1)&3]
+                x[15] ^= R(x[14]+x[13],18); // [i + (n+0)&3] [i + (n+3)&3] [i + (n+2)&3]
+#else
+                {
+                        unsigned j, k, l;
+                        uint32_t *xrow;
+                        j = 1; k = 0; l = 3;
+                        xrow = &x[0];
+                        for (;;) {
+                                uint32_t t;
+                                xrow[j] ^= ({ t = xrow[k] + xrow[l]; R(t, 7); }); l = k; k = j; j = (j+1) & 3;
+                                xrow[j] ^= ({ t = xrow[k] + xrow[l]; R(t, 9); }); l = k; k = j; j = (j+1) & 3;
+                                xrow[j] ^= ({ t = xrow[k] + xrow[l]; R(t,13); }); l = k; k = j; j = (j+1) & 3;
+                                xrow[j] ^= ({ t = xrow[k] + xrow[l]; R(t,18); });
+                                if (j == 3) break;
+                                l = j; k = j + 1; j = (j+2) & 3;
+                                xrow += 4;
+                        }
+                }
+#endif
+
+#undef R
+        } while (--doublerounds);
+#undef x
+
+        {
+                uint32_t i;
+                salsa20_simd_shuffle(&X, Bout);
+                for (i = 0; i < 16; i++) {
+                        // bbox: note: was unrolled x4
+                        B->w[i] = Bout->w[i] += B->w[i];
+                }
+        }
+#if 0
+        /* Too expensive */
+        explicit_bzero(&X, sizeof(X));
+#endif
+}
+
+/**
+ * Apply the Salsa20/2 core to the block provided in X.
+ */
+#define SALSA20_2(out) \
+        salsa20(&X, &out, 1)
+
+#if 0
+#define XOR(out, in1, in2) \
+do { \
+        (out).d[0] = (in1).d[0] ^ (in2).d[0]; \
+        (out).d[1] = (in1).d[1] ^ (in2).d[1]; \
+        (out).d[2] = (in1).d[2] ^ (in2).d[2]; \
+        (out).d[3] = (in1).d[3] ^ (in2).d[3]; \
+        (out).d[4] = (in1).d[4] ^ (in2).d[4]; \
+        (out).d[5] = (in1).d[5] ^ (in2).d[5]; \
+        (out).d[6] = (in1).d[6] ^ (in2).d[6]; \
+        (out).d[7] = (in1).d[7] ^ (in2).d[7]; \
+} while (0)
+#else
+#define XOR(out, in1, in2) \
+do { \
+        xorbuf64_3_aligned64(&(out).d, &(in1).d, &(in2).d); \
+} while (0)
+#endif
+
+#define XOR_X(in)         XOR(X, X, in)
+#define XOR_X_2(in1, in2) XOR(X, in1, in2)
+#define XOR_X_WRITE_XOR_Y_2(out, in) \
+do { \
+        XOR(Y, out, in); \
+        COPY(out, Y); \
+        XOR(X, X, Y); \
+} while (0)
+
+/**
+ * Apply the Salsa20/8 core to the block provided in X ^ in.
+ */
+#define SALSA20_8_XOR_MEM(in, out) \
+do { \
+        XOR_X(in); \
+        salsa20(&X, &out, 4); \
+} while (0)
+
+#define INTEGERIFY ((uint32_t)X.d[0])
+
+/**
+ * blockmix_salsa8(Bin, Bout, r):
+ * Compute Bout = BlockMix_{salsa20/8, r}(Bin).  The input Bin must be 128r
+ * bytes in length; the output Bout must also be the same size.
+ */
+static void blockmix_salsa8(
+                const salsa20_blk_t *restrict Bin,
+                salsa20_blk_t *restrict Bout,
+                size_t r)
+{
+        size_t i;
+        DECL_X;
+
+        READ_X(Bin[r * 2 - 1]);
+        for (i = 0; i < r; i++) {
+                SALSA20_8_XOR_MEM(Bin[i * 2], Bout[i]);
+                SALSA20_8_XOR_MEM(Bin[i * 2 + 1], Bout[r + i]);
+        }
+}
+
+static uint32_t blockmix_salsa8_xor(
+                const salsa20_blk_t *restrict Bin1,
+                const salsa20_blk_t *restrict Bin2,
+                salsa20_blk_t *restrict Bout,
+                size_t r)
+{
+        size_t i;
+        DECL_X;
+
+        XOR_X_2(Bin1[r * 2 - 1], Bin2[r * 2 - 1]);
+        for (i = 0; i < r; i++) {
+                XOR_X(Bin1[i * 2]);
+                SALSA20_8_XOR_MEM(Bin2[i * 2], Bout[i]);
+                XOR_X(Bin1[i * 2 + 1]);
+                SALSA20_8_XOR_MEM(Bin2[i * 2 + 1], Bout[r + i]);
+        }
+
+        return INTEGERIFY;
+}
+
+/* This is tunable */
+#define Swidth 8
+
+/* Not tunable in this implementation, hard-coded in a few places */
+#define PWXsimple 2
+#define PWXgather 4
+
+/* Derived values.  Not tunable except via Swidth above. */
+#define PWXbytes (PWXgather * PWXsimple * 8)
+#define Sbytes   (3 * (1 << Swidth) * PWXsimple * 8)
+#define Smask    (((1 << Swidth) - 1) * PWXsimple * 8)
+#define Smask2   (((uint64_t)Smask << 32) | Smask)
+
+#define DECL_SMASK2REG       do {} while (0)
+#define FORCE_REGALLOC_3     do {} while (0)
+#define MAYBE_MEMORY_BARRIER do {} while (0)
+
+#define PWXFORM_SIMD(x0, x1) \
+do { \
+        uint64_t x = x0 & Smask2; \
+        uint64_t *p0 = (uint64_t *)(S0 + (uint32_t)x); \
+        uint64_t *p1 = (uint64_t *)(S1 + (x >> 32)); \
+        x0 = ((x0 >> 32) * (uint32_t)x0 + p0[0]) ^ p1[0]; \
+        x1 = ((x1 >> 32) * (uint32_t)x1 + p0[1]) ^ p1[1]; \
+} while (0)
+
+#if KDF_UNROLL_PWXFORM_ROUND
+#define PWXFORM_ROUND \
+do { \
+        PWXFORM_SIMD(X.d[0], X.d[1]); \
+        PWXFORM_SIMD(X.d[2], X.d[3]); \
+        PWXFORM_SIMD(X.d[4], X.d[5]); \
+        PWXFORM_SIMD(X.d[6], X.d[7]); \
+} while (0)
+#else
+#define PWXFORM_ROUND \
+do { \
+        for (int pwxi=0; pwxi<8; pwxi+=2) \
+                PWXFORM_SIMD(X.d[pwxi], X.d[pwxi + 1]); \
+} while (0)
+#endif
+
+/*
+ * This offset helps address the 256-byte write block via the single-byte
+ * displacements encodable in x86(-64) instructions.  It is needed because the
+ * displacements are signed.  Without it, we'd get 4-byte displacements for
+ * half of the writes.  Setting it to 0x80 instead of 0x7c would avoid needing
+ * a displacement for one of the writes, but then the LEA instruction would
+ * need a 4-byte displacement.
+ */
+#define PWXFORM_WRITE_OFFSET 0x7c
+
+#define PWXFORM_WRITE \
+do { \
+        WRITE_X(*(salsa20_blk_t *)(Sw - PWXFORM_WRITE_OFFSET)); \
+        Sw += 64; \
+} while (0)
+
+#if KDF_UNROLL_PWXFORM
+#define PWXFORM \
+do { \
+        uint8_t *Sw = S2 + w + PWXFORM_WRITE_OFFSET; \
+        FORCE_REGALLOC_3; \
+        MAYBE_MEMORY_BARRIER; \
+        PWXFORM_ROUND; \
+        PWXFORM_ROUND; PWXFORM_WRITE; \
+        PWXFORM_ROUND; PWXFORM_WRITE; \
+        PWXFORM_ROUND; PWXFORM_WRITE; \
+        PWXFORM_ROUND; PWXFORM_WRITE; \
+        PWXFORM_ROUND; \
+        w = (w + 64 * 4) & Smask2; \
+        { \
+                uint8_t *Stmp = S2; \
+                S2 = S1; \
+                S1 = S0; \
+                S0 = Stmp; \
+        } \
+} while (0)
+#else
+#define PWXFORM \
+do { \
+        uint8_t *Sw = S2 + w + PWXFORM_WRITE_OFFSET; \
+        FORCE_REGALLOC_3; \
+        MAYBE_MEMORY_BARRIER; \
+        PWXFORM_ROUND; \
+        for (int pwxj=0; pwxj<4; pwxj++) {\
+                PWXFORM_ROUND; PWXFORM_WRITE; \
+        } \
+        PWXFORM_ROUND; \
+        w = (w + 64 * 4) & Smask2; \
+        { \
+                uint8_t *Stmp = S2; \
+                S2 = S1; \
+                S1 = S0; \
+                S0 = Stmp; \
+        } \
+} while (0)
+#endif
+
+typedef struct {
+        uint8_t *S0, *S1, *S2;
+        size_t w;
+} pwxform_ctx_t;
+
+#define Salloc (Sbytes + ((sizeof(pwxform_ctx_t) + 63) & ~63U))
+
+/**
+ * blockmix_pwxform(Bin, Bout, r, S):
+ * Compute Bout = BlockMix_pwxform{salsa20/2, r, S}(Bin).  The input Bin must
+ * be 128r bytes in length; the output Bout must also be the same size.
+ */
+static void blockmix(
+                const salsa20_blk_t *restrict Bin,
+                salsa20_blk_t *restrict Bout,
+                size_t r,
+                pwxform_ctx_t *restrict ctx)
+{
+        uint8_t *S0 = ctx->S0, *S1 = ctx->S1, *S2 = ctx->S2;
+        size_t w = ctx->w;
+        size_t i;
+        DECL_X;
+
+        /* Convert count of 128-byte blocks to max index of 64-byte block */
+        r = r * 2 - 1;
+
+        READ_X(Bin[r]);
+
+        DECL_SMASK2REG;
+
+        i = 0;
+        for (;;) {
+                XOR_X(Bin[i]);
+                PWXFORM;
+                if (unlikely(i >= r))
+                        break;
+                WRITE_X(Bout[i]);
+                i++;
+        }
+
+        ctx->S0 = S0;
+        ctx->S1 = S1;
+        ctx->S2 = S2;
+        ctx->w = w;
+
+        SALSA20_2(Bout[i]);
+}
+
+static uint32_t blockmix_xor(
+                const salsa20_blk_t *Bin1,
+                const salsa20_blk_t *restrict Bin2,
+                salsa20_blk_t *Bout,
+                size_t r,
+                pwxform_ctx_t *restrict ctx)
+{
+        uint8_t *S0 = ctx->S0, *S1 = ctx->S1, *S2 = ctx->S2;
+        size_t w = ctx->w;
+        size_t i;
+        DECL_X;
+
+        /* Convert count of 128-byte blocks to max index of 64-byte block */
+        r = r * 2 - 1;
+
+        XOR_X_2(Bin1[r], Bin2[r]);
+
+        DECL_SMASK2REG;
+
+        i = 0;
+        r--;
+        for (;;) {
+                XOR_X(Bin1[i]);
+                XOR_X(Bin2[i]);
+                PWXFORM;
+                if (unlikely(i > r))
+                        break;
+                WRITE_X(Bout[i]);
+                i++;
+        }
+
+        ctx->S0 = S0;
+        ctx->S1 = S1;
+        ctx->S2 = S2;
+        ctx->w = w;
+
+        SALSA20_2(Bout[i]);
+
+        return INTEGERIFY;
+}
+
+static uint32_t blockmix_xor_save(
+                salsa20_blk_t *restrict Bin1out,
+                salsa20_blk_t *restrict Bin2,
+                size_t r,
+                pwxform_ctx_t *restrict ctx)
+{
+        uint8_t *S0 = ctx->S0, *S1 = ctx->S1, *S2 = ctx->S2;
+        size_t w = ctx->w;
+        size_t i;
+        DECL_X;
+        DECL_Y;
+
+        /* Convert count of 128-byte blocks to max index of 64-byte block */
+        r = r * 2 - 1;
+
+        XOR_X_2(Bin1out[r], Bin2[r]);
+
+        DECL_SMASK2REG;
+
+        i = 0;
+        r--;
+        for (;;) {
+                XOR_X_WRITE_XOR_Y_2(Bin2[i], Bin1out[i]);
+                PWXFORM;
+                if (unlikely(i > r))
+                        break;
+                WRITE_X(Bin1out[i]);
+                i++;
+        }
+
+        ctx->S0 = S0;
+        ctx->S1 = S1;
+        ctx->S2 = S2;
+        ctx->w = w;
+
+        SALSA20_2(Bin1out[i]);
+
+        return INTEGERIFY;
+}
+
+/**
+ * integerify(B, r):
+ * Return the result of parsing B_{2r-1} as a little-endian integer.
+ */
+static inline uint32_t integerify(const salsa20_blk_t *B, size_t r)
+{
+/*
+ * Our 64-bit words are in host byte order, which is why we don't just read
+ * w[0] here (would be wrong on big-endian).  Also, our 32-bit words are
+ * SIMD-shuffled (so the next 32 bits would be part of d[6]), but currently
+ * this does not matter as we only care about the least significant 32 bits.
+ */
+        return (uint32_t)B[2 * r - 1].d[0];
+}
+
+/**
+ * smix1(B, r, N, flags, V, NROM, VROM, XY, ctx):
+ * Compute first loop of B = SMix_r(B, N).  The input B must be 128r bytes in
+ * length; the temporary storage V must be 128rN bytes in length; the temporary
+ * storage XY must be 128r+64 bytes in length.  N must be even and at least 4.
+ * The array V must be aligned to a multiple of 64 bytes, and arrays B and XY
+ * to a multiple of at least 16 bytes.
+ */
+#if DISABLE_NROM_CODE
+#define smix1(B,r,N,flags,V,NROM,VROM,XY,ctx) \
+        smix1(B,r,N,flags,V,XY,ctx)
+#endif
+static void smix1(uint8_t *B, size_t r, uint32_t N,
+                uint32_t flags,
+                salsa20_blk_t *V,
+                uint32_t NROM, const salsa20_blk_t *VROM,
+                salsa20_blk_t *XY,
+                pwxform_ctx_t *ctx)
+{
+#if DISABLE_NROM_CODE
+        uint32_t NROM = 0;
+        const salsa20_blk_t *VROM = NULL;
+#endif
+        size_t s = 2 * r;
+        salsa20_blk_t *X = V, *Y = &V[s];
+        uint32_t i, j;
+
+        for (i = 0; i < 2 * r; i++) {
+                const salsa20_blk_t *src = (salsa20_blk_t *)&B[i * 64];
+                salsa20_blk_t *tmp = Y;
+                salsa20_blk_t *dst = &X[i];
+                size_t k;
+                for (k = 0; k < 16; k++)
+                        tmp->w[k] = SWAP_LE32(src->w[k]);
+                salsa20_simd_shuffle(tmp, dst);
+        }
+
+        if (VROM) {
+                uint32_t n;
+                const salsa20_blk_t *V_j;
+
+                V_j = &VROM[(NROM - 1) * s];
+                j = blockmix_xor(X, V_j, Y, r, ctx) & (NROM - 1);
+                V_j = &VROM[j * s];
+                X = Y + s;
+                j = blockmix_xor(Y, V_j, X, r, ctx);
+
+                for (n = 2; n < N; n <<= 1) {
+                        uint32_t m = (n < N / 2) ? n : (N - 1 - n);
+                        for (i = 1; i < m; i += 2) {
+                                j &= n - 1;
+                                j += i - 1;
+                                V_j = &V[j * s];
+                                Y = X + s;
+                                j = blockmix_xor(X, V_j, Y, r, ctx) & (NROM - 1);
+                                V_j = &VROM[j * s];
+                                X = Y + s;
+                                j = blockmix_xor(Y, V_j, X, r, ctx);
+                        }
+                }
+                n >>= 1;
+
+                j &= n - 1;
+                j += N - 2 - n;
+                V_j = &V[j * s];
+                Y = X + s;
+                j = blockmix_xor(X, V_j, Y, r, ctx) & (NROM - 1);
+                V_j = &VROM[j * s];
+                blockmix_xor(Y, V_j, XY, r, ctx);
+        } else if (flags & YESCRYPT_RW) {
+//can't use flags___YESCRYPT_RW, smix1() may be called with flags = 0
+                uint32_t n;
+                salsa20_blk_t *V_j;
+
+                blockmix(X, Y, r, ctx);
+                X = Y + s;
+                blockmix(Y, X, r, ctx);
+                j = integerify(X, r);
+
+                for (n = 2; n < N; n <<= 1) {
+                        uint32_t m = (n < N / 2) ? n : (N - 1 - n);
+                        for (i = 1; i < m; i += 2) {
+                                Y = X + s;
+                                j &= n - 1;
+                                j += i - 1;
+                                V_j = &V[j * s];
+                                j = blockmix_xor(X, V_j, Y, r, ctx);
+                                j &= n - 1;
+                                j += i;
+                                V_j = &V[j * s];
+                                X = Y + s;
+                                j = blockmix_xor(Y, V_j, X, r, ctx);
+                        }
+                }
+                n >>= 1;
+
+                j &= n - 1;
+                j += N - 2 - n;
+                V_j = &V[j * s];
+                Y = X + s;
+                j = blockmix_xor(X, V_j, Y, r, ctx);
+                j &= n - 1;
+                j += N - 1 - n;
+                V_j = &V[j * s];
+                blockmix_xor(Y, V_j, XY, r, ctx);
+        } else {
+                N -= 2;
+                do {
+                        blockmix_salsa8(X, Y, r);
+                        X = Y + s;
+                        blockmix_salsa8(Y, X, r);
+                        Y = X + s;
+                } while ((N -= 2));
+
+                blockmix_salsa8(X, Y, r);
+                blockmix_salsa8(Y, XY, r);
+        }
+
+        for (i = 0; i < 2 * r; i++) {
+                const salsa20_blk_t *src = &XY[i];
+                salsa20_blk_t *tmp = &XY[s];
+                salsa20_blk_t *dst = (salsa20_blk_t *)&B[i * 64];
+                size_t k;
+                for (k = 0; k < 16; k++)
+                        tmp->w[k] = SWAP_LE32(src->w[k]);
+                salsa20_simd_unshuffle(tmp, dst);
+        }
+}
+
+/**
+ * smix2(B, r, N, Nloop, flags, V, NROM, VROM, XY, ctx):
+ * Compute second loop of B = SMix_r(B, N).  The input B must be 128r bytes in
+ * length; the temporary storage V must be 128rN bytes in length; the temporary
+ * storage XY must be 256r bytes in length.  N must be a power of 2 and at
+ * least 2.  Nloop must be even.  The array V must be aligned to a multiple of
+ * 64 bytes, and arrays B and XY to a multiple of at least 16 bytes.
+ */
+#if DISABLE_NROM_CODE
+#define smix2(B,r,N,Nloop,flags,V,NROM,VROM,XY,ctx) \
+        smix2(B,r,N,Nloop,flags,V,XY,ctx)
+#endif
+static void smix2(uint8_t *B, size_t r, uint32_t N, uint64_t Nloop,
+                uint32_t flags,
+                salsa20_blk_t *V,
+                uint32_t NROM, const salsa20_blk_t *VROM,
+                salsa20_blk_t *XY,
+                pwxform_ctx_t *ctx)
+{
+#if DISABLE_NROM_CODE
+        uint32_t NROM = 0;
+        const salsa20_blk_t *VROM = NULL;
+#endif
+        size_t s = 2 * r;
+        salsa20_blk_t *X = XY, *Y = &XY[s];
+        uint32_t i, j;
+
+        if (Nloop == 0)
+                return;
+
+        for (i = 0; i < 2 * r; i++) {
+                const salsa20_blk_t *src = (salsa20_blk_t *)&B[i * 64];
+                salsa20_blk_t *tmp = Y;
+                salsa20_blk_t *dst = &X[i];
+                size_t k;
+                for (k = 0; k < 16; k++)
+                        tmp->w[k] = SWAP_LE32(src->w[k]);
+                salsa20_simd_shuffle(tmp, dst);
+        }
+
+        j = integerify(X, r) & (N - 1);
+
+/*
+ * Normally, VROM implies YESCRYPT_RW, but we check for these separately
+ * because our SMix resets YESCRYPT_RW for the smix2() calls operating on the
+ * entire V when p > 1.
+ */
+//and this is why bbox can't use flags___YESCRYPT_RW in this function
+        if (VROM && (flags & YESCRYPT_RW)) {
+                do {
+                        salsa20_blk_t *V_j = &V[j * s];
+                        const salsa20_blk_t *VROM_j;
+                        j = blockmix_xor_save(X, V_j, r, ctx) & (NROM - 1);
+                        VROM_j = &VROM[j * s];
+                        j = blockmix_xor(X, VROM_j, X, r, ctx) & (N - 1);
+                } while (Nloop -= 2);
+        } else if (VROM) {
+                do {
+                        const salsa20_blk_t *V_j = &V[j * s];
+                        j = blockmix_xor(X, V_j, X, r, ctx) & (NROM - 1);
+                        V_j = &VROM[j * s];
+                        j = blockmix_xor(X, V_j, X, r, ctx) & (N - 1);
+                } while (Nloop -= 2);
+        } else if (flags & YESCRYPT_RW) {
+                do {
+                        salsa20_blk_t *V_j = &V[j * s];
+                        j = blockmix_xor_save(X, V_j, r, ctx) & (N - 1);
+                        V_j = &V[j * s];
+                        j = blockmix_xor_save(X, V_j, r, ctx) & (N - 1);
+                } while (Nloop -= 2);
+        } else if (ctx) {
+                do {
+                        const salsa20_blk_t *V_j = &V[j * s];
+                        j = blockmix_xor(X, V_j, X, r, ctx) & (N - 1);
+                        V_j = &V[j * s];
+                        j = blockmix_xor(X, V_j, X, r, ctx) & (N - 1);
+                } while (Nloop -= 2);
+        } else {
+                do {
+                        const salsa20_blk_t *V_j = &V[j * s];
+                        j = blockmix_salsa8_xor(X, V_j, Y, r) & (N - 1);
+                        V_j = &V[j * s];
+                        j = blockmix_salsa8_xor(Y, V_j, X, r) & (N - 1);
+                } while (Nloop -= 2);
+        }
+
+        for (i = 0; i < 2 * r; i++) {
+                const salsa20_blk_t *src = &X[i];
+                salsa20_blk_t *tmp = Y;
+                salsa20_blk_t *dst = (salsa20_blk_t *)&B[i * 64];
+                size_t k;
+                for (k = 0; k < 16; k++)
+                        tmp->w[k] = SWAP_LE32(src->w[k]);
+                salsa20_simd_unshuffle(tmp, dst);
+        }
+}
+
+/**
+ * p2floor(x):
+ * Largest power of 2 not greater than argument.
+ */
+static uint64_t p2floor(uint64_t x)
+{
+        uint64_t y;
+        while ((y = x & (x - 1)))
+                x = y;
+        return x;
+}
+
+/**
+ * smix(B, r, N, p, t, flags, V, NROM, VROM, XY, S, passwd):
+ * Compute B = SMix_r(B, N).  The input B must be 128rp bytes in length; the
+ * temporary storage V must be 128rN bytes in length; the temporary storage
+ * XY must be 256r or 256rp bytes in length (the larger size is required with
+ * OpenMP-enabled builds).  N must be a power of 2 and at least 4.  The array V
+ * must be aligned to a multiple of 64 bytes, and arrays B and XY to a multiple
+ * of at least 16 bytes (aligning them to 64 bytes as well saves cache lines
+ * and helps avoid false sharing in OpenMP-enabled builds when p > 1, but it
+ * might also result in cache bank conflicts).
+ */
+#if DISABLE_NROM_CODE
+#define smix(B,r,N,p,t,flags,V,NROM,VROM,XY,S,passwd) \
+        smix(B,r,N,p,t,flags,V,XY,S,passwd)
+#endif
+static void smix(uint8_t *B, size_t r, uint32_t N, uint32_t p, uint32_t t,
+                uint32_t flags,
+                salsa20_blk_t *V,
+                uint32_t NROM, const salsa20_blk_t *VROM,
+                salsa20_blk_t *XY,
+                uint8_t *S, uint8_t *passwd)
+{
+        size_t s = 2 * r;
+        uint32_t Nchunk;
+        uint64_t Nloop_all, Nloop_rw;
+        uint32_t i;
+
+        Nchunk = N / p;
+        Nloop_all = Nchunk;
+        if (flags___YESCRYPT_RW) {
+                if (t <= 1) {
+                        if (t)
+                                Nloop_all *= 2; /* 2/3 */
+                        Nloop_all = (Nloop_all + 2) / 3; /* 1/3, round up */
+                } else {
+                        Nloop_all *= t - 1;
+                }
+        } else if (t) {
+                if (t == 1)
+                        Nloop_all += (Nloop_all + 1) / 2; /* 1.5, round up */
+                Nloop_all *= t;
+        }
+
+        Nloop_rw = 0;
+        if (flags___YESCRYPT_RW)
+                Nloop_rw = Nloop_all / p;
+
+        Nchunk &= ~(uint32_t)1; /* round down to even */
+        Nloop_all++; Nloop_all &= ~(uint64_t)1; /* round up to even */
+        Nloop_rw++; Nloop_rw &= ~(uint64_t)1; /* round up to even */
+
+        for (i = 0; i < p; i++) {
+                uint32_t Vchunk = i * Nchunk;
+                uint32_t Np = (i < p - 1) ? Nchunk : (N - Vchunk);
+                uint8_t *Bp = &B[128 * r * i];
+                salsa20_blk_t *Vp = &V[Vchunk * s];
+                salsa20_blk_t *XYp = XY;
+                pwxform_ctx_t *ctx_i = NULL;
+                if (flags___YESCRYPT_RW) {
+                        uint8_t *Si = S + i * Salloc;
+                        smix1(Bp, 1, Sbytes / 128, 0 /* no flags */,
+                                (salsa20_blk_t *)Si, 0, NULL, XYp, NULL);
+                        ctx_i = (pwxform_ctx_t *)(Si + Sbytes);
+                        ctx_i->S2 = Si;
+                        ctx_i->S1 = Si + Sbytes / 3;
+                        ctx_i->S0 = Si + Sbytes / 3 * 2;
+                        ctx_i->w = 0;
+                        if (i == 0)
+                                hmac_block(
+                                        /* key,len: */ Bp + (128 * r - 64), 64,
+                                        /* hash fn: */ sha256_begin,
+                                        /* in,len: */  passwd, 32,
+                                        /* outbuf: */  passwd
+                                );
+                }
+                smix1(Bp, r, Np, flags, Vp, NROM, VROM, XYp, ctx_i);
+                smix2(Bp, r, p2floor(Np), Nloop_rw, flags, Vp,
+                        NROM, VROM, XYp, ctx_i);
+        }
+
+        if (Nloop_all > Nloop_rw) {
+                for (i = 0; i < p; i++) {
+                        uint8_t *Bp = &B[128 * r * i];
+                        salsa20_blk_t *XYp = XY;
+                        pwxform_ctx_t *ctx_i = NULL;
+                        if (flags___YESCRYPT_RW) {
+                                uint8_t *Si = S + i * Salloc;
+                                ctx_i = (pwxform_ctx_t *)(Si + Sbytes);
+                        }
+                        smix2(Bp, r, N, Nloop_all - Nloop_rw,
+                                flags & (uint32_t)~YESCRYPT_RW,
+                                V, NROM, VROM, XYp, ctx_i);
+                }
+        }
+}
+
+/* Allocator code */
+
+static void alloc_region(yescrypt_region_t *region, size_t size)
+{
+        uint8_t *base;
+        int flags =
+# ifdef MAP_NOCORE /* huh? */
+                MAP_NOCORE |
+# endif
+                MAP_ANON | MAP_PRIVATE;
+
+        base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0);
+        if (base == MAP_FAILED)
+                bb_die_memory_exhausted();
+
+#if defined(MADV_HUGEPAGE)
+        /* Reduces mkpasswd qweRTY123@-+ '$y$jHT$123'
+         * (which allocates 4 Gbytes)
+         * run time from 10.543s to 5.635s
+         * Seen on linux-5.18.0.
+         */
+        madvise(base, size, MADV_HUGEPAGE);
+#endif
+        //region->base = base;
+        //region->base_size = size;
+        region->aligned = base;
+        region->aligned_size = size;
+}
+
+static void free_region(yescrypt_region_t *region)
+{
+        if (region->aligned)
+                munmap(region->aligned, region->aligned_size);
+        //region->base = NULL;
+        //region->base_size = 0;
+        region->aligned = NULL;
+        region->aligned_size = 0;
+}
+/**
+ * yescrypt_kdf_body(shared, local, passwd, passwdlen, salt, saltlen,
+ *     flags, N, r, p, t, NROM, buf, buflen):
+ * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
+ * p, buflen), or a revision of scrypt as requested by flags and shared, and
+ * write the result into buf.
+ *
+ * shared and flags may request special modes as described in yescrypt.h.
+ *
+ * local is the thread-local data structure, allowing to preserve and reuse a
+ * memory allocation across calls, thereby reducing its overhead.
+ *
+ * t controls computation time while not affecting peak memory usage.
+ *
+ * Return 0 on success; or -1 on error.
+ *
+ * This optimized implementation currently limits N to the range from 4 to
+ * 2^31, but other implementations might not.
+ */
+static int yescrypt_kdf32_body(
+                yescrypt_ctx_t *yctx,
+                const uint8_t *passwd, size_t passwdlen,
+                uint32_t flags, uint64_t N, uint32_t t,
+                uint8_t *buf32)
+{
+#if !DISABLE_NROM_CODE
+        const salsa20_blk_t *VROM;
+#endif
+        size_t B_size, V_size, XY_size, need;
+        uint8_t *B, *S;
+        salsa20_blk_t *V, *XY;
+        struct {
+                uint8_t sha256[32];
+                uint8_t dk[32];
+        } u;
+#define sha256 u.sha256
+#define dk     u.dk
+        uint8_t *dkp = buf32;
+        uint32_t r, p;
+
+        /* Sanity-check parameters */
+        switch (flags___YESCRYPT_MODE_MASK) {
+        case 0: /* classic scrypt - can't have anything non-standard */
+                if (flags || t || YCTX_param_NROM)
+                        goto out_EINVAL;
+                break;
+        case YESCRYPT_WORM:
+                if (flags != YESCRYPT_WORM || YCTX_param_NROM)
+                        goto out_EINVAL;
+                break;
+        case YESCRYPT_RW:
+                if (flags != (flags & YESCRYPT_KNOWN_FLAGS))
+                        goto out_EINVAL;
+#if PWXsimple == 2 && PWXgather == 4 && Sbytes == 12288
+                if ((flags & YESCRYPT_RW_FLAVOR_MASK) ==
+                    (YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 |
+                    YESCRYPT_SIMPLE_2 | YESCRYPT_SBOX_12K))
+                        break;
+#else
+#error "Unsupported pwxform settings"
+#endif
+                /* FALLTHRU */
+        default:
+                goto out_EINVAL;
+        }
+
+        r = YCTX_param_r;
+        p = YCTX_param_p;
+        if ((uint64_t)r * (uint64_t)p >= 1 << 30) {
+                dbg("r * n >= 2^30");
+                goto out_EINVAL;
+        }
+        if (N > UINT32_MAX) {
+                dbg("N > 0x%lx", (long)UINT32_MAX);
+                goto out_EINVAL;
+        }
+        if (N <= 3
+         || r < 1
+         || p < 1
+        ) {
+                dbg("bad N, r or p");
+                goto out_EINVAL;
+        }
+        if (r > SIZE_MAX / 256 / p
+         || N > SIZE_MAX / 128 / r
+        ) {
+                /* 32-bit testcase: mkpasswd qweRTY123@-+ '$y$jHT$123'
+                 * (works on 64-bit, needs buffer > 4Gbytes)
+                 */
+                dbg("r > SIZE_MAX / 256 / p? %c", "NY"[r > SIZE_MAX / 256 / p]);
+                dbg("N > SIZE_MAX / 128 / r? %c", "NY"[N > SIZE_MAX / 128 / r]);
+                goto out_EINVAL;
+        }
+        if (flags___YESCRYPT_RW) {
+                /* p cannot be greater than SIZE_MAX/Salloc on 64-bit systems,
+                   but it can on 32-bit systems.  */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wtype-limits"
+                if (N / p <= 3 || p > SIZE_MAX / Salloc) {
+                        dbg("bad p:%ld", (long)p);
+                        goto out_EINVAL;
+                }
+#pragma GCC diagnostic pop
+        }
+
+#if !DISABLE_NROM_CODE
+        VROM = NULL;
+        if (YCTX_param_NROM)
+                goto out_EINVAL;
+#endif
+
+        /* Allocate memory */
+        V = NULL;
+        V_size = (size_t)128 * r * N;
+        need = V_size;
+        B_size = (size_t)128 * r * p;
+        need += B_size;
+        if (need < B_size) {
+                dbg("integer overflow at += B_size(%lu)", (long)B_size);
+                goto out_EINVAL;
+        }
+        XY_size = (size_t)256 * r;
+        need += XY_size;
+        if (need < XY_size) {
+                dbg("integer overflow at += XY_size(%lu)", (long)XY_size);
+                goto out_EINVAL;
+        }
+        if (flags___YESCRYPT_RW) {
+                size_t S_size = (size_t)Salloc * p;
+                need += S_size;
+                if (need < S_size) {
+                        dbg("integer overflow at += S_size(%lu)", (long)S_size);
+                        goto out_EINVAL;
+                }
+        }
+        if (yctx->local->aligned_size < need) {
+                free_region(yctx->local);
+                alloc_region(yctx->local, need);
+                dbg("allocated local:%lu 0x%lx", (long)need, (long)need);
+                /* standard "j9T" params allocate 16Mbytes here */
+        }
+        if (flags & YESCRYPT_ALLOC_ONLY)
+                return -3; /* expected "failure" */
+        B = (uint8_t *)yctx->local->aligned;
+        V = (salsa20_blk_t *)((uint8_t *)B + B_size);
+        XY = (salsa20_blk_t *)((uint8_t *)V + V_size);
+        S = NULL;
+        if (flags___YESCRYPT_RW)
+                S = (uint8_t *)XY + XY_size;
+
+        if (flags) {
+                hmac_block(
+                        /* key,len: */ (const void*)"yescrypt-prehash", (flags & YESCRYPT_PREHASH) ? 16 : 8,
+                        /* hash fn: */ sha256_begin,
+                        /* in,len: */  passwd, passwdlen,
+                        /* outbuf: */  sha256
+                );
+                passwd = sha256;
+                passwdlen = sizeof(sha256);
+        }
+
+        PBKDF2_SHA256(passwd, passwdlen, yctx->salt, yctx->saltlen, 1, B, B_size);
+
+        if (flags)
+                memcpy(sha256, B, sizeof(sha256));
+
+        if (p == 1 || (flags___YESCRYPT_RW)) {
+                smix(B, r, N, p, t, flags, V, YCTX_param_NROM, VROM, XY, S, sha256);
+        } else {
+                uint32_t i;
+                for (i = 0; i < p; i++) {
+                        smix(&B[(size_t)128 * r * i], r, N, 1, t, flags, V,
+                                YCTX_param_NROM, VROM, XY, NULL, NULL);
+                }
+        }
+
+        dkp = buf32;
+        if (flags && /*buflen:*/32 < sizeof(dk)) {
+                PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, dk, sizeof(dk));
+                dkp = dk;
+        }
+
+        PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf32, /*buflen:*/32);
+
+        /*
+         * Except when computing classic scrypt, allow all computation so far
+         * to be performed on the client.  The final steps below match those of
+         * SCRAM (RFC 5802), so that an extension of SCRAM (with the steps so
+         * far in place of SCRAM's use of PBKDF2 and with SHA-256 in place of
+         * SCRAM's use of SHA-1) would be usable with yescrypt hashes.
+         */
+        if (flags && !(flags & YESCRYPT_PREHASH)) {
+                /* Compute ClientKey */
+                hmac_block(
+                        /* key,len: */ dkp, sizeof(dk),
+                        /* hash fn: */ sha256_begin,
+                        /* in,len: */  "Client Key", 10,
+                        /* outbuf: */  sha256
+                );
+                /* Compute StoredKey */
+                {
+                        size_t clen = /*buflen:*/32;
+                        if (clen > sizeof(dk))
+                                clen = sizeof(dk);
+                        if (sizeof(dk) != 32) { /* not true, optimize it out */
+                                sha256_block(sha256, sizeof(sha256), dk);
+                                memcpy(buf32, dk, clen);
+                        } else {
+                                sha256_block(sha256, sizeof(sha256), buf32);
+                        }
+                }
+        }
+
+        explicit_bzero(&u, sizeof(u));
+
+        /* Success! */
+        return 0;
+
+ out_EINVAL:
+        //bbox does not need this: errno = EINVAL;
+        return -1;
+#undef sha256
+#undef dk
+}
+
+/**
+ * yescrypt_kdf(shared, local, passwd, passwdlen, salt, saltlen, params,
+ *     buf, buflen):
+ * Compute scrypt or its revision as requested by the parameters.  The inputs
+ * to this function are the same as those for yescrypt_kdf_body() above, with
+ * the addition of g, which controls hash upgrades (0 for no upgrades so far).
+ */
+static
+int yescrypt_kdf32(
+                yescrypt_ctx_t *yctx,
+                const uint8_t *passwd, size_t passwdlen,
+                uint8_t *buf32)
+{
+        uint32_t flags = YCTX_param_flags;
+        uint64_t N = YCTX_param_N;
+        uint32_t r = YCTX_param_r;
+        uint32_t p = YCTX_param_p;
+        uint32_t t = YCTX_param_t;
+        uint32_t g = YCTX_param_g;
+        uint8_t dk32[32];
+        int retval;
+
+        /* Support for hash upgrades has been temporarily removed */
+        if (g) {
+                //bbox does not need this: errno = EINVAL;
+                return -1;
+        }
+
+        if ((flags___YESCRYPT_RW)
+         && p >= 1
+         && N / p >= 0x100
+         && N / p * r >= 0x20000
+        ) {
+                if (yescrypt_kdf32_body(yctx,
+                    passwd, passwdlen,
+                    flags | YESCRYPT_ALLOC_ONLY, N, t,
+                    buf32) != -3
+                ) {
+                        dbg("yescrypt_kdf32_body: not -3");
+                        return -1;
+                }
+                retval = yescrypt_kdf32_body(yctx,
+                                passwd, passwdlen,
+                                flags | YESCRYPT_PREHASH, N >> 6, 0,
+                                dk32);
+                if (retval) {
+                        dbg("yescrypt_kdf32_body(PREHASH):%d", retval);
+                        return retval;
+                }
+                passwd = dk32;
+                passwdlen = sizeof(dk32);
+        }
+
+        retval = yescrypt_kdf32_body(yctx,
+                        passwd, passwdlen,
+                        flags, N, t, buf32);
+
+        explicit_bzero(dk32, sizeof(dk32));
+
+        dbg("yescrypt_kdf32_body:%d", retval);
+        return retval;
+}
diff --git a/libbb/yescrypt/alg-yescrypt.h b/libbb/yescrypt/alg-yescrypt.h
new file mode 100644
index 000000000..b69843f5d
--- /dev/null
+++ b/libbb/yescrypt/alg-yescrypt.h
@@ -0,0 +1,247 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * Copyright 2013-2018 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+
+// busybox debug and size-reduction configuration
+
+#ifdef YESCRYPT_INTERNAL
+# if 1
+#  define dbg(...) ((void)0)
+# else
+#  define dbg(...) bb_error_msg(__VA_ARGS__)
+# endif
+# if 1
+#  define dbg_dec64(...) ((void)0)
+# else
+#  define dbg_dec64(...) bb_error_msg(__VA_ARGS__)
+# endif
+# define TEST_DECODE64  0
+#endif
+
+// Only accept one-char parameters in salt, and only first three?
+// Almost any reasonable yescrypt hashes in /etc/shadow should
+// only ever use "jXY" parameters which set N and r.
+// Fancy multi-byte-encoded wide integers are not needed for that.
+#define RESTRICTED_PARAMS  1
+// Note: if you enable the above, please also enable
+// YCTX_param_p, YCTX_param_t, YCTX_param_g, YCTX_param_NROM
+// optimizations, and DISABLE_NROM_CODE.
+
+#define DISABLE_NROM_CODE  1
+
+// How much we save by forcing "standard" value by commenting the next line:
+//  160 bytes
+//#define YCTX_param_flags           yctx->param.flags
+//  260 bytes
+//#define flags___YESCRYPT_RW        (flags & YESCRYPT_RW)
+//  140 bytes
+//#define flags___YESCRYPT_MODE_MASK (flags & YESCRYPT_MODE_MASK)
+// ^^^^ forcing the above since the code already requires (checks for) this
+//   50 bytes
+#define YCTX_param_N     yctx->param.N
+// -100 bytes (negative!!!)
+#define YCTX_param_r     yctx->param.r
+//  400 bytes
+//#define YCTX_param_p     yctx->param.p
+//  130 bytes
+//#define YCTX_param_t     yctx->param.t
+//    2 bytes
+//#define YCTX_param_g     yctx->param.g
+//    1 bytes
+// ^^^^ this looks wrong, compiler should be able to constant-propagate the fact that NROM code is dead
+//#define YCTX_param_NROM  yctx->param.NROM
+
+#ifndef YCTX_param_flags
+#define YCTX_param_flags (YESCRYPT_RW | YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 | YESCRYPT_SIMPLE_2 | YESCRYPT_SBOX_12K)
+#endif
+#ifndef flags___YESCRYPT_RW
+#define flags___YESCRYPT_RW ((void)flags, YESCRYPT_RW)
+#endif
+#ifndef flags___YESCRYPT_MODE_MASK
+#define flags___YESCRYPT_MODE_MASK ((void)flags, YESCRYPT_RW)
+#endif
+// standard ("j9T") values:
+#ifndef YCTX_param_N
+#define YCTX_param_N     4096
+#endif
+#ifndef YCTX_param_r
+#define YCTX_param_r     32
+#endif
+#ifndef YCTX_param_p
+#define YCTX_param_p     1
+#endif
+#ifndef YCTX_param_t
+#define YCTX_param_t     0
+#endif
+#ifndef YCTX_param_g
+#define YCTX_param_g     0
+#endif
+#ifndef YCTX_param_NROM
+#define YCTX_param_NROM  0
+#endif
+
+// "Faster/smaller code" knobs:
+// -941 bytes:
+#define KDF_UNROLL_COPY 0
+// -5324 bytes if 0:
+#define KDF_UNROLL_PWXFORM_ROUND 0
+// -4864 bytes if 0:
+#define KDF_UNROLL_PWXFORM 0
+// if both this ^^^^^^^^^^ and PWXFORM_ROUND set to 0: -7666 bytes
+// -464 bytes:
+#define KDF_UNROLL_SALSA20 0
+
+/**
+ * Type and possible values for the flags argument of yescrypt_kdf(),
+ * yescrypt_encode_params_r(), yescrypt_encode_params().  Most of these may be
+ * OR'ed together, except that YESCRYPT_WORM stands on its own.
+ * Please refer to the description of yescrypt_kdf() below for the meaning of
+ * these flags.
+ */
+/* yescrypt flags:
+ * bits pos: 7654321076543210
+ *                    ss  r w
+ *                sbox  gg y
+ */
+/* Public */
+#define YESCRYPT_WORM                   1
+#define YESCRYPT_RW                     0x002
+#define YESCRYPT_ROUNDS_3               0x000 //r=0
+#define YESCRYPT_ROUNDS_6               0x004 //r=1
+#define YESCRYPT_GATHER_1               0x000 //gg=00
+#define YESCRYPT_GATHER_2               0x008 //gg=01
+#define YESCRYPT_GATHER_4               0x010 //gg=10
+#define YESCRYPT_GATHER_8               0x018 //gg=11
+#define YESCRYPT_SIMPLE_1               0x000 //ss=00
+#define YESCRYPT_SIMPLE_2               0x020 //ss=01
+#define YESCRYPT_SIMPLE_4               0x040 //ss=10
+#define YESCRYPT_SIMPLE_8               0x060 //ss=11
+#define YESCRYPT_SBOX_6K                0x000 //sbox=0000
+#define YESCRYPT_SBOX_12K               0x080 //sbox=0001
+#define YESCRYPT_SBOX_24K               0x100 //sbox=0010
+#define YESCRYPT_SBOX_48K               0x180 //sbox=0011
+#define YESCRYPT_SBOX_96K               0x200 //sbox=0100
+#define YESCRYPT_SBOX_192K              0x280 //sbox=0101
+#define YESCRYPT_SBOX_384K              0x300 //sbox=0110
+#define YESCRYPT_SBOX_768K              0x380 //sbox=0111
+
+#ifdef YESCRYPT_INTERNAL
+/* Private */
+#define YESCRYPT_MODE_MASK              0x003
+#define YESCRYPT_RW_FLAVOR_MASK         0x3fc
+#define YESCRYPT_ALLOC_ONLY             0x08000000
+#define YESCRYPT_PREHASH                0x10000000
+#endif
+
+#define YESCRYPT_RW_DEFAULTS \
+        (YESCRYPT_RW | \
+        YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 | YESCRYPT_SIMPLE_2 | \
+        YESCRYPT_SBOX_12K)
+
+#define YESCRYPT_DEFAULTS YESCRYPT_RW_DEFAULTS
+
+#ifdef YESCRYPT_INTERNAL
+#define YESCRYPT_KNOWN_FLAGS \
+        (YESCRYPT_MODE_MASK | YESCRYPT_RW_FLAVOR_MASK | \
+        YESCRYPT_ALLOC_ONLY | YESCRYPT_PREHASH)
+#endif
+
+/* How many chars base-64 encoded bytes require? */
+#define YESCRYPT_BYTES2CHARS(bytes) ((((bytes) * 8) + 5) / 6)
+/* The /etc/passwd-style hash is "<prefix>$<hash><NUL>" */
+/*
+ * "$y$", up to 8 params of up to 6 chars each, '$', salt
+ * Alternatively, but that's smaller:
+ * "$7$", 3 params encoded as 1+5+5 chars, salt
+ */
+#define YESCRYPT_PREFIX_LEN (3 + 8 * 6 + 1 + YESCRYPT_BYTES2CHARS(32))
+
+#define YESCRYPT_HASH_SIZE 32
+#define YESCRYPT_HASH_LEN  YESCRYPT_BYTES2CHARS(YESCRYPT_HASH_SIZE)
+
+/**
+ * Internal type used by the memory allocator.  Please do not use it directly.
+ * Use yescrypt_shared_t and yescrypt_local_t as appropriate instead, since
+ * they might differ from each other in a future version.
+ */
+typedef struct {
+//      void *base;
+        void *aligned;
+//      size_t base_size;
+        size_t aligned_size;
+} yescrypt_region_t;
+
+/**
+ * yescrypt parameters combined into one struct.  N, r, p are the same as in
+ * classic scrypt, except that the meaning of p changes when YESCRYPT_RW is
+ * set.  flags, t, g, NROM are special to yescrypt.
+ */
+typedef struct {
+        uint32_t flags;
+        uint32_t r;
+        uint64_t N;
+#if !RESTRICTED_PARAMS
+        uint32_t p, t, g;
+        uint64_t NROM;
+#endif
+} yescrypt_params_t;
+
+typedef struct {
+        yescrypt_params_t param;
+
+        /* salt in binary form */
+        /* stored here to cut down on the amount of function paramaters */
+        unsigned char salt[64];
+        size_t saltlen;
+
+        /* used by the memory allocator */
+        //yescrypt_region_t shared[1];
+        yescrypt_region_t local[1];
+} yescrypt_ctx_t;
+
+/**
+ * yescrypt_r(shared, local, passwd, passwdlen, setting, key, buf, buflen):
+ * Compute and encode an scrypt or enhanced scrypt hash of passwd given the
+ * parameters and salt value encoded in setting.  If shared is not NULL, a ROM
+ * is used and YESCRYPT_RW is required.  Otherwise, whether to compute classic
+ * scrypt, YESCRYPT_WORM (a slight deviation from classic scrypt), or
+ * YESCRYPT_RW (time-memory tradeoff discouraging modification) is determined
+ * by the setting string.  shared (if not NULL) and local must be initialized
+ * as described above for yescrypt_kdf().  buf must be large enough (as
+ * indicated by buflen) to hold the encoded hash string.
+ *
+ * Return the encoded hash string on success; or NULL on error.
+ *
+ * MT-safe as long as local and buf are local to the thread.
+ */
+extern char *yescrypt_r(
+            const uint8_t *passwd, size_t passwdlen,
+            const uint8_t *setting,
+            char *buf, size_t buflen
+);
diff --git a/libbb/yescrypt/y.c b/libbb/yescrypt/y.c
new file mode 100644
index 000000000..d5ab8903f
--- /dev/null
+++ b/libbb/yescrypt/y.c
@@ -0,0 +1,16 @@
+/*
+ * The compilation unit for yescrypt-related code.
+ *
+ * Copyright (C) 2025 by Denys Vlasenko <vda.linux@googlemail.com>
+ *
+ * Licensed under GPLv2, see file LICENSE in this source tree.
+ */
+//kbuild:lib-$(CONFIG_USE_BB_CRYPT_YES) += y.o
+
+#include "libbb.h"
+
+#define YESCRYPT_INTERNAL
+#include "alg-yescrypt.h"
+#include "alg-sha256.c"
+#include "alg-yescrypt-kdf.c"
+#include "alg-yescrypt-common.c"
diff --git a/loginutils/Config.src b/loginutils/Config.src
index cbb09646b..a7812bd32 100644
--- a/loginutils/Config.src
+++ b/loginutils/Config.src
@@ -91,6 +91,17 @@ config USE_BB_CRYPT_SHA
         With this option off, login will fail password check for any
         user which has password encrypted with these algorithms.
 
+config USE_BB_CRYPT_YES
+        bool "Enable yescrypt functions"
+        default y
+        depends on USE_BB_CRYPT
+        help
+        Enable this if you have passwords starting with "$y$" or
+        in your /etc/passwd or /etc/shadow files. These passwords
+        are hashed using yescrypt algorithms.
+        With this option off, login will fail password check for any
+        user which has password encrypted with these algorithms.
+
 INSERT
 
 endmenu
diff --git a/loginutils/chpasswd.c b/loginutils/chpasswd.c
index 65530b614..353f19961 100644
--- a/loginutils/chpasswd.c
+++ b/loginutils/chpasswd.c
@@ -17,7 +17,7 @@
 //config:       default "des"
 //config:       depends on PASSWD || CRYPTPW || CHPASSWD
 //config:       help
-//config:       Possible choices are "d[es]", "m[d5]", "s[ha256]" or "sha512".
+//config:       Possible choices: "d[es]", "m[d5]", "s[ha256]", "sha512", "yescrypt"
 
 //applet:IF_CHPASSWD(APPLET(chpasswd, BB_DIR_USR_SBIN, BB_SUID_DROP))
 
diff --git a/loginutils/cryptpw.c b/loginutils/cryptpw.c
index 1c338540f..666deff0b 100644
--- a/loginutils/cryptpw.c
+++ b/loginutils/cryptpw.c
@@ -84,8 +84,7 @@ to cryptpw. -a option (alias for -m) came from cryptpw.
 int cryptpw_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
 int cryptpw_main(int argc UNUSED_PARAM, char **argv)
 {
-        /* Supports: cryptpw -m sha256 PASS 'rounds=999999999$SALT' */
-        char salt[MAX_PW_SALT_LEN + sizeof("rounds=999999999$")];
+        char salt[MAX_PW_SALT_LEN];
         char *salt_ptr;
         char *password;
         const char *opt_m, *opt_S;
@@ -100,7 +99,7 @@ int cryptpw_main(int argc UNUSED_PARAM, char **argv)
         ;
 #endif
         fd = STDIN_FILENO;
-        opt_m = CONFIG_FEATURE_DEFAULT_PASSWD_ALGO;
+        opt_m = NULL;
         opt_S = NULL;
         /* at most two non-option arguments; -P NUM */
         getopt32long(argv, "^" "sP:+S:m:a:" "\0" "?2",
@@ -114,10 +113,34 @@ int cryptpw_main(int argc UNUSED_PARAM, char **argv)
         if (argv[0] && !opt_S)
                 opt_S = argv[1];
 
-        salt_ptr = crypt_make_pw_salt(salt, opt_m);
-        if (opt_S)
-                /* put user's data after the "$N$" prefix */
-                safe_strncpy(salt_ptr, opt_S, sizeof(salt) - (sizeof("$N$")-1));
+        if (opt_S && !opt_S[0]) {
+                /* mkpasswd 5.6.2 compat: SALT of ""
+                 * is treated as not specified
+                 * (both forms: -S "" and argv[1] of "")
+                 */
+                opt_S = NULL;
+        }
+
+        if (opt_m) {
+                /* "cryptpw -m ALGO PASSWORD [SALT]" */
+                /* generate "$x$" algo prefix + random salt */
+                salt_ptr = crypt_make_pw_salt(salt, opt_m);
+                if (opt_S) {
+                        /* "cryptpw -m ALGO PASSWORD SALT" */
+                        /* put SALT data after the "$x$" prefix */
+                        safe_strncpy(salt_ptr, opt_S, sizeof(salt) - (sizeof("$N$")-1));
+                }
+        } else {
+                if (!opt_S) {
+                        /* "cryptpw PASSWORD" */
+                        /* generate random salt with default algo */
+                        crypt_make_pw_salt(salt, CONFIG_FEATURE_DEFAULT_PASSWD_ALGO);
+                } else {
+                        /* "cryptpw PASSWORD '$x$SALT'" */
+                        /* use given salt; algo will be detected by pw_encrypt() */
+                        safe_strncpy(salt, opt_S, sizeof(salt));
+                }
+        }
 
         xmove_fd(fd, STDIN_FILENO);
 
diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c
index 9c927ed79..984889915 100644
--- a/loginutils/sulogin.c
+++ b/loginutils/sulogin.c
@@ -79,7 +79,7 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv)
                         break;
                 }
                 pause_after_failed_login();
-                bb_simple_info_msg("Login incorrect");
+                bb_simple_error_msg("Login incorrect");
         }
 
         /* util-linux 2.36.1 compat: no message */
@@ -119,9 +119,12 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv)
         }
 
         /*
-         * Note: login does this (should we do it too?):
+         * Note: login does this. util-linux's sulogin does NOT.
+         * But it's rather unpleasant to have non-functioning ^C in a shell,
+         * and surprisingly, there is no easy way to remove SIG_IGN from ^C
+         * in the shell. So, we are doing it:
          */
-        /*signal(SIGINT, SIG_DFL);*/
+        signal(SIGINT, SIG_DFL);
 
         /* Exec shell with no additional parameters. Never returns. */
         exec_shell(shell, /* -p? then shell is login:*/(opts & 1), NULL);
diff --git a/miscutils/crond.c b/miscutils/crond.c
index b3762d327..96131cae4 100644
--- a/miscutils/crond.c
+++ b/miscutils/crond.c
@@ -177,7 +177,7 @@ static void crondlog(unsigned level, const char *msg, va_list va)
 {
         if (level >= G.log_level) {
                 /*
-                 * We are called only for info meesages.
+                 * We are called only for info messages.
                  * Warnings/errors use plain bb_[p]error_msg's, which
                  * need not touch syslog_level
                  * (they are ok with LOG_ERR default).
diff --git a/networking/httpd.c b/networking/httpd.c
index 1dae602ee..50595104c 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -3074,7 +3074,7 @@ int httpd_main(int argc UNUSED_PARAM, char **argv)
                 salt[0] = '$';
                 salt[1] = '1';
                 salt[2] = '$';
-                crypt_make_salt(salt + 3, 4);
+                crypt_make_rand64encoded(salt + 3, 8 / 2); /* 8 chars */
                 puts(pw_encrypt(pass, salt, /*cleanup:*/ 0));
                 return 0;
         }
diff --git a/networking/ntpd.c b/networking/ntpd.c
index 4c4842cb2..dd0a9c91f 100644
--- a/networking/ntpd.c
+++ b/networking/ntpd.c
@@ -1057,7 +1057,7 @@ step_time(double offset)
         }
         tval = tvn.tv_sec;
         strftime_YYYYMMDDHHMMSS(buf, sizeof(buf), &tval);
-        bb_info_msg("setting time to %s.%06u (offset %+fs)", buf, (unsigned)tvn.tv_usec, offset);
+        bb_error_msg("setting time to %s.%06u (offset %+fs)", buf, (unsigned)tvn.tv_usec, offset);
         //maybe? G.FREQHOLD_cnt = 0;
 
         /* Correct various fields which contain time-relative values: */
@@ -1976,7 +1976,7 @@ recv_and_process_peer_pkt(peer_t *p)
 
         p->reachable_bits |= 1;
         if ((MAX_VERBOSE && G.verbose) || (option_mask32 & OPT_w)) {
-                bb_info_msg("reply from %s: offset:%+f delay:%f status:0x%02x strat:%d refid:0x%08x rootdelay:%f reach:0x%02x",
+                bb_error_msg("reply from %s: offset:%+f delay:%f status:0x%02x strat:%d refid:0x%08x rootdelay:%f reach:0x%02x",
                         p->p_dotted,
                         offset,
                         p->p_raw_delay,
diff --git a/networking/telnetd.c b/networking/telnetd.c
index bfeea1400..a5a783047 100644
--- a/networking/telnetd.c
+++ b/networking/telnetd.c
@@ -104,8 +104,8 @@
 //usage:#define telnetd_full_usage "\n\n"
 //usage:       "Handle incoming telnet connections"
 //usage:        IF_NOT_FEATURE_TELNETD_STANDALONE(" via inetd") "\n"
-//usage:     "\n        -l LOGIN        Exec LOGIN on connect"
-//usage:     "\n        -f ISSUE_FILE   Display ISSUE_FILE instead of /etc/issue"
+//usage:     "\n        -l LOGIN        Exec LOGIN on connect (default /bin/login)"
+//usage:     "\n        -f ISSUE_FILE   Display ISSUE_FILE instead of /etc/issue.net"
 //usage:     "\n        -K              Close connection as soon as login exits"
 //usage:     "\n                        (normally wait until all programs close slave pty)"
 //usage:        IF_FEATURE_TELNETD_STANDALONE(
diff --git a/networking/tftp.c b/networking/tftp.c
index f5b4367ca..b698a9288 100644
--- a/networking/tftp.c
+++ b/networking/tftp.c
@@ -250,7 +250,7 @@ static int tftp_blksize_check(const char *blksize_str, int maxsize)
                 return -1;
         }
 # if ENABLE_TFTP_DEBUG
-        bb_info_msg("using blksize %u", blksize);
+        bb_error_msg("using blksize %u", blksize);
 # endif
         return blksize;
 }
diff --git a/networking/tls.c b/networking/tls.c
index 89726fee0..13bdc0423 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -22,19 +22,7 @@
 
 #include "tls.h"
 
-#if ENABLE_FEATURE_TLS_SCHANNEL || ENABLE_FEATURE_USE_CNG_API
-#include <windows.h>
-#endif
-
 #if !ENABLE_FEATURE_TLS_SCHANNEL
-#if ENABLE_FEATURE_USE_CNG_API
-# include <bcrypt.h>
-
-// these work on Windows >= 10
-# define BCRYPT_HMAC_SHA1_ALG_HANDLE   ((BCRYPT_ALG_HANDLE) 0x000000a1)
-# define BCRYPT_HMAC_SHA256_ALG_HANDLE ((BCRYPT_ALG_HANDLE) 0x000000b1)
-#endif
-
 // Usually enabled. You can disable some of them to force only
 // specific ciphers to be advertized to server.
 // (this would not exclude code to handle disabled ciphers, no code size win)
@@ -201,8 +189,6 @@
 #define TLS_MAX_OUTBUF          (1 << 14)
 
 enum {
-        SHA_INSIZE     = 64,
-
         AES128_KEYSIZE = 16,
         AES256_KEYSIZE = 32,
 
@@ -348,34 +334,6 @@ void FAST_FUNC tls_get_random(void *buf, unsigned len)
                 xfunc_die();
 }
 
-static void xorbuf3(void *dst, const void *src1, const void *src2, unsigned count)
-{
-        uint8_t *d = dst;
-        const uint8_t *s1 = src1;
-        const uint8_t* s2 = src2;
-        while (count--)
-                *d++ = *s1++ ^ *s2++;
-}
-
-void FAST_FUNC xorbuf(void *dst, const void *src, unsigned count)
-{
-        xorbuf3(dst, dst, src, count);
-}
-
-void FAST_FUNC xorbuf_aligned_AES_BLOCK_SIZE(void *dst, const void *src)
-{
-        unsigned long *d = dst;
-        const unsigned long *s = src;
-        d[0] ^= s[0];
-#if ULONG_MAX <= 0xffffffffffffffff
-        d[1] ^= s[1];
- #if ULONG_MAX == 0xffffffff
-        d[2] ^= s[2];
-        d[3] ^= s[3];
- #endif
-#endif
-}
-
 #if !TLS_DEBUG_HASH
 # define hash_handshake(tls, fmt, buffer, len) \
          hash_handshake(tls, buffer, len)
@@ -406,191 +364,6 @@ static void hash_handshake(tls_state_t *tls, const char *fmt, const void *buffer
 # define TLS_MAC_SIZE(tls) (tls)->MAC_size
 #endif
 
-// RFC 2104:
-// HMAC(key, text) based on a hash H (say, sha256) is:
-// ipad = [0x36 x INSIZE]
-// opad = [0x5c x INSIZE]
-// HMAC(key, text) = H((key XOR opad) + H((key XOR ipad) + text))
-//
-// H(key XOR opad) and H(key XOR ipad) can be precomputed
-// if we often need HMAC hmac with the same key.
-//
-// text is often given in disjoint pieces.
-#if !ENABLE_FEATURE_USE_CNG_API
-typedef struct hmac_precomputed {
-        md5sha_ctx_t hashed_key_xor_ipad;
-        md5sha_ctx_t hashed_key_xor_opad;
-} hmac_precomputed_t;
-
-typedef void md5sha_begin_func(md5sha_ctx_t *ctx) FAST_FUNC;
-
-#define sha1_begin_hmac sha1_begin
-#define sha256_begin_hmac sha256_begin
-#define hmac_uninit(...) ((void)0)
-
-#if !ENABLE_FEATURE_TLS_SHA1
-#define hmac_begin(pre,key,key_size,begin) \
-        hmac_begin(pre,key,key_size)
-#define begin sha256_begin
-#endif
-
-static void hmac_begin(hmac_precomputed_t *pre, uint8_t *key, unsigned key_size, md5sha_begin_func *begin)
-{
-        uint8_t key_xor_ipad[SHA_INSIZE];
-        uint8_t key_xor_opad[SHA_INSIZE];
-//      uint8_t tempkey[SHA1_OUTSIZE < SHA256_OUTSIZE ? SHA256_OUTSIZE : SHA1_OUTSIZE];
-        unsigned i;
-
-        // "The authentication key can be of any length up to INSIZE, the
-        // block length of the hash function.  Applications that use keys longer
-        // than INSIZE bytes will first hash the key using H and then use the
-        // resultant OUTSIZE byte string as the actual key to HMAC."
-        if (key_size > SHA_INSIZE) {
-                bb_simple_error_msg_and_die("HMAC key>64"); //does not happen (yet?)
-//              md5sha_ctx_t ctx;
-//              begin(&ctx);
-//              md5sha_hash(&ctx, key, key_size);
-//              key_size = sha_end(&ctx, tempkey);
-//              //key = tempkey; - right? RIGHT? why does it work without this?
-//              // because SHA_INSIZE is 64, but hmac() is always called with
-//              // key_size = tls->MAC_size = SHA1/256_OUTSIZE (20 or 32),
-//              // and prf_hmac_sha256() -> hmac_sha256() key sizes are:
-//              // - RSA_PREMASTER_SIZE is 48
-//              // - CURVE25519_KEYSIZE is 32
-//              // - master_secret[] is 48
-        }
-
-        for (i = 0; i < key_size; i++) {
-                key_xor_ipad[i] = key[i] ^ 0x36;
-                key_xor_opad[i] = key[i] ^ 0x5c;
-        }
-        for (; i < SHA_INSIZE; i++) {
-                key_xor_ipad[i] = 0x36;
-                key_xor_opad[i] = 0x5c;
-        }
-
-        begin(&pre->hashed_key_xor_ipad);
-        begin(&pre->hashed_key_xor_opad);
-        md5sha_hash(&pre->hashed_key_xor_ipad, key_xor_ipad, SHA_INSIZE);
-        md5sha_hash(&pre->hashed_key_xor_opad, key_xor_opad, SHA_INSIZE);
-}
-#undef begin
-
-static unsigned hmac_sha_precomputed_v(
-                hmac_precomputed_t *pre,
-                uint8_t *out,
-                va_list va)
-{
-        uint8_t *text;
-        unsigned len;
-
-        /* pre->hashed_key_xor_ipad contains unclosed "H((key XOR ipad) +" state */
-        /* pre->hashed_key_xor_opad contains unclosed "H((key XOR opad) +" state */
-
-        /* calculate out = H((key XOR ipad) + text) */
-        while ((text = va_arg(va, uint8_t*)) != NULL) {
-                unsigned text_size = va_arg(va, unsigned);
-                md5sha_hash(&pre->hashed_key_xor_ipad, text, text_size);
-        }
-        len = sha_end(&pre->hashed_key_xor_ipad, out);
-
-        /* out = H((key XOR opad) + out) */
-        md5sha_hash(&pre->hashed_key_xor_opad, out, len);
-        return sha_end(&pre->hashed_key_xor_opad, out);
-}
-#else
-#define sha1_begin_hmac BCRYPT_HMAC_SHA1_ALG_HANDLE
-#define sha256_begin_hmac BCRYPT_HMAC_SHA256_ALG_HANDLE
-
-#if !ENABLE_FEATURE_TLS_SHA1
-#define hmac_begin(pre,key,key_size,begin) _hmac_begin(pre, key, key_size, sha256_begin_hmac)
-#else
-#define hmac_begin _hmac_begin
-#endif
-
-typedef struct bcrypt_hash_ctx_t hmac_precomputed_t;
-
-static void _hmac_begin(hmac_precomputed_t *pre, uint8_t *key, unsigned key_size, BCRYPT_ALG_HANDLE alg_handle) {
-        DWORD hash_object_length = 0;
-        ULONG _unused;
-        NTSTATUS status;
-
-        status = BCryptGetProperty(alg_handle, BCRYPT_OBJECT_LENGTH, (PUCHAR)&hash_object_length, sizeof(DWORD), &_unused, 0);
-        mingw_die_if_error(status, "BCryptGetProperty");
-        status = BCryptGetProperty(alg_handle, BCRYPT_HASH_LENGTH, (PUCHAR)&pre->output_size, sizeof(DWORD), &_unused, 0);
-        mingw_die_if_error(status, "BCryptGetProperty");
-
-
-        pre->hash_obj = xmalloc(hash_object_length);
-
-        status = BCryptCreateHash(alg_handle, &pre->handle, pre->hash_obj, hash_object_length, key, key_size, BCRYPT_HASH_REUSABLE_FLAG);
-        mingw_die_if_error(status, "BCryptCreateHash");
-}
-
-static unsigned hmac_sha_precomputed_v(
-                hmac_precomputed_t *pre,
-                uint8_t *out,
-                va_list va)
-{
-        uint8_t *text;
-        NTSTATUS status;
-
-        while ((text = va_arg(va, uint8_t*)) != NULL) {
-                unsigned text_size = va_arg(va, unsigned);
-                /*status = */ BCryptHashData(pre->handle, text, text_size, 0);
-                //mingw_die_if_error(status, "BCryptHashData");
-        }
-
-        status = BCryptFinishHash(pre->handle, out, pre->output_size, 0);
-        mingw_die_if_error(status, "BCryptFinishHash");
-
-        return pre->output_size;
-}
-
-static void hmac_uninit(hmac_precomputed_t *pre) {
-        BCryptDestroyHash(pre->handle);
-        free(pre->hash_obj);
-}
-
-#endif
-
-static unsigned hmac_sha_precomputed(hmac_precomputed_t *pre_init, uint8_t *out, ...)
-{
-        hmac_precomputed_t pre;
-        va_list va;
-        unsigned len;
-
-        va_start(va, out);
-        pre = *pre_init; /* struct copy */
-        len = hmac_sha_precomputed_v(&pre, out, va);
-        va_end(va);
-        return len;
-}
-
-#if !ENABLE_FEATURE_TLS_SHA1
-#define hmac(tls,out,key,key_size,...) \
-        hmac(out,key,key_size, __VA_ARGS__)
-#endif
-static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_size, ...)
-{
-        hmac_precomputed_t pre;
-        va_list va;
-        unsigned len;
-
-        va_start(va, key_size);
-
-        hmac_begin(&pre, key, key_size,
-                        (ENABLE_FEATURE_TLS_SHA1 && tls->MAC_size == SHA1_OUTSIZE)
-                                ? sha1_begin_hmac
-                                : sha256_begin_hmac
-        );
-        len = hmac_sha_precomputed_v(&pre, out, va);
-
-        va_end(va);
-        hmac_uninit(&pre);
-        return len;
-}
-
 // RFC 5246:
 // 5.  HMAC and the Pseudorandom Function
 //...
@@ -635,7 +408,7 @@ static void prf_hmac_sha256(/*tls_state_t *tls,*/
                 const char *label,
                 uint8_t *seed, unsigned seed_size)
 {
-        hmac_precomputed_t pre;
+        hmac_ctx_t ctx;
         uint8_t a[TLS_MAX_MAC_SIZE];
         uint8_t *out_p = outbuf;
         unsigned label_size = strlen(label);
@@ -645,29 +418,27 @@ static void prf_hmac_sha256(/*tls_state_t *tls,*/
 #define SEED   label, label_size, seed, seed_size
 #define A      a, MAC_size
 
-        hmac_begin(&pre, secret, secret_size, sha256_begin_hmac);
+        hmac_begin(&ctx, secret, secret_size, sha256_begin);
 
         /* A(1) = HMAC_hash(secret, seed) */
-        hmac_sha_precomputed(&pre, a, SEED, NULL);
+        hmac_peek_hash(&ctx, a, SEED, NULL);
 
         for (;;) {
                 /* HMAC_hash(secret, A(1) + seed) */
                 if (outbuf_size <= MAC_size) {
                         /* Last, possibly incomplete, block */
                         /* (use a[] as temp buffer) */
-                        hmac_sha_precomputed(&pre, a, A, SEED, NULL);
+                        hmac_peek_hash(&ctx, a, A, SEED, NULL);
                         memcpy(out_p, a, outbuf_size);
                         return;
                 }
                 /* Not last block. Store directly to result buffer */
-                hmac_sha_precomputed(&pre, out_p, A, SEED, NULL);
+                hmac_peek_hash(&ctx, out_p, A, SEED, NULL);
                 out_p += MAC_size;
                 outbuf_size -= MAC_size;
                 /* A(2) = HMAC_hash(secret, A(1)) */
-                hmac_sha_precomputed(&pre, a, A, NULL);
+                hmac_peek_hash(&ctx, a, A, NULL);
         }
-
-        hmac_uninit(&pre);
 #undef A
 #undef SECRET
 #undef SEED
@@ -733,6 +504,29 @@ static void *tls_get_zeroed_outbuf(tls_state_t *tls, int len)
         return record;
 }
 
+/* Calculate the HMAC over the list of blocks */
+#if !ENABLE_FEATURE_TLS_SHA1
+#define hmac_blocks(tls,out,key,key_size,...) \
+        hmac_blocks(out,key,key_size, __VA_ARGS__)
+#endif
+static unsigned hmac_blocks(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_size, ...)
+{
+        hmac_ctx_t ctx;
+        va_list va;
+
+        hmac_begin(&ctx, key, key_size,
+                        (ENABLE_FEATURE_TLS_SHA1 && tls->MAC_size == SHA1_OUTSIZE)
+                                ? sha1_begin
+                                : sha256_begin
+        );
+
+        va_start(va, key_size);
+        hmac_hash_v(&ctx, va);
+        va_end(va);
+
+        return hmac_end(&ctx, out);
+}
+
 static void xwrite_encrypted_and_hmac_signed(tls_state_t *tls, unsigned size, unsigned type)
 {
         uint8_t *buf = tls->outbuf + OUTBUF_PFX;
@@ -754,7 +548,7 @@ static void xwrite_encrypted_and_hmac_signed(tls_state_t *tls, unsigned size, un
         xhdr->len16_lo = size & 0xff;
 
         /* Calculate MAC signature */
-        hmac(tls, buf + size, /* result */
+        hmac_blocks(tls, buf + size, /* result */
                 tls->client_write_MAC_key, TLS_MAC_SIZE(tls),
                 &tls->write_seq64_be, sizeof(tls->write_seq64_be),
                 xhdr, RECHDR_LEN,
@@ -943,8 +737,13 @@ static void xwrite_encrypted_aesgcm(tls_state_t *tls, unsigned size, unsigned ty
                 cnt++;
                 COUNTER(nonce) = htonl(cnt); /* yes, first cnt here is 2 (!) */
                 aes_encrypt_one_block(&tls->aes_encrypt, nonce, scratch);
-                n = remaining > AES_BLOCK_SIZE ? AES_BLOCK_SIZE : remaining;
-                xorbuf(buf, scratch, n);
+                if (remaining >= AES_BLOCK_SIZE) {
+                        n = AES_BLOCK_SIZE;
+                        xorbuf_AES_BLOCK_SIZE(buf, scratch);
+                } else {
+                        n = remaining;
+                        xorbuf(buf, scratch, n);
+                }
                 buf += n;
                 remaining -= n;
         }
@@ -1102,7 +901,7 @@ static void tls_aesgcm_decrypt(tls_state_t *tls, uint8_t *buf, int size)
                 COUNTER(nonce) = htonl(cnt); /* yes, first cnt here is 2 (!) */
                 aes_encrypt_one_block(&tls->aes_decrypt, nonce, scratch);
                 n = remaining > AES_BLOCK_SIZE ? AES_BLOCK_SIZE : remaining;
-                xorbuf3(buf, scratch, buf + 8, n);
+                xorbuf_3(buf, scratch, buf + 8, n);
                 buf += n;
                 remaining -= n;
         }
diff --git a/networking/tls.h b/networking/tls.h
index 4fac23993..eee5a7617 100644
--- a/networking/tls.h
+++ b/networking/tls.h
@@ -83,10 +83,9 @@ typedef  int16_t  int16;
 
 void tls_get_random(void *buf, unsigned len) FAST_FUNC;
 
-void xorbuf(void* buf, const void* mask, unsigned count) FAST_FUNC;
-
 #define ALIGNED_long ALIGNED(sizeof(long))
-void xorbuf_aligned_AES_BLOCK_SIZE(void* buf, const void* mask) FAST_FUNC;
+#define xorbuf_aligned_AES_BLOCK_SIZE(dst,src) xorbuf16_aligned_long(dst,src)
+#define xorbuf_AES_BLOCK_SIZE(dst,src)         xorbuf16(dst,src)
 
 #define matrixCryptoGetPrngData(buf, len, userPtr) (tls_get_random(buf, len), PS_SUCCESS)
 
diff --git a/networking/tls_aesgcm.c b/networking/tls_aesgcm.c
index 5ddcdd2ad..9c2381a57 100644
--- a/networking/tls_aesgcm.c
+++ b/networking/tls_aesgcm.c
@@ -167,10 +167,7 @@ void FAST_FUNC aesgcm_GHASH(byte* h,
         blocks = cSz / AES_BLOCK_SIZE;
         partial = cSz % AES_BLOCK_SIZE;
         while (blocks--) {
-            if (BB_UNALIGNED_MEMACCESS_OK) // c is not guaranteed to be aligned
-                xorbuf_aligned_AES_BLOCK_SIZE(x, c);
-            else
-                xorbuf(x, c, AES_BLOCK_SIZE);
+            xorbuf_AES_BLOCK_SIZE(x, c);
             GMULT(x, h);
             c += AES_BLOCK_SIZE;
         }
diff --git a/shell/hush.c b/shell/hush.c
index 0b2bc01f5..d1f687f9d 100644
--- a/shell/hush.c
+++ b/shell/hush.c
@@ -4625,6 +4625,11 @@ static int fetch_heredocs(o_string *as_string, struct pipe *pi, int heredoc_cnt,
 
                                         redir->rd_type = REDIRECT_HEREDOC2;
                                         /* redir->rd_dup is (ab)used to indicate <<- */
+                                        if (!redir->rd_filename) {
+                                                /* examples: "echo <<", "echo <<<", "echo <<>" */
+                                                syntax_error("missing here document terminator");
+                                                return -1;
+                                        }
                                         p = fetch_till_str(as_string, input,
                                                         redir->rd_filename, redir->rd_dup);
                                         if (!p) {
diff --git a/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF1.right b/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF1.right
new file mode 100644
index 000000000..7af73557a
--- /dev/null
+++ b/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF1.right
@@ -0,0 +1 @@
+hush: syntax error: missing here document terminator
diff --git a/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF1.tests b/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF1.tests
new file mode 100755
index 000000000..33ccde26b
--- /dev/null
+++ b/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF1.tests
@@ -0,0 +1,2 @@
+echo <<
+echo Done:
diff --git a/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF2.right b/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF2.right
new file mode 100644
index 000000000..7af73557a
--- /dev/null
+++ b/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF2.right
@@ -0,0 +1 @@
+hush: syntax error: missing here document terminator
diff --git a/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF2.tests b/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF2.tests
new file mode 100755
index 000000000..fcda11045
--- /dev/null
+++ b/shell/hush_test/hush-heredoc/heredoc_syntax_err_no_EOF2.tests
@@ -0,0 +1,2 @@
+echo << >
+echo Done:
diff --git a/testsuite/cryptpw.tests b/testsuite/cryptpw.tests
index 0dd91fe15..83bfde521 100755
--- a/testsuite/cryptpw.tests
+++ b/testsuite/cryptpw.tests
@@ -22,21 +22,93 @@ testing "cryptpw des zz" \
 #SKIP=
 
 optional USE_BB_CRYPT_SHA
-testing "cryptpw sha256" \
-        "cryptpw -m sha256 QWErty '123456789012345678901234567890'" \
-        '$5$1234567890123456$5DxfOCmU4vRhtzfsbdK.6wSGMwwVbac7ZkWwusb8Si7\n' "" ""
+# Note: mkpasswd-5.6.2 won't accept "-m sha256", wants "-m sha256crypt"
+testing 'cryptpw sha256' \
+        'cryptpw -m sha256 QWErty 1234567890123456' \
+        '$5$1234567890123456$5DxfOCmU4vRhtzfsbdK.6wSGMwwVbac7ZkWwusb8Si7\n' \
+        '' ''
+# mkpasswd-5.6.2 does not allow overlong salts, we truncate (at 16 chars for sha256)
+testing 'cryptpw sha256 overlong' \
+        'cryptpw -m sha256 QWErty 123456789012345678901234567890' \
+        '$5$1234567890123456$5DxfOCmU4vRhtzfsbdK.6wSGMwwVbac7ZkWwusb8Si7\n' \
+        '' ''
+testing 'cryptpw sha256 implicit' \
+        'cryptpw QWErty \$5\$1234567890123456' \
+        '$5$1234567890123456$5DxfOCmU4vRhtzfsbdK.6wSGMwwVbac7ZkWwusb8Si7\n' \
+        '' ''
+testing 'cryptpw sha256 rounds=99999' \
+        'cryptpw -m sha256 QWErty rounds=99999\$123456789012345678901234567890' \
+        '$5$rounds=99999$1234567890123456$aYellycJGZM6AKyVzaQsSrDBdTixubtMnM6J.MN0xM8\n' \
+        '' ''
+testing 'cryptpw sha256 rounds=99999 implicit' \
+        'cryptpw QWErty \$5\$rounds=99999\$123456789012345678901234567890' \
+        '$5$rounds=99999$1234567890123456$aYellycJGZM6AKyVzaQsSrDBdTixubtMnM6J.MN0xM8\n' \
+        '' ''
 
-testing "cryptpw sha256 rounds=99999" \
-        "cryptpw -m sha256 QWErty 'rounds=99999\$123456789012345678901234567890'" \
-        '$5$rounds=99999$1234567890123456$aYellycJGZM6AKyVzaQsSrDBdTixubtMnM6J.MN0xM8\n' "" ""
-
-testing "cryptpw sha512" \
-        "cryptpw -m sha512 QWErty '123456789012345678901234567890'" \
-        '$6$1234567890123456$KB7QqxFyqmJSWyQYcCuGeFukgz1bPQoipWZf7.9L7z3k8UNTXa6UikbKcUGDc2ANn7DOGmDaroxDgpK16w/RE0\n' "" ""
+testing 'cryptpw sha512' \
+        'cryptpw -m sha512 QWErty 123456789012345678901234567890' \
+        '$6$1234567890123456$KB7QqxFyqmJSWyQYcCuGeFukgz1bPQoipWZf7.9L7z3k8UNTXa6UikbKcUGDc2ANn7DOGmDaroxDgpK16w/RE0\n' \
+        '' ''
+testing 'cryptpw sha512crypt' \
+        'cryptpw -m sha512crypt QWErty 123456789012345678901234567890' \
+        '$6$1234567890123456$KB7QqxFyqmJSWyQYcCuGeFukgz1bPQoipWZf7.9L7z3k8UNTXa6UikbKcUGDc2ANn7DOGmDaroxDgpK16w/RE0\n' \
+        '' ''
+testing 'cryptpw sha512 rounds=99999' \
+        'cryptpw -m sha512 QWErty rounds=99999\$123456789012345678901234567890' \
+        '$6$rounds=99999$1234567890123456$BfF6gD6ZjUmwawH5QaAglYAxtU./yvsz0fcQ464l49aMI2DZW3j5ri28CrxK7riPWNpLuUpfaIdY751SBYKUH.\n' \
+        '' ''
+SKIP=
 
-testing "cryptpw sha512 rounds=99999" \
-        "cryptpw -m sha512 QWErty 'rounds=99999\$123456789012345678901234567890'" \
-        '$6$rounds=99999$1234567890123456$BfF6gD6ZjUmwawH5QaAglYAxtU./yvsz0fcQ464l49aMI2DZW3j5ri28CrxK7riPWNpLuUpfaIdY751SBYKUH.\n' "" ""
+optional USE_BB_CRYPT_YES
+testing 'cryptpw yescrypt' \
+        'cryptpw -m yescrypt qweRTY123@-+ j9T\$123456789012345678901234' \
+        '$y$j9T$123456789012345678901234$AKxw5OX/T4jD.v./IW.5tE/j7izNjw06fg3OvH1LsN9\n' \
+        '' ''
+testing 'cryptpw yescrypt with non-standard N=2048 instead of 4096 (j8T instead of j9T)' \
+        'cryptpw -m yescrypt qweRTY123@-+ j8T\$123456789012345678901234' \
+        '$y$j8T$123456789012345678901234$JQUUfopCxlfZNE8f.THJwbOkhy.XtB3GIjo9HUVioWB\n' \
+        '' ''
+# mkpasswd-5.6.2 allows short salts for yescrypt
+# ...but there is a catch. Not all of them.
+# The "partial" (not fitting in whole bytes) ascii64-encoded salt
+# is a special case. For example, "$zzz" would not even work in upstream.
+testing 'cryptpw yescrypt with empty salt' \
+        'cryptpw -m yescrypt qweRTY123@-+ j9T\$' \
+        '$y$j9T$$hpeksL94GXNRwnA00L3c8WFy0khFAUbCpBSak.N3Bp.\n' \
+        '' ''
+testing 'cryptpw yescrypt with 3-char salt' \
+        'cryptpw -m yescrypt qweRTY123@-+ j9T\$123' \
+        '$y$j9T$123$A34DMIGUbUIo3bjx66Wtk2IFoREMIw6d49it25KQh2D\n' \
+        '' ''
+# "." is not allowed in mkpasswd-5.6.2
+# ....................................
+# ".." is decoded into one zero byte (not two)
+testing 'cryptpw yescrypt with 2-char salt ".."' \
+        'cryptpw -m yescrypt qweRTY123@-+ j9T\$..' \
+        '$y$j9T$..$yVHeOayxOGg6cHL3.dg10u7T.qSgySfLN3uhSVSLNn/\n' \
+        '' ''
+# "..." is decoded into two zero bytes (not three, not one)
+testing 'cryptpw yescrypt with 3-char salt "..."' \
+        'cryptpw -m yescrypt qweRTY123@-+ j9T\$...' \
+        '$y$j9T$...$xHvJ5USZ7hFyXYbOijtEOMfZRS23cWIxu2eIBXRymA5\n' \
+        '' ''
+# "...." is decoded into three zero bytes (no surprises here)
+testing 'cryptpw yescrypt with 4-char salt "...."' \
+        'cryptpw -m yescrypt qweRTY123@-+ j9T\$....' \
+        '$y$j9T$....$wOnauYL2/NEtr6YQi9pi8AtV7L57sEbVOAnWJIcP9q2\n' \
+        '' ''
+# 84 chars = 21 4-char blocks which decode into 21*3 = 63 bytes.
+# The last byte of the maximum allowed salt size has to come from an incomplete
+# char block. E.g. "z/" encodes byte 0x7f. "z1" is 0xff.
+# Anything larger (e.g. "z2") is an error (it encodes 0x13f).
+testing 'cryptpw yescrypt with 86-char salt (max size)' \
+        'cryptpw -m yescrypt qweRTY123@-+ j9T\$123456789012345678901234567890123456789012345678901234567890123456789012345678901234z/' \
+        '$y$j9T$123456789012345678901234567890123456789012345678901234567890123456789012345678901234z/$Exxe8IoPXiddFsqj7iqCanRf8FyquAoB0/uceLmLjG.\n' \
+        '' ''
+testing 'cryptpw yescrypt implicit' \
+        'cryptpw qweRTY123@-+ \$y\$j9T\$123456789012345678901234' \
+        '$y$j9T$123456789012345678901234$AKxw5OX/T4jD.v./IW.5tE/j7izNjw06fg3OvH1LsN9\n' \
+        '' ''
 SKIP=
 
 exit $FAILCOUNT