3 files changed, 0 insertions, 489 deletions
diff --git a/src/lib/libcrypto/chacha/chacha-merged.c b/src/lib/libcrypto/chacha/chacha-merged.c
deleted file mode 100644
index debb776c8f..0000000000
--- a/src/lib/libcrypto/chacha/chacha-merged.c
+++ /dev/null
@@ -1,323 +0,0 @@
-/* $OpenBSD: chacha-merged.c,v 1.13 2024/06/05 19:43:06 tb Exp $ */
-/*
-chacha-merged.c version 20080118
-D. J. Bernstein
-Public domain.
-*/
-#include <stdint.h>
-#define CHACHA_MINKEYLEN        16
-#define CHACHA_NONCELEN         8
-#define CHACHA_CTRLEN           8
-#define CHACHA_STATELEN         (CHACHA_NONCELEN+CHACHA_CTRLEN)
-#define CHACHA_BLOCKLEN         64
-typedef uint8_t u8;
-typedef uint32_t u32;
-struct chacha_ctx {
-        u32 input[16];
-        u8 ks[CHACHA_BLOCKLEN];
-        u8 unused;
-};
-static inline void chacha_keysetup(struct chacha_ctx *x, const u8 *k, u32 kbits)
-    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
-static inline void chacha_ivsetup(struct chacha_ctx *x, const u8 *iv,
-    const u8 *ctr)
-    __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
-    __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
-static inline void chacha_encrypt_bytes(struct chacha_ctx *x, const u8 *m,
-    u8 *c, u32 bytes)
-    __attribute__((__bounded__(__buffer__, 2, 4)))
-    __attribute__((__bounded__(__buffer__, 3, 4)));
-typedef struct chacha_ctx chacha_ctx;
-#define U8C(v) (v##U)
-#define U32C(v) (v##U)
-#define U8V(v) ((u8)(v) & U8C(0xFF))
-#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
-#define ROTL32(v, n) \
-  (U32V((v) << (n)) | ((v) >> (32 - (n))))
-#define U8TO32_LITTLE(p) \
-  (((u32)((p)[0])) | \
-   ((u32)((p)[1]) <<  8) | \
-   ((u32)((p)[2]) << 16) | \
-   ((u32)((p)[3]) << 24))
-#define U32TO8_LITTLE(p, v) \
-  do { \
-    (p)[0] = U8V((v)); \
-    (p)[1] = U8V((v) >>  8); \
-    (p)[2] = U8V((v) >> 16); \
-    (p)[3] = U8V((v) >> 24); \
-  } while (0)
-#define ROTATE(v,c) (ROTL32(v,c))
-#define XOR(v,w) ((v) ^ (w))
-#define PLUS(v,w) (U32V((v) + (w)))
-#define PLUSONE(v) (PLUS((v),1))
-#define QUARTERROUND(a,b,c,d) \
-  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
-  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
-  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
-  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
-/* Initialise with "expand 32-byte k". */
-static const char sigma[16] = {
-        0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x33,
-        0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
-};
-/* Initialise with "expand 16-byte k". */
-static const char tau[16] = {
-        0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x31,
-        0x36, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
-};
-static inline void
-chacha_keysetup(chacha_ctx *x, const u8 *k, u32 kbits)
-{
-        const char *constants;
-        x->input[4] = U8TO32_LITTLE(k + 0);
-        x->input[5] = U8TO32_LITTLE(k + 4);
-        x->input[6] = U8TO32_LITTLE(k + 8);
-        x->input[7] = U8TO32_LITTLE(k + 12);
-        if (kbits == 256) { /* recommended */
-                k += 16;
-                constants = sigma;
-        } else { /* kbits == 128 */
-                constants = tau;
-        }
-        x->input[8] = U8TO32_LITTLE(k + 0);
-        x->input[9] = U8TO32_LITTLE(k + 4);
-        x->input[10] = U8TO32_LITTLE(k + 8);
-        x->input[11] = U8TO32_LITTLE(k + 12);
-        x->input[0] = U8TO32_LITTLE(constants + 0);
-        x->input[1] = U8TO32_LITTLE(constants + 4);
-        x->input[2] = U8TO32_LITTLE(constants + 8);
-        x->input[3] = U8TO32_LITTLE(constants + 12);
-}
-static inline void
-chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
-{
-        x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
-        x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
-        x->input[14] = U8TO32_LITTLE(iv + 0);
-        x->input[15] = U8TO32_LITTLE(iv + 4);
-}
-static inline void
-chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
-{
-        u32 x0, x1, x2, x3, x4, x5, x6, x7;
-        u32 x8, x9, x10, x11, x12, x13, x14, x15;
-        u32 j0, j1, j2, j3, j4, j5, j6, j7;
-        u32 j8, j9, j10, j11, j12, j13, j14, j15;
-        u8 *ctarget = NULL;
-        u8 tmp[64];
-        u32 i;
-        if (!bytes)
-                return;
-        j0 = x->input[0];
-        j1 = x->input[1];
-        j2 = x->input[2];
-        j3 = x->input[3];
-        j4 = x->input[4];
-        j5 = x->input[5];
-        j6 = x->input[6];
-        j7 = x->input[7];
-        j8 = x->input[8];
-        j9 = x->input[9];
-        j10 = x->input[10];
-        j11 = x->input[11];
-        j12 = x->input[12];
-        j13 = x->input[13];
-        j14 = x->input[14];
-        j15 = x->input[15];
-        for (;;) {
-                if (bytes < 64) {
-                        for (i = 0; i < bytes; ++i)
-                                tmp[i] = m[i];
-                        m = tmp;
-                        ctarget = c;
-                        c = tmp;
-                }
-                x0 = j0;
-                x1 = j1;
-                x2 = j2;
-                x3 = j3;
-                x4 = j4;
-                x5 = j5;
-                x6 = j6;
-                x7 = j7;
-                x8 = j8;
-                x9 = j9;
-                x10 = j10;
-                x11 = j11;
-                x12 = j12;
-                x13 = j13;
-                x14 = j14;
-                x15 = j15;
-                for (i = 20; i > 0; i -= 2) {
-                        QUARTERROUND(x0, x4, x8, x12)
-                        QUARTERROUND(x1, x5, x9, x13)
-                        QUARTERROUND(x2, x6, x10, x14)
-                        QUARTERROUND(x3, x7, x11, x15)
-                        QUARTERROUND(x0, x5, x10, x15)
-                        QUARTERROUND(x1, x6, x11, x12)
-                        QUARTERROUND(x2, x7, x8, x13)
-                        QUARTERROUND(x3, x4, x9, x14)
-                }
-                x0 = PLUS(x0, j0);
-                x1 = PLUS(x1, j1);
-                x2 = PLUS(x2, j2);
-                x3 = PLUS(x3, j3);
-                x4 = PLUS(x4, j4);
-                x5 = PLUS(x5, j5);
-                x6 = PLUS(x6, j6);
-                x7 = PLUS(x7, j7);
-                x8 = PLUS(x8, j8);
-                x9 = PLUS(x9, j9);
-                x10 = PLUS(x10, j10);
-                x11 = PLUS(x11, j11);
-                x12 = PLUS(x12, j12);
-                x13 = PLUS(x13, j13);
-                x14 = PLUS(x14, j14);
-                x15 = PLUS(x15, j15);
-                if (bytes < 64) {
-                        U32TO8_LITTLE(x->ks + 0, x0);
-                        U32TO8_LITTLE(x->ks + 4, x1);
-                        U32TO8_LITTLE(x->ks + 8, x2);
-                        U32TO8_LITTLE(x->ks + 12, x3);
-                        U32TO8_LITTLE(x->ks + 16, x4);
-                        U32TO8_LITTLE(x->ks + 20, x5);
-                        U32TO8_LITTLE(x->ks + 24, x6);
-                        U32TO8_LITTLE(x->ks + 28, x7);
-                        U32TO8_LITTLE(x->ks + 32, x8);
-                        U32TO8_LITTLE(x->ks + 36, x9);
-                        U32TO8_LITTLE(x->ks + 40, x10);
-                        U32TO8_LITTLE(x->ks + 44, x11);
-                        U32TO8_LITTLE(x->ks + 48, x12);
-                        U32TO8_LITTLE(x->ks + 52, x13);
-                        U32TO8_LITTLE(x->ks + 56, x14);
-                        U32TO8_LITTLE(x->ks + 60, x15);
-                }
-                x0 = XOR(x0, U8TO32_LITTLE(m + 0));
-                x1 = XOR(x1, U8TO32_LITTLE(m + 4));
-                x2 = XOR(x2, U8TO32_LITTLE(m + 8));
-                x3 = XOR(x3, U8TO32_LITTLE(m + 12));
-                x4 = XOR(x4, U8TO32_LITTLE(m + 16));
-                x5 = XOR(x5, U8TO32_LITTLE(m + 20));
-                x6 = XOR(x6, U8TO32_LITTLE(m + 24));
-                x7 = XOR(x7, U8TO32_LITTLE(m + 28));
-                x8 = XOR(x8, U8TO32_LITTLE(m + 32));
-                x9 = XOR(x9, U8TO32_LITTLE(m + 36));
-                x10 = XOR(x10, U8TO32_LITTLE(m + 40));
-                x11 = XOR(x11, U8TO32_LITTLE(m + 44));
-                x12 = XOR(x12, U8TO32_LITTLE(m + 48));
-                x13 = XOR(x13, U8TO32_LITTLE(m + 52));
-                x14 = XOR(x14, U8TO32_LITTLE(m + 56));
-                x15 = XOR(x15, U8TO32_LITTLE(m + 60));
-                j12 = PLUSONE(j12);
-                if (!j12) {
-                        j13 = PLUSONE(j13);
-                        /*
-                         * Stopping at 2^70 bytes per nonce is the user's
-                         * responsibility.
-                         */
-                }
-                U32TO8_LITTLE(c + 0, x0);
-                U32TO8_LITTLE(c + 4, x1);
-                U32TO8_LITTLE(c + 8, x2);
-                U32TO8_LITTLE(c + 12, x3);
-                U32TO8_LITTLE(c + 16, x4);
-                U32TO8_LITTLE(c + 20, x5);
-                U32TO8_LITTLE(c + 24, x6);
-                U32TO8_LITTLE(c + 28, x7);
-                U32TO8_LITTLE(c + 32, x8);
-                U32TO8_LITTLE(c + 36, x9);
-                U32TO8_LITTLE(c + 40, x10);
-                U32TO8_LITTLE(c + 44, x11);
-                U32TO8_LITTLE(c + 48, x12);
-                U32TO8_LITTLE(c + 52, x13);
-                U32TO8_LITTLE(c + 56, x14);
-                U32TO8_LITTLE(c + 60, x15);
-                if (bytes <= 64) {
-                        if (bytes < 64) {
-                                for (i = 0; i < bytes; ++i)
-                                        ctarget[i] = c[i];
-                        }
-                        x->input[12] = j12;
-                        x->input[13] = j13;
-                        x->unused = 64 - bytes;
-                        return;
-                }
-                bytes -= 64;
-                c += 64;
-                m += 64;
-        }
-}
-void
-CRYPTO_hchacha_20(unsigned char subkey[32], const unsigned char key[32],
-    const unsigned char nonce[16])
-{
-        uint32_t x[16];
-        int i;
-        x[0] = U8TO32_LITTLE(sigma + 0);
-        x[1] = U8TO32_LITTLE(sigma + 4);
-        x[2] = U8TO32_LITTLE(sigma + 8);
-        x[3] = U8TO32_LITTLE(sigma + 12);
-        x[4] = U8TO32_LITTLE(key + 0);
-        x[5] = U8TO32_LITTLE(key + 4);
-        x[6] = U8TO32_LITTLE(key + 8);
-        x[7] = U8TO32_LITTLE(key + 12);
-        x[8] = U8TO32_LITTLE(key + 16);
-        x[9] = U8TO32_LITTLE(key + 20);
-        x[10] = U8TO32_LITTLE(key + 24);
-        x[11] = U8TO32_LITTLE(key + 28);
-        x[12] = U8TO32_LITTLE(nonce + 0);
-        x[13] = U8TO32_LITTLE(nonce + 4);
-        x[14] = U8TO32_LITTLE(nonce + 8);
-        x[15] = U8TO32_LITTLE(nonce + 12);
-        for (i = 20; i > 0; i -= 2) {
-                QUARTERROUND(x[0], x[4], x[8], x[12])
-                QUARTERROUND(x[1], x[5], x[9], x[13])
-                QUARTERROUND(x[2], x[6], x[10], x[14])
-                QUARTERROUND(x[3], x[7], x[11], x[15])
-                QUARTERROUND(x[0], x[5], x[10], x[15])
-                QUARTERROUND(x[1], x[6], x[11], x[12])
-                QUARTERROUND(x[2], x[7], x[8], x[13])
-                QUARTERROUND(x[3], x[4], x[9], x[14])
-        }
-        U32TO8_LITTLE(subkey + 0, x[0]);
-        U32TO8_LITTLE(subkey + 4, x[1]);
-        U32TO8_LITTLE(subkey + 8, x[2]);
-        U32TO8_LITTLE(subkey + 12, x[3]);
-        U32TO8_LITTLE(subkey + 16, x[12]);
-        U32TO8_LITTLE(subkey + 20, x[13]);
-        U32TO8_LITTLE(subkey + 24, x[14]);
-        U32TO8_LITTLE(subkey + 28, x[15]);
-}
-LCRYPTO_ALIAS(CRYPTO_hchacha_20);
diff --git a/src/lib/libcrypto/chacha/chacha.c b/src/lib/libcrypto/chacha/chacha.c
deleted file mode 100644
index b60e3c4f27..0000000000
--- a/src/lib/libcrypto/chacha/chacha.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/* $OpenBSD: chacha.c,v 1.10 2023/07/05 16:17:20 beck Exp $ */
-/*
- * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <stdint.h>
-#include <openssl/chacha.h>
-#include "chacha-merged.c"
-void
-ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key, uint32_t keybits)
-{
-        chacha_keysetup((chacha_ctx *)ctx, key, keybits);
-        ctx->unused = 0;
-}
-LCRYPTO_ALIAS(ChaCha_set_key);
-void
-ChaCha_set_iv(ChaCha_ctx *ctx, const unsigned char *iv,
-    const unsigned char *counter)
-{
-        chacha_ivsetup((chacha_ctx *)ctx, iv, counter);
-        ctx->unused = 0;
-}
-LCRYPTO_ALIAS(ChaCha_set_iv);
-void
-ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in, size_t len)
-{
-        unsigned char *k;
-        uint64_t n;
-        int i, l;
-        /* Consume remaining keystream, if any exists. */
-        if (ctx->unused > 0) {
-                k = ctx->ks + 64 - ctx->unused;
-                l = (len > ctx->unused) ? ctx->unused : len;
-                for (i = 0; i < l; i++)
-                        *(out++) = *(in++) ^ *(k++);
-                ctx->unused -= l;
-                len -= l;
-        }
-        while (len > 0) {
-                if ((n = len) > UINT32_MAX)
-                        n = UINT32_MAX;
-                chacha_encrypt_bytes((chacha_ctx *)ctx, in, out, (uint32_t)n);
-                in += n;
-                out += n;
-                len -= n;
-        }
-}
-LCRYPTO_ALIAS(ChaCha);
-void
-CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len,
-    const unsigned char key[32], const unsigned char iv[8], uint64_t counter)
-{
-        struct chacha_ctx ctx;
-        uint64_t n;
-        /*
-         * chacha_ivsetup expects the counter to be in u8. Rather than
-         * converting size_t to u8 and then back again, pass a counter of
-         * NULL and manually assign it afterwards.
-         */
-        chacha_keysetup(&ctx, key, 256);
-        chacha_ivsetup(&ctx, iv, NULL);
-        if (counter != 0) {
-                ctx.input[12] = (uint32_t)counter;
-                ctx.input[13] = (uint32_t)(counter >> 32);
-        }
-        while (len > 0) {
-                if ((n = len) > UINT32_MAX)
-                        n = UINT32_MAX;
-                chacha_encrypt_bytes(&ctx, in, out, (uint32_t)n);
-                in += n;
-                out += n;
-                len -= n;
-        }
-}
-LCRYPTO_ALIAS(CRYPTO_chacha_20);
-void
-CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len,
-    const unsigned char key[32], const unsigned char iv[24])
-{
-        uint8_t subkey[32];
-        CRYPTO_hchacha_20(subkey, key, iv);
-        CRYPTO_chacha_20(out, in, len, subkey, iv + 16, 0);
-}
-LCRYPTO_ALIAS(CRYPTO_xchacha_20);
diff --git a/src/lib/libcrypto/chacha/chacha.h b/src/lib/libcrypto/chacha/chacha.h
deleted file mode 100644
index 7d30c518a4..0000000000
--- a/src/lib/libcrypto/chacha/chacha.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* $OpenBSD: chacha.h,v 1.9 2025/01/25 17:59:44 tb Exp $ */
-/*
- * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#ifndef HEADER_CHACHA_H
-#define HEADER_CHACHA_H
-#include <openssl/opensslconf.h>
-#include <stddef.h>
-#include <stdint.h>
-#ifdef  __cplusplus
-extern "C" {
-#endif
-typedef struct {
-        unsigned int input[16];
-        unsigned char ks[64];
-        unsigned char unused;
-} ChaCha_ctx;
-void ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key,
-    unsigned int keybits);
-void ChaCha_set_iv(ChaCha_ctx *ctx, const unsigned char *iv,
-    const unsigned char *counter);
-void ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in,
-    size_t len);
-void CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len,
-    const unsigned char key[32], const unsigned char iv[8], uint64_t counter);
-void CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len,
-    const unsigned char key[32], const unsigned char iv[24]);
-void CRYPTO_hchacha_20(unsigned char out[32],
-    const unsigned char key[32], const unsigned char iv[16]);
-#ifdef  __cplusplus
-}
-#endif
-#endif /* HEADER_CHACHA_H */

diff --git a/src/lib/libcrypto/chacha/chacha-merged.c b/src/lib/libcrypto/chacha/chacha-merged.c deleted file mode 100644 index debb776c8f..0000000000 --- a/src/lib/libcrypto/chacha/chacha-merged.c +++ /dev/null
@@ -1,323 +0,0 @@
1	/* $OpenBSD: chacha-merged.c,v 1.13 2024/06/05 19:43:06 tb Exp $ */
2	/*
3	chacha-merged.c version 20080118
4	D. J. Bernstein
5	Public domain.
6	*/
7
8	#include <stdint.h>
9
10	#define CHACHA_MINKEYLEN 16
11	#define CHACHA_NONCELEN 8
12	#define CHACHA_CTRLEN 8
13	#define CHACHA_STATELEN (CHACHA_NONCELEN+CHACHA_CTRLEN)
14	#define CHACHA_BLOCKLEN 64
15
16	typedef uint8_t u8;
17	typedef uint32_t u32;
18
19	struct chacha_ctx {
20	u32 input[16];
21	u8 ks[CHACHA_BLOCKLEN];
22	u8 unused;
23	};
24
25	static inline void chacha_keysetup(struct chacha_ctx x, const u8 k, u32 kbits)
26	__attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
27	static inline void chacha_ivsetup(struct chacha_ctx x, const u8 iv,
28	const u8 *ctr)
29	__attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
30	__attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
31	static inline void chacha_encrypt_bytes(struct chacha_ctx x, const u8 m,
32	u8 *c, u32 bytes)
33	__attribute__((__bounded__(__buffer__, 2, 4)))
34	__attribute__((__bounded__(__buffer__, 3, 4)));
35
36	typedef struct chacha_ctx chacha_ctx;
37
38	#define U8C(v) (v##U)
39	#define U32C(v) (v##U)
40
41	#define U8V(v) ((u8)(v) & U8C(0xFF))
42	#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
43
44	#define ROTL32(v, n) \
45	(U32V((v) << (n)) \| ((v) >> (32 - (n))))
46
47	#define U8TO32_LITTLE(p) \
48	(((u32)((p)[0])) \| \
49	((u32)((p)[1]) << 8) \| \
50	((u32)((p)[2]) << 16) \| \
51	((u32)((p)[3]) << 24))
52
53	#define U32TO8_LITTLE(p, v) \
54	do { \
55	(p)[0] = U8V((v)); \
56	(p)[1] = U8V((v) >> 8); \
57	(p)[2] = U8V((v) >> 16); \
58	(p)[3] = U8V((v) >> 24); \
59	} while (0)
60
61	#define ROTATE(v,c) (ROTL32(v,c))
62	#define XOR(v,w) ((v) ^ (w))
63	#define PLUS(v,w) (U32V((v) + (w)))
64	#define PLUSONE(v) (PLUS((v),1))
65
66	#define QUARTERROUND(a,b,c,d) \
67	a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
68	c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
69	a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
70	c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
71
72	/* Initialise with "expand 32-byte k". */
73	static const char sigma[16] = {
74	0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x33,
75	0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
76	};
77
78	/* Initialise with "expand 16-byte k". */
79	static const char tau[16] = {
80	0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x31,
81	0x36, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
82	};
83
84	static inline void
85	chacha_keysetup(chacha_ctx x, const u8 k, u32 kbits)
86	{
87	const char *constants;
88
89	x->input[4] = U8TO32_LITTLE(k + 0);
90	x->input[5] = U8TO32_LITTLE(k + 4);
91	x->input[6] = U8TO32_LITTLE(k + 8);
92	x->input[7] = U8TO32_LITTLE(k + 12);
93	if (kbits == 256) { /* recommended */
94	k += 16;
95	constants = sigma;
96	} else { /* kbits == 128 */
97	constants = tau;
98	}
99	x->input[8] = U8TO32_LITTLE(k + 0);
100	x->input[9] = U8TO32_LITTLE(k + 4);
101	x->input[10] = U8TO32_LITTLE(k + 8);
102	x->input[11] = U8TO32_LITTLE(k + 12);
103	x->input[0] = U8TO32_LITTLE(constants + 0);
104	x->input[1] = U8TO32_LITTLE(constants + 4);
105	x->input[2] = U8TO32_LITTLE(constants + 8);
106	x->input[3] = U8TO32_LITTLE(constants + 12);
107	}
108
109	static inline void
110	chacha_ivsetup(chacha_ctx x, const u8 iv, const u8 *counter)
111	{
112	x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
113	x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
114	x->input[14] = U8TO32_LITTLE(iv + 0);
115	x->input[15] = U8TO32_LITTLE(iv + 4);
116	}
117
118	static inline void
119	chacha_encrypt_bytes(chacha_ctx x, const u8 m, u8 *c, u32 bytes)
120	{
121	u32 x0, x1, x2, x3, x4, x5, x6, x7;
122	u32 x8, x9, x10, x11, x12, x13, x14, x15;
123	u32 j0, j1, j2, j3, j4, j5, j6, j7;
124	u32 j8, j9, j10, j11, j12, j13, j14, j15;
125	u8 *ctarget = NULL;
126	u8 tmp[64];
127	u32 i;
128
129	if (!bytes)
130	return;
131
132	j0 = x->input[0];
133	j1 = x->input[1];
134	j2 = x->input[2];
135	j3 = x->input[3];
136	j4 = x->input[4];
137	j5 = x->input[5];
138	j6 = x->input[6];
139	j7 = x->input[7];
140	j8 = x->input[8];
141	j9 = x->input[9];
142	j10 = x->input[10];
143	j11 = x->input[11];
144	j12 = x->input[12];
145	j13 = x->input[13];
146	j14 = x->input[14];
147	j15 = x->input[15];
148
149	for (;;) {
150	if (bytes < 64) {
151	for (i = 0; i < bytes; ++i)
152	tmp[i] = m[i];
153	m = tmp;
154	ctarget = c;
155	c = tmp;
156	}
157	x0 = j0;
158	x1 = j1;
159	x2 = j2;
160	x3 = j3;
161	x4 = j4;
162	x5 = j5;
163	x6 = j6;
164	x7 = j7;
165	x8 = j8;
166	x9 = j9;
167	x10 = j10;
168	x11 = j11;
169	x12 = j12;
170	x13 = j13;
171	x14 = j14;
172	x15 = j15;
173	for (i = 20; i > 0; i -= 2) {
174	QUARTERROUND(x0, x4, x8, x12)
175	QUARTERROUND(x1, x5, x9, x13)
176	QUARTERROUND(x2, x6, x10, x14)
177	QUARTERROUND(x3, x7, x11, x15)
178	QUARTERROUND(x0, x5, x10, x15)
179	QUARTERROUND(x1, x6, x11, x12)
180	QUARTERROUND(x2, x7, x8, x13)
181	QUARTERROUND(x3, x4, x9, x14)
182	}
183	x0 = PLUS(x0, j0);
184	x1 = PLUS(x1, j1);
185	x2 = PLUS(x2, j2);
186	x3 = PLUS(x3, j3);
187	x4 = PLUS(x4, j4);
188	x5 = PLUS(x5, j5);
189	x6 = PLUS(x6, j6);
190	x7 = PLUS(x7, j7);
191	x8 = PLUS(x8, j8);
192	x9 = PLUS(x9, j9);
193	x10 = PLUS(x10, j10);
194	x11 = PLUS(x11, j11);
195	x12 = PLUS(x12, j12);
196	x13 = PLUS(x13, j13);
197	x14 = PLUS(x14, j14);
198	x15 = PLUS(x15, j15);
199
200	if (bytes < 64) {
201	U32TO8_LITTLE(x->ks + 0, x0);
202	U32TO8_LITTLE(x->ks + 4, x1);
203	U32TO8_LITTLE(x->ks + 8, x2);
204	U32TO8_LITTLE(x->ks + 12, x3);
205	U32TO8_LITTLE(x->ks + 16, x4);
206	U32TO8_LITTLE(x->ks + 20, x5);
207	U32TO8_LITTLE(x->ks + 24, x6);
208	U32TO8_LITTLE(x->ks + 28, x7);
209	U32TO8_LITTLE(x->ks + 32, x8);
210	U32TO8_LITTLE(x->ks + 36, x9);
211	U32TO8_LITTLE(x->ks + 40, x10);
212	U32TO8_LITTLE(x->ks + 44, x11);
213	U32TO8_LITTLE(x->ks + 48, x12);
214	U32TO8_LITTLE(x->ks + 52, x13);
215	U32TO8_LITTLE(x->ks + 56, x14);
216	U32TO8_LITTLE(x->ks + 60, x15);
217	}
218
219	x0 = XOR(x0, U8TO32_LITTLE(m + 0));
220	x1 = XOR(x1, U8TO32_LITTLE(m + 4));
221	x2 = XOR(x2, U8TO32_LITTLE(m + 8));
222	x3 = XOR(x3, U8TO32_LITTLE(m + 12));
223	x4 = XOR(x4, U8TO32_LITTLE(m + 16));
224	x5 = XOR(x5, U8TO32_LITTLE(m + 20));
225	x6 = XOR(x6, U8TO32_LITTLE(m + 24));
226	x7 = XOR(x7, U8TO32_LITTLE(m + 28));
227	x8 = XOR(x8, U8TO32_LITTLE(m + 32));
228	x9 = XOR(x9, U8TO32_LITTLE(m + 36));
229	x10 = XOR(x10, U8TO32_LITTLE(m + 40));
230	x11 = XOR(x11, U8TO32_LITTLE(m + 44));
231	x12 = XOR(x12, U8TO32_LITTLE(m + 48));
232	x13 = XOR(x13, U8TO32_LITTLE(m + 52));
233	x14 = XOR(x14, U8TO32_LITTLE(m + 56));
234	x15 = XOR(x15, U8TO32_LITTLE(m + 60));
235
236	j12 = PLUSONE(j12);
237	if (!j12) {
238	j13 = PLUSONE(j13);
239	/*
240	* Stopping at 2^70 bytes per nonce is the user's
241	* responsibility.
242	*/
243	}
244
245	U32TO8_LITTLE(c + 0, x0);
246	U32TO8_LITTLE(c + 4, x1);
247	U32TO8_LITTLE(c + 8, x2);
248	U32TO8_LITTLE(c + 12, x3);
249	U32TO8_LITTLE(c + 16, x4);
250	U32TO8_LITTLE(c + 20, x5);
251	U32TO8_LITTLE(c + 24, x6);
252	U32TO8_LITTLE(c + 28, x7);
253	U32TO8_LITTLE(c + 32, x8);
254	U32TO8_LITTLE(c + 36, x9);
255	U32TO8_LITTLE(c + 40, x10);
256	U32TO8_LITTLE(c + 44, x11);
257	U32TO8_LITTLE(c + 48, x12);
258	U32TO8_LITTLE(c + 52, x13);
259	U32TO8_LITTLE(c + 56, x14);
260	U32TO8_LITTLE(c + 60, x15);
261
262	if (bytes <= 64) {
263	if (bytes < 64) {
264	for (i = 0; i < bytes; ++i)
265	ctarget[i] = c[i];
266	}
267	x->input[12] = j12;
268	x->input[13] = j13;
269	x->unused = 64 - bytes;
270	return;
271	}
272	bytes -= 64;
273	c += 64;
274	m += 64;
275	}
276	}
277
278	void
279	CRYPTO_hchacha_20(unsigned char subkey[32], const unsigned char key[32],
280	const unsigned char nonce[16])
281	{
282	uint32_t x[16];
283	int i;
284
285	x[0] = U8TO32_LITTLE(sigma + 0);
286	x[1] = U8TO32_LITTLE(sigma + 4);
287	x[2] = U8TO32_LITTLE(sigma + 8);
288	x[3] = U8TO32_LITTLE(sigma + 12);
289	x[4] = U8TO32_LITTLE(key + 0);
290	x[5] = U8TO32_LITTLE(key + 4);
291	x[6] = U8TO32_LITTLE(key + 8);
292	x[7] = U8TO32_LITTLE(key + 12);
293	x[8] = U8TO32_LITTLE(key + 16);
294	x[9] = U8TO32_LITTLE(key + 20);
295	x[10] = U8TO32_LITTLE(key + 24);
296	x[11] = U8TO32_LITTLE(key + 28);
297	x[12] = U8TO32_LITTLE(nonce + 0);
298	x[13] = U8TO32_LITTLE(nonce + 4);
299	x[14] = U8TO32_LITTLE(nonce + 8);
300	x[15] = U8TO32_LITTLE(nonce + 12);
301
302	for (i = 20; i > 0; i -= 2) {
303	QUARTERROUND(x[0], x[4], x[8], x[12])
304	QUARTERROUND(x[1], x[5], x[9], x[13])
305	QUARTERROUND(x[2], x[6], x[10], x[14])
306	QUARTERROUND(x[3], x[7], x[11], x[15])
307	QUARTERROUND(x[0], x[5], x[10], x[15])
308	QUARTERROUND(x[1], x[6], x[11], x[12])
309	QUARTERROUND(x[2], x[7], x[8], x[13])
310	QUARTERROUND(x[3], x[4], x[9], x[14])
311	}
312
313	U32TO8_LITTLE(subkey + 0, x[0]);
314	U32TO8_LITTLE(subkey + 4, x[1]);
315	U32TO8_LITTLE(subkey + 8, x[2]);
316	U32TO8_LITTLE(subkey + 12, x[3]);
317
318	U32TO8_LITTLE(subkey + 16, x[12]);
319	U32TO8_LITTLE(subkey + 20, x[13]);
320	U32TO8_LITTLE(subkey + 24, x[14]);
321	U32TO8_LITTLE(subkey + 28, x[15]);
322	}
323	LCRYPTO_ALIAS(CRYPTO_hchacha_20);


diff --git a/src/lib/libcrypto/chacha/chacha.c b/src/lib/libcrypto/chacha/chacha.c deleted file mode 100644 index b60e3c4f27..0000000000 --- a/src/lib/libcrypto/chacha/chacha.c +++ /dev/null
@@ -1,112 +0,0 @@
1	/* $OpenBSD: chacha.c,v 1.10 2023/07/05 16:17:20 beck Exp $ */
2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#include <stdint.h>
19
20	#include <openssl/chacha.h>
21
22	#include "chacha-merged.c"
23
24	void
25	ChaCha_set_key(ChaCha_ctx ctx, const unsigned char key, uint32_t keybits)
26	{
27	chacha_keysetup((chacha_ctx *)ctx, key, keybits);
28	ctx->unused = 0;
29	}
30	LCRYPTO_ALIAS(ChaCha_set_key);
31
32	void
33	ChaCha_set_iv(ChaCha_ctx ctx, const unsigned char iv,
34	const unsigned char *counter)
35	{
36	chacha_ivsetup((chacha_ctx *)ctx, iv, counter);
37	ctx->unused = 0;
38	}
39	LCRYPTO_ALIAS(ChaCha_set_iv);
40
41	void
42	ChaCha(ChaCha_ctx ctx, unsigned char out, const unsigned char *in, size_t len)
43	{
44	unsigned char *k;
45	uint64_t n;
46	int i, l;
47
48	/* Consume remaining keystream, if any exists. */
49	if (ctx->unused > 0) {
50	k = ctx->ks + 64 - ctx->unused;
51	l = (len > ctx->unused) ? ctx->unused : len;
52	for (i = 0; i < l; i++)
53	(out++) = (in++) ^ *(k++);
54	ctx->unused -= l;
55	len -= l;
56	}
57
58	while (len > 0) {
59	if ((n = len) > UINT32_MAX)
60	n = UINT32_MAX;
61
62	chacha_encrypt_bytes((chacha_ctx *)ctx, in, out, (uint32_t)n);
63
64	in += n;
65	out += n;
66	len -= n;
67	}
68	}
69	LCRYPTO_ALIAS(ChaCha);
70
71	void
72	CRYPTO_chacha_20(unsigned char out, const unsigned char in, size_t len,
73	const unsigned char key[32], const unsigned char iv[8], uint64_t counter)
74	{
75	struct chacha_ctx ctx;
76	uint64_t n;
77
78	/*
79	* chacha_ivsetup expects the counter to be in u8. Rather than
80	* converting size_t to u8 and then back again, pass a counter of
81	* NULL and manually assign it afterwards.
82	*/
83	chacha_keysetup(&ctx, key, 256);
84	chacha_ivsetup(&ctx, iv, NULL);
85	if (counter != 0) {
86	ctx.input[12] = (uint32_t)counter;
87	ctx.input[13] = (uint32_t)(counter >> 32);
88	}
89
90	while (len > 0) {
91	if ((n = len) > UINT32_MAX)
92	n = UINT32_MAX;
93
94	chacha_encrypt_bytes(&ctx, in, out, (uint32_t)n);
95
96	in += n;
97	out += n;
98	len -= n;
99	}
100	}
101	LCRYPTO_ALIAS(CRYPTO_chacha_20);
102
103	void
104	CRYPTO_xchacha_20(unsigned char out, const unsigned char in, size_t len,
105	const unsigned char key[32], const unsigned char iv[24])
106	{
107	uint8_t subkey[32];
108
109	CRYPTO_hchacha_20(subkey, key, iv);
110	CRYPTO_chacha_20(out, in, len, subkey, iv + 16, 0);
111	}
112	LCRYPTO_ALIAS(CRYPTO_xchacha_20);


diff --git a/src/lib/libcrypto/chacha/chacha.h b/src/lib/libcrypto/chacha/chacha.h deleted file mode 100644 index 7d30c518a4..0000000000 --- a/src/lib/libcrypto/chacha/chacha.h +++ /dev/null
@@ -1,54 +0,0 @@
1	/* $OpenBSD: chacha.h,v 1.9 2025/01/25 17:59:44 tb Exp $ */
2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#ifndef HEADER_CHACHA_H
19	#define HEADER_CHACHA_H
20
21	#include <openssl/opensslconf.h>
22
23	#include <stddef.h>
24	#include <stdint.h>
25
26	#ifdef __cplusplus
27	extern "C" {
28	#endif
29
30	typedef struct {
31	unsigned int input[16];
32	unsigned char ks[64];
33	unsigned char unused;
34	} ChaCha_ctx;
35
36	void ChaCha_set_key(ChaCha_ctx ctx, const unsigned char key,
37	unsigned int keybits);
38	void ChaCha_set_iv(ChaCha_ctx ctx, const unsigned char iv,
39	const unsigned char *counter);
40	void ChaCha(ChaCha_ctx ctx, unsigned char out, const unsigned char *in,
41	size_t len);
42
43	void CRYPTO_chacha_20(unsigned char out, const unsigned char in, size_t len,
44	const unsigned char key[32], const unsigned char iv[8], uint64_t counter);
45	void CRYPTO_xchacha_20(unsigned char out, const unsigned char in, size_t len,
46	const unsigned char key[32], const unsigned char iv[24]);
47	void CRYPTO_hchacha_20(unsigned char out[32],
48	const unsigned char key[32], const unsigned char iv[16]);
49
50	#ifdef __cplusplus
51	}
52	#endif
53
54	#endif /* HEADER_CHACHA_H */