Re: [PATCH v6] arc4random: simplify design for better safety

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 26/07/22 16:58, Jason A. Donenfeld wrote:
> Rather than buffering 16 MiB of entropy in userspace (by way of
> chacha20), simply call getrandom() every time.
> 
> This approach is doubtlessly slower, for now, but trying to prematurely
> optimize arc4random appears to be leading toward all sorts of nasty
> properties and gotchas. Instead, this patch takes a much more
> conservative approach. The interface is added as a basic loop wrapper
> around getrandom(), and then later, the kernel and libc together can
> work together on optimizing that.
> 
> This prevents numerous issues in which userspace is unaware of when it
> really must throw away its buffer, since we avoid buffering all
> together. Future improvements may include userspace learning more from
> the kernel about when to do that, which might make these sorts of
> chacha20-based optimizations more possible. The current heuristic of 16
> MiB is meaningless garbage that doesn't correspond to anything the
> kernel might know about. So for now, let's just do something
> conservative that we know is correct and won't lead to cryptographic
> issues for users of this function.
> 
> This patch might be considered along the lines of, "optimization is the
> root of all evil," in that the much more complex implementation it
> replaces moves too fast without considering security implications,
> whereas the incremental approach done here is a much safer way of going
> about things. Once this lands, we can take our time in optimizing this
> properly using new interplay between the kernel and userspace.
> 
> getrandom(0) is used, since that's the one that ensures the bytes
> returned are cryptographically secure. But on systems without it, we
> fallback to using /dev/urandom. This is unfortunate because it means
> opening a file descriptor, but there's not much of a choice. Secondly,
> as part of the fallback, in order to get more or less the same
> properties of getrandom(0), we poll on /dev/random, and if the poll
> succeeds at least once, then we assume the RNG is initialized. This is a
> rough approximation, as the ancient "non-blocking pool" initialized
> after the "blocking pool", not before, and it may not port back to all
> ancient kernels, though it does to all kernels supported by glibc
> (≥3.2), so generally it's the best approximation we can do.
> 
> The motivation for including arc4random, in the first place, is to have
> source-level compatibility with existing code. That means this patch
> doesn't attempt to litigate the interface itself. It does, however,
> choose a conservative approach for implementing it.

LGTM, I agree this is safe solution for 2.36, we can optimize it later
if is were the case.

I will run some tests and push it upstream.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@xxxxxxxxxx>

> 
> Cc: Adhemerval Zanella Netto <adhemerval.zanella@xxxxxxxxxx>
> Cc: Florian Weimer <fweimer@xxxxxxxxxx>
> Cc: Cristian Rodríguez <crrodriguez@xxxxxxxxxxxx>
> Cc: Paul Eggert <eggert@xxxxxxxxxxx>
> Cc: Mark Harris <mark.hsj@xxxxxxxxx>
> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
> Cc: linux-crypto@xxxxxxxxxxxxxxx
> Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx>
> ---
>  LICENSES                                      |  23 -
>  NEWS                                          |   4 +-
>  include/stdlib.h                              |   3 -
>  manual/math.texi                              |  13 +-
>  stdlib/Makefile                               |   2 -
>  stdlib/arc4random.c                           | 196 ++----
>  stdlib/arc4random.h                           |  48 --
>  stdlib/chacha20.c                             | 191 ------
>  stdlib/tst-arc4random-chacha20.c              | 167 -----
>  sysdeps/aarch64/Makefile                      |   4 -
>  sysdeps/aarch64/chacha20-aarch64.S            | 314 ----------
>  sysdeps/aarch64/chacha20_arch.h               |  40 --
>  sysdeps/generic/chacha20_arch.h               |  24 -
>  sysdeps/generic/not-cancel.h                  |   3 +
>  sysdeps/generic/tls-internal-struct.h         |   1 -
>  sysdeps/generic/tls-internal.c                |  10 -
>  sysdeps/mach/hurd/_Fork.c                     |   2 -
>  sysdeps/mach/hurd/not-cancel.h                |   4 +
>  sysdeps/nptl/_Fork.c                          |   2 -
>  .../powerpc/powerpc64/be/multiarch/Makefile   |   4 -
>  .../powerpc64/be/multiarch/chacha20-ppc.c     |   1 -
>  .../powerpc64/be/multiarch/chacha20_arch.h    |  42 --
>  sysdeps/powerpc/powerpc64/power8/Makefile     |   5 -
>  .../powerpc/powerpc64/power8/chacha20-ppc.c   | 256 --------
>  .../powerpc/powerpc64/power8/chacha20_arch.h  |  37 --
>  sysdeps/s390/s390-64/Makefile                 |   6 -
>  sysdeps/s390/s390-64/chacha20-s390x.S         | 573 ------------------
>  sysdeps/s390/s390-64/chacha20_arch.h          |  45 --
>  sysdeps/unix/sysv/linux/not-cancel.h          |   8 +-
>  sysdeps/unix/sysv/linux/tls-internal.c        |  10 -
>  sysdeps/unix/sysv/linux/tls-internal.h        |   1 -
>  sysdeps/x86_64/Makefile                       |   7 -
>  sysdeps/x86_64/chacha20-amd64-avx2.S          | 328 ----------
>  sysdeps/x86_64/chacha20-amd64-sse2.S          | 311 ----------
>  sysdeps/x86_64/chacha20_arch.h                |  55 --
>  35 files changed, 64 insertions(+), 2676 deletions(-)
>  delete mode 100644 stdlib/arc4random.h
>  delete mode 100644 stdlib/chacha20.c
>  delete mode 100644 stdlib/tst-arc4random-chacha20.c
>  delete mode 100644 sysdeps/aarch64/chacha20-aarch64.S
>  delete mode 100644 sysdeps/aarch64/chacha20_arch.h
>  delete mode 100644 sysdeps/generic/chacha20_arch.h
>  delete mode 100644 sysdeps/powerpc/powerpc64/be/multiarch/Makefile
>  delete mode 100644 sysdeps/powerpc/powerpc64/be/multiarch/chacha20-ppc.c
>  delete mode 100644 sysdeps/powerpc/powerpc64/be/multiarch/chacha20_arch.h
>  delete mode 100644 sysdeps/powerpc/powerpc64/power8/chacha20-ppc.c
>  delete mode 100644 sysdeps/powerpc/powerpc64/power8/chacha20_arch.h
>  delete mode 100644 sysdeps/s390/s390-64/chacha20-s390x.S
>  delete mode 100644 sysdeps/s390/s390-64/chacha20_arch.h
>  delete mode 100644 sysdeps/x86_64/chacha20-amd64-avx2.S
>  delete mode 100644 sysdeps/x86_64/chacha20-amd64-sse2.S
>  delete mode 100644 sysdeps/x86_64/chacha20_arch.h
> 
> diff --git a/LICENSES b/LICENSES
> index cd04fb6e84..530893b1dc 100644
> --- a/LICENSES
> +++ b/LICENSES
> @@ -389,26 +389,3 @@ Copyright 2001 by Stephen L. Moshier <moshier@xxxxxxxxxxxxxxx>
>   You should have received a copy of the GNU Lesser General Public
>   License along with this library; if not, see
>   <https://www.gnu.org/licenses/>.  */
> -
> -sysdeps/aarch64/chacha20-aarch64.S, sysdeps/x86_64/chacha20-amd64-sse2.S,
> -sysdeps/x86_64/chacha20-amd64-avx2.S, and
> -sysdeps/powerpc/powerpc64/power8/chacha20-ppc.c, and
> -sysdeps/s390/s390-64/chacha20-s390x.S imports code from libgcrypt,
> -with the following notices:
> -
> -Copyright (C) 2017-2019 Jussi Kivilinna <jussi.kivilinna@xxxxxx>
> -
> -This file is part of Libgcrypt.
> -
> -Libgcrypt is free software; you can redistribute it and/or modify
> -it under the terms of the GNU Lesser General Public License as
> -published by the Free Software Foundation; either version 2.1 of
> -the License, or (at your option) any later version.
> -
> -Libgcrypt is distributed in the hope that it will be useful,
> -but WITHOUT ANY WARRANTY; without even the implied warranty of
> -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -GNU Lesser General Public License for more details.
> -
> -You should have received a copy of the GNU Lesser General Public
> -License along with this program; if not, see <https://www.gnu.org/licenses/>.

Ok.

> diff --git a/NEWS b/NEWS
> index 8420a65cd0..fe531bfe1e 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -61,8 +61,8 @@ Major new features:
>    is not defined (if __cpp_char8_t is defined, then char8_t is a builtin type).
>  
>  * The functions arc4random, arc4random_buf, and arc4random_uniform have been
> -  added.  The functions use a pseudo-random number generator along with
> -  entropy from the kernel.
> +  added.  The functions wrap getrandom and/or /dev/urandom to return high-
> +  quality randomness from the kernel.
>  
>  Deprecated and removed features, and other changes affecting compatibility:
>  
> diff --git a/include/stdlib.h b/include/stdlib.h
> index cae7f7cdf8..db51f4a4f6 100644
> --- a/include/stdlib.h
> +++ b/include/stdlib.h
> @@ -152,9 +152,6 @@ __typeof (arc4random_uniform) __arc4random_uniform;
>  libc_hidden_proto (__arc4random_uniform);
>  extern void __arc4random_buf_internal (void *buffer, size_t len)
>       attribute_hidden;
> -/* Called from the fork function to reinitialize the internal cipher state
> -   in child process.  */
> -extern void __arc4random_fork_subprocess (void) attribute_hidden;
>  
>  extern double __strtod_internal (const char *__restrict __nptr,
>  				 char **__restrict __endptr, int __group)

Ok.

> diff --git a/manual/math.texi b/manual/math.texi
> index 141695cc30..6d69bbff66 100644
> --- a/manual/math.texi
> +++ b/manual/math.texi
> @@ -1993,17 +1993,10 @@ This section describes the random number functions provided as a GNU
>  extension, based on OpenBSD interfaces.
>  
>  @Theglibc{} uses kernel entropy obtained either through @code{getrandom}
> -or by reading @file{/dev/urandom} to seed and periodically re-seed the
> -internal state.  A per-thread data pool is used, which allows fast output
> -generation.
> +or by reading @file{/dev/urandom} to seed.
>  
> -Although these functions provide higher random quality than ISO, BSD, and
> -SVID functions, these still use a Pseudo-Random generator and should not
> -be used in cryptographic contexts.
> -
> -The internal state is cleared and reseeded with kernel entropy on @code{fork}
> -and @code{_Fork}.  It is not cleared on either a direct @code{clone} syscall
> -or when using @theglibc{} @code{syscall} function.
> +These functions provide higher random quality than ISO, BSD, and SVID
> +functions, and may be used in cryptographic contexts.
>  
>  The prototypes for these functions are in @file{stdlib.h}.
>  @pindex stdlib.h
> diff --git a/stdlib/Makefile b/stdlib/Makefile
> index a900962685..f7b25c1981 100644
> --- a/stdlib/Makefile
> +++ b/stdlib/Makefile
> @@ -246,7 +246,6 @@ tests := \
>    # tests
>  
>  tests-internal := \
> -  tst-arc4random-chacha20 \
>    tst-strtod1i \
>    tst-strtod3 \
>    tst-strtod4 \
> @@ -256,7 +255,6 @@ tests-internal := \
>    # tests-internal
>  
>  tests-static := \
> -  tst-arc4random-chacha20 \
>    tst-secure-getenv \
>    # tests-static
>  

Ok.

> diff --git a/stdlib/arc4random.c b/stdlib/arc4random.c
> index 65547e79aa..0cb9991328 100644
> --- a/stdlib/arc4random.c
> +++ b/stdlib/arc4random.c
> @@ -1,4 +1,4 @@
> -/* Pseudo Random Number Generator based on ChaCha20.
> +/* Pseudo Random Number Generator
>     Copyright (C) 2022 Free Software Foundation, Inc.
>     This file is part of the GNU C Library.
>  
> @@ -16,7 +16,6 @@
>     License along with the GNU C Library; if not, see
>     <https://www.gnu.org/licenses/>.  */
>  
> -#include <arc4random.h>
>  #include <errno.h>
>  #include <not-cancel.h>
>  #include <stdio.h>
> @@ -24,53 +23,6 @@
>  #include <sys/mman.h>
>  #include <sys/param.h>
>  #include <sys/random.h>
> -#include <tls-internal.h>
> -
> -/* arc4random keeps two counters: 'have' is the current valid bytes not yet
> -   consumed in 'buf' while 'count' is the maximum number of bytes until a
> -   reseed.
> -
> -   Both the initial seed and reseed try to obtain entropy from the kernel
> -   and abort the process if none could be obtained.
> -
> -   The state 'buf' improves the usage of the cipher calls, allowing to call
> -   optimized implementations (if the architecture provides it) and minimize
> -   function call overhead.  */
> -
> -#include <chacha20.c>
> -
> -/* Called from the fork function to reset the state.  */
> -void
> -__arc4random_fork_subprocess (void)
> -{
> -  struct arc4random_state_t *state = __glibc_tls_internal ()->rand_state;
> -  if (state != NULL)
> -    {
> -      explicit_bzero (state, sizeof (*state));
> -      /* Force key init.  */
> -      state->count = -1;
> -    }
> -}
> -
> -/* Return the current thread random state or try to create one if there is
> -   none available.  In the case malloc can not allocate a state, arc4random
> -   will try to get entropy with arc4random_getentropy.  */
> -static struct arc4random_state_t *
> -arc4random_get_state (void)
> -{
> -  struct arc4random_state_t *state = __glibc_tls_internal ()->rand_state;
> -  if (state == NULL)
> -    {
> -      state = malloc (sizeof (struct arc4random_state_t));
> -      if (state != NULL)
> -	{
> -	  /* Force key initialization on first call.  */
> -	  state->count = -1;
> -	  __glibc_tls_internal ()->rand_state = state;
> -	}
> -    }
> -  return state;
> -}
>  
>  static void
>  arc4random_getrandom_failure (void)
> @@ -78,106 +30,63 @@ arc4random_getrandom_failure (void)
>    __libc_fatal ("Fatal glibc error: cannot get entropy for arc4random\n");
>  }
>  
> -static void
> -arc4random_rekey (struct arc4random_state_t *state, uint8_t *rnd, size_t rndlen)
> +void
> +__arc4random_buf (void *p, size_t n)
>  {
> -  chacha20_crypt (state->ctx, state->buf, state->buf, sizeof state->buf);
> -
> -  /* Mix optional user provided data.  */
> -  if (rnd != NULL)
> -    {
> -      size_t m = MIN (rndlen, CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
> -      for (size_t i = 0; i < m; i++)
> -	state->buf[i] ^= rnd[i];
> -    }
> -
> -  /* Immediately reinit for backtracking resistance.  */
> -  chacha20_init (state->ctx, state->buf, state->buf + CHACHA20_KEY_SIZE);
> -  explicit_bzero (state->buf, CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
> -  state->have = sizeof (state->buf) - (CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
> -}
> +  static int seen_initialized;
> +  size_t l;
> +  int fd;
>  
> -static void
> -arc4random_getentropy (void *rnd, size_t len)
> -{
> -  if (__getrandom_nocancel (rnd, len, GRND_NONBLOCK) == len)
> +  if (n == 0)
>      return;
>  
> -  int fd = TEMP_FAILURE_RETRY (__open64_nocancel ("/dev/urandom",
> -						  O_RDONLY | O_CLOEXEC));
> -  if (fd != -1)
> +  for (;;)
>      {
> -      uint8_t *p = rnd;
> -      uint8_t *end = p + len;
> -      do
> +      l = TEMP_FAILURE_RETRY (__getrandom_nocancel (p, n, 0));
> +      if (l > 0)
>  	{
> -	  ssize_t ret = TEMP_FAILURE_RETRY (__read_nocancel (fd, p, end - p));
> -	  if (ret <= 0)
> -	    arc4random_getrandom_failure ();
> -	  p += ret;
> +	  if ((size_t) l == n)
> +	    return; /* Done reading, success.  */
> +	  p = (uint8_t *) p + l;
> +	  n -= l;
> +	  continue; /* Interrupted by a signal; keep going.  */
>  	}
> -      while (p < end);
> -
> -      if (__close_nocancel (fd) == 0)
> -	return;
> +      else if (l < 0 && errno == ENOSYS)
> +	break; /* No syscall, so fallback to /dev/urandom.  */
> +      arc4random_getrandom_failure ();
>      }
> -  arc4random_getrandom_failure ();
> -}
>  
> -/* Check if the thread context STATE should be reseed with kernel entropy
> -   depending of requested LEN bytes.  If there is less than requested,
> -   the state is either initialized or reseeded, otherwise the internal
> -   counter subtract the requested length.  */
> -static void
> -arc4random_check_stir (struct arc4random_state_t *state, size_t len)
> -{
> -  if (state->count <= len || state->count == -1)
> +  if (!atomic_load_relaxed (&seen_initialized))
>      {
> -      uint8_t rnd[CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE];
> -      arc4random_getentropy (rnd, sizeof rnd);
> -
> -      if (state->count == -1)
> -	chacha20_init (state->ctx, rnd, rnd + CHACHA20_KEY_SIZE);
> -      else
> -	arc4random_rekey (state, rnd, sizeof rnd);
> -
> -      explicit_bzero (rnd, sizeof rnd);
> -
> -      /* Invalidate the buf.  */
> -      state->have = 0;
> -      memset (state->buf, 0, sizeof state->buf);
> -      state->count = CHACHA20_RESEED_SIZE;
> +      /* Poll /dev/random as an approximation of RNG initialization.  */
> +      struct pollfd pfd = { .events = POLLIN };
> +      pfd.fd = TEMP_FAILURE_RETRY (
> +	  __open64_nocancel ("/dev/random", O_RDONLY | O_CLOEXEC | O_NOCTTY));
> +      if (pfd.fd < 0)
> +	arc4random_getrandom_failure ();
> +      if (TEMP_FAILURE_RETRY (__poll_infinity_nocancel (&pfd, 1)) < 0)
> +	arc4random_getrandom_failure ();
> +      if (__close_nocancel (pfd.fd) < 0)
> +	arc4random_getrandom_failure ();
> +      atomic_store_relaxed (&seen_initialized, 1);
>      }
> -  else
> -    state->count -= len;
> -}
>  
> -void
> -__arc4random_buf (void *buffer, size_t len)
> -{
> -  struct arc4random_state_t *state = arc4random_get_state ();
> -  if (__glibc_unlikely (state == NULL))
> -    {
> -      arc4random_getentropy (buffer, len);
> -      return;
> -    }
> -
> -  arc4random_check_stir (state, len);
> -  while (len > 0)
> +  fd = TEMP_FAILURE_RETRY (
> +      __open64_nocancel ("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY));
> +  if (fd < 0)
> +    arc4random_getrandom_failure ();
> +  for (;;)
>      {
> -      if (state->have > 0)
> -	{
> -	  size_t m = MIN (len, state->have);
> -	  uint8_t *ks = state->buf + sizeof (state->buf) - state->have;
> -	  memcpy (buffer, ks, m);
> -	  explicit_bzero (ks, m);
> -	  buffer += m;
> -	  len -= m;
> -	  state->have -= m;
> -	}
> -      if (state->have == 0)
> -	arc4random_rekey (state, NULL, 0);
> +      l = TEMP_FAILURE_RETRY (__read_nocancel (fd, p, n));
> +      if (l <= 0)
> +	arc4random_getrandom_failure ();
> +      if ((size_t) l == n)
> +	break; /* Done reading, success.  */
> +      p = (uint8_t *) p + l;
> +      n -= l;
>      }
> +  if (__close_nocancel (fd) < 0)
> +    arc4random_getrandom_failure ();
>  }
>  libc_hidden_def (__arc4random_buf)
>  weak_alias (__arc4random_buf, arc4random_buf)
> @@ -186,22 +95,7 @@ uint32_t
>  __arc4random (void)
>  {
>    uint32_t r;
> -
> -  struct arc4random_state_t *state = arc4random_get_state ();
> -  if (__glibc_unlikely (state == NULL))
> -    {
> -      arc4random_getentropy (&r, sizeof (uint32_t));
> -      return r;
> -    }
> -
> -  arc4random_check_stir (state, sizeof (uint32_t));
> -  if (state->have < sizeof (uint32_t))
> -    arc4random_rekey (state, NULL, 0);
> -  uint8_t *ks = state->buf + sizeof (state->buf) - state->have;
> -  memcpy (&r, ks, sizeof (uint32_t));
> -  memset (ks, 0, sizeof (uint32_t));
> -  state->have -= sizeof (uint32_t);
> -
> +  __arc4random_buf (&r, sizeof (r));
>    return r;
>  }
>  libc_hidden_def (__arc4random)

Ok.

> diff --git a/stdlib/arc4random.h b/stdlib/arc4random.h
> deleted file mode 100644
> index cd39389c19..0000000000
> --- a/stdlib/arc4random.h
> +++ /dev/null
> @@ -1,48 +0,0 @@
> -/* Arc4random definition used on TLS.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -#ifndef _CHACHA20_H
> -#define _CHACHA20_H
> -
> -#include <stddef.h>
> -#include <stdint.h>
> -
> -/* Internal ChaCha20 state.  */
> -#define CHACHA20_STATE_LEN	16
> -#define CHACHA20_BLOCK_SIZE	64
> -
> -/* Maximum number bytes until reseed (16 MB).  */
> -#define CHACHA20_RESEED_SIZE	(16 * 1024 * 1024)
> -
> -/* Internal arc4random buffer, used on each feedback step so offer some
> -   backtracking protection and to allow better used of vectorized
> -   chacha20 implementations.  */
> -#define CHACHA20_BUFSIZE        (8 * CHACHA20_BLOCK_SIZE)
> -
> -_Static_assert (CHACHA20_BUFSIZE >= CHACHA20_BLOCK_SIZE + CHACHA20_BLOCK_SIZE,
> -		"CHACHA20_BUFSIZE < CHACHA20_BLOCK_SIZE + CHACHA20_BLOCK_SIZE");
> -
> -struct arc4random_state_t
> -{
> -  uint32_t ctx[CHACHA20_STATE_LEN];
> -  size_t have;
> -  size_t count;
> -  uint8_t buf[CHACHA20_BUFSIZE];
> -};
> -
> -#endif

Ok.

> diff --git a/stdlib/chacha20.c b/stdlib/chacha20.c
> deleted file mode 100644
> index 2745a81315..0000000000
> --- a/stdlib/chacha20.c
> +++ /dev/null
> @@ -1,191 +0,0 @@
> -/* Generic ChaCha20 implementation (used on arc4random).
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -#include <array_length.h>
> -#include <endian.h>
> -#include <stddef.h>
> -#include <stdint.h>
> -#include <string.h>
> -
> -/* 32-bit stream position, then 96-bit nonce.  */
> -#define CHACHA20_IV_SIZE	16
> -#define CHACHA20_KEY_SIZE	32
> -
> -#define CHACHA20_STATE_LEN	16
> -
> -/* The ChaCha20 implementation is based on RFC8439 [1], omitting the final
> -   XOR of the keystream with the plaintext because the plaintext is a
> -   stream of zeros.  */
> -
> -enum chacha20_constants
> -{
> -  CHACHA20_CONSTANT_EXPA = 0x61707865U,
> -  CHACHA20_CONSTANT_ND_3 = 0x3320646eU,
> -  CHACHA20_CONSTANT_2_BY = 0x79622d32U,
> -  CHACHA20_CONSTANT_TE_K = 0x6b206574U
> -};
> -
> -static inline uint32_t
> -read_unaligned_32 (const uint8_t *p)
> -{
> -  uint32_t r;
> -  memcpy (&r, p, sizeof (r));
> -  return r;
> -}
> -
> -static inline void
> -write_unaligned_32 (uint8_t *p, uint32_t v)
> -{
> -  memcpy (p, &v, sizeof (v));
> -}
> -
> -#if __BYTE_ORDER == __BIG_ENDIAN
> -# define read_unaligned_le32(p) __builtin_bswap32 (read_unaligned_32 (p))
> -# define set_state(v)		__builtin_bswap32 ((v))
> -#else
> -# define read_unaligned_le32(p) read_unaligned_32 ((p))
> -# define set_state(v)		(v)
> -#endif
> -
> -static inline void
> -chacha20_init (uint32_t *state, const uint8_t *key, const uint8_t *iv)
> -{
> -  state[0]  = CHACHA20_CONSTANT_EXPA;
> -  state[1]  = CHACHA20_CONSTANT_ND_3;
> -  state[2]  = CHACHA20_CONSTANT_2_BY;
> -  state[3]  = CHACHA20_CONSTANT_TE_K;
> -
> -  state[4]  = read_unaligned_le32 (key + 0 * sizeof (uint32_t));
> -  state[5]  = read_unaligned_le32 (key + 1 * sizeof (uint32_t));
> -  state[6]  = read_unaligned_le32 (key + 2 * sizeof (uint32_t));
> -  state[7]  = read_unaligned_le32 (key + 3 * sizeof (uint32_t));
> -  state[8]  = read_unaligned_le32 (key + 4 * sizeof (uint32_t));
> -  state[9]  = read_unaligned_le32 (key + 5 * sizeof (uint32_t));
> -  state[10] = read_unaligned_le32 (key + 6 * sizeof (uint32_t));
> -  state[11] = read_unaligned_le32 (key + 7 * sizeof (uint32_t));
> -
> -  state[12] = read_unaligned_le32 (iv + 0 * sizeof (uint32_t));
> -  state[13] = read_unaligned_le32 (iv + 1 * sizeof (uint32_t));
> -  state[14] = read_unaligned_le32 (iv + 2 * sizeof (uint32_t));
> -  state[15] = read_unaligned_le32 (iv + 3 * sizeof (uint32_t));
> -}
> -
> -static inline uint32_t
> -rotl32 (unsigned int shift, uint32_t word)
> -{
> -  return (word << (shift & 31)) | (word >> ((-shift) & 31));
> -}
> -
> -static void
> -state_final (const uint8_t *src, uint8_t *dst, uint32_t v)
> -{
> -#ifdef CHACHA20_XOR_FINAL
> -  v ^= read_unaligned_32 (src);
> -#endif
> -  write_unaligned_32 (dst, v);
> -}
> -
> -static inline void
> -chacha20_block (uint32_t *state, uint8_t *dst, const uint8_t *src)
> -{
> -  uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
> -  uint32_t x8, x9, x10, x11, x12, x13, x14, x15;
> -
> -  x0 = state[0];
> -  x1 = state[1];
> -  x2 = state[2];
> -  x3 = state[3];
> -  x4 = state[4];
> -  x5 = state[5];
> -  x6 = state[6];
> -  x7 = state[7];
> -  x8 = state[8];
> -  x9 = state[9];
> -  x10 = state[10];
> -  x11 = state[11];
> -  x12 = state[12];
> -  x13 = state[13];
> -  x14 = state[14];
> -  x15 = state[15];
> -
> -  for (int i = 0; i < 20; i += 2)
> -    {
> -#define QROUND(_x0, _x1, _x2, _x3) 			\
> -  do {							\
> -   _x0 = _x0 + _x1; _x3 = rotl32 (16, (_x0 ^ _x3)); 	\
> -   _x2 = _x2 + _x3; _x1 = rotl32 (12, (_x1 ^ _x2)); 	\
> -   _x0 = _x0 + _x1; _x3 = rotl32 (8,  (_x0 ^ _x3));	\
> -   _x2 = _x2 + _x3; _x1 = rotl32 (7,  (_x1 ^ _x2));	\
> -  } while(0)
> -
> -      QROUND (x0, x4, x8,  x12);
> -      QROUND (x1, x5, x9,  x13);
> -      QROUND (x2, x6, x10, x14);
> -      QROUND (x3, x7, x11, x15);
> -
> -      QROUND (x0, x5, x10, x15);
> -      QROUND (x1, x6, x11, x12);
> -      QROUND (x2, x7, x8,  x13);
> -      QROUND (x3, x4, x9,  x14);
> -    }
> -
> -  state_final (&src[0], &dst[0], set_state (x0 + state[0]));
> -  state_final (&src[4], &dst[4], set_state (x1 + state[1]));
> -  state_final (&src[8], &dst[8], set_state (x2 + state[2]));
> -  state_final (&src[12], &dst[12], set_state (x3 + state[3]));
> -  state_final (&src[16], &dst[16], set_state (x4 + state[4]));
> -  state_final (&src[20], &dst[20], set_state (x5 + state[5]));
> -  state_final (&src[24], &dst[24], set_state (x6 + state[6]));
> -  state_final (&src[28], &dst[28], set_state (x7 + state[7]));
> -  state_final (&src[32], &dst[32], set_state (x8 + state[8]));
> -  state_final (&src[36], &dst[36], set_state (x9 + state[9]));
> -  state_final (&src[40], &dst[40], set_state (x10 + state[10]));
> -  state_final (&src[44], &dst[44], set_state (x11 + state[11]));
> -  state_final (&src[48], &dst[48], set_state (x12 + state[12]));
> -  state_final (&src[52], &dst[52], set_state (x13 + state[13]));
> -  state_final (&src[56], &dst[56], set_state (x14 + state[14]));
> -  state_final (&src[60], &dst[60], set_state (x15 + state[15]));
> -
> -  state[12]++;
> -}
> -
> -static void
> -__attribute_maybe_unused__
> -chacha20_crypt_generic (uint32_t *state, uint8_t *dst, const uint8_t *src,
> -			size_t bytes)
> -{
> -  while (bytes >= CHACHA20_BLOCK_SIZE)
> -    {
> -      chacha20_block (state, dst, src);
> -
> -      bytes -= CHACHA20_BLOCK_SIZE;
> -      dst += CHACHA20_BLOCK_SIZE;
> -      src += CHACHA20_BLOCK_SIZE;
> -    }
> -
> -  if (__glibc_unlikely (bytes != 0))
> -    {
> -      uint8_t stream[CHACHA20_BLOCK_SIZE];
> -      chacha20_block (state, stream, src);
> -      memcpy (dst, stream, bytes);
> -      explicit_bzero (stream, sizeof stream);
> -    }
> -}
> -
> -/* Get the architecture optimized version.  */
> -#include <chacha20_arch.h>
> diff --git a/stdlib/tst-arc4random-chacha20.c b/stdlib/tst-arc4random-chacha20.c
> deleted file mode 100644
> index 45ba54920d..0000000000
> --- a/stdlib/tst-arc4random-chacha20.c
> +++ /dev/null
> @@ -1,167 +0,0 @@
> -/* Basic tests for chacha20 cypher used in arc4random.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -#include <arc4random.h>
> -#include <support/check.h>
> -#include <sys/cdefs.h>
> -
> -/* The test does not define CHACHA20_XOR_FINAL to mimic what arc4random
> -   actual does.  */
> -#include <chacha20.c>
> -
> -static int
> -do_test (void)
> -{
> -  const uint8_t key[CHACHA20_KEY_SIZE] =
> -    {
> -      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
> -      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
> -      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
> -      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
> -    };
> -  const uint8_t iv[CHACHA20_IV_SIZE] =
> -    {
> -      0x0, 0x0, 0x0, 0x0,
> -      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
> -    };
> -  const uint8_t expected1[CHACHA20_BUFSIZE] =
> -    {
> -      0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90, 0x40, 0x5d, 0x6a,
> -      0xe5, 0x53, 0x86, 0xbd, 0x28, 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d,
> -      0xed, 0x1a, 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7, 0xda,
> -      0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d, 0x77, 0x24, 0xe0, 0x3f,
> -      0xb8, 0xd8, 0x4a, 0x37, 0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1,
> -      0x1c, 0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86, 0x9f, 0x07,
> -      0xe7, 0xbe, 0x55, 0x51, 0x38, 0x7a, 0x98, 0xba, 0x97, 0x7c, 0x73,
> -      0x2d, 0x08, 0x0d, 0xcb, 0x0f, 0x29, 0xa0, 0x48, 0xe3, 0x65, 0x69,
> -      0x12, 0xc6, 0x53, 0x3e, 0x32, 0xee, 0x7a, 0xed, 0x29, 0xb7, 0x21,
> -      0x76, 0x9c, 0xe6, 0x4e, 0x43, 0xd5, 0x71, 0x33, 0xb0, 0x74, 0xd8,
> -      0x39, 0xd5, 0x31, 0xed, 0x1f, 0x28, 0x51, 0x0a, 0xfb, 0x45, 0xac,
> -      0xe1, 0x0a, 0x1f, 0x4b, 0x79, 0x4d, 0x6f, 0x2d, 0x09, 0xa0, 0xe6,
> -      0x63, 0x26, 0x6c, 0xe1, 0xae, 0x7e, 0xd1, 0x08, 0x19, 0x68, 0xa0,
> -      0x75, 0x8e, 0x71, 0x8e, 0x99, 0x7b, 0xd3, 0x62, 0xc6, 0xb0, 0xc3,
> -      0x46, 0x34, 0xa9, 0xa0, 0xb3, 0x5d, 0x01, 0x27, 0x37, 0x68, 0x1f,
> -      0x7b, 0x5d, 0x0f, 0x28, 0x1e, 0x3a, 0xfd, 0xe4, 0x58, 0xbc, 0x1e,
> -      0x73, 0xd2, 0xd3, 0x13, 0xc9, 0xcf, 0x94, 0xc0, 0x5f, 0xf3, 0x71,
> -      0x62, 0x40, 0xa2, 0x48, 0xf2, 0x13, 0x20, 0xa0, 0x58, 0xd7, 0xb3,
> -      0x56, 0x6b, 0xd5, 0x20, 0xda, 0xaa, 0x3e, 0xd2, 0xbf, 0x0a, 0xc5,
> -      0xb8, 0xb1, 0x20, 0xfb, 0x85, 0x27, 0x73, 0xc3, 0x63, 0x97, 0x34,
> -      0xb4, 0x5c, 0x91, 0xa4, 0x2d, 0xd4, 0xcb, 0x83, 0xf8, 0x84, 0x0d,
> -      0x2e, 0xed, 0xb1, 0x58, 0x13, 0x10, 0x62, 0xac, 0x3f, 0x1f, 0x2c,
> -      0xf8, 0xff, 0x6d, 0xcd, 0x18, 0x56, 0xe8, 0x6a, 0x1e, 0x6c, 0x31,
> -      0x67, 0x16, 0x7e, 0xe5, 0xa6, 0x88, 0x74, 0x2b, 0x47, 0xc5, 0xad,
> -      0xfb, 0x59, 0xd4, 0xdf, 0x76, 0xfd, 0x1d, 0xb1, 0xe5, 0x1e, 0xe0,
> -      0x3b, 0x1c, 0xa9, 0xf8, 0x2a, 0xca, 0x17, 0x3e, 0xdb, 0x8b, 0x72,
> -      0x93, 0x47, 0x4e, 0xbe, 0x98, 0x0f, 0x90, 0x4d, 0x10, 0xc9, 0x16,
> -      0x44, 0x2b, 0x47, 0x83, 0xa0, 0xe9, 0x84, 0x86, 0x0c, 0xb6, 0xc9,
> -      0x57, 0xb3, 0x9c, 0x38, 0xed, 0x8f, 0x51, 0xcf, 0xfa, 0xa6, 0x8a,
> -      0x4d, 0xe0, 0x10, 0x25, 0xa3, 0x9c, 0x50, 0x45, 0x46, 0xb9, 0xdc,
> -      0x14, 0x06, 0xa7, 0xeb, 0x28, 0x15, 0x1e, 0x51, 0x50, 0xd7, 0xb2,
> -      0x04, 0xba, 0xa7, 0x19, 0xd4, 0xf0, 0x91, 0x02, 0x12, 0x17, 0xdb,
> -      0x5c, 0xf1, 0xb5, 0xc8, 0x4c, 0x4f, 0xa7, 0x1a, 0x87, 0x96, 0x10,
> -      0xa1, 0xa6, 0x95, 0xac, 0x52, 0x7c, 0x5b, 0x56, 0x77, 0x4a, 0x6b,
> -      0x8a, 0x21, 0xaa, 0xe8, 0x86, 0x85, 0x86, 0x8e, 0x09, 0x4c, 0xf2,
> -      0x9e, 0xf4, 0x09, 0x0a, 0xf7, 0xa9, 0x0c, 0xc0, 0x7e, 0x88, 0x17,
> -      0xaa, 0x52, 0x87, 0x63, 0x79, 0x7d, 0x3c, 0x33, 0x2b, 0x67, 0xca,
> -      0x4b, 0xc1, 0x10, 0x64, 0x2c, 0x21, 0x51, 0xec, 0x47, 0xee, 0x84,
> -      0xcb, 0x8c, 0x42, 0xd8, 0x5f, 0x10, 0xe2, 0xa8, 0xcb, 0x18, 0xc3,
> -      0xb7, 0x33, 0x5f, 0x26, 0xe8, 0xc3, 0x9a, 0x12, 0xb1, 0xbc, 0xc1,
> -      0x70, 0x71, 0x77, 0xb7, 0x61, 0x38, 0x73, 0x2e, 0xed, 0xaa, 0xb7,
> -      0x4d, 0xa1, 0x41, 0x0f, 0xc0, 0x55, 0xea, 0x06, 0x8c, 0x99, 0xe9,
> -      0x26, 0x0a, 0xcb, 0xe3, 0x37, 0xcf, 0x5d, 0x3e, 0x00, 0xe5, 0xb3,
> -      0x23, 0x0f, 0xfe, 0xdb, 0x0b, 0x99, 0x07, 0x87, 0xd0, 0xc7, 0x0e,
> -      0x0b, 0xfe, 0x41, 0x98, 0xea, 0x67, 0x58, 0xdd, 0x5a, 0x61, 0xfb,
> -      0x5f, 0xec, 0x2d, 0xf9, 0x81, 0xf3, 0x1b, 0xef, 0xe1, 0x53, 0xf8,
> -      0x1d, 0x17, 0x16, 0x17, 0x84, 0xdb
> -    };
> -
> -  const uint8_t expected2[CHACHA20_BUFSIZE] =
> -    {
> -      0x1c, 0x88, 0x22, 0xd5, 0x3c, 0xd1, 0xee, 0x7d, 0xb5, 0x32, 0x36,
> -      0x48, 0x28, 0xbd, 0xf4, 0x04, 0xb0, 0x40, 0xa8, 0xdc, 0xc5, 0x22,
> -      0xf3, 0xd3, 0xd9, 0x9a, 0xec, 0x4b, 0x80, 0x57, 0xed, 0xb8, 0x50,
> -      0x09, 0x31, 0xa2, 0xc4, 0x2d, 0x2f, 0x0c, 0x57, 0x08, 0x47, 0x10,
> -      0x0b, 0x57, 0x54, 0xda, 0xfc, 0x5f, 0xbd, 0xb8, 0x94, 0xbb, 0xef,
> -      0x1a, 0x2d, 0xe1, 0xa0, 0x7f, 0x8b, 0xa0, 0xc4, 0xb9, 0x19, 0x30,
> -      0x10, 0x66, 0xed, 0xbc, 0x05, 0x6b, 0x7b, 0x48, 0x1e, 0x7a, 0x0c,
> -      0x46, 0x29, 0x7b, 0xbb, 0x58, 0x9d, 0x9d, 0xa5, 0xb6, 0x75, 0xa6,
> -      0x72, 0x3e, 0x15, 0x2e, 0x5e, 0x63, 0xa4, 0xce, 0x03, 0x4e, 0x9e,
> -      0x83, 0xe5, 0x8a, 0x01, 0x3a, 0xf0, 0xe7, 0x35, 0x2f, 0xb7, 0x90,
> -      0x85, 0x14, 0xe3, 0xb3, 0xd1, 0x04, 0x0d, 0x0b, 0xb9, 0x63, 0xb3,
> -      0x95, 0x4b, 0x63, 0x6b, 0x5f, 0xd4, 0xbf, 0x6d, 0x0a, 0xad, 0xba,
> -      0xf8, 0x15, 0x7d, 0x06, 0x2a, 0xcb, 0x24, 0x18, 0xc1, 0x76, 0xa4,
> -      0x75, 0x51, 0x1b, 0x35, 0xc3, 0xf6, 0x21, 0x8a, 0x56, 0x68, 0xea,
> -      0x5b, 0xc6, 0xf5, 0x4b, 0x87, 0x82, 0xf8, 0xb3, 0x40, 0xf0, 0x0a,
> -      0xc1, 0xbe, 0xba, 0x5e, 0x62, 0xcd, 0x63, 0x2a, 0x7c, 0xe7, 0x80,
> -      0x9c, 0x72, 0x56, 0x08, 0xac, 0xa5, 0xef, 0xbf, 0x7c, 0x41, 0xf2,
> -      0x37, 0x64, 0x3f, 0x06, 0xc0, 0x99, 0x72, 0x07, 0x17, 0x1d, 0xe8,
> -      0x67, 0xf9, 0xd6, 0x97, 0xbf, 0x5e, 0xa6, 0x01, 0x1a, 0xbc, 0xce,
> -      0x6c, 0x8c, 0xdb, 0x21, 0x13, 0x94, 0xd2, 0xc0, 0x2d, 0xd0, 0xfb,
> -      0x60, 0xdb, 0x5a, 0x2c, 0x17, 0xac, 0x3d, 0xc8, 0x58, 0x78, 0xa9,
> -      0x0b, 0xed, 0x38, 0x09, 0xdb, 0xb9, 0x6e, 0xaa, 0x54, 0x26, 0xfc,
> -      0x8e, 0xae, 0x0d, 0x2d, 0x65, 0xc4, 0x2a, 0x47, 0x9f, 0x08, 0x86,
> -      0x48, 0xbe, 0x2d, 0xc8, 0x01, 0xd8, 0x2a, 0x36, 0x6f, 0xdd, 0xc0,
> -      0xef, 0x23, 0x42, 0x63, 0xc0, 0xb6, 0x41, 0x7d, 0x5f, 0x9d, 0xa4,
> -      0x18, 0x17, 0xb8, 0x8d, 0x68, 0xe5, 0xe6, 0x71, 0x95, 0xc5, 0xc1,
> -      0xee, 0x30, 0x95, 0xe8, 0x21, 0xf2, 0x25, 0x24, 0xb2, 0x0b, 0xe4,
> -      0x1c, 0xeb, 0x59, 0x04, 0x12, 0xe4, 0x1d, 0xc6, 0x48, 0x84, 0x3f,
> -      0xa9, 0xbf, 0xec, 0x7a, 0x3d, 0xcf, 0x61, 0xab, 0x05, 0x41, 0x57,
> -      0x33, 0x16, 0xd3, 0xfa, 0x81, 0x51, 0x62, 0x93, 0x03, 0xfe, 0x97,
> -      0x41, 0x56, 0x2e, 0xd0, 0x65, 0xdb, 0x4e, 0xbc, 0x00, 0x50, 0xef,
> -      0x55, 0x83, 0x64, 0xae, 0x81, 0x12, 0x4a, 0x28, 0xf5, 0xc0, 0x13,
> -      0x13, 0x23, 0x2f, 0xbc, 0x49, 0x6d, 0xfd, 0x8a, 0x25, 0x68, 0x65,
> -      0x7b, 0x68, 0x6d, 0x72, 0x14, 0x38, 0x2a, 0x1a, 0x00, 0x90, 0x30,
> -      0x17, 0xdd, 0xa9, 0x69, 0x87, 0x84, 0x42, 0xba, 0x5a, 0xff, 0xf6,
> -      0x61, 0x3f, 0x55, 0x3c, 0xbb, 0x23, 0x3c, 0xe4, 0x6d, 0x9a, 0xee,
> -      0x93, 0xa7, 0x87, 0x6c, 0xf5, 0xe9, 0xe8, 0x29, 0x12, 0xb1, 0x8c,
> -      0xad, 0xf0, 0xb3, 0x43, 0x27, 0xb2, 0xe0, 0x42, 0x7e, 0xcf, 0x66,
> -      0xb7, 0xce, 0xb7, 0xc0, 0x91, 0x8d, 0xc4, 0x7b, 0xdf, 0xf1, 0x2a,
> -      0x06, 0x2a, 0xdf, 0x07, 0x13, 0x30, 0x09, 0xce, 0x7a, 0x5e, 0x5c,
> -      0x91, 0x7e, 0x01, 0x68, 0x30, 0x61, 0x09, 0xb7, 0xcb, 0x49, 0x65,
> -      0x3a, 0x6d, 0x2c, 0xae, 0xf0, 0x05, 0xde, 0x78, 0x3a, 0x9a, 0x9b,
> -      0xfe, 0x05, 0x38, 0x1e, 0xd1, 0x34, 0x8d, 0x94, 0xec, 0x65, 0x88,
> -      0x6f, 0x9c, 0x0b, 0x61, 0x9c, 0x52, 0xc5, 0x53, 0x38, 0x00, 0xb1,
> -      0x6c, 0x83, 0x61, 0x72, 0xb9, 0x51, 0x82, 0xdb, 0xc5, 0xee, 0xc0,
> -      0x42, 0xb8, 0x9e, 0x22, 0xf1, 0x1a, 0x08, 0x5b, 0x73, 0x9a, 0x36,
> -      0x11, 0xcd, 0x8d, 0x83, 0x60, 0x18
> -    };
> -
> -  /* Check with the expected internal arc4random keystream buffer.  Some
> -     architecture optimizations expects a buffer with a minimum size which
> -     is a multiple of then ChaCha20 blocksize, so they might not be prepared
> -     to handle smaller buffers.  */
> -
> -  uint8_t output[CHACHA20_BUFSIZE];
> -
> -  uint32_t state[CHACHA20_STATE_LEN];
> -  chacha20_init (state, key, iv);
> -
> -  /* Check with the initial state.  */
> -  uint8_t input[CHACHA20_BUFSIZE] = { 0 };
> -
> -  chacha20_crypt (state, output, input, CHACHA20_BUFSIZE);
> -  TEST_COMPARE_BLOB (output, sizeof output, expected1, CHACHA20_BUFSIZE);
> -
> -  /* And on the next round.  */
> -  chacha20_crypt (state, output, input, CHACHA20_BUFSIZE);
> -  TEST_COMPARE_BLOB (output, sizeof output, expected2, CHACHA20_BUFSIZE);
> -
> -  return 0;
> -}
> -
> -#include <support/test-driver.c>
> diff --git a/sysdeps/aarch64/Makefile b/sysdeps/aarch64/Makefile
> index 7dfd1b62dd..17fb1c5b72 100644
> --- a/sysdeps/aarch64/Makefile
> +++ b/sysdeps/aarch64/Makefile
> @@ -51,10 +51,6 @@ ifeq ($(subdir),csu)
>  gen-as-const-headers += tlsdesc.sym
>  endif
>  
> -ifeq ($(subdir),stdlib)
> -sysdep_routines += chacha20-aarch64
> -endif
> -
>  ifeq ($(subdir),gmon)
>  CFLAGS-mcount.c += -mgeneral-regs-only
>  endif
> diff --git a/sysdeps/aarch64/chacha20-aarch64.S b/sysdeps/aarch64/chacha20-aarch64.S
> deleted file mode 100644
> index cce5291c5c..0000000000
> --- a/sysdeps/aarch64/chacha20-aarch64.S
> +++ /dev/null
> @@ -1,314 +0,0 @@
> -/* Optimized AArch64 implementation of ChaCha20 cipher.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -/* Copyright (C) 2017-2019 Jussi Kivilinna <jussi.kivilinna@xxxxxx>
> -
> -   This file is part of Libgcrypt.
> -
> -   Libgcrypt is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU Lesser General Public License as
> -   published by the Free Software Foundation; either version 2.1 of
> -   the License, or (at your option) any later version.
> -
> -   Libgcrypt is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -   GNU Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with this program; if not, see <https://www.gnu.org/licenses/>.
> - */
> -
> -/* Based on D. J. Bernstein reference implementation at
> -   http://cr.yp.to/chacha.html:
> -
> -   chacha-regs.c version 20080118
> -   D. J. Bernstein
> -   Public domain.  */
> -
> -#include <sysdep.h>
> -
> -/* Only LE is supported.  */
> -#ifdef __AARCH64EL__
> -
> -#define GET_DATA_POINTER(reg, name) \
> -        adrp    reg, name ; \
> -        add     reg, reg, :lo12:name
> -
> -/* 'ret' instruction replacement for straight-line speculation mitigation */
> -#define ret_spec_stop \
> -        ret; dsb sy; isb;
> -
> -.cpu generic+simd
> -
> -.text
> -
> -/* register macros */
> -#define INPUT     x0
> -#define DST       x1
> -#define SRC       x2
> -#define NBLKS     x3
> -#define ROUND     x4
> -#define INPUT_CTR x5
> -#define INPUT_POS x6
> -#define CTR       x7
> -
> -/* vector registers */
> -#define X0 v16
> -#define X4 v17
> -#define X8 v18
> -#define X12 v19
> -
> -#define X1 v20
> -#define X5 v21
> -
> -#define X9 v22
> -#define X13 v23
> -#define X2 v24
> -#define X6 v25
> -
> -#define X3 v26
> -#define X7 v27
> -#define X11 v28
> -#define X15 v29
> -
> -#define X10 v30
> -#define X14 v31
> -
> -#define VCTR    v0
> -#define VTMP0   v1
> -#define VTMP1   v2
> -#define VTMP2   v3
> -#define VTMP3   v4
> -#define X12_TMP v5
> -#define X13_TMP v6
> -#define ROT8    v7
> -
> -/**********************************************************************
> -  helper macros
> - **********************************************************************/
> -
> -#define _(...) __VA_ARGS__
> -
> -#define vpunpckldq(s1, s2, dst) \
> -	zip1 dst.4s, s2.4s, s1.4s;
> -
> -#define vpunpckhdq(s1, s2, dst) \
> -	zip2 dst.4s, s2.4s, s1.4s;
> -
> -#define vpunpcklqdq(s1, s2, dst) \
> -	zip1 dst.2d, s2.2d, s1.2d;
> -
> -#define vpunpckhqdq(s1, s2, dst) \
> -	zip2 dst.2d, s2.2d, s1.2d;
> -
> -/* 4x4 32-bit integer matrix transpose */
> -#define transpose_4x4(x0, x1, x2, x3, t1, t2, t3) \
> -	vpunpckhdq(x1, x0, t2); \
> -	vpunpckldq(x1, x0, x0); \
> -	\
> -	vpunpckldq(x3, x2, t1); \
> -	vpunpckhdq(x3, x2, x2); \
> -	\
> -	vpunpckhqdq(t1, x0, x1); \
> -	vpunpcklqdq(t1, x0, x0); \
> -	\
> -	vpunpckhqdq(x2, t2, x3); \
> -	vpunpcklqdq(x2, t2, x2);
> -
> -/**********************************************************************
> -  4-way chacha20
> - **********************************************************************/
> -
> -#define XOR(d,s1,s2) \
> -	eor d.16b, s2.16b, s1.16b;
> -
> -#define PLUS(ds,s) \
> -	add ds.4s, ds.4s, s.4s;
> -
> -#define ROTATE4(dst1,dst2,dst3,dst4,c,src1,src2,src3,src4) \
> -	shl dst1.4s, src1.4s, #(c);		\
> -	shl dst2.4s, src2.4s, #(c);		\
> -	shl dst3.4s, src3.4s, #(c);		\
> -	shl dst4.4s, src4.4s, #(c);		\
> -	sri dst1.4s, src1.4s, #(32 - (c));	\
> -	sri dst2.4s, src2.4s, #(32 - (c));	\
> -	sri dst3.4s, src3.4s, #(32 - (c));	\
> -	sri dst4.4s, src4.4s, #(32 - (c));
> -
> -#define ROTATE4_8(dst1,dst2,dst3,dst4,src1,src2,src3,src4) \
> -	tbl dst1.16b, {src1.16b}, ROT8.16b;     \
> -	tbl dst2.16b, {src2.16b}, ROT8.16b;	\
> -	tbl dst3.16b, {src3.16b}, ROT8.16b;	\
> -	tbl dst4.16b, {src4.16b}, ROT8.16b;
> -
> -#define ROTATE4_16(dst1,dst2,dst3,dst4,src1,src2,src3,src4) \
> -	rev32 dst1.8h, src1.8h;			\
> -	rev32 dst2.8h, src2.8h;			\
> -	rev32 dst3.8h, src3.8h;			\
> -	rev32 dst4.8h, src4.8h;
> -
> -#define QUARTERROUND4(a1,b1,c1,d1,a2,b2,c2,d2,a3,b3,c3,d3,a4,b4,c4,d4,ign,tmp1,tmp2,tmp3,tmp4) \
> -	PLUS(a1,b1); PLUS(a2,b2);						\
> -	PLUS(a3,b3); PLUS(a4,b4);						\
> -	    XOR(tmp1,d1,a1); XOR(tmp2,d2,a2);					\
> -	    XOR(tmp3,d3,a3); XOR(tmp4,d4,a4);					\
> -		ROTATE4_16(d1, d2, d3, d4, tmp1, tmp2, tmp3, tmp4);		\
> -	PLUS(c1,d1); PLUS(c2,d2);						\
> -	PLUS(c3,d3); PLUS(c4,d4);						\
> -	    XOR(tmp1,b1,c1); XOR(tmp2,b2,c2);					\
> -	    XOR(tmp3,b3,c3); XOR(tmp4,b4,c4);					\
> -		ROTATE4(b1, b2, b3, b4, 12, tmp1, tmp2, tmp3, tmp4)		\
> -	PLUS(a1,b1); PLUS(a2,b2);						\
> -	PLUS(a3,b3); PLUS(a4,b4);						\
> -	    XOR(tmp1,d1,a1); XOR(tmp2,d2,a2);					\
> -	    XOR(tmp3,d3,a3); XOR(tmp4,d4,a4);					\
> -		ROTATE4_8(d1, d2, d3, d4, tmp1, tmp2, tmp3, tmp4)		\
> -	PLUS(c1,d1); PLUS(c2,d2);						\
> -	PLUS(c3,d3); PLUS(c4,d4);						\
> -	    XOR(tmp1,b1,c1); XOR(tmp2,b2,c2);					\
> -	    XOR(tmp3,b3,c3); XOR(tmp4,b4,c4);					\
> -		ROTATE4(b1, b2, b3, b4, 7, tmp1, tmp2, tmp3, tmp4)		\
> -
> -.align 4
> -L(__chacha20_blocks4_data_inc_counter):
> -	.long 0,1,2,3
> -
> -.align 4
> -L(__chacha20_blocks4_data_rot8):
> -	.byte 3,0,1,2
> -	.byte 7,4,5,6
> -	.byte 11,8,9,10
> -	.byte 15,12,13,14
> -
> -.hidden __chacha20_neon_blocks4
> -ENTRY (__chacha20_neon_blocks4)
> -	/* input:
> -	 *	x0: input
> -	 *	x1: dst
> -	 *	x2: src
> -	 *	x3: nblks (multiple of 4)
> -	 */
> -
> -	GET_DATA_POINTER(CTR, L(__chacha20_blocks4_data_rot8))
> -	add INPUT_CTR, INPUT, #(12*4);
> -	ld1 {ROT8.16b}, [CTR];
> -	GET_DATA_POINTER(CTR, L(__chacha20_blocks4_data_inc_counter))
> -	mov INPUT_POS, INPUT;
> -	ld1 {VCTR.16b}, [CTR];
> -
> -L(loop4):
> -	/* Construct counter vectors X12 and X13 */
> -
> -	ld1 {X15.16b}, [INPUT_CTR];
> -	mov ROUND, #20;
> -	ld1 {VTMP1.16b-VTMP3.16b}, [INPUT_POS];
> -
> -	dup X12.4s, X15.s[0];
> -	dup X13.4s, X15.s[1];
> -	ldr CTR, [INPUT_CTR];
> -	add X12.4s, X12.4s, VCTR.4s;
> -	dup X0.4s, VTMP1.s[0];
> -	dup X1.4s, VTMP1.s[1];
> -	dup X2.4s, VTMP1.s[2];
> -	dup X3.4s, VTMP1.s[3];
> -	dup X14.4s, X15.s[2];
> -	cmhi VTMP0.4s, VCTR.4s, X12.4s;
> -	dup X15.4s, X15.s[3];
> -	add CTR, CTR, #4; /* Update counter */
> -	dup X4.4s, VTMP2.s[0];
> -	dup X5.4s, VTMP2.s[1];
> -	dup X6.4s, VTMP2.s[2];
> -	dup X7.4s, VTMP2.s[3];
> -	sub X13.4s, X13.4s, VTMP0.4s;
> -	dup X8.4s, VTMP3.s[0];
> -	dup X9.4s, VTMP3.s[1];
> -	dup X10.4s, VTMP3.s[2];
> -	dup X11.4s, VTMP3.s[3];
> -	mov X12_TMP.16b, X12.16b;
> -	mov X13_TMP.16b, X13.16b;
> -	str CTR, [INPUT_CTR];
> -
> -L(round2):
> -	subs ROUND, ROUND, #2
> -	QUARTERROUND4(X0, X4,  X8, X12,   X1, X5,  X9, X13,
> -		      X2, X6, X10, X14,   X3, X7, X11, X15,
> -		      tmp:=,VTMP0,VTMP1,VTMP2,VTMP3)
> -	QUARTERROUND4(X0, X5, X10, X15,   X1, X6, X11, X12,
> -		      X2, X7,  X8, X13,   X3, X4,  X9, X14,
> -		      tmp:=,VTMP0,VTMP1,VTMP2,VTMP3)
> -	b.ne L(round2);
> -
> -	ld1 {VTMP0.16b, VTMP1.16b}, [INPUT_POS], #32;
> -
> -	PLUS(X12, X12_TMP);        /* INPUT + 12 * 4 + counter */
> -	PLUS(X13, X13_TMP);        /* INPUT + 13 * 4 + counter */
> -
> -	dup VTMP2.4s, VTMP0.s[0]; /* INPUT + 0 * 4 */
> -	dup VTMP3.4s, VTMP0.s[1]; /* INPUT + 1 * 4 */
> -	dup X12_TMP.4s, VTMP0.s[2]; /* INPUT + 2 * 4 */
> -	dup X13_TMP.4s, VTMP0.s[3]; /* INPUT + 3 * 4 */
> -	PLUS(X0, VTMP2);
> -	PLUS(X1, VTMP3);
> -	PLUS(X2, X12_TMP);
> -	PLUS(X3, X13_TMP);
> -
> -	dup VTMP2.4s, VTMP1.s[0]; /* INPUT + 4 * 4 */
> -	dup VTMP3.4s, VTMP1.s[1]; /* INPUT + 5 * 4 */
> -	dup X12_TMP.4s, VTMP1.s[2]; /* INPUT + 6 * 4 */
> -	dup X13_TMP.4s, VTMP1.s[3]; /* INPUT + 7 * 4 */
> -	ld1 {VTMP0.16b, VTMP1.16b}, [INPUT_POS];
> -	mov INPUT_POS, INPUT;
> -	PLUS(X4, VTMP2);
> -	PLUS(X5, VTMP3);
> -	PLUS(X6, X12_TMP);
> -	PLUS(X7, X13_TMP);
> -
> -	dup VTMP2.4s, VTMP0.s[0]; /* INPUT + 8 * 4 */
> -	dup VTMP3.4s, VTMP0.s[1]; /* INPUT + 9 * 4 */
> -	dup X12_TMP.4s, VTMP0.s[2]; /* INPUT + 10 * 4 */
> -	dup X13_TMP.4s, VTMP0.s[3]; /* INPUT + 11 * 4 */
> -	dup VTMP0.4s, VTMP1.s[2]; /* INPUT + 14 * 4 */
> -	dup VTMP1.4s, VTMP1.s[3]; /* INPUT + 15 * 4 */
> -	PLUS(X8, VTMP2);
> -	PLUS(X9, VTMP3);
> -	PLUS(X10, X12_TMP);
> -	PLUS(X11, X13_TMP);
> -	PLUS(X14, VTMP0);
> -	PLUS(X15, VTMP1);
> -
> -	transpose_4x4(X0, X1, X2, X3, VTMP0, VTMP1, VTMP2);
> -	transpose_4x4(X4, X5, X6, X7, VTMP0, VTMP1, VTMP2);
> -	transpose_4x4(X8, X9, X10, X11, VTMP0, VTMP1, VTMP2);
> -	transpose_4x4(X12, X13, X14, X15, VTMP0, VTMP1, VTMP2);
> -
> -	subs NBLKS, NBLKS, #4;
> -
> -	st1 {X0.16b,X4.16B,X8.16b, X12.16b}, [DST], #64
> -	st1 {X1.16b,X5.16b}, [DST], #32;
> -	st1 {X9.16b, X13.16b, X2.16b, X6.16b}, [DST], #64
> -	st1 {X10.16b,X14.16b}, [DST], #32;
> -	st1 {X3.16b, X7.16b, X11.16b, X15.16b}, [DST], #64;
> -
> -	b.ne L(loop4);
> -
> -	ret_spec_stop
> -END (__chacha20_neon_blocks4)
> -
> -#endif
> diff --git a/sysdeps/aarch64/chacha20_arch.h b/sysdeps/aarch64/chacha20_arch.h
> deleted file mode 100644
> index 37dbb917f1..0000000000
> --- a/sysdeps/aarch64/chacha20_arch.h
> +++ /dev/null
> @@ -1,40 +0,0 @@
> -/* Chacha20 implementation, used on arc4random.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -#include <ldsodefs.h>
> -#include <stdbool.h>
> -
> -unsigned int __chacha20_neon_blocks4 (uint32_t *state, uint8_t *dst,
> -				      const uint8_t *src, size_t nblks)
> -     attribute_hidden;
> -
> -static void
> -chacha20_crypt (uint32_t *state, uint8_t *dst, const uint8_t *src,
> -		size_t bytes)
> -{
> -  _Static_assert (CHACHA20_BUFSIZE % 4 == 0,
> -		  "CHACHA20_BUFSIZE not multiple of 4");
> -  _Static_assert (CHACHA20_BUFSIZE > CHACHA20_BLOCK_SIZE * 4,
> -		  "CHACHA20_BUFSIZE <= CHACHA20_BLOCK_SIZE * 4");
> -#ifdef __AARCH64EL__
> -  __chacha20_neon_blocks4 (state, dst, src,
> -			   CHACHA20_BUFSIZE / CHACHA20_BLOCK_SIZE);
> -#else
> -  chacha20_crypt_generic (state, dst, src, bytes);
> -#endif
> -}
> diff --git a/sysdeps/generic/chacha20_arch.h b/sysdeps/generic/chacha20_arch.h
> deleted file mode 100644
> index 1b4559ccbc..0000000000
> --- a/sysdeps/generic/chacha20_arch.h
> +++ /dev/null
> @@ -1,24 +0,0 @@
> -/* Chacha20 implementation, generic interface for encrypt.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -static inline void
> -chacha20_crypt (uint32_t *state, uint8_t *dst, const uint8_t *src,
> -		size_t bytes)
> -{
> -  chacha20_crypt_generic (state, dst, src, bytes);
> -}
> diff --git a/sysdeps/generic/not-cancel.h b/sysdeps/generic/not-cancel.h
> index acceb9b67f..b5a42c70d6 100644
> --- a/sysdeps/generic/not-cancel.h
> +++ b/sysdeps/generic/not-cancel.h
> @@ -20,6 +20,7 @@
>  # define NOT_CANCEL_H
>  
>  #include <fcntl.h>
> +#include <poll.h>
>  #include <unistd.h>
>  #include <sys/wait.h>
>  #include <time.h>
> @@ -50,5 +51,7 @@
>    __fcntl64 (fd, cmd, __VA_ARGS__)
>  #define __getrandom_nocancel(buf, size, flags) \
>    __getrandom (buf, size, flags)
> +#define __poll_infinity_nocancel(fds, nfds) \
> +  __poll (fds, nfds, -1)
>  
>  #endif /* NOT_CANCEL_H  */
> diff --git a/sysdeps/generic/tls-internal-struct.h b/sysdeps/generic/tls-internal-struct.h
> index a91915831b..d76c715a96 100644
> --- a/sysdeps/generic/tls-internal-struct.h
> +++ b/sysdeps/generic/tls-internal-struct.h
> @@ -23,7 +23,6 @@ struct tls_internal_t
>  {
>    char *strsignal_buf;
>    char *strerror_l_buf;
> -  struct arc4random_state_t *rand_state;
>  };
>  
>  #endif

Ok.

> diff --git a/sysdeps/generic/tls-internal.c b/sysdeps/generic/tls-internal.c
> index 8a0f37d509..b32b31b5a9 100644
> --- a/sysdeps/generic/tls-internal.c
> +++ b/sysdeps/generic/tls-internal.c
> @@ -16,7 +16,6 @@
>     License along with the GNU C Library; if not, see
>     <https://www.gnu.org/licenses/>.  */
>  
> -#include <stdlib/arc4random.h>
>  #include <string.h>
>  #include <tls-internal.h>
>  
> @@ -27,13 +26,4 @@ __glibc_tls_internal_free (void)
>  {
>    free (__tls_internal.strsignal_buf);
>    free (__tls_internal.strerror_l_buf);
> -
> -  if (__tls_internal.rand_state != NULL)
> -    {
> -      /* Clear any lingering random state prior so if the thread stack is
> -	 cached it won't leak any data.  */
> -      explicit_bzero (__tls_internal.rand_state,
> -		      sizeof (*__tls_internal.rand_state));
> -      free (__tls_internal.rand_state);
> -    }
>  }

Ok.

> diff --git a/sysdeps/mach/hurd/_Fork.c b/sysdeps/mach/hurd/_Fork.c
> index 667068c8cf..e60b86fab1 100644
> --- a/sysdeps/mach/hurd/_Fork.c
> +++ b/sysdeps/mach/hurd/_Fork.c
> @@ -662,8 +662,6 @@ retry:
>        _hurd_malloc_fork_child ();
>        call_function_static_weak (__malloc_fork_unlock_child);
>  
> -      call_function_static_weak (__arc4random_fork_subprocess);
> -
>        /* Run things that want to run in the child task to set up.  */
>        RUN_HOOK (_hurd_fork_child_hook, ());
>  

Ok.

> diff --git a/sysdeps/mach/hurd/not-cancel.h b/sysdeps/mach/hurd/not-cancel.h
> index 9a3a7ed59a..ae58b734e3 100644
> --- a/sysdeps/mach/hurd/not-cancel.h
> +++ b/sysdeps/mach/hurd/not-cancel.h
> @@ -21,6 +21,7 @@
>  
>  #include <fcntl.h>
>  #include <unistd.h>
> +#include <poll.h>
>  #include <sys/wait.h>
>  #include <time.h>
>  #include <sys/uio.h>
> @@ -77,6 +78,9 @@ __typeof (__fcntl) __fcntl_nocancel;
>  #define __getrandom_nocancel(buf, size, flags) \
>    __getrandom (buf, size, flags)
>  
> +#define __poll_infinity_nocancel(fds, nfds) \
> +  __poll (fds, nfds, -1)
> +
>  #if IS_IN (libc)
>  hidden_proto (__close_nocancel)
>  hidden_proto (__close_nocancel_nostatus)
> diff --git a/sysdeps/nptl/_Fork.c b/sysdeps/nptl/_Fork.c
> index 7dc02569f6..dd568992e2 100644
> --- a/sysdeps/nptl/_Fork.c
> +++ b/sysdeps/nptl/_Fork.c
> @@ -43,8 +43,6 @@ _Fork (void)
>        self->robust_head.list = &self->robust_head;
>        INTERNAL_SYSCALL_CALL (set_robust_list, &self->robust_head,
>  			     sizeof (struct robust_list_head));
> -
> -      call_function_static_weak (__arc4random_fork_subprocess);
>      }
>    return pid;
>  }

Ok.

> diff --git a/sysdeps/powerpc/powerpc64/be/multiarch/Makefile b/sysdeps/powerpc/powerpc64/be/multiarch/Makefile
> deleted file mode 100644
> index 8c75165f7f..0000000000
> --- a/sysdeps/powerpc/powerpc64/be/multiarch/Makefile
> +++ /dev/null
> @@ -1,4 +0,0 @@
> -ifeq ($(subdir),stdlib)
> -sysdep_routines += chacha20-ppc
> -CFLAGS-chacha20-ppc.c += -mcpu=power8
> -endif
> diff --git a/sysdeps/powerpc/powerpc64/be/multiarch/chacha20-ppc.c b/sysdeps/powerpc/powerpc64/be/multiarch/chacha20-ppc.c
> deleted file mode 100644
> index cf9e735326..0000000000
> --- a/sysdeps/powerpc/powerpc64/be/multiarch/chacha20-ppc.c
> +++ /dev/null
> @@ -1 +0,0 @@
> -#include <sysdeps/powerpc/powerpc64/power8/chacha20-ppc.c>
> diff --git a/sysdeps/powerpc/powerpc64/be/multiarch/chacha20_arch.h b/sysdeps/powerpc/powerpc64/be/multiarch/chacha20_arch.h
> deleted file mode 100644
> index 08494dc045..0000000000
> --- a/sysdeps/powerpc/powerpc64/be/multiarch/chacha20_arch.h
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -/* PowerPC optimization for ChaCha20.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -#include <stdbool.h>
> -#include <ldsodefs.h>
> -
> -unsigned int __chacha20_power8_blocks4 (uint32_t *state, uint8_t *dst,
> -					const uint8_t *src, size_t nblks)
> -     attribute_hidden;
> -
> -static void
> -chacha20_crypt (uint32_t *state, uint8_t *dst,
> -		const uint8_t *src, size_t bytes)
> -{
> -  _Static_assert (CHACHA20_BUFSIZE % 4 == 0,
> -		  "CHACHA20_BUFSIZE not multiple of 4");
> -  _Static_assert (CHACHA20_BUFSIZE >= CHACHA20_BLOCK_SIZE * 4,
> -		  "CHACHA20_BUFSIZE < CHACHA20_BLOCK_SIZE * 4");
> -
> -  unsigned long int hwcap = GLRO(dl_hwcap);
> -  unsigned long int hwcap2 = GLRO(dl_hwcap2);
> -  if (hwcap2 & PPC_FEATURE2_ARCH_2_07 && hwcap & PPC_FEATURE_HAS_ALTIVEC)
> -    __chacha20_power8_blocks4 (state, dst, src,
> -			       CHACHA20_BUFSIZE / CHACHA20_BLOCK_SIZE);
> -  else
> -    chacha20_crypt_generic (state, dst, src, bytes);
> -}
> diff --git a/sysdeps/powerpc/powerpc64/power8/Makefile b/sysdeps/powerpc/powerpc64/power8/Makefile
> index abb0aa3f11..71a59529f3 100644
> --- a/sysdeps/powerpc/powerpc64/power8/Makefile
> +++ b/sysdeps/powerpc/powerpc64/power8/Makefile
> @@ -1,8 +1,3 @@
>  ifeq ($(subdir),string)
>  sysdep_routines += strcasestr-ppc64
>  endif
> -
> -ifeq ($(subdir),stdlib)
> -sysdep_routines += chacha20-ppc
> -CFLAGS-chacha20-ppc.c += -mcpu=power8
> -endif

Ok.

> diff --git a/sysdeps/powerpc/powerpc64/power8/chacha20-ppc.c b/sysdeps/powerpc/powerpc64/power8/chacha20-ppc.c
> deleted file mode 100644
> index 0bbdcb9363..0000000000
> --- a/sysdeps/powerpc/powerpc64/power8/chacha20-ppc.c
> +++ /dev/null
> @@ -1,256 +0,0 @@
> -/* Optimized PowerPC implementation of ChaCha20 cipher.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -/* chacha20-ppc.c - PowerPC vector implementation of ChaCha20
> -   Copyright (C) 2019 Jussi Kivilinna <jussi.kivilinna@xxxxxx>
> -
> -   This file is part of Libgcrypt.
> -
> -   Libgcrypt is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU Lesser General Public License as
> -   published by the Free Software Foundation; either version 2.1 of
> -   the License, or (at your option) any later version.
> -
> -   Libgcrypt is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -   GNU Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with this program; if not, see <https://www.gnu.org/licenses/>.
> - */
> -
> -#include <altivec.h>
> -#include <endian.h>
> -#include <stddef.h>
> -#include <stdint.h>
> -#include <sys/cdefs.h>
> -
> -typedef vector unsigned char vector16x_u8;
> -typedef vector unsigned int vector4x_u32;
> -typedef vector unsigned long long vector2x_u64;
> -
> -#if __BYTE_ORDER == __BIG_ENDIAN
> -static const vector16x_u8 le_bswap_const =
> -  { 3, 2, 1, 0, 7, 6, 5, 4, 11, 10, 9, 8, 15, 14, 13, 12 };
> -#endif
> -
> -static inline vector4x_u32
> -vec_rol_elems (vector4x_u32 v, unsigned int idx)
> -{
> -#if __BYTE_ORDER != __BIG_ENDIAN
> -  return vec_sld (v, v, (16 - (4 * idx)) & 15);
> -#else
> -  return vec_sld (v, v, (4 * idx) & 15);
> -#endif
> -}
> -
> -static inline vector4x_u32
> -vec_load_le (unsigned long offset, const unsigned char *ptr)
> -{
> -  vector4x_u32 vec;
> -  vec = vec_vsx_ld (offset, (const uint32_t *)ptr);
> -#if __BYTE_ORDER == __BIG_ENDIAN
> -  vec = (vector4x_u32) vec_perm ((vector16x_u8)vec, (vector16x_u8)vec,
> -				 le_bswap_const);
> -#endif
> -  return vec;
> -}
> -
> -static inline void
> -vec_store_le (vector4x_u32 vec, unsigned long offset, unsigned char *ptr)
> -{
> -#if __BYTE_ORDER == __BIG_ENDIAN
> -  vec = (vector4x_u32)vec_perm((vector16x_u8)vec, (vector16x_u8)vec,
> -			       le_bswap_const);
> -#endif
> -  vec_vsx_st (vec, offset, (uint32_t *)ptr);
> -}
> -
> -
> -static inline vector4x_u32
> -vec_add_ctr_u64 (vector4x_u32 v, vector4x_u32 a)
> -{
> -#if __BYTE_ORDER == __BIG_ENDIAN
> -  static const vector16x_u8 swap32 =
> -    { 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11 };
> -  vector2x_u64 vec, add, sum;
> -
> -  vec = (vector2x_u64)vec_perm ((vector16x_u8)v, (vector16x_u8)v, swap32);
> -  add = (vector2x_u64)vec_perm ((vector16x_u8)a, (vector16x_u8)a, swap32);
> -  sum = vec + add;
> -  return (vector4x_u32)vec_perm ((vector16x_u8)sum, (vector16x_u8)sum, swap32);
> -#else
> -  return (vector4x_u32)((vector2x_u64)(v) + (vector2x_u64)(a));
> -#endif
> -}
> -
> -/**********************************************************************
> -  4-way chacha20
> - **********************************************************************/
> -
> -#define ROTATE(v1,rolv)			\
> -	__asm__ ("vrlw %0,%1,%2\n\t" : "=v" (v1) : "v" (v1), "v" (rolv))
> -
> -#define PLUS(ds,s) \
> -	((ds) += (s))
> -
> -#define XOR(ds,s) \
> -	((ds) ^= (s))
> -
> -#define ADD_U64(v,a) \
> -	(v = vec_add_ctr_u64(v, a))
> -
> -/* 4x4 32-bit integer matrix transpose */
> -#define transpose_4x4(x0, x1, x2, x3) ({ \
> -	vector4x_u32 t1 = vec_mergeh(x0, x2); \
> -	vector4x_u32 t2 = vec_mergel(x0, x2); \
> -	vector4x_u32 t3 = vec_mergeh(x1, x3); \
> -	x3 = vec_mergel(x1, x3); \
> -	x0 = vec_mergeh(t1, t3); \
> -	x1 = vec_mergel(t1, t3); \
> -	x2 = vec_mergeh(t2, x3); \
> -	x3 = vec_mergel(t2, x3); \
> -      })
> -
> -#define QUARTERROUND2(a1,b1,c1,d1,a2,b2,c2,d2)			\
> -	PLUS(a1,b1); PLUS(a2,b2); XOR(d1,a1); XOR(d2,a2);	\
> -	    ROTATE(d1, rotate_16); ROTATE(d2, rotate_16);	\
> -	PLUS(c1,d1); PLUS(c2,d2); XOR(b1,c1); XOR(b2,c2);	\
> -	    ROTATE(b1, rotate_12); ROTATE(b2, rotate_12);	\
> -	PLUS(a1,b1); PLUS(a2,b2); XOR(d1,a1); XOR(d2,a2);	\
> -	    ROTATE(d1, rotate_8); ROTATE(d2, rotate_8);		\
> -	PLUS(c1,d1); PLUS(c2,d2); XOR(b1,c1); XOR(b2,c2);	\
> -	    ROTATE(b1, rotate_7); ROTATE(b2, rotate_7);
> -
> -unsigned int attribute_hidden
> -__chacha20_power8_blocks4 (uint32_t *state, uint8_t *dst, const uint8_t *src,
> -			   size_t nblks)
> -{
> -  vector4x_u32 counters_0123 = { 0, 1, 2, 3 };
> -  vector4x_u32 counter_4 = { 4, 0, 0, 0 };
> -  vector4x_u32 rotate_16 = { 16, 16, 16, 16 };
> -  vector4x_u32 rotate_12 = { 12, 12, 12, 12 };
> -  vector4x_u32 rotate_8 = { 8, 8, 8, 8 };
> -  vector4x_u32 rotate_7 = { 7, 7, 7, 7 };
> -  vector4x_u32 state0, state1, state2, state3;
> -  vector4x_u32 v0, v1, v2, v3, v4, v5, v6, v7;
> -  vector4x_u32 v8, v9, v10, v11, v12, v13, v14, v15;
> -  vector4x_u32 tmp;
> -  int i;
> -
> -  /* Force preload of constants to vector registers.  */
> -  __asm__ ("": "+v" (counters_0123) :: "memory");
> -  __asm__ ("": "+v" (counter_4) :: "memory");
> -  __asm__ ("": "+v" (rotate_16) :: "memory");
> -  __asm__ ("": "+v" (rotate_12) :: "memory");
> -  __asm__ ("": "+v" (rotate_8) :: "memory");
> -  __asm__ ("": "+v" (rotate_7) :: "memory");
> -
> -  state0 = vec_vsx_ld (0 * 16, state);
> -  state1 = vec_vsx_ld (1 * 16, state);
> -  state2 = vec_vsx_ld (2 * 16, state);
> -  state3 = vec_vsx_ld (3 * 16, state);
> -
> -  do
> -    {
> -      v0 = vec_splat (state0, 0);
> -      v1 = vec_splat (state0, 1);
> -      v2 = vec_splat (state0, 2);
> -      v3 = vec_splat (state0, 3);
> -      v4 = vec_splat (state1, 0);
> -      v5 = vec_splat (state1, 1);
> -      v6 = vec_splat (state1, 2);
> -      v7 = vec_splat (state1, 3);
> -      v8 = vec_splat (state2, 0);
> -      v9 = vec_splat (state2, 1);
> -      v10 = vec_splat (state2, 2);
> -      v11 = vec_splat (state2, 3);
> -      v12 = vec_splat (state3, 0);
> -      v13 = vec_splat (state3, 1);
> -      v14 = vec_splat (state3, 2);
> -      v15 = vec_splat (state3, 3);
> -
> -      v12 += counters_0123;
> -      v13 -= vec_cmplt (v12, counters_0123);
> -
> -      for (i = 20; i > 0; i -= 2)
> -	{
> -	  QUARTERROUND2 (v0, v4,  v8, v12,   v1, v5,  v9, v13)
> -	  QUARTERROUND2 (v2, v6, v10, v14,   v3, v7, v11, v15)
> -	  QUARTERROUND2 (v0, v5, v10, v15,   v1, v6, v11, v12)
> -	  QUARTERROUND2 (v2, v7,  v8, v13,   v3, v4,  v9, v14)
> -	}
> -
> -      v0 += vec_splat (state0, 0);
> -      v1 += vec_splat (state0, 1);
> -      v2 += vec_splat (state0, 2);
> -      v3 += vec_splat (state0, 3);
> -      v4 += vec_splat (state1, 0);
> -      v5 += vec_splat (state1, 1);
> -      v6 += vec_splat (state1, 2);
> -      v7 += vec_splat (state1, 3);
> -      v8 += vec_splat (state2, 0);
> -      v9 += vec_splat (state2, 1);
> -      v10 += vec_splat (state2, 2);
> -      v11 += vec_splat (state2, 3);
> -      tmp = vec_splat( state3, 0);
> -      tmp += counters_0123;
> -      v12 += tmp;
> -      v13 += vec_splat (state3, 1) - vec_cmplt (tmp, counters_0123);
> -      v14 += vec_splat (state3, 2);
> -      v15 += vec_splat (state3, 3);
> -      ADD_U64 (state3, counter_4);
> -
> -      transpose_4x4 (v0, v1, v2, v3);
> -      transpose_4x4 (v4, v5, v6, v7);
> -      transpose_4x4 (v8, v9, v10, v11);
> -      transpose_4x4 (v12, v13, v14, v15);
> -
> -      vec_store_le (v0, (64 * 0 + 16 * 0), dst);
> -      vec_store_le (v1, (64 * 1 + 16 * 0), dst);
> -      vec_store_le (v2, (64 * 2 + 16 * 0), dst);
> -      vec_store_le (v3, (64 * 3 + 16 * 0), dst);
> -
> -      vec_store_le (v4, (64 * 0 + 16 * 1), dst);
> -      vec_store_le (v5, (64 * 1 + 16 * 1), dst);
> -      vec_store_le (v6, (64 * 2 + 16 * 1), dst);
> -      vec_store_le (v7, (64 * 3 + 16 * 1), dst);
> -
> -      vec_store_le (v8, (64 * 0 + 16 * 2), dst);
> -      vec_store_le (v9, (64 * 1 + 16 * 2), dst);
> -      vec_store_le (v10, (64 * 2 + 16 * 2), dst);
> -      vec_store_le (v11, (64 * 3 + 16 * 2), dst);
> -
> -      vec_store_le (v12, (64 * 0 + 16 * 3), dst);
> -      vec_store_le (v13, (64 * 1 + 16 * 3), dst);
> -      vec_store_le (v14, (64 * 2 + 16 * 3), dst);
> -      vec_store_le (v15, (64 * 3 + 16 * 3), dst);
> -
> -      src += 4*64;
> -      dst += 4*64;
> -
> -      nblks -= 4;
> -    }
> -  while (nblks);
> -
> -  vec_vsx_st (state3, 3 * 16, state);
> -
> -  return 0;
> -}
> diff --git a/sysdeps/powerpc/powerpc64/power8/chacha20_arch.h b/sysdeps/powerpc/powerpc64/power8/chacha20_arch.h
> deleted file mode 100644
> index ded06762b6..0000000000
> --- a/sysdeps/powerpc/powerpc64/power8/chacha20_arch.h
> +++ /dev/null
> @@ -1,37 +0,0 @@
> -/* PowerPC optimization for ChaCha20.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -#include <stdbool.h>
> -#include <ldsodefs.h>
> -
> -unsigned int __chacha20_power8_blocks4 (uint32_t *state, uint8_t *dst,
> -					const uint8_t *src, size_t nblks)
> -     attribute_hidden;
> -
> -static void
> -chacha20_crypt (uint32_t *state, uint8_t *dst,
> -		const uint8_t *src, size_t bytes)
> -{
> -  _Static_assert (CHACHA20_BUFSIZE % 4 == 0,
> -		  "CHACHA20_BUFSIZE not multiple of 4");
> -  _Static_assert (CHACHA20_BUFSIZE >= CHACHA20_BLOCK_SIZE * 4,
> -		  "CHACHA20_BUFSIZE < CHACHA20_BLOCK_SIZE * 4");
> -
> -  __chacha20_power8_blocks4 (state, dst, src,
> -			     CHACHA20_BUFSIZE / CHACHA20_BLOCK_SIZE);
> -}
> diff --git a/sysdeps/s390/s390-64/Makefile b/sysdeps/s390/s390-64/Makefile
> index 96c110f490..66ed844e68 100644
> --- a/sysdeps/s390/s390-64/Makefile
> +++ b/sysdeps/s390/s390-64/Makefile
> @@ -67,9 +67,3 @@ tests-container += tst-glibc-hwcaps-cache
>  endif
>  
>  endif # $(subdir) == elf
> -
> -ifeq ($(subdir),stdlib)
> -sysdep_routines += \
> -  chacha20-s390x \
> -  # sysdep_routines
> -endif
> diff --git a/sysdeps/s390/s390-64/chacha20-s390x.S b/sysdeps/s390/s390-64/chacha20-s390x.S
> deleted file mode 100644
> index e38504d370..0000000000
> --- a/sysdeps/s390/s390-64/chacha20-s390x.S
> +++ /dev/null
> @@ -1,573 +0,0 @@
> -/* Optimized s390x implementation of ChaCha20 cipher.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -/* chacha20-s390x.S  -  zSeries implementation of ChaCha20 cipher
> -
> -   Copyright (C) 2020 Jussi Kivilinna <jussi.kivilinna@xxxxxx>
> -
> -   This file is part of Libgcrypt.
> -
> -   Libgcrypt is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU Lesser General Public License as
> -   published by the Free Software Foundation; either version 2.1 of
> -   the License, or (at your option) any later version.
> -
> -   Libgcrypt is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -   GNU Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with this program; if not, see <https://www.gnu.org/licenses/>.
> - */
> -
> -#include <sysdep.h>
> -
> -#ifdef HAVE_S390_VX_ASM_SUPPORT
> -
> -/* CFA expressions are used for pointing CFA and registers to
> - * SP relative offsets. */
> -# define DW_REGNO_SP 15
> -
> -/* Fixed length encoding used for integers for now. */
> -# define DW_SLEB128_7BIT(value) \
> -        0x00|((value) & 0x7f)
> -# define DW_SLEB128_28BIT(value) \
> -        0x80|((value)&0x7f), \
> -        0x80|(((value)>>7)&0x7f), \
> -        0x80|(((value)>>14)&0x7f), \
> -        0x00|(((value)>>21)&0x7f)
> -
> -# define cfi_cfa_on_stack(rsp_offs,cfa_depth) \
> -        .cfi_escape \
> -          0x0f, /* DW_CFA_def_cfa_expression */ \
> -            DW_SLEB128_7BIT(11), /* length */ \
> -          0x7f, /* DW_OP_breg15, rsp + constant */ \
> -            DW_SLEB128_28BIT(rsp_offs), \
> -          0x06, /* DW_OP_deref */ \
> -          0x23, /* DW_OP_plus_constu */ \
> -            DW_SLEB128_28BIT((cfa_depth)+160)
> -
> -.machine "z13+vx"
> -.text
> -
> -.balign 16
> -.Lconsts:
> -.Lwordswap:
> -	.byte 12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3
> -.Lbswap128:
> -	.byte 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0
> -.Lbswap32:
> -	.byte 3, 2, 1, 0, 7, 6, 5, 4, 11, 10, 9, 8, 15, 14, 13, 12
> -.Lone:
> -	.long 0, 0, 0, 1
> -.Ladd_counter_0123:
> -	.long 0, 1, 2, 3
> -.Ladd_counter_4567:
> -	.long 4, 5, 6, 7
> -
> -/* register macros */
> -#define INPUT %r2
> -#define DST   %r3
> -#define SRC   %r4
> -#define NBLKS %r0
> -#define ROUND %r1
> -
> -/* stack structure */
> -
> -#define STACK_FRAME_STD    (8 * 16 + 8 * 4)
> -#define STACK_FRAME_F8_F15 (8 * 8)
> -#define STACK_FRAME_Y0_Y15 (16 * 16)
> -#define STACK_FRAME_CTR    (4 * 16)
> -#define STACK_FRAME_PARAMS (6 * 8)
> -
> -#define STACK_MAX   (STACK_FRAME_STD + STACK_FRAME_F8_F15 + \
> -		     STACK_FRAME_Y0_Y15 + STACK_FRAME_CTR + \
> -		     STACK_FRAME_PARAMS)
> -
> -#define STACK_F8     (STACK_MAX - STACK_FRAME_F8_F15)
> -#define STACK_F9     (STACK_F8 + 8)
> -#define STACK_F10    (STACK_F9 + 8)
> -#define STACK_F11    (STACK_F10 + 8)
> -#define STACK_F12    (STACK_F11 + 8)
> -#define STACK_F13    (STACK_F12 + 8)
> -#define STACK_F14    (STACK_F13 + 8)
> -#define STACK_F15    (STACK_F14 + 8)
> -#define STACK_Y0_Y15 (STACK_F8 - STACK_FRAME_Y0_Y15)
> -#define STACK_CTR    (STACK_Y0_Y15 - STACK_FRAME_CTR)
> -#define STACK_INPUT  (STACK_CTR - STACK_FRAME_PARAMS)
> -#define STACK_DST    (STACK_INPUT + 8)
> -#define STACK_SRC    (STACK_DST + 8)
> -#define STACK_NBLKS  (STACK_SRC + 8)
> -#define STACK_POCTX  (STACK_NBLKS + 8)
> -#define STACK_POSRC  (STACK_POCTX + 8)
> -
> -#define STACK_G0_H3  STACK_Y0_Y15
> -
> -/* vector registers */
> -#define A0 %v0
> -#define A1 %v1
> -#define A2 %v2
> -#define A3 %v3
> -
> -#define B0 %v4
> -#define B1 %v5
> -#define B2 %v6
> -#define B3 %v7
> -
> -#define C0 %v8
> -#define C1 %v9
> -#define C2 %v10
> -#define C3 %v11
> -
> -#define D0 %v12
> -#define D1 %v13
> -#define D2 %v14
> -#define D3 %v15
> -
> -#define E0 %v16
> -#define E1 %v17
> -#define E2 %v18
> -#define E3 %v19
> -
> -#define F0 %v20
> -#define F1 %v21
> -#define F2 %v22
> -#define F3 %v23
> -
> -#define G0 %v24
> -#define G1 %v25
> -#define G2 %v26
> -#define G3 %v27
> -
> -#define H0 %v28
> -#define H1 %v29
> -#define H2 %v30
> -#define H3 %v31
> -
> -#define IO0 E0
> -#define IO1 E1
> -#define IO2 E2
> -#define IO3 E3
> -#define IO4 F0
> -#define IO5 F1
> -#define IO6 F2
> -#define IO7 F3
> -
> -#define S0 G0
> -#define S1 G1
> -#define S2 G2
> -#define S3 G3
> -
> -#define TMP0 H0
> -#define TMP1 H1
> -#define TMP2 H2
> -#define TMP3 H3
> -
> -#define X0 A0
> -#define X1 A1
> -#define X2 A2
> -#define X3 A3
> -#define X4 B0
> -#define X5 B1
> -#define X6 B2
> -#define X7 B3
> -#define X8 C0
> -#define X9 C1
> -#define X10 C2
> -#define X11 C3
> -#define X12 D0
> -#define X13 D1
> -#define X14 D2
> -#define X15 D3
> -
> -#define Y0 E0
> -#define Y1 E1
> -#define Y2 E2
> -#define Y3 E3
> -#define Y4 F0
> -#define Y5 F1
> -#define Y6 F2
> -#define Y7 F3
> -#define Y8 G0
> -#define Y9 G1
> -#define Y10 G2
> -#define Y11 G3
> -#define Y12 H0
> -#define Y13 H1
> -#define Y14 H2
> -#define Y15 H3
> -
> -/**********************************************************************
> -  helper macros
> - **********************************************************************/
> -
> -#define _ /*_*/
> -
> -#define START_STACK(last_r) \
> -	lgr %r0, %r15; \
> -	lghi %r1, ~15; \
> -	stmg %r6, last_r, 6 * 8(%r15); \
> -	aghi %r0, -STACK_MAX; \
> -	ngr %r0, %r1; \
> -	lgr %r1, %r15; \
> -	cfi_def_cfa_register(1); \
> -	lgr %r15, %r0; \
> -	stg %r1, 0(%r15); \
> -	cfi_cfa_on_stack(0, 0); \
> -	std %f8, STACK_F8(%r15); \
> -	std %f9, STACK_F9(%r15); \
> -	std %f10, STACK_F10(%r15); \
> -	std %f11, STACK_F11(%r15); \
> -	std %f12, STACK_F12(%r15); \
> -	std %f13, STACK_F13(%r15); \
> -	std %f14, STACK_F14(%r15); \
> -	std %f15, STACK_F15(%r15);
> -
> -#define END_STACK(last_r) \
> -	lg %r1, 0(%r15); \
> -	ld %f8, STACK_F8(%r15); \
> -	ld %f9, STACK_F9(%r15); \
> -	ld %f10, STACK_F10(%r15); \
> -	ld %f11, STACK_F11(%r15); \
> -	ld %f12, STACK_F12(%r15); \
> -	ld %f13, STACK_F13(%r15); \
> -	ld %f14, STACK_F14(%r15); \
> -	ld %f15, STACK_F15(%r15); \
> -	lmg %r6, last_r, 6 * 8(%r1); \
> -	lgr %r15, %r1; \
> -	cfi_def_cfa_register(DW_REGNO_SP);
> -
> -#define PLUS(dst,src) \
> -	vaf dst, dst, src;
> -
> -#define XOR(dst,src) \
> -	vx dst, dst, src;
> -
> -#define ROTATE(v1,c) \
> -	verllf v1, v1, (c)(0);
> -
> -#define WORD_ROTATE(v1,s) \
> -	vsldb v1, v1, v1, ((s) * 4);
> -
> -#define DST_8(OPER, I, J) \
> -	OPER(A##I, J); OPER(B##I, J); OPER(C##I, J); OPER(D##I, J); \
> -	OPER(E##I, J); OPER(F##I, J); OPER(G##I, J); OPER(H##I, J);
> -
> -/**********************************************************************
> -  round macros
> - **********************************************************************/
> -
> -/**********************************************************************
> -  8-way chacha20 ("vertical")
> - **********************************************************************/
> -
> -#define QUARTERROUND4_V8_POLY(x0,x1,x2,x3,x4,x5,x6,x7,\
> -			      x8,x9,x10,x11,x12,x13,x14,x15,\
> -			      y0,y1,y2,y3,y4,y5,y6,y7,\
> -			      y8,y9,y10,y11,y12,y13,y14,y15,\
> -			      op1,op2,op3,op4,op5,op6,op7,op8,\
> -			      op9,op10,op11,op12) \
> -	op1;							\
> -	PLUS(x0, x1); PLUS(x4, x5);				\
> -	PLUS(x8, x9); PLUS(x12, x13);				\
> -	PLUS(y0, y1); PLUS(y4, y5);				\
> -	PLUS(y8, y9); PLUS(y12, y13);				\
> -	    op2;						\
> -	    XOR(x3, x0);  XOR(x7, x4);				\
> -	    XOR(x11, x8); XOR(x15, x12);			\
> -	    XOR(y3, y0);  XOR(y7, y4);				\
> -	    XOR(y11, y8); XOR(y15, y12);			\
> -		op3;						\
> -		ROTATE(x3, 16); ROTATE(x7, 16);			\
> -		ROTATE(x11, 16); ROTATE(x15, 16);		\
> -		ROTATE(y3, 16); ROTATE(y7, 16);			\
> -		ROTATE(y11, 16); ROTATE(y15, 16);		\
> -	op4;							\
> -	PLUS(x2, x3); PLUS(x6, x7);				\
> -	PLUS(x10, x11); PLUS(x14, x15);				\
> -	PLUS(y2, y3); PLUS(y6, y7);				\
> -	PLUS(y10, y11); PLUS(y14, y15);				\
> -	    op5;						\
> -	    XOR(x1, x2); XOR(x5, x6);				\
> -	    XOR(x9, x10); XOR(x13, x14);			\
> -	    XOR(y1, y2); XOR(y5, y6);				\
> -	    XOR(y9, y10); XOR(y13, y14);			\
> -		op6;						\
> -		ROTATE(x1,12); ROTATE(x5,12);			\
> -		ROTATE(x9,12); ROTATE(x13,12);			\
> -		ROTATE(y1,12); ROTATE(y5,12);			\
> -		ROTATE(y9,12); ROTATE(y13,12);			\
> -	op7;							\
> -	PLUS(x0, x1); PLUS(x4, x5);				\
> -	PLUS(x8, x9); PLUS(x12, x13);				\
> -	PLUS(y0, y1); PLUS(y4, y5);				\
> -	PLUS(y8, y9); PLUS(y12, y13);				\
> -	    op8;						\
> -	    XOR(x3, x0); XOR(x7, x4);				\
> -	    XOR(x11, x8); XOR(x15, x12);			\
> -	    XOR(y3, y0); XOR(y7, y4);				\
> -	    XOR(y11, y8); XOR(y15, y12);			\
> -		op9;						\
> -		ROTATE(x3,8); ROTATE(x7,8);			\
> -		ROTATE(x11,8); ROTATE(x15,8);			\
> -		ROTATE(y3,8); ROTATE(y7,8);			\
> -		ROTATE(y11,8); ROTATE(y15,8);			\
> -	op10;							\
> -	PLUS(x2, x3); PLUS(x6, x7);				\
> -	PLUS(x10, x11); PLUS(x14, x15);				\
> -	PLUS(y2, y3); PLUS(y6, y7);				\
> -	PLUS(y10, y11); PLUS(y14, y15);				\
> -	    op11;						\
> -	    XOR(x1, x2); XOR(x5, x6);				\
> -	    XOR(x9, x10); XOR(x13, x14);			\
> -	    XOR(y1, y2); XOR(y5, y6);				\
> -	    XOR(y9, y10); XOR(y13, y14);			\
> -		op12;						\
> -		ROTATE(x1,7); ROTATE(x5,7);			\
> -		ROTATE(x9,7); ROTATE(x13,7);			\
> -		ROTATE(y1,7); ROTATE(y5,7);			\
> -		ROTATE(y9,7); ROTATE(y13,7);
> -
> -#define QUARTERROUND4_V8(x0,x1,x2,x3,x4,x5,x6,x7,x8,x9,x10,x11,x12,x13,x14,x15,\
> -			 y0,y1,y2,y3,y4,y5,y6,y7,y8,y9,y10,y11,y12,y13,y14,y15) \
> -	QUARTERROUND4_V8_POLY(x0,x1,x2,x3,x4,x5,x6,x7,\
> -			      x8,x9,x10,x11,x12,x13,x14,x15,\
> -			      y0,y1,y2,y3,y4,y5,y6,y7,\
> -			      y8,y9,y10,y11,y12,y13,y14,y15,\
> -			      ,,,,,,,,,,,)
> -
> -#define TRANSPOSE_4X4_2(v0,v1,v2,v3,va,vb,vc,vd,tmp0,tmp1,tmp2,tmpa,tmpb,tmpc) \
> -	  vmrhf tmp0, v0, v1;					\
> -	  vmrhf tmp1, v2, v3;					\
> -	  vmrlf tmp2, v0, v1;					\
> -	  vmrlf   v3, v2, v3;					\
> -	  vmrhf tmpa, va, vb;					\
> -	  vmrhf tmpb, vc, vd;					\
> -	  vmrlf tmpc, va, vb;					\
> -	  vmrlf   vd, vc, vd;					\
> -	  vpdi v0, tmp0, tmp1, 0;				\
> -	  vpdi v1, tmp0, tmp1, 5;				\
> -	  vpdi v2, tmp2,   v3, 0;				\
> -	  vpdi v3, tmp2,   v3, 5;				\
> -	  vpdi va, tmpa, tmpb, 0;				\
> -	  vpdi vb, tmpa, tmpb, 5;				\
> -	  vpdi vc, tmpc,   vd, 0;				\
> -	  vpdi vd, tmpc,   vd, 5;
> -
> -.balign 8
> -.globl __chacha20_s390x_vx_blocks8
> -ENTRY (__chacha20_s390x_vx_blocks8)
> -	/* input:
> -	 *	%r2: input
> -	 *	%r3: dst
> -	 *	%r4: src
> -	 *	%r5: nblks (multiple of 8)
> -	 */
> -
> -	START_STACK(%r8);
> -	lgr NBLKS, %r5;
> -
> -	larl %r7, .Lconsts;
> -
> -	/* Load counter. */
> -	lg %r8, (12 * 4)(INPUT);
> -	rllg %r8, %r8, 32;
> -
> -.balign 4
> -	/* Process eight chacha20 blocks per loop. */
> -.Lloop8:
> -	vlm Y0, Y3, 0(INPUT);
> -
> -	slgfi NBLKS, 8;
> -	lghi ROUND, (20 / 2);
> -
> -	/* Construct counter vectors X12/X13 & Y12/Y13. */
> -	vl X4, (.Ladd_counter_0123 - .Lconsts)(%r7);
> -	vl Y4, (.Ladd_counter_4567 - .Lconsts)(%r7);
> -	vrepf Y12, Y3, 0;
> -	vrepf Y13, Y3, 1;
> -	vaccf X5, Y12, X4;
> -	vaccf Y5, Y12, Y4;
> -	vaf X12, Y12, X4;
> -	vaf Y12, Y12, Y4;
> -	vaf X13, Y13, X5;
> -	vaf Y13, Y13, Y5;
> -
> -	vrepf X0, Y0, 0;
> -	vrepf X1, Y0, 1;
> -	vrepf X2, Y0, 2;
> -	vrepf X3, Y0, 3;
> -	vrepf X4, Y1, 0;
> -	vrepf X5, Y1, 1;
> -	vrepf X6, Y1, 2;
> -	vrepf X7, Y1, 3;
> -	vrepf X8, Y2, 0;
> -	vrepf X9, Y2, 1;
> -	vrepf X10, Y2, 2;
> -	vrepf X11, Y2, 3;
> -	vrepf X14, Y3, 2;
> -	vrepf X15, Y3, 3;
> -
> -	/* Store counters for blocks 0-7. */
> -	vstm X12, X13, (STACK_CTR + 0 * 16)(%r15);
> -	vstm Y12, Y13, (STACK_CTR + 2 * 16)(%r15);
> -
> -	vlr Y0, X0;
> -	vlr Y1, X1;
> -	vlr Y2, X2;
> -	vlr Y3, X3;
> -	vlr Y4, X4;
> -	vlr Y5, X5;
> -	vlr Y6, X6;
> -	vlr Y7, X7;
> -	vlr Y8, X8;
> -	vlr Y9, X9;
> -	vlr Y10, X10;
> -	vlr Y11, X11;
> -	vlr Y14, X14;
> -	vlr Y15, X15;
> -
> -	/* Update and store counter. */
> -	agfi %r8, 8;
> -	rllg %r5, %r8, 32;
> -	stg %r5, (12 * 4)(INPUT);
> -
> -.balign 4
> -.Lround2_8:
> -	QUARTERROUND4_V8(X0, X4,  X8, X12,   X1, X5,  X9, X13,
> -			 X2, X6, X10, X14,   X3, X7, X11, X15,
> -			 Y0, Y4,  Y8, Y12,   Y1, Y5,  Y9, Y13,
> -			 Y2, Y6, Y10, Y14,   Y3, Y7, Y11, Y15);
> -	QUARTERROUND4_V8(X0, X5, X10, X15,   X1, X6, X11, X12,
> -			 X2, X7,  X8, X13,   X3, X4,  X9, X14,
> -			 Y0, Y5, Y10, Y15,   Y1, Y6, Y11, Y12,
> -			 Y2, Y7,  Y8, Y13,   Y3, Y4,  Y9, Y14);
> -	brctg ROUND, .Lround2_8;
> -
> -	/* Store blocks 4-7. */
> -	vstm Y0, Y15, STACK_Y0_Y15(%r15);
> -
> -	/* Load counters for blocks 0-3. */
> -	vlm Y0, Y1, (STACK_CTR + 0 * 16)(%r15);
> -
> -	lghi ROUND, 1;
> -	j .Lfirst_output_4blks_8;
> -
> -.balign 4
> -.Lsecond_output_4blks_8:
> -	/* Load blocks 4-7. */
> -	vlm X0, X15, STACK_Y0_Y15(%r15);
> -
> -	/* Load counters for blocks 4-7. */
> -	vlm Y0, Y1, (STACK_CTR + 2 * 16)(%r15);
> -
> -	lghi ROUND, 0;
> -
> -.balign 4
> -	/* Output four chacha20 blocks per loop. */
> -.Lfirst_output_4blks_8:
> -	vlm Y12, Y15, 0(INPUT);
> -	PLUS(X12, Y0);
> -	PLUS(X13, Y1);
> -	vrepf Y0, Y12, 0;
> -	vrepf Y1, Y12, 1;
> -	vrepf Y2, Y12, 2;
> -	vrepf Y3, Y12, 3;
> -	vrepf Y4, Y13, 0;
> -	vrepf Y5, Y13, 1;
> -	vrepf Y6, Y13, 2;
> -	vrepf Y7, Y13, 3;
> -	vrepf Y8, Y14, 0;
> -	vrepf Y9, Y14, 1;
> -	vrepf Y10, Y14, 2;
> -	vrepf Y11, Y14, 3;
> -	vrepf Y14, Y15, 2;
> -	vrepf Y15, Y15, 3;
> -	PLUS(X0, Y0);
> -	PLUS(X1, Y1);
> -	PLUS(X2, Y2);
> -	PLUS(X3, Y3);
> -	PLUS(X4, Y4);
> -	PLUS(X5, Y5);
> -	PLUS(X6, Y6);
> -	PLUS(X7, Y7);
> -	PLUS(X8, Y8);
> -	PLUS(X9, Y9);
> -	PLUS(X10, Y10);
> -	PLUS(X11, Y11);
> -	PLUS(X14, Y14);
> -	PLUS(X15, Y15);
> -
> -	vl Y15, (.Lbswap32 - .Lconsts)(%r7);
> -	TRANSPOSE_4X4_2(X0, X1, X2, X3, X4, X5, X6, X7,
> -			Y9, Y10, Y11, Y12, Y13, Y14);
> -	TRANSPOSE_4X4_2(X8, X9, X10, X11, X12, X13, X14, X15,
> -			Y9, Y10, Y11, Y12, Y13, Y14);
> -
> -	vlm Y0, Y14, 0(SRC);
> -	vperm X0, X0, X0, Y15;
> -	vperm X1, X1, X1, Y15;
> -	vperm X2, X2, X2, Y15;
> -	vperm X3, X3, X3, Y15;
> -	vperm X4, X4, X4, Y15;
> -	vperm X5, X5, X5, Y15;
> -	vperm X6, X6, X6, Y15;
> -	vperm X7, X7, X7, Y15;
> -	vperm X8, X8, X8, Y15;
> -	vperm X9, X9, X9, Y15;
> -	vperm X10, X10, X10, Y15;
> -	vperm X11, X11, X11, Y15;
> -	vperm X12, X12, X12, Y15;
> -	vperm X13, X13, X13, Y15;
> -	vperm X14, X14, X14, Y15;
> -	vperm X15, X15, X15, Y15;
> -	vl Y15, (15 * 16)(SRC);
> -
> -	XOR(Y0, X0);
> -	XOR(Y1, X4);
> -	XOR(Y2, X8);
> -	XOR(Y3, X12);
> -	XOR(Y4, X1);
> -	XOR(Y5, X5);
> -	XOR(Y6, X9);
> -	XOR(Y7, X13);
> -	XOR(Y8, X2);
> -	XOR(Y9, X6);
> -	XOR(Y10, X10);
> -	XOR(Y11, X14);
> -	XOR(Y12, X3);
> -	XOR(Y13, X7);
> -	XOR(Y14, X11);
> -	XOR(Y15, X15);
> -	vstm Y0, Y15, 0(DST);
> -
> -	aghi SRC, 256;
> -	aghi DST, 256;
> -
> -	clgije ROUND, 1, .Lsecond_output_4blks_8;
> -
> -	clgijhe NBLKS, 8, .Lloop8;
> -
> -
> -	END_STACK(%r8);
> -	xgr %r2, %r2;
> -	br %r14;
> -END (__chacha20_s390x_vx_blocks8)
> -
> -#endif /* HAVE_S390_VX_ASM_SUPPORT */

Ok.

> diff --git a/sysdeps/s390/s390-64/chacha20_arch.h b/sysdeps/s390/s390-64/chacha20_arch.h
> deleted file mode 100644
> index 0c6abf77e8..0000000000
> --- a/sysdeps/s390/s390-64/chacha20_arch.h
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -/* s390x optimization for ChaCha20.VE_S390_VX_ASM_SUPPORT
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -#include <stdbool.h>
> -#include <ldsodefs.h>
> -#include <sys/auxv.h>
> -
> -unsigned int __chacha20_s390x_vx_blocks8 (uint32_t *state, uint8_t *dst,
> -					  const uint8_t *src, size_t nblks)
> -     attribute_hidden;
> -
> -static inline void
> -chacha20_crypt (uint32_t *state, uint8_t *dst, const uint8_t *src,
> -		size_t bytes)
> -{
> -#ifdef HAVE_S390_VX_ASM_SUPPORT
> -  _Static_assert (CHACHA20_BUFSIZE % 8 == 0,
> -		  "CHACHA20_BUFSIZE not multiple of 8");
> -  _Static_assert (CHACHA20_BUFSIZE >= CHACHA20_BLOCK_SIZE * 8,
> -		  "CHACHA20_BUFSIZE < CHACHA20_BLOCK_SIZE * 8");
> -
> -  if (GLRO(dl_hwcap) & HWCAP_S390_VX)
> -    {
> -      __chacha20_s390x_vx_blocks8 (state, dst, src,
> -				   CHACHA20_BUFSIZE / CHACHA20_BLOCK_SIZE);
> -      return;
> -    }
> -#endif
> -  chacha20_crypt_generic (state, dst, src, bytes);
> -}
> diff --git a/sysdeps/unix/sysv/linux/not-cancel.h b/sysdeps/unix/sysv/linux/not-cancel.h
> index 2c58d5ae2f..a263d294b1 100644
> --- a/sysdeps/unix/sysv/linux/not-cancel.h
> +++ b/sysdeps/unix/sysv/linux/not-cancel.h
> @@ -23,6 +23,7 @@
>  #include <sysdep.h>
>  #include <errno.h>
>  #include <unistd.h>
> +#include <sys/poll.h>
>  #include <sys/syscall.h>
>  #include <sys/wait.h>
>  #include <time.h>
> @@ -70,9 +71,14 @@ __writev_nocancel_nostatus (int fd, const struct iovec *iov, int iovcnt)
>  static inline int
>  __getrandom_nocancel (void *buf, size_t buflen, unsigned int flags)
>  {
> -  return INTERNAL_SYSCALL_CALL (getrandom, buf, buflen, flags);
> +  return INLINE_SYSCALL_CALL (getrandom, buf, buflen, flags);
>  }
>  
> +static inline int
> +__poll_infinity_nocancel (struct pollfd *fds, nfds_t nfds)
> +{
> +  return INLINE_SYSCALL_CALL (ppoll, fds, nfds, NULL, NULL, 0);
> +}
>  
>  /* Uncancelable fcntl.  */
>  __typeof (__fcntl) __fcntl64_nocancel;

Ok, rv32 and arc already redefines __NR_ppoll __NR_ppoll_time64 and we don't really
case about the timeout.

> diff --git a/sysdeps/unix/sysv/linux/tls-internal.c b/sysdeps/unix/sysv/linux/tls-internal.c
> index 0326ebb767..c8a9ed2d40 100644
> --- a/sysdeps/unix/sysv/linux/tls-internal.c
> +++ b/sysdeps/unix/sysv/linux/tls-internal.c
> @@ -16,7 +16,6 @@
>     License along with the GNU C Library; if not, see
>     <https://www.gnu.org/licenses/>.  */
>  
> -#include <stdlib/arc4random.h>
>  #include <string.h>
>  #include <tls-internal.h>
>  
> @@ -26,13 +25,4 @@ __glibc_tls_internal_free (void)
>    struct pthread *self = THREAD_SELF;
>    free (self->tls_state.strsignal_buf);
>    free (self->tls_state.strerror_l_buf);
> -
> -  if (self->tls_state.rand_state != NULL)
> -    {
> -      /* Clear any lingering random state prior so if the thread stack is
> -         cached it won't leak any data.  */
> -      explicit_bzero (self->tls_state.rand_state,
> -		      sizeof (*self->tls_state.rand_state));
> -      free (self->tls_state.rand_state);
> -    }
>  }

Ok.

> diff --git a/sysdeps/unix/sysv/linux/tls-internal.h b/sysdeps/unix/sysv/linux/tls-internal.h
> index ebc65d896a..2ebe977802 100644
> --- a/sysdeps/unix/sysv/linux/tls-internal.h
> +++ b/sysdeps/unix/sysv/linux/tls-internal.h
> @@ -28,7 +28,6 @@ __glibc_tls_internal (void)
>    return &THREAD_SELF->tls_state;
>  }
>  
> -/* Reset the arc4random TCB state on fork.  */
>  extern void __glibc_tls_internal_free (void) attribute_hidden;
>  
>  #endif
> diff --git a/sysdeps/x86_64/Makefile b/sysdeps/x86_64/Makefile
> index 1178475d75..c19bef2dec 100644
> --- a/sysdeps/x86_64/Makefile
> +++ b/sysdeps/x86_64/Makefile
> @@ -5,13 +5,6 @@ ifeq ($(subdir),csu)
>  gen-as-const-headers += link-defines.sym
>  endif
>  
> -ifeq ($(subdir),stdlib)
> -sysdep_routines += \
> -  chacha20-amd64-sse2 \
> -  chacha20-amd64-avx2 \
> -  # sysdep_routines
> -endif
> -
>  ifeq ($(subdir),gmon)
>  sysdep_routines += _mcount
>  # We cannot compile _mcount.S with -pg because that would create

Ok.

> diff --git a/sysdeps/x86_64/chacha20-amd64-avx2.S b/sysdeps/x86_64/chacha20-amd64-avx2.S
> deleted file mode 100644
> index aefd1cdbd0..0000000000
> --- a/sysdeps/x86_64/chacha20-amd64-avx2.S
> +++ /dev/null
> @@ -1,328 +0,0 @@
> -/* Optimized AVX2 implementation of ChaCha20 cipher.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -/* chacha20-amd64-avx2.S  -  AVX2 implementation of ChaCha20 cipher
> -
> -   Copyright (C) 2017-2019 Jussi Kivilinna <jussi.kivilinna@xxxxxx>
> -
> -   This file is part of Libgcrypt.
> -
> -   Libgcrypt is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU Lesser General Public License as
> -   published by the Free Software Foundation; either version 2.1 of
> -   the License, or (at your option) any later version.
> -
> -   Libgcrypt is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -   GNU Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with this program; if not, see <https://www.gnu.org/licenses/>.
> -*/
> -
> -/* Based on D. J. Bernstein reference implementation at
> -   http://cr.yp.to/chacha.html:
> -
> -   chacha-regs.c version 20080118
> -   D. J. Bernstein
> -   Public domain.  */
> -
> -#include <sysdep.h>
> -
> -#ifdef PIC
> -#  define rRIP (%rip)
> -#else
> -#  define rRIP
> -#endif
> -
> -/* register macros */
> -#define INPUT %rdi
> -#define DST   %rsi
> -#define SRC   %rdx
> -#define NBLKS %rcx
> -#define ROUND %eax
> -
> -/* stack structure */
> -#define STACK_VEC_X12 (32)
> -#define STACK_VEC_X13 (32 + STACK_VEC_X12)
> -#define STACK_TMP     (32 + STACK_VEC_X13)
> -#define STACK_TMP1    (32 + STACK_TMP)
> -
> -#define STACK_MAX     (32 + STACK_TMP1)
> -
> -/* vector registers */
> -#define X0 %ymm0
> -#define X1 %ymm1
> -#define X2 %ymm2
> -#define X3 %ymm3
> -#define X4 %ymm4
> -#define X5 %ymm5
> -#define X6 %ymm6
> -#define X7 %ymm7
> -#define X8 %ymm8
> -#define X9 %ymm9
> -#define X10 %ymm10
> -#define X11 %ymm11
> -#define X12 %ymm12
> -#define X13 %ymm13
> -#define X14 %ymm14
> -#define X15 %ymm15
> -
> -#define X0h %xmm0
> -#define X1h %xmm1
> -#define X2h %xmm2
> -#define X3h %xmm3
> -#define X4h %xmm4
> -#define X5h %xmm5
> -#define X6h %xmm6
> -#define X7h %xmm7
> -#define X8h %xmm8
> -#define X9h %xmm9
> -#define X10h %xmm10
> -#define X11h %xmm11
> -#define X12h %xmm12
> -#define X13h %xmm13
> -#define X14h %xmm14
> -#define X15h %xmm15
> -
> -/**********************************************************************
> -  helper macros
> - **********************************************************************/
> -
> -/* 4x4 32-bit integer matrix transpose */
> -#define transpose_4x4(x0,x1,x2,x3,t1,t2) \
> -	vpunpckhdq x1, x0, t2; \
> -	vpunpckldq x1, x0, x0; \
> -	\
> -	vpunpckldq x3, x2, t1; \
> -	vpunpckhdq x3, x2, x2; \
> -	\
> -	vpunpckhqdq t1, x0, x1; \
> -	vpunpcklqdq t1, x0, x0; \
> -	\
> -	vpunpckhqdq x2, t2, x3; \
> -	vpunpcklqdq x2, t2, x2;
> -
> -/* 2x2 128-bit matrix transpose */
> -#define transpose_16byte_2x2(x0,x1,t1) \
> -	vmovdqa    x0, t1; \
> -	vperm2i128 $0x20, x1, x0, x0; \
> -	vperm2i128 $0x31, x1, t1, x1;
> -
> -/**********************************************************************
> -  8-way chacha20
> - **********************************************************************/
> -
> -#define ROTATE2(v1,v2,c,tmp)	\
> -	vpsrld $(32 - (c)), v1, tmp;	\
> -	vpslld $(c), v1, v1;		\
> -	vpaddb tmp, v1, v1;		\
> -	vpsrld $(32 - (c)), v2, tmp;	\
> -	vpslld $(c), v2, v2;		\
> -	vpaddb tmp, v2, v2;
> -
> -#define ROTATE_SHUF_2(v1,v2,shuf)	\
> -	vpshufb shuf, v1, v1;		\
> -	vpshufb shuf, v2, v2;
> -
> -#define XOR(ds,s) \
> -	vpxor s, ds, ds;
> -
> -#define PLUS(ds,s) \
> -	vpaddd s, ds, ds;
> -
> -#define QUARTERROUND2(a1,b1,c1,d1,a2,b2,c2,d2,ign,tmp1,\
> -		      interleave_op1,interleave_op2,\
> -		      interleave_op3,interleave_op4)		\
> -	vbroadcasti128 .Lshuf_rol16 rRIP, tmp1;			\
> -		interleave_op1;					\
> -	PLUS(a1,b1); PLUS(a2,b2); XOR(d1,a1); XOR(d2,a2);	\
> -	    ROTATE_SHUF_2(d1, d2, tmp1);			\
> -		interleave_op2;					\
> -	PLUS(c1,d1); PLUS(c2,d2); XOR(b1,c1); XOR(b2,c2);	\
> -	    ROTATE2(b1, b2, 12, tmp1);				\
> -	vbroadcasti128 .Lshuf_rol8 rRIP, tmp1;			\
> -		interleave_op3;					\
> -	PLUS(a1,b1); PLUS(a2,b2); XOR(d1,a1); XOR(d2,a2);	\
> -	    ROTATE_SHUF_2(d1, d2, tmp1);			\
> -		interleave_op4;					\
> -	PLUS(c1,d1); PLUS(c2,d2); XOR(b1,c1); XOR(b2,c2);	\
> -	    ROTATE2(b1, b2,  7, tmp1);
> -
> -	.section .text.avx2, "ax", @progbits
> -	.align 32
> -chacha20_data:
> -L(shuf_rol16):
> -	.byte 2,3,0,1,6,7,4,5,10,11,8,9,14,15,12,13
> -L(shuf_rol8):
> -	.byte 3,0,1,2,7,4,5,6,11,8,9,10,15,12,13,14
> -L(inc_counter):
> -	.byte 0,1,2,3,4,5,6,7
> -L(unsigned_cmp):
> -	.long 0x80000000
> -
> -	.hidden __chacha20_avx2_blocks8
> -ENTRY (__chacha20_avx2_blocks8)
> -	/* input:
> -	 *	%rdi: input
> -	 *	%rsi: dst
> -	 *	%rdx: src
> -	 *	%rcx: nblks (multiple of 8)
> -	 */
> -	vzeroupper;
> -
> -	pushq %rbp;
> -	cfi_adjust_cfa_offset(8);
> -	cfi_rel_offset(rbp, 0)
> -	movq %rsp, %rbp;
> -	cfi_def_cfa_register(rbp);
> -
> -	subq $STACK_MAX, %rsp;
> -	andq $~31, %rsp;
> -
> -L(loop8):
> -	mov $20, ROUND;
> -
> -	/* Construct counter vectors X12 and X13 */
> -	vpmovzxbd L(inc_counter) rRIP, X0;
> -	vpbroadcastd L(unsigned_cmp) rRIP, X2;
> -	vpbroadcastd (12 * 4)(INPUT), X12;
> -	vpbroadcastd (13 * 4)(INPUT), X13;
> -	vpaddd X0, X12, X12;
> -	vpxor X2, X0, X0;
> -	vpxor X2, X12, X1;
> -	vpcmpgtd X1, X0, X0;
> -	vpsubd X0, X13, X13;
> -	vmovdqa X12, (STACK_VEC_X12)(%rsp);
> -	vmovdqa X13, (STACK_VEC_X13)(%rsp);
> -
> -	/* Load vectors */
> -	vpbroadcastd (0 * 4)(INPUT), X0;
> -	vpbroadcastd (1 * 4)(INPUT), X1;
> -	vpbroadcastd (2 * 4)(INPUT), X2;
> -	vpbroadcastd (3 * 4)(INPUT), X3;
> -	vpbroadcastd (4 * 4)(INPUT), X4;
> -	vpbroadcastd (5 * 4)(INPUT), X5;
> -	vpbroadcastd (6 * 4)(INPUT), X6;
> -	vpbroadcastd (7 * 4)(INPUT), X7;
> -	vpbroadcastd (8 * 4)(INPUT), X8;
> -	vpbroadcastd (9 * 4)(INPUT), X9;
> -	vpbroadcastd (10 * 4)(INPUT), X10;
> -	vpbroadcastd (11 * 4)(INPUT), X11;
> -	vpbroadcastd (14 * 4)(INPUT), X14;
> -	vpbroadcastd (15 * 4)(INPUT), X15;
> -	vmovdqa X15, (STACK_TMP)(%rsp);
> -
> -L(round2):
> -	QUARTERROUND2(X0, X4,  X8, X12,   X1, X5,  X9, X13, tmp:=,X15,,,,)
> -	vmovdqa (STACK_TMP)(%rsp), X15;
> -	vmovdqa X8, (STACK_TMP)(%rsp);
> -	QUARTERROUND2(X2, X6, X10, X14,   X3, X7, X11, X15, tmp:=,X8,,,,)
> -	QUARTERROUND2(X0, X5, X10, X15,   X1, X6, X11, X12, tmp:=,X8,,,,)
> -	vmovdqa (STACK_TMP)(%rsp), X8;
> -	vmovdqa X15, (STACK_TMP)(%rsp);
> -	QUARTERROUND2(X2, X7,  X8, X13,   X3, X4,  X9, X14, tmp:=,X15,,,,)
> -	sub $2, ROUND;
> -	jnz L(round2);
> -
> -	vmovdqa X8, (STACK_TMP1)(%rsp);
> -
> -	/* tmp := X15 */
> -	vpbroadcastd (0 * 4)(INPUT), X15;
> -	PLUS(X0, X15);
> -	vpbroadcastd (1 * 4)(INPUT), X15;
> -	PLUS(X1, X15);
> -	vpbroadcastd (2 * 4)(INPUT), X15;
> -	PLUS(X2, X15);
> -	vpbroadcastd (3 * 4)(INPUT), X15;
> -	PLUS(X3, X15);
> -	vpbroadcastd (4 * 4)(INPUT), X15;
> -	PLUS(X4, X15);
> -	vpbroadcastd (5 * 4)(INPUT), X15;
> -	PLUS(X5, X15);
> -	vpbroadcastd (6 * 4)(INPUT), X15;
> -	PLUS(X6, X15);
> -	vpbroadcastd (7 * 4)(INPUT), X15;
> -	PLUS(X7, X15);
> -	transpose_4x4(X0, X1, X2, X3, X8, X15);
> -	transpose_4x4(X4, X5, X6, X7, X8, X15);
> -	vmovdqa (STACK_TMP1)(%rsp), X8;
> -	transpose_16byte_2x2(X0, X4, X15);
> -	transpose_16byte_2x2(X1, X5, X15);
> -	transpose_16byte_2x2(X2, X6, X15);
> -	transpose_16byte_2x2(X3, X7, X15);
> -	vmovdqa (STACK_TMP)(%rsp), X15;
> -	vmovdqu X0, (64 * 0 + 16 * 0)(DST)
> -	vmovdqu X1, (64 * 1 + 16 * 0)(DST)
> -	vpbroadcastd (8 * 4)(INPUT), X0;
> -	PLUS(X8, X0);
> -	vpbroadcastd (9 * 4)(INPUT), X0;
> -	PLUS(X9, X0);
> -	vpbroadcastd (10 * 4)(INPUT), X0;
> -	PLUS(X10, X0);
> -	vpbroadcastd (11 * 4)(INPUT), X0;
> -	PLUS(X11, X0);
> -	vmovdqa (STACK_VEC_X12)(%rsp), X0;
> -	PLUS(X12, X0);
> -	vmovdqa (STACK_VEC_X13)(%rsp), X0;
> -	PLUS(X13, X0);
> -	vpbroadcastd (14 * 4)(INPUT), X0;
> -	PLUS(X14, X0);
> -	vpbroadcastd (15 * 4)(INPUT), X0;
> -	PLUS(X15, X0);
> -	vmovdqu X2, (64 * 2 + 16 * 0)(DST)
> -	vmovdqu X3, (64 * 3 + 16 * 0)(DST)
> -
> -	/* Update counter */
> -	addq $8, (12 * 4)(INPUT);
> -
> -	transpose_4x4(X8, X9, X10, X11, X0, X1);
> -	transpose_4x4(X12, X13, X14, X15, X0, X1);
> -	vmovdqu X4, (64 * 4 + 16 * 0)(DST)
> -	vmovdqu X5, (64 * 5 + 16 * 0)(DST)
> -	transpose_16byte_2x2(X8, X12, X0);
> -	transpose_16byte_2x2(X9, X13, X0);
> -	transpose_16byte_2x2(X10, X14, X0);
> -	transpose_16byte_2x2(X11, X15, X0);
> -	vmovdqu X6,  (64 * 6 + 16 * 0)(DST)
> -	vmovdqu X7,  (64 * 7 + 16 * 0)(DST)
> -	vmovdqu X8,  (64 * 0 + 16 * 2)(DST)
> -	vmovdqu X9,  (64 * 1 + 16 * 2)(DST)
> -	vmovdqu X10, (64 * 2 + 16 * 2)(DST)
> -	vmovdqu X11, (64 * 3 + 16 * 2)(DST)
> -	vmovdqu X12, (64 * 4 + 16 * 2)(DST)
> -	vmovdqu X13, (64 * 5 + 16 * 2)(DST)
> -	vmovdqu X14, (64 * 6 + 16 * 2)(DST)
> -	vmovdqu X15, (64 * 7 + 16 * 2)(DST)
> -
> -	sub $8, NBLKS;
> -	lea (8 * 64)(DST), DST;
> -	lea (8 * 64)(SRC), SRC;
> -	jnz L(loop8);
> -
> -	vzeroupper;
> -
> -	/* eax zeroed by round loop. */
> -	leave;
> -	cfi_adjust_cfa_offset(-8)
> -	cfi_def_cfa_register(%rsp);
> -	ret;
> -	int3;
> -END(__chacha20_avx2_blocks8)
> diff --git a/sysdeps/x86_64/chacha20-amd64-sse2.S b/sysdeps/x86_64/chacha20-amd64-sse2.S
> deleted file mode 100644
> index 351a1109c6..0000000000
> --- a/sysdeps/x86_64/chacha20-amd64-sse2.S
> +++ /dev/null
> @@ -1,311 +0,0 @@
> -/* Optimized SSE2 implementation of ChaCha20 cipher.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -/* chacha20-amd64-ssse3.S  -  SSSE3 implementation of ChaCha20 cipher
> -
> -   Copyright (C) 2017-2019 Jussi Kivilinna <jussi.kivilinna@xxxxxx>
> -
> -   This file is part of Libgcrypt.
> -
> -   Libgcrypt is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU Lesser General Public License as
> -   published by the Free Software Foundation; either version 2.1 of
> -   the License, or (at your option) any later version.
> -
> -   Libgcrypt is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -   GNU Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with this program; if not, see <https://www.gnu.org/licenses/>.
> -*/
> -
> -/* Based on D. J. Bernstein reference implementation at
> -   http://cr.yp.to/chacha.html:
> -
> -   chacha-regs.c version 20080118
> -   D. J. Bernstein
> -   Public domain.  */
> -
> -#include <sysdep.h>
> -#include <isa-level.h>
> -
> -#if MINIMUM_X86_ISA_LEVEL <= 2
> -
> -#ifdef PIC
> -#  define rRIP (%rip)
> -#else
> -#  define rRIP
> -#endif
> -
> -/* 'ret' instruction replacement for straight-line speculation mitigation */
> -#define ret_spec_stop \
> -        ret; int3;
> -
> -/* register macros */
> -#define INPUT %rdi
> -#define DST   %rsi
> -#define SRC   %rdx
> -#define NBLKS %rcx
> -#define ROUND %eax
> -
> -/* stack structure */
> -#define STACK_VEC_X12 (16)
> -#define STACK_VEC_X13 (16 + STACK_VEC_X12)
> -#define STACK_TMP     (16 + STACK_VEC_X13)
> -#define STACK_TMP1    (16 + STACK_TMP)
> -#define STACK_TMP2    (16 + STACK_TMP1)
> -
> -#define STACK_MAX     (16 + STACK_TMP2)
> -
> -/* vector registers */
> -#define X0 %xmm0
> -#define X1 %xmm1
> -#define X2 %xmm2
> -#define X3 %xmm3
> -#define X4 %xmm4
> -#define X5 %xmm5
> -#define X6 %xmm6
> -#define X7 %xmm7
> -#define X8 %xmm8
> -#define X9 %xmm9
> -#define X10 %xmm10
> -#define X11 %xmm11
> -#define X12 %xmm12
> -#define X13 %xmm13
> -#define X14 %xmm14
> -#define X15 %xmm15
> -
> -/**********************************************************************
> -  helper macros
> - **********************************************************************/
> -
> -/* 4x4 32-bit integer matrix transpose */
> -#define TRANSPOSE_4x4(x0, x1, x2, x3, t1, t2, t3) \
> -	movdqa    x0, t2; \
> -	punpckhdq x1, t2; \
> -	punpckldq x1, x0; \
> -	\
> -	movdqa    x2, t1; \
> -	punpckldq x3, t1; \
> -	punpckhdq x3, x2; \
> -	\
> -	movdqa     x0, x1; \
> -	punpckhqdq t1, x1; \
> -	punpcklqdq t1, x0; \
> -	\
> -	movdqa     t2, x3; \
> -	punpckhqdq x2, x3; \
> -	punpcklqdq x2, t2; \
> -	movdqa     t2, x2;
> -
> -/* fill xmm register with 32-bit value from memory */
> -#define PBROADCASTD(mem32, xreg) \
> -	movd mem32, xreg; \
> -	pshufd $0, xreg, xreg;
> -
> -/**********************************************************************
> -  4-way chacha20
> - **********************************************************************/
> -
> -#define ROTATE2(v1,v2,c,tmp1,tmp2)	\
> -	movdqa v1, tmp1; 		\
> -	movdqa v2, tmp2; 		\
> -	psrld $(32 - (c)), v1;		\
> -	pslld $(c), tmp1;		\
> -	paddb tmp1, v1;			\
> -	psrld $(32 - (c)), v2;		\
> -	pslld $(c), tmp2;		\
> -	paddb tmp2, v2;
> -
> -#define XOR(ds,s) \
> -	pxor s, ds;
> -
> -#define PLUS(ds,s) \
> -	paddd s, ds;
> -
> -#define QUARTERROUND2(a1,b1,c1,d1,a2,b2,c2,d2,ign,tmp1,tmp2)	\
> -	PLUS(a1,b1); PLUS(a2,b2); XOR(d1,a1); XOR(d2,a2);	\
> -	    ROTATE2(d1, d2, 16, tmp1, tmp2);			\
> -	PLUS(c1,d1); PLUS(c2,d2); XOR(b1,c1); XOR(b2,c2);	\
> -	    ROTATE2(b1, b2, 12, tmp1, tmp2);			\
> -	PLUS(a1,b1); PLUS(a2,b2); XOR(d1,a1); XOR(d2,a2);	\
> -	    ROTATE2(d1, d2, 8, tmp1, tmp2);			\
> -	PLUS(c1,d1); PLUS(c2,d2); XOR(b1,c1); XOR(b2,c2);	\
> -	    ROTATE2(b1, b2,  7, tmp1, tmp2);
> -
> -	.section .text.sse2,"ax",@progbits
> -
> -chacha20_data:
> -	.align 16
> -L(counter1):
> -	.long 1,0,0,0
> -L(inc_counter):
> -	.long 0,1,2,3
> -L(unsigned_cmp):
> -	.long 0x80000000,0x80000000,0x80000000,0x80000000
> -
> -	.hidden __chacha20_sse2_blocks4
> -ENTRY (__chacha20_sse2_blocks4)
> -	/* input:
> -	 *	%rdi: input
> -	 *	%rsi: dst
> -	 *	%rdx: src
> -	 *	%rcx: nblks (multiple of 4)
> -	 */
> -
> -	pushq %rbp;
> -	cfi_adjust_cfa_offset(8);
> -	cfi_rel_offset(rbp, 0)
> -	movq %rsp, %rbp;
> -	cfi_def_cfa_register(%rbp);
> -
> -	subq $STACK_MAX, %rsp;
> -	andq $~15, %rsp;
> -
> -L(loop4):
> -	mov $20, ROUND;
> -
> -	/* Construct counter vectors X12 and X13 */
> -	movdqa L(inc_counter) rRIP, X0;
> -	movdqa L(unsigned_cmp) rRIP, X2;
> -	PBROADCASTD((12 * 4)(INPUT), X12);
> -	PBROADCASTD((13 * 4)(INPUT), X13);
> -	paddd X0, X12;
> -	movdqa X12, X1;
> -	pxor X2, X0;
> -	pxor X2, X1;
> -	pcmpgtd X1, X0;
> -	psubd X0, X13;
> -	movdqa X12, (STACK_VEC_X12)(%rsp);
> -	movdqa X13, (STACK_VEC_X13)(%rsp);
> -
> -	/* Load vectors */
> -	PBROADCASTD((0 * 4)(INPUT), X0);
> -	PBROADCASTD((1 * 4)(INPUT), X1);
> -	PBROADCASTD((2 * 4)(INPUT), X2);
> -	PBROADCASTD((3 * 4)(INPUT), X3);
> -	PBROADCASTD((4 * 4)(INPUT), X4);
> -	PBROADCASTD((5 * 4)(INPUT), X5);
> -	PBROADCASTD((6 * 4)(INPUT), X6);
> -	PBROADCASTD((7 * 4)(INPUT), X7);
> -	PBROADCASTD((8 * 4)(INPUT), X8);
> -	PBROADCASTD((9 * 4)(INPUT), X9);
> -	PBROADCASTD((10 * 4)(INPUT), X10);
> -	PBROADCASTD((11 * 4)(INPUT), X11);
> -	PBROADCASTD((14 * 4)(INPUT), X14);
> -	PBROADCASTD((15 * 4)(INPUT), X15);
> -	movdqa X11, (STACK_TMP)(%rsp);
> -	movdqa X15, (STACK_TMP1)(%rsp);
> -
> -L(round2_4):
> -	QUARTERROUND2(X0, X4,  X8, X12,   X1, X5,  X9, X13, tmp:=,X11,X15)
> -	movdqa (STACK_TMP)(%rsp), X11;
> -	movdqa (STACK_TMP1)(%rsp), X15;
> -	movdqa X8, (STACK_TMP)(%rsp);
> -	movdqa X9, (STACK_TMP1)(%rsp);
> -	QUARTERROUND2(X2, X6, X10, X14,   X3, X7, X11, X15, tmp:=,X8,X9)
> -	QUARTERROUND2(X0, X5, X10, X15,   X1, X6, X11, X12, tmp:=,X8,X9)
> -	movdqa (STACK_TMP)(%rsp), X8;
> -	movdqa (STACK_TMP1)(%rsp), X9;
> -	movdqa X11, (STACK_TMP)(%rsp);
> -	movdqa X15, (STACK_TMP1)(%rsp);
> -	QUARTERROUND2(X2, X7,  X8, X13,   X3, X4,  X9, X14, tmp:=,X11,X15)
> -	sub $2, ROUND;
> -	jnz L(round2_4);
> -
> -	/* tmp := X15 */
> -	movdqa (STACK_TMP)(%rsp), X11;
> -	PBROADCASTD((0 * 4)(INPUT), X15);
> -	PLUS(X0, X15);
> -	PBROADCASTD((1 * 4)(INPUT), X15);
> -	PLUS(X1, X15);
> -	PBROADCASTD((2 * 4)(INPUT), X15);
> -	PLUS(X2, X15);
> -	PBROADCASTD((3 * 4)(INPUT), X15);
> -	PLUS(X3, X15);
> -	PBROADCASTD((4 * 4)(INPUT), X15);
> -	PLUS(X4, X15);
> -	PBROADCASTD((5 * 4)(INPUT), X15);
> -	PLUS(X5, X15);
> -	PBROADCASTD((6 * 4)(INPUT), X15);
> -	PLUS(X6, X15);
> -	PBROADCASTD((7 * 4)(INPUT), X15);
> -	PLUS(X7, X15);
> -	PBROADCASTD((8 * 4)(INPUT), X15);
> -	PLUS(X8, X15);
> -	PBROADCASTD((9 * 4)(INPUT), X15);
> -	PLUS(X9, X15);
> -	PBROADCASTD((10 * 4)(INPUT), X15);
> -	PLUS(X10, X15);
> -	PBROADCASTD((11 * 4)(INPUT), X15);
> -	PLUS(X11, X15);
> -	movdqa (STACK_VEC_X12)(%rsp), X15;
> -	PLUS(X12, X15);
> -	movdqa (STACK_VEC_X13)(%rsp), X15;
> -	PLUS(X13, X15);
> -	movdqa X13, (STACK_TMP)(%rsp);
> -	PBROADCASTD((14 * 4)(INPUT), X15);
> -	PLUS(X14, X15);
> -	movdqa (STACK_TMP1)(%rsp), X15;
> -	movdqa X14, (STACK_TMP1)(%rsp);
> -	PBROADCASTD((15 * 4)(INPUT), X13);
> -	PLUS(X15, X13);
> -	movdqa X15, (STACK_TMP2)(%rsp);
> -
> -	/* Update counter */
> -	addq $4, (12 * 4)(INPUT);
> -
> -	TRANSPOSE_4x4(X0, X1, X2, X3, X13, X14, X15);
> -	movdqu X0, (64 * 0 + 16 * 0)(DST)
> -	movdqu X1, (64 * 1 + 16 * 0)(DST)
> -	movdqu X2, (64 * 2 + 16 * 0)(DST)
> -	movdqu X3, (64 * 3 + 16 * 0)(DST)
> -	TRANSPOSE_4x4(X4, X5, X6, X7, X0, X1, X2);
> -	movdqa (STACK_TMP)(%rsp), X13;
> -	movdqa (STACK_TMP1)(%rsp), X14;
> -	movdqa (STACK_TMP2)(%rsp), X15;
> -	movdqu X4, (64 * 0 + 16 * 1)(DST)
> -	movdqu X5, (64 * 1 + 16 * 1)(DST)
> -	movdqu X6, (64 * 2 + 16 * 1)(DST)
> -	movdqu X7, (64 * 3 + 16 * 1)(DST)
> -	TRANSPOSE_4x4(X8, X9, X10, X11, X0, X1, X2);
> -	movdqu X8,  (64 * 0 + 16 * 2)(DST)
> -	movdqu X9,  (64 * 1 + 16 * 2)(DST)
> -	movdqu X10, (64 * 2 + 16 * 2)(DST)
> -	movdqu X11, (64 * 3 + 16 * 2)(DST)
> -	TRANSPOSE_4x4(X12, X13, X14, X15, X0, X1, X2);
> -	movdqu X12, (64 * 0 + 16 * 3)(DST)
> -	movdqu X13, (64 * 1 + 16 * 3)(DST)
> -	movdqu X14, (64 * 2 + 16 * 3)(DST)
> -	movdqu X15, (64 * 3 + 16 * 3)(DST)
> -
> -	sub $4, NBLKS;
> -	lea (4 * 64)(DST), DST;
> -	lea (4 * 64)(SRC), SRC;
> -	jnz L(loop4);
> -
> -	/* eax zeroed by round loop. */
> -	leave;
> -	cfi_adjust_cfa_offset(-8)
> -	cfi_def_cfa_register(%rsp);
> -	ret_spec_stop;
> -END (__chacha20_sse2_blocks4)
> -
> -#endif /* if MINIMUM_X86_ISA_LEVEL <= 2 */

Ok.

> diff --git a/sysdeps/x86_64/chacha20_arch.h b/sysdeps/x86_64/chacha20_arch.h
> deleted file mode 100644
> index 6f3784e392..0000000000
> --- a/sysdeps/x86_64/chacha20_arch.h
> +++ /dev/null
> @@ -1,55 +0,0 @@
> -/* Chacha20 implementation, used on arc4random.
> -   Copyright (C) 2022 Free Software Foundation, Inc.
> -   This file is part of the GNU C Library.
> -
> -   The GNU C Library is free software; you can redistribute it and/or
> -   modify it under the terms of the GNU Lesser General Public
> -   License as published by the Free Software Foundation; either
> -   version 2.1 of the License, or (at your option) any later version.
> -
> -   The GNU C Library is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -   Lesser General Public License for more details.
> -
> -   You should have received a copy of the GNU Lesser General Public
> -   License along with the GNU C Library; if not, see
> -   <https://www.gnu.org/licenses/>.  */
> -
> -#include <isa-level.h>
> -#include <ldsodefs.h>
> -#include <cpu-features.h>
> -#include <sys/param.h>
> -
> -unsigned int __chacha20_sse2_blocks4 (uint32_t *state, uint8_t *dst,
> -				      const uint8_t *src, size_t nblks)
> -     attribute_hidden;
> -unsigned int __chacha20_avx2_blocks8 (uint32_t *state, uint8_t *dst,
> -				      const uint8_t *src, size_t nblks)
> -     attribute_hidden;
> -
> -static inline void
> -chacha20_crypt (uint32_t *state, uint8_t *dst, const uint8_t *src,
> -		size_t bytes)
> -{
> -  _Static_assert (CHACHA20_BUFSIZE % 4 == 0 && CHACHA20_BUFSIZE % 8 == 0,
> -		  "CHACHA20_BUFSIZE not multiple of 4 or 8");
> -  _Static_assert (CHACHA20_BUFSIZE >= CHACHA20_BLOCK_SIZE * 8,
> -		  "CHACHA20_BUFSIZE < CHACHA20_BLOCK_SIZE * 8");
> -
> -#if MINIMUM_X86_ISA_LEVEL > 2
> -  __chacha20_avx2_blocks8 (state, dst, src,
> -			   CHACHA20_BUFSIZE / CHACHA20_BLOCK_SIZE);
> -#else
> -  const struct cpu_features* cpu_features = __get_cpu_features ();
> -
> -  /* AVX2 version uses vzeroupper, so disable it if RTM is enabled.  */
> -  if (X86_ISA_CPU_FEATURE_USABLE_P (cpu_features, AVX2)
> -      && X86_ISA_CPU_FEATURES_ARCH_P (cpu_features, Prefer_No_VZEROUPPER, !))
> -    __chacha20_avx2_blocks8 (state, dst, src,
> -			     CHACHA20_BUFSIZE / CHACHA20_BLOCK_SIZE);
> -  else
> -    __chacha20_sse2_blocks4 (state, dst, src,
> -			     CHACHA20_BUFSIZE / CHACHA20_BLOCK_SIZE);
> -#endif
> -}

Ok.



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux