}

// A Stream represents a stream cipher.
type Stream interface {
	// XORKeyStream XORs each byte in the given slice with a byte from the
	// cipher's key stream. Dst and src must overlap entirely or not at all.
	//
	// If len(dst) < len(src), XORKeyStream should panic. It is acceptable
	// to pass a dst bigger than src, and in that case, XORKeyStream will
	// only update dst[:len(src)] and will not touch the rest of dst.
	//

		panic(err)
	}
	stream := newCipher(block, iv[:])
	test(t, name, cipherText, stream.XORKeyStream)
}
func test(t *testing.T, name string, cipherText []byte, xor func([]byte, []byte)) {
	want := "abcdefghij"
	plainText := []byte(want)
	shorterLen := len(cipherText) / 2
	defer func() {
		err := recover()
		if err == nil {
			t.Errorf("%v XORKeyStream expected to panic on len(dst) < len(src), but didn't", name)
		}

// StreamReader wraps a [Stream] into an [io.Reader]. It calls XORKeyStream
// to process each slice of data which passes through.
type StreamReader struct {
	S Stream
	R io.Reader
}

func (r StreamReader) Read(dst []byte) (n int, err error) {
	n, err = r.R.Read(dst)
	r.S.XORKeyStream(dst[:n], dst[:n])
	return
}

// StreamWriter wraps a [Stream] into an io.Writer. It calls XORKeyStream

		cfb := cipher.NewCFBEncrypter(block, iv)
		cfb.XORKeyStream(ciphertext, plaintext)

		if !bytes.Equal(ciphertext, expected) {
			t.Errorf("#%d: wrong output: got %x, expected %x", i, ciphertext, expected)
		}

		cfbdec := cipher.NewCFBDecrypter(block, iv)
		plaintextCopy := make([]byte, len(ciphertext))
		cfbdec.XORKeyStream(plaintextCopy, ciphertext)

		if !bytes.Equal(plaintextCopy, plaintext) {

		panic("chacha20poly1305: invalid buffer overlap")
	}

	var polyKey [32]byte
	s, _ := chacha20.NewUnauthenticatedCipher(c.key[:], nonce)
	s.XORKeyStream(polyKey[:], polyKey[:])
	s.SetCounter(1) // set the counter to 1, skipping 32 bytes
	s.XORKeyStream(ciphertext, plaintext)

	p := poly1305.New(&polyKey)
	writeWithPadding(p, additionalData)
	writeWithPadding(p, ciphertext)
	writeUint64(p, len(additionalData))

//
// If len(dst) < len(src), XORKeyStream will panic. It is acceptable
// to pass a dst bigger than src, and in that case, XORKeyStream will
// only update dst[:len(src)] and will not touch the rest of dst.
//
// Multiple calls to XORKeyStream behave as if the concatenation of
// the src buffers was passed in a single run. That is, Cipher
// maintains state and does not reset at each XORKeyStream call.

		cfbe := cipher.NewCFBEncrypter(b, iv)
		cfbe.XORKeyStream(ct, pt[:0])
		assertEqual("CFB encrypt", ct, pt)

		cfbd := cipher.NewCFBDecrypter(b, iv)
		cfbd.XORKeyStream(ct, pt[:0])
		assertEqual("CFB decrypt", ct, pt)

		ctr := cipher.NewCTR(b, iv)
		ctr.XORKeyStream(ct, pt[:0])
		assertEqual("CTR", ct, pt)

		ofb := cipher.NewOFB(b, iv)
		ofb.XORKeyStream(ct, pt[:0])
		assertEqual("OFB", ct, pt)
	}

	data1 := make([]byte, 1<<20)
	for i := range data1 {
		c1a.XORKeyStream(data1[i:i+1], data1[i:i+1])
		c1b.XORKeyStream(data1[i:i+1], data1[i:i+1])
	}

	c2a, _ := NewCipher(golden[0].key)
	c2b, _ := NewCipher(golden[1].key)
	data2 := make([]byte, 1<<20)
	c2a.XORKeyStream(data2, data2)
	c2b.XORKeyStream(data2, data2)

	if !bytes.Equal(data1, data2) {
		t.Fatalf("bad block")
	}
}

		panic("ciphertext too short")
	}
	iv := ciphertext[:aes.BlockSize]
	ciphertext = ciphertext[aes.BlockSize:]

	stream := cipher.NewCFBDecrypter(block, iv)

	// XORKeyStream can work in-place if the two arguments are the same.
	stream.XORKeyStream(ciphertext, ciphertext)
	fmt.Printf("%s", ciphertext)
	// Output: some plaintext
}

func ExampleNewCFBEncrypter() {

//go:build gc && !purego

package chacha20

import "golang.org/x/sys/cpu"

var haveAsm = cpu.S390X.HasVX

const bufSize = 256

// xorKeyStreamVX is an assembly implementation of XORKeyStream. It must only
// be called when the vector facility is available. Implementation in asm_s390x.s.
//
//go:noescape
func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32)