lib/isc/chacha_private.h

84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman/*
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman * Taken from OpenBSD CVS src/lib/libc/crypt/chacha_private.h on
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman * May 12, 2014.
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman */
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman/*
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramanchacha-merged.c version 20080118
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund SivaramanD. J. Bernstein
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund SivaramanPublic domain.
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman*/
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramantypedef unsigned char u8;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramantypedef unsigned int u32;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramantypedef struct
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman{
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  u32 input[16]; /* could be compressed */
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman} chacha_ctx;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define U8C(v) (v##U)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define U32C(v) (v##U)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define U8V(v) ((u8)(v) & U8C(0xFF))
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define ROTL32(v, n) \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  (U32V((v) << (n)) | ((v) >> (32 - (n))))
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define U8TO32_LITTLE(p) \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  (((u32)((p)[0])      ) | \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman   ((u32)((p)[1]) <<  8) | \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman   ((u32)((p)[2]) << 16) | \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman   ((u32)((p)[3]) << 24))
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define U32TO8_LITTLE(p, v) \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  do { \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    (p)[0] = U8V((v)      ); \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    (p)[1] = U8V((v) >>  8); \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    (p)[2] = U8V((v) >> 16); \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    (p)[3] = U8V((v) >> 24); \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  } while (0)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define ROTATE(v,c) (ROTL32(v,c))
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define XOR(v,w) ((v) ^ (w))
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define PLUS(v,w) (U32V((v) + (w)))
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define PLUSONE(v) (PLUS((v),1))
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#define QUARTERROUND(a,b,c,d) \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
5331f97edc125f66ac6d0060b3d016309169f411Mark Andrewsstatic const char sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
5331f97edc125f66ac6d0060b3d016309169f411Mark Andrews                '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
5331f97edc125f66ac6d0060b3d016309169f411Mark Andrewsstatic const char tau[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '1',
5331f97edc125f66ac6d0060b3d016309169f411Mark Andrews                  '6', '-', 'b', 'y', 't', 'e', ' ', 'k' };
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramanstatic void
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramanchacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman{
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  const char *constants;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  UNUSED(ivbits);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[4] = U8TO32_LITTLE(k + 0);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[5] = U8TO32_LITTLE(k + 4);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[6] = U8TO32_LITTLE(k + 8);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[7] = U8TO32_LITTLE(k + 12);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  if (kbits == 256) { /* recommended */
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    k += 16;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    constants = sigma;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  } else { /* kbits == 128 */
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    constants = tau;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  }
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[8] = U8TO32_LITTLE(k + 0);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[9] = U8TO32_LITTLE(k + 4);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[10] = U8TO32_LITTLE(k + 8);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[11] = U8TO32_LITTLE(k + 12);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[0] = U8TO32_LITTLE(constants + 0);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[1] = U8TO32_LITTLE(constants + 4);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[2] = U8TO32_LITTLE(constants + 8);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[3] = U8TO32_LITTLE(constants + 12);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman}
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramanstatic void
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramanchacha_ivsetup(chacha_ctx *x,const u8 *iv)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman{
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[12] = 0;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[13] = 0;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[14] = U8TO32_LITTLE(iv + 0);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  x->input[15] = U8TO32_LITTLE(iv + 4);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman}
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramanstatic void
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaramanchacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman{
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  u8 *ctarget = NULL;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  u8 tmp[64];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  u_int i;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  if (!bytes) return;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j0 = x->input[0];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j1 = x->input[1];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j2 = x->input[2];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j3 = x->input[3];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j4 = x->input[4];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j5 = x->input[5];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j6 = x->input[6];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j7 = x->input[7];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j8 = x->input[8];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j9 = x->input[9];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j10 = x->input[10];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j11 = x->input[11];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j12 = x->input[12];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j13 = x->input[13];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j14 = x->input[14];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  j15 = x->input[15];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  for (;;) {
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    if (bytes < 64) {
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      for (i = 0;i < bytes;++i) tmp[i] = m[i];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      m = tmp;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      ctarget = c;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      c = tmp;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    }
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x0 = j0;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x1 = j1;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x2 = j2;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x3 = j3;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x4 = j4;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x5 = j5;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x6 = j6;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x7 = j7;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x8 = j8;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x9 = j9;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x10 = j10;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x11 = j11;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x12 = j12;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x13 = j13;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x14 = j14;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x15 = j15;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    for (i = 20;i > 0;i -= 2) {
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      QUARTERROUND( x0, x4, x8,x12)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      QUARTERROUND( x1, x5, x9,x13)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      QUARTERROUND( x2, x6,x10,x14)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      QUARTERROUND( x3, x7,x11,x15)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      QUARTERROUND( x0, x5,x10,x15)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      QUARTERROUND( x1, x6,x11,x12)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      QUARTERROUND( x2, x7, x8,x13)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      QUARTERROUND( x3, x4, x9,x14)
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    }
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x0 = PLUS(x0,j0);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x1 = PLUS(x1,j1);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x2 = PLUS(x2,j2);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x3 = PLUS(x3,j3);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x4 = PLUS(x4,j4);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x5 = PLUS(x5,j5);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x6 = PLUS(x6,j6);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x7 = PLUS(x7,j7);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x8 = PLUS(x8,j8);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x9 = PLUS(x9,j9);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x10 = PLUS(x10,j10);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x11 = PLUS(x11,j11);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x12 = PLUS(x12,j12);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x13 = PLUS(x13,j13);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x14 = PLUS(x14,j14);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x15 = PLUS(x15,j15);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#ifndef KEYSTREAM_ONLY
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#endif
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    j12 = PLUSONE(j12);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    if (!j12) {
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      j13 = PLUSONE(j13);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      /* stopping at 2^70 bytes per nonce is user's responsibility */
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    }
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 0,x0);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 4,x1);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 8,x2);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 12,x3);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 16,x4);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 20,x5);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 24,x6);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 28,x7);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 32,x8);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 36,x9);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 40,x10);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 44,x11);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 48,x12);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 52,x13);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 56,x14);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    U32TO8_LITTLE(c + 60,x15);
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    if (bytes <= 64) {
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      if (bytes < 64) {
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      }
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      x->input[12] = j12;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      x->input[13] = j13;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman      return;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    }
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    bytes -= 64;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    c += 64;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#ifndef KEYSTREAM_ONLY
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman    m += 64;
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman#endif
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman  }
84dc4b3e7eea3e9c8fafa5f4fd632a51ee8b356fMukund Sivaraman}