28 files changed, 3152 insertions, 410 deletions
diff --git a/libbb/Config.src b/libbb/Config.src
index 61b4601d6..eff327c2a 100644
--- a/libbb/Config.src
+++ b/libbb/Config.src
@@ -37,6 +37,14 @@ config PASSWORD_MINLEN
        help
        Minimum allowable password length.
+config FEATURE_USE_CNG_API
+        bool "Use the Windows CNG API for checksums (Windows 10+ only)"
+        default n
+        depends on PLATFORM_MINGW32
+        help
+        Use the in-built Windows CNG API for checksums.
+        This reduces code size, but is only supported on Windows 10+.
 config MD5_SMALL
        int "MD5: Trade bytes for speed (0:fast, 3:slow)"
        default 1  # all "fast or small" options default to small
@@ -67,6 +75,7 @@ config SHA1_SMALL
 config SHA1_HWACCEL
        bool "SHA1: Use hardware accelerated instructions if possible"
        default y
+        depends on !FEATURE_USE_CNG_API
        help
        On x86, this adds ~590 bytes of code. Throughput
        is about twice as fast as fully-unrolled generic code.
@@ -74,6 +83,7 @@ config SHA1_HWACCEL
 config SHA256_HWACCEL
        bool "SHA256: Use hardware accelerated instructions if possible"
        default y
+        depends on !FEATURE_USE_CNG_API
        help
        On x86, this adds ~1k bytes of code.
@@ -182,8 +192,8 @@ config FEATURE_EDITING_VI
 config FEATURE_EDITING_HISTORY
        int "History size"
        # Don't allow way too big values here, code uses fixed "char *history[N]" struct member
-        range 0 9999
+        range 0 2000
-        default 255
+        default 200
        depends on FEATURE_EDITING
        help
        Specify command history size (0 - disable).
diff --git a/libbb/bitops.c b/libbb/bitops.c
new file mode 100644
index 000000000..467e1a2d9
--- /dev/null
+++ b/libbb/bitops.c
@@ -0,0 +1,128 @@
+/*
+ * Utility routines.
+ *
+ * Copyright (C) 2025 by Denys Vlasenko <vda.linux@googlemail.com>
+ *
+ * Licensed under GPLv2, see file LICENSE in this source tree.
+ */
+//kbuild:lib-y += bitops.o
+#include "libbb.h"
+void FAST_FUNC xorbuf_3(void *dst, const void *src1, const void *src2, unsigned count)
+{
+        uint8_t *d = dst;
+        const uint8_t *s1 = src1;
+        const uint8_t *s2 = src2;
+#if BB_UNALIGNED_MEMACCESS_OK
+        while (count >= sizeof(long)) {
+                *(long*)d = *(long*)s1 ^ *(long*)s2;
+                count -= sizeof(long);
+                d += sizeof(long);
+                s1 += sizeof(long);
+                s2 += sizeof(long);
+        }
+#endif
+        while (count--)
+                *d++ = *s1++ ^ *s2++;
+}
+void FAST_FUNC xorbuf(void *dst, const void *src, unsigned count)
+{
+        xorbuf_3(dst, dst, src, count);
+}
+void FAST_FUNC xorbuf16_aligned_long(void *dst, const void *src)
+{
+#if defined(__SSE__) /* any x86_64 has it */
+        asm volatile(
+"\n             movups  (%0),%%xmm0"
+"\n             movups  (%1),%%xmm1"   // can't just xorps(%1),%%xmm0:
+"\n             xorps   %%xmm1,%%xmm0" // SSE requires 16-byte alignment
+"\n             movups  %%xmm0,(%0)"
+"\n"
+                : "=r" (dst), "=r" (src)
+                : "0" (dst), "1" (src)
+                : "xmm0", "xmm1", "memory"
+        );
+#else
+        unsigned long *d = dst;
+        const unsigned long *s = src;
+        d[0] ^= s[0];
+# if LONG_MAX <= 0x7fffffffffffffff
+        d[1] ^= s[1];
+#  if LONG_MAX == 0x7fffffff
+        d[2] ^= s[2];
+        d[3] ^= s[3];
+#  endif
+# endif
+#endif
+}
+// The above can be inlined in libbb.h, in a way where compiler
+// is even free to use better addressing modes than (%reg), and
+// to keep the result in a register
+// (to not store it to memory after each XOR):
+//#if defined(__SSE__)
+//#include <xmmintrin.h>
+//^^^ or just: typedef float __m128_u attribute((__vector_size__(16),__may_alias__,__aligned__(1)));
+//static ALWAYS_INLINE void xorbuf16_aligned_long(void *dst, const void *src)
+//{
+//      __m128_u xmm0, xmm1;
+//      asm volatile(
+//"\n           xorps   %1,%0"
+//              : "=x" (xmm0), "=x" (xmm1)
+//              : "0" (*(__m128_u*)dst), "1" (*(__m128_u*)src)
+//      );
+//      *(__m128_u*)dst = xmm0; // this store may be optimized out!
+//}
+//#endif
+// but I don't trust gcc optimizer enough to not generate some monstrosity.
+// See GMULT() function in TLS code as an example.
+void FAST_FUNC xorbuf64_3_aligned64(void *dst, const void *src1, const void *src2)
+{
+#if defined(__SSE__) /* any x86_64 has it */
+        asm volatile(
+"\n             movups  0*16(%1),%%xmm0"
+"\n             movups  0*16(%2),%%xmm1" // can't just xorps(%2),%%xmm0:
+"\n             xorps   %%xmm1,%%xmm0"   // SSE requires 16-byte alignment, we have only 8-byte
+"\n             movups  %%xmm0,0*16(%0)"
+"\n             movups  1*16(%1),%%xmm0"
+"\n             movups  1*16(%2),%%xmm1"
+"\n             xorps   %%xmm1,%%xmm0"
+"\n             movups  %%xmm0,1*16(%0)"
+"\n             movups  2*16(%1),%%xmm0"
+"\n             movups  2*16(%2),%%xmm1"
+"\n             xorps   %%xmm1,%%xmm0"
+"\n             movups  %%xmm0,2*16(%0)"
+"\n             movups  3*16(%1),%%xmm0"
+"\n             movups  3*16(%2),%%xmm1"
+"\n             xorps   %%xmm1,%%xmm0"
+"\n             movups  %%xmm0,3*16(%0)"
+"\n"
+                : "=r" (dst), "=r" (src1), "=r" (src2)
+                : "0" (dst), "1" (src1), "2" (src2)
+                : "xmm0", "xmm1", "memory"
+        );
+#else
+        long *d = dst;
+        const long *s1 = src1;
+        const long *s2 = src2;
+        unsigned count = 64 / sizeof(long);
+        do {
+                *d++ = *s1++ ^ *s2++;
+        } while (--count != 0);
+#endif
+}
+#if !BB_UNALIGNED_MEMACCESS_OK
+void FAST_FUNC xorbuf16(void *dst, const void *src)
+{
+#define p_aligned(a) (((uintptr_t)(a) & (sizeof(long)-1)) == 0)
+        if (p_aligned(src) && p_aligned(dst)) {
+                xorbuf16_aligned_long(dst, src);
+                return;
+        }
+        xorbuf_3(dst, dst, src, 16);
+}
+#endif
diff --git a/libbb/const_hack.c b/libbb/const_hack.c
index 75163fede..1d175481b 100644
--- a/libbb/const_hack.c
+++ b/libbb/const_hack.c
@@ -9,18 +9,27 @@
 #include "libbb.h"
 #if defined(__clang_major__) && __clang_major__ >= 9
-void FAST_FUNC XZALLOC_CONST_PTR(const void *pptr, size_t size)
+/* Clang/llvm drops assignment to "constant" storage. Silently.
+ * Needs serious convincing to not eliminate the store.
+ */
+static ALWAYS_INLINE void* not_const_pp(const void *p)
 {
-        ASSIGN_CONST_PTR(pptr, xzalloc(size));
+        void *pp;
+        asm volatile (
+                "# forget that p points to const"
+                : /*outputs*/ "=r" (pp)
+                : /*inputs*/ "0" (p)
+        );
+        return pp;
 }
+void FAST_FUNC ASSIGN_CONST_PTR(const void *pptr, void *v)
-# if ENABLE_PLATFORM_MINGW32
+{
-void FAST_FUNC ASSIGN_CONST_PTR(const void *pptr, const void *v)
+        *(void**)not_const_pp(pptr) = v;
+        barrier();
+}
+void FAST_FUNC XZALLOC_CONST_PTR(const void *pptr, size_t size)
 {
-        do {
+        *(void**)not_const_pp(pptr) = xzalloc(size);
-                *(void**)not_const_pp(pptr) = (void*)(v);
+        barrier();
-                barrier();
-        } while (0);
 }
-# endif
 #endif
diff --git a/libbb/dump.c b/libbb/dump.c
index aa57eca8c..b2abe85af 100644
--- a/libbb/dump.c
+++ b/libbb/dump.c
@@ -703,15 +703,21 @@ static NOINLINE void display(priv_dumper_t* dumper)
                                                        conv_u(pr, bp);
                                                        break;
                                                case F_UINT: {
+                                                        union {
+                                                                uint16_t uval16;
+                                                                uint32_t uval32;
+                                                        } u;
                                                        unsigned value = (unsigned char)*bp;
                                                        switch (pr->bcnt) {
                                                        case 1:
                                                                break;
                                                        case 2:
-                                                                move_from_unaligned16(value, bp);
+                                                                move_from_unaligned16(u.uval16, bp);
+                                                                value = u.uval16;
                                                                break;
                                                        case 4:
-                                                                move_from_unaligned32(value, bp);
+                                                                move_from_unaligned32(u.uval32, bp);
+                                                                value = u.uval32;
                                                                break;
                                                        /* case 8: no users yet */
                                                        }
diff --git a/libbb/hash_hmac.c b/libbb/hash_hmac.c
new file mode 100644
index 000000000..b3138029f
--- /dev/null
+++ b/libbb/hash_hmac.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2025 Denys Vlasenko
+ *
+ * Licensed under GPLv2, see file LICENSE in this source tree.
+ */
+//kbuild:lib-$(CONFIG_TLS) += hash_hmac.o
+//kbuild:lib-$(CONFIG_USE_BB_CRYPT_YES) += hash_hmac.o
+#include "libbb.h"
+// RFC 2104:
+// HMAC(key, text) based on a hash H (say, sha256) is:
+// ipad = [0x36 x INSIZE]
+// opad = [0x5c x INSIZE]
+// HMAC(key, text) = H((key XOR opad) + H((key XOR ipad) + text))
+//
+// H(key XOR opad) and H(key XOR ipad) can be precomputed
+// if we often need HMAC hmac with the same key.
+//
+// text is often given in disjoint pieces.
+#if !ENABLE_FEATURE_USE_CNG_API
+void FAST_FUNC hmac_begin(hmac_ctx_t *ctx, const uint8_t *key, unsigned key_size, md5sha_begin_func *begin)
+{
+#if HMAC_ONLY_SHA256
+#define begin sha256_begin
+#endif
+        uint8_t key_xor_ipad[SHA2_INSIZE];
+        uint8_t key_xor_opad[SHA2_INSIZE];
+        unsigned i;
+        // "The authentication key can be of any length up to INSIZE, the
+        // block length of the hash function.  Applications that use keys longer
+        // than INSIZE bytes will first hash the key using H and then use the
+        // resultant OUTSIZE byte string as the actual key to HMAC."
+        if (key_size > SHA2_INSIZE) {
+                uint8_t tempkey[SHA1_OUTSIZE < SHA256_OUTSIZE ? SHA256_OUTSIZE : SHA1_OUTSIZE];
+                /* use ctx->hashed_key_xor_ipad as scratch ctx */
+                begin(&ctx->hashed_key_xor_ipad);
+                md5sha_hash(&ctx->hashed_key_xor_ipad, key, key_size);
+                key_size = sha_end(&ctx->hashed_key_xor_ipad, tempkey);
+                key = tempkey;
+        }
+        for (i = 0; i < key_size; i++) {
+                key_xor_ipad[i] = key[i] ^ 0x36;
+                key_xor_opad[i] = key[i] ^ 0x5c;
+        }
+        for (; i < SHA2_INSIZE; i++) {
+                key_xor_ipad[i] = 0x36;
+                key_xor_opad[i] = 0x5c;
+        }
+        begin(&ctx->hashed_key_xor_ipad);
+        begin(&ctx->hashed_key_xor_opad);
+        md5sha_hash(&ctx->hashed_key_xor_ipad, key_xor_ipad, SHA2_INSIZE);
+        md5sha_hash(&ctx->hashed_key_xor_opad, key_xor_opad, SHA2_INSIZE);
+}
+#undef begin
+unsigned FAST_FUNC hmac_end(hmac_ctx_t *ctx, uint8_t *out)
+{
+        unsigned len = sha_end(&ctx->hashed_key_xor_ipad, out);
+        /* out = H((key XOR opad) + out) */
+        md5sha_hash(&ctx->hashed_key_xor_opad, out, len);
+        return sha_end(&ctx->hashed_key_xor_opad, out);
+}
+unsigned FAST_FUNC hmac_block(const uint8_t *key, unsigned key_size, md5sha_begin_func *begin, const void *in, unsigned sz, uint8_t *out)
+{
+        hmac_ctx_t ctx;
+        hmac_begin(&ctx, key, key_size, begin);
+        hmac_hash(&ctx, in, sz);
+        return hmac_end(&ctx, out);
+}
+/* TLS helpers */
+void FAST_FUNC hmac_hash_v(
+                hmac_ctx_t *ctx,
+                va_list va)
+{
+        uint8_t *in;
+        /* ctx->hashed_key_xor_ipad contains unclosed "H((key XOR ipad) +" state */
+        /* ctx->hashed_key_xor_opad contains unclosed "H((key XOR opad) +" state */
+        /* calculate out = H((key XOR ipad) + text) */
+        while ((in = va_arg(va, uint8_t*)) != NULL) {
+                unsigned size = va_arg(va, unsigned);
+                md5sha_hash(&ctx->hashed_key_xor_ipad, in, size);
+        }
+}
+#else
+void _hmac_begin(hmac_ctx_t *ctx, uint8_t *key, unsigned key_size,
+                                        BCRYPT_ALG_HANDLE alg_handle) {
+        DWORD hash_object_length = 0;
+        ULONG _unused;
+        NTSTATUS status;
+        status = BCryptGetProperty(alg_handle, BCRYPT_OBJECT_LENGTH,
+                                (PUCHAR)&hash_object_length, sizeof(DWORD), &_unused, 0);
+        mingw_die_if_error(status, "BCryptGetProperty");
+        status = BCryptGetProperty(alg_handle, BCRYPT_HASH_LENGTH,
+                                (PUCHAR)&ctx->output_size, sizeof(DWORD), &_unused, 0);
+        mingw_die_if_error(status, "BCryptGetProperty");
+        ctx->hash_obj = xmalloc(hash_object_length);
+        status = BCryptCreateHash(alg_handle, &ctx->handle, ctx->hash_obj,
+                                hash_object_length, key, key_size, BCRYPT_HASH_REUSABLE_FLAG);
+        mingw_die_if_error(status, "BCryptCreateHash");
+}
+unsigned FAST_FUNC hmac_end(hmac_ctx_t *ctx, uint8_t *out)
+{
+        NTSTATUS status;
+        status = BCryptFinishHash(ctx->handle, out, ctx->output_size, 0);
+        mingw_die_if_error(status, "BCryptFinishHash");
+        return ctx->output_size;
+}
+void FAST_FUNC hmac_hash_v(hmac_ctx_t *ctx, va_list va)
+{
+        uint8_t *in;
+        while ((in = va_arg(va, uint8_t*)) != NULL) {
+                unsigned size = va_arg(va, unsigned);
+                BCryptHashData(ctx->handle, in, size, 0);
+        }
+}
+void hmac_uninit(hmac_ctx_t *ctx) {
+        BCryptDestroyHash(ctx->handle);
+        free(ctx->hash_obj);
+}
+#endif
+/* Using HMAC state, make a copy of it (IOW: without affecting this state!)
+ * hash in the list of (ptr,size) blocks, and finish the HMAC to out[] buffer.
+ * This function is useful for TLS PRF.
+ */
+unsigned hmac_peek_hash(hmac_ctx_t *ctx, uint8_t *out, ...)
+{
+        hmac_ctx_t tmpctx = *ctx; /* struct copy */
+        va_list va;
+        va_start(va, out);
+        hmac_hash_v(&tmpctx, va);
+        va_end(va);
+        return hmac_end(&tmpctx, out);
+}
diff --git a/libbb/hash_md5_sha.c b/libbb/hash_md5_sha.c
index 75a61c32c..22dd890bf 100644
--- a/libbb/hash_md5_sha.c
+++ b/libbb/hash_md5_sha.c
@@ -13,6 +13,82 @@
 #define NEED_SHA512 (ENABLE_SHA512SUM || ENABLE_USE_BB_CRYPT_SHA)
+#if ENABLE_FEATURE_USE_CNG_API
+# include <windows.h>
+# include <bcrypt.h>
+// these work on Windows >= 10
+# define BCRYPT_MD5_ALG_HANDLE    ((BCRYPT_ALG_HANDLE) 0x00000021)
+# define BCRYPT_SHA1_ALG_HANDLE   ((BCRYPT_ALG_HANDLE) 0x00000031)
+# define BCRYPT_SHA256_ALG_HANDLE ((BCRYPT_ALG_HANDLE) 0x00000041)
+# define BCRYPT_SHA512_ALG_HANDLE ((BCRYPT_ALG_HANDLE) 0x00000061)
+/* Initialize structure containing state of computation.
+ * (RFC 1321, 3.3: Step 3)
+ */
+static void generic_init(struct bcrypt_hash_ctx_t *ctx, BCRYPT_ALG_HANDLE alg_handle) {
+        DWORD hash_object_length = 0;
+        ULONG _unused;
+        NTSTATUS status;
+        status = BCryptGetProperty(alg_handle, BCRYPT_OBJECT_LENGTH, (PUCHAR)&hash_object_length, sizeof(DWORD), &_unused, 0);
+        mingw_die_if_error(status, "BCryptGetProperty");
+        status = BCryptGetProperty(alg_handle, BCRYPT_HASH_LENGTH, (PUCHAR)&ctx->output_size, sizeof(DWORD), &_unused, 0);
+        mingw_die_if_error(status, "BCryptGetProperty");
+        ctx->hash_obj = xmalloc(hash_object_length);
+        status = BCryptCreateHash(alg_handle, &ctx->handle, ctx->hash_obj, hash_object_length, NULL, 0, 0);
+        mingw_die_if_error(status, "BCryptCreateHash");
+}
+void FAST_FUNC md5_begin(md5_ctx_t *ctx)
+{
+        generic_init(ctx, BCRYPT_MD5_ALG_HANDLE);
+}
+void FAST_FUNC sha1_begin(sha1_ctx_t *ctx)
+{
+        generic_init(ctx, BCRYPT_SHA1_ALG_HANDLE);
+}
+/* Initialize structure containing state of computation.
+   (FIPS 180-2:5.3.2)  */
+void FAST_FUNC sha256_begin(sha256_ctx_t *ctx)
+{
+        generic_init(ctx, BCRYPT_SHA256_ALG_HANDLE);
+}
+#if NEED_SHA512
+/* Initialize structure containing state of computation.
+   (FIPS 180-2:5.3.3)  */
+void FAST_FUNC sha512_begin(sha512_ctx_t *ctx)
+{
+        generic_init(ctx, BCRYPT_SHA512_ALG_HANDLE);
+}
+#endif /* NEED_SHA512 */
+void FAST_FUNC generic_hash(struct bcrypt_hash_ctx_t *ctx, const void *buffer, size_t len)
+{
+        /*
+                for perf, no error checking here
+        */
+        /*NTSTATUS status = */ BCryptHashData(ctx->handle, (const PUCHAR)buffer, len, 0);
+        // mingw_die_if_error(status, "BCryptHashData");
+}
+unsigned FAST_FUNC generic_end(struct bcrypt_hash_ctx_t *ctx, void *resbuf)
+{
+        NTSTATUS status = BCryptFinishHash(ctx->handle, resbuf, ctx->output_size, 0);
+        mingw_die_if_error(status, "BCryptFinishHash");
+        BCryptDestroyHash(ctx->handle);
+        free(ctx->hash_obj);
+        return ctx->output_size;
+}
+#endif /* !ENABLE_FEATURE_USE_CNG_API */
 #if ENABLE_SHA1_HWACCEL || ENABLE_SHA256_HWACCEL
 # if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
 static void cpuid_eax_ebx_ecx(unsigned *eax, unsigned *ebx, unsigned *ecx, unsigned *edx)
@@ -80,6 +156,7 @@ static ALWAYS_INLINE uint64_t rotl64(uint64_t x, unsigned n)
        return (x << n) | (x >> (64 - n));
 }
+#if !ENABLE_FEATURE_USE_CNG_API
 /* Process the remaining bytes in the buffer */
 static void FAST_FUNC common64_end(md5_ctx_t *ctx, int swap_needed)
 {
@@ -1367,6 +1444,7 @@ unsigned FAST_FUNC sha512_end(sha512_ctx_t *ctx, void *resbuf)
        return sizeof(ctx->hash);
 }
 #endif /* NEED_SHA512 */
+#endif /* !ENABLE_FEATURE_USE_CNG_API */
 /*
diff --git a/libbb/hash_sha256_block.c b/libbb/hash_sha256_block.c
new file mode 100644
index 000000000..3c4366321
--- /dev/null
+++ b/libbb/hash_sha256_block.c
@@ -0,0 +1,19 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * Utility routines.
+ *
+ * Copyright (C) 2025 Denys Vlasenko
+ *
+ * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+ */
+//kbuild:lib-y += hash_sha256_block.o
+#include "libbb.h"
+void FAST_FUNC
+sha256_block(const void *in, size_t len, uint8_t hash[32])
+{
+        sha256_ctx_t ctx;
+        sha256_begin(&ctx);
+        sha256_hash(&ctx, in, len);
+        sha256_end(&ctx, hash);
+}
diff --git a/libbb/hash_sha256_hwaccel_x86-32.S b/libbb/hash_sha256_hwaccel_x86-32.S
index a0e4a571a..8d84055e8 100644
--- a/libbb/hash_sha256_hwaccel_x86-32.S
+++ b/libbb/hash_sha256_hwaccel_x86-32.S
@@ -34,21 +34,21 @@
 #define MSG             %xmm0
 #define STATE0          %xmm1
 #define STATE1          %xmm2
-#define MSGTMP0         %xmm3
+#define MSG0            %xmm3
-#define MSGTMP1         %xmm4
+#define MSG1            %xmm4
-#define MSGTMP2         %xmm5
+#define MSG2            %xmm5
-#define MSGTMP3         %xmm6
+#define MSG3            %xmm6
 #define XMMTMP          %xmm7
-#define SHUF(a,b,c,d) $(a+(b<<2)+(c<<4)+(d<<6))
+#define SHUF(a,b,c,d) $((a)+((b)<<2)+((c)<<4)+((d)<<6))
        .balign 8       # allow decoders to fetch at least 2 first insns
 sha256_process_block64_shaNI:
-        movu128         76+0*16(%eax), XMMTMP /* ABCD (little-endian dword order) */
+        movu128         76+0*16(%eax), XMMTMP /* ABCD (shown least-significant-dword-first) */
        movu128         76+1*16(%eax), STATE1 /* EFGH */
-/* shufps takes dwords 0,1 from *2nd* operand, and dwords 2,3 from 1st one */
+/* shufps: dwords 0,1 of the result are selected from *2nd* operand, and dwords 2,3 from 1st operand */
        mova128         STATE1, STATE0
        /* ---          -------------- ABCD -- EFGH */
        shufps          SHUF(1,0,1,0), XMMTMP, STATE0 /* FEBA */
@@ -58,190 +58,208 @@ sha256_process_block64_shaNI:
        mova128         PSHUFFLE_BSWAP32_FLIP_MASK, XMMTMP
        movl            $K256+8*16, SHA256CONSTANTS
+// sha256rnds2 instruction uses only lower 64 bits of MSG.
+// The code below needs to move upper 64 bits to lower 64 bits
+// for the second sha256rnds2 invocation
+// (what remains in upper bits does not matter).
+// There are several ways to do it:
+// movhlps    MSG, MSG                // abcd -> cdcd (3 bytes of code)
+// shuf128_32 SHUF(2,3,n,n), MSG, MSG // abcd -> cdXX (4 bytes)
+// punpckhqdq MSG, MSG                // abcd -> cdcd (4 bytes)
+// unpckhpd   MSG, MSG                // abcd -> cdcd (4 bytes)
+// psrldq     $8, MSG                 // abcd -> cd00 (5 bytes)
+// palignr    $8, MSG, MSG            // abcd -> cdab (6 bytes, SSSE3 insn)
+#define MOVE_UPPER64_DOWN(reg) movhlps reg, reg
+//#define MOVE_UPPER64_DOWN(reg) shuf128_32 SHUF(2,3,0,0), reg, reg
+//#define MOVE_UPPER64_DOWN(reg) punpckhqdq reg, reg
+//#define MOVE_UPPER64_DOWN(reg) unpckhpd reg, reg
+//#define MOVE_UPPER64_DOWN(reg) psrldq $8, reg
+//#define MOVE_UPPER64_DOWN(reg) palignr $8, reg, reg
        /* Rounds 0-3 */
        movu128         0*16(DATA_PTR), MSG
        pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP0
+        mova128         MSG, MSG0
                paddd           0*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
        /* Rounds 4-7 */
        movu128         1*16(DATA_PTR), MSG
        pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP1
+        mova128         MSG, MSG1
                paddd           1*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
        /* Rounds 8-11 */
        movu128         2*16(DATA_PTR), MSG
        pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP2
+        mova128         MSG, MSG2
                paddd           2*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
        /* Rounds 12-15 */
        movu128         3*16(DATA_PTR), MSG
        pshufb          XMMTMP, MSG
 /* ...to here */
-        mova128         MSG, MSGTMP3
+        mova128         MSG, MSG3
                paddd           3*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
+        mova128         MSG3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
+        palignr         $4, MSG2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
+        paddd           XMMTMP, MSG0
-        sha256msg2      MSGTMP3, MSGTMP0
+        sha256msg2      MSG3, MSG0
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
        /* Rounds 16-19 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                paddd           4*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
+        mova128         MSG0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
+        palignr         $4, MSG3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
+        paddd           XMMTMP, MSG1
-        sha256msg2      MSGTMP0, MSGTMP1
+        sha256msg2      MSG0, MSG1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
        /* Rounds 20-23 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                paddd           5*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
+        mova128         MSG1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
+        palignr         $4, MSG0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
+        paddd           XMMTMP, MSG2
-        sha256msg2      MSGTMP1, MSGTMP2
+        sha256msg2      MSG1, MSG2
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
        /* Rounds 24-27 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                paddd           6*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
+        mova128         MSG2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
+        palignr         $4, MSG1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
+        paddd           XMMTMP, MSG3
-        sha256msg2      MSGTMP2, MSGTMP3
+        sha256msg2      MSG2, MSG3
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
        /* Rounds 28-31 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                paddd           7*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
+        mova128         MSG3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
+        palignr         $4, MSG2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
+        paddd           XMMTMP, MSG0
-        sha256msg2      MSGTMP3, MSGTMP0
+        sha256msg2      MSG3, MSG0
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
        /* Rounds 32-35 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                paddd           8*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
+        mova128         MSG0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
+        palignr         $4, MSG3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
+        paddd           XMMTMP, MSG1
-        sha256msg2      MSGTMP0, MSGTMP1
+        sha256msg2      MSG0, MSG1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
        /* Rounds 36-39 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                paddd           9*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
+        mova128         MSG1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
+        palignr         $4, MSG0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
+        paddd           XMMTMP, MSG2
-        sha256msg2      MSGTMP1, MSGTMP2
+        sha256msg2      MSG1, MSG2
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
        /* Rounds 40-43 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                paddd           10*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
+        mova128         MSG2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
+        palignr         $4, MSG1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
+        paddd           XMMTMP, MSG3
-        sha256msg2      MSGTMP2, MSGTMP3
+        sha256msg2      MSG2, MSG3
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
        /* Rounds 44-47 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                paddd           11*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
+        mova128         MSG3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
+        palignr         $4, MSG2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
+        paddd           XMMTMP, MSG0
-        sha256msg2      MSGTMP3, MSGTMP0
+        sha256msg2      MSG3, MSG0
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
        /* Rounds 48-51 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                paddd           12*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
+        mova128         MSG0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
+        palignr         $4, MSG3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
+        paddd           XMMTMP, MSG1
-        sha256msg2      MSGTMP0, MSGTMP1
+        sha256msg2      MSG0, MSG1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
        /* Rounds 52-55 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                paddd           13*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
+        mova128         MSG1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
+        palignr         $4, MSG0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
+        paddd           XMMTMP, MSG2
-        sha256msg2      MSGTMP1, MSGTMP2
+        sha256msg2      MSG1, MSG2
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
        /* Rounds 56-59 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                paddd           14*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
+        mova128         MSG2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
+        palignr         $4, MSG1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
+        paddd           XMMTMP, MSG3
-        sha256msg2      MSGTMP2, MSGTMP3
+        sha256msg2      MSG2, MSG3
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
        /* Rounds 60-63 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                paddd           15*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
        /* Write hash values back in the correct order */
        mova128         STATE0, XMMTMP
-/* shufps takes dwords 0,1 from *2nd* operand, and dwords 2,3 from 1st one */
+/* shufps: dwords 0,1 of the result are selected from *2nd* operand, and dwords 2,3 from 1st operand */
        /* ---          -------------- HGDC -- FEBA */
        shufps          SHUF(3,2,3,2), STATE1, STATE0 /* ABCD */
        shufps          SHUF(1,0,1,0), STATE1, XMMTMP /* EFGH */
diff --git a/libbb/hash_sha256_hwaccel_x86-64.S b/libbb/hash_sha256_hwaccel_x86-64.S
index 172c2eae2..ee3abbd1f 100644
--- a/libbb/hash_sha256_hwaccel_x86-64.S
+++ b/libbb/hash_sha256_hwaccel_x86-64.S
@@ -34,24 +34,24 @@
 #define MSG             %xmm0
 #define STATE0          %xmm1
 #define STATE1          %xmm2
-#define MSGTMP0         %xmm3
+#define MSG0            %xmm3
-#define MSGTMP1         %xmm4
+#define MSG1            %xmm4
-#define MSGTMP2         %xmm5
+#define MSG2            %xmm5
-#define MSGTMP3         %xmm6
+#define MSG3            %xmm6
 #define XMMTMP          %xmm7
 #define SAVE0           %xmm8
 #define SAVE1           %xmm9
-#define SHUF(a,b,c,d) $(a+(b<<2)+(c<<4)+(d<<6))
+#define SHUF(a,b,c,d) $((a)+((b)<<2)+((c)<<4)+((d)<<6))
        .balign 8       # allow decoders to fetch at least 2 first insns
 sha256_process_block64_shaNI:
-        movu128         80+0*16(%rdi), XMMTMP /* ABCD (little-endian dword order) */
+        movu128         80+0*16(%rdi), XMMTMP /* ABCD (shown least-significant-dword-first) */
        movu128         80+1*16(%rdi), STATE1 /* EFGH */
-/* shufps takes dwords 0,1 from *2nd* operand, and dwords 2,3 from 1st one */
+/* shufps: dwords 0,1 of the result are selected from *2nd* operand, and dwords 2,3 from 1st operand */
        mova128         STATE1, STATE0
        /* ---          -------------- ABCD -- EFGH */
        shufps          SHUF(1,0,1,0), XMMTMP, STATE0 /* FEBA */
@@ -65,185 +65,203 @@ sha256_process_block64_shaNI:
        mova128         STATE0, SAVE0
        mova128         STATE1, SAVE1
+// sha256rnds2 instruction uses only lower 64 bits of MSG.
+// The code below needs to move upper 64 bits to lower 64 bits
+// for the second sha256rnds2 invocation
+// (what remains in upper bits does not matter).
+// There are several ways to do it:
+// movhlps    MSG, MSG                // abcd -> cdcd (3 bytes of code)
+// shuf128_32 SHUF(2,3,n,n), MSG, MSG // abcd -> cdXX (4 bytes)
+// punpckhqdq MSG, MSG                // abcd -> cdcd (4 bytes)
+// unpckhpd   MSG, MSG                // abcd -> cdcd (4 bytes)
+// psrldq     $8, MSG                 // abcd -> cd00 (5 bytes)
+// palignr    $8, MSG, MSG            // abcd -> cdab (6 bytes, SSSE3 insn)
+#define MOVE_UPPER64_DOWN(reg) movhlps reg, reg
+//#define MOVE_UPPER64_DOWN(reg) shuf128_32 SHUF(2,3,0,0), reg, reg
+//#define MOVE_UPPER64_DOWN(reg) punpckhqdq reg, reg
+//#define MOVE_UPPER64_DOWN(reg) unpckhpd reg, reg
+//#define MOVE_UPPER64_DOWN(reg) psrldq $8, reg
+//#define MOVE_UPPER64_DOWN(reg) palignr $8, reg, reg
        /* Rounds 0-3 */
        movu128         0*16(DATA_PTR), MSG
        pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP0
+        mova128         MSG, MSG0
                paddd           0*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
        /* Rounds 4-7 */
        movu128         1*16(DATA_PTR), MSG
        pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP1
+        mova128         MSG, MSG1
                paddd           1*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
        /* Rounds 8-11 */
        movu128         2*16(DATA_PTR), MSG
        pshufb          XMMTMP, MSG
-        mova128         MSG, MSGTMP2
+        mova128         MSG, MSG2
                paddd           2*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
        /* Rounds 12-15 */
        movu128         3*16(DATA_PTR), MSG
        pshufb          XMMTMP, MSG
 /* ...to here */
-        mova128         MSG, MSGTMP3
+        mova128         MSG, MSG3
                paddd           3*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
+        mova128         MSG3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
+        palignr         $4, MSG2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
+        paddd           XMMTMP, MSG0
-        sha256msg2      MSGTMP3, MSGTMP0
+        sha256msg2      MSG3, MSG0
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
        /* Rounds 16-19 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                paddd           4*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
+        mova128         MSG0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
+        palignr         $4, MSG3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
+        paddd           XMMTMP, MSG1
-        sha256msg2      MSGTMP0, MSGTMP1
+        sha256msg2      MSG0, MSG1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
        /* Rounds 20-23 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                paddd           5*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
+        mova128         MSG1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
+        palignr         $4, MSG0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
+        paddd           XMMTMP, MSG2
-        sha256msg2      MSGTMP1, MSGTMP2
+        sha256msg2      MSG1, MSG2
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
        /* Rounds 24-27 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                paddd           6*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
+        mova128         MSG2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
+        palignr         $4, MSG1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
+        paddd           XMMTMP, MSG3
-        sha256msg2      MSGTMP2, MSGTMP3
+        sha256msg2      MSG2, MSG3
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
        /* Rounds 28-31 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                paddd           7*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
+        mova128         MSG3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
+        palignr         $4, MSG2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
+        paddd           XMMTMP, MSG0
-        sha256msg2      MSGTMP3, MSGTMP0
+        sha256msg2      MSG3, MSG0
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
        /* Rounds 32-35 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                paddd           8*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
+        mova128         MSG0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
+        palignr         $4, MSG3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
+        paddd           XMMTMP, MSG1
-        sha256msg2      MSGTMP0, MSGTMP1
+        sha256msg2      MSG0, MSG1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
        /* Rounds 36-39 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                paddd           9*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
+        mova128         MSG1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
+        palignr         $4, MSG0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
+        paddd           XMMTMP, MSG2
-        sha256msg2      MSGTMP1, MSGTMP2
+        sha256msg2      MSG1, MSG2
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP1, MSGTMP0
+        sha256msg1      MSG1, MSG0
        /* Rounds 40-43 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                paddd           10*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
+        mova128         MSG2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
+        palignr         $4, MSG1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
+        paddd           XMMTMP, MSG3
-        sha256msg2      MSGTMP2, MSGTMP3
+        sha256msg2      MSG2, MSG3
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP2, MSGTMP1
+        sha256msg1      MSG2, MSG1
        /* Rounds 44-47 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                paddd           11*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP3, XMMTMP
+        mova128         MSG3, XMMTMP
-        palignr         $4, MSGTMP2, XMMTMP
+        palignr         $4, MSG2, XMMTMP
-        paddd           XMMTMP, MSGTMP0
+        paddd           XMMTMP, MSG0
-        sha256msg2      MSGTMP3, MSGTMP0
+        sha256msg2      MSG3, MSG0
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP3, MSGTMP2
+        sha256msg1      MSG3, MSG2
        /* Rounds 48-51 */
-        mova128         MSGTMP0, MSG
+        mova128         MSG0, MSG
                paddd           12*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP0, XMMTMP
+        mova128         MSG0, XMMTMP
-        palignr         $4, MSGTMP3, XMMTMP
+        palignr         $4, MSG3, XMMTMP
-        paddd           XMMTMP, MSGTMP1
+        paddd           XMMTMP, MSG1
-        sha256msg2      MSGTMP0, MSGTMP1
+        sha256msg2      MSG0, MSG1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
-        sha256msg1      MSGTMP0, MSGTMP3
+        sha256msg1      MSG0, MSG3
        /* Rounds 52-55 */
-        mova128         MSGTMP1, MSG
+        mova128         MSG1, MSG
                paddd           13*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP1, XMMTMP
+        mova128         MSG1, XMMTMP
-        palignr         $4, MSGTMP0, XMMTMP
+        palignr         $4, MSG0, XMMTMP
-        paddd           XMMTMP, MSGTMP2
+        paddd           XMMTMP, MSG2
-        sha256msg2      MSGTMP1, MSGTMP2
+        sha256msg2      MSG1, MSG2
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
        /* Rounds 56-59 */
-        mova128         MSGTMP2, MSG
+        mova128         MSG2, MSG
                paddd           14*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-        mova128         MSGTMP2, XMMTMP
+        mova128         MSG2, XMMTMP
-        palignr         $4, MSGTMP1, XMMTMP
+        palignr         $4, MSG1, XMMTMP
-        paddd           XMMTMP, MSGTMP3
+        paddd           XMMTMP, MSG3
-        sha256msg2      MSGTMP2, MSGTMP3
+        sha256msg2      MSG2, MSG3
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
        /* Rounds 60-63 */
-        mova128         MSGTMP3, MSG
+        mova128         MSG3, MSG
                paddd           15*16-8*16(SHA256CONSTANTS), MSG
                sha256rnds2     MSG, STATE0, STATE1
-                shuf128_32      $0x0E, MSG, MSG
+                MOVE_UPPER64_DOWN(MSG)
                sha256rnds2     MSG, STATE1, STATE0
        /* Add current hash values with previously saved */
@@ -252,7 +270,7 @@ sha256_process_block64_shaNI:
        /* Write hash values back in the correct order */
        mova128         STATE0, XMMTMP
-/* shufps takes dwords 0,1 from *2nd* operand, and dwords 2,3 from 1st one */
+/* shufps: dwords 0,1 of the result are selected from *2nd* operand, and dwords 2,3 from 1st operand */
        /* ---          -------------- HGDC -- FEBA */
        shufps          SHUF(3,2,3,2), STATE1, STATE0 /* ABCD */
        shufps          SHUF(1,0,1,0), STATE1, XMMTMP /* EFGH */
diff --git a/libbb/lineedit.c b/libbb/lineedit.c
index 8e2b37853..c8a0f37fe 100644
--- a/libbb/lineedit.c
+++ b/libbb/lineedit.c
@@ -457,7 +457,7 @@ static void put_cur_glyph_and_inc_cursor(void)
                 * have automargin (IOW: it is moving cursor to next line
                 * by itself (which is wrong for VT-10x terminals)),
                 * this will break things: there will be one extra empty line */
-                puts("\r"); /* + implicit '\n' */
+                fputs("\r\n", stderr);
 #else
                /* VT-10x terminals don't wrap cursor to next line when last char
                 * on the line is printed - cursor stays "over" this char.
@@ -1302,9 +1302,10 @@ static void showfiles(void)
                        );
                }
                if (ENABLE_UNICODE_SUPPORT)
-                        puts(printable_string(matches[n]));
+                        fputs(printable_string(matches[n]), stderr);
                else
-                        puts(matches[n]);
+                        fputs(matches[n], stderr);
+                bb_putchar_stderr('\n');
        }
 }
@@ -1595,8 +1596,8 @@ unsigned FAST_FUNC size_from_HISTFILESIZE(const char *hp)
 # endif
        if (hp) {
                size = atoi(hp);
-                if (size <= 0)
+                if (size < 0)
-                        return 1;
+                        return 0;
                if (size > MAX_HISTORY)
                        return MAX_HISTORY;
        }
@@ -1690,18 +1691,21 @@ static void load_history(line_input_t *st_parm)
        /* NB: do not trash old history if file can't be opened */
        fp = fopen_for_read(st_parm->hist_file);
-        if (fp) {
+        if (!fp)
-                /* clean up old history */
+                return;
-                for (idx = st_parm->cnt_history; idx > 0;) {
-                        idx--;
+        /* clean up old history */
-                        free(st_parm->history[idx]);
+        for (idx = st_parm->cnt_history; idx > 0;) {
-                        st_parm->history[idx] = NULL;
+                idx--;
-                }
+                free(st_parm->history[idx]);
+                st_parm->history[idx] = NULL;
+        }
-                /* fill temp_h[], retaining only last MAX_HISTORY lines */
+        /* fill temp_h[], retaining only last max_history lines */
-                memset(temp_h, 0, sizeof(temp_h));
+        memset(temp_h, 0, sizeof(temp_h));
-                idx = 0;
+        idx = 0;
-                st_parm->cnt_history_in_file = 0;
+        st_parm->cnt_history_in_file = 0;
+        if (st_parm->max_history != 0) {
                while ((line = xmalloc_fgetline(fp)) != NULL) {
                        if (line[0] == '\0') {
                                free(line);
@@ -1714,34 +1718,34 @@ static void load_history(line_input_t *st_parm)
                        if (idx == st_parm->max_history)
                                idx = 0;
                }
-                fclose(fp);
+        }
+        fclose(fp);
-                /* find first non-NULL temp_h[], if any */
-                if (st_parm->cnt_history_in_file) {
-                        while (temp_h[idx] == NULL) {
-                                idx++;
-                                if (idx == st_parm->max_history)
-                                        idx = 0;
-                        }
-                }
-                /* copy temp_h[] to st_parm->history[] */
+        /* find first non-NULL temp_h[], if any */
-                for (i = 0; i < st_parm->max_history;) {
+        if (st_parm->cnt_history_in_file != 0) {
-                        line = temp_h[idx];
+                while (temp_h[idx] == NULL) {
-                        if (!line)
-                                break;
                        idx++;
                        if (idx == st_parm->max_history)
                                idx = 0;
-                        line_len = strlen(line);
-                        if (line_len >= MAX_LINELEN)
-                                line[MAX_LINELEN-1] = '\0';
-                        st_parm->history[i++] = line;
                }
-                st_parm->cnt_history = i;
-                if (ENABLE_FEATURE_EDITING_SAVE_ON_EXIT)
-                        st_parm->cnt_history_in_file = i;
        }
+        /* copy temp_h[] to st_parm->history[] */
+        for (i = 0; i < st_parm->max_history;) {
+                line = temp_h[idx];
+                if (!line)
+                        break;
+                idx++;
+                if (idx == st_parm->max_history)
+                        idx = 0;
+                line_len = strlen(line);
+                if (line_len >= MAX_LINELEN)
+                        line[MAX_LINELEN-1] = '\0';
+                st_parm->history[i++] = line;
+        }
+        st_parm->cnt_history = i;
+        if (ENABLE_FEATURE_EDITING_SAVE_ON_EXIT)
+                st_parm->cnt_history_in_file = i;
 }
 #  if ENABLE_FEATURE_EDITING_SAVE_ON_EXIT
@@ -1749,17 +1753,27 @@ void FAST_FUNC save_history(line_input_t *st)
 {
        FILE *fp;
-        if (!st || !st->hist_file)
+        /* bash compat: HISTFILE="" disables history saving */
+        if (!st || !st->hist_file || !state->hist_file[0])
                return;
        if (st->cnt_history <= st->cnt_history_in_file)
-                return;
+                return; /* no new entries were added */
+        /* note: if st->max_history is 0, we do not abort: we truncate the history to 0 lines */
-        fp = fopen(st->hist_file, "a");
+        fp = fopen(st->hist_file, (st->max_history == 0 ? "w" : "a"));
        if (fp) {
                int i, fd;
                char *new_name;
                line_input_t *st_temp;
+                /* max_history==0 needs special-casing in general code,
+                 * just handle it in a simpler way: */
+                if (st->max_history == 0) {
+                        /* fopen("w") already truncated it */
+                        fclose(fp);
+                        return;
+                }
                for (i = st->cnt_history_in_file; i < st->cnt_history; i++)
                        fprintf(fp, "%s\n", st->history[i]);
                fclose(fp);
@@ -1769,6 +1783,8 @@ void FAST_FUNC save_history(line_input_t *st)
                st_temp = new_line_input_t(st->flags);
                st_temp->hist_file = st->hist_file;
                st_temp->max_history = st->max_history;
+                /* load no more than max_history last lines */
+                /* (in unlikely case that file disappeared, st_temp gets empty history) */
                load_history(st_temp);
                /* write out temp file and replace hist_file atomically */
@@ -1792,13 +1808,13 @@ static void save_history(char *str)
        int fd;
        int len, len2;
-        if (!state->hist_file)
+        /* bash compat: HISTFILE="" disables history saving */
+        if (!state->hist_file || !state->hist_file[0])
                return;
        fd = open(state->hist_file, O_WRONLY | O_CREAT | O_APPEND, 0600);
        if (fd < 0)
                return;
-        xlseek(fd, 0, SEEK_END); /* paranoia */
        len = strlen(str);
        str[len] = '\n'; /* we (try to) do atomic write */
        len2 = full_write(fd, str, len + 1);
@@ -1853,13 +1869,10 @@ static void remember_in_history(char *str)
        if (str[0] == '\0')
                return;
        i = state->cnt_history;
-        /* Don't save dupes */
+        /* Don't save dups */
-        if (i && strcmp(state->history[i-1], str) == 0)
+        if (i != 0 && strcmp(state->history[i-1], str) == 0)
                return;
-        free(state->history[state->max_history]); /* redundant, paranoia */
-        state->history[state->max_history] = NULL; /* redundant, paranoia */
        /* If history[] is full, remove the oldest command */
        /* we need to keep history[state->max_history] empty, hence >=, not > */
        if (i >= state->max_history) {
@@ -1872,7 +1885,7 @@ static void remember_in_history(char *str)
                        state->cnt_history_in_file--;
 # endif
        }
-        /* i <= state->max_history-1 */
+        /* i < state->max_history */
        state->history[i++] = xstrdup(str);
        /* i <= state->max_history */
        state->cur_history = i;
@@ -2388,7 +2401,6 @@ static int lineedit_read_key(char *read_key_buffer, int timeout)
                                errno = EINTR;
                                return -1;
                        }
-//FIXME: still races here with signals, but small window to poll() inside read_key
                        IF_FEATURE_EDITING_WINCH(S.ok_to_redraw = 1;)
                        /* errno = 0; - read_key does this itself */
                        ic = read_key(STDIN_FILENO, read_key_buffer, timeout);
diff --git a/libbb/poll_with_signals.c b/libbb/poll_with_signals.c
new file mode 100644
index 000000000..d3c005418
--- /dev/null
+++ b/libbb/poll_with_signals.c
@@ -0,0 +1,48 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * Utility routines.
+ *
+ * Copyright (C) 2025 Denys Vlasenko <vda.linux@googlemail.com>
+ *
+ * Licensed under GPLv2, see file LICENSE in this source tree.
+ */
+//kbuild:lib-$(CONFIG_PLATFORM_POSIX) += poll_with_signals.o
+#include "libbb.h"
+/* Shells, for example, need their line input and "read" builtin
+ * to be interruptible, and the naive handling of it a-la:
+ *      if (bb_got_signal) {
+ *              errno = EINTR;
+ *              return -1;
+ *      }
+ *      poll(pfd, 1, -1); // signal here would set EINTR
+ * is racy.
+ * This is a bit heavy-handed, but safe wrt races:
+ */
+int FAST_FUNC check_got_signal_and_poll(struct pollfd pfd[1], int timeout)
+{
+        int n;
+        struct timespec tv;
+        sigset_t orig_mask;
+        if (bb_got_signal) /* optimization */
+                goto eintr;
+        if (timeout >= 0) {
+                tv.tv_sec = timeout / 1000;
+                tv.tv_nsec = (timeout % 1000) * 1000000;
+        }
+        /* test bb_got_signal, then poll(), atomically wrt signals */
+        sigfillset(&orig_mask);
+        sigprocmask2(SIG_BLOCK, &orig_mask);
+        if (bb_got_signal) {
+                sigprocmask2(SIG_SETMASK, &orig_mask);
+ eintr:
+                errno = EINTR; /* inform the caller that we got a signal */
+                return -1;
+        }
+        n = ppoll(pfd, 1, timeout >= 0 ? &tv : NULL, &orig_mask);
+        sigprocmask2(SIG_SETMASK, &orig_mask);
+        return n;
+}
diff --git a/libbb/pw_ascii64.c b/libbb/pw_ascii64.c
new file mode 100644
index 000000000..3993932ca
--- /dev/null
+++ b/libbb/pw_ascii64.c
@@ -0,0 +1,91 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * Utility routines.
+ *
+ * Copyright (C) 1999-2004 by Erik Andersen <andersen@codepoet.org>
+ *
+ * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+ */
+/* Returns >=64 for invalid chars */
+int FAST_FUNC a2i64(char c)
+{
+        unsigned char ch = c;
+        if (ch >= 'a')
+                /* "a..z" to 38..63 */
+                /* anything after "z": positive int >= 64 */
+                return (ch - 'a' + 38);
+        if (ch > 'Z')
+                /* after "Z" but before "a": positive byte >= 64 */
+                return ch;
+        if (ch >= 'A')
+                /* "A..Z" to 12..37 */
+                return (ch - 'A' + 12);
+        if (ch > '9')
+                return 64;
+        /* "./0123456789" to 0,1,2..11 */
+        /* anything before "." becomes positive byte >= 64 */
+        return (unsigned char)(ch - '.');
+}
+/* 0..63 ->
+ * "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+ */
+int FAST_FUNC i2a64(int i)
+{
+        i &= 0x3f;
+        i += '.';
+        /* the above maps 0..11 to "./0123456789":
+         * ACSII codes of "./" are ('0'-2) and ('0'-1) */
+        if (i > '9')
+                i += ('A' - '9' - 1);
+        if (i > 'Z')
+                i += ('a' - 'Z' - 1);
+        return i;
+}
+char* FAST_FUNC
+num2str64_lsb_first(char *s, unsigned v, int n)
+{
+        while (--n >= 0) {
+                *s++ = i2a64(v);
+                v >>= 6;
+        }
+        return s;
+}
+static void
+num2str64_4chars_msb_first(char *s, unsigned v)
+{
+        *s++ = i2a64(v >> 18); /* bits 23..18 */
+        *s++ = i2a64(v >> 12); /* bits 17..12 */
+        *s++ = i2a64(v >> 6); /* bits 11..6 */
+        *s   = i2a64(v); /* bits 5..0 */
+}
+int FAST_FUNC crypt_make_rand64encoded(char *p, int cnt /*, int x */)
+{
+        /* was: x += ... */
+        unsigned x = getpid() + monotonic_us();
+        do {
+                /* x = (x*1664525 + 1013904223) % 2^32 generator is lame
+                 * (low-order bit is not "random", etc...),
+                 * but for our purposes it is good enough */
+                x = x*1664525 + 1013904223;
+                /* BTW, Park and Miller's "minimal standard generator" is
+                 * x = x*16807 % ((2^31)-1)
+                 * It has no problem with visibly alternating lowest bit
+                 * but is also weak in cryptographic sense + needs div,
+                 * which needs more code (and slower) on many CPUs */
+                *p++ = i2a64(x >> 16);
+                *p++ = i2a64(x >> 22);
+        } while (--cnt);
+        *p = '\0';
+        return x;
+}
diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c
index 3463fd95b..93653de9f 100644
--- a/libbb/pw_encrypt.c
+++ b/libbb/pw_encrypt.c
@@ -13,48 +13,11 @@
 #endif
 #include "libbb.h"
-/* static const uint8_t ascii64[] ALIGN1 =
+#include "pw_ascii64.c"
- * "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
- */
-static int i64c(int i)
-{
-        i &= 0x3f;
-        if (i == 0)
-                return '.';
-        if (i == 1)
-                return '/';
-        if (i < 12)
-                return ('0' - 2 + i);
-        if (i < 38)
-                return ('A' - 12 + i);
-        return ('a' - 38 + i);
-}
-int FAST_FUNC crypt_make_salt(char *p, int cnt /*, int x */)
-{
-        /* was: x += ... */
-        unsigned x = getpid() + monotonic_us();
-        do {
-                /* x = (x*1664525 + 1013904223) % 2^32 generator is lame
-                 * (low-order bit is not "random", etc...),
-                 * but for our purposes it is good enough */
-                x = x*1664525 + 1013904223;
-                /* BTW, Park and Miller's "minimal standard generator" is
-                 * x = x*16807 % ((2^31)-1)
-                 * It has no problem with visibly alternating lowest bit
-                 * but is also weak in cryptographic sense + needs div,
-                 * which needs more code (and slower) on many CPUs */
-                *p++ = i64c(x >> 16);
-                *p++ = i64c(x >> 22);
-        } while (--cnt);
-        *p = '\0';
-        return x;
-}
 char* FAST_FUNC crypt_make_pw_salt(char salt[MAX_PW_SALT_LEN], const char *algo)
 {
-        int len = 2/2;
+        int len = 2 / 2;
        char *salt_ptr = salt;
        /* Standard chpasswd uses uppercase algos ("MD5", not "md5").
@@ -67,28 +30,61 @@ char* FAST_FUNC crypt_make_pw_salt(char salt[MAX_PW_SALT_LEN], const char *algo)
                *salt_ptr++ = '$';
 #if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_SHA
                if ((algo[0]|0x20) == 's') { /* sha */
-                        salt[1] = '5' + (strcasecmp(algo, "sha512") == 0);
+                        salt[1] = '5' + (strncasecmp(algo, "sha512", 6) == 0);
-                        len = 16/2;
+                        len = 16 / 2;
+                }
+#endif
+#if !ENABLE_USE_BB_CRYPT || ENABLE_USE_BB_CRYPT_YES
+                if ((algo[0]|0x20) == 'y') { /* yescrypt */
+                        int rnd;
+                        salt[1] = 'y';
+// The "j9T$" below is the default "yescrypt parameters" encoded by yescrypt_encode_params_r():
+//shadow-4.17.4/src/passwd.c
+//      salt = crypt_make_salt(NULL, NULL);
+//shadow-4.17.4/lib/salt.c
+//const char *crypt_make_salt(const char *meth, void *arg)
+//      if (streq(method, "YESCRYPT")) {
+//              MAGNUM(result, 'y');
+//              salt_len = YESCRYPT_SALT_SIZE; // 24
+//              rounds = YESCRYPT_get_salt_cost(arg);  // always Y_COST_DEFAULT == 5 for NULL arg
+//              YESCRYPT_salt_cost_to_buf(result, rounds); // always "j9T$"
+//      char *retval = crypt_gensalt(result, rounds, NULL, 0);
+//libxcrypt-4.4.38/lib/crypt-yescrypt.c
+//void gensalt_yescrypt_rn (unsigned long count,
+//                     const uint8_t *rbytes, size_t nrbytes,
+//                     uint8_t *output, size_t o_size)
+//  yescrypt_params_t params = {
+//    .flags = YESCRYPT_DEFAULTS,
+//    .p = 1,
+//  };
+//  if (count < 3) ... else
+//      params.r = 32;                  // N in 4KiB
+//      params.N = 1ULL << (count + 7); // 3 -> 1024, 4 -> 2048, ... 11 -> 262144
+//  yescrypt_encode_params_r(&params, rbytes, nrbytes, outbuf, o_size) // always "$y$j9T$<random>"
+                        len = 22 / 2;
+                        salt_ptr = stpcpy(salt_ptr, "j9T$");
+                        /* append 2*len random chars */
+                        rnd = crypt_make_rand64encoded(salt_ptr, len);
+                        /* fix up last char: it must be in 0..3 range (encoded as one of "./01").
+                         * IOW: salt_ptr[20..21] encode 16th random byte, must not be > 0xff.
+                         * Without this, we can generate salts which are rejected
+                         * by implementations with more strict salt length check.
+                         */
+                        salt_ptr[21] = i2a64(rnd & 3);
+                        /* For "mkpasswd -m yescrypt PASS j9T$<salt>" use case,
+                         * "j9T$" is considered part of salt,
+                         * need to return pointer to 'j'. Without -4,
+                         * we'd end up using "j9T$j9T$<salt>" as salt.
+                         */
+                        return salt_ptr - 4;
                }
 #endif
        }
-        crypt_make_salt(salt_ptr, len);
+        crypt_make_rand64encoded(salt_ptr, len); /* appends 2*len random chars */
        return salt_ptr;
 }
 #if ENABLE_USE_BB_CRYPT
-static char*
-to64(char *s, unsigned v, int n)
-{
-        while (--n >= 0) {
-                /* *s++ = ascii64[v & 0x3f]; */
-                *s++ = i64c(v);
-                v >>= 6;
-        }
-        return s;
-}
 /*
 * DES and MD5 crypt implementations are taken from uclibc.
 * They were modified to not use static buffers.
@@ -99,6 +95,9 @@ to64(char *s, unsigned v, int n)
 #if ENABLE_USE_BB_CRYPT_SHA
 #include "pw_encrypt_sha.c"
 #endif
+#if ENABLE_USE_BB_CRYPT_YES
+#include "pw_encrypt_yes.c"
+#endif
 /* Other advanced crypt ids (TODO?): */
 /* $2$ or $2a$: Blowfish */
@@ -109,7 +108,7 @@ static struct des_ctx *des_ctx;
 /* my_crypt returns malloc'ed data */
 static char *my_crypt(const char *key, const char *salt)
 {
-        /* MD5 or SHA? */
+        /* "$x$...." string? */
        if (salt[0] == '$' && salt[1] && salt[2] == '$') {
                if (salt[1] == '1')
                        return md5_crypt(xzalloc(MD5_OUT_BUFSIZE), (unsigned char*)key, (unsigned char*)salt);
@@ -117,6 +116,10 @@ static char *my_crypt(const char *key, const char *salt)
                if (salt[1] == '5' || salt[1] == '6')
                        return sha_crypt((char*)key, (char*)salt);
 #endif
+#if ENABLE_USE_BB_CRYPT_YES
+                if (salt[1] == 'y')
+                        return yes_crypt(key, salt);
+#endif
        }
        if (!des_cctx)
diff --git a/libbb/pw_encrypt_des.c b/libbb/pw_encrypt_des.c
index fe8237cfe..ca8aa9bcc 100644
--- a/libbb/pw_encrypt_des.c
+++ b/libbb/pw_encrypt_des.c
@@ -186,39 +186,9 @@ static const uint8_t pbox[32] ALIGN1 = {
         2,  8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25
 };
-static const uint32_t bits32[32] ALIGN4 = {
-        0x80000000, 0x40000000, 0x20000000, 0x10000000,
-        0x08000000, 0x04000000, 0x02000000, 0x01000000,
-        0x00800000, 0x00400000, 0x00200000, 0x00100000,
-        0x00080000, 0x00040000, 0x00020000, 0x00010000,
-        0x00008000, 0x00004000, 0x00002000, 0x00001000,
-        0x00000800, 0x00000400, 0x00000200, 0x00000100,
-        0x00000080, 0x00000040, 0x00000020, 0x00000010,
-        0x00000008, 0x00000004, 0x00000002, 0x00000001
-};
 static const uint8_t bits8[8] ALIGN1 = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
-static int
-ascii_to_bin(char ch)
-{
-        if (ch > 'z')
-                return 0;
-        if (ch >= 'a')
-                return (ch - 'a' + 38);
-        if (ch > 'Z')
-                return 0;
-        if (ch >= 'A')
-                return (ch - 'A' + 12);
-        if (ch > '9')
-                return 0;
-        if (ch >= '.')
-                return (ch - '.');
-        return 0;
-}
 /* Static stuff that stays resident and doesn't change after
 * being initialized, and therefore doesn't need to be made
 * reentrant. */
@@ -354,11 +324,18 @@ des_init(struct des_ctx *ctx, const struct const_des_ctx *cctx)
        int i, j, b, k, inbit, obit;
        uint32_t p;
        const uint32_t *bits28, *bits24;
+        uint32_t bits32[32];
        if (!ctx)
                ctx = xmalloc(sizeof(*ctx));
        const_ctx = cctx;
+        p = 0x80000000U;
+        for (i = 0; p; i++) {
+                bits32[i] = p;
+                p >>= 1;
+        }
 #if USE_REPETITIVE_SPEEDUP
        old_rawkey0 = old_rawkey1 = 0;
        old_salt = 0;
@@ -694,21 +671,6 @@ do_des(struct des_ctx *ctx, /*uint32_t l_in, uint32_t r_in,*/ uint32_t *l_out, u
 #define DES_OUT_BUFSIZE 21
-static void
-to64_msb_first(char *s, unsigned v)
-{
-#if 0
-        *s++ = ascii64[(v >> 18) & 0x3f]; /* bits 23..18 */
-        *s++ = ascii64[(v >> 12) & 0x3f]; /* bits 17..12 */
-        *s++ = ascii64[(v >> 6) & 0x3f]; /* bits 11..6 */
-        *s   = ascii64[v & 0x3f]; /* bits 5..0 */
-#endif
-        *s++ = i64c(v >> 18); /* bits 23..18 */
-        *s++ = i64c(v >> 12); /* bits 17..12 */
-        *s++ = i64c(v >> 6); /* bits 11..6 */
-        *s   = i64c(v); /* bits 5..0 */
-}
 static char *
 NOINLINE
 des_crypt(struct des_ctx *ctx, char output[DES_OUT_BUFSIZE],
@@ -740,44 +702,28 @@ des_crypt(struct des_ctx *ctx, char output[DES_OUT_BUFSIZE],
         */
        output[0] = salt_str[0];
        output[1] = salt_str[1];
-        salt = (ascii_to_bin(salt_str[1]) << 6)
-             |  ascii_to_bin(salt_str[0]);
+        salt = a2i64(salt_str[0]);
+        if (salt >= 64)
+                return NULL; /* bad salt char */
+        salt |= (a2i64(salt_str[1]) << 6);
+        if (salt >= (64 << 6))
+                return NULL; /* bad salt char */
        setup_salt(ctx, salt); /* set ctx->saltbits for do_des() */
        /* Do it. */
        do_des(ctx, /*0, 0,*/ &r0, &r1, 25 /* count */);
        /* Now encode the result. */
-#if 0
-{
-        uint32_t l = (r0 >> 8);
-        q = (uint8_t *)output + 2;
-        *q++ = ascii64[(l >> 18) & 0x3f]; /* bits 31..26 of r0 */
-        *q++ = ascii64[(l >> 12) & 0x3f]; /* bits 25..20 of r0 */
-        *q++ = ascii64[(l >> 6) & 0x3f]; /* bits 19..14 of r0 */
-        *q++ = ascii64[l & 0x3f]; /* bits 13..8 of r0 */
-        l = ((r0 << 16) | (r1 >> 16));
-        *q++ = ascii64[(l >> 18) & 0x3f]; /* bits 7..2 of r0 */
-        *q++ = ascii64[(l >> 12) & 0x3f]; /* bits 1..2 of r0 and 31..28 of r1 */
-        *q++ = ascii64[(l >> 6) & 0x3f]; /* bits 27..22 of r1 */
-        *q++ = ascii64[l & 0x3f]; /* bits 21..16 of r1 */
-        l = r1 << 2;
-        *q++ = ascii64[(l >> 12) & 0x3f]; /* bits 15..10 of r1 */
-        *q++ = ascii64[(l >> 6) & 0x3f]; /* bits 9..4 of r1 */
-        *q++ = ascii64[l & 0x3f]; /* bits 3..0 of r1 + 00 */
-        *q = 0;
-}
-#else
        /* Each call takes low-order 24 bits and stores 4 chars */
        /* bits 31..8 of r0 */
-        to64_msb_first(output + 2, (r0 >> 8));
+        num2str64_4chars_msb_first(output + 2, (r0 >> 8));
        /* bits 7..0 of r0 and 31..16 of r1 */
-        to64_msb_first(output + 6, (r0 << 16) | (r1 >> 16));
+        num2str64_4chars_msb_first(output + 6, (r0 << 16) | (r1 >> 16));
        /* bits 15..0 of r1 and two zero bits (plus extra zero byte) */
-        to64_msb_first(output + 10, (r1 << 8));
+        num2str64_4chars_msb_first(output + 10, (r1 << 8));
        /* extra zero byte is encoded as '.', fixing it */
        output[13] = '\0';
-#endif
        return output;
 }
diff --git a/libbb/pw_encrypt_md5.c b/libbb/pw_encrypt_md5.c
index 1e52ecaea..92d039f96 100644
--- a/libbb/pw_encrypt_md5.c
+++ b/libbb/pw_encrypt_md5.c
@@ -149,9 +149,9 @@ md5_crypt(char result[MD5_OUT_BUFSIZE], const unsigned char *pw, const unsigned
        final[16] = final[5];
        for (i = 0; i < 5; i++) {
                unsigned l = (final[i] << 16) | (final[i+6] << 8) | final[i+12];
-                p = to64(p, l, 4);
+                p = num2str64_lsb_first(p, l, 4);
        }
-        p = to64(p, final[11], 2);
+        p = num2str64_lsb_first(p, final[11], 2);
        *p = '\0';
        /* Don't leave anything around in vm they could use. */
diff --git a/libbb/pw_encrypt_sha.c b/libbb/pw_encrypt_sha.c
index 5457d7ab6..695a5c07f 100644
--- a/libbb/pw_encrypt_sha.c
+++ b/libbb/pw_encrypt_sha.c
@@ -84,8 +84,7 @@ sha_crypt(/*const*/ char *key_data, /*const*/ char *salt_data)
           as a scratch space later. */
        salt_data = xstrndup(salt_data, salt_len);
        /* add "salt$" to result */
-        strcpy(resptr, salt_data);
+        resptr = stpcpy(resptr, salt_data);
-        resptr += salt_len;
        *resptr++ = '$';
        /* key data doesn't need much processing */
        key_len = strlen(key_data);
@@ -198,7 +197,7 @@ sha_crypt(/*const*/ char *key_data, /*const*/ char *salt_data)
 #define b64_from_24bit(B2, B1, B0, N) \
 do { \
        unsigned w = ((B2) << 16) | ((B1) << 8) | (B0); \
-        resptr = to64(resptr, w, N); \
+        resptr = num2str64_lsb_first(resptr, w, N); \
 } while (0)
        if (_32or64 == 32) { /* sha256 */
                unsigned i = 0;
diff --git a/libbb/pw_encrypt_yes.c b/libbb/pw_encrypt_yes.c
new file mode 100644
index 000000000..50bd06418
--- /dev/null
+++ b/libbb/pw_encrypt_yes.c
@@ -0,0 +1,24 @@
+/*
+ * Utility routines.
+ *
+ * Copyright (C) 2025 by Denys Vlasenko <vda.linux@googlemail.com>
+ *
+ * Licensed under GPLv2, see file LICENSE in this source tree.
+ */
+#include "yescrypt/alg-yescrypt.h"
+static char *
+yes_crypt(const char *passwd, const char *salt_data)
+{
+        /* prefix, '$', hash, NUL */
+        char buf[YESCRYPT_PREFIX_LEN + 1 + YESCRYPT_HASH_LEN + 1];
+        char *retval;
+        retval = yescrypt_r(
+                        (const uint8_t *)passwd, strlen(passwd),
+                        (const uint8_t *)salt_data,
+                        buf, sizeof(buf));
+        /* The returned value is either buf[], or NULL on error */
+        return xstrdup(retval);
+}
diff --git a/libbb/read_key.c b/libbb/read_key.c
index 54886cc9c..2414105ee 100644
--- a/libbb/read_key.c
+++ b/libbb/read_key.c
@@ -11,7 +11,7 @@
 int64_t FAST_FUNC read_key(int fd, char *buffer, int timeout)
 {
-        struct pollfd pfd;
+        struct pollfd pfd[1];
        const char *seq;
        int n;
@@ -117,8 +117,8 @@ int64_t FAST_FUNC read_key(int fd, char *buffer, int timeout)
                return windows_read_key(fd, buffer, timeout);
 #endif
-        pfd.fd = fd;
+        pfd->fd = fd;
-        pfd.events = POLLIN;
+        pfd->events = POLLIN;
        buffer++; /* saved chars counter is in buffer[-1] now */
@@ -126,12 +126,16 @@ int64_t FAST_FUNC read_key(int fd, char *buffer, int timeout)
        errno = 0;
        n = (unsigned char)buffer[-1];
        if (n == 0) {
-                /* If no data, wait for input.
+                /* No data. Wait for input. */
-                 * If requested, wait TIMEOUT ms. TIMEOUT = -1 is useful
-                 * if fd can be in non-blocking mode.
+                /* timeout == -2 means "do not poll". Else: */
-                 */
                if (timeout >= -1) {
-                        n = poll(&pfd, 1, timeout);
+                        /* We must poll even if timeout == -1:
+                         * we want to be interrupted if signal arrives,
+                         * regardless of SA_RESTART-ness of that signal!
+                         */
+                        /* test bb_got_signal, then poll(), atomically wrt signals */
+                        n = check_got_signal_and_poll(pfd, timeout);
                        if (n < 0 && errno == EINTR)
                                return n;
                        if (n == 0) {
@@ -140,6 +144,7 @@ int64_t FAST_FUNC read_key(int fd, char *buffer, int timeout)
                                return -1;
                        }
                }
                /* It is tempting to read more than one byte here,
                 * but it breaks pasting. Example: at shell prompt,
                 * user presses "c","a","t" and then pastes "\nline\n".
@@ -178,7 +183,7 @@ int64_t FAST_FUNC read_key(int fd, char *buffer, int timeout)
                                 * so if we block for long it's not really an escape sequence.
                                 * Timeout is needed to reconnect escape sequences
                                 * split up by transmission over a serial console. */
-                                if (safe_poll(&pfd, 1, 50) == 0) {
+                                if (safe_poll(pfd, 1, 50) == 0) {
                                        /* No more data!
                                         * Array is sorted from shortest to longest,
                                         * we can't match anything later in array -
@@ -227,7 +232,7 @@ int64_t FAST_FUNC read_key(int fd, char *buffer, int timeout)
         * n = bytes read. Try to read more until we time out.
         */
        while (n < KEYCODE_BUFFER_SIZE-1) { /* 1 for count byte at buffer[-1] */
-                if (safe_poll(&pfd, 1, 50) == 0) {
+                if (safe_poll(pfd, 1, 50) == 0) {
                        /* No more data! */
                        break;
                }
diff --git a/libbb/u_signal_names.c b/libbb/u_signal_names.c
index ef2b6f891..e233849c5 100644
--- a/libbb/u_signal_names.c
+++ b/libbb/u_signal_names.c
@@ -27,10 +27,6 @@
 #include "libbb.h"
-#if ENABLE_PLATFORM_MINGW32
-# undef SIGPIPE
-#endif
 #if ENABLE_PLATFORM_POSIX || defined(SIGSTKFLT) || defined(SIGVTALRM)
 # define SIGLEN 7
 #elif defined(SIGWINCH) || (ENABLE_FEATURE_RTMINMAX && \
diff --git a/libbb/xfuncs.c b/libbb/xfuncs.c
index 7df1a4cd3..5609858d1 100644
--- a/libbb/xfuncs.c
+++ b/libbb/xfuncs.c
@@ -333,7 +333,7 @@ int FAST_FUNC get_termios_and_make_raw(int fd, struct termios *newterm, struct t
        *newterm = *oldterm;
 #if ENABLE_PLATFORM_MINGW32
-        newterm->imode &=
+        newterm->w_mode &=
                ~(ENABLE_ECHO_INPUT | ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT);
 #else
        /* Turn off buffered input (ICANON)
diff --git a/libbb/yescrypt/Kbuild.src b/libbb/yescrypt/Kbuild.src
new file mode 100644
index 000000000..a61211a29
--- /dev/null
+++ b/libbb/yescrypt/Kbuild.src
@@ -0,0 +1,9 @@
+# Makefile for busybox
+#
+# Copyright (C) 2025 by Denys Vlasenko <vda.linux@googlemail.com>
+#
+# Licensed under GPLv2, see file LICENSE in this source tree.
+lib-y:=
+INSERT
diff --git a/libbb/yescrypt/PARAMETERS b/libbb/yescrypt/PARAMETERS
new file mode 100644
index 000000000..d9f5d24e6
--- /dev/null
+++ b/libbb/yescrypt/PARAMETERS
@@ -0,0 +1,196 @@
+        Optimal yescrypt configuration.
+yescrypt is very flexible, but configuring it optimally is complicated.
+Here are some guidelines to simplify near-optimal configuration.  We
+start by listing the parameters and their typical values, and then give
+currently recommended parameter sets by use case.
+        Parameters and their typical values.
+Set flags (yescrypt flavor) to YESCRYPT_DEFAULTS to use the currently
+recommended flavor.  (Other flags values exist for compatibility and for
+specialized cases where you think you know what you're doing.)
+Set N (block count) based on target memory usage and running time, as
+well as on the value of r (block size in 128 byte units).  N must be a
+power of two.
+Set r (block size) to 8 (so that N is in KiB, which is convenient) or to
+another small value (if more optimal or for fine-tuning of the total
+size and/or running time).  Reasonable values for r are from 8 to 96.
+Set p (parallelism) to 1 meaning no thread-level parallelism within one
+computation of yescrypt.  (Use of thread-level parallelism within
+yescrypt makes sense for ROM initialization and for key derivation at
+high memory usage, but usually not for password hashing where
+parallelism is available through concurrent authentication attempts.
+Don't use p > 1 unnecessarily.)
+Set t (time) to 0 to use the optimal running time for a given memory
+usage.  This will allow you to maximize the memory usage (the value of
+N*r) while staying within your running time constraints.  (Non-zero t
+makes sense in specialized cases where you can't afford higher memory
+usage but can afford more time.)
+Set g (upgrades) to 0 because there have been no hash upgrades yet.
+Set NROM (block count of ROM) to 0 unless you use a ROM (see below).
+NROM must be a power of two.
+        Password hashing for user authentication, no ROM.
+Small and fast (memory usage 2 MiB, performance like bcrypt cost 2^5 -
+latency 2-3 ms and throughput 10,000+ per second on a 16-core server):
+flags = YESCRYPT_DEFAULTS, N = 2048, r = 8, p = 1, t = 0, g = 0, NROM = 0
+Large and slow (memory usage 16 MiB, performance like bcrypt cost 2^8 -
+latency 10-30 ms and throughput 1000+ per second on a 16-core server):
+flags = YESCRYPT_DEFAULTS, N = 4096, r = 32, p = 1, t = 0, g = 0, NROM = 0
+Of course, even heavier and slower settings are possible, if affordable.
+Simply double the value of N as many times as needed.  Since N must be a
+power of two, you may use r (in the range of 8 to 32) or/and t (in the
+range of 0 to 2) for fine-tuning the running time, but first bring N to
+the maximum you can afford.  If this feels too complicated, just use one
+of the two parameter sets given above (preferably the second) as-is.
+        Password hashing for user authentication, with ROM.
+It's similar to the above, except that you need to adjust r, set NROM,
+and initialize the ROM.
+First decide on a ROM size, such as making it a large portion of your
+dedicated authentication servers' RAM sizes.  Since NROM (block count)
+must be a power of two, you might need to choose r (block size) based on
+how your desired ROM size corresponds to a power of two.  Also tuning
+for performance on current hardware, you'll likely end up with r in the
+range from slightly below 16 to 32.  For example, to use 15/16 of a
+server's 256 GiB RAM as ROM (thus, making it 240 GiB), you could use
+r=15 or r=30.  To use 23/24 of a server's 384 GiB RAM as ROM (thus,
+making it 368 GiB), you'd use r=23.  Then set NROM to your desired ROM
+size in KiB divided by 128*r.  Note that these examples might (or might
+not) be too extreme, leaving little memory for the rest of the system.
+You could as well opt for 7/8 with r=14 or 11/12 with r=11 or r=22.
+Note that higher r may make placing of ROM in e.g. NVMe flash memory
+instead of in RAM more reasonable (or less unreasonable) than it would
+have been with a lower r.  If this is a concern as it relates to
+possible attacks and you do not intend to ever do it defensively, you
+might want to keep r lower (e.g., prefer r=15 over r=30 in the example
+above, even if 30 performs slightly faster).
+Your adjustments to r, if you deviate from powers of two, will also
+result in weirder memory usage per hash.  Like 1.75 MiB at r=14 instead
+of 2 MiB at r=8 that you would have used without a ROM.  That's OK.
+For ROM initialization, which you do with yescrypt_init_shared(), use
+the same r and NROM that you'd later use for password hashing, choose p
+based on your servers' physical and/or logical CPU count (maybe
+considering eventual upgrades as you won't be able to change this later,
+but without going unnecessarily high - e.g., p=28, p=56, or p=112 make
+sense on servers that currently have 28 physical / 56 logical CPUs), and
+set the rest of the parameters to:
+flags = YESCRYPT_DEFAULTS, N = 0, t = 0, g = 0
+N is set to 0 because it isn't relevant during ROM initialization (you
+can use different values of N for hashing passwords with the same ROM).
+To keep the ROM in e.g. SysV shared memory and reuse it across your
+authentication service restarts, you'd need to allocate the memory and
+set the flags to "YESCRYPT_DEFAULTS | YESCRYPT_SHARED_PREALLOCATED".
+For actual password hashing, you'd use your chosen values for N, r,
+NROM, and set the rest of the parameters to:
+flags = YESCRYPT_DEFAULTS, p = 1, t = 0, g = 0
+Note that although you'd use a large p for ROM initialization, you
+should use p=1 for actual password hashing like you would without a ROM.
+Do not forget to pass the ROM into the actual password hashing (and keep
+r and NROM set accordingly).
+Since N must be a power of two and r is dependent on ROM size, you may
+use t (in the range of 0 to 2) for fine-tuning the running time, but
+first bring N to the maximum you can afford.
+If this feels too complicated, or even if it doesn't, please consider
+engaging Openwall for your yescrypt deployment.  We'd be happy to help.
+        Password-based key derivation.
+(Or rather passphrase-based.)
+Use settings similar to those for password hashing without a ROM, but
+adjusted for higher memory usage and running time, and optionally with
+thread-level parallelism.
+Small and fast (memory usage 128 MiB, running time under 100 ms on a
+fast desktop):
+flags = YESCRYPT_DEFAULTS, N = 32768, r = 32, p = 1, t = 0, g = 0, NROM = 0
+Large and fast (memory usage 1 GiB, running time under 200 ms on a fast
+quad-core desktop not including memory allocation overhead, under 250 ms
+with the overhead included), but requires build with OpenMP support (or
+otherwise will run as slow as yet be weaker than its p=1 alternative):
+flags = YESCRYPT_DEFAULTS, N = 262144, r = 32, p = 4, t = 0, g = 0, NROM = 0
+Large and slower (memory usage 1 GiB, running time under 300 ms on a
+fast quad-core desktop not including memory allocation overhead, under
+350 ms with the overhead included), also requires build with OpenMP
+support (or otherwise will run slower than the p=1 alternative below):
+flags = YESCRYPT_DEFAULTS, N = 262144, r = 32, p = 4, t = 2, g = 0, NROM = 0
+Large and slow (memory usage 1 GiB, running time under 600 ms on a fast
+desktop not including memory allocation overhead, under 650 ms with the
+overhead included):
+flags = YESCRYPT_DEFAULTS, N = 262144, r = 32, p = 1, t = 0, g = 0, NROM = 0
+Just like with password hashing, even heavier and slower settings are
+possible, if affordable, and you achieve them by adjusting N, r, t in
+the same way and in the same preferred ranges (please see the section on
+password hashing without a ROM, above).  Unlike with password hashing,
+it makes some sense to go above t=2 if you expect that your users might
+not be able to afford more memory but can afford more time.  However,
+increasing the memory usage provides better protection, and we don't
+recommend forcing your users to wait for more than 1 second as they
+could as well type more characters in that time.  If this feels too
+complicated, just use one of the above parameter sets as-is.
+        Amortization of memory allocation overhead.
+It takes a significant fraction of yescrypt's total running time to
+allocate memory from the operating system, especially considering that
+the kernel zeroizes the memory before handing it over to your program.
+Unless you naturally need to compute yescrypt just once per process, you
+may achieve greater efficiency by fully using advanced yescrypt APIs
+that let you preserve and reuse the memory allocation across yescrypt
+invocations.  This is done by reusing the structure pointed to by the
+"yescrypt_local_t *local" argument of yescrypt_r() or yescrypt_kdf()
+without calling yescrypt_free_local() inbetween the repeated invocations
+of yescrypt.
+        YESCRYPT_DEFAULTS macro.
+Please note that the value of the YESCRYPT_DEFAULTS macro might change
+later, so if you use the macro like it's recommended here then for
+results reproducible across versions you might need to store its value
+somewhere along with the hashes or the encrypted data.
+If you use yescrypt's standard hash string encoding, then yescrypt
+already encodes and decodes this value for you, so you don't need to
+worry about this.
diff --git a/libbb/yescrypt/README b/libbb/yescrypt/README
new file mode 100644
index 000000000..c1011c56a
--- /dev/null
+++ b/libbb/yescrypt/README
@@ -0,0 +1,4 @@
+The yescrypt code in this directory is adapted from libxcrypt-4.4.38
+with minimal edits, hopefully making it easier to track
+backports by resetting the tree to the commit which created this file,
+then comparing changes in upstream libxcrypt to the tree.
diff --git a/libbb/yescrypt/alg-sha256.c b/libbb/yescrypt/alg-sha256.c
new file mode 100644
index 000000000..20e8d1ee4
--- /dev/null
+++ b/libbb/yescrypt/alg-sha256.c
@@ -0,0 +1,86 @@
+/*-
+ * Copyright 2005-2016 Colin Percival
+ * Copyright 2016-2018,2021 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+/**
+ * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
+ * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
+ * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
+ */
+static void
+PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen,
+                const uint8_t *salt, size_t saltlen,
+                uint64_t c, uint8_t *buf, size_t dkLen)
+{
+        hmac_ctx_t Phctx, PShctx;
+        uint32_t i;
+        /* Compute HMAC state after processing P. */
+        hmac_begin(&Phctx, passwd, passwdlen, sha256_begin);
+        /* Compute HMAC state after processing P and S. */
+        PShctx = Phctx;
+        hmac_hash(&PShctx, salt, saltlen);
+        /* Iterate through the blocks. */
+        for (i = 0; dkLen != 0; ) {
+                uint64_t U[32 / 8];
+                uint64_t T[32 / 8];
+                uint64_t j;
+                uint32_t ivec;
+                size_t clen;
+                int k;
+                /* Generate INT(i). */
+                i++;
+                ivec = SWAP_BE32(i);
+                /* Compute U_1 = PRF(P, S || INT(i)). */
+                hmac_peek_hash(&PShctx, (void*)T, &ivec, 4, NULL);
+//TODO: the above is a vararg function, might incur some ABI pain
+//does libbb need a non-vararg version with just one (buf,len)?
+                if (c > 1) {
+                        /* T_i = U_1 ... */
+                        memcpy(U, T, 32);
+                        for (j = 2; j <= c; j++) {
+                                /* Compute U_j. */
+                                hmac_peek_hash(&Phctx, (void*)U, U, 32, NULL);
+                                /* ... xor U_j ... */
+                                for (k = 0; k < 32 / 8; k++)
+                                        T[k] ^= U[k];
+                                //TODO: xorbuf32_aligned_long(T, U);
+                        }
+                }
+                /* Copy as many bytes as necessary into buf. */
+                clen = dkLen;
+                if (clen > 32)
+                        clen = 32;
+                buf = mempcpy(buf, T, clen);
+                dkLen -= clen;
+        }
+}
diff --git a/libbb/yescrypt/alg-yescrypt-common.c b/libbb/yescrypt/alg-yescrypt-common.c
new file mode 100644
index 000000000..c51823787
--- /dev/null
+++ b/libbb/yescrypt/alg-yescrypt-common.c
@@ -0,0 +1,408 @@
+/*-
+ * Copyright 2013-2018 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+#if RESTRICTED_PARAMS
+#define decode64_uint32(dst, src, min) \
+({ \
+        uint32_t d32 = a2i64(*(src)); \
+        if (d32 > 47) \
+                goto fail; \
+        *(dst) = d32 + (min); \
+        ++src; \
+})
+#define test_decode64_uint32() ((void)0)
+#define FULL_PARAMS(...)
+#else
+#define FULL_PARAMS(...) __VA_ARGS__
+/* Not inlining:
+ * de/encode64 functions are only used to read
+ * yescrypt_params_t field, and convert salt to binary -
+ * both of these are negligible compared to main hashing operation
+ */
+static NOINLINE const uint8_t *decode64_uint32(
+                uint32_t *dst,
+                const uint8_t *src, uint32_t val)
+{
+        uint32_t start = 0, end = 47, bits = 0;
+        uint32_t c;
+        if (!src) /* previous decode failed already? */
+                goto fail;
+        c = a2i64(*src++);
+        if (c > 63)
+                goto fail;
+// The encoding of number N:
+// start = 0 end = 47
+// If N < 48, it is encoded verbatim, else
+// N -= 48
+// start = end+1 = 48
+// end += (64-end)/2 = 55
+// If N < (end+1-start)<<6 = 8<<6, it is encoded as 48+(N>>6)|low6bits (that is, 48...55|<6bit>), else
+// N -= 8<<6
+// start = end+1 = 56
+// end += (64-end)/2 = 59
+// If N < (end+1-start)<<2*6 = 4<<12, it is encoded as 56+(N>>2*6)|low12bits (that is, 56...59|<6bit>|<6bit>), else
+// ...same for 60..61|<6bit>|<6bit>|<6bit>
+// .......same for 62|<6bit>|<6bit>|<6bit>|<6bit>
+// .......same for 63|<6bit>|<6bit>|<6bit>|<6bit>|<6bit>
+        dbg_dec64("c:%d val:0x%08x", (int)c, (unsigned)val);
+        while (c > end) {
+                dbg_dec64("c:%d > end:%d", (int)c, (int)end);
+                val += (end + 1 - start) << bits;
+                dbg_dec64("val+=0x%08x", (int)((end + 1 - start) << bits));
+                dbg_dec64(" val:0x%08x", (unsigned)val);
+                start = end + 1;
+                end += (64 - end) / 2;
+                bits += 6;
+                dbg_dec64("start=%d", (int)start);
+                dbg_dec64("end=%d", (int)end);
+                dbg_dec64("bits=%d", (int)bits);
+        }
+        val += (c - start) << bits;
+        dbg_dec64("final val+=0x%08x", (int)((c - start) << bits));
+        dbg_dec64("       val:0x%08x", (unsigned)val);
+        while (bits != 0) {
+                c = a2i64(*src++);
+                if (c > 63)
+                        goto fail;
+                bits -= 6;
+                val += c << bits;
+                dbg_dec64("low bits val+=0x%08x", (int)(c << bits));
+                dbg_dec64("          val:0x%08x", (unsigned)val);
+        }
+ ret:
+        *dst = val;
+        return src;
+ fail:
+        val = 0;
+        src = NULL;
+        goto ret;
+}
+#if TEST_DECODE64
+static void test_decode64_uint32(void)
+{
+        const uint8_t *src, *end;
+        uint32_t u32;
+        int a = 48;
+        int b = 8<<6;  // 0x0200
+        int c = 4<<12; // 0x04000
+        int d = 2<<18; // 0x080000
+        int e = 1<<24; // 0x1000000
+        src = (void*)"wzzz";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x0003ffff+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 4) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+        src = (void*)"xzzz";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x0007ffff+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 4) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+        // Note how the last representable "x---" encoding, 0x7ffff, is exactly d-1!
+        // And if we now increment it, we get:
+        src = (void*)"y....";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x00000000+d+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 5) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+        src = (void*)"yzzzz";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x00ffffff+d+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 5) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+        src = (void*)"zzzzzz";
+        end = decode64_uint32(&u32, src, 0);
+        if (u32 != 0x3fffffff+e+d+c+b+a) bb_error_msg_and_die("Incorrect decode '%s':0x%08x", src, (unsigned)u32);
+        if (end != src + 6) bb_error_msg_and_die("Incorrect decode '%s': %p end:%p", src, src, end);
+        bb_error_msg("test_decode64_uint32() OK");
+}
+#else
+# define test_decode64_uint32() ((void)0)
+#endif
+#endif /* !RESTRICTED_PARAMS */
+#if 1
+static const uint8_t *decode64(
+                uint8_t *dst, size_t *dstlen,
+                const uint8_t *src)
+{
+        unsigned dstpos = 0;
+        dbg_dec64("src:'%s'", src);
+        for (;;) {
+                uint32_t c, value = 0;
+                int bits = 0;
+                while (*src != '\0' && *src != '$') {
+                        c = a2i64(*src);
+                        if (c > 63) { /* bad ascii64 char, stop decoding at it */
+                                break;
+                        }
+                        src++;
+                        value |= c << bits;
+                        bits += 6;
+                        if (bits == 24) /* got 4 chars */
+                                goto store;
+                }
+                /* we read entire src, or met a non-ascii64 char (such as "$") */
+                if (bits == 0)
+                        break;
+                /* else: we got last, partial bit block - store it */
+ store:
+                dbg_dec64(" storing bits:%d dstpos:%u v:%08x", bits, dstpos, (int)SWAP_BE32(value)); //BE to see lsb first
+                for (;;) {
+                        if ((*src == '\0' || *src == '$')
+                         && value == 0 && bits < 8
+                        ) {
+                                /* Example: mkpasswd PWD '$y$j9T$123':
+                                 * the "123" is bits:18 value:03,51,00
+                                 * is considered to be 2 bytes, not 3!
+                                 *
+                                 * '$y$j9T$zzz' in upstream fails outright (3rd byte isn't zero).
+                                 * IOW: for upstream, validity of salt depends on VALUE,
+                                 * not just size of salt. Which is a bug.
+                                 * The '$y$j9T$zzz.' salt is the same
+                                 * (it adds 6 zero msbits) but upstream works with it,
+                                 * thus '$y$j9T$zzz' should work too and give the same result.
+                                 */
+                                goto end;
+                        }
+                        if (dstpos >= *dstlen) {
+                                dbg_dec64(" ERR: bits:%d dstpos:%u dst[] is too small", bits, dstpos);
+                                goto fail;
+                        }
+                        *dst++ = value;
+                        dstpos++;
+                        value >>= 8;
+                        bits -= 8;
+                        if (bits <= 0) /* can get negative, if we e.g. had 6 bits */
+                                break;
+                }
+                if (*src == '\0' || *src == '$')
+                        break;
+        }
+ end:
+        *dstlen = dstpos;
+        dbg_dec64("dec64: OK, dst[%d]", (int)dstpos);
+        return src;
+ fail:
+        /* *dstlen = 0; - not needed, caller detects error by seeing NULL */
+        return NULL;
+}
+#else
+/* Buggy (and larger) original code */
+static const uint8_t *decode64(
+                uint8_t *dst, size_t *dstlen,
+                const uint8_t *src, size_t srclen)
+{
+        size_t dstpos = 0;
+        while (dstpos <= *dstlen && srclen) {
+                uint32_t value = 0, bits = 0;
+                while (srclen--) {
+                        uint32_t c = a2i64(*src);
+                        if (c > 63) {
+                                srclen = 0;
+                                break;
+                        }
+                        src++;
+                        value |= c << bits;
+                        bits += 6;
+                        if (bits >= 24)
+                                break;
+                }
+                if (!bits)
+                        break;
+                if (bits < 12) /* must have at least one full byte */
+                        goto fail;
+                dbg_dec64(" storing bits:%d v:%08x", (int)bits, (int)SWAP_BE32(value)); //BE to see lsb first
+                while (dstpos++ < *dstlen) {
+                        *dst++ = value;
+                        value >>= 8;
+                        bits -= 8;
+                        if (bits < 8) { /* 2 or 4 */
+                                if (value) /* must be 0 */
+                                        goto fail;
+                                bits = 0;
+                                break;
+                        }
+                }
+                if (bits)
+                        goto fail;
+        }
+        if (!srclen && dstpos <= *dstlen) {
+                *dstlen = dstpos;
+                dbg_dec64("dec64: OK, dst[%d]", (int)dstpos);
+                return src;
+        }
+ fail:
+        /* *dstlen = 0; - not needed, caller detects error by seeing NULL */
+        return NULL;
+}
+#endif
+static char *encode64(
+                char *dst, size_t dstlen,
+                const uint8_t *src, size_t srclen)
+{
+        while (srclen) {
+                uint32_t value = 0, b = 0;
+                do {
+                        value |= (uint32_t)(*src++ << b);
+                        b += 8;
+                        srclen--;
+                } while (srclen && b < 24);
+                b >>= 3; /* number of bits to number of bytes */
+                b++; /* 1, 2 or 3 bytes will become 2, 3 or 4 ascii64 chars */
+                dstlen -= b;
+                if ((ssize_t)dstlen <= 0)
+                        return NULL;
+                dst = num2str64_lsb_first(dst, value, b);
+        }
+        *dst = '\0';
+        return dst;
+}
+char *yescrypt_r(
+                const uint8_t *passwd, size_t passwdlen,
+                const uint8_t *setting,
+                char *buf, size_t buflen)
+{
+        struct {
+                yescrypt_ctx_t yctx[1];
+                unsigned char hashbin32[32];
+        } u;
+#define yctx      u.yctx
+#define hashbin32 u.hashbin32
+        char *dst;
+        const uint8_t *src, *saltend;
+        size_t need, prefixlen;
+        uint32_t u32;
+        test_decode64_uint32();
+        memset(yctx, 0, sizeof(yctx));
+        FULL_PARAMS(yctx->param.p = 1;)
+        /* we assume setting starts with "$y$" (caller must ensure this) */
+        src = setting + 3;
+        src = decode64_uint32(&yctx->param.flags, src, 0);
+        /* "j9T" returns: 0x2f */
+        //if (!src)
+        //      goto fail;
+        if (yctx->param.flags < YESCRYPT_RW) {
+                dbg("yctx->param.flags=0x%x", (unsigned)yctx->param.flags);
+                goto fail; // bbox: we don't support scrypt - only yescrypt
+        } else if (yctx->param.flags <= YESCRYPT_RW + (YESCRYPT_RW_FLAVOR_MASK >> 2)) {
+                /* "j9T" sets flags to 0xb6 */
+                yctx->param.flags = YESCRYPT_RW + ((yctx->param.flags - YESCRYPT_RW) << 2);
+                dbg("yctx->param.flags=0x%x", (unsigned)yctx->param.flags);
+                dbg(" YESCRYPT_RW:%u", !!(yctx->param.flags & YESCRYPT_RW));
+                dbg((yctx->param.flags & YESCRYPT_RW_FLAVOR_MASK) ==
+                       (YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 | YESCRYPT_SIMPLE_2 | YESCRYPT_SBOX_12K)
+                    ? " YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 | YESCRYPT_SIMPLE_2 | YESCRYPT_SBOX_12K"
+                    : " flags are not standard"
+                );
+        } else {
+                goto fail;
+        }
+        src = decode64_uint32(&u32, src, 1);
+        if (/*!src ||*/ u32 > 63)
+                goto fail;
+        yctx->param.N = (uint64_t)1 << u32;
+        /* "j9T" sets to 4096 (1<<12) */
+        dbg("yctx->param.N=%llu (1<<%u)", (unsigned long long)yctx->param.N, (unsigned)u32);
+        src = decode64_uint32(&yctx->param.r, src, 1);
+        /* "j9T" sets to 32 */
+        dbg("yctx->param.r=%u", yctx->param.r);
+        if (!src)
+                goto fail;
+        if (*src != '$') {
+#if RESTRICTED_PARAMS
+                goto fail;
+#else
+                src = decode64_uint32(&u32, src, 1);
+                dbg("yescrypt has extended params:0x%x", (unsigned)u32);
+                if (u32 & 1)
+                        src = decode64_uint32(&yctx->param.p, src, 2);
+                if (u32 & 2)
+                        src = decode64_uint32(&yctx->param.t, src, 1);
+                if (u32 & 4)
+                        src = decode64_uint32(&yctx->param.g, src, 1);
+                if (u32 & 8) {
+                        src = decode64_uint32(&u32, src, 1);
+                        if (/*!src ||*/ u32 > 63)
+                                goto fail;
+                        yctx->param.NROM = (uint64_t)1 << u32;
+                }
+                if (!src)
+                        goto fail;
+                if (*src != '$')
+                        goto fail;
+#endif
+        }
+        yctx->saltlen = sizeof(yctx->salt);
+        src++; /* now points to salt */
+        saltend = decode64(yctx->salt, &yctx->saltlen, src);
+        if (!saltend || (*saltend != '\0' && *saltend != '$'))
+                goto fail; /* salt[] is too small, or bad char during decode */
+        dbg_dec64("salt is %d ascii64 chars -> %d bytes (in binary)", (int)(saltend - src), (int)yctx->saltlen);
+        prefixlen = saltend - setting;
+        need = prefixlen + 1 + YESCRYPT_HASH_LEN + 1;
+        if (need > buflen /*overflow is quite unlikely: || need < prefixlen*/)
+                goto fail;
+        if (yescrypt_kdf32(yctx, passwd, passwdlen, hashbin32)) {
+                dbg("error in yescrypt_kdf32");
+                goto fail;
+        }
+        dst = mempcpy(buf, setting, prefixlen);
+        *dst++ = '$';
+        dst = encode64(dst, buflen - (dst - buf), hashbin32, sizeof(hashbin32));
+        if (!dst)
+                goto fail;
+ ret:
+        free_region(yctx->local);
+        explicit_bzero(&u, sizeof(u));
+        return buf;
+ fail:
+        buf = NULL;
+        goto ret;
+#undef yctx
+#undef hashbin32
+}
diff --git a/libbb/yescrypt/alg-yescrypt-kdf.c b/libbb/yescrypt/alg-yescrypt-kdf.c
new file mode 100644
index 000000000..a9a1bd591
--- /dev/null
+++ b/libbb/yescrypt/alg-yescrypt-kdf.c
@@ -0,0 +1,1212 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * Copyright 2012-2018 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+#if __STDC_VERSION__ >= 199901L
+/* Have restrict */
+#elif defined(__GNUC__)
+#define restrict __restrict
+#else
+#define restrict
+#endif
+#ifdef __GNUC__
+#define unlikely(exp) __builtin_expect(exp, 0)
+#else
+#define unlikely(exp) (exp)
+#endif
+typedef union {
+        uint32_t w[16];
+        uint64_t d[8];
+} salsa20_blk_t;
+static void salsa20_simd_shuffle(
+                const salsa20_blk_t *Bin,
+                salsa20_blk_t *Bout)
+{
+#define COMBINE(out, in1, in2) \
+do { \
+        Bout->d[out] = Bin->w[in1 * 2] | ((uint64_t)Bin->w[in2 * 2 + 1] << 32); \
+} while (0)
+        COMBINE(0, 0, 2);
+        COMBINE(1, 5, 7);
+        COMBINE(2, 2, 4);
+        COMBINE(3, 7, 1);
+        COMBINE(4, 4, 6);
+        COMBINE(5, 1, 3);
+        COMBINE(6, 6, 0);
+        COMBINE(7, 3, 5);
+#undef COMBINE
+}
+static void salsa20_simd_unshuffle(
+                const salsa20_blk_t *Bin,
+                salsa20_blk_t *Bout)
+{
+#define UNCOMBINE(out, in1, in2) \
+do { \
+        Bout->w[out * 2] = Bin->d[in1]; \
+        Bout->w[out * 2 + 1] = Bin->d[in2] >> 32; \
+} while (0)
+        UNCOMBINE(0, 0, 6);
+        UNCOMBINE(1, 5, 3);
+        UNCOMBINE(2, 2, 0);
+        UNCOMBINE(3, 7, 5);
+        UNCOMBINE(4, 4, 2);
+        UNCOMBINE(5, 1, 7);
+        UNCOMBINE(6, 6, 4);
+        UNCOMBINE(7, 3, 1);
+#undef UNCOMBINE
+}
+#define DECL_X \
+        salsa20_blk_t X
+#define DECL_Y \
+        salsa20_blk_t Y
+#if KDF_UNROLL_COPY
+#define COPY(out, in) \
+do { \
+        (out).d[0] = (in).d[0]; \
+        (out).d[1] = (in).d[1]; \
+        (out).d[2] = (in).d[2]; \
+        (out).d[3] = (in).d[3]; \
+        (out).d[4] = (in).d[4]; \
+        (out).d[5] = (in).d[5]; \
+        (out).d[6] = (in).d[6]; \
+        (out).d[7] = (in).d[7]; \
+} while (0)
+#else
+#define COPY(out, in) \
+do { \
+        memcpy((out).d, (in).d, sizeof((in).d)); \
+} while (0)
+#endif
+#define READ_X(in)   COPY(X, in)
+#define WRITE_X(out) COPY(out, X)
+/**
+ * salsa20(B):
+ * Apply the Salsa20 core to the provided block.
+ */
+static void salsa20(salsa20_blk_t *restrict B,
+                salsa20_blk_t *restrict Bout,
+                uint32_t doublerounds)
+{
+        salsa20_blk_t X;
+#define x X.w
+        salsa20_simd_unshuffle(B, &X);
+        do {
+#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
+                /* Operate on columns */
+#if KDF_UNROLL_SALSA20
+                x[ 4] ^= R(x[ 0]+x[12], 7); // x[j] ^= R(x[k]+x[l], CONST)
+                x[ 8] ^= R(x[ 4]+x[ 0], 9);
+                x[12] ^= R(x[ 8]+x[ 4],13);
+                x[ 0] ^= R(x[12]+x[ 8],18);
+                x[ 9] ^= R(x[ 5]+x[ 1], 7);
+                x[13] ^= R(x[ 9]+x[ 5], 9);
+                x[ 1] ^= R(x[13]+x[ 9],13);
+                x[ 5] ^= R(x[ 1]+x[13],18);
+                x[14] ^= R(x[10]+x[ 6], 7);
+                x[ 2] ^= R(x[14]+x[10], 9);
+                x[ 6] ^= R(x[ 2]+x[14],13);
+                x[10] ^= R(x[ 6]+x[ 2],18);
+                x[ 3] ^= R(x[15]+x[11], 7);
+                x[ 7] ^= R(x[ 3]+x[15], 9);
+                x[11] ^= R(x[ 7]+x[ 3],13);
+                x[15] ^= R(x[11]+x[ 7],18);
+#else
+                {
+                        unsigned j, k, l;
+                        j = 4; k = 0; l = 12;
+                        for (;;) {
+                                uint32_t t;
+                                x[j] ^= ({ t = x[k] + x[l]; R(t, 7); }); l = k; k = j; j = (j+4) & 0xf;
+                                x[j] ^= ({ t = x[k] + x[l]; R(t, 9); }); l = k; k = j; j = (j+4) & 0xf;
+                                x[j] ^= ({ t = x[k] + x[l]; R(t,13); }); l = k; k = j; j = (j+4) & 0xf;
+                                x[j] ^= ({ t = x[k] + x[l]; R(t,18); });
+                                if (j == 15) break;
+                                l = j + 1; k = j + 5; j = (j+9) & 0xf;
+                        }
+                }
+#endif
+                /* Operate on rows */
+#if KDF_UNROLL_SALSA20
+// i=0 n=0
+                x[ 1] ^= R(x[ 0]+x[ 3], 7); // [i + (n+1)&3] [i + (n+0)&3] [i + (n+3)&3]
+                x[ 2] ^= R(x[ 1]+x[ 0], 9); // [i + (n+2)&3] [i + (n+1)&3] [i + (n+0)&3]
+                x[ 3] ^= R(x[ 2]+x[ 1],13); // [i + (n+3)&3] [i + (n+2)&3] [i + (n+1)&3]
+                x[ 0] ^= R(x[ 3]+x[ 2],18); // [i + (n+0)&3] [i + (n+3)&3] [i + (n+2)&3]
+// i=4 n=1                                          ^^^j^^^       ^^^k^^^       ^^^l^^^
+                x[ 6] ^= R(x[ 5]+x[ 4], 7); // [i + (n+1)&3] [i + (n+0)&3] [i + (n+3)&3]
+                x[ 7] ^= R(x[ 6]+x[ 5], 9); // [i + (n+2)&3] [i + (n+1)&3] [i + (n+0)&3]
+                x[ 4] ^= R(x[ 7]+x[ 6],13); // [i + (n+3)&3] [i + (n+2)&3] [i + (n+1)&3]
+                x[ 5] ^= R(x[ 4]+x[ 7],18); // [i + (n+0)&3] [i + (n+3)&3] [i + (n+2)&3]
+// i=8 n=2
+                x[11] ^= R(x[10]+x[ 9], 7); // [i + (n+1)&3] [i + (n+0)&3] [i + (n+3)&3]
+                x[ 8] ^= R(x[11]+x[10], 9); // [i + (n+2)&3] [i + (n+1)&3] [i + (n+0)&3]
+                x[ 9] ^= R(x[ 8]+x[11],13); // [i + (n+3)&3] [i + (n+2)&3] [i + (n+1)&3]
+                x[10] ^= R(x[ 9]+x[ 8],18); // [i + (n+0)&3] [i + (n+3)&3] [i + (n+2)&3]
+// i=12 n=3
+                x[12] ^= R(x[15]+x[14], 7); // [i + (n+1)&3] [i + (n+0)&3] [i + (n+3)&3]
+                x[13] ^= R(x[12]+x[15], 9); // [i + (n+2)&3] [i + (n+1)&3] [i + (n+0)&3]
+                x[14] ^= R(x[13]+x[12],13); // [i + (n+3)&3] [i + (n+2)&3] [i + (n+1)&3]
+                x[15] ^= R(x[14]+x[13],18); // [i + (n+0)&3] [i + (n+3)&3] [i + (n+2)&3]
+#else
+                {
+                        unsigned j, k, l;
+                        uint32_t *xrow;
+                        j = 1; k = 0; l = 3;
+                        xrow = &x[0];
+                        for (;;) {
+                                uint32_t t;
+                                xrow[j] ^= ({ t = xrow[k] + xrow[l]; R(t, 7); }); l = k; k = j; j = (j+1) & 3;
+                                xrow[j] ^= ({ t = xrow[k] + xrow[l]; R(t, 9); }); l = k; k = j; j = (j+1) & 3;
+                                xrow[j] ^= ({ t = xrow[k] + xrow[l]; R(t,13); }); l = k; k = j; j = (j+1) & 3;
+                                xrow[j] ^= ({ t = xrow[k] + xrow[l]; R(t,18); });
+                                if (j == 3) break;
+                                l = j; k = j + 1; j = (j+2) & 3;
+                                xrow += 4;
+                        }
+                }
+#endif
+#undef R
+        } while (--doublerounds);
+#undef x
+        {
+                uint32_t i;
+                salsa20_simd_shuffle(&X, Bout);
+                for (i = 0; i < 16; i++) {
+                        // bbox: note: was unrolled x4
+                        B->w[i] = Bout->w[i] += B->w[i];
+                }
+        }
+#if 0
+        /* Too expensive */
+        explicit_bzero(&X, sizeof(X));
+#endif
+}
+/**
+ * Apply the Salsa20/2 core to the block provided in X.
+ */
+#define SALSA20_2(out) \
+        salsa20(&X, &out, 1)
+#if 0
+#define XOR(out, in1, in2) \
+do { \
+        (out).d[0] = (in1).d[0] ^ (in2).d[0]; \
+        (out).d[1] = (in1).d[1] ^ (in2).d[1]; \
+        (out).d[2] = (in1).d[2] ^ (in2).d[2]; \
+        (out).d[3] = (in1).d[3] ^ (in2).d[3]; \
+        (out).d[4] = (in1).d[4] ^ (in2).d[4]; \
+        (out).d[5] = (in1).d[5] ^ (in2).d[5]; \
+        (out).d[6] = (in1).d[6] ^ (in2).d[6]; \
+        (out).d[7] = (in1).d[7] ^ (in2).d[7]; \
+} while (0)
+#else
+#define XOR(out, in1, in2) \
+do { \
+        xorbuf64_3_aligned64(&(out).d, &(in1).d, &(in2).d); \
+} while (0)
+#endif
+#define XOR_X(in)         XOR(X, X, in)
+#define XOR_X_2(in1, in2) XOR(X, in1, in2)
+#define XOR_X_WRITE_XOR_Y_2(out, in) \
+do { \
+        XOR(Y, out, in); \
+        COPY(out, Y); \
+        XOR(X, X, Y); \
+} while (0)
+/**
+ * Apply the Salsa20/8 core to the block provided in X ^ in.
+ */
+#define SALSA20_8_XOR_MEM(in, out) \
+do { \
+        XOR_X(in); \
+        salsa20(&X, &out, 4); \
+} while (0)
+#define INTEGERIFY ((uint32_t)X.d[0])
+/**
+ * blockmix_salsa8(Bin, Bout, r):
+ * Compute Bout = BlockMix_{salsa20/8, r}(Bin).  The input Bin must be 128r
+ * bytes in length; the output Bout must also be the same size.
+ */
+static void blockmix_salsa8(
+                const salsa20_blk_t *restrict Bin,
+                salsa20_blk_t *restrict Bout,
+                size_t r)
+{
+        size_t i;
+        DECL_X;
+        READ_X(Bin[r * 2 - 1]);
+        for (i = 0; i < r; i++) {
+                SALSA20_8_XOR_MEM(Bin[i * 2], Bout[i]);
+                SALSA20_8_XOR_MEM(Bin[i * 2 + 1], Bout[r + i]);
+        }
+}
+static uint32_t blockmix_salsa8_xor(
+                const salsa20_blk_t *restrict Bin1,
+                const salsa20_blk_t *restrict Bin2,
+                salsa20_blk_t *restrict Bout,
+                size_t r)
+{
+        size_t i;
+        DECL_X;
+        XOR_X_2(Bin1[r * 2 - 1], Bin2[r * 2 - 1]);
+        for (i = 0; i < r; i++) {
+                XOR_X(Bin1[i * 2]);
+                SALSA20_8_XOR_MEM(Bin2[i * 2], Bout[i]);
+                XOR_X(Bin1[i * 2 + 1]);
+                SALSA20_8_XOR_MEM(Bin2[i * 2 + 1], Bout[r + i]);
+        }
+        return INTEGERIFY;
+}
+/* This is tunable */
+#define Swidth 8
+/* Not tunable in this implementation, hard-coded in a few places */
+#define PWXsimple 2
+#define PWXgather 4
+/* Derived values.  Not tunable except via Swidth above. */
+#define PWXbytes (PWXgather * PWXsimple * 8)
+#define Sbytes   (3 * (1 << Swidth) * PWXsimple * 8)
+#define Smask    (((1 << Swidth) - 1) * PWXsimple * 8)
+#define Smask2   (((uint64_t)Smask << 32) | Smask)
+#define DECL_SMASK2REG       do {} while (0)
+#define FORCE_REGALLOC_3     do {} while (0)
+#define MAYBE_MEMORY_BARRIER do {} while (0)
+#define PWXFORM_SIMD(x0, x1) \
+do { \
+        uint64_t x = x0 & Smask2; \
+        uint64_t *p0 = (uint64_t *)(S0 + (uint32_t)x); \
+        uint64_t *p1 = (uint64_t *)(S1 + (x >> 32)); \
+        x0 = ((x0 >> 32) * (uint32_t)x0 + p0[0]) ^ p1[0]; \
+        x1 = ((x1 >> 32) * (uint32_t)x1 + p0[1]) ^ p1[1]; \
+} while (0)
+#if KDF_UNROLL_PWXFORM_ROUND
+#define PWXFORM_ROUND \
+do { \
+        PWXFORM_SIMD(X.d[0], X.d[1]); \
+        PWXFORM_SIMD(X.d[2], X.d[3]); \
+        PWXFORM_SIMD(X.d[4], X.d[5]); \
+        PWXFORM_SIMD(X.d[6], X.d[7]); \
+} while (0)
+#else
+#define PWXFORM_ROUND \
+do { \
+        for (int pwxi=0; pwxi<8; pwxi+=2) \
+                PWXFORM_SIMD(X.d[pwxi], X.d[pwxi + 1]); \
+} while (0)
+#endif
+/*
+ * This offset helps address the 256-byte write block via the single-byte
+ * displacements encodable in x86(-64) instructions.  It is needed because the
+ * displacements are signed.  Without it, we'd get 4-byte displacements for
+ * half of the writes.  Setting it to 0x80 instead of 0x7c would avoid needing
+ * a displacement for one of the writes, but then the LEA instruction would
+ * need a 4-byte displacement.
+ */
+#define PWXFORM_WRITE_OFFSET 0x7c
+#define PWXFORM_WRITE \
+do { \
+        WRITE_X(*(salsa20_blk_t *)(Sw - PWXFORM_WRITE_OFFSET)); \
+        Sw += 64; \
+} while (0)
+#if KDF_UNROLL_PWXFORM
+#define PWXFORM \
+do { \
+        uint8_t *Sw = S2 + w + PWXFORM_WRITE_OFFSET; \
+        FORCE_REGALLOC_3; \
+        MAYBE_MEMORY_BARRIER; \
+        PWXFORM_ROUND; \
+        PWXFORM_ROUND; PWXFORM_WRITE; \
+        PWXFORM_ROUND; PWXFORM_WRITE; \
+        PWXFORM_ROUND; PWXFORM_WRITE; \
+        PWXFORM_ROUND; PWXFORM_WRITE; \
+        PWXFORM_ROUND; \
+        w = (w + 64 * 4) & Smask2; \
+        { \
+                uint8_t *Stmp = S2; \
+                S2 = S1; \
+                S1 = S0; \
+                S0 = Stmp; \
+        } \
+} while (0)
+#else
+#define PWXFORM \
+do { \
+        uint8_t *Sw = S2 + w + PWXFORM_WRITE_OFFSET; \
+        FORCE_REGALLOC_3; \
+        MAYBE_MEMORY_BARRIER; \
+        PWXFORM_ROUND; \
+        for (int pwxj=0; pwxj<4; pwxj++) {\
+                PWXFORM_ROUND; PWXFORM_WRITE; \
+        } \
+        PWXFORM_ROUND; \
+        w = (w + 64 * 4) & Smask2; \
+        { \
+                uint8_t *Stmp = S2; \
+                S2 = S1; \
+                S1 = S0; \
+                S0 = Stmp; \
+        } \
+} while (0)
+#endif
+typedef struct {
+        uint8_t *S0, *S1, *S2;
+        size_t w;
+} pwxform_ctx_t;
+#define Salloc (Sbytes + ((sizeof(pwxform_ctx_t) + 63) & ~63U))
+/**
+ * blockmix_pwxform(Bin, Bout, r, S):
+ * Compute Bout = BlockMix_pwxform{salsa20/2, r, S}(Bin).  The input Bin must
+ * be 128r bytes in length; the output Bout must also be the same size.
+ */
+static void blockmix(
+                const salsa20_blk_t *restrict Bin,
+                salsa20_blk_t *restrict Bout,
+                size_t r,
+                pwxform_ctx_t *restrict ctx)
+{
+        uint8_t *S0 = ctx->S0, *S1 = ctx->S1, *S2 = ctx->S2;
+        size_t w = ctx->w;
+        size_t i;
+        DECL_X;
+        /* Convert count of 128-byte blocks to max index of 64-byte block */
+        r = r * 2 - 1;
+        READ_X(Bin[r]);
+        DECL_SMASK2REG;
+        i = 0;
+        for (;;) {
+                XOR_X(Bin[i]);
+                PWXFORM;
+                if (unlikely(i >= r))
+                        break;
+                WRITE_X(Bout[i]);
+                i++;
+        }
+        ctx->S0 = S0;
+        ctx->S1 = S1;
+        ctx->S2 = S2;
+        ctx->w = w;
+        SALSA20_2(Bout[i]);
+}
+static uint32_t blockmix_xor(
+                const salsa20_blk_t *Bin1,
+                const salsa20_blk_t *restrict Bin2,
+                salsa20_blk_t *Bout,
+                size_t r,
+                pwxform_ctx_t *restrict ctx)
+{
+        uint8_t *S0 = ctx->S0, *S1 = ctx->S1, *S2 = ctx->S2;
+        size_t w = ctx->w;
+        size_t i;
+        DECL_X;
+        /* Convert count of 128-byte blocks to max index of 64-byte block */
+        r = r * 2 - 1;
+        XOR_X_2(Bin1[r], Bin2[r]);
+        DECL_SMASK2REG;
+        i = 0;
+        r--;
+        for (;;) {
+                XOR_X(Bin1[i]);
+                XOR_X(Bin2[i]);
+                PWXFORM;
+                if (unlikely(i > r))
+                        break;
+                WRITE_X(Bout[i]);
+                i++;
+        }
+        ctx->S0 = S0;
+        ctx->S1 = S1;
+        ctx->S2 = S2;
+        ctx->w = w;
+        SALSA20_2(Bout[i]);
+        return INTEGERIFY;
+}
+static uint32_t blockmix_xor_save(
+                salsa20_blk_t *restrict Bin1out,
+                salsa20_blk_t *restrict Bin2,
+                size_t r,
+                pwxform_ctx_t *restrict ctx)
+{
+        uint8_t *S0 = ctx->S0, *S1 = ctx->S1, *S2 = ctx->S2;
+        size_t w = ctx->w;
+        size_t i;
+        DECL_X;
+        DECL_Y;
+        /* Convert count of 128-byte blocks to max index of 64-byte block */
+        r = r * 2 - 1;
+        XOR_X_2(Bin1out[r], Bin2[r]);
+        DECL_SMASK2REG;
+        i = 0;
+        r--;
+        for (;;) {
+                XOR_X_WRITE_XOR_Y_2(Bin2[i], Bin1out[i]);
+                PWXFORM;
+                if (unlikely(i > r))
+                        break;
+                WRITE_X(Bin1out[i]);
+                i++;
+        }
+        ctx->S0 = S0;
+        ctx->S1 = S1;
+        ctx->S2 = S2;
+        ctx->w = w;
+        SALSA20_2(Bin1out[i]);
+        return INTEGERIFY;
+}
+/**
+ * integerify(B, r):
+ * Return the result of parsing B_{2r-1} as a little-endian integer.
+ */
+static inline uint32_t integerify(const salsa20_blk_t *B, size_t r)
+{
+/*
+ * Our 64-bit words are in host byte order, which is why we don't just read
+ * w[0] here (would be wrong on big-endian).  Also, our 32-bit words are
+ * SIMD-shuffled (so the next 32 bits would be part of d[6]), but currently
+ * this does not matter as we only care about the least significant 32 bits.
+ */
+        return (uint32_t)B[2 * r - 1].d[0];
+}
+/**
+ * smix1(B, r, N, flags, V, NROM, VROM, XY, ctx):
+ * Compute first loop of B = SMix_r(B, N).  The input B must be 128r bytes in
+ * length; the temporary storage V must be 128rN bytes in length; the temporary
+ * storage XY must be 128r+64 bytes in length.  N must be even and at least 4.
+ * The array V must be aligned to a multiple of 64 bytes, and arrays B and XY
+ * to a multiple of at least 16 bytes.
+ */
+#if DISABLE_NROM_CODE
+#define smix1(B,r,N,flags,V,NROM,VROM,XY,ctx) \
+        smix1(B,r,N,flags,V,XY,ctx)
+#endif
+static void smix1(uint8_t *B, size_t r, uint32_t N,
+                uint32_t flags,
+                salsa20_blk_t *V,
+                uint32_t NROM, const salsa20_blk_t *VROM,
+                salsa20_blk_t *XY,
+                pwxform_ctx_t *ctx)
+{
+#if DISABLE_NROM_CODE
+        uint32_t NROM = 0;
+        const salsa20_blk_t *VROM = NULL;
+#endif
+        size_t s = 2 * r;
+        salsa20_blk_t *X = V, *Y = &V[s];
+        uint32_t i, j;
+        for (i = 0; i < 2 * r; i++) {
+                const salsa20_blk_t *src = (salsa20_blk_t *)&B[i * 64];
+                salsa20_blk_t *tmp = Y;
+                salsa20_blk_t *dst = &X[i];
+                size_t k;
+                for (k = 0; k < 16; k++)
+                        tmp->w[k] = SWAP_LE32(src->w[k]);
+                salsa20_simd_shuffle(tmp, dst);
+        }
+        if (VROM) {
+                uint32_t n;
+                const salsa20_blk_t *V_j;
+                V_j = &VROM[(NROM - 1) * s];
+                j = blockmix_xor(X, V_j, Y, r, ctx) & (NROM - 1);
+                V_j = &VROM[j * s];
+                X = Y + s;
+                j = blockmix_xor(Y, V_j, X, r, ctx);
+                for (n = 2; n < N; n <<= 1) {
+                        uint32_t m = (n < N / 2) ? n : (N - 1 - n);
+                        for (i = 1; i < m; i += 2) {
+                                j &= n - 1;
+                                j += i - 1;
+                                V_j = &V[j * s];
+                                Y = X + s;
+                                j = blockmix_xor(X, V_j, Y, r, ctx) & (NROM - 1);
+                                V_j = &VROM[j * s];
+                                X = Y + s;
+                                j = blockmix_xor(Y, V_j, X, r, ctx);
+                        }
+                }
+                n >>= 1;
+                j &= n - 1;
+                j += N - 2 - n;
+                V_j = &V[j * s];
+                Y = X + s;
+                j = blockmix_xor(X, V_j, Y, r, ctx) & (NROM - 1);
+                V_j = &VROM[j * s];
+                blockmix_xor(Y, V_j, XY, r, ctx);
+        } else if (flags & YESCRYPT_RW) {
+//can't use flags___YESCRYPT_RW, smix1() may be called with flags = 0
+                uint32_t n;
+                salsa20_blk_t *V_j;
+                blockmix(X, Y, r, ctx);
+                X = Y + s;
+                blockmix(Y, X, r, ctx);
+                j = integerify(X, r);
+                for (n = 2; n < N; n <<= 1) {
+                        uint32_t m = (n < N / 2) ? n : (N - 1 - n);
+                        for (i = 1; i < m; i += 2) {
+                                Y = X + s;
+                                j &= n - 1;
+                                j += i - 1;
+                                V_j = &V[j * s];
+                                j = blockmix_xor(X, V_j, Y, r, ctx);
+                                j &= n - 1;
+                                j += i;
+                                V_j = &V[j * s];
+                                X = Y + s;
+                                j = blockmix_xor(Y, V_j, X, r, ctx);
+                        }
+                }
+                n >>= 1;
+                j &= n - 1;
+                j += N - 2 - n;
+                V_j = &V[j * s];
+                Y = X + s;
+                j = blockmix_xor(X, V_j, Y, r, ctx);
+                j &= n - 1;
+                j += N - 1 - n;
+                V_j = &V[j * s];
+                blockmix_xor(Y, V_j, XY, r, ctx);
+        } else {
+                N -= 2;
+                do {
+                        blockmix_salsa8(X, Y, r);
+                        X = Y + s;
+                        blockmix_salsa8(Y, X, r);
+                        Y = X + s;
+                } while ((N -= 2));
+                blockmix_salsa8(X, Y, r);
+                blockmix_salsa8(Y, XY, r);
+        }
+        for (i = 0; i < 2 * r; i++) {
+                const salsa20_blk_t *src = &XY[i];
+                salsa20_blk_t *tmp = &XY[s];
+                salsa20_blk_t *dst = (salsa20_blk_t *)&B[i * 64];
+                size_t k;
+                for (k = 0; k < 16; k++)
+                        tmp->w[k] = SWAP_LE32(src->w[k]);
+                salsa20_simd_unshuffle(tmp, dst);
+        }
+}
+/**
+ * smix2(B, r, N, Nloop, flags, V, NROM, VROM, XY, ctx):
+ * Compute second loop of B = SMix_r(B, N).  The input B must be 128r bytes in
+ * length; the temporary storage V must be 128rN bytes in length; the temporary
+ * storage XY must be 256r bytes in length.  N must be a power of 2 and at
+ * least 2.  Nloop must be even.  The array V must be aligned to a multiple of
+ * 64 bytes, and arrays B and XY to a multiple of at least 16 bytes.
+ */
+#if DISABLE_NROM_CODE
+#define smix2(B,r,N,Nloop,flags,V,NROM,VROM,XY,ctx) \
+        smix2(B,r,N,Nloop,flags,V,XY,ctx)
+#endif
+static void smix2(uint8_t *B, size_t r, uint32_t N, uint64_t Nloop,
+                uint32_t flags,
+                salsa20_blk_t *V,
+                uint32_t NROM, const salsa20_blk_t *VROM,
+                salsa20_blk_t *XY,
+                pwxform_ctx_t *ctx)
+{
+#if DISABLE_NROM_CODE
+        uint32_t NROM = 0;
+        const salsa20_blk_t *VROM = NULL;
+#endif
+        size_t s = 2 * r;
+        salsa20_blk_t *X = XY, *Y = &XY[s];
+        uint32_t i, j;
+        if (Nloop == 0)
+                return;
+        for (i = 0; i < 2 * r; i++) {
+                const salsa20_blk_t *src = (salsa20_blk_t *)&B[i * 64];
+                salsa20_blk_t *tmp = Y;
+                salsa20_blk_t *dst = &X[i];
+                size_t k;
+                for (k = 0; k < 16; k++)
+                        tmp->w[k] = SWAP_LE32(src->w[k]);
+                salsa20_simd_shuffle(tmp, dst);
+        }
+        j = integerify(X, r) & (N - 1);
+/*
+ * Normally, VROM implies YESCRYPT_RW, but we check for these separately
+ * because our SMix resets YESCRYPT_RW for the smix2() calls operating on the
+ * entire V when p > 1.
+ */
+//and this is why bbox can't use flags___YESCRYPT_RW in this function
+        if (VROM && (flags & YESCRYPT_RW)) {
+                do {
+                        salsa20_blk_t *V_j = &V[j * s];
+                        const salsa20_blk_t *VROM_j;
+                        j = blockmix_xor_save(X, V_j, r, ctx) & (NROM - 1);
+                        VROM_j = &VROM[j * s];
+                        j = blockmix_xor(X, VROM_j, X, r, ctx) & (N - 1);
+                } while (Nloop -= 2);
+        } else if (VROM) {
+                do {
+                        const salsa20_blk_t *V_j = &V[j * s];
+                        j = blockmix_xor(X, V_j, X, r, ctx) & (NROM - 1);
+                        V_j = &VROM[j * s];
+                        j = blockmix_xor(X, V_j, X, r, ctx) & (N - 1);
+                } while (Nloop -= 2);
+        } else if (flags & YESCRYPT_RW) {
+                do {
+                        salsa20_blk_t *V_j = &V[j * s];
+                        j = blockmix_xor_save(X, V_j, r, ctx) & (N - 1);
+                        V_j = &V[j * s];
+                        j = blockmix_xor_save(X, V_j, r, ctx) & (N - 1);
+                } while (Nloop -= 2);
+        } else if (ctx) {
+                do {
+                        const salsa20_blk_t *V_j = &V[j * s];
+                        j = blockmix_xor(X, V_j, X, r, ctx) & (N - 1);
+                        V_j = &V[j * s];
+                        j = blockmix_xor(X, V_j, X, r, ctx) & (N - 1);
+                } while (Nloop -= 2);
+        } else {
+                do {
+                        const salsa20_blk_t *V_j = &V[j * s];
+                        j = blockmix_salsa8_xor(X, V_j, Y, r) & (N - 1);
+                        V_j = &V[j * s];
+                        j = blockmix_salsa8_xor(Y, V_j, X, r) & (N - 1);
+                } while (Nloop -= 2);
+        }
+        for (i = 0; i < 2 * r; i++) {
+                const salsa20_blk_t *src = &X[i];
+                salsa20_blk_t *tmp = Y;
+                salsa20_blk_t *dst = (salsa20_blk_t *)&B[i * 64];
+                size_t k;
+                for (k = 0; k < 16; k++)
+                        tmp->w[k] = SWAP_LE32(src->w[k]);
+                salsa20_simd_unshuffle(tmp, dst);
+        }
+}
+/**
+ * p2floor(x):
+ * Largest power of 2 not greater than argument.
+ */
+static uint64_t p2floor(uint64_t x)
+{
+        uint64_t y;
+        while ((y = x & (x - 1)))
+                x = y;
+        return x;
+}
+/**
+ * smix(B, r, N, p, t, flags, V, NROM, VROM, XY, S, passwd):
+ * Compute B = SMix_r(B, N).  The input B must be 128rp bytes in length; the
+ * temporary storage V must be 128rN bytes in length; the temporary storage
+ * XY must be 256r or 256rp bytes in length (the larger size is required with
+ * OpenMP-enabled builds).  N must be a power of 2 and at least 4.  The array V
+ * must be aligned to a multiple of 64 bytes, and arrays B and XY to a multiple
+ * of at least 16 bytes (aligning them to 64 bytes as well saves cache lines
+ * and helps avoid false sharing in OpenMP-enabled builds when p > 1, but it
+ * might also result in cache bank conflicts).
+ */
+#if DISABLE_NROM_CODE
+#define smix(B,r,N,p,t,flags,V,NROM,VROM,XY,S,passwd) \
+        smix(B,r,N,p,t,flags,V,XY,S,passwd)
+#endif
+static void smix(uint8_t *B, size_t r, uint32_t N, uint32_t p, uint32_t t,
+                uint32_t flags,
+                salsa20_blk_t *V,
+                uint32_t NROM, const salsa20_blk_t *VROM,
+                salsa20_blk_t *XY,
+                uint8_t *S, uint8_t *passwd)
+{
+        size_t s = 2 * r;
+        uint32_t Nchunk;
+        uint64_t Nloop_all, Nloop_rw;
+        uint32_t i;
+        Nchunk = N / p;
+        Nloop_all = Nchunk;
+        if (flags___YESCRYPT_RW) {
+                if (t <= 1) {
+                        if (t)
+                                Nloop_all *= 2; /* 2/3 */
+                        Nloop_all = (Nloop_all + 2) / 3; /* 1/3, round up */
+                } else {
+                        Nloop_all *= t - 1;
+                }
+        } else if (t) {
+                if (t == 1)
+                        Nloop_all += (Nloop_all + 1) / 2; /* 1.5, round up */
+                Nloop_all *= t;
+        }
+        Nloop_rw = 0;
+        if (flags___YESCRYPT_RW)
+                Nloop_rw = Nloop_all / p;
+        Nchunk &= ~(uint32_t)1; /* round down to even */
+        Nloop_all++; Nloop_all &= ~(uint64_t)1; /* round up to even */
+        Nloop_rw++; Nloop_rw &= ~(uint64_t)1; /* round up to even */
+        for (i = 0; i < p; i++) {
+                uint32_t Vchunk = i * Nchunk;
+                uint32_t Np = (i < p - 1) ? Nchunk : (N - Vchunk);
+                uint8_t *Bp = &B[128 * r * i];
+                salsa20_blk_t *Vp = &V[Vchunk * s];
+                salsa20_blk_t *XYp = XY;
+                pwxform_ctx_t *ctx_i = NULL;
+                if (flags___YESCRYPT_RW) {
+                        uint8_t *Si = S + i * Salloc;
+                        smix1(Bp, 1, Sbytes / 128, 0 /* no flags */,
+                                (salsa20_blk_t *)Si, 0, NULL, XYp, NULL);
+                        ctx_i = (pwxform_ctx_t *)(Si + Sbytes);
+                        ctx_i->S2 = Si;
+                        ctx_i->S1 = Si + Sbytes / 3;
+                        ctx_i->S0 = Si + Sbytes / 3 * 2;
+                        ctx_i->w = 0;
+                        if (i == 0)
+                                hmac_block(
+                                        /* key,len: */ Bp + (128 * r - 64), 64,
+                                        /* hash fn: */ sha256_begin,
+                                        /* in,len: */  passwd, 32,
+                                        /* outbuf: */  passwd
+                                );
+                }
+                smix1(Bp, r, Np, flags, Vp, NROM, VROM, XYp, ctx_i);
+                smix2(Bp, r, p2floor(Np), Nloop_rw, flags, Vp,
+                        NROM, VROM, XYp, ctx_i);
+        }
+        if (Nloop_all > Nloop_rw) {
+                for (i = 0; i < p; i++) {
+                        uint8_t *Bp = &B[128 * r * i];
+                        salsa20_blk_t *XYp = XY;
+                        pwxform_ctx_t *ctx_i = NULL;
+                        if (flags___YESCRYPT_RW) {
+                                uint8_t *Si = S + i * Salloc;
+                                ctx_i = (pwxform_ctx_t *)(Si + Sbytes);
+                        }
+                        smix2(Bp, r, N, Nloop_all - Nloop_rw,
+                                flags & (uint32_t)~YESCRYPT_RW,
+                                V, NROM, VROM, XYp, ctx_i);
+                }
+        }
+}
+/* Allocator code */
+static void alloc_region(yescrypt_region_t *region, size_t size)
+{
+        uint8_t *base;
+        int flags =
+# ifdef MAP_NOCORE /* huh? */
+                MAP_NOCORE |
+# endif
+                MAP_ANON | MAP_PRIVATE;
+        base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0);
+        if (base == MAP_FAILED)
+                bb_die_memory_exhausted();
+#if defined(MADV_HUGEPAGE)
+        /* Reduces mkpasswd qweRTY123@-+ '$y$jHT$123'
+         * (which allocates 4 Gbytes)
+         * run time from 10.543s to 5.635s
+         * Seen on linux-5.18.0.
+         */
+        madvise(base, size, MADV_HUGEPAGE);
+#endif
+        //region->base = base;
+        //region->base_size = size;
+        region->aligned = base;
+        region->aligned_size = size;
+}
+static void free_region(yescrypt_region_t *region)
+{
+        if (region->aligned)
+                munmap(region->aligned, region->aligned_size);
+        //region->base = NULL;
+        //region->base_size = 0;
+        region->aligned = NULL;
+        region->aligned_size = 0;
+}
+/**
+ * yescrypt_kdf_body(shared, local, passwd, passwdlen, salt, saltlen,
+ *     flags, N, r, p, t, NROM, buf, buflen):
+ * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
+ * p, buflen), or a revision of scrypt as requested by flags and shared, and
+ * write the result into buf.
+ *
+ * shared and flags may request special modes as described in yescrypt.h.
+ *
+ * local is the thread-local data structure, allowing to preserve and reuse a
+ * memory allocation across calls, thereby reducing its overhead.
+ *
+ * t controls computation time while not affecting peak memory usage.
+ *
+ * Return 0 on success; or -1 on error.
+ *
+ * This optimized implementation currently limits N to the range from 4 to
+ * 2^31, but other implementations might not.
+ */
+static int yescrypt_kdf32_body(
+                yescrypt_ctx_t *yctx,
+                const uint8_t *passwd, size_t passwdlen,
+                uint32_t flags, uint64_t N, uint32_t t,
+                uint8_t *buf32)
+{
+#if !DISABLE_NROM_CODE
+        const salsa20_blk_t *VROM;
+#endif
+        size_t B_size, V_size, XY_size, need;
+        uint8_t *B, *S;
+        salsa20_blk_t *V, *XY;
+        struct {
+                uint8_t sha256[32];
+                uint8_t dk[32];
+        } u;
+#define sha256 u.sha256
+#define dk     u.dk
+        uint8_t *dkp = buf32;
+        uint32_t r, p;
+        /* Sanity-check parameters */
+        switch (flags___YESCRYPT_MODE_MASK) {
+        case 0: /* classic scrypt - can't have anything non-standard */
+                if (flags || t || YCTX_param_NROM)
+                        goto out_EINVAL;
+                break;
+        case YESCRYPT_WORM:
+                if (flags != YESCRYPT_WORM || YCTX_param_NROM)
+                        goto out_EINVAL;
+                break;
+        case YESCRYPT_RW:
+                if (flags != (flags & YESCRYPT_KNOWN_FLAGS))
+                        goto out_EINVAL;
+#if PWXsimple == 2 && PWXgather == 4 && Sbytes == 12288
+                if ((flags & YESCRYPT_RW_FLAVOR_MASK) ==
+                    (YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 |
+                    YESCRYPT_SIMPLE_2 | YESCRYPT_SBOX_12K))
+                        break;
+#else
+#error "Unsupported pwxform settings"
+#endif
+                /* FALLTHRU */
+        default:
+                goto out_EINVAL;
+        }
+        r = YCTX_param_r;
+        p = YCTX_param_p;
+        if ((uint64_t)r * (uint64_t)p >= 1 << 30) {
+                dbg("r * n >= 2^30");
+                goto out_EINVAL;
+        }
+        if (N > UINT32_MAX) {
+                dbg("N > 0x%lx", (long)UINT32_MAX);
+                goto out_EINVAL;
+        }
+        if (N <= 3
+         || r < 1
+         || p < 1
+        ) {
+                dbg("bad N, r or p");
+                goto out_EINVAL;
+        }
+        if (r > SIZE_MAX / 256 / p
+         || N > SIZE_MAX / 128 / r
+        ) {
+                /* 32-bit testcase: mkpasswd qweRTY123@-+ '$y$jHT$123'
+                 * (works on 64-bit, needs buffer > 4Gbytes)
+                 */
+                dbg("r > SIZE_MAX / 256 / p? %c", "NY"[r > SIZE_MAX / 256 / p]);
+                dbg("N > SIZE_MAX / 128 / r? %c", "NY"[N > SIZE_MAX / 128 / r]);
+                goto out_EINVAL;
+        }
+        if (flags___YESCRYPT_RW) {
+                /* p cannot be greater than SIZE_MAX/Salloc on 64-bit systems,
+                   but it can on 32-bit systems.  */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wtype-limits"
+                if (N / p <= 3 || p > SIZE_MAX / Salloc) {
+                        dbg("bad p:%ld", (long)p);
+                        goto out_EINVAL;
+                }
+#pragma GCC diagnostic pop
+        }
+#if !DISABLE_NROM_CODE
+        VROM = NULL;
+        if (YCTX_param_NROM)
+                goto out_EINVAL;
+#endif
+        /* Allocate memory */
+        V = NULL;
+        V_size = (size_t)128 * r * N;
+        need = V_size;
+        B_size = (size_t)128 * r * p;
+        need += B_size;
+        if (need < B_size) {
+                dbg("integer overflow at += B_size(%lu)", (long)B_size);
+                goto out_EINVAL;
+        }
+        XY_size = (size_t)256 * r;
+        need += XY_size;
+        if (need < XY_size) {
+                dbg("integer overflow at += XY_size(%lu)", (long)XY_size);
+                goto out_EINVAL;
+        }
+        if (flags___YESCRYPT_RW) {
+                size_t S_size = (size_t)Salloc * p;
+                need += S_size;
+                if (need < S_size) {
+                        dbg("integer overflow at += S_size(%lu)", (long)S_size);
+                        goto out_EINVAL;
+                }
+        }
+        if (yctx->local->aligned_size < need) {
+                free_region(yctx->local);
+                alloc_region(yctx->local, need);
+                dbg("allocated local:%lu 0x%lx", (long)need, (long)need);
+                /* standard "j9T" params allocate 16Mbytes here */
+        }
+        if (flags & YESCRYPT_ALLOC_ONLY)
+                return -3; /* expected "failure" */
+        B = (uint8_t *)yctx->local->aligned;
+        V = (salsa20_blk_t *)((uint8_t *)B + B_size);
+        XY = (salsa20_blk_t *)((uint8_t *)V + V_size);
+        S = NULL;
+        if (flags___YESCRYPT_RW)
+                S = (uint8_t *)XY + XY_size;
+        if (flags) {
+                hmac_block(
+                        /* key,len: */ (const void*)"yescrypt-prehash", (flags & YESCRYPT_PREHASH) ? 16 : 8,
+                        /* hash fn: */ sha256_begin,
+                        /* in,len: */  passwd, passwdlen,
+                        /* outbuf: */  sha256
+                );
+                passwd = sha256;
+                passwdlen = sizeof(sha256);
+        }
+        PBKDF2_SHA256(passwd, passwdlen, yctx->salt, yctx->saltlen, 1, B, B_size);
+        if (flags)
+                memcpy(sha256, B, sizeof(sha256));
+        if (p == 1 || (flags___YESCRYPT_RW)) {
+                smix(B, r, N, p, t, flags, V, YCTX_param_NROM, VROM, XY, S, sha256);
+        } else {
+                uint32_t i;
+                for (i = 0; i < p; i++) {
+                        smix(&B[(size_t)128 * r * i], r, N, 1, t, flags, V,
+                                YCTX_param_NROM, VROM, XY, NULL, NULL);
+                }
+        }
+        dkp = buf32;
+        if (flags && /*buflen:*/32 < sizeof(dk)) {
+                PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, dk, sizeof(dk));
+                dkp = dk;
+        }
+        PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf32, /*buflen:*/32);
+        /*
+         * Except when computing classic scrypt, allow all computation so far
+         * to be performed on the client.  The final steps below match those of
+         * SCRAM (RFC 5802), so that an extension of SCRAM (with the steps so
+         * far in place of SCRAM's use of PBKDF2 and with SHA-256 in place of
+         * SCRAM's use of SHA-1) would be usable with yescrypt hashes.
+         */
+        if (flags && !(flags & YESCRYPT_PREHASH)) {
+                /* Compute ClientKey */
+                hmac_block(
+                        /* key,len: */ dkp, sizeof(dk),
+                        /* hash fn: */ sha256_begin,
+                        /* in,len: */  "Client Key", 10,
+                        /* outbuf: */  sha256
+                );
+                /* Compute StoredKey */
+                {
+                        size_t clen = /*buflen:*/32;
+                        if (clen > sizeof(dk))
+                                clen = sizeof(dk);
+                        if (sizeof(dk) != 32) { /* not true, optimize it out */
+                                sha256_block(sha256, sizeof(sha256), dk);
+                                memcpy(buf32, dk, clen);
+                        } else {
+                                sha256_block(sha256, sizeof(sha256), buf32);
+                        }
+                }
+        }
+        explicit_bzero(&u, sizeof(u));
+        /* Success! */
+        return 0;
+ out_EINVAL:
+        //bbox does not need this: errno = EINVAL;
+        return -1;
+#undef sha256
+#undef dk
+}
+/**
+ * yescrypt_kdf(shared, local, passwd, passwdlen, salt, saltlen, params,
+ *     buf, buflen):
+ * Compute scrypt or its revision as requested by the parameters.  The inputs
+ * to this function are the same as those for yescrypt_kdf_body() above, with
+ * the addition of g, which controls hash upgrades (0 for no upgrades so far).
+ */
+static
+int yescrypt_kdf32(
+                yescrypt_ctx_t *yctx,
+                const uint8_t *passwd, size_t passwdlen,
+                uint8_t *buf32)
+{
+        uint32_t flags = YCTX_param_flags;
+        uint64_t N = YCTX_param_N;
+        uint32_t r = YCTX_param_r;
+        uint32_t p = YCTX_param_p;
+        uint32_t t = YCTX_param_t;
+        uint32_t g = YCTX_param_g;
+        uint8_t dk32[32];
+        int retval;
+        /* Support for hash upgrades has been temporarily removed */
+        if (g) {
+                //bbox does not need this: errno = EINVAL;
+                return -1;
+        }
+        if ((flags___YESCRYPT_RW)
+         && p >= 1
+         && N / p >= 0x100
+         && N / p * r >= 0x20000
+        ) {
+                if (yescrypt_kdf32_body(yctx,
+                    passwd, passwdlen,
+                    flags | YESCRYPT_ALLOC_ONLY, N, t,
+                    buf32) != -3
+                ) {
+                        dbg("yescrypt_kdf32_body: not -3");
+                        return -1;
+                }
+                retval = yescrypt_kdf32_body(yctx,
+                                passwd, passwdlen,
+                                flags | YESCRYPT_PREHASH, N >> 6, 0,
+                                dk32);
+                if (retval) {
+                        dbg("yescrypt_kdf32_body(PREHASH):%d", retval);
+                        return retval;
+                }
+                passwd = dk32;
+                passwdlen = sizeof(dk32);
+        }
+        retval = yescrypt_kdf32_body(yctx,
+                        passwd, passwdlen,
+                        flags, N, t, buf32);
+        explicit_bzero(dk32, sizeof(dk32));
+        dbg("yescrypt_kdf32_body:%d", retval);
+        return retval;
+}
diff --git a/libbb/yescrypt/alg-yescrypt.h b/libbb/yescrypt/alg-yescrypt.h
new file mode 100644
index 000000000..b69843f5d
--- /dev/null
+++ b/libbb/yescrypt/alg-yescrypt.h
@@ -0,0 +1,247 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * Copyright 2013-2018 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+// busybox debug and size-reduction configuration
+#ifdef YESCRYPT_INTERNAL
+# if 1
+#  define dbg(...) ((void)0)
+# else
+#  define dbg(...) bb_error_msg(__VA_ARGS__)
+# endif
+# if 1
+#  define dbg_dec64(...) ((void)0)
+# else
+#  define dbg_dec64(...) bb_error_msg(__VA_ARGS__)
+# endif
+# define TEST_DECODE64  0
+#endif
+// Only accept one-char parameters in salt, and only first three?
+// Almost any reasonable yescrypt hashes in /etc/shadow should
+// only ever use "jXY" parameters which set N and r.
+// Fancy multi-byte-encoded wide integers are not needed for that.
+#define RESTRICTED_PARAMS  1
+// Note: if you enable the above, please also enable
+// YCTX_param_p, YCTX_param_t, YCTX_param_g, YCTX_param_NROM
+// optimizations, and DISABLE_NROM_CODE.
+#define DISABLE_NROM_CODE  1
+// How much we save by forcing "standard" value by commenting the next line:
+//  160 bytes
+//#define YCTX_param_flags           yctx->param.flags
+//  260 bytes
+//#define flags___YESCRYPT_RW        (flags & YESCRYPT_RW)
+//  140 bytes
+//#define flags___YESCRYPT_MODE_MASK (flags & YESCRYPT_MODE_MASK)
+// ^^^^ forcing the above since the code already requires (checks for) this
+//   50 bytes
+#define YCTX_param_N     yctx->param.N
+// -100 bytes (negative!!!)
+#define YCTX_param_r     yctx->param.r
+//  400 bytes
+//#define YCTX_param_p     yctx->param.p
+//  130 bytes
+//#define YCTX_param_t     yctx->param.t
+//    2 bytes
+//#define YCTX_param_g     yctx->param.g
+//    1 bytes
+// ^^^^ this looks wrong, compiler should be able to constant-propagate the fact that NROM code is dead
+//#define YCTX_param_NROM  yctx->param.NROM
+#ifndef YCTX_param_flags
+#define YCTX_param_flags (YESCRYPT_RW | YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 | YESCRYPT_SIMPLE_2 | YESCRYPT_SBOX_12K)
+#endif
+#ifndef flags___YESCRYPT_RW
+#define flags___YESCRYPT_RW ((void)flags, YESCRYPT_RW)
+#endif
+#ifndef flags___YESCRYPT_MODE_MASK
+#define flags___YESCRYPT_MODE_MASK ((void)flags, YESCRYPT_RW)
+#endif
+// standard ("j9T") values:
+#ifndef YCTX_param_N
+#define YCTX_param_N     4096
+#endif
+#ifndef YCTX_param_r
+#define YCTX_param_r     32
+#endif
+#ifndef YCTX_param_p
+#define YCTX_param_p     1
+#endif
+#ifndef YCTX_param_t
+#define YCTX_param_t     0
+#endif
+#ifndef YCTX_param_g
+#define YCTX_param_g     0
+#endif
+#ifndef YCTX_param_NROM
+#define YCTX_param_NROM  0
+#endif
+// "Faster/smaller code" knobs:
+// -941 bytes:
+#define KDF_UNROLL_COPY 0
+// -5324 bytes if 0:
+#define KDF_UNROLL_PWXFORM_ROUND 0
+// -4864 bytes if 0:
+#define KDF_UNROLL_PWXFORM 0
+// if both this ^^^^^^^^^^ and PWXFORM_ROUND set to 0: -7666 bytes
+// -464 bytes:
+#define KDF_UNROLL_SALSA20 0
+/**
+ * Type and possible values for the flags argument of yescrypt_kdf(),
+ * yescrypt_encode_params_r(), yescrypt_encode_params().  Most of these may be
+ * OR'ed together, except that YESCRYPT_WORM stands on its own.
+ * Please refer to the description of yescrypt_kdf() below for the meaning of
+ * these flags.
+ */
+/* yescrypt flags:
+ * bits pos: 7654321076543210
+ *                    ss  r w
+ *                sbox  gg y
+ */
+/* Public */
+#define YESCRYPT_WORM                   1
+#define YESCRYPT_RW                     0x002
+#define YESCRYPT_ROUNDS_3               0x000 //r=0
+#define YESCRYPT_ROUNDS_6               0x004 //r=1
+#define YESCRYPT_GATHER_1               0x000 //gg=00
+#define YESCRYPT_GATHER_2               0x008 //gg=01
+#define YESCRYPT_GATHER_4               0x010 //gg=10
+#define YESCRYPT_GATHER_8               0x018 //gg=11
+#define YESCRYPT_SIMPLE_1               0x000 //ss=00
+#define YESCRYPT_SIMPLE_2               0x020 //ss=01
+#define YESCRYPT_SIMPLE_4               0x040 //ss=10
+#define YESCRYPT_SIMPLE_8               0x060 //ss=11
+#define YESCRYPT_SBOX_6K                0x000 //sbox=0000
+#define YESCRYPT_SBOX_12K               0x080 //sbox=0001
+#define YESCRYPT_SBOX_24K               0x100 //sbox=0010
+#define YESCRYPT_SBOX_48K               0x180 //sbox=0011
+#define YESCRYPT_SBOX_96K               0x200 //sbox=0100
+#define YESCRYPT_SBOX_192K              0x280 //sbox=0101
+#define YESCRYPT_SBOX_384K              0x300 //sbox=0110
+#define YESCRYPT_SBOX_768K              0x380 //sbox=0111
+#ifdef YESCRYPT_INTERNAL
+/* Private */
+#define YESCRYPT_MODE_MASK              0x003
+#define YESCRYPT_RW_FLAVOR_MASK         0x3fc
+#define YESCRYPT_ALLOC_ONLY             0x08000000
+#define YESCRYPT_PREHASH                0x10000000
+#endif
+#define YESCRYPT_RW_DEFAULTS \
+        (YESCRYPT_RW | \
+        YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 | YESCRYPT_SIMPLE_2 | \
+        YESCRYPT_SBOX_12K)
+#define YESCRYPT_DEFAULTS YESCRYPT_RW_DEFAULTS
+#ifdef YESCRYPT_INTERNAL
+#define YESCRYPT_KNOWN_FLAGS \
+        (YESCRYPT_MODE_MASK | YESCRYPT_RW_FLAVOR_MASK | \
+        YESCRYPT_ALLOC_ONLY | YESCRYPT_PREHASH)
+#endif
+/* How many chars base-64 encoded bytes require? */
+#define YESCRYPT_BYTES2CHARS(bytes) ((((bytes) * 8) + 5) / 6)
+/* The /etc/passwd-style hash is "<prefix>$<hash><NUL>" */
+/*
+ * "$y$", up to 8 params of up to 6 chars each, '$', salt
+ * Alternatively, but that's smaller:
+ * "$7$", 3 params encoded as 1+5+5 chars, salt
+ */
+#define YESCRYPT_PREFIX_LEN (3 + 8 * 6 + 1 + YESCRYPT_BYTES2CHARS(32))
+#define YESCRYPT_HASH_SIZE 32
+#define YESCRYPT_HASH_LEN  YESCRYPT_BYTES2CHARS(YESCRYPT_HASH_SIZE)
+/**
+ * Internal type used by the memory allocator.  Please do not use it directly.
+ * Use yescrypt_shared_t and yescrypt_local_t as appropriate instead, since
+ * they might differ from each other in a future version.
+ */
+typedef struct {
+//      void *base;
+        void *aligned;
+//      size_t base_size;
+        size_t aligned_size;
+} yescrypt_region_t;
+/**
+ * yescrypt parameters combined into one struct.  N, r, p are the same as in
+ * classic scrypt, except that the meaning of p changes when YESCRYPT_RW is
+ * set.  flags, t, g, NROM are special to yescrypt.
+ */
+typedef struct {
+        uint32_t flags;
+        uint32_t r;
+        uint64_t N;
+#if !RESTRICTED_PARAMS
+        uint32_t p, t, g;
+        uint64_t NROM;
+#endif
+} yescrypt_params_t;
+typedef struct {
+        yescrypt_params_t param;
+        /* salt in binary form */
+        /* stored here to cut down on the amount of function paramaters */
+        unsigned char salt[64];
+        size_t saltlen;
+        /* used by the memory allocator */
+        //yescrypt_region_t shared[1];
+        yescrypt_region_t local[1];
+} yescrypt_ctx_t;
+/**
+ * yescrypt_r(shared, local, passwd, passwdlen, setting, key, buf, buflen):
+ * Compute and encode an scrypt or enhanced scrypt hash of passwd given the
+ * parameters and salt value encoded in setting.  If shared is not NULL, a ROM
+ * is used and YESCRYPT_RW is required.  Otherwise, whether to compute classic
+ * scrypt, YESCRYPT_WORM (a slight deviation from classic scrypt), or
+ * YESCRYPT_RW (time-memory tradeoff discouraging modification) is determined
+ * by the setting string.  shared (if not NULL) and local must be initialized
+ * as described above for yescrypt_kdf().  buf must be large enough (as
+ * indicated by buflen) to hold the encoded hash string.
+ *
+ * Return the encoded hash string on success; or NULL on error.
+ *
+ * MT-safe as long as local and buf are local to the thread.
+ */
+extern char *yescrypt_r(
+            const uint8_t *passwd, size_t passwdlen,
+            const uint8_t *setting,
+            char *buf, size_t buflen
+);
diff --git a/libbb/yescrypt/y.c b/libbb/yescrypt/y.c
new file mode 100644
index 000000000..d5ab8903f
--- /dev/null
+++ b/libbb/yescrypt/y.c
@@ -0,0 +1,16 @@
+/*
+ * The compilation unit for yescrypt-related code.
+ *
+ * Copyright (C) 2025 by Denys Vlasenko <vda.linux@googlemail.com>
+ *
+ * Licensed under GPLv2, see file LICENSE in this source tree.
+ */
+//kbuild:lib-$(CONFIG_USE_BB_CRYPT_YES) += y.o
+#include "libbb.h"
+#define YESCRYPT_INTERNAL
+#include "alg-yescrypt.h"
+#include "alg-sha256.c"
+#include "alg-yescrypt-kdf.c"
+#include "alg-yescrypt-common.c"