CoCalc -- shake.c

GitHub Repository: freebsd/freebsd-src
Path: blob/main/contrib/bearssl/src/kdf/shake.c
³⁹⁴⁸⁸ views
1
/*
2
 * Copyright (c) 2018 Thomas Pornin <[email protected]>
3
 *
4
 * Permission is hereby granted, free of charge, to any person obtaining 
5
 * a copy of this software and associated documentation files (the
6
 * "Software"), to deal in the Software without restriction, including
7
 * without limitation the rights to use, copy, modify, merge, publish,
8
 * distribute, sublicense, and/or sell copies of the Software, and to
9
 * permit persons to whom the Software is furnished to do so, subject to
10
 * the following conditions:
11
 *
12
 * The above copyright notice and this permission notice shall be 
13
 * included in all copies or substantial portions of the Software.
14
 *
15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22
 * SOFTWARE.
23
 */
24

25
#include "inner.h"
26

27
/*
28
 * Round constants.
29
 */
30
static const uint64_t RC[] = {
31
	0x0000000000000001, 0x0000000000008082,
32
	0x800000000000808A, 0x8000000080008000,
33
	0x000000000000808B, 0x0000000080000001,
34
	0x8000000080008081, 0x8000000000008009,
35
	0x000000000000008A, 0x0000000000000088,
36
	0x0000000080008009, 0x000000008000000A,
37
	0x000000008000808B, 0x800000000000008B,
38
	0x8000000000008089, 0x8000000000008003,
39
	0x8000000000008002, 0x8000000000000080,
40
	0x000000000000800A, 0x800000008000000A,
41
	0x8000000080008081, 0x8000000000008080,
42
	0x0000000080000001, 0x8000000080008008
43
};
44

45
/*
46
 * XOR a block of data into the provided state. This supports only
47
 * blocks whose length is a multiple of 64 bits.
48
 */
49
static void
50
xor_block(uint64_t *A, const void *data, size_t rate)
51
{
52
	size_t u;
53

54
	for (u = 0; u < rate; u += 8) {
55
		A[u >> 3] ^= br_dec64le((const unsigned char *)data + u);
56
	}
57
}
58

59
/*
60
 * Process a block with the provided data. The data length must be a
61
 * multiple of 8 (in bytes); normally, this is the "rate".
62
 */
63
static void
64
process_block(uint64_t *A)
65
{
66
	uint64_t t0, t1, t2, t3, t4;
67
	uint64_t tt0, tt1, tt2, tt3;
68
	uint64_t t, kt;
69
	uint64_t c0, c1, c2, c3, c4, bnn;
70
	int j;
71

72
	/*
73
	 * Compute the 24 rounds. This loop is partially unrolled (each
74
	 * iteration computes two rounds).
75
	 */
76
	for (j = 0; j < 24; j += 2) {
77

78
		tt0 = A[ 1] ^ A[ 6];
79
		tt1 = A[11] ^ A[16];
80
		tt0 ^= A[21] ^ tt1;
81
		tt0 = (tt0 << 1) | (tt0 >> 63);
82
		tt2 = A[ 4] ^ A[ 9];
83
		tt3 = A[14] ^ A[19];
84
		tt0 ^= A[24];
85
		tt2 ^= tt3;
86
		t0 = tt0 ^ tt2;
87

88
		tt0 = A[ 2] ^ A[ 7];
89
		tt1 = A[12] ^ A[17];
90
		tt0 ^= A[22] ^ tt1;
91
		tt0 = (tt0 << 1) | (tt0 >> 63);
92
		tt2 = A[ 0] ^ A[ 5];
93
		tt3 = A[10] ^ A[15];
94
		tt0 ^= A[20];
95
		tt2 ^= tt3;
96
		t1 = tt0 ^ tt2;
97

98
		tt0 = A[ 3] ^ A[ 8];
99
		tt1 = A[13] ^ A[18];
100
		tt0 ^= A[23] ^ tt1;
101
		tt0 = (tt0 << 1) | (tt0 >> 63);
102
		tt2 = A[ 1] ^ A[ 6];
103
		tt3 = A[11] ^ A[16];
104
		tt0 ^= A[21];
105
		tt2 ^= tt3;
106
		t2 = tt0 ^ tt2;
107

108
		tt0 = A[ 4] ^ A[ 9];
109
		tt1 = A[14] ^ A[19];
110
		tt0 ^= A[24] ^ tt1;
111
		tt0 = (tt0 << 1) | (tt0 >> 63);
112
		tt2 = A[ 2] ^ A[ 7];
113
		tt3 = A[12] ^ A[17];
114
		tt0 ^= A[22];
115
		tt2 ^= tt3;
116
		t3 = tt0 ^ tt2;
117

118
		tt0 = A[ 0] ^ A[ 5];
119
		tt1 = A[10] ^ A[15];
120
		tt0 ^= A[20] ^ tt1;
121
		tt0 = (tt0 << 1) | (tt0 >> 63);
122
		tt2 = A[ 3] ^ A[ 8];
123
		tt3 = A[13] ^ A[18];
124
		tt0 ^= A[23];
125
		tt2 ^= tt3;
126
		t4 = tt0 ^ tt2;
127

128
		A[ 0] = A[ 0] ^ t0;
129
		A[ 5] = A[ 5] ^ t0;
130
		A[10] = A[10] ^ t0;
131
		A[15] = A[15] ^ t0;
132
		A[20] = A[20] ^ t0;
133
		A[ 1] = A[ 1] ^ t1;
134
		A[ 6] = A[ 6] ^ t1;
135
		A[11] = A[11] ^ t1;
136
		A[16] = A[16] ^ t1;
137
		A[21] = A[21] ^ t1;
138
		A[ 2] = A[ 2] ^ t2;
139
		A[ 7] = A[ 7] ^ t2;
140
		A[12] = A[12] ^ t2;
141
		A[17] = A[17] ^ t2;
142
		A[22] = A[22] ^ t2;
143
		A[ 3] = A[ 3] ^ t3;
144
		A[ 8] = A[ 8] ^ t3;
145
		A[13] = A[13] ^ t3;
146
		A[18] = A[18] ^ t3;
147
		A[23] = A[23] ^ t3;
148
		A[ 4] = A[ 4] ^ t4;
149
		A[ 9] = A[ 9] ^ t4;
150
		A[14] = A[14] ^ t4;
151
		A[19] = A[19] ^ t4;
152
		A[24] = A[24] ^ t4;
153
		A[ 5] = (A[ 5] << 36) | (A[ 5] >> (64 - 36));
154
		A[10] = (A[10] <<  3) | (A[10] >> (64 -  3));
155
		A[15] = (A[15] << 41) | (A[15] >> (64 - 41));
156
		A[20] = (A[20] << 18) | (A[20] >> (64 - 18));
157
		A[ 1] = (A[ 1] <<  1) | (A[ 1] >> (64 -  1));
158
		A[ 6] = (A[ 6] << 44) | (A[ 6] >> (64 - 44));
159
		A[11] = (A[11] << 10) | (A[11] >> (64 - 10));
160
		A[16] = (A[16] << 45) | (A[16] >> (64 - 45));
161
		A[21] = (A[21] <<  2) | (A[21] >> (64 - 2));
162
		A[ 2] = (A[ 2] << 62) | (A[ 2] >> (64 - 62));
163
		A[ 7] = (A[ 7] <<  6) | (A[ 7] >> (64 -  6));
164
		A[12] = (A[12] << 43) | (A[12] >> (64 - 43));
165
		A[17] = (A[17] << 15) | (A[17] >> (64 - 15));
166
		A[22] = (A[22] << 61) | (A[22] >> (64 - 61));
167
		A[ 3] = (A[ 3] << 28) | (A[ 3] >> (64 - 28));
168
		A[ 8] = (A[ 8] << 55) | (A[ 8] >> (64 - 55));
169
		A[13] = (A[13] << 25) | (A[13] >> (64 - 25));
170
		A[18] = (A[18] << 21) | (A[18] >> (64 - 21));
171
		A[23] = (A[23] << 56) | (A[23] >> (64 - 56));
172
		A[ 4] = (A[ 4] << 27) | (A[ 4] >> (64 - 27));
173
		A[ 9] = (A[ 9] << 20) | (A[ 9] >> (64 - 20));
174
		A[14] = (A[14] << 39) | (A[14] >> (64 - 39));
175
		A[19] = (A[19] <<  8) | (A[19] >> (64 -  8));
176
		A[24] = (A[24] << 14) | (A[24] >> (64 - 14));
177
		bnn = ~A[12];
178
		kt = A[ 6] | A[12];
179
		c0 = A[ 0] ^ kt;
180
		kt = bnn | A[18];
181
		c1 = A[ 6] ^ kt;
182
		kt = A[18] & A[24];
183
		c2 = A[12] ^ kt;
184
		kt = A[24] | A[ 0];
185
		c3 = A[18] ^ kt;
186
		kt = A[ 0] & A[ 6];
187
		c4 = A[24] ^ kt;
188
		A[ 0] = c0;
189
		A[ 6] = c1;
190
		A[12] = c2;
191
		A[18] = c3;
192
		A[24] = c4;
193
		bnn = ~A[22];
194
		kt = A[ 9] | A[10];
195
		c0 = A[ 3] ^ kt;
196
		kt = A[10] & A[16];
197
		c1 = A[ 9] ^ kt;
198
		kt = A[16] | bnn;
199
		c2 = A[10] ^ kt;
200
		kt = A[22] | A[ 3];
201
		c3 = A[16] ^ kt;
202
		kt = A[ 3] & A[ 9];
203
		c4 = A[22] ^ kt;
204
		A[ 3] = c0;
205
		A[ 9] = c1;
206
		A[10] = c2;
207
		A[16] = c3;
208
		A[22] = c4;
209
		bnn = ~A[19];
210
		kt = A[ 7] | A[13];
211
		c0 = A[ 1] ^ kt;
212
		kt = A[13] & A[19];
213
		c1 = A[ 7] ^ kt;
214
		kt = bnn & A[20];
215
		c2 = A[13] ^ kt;
216
		kt = A[20] | A[ 1];
217
		c3 = bnn ^ kt;
218
		kt = A[ 1] & A[ 7];
219
		c4 = A[20] ^ kt;
220
		A[ 1] = c0;
221
		A[ 7] = c1;
222
		A[13] = c2;
223
		A[19] = c3;
224
		A[20] = c4;
225
		bnn = ~A[17];
226
		kt = A[ 5] & A[11];
227
		c0 = A[ 4] ^ kt;
228
		kt = A[11] | A[17];
229
		c1 = A[ 5] ^ kt;
230
		kt = bnn | A[23];
231
		c2 = A[11] ^ kt;
232
		kt = A[23] & A[ 4];
233
		c3 = bnn ^ kt;
234
		kt = A[ 4] | A[ 5];
235
		c4 = A[23] ^ kt;
236
		A[ 4] = c0;
237
		A[ 5] = c1;
238
		A[11] = c2;
239
		A[17] = c3;
240
		A[23] = c4;
241
		bnn = ~A[ 8];
242
		kt = bnn & A[14];
243
		c0 = A[ 2] ^ kt;
244
		kt = A[14] | A[15];
245
		c1 = bnn ^ kt;
246
		kt = A[15] & A[21];
247
		c2 = A[14] ^ kt;
248
		kt = A[21] | A[ 2];
249
		c3 = A[15] ^ kt;
250
		kt = A[ 2] & A[ 8];
251
		c4 = A[21] ^ kt;
252
		A[ 2] = c0;
253
		A[ 8] = c1;
254
		A[14] = c2;
255
		A[15] = c3;
256
		A[21] = c4;
257
		A[ 0] = A[ 0] ^ RC[j + 0];
258

259
		tt0 = A[ 6] ^ A[ 9];
260
		tt1 = A[ 7] ^ A[ 5];
261
		tt0 ^= A[ 8] ^ tt1;
262
		tt0 = (tt0 << 1) | (tt0 >> 63);
263
		tt2 = A[24] ^ A[22];
264
		tt3 = A[20] ^ A[23];
265
		tt0 ^= A[21];
266
		tt2 ^= tt3;
267
		t0 = tt0 ^ tt2;
268

269
		tt0 = A[12] ^ A[10];
270
		tt1 = A[13] ^ A[11];
271
		tt0 ^= A[14] ^ tt1;
272
		tt0 = (tt0 << 1) | (tt0 >> 63);
273
		tt2 = A[ 0] ^ A[ 3];
274
		tt3 = A[ 1] ^ A[ 4];
275
		tt0 ^= A[ 2];
276
		tt2 ^= tt3;
277
		t1 = tt0 ^ tt2;
278

279
		tt0 = A[18] ^ A[16];
280
		tt1 = A[19] ^ A[17];
281
		tt0 ^= A[15] ^ tt1;
282
		tt0 = (tt0 << 1) | (tt0 >> 63);
283
		tt2 = A[ 6] ^ A[ 9];
284
		tt3 = A[ 7] ^ A[ 5];
285
		tt0 ^= A[ 8];
286
		tt2 ^= tt3;
287
		t2 = tt0 ^ tt2;
288

289
		tt0 = A[24] ^ A[22];
290
		tt1 = A[20] ^ A[23];
291
		tt0 ^= A[21] ^ tt1;
292
		tt0 = (tt0 << 1) | (tt0 >> 63);
293
		tt2 = A[12] ^ A[10];
294
		tt3 = A[13] ^ A[11];
295
		tt0 ^= A[14];
296
		tt2 ^= tt3;
297
		t3 = tt0 ^ tt2;
298

299
		tt0 = A[ 0] ^ A[ 3];
300
		tt1 = A[ 1] ^ A[ 4];
301
		tt0 ^= A[ 2] ^ tt1;
302
		tt0 = (tt0 << 1) | (tt0 >> 63);
303
		tt2 = A[18] ^ A[16];
304
		tt3 = A[19] ^ A[17];
305
		tt0 ^= A[15];
306
		tt2 ^= tt3;
307
		t4 = tt0 ^ tt2;
308

309
		A[ 0] = A[ 0] ^ t0;
310
		A[ 3] = A[ 3] ^ t0;
311
		A[ 1] = A[ 1] ^ t0;
312
		A[ 4] = A[ 4] ^ t0;
313
		A[ 2] = A[ 2] ^ t0;
314
		A[ 6] = A[ 6] ^ t1;
315
		A[ 9] = A[ 9] ^ t1;
316
		A[ 7] = A[ 7] ^ t1;
317
		A[ 5] = A[ 5] ^ t1;
318
		A[ 8] = A[ 8] ^ t1;
319
		A[12] = A[12] ^ t2;
320
		A[10] = A[10] ^ t2;
321
		A[13] = A[13] ^ t2;
322
		A[11] = A[11] ^ t2;
323
		A[14] = A[14] ^ t2;
324
		A[18] = A[18] ^ t3;
325
		A[16] = A[16] ^ t3;
326
		A[19] = A[19] ^ t3;
327
		A[17] = A[17] ^ t3;
328
		A[15] = A[15] ^ t3;
329
		A[24] = A[24] ^ t4;
330
		A[22] = A[22] ^ t4;
331
		A[20] = A[20] ^ t4;
332
		A[23] = A[23] ^ t4;
333
		A[21] = A[21] ^ t4;
334
		A[ 3] = (A[ 3] << 36) | (A[ 3] >> (64 - 36));
335
		A[ 1] = (A[ 1] <<  3) | (A[ 1] >> (64 -  3));
336
		A[ 4] = (A[ 4] << 41) | (A[ 4] >> (64 - 41));
337
		A[ 2] = (A[ 2] << 18) | (A[ 2] >> (64 - 18));
338
		A[ 6] = (A[ 6] <<  1) | (A[ 6] >> (64 -  1));
339
		A[ 9] = (A[ 9] << 44) | (A[ 9] >> (64 - 44));
340
		A[ 7] = (A[ 7] << 10) | (A[ 7] >> (64 - 10));
341
		A[ 5] = (A[ 5] << 45) | (A[ 5] >> (64 - 45));
342
		A[ 8] = (A[ 8] <<  2) | (A[ 8] >> (64 - 2));
343
		A[12] = (A[12] << 62) | (A[12] >> (64 - 62));
344
		A[10] = (A[10] <<  6) | (A[10] >> (64 -  6));
345
		A[13] = (A[13] << 43) | (A[13] >> (64 - 43));
346
		A[11] = (A[11] << 15) | (A[11] >> (64 - 15));
347
		A[14] = (A[14] << 61) | (A[14] >> (64 - 61));
348
		A[18] = (A[18] << 28) | (A[18] >> (64 - 28));
349
		A[16] = (A[16] << 55) | (A[16] >> (64 - 55));
350
		A[19] = (A[19] << 25) | (A[19] >> (64 - 25));
351
		A[17] = (A[17] << 21) | (A[17] >> (64 - 21));
352
		A[15] = (A[15] << 56) | (A[15] >> (64 - 56));
353
		A[24] = (A[24] << 27) | (A[24] >> (64 - 27));
354
		A[22] = (A[22] << 20) | (A[22] >> (64 - 20));
355
		A[20] = (A[20] << 39) | (A[20] >> (64 - 39));
356
		A[23] = (A[23] <<  8) | (A[23] >> (64 -  8));
357
		A[21] = (A[21] << 14) | (A[21] >> (64 - 14));
358
		bnn = ~A[13];
359
		kt = A[ 9] | A[13];
360
		c0 = A[ 0] ^ kt;
361
		kt = bnn | A[17];
362
		c1 = A[ 9] ^ kt;
363
		kt = A[17] & A[21];
364
		c2 = A[13] ^ kt;
365
		kt = A[21] | A[ 0];
366
		c3 = A[17] ^ kt;
367
		kt = A[ 0] & A[ 9];
368
		c4 = A[21] ^ kt;
369
		A[ 0] = c0;
370
		A[ 9] = c1;
371
		A[13] = c2;
372
		A[17] = c3;
373
		A[21] = c4;
374
		bnn = ~A[14];
375
		kt = A[22] | A[ 1];
376
		c0 = A[18] ^ kt;
377
		kt = A[ 1] & A[ 5];
378
		c1 = A[22] ^ kt;
379
		kt = A[ 5] | bnn;
380
		c2 = A[ 1] ^ kt;
381
		kt = A[14] | A[18];
382
		c3 = A[ 5] ^ kt;
383
		kt = A[18] & A[22];
384
		c4 = A[14] ^ kt;
385
		A[18] = c0;
386
		A[22] = c1;
387
		A[ 1] = c2;
388
		A[ 5] = c3;
389
		A[14] = c4;
390
		bnn = ~A[23];
391
		kt = A[10] | A[19];
392
		c0 = A[ 6] ^ kt;
393
		kt = A[19] & A[23];
394
		c1 = A[10] ^ kt;
395
		kt = bnn & A[ 2];
396
		c2 = A[19] ^ kt;
397
		kt = A[ 2] | A[ 6];
398
		c3 = bnn ^ kt;
399
		kt = A[ 6] & A[10];
400
		c4 = A[ 2] ^ kt;
401
		A[ 6] = c0;
402
		A[10] = c1;
403
		A[19] = c2;
404
		A[23] = c3;
405
		A[ 2] = c4;
406
		bnn = ~A[11];
407
		kt = A[ 3] & A[ 7];
408
		c0 = A[24] ^ kt;
409
		kt = A[ 7] | A[11];
410
		c1 = A[ 3] ^ kt;
411
		kt = bnn | A[15];
412
		c2 = A[ 7] ^ kt;
413
		kt = A[15] & A[24];
414
		c3 = bnn ^ kt;
415
		kt = A[24] | A[ 3];
416
		c4 = A[15] ^ kt;
417
		A[24] = c0;
418
		A[ 3] = c1;
419
		A[ 7] = c2;
420
		A[11] = c3;
421
		A[15] = c4;
422
		bnn = ~A[16];
423
		kt = bnn & A[20];
424
		c0 = A[12] ^ kt;
425
		kt = A[20] | A[ 4];
426
		c1 = bnn ^ kt;
427
		kt = A[ 4] & A[ 8];
428
		c2 = A[20] ^ kt;
429
		kt = A[ 8] | A[12];
430
		c3 = A[ 4] ^ kt;
431
		kt = A[12] & A[16];
432
		c4 = A[ 8] ^ kt;
433
		A[12] = c0;
434
		A[16] = c1;
435
		A[20] = c2;
436
		A[ 4] = c3;
437
		A[ 8] = c4;
438
		A[ 0] = A[ 0] ^ RC[j + 1];
439
		t = A[ 5];
440
		A[ 5] = A[18];
441
		A[18] = A[11];
442
		A[11] = A[10];
443
		A[10] = A[ 6];
444
		A[ 6] = A[22];
445
		A[22] = A[20];
446
		A[20] = A[12];
447
		A[12] = A[19];
448
		A[19] = A[15];
449
		A[15] = A[24];
450
		A[24] = A[ 8];
451
		A[ 8] = t;
452
		t = A[ 1];
453
		A[ 1] = A[ 9];
454
		A[ 9] = A[14];
455
		A[14] = A[ 2];
456
		A[ 2] = A[13];
457
		A[13] = A[23];
458
		A[23] = A[ 4];
459
		A[ 4] = A[21];
460
		A[21] = A[16];
461
		A[16] = A[ 3];
462
		A[ 3] = A[17];
463
		A[17] = A[ 7];
464
		A[ 7] = t;
465
	}
466
}
467

468
/* see bearssl_kdf.h */
469
void
470
br_shake_init(br_shake_context *sc, int security_level)
471
{
472
	sc->rate = 200 - (size_t)(security_level >> 2);
473
	sc->dptr = 0;
474
	memset(sc->A, 0, sizeof sc->A);
475
	sc->A[ 1] = ~(uint64_t)0;
476
	sc->A[ 2] = ~(uint64_t)0;
477
	sc->A[ 8] = ~(uint64_t)0;
478
	sc->A[12] = ~(uint64_t)0;
479
	sc->A[17] = ~(uint64_t)0;
480
	sc->A[20] = ~(uint64_t)0;
481
}
482

483
/* see bearssl_kdf.h */
484
void
485
br_shake_inject(br_shake_context *sc, const void *data, size_t len)
486
{
487
	const unsigned char *buf;
488
	size_t rate, dptr;
489

490
	buf = data;
491
	rate = sc->rate;
492
	dptr = sc->dptr;
493
	while (len > 0) {
494
		size_t clen;
495

496
		clen = rate - dptr;
497
		if (clen > len) {
498
			clen = len;
499
		}
500
		memcpy(sc->dbuf + dptr, buf, clen);
501
		dptr += clen;
502
		buf += clen;
503
		len -= clen;
504
		if (dptr == rate) {
505
			xor_block(sc->A, sc->dbuf, rate);
506
			process_block(sc->A);
507
			dptr = 0;
508
		}
509
	}
510
	sc->dptr = dptr;
511
}
512

513
/* see bearssl_kdf.h */
514
void
515
br_shake_flip(br_shake_context *sc)
516
{
517
	/*
518
	 * We apply padding and pre-XOR the value into the state. We
519
	 * set dptr to the end of the buffer, so that first call to
520
	 * shake_extract() will process the block.
521
	 */
522
	if ((sc->dptr + 1) == sc->rate) {
523
		sc->dbuf[sc->dptr ++] = 0x9F;
524
	} else {
525
		sc->dbuf[sc->dptr ++] = 0x1F;
526
		memset(sc->dbuf + sc->dptr, 0x00, sc->rate - sc->dptr - 1);
527
		sc->dbuf[sc->rate - 1] = 0x80;
528
		sc->dptr = sc->rate;
529
	}
530
	xor_block(sc->A, sc->dbuf, sc->rate);
531
}
532

533
/* see bearssl_kdf.h */
534
void
535
br_shake_produce(br_shake_context *sc, void *out, size_t len)
536
{
537
	unsigned char *buf;
538
	size_t dptr, rate;
539

540
	buf = out;
541
	dptr = sc->dptr;
542
	rate = sc->rate;
543
	while (len > 0) {
544
		size_t clen;
545

546
		if (dptr == rate) {
547
			unsigned char *dbuf;
548
			uint64_t *A;
549

550
			A = sc->A;
551
			dbuf = sc->dbuf;
552
			process_block(A);
553
			br_enc64le(dbuf +   0,  A[ 0]);
554
			br_enc64le(dbuf +   8, ~A[ 1]);
555
			br_enc64le(dbuf +  16, ~A[ 2]);
556
			br_enc64le(dbuf +  24,  A[ 3]);
557
			br_enc64le(dbuf +  32,  A[ 4]);
558
			br_enc64le(dbuf +  40,  A[ 5]);
559
			br_enc64le(dbuf +  48,  A[ 6]);
560
			br_enc64le(dbuf +  56,  A[ 7]);
561
			br_enc64le(dbuf +  64, ~A[ 8]);
562
			br_enc64le(dbuf +  72,  A[ 9]);
563
			br_enc64le(dbuf +  80,  A[10]);
564
			br_enc64le(dbuf +  88,  A[11]);
565
			br_enc64le(dbuf +  96, ~A[12]);
566
			br_enc64le(dbuf + 104,  A[13]);
567
			br_enc64le(dbuf + 112,  A[14]);
568
			br_enc64le(dbuf + 120,  A[15]);
569
			br_enc64le(dbuf + 128,  A[16]);
570
			br_enc64le(dbuf + 136, ~A[17]);
571
			br_enc64le(dbuf + 144,  A[18]);
572
			br_enc64le(dbuf + 152,  A[19]);
573
			br_enc64le(dbuf + 160, ~A[20]);
574
			br_enc64le(dbuf + 168,  A[21]);
575
			br_enc64le(dbuf + 176,  A[22]);
576
			br_enc64le(dbuf + 184,  A[23]);
577
			br_enc64le(dbuf + 192,  A[24]);
578
			dptr = 0;
579
		}
580
		clen = rate - dptr;
581
		if (clen > len) {
582
			clen = len;
583
		}
584
		memcpy(buf, sc->dbuf + dptr, clen);
585
		dptr += clen;
586
		buf += clen;
587
		len -= clen;
588
	}
589
	sc->dptr = dptr;
590
}
591

592
Product

Resources

Company
