Bug Summary

File:src/libexec/ld.so/chacha_private.h
Warning:line 118, column 40
Assigned value is garbage or undefined

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name util.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -target-feature -sse2 -target-feature -sse -target-feature -3dnow -target-feature -mmx -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/libexec/ld.so/obj -resource-dir /usr/local/lib/clang/13.0.0 -D DO_CLEAN_BOOT -I /usr/src/libexec/ld.so -I /usr/src/libexec/ld.so/amd64 -D DEF_WEAK(x)=asm("") -D DEF_STRONG(x)=asm("") -D strsep=_dl_strsep -D strlcat=_dl_strlcat -D strlen=_dl_strlen -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/libexec/ld.so/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fno-builtin -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/libexec/ld.so/util.c

/usr/src/libexec/ld.so/util.c

1/* $OpenBSD: util.c,v 1.49 2022/01/08 06:49:41 guenther Exp $ */
2
3/*
4 * Copyright (c) 1998 Per Fogelstrom, Opsycon AB
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
16 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
19 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 *
27 */
28
29#include <sys/types.h>
30#include <syslog.h>
31
32#include "syscall.h"
33#include "util.h"
34#include "resolve.h"
35#define KEYSTREAM_ONLY
36#include "chacha_private.h"
37
38#ifndef _RET_PROTECTOR1
39/*
40 * Stack protector dummies.
41 * Ideally, a scheme to compile these stubs from libc should be used, but
42 * this would end up dragging too much code from libc here.
43 */
44long __guard_local __dso_hidden__attribute__((__visibility__("hidden"))) __attribute__((section(".openbsd.randomdata")));
45
46void __stack_smash_handler(char [], int);
47
48void
49__stack_smash_handler(char func[], int damaged)
50{
51 char message[256];
52
53 /* <10> indicates LOG_CRIT */
54 _dl_strlcpy(message, "<10>ld.so:", sizeof message);
55 _dl_strlcat(message, __progname, sizeof message);
56 if (_dl_strlen(message) > sizeof(message)/2)
57 _dl_strlcpy(message + sizeof(message)/2, "...",
58 sizeof(message) - sizeof(message)/2);
59 _dl_strlcat(message, " stack overflow in function ", sizeof message);
60 _dl_strlcat(message, func, sizeof message);
61
62 _dl_sendsyslog(message, _dl_strlen(message), LOG_CONS0x02);
63 _dl_diedie()_dl_thrkill(0, 9, ((void*)0));
64}
65#endif /* _RET_PROTECTOR */
66
67char *
68_dl_strdup(const char *orig)
69{
70 char *newstr;
71 size_t len;
72
73 len = _dl_strlen(orig)+1;
74 newstr = _dl_malloc(len);
75 if (newstr != NULL((void*)0))
76 _dl_strlcpy(newstr, orig, len);
77 return (newstr);
78}
79
80#define KEYSZ32 32
81#define IVSZ8 8
82#define REKEY_AFTER_BYTES(1 << 31) (1 << 31)
83static chacha_ctx chacha;
84static size_t chacha_bytes;
85
86void
87_dl_arc4randombuf(void *buf, size_t buflen)
88{
89 if (chacha_bytes == 0) {
2
Assuming 'chacha_bytes' is not equal to 0
3
Taking false branch
90 char bytes[KEYSZ32 + IVSZ8];
91
92 if (_dl_getentropy(bytes, KEYSZ32 + IVSZ8) != 0)
93 _dl_die("no entropy");
94 chacha_keysetup(&chacha, bytes, KEYSZ32 * 8);
95 chacha_ivsetup(&chacha, bytes + KEYSZ32);
96 if (_dl_getentropy(bytes, KEYSZ32 + IVSZ8) != 0)
97 _dl_die("could not clobber rng key");
98 }
99
100 chacha_encrypt_bytes(&chacha, buf, buf, buflen);
4
Calling 'chacha_encrypt_bytes'
101
102 if (REKEY_AFTER_BYTES(1 << 31) - chacha_bytes < buflen)
103 chacha_bytes = 0;
104 else
105 chacha_bytes += buflen;
106}
107
108u_int32_t
109_dl_arc4random(void)
110{
111 u_int32_t rnd;
112
113 _dl_arc4randombuf(&rnd, sizeof(rnd));
1
Calling '_dl_arc4randombuf'
114 return (rnd);
115}

/usr/src/libexec/ld.so/chacha_private.h

1/*
2chacha-merged.c version 20080118
3D. J. Bernstein
4Public domain.
5*/
6
7/* $OpenBSD: chacha_private.h,v 1.1 2018/02/09 22:13:04 mortimer Exp $ */
8
9typedef unsigned char u8;
10typedef unsigned int u32;
11
12typedef struct
13{
14 u32 input[16]; /* could be compressed */
15} chacha_ctx;
16
17#define U8C(v)(vU) (v##U)
18#define U32C(v)(vU) (v##U)
19
20#define U8V(v)((u8)(v) & (0xFFU)) ((u8)(v) & U8C(0xFF)(0xFFU))
21#define U32V(v)((u32)(v) & (0xFFFFFFFFU)) ((u32)(v) & U32C(0xFFFFFFFF)(0xFFFFFFFFU))
22
23#define ROTL32(v, n)(((u32)((v) << (n)) & (0xFFFFFFFFU)) | ((v) >>
(32 - (n)))) \
24 (U32V((v) << (n))((u32)((v) << (n)) & (0xFFFFFFFFU)) | ((v) >> (32 - (n))))
25
26#define U8TO32_LITTLE(p)(((u32)((p)[0]) ) | ((u32)((p)[1]) << 8) | ((u32)((p)[2
]) << 16) | ((u32)((p)[3]) << 24)) \
27 (((u32)((p)[0]) ) | \
28 ((u32)((p)[1]) << 8) | \
29 ((u32)((p)[2]) << 16) | \
30 ((u32)((p)[3]) << 24))
31
32#define U32TO8_LITTLE(p, v)do { (p)[0] = ((u8)((v)) & (0xFFU)); (p)[1] = ((u8)((v) >>
8) & (0xFFU)); (p)[2] = ((u8)((v) >> 16) & (0xFFU
)); (p)[3] = ((u8)((v) >> 24) & (0xFFU)); } while (
0) \
33 do { \
34 (p)[0] = U8V((v) )((u8)((v)) & (0xFFU)); \
35 (p)[1] = U8V((v) >> 8)((u8)((v) >> 8) & (0xFFU)); \
36 (p)[2] = U8V((v) >> 16)((u8)((v) >> 16) & (0xFFU)); \
37 (p)[3] = U8V((v) >> 24)((u8)((v) >> 24) & (0xFFU)); \
38 } while (0)
39
40#define ROTATE(v,c)((((u32)((v) << (c)) & (0xFFFFFFFFU)) | ((v) >>
(32 - (c))))) (ROTL32(v,c)(((u32)((v) << (c)) & (0xFFFFFFFFU)) | ((v) >>
(32 - (c)))))
41#define XOR(v,w)((v) ^ (w)) ((v) ^ (w))
42#define PLUS(v,w)(((u32)((v) + (w)) & (0xFFFFFFFFU))) (U32V((v) + (w))((u32)((v) + (w)) & (0xFFFFFFFFU)))
43#define PLUSONE(v)((((u32)(((v)) + (1)) & (0xFFFFFFFFU)))) (PLUS((v),1)(((u32)(((v)) + (1)) & (0xFFFFFFFFU))))
44
45#define QUARTERROUND(a,b,c,d)a = (((u32)((a) + (b)) & (0xFFFFFFFFU))); d = ((((u32)(((
(d) ^ (a))) << (16)) & (0xFFFFFFFFU)) | ((((d) ^ (a
))) >> (32 - (16))))); c = (((u32)((c) + (d)) & (0xFFFFFFFFU
))); b = ((((u32)((((b) ^ (c))) << (12)) & (0xFFFFFFFFU
)) | ((((b) ^ (c))) >> (32 - (12))))); a = (((u32)((a) +
(b)) & (0xFFFFFFFFU))); d = ((((u32)((((d) ^ (a))) <<
(8)) & (0xFFFFFFFFU)) | ((((d) ^ (a))) >> (32 - (8
))))); c = (((u32)((c) + (d)) & (0xFFFFFFFFU))); b = ((((
u32)((((b) ^ (c))) << (7)) & (0xFFFFFFFFU)) | ((((b
) ^ (c))) >> (32 - (7))))); \
46 a = PLUS(a,b)(((u32)((a) + (b)) & (0xFFFFFFFFU))); d = ROTATE(XOR(d,a),16)((((u32)((((d) ^ (a))) << (16)) & (0xFFFFFFFFU)) | (
(((d) ^ (a))) >> (32 - (16))))); \
47 c = PLUS(c,d)(((u32)((c) + (d)) & (0xFFFFFFFFU))); b = ROTATE(XOR(b,c),12)((((u32)((((b) ^ (c))) << (12)) & (0xFFFFFFFFU)) | (
(((b) ^ (c))) >> (32 - (12))))); \
48 a = PLUS(a,b)(((u32)((a) + (b)) & (0xFFFFFFFFU))); d = ROTATE(XOR(d,a), 8)((((u32)((((d) ^ (a))) << (8)) & (0xFFFFFFFFU)) | (
(((d) ^ (a))) >> (32 - (8))))); \
49 c = PLUS(c,d)(((u32)((c) + (d)) & (0xFFFFFFFFU))); b = ROTATE(XOR(b,c), 7)((((u32)((((b) ^ (c))) << (7)) & (0xFFFFFFFFU)) | (
(((b) ^ (c))) >> (32 - (7)))));
50
51static const char sigma[16] = "expand 32-byte k";
52static const char tau[16] = "expand 16-byte k";
53
54static void
55chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
56{
57 const char *constants;
58
59 x->input[4] = U8TO32_LITTLE(k + 0)(((u32)((k + 0)[0]) ) | ((u32)((k + 0)[1]) << 8) | ((u32
)((k + 0)[2]) << 16) | ((u32)((k + 0)[3]) << 24));
60 x->input[5] = U8TO32_LITTLE(k + 4)(((u32)((k + 4)[0]) ) | ((u32)((k + 4)[1]) << 8) | ((u32
)((k + 4)[2]) << 16) | ((u32)((k + 4)[3]) << 24));
61 x->input[6] = U8TO32_LITTLE(k + 8)(((u32)((k + 8)[0]) ) | ((u32)((k + 8)[1]) << 8) | ((u32
)((k + 8)[2]) << 16) | ((u32)((k + 8)[3]) << 24));
62 x->input[7] = U8TO32_LITTLE(k + 12)(((u32)((k + 12)[0]) ) | ((u32)((k + 12)[1]) << 8) | ((
u32)((k + 12)[2]) << 16) | ((u32)((k + 12)[3]) <<
24));
63 if (kbits == 256) { /* recommended */
64 k += 16;
65 constants = sigma;
66 } else { /* kbits == 128 */
67 constants = tau;
68 }
69 x->input[8] = U8TO32_LITTLE(k + 0)(((u32)((k + 0)[0]) ) | ((u32)((k + 0)[1]) << 8) | ((u32
)((k + 0)[2]) << 16) | ((u32)((k + 0)[3]) << 24));
70 x->input[9] = U8TO32_LITTLE(k + 4)(((u32)((k + 4)[0]) ) | ((u32)((k + 4)[1]) << 8) | ((u32
)((k + 4)[2]) << 16) | ((u32)((k + 4)[3]) << 24));
71 x->input[10] = U8TO32_LITTLE(k + 8)(((u32)((k + 8)[0]) ) | ((u32)((k + 8)[1]) << 8) | ((u32
)((k + 8)[2]) << 16) | ((u32)((k + 8)[3]) << 24));
72 x->input[11] = U8TO32_LITTLE(k + 12)(((u32)((k + 12)[0]) ) | ((u32)((k + 12)[1]) << 8) | ((
u32)((k + 12)[2]) << 16) | ((u32)((k + 12)[3]) <<
24));
73 x->input[0] = U8TO32_LITTLE(constants + 0)(((u32)((constants + 0)[0]) ) | ((u32)((constants + 0)[1]) <<
8) | ((u32)((constants + 0)[2]) << 16) | ((u32)((constants
+ 0)[3]) << 24));
74 x->input[1] = U8TO32_LITTLE(constants + 4)(((u32)((constants + 4)[0]) ) | ((u32)((constants + 4)[1]) <<
8) | ((u32)((constants + 4)[2]) << 16) | ((u32)((constants
+ 4)[3]) << 24));
75 x->input[2] = U8TO32_LITTLE(constants + 8)(((u32)((constants + 8)[0]) ) | ((u32)((constants + 8)[1]) <<
8) | ((u32)((constants + 8)[2]) << 16) | ((u32)((constants
+ 8)[3]) << 24));
76 x->input[3] = U8TO32_LITTLE(constants + 12)(((u32)((constants + 12)[0]) ) | ((u32)((constants + 12)[1]) <<
8) | ((u32)((constants + 12)[2]) << 16) | ((u32)((constants
+ 12)[3]) << 24));
77}
78
79static void
80chacha_ivsetup(chacha_ctx *x,const u8 *iv)
81{
82 x->input[12] = 0;
83 x->input[13] = 0;
84 x->input[14] = U8TO32_LITTLE(iv + 0)(((u32)((iv + 0)[0]) ) | ((u32)((iv + 0)[1]) << 8) | ((
u32)((iv + 0)[2]) << 16) | ((u32)((iv + 0)[3]) <<
24));
85 x->input[15] = U8TO32_LITTLE(iv + 4)(((u32)((iv + 4)[0]) ) | ((u32)((iv + 4)[1]) << 8) | ((
u32)((iv + 4)[2]) << 16) | ((u32)((iv + 4)[3]) <<
24));
86}
87
88static void
89chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
90{
91 u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
92 u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
93 u8 *ctarget = NULL((void*)0);
94 u8 tmp[64];
95 u_int i;
96
97 if (!bytes
4.1
'bytes' is 4
4.1
'bytes' is 4
) return;
5
Taking false branch
98
99 j0 = x->input[0];
100 j1 = x->input[1];
101 j2 = x->input[2];
102 j3 = x->input[3];
103 j4 = x->input[4];
104 j5 = x->input[5];
105 j6 = x->input[6];
106 j7 = x->input[7];
107 j8 = x->input[8];
108 j9 = x->input[9];
109 j10 = x->input[10];
110 j11 = x->input[11];
111 j12 = x->input[12];
112 j13 = x->input[13];
113 j14 = x->input[14];
114 j15 = x->input[15];
115
116 for (;;) {
6
Loop condition is true. Entering loop body
117 if (bytes
6.1
'bytes' is < 64
6.1
'bytes' is < 64
 < 64) {
7
Taking true branch
118 for (i = 0;i < bytes;++i) tmp[i] = m[i];
8
The value 0 is assigned to 'i'
9
Loop condition is true. Entering loop body
10
Assigned value is garbage or undefined
119 m = tmp;
120 ctarget = c;
121 c = tmp;
122 }
123 x0 = j0;
124 x1 = j1;
125 x2 = j2;
126 x3 = j3;
127 x4 = j4;
128 x5 = j5;
129 x6 = j6;
130 x7 = j7;
131 x8 = j8;
132 x9 = j9;
133 x10 = j10;
134 x11 = j11;
135 x12 = j12;
136 x13 = j13;
137 x14 = j14;
138 x15 = j15;
139 for (i = 20;i > 0;i -= 2) {
140 QUARTERROUND( x0, x4, x8,x12)x0 = (((u32)((x0) + (x4)) & (0xFFFFFFFFU))); x12 = ((((u32
)((((x12) ^ (x0))) << (16)) & (0xFFFFFFFFU)) | ((((
x12) ^ (x0))) >> (32 - (16))))); x8 = (((u32)((x8) + (x12
)) & (0xFFFFFFFFU))); x4 = ((((u32)((((x4) ^ (x8))) <<
(12)) & (0xFFFFFFFFU)) | ((((x4) ^ (x8))) >> (32 -
(12))))); x0 = (((u32)((x0) + (x4)) & (0xFFFFFFFFU))); x12
= ((((u32)((((x12) ^ (x0))) << (8)) & (0xFFFFFFFFU
)) | ((((x12) ^ (x0))) >> (32 - (8))))); x8 = (((u32)((
x8) + (x12)) & (0xFFFFFFFFU))); x4 = ((((u32)((((x4) ^ (x8
))) << (7)) & (0xFFFFFFFFU)) | ((((x4) ^ (x8))) >>
(32 - (7)))));
141 QUARTERROUND( x1, x5, x9,x13)x1 = (((u32)((x1) + (x5)) & (0xFFFFFFFFU))); x13 = ((((u32
)((((x13) ^ (x1))) << (16)) & (0xFFFFFFFFU)) | ((((
x13) ^ (x1))) >> (32 - (16))))); x9 = (((u32)((x9) + (x13
)) & (0xFFFFFFFFU))); x5 = ((((u32)((((x5) ^ (x9))) <<
(12)) & (0xFFFFFFFFU)) | ((((x5) ^ (x9))) >> (32 -
(12))))); x1 = (((u32)((x1) + (x5)) & (0xFFFFFFFFU))); x13
= ((((u32)((((x13) ^ (x1))) << (8)) & (0xFFFFFFFFU
)) | ((((x13) ^ (x1))) >> (32 - (8))))); x9 = (((u32)((
x9) + (x13)) & (0xFFFFFFFFU))); x5 = ((((u32)((((x5) ^ (x9
))) << (7)) & (0xFFFFFFFFU)) | ((((x5) ^ (x9))) >>
(32 - (7)))));
142 QUARTERROUND( x2, x6,x10,x14)x2 = (((u32)((x2) + (x6)) & (0xFFFFFFFFU))); x14 = ((((u32
)((((x14) ^ (x2))) << (16)) & (0xFFFFFFFFU)) | ((((
x14) ^ (x2))) >> (32 - (16))))); x10 = (((u32)((x10) + (
x14)) & (0xFFFFFFFFU))); x6 = ((((u32)((((x6) ^ (x10))) <<
(12)) & (0xFFFFFFFFU)) | ((((x6) ^ (x10))) >> (32 -
(12))))); x2 = (((u32)((x2) + (x6)) & (0xFFFFFFFFU))); x14
= ((((u32)((((x14) ^ (x2))) << (8)) & (0xFFFFFFFFU
)) | ((((x14) ^ (x2))) >> (32 - (8))))); x10 = (((u32)(
(x10) + (x14)) & (0xFFFFFFFFU))); x6 = ((((u32)((((x6) ^ (
x10))) << (7)) & (0xFFFFFFFFU)) | ((((x6) ^ (x10)))
>> (32 - (7)))));
143 QUARTERROUND( x3, x7,x11,x15)x3 = (((u32)((x3) + (x7)) & (0xFFFFFFFFU))); x15 = ((((u32
)((((x15) ^ (x3))) << (16)) & (0xFFFFFFFFU)) | ((((
x15) ^ (x3))) >> (32 - (16))))); x11 = (((u32)((x11) + (
x15)) & (0xFFFFFFFFU))); x7 = ((((u32)((((x7) ^ (x11))) <<
(12)) & (0xFFFFFFFFU)) | ((((x7) ^ (x11))) >> (32 -
(12))))); x3 = (((u32)((x3) + (x7)) & (0xFFFFFFFFU))); x15
= ((((u32)((((x15) ^ (x3))) << (8)) & (0xFFFFFFFFU
)) | ((((x15) ^ (x3))) >> (32 - (8))))); x11 = (((u32)(
(x11) + (x15)) & (0xFFFFFFFFU))); x7 = ((((u32)((((x7) ^ (
x11))) << (7)) & (0xFFFFFFFFU)) | ((((x7) ^ (x11)))
>> (32 - (7)))));
144 QUARTERROUND( x0, x5,x10,x15)x0 = (((u32)((x0) + (x5)) & (0xFFFFFFFFU))); x15 = ((((u32
)((((x15) ^ (x0))) << (16)) & (0xFFFFFFFFU)) | ((((
x15) ^ (x0))) >> (32 - (16))))); x10 = (((u32)((x10) + (
x15)) & (0xFFFFFFFFU))); x5 = ((((u32)((((x5) ^ (x10))) <<
(12)) & (0xFFFFFFFFU)) | ((((x5) ^ (x10))) >> (32 -
(12))))); x0 = (((u32)((x0) + (x5)) & (0xFFFFFFFFU))); x15
= ((((u32)((((x15) ^ (x0))) << (8)) & (0xFFFFFFFFU
)) | ((((x15) ^ (x0))) >> (32 - (8))))); x10 = (((u32)(
(x10) + (x15)) & (0xFFFFFFFFU))); x5 = ((((u32)((((x5) ^ (
x10))) << (7)) & (0xFFFFFFFFU)) | ((((x5) ^ (x10)))
>> (32 - (7)))));
145 QUARTERROUND( x1, x6,x11,x12)x1 = (((u32)((x1) + (x6)) & (0xFFFFFFFFU))); x12 = ((((u32
)((((x12) ^ (x1))) << (16)) & (0xFFFFFFFFU)) | ((((
x12) ^ (x1))) >> (32 - (16))))); x11 = (((u32)((x11) + (
x12)) & (0xFFFFFFFFU))); x6 = ((((u32)((((x6) ^ (x11))) <<
(12)) & (0xFFFFFFFFU)) | ((((x6) ^ (x11))) >> (32 -
(12))))); x1 = (((u32)((x1) + (x6)) & (0xFFFFFFFFU))); x12
= ((((u32)((((x12) ^ (x1))) << (8)) & (0xFFFFFFFFU
)) | ((((x12) ^ (x1))) >> (32 - (8))))); x11 = (((u32)(
(x11) + (x12)) & (0xFFFFFFFFU))); x6 = ((((u32)((((x6) ^ (
x11))) << (7)) & (0xFFFFFFFFU)) | ((((x6) ^ (x11)))
>> (32 - (7)))));
146 QUARTERROUND( x2, x7, x8,x13)x2 = (((u32)((x2) + (x7)) & (0xFFFFFFFFU))); x13 = ((((u32
)((((x13) ^ (x2))) << (16)) & (0xFFFFFFFFU)) | ((((
x13) ^ (x2))) >> (32 - (16))))); x8 = (((u32)((x8) + (x13
)) & (0xFFFFFFFFU))); x7 = ((((u32)((((x7) ^ (x8))) <<
(12)) & (0xFFFFFFFFU)) | ((((x7) ^ (x8))) >> (32 -
(12))))); x2 = (((u32)((x2) + (x7)) & (0xFFFFFFFFU))); x13
= ((((u32)((((x13) ^ (x2))) << (8)) & (0xFFFFFFFFU
)) | ((((x13) ^ (x2))) >> (32 - (8))))); x8 = (((u32)((
x8) + (x13)) & (0xFFFFFFFFU))); x7 = ((((u32)((((x7) ^ (x8
))) << (7)) & (0xFFFFFFFFU)) | ((((x7) ^ (x8))) >>
(32 - (7)))));
147 QUARTERROUND( x3, x4, x9,x14)x3 = (((u32)((x3) + (x4)) & (0xFFFFFFFFU))); x14 = ((((u32
)((((x14) ^ (x3))) << (16)) & (0xFFFFFFFFU)) | ((((
x14) ^ (x3))) >> (32 - (16))))); x9 = (((u32)((x9) + (x14
)) & (0xFFFFFFFFU))); x4 = ((((u32)((((x4) ^ (x9))) <<
(12)) & (0xFFFFFFFFU)) | ((((x4) ^ (x9))) >> (32 -
(12))))); x3 = (((u32)((x3) + (x4)) & (0xFFFFFFFFU))); x14
= ((((u32)((((x14) ^ (x3))) << (8)) & (0xFFFFFFFFU
)) | ((((x14) ^ (x3))) >> (32 - (8))))); x9 = (((u32)((
x9) + (x14)) & (0xFFFFFFFFU))); x4 = ((((u32)((((x4) ^ (x9
))) << (7)) & (0xFFFFFFFFU)) | ((((x4) ^ (x9))) >>
(32 - (7)))));
148 }
149 x0 = PLUS(x0,j0)(((u32)((x0) + (j0)) & (0xFFFFFFFFU)));
150 x1 = PLUS(x1,j1)(((u32)((x1) + (j1)) & (0xFFFFFFFFU)));
151 x2 = PLUS(x2,j2)(((u32)((x2) + (j2)) & (0xFFFFFFFFU)));
152 x3 = PLUS(x3,j3)(((u32)((x3) + (j3)) & (0xFFFFFFFFU)));
153 x4 = PLUS(x4,j4)(((u32)((x4) + (j4)) & (0xFFFFFFFFU)));
154 x5 = PLUS(x5,j5)(((u32)((x5) + (j5)) & (0xFFFFFFFFU)));
155 x6 = PLUS(x6,j6)(((u32)((x6) + (j6)) & (0xFFFFFFFFU)));
156 x7 = PLUS(x7,j7)(((u32)((x7) + (j7)) & (0xFFFFFFFFU)));
157 x8 = PLUS(x8,j8)(((u32)((x8) + (j8)) & (0xFFFFFFFFU)));
158 x9 = PLUS(x9,j9)(((u32)((x9) + (j9)) & (0xFFFFFFFFU)));
159 x10 = PLUS(x10,j10)(((u32)((x10) + (j10)) & (0xFFFFFFFFU)));
160 x11 = PLUS(x11,j11)(((u32)((x11) + (j11)) & (0xFFFFFFFFU)));
161 x12 = PLUS(x12,j12)(((u32)((x12) + (j12)) & (0xFFFFFFFFU)));
162 x13 = PLUS(x13,j13)(((u32)((x13) + (j13)) & (0xFFFFFFFFU)));
163 x14 = PLUS(x14,j14)(((u32)((x14) + (j14)) & (0xFFFFFFFFU)));
164 x15 = PLUS(x15,j15)(((u32)((x15) + (j15)) & (0xFFFFFFFFU)));
165
166#ifndef KEYSTREAM_ONLY
167 x0 = XOR(x0,U8TO32_LITTLE(m + 0))((x0) ^ ((((u32)((m + 0)[0]) ) | ((u32)((m + 0)[1]) << 8
) | ((u32)((m + 0)[2]) << 16) | ((u32)((m + 0)[3]) <<
24))));
168 x1 = XOR(x1,U8TO32_LITTLE(m + 4))((x1) ^ ((((u32)((m + 4)[0]) ) | ((u32)((m + 4)[1]) << 8
) | ((u32)((m + 4)[2]) << 16) | ((u32)((m + 4)[3]) <<
24))));
169 x2 = XOR(x2,U8TO32_LITTLE(m + 8))((x2) ^ ((((u32)((m + 8)[0]) ) | ((u32)((m + 8)[1]) << 8
) | ((u32)((m + 8)[2]) << 16) | ((u32)((m + 8)[3]) <<
24))));
170 x3 = XOR(x3,U8TO32_LITTLE(m + 12))((x3) ^ ((((u32)((m + 12)[0]) ) | ((u32)((m + 12)[1]) <<
8) | ((u32)((m + 12)[2]) << 16) | ((u32)((m + 12)[3]) <<
24))));
171 x4 = XOR(x4,U8TO32_LITTLE(m + 16))((x4) ^ ((((u32)((m + 16)[0]) ) | ((u32)((m + 16)[1]) <<
8) | ((u32)((m + 16)[2]) << 16) | ((u32)((m + 16)[3]) <<
24))));
172 x5 = XOR(x5,U8TO32_LITTLE(m + 20))((x5) ^ ((((u32)((m + 20)[0]) ) | ((u32)((m + 20)[1]) <<
8) | ((u32)((m + 20)[2]) << 16) | ((u32)((m + 20)[3]) <<
24))));
173 x6 = XOR(x6,U8TO32_LITTLE(m + 24))((x6) ^ ((((u32)((m + 24)[0]) ) | ((u32)((m + 24)[1]) <<
8) | ((u32)((m + 24)[2]) << 16) | ((u32)((m + 24)[3]) <<
24))));
174 x7 = XOR(x7,U8TO32_LITTLE(m + 28))((x7) ^ ((((u32)((m + 28)[0]) ) | ((u32)((m + 28)[1]) <<
8) | ((u32)((m + 28)[2]) << 16) | ((u32)((m + 28)[3]) <<
24))));
175 x8 = XOR(x8,U8TO32_LITTLE(m + 32))((x8) ^ ((((u32)((m + 32)[0]) ) | ((u32)((m + 32)[1]) <<
8) | ((u32)((m + 32)[2]) << 16) | ((u32)((m + 32)[3]) <<
24))));
176 x9 = XOR(x9,U8TO32_LITTLE(m + 36))((x9) ^ ((((u32)((m + 36)[0]) ) | ((u32)((m + 36)[1]) <<
8) | ((u32)((m + 36)[2]) << 16) | ((u32)((m + 36)[3]) <<
24))));
177 x10 = XOR(x10,U8TO32_LITTLE(m + 40))((x10) ^ ((((u32)((m + 40)[0]) ) | ((u32)((m + 40)[1]) <<
8) | ((u32)((m + 40)[2]) << 16) | ((u32)((m + 40)[3]) <<
24))));
178 x11 = XOR(x11,U8TO32_LITTLE(m + 44))((x11) ^ ((((u32)((m + 44)[0]) ) | ((u32)((m + 44)[1]) <<
8) | ((u32)((m + 44)[2]) << 16) | ((u32)((m + 44)[3]) <<
24))));
179 x12 = XOR(x12,U8TO32_LITTLE(m + 48))((x12) ^ ((((u32)((m + 48)[0]) ) | ((u32)((m + 48)[1]) <<
8) | ((u32)((m + 48)[2]) << 16) | ((u32)((m + 48)[3]) <<
24))));
180 x13 = XOR(x13,U8TO32_LITTLE(m + 52))((x13) ^ ((((u32)((m + 52)[0]) ) | ((u32)((m + 52)[1]) <<
8) | ((u32)((m + 52)[2]) << 16) | ((u32)((m + 52)[3]) <<
24))));
181 x14 = XOR(x14,U8TO32_LITTLE(m + 56))((x14) ^ ((((u32)((m + 56)[0]) ) | ((u32)((m + 56)[1]) <<
8) | ((u32)((m + 56)[2]) << 16) | ((u32)((m + 56)[3]) <<
24))));
182 x15 = XOR(x15,U8TO32_LITTLE(m + 60))((x15) ^ ((((u32)((m + 60)[0]) ) | ((u32)((m + 60)[1]) <<
8) | ((u32)((m + 60)[2]) << 16) | ((u32)((m + 60)[3]) <<
24))));
183#endif
184
185 j12 = PLUSONE(j12)((((u32)(((j12)) + (1)) & (0xFFFFFFFFU))));
186 if (!j12) {
187 j13 = PLUSONE(j13)((((u32)(((j13)) + (1)) & (0xFFFFFFFFU))));
188 /* stopping at 2^70 bytes per nonce is user's responsibility */
189 }
190
191 U32TO8_LITTLE(c + 0,x0)do { (c + 0)[0] = ((u8)((x0)) & (0xFFU)); (c + 0)[1] = ((
u8)((x0) >> 8) & (0xFFU)); (c + 0)[2] = ((u8)((x0) >>
16) & (0xFFU)); (c + 0)[3] = ((u8)((x0) >> 24) &
(0xFFU)); } while (0);
192 U32TO8_LITTLE(c + 4,x1)do { (c + 4)[0] = ((u8)((x1)) & (0xFFU)); (c + 4)[1] = ((
u8)((x1) >> 8) & (0xFFU)); (c + 4)[2] = ((u8)((x1) >>
16) & (0xFFU)); (c + 4)[3] = ((u8)((x1) >> 24) &
(0xFFU)); } while (0);
193 U32TO8_LITTLE(c + 8,x2)do { (c + 8)[0] = ((u8)((x2)) & (0xFFU)); (c + 8)[1] = ((
u8)((x2) >> 8) & (0xFFU)); (c + 8)[2] = ((u8)((x2) >>
16) & (0xFFU)); (c + 8)[3] = ((u8)((x2) >> 24) &
(0xFFU)); } while (0);
194 U32TO8_LITTLE(c + 12,x3)do { (c + 12)[0] = ((u8)((x3)) & (0xFFU)); (c + 12)[1] = (
(u8)((x3) >> 8) & (0xFFU)); (c + 12)[2] = ((u8)((x3
) >> 16) & (0xFFU)); (c + 12)[3] = ((u8)((x3) >>
24) & (0xFFU)); } while (0);
195 U32TO8_LITTLE(c + 16,x4)do { (c + 16)[0] = ((u8)((x4)) & (0xFFU)); (c + 16)[1] = (
(u8)((x4) >> 8) & (0xFFU)); (c + 16)[2] = ((u8)((x4
) >> 16) & (0xFFU)); (c + 16)[3] = ((u8)((x4) >>
24) & (0xFFU)); } while (0);
196 U32TO8_LITTLE(c + 20,x5)do { (c + 20)[0] = ((u8)((x5)) & (0xFFU)); (c + 20)[1] = (
(u8)((x5) >> 8) & (0xFFU)); (c + 20)[2] = ((u8)((x5
) >> 16) & (0xFFU)); (c + 20)[3] = ((u8)((x5) >>
24) & (0xFFU)); } while (0);
197 U32TO8_LITTLE(c + 24,x6)do { (c + 24)[0] = ((u8)((x6)) & (0xFFU)); (c + 24)[1] = (
(u8)((x6) >> 8) & (0xFFU)); (c + 24)[2] = ((u8)((x6
) >> 16) & (0xFFU)); (c + 24)[3] = ((u8)((x6) >>
24) & (0xFFU)); } while (0);
198 U32TO8_LITTLE(c + 28,x7)do { (c + 28)[0] = ((u8)((x7)) & (0xFFU)); (c + 28)[1] = (
(u8)((x7) >> 8) & (0xFFU)); (c + 28)[2] = ((u8)((x7
) >> 16) & (0xFFU)); (c + 28)[3] = ((u8)((x7) >>
24) & (0xFFU)); } while (0);
199 U32TO8_LITTLE(c + 32,x8)do { (c + 32)[0] = ((u8)((x8)) & (0xFFU)); (c + 32)[1] = (
(u8)((x8) >> 8) & (0xFFU)); (c + 32)[2] = ((u8)((x8
) >> 16) & (0xFFU)); (c + 32)[3] = ((u8)((x8) >>
24) & (0xFFU)); } while (0);
200 U32TO8_LITTLE(c + 36,x9)do { (c + 36)[0] = ((u8)((x9)) & (0xFFU)); (c + 36)[1] = (
(u8)((x9) >> 8) & (0xFFU)); (c + 36)[2] = ((u8)((x9
) >> 16) & (0xFFU)); (c + 36)[3] = ((u8)((x9) >>
24) & (0xFFU)); } while (0);
201 U32TO8_LITTLE(c + 40,x10)do { (c + 40)[0] = ((u8)((x10)) & (0xFFU)); (c + 40)[1] =
((u8)((x10) >> 8) & (0xFFU)); (c + 40)[2] = ((u8)(
(x10) >> 16) & (0xFFU)); (c + 40)[3] = ((u8)((x10) >>
24) & (0xFFU)); } while (0);
202 U32TO8_LITTLE(c + 44,x11)do { (c + 44)[0] = ((u8)((x11)) & (0xFFU)); (c + 44)[1] =
((u8)((x11) >> 8) & (0xFFU)); (c + 44)[2] = ((u8)(
(x11) >> 16) & (0xFFU)); (c + 44)[3] = ((u8)((x11) >>
24) & (0xFFU)); } while (0);
203 U32TO8_LITTLE(c + 48,x12)do { (c + 48)[0] = ((u8)((x12)) & (0xFFU)); (c + 48)[1] =
((u8)((x12) >> 8) & (0xFFU)); (c + 48)[2] = ((u8)(
(x12) >> 16) & (0xFFU)); (c + 48)[3] = ((u8)((x12) >>
24) & (0xFFU)); } while (0);
204 U32TO8_LITTLE(c + 52,x13)do { (c + 52)[0] = ((u8)((x13)) & (0xFFU)); (c + 52)[1] =
((u8)((x13) >> 8) & (0xFFU)); (c + 52)[2] = ((u8)(
(x13) >> 16) & (0xFFU)); (c + 52)[3] = ((u8)((x13) >>
24) & (0xFFU)); } while (0);
205 U32TO8_LITTLE(c + 56,x14)do { (c + 56)[0] = ((u8)((x14)) & (0xFFU)); (c + 56)[1] =
((u8)((x14) >> 8) & (0xFFU)); (c + 56)[2] = ((u8)(
(x14) >> 16) & (0xFFU)); (c + 56)[3] = ((u8)((x14) >>
24) & (0xFFU)); } while (0);
206 U32TO8_LITTLE(c + 60,x15)do { (c + 60)[0] = ((u8)((x15)) & (0xFFU)); (c + 60)[1] =
((u8)((x15) >> 8) & (0xFFU)); (c + 60)[2] = ((u8)(
(x15) >> 16) & (0xFFU)); (c + 60)[3] = ((u8)((x15) >>
24) & (0xFFU)); } while (0);
207
208 if (bytes <= 64) {
209 if (bytes < 64) {
210 for (i = 0;i < bytes;++i) ctarget[i] = c[i];
211 }
212 x->input[12] = j12;
213 x->input[13] = j13;
214 return;
215 }
216 bytes -= 64;
217 c += 64;
218#ifndef KEYSTREAM_ONLY
219 m += 64;
220#endif
221 }
222}