bind9/lib/isc/chacha_private.h

/*
 * Taken from OpenBSD CVS src/lib/libc/crypt/chacha_private.h on
 * May 12, 2014.
 */

/*
chacha-merged.c version 20080118
D. J. Bernstein
Public domain.
*/

typedef unsigned char u8;
typedef unsigned int u32;

typedef struct
{
  u32 input[16]; /* could be compressed */
} chacha_ctx;

#define U8C(v) (v##U)
#define U32C(v) (v##U)

#define U8V(v) ((u8)(v) & U8C(0xFF))
#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))

#define ROTL32(v, n) \
  (U32V((v) << (n)) | ((v) >> (32 - (n))))

#define U8TO32_LITTLE(p) \
  (((u32)((p)[0])      ) | \
   ((u32)((p)[1]) <<  8) | \
   ((u32)((p)[2]) << 16) | \
   ((u32)((p)[3]) << 24))

#define U32TO8_LITTLE(p, v) \
  do { \
    (p)[0] = U8V((v)      ); \
    (p)[1] = U8V((v) >>  8); \
    (p)[2] = U8V((v) >> 16); \
    (p)[3] = U8V((v) >> 24); \
  } while (0)

#define ROTATE(v,c) (ROTL32(v,c))
#define XOR(v,w) ((v) ^ (w))
#define PLUS(v,w) (U32V((v) + (w)))
#define PLUSONE(v) (PLUS((v),1))

#define QUARTERROUND(a,b,c,d) \
  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);

static const char sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
				'2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
static const char tau[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '1',
			      '6', '-', 'b', 'y', 't', 'e', ' ', 'k' };

static void
chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
{
  const char *constants;

  UNUSED(ivbits);

  x->input[4] = U8TO32_LITTLE(k + 0);
  x->input[5] = U8TO32_LITTLE(k + 4);
  x->input[6] = U8TO32_LITTLE(k + 8);
  x->input[7] = U8TO32_LITTLE(k + 12);
  if (kbits == 256) { /* recommended */
    k += 16;
    constants = sigma;
  } else { /* kbits == 128 */
    constants = tau;
  }
  x->input[8] = U8TO32_LITTLE(k + 0);
  x->input[9] = U8TO32_LITTLE(k + 4);
  x->input[10] = U8TO32_LITTLE(k + 8);
  x->input[11] = U8TO32_LITTLE(k + 12);
  x->input[0] = U8TO32_LITTLE(constants + 0);
  x->input[1] = U8TO32_LITTLE(constants + 4);
  x->input[2] = U8TO32_LITTLE(constants + 8);
  x->input[3] = U8TO32_LITTLE(constants + 12);
}

static void
chacha_ivsetup(chacha_ctx *x,const u8 *iv)
{
  x->input[12] = 0;
  x->input[13] = 0;
  x->input[14] = U8TO32_LITTLE(iv + 0);
  x->input[15] = U8TO32_LITTLE(iv + 4);
}

static void
chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
{
  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
  u8 *ctarget = NULL;
  u8 tmp[64];
  u_int i;

  if (!bytes) return;

  j0 = x->input[0];
  j1 = x->input[1];
  j2 = x->input[2];
  j3 = x->input[3];
  j4 = x->input[4];
  j5 = x->input[5];
  j6 = x->input[6];
  j7 = x->input[7];
  j8 = x->input[8];
  j9 = x->input[9];
  j10 = x->input[10];
  j11 = x->input[11];
  j12 = x->input[12];
  j13 = x->input[13];
  j14 = x->input[14];
  j15 = x->input[15];

  for (;;) {
    if (bytes < 64) {
      for (i = 0;i < bytes;++i) tmp[i] = m[i];
      m = tmp;
      ctarget = c;
      c = tmp;
    }
    x0 = j0;
    x1 = j1;
    x2 = j2;
    x3 = j3;
    x4 = j4;
    x5 = j5;
    x6 = j6;
    x7 = j7;
    x8 = j8;
    x9 = j9;
    x10 = j10;
    x11 = j11;
    x12 = j12;
    x13 = j13;
    x14 = j14;
    x15 = j15;
    for (i = 20;i > 0;i -= 2) {
      QUARTERROUND( x0, x4, x8,x12)
      QUARTERROUND( x1, x5, x9,x13)
      QUARTERROUND( x2, x6,x10,x14)
      QUARTERROUND( x3, x7,x11,x15)
      QUARTERROUND( x0, x5,x10,x15)
      QUARTERROUND( x1, x6,x11,x12)
      QUARTERROUND( x2, x7, x8,x13)
      QUARTERROUND( x3, x4, x9,x14)
    }
    x0 = PLUS(x0,j0);
    x1 = PLUS(x1,j1);
    x2 = PLUS(x2,j2);
    x3 = PLUS(x3,j3);
    x4 = PLUS(x4,j4);
    x5 = PLUS(x5,j5);
    x6 = PLUS(x6,j6);
    x7 = PLUS(x7,j7);
    x8 = PLUS(x8,j8);
    x9 = PLUS(x9,j9);
    x10 = PLUS(x10,j10);
    x11 = PLUS(x11,j11);
    x12 = PLUS(x12,j12);
    x13 = PLUS(x13,j13);
    x14 = PLUS(x14,j14);
    x15 = PLUS(x15,j15);

#ifndef KEYSTREAM_ONLY
    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
#endif

    j12 = PLUSONE(j12);
    if (!j12) {
      j13 = PLUSONE(j13);
      /* stopping at 2^70 bytes per nonce is user's responsibility */
    }

    U32TO8_LITTLE(c + 0,x0);
    U32TO8_LITTLE(c + 4,x1);
    U32TO8_LITTLE(c + 8,x2);
    U32TO8_LITTLE(c + 12,x3);
    U32TO8_LITTLE(c + 16,x4);
    U32TO8_LITTLE(c + 20,x5);
    U32TO8_LITTLE(c + 24,x6);
    U32TO8_LITTLE(c + 28,x7);
    U32TO8_LITTLE(c + 32,x8);
    U32TO8_LITTLE(c + 36,x9);
    U32TO8_LITTLE(c + 40,x10);
    U32TO8_LITTLE(c + 44,x11);
    U32TO8_LITTLE(c + 48,x12);
    U32TO8_LITTLE(c + 52,x13);
    U32TO8_LITTLE(c + 56,x14);
    U32TO8_LITTLE(c + 60,x15);

    if (bytes <= 64) {
      if (bytes < 64) {
        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
      }
      x->input[12] = j12;
      x->input[13] = j13;
      return;
    }
    bytes -= 64;
    c += 64;
#ifndef KEYSTREAM_ONLY
    m += 64;
#endif
  }
}
[35942] Update random number generator to ChaCha based (and add tests) Squashed commit of the following: commit 219a904fea95c74016229b6f4436d4f09de1bfd0 Author: Evan Hunt <each@isc.org> Date: Mon Jun 2 12:20:54 2014 -0700 [rt35942] style commit 90bc77185e9798af4595989abb8698efef8c70d7 Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 18:01:30 2014 +0530 Return p-value=0 when prerequisite (monobit) fails commit 5594669728f1181a447616f60b835e4a043d1b21 Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 17:44:25 2014 +0530 Print proportion of test sequences passing too commit 9e94b67a4114651224a8285f7c4a7fb03907f376 Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 17:34:03 2014 +0530 Check uniform distribution of p-values commit acf911b32dd84ac1c30c57d8937cfeb6b3ff972f Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 17:17:39 2014 +0530 Check proportion of sequences passing a test commit 7289eb441fc4ec623364ad882e22b240ba8da308 Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 04:33:37 2014 +0530 Refactor common setup code into random_test() No behavioral change is made. commit 51feef3e08c233d34a6b8b9d25a72d43110b4eed Author: Mukund Sivaraman <muks@isc.org> Date: Sun Jun 1 17:31:57 2014 +0530 Fix binary rank computation commit 0ea3c03dea353f309d13c38e26aa0abbffdcff2b Author: Mukund Sivaraman <muks@isc.org> Date: Tue May 27 06:01:10 2014 +0530 Add binary matrix rank RNG test commit eb4e7c53540ac97436d94714d30084907eeff01a Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 15:45:31 2014 +0530 Add function to find rank of a binary matrix commit 1292a06e0e09ebd37d4ecf5337814951dcacc4a4 Author: Evan Hunt <each@isc.org> Date: Thu May 29 16:21:51 2014 -0700 [rt35942] style; check whether we need libm for exp() commit c19788e5a89235e937a5aedf2ebea50f33406609 Author: Evan Hunt <each@isc.org> Date: Thu May 29 15:31:19 2014 -0700 [rt35942] incidental spelling error fixed commit c833326ad0df21e2a8b35958e85ccc0a692e38be Author: Mukund Sivaraman <muks@isc.org> Date: Thu May 29 11:34:37 2014 +0530 Revert "Add function to find rank of a binary matrix" This reverts commit 21b2f230e17f7fc638f81d9a34bcb148b0c4a6fb. This test will be added in RT#36125. commit cf786a533d34fdcd9e1c5650356e56d33e93a29f Author: Mukund Sivaraman <muks@isc.org> Date: Thu May 29 11:33:18 2014 +0530 Revert "Add binary matrix rank RNG test" This reverts commit dd843b9ca84fa9af80ec39631152f82778f0b97c. This test will be added in RT#36125. commit dd843b9ca84fa9af80ec39631152f82778f0b97c Author: Mukund Sivaraman <muks@isc.org> Date: Tue May 27 06:01:10 2014 +0530 Add binary matrix rank RNG test commit 21b2f230e17f7fc638f81d9a34bcb148b0c4a6fb Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 15:45:31 2014 +0530 Add function to find rank of a binary matrix commit 313c30088d6ba933bde3abb920f2a6d16b9b77e1 Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 13:38:44 2014 +0530 Add block frequency random test commit 0d279c60ed3eabe52cf3e1435bf14ec62752536f Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 13:04:03 2014 +0530 Add preconditions from NIST spec commit 7a6c5f2ce5078814d5cf0fea30596e58171174c1 Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 12:51:03 2014 +0530 Add functions to use in RNG tests commit 8c5cb5594f904f6669cdffaa364f799b4a2c6b58 Author: Mukund Sivaraman <muks@isc.org> Date: Thu May 22 00:26:10 2014 +0530 Add runs RNG test commit 4882f078cc2596c0911066ffb783e4dd145a63ec Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 23:58:20 2014 +0530 Pre-compute bitcounts LUT commit 896db3809fba2d9884a4a3a2fa847a73e007ad7f Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 23:30:23 2014 +0530 Fix the bit value being checked (this shouldn't affect the test) commit b932cbb5dae39eb819db29cf9490fb51d59b7c56 Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 19:35:12 2014 +0530 Add monobits RNG test commit 7bef19fd8b095aa567a975ef5c97d5812162d92e Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 16:53:02 2014 +0530 Add API documentation commit 54483f7feb64b5646dd1da45b1fd396e7d04b926 Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 16:39:03 2014 +0530 Rename isc_rngctx_t to isc_rng_t commit 7c5031b53555137a82c6b6218cd4dd5e95acf94d Author: Evan Hunt <each@isc.org> Date: Tue May 20 23:29:53 2014 -0700 [rt35942] use attach/detach with isc_rngctx_t commit 8aabae5e09888e6af651ed27bd6b4e9f76334d55 Author: Mukund Sivaraman <muks@isc.org> Date: Tue May 20 18:32:42 2014 +0530 Move RNG from dispatch.c to libisc commit e6d4ad4f389998b91d46e95e258cf420cb21d977 Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 12 19:16:27 2014 +0530 Replace old arc4random with new ChaCha implementation from OpenBSD 2014-06-04 04:08:59 -04:00			`/*`
			`* Taken from OpenBSD CVS src/lib/libc/crypt/chacha_private.h on`
			`* May 12, 2014.`
			`*/`

			`/*`
			`chacha-merged.c version 20080118`
			`D. J. Bernstein`
			`Public domain.`
			`*/`

			`typedef unsigned char u8;`
			`typedef unsigned int u32;`

			`typedef struct`
			`{`
			`u32 input[16]; /* could be compressed */`
			`} chacha_ctx;`

			`#define U8C(v) (v##U)`
			`#define U32C(v) (v##U)`

			`#define U8V(v) ((u8)(v) & U8C(0xFF))`
			`#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))`

			`#define ROTL32(v, n) \`
			`(U32V((v) << (n)) \| ((v) >> (32 - (n))))`

			`#define U8TO32_LITTLE(p) \`
			`(((u32)((p)[0]) ) \| \`
			`((u32)((p)[1]) << 8) \| \`
			`((u32)((p)[2]) << 16) \| \`
			`((u32)((p)[3]) << 24))`

			`#define U32TO8_LITTLE(p, v) \`
			`do { \`
			`(p)[0] = U8V((v) ); \`
			`(p)[1] = U8V((v) >> 8); \`
			`(p)[2] = U8V((v) >> 16); \`
			`(p)[3] = U8V((v) >> 24); \`
			`} while (0)`

			`#define ROTATE(v,c) (ROTL32(v,c))`
			`#define XOR(v,w) ((v) ^ (w))`
			`#define PLUS(v,w) (U32V((v) + (w)))`
			`#define PLUSONE(v) (PLUS((v),1))`

			`#define QUARTERROUND(a,b,c,d) \`
			`a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \`
			`c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \`
			`a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \`
			`c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);`

silence compiler warnings 2014-06-09 22:38:32 -04:00			`static const char sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',`
			`'2', '-', 'b', 'y', 't', 'e', ' ', 'k' };`
			`static const char tau[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '1',`
			`'6', '-', 'b', 'y', 't', 'e', ' ', 'k' };`
[35942] Update random number generator to ChaCha based (and add tests) Squashed commit of the following: commit 219a904fea95c74016229b6f4436d4f09de1bfd0 Author: Evan Hunt <each@isc.org> Date: Mon Jun 2 12:20:54 2014 -0700 [rt35942] style commit 90bc77185e9798af4595989abb8698efef8c70d7 Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 18:01:30 2014 +0530 Return p-value=0 when prerequisite (monobit) fails commit 5594669728f1181a447616f60b835e4a043d1b21 Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 17:44:25 2014 +0530 Print proportion of test sequences passing too commit 9e94b67a4114651224a8285f7c4a7fb03907f376 Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 17:34:03 2014 +0530 Check uniform distribution of p-values commit acf911b32dd84ac1c30c57d8937cfeb6b3ff972f Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 17:17:39 2014 +0530 Check proportion of sequences passing a test commit 7289eb441fc4ec623364ad882e22b240ba8da308 Author: Mukund Sivaraman <muks@isc.org> Date: Mon Jun 2 04:33:37 2014 +0530 Refactor common setup code into random_test() No behavioral change is made. commit 51feef3e08c233d34a6b8b9d25a72d43110b4eed Author: Mukund Sivaraman <muks@isc.org> Date: Sun Jun 1 17:31:57 2014 +0530 Fix binary rank computation commit 0ea3c03dea353f309d13c38e26aa0abbffdcff2b Author: Mukund Sivaraman <muks@isc.org> Date: Tue May 27 06:01:10 2014 +0530 Add binary matrix rank RNG test commit eb4e7c53540ac97436d94714d30084907eeff01a Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 15:45:31 2014 +0530 Add function to find rank of a binary matrix commit 1292a06e0e09ebd37d4ecf5337814951dcacc4a4 Author: Evan Hunt <each@isc.org> Date: Thu May 29 16:21:51 2014 -0700 [rt35942] style; check whether we need libm for exp() commit c19788e5a89235e937a5aedf2ebea50f33406609 Author: Evan Hunt <each@isc.org> Date: Thu May 29 15:31:19 2014 -0700 [rt35942] incidental spelling error fixed commit c833326ad0df21e2a8b35958e85ccc0a692e38be Author: Mukund Sivaraman <muks@isc.org> Date: Thu May 29 11:34:37 2014 +0530 Revert "Add function to find rank of a binary matrix" This reverts commit 21b2f230e17f7fc638f81d9a34bcb148b0c4a6fb. This test will be added in RT#36125. commit cf786a533d34fdcd9e1c5650356e56d33e93a29f Author: Mukund Sivaraman <muks@isc.org> Date: Thu May 29 11:33:18 2014 +0530 Revert "Add binary matrix rank RNG test" This reverts commit dd843b9ca84fa9af80ec39631152f82778f0b97c. This test will be added in RT#36125. commit dd843b9ca84fa9af80ec39631152f82778f0b97c Author: Mukund Sivaraman <muks@isc.org> Date: Tue May 27 06:01:10 2014 +0530 Add binary matrix rank RNG test commit 21b2f230e17f7fc638f81d9a34bcb148b0c4a6fb Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 15:45:31 2014 +0530 Add function to find rank of a binary matrix commit 313c30088d6ba933bde3abb920f2a6d16b9b77e1 Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 13:38:44 2014 +0530 Add block frequency random test commit 0d279c60ed3eabe52cf3e1435bf14ec62752536f Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 13:04:03 2014 +0530 Add preconditions from NIST spec commit 7a6c5f2ce5078814d5cf0fea30596e58171174c1 Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 26 12:51:03 2014 +0530 Add functions to use in RNG tests commit 8c5cb5594f904f6669cdffaa364f799b4a2c6b58 Author: Mukund Sivaraman <muks@isc.org> Date: Thu May 22 00:26:10 2014 +0530 Add runs RNG test commit 4882f078cc2596c0911066ffb783e4dd145a63ec Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 23:58:20 2014 +0530 Pre-compute bitcounts LUT commit 896db3809fba2d9884a4a3a2fa847a73e007ad7f Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 23:30:23 2014 +0530 Fix the bit value being checked (this shouldn't affect the test) commit b932cbb5dae39eb819db29cf9490fb51d59b7c56 Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 19:35:12 2014 +0530 Add monobits RNG test commit 7bef19fd8b095aa567a975ef5c97d5812162d92e Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 16:53:02 2014 +0530 Add API documentation commit 54483f7feb64b5646dd1da45b1fd396e7d04b926 Author: Mukund Sivaraman <muks@isc.org> Date: Wed May 21 16:39:03 2014 +0530 Rename isc_rngctx_t to isc_rng_t commit 7c5031b53555137a82c6b6218cd4dd5e95acf94d Author: Evan Hunt <each@isc.org> Date: Tue May 20 23:29:53 2014 -0700 [rt35942] use attach/detach with isc_rngctx_t commit 8aabae5e09888e6af651ed27bd6b4e9f76334d55 Author: Mukund Sivaraman <muks@isc.org> Date: Tue May 20 18:32:42 2014 +0530 Move RNG from dispatch.c to libisc commit e6d4ad4f389998b91d46e95e258cf420cb21d977 Author: Mukund Sivaraman <muks@isc.org> Date: Mon May 12 19:16:27 2014 +0530 Replace old arc4random with new ChaCha implementation from OpenBSD 2014-06-04 04:08:59 -04:00
			`static void`
			`chacha_keysetup(chacha_ctx x,const u8 k,u32 kbits,u32 ivbits)`
			`{`
			`const char *constants;`

			`UNUSED(ivbits);`

			`x->input[4] = U8TO32_LITTLE(k + 0);`
			`x->input[5] = U8TO32_LITTLE(k + 4);`
			`x->input[6] = U8TO32_LITTLE(k + 8);`
			`x->input[7] = U8TO32_LITTLE(k + 12);`
			`if (kbits == 256) { /* recommended */`
			`k += 16;`
			`constants = sigma;`
			`} else { /* kbits == 128 */`
			`constants = tau;`
			`}`
			`x->input[8] = U8TO32_LITTLE(k + 0);`
			`x->input[9] = U8TO32_LITTLE(k + 4);`
			`x->input[10] = U8TO32_LITTLE(k + 8);`
			`x->input[11] = U8TO32_LITTLE(k + 12);`
			`x->input[0] = U8TO32_LITTLE(constants + 0);`
			`x->input[1] = U8TO32_LITTLE(constants + 4);`
			`x->input[2] = U8TO32_LITTLE(constants + 8);`
			`x->input[3] = U8TO32_LITTLE(constants + 12);`
			`}`

			`static void`
			`chacha_ivsetup(chacha_ctx x,const u8 iv)`
			`{`
			`x->input[12] = 0;`
			`x->input[13] = 0;`
			`x->input[14] = U8TO32_LITTLE(iv + 0);`
			`x->input[15] = U8TO32_LITTLE(iv + 4);`
			`}`

			`static void`
			`chacha_encrypt_bytes(chacha_ctx x,const u8 m,u8 *c,u32 bytes)`
			`{`
			`u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;`
			`u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;`
			`u8 *ctarget = NULL;`
			`u8 tmp[64];`
			`u_int i;`

			`if (!bytes) return;`

			`j0 = x->input[0];`
			`j1 = x->input[1];`
			`j2 = x->input[2];`
			`j3 = x->input[3];`
			`j4 = x->input[4];`
			`j5 = x->input[5];`
			`j6 = x->input[6];`
			`j7 = x->input[7];`
			`j8 = x->input[8];`
			`j9 = x->input[9];`
			`j10 = x->input[10];`
			`j11 = x->input[11];`
			`j12 = x->input[12];`
			`j13 = x->input[13];`
			`j14 = x->input[14];`
			`j15 = x->input[15];`

			`for (;;) {`
			`if (bytes < 64) {`
			`for (i = 0;i < bytes;++i) tmp[i] = m[i];`
			`m = tmp;`
			`ctarget = c;`
			`c = tmp;`
			`}`
			`x0 = j0;`
			`x1 = j1;`
			`x2 = j2;`
			`x3 = j3;`
			`x4 = j4;`
			`x5 = j5;`
			`x6 = j6;`
			`x7 = j7;`
			`x8 = j8;`
			`x9 = j9;`
			`x10 = j10;`
			`x11 = j11;`
			`x12 = j12;`
			`x13 = j13;`
			`x14 = j14;`
			`x15 = j15;`
			`for (i = 20;i > 0;i -= 2) {`
			`QUARTERROUND( x0, x4, x8,x12)`
			`QUARTERROUND( x1, x5, x9,x13)`
			`QUARTERROUND( x2, x6,x10,x14)`
			`QUARTERROUND( x3, x7,x11,x15)`
			`QUARTERROUND( x0, x5,x10,x15)`
			`QUARTERROUND( x1, x6,x11,x12)`
			`QUARTERROUND( x2, x7, x8,x13)`
			`QUARTERROUND( x3, x4, x9,x14)`
			`}`
			`x0 = PLUS(x0,j0);`
			`x1 = PLUS(x1,j1);`
			`x2 = PLUS(x2,j2);`
			`x3 = PLUS(x3,j3);`
			`x4 = PLUS(x4,j4);`
			`x5 = PLUS(x5,j5);`
			`x6 = PLUS(x6,j6);`
			`x7 = PLUS(x7,j7);`
			`x8 = PLUS(x8,j8);`
			`x9 = PLUS(x9,j9);`
			`x10 = PLUS(x10,j10);`
			`x11 = PLUS(x11,j11);`
			`x12 = PLUS(x12,j12);`
			`x13 = PLUS(x13,j13);`
			`x14 = PLUS(x14,j14);`
			`x15 = PLUS(x15,j15);`

			`#ifndef KEYSTREAM_ONLY`
			`x0 = XOR(x0,U8TO32_LITTLE(m + 0));`
			`x1 = XOR(x1,U8TO32_LITTLE(m + 4));`
			`x2 = XOR(x2,U8TO32_LITTLE(m + 8));`
			`x3 = XOR(x3,U8TO32_LITTLE(m + 12));`
			`x4 = XOR(x4,U8TO32_LITTLE(m + 16));`
			`x5 = XOR(x5,U8TO32_LITTLE(m + 20));`
			`x6 = XOR(x6,U8TO32_LITTLE(m + 24));`
			`x7 = XOR(x7,U8TO32_LITTLE(m + 28));`
			`x8 = XOR(x8,U8TO32_LITTLE(m + 32));`
			`x9 = XOR(x9,U8TO32_LITTLE(m + 36));`
			`x10 = XOR(x10,U8TO32_LITTLE(m + 40));`
			`x11 = XOR(x11,U8TO32_LITTLE(m + 44));`
			`x12 = XOR(x12,U8TO32_LITTLE(m + 48));`
			`x13 = XOR(x13,U8TO32_LITTLE(m + 52));`
			`x14 = XOR(x14,U8TO32_LITTLE(m + 56));`
			`x15 = XOR(x15,U8TO32_LITTLE(m + 60));`
			`#endif`

			`j12 = PLUSONE(j12);`
			`if (!j12) {`
			`j13 = PLUSONE(j13);`
			`/* stopping at 2^70 bytes per nonce is user's responsibility */`
			`}`

			`U32TO8_LITTLE(c + 0,x0);`
			`U32TO8_LITTLE(c + 4,x1);`
			`U32TO8_LITTLE(c + 8,x2);`
			`U32TO8_LITTLE(c + 12,x3);`
			`U32TO8_LITTLE(c + 16,x4);`
			`U32TO8_LITTLE(c + 20,x5);`
			`U32TO8_LITTLE(c + 24,x6);`
			`U32TO8_LITTLE(c + 28,x7);`
			`U32TO8_LITTLE(c + 32,x8);`
			`U32TO8_LITTLE(c + 36,x9);`
			`U32TO8_LITTLE(c + 40,x10);`
			`U32TO8_LITTLE(c + 44,x11);`
			`U32TO8_LITTLE(c + 48,x12);`
			`U32TO8_LITTLE(c + 52,x13);`
			`U32TO8_LITTLE(c + 56,x14);`
			`U32TO8_LITTLE(c + 60,x15);`

			`if (bytes <= 64) {`
			`if (bytes < 64) {`
			`for (i = 0;i < bytes;++i) ctarget[i] = c[i];`
			`}`
			`x->input[12] = j12;`
			`x->input[13] = j13;`
			`return;`
			`}`
			`bytes -= 64;`
			`c += 64;`
			`#ifndef KEYSTREAM_ONLY`
			`m += 64;`
			`#endif`
			`}`
			`}`