shithub: mc

Download patch

ref: 204b05d910ebcaec8af1fe62e8bbd19f3f41932a
parent: 6c434100fac87e19234389aba2329165827d0711
author: Ori Bernstein <[email protected]>
date: Thu Nov 24 11:30:24 EST 2016

Add chacha20.myr

	We now have a cipher in libcrypto.

--- /dev/null
+++ b/lib/crypto/chacha20.myr
@@ -1,0 +1,239 @@
+use std
+
+pkg crypto =
+	type chacha20ctx = struct
+		input	: uint32[16]
+	;;
+
+	const chacha20keysetup	: (x : chacha20ctx#, k : byte[:] -> void) 
+	const chacha20ivsetup	: (x : chacha20ctx#, iv : byte[:] -> void)
+	const chacha20encrypt	: (x : chacha20ctx#, m : byte[:], c : byte[:] -> void)
+;;
+
+const sigma = "expand 32-byte k"
+const tau = "expand 16-byte k"
+
+const chacha20keysetup = {x, k
+	var constants
+
+	x.input[4] = std.getle32(k[0:4])
+	x.input[5] = std.getle32(k[4:8])
+	x.input[6] = std.getle32(k[8:12])
+	x.input[7] = std.getle32(k[12:16])
+	if k.len * 8 == 256
+		k = k[16:]
+		constants = sigma
+	elif k.len * 8 == 128
+		constants = tau
+	else
+		std.die("invalid key length")
+	;;
+	x.input[8] = std.getle32(k[0:4])
+	x.input[9] = std.getle32(k[4:8])
+	x.input[10] = std.getle32(k[8:12])
+	x.input[11] = std.getle32(k[12:16])
+	x.input[0] = std.getle32(constants[0:4])
+	x.input[1] = std.getle32(constants[4:8])
+	x.input[2] = std.getle32(constants[8:12])
+	x.input[3] = std.getle32(constants[12:16])
+}
+
+const chacha20ivsetup = {x, iv
+  x.input[12] = 0
+  x.input[13] = 0
+  x.input[14] = std.getle32(iv[0:4])
+  x.input[15] = std.getle32(iv[4:8])
+}
+
+
+const chacha20encrypt = {x, m, c
+	var x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 : uint32;
+	var j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15 : uint32;
+	var ctarget = [][:]
+	var tmp : byte[64];
+
+	std.assert(m.len == c.len, "mismatch between message and ciphertext lengths\n")
+	j0 = x.input[0]
+	j1 = x.input[1]
+	j2 = x.input[2]
+	j3 = x.input[3]
+	j4 = x.input[4]
+	j5 = x.input[5]
+	j6 = x.input[6]
+	j7 = x.input[7]
+	j8 = x.input[8]
+	j9 = x.input[9]
+	j10 = x.input[10]
+	j11 = x.input[11]
+	j12 = x.input[12]
+	j13 = x.input[13]
+	j14 = x.input[14]
+	j15 = x.input[15]
+
+	while true
+		if m.len < 64
+			std.slcp(tmp[:m.len], m)
+			m = tmp[:]
+			ctarget = c
+			c = tmp[:]
+		;;
+		x0 = j0
+		x1 = j1
+		x2 = j2
+		x3 = j3
+		x4 = j4
+		x5 = j5
+		x6 = j6
+		x7 = j7
+		x8 = j8
+		x9 = j9
+		x10 = j10
+		x11 = j11
+		x12 = j12
+		x13 = j13
+		x14 = j14
+		x15 = j15
+		/* do the rounds */
+		for var i = 20; i > 0; i -= 2
+			x0 = (x0 + x4)
+			x12 = (((x12 ^ x0 : uint32) << 16) | ((x12 ^ x0) >> (32 - 16)))
+			x8 = (x8 + x12)
+			x4 = (((x4 ^ x8 : uint32) << 12) | ((x4 ^ x8) >> (32 - 12)))
+			x0 = (x0 + x4)
+			x12 = (((x12 ^ x0 : uint32) << 8) | ((x12 ^ x0) >> (32 - 8)))
+			x8 = (x8 + x12)
+			x4 = (((x4 ^ x8 : uint32) << 7) | ((x4 ^ x8) >> (32 - 7)))
+
+			x1 = (x1 + x5)
+			x13 = ((((x13 ^ x1) : uint32) << 16) | ((x13 ^ x1) >> (32 - 16)))
+			x9 = (x9 + x13)
+			x5 = ((((x5 ^ x9) : uint32) << 12) | ((x5 ^ x9) >> (32 - 12)))
+			x1 = (x1 + x5)
+			x13 = ((((x13 ^ x1) : uint32) << 8) | ((x13 ^ x1) >> (32 - 8)))
+			x9 = (x9 + x13)
+			x5 = ((((x5 ^ x9) : uint32) << 7) | ((x5 ^ x9) >> (32 - 7)))
+
+			x2 = (x2 + x6)
+			x14 = ((((x14 ^ x2) : uint32) << 16) | ((x14 ^ x2) >> (32 - 16)))
+			x10 = (x10 + x14)
+			x6 = ((((x6 ^ x10) : uint32) << 12) | ((x6 ^ x10) >> (32 - 12)))
+			x2 = (x2 + x6)
+			x14 = ((((x14 ^ x2) : uint32) << 8) | ((x14 ^ x2) >> (32 - 8)))
+			x10 = (x10 + x14)
+			x6 = ((((x6 ^ x10) : uint32) << 7) | ((x6 ^ x10) >> (32 - 7)))
+
+			x3 = (x3 + x7)
+			x15 = ((((x15 ^ x3) : uint32) << 16) | ((x15 ^ x3) >> (32 - 16)))
+			x11 = (x11 + x15)
+			x7 = ((((x7 ^ x11) : uint32) << 12) | ((x7 ^ x11) >> (32 - 12)))
+			x3 = (x3 + x7)
+			x15 = ((((x15 ^ x3) : uint32) << 8) | ((x15 ^ x3) >> (32 - 8)))
+			x11 = (x11 + x15)
+			x7 = ((((x7 ^ x11) : uint32) << 7) | ((x7 ^ x11) >> (32 - 7)))
+
+			x0 = (x0 + x5)
+			x15 = ((((x15 ^ x0) : uint32) << 16) | ((x15 ^ x0) >> (32 - 16)))
+			x10 = (x10 + x15)
+			x5 = ((((x5 ^ x10) : uint32) << 12) | ((x5 ^ x10) >> (32 - 12)))
+			x0 = (x0 + x5)
+			x15 = ((((x15 ^ x0) : uint32) << 8) | ((x15 ^ x0) >> (32 - 8)))
+			x10 = (x10 + x15)
+			x5 = ((((x5 ^ x10) : uint32) << 7) | ((x5 ^ x10) >> (32 - 7)))
+
+			x1 = (x1 + x6)
+			x12 = ((((x12 ^ x1) : uint32) << 16) | ((x12 ^ x1) >> (32 - 16)))
+			x11 = (x11 + x12)
+			x6 = ((((x6 ^ x11) : uint32) << 12) | ((x6 ^ x11) >> (32 - 12)))
+			x1 = (x1 + x6)
+			x12 = ((((x12 ^ x1) : uint32) << 8) | ((x12 ^ x1) >> (32 - 8)))
+			x11 = (x11 + x12)
+			x6 = ((((x6 ^ x11) : uint32) << 7) | ((x6 ^ x11) >> (32 - 7)))
+
+			x2 = (x2 + x7)
+			x13 = ((((x13 ^ x2) : uint32) << 16) | ((x13 ^ x2) >> (32 - 16)))
+			x8 = (x8 + x13)
+			x7 = ((((x7 ^ x8) : uint32) << 12) | ((x7 ^ x8) >> (32 - 12)))
+			x2 = (x2 + x7)
+			x13 = ((((x13 ^ x2) : uint32) << 8) | ((x13 ^ x2) >> (32 - 8)))
+			x8 = (x8 + x13)
+			x7 = ((((x7 ^ x8) : uint32) << 7) | ((x7 ^ x8) >> (32 - 7)))
+
+			x3 = (x3 + x4)
+			x14 = ((((x14 ^ x3) : uint32) << 16) | ((x14 ^ x3) >> (32 - 16)))
+			x9 = (x9 + x14)
+			x4 = ((((x4 ^ x9) : uint32) << 12) | ((x4 ^ x9) >> (32 - 12)))
+			x3 = (x3 + x4)
+			x14 = ((((x14 ^ x3) : uint32) << 8) | ((x14 ^ x3) >> (32 - 8)))
+			x9 = (x9 + x14)
+			x4 = ((((x4 ^ x9) : uint32) << 7) | ((x4 ^ x9) >> (32 - 7)))
+		;;
+		x0 = x0 + j0
+		x1 = x1 + j1
+		x2 = x2 + j2
+		x3 = x3 + j3
+		x4 = x4 + j4
+		x5 = x5 + j5
+		x6 = x6 + j6
+		x7 = x7 + j7
+		x8 = x8 + j8
+		x9 = x9 + j9
+		x10 = x10 + j10
+		x11 = x11 + j11
+		x12 = x12 + j12
+		x13 = x13 + j13
+		x14 = x14 + j14
+		x15 = x15 + j15
+
+		x0 = x0 ^ std.getle32(m[0:4]);
+		x1 = x1 ^ std.getle32(m[4:8]);
+		x2 = x2 ^ std.getle32(m[8:12]);
+		x3 = x3 ^ std.getle32(m[12:16]);
+		x4 = x4 ^ std.getle32(m[16:20]);
+		x5 = x5 ^ std.getle32(m[20:24]);
+		x6 = x6 ^ std.getle32(m[24:28]);
+		x7 = x7 ^ std.getle32(m[28:32]);
+		x8 = x8 ^ std.getle32(m[32:36]);
+		x9 = x9 ^ std.getle32(m[36:40]);
+		x10 = x10 ^ std.getle32(m[40:44]);
+		x11 = x11 ^ std.getle32(m[44:48]);
+		x12 = x12 ^ std.getle32(m[48:52]);
+		x13 = x13 ^ std.getle32(m[52:56]);
+		x14 = x14 ^ std.getle32(m[56:60]);
+		x15 = x15 ^ std.getle32(m[60:64]);
+
+		j12++
+		if j12 == 0
+			j13++
+		;;
+
+		std.putle32(c[0:4], x0);
+		std.putle32(c[4:8], x1);
+		std.putle32(c[8:12], x2);
+		std.putle32(c[12:16], x3);
+		std.putle32(c[16:20], x4);
+		std.putle32(c[20:24], x5);
+		std.putle32(c[24:28], x6);
+		std.putle32(c[28:32], x7);
+		std.putle32(c[32:36], x8);
+		std.putle32(c[36:40], x9);
+		std.putle32(c[40:44], x10);
+		std.putle32(c[44:48], x11);
+		std.putle32(c[48:52], x12);
+		std.putle32(c[52:56], x13);
+		std.putle32(c[56:60], x14);
+		std.putle32(c[60:64], x15);
+
+		if m.len <= 64
+			if m.len < 64
+				std.slcp(ctarget[:m.len], c)
+			;;
+			x.input[12] = j12;
+			x.input[13] = j13;
+			-> void
+		;;
+		c = c[64:]
+		m = m[64:]
+	;;
+
+}
+
--- /dev/null
+++ b/lib/crypto/test/chacha20.myr
@@ -1,0 +1,861 @@
+use std
+use testr
+use crypto
+
+type check = struct
+	key	: byte[:]
+	iv	: byte[:]
+	stream0	: byte[:]
+	stream1	: byte[:]
+	state	: uint32[:]
+;;
+
+const main = {
+	testr.run([
+		[.name="chacha20-128-zero-key-zero-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00"
+,
+				.iv = "\x00\x00\x00\x00\x00\x00\x00\x00",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3120646e,
+					/* 2 */ 0x79622d36,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x00000000,
+					/* 5 */ 0x00000000,
+					/* 6 */ 0x00000000,
+					/* 7 */ 0x00000000,
+					/* 8 */ 0x00000000,
+					/* 9 */ 0x00000000,
+					/* 10 */ 0x00000000,
+					/* 11 */ 0x00000000,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x00000000,
+					/* 15 */ 0x00000000,
+				][:],
+				.stream0=\
+					"\x89\x67\x09\x52\x60\x83\x64\xfd" \
+					"\x00\xb2\xf9\x09\x36\xf0\x31\xc8" \
+					"\xe7\x56\xe1\x5d\xba\x04\xb8\x49" \
+					"\x3d\x00\x42\x92\x59\xb2\x0f\x46" \
+					"\xcc\x04\xf1\x11\x24\x6b\x6c\x2c" \
+					"\xe0\x66\xbe\x3b\xfb\x32\xd9\xaa" \
+					"\x0f\xdd\xfb\xc1\x21\x23\xd4\xb9" \
+					"\xe4\x4f\x34\xdc\xa0\x5a\x10\x3f",
+
+				.stream1=\
+					"\x6c\xd1\x35\xc2\x87\x8c\x83\x2b" \
+					"\x58\x96\xb1\x34\xf6\x14\x2a\x9d" \
+					"\x4d\x8d\x0d\x8f\x10\x26\xd2\x0a" \
+					"\x0a\x81\x51\x2c\xbc\xe6\xe9\x75" \
+					"\x8a\x71\x43\xd0\x21\x97\x80\x22" \
+					"\xa3\x84\x14\x1a\x80\xce\xa3\x06" \
+					"\x2f\x41\xf6\x7a\x75\x2e\x66\xad" \
+					"\x34\x11\x98\x4c\x78\x7e\x30\xad",
+
+
+			]
+			check(&ck)
+		}],
+		[.name="chacha20-256-zero-key-zero-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00"
+,
+				.iv = "\x00\x00\x00\x00\x00\x00\x00\x00",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3320646e,
+					/* 2 */ 0x79622d32,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x00000000,
+					/* 5 */ 0x00000000,
+					/* 6 */ 0x00000000,
+					/* 7 */ 0x00000000,
+					/* 8 */ 0x00000000,
+					/* 9 */ 0x00000000,
+					/* 10 */ 0x00000000,
+					/* 11 */ 0x00000000,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x00000000,
+					/* 15 */ 0x00000000,
+				][:],
+				.stream0=\
+					"\x76\xb8\xe0\xad\xa0\xf1\x3d\x90" \
+					"\x40\x5d\x6a\xe5\x53\x86\xbd\x28" \
+					"\xbd\xd2\x19\xb8\xa0\x8d\xed\x1a" \
+					"\xa8\x36\xef\xcc\x8b\x77\x0d\xc7" \
+					"\xda\x41\x59\x7c\x51\x57\x48\x8d" \
+					"\x77\x24\xe0\x3f\xb8\xd8\x4a\x37" \
+					"\x6a\x43\xb8\xf4\x15\x18\xa1\x1c" \
+					"\xc3\x87\xb6\x69\xb2\xee\x65\x86",
+
+				.stream1=\
+					"\x9f\x07\xe7\xbe\x55\x51\x38\x7a" \
+					"\x98\xba\x97\x7c\x73\x2d\x08\x0d" \
+					"\xcb\x0f\x29\xa0\x48\xe3\x65\x69" \
+					"\x12\xc6\x53\x3e\x32\xee\x7a\xed" \
+					"\x29\xb7\x21\x76\x9c\xe6\x4e\x43" \
+					"\xd5\x71\x33\xb0\x74\xd8\x39\xd5" \
+					"\x31\xed\x1f\x28\x51\x0a\xfb\x45" \
+					"\xac\xe1\x0a\x1f\x4b\x79\x4d\x6f",
+
+
+			]
+			check(&ck)
+		}],
+
+		[.name="chacha20-128-onebit-key-zero-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x01\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00"
+,
+				.iv = "\x00\x00\x00\x00\x00\x00\x00\x00",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3120646e,
+					/* 2 */ 0x79622d36,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x00000001,
+					/* 5 */ 0x00000000,
+					/* 6 */ 0x00000000,
+					/* 7 */ 0x00000000,
+					/* 8 */ 0x00000001,
+					/* 9 */ 0x00000000,
+					/* 10 */ 0x00000000,
+					/* 11 */ 0x00000000,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x00000000,
+					/* 15 */ 0x00000000,
+				][:],
+				.stream0=\
+					"\xae\x56\x06\x0d\x04\xf5\xb5\x97" \
+					"\x89\x7f\xf2\xaf\x13\x88\xdb\xce" \
+					"\xff\x5a\x2a\x49\x20\x33\x5d\xc1" \
+					"\x7a\x3c\xb1\xb1\xb1\x0f\xbe\x70" \
+					"\xec\xe8\xf4\x86\x4d\x8c\x7c\xdf" \
+					"\x00\x76\x45\x3a\x82\x91\xc7\xdb" \
+					"\xeb\x3a\xa9\xc9\xd1\x0e\x8c\xa3" \
+					"\x6b\xe4\x44\x93\x76\xed\x7c\x42",
+
+				.stream1=\
+					"\xfc\x3d\x47\x1c\x34\xa3\x6f\xbb" \
+					"\xf6\x16\xbc\x0a\x0e\x7c\x52\x30" \
+					"\x30\xd9\x44\xf4\x3e\xc3\xe7\x8d" \
+					"\xd6\xa1\x24\x66\x54\x7c\xb4\xf7" \
+					"\xb3\xce\xbd\x0a\x50\x05\xe7\x62" \
+					"\xe5\x62\xd1\x37\x5b\x7a\xc4\x45" \
+					"\x93\xa9\x91\xb8\x5d\x1a\x60\xfb" \
+					"\xa2\x03\x5d\xfa\xa2\xa6\x42\xd5",
+
+
+			]
+			check(&ck)
+		}],
+		[.name="chacha20-256-onebit-key-zero-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x01\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00"
+,
+				.iv = "\x00\x00\x00\x00\x00\x00\x00\x00",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3320646e,
+					/* 2 */ 0x79622d32,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x00000001,
+					/* 5 */ 0x00000000,
+					/* 6 */ 0x00000000,
+					/* 7 */ 0x00000000,
+					/* 8 */ 0x00000000,
+					/* 9 */ 0x00000000,
+					/* 10 */ 0x00000000,
+					/* 11 */ 0x00000000,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x00000000,
+					/* 15 */ 0x00000000,
+				][:],
+				.stream0=\
+					"\xc5\xd3\x0a\x7c\xe1\xec\x11\x93" \
+					"\x78\xc8\x4f\x48\x7d\x77\x5a\x85" \
+					"\x42\xf1\x3e\xce\x23\x8a\x94\x55" \
+					"\xe8\x22\x9e\x88\x8d\xe8\x5b\xbd" \
+					"\x29\xeb\x63\xd0\xa1\x7a\x5b\x99" \
+					"\x9b\x52\xda\x22\xbe\x40\x23\xeb" \
+					"\x07\x62\x0a\x54\xf6\xfa\x6a\xd8" \
+					"\x73\x7b\x71\xeb\x04\x64\xda\xc0",
+
+				.stream1=\
+					"\x10\xf6\x56\xe6\xd1\xfd\x55\x05" \
+					"\x3e\x50\xc4\x87\x5c\x99\x30\xa3" \
+					"\x3f\x6d\x02\x63\xbd\x14\xdf\xd6" \
+					"\xab\x8c\x70\x52\x1c\x19\x33\x8b" \
+					"\x23\x08\xb9\x5c\xf8\xd0\xbb\x7d" \
+					"\x20\x2d\x21\x02\x78\x0e\xa3\x52" \
+					"\x8f\x1c\xb4\x85\x60\xf7\x6b\x20" \
+					"\xf3\x82\xb9\x42\x50\x0f\xce\xac",
+
+
+			]
+			check(&ck)
+		}],
+
+		[.name="chacha20-128-zero-key-onebit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00"
+,
+				.iv = "\x01\x00\x00\x00\x00\x00\x00\x00",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3120646e,
+					/* 2 */ 0x79622d36,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x00000000,
+					/* 5 */ 0x00000000,
+					/* 6 */ 0x00000000,
+					/* 7 */ 0x00000000,
+					/* 8 */ 0x00000000,
+					/* 9 */ 0x00000000,
+					/* 10 */ 0x00000000,
+					/* 11 */ 0x00000000,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x00000001,
+					/* 15 */ 0x00000000,
+				][:],
+				.stream0=\
+					"\x16\x63\x87\x9e\xb3\xf2\xc9\x94" \
+					"\x9e\x23\x88\xca\xa3\x43\xd3\x61" \
+					"\xbb\x13\x27\x71\x24\x5a\xe6\xd0" \
+					"\x27\xca\x9c\xb0\x10\xdc\x1f\xa7" \
+					"\x17\x8d\xc4\x1f\x82\x78\xbc\x1f" \
+					"\x64\xb3\xf1\x27\x69\xa2\x40\x97" \
+					"\xf4\x0d\x63\xa8\x63\x66\xbd\xb3" \
+					"\x6a\xc0\x8a\xbe\x60\xc0\x7f\xe8",
+
+				.stream1=\
+					"\xb0\x57\x37\x5c\x89\x14\x44\x08" \
+					"\xcc\x74\x46\x24\xf6\x9f\x7f\x4c" \
+					"\xcb\xd9\x33\x66\xc9\x2f\xc4\xdf" \
+					"\xca\xda\x65\xf1\xb9\x59\xd8\xc6" \
+					"\x4d\xfc\x50\xde\x71\x1f\xb4\x64" \
+					"\x16\xc2\x55\x3c\xc6\x0f\x21\xbb" \
+					"\xfd\x00\x64\x91\xcb\x17\x88\x8b" \
+					"\x4f\xb3\x52\x1c\x4f\xdd\x87\x45",
+
+
+			]
+			check(&ck)
+		}],
+		[.name="chacha20-256-zero-key-onebit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00" \
+					"\x00\x00\x00\x00\x00\x00\x00\x00"
+,
+				.iv = "\x01\x00\x00\x00\x00\x00\x00\x00",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3320646e,
+					/* 2 */ 0x79622d32,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x00000000,
+					/* 5 */ 0x00000000,
+					/* 6 */ 0x00000000,
+					/* 7 */ 0x00000000,
+					/* 8 */ 0x00000000,
+					/* 9 */ 0x00000000,
+					/* 10 */ 0x00000000,
+					/* 11 */ 0x00000000,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x00000001,
+					/* 15 */ 0x00000000,
+				][:],
+				.stream0=\
+					"\xef\x3f\xdf\xd6\xc6\x15\x78\xfb" \
+					"\xf5\xcf\x35\xbd\x3d\xd3\x3b\x80" \
+					"\x09\x63\x16\x34\xd2\x1e\x42\xac" \
+					"\x33\x96\x0b\xd1\x38\xe5\x0d\x32" \
+					"\x11\x1e\x4c\xaf\x23\x7e\xe5\x3c" \
+					"\xa8\xad\x64\x26\x19\x4a\x88\x54" \
+					"\x5d\xdc\x49\x7a\x0b\x46\x6e\x7d" \
+					"\x6b\xbd\xb0\x04\x1b\x2f\x58\x6b",
+
+				.stream1=\
+					"\x53\x05\xe5\xe4\x4a\xff\x19\xb2" \
+					"\x35\x93\x61\x44\x67\x5e\xfb\xe4" \
+					"\x40\x9e\xb7\xe8\xe5\xf1\x43\x0f" \
+					"\x5f\x58\x36\xae\xb4\x9b\xb5\x32" \
+					"\x8b\x01\x7c\x4b\x9d\xc1\x1f\x8a" \
+					"\x03\x86\x3f\xa8\x03\xdc\x71\xd5" \
+					"\x72\x6b\x2b\x6b\x31\xaa\x32\x70" \
+					"\x8a\xfe\x5a\xf1\xd6\xb6\x90\x58",
+
+
+			]
+			check(&ck)
+		}],
+
+		[.name="chacha20-128-allbit-key-allbit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\xff\xff\xff\xff\xff\xff\xff\xff" \
+					"\xff\xff\xff\xff\xff\xff\xff\xff"
+,
+				.iv = "\xff\xff\xff\xff\xff\xff\xff\xff",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3120646e,
+					/* 2 */ 0x79622d36,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0xffffffff,
+					/* 5 */ 0xffffffff,
+					/* 6 */ 0xffffffff,
+					/* 7 */ 0xffffffff,
+					/* 8 */ 0xffffffff,
+					/* 9 */ 0xffffffff,
+					/* 10 */ 0xffffffff,
+					/* 11 */ 0xffffffff,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0xffffffff,
+					/* 15 */ 0xffffffff,
+				][:],
+				.stream0=\
+					"\x99\x29\x47\xc3\x96\x61\x26\xa0" \
+					"\xe6\x60\xa3\xe9\x5d\xb0\x48\xde" \
+					"\x09\x1f\xb9\xe0\x18\x5b\x1e\x41" \
+					"\xe4\x10\x15\xbb\x7e\xe5\x01\x50" \
+					"\x39\x9e\x47\x60\xb2\x62\xf9\xd5" \
+					"\x3f\x26\xd8\xdd\x19\xe5\x6f\x5c" \
+					"\x50\x6a\xe0\xc3\x61\x9f\xa6\x7f" \
+					"\xb0\xc4\x08\x10\x6d\x02\x03\xee",
+
+				.stream1=\
+					"\x40\xea\x3c\xfa\x61\xfa\x32\xa2" \
+					"\xfd\xa8\xd1\x23\x8a\x21\x35\xd9" \
+					"\xd4\x17\x87\x75\x24\x0f\x99\x00" \
+					"\x70\x64\xa6\xa7\xf0\xc7\x31\xb6" \
+					"\x7c\x22\x7c\x52\xef\x79\x6b\x6b" \
+					"\xed\x9f\x90\x59\xba\x06\x14\xbc" \
+					"\xf6\xdd\x6e\x38\x91\x7f\x3b\x15" \
+					"\x0e\x57\x63\x75\xbe\x50\xed\x67",
+
+
+			]
+			check(&ck)
+		}],
+		[.name="chacha20-256-allbit-key-allbit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\xff\xff\xff\xff\xff\xff\xff\xff" \
+					"\xff\xff\xff\xff\xff\xff\xff\xff" \
+					"\xff\xff\xff\xff\xff\xff\xff\xff" \
+					"\xff\xff\xff\xff\xff\xff\xff\xff"
+,
+				.iv = "\xff\xff\xff\xff\xff\xff\xff\xff",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3320646e,
+					/* 2 */ 0x79622d32,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0xffffffff,
+					/* 5 */ 0xffffffff,
+					/* 6 */ 0xffffffff,
+					/* 7 */ 0xffffffff,
+					/* 8 */ 0xffffffff,
+					/* 9 */ 0xffffffff,
+					/* 10 */ 0xffffffff,
+					/* 11 */ 0xffffffff,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0xffffffff,
+					/* 15 */ 0xffffffff,
+				][:],
+				.stream0=\
+					"\xd9\xbf\x3f\x6b\xce\x6e\xd0\xb5" \
+					"\x42\x54\x55\x77\x67\xfb\x57\x44" \
+					"\x3d\xd4\x77\x89\x11\xb6\x06\x05" \
+					"\x5c\x39\xcc\x25\xe6\x74\xb8\x36" \
+					"\x3f\xea\xbc\x57\xfd\xe5\x4f\x79" \
+					"\x0c\x52\xc8\xae\x43\x24\x0b\x79" \
+					"\xd4\x90\x42\xb7\x77\xbf\xd6\xcb" \
+					"\x80\xe9\x31\x27\x0b\x7f\x50\xeb",
+
+				.stream1=\
+					"\x5b\xac\x2a\xcd\x86\xa8\x36\xc5" \
+					"\xdc\x98\xc1\x16\xc1\x21\x7e\xc3" \
+					"\x1d\x3a\x63\xa9\x45\x13\x19\xf0" \
+					"\x97\xf3\xb4\xd6\xda\xb0\x77\x87" \
+					"\x19\x47\x7d\x24\xd2\x4b\x40\x3a" \
+					"\x12\x24\x1d\x7c\xca\x06\x4f\x79" \
+					"\x0f\x1d\x51\xcc\xaf\xf6\xb1\x66" \
+					"\x7d\x4b\xbc\xa1\x95\x8c\x43\x06",
+
+
+			]
+			check(&ck)
+		}],
+
+		[.name="chacha20-128-evenbit-key-evenbit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x55\x55\x55\x55\x55\x55\x55\x55" \
+					"\x55\x55\x55\x55\x55\x55\x55\x55"
+,
+				.iv = "\x55\x55\x55\x55\x55\x55\x55\x55",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3120646e,
+					/* 2 */ 0x79622d36,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x55555555,
+					/* 5 */ 0x55555555,
+					/* 6 */ 0x55555555,
+					/* 7 */ 0x55555555,
+					/* 8 */ 0x55555555,
+					/* 9 */ 0x55555555,
+					/* 10 */ 0x55555555,
+					/* 11 */ 0x55555555,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x55555555,
+					/* 15 */ 0x55555555,
+				][:],
+				.stream0=\
+					"\x35\x7d\x7d\x94\xf9\x66\x77\x8f" \
+					"\x58\x15\xa2\x05\x1d\xcb\x04\x13" \
+					"\x3b\x26\xb0\xea\xd9\xf5\x7d\xd0" \
+					"\x99\x27\x83\x7b\xc3\x06\x7e\x4b" \
+					"\x6b\xf2\x99\xad\x81\xf7\xf5\x0c" \
+					"\x8d\xa8\x3c\x78\x10\xbf\xc1\x7b" \
+					"\xb6\xf4\x81\x3a\xb6\xc3\x26\x95" \
+					"\x70\x45\xfd\x3f\xd5\xe1\x99\x15",
+
+				.stream1=\
+					"\xec\x74\x4a\x6b\x9b\xf8\xcb\xdc" \
+					"\xb3\x6d\x8b\x6a\x54\x99\xc6\x8a" \
+					"\x08\xef\x7b\xe6\xcc\x1e\x93\xf2" \
+					"\xf5\xbc\xd2\xca\xd4\xe4\x7c\x18" \
+					"\xa3\xe5\xd9\x4b\x56\x66\x38\x2c" \
+					"\x6d\x13\x0d\x82\x2d\xd5\x6a\xac" \
+					"\xb0\xf8\x19\x52\x78\xe7\xb2\x92" \
+					"\x49\x5f\x09\x86\x8d\xdf\x12\xcc",
+
+
+			]
+			check(&ck)
+		}],
+		[.name="chacha20-256-evenbit-key-evenbit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x55\x55\x55\x55\x55\x55\x55\x55" \
+					"\x55\x55\x55\x55\x55\x55\x55\x55" \
+					"\x55\x55\x55\x55\x55\x55\x55\x55" \
+					"\x55\x55\x55\x55\x55\x55\x55\x55"
+,
+				.iv = "\x55\x55\x55\x55\x55\x55\x55\x55",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3320646e,
+					/* 2 */ 0x79622d32,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x55555555,
+					/* 5 */ 0x55555555,
+					/* 6 */ 0x55555555,
+					/* 7 */ 0x55555555,
+					/* 8 */ 0x55555555,
+					/* 9 */ 0x55555555,
+					/* 10 */ 0x55555555,
+					/* 11 */ 0x55555555,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x55555555,
+					/* 15 */ 0x55555555,
+				][:],
+				.stream0=\
+					"\xbe\xa9\x41\x1a\xa4\x53\xc5\x43" \
+					"\x4a\x5a\xe8\xc9\x28\x62\xf5\x64" \
+					"\x39\x68\x55\xa9\xea\x6e\x22\xd6" \
+					"\xd3\xb5\x0a\xe1\xb3\x66\x33\x11" \
+					"\xa4\xa3\x60\x6c\x67\x1d\x60\x5c" \
+					"\xe1\x6c\x3a\xec\xe8\xe6\x1e\xa1" \
+					"\x45\xc5\x97\x75\x01\x7b\xee\x2f" \
+					"\xa6\xf8\x8a\xfc\x75\x80\x69\xf7",
+
+				.stream1=\
+					"\xe0\xb8\xf6\x76\xe6\x44\x21\x6f" \
+					"\x4d\x2a\x34\x22\xd7\xfa\x36\xc6" \
+					"\xc4\x93\x1a\xca\x95\x0e\x9d\xa4" \
+					"\x27\x88\xe6\xd0\xb6\xd1\xcd\x83" \
+					"\x8e\xf6\x52\xe9\x7b\x14\x5b\x14" \
+					"\x87\x1e\xae\x6c\x68\x04\xc7\x00" \
+					"\x4d\xb5\xac\x2f\xce\x4c\x68\xc7" \
+					"\x26\xd0\x04\xb1\x0f\xca\xba\x86",
+
+
+			]
+			check(&ck)
+		}],
+
+		[.name="chacha20-128-oddbit-key-oddbit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \
+					"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+,
+				.iv = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3120646e,
+					/* 2 */ 0x79622d36,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0xaaaaaaaa,
+					/* 5 */ 0xaaaaaaaa,
+					/* 6 */ 0xaaaaaaaa,
+					/* 7 */ 0xaaaaaaaa,
+					/* 8 */ 0xaaaaaaaa,
+					/* 9 */ 0xaaaaaaaa,
+					/* 10 */ 0xaaaaaaaa,
+					/* 11 */ 0xaaaaaaaa,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0xaaaaaaaa,
+					/* 15 */ 0xaaaaaaaa,
+				][:],
+				.stream0=\
+					"\xfc\x79\xac\xbd\x58\x52\x61\x03" \
+					"\x86\x27\x76\xaa\xb2\x0f\x3b\x7d" \
+					"\x8d\x31\x49\xb2\xfa\xb6\x57\x66" \
+					"\x29\x93\x16\xb6\xe5\xb1\x66\x84" \
+					"\xde\x5d\xe5\x48\xc1\xb7\xd0\x83" \
+					"\xef\xd9\xe3\x05\x23\x19\xe0\xc6" \
+					"\x25\x41\x41\xda\x04\xa6\x58\x6d" \
+					"\xf8\x00\xf6\x4d\x46\xb0\x1c\x87",
+
+				.stream1=\
+					"\x1f\x05\xbc\x67\xe0\x76\x28\xeb" \
+					"\xe6\xf6\x86\x5a\x21\x77\xe0\xb6" \
+					"\x6a\x55\x8a\xa7\xcc\x1e\x8f\xf1" \
+					"\xa9\x8d\x27\xf7\x07\x1f\x83\x35" \
+					"\xef\xce\x45\x37\xbb\x0e\xf7\xb5" \
+					"\x73\xb3\x2f\x32\x76\x5f\x29\x00" \
+					"\x7d\xa5\x3b\xba\x62\xe7\xa4\x4d" \
+					"\x00\x6f\x41\xeb\x28\xfe\x15\xd6",
+
+
+			]
+			check(&ck)
+		}],
+		[.name="chacha20-256-oddbit-key-oddbit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \
+					"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \
+					"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \
+					"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+,
+				.iv = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3320646e,
+					/* 2 */ 0x79622d32,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0xaaaaaaaa,
+					/* 5 */ 0xaaaaaaaa,
+					/* 6 */ 0xaaaaaaaa,
+					/* 7 */ 0xaaaaaaaa,
+					/* 8 */ 0xaaaaaaaa,
+					/* 9 */ 0xaaaaaaaa,
+					/* 10 */ 0xaaaaaaaa,
+					/* 11 */ 0xaaaaaaaa,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0xaaaaaaaa,
+					/* 15 */ 0xaaaaaaaa,
+				][:],
+				.stream0=\
+					"\x9a\xa2\xa9\xf6\x56\xef\xde\x5a" \
+					"\xa7\x59\x1c\x5f\xed\x4b\x35\xae" \
+					"\xa2\x89\x5d\xec\x7c\xb4\x54\x3b" \
+					"\x9e\x9f\x21\xf5\xe7\xbc\xbc\xf3" \
+					"\xc4\x3c\x74\x8a\x97\x08\x88\xf8" \
+					"\x24\x83\x93\xa0\x9d\x43\xe0\xb7" \
+					"\xe1\x64\xbc\x4d\x0b\x0f\xb2\x40" \
+					"\xa2\xd7\x21\x15\xc4\x80\x89\x06",
+
+				.stream1=\
+					"\x72\x18\x44\x89\x44\x05\x45\xd0" \
+					"\x21\xd9\x7e\xf6\xb6\x93\xdf\xe5" \
+					"\xb2\xc1\x32\xd4\x7e\x6f\x04\x1c" \
+					"\x90\x63\x65\x1f\x96\xb6\x23\xe6" \
+					"\x2a\x11\x99\x9a\x23\xb6\xf7\xc4" \
+					"\x61\xb2\x15\x30\x26\xad\x5e\x86" \
+					"\x6a\x2e\x59\x7e\xd0\x7b\x84\x01" \
+					"\xde\xc6\x3a\x09\x34\xc6\xb2\xa9",
+
+
+			]
+			check(&ck)
+		}],
+
+		[.name="chacha20-128-seqpat-key-seqpat-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x00\x11\x22\x33\x44\x55\x66\x77" \
+					"\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
+,
+				.iv = "\x0f\x1e\x2d\x3c\x4b\x5a\x69\x78",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3120646e,
+					/* 2 */ 0x79622d36,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x33221100,
+					/* 5 */ 0x77665544,
+					/* 6 */ 0xbbaa9988,
+					/* 7 */ 0xffeeddcc,
+					/* 8 */ 0x33221100,
+					/* 9 */ 0x77665544,
+					/* 10 */ 0xbbaa9988,
+					/* 11 */ 0xffeeddcc,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x3c2d1e0f,
+					/* 15 */ 0x78695a4b,
+				][:],
+				.stream0=\
+					"\xd1\xab\xf6\x30\x46\x7e\xb4\xf6" \
+					"\x7f\x1c\xfb\x47\xcd\x62\x6a\xae" \
+					"\x8a\xfe\xdb\xbe\x4f\xf8\xfc\x5f" \
+					"\xe9\xcf\xae\x30\x7e\x74\xed\x45" \
+					"\x1f\x14\x04\x42\x5a\xd2\xb5\x45" \
+					"\x69\xd5\xf1\x81\x48\x93\x99\x71" \
+					"\xab\xb8\xfa\xfc\x88\xce\x4a\xc7" \
+					"\xfe\x1c\x3d\x1f\x7a\x1e\xb7\xca",
+
+				.stream1=\
+					"\xe7\x6c\xa8\x7b\x61\xa9\x71\x35" \
+					"\x41\x49\x77\x60\xdd\x9a\xe0\x59" \
+					"\x35\x0c\xad\x0d\xce\xdf\xaa\x80" \
+					"\xa8\x83\x11\x9a\x1a\x6f\x98\x7f" \
+					"\xd1\xce\x91\xfd\x8e\xe0\x82\x80" \
+					"\x34\xb4\x11\x20\x0a\x97\x45\xa2" \
+					"\x85\x55\x44\x75\xd1\x2a\xfc\x04" \
+					"\x88\x7f\xef\x35\x16\xd1\x2a\x2c",
+
+
+			]
+			check(&ck)
+		}],
+		[.name="chacha20-256-seqpat-key-seqpat-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\x00\x11\x22\x33\x44\x55\x66\x77" \
+					"\x88\x99\xaa\xbb\xcc\xdd\xee\xff" \
+					"\xff\xee\xdd\xcc\xbb\xaa\x99\x88" \
+					"\x77\x66\x55\x44\x33\x22\x11\x00"
+,
+				.iv = "\x0f\x1e\x2d\x3c\x4b\x5a\x69\x78",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3320646e,
+					/* 2 */ 0x79622d32,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0x33221100,
+					/* 5 */ 0x77665544,
+					/* 6 */ 0xbbaa9988,
+					/* 7 */ 0xffeeddcc,
+					/* 8 */ 0xccddeeff,
+					/* 9 */ 0x8899aabb,
+					/* 10 */ 0x44556677,
+					/* 11 */ 0x00112233,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0x3c2d1e0f,
+					/* 15 */ 0x78695a4b,
+				][:],
+				.stream0=\
+					"\x9f\xad\xf4\x09\xc0\x08\x11\xd0" \
+					"\x04\x31\xd6\x7e\xfb\xd8\x8f\xba" \
+					"\x59\x21\x8d\x5d\x67\x08\xb1\xd6" \
+					"\x85\x86\x3f\xab\xbb\x0e\x96\x1e" \
+					"\xea\x48\x0f\xd6\xfb\x53\x2b\xfd" \
+					"\x49\x4b\x21\x51\x01\x50\x57\x42" \
+					"\x3a\xb6\x0a\x63\xfe\x4f\x55\xf7" \
+					"\xa2\x12\xe2\x16\x7c\xca\xb9\x31",
+
+				.stream1=\
+					"\xfb\xfd\x29\xcf\x7b\xc1\xd2\x79" \
+					"\xed\xdf\x25\xdd\x31\x6b\xb8\x84" \
+					"\x3d\x6e\xde\xe0\xbd\x1e\xf1\x21" \
+					"\xd1\x2f\xa1\x7c\xbc\x2c\x57\x4c" \
+					"\xcc\xab\x5e\x27\x51\x67\xb0\x8b" \
+					"\xd6\x86\xf8\xa0\x9d\xf8\x7e\xc3" \
+					"\xff\xb3\x53\x61\xb9\x4e\xbf\xa1" \
+					"\x3f\xec\x0e\x48\x89\xd1\x8d\xa5",
+
+
+			]
+			check(&ck)
+		}],
+
+		[.name="chacha20-128-randbit-key-randbit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\xc4\x6e\xc1\xb1\x8c\xe8\xa8\x78" \
+					"\x72\x5a\x37\xe7\x80\xdf\xb7\x35"
+,
+				.iv = "\x1a\xda\x31\xd5\xcf\x68\x82\x21",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3120646e,
+					/* 2 */ 0x79622d36,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0xb1c16ec4,
+					/* 5 */ 0x78a8e88c,
+					/* 6 */ 0xe7375a72,
+					/* 7 */ 0x35b7df80,
+					/* 8 */ 0xb1c16ec4,
+					/* 9 */ 0x78a8e88c,
+					/* 10 */ 0xe7375a72,
+					/* 11 */ 0x35b7df80,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0xd531da1a,
+					/* 15 */ 0x218268cf,
+				][:],
+				.stream0=\
+					"\x82\x6a\xbd\xd8\x44\x60\xe2\xe9" \
+					"\x34\x9f\x0e\xf4\xaf\x5b\x17\x9b" \
+					"\x42\x6e\x4b\x2d\x10\x9a\x9c\x5b" \
+					"\xb4\x40\x00\xae\x51\xbe\xa9\x0a" \
+					"\x49\x6b\xee\xef\x62\xa7\x68\x50" \
+					"\xff\x3f\x04\x02\xc4\xdd\xc9\x9f" \
+					"\x6d\xb0\x7f\x15\x1c\x1c\x0d\xfa" \
+					"\xc2\xe5\x65\x65\xd6\x28\x96\x25",
+
+				.stream1=\
+					"\x5b\x23\x13\x2e\x7b\x46\x9c\x7b" \
+					"\xfb\x88\xfa\x95\xd4\x4c\xa5\xae" \
+					"\x3e\x45\xe8\x48\xa4\x10\x8e\x98" \
+					"\xba\xd7\xa9\xeb\x15\x51\x27\x84" \
+					"\xa6\xa9\xe6\xe5\x91\xdc\xe6\x74" \
+					"\x12\x0a\xca\xf9\x04\x0f\xf5\x0f" \
+					"\xf3\xac\x30\xcc\xfb\x5e\x14\x20" \
+					"\x4f\x5e\x42\x68\xb9\x0a\x88\x04",
+
+
+			]
+			check(&ck)
+		}],
+		[.name="chacha20-256-randbit-key-randbit-iv", .fn={ctx
+			var ck : check = [
+				.key = \
+					"\xc4\x6e\xc1\xb1\x8c\xe8\xa8\x78" \
+					"\x72\x5a\x37\xe7\x80\xdf\xb7\x35" \
+					"\x1f\x68\xed\x2e\x19\x4c\x79\xfb" \
+					"\xc6\xae\xbe\xe1\xa6\x67\x97\x5d"
+,
+				.iv = "\x1a\xda\x31\xd5\xcf\x68\x82\x21",
+				.state=[
+					/* 0 */ 0x61707865,
+					/* 1 */ 0x3320646e,
+					/* 2 */ 0x79622d32,
+					/* 3 */ 0x6b206574,
+					/* 4 */ 0xb1c16ec4,
+					/* 5 */ 0x78a8e88c,
+					/* 6 */ 0xe7375a72,
+					/* 7 */ 0x35b7df80,
+					/* 8 */ 0x2eed681f,
+					/* 9 */ 0xfb794c19,
+					/* 10 */ 0xe1beaec6,
+					/* 11 */ 0x5d9767a6,
+					/* 12 */ 0x00000000,
+					/* 13 */ 0x00000000,
+					/* 14 */ 0xd531da1a,
+					/* 15 */ 0x218268cf,
+				][:],
+				.stream0=\
+					"\xf6\x3a\x89\xb7\x5c\x22\x71\xf9" \
+					"\x36\x88\x16\x54\x2b\xa5\x2f\x06" \
+					"\xed\x49\x24\x17\x92\x30\x2b\x00" \
+					"\xb5\xe8\xf8\x0a\xe9\xa4\x73\xaf" \
+					"\xc2\x5b\x21\x8f\x51\x9a\xf0\xfd" \
+					"\xd4\x06\x36\x2e\x8d\x69\xde\x7f" \
+					"\x54\xc6\x04\xa6\xe0\x0f\x35\x3f" \
+					"\x11\x0f\x77\x1b\xdc\xa8\xab\x92",
+
+				.stream1=\
+					"\xe5\xfb\xc3\x4e\x60\xa1\xd9\xa9" \
+					"\xdb\x17\x34\x5b\x0a\x40\x27\x36" \
+					"\x85\x3b\xf9\x10\xb0\x60\xbd\xf1" \
+					"\xf8\x97\xb6\x29\x0f\x01\xd1\x38" \
+					"\xae\x2c\x4c\x90\x22\x5b\xa9\xea" \
+					"\x14\xd5\x18\xf5\x59\x29\xde\xa0" \
+					"\x98\xca\x7a\x6c\xcf\xe6\x12\x27" \
+					"\x05\x3c\x84\xe4\x9a\x4a\x33\x32",
+
+
+			]
+			check(&ck)
+		}],
+	][:])
+}
+
+const check = {chk
+	var st
+	var data : byte[64] = [
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+	]
+	var result : byte[64] = [
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0,
+	]
+
+	crypto.chacha20keysetup(&st, chk.key)
+	crypto.chacha20ivsetup(&st, chk.iv)
+
+	for (i, s) in std.byenum(chk.state)
+		std.assert(st.input[i] == s, "mismatched state\n")
+	;;
+
+	crypto.chacha20encrypt(&st, data[:], result[:])
+	std.assert(std.sleq(result[:], chk.stream0), "mismatched stream0")
+
+	crypto.chacha20encrypt(&st, data[:], result[:])
+	std.assert(std.sleq(result[:], chk.stream1), "mismatched stream1")
+}
+