arc4random: simplify design for better safety

Rather than buffering 16 MiB of entropy in userspace (by way of
chacha20), simply call getrandom() every time.

This approach is doubtlessly slower, for now, but trying to prematurely
optimize arc4random appears to be leading toward all sorts of nasty
properties and gotchas. Instead, this patch takes a much more
conservative approach. The interface is added as a basic loop wrapper
around getrandom(), and then later, the kernel and libc together can
work together on optimizing that.

This prevents numerous issues in which userspace is unaware of when it
really must throw away its buffer, since we avoid buffering all
together. Future improvements may include userspace learning more from
the kernel about when to do that, which might make these sorts of
chacha20-based optimizations more possible. The current heuristic of 16
MiB is meaningless garbage that doesn't correspond to anything the
kernel might know about. So for now, let's just do something
conservative that we know is correct and won't lead to cryptographic
issues for users of this function.

This patch might be considered along the lines of, "optimization is the
root of all evil," in that the much more complex implementation it
replaces moves too fast without considering security implications,
whereas the incremental approach done here is a much safer way of going
about things. Once this lands, we can take our time in optimizing this
properly using new interplay between the kernel and userspace.

getrandom(0) is used, since that's the one that ensures the bytes
returned are cryptographically secure. But on systems without it, we
fallback to using /dev/urandom. This is unfortunate because it means
opening a file descriptor, but there's not much of a choice. Secondly,
as part of the fallback, in order to get more or less the same
properties of getrandom(0), we poll on /dev/random, and if the poll
succeeds at least once, then we assume the RNG is initialized. This is a
rough approximation, as the ancient "non-blocking pool" initialized
after the "blocking pool", not before, and it may not port back to all
ancient kernels, though it does to all kernels supported by glibc
(≥3.2), so generally it's the best approximation we can do.

The motivation for including arc4random, in the first place, is to have
source-level compatibility with existing code. That means this patch
doesn't attempt to litigate the interface itself. It does, however,
choose a conservative approach for implementing it.

Cc: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Cristian Rodríguez <crrodriguez@opensuse.org>
Cc: Paul Eggert <eggert@cs.ucla.edu>
Cc: Mark Harris <mark.hsj@gmail.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

5 files changed, 45 insertions, 559 deletions

diff --git a/stdlib/Makefile b/stdlib/Makefile
index a900962685..f7b25c1981 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -246,7 +246,6 @@ tests := \
   # tests
 
 tests-internal := \
-  tst-arc4random-chacha20 \
   tst-strtod1i \
   tst-strtod3 \
   tst-strtod4 \
@@ -256,7 +255,6 @@ tests-internal := \
   # tests-internal
 
 tests-static := \
-  tst-arc4random-chacha20 \
   tst-secure-getenv \
   # tests-static
 
diff --git a/stdlib/arc4random.c b/stdlib/arc4random.c
index 65547e79aa..e417ef624d 100644
--- a/stdlib/arc4random.c
+++ b/stdlib/arc4random.c
@@ -1,4 +1,4 @@
-/* Pseudo Random Number Generator based on ChaCha20.
+/* Pseudo Random Number Generator
    Copyright (C) 2022 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -16,7 +16,6 @@
    License along with the GNU C Library; if not, see
    <https://www.gnu.org/licenses/>.  */
 
-#include <arc4random.h>
 #include <errno.h>
 #include <not-cancel.h>
 #include <stdio.h>
@@ -24,53 +23,6 @@
 #include <sys/mman.h>
 #include <sys/param.h>
 #include <sys/random.h>
-#include <tls-internal.h>
-
-/* arc4random keeps two counters: 'have' is the current valid bytes not yet
-   consumed in 'buf' while 'count' is the maximum number of bytes until a
-   reseed.
-
-   Both the initial seed and reseed try to obtain entropy from the kernel
-   and abort the process if none could be obtained.
-
-   The state 'buf' improves the usage of the cipher calls, allowing to call
-   optimized implementations (if the architecture provides it) and minimize
-   function call overhead.  */
-
-#include <chacha20.c>
-
-/* Called from the fork function to reset the state.  */
-void
-__arc4random_fork_subprocess (void)
-{
-  struct arc4random_state_t *state = __glibc_tls_internal ()->rand_state;
-  if (state != NULL)
-    {
-      explicit_bzero (state, sizeof (*state));
-      /* Force key init.  */
-      state->count = -1;
-    }
-}
-
-/* Return the current thread random state or try to create one if there is
-   none available.  In the case malloc can not allocate a state, arc4random
-   will try to get entropy with arc4random_getentropy.  */
-static struct arc4random_state_t *
-arc4random_get_state (void)
-{
-  struct arc4random_state_t *state = __glibc_tls_internal ()->rand_state;
-  if (state == NULL)
-    {
-      state = malloc (sizeof (struct arc4random_state_t));
-      if (state != NULL)
-	{
-	  /* Force key initialization on first call.  */
-	  state->count = -1;
-	  __glibc_tls_internal ()->rand_state = state;
-	}
-    }
-  return state;
-}
 
 static void
 arc4random_getrandom_failure (void)
@@ -78,106 +30,63 @@ arc4random_getrandom_failure (void)
   __libc_fatal ("Fatal glibc error: cannot get entropy for arc4random\n");
 }
 
-static void
-arc4random_rekey (struct arc4random_state_t *state, uint8_t *rnd, size_t rndlen)
+void
+__arc4random_buf (void *p, size_t n)
 {
-  chacha20_crypt (state->ctx, state->buf, state->buf, sizeof state->buf);
-
-  /* Mix optional user provided data.  */
-  if (rnd != NULL)
-    {
-      size_t m = MIN (rndlen, CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
-      for (size_t i = 0; i < m; i++)
-	state->buf[i] ^= rnd[i];
-    }
-
-  /* Immediately reinit for backtracking resistance.  */
-  chacha20_init (state->ctx, state->buf, state->buf + CHACHA20_KEY_SIZE);
-  explicit_bzero (state->buf, CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
-  state->have = sizeof (state->buf) - (CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
-}
+  static int seen_initialized;
+  size_t l;
+  int fd;
 
-static void
-arc4random_getentropy (void *rnd, size_t len)
-{
-  if (__getrandom_nocancel (rnd, len, GRND_NONBLOCK) == len)
+  if (n == 0)
     return;
 
-  int fd = TEMP_FAILURE_RETRY (__open64_nocancel ("/dev/urandom",
-						  O_RDONLY | O_CLOEXEC));
-  if (fd != -1)
+  for (;;)
     {
-      uint8_t *p = rnd;
-      uint8_t *end = p + len;
-      do
+      l = TEMP_FAILURE_RETRY (__getrandom_nocancel (p, n, 0));
+      if (l > 0)
 	{
-	  ssize_t ret = TEMP_FAILURE_RETRY (__read_nocancel (fd, p, end - p));
-	  if (ret <= 0)
-	    arc4random_getrandom_failure ();
-	  p += ret;
+	  if ((size_t) l == n)
+	    return; /* Done reading, success.  */
+	  p = (uint8_t *) p + l;
+	  n -= l;
+	  continue; /* Interrupted by a signal; keep going.  */
 	}
-      while (p < end);
-
-      if (__close_nocancel (fd) == 0)
-	return;
+      else if (l < 0 && errno == ENOSYS)
+	break; /* No syscall, so fallback to /dev/urandom.  */
+      arc4random_getrandom_failure ();
     }
-  arc4random_getrandom_failure ();
-}
 
-/* Check if the thread context STATE should be reseed with kernel entropy
-   depending of requested LEN bytes.  If there is less than requested,
-   the state is either initialized or reseeded, otherwise the internal
-   counter subtract the requested length.  */
-static void
-arc4random_check_stir (struct arc4random_state_t *state, size_t len)
-{
-  if (state->count <= len || state->count == -1)
+  if (atomic_load_relaxed (&seen_initialized) == 0)
     {
-      uint8_t rnd[CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE];
-      arc4random_getentropy (rnd, sizeof rnd);
-
-      if (state->count == -1)
-	chacha20_init (state->ctx, rnd, rnd + CHACHA20_KEY_SIZE);
-      else
-	arc4random_rekey (state, rnd, sizeof rnd);
-
-      explicit_bzero (rnd, sizeof rnd);
-
-      /* Invalidate the buf.  */
-      state->have = 0;
-      memset (state->buf, 0, sizeof state->buf);
-      state->count = CHACHA20_RESEED_SIZE;
+      /* Poll /dev/random as an approximation of RNG initialization.  */
+      struct pollfd pfd = { .events = POLLIN };
+      pfd.fd = TEMP_FAILURE_RETRY (
+	  __open64_nocancel ("/dev/random", O_RDONLY | O_CLOEXEC | O_NOCTTY));
+      if (pfd.fd < 0)
+	arc4random_getrandom_failure ();
+      if (TEMP_FAILURE_RETRY (__poll_infinity_nocancel (&pfd, 1)) < 0)
+	arc4random_getrandom_failure ();
+      if (__close_nocancel (pfd.fd) < 0)
+	arc4random_getrandom_failure ();
+      atomic_store_relaxed (&seen_initialized, 1);
     }
-  else
-    state->count -= len;
-}
 
-void
-__arc4random_buf (void *buffer, size_t len)
-{
-  struct arc4random_state_t *state = arc4random_get_state ();
-  if (__glibc_unlikely (state == NULL))
-    {
-      arc4random_getentropy (buffer, len);
-      return;
-    }
-
-  arc4random_check_stir (state, len);
-  while (len > 0)
+  fd = TEMP_FAILURE_RETRY (
+      __open64_nocancel ("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY));
+  if (fd < 0)
+    arc4random_getrandom_failure ();
+  for (;;)
     {
-      if (state->have > 0)
-	{
-	  size_t m = MIN (len, state->have);
-	  uint8_t *ks = state->buf + sizeof (state->buf) - state->have;
-	  memcpy (buffer, ks, m);
-	  explicit_bzero (ks, m);
-	  buffer += m;
-	  len -= m;
-	  state->have -= m;
-	}
-      if (state->have == 0)
-	arc4random_rekey (state, NULL, 0);
+      l = TEMP_FAILURE_RETRY (__read_nocancel (fd, p, n));
+      if (l <= 0)
+	arc4random_getrandom_failure ();
+      if ((size_t) l == n)
+	break; /* Done reading, success.  */
+      p = (uint8_t *) p + l;
+      n -= l;
     }
+  if (__close_nocancel (fd) < 0)
+    arc4random_getrandom_failure ();
 }
 libc_hidden_def (__arc4random_buf)
 weak_alias (__arc4random_buf, arc4random_buf)
@@ -186,22 +95,7 @@ uint32_t
 __arc4random (void)
 {
   uint32_t r;
-
-  struct arc4random_state_t *state = arc4random_get_state ();
-  if (__glibc_unlikely (state == NULL))
-    {
-      arc4random_getentropy (&r, sizeof (uint32_t));
-      return r;
-    }
-
-  arc4random_check_stir (state, sizeof (uint32_t));
-  if (state->have < sizeof (uint32_t))
-    arc4random_rekey (state, NULL, 0);
-  uint8_t *ks = state->buf + sizeof (state->buf) - state->have;
-  memcpy (&r, ks, sizeof (uint32_t));
-  memset (ks, 0, sizeof (uint32_t));
-  state->have -= sizeof (uint32_t);
-
+  __arc4random_buf (&r, sizeof (r));
   return r;
 }
 libc_hidden_def (__arc4random)
diff --git a/stdlib/arc4random.h b/stdlib/arc4random.h
deleted file mode 100644
index cd39389c19..0000000000
--- a/stdlib/arc4random.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/* Arc4random definition used on TLS.
-   Copyright (C) 2022 Free Software Foundation, Inc.
-   This file is part of the GNU C Library.
-
-   The GNU C Library is free software; you can redistribute it and/or
-   modify it under the terms of the GNU Lesser General Public
-   License as published by the Free Software Foundation; either
-   version 2.1 of the License, or (at your option) any later version.
-
-   The GNU C Library is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   Lesser General Public License for more details.
-
-   You should have received a copy of the GNU Lesser General Public
-   License along with the GNU C Library; if not, see
-   <https://www.gnu.org/licenses/>.  */
-
-#ifndef _CHACHA20_H
-#define _CHACHA20_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-/* Internal ChaCha20 state.  */
-#define CHACHA20_STATE_LEN	16
-#define CHACHA20_BLOCK_SIZE	64
-
-/* Maximum number bytes until reseed (16 MB).  */
-#define CHACHA20_RESEED_SIZE	(16 * 1024 * 1024)
-
-/* Internal arc4random buffer, used on each feedback step so offer some
-   backtracking protection and to allow better used of vectorized
-   chacha20 implementations.  */
-#define CHACHA20_BUFSIZE        (8 * CHACHA20_BLOCK_SIZE)
-
-_Static_assert (CHACHA20_BUFSIZE >= CHACHA20_BLOCK_SIZE + CHACHA20_BLOCK_SIZE,
-		"CHACHA20_BUFSIZE < CHACHA20_BLOCK_SIZE + CHACHA20_BLOCK_SIZE");
-
-struct arc4random_state_t
-{
-  uint32_t ctx[CHACHA20_STATE_LEN];
-  size_t have;
-  size_t count;
-  uint8_t buf[CHACHA20_BUFSIZE];
-};
-
-#endif
diff --git a/stdlib/chacha20.c b/stdlib/chacha20.c
deleted file mode 100644
index 2745a81315..0000000000
--- a/stdlib/chacha20.c
+++ /dev/null
@@ -1,191 +0,0 @@
-/* Generic ChaCha20 implementation (used on arc4random).
-   Copyright (C) 2022 Free Software Foundation, Inc.
-   This file is part of the GNU C Library.
-
-   The GNU C Library is free software; you can redistribute it and/or
-   modify it under the terms of the GNU Lesser General Public
-   License as published by the Free Software Foundation; either
-   version 2.1 of the License, or (at your option) any later version.
-
-   The GNU C Library is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   Lesser General Public License for more details.
-
-   You should have received a copy of the GNU Lesser General Public
-   License along with the GNU C Library; if not, see
-   <https://www.gnu.org/licenses/>.  */
-
-#include <array_length.h>
-#include <endian.h>
-#include <stddef.h>
-#include <stdint.h>
-#include <string.h>
-
-/* 32-bit stream position, then 96-bit nonce.  */
-#define CHACHA20_IV_SIZE	16
-#define CHACHA20_KEY_SIZE	32
-
-#define CHACHA20_STATE_LEN	16
-
-/* The ChaCha20 implementation is based on RFC8439 [1], omitting the final
-   XOR of the keystream with the plaintext because the plaintext is a
-   stream of zeros.  */
-
-enum chacha20_constants
-{
-  CHACHA20_CONSTANT_EXPA = 0x61707865U,
-  CHACHA20_CONSTANT_ND_3 = 0x3320646eU,
-  CHACHA20_CONSTANT_2_BY = 0x79622d32U,
-  CHACHA20_CONSTANT_TE_K = 0x6b206574U
-};
-
-static inline uint32_t
-read_unaligned_32 (const uint8_t *p)
-{
-  uint32_t r;
-  memcpy (&r, p, sizeof (r));
-  return r;
-}
-
-static inline void
-write_unaligned_32 (uint8_t *p, uint32_t v)
-{
-  memcpy (p, &v, sizeof (v));
-}
-
-#if __BYTE_ORDER == __BIG_ENDIAN
-# define read_unaligned_le32(p) __builtin_bswap32 (read_unaligned_32 (p))
-# define set_state(v)		__builtin_bswap32 ((v))
-#else
-# define read_unaligned_le32(p) read_unaligned_32 ((p))
-# define set_state(v)		(v)
-#endif
-
-static inline void
-chacha20_init (uint32_t *state, const uint8_t *key, const uint8_t *iv)
-{
-  state[0]  = CHACHA20_CONSTANT_EXPA;
-  state[1]  = CHACHA20_CONSTANT_ND_3;
-  state[2]  = CHACHA20_CONSTANT_2_BY;
-  state[3]  = CHACHA20_CONSTANT_TE_K;
-
-  state[4]  = read_unaligned_le32 (key + 0 * sizeof (uint32_t));
-  state[5]  = read_unaligned_le32 (key + 1 * sizeof (uint32_t));
-  state[6]  = read_unaligned_le32 (key + 2 * sizeof (uint32_t));
-  state[7]  = read_unaligned_le32 (key + 3 * sizeof (uint32_t));
-  state[8]  = read_unaligned_le32 (key + 4 * sizeof (uint32_t));
-  state[9]  = read_unaligned_le32 (key + 5 * sizeof (uint32_t));
-  state[10] = read_unaligned_le32 (key + 6 * sizeof (uint32_t));
-  state[11] = read_unaligned_le32 (key + 7 * sizeof (uint32_t));
-
-  state[12] = read_unaligned_le32 (iv + 0 * sizeof (uint32_t));
-  state[13] = read_unaligned_le32 (iv + 1 * sizeof (uint32_t));
-  state[14] = read_unaligned_le32 (iv + 2 * sizeof (uint32_t));
-  state[15] = read_unaligned_le32 (iv + 3 * sizeof (uint32_t));
-}
-
-static inline uint32_t
-rotl32 (unsigned int shift, uint32_t word)
-{
-  return (word << (shift & 31)) | (word >> ((-shift) & 31));
-}
-
-static void
-state_final (const uint8_t *src, uint8_t *dst, uint32_t v)
-{
-#ifdef CHACHA20_XOR_FINAL
-  v ^= read_unaligned_32 (src);
-#endif
-  write_unaligned_32 (dst, v);
-}
-
-static inline void
-chacha20_block (uint32_t *state, uint8_t *dst, const uint8_t *src)
-{
-  uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
-  uint32_t x8, x9, x10, x11, x12, x13, x14, x15;
-
-  x0 = state[0];
-  x1 = state[1];
-  x2 = state[2];
-  x3 = state[3];
-  x4 = state[4];
-  x5 = state[5];
-  x6 = state[6];
-  x7 = state[7];
-  x8 = state[8];
-  x9 = state[9];
-  x10 = state[10];
-  x11 = state[11];
-  x12 = state[12];
-  x13 = state[13];
-  x14 = state[14];
-  x15 = state[15];
-
-  for (int i = 0; i < 20; i += 2)
-    {
-#define QROUND(_x0, _x1, _x2, _x3) 			\
-  do {							\
-   _x0 = _x0 + _x1; _x3 = rotl32 (16, (_x0 ^ _x3)); 	\
-   _x2 = _x2 + _x3; _x1 = rotl32 (12, (_x1 ^ _x2)); 	\
-   _x0 = _x0 + _x1; _x3 = rotl32 (8,  (_x0 ^ _x3));	\
-   _x2 = _x2 + _x3; _x1 = rotl32 (7,  (_x1 ^ _x2));	\
-  } while(0)
-
-      QROUND (x0, x4, x8,  x12);
-      QROUND (x1, x5, x9,  x13);
-      QROUND (x2, x6, x10, x14);
-      QROUND (x3, x7, x11, x15);
-
-      QROUND (x0, x5, x10, x15);
-      QROUND (x1, x6, x11, x12);
-      QROUND (x2, x7, x8,  x13);
-      QROUND (x3, x4, x9,  x14);
-    }
-
-  state_final (&src[0], &dst[0], set_state (x0 + state[0]));
-  state_final (&src[4], &dst[4], set_state (x1 + state[1]));
-  state_final (&src[8], &dst[8], set_state (x2 + state[2]));
-  state_final (&src[12], &dst[12], set_state (x3 + state[3]));
-  state_final (&src[16], &dst[16], set_state (x4 + state[4]));
-  state_final (&src[20], &dst[20], set_state (x5 + state[5]));
-  state_final (&src[24], &dst[24], set_state (x6 + state[6]));
-  state_final (&src[28], &dst[28], set_state (x7 + state[7]));
-  state_final (&src[32], &dst[32], set_state (x8 + state[8]));
-  state_final (&src[36], &dst[36], set_state (x9 + state[9]));
-  state_final (&src[40], &dst[40], set_state (x10 + state[10]));
-  state_final (&src[44], &dst[44], set_state (x11 + state[11]));
-  state_final (&src[48], &dst[48], set_state (x12 + state[12]));
-  state_final (&src[52], &dst[52], set_state (x13 + state[13]));
-  state_final (&src[56], &dst[56], set_state (x14 + state[14]));
-  state_final (&src[60], &dst[60], set_state (x15 + state[15]));
-
-  state[12]++;
-}
-
-static void
-__attribute_maybe_unused__
-chacha20_crypt_generic (uint32_t *state, uint8_t *dst, const uint8_t *src,
-			size_t bytes)
-{
-  while (bytes >= CHACHA20_BLOCK_SIZE)
-    {
-      chacha20_block (state, dst, src);
-
-      bytes -= CHACHA20_BLOCK_SIZE;
-      dst += CHACHA20_BLOCK_SIZE;
-      src += CHACHA20_BLOCK_SIZE;
-    }
-
-  if (__glibc_unlikely (bytes != 0))
-    {
-      uint8_t stream[CHACHA20_BLOCK_SIZE];
-      chacha20_block (state, stream, src);
-      memcpy (dst, stream, bytes);
-      explicit_bzero (stream, sizeof stream);
-    }
-}
-
-/* Get the architecture optimized version.  */
-#include <chacha20_arch.h>
diff --git a/stdlib/tst-arc4random-chacha20.c b/stdlib/tst-arc4random-chacha20.c
deleted file mode 100644
index 45ba54920d..0000000000
--- a/stdlib/tst-arc4random-chacha20.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* Basic tests for chacha20 cypher used in arc4random.
-   Copyright (C) 2022 Free Software Foundation, Inc.
-   This file is part of the GNU C Library.
-
-   The GNU C Library is free software; you can redistribute it and/or
-   modify it under the terms of the GNU Lesser General Public
-   License as published by the Free Software Foundation; either
-   version 2.1 of the License, or (at your option) any later version.
-
-   The GNU C Library is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   Lesser General Public License for more details.
-
-   You should have received a copy of the GNU Lesser General Public
-   License along with the GNU C Library; if not, see
-   <https://www.gnu.org/licenses/>.  */
-
-#include <arc4random.h>
-#include <support/check.h>
-#include <sys/cdefs.h>
-
-/* The test does not define CHACHA20_XOR_FINAL to mimic what arc4random
-   actual does.  */
-#include <chacha20.c>
-
-static int
-do_test (void)
-{
-  const uint8_t key[CHACHA20_KEY_SIZE] =
-    {
-      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
-      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
-      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
-      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
-    };
-  const uint8_t iv[CHACHA20_IV_SIZE] =
-    {
-      0x0, 0x0, 0x0, 0x0,
-      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
-    };
-  const uint8_t expected1[CHACHA20_BUFSIZE] =
-    {
-      0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90, 0x40, 0x5d, 0x6a,
-      0xe5, 0x53, 0x86, 0xbd, 0x28, 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d,
-      0xed, 0x1a, 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7, 0xda,
-      0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d, 0x77, 0x24, 0xe0, 0x3f,
-      0xb8, 0xd8, 0x4a, 0x37, 0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1,
-      0x1c, 0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86, 0x9f, 0x07,
-      0xe7, 0xbe, 0x55, 0x51, 0x38, 0x7a, 0x98, 0xba, 0x97, 0x7c, 0x73,
-      0x2d, 0x08, 0x0d, 0xcb, 0x0f, 0x29, 0xa0, 0x48, 0xe3, 0x65, 0x69,
-      0x12, 0xc6, 0x53, 0x3e, 0x32, 0xee, 0x7a, 0xed, 0x29, 0xb7, 0x21,
-      0x76, 0x9c, 0xe6, 0x4e, 0x43, 0xd5, 0x71, 0x33, 0xb0, 0x74, 0xd8,
-      0x39, 0xd5, 0x31, 0xed, 0x1f, 0x28, 0x51, 0x0a, 0xfb, 0x45, 0xac,
-      0xe1, 0x0a, 0x1f, 0x4b, 0x79, 0x4d, 0x6f, 0x2d, 0x09, 0xa0, 0xe6,
-      0x63, 0x26, 0x6c, 0xe1, 0xae, 0x7e, 0xd1, 0x08, 0x19, 0x68, 0xa0,
-      0x75, 0x8e, 0x71, 0x8e, 0x99, 0x7b, 0xd3, 0x62, 0xc6, 0xb0, 0xc3,
-      0x46, 0x34, 0xa9, 0xa0, 0xb3, 0x5d, 0x01, 0x27, 0x37, 0x68, 0x1f,
-      0x7b, 0x5d, 0x0f, 0x28, 0x1e, 0x3a, 0xfd, 0xe4, 0x58, 0xbc, 0x1e,
-      0x73, 0xd2, 0xd3, 0x13, 0xc9, 0xcf, 0x94, 0xc0, 0x5f, 0xf3, 0x71,
-      0x62, 0x40, 0xa2, 0x48, 0xf2, 0x13, 0x20, 0xa0, 0x58, 0xd7, 0xb3,
-      0x56, 0x6b, 0xd5, 0x20, 0xda, 0xaa, 0x3e, 0xd2, 0xbf, 0x0a, 0xc5,
-      0xb8, 0xb1, 0x20, 0xfb, 0x85, 0x27, 0x73, 0xc3, 0x63, 0x97, 0x34,
-      0xb4, 0x5c, 0x91, 0xa4, 0x2d, 0xd4, 0xcb, 0x83, 0xf8, 0x84, 0x0d,
-      0x2e, 0xed, 0xb1, 0x58, 0x13, 0x10, 0x62, 0xac, 0x3f, 0x1f, 0x2c,
-      0xf8, 0xff, 0x6d, 0xcd, 0x18, 0x56, 0xe8, 0x6a, 0x1e, 0x6c, 0x31,
-      0x67, 0x16, 0x7e, 0xe5, 0xa6, 0x88, 0x74, 0x2b, 0x47, 0xc5, 0xad,
-      0xfb, 0x59, 0xd4, 0xdf, 0x76, 0xfd, 0x1d, 0xb1, 0xe5, 0x1e, 0xe0,
-      0x3b, 0x1c, 0xa9, 0xf8, 0x2a, 0xca, 0x17, 0x3e, 0xdb, 0x8b, 0x72,
-      0x93, 0x47, 0x4e, 0xbe, 0x98, 0x0f, 0x90, 0x4d, 0x10, 0xc9, 0x16,
-      0x44, 0x2b, 0x47, 0x83, 0xa0, 0xe9, 0x84, 0x86, 0x0c, 0xb6, 0xc9,
-      0x57, 0xb3, 0x9c, 0x38, 0xed, 0x8f, 0x51, 0xcf, 0xfa, 0xa6, 0x8a,
-      0x4d, 0xe0, 0x10, 0x25, 0xa3, 0x9c, 0x50, 0x45, 0x46, 0xb9, 0xdc,
-      0x14, 0x06, 0xa7, 0xeb, 0x28, 0x15, 0x1e, 0x51, 0x50, 0xd7, 0xb2,
-      0x04, 0xba, 0xa7, 0x19, 0xd4, 0xf0, 0x91, 0x02, 0x12, 0x17, 0xdb,
-      0x5c, 0xf1, 0xb5, 0xc8, 0x4c, 0x4f, 0xa7, 0x1a, 0x87, 0x96, 0x10,
-      0xa1, 0xa6, 0x95, 0xac, 0x52, 0x7c, 0x5b, 0x56, 0x77, 0x4a, 0x6b,
-      0x8a, 0x21, 0xaa, 0xe8, 0x86, 0x85, 0x86, 0x8e, 0x09, 0x4c, 0xf2,
-      0x9e, 0xf4, 0x09, 0x0a, 0xf7, 0xa9, 0x0c, 0xc0, 0x7e, 0x88, 0x17,
-      0xaa, 0x52, 0x87, 0x63, 0x79, 0x7d, 0x3c, 0x33, 0x2b, 0x67, 0xca,
-      0x4b, 0xc1, 0x10, 0x64, 0x2c, 0x21, 0x51, 0xec, 0x47, 0xee, 0x84,
-      0xcb, 0x8c, 0x42, 0xd8, 0x5f, 0x10, 0xe2, 0xa8, 0xcb, 0x18, 0xc3,
-      0xb7, 0x33, 0x5f, 0x26, 0xe8, 0xc3, 0x9a, 0x12, 0xb1, 0xbc, 0xc1,
-      0x70, 0x71, 0x77, 0xb7, 0x61, 0x38, 0x73, 0x2e, 0xed, 0xaa, 0xb7,
-      0x4d, 0xa1, 0x41, 0x0f, 0xc0, 0x55, 0xea, 0x06, 0x8c, 0x99, 0xe9,
-      0x26, 0x0a, 0xcb, 0xe3, 0x37, 0xcf, 0x5d, 0x3e, 0x00, 0xe5, 0xb3,
-      0x23, 0x0f, 0xfe, 0xdb, 0x0b, 0x99, 0x07, 0x87, 0xd0, 0xc7, 0x0e,
-      0x0b, 0xfe, 0x41, 0x98, 0xea, 0x67, 0x58, 0xdd, 0x5a, 0x61, 0xfb,
-      0x5f, 0xec, 0x2d, 0xf9, 0x81, 0xf3, 0x1b, 0xef, 0xe1, 0x53, 0xf8,
-      0x1d, 0x17, 0x16, 0x17, 0x84, 0xdb
-    };
-
-  const uint8_t expected2[CHACHA20_BUFSIZE] =
-    {
-      0x1c, 0x88, 0x22, 0xd5, 0x3c, 0xd1, 0xee, 0x7d, 0xb5, 0x32, 0x36,
-      0x48, 0x28, 0xbd, 0xf4, 0x04, 0xb0, 0x40, 0xa8, 0xdc, 0xc5, 0x22,
-      0xf3, 0xd3, 0xd9, 0x9a, 0xec, 0x4b, 0x80, 0x57, 0xed, 0xb8, 0x50,
-      0x09, 0x31, 0xa2, 0xc4, 0x2d, 0x2f, 0x0c, 0x57, 0x08, 0x47, 0x10,
-      0x0b, 0x57, 0x54, 0xda, 0xfc, 0x5f, 0xbd, 0xb8, 0x94, 0xbb, 0xef,
-      0x1a, 0x2d, 0xe1, 0xa0, 0x7f, 0x8b, 0xa0, 0xc4, 0xb9, 0x19, 0x30,
-      0x10, 0x66, 0xed, 0xbc, 0x05, 0x6b, 0x7b, 0x48, 0x1e, 0x7a, 0x0c,
-      0x46, 0x29, 0x7b, 0xbb, 0x58, 0x9d, 0x9d, 0xa5, 0xb6, 0x75, 0xa6,
-      0x72, 0x3e, 0x15, 0x2e, 0x5e, 0x63, 0xa4, 0xce, 0x03, 0x4e, 0x9e,
-      0x83, 0xe5, 0x8a, 0x01, 0x3a, 0xf0, 0xe7, 0x35, 0x2f, 0xb7, 0x90,
-      0x85, 0x14, 0xe3, 0xb3, 0xd1, 0x04, 0x0d, 0x0b, 0xb9, 0x63, 0xb3,
-      0x95, 0x4b, 0x63, 0x6b, 0x5f, 0xd4, 0xbf, 0x6d, 0x0a, 0xad, 0xba,
-      0xf8, 0x15, 0x7d, 0x06, 0x2a, 0xcb, 0x24, 0x18, 0xc1, 0x76, 0xa4,
-      0x75, 0x51, 0x1b, 0x35, 0xc3, 0xf6, 0x21, 0x8a, 0x56, 0x68, 0xea,
-      0x5b, 0xc6, 0xf5, 0x4b, 0x87, 0x82, 0xf8, 0xb3, 0x40, 0xf0, 0x0a,
-      0xc1, 0xbe, 0xba, 0x5e, 0x62, 0xcd, 0x63, 0x2a, 0x7c, 0xe7, 0x80,
-      0x9c, 0x72, 0x56, 0x08, 0xac, 0xa5, 0xef, 0xbf, 0x7c, 0x41, 0xf2,
-      0x37, 0x64, 0x3f, 0x06, 0xc0, 0x99, 0x72, 0x07, 0x17, 0x1d, 0xe8,
-      0x67, 0xf9, 0xd6, 0x97, 0xbf, 0x5e, 0xa6, 0x01, 0x1a, 0xbc, 0xce,
-      0x6c, 0x8c, 0xdb, 0x21, 0x13, 0x94, 0xd2, 0xc0, 0x2d, 0xd0, 0xfb,
-      0x60, 0xdb, 0x5a, 0x2c, 0x17, 0xac, 0x3d, 0xc8, 0x58, 0x78, 0xa9,
-      0x0b, 0xed, 0x38, 0x09, 0xdb, 0xb9, 0x6e, 0xaa, 0x54, 0x26, 0xfc,
-      0x8e, 0xae, 0x0d, 0x2d, 0x65, 0xc4, 0x2a, 0x47, 0x9f, 0x08, 0x86,
-      0x48, 0xbe, 0x2d, 0xc8, 0x01, 0xd8, 0x2a, 0x36, 0x6f, 0xdd, 0xc0,
-      0xef, 0x23, 0x42, 0x63, 0xc0, 0xb6, 0x41, 0x7d, 0x5f, 0x9d, 0xa4,
-      0x18, 0x17, 0xb8, 0x8d, 0x68, 0xe5, 0xe6, 0x71, 0x95, 0xc5, 0xc1,
-      0xee, 0x30, 0x95, 0xe8, 0x21, 0xf2, 0x25, 0x24, 0xb2, 0x0b, 0xe4,
-      0x1c, 0xeb, 0x59, 0x04, 0x12, 0xe4, 0x1d, 0xc6, 0x48, 0x84, 0x3f,
-      0xa9, 0xbf, 0xec, 0x7a, 0x3d, 0xcf, 0x61, 0xab, 0x05, 0x41, 0x57,
-      0x33, 0x16, 0xd3, 0xfa, 0x81, 0x51, 0x62, 0x93, 0x03, 0xfe, 0x97,
-      0x41, 0x56, 0x2e, 0xd0, 0x65, 0xdb, 0x4e, 0xbc, 0x00, 0x50, 0xef,
-      0x55, 0x83, 0x64, 0xae, 0x81, 0x12, 0x4a, 0x28, 0xf5, 0xc0, 0x13,
-      0x13, 0x23, 0x2f, 0xbc, 0x49, 0x6d, 0xfd, 0x8a, 0x25, 0x68, 0x65,
-      0x7b, 0x68, 0x6d, 0x72, 0x14, 0x38, 0x2a, 0x1a, 0x00, 0x90, 0x30,
-      0x17, 0xdd, 0xa9, 0x69, 0x87, 0x84, 0x42, 0xba, 0x5a, 0xff, 0xf6,
-      0x61, 0x3f, 0x55, 0x3c, 0xbb, 0x23, 0x3c, 0xe4, 0x6d, 0x9a, 0xee,
-      0x93, 0xa7, 0x87, 0x6c, 0xf5, 0xe9, 0xe8, 0x29, 0x12, 0xb1, 0x8c,
-      0xad, 0xf0, 0xb3, 0x43, 0x27, 0xb2, 0xe0, 0x42, 0x7e, 0xcf, 0x66,
-      0xb7, 0xce, 0xb7, 0xc0, 0x91, 0x8d, 0xc4, 0x7b, 0xdf, 0xf1, 0x2a,
-      0x06, 0x2a, 0xdf, 0x07, 0x13, 0x30, 0x09, 0xce, 0x7a, 0x5e, 0x5c,
-      0x91, 0x7e, 0x01, 0x68, 0x30, 0x61, 0x09, 0xb7, 0xcb, 0x49, 0x65,
-      0x3a, 0x6d, 0x2c, 0xae, 0xf0, 0x05, 0xde, 0x78, 0x3a, 0x9a, 0x9b,
-      0xfe, 0x05, 0x38, 0x1e, 0xd1, 0x34, 0x8d, 0x94, 0xec, 0x65, 0x88,
-      0x6f, 0x9c, 0x0b, 0x61, 0x9c, 0x52, 0xc5, 0x53, 0x38, 0x00, 0xb1,
-      0x6c, 0x83, 0x61, 0x72, 0xb9, 0x51, 0x82, 0xdb, 0xc5, 0xee, 0xc0,
-      0x42, 0xb8, 0x9e, 0x22, 0xf1, 0x1a, 0x08, 0x5b, 0x73, 0x9a, 0x36,
-      0x11, 0xcd, 0x8d, 0x83, 0x60, 0x18
-    };
-
-  /* Check with the expected internal arc4random keystream buffer.  Some
-     architecture optimizations expects a buffer with a minimum size which
-     is a multiple of then ChaCha20 blocksize, so they might not be prepared
-     to handle smaller buffers.  */
-
-  uint8_t output[CHACHA20_BUFSIZE];
-
-  uint32_t state[CHACHA20_STATE_LEN];
-  chacha20_init (state, key, iv);
-
-  /* Check with the initial state.  */
-  uint8_t input[CHACHA20_BUFSIZE] = { 0 };
-
-  chacha20_crypt (state, output, input, CHACHA20_BUFSIZE);
-  TEST_COMPARE_BLOB (output, sizeof output, expected1, CHACHA20_BUFSIZE);
-
-  /* And on the next round.  */
-  chacha20_crypt (state, output, input, CHACHA20_BUFSIZE);
-  TEST_COMPARE_BLOB (output, sizeof output, expected2, CHACHA20_BUFSIZE);
-
-  return 0;
-}
-
-#include <support/test-driver.c>