Clarify how the EVP IV is used with ChaCha

EVP_chacha20() was aligned to follow OpenSSL's nonconformant implementation
during a2k20 by djm and myself in an effort to allow OpenSSH to use the
OpenSSL 1.1 API. Some corresponding OpenSSL 1.1 documentation was imported
at the same time. A comment attempted to translate between implementation
and the incorrect documentation, which was necessarily gibberish. Improve
the situation by rephrasing and dropping nonsensical bits.

Prompted by a question of schwarze

diff --git a/lib/libcrypto/evp/e_chacha.c b/lib/libcrypto/evp/e_chacha.c
index add0488..5cd03c7 100644 (file)
--- a/lib/libcrypto/evp/e_chacha.c
+++ b/lib/libcrypto/evp/e_chacha.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha.c,v 1.12 2023/07/07 19:37:53 beck Exp $ */
+/* $OpenBSD: e_chacha.c,v 1.13 2023/08/24 04:20:57 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -53,13 +53,11 @@ static const EVP_CIPHER chacha20_cipher = {
        .nid = NID_chacha20,
        .block_size = 1,
        .key_len = 32,
-       /* 
-        * The 128 bit EVP IV is split for ChaCha into four 32 bit pieces:
-        *                      counter[0]      counter[1]      iv[0]   iv[1]
-        * OpenSSL exposes these as:
-        *      openssl_iv =    counter[0]      iv[0]           iv[1]   iv[2]
-        * Due to the cipher internal state's symmetry, these are functionally
-        * equivalent.
+       /*
+        * The 16-byte EVP IV is split into 4 little-endian 4-byte words
+        *      evpiv[15:12]    evpiv[11:8]     evpiv[7:4]      evpiv[3:0]
+        *      iv[1]           iv[0]           counter[1]      counter[0]
+        * and passed as iv[] and counter[] to ChaCha_set_iv().
         */
        .iv_len = 16,
        .flags = EVP_CIPH_STREAM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |